Total Number of Subscribers: 428
Date: 3 June 2008
Compiled by Mr. M. Sathya Kumar |
IT Governance Audit

Introduction:

Mandeep Singh had spent 15 years in the US handling internal audit. He was a CA who had also completed his CPA and CISA, and had been working in a pharmaceutical company with operations across the globe. The company ran a wide area network that integrated suppliers and customers, and technology was used to leverage the company's competitive advantage and was critical for its continuing growth. As a CISA, he had played an important role in defining the IT control reviews, using COBIT for this purpose from its early versions and incorporating, as appropriate, the relevant parts of other guidelines, standards and frameworks into the audit processes. With SOX becoming predominant in regulation, he had also participated in establishing structures for providing assurance on control adequacy for certification purposes.

Mandeep was recently hired by an Indian multinational with activities in different parts of the world to head its internal audit function. Given his affinity for IT, he planned to review IT control adequacy as part of his initial audit programme. The organisation ran a globally renowned ERP for managing its operations, with the server located in India. The infrastructure was managed by an outsourced vendor. Wi-Fi connectivity was in place at different locations. The IT infrastructure was extended to suppliers and to customers, including intimating order status to customers by short messaging service (SMS).

Methodology:

Given the complexity of the overall systems, the audit was divided into two main parts: Part I, General Control Review, and Part II, Technical Effectiveness and Efficiency Review. This kept the managerial dimension separate from the operational dimension. Mandeep expected that once he was able to impress upon management the criticality of the managerial dimension, any investments required for the operational dimension would be easier to obtain.

He formed a team consisting of a DISA, an IT professional and himself to execute the audit. The team undertook initial training on COBIT. Based on his past experience, an elaborate questionnaire was compiled and then modified to suit the organisation's requirements and the changes in COBIT. Meetings were scheduled and the audit tools were firmed up: mainly a data analysis software package and a tool for COBIT-based review.

Gist of observations and recommendations:

The audit covered all four domains of COBIT and its 34 high-level control objectives (refer Table 1).

Table 1 (Source: COBIT 4, ISACA Research Foundation)

Planning and organisation

Strategic planning:

Only operational plans were prepared unit-wise and presented at
the beginning of the year for management approval. No strategic plan was being prepared. As and when required, indents were raised and sent for the approval of the Director (IT); on approval, the investment was committed and made.

An IT strategic plan should cover the investment and operational budget, funding sources, sourcing strategy, acquisition strategy and regulatory requirements. It is designed to improve key stakeholders' understanding of IT opportunities and limitations, assess current performance and clarify the level of investment required. The business strategy and priorities are to be reflected in portfolios and executed through IT tactical plans, which establish concise objectives, plans and tasks understood and accepted by both business and IT. Further, the strategic planning process helps identify where the business strategy is critically dependent on IT and provides a basis for mediation between the imperatives of the business and of the technology, so that agreed priorities can be established.

Organisation and role expectations:

The current role of IT was to ensure that the systems operated as per user requirements, interacting in the process with hardware, software and consumables vendors and obtaining the required services from them. The IT officials were required to take on the enhanced role of 'information' managers: effectively, they manage or control the resources that capture data and generate information, and it is therefore their responsibility to ensure that data and information are appropriately handled and managed.

In line with the redefined responsibilities, the IT professionals would take the lead in establishing an information classification scheme that applies throughout the enterprise, based on the criticality and sensitivity (e.g., public, confidential, top secret) of enterprise data. This scheme includes details of data ownership, the definition of appropriate security levels and protection controls, and a brief description of data retention and destruction requirements. It is used as the basis for applying controls such as access control, archiving or encryption. Without adequate information labelling and handling procedures in place, the storage, transmission and destruction of confidential and sensitive information are left to each individual's understanding.

Adequacy of segregation of duties:

Given the small size of the team, it was working seamlessly and there was no segregation of duties; activities were performed by whichever company official was available. In emergencies, the assistance of engineers from other service providers was taken, with no formal understanding with them on this issue.

Installing a proximity card-based access control system would provide an access audit trail and thus improve controls. Specific responsibilities should be identified for such contract engineers, and the contract clauses should protect the organisation against any misuse on the contract employees' part.

IT security policy:

The existing IT policy was drafted in 2003 and had not been updated since. Parts of it were incomplete or dated, and the policy was not being signed off by each IT user.

Given the wide-ranging activities of the organisation and the differences in privacy laws between jurisdictions, the presence and implementation of at least a formal, approved security policy document is vital. A security policy demonstrates management's commitment to ensuring the security of information in the organisation, and is an invaluable resource for proving due care and diligence in the event of liabilities. In the absence of a policy document duly communicated to all users of IT services, any serious misuse of the resources by an employee could implicate the company directors too. Any IT security policy should be read and understood by all IT users and should be made a part of their job descriptions.

Acquisition and implementation

Use of unlicensed software:

The organisation had a policy of using only licensed software. A
spot-check of the software installed on various computers was done. On some machines, unlicensed copies of the operating system and office software were in use. A check of the database licences owned against those in use also showed that a higher number of licences was needed. There were no documented application installation policies for the computers in general office use, so a user could knowingly or unknowingly install malicious software on their system, jeopardising the reliability and security of the network. Use of unlicensed software would also invite penal action from software vendors and their associations, including legal notices to the Board.

Network segregation:

Security best practice requires that networks with different functions and risk levels be separated. This means that the Internet, the local network, the server network, the client network, publicly exposed servers (e-mail), etc. need to be separated by an adequate packet filter (firewall). The firewall topology at the various offices protected the organisation only from the Internet; there was no segregation between the user LAN, the server network and the publicly exposed servers (e-mail). Since intra-organisation traffic was not filtered through the firewall, a virus infecting even a single system would have spread unhindered through the entire network, including the servers, and compromise of a single desktop by an attacker would have exposed the entire network.

Absence of software documentation and change control procedures:

The design documentation for the implemented ERP was not available at a single location, and some of the documents were missing altogether. Changes effected since the go-live date were not adequately documented: for some changes only the request was on record, for others both the request and the related modification documentation. There were no defined change control procedures; different practices were being followed. The department also had a fairly high attrition rate, and the IT staff were already facing difficulty in identifying coding issues and debugging problems reported from the field.

Without a documented change control procedure with adequate logs and audit trails, it is extremely difficult to troubleshoot and diagnose system failures, and any existing documentation drifts out of sync with the latest configuration and set-up. Elaborate documentation of the implemented software should be held by the IT function in addition to the manuals provided by the vendors. This may outline the use of the software in different business situations.
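The change control finding above calls for a record of the request, the approval and the details of each change, together with logs and audit trails that can be relied on when troubleshooting. The Python script below is an added example and is not part of the article or of any product the organisation used: a hypothetical change log that enforces the requested, approved, implemented sequence, rejects an approver who is also the requester, and chains each entry to the previous one with SHA-256 so that a later alteration or deletion of an entry is detected on verification. The change identifier, user names and module names in the sample run are constructed.

```python
"""Tamper-evident change log with an approval workflow (added example)."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash recorded by the first entry


class ChangeControlError(Exception):
    """A change handled out of sequence or by the wrong person."""


class ChangeLog:
    def __init__(self, clock=None):
        # The clock is injectable so that a run can be reproduced exactly.
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())
        self.entries = []   # append-only audit trail, one dict per event
        self.changes = {}   # change_id -> current state and people involved

    @staticmethod
    def _digest(entry):
        # Hash every field except the hash itself, in a canonical encoding.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, event, change_id, actor, details):
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "ts": self._clock(), "event": event,
                 "change_id": change_id, "actor": actor, "details": details,
                 "prev_hash": prev_hash}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def _state(self, change_id, expected):
        change = self.changes.get(change_id)
        if change is None:
            raise ChangeControlError(f"unknown change {change_id}")
        if change["state"] != expected:
            raise ChangeControlError(
                f"{change_id} is {change['state']}, expected {expected}")
        return change

    def request(self, change_id, requester, description):
        if change_id in self.changes:
            raise ChangeControlError(f"{change_id} already exists")
        self.changes[change_id] = {"state": "requested", "requester": requester}
        return self._append("request", change_id, requester,
                            {"description": description})

    def approve(self, change_id, approver):
        change = self._state(change_id, expected="requested")
        if approver == change["requester"]:
            # Segregation of duties: a requester may not approve their own change.
            raise ChangeControlError(f"{approver} cannot approve own change {change_id}")
        change.update(state="approved", approver=approver)
        return self._append("approve", change_id, approver, {})

    def implement(self, change_id, implementer, details):
        # details records what was actually changed (modules, versions, ...).
        change = self._state(change_id, expected="approved")
        change.update(state="implemented", implementer=implementer)
        return self._append("implement", change_id, implementer, details)

    def verify(self):
        """Recompute the chain; return (True, None) or (False, first bad seq)."""
        prev_hash = GENESIS
        for i, entry in enumerate(self.entries):
            if (entry["seq"] != i or entry["prev_hash"] != prev_hash
                    or entry["hash"] != self._digest(entry)):
                return False, i
            prev_hash = entry["hash"]
        return True, None

    def history(self, change_id):
        """Events for one change in order: the first thing troubleshooting needs."""
        return [(e["event"], e["actor"], e["details"])
                for e in self.entries if e["change_id"] == change_id]


def demo():
    """Constructed run: one change through its life cycle, then a tampered log."""
    log = ChangeLog(clock=lambda: "2008-06-03T10:00:00+00:00")
    log.request("CR-0001", "dev.a", "Add discount column to sales order print")
    try:
        log.approve("CR-0001", "dev.a")      # rejected: requester == approver
    except ChangeControlError:
        pass
    log.approve("CR-0001", "mgr.b")
    log.implement("CR-0001", "dev.a",
                  {"modules": ["sales_order_print"], "version": "2.3.1"})
    intact = log.verify()                    # (True, None)
    log.entries[1]["actor"] = "dev.a"        # rewrite history: hide who approved
    tampered = log.verify()                  # (False, 1)
    return intact, tampered


if __name__ == "__main__":
    print(demo())
```

The hash chain makes an edit or deletion inside the log detectable, but not one by someone who can rewrite the whole chain; in practice the latest hash is recorded somewhere the IT department cannot alter, such as the periodic report to Internal Audit, so that the chain can be checked against it.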
A system of change management should be established that records, for each change, the requirement for the change, its approval and the details of the change effected. Together with the software documentation, such records provide for user learning and guidance.

Maintain software upgrades and patch management:

Software upgrades were done as per the vendors' development cycle and/or an assessment of the later versions available. Manual or automated patch management systems were found to be in place, but were not uniformly implemented across the network.

Most viruses and worms exploit vulnerabilities for which a patch already exists; an unpatched system can be infected and the infection can bring the entire network to a standstill. In such cases even the best anti-virus software offers little protection, since it does not close the vulnerability itself. Most software vendors, such as Microsoft, release periodic patches which fix bugs in the system or simply provide additional features.
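The finding above is that patching was in place but not applied uniformly. With the data analysis software mentioned in the methodology, an auditor checks this by reconciling the patch baseline against what each host reports. The Python script below is an added example and is not part of the article or of any vendor's patch tool: it parses a constructed CSV export of installed patches (a hypothetical format), compares it with a constructed baseline of required patches and their release dates, and reports per host which patches are missing and which are overdue beyond a grace period. Hosts absent from the export altogether are flagged separately, since those are the ones the patch system never reached. All host names and patch identifiers are invented.

```python
"""Patch coverage reconciliation across hosts (added example)."""
from datetime import date, timedelta

# Constructed baseline of required patches: identifier -> release date.
# The identifiers are hypothetical, not real vendor bulletin numbers.
BASELINE = {
    "PATCH-2008-01": date(2008, 1, 8),
    "PATCH-2008-02": date(2008, 2, 12),
    "PATCH-2008-03": date(2008, 3, 11),
    "PATCH-2008-04": date(2008, 4, 8),
    "PATCH-2008-05": date(2008, 5, 13),
}

# Hosts the network inventory says exist, compared against what reported in.
HOSTS = ["fin-ws-01", "erp-db-01", "ops-ws-07", "sales-lt-03"]

# Date of the audit, used as the reference point for "overdue".
AUDIT_DATE = date(2008, 6, 3)

# Constructed export from a patch tool, one installed patch per line.
# Patch ids outside the baseline (vendor hotfixes) are simply ignored.
INVENTORY = """\
host,patch_id,installed_on
fin-ws-01,PATCH-2008-01,2008-01-15
fin-ws-01,PATCH-2008-02,2008-02-20
fin-ws-01,PATCH-2008-03,2008-03-18
fin-ws-01,PATCH-2008-04,2008-04-15
fin-ws-01,PATCH-2008-05,2008-05-20
erp-db-01,PATCH-2008-01,2008-01-20
erp-db-01,PATCH-2008-02,2008-02-25
ops-ws-07,PATCH-2008-01,2008-01-15
ops-ws-07,PATCH-2008-02,2008-02-20
ops-ws-07,PATCH-2008-03,2008-03-18
ops-ws-07,PATCH-2008-04,2008-04-15
ops-ws-07,HOTFIX-0091,2008-04-16
"""


def parse_inventory(text):
    """Return {host: {patch_id: installed_on}}; the header row is skipped."""
    installed = {}
    for line in text.strip().splitlines()[1:]:
        host, patch_id, installed_on = (field.strip() for field in line.split(","))
        installed.setdefault(host, {})[patch_id] = date.fromisoformat(installed_on)
    return installed


def assess_host(host_patches, baseline, as_of, grace_days):
    """missing = required but not installed; overdue = missing past the grace period."""
    missing = sorted(p for p in baseline if p not in host_patches)
    deadline = as_of - timedelta(days=grace_days)
    overdue = [p for p in missing if baseline[p] < deadline]
    return {"missing": missing, "overdue": overdue}


def patch_report(hosts, baseline, inventory_text, as_of, grace_days=30):
    """Per-host assessment; hosts with no rows at all are marked no_data."""
    installed = parse_inventory(inventory_text)
    report = {}
    for host in hosts:
        result = assess_host(installed.get(host, {}), baseline, as_of, grace_days)
        result["no_data"] = host not in installed
        report[host] = result
    return report


def noncompliant_hosts(report):
    """Hosts needing action: anything overdue, or never seen by the patch tool."""
    return sorted(h for h, r in report.items() if r["overdue"] or r["no_data"])


if __name__ == "__main__":
    rep = patch_report(HOSTS, BASELINE, INVENTORY, AUDIT_DATE)
    for host, r in rep.items():
        print(host, "NO DATA" if r["no_data"] else "", "overdue:", r["overdue"])
    print("non-compliant:", noncompliant_hosts(rep))
```

A grace period is used rather than zero tolerance so that the report separates hosts that are merely behind on the latest release from hosts that have been left out of patching for months; the host with no data at all is the most important line in the output, because it shows where the patch system was never deployed.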
Vendor patches are free, but play a very important role in the reliability and security of systems and data. They can be downloaded and installed manually or through an automated patch management system; whichever method is used, it must reach every system on the network.

Review of supplier contracts:

Contracts for software and hardware supply and maintenance were entered into with various vendors, but were mostly in the nature of terms and conditions attached to purchase orders. In most cases there were no specific service level agreements with vendors, except with branded vendors for servers and network services. Further, the documented terms and conditions did not cover non-disclosure of data and information; ownership of intellectual property, including developments made using company data; security commitments on company data and systems at the vendor's end and on the security quality of applications developed or modified for the company; responsibility and liability for misuse of the remote access provided; or termination responsibilities and liabilities. Vendor confirmation of the orders issued was not held on record in all cases.

A procedure for establishing, modifying and terminating contracts with all suppliers needs to be set up. It should cover, at a minimum, legal, financial, organisational, documentary, performance, security, intellectual property and termination responsibilities and liabilities (including penalty clauses). All contracts and contract changes should be reviewed by legal advisors.

Delivery and support

Lack of asset classification:

No system of asset classification was followed. Without such a scheme it would have been extremely difficult to decide the resources to be deployed for protecting each asset, or to assess the damage caused in case of a disaster. The enterprise-wide classification scheme described above under role expectations, based on the criticality and sensitivity (e.g., public, confidential, top secret) of enterprise data and covering ownership, security levels, protection controls and retention and destruction requirements, should be introduced and used as the basis for applying controls such as access control, archiving or encryption. Without adequate labelling and handling procedures, the storage, transmission and destruction of confidential and sensitive information are left to each individual's understanding.

Access control:

No access control policy was defined for access to IT resources within the organisation, and there was no log of the people entering and leaving the server room. Critical infrastructure such as the server room should be protected with automated access controls that produce a reliable record of who entered and when, deter possible thefts and prevent tampering with sensitive systems by unauthorised personnel.

There was no evidence of the software event logs being analysed for anomalies or preserved for audit purposes. An attacker who has broken into a system typically modifies, deletes or creates critical system files to establish a foothold or cover their tracks; such changes can be detected by comparing the files against a known-good baseline, using utilities built into the operating system or third-party file integrity monitoring tools. Without file monitoring and log analysis procedures in place, a successful break-in, or one in progress, will go undetected, and it will also be very difficult to identify and reverse the changes made by the attacker.

In the absence of an access control policy, an unauthorised user may gain access to confidential and sensitive information, causing information leaks and jeopardising its security.

Firewall:

The firewall installed was free software with very basic filtering capabilities, and its topology protected the organisation only from the Internet. A firewall functions as the barrier between two or more networks, filtering traffic according to preset rules on who can access what, from where and when. A fully functional firewall is all the more important when connecting to the Internet or separating the user network from the server network. Being freeware, the firewall in use had very limited capabilities, with basic features and inadequate logging and reporting. Since intra-organisation traffic was not filtered through the firewall, a virus infecting even a single system would have spread unhindered through the entire network, including the servers, and compromise of a single desktop would have exposed the entire network. This would have had serious consequences in the event of a break-in or a virus outbreak.

User rights:

User right assignments were decided typically by the head of the
department or the IT staff. Whether any employees who had left the organisation still held rights was verified; no such user still had rights to any software.

No documented password policy:

As a security measure, users had to change their password at regular intervals, but there was no documented password policy setting out requirements such as password length, reuse and format. There were no measures to ensure that users did not reuse a recent password, which defeats the purpose of regular password changes. Nor was an acceptable password syntax defined, which would have detected and discouraged easy-to-guess passwords when users set them on the system. Most of the computers were configured to log on automatically at start-up, and employees were generally aware of the passwords of their colleagues in the same department, so a password alone did not reliably identify who was using a system.

Laptop use:

Laptops were typically used by senior management. While they would generally be aware of the pros and cons of handling and using laptops, it would be beneficial to centralise the responsibility for guiding users with the IT department personnel, who are expected to be the experts on the subject. A laptop policy would be a good basis for such guidance. In almost all cases, the laptops contained sensitive and confidential information, and without documented procedures for their safeguarding and handling, loss or misuse of a laptop can lead to a major loss of confidential and sensitive information.

No documented incident management procedures:

There were no documented incident management procedures in place. An incident response plan dictates the actions to be followed by an identified group of personnel in response to any information security violation in the organisation. Without one, it is very difficult, if not impossible, to co-ordinate the actions of the personnel required to minimise the damage caused, recover from the loss and implement corrective measures to prevent a recurrence of the incident. In the absence of any records, no specific instance could be highlighted.

No e-mail policy:

There was no acceptable use policy for electronic mail. In its absence, a user could transmit confidential and sensitive information to unauthorised users or entities outside the organisation, and might receive e-mails carrying malicious content, such as viruses or Trojan horses, which could jeopardise the reliability and security of the network.

Environment security (congested server room):

A server room has to afford free movement to facilitate easy shifting of equipment and to accommodate several people for extended periods during time-consuming activities such as system installation and troubleshooting. The server room was found to be very congested, with barely enough space for two or three people, and it would be very difficult to accommodate any expansion in capacity. It was also being used for storing IT department files and books. Due to the congestion, troubleshooting that requires moving the server rack would have been severely hampered, and the presence of files and books in racks in the server room meant frequent entry and exit of personnel, further compromising its security.

Conclusion:

Based on the review, a general decision was taken to have IT certified under ISO 27001 and to adopt COBIT for reviewing the maturity of IT governance. The report was presented at the Monthly Executive Committee Meeting along with an awareness presentation on various incidents of IT facilities being compromised in different ways. The need for enhanced security awareness in the organisation was also emphasised. There was general appreciation of the efforts put in by Internal Audit, and Mandeep was well inducted into the top management team.

Source: The article is by Deepjee Singhal and Manish Pipalia, Mumbai-based Chartered Accountants.