Identity Mgmt Audit/Assurance Program

Identity Management Audit/Assurance Program
ISACA®
With more than 86,000 constituents in more than 160 countries, ISACA (www.isaca.org) is a recognized worldwide
leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international
conferences, publishes the ISACA Journal®, and develops international information systems auditing and control
standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA ®) designation,
earned by more than 60,000 professionals since 1978; the Certified Information Security Manager ® (CISM®)
designation, earned by more than 10,000 professionals since 2002; and the new Certified in the Governance of
Enterprise IT™ (CGEIT™) designation.
Disclaimer
ISACA has designed and created Identity Management Audit/Assurance Program (the “Work”), primarily as an
informational resource for audit and assurance professionals. ISACA makes no claim that use of any of the Work
will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures
and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same
results. In determining the propriety of any specific information, procedure or test, audit/assurance professionals
should apply their own professional judgment to the specific circumstances presented by the particular systems or IT
environment.
Reservation of Rights
© 2009 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified,
distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical,
photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of
all or portions of this publication are permitted solely for academic, internal and noncommercial use, and
consulting/advisory engagements, and must include full attribution of the material’s source. No other right or
permission is granted with respect to this work.
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: info@isaca.org
Web site: www.isaca.org
ISBN 978-1-60420-077-5
Identity Management Audit/Assurance Program
Printed in the United States of America
© 2009 ISACA. All rights reserved. Page 2
ISACA wishes to recognize:
Author
Norm Kelson, CISA, CGEIT, CPA, The Kelson Group, USA
Expert Reviewers
Tomas Thobias Hellum, Linkin, Denmark
Hugo Köncke, CISM, CISSP, GCIH, INAC, Uruguay
Srinivasan S K, SKS Consulting, India
Gbadamosi Folakemi Toyin, AMPDM, CPE, MCS, Flookytee Computers, Nigeria
Reinhard Erich Voglmaier, GlaxoSmithKline Spa—Pharmaceuticals, Italy
ISACA Board of Directors
Lynn Lawton, CISA, FBCS, FCA, FIIA, KPMG LLP, UK, International President
George Ataya, CISA, CISM, CGEIT, CISSP, ICT Control SA, Belgium, Vice President
Howard Nicholson, CISA, CGEIT, City of Salisbury, Australia, Vice President
Jose Angel Pena Ibarra, CGEIT, Consultoria en Comunicaciones e Info. SA & CV, Mexico, Vice President
Robert E. Stroud, CA Inc., USA, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Vice President
Frank Yam, CISA, CIA, CCP, CFE, CFSA, FFA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Vice President
Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young, USA, Past International President
Everett C. Johnson Jr., CPA, Deloitte & Touche LLP (retired), USA, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Company, USA, Director
Tony Hayes, Queensland Government, Australia, Director
Jo Stewart-Rattray, CISA, CISM, CSEPS, RSM Bird Cameron, Australia, Director
Assurance Committee
Gregory T. Grocholski, CISA, The Dow Chemical Company, USA, Chair
Pippa G. Andrews, CISA, ACA, CIA, Amcor, Australia
Richard Brisebois, CISA, CGA, Office of the Auditor General of Canada, Canada
Sergio Fleginsky, CISA, ICI, Uruguay
Robert Johnson, CISA, CISM, CISSP, Executive Consultant, USA
Anthony P. Noble, CISA, CCP, Viacom Inc., USA
Robert G. Parker, CISA, CA, CMC, FCA, Deloitte & Touche LLP (retired), Canada
Erik Pols, CISA, CISM, Shell International - ITCI, Netherlands
Vatsaraman Venkatakrishnan, CISA, CISM, CGEIT, ACA, Emirates Airlines, UAE
Table of Contents
I. Introduction ........................................................................ 4
II. Using This Document ................................................................ 5
III. Controls Maturity Analysis ........................................................ 8
IV. Assurance and Control Framework .................................................... 9
V. Executive Summary of Audit/Assurance Focus ........................................ 10
VI. Audit/Assurance Program .......................................................... 13
    1. Planning and Scoping the Audit ................................................ 13
    2. Understanding Supporting Infrastructure ....................................... 15
    3. Identity Management ........................................................... 16
VII. Maturity Assessment ............................................................. 33
VIII. Assessment Maturity vs. Target Maturity ........................................ 36
I. Introduction
Overview
ISACA has developed the IT Assurance Framework™ (ITAF™) as a comprehensive and good-practice-setting model. ITAF provides standards that are designed to be mandatory and are the guiding principles
under which the IT audit and assurance profession operates. The guidelines provide information and
direction for the practice of IT audit and assurance. The tools and techniques provide methodologies,
tools and templates to provide direction in the application of IT audit and assurance processes.
Purpose
The audit/assurance program is a tool and template to be used as a road map for the completion of a
specific assurance process. The ISACA Assurance Committee has commissioned audit/assurance
programs to be developed for use by IT audit and assurance practitioners. This audit/assurance program is
intended to be utilized by IT audit and assurance professionals with the requisite knowledge of the subject
matter under review, as described in ITAF, section 2200—General Standards. The audit/assurance
programs are part of ITAF, section 4000—IT Assurance Tools and Techniques.
Control Framework
The audit/assurance programs have been developed in alignment with the IT Governance Institute®
(ITGI™) framework, Control Objectives for Information and related Technology (COBIT®)—specifically
COBIT 4.1—using generally applicable and accepted good practices. They reflect ITAF sections 3400—
IT Management Processes, 3600—IT Audit and Assurance Processes, and 3800—IT Audit and Assurance
Management.
Many organizations have embraced several frameworks at an enterprise level, including the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The
importance of the control framework has been enhanced due to regulatory requirements by the US
Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and
similar legislation in other countries. They seek to integrate control framework elements used by the
general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used, it
has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename these
columns to align with the enterprise’s control framework.
IT Governance, Risk and Control
IT governance, risk and control are critical in the performance of any assurance management process.
Governance of the process under review will be evaluated as part of the policies and management
oversight controls. Risk plays an important role in evaluating what to audit and how management
approaches and manages risk. Both issues will be evaluated as steps in the audit/assurance program.
Controls are the primary evaluation point in the process. The audit/assurance program will identify the
control objectives and the steps to determine control design and effectiveness.
Responsibilities of IT Audit and Assurance Professionals
IT audit and assurance professionals are expected to customize this document to the environment in
which they are performing an assurance process. This document is to be used as a review tool and starting
point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or
questionnaire. It is assumed that the IT audit and assurance professional holds the Certified Information
Systems Auditor (CISA) designation, or has the necessary subject matter expertise required to conduct the
work and is supervised by a professional with the CISA designation and necessary subject matter
expertise to adequately review the work performed.
II. Using This Document
This audit/assurance program was developed to assist the audit and assurance professional in designing
and executing a review. Details regarding the format and use of the document follow.
Work Program Steps
The first column of the program describes the steps to be performed. The numbering scheme used
provides built-in work paper numbering for ease of cross-reference to the specific work paper for that
section. The physical document was designed in Microsoft® Word. The IT audit and assurance
professional is encouraged to make modifications to this document to reflect the specific environment
under review.
Steps 1 and 2 are part of the fact gathering and pre-fieldwork preparation. Because the pre-fieldwork is
essential to a successful and professional review, the steps have been itemized in this plan. The first level
steps, e.g., 1.1, are in bold type and provide the reviewer with a scope or high-level explanation of the
purpose for the substeps.
Step 3 itemizes the steps associated with the work program. To simplify the use of the program, the
audit/assurance program describes the audit/assurance objective—the reason for performing the steps in
the topic area. The specific controls follow and are shown in blue type. Each review step is listed below
the control. These steps may include assessing the control design by walking through a process,
interviewing, observing or otherwise verifying the process and the controls that address that process. In
many cases, once the control design has been verified, specific tests need to be performed to provide
assurance that the process associated with the control is being followed. Test objectives are shown in
green type. The specific test process follows the test objective.
The maturity assessment, which is described in more detail later in this document, makes up the last
section of the program.
The audit/assurance plan wrap-up—those processes associated with the completion and review of work
papers, preparation of issues and recommendations, report writing and report clearing—has been
excluded from this document, since it is standard for the audit/assurance function and should be identified
elsewhere in the enterprise’s standards.
COBIT Cross-reference
The COBIT cross-reference provides the audit/assurance professional with the ability to refer to the
specific COBIT control objective that supports the audit/assurance step. The COBIT control objective
should be identified for each audit/assurance step in the section. Multiple cross-references are not
uncommon. Processes at lower levels in the work program are too granular to be cross-referenced to
COBIT. The audit/assurance program is organized in a manner to facilitate an evaluation through a
structure parallel to the development process. COBIT provides in-depth control objectives and suggested
control practices at each level. As the professional reviews each control, he/she should refer to COBIT 4.1
or the IT Assurance Guide: Using COBIT for good-practice control guidance.
COSO Components
As noted in the introduction, COSO and similar frameworks have become increasingly popular among
audit and assurance professionals. This ties the assurance work to the enterprise’s control framework.
While the IT audit/assurance function has COBIT as a framework, operational audit and assurance
professionals use the framework established by the enterprise. Since COSO is the most prevalent internal
control framework, it has been included in this document and is a bridge to align IT audit/assurance with
the rest of the audit/assurance function. Many audit/assurance organizations include the COSO control
components within their report and summarize assurance activities to the audit committee of the board of
directors.
For each control, the audit and assurance professional should indicate the COSO component(s) addressed.
It is possible, but generally not necessary, to extend this analysis to the specific audit step level.
The original COSO internal control framework contained five components. In 2004, COSO was revised
as the Enterprise Risk Management (ERM) Integrated Framework and extended to eight components. The
primary difference between the two frameworks is the additional focus on ERM and integration into the
business decision model. ERM is in the process of being adopted by large enterprises. The two
frameworks are compared in figure 1.
Figure 1—Comparison of COSO Internal Control and ERM Integrated Frameworks

Internal Control Framework (five components)

Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, management’s operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.

Risk Assessment: Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, and thus risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.

Control Activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity’s objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

Information and Communication: Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.

Monitoring: Internal control systems need to be monitored—a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.

ERM Integrated Framework (eight components)

Internal Environment: The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

Objective Setting: Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.

Event Identification: Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.

Risk Assessment: Risks are analyzed, considering the likelihood and impact, as a basis for determining how they could be managed. Risk areas are assessed on an inherent and residual basis.

Risk Response: Management selects risk responses—avoiding, accepting, reducing or sharing risk—developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.

Control Activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.

Information and Communication: Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.

Monitoring: The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
Information for figure 1 was obtained from the COSO web site www.coso.org/aboutus.htm.
The original COSO internal control framework addresses the needs of the IT audit and assurance
professional: control environment, risk assessment, control activities, information and communication,
and monitoring. As such, ISACA has elected to utilize the five-component model for these
audit/assurance programs. As more enterprises implement the ERM model, the additional three columns
can be added, if relevant. When completing the COSO component columns, consider the definitions of
the components as described in figure 1.
Reference/Hyperlink
Good practices require the audit and assurance professional to create a work paper for each line item,
which describes the work performed, issues identified and conclusions. The reference/hyperlink is to be
used to cross-reference the audit/assurance step to the work paper that supports it. The numbering system
of this document provides a ready numbering scheme for the work papers. If desired, a link to the work
paper can be pasted into this column.
Issue Cross-reference
This column can be used to flag a finding/issue that the IT audit and assurance professional wants to
further investigate or establish as a potential finding. The potential findings should be documented in a
work paper that indicates the disposition of the findings (formally reported, reported as a memo or verbal
finding, or waived).
Comments
The comments column can be used to indicate the waiving of a step or other notations. It is not to be used
in place of a work paper describing the work performed.
III. Controls Maturity Analysis
One of the consistent requests of stakeholders who have undergone IT audit/assurance reviews is a desire
to understand how their performance compares to good practices. Audit and assurance professionals must
provide an objective basis for the review conclusions. Maturity modeling for management and control
over IT processes is based on a method of evaluating the organization, so it can be rated from a maturity
level of nonexistent (0) to optimized (5). This approach is derived from the maturity model that the
Software Engineering Institute (SEI) of Carnegie Mellon University defined for the maturity of software
development.
The IT Assurance Guide Using COBIT, Appendix VII—Maturity Model for Internal Control, in figure 2,
provides a generic maturity model showing the status of the internal control environment and the
establishment of internal controls in an enterprise. It shows how the management of internal control, and
an awareness of the need to establish better internal controls, typically develops from an ad hoc to an
optimized level. The model provides a high-level guide to help COBIT users appreciate what is required
for effective internal controls in IT and to help position their enterprise on the maturity scale.
Figure 2—Maturity Model for Internal Control

Maturity Level 0—Non-existent
Status of the Internal Control Environment: There is no recognition of the need for internal control. Control is not part of the organization’s culture or mission. There is a high risk of control deficiencies and incidents.
Establishment of Internal Controls: There is no intent to assess the need for internal control. Incidents are dealt with as they arise.

Maturity Level 1—Initial/ad hoc
Status of the Internal Control Environment: There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganized, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.
Establishment of Internal Controls: There is no awareness of the need for assessment of what is needed in terms of IT controls. When performed, it is only on an ad hoc basis, at a high level and in reaction to significant incidents. Assessment addresses only the actual incident.

Maturity Level 2—Repeatable but Intuitive
Status of the Internal Control Environment: Controls are in place but are not documented. Their operation is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve control issues are not prioritized or consistent. Employees may not be aware of their responsibilities.
Establishment of Internal Controls: Assessment of control needs occurs only when needed for selected IT processes to determine the current level of control maturity, the target level that should be reached and the gaps that exist. An informal workshop approach, involving IT managers and the team involved in the process, is used to define an adequate approach to controls for the process and to motivate an agreed-upon action plan.

Maturity Level 3—Defined
Status of the Internal Control Environment: Controls are in place and adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. While management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.
Establishment of Internal Controls: Critical IT processes are identified based on value and risk drivers. A detailed analysis is performed to identify control requirements and the root cause of gaps and to develop improvement opportunities. In addition to facilitated workshops, tools are used and interviews are performed to support the analysis and ensure that an IT process owner owns and drives the assessment and improvement process.

Maturity Level 4—Managed and Measurable
Status of the Internal Control Environment: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.
Establishment of Internal Controls: IT process criticality is regularly defined with full support and agreement from the relevant business process owners. Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough and measured analysis involving key stakeholders. Accountability for these assessments is clear and enforced. Improvement strategies are supported by business cases. Performance in achieving the desired outcomes is consistently monitored. External control reviews are organized occasionally.

Maturity Level 5—Optimized
Status of the Internal Control Environment: An enterprisewide risk and control program provides continuous and effective control and risk issues resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively involved in control improvements.
Establishment of Internal Controls: Business changes consider the criticality of IT processes and cover any need to reassess process control capability. IT process owners regularly perform self-assessments to confirm that controls are at the right level of maturity to meet business needs and they consider maturity attributes to find ways to make controls more efficient and effective. The organization benchmarks to external best practices and seeks external advice on internal control effectiveness. For critical processes, independent reviews take place to provide assurance that the controls are at the desired level of maturity and working as planned.
The maturity model evaluation is one of the final steps in the evaluation process. The IT audit/assurance
professional can address the key controls within the scope of the work program and formulate an
objective assessment of the maturity levels of the control practices. The maturity assessment can be a part
of the audit/assurance report and can be used as a metric from year to year to document progression in the
enhancement of controls. However, it must be noted that the perception as to the maturity level may vary
between the process/IT asset owner and the auditor. Therefore, an auditor should obtain the concerned
stakeholder’s concurrence before submitting the final report to management.
At the conclusion of the review, once all findings and recommendations are completed, the professional
assesses the current state of the COBIT control framework and assigns it a maturity level using the six-level scale. Some practitioners utilize decimals (x.25, x.5, x.75) to indicate gradations in the maturity
model. As a further reference, COBIT provides a definition of the maturity designations by control. While
this approach is not mandatory, the process is provided as a separate section at the end of the
audit/assurance program for those enterprises that wish to implement it. It is suggested that a maturity
assessment be made at the COBIT control level. To provide further value to the client/customer, the
professional can also obtain maturity targets from the client/customer. The graphic presentation
describing the achievement or gaps between the actual and targeted maturity goals has been removed
from this presentation since the COBIT subsections within the scope of this review are too limited to be of
significance. It is suggested that the maturity assessment for this review be included in the IT information
security review, which would focus on the Deliver and Support (DS) domain, IT process DS5 Ensure
systems security. A graphic is provided on the last page of this document (section VII), based on sample
assessments.
IV. Assurance and Control Framework
ISACA IT Assurance Framework and Standards
The following sections in ITAF are relevant to identity management:
• 3425—IT Information Strategy
• 3450—IT Processes (Operations, Human Resources, Development, etc.)
• 3490—IT Support of Regulatory Compliance
• 3630.7—Information Security Management
• 3630.11—Network Management and Controls
• 3630.17—Identification and Authentication
ISACA has long recognized the specialized nature of IT assurance and strives to advance globally
applicable standards. Guidelines and procedures provide detailed guidance on how to follow those
standards. IS Auditing Standard S15 IT Controls, and IS Auditing Guidelines G11 Effect of Pervasive IS
Controls and G38 Access Controls are relevant to this audit/assurance program.
ISACA Controls Framework
COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap
among control requirements, technical issues and business risks. COBIT enables clear policy development
and good practice for IT control throughout enterprises.
Utilizing COBIT as the control framework on which IT audit/assurance activities are based aligns IT
audit/assurance with good practices as developed by the enterprise.
The COBIT Plan and Organize (PO) and Deliver and Support (DS) domains apply to this evaluation and
include:
• PO2.3 Data classification scheme—Establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity (e.g., public, confidential, top secret) of enterprise data. This scheme should include details about data ownership; definition of appropriate security levels and protection controls; and a brief description of data retention and destruction requirements, criticality and sensitivity. It should be used as the basis for applying controls such as access controls, archiving or encryption.
• PO4.8 Responsibility for risk, security and compliance—Embed ownership and responsibility for IT-related risks within the business at an appropriate senior level. Define and assign roles critical for managing IT risks, including the specific responsibility for information security, physical security and compliance. Establish risk and security management responsibility at the enterprise level to deal with organizationwide issues. Additional security management responsibilities may need to be assigned at a system-specific level to deal with related security issues. Obtain direction from senior management on the appetite for IT risk and approval of any residual IT risks.
• DS5.3 Identity management—Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities. Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person. Maintain user identities and access rights in a central repository. Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.
• DS5.4 User account management—Address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures. Include an approval procedure outlining the data or system owner granting the access privileges. These procedures should apply for all users, including administrators (privileged users) and internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information should be contractually arranged for all types of users. Perform regular management review of all accounts and related privileges.
Refer to the IT Governance Institute’s COBIT Control Practices: Guidance to Achieve Control Objectives
for Successful IT Governance, 2nd Edition, published in 2007, for the related control practice value and
risk drivers.
V. Executive Summary of Audit/Assurance Focus
Identity Management
Identity management is the procedure surrounding the establishment (provisioning) and maintenance of
user IDs, and authentication and monitoring processes to provide assurance that only authorized users
have access to the business applications and the operating environments (Microsoft® Windows networks,
mainframes and distributed systems) that support the applications.
Businesses rely upon the integrity of the applications and the computer systems on which they operate to
identify and authenticate the initiator and processor of transactions and intellectual property (analysis,
email, reports, presentations, etc.). Essential to the process is accurate and timely identification of each
user on the system, to attain assurance that the individual assigned to the user ID can be held accountable
for the activity performed by the user ID.
Key issues in the process include the following:
 The identity management strategy aligns with the corporate identity policy and the IT architecture. An
identity management strategy that is not in alignment with policy and architecture can result in
expensive control procedures and/or ineffective security over user access.
© 2009 ISACA. All rights reserved. Page 10
Identity Management Audit/Assurance Program
 The central authentication system, often referred to as a single-sign-on system, removes the
responsibility of access control from the individual applications and replaces it with an enterprisewide
solution. Under this approach, all user authentication and maintenance processes are directed to one
automated system, eliminating maintenance and control assessments of each application as well as
user responsibility for remembering multiple user ID/password combinations. Single-sign-on
solutions may not integrate with legacy applications and computer systems, limiting their usefulness,
or requiring interim application-centric access security solutions until an interface is available or the
application is replaced.
 The authentication process includes a risk assessment of the sensitivity of data available to the user,
the location from which the user is requesting access (internal network or external Internet) and the
selection of an authentication process commensurate with the risk. The solutions may include a
traditional user ID/password combination; the use of a token (e.g., SecurID), which requires a
password and a device that identifies the possessor of the token as an approved user; or a biometric
mechanism, which ties the user to a physical attribute (e.g., fingerprint, retina scan).
 Unique identity is necessary to identify the specific initiator of a transaction and provide forensic
capabilities if it becomes necessary to investigate the originator of a transaction for legal or
operational reasons. It is important that the identity be unambiguous to satisfy human resources (HR)
termination requirements and, potentially, litigation requirements. A new user can be either a
casual/curious Internet user or a potential business partner. The real challenge lies in trying to
distinguish between the two and initiate appropriate action. Therefore, the risk assessment exercise
should bear this in mind.
 The access policy establishes how often passwords must be changed (including password history), the
complexity of passwords to minimize the risk of hacking, and limitations on or logging of the
activities of administrators with superuser access that may bypass traditional controls.
 User provisioning includes the approvals necessary to create a new user, to ensure that when a user is
transferred, his/her access authorities are changed to be in alignment with the new job function, and to
ensure terminated users no longer have access to enterprise data.
 Violation monitoring ensures that access violations are identified, evaluated for risk, and escalated to
the appropriate information security professional for investigation or addressed to prevent occurrence
in the future. The latter may include retraining or a form of censure.
 Accounts are linked to unique user IDs, which will give the organization the ability to react to orphan
accounts (accounts without an owner).
 Roles are linked to accounts/unique user IDs.
 Role management exists, specifying the roles from initiation to revocation as user IDs are managed.
The issues described above become the scope of the identity management function.
Business Impact and Risk
The impact on the business and the accompanying risk is significant. Identity management and its
processes are the keys to the enterprise’s information door. Unauthorized access can result in loss of
assets or intellectual property, distribution of sensitive data and information, loss of data integrity, or
business disruption. As a result, the enterprise might be exposed to reputational risk (public relations
issues with the customers or public), regulatory risk (inability to satisfy regulatory processing
requirements due to an outage or violation of a regulation), operational risk (inability to process critical
business functions), internal human relations issues (relating to payroll and employee privacy) and
financial risk (either loss of physical assets or the costs to remediate the other risks identified). Identity
management seeks to minimize the risk by identifying users and establishing uniform access controls,
managed centrally, with appropriate reporting and actions to remediate unauthorized access. In the
absence of a centrally administered system, identity management seeks to establish standard access and
identity methods that are used by application systems to achieve the identity policies.
Objective and Scope
Objective—The objective of the audit/assurance review is to provide management with an independent
assessment relating to the effectiveness of identity management and its policies, procedures, and
governance activities.
Scope—The review will focus on the identity management standards, guidelines and procedures as well
as on the implementation and governance of these activities. Application-specific user access
management—typically the task of the respective application and not that of the identity management
system—is outside the scope of this review.¹
Minimum Audit Skills
The IT audit and assurance professional must have an understanding of good-practice information
security processes, identity management practices, and user authentication processes and techniques.
Professionals who have achieved CISA certification should have these skills. Technical skills necessary to
perform some audit steps may require specific understanding of information security, network analysis,
operating systems and database tools.
¹ The line of demarcation between the two tends to get blurred in a complex enterprise IT infrastructure environment. It would
be prudent to include a disclaimer in the audit report, as appropriate, to indicate that the engagement scope does not include
review of user access management of individual applications.
VI. Audit/Assurance Program
1. PLANNING AND SCOPING THE AUDIT
1.1 Define audit/assurance objectives.
The audit/assurance objectives are high level and describe the overall audit goals.
1.1.1 Review the audit/assurance objectives
1.1.2 Modify the audit/assurance objectives to align with the audit/business
objectives
1.2 Define boundaries of review.
The review must have a defined scope. The reviewer must understand the operating
environment and prepare a proposed scope, subject to a later risk assessment.
1.2.1 Perform a high-level walkthrough of the processes affected by information
security.
1.2.1.1 Determine the applications and/or operating environments that are serviced (or should
be serviced), specifically the protection of systems via the firewall, intrusion detection,
intrusion prevention and security information management.
1.2.1.2 Obtain and review the enterprise network diagram to gain an overall
understanding of the network components likely to impact/support
the security information management system.
1.2.2 Establish initial boundaries of the audit/assurance review.
1.2.2.1 Identify limitations and/or constraints affecting the audit of specific
systems.
1.3 Define assurance.
The review requires two sources of standards. The corporate standards defined in policy
and procedure documentation establish the corporate expectations. At minimum,
corporate standards should be implemented. The second source, a good-practice
reference, establishes industry standards. Enhancements should be proposed to address
gaps between the two.
[Audit/assurance program table columns: Audit/Assurance Program Step; COSO cross-reference (Control
Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring); COBIT
cross-reference; NIST cross-reference; ISACA cross-reference; Issue cross-reference; Comments]
1.3.1 Obtain company security management policy and standards documentation.
1.3.2 Determine if COBIT/ISACA/COSO and the appropriate security management
framework will be used as a good-practice reference.
1.4 Identify and document risks.
The risk assessment is necessary to evaluate where audit resources should be focused.
The risk-based approach assures utilization of audit resources in the most effective
manner.
1.4.1 Identify the business risk associated with the security management threats.
1.4.2 Identify the technology risks associated with the security management threats.
1.4.3 Evaluate business and technology risks and vulnerabilities.
1.4.4 Based on the risk assessment, identify changes to the scope.
1.4.5 Discuss the risks with IT, business and operational audit management, and
adjust the risk assessment.
1.4.6 Based on the risk assessment, revise the scope.
1.5 Define the change process.
The initial audit approach is based on the reviewer’s understanding of the operating
environment and associated risks. As further research and analysis are performed,
changes to the scope and approach will result.
1.5.1 Identify the senior IT audit/assurance resource responsible for the review.
1.5.2 Establish the process for suggesting and implementing changes to the
audit/assurance program, and list the authorizations required.
1.6 Define assignment success.
The success factors need to be identified. Communication among the IT audit/assurance
team, other assurance teams and the enterprise is essential.
1.6.1 Identify the drivers for a successful review (this should exist in the
audit/assurance function’s standards and procedures).
1.6.2 Communicate success attributes to the process owner or stakeholder, and
obtain agreement.
1.7 Define audit/assurance resources required.
The resources required are defined in the introduction to this audit/assurance program.
1.7.1 Determine the audit/assurance skills necessary for the review.
1.7.2 Determine whether any specialist professionals are necessary for the review.
1.7.3 Estimate the total resources (hours) and time frame (start and end dates)
required for review.
1.8 Define deliverables.
The deliverable is not limited to the final report. Communication between the
audit/assurance teams and the process owner is essential to assignment success.
1.8.1 Determine the interim deliverables, including initial findings, status reports,
draft reports, due dates for responses and the final report.
1.9 Communications
The audit/assurance process is clearly communicated to the customer/client.
1.9.1 Conduct an opening conference to discuss the review objectives with the
executive responsible for operating systems and infrastructure.
2. UNDERSTANDING SUPPORTING INFRASTRUCTURE
2.1 Security management is supported by entity standards, processes and
procedures. To properly evaluate the process, the supporting infrastructure
needs to be reviewed and evaluated.
2.1.1 Obtain and review the current organizational chart for the IT department and
the business units.
2.1.2 Interview the senior security officer and the IT security administrator.
2.1.2.1 Identify who has responsibility for security management.
2.1.3 Obtain a copy of the following:
 IT information security strategy and architecture documentation
 Identify firewall protection
 Identify intrusion detection, intrusion prevention and security
information management systems (if applicable)
 Identify licenses and contracts
 Identify update policies and procedures
 Verify the most recent update and the next due date
 List of external entities with access to the network and applications (e.g., third-
party security providers, vendors, partners and customers, employees who
access the system from outside the firewall/network)
 Role owners
 Role procedures
 Role policies
3. INFORMATION SECURITY MANAGEMENT
Audit/assurance objective: Identify the security management system; it should be in alignment
with the IT architecture.
3.1 Security Management Strategy
Audit/assurance objective: Identify the security management system; it should be in alignment
with the IT architecture.
3.1.1 Information Security Management systems
Control: The Information Security Management system considers the IT
strategy and infrastructure, and addresses firewall and intrusion
prevention/detection requirements and standards.
COBIT cross-reference: PO2.3, PO2.4, PO3.4
3.1.1.1 Verify that the information security management system selected
protects the IT operating platforms and applications in use or
planned in the IT strategy.
3.1.1.2 Obtain information about data ownership; appropriate security levels
and protection controls; a brief description of data archiving or
encryption.
3.1.1.3 Determine if there are interfaces to the authentication system; if so,
obtain and review specifications.
3.1.1.4 Determine policies and procedures to ensure the integrity and
consistency of all data stored in electronic form, such as databases,
data warehouses and data archives.
3.1.1.5 Determine compliance standards and practices based on business
relevance and compare with external requirements (where
applicable).
4. INTRUSION PREVENTION AND DETECTION SYSTEM (IPDS)
Audit/assurance objective: To ensure that preventive, detective and corrective measures are in
place and working as intended to protect the information system from intrusion.
4.1.1 IPDS
Control: The IPDS is the primary authentication controller for preventing and
detecting intrusion to the network and operating systems.
COBIT cross-reference: DS5.5, DS5.6, DS5.7, DS5.9
4.1.1.1 Obtain the documentation of policy/procedures for access
requirements to the IPDS.
4.1.1.2 Obtain the policy for security documentation disclosure.
4.1.1.3 Obtain log/system notifications of unauthorized access attempts.
4.1.2 IPDS Updates
Control: Update the intrusion prevention and detection system (IPDS) when a new
threat is detected and according to vendor recommendations.
4.1.2.1 Obtain log files listing update schedules and confirming successful
implementation.
4.1.2.1.1 Log file for operating system patches
4.1.2.1.2 Log file for IPDS system updates
4.1.2.1.3 Log file for antivirus software updates
COBIT cross-reference: DS5.5
4.1.3 IPDS Tests
Control: Test the intrusion prevention and detection system (IPDS) to determine
whether threats can be detected.
4.1.3.1 Determine the procedures for testing the intrusion detection system.
4.1.3.2 Verify that intrusion detection system tests were performed.
4.2 Authentication
Audit/assurance objective: User authentication methods should be based on risk, and
multitier authentication should be used where access to sensitive data is involved. Single-
sign-on technologies should be utilized where possible to limit the number of user IDs
and passwords that a user must remember. Where single sign-on is not feasible,
compensating controls equivalent to the single-sign-on functionality should be present.
4.2.1 Risk assessment
Control: Risk assessment has been utilized to determine whether single or
multitier authentication is required.
COBIT cross-reference: DS5.3, DS5.4
4.2.1.1 Verify that a risk assessment has been performed to determine the
authentication mechanism to be employed (simple user ID and
password, token and password, or biometric verification) for each
class of user, and the risk assessment defines the users and/or
profiles within each class.
4.2.1.2 Based on risk assessment, determine how tokens or biometric
authentication are being employed.
4.2.1.3 Test objective: To verify that a risk assessment has categorized the
types of authentication to be used.
4.2.1.3.1 Obtain the risk assessment used to determine
authentication requirements.
4.2.1.3.2 Select users from the various risk classes.
4.2.1.3.3 Verify that the appropriate authentication has been
employed based on risk and the related policy.
4.2.2 Single sign-on
Control: A single-sign-on system is implemented to ensure uniform application
of access control.
4.2.2.1 If a single-sign-on process is utilized for applications and online
access, determine if the user ID and passwords are automatically
synchronized.
4.2.2.2 If a scripting/macro process is used to emulate single sign-on,
determine if the scripting process is secure to prevent unauthorized
changes to the scripting process.
4.2.3 Non-single sign-on
Control: Where single-sign-on systems are not feasible, each application and
system is in compliance with policy and good practices.
COBIT cross-reference: DS5.3, DS5.4
4.2.3.1 If a single-sign-on solution is not in place, verify that the user
authentication for each application and system is in compliance with
policy and good practices.
4.2.3.1.1 Test objective: To verify that nonsingle-sign-on solutions
are in compliance with policy
4.2.3.1.1.1 Identify the applications that are not in
compliance with a single-sign-on policy.
4.2.3.1.1.2 Select standard and superuser IDs from each
major application (using the established risk
criteria selected for the audit/assurance
review).
4.2.3.1.1.3 Verify that authentication is in compliance with
policy and good practices.
4.3 Identity repository
Audit/assurance objective: User IDs and access rights should be maintained in a secure
central repository.
4.3.1 Identity management databases
Control: Identity management databases are secure from unauthorized access
or modification.
COBIT cross-reference: DS5.3
4.3.1.1 Verify that directory services and the databases that support them are
secure.
4.3.1.1.1 Verify that the directory services databases are behind a
firewall and demilitarized zone (DMZ).
4.3.1.1.2 Verify that only authorized administrators have access to
these databases by examining access rights to the
databases and database utilities.
4.3.1.1.3 Verify that data integrity tools to verify access rights are
installed and evaluated regularly.
4.4 Unique identity
Audit/assurance objective: All users (internal, external and temporary) and their activity
on IT systems (business application, IT environment, system operations, development and
maintenance) should be uniquely identifiable.
4.4.1 Unique user IDs
Control: All user IDs are unique when assigned. The naming convention does
not identify the user’s name or private information about the user, and shared
user IDs are prohibited where data are modified, added or deleted.
4.4.1.1 Verify that unique identifiers are not also personal identifiers (e.g.,
social or medical identifiers).
4.4.1.2 Determine if the user ID naming convention is based on difficult-to-
guess character/numeric combinations. (If the user ID is derived from the
user's name, there is a greater risk of user ID hacking attempts.)
4.4.1.3 Determine if any user IDs (administrator, application, system or
user) are shared. If shared, determine how the user can be identified
and held accountable for the activities performed by the user ID.
4.4.1.4 Determine how users with multiple IDs are monitored regularly.
4.4.1.4.1 Test objective: To verify activity review of users with
multiple IDs
4.4.1.4.1.1 Obtain reports associated with multiple ID
usage.
4.4.1.4.1.2 Review reports for evidence of IT management
review of ID usage.
4.4.1.4.1.3 Determine if the review process adequately
identifies and monitors multiple user ID
activity.
4.4.2 System administrator IDs
Control: System administrators are assigned unique superuser IDs for systems
maintenance, and standard user IDs for routine general activities.
COBIT cross-reference: DS5.3, DS5.4
4.4.2.1 Determine if system administrators have been assigned separate
unique IDs to be used for systems maintenance and general user IDs
to be used for administrative and general use.
4.4.2.1.1 Test objective: To verify that unique user IDs are used,
administrators have separate superuser and standard user
IDs, and the IDs are not shared
4.4.2.1.1.1 Select a sample of user IDs of systems
administrators.
4.4.2.1.1.2 Identify superuser IDs and determine if they
are shared.
4.4.2.1.1.3 Identify standard user IDs and determine if
controls are in place to minimize their use
(location or program limitations).
4.4.2.1.1.4 Determine if superuser IDs are being used for
general purposes where superuser access is not
required.
4.5 Access policy
Audit/assurance objective: An access policy should be established and enforced.
4.5.1 User ID policy
Control: User IDs and passwords are confidential, secure and changed
routinely.
COBIT cross-reference: DS5.3, DS5.4
4.5.1.1 Determine if the access policy requires user IDs to be disabled after a
preestablished number of failed logon attempts (good practices
recommend the failed logon attempts be set at three).
4.5.1.1.1 Test objective: To verify that the user ID lockout policy
is being enforced
4.5.1.1.1.1 Generate a report describing default user
lockout settings.
4.5.1.1.1.2 Generate a report describing users not in
compliance with default lockout settings.
4.5.1.2 Determine if user sessions are disconnected or locked after a
predefined idle period (depending on data sensitivity, good-practice
maximum idle time is between five and 30 minutes).
4.5.1.2.1 Test objective: To verify that the user idle lockout policy
is enforced
4.5.1.2.1.1 Generate a report describing default idle
lockout settings.
4.5.1.2.1.2 Generate a report identifying users not in
compliance with idle lockout settings.
4.5.1.3 Determine if complex passwords are in use (defined as
character/numeric combinations and the use of special characters
[#$%] or upper- and lowercase letters).
4.5.1.3.1 Test objective: To verify that all users subscribe to the
complex password policy
4.5.1.3.1.1 Generate a report describing default password
composition settings and password history
requirements.
4.5.1.3.1.2 Generate a report identifying user IDs not in
compliance with the policy.
4.5.1.4 Determine if passwords and user IDs can be the same or if the
password can contain the user ID.
4.5.1.5 Determine if users are prohibited from being logged in on multiple
terminals. For users who require this feature, determine if their
usage is monitored.
4.5.1.5.1 Test objective: To verify use of multiple concurrent
terminal sessions
4.5.1.5.1.1 Generate a report describing users who may
operate multiple concurrent terminal sessions.
4.5.1.5.1.2 Determine if appropriate supervisory approval
to permit this practice is documented and
revalidated annually.
4.5.1.6 Determine if password change is required after a defined number of
days depending on the duties of the user and the sensitivity of data
available to the user (good practices: seven for highly sensitive data
and systems administrators, 30 days for general users).
4.5.1.6.1 Test objective: To verify that the number of days between
password change is in compliance with the policy
4.5.1.6.1.1 Obtain the policy for the interval between
password changes.
4.5.1.6.1.2 Determine if the interval is tied to sensitivity of
information for that user or class of users.
4.5.1.6.1.3 Generate a report by class of user, and identify
users not in compliance with the policy.
4.5.1.7 Determine if password reuse is restricted (good practice is no reuse
for six generations).
4.5.1.7.1 Test objective: To verify adherence to password reuse
policy
4.5.1.7.1.1 Generate a report identifying users who are not
required to limit password reuse, or when the
number of generations is fewer than the
policy.
4.5.1.8 Determine if the password reset policy requires the user to provide
previously documented challenge and response questions that only
the valid user would know.
4.5.1.9 Determine if users must immediately reset the temporary password
on initial login.
4.5.1.10 Determine if a random temporary password is provided to the user
when a suspended user ID is reset. If not, determine how users are
prevented from accessing user IDs with pending password resets.
4.5.1.11 Determine if the challenge and response questions contain personal
identity information (e.g., Social Security number).
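The reports called for in steps 4.5.1.1 through 4.5.1.7 (default settings, and the users not in compliance with them) can be produced from an export of per-account policy settings. The following Python script is an added example and is not part of the ISACA program: it applies the good-practice thresholds stated in those steps (lockout after three failed logons, idle lock within 30 minutes, seven-day password age for administrators and sensitive data versus 30 days for general users, six generations of history, and a composition rule that also rejects passwords containing the user ID) to a constructed export and returns each non-compliant user ID with its findings. The AccountSettings layout, the user classes and the sample accounts are assumptions made for illustration.

```python
"""Access-policy compliance check for audit steps 4.5.1.1 to 4.5.1.7.

Added example; the export layout and the sample accounts are constructed assumptions.
"""
from dataclasses import dataclass

# Good-practice thresholds as stated in the audit steps.
MAX_FAILED_LOGONS = 3                  # 4.5.1.1: disable the ID after three failed attempts
MAX_IDLE_MINUTES = 30                  # 4.5.1.2: idle lock between five and 30 minutes
MAX_PASSWORD_AGE_DAYS = {              # 4.5.1.6: seven days for admins/sensitive data, 30 for general
    "admin": 7, "sensitive": 7, "general": 30}
MIN_HISTORY_GENERATIONS = 6            # 4.5.1.7: no reuse for six generations


@dataclass
class AccountSettings:
    """Effective policy settings for one user ID (assumed export layout). 0 means 'never'."""
    user_id: str
    user_class: str             # "admin", "sensitive" or "general"
    lockout_threshold: int      # failed logons before the ID is disabled
    idle_timeout_minutes: int   # idle period before the session is locked
    max_password_age_days: int  # days before a password change is forced
    history_generations: int    # previous passwords that may not be reused
    complexity_enforced: bool   # platform enforces the composition rule


def meets_complexity(candidate: str, user_id: str) -> bool:
    """Composition rule from 4.5.1.3 and 4.5.1.4: letters and digits, plus either a
    special character or mixed case, and the user ID must not appear in the password."""
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    has_special = any(not c.isalnum() for c in candidate)
    mixed_case = any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
    contains_id = user_id.lower() in candidate.lower()
    return has_alpha and has_digit and (has_special or mixed_case) and not contains_id


def check_account(acct: AccountSettings) -> list:
    """Return the policy findings for one account; an empty list means compliant."""
    findings = []
    if acct.lockout_threshold == 0 or acct.lockout_threshold > MAX_FAILED_LOGONS:
        findings.append(f"lockout after {acct.lockout_threshold} failed logons (max {MAX_FAILED_LOGONS})")
    if acct.idle_timeout_minutes == 0 or acct.idle_timeout_minutes > MAX_IDLE_MINUTES:
        findings.append(f"idle lock after {acct.idle_timeout_minutes} min (max {MAX_IDLE_MINUTES})")
    age_limit = MAX_PASSWORD_AGE_DAYS[acct.user_class]
    if acct.max_password_age_days == 0 or acct.max_password_age_days > age_limit:
        findings.append(f"password age {acct.max_password_age_days} days (max {age_limit} for {acct.user_class})")
    if acct.history_generations < MIN_HISTORY_GENERATIONS:
        findings.append(f"password history {acct.history_generations} generations (min {MIN_HISTORY_GENERATIONS})")
    if not acct.complexity_enforced:
        findings.append("password complexity not enforced")
    return findings


def noncompliance_report(accounts) -> dict:
    """Map each non-compliant user ID to its findings (the 'users not in compliance' report)."""
    return {a.user_id: f for a in accounts if (f := check_account(a))}


# Constructed sample export: a compliant general user, an administrator left on the
# general-user baseline, and a service account exempted from every rule.
SAMPLE_ACCOUNTS = [
    AccountSettings("usr042", "general", 3, 15, 30, 6, True),
    AccountSettings("adm017", "admin", 5, 60, 30, 6, True),
    AccountSettings("svc_batch", "general", 0, 0, 0, 0, False),
]

if __name__ == "__main__":
    for user_id, findings in noncompliance_report(SAMPLE_ACCOUNTS).items():
        print(user_id)
        for finding in findings:
            print("  -", finding)
```

The idle-timeout check only flags values above 30 minutes or "never"; a shorter timeout than the five-minute floor is stricter than the good practice and is not a finding. Administrator and sensitive-data accounts are measured against the seven-day password age, which is what separates adm017 from a general user with identical settings.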
4.5.2 Location-based access control
Control: Location-based controls limit access to data based on location and
authentication method.
COBIT cross-reference: DS5.3
4.5.2.1 Determine if access to specific resources from outside the enterprise
network is limited based on level of confidentiality of data.
4.5.2.2 Determine if access to specific resources from external entry points
is based on the use of two-tier authentication, e.g., virtual private
network (VPN).
4.6 User provisioning
Audit/assurance objective: User access rights should be requested by user management,
approved by system owners and implemented by the person responsible for security, and
should be in alignment with the user’s job requirements.
COBIT cross-reference: DS5.3
4.6.1 User access and job function
Control: User access is determined based on job function, considers separation
of duties, and utilizes job profiles to simplify granting and maintaining access
rights.
4.6.1.1 Determine if a separation of duties (SOD) chart has been established for each job
function, identifying incompatible roles, profiles and rights.
4.6.1.1.1 Test objective: To verify that the SOD tables describe the
job functions and transactions/access points, are kept
current, and are regularly reviewed
4.6.1.1.1.1 Obtain the SOD tables for a selection of job
functions (use risk basis for selection and
include applications and platforms within
scope).
4.6.1.1.1.2 Verify the appropriateness of the SOD tables
by interviewing department management and
information security staff, and observing
operations.
4.6.1.2 Determine if job profiles identifying the access requirements for each
position are established and used to provide uniformity in granting
access (including applications transactions, directory/folders, time
of day and originating location access).
4.6.1.3 Confirm that user access rights to systems and data are in line with
defined and documented business needs and job requirements are
attached to user identities.
4.6.1.4 Verify that new user access rights are not copied from existing users
(this practice raises the potential for accidentally granting special
privileges).
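Several of the checks above are queries against the central identity repository: orphan accounts (section V), users with multiple IDs (4.4.1.4), administrators who lack a separate standard ID (4.4.2.1) and SOD conflicts against the incompatible-role table (4.6.1.1). The following Python script is an added example, not part of the ISACA program, that runs those four checks over a constructed repository extract and HR list. It evaluates SOD per person across all of that person's user IDs, so a conflict split over two accounts is still found. The Person and Account layouts, the SOD table and the sample records are assumptions.

```python
"""Identity repository review: orphan accounts, multiple IDs, administrator IDs and SOD
conflicts (audit steps 4.4.1.4, 4.4.2.1 and 4.6.1.1, and the orphan-account issue in section V).

Added example; the repository layout, the SOD table and all sample records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Person:
    """HR master record (assumed layout)."""
    person_id: str
    status: str               # "active" or "terminated"


@dataclass
class Account:
    """Entry in the central identity repository (assumed layout)."""
    user_id: str
    owner: Optional[str]      # person_id, or None when no owner is recorded
    roles: frozenset
    privileged: bool = False  # superuser ID used for systems maintenance


# Constructed SOD table: role pairs one individual must not hold together (4.6.1.1).
SOD_TABLE = [
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE"}),
    frozenset({"USER_ADMIN", "SECURITY_LOG_REVIEW"}),
]


def accounts_by_person(accounts):
    """Group accounts under their owning person; ownerless accounts are left out."""
    grouped = defaultdict(list)
    for acct in accounts:
        if acct.owner is not None:
            grouped[acct.owner].append(acct)
    return grouped


def orphan_accounts(accounts, persons):
    """User IDs with no owner, or whose owner is unknown to HR or terminated."""
    active = {p.person_id for p in persons if p.status == "active"}
    return sorted(a.user_id for a in accounts if a.owner not in active)


def multiple_ids(accounts):
    """Persons holding more than one user ID, for the review required by 4.4.1.4."""
    return {person: sorted(a.user_id for a in accts)
            for person, accts in accounts_by_person(accounts).items() if len(accts) > 1}


def sod_conflicts(accounts):
    """SOD violations evaluated over the union of roles across each person's IDs."""
    conflicts = []
    for person, accts in accounts_by_person(accounts).items():
        held = frozenset().union(*(a.roles for a in accts))
        for pair in SOD_TABLE:
            if pair <= held:
                conflicts.append((person, tuple(sorted(pair))))
    return sorted(conflicts)


def admins_without_standard_id(accounts):
    """Persons who hold a superuser ID but no standard ID for routine work (4.4.2.1)."""
    return sorted(person for person, accts in accounts_by_person(accounts).items()
                  if any(a.privileged for a in accts) and all(a.privileged for a in accts))


# Constructed sample data.
PERSONS = [Person("p001", "active"), Person("p002", "active"),
           Person("p003", "terminated"), Person("p004", "active")]
ACCOUNTS = [
    Account("usr001", "p001", frozenset({"AP_INVOICE_ENTRY"})),
    Account("usr002", "p002", frozenset({"AP_PAYMENT_APPROVE"})),
    Account("usr002b", "p002", frozenset({"AP_INVOICE_ENTRY"})),  # second ID with a conflicting role
    Account("usr003", "p003", frozenset({"GL_POSTING"})),         # owner is terminated
    Account("svc_legacy", None, frozenset({"GL_POSTING"})),       # no owner recorded
    Account("adm004", "p004", frozenset({"USER_ADMIN"}), privileged=True),
]

if __name__ == "__main__":
    print("orphan accounts:", orphan_accounts(ACCOUNTS, PERSONS))
    print("multiple IDs:", multiple_ids(ACCOUNTS))
    print("SOD conflicts:", sod_conflicts(ACCOUNTS))
    print("admins without standard ID:", admins_without_standard_id(ACCOUNTS))
```

Each function returns plain lists or dictionaries so the results can be attached as evidence to the corresponding test objective; the sample data is sized to trigger exactly one finding per check.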
4.6.2 Supervisory approval of user provisioning
Control: User provisioning requires supervisory approval and is routinely
reviewed by management, and data owners are responsible for approving and
monitoring users who access data under their custodianship.
COBIT cross-reference: DS5.3, DS5.4
4.6.2.1 Determine if a request for user provisioning requires a supervisor’s
approval, if access requirements in excess of those established for
the job function require a supervisor’s approval, and if data owners
must authorize access to their data.
4.6.2.2 If a user requires access to data or an application owned by another
department, determine if the owner of the data approves access
initially and routinely reviews access rights.
4.6.2.3 Test objective: To verify evidence that requests for user
provisioning are approved by a supervisor and data owner
4.6.2.3.1 Obtain a sample of user requests that includes various
platforms and applications according to risk of the
applications and business processes operating in that
environment.
4.6.2.3.2 Verify the signatures of supervisors and data owners.
4.6.2.4 Determine how user access is routinely reviewed and explicitly
approved by the user’s supervisor.
4.6.2.4.1 Test objective: To verify that user access is regularly
reviewed
4.6.2.4.1.1 Select a sample of departments’ routine review
of user access privileges (generally a report of
access rules distributed to supervisors).
4.6.2.4.1.2 Verify that the supervisor approved the access
privileges, and note any changes requested.
4.6.2.4.1.3 If changes were requested, determine why they
were necessary (transfer or termination request
was not processed, etc.).
4.6.2.5 If users establish their own identities, verify that they are reviewed
and approved before being enabled.
4.6.3 Monitoring of access changes
Control: Access changes are monitored by security staff, data owners and
department managers.
COBIT cross-reference: DS5.3, DS5.4
4.6.3.1 Determine how activity logs are generated, monitored and reviewed
by management.
4.6.3.1.1 Test objective: To verify activity log monitoring and
review
4.6.3.1.1.1 Obtain activity logs for a period within the
scope of the review. Select logs from the
various systems and applications based on
business risk.
4.6.3.1.1.2 Review for evidence of management review
and escalation.
4.6.3.2 Determine if data owners, security staff and department managers
receive reports on access changes within their area of responsibility.
4.6.3.3 Determine if reviews are evidenced by a signature.
4.6.4 Contractor access
Control: Contractor access requires managerial approval and is reviewed
frequently, and the user ID is immediately disabled at the conclusion of the
contract.
COBIT cross-reference: DS5.3, DS5.4
4.6.4.1 Determine if a contractor access policy has been established that
requires authorization by management before a user ID is assigned,
data owners’ approval of access rights, and automatic disabling of
user ID upon contract expiration or termination of consultant.
4.6.4.1.1 Test objective: To verify adherence to the contractor access
policy
4.6.4.1.1.1 Obtain the list of contractors with access to the
systems.
4.6.4.1.1.2 Obtain a request for vendor access.
4.6.4.1.1.3 Verify signatures and expiration date.
4.6.4.1.1.4 Determine if the contractor ID had been
disabled according to request.
4.6.4.1.1.5 Determine if the contractor access request is in
alignment with agreed-upon duties.
4.7 User termination and transfer
Audit/assurance objective: User access should be disabled upon termination; when a
user’s duties change, access rights should be modified to fit the new job function.
4.7.1 User termination
Control: User IDs are immediately disabled upon termination.
COBIT cross-reference: DS5.3, DS5.4
4.7.1.1 Determine how the identity management administrator receives
notification of a user termination.
4.7.1.1.1 Determine if the procedures vary for voluntary and
involuntary terminations.
4.7.1.1.2 Interview identity management and human resources staff
to ensure that there are no gaps in the notification
process.
4.7.1.1.3 Determine if formal procedures exist for the review of
termination of temporary users on a periodic basis.
4.7.1.1.4 Determine if formal procedures are in place for the regular
review and follow-up of the list of terminated users.
4.7.1.2 Determine if the disabling of the user ID is confirmed by the identity
management administrator to the terminated user’s supervisor.
4.7.1.3 Test objective: To verify that user IDs are disabled upon termination
4.7.1.3.1 Obtain a list of terminated users.
4.7.1.3.2 For involuntary terminations, determine the date and time
of the termination, and compare them to the date and
time that the user ID was disabled.
4.7.1.3.3 For voluntary terminations, determine if the user ID was
disabled within a reasonable period after the termination.
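Test steps 4.7.1.3.1 through 4.7.1.3.3 carried out as a reconciliation between the HR termination list and the identity store's disable timestamps, added here as an example and not part of the ISACA program. The records are constructed, and the 24-hour "reasonable period" for voluntary terminations is an assumed threshold that the reviewer would set.

```python
# Added example (not ISACA's own material): reconcile HR terminations against
# identity-store disable times. All records and thresholds are constructed.
from datetime import datetime, timedelta

REASONABLE = timedelta(hours=24)   # assumed "reasonable period" for voluntary leavers

# Constructed HR termination list (4.7.1.3.1): user ID, type, termination date/time.
HR_TERMINATIONS = [
    ("jsmith", "involuntary", "2009-03-02 14:00"),
    ("mlee",   "involuntary", "2009-03-05 09:30"),
    ("rkhan",  "voluntary",   "2009-03-06 17:00"),
    ("tng",    "voluntary",   "2009-03-09 17:00"),
    ("pdoe",   "voluntary",   "2009-03-10 17:00"),
]

# Constructed identity-store export: user ID -> time disabled (None = still enabled).
ID_STORE = {
    "jsmith": "2009-03-02 13:45",
    "mlee":   "2009-03-06 11:00",
    "rkhan":  "2009-03-07 08:15",
    "tng":    "2009-03-13 10:00",
    "pdoe":   None,
}


def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def reconcile(terminations, id_store, reasonable=REASONABLE):
    """Return one (user, issue, lag_hours) tuple per exception. Involuntary
    terminations must be disabled no later than the termination time (4.7.1.3.2);
    voluntary ones within the reasonable period (4.7.1.3.3)."""
    findings = []
    for user, kind, term in terminations:
        if user not in id_store:
            findings.append((user, "no identity-store record for terminated user", None))
            continue
        disabled = id_store[user]
        if disabled is None:
            findings.append((user, "ID still enabled after termination", None))
            continue
        lag = ts(disabled) - ts(term)           # negative lag = disabled in advance
        hours = round(lag.total_seconds() / 3600, 2)
        if kind == "involuntary" and lag > timedelta(0):
            findings.append((user, "involuntary termination not disabled immediately", hours))
        elif kind == "voluntary" and lag > reasonable:
            findings.append((user, "voluntary termination disabled late", hours))
    return findings
```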
4.7.2 Reconciliation of user ID transfer
Control: The former supervisor of the transferred user and the new supervisor
notify the identity management administrator of the transfer.
COBIT cross-reference: DS5.3, DS5.4
4.7.2.1 Determine that a procedure exists to match the transferring and
receiving department access request to ensure that transferred user
IDs do not retain old access rights.
4.7.2.1.1 Test objective: To verify that the user transfer process
does not allow access rights from the old job function to
remain with the user
4.7.2.1.1.1 Obtain a list of transferred users.
4.7.2.1.1.2 Select a sample of users.
4.7.2.1.1.3 Obtain requests for transfer from the previous
and current manager.
4.7.2.1.1.4 Determine if they are signed.
4.7.2.1.1.5 Determine if the access rights had been
changed to meet the requirements of the new
position.
4.8 Violation monitoring
Audit/assurance objective: Violation reports should be routinely generated, monitored,
reviewed, closed and escalated, and appropriate corrective action should be initiated.
4.8.1 Violation monitoring
Control: Violation reports are routinely generated and distributed as required.
An incident report is initiated if necessary, and violations are followed up on.
COBIT cross-reference: DS5.3, DS5.4
4.8.1.1 Determine if violation reports are initiated automatically by the
system.
4.8.1.2 Determine if violation reports are distributed to the information
security function and recorded as an incident in the
problem/information security incident systems.
4.8.1.3 Determine if violation reports are investigated, escalated and
reported to management.
4.8.1.4 Determine if violators of policy are retrained or penalized.
4.8.1.5 Test objective: To verify violation monitoring and follow-up
4.8.1.5.1 Select a violation report for several days.
4.8.1.5.2 Obtain the violation action report (containing the actions
taken upon discovery of the violation).
4.8.1.5.3 Match the violations per the report to the action report to
identify missing incidents.
4.8.1.5.4 Determine the actions taken: escalation, remediation, user
training, etc.
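Test steps 4.8.1.5.1 through 4.8.1.5.4 as a script that matches a violation report to the violation action report, listing violations with no recorded action and tallying the actions taken; added here as an example, not part of the ISACA program. The line formats, violation IDs and user names are constructed.

```python
# Added example (not ISACA's own material): match violation report entries to the
# action report. Report line formats and all entries below are constructed.
import re
from collections import Counter

# Constructed violation report for several days (4.8.1.5.1).
VIOLATION_REPORT = """\
V-1001 2009-03-02T08:14 user=bob event=FAILED_LOGIN_THRESHOLD
V-1002 2009-03-02T10:02 user=carol event=UNAUTHORIZED_ACCESS_ATTEMPT
V-1003 2009-03-03T16:45 user=bob event=PRIVILEGE_USE_OUTSIDE_HOURS
V-1004 2009-03-04T09:30 user=dave event=UNAUTHORIZED_ACCESS_ATTEMPT
""".splitlines()

# Constructed violation action report (4.8.1.5.2): what was done for each violation.
ACTION_REPORT = """\
V-1001 action=user_training
V-1002 action=escalated_to_infosec incident=INC-0007
V-1004 action=remediated
""".splitlines()

VIOLATION_RE = re.compile(r"^(V-\d+)\s+(\S+)\s+user=(\S+)\s+event=(\S+)$")
ACTION_RE = re.compile(r"^(V-\d+)\s+action=(\S+)(?:\s+incident=(\S+))?$")


def parse_violations(lines):
    out = {}
    for line in lines:
        m = VIOLATION_RE.match(line)
        if m:
            out[m.group(1)] = {"time": m.group(2), "user": m.group(3), "event": m.group(4)}
    return out


def parse_actions(lines):
    out = {}
    for line in lines:
        m = ACTION_RE.match(line)
        if m:
            out[m.group(1)] = {"action": m.group(2), "incident": m.group(3)}
    return out


def match_reports(violations, actions):
    """Violations with no action (4.8.1.5.3), actions with no violation, a tally
    of actions taken (4.8.1.5.4) and users appearing more than once (4.8.1.4)."""
    missing = sorted(v for v in violations if v not in actions)
    orphans = sorted(a for a in actions if a not in violations)
    taken = Counter(a["action"] for v, a in actions.items() if v in violations)
    repeat = sorted(u for u, n in Counter(v["user"] for v in violations.values()).items() if n > 1)
    return {"missing": missing, "orphan_actions": orphans, "actions": dict(taken), "repeat_users": repeat}
```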
VII. Maturity Assessment
The maturity assessment is an opportunity for the reviewer to assess the maturity of the processes reviewed. Based on the results of the audit/assurance
review and the reviewer’s observations, assign a maturity level to each of the following COBIT control practices.
COBIT Control Practice    Assessed Maturity    Target Maturity
PO2.3 Data Classification Scheme
1. Create a classification scheme that defines attributes for data classification, such as data
ownership, definition of security levels (confidentiality, integrity and availability), a brief
description of data retention and destruction requirements.
2. Define data classification levels for each of the defined attributes (e.g., for confidentiality:
public, internal, confidential).
3. Identify business owners accountable for information (data owners).
4. Ensure that the data owner classifies all information using the defined scheme and levels.
Classification covers the whole life cycle of information from creation to disposal. Where an
asset has been assessed as having a certain classification, any component inherits the same
classification.
5. Make owners understand the consequences of the classification, and balance security needs
against cost considerations and other business requirements considering the value of the
assets they own.
6. Ensure that information and data are labeled, handled, protected and otherwise secured in a
manner consistent with the data classification categories.
PO4.8 Responsibility for Risk, Security and Compliance
1. Encourage senior management to establish an organizationwide, adequately staffed risk
management and information security function with overall accountability for risk
management and information security. The reporting line of the risk management and
information security function is such that it can effectively design, implement and, in
conjunction with line management, enforce compliance with the organization’s risk
management and information security policies, standards and procedures.
2. Formalize and document roles and responsibilities for the risk management and information
security function. Allocate these responsibilities to appropriately skilled and experienced
staff and, in the case of information security, under the direction of an information security
officer.
3. Regularly assess the resource requirements in relation to risk management and information
security. Assess whether appropriate resources are provided to meet the needs of the
business.
4. Put a process in place to obtain senior management guidance concerning the enterprise’s risk
profile and acceptance of significant residual risks.
DS5.3 Identity Management
1. Establish and communicate policies and procedures to uniquely identify, authenticate and
authorize access mechanisms and access rights for all users on a need-to-know/need-to-have
basis, based on predetermined and preapproved roles. Clearly state accountability of any user
for any action on any of the systems and/or applications involved.
2. Ensure that roles and access authorization criteria for assigning user access rights take into
account:
• Sensitivity of information and applications involved (data classification)
• Policies for information protection and dissemination (legal, regulatory, internal policies
and contractual requirements)
• Roles and responsibilities as defined within the enterprise
• The need-to-have access rights associated with the function
• Standard but individual user access profiles for common job roles in the organization
• Requirements to guarantee appropriate segregation of duties
3. Establish a method for authenticating and authorizing users to establish responsibility and
enforce access rights in line with sensitivity of information and functional application
requirements and infrastructure components, and in compliance with applicable laws,
regulations, internal policies and contractual agreements.
4. Define and implement a procedure for identifying new users and recording, approving and
maintaining access rights. This needs to be requested by user management, approved by the
system owner and implemented by the responsible security person.
5. Ensure that a timely information flow is in place that reports changes in jobs (i.e., people in,
people out, people change). Grant, revoke and adapt user access rights in co-ordination with
human resources and user departments for users who are new, who have left the
organization, or who have changed roles or jobs.
DS5.4 User Account Management
1. Ensure that access control procedures include but are not limited to:
• Using unique user IDs to enable users to be linked to and held accountable for their actions
• Awareness that the use of group IDs results in the loss of individual accountability, and that group IDs are
permitted only when justified for business or operational reasons and compensated by
mitigating controls. Group IDs must be approved and documented.
• Checking that the user has authorization from the system owner for the use of the
information system or service, and the level of access granted is appropriate to the business
purpose and consistent with the organizational security policy
• A procedure to require users to understand and acknowledge their access rights and the
conditions of such access
• Ensuring that internal and external service providers do not provide access until
authorization procedures have been completed
• Maintaining a formal record, including access levels, of all persons registered to use the
service
• A timely and regular review of user IDs and access rights
2. Ensure that management reviews or reallocates user access rights at regular intervals using a
formal process. User access rights should be reviewed or reallocated after any job changes,
such as transfer, promotion, demotion or termination of employment. Authorizations for
special privileged access rights should be reviewed independently at more frequent intervals.
VIII. Assessment Maturity vs. Target Maturity
[Bar chart: Assessment vs. Target maturity on a 0 to 5 scale for PO2.3 Data Classification Scheme, PO4.8 Responsibility for Risk, Security & Compliance, DS5.3 Identity Management, DS5.4 User Account Management and AI1 Identify Automated Solutions]