As noted in Chapter 11.4 Population & Sampling, automated controls are those controls performed by systems—not people—based on configurations, rulesets, or programming. An example of an automated control is forced password expiration after the number of days specified in the associated configuration.

For automated controls, testing must include evidence of both the configuration of the tool/system and a sample of one showing the tool/system is operating as expected. The following example includes a scenario and potential automated control testing approach.

Scenario
BUID: 1116.01j2Organizational.6 | CVID: 0121.0
The authentication of remote users is implemented using
1. a password or passphrase and
2. at least one of the following methods: a cryptographic based technique; biometric techniques; hardware tokens; software tokens; a challenge/response protocol; or certificate agents.
The Assessed Entity uses VPN software for users to remotely access the in-scope platform. The VPN software requires the user to log in with their password and a software authenticator tool on their phone before access is granted.

Potential Automated Control Testing Approach
In this scenario, a potential automated control testing approach must address:

  • The configuration of the VPN software, and
  • A walkthrough of one user remotely accessing the in-scope platform.

The External Assessor should review that the VPN software was configured to:

  • Grant access to the corresponding IT environment (the environment where the in-scope platform will be accessed)
  • Require a password for users to log in
  • Require the user to successfully authenticate via the software authenticator.

The External Assessor will then need to perform sufficient observation and/or inspection of one user accessing the in-scope platform using the VPN software, validating that the VPN required both a password and software authentication before granting access.
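To make the two-part evidence concrete, the following is an added Python illustration (not from the handbook or any VPN vendor; the configuration keys, log format and sample values are constructed assumptions). It checks a gateway's configuration against the three requirements above, then verifies that one sample session shows a successful password and software-authenticator step before access to the in-scope environment was granted.

```python
"""Evidence checks for an automated MFA control on a VPN gateway.

Constructed example: the config keys and log line format are assumptions,
not any real product's. Part 1 inspects configuration; part 2 inspects a
sample of one session showing the control operating as expected.
"""

# Constructed sample of the gateway's effective configuration.
VPN_CONFIG = {
    "target_environment": "prod-platform-net",
    "password_required": True,
    "second_factor": "software_authenticator",
}

# Constructed sample-of-one session log for a single remote user.
SAMPLE_SESSION = [
    "2024-05-02T09:14:01Z user=jdoe event=PASSWORD_AUTH result=success",
    "2024-05-02T09:14:09Z user=jdoe event=MFA_AUTH method=software_authenticator result=success",
    "2024-05-02T09:14:10Z user=jdoe event=ACCESS_GRANTED env=prod-platform-net",
]

# Second-factor methods the requirement accepts (labels are ours).
ACCEPTED_SECOND_FACTORS = {"cryptographic", "biometric", "hardware_token",
                           "software_authenticator", "challenge_response", "certificate"}


def check_configuration(config, in_scope_env):
    """Part 1: return a list of findings; empty means the configuration passes."""
    findings = []
    if config.get("target_environment") != in_scope_env:
        findings.append("gateway does not grant access to the in-scope environment")
    if not config.get("password_required"):
        findings.append("password not required")
    if config.get("second_factor") not in ACCEPTED_SECOND_FACTORS:
        findings.append("second factor missing or not an accepted method")
    return findings


def parse_event(line):
    """Split 'timestamp key=value ...' into a dict of the key=value fields."""
    return dict(kv.split("=", 1) for kv in line.split()[1:])


def check_sample_session(lines, in_scope_env):
    """Part 2: True only if both factors succeeded before access to the in-scope env."""
    factors_seen = set()
    for ev in map(parse_event, lines):
        if ev["event"] == "PASSWORD_AUTH" and ev.get("result") == "success":
            factors_seen.add("password")
        elif ev["event"] == "MFA_AUTH" and ev.get("result") == "success":
            factors_seen.add("second_factor")
        elif ev["event"] == "ACCESS_GRANTED":
            return factors_seen == {"password", "second_factor"} and ev.get("env") == in_scope_env
    return False  # no access granted: the sample is inconclusive, not passing
```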