PROJECT REPORT
ISA 2.0
Migrating to Cloud based ERP solution
TABLE OF CONTENTS
Certificate 3
Details of Case Study / Project Prob. 4
Project Report – Introduction 5
Auditee Environment 6
Background 8
Situation 9
Terms and Scope of Assignment 11
Logistic Arrangements Required 12
Methodology and Strategy Adapted for Execution of Assignment 14
Documents Reviewed 22
References 23
Deliverables 24
Format of Report/Findings and Recommendations 27
Summary/Conclusion 28
Project Report ISA 2.0
Migrating to Cloud based ERP solution
3
CERTIFICATE
This is to certify that we have successfully completed the ISA 2.0 course training conducted at Hotel Pride Plaza, Bodakdev Cross Road, Ahmedabad from 1st Feb 2020 to 29th April 2020 and we have the required attendance. We are submitting the Project titled: Migrating to Cloud based ERP solution.
We hereby confirm that we have adhered to the guidelines issued by CIT, ICAI for the project.
We also certify that this project report is the original work of our group and each one of us has actively participated and contributed in preparing this project. We have not shared the project details or taken help in preparing the project report from anyone except members of our group.
1. Name : CA Dhaval Limbani (ISA No. 62188)
2. Name : CA Manoj Jajodia (ISA No. 62682)
3. Name : CA Ashish Mehta (ISA No. 62810)
Place : Ahmedabad
Date : 30-04-2020
DETAILS OF CASE STUDY / PROJECT PROB.
ABC Infrastructure Ltd. (the Auditee) provides gas pipeline services and distribution, EPC projects, cross-country pipeline laying and horizontal directional drilling across India. It is well equipped with the full range of infrastructure, has kept pace with changing technology, and has a construction team focused on safety, quality and efficiency, executing cost-effective projects within time and budget. It currently uses a stand-alone accounting and inventory package with limited functionality. It has aggressive business growth plans and has found that the current software solution cannot meet its future requirements.
ABC Infrastructure Ltd has decided to migrate to ‘Wilson’s On Cloud Solution (WOCS) - Standard Version’, a robust full-suite ERP developed using Wilson Virtual Works, a state-of-the-art software engineering and delivery platform. WOCS is expected to enable ABC to reap the benefits of a solution with “built-in best practices” together with a highly “flexible framework” that keeps the solution aligned to ABC’s “dynamic business requirements”.
The WOCS solution has standard product features which cannot be modified except through the methodology followed by Wilson; the customer has to use the existing product without any changes. As part of the software as a service (SaaS) delivery model, WOCS will not make any changes to data entry screens or processes for an individual customer’s needs.
1. PROJECT REPORT - INTRODUCTION
ABC Infrastructure Ltd is a provider of gas pipeline services and distribution and EPC projects across India, with adequate technology infrastructure for a changing environment. The company has four branch offices and more than 300 employees including those at the branches. Of these 300 employees, more than 40 work in the finance and accounts departments. At present the company maintains non-integrated, stand-alone accounting software, which requires extensive documentation to be maintained.
With the changing environment and expected business growth, the company board has decided to migrate from the existing non-integrated software to ‘Wilson’s On Cloud Solution (WOCS)’, an ERP software. The new ERP software will cover all business process functions, from project execution, marketing and purchase management to payroll, inventory management, financial and management accounting etc., so that real-time business information is available.
ABC Infrastructure Ltd (the auditee) appointed M/s MAD & Associates (Chartered Accountants, referred to as the auditor) to conduct the cloud ERP system audit of the auditee. The auditor firm has 3 years’ experience in conducting IS audits. The firm has 3 partners (CAs), 2 system auditors (ISA) and 3 other technical staff, all with good knowledge and experience in their respective domains.
Audit team (S. No., team member name, qualification, designation):
1. Mr. Dhaval Limbani, FCA, ISA: Team Leader
2. Mr. Manoj Jajodia, FCA: Co-Team Leader
3. Mr. Ashish Mehta, FCA: Co-Team Leader
4. Mr. Pranav Pandya, FCA, ISA: Team Member
5. Mr. Mihir Pandya, M.Tech, PhD (IT), BE (Software): Software Engineer
6. Mr. Dhaval Chikani, M.Tech, BE (Software): Software Engineer
7. Mr. Darshan Panchal, PhD (IT-Hardware Engineer): Hardware Engineer
2. AUDITEE ENVIRONMENT
ABC Infrastructure Ltd is a provider of gas pipeline services and distribution and EPC projects across India, and is engaged in heavy infrastructure projects for governments and large infrastructure companies.
The company board consists of 7 directors: one Managing Director (CEO), one Finance Director (CFO), a Sales & Marketing Director, a Chief Operational Director (COO), a Chief Information Officer (CIO) and 2 Executive Directors. The board sets policy and procedure and lays down the strategy for completing business tasks, which are executed and implemented by managerial and operational staff, from each department head down to operational-level staff members.
At present the company uses non-integrated accounting software which will no longer be useful given changing business technology and the growing changes in the technology environment. The company’s infrastructure is well equipped, but the company does not use any ERP software to integrate all its business functions on one platform. The MD is confident that, by providing adequate training, the finance and accounts departments can be made familiar with a cloud-based ERP. This will eliminate the need to purchase servers and hardware storage, i.e. a reduction in OPEX.
Apart from the respective tax laws, corporate law, labour law etc. and the IT Act 2000, the company is not bound by any other legal compliance such as RBI, SEBI, Banking Regulation, IRDA etc. The company has a compliance department which looks into matters relating to compliance, and its work is reviewed by the internal audit function. For effective operation of the compliance department the company has standard policies, procedures and guidance that define the regulatory requirements that apply to the company.
Information Security Policy (S. No., policy, description):
1. Acceptable Use Policy: The company has defined the acceptable use of computer devices and equipment and the employee security measures that protect organizational resources.
2. Clean Desk Policy: The company has defined the minimum requirements of a clean desk policy, such as sensitive or critical information of the company, employees and customers, and intellectual property, being secured in a locked area.
3. Encryption Policy: The company has defined the acceptable encryption algorithms for system security and protection from unauthorized access.
4. Digital Signature Acceptance Policy: The company has defined when a “Digital Signature” is considered an acceptable means of validating the identity of a signer in electronic communications/documents.
5. Password Policy: The company has defined different high-level configuration passwords for system access and email access, for the security of information and identity. Further, there is a policy of changing passwords within 90 days.
6. Network Security Policy: The company has defined overall network access, such as a remote access policy (the software used for remote access), a wireless communication policy for connecting to the company network, and standards for the minimum security configuration of routers and switches inside the computer network.
7. Server Security Policy: The company has defined requirements around installation of third-party software and the security configuration of servers. Further, the company has defined proper requirements for disposal of equipment such as hard drives, USB drives, CD-ROMs etc.
8. Business Continuity Management Policy: The company has defined requirements to ensure continuity of critical business operations. It is designed to minimize the impact of unforeseen events and to return the business to normal levels.
3. BACKGROUND
Since the company has decided to change its accounting tool from a traditional system to a cloud-based ERP (WOCS), the most important task for the company is to migrate its data onto the ERP system first. This can be done via batch processing, under which the data is uploaded first and then another person approves these transactions. Once the data is processed, the next critical operation is to reconcile it with the traditional data to check whether all data has been carried over completely and in the required form. In a cloud ERP system the system is hosted on the cloud and the ERP service provider takes care of hosting it. This is based on the Software as a Service (SaaS) model, wherein the company accesses the software while the service provider manages the software, including the operating system and execution environment.
To check all these critical operations the company wants an independent auditor function. The auditor (MAD & Associates) will audit these functions starting from the initial mapping of codes, ledgers and groups, through data uploading, reconciliation, report spooling and trade checking, to establish whether all ERP modules (vendor data, inventory management, financial accounting, sales and purchase, payroll etc.) are working effectively and efficiently on the cloud site provided by the cloud service provider. The auditor will also verify that the effect of one data entry on other ERP utilities is proper and correct.
For this purpose, the auditor will thoroughly check whether the system configuration and settings have been manipulated or modified. Further, the auditor will check the IT infrastructure configuration, such as the operating system, servers, networking devices and tools and the security controls thereon, to establish whether CIA (confidentiality, integrity and availability) is threatened via unauthorized access, data manipulation etc., which may be a big threat to the organization. In addition, the auditor will check whether the vendor is responsible for maintaining hardware and software, such as patches, upgrades and refreshes.
4. SITUATION
The Auditee currently uses an ERP system consisting of stand-alone accounting and inventory packages with limited functionality. The company has aggressive growth plans for which the current software solution is not enough. The company’s finance and accounts department has more than 40 employees, the current software packages are stand-alone and non-integrated, and extensive documentation is maintained. So management has decided to migrate to a cloud-based ERP.
The proposed Wilson’s solution provides a single version of the product at any point in time. All product feature upgrades and updates are made available as part of the standard offering. The requirements are market driven and are prioritized on various criteria such as statutory needs, best business practice and key business processes. There are 14 modules in scope, such as sales & shipping management, accounts receivable, purchase, HR & payroll, etc.
Moreover, the current staff are not computer savvy and have limited knowledge of using computers, but the young MD has taken charge of training employees, and the cost consideration based on a model implementation of 10 user licenses shows a cost-benefit analysis and justification for the investment. So, seeing these current problems and the benefits of the cloud-based solution, management has decided to migrate to a cloud-based ERP. The proposed solution also provides complete applications which are sold on a subscription model for a specific period. This model provides the capability to use the provider’s applications running on cloud infrastructure. The applications are accessible from various client devices through a thin-client interface such as a web browser. This brings savings to ABC Infrastructure Ltd as there is no need to buy licenses for running programs on its own computers; the software solution is accessible using existing computers.
Areas of risk (S. No., area of risk, risk-focused area):
1. Access Control: Is there appropriate ingress or egress filtering? Are there ACLs that segment the environment from other resources?
2. Virtualization: Is there a protected environment? How are host systems secured? Are resources utilized and released as expected? How are virtual resources interconnected?
3. Data Management and Data Storage: The cloud provider may not be able to match in-house IT service availability, recovery time objectives (RTO) and recovery point objectives (RPO). Cloud providers may drastically change their business model or discontinue cloud services. Due to technical architecture complexity and potential restrictions by the cloud provider, replicating data back to the enterprise or to another provider may be difficult.
4. Communication Channels: What communication protocols are used to communicate with other data centers? Are there any clear-text administration protocols in use? Can you monitor communication in and out of the cloud as well as within the cloud? Are there any end-user devices that can download data from the cloud?
5. Cloud Supporting Infrastructure: Utilize ISO 27001 and SOC 2 / SOC 3 (Assurance Reports on Controls at a Third-Party Service Organization) trust principles: security, availability, processing integrity, confidentiality, privacy. Will administrators have “access” to the virtual data?
6. Software as a Service (SaaS): Examine the tools used for usage tracking and licensing. Examine the accuracy of reporting. Separation from other applications. New risks may exist as cloud computing can expand and shorten the SDLC cycle.
5. TERMS AND SCOPE OF ASSIGNMENT
Auditor’s Terms & Scope
- How much security is enough?
- Who is responsible for data security?
- Criticality of the application being sent to the cloud.
- Control issues specific to the cloud service provider.
- Identify internal control and regulatory deficiencies that would affect the organization.
- Identify information security control concerns that could affect the reliability, accuracy and security of enterprise data due to weaknesses in the package solution offered by the vendor.
- Outsourcer’s experience with SLA and vendor management.
- Review contractual compliance between the cloud service provider and the customer, i.e. the auditee.
- Cloud vendor’s policy on vulnerability management: reporting, commitment to following up, promptly responding to reports etc.
- Provide management with an assessment of the impact of implementing Wilson’s On Cloud Solution, its security policy and procedures and their operating effectiveness.
- Information systems audit of all/any aspects of security policy, business continuity, environmental access, physical access, logical access and application security.
- What is the impact on the auditor when the client uses a “Cloud ERP System”, and how will data be audited at the cloud service provider?
- Compliance with enterprise policies, procedures, standards and practices as relevant.
- Compliance with regulations as applicable.
6. LOGISTIC ARRANGEMENTS REQUIRED
- The auditor requires the following hardware, software (application and system), information and system configuration documentation (S. No., point, description):
1. Hardware: The auditor (MAD & Associates) needs 7 laptops, 3 desktops, networking cables, data cables and power backup equipment for execution of the assignment. All hardware must be configured to be compatible with the software.
2. Software (application as well as system): Licensed software must be installed on all desktops and laptops so that they can work in the auditee IT environment with a high-bandwidth internet connection.
3. Information: We need the information to be audited, which may be data, audio, video, electronic-form data, images etc.
4. System Configuration Documents: We need system configuration documentation from the supplier or vendor of the hardware, software and source code in order to understand the technical details clearly.
- An information security management system is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems, by applying a risk management process. The company (auditee) has obtained a certificate from an ISO certification body stating that it meets the objectives of ISO 27001. The aim is to provide confidence and assurance to clients and customers that it follows accepted best business practices.
- In order to obtain assurance that the data processed by the system is complete, valid and accurate and gives the desired results, computer assisted audit techniques (CAATs) shall be used. CAATs are computer-based tools which help in carrying out automated procedures to evaluate an IT system or data. They are very useful where a significant volume of auditee data is available in electronic format. CAATs provide a greater level of assurance compared to other techniques, especially manual testing methods.
- Use of CAAT tools (Computer Aided Audit Techniques): The use of CAAT tools improves the audit process and helps in data extraction and analysis. The techniques are as follows (S. No., point, description):
1. Generalized Audit Software: This tool is effective and efficient for IS audit. In this method an Access Control List (ACL) is a table under which data is locked down as read-only to prevent inadvertent changes to data. In this method the organization defines access rights for each system user. Every user has different rights, such as read-only, read and modify, approve etc.
2. Utility Programs: These programs are used to perform common data processing functions such as sorting and creating and printing files. These utilities do not contain features such as automatic record counts or control totals.
3. Test Data: Test data involves the auditor using a sample set of data to assess whether logic errors exist in a program and whether the program meets the organization’s objectives. It provides information about internal controls and any weaknesses that exist.
4. Audit Expert Systems: In this technique the auditor performs tests of details of transactions and balances, analytical review procedures, compliance tests of IS general controls, compliance tests of IS application controls and vulnerability testing.
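The migration reconciliation described in the Background section (mapping of codes and ledgers, upload, reconciliation against the legacy data) and the CAAT point above that plain utility programs lack record counts and control totals, worked as an added Python example; this is not part of the report, and the legacy/ERP CSV exports, the ledger code mapping and all function names are constructed for illustration. It shows why a record count alone is a weak check: the two exports below both have five rows, yet one voucher is missing, one is duplicated and one amount has been mistyped.

```python
import csv
import io
from collections import Counter, defaultdict
from decimal import Decimal

# Constructed sample exports (illustrative data, not from the report).
LEGACY_CSV = """voucher,ledger,amount
V001,CASH,1500.00
V002,BANK,-1500.00
V003,PUR,800.50
V004,CR,-800.50
V005,SAL,2000.00
"""

ERP_CSV = """voucher,ledger,amount
V001,1001,1500.00
V002,1002,-1500.00
V003,2001,800.05
V005,3001,2000.00
V005,3001,2000.00
"""

# Assumed legacy-to-ERP ledger code mapping, signed off before the upload.
LEDGER_MAP = {"CASH": "1001", "BANK": "1002", "PUR": "2001", "CR": "2101", "SAL": "3001"}


def parse_export(text):
    """Parse a CSV export into (voucher, ledger, amount) rows; Decimal avoids float rounding."""
    return [(r["voucher"], r["ledger"], Decimal(r["amount"]))
            for r in csv.DictReader(io.StringIO(text))]


def control_totals(rows, ledger_map=None):
    """Sum amounts per ledger code; legacy codes are translated through ledger_map first."""
    totals = defaultdict(Decimal)
    for _, ledger, amount in rows:
        code = ledger if ledger_map is None else ledger_map.get(ledger, "UNMAPPED:" + ledger)
        totals[code] += amount
    return dict(totals)


def reconcile(legacy_rows, erp_rows, ledger_map):
    """Compare legacy and ERP exports: record counts, row-level differences and control totals."""
    legacy_by_id = {v: (l, a) for v, l, a in legacy_rows}
    erp_by_id = {v: (l, a) for v, l, a in erp_rows}
    erp_counts = Counter(v for v, _, _ in erp_rows)
    common = set(legacy_by_id) & set(erp_by_id)

    legacy_totals = control_totals(legacy_rows, ledger_map)
    erp_totals = control_totals(erp_rows)
    zero = Decimal(0)

    return {
        "record_count": (len(legacy_rows), len(erp_rows)),
        "missing_in_erp": sorted(set(legacy_by_id) - set(erp_by_id)),
        "extra_in_erp": sorted(set(erp_by_id) - set(legacy_by_id)),
        # Batch uploads that are retried can post the same voucher twice.
        "duplicates_in_erp": sorted(v for v, n in erp_counts.items() if n > 1),
        "amount_mismatch": sorted(v for v in common
                                  if legacy_by_id[v][1] != erp_by_id[v][1]),
        # Voucher landed in a different ledger than the agreed mapping says.
        "ledger_mismatch": sorted(v for v in common
                                  if ledger_map.get(legacy_by_id[v][0]) != erp_by_id[v][0]),
        "unmapped_codes": sorted({l for _, l, _ in legacy_rows if l not in ledger_map}),
        # Per-ledger control totals: (legacy, ERP) for every ledger that differs.
        "control_total_diff": {
            code: (legacy_totals.get(code, zero), erp_totals.get(code, zero))
            for code in sorted(set(legacy_totals) | set(erp_totals))
            if legacy_totals.get(code, zero) != erp_totals.get(code, zero)},
        "grand_total": (sum(legacy_totals.values(), zero), sum(erp_totals.values(), zero)),
    }


def migration_is_clean(findings):
    """True only when counts and grand totals agree and every exception list is empty."""
    counts_ok = findings["record_count"][0] == findings["record_count"][1]
    totals_ok = findings["grand_total"][0] == findings["grand_total"][1]
    exceptions = ("missing_in_erp", "extra_in_erp", "duplicates_in_erp", "amount_mismatch",
                  "ledger_mismatch", "unmapped_codes", "control_total_diff")
    return counts_ok and totals_ok and not any(findings[k] for k in exceptions)


def run_sample():
    """Reconcile the constructed exports: the counts match (5 vs 5) yet the data is not clean."""
    return reconcile(parse_export(LEGACY_CSV), parse_export(ERP_CSV), LEDGER_MAP)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

On real exports the same checks run over the full voucher population, so the auditor can list exactly which vouchers to take up with the migration team rather than sampling.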
7. METHODOLOGY AND STRATEGY ADAPTED FOR EXECUTION OF ASSIGNMENT
ISACA Cloud Computing Audit Program – Areas
- Planning and Scoping the Audit:
  - Define the audit/assurance objectives
  - Define the boundaries of review
  - Identify and document risks
  - Define the change process
  - Define assignment success
  - Define the audit/assurance resources required
  - Define deliverables
  - Communications
- Governing the Cloud:
  - Governance and Enterprise Risk Management (ERM)
  - Legal and Electronic Discovery
  - Compliance and Audit
  - Portability and Interoperability
- Operating in the Cloud:
  - Incident Response, Notifications
  - Application security
  - Data Security and integrity
  - Identity and Access management
  - Virtualization
- Audit Program under COBIT Framework (S. No., COBIT control objective, audit procedure):
1. Benefit Management (Acquire, Plan and Organize): Review the process for developing metrics for measuring benefits, e.g. guidance from domain experts and industry analysts.
2. Supplier Contract Management (Acquire and Implement): Confirm through interviews with key staff members that policies and standards are in place for establishing contracts with suppliers, e.g. legal contracts, financial contracts, intellectual property contracts etc.
3. Supplier Performance Monitoring (Deliver, Service and Support): Inspect supplier service reports to determine that supplier performance is in alignment with the pre-defined SLAs and the supplier contract.
4. Identity Management (Deliver, Service and Support): Every user has a unique and generic id, and access rights to the system are as per the documented business process framework.
5. Network Security (Deliver, Service and Support): Confirm with the organization that a network security policy has been established and is maintained. Further confirm that all network components, such as routers, VPN switches etc., are updated regularly.
6. Information Exchange (Deliver, Service and Support): Confirm with the organization that a proper encryption policy is in place for exchanging information outside the organization.
7. Contract Compliance (Monitor and Evaluate): Review policies and procedures to ensure that contracts with third-party service providers comply with applicable laws, regulations and contract commitments.
8. Data Integrity (Deliver, Service and Support): Determine that a policy has been defined and implemented to protect sensitive information from unauthorized access, with authentication codes and encryption.
9. Governance:
  - Review organizational strategy and risk appetite, roles and responsibilities, insurance, and governance tasks.
  - Monitor usage of cloud services through vendor-provided dashboards or logging information available to the client.
  - Address issues promptly based on governance requirements and defined roles/responsibilities.
10. Data Management:
  - Perform a data flow and privacy assessment by reviewing the data throughout its life cycle. Is it vulnerable at any point?
  - Ask for an overview of the dedicated, single-tenant and shared (multi-tenant) cloud services provided by the CSP.
  - Review data transfer to the CSP.
  - Data segregation: Review shared environments for data segregation, logical separation and security in a multi-tenancy environment, or utilize separate servers.
  - Data recovery: Review whether the CSP can do a complete restoration in the event of a disaster, or whether it has data replication capabilities available for an alternate data location. Review where that alternate location is, in addition to its recoverability capabilities.
11. Data Environment:
  - Where are the data centers located? Can the CSP commit to specific privacy requirements?
  - Review the applications and operating systems utilized. Use a data life cycle approach regarding what is stored and where.
  - Provide a description of how often infrastructure components, such as hardware and software, are updated.
12. Cyber Threat:
  - What are the patch and vulnerability management program practices? How does the CSP ensure these practices do not create a security risk for client infrastructure?
  - What is the vulnerability remediation process?
  - Review the security monitoring processes utilized by the CSP.
  - Are there established application-level reviews, a defined Software Development Life Cycle process, and change notification and release management?
13. Infrastructure:
  - Is there restricted and monitored access to assets at all times?
  - How is employee or third-party access to client data controlled?
  - Are staff background checks employed? How extensive are these background record reviews, and are they recurring?
  - Vulnerability management: Patch vulnerabilities in virtual machine templates and offline virtual machines.
  - Network management: Secure network traffic between distributed cloud components. Detection for defense against attacks originating from within the cloud environment.
  - Review the perimeter for exposure to distributed denial-of-service attacks against public-facing cloud interfaces.
  - System security: Review where there may be vulnerable end-user systems interacting with cloud-based applications.
  - Discuss how the CSP handles secure intra-host communications among multiple virtual machines.
  - Who controls the encryption keys? How are the encryption keys monitored? What are their storage and backup locations? Review encryption certifications, determine what they apply to, and test them.
14. Logs and Audit Trail:
  - How long are logs and audit trails kept?
  - How does the CSP provide for tamper-proofing of logs and audit trails?
  - Is there dedicated storage for logs and audit trails?
  - Can the CSP provide timely forensic investigations, e.g. eDiscovery and system analysis?
15. Availability:
  - The client should review Service Level Agreement (SLA) uptime tolerance levels and check for “additional subtractions” disclaimers for the stated level.
  - Does the CSP have resiliency (e.g. cluster systems, redundancy and failover capabilities), and does it test these abilities after changes or system updates?
  - Does the CSP test restores, and what actions require additional fees? Where are the backups located (e.g. on-site, off-site, replicated to another location)?
  - What file and directory versioning is available? Does the CSP have an incident response plan, and can the CSP describe it?
  - What measures are employed to guard against threats and errors, use of multiple CSPs, and denial of service (DoS) protection?
  - When do peaks in demand occur, and does the CSP have the capacity to handle such maximum load?
  - What service level guarantee does the CSP offer under Disaster Recovery/Business Continuity conditions?
16. Identity and Access Management:
  - Provide information regarding authentication, restriction of access, or implementation of segregation of duties (SOD) for cloud provider staff.
  - Provide a description of the physical security measures in place within the CSP data centers, including server areas and access to host/network systems.
  - Review the types of access available: single sign-on (SSO), authentication using the client’s identity management software, or two-factor authentication.
  - Does the client have administrative privileges and controls, and over which system components, software and/or client users?
17. Encryption:
  - Understand the environment for the service boundary, including the connection points to and from the data, with the encryption utilized for data in transit and data at rest and the type of encryption.
  - Ensure that the CSP provides SSL from an established Certificate Authority (CA) and that the SSL CA has its practices audited annually by a trusted third-party auditor, e.g. Symantec WebTrust audit or AICPA WebTrust audit requirements.
  - SSL should provide a minimum of 128-bit, optimally 256-bit, encryption based on a 2048-bit global root. Determine the type of encryption.
  - Is there any encryption utilized for data at rest? For data in storage, how are encryption keys stored? For data backups, is the data encrypted in transit or at rest? How are keys managed?
18. Privacy:
  - How are digital identities and credentials protected in cloud applications? What client data is stored and used, and what is its disposal process?
  - Under what conditions might third parties (including government agencies) have access to confidential data?
  - Is there a guarantee that third-party access to shared logs and resources will not reveal critical, sensitive information?
19. Regulatory Compliance:
  - What are the compliance requirements of the vendor or third party?
  - The provider should demonstrate financial viability requirements.
  - Review the vendor’s commitment to remaining in such compliance, for itself and for any third-party service it utilizes.
  - Discuss the CSP’s commitment to maintaining the described level of security compliance and the interval of conformity updates.
20. Legal:
  - Ensure that there is an engagement agreement covering: the right to audit and physically inspect; timely removal of data and its destruction; change control notifications; intellectual property; cloud staff hiring requirements; and training, confidentiality, backups, outsourced services to other vendors, certifications, and their maintenance renewal intervals. Ensure the provider guarantees storage of the organization’s data in a particular location based on the contractual agreement.
  - What notification arrangements are in place for the cloud provider to notify the customer organization in the event of a suspected breach?
  - What forensic investigation tools and cloud provider staff training are in place for logging and preserving evidence of an alleged violation?
  - Agreed-upon recourse needs to be in place for security incidents, data breaches, or failure to meet SLAs.
  - Records management: Review the life cycle in terms of preservation, retention, eDiscovery and disposal policies based on organization requirements.
  - Review rights to data by ensuring that the client organization is the data owner for all data and applications, including replicated copies, with the right to delete all customer information if instructed, with assurance documentation, and promptly as agreed by the client and CSP.
  - Update the cloud contract over time to reflect operating changes.
  - Specify whether there are any additional fees for termination of services, or for delivery or erasure of data.
8. DOCUMENTS REVIEWED
We have reviewed the following documents during execution of this assignment to identify controls and weaknesses thereof.
- User manuals and technical manuals relating to the system software and ERP.
- Organization chart outlining the organization hierarchy and job responsibilities.
- Access to circulars & guidelines issued to employees.
- Access to user manuals and documentation relating to the ERP implementation by ABC Infrastructure Ltd.
- Any other documentation identified by us as required for the assignment, such as the security policy document relating to the system.
- The auditor has read and understood all the terms and conditions of the SLA. Any terms which are harmful to the company have been discussed with management in order to secure stakeholders’ interests.
- Audit findings documents.
9. REFERENCES
- Best practices relating to internationally accepted standards for IS audit: COBIT (Control Objectives for Information and Related Technology, issued by the Information Systems Audit and Control Association, USA), COSO framework etc.
- Information Systems Audit and Control Association: IS Auditing Guidelines.
- Information Systems Audit 2.0 Course, Volume I, Module 1, Chapter 3, Part 1: Cloud and Mobile Computing.
- Information Systems Audit 2.0 Course, Volume 1, Module 2, Chapter 2: IS Audit in Phases.
- ISACA Audit Program and CAAT Tools.
- ISO Standard 27001.
- Deloitte (2010); Heiser (2015); Lehigh (2016); O’Hanley & Tiller (2013).
10. DELIVERABLES
The following table summarizes each review area with the relevant finding, the auditor's
recommendation and the risk rating. The rows of the table are given below as numbered entries.

1. Technology Selection
   Finding: Before moving to the cloud, the organization (auditee) did not perform a cost
   benefit analysis.
   Recommendation: NIL
   Risk Rating: Low

2. Physical Access Control
   Finding: Access to data should be allowed to authorized persons only, since the data may
   be sensitive to stakeholders.
   Recommendation: The organization should deploy biometric devices so that an access
   history is retained; adopt the maker and checker rule; use the audit trail to check who
   accessed the data previously and what user activity took place; and use the Clean Desk
   policy to secure sensitive data held in paper form.
   Risk Rating: Medium

3. Login Access Control
   Finding: In this scenario every user has a unique login and can access only the data
   for which they have been permitted to transact.
   Recommendation: This concept helps prevent unauthorized data access: no unauthorized
   user can approve or authenticate data. E.g. login id and password, network monitoring
   and access control.
   Risk Rating: Medium

4. Audit Trail
   Finding: In this scenario we can identify who last logged in, user activity and time
   spent by previous users.
   Recommendation: With the help of this concept users work within the rights assigned to
   them, which maintains data security and integrity; even if anybody attempts to work
   beyond his/her rights, the attempt is traceable, and personal accountability of each
   user also exists.
   Risk Rating: Medium

5. Firewall
   Finding: Any data coming in or going out across the organization boundary is filtered
   by the firewall system. The firewall acts as the security barrier between the public
   and private network and checks any data packets coming from the outside world into the
   private network; the system on which the firewall is installed is called a Bastion
   Host.
   Recommendation: Since the firewall checks data packets for authentication and
   authorization etc., the organization should install all firewall types, namely proxy
   server, network level, application level and stateful inspection.
   Risk Rating: Medium

6. System Backup
   Finding: When back-ups are taken of the system and data together, they are called a
   total system back-up.
   Recommendation: The organization should have a proper back-up plan which specifies the
   type of back-up to be kept, the frequency of the back-up, the location of the back-up
   etc. The following back-up plans may be selected: Full Back-up, Incremental Back-up,
   Differential Back-up, Mirror Back-up.
   Risk Rating: Medium

7. Service Level Agreement
   Finding: Any terms and conditions which are harmful to the auditee organization, such
   as block out or disruption in service.
   Recommendation: The organization and the CSP should meet in order to resolve the
   conflict, and the CSP should inform the organization about the alternate sites from
   which service will be provided in case of emergency failure of the main sites.
   Risk Rating: Medium

8. Data Privacy and Confidentiality
   Finding: Access to customer data is restricted to the respective organization and its
   authorized personnel; it is not to be shared with any other organization or personnel.
   Recommendation: The organization should establish a policy that maintains data privacy
   with respect to other service receivers of the same cloud service provider.
   Risk Rating: High

9. Natural Disaster Events
   Finding: The organization should consider natural events such as earthquake, tsunami,
   flood, fire etc.
   Recommendation: The organization should have one additional BCP site with complete IT
   infrastructure so that, in case of a natural disaster, normal business functions
   continue without disruption.
   Risk Rating: High

10. Alternate Processing Facility Arrangements
   Recommendation: Security administrators shall have one of the following arrangements
   with the cloud service provider regarding an alternate processing facility: Cold Site,
   Hot Site, Warm Site, Reciprocal Agreement. Further, the contract must include the
   following:
   - how soon the site will be made available subsequent to a disaster;
   - the number of organizations that will be allowed to use the site concurrently in
     the event of a disaster;
   - the priority to be given to concurrent users of the site in the event of a common
     disaster;
   - what controls will be in place and working at the off-site facility.
   Risk Rating: High
Implication of High, Medium and Low:
High: The issue represents a finding that exposes the organization to significant risk and
requires immediate resolution.
Medium: The issue represents a finding that exposes the organization to risk that requires
resolution in the near future.
Low: The issue represents a finding which does not require action from the organization.
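The audit trail, login access and maker-checker points in findings 2 to 4 above can be checked mechanically over an exported ERP log, which is how an auditor would apply the CAAT approach listed in the references. The script below is an added example, not part of the project report or of the WOCS product; every log line, user id, role and permission name in it is constructed for illustration.

```python
"""Audit-trail review over an exported ERP log (added example, not from the report).

Checks the points raised in findings 2 to 4: who last logged in, time spent per
session, actions attempted beyond assigned rights, and maker-checker violations
(the same user creating and approving one transaction). Every log line, user
id, role and permission name below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed role matrix: the ERP actions each role is permitted to perform.
ROLE_RIGHTS = {
    "accounts_clerk": {"voucher.create", "voucher.view"},
    "accounts_manager": {"voucher.view", "voucher.approve"},
    "stores_clerk": {"inventory.issue", "inventory.view"},
}

# Constructed user directory mapping login ids to roles.
USER_ROLES = {"u101": "accounts_clerk", "u102": "accounts_manager", "u201": "stores_clerk"}

# Constructed audit log export, one event per line: timestamp|user|event|detail.
# ACTION details are "<permission>:<document id>".
SAMPLE_LOG = """\
2020-03-02T09:01:00|u101|LOGIN|ok
2020-03-02T09:05:00|u101|ACTION|voucher.create:V-1001
2020-03-02T09:07:00|u101|ACTION|voucher.approve:V-1001
2020-03-02T09:30:00|u101|LOGOUT|ok
2020-03-02T09:31:00|u102|LOGIN|ok
2020-03-02T09:35:00|u102|ACTION|voucher.approve:V-1002
2020-03-02T09:50:00|u102|LOGOUT|ok
2020-03-02T10:00:00|u201|LOGIN|ok
2020-03-02T10:02:00|u201|ACTION|voucher.approve:V-1003
2020-03-02T10:40:00|u201|LOGOUT|ok
2020-03-02T14:00:00|u101|LOGIN|ok
"""


def parse_log(text):
    """Parse the pipe-delimited export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, detail = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "detail": detail})
    return events


def review_audit_trail(events, role_rights=ROLE_RIGHTS, user_roles=USER_ROLES):
    """Return the review points an auditor would extract from the trail."""
    last_login = {}            # user -> ISO timestamp of the most recent LOGIN
    open_sessions = {}         # user -> LOGIN time of a session not yet closed
    session_seconds = defaultdict(int)
    beyond_rights = []         # (user, action, document) not covered by the user's role
    makers = {}                # document -> user who created it
    maker_checker = []         # (user, document) created and approved by the same user

    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["event"] == "LOGIN":
            last_login[user] = ev["ts"].isoformat()
            open_sessions[user] = ev["ts"]
        elif ev["event"] == "LOGOUT":
            start = open_sessions.pop(user, None)
            if start is not None:
                session_seconds[user] += int((ev["ts"] - start).total_seconds())
        elif ev["event"] == "ACTION":
            action, _, doc = ev["detail"].partition(":")
            # An id missing from the directory has no rights at all, so every
            # action recorded under it is flagged as beyond rights.
            allowed = role_rights.get(user_roles.get(user), set())
            if action not in allowed:
                beyond_rights.append((user, action, doc))
            if action == "voucher.create":
                makers[doc] = user
            elif action == "voucher.approve" and makers.get(doc) == user:
                maker_checker.append((user, doc))

    return {
        "last_login": last_login,
        "session_minutes": {u: s // 60 for u, s in session_seconds.items()},
        "open_sessions": sorted(open_sessions),
        "beyond_rights": beyond_rights,
        "maker_checker": maker_checker,
    }


if __name__ == "__main__":
    report = review_audit_trail(parse_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed log the review flags u101 approving the voucher it created (maker-checker breach) and two approvals outside the users' roles, while the open 14:00 session for u101 shows a login with no matching logout.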
11. FORMAT OF REPORT/FINDINGS AND
RECOMMENDATIONS
As mentioned in Point No 10.
12. SUMMARY/CONCLUSION
Cloud computing is increasingly assuming a prominent and leading role in businesses for the
purpose of operational efficiency and cost reduction. In spite of the numerous benefits, users
remain anxious about data protection and dependency on the CSP for business continuity. As per
the discussion held with the management, the BOD of the company has initiated corrective steps
to overcome the "high implication" findings observed in the audit, and for those with medium
implication the BOD would take corrective action as soon as possible. Since the company has
migrated to a "Cloud based ERP System", it will initially be difficult for the organization as a
whole to adopt the newer technological environment perfectly. However, the management is
optimistic about future guidance with respect to the adoption of technological changes and their
impact on the organization.

More Related Content

What's hot

Yoga power point presentation
Yoga power point presentationYoga power point presentation
Yoga power point presentationkerrigangolden
 
Yogasutra of Patanjali presentation
Yogasutra of Patanjali presentationYogasutra of Patanjali presentation
Yogasutra of Patanjali presentationDr Ramesh Pattni
 
Narada Bhakti Sutras_Sanskrit.ppt
Narada Bhakti Sutras_Sanskrit.pptNarada Bhakti Sutras_Sanskrit.ppt
Narada Bhakti Sutras_Sanskrit.pptShama
 
Yoga Presentation
 Yoga Presentation Yoga Presentation
Yoga Presentationslidestoday
 
Bhagavad gita 18 chapters summary | Rahul Singh
Bhagavad gita 18 chapters summary | Rahul SinghBhagavad gita 18 chapters summary | Rahul Singh
Bhagavad gita 18 chapters summary | Rahul SinghRahul Singh
 
Scientific Error in the Corrupted Bible
Scientific Error in the Corrupted BibleScientific Error in the Corrupted Bible
Scientific Error in the Corrupted Biblegreatest man
 
Ashtanga Vinyasa Yoga by Siddharth Jain
Ashtanga Vinyasa Yoga by Siddharth JainAshtanga Vinyasa Yoga by Siddharth Jain
Ashtanga Vinyasa Yoga by Siddharth JainSiddharthJain510
 
Yoga kundalini-upanishad
Yoga kundalini-upanishadYoga kundalini-upanishad
Yoga kundalini-upanishadkrishna reddy
 
Yoga- An Exercise for Life
Yoga- An Exercise for LifeYoga- An Exercise for Life
Yoga- An Exercise for Lifebazinga111
 
Vedas the origin of yoga
Vedas the origin of yogaVedas the origin of yoga
Vedas the origin of yogaSridharan S
 

What's hot (17)

Yoga power point presentation
Yoga power point presentationYoga power point presentation
Yoga power point presentation
 
Yogasutra of Patanjali presentation
Yogasutra of Patanjali presentationYogasutra of Patanjali presentation
Yogasutra of Patanjali presentation
 
Narada Bhakti Sutras_Sanskrit.ppt
Narada Bhakti Sutras_Sanskrit.pptNarada Bhakti Sutras_Sanskrit.ppt
Narada Bhakti Sutras_Sanskrit.ppt
 
Yoga: A Basic Understanding
Yoga: A Basic UnderstandingYoga: A Basic Understanding
Yoga: A Basic Understanding
 
Ashtang yoga-book
Ashtang yoga-bookAshtang yoga-book
Ashtang yoga-book
 
Yoga Presentation
 Yoga Presentation Yoga Presentation
Yoga Presentation
 
Bhagavad gita 18 chapters summary | Rahul Singh
Bhagavad gita 18 chapters summary | Rahul SinghBhagavad gita 18 chapters summary | Rahul Singh
Bhagavad gita 18 chapters summary | Rahul Singh
 
Scientific Error in the Corrupted Bible
Scientific Error in the Corrupted BibleScientific Error in the Corrupted Bible
Scientific Error in the Corrupted Bible
 
YOGA : 1 TO 10
YOGA : 1 TO 10YOGA : 1 TO 10
YOGA : 1 TO 10
 
Yoga
YogaYoga
Yoga
 
Yoga Sutras
Yoga SutrasYoga Sutras
Yoga Sutras
 
Ashtanga Vinyasa Yoga by Siddharth Jain
Ashtanga Vinyasa Yoga by Siddharth JainAshtanga Vinyasa Yoga by Siddharth Jain
Ashtanga Vinyasa Yoga by Siddharth Jain
 
Yoga kundalini-upanishad
Yoga kundalini-upanishadYoga kundalini-upanishad
Yoga kundalini-upanishad
 
Yoga and meditation lecture
Yoga and meditation lectureYoga and meditation lecture
Yoga and meditation lecture
 
Yoga- An Exercise for Life
Yoga- An Exercise for LifeYoga- An Exercise for Life
Yoga- An Exercise for Life
 
Vedas the origin of yoga
Vedas the origin of yogaVedas the origin of yoga
Vedas the origin of yoga
 
Ens. religioso 2º ano
Ens. religioso 2º anoEns. religioso 2º ano
Ens. religioso 2º ano
 

Similar to Migrating to cloud based ERP Solution .pdf

A Comparison of Cloud based ERP Systems
A Comparison of Cloud based ERP SystemsA Comparison of Cloud based ERP Systems
A Comparison of Cloud based ERP SystemsNakul Patel
 
Sparkhound Consulting Services Overview 2020
Sparkhound Consulting Services Overview 2020Sparkhound Consulting Services Overview 2020
Sparkhound Consulting Services Overview 2020Ron Ellis
 
Soais Payroll Outsourcing[2]
Soais Payroll Outsourcing[2]Soais Payroll Outsourcing[2]
Soais Payroll Outsourcing[2]Kiran N
 
The Mystery Is Solved Demystifying Integrations
The Mystery Is Solved Demystifying IntegrationsThe Mystery Is Solved Demystifying Integrations
The Mystery Is Solved Demystifying Integrationsdreamforce2006
 
SARP Enterprise Suite 6.2- Corporate Profile
SARP Enterprise Suite 6.2- Corporate ProfileSARP Enterprise Suite 6.2- Corporate Profile
SARP Enterprise Suite 6.2- Corporate ProfileAsmat Hayat
 
Smart technology profile
Smart technology profileSmart technology profile
Smart technology profileAqib Khan
 
Best Software Development Company |Salesforce Consulting Services in Singapor...
Best Software Development Company |Salesforce Consulting Services in Singapor...Best Software Development Company |Salesforce Consulting Services in Singapor...
Best Software Development Company |Salesforce Consulting Services in Singapor...InfoDrive Solutions
 
EESI New Profile 2014 v5
EESI New Profile 2014 v5EESI New Profile 2014 v5
EESI New Profile 2014 v5Antonio Delgado
 
I T E007 Warner 091807
I T E007  Warner 091807I T E007  Warner 091807
I T E007 Warner 091807Dreamforce07
 
Marco Ma 2016-NOV
Marco Ma 2016-NOVMarco Ma 2016-NOV
Marco Ma 2016-NOVMarco Ma
 
Metakortex Presentation
Metakortex PresentationMetakortex Presentation
Metakortex Presentationguest0df6b0
 
Maximizing ROI with Legacy Application Migration
 Maximizing ROI with Legacy Application Migration Maximizing ROI with Legacy Application Migration
Maximizing ROI with Legacy Application MigrationMindfire LLC
 
Softengi - Inspired Software Engineering
Softengi - Inspired Software EngineeringSoftengi - Inspired Software Engineering
Softengi - Inspired Software EngineeringSoftengi
 
Softnology A Brief Look 2008
Softnology   A Brief Look 2008Softnology   A Brief Look 2008
Softnology A Brief Look 2008softnology
 

Similar to Migrating to cloud based ERP Solution .pdf (20)

A Comparison of Cloud based ERP Systems
A Comparison of Cloud based ERP SystemsA Comparison of Cloud based ERP Systems
A Comparison of Cloud based ERP Systems
 
Sparkhound Consulting Services Overview 2020
Sparkhound Consulting Services Overview 2020Sparkhound Consulting Services Overview 2020
Sparkhound Consulting Services Overview 2020
 
Soais Payroll Outsourcing[2]
Soais Payroll Outsourcing[2]Soais Payroll Outsourcing[2]
Soais Payroll Outsourcing[2]
 
The Mystery Is Solved Demystifying Integrations
The Mystery Is Solved Demystifying IntegrationsThe Mystery Is Solved Demystifying Integrations
The Mystery Is Solved Demystifying Integrations
 
SARP Enterprise Suite 6.2- Corporate Profile
SARP Enterprise Suite 6.2- Corporate ProfileSARP Enterprise Suite 6.2- Corporate Profile
SARP Enterprise Suite 6.2- Corporate Profile
 
Smart technology profile
Smart technology profileSmart technology profile
Smart technology profile
 
Project file
Project fileProject file
Project file
 
Best Software Development Company |Salesforce Consulting Services in Singapor...
Best Software Development Company |Salesforce Consulting Services in Singapor...Best Software Development Company |Salesforce Consulting Services in Singapor...
Best Software Development Company |Salesforce Consulting Services in Singapor...
 
EESI New Profile 2014 v5
EESI New Profile 2014 v5EESI New Profile 2014 v5
EESI New Profile 2014 v5
 
RFP.docx
RFP.docxRFP.docx
RFP.docx
 
I T E007 Warner 091807
I T E007  Warner 091807I T E007  Warner 091807
I T E007 Warner 091807
 
Marco Ma 2016-NOV
Marco Ma 2016-NOVMarco Ma 2016-NOV
Marco Ma 2016-NOV
 
Metakortex Presentation
Metakortex PresentationMetakortex Presentation
Metakortex Presentation
 
KTCV2016July
KTCV2016JulyKTCV2016July
KTCV2016July
 
Sai profile
Sai profileSai profile
Sai profile
 
Maximizing ROI with Legacy Application Migration
 Maximizing ROI with Legacy Application Migration Maximizing ROI with Legacy Application Migration
Maximizing ROI with Legacy Application Migration
 
Softengi - Inspired Software Engineering
Softengi - Inspired Software EngineeringSoftengi - Inspired Software Engineering
Softengi - Inspired Software Engineering
 
Softnology A Brief Look 2008
Softnology   A Brief Look 2008Softnology   A Brief Look 2008
Softnology A Brief Look 2008
 
Business Intelligenze Corporate
Business Intelligenze CorporateBusiness Intelligenze Corporate
Business Intelligenze Corporate
 
Ansari Waheed CV - Galaxy IT Services
Ansari Waheed CV - Galaxy IT ServicesAnsari Waheed CV - Galaxy IT Services
Ansari Waheed CV - Galaxy IT Services
 

Recently uploaded

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 

Migrating to cloud based ERP Solution .pdf

  • 1. PROJECT REPORT ISA 2.0 Migrating to Cloud based ERP solution
  • 2. ii TABLE OF CONTENTS Certificate 3 Details of Case Study / Project Prob. 4 Project Report – Introduction 5 Auditee Environment 6 Background 8 Situation 9 Terms and Scope of Assignment 11 Logistic Arrangements Required 12 Methodology and Strategy Adapted for Execution of Assignment 14 Documents Reviewed 22 References 23 Deliverables 24 Format of Report/Findings and Recommendations 27 Summary/Conclusion 28
  • 3. Project Report ISA 2.0 Migrating to Cloud based ERP solution 3 CERTIFICATE This is to certify that we have successfully completed the ISA 2.0 course training conducted at: Hotel Pride Plaza, Bodakdev Cross Road, Ahmedabad from 1st Feb 2020 to 29th April 2020 and we have the required attendance. We are submitting the Project titled: Migrating to Cloud based ERP solution We hereby confirm that we have adhered to the guidelines issued by CIT, ICAI for the project. We also certify that this project report is the original work of our group and each one of us have actively participated and contributed in preparing this project. We have not shared the project details or taken help in preparing project report from anyone except members of our group. 1. Name : CA Dhaval Limbani (ISA No. 62188) 2. Name : CA Manoj Jajodia (ISA No. 62682) 3. Name : CA Ashish Mehta (ISA No. 62810) Place : Ahmedabad Date : 30-04-2020
  • 4. Project Report ISA 2.0 Migrating to Cloud based ERP solution 4 DETAILS OF CASE STUDY / PROJECT PROB. ABC Infrastructure Ltd. (Auditee) provides Gas Pipeline Services and distribution, EPC Projects, Cross Country Pipeline Layering, Horizontal Directional Drilling across India. It is Well Equipped with total infrastructure and has kept in pace with the changing technology and construction team focused on Safety, Quality and Efficiency with cost effective project executed within time and budget. They are currently using stand-alone accounting and inventory package which has limited functionality. They have an aggressive business growth plans and found that the current software solution cannot meet their future requirements. ABC Infrastructure Ltd have decided to migrate to ‘Wilson’s On Cloud Solution (WOCS)- Standard Version’ a robust full suite of ERP Developed using Wilson Virtual works, a state-of- the-art software engineering and delivery platform. WOCS is expected to enable ABC to reap the benefits of the solutions with “Built in Best Practices” together with a highly “Flexible Framework” to ensure solution alignment to “dynamic business requirements” of ABC. The WOCS solution has standard product features which cannot be modify except based on the methodology followed by Wilson and the customer has to use the existing product without any changes. As a part of the software as service (SAS)development model, WOCS will not make any changes in the data entry screens/ Processes as per individual customers need.
  • 5. Project Report ISA 2.0 Migrating to Cloud based ERP solution 5 1. PROJECT REPORT - INTRODUCTION ABC Infrastructure Ltd is provider of Gas Pipeline Services and distribution, EPC Projects across India, having adequate infrastructure of technology with respect to changing environment. Company is having four branch office and more than 300 employees including at branches. Out of 300 employees, more than 40 employees are engaged in finance and accounts departments. At present company is maintaining a non-integrated and stand-alone accounting software, which require maintaining huge documentation. Now with the changing environment and future business growth company board decided to migrate ‘Wilson’s On Cloud Solution (WOCS) an ERP software from existing non-integrated software. The new ERP software will provide all business process function start from Project execution, marketing, purchase management to payroll and inventory management, financial and management accounting etc. to know the real time business information. ABC Infrastructure Ltd (auditee) appointed M/s MAD & Associates (Chartered Accountants known as auditor) to conduct the Cloud ERP System Audit of auditee. Auditor firm is having 3 years’ experience in conducting IS Audit. Firm is having 3 partner (CAs), 2 system auditor (ISA) and 3 other technical staff all having good knowledge and experience in their respective domain. S.NO TEAM MEMBER NAME QUALIFICATION DESIGNATION 1 Mr. Dhaval Limbani FCA, ISA Team Leader 2 Mr. Manoj Jajodia FCA Co-Team Leader 3 Mr. Ashish Mehta FCA Co-Team Leader 4 Mr. Pranav Pandya FCA, ISA Team Member 5 Mr. Mihir Pandya M.Tech, Phd (IT), BE (Software) Software Engineer 6 Mr. Dhaval Chikani M.Tech, BE (Software) Software Engineer 7 Mr. Darshan Panchal Phd (IT-Hardware Engineer) Hardware Engineer
  • 6. Project Report ISA 2.0 Migrating to Cloud based ERP solution 6 2. AUDITEE ENVIRONMENT ABC Infrastructure Ltd is provider of Gas Pipeline Services and distribution, EPC Projects across India. Since company is engaged in business of heavy infrastructure projects for Governments and big infrastructure companies. Company board consists of 7 directors, one Managing Director (CEO), one Finance Director (CFO), Sales & Marketing Director, Chief Operational Director (COO), Chief Information Office (CIO), 2 Executive directors. Board sets policy and procedure and laid down the strategy to complete business task, which will be executed and implemented by managerial and operational staff, which consists of each individual department head to operational level staff member. At present company is following a non – integrated accounting software which will no longer useful looking to changing business technology and growing changes in technology environment. At present company infrastructure is well equipped. But company is not following any ERP Software to integrate its all business function via one single platform. But MD is confident of the view that by providing adequate training we can train finance and accounts departments to cloud based ERP acquaintance. This will eliminate the need to purchase the necessary server and hardware storage, i.e. reduction in OPEX. Except respective tax laws, corporate law, labour law etc., IT Act 2000 company is not bound by any other legal compliance like RBI, SEBI, Banking Regulation, IRDA etc. The company has a compliance department which looks into matter relating to compliance the same is reviewed by internal auditor function. For effective operation of compliance department company have standard policies, procedure and guidance that defines regulatory standard requirement that apply to company.
  • 7. Project Report ISA 2.0 Migrating to Cloud based ERP solution 7 Information Security Policy S.NO POINTS DESCRIPTION 1 Acceptable Use Policy Company has defined acceptable use of computer devices, equipments and employee security measure to protect organization resources. 2 Clean Desk Policy Company has defined minimum requirement to be fulfilled a clean desk policy such as sensitive or critical information of company, employees, customers, intellectual property to be secured in locked area. 3 Encryption Policy Company has defined the acceptable encryption algorithms for system security and protection from unauthorized access. 4 Digital Signature Acceptance Policy Company has defined when “Digital Signature” is considered acceptance means of validating the identity of a signer in electronic communications/ documents. 5 Password Policy Company has defined different high-level configuration password for system access, email access for security of information and identity. Further there is policy of changing password within 90 days. 6 Network Security Policy Company has defined overall network access such as remote access policy (use of software for use of remote access), wireless communication policy to connect company network, standard for minimum security configuration of routers and switches inside computer network. 7 Server Security Policy Company has defined requirement around installation of third-party software and security configuration for servers. Further, company has defined proper requirement for disposal of equipment such as hard drive, USB, CD Rom etc. 8 Business Continuity Management Policy Company has defined requirement to ensure continuity of critical business operation. It is designed to minimize the impact of unforeseen event to facilitate business to normal levels.
3. BACKGROUND

The company has decided to change its accounting tool from a traditional package to a cloud based ERP (WOCS). The most important task for the company is therefore to migrate its data to the ERP system first. This is done via batch processing, under which one person uploads the data and another person then approves the transactions. Once the data is processed, the next critical operation is to reconcile it with the data in the traditional system to check whether all data has been brought across, and in the form required.

In a cloud ERP, the system is hosted on the cloud and the ERP service provider takes care of hosting it. This is based on the Software as a Service (SaaS) model, wherein the company accesses the software while the service provider manages the software, including the operating system and execution environment.

To check all these critical operations, the company wants an independent auditor. The auditor (MAD & Associates) will audit these functions starting from the initial mapping of codes, ledgers and groups, through data uploading, reconciliation, report spooling and trade checking, to establish whether all ERP modules (vendor, inventory management, financial accounting, sales and purchase, payroll etc.) work effectively and efficiently on the cloud site provided by the cloud service provider. The auditor will also check that the effect of one data entry on other ERP utilities is proper and correct. For this purpose, the auditor will thoroughly check whether system configuration and settings have been manipulated or modified. Further, the auditor will check the IT infrastructure configuration, such as operating systems, servers, networking devices and tools, and the security controls over them, to establish whether CIA (confidentiality, integrity and availability) could be compromised via unauthorized access, data manipulation etc., which would be a big threat to the organization.

In addition, the auditor will check whether the vendor is responsible for maintaining hardware and software, such as patches, upgrades and refreshes.
4. SITUATION

The Auditee is currently using a system of stand-alone accounting and inventory packages which has limited functionality. The company has aggressive growth plans for which the current software solution is not enough. The company's finance and accounts department has more than 40 employees; the current software packages are stand-alone and non-integrated, and extensive documentation is maintained. Management has therefore decided to migrate to a cloud based ERP.

The proposed Wilson's solution provides a single version of the product at any point in time. All product feature upgrades and updates are made available as part of the standard offering. The requirements are market driven and are prioritized on various criteria such as statutory needs, best business practice and key business processes. There are 14 modules in scope, such as sales & shipping management, accounts receivable, purchase, HR & Payroll, etc.

The current staff are not computer savvy and have limited knowledge of using computers, but the young MD has taken charge of training employees, and a cost consideration based on a model implementation with a 10 user license shows a positive cost benefit analysis and justification for the investment. Seeing these current problems and the benefits of the cloud-based solution, management has decided to migrate to a cloud based ERP.

The proposed solution provides complete applications which are sold on a subscription model for a specific period. This model gives the capability to use the provider's applications running on cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser. This brings savings to ABC Infrastructure Ltd, as there is no need to buy licenses for running programs on its own computers. The software solution is accessible using the existing computers.
Area of Risk and Risk Focused Area

1. Access Control: Is there appropriate ingress or egress filtering? Are there ACLs that segment the environment from other resources?
2. Virtualization: Is there a protected environment? How are host systems secured? Are resources utilized and released as expected? How are virtual resources interconnected?
3. Data Management and Data Storage: The cloud provider may not be able to match in-house IT service availability, recovery time objectives (RTO) and recovery point objectives (RPO). Cloud providers may drastically change their business model or discontinue cloud services. Due to technical architecture complexity and potential restrictions by the cloud provider, replicating data back to the enterprise or to another provider may be difficult.
4. Communication Channels: What communication protocols are used to communicate with other data centers? Are any clear text administration protocols used? Can communication in and out of the cloud, as well as within the cloud, be monitored? Are there any end user devices that can download data from the cloud?
5. Cloud Supporting Infrastructure: Utilize ISO2700 and SOC2 / SOC3 (Assurance Reports on Controls at a Third-Party Service Organization) Trust Principles: Security, Availability, Processing Integrity, Confidentiality, Privacy. Will administrators have "access" to the virtual data?
6. Software as a Service (SaaS): Examine the tools used for usage tracking and licensing. Examine the accuracy of reporting. Check separation from other applications. New risks may exist, as cloud computing can expand and shorten the SDLC cycle.
5. TERMS AND SCOPE OF ASSIGNMENT

Auditor's Terms & Scope
• How much security is enough?
• Who is responsible for data security?
• Criticality of the application being sent to the cloud.
• Control issues specific to the cloud service provider.
• Identify internal control and regulatory deficiencies that would affect the organization.
• Identify information security control concerns that could affect the reliability, accuracy and security of enterprise data due to weaknesses in the package solutions offered by the vendor.
• Outsourcer's experience with SLA and vendor management.
• Review contractual compliance between the cloud service provider and the customer, i.e. the auditee.
• Cloud vendor's policy on vulnerability management: reporting, commitment to following up, promptly responding to reports etc.
• Provide management with an assessment of the impact of implementing Wilsons on cloud solutions, security policy and procedures, and their operating effectiveness.
• Information systems audit of all/any aspects of security policy, business continuity, environmental access, physical access, logical access and application security.
• What is the impact on the auditor when the client has used a "Cloud ERP System", and how will data be audited at the cloud service provider.
• Compliance with enterprise policies, procedures, standards and practices as relevant.
• Compliance with regulations as applicable.
6. LOGISTIC ARRANGEMENTS REQUIRED

• The auditor requires the following hardware, software (application and system), information, and system configuration documentation.

1. Hardware: The auditor (MAD & Associates) needs 7 laptops, 3 desktops, networking cables, data cables and power backup equipment for execution of the assignment. All hardware must be configured so as to be compatible with the software.
2. Software (Application as well as System): Licensed software must be installed on all desktops and laptops so as to work in the auditee IT environment, with a high bandwidth internet connection.
3. Information: The information to be audited, which may be data, audio, video, electronic form data, images etc.
4. System Configuration Documents: System configuration documentation from the supplier or vendor of the hardware, software and source code, to understand the technical details clearly.

• ISO 27001 describes a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems, by applying a risk management process. The company (auditee) has obtained an ISO certificate stating that it meets the objectives of ISO 27001. The aim is to provide confidence and assurance to clients and customers that it follows best accepted business practices.

• In order to obtain assurance that the data processed by the system is complete, valid and accurate and is giving the desired results, computer assisted audit techniques (CAATs) shall be used. CAATs are computer-based tools which help in carrying out automated procedures to evaluate an IT system or data. They are very useful where a significant volume of auditee data is available in electronic format. CAATs provide a greater level of assurance than other techniques, especially manual testing methods.
• Use of CAAT Tools (Computer Aided Audit Techniques): The use of CAAT tools improves the audit process and helps in data extraction and analysis. The following are the techniques:

1. Generalized Audit Software: This tool is effective and efficient for IS audit. In this method an Access Control List (ACL) is a table under which data is locked down as read only to prevent inadvertently changing data. The organization defines access rights for each system user; every user has different rights such as read only, read and modify, approve etc.
2. Utility Programs: These programs are used to perform common data processing functions such as sorting, and creating and printing files. They do not contain features such as automatic record counts or control totals.
3. Test Data: Test data involves the auditor using a sample set of data to assess whether logic errors exist in a program and whether the program meets the organization's objectives. It provides information about internal controls and any weaknesses that exist.
4. Audit Expert System: In this technique the auditor performs tests of details of transactions and balances, analytical review procedures, compliance tests of IS general controls, compliance tests of IS application controls, and vulnerability testing.
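As an added example (not part of this report or of the auditor's working papers), the following script shows the two migration checks the Background and CAAT sections describe: record counts and control totals per ledger, with record-by-record exceptions, and the maker/checker rule on uploaded batches. The ledger extract, batch rows, field names and user names are all constructed for illustration.

```python
"""Constructed CAAT-style reconciliation of a legacy ledger extract against the
batches uploaded to a cloud ERP. Not the auditor's tool; all data is made up."""
from collections import defaultdict
from decimal import Decimal

# Constructed legacy extract: (voucher_no, ledger_code, amount)
LEGACY = [
    ("V001", "1001", Decimal("1500.00")),
    ("V002", "1001", Decimal("-250.00")),
    ("V003", "2001", Decimal("9800.50")),
    ("V004", "2001", Decimal("120.00")),
    ("V005", "3001", Decimal("75.25")),
]

# Constructed ERP upload batches; each row also records who uploaded (maker)
# and who approved (checker) the batch it belongs to.
MIGRATED = [
    {"voucher": "V001", "ledger": "1001", "amount": Decimal("1500.00"),
     "batch": "B1", "maker": "asha", "checker": "ravi"},
    {"voucher": "V002", "ledger": "1001", "amount": Decimal("-250.00"),
     "batch": "B1", "maker": "asha", "checker": "ravi"},
    {"voucher": "V003", "ledger": "2001", "amount": Decimal("9800.05"),  # keyed wrongly
     "batch": "B2", "maker": "meera", "checker": "meera"},  # self-approved batch
    {"voucher": "V004", "ledger": "2001", "amount": Decimal("120.00"),
     "batch": "B2", "maker": "meera", "checker": "meera"},
    # V005 was never uploaded; an unrelated V099 with the same amount was.
    {"voucher": "V099", "ledger": "3001", "amount": Decimal("75.25"),
     "batch": "B3", "maker": "asha", "checker": None},  # never approved
]


def reconcile(legacy, migrated):
    """Compare record counts and control totals per ledger, then list every
    voucher that is missing, extra, or carries a different ledger/amount."""
    leg = {v: (l, a) for v, l, a in legacy}
    mig = {r["voucher"]: (r["ledger"], r["amount"]) for r in migrated}
    totals = defaultdict(lambda: {"legacy_count": 0, "legacy_total": Decimal(0),
                                  "erp_count": 0, "erp_total": Decimal(0)})
    for l, a in leg.values():
        totals[l]["legacy_count"] += 1
        totals[l]["legacy_total"] += a
    for l, a in mig.values():
        totals[l]["erp_count"] += 1
        totals[l]["erp_total"] += a
    exceptions = []
    for v in sorted(set(leg) | set(mig)):
        if v not in mig:
            exceptions.append(("missing_in_erp", v))
        elif v not in leg:
            exceptions.append(("not_in_legacy", v))
        elif leg[v] != mig[v]:
            exceptions.append(("mismatch", v))
    # A ledger can balance on count and total while still being wrong
    # (ledger 3001 above), which is why the record-level pass is needed too.
    balanced = [l for l, t in totals.items()
                if t["legacy_count"] == t["erp_count"]
                and t["legacy_total"] == t["erp_total"]]
    return {"totals": dict(totals), "exceptions": exceptions,
            "balanced_ledgers": sorted(balanced)}


def maker_checker_violations(migrated):
    """Batches where no approver is recorded or the approver is the uploader."""
    bad = set()
    for r in migrated:
        if not r["checker"] or r["checker"] == r["maker"]:
            bad.add(r["batch"])
    return sorted(bad)


if __name__ == "__main__":
    result = reconcile(LEGACY, MIGRATED)
    for ledger, t in sorted(result["totals"].items()):
        print(ledger, t)
    print("balanced ledgers:", result["balanced_ledgers"])
    print("exceptions:", result["exceptions"])
    print("maker/checker violations:", maker_checker_violations(MIGRATED))
```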
7. METHODOLOGY AND STRATEGY ADAPTED FOR EXECUTION OF ASSIGNMENT

ISACA Cloud Computing Audit Program: Areas

• Planning and Scoping the Audit:
  - Define the audit/assurance objectives
  - Define the boundaries of review
  - Identify and document risks
  - Define the change process
  - Define assignment success
  - Define the audit/assurance resources required
  - Define deliverables
  - Communications
• Governing the Cloud:
  - Governance and Enterprise Risk Management (ERM)
  - Legal and Electronic Discovery
  - Compliance and Audit
  - Portability and Interoperability
• Operating in the Cloud:
  - Incident Response, Notifications
  - Application security
  - Data Security and integrity
  - Identity and Access management
  - Virtualization
• Audit Program under COBIT Framework (COBIT Control Objective and Audit Procedure):

1. Benefit Management (Acquire, Plan and Organize)
   Audit Procedure: Review the process for developing metrics for measuring benefits, e.g. guidance from domain experts and industry analysts.
2. Supplier Contract Management (Acquire and Implement)
   Audit Procedure: Confirm through interviews with key staff members that policies and standards are in place for establishing contracts with suppliers, e.g. legal contracts, financial contracts, intellectual property contracts etc.
3. Supplier Performance Monitoring (Deliver, Service and Support)
   Audit Procedure: Inspect supplier service reports to determine whether supplier performance is in alignment with the pre-defined SLAs and the supplier contract.
4. Identity Management (Deliver, Service and Support)
   Audit Procedure: Confirm that every user has a unique id and that access rights to the system are as per the documented business process framework.
5. Network Security (Deliver, Service and Support)
   Audit Procedure: Confirm with the organization that a network security policy has been established and is maintained. Further confirm that all network components, such as routers, VPNs and switches, are updated regularly.
6. Information Exchange (Deliver, Service and Support)
   Audit Procedure: Confirm with the organization that a proper encryption policy is in place for exchanging information outside the organization.
7. Contract Compliance (Monitor and Evaluate)
   Audit Procedure: Review policies and procedures to ensure that contracts with third party service providers comply with applicable laws, regulations and contract commitments.
8. Data Integrity (Deliver, Service and Support)
   Audit Procedure: Determine that a policy has been defined and implemented to protect sensitive information from unauthorized access, with authentication codes and encryption.
9. Governance
   • Review organizational strategy and risk appetite, roles and responsibilities, insurance, and governance tasks.
   • Monitor usage of cloud services through vendor provided dashboards or logging information available to the client.
   • Address issues promptly based on governance requirements and defined roles/responsibilities.
10. Data Management
   • Perform a data flow and privacy assessment by reviewing the data throughout its life cycle. Is it vulnerable at any point?
   • Ask for an overview of the dedicated, single-tenant and shared (multi-tenant) cloud services provided by the CSP.
   • Review data transfer to the CSP.
   • Data segregation: Review shared environments for data segregation, logical separation and security in a multi-tenancy environment, or utilize separate servers.
   • Data recovery: Review whether the CSP can do a complete restoration in the event of a disaster, or whether it has data replication capabilities available for an alternate data location. Review where that alternate location is, in addition to its recoverability capabilities.
11. Data Environment
   • Where are the data centers located? Can the CSP commit to specific privacy requirements?
   • Review the applications and operating systems utilized. Use a data life cycle approach regarding what is stored and where.
   • Obtain a description of how often infrastructure components, such as hardware and software, are updated.
12. Cyber Threat
   • What are the patch and vulnerability management program practices? How does the CSP ensure these practices do not create a security risk for client infrastructure?
   • What is the vulnerability remediation process?
   • Review the security monitoring processes utilized by the CSP.
   • Are there established application-level reviews, a defined Software Development Life Cycle process, and change notification and release management?
13. Infrastructure
   • Is there restricted and monitored access to assets at all times?
   • How is employee or third-party access to client data controlled?
   • Are staff background checks employed? How extensive are these background record reviews, and are they recurring?
   • Vulnerability management: Patch vulnerabilities in virtual machine templates and offline virtual machines.
   • Network management: Secure network traffic between distributed cloud components. Detection for defense against attacks originating from within the cloud environment.
   • Review the perimeter for exposure to distributed denial-of-service attacks against public-facing cloud interfaces.
   • System security: Review where there may be vulnerable end-user systems interacting with cloud-based applications.
   • Discuss how the CSP handles secure intra-host communications among multiple virtual machines.
   • Who controls the encryption keys? How are the encryption keys monitored? What are their storage and backup locations? Review encryption certifications, determine what they apply to, and test them.
14. Logs and Audit Trail
   • How long are logs and audit trails kept?
   • How does the CSP provide for tamper proofing of logs and audit trails?
   • Is there dedicated storage for logs and audit trails?
   • Can the CSP provide timely forensic investigations, e.g. eDiscovery and system analysis?
15. Availability
   • The client should review Service Level Agreement (SLA) uptime tolerance levels and check for "additional subtractions" disclaimers on the stated level.
   • Does the CSP have resiliency (e.g. clustered systems, redundancy and failover capabilities), and does it test these abilities after changes or system updates?
   • Does the CSP test restores, and what actions require additional fees? Where are the backups located (e.g. on-site, off-site, replicated to another location)?
   • What file and directory versioning is available? Does the CSP have an incident response plan, and can the CSP describe it?
   • What measures are employed to guard against threats and errors, use of multiple CSPs, and denial of service (DoS) protection?
   • When do peaks in demand occur, and does the CSP have the capacity to handle such maximum load?
   • What service level guarantee does the CSP offer under Disaster Recovery/Business Continuity conditions?
16. Identity and Access Management
   • Obtain information regarding authentication, restriction of access, and implementation of segregation of duties (SOD) for cloud provider staff.
   • Obtain a description of the physical security measures in place within the CSP data centers, including server areas and access to host/network systems.
   • Review the types of access available: single sign-on (SSO), authentication using the client identity management software, or two-factor authentication.
   • Does the client have administrative privileges and controls, and over which system components, software and/or client users?
17. Encryption
   • Understand the environment at the service boundary, including the connection points to and from the data, with encryption utilized for data in transit and data at rest, and the type of encryption.
   • Ensure that the CSP provides SSL from an established Certificate Authority (CA), and that the SSL CA has its practices audited annually by a trusted third-party auditor, e.g. Symantec WebTrust audit or AICPA WebTrust audit requirements.
   • SSL should provide a minimum of 128-bit encryption (256-bit optimum), based on the 2048-bit global root. Determine the type of encryption.
   • Is any encryption utilized for data at rest? For data in storage, how are encryption keys stored? For data backups, is the data encrypted in transit or at rest? How are keys managed?
18. Privacy
   • How are digital identities and credentials protected in cloud applications? What client data is stored and used, and what is its disposal process?
   • Under what conditions might third parties (including government agencies) have access to confidential data?
   • Is there a guarantee that third party access to shared logs and resources will not reveal critical, sensitive information?
19. Regulatory Compliance
   • What are the compliance requirements of the vendor or third party?
   • The provider should demonstrate that it meets financial viability requirements.
   • Review the vendor's commitment, and that of any third party service it utilizes, to remain in such compliance.
   • Discuss the CSP's commitment to maintaining the described level of security compliance, and the interval of conformity updates.
20. Legal
   • Ensure that there is an engagement agreement covering: the right to audit and physically inspect; timely removal of data and its destruction; change control notifications; intellectual property; cloud staff hiring requirements; and training, confidentiality, backups, outsourced services to other vendors, certifications, and their maintenance renewal intervals. Ensure the provider guarantees storage of the organization's data in a particular location based on the contractual agreement.
   • What notification arrangements are in place for the cloud provider to notify the customer organization in the event of a suspected breach?
   • What forensic investigation tools and cloud provider staff training are in place for logging and preserving evidence of an alleged violation?
   • Agreed upon recourse needs to be in place for security incidents, data breaches, or failure to meet SLAs.
   • Records management: Review the life cycle in terms of preservation, retention, eDiscovery and disposal policies based on organization requirements.
   • Review rights to data by ensuring that the client organization is the data owner for all data and applications, including replicated copies, with the right to delete all customer information if instructed, with assurance documentation and promptly as agreed between the client and CSP.
   • Update the cloud contract over time to reflect operating changes.
   • Specify whether there are any additional fees for termination of services, delivery, or erasure of data.
8. DOCUMENTS REVIEWED

We have reviewed the following documents during execution of this assignment to identify controls and weaknesses therein:
• User manuals and technical manuals relating to the system software and ERP.
• Organization chart outlining the organization hierarchy and job responsibilities.
• Circulars and guidelines issued to employees.
• User manuals and documentation relating to the ERP implementation by ABC Infrastructure Ltd.
• Any other documentation identified by us as required for the assignment, including the security policy document relating to the system.
• The SLA: the auditor has read and understood all its terms and conditions. Any term which is harmful to the company has been discussed with management in order to secure stakeholder interests.
• Audit findings documents.
9. REFERENCES

• Best practices relating to internationally accepted standards for IS Audit: COBIT (Control Objectives for Information and Related Technology), issued by the Information Systems Audit and Control Association, USA; COSO framework etc.
• Information Systems Audit and Control Association: IS Auditing Guidelines.
• Information Systems Audit 2.0 Course, Volume I, Module 1, Chapter 3, Part 1: Cloud and Mobile Computing.
• Information Systems Audit 2.0 Course, Volume 1, Module 2, Chapter 2: IS Audit in Phases.
• ISACA Audit Program and CAAT Tools.
• ISO Standard 27001.
• Deloitte (2010); Heiser (2015); Lehigh (2016); O'Hanley & Tiller (2013).
10. DELIVERABLES

• The following summarizes the review areas and the relevant findings, the auditor's suggestions and the risk rating.

1. Technology Selection
   Auditor's Findings: Before moving to the cloud, the organization (auditee) did not perform a cost benefit analysis.
   Auditor's Recommendation / Suggestions: NIL
   Risk Rating: Low
2. Physical Access Control
   Auditor's Findings: Access to data should be allowed only to authorized persons, since the data may be sensitive to stakeholders.
   Auditor's Recommendation / Suggestions: The organization should deploy biometric devices so that an access history is kept. The organization should adopt a maker and checker rule. Use the audit trail to check who accessed the data previously and their activity. Use the Clean Desk policy to secure sensitive data in paper form.
   Risk Rating: Medium
3. Login Access Control
   Auditor's Findings: Every user has unique login credentials and can access only the data for which they are permitted to transact. This helps to prevent any unauthorized data access. No user can approve or authenticate data.
   Auditor's Recommendation / Suggestions: E.g. login id and password, network monitoring and access control.
   Risk Rating: Medium
4. Audit Trail
   Auditor's Findings: We can identify who last logged in, user activity and the time spent by previous users.
   Auditor's Recommendation / Suggestions: With the help of this concept, users work within the rights assigned to them in order to maintain data security and integrity; even if anybody attempts to work beyond his/her rights, the same is traceable. Personal accountability of users also exists.
   Risk Rating: Medium
5. Firewall
   Auditor's Findings: Any data coming in or going out of the organization boundary is filtered by the firewall system. The firewall acts as a security barrier between the public and private networks and checks any data packets coming from the outside world into the private network for authentication and authorization etc. The system on which the firewall is installed is called a Bastion Host.
   Auditor's Recommendation / Suggestions: The organization should install all firewall types, namely proxy server, network level, application level and stateful inspection.
   Risk Rating: Medium
6. System Backup
   Auditor's Findings: When backups are taken of the system and data together, they are called a total system backup.
   Auditor's Recommendation / Suggestions: The organization should have a proper backup plan which specifies the type of backup to be kept, the frequency of the backup, the location of the backup etc. The following backup types may be selected: Full Backup, Incremental Backup, Differential Backup, Mirror Backup.
   Risk Rating: Medium
7. Service Level Agreement
   Auditor's Findings: Any terms and conditions which are harmful to the auditee organization, such as blackouts or disruption in service.
   Auditor's Recommendation / Suggestions: The organization and the CSP should meet in order to resolve the conflict, and the CSP should inform the organization about the alternate sites from which service will be provided in case of emergency failure of the main sites.
   Risk Rating: Medium
8. Data Privacy and Confidentiality
   Auditor's Findings: Access to customer data is restricted to the respective organization and its authorized personnel, and it is not to be shared with other organizations or other personnel.
   Auditor's Recommendation / Suggestions: The organization should establish a policy that maintains data privacy with respect to the other service receivers of the same cloud service provider.
   Risk Rating: High
9. Natural Disaster Events
   Auditor's Findings: The organization should consider natural events such as earthquake, tsunami, flood, fire etc.
   Auditor's Recommendation / Suggestions: The organization should have one additional BCP site with complete IT infrastructure, so that in case of a natural disaster normal business functions can continue without disruption.
   Risk Rating: High
10. Alternate Processing Facility Arrangements
   Auditor's Recommendation / Suggestions: Security administrators shall have one of the following arrangements with the cloud service provider regarding an alternate processing facility: Cold Site, Hot Site, Warm Site, Reciprocal Agreement. Further, the contract must include the following:
   • how soon the site will be made available subsequent to a disaster;
   • the number of organizations that will be allowed to use the site concurrently in the event of a disaster;
   • the priority to be given to concurrent users of the site in the event of a common disaster;
   • what controls will be in place and working at the off-site facility.
   Risk Rating: High

Implication of High, Medium and Low:
High: The issue represents a finding that exposes the organization to significant risk and requires immediate resolution.
Medium: The issue represents a finding that exposes the organization to risk that requires resolution in the near future.
Low: The issue represents a finding which does not require action from the organization.
11. FORMAT OF REPORT/FINDINGS AND RECOMMENDATIONS

As mentioned in Point No. 10.
12. SUMMARY/CONCLUSION

Cloud computing is increasingly assuming a prominent and leading role in businesses for the purpose of operational efficiency and cost reduction. In spite of the numerous benefits, users remain anxious about data protection and dependency on the CSP for business continuity. As per the discussion held with management, the BOD of the company has initiated corrective steps to overcome the "high implication" findings observed in the audit, and for those with medium implication the BOD will take corrective action as soon as possible. Since the company has migrated to a "Cloud based ERP System", it will initially be difficult for the organization as a whole to adopt the newer technological environment perfectly. However, management is optimistic about future guidance with respect to adoption of technological changes and their impact on the organization.