8.1. LOGICAL SECURITY DESIGN

Identification of the significant risks facing a system can best be accomplished through a formal risk assessment process. Because many internal and external auditors prepare risk assessment documents as a standard part of their audit process, auditors can be an excellent resource for a system design team that is performing a formal risk assessment. Since members of a design team usually include representatives from all significantly impacted areas of the organization who are experts in their respective fields, the team will likely be able to identify most of the significant business risks. However, auditors are often aware of risks that a design team may not have considered.

For example, one of the most difficult risks to control is the performance of unauthorized activities by a system security administrator. By definition, a system security administrator needs to be able to add, delete, and change users and their access capabilities, monitor and regulate system activities, control system security parameters, review system security and operational logs, and perform various other unrestricted tasks. (Note: In large organizations, some of these tasks may be segregated.) To accomplish these tasks, a system security administrator requires virtually unrestricted access within the system. Most design team members do not think twice about the fact that the system security administrator essentially will have free rein of the system. In these cases, ...
