How I Structure Security Controls Portal

Main Page - Security Control: Identification & Authentication (IAC)

Identification & Authentication (IAC) - User Provisioning & De-Provisioning

User Provisioning & De-Provisioning

Internal Audit Schedule: Week 40

Week 40 is the week of the year in which I will audit this specific control in the "Test of Operating Effectiveness".

Control Statement

FormAssembly Inc. has implemented mechanisms to utilize a formal user registration and de-registration process that governs the assignment of access rights.

Goal

Does the organization utilize a formal user registration and de-registration process that governs the assignment of access rights?

Test of Design

Provisioning

Inquire of appropriate personnel to determine the process for provisioning access to the system.

  1. Inspect a sample provisioning request or provisioning policy to determine the process for provisioning access to the system.

Test of Operating Effectiveness

  1. Obtain and inspect a listing of all system accounts and associated roles created during the period.
  2. Obtain and inspect a listing of all newly hired employees during the period.
  3. Select an annualized sample based on the population of newly provisioned accounts/roles to the system to determine if they were provisioned appropriately. (NOTE: If the system does not contain a field such as “created date”, a population of provisioned accounts can be determined by comparing a user listing from prior to the period start with the current listing OR comparing the current user listing to the list of newly hired team members).
  4. For the selected sample, obtain and inspect evidence that all of the account access granted was the account access requested.
  5. For the selected sample, obtain and inspect evidence that all of the account access granted was approved by the appropriate personnel.
  6. For the selected sample, obtain and inspect evidence that the account access granted was approved prior to being provisioned.
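
Steps 3 to 6 above, sketched in Python as an added example (not part of the original page and not FormAssembly tooling). The listing and ticket field names, the approver set and all sample data are assumptions; the population comes from diffing a prior and a current user listing, and every account in it is tested instead of drawing a sample.

```python
from datetime import datetime

def new_access(prior, current):
    """Step 3 fallback: with no created date, diff the two user listings."""
    added = {a: roles - prior.get(a, set()) for a, roles in current.items()}
    return {a: roles for a, roles in added.items() if roles}

def exceptions_for(granted, ticket, approvers):
    """Steps 4-6 for one account; returns a list of audit exceptions."""
    if ticket is None:
        return ["no provisioning request on file"]
    found = []
    extra = granted - ticket["requested"]
    if extra:                                              # step 4
        found.append("granted but not requested: " + ", ".join(sorted(extra)))
    if ticket["approver"] not in approvers:                # step 5
        found.append("approver not authorized: " + ticket["approver"])
    if ticket["approved_at"] >= ticket["provisioned_at"]:  # step 6
        found.append("approved after provisioning")
    return found

def audit(prior, current, tickets, approvers):
    """Map each newly provisioned account to its exceptions, if any."""
    checked = {a: exceptions_for(g, tickets.get(a), approvers)
               for a, g in new_access(prior, current).items()}
    return {a: found for a, found in checked.items() if found}

# Constructed sample data; every name, role and timestamp is hypothetical.
T = datetime.fromisoformat
PRIOR = {"alice": {"admin"}, "bob": {"support"}}
CURRENT = {"alice": {"admin"}, "bob": {"support", "billing"}, "carol": {"support"},
           "dave": {"admin", "support"}, "erin": {"support"}, "frank": {"support"}}
APPROVERS = {"it-manager", "ciso"}

def ticket(requested, approver, approved, provisioned):
    return {"requested": requested, "approver": approver,
            "approved_at": T(approved), "provisioned_at": T(provisioned)}

TICKETS = {
    "bob": ticket({"billing"}, "it-manager", "2024-03-01T09:00", "2024-03-01T10:00"),
    "carol": ticket({"support"}, "it-manager", "2024-04-02T15:00", "2024-04-02T11:00"),
    "dave": ticket({"support"}, "ciso", "2024-05-06T09:00", "2024-05-06T09:30"),
    "erin": ticket({"support"}, "team-lead", "2024-06-03T09:00", "2024-06-03T12:00"),
}

if __name__ == "__main__":
    for account, found in sorted(audit(PRIOR, CURRENT, TICKETS, APPROVERS).items()):
        print(account, "->", "; ".join(found))
```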