I would like to know below feasibility related with security concerns and process to enable it. (for e.g 1. shows functionality should be available in bsa to avoid security issue)
1. application(bsa) affecting critical/sensitive information, for example, impacting financial, customer, control, regulatory and legal aspects, must provide for detailed audit trails/ logging capability with details like
- transaction id,
- date, time,
- originator id,
- authorizer id,
- actions undertaken by a given user id, etc.
Other details like
- logging the IP address of the client machine,
- terminal identity or location may also be considered.
2. Applications(bsa) must also provide for, inter-alia, logging unsuccessful logon attempts, access to sensitive options in the application, e.g., master record changes, granting of access rights, use of system utilities, changes in system configuration, etc.
3. Application(bsa) should store passwords in database using one way encryption, so that it cannot be retrieved even by the administrator. Also comments would be required such in what mechanism is used.
Application(bsa) Audit Trails:
1. Application should generate logs for security related events and should contain User-id of the person, Date and time of activity
2. The application should have facility to generate report of privileges for all user accounts (active and disabled)
• Application should generate logs for security related events. This includes, but is not limited to:
a. Login failures;
b. Use of privileged accounts;
c. Changes to user permissions or privileges;
d. Creation/deletion/disabling/enabling of user accounts
e. Data modifications; user and admin activity logging
• The log entries should contain the following details.
a. User-id of the person
b. Date and time of activity
c. Authorizer id
d. IP Address or terminal identity of the client machine
e. Logging of any master record changes
f. Use of system utilities or change in system configuration
5. Provision to protect the logging facility against unauthorized changes and operational problems like deactivation
6. Maker Checker Controls - Application(bsa) should have proper maker checker controls implemented for transactions and changes to masters.
7. Input Controls - Data input to applications (bsa) should be validated to ensure that the data is correct and appropriate. Input validation checks should detect errors like out-of-range values, invalid characters in data fields, missing or incomplete data, exceeding upper and lower data limits and unauthorized or inconsistent control data
8. Output Controls - Data output from an application(bsa) should be validated to ensure that the processing of stored information is correct and appropriate (e.g.. reconciliation control counts to ensure processing of all data, Providing sufficient information for a reader or subsequent processing system to determine the accuracy, completeness, precision and classification of the information.
Any help would be appreciated.