Identification and Access Management (IAM)
Internal Audit Practice Aid
Program Description
This practice aid relies on the National Institute of Standards and Technology (NIST) special
publication 800-53 rev. 5, Security and Privacy Controls for Federal Information Systems and
Organizations. The SP 800-53 rev. 5 is a freely available security control framework. The
controls referenced in this practice aid are a subset of controls specifically selected to support a
healthy IAM process. The auditor is at liberty to include or exclude any of these controls based
on their risk environment. These controls are referenced with a two-letter identifier followed by a
control number, such as AC-2, which references the second control in the Access Control
family, “Account Management”.
There are no specific Federal statutes that apply to Identification and Access Management.
Individual State Transportation Agencies may have state specific statutes or regulations that
govern System Development Projects that should be considered during an engagement.
The scope of this engagement includes a review of the controls over the Identification and
Access Management (IAM) process. This guide is intended to be generic enough to cover a wide
range of user types and systems. It is expected that the auditor will first perform a high-level risk
assessment of user types and systems to focus on those with the highest risk.
Audit Objectives
Specifically, the audit objectives are to determine whether internal controls were adequate to
ensure:
Appropriate identification and access management policy implementation.
Appropriate risk management practices are employed.
Appropriate identification, account management, and password methodologies are implemented.
Contents
Audit Program
Objective A: Determine if appropriate identification and access management (IAM) policy is implemented.
Objective B: Determine if appropriate risk management practices are employed.
Objective C: Determine if appropriate identification methodologies are implemented.
Objective D: Determine if appropriate account management methodologies are implemented.
Objective E: Determine if appropriate account password methodologies are implemented.
Glossary
Audit Program
Personnel Security controls referenced:
Personnel termination (PS-4)
Personnel transfer (PS-5)
Access agreements (PS-6)
External personnel security (PS-7)
Objective A: Determine if appropriate identification and access management (IAM) policy is implemented.
Step 5. Verify IAM processes are integrated with Human Resource (HR) processes such as onboarding, change of duty assignment, and terminations. (AC-2, PS-1, PS-4, PS-5)
Step 6. Determine if all systems and user types within scope are required to comply with IAM policy (for external users, there should be a contractual obligation). (AC-1, AC-3, PS-6, PS-7, PT-1)
Step 7. Determine if policy allows for exemptions; if it does, request and review policy exemptions. Review exemptions for limitations, periodic review for continued applicability, risk assessment, and approval. (AC-1)
Objective B: Determine if appropriate risk management practices are employed.
Step 1. Obtain and review approved risk management procedures for IAM. (RA-1)
Step 2. Obtain and review the most recent risk assessment for IAM for the systems and user types in scope. (RA-3)
Step 3. Obtain and review any other risk assessment documentation that may be pertinent. (RA-3)
Step 4. Determine if the risks identified in Steps 2 and 3 above are addressed and IAM follows the approved risk management procedures obtained in Step 1.
Objective C: Determine if appropriate identification methodologies are implemented.
Step 1. Identify who is responsible for implementing IAM controls. (AC-1, IA-1)
Step 2. Obtain and review account provisioning procedures. (AC-1, IA-1)
Step 3. Obtain and review account transfer and termination procedures (from IT, HR, and possibly business units). (PS-1)
Step 4. Obtain and review user access revalidation procedures. (AC-2, AC-6)
Step 5. For each system under review, obtain and review a sample of segregation of duty tables/documentation for the user types within scope. (AC-5)
Step 6. For each system under review, obtain a sample of user accounts.
Step 7. Identify account approvers and data/system owners.
Step 8. Verify the procedures obtained in Steps 1-5 were followed and proper approvals were obtained (Step 7) for the sample of user accounts obtained in Step 6 above. (AC-2)
Objective D: Determine if appropriate account management methodologies are implemented.
Step 1. For each system under review, verify the IAM process adheres to IAM policy and functions accordingly. (AC-1)
Step 2. Verify IAM staff have the appropriate level of skill, experience, and training to perform all IAM duties assigned. (AC-2)
Step 3. For each system under review, verify that each user type account is authenticated using an approved process prior to gaining access to the system. (AC-3)
Step 4. For each system under review, verify that all user types follow the agency’s defined identity verification process. (AC-3)
Step 5. For each system under review, verify that access control (AC) databases are secured behind a firewall and DMZ. (SC-28)
Step 6. For each system under review, review and verify that access to the AC databases is appropriately controlled by the use of encryption and least privilege. (SC-28, AC-6)
Step 7. For each system under review, verify account identifiers are uniquely defined and do not contain sensitive information such as SSN. (IA-2, IA-4)
Step 8. For each system under review, determine if any account identifier is shared by individuals or systems. (IA-2, IA-4)
Step 9. For each system under review, determine and verify that account usage is regularly and adequately monitored. (AC-2)
Step 10. For each system under review, and if privileged accounts are in scope, determine if privileged account identifiers are used for any general purpose tasks where elevated privilege is not required. (AC-2(7), AC-6(2))
Step 11. For each system under review, determine if, by policy and automated procedure, accounts are to be disabled after a standard number of failed attempts. (AC-1, AC-7)
Step 12. For each system under review, verify the system enforces account lock after a standard number of failed attempts. (AC-7)
Step 13. For each system under review, determine if, by policy, user sessions are automatically disconnected or locked after a standard amount of time. (AC-2, AC-11, AC-12)
Step 14. For each system under review, verify the system enforces a user session lock or disconnect after a specified amount of time. (AC-11, AC-12)
Step 15. For each system under review, determine whether and how activity logs are generated, securely stored, and reviewed by authorized staff/management. (AU-2, AU-6)
Step 16. For each system under review, determine if data/system owners and security specialists routinely receive and review access change reports. (AC-3)
Step 17. For each system under review, determine if user accounts can be logged in from multiple endpoints simultaneously. (If allowed, determine legitimacy.) (AC-10)
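As an added illustration that is not part of the practice aid, the following Python script applies several of the tests above to a constructed sample of account records: the HR-integration check of Objective A Step 5, the approval check of Objective C Step 8, and the identifier, sharing and usage-monitoring checks of Objective D Steps 7-9. The sample accounts, the HR termination feed, the approver list, the SSN pattern and the 90-day dormancy threshold are all assumed values chosen for the example.

```python
import re
from dataclasses import dataclass

# Heuristic for Step D.7: an identifier that looks like a US SSN (assumed pattern).
SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")

@dataclass(frozen=True)
class Assignment:
    identifier: str       # account identifier as recorded in the system
    owner: str            # person or job the account is assigned to
    enabled: bool
    approved_by: str      # approver on the provisioning record ("" = none on file)
    days_since_login: int

# Constructed sample population: not real accounts, owners or approvers.
SAMPLE = [
    Assignment("jdoe", "J. Doe", True, "owner_fin", 3),
    Assignment("123-45-6789", "R. Roe", True, "owner_fin", 12),  # SSN used as identifier
    Assignment("svc_backup", "Backup job", True, "owner_it", 1),
    Assignment("svc_backup", "T. Poe", True, "owner_it", 1),     # same identifier, second owner
    Assignment("mlee", "M. Lee", True, "", 40),                   # no approval on file
    Assignment("kfox", "K. Fox", True, "owner_fin", 7),          # terminated per HR, still enabled
    Assignment("apark", "A. Park", False, "owner_it", 200),      # disabled, so not reported dormant
    Assignment("bquinn", "B. Quinn", True, "owner_it", 120),     # enabled but unused
]
HR_TERMINATED = {"K. Fox"}             # constructed HR termination feed (Objective A Step 5)
APPROVERS = {"owner_fin", "owner_it"}  # constructed owner list from Objective C Step 7
DORMANT_DAYS = 90                      # assumed agency threshold for Objective D Step 9

def audit(sample, hr_terminated, approvers, dormant_days=DORMANT_DAYS):
    """Return (control, identifier, finding) for every exception in the sample."""
    findings = []
    owners_by_id = {}
    for a in sample:
        owners_by_id.setdefault(a.identifier.lower(), set()).add(a.owner)
        if SSN_RE.search(a.identifier):
            findings.append(("IA-4", a.identifier, "identifier contains SSN-like value"))
        if a.enabled and a.owner in hr_terminated:
            findings.append(("PS-4", a.identifier, "enabled account for terminated individual"))
        if a.approved_by not in approvers:
            findings.append(("AC-2", a.identifier, "no approval by a recognised owner"))
        if a.enabled and a.days_since_login > dormant_days:
            findings.append(("AC-2", a.identifier, "enabled account unused beyond threshold"))
    for ident, owners in owners_by_id.items():   # Step D.8: identifier shared by several owners
        if len(owners) > 1:
            findings.append(("IA-2", ident, "identifier shared by %d owners" % len(owners)))
    return findings

if __name__ == "__main__":
    for control, ident, text in audit(SAMPLE, HR_TERMINATED, APPROVERS):
        print(f"{control:5} {ident:12} {text}")
```

Each finding carries the control it relates to so the auditor can tie the exception back to the step and the NIST reference in the program.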
Objective E: Determine if appropriate account password methodologies are implemented.
Step 10. For each system under review, determine if temporary passwords are randomly generated. (IA-5)
Step 11. For each system under review, verify that any challenge and response questions for password change do not allow any PII or sensitive information. (IA-5)
Step 12. For each system under review, verify transmission of passwords is only over cryptographically protected channels. (IA-5)
Step 13. For each system under review, verify that a process has been established for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. (IA-5)
Glossary
Access Control: The process of granting or denying specific requests for obtaining and using information and related information processing services; and to enter specific physical facilities (e.g., Federal buildings, military establishments, and border crossing entrances). (NIST.gov)
Access Management: Access Management is the set of practices that enables only those permitted the ability to perform an action on a particular resource. The three most common Access Management services you encounter every day, perhaps without realizing it, are Policy Administration, Authentication, and Authorization. (NIST.gov)
Approvers: A member of the organization that determines the organization's official approval or rejection of an app. (NIST.gov)
Channel: An information transfer path within a system. May also refer to the mechanism by which the path is effected. (NIST.gov)
DMZ: A perimeter network or screened subnet separating an internal network that is more trusted from an external network that is less trusted. (NIST.gov)
Firewall: A gateway that limits access between networks in accordance with local security policy. (NIST.gov)
Identifier: Unique data used to represent a person’s identity and associated attributes. A name or a card number are examples of identifiers. A unique label used by a system to indicate a specific entity, object, or group. (NIST.gov)
Identification and Authentication for Agency Users: Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. (NIST.gov)
Information Flow Enforcement: Enforce approved authorizations for controlling the flow of information within the system and between connected systems. (NIST.gov)
Information Input Validation: Checking the valid syntax and semantics of system inputs—including character set, length, numerical range, and acceptable values—verifies that inputs match specified definitions for format and content. (NIST.gov)
Least Privilege: The principle that users and programs should only have the necessary privileges to complete their tasks. (NIST.gov)
PII (Personally Identifiable Information): Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. (NIST.gov)
Separation of Duties: Separation of duties refers to the principle that no user should be given enough privileges to misuse the system on their own. Separation of duties can be enforced either statically (by defining conflicting roles, i.e., roles which cannot be executed by the same user) or dynamically (by enforcing the control at access time). (NIST.gov)
Session Lock: Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences. (NIST.gov)