Which policy helps an auditor to gain a better understanding of biometrics system in an organization?

A. BIMS Policy

B. BOMS Policy

C. BMS Policy

D. BOS Policy

The auditor should use a Biometric Information Management System (BIMS) Policy to gain better understanding of the biometric system in use.

Management of Biometrics

Management of biometrics should address effective security for the collection, distribution and processing of biometrics data encompassing:

Data integrity, authenticity and non-repudiation

Management of biometric data across its life cycle – compromised of the enrollment, transmission and storage, verification, identification, and termination process

Usage of biometric technology, including one-to-one and one-to-many matching, for identification and authentication

Application of biometric technology for internal and external, as well as logical and physical access control

Encapsulation of biometric data

Security of the physical hardware used throughout the biometric data life cycle

Techniques for integrity and privacy protection of biometric data.

Management should develop and approve a Biometric Information Management and Security (BIMS) policy. The auditor should use the BIMS policy to gain better understanding of the biometric system in use. With respect to testing, the auditor should make sure this policy has been developed and biometric information system is being secured appropriately.

The identification and authentication procedures for individual enrollment and template creation should be specified in BIMS policy.

The following were incorrect answers:

All other choices presented were incorrect answers because they are not valid policies.

The following reference(s) were/was used to create this question:

CISA review manual 2014 Page number 331 and 332