Logical Access Provisioning and Management

The goal of logical access management should be that the right people have the right access to Information Technology systems. With appropriate access in place, the organization can rely on Information Technology to help ensure the confidentiality, integrity, and availability of data.

The following questions are representative of the topics that may be addressed to assess the maturity and effectiveness of the controls in place:

  • Have information systems security policies and procedures been established and documented?
  • Is the distribution of management/administrative-level accounts appropriate and reasonable?
  • Are adequate account activity monitoring and management practices, such as log parsing/review by management, in place?
  • Have effective and efficient perimeter/network defense controls surrounding intrusion detection and prevention been implemented?
  • Are controls surrounding password strength reasonable and adequate?
  • As necessary, are sufficient encryption controls in place?
  • As required, are the controls in place over mobile devices/portable media effective and adequate?