Tag Archives: group

Some Periodic Reviews Provide Little Assurance

securityI’ve written before how some periodic reviews provide management with little assurance, but management doesn’t realize how little.

My previous post focused mostly on server access. In this post, I want to look at normal user access.

For example, let’s assume your company has a policy that states that all IDs must be assigned within an Active Directory group. In other words, IDs are assigned to groups, and groups are assigned to assets; IDs should not be assigned directly to an asset.

Assume the control you are testing states that user access is reviewed annually.

Continue reading

Leave a comment

Filed under Audit, Security, Technology

Auditor Struggles, Part 4

This is Part 4 of a Case File series that describes how real auditors tried to apply questionable methods to auditing and data profiling. See Part 1, Part 2, Part 3.

Does the Process X team provide metrics around their process?” I asked.

“Yes,” the most senior auditor replied, showing me the web page where the Process X metrics were displayed.

After reviewing the page briefly, I said, “I see they do metrics by month. You have a year’s data; are you planning to understand how they prepare their metrics and re-calculate them to see if you get the same numbers?”

Continue reading

Leave a comment

Filed under Audit, Case Files, Data Analytics, Excel

Auditor Struggles, Part 3

This is Part 3 of a Case File series that describes how real auditors tried to apply questionable methods to auditing and data profiling. See Part 1 and Part 2.

I looked at the third page of the handout and asked, “What is this?”

“A list of Active Directory (AD) groups and the user IDs in each group. I searched AD for any group containing the system name,” the junior auditor said, “and identified these 6 groups. I then downloaded all the members of these groups from AD into Excel.”

Continue reading

Leave a comment

Filed under Audit, Case Files, Data Analytics, Excel

Auditor Struggles, Part 1

Some auditors struggle with basic auditing. So when these auditors try to data analysis, well you can imagines how that goes.

I recently met with a team of auditors to give them input on what data profiling would be appropriate to perform. And what analytics might be insightful.

This is Part 1 of a 4-part Case File series that describes how real auditors tried to apply questionable methods to auditing and data profiling. Do not try these methods at home or work. Don’t even dream about them, awake or asleep. 

Continue reading

5 Comments

Filed under Audit, Case Files, Excel

Use LinkedIn to get an IT Audit job

If you’re looking for an IT Audit job, here’s how to use LinkedIn to get noticed.

new-auditorIn a nutshell, you need to enhance your LinkedIn profile so that everyone knows you’re working hard at learning IT auditor skills.

If you’re already working as an IT auditor, use these suggestions to get noticed more and move ahead (or into another company with more opportunities).

Continue reading

4 Comments

Filed under Audit, Certification, Employment, How to..., Technology

ACL: Automate Active Directory Downloads

Here’s a way to automate the download of data from Active Directory (AD), specifically group members, into ACL using adfind and the ACL Execute command.

I’ll walk you through it step-by-step.

Even if you don’t use ACL, you might gain a better understanding of AD and LDAP in general….

Continue reading

1 Comment

Filed under ACL, Audit, How to..., Scripting (ACL), Technology, Written by Skyyler

Periodic Access Review Problems

One of my current clients is trying really hard to do periodic access reviews.

They know that mistakes are made in granting access, that users get access and eventually don’t need it anymore, but don’t tell anyone, and that some users leave the company without their manager’s knowledge (I never have understood how that happens, but it does; it has happened in every Fortune 500 company in which I’ve worked).

Continue reading

8 Comments

Filed under Audit, Security, Technology

Optimize ACL Scripts

Have you been following the “Optimizing Script Performance” series on the ACL Blog? aclkevin has been offering some great tips.

In case you missed them:

Continue reading

Leave a comment

Filed under ACL, Data Analytics, Scripting (ACL), Written by Skyyler

How to Audit User Access

How to Audit User AccessWhen checking system access, make sure you look at all the different items that affect the user’s access. For example, the user might need one or more of the following:

  • Application ID
  • Application role or group
  • Membership in an local server group, Active Directory (AD) group, or UNIX Group
  • Access to the application’s share and/or folder on the server
  • Database ID
  • Database role, including access permissions (read/write)
  • Other permission (from a home-grown application code or enterprise identify management system)

Continue reading

5 Comments

Filed under Audit, How to..., Security, Technology