What is IT Security Audit? Real-World Case Studies
IT Security Audit: Real-world Example
The findings below come from an access control audit at an international insurance company.
Finding -1: When external consultants or contracted staff ended their business relationship, their accounts remained active across all IT systems.
Solution: A process involving the Human Resources department was designed and supported by an automated workflow.
Finding -2: When role changes occurred, access rights on the file server weren’t modified accordingly.
Solution: The related human resources process was improved and security operations was involved.
Finding -3: Admin passwords on production databases weren’t forced to change.
Solution: Configuration settings were changed.
Finding -4: When critical transactions on the database were examined, some of them couldn’t be traced back to an individual because they were recorded under generic identities. The transactions we examined had a critical monetary effect on the business processes.
Solution: Application code was modified to ensure that account identities were included in the transactions.
Finding -5: DB admins also had system admin user rights, which caused a conflict of interest.
Solution: Statements to avoid conflict of interest were included in the security policy and related policy statements were implemented. It was ensured that privileged accounts were reviewed. An automated reminder task was implemented.
Finding -6: There were generic user accounts for which the identity of the user couldn’t be determined.
Solution: All generic account names were reviewed and removed. A related statement was included in the security policy.
Finding -7: Some service accounts had login rights.
Solution: All service accounts were reviewed and corrected.
Finding -8: There was no defined rule about the approvers of access requests in the information security policy. In some cases only the manager of the requester approved the access requests.
Solution: A related statement was included in the policy. Information owners were nominated. A procedure was written and implemented.
Finding -9: Firewall rule requests weren’t approved, which caused control weaknesses in cyber security.
Solution: Firewall rule changes were included in the change management process.
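The account-level findings above (1, 6 and 7) can be checked repeatedly by reconciling an account inventory against the HR roster. The script below is an added example, not part of the audit or the company's tooling; the record layout, field names and sample data are constructed assumptions.

```python
from datetime import date

# Constructed sample data (not from the audit): HR roster and account inventory.
HR_ROSTER = {
    "E100": {"name": "A. Keller", "end_date": None},
    "C200": {"name": "B. Osei", "end_date": date(2024, 3, 31)},  # contractor, left
}
ACCOUNTS = [
    {"system": "fileserver", "login": "akeller", "owner": "E100", "type": "user", "interactive": True, "enabled": True},
    {"system": "crm", "login": "bosei", "owner": "C200", "type": "user", "interactive": True, "enabled": True},
    {"system": "db-prod", "login": "admin", "owner": None, "type": "user", "interactive": True, "enabled": True},
    {"system": "db-prod", "login": "svc_backup", "owner": "E100", "type": "service", "interactive": True, "enabled": True},
    {"system": "crm", "login": "svc_sync", "owner": "E100", "type": "service", "interactive": False, "enabled": True},
    {"system": "crm", "login": "old_temp", "owner": None, "type": "user", "interactive": True, "enabled": False},
]

def review_accounts(accounts, roster, today):
    """Return a sorted list of (finding, system, login) tuples for enabled accounts."""
    issues = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts cannot be used to log in
        key = (acct["system"], acct["login"])
        person = roster.get(acct["owner"])
        if person is None:
            # Finding 6: no accountable individual behind the account
            issues.append(("generic-or-unowned", *key))
        elif person["end_date"] is not None and person["end_date"] < today:
            # Finding 1: owner's engagement ended, account still active
            issues.append(("owner-terminated", *key))
        if acct["type"] == "service" and acct["interactive"]:
            # Finding 7: service account that can log in interactively
            issues.append(("service-interactive-login", *key))
    return sorted(issues)

if __name__ == "__main__":
    for finding, system, login in review_accounts(ACCOUNTS, HR_ROSTER, date(2024, 6, 1)):
        print(f"{finding:28} {system:12} {login}")
```

Run on a schedule against real exports, a report like this plays the role of the automated reminder described in the solutions.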