Appendix C. Logical Access Control Audit Program

Questions | Yes | No | N/A | Comments

The widespread use of communications networks has shown that physical controls provide limited value in protecting the data stored on and processed by the computer. Logical controls restrict access to specific systems to authorized individuals, and restrict each individual to the functions he or she is permitted to perform on the system. Logical security controls enable the organization to:

  • Identify individual users of IS data and resources.

  • Restrict access to specific data or resources.

  • Produce audit trails of system and user activity.

Audit Procedures:

Each type of software has an access path. Access paths are those areas or points where access may be gained to the system. When accessing the computer system, a user may pass through one or more software levels before obtaining access to the data resources (e.g., data files, program libraries).

  1. Review all possible access paths to the data resources to determine that the security features in each piece of software are utilized to minimize the vulnerabilities. Pay specific attention to “backdoor” methods of accessing data by operators and programmers.

  2. Interview management and review documentation to determine if integrated access control software is used to streamline security administration and improve security effectiveness.

  3. Control points are those areas on the software’s access path that may be used to control and protect data resources. An access path schematic identifies the users ...
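As an added illustration of the access-path review in steps 1 and 3 (example code, not part of the audit program): each path to a data resource is modeled as the sequence of software levels a user class passes through, and a path is flagged when no level on it enforces one of the three logical-control capabilities listed above (identify users, restrict access, produce an audit trail). The layer names, user classes and the PAYROLL.MASTER resource are a constructed inventory.

```python
"""Audit helper: flag access paths that reach a data resource without one of
the required logical controls. The inventory below is constructed for the
example; it is not taken from any real system."""
from dataclasses import dataclass

# The three capabilities a logical-access control scheme must provide.
REQUIRED = {"identify", "restrict", "audit_trail"}

@dataclass(frozen=True)
class Layer:
    name: str             # software level on the path, e.g. OS, DBMS, application
    controls: frozenset   # capabilities this level actually enforces

@dataclass
class AccessPath:
    user_class: str       # who uses this path, e.g. "end user", "programmer"
    resource: str         # data resource reached at the end of the path
    layers: list          # software levels traversed, in order

def missing_controls(path):
    """Capabilities no layer on the path enforces; a non-empty result is a
    gap that may serve as a 'backdoor' to the resource."""
    enforced = set()
    for layer in path.layers:
        enforced |= layer.controls
    return REQUIRED - enforced

def review_access_paths(paths):
    """Map (user_class, resource) -> sorted missing controls, for paths with gaps only."""
    findings = {}
    for p in paths:
        gap = missing_controls(p)
        if gap:
            findings[(p.user_class, p.resource)] = sorted(gap)
    return findings

# Constructed inventory: three paths to one payroll master file.
OS = Layer("OS logon", frozenset({"identify", "audit_trail"}))
ACS = Layer("integrated access control software", frozenset(REQUIRED))
APP = Layer("payroll application", frozenset({"restrict", "audit_trail"}))
UTIL = Layer("direct file utility", frozenset())   # enforces nothing itself

SAMPLE_PATHS = [
    AccessPath("end user", "PAYROLL.MASTER", [OS, ACS, APP]),
    AccessPath("programmer", "PAYROLL.MASTER", [OS, UTIL]),  # bypasses ACS and APP
    AccessPath("operator", "PAYROLL.MASTER", [UTIL]),        # console access, no logon
]

if __name__ == "__main__":
    for (who, resource), gap in review_access_paths(SAMPLE_PATHS).items():
        print(f"{who} -> {resource}: missing {', '.join(gap)}")
```

Each flagged path names the user class that can reach the resource and which control is absent, which is the information needed to decide where on the path a control point should be added.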

Get Auditor’s Guide to Information Systems Auditing now with the O’Reilly learning platform.
