ITGC User Access Testing

Uploaded by rajendra

5 Tests to Perform a User Access Review

What is user access testing?

- A process to ensure that only authorized individuals have access to data
- A method of reviewing and detecting inappropriate user access
- A periodic review of user permissions

https://www.linkedin.com/in/chinmaykulkarni22/
What are the key risks?

- A user retains access after employment termination
- A user changes team but retains membership of the previous team's group
- A user takes on a new role (e.g. Operations Engineer) but retains the access of the previous role (e.g. developer) in production, creating a segregation of duties issue
- An unauthorized user with access to confidential information could cause a data disclosure

Step 1: Data Request

- Pull data on all active users who have access to the in-scope applications, systems, servers and databases
- Also obtain the list of terminated users (normally from HR) so you can confirm they no longer retain access; an export that lists only active accounts cannot show who should not be in it
- Verify the completeness and accuracy of the data pulled: take the extract directly from the system rather than from the system owner, reconcile the record count against the source, and check for duplicate accounts

Step 2: User Access Review

- Review whether the user is still active (a current employee or contractor)
- Review whether the user was approved before access was granted
- Review the type of account:
  - User account: an individual user's interactive account
  - Service account: a system account used to perform automated system operations
  - Privileged account: an account with admin or other high-level privileges
- Review whether the account's access aligns with the job function of the individual user

Step 3: Check for Other Details

- Review the user's business unit to ensure access aligns with the job function
- Review the user's reporting manager to validate that the user belongs to the appropriate business unit
- Perform walkthroughs with the system owner to validate that appropriate privileges have been granted

Step 4: Review Service Accounts

- The biggest risk with service accounts is traceability: when malicious activity is performed through a shared account such as Service_account_16745, the logs show only the account name, not which person used it
- Review the appropriateness of the users who have access to (i.e. hold the credentials of) service accounts, and confirm each account has a named owner

Step 5: Segregation of Duties (SoD)

- Review that no single person can introduce fraudulent or malicious activity without detection
- E.g. a developer should not have access to deploy code changes to the production environment; deployment should sit with a separate release or operations role
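
The five steps above, as an added example that is not part of the original deck: a Python script that runs the Step 1 completeness check and the Step 2 to Step 5 tests over a constructed access export, HR roster, approval log, role-to-job mapping and SoD rule set. The datasets, field names, account names and ticket IDs are assumptions; a real review would replace them with extracts pulled directly from the in-scope system and from HR, and the findings it produces are leads to confirm in the walkthrough, not conclusions.

```python
"""Automated checks for an ITGC user access review.

Added example, not code from the original slide deck. Every dataset below is
constructed for illustration (an access export from one in-scope system, an HR
roster, an approval log, a role-to-job mapping and an SoD rule set); the field
names, account names and ticket IDs are assumptions about what such extracts contain.
"""
from datetime import date

# Step 1: full access export, including accounts whose owners have left.
ACCESS_EXPORT = [
    {"account": "asmith", "type": "user", "roles": ["developer"], "status": "active"},
    {"account": "bjones", "type": "user", "roles": ["developer", "prod_deploy"], "status": "active"},
    {"account": "cwu", "type": "user", "roles": ["ops_engineer"], "status": "active"},
    {"account": "dlee", "type": "user", "roles": ["finance_ro"], "status": "active"},
    {"account": "service_account_16745", "type": "service", "roles": ["prod_deploy"],
     "status": "active", "owners": ["asmith", "bjones", "cwu"]},
    {"account": "root_admin", "type": "privileged", "roles": ["admin"],
     "status": "active", "owners": ["dlee"]},
]

# HR roster with terminated employees included so the join catches leavers.
HR_ROSTER = {
    "asmith": {"unit": "Engineering", "manager": "mgr_eng", "job": "developer", "term_date": None},
    "bjones": {"unit": "Engineering", "manager": "mgr_eng", "job": "developer", "term_date": None},
    "cwu": {"unit": "Operations", "manager": "mgr_ops", "job": "ops_engineer", "term_date": None},
    "dlee": {"unit": "Finance", "manager": "mgr_fin", "job": "analyst", "term_date": date(2024, 1, 31)},
}

# Approval log: (account, role) -> change ticket that authorised the grant.
APPROVALS = {
    ("asmith", "developer"): "CHG-101", ("bjones", "developer"): "CHG-102",
    ("cwu", "ops_engineer"): "CHG-103", ("dlee", "finance_ro"): "CHG-104",
    ("service_account_16745", "prod_deploy"): "CHG-105", ("root_admin", "admin"): "CHG-106",
}

# Roles each job function is expected to hold (Steps 2 and 3).
EXPECTED_ROLES = {"developer": {"developer"}, "ops_engineer": {"ops_engineer", "prod_deploy"},
                  "analyst": {"finance_ro"}}

# Toxic role combinations that one person must not hold together (Step 5).
SOD_RULES = [({"developer", "prod_deploy"}, "developer can deploy own code to production")]

AS_OF = date(2024, 3, 1)  # date the review is performed


def export_is_complete(export, system_reported_count):
    """Step 1 completeness check: the record count matches what the source
    system reports and no account appears twice in the extract."""
    names = [a["account"] for a in export]
    return len(names) == system_reported_count and len(set(names)) == len(names)


def review_access(export, roster, approvals, expected, sod_rules, as_of):
    """Return a list of (account, finding_code, detail) tuples."""
    findings = []
    for acct in export:
        name, roles = acct["account"], set(acct["roles"])
        # Step 2: every granted role must trace back to an approval record.
        for role in sorted(roles):
            if (name, role) not in approvals:
                findings.append((name, "NO_APPROVAL", role))
        if acct["type"] == "user":
            hr = roster.get(name)
            if hr is None:
                findings.append((name, "NOT_IN_HR", "no HR record for account"))
                continue
            # Steps 1 and 2: terminated employee whose account is still enabled.
            if hr["term_date"] and hr["term_date"] <= as_of and acct["status"] == "active":
                findings.append((name, "TERMINATED_STILL_ACTIVE", hr["term_date"].isoformat()))
            # Steps 2 and 3: roles beyond what the job function justifies.
            extra = roles - expected.get(hr["job"], set())
            if extra:
                findings.append((name, "ROLE_JOB_MISMATCH", ",".join(sorted(extra))))
            # Step 5: a toxic combination held by one person.
            for combo, why in sod_rules:
                if combo <= roles:
                    findings.append((name, "SOD_CONFLICT", why))
        else:
            # Step 4: service and privileged accounts need exactly one named owner;
            # several people sharing one credential destroys traceability.
            owners = acct.get("owners", [])
            if not owners:
                findings.append((name, "NO_OWNER", acct["type"]))
            elif len(owners) > 1:
                findings.append((name, "SHARED_ACCOUNT", ",".join(owners)))
            for owner in owners:
                hr = roster.get(owner)
                if hr and hr["term_date"] and hr["term_date"] <= as_of:
                    findings.append((name, "OWNER_TERMINATED", owner))
    return findings


def run_review():
    return review_access(ACCESS_EXPORT, HR_ROSTER, APPROVALS, EXPECTED_ROLES, SOD_RULES, AS_OF)


if __name__ == "__main__":
    assert export_is_complete(ACCESS_EXPORT, 6)
    for account, code, detail in run_review():
        print(f"{account:24} {code:24} {detail}")
```

Each finding carries the account, a code tied to the step that would catch it, and the evidence to take into the walkthrough. On the constructed data the script flags bjones (unapproved production deployment role, role beyond the developer job function, and the developer/deploy SoD conflict), dlee (terminated but still active), the shared service account (three people behind one credential) and root_admin (its only owner has left). The join on the HR roster is what makes the terminated-user and terminated-owner tests possible, which is why Step 1 asks for leavers as well as active users.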

Best Practices

- Develop an onboarding template that assigns user roles, the tasks for each role and the access each role requires
- Approve users before granting access
- Review user access on a periodic basis
- Develop an offboarding template to terminate the user and revoke all access
- Onboard interactive accounts to a privileged account management (PAM) tool, so that use of shared credentials is checked out by, and logged against, a named person
- Implement the principle of least privilege and segregation of duties

Connect with me to learn more about ITGC Testing:

- Certified Information Systems Auditor (CISA)
- ISO 27001 ISMS
- ISO 27701 PIMS
- Data Privacy
- IT Auditing
- Risk Management

https://www.linkedin.com/in/chinmaykulkarni22/
