When performing IT audits, the Principle of Least Privilege is a term you may hear thrown around quite a bit, but how many novice IT auditors actually understand what it implies within an IT environment? From my experience, not many.
The most common place I see the term surface is when assessing firewalls, but the same principle applies to every area of IT management, including physical security.
What is the Principle of Least Privilege and why do auditors care?
Paraphrasing Wikipedia: the Principle of Least Privilege dictates that every abstraction layer (applications, operating systems, firmware, hardware, etc.) and every module (processes, users, programs) should have access only to the data and resources necessary to fulfil its business need.
When performing Information System audits, this principle is relevant in every area of review. For example:
| Focus Area | Control Examples |
|---|---|
Surveys show that 40 – 80% of IT security incidents result from internal incidents, often because an employee has been granted more access to systems and data than the job requires. As IT auditors and security experts, this is where we can make a difference: by helping companies ensure that they have the appropriate access controls in place and that those controls function as expected. When it comes to security, it’s not all about hacking and viruses.
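The two checks described in this post, reviewing user entitlements against what a job role needs and reviewing firewall rules for grants broader than any single business need, can be scripted. The following is an added example written for this page, not code from the original post; the role baselines, account listing and firewall rules are all constructed data, and the entitlement and rule field names are assumptions chosen for illustration.

```python
"""Least-privilege access review (constructed example, not from the post).

Two checks an IT auditor commonly performs:
  1. Entitlement review: compare what each account has been granted with
     what its job role actually requires; anything beyond that is excess.
  2. Firewall rule review: flag allow rules that leave most of
     source / destination / service unbounded ("any").
All data below is constructed for illustration.
"""

from dataclasses import dataclass, field

# --- 1. Entitlement review -------------------------------------------------

# Assumed role baselines: the entitlements each job role needs, and no more.
ROLE_BASELINE = {
    "accounts_payable": {"erp.invoice.read", "erp.invoice.create"},
    "help_desk": {"ad.password.reset", "ticketing.read", "ticketing.write"},
    "dba": {"db.prod.read", "db.prod.write", "db.backup.run"},
}


@dataclass
class Account:
    user: str
    role: str
    granted: set = field(default_factory=set)


# Constructed access listing, as it might be pulled from AD/ERP/DB exports.
ACCOUNTS = [
    Account("alice", "accounts_payable",
            {"erp.invoice.read", "erp.invoice.create"}),
    Account("bob", "help_desk",
            {"ad.password.reset", "ticketing.read", "ticketing.write",
             "db.prod.write"}),
    Account("carol", "dba",
            {"db.prod.read", "db.prod.write", "db.backup.run",
             "erp.invoice.create", "ad.domain.admin"}),
    Account("dave", "unknown_role", {"erp.invoice.read"}),
]


def review_entitlements(accounts, baseline):
    """Return {user: sorted excess entitlements} for over-privileged accounts.

    Accounts whose role has no baseline are listed under "__unmapped_roles__"
    so the auditor chases the missing baseline instead of silently skipping
    the user (a common gap in real reviews).
    """
    findings = {}
    for acct in accounts:
        if acct.role not in baseline:
            findings.setdefault("__unmapped_roles__", []).append(acct.user)
            continue
        excess = acct.granted - baseline[acct.role]
        if excess:
            findings[acct.user] = sorted(excess)
    return findings


# --- 2. Firewall rule review -----------------------------------------------

@dataclass
class FirewallRule:
    name: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    service: str  # e.g. "tcp/443", or "any"
    action: str   # "allow" or "deny"


# Constructed rule base; "temp-vendor" is the kind of rule that gets added
# during an outage and never removed.
FIREWALL_RULES = [
    FirewallRule("web-in", "any", "10.0.1.10/32", "tcp/443", "allow"),
    FirewallRule("temp-vendor", "any", "any", "any", "allow"),
    FirewallRule("dmz-to-db", "10.0.1.0/24", "10.0.2.0/24", "any", "allow"),
    FirewallRule("default-deny", "any", "any", "any", "deny"),
]


def over_permissive_rules(rules, max_wildcards=1):
    """Return names of allow rules with more than max_wildcards "any" fields.

    A single "any" can be legitimate (a public web server accepts traffic
    from any source); two or more almost never match one business need.
    """
    flagged = []
    for rule in rules:
        if rule.action != "allow":
            continue  # deny rules restrict access; they are not the concern here
        wildcards = sum(1 for f in (rule.src, rule.dst, rule.service) if f == "any")
        if wildcards > max_wildcards:
            flagged.append(rule.name)
    return flagged


if __name__ == "__main__":
    for user, excess in review_entitlements(ACCOUNTS, ROLE_BASELINE).items():
        print(f"{user}: {excess}")
    print("over-permissive firewall rules:", over_permissive_rules(FIREWALL_RULES))
```

Both functions return findings rather than printing them, so the same code can feed a working-paper export. The role baselines are the part that takes real effort in practice: the script can only detect excess relative to a baseline that management has agreed, which is itself one of the controls an auditor should ask to see.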