Imrul Sadat Project


 

Information System Audit And Inspection by

Imrul Sadat

Chapter: 01
Introduction

The Firm's industry is now highly dependent on information technology for daily work; IT has become the heart of the sector. Every accounting transaction of a Firm passes through information systems, which concentrates risk in those systems. To reduce that risk a Firm needs an internal audit department that audits IT-based business processes, and that department needs procedures and guidelines for its internal auditors. Information system auditing is a new type of auditing for a Firm and is different from financial auditing. As an employee of a Firm I therefore decided to do my Masters project in this new field of information system auditing.

1.1 Objectives of the Report


I am a regular staff member of XX Firm Limited. The main objective of the report is to conduct information system auditing of various departments and work stations of XX Firm Limited. Attention is therefore directed toward the following specific objectives.

 

a) To conduct a standard ICT audit of various divisions of the Firm.

b) To prepare a comprehensive audit report on XX Firm Limited.

c) To advise Firm management on its risk issues on the basis of the audit observations.

    

1.2 Information  System (IS) Auditing

An information system audit examines an organization's information systems and network to assess whether the information system and network infrastructure are capable of securing the system as a whole. It is conducted by the Firm's internal or external audit team, and it tries to find the security holes that could enable fraudulent activity. Various audit standards have been developed for this purpose, e.g. the Bangladesh Firm ICT guideline.

 

An IT audit is different from a financial audit. A financial audit checks whether standard accounting practice is followed; an information system audit identifies threats to the information system. Information is the Firm's most valuable asset, and by evaluating the system the information system auditor guards the organization's information.

The IT audit evaluates the following:

1. Availability: checking whether the Firm's computer systems are available to the business at all times.

2. Confidentiality: checking whether the Firm's computer systems disclose information only to authorized users.

3. Integrity: checking whether the information in the Firm's computer systems is accurate, reliable and timely.

4. Information asset risk: assessing the risk to the Firm's information assets and finding methods to minimize it.

 

Importance of IS auditing in a Firm:

1. Information system auditing finds threats in ICT operations and advises the Firm on how to minimize them.

2. Information system auditing is necessary to comply with the Bangladesh Firm ICT guideline.

3. It increases the effectiveness and efficiency of ICT operations.

 

The following audit techniques are used during an IS audit:

1. Verbal questioning and written questionnaires.

2. Visual inspection of systems, locations, spaces, rooms and objects.

3. Observation.

4. Analysis of files (including electronic data).

5. Technical examination (e.g. testing of alarm systems, access control systems and applications).

6. Review of previous audit reports.


1.3 Auditing XX Firm Ltd

XX Firm Ltd is a private commercial Firm operating since 1995. It is one of the leading Firms of the country based on accounting principles. It now has 129 work stations and two subsidiary companies, Securities Ltd and Investment Ltd. It introduced online and real-time services for its clients. As an employee of XX Firm Ltd I decided to do this project on this Firm. I performed the IT audit from 01/06/2017 to 29/06/2017 at the Principal Work station of XX Firm Limited, where I am a regular employee. I also visited the head office and data centre several times for audit purposes.

 

1.4 Category of ICT operation of XX Firm Ltd

Depending on their ICT operation there are two types of Firm in our country:

1.      Centralized ICT operation

2.      Decentralized ICT operation

In centralized ICT operation, business applications are managed through a Data Center (DC) that continuously backs up data, and all work stations and booths are connected to it through a WAN. In decentralized ICT operation, distributed business applications are managed across the WAN. XX Firm Ltd's ICT operation is centralized.

 

1.5 Sources of data


Both primary and secondary data have been collected. I gathered primary data through personal interviews with employees of the Firm, mainly in verbal discussion. For secondary data I used the database, official manuals and several books. Both kinds of data were used to prepare the report smoothly and accurately.

 

Primary sources:

  • Direct observation of information system.
  • Questioning with concerned persons.

 

Secondary sources:

  • Manuals, documents and previous audit reports.

1.6 Limitations of the report


Analysing the overall IT activities of a Firm is not easy, so the report was completed under the following limitations:

  • The Firm's IT systems are highly sensitive, and the audit could not be performed without permission from the concerned authority.
  • An audit report is confidential to the organization and is not an open report.
  • Due to time restrictions, the report concentrates on selected areas only.

 


Chapter: 02
ICT Security Management audit

ICT security management ensures that ICT functions and operations are managed efficiently and effectively. A Firm needs its own policy, guidelines, internal and external audit teams and training to manage ICT security. A standard audit policy is necessary to guide the Firm's auditors and employees in following the rules. ICT is a fast-moving field, so the documentation for ICT security management needs to be revised periodically.

2.1 ICT Policy, Standard and Procedure

A Firm needs a policy statement and fixed standards and procedures for IT auditing, updated periodically. I checked the Firm's policy and auditing procedures and found the following audit objections.

 

1. XX Firm Ltd has an 'ICT Security Policy' approved by the board. The policy requires regular updates to deal with changes in the ICT environment, but it has not been updated for more than a year.

2. No separate ICT security professionals are employed in a separate ICT security department; the Firm's IT department is currently responsible for providing IT security. A separate ICT security department must be established as per the Bangladesh Firm guideline.

 

 

2.2 Documentation

The head office audit division, the IT division and the work stations each need to have the necessary documentation.

1.      XX Firm Ltd has an organogram for the ICT department, but it is not updated and recent changes are not reflected in it. It is advised to update the organogram.

2. During the audit of the Principal Work station, no ICT support unit/section/personnel was found in the work station's organogram.

3. In the Principal Work station a power user supports IT operations within the work station, but he has no approved job description.

4. In the IT division as well as in the Principal Work station, one employee performs multiple ICT tasks, so a clear segregation of duties is necessary.

5. Detailed design documents for all ICT systems/services (e.g. Data Center design, network design, power layout for the Data Center, etc.) are not kept in one place. All design and layout plans must be kept in one place under a responsible person.

6. There is a prescheduled roster for sensitive ICT tasks (e.g. network monitoring, security guard for the Data Center, ATM monitoring, etc.), but it is not maintained strictly; some employees were found not following it.

7. Updated operating procedures for all ICT functional activities (e.g. backup management, database management, network management) are not maintained.

8. Approved requisition forms for some ICT operations (such as closing a user or changing a user name) were not found.

 

2.3 Internal Information System Audit

Audit observations regarding internal audit are given below.

1. Internal Information System (IS) audits are carried out by the Firm's Internal Audit Department, but the auditors do not have sufficient skill, education and certification to perform IS audits. There is no CISA-certified auditor; CISA certification is now the benchmark qualification in this field. Engagement of certified IS auditors with adequate audit experience in this area is advised.

2. Computer-Assisted Audit Tools (CAATs) are not used for IS audit planning, auditing, control and management. Using CAATs is advised as per the Bangladesh ICT policy.

3. Internal information system audits are done periodically, at least once a year, and the reports are preserved for regulators as and when required. XX Firm Ltd's audit issues are properly tracked and completely recorded, but they are not followed up and rectified properly. In the Principal Work station I found that some of last year's objections are not rectified yet. It is advised to rectify previous audit objections immediately.

 

2.4 External Information System Audit

As per the Bangladesh Firm ICT guideline, an external auditor for information system auditing must be engaged alongside the Firm's internal audit team. An expert external system auditor can often perform a more detailed and in-depth audit than the internal audit. The following is the audit objection regarding external information system auditing.

1. XX Firm Ltd is not engaging external auditor(s) for its information system auditing in line with its regular financial and internal audits. It is advised to engage an external auditor.

 

2.5 Standard Certification

Standard certification is necessary to bring ICT activities and infrastructure up to industry standard. The audit observation regarding standard certification is given below.

1. Industry-standard certification (e.g. ISO certification) related to information system security, quality of ICT service delivery, business continuity management, payment card data security, etc. has not been obtained.

 

 

 

 

2.6 Security Awareness and Training

IT awareness training is a regulatory requirement of the Bangladesh Firm. The following are audit observations regarding security awareness and training.

1. Not all IT-relevant personnel receive proper training, education, updates and awareness of ICT security activities relevant to their job function.

2. Not all XX Firm Ltd ICT personnel have had foundation training.

3. Not all staff of the Firm have had security awareness training.

 

2.7 Insurance

ICT assets must be insured to protect against financial loss if something catastrophic happens to the business. The audit observation regarding insurance is given below.

1. Not all ICT assets are covered by insurance. Adequate insurance coverage or a risk coverage fund is necessary.


Chapter: 03
Infrastructure Security Management audit

ICT infrastructure includes all data, applications, databases, operating systems and networks. Attacks may hit the ICT infrastructure in many ways, so an IS auditor regularly checks its various components for lack of compliance.

 

 

3.1 Asset Management

I audited the ICT assets and found the following.

1. ICT asset procurement must comply with the Firm's procurement policy, but some assets (UPS units, keyboards, mice, network cables) were procured without following it. It is advised to follow the standard procurement policy for all types of asset.

2. Not every ICT asset is assigned to a custodian (an individual or entity) responsible for the development, maintenance, usage, security and integrity of that asset.

3. Not all ICT assets are identified and labeled, and the labeling carries no classification.

4. The ICT asset inventory does not state significant details (e.g. owner, custodian, purchase date, location, license number, configuration, etc.). It is advised to maintain the inventory with these details.

5. The ICT asset inventory is not updated.

6. Information system assets must be adequately protected from unauthorized access, misuse or fraudulent modification, insertion, deletion, substitution, suppression or disclosure. The level of supervision needs to be increased.

7. There is no disposal policy for information system assets. Data on storage media is not destroyed before disposal.

8. Portable devices (pen drives, portable hard disks) are used without prior permission from the authority.

9. Some software used by employees is not licensed. It is advised not to use any software that has not been legally purchased or otherwise legitimately obtained.

10. There is no approved list of software that alone may be used on any computer. It is advised to make an approved software list immediately.

11. At work station level some unauthorized or pirated software is used; this must be strictly prohibited throughout the Firm.

 

 

3.2 Desktop/Laptop Devices Controls

Users' desktops are a constant target of attack, so the IS auditor needs to audit all desktops and laptops. I conducted the audit and found the following.

1. Desktop computers are connected to UPS units to prevent damage to data and hardware, but some UPS batteries were found damaged. It is advised to check UPS batteries periodically.

2. Unattended computers are not locked automatically. Before leaving a desktop or laptop unattended, users shall apply the "Lock Workstation" feature.

3. Desktop computers, laptops, monitors, etc. are turned off at the end of each workday, but no person is assigned responsibility for checking this at the end of each work day.

4. Laptops, computer media and other forms of removable storage containing sensitive information (e.g. CD-ROMs, Zip disks, PDAs, flash drives, external hard drives) are not stored in a secured location or locked cabinet when not in use.

5. Access to the USB ports of desktop computers is not controlled.

6. Other information storage media containing confidential data, such as paper files and tapes, are not stored in a secured location or locked cabinet when not in use.

7. At work station level some individual users install or download software applications without prior authorization.

8. Virus infections are not reported.

9. Viruses are cleaned/deleted without expert assistance.

10. In the work station the same identification (ID) and authentication (password) are used by multiple users.

11. Computers are not placed above floor level.

 

 

3.3 Server/Network Room/Rack Controls

Server and network rooms and racks are a constant target of attack and therefore require auditing. The following are the audit findings.

1. The server/network room/rack is a glass enclosure, but it is not locked and no responsible person is assigned to it.

2. Physical access is restricted and a visitors' logbook exists, but it is not maintained properly: some employees enter the server room without entering their name in the entry register.

3. The access authorization list is not maintained and reviewed on a regular basis.

4. There is no provision to replace the servers and network devices within the shortest possible time in case of a disaster.

 

 

3.4 Networks Security Management

The following are audit observations regarding network security management.

1. No written documentation of baseline security standards is found for operating systems, databases, network equipment and portable devices, which shall meet the organization's policy.

2. Enforcement standards are not applied uniformly, so that non-compliances are detected and raised for investigation.

3. All types of cable, including UTP, fiber and power, shall be properly labeled for later corrective or preventive maintenance work, but most cables were found unlabeled.

4. Mechanisms are in place to encrypt and decrypt sensitive data travelling over the WAN or public networks, but the mechanism needs to be followed up and updated.

5. Network security devices such as firewalls are installed to protect the network perimeter, but they are not monitored periodically.

6. The rules on network security devices are not checked on a regular basis to determine that they are still appropriate and relevant.

7. Not all unused ports on the access switches are shut off.
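Observation 7 can be checked mechanically rather than by walking the rack. The following Python script is an added example, not part of this audit or of the Firm's own tooling: it parses the output of the Cisco IOS-style `show interfaces status` command, which lists every port's link state, and flags ports that have no link yet are still administratively enabled. The switch output below is constructed for illustration, and the interface names and VLAN numbers are assumptions.

```python
"""Audit access-switch ports against the "unused ports shut off" control.

Added example (not part of the original report). SAMPLE_STATUS is a constructed
Cisco IOS-style `show interfaces status` listing; on a real audit paste the live
output of that command from each access switch.
"""
import re

# Constructed sample: two ports in use, an uplink, and three spare ports of which
# only Gi1/0/5 was administratively shut down.
SAMPLE_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/1   Teller-PC-01       connected    10         a-full  a-100 10/100/1000BaseTX
Gi1/0/2   Printer-Cash       connected    20         a-full  a-100 10/100/1000BaseTX
Gi1/0/3                      notconnect   1          auto    auto  10/100/1000BaseTX
Gi1/0/4                      notconnect   10         auto    auto  10/100/1000BaseTX
Gi1/0/5                      disabled     1          auto    auto  10/100/1000BaseTX
Gi1/0/24  Uplink-Core        connected    trunk      a-full  a-1000 10/100/1000BaseTX
"""

# Port id, optional description, status keyword, VLAN column; the header line
# carries none of the status keywords and therefore does not match.
LINE_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>.*?)\s*"
    r"(?P<status>connected|notconnect|disabled|err-disabled)\s+(?P<vlan>\S+)"
)


def parse_status(text):
    """Return one dict per port line (port, name, status, vlan)."""
    ports = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ports.append(m.groupdict())
    return ports


def audit_ports(ports):
    """Apply the control: a port with no link must be administratively disabled.

    Returns (port, finding) tuples. An enabled port with nothing plugged in
    ("notconnect") is a live jack anyone can use; one left in VLAN 1 also puts
    the intruder on the switch's default VLAN.
    """
    findings = []
    for p in ports:
        if p["status"] == "notconnect":
            msg = "unused port is enabled; apply 'shutdown'"
            if p["vlan"] == "1":
                msg += " (port is also in default VLAN 1)"
            findings.append((p["port"], msg))
    return findings


if __name__ == "__main__":
    for port, finding in audit_ports(parse_status(SAMPLE_STATUS)):
        print(f"{port}: {finding}")
```

A port that shows "disabled" has been shut down and needs no finding; "notconnect" ports are the ones the control is about. Ports on which a device is only temporarily unplugged will also appear, so the list is a worksheet to confirm against the cabling records, not a final finding.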

 

 

 

 

3.5 Cryptography

The primary application of cryptography is to protect the confidentiality of sensitive information. Firms commonly use cryptography to protect sensitive customer information such as PINs for applications like ATMs, payment cards and online financial systems. The following is the audit observation regarding cryptography.

1. There is no established cryptographic key management policy and procedure covering key generation, distribution, installation, renewal, revocation and expiry.

 

 

 

3.6 Malicious Code Protection

The following are audit objections regarding malicious code (virus) protection.

1. Anti-virus packages are not installed on all computers.

2. Files received on electronic media, by mail, from uncertain origins or from unknown networks are not checked for malicious code before use.

3. The anti-virus package is found up to date with the latest virus definition file through an automated and timely process.

4. Not all computers on the network get updated anti-virus signatures automatically from the server.

5. Virus auto-protection mode is not enabled on some computers to screen disks, tapes, CDs or other media for viruses.

6. The awareness program for end users about computer viruses and their prevention is not complied with.

3.7 Internet Access Management

Internet access within the Firm must be under close supervision and must be routed through a secure gateway. The audit objections regarding internet use are given below.

1. Internet access is not provided to employees according to the approved Internet Access Policy; some employees use the internet without approval. The internet must be used only for official work, and its use must be monitored.

2. Access to the internet from Firm premises must not compromise the Firm's information security, but some employees use the internet for personal purposes on office premises, which hampers the Firm's information security.

3. Access to the internet from Firm premises and systems is routed through secure gateways, but the gateway is not monitored and checked on a regular basis.

4. Use of locally attached modems with the Firm's systems to connect to the internet or any third-party or public network via broadband, ISDN or PSTN services is prohibited unless specifically approved. A circular to this effect must be sent to all work stations.

 

3.8 Email Management

The audit objections regarding email use are given below.

1. The email system is not used according to the Firm's policy; employees were found sending personal email through the Firm's email system. An employee found to have violated this policy may be subject to disciplinary action.

2. Email shall not be used to communicate confidential information to external parties unless it is encrypted using approved encryption facilities. Work station level employees were found unaware of the encryption facilities; training in this regard is necessary.

3. Employees' email is not checked on a regular basis. Information transmitted by email must not be defamatory or abusive or damage the reputation of the Firm; willful transmission of such material is likely to result in disciplinary action. The concerned department shall perform regular review and monitoring of the email services.

 

3.9 Vulnerability Assessment and Penetration Testing

Vulnerability assessment (VA) is the process of discovering and assessing security vulnerabilities in a system; penetration testing goes a step further and attempts to exploit them to show what an attacker could actually achieve. The audit objections regarding vulnerability assessment and penetration testing are given below.

1. Vulnerability assessment and penetration testing are not conducted periodically to detect security vulnerabilities in the ICT environment, the network infrastructure and internet-facing systems.

2. After vulnerability assessment and penetration testing, no process to remedy the issues is defined and the gaps are not addressed. No documentation of previous VAs was found.

 

3.10 Patch Management

A patch is a piece of code released by a software vendor to correct a defect or security vulnerability in software that is already installed. The audit objections regarding patch management are given below.

1. The Firm needs to establish patch management procedures that include identification, categorization and prioritization of security patches. There is no patch management team to implement security patches in a timely manner.

2. Security patches are not tested before deployment into the production environment.

 

3.11 Security Monitoring

The audit observation regarding security monitoring is given below.

1. Security logs of systems, applications and network devices are not regularly reviewed for anomalies. The logs are found protected and retained for a defined period to facilitate future investigation.
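Log review can be partly automated so that the reviewer reads only the exceptions. The following Python script is an added example, not part of this audit: it runs two checks over authentication log lines that an IS auditor would ask about, namely repeated failed logons for one user ID (and whether the lockout-after-three-attempts control from the Firm's password policy actually stopped them) and successful logons outside the operating time schedule. The log format, host name, user IDs and the 08:30 to 18:00 operating hours are all constructed for illustration.

```python
"""Review authentication logs for failed-logon bursts and off-hours logons.

Added example, not part of the audit report. SAMPLE_LOG is constructed in a
simple key=value format; adapt LINE_RE to the real system's log format.
OPERATING_HOURS is an assumed 08:30-18:00 schedule.
"""
import re
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample: u1077 fails four times in 20 s and then gets in, which a
# working lockout-after-3 control would have prevented; u1102 logs in at night.
SAMPLE_LOG = """\
2017-06-14 08:55:02 host=cbs-app01 user=u1023 src=10.1.7.21 result=SUCCESS
2017-06-14 09:10:15 host=cbs-app01 user=u1077 src=10.1.7.33 result=FAIL
2017-06-14 09:10:21 host=cbs-app01 user=u1077 src=10.1.7.33 result=FAIL
2017-06-14 09:10:27 host=cbs-app01 user=u1077 src=10.1.7.33 result=FAIL
2017-06-14 09:10:34 host=cbs-app01 user=u1077 src=10.1.7.33 result=FAIL
2017-06-14 09:10:40 host=cbs-app01 user=u1077 src=10.1.7.33 result=SUCCESS
2017-06-14 13:02:09 host=cbs-app01 user=u1040 src=10.1.7.19 result=FAIL
2017-06-14 13:05:11 host=cbs-app01 user=u1040 src=10.1.7.19 result=SUCCESS
2017-06-14 22:47:53 host=cbs-app01 user=u1102 src=10.1.9.8 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) host=(?P<host>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>SUCCESS|FAIL)$"
)
OPERATING_HOURS = (time(8, 30), time(18, 0))  # assumed schedule


def parse_log(text):
    """One dict per well-formed line, with ts converted to a datetime."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
            records.append(rec)
    return records


def failed_logon_bursts(records, threshold=3, window=timedelta(minutes=10)):
    """Users with at least `threshold` FAILs inside `window`.

    For each such user the result also records whether a SUCCESS landed inside
    the same window, i.e. the account was not locked after the failures even
    though policy requires lockout after `threshold` consecutive attempts.
    """
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append((r["ts"], r["result"]))
    bursts = {}
    for user, events in by_user.items():
        events.sort()
        fails = [ts for ts, res in events if res == "FAIL"]
        for i, start in enumerate(fails):
            count = sum(1 for ts in fails[i:] if ts - start <= window)
            if count >= threshold:
                succeeded = any(res == "SUCCESS" and start <= ts <= start + window
                                for ts, res in events)
                bursts[user] = {"failures": count, "lockout_bypassed": succeeded}
                break  # report the first qualifying burst per user
    return bursts


def off_hours_logons(records, hours=OPERATING_HOURS):
    """Successful logons whose time of day is outside the operating schedule."""
    start, end = hours
    return [r for r in records
            if r["result"] == "SUCCESS" and not start <= r["ts"].time() <= end]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, info in failed_logon_bursts(recs).items():
        print(f"{user}: {info['failures']} failures, lockout bypassed={info['lockout_bypassed']}")
    for r in off_hours_logons(recs):
        print(f"off-hours logon: {r['user']} at {r['ts']} from {r['src']}")
```

A burst followed by a success inside the window is worth more attention than the burst alone: it means either the lockout parameter is not in force on that system or the account was unlocked by someone, and both should show up in the change or help-desk records.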

 

Chapter: 04
 Data Center Controls audit

 

The data center, together with the disaster recovery site, is the heart of an information system, so its physical and environmental security is very important. Lapses in security can cause heavy data loss and business interruption; in a critical situation a Firm may go out of business through data loss, and permanent loss of data would close the business for good. The guidelines for protecting the data center and disaster recovery site must therefore be followed.

4.1 Physical Security

Physical security plays an important role in the data center; physical access is restricted to selected persons. The data centre has the following physical security audit observations.

1. Physical security is applied to the information processing area/Data Center. The DC is a restricted area and unauthorized access is strictly prohibited, but no responsible officer is assigned to enforce the restriction.

2. Access to the DC is not granted on a need-to-have basis, and staff's physical access to the DC is not revoked immediately when it is no longer required.

3. Vendors must obtain written permission every time and must be accompanied by an authorized employee when granted access to the DC. Vendors visited the DC many times, but no written permission was found.

4. The access authorization list of persons allowed into the Data Center is not maintained and reviewed periodically.

5. The Firm employs physical, human and procedural controls around the clock, such as security guards, a card access system and a surveillance system, but some points in the DC are not covered by the surveillance system.

6. The inventory of all computing equipment, associated equipment and consumables housed in the DC is not updated.

 

4.2 Environmental Security

The data centre environment is strictly controlled. Electrical equipment in the data centre gives off heat, and if that heat is not removed the temperature keeps rising. By controlling air flow and humidity, the server components are kept within the manufacturer-specified temperature/humidity range.

1. ASHRAE's (American Society of Heating, Refrigerating and Air-Conditioning Engineers) "Thermal Guidelines for Data Processing Environments" recommends a temperature range of 16–24 °C (61–75 °F), a humidity range of 40–55% and a maximum dew point of 15 °C as optimal data center conditions; these conditions are not maintained.

2. The Data Center is in a multi-tenant building, which violates the Bangladesh Firm guideline.

3. The layout design of the Data Center, including power supply and network connectivity, is not properly documented.

4. A fully functioning development and test environment is not available. It is advised to keep the development and test environments separate from production.

5. Some powered-off and unused router devices were found in the DC. Accessories or devices not associated with the Data Center, and powered-off devices, shall not be stored in the Data Center; a separate store room is in place for all unused and redundant IT equipment.

6. Closed-circuit television (CCTV) cameras are installed, but they are not sufficient to monitor all sides. It is advised to increase the number of CCTV cameras.

7. The "No eating, drinking or smoking" sign is not on display.

8. Dedicated office vehicles are not available on site for emergencies. Using public transport while carrying critical equipment outside the Firm's premises is advised against, to avoid the risk of any casualty.
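The ASHRAE envelope in observation 1 can be checked against sensor readings without a hand calculation. The following Python script is an added example, not part of this audit: it computes the dew point from each reading's temperature and relative humidity with the Magnus formula and reports every reading that falls outside the 16–24 °C, 40–55% RH or 15 °C dew point limits quoted above. The readings are constructed and the sensor labels are assumptions. The envelope applies to server inlet air, so readings should be taken at the rack inlets rather than in the hot aisle.

```python
"""Check data centre readings against the ASHRAE envelope quoted in section 4.2:
16-24 C, 40-55 % relative humidity, dew point no higher than 15 C.

Added example, not part of the audit report. SAMPLE_READINGS are constructed
and the sensor labels are assumptions; real values come from the DC's
environmental sensors or a handheld thermo-hygrometer at the rack inlets.
"""
import math

TEMP_RANGE_C = (16.0, 24.0)
RH_RANGE_PCT = (40.0, 55.0)
MAX_DEW_POINT_C = 15.0


def dew_point_c(temp_c, rh_pct):
    """Dew point from dry-bulb temperature and relative humidity using the
    Magnus formula with the Sonntag (1990) constants; good to about 0.1 C
    over the range that matters in a data centre."""
    b, c = 17.62, 243.12
    gamma = math.log(rh_pct / 100.0) + (b * temp_c) / (c + temp_c)
    return (c * gamma) / (b - gamma)


def check_reading(temp_c, rh_pct):
    """List of envelope violations for one reading; an empty list means compliant.
    Dew point is checked separately because a reading can sit inside the
    temperature range and still condense moisture on cold surfaces."""
    issues = []
    lo, hi = TEMP_RANGE_C
    if not lo <= temp_c <= hi:
        issues.append(f"temperature {temp_c:.1f} C outside {lo:.0f}-{hi:.0f} C")
    lo, hi = RH_RANGE_PCT
    if not lo <= rh_pct <= hi:
        issues.append(f"humidity {rh_pct:.0f} % outside {lo:.0f}-{hi:.0f} %")
    td = dew_point_c(temp_c, rh_pct)
    if td > MAX_DEW_POINT_C:
        issues.append(f"dew point {td:.1f} C above {MAX_DEW_POINT_C:.0f} C")
    return issues


# Constructed readings (label, temperature C, relative humidity %): one compliant
# rack inlet, one overheated inlet, and a UPS room that is humid but not hot.
SAMPLE_READINGS = [
    ("rack-row-A inlet", 22.0, 50.0),
    ("rack-row-B inlet", 26.0, 60.0),
    ("UPS room", 23.0, 70.0),
]


def audit_environment(readings):
    """Map each sensor label to its violations; entries with a non-empty list
    are the audit findings."""
    return {label: check_reading(t, rh) for label, t, rh in readings}


if __name__ == "__main__":
    for label, issues in audit_environment(SAMPLE_READINGS).items():
        print(label, "->", "; ".join(issues) or "within envelope")
```

The UPS room reading shows why the dew point limit is listed separately: 23 °C is inside the temperature range, but at 70% RH the dew point is about 17 °C, above the 15 °C maximum, so condensation is possible on any surface cooled below that.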

 

4.3 Fire Prevention

The data centre must be protected from fire, and the IS auditor needs to audit the various fire prevention issues. The audit observations regarding fire protection of the data centre are given below.

1. The walls, ceiling and door of the Data Center are not all fire-resistant.

2. Fire suppression equipment is installed but not tested periodically.

3. An automatic fire/smoke alarm system is installed but not tested periodically.

4. No fire detector was found below the raised floor.

5. Some data cables in the Data Center are not concealed.

6. Flammable items such as paper and plastics were found in the Data Center.


Chapter: 05
Data Access Control audit

Access control provides assurance that data and applications are protected against attack. Data access covers authorizing a person to read data, change data, access the system and carry out privileged user activity. It distinguishes administrators from users: for example, an administrator may be able to remove data but a general user may not. The Firm must grant access rights and system privileges based on job responsibility, and it must be checked that nobody is using his own rank and position to access confidential data, applications or system resources. There are two types of control:

1.      Physical control

2.      Logical control

Keeping a computer in a safe place provides physical control, whereas a software mechanism that detects unauthorized access provides logical control.

 

5.1 User Access Management

Users access data using a unique ID, and each ID is granted access rights according to the user's responsibilities. The Firm's management must grant and monitor access properly. The following are some audit findings.

1. Each user must have a unique user ID and a valid password. At work station level one user ID and password is shared by a group; in particular the work station admin password is shared.

2. User ID maintenance forms with access privileges were found not duly approved by the appropriate authority; sometimes they are approved by junior staff of the IT division.

3. User access privileges are not kept updated for job status changes.

4. User access privileges are not regularly reviewed to verify that privileges are granted appropriately.

 

5.2 Password Management

The audit observations regarding password management are given below.

1. Password definition parameters shall ensure that the minimum password length is maintained according to the Firm's policy (at least 6 characters).

2. Passwords are not found to be a combination of at least three of the stated character classes (uppercase, lowercase, special characters and numbers).

3. The maximum validity period of a password shall not exceed the number of days permitted in the Firm's policy (a maximum 30-day cycle).

4. The parameter controlling the maximum number of invalid logon attempts is found specified properly in the system according to the Firm's policy (maximum 3 consecutive attempts).

5. The administrative passwords of the operating systems, databases and business applications are not kept in safe custody in sealed envelopes.
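The password parameters in observations 1 to 4 are what an auditor reads off each system's security settings. The following Python script is an added example, not part of this audit: it compares such settings with the Firm's policy values (6 characters, three of four character classes, 30-day cycle, 3 attempts), tests sample passwords for the complexity rule, and lists users whose passwords are older than the policy allows. The parameter dictionary, the user IDs and their last-change dates are constructed. The policy values are passed in as a parameter, so a stronger policy than the Firm's current 6-character minimum can be substituted without changing the checks.

```python
"""Compare password-control settings and sample passwords with the Firm's policy.

Added example, not part of the audit report. SAMPLE_PARAMS and
SAMPLE_LAST_CHANGED are constructed; POLICY holds the values quoted in section
5.2 and can be replaced by a stronger policy without touching the checks.
"""
import string
from datetime import date

POLICY = {"min_length": 6, "min_classes": 3, "max_age_days": 30, "max_attempts": 3}


def char_classes(password):
    """How many of the four classes (upper, lower, digit, special) are present."""
    return sum((
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ))


def password_meets_policy(password, policy=POLICY):
    """Length and complexity rules from the policy, both required."""
    return (len(password) >= policy["min_length"]
            and char_classes(password) >= policy["min_classes"])


def audit_system_parameters(params, policy=POLICY):
    """Findings for one system's settings. A value of 0 for max_age_days or
    lockout_threshold is the usual way systems express 'never' / 'disabled',
    so 0 is treated as a violation, not as 'stricter than policy'."""
    findings = []
    if params["min_length"] < policy["min_length"]:
        findings.append(f"minimum length {params['min_length']} below policy {policy['min_length']}")
    if params["min_classes"] < policy["min_classes"]:
        findings.append(f"complexity needs {params['min_classes']} classes, policy needs {policy['min_classes']}")
    if params["max_age_days"] == 0 or params["max_age_days"] > policy["max_age_days"]:
        findings.append(f"maximum password age {params['max_age_days']} days (0 = never expires) exceeds policy {policy['max_age_days']}")
    if params["lockout_threshold"] == 0 or params["lockout_threshold"] > policy["max_attempts"]:
        findings.append(f"lockout after {params['lockout_threshold']} attempts (0 = disabled) exceeds policy {policy['max_attempts']}")
    return findings


def stale_passwords(last_changed, today, policy=POLICY):
    """{user: age_in_days} for users past the maximum validity period."""
    ages = {user: (today - changed).days for user, changed in last_changed.items()}
    return {user: age for user, age in ages.items() if age > policy["max_age_days"]}


# Constructed settings as read from a work station application's security menu:
# length is fine, complexity is effectively off, passwords never expire.
SAMPLE_PARAMS = {"min_length": 6, "min_classes": 1, "max_age_days": 0, "lockout_threshold": 3}
# Constructed last-change dates from the user master file, audited on 15 June 2017.
SAMPLE_LAST_CHANGED = {"u1023": date(2017, 5, 2), "u1077": date(2017, 6, 10), "u1102": date(2016, 11, 20)}
AUDIT_DATE = date(2017, 6, 15)

if __name__ == "__main__":
    for f in audit_system_parameters(SAMPLE_PARAMS):
        print("finding:", f)
    print("stale:", stale_passwords(SAMPLE_LAST_CHANGED, AUDIT_DATE))
    for pw in ("Tk7#pq", "teller1", "Aa1"):
        print(pw, "ok" if password_meets_policy(pw) else "rejected")
```

Each system (operating system, database, business application) is audited separately, because the parameter names differ and a policy met on one system is routinely missed on another.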

 

 

5.3 Input Control

The audit observations regarding input control are given below.

1. No session time-out period is set for users.

2. Operating time schedules for users' input to the Firm's applications are not implemented.

3. The software shall not allow the same user to be both maker and checker of the same transaction unless otherwise permitted by the appropriate authority. In practice the checker password is sometimes shared by several makers, who then verify their own transactions without any check. This practice must be stopped.

4. Sensitive data and fields of the Firm's applications are not restricted from being accessed.
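Observation 3 above and observation 1 of section 5.1 (shared user IDs and passwords at work station level) can both be tested from the application's transaction audit trail. The following Python script is an added example, not part of this audit: it lists transactions where the maker and checker are the same user ID, and flags checker IDs that authorised transactions from two different terminals within a few minutes of each other, which is the footprint a shared checker password leaves. The log format, user IDs and terminal names are constructed.

```python
"""Test the maker-checker control and look for shared checker credentials in a
transaction audit trail.

Added example, not part of the audit report. Log format, user IDs and terminal
names are constructed; point parse_log at the core application's real trail.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: txn 100047 is authorised by its own maker; checker u1077 authorises
# from BR01-03 and BR01-07 less than three minutes apart.
SAMPLE_LOG = """\
2017-06-12 10:02:11 txn=100045 maker=u1023 checker=u1077 terminal=BR01-03
2017-06-12 10:04:52 txn=100046 maker=u1031 checker=u1077 terminal=BR01-07
2017-06-12 10:05:30 txn=100047 maker=u1023 checker=u1023 terminal=BR01-05
2017-06-12 10:41:09 txn=100048 maker=u1031 checker=u1077 terminal=BR01-03
2017-06-12 11:15:44 txn=100049 maker=u1040 checker=u1090 terminal=BR01-09
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) txn=(?P<txn>\d+) "
    r"maker=(?P<maker>\S+) checker=(?P<checker>\S+) terminal=(?P<terminal>\S+)$"
)


def parse_log(text):
    """One dict per well-formed line; ts is converted to a datetime."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
            records.append(rec)
    return records


def self_authorised(records):
    """Transaction ids where the same user ID was both maker and checker."""
    return [r["txn"] for r in records if r["maker"] == r["checker"]]


def shared_checker_ids(records, window=timedelta(minutes=5)):
    """Checker IDs that authorised from two different terminals within `window`.

    One person cannot be at two terminals minutes apart, so this pattern is a
    strong indicator that the checker password is shared among makers. It is an
    indicator, not proof: confirm against terminal assignments and CCTV.
    """
    by_checker = defaultdict(list)
    for r in records:
        by_checker[r["checker"]].append((r["ts"], r["terminal"]))
    suspects = {}
    for checker, events in by_checker.items():
        events.sort()
        for (t1, term1), (t2, term2) in zip(events, events[1:]):
            if term1 != term2 and t2 - t1 <= window:
                suspects.setdefault(checker, []).append((term1, term2))
    return suspects


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("maker == checker:", self_authorised(recs))
    print("checker IDs used from several terminals:", shared_checker_ids(recs))
```

The first check should return nothing at all if the application enforces maker-checker; any hit is a software control failure, not a user error. The second check only works if the trail records the terminal, which is itself something to verify during the audit.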

 

5.4 Privileged Access Management

Information security relies on trusting a small group of skilled staff, who must be subject to proper checks and balances. The audit observations regarding privileged access management are given below.

1. Entry-level junior staff are assigned to critical operations and security functions.

2. The following controls and security practices for privileged users are advised:

a) The number of privileged users should be limited and fixed by management.

b) Grant privileged access on a "need-to-have" basis.

c) Review privileged users' activities on a timely basis.

d) Prohibit sharing of privileged accounts.

e) Disallow vendors from gaining privileged access.


Chapter: 06
Business Continuity and Disaster Recovery Management audit

 

A Firm keeps records of public money, so a business continuity plan is very important for it. A Firm needs proper planning for business continuity and disaster recovery management. The primary objective of a Business Continuity Plan (BCP) is to survive a disaster and re-establish normal business operations in the least possible time with minimum financial and reputational loss.

6.1 Business Continuity Plan (BCP)

ICT operation is the heart of an organization, and the company depends on ICT to run its daily business. If ICT operation becomes unavailable the Firm's operations may stop completely, so an updated business continuity plan is a must for a Firm. The BCP needs to address:

1.      Backup plan

2.      Recovery process

3.      Restore process

The audit observations regarding the Business Continuity Plan (BCP) are given below.

1. The approved Business Continuity Plan, which addresses recovery from disaster to continue operations, has not been updated in the last year.

2. Only one copy of the BCP was found, in the head office. Documents related to the BCP need to be kept at secured off-site locations.

3. The BCP needs to address and keep updated the following:

a) Action plan to restore business operations within the specified time frame for:

   i) a disaster during office hours;

   ii) a disaster outside office hours.

b) Emergency contacts, addresses and phone numbers of employees, vendors and agencies.

c) Grab list of items such as backup tapes, laptops, flash drives, etc.

d) Disaster recovery site map.

6.2 Disaster Recovery Plan (DRP)

A disaster recovery site is a backup location to which a Firm can relocate following a disaster such as fire, flood or a terrorist threat. The audit observations regarding the Disaster Recovery Plan (DRP) are given below.

1. Scenario analysis to identify and address the various types of contingency is not included in the DRP. Contingency scenarios include fire, flood and terrorist attack; all of them must be covered in the DRP.

2. A Disaster Recovery Site (DRS) in a different seismic zone is not established. The DRS should be geographically separated from the primary site (a minimum of 10 kilometres radial distance, with a different seismic zone preferred).

3. Real-time data replication is enhancing the Firm's recovery capability, but more replica copies are necessary.

4. An up-to-date and tested copy of the DR plan is not kept at more than one off-site location; one copy is stored in the office for ready reference.

5. The DR plan is not tested and validated annually, so neither the effectiveness of the recovery requirements nor the ability of staff to execute the plan is verified each year.

6. DR test documentation does not include the test results, and test reports are not communicated to management and other stakeholders.

 

6.3 Data Backup and Restore Management

Data backups help the Firm to recover and continue its business. The following are audit observations regarding data backup and restore management.

1. The data backup and recovery policy is not updated.

2. There is no detailed planned backup schedule as per local and regulatory requirements. The planned backup schedule for each business application must state the retention period for backed-up or archived information, and that retention period must be consistent with local legal and regulatory requirements.

3. Media containing backed-up information are not labeled with the information content, backup cycle, backup serial identifier, backup date and classification of the information content.

4. Periodic testing and validation of the recovery capability of backup media, to assess whether it is adequate and sufficiently effective to support the Firm's recovery process, is not done.
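Observations 2, 3 and 4 above (retention per application, media labelling, and periodic recovery testing) can be checked mechanically against a backup catalogue rather than by interview. The following Python script is an added example and is not part of the audit report or of any Firm system; the catalogue records, the minimum retention periods per application and the 12-month restore-test interval are constructed for illustration and would be replaced by the Firm's policy values.

```python
"""Backup catalogue compliance check for the observations in 6.3.
Added example with constructed data; not the Firm's code."""
from datetime import date

# Observation 3: every backup medium must be labelled with these fields.
REQUIRED_LABEL_FIELDS = ("content", "cycle", "serial", "backup_date", "classification")

# Observation 2: minimum retention per business application. These values are
# assumptions for the example, not figures from the report or any regulation.
MIN_RETENTION_DAYS = {"core_ledger": 3650, "email": 365, "hr": 1825}

# Observation 4: recovery from media must be tested periodically (assumed: yearly).
RESTORE_TEST_MAX_AGE_DAYS = 365

AS_ON = date(2017, 6, 1)   # audit date used for age calculations

# Constructed catalogue: one record per backup medium, as an auditor might
# export it from the backup software.
SAMPLE_CATALOGUE = [
    {"content": "core_ledger", "cycle": "daily", "serial": "T-0001",
     "backup_date": date(2017, 5, 30), "classification": "confidential",
     "retention_days": 3650, "last_restore_test": date(2017, 1, 15)},
    {"content": "email", "cycle": "weekly", "serial": "T-0002",
     "backup_date": date(2017, 5, 28), "classification": "internal",
     "retention_days": 180, "last_restore_test": date(2015, 11, 2)},
    {"content": "hr", "cycle": "monthly", "serial": "T-0003",
     "backup_date": date(2017, 5, 1),          # classification label missing
     "retention_days": 1825, "last_restore_test": None},
]


def audit_backup_catalogue(catalogue, today=AS_ON,
                           min_retention=MIN_RETENTION_DAYS,
                           restore_max_age=RESTORE_TEST_MAX_AGE_DAYS):
    """Return a list of (medium serial, finding) pairs."""
    findings = []
    for rec in catalogue:
        ident = rec.get("serial") or "<unlabelled>"
        # Labelling: any required field absent or empty is a finding.
        missing = [f for f in REQUIRED_LABEL_FIELDS if not rec.get(f)]
        if missing:
            findings.append((ident, "label missing: " + ", ".join(missing)))
        # Retention: compare the configured period with the required minimum.
        required = min_retention.get(rec.get("content"))
        kept = rec.get("retention_days", 0)
        if required is not None and kept < required:
            findings.append((ident, f"retention {kept} days is below required {required} days"))
        # Recovery testing: never tested, or tested too long ago.
        last = rec.get("last_restore_test")
        if last is None:
            findings.append((ident, "recovery from this medium has never been tested"))
        elif (today - last).days > restore_max_age:
            findings.append((ident, f"last restore test {(today - last).days} days ago "
                                    f"exceeds {restore_max_age} days"))
    return findings


if __name__ == "__main__":
    for serial, msg in audit_backup_catalogue(SAMPLE_CATALOGUE):
        print(f"{serial}: {msg}")
```

Run against the constructed catalogue, the script reports nothing for T-0001, a retention shortfall and a stale restore test for T-0002, and a missing classification label plus an untested medium for T-0003; an auditor would carry the same three checks over the real catalogue export.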


Chapter: 07
Conclusion  

 

Conclusion

Information system auditing is a vast area and it is very difficult for a single person to cover the whole of it within a short period of time. At the end of the audit I presented the audit observations to management. I expect my audit findings and observations will help the Firm to find out and rectify security threats. I also expect that this report will help to assess and review the organization's IT based business. For a more effective audit, the Firm needs to employ external auditors from an independent audit firm. Financial audit findings are monitored and rectified, but information system audit findings are not monitored and rectified like financial audit findings. Nowadays the information system is the heart of Firming; therefore information system audit findings must be rectified properly.

Appendix

ICT Security Audit Checklist

XX Firm Ltd., Principal Work station, As on 01-06-2017

Sl | Subject | Y | N
1 | Does the work station have an up-to-date 'ICT Security Policy' of the Firm? | | 
2 | Work station shall have an updated organogram. | | 
3 | Firm shall have ICT support unit/section/personnel (Business/ICT) in the work station organogram. | | 
4 | Each individual within ICT department/division/unit/section shall have an approved Job Description (JD) with a fallback resource person. | | 
5 | Firm shall maintain segregation of duties for ICT tasks. | | 
6 | Firm shall maintain detailed network design documents for all ICT critical systems/services. | | 
7 | Firm shall have approved relevant requisition/acknowledgement forms for different ICT requests/operations/services. | | 
8 | Firm shall have User Manuals of all applications for internal/external users. | | 
9 | The work station shall take appropriate measures to address the recommendations made in the last Audit Report (external/internal). This must be documented and kept along with the Audit Report. | | 
10 | Firm shall ensure that all relevant personnel are getting proper training, education, updates and awareness of ICT security activities as relevant to their job function. | | 
11 | Firm shall also ensure the minimum level of Business Foundation Training for ICT personnel. | | 
12 | Firm shall arrange security awareness training/workshops for all staff. | | 
13 | Adequate insurance coverage or a risk coverage fund shall be maintained so that costs of loss and/or damage of ICT assets can be mitigated. | | 
14 | The Firm shall form an ICT Risk Management Committee to govern overall ICT risks and relevant mitigation measures. | | 
15 | ICT security department/unit/cell shall report the status of identified ICT security risks to the ICT security committee and Risk Management Committee periodically. | | 
16 | Firm shall establish a process to log information system related problems. | | 
17 | The Firm shall have a workflow process to escalate any problem to a concerned person to get a quick, effective and orderly response. | | 
18 | Problem findings and action steps taken during the problem resolution process shall be documented. | | 
19 | A trend analysis of past problems shall be performed to facilitate the identification and prevention of similar problems. | | 
20 | All ICT assets shall be clearly identified and labeled. Labeling shall reflect the established classification of assets. | | 
21 | Firm shall maintain an ICT asset inventory stating significant details (e.g. owner, custodian, purchase date, location, license number, configuration, etc.). | | 
22 | Firm shall review and update the ICT asset inventory periodically. | | 
23 | Information system assets shall be adequately protected from unauthorized access, misuse or fraudulent modification, insertion, deletion, substitution, suppression or disclosure. | | 
24 | Firm shall approve a list of software; only listed software may be used on any computer. | | 
25 | Use of unauthorized or pirated software must strictly be prohibited throughout the Firm. | | 
26 | Is any Closed-Circuit Television (CCTV) camera installed for monitoring? | | 
27 | i. Is the camera working properly and are the angles appropriate to cover the required area? | | 
28 | ii. Is there adequate manpower to operate the CCTV system, and are recordings checked regularly? | | 
29 | iii. Is a monthly backup of CCTV videos preserved on an external device (other than a pen drive)? | | 
30 | Is the burglar alarm working properly? | | 
31 | Desktop computers shall be connected to UPS to prevent damage to data and hardware. | | 
32 | Before leaving a desktop or laptop computer unattended, users shall apply the "Lock Workstation" feature. If not applied, the device will be locked automatically within 5 minutes (S-4.2.1.1.j). | | 
33 | Confidential or sensitive information stored on laptops must be encrypted. | | 
34 | Desktop computers, laptops, monitors, etc. shall be turned off at the end of each workday. | | 
35 | Laptops, computer media and any other forms of removable storage containing sensitive information (e.g. diskettes, CD ROMs, Zip disks, PDAs, flash drives, external hard drives) shall be stored in a secured location or locked cabinet when not in use. | | 
36 | Access to USB ports on desktop/laptop computers shall be controlled. | | 
37 | Other information storage media containing confidential data such as paper, files, tapes, etc. shall be stored in a secured location or locked cabinet when not in use. | | 
38 | Individual users must not install or download software applications and/or executable files to any desktop or laptop computer without prior authorization. | | 
39 | Any kind of virus shall be reported immediately. | | 
40 | Viruses shall not be cleaned/deleted without expert assistance unless otherwise instructed. | | 
41 | User identification (ID) and authentication (password) shall be required to access all desktops and laptops whenever turned on or restarted. | | 
42 | Standard virus detection software must be installed on all desktop and laptop computers and shall be configured to check files when read and routinely scan the system for viruses. | | 
43 | All computers shall be placed above floor level and away from windows. | | 
44 | Access to the Internet from Firm premises and systems must be routed through secure gateways. | | 
45 | Any local connection directly to the Internet from Firm premises or systems, including standalone PCs and laptops, is prohibited unless approved by Firm Information Security. | | 
46 | Employees shall be prohibited from establishing their own connection to the Internet using the Firm's systems or premises. | | 
47 | Use of locally attached modems with the Firm's systems in order to establish a connection with the Internet or any third-party or public network via broadband, ISDN or PSTN services is prohibited unless specifically approved. | | 
48 | Internet access provided by the Firm must not be used to transact any commercial business activity that is not done by the Firm. Personal business interests of staff or other personnel must not be conducted. | | 
49 | Internet access provided by the Firm must not be used to engage in any activity that knowingly contravenes any criminal or civil law or act. Any such activity will result in disciplinary action against the personnel involved. | | 
50 | c) Keep the operating system and applications up to date with patches. | | 
51 | e) Securely configure applications and browsers. | | 
52 | The email system shall be used according to the Firm's policy. | | 
53 | Access to the email system shall only be obtained through official request. | | 
54 | Email shall not be used to communicate confidential information to external parties unless encrypted using approved encryption facilities. | | 
55 | Employees must consider the confidentiality and sensitivity of all email content before forwarding email or replying to external parties. | | 
56 | Information transmitted by email must not be defamatory, abusive, involve any form of racial or sexual abuse, damage the reputation of the Firm, or contain any material that is harmful to employees, customers, competitors or others. The willful transmission of any such material is likely to result in disciplinary action. | | 
57 | The Firm email system is principally provided for business purposes. Personal use of the Firm email system is only allowed under management discretion and requires proper permission; such personal use may be withdrawn or restricted at any time. | | 
58 | Corporate email addresses must not be used for any social networking, blogs, groups, forums, etc. unless management approval is obtained. | | 
59 | Email transmissions from the Firm must carry a disclaimer stating the confidentiality of the email content and addressing the intended recipient. (S-5.5.1.3.d & S-5.5.1.5.2) | | 
60 | The Firm shall only grant user access to ICT systems and networks on a need-to-use basis and within the period when the access is required. | | 
61 | The Firm shall closely monitor non-employees (contractual, outsourced, or vendor staff) for access restrictions. | | 
62 | Each user must have a unique User ID and a valid password. | | 
63 | The User ID Maintenance form with access privileges shall be duly approved by the appropriate authority. Work station Managers/Department heads/Divisional heads will approve individual user IDs and access privileges as applicable. (S-5.1.1.4) | | 
64 | User access shall be locked after 3 unsuccessful login attempts. (S-5.1.1.2) | | 
65 | User access privileges must be kept updated for job status changes. Access privileges shall be changed/locked within 24 hours when a user's status changes or the user leaves the Firm. (S-5.1.1.5) | | 
66 | The Firm shall ensure that records of user access are uniquely identified and logged for audit and review purposes. | | 
67 | The Firm shall perform regular reviews of user access privileges to verify that privileges are granted appropriately. | | 
68 | Password definition parameters shall ensure that a minimum password length is maintained: at least 6 characters, with a combination of uppercase, lowercase, numbers and special characters. (S-5.1.2.1) | | 
69 | Software shall not allow the same user to be both maker and checker of the same transaction. (S-5.1.3.1) | | 
70 | Management approval must be in place for delegation of authority. (S-5.1.3.1) | | 
71 | c) There should be a separate room for security devices, routers and other network devices. | | 
72 | Firm must have an approved Business Continuity Plan addressing the recovery from disaster to continue its operation. | | 
73 | The needs of the target audience shall be identified, appropriate budgets obtained and priorities established. | | 
74 | The work plan shall clearly mention the main activities with the required resources, timelines and milestones. | | 
75 | Awareness building collateral can be created in the form of: | | 
76 | a) Leaflets and brochures | | 
77 | b) Safety tips in account statements and envelopes | | 
78 | f) Screensavers | | 
79 | g) Electronic newsletters | | 
80 | h) DVDs with animated case studies and videos | | 
81 | a) The network and server room should be under lock and key. | | 
82 | b) Access should be controlled with restricted access, and an access log should be maintained. | | 
83 | d) IT infrastructure should be under CCTV coverage and the video footage should be preserved for at least one year. | | 
84 | a) The IT environment should be free from flammable items, with a sufficient fire protection system established. Employees should be trained on the fire fighting system. | | 
85 | c) The electric power supply to IT equipment should be at the recommended voltage level, and there should be proper earthing at all connection points. There should be UPS and necessary power backup to ensure 24/7 power for servers, networking devices and CCTVs. | | 
86 | d) There should be a sufficient alarm system to alert on exceptional/unexpected environmental conditions. | | 
87 | There should be documented operating procedures for every ICT operation. Operating procedures shall be maintained and available to users related to their job function. | | 
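Items 64, 65 and 68 of the checklist above are the ones an auditor can verify from system data (the access system's user list, the authentication log, and the password rules) rather than by interview. The following Python script is an added example, not code from the report or from the Firm's systems; the user directory, the authentication events and the evaluation time are constructed so the checks can be run offline.

```python
"""Automatable checks for checklist items 64, 65 and 68.
Added example with constructed data; not the Firm's code."""
import string
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 3                 # item 64: lock after 3 unsuccessful attempts
REVOKE_WITHIN = timedelta(hours=24)   # item 65: revoke within 24 hours of leaving
MIN_PASSWORD_LENGTH = 6               # item 68: at least 6 characters, mixed classes

EVAL_TIME = datetime(2017, 6, 1, 9, 0)   # point in time at which the audit is run


def password_meets_policy(pw):
    """Item 68: minimum length plus upper, lower, digit and special character."""
    return (len(pw) >= MIN_PASSWORD_LENGTH
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


# Constructed user directory: HR leaving date plus the access system's state.
USERS = {
    "alice": {"left_at": None, "access_enabled": True, "locked": False},
    "bob":   {"left_at": datetime(2017, 5, 28, 17, 0), "access_enabled": True, "locked": False},
    "carol": {"left_at": datetime(2017, 5, 31, 9, 0), "access_enabled": False, "locked": False},
    "dave":  {"left_at": None, "access_enabled": True, "locked": False},
}

# Constructed authentication log: (timestamp, user id, outcome).
AUTH_EVENTS = [
    (datetime(2017, 6, 1, 8, 1), "dave", "FAIL"),
    (datetime(2017, 6, 1, 8, 2), "dave", "FAIL"),
    (datetime(2017, 6, 1, 8, 3), "dave", "FAIL"),
    (datetime(2017, 6, 1, 8, 4), "dave", "FAIL"),
    (datetime(2017, 6, 1, 8, 5), "alice", "FAIL"),
    (datetime(2017, 6, 1, 8, 6), "alice", "OK"),
]


def audit_access_controls(users, events, now=EVAL_TIME):
    """Return (user, finding) pairs for items 65 and 64."""
    findings = []
    # Item 65: account still enabled more than 24 hours after the user left.
    for name, u in users.items():
        if u["left_at"] and u["access_enabled"] and now - u["left_at"] > REVOKE_WITHIN:
            findings.append((name, "access not revoked within 24 hours of leaving"))
    # Item 64: a run of consecutive failures reaching the threshold on an
    # account the system has not locked. Events are walked in time order.
    streak = {}
    flagged = set()
    for _, name, outcome in sorted(events, key=lambda e: e[0]):
        streak[name] = streak.get(name, 0) + 1 if outcome == "FAIL" else 0
        if (streak[name] >= LOCKOUT_THRESHOLD and not users[name]["locked"]
                and name not in flagged):
            flagged.add(name)
            findings.append((name, f"{streak[name]} consecutive failed logins without lockout"))
    return findings


if __name__ == "__main__":
    for name, msg in audit_access_controls(USERS, AUTH_EVENTS):
        print(f"{name}: {msg}")
    for pw in ("Pa5s!w", "password", "Passw0rd"):
        print(pw, "OK" if password_meets_policy(pw) else "REJECT")
```

On the constructed data the script flags bob (left on 28 May, still enabled on 1 June) and dave (three failed logins with no lock applied); alice's single failure followed by a success is not a finding, and carol's account was disabled as required.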

 

 

 

 
SN | Question
Asset Management
1 | Do you perform any compatibility assessment prior to procuring any new ICT asset? If yes, how?
2 | Do you follow the procurement policy for ICT asset procurement? Please provide the procurement policy.
3 | Are all ICT assets assigned to a custodian?
4 | How are the assets classified? (desktop/laptop/printer/physical server/VM/IP phone etc.)
5 | Are all ICT assets clearly identified and labeled?
6 | Please provide us the asset inventory - hardware (e.g. desktop, laptop, printer etc.)
7 | Please provide us the asset inventory - software (e.g. MS Office, McAfee AV etc.)
8 | Do you review and update the ICT asset inventory periodically? (quarterly/yearly)
9 | Please provide us the asset disposal policy.
10 | Do you have any guideline for the use of portable devices (USB, external HDD, etc.)? Please provide.
11 | Do you have any policy for the return of organizational assets (laptop, mobile phone etc.) from employees/external parties upon termination of their employment? Please provide.
12 | Please provide the approved software list (Open Office, MS Office 2010, Adobe Reader XI or later, McAfee antivirus etc.)
13 | Do you only use legitimate/licensed software? How do you restrict use of unauthorized/pirated software?
14 | Did you outsource any software (e.g. McAfee antivirus)? If yes, do you have an SLA with the vendor?
Desktop/Laptop Device Control
15 | Are all desktops connected to UPS?
16 | Is the automatic lockdown policy for unattended desktops/laptops enforced?
17 | Do you encrypt mobile devices (laptops, smart phones)?
18 | Do you turn off the desktop, laptop and UPS at the end of each workday?
19 | Do you store removable storage media (CD ROMs, external HDDs, flash drives, backup tapes, papers containing confidential data such as licenses) in a locked cabinet/secured location when not in use?
20 | How do you control access to USB ports on desktops/laptops?
21 | Do individual users take prior authorization before downloading/installing software applications and/or executable files?
22 | Is antivirus software installed on all workstations?
23 | Are all workstations configured to log security related events (unauthorized access attempts, modification of system software etc.)?
24 | Are all desktops placed above floor level and away from windows?
BYOD Control
25 | Do you allow BYOD (smart phones, tablets)? If yes, what measures have you taken to secure, monitor and control the device (encryption, remote wipe, backup)?
Server Security Controls
26 | Please provide the list of servers (physical and virtual).
27 | What is the authentication and authorization system for accessing a server?
28 | Please provide the list of users who have access to servers.
29 | Is remote access enabled on the server? Can users access servers remotely (from intranet, from VPN, from the internet)?
30 | After how much time does an inactive session expire?
31 | How are the activities of system administration logged? The logging elements include:
   - all authentication
   - privilege escalation
   - user additions and deletions
   - access control changes
   - job schedule start-up
   - system integrity information
   - log entries must be time and date stamped
32 | Do you test configuration settings, new patches and service packs in a test environment before applying them to production servers?
33 | Do you have a separate file server or print server?
34 | Do you take backups of servers (both physical and virtual)?
35 | Do you allow file sharing between host and guest OSs in a virtual environment?
36 | Does the server display a trespassing banner at login?
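Question 31 lists the elements that system administration logging must cover and requires every entry to be date and time stamped. The following Python script is an added example (not from the report or the Firm's servers) that classifies syslog-style lines against those categories and reports entries without a timestamp and categories with no coverage at all. The sample lines are constructed, and the keyword patterns per category are assumptions for a Linux host; they would need adapting to the log format of the Firm's actual servers.

```python
"""Coverage check for system administration logging (question 31).
Added example with constructed log lines; not the Firm's code."""
import re
from collections import Counter

# Logging elements required by question 31, mapped to keyword patterns.
# The patterns are assumptions for a Linux syslog host, not from the report.
REQUIRED_CATEGORIES = {
    "authentication":        re.compile(r"Accepted password|Failed password|\blogin\b", re.I),
    "privilege_escalation":  re.compile(r"\bsudo:|\bsu\["),
    "user_add_delete":       re.compile(r"\buseradd\b|\buserdel\b"),
    "access_control_change": re.compile(r"\bchmod\b|\bchown\b|\bsetfacl\b"),
    "job_schedule":          re.compile(r"\bCRON\["),
    "system_integrity":      re.compile(r"\baide\b|\btripwire\b|integrity", re.I),
}

# Every entry must carry a date and time (ISO 8601 with zone offset assumed).
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:Z|[+-]\d{2}:\d{2})\s")

# Constructed sample export; the fourth line deliberately lacks its timestamp.
SAMPLE_LOG = """\
2017-06-01T08:00:12+06:00 srv01 sshd[2311]: Accepted password for admin from 10.0.0.5 port 51022 ssh2
2017-06-01T08:00:40+06:00 srv01 sudo: admin : TTY=pts/0 ; COMMAND=/usr/sbin/useradd auditor
2017-06-01T08:01:03+06:00 srv01 useradd[2330]: new user: name=auditor, UID=1005
srv01 sshd[2400]: Failed password for root from 10.0.0.9 port 40010 ssh2
2017-06-01T08:05:00+06:00 srv01 CRON[2450]: (root) CMD (/usr/local/bin/eod-batch.sh)
"""


def audit_admin_log(text):
    """Classify each line and report gaps.

    Returns a dict with:
      counts    - Counter of lines matched per required category
      unstamped - 1-based numbers of lines without a leading timestamp
      missing   - required categories with no matching line at all
    """
    counts = Counter()
    unstamped = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        if not TIMESTAMP.match(line):
            unstamped.append(lineno)
        # A line may satisfy more than one category (e.g. sudo running useradd).
        for category, pattern in REQUIRED_CATEGORIES.items():
            if pattern.search(line):
                counts[category] += 1
    missing = sorted(c for c in REQUIRED_CATEGORIES if counts[c] == 0)
    return {"counts": counts, "unstamped": unstamped, "missing": missing}


if __name__ == "__main__":
    result = audit_admin_log(SAMPLE_LOG)
    for category in REQUIRED_CATEGORIES:
        print(f"{category:<22} {result['counts'][category]} line(s)")
    print("lines without timestamp:", result["unstamped"])
    print("categories with no coverage:", result["missing"])
```

For the constructed export the script finds one line with no timestamp and two required elements (access control changes, system integrity information) that never appear; in a real review, an empty category over a full day's log is the signal that the control is not being logged at all, which is the gap question 31 is meant to expose.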

Glossary and Acronyms

2FA - Two-Factor Authentication
ADC - Alternative Delivery Channel
AMC - Annual Maintenance Contract
AML - Anti-Money Laundering
ATM - Automated Teller Machine
BCP - Business Continuity Plan
BIA - Business Impact Analysis
BRD - Business Requirement Document
BYOD - Bring Your Own Device
CAAT - Computer-Assisted Auditing Tool
CCTV - Closed-Circuit Television
CD ROM - Compact Disk Read Only Memory
CDs - Compact Disks
CEO - Chief Executive Officer
CIO - Chief Information Officer
CISO - Chief Information Security Officer
CNP - Card Not Present
CTO - Chief Technology Officer
DC - Data Center
DDoS - Distributed Denial of Service
DoS - Denial of Service
DR - Disaster Recovery
DRP - Disaster Recovery Plan
DRS - Disaster Recovery Site
DVD - Digital Video Disc
E-mail - Electronic Mail
EOD - End of Day
ICC - Internal Control and Compliance
ICT - Information and Communication Technology
IDS - Intrusion Detection System
IPS - Intrusion Prevention System
IS - Information System
ISDN - Integrated Services Digital Network
IVR - Interactive Voice Response
JD - Job Description
KRIs - Key Risk Indicators
MITMA - Man-in-the-Middle Attack

Work station Firm Job Circular 2017

Job Title | Educational Requirement
Assistant Vice President as Information System (IS) Auditor | Candidates must have a CSE/EEE or equivalent degree from a recognized university with CISA certification for the post