Scribd
Upload
778 views

Auditing Operating Systems: Audit Objectives Relating To Access Privileges

The document discusses auditing operating system security. It outlines four key areas to examine: 1) controlling access privileges to ensure separation of duties, 2) implementing strong password controls with regular changes, 3) preventing malicious programs like viruses, and 4) maintaining adequate system audit trails to detect unauthorized access and failures. The auditor's role is to verify policies and procedures are in place in these areas and are effective through procedures like reviewing user access rights and logs.

Uploaded by

Iryne Kim Palatan
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
778 views

Auditing Operating Systems: Audit Objectives Relating To Access Privileges

The document discusses auditing operating system security. It outlines four key areas to examine: 1) controlling access privileges to ensure separation of duties, 2) implementing strong password controls with regular changes, 3) preventing malicious programs like viruses, and 4) maintaining adequate system audit trails to detect unauthorized access and failures. The auditor's role is to verify policies and procedures are in place in these areas and are effective through procedures like reviewing user access rights and logs.

Uploaded by

Iryne Kim Palatan
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 2

I.

Auditing Operating Systems


Operating System- computer’s control program that allows users and their applications to share
and access common computer resources.
Three Main Tasks of Operating Systems
 It translates high-level languages, such as COBOL, C++, BASIC, and SQL, into the machine-
level language that the computer can execute.
 Allocates computer resources to users, workgroups, and applications.
 Manages the task of job scheduling and multiprogramming.
Operating System Objectives
a) OS must protect itself from users
b) OS must protect users from each other
c) OS must protect users from themselves
d) OS must be protected from itself
e) OS must be protected from its environment

Operating System Security- involves policies, procedures, and controls that determine who can
access the operating system, which resources they can use, and what actions they can take.

Security Components
1) Log-on procedure- operating system’s first line of defense against unauthorized access.
2) Access token- contains key information about the user, including user ID, password, user
group, and privileges granted to the user.
3) Access control list- assigned to each IT resource which controls access to the resources.
4) Discretionary access privileges- allows owner to grant access privilege to other users.

Three Sources of Threats


 Privilege personnel who abuse their authority.
 Individuals who browse the operating system to identify and exploit security flaws.
 Individuals who intentionally or accidentally insert viruses or other forms of destructive
programs into the operating system.

OS Controls and Audit Tests


*Areas to be examined;
1. Controlling Access Privileges- privileges should be carefully administered and
closely monitored for compliance with organizational policy and principles of internal
control.
Audit Objectives relating to Access Privileges:
-To verify that access privileges are granted in a manner that is consistent with the need to
separate incompatible functions and is in accordance with the organization’s policy.
 Audit Procedures:
 Review organizations’ policies for separating incompatible functions and ensure that
they promote reasonable security.
 Review the privileges of a selection of user groups and individuals to determine if their
access rights are appropriate for their job descriptions and positions.
 Review personnel records to determine whether privileged employees undergo an
adequately intensive security clearance check in compliance with company policy.
 Review employee records to determine whether users have formally acknowledged
their responsibility to maintain the confidentiality of company data.
 Review the users’ permitted log-on times.

2. Password Control
Password- secret code the user enters to gain access to systems, applications, data
files, or a network server.
Common forms of contra-security behavior
 forgetting passwords and being locked out of the system
 failing to change passwords on a frequent basis
 Post-it syndrome
 Simplistic passwords that computer criminal easily anticipates
Reusable Passwords- user defines the password to the system once and then
reuses it to gain future access.
One-Time Passwords- user’s password changes continuously.
Audit Objectives relating to passwords:
-To ensure that the organization has an adequate and effective password policy for
controlling access to the operating system.
 Audit Procedures:
 Verify that all users are required to have passwords
 Verify that new users are instructed in the use of passwords and the importance of
password control.
 Review password control procedures to ensure that passwords are changed regularly.
 Review password file to determine that weak passwords are identified and disallowed.
 Verify that the password file is encrypted and that the encryption key is properly
secured.
 Assess the adequacy of password standards such as length and expiration interval.
 Review the account lockout policy and procedures.

3. Controlling Against Malicious and Destructive Programs

Audit Objectives relating to viruses and other destructive programs:


-To verify that effective management policies and procedures are in place to
prevent the introduction and spread of destructive programs.
 Audit Procedures:
 Through interviews, determine that operations personnel have been educated about
computer viruses and are aware of the risky computing practices that can introduce
and spread viruses and other malicious programs.
 Verify that new software is tested on standalone workstations prior to being
implemented on the host or network server.
 Verify that the current version of antiviral software is installed on the server and that
upgrades are regularly downloaded to workstations.

4. System Audit Trail Controls


System audit trail- logs that record activity at the system, application and user
level.
Keystroke monitoring- recording both the users keystrokes and the system’s
responses.
Event monitoring- summarizes key activities related to system resources.
Security Objectives:
Detecting unauthorized access to the system
Facilitating the reconstruction of events
Promoting personal accountability.

Audit Objectives relating to system audit trails:


-To ensure that the established system audit trail is adequate for preventing and
detecting abuses, reconstructing key events that precede systems failures and
planning resource allocation.
 Audit Procedures:
 Auditor should verify that the audit trail has been activated according to
organization policy.
 Scan the log for unusual activity
 Select a sample of security violation cases and evaluate their disposition to assess
the effectiveness of the security group.

You might also like