An IS auditor performing a telecommunication access control review should be concerned
PRIMARILY with the:
maintenance of access logs of usage of various system resources.
authorization and authentication of the user prior to granting access to system resources.
adequate protection of stored data on servers by encryption or other means.
accountability system and the ability to identify any terminal accessing system resources.

The authorization and authentication of users is the most significant aspect in a telecommunications access control review, as it is a preventive control. Weak controls at this level can affect all other aspects. The maintenance of access logs of usage of system resources is a detective control. The adequate protection of data being transmitted to and from servers by encryption or other means is a method of protecting information during transmission and is not an access issue. The accountability system and the ability to identify any terminal accessing system resources deal with controlling access through the identification of a terminal.