
Information Systems Audit and Control Association
www.isaca.org

Risk and Control of Biometric Technologies

Self Assessment and Internal Control Questionnaires

Information Systems Audit and Control Association


With more than 28,000 members in more than 100 countries, the Information Systems Audit and Control Association
(ISACA®) (www.isaca.org) is a recognized worldwide leader in IT governance, control, security and assurance.
Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal™,
develops international information systems auditing and control standards, and administers the globally respected
Certified Information Systems Auditor™ (CISA®) designation earned by more than 34,000 professionals since
inception, and Certified Information Security Manager (CISM™) designation, a groundbreaking credential earned by
5,000 professionals in its first two years.

IT Governance Institute™
The IT Governance Institute (www.itgi.org) was established in 1998 to advance international thinking and standards in
directing and controlling an enterprise’s information technology. Effective IT governance helps ensure that IT supports
business goals, optimizes business investment in IT, and appropriately manages IT-related risks and opportunities. The
IT Governance Institute offers symposia, original research and case studies to assist enterprise leaders and boards of
directors in their IT governance responsibilities.

Purpose of Audit Programs and Internal Control Questionnaires


One of ISACA’s goals is to ensure that educational products support member and industry information needs.
Responding to member requests for useful audit programs, ISACA’s Education Board has released audit programs and
internal control questionnaires for member use through K-NET. These checklists were developed for the recently
released publication, Risk and Control of Biometric Technologies, available in the ISACA bookstore.

Control Objectives for Information and related Technology


Control Objectives for Information and related Technology (COBIT®) has been developed as a generally applicable and
accepted standard for good information technology (IT) security and control practices that provides a reference
framework for management, users, and IS audit, control and security practitioners. These questionnaires reference key
COBIT control objectives.

Disclaimer
ITGI, ISACA and the author of this document have designed the publication primarily as an educational resource for
control professionals. ISACA makes no claim that use of this product will assure a successful outcome. The publication
should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are
reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, the
controls professional should apply his/her own professional judgment to the specific control circumstances presented
by the particular systems or information technology environment. Users are cautioned not to consider these audit
programs and internal control questionnaires to be all-inclusive or applicable to all organizations. They should be used
as a starting point to build upon based on an organization’s constraints, policies, practices and operational environment.

© IT Governance Institute 2004 www.isaca.org/auditprograms 1


Self-assessment Questionnaire
The purpose of this self-assessment questionnaire is to provide the audit, control and security
professional with a methodology for evaluating the subject matter of the IT Governance Institute
publication Risk and Control of Biometric Technologies. It examines key issues and components
that need to be considered for this topic. The review questions have been developed and reviewed
with regard to COBIT. Note: The professional should customize the self-assessment questionnaire
to define each specific organization’s constraints, policies and practices.

No. Question [COBIT reference]

Biometrics Planning and Organization

1. Has the organization determined the goals of installing the biometric system? [COBIT PO1]
2. Was a study conducted prior to selection of the biometric authentication mechanisms in place? Did the study include privacy and legal considerations and overall risk? [COBIT PO3, PO9]
3. Has a process been implemented to ensure the organization is aware of ongoing privacy law changes as they relate to the acquisition and retention of biometric information? [COBIT PO8]
4. Has a process been implemented to ensure periodic legal assessments of the biometrics program are completed? [COBIT PO8]
5. Did the risk assessment include the effect of biometric use on customers, employees and business partners? Is the risk assessment update ongoing? [COBIT PO9]
6. Did the study conducted include payback from the investment in biometrics? [COBIT PO5]
7. Has the organization researched the biometric vendor’s plans to avoid obsolescence of the biometric product? [COBIT PO11, PO9]
8. Was the biometric system fully tested and compared to vendor specifications and industry standards (such as the US-based National Biometric Testing Center or other sites) to ensure accuracy and functionality? [COBIT PO11]
9. After identification, have all risks been addressed or determined to be within an acceptable range for the business? [COBIT PO9]
10. Is a process in place to ensure ongoing testing, especially after system updates and patches? Are patches applied quickly after known security holes are identified and the patch is available? [COBIT PO11, DS5]


11. Have a policy and plan been created for the use of biometrics within the organization to ensure that its use meets business needs and does not introduce unacceptable risk? [COBIT PO9]
12. Does the biometrics policy include a commitment to securing the biometric information and privacy of the enrollees? [COBIT PO8, DS5]
13. Does the biometrics policy include a commitment to comply with relevant privacy and biometric laws and regulations? [COBIT PO8]
14. Has the biometric policy been communicated to all enrollees in the biometric program? [COBIT PO6]
15. Is there ongoing monitoring of biometric use to determine how it is being used, success rates, failure rates, complaints and total use number? Is this information being used to adjust the system, add features or determine that it should be terminated or replaced? [COBIT PO5, PO11]
16. Will the biometric information acquired during the enrollment process be released outside of the entity? [COBIT PO8, PO9]
17. Do the users of the system know that biometric authentication is in use and have they provided their consent? [COBIT PO6]
18. Has an owner of the biometrics program been identified within the organization with responsibilities for monitoring and use assigned? [COBIT PO1]
19. Does the owner of the biometrics program have means to keep current with the biometric industry and technology trends? [COBIT PO11]
20. Have roles, responsibilities, and authorities (as they are related to the biometrics program) been documented and communicated? [COBIT PO6, PO7]
21. Has the biometric technology been reviewed to ensure it can interface with other biometric systems? [COBIT PO5]
22. Does the owner of the biometric(s) in use ensure that its use is consistent with organization plans and policy? How is this being measured? [COBIT DS5]


23. Does management ensure that information collected for biometric use is not shared with other entities unless fully approved and in compliance with laws and regulations? [COBIT DS5, PO8]
24. Is the system owner assigned the responsibility to ensure the system stays current with laws and regulations? Is information produced on an ongoing basis to support this compliance and research? [COBIT PO8]
25. Is system cost being monitored and compared to plans and the payback expected? [COBIT PO5]
26. Has management committed adequate resources to the biometrics program? [COBIT PO7, PO5]

Training

27. Have all training needs been identified? [COBIT DS7]
28. Have system users been properly trained regarding how to use the biometric authentication mechanism(s)? [COBIT DS7]
29. Have the help desk and other support services been properly trained to assist biometric system users, including use of back-up systems and enrollment processes? [COBIT DS7]
30. Is technical support available to support the biometric system, including failure and back-up systems and processes? [COBIT DS8]
31. Is the process defined for enrollment and is it well known and easily implemented? Have users been properly trained in the enrollment process? [COBIT DS7]

Security and System Controls

32. Has management developed security plans that address physical and logical controls over biometric data, software and hardware? [COBIT DS5]
33. Does management review and approve personnel enrollments? [COBIT DS5]
34. Is monitoring performed to determine biometric access and are logs created and reviewed for unauthorized or unusual access or activity? [COBIT DS5]
35. Is a process in place to report security incidents and respond to breaches, especially unauthorized disclosure or capture of biometric data? [COBIT DS5]



36. Does security of biometric data extend to interfacing systems and equipment? [COBIT DS5]
37. Is there a process to ensure changes to the biometrics software and hardware are properly tested, approved and performed in a controlled manner? [COBIT AI6, DS5]
38. Has management implemented processes to ensure that the biometrics hardware cannot be tampered with? [COBIT DS5]
39. Has management implemented controls to ensure that the biometric information of the user population could not be duplicated and used by people other than the owner of the biometric? [COBIT DS5]
40. Has management designed back-up processes to be used in the event of biometric system failure? Have these processes been tested and found to be functional with reasonable levels of security in place during their operation? [COBIT DS4]
41. Have processes been implemented to ensure data are backed up timely and ongoing to allow system recovery and recovery of the biometric data? [COBIT DS4]
42. Is there a test environment for the biometrics application and hardware? [COBIT AI6]
43. Are periodic physical security reviews that are intended to identify weaknesses in the biometrics program completed? [COBIT DS5]



Internal Control Questionnaire
The purpose of this internal control questionnaire is to provide the audit, control and security
professional with a methodology for evaluating the subject matter of IT Governance Institute
publication Risk and Control of Biometric Technologies. It examines key issues and components
that need to be considered for this topic. The review questions have been developed and reviewed
with regard to COBIT. Note: The professional should customize the internal control questionnaire
to define each specific organization’s constraints, policies and practices.

No. Question [COBIT reference]

Biometrics Security Planning and Training

1. Has a biometrics security plan been documented (or a section of the overall security plan) that outlines all aspects of the company’s biometrics program? [COBIT DS5]
2. Is the biometrics security plan reviewed periodically for currency? [COBIT DS5]
3. Does the security plan specifically address the control structure as it relates to the biometrics environment? [COBIT DS5]
4. Has a comprehensive risk assessment been performed as related to biometrics use in the entity? [COBIT PO9]
5. Has management reviewed the potential impact of biometric misuse or abuse within the entity, including the social impact to employees, customers and the overall public? Do the users of the system know that biometric authentication is in use and have they provided their consent? [COBIT DS5, PO6, PO8]
6. Has the business properly assessed the impact of all applicable laws and regulations prior to using biometric controls and/or sharing biometric information, including privacy laws and potential impact of pending legislation? [COBIT PO8]
7. Has an owner of the biometrics program been identified within the entity? [COBIT PO1]
8. Have the biometrics technology hardware, application and application database been classified as sensitive? [COBIT PO9, DS5]
9. Have the users, programmers and administrators been properly trained in the use of the biometric technology? [COBIT DS7]
10. Is there a requirement for an independent audit of the biometric application (at least annually)? [COBIT M4]



11. Does the ongoing security training for employees contain information related to the biometrics program? [COBIT DS7]
12. Have the employees who administer the biometric program or develop interface programs been appropriately trained relating to the biometric technology? [COBIT DS7]
13. Are employees who administer the biometric program assigned in a trusted role? [COBIT DS5]
14. Is the biometric application subject to periodic security reviews for accuracy of the access control/user interface list? Is there a process to periodically update the risk assessment of the biometric process and its effect on the business, users and the public? Is the result of the risk assessment provided to senior management and properly reviewed and addressed? [COBIT DS5, PO9]
15. Are deficiencies in the biometric technology promptly addressed? [COBIT PO10, DS5]
16. Is there a process to monitor the progress made on corrective actions related to the biometrics program? [COBIT PO10, DS5]
17. Do all personnel have access to the biometrics training information for reference? [COBIT DS7]

Security and Access

18. Is there a process to verify identity before user enrollment in the biometric system? [COBIT DS5]
19. Are multiple forms of identification reviewed during the enrollment process to confirm identity? [COBIT DS5]
20. Is there a documented process for granting access within the biometrics application? Does the documentation include procedures for re-enrollment? [COBIT DS5]
21. Are access authorizations: [COBIT DS5]
   - Documented on standard forms (physical or electronic format) and maintained on file
   - Approved by senior managers
   - Securely transferred to security managers
22. Is there a standard form used to document approval for user interfaces? [COBIT DS5]



23. Is there a process to quickly remove or suspend terminated or transferred employees’ access from the biometric application and database? Is there a process to remove employees who are on temporary leave? [COBIT DS5]
24. Has a process been developed for removing users from the biometric database who have requested removal? Does the process ensure that their biometric data are completely erased? [COBIT DS5]
25. Are there controls in place to ensure direct update access to the biometric database is controlled? [COBIT DS5]
26. If a central repository of digital representations of biometrics is in use, is access severely restricted to only those persons fully requiring access to perform their job responsibilities? [COBIT DS5]
27. How are biometric samples protected in a scenario where templates are stored in a central repository as well as on local biometric devices or tokens? [COBIT DS5]
28. Does access require strict authentication mechanisms that rival the controls of biometrics? [COBIT DS5]
29. Is access to the biometric database logged to provide audit trails of access and changes? Are audit logs reviewed and backed up to ensure the trail is maintained? Are access assignments to the database reviewed at least annually? [COBIT DS5, M4]
30. Is there a group that independently administers the biometric application? Are these individuals designated in trusted roles? Have they had background checks and proper training to support the role? [COBIT DS5]
31. Has the number of personnel who can gain administrator access to the biometrics application and related databases been reviewed and approved by management? [COBIT DS5]
32. Are the administrators of the biometric application required to change their passwords on a periodic basis? Are strict password controls employed to ensure that passwords cannot be easily guessed or cracked? [COBIT DS5]
33. Are the administrators of the biometric application required to have strong password characteristics? [COBIT DS5]
34. Is there a process to manage temporary users? [COBIT DS5]



35. Have the access paths to the biometrics application and related databases been identified and reviewed for security weaknesses? [COBIT DS5]
36. Does the biometric application maintain user interface activity logs? [COBIT DS5]
37. Do the activity logs contain information on positive and negative identification? [COBIT DS5]
38. Are the activity logs reviewed on a periodic basis by security management? [COBIT DS5]
39. Has the entity established a process for incident response, in the event that unauthorized biometric use is detected? [COBIT DS5]
40. Are the computers, network lines and equipment used in the authentication process properly secured and monitored to ensure their security? [COBIT DS5]
41. Have the operating system platforms for the biometric application and database been assessed for security weaknesses? [COBIT DS5]
42. Is the central repository that contains the biometric data encrypted? [COBIT DS5]
43. Is the transmission of the biometric information encrypted? [COBIT DS5]

Physical Controls

44. Are visitors to sensitive areas containing the biometrics application and related databases required to formally sign in and be escorted? [COBIT DS12, DS5]
45. Are the biometrics application and related databases housed in a physically secure location? Are they protected in a cage or more secure location than other systems in the data center? [COBIT DS12, DS5]
46. Does management review logs of personnel who are gaining physical access to the facilities containing the biometrics application and related databases? [COBIT DS12, DS5]



47. Do the facilities that contain the biometrics application and related databases contain: [COBIT DS12, DS4]
   - Fire suppression and prevention devices (e.g., smoke detectors, fire extinguishers and sprinkler systems)?
   - Redundant air-cooling systems?
   - An uninterruptible power supply (UPS) or back-up generator?
48. Has the biometrics verification hardware been physically secured? [COBIT DS12, DS5]
49. Have processes been implemented to ensure that the biometrics hardware cannot be tampered with? [COBIT DS12, DS5]
50. Has the entity implemented controls to ensure that the biometric information of the user population could not be duplicated and used by people other than the owner of the biometric (spoofing controls)? [COBIT DS5]
51. Are the biometrics application and database backup tapes kept in a secure location? Are these tapes encrypted or secured from unauthorized access via software and physical controls? [COBIT DS5]
52. Are backup mechanisms in place in the event the biometrics technology becomes temporarily disabled? Is the process used as an alternative to biometric authentication used only when absolutely needed? Is the process adequately controlled with reasonable authentication processes that do not severely weaken the authentication process? (Backup processes often are less stringent and are used by potential system hackers as an easier entry method.) [COBIT DS5, DS4]
53. Is there a secondary backup biometric system? [COBIT DS5, DS4]

Biometric Selection and Update Process

54. Was the process of identifying the biometric application controlled? [COBIT PO1, PO3]
55. Have all of the entity’s needs been addressed by the current biometric technology? If not, is there a plan to deal with those not covered? [COBIT PO1]
56. Have the vendors supplied evidence and/or a certification of the software’s abilities? [COBIT PO1]
57. Are changes to the biometrics application and related databases made in a controlled manner? [COBIT AI6]



58. Are changes to the biometrics application and related databases approved by management prior to implementation? [COBIT AI6, DS5]
59. Are there structured development and test environments for the biometrics application? [COBIT AI6]
60. Was testing completed to determine the likelihood of false negatives or positives? Are the results of testing within the vendor specifications and industry standards? [COBIT PO11]
61. Are changes to the biometrics application and related databases approved by security management? [COBIT AI6]
62. Are there processes in place to ensure that the biometric software is current, and that the latest patches have been tested and installed from the vendor? [COBIT DS5, PO11]
63. Has management formally reviewed and approved the acceptable percentage of false positive biometric readings it is willing to allow? [COBIT PO11, DS5]
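Added worked example, not part of the ISACA questionnaire: questions 60 and 63 ask whether false positive and false negative rates were measured and whether management approved a false positive ceiling. The Python below shows how an auditor can derive those rates from a vendor's test scores and check the approved ceiling; the genuine and impostor match scores and the 0-100 score scale are constructed, and the function names are this example's own.

```python
"""Derive false accept / false reject rates from matcher test scores.

A "genuine" score compares a sample to the same person's enrolled template;
an "impostor" score compares it to someone else's template.  The matcher
accepts whenever score >= threshold, so raising the threshold lowers the
false accept rate (question 63's "false positives") and raises the false
reject rate (question 60's "false negatives").
"""
from typing import Iterable, List, Optional, Tuple

# Constructed sample scores on a 0-100 similarity scale (higher = more alike).
# Real acceptance testing needs far larger sets: 15 samples cannot resolve a
# rate below roughly 1/15, so a 1% FAR claim is untestable with this little data.
GENUINE_SCORES: List[int] = [92, 88, 85, 81, 79, 77, 75, 73, 70, 66, 64, 61, 58, 55, 49]
IMPOSTOR_SCORES: List[int] = [12, 18, 23, 27, 31, 36, 40, 44, 47, 51, 54, 57, 60, 63, 69]


def rates_at(threshold: float, genuine: Iterable[float],
             impostor: Iterable[float]) -> Tuple[float, float]:
    """Return (FAR, FRR) at one decision threshold.

    FAR = share of impostor attempts accepted (false positives).
    FRR = share of genuine attempts rejected (false negatives).
    """
    genuine, impostor = list(genuine), list(impostor)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def threshold_for_far_ceiling(max_far: float, genuine: Iterable[float],
                              impostor: Iterable[float],
                              candidates: Iterable[int] = range(0, 101)
                              ) -> Optional[Tuple[int, float, float]]:
    """Lowest candidate threshold whose FAR stays within the ceiling management
    approved (question 63), with the FRR users will pay for it.  Returns
    (threshold, far, frr), or None when no candidate meets the ceiling."""
    genuine, impostor = list(genuine), list(impostor)
    for t in candidates:
        far, frr = rates_at(t, genuine, impostor)
        if far <= max_far:
            return t, far, frr
    return None


def within_spec(threshold: float, spec_max_far: float, spec_max_frr: float,
                genuine: Iterable[float], impostor: Iterable[float]) -> bool:
    """Question 60: do measured rates at the deployed threshold fall inside the
    vendor's stated FAR/FRR limits?"""
    far, frr = rates_at(threshold, genuine, impostor)
    return far <= spec_max_far and frr <= spec_max_frr


if __name__ == "__main__":
    pick = threshold_for_far_ceiling(0.10, GENUINE_SCORES, IMPOSTOR_SCORES)
    print("threshold, FAR, FRR for a 10% FAR ceiling:", pick)
    print("meets vendor spec (FAR<=10%, FRR<=30%)?",
          within_spec(pick[0], 0.10, 0.30, GENUINE_SCORES, IMPOSTOR_SCORES))
```

With the constructed data, meeting a 10% false accept ceiling costs roughly a 27% false reject rate, which is the trade-off management is implicitly accepting when it approves the percentage in question 63.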
