The Auditor-General of South Africa has a constitutional mandate and, as the Supreme Audit Institution (SAI) of South Africa, exists to strengthen our country's democracy by enabling oversight, accountability and governance in the public sector through auditing, thereby building public confidence.
For many organisations, information and the technology that supports it represent their most valuable but often least understood assets. Successful enterprises recognise the benefits of information technology and use it to drive value for their stakeholders. These enterprises also understand and manage the associated risks, such as increasing regulatory compliance requirements and the critical dependence of many business processes on information technology (IT). The use of technology and IT systems is increasingly embedded in business processes to initiate, authorise, process and manage financial transactions. As a result, weaknesses in the design, implementation or effectiveness of IT controls have the potential not only to compromise the integrity and accuracy of financial information, but also to impair an entity's ability to achieve its objectives and to report business and financial information efficiently. Providing access to systems in the face of possible misuse of information is an important issue to be considered by accounting officers, executives and senior management in public sector entities. There are sufficient examples in today's world to demonstrate that events that can seem unlikely do happen.
Many services delivered by public sector entities are essential to the economic and social wellbeing of our society; a failure to deliver them could have significant consequences for those concerned and for the country. Managing this risk is part of an entity's overall approach to corporate governance, which should include effective IT governance and risk management, and should be closely aligned with the entity's incident management, emergency response management and IT disaster recovery. This guide has been prepared based on insights from a number of entities and businesses audited. Establishing, assessing and monitoring the effectiveness of internal controls over financial information is an important issue and the responsibility of all public sector entities; entities' approaches to these matters are considered by the Auditor-General in determining our audit coverage of entities' financial statements. While the practices described in this publication generally provide guidance to entities, it is important that each entity assesses the extent to which the information provided is relevant, appropriate and cost-effective in the light of its own individual circumstances.
Chapter 1 – Introduction
1. Purpose of this guide
This guide is intended to assist South African government entities in strengthening IT security and controls within their systems. It aims to guide and assist entities that are looking to:
• identify and assess the business impacts and risks that may arise as a result of control weaknesses
• increase awareness of user account management risks
• strengthen system security controls and ensure that user access to systems and applications is appropriately restricted and segregated
• implement better practice procedures to improve the delivery of information from IT processes
• enhance good corporate governance and IT governance practices.
2. Why consider controls?
Increasingly, the reporting process in South African government entities is driven by information systems. The use of technology and IT systems is embedded in business processes to initiate, authorise, process and manage transactions. Today's IT systems have complex interfaces with internal business systems and numerous IT processing or reporting systems, and receive or transfer financial information concerning government payments or grant payments. Government entities are also increasingly implementing 'shared services', whereby one government entity has responsibility for the processing and/or system management of financial transactions on behalf of another government reporting entity. In order to encourage flexible working practices, IT services are delivering and expanding functionality that allows users access to the financial management system via web portals, remote access and virtual networks and, increasingly, synchronised sign-on or single sign-on (SSO) is being adopted by entities to facilitate identity management. As a result, IT system controls such as user account management processes are not only inextricably linked to the overall financial reporting process but form the foundation of an effective system of internal control for financial reporting.
3. Areas covered by this guide
This guide covers those key control objectives that are most likely to be implemented by public sector entities, such as user account management procedures, user registration, modification/changes, user deregistration, review of users' access rights, privilege management, user responsibilities in terms of password use and equipment, password management and monitoring of access/user activities.
4. How to read this guide
Each control objective is introduced with a brief narrative description, followed by more detailed procedures and best practices that should be considered to support the achievement of the control objective.
Good practice guide – User account management
Chapter 2 – User account management
Organisations should protect their information assets from the risks created by both intentional and unintentional misuse of resources. Implementations of technology are diverse and complex (e.g. platforms, applications, operating systems, databases, e-mail, internet, etc.) and all of them have to be protected from unauthorised use. The risks can, however, be minimised by following the good user account management practices prescribed by the International Organization for Standardization and the International Electrotechnical Commission in Information technology – Security techniques – Code of practice for information security management (ISO/IEC 27002:2005) and by the Information Systems Audit and Control Association's guideline on access controls (G38). The standards from these documents outlined in this booklet could be of great value to organisations when performing self-assessments of access to their systems.
Poor access control practices can lead to unauthorised disclosure of confidential information (confidentiality), unauthorised changes to data (integrity) or loss of business continuity (availability). The consequences of not having appropriate access controls in place should be considered in terms of the value of the asset to the organisation from both a quantitative and a qualitative perspective, e.g. reputational impact, customer/public perceptions, regulatory effect and financial effect. Preventive controls should therefore be implemented to minimise these risks to a level that is acceptable to the organisation. Detective controls are also required to secure the process. Proper user account management is one of the processes that can assist in achieving better information security, responsibility and accountability.
3. User account management procedures
These procedures should cover all stages in the life cycle of user access, from the initial registration of new users to the final deregistration of users who no longer require access to information systems and services. All procedures should be documented and formally approved (signed and communicated). It should also be ensured that access control responsibilities, e.g. access request, access authorisation, and access administration and monitoring, are segregated throughout the process.
4. User registration
A formal user registration procedure for granting access to information systems and services should be in place. This procedure should ensure the following, inter alia:
• A formally documented access request should be completed and approved by the user's supervisor.
• The access request form should make provision for sufficient details regarding the user, supervisor, type of access, approvals, etc. to be provided.
• Approval from the business/system owner should be obtained before access is granted to business information resources.
• The level of access granted to information and systems should be appropriate in terms of the business purpose and should be consistent with the organisational security policy, e.g. it should not compromise segregation of duties (duties and areas of responsibility should be segregated to reduce opportunities for unauthorised or unintentional modification or misuse of the organisation's assets).
• A written statement should be issued to users explaining their access rights. Users should sign statements indicating that they understand the conditions under which access is granted.
• Unique user identifications (IDs) should be created that identify users and link their actions to their IDs. Redundant user IDs should not be issued to other users.
5. Modification/changes in user status
Changes in user status include changes of job function, roles and responsibilities, and transfers within the organisation. A procedure should be established to manage these changes in user status and should include, inter alia, the following:
• Changes should be communicated to information owners, users, superusers, supervisors or any person/department responsible for defining, granting, changing or revoking access privileges.
• The access rights of users who have changed job function, roles, responsibilities, etc. should immediately be removed or blocked.
• The procedures used for the registration of users should be followed when the status of a user changes.
6. User deregistration
The access rights of users who have left the organisation should immediately be removed.
7. Review of user access rights
The review of users' access rights is necessary to maintain effective control over access to data and information services. Users' access rights should therefore be reviewed as follows:
• At regular intervals, e.g. every six months
• After any changes such as:
o promotion
o demotion
o termination of employment
o moving from one section/division to another within the same organisation
• Authorisations for special privileged access rights should be reviewed at more frequent intervals, e.g. every three months.
• Privilege allocations should also be reviewed at more frequent intervals to ensure that no unauthorised privileges have been obtained.
• All changes to privileged accounts should be logged for periodic review.
8. Privilege management
The allocation and use of privileges should be restricted and controlled. Inadequate control of system administration privileges can be a major contributing factor in failures or breaches of systems. A formal authorisation process should be used to control the allocation of privileges in multi-user systems that require protection against unauthorised access. The following steps should be considered:
• The access privileges associated with each system product, e.g. operating system, database management system and each application, as well as the users to which they need to be allocated, should be identified.
• Privileges should be allocated to users on a need-to-use basis and on an event-by-event basis, i.e. the minimum required for their functional role and only when needed.
• An authorisation process and a record of all privileges allocated should be maintained. Privileges should not be granted until the authorisation process is complete.
• Privileges should be assigned to a different user ID from the one used for normal business activities.
• Changes to privileged accounts should be logged for periodic review.
9. User responsibilities
The cooperation of authorised users is essential for effective security. Users should be made aware of their responsibilities for maintaining effective access controls, particularly regarding the use of passwords and the security of user equipment.
9.1 Password use
Passwords are a basic control in verifying a user's identity before access is granted to an information system or service in accordance with the user's authorisations. Each employee is responsible for all the actions performed with his/her password, even if it is demonstrated that an action was carried out by another person using the user's password. Users should therefore follow good security practices in the selection and use of passwords and the following should be kept in mind:
• Keep passwords confidential.
• Avoid keeping a record of passwords, e.g. in hard copy or in an electronic file.
• Change passwords whenever there is any indication of possible system or password compromise.
• Select passwords that are:
o easy to remember
o of sufficient minimum length, e.g. six characters
o not based on anything someone else could easily guess or obtain using person-related information, e.g. names, telephone numbers, dates of birth, etc.
o not vulnerable to dictionary attacks (i.e. do not consist of words included in dictionaries)
o free of consecutive identical, all-numeric or all-alphabetic characters.
• Change passwords at regular intervals or based on the number of times access has been obtained. The passwords for privileged accounts should, however, be changed more often than normal passwords.
• Avoid the reuse or cycling of old passwords.
• Change temporary passwords at first logon.
• Never share individual user passwords among users.
9.2 Unattended user equipment
All users should be made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibilities with regard to the implementation of such protection. Users should be advised to, inter alia:
• terminate active sessions when finished, unless such sessions can be secured by an appropriate locking mechanism, e.g. a password-protected screen saver
• log computers off at the end of a session (i.e. it is not sufficient to merely switch off the PC screen or terminal)
• secure computers from unauthorised use by means of a key lock or an equivalent control, e.g. password access, when not in use.
10. User password management
The allocation of passwords should be controlled through a formal management process and this process should include the following requirements as a minimum:
• Users should be required to sign an undertaking to keep personal passwords confidential. This signed statement could also be included in the terms and conditions of employment.
• If users are required to maintain their own passwords, they should be provided with a secure initial password, which they should be required to change immediately at first logon.
• Procedures should be established to verify the identity of a user prior to providing the user with a new, replacement or temporary password.
• A secure procedure should be followed when giving users temporary passwords, and the use of unprotected (clear text) e-mail messages should be avoided.
• Temporary passwords should be unique and should conform to password standards.
• Users should acknowledge receipt of passwords.
• Passwords should never be stored on computer systems in an unprotected form.
• Default vendor passwords should be replaced as soon as the installation of systems or software has been completed.
11. Monitoring of access/user activities
A set of controls should be defined for controlling and monitoring user access to and activities on systems. The following should, inter alia, be considered:
• Repeated failed login attempts should be identified and investigated.
• Any blocked or suspended user ID (three or more consecutive failed attempts) should be investigated to verify that the user is the authorised owner of the user ID and not an unauthorised person trying to discover passwords.
• Inactive users should be monitored and corrective action should be taken after a predefined period of inactivity, e.g. users that have been inactive for 60 days should be blocked.
• Activity carried out by default users (e.g. guest, administrator, owner and root) should be monitored on a daily basis.
• Access to critical accounts, log files, data files and databases should be monitored.
• Periodically, logs should be reviewed to monitor the activities of privileged users and failed access attempts.
• The organisation should be prepared to react appropriately should a breach of access such as an unauthorised intrusion be detected.
• Periodically, the organisation should check for and remove or block redundant user IDs and accounts.
• The activities of the privileged or superuser login account should be closely monitored and reviewed by senior computer security management.
• Users' passwords should be reviewed to ensure that an appropriate level of complexity is maintained.
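The password composition rules listed under 9.1 (Password use) above can be enforced at the point where a user chooses a password, rather than left to awareness alone. The following Python check is an added example and not part of the original guide: it implements the guide's rules (minimum length, no person-related values, no dictionary words, no consecutive identical characters, not all-numeric or all-alphabetic) and returns the list of rules a candidate password breaks. The word list, the personal details and the six-character minimum are assumptions taken from the guide's own examples; note that the six-character minimum and composition rules reflect ISO/IEC 27002:2005, and current guidance such as NIST SP 800-63B favours longer passwords screened against breached-password lists over composition rules, so raise the minimum in practice.

```python
"""Password composition check for the rules under 9.1 of the guide.

Added example, not part of the original guide. DICTIONARY_WORDS is a tiny
constructed stand-in for a real wordlist, and the person-related values are
passed in by the caller (in practice from the HR or directory record).
"""
import re

# Constructed stand-in for a dictionary/wordlist file (assumption).
DICTIONARY_WORDS = {"password", "welcome", "summer", "finance", "pretoria"}

MIN_LENGTH = 6  # the guide's example minimum; raise this in practice


def _person_tokens(personal_info):
    """Derive lower-case tokens (name parts, phone digits, date fragments)
    that a password must not contain."""
    tokens = set()
    for value in personal_info:
        value = value.lower()
        tokens.add(value)
        # keep each name part or number group of three or more characters
        for part in re.split(r"[\s\-/.]+", value):
            if len(part) >= 3:
                tokens.add(part)
        # phone numbers and dates: keep the full digit run and its last four
        digits = re.sub(r"\D", "", value)
        if len(digits) >= 4:
            tokens.add(digits)
            tokens.add(digits[-4:])
    return tokens


def check_password(password, personal_info=(), min_length=MIN_LENGTH):
    """Return the list of guide rules the password violates; [] means it passes."""
    violations = []
    lowered = password.lower()

    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")

    for token in _person_tokens(personal_info):
        if token and token in lowered:
            violations.append(f"contains person-related value '{token}'")
            break

    # dictionary attack resistance: reject a bare dictionary word and a
    # dictionary word with digits appended (welcome1, summer2024)
    stem = re.sub(r"\d+$", "", lowered)
    if lowered in DICTIONARY_WORDS or stem in DICTIONARY_WORDS:
        violations.append("based on a dictionary word")

    if re.search(r"(.)\1", password):
        violations.append("contains consecutive identical characters")
    if password.isdigit():
        violations.append("all-numeric")
    if password.isalpha():
        violations.append("all-alphabetic")

    return violations


if __name__ == "__main__":
    # constructed sample user details (assumption)
    details = ("Thabo Mokoena", "082 123 4567", "1985-04-12")
    for candidate in ("Th4b0!Mok", "Mokoena9", "Welcome1", "111111"):
        print(candidate, "->", check_password(candidate, details) or "ok")
```

The check is a gate on password selection only; the guide's other requirements (confidential initial passwords, forced change at first logon, replacing default vendor passwords) belong in the password management process under section 10 and are not verified here.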
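Section 11 (Monitoring of access/user activities) above names three checks that lend themselves to a routine script run over the authentication log: user IDs with three or more consecutive failed attempts, accounts inactive for 60 days, and activity by default accounts such as guest, administrator, owner and root. The following Python script is an added example and not part of the original guide. The log lines, their key=value layout and the user list are constructed for the demonstration; a real deployment would parse its own system's authentication log (SSH, Windows security events, the application's audit table) into the same (timestamp, user, result) records and feed them to the same functions.

```python
"""Monitoring checks from section 11 of the guide run over a constructed auth log.

Added example, not part of the original guide. SAMPLE_LOG and the layout it
uses are constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log: one line per logon attempt, in time order.
SAMPLE_LOG = """\
2024-03-01T08:02:11 user=thabo result=success
2024-03-01T08:05:40 user=naledi result=failure
2024-03-01T08:05:52 user=naledi result=failure
2024-03-01T08:06:03 user=naledi result=success
2024-03-02T22:14:07 user=root result=success
2024-03-02T22:14:30 user=finance_admin result=failure
2024-03-02T22:14:41 user=finance_admin result=failure
2024-03-02T22:14:55 user=finance_admin result=failure
2024-03-02T22:15:09 user=finance_admin result=failure
2024-04-28T09:00:00 user=thabo result=success
2024-04-29T07:45:12 user=guest result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$")

# Built-in/default IDs whose activity the guide says to review daily.
DEFAULT_ACCOUNTS = {"guest", "administrator", "owner", "root"}


def parse_log(text):
    """Parse the key=value lines into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected layout
        events.append((datetime.fromisoformat(m["ts"]), m["user"], m["result"]))
    return events


def consecutive_failure_lockouts(events, threshold=3):
    """Return {user: run length} for users whose run of consecutive failures
    reached the lockout threshold (three, per the guide). A success resets the run."""
    run = defaultdict(int)
    flagged = {}
    for _, user, result in events:
        if result == "failure":
            run[user] += 1
            if run[user] >= threshold:
                flagged[user] = run[user]
        else:
            run[user] = 0
    return flagged


def inactive_users(known_users, events, as_of, days=60):
    """Return the sorted user IDs with no successful logon in the last `days`
    days as of `as_of` (ISO string or datetime). Accounts that never logged on
    are included, since they are candidates for blocking too."""
    if isinstance(as_of, str):
        as_of = datetime.fromisoformat(as_of)
    last_success = {}
    for ts, user, result in events:
        if result == "success":
            last_success[user] = max(ts, last_success.get(user, ts))
    cutoff = as_of - timedelta(days=days)
    return sorted(u for u in known_users if last_success.get(u, datetime.min) < cutoff)


def default_account_activity(events):
    """Return the events attributable to default accounts, for the daily review."""
    return [(ts, user, result) for ts, user, result in events if user in DEFAULT_ACCOUNTS]


def run_review(log_text, known_users, as_of):
    """Run all three checks and return their findings in one dict."""
    events = parse_log(log_text)
    return {
        "lockouts": consecutive_failure_lockouts(events),
        "inactive": inactive_users(known_users, events, as_of),
        "default_activity": default_account_activity(events),
    }


if __name__ == "__main__":
    # constructed user list (assumption): sipho has an account but never logged on
    review = run_review(SAMPLE_LOG, {"thabo", "naledi", "finance_admin", "sipho"}, "2024-05-01")
    for key, value in review.items():
        print(f"{key}: {value}")
```

On the sample log, naledi's two failures followed by a success do not trigger a lockout finding, finance_admin's four consecutive failures do, and the inactive list shows why the 60-day check must start from the full account list rather than from the log: sipho never appears in the log at all. Each finding is a prompt for the investigation the guide calls for, not an automatic block.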