
Information System Audit And Inspection by

Imrul Sadat, http://imrulsadat1.blogspot.com

Chapter: 01

Introduction

Firms are now highly dependent on Information Technology for their daily work; Information
Technology has become the heart of the Firm sector. All accounting transactions of a Firm are
processed through Information Technology, which creates high risk for the Firm. To minimize
the risk, a Firm needs to develop an internal audit department for auditing IT-based business
processes, and that department needs to develop procedures and guidelines for its internal
auditors. Information system auditing is a new type of auditing for Firms, different from
financial auditing. As a Firm employee I therefore decided to do my Masters project in this new
field of Information System auditing for Firms.

1.1 Objectives of the Report

I am a regular staff member of IMRUL SADAT Firm Limited. The main objective of the report is to
conduct Information System auditing on various departments and work stations of IMRUL SADAT
Firm Limited. Attention is therefore geared toward the following specific objectives.

a) To conduct a standard ICT audit on various divisions of the Firm.

b) To prepare a comprehensive audit report on IMRUL SADAT Firm Limited.

c) To advise Firm management, on the basis of the audit observations, regarding its risk issues.

1.2 Information System (IS) Auditing

An information system audit examines an organization's information systems and network to
assess whether the information systems and network infrastructure are capable of providing
security for the whole system. An Information System audit is conducted by the internal or
external audit team of the Firm. It tries to find security holes that may enable fraudulent
activity. Various auditing standards have been developed, e.g. the Bangladesh Firm ICT guideline.

An IT audit is different from a financial audit. A financial audit checks whether standard
accounting practice is followed; an information system audit finds information system threats.
Information is the most valuable asset of a Firm, and the information system auditor evaluates
the system and thus guards the organization's information.

The IT audit evaluates the following:

1. Availability: checking whether the Firm's computer systems are available to the business at
all times.

2. Confidentiality: checking whether the Firm's computer systems disclose information only to
authorized users.

3. Integrity: checking whether the information in the Firm's computer systems is accurate,
reliable and timely.

4. Information asset risk: assessing the information asset risk of the Firm and finding methods
to minimize that risk.

Importance of IS auditing in a Firm.

1. Information System Auditing finds threats in ICT operations and advises the Firm on how to
minimize them.

2. Information system auditing is necessary to comply with the Bangladesh Firm ICT guideline.

3. Information system auditing increases the effectiveness and efficiency of ICT operations.

The following audit techniques are used during an IS audit:

1. Verbal questioning and written questionnaires.

2. Visual inspection of the systems, locations, spaces, rooms and objects.

3. Observations.

4. Analysis of files (including electronic data).

5. Technical examination (e.g. testing of alarm systems, access control systems, applications).

6. Review of previous audit reports.

1.3 Auditing IMRUL SADAT Firm Ltd

IMRUL SADAT Firm Ltd is a private commercial Firm operating since 1995. It is one of the
leading Firms of the country based on accounting principles. It now has 129 work stations and
two subsidiary companies, Securities Ltd and Investment Ltd. It introduced an online, real-time
Firm solution for its clients. As an employee of IMRUL SADAT Firm Ltd I decided to do this
project on this Firm. I performed the IT audit from 01/06/2017 to 29/06/2017 in the Principal
Work station of IMRUL SADAT Firm Limited, where I am a regular employee. I also visited the head
office and data centre several times for audit purposes.

1.4 Category of ICT operation of IMRUL SADAT Firm Ltd

Depending on ICT operation there are two types of Firm in our country:

1. Centralized ICT operation

2. Decentralized ICT operation

A centralized ICT operation manages business applications through a Data Center (DC). The DC
continuously backs up data, and all work stations and booths are connected to it through a WAN.
A decentralized ICT operation manages distributed business applications through a WAN. The ICT
operation of IMRUL SADAT Firm Ltd is centralized.

1.5 Sources of data

Both primary and secondary data have been collected. I gathered primary data by personal
interview of Firm employees, mainly through verbal discussion. For secondary data I used
databases, official manuals and several books. To prepare the report smoothly and accurately I
used both primary and secondary data.

Primary sources:

- Direct observation of the information system.
- Questioning of concerned persons.

Secondary sources:

- Manual documents and previous audit reports.

1.6 Limitations of the report

Analysing the overall IT activities of a Firm is not easy, so the report was completed under the
following limitations:

- The Firm's IT systems are highly sensitive, and the auditing operation cannot be performed
without permission from the concerned authority.
- An audit report is a confidential document of the organization and is not an open report.
- Due to time restrictions, the report concentrates on selected areas only.

Chapter: 02

ICT Security Management audit

ICT Security Management ensures that the ICT functions and operations are efficiently and
effectively managed. A Firm needs its own policy, guidelines, internal and external audit teams
and training to manage ICT security. A standard audit policy is necessary for a Firm; it guides
the auditors and employees of the Firm in following the rules. ICT is a fast-moving and changing
field, so the documentation on ICT security management needs to be revised periodically.

2.1 ICT Policy, Standard and Procedure

A Firm needs a policy statement, fixed standards and procedures for IT auditing, and these need
to be updated periodically. I checked the Firm's policy and auditing procedures and found the
following audit objections.

1. IMRUL SADAT Firm Ltd has an 'ICT Security Policy' approved by the board. The policy requires
regular updates to deal with changes in the ICT environment, but it has not been updated for
more than a year.

2. No separate ICT security professionals are employed in a separate ICT security department.
The Firm's IT department is currently responsible for providing IT security. A separate ICT
security department must be established as per the Bangladesh Firm guideline.

2.2 Documentation

The head office audit division and IT division, as well as the work stations, need to have the
necessary documentation.

1. IMRUL SADAT Firm Ltd has an organogram for the ICT department, but it is not updated and
recent changes are not reflected in it. It is advised to update the organogram.

2. During the audit no ICT support unit/section/personnel was found in the Principal Work
station organogram.

3. In the Principal Work station a power user supports IT operations within the work station,
but he has no approved job description.

4. In the IT division, as well as in the Principal Work station, one employee performs multiple
ICT tasks, so a clear segregation of duties is necessary.

5. Detailed design documents for all ICT systems/services (e.g. Data Center design, network
design, power layout for the Data Center, etc.) are not kept in one place. All design and layout
plans must be kept in one place under a responsible person.

6. There is a pre-scheduled roster for sensitive ICT tasks (e.g. network monitoring, security
guard for the Data Center, ATM monitoring, etc.), but it is not maintained strictly; some
employees were found not following the roster.

7. Updated 'Operating Procedures' for all ICT functional activities (e.g. backup management,
database management, network management) are not maintained.

8. Approved requisition forms for some ICT operations (such as closing a user or changing a user
name) were not found.

2.3 Internal Information System Audit

Audit observations regarding internal audit are given below.

1. Internal Information System (IS) audits are carried out by the Internal Audit Department of
the Firm, but the auditors do not have sufficient skill, education and certification to perform
IS audits. There is no CISA-certified auditor; CISA certification is now the benchmark
qualification in this regard. Engagement of certified IS auditors with adequate audit experience
in this area is advised.

2. Computer-Assisted Audit Tools (CAATs) are not used for IS audit planning, auditing, control
and management. Use of CAATs is advised as per the Bangladesh ICT policy.

3. Internal Information System audits are done periodically, at least once a year, and the
reports are preserved for regulators as and when required. The audit issues of IMRUL SADAT Firm
Ltd are properly tracked and completely recorded, but they are not followed up and rectified
properly. In the Principal Work station I found that some of last year's objections have not
been rectified yet. It is advised to rectify previous audit objections immediately.

2.4 External Information System Audit

As per the Bangladesh Firm ICT guideline, external auditors for information system auditing must
be engaged alongside the Firm's internal audit team. Expert external system auditors may
sometimes perform a more detailed and in-depth audit than internal audit. The following is the
audit objection regarding External Information System Auditing.

1. IMRUL SADAT Firm Ltd does not engage external auditor(s) for its information systems auditing
in line with its regular financial and internal audits. It is advised to engage external
auditors.

2.5 Standard Certification

Standard certification is necessary to bring ICT activities and infrastructure up to industry
standard. The audit observation regarding standard certification is given below.

1. Industry-standard certifications (e.g. ISO certifications related to Information System
Security, Quality of ICT Service Delivery, Business Continuity Management, Payment Card Data
Security, etc.) have not been obtained.

2.6 Security Awareness and Training


IT awareness training is a regulatory requirement of Bangladesh Firm. The following are audit
observations regarding security awareness and training.

1. Not all IT-relevant personnel are getting proper training, education, updates and awareness
of the ICT security activities relevant to their job function.

2. Not all IMRUL SADAT Firm Ltd ICT personnel have had Foundation Training.

3. Not all staff of the Firm have had security awareness training.

2.7 Insurance

ICT assets must be insured to provide protection from financial loss if something catastrophic
happens to the business. The audit observation regarding insurance is given below.

1. Not all ICT assets are covered by insurance. Adequate insurance coverage or a risk coverage
fund is necessary.

Chapter: 03

Infrastructure Security Management audit

ICT infrastructure includes all data, applications, databases, operating systems and networks.
Attacks may hit the ICT infrastructure in many ways, so an IS auditor regularly checks the
various components of the ICT infrastructure for lack of compliance.

3.1 Asset Management

I conducted an audit of ICT assets and found the following audit findings.

1. ICT asset procurement must comply with the Firm's procurement policy, but some assets (UPS
units, keyboards, mice, network cables) were not procured according to the asset procurement
policy. It is advised to follow the standard procurement policy for all types of asset.

2. Not every ICT asset is assigned to a custodian (an individual or entity) who is responsible
for the development, maintenance, usage, security and integrity of that asset.

3. Not all ICT assets are identified and labelled, and the labels carry no classification.

4. The ICT asset inventory does not state significant details (e.g. owner, custodian, purchase
date, location, license number, configuration, etc.). It is advised to maintain the inventory
with the details mentioned.

5. The ICT asset inventory is not updated.

6. Information system assets must be adequately protected from unauthorized access, misuse or
fraudulent modification, insertion, deletion, substitution, suppression or disclosure. The level
of supervision needs to be increased.

7. There is no disposal policy for information system assets. Data in storage media is not
destroyed before disposal.

8. Portable devices (pen drives, portable hard disks) are used without prior permission from the
authority.

9. Some of the software used by employees is not licensed. It is advised not to use any software
that has not been legally purchased or otherwise legitimately obtained.

10. There is no approved list of software that alone may be used on any computer. It is advised
to prepare an approved software list immediately.

11. At work station level some unauthorized or pirated software is used; this must be strictly
prohibited throughout the Firm.


3.2 Desktop/Laptop Devices Controls

A user's desktop is always subject to attack, so the IS auditor needs to audit all desktops and
laptops. I conducted the audit and found the following audit findings.

1. Desktop computers are connected to UPS units to prevent damage to data and hardware, but some
UPS batteries were found damaged. It is advised to check UPS batteries periodically.

2. Unattended computers are not locked automatically. Before leaving a desktop or laptop
computer unattended, users shall apply the 'Lock Workstation' feature.

3. Desktop computers, laptops, monitors, etc. are turned off at the end of each workday, but no
one is assigned responsibility for checking this after the end of each work day.

4. Laptops, computer media and any other forms of removable storage containing sensitive
information (e.g. CD-ROMs, Zip disks, PDAs, flash drives, external hard drives) are not stored
in a secured location or locked cabinet when not in use.

5. Access to USB ports on desktop computers is not controlled.

6. Other information storage media containing confidential data, such as paper, files, tapes,
etc., are not stored in a secured location or locked cabinet when not in use.

7. At work station level some individual users install or download software applications
without prior authorization.

8. Virus incidents are not reported.

9. Viruses are cleaned/deleted without expert assistance.

10. In work stations the same identification (ID) and authentication (password) are used by
multiple users.

11. Computers are not placed above floor level.

3.3 Server/Network Room/Rack Controls

Server/network rooms and racks are always subject to attack and therefore require auditing. The
following are the audit findings.

1. The server/network room/rack is a glass enclosure, but it is not locked and no assigned
responsible person was found.

2. Physical access is restricted and a visitors' logbook exists, but it is not maintained
properly: some employees enter the server room without entering their names in the entry
register.

3. The access authorization list is not maintained and reviewed on a regular basis.

4. There is no provision to replace the servers and network devices within the shortest possible
time in case of a disaster.

3.4 Networks Security Management

The following are audit observations regarding network security management.

1. No written documentation of baseline security standards was found for operating systems,
databases, network equipment and portable devices; such baselines shall meet the organization's
policy.

2. Enforcement standards are not applied uniformly on a regular basis so that non-compliance is
detected and raised for investigation.

3. All types of cable, including UTP, fibre and power, shall be properly labelled for later
corrective or preventive maintenance work, but most cables were found unlabelled.

4. Mechanisms are in place to encrypt and decrypt sensitive data travelling through the WAN or
public networks, but these mechanisms need to be followed up and kept updated.

5. Network security devices such as firewalls are installed to protect the network perimeter,
but they are not monitored periodically.

6. The rules on network security devices are not checked on a regular basis to determine that
they are appropriate and relevant.

7. Not all unused ports of the access switches are shut off.
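
As an added illustration of finding 7 (this script is not part of the original audit report),
the following Python code checks an access-switch configuration for ports that have no recorded
owner and are still enabled. The running-config text, the interface names and the
'spare/unused' description markers are constructed assumptions; in a real audit the
configuration would be pulled from each access switch and fed to the same check.

```python
"""Audit an access-switch configuration for unused ports that are not shut down.

Added example (not part of the original report). It parses a constructed
IOS-style running-config; interface names, VLAN numbers and the 'unused'
heuristic are assumptions for illustration.
"""
import re

# Constructed sample configuration (assumption: not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description Uplink to core switch
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description Teller-PC-01
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/3
 switchport mode access
!
interface GigabitEthernet1/0/4
 switchport mode access
 shutdown
!
interface GigabitEthernet1/0/5
 description spare
 switchport access vlan 10
 switchport mode access
!
"""

# Descriptions that mark a port as intentionally unused (assumption).
UNUSED_MARKERS = ("spare", "unused", "free")


def parse_interfaces(config):
    """Return an ordered {interface_name: [config lines]} mapping."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        match = re.match(r"^interface (\S+)", raw)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif raw.startswith("!"):
            current = None           # '!' ends the interface block
        elif current is not None and raw.strip():
            interfaces[current].append(raw.strip())
    return interfaces


def port_state(lines):
    """Classify one interface as 'trunk', 'shutdown', 'in-use' or 'unused-enabled'."""
    if any(line == "switchport mode trunk" for line in lines):
        return "trunk"
    if "shutdown" in lines:
        return "shutdown"
    for line in lines:
        if line.startswith("description "):
            desc = line[len("description "):].strip().lower()
            if desc and desc not in UNUSED_MARKERS:
                return "in-use"      # a meaningful description = assigned port
    return "unused-enabled"          # no owner recorded and not shut: finding


def audit_unused_ports(config):
    """Return the sorted list of access ports that are unused but still enabled."""
    return sorted(name for name, lines in parse_interfaces(config).items()
                  if port_state(lines) == "unused-enabled")


def remediation_commands(ports):
    """Generate the configuration lines that would close each finding."""
    cmds = []
    for port in ports:
        cmds += [f"interface {port}", " shutdown", "!"]
    return cmds


if __name__ == "__main__":
    findings = audit_unused_ports(SAMPLE_CONFIG)
    print("Unused ports left enabled:", findings)
    print("\n".join(remediation_commands(findings)))
```

The check treats a port with no description, or one described as spare, as unowned; in practice
the auditor should reconcile the list against the port/patch-panel register, since an undescribed
port may simply be undocumented rather than unused, which is itself finding 3 above.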

3.5 Cryptography

The primary application of cryptography is to protect the privacy of sensitive information.
Cryptography is commonly used in Firms to protect sensitive customer information such as PINs
relating to applications (e.g. ATMs, payment cards and online financial systems). The following
is the audit observation regarding cryptography.

1. There is no established cryptographic key management policy with procedures covering key
generation, distribution, installation, renewal, revocation and expiry.

3.6 Malicious Code Protection

The following are audit objections regarding malicious code (virus) protection.

1. Anti-virus packages are not installed on all computers.

2. Files received on electronic media, by mail, from uncertain origins or from unknown networks
are not checked for malicious code before use.

3. The anti-virus package is kept up to date with the latest virus definition file using an
automated and timely process.

4. Not all computers in the network receive updated anti-virus signatures automatically from the
server.

5. Auto-protect mode is not enabled on some computers to screen disks, tapes, CDs or other media
for viruses.

6. The awareness programme for end users about computer viruses and their prevention is not
complied with.

3.7 Internet Access Management

Internet access within the Firm must be under close supervision and must be routed through a
secure gateway. The audit objections regarding internet use are given below.

1. Internet access is not provided to employees according to the approved Internet Access
Policy; some employees use the internet without approval. The internet must be used only for
official work, and its use must be monitored.

2. Access to the internet from Firm premises must not compromise the information security of the
Firm. Some employees use the internet for personal purposes on office premises, hampering the
information security of the Firm.

3. Access to the internet from Firm premises and systems is routed through secure gateways, but
the gateways are not monitored and checked on a regular basis.

4. Use of locally attached modems on the Firm's systems to establish a connection with the
internet or any third-party or public network via broadband, ISDN or PSTN services is prohibited
unless specifically approved. A circular in this regard must be forwarded to all work stations.


3.8 Email Management

The audit objections regarding e-mail use are given below.

1. The e-mail system is not used according to the Firm's policy; employees were found sending
personal e-mail using the Firm's e-mail system. An employee found to have violated this policy
may be subject to disciplinary action.

2. E-mail shall not be used to communicate confidential information to external parties unless
it is encrypted using approved encryption facilities. Work station level employees were found
unaware of the encryption facilities; training in this regard is necessary.

3. Employees' e-mail is not reviewed on a regular basis. Information transmitted by e-mail must
not be defamatory or abusive so as to damage the reputation of the Firm; the wilful transmission
of any such material is likely to result in disciplinary action. The concerned department shall
perform regular review and monitoring of the e-mail service.


3.9 Vulnerability Assessment and Penetration Testing

Vulnerability assessment (VA) is the process of identifying and assessing security
vulnerabilities in a system; penetration testing goes further and attempts to exploit them. The
audit objections regarding Vulnerability Assessment and Penetration Testing are given below.

1. Vulnerability assessment and penetration testing are not conducted periodically to detect
security vulnerabilities in the ICT environment, on the network infrastructure and on
internet-based systems.

2. After vulnerability assessment and penetration testing no process is identified to remedy the
issues, and gaps are not addressed. No documentation of previous VAs was found.

3.10 Patch Management

A patch is a piece of code released to update or fix installed software. The audit objections
regarding patch management are given below.

1. The Firm needs to establish patch management procedures that include the identification,
categorization and prioritization of security patches. There is no patch management team to
implement security patches in a timely manner.

2. Security patches are not tested before deployment into the production environment.


3.11 Security Monitoring

The audit observation regarding security monitoring is given below.

1. Security logs of systems, applications and network devices are not regularly reviewed for
anomalies. The logs are protected and retained for a defined period to facilitate future
investigation.
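
To show what a regular log review for anomalies can look like in practice, the following Python
script is added here (it is not part of the original report). It parses constructed
authentication log lines in the style of OpenSSH syslog output and raises three kinds of alert:
a burst of failed logons from one source, a successful logon from that source shortly after the
burst, and a privileged logon outside business hours. The host name, user names, addresses,
business hours and the privileged-account list are all assumptions.

```python
"""Review authentication logs for anomalies worth an investigator's attention.

Added example, not part of the original report. The log lines are constructed
to look like OpenSSH syslog output; host names, users, addresses, the business
hours and the privileged-account list are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, time, timedelta

SAMPLE_LOG = """\
2017-06-05 02:13:41 coreapp sshd[1201]: Failed password for admin from 10.20.30.7 port 51122 ssh2
2017-06-05 02:13:45 coreapp sshd[1201]: Failed password for admin from 10.20.30.7 port 51123 ssh2
2017-06-05 02:13:49 coreapp sshd[1201]: Failed password for admin from 10.20.30.7 port 51124 ssh2
2017-06-05 02:13:55 coreapp sshd[1202]: Accepted password for admin from 10.20.30.7 port 51125 ssh2
2017-06-05 09:02:10 coreapp sshd[1302]: Accepted password for teller01 from 10.20.30.15 port 40001 ssh2
2017-06-05 09:05:00 coreapp sshd[1303]: Failed password for teller02 from 10.20.30.16 port 40002 ssh2
2017-06-05 11:30:00 coreapp sshd[1304]: Failed password for root from 10.20.30.16 port 40003 ssh2
2017-06-05 14:00:00 coreapp sshd[1305]: Accepted password for dbadmin from 10.20.30.9 port 40004 ssh2
this line is not an authentication event and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)"
)

PRIVILEGED_USERS = {"admin", "root", "dbadmin"}   # assumption
BUSINESS_HOURS = (time(9, 0), time(18, 0))        # assumption


def parse_events(text):
    """Turn matching log lines into dicts; non-matching lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "host": m["host"], "result": m["result"],
                "user": m["user"], "src": m["src"],
            })
    return events


def failed_login_bursts(events, threshold=3, window_minutes=5):
    """Sources that produced >= threshold failures inside a sliding window.

    Returns [(src, first_failure, last_failure)] with ISO timestamps, one
    entry per offending source.
    """
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            by_src[e["src"]].append(e["ts"])
    bursts = []
    for src, stamps in by_src.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:       # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                bursts.append((src, stamps[start].isoformat(sep=" "),
                               ts.isoformat(sep=" ")))
                break
    return bursts


def success_after_burst(events, bursts, grace_minutes=10):
    """A successful logon from a bursting source shortly after the burst ended:
    the signature of a password-guessing attack that worked."""
    hits = []
    for src, _first, last in bursts:
        last_ts = datetime.fromisoformat(last)
        for e in events:
            if (e["src"] == src and e["result"] == "Accepted"
                    and last_ts < e["ts"] <= last_ts + timedelta(minutes=grace_minutes)):
                hits.append((src, e["user"], e["ts"].isoformat(sep=" ")))
    return hits


def off_hours_privileged_logins(events):
    """Successful privileged logons outside business hours."""
    start, end = BUSINESS_HOURS
    return [
        (e["user"], e["src"], e["ts"].isoformat(sep=" "))
        for e in events
        if e["result"] == "Accepted" and e["user"] in PRIVILEGED_USERS
        and not (start <= e["ts"].time() < end)
    ]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    bursts = failed_login_bursts(evts)
    print("Failed-logon bursts:", bursts)
    print("Success after burst:", success_after_burst(evts, bursts))
    print("Off-hours privileged logons:", off_hours_privileged_logins(evts))
```

On the sample data the three checks converge on the same event: the 'admin' account is guessed
three times from 10.20.30.7 at 02:13 and then accepted, outside business hours. That combination
is what the reviewer should escalate first; a single failed logon for 'root' at 11:30 is noise by
comparison. The same structure works over exported Windows security events or application logs
once the regular expression is adjusted to their format.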

Chapter: 04

Data Center Controls audit

As the data center (together with the disaster recovery site) is the heart of an information
system, its physical and environmental security is very important. Violating proper security
measures may cause a huge loss of data, including business interruption; in a critical situation
a Firm may go out of business due to data loss, and permanent loss of data would close a Firm's
business forever. So the guidelines to protect the data center and disaster recovery site must
be followed.

4.1 Physical Security

Physical security plays an important role in the data center; physical access to the data
centre is restricted to selected persons. The physical security audit observations for the data
centre are given below.

1. Physical security is applied to the information processing area, or Data Center (DC). The DC
is a restricted area and unauthorized access is strictly prohibited, but no responsible officer
was found to restrict unauthorized access.

2. Access to the DC is not granted on a need-to-have basis, and physical access of staff to the
DC is not revoked immediately when it is no longer required.

3. Vendors must always take written permission and must be accompanied by an authorized employee
when granted access to the DC. Vendors visited the DC many times, but no written permission was
found.

4. The access authorization list of persons authorized to access the Data Center is not
maintained and reviewed periodically.

5. The Firm employs physical, human and procedural controls around the clock, such as security
guards, a card access system and a surveillance system, but some points in the DC are not
covered by the surveillance system.

6. The inventory of all computing equipment, associated equipment and consumables housed in the
DC is not updated.

4.2 Environmental Security


The environment of the data centre is strictly controlled. The temperature of the data centre
rises because electrical power produces heat; if the heat is not removed, the temperature keeps
on rising. By controlling the air and humidity, the server components are kept within the
manufacturer-specified temperature/humidity range.

1. ASHRAE's (American Society of Heating, Refrigerating and Air-Conditioning Engineers) 'Thermal
Guidelines for Data Processing Environments' recommends a temperature range of 16–24 °C
(61–75 °F) and a humidity range of 40–55%, with a maximum dew point of 15 °C, as optimal data
center conditions; this range is not maintained.

2. The Data Center is in a multi-tenant building, which is a violation of the Bangladesh Firm
guideline.

3. The layout design of the Data Center, including power supply and network connectivity, is not
properly documented.

4. A fully functioning development and test environment is not available. It is advised to
separate the development and test environments from production.

5. Some powered-off and unused router devices were found in the DC. Accessories or devices not
associated with the Data Center, and powered-off devices, shall not be stored in the Data Center;
a separate store room is in place to keep all sorts of unused and redundant IT equipment.

6. Closed-circuit television (CCTV) cameras are installed, but the CCTV coverage is not
sufficient for monitoring all sides. It is advised to increase the number of CCTV cameras.

7. 'No eating, drinking or smoking' signs are not on display.

8. Dedicated office vehicles for emergencies are not available on-site. Use of public transport
is advised against when carrying critical equipment outside the Firm's premises, to avoid the
risk of any casualty.
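
Finding 1 is usually checked against environmental sensor exports, and the dew point has to be
derived because most sensors report only temperature and relative humidity. The following Python
code is added as an illustration (it is not part of the original report): it computes the dew
point with the Magnus formula and tests each reading against the three ASHRAE limits quoted
above. The rack names, timestamps and readings are constructed.

```python
"""Check data-center environmental readings against the ASHRAE envelope.

Added example, not part of the original report. Limits are the ones quoted
in the finding above; the sensor readings are constructed.
"""
import math

TEMP_RANGE_C = (16.0, 24.0)     # recommended temperature range
RH_RANGE_PCT = (40.0, 55.0)     # recommended relative-humidity range
MAX_DEW_POINT_C = 15.0          # recommended maximum dew point

# Constructed readings: (rack, timestamp, temperature C, relative humidity %).
SAMPLE_READINGS = [
    ("rack-A1", "2017-06-05 10:00", 22.0, 45.0),
    ("rack-A2", "2017-06-05 10:00", 26.5, 50.0),
    ("rack-B1", "2017-06-05 10:00", 23.0, 60.0),
    ("rack-B1", "2017-06-05 14:00", 18.0, 38.0),
]


def dew_point_c(temp_c, rh_pct):
    """Dew point via the Magnus formula (a = 17.62, b = 243.12 C), which is
    accurate to roughly 0.1 C over the temperatures found in a data center."""
    a, b = 17.62, 243.12
    gamma = math.log(rh_pct / 100.0) + a * temp_c / (b + temp_c)
    return b * gamma / (a - gamma)


def check_reading(temp_c, rh_pct):
    """Return the list of limits a reading violates; an empty list is compliant."""
    violations = []
    if not TEMP_RANGE_C[0] <= temp_c <= TEMP_RANGE_C[1]:
        violations.append(f"temperature {temp_c:.1f} C outside {TEMP_RANGE_C}")
    if not RH_RANGE_PCT[0] <= rh_pct <= RH_RANGE_PCT[1]:
        violations.append(f"humidity {rh_pct:.0f}% outside {RH_RANGE_PCT}")
    dew = dew_point_c(temp_c, rh_pct)
    if dew > MAX_DEW_POINT_C:
        violations.append(f"dew point {dew:.1f} C above {MAX_DEW_POINT_C} C")
    return violations


def audit_readings(readings):
    """Map (rack, timestamp) -> violations for every non-compliant reading."""
    report = {}
    for rack, stamp, temp_c, rh_pct in readings:
        problems = check_reading(temp_c, rh_pct)
        if problems:
            report[(rack, stamp)] = problems
    return report


if __name__ == "__main__":
    for key, problems in audit_readings(SAMPLE_READINGS).items():
        print(key, "->", "; ".join(problems))
```

Note that a reading can sit inside both the temperature and humidity ranges and still fail on dew
point (24 °C at 55% is about 14.4 °C and passes; 24 °C at 60% does not), which is why the dew
point limit is checked separately rather than inferred from the other two.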

4.3 Fire Prevention

The data centre must be protected from fire, and the IS auditor needs to audit the various
issues regarding fire prevention. The audit observations regarding fire protection of the data
centre are given below.

1. The walls, ceiling and doors of the Data Center are not all fire-resistant.

2. Fire suppression equipment is installed but not tested periodically.

3. An automatic fire/smoke alarm system is installed but not tested periodically.

4. No fire detector was found below the raised floor.

5. Some data cables in the Data Center are not concealed.

6. Flammable items such as paper and plastics were found in the Data Center.


Chapter: 05

Data Access Control audit

Access control provides assurance that data and applications are protected against attack. Data
access control covers authorizing someone to access data, change data, access systems and
perform privileged user activity. It distinguishes administrators from ordinary users: for
example, an administrator may be able to delete data, whereas a general user may not. The Firm
must grant access rights and system privileges based on job responsibility, and it must be
checked that nobody uses his own rank and position to access confidential data, applications or
system resources. There are two types of control:

1. Physical control

2. Logical control

Keeping a computer in a safe place provides physical control, whereas software that detects and
prevents unauthorized access provides logical control.

5.1 User Access Management


Users access data using a unique ID, and each ID is granted access rights according to the
user's responsibilities. The Firm's authority must grant and monitor access properly. The
following are some audit findings.

1. Each user must have a unique user ID and a valid password. At work station level one user ID
and password is shared by a group; in particular, the work station admin password is shared.

2. User ID maintenance forms with access privileges are not duly approved by the appropriate
authority; sometimes they are approved by junior staff of the IT division.

3. User access privileges are not kept updated when job status changes.

4. User access privileges are not regularly reviewed to verify that privileges are granted
appropriately.

5.2 Password Management

Audit observations regarding password management are given below.

1. Password definition parameters shall ensure that the minimum password length is maintained
according to the Firm's policy (at least 6 characters).

2. Passwords were not found to be a combination of at least three of the stated character
classes (uppercase, lowercase, special characters and numbers).

3. The maximum validity period of a password shall not exceed the number of days permitted in
the Firm's policy (a maximum 30-day cycle).

4. The parameter controlling the maximum number of invalid logon attempts is specified properly
in the system according to the Firm's policy (a maximum of 3 consecutive attempts).

5. Administrative passwords for the operating system, database and business applications are not
kept in safe custody in sealed envelopes.
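
The four parameters in findings 1 to 4 are easiest to verify when they are written down as a
single policy object that the application (or the auditor's test harness) can exercise. The
Python code below is added as an illustration and is not part of the original report: it
encodes the Firm's stated values (6 characters, 3 of 4 character classes, 30-day cycle, 3
consecutive failures) and shows the lockout behaviour that finding 4 checks, including the case
where a correct password is still refused on a locked account. User names are constructed. One
caveat a practitioner would raise: these values reflect the policy as quoted, whereas current
guidance such as NIST SP 800-63B recommends longer minimum lengths and advises against forced
periodic rotation, so the parameters, not the mechanism, are what the Firm should revisit.

```python
"""Enforce the password parameters stated in the Firm's policy.

Added example, not part of the original report: a policy object that checks
complexity and age, plus a lockout counter for consecutive failed logons.
The parameter values are the ones quoted in the findings above; the user
names are constructed.
"""
import string
from datetime import date


class PasswordPolicy:
    def __init__(self, min_length=6, min_classes=3, max_age_days=30,
                 max_failed_attempts=3):
        self.min_length = min_length
        self.min_classes = min_classes
        self.max_age_days = max_age_days
        self.max_failed_attempts = max_failed_attempts

    def complexity_failures(self, password):
        """Return a list of policy violations; an empty list means acceptable."""
        failures = []
        if len(password) < self.min_length:
            failures.append(f"shorter than {self.min_length} characters")
        classes = [
            any(c.isupper() for c in password),
            any(c.islower() for c in password),
            any(c.isdigit() for c in password),
            any(c in string.punctuation for c in password),
        ]
        if sum(classes) < self.min_classes:
            failures.append(f"fewer than {self.min_classes} character classes")
        return failures

    def is_expired(self, last_changed_iso, today_iso):
        """True once the password is older than the permitted cycle (ISO dates)."""
        last_changed = date.fromisoformat(last_changed_iso)
        today = date.fromisoformat(today_iso)
        return (today - last_changed).days > self.max_age_days


class LockoutTracker:
    """Counts consecutive failed logons per user and locks the account."""

    def __init__(self, policy):
        self.policy = policy
        self.failed = {}
        self.locked = set()

    def record_attempt(self, user, success):
        """Return 'ok', 'failed' or 'locked' for this attempt."""
        if user in self.locked:
            return "locked"          # even a correct password is refused
        if success:
            self.failed[user] = 0    # a success resets the consecutive count
            return "ok"
        self.failed[user] = self.failed.get(user, 0) + 1
        if self.failed[user] >= self.policy.max_failed_attempts:
            self.locked.add(user)
            return "locked"
        return "failed"

    def unlock(self, user):
        """Administrative reset after identity verification (assumption)."""
        self.locked.discard(user)
        self.failed[user] = 0


if __name__ == "__main__":
    policy = PasswordPolicy()
    for pw in ("abc123", "Ab1!xy", "Ab1"):
        print(repr(pw), policy.complexity_failures(pw))
    print("expired:", policy.is_expired("2017-05-01", "2017-06-05"))
    tracker = LockoutTracker(policy)
    for ok in (False, False, False, True):
        print("teller01", tracker.record_attempt("teller01", ok))
```

The lockout counter is per user, not per source address, so a shared work station ID (finding 1
of 5.1) also means that one colleague's typing errors lock everybody out; that is one more
practical reason to end password sharing.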

5.3 Input Control

Audit observations regarding input control are given below.

1. There is no session time-out period for users.

2. Operating time schedules for users' input to the Firm's applications are not implemented.

3. The software shall not allow the same user to be both maker and checker of the same
transaction unless otherwise permitted by the appropriate authority. In practice the checker
password is sometimes shared by several makers, who then verify their own transactions without
any check. This practice must be stopped.

4. Sensitive data and fields of the Firm's applications are not restricted from being accessed.
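
The maker-checker rule in finding 3 is a control the application itself must enforce, because
procedure alone is what the shared checker password defeats. The Python code below is added as
an illustration (it is not part of the original report or of the Firm's application): the
approval step refuses a checker who is also the maker unless a separately recorded authority
override is present, and every refused attempt is written to an audit trail so that later log
review can spot the pattern. User names, amounts and the 'branch-manager' authority are
constructed assumptions.

```python
"""Maker-checker (four-eyes) enforcement for transaction approval.

Added example, not part of the original report. Demonstrates the control the
finding describes: the user who entered a transaction may not verify it,
unless an explicitly recorded authority override is present. User names,
amounts and the authority role are constructed.
"""
from datetime import datetime


class SegregationOfDutiesError(Exception):
    """Raised when maker and checker of a transaction are the same user."""


class TransactionQueue:
    def __init__(self):
        self.transactions = {}
        self.audit_trail = []       # every action, for later log review
        self._next_id = 1

    def create(self, maker, amount, narrative):
        """Maker enters a transaction; it stays pending until checked."""
        txn_id = self._next_id
        self._next_id += 1
        self.transactions[txn_id] = {
            "maker": maker, "amount": amount, "narrative": narrative,
            "status": "pending", "checker": None,
        }
        self._log("create", txn_id, maker)
        return txn_id

    def approve(self, txn_id, checker, override_by=None):
        """Checker verifies a pending transaction.

        Raises SegregationOfDutiesError when checker == maker and no
        third party has recorded an override.
        """
        txn = self.transactions[txn_id]
        if txn["status"] != "pending":
            raise ValueError(f"transaction {txn_id} is already {txn['status']}")
        if checker == txn["maker"]:
            if override_by is None or override_by == checker:
                self._log("reject-self-approval", txn_id, checker)
                raise SegregationOfDutiesError(
                    f"{checker} entered transaction {txn_id} and may not verify it")
            self._log(f"override-by:{override_by}", txn_id, checker)
        txn["status"] = "approved"
        txn["checker"] = checker
        self._log("approve", txn_id, checker)
        return txn

    def try_approve(self, txn_id, checker, override_by=None):
        """Convenience wrapper returning 'approved' or 'refused' instead of raising."""
        try:
            self.approve(txn_id, checker, override_by)
            return "approved"
        except SegregationOfDutiesError:
            return "refused"

    def self_approval_attempts(self):
        """Entries an auditor would pull from the trail when reviewing finding 3."""
        return [entry for entry in self.audit_trail if entry[1] == "reject-self-approval"]

    def _log(self, action, txn_id, actor):
        self.audit_trail.append(
            (datetime.now().isoformat(timespec="seconds"), action, txn_id, actor))


if __name__ == "__main__":
    q = TransactionQueue()
    t1 = q.create("maker01", 1200.00, "cash withdrawal")
    print(q.try_approve(t1, "maker01"))                  # refused
    print(q.try_approve(t1, "checker01"))                # approved
    t2 = q.create("maker01", 50.00, "stationery")
    print(q.try_approve(t2, "maker01", override_by="branch-manager"))
    print(q.self_approval_attempts())
```

The comparison is on the authenticated identity of the session, which is why the control is only
as good as finding 1 of 5.1: if several makers log in with the shared checker ID, the software
sees two different users and the check passes. Unique IDs and this check have to be fixed
together.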

5.4 Privileged Access Management

Information security relies on trusting a small group of skilled staff, who need to be subject
to proper checks and balances. Audit observations regarding Privileged Access Management are
given below.

1. Entry-level junior staff are assigned to critical operations and security functions.

2. The following controls and security practices for privileged users are advised:

a) The number of privileged users should be limited and fixed by management;

b) Grant privileged access on a 'need-to-have' basis;

c) Review privileged users' activities on a timely basis;

d) Prohibit sharing of privileged accounts;

e) Disallow vendors from gaining privileged access.



Chapter: 06

Business Continuity and Disaster Recovery Management audit

A Firm keeps records of public money, so a business continuity plan is very important for it. A
Firm needs proper planning for Business Continuity and Disaster Recovery Management. The primary
objective of a Business Continuity Plan (BCP) is to survive a disaster and re-establish normal
business operations within the least possible time and with minimum financial and reputational
loss.

6.1 Business Continuity Plan (BCP)


ICT operation is the heart of an organization; a company depends on ICT to run its daily
business. If ICT operation becomes unavailable, the Firm's operations may stop completely, so an
updated business continuity plan is a must for a Firm. The BCP needs to address:

1. Backup plan

2. Recovery process

3. Restore process.

Audit observations regarding the Business Continuity Plan (BCP) are given below.

1. The approved Business Continuity Plan, addressing recovery from disaster to continue
operations, has not been updated for the last year.

2. One copy of the BCP was found in the head office. Documents related to the BCP need to be
kept in secured off-site locations.

3. The BCP needs to address and keep updated the following:

a) Action plan to restore business operations within the specified time frame for:

i) a disaster during office hours;

ii) a disaster outside office hours.

b) Emergency contacts, addresses and phone numbers of employees, vendors and agencies.

c) Grab list of items such as backup tapes, laptops, flash drives, etc.

d) Disaster recovery site map.


6.2 Disaster Recovery Plan (DRP)

A disaster recovery site is a backup location: a place to which a Firm can relocate following a
disaster such as fire, flood or a terrorist threat. Audit observations regarding the Disaster
Recovery Plan (DRP) are given below.

1. Scenario analysis to identify and address the various types of contingency scenario is not
included in the DRP. Contingency scenarios may include fire, flood and terrorist attack; all
types of scenario must be included in the DRP.

2. No Disaster Recovery Site (DRS) is established in a different seismic zone. The DRS should be
geographically separated from the primary site (a minimum of 10 kilometres radial distance, with
a different seismic zone preferred).

3. Real-time data replication enhances the Firm's recovery capability, but more replica copies
are necessary.

4. An up-to-date and tested copy of the DR plan was not found at more than one off-site
location; one copy is stored in the office for ready reference.

5. The DR plan is not tested and validated annually; the effectiveness of the recovery
requirements and the ability of staff to execute the plan are not tested annually.

6. The DR test documentation does not include test results, and test reports are not
communicated to management and other stakeholders.


6.3 Data Backup and Restore Management

Data backup helps to recover data and continue the business. The following are the audit observations regarding data backup and restore management.

1. The data backup and recovery policy is not updated.

2. There is no detailed planned backup schedule as per local and regulatory requirements. The planned backup schedule for each business application must include the retention period for backed-up or archived information, and that retention period must be consistent with local legal and regulatory requirements.

3. Media containing backed-up information is not labeled with the information content, backup cycle, backup serial identifier, backup date and classification of the information content.

4. Periodic testing and validation of the recovery capability of backup media, to assess whether it is adequate and sufficiently effective to support the Firm's recovery process, is not done.
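As an added example (not from the audit report), the two checks below operationalise observations 2 and 3: each application's planned backup schedule is compared with the retention period it is required to meet, and each media label is checked for the five required fields. Application names, retention figures and label data are constructed.

```python
"""Backup schedule and media label checks for observations 2 and 3.
All application names, retention requirements and labels are constructed."""
from typing import Dict, List

# The five label fields required by observation 3
REQUIRED_LABEL_FIELDS = ("content", "cycle", "serial", "date", "classification")


def check_schedule(schedule: Dict[str, dict], min_retention_days: Dict[str, int]) -> List[str]:
    """Flag applications with no schedule entry, no stated retention period, or a
    retention period shorter than the legal/regulatory minimum given for them."""
    findings = []
    for app, required in min_retention_days.items():
        entry = schedule.get(app)
        if entry is None:
            findings.append(f"{app}: no planned backup schedule")
            continue
        retention = entry.get("retention_days")
        if retention is None:
            findings.append(f"{app}: schedule does not state a retention period")
        elif retention < required:
            findings.append(f"{app}: retention {retention} days is below the required {required} days")
    return findings


def check_media_labels(media: List[Dict[str, str]]) -> List[str]:
    """Flag media whose label is missing a required field (blank values count as missing)."""
    findings = []
    for item in media:
        missing = [f for f in REQUIRED_LABEL_FIELDS if not item.get(f)]
        if missing:
            findings.append(f"media {item.get('serial') or '<unlabelled>'}: missing {', '.join(missing)}")
    return findings


# Constructed sample input: one application has no retention period, one is too short,
# one (treasury) has no schedule at all; the second media label lacks two fields.
SCHEDULE = {
    "ledger_system": {"frequency": "daily", "retention_days": 3650},
    "card_mgmt": {"frequency": "daily"},
    "hr_payroll": {"frequency": "weekly", "retention_days": 365},
}
MIN_RETENTION = {"ledger_system": 3650, "card_mgmt": 1825, "hr_payroll": 2555, "treasury": 3650}
MEDIA = [
    {"content": "ledger_system full", "cycle": "weekly", "serial": "BK-2017-0521",
     "date": "2017-05-21", "classification": "Confidential"},
    {"content": "hr_payroll full", "cycle": "", "serial": "BK-2017-0528", "date": "2017-05-28"},
]

if __name__ == "__main__":
    for finding in check_schedule(SCHEDULE, MIN_RETENTION) + check_media_labels(MEDIA):
        print("FINDING:", finding)
```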

Chapter: 07

Conclusion

Information system auditing is a vast area and it is very difficult for a single person to cover the whole of it within a short period of time. At the end of the audit I presented the audit observations to management. I expect my audit findings and observations will help the Firm to find out and rectify security threats. I also expect that this report will help to assess and review the organization's IT-based business. For a more effective audit the Firm needs to employ external auditors from an independent audit firm. Financial audit findings are monitored and rectified, but information system audit findings are not monitored and rectified like financial audit findings. Nowadays the information system is the heart of Firming, therefore information system audit findings must be rectified properly.

Appendix
ICT Security Audit Checklist

IMRUL SADAT Firm Ltd., Principal Work station, As on 01-06-2017

Columns: Sl (serial), Subject, Y, N (the Y and N columns are left blank for the auditor to tick).

1. Does the work station have an up-to-date 'ICT Security Policy' of the Firm?
2. Work station shall have an updated organogram.
3. Firm shall have ICT support unit/section/personnel (Business/ICT) in the work station organogram.
4. Each individual within ICT department/division/unit/section shall have an approved Job Description (JD) with fallback resource person.
5. Firm shall maintain segregation of duties for ICT tasks.
6. Firm shall maintain detailed Network design documents for all ICT critical systems/services.
7. Firm shall have approved relevant requisition/acknowledgement forms for different ICT request/operation/services.
8. Firm shall have User Manuals of all applications for internal/external users.
9. The work station shall take appropriate measures to address the recommendations made in the last Audit Report (external/internal). This must be documented and kept along with the Audit Report.
10. Firm shall ensure that all relevant personnel are getting proper training, education, updates and awareness of the ICT security activities as relevant to their job function.
11. Firm shall also ensure the minimum level of Business Foundation Training for ICT personnel.
12. Firm shall arrange security awareness training/workshops for all staff.
13. Adequate insurance coverage or risk coverage fund shall be maintained so that costs of loss and/or damage of the ICT assets can be mitigated.
14. The Firm shall form an ICT Risk Management Committee to govern overall ICT risks and relevant mitigation measures.
15. ICT security department/unit/cell shall report the status of identified ICT security risks to the ICT security committee and Risk Management Committee periodically.
16. Firm shall establish a process to log information system related problems.
17. The Firm shall have a workflow process to escalate any problem to a concerned person to get a quick, effective and orderly response.
18. Problem findings and action steps taken during the problem resolution process shall be documented.
19. A trend analysis of past problems shall be performed to facilitate the identification and prevention of similar problems.
20. All ICT assets shall be clearly identified and labeled. Labeling shall reflect the established classification of assets.
21. Firm shall maintain an ICT asset inventory stating significant details (e.g. owner, custodian, purchase date, location, license number, configuration, etc.).
22. Firm shall review and update the ICT asset inventory periodically.
23. Information system assets shall be adequately protected from unauthorized access, misuse or fraudulent modification, insertion, deletion, substitution, suppression or disclosure.
24. Firm shall approve a list of software, and only that software may be used on any computer.
25. Use of unauthorized or pirated software must be strictly prohibited throughout the Firm.
26. Is any Closed-Circuit Television (CCTV) camera installed for monitoring?
27. i. Is the camera working properly and are the angles appropriate to cover the required area?
28. ii. Is there adequate manpower to operate the CCTV system, and is the recording checked regularly?
29. iii. Is a monthly backup of CCTV videos preserved on an external device (other than a pen drive)?
30. Is the burglar alarm working properly?
31. Desktop computers shall be connected to UPS to prevent damage to data and hardware.
32. Before leaving a desktop or laptop computer unattended, users shall apply the "Lock Workstation" feature. If not applied, the device will be automatically locked within 5 minutes (S-4.2.1.1.j).
33. Confidential or sensitive information that is stored in laptops must be encrypted.
34. Desktop computers, laptops, monitors, etc. shall be turned off at the end of each workday.
35. Laptops, computer media and any other forms of removable storage containing sensitive information (e.g. diskettes, CD ROMs, Zip disks, PDAs, flash drives, external hard drives) shall be stored in a secured location or locked cabinet when not in use.
36. Access to USB ports on desktop/laptop computers shall be controlled.
37. Other information storage media containing confidential data such as paper, files, tapes, etc. shall be stored in a secured location or locked cabinet when not in use.
38. Individual users must not install or download software applications and/or executable files to any desktop or laptop computer without prior authorization.
39. Any kind of virus shall be reported immediately.
40. Viruses shall not be cleaned/deleted without expert assistance unless otherwise instructed.
41. User identification (ID) and authentication (password) shall be required to access all desktops and laptops whenever turned on or restarted.
42. Standard virus detection software must be installed on all desktop and laptop computers and shall be configured to check files when read and routinely scan the system for viruses.
43. All computers shall be placed above floor level and away from windows.
44. Access to the Internet from Firm premises and systems must be routed through secure gateways.
45. Any local connection directly to the Internet from Firm premises or systems, including standalone PCs and laptops, is prohibited unless approved by Firm Information Security.
46. Employees shall be prohibited from establishing their own connection to the Internet using the Firm's systems or premises.
47. Use of locally attached modems with the Firm's systems in order to establish a connection with the Internet or any third-party or public network via broadband, ISDN or PSTN services is prohibited unless specifically approved.
48. Internet access provided by the Firm must not be used to transact any commercial business activity that is not done by the Firm. Personal business interests of staff or other personnel must not be conducted.
49. Internet access provided by the Firm must not be used to engage in any activity that knowingly contravenes any criminal or civil law or act. Any such activity will result in disciplinary action against the personnel involved.
50. c) Keep the operating system and applications up to date with patches.
51. e) Securely configure applications and browsers.
52. The email system shall be used according to the Firm's policy.
53. Access to the email system shall only be obtained through official request.
54. Email shall not be used to communicate confidential information to external parties unless encrypted using approved encryption facilities.
55. Employees must consider the confidentiality and sensitivity of all email content before forwarding email or replying to external parties.
56. Information transmitted by email must not be defamatory or abusive, involve any form of racial or sexual abuse, damage the reputation of the Firm, or contain any material that is harmful to employees, customers, competitors, or others. The willful transmission of any such material is likely to result in disciplinary action.
57. The Firm email system is principally provided for business purposes. Personal use of the Firm email system is only allowed under management discretion and requires proper permission; such personal use may be withdrawn or restricted at any time.
58. Corporate email addresses must not be used for any social networking, blogs, groups, forums, etc. without management approval.
59. Email transmissions from the Firm must have a disclaimer stating the confidentiality of the email content and addressing the intended recipient. (S-5.5.1.3.d & S-5.5.1.5.2)
60. The Firm shall only grant user access to ICT systems and networks on a need-to-use basis and within the period when the access is required.
61. The Firm shall closely monitor non-employees (contractual, outsourced, or vendor staff) for access restrictions.
62. Each user must have a unique User ID and a valid password.
63. The User ID Maintenance form with access privileges shall be duly approved by the appropriate authority. Work station Managers/Department heads/Divisional heads will approve individual user IDs and access privileges as applicable. (S-5.1.1.4)
64. User access shall be locked after 3 unsuccessful login attempts. (S-5.1.1.2)
65. User access privileges must be kept updated for job status changes. Access privileges shall be changed/locked within 24 hours when a user's status changes or the user leaves the Firm. (S-5.1.1.5)
66. The Firm shall ensure that records of user access are uniquely identified and logged for audit and review purposes.
67. The Firm shall perform regular reviews of user access privileges to verify that privileges are granted appropriately.
68. Password definition parameters shall ensure that the minimum password length is maintained: at least 6 characters, with a combination of uppercase, lowercase, numbers and special characters. (S-5.1.2.1)
69. Software shall not allow the same user to be both maker and checker of the same transaction. (S-5.1.3.1)
70. Management approval must be in place for delegation of authority. (S-5.1.3.1)
71. c) There should be a separate room for the security devices, routers and other network devices.
72. Firm must have an approved Business Continuity Plan addressing recovery from disaster to continue its operation.
73. The needs of the target audience shall be identified, appropriate budgets obtained and priorities established.
74. The work plan shall clearly mention the main activities with the required resources, timelines and milestones.
75. Awareness building collaterals can be created in the form of:
76. a) Leaflets and brochures
77. b) Safety tips in account statements and envelopes
78. f) Screensavers
79. g) Electronic newsletters
80. h) DVDs with animated case studies and videos
81. a) The Network and Server room should be under lock and key.
82. b) Access should be controlled with restricted access and an access log should be maintained.
83. d) IT infrastructure should be under CCTV coverage and the video footage should be preserved for at least one year.
84. a) The IT environment should be free from flammable items and a sufficient fire protection system should be established. Employees should be trained on the fire fighting system.
85. c) The electric power supply to the IT equipment should be at the recommended voltage level and there should be a proper earthing system at all connection points. There should be UPS and necessary power backup systems to ensure 24/7 power for servers, networking devices and CCTVs.
86. d) There should be a sufficient alarm system to alert on exceptional/unexpected environmental conditions.
87. There should be documented operating procedures for every ICT operation. Operating procedures shall be maintained and available to the users related to their job function.
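Checklist items 64 (lock after 3 unsuccessful login attempts) and 68 (password of at least 6 characters mixing uppercase, lowercase, numbers and special characters) can be tested rather than merely ticked. The example below is added here and is not part of the checklist or the Firm's systems; the log line format and the user IDs in it are constructed.

```python
"""Checks for checklist items 64 and 68: a password-complexity test and a
review of an authentication log for user IDs that reached 3 consecutive
failures without a LOCKOUT event being recorded. Log lines are constructed."""
import re
from collections import defaultdict
from typing import Dict, List

MIN_LENGTH = 6            # item 68 (S-5.1.2.1)
MAX_FAILED_ATTEMPTS = 3   # item 64 (S-5.1.1.2)
# Constructed log format: "<date> <time> user=<id> event=SUCCESS|FAILURE|LOCKOUT"
LOG_RE = re.compile(r"^(\S+ \S+) user=(\S+) event=(SUCCESS|FAILURE|LOCKOUT)$")


def password_meets_policy(pw: str) -> bool:
    """True when pw has the minimum length and all four character classes."""
    classes = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return len(pw) >= MIN_LENGTH and all(classes)


def lockout_exceptions(log_lines: List[str]) -> Dict[str, int]:
    """Map user ID -> consecutive failures for users who reached the threshold
    and were not locked out. SUCCESS or LOCKOUT resets the failure count; a
    LOCKOUT clears the user from the exceptions because the control worked."""
    failures: Dict[str, int] = defaultdict(int)
    exceptions: Dict[str, int] = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skipped here, but itself worth an audit finding
        _, user, event = m.groups()
        if event == "FAILURE":
            failures[user] += 1
            if failures[user] >= MAX_FAILED_ATTEMPTS:
                exceptions[user] = failures[user]
        else:
            failures[user] = 0
            if event == "LOCKOUT":
                exceptions.pop(user, None)
    return exceptions


# Constructed sample: u1001 is locked after 3 failures (control works); u2002 fails
# 4 times and then logs in successfully (control missing); u3003 is below threshold.
SAMPLE_LOG = """2017-06-01 09:01:12 user=u1001 event=FAILURE
2017-06-01 09:01:30 user=u1001 event=FAILURE
2017-06-01 09:01:55 user=u1001 event=FAILURE
2017-06-01 09:01:56 user=u1001 event=LOCKOUT
2017-06-01 09:05:02 user=u2002 event=FAILURE
2017-06-01 09:05:20 user=u2002 event=FAILURE
2017-06-01 09:05:44 user=u2002 event=FAILURE
2017-06-01 09:06:10 user=u2002 event=FAILURE
2017-06-01 09:06:31 user=u2002 event=SUCCESS
2017-06-01 09:10:00 user=u3003 event=FAILURE
2017-06-01 09:10:20 user=u3003 event=SUCCESS""".splitlines()

if __name__ == "__main__":
    for user, count in lockout_exceptions(SAMPLE_LOG).items():
        print(f"FINDING: {user} reached {count} failed attempts without lockout")
```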
Audit questionnaire (columns: SN, Question), grouped by control area:

Physical Asset Management

1. Do you perform any compatibility assessment prior to procuring any new ICT asset? If yes, how?
2. Do you follow the procurement policy for ICT asset procurement? Please provide the procurement policy.
3. Are all the ICT assets assigned to a custodian?
4. How are the assets classified? (desktop/laptop/printer/Server/VM/IP phone etc.)
5. Are all the ICT assets clearly identified and labeled?
6. Please provide us the asset inventory - hardware (ex. desktop, laptop, printer etc.)
7. Please provide us the asset inventory - software (ex. MS Office, McAfee AV etc.)
8. Do you review and update the ICT asset inventory periodically? (quarterly/yearly)
9. Please provide us the asset disposal policy.
10. Do you have any guideline for the use of portable devices (USB, external HDD, etc.)? Please provide.
11. Do you have any policy to return organizational assets (laptop, mobile phone etc.) from employees/external parties upon termination of their employment? Please provide.
12. Please provide the approved software list (Open Office, MS Office 2010, Adobe Reader XI or later, McAfee antivirus etc.)
13. Do you only use legitimate/licensed software? How do you restrict use of unauthorized/pirated software?
14. Did you outsource any software (ex. McAfee antivirus)? If yes, do you have an SLA with the vendor?

Desktop/Laptop Device Control

15. Are all the desktops connected to UPS?
16. Is the automatic lockdown policy for unattended desktops/laptops enforced?
17. Do you encrypt mobile devices (laptops, smart phones)?
18. Do you turn off the desktop, laptop and UPS at the end of each workday?
19. Do you store removable storage media (CD ROMs, external HDD, flash drives, backup tapes, papers containing confidential data (licenses etc.)) in a locked cabinet/secured location when not in use?
20. How do you control access to USB ports on desktops/laptops?
21. Does an individual user take any prior authorization before downloading/installing software applications and/or executable files?
22. Is antivirus software installed on all workstations?
23. Are all the workstations configured to log security related events (unauthorized access attempts, modification to system software etc.)?
24. Are all the desktops placed above floor level and away from windows?

BYOD Control

25. Do you allow BYOD (smart phones, tablets)? If yes, what measures have you taken for securing, monitoring and controlling the device (encryption, remote wipe, backup)?

Server Security Controls

26. Please provide the list of servers (physical and virtual).
27. What is the authentication and authorization system to access a server?
28. Please provide the list of users who have access to servers.
29. Is remote access enabled on the server? Can users access servers remotely (from intranet, from VPN, from the internet)?
30. After how much time is an inactive session expired?
31. How are the activities of system administration logged? The logging elements include:
- all authentication
- privilege escalation
- user additions and deletions
- access control changes
- job schedule start-up
- system integrity information
- log entries must be time and date stamped
32. Do you test configuration settings, new patches and service packs in a test environment before applying them to production servers?
33. Do you have any separate file server, print server?
34. Do you take backups of servers (both physical and virtual)?
35. Do you allow file sharing between host and guest OSs in a virtual environment?
36. Does the server display a trespassing banner at login?
Glossary and Acronyms

2FA - Two-Factor Authentication
ADC - Alternative Delivery Channel
AMC - Annual Maintenance Contract
AML - Anti-Money Laundering
ATM - Automated Teller Machine
BCP - Business Continuity Plan
BIA - Business Impact Analysis
BRD - Business Requirement Document
BYOD - Bring Your Own Device
CAAT - Computer-Assisted Auditing Tool
CCTV - Closed-Circuit Television
CD ROM - Compact Disk Read Only Memory
CDs - Compact Disks
CEO - Chief Executive Officer
CIO - Chief Information Officer
CISO - Chief Information Security Officer
CNP - Card Not Present
CTO - Chief Technology Officer
DC - Data Center
DDoS - Distributed Denial of Service
DoS - Denial of Service
DR - Disaster Recovery
DRP - Disaster Recovery Plan
DRS - Disaster Recovery Site
DVD - Digital Video Disc
E-mail - Electronic Mail
EOD - End of Day
ICC - Internal Control and Compliance
ICT - Information and Communication Technology
IDS - Intrusion Detection System
IPS - Intrusion Prevention System
IS - Information System
ISDN - Integrated Services Digital Network
IVR - Interactive Voice Response
JD - Job Description
KRIs - Key Risk Indicators
MITMA - Man-in-the-Middle Attack
Work station Firm Job Circular 2017

Job Title: Assistant Vice President as Information System (IS) Auditor

Educational Requirement: Candidates must have a CSE/EEE or equivalent degree from a recognized university with CISA Certification for the post.
