1.

Review ICT Policy or Meet with Database administration personnel to obtain an understanding of the

account management process. Consider:

Have formal account management procedures been developed?

a) Are formal procedures in place over the creation of new user accounts?

b)Are formal procedures in place over the modification of existing accounts?

c) Do all Database level IDs follow a consistent naming convention?

d) Are all account IDs unique?

e) Does the Human Resources department provide security administration personnel with periodic
reports of terminated and transferred employees?

f) Have the systems been configured to automatically disable accounts that have been inactive for an
excessive time period

2.If available, review documented procedures in place to support user account management activities.

3. Request a listing of all database accounts from the responsible database Administrator

4. Review the system account listing and determine if all IDs follow a consistent naming convention and
comply with existing standards.

5. Determine if any accounts exist which have been inactive for over 90 days and have not been disabled

6. Request a report that summarizes all terminations that have occurred with the last

three months. Verify that the accounts for all terminated employees have been

disabled or removed from the systems

7. Judgmentally select a sample of accounts from the account listing requested and review the
following:

a)Are all account IDs unique and in compliance with existing naming

conventions?

b) Is appropriate documentation available to support the authorization of each

account and the approval of all access rights and privileges granted to each
account?

c)Is documentation available which supports periodic reviews of user access

rights?

8. On a sample Basis, select a number of users as per sample guideline and obtain their access request
form.

Verify that the access request form has been approved by

Using the sampling guideline, select an appropriate sample of the Weekly Security Report for the review
done for audit trail of database administrator logs during the period under review;

Database users

i. Identify networks and network services which are allowed to be accessed.

ii. Define authorisation procedures for determining who is allowed to access which networks and
networked services.

Network configuration file

Incidents recorded

Pentest report