DS5.3 Identity Management (1 of 4)
All users (internal, external and temporary) and their activity on IT systems (business application, system operation, development and maintenance) should be uniquely identifiable.
Illustrative Controls and the TIBCO LogLogic Solution
Ensure that all users have uniquely identifiable IDs and that accurate and complete audit trails can be maintained. Deficiencies in this area can significantly impact accountability. For example, users logging in with shared IDs can modify financial records, which can prevent future audits from identifying who modified the data.
To satisfy this control objective, administrators must ensure that no logins are shared. Administrators must review the ID list to identify IDs that may be generic, and question who is using each one and why it exists. Administrators must also validate that attempts to gain unauthorized access to financial reporting systems and subsystems are logged and followed up on a timely basis. Monitor and verify all user access to programs and data. Review this access to ensure that duties are segregated and that all access privileges are properly assigned and approved.