
Navarro Amper and Company (Deloitte Philippines)

Audit Program Guide for Access Security Administration

Philippine Veterans Bank
Makati City

Key Objectives
To determine and verify the following:
* Logical security tools and techniques are implemented and configured to enable restriction of access to application systems.
* All information resources are subject to appropriate logical security.
* Logical security tools and techniques are administered to restrict access to programs, data, and other information resources.
Testing should include:
* Compliance with bank policies, procedures and regulatory requirements
* Compliance with BSP Circular 808
* Compliance with ISO 27001

Coverage
User Access Controls

USER ACCESS CONTROLS

Objectives
<A> Logical security tools and techniques are implemented and configured to enable restriction of access to application systems.
<B> All information resources are subject to appropriate logical security.
<C> Logical security tools and techniques are administered to restrict access to programs, data, and other information resources.
* Covered period: April 1, 2014 to March 31, 2015

Audit Program Table
Columns: No. | Obj | Detailed Objective | Control Activity Type | Control Nature | IT Nature | Control Rating | Testing Procedure (WP Ref) | Interview Topic | Test of Control Documentation
(Detailed, step-by-step testing procedures are shown in the working papers. The interview topics and test of control documentation are not limited to the specific testing procedure but cater to the objective as a whole.)

No. 1
Detailed Objective: Application owners authorize the nature and extent of user access privileges, and such privileges are periodically reviewed by application owners to ensure that they remain appropriate.
Control Activity Type: Preventive
Control Nature: Manual
IT Nature: IT Dependent
Control Rating: Medium
Testing Procedure (WP Ref):
  T1.1 Understand and document the policies and procedures related to the authorization of user access to data and application systems.
  T1.2 Determine the completeness of the request form and the timeliness of its maintenance in the system.
  T1.3 Determine the creation and maintenance of the user access matrix.
  T1.4 Determine the appropriateness of the user access given to users for every application/system.
  T1.5 Determine the appropriateness of controls over shared accounts for every application/system.
  T1.6 Determine the existence and effectiveness of the periodic user access review.
Interview Topic:
  * Access provision process
    - forms used
    - who initiates, approves and effects the request form
  * Creation and maintenance of the User Access Matrix
    - who creates, approves and reviews it
  * User access review process
    - who extracts the access list and to whom it is sent
    - who reviews it
Test of Control Documentation:
  * Policy relating to (1) user access rights, (2) the user access matrix and (3) user access review
  * Actual request forms
  * List of users per application/system
  * User access matrix
  * Evidence of periodic review, if applicable

No. 2
Detailed Objective: Information security tools include functionality designed to restrict and monitor access to application systems. Such functionality typically includes restricting the nature and extent of users' access privileges and logging authorized and unauthorized attempts to access information resources.
Control Activity Type: Detective
Control Nature: Manual
IT Nature: IT Dependent
Control Rating: Medium
Testing Procedure (WP Ref):
  T2.1 Understand and document the policies and procedures related to unauthorized access attempts and audit trail reporting.
  T2.2 Determine the existence and effectiveness of the login history reporting process.
  T2.3 Determine the existence and effectiveness of the audit trail (trace sample items to the source documents).
Interview Topic:
  * User login (successful and unsuccessful) summary reporting process
  * User access rights changes review and reporting process
Test of Control Documentation:
  * Policy relating to (1) the user login reporting process and (2) user access rights changes review
  * Audit trail report on changes and logins; note the process of generation and distribution

No. 3
Detailed Objective: as No. 2.
Control Activity Type: Detective
Control Nature: Manual
IT Nature: IT Dependent
Control Rating: Medium
Testing Procedure (WP Ref): T2.1 to T2.3 (as No. 2)
Interview Topic: as No. 2.
Test of Control Documentation: as No. 2.

No. 4
Detailed Objective: The security administrator is notified of employees who have changed roles and responsibilities, transferred, or been terminated. Access privileges of such employees are immediately changed to reflect their new status.
Control Activity Type: Preventive
Control Nature: Manual
IT Nature: IT Dependent
Control Rating: Medium
Testing Procedure (WP Ref):
  T3.1 Understand and document the policies and procedures relating to notifications of employee role changes, transfers and resignation/termination.
  T3.2 Determine the timeliness of the information flow to and from HR and IT (the user access rights provider) and test whether access is granted/revoked in a timely manner.
Interview Topic:
  * Process and timeliness of HR informing the IT Group (user access provider), or the IT Group inquiring with HR, on an employee's (a) change of responsibilities, (b) transfer of department and (c) resignation/termination
Test of Control Documentation:
  * Policy relating to HR informing IT, or IT inquiring with the HR Group, about any employee movement
  * List of employees who (a) changed roles, (b) transferred to another department and (c) resigned/were terminated

No. 5
Detailed Objective: The authority to administer user access information security is limited to appropriate personnel.
Control Activity Type: Preventive
Control Nature: Automated
IT Nature: IT Dependent
Control Rating: High
Testing Procedure (WP Ref):
  T4.1 Understand and document the policies and procedures related to user access information security.
  T4.2 Determine the name, User ID and user access privileges granted to the user access administrator.
Interview Topic:
  * Process of administering user access information security
    - which department is responsible
Test of Control Documentation:
  * Policy relating to administering user access information security

No. 6
Detailed Objective: Use of privileged access (the so-called "super user" and the supplier default user) is limited to appropriate personnel, logged and reviewed.
Control Activity Type: Preventive
Control Nature: Manual
IT Nature: IT Dependent
Control Rating: Medium
Testing Procedure (WP Ref):
  T5.1 Understand and document the policies and procedures related to limiting the usage of, and logging and reviewing, privileged access (the so-called "super user") and supplier default users.
  T5.2 Determine (a) the IDs of super-users and supplier default users, and who uses them, (b) their password change history and (c) their access validity.
  T5.3 Determine the review process over super-user and default user activity.
Interview Topic:
  * Maintenance of super-user and supplier default IDs
    - validity
    - change of passwords
  * Review of access made by super-users
Test of Control Documentation:
  * Policy relating to super-user and supplier default users
  * List of super-users and default users for all applications, if any
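The following script is an added worked example, not part of the Deloitte/PVB audit programme, showing how an auditor could mechanise tests T3.2 (timeliness of access revocation after HR movement) and T5.2 (password change history and validity of super-user and supplier default IDs) over exported evidence. The HR movement list, the application user list export and the privileged-account register are constructed for illustration; the one-day revocation SLA and the 90-day password rotation period are assumptions, since the guide does not state the bank's own policy values.

```python
"""Added example: mechanising audit tests T3.2 and T5.2 over exported evidence.
All records below are constructed for illustration; the thresholds are assumptions."""
from datetime import date

# Assumed policy thresholds (the programme guide does not state the bank's values).
REVOCATION_SLA_DAYS = 1      # days allowed between HR effective date and access change
MAX_PASSWORD_AGE_DAYS = 90   # rotation period for super-user / supplier default passwords
AS_OF = date(2015, 3, 31)    # end of the covered period

# Constructed HR movement list for the covered period (T3.2 evidence from HR).
HR_MOVEMENTS = [
    {"emp_id": "E1001", "event": "terminated",  "effective": date(2014, 9, 30)},
    {"emp_id": "E1002", "event": "transferred", "effective": date(2014, 11, 3)},
    {"emp_id": "E1003", "event": "terminated",  "effective": date(2015, 1, 15)},
    {"emp_id": "E1004", "event": "terminated",  "effective": date(2014, 12, 1)},
]

# Constructed user list export from one application (T3.2 evidence from IT).
# last_access_change: date the account was disabled or its access profile last modified.
APP_USERS = [
    {"user_id": "jdelacruz", "emp_id": "E1001", "status": "disabled", "last_access_change": date(2014, 10, 1)},
    {"user_id": "mreyes",    "emp_id": "E1002", "status": "active",   "last_access_change": date(2014, 6, 1)},
    {"user_id": "asantos",   "emp_id": "E1003", "status": "active",   "last_access_change": date(2014, 3, 1)},
    {"user_id": "rbautista", "emp_id": "E1004", "status": "disabled", "last_access_change": date(2014, 12, 10)},
]

# Constructed register of super-user and supplier default IDs (T5.2 evidence).
PRIVILEGED_ACCOUNTS = [
    {"user_id": "SYSADM",  "kind": "super_user",       "custodian": "IT Security", "last_pw_change": date(2015, 2, 1),  "enabled": True},
    {"user_id": "ROOT",    "kind": "super_user",       "custodian": "IT Ops",      "last_pw_change": date(2014, 4, 10), "enabled": True},
    {"user_id": "VENDOR1", "kind": "supplier_default", "custodian": "",            "last_pw_change": None,              "enabled": True},
    {"user_id": "INSTALL", "kind": "supplier_default", "custodian": "IT Ops",      "last_pw_change": date(2014, 5, 5),  "enabled": False},
]


def check_t3_2(hr_movements, app_users, sla_days=REVOCATION_SLA_DAYS):
    """T3.2: for each HR movement, was the account revoked or changed within the SLA?
    Returns (emp_id, user_id, finding) tuples; an empty list means no exceptions."""
    by_emp = {u["emp_id"]: u for u in app_users}
    findings = []
    for mv in hr_movements:
        user = by_emp.get(mv["emp_id"])
        if user is None:
            continue  # no account in this application, so nothing to revoke
        lag = (user["last_access_change"] - mv["effective"]).days
        if mv["event"] == "terminated":
            # Disabling before the effective date (e.g. on the last working day) is acceptable.
            if user["status"] != "disabled":
                findings.append((mv["emp_id"], user["user_id"], "account still active after termination"))
            elif lag > sla_days:
                findings.append((mv["emp_id"], user["user_id"], f"disabled {lag} days after effective date (SLA {sla_days})"))
        else:
            # Transfer / role change: the access profile must have been updated on or after the effective date.
            if lag < 0:
                findings.append((mv["emp_id"], user["user_id"], "access profile not updated after transfer"))
            elif lag > sla_days:
                findings.append((mv["emp_id"], user["user_id"], f"access changed {lag} days after effective date (SLA {sla_days})"))
    return findings


def check_t5_2(accounts, as_of=AS_OF, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """T5.2: every enabled super-user / supplier default ID needs a named custodian
    and a password changed within the rotation period. Returns (user_id, finding) tuples."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled supplier default ID is the desired end state
        uid = acct["user_id"]
        if not acct["custodian"]:
            findings.append((uid, "enabled privileged ID with no accountable custodian"))
        if acct["last_pw_change"] is None:
            findings.append((uid, "password never changed since installation"))
        else:
            age = (as_of - acct["last_pw_change"]).days
            if age > max_age_days:
                findings.append((uid, f"password age {age} days exceeds {max_age_days}"))
    return findings


if __name__ == "__main__":
    for f in check_t3_2(HR_MOVEMENTS, APP_USERS):
        print("T3.2 exception:", *f)
    for f in check_t5_2(PRIVILEGED_ACCOUNTS):
        print("T5.2 exception:", *f)
```

Each exception the script returns is a candidate working-paper finding that the auditor still traces back to the source documents (HR notification, request form, password change log) before it is reported; the script only narrows the population to the items worth tracing.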
