Imrul Sadat Project
Information System Audit and Inspection by Imrul Sadat
The Firm industry is now highly dependent on information technology for its daily work; information technology has become the heart of the Firm sector. All accounting transactions of a Firm are done through information technology, which creates high risk for the Firm. To minimize that risk, a Firm needs to develop an internal audit department for auditing its IT-based business processes, and the internal audit department needs to develop procedures and guidelines for its internal auditors.
Information system auditing is a new type of auditing for a Firm, different from financial auditing. As a Firm employee, I therefore decided to do my Masters project on this new field of information system auditing for Firms.
1.1 Objectives of the Report
I am a regular staff member of XX Firm Limited. The main objective of the report is to conduct information system auditing on various departments and work stations of XX Firm Limited. Attention is therefore geared toward the following specific objectives:
a) To conduct a standard ICT audit on various divisions of the Firm.
b) To prepare a comprehensive audit report on XX Firm Limited.
c) To advise Firm management, on the basis of the audit observations, regarding its risk issues.
1.2 Information System (IS) Auditing
An information system audit checks the information system and network of an organization to assess whether the information system and network infrastructure are capable of providing security for the whole system. An information system audit is conducted by the internal or external audit team of the Firm. It tries to find out security holes which may lead to fraudulent activity. Various auditing standards have been developed, e.g. the Bangladesh Firm ICT guideline.
An IT audit is different from a financial audit. A financial audit checks whether standard accounting practice is followed or not, but an information system audit finds out information system threats. Information is the most valuable asset of a Firm. The information system auditor evaluates the system and thus guards the organization's information.
The IT audit evaluates the following:
1. Availability: checking whether the Firm's computer system is available for the business all the time or not.
2. Confidentiality: checking whether the Firm's computer system discloses information only to authorized users or not.
3. Integrity: checking whether the Firm's computer system's information is accurate, reliable and timely or not.
4. Information asset risk: assessing the information asset risk of the Firm and finding out methods to minimize the risk.
Importance of IS auditing in a Firm
1. Information system auditing finds out threats in ICT operation and advises the Firm on minimizing the threat.
2. Information system auditing is necessary to comply with the Bangladesh Firm ICT guideline.
3. Information system auditing is necessary to increase the effectiveness and efficiency of ICT operation.
The following audit techniques are used during an IS audit:
1. Verbal questioning and written questionnaires.
2. Visual inspection of the systems, locations, spaces, rooms and objects.
3. Observation.
4. Analysis of files (including electronic data).
5. Technical examination (e.g. testing of alarm systems, access control systems, applications).
6. Review of previous audit reports.
1.3 Auditing XX Firm Ltd
XX Firm Ltd is a private commercial Firm operating since 1995. It is a work station Firm. It is one of the leading Firms of the country based on accounting principles. It now has 129 work stations and two subsidiary companies, Securities Ltd and Investment Ltd. It has introduced online and real-time Firm solutions for its clients. As an employee of XX Firm Ltd, I decided to do this project on this Firm. I performed the IT audit from 01/06/2017 to 29/06/2017 in the Principal Work station of XX Firm Limited, where I am also a regular employee. I also visited the head office and data centre several times for audit purposes.
1.4 Category of ICT Operation of XX Firm Ltd
Depending on ICT operation, there are two types of Firm in our country:
1. Centralized ICT operation
2. Decentralized ICT operation
A centralized ICT operation manages the business application through a Data Center (DC). The DC continuously backs up data, and all work stations and booths are connected through the WAN. A decentralized ICT operation manages distributed business applications through the WAN. The ICT operation of XX Firm Ltd is centralized.
1.5 Sources of Data
Both primary and secondary data have been collected. I gathered primary data by personal interview of the employees of the Firm; mainly I discussed with them verbally and collected information from them. I also used the database, official manuals and several books. For preparing the report smoothly and accurately I used both primary and secondary data.
Primary sources:
- Direct observation of the information system.
- Questioning of concerned persons.
Secondary sources:
- The database, official manuals and several books.
1.6 Limitations of the Report
The analysis of the overall IT activities of a Firm is not easy, so the report was completed under the following limitations:
- The Firm's IT systems are highly sensitive, and without permission from the concerned authority the auditing operation cannot be performed.
- An audit report is a confidential report for an organization and is not an open report.
- Due to time restrictions, the report is concentrated on selected areas only.
Chapter 02: ICT Security Management Audit
ICT security management ensures that the ICT functions and operations are efficiently and effectively managed. A Firm needs to make its own policy and guidelines, internal and external audit teams, and training to manage ICT security. A standard audit policy is necessary for a Firm; it guides the auditors and employees of the Firm to follow the rules. ICT is a fast-progressing and changing field, so the documentation regarding ICT security management needs to change periodically.
2.1 ICT Policy, Standard and Procedure
A Firm needs to have a policy statement, fixed standards and procedures for IT auditing, which need to be updated periodically. I checked the Firm's policy and auditing procedure and found the following audit objections.
1. XX Firm Ltd has an 'ICT Security Policy' which is approved by the board. The policy requires regular updates to deal with changes in the ICT environment, but the policy has not been updated for more than a year.
2. No separate ICT security professional is employed in a separate ICT security department. The Firm's IT department is currently responsible for providing IT security. A separate ICT security department must be established as per the Bangladesh Firm guideline.
2.2 Documentation
The head office audit division, the IT division and the work stations need to have the necessary documentation.
1. XX Firm Ltd has an organogram for the ICT department, but it is not updated and recent changes are not reflected in it. It is advised to update the organogram.
2. During the audit of the Principal Work station, no ICT support unit/section/personnel was found in the work station organogram.
3. In the Principal Work station a power user is supporting IT operation within the work station, but he has no approved job description.
4. In the IT division as well as in the Principal Work station, one employee is performing multiple ICT tasks, so a clear segregation of tasks is necessary.
5. Detailed design documents for all ICT systems/services (e.g. Data Center design, network design, power layout for the Data Center, etc.) are not found in one place. All design and layout plans must be kept in one place under a responsible person.
6. There is a pre-scheduled roster for sensitive ICT tasks (e.g. network monitoring, security guard for the Data Center, ATM monitoring, etc.), but it is not maintained strictly; some employees were found not maintaining the pre-scheduled roster.
7. Updated "Operating Procedures" for all ICT functional activities are not maintained (e.g. backup management, database management, network management).
8. Approved requisition forms for some ICT operations (like user closure and change of user name) were not found.
2.3 Internal Information System Audit
Audit observations regarding internal audit are given below.
1. Internal information system (IS) audits are carried out by the Internal Audit Department of the Firm, but the auditors do not have sufficient skill, education and certification to perform IS audits. There is no CISA-certified auditor; CISA certification is now the benchmark qualification in this regard. Internal IS audits are conducted by personnel without sufficient IS audit expertise and skills. Engagement of certified IS auditors with adequate audit experience in this area is advised.
2. Computer-Assisted Auditing Tools (CAATs) are not used for IS audit planning, auditing, control and management. Using CAATs is advised as per the Bangladesh ICT policy.
3. Internal information system audits are done periodically, at least once a year, and the report is preserved for regulators as and when required. XX Firm Ltd audit issues are properly tracked and completely recorded, but not followed up and rectified properly. In the Principal Work station I found that some of last year's objections are not rectified yet. It is advised to rectify previous audit objections immediately.
2.4 External Information System Audit
As per the Bangladesh Firm ICT guideline, an external auditor for information system auditing must be engaged along with the internal audit team of the Firm. An expert external system auditor may sometimes perform a more detailed and in-depth audit than the internal audit. The following is the audit objection regarding external information system auditing.
1. XX Firm Ltd is not engaging external auditor(s) for its information systems auditing in line with its regular financial and internal audits. It is advised to engage an external auditor.
2.5 Standard Certification
Standard certification is necessary to bring ICT activity and infrastructure up to industry standard. The audit observation regarding standard certification is given below.
1. Industry standard certification, e.g. ISO certification related to information system security, quality of ICT service delivery, business continuity management, payment card data security, etc., is not obtained.
2.6 Security Awareness and Training
IT awareness training is a regulatory requirement of Bangladesh Firm. The following are audit observations regarding security awareness and training.
1. Not all IT-relevant personnel are getting proper training, education, updates and awareness of the ICT security activities relevant to their job function.
2. Not all XX Firm Ltd ICT personnel have foundation training.
3. Not all staff of the Firm have security awareness training.
2.7 Insurance
ICT assets must be insured to provide protection from financial loss if something catastrophic happens to the business. The audit observation regarding insurance is given below.
1. Not all ICT assets are covered by insurance. Adequate insurance coverage or a risk coverage fund is necessary.
Chapter 03: Infrastructure Security Management Audit
ICT infrastructure includes all data, applications, databases, operating systems and networks. Various forms of attack may hit the ICT infrastructure in many ways. An IS auditor regularly checks the various components of the ICT infrastructure and checks for lack of compliance.
3.1 Asset Management
I conducted an audit on ICT assets and found the following audit findings.
1. ICT asset procurement must comply with the procurement policy of the Firm, but some of the assets (UPS, keyboards, mice, network cables) were not procured following the asset procurement policy. It is advised to follow the standard procurement policy for all types of asset.
2. Not every ICT asset is assigned to a custodian (an individual or entity) who will be responsible for the development, maintenance, usage, security and integrity of that asset.
3. Not all ICT assets are identified and labeled, and there is no classification in the labeling.
4. The ICT asset inventory does not state significant details (e.g. owner, custodian, purchase date, location, license number, configuration, etc.). It is advised to maintain the inventory with the details mentioned.
5. The ICT asset inventory is not updated.
6. Information system assets must be adequately protected from unauthorized access, misuse or fraudulent modification, insertion, deletion, substitution, suppression or disclosure. The level of supervision needs to be increased.
7. There is no disposal policy for information system asset protection. Data in storage media is not destroyed before disposal.
8. Portable devices (pen drives, portable hard disks) are used without prior permission from the authority.
9. Some of the software used by employees is not licensed. It is advised not to use any software that has not been legally purchased or otherwise legitimately obtained.
10. There is no approved list of software which alone may be used on any computer. It is advised to make an approved list of software immediately.
11. At work station level some unauthorized or pirated software is used, which must be strictly prohibited throughout the Firm.
3.2 Desktop/Laptop Device Controls
User desktops are always subject to attack, so the IS auditor needs to audit all desktops and laptops. I conducted the audit and found the following audit findings.
1. Desktop computers are found connected to UPS to prevent damage to data and hardware, but some UPS batteries are found damaged. It is advised to check UPS batteries periodically.
2. Unattended computers are not automatically locked. Before leaving a desktop or laptop computer unattended, users shall apply the "Lock Workstation" feature.
3. Desktop computers, laptops, monitors, etc. are found turned off at the end of each workday, but there is no assigned person responsible for checking this after the end of each work day.
4. Laptops, computer media and any other forms of removable storage containing sensitive information (e.g. CD-ROMs, Zip disks, PDAs, flash drives, external hard drives) are not stored in a secured location or locked cabinet when not in use.
5. Access to the USB ports of desktop computers is not controlled.
6. Other information storage media containing confidential data, such as paper, files, tapes, etc., are found not stored in a secured location or locked cabinet when not in use.
7. At work station level some individual users install or download software applications without prior authorization.
8. Viruses are not reported.
9. Viruses are cleaned/deleted without expert assistance.
10. In the work station the same identification (ID) and authentication (password) are found used by multiple users.
11. Computers are not placed above floor level.
3.3 Server/Network Room/Rack Controls
Server and network rooms and racks are always subject to attack, therefore they require auditing. The following are the audit findings.
1. The server/network room/rack is a glass enclosure, but it is not locked and no assigned responsible person was found.
2. Physical access is found restricted and a visitors' logbook exists, but it is not maintained properly. Some employees enter the server room without entering their name in the entry register.
3. The access authorization list is not maintained and reviewed on a regular basis.
4. There is no provision to replace the server and network devices within the shortest possible time in case of any disaster.
3.4 Network Security Management
The following are audit observations regarding network security management.
1. No written documentation on baseline standards is found to ensure security for operating systems, databases, network equipment and portable devices in line with the organization's policy.
2. Regular enforcement standards are not applied uniformly so that non-compliances are detected and raised for investigation.
3. All types of cables, including UTP, fiber and power, shall have proper labeling for further corrective or preventive maintenance work, but most of the cables were found not labeled.
4. Mechanisms are found in place to encrypt and decrypt sensitive data travelling through the WAN or public networks, but the mechanism needs to be followed up and updated.
5. Network security devices, such as firewalls to protect the network perimeter, are installed, but they are not monitored periodically.
6. Rules on network security devices are not checked on a regular basis to determine that such rules are appropriate and relevant.
7. Not all unused ports of the access switches are shut off.
3.5 Cryptography
The primary application of cryptography is to protect the privacy of sensitive information. Cryptography is commonly used in Firms to protect sensitive customer information such as PINs relating to applications (e.g. ATMs, payment cards and online financial systems). The following is the audit observation regarding cryptography.
1. There is no established cryptographic key management policy and procedures covering generation, distribution, installation, renewal, revocation and expiry.
3.6 Malicious Code Protection
The following are audit objections regarding malicious code protection or virus protection.
1. Anti-virus packages are not installed on all computers.
2. Files received on electronic media or by mail of uncertain origin or from unknown networks are not checked for malicious code before use.
3. The anti-virus package is found up to date with the latest virus definition file, using an automated and timely process.
4. Not all computers in the network are getting updated anti-virus signatures automatically from the server.
5. Virus auto-protection mode is not enabled on some computers to screen disks, tapes, CDs or other media for viruses.
6. The awareness program for end users about computer viruses and their prevention mechanisms is not complied with.
3.7 Internet Access Management
Internet access within the Firm must be under close supervision and must be routed through a secure gateway. The audit objections regarding internet use are given below.
1. Internet access is not provided to employees according to the approved Internet Access Policy; some employees are using the internet without approval. The internet must be used only for official work and it must be monitored.
2. Access to the internet from Firm premises must not compromise the information security of the Firm. Some employees use the internet for personal purposes on office premises, hampering the information security of the Firm.
3. Access to the internet from Firm premises and systems is routed through secure gateways, but the gateway is not monitored and not checked on a regular basis.
4. Use of locally attached modems with the Firm's systems in order to establish a connection with the internet or any third-party or public network via broadband, ISDN or PSTN services is prohibited unless specifically approved. A circular in this regard must be forwarded to all work stations.
3.8 Email Management
The audit objections regarding email use are given below.
1. The email system is not used according to the Firm's policy. Employees are found sending personal email using the Firm's email system. An employee found to have violated this policy may be subject to disciplinary action.
2. Email shall not be used to communicate confidential information to external parties unless encrypted using approved encryption facilities. Work station level employees are found unaware of the encryption facilities; training in this regard is necessary.
3. Employees' email is not checked on a regular basis. Information transmitted by email must not be defamatory or abusive in a way that damages the reputation of the Firm; the willful transmission of any such material is likely to result in disciplinary action. The concerned department shall perform regular review and monitoring of email services.
3.9 Vulnerability Assessment and Penetration Testing
Vulnerability assessment (VA) is the process of identifying, assessing and discovering security vulnerabilities in a system. Audit objections regarding vulnerability assessment and penetration testing are given below.
1. Vulnerability assessment and penetration testing are not conducted periodically to detect security vulnerabilities in the ICT environment, on the network infrastructure and on internet-based systems.
2. After vulnerability assessment and penetration testing, a process to remedy issues is not identified and gaps are not addressed. No documentation on a previous VA is found.
3.10 Patch Management
A patch is an updated piece of code for a piece of software, designed to update it. Audit objections regarding patch management are given below.
1. The Firm needs to establish patch management procedures that include identification, categorization and prioritization of security patches, and ensure that they are followed. There is no patch management team to implement security patches in a timely manner.
2. Testing of security patches before deployment into the production environment is not done.
3.11 Security Monitoring
The audit observation regarding security monitoring is given below.
1. Security logs of systems, applications and network devices are not regularly reviewed for anomalies. Logs are found protected and retained for a defined period to facilitate future investigation.
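The finding above is that logs are kept but nobody reads them. The following Python script is an added example (not part of the report or of the Firm's tooling) of the kind of routine review an auditor would expect: it runs over a few constructed logon records in a key=value format and flags a user reaching the three consecutive failed logons that the Firm's lockout parameter (section 5.2) is supposed to stop, a success recorded right after that threshold (a sign the lockout is not actually enforced), and successful logons outside office hours. The log line format, the host and user names and the office-hours window are all assumptions of the example.

```python
"""Added example: review constructed logon records for anomalies.

Not part of the report or the Firm's tooling. The line format, host names,
user names and office-hours window are assumptions made for the example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real Firm data).
SAMPLE_LOG = """\
2017-06-05 09:12:01 host=core-app user=teller07 event=LOGON result=SUCCESS
2017-06-05 09:15:44 host=core-app user=admin02 event=LOGON result=FAILURE
2017-06-05 09:15:50 host=core-app user=admin02 event=LOGON result=FAILURE
2017-06-05 09:15:57 host=core-app user=admin02 event=LOGON result=FAILURE
2017-06-05 09:16:30 host=core-app user=admin02 event=LOGON result=SUCCESS
2017-06-05 23:41:10 host=core-db user=dba01 event=LOGON result=SUCCESS
2017-06-06 10:02:03 host=core-app user=teller07 event=LOGON result=FAILURE
2017-06-06 10:02:20 host=core-app user=teller07 event=LOGON result=SUCCESS
"""

MAX_INVALID_LOGONS = 3   # lockout threshold from the Firm's policy (section 5.2)
OFFICE_HOURS = (8, 19)   # assumed: logons between 08:00 and 19:00 are expected


def parse_line(line):
    """Parse 'YYYY-MM-DD HH:MM:SS key=value ...' into a dict with a datetime 'ts'."""
    day, clock, rest = line.split(" ", 2)
    event = dict(pair.split("=", 1) for pair in rest.split())
    event["ts"] = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")
    return event


def review_logons(text, max_invalid=MAX_INVALID_LOGONS, office_hours=OFFICE_HOURS):
    """Return (kind, user, timestamp) tuples for each anomaly found, in log order.

    REPEATED_FAILURE: a user reaches max_invalid consecutive failed logons.
    SUCCESS_AFTER_THRESHOLD: a success follows max_invalid or more failures,
        which indicates the lockout parameter did not take effect.
    OFF_HOURS_LOGON: a successful logon outside office_hours.
    """
    anomalies = []
    streak = defaultdict(int)  # consecutive failures per user
    start, end = office_hours
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev.get("event") != "LOGON":
            continue
        user, ts = ev["user"], ev["ts"]
        if ev["result"] == "FAILURE":
            streak[user] += 1
            if streak[user] == max_invalid:
                anomalies.append(("REPEATED_FAILURE", user, ts))
            continue
        if streak[user] >= max_invalid:
            anomalies.append(("SUCCESS_AFTER_THRESHOLD", user, ts))
        streak[user] = 0
        if not start <= ts.hour < end:
            anomalies.append(("OFF_HOURS_LOGON", user, ts))
    return anomalies


if __name__ == "__main__":
    for kind, user, ts in review_logons(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:24s} {user}")
```

On the constructed sample the review reports admin02 twice (three failures, then a success that should have been a locked account) and the 23:41 logon of dba01. The streak counter resets on success, so a single mistyped password, as with teller07, does not create noise.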
Chapter 04: Data Center Controls Audit
As the data center is the heart of an information system, including the standard disaster recovery site, its security is very important both physically and environmentally. Violating proper security measures may cause a huge loss of data, including business interruption. In a critical situation a Firm may go out of business due to data loss; permanent loss of data will close a Firm's business forever. So the guidelines to protect the data center and disaster recovery site must be followed.
4.1 Physical Security
Physical security plays an important role in the data center. Physical access to the data centre is restricted to selected persons. The data centre has some physical security audit observations, which are given below.
1. Physical security is found applied to the information processing area or Data Center. The DC is a restricted area and unauthorized access is found strictly prohibited, but no responsible officer is found to restrict unauthorized access.
2. Access to the DC is not granted on a need-to-have basis. Physical access of staff to the DC is not revoked immediately when it is no longer required.
3. Vendors must take written permission at all times and must be accompanied by an authorized employee when granted access to the DC. Vendors visited the DC many times, but no written permission is found.
4. An access authorization list is not maintained and reviewed periodically for the persons authorized to access the Data Center.
5. The Firm employs physical, human and procedural controls for 24 hours, such as the use of security guards, a card access system and a surveillance system, but some points in the DC are not covered by the surveillance system.
6. The inventory of all computing equipment, associated equipment and consumables housed in the DC is not updated.
4.2 Environmental Security
The environment of the data centre is strictly controlled. The temperature of the data centre rises because electrical power produces heat in the air; if the heat is not removed, the temperature will keep on rising. By controlling the air and humidity, the server components are kept within the manufacturer-specified temperature/humidity range.
1. ASHRAE's (American Society of Heating, Refrigerating and Air-Conditioning Engineers) "Thermal Guidelines for Data Processing Environments" recommends a temperature range of 16–24 °C (61–75 °F) and a humidity range of 40–55%, with a maximum dew point of 15 °C, as optimal for data center conditions; this is not maintained.
2. The Data Center is in a multi-tenant building, which is a violation of the Bangladesh Firm guideline.
3. The layout design of the Data Center, including power supply and network connectivity, is not properly documented.
4. A fully functioning development and test environment is not available. It is advised to separate the development and test environment from production.
5. Some powered-off and unused router devices are found in the DC. Any accessories or devices not associated with the Data Center, and powered-off devices, shall not be stored in the Data Center. A separate store room is in place to keep all sorts of unused and redundant IT equipment.
6. Closed-circuit television (CCTV) cameras are found installed, but the CCTV is not sufficient for monitoring all sides. It is advised to increase the number of CCTV cameras.
7. "No eating, drinking or smoking" signs are not found on display.
8. Dedicated office vehicles for emergencies are not available on-site. Availing of public transport is advised to be avoided while carrying critical equipment outside the Firm's premises, to avoid the risk of any casualty.
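Finding 1 quotes three limits (temperature, relative humidity, dew point), and the dew point is the one an auditor cannot read straight off a thermometer. The Python below is an added example, not part of the report, that checks a set of constructed sensor readings against the quoted ASHRAE range; it derives the dew point from temperature and humidity with the Magnus approximation, which is an assumption of this example rather than something the report specifies, as are the rack labels and the readings.

```python
"""Added example: check data-center readings against the ASHRAE range quoted in
finding 1. Not part of the report; the readings are constructed and the dew-point
formula (Magnus approximation) is an assumption of this example."""
import math

TEMP_RANGE_C = (16.0, 24.0)   # ASHRAE recommended temperature range quoted above
RH_RANGE_PCT = (40.0, 55.0)   # recommended relative humidity range
MAX_DEW_POINT_C = 15.0        # recommended maximum dew point


def dew_point_c(temp_c, rh_pct):
    """Dew point in degrees C from air temperature and relative humidity (Magnus approximation)."""
    a, b = 17.27, 237.7
    gamma = (a * temp_c) / (b + temp_c) + math.log(rh_pct / 100.0)
    return (b * gamma) / (a - gamma)


def check_reading(temp_c, rh_pct):
    """Return the names of the limits a single reading violates (empty if within range)."""
    issues = []
    lo, hi = TEMP_RANGE_C
    if not lo <= temp_c <= hi:
        issues.append("temperature")
    lo, hi = RH_RANGE_PCT
    if not lo <= rh_pct <= hi:
        issues.append("humidity")
    if dew_point_c(temp_c, rh_pct) > MAX_DEW_POINT_C:
        issues.append("dew_point")
    return issues


def review_readings(readings):
    """readings: (label, temp_c, rh_pct) tuples. Returns {label: [issues]} for non-compliant ones."""
    report = {}
    for label, temp_c, rh_pct in readings:
        issues = check_reading(temp_c, rh_pct)
        if issues:
            report[label] = issues
    return report


# Constructed sensor readings (label, degrees C, %RH); not the Firm's data.
SAMPLE_READINGS = [
    ("rack-A1 08:00", 21.0, 45.0),   # within all limits
    ("rack-A1 14:00", 27.5, 50.0),   # too warm; dew point also exceeds 15 C
    ("rack-B3 14:00", 22.0, 70.0),   # humidity high enough to push dew point over 15 C
    ("rack-B3 16:00", 23.0, 56.0),   # humidity just above range, dew point still acceptable
]

if __name__ == "__main__":
    for label, issues in review_readings(SAMPLE_READINGS).items():
        print(f"{label}: out of range on {', '.join(issues)}")
```

The third and fourth readings show why the dew point is worth computing: both are only slightly outside the humidity band, but at 70% RH the dew point passes 15 °C, while at 56% it does not, so the two deserve different urgency in the finding.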
4.3 Fire Prevention
The data centre must be fire protected. The IS auditor needs to audit various issues regarding fire prevention. Audit observations regarding fire protection of the data centre are given below.
1. The walls, ceiling and door of the Data Center are not all fire-resistant.
2. Fire suppression equipment is installed but not tested periodically.
3. An automatic fire/smoke alarm system is found installed but not tested periodically.
4. No fire detector is found below the raised floor.
5. Some data cables in the Data Center are not found concealed.
6. Flammable items such as paper and plastics are found in the Data Center.
Chapter 05: Data Access Control Audit
Access control provides assurance that data and applications are protected against attack. Data access covers authorizing someone to access data, change data, access the system and perform privileged user activity. Data access distinguishes administrators from users; for example, an admin may be able to remove data but a general user may not. The Firm must grant access rights and system privileges based on job responsibility. It must be checked that no person is using his own rank and position to access confidential data, applications or system resources. There are two types of control:
1. Physical control
2. Logical control
Keeping a computer in a safe place provides physical control, whereas a software program to detect unauthorized access provides logical control.
5.1 User Access Management
Users access data using a unique ID, and each ID is granted access rights according to its part of the responsibility. The Firm authority must monitor and grant access properly. The following are some audit findings.
1. Each user must have a unique user ID and a valid password. At work station level one user ID and password is shared by a group; in particular, the work station admin password is shared.
2. User ID maintenance forms with access privileges are found not duly approved by the appropriate authority; sometimes they are approved by junior staff of the IT division.
3. User access privileges are not kept updated for job status changes.
4. User access privileges are not regularly reviewed to verify that privileges are granted appropriately.
5.2 Password Management
Audit observations regarding password management are given below.
1. Password definition parameters shall ensure that the minimum password length is maintained according to the Firm's policy (at least 6 characters).
2. Passwords are not found to be a combination of at least three of the stated criteria: uppercase, lowercase, special characters and numbers.
3. The maximum validity period of a password shall not be beyond the number of days permitted in the Firm's policy (maximum 30-day cycle).
4. The parameter to control the maximum number of invalid logon attempts is found specified properly in the system according to the Firm's policy (maximum 3 consecutive times).
5. Administrative passwords of operating systems, databases and business applications are found not kept in safe custody in a sealed envelope.
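The four numeric values above (6 characters, three of four character classes, 30 days, 3 attempts) are what an auditor compares against each system's configured parameters. The Python below is an added example, not part of the report, that encodes those policy values once and uses them in two ways: a composition check applied when a password is set (the only point at which plaintext is available), and a comparison of a system's configured parameters with the policy that reports the configured and required values side by side, as a finding would. The parameter names and the sample configuration of a hypothetical application server are assumptions.

```python
"""Added example: check password composition and system password parameters
against the Firm's policy values quoted in section 5.2. Not part of the report;
the parameter names and the sample configuration are assumptions."""
import re
from datetime import date

# Policy values as stated in the findings above.
POLICY = {
    "min_length": 6,         # at least 6 characters
    "min_classes": 3,        # at least three of upper, lower, digit, special
    "max_age_days": 30,      # maximum 30-day validity cycle
    "lockout_threshold": 3,  # at most 3 consecutive invalid logon attempts
}
LOWER_BOUND = {"min_length", "min_classes"}   # configured value must be >= policy value
# every other key is an upper bound: configured value must be > 0 and <= policy value

CLASS_PATTERNS = {
    "uppercase": r"[A-Z]",
    "lowercase": r"[a-z]",
    "digit": r"[0-9]",
    "special": r"[^A-Za-z0-9]",
}


def character_classes(password):
    """Set of character classes present in the password."""
    return {name for name, pattern in CLASS_PATTERNS.items() if re.search(pattern, password)}


def check_password(password, policy=POLICY):
    """Composition checks applied when a password is set; returns a list of violations."""
    violations = []
    if len(password) < policy["min_length"]:
        violations.append(f"shorter than {policy['min_length']} characters")
    if len(character_classes(password)) < policy["min_classes"]:
        violations.append(f"fewer than {policy['min_classes']} character classes")
    return violations


def password_expired(last_changed, today, policy=POLICY):
    """True when the password is older than the policy's validity cycle."""
    return (today - last_changed).days > policy["max_age_days"]


def audit_parameters(system_params, policy=POLICY):
    """Compare a system's configured password parameters with the policy.

    Returns (parameter, configured, required) for each non-compliant or
    missing setting, so the auditor can quote both values in the finding.
    """
    findings = []
    for key, required in policy.items():
        configured = system_params.get(key)
        if configured is None:
            findings.append((key, None, required))
        elif key in LOWER_BOUND and configured < required:
            findings.append((key, configured, required))
        elif key not in LOWER_BOUND and (configured <= 0 or configured > required):
            findings.append((key, configured, required))
    return findings


# Constructed configuration of a hypothetical application server, not the Firm's.
SAMPLE_PARAMS = {"min_length": 8, "min_classes": 2, "max_age_days": 90, "lockout_threshold": 3}

if __name__ == "__main__":
    for key, configured, required in audit_parameters(SAMPLE_PARAMS):
        print(f"{key}: configured={configured} policy={required}")
    print(check_password("abc12"))
```

Note that a lockout threshold of 0 (disabled) is treated as non-compliant even though it is numerically below the maximum; that is the case the upper-bound rule alone would miss.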
5.3 Input Control
Audit observations regarding input control are given below.
1. There is no session time-out period for users.
2. An operating time schedule for users' input to Firm applications is not implemented.
3. Software shall not allow the same user to be both maker and checker of the same transaction unless otherwise permitted by the appropriate authority. In practice the checker password is sometimes shared by several makers, and they verify their own transactions without checking. This type of practice must be stopped.
4. Sensitive data and fields of Firm applications are not restricted from being accessed.
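Findings 1 and 3 above can both be tested from records the application already keeps. The Python below is an added example, not part of the report, of two such tests over constructed data: a maker-checker test that lists transactions verified by their own maker (less any with a recorded authority exemption), a per-checker count of distinct makers that surfaces the shared-checker-password pattern described in finding 3, and an idle-session test for the missing time-out in finding 1. The record layout, user ids and the 15-minute time-out value are assumptions of the example.

```python
"""Added example: two input-control checks for section 5.3, a maker-checker test
over constructed transaction records and an idle-session test. Not part of the
report; record layout, user ids and the 15-minute time-out are assumptions."""
from datetime import datetime, timedelta

# Constructed transaction records; not the Firm's data.
SAMPLE_TRANSACTIONS = [
    {"txn": "T1001", "maker": "teller07", "checker": "officer03", "amount": 25000},
    {"txn": "T1002", "maker": "teller07", "checker": "teller07", "amount": 180000},
    {"txn": "T1003", "maker": "teller12", "checker": "officer03", "amount": 4000},
    {"txn": "T1004", "maker": "officer03", "checker": "officer03", "amount": 500},
]
# Transactions where self-verification was permitted in writing by the appropriate authority.
AUTHORITY_EXEMPTIONS = {"T1004"}

# Constructed login sessions: (user, last activity timestamp).
SAMPLE_SESSIONS = [
    ("teller07", "2017-06-05 11:02:00"),
    ("officer03", "2017-06-05 10:30:00"),
    ("teller12", "2017-06-05 09:10:00"),
]
SESSION_TIMEOUT = timedelta(minutes=15)  # assumed value; the report records no time-out at all
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def self_verified(transactions, exemptions=frozenset()):
    """Ids of transactions whose maker and checker are the same user id and
    that carry no recorded authority exemption."""
    return [
        t["txn"] for t in transactions
        if t["maker"] == t["checker"] and t["txn"] not in exemptions
    ]


def checker_workload(transactions):
    """How many distinct makers each checker id verified. A checker id that
    verifies nearly every maker's work deserves a closer look: a checker
    password shared among makers shows up as one checker id covering many makers."""
    makers_per_checker = {}
    for t in transactions:
        makers_per_checker.setdefault(t["checker"], set()).add(t["maker"])
    return {checker: len(makers) for checker, makers in makers_per_checker.items()}


def idle_sessions(sessions, now, timeout=SESSION_TIMEOUT):
    """Users whose session has been idle longer than timeout and should have been ended."""
    return [
        user for user, last_activity in sessions
        if now - datetime.strptime(last_activity, TS_FORMAT) > timeout
    ]


if __name__ == "__main__":
    print("self-verified:", self_verified(SAMPLE_TRANSACTIONS, AUTHORITY_EXEMPTIONS))
    print("checker workload:", checker_workload(SAMPLE_TRANSACTIONS))
    print("idle:", idle_sessions(SAMPLE_SESSIONS, datetime(2017, 6, 5, 11, 10)))
```

The exemption set matters: without it every self-verified transaction is an exception, and the auditor has to separate the ones that were approved from the ones that were not by hand.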
5.4 Privileged Access Management
Information security relies on trusting a small group of skilled staff, who are found subject to proper checks and balances. Audit observations regarding privileged access management are given below.
1. Entry-level junior staff are assigned to critical operations and security functions.
2. The following controls and security practices for privileged users are advised:
a) The number of privileged users should be limited and fixed by management.
b) Grant privileged access on a "need-to-have" basis.
c) Review privileged users' activities on a timely basis.
d) Prohibit sharing of privileged accounts.
e) Disallow vendors from gaining privileged access.
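Practices a), c), d) and e) above, together with finding 1, can be expressed as checks over an account register. The Python below is an added example, not part of the report, that reviews constructed privileged-account records against them: a headcount against a management-fixed limit, vendor-owned privileged accounts, entry-level staff holding privilege, overdue activity reviews, and accounts logged on from more than one workstation at once (a symptom of sharing). The record fields, the limit of two privileged users and the 90-day review interval are assumptions of the example; practice b) needs a justification document per grant and is left to manual review.

```python
"""Added example: review constructed privileged-account records against the
practices listed in section 5.4. Not part of the report; the record fields,
the limit of two privileged users and the 90-day review interval are assumptions."""
from datetime import date

MAX_PRIVILEGED_USERS = 2      # assumed limit fixed by management (practice a)
REVIEW_INTERVAL_DAYS = 90     # assumed maximum age of the last activity review (practice c)

# Constructed account records; not the Firm's data.
SAMPLE_ACCOUNTS = [
    {"user": "admin01", "privileged": True, "owner_type": "staff", "grade": "senior",
     "last_review": "2017-05-20", "concurrent_hosts": ["ws-101"]},
    {"user": "admin02", "privileged": True, "owner_type": "staff", "grade": "entry",
     "last_review": "2016-11-02", "concurrent_hosts": ["ws-102", "ws-117"]},
    {"user": "vendor_svc", "privileged": True, "owner_type": "vendor", "grade": "n/a",
     "last_review": "2017-06-01", "concurrent_hosts": ["ws-140"]},
    {"user": "teller07", "privileged": False, "owner_type": "staff", "grade": "entry",
     "last_review": "2017-06-01", "concurrent_hosts": ["ws-021"]},
]


def review_privileged(accounts, today, max_users=MAX_PRIVILEGED_USERS,
                      review_days=REVIEW_INTERVAL_DAYS):
    """Return (finding, detail) pairs for the privileged accounts in `accounts`."""
    findings = []
    privileged = [a for a in accounts if a["privileged"]]
    if len(privileged) > max_users:                       # practice a: limited, fixed number
        findings.append(("LIMIT_EXCEEDED", f"{len(privileged)} > {max_users}"))
    for acct in privileged:
        user = acct["user"]
        if acct["owner_type"] == "vendor":                 # practice e: no vendor privilege
            findings.append(("VENDOR_PRIVILEGED", user))
        if acct["grade"] == "entry":                       # finding 1: entry-level staff in critical roles
            findings.append(("ENTRY_LEVEL_PRIVILEGED", user))
        age = (today - date.fromisoformat(acct["last_review"])).days
        if age > review_days:                              # practice c: timely activity review
            findings.append(("REVIEW_OVERDUE", f"{user} ({age} days)"))
        if len(acct["concurrent_hosts"]) > 1:              # practice d: one account, one person at a time
            findings.append(("CONCURRENT_LOGONS", user))
    return findings


if __name__ == "__main__":
    for finding, detail in review_privileged(SAMPLE_ACCOUNTS, date(2017, 6, 15)):
        print(f"{finding:24s} {detail}")
```

Non-privileged accounts are skipped entirely, so the entry-level teller in the sample does not appear; the same grade on a privileged account does.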
Chapter 06: Business Continuity and Disaster Recovery Management Audit
A Firm keeps records of public money, therefore a business continuity plan is very important for a Firm. A Firm needs to have proper planning for business continuity and disaster recovery management. The primary objective of a Business Continuity Plan (BCP) is to survive a disaster and to re-establish normal business operations within the least possible time and with minimum financial and reputational loss.
6.1 Business Continuity Plan (BCP)
ICT operation is the heart of an organization. A company is dependent on ICT to run its daily business; if ICT operation becomes unavailable, the Firm's operation may stop completely, therefore an updated business continuity plan is a must for a Firm. The BCP needs to address:
1. Backup plan
2. Recovery process
3. Restore process
Audit observations regarding the Business Continuity Plan (BCP) are given below.
1. The approved Business Continuity Plan, addressing recovery from disaster to continue operations, has not been updated for the last one year.
2. One copy of the BCP is found in the head office. Documents related to the BCP need to be kept in secured off-site locations.
3. The BCP needs to address and update the following:
a) Action plan to restore business operations within the specified time frame for:
i) disaster during office hours;
ii) disaster outside office hours.
b) Emergency contacts, addresses and phone numbers of employees, vendors and agencies.
c) Grab list of items such as backup tapes, laptops, flash drives, etc.
d) Disaster recovery site map.
6.2 Disaster Recovery Plan (DRP)
The disaster recovery site is a backup location; it is a place where a Firm can relocate following a disaster like fire, flood or a terrorist threat. Audit observations regarding the Disaster Recovery Plan (DRP) are given below.
1. Scenario analysis to identify and address various types of contingency scenario is not included in the DRP. Contingency scenarios may be fire, flood or terrorist attack; all types of scenario must be included in the DRP.
2. A Disaster Recovery Site (DRS) in a different seismic zone is not established. The Disaster Recovery Site (DRS) should be geographically separated from the primary site (a minimum of 10 kilometers radial distance, but a different seismic zone is preferred).
3. Real-time data replication is enhancing the Firm's recovery capability, but more copies of the replication are necessary.
4. Up-to-date and tested copies of the DR plan are not found at more than one off-site location. One copy is found stored in the office for ready reference.
5. The DR plan is not tested and validated annually. The effectiveness of the recovery requirements and the ability of staff to execute them are not tested annually.
6. DR test documentation does not include test results. Test reports are not communicated to management and other stakeholders.
6.3 Data Backup and Restore Management
Data backup helps to recover and continue the business. Following are the audit observations regarding data backup and restore management.
1. The data backup and recovery policy is not updated.
2. There is no detailed planned backup schedule as per local and regulatory requirements. The details of the planned backup schedule for each business application must include the retention period for backed-up or archived information, and the retention period must be consistent with local legal and regulatory requirements.
3. Media containing backed-up information is not labeled with the information content, backup cycle, backup serial identifier, backup date and classification of the information content.
4. Periodic testing and validation of the recovery capability of backup media, assessing whether it is adequate and sufficiently effective to support the Firm's recovery process, is not done.
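As an added example (not part of the original report or the Firm's own tooling), the following Python script turns the observations of sections 6.2 and 6.3 into repeatable checks an internal auditor could run against a DR/backup inventory; the site coordinates, the seismic zone identifiers, the media label format and all dates are constructed assumptions.

```python
from collections import namedtuple
from datetime import date
from math import asin, cos, radians, sin, sqrt

MIN_DRS_KM = 10.0        # 6.2(2): minimum radial separation of the DRS
MIN_OFFSITE_COPIES = 2   # 6.2(4): DR plan at more than one off-site location
MAX_TEST_AGE_DAYS = 365  # 6.2(5), 6.3(4): tested and validated annually
LABEL_FIELDS = ("content", "cycle", "serial", "date", "classification")  # 6.3(3)

# lat/lon in decimal degrees; seismic_zone is a constructed zone identifier
Site = namedtuple("Site", "name lat lon seismic_zone")

def distance_km(a, b):
    """Great-circle (haversine) distance between two sites in kilometres."""
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def check_drp(primary, drs, offsite_copies, last_test, today):
    """Findings for the DRP controls in 6.2; an empty list means compliant."""
    findings = []
    d = distance_km(primary, drs)
    if d < MIN_DRS_KM:
        findings.append(f"DRS only {d:.1f} km from primary site (minimum {MIN_DRS_KM:.0f} km)")
    if drs.seismic_zone == primary.seismic_zone:
        findings.append("DRS is in the same seismic zone as the primary site")
    if offsite_copies < MIN_OFFSITE_COPIES:
        findings.append(f"DR plan at {offsite_copies} off-site location(s); need {MIN_OFFSITE_COPIES}")
    if last_test is None or (today - last_test).days > MAX_TEST_AGE_DAYS:
        findings.append("DR plan not tested and validated within the last year")
    return findings

def check_backup_media(labels, retention_days, last_restore_test, today):
    """Findings for the backup controls in 6.3: label content, retention, restore testing."""
    findings = []
    for label in labels:
        # label format is constructed for this example: key=value pairs separated by ';'
        f = dict(p.split("=", 1) for p in label.split(";") if "=" in p)
        missing = [k for k in LABEL_FIELDS if k not in f]
        if missing:
            findings.append(f"media {f.get('serial', '?')}: label missing {', '.join(missing)}")
            continue
        age = (today - date.fromisoformat(f["date"])).days
        if age > retention_days:
            findings.append(f"media {f['serial']}: {age} days old, beyond {retention_days}-day retention")
    if last_restore_test is None or (today - last_restore_test).days > MAX_TEST_AGE_DAYS:
        findings.append("restore capability of backup media not tested within the last year")
    return findings

if __name__ == "__main__":  # constructed sample: DRS a few km north of the primary site
    today = date(2017, 6, 1)
    primary = Site("Principal work station", 23.8103, 90.4125, "zone-2")
    drs = Site("DRS", 23.8500, 90.4125, "zone-2")
    print(*check_drp(primary, drs, 1, date(2016, 4, 1), today), sep="\n")
    media = ["content=core DB;cycle=weekly;serial=T-001;date=2017-05-20;classification=confidential",
             "content=core DB;cycle=weekly;serial=T-002;date=2016-04-01;classification=confidential",
             "content=files;cycle=daily;serial=T-003;date=2017-05-31"]
    print(*check_backup_media(media, 365, date(2017, 3, 1), today), sep="\n")
```

Each finding maps back to the numbered observation whose threshold it violates, so the same script can be re-run after remediation to confirm the observation is closed.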
Chapter 07
Conclusion
Information system auditing is a vast area and it is very difficult for a single person to cover the whole of it within a short period of time. At the end of the audit I presented the audit observations to management. I expect my audit findings and observations will help the Firm to find out and rectify security threats. I also expect that this report will help to assess and review the organization's IT based business. For a more effective audit the Firm needs to employ external auditors from an independent audit firm. Financial audit findings are monitored and rectified, but information system audit findings are not monitored and rectified like financial audit findings. Nowadays the information system is the heart of Firming; therefore information system audit findings must be rectified properly.
Appendix
ICT Security Audit Checklist
XX Firm Ltd., Principal Work station, As on 01-06-2017
Sl | Subject | Y | N |
1 | Does the work station have an up to date 'ICT Security Policy' of the Firm? | | |
2 | Work station shall have an updated organogram. | | |
3 | Firm shall have ICT support unit/section/personnel (Business/ICT) in the work station organogram. | | |
4 | Each individual within ICT department/division/unit/section shall have an approved Job Description (JD) with a fallback resource person. | | |
5 | Firm shall maintain segregation of duties for ICT tasks. | | |
6 | Firm shall maintain a detailed Network design document for all ICT critical systems/services. | | |
7 | Firm shall have approved relevant requisition/acknowledgement forms for different ICT request/operation/services. | | |
8 | Firm shall have a User Manual of all applications for internal/external users. | | |
9 | The work station shall take appropriate measures to address the recommendations made in the last Audit Report (external/internal). This must be documented and kept along with the Audit Report. | | |
10 | Firm shall ensure that all relevant personnel are getting proper training, education, updates and awareness of the ICT security activities as relevant to their job function. | | |
11 | Firm shall also ensure the minimum level of Business Foundation Training for ICT personnel. | | |
12 | Firm shall arrange security awareness training/workshops for all staff. | | |
13 | Adequate insurance coverage or risk coverage fund shall be maintained so that costs of loss and/or damage of the ICT assets can be mitigated. | | |
14 | The Firm shall form an ICT Risk Management Committee to govern overall ICT risks and relevant mitigation measures. | | |
15 | ICT security department/unit/cell shall report the status of identified ICT security risks to the ICT security committee and Risk Management Committee periodically. | | |
16 | Firm shall establish a process to log information system related problems. | | |
17 | The Firm shall have a workflow process to escalate any problem to a concerned person to get a quick, effective and orderly response. | | |
18 | Problem findings and action steps taken during the problem resolution process shall be documented. | | |
19 | A trend analysis of past problems shall be performed to facilitate the identification and prevention of similar problems. | | |
20 | All ICT assets shall be clearly identified and labeled. Labeling shall reflect the established classification of assets. | | |
21 | Firm shall maintain an ICT asset inventory stating significant details (e.g. owner, custodian, purchase date, location, license number, configuration, etc.). | | |
22 | Firm shall review and update the ICT asset inventory periodically. | | |
23 | Information system assets shall be adequately protected from unauthorized access, misuse or fraudulent modification, insertion, deletion, substitution, suppression or disclosure. | | |
24 | Firm shall approve a list of software which alone may be used on any computer. | | |
25 | Use of unauthorized or pirated software must strictly be prohibited throughout the Firm. | | |
26 | Is any Closed Circuit Television (CCTV) camera installed for monitoring? | | |
27 | i. Is the camera working properly and are the angles appropriate to cover the required area? | | |
28 | ii. Is there adequate manpower to operate the CCTV system, and are recordings checked regularly? | | |
29 | iii. Is a monthly backup of CCTV videos preserved on an external device (other than a pen drive)? | | |
30 | Is the burglar alarm working properly? | | |
31 | Desktop computers shall be connected to UPS to prevent damage to data and hardware. | | |
32 | Before leaving a desktop or laptop computer unattended, users shall apply the "Lock Workstation" feature. If not applied, the device will be automatically locked within 5 minutes (S-4.2.1.1.j). | | |
33 | Confidential or sensitive information that is stored on laptops must be encrypted. | | |
34 | Desktop computers, laptops, monitors, etc. shall be turned off at the end of each workday. | | |
35 | Laptops, computer media and any other forms of removable storage containing sensitive information (e.g. diskettes, CD ROMs, Zip disks, PDAs, Flash drives, external hard-drives) shall be stored in a secured location or locked cabinet when not in use. | | |
36 | Access to USB ports of Desktop/Laptop computers shall be controlled. | | |
37 | Other information storage media containing confidential data such as paper, files, tapes, etc. shall be stored in a secured location or locked cabinet when not in use. | | |
38 | Individual users must not install or download software applications and/or executable files to any desktop or laptop computer without prior authorization. | | |
39 | Any kind of virus shall be reported immediately. | | |
40 | Viruses shall not be cleaned/deleted without expert assistance unless otherwise instructed. | | |
41 | User identification (ID) and authentication (password) shall be required to access all desktops and laptops whenever turned on or restarted. | | |
42 | Standard virus detection software must be installed on all desktop and laptop computers and shall be configured to check files when read and routinely scan the system for viruses. | | |
43 | All computers shall be placed above the floor level and away from windows. | | |
44 | Access to the Internet from Firm premises and systems must be routed through secure gateways. | | |
45 | Any local connection directly to the Internet from Firm premises or systems, including standalone PCs and laptops, is prohibited unless approved by Firm Information Security. | | |
46 | Employees shall be prohibited from establishing their own connection to the Internet using the Firm's systems or premises. | | |
47 | Use of locally attached modems with the Firm's systems in order to establish a connection with the Internet or any third-party or public network via broadband, ISDN or PSTN services is prohibited unless specifically approved. | | |
48 | Internet access provided by the Firm must not be used to transact any commercial business activity that is not done by the Firm. Personal business interests of staff or other personnel must not be conducted. | | |
49 | Internet access provided by the Firm must not be used to engage in any activity that knowingly contravenes any criminal or civil law or act. Any such activity will result in disciplinary action against the personnel involved. | | |
50 | c) Keep the operating system and applications up-to-date with patches. | | |
51 | e) Securely configure applications and browsers. | | |
52 | The email system shall be used according to the Firm's policy. | | |
53 | Access to the email system shall only be obtained through official request. | | |
54 | Email shall not be used to communicate confidential information to external parties unless encrypted using approved encryption facilities. | | |
55 | Employees must consider the confidentiality and sensitivity of all email content before forwarding email or replying to external parties. | | |
56 | Information transmitted by email must not be defamatory, abusive, involve any form of racial or sexual abuse, damage the reputation of the Firm, or contain any material that is harmful to employees, customers, competitors, or others. The willful transmission of any such material is likely to result in disciplinary action. | | |
57 | The Firm email system is principally provided for business purposes. Personal use of the Firm email system is only allowed at management discretion and requires proper permission; such personal use may be withdrawn or restricted at any time. | | |
58 | Corporate email addresses must not be used for any social networking, blogs, groups, forums, etc. unless having management approval. | | |
59 | Email transmissions from the Firm must have a disclaimer stating the confidentiality of the email content and asking intended recipient. (S-5.5.1.3.d & S-5.5.1.5.2) | | |
60 | The Firm shall only grant user access to ICT systems and networks on a need-to-use basis and within the period when the access is required. | | |
61 | The Firm shall closely monitor non-employees (contractual, outsourced, or vendor staff) for access restrictions. | | |
62 | Each user must have a unique User ID and a valid password. | | |
63 | User ID Maintenance form with access privileges shall be duly approved by the appropriate authority. Work station Managers/Department heads/Divisional heads will approve individual user IDs and access privileges as applicable. (S-5.1.1.4) | | |
64 | User access shall be locked after 3 unsuccessful login attempts. (S-5.1.1.2) | | |
65 | User access privileges must be kept updated for job status changes. Access privileges shall be changed/locked within 24 hours when a user's status changes or the user leaves the Firm. (S-5.1.1.5) | | |
66 | The Firm shall ensure that records of user access are uniquely identified and logged for audit and review purposes. | | |
67 | The Firm shall perform regular reviews of user access privileges to verify that privileges are granted appropriately. | | |
68 | Password definition parameters shall ensure that a minimum password length is maintained: at least 6 characters, a combination of uppercase, lowercase, numbers & special characters. (S-5.1.2.1) | | |
69 | Software shall not allow the same user to be both maker and checker of the same transaction. (S-5.1.3.1) | | |
70 | Management approval must be in place for delegation of authority. (S-5.1.3.1) | | |
71 | c) There should be a separate room for implementation of security devices, routers and other network devices. | | |
72 | Firm must have an approved Business Continuity Plan addressing the recovery from disaster to continue its operation. | | |
73 | The needs of the target audience shall be identified, appropriate budgets obtained and priorities established. | | |
74 | The work plan shall clearly mention the main activities with the required resources, timelines and milestones. | | |
75 | Awareness building collaterals can be created in the form of: | | |
76 | a) Leaflets and brochures | | |
77 | b) Safety tips in account statements and envelopes | | |
78 | f) Screensavers | | |
79 | g) Electronic newsletters | | |
80 | h) DVDs with animated case studies and videos | | |
81 | a) The Network and Server room should be under lock and key. | | |
82 | b) Access should be controlled with restricted access and an access log should be maintained. | | |
83 | d) IT infrastructure should be under CCTV coverage and the video footage data should be preserved for at least one year. | | |
84 | a) The IT environment should be free from flammable items and a sufficient fire protection system should be established. Employees should be trained on the fire fighting system. | | |
85 | c) The electric power supply to the IT equipment should be at the recommended voltage level and there should be a proper earthing system at all connection points. There should be a UPS and necessary power backup system to ensure 24/7 power for Servers, Networking devices and CCTVs. | | |
86 | d) There should be a sufficient alarm system to alert on exceptional/unexpected environmental conditions. | | |
87 | There should be documented operating procedures for every ICT operation. Operating procedures shall be maintained and available for the users related to their job function. | | |
SN | Question |
Asset Management |
1 | Do you perform any compatibility assessment prior to procuring any new ICT asset? If yes, how? |
2 | Do you follow the procurement policy for ICT asset procurement? Please provide the procurement policy. |
3 | Are all the ICT assets assigned to a custodian? |
4 | How are the assets classified? (desktop/laptop/printer/Physical Server/VM/IP phone etc.) |
5 | Are all the ICT assets clearly identified and labeled? |
6 | Please provide us the asset inventory - hardware (ex. Desktop, laptop, printer etc.) |
7 | Please provide us the asset inventory - software (ex. MS Office, McAfee AV etc.) |
8 | Do you review and update the ICT asset inventory periodically? (quarterly/yearly) |
9 | Please provide us the asset disposal policy. |
10 | Do you have any guideline for the use of portable devices (USB, external HDD, etc.)? Please provide. |
11 | Do you have any policy to return organizational assets (laptop, mobile phone etc.) from employees/external parties upon termination of their employment? Please provide. |
12 | Please provide the approved software list (Open Office, MS Office 2010, Adobe Reader XI or later, McAfee antivirus etc.) |
13 | Do you only use legitimate/licensed software? How do you restrict use of unauthorized/pirated software? |
14 | Did you outsource any software (ex. McAfee antivirus)? If yes, do you have an SLA with the vendor? |
Desktop/Laptop Device Control |
15 | Are all the desktops connected to UPS? |
16 | Is the automatic lockdown policy for unattended desktops/laptops enforced? |
17 | Do you encrypt mobile devices (laptops, smart phones)? |
18 | Do you turn off the desktop, laptop and UPS at the end of each workday? |
19 | Do you store removable storage media (CD ROMs, external HDD, flash drives, backup tapes) and papers containing confidential data (licenses etc.) in a locked cabinet/secured location when not in use? |
20 | How do you control access to USB ports on desktops/laptops? |
21 | Do individual users take prior authorization before downloading/installing software applications and/or executable files? |
22 | Is antivirus software installed on all workstations? |
23 | Are all the workstations configured to log security related events (unauthorized access attempts, modification of system software etc.)? |
24 | Are all the desktops placed above the floor level and away from windows? |
BYOD Control |
25 | Do you allow BYOD (smart phones, tablets)? If yes, what measures have you taken to secure, monitor and control the devices (encryption, remote wipe, backup)? |
Server Security Controls |
26 | Please provide the list of Servers (Physical and Virtual). |
27 | What is the authentication and authorization system to access a server? |
28 | Please provide the list of users who have access to Servers. |
29 | Is remote access enabled on the Server? Can users access Servers remotely (from intranet, from VPN, from the internet)? |
30 | After how much time does an inactive session expire? |
31 | How are the activities of System Administration logged? The logging elements include: all authentication; privilege escalation; user additions and deletions; access control changes; job schedule start-up; system integrity information; log entries must be time and date stamped. |
32 | Do you test configuration settings, new patches and service packs in a test environment before applying them to production servers? |
33 | Do you have any separate file server or print server? |
34 | Do you take backups of Servers (both physical and virtual)? |
35 | Do you allow file sharing between host and guest OSs in a virtual environment? |
36 | Does the Server display a trespassing banner at login? |
Glossary and Acronyms
2FA - Two-Factor Authentication
ADC - Alternative Delivery Channel
AMC - Annual Maintenance Contract
AML - Anti-Money Laundering
ATM - Automated Teller Machine
BCP - Business Continuity Plan
BIA - Business Impact Analysis
BRD - Business Requirement Document
BYOD - Bring Your Own Device
CAAT - Computer-Assisted Auditing Tool
CCTV - Closed Circuit Television
CD ROM - Compact Disk Read Only Memory
CDs - Compact Disks
CEO - Chief Executive Officer
CIO - Chief Information Officer
CISO - Chief Information Security Officer
CNP - Card Not Present
CTO - Chief Technology Officer
DC - Data Center
DDoS - Distributed Denial of Service
DoS - Denial of Service
DR - Disaster Recovery
DRP - Disaster Recovery Plan
DRS - Disaster Recovery Site
DVD - Digital Video Disc
E-mail - Electronic Mail
EOD - End of Day
ICC - Internal Control and Compliance
ICT - Information and Communication Technology
IDS - Intrusion Detection System
IPS - Intrusion Prevention System
IS - Information System
ISDN - Integrated Services Digital Network
IVR - Interactive Voice Response
JD - Job Description
KRIs - Key Risk Indicators
MITMA - Man-in-the-Middle Attack
Work station Firm Job Circular 2017
Job Title | Educational Requirement |
Assistant Vice President as Information System (IS) Auditor | Candidates must have a CSE/EEE or equivalent degree from a recognized university with CISA Certification for the post |