Security and Control Risk assessment of Toll Bridge operations
ABC Toll Company is a Road Toll Bridge Authority set up as an autonomous company by the Government of India. The company is responsible for managing the Bangalore-Hassan Toll Bridge. Users of the bridge have to pay toll charges as per the classification of vehicle. The bridge is expected to be available for use on a 24 x 7 basis. The toll bridge collection system is completely automated and collections are made through 8 toll centers at both sides of the bridge. The IT department of the company has a business continuity plan. The senior management is concerned about the impact of the failure of IT on the continuous operations of the bridge. The Government wanted an independent assurance on the integrity of the information processed to ensure there is no revenue leakage.
Our firm, JDS & Associates, Chartered Accountants, has been appointed to conduct an IS Audit of the toll bridge operations of ABC Toll Co. The IS Audit Team consists of three Chartered Accountants (Mrs. Sonali Surana, Mr. Jitendra Rathi and Mr. Dau Daga) who are also DISA qualified and have five years of experience in the field of IS Audit. The team also includes a software engineer who is also a Chartered Accountant (Mr. Sahil), with extensive knowledge of technology, and four assistants who have previously worked on IS Audits.
2. Auditee Environment
The company’s IT environment as related to bridge operations consists of a Mini-Computer running Windows Server 2008 as its operating system. This computer is connected to a standby server with a disk-mirroring facility, and users are shifted instantly to the standby server if the main server goes down. The PC network platform comprises Windows workstations installed at each of the 8 toll booths. There are 4 workstations kept as standby (2 each) at the East and West Toll Plaza. Connectivity to the servers is provided through physical cabling from the toll booths to the toll plaza. The toll booths receive electrical power through a UPS with a battery backup of 2 hours, and a generator provides power to the servers and computers. Smoke detector alarms are installed at the toll plazas and toll booths, and fire extinguishers have been installed at both. The company has insured all the IT assets.
The toll revenue process is highly dependent on several systems; therefore, IT general controls (ITGCs) around supporting systems were reviewed and tested. ITGCs are intended to provide a foundation to support the operating effectiveness of application controls that support toll revenue collection processes and the accuracy and completeness of electronic audit evidence (e.g., system-generated reports). The systems and processes included as part of this component of the audit were selected based on the degree to which they impact or support the overall toll revenue process and include the following systems:
• Oracle Database – Oracle stores transactional data generated and transmitted by the respective toll plazas. For this database, IA tested the effectiveness of controls in place around Computer Operations (e.g., data backups, job scheduling, and batch processing).
• Quantis – Quantis supports customer service center operations including the maintenance of customer account information and processing of payments. For this system, IA tested the effectiveness of controls in place around logical security (i.e., access-based controls).
• ECMS – ECMS (Electronic cash management system) is ABC Toll company’s general ledger system developed by a third-party vendor, XYZ Technologies, Inc. For this application, IA tested the effectiveness of controls in place around logical security, computer operations, and change management.
3. Overview of Business Processes
The Toll Application software captures two images of each vehicle (one at entry to and one at exit from the toll booth). These images can be used for control and auditing of collection operations: the system has an Auditing menu for checking the images against the collections recorded by operators. On receiving a trigger from the Alarm Contact Closure, the system activates the camera associated with that trigger. The application also receives input from the 8 cameras mounted on top of the toll booths; each camera sends an output signal to the Quad Switcher, which feeds the camera image to the system so that the image is captured and stored together with the related transaction data. Toll processing at the tollbooth takes place in the following sequence:
(A) When a vehicle enters the lane the following takes place.
- The camera captures the image of the vehicle as it passes a specific point near the toll booth.
- The operator classifies the vehicle visually and selects the classification category of the vehicle.
- The correct monetary value is acquired and displayed to the operator.
The above is termed an Event and the event is stored in the workstation and also transmitted to the Server. This is done via a specific application trigger, which is allocated to that particular lane’s classification buttons.
(B) After the toll operator has collected the money, he presses the update key, which validates the event and opens the boom so that the vehicle can enter the bridge. This is also an event and is stored in the database. The details of the event, with its unique transaction id, date, time, image, classification category, operator id and lane id, are captured and sent to the server.
(C) The validation event is stored in sequence after the event from the classification button. In addition, an image of the vehicle exiting the lane is captured and stored together with the relevant data.
(D) Once both Events, namely the entry of the classification and the pressing of the validation key, have been received by the application in the allocated sequence, this is recorded as a complete transaction. Should one of the Events (classification or validation) not be triggered in the allocated sequence, the application stores this as a violation with the lane identifier. An image is also captured with the violation information.
(E) All toll collections are made manually by the toll operators in cash, and the computers at the toll booths are physically connected to the server housed at the east plaza. The objective of toll operations is to ensure 24-hour availability of the bridge to toll users on payment of the toll.
The Tollbooths at the East and West Plaza are the key control points where all toll users have to halt and pay their toll charges. The computers at the toll booths are used for controlling the collections and provide the normal input points for the Application software.
If the computers at the toll booths are unavailable for any reason, the toll is collected manually by the operators under the personal supervision of the officers, and all the collections are entered into the computer at the toll plaza through a separate menu. The duration for which the computers were unavailable is also captured by the software.
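The event sequence above is exactly the kind of record an IS auditor can replay from the server database to test for revenue leakage. The following Python block is an added example, not code from the toll application or from the audit firm: it models each lane event in simplified form (sequence number, lane id, operator id, event kind, vehicle class), pairs classification events with validation events per lane, records anything that breaks the sequence as a violation tagged with the lane, and then compares the cash each operator should hand over with a cash-up figure. The tariff table, the event log and the deposit figures are all constructed for illustration; the report gives no actual rates or transaction data.

```python
"""Pair toll-lane events into transactions and flag sequence violations.

Added example (not the toll application's own code). It models the event
sequence described in the report in simplified form: every event carries a
lane id, an operator id and its server-side sequence number.  The tariff
table and all sample data are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical tariff per vehicle class; the report gives no actual rates.
TARIFF = {"CAR": 50, "LCV": 80, "BUS": 150, "TRUCK": 200}


@dataclass(frozen=True)
class Event:
    seq: int            # server-side sequence number
    lane: str           # lane identifier, e.g. "E1" for east plaza lane 1
    operator: str       # operator id logged in at the booth
    kind: str           # "CLASSIFY" (classification button) or "VALIDATE" (update key)
    vclass: str = ""    # vehicle class, only set on CLASSIFY events


def pair_events(events):
    """Return (transactions, violations).

    A transaction is a CLASSIFY immediately followed by a VALIDATE on the
    same lane.  A VALIDATE with no open classification (boom opened but no
    class selected) or a CLASSIFY that is never validated breaks the
    sequence and is recorded as a violation carrying the lane identifier.
    """
    pending = {}                        # lane -> open CLASSIFY event
    transactions, violations = [], []
    for ev in sorted(events, key=lambda e: e.seq):
        if ev.kind == "CLASSIFY":
            if ev.lane in pending:      # previous classification never validated
                violations.append(("CLASSIFY_WITHOUT_VALIDATE", pending[ev.lane]))
            pending[ev.lane] = ev
        elif ev.kind == "VALIDATE":
            opened = pending.pop(ev.lane, None)
            if opened is None:          # boom opened with no classification
                violations.append(("VALIDATE_WITHOUT_CLASSIFY", ev))
            else:
                transactions.append((opened, ev))
        else:
            violations.append(("UNKNOWN_EVENT", ev))
    for ev in pending.values():         # still open at end of shift
        violations.append(("CLASSIFY_WITHOUT_VALIDATE", ev))
    return transactions, violations


def expected_cash(transactions):
    """Cash each operator should hand over, derived from completed transactions."""
    totals = defaultdict(int)
    for opened, _ in transactions:
        totals[opened.operator] += TARIFF[opened.vclass]
    return dict(totals)


def cash_shortfalls(expected, deposited):
    """Operators whose deposited cash is below the system-derived expectation."""
    return {op: amt - deposited.get(op, 0)
            for op, amt in expected.items() if deposited.get(op, 0) < amt}


# Constructed shift on two east-plaza lanes.
SAMPLE_EVENTS = [
    Event(1, "E1", "op17", "CLASSIFY", "CAR"),
    Event(2, "E1", "op17", "VALIDATE"),
    Event(3, "E2", "op22", "CLASSIFY", "TRUCK"),
    Event(4, "E1", "op17", "CLASSIFY", "BUS"),
    Event(5, "E2", "op22", "VALIDATE"),
    Event(6, "E1", "op17", "VALIDATE"),
    Event(7, "E2", "op22", "VALIDATE"),          # boom opened, no classification
    Event(8, "E2", "op22", "CLASSIFY", "CAR"),   # never validated
    Event(9, "E2", "op22", "CLASSIFY", "LCV"),
    Event(10, "E2", "op22", "VALIDATE"),
]
SAMPLE_DEPOSITS = {"op17": 200, "op22": 250}    # constructed cash-up figures


def audit_shift(events=SAMPLE_EVENTS, deposits=SAMPLE_DEPOSITS):
    """Run pairing and cash reconciliation; return a summary dict."""
    txns, viols = pair_events(events)
    exp = expected_cash(txns)
    return {
        "transactions": len(txns),
        "violations": [(kind, ev.lane, ev.seq) for kind, ev in viols],
        "expected": exp,
        "shortfalls": cash_shortfalls(exp, deposits),
    }


if __name__ == "__main__":
    for key, value in audit_shift().items():
        print(f"{key}: {value}")
```

The two violations on lane E2 are the records an auditor would pull images for through the Auditing menu; the shortfall for op22 is the difference between what the completed transactions say was collected and what was deposited, which is the revenue-leakage question the Government asked about.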
1. Objective of Audit
The objectives of this audit were (1) to verify and test controls that exist to ensure revenue data captured at the point of origin is completely and accurately recorded to the financial statements, (2) to verify and test physical safeguarding controls (including the use of security and surveillance, data analytics, monitoring and reporting, and counts / other reconciling activities), (3) to review the IT general controls around supporting systems, and (4) to assess the adequacy of all BCP related controls, and also provide assurance to the Government about the integrity of information processing using IT.
2. Methodology and Strategy adapted for the execution of the assignment
During the course of the compliance audit we assessed the activities for compliance with the Organisation’s IT security policies and procedures, external regulations (the IT Act 2000 and the IT (Amendment) Act, 2008), ISO 27001 and best practices. In the course of our work we interviewed process owners and conducted specific testing of controls in key areas.
3. Summary of Procedures Performed and Results
During audit testing of the key controls identified within the toll collection processes, a sample of detailed toll-related data was reviewed and tested for completeness and accuracy as applicable. The transactional data reviewed was from April 1, 2014, through March 31, 2015.
Overall, the results of this audit confirmed that numerous internal controls specific to toll collections and the IT supporting systems are in place and operating effectively and as intended. In addition, audit identified 11 findings/opportunities that could potentially further strengthen the overall control environment. The table below provides an overview of these findings.
| Process Reviewed |
| --- |
| Toll Collection Process |
| IT General Controls |
4. Documents reviewed
List of documents submitted to us-
| S. No | Name of Document |
| --- | --- |
| 1. | Information Security Policy |
| 2. | User Management and Access Control Policy |
| 3. | Network Security Policy |
| 4. | Application Software Policy |
| 5. | Disaster Recovery Plan |
| 6. | BCP and Response Management Policy |
| 7. | Backup procedures |
| 9. | User creation, modification and deletion policy |
| 10. | Encryption policy and procedure |
| 11. | Media disposal policy |
| 12. | Media and document retention policy |
| 13. | System description and technical overview of toll collection |
| 14. | Toll plaza IT Plan approved by ABC Ltd with covering letter |
| 15. | Installation/Modification to the existing toll system |
5. Findings and Recommendations
| S. No. | Activity | Finding of Auditor |
| --- | --- | --- |
| 1. | Review of the job description of toll system employees | The procedures for access and authorization to the toll information facility (entering, leaving, escort, registration and visitor pass) were not defined. |
| | | The computer room was not locked and access was not restricted. |
| | | Environmental controls were not in place. |
| | | Security awareness training was not conducted. |
| 2. | Review of operating system | The devices were not updated with the latest security patches and were therefore vulnerable. |
| | | The audit trail was not enabled for the administrator. |
| | | The Guest user id was not disabled. |
| | | A maximum number of invalid login attempts had not been specified. |
| | | There was no audit trail for maintenance of user profiles. |
| | | The application system did not have an adequate password policy. |
| | | A report on cancelled transactions is not generated by the application system. |
| 3. | Review of toll system equipment in operation, along with its integration | Two integrated automatic vehicle classification systems were not working. |
| | | The auditee did not have system security policies and procedures in place. |
| 4. | Physical security | There is no policy regarding physical access control. |
| | | Physical access to the toll information processing facility was not limited to approved personnel only. |
| | | A smoke/heat-rise detector was not installed. |
| | | The computer room was not locked and access was not restricted. |
| 5. | Logical security | Password validity was not set for the users. |
| 6. | Application security | There is no audit trail for maintenance of user profiles. |
| 7. | Database security | The use of triggers was not monitored. |
| | | A database audit trail was not enabled. |
| 8. | Network and application security | Security devices such as a firewall were not implemented. |
| | | Information security guidelines defining minimum configuration requirements for any device/link were not documented. |
| | | Network data monitoring tools were not used. |
| | | The audit trail was not maintained. |
| 9. | Verify that all toll system equipment, including all support systems (sensor-based data capture), is working properly and effectively | Two incident-capture cameras were not working. |
| 10. | Statutory compliance (IT Act, section 43A) | The organization has not implemented security control measures as per the ISO/IEC 27001 standard, as required under section 43A of the Information Technology Act and the rules framed thereunder. |
| 11. | Backup and restoration | A restoration check of backups had not been conducted, which may compromise the integrity and availability of information. |
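Several of the operating-system and logical-security findings above (no lockout threshold, Guest account enabled, no password validity, no audit trail for user profile maintenance or for the administrator) are visible in a single exported local security policy. The block below is an added example, not a tool used by the audit team or by ABC Toll Co.: it parses the INI-style template that `secedit /export /cfg <file>` writes on a Windows server and checks the relevant keys against a minimum baseline. The two exports embedded in it are constructed (one reproducing the weak state, one corrected), and the baseline thresholds are assumptions rather than values taken from the report. A real export is UTF-16 encoded and would be read with `open(path, encoding="utf-16")`.

```python
"""Check a secedit security-template export against a minimum baseline.

Added example (not code from ABC Toll Co. or the audit firm).  Input is a
constructed file in the format written by `secedit /export /cfg <file>`;
the baseline thresholds below are assumptions, not values from the report.
"""
import configparser

# Constructed export reproducing the findings: no lockout threshold, no
# password expiry or complexity, Guest account enabled, no auditing.
WEAK_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
EnableGuestAccount = 1
[Event Audit]
AuditAccountManage = 0
AuditLogonEvents = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed export with the same keys at baseline-compliant values.
HARDENED_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 12
PasswordComplexity = 1
LockoutBadCount = 5
EnableGuestAccount = 0
[Event Audit]
AuditAccountManage = 3
AuditLogonEvents = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""

# (section, key, predicate on the integer value, finding text when it fails).
# Event Audit values are bit masks: 1 = success, 2 = failure, 3 = both.
BASELINE = [
    ("System Access", "LockoutBadCount", lambda v: 1 <= v <= 10,
     "maximum number of invalid login attempts not specified"),
    ("System Access", "MaximumPasswordAge", lambda v: 1 <= v <= 90,
     "password validity (expiry) not set"),
    ("System Access", "MinimumPasswordLength", lambda v: v >= 8,
     "minimum password length below baseline"),
    ("System Access", "PasswordComplexity", lambda v: v == 1,
     "password complexity not enforced"),
    ("System Access", "EnableGuestAccount", lambda v: v == 0,
     "Guest account not disabled"),
    ("Event Audit", "AuditAccountManage", lambda v: v == 3,
     "no audit trail for user profile maintenance"),
    ("Event Audit", "AuditLogonEvents", lambda v: (v & 2) == 2,
     "failed logons (including administrator) not audited"),
]


def parse_export(text):
    """Parse the template; keep key case and disable '%' interpolation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def evaluate(text):
    """Return [(key, actual_value, finding)] for every baseline check that fails.

    A key missing from the export is reported too: secedit omits settings
    it considers 'not defined', which for a lockout threshold means none.
    """
    cp = parse_export(text)
    failures = []
    for section, key, ok, finding in BASELINE:
        raw = cp.get(section, key, fallback=None)
        if raw is None:
            failures.append((key, None, "setting absent from export: " + finding))
            continue
        value = int(raw.strip())
        if not ok(value):
            failures.append((key, value, finding))
    return failures


if __name__ == "__main__":
    for key, value, finding in evaluate(WEAK_EXPORT):
        print(f"{key} = {value}: {finding}")
    print("hardened export failures:", evaluate(HARDENED_EXPORT))
```

The same check can be run against the toll booth workstations and the standby servers, since a patch or rebuild that reverts the local policy would otherwise go unnoticed until the next audit.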
- On a recurring, scheduled basis (e.g. weekly), the HR Department should notify IT of any contractors or employees who have been terminated or are no longer performing work.
- Where possible, automated reporting mechanisms should be established as a means of reducing the potential human error in generating and/or transmitting this reporting to ABC IT.
- IT should develop a comprehensive approach to using the termination information received to systematically identify and disable all accesses previously retained by each individual at the network layer, as well as all downstream company applications and databases. If feasible, Management should consider implementing random self-assessments to ensure compliance with the stated process.
- All user accounts at the network layer and all critical applications should be recertified every quarter.
- A mechanism should be devised to track all user accounts that are sent out to the ABC representatives for certification to ensure that corresponding responses are captured for each account. This creates one-for-one accountability and traceability.
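The termination feed, the layer-by-layer disabling and the one-for-one certification tracking recommended above can be reconciled mechanically. The following Python block is an added example and is not code from ABC Toll Co. or its IT department: it joins a constructed HR feed against constructed account inventories for the layers named in this report (network, Quantis, ECMS, Oracle), lists the accounts to disable as of a given date, separates out shared or unowned accounts that need manual review, and checks that every account sent out for quarterly certification has a response. All employee ids and account names are hypothetical.

```python
"""Reconcile HR terminations against account inventories across layers.

Added example (not code from ABC Toll Co. or its IT department).  The HR
feed, the account inventories and the employee ids are constructed; the
layer names follow the systems named in the report but the account names
are hypothetical.
"""
from datetime import date

# Constructed HR feed: employee id -> (description, termination date or None).
HR_FEED = {
    "E001": ("toll operator 17", None),
    "E002": ("toll operator 22", date(2015, 2, 14)),
    "E003": ("plaza supervisor", None),
    "E004": ("contract DBA", date(2015, 3, 31)),
}

# Constructed inventories: layer -> {account: owning employee id}.  None marks
# a service or shared account with no individual owner in HR.
ACCOUNTS = {
    "network": {"op17": "E001", "op22": "E002", "sup1": "E003",
                "dba_x": "E004", "svc_backup": None},
    "Quantis": {"op17": "E001", "op22": "E002", "csr_shared": None},
    "ECMS":    {"sup1": "E003", "dba_x": "E004", "temp01": "E999"},
    "Oracle":  {"SYSTEM": None, "DBA_X": "E004"},
}


def accounts_to_disable(hr_feed, accounts, as_of):
    """{layer: [account, ...]} whose owner was terminated on or before as_of."""
    result = {}
    for layer, inventory in accounts.items():
        hits = sorted(
            acct for acct, emp in inventory.items()
            if emp in hr_feed
            and hr_feed[emp][1] is not None
            and hr_feed[emp][1] <= as_of
        )
        if hits:
            result[layer] = hits
    return result


def accounts_needing_manual_review(hr_feed, accounts):
    """Accounts with no individual owner, or an owner unknown to HR (E999)."""
    result = {}
    for layer, inventory in accounts.items():
        hits = sorted(acct for acct, emp in inventory.items()
                      if emp is None or emp not in hr_feed)
        if hits:
            result[layer] = hits
    return result


def certification_worksheet(accounts):
    """One (layer, account) row per account, sent out for quarterly certification."""
    return sorted((layer, acct) for layer, inv in accounts.items() for acct in inv)


def missing_certifications(worksheet, responses):
    """Rows for which no 'keep'/'remove' response has been captured."""
    return [row for row in worksheet if row not in responses]


if __name__ == "__main__":
    as_of = date(2015, 3, 31)
    print("disable:", accounts_to_disable(HR_FEED, ACCOUNTS, as_of))
    print("review:", accounts_needing_manual_review(HR_FEED, ACCOUNTS))
    sheet = certification_worksheet(ACCOUNTS)
    responses = {("network", "op17"): "keep", ("Oracle", "SYSTEM"): "keep"}
    print("unanswered:", len(missing_certifications(sheet, responses)))
```

Running the reconciliation as of 1 March 2015 instead of 31 March leaves the contract DBA's accounts in place, which is why the feed has to carry the termination date rather than a bare list of names.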
7. BCP Plan
- BCP Head or Business Continuity Co-ordinator
A senior official is designated as the Head of BCP activity.
His or her responsibilities include:
• Developing an enterprise-wide BCP and prioritization of business objectives and critical operations that are essential for recovery
• Consider the integration of the institution’s role in financial markets;
• Regularly update business continuity plans based on changes in business processes, audit recommendations, and lessons learned from testing
• Follow a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, management and monitoring, and testing
• Consider all factors and decide upon declaring a “crisis”
- BCP Committee / Crisis Management Team
A BCP Committee has been set up consisting of senior officials from departments like HR, IT, Legal, Business, and Information Security, which is charged with the implementation of BCP. It is instituted with the following broad mandate:
• To exercise, maintain, and to invoke business continuity plan, as needed
• Communicate, train, and promote awareness
• Ensure that the Business Continuity Plan (BCP) fits with other plans and requirements of concerned authorities
• Budgetary issues
• Ensure training and awareness on BCP to concerned teams and employees
• Coordinating the activities of the other recovery, continuity and response teams, and handling key decision-making
• Deciding on activation of the BCP
• Other functions entail handling legal matters evolving from the disaster and handling public relations and media inquiries
- BCP Teams
Teams have been built that can cater to various aspects of BCP at the central office, as well as individual controlling offices or a branch level, as required. Among the teams that can be considered based on need, are the incident response team, emergency action and operations team, team from particular business functions, damage assessment team, IT teams for hardware, software, network support, supplies team, team for organizing logistics, relocation team, administrative support team, coordination team.
The audit program for this assignment has been developed around the broad aspects that allow the effectiveness and efficiency of the Organisation’s Business Continuity Management process to be assessed. In developing the audit program, the mission and the business-critical functions were studied, and the environment (both economic and physical) was researched, so as to understand the impact a disruption could have on the Organisation. Some of the aspects to be covered in the audit are:
Procedural aspects of BCP
- Whether BCP takes into account the potential of wide-area disasters, which impact an entire region, and for resulting loss or inaccessibility of staff. Whether it considers and addresses interdependencies, both market-based and geographic, among financial system participants as well as infrastructure service providers.
- Whether the organization has necessary backup sites for its critical payment systems.
- Whether there is a practice to run some critical processes and business operations from primary and secondary sites, wherein each would provide back-up to the other.
- Whether all critical processes have been documented to reduce dependency on personnel for scenarios where the staff is not able to reach the designated office premises.
- Whether Backup/standby personnel have been identified for all critical roles.
- Whether the BCP has been disseminated to all concerned, including customers, so that awareness enables them to react in line with the BCP. This helps maintain customers’ faith in the organisation and reduces the likelihood of a major impact.
- Whether the BCP is a detailed one, to be relied upon for encountering natural calamity/ disaster situations.
- Whether adequate consideration is given to the availability of basic amenities such as electricity, water, and first-aid box in all offices.
- Whether the support infrastructure, namely the electrical systems, air-conditioning environment, and other support systems have any single point of failure and there is a building management and monitoring system to constantly and continuously monitor the resources.
- In-house telecommunications systems and wireless transmitters on buildings should have backup power. Redundant systems, such as analog line phones and satellite phones (where appropriate), and other simple measures, such as ensuring the availability of extra batteries for mobile phones, may prove essential to maintaining communications in a wide-scale infrastructure failure.
- Whether the possible fallback arrangements have been considered, also whether an agreement has been reached for carrying out alternative services in coordination with the service providers, contractors, suppliers, setting out roles and responsibilities of each party, for meeting emergencies. Also, whether there are provisions of imposition of penalties (including legal action), in the event of noncompliance or non-co-operation.
- Whether the evacuation plans are amended as per the new requirements.
- Whether critical papers, files and servers are kept off ground floors that are liable to floods or waterlogging, and off the top floors of taller buildings, which are more exposed to fire.
- Whether critical documents are kept in fire-proof and water-proof storage areas.
- Whether there are alternative means of power source (like ample diesel storage/ emergency battery backup etc.) for an extended period of power cuts.
- Whether the Recovery Point Objective (RPO) and the Recovery Time Objective (RTO) have been sufficiently defined. Whether there is a practice in place of taking backups and sending them off-site at regular intervals (preferably daily) or replication of data to an off-site location, which overcomes the need to restore the data.
- Whether the critical operations and services, key internal and external dependencies, and appropriate resilience levels have been identified. Whether the risks and impact of those risks from the point of view of the business disruptions have been identified and quantified.
- Whether the performance of the technology solution architecture for operations has been quantified so that steps may be taken to ensure that performance degradations do not take place due to increasing loads.
- Whether the solution architecture is designed for high availability with no single point of failure, so that a fault can be identified and corrected without any degradation in performance.
- Whether outages are periodically investigated. These are mini disasters: services unavailable for a short period, systems not responding when transactions are initiated at the branch level, or delivery channels not functioning briefly. Investigating them paves the way to ensuring that customer service is not affected.
- Whether there is the availability of appropriate technology solutions to measure and monitor the functioning of products.
- Are there competent technical people within the organisation to resolve issues expeditiously?
- Whether the organization conducts periodical review and upgrades the DR solutions from time to time and ensures that all the critical applications and services have a perfect replica in terms of performance and availability.
- Whether the DR drills are conducted periodically and whether they strictly comply with the set parameters.
- Whether the communication capability is compatible. The adequacy of voice and data capacity needs to be checked and whether they are commensurate with the organization’s size, complexity, and overall risk profile.
- Whether a system is in place to monitor the service relationship with telecommunications providers to manage the inherent risks more effectively.
- If the recovery site is already occupied when the organization wants to invoke it, where and how does the organization recover?
- Whether the vendor can cover the full range of equipment and telecommunication needs, and whether there is sufficient vendor staff to handle multiple invocations.
- Whether the standby site is safe for staff, whether it is convenient for public transport, whether it has rest, shower, catering facilities, adequate parking space, etc.
- Is the site secure, and will the organization’s data remain confidential.
- What are the qualifications and skills of the vendor‘s support staff?
- Are they certified as members of professional bodies like DRII or BCI?
- Will the vendor‘s support staff help the organization recover? If so, how many?
- Whether the Organisation has in place quick and reliable access to expertise for tracking suspicious behavior, monitoring users, and performing forensics.
- Whether there is a system of automatic reporting to the authorities concerned.
Tools & Techniques
- Simulation testing
- Automated tools
- Documentation reviews
- Internal Control Auditing
- Penetration Testing
- Technical recovery testing
- CAAT tools like Audit Expert Systems, Decision Support Systems
Logistic arrangements required
Access is required to the organization’s IS facilities, including the hardware setup throughout, the server room, the server systems and sensitive system software utilities; to the password policy; to the services and ports in use; to the various logs maintained (usage log, activity log, etc.); and to licence copies of all software. Access is also needed to the network settings, to assess traffic flow and analyse the network security controls, including the logical locations of security components such as the firewall, IDS/IPS, proxy server, antivirus server, e-mail systems and VSAT IDUs in the various zones. Finally, access is required to the documents related to the BCP and the DRP, the communication channels, the agreements with the various vendors (including the one with Prosys), documents related to the disaster recovery site at Bangalore, the results of prior tests conducted, and meetings with the Board and senior management.
A checklist has been prepared to get an insight into the potency of the BCP and DRP institutionalized by the organization. The checklist covers the various areas identified as essential for the smooth execution of the plan as and when required to be performed. This checklist will be put to use for recording observations and for collecting evidence that become the basis of the opinion to be given, upon the overall evaluation.
Policy and Procedure
- Whether there exist any exceptions to the scope of BCP i.e. in terms of location or any specific area, and whether the management has justifications for exclusion of the same?
- What is the time limit for such exclusion and what is the current strategy of covering such exclusions?
- Verify the sign-off on the policy to get assurance that the policy and procedure documents are approved by the Senior Management.
- Does the business continuity plan ensure the resumption of IS operations during major information system failures? It is to be checked that IS disaster recovery plan is in line with strategies, goals, and objectives of the Organization’s overall BCP.
- Are users (managerial, operational, administrative, and technical experts) involved in the preparation of a business continuity plan?
- Do the policy and procedure documents include the following:
- List of critical information assets.
- List of the vendor for service level agreements.
- Current and future business operations.
- Identification of potential threats and vulnerabilities.
- Involvement of technical and operational experts in the preparation of BCP and Disaster recovery plans.
- Recovery procedure to minimize losses and interruptions in business operations.
- Disaster recovery teams.
- Training and test drills.
- Compliance with statutory and regulatory requirements.
- Are the BCP policy and procedures circulated to all concerned?
- Is the business continuity plan updated and reviewed regularly? It is to be checked by verifying the minutes of the meeting where the policy and procedures are reviewed.
- Has the management identified potential threats/vulnerabilities to business operations? This information can be gathered by analyzing the environment study report or the risk assessment report.
- Are the risks evaluated by the Management?
- Has the organization selected the appropriate method for risk evaluation?
- Has the organization carried out the assessment of internal controls?
- Has the organization taken an appropriate decision on the risks identified?
- Are risk assessments carried out at regular intervals? The frequency of such assessments is to be evaluated.
Business Impact Analysis
- Does the organization carry out business impact analysis (BIA) for business operations?
- Has the organization identified a BIA team?
- Are RTO and RPO defined by the management?
- Whether the organization has quantified business impact, whether as loss of business, loss of goodwill, etc.?
- Is the business impact analysis carried out at a regular interval?
Development and Implementation of the BCP and DRP
- Has the organization prioritized recovery of interrupted business operations based on RTO and RPO?
- Has the organization identified the various BCP and DRP Teams?
- Are the responsibilities for each team documented?
- Does the BCP document(s) include the following?
- Scope and objective.
- Roles and responsibilities of BCP and DRP Teams.
- Incident declaration.
- Contact list.
- Evacuation and stay-in procedure.
- Activity priorities.
- Human resource and welfare procedure.
- Escalation procedures.
- Procedure for resumption of business activities.
- Media communication.
- Legal and statutory requirements.
- Backup and restore procedures.
- Offsite operating procedures
- Are the copies of up-to-date BCP Documents stored offsite?
- Does the offsite facility have adequate security requirements? The logical access, physical access, and environmental control of the offsite are to be verified.
- Does the BCP include training for employees?
- Whether the organization has adequate media and document backup and restoration procedures?
- Are logs for backup and restoration maintained and reviewed?
- Whether the media library has adequate access control?
- Are the BCP and DRP communicated to all the concerned?
Maintenance of BCP and DRP
- Whether the business continuity plan is tested at regular intervals?
- Has the organization reviewed the gap analysis of testing results?
- How has the organization decided to reduce the gaps identified, what is the time limit set for addressing the same?
- Has the organization got a testing plan?
- Are test drills conducted at appropriate intervals?
- Does the organization document and analyse the testing results?
- Has the organization prepared action points to address the gaps revealed by testing?
- Does the organization carry out retesting activity for action points?
- Does the organization review the BCP and DRP at regular intervals?
- Whether a review of the BCP includes the following?
- BCP policy and procedure
- Scope and exclusion of BCP
- Inventory of IS assets
- Validation of the assumptions made during risk assessment and preparation of the BCP and DRP
- Risk assessment
- Business impact analysis
- Back up of system and data
- Training to employees
- Test drills
A business continuity plan is a documented collection of procedures and information that is developed and maintained in readiness to deliver continuity of critical services in the event of a disruption. ABC Toll Co. has an integrated security program that includes a Business Continuity Planning (BCP) Program that has been formulated keeping in view all the aspects of the environment.
The objective of the audit was to examine ABC Toll Co. BCP management control framework. In the professional judgment of the Audit Team Leader, sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion. The audit findings and conclusion are based on a comparison of the conditions that existed as of the date of the audit, against established criteria that were agreed upon with management. Further, the evidence was gathered by applicable Standards and best practices.
The organization’s BCP Program has reached a considerable level of maturity. The BCP Committee / Crisis Management Team has been working diligently to further enhance the BCP Program, including the development of a governing framework, a methodology for developing continuity plans, a central repository for holding continuity plans, and corporate leadership to the branches and regions in the development of continuity plans. These actions have better positioned the Co. to provide for continuity readiness.
The audit highlights some areas where additional actions would serve to further strengthen the emergency management culture at ABC Toll Co. and to better align the program with ISO 22301, the standard on Business Continuity Management. For example, while the business impact analysis document contains many of the essential elements, its scope should be expanded to include all elements outlined in the standard. Strengthened business impact analysis practices would improve the quality of information derived from the analysis and allow for better decision-making in developing the list of “critical services” and the corresponding recovery strategies.
The audit sampled plans and noted that they could be more comprehensive, including explicit identification of dependencies and thoroughly described recovery strategies to better prepare the department for business disruptions. As well, the implementation of a permanent maintenance cycle will increase the likelihood of having accurate, up-to-date plans in the event of a disruption to operations. Management has agreed with the recommendations and has developed an action plan which will serve to further strengthen the Co’s business continuity planning program.
Audit Criterion, Findings and Recommendations
- Audit Criterion: Scope of Business Continuity Plan
- Findings: ABC Toll Co. has a BCP in place. However, the policy does not clearly state the powers of the BCP head or the steps he should take when the plan is invoked. Plan development needs to be decentralised to a finer level of detail, so as to make the BCP committee and sub-teams more responsible and accountable. In certain instances the plans contained little information on what actions to take and how recovery would be conducted. In such situations the employees responding to an emergency may not make the best decisions, and recovery of the activity may exceed its maximum allowable downtime. The policy would be stronger if it detailed all the elements that must be considered in order to take complete control of an emergency.
- Recommendation: It is recommended that the BCP policy be updated with a more detailed description of the departmental program, as well as roles and responsibilities of the BCP head and the teams and have it approved by the senior management.
- Audit Criterion: Quantum and documentation of review of Business Continuity Plans and adequacy of key information.
- Findings: We expected that the Co. reviewed the BCP frequently so as to keep it abreast of the changing needs of a dynamic environment. Our detailed review noted the following:
Plans generally did not contain an up-to-date mechanism for assessing an emergency situation. Four of the plans did not indicate an alternate work location. Without knowing the approved alternate work location, employees could make inappropriate decisions at the time of an emergency, with a resulting delay in recovery.
Resource requirements were indicated inconsistently across plans. Some plans listed the required resources but did not guide the user on how to obtain them at the onset of an interruption. Inadequate resources will result in delayed recovery times.
- Recommendation: It is recommended that the BCP policy be reviewed at a consistent and adequate frequency, and that the policy be thoroughly updated with each review.
- Audit Criterion: BIA and the critical areas
- Findings: We found that although the BIA was carried out properly, too many critical areas were identified that do not actually fall within the purview of the BCP criterion. Rather, they were services supporting the infrastructure that is in place to support critical service delivery. There were minor discrepancies in the categorisation of qualitative and quantitative impacts resulting from business interruptions. While the maximum allowable downtime (MAD) was given, there was no clear justification for it; a subjective assessment of impacts may therefore lead to an incorrect MAD. Further, having such a long list of critical areas contributed to the inability to complete the plans and arrangements required for each critical service. These deviations do not require a great deal of attention, but they should be duly corrected so as to foster efficiency at all levels.
- Recommendation: It is recommended that the BIAs be reviewed periodically so that the risk assessment can be adjusted to changing requirements. Further, the risk assessment procedure should be made more justifiable, so that the priority of the critical areas can be defined and measures taken accordingly.
- Audit Criterion: Business continuity activities, plans and arrangements
- Findings: ABC Toll Co. has documented continuity plans in the departmental BCP database. A few records were missing from the assessment of recovery options, so it could not be demonstrated that the most appropriate recovery strategy had been selected by senior management. The sampling exercise previously mentioned also established that 75 percent of the critical services had documented continuity plans. However, 25 percent of the plans reviewed do not yet have agreement between the BCP coordinator and the responsible authority that the plan is complete. In addition, recovery strategies were described for only 40 percent of the level one critical services reviewed. The activation procedures section of the continuity plans would benefit from explicit reference to the BCP Co-ordinator’s authority and the responsibilities of the Crisis Management Team.
Although a systems audit was not performed on the departmental BCP database, there were reports of plans being lost, and some details held in the database are missing from the print version of the plans. In the case of recovery strategies, for example, it is possible to list resources, quantities and requirements and to assign responsibilities in the database; however, the print version contains only resources and quantities, and would benefit from presenting the requirements and responsibilities recorded in the database. In the event of a disruption, printed copies of plans may be the only ones available for use and should, therefore, contain all the details required for implementation.
- Recommendation: It is recommended that management engage in a more rigorous quarterly sign-off of the respective business continuity plans, including descriptions of recovery strategies, and approve the plans.
- Audit Criterion: Strategies for Data protection
- Findings: The Co. replicates data to an off-site location using storage area network technology, which removes the need to restore the data after an incident. The disaster recovery site of the Co. is situated in Bangalore. The Co. has also properly defined the Recovery Point Objective (RPO) and the Recovery Time Objective (RTO) based upon first principles, so that employees are aware of the severity and criticality of these aspects well in advance. In addition to preparing for the need to recover systems, the Co. has implemented precautionary measures with the objective of preventing a disaster in the first place: local mirrors of systems and data; surge protectors to minimise the effect of power surges on delicate electronic equipment; an uninterruptible power supply (UPS) and backup generator to keep systems running in the event of a power failure; fire alarms and fire extinguishers; and other security measures for the protection of data.
- Recommendation: Although the RPO and RTO have been defined from first principles, they should be benchmarked against values accepted in industry practice so as to keep them on realistic grounds.
- Audit Criterion: IT deployment and network infrastructure
- Findings: The major weaknesses observed in IT deployment were that systems were not updated in various instances; the anti-virus software was not in auto-update mode on some systems; a few systems failed to handle interruptions; some software had integrity issues and ineffective process isolation; the necessary levels of access control were not in place; and some utility programs were observed to be operating outside the security system, without producing an audit trail of their activity. Shortcomings were observed in the review work performed by IS management staff following hardware malfunctions, reruns, abnormal terminations, etc. There is also a need to regularly record additions, deletions and changes to access authorisations. The Co. has alternate facilities for providing continuous internet access when the primary facilities fail. However, internet access through the alternate facilities was found to be restricted to a few systems only, which could be fatal if, in an emergency, it is precisely those systems that are affected. It was also observed that the network was unable to provide the expected throughput under load from multiple concurrent users; increasing the capacity to handle sustained peak load is therefore of utmost importance. Some sensitive files were not identified as such, and hence their security requirements were not properly determined. User awareness of network security and confidentiality was also found to be lacking in several cases.
- Recommendation: The system criteria need to be reviewed periodically. To address the security issues, reviews must be frequent and the remediation of observations must be implemented rapidly to improve the level of preparedness. It is also necessary to ensure that data compatibility is applied properly to all of the network’s datasets and that their security requirements are regularly reviewed. Measures should be taken to increase user awareness.