The NBFC (Non-Banking Financial Company) sector has grown in size and complexity over the years. The Reserve Bank of India has been issuing regular guidelines on system audit and controls for NBFCs, and a network security audit has been made indirectly mandatory through specific mention in RBI audit requirements. Considering the needs of regulators and customers, and as a market differentiator, Jupiter Capital Services Ltd decided to proactively arrange an independent IS audit of the network security of its remote operations, including work from home. Thereafter, a series of discussions was held between the entity's team and the IS auditor to understand the different modules, models, features and controls, which were prepared considering the business rules of banking and regulatory requirements.
ABOUT THE AUDITEE
Jupiter Capital Services Ltd is one of the leading NBFCs registered under RBI regulation as a Systemically Important Non-Deposit Accepting Core Investment Company. It has offices in every major city of the country. Jupiter Capital Services Ltd provides different types of loans to customers; the major areas are:
1. Commercial loans
2. Housing loans
3. Vehicle loans
In addition to the above there are three Strategic Business Units (SBUs):
1. Technology Division, providing end-to-end engineering solutions.
2. Legal Division, for loan and security related issues.
3. International Business Division, providing services worldwide.
Jupiter Capital Services Ltd has its head office in Mumbai and 5 regional offices. As it is an NBFC, every business process should be secured to a high level.
ABOUT THE AUDITOR
The auditing firm for this assignment is VNY & Associates. The firm was established in 2015 and has 5 years of experience in the fields of auditing, taxation, system audit, etc.
Partners: 3
No. of employees: 15
No. of articles: 20
Located at: Saket, Delhi
In this case the audit will be handled by a team led by CA “A” with 8 members, including 2 paid employees and 6 articles. The audit team for this particular assignment consists of the following qualified members:
Name: A
VNY & Associates, Chartered Accountants, is one of the well-known chartered accountancy firms in India and is engaged in providing information system auditing services across India. We are also recognised as a provider of information system audit services, and our core competencies are listed below:
1. SAP, Oracle & JDE process reviews
2. Review and framing of IS policies, procedures and practices
3. Review of physical & logical access controls
4. Review of operating system controls
5. Review of application system controls
6. Review of database controls
7. Review of network management
8. Review of application support and system maintenance processes
9. Review of disaster recovery & business continuity plans
10. Review of the IS environment
11. Risk assessment & suggestions
12. Business process re-engineering reviews
13. Post-implementation reviews of business processes and practices, with suggestions
Jupiter Capital Services Ltd has been using information technology as a key enabler for facilitating business process owners and enhancing services to its customers. The senior management of the company has been very proactive in directing the management and deployment of information technology. Almost all of the mission-critical applications in the company have been computerised and networked with proper security. The implementation of network security has enabled the company's authorised users to connect seamlessly and securely with all its legitimate vendors, customers and partners, improving business efficiency while maintaining business security.
Networking for remote operations at Jupiter Capital Services Ltd has posed unique challenges arising from the need to properly secure the network connection of each device. Each employee has been provided a separate laptop for their work; they carry the device to client locations and upload data from there. Some employees work from home to save operational cost. The company has already implemented a separate network security policy for devices used at remote locations or by employees working from their own premises. Communication from clients about business insights relevant to a loan must be made only over secured networks, as this type of information is sensitive and needs to be protected.
The information system audit should be executed as per the audit charter prepared by the company and agreed upon by the auditors. The purpose, authority, responsibilities and accountability are defined in the audit charter. The audit is to comply with the relevant standards issued by the ICAI and globally accepted standards for information system audit, and to establish an information security framework that provides assurance that all required aspects of information security are covered.
Our scope covers the following:
1. Review of security and controls at the network layer.
2. Review of all the key functionalities and the related security and access controls as designed at the parameter level.
3. Review of how the banking process business rules and regulatory requirements have been designed and built into the package.
4. Review of the process which connects remote devices to the network using VPN.
5. Mapping of best practices of security and controls to evaluate how security and controls are designed and integrated.
6. Review of pending unresolved issues of the last year and the current year.
7. To ensure that violations, if any, of the systems and procedures of the bank are brought to the notice of management immediately so that timely corrective and remedial steps can be taken and repetition avoided.
1. IT security policy for mobile devices used on a network.
2. Network security policy that lists the rights and responsibilities of all staff, employees and consultants.
3. Acceptable network usage policy.
4. Signed security agreement with network providers.
5. Contingency plan in case of network failure or security breach.
1. The company will make available the necessary computer time, software resources and support facilities for the assignment.
2. During the course of the IS audit, the auditors will use ACL, IDEA software, SQL commands, Baseline Security Analyzer, Belarc Security Advisor, Free Port Scanner and third-party access control software as computer-assisted audit techniques (CAATs) for verification of the system, using a Windows 10 computer connected to the server running the abc operating system, at the Mumbai and Ahmedabad branches of one of the company's customers.
3. As auditors we will use an Integrated Test Facility (ITF) to audit the regulatory requirements embedded in the application software. We will use correct as well as incorrect data to check the error-reporting capabilities of the network software.
4. Automated flowcharting programs will be used to interpret the source code of the application software and to generate flowcharts indicating the flow of information.
5. A mapping program will be used to identify unexecuted code in the software, which will help us draw the attention of management and the software development team.
1. User manuals and technical manuals.
2. Source code of the software.
3. Rules, regulations, guidelines and circulars issued for the company.
4. Security policies of the company, etc.
5. Network security policy that lists the rights and responsibilities of all staff, employees and consultants.
6. Acceptable network usage policy.
When undertaking an initial security audit, it is important to use the most up-to-date compliance requirements to uphold security protocols. This clearly defines what CISOs should be looking at, and helps in shaping and setting up the future of automated security monitoring and assessments. The audit will be conducted to review whether the following steps are in place and updated:
The scope of the auditing process is to be clearly defined. It should include all access layers: wired, wireless and VPN connections. In this manner, the scope of the audit will ultimately include all software and devices, in all locations, so as to define the security perimeter for the company.
The next step is to list potential threats to the security perimeter. Common threats to include in this step are:
Malware – worms, Trojan horses, spyware and ransomware, the most common form of threat to any organisation in the last few years.
Employee exposure – making sure that employees in all locations change their passwords periodically and use a certain level of complexity (especially for sensitive company accounts), as well as protection against phishing attacks and scams.
Malicious insiders – once onboarding has taken place (employees, contractors and guests), there is the risk of theft or misuse of sensitive information.
DDoS attacks – Distributed Denial of Service attacks happen when multiple systems flood a targeted system such as a web server, overload it and disrupt its functionality.
BYOD, IoT – these devices tend to be easier to compromise and therefore must be completely visible on the network.
Physical breaches, natural disasters – less common but extremely harmful when they occur.
There are many factors that go into creating the priorities and risk scoring:
Cyber security trends – working with a network access control system in place that factors in the most common and current threats along with the less frequent ones can save you and your CISOs a lot of time and cut costs, while at the same time defending the organisation within an optimal framework.
Compliance – includes the kind of data that is to be handled, whether the company stores or transmits sensitive financial or personal information, and who specifically has access to which systems.
Organisation history – whether the organisation has experienced a data breach or cyber-attack in the past.
Industry trends – understanding the types of breaches, hacks and attacks within your specific industry should be factored in when creating your scoring system.
At this point you should start to have an initial security posture available for each item included in your initial scope definition. Ideally, with the right access control systems in place, no internal biases affect your initial audit or any continuous risk assessments performed automatically later on. Additionally, making sure that all connected devices have the latest security patches, firewall and malware protection will assure more accuracy in your ongoing assessments.
Establishing a corresponding set of processes designed to mitigate the risks discussed in step 2 includes a few solutions that should be part of this step:
Network monitoring – establishing continuous automated monitoring and creating automated risk assessments will lead to improved risk management. Cyber offenders are typically working to gain access to networks. Activating software that automatically takes notice of new devices, software updates and changes, security patches, firewall installations and malware protection is the best way for any organisation to protect itself. Ideally your CISOs should be alerted to any questionable device, software, activity or unknown access attempt, so as to be a step ahead of any harmful activity, whether it is malicious or not.
Software updates – making sure that everyone on the network has the latest software updates and patches, firewalls, etc. It is highly recommended to take advantage of the built-in feature in network access control software that alerts you when these are required.
Data backups and data segmentation – relatively simple but crucial steps, because consistent and frequent data backups along with segmentation will ensure minimal damage should your organisation ever fall to malware or physical cyber-attacks.
Employee education and awareness – training for new employees and continuous security updates for all employees to make sure best practices are implemented company-wide, such as how to spot phishing campaigns, increasing password complexity, two-factor authentication and more.
During the course of the network security audit of the NBFC, the IS auditors have complied with the standards and guidelines detailed below:
1. Information Technology Act, 2000.
2. Section 7A of the Act – Audit of documents maintained in electronic form.
3. Section 43A of the Act – Body corporate dealing with sensitive data.
4. Section 72A of the Act – Disclosure of information without the consent of the person concerned.
5. The Banking Regulation Act, 1949.
6. ISO 27001 – Information Security Management System.
7. COBIT 5.
8. IT Audit and Assurance Standards and Guidelines issued by ISACA.
9. ISACA Standard 1206 – Using the Work of Other Experts.
10. Circular issued by the Reserve Bank of India dated 13.01.2016.
11. ISO 19600 – Compliance.
12. ISO 31000 – Risk Assessment.
13. ISO 22301 – Business Continuity Planning.
14. DBOD circular on Internet Banking.
15. Guidance Note for Banks on Risks and Controls in Computer and Telecommunication Systems.
16. Other globally accepted standards issued by the relevant authorities.
17. www.isaca.org/cobit
18. www.rbi.gov.in
19. www.dbs.gov.in
(i) The IS audit program is as detailed below:
Review network diagrams to understand the network infrastructure.
Review the physical and logical access controls to the network.
Review the applicable policies, standards, procedures and guidance on the network.
Review the maker-checker concept to reduce the risk of error and misuse and to ensure reliability of data and information.
Review information security and cyber security.
Review the adequacy of arrangements to file regulatory returns to the RBI.
Review the BCP policy duly approved by the Board, ensuring regular oversight by the Board by way of periodic
Review whether the requirements regarding Mobile Financial Services, Social Media and Digital Signature Certificates are properly met.
Review the arrangements for backup of data with periodic testing.
Review whether internet connections are protected through an industry-recognised firewall.
(ii) Observations and Recommendations:
1. Control: Security Policy
Observation: Proper documentation of the security policy is made by management and it is updated from time to time, but it is not effectively executed in the software.
Recommendation: Each employee should be made aware of the security policy, and proper training should be given at the time of joining.
2. Control: Disaster Recovery Plan
Observation: There is no disaster recovery plan in place in the system for customers in case of a security breach or network failure.
Recommendation: A disaster recovery plan should be made compulsory in the system.
3. Control: Network Diagram
Observation: Network diagrams do not follow diagramming conventions. They do not use the conventional device icons to represent devices such as routers, Layer 3 switches, etc.
Recommendation: Diagrams should conform to standard conventions and should be updated as and when changes occur to the network.
4. Control: Audit Log
Observation: The audit log policy is not consistent across servers in terms of network logging, log file size and retention period. Audit log configurations on all servers allow overwriting on reaching the defined maximum log size.
Recommendation: A consistent audit log policy should be applied across servers, and logs should be promptly backed up and manually cleared to obviate the need for overwriting. Wherever required, the log size may be suitably increased.
5. Control: VPN Access
Observation: New employees are being given VPN access, but older employees working at remote locations have not been provided VPN access and are working over ordinary public networks.
Recommendation: A VPN adds an extra layer of security by hiding IP addresses, encrypting the data and masking the user's location. Ensure that all remote employees have access to the VPN service. If necessary, hold a meeting or share tutorials on how to use the VPN efficiently to protect the company network.
6. Control: Third-party remote access platform
Observation: Employees are using a remote desktop service to hold meetings without the IT team having assessed its network suitability.
Recommendation: The IT team should choose the RDS very carefully before any exchange of information or meeting begins.
7. Control: Multi-factor authentication
Observation: The company does not have multi-factor authentication; only the login ID is used to connect to the network.
Recommendation: The IT team should set up a multi-factor authentication system for each employee who needs to log into their company user profile remotely, combining the user ID with a one-time password (OTP) sent to the user's registered personal number.
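Findings 4 and 5 above are the kind of exceptions an auditor can test mechanically instead of by inspection. The script below is an added illustration, not part of the audit report or the auditors' toolset; the server names, setting names, staff records and VPN user list are constructed samples standing in for exports from the servers, the VPN gateway and HR.

```python
# Added example (not from the audit report): CAAT-style checks for findings 4 and 5.
# All inputs are constructed samples; the setting names and user records are
# hypothetical and would normally be exported from the servers, VPN gateway and HR.

# Constructed per-server audit log settings (finding 4).
SERVER_LOG_CONFIGS = {
    "srv-mum-01": {"network_logging": True,  "max_log_mb": 64, "retention_days": 90, "on_full": "overwrite"},
    "srv-mum-02": {"network_logging": True,  "max_log_mb": 32, "retention_days": 30, "on_full": "overwrite"},
    "srv-ahm-01": {"network_logging": False, "max_log_mb": 64, "retention_days": 90, "on_full": "overwrite"},
}

def inconsistent_settings(configs):
    """Settings whose value differs between servers -> {setting: sorted distinct values}."""
    by_key = {}
    for cfg in configs.values():
        for key, value in cfg.items():
            by_key.setdefault(key, set()).add(value)
    return {k: sorted(v, key=str) for k, v in by_key.items() if len(v) > 1}

def overwriting_servers(configs):
    """Servers that discard old events by overwriting once the log reaches its maximum size."""
    return sorted(s for s, cfg in configs.items() if cfg.get("on_full") == "overwrite")

# Constructed HR roster (remote flag) and the VPN gateway's user list (finding 5).
STAFF = [
    {"user": "asha",  "joined": "2021-03-01", "remote": True},
    {"user": "ravi",  "joined": "2016-07-15", "remote": True},
    {"user": "meena", "joined": "2018-01-10", "remote": False},
    {"user": "karan", "joined": "2017-11-05", "remote": True},
]
VPN_USERS = {"asha"}

def remote_without_vpn(staff, vpn_users):
    """Remote staff with no VPN account, i.e. reaching the network over the public internet."""
    return sorted(s["user"] for s in staff if s["remote"] and s["user"] not in vpn_users)

def report(configs=SERVER_LOG_CONFIGS, staff=STAFF, vpn_users=VPN_USERS):
    """Return the exceptions as plain text lines, one per exception, for the working papers."""
    lines = []
    for key, values in sorted(inconsistent_settings(configs).items()):
        lines.append("Finding 4: '%s' varies across servers: %s" % (key, values))
    for server in overwriting_servers(configs):
        lines.append("Finding 4: %s overwrites its audit log at maximum size" % server)
    for user in remote_without_vpn(staff, vpn_users):
        lines.append("Finding 5: remote user '%s' has no VPN account" % user)
    return lines

if __name__ == "__main__":
    print("\n".join(report()))
```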
Other recommendations for remote operations:
1. Make 2FA (two-factor authentication) mandatory.
2. Educate your employees about cyber security risks and their vulnerabilities as they work from home.
3. Teach your employees how to identify phishing and the steps they need to take if they get phished.
4. Provide a point of contact and clear guidelines in case there is a security breach.
5. Make the use of a standard password manager solution mandatory.
6. Conduct phishing audits to test the preparedness of your remote employees.
7. Ensure regular backups are conducted.
8. Keep “read-only” as the default when granting file share permissions.
9. Use an email filtering solution to filter inbound as well as outbound messages.
10. Protect against spam, malware and phishing by using mail filters.
We have conducted a network security audit of Jupiter Capital Services Ltd focusing on remote operations, including work from home, as per the terms and scope agreed between management and the auditors. We have taken care to follow the international reporting standards issued by ISACA while conducting the audit assignment. Although we have tested the software thoroughly, our report remains subject to the audit risk associated with the audit itself.
Although the company has managed to secure its network, there are key areas we have identified: authentication for connecting to the network, employees being unaware of the company's security policy, disaster recovery plans not being in place, use of a third-party RDS without consulting the IT team, etc. We have made recommendations regarding our findings which may be helpful to management.
There are other findings as well which are also important to resolve as soon as possible: there are no guidelines in case of a security breach; there are no proper authorisation controls in place for connecting to the network, etc. Necessary recommendations