Total Number of Subscribers: 464   
Powered by Prime Academy  
In pursuit of excellence    

Date: 14th July 2009

Compiled by Mr. M. Sathya Kumar  

Audit of Information Systems Infrastructure in an SME

Arun Kumar, who had recently qualified as a Chartered Accountant, joined ABC Ltd., a Rs. 150 crore company, as Internal Audit Manager. The owner was skeptical of the contribution he could make, since the owner himself was actively involved in routine decision-making on a virtually daily basis. The appointment was nevertheless made because the owner wanted to slowly build a company that would go public at a later date, and a culture of professionalism was to be introduced. Arun Kumar had also completed his DISA and was eager to use that knowledge in a live environment. He took up the IT infrastructure for review during the first quarter.

The company has two physical locations, Unit 1 and Unit 2. Since the corporate office was also in Unit 1, the core processing and security infrastructure was housed there. Unit 2 was connected to Unit 1 by an 11 mbps RF radio link. The infrastructure included a high-end IBM ERP server (which was also used as the file server), a mail server, a firewall, broadband Internet connectivity, and a large number of LAN and WAN users on desktops and laptops. At times, sales staff also checked stock levels and placed orders from cyber cafes.

Methodology:

Arun also engaged a technical expert conversant with network security, firewall configuration and server set-up. He used the COBIT IT governance framework from ISACA to structure the overall audit, and referred to the BS 27001 and ISO 17799 standards for information system security. Given the scale of the IT infrastructure, he planned to focus on the basic set-up. An initial review of the log books maintained gave an insight into the functional effectiveness and efficiency of the infrastructure. He took a comprehensive inventory of the information system assets and did a broad-level risk analysis for the organisation.

Gist of observations and recommendations:

1. Server stability review:

The server was loaded with more ‘responsibility’ than it was built to deliver, resulting in frequent downtime. The server’s initial RAM was 2 GB, while a study of the load indicated an average demand of 3 GB. The shortfall increased paging, which in turn increased hard-disk activity. The frequency of these problems had grown since the introduction of the ERP, and as a result the server used to crash. At times the response time was also slow, which was generally put down to teething trouble with the ERP implementation without going into details. This finding was the basis for investing in an additional 2 GB of RAM.

The server RAID configuration was improper, resulting in system instability and possible data loss. It was recommended to add the required number of hard drives to rectify the RAID issues.

An elaborate system of back-ups was in place, but given the mission-critical nature of this server, which housed practically all the applications of the organisation, there was a need for redundancy. To further reduce server downtime, a standby server was also required.

The IBM ERP server was also used as the file server for both Unit 1 and Unit 2. All users stored their document files (Word, Excel, AutoCAD, etc.) on this server, and users in Unit 2 accessed all their files from it over the radio link. File sharing uses a bandwidth-intensive protocol, which adversely affected the radio link between the two units.

It was recommended to have a separate file server for Unit 1 and Unit 2, and to use the ERP server purely for ERP purposes.

To reduce system downtime from frequent power failures, low-capacity UPS units had been connected to the servers and most of the desktops. These low-capacity UPS units were not able to bridge the switchover from mains supply to the back-up generator set, leading to desktop and server restarts.

Arun Kumar recommended that a high-wattage central online UPS be purchased to replace the low-capacity UPS units attached to individual systems at Unit 1 and Unit 2.

There were no automated anti-virus and patch management systems in place, causing frequent virus outbreaks that led to system downtime, network degradation and data loss. Arun Kumar recommended implementing automated anti-virus and patch management systems.

2. E-mail server review:

A desktop-class email server had been implemented, which downloaded emails collected on a common ‘catch-all’ email ID and then distributed them to the internal email IDs. A lot of spam was also sent and received through this email server, leading to frequent blocking of the domain name by the ISP and consequently to mail losses.

It was recommended to implement an anti-spam system to control spam effectively.

3. Connectivity review:

An RF radio link provided a 10 mbps wireless link between Unit 1 and Unit 2. This link was observed to be highly unreliable, with packet losses and frequent disconnections.

Arun Kumar recommended that the RF radio link be rectified to improve reliability. If the problem persisted, the company should shift to another RF radio link provider, preferably one offering a better uptime SLA. A VSAT link was also recommended as a back-up.

WAN bandwidth was not controlled to ensure that critical applications such as the ERP always had the bandwidth required for reliable operation. Bandwidth-intensive traffic such as file transfers, web browsing, email and voice could consume the whole link, adversely affecting ERP operations between Unit 2 and Unit 1. It was therefore recommended to implement a traffic shaping and bandwidth management system between the two units.

4. Internet link review:

The company had a 512 kbps Internet link. A firewall had been purchased to protect this connection, but its implementation was still in progress. The model purchased was found to be inadequate for the immediate future requirements, and the firewall was running an older version of its operating system, which made the implementation unreliable and ineffective. As the company’s requirements grow, the firewall will slow down the network response.

The planned implementation topology was also inadequate to protect all network segments and prevent virus outbreaks: the firewall would protect the organisation only from the Internet. Since intra-organisation traffic would not be filtered through the firewall, a virus infecting even a single system would spread unhindered through the entire network, and a hacker compromising a single desktop would expose the entire network.

It was recommended that the latest firewalls be implemented with appropriate segregation of networks.
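The segregation recommended here can be illustrated with a filtering ruleset on the firewall that sits between the segments. The following nftables configuration is an added example, not the firewall the company bought or the auditor’s own set-up; the interface names, subnets, server addresses and the ERP port number (3050) are assumptions chosen for the illustration:

```nft
#!/usr/sbin/nft -f
# Added illustration of a segmented topology for the set-up described above;
# not the company's actual configuration. Interface names, subnets and the
# ERP port are assumed values.
#   eth0 - 512 kbps Internet link
#   eth1 - Unit 1 server segment (ERP, file and mail servers)   10.1.0.0/24
#   eth2 - Unit 1 user LAN                                      10.1.1.0/24
#   eth3 - RF radio link to the Unit 2 user LAN                 10.2.1.0/24
flush ruleset

define ERP_SERVER  = 10.1.0.10
define FILE_SERVER = 10.1.0.11
define MAIL_SERVER = 10.1.0.12
define USER_LANS   = { 10.1.1.0/24, 10.2.1.0/24 }

table inet segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Allow replies for connections permitted below; drop malformed state
        ct state established,related accept
        ct state invalid drop

        # Users in either unit reach only the services they need on the server segment
        iifname { "eth2", "eth3" } oifname "eth1" ip saddr $USER_LANS ip daddr $ERP_SERVER tcp dport 3050 accept
        iifname { "eth2", "eth3" } oifname "eth1" ip saddr $USER_LANS ip daddr $FILE_SERVER tcp dport 445 accept
        iifname { "eth2", "eth3" } oifname "eth1" ip saddr $USER_LANS ip daddr $MAIL_SERVER tcp dport { 25, 110 } accept

        # No direct path between the two user LANs, so an infected desktop in one
        # unit cannot reach desktops in the other
        iifname "eth2" oifname "eth3" drop
        iifname "eth3" oifname "eth2" drop

        # Only user LANs browse the Internet; the mail server alone fetches the
        # catch-all mailbox from the ISP (assumed POP3/SMTP). No other server
        # initiates outbound connections.
        iifname { "eth2", "eth3" } oifname "eth0" tcp dport { 80, 443 } accept
        iifname "eth1" oifname "eth0" ip saddr $MAIL_SERVER tcp dport { 25, 110 } accept

        # Anything not listed is logged, then dropped by the chain policy
        log prefix "seg-drop: "
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "eth0" masquerade
    }
}
```

Loaded with `nft -f`, the ruleset drops and logs any flow not explicitly listed, so the log lines give the auditor evidence of which systems are trying to reach segments they should not.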

5. Wireless LAN implementation:

The wireless LAN implemented at Unit 2 was insecure, allowing unauthorised users to log on to the network from outside the facility and leading to data compromise.

The wireless implementation needs to be secured in line with global best practices, such as WPA2, MAC filtering, SSID hiding, etc.

6. LAN cabling:

LAN cabling was done in a very haphazard manner, leading to network instability. In the factory space, cables had been cut and joined in an unstructured manner, and cables were found running without adequate casing or capping. Data cabling is very sensitive to vibration, electromagnetic fields and improper termination or taping. This leads to dropped packets and network errors, which affect all systems connected to the network.

Network cabling should be redone as per structured cabling requirements, with all LAN cabling running from a central switching cabinet. Fibre should be used to connect the central location with the factory space.

7. Software compliance:

There were some deficiencies in the software licences held by the company for the software in use. The company should use licensed commercial software for the server implementation and free software as far as possible for user applications such as office suites, archivers, etc.

8. Equipment siting:

Critical equipment such as servers, network switches and firewalls was found to be located without proper cable management or central siting. Centrally used equipment should be housed in a server/switch cabinet for better security and management.

Conclusion:

A major programme of reinvestment was planned following the review, and the entire infrastructure was upgraded. Arun was complimented by the management for his efforts. The management also initiated a discussion on starting, in a small way, a ‘consulting activity’ for other SMEs which likewise thought that their IT infrastructure was ‘secure’.

Article by Deepjee Singhal and Manish Pipalia, Chartered Accountants