Risk and Control of Biometric Technologies


© IT Governance Institute 2004
www.isaca.org/auditprograms


Information Systems Audit and Control Association
www.isaca.org



Risk and Control of Biometric Technologies
Self Assessment and Internal Control Questionnaires



Information Systems Audit and Control Association

With more than 28,000 members in more than 100 countries, the Information Systems Audit and Control Association (ISACA®) (www.isaca.org) is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal™, develops international information systems auditing and control standards, and administers the globally respected Certified Information Systems Auditor™ (CISA®) designation earned by more than 34,000 professionals since inception, and the Certified Information Security Manager (CISM™) designation, a groundbreaking credential earned by 5,000 professionals in its first two years.


IT Governance Institute

The IT Governance Institute (www.itgi.org) was established in 1998 to advance international thinking and standards in directing and controlling an enterprise's information technology. Effective IT governance helps ensure that IT supports business goals, optimizes business investment in IT, and appropriately manages IT-related risks and opportunities. The IT Governance Institute offers symposia, original research and case studies to assist enterprise leaders and boards of directors in their IT governance responsibilities.


Purpose of Audit Programs and Internal Control Questionnaires

One of ISACA's goals is to ensure that educational products support member and industry information needs. Responding to member requests for useful audit programs, ISACA's Education Board has released audit programs and internal control questionnaires for member use through K-NET. These checklists were developed for a recently released publication, Risk and Control of Biometric Technologies, available in the ISACA bookstore.


Control Objectives for Information and related Technology

Control Objectives for Information and related Technology (COBIT®) has been developed as a generally applicable and accepted standard for good information technology (IT) security and control practices that provides a reference framework for management, users, and IS audit, control and security practitioners. These questionnaires reference key COBIT control objectives.


Disclaimer

ITGI, ISACA and the author of this document have designed the publication primarily as an educational resource for control professionals. ISACA makes no claim that use of this product will assure a successful outcome. The publication should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, the control professional should apply his/her own professional judgment to the specific control circumstances presented by the particular systems or information technology environment.

Users are cautioned not to consider these audit programs and internal control questionnaires to be all-inclusive or applicable to all organizations. They should be used as a starting point to build upon based on an organization's constraints, policies, practices and operational environment.





Self-assessment Questionnaire

The purpose of this self-assessment questionnaire is to provide the audit, control and security professional with a methodology for evaluating the subject matter of the IT Governance Institute publication Risk and Control of Biometric Technologies. It examines key issues and components that need to be considered for this topic. The review questions have been developed and reviewed with regard to COBIT. Note: The professional should customize the self-assessment questionnaire to define each specific organization's constraints, policies and practices.


Question No. | Question Description | COBIT Reference (each question below is followed by its COBIT reference in parentheses)

Biometrics Planning and Organization

1. Has the organization determined the goals of installing the biometric system? (COBIT: PO1)
2. Was a study conducted prior to selection of the biometric authentication mechanisms in place? Did the study include privacy and legal considerations and overall risk? (COBIT: PO3, PO9)
3. Has a process been implemented to ensure the organization is aware of ongoing privacy law changes as they relate to the acquisition and retention of biometric information? (COBIT: PO8)
4. Has a process been implemented to ensure periodic legal assessments of the biometrics program are completed? (COBIT: PO8)
5. Did the risk assessment include the effect of biometric use on customers, employees and business partners? Is the risk assessment updated on an ongoing basis? (COBIT: PO9)
6. Did the study conducted include payback from the investment in biometrics? (COBIT: PO5)
7. Has the organization researched the biometric vendor's plans to avoid obsolescence of the biometric product? (COBIT: PO11, PO9)
8. Was the biometric system fully tested and compared to vendor specifications and industry standards such as the US-based National Biometric Testing Center (or other sites) to ensure accuracy and functionality? (COBIT: PO11)
9. After identification, have all risks been addressed or determined to be within an acceptable range for the business? (COBIT: PO9)
10. Is a process in place to ensure ongoing testing, especially after system updates and patches? Are patches applied quickly after known security holes are identified and the patch is available? (COBIT: PO11, DS5)


11. Have a policy and plan been created for the use of biometrics within the organization to ensure that its use meets business needs and does not increase risk to an unacceptable level? (COBIT: PO9)
12. Does the biometrics policy include a commitment to securing the biometric information and privacy of the enrollees? (COBIT: PO8, DS5)
13. Does the biometrics policy include a commitment to comply with relevant privacy and biometric laws and regulations? (COBIT: PO8)
14. Has the biometric policy been communicated to all enrollees in the biometric program? (COBIT: PO6)
15. Is there ongoing monitoring of biometric use to determine how it is being used, success rates, failure rates, complaints and total use number? Is this information being used to adjust the system, add features or determine that it should be terminated or replaced? (COBIT: PO5, PO11)
16. Will the biometric information acquired during the enrollment process be released outside of the entity? (COBIT: PO8, PO9)
17. Do the users of the system know that biometric authentication is in use and have they provided their consent? (COBIT: PO6)
18. Has an owner of the biometrics program been identified within the organization with responsibilities for monitoring and use assigned? (COBIT: PO1)
19. Does the owner of the biometrics program have means to keep current with the biometric industry and technology trends? (COBIT: PO11)
20. Have roles, responsibilities and authorities (as they are related to the biometrics program) been documented and communicated? (COBIT: PO6, PO7)
21. Has the biometric technology been reviewed to ensure it can interface with other biometric systems? (COBIT: PO5)
22. Does the owner of the biometric(s) in use ensure that its use is consistent with organization plans and policy? How is this being measured? (COBIT: DS5)



23. Does management ensure that information collected for biometric use is not shared with other entities unless fully approved and in compliance with laws and regulations? (COBIT: DS5, PO8)
24. Is the system owner assigned the responsibility to ensure the system stays current with laws and regulations? Is information maintained on an ongoing basis to ensure this compliance and research? (COBIT: PO8)
25. Is system cost being monitored and compared to plans and the payback expected? (COBIT: PO5)
26. Has management committed adequate resources to the biometrics program? (COBIT: PO7, PO5)

Training

27. Have all training needs been identified? (COBIT: DS7)
28. Have system users been properly trained regarding how to use the biometric authentication mechanism(s)? (COBIT: DS7)
29. Have the help desk and other support services been properly trained to assist biometric system users, including use of back-up systems and enrollment processes? (COBIT: DS7)
30. Is technical support available to support the biometric system, including failure and back-up systems and processes? (COBIT: DS8)
31. Is the process defined for enrollment and is it well known and easily implemented? Have users been properly trained in the enrollment process? (COBIT: DS7)

Security and System Controls

32. Has management developed security plans that address physical and logical controls over biometric data, software and hardware? (COBIT: DS5)
33. Does management review and approve personnel enrollments? (COBIT: DS5)
34. Is monitoring performed to determine biometric access, and are logs created and reviewed for unauthorized or unusual access or activity? (COBIT: DS5)



35. Is a process in place to report security incidents and respond to breaches, especially unauthorized disclosure or capture of biometric data? (COBIT: DS5)
36. Does security of biometric data extend to interfacing systems and equipment? (COBIT: DS5)
37. Is there a process to ensure changes to the biometrics software and hardware are properly tested, approved and performed in a controlled manner? (COBIT: AI6, DS5)
38. Has management implemented processes to ensure that the biometrics hardware cannot be tampered with? (COBIT: DS5)
39. Has management implemented controls to ensure that the biometric information of the user population could not be duplicated and used by people other than the owner of the biometric? (COBIT: DS5)
40. Has management designed back-up processes to be used in the event of biometric system failure? Have these processes been tested and found to be functional with reasonable levels of security in place during their operation? (COBIT: DS4)
41. Have processes been implemented to ensure data are backed up in a timely manner and on an ongoing basis to allow system recovery and recovery of the biometric data? (COBIT: DS4)
42. Is there a test environment for the biometrics application and hardware? (COBIT: AI6)
43. Are periodic physical security reviews that are intended to identify weaknesses in the biometrics program completed? (COBIT: DS5)





Internal Control Questionnaire

The purpose of this internal control questionnaire is to provide the audit, control and security professional with a methodology for evaluating the subject matter of the IT Governance Institute publication Risk and Control of Biometric Technologies. It examines key issues and components that need to be considered for this topic. The review questions have been developed and reviewed with regard to COBIT. Note: The professional should customize the internal control questionnaire to define each specific organization's constraints, policies and practices.


Question No. | Question Description | COBIT Reference (each question below is followed by its COBIT reference in parentheses)

Biometrics Security Planning and Training

1. Has a biometrics security plan been documented (or a section of the overall security plan) that outlines all aspects of the company's biometrics program? (COBIT: DS5)
2. Is the biometrics security plan reviewed periodically for currency? (COBIT: DS5)
3. Does the security plan specifically address the control structure as it relates to the biometrics environment? (COBIT: DS5)
4. Has a comprehensive risk assessment been performed as related to biometrics use in the entity? (COBIT: PO9)
5. Has management reviewed the potential impact of biometric misuse or abuse within the entity, including the social impact to employees, customers and the overall public? Do the users of the system know that biometric authentication is in use and have they provided their consent? (COBIT: DS5, PO6, PO8)
6. Has the business properly assessed the impact of all applicable laws and regulations prior to using biometric controls and/or sharing biometric information, including privacy laws and potential impact of pending legislation? (COBIT: PO8)
7. Has an owner of the biometrics program been identified within the entity? (COBIT: PO1)
8. Have the biometrics technology hardware, application and application database been classified as sensitive? (COBIT: PO9, DS5)
9. Have the users, programmers and administrators been properly trained in the use of the biometric technology? (COBIT: DS7)
10. Is there a requirement for an independent audit of the biometric application (at least annually)? (COBIT: M4)



11. Does the ongoing security training for employees contain information related to the biometrics program? (COBIT: DS7)
12. Have the employees who administer the biometric program or develop interface programs been appropriately trained relating to the biometric technology? (COBIT: DS7)
13. Are employees who administer the biometric program assigned in a trusted role? (COBIT: DS5)
14. Is the biometric application subject to periodic security reviews for accuracy of the access control/user interface list? Is there a process to periodically update the risk assessment of the biometric process and its effect on the business, users and the public? Is the result of the risk assessment provided to senior management and properly reviewed and addressed? (COBIT: DS5, PO9)
15. Are deficiencies in the biometric technology promptly addressed? (COBIT: PO10, DS5)
16. Is there a process to monitor the progress made on corrective actions related to the biometrics program? (COBIT: PO10, DS5)
17. Do all personnel have access to the biometrics training information for reference? (COBIT: DS7)

Security and Access

18. Is there a process to verify identity before user enrollment in the biometric system? (COBIT: DS5)
19. Are multiple forms of identification reviewed during the enrollment process to confirm identity? (COBIT: DS5)
20. Is there a documented process for granting access within the biometrics application? Does the documentation include procedures for re-enrollment? (COBIT: DS5)
21. Are access authorizations: (COBIT: DS5)
   - Documented on standard forms (physical or electronic format) and maintained on file
   - Approved by senior managers
   - Securely transferred to security managers



22. Is there a standard form used to document approval for user interfaces? (COBIT: DS5)
23. Is there a process to quickly remove or suspend terminated or transferred employees' access from the biometric application and database? Is there a process to remove employees who are on temporary leave? (COBIT: DS5)
24. Has a process been developed for removing users from the biometric database who have requested removal? Does the process ensure that their biometric data are completely erased? (COBIT: DS5)
25. Are there controls in place to ensure direct update access to the biometric database is controlled? (COBIT: DS5)
26. If a central repository of digital representations of biometrics is in use, is access severely restricted to only those persons fully requiring access to perform their job responsibilities? (COBIT: DS5)
27. How are biometric samples protected in a scenario where templates are stored in a central repository as well as on local biometric devices or tokens? (COBIT: DS5)
28. Does access require strict authentication mechanisms that rival the controls of biometrics? (COBIT: DS5)
29. Is access to the biometric database logged to provide audit trails of access and changes? Are audit logs reviewed and backed up to ensure the trail is maintained? Are access assignments to the database reviewed at least annually? (COBIT: DS5, M4)
30. Is there a group that independently administers the biometric application? Are these individuals designated in trusted roles? Have they had background checks and proper training to support the role? (COBIT: DS5)
31. Has the number of personnel who can gain administrator access to the biometrics application and related databases been reviewed and approved by management? (COBIT: DS5)
32. Are the administrators of the biometric application required to change their passwords on a periodic basis? Are strict password controls employed to ensure that passwords cannot be easily guessed or cracked? (COBIT: DS5)
33. Are the administrators of the biometric application required to have strong password characteristics? (COBIT: DS5)



34. Is there a process to manage temporary users? (COBIT: DS5)
35. Have the access paths to the biometrics application and related databases been identified and reviewed for security weaknesses? (COBIT: DS5)
36. Does the biometric application maintain user interface activity logs? (COBIT: DS5)
37. Do the activity logs contain information on positive and negative identification? (COBIT: DS5)
38. Are the activity logs reviewed on a periodic basis by security management? (COBIT: DS5)
39. Has the entity established a process for incident response, in the event that unauthorized biometric use is detected? (COBIT: DS5)
40. Are the computers, network lines and equipment used in the authentication process properly secured and monitored to ensure their security? (COBIT: DS5)
41. Have the operating system platforms for the biometric application and database been assessed for security weaknesses? (COBIT: DS5)
42. Is the central repository that contains the biometric data encrypted? (COBIT: DS5)
43. Is the transmission of the biometric information encrypted? (COBIT: DS5)

Physical Controls

44. Are visitors to sensitive areas containing the biometrics application and related databases required to formally sign in and be escorted? (COBIT: DS12, DS5)
45. Are the biometrics application and related databases housed in a physically secure location? Are they protected in a cage or more secure location than other systems in the data center? (COBIT: DS12, DS5)
46. Does management review logs of personnel who are gaining physical access to the facilities containing the biometrics application and related databases? (COBIT: DS12, DS5)



47. Do the facilities that contain the biometrics application and related databases contain: (COBIT: DS12, DS4)
   - Fire suppression and prevention devices (e.g., smoke detectors, fire extinguishers and sprinkler systems)?
   - Redundant air-cooling systems?
   - An uninterruptible power supply (UPS) or back-up generator?
48. Has the biometrics verification hardware been physically secured? (COBIT: DS12, DS5)
49. Have processes been implemented to ensure that the biometrics hardware cannot be tampered with? (COBIT: DS12, DS5)
50. Has the entity implemented controls to ensure that the biometric information of the user population could not be duplicated and used by people other than the owner of the biometric (spoofing controls)? (COBIT: DS5)
51. Are the biometrics application and database backup tapes kept in a secure location? Are these tapes encrypted or secured from unauthorized access via software and physical controls? (COBIT: DS5)
52. Are backup mechanisms in place in the event the biometrics technology becomes temporarily disabled? Is the process used as an alternative to biometric authentication used only when absolutely needed? Is the process adequately controlled with reasonable authentication processes that do not severely weaken the authentication process? (Backup processes often are less stringent and are used by potential system hackers as an easier entry method.) (COBIT: DS5, DS4)
53. Is there a secondary backup biometric system? (COBIT: DS5, DS4)

Biometric Selection and Update Process

54. Was the process of identifying the biometric application controlled? (COBIT: PO1, PO3)
55. Have all of the entity's needs been addressed by the current biometric technology? If not, is there a plan to deal with those not covered? (COBIT: PO1)
56. Have the vendors supplied evidence and/or a certification of the software's abilities? (COBIT: PO1)
57. Are changes to the biometrics application and related databases made in a controlled manner? (COBIT: AI6)



58. Are changes to the biometrics application and related databases approved by management prior to implementation? (COBIT: AI6, DS5)
59. Are there structured development and test environments for the biometrics application? (COBIT: AI6)
60. Was testing completed to determine the likelihood of false negatives or positives? Are the results of testing within the vendor specifications and industry standards? (COBIT: PO11)
61. Are changes to the biometrics application and related databases approved by security management? (COBIT: AI6)
62. Are there processes in place to ensure that the biometric software is current, and that the latest patches have been tested and installed from the vendor? (COBIT: DS5, PO11)
63. Has management formally reviewed and approved the acceptable percentage of false positive biometric readings it is willing to allow? (COBIT: PO11, DS5)
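As an added example (not part of the ISACA questionnaire), the kind of check an auditor could run over matcher test results when answering questions 60 and 63: it computes the false accept rate (false positives) and false reject rate (false negatives) at a given threshold, finds the lowest threshold that honours the management-approved false-accept ceiling, and compares the resulting false reject rate with the vendor's stated figure. All scores, limits and function names are constructed for illustration.

```python
"""Evaluate biometric matcher test results against approved error-rate limits.

Added illustration for questions 60 and 63 of the internal control questionnaire.
All sample scores, limits and names below are constructed, not real product data.
"""
from dataclasses import dataclass

# Constructed test data: matcher similarity scores on a 0-100 scale.
# genuine  = a user's sample compared with that user's own template
# impostor = a different person's sample compared with the template
GENUINE_SCORES = [92, 88, 95, 79, 85, 91, 52, 83, 90, 86, 74, 97, 89, 81, 93, 41]
IMPOSTOR_SCORES = [12, 35, 22, 48, 17, 55, 30, 9, 41, 26, 63, 19, 33, 28, 15, 44]


@dataclass(frozen=True)
class ErrorRates:
    threshold: int
    far: float  # false accept rate: impostor attempts scoring >= threshold
    frr: float  # false reject rate: genuine attempts scoring < threshold


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """FAR (false positives, Q63) and FRR (false negatives, Q60) at one threshold."""
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return ErrorRates(threshold, false_accepts / len(impostor), false_rejects / len(genuine))


def lowest_compliant_threshold(max_far, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Lowest threshold whose FAR does not exceed the management-approved ceiling.

    Raising the threshold can only lower FAR and raise FRR, so the first
    compliant threshold is the one that inconveniences genuine users least.
    """
    for t in range(0, 101):
        rates = error_rates(t, genuine, impostor)
        if rates.far <= max_far:
            return rates
    return None  # not reachable while scores stay within 0..100


def assess(approved_max_far, vendor_spec_frr):
    """Audit verdict: operate at the compliant threshold, then test the vendor's FRR claim."""
    rates = lowest_compliant_threshold(approved_max_far)
    findings = []
    if rates.frr > vendor_spec_frr:
        findings.append(f"FRR {rates.frr:.3f} at threshold {rates.threshold} exceeds "
                        f"vendor specification {vendor_spec_frr:.3f} (Q60)")
    return {"threshold": rates.threshold, "far": rates.far, "frr": rates.frr,
            "findings": findings}


if __name__ == "__main__":
    # Constructed limits: management accepts at most 1 false accept in 16 impostor
    # attempts (Q63); the vendor claims FRR no worse than 0.10 at that operating point.
    print(assess(approved_max_far=1 / 16, vendor_spec_frr=0.10))
```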