Access Verification Reports:
USERID creation procedures, while important, are only half of the USERID management program. Periodic (ideally monthly) reports itemizing all access associated with each user should be sent (preferably electronically) to managers and contracting officers to verify the accuracy and appropriateness of that access. Non-employee access should be reported to the manager directly responsible for the activities of the non-employee, to the contracting officer, or, in special circumstances, to the CIO or CEO. A process should be established to allow managers to easily communicate necessary modifications. Access is then monitored from a business perspective to ensure that changes in user job responsibilities (transfers, separations, reorganization, or contract termination), application modifications, or other circumstances result in commensurate changes in user access. The ISSP should include assurance that managers are trained on these responsibilities in the SATP and that the process is reviewed for effectiveness.
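The report-and-verify cycle described above can be automated. The script below is an added illustration, not code from the original text: it takes a constructed list of users and their access entitlements, groups every entitlement under the person who must verify it (the manager for employees, the contracting officer for non-employees, and a placeholder escalation reviewer when neither is recorded), flags the business-level inconsistencies a reviewer should see next to each line (a separated user or an expired contract still holding access, a transfer that warrants re-checking, an orphaned USERID), and applies the reviewer's revoke decisions. All user names, systems, dates and the `CIO` escalation label are assumptions made for the example.

```python
"""Access verification report generator (added illustration, not from the original text).
All users, entitlements, reviewers and dates below are constructed sample data."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class User:
    userid: str
    employee: bool
    status: str                                 # "active", "separated" or "transferred"
    manager: Optional[str] = None               # reviewer for employee access
    contracting_officer: Optional[str] = None   # reviewer for non-employee access
    contract_end: Optional[date] = None         # only meaningful for non-employees


@dataclass
class Entitlement:
    userid: str
    system: str
    role: str


# Hypothetical reviewer of last resort for access nobody else can vouch for.
ESCALATION_REVIEWER = "CIO"


def reviewer_for(user: Optional[User]) -> str:
    """Route the access line to whoever must verify it, per the text's routing rules."""
    if user is None:
        return ESCALATION_REVIEWER              # entitlement with no owning user record
    if not user.employee and user.contracting_officer:
        return user.contracting_officer
    return user.manager or ESCALATION_REVIEWER


def flags_for(user: Optional[User], as_of: date) -> List[str]:
    """Business-perspective inconsistencies the reviewer should act on."""
    if user is None:
        return ["orphaned: no user record for this USERID"]
    flags = []
    if user.status == "separated":
        flags.append("user separated but access remains")
    if user.status == "transferred":
        flags.append("user transferred: confirm access still matches new duties")
    if user.contract_end and user.contract_end < as_of:
        flags.append("contract ended %s but access remains" % user.contract_end.isoformat())
    return flags


def build_reports(users: List[User], entitlements: List[Entitlement],
                  as_of: date) -> Dict[str, List[dict]]:
    """Group every entitlement under its reviewer: {reviewer: [row, ...]}."""
    by_id = {u.userid: u for u in users}
    reports: Dict[str, List[dict]] = {}
    for ent in entitlements:
        user = by_id.get(ent.userid)
        row = {"userid": ent.userid, "system": ent.system, "role": ent.role,
               "flags": flags_for(user, as_of)}
        reports.setdefault(reviewer_for(user), []).append(row)
    return reports


def render_report(reviewer: str, rows: List[dict], as_of: date) -> str:
    """Plain-text body suitable for sending to the reviewer electronically."""
    lines = ["Access verification report for %s (as of %s)" % (reviewer, as_of.isoformat())]
    for r in rows:
        note = ("  ** " + "; ".join(r["flags"])) if r["flags"] else ""
        lines.append("  %-10s %-12s %-12s%s" % (r["userid"], r["system"], r["role"], note))
    return "\n".join(lines)


def apply_decisions(entitlements: List[Entitlement],
                    decisions: Dict[Tuple[str, str, str], str]) -> List[Entitlement]:
    """Apply reviewer responses keyed by (userid, system, role): 'revoke' removes the line."""
    return [e for e in entitlements
            if decisions.get((e.userid, e.system, e.role)) != "revoke"]


# Constructed sample data for a single review cycle.
AS_OF = date(2024, 3, 1)
SAMPLE_USERS = [
    User("jdoe", True, "active", manager="mgr.alice"),
    User("rsmith", True, "separated", manager="mgr.alice"),
    User("cvendor", False, "active", manager="mgr.bob",
         contracting_officer="co.carol", contract_end=date(2024, 1, 31)),
    User("tnew", True, "transferred", manager="mgr.bob"),
]
SAMPLE_ENTITLEMENTS = [
    Entitlement("jdoe", "payroll", "reader"),
    Entitlement("rsmith", "payroll", "admin"),
    Entitlement("cvendor", "hr-portal", "contractor"),
    Entitlement("ghost", "payroll", "admin"),       # no user record: orphaned access
    Entitlement("tnew", "finance-db", "writer"),
]


def sample_reports() -> Dict[str, List[dict]]:
    return build_reports(SAMPLE_USERS, SAMPLE_ENTITLEMENTS, AS_OF)


if __name__ == "__main__":
    for reviewer, rows in sample_reports().items():
        print(render_report(reviewer, rows, AS_OF))
        print()
```

Flags are advisory: the reviewer, not the script, decides what is appropriate, and only an explicit `revoke` decision changes access. Separated and orphaned entries are the ones a reviewer would normally revoke first, and the escalation bucket is where the "special circumstances" routing to the CIO or CEO lands.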
An effective security professional welcomes the auditing of their ISSP as a useful hardening mechanism: it is better to discover and mitigate weaknesses in the armor before they are exploited. Optimal configurations use an internal team responsible for evaluating the various ISSP components on a rotational basis, so that vulnerabilities can be identified and rectified before exploitation by intruders or exposure by external auditors. An auditing plan should be included in the overall ISSP, periodically targeting each module. The plan should integrate internal and external audits to optimize the evaluation of corrective actions, and aggressive scanning and penetration attempts, ensuring continual evaluation of the program's effectiveness. It is imperative that knowledge of the timing, focus and procedures for internal audits be limited to the immediate auditing team and their managers, so that the audit mimics the intruder experience as closely as possible. Because people are the determining factor in the success of any undertaking, social engineering should be a targeted auditing function, and the SATP should be updated to mitigate the results of the audit.