
IS AUDITING GUIDELINE

G36 BIOMETRIC CONTROLS


The specialised nature of information systems (IS) auditing and the skills necessary to perform such audits require standards that apply specifically to IS auditing. One of the goals of ISACA is to advance globally applicable standards to meet its vision. The development and dissemination of the IS Auditing Standards are a cornerstone of the ISACA professional contribution to the audit community.

The framework for the IS Auditing Standards provides multiple levels of guidance:

Standards define mandatory requirements for IS auditing and reporting. They inform:
- IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
- Management and other interested parties of the profession's expectations concerning the work of practitioners
- Holders of the Certified Information Systems Auditor (CISA) designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder's conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately, in disciplinary action.

Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the standards, use professional judgement in their application and be prepared to justify any departure. The objective of the IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards.

Procedures provide examples of procedures an IS auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements. The objective of the IS Auditing Procedures is to provide further information on how to comply with the IS Auditing Standards.

Control Objectives for Information and related Technology (COBIT) is an IT governance framework and supporting tool set that allows managers to bridge the gaps among control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organisations. It emphasises regulatory compliance, helps organisations increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework. As defined in the COBIT framework, each of the following is organised by IT management process. COBIT is intended for use by business and IT management as well as IS auditors; therefore, its usage enables the understanding of business objectives, communication of best practices, and recommendations to be made around a commonly understood and well-respected standard reference. COBIT includes:
- Control objectives: High-level and detailed generic statements of minimum good control
- Control practices: Practical rationales and how-to-implement guidance for the control objectives
- Audit guidelines: Guidance for each control area on how to obtain an understanding, evaluate each control, assess compliance and substantiate the risk of controls not being met
- Management guidelines: Guidance on how to assess and improve IT process performance, using maturity models, metrics and critical success factors. They provide a management-oriented framework for continuous and proactive control self-assessment, specifically focused on:
  - Performance measurement: How well is the IT function supporting business requirements? Management guidelines can be used to support self-assessment workshops, and they also can be used to support the implementation by management of continuous monitoring and improvement procedures as part of an IT governance scheme.
  - IT control profiling: What IT processes are important? What are the critical success factors for control?
  - Awareness: What are the risks of not achieving the objectives?
  - Benchmarking: What do others do? How can results be measured and compared?

Management guidelines provide example metrics enabling assessment of IT performance in business terms. The key goal indicators identify and measure outcomes of IT processes, and the key performance indicators assess how well the processes are performing by measuring the enablers of the process. Maturity models and maturity attributes provide for capability assessments and benchmarking, helping management to measure control capability and identify control gaps and strategies for improvement.

A glossary of terms can be found on the ISACA web site at www.isaca.org/glossary. The words audit and review are used interchangeably.

Disclaimer: ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics. ISACA makes no claim that use of this product will assure a successful outcome. The publication should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, the controls professional should apply his/her own professional judgement to the specific control circumstances presented by the particular systems or information technology environment.

The ISACA Standards Board is committed to wide consultation in the preparation of the IS Auditing Standards, Guidelines and Procedures. Prior to issuing any documents, the Standards Board issues exposure drafts internationally for general public comment. The Standards Board also seeks out those with a special expertise or interest in the topic under consideration for consultation where necessary. The Standards Board has an ongoing development programme and welcomes the input of ISACA members and other interested parties to identify emerging issues requiring new standards.

Any suggestions should be e-mailed (standards@isaca.org), faxed (+1.847.253.1443) or mailed (address at the end of document) to ISACA International Headquarters, for the attention of the director of research, standards and academic relations. This material was issued on 8 November 2006.

1. BACKGROUND

1.1 Linkage to Standards

1.1.1 Standard S6 Performance of Audit Work states, "IS audit staff should be supervised to provide reasonable assurance that audit objectives are accomplished and applicable professional auditing standards are met. During the course of the audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence."

1.1.2 Standard S10 IT Governance states, "The IS auditor should review and assess whether the IS function aligns with the organisation's mission, vision, values, objectives and strategies ... The IS auditor should review and assess the effectiveness of IS resources and performance management processes."

1.2 Linkage to COBIT

1.2.1 Control process AI1 Identify automated solutions states, "Control over the IT process of identify automated solutions that satisfies the business requirement for IT of translating business functional and control requirements into an effective and efficient design of automated solutions by focusing on identifying technically feasible and cost-effective solutions is achieved by:
- Defining business and technical requirements
- Undertaking feasibility studies as defined in the development standards
- Approving (or rejecting) requirements and feasibility study results
and is measured by the:
- Number of projects where stated benefits were not achieved due to incorrect feasibility assumptions
- Percent of feasibility studies signed off by the business process owner
- Percent of users satisfied with functionality delivered"

1.2.2 Control process AI3 Acquire and maintain technology infrastructure states, "Control over the IT process of acquire and maintain technology infrastructure that satisfies the business requirement for IT of acquiring and maintaining an integrated and standardised IT infrastructure by focusing on providing appropriate platforms for the business applications in line with the defined IT architecture and technology standards is achieved by:
- Producing a technology acquisition plan that aligns to the technology infrastructure plan
- Planning infrastructure maintenance
- Implementing internal control, security and auditability measures
and is measured by the:
- Percent of platforms that are not in line with the defined IT architecture and technology standards
- Number of critical business processes supported by obsolete (or soon to be) infrastructure
- Number of infrastructure components that are no longer supportable (or will not be in the near future)"

1.2.3 Control process AI5 Procure IT resources states, "Control over the IT process of procure IT resources that satisfies the business requirement for IT of improving IT's cost-efficiency and its contribution to business profitability by focusing on acquiring and maintaining IT skills that respond to the delivery strategy, an integrated and standardised IT infrastructure, and reducing IT procurement risk is achieved by:
- Obtaining professional legal and contractual advice
- Defining procurement procedures and standards
- Procuring requested hardware, software and services in line with defined procedures
and is measured by the:
- Number of disputes related to procurement contracts
- Reduced purchasing cost
- Percent of key stakeholders satisfied with suppliers"

1.2.4 Control objective AI3.1 states, "Produce a plan for the acquisition, implementation and maintenance of the technological infrastructure that meets established business functional and technical requirements and is in accord with the organisation's technology direction. The plan should consider future flexibility for capacity additions, transition costs, technical risks and the lifetime of the investment for technology upgrades. Assess the complexity costs and the commercial viability of the vendor and product when adding new technical capability."

1.3 COBIT Reference

1.3.1 Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT's control objectives and associated management practices.

1.3.2 The process and control objectives to be selected and adapted may vary depending on the specific scope and terms of reference of the assignment.

1.3.3 To meet the requirement, the processes in COBIT most likely to be relevant, selected and adapted are classified below as primary and secondary. Primary:
- PO1 Define a strategic IT plan.
- PO3 Determine technological direction.
- PO5 Manage the IT investment.
- PO8 Manage quality.
- PO9 Assess and manage IT risks.
- PO10 Manage projects.
- AI1 Identify automated solutions.
- AI3 Acquire and maintain technology infrastructure.
- AI5 Procure IT resources.
- DS1 Define and manage service levels.
- DS3 Manage performance and capacity.


- DS4 Ensure continuous service.
- DS5 Ensure systems security.
- DS7 Educate and train users.
- ME1 Monitor and evaluate IT performance.
- ME2 Monitor and evaluate internal control.
- ME3 Ensure regulatory compliance.

1.3.4 Secondary:
- PO6 Communicate management aims and direction.
- AI6 Manage changes.
- DS9 Manage the configuration.
- DS10 Manage problems.
- DS11 Manage data.

1.3.5 The information criteria most relevant to biometric controls are:
- Primary: Effectiveness, efficiency and availability
- Secondary: Confidentiality, integrity and reliability

1.4 Purpose of the Guideline

1.4.1 The traditional means of identification and authentication, the keystones of access control, are based on something you know, such as a personal identification number (PIN) or password, and something you have, such as a smart card or automated teller machine (ATM) card. Apart from requiring the user to memorise the password or to carry the card, neither approach distinguishes the person uniquely: whoever knows the secret or holds the token is accepted. Passwords and token-based systems have their drawbacks and often lead to bottlenecks, especially during a crisis. With the advancement of technology, there is a paradigm shift toward a more reliable means of access control based on something you are, i.e., biometric-based access controls.

1.4.2 Accuracy is the critical characteristic of a biometric access control system. Usually identification is a one-to-many search of an individual's characteristics against a database of stored reference templates, while authentication is a one-to-one comparison to verify a claim to an identity made by an individual. A biometric is normally applied for identification in physical access controls and for authentication in logical access controls. The system fails if it is not able to separate an authentic person from an impostor. It is important that the incidence of either a false rejection (false negative) or a false acceptance (false positive) is low and at a rate considered acceptable to the organisation as a result of a cost/risk assessment.

1.4.3 With increased deployment of security architectures incorporating biometric technology, it has become imperative that the IS auditor be aware of the risks and countermeasures related to such technology. The IS auditor reviewing a system of biometric controls should have good insight into the technology, business process and control objectives to ensure that the business objectives are achieved.

1.4.4 It is in this context that there is a need for a guideline to provide guidance to IS auditors who review biometric controls while carrying out audit assignments.

1.5 Guideline Application

1.5.1 This guideline provides guidance in applying IS Auditing Standards S6 Performance of Audit Work and S10 IT Governance.

1.5.2 The IS auditor should consider this guideline in determining how to achieve implementation of the previously mentioned standards, use professional judgement in its application and be prepared to justify any departure.

1.5.3 When applying this guideline, the IS auditor should consider its guidance in relation to other relevant ISACA standards and guidelines.

2. BIOMETRIC CONTROLS

2.1 Introduction

2.1.1 The word biometric is derived from the Greek words bio and metric, meaning life measurement. It is defined as the automated identification or verification of an individual based on physiological or behavioural characteristics. The science of biometrics exploits the uniqueness of an individual's physiological or behavioural characteristics.

2.1.2 Biometric controls refer to the use of individuals' physiological or behavioural characteristics to design policies, procedures, practices and organisational structures to provide reasonable assurance that business objectives, with reference to identification and authorisation, are achieved and that undesirable events will be prevented or detected and corrected.

2.1.3 Typically biometric systems perform the functions listed in figure 1.

Figure 1: Typical Biometric System Functions
- Enrollment: The enrollment process requires the intended user to provide the system a biometric sample that will be digitally converted and stored in a repository as a reference template. Many biometric systems take multiple samples and combine them into a single reference template.
- Data storage: Individual reference templates are stored in an accessible repository for verification of the user's biometrics during real-time access. Storage can be local in the biometric device, remote in a central repository, in portable tokens such as smart cards, or a combination of these methods.
- Data acquisition: Data are acquired for identification and authentication of valid users to gain access. Data are acquired every time the user wishes to gain access.
- Transmission: A transmission channel is used by the system to transmit the data acquired for the purpose of identification and authentication. This channel may be internal to the biometric system or external, such as a local area network (LAN).
- Signal processing: Signal processing or image processing involves the matching and validating of the data acquired with the data stored. The reference template stored in the repository is matched with the data acquired, and the result is based upon the quality of the match.
- Decision: This is the function where a match or no-match decision is made for allowing or denying access to the user.

2.2 Identification vs. Authentication

2.2.1 Biometrics is the automated process for identifying or authenticating the identity of a living person based on physiological or behavioural characteristics.

2.2.2 In biometrics, identification involves a one-to-many search of individual characteristics against the repository of data. Authentication in biometrics involves a one-to-one comparison to verify a claim to an identity made by the individual.

2.2.3 Typically, a biometric uses identification in physical controls and authentication in logical controls.

2.3 Performance Measures

2.3.1 Performance measures are designed to provide a baseline to help in the evaluation of products.

2.3.2 IS auditors should consider these measures in evaluating the performance of biometric systems during the course of the audit assignment.

2.3.3 The primary measures in biometric systems are as follows and are illustrated in figure 2.

Figure 2: Sample Graph of FAR, FRR and CER (illustrative). The graph is not reproduced here; it plots FRR and FAR against the sensitivity of the biometric system. FAR decreases as sensitivity increases and FRR increases as sensitivity increases, and the CER is the point where the two curves intersect.

- False rejection rate (FRR) or type I error: The measure of the percentage of times a valid subject has been falsely rejected by the system. FRR (%) = number of false rejections * 100 / total number of unique attempts.
- False acceptance rate (FAR) or type II error: The measure of the percentage of times an invalid subject has been falsely accepted by the system. FAR (%) = number of false acceptances * 100 / total number of unique attempts.
- Cross-over error rate (CER): The error rate at which FRR equals FAR, i.e., the point on the graph where the FAR and FRR curves intersect. Because tightening sensitivity trades false acceptances for false rejections, the cross-over rate indicates the setting at which a system balances sensitivity and performance, and the lower the CER, the more accurate the system.
- Enrollment time: The time taken to initially enroll a new subject with a system by providing samples for creation of reference templates.
- Failure to enroll rate (FTER): Used to determine the rate of failed enrollment attempts. FTER = number of unsuccessful enrollments / total number of users attempting to enroll.
- Throughput rate: The rate at which enrolled subjects are processed for acceptance or rejection by the system, i.e., the number of identification or authentication transactions (each validating acquired data against the data in the repository) completed per unit of time. It is governed by the time the system takes to process one transaction.

2.4 Types of Biometric Systems

2.4.1 Biometric systems are broadly classified under two categories: one based on physiological characteristics, i.e., what we are, and the other based on behavioural characteristics, i.e., what we do.

2.4.2 Various biometric systems based on physiological characteristics are listed in figure 3.

Figure 3: Biometric Systems Based on Physiological Characteristics (biometric system: data enrollment/acquisition)
- Fingerprint: An image is obtained when the subject firmly presses his/her finger against a glass or polycarbonate plate.
- Fingertip: The blood vessel pattern under the skin is captured.
- Finger joint: The finger section between the first and second joint is captured.
- Hand geometry: Vertical and horizontal images are simultaneously captured by cameras to obtain a three-dimensional record of the length, width and height of the hand and fingers.
- Retina scan: An image of the blood vessel pattern of the retina on the inside rear portion of the eyeball is captured by a camera.
- Iris recognition: An image of the iris (coloured portion of the eye surrounding the pupil) is captured by a camera.
- Wrist veins: The vein pattern on the wrist is captured.
- Knuckle creases: Knuckle crease patterns are captured while grasping a bar.
- Face recognition: Facial images are captured by high-quality cameras.
- Facial thermograph: Heat patterns of the facial tissue are captured using thermal devices.
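The trade-off described under Performance Measures (2.3), with FAR falling and FRR rising as the decision threshold is tightened and the CER at the point where they meet, is shown below in working code. This is an added example, not code from the guideline or from ISACA. The matcher scores, the enrollment outcomes, the convention that a higher score means a closer match and the use of the decision threshold to stand in for "sensitivity" are all constructed assumptions for the illustration.

```python
"""Added example (not ISACA's code): compute FRR, FAR and the cross-over error
rate (CER) from matcher scores by sweeping the decision threshold, plus FTER
from enrollment outcomes. All data are constructed for illustration."""

# Constructed similarity scores (0..1, higher = closer match) from a hypothetical matcher.
# Genuine: valid subjects compared against their own reference template.
# Impostor: other subjects compared against that same template.
GENUINE_SCORES = [0.95, 0.90, 0.88, 0.85, 0.80, 0.78, 0.75, 0.70, 0.65, 0.55]
IMPOSTOR_SCORES = [0.20, 0.30, 0.35, 0.40, 0.50, 0.58, 0.62, 0.68, 0.72, 0.77]

# Constructed enrollment outcomes: True = reference template created, False = enrollment failed.
ENROLLMENT_OUTCOMES = [True] * 18 + [False] * 2


def frr(genuine_scores, threshold):
    """FRR (%) = false rejections * 100 / genuine attempts.
    A genuine attempt is (falsely) rejected when its score falls below the threshold."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return 100.0 * rejected / len(genuine_scores)


def far(impostor_scores, threshold):
    """FAR (%) = false acceptances * 100 / impostor attempts.
    An impostor attempt is (falsely) accepted when its score reaches the threshold."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return 100.0 * accepted / len(impostor_scores)


def error_curve(genuine_scores, impostor_scores):
    """Sweep every observed score as a candidate threshold and return
    a list of (threshold, FAR%, FRR%) rows in ascending threshold order."""
    thresholds = sorted(set(genuine_scores) | set(impostor_scores))
    return [(t, far(impostor_scores, t), frr(genuine_scores, t)) for t in thresholds]


def crossover(genuine_scores, impostor_scores):
    """Return (threshold, CER%) at the threshold where |FAR - FRR| is smallest.
    On discrete data the two curves need not meet exactly, so CER is reported
    as the mean of FAR and FRR at the closest threshold."""
    best = min(error_curve(genuine_scores, impostor_scores),
               key=lambda row: abs(row[1] - row[2]))
    threshold, fa, fr = best
    return threshold, (fa + fr) / 2.0


def fter(enrollment_outcomes):
    """FTER (%) = unsuccessful enrollments * 100 / users attempting to enroll."""
    failed = sum(1 for ok in enrollment_outcomes if not ok)
    return 100.0 * failed / len(enrollment_outcomes)


if __name__ == "__main__":
    # Walking up the threshold shows FAR falling while FRR rises.
    for t, fa, fr in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {t:.2f}: FAR {fa:5.1f}%  FRR {fr:5.1f}%")
    t, cer = crossover(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER {cer:.1f}% at threshold {t:.2f}")
    print(f"FTER {fter(ENROLLMENT_OUTCOMES):.1f}%")
```

For an auditor the useful output is the whole curve rather than the CER alone: the organisation's cost/risk assessment (1.4.2) decides whether to operate above the cross-over point (fewer false acceptances, more rejected genuine users) or below it, and the chosen threshold should be traceable to that decision. With the constructed scores the curves cross at threshold 0.70 with CER 20 percent, and FTER is 10 percent.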

2.4.3 Various biometric systems based on behavioural characteristics are listed in figure 4.

Figure 4: Biometric Systems Based on Behavioural Characteristics (biometric system: data enrollment/acquisition)
- Voice recognition: The voice is digitally converted into a voiceprint and stored in binary form.
- Keystroke dynamics: The subject's dwell time (length of time a key is held down) and flight time (time taken to move between keys) are measured.
- Signature dynamics: The subject's signature is compared, and speed, pressure and timing during signing are monitored.

2.5 Data Storage

2.5.1 Reference templates should be stored in an accessible repository for easy retrieval and comparison.

2.5.2 Local storage within the biometric reader device enables quick availability of reference templates and faster matching, and allows flexibility in deployment. However, the system will require re-enrollment of all users after a device failure if the templates are not adequately covered by the backup and restore process.

2.5.3 Large organisations store reference templates in a central repository, which allows users to enroll at central locations and be recognised by networked biometric devices. A central repository supports backup, restore and audit features. Retrieval will be relatively slower, especially where the data size/volume is large.

2.5.4 Reference templates may also be stored on smart cards, where the user carries the biometric reference template and is responsible for the privacy, confidentiality, availability and integrity of the reference template. Smart cards may also have additional security features, such as encryption and digital signatures, to further secure the template.

2.5.5 Whichever storage option is chosen, confidentiality and integrity of the data should be managed so that personal information is protected from unauthorised access.

2.6 Risks and Controls in Biometric Systems

2.6.1 The IS auditor should be aware of the risks and control measures typical of biometric systems. The most common risks and countermeasures are listed in figure 5.

Figure 5: Common Biometric System Risks and Countermeasures (risk; example; possible countermeasures)
- Spoofing and mimicry attacks. Example: an artificial finger used on a fingerprint biometric device. Countermeasures: multimodal biometrics, vitality detection, interactive authentication.
- Fake template risk. Example: a fake template stored in the server. Countermeasures: encryption, intrusion detection system (IDS), smart cards.
- Transmission risk. Example: data intercepted during transmission during enrollment or data acquisition. Countermeasures: interactive authentication, rejection of identical signals, system integration.
- Cross-system risk. Example: the same template used in different applications with different security levels. Countermeasures: hash functions, encoding algorithms.
- Component alteration risk. Example: malicious code, Trojan, etc. Countermeasures: system integration, well-implemented security policy.
- Enrollment, administration and system use risk. Example: data altered during enrollment, administration or system use. Countermeasure: well-implemented security policy.
- Noise and power loss risk. Example: flashing light at an optical sensor, changing the temperature or humidity of the fingerprint. Countermeasure: well-implemented security policy.
- Power and timing analysis risk. Example: power analysis and differential power analysis garner data on the biometric template. Countermeasures: noise generators, low-power-consumption chips in biometric devices.
- Residual characteristic risk. Example: a fingerprint remaining on the sensor is copied by various means. Countermeasures: technology assessment, multimodal access.
- Similar template/similar characteristics risk. Example: an illegitimate user has a template similar to that of a legitimate user. Countermeasures: technology assessment, multimodal access, calibration review.
- Brute-force attack risk. Example: an intruder uses brute force to deceive the system. Countermeasure: account lock after a number of unsuccessful attempts.
- Injection risk. Example: a captured digital signal injected into the authentication system. Countermeasures: secure transmission; heat-sensor-activated scanner (warm body present); date/time stamps in the digital representation of images.
- Users' rejection. Example: the invasive nature of biometric techniques could cause users to reject using the system. Countermeasures: training and awareness of users and the selection of the least intrusive technique possible.
- Changes in physical characteristics. Example: some techniques depend on face or hand characteristics, but these human aspects change with the years. Countermeasure: monitoring of CER.
- Cost of integration with other legacy systems. Example: coherence with other techniques used for legacy systems that have to be integrated. Countermeasure: cost-benefit analysis.
- Risk of loss of data. Example: hard disk/hardware failure. Countermeasure: data backup and restoration.
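Two of the countermeasures in figure 5, account lock after a number of unsuccessful attempts (brute-force attack risk) and rejection of identical signals (transmission and injection risk), are shown together below as the decision stage of a one-to-one authentication system run over a constructed stream of verification events. This is an added example, not code from the guideline, ISACA or any product. The event format, the use of a SHA-256 digest to recognise a repeated signal, the three-attempt limit and the 0.70 match threshold are assumptions; the guideline's alternative of date/time stamps embedded in the captured image is not implemented here.

```python
"""Added example (not ISACA's code): account lockout after N consecutive failed
attempts and rejection of a bit-identical captured signal, applied to a
constructed stream of biometric verification events. The event format, the
SHA-256 digest, the attempt limit and the threshold are assumptions."""

import hashlib
from collections import defaultdict

MAX_FAILED_ATTEMPTS = 3   # assumed policy: lock the claimed identity on the third consecutive failure
MATCH_THRESHOLD = 0.70    # assumed matcher decision threshold (see 2.3 on FAR/FRR)


class Verifier:
    """Decision stage of a one-to-one (authentication) biometric system."""

    def __init__(self, max_failed=MAX_FAILED_ATTEMPTS, threshold=MATCH_THRESHOLD):
        self.max_failed = max_failed
        self.threshold = threshold
        self.failed = defaultdict(int)   # consecutive failures per claimed identity
        self.locked = set()              # identities locked after too many failures
        self.seen_signals = set()        # digests of every signal already presented

    def verify(self, claimed_id, signal, score):
        """Decide one event. `signal` is the raw acquired sample (bytes) and
        `score` the matcher's similarity against claimed_id's reference template."""
        if claimed_id in self.locked:
            return "DENY_LOCKED"
        digest = hashlib.sha256(signal).hexdigest()
        if digest in self.seen_signals:
            # A live sensor never reproduces a sample bit for bit; an exact
            # repeat is a replayed or injected capture, not a new acquisition.
            return "DENY_REPLAY"
        self.seen_signals.add(digest)
        if score >= self.threshold:
            self.failed[claimed_id] = 0      # a genuine match resets the counter
            return "ACCEPT"
        self.failed[claimed_id] += 1
        if self.failed[claimed_id] >= self.max_failed:
            self.locked.add(claimed_id)      # further attempts, genuine or not, are refused
            return "DENY_LOCKED"
        return "DENY_NO_MATCH"


# Constructed events: (claimed identity, acquired signal, matcher score).
EVENTS = [
    ("alice", b"scan-alice-0001", 0.91),  # genuine user
    ("bob",   b"scan-fake-0001",  0.40),  # impostor working on bob's account
    ("bob",   b"scan-fake-0002",  0.45),
    ("bob",   b"scan-fake-0003",  0.50),  # third consecutive failure locks bob
    ("bob",   b"scan-bob-0001",   0.93),  # bob himself, now locked out
    ("alice", b"scan-alice-0001", 0.91),  # alice's earlier capture replayed on the channel
]


def process_events(events):
    """Run the events through a fresh Verifier and return the decision for each."""
    verifier = Verifier()
    return [verifier.verify(claimed_id, signal, score) for claimed_id, signal, score in events]


if __name__ == "__main__":
    for (claimed_id, _, score), decision in zip(EVENTS, process_events(EVENTS)):
        print(f"{claimed_id:6s} score={score:.2f} -> {decision}")
```

The fifth event shows the cost of the lockout control: the genuine user is refused as well, which is why the audit procedure below pairs the control with business continuity and compensating-control checks, and why the log of denied access (3.6) should record the reason for the denial so that lockouts and replay rejections can be distinguished from ordinary non-matches.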


3. AUDIT PROCEDURE

3.1 Selecting and Acquiring the Biometric System

3.1.1 The IS auditor should consider reviewing the following processes relating to selecting and acquiring a biometric system:
- The goals of installing the biometric system, and alignment of these goals to the business objectives of the organisation
- The study on the selection of the biometric system, based on risk analysis and asset classification, including consideration of privacy and legal matters
- The risk analysis, its impacts and the mitigation plan
- The impact on business from the use of biometric controls
- The effect of biometric controls on employees, customers and business partners
- The return on investment for a biometric system vs. traditional access systems, such as user ID and password authentication
- The obsolescence of the biometric product
- The compliance of the product with industry and national/international standards
- The market analysis of product performance and supplier service support
- Vendor certification and product certification
- The intrusiveness of the system for data collection
- User acceptability within similar industries and in other industries/organisations
- Legal considerations and users' rights (privacy)

3.2 Operation and Maintenance of the Biometric System

3.2.1 The IS auditor should consider reviewing the following aspects relating to operation and maintenance of the biometric system:
- The biometric policy and its alignment to the security policy of the organisation
- The security (confidentiality, integrity and availability (CIA)) of biometric information, including restricted access to the data repository
- Monitoring the efficiency of the biometric system through analysis of data, such as enrollment time, success rates, failure rates, throughput time, down time, false positives, false negatives, mean time between failures (MTBF), mean time to repair (MTTR) and FTER
- The interface of the biometric system with other applications and systems (e.g., single sign-on)
- Interface with other biometric systems in the organisation
- Analysis of operation and maintenance cost
- Data storage capacity requirements
- Data security, backup and restore procedures
- Upgrade and patch management
- Destruction of user records after termination from the company
- Business continuity in case of biometric system failure and availability of standby systems/compensating controls
- Appropriate change control where role-based access is used

3.3 User Training and Acceptance

3.3.1 The IS auditor should consider reviewing the following aspects relating to user training and acceptance of the biometric system:
- Communication of the biometric policy within the organisation
- Commitment to securing the biometric information and privacy of genuine users
- Commitment to relevant privacy and biometric laws and regulations
- Awareness by the users of the biometric authentication system
- Identification of owner roles and responsibility for the biometric system
- Identification of training needs, training schedule, help desk and support service
- Training on usage of the system, protection, and system and self hygiene
- Availability of documented training material and sign boards
- Acceptance by users of the system in the organisation
- Risk of uncooperative users damaging or sabotaging the system

3.4 System Performance

3.4.1 The IS auditor should consider reviewing the following aspects relating to system performance of the biometric system:
- Interface of the system with applications
- Process for enrollment, re-enrollment and removal of users
- Subject and system contact requirements
- Testing, verification, validation and approval of the system
- Testing of access definitions and administrator privileges
- Protection against tampering or sabotage
- Protection against compromise of data
- Backup of data
- Business continuity planning (BCP) in case of system failure and testing of the BCP
- Periodic testing (e.g., brute force)
- Resistance to counterfeiting and reliability over prolonged usage

3.5 Application and Database Controls

3.5.1 The IS auditor should consider reviewing the following aspects relating to access controls and configuration settings of the biometric system:
- Platform security configuration settings, including restricting access to all biometric information of individuals to only those with a current and strict business need
- Intrusion detection controls
- Transaction controls
- Encryption of network traffic, including communication lines
- Encryption of stored data in the repository
- Change management (software and hardware)
- Database administration and maintenance
- Installation of hardware and software

3.6 Audit Trails

3.6.1 The IS auditor should consider reviewing the following aspects relating to the audit trail of the biometric system:
- Access log
- Activity log
- Change log
- Log of denial of access
- System downtime log

4. AUDIT CONSIDERATIONS

4.1 Historic Concerns Over Biometric System Use

4.1.1 The following are concerns that need to be addressed when considering the use of biometrics:
- Privacy concerns: Certain health events, such as diabetes or strokes, cause changes in the blood vessel pattern in the retina. Organisations using a retina-based biometric system may improperly obtain health information that may be used to the detriment of the system user. All laws and regulations regarding using and capturing physical characteristics must be considered prior to installing any biometric system.
- Intrusiveness of data collection: The user's sensitivity to intrusion into his/her personal space during a scan
- Perceived health maladies: Concern over contagious diseases from contact with a contaminated surface (e.g., fingerprint scanner)
- Skill to use the system: Certain users may not have the required skill (e.g., literacy or ability) to use the system or may distrust the actual performance of the system. Operating conditions (e.g., greasy hands, dusty areas) may hamper the performance of the system.
- Robustness of the system: Biometric technology is not foolproof and needs to overcome problems related to the reliability of biometric applications. The impact of false rejections and acceptances, from both operational and reputational viewpoints, must be reviewed. The risk of tampering and sabotage by insiders also cannot be ruled out.
- Cost of deployment: Deploying biometric devices at every access point may be expensive and may consume resources.
- Accuracy: The possibility of unauthorised users gaining access and authorised users being denied access exists.
- Resistance to change: There may be instances of users who are resistant to using biometric systems.
- Local regulatory and statutory requirements with respect to the use of biometric systems and the acceptability of the system to the using community

5. EFFECTIVE DATE

5.1 This guideline is effective for all IS audits beginning on or after 1 February 2007. A full glossary of terms can be found on the ISACA web site at www.isaca.org/glossary.

ISACA 2006-2007 Standards Board
Chair, Sergio Fleginsky, CISA, ICI Paints, Uruguay
Brad David Chin, CISA, CPA, Google Inc., USA
Maria Gonzalez, CISA, HomeLand Office, Spain
John Ho Chi, CISA, CISM, CBCP, CFE, Ernst & Young, Singapore
Andrew MacLeod, CISA, CIA, FCPA, MACS, PCP, Brisbane City Council, Australia
Meera Venkatesh, CISA, CISM, ACS, CISSP, CWA, Microsoft Corporation, USA
Ravi Muthukrishnan, CISA, CISM, FCA, ISCA, Ikanos Communications, India
John G. Ott, CISA, CPA, AmerisourceBergen, USA
Jason Thompson, CISA, CIA, KPMG, USA
Corresponding member, John Beveridge, CISA, CISM, CFE, CGFM, Office of the Massachusetts State Auditor, USA

Copyright 2006 Information Systems Audit and Control Association
3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008 USA
Telephone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: standards@isaca.org
Web site: www.isaca.org

