Para 3.22.40 — MSO (Audit)
Original Rule Text
3.22.40 The most common form of logical access control is login identifiers (ids) followed by password authentication. For passwords to be effective there must be appropriate password policies and procedures, which are known to all staff and are adhered to. Menu restrictions can be effective in controlling access to applications and system utilities. Systems may be able to control access by identifying each individual user through their unique login ids and then having a pre-defined profile of authorised menus for each. The IT Auditor should consider how easy it would be for users to ‘break out’ of the menu system and gain unauthorised access to the operating system or other applications. Some computer systems may be able to control user access to applications and data files by using file permissions. These ensure that only those users with the appropriate access rights can read, write, delete or execute files.
# Operation and File Controls
What This Means
Logical access to computer systems is most commonly controlled through login IDs and password authentication, supplemented by menu restrictions. Organisations should have documented password policies that all staff know and follow. A menu-based system identifies each user by their unique login ID and presents only the pre-defined profile of menus that user is authorised for; the IT Auditor should test whether users can bypass those menu restrictions to reach the operating system or other applications they are not authorised to use, because a menu is only as strong as the controls beneath it. Where the system supports file permissions, these should ensure that only users with the proper access rights can read, write, delete, or execute files.
This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.
Key Points
- Login IDs and passwords are the most common form of logical access control
- Menu restrictions can limit user access to only authorised applications and system utilities
- File permissions control who can read, write, delete, or execute specific files
- IT Auditors should test whether users can break out of menu systems to gain unauthorised access
- Password policies must be documented, communicated to all staff, and consistently followed
Practical Example
A government accounts office uses a financial management system where each clerk has a unique login ID. The system menu only shows options relevant to their role — a data entry clerk sees only voucher entry screens, not the master data maintenance or report generation modules. During audit, the IT Auditor tries pressing function keys or keyboard shortcuts to see if the clerk can escape the menu and access the Windows command prompt or other restricted applications.
Frequently Asked Questions
What should an IT Auditor look for when reviewing password controls?
Why are menu restrictions alone not sufficient for access control?
What is the difference between logical and physical access control?