
Project Report of DISA 2.0 Course

CERTIFICATE

Project report of DISA 2.0 Course

This is to certify that we have successfully completed the DISA 2.0 course training
conducted at Hyderabad from 13th August 2016 to 18th September 2016.

Project: Review of Security and Control practices of Cloud Computing service provider.

We hereby confirm that we have adhered to the guidelines issued by CIT, ICAI for the
project. We also certify that this project report is the original work of our group and
each one of us has actively participated and contributed in preparing this project. We
have not shared the project details or taken help in preparing the project report from
anyone except members of our group.

Project Team:

Name | ISA No | Membership Number

Place: Hyderabad.

Date: 20th October, 2016.


Table of Contents

Details of Case Study/Project (Problem)

Zebra Cloud Solutions (ZCS) Ltd offers cost-effective cloud computing solutions and caters
to the banking, insurance, healthcare, manufacturing, supply chain and technology industries.
It is one of the top cloud companies in India, providing flexible payment, security,
round-the-clock technical support and pay-per-use pricing. It is a complete computing
solution provider, offering SaaS, PaaS and IaaS services on the public, private and hybrid
computing models.

The management of ZCS, considering the enormous potential of cloud computing services,
has opened its office in India with Bangalore as its head office and data centres at
Mumbai, Hyderabad, Chennai, Pune and Delhi. It offers state-of-the-art cloud computing
services to customers in India with the assurance that data remains within India. They
want an independent IS Audit covering security and control practices so as to provide
assurance to the management, regulators and customers in India.

Situation

ZCS has 100+ servers in its data centres in India. These servers are also networked with
500+ servers which hold the worldwide business data of ZCS customers. These servers
are also connected to the global offices of ZCS and their customers through high-speed
networks and telecommunication systems. The company has a state-of-the-art technology
infrastructure and well-trained staff organised as per specific job responsibilities, with a
comprehensive access policy designed not only to protect data but also to ensure its
availability. To protect its data, ZCS has put in place a comprehensive Information Security
System as mandated by the ISO 27001 and ISAE 3402 Type I standards. The company has used
best-of-breed security and control practices for implementing security for its IT
infrastructure. This security system is subject to rigorous audit by independent ISO
auditors before certification and is also subject to regular IS Audit using global best
practices.

Scope of the assignment

The management of ZCS has approached us to perform an independent IS Audit of the
security and control practices so as to provide assurance to the management, regulators
and customers in India. We have been provided a list of key security and control practices
and are required to review the adequacy of these control practices and also provide
additional detailed procedures as relevant to Indian regulations, considering the Information
Technology Act and other compliances applicable to Indian companies.

Current Security and Control practices

• Internal theft: One security vulnerability comes from unscrupulous internal
employees. Such employees can pass data to competitors in their business.
Locating data in the highly secure data center of Wilson Solutions deters such
employees from stealing data because they are under surveillance. Data center
personnel employed by ZCS have their backgrounds verified extensively during the
recruitment process. They do not understand the customers' businesses as well as an
internal employee of the customer does, so their interest in the data is greatly
reduced, thereby mitigating data theft risks.

• Physical access control: The data center is a sensitive zone. Only authorized
personnel can enter it. The entry is controlled through automatic access control
systems linked to security alarms. This prevents public access and stray entries. All
such entries are automatically logged in entry logs.

• Physical access monitoring: The area in and around the data center is monitored
24X7 through surveillance cameras which capture the images of those entering that
area. The video records are archived. Security guard views the video monitor.

• Login access control: This is a two-dimensional access control measure. First,
only authentic users can log in. Second, they can log in only to the relevant
transaction screens for which they have permissions. Such access policies are
administered through the deployment module of the ZCS platform. This mechanism
prevents any unauthorized access to both transactions and data. ZCS trains
customers to use specific modules so that access policies can be set by an
administrator designated by the customer. This way, the customer has absolute
control over the access.

• Audit trail: Even authentic usage is tracked. Who logged in, when did the login
happen, what was the duration of the login, what is the usage pattern, are there
unusual usages noticed – these are the possible ways by which tracking happens.
Such trails discourage anyone from attempting to misuse. Thus, frauds can be both
prevented and detected.

• Data transport over internet: Data movement over the internet – from the
customers’ office(s) to ZCS data center – is like goods moving on the road transport
highways. Both are vulnerable to theft. Such transaction data is protected through
encryptions and transported over a secure sockets layer. This prevents theft.
Encryption renders data meaningless thus making the theft harmless.

• Firewall: Data arriving via the internet at the data center is filtered through the
firewall. This is like immigration control, designed to detect illegal entrants. Only
authentic customer data finally reaches the server. Firewall policies are continually
updated as per the information security management system implemented in Wilson
Systems. This protects customers' data from malicious software attacks.

• Fire and natural calamities: Disasters can happen and affect data and business
activities. Fire, earthquakes and floods can ruin data and disrupt operations. Wilson
has implemented a disaster recovery mechanism to handle such crisis. First, the
data center itself is subject to fire safety regulations. Second, all data is stored on
high speed storage area networks. From this storage, data is backed up according
to the data backup policy implemented as required by the information security
systems. Daily, weekly and monthly back-ups are taken. The media containing the
backed-up data are stored in fire-proof vaults. A copy of the same is stored in a
different physical location. In the event of any disaster, the data available on the
back-up media will be restored for operations to continue.

• Privacy: Privacy is ensured in the following ways.

1. Internal privacy: One department's data cannot be viewed or altered by
another department. For example, accounts data is not made available to a stores
person.

2. External privacy: A customer's data is not available to anybody else.
This is established by allocating separate databases for each customer. Also, the
servers dedicated to the customers run on separate networks, so traffic from
other networks, including Wilson employees' networks, cannot come into this
network.

3. External privacy involving government and regulatory bodies: These are
strictly governed by contractual agreements with the customers. Any request for
data belonging to customers will not be entertained without the involvement of
the customers.

Project Report (solution)


1. Introduction
2. Auditee Environment
3. Background
4. Situation
5. Terms and Scope of assignment
6. Logistic arrangements required
7. Methodology and Strategy adapted for execution of assignment
8. Documents reviewed
9. References
10. Deliverables
11. Format of Report/Findings and Recommendations
12. Summary/Conclusion

1. Introduction

The importance of cloud computing is increasing and it is receiving growing
attention in the scientific and industrial communities. Cloud computing enables
convenient, on-demand network access to data.

Zebra Cloud Solutions Ltd, formally known as ZCS Ltd, is a potential service provider of
cloud computing which provides services to different industries in India. ZCS has a
state-of-the-art technology infrastructure with well-trained staff organised with
specific staff responsibilities and a comprehensive access policy designed not only
to protect data but also to ensure the availability of data round the clock.

We, JRL Associates, Chartered Accountants, are led by CA Ju, holder of the DISA
certificate, who has three years of experience in IS audit; his team members RS and LR are
both Chartered Accountants with two years of experience in IS audit.

2. Auditee Environment:

ZCS Ltd, a cloud computing service provider, has its head office at Bangalore and
data centres at Mumbai, Chennai, Hyderabad and Delhi. It has 100+ servers in
the data centres in India, which are also networked with 500+ servers that hold
data of the customers globally. To protect its data, the company has adopted a
comprehensive information security system as mandated by the ISO 27001 and ISAE 3402
Type I standards.

3. Background :

The main need of the audit was to assess the adequacy and effectiveness of the
controls designed and implemented by ZCS Ltd, including an assessment of
the following components:
• Internal Theft
• Physical access control
• Physical access monitoring
• Logical access control
• Audit trail
• Data transport over internet
• Firewall
• Fire and natural calamities
• Privacy
a. Internal Privacy
b. External Privacy
c. External Privacy involving government and regulatory bodies.

4. Situation

ZCS Ltd, a service provider of cloud computing solutions, needs an independent IS audit
of the security and control practices it has adopted in order to develop the Indian market
and provide assurance to Indian customers and regulators.

5. Terms and scope of assignment

The scope of this audit is limited to the security and control practices adopted by the
management; it also provides additional detailed procedures as relevant to Indian regulations,
considering the Information Technology Act and other compliances applicable to Indian
companies.

Detailed Audit Programme:

Audit Program for Human Resources

S.No | Audit Procedures | Yes/No | Done by
1 | Is the Human Resources Department well-staffed and equipped with personnel with the required expertise in the area of staffing and hiring? | Yes | Ju
2 | Is there a recruitment policy for the organisation, clearly defining the roles and responsibilities of the Human Resource Department relating to staffing and recruitment, and is it clearly defined and communicated? Does the policy provide sufficient guidance on the recruitment and selection process? | Yes | Ju
3 | Check whether all requests for personnel by the various departments are supported with proper authorization from senior managers / department heads. The request should clearly define the job role, required qualifications of the candidate, experience (if any), procedure of selection, etc. | Yes | Ju
4 | Check whether the advertisements for hiring clearly specify and correlate to the job request raised by the departments. | Yes | Ju
5 | Check whether the forms filled in by the applicants capture all the data relating to personal data, past job history and other relevant information, and are properly and fully filled in. | Yes | Ju
6 | Are the selection criteria for the various applicants based on the principles of the organisation and the guidance provided by the hiring policy? Are the selections based on merit and do they meet the required criteria in the job request? | Yes | Ju
7 | Are background checks, like verifying the authenticity of the documents submitted by the applicant, done? Background checks of the applicant, such as status on social networks and contacting the previous employer about the conduct of the applicant, should be done. Are the findings of this search corroborated with the details submitted by the applicant? | Yes | Ju
8 | Is the documentation complete at every stage of hiring, is it properly signed off and is there proper accountability? | Yes | Ju
9 | Are all new recruits given sufficient knowledge of the various policies of the organisation, especially those relating to non-disclosure of information, whistle-blower policy, etc.? | Yes | Ju
10 | Ensure that the terms of employment are properly drafted, containing the terms and conditions, and ensure the contracts are signed off by the new employees. | Yes | RS
11 | Is there a whistle-blower policy available in the organisation? Is it properly communicated to all employees? Is there a mechanism for recording complaints reported? Go through a list of such complaints raised in the past and see the action taken for disposal of the issue. | Yes | LR
12 | Are all employees regularly signing off the non-disclosure agreement for customer data, prevention of insider trading, compliance with the Sarbanes-Oxley Act, the Information Technology Act, etc.? | Yes | LR
13 | Whether all outsourced employees working on the campuses have also signed the non-disclosure agreements? Whether their principal employer has done a proper background check on them before taking them into employment? | Yes | LR
14 | Ensure there is a policy of compulsory rotation of employees between different projects, so that no employee remains on the same project for more than 1 year. | Yes | LR
15 | Any policy deviation by employees should be reported to the managers straight away and proper action should be taken by them for disposal of the issue. | Yes | RS
16 | Are exit interviews conducted when employees leave the organisation, and are the interviews conducted holistically, capturing the reasons for leaving the organisation? | Yes | RS
17 | Ensure that the employee gets sign-off from the various departments like Finance, Security, IS, Hardware, etc., before leaving the organisation. All customer data like papers, documents, etc. held by the employee should be asked to be left behind. | Yes | RS
18 | Employees should be asked to sign a contract which specifies that they will not use any of the organisation's or the customer's data in their next employment. | Yes | RS

Audit Program for Physical Access Controls

S.No | Audit Procedures | Yes/No | Done by
1 | Whether there is a policy regarding physical access control and it is a part of the security policy of the organisation? | Yes | Ju
2 | Whether there is a mechanism to review the policy regularly? | Yes | Ju
3 | Whether the policy on the following is appropriate: layout of facilities; physical and logical security; safety; access; maintenance; signage; visitors; health; safety and environmental requirements; entrance and exit procedures; regulatory requirements; legal requirements? | Yes | Ju
4 | Whether the Data Centers and Information Systems facility are located in a place which is not obvious externally? | Yes | Ju
5 | Whether the facility is located in the least accessible area and/or access is limited to approved personnel only? | Yes | Ju
6 | Whether the physical access control procedures are adequate for employees, vendors, equipment and facility maintenance staff? | Yes | Ju
7 | Whether 'key' management procedures and practices are adequate? Whether reviews and updates are carried out on a least-access-needed basis? | Yes | Ju
8 | Whether the access and authorization policies on the following are adequate: entering / leaving; escort; registration; visitor passes; surveillance cameras? | Yes | Ju
9 | Whether the policies laid down are implemented? | Yes | Ju
10 | Whether periodic review of access profiles is carried out? | Yes | Ju
11 | Whether the revocation, response and escalation process in the event of a security breach is appropriate? | Yes | LR
12 | Whether security for portable and off-site devices is adequate? | Yes | LR
13 | Whether control of visitors is adequately addressed? Whether issues like registration, pass, escort and logbook for check-in and check-out are handled properly? | Yes | LR
14 | Whether the visitor is required to authenticate his identity by means of a business card, photo identification card, driver's license, etc.? | Yes | LR
15 | Whether computing facilities are located above ground level? Whether water leakage, seepage, etc. are prevented? | Yes | RS
16 | Whether air-conditioning, ventilation and humidity control procedures are in place, tested periodically and given adequate attention? The environment in the data center should be controlled by having adequate cooling systems, without which servers/systems would crash. | Yes | RS
17 | Whether security awareness is created not only in the IS function but also across the organisation? | Yes | RS
18 | Whether physical security is continually addressed, and whether physical security is ensured at suppliers' facilities also in cases where the organisation's assets, either physical or data, are processed at the supplier's facilities? | Yes | RS
19 | Is there a security check in place so that photography of the Data Center facilities is prohibited for employees and outsiders? Information boards should be clearly placed at different points saying that photography is prohibited. | Yes | Ju
20 | Whether a UPS is available? If so, is it covered under maintenance? | Yes | Ju
21 | Whether alternate or re-routing telecommunication lines are available? | Yes | Ju
22 | Whether alternative water, gas, air-conditioning and humidity resources are available? | Yes | Ju
23 | Are all unused power sockets and telephone points closed? | Yes | Ju
24 | Whether all access routes are identified and controls are in place? | Yes | Ju
25 | Ensure that there are no multiple access points to the IS facilities; facilities should have a single point of entry and exit. | Yes | LR
26 | Ensure that all windows / other openings are closed. | Yes | LR
27 | Whether hazardous commodities are not stored in the IS area? | Yes | RS
28 | Whether appropriate access controls like password, swipe card, biometric devices, etc. are in place and adequate controls exist for storing the data / information on them? | Yes | RS
29 | Whether access to the IS facility and Data Centers is enabled only through ID cards / badges, etc.? Are there controls to ensure that the issue and re-collection of such access devices are authorised and recorded? Unissued ID cards/badges should be stored in safe vaults. The stock of such ID cards/badges should be counted periodically. Any missing cases should be immediately reported. | Yes | LR
30 | Whether access to Data Centers is given to employees on a need basis only, based on the job profile? | Yes | LR
31 | Whether there is a mechanism to monitor ID cards / badges issued but remaining unused for more than two months; such ID cards/badges, if required, can be taken back? | Yes | LR
32 | In case of stolen or lost ID cards / badges, such incidents should be reported quickly to the Security Department. An FIR informing the incident should be filed with the local police authorities. | Yes | LR
33 | In case employees are leaving the organisation, the ID cards / badges issued to them should be taken back and revoked. | Yes | RS
34 | In case of outsourced software, whether all maintenance work is carried out only in the presence of / with the knowledge of the appropriate Maintenance Department or security staff? | Yes | RS

Audit Program for Physical Access Monitoring

S.No | Audit Procedures | Yes/No | Done by
1 | Is surveillance equipment like CC cameras installed at all entry and exit points, recording the movements of the personnel inside the facility? | Yes | Ju
2 | Are the CC cameras located in such a place that they are not easily visible to visitors? | Yes | Ju
3 | In case CC cameras are not working, such cameras should be repaired immediately; is there regular maintenance of the cameras? | Yes | Ju
4 | Are there any blind spots where no images are captured? In such places a compensating control should be in place. | Yes | Ju
5 | Are there any real-time physical intrusion alarms, and are physical access violations immediately attended to by the security personnel? | Yes | Ju
6 | Are access violations recorded, escalated to higher authorities and appropriate action taken on the violations? | Yes | Ju
7 | Is the CC camera footage retained for a sufficient period of time, and are there regular periodic checks on the retrieval of the stored data? | Yes | RS
8 | Ensure the CC cameras have night vision to capture footage during the night. | Yes | RS
9 | Are deadman doors installed at the entrances to the Data Centers and IS facilities to secure access to authorised personnel only? | Yes | LR
10 | Is the CC camera control room ideally located, in order to reach the various facilities in the quickest time? | Yes | LR

Audit Program for Logical Access Controls

S.No | Audit Procedures | Yes/No | Done by
1 | Whether the user access management policy and procedure are documented? Whether the user access management policy and procedure are approved by the management? | Yes | Ju
2 | Whether the user access management policy and procedure document includes: scope and objective; procedure for user ID creation, approval, review, suspension and deletion; granting access to third parties; password management; user access rights assignment and modification; emergency access granting; monitoring of access violations; review and update of the document? | Yes | Ju
3 | Whether user IDs and access rights are granted with approval from the appropriate level of the IS and functional head? (Verify the user ID creation, granting of access rights and approval process.) Are such requests for creation of user IDs clearly documented, and are they based on the job profile of the employee? | Yes | Ju
4 | Whether the organization follows the principle of segregation of duties adequately in granting access rights? (Verify that access rights are given on a need-to-know and need-to-do basis, without unchecked concentration of power.) | Yes | Ju
5 | Whether user IDs are in a unique format? | Yes | Ju
6 | Whether invalid login attempts are monitored and user IDs are suspended after a specific number of attempts? | Yes | Ju
7 | Whether the organisation follows a complex composition for password parameters? The minimum password length should be 8 characters, and the password should contain a combination of upper- and lower-case letters and special characters. | Yes | Ju
8 | Is there a clear-cut policy in place for granting access to customers and third parties? Is it communicated to them when entering into a service agreement? Have the customers consented to it? | Yes | Ju
9 | Is admin access granted to the customer as per the initial agreement entered into with the customer? Is the admin right granted for the same customer only, or can it be used for another customer? (This is to ensure there is clear delineation between different customers.) | Yes | Ju
10 | What is the procedure for handling customer requests on user access? Is it clearly defined and communicated to the customer? | Yes | Ju
11 | Whether users are forced to change their password on first logon and at periodic intervals? Is the periodic interval set for change as per the sensitivity of the role? | Yes | LR
12 | Whether the organisation has implemented clear-screen and clear-desk policies? Is the maximum idle time less than 15 minutes? | Yes | LR
13 | Whether the organisation has restricted concurrent logon? Verify whether user ID access is restricted to one terminal only. Whether users' IDs are shared? | Yes | LR
14 | Whether user IDs and passwords are communicated to the user in a secure manner initially and at the time of resetting? | Yes | LR
15 | Whether the organisation reviews user IDs and access rights at periodic intervals? | Yes | RS
16 | Whether the organisation monitors logs for user access? | Yes | RS
17 | Whether policy and procedure documents are reviewed and updated at regular intervals? | Yes | RS
18 | Whether access to scheduled jobs is restricted to authorised users? | Yes | RS
19 | Whether emergency user creation is according to the policy and procedure for user access management? | Yes | Ju
20 | Whether the periodic review process ensures that user accounts align with business needs and are removed on termination/transfer? | Yes | Ju
21 | Whether passwords are shadowed and use strong hash functions? | Yes | Ju
22 | Review the process for setting initial passwords for new users and communicating those passwords, and evaluate the tracking of each account to a specific employee. | Yes | Ju
23 | Whether the use of groups and the access levels set for a specific group determine the restrictiveness of their use? | Yes | Ju
24 | Ensure that the facility to log on as super/root user is restricted to the system console for security reasons. | Yes | Ju
25 | From the log file, identify the instances of use of sensitive passwords such as super user and verify if records have been maintained with the reason for the same. Ensure that such instances have been approved/authorized by the management. | Yes | LR
26 | From the log file, identify the instances of unsuccessful logon attempts to the super user account and check the terminal ID / IP address from which they originate. Check if appropriate reporting and escalation procedures are in place for such violations. | Yes | RS
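Items 24, 25 and 26 ask the auditor to pull evidence from the log file: successful escalations to root reconciled against an approval register, failed super-user logons per source address, and any root logon that did not come from the console. The following script is an added example (not part of the project report) that does this over constructed syslog-style auth lines; the log format, the hostnames, the addresses and the approval register are all assumptions made up for the illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample of auth log lines (made up for this example; not ZCS data).
SAMPLE_LOG = """\
Sep 14 09:02:11 db01 sshd[2231]: Accepted publickey for rs from 10.10.5.21 port 51012 ssh2
Sep 14 09:05:40 db01 sudo:       rs : TTY=pts/0 ; PWD=/home/rs ; USER=root ; COMMAND=/bin/systemctl restart postgresql
Sep 14 09:07:02 db01 su[2310]: Successful su for root by lr
Sep 14 11:15:22 db01 sshd[2402]: Failed password for root from 203.0.113.45 port 40122 ssh2
Sep 14 11:15:25 db01 sshd[2402]: Failed password for root from 203.0.113.45 port 40122 ssh2
Sep 14 11:15:29 db01 sshd[2402]: Failed password for root from 203.0.113.45 port 40122 ssh2
Sep 14 11:15:33 db01 sshd[2402]: Failed password for root from 203.0.113.45 port 40122 ssh2
Sep 14 11:20:01 db01 sshd[2450]: Failed password for root from 10.10.5.30 port 40200 ssh2
Sep 14 13:40:10 db01 sshd[2501]: Accepted password for root from 10.10.5.30 port 40311 ssh2
Sep 14 14:02:54 db01 sudo:       ju : TTY=pts/1 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/less auth.log
"""


@dataclass
class AuthEvent:
    ts: str                 # syslog timestamp, e.g. "Sep 14 09:05:40"
    host: str
    kind: str               # "sudo", "su", "ssh_ok" or "ssh_fail"
    user: str               # account that initiated the action
    target: str             # account whose privileges were requested
    source: str             # TTY for sudo, peer IP for sshd, "local" for su
    command: Optional[str] = None


SYSLOG_HEAD = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w/-]+)(?:\[\d+\])?:\s*(?P<msg>.*)$")
SUDO_RE = re.compile(r"^(?P<user>\S+) : TTY=(?P<tty>\S+) ; .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
SU_RE = re.compile(r"^Successful su for (?P<target>\S+) by (?P<user>\S+)$")
SSH_OK_RE = re.compile(r"^Accepted \S+ for (?P<target>\S+) from (?P<ip>\S+) port")
SSH_FAIL_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<target>\S+) from (?P<ip>\S+) port")


def parse_auth_log(text: str) -> list:
    """Turn raw syslog lines into AuthEvents; lines that match no known pattern are skipped."""
    events = []
    for line in text.splitlines():
        head = SYSLOG_HEAD.match(line)
        if not head:
            continue
        ts, host, prog, msg = head.group("ts", "host", "prog", "msg")
        if prog == "sudo" and (m := SUDO_RE.match(msg)):
            events.append(AuthEvent(ts, host, "sudo", m["user"], m["target"], m["tty"], m["cmd"]))
        elif prog == "su" and (m := SU_RE.match(msg)):
            events.append(AuthEvent(ts, host, "su", m["user"], m["target"], "local"))
        elif prog == "sshd" and (m := SSH_OK_RE.match(msg)):
            events.append(AuthEvent(ts, host, "ssh_ok", m["target"], m["target"], m["ip"]))
        elif prog == "sshd" and (m := SSH_FAIL_RE.match(msg)):
            events.append(AuthEvent(ts, host, "ssh_fail", m["target"], m["target"], m["ip"]))
    return events


def review_privileged_use(events, approval_register):
    """Item 25: every successful escalation to root, with the approval ticket recorded for it
    (approval_register is a constructed {(user, kind): ticket} map; None means no record)."""
    findings = []
    for e in events:
        if e.target != "root" or e.kind == "ssh_fail":
            continue
        findings.append({"ts": e.ts, "user": e.user, "via": e.kind, "source": e.source,
                         "approval": approval_register.get((e.user, e.kind))})
    return findings


def failed_root_logons(events, threshold=3):
    """Item 26 (and item 6): failed logons to the super user account per source IP, and the
    sources that reached the threshold at which suspension/escalation should have happened."""
    per_source = Counter(e.source for e in events if e.kind == "ssh_fail" and e.target == "root")
    over = sorted(ip for ip, n in per_source.items() if n >= threshold)
    return per_source, over


def remote_root_logons(events):
    """Item 24: root may only log on at the system console, so any accepted network logon
    as root is a finding in itself."""
    return [e for e in events if e.kind == "ssh_ok" and e.target == "root"]


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_LOG)
    register = {("rs", "sudo"): "CR-2016-014"}      # constructed approval register
    for f in review_privileged_use(evts, register):
        status = f["approval"] or "NO APPROVAL RECORD"
        print(f'{f["ts"]} {f["user"]:>5} -> root via {f["via"]:7} from {f["source"]:<14} {status}')
    counts, flagged = failed_root_logons(evts)
    for ip, n in counts.most_common():
        print(f"failed root logons from {ip}: {n}" + ("  <- escalate" if ip in flagged else ""))
    for e in remote_root_logons(evts):
        print(f"{e.ts} root logged on over the network from {e.source}: violates console-only rule")
```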

Audit Program for Audit Trails

S.No | Audit Procedures | Yes/No | Done by
1 | Whether the logging of audit trails is commensurate with the business needs? Is there a clear policy showing the events to be logged, the period of retention of the audit logs, review of audit trails, etc.? Is the retention period adequate? | Yes | Ju
2 | Does the audit trail associated with the product/service support the ability to log and review all actions performed by systems operators, systems managers, system engineers, system administrators, highly privileged accounts and emergency IDs? | Yes | Ju
3 | Does the audit trail capture the relevant data, like date and time stamp, user ID, terminal number, session ID, etc.? | Yes | Ju
4 | Are the audit trails reviewed regularly, what is the frequency of such review and who conducts the reviews? Are unusual patterns noticed and reported? | Yes | LR
5 | Are the access control violations of users communicated to their respective managers and customers regularly? | Yes | LR
6 | Is there a process in place to log and review actions performed by emergency IDs associated with the product/service? Are all emergency actions later signed off by the appropriate heads? | Yes | RS
7 | On scrutiny of the list of audit trails, are there any transactions which are unnecessarily logged? Such transactions can be omitted. | Yes | RS

Audit Program for Networks

S.No | Audit Procedures | Yes/No | Done by
1 | Verify whether there is an Acceptable Usage Policy, Internet Access Policy, Email and Communication Policy, Network Security Policy, Remote Access Policy, BYOD Policy, Encryption Policy and Privacy Policy. Are the policies clearly defined and communicated to the various stakeholders? | Yes | Ju
2 | Obtain or prepare logical and physical diagrams of the network and attached local and wide area networks, including the systems' vendor and model description, physical location, and the applications and data residing and processing on the servers and workstations. | Yes | Ju
3 | Using the information obtained in the prior steps, document the server and directory location of the significant application programs and data within the network; document the flow of transactions between systems and nodes in the network. | Yes | Ju
4 | Assess whether the trusted domains are under the same physical and administrative control and are logically located within the same sub-network. | Yes | Ju
5 | Determine that router filtering is being used to prevent external network nodes from spoofing the IP address of a trusted domain. | Yes | Ju
6 | Determine that the Administrator/SuperUser and Guest accounts have passwords assigned to them (by attempting to log on without providing a password). Also ascertain that the Administrator account password is well controlled and used/known by only the system administrator and one backup person. | Yes | Ju
7 | Review the account properties settings active in each user's individual profile, which may override the global account policy. | Yes | Ju
8 | List out the security permissions for all system directories and significant application programs and directories, and ensure that they are consistent with the security policy. | Yes | Ju
9 | Review and assess permissions assigned to groups and individual accounts, noting that Full Control (all permissions) and Change (Read, Write, Execute and Delete) permissions are restricted to authorized users. | Yes | Ju
10 | Review the audit log for suspicious events and follow up on these events with the security administrator. | Yes | Ju
11 | Determine the types of accounts that were used to access the routers. | Yes | LR
12 | Determine what users had access to these accounts. | Yes | LR
13 | Were access attempts to the routers logged? | Yes | LR
14 | Determine if all accounts had passwords and determine the strength of the passwords. | Yes | LR
15 | Was Simple Network Management Protocol (SNMP) used to configure the network? | Yes | RS
16 | Determine the version of SNMP employed by the company. (Version one stores passwords in clear-text format. Version two adds encryption of passwords.) | Yes | RS
17 | Determine if Open Shortest Path First (OSPF) was defined on the router. Determine the authentication mechanism employed in the company's implementation of OSPF. | Yes | RS
18 | Determine whether directed broadcast functionality was enabled on the router. This setting, if enabled, could allow a denial-of-service (DoS) attack on the network (Smurf attack). | Yes | RS
19 | Obtain the population of routers with modems and obtain the telephone numbers of the routers. | Yes | Ju
20 | Determine if users were properly authenticated when remotely accessing the routers. | Yes | Ju
21 | Determine how changes to the router environment were made. | Yes | Ju
22 | Were there procedures for changing router configurations? If so, were these procedures well documented and consistent with the security policy? | Yes | LR
23 | Determine if changes to the router configuration were documented. | Yes | RS
24 | Was there a separation of duties within the change control of the router environment? | Yes | LR

Audit Program for Firewall

S.No | Audit Procedures | Yes/No | Done by
1 | Verify if there is a Firewall Policy. Comment whether it is commensurate with the Organisation's requirements. Is it updated frequently? | Yes | Ju
2 | Obtain background information about the firewall(s) in place, e.g., segment diagrams, software, hardware, routers, version levels, host names, IP addresses, connections and any specific policies, for an overview of the firewall security. | Yes | Ju
3 | Determine that the firewall components, both logical and physical, agree with the firewall strategy. | Yes | Ju
4 | Determine whether the firewall components are the latest possible version and security patches are current. | Yes | Ju
5 | Determine that root cannot telnet to the system. | Yes | Ju
6 | Determine that the telnet OS banner and other banners, such as the FTP banner, have been eliminated. | Yes | Ju
7 | Ensure that there are no compilers/interpreters on the firewall. | Yes | RS
8 | Ensure that a lockdown rule has been placed at the beginning of the rule base. The lockdown rule protects the firewall, ensuring that whatever other rules are put in later will not inadvertently compromise the firewall. | Yes | RS
9 | Obtain and review the connections table for time-out limits and number of connections. | Yes | RS
10 | Attempt to test the rule base by scanning secured network segments from other network segments. | Yes | RS
11 | Identify accessible resources behind the firewall that are to be encrypted and determine that the connections are encrypted. | Yes | LR
12 | Determine if there is a change control process in place for the rule base. | Yes | LR
13 | Determine the use of the firewall's automatic notification/alerting features and the archiving of detailed intruder information to a database for future analysis. | Yes | LR
14 | Review the audit log for suspicious events and follow up on these events with the security administrator. | Yes | LR
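One way an auditor can script the step 8 check over an exported rule base. This is an added example, not code from this report or from any firewall product; the rule format, the `fw` object, the management host and all addresses are constructed for illustration.

```python
# Added example for this report (not ZCS's or any vendor's code): checks firewall audit
# step 8, the lockdown rule; rule syntax, the "fw" object and all addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_network

FIREWALL_SELF = ("10.0.0.1/32", "203.0.113.1/32")  # constructed interface addresses
MGMT_HOST = "10.0.0.50/32"                         # constructed admin workstation
OBJECTS = {"fw": FIREWALL_SELF}                    # "fw" stands for the firewall itself


@dataclass(frozen=True)
class Rule:
    src: str     # "any", an object name, or a CIDR
    dst: str
    action: str  # "accept" or "drop"


def covers(spec, net):
    """True when an address spec can match at least one address in net."""
    if spec == "any":
        return True
    return any(ip_network(s).overlaps(ip_network(net)) for s in OBJECTS.get(spec, (spec,)))


def is_lockdown_rule(rule):
    """Drops traffic from anywhere to every firewall address (not a blanket drop-all)."""
    return (rule.action == "drop" and rule.src == "any" and rule.dst != "any"
            and all(covers(rule.dst, fw) for fw in FIREWALL_SELF))


def audit_rule_base(rules):
    """Return findings for step 8; an empty list means the check passes."""
    findings, locked, seen_other = [], False, False
    for n, r in enumerate(rules, start=1):
        if is_lockdown_rule(r):
            locked = True
            continue
        mgmt_only = r.action == "accept" and r.src == MGMT_HOST  # may precede the lockdown rule
        if not locked and not mgmt_only and not seen_other:
            findings.append(f"rule {n}: lockdown rule is not at the beginning of the rule base")
        seen_other = seen_other or not mgmt_only
        if (not locked and r.action == "accept" and not mgmt_only
                and any(covers(r.dst, fw) for fw in FIREWALL_SELF)):
            findings.append(f"rule {n}: accept rule reaches a firewall address before the lockdown rule")
    if not locked:
        findings.append("no lockdown rule found in the rule base")
    return findings


# Constructed sample rule bases: COMPLIANT passes, NONCOMPLIANT does not.
COMPLIANT = [Rule(MGMT_HOST, "fw", "accept"), Rule("any", "fw", "drop"),
             Rule("any", "10.0.1.0/24", "accept"), Rule("any", "any", "drop")]
NONCOMPLIANT = [Rule("any", "10.0.0.0/24", "accept"), Rule("any", "fw", "drop"),
                Rule("any", "any", "drop")]
```

Management-only accept rules placed ahead of the lockdown rule are tolerated, since that is the usual layout; any other accept rule that can reach a firewall address before the lockdown rule is reported.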

Audit Program for Business Continuity Plan

S.No | Audit Procedures | Yes/No | Done by
1 | Is there a business continuity plan for the Organisation? Verify whether it is properly documented and implemented. | Yes | Ju
2 | Are the scope and objectives of the BCP clearly defined in the policy document? Do any exceptions to the scope of the BCP exist, i.e. in terms of location or any specific area, and does management have justifications for their exclusion? | Yes | Ju
3 | Are the policy and procedure documents approved by Top Management? | Yes | Ju
4 | Does the business continuity plan ensure the resumption of IS operations during major information system failures? | Yes | Ju
5 | Whether fire prevention and control measures implemented are adequate and tested periodically? | Yes | Ju
6 | Whether computing facilities are situated in a building that is fire resistant and the walls, floor and false ceiling are non-combustible? | Yes | Ju
7 | Whether smoking restrictions in computing facilities are in place? | Yes | Ju
8 | Whether smoke / heat-rise detectors are installed and connected to the fire alarm system? Is there a policy of regular maintenance of such detectors in place? | Yes | Ju
9 | Whether fire instructions are clearly posted and fire alarm buttons clearly visible? | Yes | Ju
10 | Whether emergency power-off procedures are laid down and an evacuation plan with clear responsibilities is in place? | Yes | Ju
11 | Whether fire drills and training are conducted periodically? | Yes | LR
12 | Is the retrieval of backups from media storage tested frequently? Do the RTO & RPO meet the SLA entered into? | Yes | LR
13 | Are users involved in the preparation of the business continuity plan? | Yes | LR
14 | Do the policy and procedure documents include the following: list of critical information assets; list of vendors for service level agreements; current and future business operations? | Yes | LR
15 | Are the BCP policy and procedures circulated to all concerned? Is the business continuity plan updated and reviewed regularly? | Yes | RS
16 | Has management identified potential threats/vulnerabilities to business operations? Are the risks evaluated by Management? | Yes | RS
17 | Does the organisation carry out business impact analysis (BIA) for business operations? Has the organisation identified a BIA team? | Yes | RS
18 | Are RTO and RPO defined by management? Are RTO & RPO defined by management in line with the Service Level Agreement entered into by the Company with its Customers? | Yes | RS
19 | Has the organisation prioritized recovery of interrupted business operations? | Yes | RS
20 | Has the organisation identified the various BCP and DRP Teams? | Yes | RS
21 | Are the responsibilities for each team documented? | Yes | LR
22 | Does the BCP document(s) include the following? Scope and objective. Roles and responsibilities of BCP and DRP. | Yes | LR
23 | Are copies of up-to-date BCP Documents stored offsite? | Yes | LR
24 | Does the BCP include training to employees? Are the BCP and DRP communicated to all concerned? | Yes | LR
25 | Whether the organisation has adequate media and document backup and restoration procedures. | Yes | Ju
26 | Are logs for backup and restoration maintained and reviewed? | Yes | Ju
27 | Whether the business continuity plan is tested at regular intervals? Has the organisation reviewed the gap analysis of testing results? How has the organisation decided to reduce the gaps identified, and what is the time limit set for addressing the same? | Yes | Ju
28 | Has the organisation got a testing plan? | Yes | LR
29 | Are test drills conducted at appropriate intervals? Does the organisation document and analyse testing results? Has the organisation prepared action points to rectify the testing results? Does the organisation carry out retesting activity for action points? | Yes | Ju
30 | Does the organisation review the BCP and DRP at regular intervals? | Yes | RS

Audit Program for Privacy Audit

S.No | Audit Procedures | Yes/No | Done by
1 | Has the Organisation assessed the various Statutory and Regulatory Laws of various countries affecting it? | Yes | Ju
2 | Does the Organisation have a Privacy Policy defining the Classification of Information, Ownership of the Information, Data Privacy, Accountability, etc.? Are the Agreements entered into with the customer in line with the Policy? | Yes | Ju
3 | Are the policies properly communicated to the Internal and External Stakeholders, and are they educated on them? | Yes | Ju
4 | Is the Policy updated regularly according to changes in the various legislatures affecting Data Privacy? | Yes | Ju
5 | Are the Routers and Audit Logs configured according to the Privacy Policy documents? | Yes | Ju
6 | Does the Organisation have Data Maps providing detailed information about how information is being received, utilized, managed, and passed on by the organization internally and externally? | Yes | Ju
7 | Is there a monitoring mechanism in place collecting the various violations of the policy and the steps taken for their resolution? | Yes | Ju
8 | Is there a clear perimeter demarcation of different Departments, to restrict the flow of information? | Yes | Ju
9 | Are Privacy Audits conducted by External Audit Teams, and are the findings of the Audit worked upon and resolved? | Yes | Ju

Detailed Audit report:

S.No | Audit findings and Risk | Recommendation
1 | The guest badges issued while giving access to the facility for a particular day are not collected back properly. Risk: It may lead to unauthorized access to the location. | The Security team should collect the temporary badges issued while the guest is leaving the premises.
2 | There is no specific procedure for the creation, modification and retrieval of security badges issued to full-time employees. Risk: When there is a change in the roles of employees without a change in the master data of the employees, it leads to unauthorized access to data. | There should be a formal procedure for changing the security badges issued when there is a change in the roles of full-time employees.
3 | The entry and exit logs are not maintained properly and the data is available for the last six months only. Risk: Retrieving the information required in future may not be possible. | The logs need to be maintained for a minimum period of 2 years.
4 | The lighting system around the boundary wall is not sufficient. Risk: Sufficient lighting allows guards and employees to see the places of possible concealment or access. | A high beam lighting system needs to be installed.
5 | The fence around the boundary wall is at a low height and there is no proper procedure of regular checks by staff for holes or damage. Risk: It may lead to unauthorized access into the data centre. | The Security policy needs to be revised and the height of the fence increased.
6 | The CC cameras installed around the data centre do not cover the total perimeter of the data centre. Risk: Control over the surrounding area may not be possible. | The CC cameras need to be installed to cover the total perimeter around the data centre.
7 | A role based access control system is not available in the organization. Risk: This may lead to access of data by employees outside the role. | The policy of giving access rights to employees based on roles needs to be implemented.
8 | The time limit for change of password was not available in the system. Risk: This may lead to misuse of passwords by other employees. | The password policy needs to be changed to force employees to change their passwords every 90 days.
9 | The SLA does not specify the number of days the logs have to be retained. Risk: Back-dated logs pertaining to earlier periods cannot be retrieved. | The SLA should specifically mention the period for which the logs are to be stored.
10 | The firewall policy was not updated frequently. Risk: Non-updation leads to loss of data and unauthorized access to the data centre. | The firewall policy needs to be updated frequently.
11 | Fire drills are not conducted periodically. Risk: In the event of fire it leads to recovery failure. | Fire drills need to be conducted at regular intervals.
12 | The list of important phone numbers required during a disaster was not available with the employees. Risk: It leads to delay in recovery from the disaster. | The DCP should contain the important phone numbers required during the disaster.

SOURCES OF REFERENCE:
Checklists for IS Audit – Issued by RBI
ISA 2.0 Study Material
Internet
