RSM India publication - How Robust is your IT System

How Robust Is Your
Information Technology System?

RSM Astute Consulting Group
Indian member of RSM International
Personnel strength of about 950
Consistently ranked amongst India's top 6 Accounting and Consulting groups
(Source : International Accounting Bulletin - September 2010 and September 2011)
Nationwide presence
International delivery capabilities
RSM International
6th largest network of independent
accounting and consulting firms in the world
Annual combined fee income of US$ 3.9 billion
700 offices across 94 countries
www.astuteconsulting.com

How Robust Is Your
How robust is your IT system?RSM Astute Consulting

Contents
Section I: IT Systems Assurance - A Holistic View
Section II: Progressive IT Systems Assurance Model
Section III: Journey towards Perfection
Section IV: Creating Excellence in IT Systems
Assurance
Annexure I
Annexure II
1-4
6-9
11-61
Chapter 1: IT Management Framework 11
Chapter 2: IT Infrastructure Management 16
Chapter 3: Application Controls 24
Chapter 4: Identity and Access Management 29
Chapter 5: Project Management - Transformation 33
Chapter 6: Operations Framework 40
Chapter 7: Protecting Data Layer 47
Chapter 8: Business Continuity Planning Framework 50
Chapter 9: Human Interface to IT Systems 54
Chapter 10: Compliance and Regulatory Framework 56
Chapter 11: Impact of Contemporary Trends 60
63-67
68
69
How Robust Is Your
RSM Astute ConsultingHow robust is your IT system?

Section I: IT Systems Assurance
- A Holistic View

Section I: IT Systems Assurance – A Holistic View
1.1 Introduction
1.2 ITSystemsAssurance–NeedandKeyDrivers
The Information Technology revolution has transformed the business landscape
across the globe in last two decades. Changes due to ERP systems, internet, social
networking, mobile computing, E-commerce have permeated through the entire life
cycle of any business organization. Organizations, irrespective of their nature, size
and industry, have witnessed a paradigm shift in the way they strategize, build and
operate their businesses around an IT eco-system. Information Technology has
become backbone for every business and in certain cases have become business
drivers like Banking & Financial sector, Airlines, Telecom, E-commerce Portals,
Manufacturingsector,etc.Theseindustrieshavecreatedtechnologyenabledbusiness
models that give them global reach and provide customer centric services with a
personalized experience. The internal levels of technology adoptions, associated
process changes, organizational risk profile and internal control systems have
undergone changes corresponding to the changes in the external world. Information
Technology Assurance Program is a continuous and dynamic program to ensure that
the internal control systems dependent on information technology of organizations
remaincurrent,comprehensive,effectiveandresponsivetosuchchanges.
Recognizing the need and importance of IT in business, organizations have invested
heavily in IT infrastructure, applications and all other supporting programs.
ManagementsareequallyconcernedonreturnonsuchITinvestments.Itisimperative
that given such critical role of IT in business today, management and stakeholders
review the IT systems in a structured and holistic manner and are concerned with
followingissues:
ØExistenceandeffectivenessofanITgovernanceframework
ØEffectivetechnologycontrolstoensuretransactionlevelintegrity
ØConfidentialityandtimelinessof informationprocessed
ØBusiness Continuity Plan (BCP) and Disaster Recovery Plan (DRP) ensuring
availabilityofdata
ØEffective compliance of regulatory requirements and adherence to industry
bestpractices
RSM Astute Consulting1 How robust is your IT system?

Various external and internal factors act as key drivers that compel the organization
toadoptacomprehensiveITsystemassuranceprogram.
1.2.1 ExternalFactors
ØRapidchangestoinformationtechnologiescreatingunknownrisks
ØIncreasingthirdpartydependenceonorganizationalkeyprocesses
ØIdentificationofnewvulnerabilitytosystemsondailybasis
ØEmergenceoforganizedandunorganizedhackercommunities
ØRising customer demands on service availability, process transparencies and
dataprivacy
ØStringentregulatoryframeworkandinternationalbenchmarkedstandards
ØFrequentacquisitionsandmergersleadingtocomplexITeco-systems
1.2.2 InternalFactors
ØVariance in organizational strategy, executive decision making process and
operationalenvironment
ØFragmentedapproachofmanagementtowardsadoptionoftechnology
ØInsufficient controls in terms of inadequate user training, lack of segregation
ofduties,inadequatetestingbeforedeployment
ØTrustedinsidersperpetratingfraud/misuseofthesystems
ØObsolesceofinformationassets
AgenericdepictionofthemotivationalfactorsforITAssuranceProgramissetbelow.
KeydriversofITassuranceprogram
System &
Process
Variances
Protection
from Internal
/ External
Misuse
Uninterrupted
Operation
needs
Global
Accessibility
of Data
Customer
Data Privacy
Changes to
Business /
Technology
Environment
IT Systems
Assurance
Industry
Regulation
2How robust is your IT system?RSM Astute Consulting

1.3 ITSystemsAssurance-AHolisticProgram
IT systems assuranceprogram is a holistic program adopted by the businesses for the
purpose of ensuring achievements of their short term and long term goals with the
help of IT. It is imperative that the IT systems assurance program encompasses entire
life cycle of the business and is functional at the grass root levels. Hence, internal
control systems need to be effectiveat business, process, technology and operational
layers.
An assurance of IT system needs to include IT management framework, that
necessarily includes Organization IT strategy, IT Risk Management Program, IT
Structures, IT Architectures and IT Policies to ascertain soundness of the foundations
of IT systems. Such program needs to be necessarily applicable to all IT Assets,
includingdata,applications,infrastructure,people,toolsandtechnologies.
ITsystemsassuranceprogrammusttakeintoconsiderationtheimpactofinformation
technology on the overall functioning of the organization. Such program needs to cut
through financial, legal, regulatory, operational assurance requirements. Impact of
constant changes to the technology environment areas must be covered under IT
assurance program. It is also important that IT assurance program addresses long
termsustenancerequirementsoftheorganization.
Finally, IT systems assurance program needs to have specific business objectives.
Beyond technology factors, it is expected to ensure capital protection, provide
competitive advantages due to efficient internal control systems, facilitate IT
compliance requirements and infuse customer confidence about overall well-being of
theorganization.
In today’s world where IT risks are embedded at various levels, an IT assurance
programcannotbetrulyeffectiveunlessitisallencompassinginnature.
Anillustrativediagramofthesameisgivenonthenextpage.

ImportantaspectsofITsystemsassuranceprogram:
ØItneedstobedynamictosuiteverchangingneedsofbusinesses
ØItneedstobegranulartocapturerisksembeddedintobusinessprocesses
ØItneedstobeoperationalinallphasesoforganizationevolution
ØItneedstobecustomizedtosuittheorganization'suniqueneeds
Finance
Data
Processing Legal and
Regulatory
Technology
Operations
Human
Resource
Information Systems
Assurance
Threats-InternalandExternalSources
Protection-ProceduralandToolBased
Information Assets Cross Functional View
People
Tools
Infrastructure
Application
Data
I.T. Framework
Strategy
Risk Management
Structures
Architectures
Policies
Business Objectives
Capital Protection
Competitive Advantage
Compliance
Customer Confidence

Section II: Progressive IT Systems
Assurance Model

Section II: Progressive IT Systems Assurance Model
Introduction
As the IT AssuranceProgram is comprehensive, organizations facevarious challenges during
its implementation and review. The IT maturity levels and business requirements for every
organization are different in nature. It is necessary to unfold the program in a structured
mannerassuitabletotheorganizationandindustry’suniqueneedsandthroughanorganized
change management process. There should be specific programs, processes and visible
outputs at every stage to give management a comfort and confidence that there is a
continuous progress in the IT assurance program. Typical concerns the management would
addressinstagewisemannerwouldinclude:
StageI
WhatisthecurrentorganizationITposture?
WhatarethecurrentITrisksandconcerns?
IstheorganizationdeployingtheappropriatemeasurestoaddressITrisks?
Has the organization assigned appropriate resources to implement such
measures?
Having assessed the macro level view of the organization IT risk program, managements
wouldtypicallyliketoassesstheprogressofanITriskmitigationprogram.
StageII
Whataretheorganization'sspecificpainareasandwhydotheyexist?
How deep-rooted are the risksand to what extent do they impact the organization'sIT
posture?
Hastheorganizationadoptedtherightmitigationmeasures?
Is it necessary to review and, implement the program in a simplified and progressive
manner?
StageIII
Further, the same organization would take an integrated view about the success of the IT
assurance program. Typically, the concerns that management would like to address / value
wouldinclude:
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø

Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
HowdoITriskshaveanimpactonorganizationbusinesseco-system?
Aretheriskmitigationmeasureseffective?
Aretherepreviouslyunidentifiedrisks?
Istheorganizationabletoachieveitscompliancepostures?
IstheorganizationleadingintheITRisksManagementpractices?
ItisimperativethattherolloutofITassuranceprogramismappedontheabovemanagement
concernswithtangibledeliverablesateverystage.
Accordingly,ITprogressiveassuranceprogramconsistsof:
ITPreliminaryassurancethroughoverview
ITenvironmentassurancethroughsubstantivechecks
End-to-EndITassurancethroughintegratedchecks
The usefulness of such reviews is tabulated on the next page for illustration purpose.

ProgressiveITAssuranceModel
Level1:
ITPreliminaryAssurance
Level2:
ITEnvironmentAssurance
Level3:
End-to-EndITAssurance
OverviewSubstantiveChecksIntegratedChecks
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
ITManagerialFrameworkStrategy,
Architecture,StructureRiskManagement,
Policies
ITInfrastructureManagement
ApplicationControlManagement
IdentityandAccessmanagement
ProjectManagement
OperationalFramework
DataLayerProtection
BusinessContinuityFramework
Humaninterface
Compliance&RegulatoryFramework
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
OrganizationUnitLevelFramework
StandardOperatingProcedures
AssetClassification,RiskAnalysis
Network/ConfigurationControls
Design,ConfigurationControl
User-Role-Authenticationmanagement
ProjectRiskManagement
OperationalProcessControls
DataFlow/StorageControls
BusinessContinuityTestevaluation
BackgroundChecks/Training
PreparingforCompliance
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
BusinessGoalAlignment
ITRisksmappingonERM
ITStructuralReviews
ToolBasedScan
DataAnalysisandMigrationChecks
HRMasterDataIntegration
ReturnonInvestment
Concurrent/EffectivenessChecks
IntellectualPropertyProtection
BusinessImpactAnalysis
ITMaturityMeasurement
Industrystandards/Certification
lWhatismyITPosture?
Whataremymainrisks/concerns?
lAmIdoingtherightthings?
l
lWhyaremypainareas?
lAmIdoingthethingsrightly?
lHowdeeparetherisks?
lHowITRiskstranslatetobusiness?
lAmItheindustryleader?
lAreriskmitigationplansworking?
lITRiskDiagnosticReviewReport.
lWhatshouldyoudoinnext12months
tomitigaterisks?
lHowisEnterpriseRiskeffectively
managedthroughIT?
lHowshouldyoumeasureyour
industrystanding?
lTechnicalRiskAssessmentReport
lHowareyouprogressingwithrespectto
riskmitigationplans?
Deliveries

IT Overview is more useful
when
Organizations have not
conducted IT review in the
past
IT Substantive checks are
more useful when
One or more IT Areas
requiring deep dive
IT Integrated checks are
more useful when
IT systems need to be
validated along with overall
internal control systems
Automated or system tools
are necessary due to high
volumes or nature of the
systems
Organizations have frequent
issues related to IT
management
There is a need to validate
the assumptions and
progress of IT evolution
Organization intends to
obtain industry specific
compliance or certification
The IT eco-systems need
significant changes
Detailed supporting to the
diagnostic reviews is
required
Major changes in the
organization information
processing systems need
validation
Mergers and Acquisitions
take place
Systems undergo major
changes
Organizations intend to take
long term view of process
improvements
The review time frames
available are short
Organizations are willing
spend adequate time to
focus specific issues
Illustrative usefulness of such reviews is tabulated below:

Section III: Journey towards Perfection

Chapter 1: IT Management Framework
1.1 Introduction
IT Managerial framework sets the context for all Information Technology initiatives.
The framework needs to be comprehensive and should take 360 degree view of the
organization requirements. The IT Management Framework includes Strategy,
Architecture, Structure, Risk Management and Policies. Each of these aspects are to
bedealtseparately.
1.1.1 AlignmentofITStrategywithBusinessGoals
Success of an IT System depends upon how closely the IT strategy, execution and
monitoring are linked to business goals. Some of the common deficiencies arise
when.
ITstrategiesarepreparedinisolationofbusinessstrategies.
BusinessestendtounderestimatethecriticalityofcertaindormantITissues.
CrossfunctionalteamsdonotparticipateinITstrategyprogram.
It is necessary that business goals are well defined and IT goals are derived from
individualbusinessgoals.
An illustration of how IT Strategy is aligned to Business Goals is shown in the figure
below.
Ø
Ø
Ø
BUSINESS GOALS IT GOALS
New Services
Functionality
Upgrades
Scalable
Architecture
IT Risk
Management
Business Strategy
Customer
Acquisition
New Products
Business
Expansion
Enterprise Risk
Management

1.1.2 InformationArchitecture
Every business entity is supported by its individual functional units which have their
respective roles to play within the organization. Also, each functional unit is
dependentontheITsystemsforitsindividualdataprocessingneeds.
Thebelowgivendiagramdepictshowvariousfunctionalunitswithintheorganization
areconnectedtoeachotherthroughthedataprocessingneeds.
IT functional architecture gets defined after considering nature of information
exchange, volume of data processing, geographical locations of operations, data
processing,deploymentandscalabilityrequirementsandinternalcontrolsstructure.
Inthecurrentenvironmentoffrequentmergersandacquisitionsandotherstructural
changes, business interfaces and data processing need to undergo constant
changes.Unmanagedchangescreatelongtermrisksfortheorganization.
Such activities require due diligence, third party audits and sharper definition of
roles,responsibilitiesandliabilitiesincaseofsystembreaches.
Data
Processing
Needs
Human
Resource Legal &
Compliance
Material
Management
Project
Planning
Data
Center
Service
Provider
Customer
Services
Sales &
Distribution
Third Party
Production
Management
Operations
Accounts &
Finance

1.1.3 ITStructure
IT structure is necessaryto establishproper and efficientIT executionprocesswithin
theorganization.Tohaveappropriatechecksandbalanceswithin,itisnecessarythat
roles and responsibilities of various functions are well defined. Some of the common
deficienciesinclude:
Impropersegregationofdutiesindecisionmakingandexecutionprocess
Organizationsperformingprimarilybasedon“assumedresponsibilities”
Improperanalysisofworkcontents,estimatesandstaffalignment
Inadequatemechanismtomeasureskills
Agoodorganizationstructureisderivedfromwelldefinedworkbreakdownstructure
(WBS) and functional breakdown structure (FBS) hierarchy. With the level of
technologyabsorptionandprocessintegration,thestructuresneedtobedynamic.In
case of large organizations, the relationship between central units, individual
function units and various control functions needs to be well defined in such a way
thatoverallinternalcontrolsystemremainswellcoordinated,efficientandoptimum.
Certain functions if outsourced would be more effective, however, organization
needstohavetheownershipandaccountabilityforthesame.
1.1.4 ITRiskManagementFramework
With the increasing dependence on IT systems, organization’s vulnerability to IT risk
also increases. Thus, the success of the organization depends upon its ability to
contain IT risk which require it to create an IT risk management program. An IT risk
managementprogramneedstoemergefromEnterpriseRiskManagementprogram.
ITriskmanagementprogrammethodologyneedstobewelldefinedanddetailed.This
shouldcoverthefollowingaspects:
AssetIdentification,Classification,Valuation
AssessmentofThreatsandVulnerabilities
OverallRiskAssessment
RiskPrioritization
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
ERM
Control
Activities
Control over
Information
Systems
IT controls at
individual layer

Ø
Ø
Ø
Ø
Ø
Ø
ControlEvaluationwithCost-BenefitAnalysis
RiskTreatmentPlan:Acceptance,Avoidance,TransferandMitigation
1.1.5 ITPolicies
IT policy is the most important and critical part of IT assurance of the organization.
The coverage, depth and maturity of the policy varies from organization to
organization. Also, various industry and regulatory bodies make IT policy a
mandatoryrequirementforcompliance.
CommondeficienciesinITpolicymanagementinclude:
ITpoliciesarenot alignedwithchangesintechnologicalenvironment
ITpoliciesdonotadequatelyprovidethenecessarydirectiontoexecutionteam.
ITpoliciesdonotprovidenecessaryoperationallevelflexibility.
IT policies are not communicated to the staff and all the concerned persons in an
effectivemanner.
Management needs to ensure that IT polices remain the guiding force to the
organization’sITframework.
The effective management of IT policy and procedural framework with a layered
approacharedepictedinthefigurebelow.
ITPoliciesandProceduralStructure
Directional Policies
• Signed by Steering Committee
Functional Policies
• Signed by Functional Heads along with IT
Standards & Guidelines
• Signed by governing body
Detailed Operational Procedures
• Signed by operation owners
3 Characteristics
Vision statement
• Signed by the CEO
Comprehensiveness
Consistency
Communication

1.2 Reviews
AnoverviewoftheITmanagementframeworkneedstocover:
Existence, ownership and review process of strategy, risk management,
structure,architectureandpolicies
Changemanagementandapprovalprocess
AsubstantivereviewoftheITmanagementframeworkneedstocover:
Appropriatenessofthemethodsandstandardsadoptedbyorganization
ThefunctioningofITmanagementatindividualunitleveloftheorganization.
ExistenceanddetailingofStandardOperatingProcedures
AnintegratedreviewoftheITmanagementframeworkneedstocover:
The alignment of the entire IT management framework with business strategy,
enterpriserisksandoperationalplan
Ø
Ø
Ø
Ø
Ø
Ø

Chapter 2: IT Infrastructure Management
2.1 Introduction
Today no organization functions in isolation from the rest of world and is always
connectedexternallyandinternallythroughameshofnetwork.
Organizations provide connectivity to the external users such as customers,
suppliers, business partners, and other stakeholders. Also, internal users of the
organizationare permitted to connectto the organizationalnetwork through remote
accesses. Such accesses are provided through public / E-commerce websites, kiosks/
ATMchannels,mobilecommerceandserviceoutlets.Suchconnectivityisprovidedby
deploying lease lines MPLS, VPN, wireless technologies and other equivalent
mechanisms. Now-a-days, many financial transactions across banks, Government
institutions take place through interfaces and payment gateways. In the modern
world,suchconnectionsareoftenpartofglobalnetworks.
To facilitate external connectivity, organizations create interfacing architecture.
Consideringtheelementshostedinthearchitecturesthatarepronetoexternalrisks,
a separate network segment is created and special security measures are taken to
preventand/detectanydirect/indirect/potentialriskstothissegment.
Internally, users of the organization get connected on wide area network and local
area networks, using various connectivity techniques. The spread and complexity of
internal network depends on various factors including the number of locations,
number of users, nature of activities they perform, data processing volume and
overallsystemdeploymentarchitecture.
The internal network is divided into multiple segments using routers, switches,
firewalls, virtual LANs and various other techniques. These segments host various
servers, databases and information processing devices. The entire functional
architectureoftheorganizationismappedonthenetworkarchitecture.
There exist various types of technology solutions that are capable of controlling and
monitoring behaviour of various network elements. These are responsible for
enforcingcentralizedpoliciesthatincludemanagementofAnti-Virus,CentralDomain
Controllers, Authentication Servers, Data Protection Servers, Log Monitoring Servers
andmanymoreservices.

Internal users ofthe organizationconsists ofvarious classesofusers such as normal
users and premium users E.g.administrators and the critical datacustodians. Eachof
these user classes require different levels and types of access with different level of
requirementfordataconfidentiality.
Inanutshell,organizationtypicalnetworkconsistsoffollowingbroadsegments:
Externalnetworksconnectingtotheorganization
Internalnetworksegmentcommunicatingwithexternalworld
Internalnetworksegmenthostingorganizationinfrastructure
Internalnetworksegmentfromwhereusersoperate
Schematicdiagramforthesameisdepictedonthenextpage.
In reality, the architectures could be more complex for most of the organizations as
the number of network elements run into hundreds, thousands or even beyond
dependingonthesizeoftheorganizationandvolumeofdataprocessing.
Further,thewaytheorganizationcreatesitsinternalnetworkdependsonitsbusiness
modelandgeographicalandfinancialconstraints.
Ø
Ø
Ø
Ø

TypicalNetwork

2.1.1 ExternalThreatstoOrganizationNetwork
Technologies create immense business opportunities by allowing connectivity to the
external world. This also brings in various risks for the business. Managements are
always concerned about fraudulent activities taking place on the network from
outside sources, (e.g. an attack on internal network through malwares and security
threats during e-commerce transactions). Any mis-configuration of elements can
result into vulnerability that can be exploited by external users. Some of the
vulnerabilitiespronetoexternalthreatsare:
Weaknesses in security architecture that allow direct access to internal network
fromexternalsources
Weak encryption techniques used during data transmission that allows data
sniffingandinterception
Inabilitytopreventvarioustypesoforganized/unorganizedhackingattemptson
the network that potentially can result into denial-of-service, web defacing and
all such equivalent consequences. These pose a reputational risk to the
organization
Data theft by unauthorized user accessing the network or information resource
likeserverthroughcompromisedcredentialsofauthorizedusers
Performance bottlenecks on the network impacting customer service and
externalinterfaceprocessingcapabilities
With the rising complexity of the technologies, ease of hacking tools, determined
socially disgruntled groups, international and business rivalries, the cyber-attack
possibilitiesarereal.
Organizationsneedtoenhancetheirabilitytohandlethreatmechanismsonrealtime
basisandkeeppacewiththerateatwhichexternalthreatprofilesarechanging.
Safeguardsfromexternalthreatstotheorganizationinclude:
Establishverystrongauthenticationmechanismstoexternalconnectivity
Encryptthedataflowingonnetwork
Createstrongtrafficmonitoringandfilteringmechanismatdifferentlayers
Keepexternalinfrastructuretestedandupgradedtopre-emptanyattacks
Carryvulnerabilityanalysisandpenetrationtestsandtakecorrectivemeasures
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø

2.1.2 InternalThreatstoOrganizationNetwork
Internal networks would be segmented into various zones and network traffic is
regulated using firewalls, switches, routers and various other devices. These devices
can be deployed across various regions, geographies and virtually create borderless
organizations. In spite of the best internal design, given the complexities involved,
concerns on system compromise due to flaws in internal network systems would
exist.
Incorrectconfigurationrisksinclude:
Creating unwanted internal navigation paths for users due to “open”
configurationsondevices
Improper user management and authentication configuration that allows entry
tounauthorizedusers
Weaknesses in administrative, accounting and auditing controls impacting
preventiveanddetectiveabilitiesoftheorganization
Unencryptedinterfacesthatcanbesniffedbymaleficuser
Redundant software residing in the system in the form of programs, utilities,
scripts
Weaknesses in centralized control architecture due to which organization
policiescannotbeenforcedonallinformationresources
Traffic anomalies and bottlenecks resulting in degraded services on internal
networks
Theefficiency,availabilityandsecurityoftheentirenetworkdependsonhowwellthe
business requirements are mapped on network devices and how these devices have
beenconfigured. Broadly,theseincludevarioustypesof:
Authenticationtechniques
Trafficmonitoringtechniques
Policyenforcementtechniques
Performancemeasurementtechniques
LoggingandMonitoringtechniques
Acombinationofmultiplesuchtechniquesatdifferentlayersinstructuredmanneris
necessary to create an efficient defence and monitoring architecture. An active
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø

vigilance on these outcome pre-empts several threats to the network in timely
manner.
A careful analysis of the events taking place across organization architecture
gives a good insight on the behavior of traffic flowing across networks. This
helps organizations to fine tune the security and performance in an on-going basis.
Safeguardstotheorganizationnetworkinclude:
Propernetworksegmentation
Sensitivesystemisolation
Datamanagementcontrols
Encryptingdataflows
Loggingandmonitoringsystemactivitiesincludingadministrativeactivities
2.1.3 InsiderThreatsforanOrganization
Managing the IT systems do contain human element and organizations need to have
trust environment to operate successfully. With the advent of technologies,
emergence of new vulnerability exploitation techniques and access to organization
data resources, organization is dependent on ‘trust level of an insider.’ Hence,
organizationsareconcernedoninsiderthreats.Theseinclude:
’Trusted’insidersmisusingthesystemsusingtheirprivilegesandrights
Exploitationofnetworkandapplicationweaknessesforindividualgains
Manipulationofaccessrightssoasto‘allow’fraudulentactivities
Suppressingsystemevidencesandlogs
Organizationsneedtocreatesafeguardsfromsuchthreats.Thesesafeguardsinclude:
Creating “need to know” based internal access systems with built-in segregation
ofduties
Performbackgroundchecksandhaveapracticeofperiodicjobrotations
Restrictedaccesstosystemevidencesandlogs
2.1.4 RiskRemediationthroughVulnerabilityAssessmentandClosure
In practice, it is not easy to achieve and retain completely secure systems
architecture.Vulnerabilitiesexistacrossallnetworklayers,devicesandtechnologies.
These vulnerabilities are detected through in-house tests or publicized by product
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø

vendors or through global databases and need to be acted upon immediately.
Vulnerabilityassessmentsandremediationareactivitiesthattheorganizationneeds
to perform across on a continuous basis. This includes assessing the impact of the
same on the working environment, identifying remediation plan, appropriate testing
and releasing patches. Following best architecture, development and change
managementpracticesisthebestwaytostayawayfromvulnerabilityissues.
2.1.5 DifferenceinBusinessModelsInfluenceITControlSystems
In today’s organizations, several functions such as data center management, e-mail
management, day-to-day operations, storage management and application
management are outsourced to external parties. Cloud computing based
technologies are becoming popular as a result of which organizations’ data
processing activities are now carried out through a mesh of networks and functions
which are widely distributed. A truly modern organization can work on “hyper-
connected” model. This has significant impact on organizations’ internal control
systems.Anillustrationofthesameistabulatedbelow:
Correlation among Business Model and Information Architecture and how it impacts
internalcontrolssystem
Business Model
ClosedCentralized
Information Architecture
Centralized Assets/
Centralized IT Operations,
Individual units are users
Control
Complete,Internal
Distributed and Internally
Controlled
ClosedDecentralized Centralized framework, all
assets belong to the company,
however the deployment and
operational decision making
at individual business units
end
Outsourcing of IT Data
Centers
Infrastructure services
outsourced and rest is
managed internally
Strongly internally
controlled, External control
through SLA
Reduced organization direct
control, need effective
monitoring
HighLevelOutsourcing Infrastructure, Customer
handling services outsourced
and rest is managed internally
Limited control on IT
function, however
accountability cannot be
outsourced
SignificantOutsourcing Server + Application +
Operations are outsourced,
only data belongs to
organization

IT assurance program and its transition need to be aligned as per the set-up of the
organization.
Review process on entire network architecture and processes are necessary to
evaluatetherobustnessofnetworkarchitecture.
AnoverviewofITinfrastructureneedstocover:
Adequacyoforganizationpoliciesandproceduresatdifferentlayers
Testchecksonproceduresaroundarchitecturemanagements
AdherencetoServiceLevelAgreementssignedwithvendors
SubstantivereviewofITinfrastructureneedstocover:
Networkdevicesconfiguration
Changemanagementprocesses
Technologyobsolescenceandvulnerabilityanalysis
Securitychecksoninternalnetworkpaths
IntegratedreviewofITinfrastructureneedstocover:
Administrativecontrolsandchecks
Indepthanalysisofsystemfiltersatdifferentlayers
Rootcauseanalysisofdifferentincidents
Anomaliesdetectedthroughtrafficmonitoringlogs
Businesscomplianceneedstobesupportedbyinfrastructure
2.2 NetworkReviews
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø

Chapter 3: Application Controls
3.1 Introduction
Organizations develop and deploy applications in their environment for
automation of their business processes. Applications provide integration of
various functions, provide necessary work flow, increase internal operational
efficiencies and provide complete visibility to the management about the current
statusof thetransactionsatvariouslayers.Organizationalintelligenceisbuiltinto
the design of the application. Applications are normally scalable, used by large
segmentoftheorganizationandprocessvoluminousdata.Asapplicationsmature,
organizations become more dependent on application function. Every application
has its own architecture, platforms, functionality, and purpose. Application
controls become one of the most determining factors in evaluating the overall risk
postureoftheorganization.
Most organizations deploy either ERP or legacy systems solutions to support their
data processing needs. To have an effective implementation, application controls
need to be incorporated at the design stage and should take into account the
following.
LogicalAccesscontrol
Authenticationcontrol
Userinterfacecontrol
Inputvalidationcontrols
Dataprocessingandoutputcontrols
Functionalcontrols
Sessionlevelvalidation
Controlsbuiltaroundserver,databaseandoperatingsystemarchitecture
Scalabilityandperformancecontrols
Securecodingcontrols
3.1.1 EnterpriseResourcePlanning(ERP)andLegacySystems
An organization may have different IT applications to fulfill its information needs.
These needs may be fulfilled by legacy applications or integrated ERP applications.
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø

However ERP is preferred to legacy applications as it integrates the business
processes in seamless manner, adopts best industry practices and has in-built
featuressuchas:
OpenSystemarchitecture
Multi-tierArchitecture
EnterpriseDataModel
Accessiblethroughchannels
Multi-national,Multi-currencytransactions
IntegratedReal-Time
Abilitytostaywithcurrenttechnology
Strongintegrationwithbusinessprocesses
Providingintegratedturnkeysolutions
However,ERPsaresometimescumbersometoimplement,requirebusinessprocess
reengineering, good change management and acceptability at various levels and
sometimes have a long implementation phase. Hence, legacy systems continue to
occupy critical space in business IT architecture. Legacy systems are aligned to
organizational requirements and are firmly embedded into organization’s
processes. However, organizations need to take extra precaution to ensure that
they run on current technologies, follow strong development processes, have
strongbusinessintegrationandembedfunctionalcontrolsintothesystem.
3.1.2 SoftwareDevelopmentLifeCycle(SDLC)
SDLC or System Development Life Cycle is the process to create or change existing
information systems. A well-defined SDLC is necessary to have efficient
information systems. Various models have been created to fulfill the need of the
same. Some of them are waterfall, spiral, incremental and rapid application
development.
TheimportantSDLCstagesasperthemostcommonlyusedmethodare:
BusinessRequirementAnalysis
Feasibilitystudy
Systemrequirementstudy
Systemdesign
Development
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø

Ø
Ø
Ø
Ø
Ø
Ø
Ø
Integrationandtesting
Acceptanceandreleasemanagement
Maintenance
Having a structured approach to software development leads to better control,
documentation, maintenance ease and higher development and design standards.
However,thismayincreasethedevelopmenttimeandcosts.Iforganizationsdesire
to have flexibility to suit the operational needs, such rationale should be
documented,approvedanditmustbeensuredthattheinternalcontrolsystemsare
not compromised for the sake of expediency. Also it is recommended that controls
should be embedded into the application in design stage and validated during
every stage of the project before the application is deployed in the live
environment.
3.1.3 SoftwareDevelopmentPractices
Software development is a complex and important area for all organizations. Apart
from having a structured approach, there is a need of adopting better practices to
have secure and well-designed software architecture. Some of the illustrative
practicesarementionedbelow.
Source code is a crucial intellectual property which not only satisfies the
business needs but also a repository of important organizational knowledge.
Software library should have strong access, archival and modification controls
andmonitoringmechanism.
Project system landscape should consist of three separate environments for
development, testing and production. Procedural controls should be
implemented to ensure that these activities are performed in their respective
environmentsonly.
Most of the web application software that is used for managing and providing
sensitive information across the web becomes target for improper or illegal
penetration. Anti-social elements and hackers attempt to hack the system for
personalgain.Securitycodingtestingverifiestheprotectionmechanismsused
forbuildingthesoftwarefromillegalhacking.
In-spiteofhavingthebestapplicationsoftware,implementationprocessesand
projects teams, there are reasons to rollback changes made to the application
systems. Hence a contingency plan should be in place to deal with such
situationseffectively.

Anillustrativesystemlandscapeisshownbelow:
3.1.4 PlatformVulnerabilities
Information systems are platform centric in nature. They may be dependent on a
particular operating system, application software and development platform.
These vulnerabilities may be on a higher side if the system in question is a legacy
system developed by internal team or external vendor. The vulnerability may exist
due to weakness of individual platform or development weakness. Also these
platforms may become obsolete as vendor support for the platform might have
expired or the usage of platform has reduced in the market. To overcome these
weaknesses, platform vulnerabilities need to be identified and removed. Further,
information systems using obsolete platforms should be identified and upgraded
tocurrentplatforms.
Anoverviewofapplicationcontrolsneedstocover:
Applicationarchitecture
Applicationfunctions
Applicationsecurity
Applicationoperations
3.2 Reviews
Ø
Ø
Ø
Ø
System Landscape
Development Quality Production
Developers Testers Trainers Users

Substantivereviewofapplicationcontrolsneedstocover:
Detaileddesignoftheapplicationarchitecture
Detailedfunctionalityofapplication
Detailedsecurityfeaturesofanapplication
Integratedreviewofapplicationcontrolsneedstocover:
Operationalandfinancialeffectivenessreview
Ability of the application to meet functional, security, compliance and
regulatoryneeds
Ø
Ø
Ø
Ø
Ø

Chapter 4: Identity and Access Management
4.1 Introduction
User identity and access management is considered to be one of the most primary
requirements of any IT set-up. It essentially establishes credentials of the users and
the level and extent to which he or she is permitted to transact with the system. All
organizations irrespective of their size and criticality need to have a proper
mechanism to control user identities that access organizational systems. Today,
internal systems of the organizations are also used and accessed by external users
through various channels. Thus, user identity and access management is applicable
to each and every IT asset and each and every type of user. Organizations differ from
each other in terms of the volume, complexity, granularity, level of automation and
technologiesusedforauthentication.
Elements that need detailed consideration for effective identity and access
managementare:
Userrequestworkflowmanagement
Identificationandauthenticationmechanismofusers
Assignmentofrolesandprivilegemanagement
Privilegeandsecurityrequirements atindividualassetslevel
Mechanismstoenforce organizationalpoliciesatallgranularlevels
Monitoringexceptionsandtrackingmisuse
For a large sized organization with multiple assets and constant flux of various types
ofusers,theunderlyingprocesscomplexityrisesexponentially.Further,thestakesof
the organization are very large and any critical misuse by any user, apart from
operationallosses,mayresultinfinancialorreputationalimpact.
4.1.1 UserAccessmanagement
In case of public users accessing organization systems such as internet / mobile
banking, online transaction business models and users or channel partners
accessing organization resources through different channels, a strong identity and
accessmechanismsneedtobeimplemented.
Ø
Ø
Ø
Ø
Ø
Ø

Data Authorization
Administrator
User Administrator Profile Authorization
Administrator
Change transaction
selection
Change authorization
data
Maintain user master
records
Assigning roles and
profiles to the user
Activities
Performed
Creating authorization
Creating profiles
Aschematicviewofmappinguseraccessmanagementprocessesisdepictedbelow
Organizationsneed to differentiate between different setofadministration activities
which results in proper segregation of duties. A schematic view of the same is
tabulatedhereunder.
Different types of Administrator users
Different organizations achieve different levels of automation in user access
management processes E.g. usage of smart card / biometric technologies, controls
through two-factor or multi-factor authentications, integration of user identity
management with Active Directory or equivalent repository, implementation of
singlesignontechnologies.
4.1.2 UserLifeCycleManagement
A schematic representation of how identity and access management process
workflowsareautomatedisrepresentedinthediagramonthenextpage.
USER ROLE PROFILE AUTHORIZATION AUTHORIZATION
OBJECT
A detailed mapping of the business requirement is necessary to exercise granular level access controls.

4.2 Risks
Someofthecommondeficienciesatoperationallevelinclude
Impropermanagementoforganizationrolerepository
Manualorinefficientwayoftrackingusermanagementrequest
Lackofcentralizedvisibilityoftherolesgrantedtotheuseracrossallresources
Delaysinsuspension/termination/revocationofuseraccessrights
Diluting role-based access control mechanisms without establishing equivalent
controlswhilegrantingpermission.
In spite of the level of technology adoptions and process automation, there do exist
operational gaps and technical loopholes due to which organizations face system
accessrelatedissues.
Ø
Ø
Ø
Ø
Ø
X
Business Partners Employees Third Parties Contract Expiry
Request for granting
access for a resource
Timely Termination
User Life Cycle
Management
Granting and
Revoking Access
Joining
Transfer
Seperation
Master
Repository of
Users
Role Repository
Authentication &
Approval Rules
Assets
Repository of Assets
based access rules
Data Application Infrastructure Tools Other resources

4.3 Reviews
Overviewofidentityanduseraccessmanagementneedstocover:
Identityaccessmanagementpolicyandprocedures
Userslifecyclemanagementprocesses
Alignment of the identity and access management definitions with
organizationalrequirement
Adequacyofthecontrolsbuiltin
Substantivechecksreviewofuseridentityandaccessmanagementneedstocover:
RoleRepository
Rulesdefinedtoaccessorganizationaldata
Identityaccessmanagementpolicyandprocedurescompliance
FunctionalchecksonIdentityandUseraccessmechanism
Loggingandmonitoringofuserlifecycleprocesses
VerifyingtheUsermatrixtoascertainsegregationofduties
Integratedchecksreviewofuseridentityandaccessmanagementneedstocover:
Identityaccessarchitecturalreview
Reviewofactivitiesbyuserswithrootoradministrativeprivileges
Audittrailsreview
System-levelobjectsprivileges
Integration of User Identity Access Management process with other
organizationalprocesses
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø
Ø

Chapter 5: Project Management - Transformation
5.1 Introduction
5.2 Project Management
All companies irrespective of their nature and size of the business undergo major
changes to their information systems architecture through project implementation.
Every project has its own objectives, plans, roll out methodologies, key success
factors and specific deliverables. From management point of view such project
management needs to be de-risked as the investments in terms of time and money
are huge. Some of the ventures in ERP implementations, data centralization
initiatives, IT infrastructure upgrades face risks of cost overruns. Individual project
risks need to be identified, factored and mitigated at every stage of the project at
operatingandtransactionlevel.
Important IT Projects are generally implemented to transform the business model.
Theprocessofbusinesstransformationisdepictedinthediagrambelow:
Since, the stakes of the business in IT transformation project are very high, good
projectcontrolmanagementsystemneedstobeinplace.
5.2.1 Projectmanagementinvolvesmultiplesetofactivitiessuchas:
?Identifyingphases,tasks,milestones,specificdeliverables
?Resourceallocationandresourceoptimization
?Effectiveschedulemanagement
?Projectmonitoringandcontrolactivities
The use of Program Evaluation and Review Technique (PERT) or Critical Path Method
(CPM) techniques helps the organisation in identifying and focusing on key process
and milestones, allocating adequate resources and thereby reducing overall project
implementationtimeandcostwithoutaffectingeffectiveness.
Business
Process
Reengineering
ERP
Implementation
Data
Migration
Change To
Operational
Framework
Initial
Status
Transformed
Status

An execution cycle of the project goes through initiation, planning, implementation
andclosureprocess.Agoodprojectcontrolmanagementneedstoremainfocusedon
costcontrol,incorporatingsecurityandprocesscontrolsatrightstages.
Aschematicrepresentationofthesameisdepictedinthediagrambelow:
5.2.2 Risks
IneffectiveITprojectmanagementleadstovarioustypesofriskssuchas:
?Organizationalgoalsnotmetbythesystemsdeployed
?UnderutilizationofITresources
?LowerreturnoninvestmentinITassets
?Costover-runs
?Lowrelianceontheapplications
?Maintenanceofparallelrecords,dependenceonmanualchecksandcontrols
?Responsibilitiesandaccountabilitiescannotbefixedforlapsesanddelays
?Nolinkestablishedbetweentheprojectsobjectiveswithmanagementobjectives
?Inabilitytogetcompletevisibilityoftheprojectprogress
?Noidentifiedimprovementopportunities
Cost
Controls
Initiate
PlanClose
Security
Controls
Functional
ControlsImplement
Project
Execution

5.2.3 Reviews
Anoverviewofprojectcontrolneedstocover:
?Adequacyof projectplanningandmonitoringprocess
?Highlevelreviewofprojectcontrolparameters
?Overalluserandmanagementsatisfactionlevels
Substantivechecksonprojectmanagementneedtocover:
?Plannedvs.actualprogressoftheprogram
?Proposedvs.actualdeliverablesatvariousstages
?Alertsoncost,securityandfunctionalcontrols
Integratedchecksonprojectmanagementneedtocover:
?Changes to the organization IT posture pre and post implementation of the
project
5.3.1 Business Process Re-engineering is a pre-requisite for ensuring success of IT project
implementation.
With the change in technology environment, the way the business operates also
needs to change. However, certain old and counter-productive methods continue.
This results in lower return on investment in IT assets and other resources. Business
Process Re-engineering is a technique to rebuild organization process around
specificbusinessobjectives.
Someoftheotherfactorswhichnecessitateprocessre-engineeringareasfollows:
?Ineffectivemanualcontrolsandunreliablesystems.
?Overdependenceonpeople
?Longturnaroundtimeoforganizationalprocesses
?Costover-runsandwastageofresources
Majoractivitiesofanybusinessprocessengineeringinvolve:
?Identificationofbusinessobjectives
?Evaluationofcurrentbusinessprocesses(As-isprocess)
5.3 BusinessProcessRe-engineering

?
?Devisingprocessrestructuringplan
?Implementationofprocessrestructuringplan
5.3.2 Risks
Majorcausesoffailureofbusinessprocessreengineeringprojectsare:
?Lack of clarity on user requirements, definition as well as documentation and
communication.
?Weakmanagementcommitmentintermsofresourcesanddirection
?Weaktechnicalsupportduringandpostimplementation.
?Lesser involvement of all the departments of the organization at planning and
implementationstage.
5.3.3 Reviews
Overviewofbusinessprocessreengineeringneedstocover:
?AdequacyofthecoverageofBusinessProcessReengineeringprojects
?ChecksonBusinessProcessReengineeringimplementation
Substantivechecksinbusinessprocessreengineeringneedstocover:
?Effectiveness, design and operational controls post Business Process
Reengineering
?Trainingandacceptancelevelsofreengineeredbusinessprocess
Integratedchecksinbusinessprocessreengineeringneedstocover:
?Meetingofbusinessgoalswithrevisedprocesses
?EfficiencyoftheprocessespostBusinessProcessReengineeringimplementation
?ImpactofBusinessProcessReengineeringonoverallorganizationITposture
5.4.1 ERP implementation is very critical activity with high business and financial impact.
ManyinstancesofERPimplementationgetdelayedandresultinpartialconfiguration
or misconfiguration and do not completely fulfill the intended objective. This results
in underutilization of time, efforts and money invested in ERP systems and in some
Preparingblueprintoffutureprocesses(To-beprocess)
5.4 ERPimplementation

instances parallel systems are also maintained to present financial results/ MIS to
management.
It is required that management pays attention and addresses the requirements of
implementation of ERP for effective and efficient use of IT and other resources
involved.Theactivitiesinanimplementationprojectwouldinvolve,amongstothers:
?Definingbusinessobjectivesexpected
?Review of existing systems with 'Gap Analysis’ and creation of new system
blueprints
?DefiningandconfiguringrequiredfeaturesinERPsystem
?Masterdatasanitization
?Creatingsystemprototypeandbuildingtestenvironment
?Useracceptanceandtraining
?Migratingtoproductionenvironment
?Postimplementationreview
ERPimplementationsshouldbedoneinphase-wisemannerforbettermanageability.
5.4.2 Risks
MajorcausesoffailureofERPimplementationprojectsare:
?Lack of clarity on user requirements, definition as well as documentation and
communication
?Weakmanagementcommitmentintermsofresourcesanddirection
?Weaktechnicalsupportduringandpostimplementation
?Lack of commitment from all the departments of the organization at planning
andimplementationstage
?Poorqualityofmasterdataandbasicsystemsfunctionalityconfiguration
?Too many customized features compromising the spirit of inbuilt checks and
controls
?Costconstraintsleadingtorestrictednumberofuserlicenses
5.4.3 Reviews
OverviewofERPimplementationneedstocover:
?ERPblueprint

?
?OrganizationalpoliciesonERPutilization
?Basicconfigurationandaccesscontrols
SubstantivechecksinERPimplementationneedstocover:
?FunctionalprocessesandcontrolsmappedtoERP
?Detailedreviewofsystemanddeploymentarchitecture
?DetailedreviewofERPconfigurationandaccesscontrol
IntegratedchecksinERPimplementationneedstocover:
?Trainingandutilizationeffectiveness
?ImpactofcustomizationtoERPsystem
?OverallimpactofERPimplementationonorganizationalenvironment
5.5.1 Adequate controls are required while migrating from one technology platform to
another(say,frommanualsystemtoERPsystem.)Thesecontrolsareneededatevery
stagerightfromtheplanningstageto'golive'stage.Oneofthekeymilestonesofany
systems implementation is data migration that involves building up database of
recordstoworkonthenewsystems.
Thedesiredscenarioistoputinplaceeffectivecontrolsatthedatamigrationstageto
ensure correctness, completeness and reliability ofdatamigrated from old system to
thenewsystem.Someoftheseinclude:
?Completenesschecksatdatacollectionlevel
?Correctnesschecksofdatasanitization
?Authorization/datavalidationchecks
?Integritychecksatdatauploadstage
?Datasignoffpostuploadinthenewsystem
Someofthepainareasthatneedtobeaddressedduringdatamigrationinclude:
?Incompatibilityofdatadefinitionsandstructures
?Validationandcontroldifferencesacrosssystems
?Determinationofdatavolumeandscopetobemigrated
?Designingarchival,retrievalandretentionpoliciesandprocedures
Design ofsystem,functionalanddeploymentarchitecture
5.5 DataMigration

5.5.2 Risks
Someoftherisksofinefficientdatamigrationactivitiesareasunder:
?Mismatchofdata,incompletedataorincorrectdatainthenewsystem
?Revenue loss in the form of loss of receivables, delayed payments to vendors
attractingpenalty/interestcharges,legalclaimsincaseofdatainaccuracies
?Prolonged implementation activities resulting in parallel run and duplication of
efforts
5.5.3 Reviews
Overviewofdatamigrationactivitiesneedtocover:
?Datamigrationplan,schedule,rolesandresponsibilities
?DatamigrationsignoffProcess
Substantivechecksoverdatamigrationactivitiesneedtocover:
?Completenesschecksatdatacollectionlevel
?Correctnesschecksofdatasanity
?Authorization/datavalidationchecks
Integratedchecksindatamigrationactivitiesneedtocover:
?Effectivenesschecksonmigrationactivities
?Legalandcomplianceimplicationsofdatamigration

Chapter 6: Operations Framework
6.1 Introduction
6.2 DataCenter
IT Operational framework is the backbone of IT processes. Internal controls for IT
operations are aimed at efficient, effective and secured use of IT resources, so that
the output generated through the systems is reliable. It is the prime responsibility of
the management to define, document, approve and communicate the IT operational
framework through policies, procedures, instructions and guidelines. Some of the
areas of IT operational framework such as data center operations, data processing
operationsandincident/logmanagementarecoveredbelow.
6.2.1 Introduction
Data center is the central place in any organization where its key IT resources are
securely located. It helps in hosting as well as monitoring critical IT resources under
one roof. Organizations with stringent data uptime requirements host their servers
with certified data centers. Considering all standard data center requirements
including physical, environmental and infrastructure and their effectiveness,
professionaldatacentersareclassifiedasunder.
Data Centers hosting servers for various companies in shared or dedicated mode
certify themselves for ISO 27001, ITIL and SSEA 16 Type I, II, or TIA standards so as to
ensure security, delivery, quality process and to improve customer trust. Advanced
datacentersareabletoprovideDRmanagedsolution.
Organizations that host their services with data centers need to be careful while
choosing the services, configurations, service level agreements and non disclosure
agreements. In case of super sensitive data, the responsibilities of protection and
correspondingliabilitysharingforthesameshouldbedecidedbeforehand.
Data Center Tiers
TIER 1 TIER 2 TIER 3 TIER 4
Meaning Non-redundant
capacity components capacity equipment and are fully fault-tolerant
(single uplink and components multiple uplinks including uplinks
servers)
Which Small Businesses Medium Sized Large Businesses Enterprise /
Entity Businesses Corporation
uses this?
Uptime 99.671% 99.749% 99.982% 99.995%
Tier 1 + Redundant Tier 2 + Dual-powered Tier 3 + all components

Key data center operations need to be governed by IS policy, procedure and
guidelineswhichinclude:
?Secure access to data center and critical servers, network devices and other
equipment
?Beginning of the day (BOD) and end of day (EOD) activities are part of overall
internalcontrolprocesses
?BackupandRecoveryactivitiesalongwithtesting
?CCTVsrecordingandmonitoringofactivities
?Monitoring and ensuring uptime of servers, network connectivity and other
equipment
?Electronicmediamanagement
?Environmental controls such as temperature, humidity, fire safety and
uninterruptedpowersupply
Data centers need to follow stringent norms of building construction. Data centers
should also have a tested evacuation and restoration plan to take care of various
eventualities.
6.2.2 PhysicalSecurityofDataCenter
Organizations need to attach high importance to physical security of the data center
assignificantinformationinvariousformsisprocessedattheselocations.
Depending on the sensitivity / importance of operations performed, physical
premises should be differently classified into zones and each zone must have
appropriate level of access restrictions and access identification and authorization
requirements. Surveillance cameras and access control mechanisms should be in
place to control and monitor sensitive areas. Physical access must be appropriately
restricted.Deliveryandloadingareasshouldbeisolatedfrominformationprocessing
facilitiestoavoidunauthorizedaccess.
A data center has large number of servers, network elements, system devices, safety
and security equipment. Further, data center typically provides connectivity to
internalandexternalworld.Physicalsecurityneedstobefactoredwhilechoosingthe
location, architecture and the internal layout designs to take care of all eventualities
andtopreventlossofhumanlifeandorganizationinformationprocessingabilities.

There exist international standards and guidelines that provide sufficient input to
buildasecuredatacenter
Adequate and appropriate controls like prior intimation and authorization, issue of
identity badge, entry register, escort by authorized personnel, surveillance, are
required to be implemented for controlling and monitoring visitors’ access to areas
whereinformationprocessingresourcesarelocated,e.g.operationalanddatacenter,
etc.
6.2.3 Risks
Risksobservedduetoweakinternalcontrolsforphysicalaccess:
?Physical damage to the data center society due to natural calamities or man-
madeattacks.
?DataCenterPremisesgettingcutofffromrestoftheorganization
?Unauthorizedaccesstoinformationorassetsincludingcyber-attacks
?Breachofconfidentialityofdatabytheftsofdevices
?Legalimpactsoutofmismanagementofhistoricaldataorarchives.
6.2.4 Reviews
Areviewofphysicalaccesscontrolneedstocover:
?Adequacyofinformationsecuritypolicyandprocedures
?Adequacy and appropriateness of mechanism to secure access to various areas
byphysicalvisit
?Managementoversightoverphysicalaccesscontrols
Substantivechecksofphysicalaccesscontrolsneedtocover:
?RevieworRecords,Logs
?Adherencetooperationalprocedures
?Adherencetoenvironmentalcontrols
Integratedchecksofphysicalaccesscontrolsneedstocover:
?Effectivenessofcontrolmechanismvis-à-visbusiness/functionalrequirements
?Industrybenchmarkcomparisonandcompliancetoorganizationalpolicies

6.3 OperationalControls
6.3.1 The Business operations include entire gamut of operational activities, few
illustrationsarementionedbelow.
?Callcenteroperationshandlingcustomerdataforqueryresolution
?Businessoperationshandlingactivitiessuchasbilling,collection,purchase,etc.
?Transactionprocessing,suchabatchuploads,chequeprinting,imageprocessing
?Day-to-dayoperationsatserviceandsalesoutlets
?Backendprocessingbythirdparties
?Public placeoperations including ATM, kiosks operations, cashcollectioncenters
andsoon
Organizationsalsoneedtohaveadministrativefunctionsatvariouslayers,suchas
?Operatingsystem
?Database
?Applications
?Variousinfrastructurelayers
Anyoperationalerrorinadministrationfunctionhashugecoststotheorganizationin
terms of downtimes, reliability of systems, and loss of productivity. Incorrect
configurations of business parameters can directly have business, revenue,
reputationimpact. Further, as administrators are oftentrusted resources, there exist
possibilitiesofsystemmisuse.
Day-to-day checks and balances, security procedures and periodic revalidations are
necessarytoensurecorrectness,completenessofthedataprocessing.
All normal IT operations and Business operations constantly undergo changes as per
the organizational needs. In practice, they face practical issues that disrupt
operations due to various reasons. A good organization is able to establish good
incidentmanagementandlogmanagementsystem.
6.3.2 ChangeManagement
As all entities of the business constantly undergo changes, effective change control
managementprocessesareverycriticaltotheprocessofITassurance.
Achangemanagementcontrolprocessneedstoaddressthefollowing:
?Planningandcommunicationrelatedtochangemanagement

Approvaltrackingprocess
?BusinessImpactAnalysisincludingbusinesssecurityimpact
?Appropriatetestingandacceptance
?Implementationofchangetoproductionenvironment
?Handlingemergencychangesandspecialprocesses
?MonitoringproductionenvironmentforchangesandRollbackcontrols
?Trackingchangestoconfigurationitems
?RetentionRequirements
Change management process needs to exist at all assets, all layers to establish
authenticity and auditability. Schematic change management process cycle is
depictedbelow.
6.3.3 IncidentManagement
A formal incident response capability across all operational units should be
establishedtominimizedamagefromsecurityincidents,torecoverandtolearnfrom
such incidents. It should include detection, initiation, evaluation, containment,
eradication, recovery, closure of incident, evidence collection and preserving
admissibleevidenceifnecessary.
6.3.4 LogManagement
Log management is perhaps the most critical activity for verifying that systems are
functional and controlled. Logscollected in secure manner provide crucial evidential
?
Origin &
Authorization
Traceability
& Evidence
Testing &
Validation
Change
Management
Process
Deployment
&
Monitoring

value and can trace / detect system anomalies, frauds and provide a rich source for
troubleshootingactivities.
Some of the illustrative events that should be captured by log management are as
follows:
?Activitystartandfinishtimes
?Userloginlogouttimeincludingsuccessesandfailureindication
?Systemerrorsandexceptions
?Confirmationofthecorrecthandlingofdatafilesandcomputeroutput
?Logicalaccessattempts
?Creationanddeletionofsystemlevelobjects
?Transactionlogs
Administrative logs need to be created, captured, and diverted without allowing
system administrators to intervene into the system. Log collectors that collect the
data through mirrored activities should not add to performance overheads to the
mainsystem.
Logs across various devices and applications need to be normalized in case of
aggregation and correlation requirements. A well configured correlation engine
builds an intelligence to detect various types of system exceptions, frauds and
symptomsofcyberattacksatanearlystage.
High end organizations create security operation center to monitor events on real
timebasis.
6.3.5 PeriodicReviewofControlPractices
Periodic review of the internal controls established is required to assess the control
design effectiveness and operational effectiveness. Thisenables the management to
assessthestateofoverallITgovernancepracticeswithintheorganization.
Suchreviewsarepreferredif
?Carriedoutatregularinterval
?Comprehensiveinnature
?Matchtheorganizationalpracticeswithindustrybestpractices
?Performedbyindependentreviewers

6.3.6 Risks
Risksarisingduetoweakoperationalcontrolsareasfollows:
?Disrupted operational activities due to delay or unstructured approach of
respondingsecurityincident
?Recurringbreakdownofsystems/applicationduetopoormaintenance
?Pro-longed application development activities due to unplanned change
managementactivities
?Non-availabilityofolddataduetoinadequatebackupandrestorationpractices
?System misuse or fraudulent activities do not get noticed during the operational
flow
6.3.7 Reviews
Overviewofoperationalcontrolsneedstocover:
?Adequacyofoperationalpoliciesandprocedures
?Definition of roles and responsibilities towards operations as well as information
security
?ChecksandbalancesbuiltintoalltheaspectsofIToperationsmanagement
Substantivechecksofoperationalcontrolsneedtocover:
?Batchprocesscontrols
?Systemchangemanagementcontrols
?Incidentmanagementwithrootcauseanalysis
?Detailedreviewoflogmanagementarchitecture
Integratedchecksofoperationalcontrolsneedtocover:
?Effectivenessofoperationalframework
?Fulfillmentofcompliance requirementsrelatedtooperationalcontrols

Chapter 7: Protecting Data Layer
7.1 Introduction
Thetraditional approach ofinformation security is focusedon enterprisearchitecture,
whereas significant part of enterprise’s sensitive data is in unstructured formats.
There exist challenges with protecting unstructured data, especially, in light of the
trend of outsourcing and offshoring. The consequences of data leakage can result in
loss of competitive advantage, possible financial liability, litigation and violation of
intellectual property regulations. International bodies and Governments have passed
stringent legislations that require organizations to build reasonable practices to
protectdataassets.
Data classification is an essential prerequisite for data protection strategy and
implementation. A good data classification is necessary not only from technical and
operational point of view, but also for optimizing system designs and controlling costs
of the organization. A good data flow analysis of the documents gives insights to the
dataprotectionrequirements.
Information resources are classifiedaccording to levels ofits sensitivity and criticality
taking into account business, legal, regulatory, contractual and internal requirements.
For each classification level, different set of handling procedures need to be devised
that cover processing, storage, transmission, and destruction of data. It is also
essentialthatforallinformationdataownersanddatacustodiansareidentified.
Additional controls are necessary for roaming users operating through hand-held
devices. In the light of fast changing and user friendly technologies, the risk of data
exposure is high and often the business needs to leverage on the ease of the data
access. It is therefore challenging to establish an appropriate trade-off between the
diverse objectives of the business. Improper exercise results into cost and project
overrunswithoutfulfillingthedataprotectionobjectives.
An illustration of impact of cost due to unclassified and unmanaged data is shown on
thenextpage.
An open network with multiple open USB drives increases overheads on Data Leakage
Protection(DLP)monitoringengine.

Stamping of documents with digital rights is necessary to ensure that the documents
are handled safely across entire data flow. There is an increasing trend to protect the
data that has moved out of the organisation through information rights management
technologies.Thisessentiallyisamodelforborderlessdataprotectionsrequirements.
Data protection controls are extremely important for PCI DSS compliance (for
protection of credit card), HIPAA compliance (for protection of medical records),
compliance to privacy laws as well as to protect sensitive information such as
companies marketing and strategic plans, customers call data records, legal
documents and creative work protection. Compliance to these laws enhances the
reputationandincreasesthecustomertrustlevel.
Followingaresomeoftherisksinvolvedinweakcontrolsoverdata:
ØUnauthorized access (confidentiality), usage and modification (integrity) of
classifiedinformation
ØLeakageofclassifiedbusinessinformation
ØBreach of contractual obligations to ensure adequate protection to information
andassets
ØViolationoflegalprovisionstoensureprivacyofpersonaldata
Anoverviewofdataprotectioncontrolswouldneedtocover:
ØAdequacyofinformationsecuritypolicyandprocedures
7.2 Risks
7.3 Reviews
End Points
DLP End-user
Monitoring Server
DLP
Core Engine
Open USB Drive
* Malware Threats
* Data Copy Threats
*More the number of USB
drives open, more the load on
the server & deployment cost
DLP
rules

Ø
ØInformationsecurityawarenessforendusers
Substantivechecksoverdataprotectionneedtocover:
ØDataflowanalysisforselectiveclassifieddataelements
ØUser-role-authenticationmanagementrelatedtodataflow
ØRulesforacceptableuseofinformationprocessingassets
ØLogicalaccessandloggingcontrols
ØDataencryptionandDataleakpreventioncontrols
Integratedchecksoverdataprotectionneedtocover
ØCompliance with legal / contractual obligations of data privacy and
confidentiality
Informationandassetsclassificationmethodology

Chapter 8: Business Continuity Planning Framework
8.1 Introduction
Natural disasters and business disruptions beyond the control ofthe organization are
necessarily part of the organizations risks profile and risk management strategy.
Natural disaster/physical threats could also lead to unauthorized access to critical
data, loss of critical data or unavailability of resources which could hamper the
business continuity of an organization eventually leading to monetary loss for the
organization.
Natural disasters/physical threats could damage the system wherein they are beyond
repair. The retrieval of data from a physical damage is a time consuming and an
expensiveaffairwhichalsoinvolvesriskofincompletedataorinconsistentdatabeing
restored.
Inthemoderndigitalizedworld,organizationsalsoneedtobuildcyberresilience.This
includes hardening digital infrastructure to be more resistant to attacks, penetration
and disruption; improving ability to defend against sophisticated and agile cyber
threatsandrecoveringquicklyfromcyberincidents.
8.1.1 DefiningtheLevelofCriticality
The linkage between BCP and DRP is often talked about and there exists a perception
that business continuity plans are normally associated with disasters. It needs to be
understood that Business Continuity Plan needs to exist for any disruption,
momentary, temporary or long term. A local commotion, traffic disruptions or one
office unit getting cut-off from rest of the organization also needs to be taken into
consideration while planning for business continuity. Normally, crisis levels for
operationsneedtobedefinedandcontinuityplansneedtobetailormadeaccordingly.
Crisis level needs to be defined taking into consideration financial, process, impact,
legal,contractual,peopleimpactandseverityofthesame.
The level of criticality needs to be identified and analyzed at individual assets as well
ascorporatelevel.
8.1.2 DisasterRecoverySite(DR)
Successful recovery of business operations and restoration to normalcy with
minimum impact on resources in case of any planned/unplanned event is the only

evidence that proves effectiveness of business continuity management. For this,
appropriatedisasterrecoverypolicyandproceduresneedtobedefined,documented,
approved and communicated by the management. Besides that, appropriate
infrastructurehastobesetupatdisasterrecoverysitetoensuremeetingtherecovery
timeobjective(RTO)andrecoverypointobjective(RPO)definedinbusinesscontinuity
plan.
Considerationsforsettingupdisasterrecoveryplaninclude
ØRecoveryObjectives
ØNatureofDRsitedesired
ØLogisticsofRecovery
ØGeographicconsiderations
ØDesignvs.OpportunityCost
8.1.3 BCP/DRCycle
AtypicalcycleofBCP/DRcoveractivitiesdepictedbyfollowingdiagram
Triggers may include any abnormal activity such as system cut-off, performance
degradation,operationalfailure,disaster.
Sometimes it is not possible to replicate all the business functions to DR site. Hence
thescaleddownversionofcriticalactivitiestoalternatesitecanbeconsidered.
8.1.4 TestPlanCoverage
TestingofBCPissometimesconsideredasanoperationaloverheadandorganizations
finddifficultiesinschedulingforthesame.AgoodBCPhasmultipleobjectivesandthe
frequency to test each objective could vary so as to give total assurance that the plan
Triggers
Invoke BCP
Assess level of
Crises
Invoke continuity
Programme as per
the level
* Triggers mainly include system cut-off, performance degradation, link goes down, operational failure, disaster
Synchronization
Alternate Site
Operation
Diversion
Communication
Backend Checks
Transition Restoration Assessment Learning
System
Recoveries
Network
Recoveries
Synchronization
Communication
Financial Impact
Litigation Impact
System / Process
Impact
People Impact
Corrective Actions
Program
Improvements
Skill Improvements
Refined program

is working and current. This also reduces downtime of the environment and helps
betterplanning.
8.1.5 Formalannouncementofdisaster
It is required that the organization formally announces the fact of disaster and
working state of operations from disaster recovery site. Similarly, restoration of
primary site and resumption of operations from the same also need to be formally
communicatedtoallthestakeholders.
8.1.6 Contingencyandsecuritybreach
Organizations need to exercise utmost precaution that no security breach occur
during or after the contingency plan is evoked. This is because, quite often
organizations cannot create same set of security measures as that configured in
originalsite.
RisksduetoindequateBCP:
ØLossofhumanlifeorassetsorinformation
ØDisruption/discontinuanceofbusinessoperations
ØFinanciallossesduetolossofassetsand/orbusiness
ØLossofreputation/credibility
ØNon-compliancewithtime-boundregulatoryrequirements
Anoverviewofbusinesscontinuityplanneedstocover:
ØAdequacyofbusinesscontinuityanddisasterrecoveryplanandprocedures
ØMethodologyforbusinessimpactanalysisandriskassessment
ØAdequacyofbackupofdata,off-sitestorageandperiodicdatarestoration
ØAwarenessondisasterrecoveryplanandcontingency
Substantivechecksofbusinesscontinuityplanneedstocover:
ØTestingofbackup,off-sitedatastorageandperiodicdatarestorationactivities
ØEffectivenessdrillsonevacuationanddisasterrecovery
8.2 Risks
8.3 Reviews

Ø
ØReviewofactualworkdoneonthedisasterrecoverysite
ØValidation of Business Impact Analysis, Recovery Time and Recovery Time
Objectives
ØEmergencyhandlingprocedures
Integratedchecksofbusinesscontinuityplanneedstocover:
ØAnalyzingInterdependenciesofthesystemsandimpactoneco-system
ØValidatingLegal,Financialandotherimplications
ØEffectivenessofbusinesscontinuityplanvis-à-visbusinessrequirements
ØCompliance with legal / contractual obligations of data confidentiality and
availability
Availabilityofdataandotherresourcesatdisasterrecoverysite

Chapter 9: Human Interface to IT Systems
9.1 Introduction
Humaninterfaceisconsideredastrongaswellasaweaklinkinthechainofinformation
systemmanagement.Participationofemployeesmustbeincreasedthroughrepetitive
programs to ensure that they are aware of end user responsibilities towards the
organizationsuchas:
ØTake all reasonable precautions to protect information systems against
unauthorizedaccess,use,disclosure, modification,duplicationordestruction
ØUseinformationsystemsonlyasappropriatetotheirjobresponsibilities
ØUse information systems in manner, which ensures compliance with laws and
internalpoliciesandprocedures
ØReportsecurityproblemsorissuesthroughappropriatechannels
ØFollowsystemsandprocedureseffectively
9.1.1 UserAwareness
Organizations need to motivate employees adequately to participate in IT
implementation, risk management, incident response, disaster management and
whistleblowingprogramstosafeguardITinvestments.
With the increasing outsourced and hosting activities, third parties, such as channel
partners, data entry operators, vendors, customers, auditors, regulators, connected
entities, payment gateways and various intermediate agencies, participate in IT
operations. Manually, courier agencies carry backup tape, ATM and financial PIN
numbers, statements and customer confidential data. Apart from conventional third
party Non Disclosure Agreements, it is necessary to ensure that liability in caseofdata
securitybreachorotherwisemustbeformalized.
Training of users constitutes a major factor towards success of IT system deployment.
An effective training program enhances system utilization, reduces operational errors
andhelpsinearlydetectionofsystemanomalies.
IT security policy and procedures should categorically include the consequences
of violation of information security controls which would include penalty / punitive
action, depending upon the context and severity of breach that may include, but is
notlimitedto

Ø
ØSuspension
ØTermination
ØLegalProceedings
ØFinancialcompensationforlosses
Following factors make it important to pay due attention to human interface while
addressingITsystemsassurance:
ØLackofuserawarenessonmanagementofinformationsystems
ØSignificantriskofinsidercomputerfraud
ØCollusionofexternal(vendors)andinternal(employees)forfraudorinformation
leakage
ØAbsence of adequate measures to ensure employee screening before assigning
keyresponsibilities
ØLackofmaker-checkercontrolandsegregationofduties
ØManipulationandalterationofevidenceorlogs
ØEmployees or users not rotating their responsibilities, thus creating excessive
peopledependencies.
ØTrusted users misusing the system resources are one of the major reasons why
organizationssometimesfacesignificantfinancialorreputationlosses.
Overviewofhumaninterfaceincludesreviewof:
ØNon-disclosureandconfidentialityagreementwithvendorandthirdparties
ØAwarenessandtrainingprocess
Substantivechecksofhumaninterfaceincludereviewof:
ØEmployeescreeningprocess
ØRoledefinitionsandprofilingrequirements
ØSegregationofdutiesandStructuralchecks/balances
Integratedchecksofhumaninterfaceincludereviewof:
ØTrainingEffectiveness
ØSafeguardsfromsuspiciousactivities
Warning/Caution
9.2 Risks
9.3 Reviews

Chapter 10: Compliance and Regulatory Framework
10.1 Introduction
10.2 ISO/IEC27001:2005Standard
10.3 BS25999/ISO22301Standard
InformationTechnologySystemshaveaveryhighandlongtermimpactontheinternal
controls of the organization as well external customer services. Therefore, regulators
and governing bodies across nations have created various frameworks, mandatory
standards,suggestiveguidelinestoensureproperITgovernance.Apartfromthesame,
industries, consortiums, voluntary groups have contributed to the evolution of best
practices and technical standards in diverse areas of IT management. Some of these
areillustratedbelow:
This standard provides a model for establishing, implementing, operating, monitoring,
maintaining and improving an Information Security Management System (ISMS). The
standard adopts the “Plan – Do – Check – Act” (PDCA) model, which is applied to
structure all ISMS processes. Compliance to the standard leads to certification by
accredited agencies – helps enhance customer confidence, meet contractual
requirements, and assure stake holders about confidentiality, integrity and availability
ofinformation.
Alignment of organizational information security management systems with
internationallyrecognizedpracticesfacilitates:
ØSystematiceffortstoimproveinternalcontrolsandoperationalefficiency
ØAssurance to clients / customers and other stakeholders on standard practices
toensureconfidentiality,integrityandavailabilityoftheirdata
Thisstandard providescomprehensive methodologyfor developing and implementing
business continuity within organizations. Adopting these standard practices
improvises the resilience of the organization when faced with crisis situation. Major
activitiesforadoptingthisstandardinclude:
ØBusinessImpactAnalysis
ØIdentificationofcriticalactivities

Determiningcontinuityrequirements
ØEvaluatingthreatstocriticalactivities
ØDevisingriskresponsestoreducelikelihoodandimpactofincidents
ØDevisingstrategytofacilitatecontinuityorrecoveryofcriticalactivities
All types of organization can adopt standard practices advocated by internationally
recognizedbodyofstandardswhichhelpsin:
ØAdopting structured and organized measures to minimize the impact of
businessdisruption
ØAssurance to clients/customers and other stakeholders on availability of
servicesincaseofdisaster.
ØImprovedcompliancewithregulatoryrequirementsandmanagementpolicies
ØRecognitionofStandardsBodythroughcertification
ØImprovesimageoftheorganization
In May 2012, ISO has released ISO 22301 Standard which specifies requirement for
settingupandmanaginganeffectiveBusinessContinuityManagementSystem(BCMS)
This standard stands for Payment Card Industry – Data Security Standards. In modern
digitizedworld,significantamountoffinancialtransactionstakeplacethroughcredit/
debitcardsandequivalentinstruments.Assuchpaymentsarerealtime,globalandare
processed through multiple channels. This involves huge monetary transactions
globally involving, customers, financial institutions and payment processors who are
always concerned about veracity of the transactions. Various security measures were
deployed in the past to ensure sanity and confidentiality of transactions. In order to
generate uniformity and trust levels of the systems, American Express, Discover
Financial Services, JCB, MasterCard Worldwide and Visa International, established a
universal PCI DSS standard. This standard is applicable to all industries, bankers,
merchants, processors who are capturing, storing, processing and transmitting
paymentcard datain any format. PCI DSS is one ofthe most comprehensive standards
to comply with, as it handles process and technology requirements simultaneously. A
singleareaofnon-complianceattractshugepenalties.
ITIL is a public framework that describes best practice in IT service management
applicable to all the service organizations. It provides a framework for the governance
Ø
10.4 PCIDSS
10.5 ITIL–V3Framework

of IT, and focuses on the continual measurement and improvement of the quality of IT
service delivered, from both a business and a customer perspective. This focus is a
major factor in ITIL’s worldwide success and has contributed to itsprolific usage and to
the key benefits obtained by those organizations deploying the techniques and
processesthroughouttheirorganizations.
The Center for Internet Security (CIS) is focused on enhancing the cyber security
readiness and response of public and private sector entities. CIS Security Benchmarks
improves organization's security posture by helping them reduce the risk of business
and e-commerce disruptions resulting from inadequate technical security controls. It
provides enterprises with consensus best practice standards for security
configurations, as well as resources for measuring information security status and for
makinginformeddecisionsaboutsecurityinvestments.CIShasacomprehensivelistof
benchmarks for different operating systems, databases, browsers and virtual
platforms.
Computer Emergency Response Team (CERT) has introduced Operationally Critical
Threat,Asset,andVulnerabilityEvaluation(OCTAVE)method.OCTAVEisanapproachfor
managing information security risks. It has been designed to be sufficiently flexible to
accommodate unique needs ofthe organization. Organizations should create teams of
business and IT tailored to the organization's unique risk environment, security and
resiliencyobjectivesandriskbasedassessment.
Stringent penal actions introduced through the amendment under various sections of
the Information Technology Act, 2000 has attracted the attention of organizations
operating in India to ensure protection of personal information of customers, vendors,
businesspartners,employeesandthethirdparties.Stringentlawsondataprivacywith
penalties exist across globe. Privacy of personal information has to be ensured at the
timeofcollection,processing(use,transfer,disclosureanddisposal)aswellasstorage.
Organization has to devise comprehensive privacy policy and framework to address
thedataprivacyrequirements.
All organizations including intermediary services providers are now legally compelled
to protect customer sensitive information. Negligence in implementing and
10.6 CISBenchmarks
10.7 OctaveMethodology
10.8 DataPrivacyRequirementsfromLegalandCompliancePerspective

maintaining reasonable security practice can lead to litigations and impact
organization'sreputation. Thereasonablemeasuresneedtoinclude:
ØMeasures to prevent unauthorized access and use of personal information of
customersorthirdparties
ØMeasures to prevent incidents of data theft, identity theft, credit card fraud,
bogusinsuranceclaims,mortgagefraud,etc.
ØMeasures need to cover life cycle including data collected, processed, stored,
transmittedordisposedoffbytheorganization
Adopting ISO 27001 Standard is one of the ways organizations can claim to have
followedreasonablesecuritypractices.
FollowingarethekeyregulationsgoverningintellectualpropertyrightsinIndia:
ØCopyrightAct,1957
ØTradeMarksAct,1958
ØPatentsAct,1970
Besidesthese,thereareotheractslikeGeographicalIndicationsofGoods(Registration
andProtection)Act,1999,DesignsAct,2000,etc.whichprotecttheuniquepropertiesof
aproductoraworkofdistinctfeatures.
Copyright Act protects computer software which may be of ‘Freeware’, ‘Shareware’, or
paid ‘Licensed’ nature. A license may be time-based license, user-based license or
feature-based license. A software license prohibits modification, adaptation,
translation, decompiling, reverse engineering, disassembling, etc. of the respective
softwareandanyviolationattractspenalaction.
10.9 LawsRelatedtoIntellectualProperty

Chapter 11: Impact of Contemporary Trends
11.1 Virtualization
11.2 CloudComputing
11.3 MobileComputing
Information Technology and Information Technology Enabled Services (ITES) are constantly
shaping the industries. Therefore, the best of the IT assurance programs cannot be static. In
fact, IT assurance program has more challenges to meet as the IT environment change may
cut through several dimensions of the organization. Changes due to contemporary trends
needtobeacceptedinastructuredandcontrolledmannertomakealongtermsuccessoutof
thesame.Someofthesetrendsarediscussedfortheillustrationpurpose.
Virtualizationreferstothecreationofavirtualinstanceofhardware,operatingsystem,
storage device, network resources or software. It’s not limited to the servers or critical
resources but can be further extended to the individual assets using VDI or Virtual
desktop infrastructure. Virtualization benefits the organization by helping in
consolidation, flexible architectures, increased resource utilization and a more
efficient Disaster recovery mechanism. Also virtualization is the initial step for
organizations to move towards cloud computing. But security, performance and
reliability considerations are seen as major deterrent towards adoption of the
technology. Organizations can overcome these deterrents by adopting good
management practices in deployment, laying security controls and addressing
virtualization related techniques (E.g. VM management) in accordance with the
changedscenario.
Cloud computing has emerged as a strong trend impacting the way IT serves the
business. It offers software, platform and infrastructure as a service (SaaS, PaaS &
IaaS). This has increased scalability, adoption of newer technologies and the available
options. Thisis in-spite ofthe reducedcostsand change-over periods it offer. However,
this also comes at a risk of reduced control, security and reliability due to increased
vendor dependence. These concerns need to be addressed by creating long term
strategy, realistic goals mapped to the system designs. Security concerns, autonomy
issuesandperformancestandardsshouldbefocusedatthedesignlevelitself.
Thedependencyofmodernlifetoduemobilecomputingisevidentfromtheincreasing
use of Netbooks, tablets and Smartphones. The varied types of devices has resulted
changes in the UI (User Interface), the operating systems and the applications used.
Mobile computinghas resulted in BOYD (bring your own device) concept. It is a concept

which helps organizationsin savingcosts, helps in faster adoption oftechnologies and
achieves greater employee satisfaction. However, organizations also lose the control
over the way these devices are used resulting in security issues. Organizations can
overcome these issues by defining clear policies, laying minimum security
requirements, mandating use of organization sanctioned security tools and have a
processtoretrieveorganizationaldatafrompersonaldevices.
Social media has evolved as the modern way to communicate with diverse sets of
interested groups. These technologies have changed the way we network, collaborate,
publish and receive feedbacks. Direct revenue growth through social media may be a
challenge; but it helpsa lotin customer care, product development and brand building.
These benefits come along with risks like brand hijacking, data leakage, security,
intellectualproperty&legalrisks.Disgruntledemployeesandcustomerstry todefame
the organization through social media. These risks can be overcome with strong
policies,processes,training,toolsthattracetheoriginsofmessages.
Globalization and economic trends has led organizations towards changed strategy of
IT outsourcing. This benefits organization in focussing on core business activities and
re-strategizingwhilereducingcostsandworkingmore efficiently. However, this comes
with attached risk related to security, privacy, continuity and performance.
Organizations need to mitigate these risks by clearly defining security controls,
performance benchmarks and vendor’s exit responsibilities. Also organizations need
tocloselymonitorthevendor’sperformanceandgetthemvalidatedfromindependent
sourcesasthestrategiesandcontrolsaredifferentforOutsourcingframework.
In the world of shrinking resources, organizations are looking for alternative sources
for cost efficient and work effective methods. Green IT is one such approach which
involves manufacture, management, use and disposal of information technology
resourcesthatminimizesthedamagetoenvironment.Someoftheinitiativesinclude:
ØPurchasingandusingenergyefficientdesktops,serversandotherITequipment
ØSetupenergyefficientdatacenterwithmorePowerUsageEffectivenessratings
ØVirtualizationofresourcestoreduceoverallresourcerequirements
ØRecyclingofITequipment
ØUseofminimumtoxicmateriallikeleadandmercuryinmanufacturingprocess
11.4 SocialMedia
11.5 ITOutsourcing
11.6 GreenIT

Section IV: Creating Excellence in IT Systems Assurance

Section IV:
Creating Excellence in IT Systems Assurance
1.1 Introduction
1.2 MeasuringITEffectiveness
The role of IT as an enabler to the business is well understood. Innovations of new
products and adopting new technologies are normally appreciated. In spite of the
same, disconnect often exists between management vision and ground realities. IT
systems should be leveraged such that they exceed the expectations of the
managementvision.
There is always a continuous thrust on creating excellence through IT systems.
Thoughthisisavastarea,someoftheillustrationsarecitedbelow.
Organizationsneedtohavecomprehensiveandquantitativemeasurementswith360
degree IT view with the intention of controlling costs of assignments. Quantitative
Dashboards need to be based on statistics, graphs, trends and deviation controls,
suchas:
ØAveragetimetakentodeploysoftwarechanges
ØEffectivenessofsecurityfiltersatdifferentlayersofsystemsarchitecture
ØUtilizationofassetsbasedonvariousparameters
ØReductioninaggregatequantitativerisks
ØDowntimeoftheITsystem/Totaluptimeofthesystemforthemonth
ØTimetakenforrecovery
ØNumberofincidentsinamonthanalyzedonmultipleparameters
It is an exerciseto identify, measure and track the progress ofIT suitableto the client
environment. Large organizations having high-end eco systems have more complex
and interlinked parameters and these need to be projected across various units such
asgeographicallocations,systems/subsystems,assetsandthesamewillberequired
atdetailedoraggregatelevel.
It is possible to create quantitative models on IT Health Status monitoring suitable to
the organization environment. Quantitative models require substantial level of first
time effort, but they introduce objectivity to complex topic of IT environment, are

more easily understood at various levels, create common body language and help
organizationstotracktheprogress.
Apart from the individual dashboards organizations would like to have an overall
assessment of IT maturity status. Maturity can be objectively measured by
aggregating all the maturity status of individual control points. This is an elaborate
exercise.Suchmeasurementsifdoneonannualbasis,giveatoplevelofviewofareas
thatneedattentionandhelpstotracktheprogressobjectively.
An illustration based on generally accepted IT Governance framework like CoBiT can
beapplied,resultofwhichcouldlooklikeadiagramgivenbelow:
Every organization in today’s world has to comply with various regulatory
requirementsasexplainedatvariousplacesinthisdocument.Further,differentunits
of the organization need to comply to specific standard such as SOX, PCI DSS, ISO
27001, BS 25999, SSAE16, Quality frameworks, Capability Maturity Models, Six-Sigma /
leanmethodology,statutoryrequirementssetbyRBI,TRAIandotherindustrybodies.
Companiesaresubjectedtofrequentauditsforthesame.
Handled in any suboptimal manner, this leads to major processing overheads for the
organization. Documentation becomes non-standard, record keeping involves
duplication of efforts, audits involve overlaps and compliances are sometimes
tedioustomaintainandareseenasoperationaloverheads.
Organizations need to have a common compliance denominations along with
sufficientoperationalflexibilitybuiltintotheprocess.
1.3 MeasuringITMaturity
1.4 AdheringtoMultipleComplianceFrameworks
CoBiT Maturity - An Alternate view
Effectiveness
Efficiency
Confidentiality
IntegrityAvailability
Compliance
Reliability
61
67
70
6366
59
54

1.5 BuildingExcellenceinOperatingProcedures
1.6 DataAnalyticsandE-AuditMigration
1.7 IntelligentRiskEngines
Goodstandardoperatingproceduresarecorelevelrequirementofallcompliances. A
good standard operating procedure needs to be practical, simple and close to the
operating environment. A single procedural document should stand the test of
adequacy seen from multiple perspectives including governance, operations,
compliance. Such operating procedures provide a sound basis for performance of
the organization, have the necessary flexibility to accommodate operational
variances in controlled manner, create efficiencies for the organization. Good and
excellentoperatingproceduressuitabletotheorganizationalrequirementsreflectas
tohowinternalcontrolsystemsworkwithintheorganization.
With the growing volume of transactions across various systems, good data analytic
tools are necessary enhance to audit effectiveness. They are able to see through
transactions using pre-defined business rule with multiple permutations and
effective sampling techniques. These tools help an auditor to narrow down on the
exceptionidentificationanddetectanomaliesinanobjectivemanner. Suchtoolscan
also be deployed in the production environment to facilitate concurrent or real time
monitoring.
Migration from traditional audit processes to E-audit processes is journey that
involvescarefulplanning,simulationanddeploymentasdepictedbelow:
As the global threats of cyber crime are increasing, there exist global intelligence
networkthatareabletodetectcertainthreatsinrealtimemanner.
E-Audit Migration Plan of Migration to E-Audit
INITIATION PHASE PILOT PHASE MIGRATION TO CONCURRENT
/ CONTINUOUS AUDIT
1 2 3
ØEvaluationofOrganization
InformationArchitecture
ØIdentification of Transactions
tobeconsideredunderE-
Auditpilotphase
ØDefine Audit rules for
transaction monitoring
for identified transactions
of identified systems
ØSimulate the E-Audit and
refine the Rule Definition
ØIntegrate E-Audit with
Base systems and
Configure exception
monitoring and alert
based rules
ØAutomate E-Audit
process for concurrent
checks

These are essentially collaborative network that keep track of millions of malware
signatures, blacklisted and infected web-sites, and botnets, analyze behavior of the
source transactions, apply intelligent risk engines that generate/ pre-empts/
quarantines early threat warning from cyber-attacks. Such technologies need to be
deployedandconfiguredappropriately.
Similarly,incaseofdetectingelectronic,mobilebanking,moneylaunderingfraudsan
intelligence system needs to be built that performs transaction and behavior
analysis. Such systems help in generating early warning signals for suspicious
transactions.
Some organizations presume that an audit activity is to be performed subsequent to
completion of tasks. Also, there is a view that an audit participation during the stage
of roll out / implementation compromises audit independence. Since IT systems
typicallyarerolledoutwithlongtermobjectivesandhighimpactontheorganization
eco-system, concurrent IT Audit becomes a very critical need for the management to
ensure that the controls are built at the design stage itself. System specifications,
design documents, project management, planned upgrades, disaster recovery drills,
data analytic tools, system monitoring outputs are some of the examples where
concurrentITAuditbringspowerfulvalueadditionstotheorganization.
Large corporate houses tend to diversify across various sectors. Every business
vertical has its own unique information technology needs. Many times, such group
creates a set of common services to be provided to other group of companies.
Such groups can benefit by isolating centralized requirements and company
specific IT requirements. An IT assurance program can be tailor-made to different
group functional models. Apart from conventional IT assurance, such program needs
to also focus on consolidation opportunities, process optimization, technology
standardization,resourceutilizationandeffectivenessofdeployment.
Success of IT assurance program needs to get reflected in the Balanced Business
Scorecard. Typical outcome of such program is tabulated for illustrative purpose on
thenextpage.
1.8 ConcurrentITAudit
1.9 ITSystemsAssuranceforGroupCompanies
1.10 ITSystemsAssurance:ABalancedScorecard

RSM India publication - How Robust is your IT System

RSM India publication - How Robust is your IT System

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (12)

Similar to RSM India publication - How Robust is your IT System

Similar to RSM India publication - How Robust is your IT System (18)

More from RSM India

More from RSM India (20)

Recently uploaded

Recently uploaded (20)

RSM India publication - How Robust is your IT System