Evaluating and Testing Access Controls
Organizations need to both build an access control environment and test it to see how it performs and behaves. In many cases, access control is the only barrier between outsiders and sensitive information. A great example is online banking: The only thing protecting your bank account information is your user ID and password. Don’t you want to be sure that the bank’s access control mechanism is working properly to protect your precious information from outsiders?
Computer systems contain information that, in many cases, must be accessible only to authorized persons. However, weaknesses or vulnerabilities in access control software may permit users without the necessary credentials to access this information as well. Additionally, poorly defined or inadequate access control policies can result in users having unauthorized access to sensitive data. User entitlement refers to the data access privileges that are granted to an individual user. Organizations must routinely — if not continually — review user entitlement to ensure overall data access privileges are appropriately administered in the organization. The audit and review process should be automated to increase efficiency, reduce errors, ensure completeness, and improve overall effectiveness.
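To show what an automated entitlement review looks like in practice, here is an added example (not code from the original text) that compares the entitlements actually granted to each user against a role-based policy, checks a separation-of-duties rule, and flags dormant or disabled accounts that still hold access. The role names, entitlement strings, the 90-day dormancy threshold and the sample user records are all constructed for the example.

```python
"""Automated user-entitlement review (added example; policy and data are constructed)."""
from dataclasses import dataclass
from datetime import date

# Assumed role-based policy: the entitlements each role is permitted to hold.
ROLE_ENTITLEMENTS = {
    "teller": {"accounts:read", "transactions:create"},
    "auditor": {"accounts:read", "transactions:read", "reports:read"},
    "admin": {"users:manage", "accounts:read"},
}

# Assumed separation-of-duties rule: these pairs must never be held by one user.
SOD_CONFLICTS = [("transactions:create", "transactions:approve")]

# Accounts idle longer than this (days) but still holding access are flagged.
DORMANT_DAYS = 90


@dataclass
class UserRecord:
    user_id: str
    roles: set           # roles assigned in the identity store
    granted: set         # entitlements actually present in the target system
    last_login: date
    active: bool = True


@dataclass
class Finding:
    user_id: str
    kind: str
    detail: str


def review_entitlements(users, today):
    """Return a list of Findings for every deviation from policy."""
    findings = []
    for u in users:
        # Union of what the user's roles allow; unknown roles contribute nothing.
        permitted = set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in u.roles))
        for r in sorted(u.roles):
            if r not in ROLE_ENTITLEMENTS:
                findings.append(Finding(u.user_id, "unknown_role", r))
        # Anything granted beyond what the roles permit is excess privilege.
        for e in sorted(u.granted - permitted):
            findings.append(Finding(u.user_id, "excess_entitlement", e))
        # Separation-of-duties check on the grants that actually exist.
        for a, b in SOD_CONFLICTS:
            if a in u.granted and b in u.granted:
                findings.append(Finding(u.user_id, "sod_conflict", f"{a} + {b}"))
        # Lifecycle checks: idle accounts and disabled accounts that keep access.
        idle_days = (today - u.last_login).days
        if u.active and u.granted and idle_days > DORMANT_DAYS:
            findings.append(Finding(u.user_id, "dormant_with_access", f"{idle_days} days idle"))
        if not u.active and u.granted:
            findings.append(Finding(u.user_id, "disabled_with_access", ", ".join(sorted(u.granted))))
    return findings


# Constructed sample export from an identity store and a target system.
REVIEW_DATE = date(2024, 6, 30)
SAMPLE_USERS = [
    UserRecord("alice", {"teller"}, {"accounts:read", "transactions:create"}, date(2024, 6, 28)),
    UserRecord("bob", {"teller"},
               {"accounts:read", "transactions:create", "transactions:approve"}, date(2024, 6, 29)),
    UserRecord("carol", {"auditor"}, {"accounts:read", "reports:read"}, date(2023, 12, 1)),
    UserRecord("dave", {"admin"}, {"users:manage"}, date(2024, 5, 1), active=False),
    UserRecord("erin", {"contractor"}, {"accounts:read"}, date(2024, 6, 20)),
]


def run_sample_review():
    """Run the review over the constructed sample and return the findings."""
    return review_entitlements(SAMPLE_USERS, REVIEW_DATE)


if __name__ == "__main__":
    for f in run_sample_review():
        print(f"{f.user_id:6} {f.kind:22} {f.detail}")
```

In a real deployment the `SAMPLE_USERS` list would be replaced by an export from the identity provider joined with the permission tables of each application, and the findings would feed a ticketing or recertification workflow so that every excess grant is either revoked or explicitly approved by a data owner.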
Organizations should perform penetration and vulnerability testing on these systems to ensure that they don’t possess any vulnerabilities or weaknesses that could permit unauthorized persons ...