Beruflich Dokumente
Kultur Dokumente
Control Objectives for Information and related Technology (COBIT®) is an information technology (IT) governance framework and
supporting tool set that allows managers to bridge the gaps amongst control requirements, technical issues and business risks. COBIT
enables clear policy development and good practice for IT control throughout organisations. It emphasises regulatory compliance, helps
organisations increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework’s concepts.
COBIT is intended for use by business and IT management as well as IS auditors; therefore, its usage enables the understanding of
business objectives and communication of good practices and recommendations to be made around a commonly understood and well-
respected framework. COBIT is available for download on the ISACA web site, www.isaca.org/cobit. As defined in the COBIT framework,
each of the following related products and/or elements is organised by IT management process:
• Control objectives—Generic statements of minimum good control in relation to IT processes
• Management guidelines—Guidance on how to assess and improve IT process performance, using maturity models; Responsible,
Accountable, Consulted and/or Informed (RACI) charts; goals; and metrics. They provide a management-oriented framework for
continuous and proactive control self-assessment specifically focused on:
– Performance measurement
– IT control profiling
– Awareness
– Benchmarking
• COBIT Control Practices—Risk and value statements and ‘how to implement’ guidance for the control objectives
• IT Assurance Guide—Guidance for each control area on how to obtain an understanding, evaluate each control, assess
compliance and substantiate the risk of controls not being met
A glossary of terms can be found on the ISACA web site at www.isaca.org/glossary. The words audit and review are used
interchangeably.
Disclaimer: ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional
responsibilities set out in the ISACA Code of Professional Ethics. ISACA makes no claim that use of this product will assure a
successful outcome. The publication should not be considered inclusive of any proper procedures and tests or exclusive of other
procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure
or test, the controls professional should apply his/her own professional judgement to the specific control circumstances presented by the
particular systems or information technology environment.
The ISACA Standards Board is committed to wide consultation in the preparation of the IS Auditing Standards, Guidelines and
Procedures. Prior to issuing any documents, the Standards Board issues exposure drafts internationally for general public comment.
The Standards Board also seeks out those with a special expertise or interest in the topic under consideration for consultation where
necessary. The Standards Board has an ongoing development programme and welcomes the input of ISACA members and other
interested parties to identify emerging issues requiring new standards. Any suggestions should be e-mailed (standards@isaca.org),
faxed (+1.847. 253.1443) or mailed (address at the end of document) to ISACA International Headquarters, for the attention of the
director of research standards and academic relations. This material was issued 1 December 2007.
1. BACKGROUND
2. GENERAL DEFINITIONS
2.2.2 Organisations should consider creating and periodically reviewing matrix of access roles to verify
segregation of critical duties.
2.5 Administration
2.5.1 The access control policy should clearly define responsibilities, roles and procedures for changes in
employee status, such as changes in positions and tasks, transfer within department/information
security administration (ISA). It is of great importance to establish a procedure to manage changes in
user status and communicate changes to information owners, users, super users, supervisors or any
person/department responsible for defining, granting/eliminating or changing entitlements/privileges.
A security administrator should have the overall responsibility for security administration. The term
‘entitlement’ is interchangeable with access granted to users.
2.12 Requisites
2.12.1 Access to information assets should be measured against identification, authentication, authorisation
or non-repudiation.
2.12.2 The user should be identified to the resource, typically with a user identification (ID) (a string of
numbers and characters not less than eight positions in length), ID card or physical ID, such as a
person’s voice, fingerprint or iris/retina (biometric).
2.12.3 The user should be authenticated by providing the resource with one secret item that demonstrates
who he/she is. Depending on classification and risk evaluation, authentication can be made by static
passwords, dynamic passwords or one-time passwords (tokens), biometrics, personal identification
numbers (PINs)/trading partner identification numbers (TPINs). Authentication is accomplished by
using ‘something that you know’, ‘something that you have’ or ‘something that you are’. Security is
stronger with a combination of factors, e.g., an automatic teller machine (ATM) that uses two-factor
authentication—something that you know (PIN) and something that you have (card). As an example,
an access control policy should include tables such as the following table.
Information Technique
classification, risk
PIN/TPIN Static One-time Biometrics
evaluation and
Passwords Passwords
application usage, and
type of access
Public information, low risk, S D D D
not transactional
applications, internal
access
Confidential information, I I D D
medium risk, transactional
applications and internal
access
Restricted information, high I I S D
risk, transactional
applications and remote
access (web)
Legend: S—Sufficient, I— Insufficient, D—Desired
2.12.4 If identification/authentication is approved, the system permits access to the specific resource in
question. This is accomplished by different techniques depending on type of resource, for example:
• For buildings, rooms, vaults and data centres—User access cards, PINs and biometrics
• For customers documents, cabinets and faxes—User access keys, cards and supervisor memos
• Firewalls and proxies are equipment assets that allow access to other resources, and because
they are very important, they should be given special protection. They should have both physical
and logical protection such as only administrator role usage, change in configurations, and usage
of alarms and logs. In all cases, each company must analyse its needs depending on what
services (e.g., web services, e-mail, FTPs) are in use and follow standards/best practices
recommendations (e.g., disable port 80). To achieve this objective, it is important that each
company considers a vulnerability and threat management procedure, which includes the
3. AUDIT PROCESS
3.1 Planning
3.1.1 An audit programme should be developed based on the organisation’s risk assessment and risk
management strategy, including the scope, objectives and timing of the audit. Reporting
arrangements should be clearly documented in the audit programme. Consideration should be given
to the nature and size of the organisation and its stakeholders. The IS auditor should gain an
understanding of the organisation’s mission and business objectives, the types of technical
infrastructure, and business critical data.
3.1.2 An understanding of the organisational structure is needed, specifically of the roles and
responsibilities of key staff, including the information managers, owners and supervisors.
3.1.3 A primary objective of the audit planning phase is to understand the threats and risks that the
organisation faces when the access is incorrectly defined, approved, assigned, used or controlled.
3.1.4 Formal risk assessment methodologies should be employed to define the scope of the review with
emphasis on high-risk areas.
3.1.5 Appropriate sampling techniques should be considered in the planning of the audit to quantify the
results of testing, if applicable.
3.1.6 All previous audit reports should be reviewed and the level of resolution should be assessed on each
issue according to the management action plan.
4. PERFORMANCE OF WORK
5. REPORTING
6. EFFECTIVE DATE
6.1 This guideline is effective for all IS audits beginning 1 February 2008.
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Telephone: +1.847.253.1545
Fax: +1.847.253.1443
Email: standards@isaca.org
Web Site: www.isaca.org