User
What evidence is needed for access control?
Experta
During the certification audit, the auditor might look for the following evidence regarding access control:
- If rules to access information and information-related assets are established and implemented (control A.5.15 Access control)
- If user identities are managed throughout their lifecycle (control A.5.16 Identity management)
- If passwords and other authentication information are being managed (control A.5.17 Authentication information)
- If access of users is granted and revoked according to the defined access control policy (control A.5.18 Access rights)
- If access rights that go beyond access rights of regular users are restricted and controlled (control A.8.2 Privileged access rights)
- If access of users to information systems is limited according to the defined access control policy (control A.8.3 Information access restriction)
- If access to source code, development tools, and software libraries are managed (control A.8.4 Access to source code)
- If technologies for passwords and authentication methods are implemented (control A.8.5 Secure authentication)
- If the use of programs that can override or change security configurations are controlled (control A.8.18 Use of privileged utility programs)
Examples:
- A company has written an Access Control Policy where it has defined the rules to access information and other assets — The auditor may ask to see several information systems to see if the information is being accessed as defined.
- A company has defined in its Access Control Policy the steps to manage user identities, from creation through exclusion — The auditor may ask to see several user active accounts, and the latest excluded accounts, to see if their lifecycle was managed as defined.
- A company has defined in its Access Control Policy rules for the use and management of passwords and other authentication information — The auditor may ask to talk to several employees to see if they know how to handle passwords and other authentication information.
- A company has defined in its Access Control Policy the rules to grant and revoke accesses rights — The auditor may ask to see the latest hired personnel, personnel that has changed jobs, and latest dismissed personnel, to see if granted and revoked access were implemented as required.
- A company has defined in its Access Control Policy how access rights defined for regular users are enforced — The auditor may ask to observe several users with regular access rights try to perform administrative or other special rights to see if such actions are not allowed.
- A company has defined in its Access Control Policy which person/role can access which information — The auditor may ask to observe several users trying to access different types of information to see if they can access only the information allowed to his persona/role.
- A company has defined in its Access Control Policy which person/role can access which source code — The auditor may ask to observe several users trying to access different source codes to see if they can access only the source codes allowed to his persona/role.
- A company has defined in its Access Control Policy rules for authentication prior to granting access to information — The auditor may ask to see several information systems to see if authentication rules are implemented as defined.
- A company has written a Security Procedures for IT Department document where it has defined how the use of privileged utility programs is controlled — The auditor may ask to see the latest logs of all used utility programs and the authorizations for their use.