RSM India publication - How Robust is your IT System

How Robust Is Your Information Technology System?

Transcript of RSM India publication - How Robust is your IT System


RSM Astute Consulting Group

Indian member of RSM International

Personnel strength of about 950

Consistently ranked amongst India's top 6 Accounting and Consulting groups (Source: International Accounting Bulletin - September 2010 and September 2011)

Nationwide presence

International delivery capabilities

RSM International

6th largest network of independent accounting and consulting firms in the world

Annual combined fee income of US$ 3.9 billion

700 offices across 94 countries

www.astuteconsulting.com


How robust is your IT system? RSM Astute Consulting


Contents

Section I: IT Systems Assurance - A Holistic View 1-4

Section II: Progressive IT Systems Assurance Model 6-9

Section III: Journey towards Perfection 11-61

Chapter 1: IT Management Framework 11

Chapter 2: IT Infrastructure Management 16

Chapter 3: Application Controls 24

Chapter 4: Identity and Access Management 29

Chapter 5: Project Management - Transformation 33

Chapter 6: Operations Framework 40

Chapter 7: Protecting Data Layer 47

Chapter 8: Business Continuity Planning Framework 50

Chapter 9: Human Interface to IT Systems 54

Chapter 10: Compliance and Regulatory Framework 56

Chapter 11: Impact of Contemporary Trends 60

Section IV: Creating Excellence in IT Systems Assurance 63-67

Annexure I 68

Annexure II 69


Section I: IT Systems Assurance – A Holistic View

1.1 Introduction

The Information Technology revolution has transformed the business landscape across the globe in the last two decades. Changes due to ERP systems, the internet, social networking, mobile computing and E-commerce have permeated the entire life cycle of any business organization. Organizations, irrespective of their nature, size and industry, have witnessed a paradigm shift in the way they strategize, build and operate their businesses around an IT eco-system. Information Technology has become the backbone of every business and, in certain sectors such as Banking & Financial services, Airlines, Telecom, E-commerce Portals and Manufacturing, has become a business driver in its own right. These industries have created technology-enabled business models that give them global reach and provide customer-centric services with a personalized experience. The internal levels of technology adoption, associated process changes, organizational risk profile and internal control systems have undergone changes corresponding to the changes in the external world. An Information Technology Assurance Program is a continuous and dynamic program to ensure that an organization's internal control systems that depend on information technology remain current, comprehensive, effective and responsive to such changes.

Recognizing the need and importance of IT in business, organizations have invested heavily in IT infrastructure, applications and all other supporting programs. Management is equally concerned about the return on such IT investments. Given the critical role of IT in business today, it is imperative that management and stakeholders review the IT systems in a structured and holistic manner and are concerned with the following issues:

• Existence and effectiveness of an IT governance framework

• Effective technology controls to ensure transaction-level integrity

• Confidentiality and timeliness of information processed

• Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) ensuring availability of data

• Effective compliance with regulatory requirements and adherence to industry best practices

1.2 IT Systems Assurance – Need and Key Drivers

Various external and internal factors act as key drivers that compel the organization to adopt a comprehensive IT system assurance program.

1.2.1 External Factors

• Rapid changes to information technologies creating unknown risks

• Increasing third-party dependence of key organizational processes

• Identification of new vulnerabilities in systems on a daily basis

• Emergence of organized and unorganized hacker communities

• Rising customer demands on service availability, process transparency and data privacy

• Stringent regulatory frameworks and internationally benchmarked standards

• Frequent acquisitions and mergers leading to complex IT eco-systems

1.2.2 Internal Factors

• Variance in organizational strategy, executive decision-making process and operational environment

• Fragmented approach of management towards adoption of technology

• Insufficient controls in terms of inadequate user training, lack of segregation of duties and inadequate testing before deployment

• Trusted insiders perpetrating fraud / misuse of the systems

• Obsolescence of information assets

A generic depiction of the motivational factors for an IT Assurance Program is set out below.

Figure: Key drivers of IT assurance program. The diagram links IT Systems Assurance to the following drivers: System & Process Variances; Protection from Internal / External Misuse; Uninterrupted Operation Needs; Global Accessibility of Data; Customer Data Privacy; Changes to Business / Technology Environment; Industry Regulation.

1.3 IT Systems Assurance - A Holistic Program

An IT systems assurance program is a holistic program adopted by a business to ensure that its short-term and long-term goals are achieved with the help of IT. It is imperative that the IT systems assurance program encompasses the entire life cycle of the business and is functional at the grassroots level. Hence, internal control systems need to be effective at the business, process, technology and operational layers.

An assurance of the IT system needs to include an IT management framework, which necessarily includes the organization's IT strategy, IT Risk Management Program, IT Structures, IT Architectures and IT Policies, to ascertain the soundness of the foundations of the IT systems. Such a program needs to be applicable to all IT assets, including data, applications, infrastructure, people, tools and technologies.

An IT systems assurance program must take into consideration the impact of information technology on the overall functioning of the organization. Such a program needs to cut across financial, legal, regulatory and operational assurance requirements. The impact of constant changes to the technology environment must be covered under the IT assurance program. It is also important that the IT assurance program addresses the long-term sustenance requirements of the organization.

Finally, an IT systems assurance program needs to have specific business objectives. Beyond technology factors, it is expected to ensure capital protection, provide competitive advantage through efficient internal control systems, facilitate IT compliance requirements and infuse customer confidence about the overall well-being of the organization.

In today's world, where IT risks are embedded at various levels, an IT assurance program cannot be truly effective unless it is all-encompassing in nature.

An illustrative diagram of the same is given on the next page.

Important aspects of IT systems assurance program:

• It needs to be dynamic to suit the ever-changing needs of businesses

• It needs to be granular to capture risks embedded in business processes

• It needs to be operational in all phases of organization evolution

• It needs to be customized to suit the organization's unique needs

Figure: Information Systems Assurance (cross-functional view). Functional areas: Finance, Data Processing, Legal and Regulatory, Technology, Operations, Human Resource. Threats: internal and external sources. Protection: procedural and tool based. Information assets: People, Tools, Infrastructure, Application, Data. I.T. Framework: Strategy, Risk Management, Structures, Architectures, Policies. Business Objectives: Capital Protection, Competitive Advantage, Compliance, Customer Confidence.


Section II: Progressive IT Systems Assurance Model

Introduction

As the IT Assurance Program is comprehensive, organizations face various challenges during its implementation and review. The IT maturity levels and business requirements of every organization are different in nature. It is necessary to roll out the program in a structured manner suited to the organization's and the industry's unique needs, through an organized change management process. There should be specific programs, processes and visible outputs at every stage to give management comfort and confidence that there is continuous progress in the IT assurance program. Typical concerns that management would address in a stage-wise manner include:

Stage I

• What is the current organization IT posture?

• What are the current IT risks and concerns?

• Is the organization deploying the appropriate measures to address IT risks?

• Has the organization assigned appropriate resources to implement such measures?

Having assessed the macro-level view of the organization's IT risk program, management would typically like to assess the progress of an IT risk mitigation program.

Stage II

• What are the organization's specific pain areas and why do they exist?

• How deep-rooted are the risks and to what extent do they impact the organization's IT posture?

• Has the organization adopted the right mitigation measures?

• Is it necessary to review and implement the program in a simplified and progressive manner?

Stage III

Further, the same organization would take an integrated view of the success of the IT assurance program. Typically, the concerns that management would like to address / value would include:

• How do IT risks impact the organization's business eco-system?

• Are the risk mitigation measures effective?

• Are there previously unidentified risks?

• Is the organization able to achieve its compliance postures?

• Is the organization leading in IT Risk Management practices?

It is imperative that the roll-out of the IT assurance program is mapped to the above management concerns, with tangible deliverables at every stage.

Accordingly, the progressive IT assurance program consists of:

• IT Preliminary assurance through overview

• IT environment assurance through substantive checks

• End-to-End IT assurance through integrated checks

The usefulness of such reviews is tabulated on the next page for illustration purposes.

Progressive IT Assurance Model

Level 1: IT Preliminary Assurance (Overview)

Coverage areas:

• IT Managerial Framework: Strategy, Architecture, Structure, Risk Management, Policies

• IT Infrastructure Management

• Application Control Management

• Identity and Access Management

• Project Management

• Operational Framework

• Data Layer Protection

• Business Continuity Framework

• Human Interface

• Compliance & Regulatory Framework

Management concerns addressed:

• What is my IT Posture?

• What are my main risks / concerns?

• Am I doing the right things?

Level 2: IT Environment Assurance (Substantive Checks)

Coverage areas:

• Organization Unit Level Framework

• Standard Operating Procedures

• Asset Classification, Risk Analysis

• Network / Configuration Controls

• Design, Configuration Control

• User-Role-Authentication Management

• Project Risk Management

• Operational Process Controls

• Data Flow / Storage Controls

• Business Continuity Test Evaluation

• Background Checks / Training

• Preparing for Compliance

Management concerns addressed:

• Why do my pain areas exist?

• Am I doing things right?

• How deep are the risks?

Level 3: End-to-End IT Assurance (Integrated Checks)

Coverage areas:

• Business Goal Alignment

• IT Risks mapping on ERM

• IT Structural Reviews

• Tool Based Scan

• Data Analysis and Migration Checks

• HR Master Data Integration

• Return on Investment

• Concurrent / Effectiveness Checks

• Intellectual Property Protection

• Business Impact Analysis

• IT Maturity Measurement

• Industry Standards / Certification

Management concerns addressed:

• How do IT Risks translate to business?

• Am I the industry leader?

• Are risk mitigation plans working?

Deliveries (across the three levels):

• IT Risk Diagnostic Review Report

• What should you do in the next 12 months to mitigate risks?

• How is Enterprise Risk effectively managed through IT?

• How should you measure your industry standing?

• Technical Risk Assessment Report

• How are you progressing with respect to risk mitigation plans?

Illustrative usefulness of such reviews is tabulated below. The table lists the situations in which an IT Overview, IT Substantive checks or IT Integrated checks are more useful:

• Organizations have not conducted an IT review in the past

• One or more IT areas require a deep dive

• IT systems need to be validated along with overall internal control systems

• Automated or system tools are necessary due to high volumes or the nature of the systems

• Organizations have frequent issues related to IT management

• There is a need to validate the assumptions and progress of IT evolution

• The organization intends to obtain industry-specific compliance or certification

• The IT eco-systems need significant changes

• Detailed support for the diagnostic reviews is required

• Major changes in the organization's information processing systems need validation

• Mergers and Acquisitions take place

• Systems undergo major changes

• Organizations intend to take a long-term view of process improvements

• The review time frames available are short

• Organizations are willing to spend adequate time to focus on specific issues

Section III: Journey towards Perfection


Chapter 1: IT Management Framework

1.1 Introduction

The IT Management Framework sets the context for all Information Technology initiatives. The framework needs to be comprehensive and should take a 360-degree view of the organization's requirements. The IT Management Framework includes Strategy, Architecture, Structure, Risk Management and Policies. Each of these aspects is dealt with separately below.

1.1.1 Alignment of IT Strategy with Business Goals

Success of an IT system depends upon how closely the IT strategy, execution and monitoring are linked to business goals. Some of the common deficiencies arise when:

• IT strategies are prepared in isolation from business strategies.

• Businesses tend to underestimate the criticality of certain dormant IT issues.

• Cross-functional teams do not participate in the IT strategy program.

It is necessary that business goals are well defined and IT goals are derived from individual business goals.

An illustration of how IT Strategy is aligned to Business Goals is shown in the figure below.

Figure: Business Goals and IT Goals. Business Goals: Business Strategy, Customer Acquisition, New Products, Business Expansion, Enterprise Risk Management. IT Goals: New Services, Functionality Upgrades, Scalable Architecture, IT Risk Management.

1.1.2 Information Architecture

Every business entity is supported by its individual functional units which have their respective roles to play within the organization. Also, each functional unit is dependent on the IT systems for its individual data processing needs.

The diagram below depicts how the various functional units within the organization are connected to each other through their data processing needs.

IT functional architecture is defined after considering the nature of information exchange, the volume of data processing, the geographical locations of operations, data processing, deployment and scalability requirements, and the internal controls structure.

In the current environment of frequent mergers and acquisitions and other structural changes, business interfaces and data processing need to undergo constant changes. Unmanaged changes create long-term risks for the organization.

Such activities require due diligence, third-party audits and sharper definition of roles, responsibilities and liabilities in case of system breaches.

Figure: Data Processing Needs linking the functional units: Human Resource, Legal & Compliance, Material Management, Project Planning, Data Center Service Provider, Customer Services, Sales & Distribution, Third Party, Production Management, Operations, Accounts & Finance.

1.1.3 IT Structure

An IT structure is necessary to establish a proper and efficient IT execution process within the organization. To have appropriate checks and balances, it is necessary that the roles and responsibilities of the various functions are well defined. Some of the common deficiencies include:

• Improper segregation of duties in the decision-making and execution process

• Organizations performing primarily based on "assumed responsibilities"

• Improper analysis of work contents, estimates and staff alignment

• Inadequate mechanism to measure skills

A good organization structure is derived from a well-defined work breakdown structure (WBS) and functional breakdown structure (FBS) hierarchy. As technology absorption and process integration increase, the structures need to be dynamic. In large organizations, the relationship between central units, individual functional units and the various control functions needs to be defined in such a way that the overall internal control system remains well coordinated, efficient and optimal. Certain functions may be more effective if outsourced; however, the organization needs to retain ownership of and accountability for them.

1.1.4 IT Risk Management Framework

With increasing dependence on IT systems, an organization's vulnerability to IT risk also increases. Thus, the success of the organization depends upon its ability to contain IT risk, which requires it to create an IT risk management program. An IT risk management program needs to emerge from the Enterprise Risk Management program.

The IT risk management program methodology needs to be well defined and detailed. It should cover the following aspects:

• Asset Identification, Classification, Valuation

• Assessment of Threats and Vulnerabilities

• Overall Risk Assessment

• Risk Prioritization

• Control Evaluation with Cost-Benefit Analysis

• Risk Treatment Plan: Acceptance, Avoidance, Transfer and Mitigation

Figure: ERM Control Activities; Control over Information Systems; IT controls at individual layer.

1.1.5 IT Policies

IT policy is the most important and critical part of the IT assurance of the organization. The coverage, depth and maturity of the policy vary from organization to organization. Also, various industry and regulatory bodies make an IT policy a mandatory requirement for compliance.

Common deficiencies in IT policy management include:

• IT policies are not aligned with changes in the technological environment.

• IT policies do not adequately provide the necessary direction to the execution team.

• IT policies do not provide the necessary operational-level flexibility.

• IT policies are not communicated to the staff and all concerned persons in an effective manner.

Management needs to ensure that IT policies remain the guiding force of the organization's IT framework.

The effective management of the IT policy and procedural framework with a layered approach is depicted in the figure below.

Figure: IT Policies and Procedural Structure

• Vision statement: signed by the CEO

• Directional Policies: signed by the Steering Committee

• Functional Policies: signed by Functional Heads along with IT

• Standards & Guidelines: signed by the governing body

• Detailed Operational Procedures: signed by operation owners

3 Characteristics: Comprehensiveness, Consistency, Communication

1.2 Reviews

An overview of the IT management framework needs to cover:

• Existence, ownership and review process of strategy, risk management, structure, architecture and policies

• Change management and approval process

A substantive review of the IT management framework needs to cover:

• Appropriateness of the methods and standards adopted by the organization

• The functioning of IT management at individual unit level of the organization

• Existence and detailing of Standard Operating Procedures

An integrated review of the IT management framework needs to cover:

• The alignment of the entire IT management framework with business strategy, enterprise risks and operational plan

Chapter 2: IT Infrastructure Management

2.1 Introduction

Today no organization functions in isolation from the rest of the world; it is always connected externally and internally through a mesh of networks.

Organizations provide connectivity to external users such as customers, suppliers, business partners and other stakeholders. Also, internal users of the organization are permitted to connect to the organizational network through remote access. Such access is provided through public / E-commerce websites, kiosk / ATM channels, mobile commerce and service outlets. Such connectivity is provided by deploying leased lines, MPLS, VPN, wireless technologies and other equivalent mechanisms. Nowadays, many financial transactions across banks and Government institutions take place through interfaces and payment gateways. In the modern world, such connections are often part of global networks.

To facilitate external connectivity, organizations create an interfacing architecture. Since the elements hosted in this architecture are exposed to external risks, a separate network segment is created and special security measures are taken to prevent and / or detect any direct, indirect or potential risks to this segment.

Internally, users of the organization are connected over wide area networks and local area networks using various connectivity techniques. The spread and complexity of the internal network depend on various factors, including the number of locations, the number of users, the nature of the activities they perform, the data processing volume and the overall system deployment architecture.

The internal network is divided into multiple segments using routers, switches, firewalls, virtual LANs and various other techniques. These segments host various servers, databases and information processing devices. The entire functional architecture of the organization is mapped onto the network architecture.

There exist various types of technology solutions that are capable of controlling and monitoring the behaviour of the various network elements. These are responsible for enforcing centralized policies and include Anti-Virus management, Central Domain Controllers, Authentication Servers, Data Protection Servers, Log Monitoring Servers and many more services.

Internal users of the organization consist of various classes of users, such as normal users and premium users (e.g. administrators and critical data custodians). Each of these user classes requires different levels and types of access, with different requirements for data confidentiality.

In a nutshell, an organization's typical network consists of the following broad segments:

• External networks connecting to the organization

• Internal network segment communicating with the external world

• Internal network segment hosting the organization's infrastructure

• Internal network segment from where users operate

A schematic diagram of the same is depicted on the next page.

In reality, the architectures could be more complex for most organizations, as the number of network elements runs into hundreds, thousands or even beyond, depending on the size of the organization and the volume of data processing.

Further, the way the organization creates its internal network depends on its business model and on geographical and financial constraints.

Figure: Typical Network (schematic diagram).

2.1.1 External Threats to Organization Network

Technologies create immense business opportunities by allowing connectivity to the external world. This also brings various risks for the business. Management is always concerned about fraudulent activities taking place on the network from outside sources (e.g. an attack on the internal network through malware, and security threats during e-commerce transactions). Any mis-configuration of network elements can result in a vulnerability that can be exploited by external users. Some of the vulnerabilities exposed to external threats are:

• Weaknesses in the security architecture that allow direct access to the internal network from external sources

• Weak encryption techniques used during data transmission that allow data sniffing and interception

• Inability to prevent various types of organized / unorganized hacking attempts on the network, which can potentially result in denial-of-service, web defacement and all such equivalent consequences. These pose a reputational risk to the organization

• Data theft by an unauthorized user accessing the network or an information resource such as a server through the compromised credentials of authorized users

• Performance bottlenecks on the network impacting customer service and external interface processing capabilities

With the rising complexity of technologies, the ready availability of hacking tools, determined socially disgruntled groups, and international and business rivalries, the possibility of cyber-attack is real.

Organizations need to enhance their ability to handle threats on a real-time basis and keep pace with the rate at which external threat profiles are changing.

Safeguards from external threats to the organization include:

• Establish very strong authentication mechanisms for external connectivity

• Encrypt the data flowing on the network

• Create strong traffic monitoring and filtering mechanisms at different layers

• Keep external infrastructure tested and upgraded to pre-empt any attacks

• Carry out vulnerability analysis and penetration tests and take corrective measures

2.1.2 Internal Threats to Organization Network

Internal networks are segmented into various zones, and network traffic is regulated using firewalls, switches, routers and various other devices. These devices can be deployed across various regions and geographies and virtually create borderless organizations. In spite of the best internal design, given the complexities involved, concerns about system compromise due to flaws in internal network systems will remain.

Incorrect configuration risks include:

• Creating unwanted internal navigation paths for users due to "open" configurations on devices

• Improper user management and authentication configuration that allows entry to unauthorized users

• Weaknesses in administrative, accounting and auditing controls, impacting the preventive and detective abilities of the organization

• Unencrypted interfaces that can be sniffed by a malicious user

• Redundant software residing in the system in the form of programs, utilities and scripts

• Weaknesses in the centralized control architecture, due to which organization policies cannot be enforced on all information resources

• Traffic anomalies and bottlenecks resulting in degraded services on internal networks

The efficiency, availability and security of the entire network depend on how well the business requirements are mapped onto the network devices and how these devices have been configured. Broadly, these include various types of:

• Authentication techniques

• Traffic monitoring techniques

• Policy enforcement techniques

• Performance measurement techniques

• Logging and monitoring techniques

A combination of multiple such techniques at different layers, in a structured manner, is necessary to create an efficient defence and monitoring architecture. Active vigilance over their outcomes pre-empts several threats to the network in a timely manner.

A careful analysis of the events taking place across the organization's architecture gives good insight into the behaviour of traffic flowing across networks. This helps organizations fine-tune security and performance on an on-going basis. Safeguards for the organization network include:

• Proper network segmentation

• Sensitive system isolation

• Data management controls

• Encrypting data flows

• Logging and monitoring system activities, including administrative activities

2.1.3 Insider Threats for an Organization

Managing IT systems involves a human element, and organizations need a trust environment to operate successfully. With the advent of new technologies, the emergence of new vulnerability exploitation techniques and access to organization data resources, the organization is dependent on the 'trust level of an insider'. Hence, organizations are concerned about insider threats. These include:

• 'Trusted' insiders misusing the systems using their privileges and rights

• Exploitation of network and application weaknesses for individual gain

• Manipulation of access rights so as to 'allow' fraudulent activities

• Suppressing system evidence and logs

Organizations need to create safeguards from such threats. These safeguards include:

• Creating "need to know" based internal access systems with built-in segregation of duties

• Performing background checks and practising periodic job rotation

• Restricting access to system evidence and logs

2.1.4 Risk Remediation through Vulnerability Assessment and Closure

In practice, it is not easy to achieve and retain a completely secure systems architecture. Vulnerabilities exist across all network layers, devices and technologies. They are detected through in-house tests, publicized by product vendors or listed in global vulnerability databases, and need to be acted upon promptly. Vulnerability assessment and remediation are activities that the organization needs to perform on a continuous basis. This includes assessing the impact of each vulnerability on the working environment, identifying a remediation plan, testing appropriately and releasing patches. Following sound architecture, development and change management practices is the most effective way to keep vulnerability issues to a minimum in the first place.

2.1.5 Difference in Business Models Influence IT Control Systems

In today's organizations, several functions such as data center management, e-mail management, day-to-day operations, storage management and application management are outsourced to external parties. Cloud computing based technologies are becoming popular, as a result of which organizations' data processing activities are now carried out through a mesh of widely distributed networks and functions. A truly modern organization can work on a 'hyper-connected' model. This has a significant impact on the organization's internal control system. An illustration is tabulated below:

Correlation between business model and information architecture, and how it impacts the internal control system

Business Model: Closed Centralized
Information Architecture: Centralized assets and centralized IT operations; individual units are users
Control: Complete, internal

Business Model: Closed Decentralized
Information Architecture: Centralized framework, all assets belong to the company; however, deployment and operational decision making rest with the individual business units
Control: Distributed and internally controlled

Business Model: Outsourcing of IT Data Centers
Information Architecture: Infrastructure services outsourced, the rest managed internally
Control: Strongly internally controlled; external control through SLA

Business Model: High Level Outsourcing
Information Architecture: Infrastructure and customer handling services outsourced, the rest managed internally
Control: Reduced direct control by the organization; needs effective monitoring

Business Model: Significant Outsourcing
Information Architecture: Server, application and operations outsourced; only the data belongs to the organization
Control: Limited control over the IT function; however, accountability cannot be outsourced


The IT assurance program and its transition need to be aligned with the set-up of the organization.

2.2 Network Reviews

A review of the entire network architecture and its processes is necessary to evaluate the robustness of the network architecture.

An overview of IT infrastructure needs to cover:

Adequacy of organization policies and procedures at different layers

Test checks on procedures around architecture management

Adherence to Service Level Agreements signed with vendors

Substantive review of IT infrastructure needs to cover:

Network device configuration

Change management processes

Technology obsolescence and vulnerability analysis

Security checks on internal network paths

Integrated review of IT infrastructure needs to cover:

Administrative controls and checks

In-depth analysis of system filters at different layers

Root cause analysis of different incidents

Anomalies detected through traffic monitoring logs

Business compliance needs to be supported by infrastructure
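As an added example, not code from the RSM publication, the following script shows what a substantive review of network device configuration can look like when it is driven by the safeguards listed earlier in this chapter (segmentation, isolation of sensitive systems, encrypted data flows, logging of activity) rather than by eyeballing a rule export. The rule format, the zone names, the sensitivity ranking, the clear-text port list and the sample rules are all constructed assumptions; a real review would parse the device's own export into the same structure.

```python
"""Review a first-match firewall / ACL ruleset for segmentation, encryption and logging gaps.

Added example; not taken from the RSM publication. Zone model, port list
and the sample ruleset are constructed assumptions for illustration.
"""
from dataclasses import dataclass

# Assumed zone model: rank 0 = untrusted, higher = more sensitive.
ZONE_RANK = {"internet": 0, "guest": 0, "user": 1, "dmz": 2, "app": 3, "db": 4}
SENSITIVE_RANK = 3                                  # app and db count as sensitive here
CLEARTEXT = {21: "ftp", 23: "telnet", 80: "http"}   # assumed unencrypted services


@dataclass
class Rule:
    rule_id: int
    src: str          # zone name or "any"
    dst: str          # zone name or "any"
    ports: frozenset  # empty = any port
    action: str       # "permit" or "deny"
    log: bool = False


def src_rank(zone):
    """'any' as a source includes the untrusted zones, so it gets the lowest rank."""
    return 0 if zone == "any" else ZONE_RANK.get(zone, 0)


def dst_rank(zone):
    """'any' as a destination includes the most sensitive zone."""
    return max(ZONE_RANK.values()) if zone == "any" else ZONE_RANK.get(zone, 0)


def covers(earlier, later):
    """True when `earlier` matches every packet `later` would match (first-match semantics)."""
    src_ok = earlier.src in ("any", later.src)
    dst_ok = earlier.dst in ("any", later.dst)
    port_ok = not earlier.ports or bool(later.ports and later.ports <= earlier.ports)
    return src_ok and dst_ok and port_ok


def audit(rules):
    """Return (rule_id, finding) pairs for an ordered, first-match ruleset."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "permit":
            if r.src == "any" and r.dst == "any" and not r.ports:
                findings.append((r.rule_id, "any/any permit"))
            else:
                sensitive_dst = dst_rank(r.dst) >= SENSITIVE_RANK
                if src_rank(r.src) == 0 and sensitive_dst:
                    findings.append((r.rule_id, f"untrusted zone {r.src} reaches sensitive zone {r.dst}"))
                if sensitive_dst:
                    for p in sorted(r.ports & set(CLEARTEXT)):
                        findings.append((r.rule_id, f"clear-text {CLEARTEXT[p]}/{p} into {r.dst}"))
                    if not r.log:
                        findings.append((r.rule_id, f"permit into {r.dst} without logging"))
        # A rule that can never match (shadowed by an earlier one) is dead configuration
        # and usually a sign that the ruleset has not been reviewed after changes.
        for earlier in rules[:i]:
            if covers(earlier, r):
                findings.append((r.rule_id, f"shadowed by rule {earlier.rule_id}"))
                break
    return findings


# Constructed ruleset in first-match order.
SAMPLE_RULES = [
    Rule(1, "user", "dmz", frozenset({443}), "permit", log=True),
    Rule(2, "internet", "app", frozenset({80, 443}), "permit"),
    Rule(3, "any", "any", frozenset(), "permit"),
    Rule(4, "app", "db", frozenset({5432}), "permit", log=True),
    Rule(5, "user", "dmz", frozenset({443}), "permit", log=True),
    Rule(6, "any", "any", frozenset(), "deny"),
]

if __name__ == "__main__":
    for rule_id, finding in audit(SAMPLE_RULES):
        print(f"rule {rule_id}: {finding}")
```

On the sample ruleset the script reports the direct internet-to-application permit (with clear-text HTTP and no logging), the any/any permit that makes the later database rule and the final default deny unreachable, and the duplicated user-to-DMZ rule. Rank thresholds and the port list are the parts a reviewer would tune to the organization's own zoning standard.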


Chapter 3: Application Controls

3.1 Introduction

Organizations develop and deploy applications in their environment to automate their business processes. Applications integrate various functions, provide the necessary workflow, increase internal operational efficiency and give management complete visibility of the current status of transactions at various levels. Organizational intelligence is built into the design of the application. Applications are normally scalable, are used by a large segment of the organization and process voluminous data. As applications mature, organizations become more dependent on them. Every application has its own architecture, platforms, functionality and purpose. Application controls therefore become one of the most decisive factors in evaluating the overall risk posture of the organization.

Most organizations deploy either ERP or legacy system solutions to support their data processing needs. For an effective implementation, application controls need to be incorporated at the design stage and should take the following into account:

Logical Access control

Authentication control

User interface control

Input validation controls

Data processing and output controls

Functional controls

Session level validation

Controls built around server, database and operating system architecture

Scalability and performance controls

Secure coding controls
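What 'input validation controls' and 'secure coding controls' mean at the code level is easiest to see with a deliberately weak routine beside its hardened form. The following is an added example, not code from the publication: the account table, the sample rows and the eight-digit account number format are constructed assumptions, and the in-memory SQLite database stands in for the application's real data store.

```python
"""Input validation and secure coding controls: injectable lookup beside its hardened form.

Added example; not code from the RSM publication. Table layout, rows and
the account number format are constructed assumptions.
"""
import re
import sqlite3

# Assumed canonical format: exactly eight ASCII digits ([0-9], not \d, so that
# Unicode digit look-alikes are rejected too).
ACCOUNT_RE = re.compile(r"[0-9]{8}")


def setup_db():
    """Constructed in-memory stand-in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct_no TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("10000001", "alice", 500), ("10000002", "bob", 1200), ("10000003", "carol", 90)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, acct_no):
    """Deliberately weak: untrusted input is concatenated into the SQL statement."""
    sql = f"SELECT acct_no, owner, balance FROM accounts WHERE acct_no = '{acct_no}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, acct_no):
    """Processing control: the driver binds the value, so it can never become SQL syntax."""
    return conn.execute(
        "SELECT acct_no, owner, balance FROM accounts WHERE acct_no = ?", (acct_no,)
    ).fetchall()


def validate_account(acct_no):
    """Input validation control: positive (allow-list) check at the trust boundary."""
    return isinstance(acct_no, str) and ACCOUNT_RE.fullmatch(acct_no) is not None


def lookup_hardened(conn, acct_no):
    """Validation plus the parameterised query: defence in depth.

    Rejecting malformed input early gives a clean, loggable event and protects every
    downstream consumer of the value (reports, exports, log lines), not only the database.
    """
    if not validate_account(acct_no):
        raise ValueError("account number must be exactly eight digits")
    return lookup_parameterised(conn, acct_no)


if __name__ == "__main__":
    db = setup_db()
    payload = "x' OR '1'='1"   # constructed injection string
    print("vulnerable   :", lookup_vulnerable(db, payload))
    print("parameterised:", lookup_parameterised(db, payload))
    try:
        lookup_hardened(db, payload)
    except ValueError as err:
        print("hardened     :", err)
```

Run as a script, the vulnerable lookup returns every account for the injection string, the parameterised query returns nothing, and the hardened function refuses the input before it reaches the database. The same pattern (validate at the boundary, bind parameters, never build statements from strings) is what a secure coding review would look for across the application.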

3.1.1 Enterprise Resource Planning (ERP) and Legacy Systems

An organization may have different IT applications to fulfill its information needs. These needs may be fulfilled by legacy applications or integrated ERP applications.


ERP systems are generally preferred to legacy applications because they integrate the business processes seamlessly, adopt industry practices and have built-in features such as:

Open System architecture

Multi-tier Architecture

Enterprise Data Model

Accessible through channels

Multi-national, Multi-currency transactions

Integrated Real-Time

Ability to stay with current technology

Strong integration with business processes

Providing integrated turnkey solutions

However, ERPs are sometimes cumbersome to implement, require business process re-engineering, good change management and acceptance at various levels, and sometimes have a long implementation phase. Hence, legacy systems continue to occupy critical space in business IT architecture. Legacy systems are aligned to organizational requirements and are firmly embedded in the organization's processes. However, organizations need to take extra care to ensure that they run on current technologies, follow strong development processes, have strong business integration and embed functional controls into the system.

3.1.2 Software Development Life Cycle (SDLC)

SDLC, the Software (or System) Development Life Cycle, is the process used to create or change information systems. A well-defined SDLC is necessary for efficient information systems. Various models have been created to meet this need, among them waterfall, spiral, incremental and rapid application development.

The principal SDLC stages in the most commonly used model are:

Business Requirement Analysis

Feasibility study

System requirement study

System design

Development


Integration and testing

Acceptance and release management

Maintenance

A structured approach to software development leads to better control, documentation, ease of maintenance and higher development and design standards. However, it may increase development time and cost. If an organization wants the flexibility to depart from the structured approach to suit operational needs, the rationale should be documented and approved, and it must be ensured that the internal control system is not compromised for the sake of expediency. It is also recommended that controls be embedded into the application at the design stage and validated at every stage of the project before the application is deployed in the live environment.

3.1.3 Software Development Practices

Software development is a complex and important area for all organizations. Apart from having a structured approach, better practices need to be adopted to arrive at a secure and well-designed software architecture. Some illustrative practices are mentioned below.

Source code is crucial intellectual property: it not only satisfies the business need but is also a repository of important organizational knowledge. The software library should have strong access, archival and modification controls and a monitoring mechanism.

The project system landscape should consist of three separate environments for development, testing and production. Procedural controls should be implemented to ensure that each activity is performed only in its respective environment.

Most web application software that manages and provides sensitive information across the web becomes a target for improper or illegal penetration. Attackers attempt to compromise such systems for personal gain. Security code testing verifies that the protection mechanisms built into the software withstand such attacks.

In spite of having the best application software, implementation processes and project teams, there are occasions when changes made to application systems have to be rolled back. Hence a contingency plan should be in place to deal with such situations effectively.


An illustrative system landscape is shown below:

System Landscape (diagram): Development (used by developers) -> Quality (used by testers and trainers) -> Production (used by end users)

3.1.4 Platform Vulnerabilities

Information systems are platform centric in nature. They may depend on a particular operating system, application software and development platform, and weaknesses in those platforms become weaknesses of the system. The exposure tends to be higher where the system in question is a legacy system developed by an internal team or an external vendor. A vulnerability may exist because of a weakness in the individual platform or a weakness in development. Platforms may also become obsolete because vendor support has expired or market usage has declined. To overcome these weaknesses, platform vulnerabilities need to be identified and removed. Further, information systems using obsolete platforms should be identified and upgraded to current platforms.

3.2 Reviews

An overview of application controls needs to cover:

Application architecture

Application functions

Application security

Application operations


Substantive review of application controls needs to cover:

Detailed design of the application architecture

Detailed functionality of application

Detailed security features of an application

Integrated review of application controls needs to cover:

Operational and financial effectiveness review

Ability of the application to meet functional, security, compliance and regulatory needs


Chapter 4: Identity and Access Management

4.1 Introduction

User identity and access management is one of the most basic requirements of any IT set-up. It establishes the credentials of users and the level and extent to which each user is permitted to transact with the system. All organizations, irrespective of their size and criticality, need a proper mechanism to control the user identities that access organizational systems. Today, the internal systems of organizations are also used and accessed by external users through various channels. Thus, user identity and access management applies to each and every IT asset and each and every type of user. Organizations differ from each other in the volume, complexity, granularity, level of automation and technologies used for authentication.

Elements that need detailed consideration for effective identity and access management are:

User request workflow management

Identification and authentication mechanism of users

Assignment of roles and privilege management

Privilege and security requirements at individual assets level

Mechanisms to enforce organizational policies at all granular levels

Monitoring exceptions and tracking misuse

For a large sized organization with multiple assets and constant flux of various types of users, the underlying process complexity rises exponentially. Further, the stakes of the organization are very large and any critical misuse by any user, apart from operational losses, may result in financial or reputational impact.

4.1.1 User Access management

Where public users access organization systems such as internet / mobile banking or online transaction business models, and where users or channel partners access organization resources through different channels, strong identity and access mechanisms need to be implemented.


A schematic view of the mapping of user access management processes is depicted below:

User -> Role -> Profile -> Authorization -> Authorization Object

A detailed mapping of the business requirement is necessary to exercise granular level access controls.

Organizations need to differentiate between different sets of administration activities, which results in proper segregation of duties. A schematic view of the same is tabulated hereunder.

Different types of Administrator users

User Administrator - activities performed: maintain user master records; assign roles and profiles to the user

Authorization Data Administrator - activities performed: change transaction selection; change authorization data; create authorizations

Profile Administrator - activities performed: create profiles

Different organizations achieve different levels of automation in user access management processes, e.g. use of smart card / biometric technologies, controls through two-factor or multi-factor authentication, integration of user identity management with Active Directory or an equivalent repository, and implementation of single sign-on technologies.

4.1.2 User Life Cycle Management

A schematic representation of how identity and access management process workflows are automated is given in the diagram on the next page.


4.2 Risks

Regardless of the level of technology adoption and process automation, operational gaps and technical loopholes remain, because of which organizations face system access related issues. Some of the common deficiencies at operational level include:

Improper management of the organization's role repository

Manual or inefficient tracking of user management requests

Lack of centralized visibility of the roles granted to a user across all resources

Delays in suspension / termination / revocation of user access rights

Diluting role-based access control mechanisms without establishing equivalent controls while granting permissions

User Life Cycle Management (diagram): Joining, Transfer, Separation and Contract Expiry events for Employees, Business Partners and Third Parties feed the Master Repository of Users; a request for granting access to a resource is evaluated against the Role Repository, the Authentication and Approval Rules and the Repository of asset-based access rules; Granting and Revoking Access and Timely Termination are then applied to the Assets: Data, Application, Infrastructure, Tools and Other resources.

4.3 Reviews

Overview of identity and user access management needs to cover:

Identity and access management policy and procedures

User life cycle management processes

Alignment of the identity and access management definitions with organizational requirements

Adequacy of the controls built in

Substantive checks on user identity and access management need to cover:

Role repository

Rules defined to access organizational data

Compliance with identity and access management policy and procedures

Functional checks on the identity and user access mechanism

Logging and monitoring of user life cycle processes

Verifying the user matrix to ascertain segregation of duties

Integrated checks on user identity and access management need to cover:

Identity and access architectural review

Review of activities by users with root or administrative privileges

Audit trail review

System-level object privileges

Integration of the user identity and access management process with other organizational processes
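Two of the checks called for in this chapter and in the insider threat discussion of Chapter 2 (timely termination of access, and need-to-know access with segregation of duties verified over the user matrix) can be run mechanically once the HR feed and the application's role repository are in hand. The following is an added example, not code from the publication: the HR roster, the account extract, the role names and the conflict matrix are constructed assumptions standing in for those two inputs.

```python
"""User life cycle and segregation-of-duties review over a constructed user/role extract.

Added example; not code from the RSM publication. Roster, accounts, roles
and conflict pairs are constructed assumptions.
"""
from datetime import date
from itertools import combinations

AS_OF = date(2024, 4, 5)   # review date for the constructed data

# Constructed HR feed: employee id -> (status, separation date or None)
HR_ROSTER = {
    "E100": ("active", None),
    "E101": ("separated", date(2024, 1, 31)),
    "E102": ("active", None),
    "E103": ("separated", date(2024, 3, 15)),
}

# Constructed application account extract: account -> (employee id, enabled, last login, roles)
ACCOUNTS = {
    "alice":   ("E100", True,  date(2024, 4, 2),  frozenset({"AP_INVOICE_ENTRY"})),
    "bob":     ("E101", True,  date(2024, 2, 3),  frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"})),
    "carol":   ("E102", True,  date(2024, 4, 1),  frozenset({"VENDOR_MASTER_MAINT", "AP_PAYMENT_RELEASE"})),
    "dave":    ("E103", False, date(2024, 3, 10), frozenset({"GL_POSTING"})),
    "svc_etl": (None,   True,  date(2023, 9, 1),  frozenset({"GL_POSTING", "AUDIT_LOG_ADMIN"})),
}

# Assumed conflict matrix: role pairs that one identity must never hold together.
SOD_CONFLICTS = {
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}),     # enter an invoice and pay it
    frozenset({"VENDOR_MASTER_MAINT", "AP_PAYMENT_RELEASE"}),  # invent a vendor and pay it
    frozenset({"GL_POSTING", "AUDIT_LOG_ADMIN"}),              # post entries and erase the trail
}


def lifecycle_exceptions(accounts, roster, as_of, dormant_days=90):
    """Accounts that should have been disabled or re-justified by the review date."""
    findings = []
    for acct, (emp, enabled, last_login, _roles) in accounts.items():
        if emp is None:
            findings.append((acct, "no accountable owner in HR roster"))
        else:
            status, sep_date = roster.get(emp, ("unknown", None))
            if status == "separated" and enabled:
                age = (as_of - sep_date).days if sep_date else 0
                findings.append((acct, f"still enabled {age} days after separation"))
            if sep_date and last_login > sep_date:
                findings.append((acct, "login recorded after separation date"))
        if enabled and (as_of - last_login).days > dormant_days:
            findings.append((acct, f"dormant for {(as_of - last_login).days} days"))
    return findings


def sod_violations(accounts, conflicts):
    """Identities holding a conflicting pair of roles (role-level segregation of duties)."""
    findings = []
    for acct, (_emp, _enabled, _login, roles) in accounts.items():
        for pair in combinations(sorted(roles), 2):
            if frozenset(pair) in conflicts:
                findings.append((acct, pair))
    return findings


if __name__ == "__main__":
    for acct, issue in lifecycle_exceptions(ACCOUNTS, HR_ROSTER, AS_OF):
        print(f"lifecycle  {acct}: {issue}")
    for acct, pair in sod_violations(ACCOUNTS, SOD_CONFLICTS):
        print(f"sod        {acct}: {pair[0]} + {pair[1]}")
```

On the constructed data the life cycle check flags the leaver whose account is still enabled and was used after the separation date, and the service account with no accountable owner that has been dormant for months; the segregation-of-duties check flags the invoice-and-pay and vendor-and-pay combinations, and the identity that can both post to the ledger and administer the audit log, which is exactly the 'suppressing system evidence and logs' threat from Chapter 2. A real review would replace the conflict matrix with the organization's own, and would run against the user-to-authorization-object mapping rather than coarse role names where the application supports it.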


Chapter 5: Project Management - Transformation

5.1 Introduction

All companies, irrespective of the nature and size of their business, undergo major changes to their information systems architecture through project implementation. Every project has its own objectives, plans, roll-out methodology, key success factors and specific deliverables. From the management point of view such projects need to be de-risked, as the investment in time and money is huge. Ventures such as ERP implementations, data centralization initiatives and IT infrastructure upgrades frequently face cost overruns. Individual project risks need to be identified, factored in and mitigated at every stage of the project, at both operating and transaction level.

5.2 Project Management

Important IT projects are generally implemented to transform the business model. The process of business transformation is depicted in the diagram below:

Since the stakes of the business in an IT transformation project are very high, a good project control management system needs to be in place.

5.2.1 Project management involves multiple sets of activities such as:

Identifying phases, tasks, milestones and specific deliverables

Resource allocation and resource optimization

Effective schedule management

Project monitoring and control activities

The use of Program Evaluation and Review Technique (PERT) or Critical Path Method (CPM) techniques helps the organisation identify and focus on key processes and milestones and allocate adequate resources, thereby reducing overall project implementation time and cost without affecting effectiveness. In CPM the tasks whose earliest and latest start times coincide (zero slack) form the critical path: any delay to one of them delays the whole project, so they warrant the closest monitoring and the first claim on resources.

Business transformation (diagram): Initial Status -> Business Process Reengineering -> ERP Implementation -> Data Migration -> Change to Operational Framework -> Transformed Status

An execution cycle of the project goes through initiation, planning, implementation and closure process. A good project control management needs to remain focused on cost control, incorporating security and process controls at right stages.

A schematic representation of the same is depicted in the diagram below:

5.2.2 Risks

Ineffective IT project management leads to various types of risks such as:

Organizational goals not met by the systems deployed

Underutilization of IT resources

Lower return on investment in IT assets

Cost over-runs

Low reliance on the applications

Maintenance of parallel records, dependence on manual checks and controls

Responsibilities and accountabilities cannot be fixed for lapses and delays

No link established between the project objectives and management objectives

Inability to get complete visibility of project progress

No identified improvement opportunities

Project execution cycle (diagram): Initiate -> Plan -> Implement -> Close, with Cost Controls, Security Controls and Functional Controls applied throughout Project Execution

5.2.3 Reviews

An overview of project control needs to cover:

Adequacy of the project planning and monitoring process

High level review of project control parameters

Overall user and management satisfaction levels

Substantive checks on project management need to cover:

Planned vs. actual progress of the program

Proposed vs. actual deliverables at various stages

Alerts on cost, security and functional controls

Integrated checks on project management need to cover:

Changes to the organization's IT posture pre and post implementation of the project

5.3 Business Process Re-engineering

5.3.1 Business Process Re-engineering is a pre-requisite for ensuring the success of IT project implementation.

With a change in the technology environment, the way the business operates also needs to change. However, certain old and counter-productive methods continue. This results in a lower return on investment in IT assets and other resources. Business Process Re-engineering is a technique to rebuild organization processes around specific business objectives.

Some of the other factors which necessitate process re-engineering are as follows:

Ineffective manual controls and unreliable systems

Over-dependence on people

Long turnaround time of organizational processes

Cost over-runs and wastage of resources

Major activities of any business process re-engineering involve:

Identification of business objectives

Evaluation of current business processes (As-is process)

Preparing a blueprint of future processes (To-be process)

Devising a process restructuring plan

Implementation of the process restructuring plan

5.3.2 Risks

Major causes of failure of business process re-engineering projects are:

Lack of clarity on user requirements, their definition, documentation and communication

Weak management commitment in terms of resources and direction

Weak technical support during and post implementation

Insufficient involvement of all the departments of the organization at the planning and implementation stage

5.3.3 Reviews

Overview of business process re-engineering needs to cover:

Adequacy of the coverage of Business Process Re-engineering projects

Checks on Business Process Re-engineering implementation

Substantive checks on business process re-engineering need to cover:

Effectiveness, design and operational controls post Business Process Re-engineering

Training and acceptance levels of the re-engineered business process

Integrated checks on business process re-engineering need to cover:

Meeting of business goals with the revised processes

Efficiency of the processes post Business Process Re-engineering implementation

Impact of Business Process Re-engineering on the overall organization IT posture

5.4 ERP Implementation

5.4.1 ERP implementation is a very critical activity with high business and financial impact. Many ERP implementations get delayed, result in partial configuration or misconfiguration and do not completely fulfill the intended objective. This results in underutilization of the time, effort and money invested in ERP systems, and in some instances parallel systems are also maintained to present financial results / MIS to management.

Management needs to pay attention to and address the requirements of the ERP implementation for effective and efficient use of IT and the other resources involved. The activities in an implementation project include, amongst others:

Defining the business objectives expected

Review of existing systems with a 'gap analysis' and creation of new system blueprints

Defining and configuring the required features in the ERP system

Master data sanitization

Creating a system prototype and building the test environment

User acceptance and training

Migrating to the production environment

Post-implementation review

ERP implementations should be done in a phase-wise manner for better manageability.

5.4.2 Risks

Major causes of failure of ERP implementation projects are:

Lack of clarity on user requirements, their definition, documentation and communication

Weak management commitment in terms of resources and direction

Weak technical support during and post implementation

Lack of commitment from all the departments of the organization at the planning and implementation stage

Poor quality of master data and basic system functionality configuration

Too many customized features compromising the spirit of the inbuilt checks and controls

Cost constraints leading to a restricted number of user licenses

5.4.3 Reviews

Overview of ERP implementation needs to cover:

ERP blueprint

Design of system, functional and deployment architecture

Organizational policies on ERP utilization

Basic configuration and access controls

Substantive checks on ERP implementation need to cover:

Functional processes and controls mapped to the ERP

Detailed review of system and deployment architecture

Detailed review of ERP configuration and access control

Integrated checks on ERP implementation need to cover:

Training and utilization effectiveness

Impact of customization on the ERP system

Overall impact of ERP implementation on the organizational environment

5.5 Data Migration

5.5.1 Adequate controls are required while migrating from one technology platform to another (say, from a manual system to an ERP system). These controls are needed at every stage, from planning through to 'go live'. One of the key milestones of any systems implementation is data migration, which involves building up the database of records on which the new system will work.

The desired scenario is to put in place effective controls at the data migration stage to ensure the correctness, completeness and reliability of the data migrated from the old system to the new system. Some of these include:

Completeness checks at data collection level

Correctness checks of data sanitization

Authorization / data validation checks

Integrity checks at data upload stage

Data sign-off post upload in the new system

Some of the pain areas that need to be addressed during data migration include:

Incompatibility of data definitions and structures

Validation and control differences across systems

Determination of data volume and scope to be migrated

Designing archival, retrieval and retention policies and procedures
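The completeness, correctness and integrity checks listed above, as an added example that is not part of the publication: a reconciliation of a source extract against the corresponding target load, of the kind that would back the post-upload sign-off. The record layout (a legacy vendor master moving to an ERP), the vendor ids and the discrepancies planted in the target are all constructed.

```python
"""Data migration reconciliation: completeness, correctness and integrity checks.

Added example; not code from the RSM publication. The source extract,
the target load and the discrepancies between them are constructed.
"""
import hashlib
from decimal import Decimal

# Constructed legacy extract: vendor id -> (name, bank account, open balance)
SOURCE = {
    "V001": ("Acme Supplies", "IN0011", Decimal("1250.00")),
    "V002": ("Bright Tools", "IN0022", Decimal("0.00")),
    "V003": ("Coastal Freight", "IN0033", Decimal("987.50")),
    "V004": ("Delta Parts", "IN0044", Decimal("410.25")),
}

# Constructed target load: V003 was dropped, V002's bank account was altered,
# V004's balance was truncated and V999 appeared from nowhere.
TARGET = {
    "V001": ("Acme Supplies", "IN0011", Decimal("1250.00")),
    "V002": ("Bright Tools", "IN9999", Decimal("0.00")),
    "V004": ("Delta Parts", "IN0044", Decimal("410.00")),
    "V999": ("Unknown Vendor", "IN0099", Decimal("75.00")),
}

FIELDS = ("name", "bank_account", "balance")   # assumed column names


def record_hash(rec):
    """Canonical hash of one record, so any field-level drift is detectable."""
    canonical = "|".join(str(f) for f in rec)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def reconcile(source, target):
    """Completeness (counts, missing/extra ids), correctness (control totals) and integrity (hashes)."""
    src_ids, tgt_ids = set(source), set(target)
    missing = sorted(src_ids - tgt_ids)
    extra = sorted(tgt_ids - src_ids)
    altered = sorted(v for v in src_ids & tgt_ids
                     if record_hash(source[v]) != record_hash(target[v]))
    src_total = sum(r[2] for r in source.values())
    tgt_total = sum(r[2] for r in target.values())
    return {
        "source_count": len(source), "target_count": len(target),
        "source_total": src_total, "target_total": tgt_total,
        "missing": missing, "extra": extra, "altered": altered,
        "balanced": not missing and not extra and not altered and src_total == tgt_total,
    }


def altered_fields(source, target, record_id):
    """Field-level diff for one altered record, as evidence for the sign-off file."""
    return [(name, s, t) for name, s, t in zip(FIELDS, source[record_id], target[record_id]) if s != t]


if __name__ == "__main__":
    report = reconcile(SOURCE, TARGET)
    print(f"records {report['source_count']} -> {report['target_count']}, "
          f"balance {report['source_total']} -> {report['target_total']}")
    print("missing:", report["missing"], "extra:", report["extra"], "altered:", report["altered"])
    for vid in report["altered"]:
        print(vid, altered_fields(SOURCE, TARGET, vid))
    print("sign-off possible:", report["balanced"])
```

The control total alone would not have caught the altered bank account (the balances still add up for that record), and the record count alone would not have caught a dropped record offset by an extra one; running counts, totals and per-record hashes together is what gives the sign-off its evidence. Extending the same idea to a larger migration means computing the hashes on the source side before extraction and on the target side after load, so that an alteration in transit shows up as a mismatch rather than being masked by re-reading the target.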

5.5.2 Risks

Some of the risks of inefficient data migration activities are as under:

Mismatch of data, incomplete data or incorrect data in the new system

Revenue loss in the form of loss of receivables, delayed payments to vendors attracting penalty / interest charges, and legal claims in case of data inaccuracies

Prolonged implementation activities resulting in parallel runs and duplication of effort

5.5.3 Reviews

Overview of data migration activities needs to cover:

Data migration plan, schedule, roles and responsibilities

Data migration sign-off process

Substantive checks over data migration activities need to cover:

Completeness checks at data collection level

Correctness checks of data sanity

Authorization / data validation checks

Integrated checks on data migration activities need to cover:

Effectiveness checks on migration activities

Legal and compliance implications of data migration


Chapter 6: Operations Framework

6.1 Introduction

The IT operational framework is the backbone of IT processes. Internal controls for IT operations aim at the efficient, effective and secure use of IT resources, so that the output generated through the systems is reliable. It is the prime responsibility of management to define, document, approve and communicate the IT operational framework through policies, procedures, instructions and guidelines. Some areas of the IT operational framework, such as data center operations, data processing operations and incident / log management, are covered below.

6.2 Data Center

6.2.1 Introduction

The data center is the central place in any organization where its key IT resources are securely located. It helps in hosting as well as monitoring critical IT resources under one roof. Organizations with stringent uptime requirements host their servers with certified data centers. Considering all standard data center requirements, including physical, environmental and infrastructure requirements and their effectiveness, professional data centers are classified into tiers as tabulated below.

Data centers hosting servers for various companies in shared or dedicated mode certify themselves against ISO 27001, ITIL and SSAE 16 (Type I or Type II) or TIA standards so as to ensure security, delivery and quality of process and to improve customer trust. Advanced data centers are also able to provide a managed DR solution.

Organizations that host their services with data centers need to be careful while choosing the services, configurations, service level agreements and non disclosure agreements. In case of super sensitive data, the responsibilities of protection and corresponding liability sharing for the same should be decided beforehand.

Data Center Tiers

Tier 1
Meaning: Non-redundant capacity components (single uplink and servers)
Typically used by: Small businesses
Uptime: 99.671%

Tier 2
Meaning: Tier 1 + redundant capacity components
Typically used by: Medium sized businesses
Uptime: 99.749%

Tier 3
Meaning: Tier 2 + dual-powered equipment and multiple uplinks
Typically used by: Large businesses
Uptime: 99.982%

Tier 4
Meaning: Tier 3 + all components fully fault-tolerant, including uplinks
Typically used by: Enterprises / corporations
Uptime: 99.995%

The uptime percentages correspond to roughly 28.8 hours, 22.0 hours, 1.6 hours and 26 minutes of downtime per year respectively, which is the figure to compare against the organization's recovery time objective before selecting a tier.

Key data center operations need to be governed by IS policy, procedure and guidelines which include:

Secure access to the data center and to critical servers, network devices and other equipment

Beginning of day (BOD) and end of day (EOD) activities as part of the overall internal control processes

Backup and recovery activities, along with testing

CCTV recording and monitoring of activities

Monitoring and ensuring uptime of servers, network connectivity and other equipment

Electronic media management

Environmental controls such as temperature, humidity, fire safety and uninterrupted power supply

Data centers need to follow stringent norms of building construction. Data centers should also have a tested evacuation and restoration plan to take care of various eventualities.

6.2.2 Physical Security of Data Center

Organizations need to attach high importance to physical security of the data center as significant information in various forms is processed at these locations.

Depending on the sensitivity and importance of the operations performed, the physical premises should be classified into zones, and each zone must have an appropriate level of access restriction, access identification and authorization requirements. Surveillance cameras and access control mechanisms should be in place to control and monitor sensitive areas. Physical access must be appropriately restricted. Delivery and loading areas should be isolated from information processing facilities to avoid unauthorized access.

A data center houses a large number of servers, network elements, system devices, and safety and security equipment. Further, a data center typically provides connectivity to the internal and external world. Physical security needs to be factored in while choosing the location, architecture and internal layout design, to take care of all eventualities and to prevent loss of human life and of the organization's information processing abilities.


There exist international standards and guidelines that provide sufficient input to build a secure data center.

Adequate and appropriate controls, such as prior intimation and authorization, issue of identity badges, an entry register, escort by authorized personnel and surveillance, are required to be implemented for controlling and monitoring visitors' access to areas where information processing resources are located, e.g. operational areas and the data center.

6.2.3 Risks

Risks observed due to weak internal controls for physical access:

- Physical damage to the data center due to natural calamities or man-made attacks

- Data center premises getting cut off from the rest of the organization

- Unauthorized access to information or assets, including cyber-attacks

- Breach of confidentiality of data through theft of devices

- Legal impacts arising out of mismanagement of historical data or archives

6.2.4 Reviews

A review of physical access control needs to cover:

- Adequacy of information security policy and procedures

- Adequacy and appropriateness of the mechanism to secure access to various areas by physical visit

- Management oversight over physical access controls

Substantive checks of physical access controls need to cover:

- Review of records and logs

- Adherence to operational procedures

- Adherence to environmental controls

Integrated checks of physical access controls need to cover:

- Effectiveness of the control mechanism vis-à-vis business/functional requirements

- Industry benchmark comparison and compliance with organizational policies
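One way to carry out the substantive check of physical access records and logs described above is to test a badge-reader register against the zone classification, the badge authorization levels and the visitor passes (prior authorization, escort, time window). The following Python script is an added example and is not part of the RSM publication; the zone names, badge numbers, visitor pass and log lines are all constructed for illustration.

```python
"""Review of a data center badge-access register (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Zones ordered by sensitivity: a higher number needs a higher authorization level (constructed)
ZONES: Dict[str, int] = {"LOBBY": 0, "OFFICE": 1, "SERVER_HALL": 2, "NETWORK_ROOM": 3}

# Employee badge -> highest zone level the holder is authorized to enter (constructed)
BADGE_LEVEL: Dict[str, int] = {"E100": 3, "E200": 1}

# Visitor pass -> (escort badge, authorized zone, authorized time window) (constructed)
VISITOR_PASS: Dict[str, Tuple[str, str, Tuple[datetime, datetime]]] = {
    "V900": ("E100", "SERVER_HALL",
             (datetime(2012, 6, 1, 9, 0), datetime(2012, 6, 1, 12, 0))),
}

# Constructed badge-reader export: date time badge zone IN/OUT escort-badge-or-dash
ACCESS_LOG = """\
2012-06-01 08:55 E100 SERVER_HALL IN -
2012-06-01 09:10 V900 SERVER_HALL IN E100
2012-06-01 10:02 E200 SERVER_HALL IN -
2012-06-01 11:30 V900 SERVER_HALL OUT E100
2012-06-01 13:05 V900 SERVER_HALL IN -
2012-06-01 13:40 V900 SERVER_HALL OUT -
2012-06-01 17:10 E100 SERVER_HALL OUT -
"""


@dataclass
class AccessEvent:
    when: datetime
    badge: str
    zone: str
    direction: str          # "IN" or "OUT"
    escort: Optional[str]   # escort badge recorded at the reader, if any


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the badge-reader export into events (one line per swipe)."""
    events = []
    for line in text.splitlines():
        date, time, badge, zone, direction, escort = line.split()
        when = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M")
        events.append(AccessEvent(when, badge, zone, direction,
                                  None if escort == "-" else escort))
    return events


def review(events: List[AccessEvent]) -> List[str]:
    """Return review findings as human-readable exceptions, in log order."""
    findings = []
    open_entries: Dict[Tuple[str, str], datetime] = {}  # (badge, zone) -> entry time
    for ev in events:
        key = (ev.badge, ev.zone)
        stamp = f"{ev.when:%H:%M} {ev.badge}"
        if ev.direction == "OUT":
            open_entries.pop(key, None)   # an exit closes the matching entry
            continue
        open_entries[key] = ev.when
        if ev.badge in BADGE_LEVEL:
            # Employee: zone level must not exceed the badge's authorized level
            if BADGE_LEVEL[ev.badge] < ZONES[ev.zone]:
                findings.append(f"{stamp}: entered {ev.zone} above authorized level")
        elif ev.badge in VISITOR_PASS:
            # Visitor: must match the pass's zone, time window and recorded escort
            escort, zone, (start, end) = VISITOR_PASS[ev.badge]
            if ev.zone != zone:
                findings.append(f"{stamp}: visitor entered {ev.zone}, pass is for {zone}")
            if not start <= ev.when <= end:
                findings.append(f"{stamp}: visitor entry outside authorized window")
            if ev.escort != escort:
                findings.append(f"{stamp}: visitor entry without authorized escort {escort}")
        else:
            findings.append(f"{stamp}: badge not on the authorization register")
    # Entries never closed by an exit swipe (tailgating out, or reader/record gap)
    for (badge, zone), when in open_entries.items():
        findings.append(f"{badge}: no exit recorded from {zone} after {when:%H:%M}")
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(ACCESS_LOG)):
        print(finding)
```

Against the constructed register the script raises four exceptions: an employee badge entering the server hall above its authorized level, a visitor re-entering after the authorized window without the named escort (two findings), and the employee entry that was never closed by an exit swipe.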


6.3 Operational Controls

6.3.1 Business operations include the entire gamut of operational activities; a few illustrations are mentioned below.

- Call center operations handling customer data for query resolution

- Business operations handling activities such as billing, collection, purchase, etc.

- Transaction processing, such as batch uploads, cheque printing and image processing

- Day-to-day operations at service and sales outlets

- Backend processing by third parties

- Public place operations, including ATM and kiosk operations, cash collection centers and so on

Organizations also need to have administrative functions at various layers, such as:

- Operating system

- Database

- Applications

- Various infrastructure layers

Any operational error in an administration function has huge costs for the organization in terms of downtime, reliability of systems and loss of productivity. Incorrect configuration of business parameters can directly have a business, revenue and reputation impact. Further, as administrators are often trusted resources, there exist possibilities of system misuse.

Day-to-day checks and balances, security procedures and periodic revalidations are necessary to ensure the correctness and completeness of data processing.

All normal IT operations and business operations constantly undergo changes as per organizational needs. In practice, they face practical issues that disrupt operations for various reasons. A good organization is able to establish a good incident management and log management system.

6.3.2 Change Management

As all entities of the business constantly undergo changes, effective change control management processes are very critical to the process of IT assurance.

A change management control process needs to address the following:

- Planning and communication related to change management

- Approval tracking process

- Business impact analysis, including business security impact

- Appropriate testing and acceptance

- Implementation of the change in the production environment

- Handling emergency changes and special processes

- Monitoring the production environment for changes, and rollback controls

- Tracking changes to configuration items

- Retention requirements
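The points on monitoring the production environment for changes and tracking changes to configuration items can be operationalized by reconciling the change register against before/after snapshots of configuration-item content hashes: every item that changed must be covered by an implemented, approved change (approved by someone other than the requester, and tested unless it was an emergency change), and every record claiming implementation must correspond to a real change. The script below is an added example and is not the publication's own material; the change tickets, configuration-item names, people and hashes are all constructed.

```python
"""Reconciling production configuration drift with the change register (added example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ChangeRecord:
    ticket: str
    item: str          # configuration item the change applies to
    requester: str
    approver: str      # empty string if no approval has been recorded
    tested: bool       # testing and acceptance completed
    emergency: bool    # emergency change: may skip testing, but still needs a recorded approval
    status: str        # "draft", "approved", "implemented" or "rolled_back"


def digest(content: str) -> str:
    """Content hash used to detect whether a configuration item changed."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


# Constructed snapshots of configuration items taken before and after a deployment window
BEFORE: Dict[str, str] = {
    "fw/edge.rules": digest("rules v1"),
    "db/params.cnf": digest("params v1"),
    "app/web.xml": digest("web v1"),
    "os/sshd_config": digest("sshd v1"),
    "os/ntp.conf": digest("ntp v1"),
}
AFTER: Dict[str, str] = {
    "fw/edge.rules": digest("rules v2"),
    "db/params.cnf": digest("params v1"),
    "app/web.xml": digest("web v2"),
    "os/sshd_config": digest("sshd v2"),
    "os/ntp.conf": digest("ntp v2"),
}

# Constructed change register for the same window
CHANGES: List[ChangeRecord] = [
    ChangeRecord("CHG-001", "fw/edge.rules", "alice", "bob", True, False, "implemented"),
    ChangeRecord("CHG-002", "app/web.xml", "carol", "carol", True, False, "implemented"),
    ChangeRecord("CHG-003", "db/params.cnf", "dave", "bob", False, False, "approved"),
    ChangeRecord("CHG-004", "os/sshd_config", "erin", "", False, True, "implemented"),
]


def changed_items(before: Dict[str, str], after: Dict[str, str]) -> List[str]:
    """Configuration items whose hash differs (added or removed items count as changed)."""
    return sorted(i for i in set(before) | set(after) if before.get(i) != after.get(i))


def reconcile(before: Dict[str, str], after: Dict[str, str],
              changes: List[ChangeRecord]) -> List[Tuple[str, str]]:
    """Return (item, finding) pairs: drift without a record, or records that break the process."""
    findings = []
    by_item: Dict[str, List[ChangeRecord]] = {}
    for c in changes:
        by_item.setdefault(c.item, []).append(c)
    for item in changed_items(before, after):
        covering = [c for c in by_item.get(item, []) if c.status == "implemented"]
        if not covering:
            findings.append((item, "changed in production with no implemented change record"))
            continue
        for c in covering:
            if not c.approver:
                findings.append((item, f"{c.ticket}: implemented without recorded approval"))
            elif c.approver == c.requester:
                findings.append((item, f"{c.ticket}: approver is the requester (no maker-checker)"))
            if not c.tested and not c.emergency:
                findings.append((item, f"{c.ticket}: deployed without testing and acceptance"))
    # Records claiming implementation where the item did not actually change
    for c in changes:
        if c.status == "implemented" and before.get(c.item) == after.get(c.item):
            findings.append((c.item, f"{c.ticket}: marked implemented but item is unchanged"))
    return findings


if __name__ == "__main__":
    for item, finding in reconcile(BEFORE, AFTER, CHANGES):
        print(f"{item}: {finding}")
```

On the constructed data the reconciliation accepts the firewall change, flags the self-approved application change, flags the time-service file that changed with no record at all, and flags the emergency SSH change that was never given its post-implementation approval; the approved-but-not-deployed database change raises nothing because the item did not change.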

A change management process needs to exist for all assets, at all layers, to establish authenticity and auditability. A schematic change management process cycle is depicted below.

[Figure: Change Management Process cycle: Origin & Authorization → Traceability & Evidence → Testing & Validation → Deployment & Monitoring]

6.3.3 Incident Management

A formal incident response capability across all operational units should be established to minimize damage from security incidents, to recover from them and to learn from them. It should include detection, initiation, evaluation, containment, eradication, recovery, closure of the incident, evidence collection and, where necessary, preservation of admissible evidence.

6.3.4 Log Management

Log management is perhaps the most critical activity for verifying that systems are functional and controlled. Logs collected in a secure manner provide crucial evidential value, can be used to trace / detect system anomalies and frauds, and provide a rich source for troubleshooting activities.

Some of the illustrative events that should be captured by log management are as follows:

- Activity start and finish times

- User login and logout times, including success and failure indication

- System errors and exceptions

- Confirmation of the correct handling of data files and computer output

- Logical access attempts

- Creation and deletion of system-level objects

- Transaction logs

Administrative logs need to be created, captured and diverted without allowing system administrators to intervene in the system. Log collectors that collect data through mirrored activities should not add performance overheads to the main system.

Logs across various devices and applications need to be normalized where aggregation and correlation are required. A well configured correlation engine builds the intelligence to detect various types of system exceptions, frauds and symptoms of cyber attacks at an early stage.

High-end organizations create a security operations center to monitor events on a real-time basis.
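The normalization and correlation described above can be illustrated with a small engine that parses three unrelated log formats (a syslog-style SSH daemon line, a key=value application audit line and a CSV export of Windows security events) into one common event shape, and then applies a single rule across all of them: a user/source pair with several failed logins within a short window followed by a success, one early symptom no single source would show on its own. This Python block is an added example and is not from the RSM publication; the log lines, host names, users and addresses are constructed, the syslog lines are assumed to belong to the year 2012 since syslog timestamps omit the year, and the rule threshold (three failures in five minutes) is an assumed tuning value.

```python
"""Normalizing heterogeneous logs and correlating them (added example, constructed data)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample: three sources, three formats, one incident spread across them
LOG_LINES = """\
Jun  1 09:00:01 gw01 sshd[2211]: Failed password for admin from 10.0.0.7 port 5111 ssh2
Jun  1 09:00:09 gw01 sshd[2211]: Failed password for admin from 10.0.0.7 port 5112 ssh2
2012-06-01T09:00:30Z app=billing user=admin src=10.0.0.7 action=login result=FAIL
2012-06-01 09:01:05,SECURITY,4625,admin,10.0.0.7,Logon,Failure
2012-06-01T09:02:10Z app=billing user=admin src=10.0.0.7 action=login result=OK
2012-06-01 09:30:00,SECURITY,4624,jane,10.0.0.9,Logon,Success
"""

SYSLOG_YEAR = 2012  # assumption: syslog timestamps carry no year


@dataclass
class Event:
    """Common shape every source is normalized into."""
    when: datetime
    source: str
    user: str
    host: str       # originating address
    action: str     # e.g. "login"
    outcome: str    # "success" or "failure"


SSHD_RE = re.compile(
    r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")


def normalize(line: str) -> Optional[Event]:
    """Map one raw line from any of the three formats into an Event, or None if unrecognized."""
    m = SSHD_RE.match(line)
    if m:
        mon, day, hms, verb, user, src = m.groups()
        when = datetime.strptime(f"{SYSLOG_YEAR} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
        return Event(when, "sshd", user, src, "login", "success" if verb == "Accepted" else "failure")
    if " app=" in line and " user=" in line:          # key=value application audit line
        ts, rest = line.split(" ", 1)
        kv = dict(p.split("=", 1) for p in rest.split())
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        return Event(when, kv["app"], kv["user"], kv["src"], kv["action"],
                     "success" if kv["result"] == "OK" else "failure")
    parts = line.split(",")
    if len(parts) == 7 and parts[1] == "SECURITY":   # CSV export of Windows security events
        when = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
        action = "login" if parts[5] == "Logon" else parts[5].lower()
        return Event(when, "windows", parts[3], parts[4], action, parts[6].lower())
    return None


def normalize_all(text: str) -> List[Event]:
    return [e for e in (normalize(line) for line in text.splitlines()) if e is not None]


def correlate(events: List[Event], min_failures: int = 3,
              window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Flag a user/host with at least min_failures failed logins inside `window` followed by a success."""
    alerts = []
    recent: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.when):   # time order across all sources
        if ev.action != "login":
            continue
        key = (ev.user, ev.host)
        recent[key] = [t for t in recent[key] if ev.when - t <= window]  # drop stale failures
        if ev.outcome == "failure":
            recent[key].append(ev.when)
        elif len(recent[key]) >= min_failures:
            alerts.append(f"{ev.user}@{ev.host}: {len(recent[key])} failed logins within "
                          f"{int(window.total_seconds() // 60)} min followed by success at "
                          f"{ev.when:%H:%M:%S} via {ev.source}")
            recent[key] = []
    return alerts


if __name__ == "__main__":
    for alert in correlate(normalize_all(LOG_LINES)):
        print(alert)
```

Note that the four failures are spread over the SSH daemon, the billing application and a Windows host; only after normalization into one user/host key does the rule see them as a single sequence ending in a successful billing login.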

6.3.5 Periodic Review of Control Practices

Periodic review of the internal controls established is required to assess the control design effectiveness and operational effectiveness. This enables the management to assess the state of overall IT governance practices within the organization.

Such reviews are preferred if:

- Carried out at regular intervals

- Comprehensive in nature

- Matching organizational practices with industry best practices

- Performed by independent reviewers


6.3.6 Risks

Risks arising due to weak operational controls are as follows:

- Disrupted operational activities due to a delayed or unstructured approach to responding to security incidents

- Recurring breakdown of systems/applications due to poor maintenance

- Prolonged application development activities due to unplanned change management activities

- Non-availability of old data due to inadequate backup and restoration practices

- System misuse or fraudulent activities not getting noticed during the operational flow

6.3.7 Reviews

Overview of operational controls needs to cover:

- Adequacy of operational policies and procedures

- Definition of roles and responsibilities towards operations as well as information security

- Checks and balances built into all the aspects of IT operations management

Substantive checks of operational controls need to cover:

- Batch process controls

- System change management controls

- Incident management with root cause analysis

- Detailed review of log management architecture

Integrated checks of operational controls need to cover:

- Effectiveness of operational framework

- Fulfillment of compliance requirements related to operational controls


Chapter 7: Protecting Data Layer

7.1 Introduction

The traditional approach to information security is focused on enterprise architecture, whereas a significant part of an enterprise's sensitive data is in unstructured formats. There exist challenges in protecting unstructured data, especially in light of the trend of outsourcing and offshoring. The consequences of data leakage can include loss of competitive advantage, possible financial liability, litigation and violation of intellectual property regulations. International bodies and governments have passed stringent legislation that requires organizations to build reasonable practices to protect data assets.

Data classification is an essential prerequisite for a data protection strategy and its implementation. Good data classification is necessary not only from a technical and operational point of view, but also for optimizing system designs and controlling the costs of the organization. A good data flow analysis of documents gives insights into the data protection requirements.

Information resources are classified according to levels of sensitivity and criticality, taking into account business, legal, regulatory, contractual and internal requirements. For each classification level, a different set of handling procedures needs to be devised, covering processing, storage, transmission and destruction of data. It is also essential that data owners and data custodians are identified for all information.

Additional controls are necessary for roaming users operating through hand-held devices. In the light of fast-changing and user-friendly technologies, the risk of data exposure is high, and often the business needs to leverage the ease of data access. It is therefore challenging to establish an appropriate trade-off between the diverse objectives of the business. An improper exercise results in cost and project overruns without fulfilling the data protection objectives.

An illustration of the cost impact of unclassified and unmanaged data is shown on the next page.

An open network with multiple open USB drives increases the overheads on the Data Leakage Protection (DLP) monitoring engine.


Stamping of documents with digital rights is necessary to ensure that documents are handled safely across the entire data flow. There is an increasing trend to protect data that has moved out of the organisation through information rights management technologies. This is essentially a model for borderless data protection requirements.

Data protection controls are extremely important for PCI DSS compliance (for protection of credit card data), HIPAA compliance (for protection of medical records) and compliance with privacy laws, as well as for protecting sensitive information such as companies' marketing and strategic plans, customers' call data records, legal documents and creative work. Compliance with these laws enhances reputation and increases the customer trust level.

[Figure: Cost impact of unclassified and unmanaged data. End points with open USB drives (malware threats, data copy threats) report to a DLP end-user monitoring server, which feeds the DLP core engine where the DLP rules are applied. The more USB drives are left open, the higher the load on the server and the deployment cost.]

7.2 Risks

Following are some of the risks involved in weak controls over data:

- Unauthorized access (confidentiality), usage and modification (integrity) of classified information

- Leakage of classified business information

- Breach of contractual obligations to ensure adequate protection of information and assets

- Violation of legal provisions to ensure privacy of personal data

7.3 Reviews

An overview of data protection controls would need to cover:

- Adequacy of information security policy and procedures

- Information and assets classification methodology

- Information security awareness for end users

Substantive checks over data protection need to cover:

- Data flow analysis for selected classified data elements

- User-role-authentication management related to data flow

- Rules for acceptable use of information processing assets

- Logical access and logging controls

- Data encryption and data leak prevention controls

Integrated checks over data protection need to cover:

- Compliance with legal / contractual obligations of data privacy and confidentiality

Chapter 8: Business Continuity Planning Framework

8.1 Introduction

Natural disasters and business disruptions beyond the control of the organization are necessarily part of the organization's risk profile and risk management strategy. Natural disasters/physical threats could also lead to unauthorized access to critical data, loss of critical data or unavailability of resources, which could hamper the business continuity of an organization, eventually leading to monetary loss for the organization.

Natural disasters/physical threats could damage systems beyond repair. Retrieving data from physically damaged equipment is a time-consuming and expensive affair, which also involves the risk of incomplete or inconsistent data being restored.

In the modern digitalized world, organizations also need to build cyber resilience. This includes hardening digital infrastructure to be more resistant to attacks, penetration and disruption; improving ability to defend against sophisticated and agile cyber threats and recovering quickly from cyber incidents.

8.1.1 Defining the Level of Criticality

The linkage between BCP and DRP is often talked about, and there exists a perception that business continuity plans are normally associated with disasters. It needs to be understood that a Business Continuity Plan needs to exist for any disruption, whether momentary, temporary or long term. A local commotion, a traffic disruption or one office unit getting cut off from the rest of the organization also needs to be taken into consideration while planning for business continuity. Normally, crisis levels for operations need to be defined and continuity plans need to be tailor-made accordingly. Crisis levels need to be defined taking into consideration the financial, process, legal, contractual and people impact, and the severity of the same.

The level of criticality needs to be identified and analyzed at the individual asset level as well as at the corporate level.

8.1.2 Disaster Recovery (DR) Site

Successful recovery of business operations and restoration to normalcy with minimum impact on resources in case of any planned/unplanned event is the only evidence that proves the effectiveness of business continuity management. For this, appropriate disaster recovery policy and procedures need to be defined, documented, approved and communicated by the management. Besides that, appropriate infrastructure has to be set up at the disaster recovery site to ensure meeting the recovery time objective (RTO) and recovery point objective (RPO) defined in the business continuity plan.

Considerations for setting up a disaster recovery plan include:

- Recovery objectives

- Nature of DR site desired

- Logistics of recovery

- Geographic considerations

- Design vs. opportunity cost

8.1.3 BCP / DR Cycle

A typical BCP/DR cycle covers the activities depicted in the following diagram.

[Figure: BCP/DR cycle. Triggers* → Invoke BCP → Assess level of crisis → Invoke continuity programme as per the level. Transition: synchronization, alternate site operation, diversion, communication, backend checks. Restoration: system recoveries, network recoveries, synchronization, communication. Assessment: financial impact, litigation impact, system / process impact, people impact. Learning: corrective actions, program improvements, skill improvements, refined program.]

* Triggers mainly include system cut-off, performance degradation, link going down, operational failure and disaster.

Triggers may include any abnormal activity such as system cut-off, performance degradation, operational failure or disaster.

Sometimes it is not possible to replicate all business functions at the DR site. Hence, a scaled-down version of critical activities at an alternate site can be considered.

8.1.4 Test Plan Coverage

Testing of the BCP is sometimes considered an operational overhead, and organizations find it difficult to schedule. A good BCP has multiple objectives, and the frequency of testing each objective could vary so as to give total assurance that the plan is working and current. This also reduces downtime of the environment and helps better planning.

8.1.5 Formal announcement of disaster

It is required that the organization formally announces the fact of disaster and working state of operations from disaster recovery site. Similarly, restoration of primary site and resumption of operations from the same also need to be formally communicated to all the stakeholders.

8.1.6 Contingency and security breach

Organizations need to exercise utmost precaution that no security breach occurs during or after the contingency plan is invoked. This is because quite often organizations cannot create the same set of security measures as those configured at the original site.

8.2 Risks

Risks due to inadequate BCP:

- Loss of human life, assets or information

- Disruption/ discontinuance of business operations

- Financial losses due to loss of assets and/or business

- Loss of reputation/credibility

- Non-compliance with time-bound regulatory requirements

8.3 Reviews

An overview of the business continuity plan needs to cover:

- Adequacy of business continuity and disaster recovery plans and procedures

- Methodology for business impact analysis and risk assessment

- Adequacy of backup of data, off-site storage and periodic data restoration

- Awareness of the disaster recovery plan and contingency

Substantive checks of the business continuity plan need to cover:

- Testing of backup, off-site data storage and periodic data restoration activities

- Effectiveness of drills on evacuation and disaster recovery

- Availability of data and other resources at the disaster recovery site

- Review of actual work done at the disaster recovery site

- Validation of Business Impact Analysis, Recovery Time and Recovery Time Objectives

- Emergency handling procedures

Integrated checks of the business continuity plan need to cover:

- Analyzing interdependencies of the systems and impact on the eco-system

- Validating legal, financial and other implications

- Effectiveness of the business continuity plan vis-à-vis business requirements

- Compliance with legal / contractual obligations of data confidentiality and availability

Chapter 9: Human Interface to IT Systems

9.1 Introduction

Human interface is considered a strong as well as a weak link in the chain of information system management. Participation of employees must be increased through repetitive programs to ensure that they are aware of end-user responsibilities towards the organization, such as:

- Taking all reasonable precautions to protect information systems against unauthorized access, use, disclosure, modification, duplication or destruction

- Using information systems only as appropriate to their job responsibilities

- Using information systems in a manner which ensures compliance with laws and internal policies and procedures

- Reporting security problems or issues through appropriate channels

- Following systems and procedures effectively

9.1.1 User Awareness

Organizations need to motivate employees adequately to participate in IT implementation, risk management, incident response, disaster management and whistle-blowing programs to safeguard IT investments.

With increasing outsourcing and hosting activities, third parties, such as channel partners, data entry operators, vendors, customers, auditors, regulators, connected entities, payment gateways and various intermediate agencies, participate in IT operations. Manually, courier agencies carry backup tapes, ATM and financial PIN numbers, statements and customer confidential data. Apart from conventional third-party Non-Disclosure Agreements, it is necessary to ensure that liability in case of a data security breach or otherwise is formalized.

Training of users constitutes a major factor in the success of IT system deployment. An effective training program enhances system utilization, reduces operational errors and helps in early detection of system anomalies.

IT security policy and procedures should categorically include the consequences of violation of information security controls, which would include penalty / punitive action depending upon the context and severity of the breach. This may include, but is not limited to:

- Warning/Caution

- Suspension

- Termination

- Legal proceedings

- Financial compensation for losses

9.2 Risks

The following factors make it important to pay due attention to the human interface while addressing IT systems assurance:

- Lack of user awareness on management of information systems

- Significant risk of insider computer fraud

- Collusion of external (vendors) and internal (employees) parties for fraud or information leakage

- Absence of adequate measures to ensure employee screening before assigning key responsibilities

- Lack of maker-checker control and segregation of duties

- Manipulation and alteration of evidence or logs

- Employees or users not rotating their responsibilities, thus creating excessive people dependencies

- Trusted users misusing system resources, which is one of the major reasons why organizations sometimes face significant financial or reputation losses

9.3 Reviews

Overview of human interface includes review of:

- Non-disclosure and confidentiality agreements with vendors and third parties

- Awareness and training process

Substantive checks of human interface include review of:

- Employee screening process

- Role definitions and profiling requirements

- Segregation of duties and structural checks / balances

Integrated checks of human interface include review of:

- Training effectiveness

- Safeguards from suspicious activities

Chapter 10: Compliance and Regulatory Framework

10.1 Introduction

Information Technology Systems have a very high and long-term impact on the internal controls of the organization as well as on external customer services. Therefore, regulators and governing bodies across nations have created various frameworks, mandatory standards and suggestive guidelines to ensure proper IT governance. Apart from these, industries, consortiums and voluntary groups have contributed to the evolution of best practices and technical standards in diverse areas of IT management. Some of these are illustrated below.

10.2 ISO/IEC 27001:2005 Standard

This standard provides a model for establishing, implementing, operating, monitoring, maintaining and improving an Information Security Management System (ISMS). The standard adopts the “Plan – Do – Check – Act” (PDCA) model, which is applied to structure all ISMS processes. Compliance with the standard leads to certification by accredited agencies, which helps enhance customer confidence, meet contractual requirements and assure stakeholders about the confidentiality, integrity and availability of information.

Alignment of organizational information security management systems with internationally recognized practices facilitates:

- Systematic efforts to improve internal controls and operational efficiency

- Assurance to clients / customers and other stakeholders on standard practices to ensure confidentiality, integrity and availability of their data

10.3 BS 25999 / ISO 22301 Standard

This standard provides a comprehensive methodology for developing and implementing business continuity within organizations. Adopting these standard practices improves the resilience of the organization when faced with a crisis situation. Major activities for adopting this standard include:

- Business Impact Analysis

- Identification of critical activities


- Determining continuity requirements

- Evaluating threats to critical activities

- Devising risk responses to reduce the likelihood and impact of incidents

- Devising a strategy to facilitate continuity or recovery of critical activities

All types of organizations can adopt the standard practices advocated by an internationally recognized body of standards, which helps in:

- Adopting structured and organized measures to minimize the impact of business disruption

- Assurance to clients/customers and other stakeholders on availability of services in case of disaster

- Improved compliance with regulatory requirements and management policies

- Recognition by the standards body through certification

- Improved image of the organization

In May 2012, ISO released the ISO 22301 standard, which specifies requirements for setting up and managing an effective Business Continuity Management System (BCMS).

10.4 PCI DSS

This standard stands for Payment Card Industry – Data Security Standard. In the modern digitized world, a significant amount of financial transactions take place through credit / debit cards and equivalent instruments. Such payments are real-time, global and processed through multiple channels. This involves huge monetary transactions globally, involving customers, financial institutions and payment processors, who are always concerned about the veracity of the transactions. Various security measures were deployed in the past to ensure the sanity and confidentiality of transactions. In order to generate uniformity and trust in these systems, American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International established a universal PCI DSS standard. This standard is applicable to all industries, bankers, merchants and processors who capture, store, process and transmit payment card data in any format. PCI DSS is one of the most comprehensive standards to comply with, as it handles process and technology requirements simultaneously. A single area of non-compliance attracts huge penalties.

10.5 ITIL – V3 Framework

ITIL is a public framework that describes best practice in IT service management, applicable to all service organizations. It provides a framework for the governance of IT, and focuses on the continual measurement and improvement of the quality of IT service delivered, from both a business and a customer perspective. This focus is a major factor in ITIL’s worldwide success and has contributed to its prolific usage and to the key benefits obtained by those organizations deploying the techniques and processes throughout their organizations.

10.6 CIS Benchmarks

The Center for Internet Security (CIS) is focused on enhancing the cyber security readiness and response of public and private sector entities. CIS Security Benchmarks improve an organization's security posture by helping it reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls. They provide enterprises with consensus best-practice standards for security configurations, as well as resources for measuring information security status and for making informed decisions about security investments. CIS has a comprehensive list of benchmarks for different operating systems, databases, browsers and virtual platforms.

10.7 OCTAVE Methodology

The Computer Emergency Response Team (CERT) has introduced the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method. OCTAVE is an approach for managing information security risks. It has been designed to be sufficiently flexible to accommodate the unique needs of an organization. Organizations should create teams of business and IT staff tailored to the organization's unique risk environment, security and resiliency objectives, and risk-based assessment.

10.8 Data Privacy Requirements from Legal and Compliance Perspective

Stringent penal actions introduced through the amendments to various sections of the Information Technology Act, 2000 have attracted the attention of organizations operating in India to ensure the protection of personal information of customers, vendors, business partners, employees and third parties. Stringent data privacy laws with penalties exist across the globe. Privacy of personal information has to be ensured at the time of collection, processing (use, transfer, disclosure and disposal) as well as storage. Organizations have to devise a comprehensive privacy policy and framework to address the data privacy requirements.

All organizations, including intermediary service providers, are now legally compelled to protect customer sensitive information. Negligence in implementing and maintaining reasonable security practices can lead to litigation and impact the organization's reputation. The reasonable measures need to include:

- Measures to prevent unauthorized access and use of personal information of customers or third parties

- Measures to prevent incidents of data theft, identity theft, credit card fraud, bogus insurance claims, mortgage fraud, etc.

- Measures covering the whole life cycle of data collected, processed, stored, transmitted or disposed of by the organization

Adopting the ISO 27001 standard is one of the ways organizations can claim to have followed reasonable security practices.

10.9 Laws Related to Intellectual Property

Following are the key regulations governing intellectual property rights in India:

- Copyright Act, 1957

- Trade Marks Act, 1958

- Patents Act, 1970

Besides these, there are other acts, such as the Geographical Indications of Goods (Registration and Protection) Act, 1999 and the Designs Act, 2000, which protect the unique properties of a product or a work with distinct features.

The Copyright Act protects computer software, which may be of ‘Freeware’, ‘Shareware’ or paid ‘Licensed’ nature. A license may be time-based, user-based or feature-based. A software license prohibits modification, adaptation, translation, decompiling, reverse engineering, disassembling, etc. of the respective software, and any violation attracts penal action.

Chapter 11: Impact of Contemporary Trends

Information Technology and Information Technology Enabled Services (ITES) are constantly shaping industries. Therefore, even the best IT assurance programs cannot be static. In fact, an IT assurance program has more challenges to meet, as changes in the IT environment may cut across several dimensions of the organization. Changes due to contemporary trends need to be accepted in a structured and controlled manner to make a long-term success of them. Some of these trends are discussed for illustration purposes.

11.1 Virtualization

Virtualization refers to the creation of a virtual instance of hardware, an operating system, a storage device, network resources or software. It is not limited to servers or critical resources but can be further extended to individual assets using VDI, or Virtual Desktop Infrastructure. Virtualization benefits the organization by helping in consolidation, flexible architectures, increased resource utilization and a more efficient disaster recovery mechanism. Virtualization is also the initial step for organizations moving towards cloud computing. But security, performance and reliability considerations are seen as major deterrents to adoption of the technology. Organizations can overcome these deterrents by adopting good management practices in deployment, laying down security controls and addressing virtualization-related techniques (e.g. VM management) in accordance with the changed scenario.

11.2 Cloud Computing

Cloud computing has emerged as a strong trend impacting the way IT serves the business. It offers software, platform and infrastructure as a service (SaaS, PaaS and IaaS). This has increased scalability, adoption of newer technologies and the available options, in addition to the reduced costs and change-over periods it offers. However, this also comes at the risk of reduced control, security and reliability due to increased vendor dependence. These concerns need to be addressed by creating a long-term strategy and realistic goals mapped to the system designs. Security concerns, autonomy issues and performance standards should be focused on at the design level itself.

11.3 Mobile Computing

The dependency of modern life on mobile computing is evident from the increasing use of netbooks, tablets and smartphones. The varied types of devices have resulted in changes to the UI (User Interface), the operating systems and the applications used. Mobile computing has resulted in the BYOD (bring your own device) concept. It is a concept

60How robust is your IT system?RSM Astute Consulting

Page 66: RSM India publication - How Robust is your IT System

which helps organizations in saving costs, helps in faster adoption of technologies and achieves greater employee satisfaction. However, organizations also lose the control over the way these devices are used resulting in security issues. Organizations can overcome these issues by defining clear policies, laying minimum security requirements, mandating use of organization sanctioned security tools and have a process to retrieve organizational data from personal devices.

Social media has evolved as the modern way to communicate with diverse sets of interested groups. These technologies have changed the way we network, collaborate, publish and receive feedbacks. Direct revenue growth through social media may be a challenge; but it helps a lot in customer care, product development and brand building. These benefits come along with risks like brand hijacking, data leakage, security, intellectual property & legal risks. Disgruntled employees and customers try to defame the organization through social media. These risks can be overcome with strong policies, processes, training, tools that trace the origins of messages.

Globalization and economic trends has led organizations towards changed strategy of IT outsourcing. This benefits organization in focussing on core business activities and re-strategizing while reducing costs and working more efficiently. However, this comes with attached risk related to security, privacy, continuity and performance. Organizations need to mitigate these risks by clearly defining security controls, performance benchmarks and vendor’s exit responsibilities. Also organizations need to closely monitor the vendor’s performance and get them validated from independent sources as the strategies and controls are different for Outsourcing framework.

In the world of shrinking resources, organizations are looking for alternative sources for cost efficient and work effective methods. Green IT is one such approach which involves manufacture, management, use and disposal of information technology resources that minimizes the damage to environment. Some of the initiatives include:

ØPurchasing and using energy efficient desktops, servers and other IT equipment

ØSet up energy efficient data center with more Power Usage Effectiveness ratings

ØVirtualization of resources to reduce overall resource requirements

ØRecycling of IT equipment

ØUse of minimum toxic material like lead and mercury in manufacturing process

11.4 Social Media

11.5 IT Outsourcing

11.6 Green IT

RSM Astute Consulting61 How robust is your IT system?

Page 67: RSM India publication - How Robust is your IT System

Section IV: Creating Excellence in IT Systems Assurance

1.1 Introduction

The role of IT as an enabler of the business is well understood. Innovation in new products and the adoption of new technologies are normally appreciated. In spite of this, a disconnect often exists between the management vision and ground realities. IT systems should be leveraged such that they exceed the expectations of the management vision.

There is a continuous thrust on creating excellence through IT systems. Though this is a vast area, some illustrations are cited below.

1.2 Measuring IT Effectiveness

Organizations need comprehensive and quantitative measurements giving a 360-degree view of IT, with the intention of controlling the costs of assignments. Quantitative dashboards need to be based on statistics, graphs, trends and deviation controls, such as:

ØAverage time taken to deploy software changes

ØEffectiveness of security filters at different layers of the systems architecture

ØUtilization of assets based on various parameters

ØReduction in aggregate quantitative risks

ØDowntime of the IT system / Total uptime of the system for the month

ØTime taken for recovery

ØNumber of incidents in a month, analyzed on multiple parameters

This is an exercise to identify, measure and track IT progress in a manner suited to the client environment. Large organizations with high-end ecosystems have more complex and interlinked parameters; these need to be projected across various units such as geographical locations, systems/subsystems and assets, and will be required at a detailed or aggregate level.

It is possible to create quantitative models for IT health status monitoring suited to the organization's environment. Quantitative models require a substantial first-time effort, but they introduce objectivity to the complex topic of the IT environment, are more easily understood at various levels, create a common body language and help organizations track progress.

1.3 Measuring IT Maturity

Apart from the individual dashboards, organizations would like to have an overall assessment of IT maturity status. Maturity can be objectively measured by aggregating the maturity status of all individual control points. This is an elaborate exercise. Such measurements, if done on an annual basis, give a top-level view of the areas that need attention and help to track progress objectively.

An illustration based on a generally accepted IT governance framework such as CoBiT can be applied; the result could look like the diagram given below:

Figure: CoBiT Maturity - An Alternate View. A chart of illustrative scores against the seven CoBiT information criteria (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance and Reliability); the values shown range from 54 to 70.

1.4 Adhering to Multiple Compliance Frameworks

Every organization in today's world has to comply with various regulatory requirements, as explained at various places in this document. Further, different units of the organization need to comply with specific standards such as SOX, PCI DSS, ISO 27001, BS 25999, SSAE16, quality frameworks, Capability Maturity Models, Six Sigma / lean methodology, and statutory requirements set by RBI, TRAI and other industry bodies. Companies are subjected to frequent audits for the same.

Handled in a suboptimal manner, this leads to major processing overheads for the organization. Documentation becomes non-standard, record keeping involves duplication of effort, audits overlap, and compliances are sometimes tedious to maintain and are seen as operational overheads.

Organizations need to have a common compliance denominator along with sufficient operational flexibility built into the process.

1.5 Building Excellence in Operating Procedures

Good standard operating procedures are a core requirement of all compliances. A good standard operating procedure needs to be practical, simple and close to the operating environment. A single procedural document should stand the test of adequacy seen from multiple perspectives, including governance, operations and compliance. Such operating procedures provide a sound basis for the performance of the organization, have the necessary flexibility to accommodate operational variances in a controlled manner, and create efficiencies for the organization. Good operating procedures suited to the organizational requirements reflect how internal control systems work within the organization.

1.6 Data Analytics and E-Audit Migration

With the growing volume of transactions across various systems, good data analytic tools are necessary to enhance audit effectiveness. They are able to see through transactions using pre-defined business rules with multiple permutations and effective sampling techniques. These tools help an auditor narrow down on exception identification and detect anomalies in an objective manner. Such tools can also be deployed in the production environment to facilitate concurrent or real time monitoring.

Migration from traditional audit processes to E-audit processes is a journey that involves careful planning, simulation and deployment, as depicted below:

Plan of Migration to E-Audit (1. Initiation Phase; 2. Pilot Phase; 3. Migration to Concurrent / Continuous Audit)

ØEvaluation of the organization's information architecture

ØIdentification of transactions to be considered under the E-Audit pilot phase

ØDefine audit rules for transaction monitoring for the identified transactions of the identified systems

ØSimulate the E-Audit and refine the rule definitions

ØIntegrate E-Audit with base systems and configure exception monitoring and alert-based rules

ØAutomate the E-Audit process for concurrent checks

1.7 Intelligent Risk Engines

As the global threats of cyber crime are increasing, there exist global intelligence networks that are able to detect certain threats in real time. These are essentially collaborative networks that keep track of millions of malware signatures, blacklisted and infected web-sites and botnets, analyze the behavior of source transactions, and apply intelligent risk engines that generate early warnings of cyber-attacks and pre-empt or quarantine them. Such technologies need to be deployed and configured appropriately.

Similarly, for detecting electronic and mobile banking frauds and money laundering, an intelligence system needs to be built that performs transaction and behavior analysis. Such systems help in generating early warning signals for suspicious transactions.
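The rule-driven transaction monitoring described in 1.6 (pre-defined business rules, exception identification, concurrent checks) and the transaction and behavior analysis of 1.7 can be illustrated with a small rule engine. The following is an added example written for this section; it is not the publication's own tool or any vendor product. The transaction fields, rule names, thresholds (100,000, 50,000, the 10,000 reporting limit, the one-hour and two-hour windows) and the sample ledger are all constructed for illustration.

```python
"""Rule-based transaction exception monitoring (added illustration, not the
publication's own tool). Every transaction, rule and threshold is constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str
    amount: float
    country: str    # country code of the originating session (constructed)
    ts: datetime
    approver: str   # approving user id, "" when no approval was recorded


@dataclass(frozen=True)
class Alert:
    rule: str
    txn_id: str
    reason: str


# Each rule receives the transaction under review plus that account's earlier
# transactions from the preceding 24 hours, and returns a reason or None.

def rule_large_amount(t: Txn, history: list) -> Optional[str]:
    # Static threshold check (constructed limit of 100,000).
    return f"amount {t.amount:,.2f} exceeds 100,000" if t.amount > 100_000 else None


def rule_missing_approval(t: Txn, history: list) -> Optional[str]:
    # Control check: high-value transactions must carry an approver.
    if t.amount > 50_000 and not t.approver:
        return "high-value transaction recorded without an approver"
    return None


def rule_velocity(t: Txn, history: list) -> Optional[str]:
    # Behavior check: a burst of activity on one account within an hour.
    recent = [h for h in history if t.ts - h.ts <= timedelta(hours=1)]
    if len(recent) >= 3:
        return f"{len(recent) + 1} transactions within one hour on {t.account}"
    return None


def rule_structuring(t: Txn, history: list) -> Optional[str]:
    # Pattern check: repeated amounts just below a 10,000 reporting limit.
    near = lambda x: 9_000 <= x.amount < 10_000
    if near(t) and sum(1 for h in history if near(h)) >= 2:
        return "third transaction just below 10,000 within 24 hours"
    return None


def rule_geo_change(t: Txn, history: list) -> Optional[str]:
    # Behavior check: origin country differs from the last two hours' activity.
    recent = {h.country for h in history if t.ts - h.ts <= timedelta(hours=2)}
    if recent and t.country not in recent:
        return f"origin {t.country} differs from recent {sorted(recent)}"
    return None


RULES = {
    "large_amount": rule_large_amount,
    "missing_approval": rule_missing_approval,
    "velocity": rule_velocity,
    "structuring": rule_structuring,
    "geo_change": rule_geo_change,
}


def run_audit(txns: list, rules: dict = RULES) -> list:
    """Replay transactions in time order with per-account history and return
    every rule hit. The same loop serves a batch extract (pilot phase) or a
    live feed, one transaction at a time (concurrent audit)."""
    alerts: list = []
    seen: dict = defaultdict(list)
    for t in sorted(txns, key=lambda x: x.ts):
        history = [h for h in seen[t.account] if t.ts - h.ts <= timedelta(hours=24)]
        for name, rule in rules.items():
            reason = rule(t, history)
            if reason:
                alerts.append(Alert(name, t.txn_id, reason))
        seen[t.account].append(t)
    return alerts


def summarize(alerts: list) -> dict:
    """Alerts per rule: the figure a monitoring dashboard would chart."""
    return dict(Counter(a.rule for a in alerts))


# Constructed sample ledger (not real data).
T0 = datetime(2012, 3, 1, 9, 0)
SAMPLE = [
    Txn("T1", "A1", 1_200.0, "IN", T0, "mgr1"),
    Txn("T2", "A1", 150_000.0, "IN", T0 + timedelta(minutes=10), ""),
    Txn("T3", "A2", 9_500.0, "IN", T0 + timedelta(minutes=5), ""),
    Txn("T4", "A2", 9_700.0, "IN", T0 + timedelta(minutes=20), ""),
    Txn("T5", "A2", 9_800.0, "IN", T0 + timedelta(minutes=40), ""),
    Txn("T6", "A2", 500.0, "IN", T0 + timedelta(minutes=50), ""),
    Txn("T7", "A1", 300.0, "AE", T0 + timedelta(minutes=30), ""),
]

if __name__ == "__main__":
    for a in run_audit(SAMPLE):
        print(f"{a.rule:<17} {a.txn_id}: {a.reason}")
    print(summarize(run_audit(SAMPLE)))
```

On the sample ledger the engine raises five alerts: T2 trips the static amount limit and the missing-approval control, T7 the country change, T5 the structuring pattern and T6 the velocity rule. The rule table is the part an auditor refines during the pilot phase; the replay loop is unchanged whether it is run over an extract or wired to the base system for concurrent checks.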

1.8 Concurrent IT Audit

Some organizations presume that audit activity is to be performed after completion of tasks. There is also a view that audit participation during the roll out / implementation stage compromises audit independence. Since IT systems are typically rolled out with long term objectives and a high impact on the organization's ecosystem, concurrent IT audit becomes a very critical need for the management to ensure that controls are built in at the design stage itself. System specifications, design documents, project management, planned upgrades, disaster recovery drills, data analytic tools and system monitoring outputs are some of the areas where concurrent IT audit brings powerful value additions to the organization.

1.9 IT Systems Assurance for Group Companies

Large corporate houses tend to diversify across various sectors. Every business vertical has its own unique information technology needs. Many times, such a group creates a set of common services to be provided to the other group companies. Such groups can benefit by isolating centralized requirements from company-specific IT requirements. An IT assurance program can be tailor-made to different group functional models. Apart from conventional IT assurance, such a program needs to also focus on consolidation opportunities, process optimization, technology standardization, resource utilization and effectiveness of deployment.

1.10 IT Systems Assurance: A Balanced Scorecard

The success of an IT assurance program needs to be reflected in the Balanced Business Scorecard. The typical outcome of such a program is tabulated below for illustrative purposes.

Business / Balanced Scorecard and how an IT Assurance Program helps you

Financial Perspective

ØReduction in misuse of assets

ØAbility to control revenue leakages and frauds

ØIncreased return on IT investment

Customer Perspective

ØCustomer confidence in data confidentiality

ØData security through all channels of business interaction

ØAssured service levels

Internal Perspective

ØIT process efficiencies

ØEnhanced internal control systems

Innovation Perspective

ØAdoption of new technologies

1.11 Adopting Best Practices Suitable to Your Needs

The list of best practices is really unending; as is rightly said, there is no end to excellence. It is equally important to note that, in spite of honest intent, in reality best practices cannot be followed by organizations at every stage. The evolving phases of the business, socio-economic factors, political environments, the risk appetite of the management, availability of management staff, and financial, operational and behavioral constraints dominate the internal control systems of the organization. An organization needs to adopt a dynamic, practical and result-oriented internal control framework in line with best practices. This is done after taking into account compensatory controls, checks and balances, and assessing the short term or long term impact on the organization.

Annexure I

Characteristics of a successful IT Assurance Program for an Organization

IT Systems Assurance Practices should be independent of

ØTechnologies

ØBusiness product

ØSystem Platform

ØServices

IT Assurance Practices should be linked to

ØBusiness objectives

ØInternal Audit and Risk Management Program

ØOperational excellence initiatives within an organization

ØRegulatory audit requirements

Good IT system assurance practices should be

ØRealistic and implementable

ØHandled with due diligence and professional care

ØSensitive to client confidentiality requirements

Good assurance measures should focus on

ØRemoval of the root cause

ØValue addition for the business


Annexure II

Certain Legislations Governing Information Security

ØOnline Protection and Enforcement of Digital Trade Act (USA, 2011)

ØCyber Intelligence Sharing and Protection Act (USA, 2011)

ØDigital Economy Act, 2010 (UK)

ØElectronic Transactions and Commerce Law (UAE, 2002)

ØElectronic Transactions Act (Canada, 2001)

ØInformation Technology Act, 2000 (India)

ØElectronic Transactions Act, 1999 (Australia)

ØThe Digital Millennium Copyright Act Of 1998 (USA)

ØData Protection Act, 1998 (UK)

ØNo Electronic Theft Act (NET Act – USA, 1997)

ØMalaysian Computer Crimes Act, 1997 (Malaysia, 1997)

ØUniform Electronic Transactions Act (USA, 1996)

ØComputer Misuse Act, 1990 (UK)

ØComputer Security Act of 1987 (USA)

ØComputer Fraud and Abuse Act (USA, 1986)

ØThe Credit Card Fraud Act of 1984 (USA)

ØFederal Data Protection Act (Russia, 1970)

ØThe Patents Act, 1970 (India)

ØThe Trade Mark Act, 1958 (India)

ØThe Copyright Act, 1957 (India)


RSM Astute Consulting Group - Offices

Mumbai: 13th Floor, Bakhtawar, 229, Nariman Point, Mumbai - 400 021.

Mumbai: 3rd Floor, Ahura Centre, 82, Mahakali Caves Road, Andheri (E), Mumbai - 400 093.

Mumbai: 608, Sagar Tech Plaza B, Sakinaka, Andheri (E), Mumbai - 400 072.

Bengaluru (Bangalore): "Sujaya", No. 1007, 2nd Cross, 13th Main, HAL II Stage, Bangalore - 560 038.

Chennai: Abhinav Centre, 2nd Floor, No. 4 Co-operative Colony, Off. Chamiers Road, Alwarpet, Chennai - 600 018.

Chennai: 1A, Chamiers Apartments, 62/121, Chamiers Road, R. A. Puram, Chennai - 600 028.

Kolkata: 2058/A, Mercantile Buildings, Block "A", 9, Lalbazar Street, Kolkata - 700 001.

New Delhi - NCR: 3rd Floor, Tower-B, B-37, Sector-1, Noida - 201 301.

Surat: B/604-605, Tirupati Plaza, Athwa Gate, Nanpura, Surat - 395 001.

Surat: T-720, Belgium Tower, Opp. Linear Bus Stop, Ring Road, Surat - 395 002.

Ahmedabad: 504, Narnarayan Complex, Navrangpura, Ahmedabad - 380 009.

Hyderabad: 217, Swapnalok Complex, 92, Sarojini Devi Road, Secunderabad - 500 003.

Gandhidham: Plot No. 41, Ward 10-A, "Divyasarika", Gurukul, Gandhidham - 370 201 (Kutch - Gujarat).

Offices: Mumbai, New Delhi-NCR, Chennai, Kolkata, Bengaluru, Surat, Ahmedabad, Hyderabad, Aurangabad and Gandhidham.

For further information please contact:

RSM Astute Consulting Group, 13th Floor, Bakhtawar, 229, Nariman Point, Mumbai - 400 021.

T (91-22) 6696 0644 / 6121 4444 F (91-22) 2820 5685 / 2287 5771 E [email protected] www.astuteconsulting.com

RSM Astute Consulting Group is a member of RSM network. Each member of the RSM network is an independent accounting and advisory firm which practices in its own right. The RSM network is not itself a separate legal entity in any jurisdiction. This publication is intended to provide a broad overview of Information Technology Systems Assurance to organizations which function on highly automated processes and on a real time basis. Every effort has been made to ensure the contents are accurate and current. Information in this publication is in no way intended to replace or supersede independent or other professional advice. This publication should not be relied upon for taking actions or decisions without appropriate professional advice and it may be noted that nothing contained in this publication should be regarded as our opinion and facts of each case will need to be analyzed based on specific facts. While all reasonable care has been taken in preparation of this publication, we accept no responsibility for any liability arising from any statements or errors contained in this publication. © RSM Astute Consulting, 2012