rsm india publication - how robust is your it system
How Robust Is Your Information Technology System?
RSM Astute Consulting Group
Indian member of RSM International
Personnel strength of about 950
Consistently ranked amongst India's top 6 Accounting and Consulting groups (Source: International Accounting Bulletin - September 2010 and September 2011)
Nationwide presence
International delivery capabilities
RSM International
6th largest network of independent accounting and consulting firms in the world
Annual combined fee income of US$ 3.9 billion
700 offices across 94 countries
www.astuteconsulting.com
Contents
Section I: IT Systems Assurance - A Holistic View (pages 1-4)
Section II: Progressive IT Systems Assurance Model (pages 6-9)
Section III: Journey towards Perfection (pages 11-61)
  Chapter 1: IT Management Framework (11)
  Chapter 2: IT Infrastructure Management (16)
  Chapter 3: Application Controls (24)
  Chapter 4: Identity and Access Management (29)
  Chapter 5: Project Management - Transformation (33)
  Chapter 6: Operations Framework (40)
  Chapter 7: Protecting Data Layer (47)
  Chapter 8: Business Continuity Planning Framework (50)
  Chapter 9: Human Interface to IT Systems (54)
  Chapter 10: Compliance and Regulatory Framework (56)
  Chapter 11: Impact of Contemporary Trends (60)
Section IV: Creating Excellence in IT Systems Assurance (pages 63-67)
Annexure I (68)
Annexure II (69)
Section I: IT Systems Assurance – A Holistic View
1.1 Introduction
The Information Technology revolution has transformed the business landscape across the globe in the last two decades. Changes due to ERP systems, the internet, social networking, mobile computing and e-commerce have permeated the entire life cycle of any business organization. Organizations, irrespective of their nature, size and industry, have witnessed a paradigm shift in the way they strategize, build and operate their businesses around an IT eco-system. Information Technology has become the backbone of every business and in certain sectors, such as banking and financial services, airlines, telecom, e-commerce portals and manufacturing, has become a business driver. These industries have created technology-enabled business models that give them global reach and provide customer-centric services with a personalized experience. Internal levels of technology adoption, the associated process changes, the organizational risk profile and internal control systems have changed in step with the external world. An Information Technology Assurance Program is a continuous and dynamic program to ensure that an organization's internal control systems that depend on information technology remain current, comprehensive, effective and responsive to such changes.
1.2 IT Systems Assurance – Need and Key Drivers
Recognizing the need and importance of IT in business, organizations have invested heavily in IT infrastructure, applications and all other supporting programs. Management is equally concerned about the return on such IT investments. Given the critical role of IT in business today, it is imperative that management and stakeholders review IT systems in a structured and holistic manner and are concerned with the following issues:
• Existence and effectiveness of an IT governance framework
• Effective technology controls to ensure transaction-level integrity
• Confidentiality and timeliness of information processed
• Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) ensuring availability of data
• Effective compliance with regulatory requirements and adherence to industry best practices
Various external and internal factors act as key drivers that compel the organization to adopt a comprehensive IT system assurance program.
1.2.1 External Factors
• Rapid changes to information technologies creating unknown risks
• Increasing third-party dependence for key organizational processes
• Identification of new vulnerabilities in systems on a daily basis
• Emergence of organized and unorganized hacker communities
• Rising customer demands on service availability, process transparency and data privacy
• Stringent regulatory framework and internationally benchmarked standards
• Frequent acquisitions and mergers leading to complex IT eco-systems
1.2.2 Internal Factors
• Variance in organizational strategy, executive decision making process and operational environment
• Fragmented approach of management towards adoption of technology
• Insufficient controls in terms of inadequate user training, lack of segregation of duties and inadequate testing before deployment
• Trusted insiders perpetrating fraud / misuse of the systems
• Obsolescence of information assets
A generic depiction of the motivational factors for an IT Assurance Program is set out below.
Figure: Key drivers of IT assurance program. The drivers feeding into IT Systems Assurance are System & Process Variances; Protection from Internal / External Misuse; Uninterrupted Operation needs; Global Accessibility of Data; Customer Data Privacy; Changes to Business / Technology Environment; and Industry Regulation.
1.3 IT Systems Assurance - A Holistic Program
An IT systems assurance program is a holistic program adopted by businesses to ensure achievement of their short-term and long-term goals with the help of IT. It is imperative that the program encompasses the entire life cycle of the business and is functional at the grass-roots level. Hence, internal control systems need to be effective at the business, process, technology and operational layers.
Assurance of an IT system needs to include the IT management framework, which necessarily includes the organization's IT strategy, IT risk management program, IT structures, IT architectures and IT policies, to ascertain the soundness of the foundations of IT systems. Such a program needs to apply to all IT assets, including data, applications, infrastructure, people, tools and technologies.
An IT systems assurance program must take into consideration the impact of information technology on the overall functioning of the organization. Such a program needs to cut across financial, legal, regulatory and operational assurance requirements. The impact of constant changes to the technology environment must be covered under the IT assurance program. It is also important that the IT assurance program addresses the long-term sustenance requirements of the organization.
Finally, an IT systems assurance program needs to have specific business objectives. Beyond technology factors, it is expected to ensure capital protection, provide competitive advantage through efficient internal control systems, facilitate IT compliance requirements and instil customer confidence in the overall well-being of the organization.
In today’s world where IT risks are embedded at various levels, an IT assurance program cannot be truly effective unless it is all encompassing in nature.
An illustrative diagram of the same is given on the next page.
Important aspects of an IT systems assurance program:
• It needs to be dynamic to suit the ever-changing needs of businesses
• It needs to be granular to capture risks embedded in business processes
• It needs to be operational in all phases of organization evolution
• It needs to be customized to suit the organization's unique needs
Figure: Information Systems Assurance, cross-functional view. Functions covered: Finance, Data Processing, Legal and Regulatory, Technology, Operations, Human Resource. Threats: internal and external sources. Protection: procedural and tool based. Information assets: People, Tools, Infrastructure, Application, Data. I.T. Framework: Strategy, Risk Management, Structures, Architectures, Policies. Business Objectives: Capital Protection, Competitive Advantage, Compliance, Customer Confidence.
Section II: Progressive IT Systems Assurance Model
Introduction
As the IT Assurance Program is comprehensive, organizations face various challenges during its implementation and review. IT maturity levels and business requirements differ for every organization. It is necessary to unfold the program in a structured manner suited to the organization's and the industry's unique needs, and through an organized change management process. There should be specific programs, processes and visible outputs at every stage to give management comfort and confidence that there is continuous progress in the IT assurance program. Typical concerns that management would address in a stage-wise manner include:
Stage I
• What is the current organization IT posture?
• What are the current IT risks and concerns?
• Is the organization deploying the appropriate measures to address IT risks?
• Has the organization assigned appropriate resources to implement such measures?
Having assessed the macro level view of the organization IT risk program, managements would typically like to assess the progress of an IT risk mitigation program.
Stage II
• What are the organization's specific pain areas and why do they exist?
• How deep-rooted are the risks and to what extent do they impact the organization's IT posture?
• Has the organization adopted the right mitigation measures?
• Is it necessary to review and implement the program in a simplified and progressive manner?
Stage III
Further, the same organization would take an integrated view of the success of the IT assurance program. Typically, the concerns that management would like to address include:
• How do IT risks impact the organization's business eco-system?
• Are the risk mitigation measures effective?
• Are there previously unidentified risks?
• Is the organization able to achieve its compliance posture?
• Is the organization leading in IT risk management practices?
It is imperative that the roll out of IT assurance program is mapped on the above management concerns with tangible deliverables at every stage.
Accordingly, the progressive IT assurance program consists of:
• IT preliminary assurance through overview
• IT environment assurance through substantive checks
• End-to-end IT assurance through integrated checks
The usefulness of such reviews is tabulated on the next page for illustration purpose.
Progressive IT Assurance Model

Level 1: IT Preliminary Assurance (Overview)
Scope:
• IT Managerial Framework: Strategy, Architecture, Structure, Risk Management, Policies
• IT Infrastructure Management
• Application Control Management
• Identity and Access Management
• Project Management
• Operational Framework
• Data Layer Protection
• Business Continuity Framework
• Human Interface
• Compliance & Regulatory Framework
Management concerns:
• What is my IT posture?
• What are my main risks / concerns?
• Am I doing the right things?
Deliveries:
• IT Risk Diagnostic Review Report
• What should you do in the next 12 months to mitigate risks?

Level 2: IT Environment Assurance (Substantive Checks)
Scope:
• Organization Unit Level Framework
• Standard Operating Procedures
• Asset Classification, Risk Analysis
• Network / Configuration Controls
• Design, Configuration Control
• User-Role-Authentication Management
• Project Risk Management
• Operational Process Controls
• Data Flow / Storage Controls
• Business Continuity Test Evaluation
• Background Checks / Training
• Preparing for Compliance
Management concerns:
• Why are my pain areas?
• Am I doing the things rightly?
• How deep are the risks?
Deliveries:
• Technical Risk Assessment Report
• How are you progressing with respect to risk mitigation plans?

Level 3: End-to-End IT Assurance (Integrated Checks)
Scope:
• Business Goal Alignment
• IT Risks Mapping on ERM
• IT Structural Reviews
• Tool Based Scan
• Data Analysis and Migration Checks
• HR Master Data Integration
• Return on Investment
• Concurrent / Effectiveness Checks
• Intellectual Property Protection
• Business Impact Analysis
• IT Maturity Measurement
• Industry Standards / Certification
Management concerns:
• How do IT risks translate to business?
• Am I the industry leader?
• Are risk mitigation plans working?
Deliveries:
• How is Enterprise Risk effectively managed through IT?
• How should you measure your industry standing?
Illustrative usefulness of such reviews is tabulated below:

IT Overview is more useful when:
• Organizations have not conducted an IT review in the past
• Organizations have frequent issues related to IT management
• The IT eco-systems need significant changes
• Mergers and acquisitions take place
• The review time frames available are short

IT Substantive Checks are more useful when:
• One or more IT areas require a deep dive
• Automated or system tools are necessary due to high volumes or the nature of the systems
• Detailed support for the diagnostic reviews is required
• Systems undergo major changes
• Organizations are willing to spend adequate time to focus on specific issues

IT Integrated Checks are more useful when:
• IT systems need to be validated along with the overall internal control systems
• There is a need to validate the assumptions and progress of IT evolution
• The organization intends to obtain industry-specific compliance or certification
• Major changes in the organization's information processing systems need validation
• Organizations intend to take a long-term view of process improvements
Section III: Journey towards Perfection
Chapter 1: IT Management Framework
1.1 Introduction
The IT managerial framework sets the context for all Information Technology initiatives. The framework needs to be comprehensive and should take a 360-degree view of the organization's requirements. The IT Management Framework includes Strategy, Architecture, Structure, Risk Management and Policies. Each of these aspects is dealt with separately below.
1.1.1 Alignment of IT Strategy with Business Goals
Success of an IT system depends upon how closely IT strategy, execution and monitoring are linked to business goals. Some of the common deficiencies arise when:
• IT strategies are prepared in isolation from business strategies
• Businesses underestimate the criticality of certain dormant IT issues
• Cross-functional teams do not participate in the IT strategy program
It is necessary that business goals are well defined and IT goals are derived from individual business goals.
An illustration of how IT strategy is aligned to business goals is shown in the figure below.
Figure: Business Strategy; Business Goals (Customer Acquisition, New Products, Business Expansion, Enterprise Risk Management) mapped to IT Goals (New Services, Functionality Upgrades, Scalable Architecture, IT Risk Management).
1.1.2 Information Architecture
Every business entity is supported by its individual functional units which have their respective roles to play within the organization. Also, each functional unit is dependent on the IT systems for its individual data processing needs.
The diagram below depicts how various functional units within the organization are connected to each other through their data processing needs.
IT functional architecture gets defined after considering the nature of information exchange, volume of data processing, geographical locations of operations, deployment and scalability requirements, and the internal controls structure.
In the current environment of frequent mergers and acquisitions and other structural changes, business interfaces and data processing need to undergo constant changes. Unmanaged changes create long term risks for the organization.
Such activities require due diligence, third party audits and sharper definition of roles, responsibilities and liabilities in case of system breaches.
Figure: Data Processing Needs at the centre, connecting Human Resource, Legal & Compliance, Material Management, Project Planning, Data Center Service Provider, Customer Services, Sales & Distribution, Third Party, Production Management, Operations, and Accounts & Finance.
1.1.3 IT Structure
IT structure is necessary to establish proper and efficient IT execution process within the organization. To have appropriate checks and balances within, it is necessary that roles and responsibilities of various functions are well defined. Some of the common deficiencies include:
• Improper segregation of duties in the decision making and execution process
• Organizations performing primarily on the basis of "assumed responsibilities"
• Improper analysis of work content, estimates and staff alignment
• Inadequate mechanism to measure skills
A good organization structure is derived from a well-defined work breakdown structure (WBS) and functional breakdown structure (FBS) hierarchy. With the level of technology absorption and process integration, the structures need to be dynamic. In the case of large organizations, the relationship between central units, individual functional units and the various control functions needs to be defined in such a way that the overall internal control system remains well coordinated, efficient and optimal. Certain functions may be more effective if outsourced; however, the organization retains ownership of and accountability for them.
1.1.4 IT Risk Management Framework
With increasing dependence on IT systems, an organization's vulnerability to IT risk also increases. Thus, the success of the organization depends upon its ability to contain IT risk, which requires it to create an IT risk management program. An IT risk management program needs to emerge from the Enterprise Risk Management program.
The IT risk management program methodology needs to be well defined and detailed. This should cover the following aspects:
• Asset Identification, Classification, Valuation
• Assessment of Threats and Vulnerabilities
• Overall Risk Assessment
• Risk Prioritization
• Control Evaluation with Cost-Benefit Analysis
• Risk Treatment Plan: Acceptance, Avoidance, Transfer and Mitigation
Figure: ERM Control Activities, within which sit Control over Information Systems and, in turn, IT controls at the individual layer.
1.1.5 IT Policies
IT policy is the most important and critical part of IT assurance of the organization. The coverage, depth and maturity of the policy varies from organization to organization. Also, various industry and regulatory bodies make IT policy a mandatory requirement for compliance.
Common deficiencies in IT policy management include:
• IT policies are not aligned with changes in the technological environment
• IT policies do not adequately provide the necessary direction to the execution team
• IT policies do not provide the necessary operational-level flexibility
• IT policies are not communicated effectively to staff and all concerned persons
Management needs to ensure that IT policies remain the guiding force for the organization's IT framework.
The effective management of IT policy and procedural framework with a layered approach are depicted in the figure below.
IT Policies and Procedural Structure (layered):
• Vision statement: signed by the CEO
• Directional Policies: signed by Steering Committee
• Functional Policies: signed by Functional Heads along with IT
• Standards & Guidelines: signed by governing body
• Detailed Operational Procedures: signed by operation owners
Three characteristics: Comprehensiveness, Consistency, Communication.
1.2 Reviews
An overview of the IT management framework needs to cover:
• Existence, ownership and review process of strategy, risk management, structure, architecture and policies
• Change management and approval process
A substantive review of the IT management framework needs to cover:
• Appropriateness of the methods and standards adopted by the organization
• The functioning of IT management at the individual unit level of the organization
• Existence and detailing of Standard Operating Procedures
An integrated review of the IT management framework needs to cover:
• The alignment of the entire IT management framework with business strategy, enterprise risks and the operational plan
Chapter 2: IT Infrastructure Management
2.1 Introduction
Today no organization functions in isolation from the rest of the world; it is always connected externally and internally through a mesh of networks.
Organizations provide connectivity to external users such as customers, suppliers, business partners and other stakeholders. Internal users of the organization are also permitted to connect to the organizational network through remote access. Such access is provided through public / e-commerce websites, kiosks / ATM channels, mobile commerce and service outlets, and the connectivity is provided by deploying leased lines, MPLS, VPN, wireless technologies and other equivalent mechanisms. Nowadays, many financial transactions across banks and Government institutions take place through interfaces and payment gateways. In the modern world, such connections are often part of global networks.
To facilitate external connectivity, organizations create an interfacing architecture. Considering that the elements hosted in this architecture are exposed to external risks, a separate network segment is created and special security measures are taken to prevent and/or detect any direct, indirect or potential risks to this segment.
Internally, users of the organization get connected on wide area network and local area networks, using various connectivity techniques. The spread and complexity of internal network depends on various factors including the number of locations, number of users, nature of activities they perform, data processing volume and overall system deployment architecture.
The internal network is divided into multiple segments using routers, switches, firewalls, virtual LANs and various other techniques. These segments host various servers, databases and information processing devices. The entire functional architecture of the organization is mapped on the network architecture.
There exist various types of technology solutions that are capable of controlling and monitoring behaviour of various network elements. These are responsible for enforcing centralized policies that include management of Anti-Virus, Central Domain Controllers, Authentication Servers, Data Protection Servers, Log Monitoring Servers and many more services.
Internal users of the organization consist of various classes, such as normal users and premium users (e.g. administrators and critical data custodians). Each of these user classes requires different levels and types of access, with different requirements for data confidentiality.
In a nutshell, a typical organization network consists of the following broad segments:
• External networks connecting to the organization
• Internal network segment communicating with the external world
• Internal network segment hosting organization infrastructure
• Internal network segment from where users operate
A schematic diagram for the same is depicted on the next page.
In reality, the architectures could be more complex for most organizations, as the number of network elements runs into hundreds, thousands or even more depending on the size of the organization and the volume of data processing.
Further, the way an organization creates its internal network depends on its business model and geographical and financial constraints.
Figure: Typical Network (schematic).
2.1.1 External Threats to Organization Network
Technologies create immense business opportunities by allowing connectivity to the external world. This also brings various risks for the business. Management is always concerned about fraudulent activities on the network originating from outside sources (e.g. an attack on the internal network through malware, and security threats during e-commerce transactions). Any misconfiguration of network elements can result in a vulnerability that can be exploited by external users. Some of the vulnerabilities exposed to external threats are:
• Weaknesses in the security architecture that allow direct access to the internal network from external sources
• Weak encryption techniques used during data transmission that allow data sniffing and interception
• Inability to prevent organized / unorganized hacking attempts on the network that can result in denial of service, web defacement and similar consequences; these pose a reputational risk to the organization
• Data theft by an unauthorized user accessing the network or an information resource such as a server through compromised credentials of authorized users
• Performance bottlenecks on the network impacting customer service and external interface processing capabilities
With the rising complexity of technologies, the ease of obtaining hacking tools, determined socially disgruntled groups, and international and business rivalries, the possibility of a cyber-attack is real.
Organizations need to enhance their ability to handle threats on a real-time basis and keep pace with the rate at which external threat profiles change.
Safeguards against external threats to the organization include:
• Establish very strong authentication mechanisms for external connectivity
• Encrypt the data flowing on the network
• Create strong traffic monitoring and filtering mechanisms at different layers
• Keep external infrastructure tested and upgraded to pre-empt attacks
• Carry out vulnerability analysis and penetration tests and take corrective measures
2.1.2 Internal Threats to Organization Network
Internal networks would be segmented into various zones and network traffic is regulated using firewalls, switches, routers and various other devices. These devices can be deployed across various regions, geographies and virtually create borderless organizations. In spite of the best internal design, given the complexities involved, concerns on system compromise due to flaws in internal network systems would exist.
Incorrect configuration risks include:
• Creating unwanted internal navigation paths for users due to "open" configurations on devices
• Improper user management and authentication configuration that allows entry to unauthorized users
• Weaknesses in administrative, accounting and auditing controls impacting the preventive and detective abilities of the organization
• Unencrypted interfaces that can be sniffed by a malicious user
• Redundant software residing in the system in the form of programs, utilities and scripts
• Weaknesses in the centralized control architecture due to which organization policies cannot be enforced on all information resources
• Traffic anomalies and bottlenecks resulting in degraded services on internal networks
The efficiency, availability and security of the entire network depend on how well the business requirements are mapped onto network devices and how these devices have been configured. Broadly, these include various types of:
• Authentication techniques
• Traffic monitoring techniques
• Policy enforcement techniques
• Performance measurement techniques
• Logging and monitoring techniques
A combination of multiple such techniques at different layers, applied in a structured manner, is necessary to create an efficient defence and monitoring architecture. Active vigilance on these outcomes pre-empts several threats to the network in a timely manner.
A careful analysis of the events taking place across the organization architecture gives good insight into the behaviour of traffic flowing across networks. This helps organizations to fine-tune security and performance on an ongoing basis. Safeguards for the organization network include:
• Proper network segmentation
• Sensitive system isolation
• Data management controls
• Encrypting data flows
• Logging and monitoring of system activities, including administrative activities
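As an added example (not part of the RSM publication), the following Python script reviews a constructed inter-zone rule set against the four broad segments described in this chapter and flags the "open" configurations, unwanted navigation paths and unencrypted interfaces listed above; the zone names, rule text format, reference path matrix and sample rules are all assumptions made for the illustration.

```python
"""Inter-zone rule review for a segmented network (added example).

Not from the RSM publication. Zone names, the rule text format, the
reference path matrix and the sample rule set are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple, Union

# The four broad segments the text lists, under assumed short names:
# external world, internal segment facing the external world ("edge"),
# the segment hosting infrastructure, and the segment users operate from.
ZONES = ("external", "edge", "infra", "users")
ANY = "any"

# Constructed reference policy: the direct zone-to-zone paths the business
# requires. An allow rule for any other pair is an unwanted navigation path.
ALLOWED_PATHS: Set[Tuple[str, str]] = {
    ("external", "edge"),  # customers and partners reach only the edge segment
    ("edge", "infra"),     # edge services call back into infrastructure
    ("users", "edge"),
    ("users", "infra"),
}

# Well-known services that carry credentials or data in cleartext.
CLEARTEXT_PORTS: Dict[int, str] = {
    21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap", 389: "ldap",
}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: Union[int, str]  # TCP port number or ANY
    action: str            # "allow" or "deny"


def parse_rules(text: str) -> List[Rule]:
    """Parse one rule per line: '<src> <dst> <port|any> <allow|deny>'.
    Trailing '#' comments are ignored; unknown zones or actions are rejected."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, port, action = line.split()
        if src not in ZONES + (ANY,) or dst not in ZONES + (ANY,):
            raise ValueError(f"unknown zone in rule: {line!r}")
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action in rule: {line!r}")
        rules.append(Rule(src, dst, ANY if port == ANY else int(port), action))
    return rules


def check_rules(rules: List[Rule]) -> List[str]:
    """Return one finding per weakness, in rule order. Each maps to a risk the
    text names: open configurations, paths the business never asked for, and
    unencrypted interfaces that can be sniffed between segments."""
    findings: List[str] = []
    for n, r in enumerate(rules, start=1):
        if r.action != "allow" or r.src == r.dst:
            continue  # denies and intra-zone rules open no path between segments
        if ANY in (r.src, r.dst):
            findings.append(f"rule {n}: open configuration (zone wildcard {r.src}->{r.dst})")
            continue
        if (r.src, r.dst) not in ALLOWED_PATHS:
            findings.append(f"rule {n}: unauthorized path {r.src}->{r.dst}")
        if r.port == ANY:
            findings.append(f"rule {n}: open configuration ({r.src}->{r.dst} on any port)")
        elif r.port in CLEARTEXT_PORTS:
            findings.append(f"rule {n}: unencrypted interface {CLEARTEXT_PORTS[r.port]}/{r.port} "
                            f"crosses {r.src}->{r.dst}")
    # Without a final explicit deny, unmatched traffic falls through to the device default.
    if not rules or rules[-1] != Rule(ANY, ANY, ANY, "deny"):
        findings.append("rule set does not end with an explicit 'any any any deny'")
    return findings


# Constructed sample rule set with deliberate weaknesses for the checks above.
SAMPLE_RULES = """
external edge 443 allow    # customers reach the public web tier over TLS
external infra any allow   # direct path from outside into infrastructure, any port
edge infra 5432 allow      # web tier to database
users edge 80 allow        # user segment to edge over cleartext http
users infra 22 allow       # administrators to servers over ssh
infra users 23 allow       # path the policy never granted, and cleartext telnet
any any any deny           # explicit default deny
"""


def review_sample() -> List[str]:
    return check_rules(parse_rules(SAMPLE_RULES))


if __name__ == "__main__":
    for finding in review_sample():
        print(finding)
```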
2.1.3 Insider Threats for an Organization
Managing IT systems involves a human element, and organizations need a trust environment to operate successfully. With the advent of new technologies, the emergence of new vulnerability exploitation techniques and broad access to organization data resources, the organization depends on the 'trust level of an insider'. Hence, organizations are concerned about insider threats. These include:
• 'Trusted' insiders misusing the systems using their privileges and rights
• Exploitation of network and application weaknesses for individual gain
• Manipulation of access rights so as to 'allow' fraudulent activities
• Suppressing system evidence and logs
Organizations need to create safeguards against such threats. These safeguards include:
• Creating "need to know" based internal access systems with built-in segregation of duties
• Performing background checks and practising periodic job rotation
• Restricting access to system evidence and logs
2.1.4 Risk Remediation through Vulnerability Assessment and Closure
In practice, it is not easy to achieve and retain a completely secure systems architecture. Vulnerabilities exist across all network layers, devices and technologies. These vulnerabilities are detected through in-house tests, publicized by product vendors or listed in global databases, and need to be acted upon immediately. Vulnerability assessment and remediation are activities that the organization needs to perform on a continuous basis. This includes assessing the impact of each vulnerability on the working environment, identifying a remediation plan, appropriate testing and releasing patches. Following best architecture, development and change management practices is the best way to stay away from vulnerability issues.
2.1.5 Difference in Business Models Influence IT Control Systems
In today's organizations, several functions such as data center management, e-mail management, day-to-day operations, storage management and application management are outsourced to external parties. Cloud computing based technologies are becoming popular, as a result of which organizations' data processing activities are now carried out through a widely distributed mesh of networks and functions. A truly modern organization can work on a "hyper-connected" model. This has a significant impact on organizations' internal control systems. An illustration of the same is tabulated below:
Correlation among Business Model and Information Architecture, and how it impacts the internal control system:

Business Model: Closed Centralized
  Information Architecture: Centralized assets / centralized IT operations; individual units are users
  Control: Complete, internal

Business Model: Closed Decentralized
  Information Architecture: Centralized framework, all assets belong to the company; however, deployment and operational decision making is at the individual business unit end
  Control: Distributed and internally controlled

Business Model: Outsourcing of IT Data Centers
  Information Architecture: Infrastructure services outsourced and the rest managed internally
  Control: Strongly internally controlled; external control through SLA

Business Model: High Level Outsourcing
  Information Architecture: Infrastructure and customer handling services outsourced and the rest managed internally
  Control: Reduced direct organization control; needs effective monitoring

Business Model: Significant Outsourcing
  Information Architecture: Server + Application + Operations outsourced; only data belongs to the organization
  Control: Limited control on the IT function; however, accountability cannot be outsourced
The IT assurance program and its transition need to be aligned as per the set-up of the organization.
2.2 Network Reviews
A review of the entire network architecture and its processes is necessary to evaluate the robustness of the network architecture.
An overview of IT infrastructure needs to cover:
- Adequacy of organization policies and procedures at different layers
- Test checks on procedures around architecture management
- Adherence to Service Level Agreements signed with vendors
Substantive review of IT infrastructure needs to cover:
- Network devices configuration
- Change management processes
- Technology obsolescence and vulnerability analysis
- Security checks on internal network paths
Integrated review of IT infrastructure needs to cover:
- Administrative controls and checks
- In depth analysis of system filters at different layers
- Root cause analysis of different incidents
- Anomalies detected through traffic monitoring logs
- Business compliance needs to be supported by infrastructure
Chapter 3: Application Controls
3.1 Introduction
Organizations develop and deploy applications in their environment for automation of their business processes. Applications integrate various functions, provide the necessary workflow, increase internal operational efficiencies and give management complete visibility of the current status of transactions at various layers. Organizational intelligence is built into the design of the application. Applications are normally scalable, used by a large segment of the organization and process voluminous data. As applications mature, organizations become more dependent on application functions. Every application has its own architecture, platforms, functionality and purpose. Application controls therefore become one of the most determining factors in evaluating the overall risk posture of the organization.
Most organizations deploy either ERP or legacy systems solutions to support their data processing needs. To have an effective implementation, application controls need to be incorporated at the design stage and should take into account the following.
- Logical access control
- Authentication control
- User interface control
- Input validation controls
- Data processing and output controls
- Functional controls
- Session level validation
- Controls built around server, database and operating system architecture
- Scalability and performance controls
- Secure coding controls
3.1.1 Enterprise Resource Planning (ERP) and Legacy Systems
An organization may have different IT applications to fulfill its information needs. These needs may be fulfilled by legacy applications or integrated ERP applications.
However, ERP is preferred to legacy applications as it integrates the business processes in a seamless manner, adopts best industry practices and has in-built features such as:
- Open system architecture
- Multi-tier architecture
- Enterprise data model
- Accessible through multiple channels
- Multi-national, multi-currency transactions
- Integrated real-time processing
- Ability to stay with current technology
- Strong integration with business processes
- Providing integrated turnkey solutions
However, ERPs are sometimes cumbersome to implement, require business process reengineering, good change management and acceptability at various levels, and sometimes have a long implementation phase. Hence, legacy systems continue to occupy critical space in business IT architecture. Legacy systems are aligned to organizational requirements and are firmly embedded into the organization’s processes. However, organizations need to take extra precaution to ensure that they run on current technologies, follow strong development processes, have strong business integration and embed functional controls into the system.
3.1.2 Software Development Life Cycle (SDLC)
SDLC or System Development Life Cycle is the process to create or change existing information systems. A well-defined SDLC is necessary to have efficient information systems. Various models have been created to fulfill the need of the same. Some of them are waterfall, spiral, incremental and rapid application development.
The important SDLC stages as per the most commonly used method are:
- Business requirement analysis
- Feasibility study
- System requirement study
- System design
- Development
- Integration and testing
- Acceptance and release management
- Maintenance
Having a structured approach to software development leads to better control, documentation, maintenance ease and higher development and design standards. However, this may increase the development time and costs. If organizations desire to have flexibility to suit the operational needs, such rationale should be documented, approved and it must be ensured that the internal control systems are not compromised for the sake of expediency. Also it is recommended that controls should be embedded into the application in design stage and validated during every stage of the project before the application is deployed in the live environment.
3.1.3 Software Development Practices
Software development is a complex and important area for all organizations. Apart from having a structured approach, there is a need to adopt better practices to have a secure and well-designed software architecture. Some of the illustrative practices are mentioned below.
- Source code is a crucial intellectual property which not only satisfies the business needs but is also a repository of important organizational knowledge. The software library should have strong access, archival and modification controls and a monitoring mechanism.
- The project system landscape should consist of three separate environments for development, testing and production. Procedural controls should be implemented to ensure that these activities are performed in their respective environments only.
- Most web application software that is used for managing and providing sensitive information across the web becomes a target for improper or illegal penetration. Anti-social elements and hackers attempt to hack the system for personal gain. Secure coding testing verifies the protection mechanisms built into the software against such illegal hacking.
- In spite of having the best application software, implementation processes and project teams, there are reasons to roll back changes made to the application systems. Hence a contingency plan should be in place to deal with such situations effectively.
An illustrative system landscape is shown below:
3.1.4 Platform Vulnerabilities
Information systems are platform centric in nature. They may be dependent on a particular operating system, application software and development platform. These vulnerabilities may be on a higher side if the system in question is a legacy system developed by internal team or external vendor. The vulnerability may exist due to weakness of individual platform or development weakness. Also these platforms may become obsolete as vendor support for the platform might have expired or the usage of platform has reduced in the market. To overcome these weaknesses, platform vulnerabilities need to be identified and removed. Further, information systems using obsolete platforms should be identified and upgraded to current platforms.
[Diagram: System Landscape with separate Development, Quality and Production environments, used by Developers, Testers, Trainers and Users]
3.2 Reviews
An overview of application controls needs to cover:
- Application architecture
- Application functions
- Application security
- Application operations
Substantive review of application controls needs to cover:
- Detailed design of the application architecture
- Detailed functionality of the application
- Detailed security features of the application
Integrated review of application controls needs to cover:
- Operational and financial effectiveness review
- Ability of the application to meet functional, security, compliance and regulatory needs
Chapter 4: Identity and Access Management
4.1 Introduction
User identity and access management is considered to be one of the most basic requirements of any IT set-up. It essentially establishes the credentials of the users and the level and extent to which they are permitted to transact with the system. All organizations, irrespective of their size and criticality, need to have a proper mechanism to control the user identities that access organizational systems. Today, internal systems of organizations are also used and accessed by external users through various channels. Thus, user identity and access management is applicable to each and every IT asset and each and every type of user. Organizations differ from each other in terms of the volume, complexity, granularity, level of automation and technologies used for authentication.
Elements that need detailed consideration for effective identity and access management are:
- User request workflow management
- Identification and authentication mechanism of users
- Assignment of roles and privilege management
- Privilege and security requirements at individual asset level
- Mechanisms to enforce organizational policies at all granular levels
- Monitoring exceptions and tracking misuse
For a large sized organization with multiple assets and constant flux of various types of users, the underlying process complexity rises exponentially. Further, the stakes of the organization are very large and any critical misuse by any user, apart from operational losses, may result in financial or reputational impact.
4.1.1 User Access management
In the case of public users accessing organization systems such as internet / mobile banking and online transaction business models, and users or channel partners accessing organization resources through different channels, strong identity and access mechanisms need to be implemented.
Organizations need to differentiate between different sets of administration activities, which results in proper segregation of duties. A schematic view of the same is tabulated hereunder.
Different types of Administrator users:
- User Administrator
- Profile Authorization Administrator
- Data Authorization Administrator
Activities performed across these administrator types: maintaining user master records, assigning roles and profiles to the user, creating profiles, creating authorizations, changing authorization data and changing transaction selection.
Different organizations achieve different levels of automation in user access management processes, e.g. usage of smart card / biometric technologies, controls through two-factor or multi-factor authentication, integration of user identity management with Active Directory or an equivalent repository, and implementation of single sign-on technologies.
4.1.2 User Life Cycle Management
A schematic representation of how identity and access management process workflows are automated is given in the diagram on the next page.
A schematic view of mapping user access management processes is depicted below:
[Diagram: USER -> ROLE -> PROFILE -> AUTHORIZATION -> AUTHORIZATION OBJECT]
A detailed mapping of the business requirement is necessary to exercise granular level access controls.
4.2 Risks
In spite of the level of technology adoption and process automation, there do exist operational gaps and technical loopholes due to which organizations face system access related issues.
Some of the common deficiencies at operational level include:
- Improper management of the organization role repository
- Manual or inefficient way of tracking user management requests
- Lack of centralized visibility of the roles granted to the user across all resources
- Delays in suspension / termination / revocation of user access rights
- Diluting role-based access control mechanisms without establishing equivalent controls while granting permission
[Diagram: User Life Cycle Management. Requests for granting access to a resource from Business Partners, Employees and Third Parties on Joining, Transfer, Separation and Contract Expiry; a Master Repository of Users, a Role Repository and Authentication & Approval Rules drive Granting and Revoking Access and Timely Termination; a Repository of Asset-based access rules covers Data, Application, Infrastructure, Tools and Other resources]
4.3 Reviews
Overview of identity and user access management needs to cover:
- Identity access management policy and procedures
- User life cycle management processes
- Alignment of the identity and access management definitions with organizational requirements
- Adequacy of the controls built in
Substantive checks on user identity and access management need to cover:
- Role repository
- Rules defined to access organizational data
- Identity access management policy and procedures compliance
- Functional checks on identity and user access mechanism
- Logging and monitoring of user life cycle processes
- Verifying the user matrix to ascertain segregation of duties
Integrated checks on user identity and access management need to cover:
- Identity access architectural review
- Review of activities by users with root or administrative privileges
- Audit trails review
- System-level object privileges
- Integration of the user identity access management process with other organizational processes
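The substantive checks above (verifying the user matrix for segregation of duties, the role repository, and timely termination on separation or contract expiry) can be scripted against an export of the user and role repositories. The following is an added example, not part of the RSM publication; the role repository, conflict pairs and users are constructed sample data.

```python
"""Segregation-of-duties and user life cycle checks on a constructed user matrix.

Added example (not from the RSM publication). It checks a constructed
user/role matrix against conflicting-duty pairs, finds roles assigned to
users that are missing from the role repository, and flags enabled accounts
whose separation / contract expiry date has passed.
"""
from datetime import date

# Constructed role repository: role -> set of permissions it grants.
ROLE_REPOSITORY = {
    "AP_CLERK": {"vendor.create", "invoice.enter"},
    "AP_APPROVER": {"payment.approve"},
    "USER_ADMIN": {"user.create", "user.assign_role"},
    "PROFILE_ADMIN": {"profile.create"},
    "READ_ONLY": {"report.view"},
}

# Constructed policy: permission pairs a single person should never hold together
# (vendor creation + payment approval; user administration + profile creation).
SOD_CONFLICTS = [
    ("vendor.create", "payment.approve"),
    ("user.create", "profile.create"),
]

# Constructed master repository of users. end_date is the separation or
# contract expiry date; None means an open-ended employee.
USERS = [
    {"id": "u1", "type": "employee", "roles": ["AP_CLERK", "AP_APPROVER"],
     "end_date": None, "enabled": True},
    {"id": "u2", "type": "contractor", "roles": ["READ_ONLY"],
     "end_date": date(2024, 1, 31), "enabled": True},
    {"id": "u3", "type": "employee", "roles": ["USER_ADMIN", "LEGACY_OPS"],
     "end_date": None, "enabled": True},
    {"id": "u4", "type": "employee", "roles": ["USER_ADMIN", "PROFILE_ADMIN"],
     "end_date": None, "enabled": True},
    {"id": "u5", "type": "contractor", "roles": ["AP_CLERK"],
     "end_date": date(2024, 2, 15), "enabled": False},
]

REVIEW_DATE = date(2024, 3, 1)  # constructed "today" for the review run


def effective_permissions(user, repo=ROLE_REPOSITORY):
    """Centralized view of every permission a user holds across assigned roles."""
    perms = set()
    for role in user["roles"]:
        perms |= repo.get(role, set())
    return perms


def sod_violations(users, conflicts=SOD_CONFLICTS, repo=ROLE_REPOSITORY):
    """Users holding both sides of a conflicting permission pair."""
    found = []
    for user in users:
        perms = effective_permissions(user, repo)
        for left, right in conflicts:
            if left in perms and right in perms:
                found.append((user["id"], left, right))
    return found


def undefined_roles(users, repo=ROLE_REPOSITORY):
    """Roles assigned to users that do not exist in the role repository."""
    return sorted({r for u in users for r in u["roles"] if r not in repo})


def stale_access(users, today):
    """Enabled accounts whose end date (separation / contract expiry) has passed."""
    return [u["id"] for u in users
            if u["enabled"] and u["end_date"] is not None and u["end_date"] < today]


def review(users=USERS, today=REVIEW_DATE):
    """Run all three checks and return the findings for the review report."""
    return {
        "sod_violations": sod_violations(users),
        "undefined_roles": undefined_roles(users),
        "stale_access": stale_access(users, today),
    }


if __name__ == "__main__":
    for finding, items in review().items():
        print(f"{finding}: {items}")
```

A disabled account past its end date (u5) is not reported, since revocation already happened; only u2 is still enabled after its contract expiry.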
Chapter 5: Project Management - Transformation
5.1 Introduction
All companies, irrespective of the nature and size of their business, undergo major changes to their information systems architecture through project implementation. Every project has its own objectives, plans, roll-out methodologies, key success factors and specific deliverables. From the management's point of view, such projects need to be de-risked as the investments in terms of time and money are huge. Some ventures in ERP implementations, data centralization initiatives and IT infrastructure upgrades face risks of cost overruns. Individual project risks need to be identified, factored in and mitigated at every stage of the project at operating and transaction level.
Important IT projects are generally implemented to transform the business model. The process of business transformation is depicted in the diagram below:
[Diagram: Business transformation from Initial Status to Transformed Status through Business Process Reengineering, ERP Implementation, Data Migration and Change to Operational Framework]
Since the stakes of the business in an IT transformation project are very high, a good project control management system needs to be in place.
5.2 Project Management
5.2.1 Project management involves multiple sets of activities such as:
- Identifying phases, tasks, milestones and specific deliverables
- Resource allocation and resource optimization
- Effective schedule management
- Project monitoring and control activities
The use of Program Evaluation and Review Technique (PERT) or Critical Path Method (CPM) techniques helps the organisation in identifying and focusing on key processes and milestones, allocating adequate resources and thereby reducing overall project implementation time and cost without affecting effectiveness.
The execution cycle of a project goes through initiation, planning, implementation and closure processes. Good project control management needs to remain focused on cost control and on incorporating security and process controls at the right stages.
A schematic representation of the same is depicted in the diagram below:
[Diagram: Project Execution cycle of Initiate, Plan, Implement and Close, with Cost Controls, Security Controls and Functional Controls applied across the cycle]
5.2.2 Risks
Ineffective IT project management leads to various types of risks such as:
- Organizational goals not met by the systems deployed
- Underutilization of IT resources
- Lower return on investment in IT assets
- Cost over-runs
- Low reliance on the applications
- Maintenance of parallel records, dependence on manual checks and controls
- Responsibilities and accountabilities cannot be fixed for lapses and delays
- No link established between the project objectives and management objectives
- Inability to get complete visibility of the project progress
- No identified improvement opportunities
5.2.3 Reviews
An overview of project control needs to cover:
- Adequacy of project planning and monitoring process
- High level review of project control parameters
- Overall user and management satisfaction levels
Substantive checks on project management need to cover:
- Planned vs. actual progress of the program
- Proposed vs. actual deliverables at various stages
- Alerts on cost, security and functional controls
Integrated checks on project management need to cover:
- Changes to the organization IT posture pre and post implementation of the project
5.3 Business Process Re-engineering
5.3.1 Business Process Re-engineering is a pre-requisite for ensuring success of IT project implementation.
With the change in technology environment, the way the business operates also needs to change. However, certain old and counter-productive methods continue. This results in lower return on investment in IT assets and other resources. Business Process Re-engineering is a technique to rebuild organization processes around specific business objectives.
Some of the other factors which necessitate process re-engineering are as follows:
- Ineffective manual controls and unreliable systems
- Over dependence on people
- Long turnaround time of organizational processes
- Cost over-runs and wastage of resources
Major activities of any business process re-engineering involve:
- Identification of business objectives
- Evaluation of current business processes (As-is process)
- Preparing blueprint of future processes (To-be process)
- Devising process restructuring plan
- Implementation of process restructuring plan
5.3.2 Risks
Major causes of failure of business process reengineering projects are:
- Lack of clarity on user requirements, definition as well as documentation and communication
- Weak management commitment in terms of resources and direction
- Weak technical support during and post implementation
- Lesser involvement of all the departments of the organization at planning and implementation stage
5.3.3 Reviews
Overview of business process reengineering needs to cover:
- Adequacy of the coverage of Business Process Reengineering projects
- Checks on Business Process Reengineering implementation
Substantive checks in business process reengineering need to cover:
- Effectiveness, design and operational controls post Business Process Reengineering
- Training and acceptance levels of the reengineered business process
Integrated checks in business process reengineering need to cover:
- Meeting of business goals with revised processes
- Efficiency of the processes post Business Process Reengineering implementation
- Impact of Business Process Reengineering on overall organization IT posture
5.4 ERP implementation
5.4.1 ERP implementation is a very critical activity with high business and financial impact. Many ERP implementations get delayed and result in partial configuration or misconfiguration and do not completely fulfill the intended objective. This results in underutilization of the time, effort and money invested in ERP systems, and in some instances parallel systems are also maintained to present financial results / MIS to management.
It is required that management pays attention and addresses the requirements of implementation of ERP for effective and efficient use of IT and other resources involved. The activities in an implementation project would involve, amongst others:
- Defining business objectives expected
- Review of existing systems with 'Gap Analysis' and creation of new system blueprints
- Defining and configuring required features in the ERP system
- Master data sanitization
- Creating system prototype and building test environment
- User acceptance and training
- Migrating to production environment
- Post implementation review
ERP implementations should be done in a phase-wise manner for better manageability.
5.4.2 Risks
Major causes of failure of ERP implementation projects are:
- Lack of clarity on user requirements, definition as well as documentation and communication
- Weak management commitment in terms of resources and direction
- Weak technical support during and post implementation
- Lack of commitment from all the departments of the organization at planning and implementation stage
- Poor quality of master data and basic systems functionality configuration
- Too many customized features compromising the spirit of inbuilt checks and controls
- Cost constraints leading to a restricted number of user licenses
5.4.3 Reviews
Overview of ERP implementation needs to cover:
- ERP blueprint
- Design of system, functional and deployment architecture
- Organizational policies on ERP utilization
- Basic configuration and access controls
Substantive checks in ERP implementation need to cover:
- Functional processes and controls mapped to ERP
- Detailed review of system and deployment architecture
- Detailed review of ERP configuration and access control
Integrated checks in ERP implementation need to cover:
- Training and utilization effectiveness
- Impact of customization to the ERP system
- Overall impact of ERP implementation on the organizational environment
5.5 Data Migration
5.5.1 Adequate controls are required while migrating from one technology platform to another (say, from a manual system to an ERP system). These controls are needed at every stage, right from the planning stage to the 'go live' stage. One of the key milestones of any systems implementation is data migration, which involves building up the database of records to work on the new system.
The desired scenario is to put in place effective controls at the data migration stage to ensure correctness, completeness and reliability of the data migrated from the old system to the new system. Some of these include:
- Completeness checks at data collection level
- Correctness checks of data sanitization
- Authorization / data validation checks
- Integrity checks at data upload stage
- Data signoff post upload in the new system
Some of the pain areas that need to be addressed during data migration include:
- Incompatibility of data definitions and structures
- Validation and control differences across systems
- Determination of data volume and scope to be migrated
- Designing archival, retrieval and retention policies and procedures
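The completeness, correctness and integrity checks listed above are usually run as a reconciliation between the legacy extract and what actually landed in the new system before signoff. The following is an added example, not part of the RSM publication; the source and target records and the sanitization rules are constructed for illustration.

```python
"""Data migration reconciliation over constructed source/target records.

Added example (not from the RSM publication). Both sides are first passed
through the same sanitization rules, then checked for completeness (keys
present on both sides), correctness (field-level comparison) and integrity
(record count, balance control total and a hash total), and the result is
summarised as a signoff decision.
"""
import hashlib
from decimal import Decimal

# Constructed legacy extract (customer id, name, outstanding balance).
SOURCE = [
    {"id": "C001", "name": "Acme Ltd ", "balance": "1200.50"},
    {"id": "C002", "name": "beta corp", "balance": "300.00"},
    {"id": "C003", "name": "Gamma PLC", "balance": "-75.25"},
    {"id": "C004", "name": "Delta Inc", "balance": "0.00"},
]

# Constructed load in the new system: names were upper-cased by the loader,
# C003's balance has transposed digits, and C004 was never loaded.
TARGET = [
    {"id": "C001", "name": "ACME LTD", "balance": "1200.50"},
    {"id": "C002", "name": "BETA CORP", "balance": "300.00"},
    {"id": "C003", "name": "GAMMA PLC", "balance": "-75.52"},
]


def sanitize(rec):
    """Apply the agreed sanitization rules so both sides are comparable."""
    return {
        "id": rec["id"].strip(),
        "name": " ".join(rec["name"].split()).upper(),
        "balance": Decimal(rec["balance"]).quantize(Decimal("0.01")),
    }


def completeness(src, tgt):
    """Keys missing from the target or present in the target but not the source."""
    src_ids = {r["id"] for r in src}
    tgt_ids = {r["id"] for r in tgt}
    return {"missing_in_target": sorted(src_ids - tgt_ids),
            "unexpected_in_target": sorted(tgt_ids - src_ids)}


def correctness(src, tgt):
    """Field-level mismatches for records present on both sides."""
    tgt_by_id = {r["id"]: r for r in tgt}
    mismatches = []
    for rec in src:
        other = tgt_by_id.get(rec["id"])
        if other is None:
            continue  # reported by completeness(), not here
        for field in ("name", "balance"):
            if rec[field] != other[field]:
                mismatches.append((rec["id"], field, rec[field], other[field]))
    return mismatches


def control_totals(recs):
    """Record count, balance control total and an order-independent hash total."""
    canonical = "\n".join(f"{r['id']}|{r['name']}|{r['balance']}"
                          for r in sorted(recs, key=lambda r: r["id"]))
    return {"count": len(recs),
            "balance_total": sum(r["balance"] for r in recs),
            "hash_total": hashlib.sha256(canonical.encode()).hexdigest()}


def reconcile(source, target):
    """Run all checks and decide whether the migration is ready for signoff."""
    src = [sanitize(r) for r in source]
    tgt = [sanitize(r) for r in target]
    report = {
        "completeness": completeness(src, tgt),
        "correctness": correctness(src, tgt),
        "source_totals": control_totals(src),
        "target_totals": control_totals(tgt),
    }
    report["signoff_ready"] = (
        not report["completeness"]["missing_in_target"]
        and not report["completeness"]["unexpected_in_target"]
        and not report["correctness"]
        and report["source_totals"]["hash_total"] == report["target_totals"]["hash_total"]
    )
    return report


if __name__ == "__main__":
    for key, value in reconcile(SOURCE, TARGET).items():
        print(f"{key}: {value}")
```

A balance control total alone would not catch a load where two records' errors cancel out, which is why the hash total over the canonical rows is compared as well.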
5.5.2 Risks
Some of the risks of inefficient data migration activities are as under:
- Mismatch of data, incomplete data or incorrect data in the new system
- Revenue loss in the form of loss of receivables, delayed payments to vendors attracting penalty / interest charges, legal claims in case of data inaccuracies
- Prolonged implementation activities resulting in parallel run and duplication of efforts
5.5.3 Reviews
Overview of data migration activities needs to cover:
- Data migration plan, schedule, roles and responsibilities
- Data migration signoff process
Substantive checks over data migration activities need to cover:
- Completeness checks at data collection level
- Correctness checks of data sanity
- Authorization / data validation checks
Integrated checks in data migration activities need to cover:
- Effectiveness checks on migration activities
- Legal and compliance implications of data migration
Chapter 6: Operations Framework
6.1 Introduction
The IT operational framework is the backbone of IT processes. Internal controls for IT operations are aimed at efficient, effective and secure use of IT resources, so that the output generated through the systems is reliable. It is the prime responsibility of the management to define, document, approve and communicate the IT operational framework through policies, procedures, instructions and guidelines. Some of the areas of the IT operational framework, such as data center operations, data processing operations and incident / log management, are covered below.
6.2 Data Center
6.2.1 Introduction
The data center is the central place in any organization where its key IT resources are securely located. It helps in hosting as well as monitoring critical IT resources under one roof. Organizations with stringent data uptime requirements host their servers with certified data centers. Considering all standard data center requirements, including physical, environmental and infrastructure requirements and their effectiveness, professional data centers are classified as under.
Data Center Tiers:
- Tier 1: Non-redundant capacity components (single uplink and servers). Typically used by small businesses. Uptime: 99.671%
- Tier 2: Tier 1 + redundant capacity components. Typically used by medium sized businesses. Uptime: 99.749%
- Tier 3: Tier 2 + dual-powered equipment and multiple uplinks. Typically used by large businesses. Uptime: 99.982%
- Tier 4: Tier 3 + all components fully fault-tolerant, including uplinks and servers. Typically used by enterprises / corporations. Uptime: 99.995%
Data centers hosting servers for various companies in shared or dedicated mode certify themselves for ISO 27001, ITIL and SSAE 16 Type I / II, or TIA standards, so as to ensure security, delivery and quality of process and to improve customer trust. Advanced data centers are able to provide managed DR solutions.
Organizations that host their services with data centers need to be careful while choosing the services, configurations, service level agreements and non-disclosure agreements. In the case of super sensitive data, the responsibilities for protection and the corresponding liability sharing should be decided beforehand.
Key data center operations need to be governed by IS policy, procedure and guidelines which include:
- Secure access to data center and critical servers, network devices and other equipment
- Beginning of the day (BOD) and end of day (EOD) activities as part of overall internal control processes
- Backup and recovery activities along with testing
- CCTV recording and monitoring of activities
- Monitoring and ensuring uptime of servers, network connectivity and other equipment
- Electronic media management
- Environmental controls such as temperature, humidity, fire safety and uninterrupted power supply
Data centers need to follow stringent norms of building construction. Data centers should also have a tested evacuation and restoration plan to take care of various eventualities.
6.2.2 Physical Security of Data Center
Organizations need to attach high importance to physical security of the data center as significant information in various forms is processed at these locations.
Depending on the sensitivity / importance of operations performed, physical premises should be differently classified into zones and each zone must have appropriate level of access restrictions and access identification and authorization requirements. Surveillance cameras and access control mechanisms should be in place to control and monitor sensitive areas. Physical access must be appropriately restricted. Delivery and loading areas should be isolated from information processing facilities to avoid unauthorized access.
A data center has a large number of servers, network elements, system devices, and safety and security equipment. Further, a data center typically provides connectivity to the internal and external world. Physical security needs to be factored in while choosing the location, architecture and internal layout designs to take care of all eventualities and to prevent loss of human life and of the organization's information processing abilities.
There exist international standards and guidelines that provide sufficient input to build a secure data center.
Adequate and appropriate controls like prior intimation and authorization, issue of identity badges, entry register, escort by authorized personnel and surveillance are required to be implemented for controlling and monitoring visitors’ access to areas where information processing resources are located, e.g. operational areas and the data center.
6.2.3 Risks
Risks observed due to weak internal controls for physical access:
- Physical damage to the data center site due to natural calamities or man-made attacks
- Data center premises getting cut off from the rest of the organization
- Unauthorized access to information or assets, including cyber-attacks
- Breach of confidentiality of data by theft of devices
- Legal impacts arising out of mismanagement of historical data or archives
6.2.4 Reviews
A review of physical access control needs to cover:
- Adequacy of information security policy and procedures
- Adequacy and appropriateness of the mechanism to secure access to various areas by physical visit
- Management oversight over physical access controls
Substantive checks of physical access controls need to cover:
- Review of records and logs
- Adherence to operational procedures
- Adherence to environmental controls
Integrated checks of physical access controls need to cover:
- Effectiveness of control mechanism vis-à-vis business / functional requirements
- Industry benchmark comparison and compliance to organizational policies
6.3 Operational Controls
6.3.1 Business operations include the entire gamut of operational activities; a few illustrations are mentioned below.
- Call center operations handling customer data for query resolution
- Business operations handling activities such as billing, collection, purchase, etc.
- Transaction processing, such as batch uploads, cheque printing, image processing
- Day-to-day operations at service and sales outlets
- Backend processing by third parties
- Public place operations including ATM and kiosk operations, cash collection centers and so on
Organizations also need to have administrative functions at various layers, such as:
- Operating system
- Database
- Applications
- Various infrastructure layers
Any operational error in administration function has huge costs to the organization in terms of downtimes, reliability of systems, and loss of productivity. Incorrect configurations of business parameters can directly have business, revenue, reputation impact. Further, as administrators are often trusted resources, there exist possibilities of system misuse.
Day-to-day checks and balances, security procedures and periodic revalidations are necessary to ensure correctness, completeness of the data processing.
All normal IT operations and business operations constantly undergo changes as per organizational needs. In practice they face issues that disrupt operations for various reasons. A good organization is able to establish good incident management and log management systems.
6.3.2 Change Management
As all entities of the business constantly undergo change, effective change control management processes are critical to the process of IT assurance.
A change management control process needs to address the following:
- Planning and communication related to change management
- Approval tracking process
- Business impact analysis, including business security impact
- Appropriate testing and acceptance
- Implementation of the change to the production environment
- Handling of emergency changes and special processes
- Monitoring of the production environment for changes, and rollback controls
- Tracking changes to configuration items
- Retention requirements
The change management process needs to cover all assets and all layers so that every change is authentic and auditable. A schematic change management process cycle is depicted below.
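The two items "monitoring of the production environment for changes" and "tracking changes to configuration items" can be enforced mechanically by reconciling what is actually deployed against an approved baseline and the change records that should explain every difference. The following is an added example, not code from the RSM publication: the baseline format, the ChangeRecord ticket shape, the file names, ticket ids and file contents are all constructed for illustration.

```python
"""Added example (not from the RSM publication): reconcile production
configuration items against an approved baseline and the change records that
should explain every difference. Names, tickets and contents are constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List


def fingerprint(content: str) -> str:
    """SHA-256 of a configuration item's content; the baseline stores hashes only,
    so the baseline itself reveals nothing sensitive about the configuration."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ChangeRecord:
    """An approved change ticket: the CI it covers and the content hash it should
    produce once deployed. (Hypothetical ticket format for this example.)"""
    ticket: str
    ci_name: str
    expected_hash: str


def detect_drift(baseline: Dict[str, str], current: Dict[str, str],
                 approved: List[ChangeRecord]) -> Dict[str, List[str]]:
    """Compare the approved baseline (CI name -> hash) with the observed state.

    Every difference must be explained by an approved change record whose
    expected hash matches the new content. Anything else is unapproved drift:
    the baseline hash tells the operator what to roll back to, and the finding
    feeds incident management.
    """
    covered = {(r.ci_name, r.expected_hash) for r in approved}
    report: Dict[str, List[str]] = {"approved": [], "unapproved": [], "missing": [], "added": []}
    for name, old_hash in sorted(baseline.items()):
        if name not in current:
            report["missing"].append(name)          # CI deleted from production
        elif current[name] != old_hash:
            bucket = "approved" if (name, current[name]) in covered else "unapproved"
            report[bucket].append(name)
    for name in sorted(set(current) - set(baseline)):
        bucket = "approved" if (name, current[name]) in covered else "added"
        report[bucket].append(name)                 # CI that appeared without a baseline entry
    return report


def sample_report() -> Dict[str, List[str]]:
    """Run the check on constructed sample data: one approved change, one
    unapproved edit, one deleted CI and one CI that appeared without a record."""
    baseline = {
        "app.conf": fingerprint("debug=false\nmax_conn=100\n"),
        "sshd_config": fingerprint("PermitRootLogin no\n"),
        "db.ini": fingerprint("pool=20\n"),
    }
    current = {
        "app.conf": fingerprint("debug=false\nmax_conn=200\n"),      # ticket CHG-1042
        "sshd_config": fingerprint("PermitRootLogin yes\n"),         # nobody approved this
        "cron.d/cleanup": fingerprint("0 3 * * * /opt/app/cleanup.sh\n"),
    }
    approved = [ChangeRecord("CHG-1042", "app.conf",
                             fingerprint("debug=false\nmax_conn=200\n"))]
    return detect_drift(baseline, current, approved)


if __name__ == "__main__":
    for bucket, items in sample_report().items():
        print(f"{bucket:10s} {items}")
```

The baseline holds only hashes, so it can be stored and compared by a team that is not itself allowed to read production secrets; the "unapproved" and "added" buckets are the rollback candidates, and the "approved" bucket is the evidence that a ticket was actually deployed as tested.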
(Diagram: Change Management Process cycle, with four stages: Origin & Authorization, Testing & Validation, Deployment & Monitoring, and Traceability & Evidence)
6.3.3 Incident Management
A formal incident response capability across all operational units should be established to minimize damage from security incidents, to recover from them and to learn from them. It should include detection, initiation, evaluation, containment, eradication, recovery and closure of the incident, together with evidence collection and the preservation of admissible evidence where necessary.
6.3.4 Log Management
Log management is perhaps the most critical activity for verifying that systems are functional and controlled. Logs collected in a secure manner provide crucial evidential value, can be used to trace and detect system anomalies and frauds, and provide a rich source for troubleshooting activities.
Some illustrative events that should be captured by log management are as follows:
- Activity start and finish times
- User login and logout times, including success and failure indication
- System errors and exceptions
- Confirmation of the correct handling of data files and computer output
- Logical access attempts
- Creation and deletion of system level objects
- Transaction logs
Administrative logs need to be created, captured and forwarded in a way that does not allow system administrators to intervene in the system. Log collectors that gather the data through mirrored activity should not add performance overhead to the main system.
Logs from various devices and applications need to be normalized where aggregation and correlation are required. A well configured correlation engine builds the intelligence to detect various types of system exceptions, frauds and symptoms of cyber attacks at an early stage.
High-end organizations create a security operations center to monitor events in real time.
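The three ideas in this section (normalizing logs from different sources, keeping administrators from silently altering them, and correlating events) fit together in a small pipeline. The code below is an added example and not from the RSM publication or any particular log management product: the two log formats, the hostnames, users, addresses and the correlation threshold are all constructed for the example, and the hash chain stands in for whatever integrity mechanism a real collector uses.

```python
"""Added example (not from the RSM publication): normalize log lines from two
different sources into one event schema, hash-chain them so that later editing
or deletion is detectable, and run one correlation rule over the result.
All log lines below are constructed for the example."""
import hashlib
import json
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Two sources with different formats: an sshd-style text line and an
# application that writes JSON lines. Hostnames, users and addresses are invented.
RAW_LOGS = [
    "2024-03-01T09:00:01 host1 sshd: Failed password for alice from 10.0.0.7",
    "2024-03-01T09:00:04 host1 sshd: Failed password for alice from 10.0.0.7",
    "2024-03-01T09:00:07 host1 sshd: Failed password for alice from 10.0.0.7",
    "2024-03-01T09:00:09 host1 sshd: Accepted password for alice from 10.0.0.7",
    '{"ts": "2024-03-01T09:05:00", "app": "billing", "user": "bob", "event": "login_failed", "ip": "10.0.0.9"}',
    '{"ts": "2024-03-01T09:30:00", "app": "billing", "user": "bob", "event": "login_ok", "ip": "10.0.0.9"}',
]

SSHD_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

def normalize(line: str) -> Dict[str, str]:
    """Map one raw line from either source onto the common schema
    ts / source / user / ip / outcome so the correlation rule sees one shape."""
    m = SSHD_RE.match(line)
    if m:
        ts, host, verdict, user, ip = m.groups()
        return {"ts": ts, "source": f"sshd@{host}", "user": user, "ip": ip,
                "outcome": "success" if verdict == "Accepted" else "failure"}
    rec = json.loads(line)
    return {"ts": rec["ts"], "source": rec["app"], "user": rec["user"], "ip": rec["ip"],
            "outcome": "success" if rec["event"] == "login_ok" else "failure"}

def normalize_all(lines: List[str]) -> List[Dict[str, str]]:
    """Normalize and order by timestamp (ISO-8601 strings sort chronologically)."""
    return sorted((normalize(ln) for ln in lines), key=lambda e: e["ts"])

def _digest(prev: str, event: Dict[str, str]) -> str:
    body = json.dumps({k: v for k, v in event.items() if k not in ("prev", "hash")}, sort_keys=True)
    return hashlib.sha256((prev + body).encode("utf-8")).hexdigest()

def build_chain(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Give every event a hash over its content and the previous hash. The log
    collector does this on receipt, so an administrator who later edits or drops
    a record on the source system cannot make the stored chain verify."""
    prev, chained = "0" * 64, []
    for e in events:
        digest = _digest(prev, e)
        chained.append({**e, "prev": prev, "hash": digest})
        prev = digest
    return chained

def verify_chain(chained: List[Dict[str, str]]) -> bool:
    """Recompute every link; any edited, removed or reordered record breaks it."""
    prev = "0" * 64
    for rec in chained:
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec):
            return False
        prev = rec["hash"]
    return True

def correlate(events: List[Dict[str, str]], threshold: int = 3,
              window: timedelta = timedelta(seconds=60)) -> List[Dict[str, object]]:
    """Rule: at least `threshold` failures for one user/ip pair inside `window`,
    followed by a success, is flagged as a possible guessed credential."""
    failures: Dict[Tuple[str, str], List[datetime]] = {}
    alerts: List[Dict[str, object]] = []
    for e in events:
        key = (e["user"], e["ip"])
        t = datetime.fromisoformat(e["ts"])
        recent = [f for f in failures.get(key, []) if t - f <= window]
        if e["outcome"] == "failure":
            recent.append(t)
        elif len(recent) >= threshold:
            alerts.append({"user": e["user"], "ip": e["ip"], "failures": len(recent), "at": e["ts"]})
            recent = []
        failures[key] = recent
    return alerts

if __name__ == "__main__":
    chain = build_chain(normalize_all(RAW_LOGS))
    print("chain intact:", verify_chain(chain))
    for a in correlate(chain):
        print("ALERT", a)
```

On the sample data only alice's burst (three failures in eight seconds, then a success) raises an alert; bob's single failure half an hour before his login does not. Because the chain is built by the collector rather than on the originating host, the administrator of host1 cannot rewrite the sshd lines after the fact without the mismatch showing up in verify_chain.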
6.3.5 Periodic Review of Control Practices
Periodic review of the internal controls established is required to assess control design effectiveness and operating effectiveness. This enables management to assess the state of overall IT governance practices within the organization.
Such reviews are most valuable when:
- Carried out at regular intervals
- Comprehensive in nature
- Organizational practices are matched against industry best practices
- Performed by independent reviewers
6.3.6 Risks
Risks arising from weak operational controls are as follows:
- Disrupted operational activities due to delayed or unstructured response to security incidents
- Recurring breakdown of systems/applications due to poor maintenance
- Prolonged application development activities due to unplanned change management
- Non-availability of old data due to inadequate backup and restoration practices
- System misuse or fraudulent activities going unnoticed during the operational flow
6.3.7 Reviews
An overview of operational controls needs to cover:
- Adequacy of operational policies and procedures
- Definition of roles and responsibilities for operations as well as information security
- Checks and balances built into all aspects of IT operations management
Substantive checks of operational controls need to cover:
- Batch process controls
- System change management controls
- Incident management with root cause analysis
- Detailed review of the log management architecture
Integrated checks of operational controls need to cover:
- Effectiveness of the operational framework
- Fulfillment of compliance requirements related to operational controls
Chapter 7: Protecting Data Layer
7.1 Introduction
The traditional approach to information security is focused on the enterprise architecture, whereas a significant part of an enterprise's sensitive data is in unstructured formats. Protecting unstructured data is challenging, especially in light of the trend towards outsourcing and offshoring. The consequences of data leakage can include loss of competitive advantage, financial liability, litigation and violation of intellectual property regulations. International bodies and governments have passed stringent legislation that requires organizations to build reasonable practices to protect data assets.
Data classification is an essential prerequisite for a data protection strategy and its implementation. Good data classification is necessary not only from a technical and operational point of view, but also for optimizing system designs and controlling the organization's costs. A good data flow analysis of the documents gives insight into the data protection requirements.
Information resources are classified according to their level of sensitivity and criticality, taking into account business, legal, regulatory, contractual and internal requirements. For each classification level, a different set of handling procedures needs to be devised covering the processing, storage, transmission and destruction of data. It is also essential that data owners and data custodians are identified for all information.
Additional controls are necessary for roaming users operating through hand-held devices. In the light of fast changing and user friendly technologies, the risk of data exposure is high, and often the business needs to leverage the ease of data access. It is therefore challenging to establish an appropriate trade-off between the diverse objectives of the business. An improper exercise results in cost and project overruns without fulfilling the data protection objectives.
An illustration of the cost impact of unclassified and unmanaged data is shown below.
An open network with multiple open USB drives increases the overhead on the Data Leakage Protection (DLP) monitoring engine.
(Diagram: End points with open USB drives (malware threats, data copy threats) report to a DLP end-user monitoring server, which applies DLP rules from the DLP core engine. The more USB drives are left open, the higher the load on the server and the deployment cost.)
Stamping documents with digital rights is necessary to ensure that they are handled safely across the entire data flow. There is an increasing trend to protect data that has moved out of the organisation through information rights management technologies. This is essentially a model for borderless data protection requirements.
Data protection controls are extremely important for PCI DSS compliance (protection of credit card data), HIPAA compliance (protection of medical records) and compliance with privacy laws, as well as for protecting sensitive information such as a company's marketing and strategic plans, customer call data records, legal documents and creative work. Compliance with these laws enhances reputation and increases the level of customer trust.
7.2 Risks
Following are some of the risks involved in weak controls over data:
- Unauthorized access (confidentiality), usage and modification (integrity) of classified information
- Leakage of classified business information
- Breach of contractual obligations to ensure adequate protection of information and assets
- Violation of legal provisions to ensure the privacy of personal data
7.3 Reviews
An overview of data protection controls would need to cover:
- Adequacy of information security policy and procedures
- Information and assets classification methodology
- Information security awareness for end users
Substantive checks over data protection need to cover:
- Data flow analysis for selected classified data elements
- User-role-authentication management related to the data flow
- Rules for acceptable use of information processing assets
- Logical access and logging controls
- Data encryption and data leak prevention controls
Integrated checks over data protection need to cover:
- Compliance with legal / contractual obligations of data privacy and confidentiality
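This chapter argues that classification has to come first and that handling rules follow from the classification level; the PCI DSS reference makes payment card numbers the obvious data element to demonstrate with. The code below is an added example, not from the RSM publication and not any DLP product's rule language: the four-level scheme, the channel policy, the "Classification:" label convention and the sample documents are all constructed, and the well-known 4111 1111 1111 1111 test number is used so that no real card data appears.

```python
"""Added example (not from the RSM publication): classification-driven data
handling. A document's label sets a floor, content scanning (here: Luhn-valid
payment card numbers, the data PCI DSS is concerned with) can only raise it,
and the resulting level decides which channel may carry the document.
Policy, labels, channel names and documents are all constructed."""
import re
from typing import Dict, List

LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "RESTRICTED": 3}
# Highest classification each channel may carry (hypothetical policy).
CHANNEL_MAX = {"internal_share": "RESTRICTED", "email_internal": "CONFIDENTIAL",
               "usb": "INTERNAL", "email_external": "PUBLIC"}
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")        # 13-19 digits, optional separators
LABEL_RE = re.compile(r"^Classification:\s*(\w+)", re.IGNORECASE | re.MULTILINE)

def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; rejects most numbers that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid card number found in the text, digits only."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found

def classify(text: str) -> str:
    """Label sets the floor (unlabelled defaults to INTERNAL); content only raises it."""
    m = LABEL_RE.search(text)
    level = m.group(1).upper() if m and m.group(1).upper() in LEVELS else "INTERNAL"
    if find_pans(text):
        level = max(level, "RESTRICTED", key=LEVELS.__getitem__)
    return level

def mask(pan: str) -> str:
    """Show only the last four digits when a finding is logged or reported."""
    return "*" * (len(pan) - 4) + pan[-4:]

def check_transfer(text: str, channel: str) -> Dict[str, object]:
    """Decide whether the document may leave through `channel`; never put the
    full PAN into the decision record, because that record ends up in a log."""
    level = classify(text)
    allowed = LEVELS[level] <= LEVELS[CHANNEL_MAX[channel]]
    return {"classification": level, "channel": channel, "allowed": allowed,
            "pans": [mask(p) for p in find_pans(text)]}

# Constructed sample documents; 4111 1111 1111 1111 is a well-known test number.
DOCS = {
    "plan": "Classification: Internal\nQ3 marketing plan draft for regional launch.",
    "refund": "Refund request for card 4111 1111 1111 1111 expiring 12/26.",
    "invoice": "Invoice ref 4111111111111112 raised for contract services.",
    "press": "Classification: Public\nPress release: new branch opens on Monday.",
}

if __name__ == "__main__":
    for name, text in DOCS.items():
        for channel in CHANNEL_MAX:
            print(name, check_transfer(text, channel))
```

Two design points matter more than the regex: the label can never lower what the content scan finds (a document marked Public that contains a card number is still Restricted), and the decision record carries only a masked number, since the DLP event log is itself a place where card data must not accumulate. The Luhn check is what keeps the invoice reference above from being flagged; a scanner without it would generate the false positives that make operators switch DLP off.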
Chapter 8: Business Continuity Planning Framework
8.1 Introduction
Natural disasters and business disruptions beyond the control of the organization are necessarily part of the organization's risk profile and risk management strategy. Natural disasters and physical threats could also lead to unauthorized access to critical data, loss of critical data or unavailability of resources, which could hamper the business continuity of an organization and eventually lead to monetary loss.
Natural disasters and physical threats could damage systems beyond repair. Retrieving data from physically damaged equipment is a time consuming and expensive affair which also carries the risk of incomplete or inconsistent data being restored.
In the modern digitalized world, organizations also need to build cyber resilience. This includes hardening the digital infrastructure to be more resistant to attacks, penetration and disruption; improving the ability to defend against sophisticated and agile cyber threats; and recovering quickly from cyber incidents.
8.1.1 Defining the Level of Criticality
The linkage between BCP and DRP is often talked about, and there exists a perception that business continuity plans are associated only with disasters. It needs to be understood that a business continuity plan needs to exist for any disruption, whether momentary, temporary or long term. A local commotion, traffic disruption or one office unit getting cut off from the rest of the organization also needs to be taken into consideration while planning for business continuity. Normally, crisis levels for operations need to be defined and continuity plans tailored accordingly. Crisis levels need to be defined taking into consideration the financial, process, legal, contractual and people impact and its severity.
The level of criticality needs to be identified and analyzed at the level of individual assets as well as at the corporate level.
8.1.2 Disaster Recovery Site (DR)
Successful recovery of business operations and restoration to normalcy with minimum impact on resources in case of any planned or unplanned event is the only evidence that proves the effectiveness of business continuity management. For this, an appropriate disaster recovery policy and procedures need to be defined, documented, approved and communicated by management. Besides that, appropriate infrastructure has to be set up at the disaster recovery site to ensure that the recovery time objective (RTO) and recovery point objective (RPO) defined in the business continuity plan are met.
Considerations for setting up a disaster recovery plan include:
- Recovery objectives
- Nature of DR site desired
- Logistics of recovery
- Geographic considerations
- Design vs. opportunity cost
8.1.3 BCP / DR Cycle
A typical BCP/DR cycle covers the activities depicted in the following diagram.
(Diagram: Triggers* lead to invoking the BCP, assessing the level of crisis, and invoking the continuity programme as per that level. The cycle then runs through four phases: Transition (synchronization, alternate site operation, diversion, communication, backend checks); Restoration (system recoveries, network recoveries, synchronization, communication); Assessment (financial impact, litigation impact, system/process impact, people impact); and Learning (corrective actions, program improvements, skill improvements, refined program). * Triggers mainly include system cut-off, performance degradation, link going down, operational failure and disaster.)
Triggers may include any abnormal activity such as system cut-off, performance degradation, operational failure or disaster.
Sometimes it is not possible to replicate all business functions to the DR site. Hence a scaled down version of critical activities at the alternate site can be considered.
8.1.4 Test Plan Coverage
Testing of the BCP is sometimes considered an operational overhead, and organizations find it difficult to schedule. A good BCP has multiple objectives, and the frequency of testing each objective could vary so as to give total assurance that the plan is working and current. This also reduces downtime of the environment and helps better planning.
8.1.5 Formal announcement of disaster
It is required that the organization formally announces the fact of the disaster and the working state of operations from the disaster recovery site. Similarly, restoration of the primary site and resumption of operations from it also need to be formally communicated to all stakeholders.
8.1.6 Contingency and security breach
Organizations need to exercise the utmost precaution that no security breach occurs during or after the contingency plan is invoked. This is because organizations quite often cannot create the same set of security measures as those configured at the original site.
8.2 Risks
Risks due to inadequate BCP:
- Loss of human life, assets or information
- Disruption / discontinuance of business operations
- Financial losses due to loss of assets and/or business
- Loss of reputation / credibility
- Non-compliance with time-bound regulatory requirements
8.3 Reviews
An overview of the business continuity plan needs to cover:
- Adequacy of business continuity and disaster recovery plans and procedures
- Methodology for business impact analysis and risk assessment
- Adequacy of data backup, off-site storage and periodic data restoration
- Awareness of the disaster recovery plan and contingency arrangements
Substantive checks of the business continuity plan need to cover:
- Testing of backup, off-site data storage and periodic data restoration activities
- Effectiveness drills on evacuation and disaster recovery
- Availability of data and other resources at the disaster recovery site
- Review of actual work done at the disaster recovery site
- Validation of business impact analysis, recovery time and recovery point objectives
- Emergency handling procedures
Integrated checks of the business continuity plan need to cover:
- Analysis of interdependencies between systems and the impact on the eco-system
- Validation of legal, financial and other implications
- Effectiveness of the business continuity plan vis-à-vis business requirements
- Compliance with legal / contractual obligations of data confidentiality and availability
Chapter 9: Human Interface to IT Systems
9.1 Introduction
The human interface is considered both a strong and a weak link in the chain of information system management. Participation of employees must be increased through repeated programs to ensure that they are aware of end user responsibilities towards the organization, such as:
- Taking all reasonable precautions to protect information systems against unauthorized access, use, disclosure, modification, duplication or destruction
- Using information systems only as appropriate to their job responsibilities
- Using information systems in a manner which ensures compliance with laws and internal policies and procedures
- Reporting security problems or issues through appropriate channels
- Following systems and procedures effectively
9.1.1 User Awareness
Organizations need to motivate employees adequately to participate in IT implementation, risk management, incident response, disaster management and whistle-blowing programs to safeguard IT investments.
With increasing outsourcing and hosting activity, third parties such as channel partners, data entry operators, vendors, customers, auditors, regulators, connected entities, payment gateways and various intermediate agencies participate in IT operations. Physically, courier agencies carry backup tapes, ATM and financial PINs, statements and confidential customer data. Apart from conventional third party non-disclosure agreements, it is necessary to formalize liability in case of a data security breach or other failure.
Training of users is a major factor in the success of IT system deployment. An effective training program enhances system utilization, reduces operational errors and helps in early detection of system anomalies.
IT security policy and procedures should categorically include the consequences of violating information security controls, which would include penalty / punitive action depending upon the context and severity of the breach, and may include, but is not limited to:
- Warning / caution
- Suspension
- Termination
- Legal proceedings
- Financial compensation for losses
9.2 Risks
The following factors make it important to pay due attention to the human interface while addressing IT systems assurance:
- Lack of user awareness on management of information systems
- Significant risk of insider computer fraud
- Collusion between external parties (vendors) and internal parties (employees) for fraud or information leakage
- Absence of adequate measures to ensure employee screening before assigning key responsibilities
- Lack of maker-checker control and segregation of duties
- Manipulation and alteration of evidence or logs
- Employees or users not rotating their responsibilities, thus creating excessive people dependencies
- Trusted users misusing system resources, which is one of the major reasons why organizations sometimes face significant financial or reputation losses
9.3 Reviews
An overview of the human interface includes review of:
- Non-disclosure and confidentiality agreements with vendors and third parties
- Awareness and training process
Substantive checks of the human interface include review of:
- Employee screening process
- Role definitions and profiling requirements
- Segregation of duties and structural checks / balances
Integrated checks of the human interface include review of:
- Training effectiveness
- Safeguards from suspicious activities
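Two of the risks listed in this chapter, missing segregation of duties and missing maker-checker control, are the ones a reviewer can test mechanically from the role assignments and transaction records rather than by interview. The following is an added example and not from the RSM publication or any identity product: the role model, the "toxic" privilege pairs, the users and the transactions are all constructed for illustration, and a real review would expand direct grants and nested roles the same way before checking.

```python
"""Added example (not from the RSM publication): mechanical checks for two of
the human-interface risks listed above, segregation of duties and maker-checker
control. Roles, privileges, users and transactions are constructed."""
from typing import Dict, List, Set, Tuple

# Hypothetical role model: which privileges each role grants.
ROLE_PRIVS: Dict[str, Set[str]] = {
    "vendor_master_maintainer": {"vendor.create", "vendor.edit"},
    "payment_initiator": {"payment.create"},
    "payment_approver": {"payment.approve"},
    "sysadmin": {"os.admin"},
    "log_reviewer": {"log.read"},
    "log_admin": {"log.delete"},
}

# Privilege pairs that one person must never hold together, with the reason.
TOXIC_PAIRS: List[Tuple[str, str, str]] = [
    ("vendor.create", "payment.approve", "can create a payee and approve paying it"),
    ("payment.create", "payment.approve", "maker and checker collapse into one person"),
    ("os.admin", "log.delete", "administrator could erase their own audit trail"),
]

def effective_privs(roles: List[str]) -> Set[str]:
    """Union of the privileges granted by all of a user's roles."""
    return set().union(*(ROLE_PRIVS.get(r, set()) for r in roles))

def sod_violations(assignments: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Users holding a toxic combination, with the reason for each finding."""
    findings: Dict[str, List[str]] = {}
    for user, roles in assignments.items():
        privs = effective_privs(roles)
        for a, b, why in TOXIC_PAIRS:
            if a in privs and b in privs:
                findings.setdefault(user, []).append(f"{a} + {b}: {why}")
    return findings

def maker_checker_breaches(transactions: List[Dict[str, str]],
                           assignments: Dict[str, List[str]]) -> List[str]:
    """Transactions approved by their own maker, or by someone without the
    approval privilege; either way the four-eyes control did not operate."""
    breaches = []
    for t in transactions:
        checker_privs = effective_privs(assignments.get(t["checker"], []))
        if t["maker"] == t["checker"] or "payment.approve" not in checker_privs:
            breaches.append(t["id"])
    return breaches

# Constructed sample data.
ASSIGNMENTS = {
    "alice": ["payment_initiator", "payment_approver"],
    "bob": ["sysadmin", "log_admin"],
    "carol": ["vendor_master_maintainer"],
    "dave": ["payment_approver"],
    "erin": ["payment_initiator", "log_reviewer"],
}
TRANSACTIONS = [
    {"id": "T1", "maker": "erin", "checker": "dave"},    # proper four-eyes
    {"id": "T2", "maker": "alice", "checker": "alice"},  # self-approved
    {"id": "T3", "maker": "erin", "checker": "carol"},   # checker cannot approve
]

if __name__ == "__main__":
    print(sod_violations(ASSIGNMENTS))
    print(maker_checker_breaches(TRANSACTIONS, ASSIGNMENTS))
```

The first check is preventive (run it before a role is granted, and periodically over the whole user population); the second is detective, run over the transaction log, and it also catches the case where the approval was recorded under an account that never had the right to approve, which the role review alone would not show.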
Chapter 10: Compliance and Regulatory Framework
10.1 Introduction
Information technology systems have a very high and long term impact on the internal controls of the organization as well as on external customer services. Therefore, regulators and governing bodies across nations have created various frameworks, mandatory standards and suggested guidelines to ensure proper IT governance. Apart from these, industries, consortiums and voluntary groups have contributed to the evolution of best practices and technical standards in diverse areas of IT management. Some of these are illustrated below:
10.2 ISO/IEC 27001:2005 Standard
This standard provides a model for establishing, implementing, operating, monitoring, maintaining and improving an Information Security Management System (ISMS). The standard adopts the “Plan – Do – Check – Act” (PDCA) model, which is applied to structure all ISMS processes. Compliance with the standard leads to certification by accredited agencies, which helps enhance customer confidence, meet contractual requirements, and assure stakeholders about the confidentiality, integrity and availability of information.
Alignment of an organization's information security management system with internationally recognized practices facilitates:
- Systematic efforts to improve internal controls and operational efficiency
- Assurance to clients / customers and other stakeholders on standard practices to ensure the confidentiality, integrity and availability of their data
10.3 BS 25999 / ISO 22301 Standard
This standard provides a comprehensive methodology for developing and implementing business continuity within organizations. Adopting these standard practices improves the resilience of the organization when faced with a crisis situation. Major activities for adopting this standard include:
- Business impact analysis
- Identification of critical activities
- Determining continuity requirements
- Evaluating threats to critical activities
- Devising risk responses to reduce the likelihood and impact of incidents
- Devising a strategy to facilitate continuity or recovery of critical activities
Organizations of all types can adopt the standard practices advocated by an internationally recognized standards body, which helps in:
- Adopting structured and organized measures to minimize the impact of business disruption
- Assurance to clients / customers and other stakeholders on availability of services in case of disaster
- Improved compliance with regulatory requirements and management policies
- Recognition by the standards body through certification
- Improved image of the organization
In May 2012, ISO released the ISO 22301 standard, which specifies requirements for setting up and managing an effective Business Continuity Management System (BCMS).
10.4 PCI DSS
PCI DSS stands for Payment Card Industry Data Security Standard. In the modern digitized world, a significant volume of financial transactions takes place through credit / debit cards and equivalent instruments. Such payments are real time, global and processed through multiple channels. This involves huge monetary transactions globally, involving customers, financial institutions and payment processors who are always concerned about the veracity of the transactions. Various security measures were deployed in the past to ensure the integrity and confidentiality of transactions. In order to bring uniformity and trust to these systems, American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International established the universal PCI DSS standard. This standard is applicable to all industries, banks, merchants and processors that capture, store, process or transmit payment card data in any format. PCI DSS is one of the most comprehensive standards to comply with, as it handles process and technology requirements simultaneously. A single area of non-compliance attracts heavy penalties.
10.5 ITIL – V3 Framework
ITIL is a public framework that describes best practice in IT service management, applicable to all service organizations. It provides a framework for the governance of IT, and focuses on the continual measurement and improvement of the quality of IT service delivered, from both a business and a customer perspective. This focus is a major factor in ITIL's worldwide success and has contributed to its prolific usage and to the key benefits obtained by those organizations deploying the techniques and processes throughout their organizations.
10.6 CIS Benchmarks
The Center for Internet Security (CIS) is focused on enhancing the cyber security readiness and response of public and private sector entities. CIS Security Benchmarks improve an organization's security posture by helping it reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls. CIS provides enterprises with consensus best practice standards for security configurations, as well as resources for measuring information security status and for making informed decisions about security investments. CIS has a comprehensive list of benchmarks for different operating systems, databases, browsers and virtual platforms.
10.7 OCTAVE Methodology
The Computer Emergency Response Team (CERT) has introduced the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method. OCTAVE is an approach for managing information security risks. It has been designed to be sufficiently flexible to accommodate the unique needs of the organization. Organizations should create teams of business and IT staff tailored to the organization's unique risk environment, security and resiliency objectives and risk based assessment.
10.8 Data Privacy Requirements from Legal and Compliance Perspective
Stringent penal actions introduced through amendments to various sections of the Information Technology Act, 2000 have attracted the attention of organizations operating in India towards protecting the personal information of customers, vendors, business partners, employees and third parties. Stringent data privacy laws with penalties exist across the globe. Privacy of personal information has to be ensured at the time of collection, processing (use, transfer, disclosure and disposal) as well as storage. The organization has to devise a comprehensive privacy policy and framework to address the data privacy requirements.
All organizations, including intermediary service providers, are now legally compelled to protect sensitive customer information. Negligence in implementing and maintaining reasonable security practices can lead to litigation and impact the organization's reputation. The reasonable measures need to include:
- Measures to prevent unauthorized access to and use of personal information of customers or third parties
- Measures to prevent incidents of data theft, identity theft, credit card fraud, bogus insurance claims, mortgage fraud, etc.
- Measures covering the entire life cycle of data collected, processed, stored, transmitted or disposed of by the organization
Adopting the ISO 27001 standard is one of the ways organizations can claim to have followed reasonable security practices.
10.9 Laws Related to Intellectual Property
Following are the key regulations governing intellectual property rights in India:
- Copyright Act, 1957
- Trade Marks Act, 1958
- Patents Act, 1970
Besides these, there are other acts, such as the Geographical Indications of Goods (Registration and Protection) Act, 1999 and the Designs Act, 2000, which protect the unique properties of a product or a work with distinct features.
The Copyright Act protects computer software, which may be of ‘Freeware’, ‘Shareware’ or paid ‘Licensed’ nature. A license may be time-based, user-based or feature-based. A software license prohibits modification, adaptation, translation, decompiling, reverse engineering, disassembling, etc. of the respective software, and any violation attracts penal action.
Chapter 11: Impact of Contemporary Trends
Information Technology and Information Technology Enabled Services (ITES) are constantly shaping industries. Therefore, even the best IT assurance program cannot be static. In fact, the IT assurance program has more challenges to meet, as a change in the IT environment may cut through several dimensions of the organization. Changes due to contemporary trends need to be accepted in a structured and controlled manner to make a long term success of them. Some of these trends are discussed for illustration.
11.1 Virtualization
Virtualization refers to the creation of a virtual instance of hardware, an operating system, a storage device, network resources or software. It is not limited to servers or critical resources but can be extended to individual assets using VDI (Virtual Desktop Infrastructure). Virtualization benefits the organization by helping in consolidation, flexible architectures, increased resource utilization and a more efficient disaster recovery mechanism. Virtualization is also the initial step for organizations moving towards cloud computing. But security, performance and reliability considerations are seen as major deterrents to adoption of the technology. Organizations can overcome these deterrents by adopting good management practices in deployment, laying down security controls and addressing virtualization related techniques (e.g. VM management) in accordance with the changed scenario.
11.2 Cloud Computing
Cloud computing has emerged as a strong trend impacting the way IT serves the business. It offers software, platform and infrastructure as a service (SaaS, PaaS and IaaS). This has increased scalability, adoption of newer technologies and the available options, in addition to the reduced costs and shorter change-over periods it offers. However, this also comes with the risk of reduced control, security and reliability due to increased vendor dependence. These concerns need to be addressed by creating a long term strategy and realistic goals mapped to the system designs. Security concerns, autonomy issues and performance standards should be addressed at the design level itself.
11.3 Mobile Computing
The dependence of modern life on mobile computing is evident from the increasing use of netbooks, tablets and smartphones. The varied types of devices have resulted in changes to the UI (user interface), the operating systems and the applications used. Mobile computing has given rise to the BYOD (bring your own device) concept. It is a concept which helps organizations save costs, helps in faster adoption of technologies and achieves greater employee satisfaction. However, organizations also lose control over the way these devices are used, resulting in security issues. Organizations can overcome these issues by defining clear policies, laying down minimum security requirements, mandating the use of organization sanctioned security tools and having a process to retrieve organizational data from personal devices.
11.4 Social Media
Social media has evolved as the modern way to communicate with diverse sets of interested groups. These technologies have changed the way we network, collaborate, publish and receive feedback. Direct revenue growth through social media may be a challenge, but it helps a lot in customer care, product development and brand building. These benefits come along with risks like brand hijacking, data leakage, security, intellectual property and legal risks. Disgruntled employees and customers try to defame the organization through social media. These risks can be overcome with strong policies, processes, training and tools that trace the origins of messages.
11.5 IT Outsourcing
Globalization and economic trends have led organizations towards a changed strategy of IT outsourcing. This benefits the organization in focusing on core business activities and re-strategizing while reducing costs and working more efficiently. However, this comes with attached risks related to security, privacy, continuity and performance. Organizations need to mitigate these risks by clearly defining security controls, performance benchmarks and the vendor's exit responsibilities. Organizations also need to closely monitor the vendor's performance and have it validated by independent sources, as the strategies and controls differ for an outsourcing framework.
11.6 Green IT
In a world of shrinking resources, organizations are looking for alternative sources for cost efficient and effective working methods. Green IT is one such approach, which involves the manufacture, management, use and disposal of information technology resources in a way that minimizes damage to the environment. Some of the initiatives include:
- Purchasing and using energy efficient desktops, servers and other IT equipment
- Setting up energy efficient data centers with better Power Usage Effectiveness (PUE) ratings
- Virtualization of resources to reduce overall resource requirements
- Recycling of IT equipment
- Minimizing the use of toxic materials like lead and mercury in the manufacturing process
Section IV: Creating Excellence in IT Systems Assurance

1.1 Introduction

The role of IT as an enabler of the business is well understood, and innovation in products and adoption of new technologies are normally appreciated. In spite of this, a disconnect often exists between management's vision and the realities on the ground. IT systems should be leveraged so that they meet, and ideally exceed, the expectations set by that vision.

There is a continuous thrust on creating excellence through IT systems. Though this is a vast area, some illustrations are given below.

1.2 Measuring IT Effectiveness

Organizations need comprehensive, quantitative measurements that give a 360-degree view of IT, with the intention of controlling the cost of assignments. Quantitative dashboards should be built on statistics, graphs, trends and deviation controls, such as:
• Average time taken to deploy software changes
• Effectiveness of security filters at different layers of the systems architecture (for example, the share of attacks stopped at the perimeter, at the application layer and on the host)
• Utilization of assets, measured against various parameters
• Reduction in aggregate quantified risk
• Downtime of the IT system against total scheduled uptime for the month (availability)
• Time taken for recovery after an incident
• Number of incidents in a month, analyzed on multiple parameters (severity, system affected, root cause)

This is an exercise to identify, measure and track the progress of IT in a way suited to the client environment. Large organizations with high-end ecosystems have more complex and interlinked parameters; these need to be projected across units such as geographical locations, systems and subsystems, and assets, and will be required at both detailed and aggregate levels.
It is possible to create quantitative models of IT health status monitoring suited to the organization's environment. Such models require a substantial first-time effort, but they bring objectivity to the complex topic of the IT environment, are more easily understood at various levels, create a common vocabulary and help the organization track its progress.
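As an added worked example (not code from the publication), the following Python script computes several of the dashboard measures listed above from one month of incident and change records. The record layout, the field names and the sample incidents and changes are constructed for the illustration. The point a practitioner should notice is the merging of overlapping incident windows: two tickets raised for one outage, or a cascade of failures, would otherwise be counted twice and understate availability.

```python
"""Quantitative IT health dashboard computed from incident and change records.

Added illustration, not code from the RSM publication. The record layout,
field names and the sample incidents and changes are constructed for the
example; a real dashboard would read them from the ticketing and change
management systems.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data: outage incidents for one month (ISO timestamps).
INCIDENTS = [
    {"id": "INC-1", "system": "ERP", "severity": "P1",
     "start": "2012-03-03T09:00", "restored": "2012-03-03T11:30"},
    {"id": "INC-2", "system": "ERP", "severity": "P2",          # overlaps INC-1
     "start": "2012-03-03T10:00", "restored": "2012-03-03T12:00"},
    {"id": "INC-3", "system": "Email", "severity": "P3",
     "start": "2012-03-15T22:00", "restored": "2012-03-16T01:00"},
    {"id": "INC-4", "system": "ERP", "severity": "P2",
     "start": "2012-03-28T14:00", "restored": "2012-03-28T14:45"},
]

# Constructed change records: approval time to production deployment.
CHANGES = [
    {"id": "CHG-1", "approved": "2012-03-01T10:00", "deployed": "2012-03-02T10:00"},
    {"id": "CHG-2", "approved": "2012-03-10T09:00", "deployed": "2012-03-14T09:00"},
    {"id": "CHG-3", "approved": "2012-03-20T08:00", "deployed": "2012-03-20T20:00"},
]


def _dt(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


def merged_outage_minutes(incidents):
    """Minutes during which at least one incident was open.

    Overlapping incidents (two tickets for one outage, or a cascade of
    failures) are merged first, so downtime is not double-counted.
    """
    windows = sorted((_dt(i["start"]), _dt(i["restored"])) for i in incidents)
    total = timedelta()
    cur_start = cur_end = None
    for start, end in windows:
        if cur_end is not None and start <= cur_end:
            cur_end = max(cur_end, end)          # extend the current window
        else:
            if cur_end is not None:
                total += cur_end - cur_start
            cur_start, cur_end = start, end      # open a new window
    if cur_end is not None:
        total += cur_end - cur_start
    return total.total_seconds() / 60


def availability_pct(incidents, period_start, period_end):
    """Availability = 1 - downtime / scheduled uptime, in percent."""
    period = (_dt(period_end) - _dt(period_start)).total_seconds() / 60
    return round(100 * (1 - merged_outage_minutes(incidents) / period), 3)


def mttr_minutes(incidents):
    """Mean time to recovery per ticket (tickets are not merged here)."""
    mins = [(_dt(i["restored"]) - _dt(i["start"])).total_seconds() / 60 for i in incidents]
    return sum(mins) / len(mins)


def mean_deploy_hours(changes):
    """Average time from change approval to deployment."""
    hrs = [(_dt(c["deployed"]) - _dt(c["approved"])).total_seconds() / 3600 for c in changes]
    return sum(hrs) / len(hrs)


def dashboard(incidents, changes, period_start, period_end):
    return {
        "availability_pct": availability_pct(incidents, period_start, period_end),
        "downtime_minutes": merged_outage_minutes(incidents),
        "mttr_minutes": mttr_minutes(incidents),
        "incidents_by_severity": dict(Counter(i["severity"] for i in incidents)),
        "incidents_by_system": dict(Counter(i["system"] for i in incidents)),
        "mean_deploy_hours": mean_deploy_hours(changes),
    }


if __name__ == "__main__":
    for key, value in dashboard(INCIDENTS, CHANGES, "2012-03-01T00:00", "2012-04-01T00:00").items():
        print(f"{key:24s} {value}")
```

Run as a script it prints the dashboard for March 2012. Downtime is computed on merged windows while MTTR is deliberately computed per ticket; the two answer different questions (how often were we down, versus how quickly does each incident get restored), and reporting both on the same dashboard keeps either figure from hiding the other.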
1.3 Measuring IT Maturity

Apart from individual dashboards, organizations want an overall assessment of IT maturity. Maturity can be measured objectively by aggregating the maturity status of the individual control points. This is an elaborate exercise, but if repeated on an annual basis it gives a top-level view of the areas that need attention and tracks progress objectively.

An illustration based on a generally accepted IT governance framework such as CoBiT can be applied; the result could look like the diagram below, which scores each of CoBiT's seven information criteria.

[Figure: CoBiT Maturity, an alternate view. Chart of maturity scores for the seven CoBiT information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance and Reliability. The scores plotted range from 54 to 70.]

1.4 Adhering to Multiple Compliance Frameworks

Every organization today has to comply with various regulatory requirements, as explained at several places in this document. Further, different units of the organization need to comply with specific standards such as SOX, PCI DSS, ISO 27001, BS 25999 and SSAE 16, with quality frameworks, capability maturity models and Six Sigma or lean methodology, and with statutory requirements set by the RBI, TRAI and other industry bodies. Companies are subjected to frequent audits against each of these.

Handled in a suboptimal manner, this creates major processing overhead for the organization: documentation becomes non-standard, record keeping duplicates effort, audits overlap, and compliance becomes tedious to maintain and is seen as an operational burden.

Organizations need a common compliance denominator, a single set of controls and evidence mapped to every framework that applies, with sufficient operational flexibility built into the process.
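As an added example serving both 1.3 and 1.4 (not code from the publication), the Python below keeps a single library of control points, each assessed once on a 0 to 5 maturity scale and mapped to the CoBiT information criteria it supports and to the external framework clauses it evidences. Aggregating that one assessment yields a per-criterion score of the kind plotted in the maturity figure above and, from the same data, a per-framework score and an evidence index for each audit. The controls, their maturity levels, the clause references and the 0 to 5 scale are constructed assumptions for the illustration.

```python
"""Maturity aggregation over a common control library.

Added illustration, not code from the RSM publication. The control points,
maturity levels, criteria and framework clause mappings below are constructed
assumptions; a real library would carry the organization's own controls and
the clause references taken from the framework texts.
"""
from collections import defaultdict

MAX_LEVEL = 5  # assumed 0 (non-existent) to 5 (optimized) maturity scale

CRITERIA = ["Effectiveness", "Efficiency", "Confidentiality", "Integrity",
            "Availability", "Compliance", "Reliability"]

# Each control point is assessed once and mapped to the information criteria
# it supports and to the external framework clauses it evidences.
CONTROLS = [
    {"id": "AC-01", "name": "Quarterly user access review", "maturity": 4,
     "criteria": ["Confidentiality", "Compliance"],
     "frameworks": {"ISO27001": "A.9.2.5", "SOX": "ITGC-Access", "PCIDSS": "7.1"}},
    {"id": "CM-01", "name": "Change approval before deployment", "maturity": 3,
     "criteria": ["Integrity", "Reliability", "Compliance"],
     "frameworks": {"ISO27001": "A.12.1.2", "SOX": "ITGC-Change", "PCIDSS": "6.4"}},
    {"id": "BC-01", "name": "Annual DR drill with recovery time measured", "maturity": 2,
     "criteria": ["Availability", "Effectiveness"],
     "frameworks": {"ISO27001": "A.17.1.3", "BS25999": "exercising"}},
    {"id": "LG-01", "name": "Central log review", "maturity": 1,
     "criteria": ["Confidentiality", "Integrity", "Availability"],
     "frameworks": {"ISO27001": "A.12.4.1", "PCIDSS": "10.6"}},
    {"id": "CAP-01", "name": "Capacity monitoring", "maturity": 3,
     "criteria": ["Efficiency", "Availability"],
     "frameworks": {"ISO27001": "A.12.1.3"}},
]


def _pct(levels):
    """Mean maturity as a percentage of MAX_LEVEL; None when nothing is mapped."""
    if not levels:
        return None
    return round(100 * sum(levels) / (len(levels) * MAX_LEVEL), 1)


def maturity_by_criterion(controls):
    """Score per CoBiT information criterion (the values a maturity chart plots)."""
    levels = defaultdict(list)
    for c in controls:
        for crit in c["criteria"]:
            levels[crit].append(c["maturity"])
    # Unmapped criteria are reported as None so gaps stay visible.
    return {crit: _pct(levels.get(crit, [])) for crit in CRITERIA}


def maturity_by_framework(controls):
    """The same assessment rolled up per external framework."""
    levels = defaultdict(list)
    for c in controls:
        for fw in c["frameworks"]:
            levels[fw].append(c["maturity"])
    return {fw: _pct(lv) for fw, lv in sorted(levels.items())}


def controls_below_target(controls, target=3):
    """Control points that need attention before the next annual cycle."""
    return [c["id"] for c in controls if c["maturity"] < target]


def evidence_index(controls, framework):
    """Clause -> control id: one piece of evidence reused across audits."""
    return {c["frameworks"][framework]: c["id"]
            for c in controls if framework in c["frameworks"]}


if __name__ == "__main__":
    print("By criterion:", maturity_by_criterion(CONTROLS))
    print("By framework:", maturity_by_framework(CONTROLS))
    print("Below target:", controls_below_target(CONTROLS))
    print("PCI DSS evidence:", evidence_index(CONTROLS, "PCIDSS"))
```

A criterion with no mapped control is reported as None rather than as 0 or 100, so that a gap in the control library is visible instead of being averaged away; the same holds for a framework that no control evidences, which is the first thing an auditor for that framework will ask about.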
1.5 Building Excellence in Operating Procedures

Good standard operating procedures are a core requirement of every compliance regime. A good standard operating procedure is practical, simple and close to the operating environment. A single procedural document should stand the test of adequacy from multiple perspectives, including governance, operations and compliance. Such procedures provide a sound basis for the organization's performance, have the flexibility to accommodate operational variances in a controlled manner, and create efficiencies. Good operating procedures suited to the organization's requirements reflect how its internal control systems actually work.

1.6 Data Analytics and E-Audit Migration

With the growing volume of transactions across systems, good data analytics tools are necessary to enhance audit effectiveness. They can see through transactions using pre-defined business rules with multiple permutations and effective sampling techniques. These tools help an auditor narrow down on exceptions and detect anomalies objectively. Such tools can also be deployed in the production environment for concurrent or real-time monitoring.

Migration from traditional audit processes to e-audit is a journey that involves careful planning, simulation and deployment, as depicted below:

E-Audit Migration: Plan of Migration to E-Audit

1. Initiation phase
• Evaluation of the organization's information architecture
• Identification of transactions to be considered under the e-audit pilot phase

2. Pilot phase
• Define audit rules for transaction monitoring for the identified transactions of the identified systems
• Simulate the e-audit and refine the rule definitions

3. Migration to concurrent / continuous audit
• Integrate e-audit with the base systems and configure exception monitoring and alert-based rules
• Automate the e-audit process for concurrent checks

1.7 Intelligent Risk Engines

As the global threat of cyber crime increases, global intelligence networks exist that can detect certain threats in real time. These are essentially collaborative networks that keep track of millions of malware signatures, blacklisted and infected web sites and botnets, analyze the behavior of source transactions, and apply intelligent risk engines that generate early warnings of cyber attacks and pre-empt or quarantine them. Such technologies need to be deployed and configured appropriately, and their feeds tuned to the organization's own environment so that false positives remain manageable.

Similarly, for detecting electronic banking, mobile banking and money laundering frauds, an intelligence system that performs transaction and behavior analysis needs to be built. Such systems generate early warning signals for suspicious transactions.
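As an added example for the rule-based e-audit checks of 1.6 and the transaction analysis of 1.7 (not code from the publication), the Python below runs a small set of pre-defined audit rules over a constructed ledger: segregation-of-duties violations, duplicate entries, weekend postings, and a windowed aggregation rule that, with different parameters, catches both vendor payments split to stay under an approval limit and cash deposits structured to stay under a reporting threshold. The transaction layout, the thresholds and the sample transactions are assumptions made for the illustration.

```python
"""Rule-based transaction monitoring for e-audit and fraud early warning.

Added illustration, not code from the RSM publication. The ledger layout,
the thresholds and the sample transactions below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ledger: vendor payments and cash deposits, March 2012.
TXNS = [
    {"id": "T1", "date": "2012-03-05", "type": "payment", "party": "V-100", "amount": 9500, "ref": "INV-77", "created_by": "alice", "approved_by": "bob"},
    {"id": "T2", "date": "2012-03-05", "type": "payment", "party": "V-100", "amount": 9800, "ref": "INV-78", "created_by": "alice", "approved_by": "bob"},
    {"id": "T3", "date": "2012-03-06", "type": "payment", "party": "V-200", "amount": 15000, "ref": "INV-12", "created_by": "carol", "approved_by": "carol"},
    {"id": "T4", "date": "2012-03-10", "type": "payment", "party": "V-300", "amount": 4200, "ref": "INV-31", "created_by": "alice", "approved_by": "dave"},
    {"id": "T5", "date": "2012-03-12", "type": "payment", "party": "V-300", "amount": 4200, "ref": "INV-31", "created_by": "alice", "approved_by": "dave"},
    {"id": "T6", "date": "2012-03-14", "type": "deposit", "party": "C-9", "amount": 45000, "ref": None, "created_by": "teller1", "approved_by": None},
    {"id": "T7", "date": "2012-03-16", "type": "deposit", "party": "C-9", "amount": 48000, "ref": None, "created_by": "teller2", "approved_by": None},
    {"id": "T8", "date": "2012-03-19", "type": "deposit", "party": "C-9", "amount": 47000, "ref": None, "created_by": "teller1", "approved_by": None},
]

# Assumed thresholds; in practice taken from the approval matrix and the
# applicable regulatory reporting limits.
APPROVAL_LIMIT = 10000        # payments at or above this need a second approver
DEPOSIT_REPORT_LIMIT = 50000  # single deposits at or above this are reported
WEEKLY_DEPOSIT_LIMIT = 100000


def _d(s):
    return datetime.strptime(s, "%Y-%m-%d")


def rule_sod(txns):
    """Segregation of duties: the same person created and approved the entry."""
    return [t["id"] for t in txns if t["approved_by"] and t["created_by"] == t["approved_by"]]


def rule_duplicates(txns):
    """Same party, amount and reference posted twice: (duplicate, original)."""
    seen, flagged = {}, []
    for t in txns:
        key = (t["party"], t["amount"], t["ref"])
        if key in seen:
            flagged.append((t["id"], seen[key]))
        else:
            seen[key] = t["id"]
    return flagged


def rule_weekend(txns):
    """Postings on Saturday or Sunday, when no approver is normally present."""
    return [t["id"] for t in txns if _d(t["date"]).weekday() >= 5]


def rule_windowed_structuring(txns, txn_type, per_txn_limit, aggregate_limit, window_days):
    """Several transactions each kept under a limit that together exceed it.

    One rule, two permutations: vendor payments split under the approval
    limit on the same day, and cash deposits structured under the reporting
    limit over a week.
    """
    by_party = defaultdict(list)
    for t in txns:
        if t["type"] == txn_type and t["amount"] < per_txn_limit:
            by_party[t["party"]].append(t)
    flagged = set()
    for items in by_party.values():
        items.sort(key=lambda t: t["date"])
        for i in range(len(items)):
            window = [items[i]]
            for j in range(i + 1, len(items)):
                if _d(items[j]["date"]) - _d(items[i]["date"]) < timedelta(days=window_days):
                    window.append(items[j])
            if len(window) >= 2 and sum(t["amount"] for t in window) >= aggregate_limit:
                flagged.update(t["id"] for t in window)
    return sorted(flagged)


def run_rules(txns):
    """Exception report keyed by rule name."""
    return {
        "sod_violation": rule_sod(txns),
        "duplicate_entry": rule_duplicates(txns),
        "weekend_posting": rule_weekend(txns),
        "split_payment": rule_windowed_structuring(txns, "payment", APPROVAL_LIMIT, APPROVAL_LIMIT, 1),
        "cash_structuring": rule_windowed_structuring(txns, "deposit", DEPOSIT_REPORT_LIMIT, WEEKLY_DEPOSIT_LIMIT, 7),
    }


if __name__ == "__main__":
    for rule, hits in run_rules(TXNS).items():
        print(f"{rule:18s} {hits}")
```

In production the same rules would run on a feed from the base system (the concurrent audit step of the migration plan above), with each rule's thresholds and window taken from the organization's own approval matrix and regulatory reporting limits rather than the constants used here. Note that the windowed rule only looks at transactions individually below the limit, so it is a complement to, not a replacement for, the plain threshold check that the base system already enforces.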
1.8 Concurrent IT Audit

Some organizations presume that audit activity is to be performed only after tasks are complete. There is also a view that audit participation during roll-out or implementation compromises audit independence. Since IT systems are typically rolled out with long-term objectives and have a high impact on the organization's ecosystem, concurrent IT audit becomes critical for management, to ensure that controls are built in at the design stage itself. System specifications, design documents, project management, planned upgrades, disaster recovery drills, data analytics tools and system monitoring outputs are some of the areas where concurrent IT audit adds powerful value.

1.9 IT Systems Assurance for Group Companies

Large corporate houses tend to diversify across sectors, and every business vertical has its own IT needs. Often such a group creates a set of common services provided to the group companies. Such groups benefit from separating centralized requirements from company-specific IT requirements. An IT assurance program can be tailored to the group's functional model. Apart from conventional IT assurance, such a program also needs to focus on consolidation opportunities, process optimization, technology standardization, resource utilization and effectiveness of deployment.

1.10 IT Systems Assurance: A Balanced Scorecard

The success of an IT assurance program needs to be reflected in the balanced business scorecard. Typical outcomes of such a program are tabulated below for illustration.

Balanced scorecard perspective, and how an IT assurance program helps:

Financial perspective
• Reduction in misuse of assets
• Ability to control revenue leakages and frauds
• Increased return on IT investment

Customer perspective
• Customer confidence in data confidentiality
• Data security through all channels of business interaction
• Assured service levels

Internal perspective
• IT process efficiencies
• Enhanced internal control systems

Innovation perspective
• Adoption of new technologies

1.11 Adopting Best Practices Suitable to Your Needs

The list of best practices is unending; there is no end to excellence. It is equally important to note that, in spite of honest intent, best practices cannot in reality be followed by an organization at every stage. The evolving phases of the business, socio-economic factors, the political environment, management's risk appetite, availability of management staff, and financial, operational and behavioral constraints shape the organization's internal control systems. An organization needs to adopt a dynamic, practical and result-oriented internal control framework in line with best practices, after taking into account compensating controls, checks and balances, and the short-term and long-term impact on the organization.
Annexure I

Characteristics of a successful IT Assurance Program for an Organization

IT systems assurance practices should be independent of:
• Technologies
• Business product
• System platform
• Services

IT assurance practices should be linked to:
• Business objectives
• The internal audit and risk management program
• Operational excellence initiatives within the organization
• Regulatory audit requirements

Good IT systems assurance practices should be:
• Realistic and implementable
• Handled with due diligence and professional care
• Sensitive to client confidentiality requirements

Good assurance measures should focus on:
• Removal of the root cause
• Value addition for the business
Annexure II

Certain Legislations Governing Information Security
• Online Protection and Enforcement of Digital Trade Act (USA, 2011)
• Cyber Intelligence Sharing and Protection Act (USA, 2011)
• Digital Economy Act, 2010 (UK)
• Electronic Transactions and Commerce Law (UAE, 2002)
• Electronic Transactions Act (Canada, 2001)
• Information Technology Act, 2000 (India)
• Electronic Transactions Act, 1999 (Australia)
• The Digital Millennium Copyright Act of 1998 (USA)
• Data Protection Act, 1998 (UK)
• No Electronic Theft Act (NET Act, USA, 1997)
• Computer Crimes Act, 1997 (Malaysia)
• Uniform Electronic Transactions Act (USA, 1999)
• Computer Misuse Act, 1990 (UK)
• Computer Security Act of 1987 (USA)
• Computer Fraud and Abuse Act (USA, 1986)
• The Credit Card Fraud Act of 1984 (USA)
• Federal Data Protection Act (Russia, 1970)
• The Patents Act, 1970 (India)
• The Trade Mark Act, 1958 (India)
• The Copyright Act, 1957 (India)
RSM Astute Consulting Group

Mumbai
13th Floor, Bakhtawar, 229, Nariman Point, Mumbai - 400 021.
3rd Floor, Ahura Centre, 82, Mahakali Caves Road, Andheri (E), Mumbai - 400 093.
608, Sagar Tech Plaza B, Sakinaka, Andheri (E), Mumbai - 400 072.

Bengaluru (Bangalore)
"Sujaya" No. 1007, 2nd Cross, 13th Main, HAL II Stage, Bangalore - 560 038.

Chennai
Abhinav Centre, 2nd Floor, No. 4 Co-operative Colony, Off. Chamiers Road, Alwarpet, Chennai - 600 018.
1A, Chamiers Apartments, 62/121, Chamiers Road, R. A. Puram, Chennai - 600 028.

Kolkata
2058/A, Mercantile Buildings, Block "A", 9, Lalbazar Street, Kolkata - 700 001.

New Delhi - NCR
3rd Floor, Tower-B, B-37, Sector-1, Noida - 201 301.

Surat
B/604-605, Tirupati Plaza, Athwa Gate, Nanpura, Surat - 395 001.
T-720, Belgium Tower, Opp. Linear Bus Stop, Ring Road, Surat - 395 002.

Ahmedabad
504, Narnarayan Complex, Navrangpura, Ahmedabad - 380 009.

Hyderabad
217, Swapnalok Complex, 92, Sarojini Devi Road, Secunderabad - 500 003.

Gandhidham
Plot No. 41, Ward 10-A, "Divyasarika", Gurukul, Gandhidham - 370 201. (Kutch - Gujarat)

Offices: Mumbai, New Delhi-NCR, Chennai, Kolkata, Bengaluru, Surat, Ahmedabad, Hyderabad, Gandhidham and Aurangabad.

For further information please contact:
RSM Astute Consulting Group, 13th Floor, Bakhtawar, 229, Nariman Point, Mumbai - 400 021.
T (91-22) 6696 0644 / 6121 4444, F (91-22) 2820 5685 / 2287 5771, E [email protected], www.astuteconsulting.com
RSM Astute Consulting Group is a member of RSM network. Each member of the RSM network is an independent accounting and advisory firm which practices in its own right. The RSM network is not itself a separate legal entity in any jurisdiction. This publication is intended to provide a broad overview of Information Technology Systems Assurance to organizations which function on highly automated processes and on a real time basis. Every effort has been made to ensure the contents are accurate and current. Information in this publication is in no way intended to replace or supersede independent or other professional advice. This publication should not be relied upon for taking actions or decisions without appropriate professional advice and it may be noted that nothing contained in this publication should be regarded as our opinion and facts of each case will need to be analyzed based on specific facts. While all reasonable care has been taken in preparation of this publication, we accept no responsibility for any liability arising from any statements or errors contained in this publication. © RSM Astute Consulting, 2012