Information Security Governance: Government Considerations for the Cloud Comp...Booz Allen Hamilton
How users can take advantage of the cloud computing environment’s benefits without experiencing excessive security risks or new legal or regulatory compliance challenges.
Business-Driven Identity and Access Governance: Why This New Approach MattersEMC
This white paper explains why taking a business-driven approach to identity and access governance (IAG) can enable organizations to easily prove compliance, minimize risk, and enable the business to be productive.
Making Executives Accountable for IT SecuritySeccuris Inc.
How do we make executives accountable for IT Security?
Michael outlines the general challenges, details key items of concern and discusses the focus areas that can be taken to improve the daily governance of IT security in your organization.
The importance of role management in information security. In today's world, information security and management of information security is an important aspect. Therefore, it is very important to understand the importance of role assignment and role management while considering the implementation of security policies and standards.
This Slideshare presentation is a partial preview of the full business document. To view and download the full document, please go here:
http://flevy.com/browse/business-document/it-security-and-governance-template-312
This Word document provides a template for an IT Security & Governance Policy and is easily customisable. Areas covered are: Security, Data Back-Up, Virus Protection, Internet & Email Usage, Remote & 3rd Party Network Access, User-Account Management, Procurement, Asset Management and IS Service Continuity Planning.
Cloud Computing - Emerging Opportunities in the CA ProfessionBharath Rao
In the present era, everything runs in the cloud. The development of cloud computing technology has led to a sharp decrease in capital expenditure for industries. It has also led to their solutions being made available everywhere and on any device.
This article provides functional knowledge on how a Chartered Accountant may add value to the development of internal controls that protect the confidentiality, integrity, availability and privacy of the data being used in the cloud.
NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...IJNSA Journal
The need for information security within small to mid-size companies is increasing. The risks of information security breach, data loss, and disaster are growing. The impact of IT outages and issues on the company is unacceptable to any size of business and its clients. There are many ways to address security for IT departments. Addressing the risks of attacks as well as disasters is important to IT security policies and procedures. The IT departments of small to medium companies have to address these security concerns within their budgets and other limited resources. The security planning, design, and employee training that are needed require input and agreement from all levels of the company and management. This paper will discuss security needs and methods to implement them in a corporate infrastructure.
TWO-LAYER SECURE PREVENTION MECHANISM FOR REDUCING E-COMMERCE SECURITY RISKSijcsit
E-commerce is an important information system in the network and digital age. However, network intrusion, malicious users, virus attacks and system security vulnerabilities have continued to threaten the operation of e-commerce, putting e-commerce security to a serious test. How to improve e-commerce security has become a topic worthy of further exploration. Combining routine security test and security event detection procedures, this paper proposes the Two-Layer Secure Prevention Mechanism (TLSPM). Applying TLSPM, the routine security test procedure can identify security vulnerabilities and defects and develop repair operations. The security event detection procedure can detect security events in a timely manner and assist follow-up repair. TLSPM can enhance e-commerce security and effectively reduce the security risk to e-commerce critical data and assets.
E-commerce is an important business transaction system in the network age. However, network intrusion, malicious users, virus attacks and system security vulnerabilities have continued to threaten the operation of e-commerce, putting e-commerce security to a serious test. In order to avoid system security flaws and defects causing users great loss, how to reduce e-commerce security risk has become a topic worthy of further exploration. In this paper, the critical security requirements for the e-commerce system are investigated, and the compliance, availability and manageability quality characteristics for e-commerce software security requirements are deduced. Applying the quantified quality characteristics, the paper proposes a Security Requirement Quality Measurement (SRQM) model. Based on the SRQM model, the paper develops a Security Requirement Quality Improvement (SRQI) procedure to identify problems and defects in security requirement quality, and to assist in adjusting and revising those defects in a timely manner, enhancing e-commerce security effectively.
It implement-it-asset-management-executive-briefVisal Thach
IT asset management (ITAM)’s real value doesn’t emerge from compliance; it comes from strengthening other IT services.
Proactive asset management can prevent an audit from happening.
Treat ITAM like a process, not a project.
Impact and Result
Develop an IT asset management standard operating procedure.
Draft a list of technical requirements for an ITAM solution to help generate a shortlist.
Save thousands on lost or stagnant equipment and costly data breaches.
Improve other processes by leveraging IT asset data.
Streamlining Identity and Access Management through Unified Identity and Acce...happiestmindstech
Effective identity and access management enables private and public enterprises to manage identities and access in and out of the business boundaries to meet various business objectives. The benefits of IAM are more or less the same for organizations irrespective of the nature of business. Similarly, the challenges and issues associated with IAM are similar across all industry segments.
A survey on identification of ranking fraud for mobile applicationseSAT Journals
Abstract: Nowadays, the mobile App is an extremely popular and well-known concept because of the rapid progress in mobile technology and cell phones. Because of the large number of mobile Apps, ranking fraud is the key challenge facing the mobile App market. In this paper we propose a ranking fraud detection framework for mobile Apps. The proposed framework mines the leading sessions of mobile applications to precisely locate the ranking fraud. In addition, by modelling Apps' ranking, rating and review behaviours using statistical hypothesis tests, we examine three kinds of evidence: ranking-based evidence, rating-based evidence and review-based evidence. An aggregation method is proposed to combine all the evidence for fraud detection. Keywords: Ranking Fraud, Fraud For Mobile, Identification Mobile Fraud
Hi fellas,
Here is a ppt which helps you to get some basic idea of web servers, application servers, shared and dedicated hosting, backup servers and SSL concepts...
The technology pool is amazingly vast.
This is a drop of it.
In this presentation, we will discuss in depth about the importance of technology in business, what IT governance is and its impact.
To know more about Welingkar School’s Distance Learning Program and courses offered, visit:
http://www.welingkaronline.org/distance-learning/online-mba.html
IT Governance and Compliance: Its Importance and the Best Practices to Follow...GrapesTech Solutions
With new technology coming in every day, the need for IT governance and compliance is essential. IT governance and compliance are not only necessary for consumers but also for businesses. A strong IT governance plan can help add immense value to your business.
Many businesses are not aware of the importance of IT governance and its compliance. Hence it is important first to understand IT governance and the compliance standards.
Explore the Significance of IT Governance and Compliance in 2024. Explore best practices for effective management, ensuring security, and meeting regulatory standards in the dynamic IT landscape.
For unparalleled IT management service in Folsom, Total Secure Technology is the trusted service provider. Our tailored IT management service Folsom solutions cater to businesses of all sizes, ensuring seamless operations and maximum efficiency. With our expertise, businesses can focus on their core objectives while we handle the complexities of IT management in Folsom. Trust Total Secure Technology for comprehensive IT management service in Folsom, delivering unmatched reliability and security.
IT Solutions For Your Bayou Vista, TX Small BusinessRion Technologies
IT solutions encompass a broad range of services and products designed to address the technological needs of businesses and organizations. These solutions ensure the optimal functioning of computer systems, networks, databases, and software applications, vital for daily operations.
Attacks on the enterprise are getting increasingly sophisticated. Current solutions available do not seem to be adequate given the innovativeness, precision and persistence of these attacks in different forms and of different dimensions. Organisations thus want to increase the sophistication of their employees and also of the solutions to be deployed given this backdrop.
Managed IT services are not limited to a specific industry or business size. Organizations of all sizes, from small startups to large enterprises, can benefit from these services. Businesses with limited IT resources find managed services particularly valuable, allowing them to access top-notch IT expertise without the need for a dedicated in-house IT team.
Tech Savvy Strategies Navigating IT Considerations in Carve-Out Planning and ...AVENDATA
In the context of corporate carve-outs, the role of technology is crucial in ensuring the smooth transition of business units to separate entities. This involves a comprehensive assessment of IT infrastructure and systems, including hardware, software, networks, and data centers, to determine their suitability for transition. This assessment serves as the foundation for strategic decision-making and resource allocation throughout the carve-out process.
Addressing data migration and integration challenges is also essential in carve-out transactions, as it ensures the secure and efficient transfer of data from the parent company to the carve-out entity. A robust data migration strategy should be developed, considering factors such as data volume, complexity, sensitivity, and regulatory compliance requirements. Data integration tools can be used to harmonize disparate data sets and facilitate business continuity post-carve-out.
Application rationalization and transition are crucial in carve-out transactions, as they often involve a complex ecosystem of applications and software systems that support business operations. A thorough assessment of the application landscape is necessary to identify redundant, outdated, or non-core applications that can be rationalized or retired. A phased approach to application transition is needed, prioritizing critical systems while minimizing disruption to ongoing operations.
Cybersecurity and risk management are top concerns in carve-out transactions, as the separation of business units can create vulnerabilities and increase the risk of data breaches or cyberattacks. Implementing robust cybersecurity measures, conducting security assessments, penetration testing, and vulnerability scans, and developing incident response plans and contingency measures are essential.
IT governance and compliance are essential in carve-out transactions, particularly in regulated industries like healthcare, finance, or pharma. Establishing clear roles, responsibilities, and decision-making processes for IT governance within the carve-out entity is crucial.
Similar to RSM India publication - How Robust is your IT System (18)
THE NEW AXIS OF FINANCIAL REPORTING - IND AS AND ICDSRSM India
The New Axis of Financial Reporting – IND AS & ICDS: This publication is intended to provide readers with a broad understanding of the applicability of Ind AS and Income Computation and Disclosure Standards (ICDS), and some key differences from IFRS and the Accounting Standards (AS) presently applied by companies.
RSM India Newsflash - Startup India: Launch of 'Portal & Mobile App' and 'FAQs'RSM India
The ‘Startup India’ initiative was launched by the Prime Minister of India, Shri Narendra Modi, on 16 January 2016 at Vigyan Bhavan, New Delhi, and as part of the event a Startup India Action Plan was released. The Action Plan highlighted various initiatives envisaged by the Government to develop a conducive Startup ecosystem in the country, one of the integral parts being the launch of the ‘Startup India portal and mobile app’. Accordingly, the portal and app have been launched.
Also, frequently asked questions (FAQs) have been issued recently by the Department of Industrial Policy and Promotion.
Our newsflash captures:
A. Key features of the portal and app
B. Recently released FAQs
Publication - RSM India Budget 2016 Key AspectsRSM India
We are pleased to enclose herewith our publication 'India Budget 2016 – Key Aspects', which provides a broad overview of the Union Budget 2016-17 presented on 29 February 2016. While we have largely covered the direct and indirect tax proposals of the Indian Government for the fiscal year 2016-17, other major policy initiatives having a significant impact on business in general have been briefly dealt with.
In the midst of an uncertain global economic outlook, India is emerging as the new ‘global economic hotspot’. The Indian economy is estimated to grow at 7.6% in FY 2015-16 and is expected to grow at 7% to 7.75% in FY 2016-17, making it the fastest growing major economy in the world. The Union Budget 2016 is primarily driven with the objective of accelerating investment in infrastructural sector, fiscal consolidation and reducing litigation.
In our budget publication, we have analysed the significant budget proposals and have additionally included the following reference chapters:
• G20 Countries - Comparative Corporate and Personal Tax Rates
• DTAA Rates
• Tax Incentives for Businesses
• Direct Taxes and Service Tax Compliance Calendar
• TDS Chart
We trust you will find the same useful.
IFRS in India - RSM India publication (pre 2010)RSM India
This book, published (before 2010) by RSM India group, is intended to provide its readers with a broad understanding of IFRS requirements in India and some key differences between IFRS and Indian Accounting Standards.
Operations Consulting Overview - RSM India publicationRSM India
This book, published by RSM India group (before 2010), intends to give an overview of the various standards and the Operations Consulting services offered by us.
Accessing Capital, An Insight - RSM India publication (2011)RSM India
This publication by RSM India group, published in April 2011, is general in nature and endeavors to analyse certain significant aspects of tapping capital.
Doing Business in India - RSM India publication (2012)RSM India
The aim of this book, published by RSM India group in 2012, is to provide general information about doing business in India and every effort has been made to ensure the contents are accurate and current. However, tax rates, legislation and economic conditions referred to in this publication are only accurate at the time of writing.
RSM India - Service Tax Regulations In India-An Insight (2013)RSM India
This publication by RSM India group (dated September 2013) intends to provide a broad overview of Service Tax Regulations prevalent in India and primary assistance to those transacting service business in India.
RSM India publication - India Budget 2015 HighlightsRSM India
This publication offers a broad outline of the highlights of the Union Budget 2015. It contains the proposals and amendments as given in the Finance Bill, 2015.
RSM India Publication - Executive remuneration - Certain Tax & Legal AspectsRSM India
This publication provides a broad outline of certain tax regulations and other related aspects of Executive Remuneration prevailing in India and relating to income from salaries
Newsflash - increase in MVAT rate with effect from 1 October 2015RSM India
On 30 September 2015, the Maharashtra VAT Department issued Notifications VAT. 1515/C.R. 128A/Taxation-1 and VAT. 1515/C.R. 128B/Taxation-1 for an increase in the MVAT rate with effect from 1 October 2015.
We have summarized the said notification in form of newsflash and trust you will find the same useful.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT, I was wondering, as an “infrastructure container kubernetes guy”, how does this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and provide you with a short journey through existing deployment models and use cases for AI software. Using practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview of infrastructure requirements and technologies that could be beneficial or limiting for your AI use cases in an enterprise environment. An interactive demo will give you some insights into which approaches I have already got working for real.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio's cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors and newer malware, including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
DevOps and Testing slides at DASA ConnectKari Kakkonen
Rik Marselis' and my slides from the DASA Connect conference on 30.5.2024. We discuss what testing is, then what agile testing is and finally what Testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find different ways to think about quality and testing in different parts of the DevOps infinity loop.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality - Inflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... - DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Neuro-symbolic is not enough, we need neuro-*semantic* - Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
RSM Astute Consulting Group
Indian member of RSM International
Personnel strength of about 950
Consistently ranked amongst India's top 6 accounting and consulting groups (Source: International Accounting Bulletin, September 2010 and September 2011)
Nationwide presence
International delivery capabilities
RSM International
6th largest network of independent accounting and consulting firms in the world
Annual combined fee income of US$ 3.9 billion
700 offices across 94 countries
www.astuteconsulting.com
How Robust Is Your Information Technology System?
How robust is your IT system? - RSM Astute Consulting
Contents
Section I: IT Systems Assurance - A Holistic View (pages 1-4)
Section II: Progressive IT Systems Assurance Model (pages 6-9)
Section III: Journey towards Perfection (pages 11-61)
  Chapter 1: IT Management Framework (11)
  Chapter 2: IT Infrastructure Management (16)
  Chapter 3: Application Controls (24)
  Chapter 4: Identity and Access Management (29)
  Chapter 5: Project Management - Transformation (33)
  Chapter 6: Operations Framework (40)
  Chapter 7: Protecting Data Layer (47)
  Chapter 8: Business Continuity Planning Framework (50)
  Chapter 9: Human Interface to IT Systems (54)
  Chapter 10: Compliance and Regulatory Framework (56)
  Chapter 11: Impact of Contemporary Trends (60)
Section IV: Creating Excellence in IT Systems Assurance (pages 63-67)
Annexure I (68)
Annexure II (69)
Section I: IT Systems Assurance – A Holistic View
1.1 Introduction
The Information Technology revolution has transformed the business landscape across the globe in the last two decades. Changes due to ERP systems, the internet, social networking, mobile computing and e-commerce have permeated the entire life cycle of any business organization. Organizations, irrespective of their nature, size and industry, have witnessed a paradigm shift in the way they strategize, build and operate their businesses around an IT ecosystem. Information Technology has become the backbone of every business and, in sectors such as banking and financial services, airlines, telecom, e-commerce portals and manufacturing, has itself become the business driver. These industries have created technology-enabled business models that give them global reach and provide customer-centric services with a personalized experience. The internal levels of technology adoption, the associated process changes, the organizational risk profile and the internal control systems have all changed in step with the external world. An Information Technology Assurance Program is a continuous and dynamic program to ensure that the internal control systems that depend on the organization's information technology remain current, comprehensive, effective and responsive to such changes.
Recognizing the need and importance of IT in business, organizations have invested heavily in IT infrastructure, applications and all other supporting programs. Managements are equally concerned about the return on such IT investments. Given the critical role of IT in business today, it is imperative that management and stakeholders review the IT systems in a structured and holistic manner, and they are concerned with the following issues:
- Existence and effectiveness of an IT governance framework
- Effective technology controls to ensure transaction-level integrity
- Confidentiality and timeliness of the information processed
- Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) ensuring availability of data
- Effective compliance with regulatory requirements and adherence to industry best practices
1.2 IT Systems Assurance – Need and Key Drivers
Various external and internal factors act as key drivers that compel an organization to adopt a comprehensive IT systems assurance program.
1.2.1 External Factors
- Rapid changes to information technologies creating unknown risks
- Increasing third-party dependence of the organization's key processes
- Identification of new vulnerabilities in systems on a daily basis
- Emergence of organized and unorganized hacker communities
- Rising customer demands on service availability, process transparency and data privacy
- Stringent regulatory frameworks and internationally benchmarked standards
- Frequent acquisitions and mergers leading to complex IT ecosystems
1.2.2 Internal Factors
- Variance between organizational strategy, the executive decision-making process and the operational environment
- Fragmented approach of management towards adoption of technology
- Insufficient controls in terms of inadequate user training, lack of segregation of duties and inadequate testing before deployment
- Trusted insiders perpetrating fraud or misuse of the systems
- Obsolescence of information assets
A generic depiction of the motivational factors for an IT Assurance Program is set out below.
[Figure: Key drivers of IT assurance program. "IT Systems Assurance" at the centre, surrounded by: System & Process Variances; Protection from Internal / External Misuse; Uninterrupted Operation needs; Global Accessibility of Data; Customer Data Privacy; Changes to Business / Technology Environment; Industry Regulation]
1.3 IT Systems Assurance - A Holistic Program
An IT systems assurance program is a holistic program adopted by businesses to ensure the achievement of their short-term and long-term goals with the help of IT. It is imperative that the program encompasses the entire life cycle of the business and is functional at the grass-roots level. Hence, internal control systems need to be effective at the business, process, technology and operational layers.
Assurance of an IT system needs to include the IT management framework, which necessarily includes the organization's IT strategy, IT risk management program, IT structures, IT architectures and IT policies, in order to ascertain the soundness of the foundations of the IT systems. Such a program needs to apply to all IT assets, including data, applications, infrastructure, people, tools and technologies.
The IT systems assurance program must take into consideration the impact of information technology on the overall functioning of the organization. It needs to cut across financial, legal, regulatory and operational assurance requirements. The impact of constant change in the technology environment must be covered under the IT assurance program. It is also important that the program addresses the long-term sustenance requirements of the organization.
Finally, the IT systems assurance program needs to have specific business objectives. Beyond technology factors, it is expected to ensure capital protection, provide competitive advantage through efficient internal control systems, facilitate IT compliance requirements and infuse customer confidence in the overall well-being of the organization.
In today's world, where IT risks are embedded at various levels, an IT assurance program cannot be truly effective unless it is all-encompassing in nature.
An illustrative diagram of the same is given on the next page.
Section II: Progressive IT Systems Assurance Model
Introduction
As the IT Assurance Program is comprehensive, organizations face various challenges during its implementation and review. The IT maturity levels and business requirements of every organization are different. It is necessary to unfold the program in a structured manner, suited to the unique needs of the organization and its industry, and through an organized change management process. There should be specific programs, processes and visible outputs at every stage to give management the comfort and confidence that there is continuous progress in the IT assurance program. Typical concerns that management would address in a stage-wise manner include:
Stage I
- What is the current organization IT posture?
- What are the current IT risks and concerns?
- Is the organization deploying the appropriate measures to address IT risks?
- Has the organization assigned appropriate resources to implement such measures?
Having assessed the macro-level view of the organization's IT risk program, managements would typically like to assess the progress of the IT risk mitigation program.
Stage II
- What are the organization's specific pain areas and why do they exist?
- How deep-rooted are the risks and to what extent do they impact the organization's IT posture?
- Has the organization adopted the right mitigation measures?
- Is it necessary to review and implement the program in a simplified and progressive manner?
Stage III
Further, the same organization would take an integrated view of the success of the IT assurance program. Typically, the concerns that management would like to address or value would include:
Illustrative usefulness of such reviews is tabulated below:
IT Overview is more useful when:
- Organizations have not conducted an IT review in the past
IT Substantive checks are more useful when:
- One or more IT areas require a deep dive
IT Integrated checks are more useful when:
- IT systems need to be validated along with the overall internal control systems
The remaining entries of the table, each a situation that favours one of the three review types:
- Automated or system tools are necessary due to the high volumes or the nature of the systems
- Organizations have frequent issues related to IT management
- There is a need to validate the assumptions and progress of IT evolution
- The organization intends to obtain industry-specific compliance or certification
- The IT ecosystems need significant changes
- Detailed support for the diagnostic reviews is required
- Major changes in the organization's information processing systems need validation
- Mergers and acquisitions take place
- Systems undergo major changes
- Organizations intend to take a long-term view of process improvements
- The review time frames available are short
- Organizations are willing to spend adequate time to focus on specific issues
Chapter 1: IT Management Framework
1.1 Introduction
The IT management framework sets the context for all Information Technology initiatives. The framework needs to be comprehensive and should take a 360-degree view of the organization's requirements. The IT Management Framework includes Strategy, Architecture, Structure, Risk Management and Policies. Each of these aspects is dealt with separately below.
1.1.1 Alignment of IT Strategy with Business Goals
The success of an IT system depends upon how closely the IT strategy, its execution and its monitoring are linked to business goals. Some of the common deficiencies arise when:
- IT strategies are prepared in isolation from business strategies.
- Businesses tend to underestimate the criticality of certain dormant IT issues.
- Cross-functional teams do not participate in the IT strategy program.
It is necessary that business goals are well defined and that IT goals are derived from the individual business goals.
An illustration of how IT Strategy is aligned to Business Goals is shown in the figure below.
[Figure: Business Goals (Business Strategy; Customer Acquisition; New Products; Business Expansion; Enterprise Risk Management) mapped to IT Goals (New Services; Functionality Upgrades; Scalable Architecture; IT Risk Management)]
1.1.2 Information Architecture
Every business entity is supported by its individual functional units, which have their respective roles to play within the organization. Each functional unit is also dependent on the IT systems for its individual data processing needs.
The diagram below depicts how the various functional units within the organization are connected to each other through their data processing needs.
The IT functional architecture gets defined after considering the nature of information exchange, the volume of data processing, the geographical locations of operations, data processing, deployment and scalability requirements, and the internal controls structure.
In the current environment of frequent mergers and acquisitions and other structural changes, business interfaces and data processing need to undergo constant change. Unmanaged changes create long-term risks for the organization.
Such activities require due diligence, third-party audits and sharper definition of roles, responsibilities and liabilities in case of system breaches.
[Figure: Data Processing Needs at the centre, connected to: Human Resource; Legal & Compliance; Material Management; Project Planning; Data Center; Service Provider; Customer Services; Sales & Distribution; Third Party; Production Management; Operations; Accounts & Finance]
1.1.3 IT Structure
An IT structure is necessary to establish a proper and efficient IT execution process within the organization. To have appropriate checks and balances, it is necessary that the roles and responsibilities of the various functions are well defined. Some of the common deficiencies include:
- Improper segregation of duties in the decision-making and execution process
- Organizations performing primarily on the basis of "assumed responsibilities"
- Improper analysis of work content, estimates and staff alignment
- Inadequate mechanisms to measure skills
A good organization structure is derived from a well-defined work breakdown structure (WBS) and functional breakdown structure (FBS) hierarchy. With the level of technology absorption and process integration, the structures need to be dynamic. In the case of large organizations, the relationship between central units, individual functional units and the various control functions needs to be defined in such a way that the overall internal control system remains well coordinated, efficient and optimal. Certain functions would be more effective if outsourced; however, the organization needs to retain ownership of and accountability for them.
1.1.4 IT Risk Management Framework
With increasing dependence on IT systems, the organization's vulnerability to IT risk also increases. Thus, the success of the organization depends upon its ability to contain IT risk, which requires it to create an IT risk management program. The IT risk management program needs to emerge from the Enterprise Risk Management program.
[Figure: ERM > Control Activities > Control over Information Systems > IT controls at individual layer]
The IT risk management program methodology needs to be well defined and detailed. It should cover the following aspects:
- Asset identification, classification and valuation
- Assessment of threats and vulnerabilities
- Overall risk assessment
- Risk prioritization
- Control evaluation with cost-benefit analysis
- Risk treatment plan: acceptance, avoidance, transfer and mitigation
1.1.5 IT Policies
IT policy is the most important and critical part of the IT assurance of the organization. The coverage, depth and maturity of the policy vary from organization to organization. Various industry and regulatory bodies also make an IT policy a mandatory requirement for compliance.
Common deficiencies in IT policy management include:
- IT policies are not aligned with changes in the technological environment.
- IT policies do not adequately provide the necessary direction to the execution team.
- IT policies do not provide the necessary operational-level flexibility.
- IT policies are not communicated to the staff and all concerned persons in an effective manner.
Management needs to ensure that IT policies remain the guiding force of the organization's IT framework.
The effective management of the IT policy and procedural framework with a layered approach is depicted in the figure below.
[Figure: IT Policies and Procedural Structure, from top to bottom: Vision statement (signed by the CEO); Directional Policies (signed by Steering Committee); Functional Policies (signed by Functional Heads along with IT); Standards & Guidelines (signed by governing body); Detailed Operational Procedures (signed by operation owners). 3 characteristics: Comprehensiveness, Consistency, Communication]
1.2 Reviews
An overview of the IT management framework needs to cover:
- Existence, ownership and review process of strategy, risk management, structure, architecture and policies
- Change management and approval process
A substantive review of the IT management framework needs to cover:
- Appropriateness of the methods and standards adopted by the organization
- The functioning of IT management at the individual unit level of the organization
- Existence and detailing of Standard Operating Procedures
An integrated review of the IT management framework needs to cover:
- The alignment of the entire IT management framework with business strategy, enterprise risks and the operational plan
Chapter 2: IT Infrastructure Management
2.1 Introduction
Today no organization functions in isolation from the rest of the world; it is always connected externally and internally through a mesh of networks.
Organizations provide connectivity to external users such as customers, suppliers, business partners and other stakeholders. Internal users of the organization are also permitted to connect to the organizational network through remote access. Such access is provided through public / e-commerce websites, kiosk / ATM channels, mobile commerce and service outlets, and the connectivity is provided by deploying leased lines, MPLS, VPNs, wireless technologies and other equivalent mechanisms. Nowadays, many financial transactions across banks and Government institutions take place through interfaces and payment gateways. In the modern world, such connections are often part of global networks.
To facilitate external connectivity, organizations create an interfacing architecture. Considering that the elements hosted in this architecture are prone to external risks, a separate network segment is created and special security measures are taken to prevent and/or detect any direct, indirect or potential risks to this segment.
Internally, users of the organization are connected over wide area networks and local area networks using various connectivity techniques. The spread and complexity of the internal network depend on various factors, including the number of locations, the number of users, the nature of the activities they perform, the data processing volume and the overall system deployment architecture.
The internal network is divided into multiple segments using routers, switches, firewalls, virtual LANs and various other techniques. These segments host various servers, databases and information processing devices. The entire functional architecture of the organization is mapped onto the network architecture.
Various types of technology solutions exist that are capable of controlling and monitoring the behaviour of the network elements. These are responsible for enforcing centralized policies and include anti-virus management, central domain controllers, authentication servers, data protection servers, log monitoring servers and many more services.
Internal users of the organization consist of various classes of users, such as normal users and premium users (e.g. administrators and the custodians of critical data). Each of these user classes requires different levels and types of access, with different requirements for data confidentiality.
In a nutshell, an organization's typical network consists of the following broad segments:
- External networks connecting to the organization
- Internal network segment communicating with the external world
- Internal network segment hosting the organization's infrastructure
- Internal network segment from where users operate
A schematic diagram of the same is depicted on the next page.
In reality, the architectures could be more complex for most organizations, as the number of network elements runs into hundreds, thousands or even beyond, depending on the size of the organization and the volume of data processing.
Further, the way the organization creates its internal network depends on its business model and its geographical and financial constraints.
2.1.1 External Threats to the Organization Network
Technologies create immense business opportunities by allowing connectivity to the external world. This also brings various risks for the business. Managements are always concerned about fraudulent activities taking place on the network from outside sources (e.g. an attack on the internal network through malware, or security threats during e-commerce transactions). Any misconfiguration of elements can result in a vulnerability that can be exploited by external users. Some of the vulnerabilities prone to external threats are:
- Weaknesses in the security architecture that allow direct access to the internal network from external sources
- Weak encryption techniques used during data transmission that allow data sniffing and interception
- Inability to prevent various types of organized / unorganized hacking attempts on the network, which can potentially result in denial of service, web defacement and similar consequences; these pose a reputational risk to the organization
- Data theft by an unauthorized user accessing the network or an information resource such as a server through the compromised credentials of authorized users
- Performance bottlenecks on the network impacting customer service and external interface processing capabilities
With the rising complexity of technologies, the ease of obtaining hacking tools, determined socially disgruntled groups, and international and business rivalries, the possibility of cyber-attack is real.
Organizations need to enhance their ability to handle threat mechanisms on a real-time basis and keep pace with the rate at which external threat profiles are changing.
Safeguards from external threats to the organization include:
- Establish very strong authentication mechanisms for external connectivity
- Encrypt the data flowing on the network
- Create strong traffic monitoring and filtering mechanisms at different layers
- Keep the external infrastructure tested and upgraded to pre-empt any attacks
- Carry out vulnerability analysis and penetration tests and take corrective measures
2.1.2 Internal Threats to the Organization Network
Internal networks are segmented into various zones, and network traffic is regulated using firewalls, switches, routers and various other devices. These devices can be deployed across various regions and geographies and virtually create borderless organizations. In spite of the best internal design, given the complexities involved, concerns about system compromise due to flaws in internal network systems will exist.
Incorrect configuration risks include:
- Creating unwanted internal navigation paths for users due to "open" configurations on devices
- Improper user management and authentication configuration that allows entry to unauthorized users
- Weaknesses in administrative, accounting and auditing controls impacting the preventive and detective abilities of the organization
- Unencrypted interfaces that can be sniffed by a malicious user
- Redundant software residing in the system in the form of programs, utilities and scripts
- Weaknesses in the centralized control architecture, due to which organization policies cannot be enforced on all information resources
- Traffic anomalies and bottlenecks resulting in degraded services on internal networks
The efficiency, availability and security of the entire network depend on how well the business requirements are mapped onto the network devices and how these devices have been configured. Broadly, these include various types of:
- Authentication techniques
- Traffic monitoring techniques
- Policy enforcement techniques
- Performance measurement techniques
- Logging and monitoring techniques
A combination of multiple such techniques at different layers, in a structured manner, is necessary to create an efficient defence and monitoring architecture. Active vigilance on their outcomes pre-empts several threats to the network in a timely manner.
A careful analysis of the events taking place across the organization's architecture gives good insight into the behaviour of the traffic flowing across the networks. This helps organizations to fine-tune security and performance on an ongoing basis.
Safeguards for the organization network include:
- Proper network segmentation
- Sensitive system isolation
- Data management controls
- Encrypting data flows
- Logging and monitoring of system activities, including administrative activities
2.1.3 Insider Threats to an Organization
Managing IT systems involves a human element, and organizations need a trust environment to operate successfully. With the advent of new technologies, the emergence of new vulnerability exploitation techniques and insiders' access to the organization's data resources, the organization is dependent on the 'trust level of an insider'. Hence, organizations are concerned about insider threats. These include:
- 'Trusted' insiders misusing the systems through their privileges and rights
- Exploitation of network and application weaknesses for individual gain
- Manipulation of access rights so as to 'allow' fraudulent activities
- Suppressing system evidence and logs
Organizations need to create safeguards against such threats. These safeguards include:
- Creating "need to know" based internal access systems with built-in segregation of duties
- Performing background checks and having a practice of periodic job rotation
- Restricting access to system evidence and logs
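The first safeguard, access on a need-to-know basis with built-in segregation of duties, is usually reviewed by comparing each user's effective entitlements against a list of duties that must not sit with one person. As an added example, not taken from the RSM paper, the following Python script performs that review over a constructed accounts-payable process: it derives effective entitlements from role assignments, reports users who hold a conflicting pair, flags roles that are conflicting by themselves, and checks a proposed role grant before it is applied, so that "manipulation of access rights" is caught at grant time rather than after the fact. Role names, entitlements, users and conflict pairs are all illustrative.

```python
"""Segregation-of-duties (SoD) review over role assignments.

Added example: the roles, entitlements, users and conflict pairs below
describe a constructed accounts-payable process, not a real system.
"""

# Role -> entitlements the role grants.
ROLES = {
    "ap_clerk":      {"vendor.create", "invoice.enter"},
    "ap_supervisor": {"invoice.approve"},
    "treasury":      {"payment.release"},
    "ap_admin":      {"vendor.create", "invoice.enter",
                      "invoice.approve", "payment.release"},
    "auditor":       {"log.read"},
    "sysadmin":      {"user.role_assign", "log.read", "log.delete"},
}

# Pairs of entitlements that must never be held by the same person.
CONFLICTS = {
    frozenset({"vendor.create", "payment.release"}),     # create a vendor and pay it
    frozenset({"invoice.enter", "invoice.approve"}),     # enter and approve an invoice
    frozenset({"invoice.approve", "payment.release"}),   # approve and release payment
    frozenset({"user.role_assign", "payment.release"}),  # grant oneself rights and pay
    frozenset({"log.delete", "payment.release"}),        # pay and erase the evidence
}

# User -> roles currently assigned.
ASSIGNMENTS = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_supervisor"},
    "carol": {"ap_clerk", "ap_supervisor"},  # kept the old role after a job change
    "dave":  {"ap_admin"},
    "erin":  {"auditor"},
    "frank": {"sysadmin", "treasury"},
}


def entitlements_of(roles, role_map=ROLES):
    """Union of the entitlements granted by a set of roles."""
    ents = set()
    for role in roles:
        ents |= role_map[role]
    return ents


def conflicts_in(entitlements, conflicts=CONFLICTS):
    """Sorted list of conflicting pairs fully contained in an entitlement set."""
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= entitlements)


def sod_violations(user, assignments=ASSIGNMENTS):
    """Conflicting pairs the user currently holds through assigned roles."""
    return conflicts_in(entitlements_of(assignments.get(user, set())))


def review(assignments=ASSIGNMENTS):
    """Detective check: every user with at least one conflict, with the pairs."""
    report = {}
    for user in sorted(assignments):
        found = sod_violations(user, assignments)
        if found:
            report[user] = found
    return report


def toxic_roles(role_map=ROLES):
    """Roles that violate SoD on their own and so can never be safely assigned."""
    return sorted(r for r, ents in role_map.items() if conflicts_in(ents))


def would_conflict(user, new_role, assignments=ASSIGNMENTS):
    """Preventive check: conflicts that granting new_role to user would create."""
    roles = set(assignments.get(user, set())) | {new_role}
    return conflicts_in(entitlements_of(roles))


if __name__ == "__main__":
    for user, pairs in review().items():
        print(user, "holds conflicting duties:", pairs)
    print("roles toxic by design:", toxic_roles())
    print("granting treasury to alice would create:", would_conflict("alice", "treasury"))
```

The detective `review` is what a periodic access recertification runs; the preventive `would_conflict` is the check a provisioning workflow should run before approving a request, because a conflict that already exists is only found by the next review, while one refused at grant time never becomes a fraud opportunity. A role that is toxic on its own (here `ap_admin`) cannot be fixed by reviewing users; it has to be split.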
2.1.4 Risk Remediation through Vulnerability Assessment and Closure
In practice, it is not easy to achieve and retain a completely secure systems architecture. Vulnerabilities exist across all network layers, devices and technologies. These vulnerabilities are detected through in-house tests or publicized by product vendors or through global databases, and they need to be acted upon immediately. Vulnerability assessment and remediation are activities that the organization needs to perform on a continuous basis. This includes assessing the impact of each vulnerability on the working environment, identifying a remediation plan, appropriate testing and releasing patches. Following best architecture, development and change management practices is the best way to stay away from vulnerability issues.
2.1.5 Differences in Business Models Influence IT Control Systems
In today's organizations, several functions such as data center management, e-mail management, day-to-day operations, storage management and application management are outsourced to external parties. Cloud computing based technologies are becoming popular, as a result of which organizations' data processing activities are now carried out through a mesh of widely distributed networks and functions. A truly modern organization can work on a "hyper-connected" model. This has a significant impact on organizations' internal control systems. An illustration of the same is tabulated below:
Correlation between business model and information architecture, and how it impacts the internal control system:
Business Model: Closed Centralized
  Information Architecture: Centralized assets / centralized IT operations; individual units are users
  Control: Complete, internal
Business Model: Closed Decentralized
  Information Architecture: Centralized framework, all assets belong to the company; however, deployment and operational decision making are at the individual business units' end
  Control: Distributed and internally controlled
Business Model: Outsourcing of IT Data Centers
  Information Architecture: Infrastructure services outsourced and the rest managed internally
  Control: Strongly internally controlled; external control through SLA
Business Model: High Level Outsourcing
  Information Architecture: Infrastructure and customer handling services outsourced and the rest managed internally
  Control: Reduced direct control by the organization; needs effective monitoring
Business Model: Significant Outsourcing
  Information Architecture: Server + application + operations are outsourced; only the data belongs to the organization
  Control: Limited control of the IT function; however, accountability cannot be outsourced
The IT assurance program and its transition need to be aligned with the set-up of the organization.
2.2 Network Reviews
A review of the entire network architecture and its processes is necessary to evaluate the robustness of the network architecture.
An overview of the IT infrastructure needs to cover:
- Adequacy of organization policies and procedures at different layers
- Test checks on procedures around architecture management
- Adherence to Service Level Agreements signed with vendors
A substantive review of the IT infrastructure needs to cover:
- Network device configuration
- Change management processes
- Technology obsolescence and vulnerability analysis
- Security checks on internal network paths
An integrated review of the IT infrastructure needs to cover:
- Administrative controls and checks
- In-depth analysis of system filters at different layers
- Root cause analysis of different incidents
- Anomalies detected through traffic monitoring logs
- Business compliance that needs to be supported by the infrastructure
Chapter 3: Application Controls
3.1 Introduction
Organizations develop and deploy applications in their environment to automate their business processes. Applications integrate various functions, provide the necessary workflow, increase internal operational efficiency and give management complete visibility of the current status of transactions at various layers. Organizational intelligence is built into the design of the application. Applications are normally scalable, used by a large segment of the organization and process voluminous data. As applications mature, organizations become more dependent on the application's functions. Every application has its own architecture, platforms, functionality and purpose. Application controls therefore become one of the most decisive factors in evaluating the overall risk posture of the organization.
Most organizations deploy either ERP or legacy system solutions to support their data processing needs. For an effective implementation, application controls need to be incorporated at the design stage and should take into account the following:
- Logical access control
- Authentication control
- User interface control
- Input validation controls
- Data processing and output controls
- Functional controls
- Session-level validation
- Controls built around the server, database and operating system architecture
- Scalability and performance controls
- Secure coding controls
3.1.1 Enterprise Resource Planning (ERP) and Legacy Systems
An organization may have different IT applications to fulfil its information needs. These needs may be fulfilled by legacy applications or integrated ERP applications. However, ERP is preferred to legacy applications as it integrates business processes in a seamless manner, adopts best industry practices and has in-built features such as:
• Open system architecture
• Multi-tier architecture
• Enterprise data model
• Accessibility through multiple channels
• Multi-national, multi-currency transactions
• Integrated real-time processing
• Ability to stay current with technology
• Strong integration with business processes
• Integrated turnkey solutions
However, ERPs are sometimes cumbersome to implement, require business process reengineering, good change management and acceptance at various levels, and sometimes have a long implementation phase. Hence, legacy systems continue to occupy critical space in business IT architecture. Legacy systems are aligned to organizational requirements and are firmly embedded in the organization's processes. Organizations therefore need to take extra precautions to ensure that legacy systems run on current technologies, follow strong development processes, have strong business integration and embed functional controls into the system.
3.1.2 Software Development Life Cycle (SDLC)
SDLC, or System Development Life Cycle, is the process used to create or change information systems. A well-defined SDLC is necessary for efficient information systems. Various models have been created to fulfil this need, such as waterfall, spiral, incremental and rapid application development.
The important SDLC stages, as per the most commonly used method, are:
• Business requirement analysis
• Feasibility study
• System requirement study
• System design
• Development
• Integration and testing
• Acceptance and release management
• Maintenance
Having a structured approach to software development leads to better control, documentation, ease of maintenance and higher development and design standards. However, this may increase development time and cost. If an organization desires flexibility to suit its operational needs, the rationale should be documented and approved, and it must be ensured that internal control systems are not compromised for the sake of expediency. It is also recommended that controls be embedded into the application at the design stage and validated at every stage of the project before the application is deployed in the live environment.
3.1.3 Software Development Practices
Software development is a complex and important area for all organizations. Apart from having a structured approach, better practices need to be adopted to achieve secure and well-designed software architecture. Some illustrative practices are mentioned below.
• Source code is crucial intellectual property: it not only satisfies business needs but is also a repository of important organizational knowledge. The software library should have strong access, archival and modification controls and a monitoring mechanism.
• The project system landscape should consist of three separate environments for development, testing and production. Procedural controls should be implemented to ensure that these activities are performed only in their respective environments.
• Web applications that manage and provide sensitive information across the web become targets for unauthorized penetration by attackers seeking personal gain. Security code testing verifies the protection mechanisms built into the software against such attacks.
• In spite of having the best application software, implementation processes and project teams, there are occasions when changes made to application systems must be rolled back. Hence a contingency plan should be in place to deal with such situations effectively.
An illustrative system landscape is shown below:
[Figure: System Landscape with three environments, Development, Quality and Production, and the roles using them: developers, testers, trainers and users.]
3.1.4 Platform Vulnerabilities
Information systems are platform-centric in nature. They may depend on a particular operating system, application software and development platform. Platform vulnerabilities may be greater if the system in question is a legacy system developed by an internal team or an external vendor. A vulnerability may exist due to a weakness of the individual platform or a development weakness. These platforms may also become obsolete because vendor support for the platform has expired or usage of the platform has declined in the market. To overcome these weaknesses, platform vulnerabilities need to be identified and removed. Further, information systems using obsolete platforms should be identified and upgraded to current platforms.
3.2 Reviews
An overview of application controls needs to cover:
• Application architecture
• Application functions
• Application security
• Application operations
Chapter 4: Identity and Access Management
4.1 Introduction
User identity and access management is considered one of the most basic requirements of any IT set-up. It establishes the credentials of users and the level and extent to which they are permitted to transact with the system. All organizations, irrespective of their size and criticality, need a proper mechanism to control the user identities that access organizational systems. Today, the internal systems of organizations are also used and accessed by external users through various channels. Thus, user identity and access management applies to every IT asset and every type of user. Organizations differ from each other in terms of volume, complexity, granularity, level of automation and the technologies used for authentication.
Elements that need detailed consideration for effective identity and access management are:
• User request workflow management
• Identification and authentication mechanism for users
• Assignment of roles and privilege management
• Privilege and security requirements at the individual asset level
• Mechanisms to enforce organizational policies at all granular levels
• Monitoring exceptions and tracking misuse
For a large organization with multiple assets and a constant flux of various types of users, the underlying process complexity rises exponentially. Further, the stakes for the organization are very large, and any critical misuse by a user may, apart from operational losses, result in financial or reputational impact.
4.1.1 User Access Management
Where public users access organization systems such as internet or mobile banking and online transaction business models, and where users or channel partners access organization resources through different channels, strong identity and access mechanisms need to be implemented.
A schematic view of the mapping of user access management processes is depicted below:
[Figure: USER → ROLE → PROFILE → AUTHORIZATION → AUTHORIZATION OBJECT. A detailed mapping of the business requirement is necessary to exercise granular-level access controls.]
Organizations need to differentiate between different sets of administration activities, which results in proper segregation of duties. A schematic view of the same is tabulated hereunder.
Different types of Administrator users
Administrator type | Activities performed
User Administrator | Maintain user master records; assign roles and profiles to the user
Profile Authorization Administrator | Create authorizations; create profiles
Data Authorization Administrator | Change transaction selection; change authorization data
Different organizations achieve different levels of automation in user access management processes, e.g. usage of smart card or biometric technologies, controls through two-factor or multi-factor authentication, integration of user identity management with Active Directory or an equivalent repository, and implementation of single sign-on technologies.
4.1.2 User Life Cycle Management
A schematic representation of how identity and access management process workflows are automated is represented in the diagram on the next page.
4.3 Reviews
An overview of identity and user access management needs to cover:
• Identity and access management policy and procedures
• User life cycle management processes
• Alignment of the identity and access management definitions with organizational requirements
• Adequacy of the controls built in
Substantive checks in the review of user identity and access management need to cover:
• Role repository
• Rules defined to access organizational data
• Compliance with identity and access management policy and procedures
• Functional checks on the identity and user access mechanism
• Logging and monitoring of user life cycle processes
• Verifying the user matrix to ascertain segregation of duties
Integrated checks in the review of user identity and access management need to cover:
• Identity and access architectural review
• Review of activities by users with root or administrative privileges
• Audit trail review
• System-level object privileges
• Integration of the user identity and access management process with other organizational processes
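The substantive check "verifying the user matrix to ascertain segregation of duties" and the administrator split above are usually done by flattening each user's roles into the transactions they can actually execute and comparing that set against a list of conflicting pairs. The following is an added example written for this page, not code from the RSM document: the role definitions, user assignments and the conflict rules are constructed and hypothetical, in the style of an ERP authorization export.

```python
"""Segregation-of-duties check over a user/role matrix (added example).

Constructed sample data: role-to-transaction mapping and user-to-role
assignments. The conflict rules are illustrative pairs of transactions
that one person must never be able to execute together.
"""
from itertools import combinations

# Constructed role definitions: role -> set of transaction codes it grants
ROLE_TRANSACTIONS = {
    "AP_CLERK": {"CREATE_VENDOR", "ENTER_INVOICE"},
    "AP_PAYMENTS": {"RELEASE_PAYMENT"},
    "USER_ADMIN": {"MAINTAIN_USER", "ASSIGN_ROLE"},
    "AUTH_ADMIN": {"CREATE_PROFILE", "CHANGE_AUTH_DATA"},
    "AUDITOR": {"VIEW_LOGS"},
}

# Constructed user matrix: user -> roles assigned
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_PAYMENTS"},
    "carol": {"USER_ADMIN", "AUTH_ADMIN"},
    "dave": {"USER_ADMIN", "AUDITOR"},
}

# Hypothetical SoD rules: (transaction A, transaction B, description)
SOD_RULES = [
    ("CREATE_VENDOR", "RELEASE_PAYMENT", "vendor creation vs. payment release"),
    ("ENTER_INVOICE", "RELEASE_PAYMENT", "invoice entry vs. payment release"),
    ("ASSIGN_ROLE", "CREATE_PROFILE", "user administration vs. profile administration"),
]


def effective_transactions(user, user_roles=USER_ROLES, role_tx=ROLE_TRANSACTIONS):
    """Flatten a user's roles into the set of transactions they can execute."""
    tx = set()
    for role in user_roles.get(user, ()):
        tx |= role_tx.get(role, set())
    return tx


def find_sod_violations(user_roles=USER_ROLES, role_tx=ROLE_TRANSACTIONS, rules=SOD_RULES):
    """Return {user: [rule description, ...]} for every user holding a conflicting pair.

    This is the operational check: it looks at what each user can do today,
    regardless of which role granted it.
    """
    violations = {}
    for user in sorted(user_roles):
        tx = effective_transactions(user, user_roles, role_tx)
        hits = [desc for a, b, desc in rules if a in tx and b in tx]
        if hits:
            violations[user] = hits
    return violations


def toxic_role_pairs(role_tx=ROLE_TRANSACTIONS, rules=SOD_RULES):
    """Role pairs that would create a conflict if ever assigned together.

    This is the design-time check on the role repository itself, so that a
    request workflow can reject such combinations before they reach a user.
    """
    pairs = set()
    for r1, r2 in combinations(sorted(role_tx), 2):
        tx = role_tx[r1] | role_tx[r2]
        if any(a in tx and b in tx for a, b, _ in rules):
            pairs.add((r1, r2))
    return pairs


if __name__ == "__main__":
    for user, hits in find_sod_violations().items():
        print(f"{user}: {'; '.join(hits)}")
    print("toxic role pairs:", sorted(toxic_role_pairs()))
```

Checking effective transactions rather than role names matters because a role renamed or split later would otherwise hide the conflict; the design-time pair list is what an access request workflow should consult before an approver sees the request.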
Chapter 5: Project Management - Transformation
5.1 Introduction
All companies, irrespective of the nature and size of their business, undergo major changes to their information systems architecture through project implementation. Every project has its own objectives, plans, roll-out methodologies, key success factors and specific deliverables. From the management point of view, such projects need to be de-risked, as the investments in terms of time and money are huge. Ventures such as ERP implementations, data centralization initiatives and IT infrastructure upgrades face risks of cost overruns. Individual project risks need to be identified, factored in and mitigated at every stage of the project at the operating and transaction level.
Important IT projects are generally implemented to transform the business model. The process of business transformation is depicted in the diagram below:
[Figure: Business transformation. Initial Status → Business Process Reengineering → ERP Implementation → Data Migration → Change to Operational Framework → Transformed Status.]
Since the stakes of the business in an IT transformation project are very high, a good project control management system needs to be in place.
5.2 Project Management
5.2.1 Project management involves multiple sets of activities such as:
• Identifying phases, tasks, milestones and specific deliverables
• Resource allocation and resource optimization
• Effective schedule management
• Project monitoring and control activities
The use of Program Evaluation and Review Technique (PERT) or Critical Path Method (CPM) techniques helps the organization identify and focus on key processes and milestones and allocate adequate resources, thereby reducing overall project implementation time and cost without affecting effectiveness.
The execution cycle of a project goes through initiation, planning, implementation and closure. Good project control management needs to remain focused on cost control and on incorporating security and process controls at the right stages.
A schematic representation of the same is depicted in the diagram below:
[Figure: Project Execution. Initiate → Plan → Implement → Close, with Cost Controls, Security Controls and Functional Controls applied across the cycle.]
5.2.2 Risks
Ineffective IT project management leads to various types of risks such as:
• Organizational goals not met by the systems deployed
• Under-utilization of IT resources
• Lower return on investment in IT assets
• Cost overruns
• Low reliance on the applications
• Maintenance of parallel records, dependence on manual checks and controls
• Responsibilities and accountabilities cannot be fixed for lapses and delays
• No link established between the project's objectives and management objectives
• Inability to get complete visibility of project progress
• No identified improvement opportunities
• Preparing a blueprint of future processes (To-be process)
• Devising a process restructuring plan
• Implementation of the process restructuring plan
5.3.2 Risks
Major causes of failure of business process reengineering projects are:
• Lack of clarity on user requirements, their definition, documentation and communication
• Weak management commitment in terms of resources and direction
• Weak technical support during and post implementation
• Lesser involvement of all departments of the organization at the planning and implementation stage
5.3.3 Reviews
An overview of business process reengineering needs to cover:
• Adequacy of the coverage of Business Process Reengineering projects
• Checks on Business Process Reengineering implementation
Substantive checks in business process reengineering need to cover:
• Effectiveness, design and operational controls post Business Process Reengineering
• Training and acceptance levels of the reengineered business process
Integrated checks in business process reengineering need to cover:
• Meeting of business goals with revised processes
• Efficiency of the processes post Business Process Reengineering implementation
• Impact of Business Process Reengineering on the overall organization IT posture
5.4 ERP Implementation
5.4.1 ERP implementation is a very critical activity with high business and financial impact. Many ERP implementations get delayed and result in partial configuration or misconfiguration and do not completely fulfil the intended objective. This results in under-utilization of the time, effort and money invested in ERP systems, and in some instances parallel systems are also maintained to present financial results / MIS to management.
Management must pay attention to and address the requirements of ERP implementation for effective and efficient use of IT and the other resources involved. The activities in an implementation project would involve, amongst others:
• Defining the business objectives expected
• Review of existing systems with 'Gap Analysis' and creation of new system blueprints
• Defining and configuring required features in the ERP system
• Master data sanitization
• Creating a system prototype and building a test environment
• User acceptance and training
• Migrating to the production environment
• Post-implementation review
ERP implementations should be done in a phase-wise manner for better manageability.
5.4.2 Risks
Major causes of failure of ERP implementation projects are:
• Lack of clarity on user requirements, their definition, documentation and communication
• Weak management commitment in terms of resources and direction
• Weak technical support during and post implementation
• Lack of commitment from all departments of the organization at the planning and implementation stage
• Poor quality of master data and basic system functionality configuration
• Too many customized features compromising the spirit of in-built checks and controls
• Cost constraints leading to a restricted number of user licences
5.4.3 Reviews
An overview of ERP implementation needs to cover:
• ERP blueprint
5.5.2 Risks
Some of the risks of inefficient data migration activities are as under:
• Mismatch of data, incomplete data or incorrect data in the new system
• Revenue loss in the form of loss of receivables, delayed payments to vendors attracting penalty / interest charges, and legal claims in case of data inaccuracies
• Prolonged implementation activities resulting in a parallel run and duplication of effort
5.5.3 Reviews
An overview of data migration activities needs to cover:
• Data migration plan, schedule, roles and responsibilities
• Data migration sign-off process
Substantive checks over data migration activities need to cover:
• Completeness checks at the data collection level
• Correctness checks of data sanity
• Authorization / data validation checks
Integrated checks in data migration activities need to cover:
• Effectiveness checks on migration activities
• Legal and compliance implications of data migration
Chapter 6: Operations Framework
6.1 Introduction
The IT operational framework is the backbone of IT processes. Internal controls for IT operations are aimed at the efficient, effective and secure use of IT resources, so that the output generated through the systems is reliable. It is the prime responsibility of management to define, document, approve and communicate the IT operational framework through policies, procedures, instructions and guidelines. Some of the areas of the IT operational framework, such as data center operations, data processing operations and incident / log management, are covered below.
6.2 Data Center
6.2.1 Introduction
The data center is the central place in any organization where its key IT resources are securely located. It helps in hosting as well as monitoring critical IT resources under one roof. Organizations with stringent data uptime requirements host their servers with certified data centers. Considering all standard data center requirements, including physical, environmental and infrastructure requirements and their effectiveness, professional data centers are classified as under.
Data Center Tiers
Tier | Meaning | Which entity uses this? | Uptime
TIER 1 | Non-redundant capacity components (single uplink and servers) | Small businesses | 99.671%
TIER 2 | Tier 1 + redundant capacity components | Medium-sized businesses | 99.749%
TIER 3 | Tier 2 + dual-powered equipment and multiple uplinks | Large businesses | 99.982%
TIER 4 | Tier 3 + all components fully fault-tolerant, including uplinks | Enterprise / corporation | 99.995%
Data centers hosting servers for various companies in shared or dedicated mode obtain certifications such as ISO 27001 and SSAE 16 (Type I or Type II) reports, adopt ITIL-based service management and follow TIA standards, so as to ensure security, delivery and quality of process and to improve customer trust. Advanced data centers are able to provide managed DR solutions.
Organizations that host their services with data centers need to be careful while choosing services, configurations, service level agreements and non-disclosure agreements. In the case of highly sensitive data, the responsibilities for protection and the corresponding liability sharing should be decided beforehand.
Key data center operations need to be governed by IS policy, procedures and guidelines, which include:
• Secure access to the data center and to critical servers, network devices and other equipment
• Beginning of day (BOD) and end of day (EOD) activities as part of the overall internal control processes
• Backup and recovery activities, along with testing
• CCTV recording and monitoring of activities
• Monitoring and ensuring uptime of servers, network connectivity and other equipment
• Electronic media management
• Environmental controls such as temperature, humidity, fire safety and uninterrupted power supply
Data centers need to follow stringent norms of building construction. Data centers should also have a tested evacuation and restoration plan to take care of various eventualities.
6.2.2 Physical Security of Data Center
Organizations need to attach high importance to the physical security of the data center, as significant information in various forms is processed at these locations.
Depending on the sensitivity and importance of the operations performed, the physical premises should be classified into zones, and each zone must have an appropriate level of access restriction and of access identification and authorization requirements. Surveillance cameras and access control mechanisms should be in place to control and monitor sensitive areas. Physical access must be appropriately restricted. Delivery and loading areas should be isolated from information processing facilities to avoid unauthorized access.
A data center has a large number of servers, network elements, system devices and safety and security equipment. Further, a data center typically provides connectivity to the internal and external world. Physical security needs to be factored in while choosing the location, architecture and internal layout design, to take care of all eventualities and to prevent loss of human life and of the organization's information processing abilities.
International standards and guidelines exist that provide sufficient input to build a secure data center.
Adequate and appropriate controls, such as prior intimation and authorization, issue of identity badges, an entry register, escort by authorized personnel and surveillance, are required to be implemented for controlling and monitoring visitor access to areas where information processing resources are located, e.g. the operations and data center.
6.2.3 Risks
Risks observed due to weak internal controls for physical access:
• Physical damage to the data center facility due to natural calamities or man-made attacks
• Data center premises getting cut off from the rest of the organization
• Unauthorized access to information or assets, including cyber-attacks
• Breach of confidentiality of data by theft of devices
• Legal impacts arising out of mismanagement of historical data or archives
6.2.4 Reviews
A review of physical access control needs to cover:
• Adequacy of information security policy and procedures
• Adequacy and appropriateness of the mechanism to secure access to various areas by physical visit
• Management oversight of physical access controls
Substantive checks of physical access controls need to cover:
• Review of records and logs
• Adherence to operational procedures
• Adherence to environmental controls
Integrated checks of physical access controls need to cover:
• Effectiveness of the control mechanism vis-à-vis business / functional requirements
• Industry benchmark comparison and compliance with organizational policies
6.3 Operational Controls
6.3.1 Business operations include the entire gamut of operational activities; a few illustrations are mentioned below.
• Call center operations handling customer data for query resolution
• Business operations handling activities such as billing, collection, purchase, etc.
• Transaction processing, such as batch uploads, cheque printing and image processing
• Day-to-day operations at service and sales outlets
• Back-end processing by third parties
• Public place operations, including ATM and kiosk operations, cash collection centers and so on
Organizations also need to have administrative functions at various layers, such as:
• Operating system
• Database
• Applications
• Various infrastructure layers
Any operational error in an administration function has huge costs for the organization in terms of downtime, reliability of systems and loss of productivity. Incorrect configuration of business parameters can directly have business, revenue and reputational impact. Further, as administrators are often trusted resources, there exists the possibility of system misuse.
Day-to-day checks and balances, security procedures and periodic revalidation are necessary to ensure the correctness and completeness of data processing.
All normal IT operations and business operations constantly undergo changes as per organizational needs. In practice, they face practical issues that disrupt operations for various reasons. A good organization is able to establish good incident management and log management systems.
6.3.2 Change Management
As all entities of the business constantly undergo changes, effective change control management processes are very critical to the process of IT assurance.
A change management control process needs to address the following:
• Planning and communication related to change management
value and can trace / detect system anomalies and frauds and provide a rich source for troubleshooting activities.
Some illustrative events that should be captured by log management are as follows:
• Activity start and finish times
• User login and logout times, including success and failure indication
• System errors and exceptions
• Confirmation of the correct handling of data files and computer output
• Logical access attempts
• Creation and deletion of system-level objects
• Transaction logs
Administrative logs need to be created, captured and diverted to a separate store without allowing system administrators to intervene in the system. Log collectors that collect the data through mirrored activities should not add performance overheads to the main system.
Logs across various devices and applications need to be normalized where aggregation and correlation are required. A well-configured correlation engine builds the intelligence to detect various types of system exceptions, frauds and symptoms of cyber attacks at an early stage.
High-end organizations create a security operations center to monitor events on a real-time basis.
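The normalization and correlation described above, as an added example not taken from the RSM document: two constructed log sources in different formats (an sshd-style syslog line and an application CSV) are parsed into one common event schema, and a single correlation rule then flags a source address that fails authentication repeatedly and succeeds shortly afterwards, the classic password-guessing symptom. The log lines, hostnames and addresses are constructed; the thresholds are illustrative.

```python
"""Log normalization and correlation (added example).

Two constructed log sources with different formats are normalized into a
common event schema, then a correlation rule flags a source that fails
authentication repeatedly and then succeeds within a short window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style syslog lines (sample data, not real traffic)
SSHD_LOG = """\
2024-03-01T09:00:01 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51422 ssh2
2024-03-01T09:00:04 host1 sshd[2202]: Failed password for root from 203.0.113.7 port 51423 ssh2
2024-03-01T09:00:07 host1 sshd[2203]: Failed password for root from 203.0.113.7 port 51424 ssh2
2024-03-01T09:00:09 host1 sshd[2204]: Failed password for root from 203.0.113.7 port 51425 ssh2
2024-03-01T09:00:12 host1 sshd[2205]: Failed password for root from 203.0.113.7 port 51426 ssh2
2024-03-01T09:00:15 host1 sshd[2206]: Accepted password for root from 203.0.113.7 port 51427 ssh2
2024-03-01T09:30:00 host1 sshd[2300]: Accepted publickey for deploy from 198.51.100.5 port 40000 ssh2
"""

# Constructed application login log in CSV form (sample data)
APP_LOG = """\
timestamp,user,src,result
2024-03-01 09:05:00,jsmith,10.0.0.8,FAIL
2024-03-01 09:05:30,jsmith,10.0.0.8,FAIL
2024-03-01 09:06:10,jsmith,10.0.0.8,OK
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_sshd(text):
    """Normalize sshd lines into {ts, source, src, user, success}."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue  # unrecognized lines are skipped rather than guessed at
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "source": "sshd",
            "src": m["src"],
            "user": m["user"],
            "success": m["outcome"] == "Accepted",
        })
    return events


def parse_app_csv(text):
    """Normalize the CSV application log into the same schema."""
    events = []
    for line in text.strip().splitlines()[1:]:  # first line is the header
        ts, user, src, result = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "source": "app",
            "src": src,
            "user": user,
            "success": result == "OK",
        })
    return events


def correlate_bruteforce(events, threshold=5, window_seconds=60):
    """Flag a source that succeeds after >= threshold failures inside the window.

    Works on the normalized schema, so events from any parser can be mixed.
    """
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        for i, e in enumerate(evs):
            if not e["success"]:
                continue
            recent_failures = [f for f in evs[:i]
                               if not f["success"] and e["ts"] - f["ts"] <= window]
            if len(recent_failures) >= threshold:
                alerts.append({"src": src, "user": e["user"], "ts": e["ts"],
                               "failures": len(recent_failures), "source": e["source"]})
    return alerts


if __name__ == "__main__":
    all_events = parse_sshd(SSHD_LOG) + parse_app_csv(APP_LOG)
    for alert in correlate_bruteforce(all_events):
        print(alert)
```

The rule keys on the source address rather than the user name so that an attacker cycling through accounts from one host is still caught; lowering the threshold or widening the window trades false positives for earlier detection, which is why both are parameters of the rule rather than constants.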
6.3.5 Periodic Review of Control Practices
Periodic review of the internal controls established is required to assess control design effectiveness and operational effectiveness. This enables management to assess the state of overall IT governance practices within the organization.
Such reviews are preferred if:
• Carried out at regular intervals
• Comprehensive in nature
• Matching organizational practices against industry best practices
• Performed by independent reviewers
6.3.6 Risks
Risks arising due to weak operational controls are as follows:
• Disrupted operational activities due to a delayed or unstructured approach to responding to security incidents
• Recurring breakdown of systems / applications due to poor maintenance
• Prolonged application development activities due to unplanned change management activities
• Non-availability of old data due to inadequate backup and restoration practices
• System misuse or fraudulent activities not being noticed during the operational flow
6.3.7 Reviews
An overview of operational controls needs to cover:
• Adequacy of operational policies and procedures
• Definition of roles and responsibilities towards operations as well as information security
• Checks and balances built into all aspects of IT operations management
Substantive checks of operational controls need to cover:
• Batch process controls
• System change management controls
• Incident management with root cause analysis
• Detailed review of log management architecture
Integrated checks of operational controls need to cover:
• Effectiveness of the operational framework
• Fulfilment of compliance requirements related to operational controls
Chapter 7: Protecting Data Layer
7.1 Introduction
The traditional approach to information security is focused on the enterprise architecture, whereas a significant part of an enterprise's sensitive data is in unstructured formats. There are challenges in protecting unstructured data, especially in light of the trend of outsourcing and offshoring. The consequences of data leakage can include loss of competitive advantage, possible financial liability, litigation and violation of intellectual property regulations. International bodies and governments have passed stringent legislation that requires organizations to build reasonable practices to protect data assets.
Data classification is an essential prerequisite for a data protection strategy and its implementation. Good data classification is necessary not only from a technical and operational point of view, but also for optimizing system designs and controlling the organization's costs. A good data flow analysis of documents gives insight into the data protection requirements.
Information resources are classified according to their level of sensitivity and criticality, taking into account business, legal, regulatory, contractual and internal requirements. For each classification level, a different set of handling procedures needs to be devised, covering processing, storage, transmission and destruction of data. It is also essential that data owners and data custodians are identified for all information.
Additional controls are necessary for roaming users operating through hand-held devices. In light of fast-changing and user-friendly technologies, the risk of data exposure is high, and often the business needs to leverage the ease of data access. It is therefore challenging to establish an appropriate trade-off between the diverse objectives of the business. An improper exercise results in cost and project overruns without fulfilling the data protection objectives.
An illustration of the cost impact of unclassified and unmanaged data is shown on the next page. An open network with multiple open USB drives increases the overhead on the Data Leakage Protection (DLP) monitoring engine.
[Figure: DLP deployment. End points (with open USB drives) → DLP end-user monitoring server → DLP core engine (DLP rules). Open USB drives bring malware threats and data copy threats; the more USB drives are open, the greater the load on the server and the deployment cost.]
Stamping documents with digital rights is necessary to ensure that documents are handled safely across the entire data flow. There is an increasing trend to protect data that has moved out of the organization through information rights management technologies. This is essentially a model for borderless data protection requirements.
Data protection controls are extremely important for PCI DSS compliance (protection of payment card data), HIPAA compliance (protection of medical records) and compliance with privacy laws, as well as for protecting sensitive information such as a company's marketing and strategic plans, customer call data records, legal documents and creative work. Compliance with these laws enhances reputation and increases the level of customer trust.
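The DLP rules in the figure and the PCI DSS point above come together in content inspection: a rule that recognizes payment card numbers in unstructured text and drives the classification decision. The following is an added example written for this page, not code from the RSM document or from any DLP product. The sample documents are constructed, the card numbers are publicly documented test numbers rather than real accounts, and the classification labels ("restricted" / "internal") are hypothetical.

```python
"""Content-inspection rule for a DLP engine (added example).

Scans text for candidate payment card numbers (13 to 19 digits, optionally
separated by spaces or dashes), validates each candidate with the Luhn
checksum that real PANs satisfy, and classifies the document accordingly.
Sample documents are constructed; card numbers are well-known test numbers.
"""
import re

# A run of 13 to 19 digits with optional single space/dash separators,
# not glued to other digits on either side
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid card numbers (digits only) found in text.

    The Luhn check is what separates a card number from a serial number or a
    phone number of similar length, which keeps the rule's false positives low.
    """
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits):
    """Keep at most the first six and last four digits, as PCI DSS permits for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def classify(text, block_threshold=1):
    """Hypothetical policy: 'restricted' if enough valid PANs are present, else 'internal'."""
    pans = find_pans(text)
    label = "restricted" if len(pans) >= block_threshold else "internal"
    return {"classification": label, "pan_count": len(pans),
            "masked": [mask_pan(p) for p in pans]}


# Constructed sample documents (test card numbers, not real accounts)
DOC_WITH_CARD = ("Customer 4111 1111 1111 1111 paid invoice 2024-0017; "
                 "ref 5500-0000-0000-0004")
DOC_WITHOUT_CARD = "Ticket 1234567890123456 is a serial number; phone 0123456789012"

if __name__ == "__main__":
    for doc in (DOC_WITH_CARD, DOC_WITHOUT_CARD):
        print(classify(doc))
```

The engine only ever logs the masked form, so the DLP monitoring server itself does not become a new store of cardholder data; the threshold parameter is where a policy such as "one card number in a support ticket is tolerated, a bulk export is not" would be expressed.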
7.2 Risks
Following are some of the risks involved in weak controls over data:
• Unauthorized access (confidentiality), usage and modification (integrity) of classified information
• Leakage of classified business information
• Breach of contractual obligations to ensure adequate protection of information and assets
• Violation of legal provisions to ensure privacy of personal data
7.3 Reviews
An overview of data protection controls would need to cover:
• Adequacy of information security policy and procedures
Chapter 8: Business Continuity Planning Framework
8.1 Introduction
Natural disasters and business disruptions beyond the control of the organization are necessarily part of the organization's risk profile and risk management strategy. Natural disasters and physical threats could also lead to unauthorized access to critical data, loss of critical data or unavailability of resources, which could hamper the business continuity of an organization, eventually leading to monetary loss.
Natural disasters and physical threats could damage systems beyond repair. Retrieval of data from physically damaged equipment is a time-consuming and expensive affair, which also involves the risk of incomplete or inconsistent data being restored.
In the modern digitalized world, organizations also need to build cyber resilience. This includes hardening digital infrastructure to be more resistant to attack, penetration and disruption; improving the ability to defend against sophisticated and agile cyber threats; and recovering quickly from cyber incidents.
8.1.1 Defining the Level of Criticality
The linkage between BCP and DRP is often talked about, and there is a perception that business continuity plans are normally associated with disasters. It needs to be understood that a Business Continuity Plan needs to exist for any disruption, whether momentary, temporary or long term. A local commotion, traffic disruption or one office unit getting cut off from the rest of the organization also needs to be taken into consideration while planning for business continuity. Normally, crisis levels for operations need to be defined and continuity plans tailor-made accordingly. Crisis levels need to be defined taking into consideration financial, process, legal, contractual and people impact and the severity of each.
The level of criticality needs to be identified and analyzed at the individual asset level as well as at the corporate level.
8.1.2 Disaster Recovery Site (DR)
Successful recovery of business operations and restoration to normalcy with minimum impact on resources, in case of any planned or unplanned event, is the only evidence that proves the effectiveness of business continuity management. For this, an appropriate disaster recovery policy and procedures need to be defined, documented, approved and communicated by the management. Besides that, appropriate infrastructure has to be set up at the disaster recovery site to ensure that the recovery time objective (RTO) and recovery point objective (RPO) defined in the business continuity plan are met.
Considerations for setting up a disaster recovery plan include:
• Recovery Objectives
• Nature of DR site desired
• Logistics of Recovery
• Geographic considerations
• Design vs. Opportunity Cost
8.1.3 BCP/DR Cycle
A typical cycle of BCP/DR covers the activities depicted in the following diagram.
[Diagram: BCP/DR cycle. Triggers* → Invoke BCP → Assess level of crisis → Invoke continuity programme as per the level. Subsequent stages and their activities: Transition (synchronization, alternate site operation, diversion, communication, backend checks); Restoration (system recoveries, network recoveries, synchronization, communication); Assessment (financial impact, litigation impact, system/process impact, people impact); Learning (corrective actions, program improvements, skill improvements, refined program). * Triggers mainly include system cut-off, performance degradation, link going down, operational failure, disaster.]
Triggers may include any abnormal activity such as system cut-off, performance degradation, operational failure or disaster.
Sometimes it is not possible to replicate all the business functions to the DR site. Hence a scaled-down version of the critical activities at the alternate site can be considered.
8.1.4 Test Plan Coverage
Testing of BCP is sometimes considered an operational overhead, and organizations find difficulties in scheduling it. A good BCP has multiple objectives, and the frequency of testing each objective could vary, so as to give total assurance that the plan is working and current. This also reduces downtime of the environment and helps better planning.
8.1.5 Formal announcement of disaster
It is required that the organization formally announces the fact of the disaster and the working state of operations from the disaster recovery site. Similarly, restoration of the primary site and resumption of operations from it also need to be formally communicated to all the stakeholders.
8.1.6 Contingency and security breach
Organizations need to exercise utmost precaution that no security breach occurs during or after the contingency plan is invoked. This is because, quite often, organizations cannot create the same set of security measures at the contingency site as that configured at the original site.
8.2 Risks
Risks due to inadequate BCP:
• Loss of human life, assets or information
• Disruption/discontinuance of business operations
• Financial losses due to loss of assets and/or business
• Loss of reputation/credibility
• Non-compliance with time-bound regulatory requirements
8.3 Reviews
An overview of the business continuity plan needs to cover:
• Adequacy of business continuity and disaster recovery plan and procedures
• Methodology for business impact analysis and risk assessment
• Adequacy of backup of data, off-site storage and periodic data restoration
• Awareness of disaster recovery plan and contingency
Substantive checks of the business continuity plan need to cover:
• Testing of backup, off-site data storage and periodic data restoration activities
• Effectiveness drills on evacuation and disaster recovery
• Availability of data and other resources at the disaster recovery site
• Review of actual work done on the disaster recovery site
• Validation of Business Impact Analysis and Recovery Time Objectives
• Emergency handling procedures
Integrated checks of the business continuity plan need to cover:
• Analyzing interdependencies of the systems and impact on the eco-system
• Validating legal, financial and other implications
• Effectiveness of business continuity plan vis-à-vis business requirements
• Compliance with legal/contractual obligations of data confidentiality and availability
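Checking drill results against the RTO and RPO stated in the plan (8.1.2) is the substantive check that turns a DR test into evidence. The Python below is an added example and is not part of the original document: the systems, the objectives and the drill records are constructed sample data, and the pipe-separated log format is an assumption.

```python
"""Compare DR drill results with the RTO/RPO stated in the business continuity plan.

Added example, not from the original document. Objectives, systems and drill
records are constructed sample data; the pipe-separated log format is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed objectives per critical system, as a BCP would state them:
# RTO = maximum tolerable outage, RPO = maximum tolerable data loss.
OBJECTIVES = {
    "core-banking": {"rto": timedelta(hours=2), "rpo": timedelta(minutes=15)},
    "email": {"rto": timedelta(hours=8), "rpo": timedelta(hours=4)},
    "intranet": {"rto": timedelta(hours=24), "rpo": timedelta(hours=24)},
}

# Constructed drill log, one line per system:
# system | last consistent recovery point | disaster declared | service restored at DR site
DRILL_LOG = """\
core-banking|2024-03-10T01:45:00|2024-03-10T02:00:00|2024-03-10T03:30:00
email|2024-03-09T22:00:00|2024-03-10T02:00:00|2024-03-10T11:15:00
intranet|2024-03-09T02:00:00|2024-03-10T02:00:00|2024-03-10T20:00:00
"""


@dataclass
class DrillResult:
    system: str
    achieved_rpo: timedelta  # data lost: disaster time minus last recovery point
    achieved_rto: timedelta  # outage: restoration time minus disaster time
    rpo_met: bool
    rto_met: bool


def parse_drill_log(text):
    """Parse the drill log into (system, recovery_point, disaster, restored) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        system, recovery_point, disaster, restored = line.split("|")
        records.append((system,
                        datetime.fromisoformat(recovery_point),
                        datetime.fromisoformat(disaster),
                        datetime.fromisoformat(restored)))
    return records


def evaluate_drill(records, objectives):
    """Measure achieved RPO/RTO per system and compare with the plan's objectives."""
    results = []
    for system, recovery_point, disaster, restored in records:
        if recovery_point > disaster or restored < disaster:
            raise ValueError(f"{system}: drill timestamps are out of order")
        achieved_rpo = disaster - recovery_point
        achieved_rto = restored - disaster
        obj = objectives.get(system)
        if obj is None:
            # A system drilled without stated objectives is a finding in itself.
            results.append(DrillResult(system, achieved_rpo, achieved_rto, False, False))
            continue
        results.append(DrillResult(system, achieved_rpo, achieved_rto,
                                   achieved_rpo <= obj["rpo"],
                                   achieved_rto <= obj["rto"]))
    return results


def breaches(results):
    """Systems that missed either objective, for the drill report."""
    return sorted(r.system for r in results if not (r.rpo_met and r.rto_met))


if __name__ == "__main__":
    drill = evaluate_drill(parse_drill_log(DRILL_LOG), OBJECTIVES)
    for r in drill:
        rpo_status = "ok" if r.rpo_met else "MISSED"
        rto_status = "ok" if r.rto_met else "MISSED"
        print(f"{r.system:13} RPO {r.achieved_rpo} {rpo_status:6} RTO {r.achieved_rto} {rto_status}")
    print("objectives missed:", breaches(drill))
```

With the constructed data, the e-mail system meets its RPO but takes 9 hours 15 minutes to restore against an 8-hour RTO, which is exactly the kind of gap a scaled-down alternate site (8.1.3) tends to produce and a drill should surface.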
Chapter 9: Human Interface to IT Systems
9.1 Introduction
The human interface is considered a strong as well as a weak link in the chain of information system management. Participation of employees must be increased through repetitive programs to ensure that they are aware of end-user responsibilities towards the organization, such as:
• Take all reasonable precautions to protect information systems against unauthorized access, use, disclosure, modification, duplication or destruction
• Use information systems only as appropriate to their job responsibilities
• Use information systems in a manner which ensures compliance with laws and internal policies and procedures
• Report security problems or issues through appropriate channels
• Follow systems and procedures effectively
9.1.1 User Awareness
Organizations need to motivate employees adequately to participate in IT implementation, risk management, incident response, disaster management and whistleblowing programs to safeguard IT investments.
With increasing outsourcing and hosting activities, third parties such as channel partners, data entry operators, vendors, customers, auditors, regulators, connected entities, payment gateways and various intermediate agencies participate in IT operations. Manually, courier agencies carry backup tapes, ATM and financial PIN numbers, statements and customer confidential data. Apart from conventional third-party Non-Disclosure Agreements, it is necessary to ensure that liability in case of a data security breach or otherwise is formalized.
Training of users constitutes a major factor in the success of IT system deployment. An effective training program enhances system utilization, reduces operational errors and helps in early detection of system anomalies.
IT security policy and procedures should categorically include the consequences of violation of information security controls, which would include penalty/punitive action depending upon the context and severity of the breach, that may include, but is not limited to:
• Warning/Caution
• Suspension
• Termination
• Legal Proceedings
• Financial compensation for losses
9.2 Risks
The following factors make it important to pay due attention to the human interface while addressing IT systems assurance:
• Lack of user awareness on management of information systems
• Significant risk of insider computer fraud
• Collusion of external (vendors) and internal (employees) parties for fraud or information leakage
• Absence of adequate measures to ensure employee screening before assigning key responsibilities
• Lack of maker-checker control and segregation of duties
• Manipulation and alteration of evidence or logs
• Employees or users not rotating their responsibilities, thus creating excessive people dependencies
• Trusted users misusing system resources, which is one of the major reasons why organizations sometimes face significant financial or reputation losses
9.3 Reviews
Overview of the human interface includes review of:
• Non-disclosure and confidentiality agreements with vendors and third parties
• Awareness and training process
Substantive checks of the human interface include review of:
• Employee screening process
• Role definitions and profiling requirements
• Segregation of duties and structural checks/balances
Integrated checks of the human interface include review of:
• Training effectiveness
• Safeguards from suspicious activities
Chapter 10: Compliance and Regulatory Framework
10.1 Introduction
Information Technology Systems have a very high and long-term impact on the internal controls of the organization as well as on external customer services. Therefore, regulators and governing bodies across nations have created various frameworks, mandatory standards and suggestive guidelines to ensure proper IT governance. Apart from these, industries, consortiums and voluntary groups have contributed to the evolution of best practices and technical standards in diverse areas of IT management. Some of these are illustrated below.
10.2 ISO/IEC 27001:2005 Standard
This standard provides a model for establishing, implementing, operating, monitoring, maintaining and improving an Information Security Management System (ISMS). The standard adopts the “Plan – Do – Check – Act” (PDCA) model, which is applied to structure all ISMS processes. Compliance with the standard leads to certification by accredited agencies, which helps enhance customer confidence, meet contractual requirements, and assure stakeholders about the confidentiality, integrity and availability of information.
Alignment of organizational information security management systems with internationally recognized practices facilitates:
• Systematic efforts to improve internal controls and operational efficiency
• Assurance to clients/customers and other stakeholders on standard practices to ensure confidentiality, integrity and availability of their data
10.3 BS 25999 / ISO 22301 Standard
This standard provides a comprehensive methodology for developing and implementing business continuity within organizations. Adopting these standard practices improves the resilience of the organization when faced with a crisis situation. Major activities for adopting this standard include:
• Business Impact Analysis
• Identification of critical activities
• Determining continuity requirements
• Evaluating threats to critical activities
• Devising risk responses to reduce likelihood and impact of incidents
• Devising strategy to facilitate continuity or recovery of critical activities
All types of organizations can adopt the standard practices advocated by an internationally recognized body of standards, which helps in:
• Adopting structured and organized measures to minimize the impact of business disruption
• Assurance to clients/customers and other stakeholders on availability of services in case of disaster
• Improved compliance with regulatory requirements and management policies
• Recognition by the standards body through certification
• Improved image of the organization
In May 2012, ISO released the ISO 22301 Standard, which specifies requirements for setting up and managing an effective Business Continuity Management System (BCMS).
10.4 PCI DSS
This standard stands for Payment Card Industry Data Security Standard. In the modern digitized world, a significant amount of financial transactions take place through credit/debit cards and equivalent instruments. Such payments are real time, global and are processed through multiple channels. This involves huge monetary transactions globally, involving customers, financial institutions and payment processors who are always concerned about the veracity of the transactions. Various security measures were deployed in the past to ensure the sanity and confidentiality of transactions. In order to generate uniformity and trust in the systems, American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International established the universal PCI DSS standard. This standard is applicable to all industries, bankers, merchants and processors who are capturing, storing, processing and transmitting payment card data in any format. PCI DSS is one of the most comprehensive standards to comply with, as it handles process and technology requirements simultaneously. A single area of non-compliance attracts huge penalties.
10.5 ITIL V3 Framework
ITIL is a public framework that describes best practice in IT service management applicable to all service organizations. It provides a framework for the governance
of IT, and focuses on the continual measurement and improvement of the quality of IT service delivered, from both a business and a customer perspective. This focus is a major factor in ITIL’s worldwide success and has contributed to its prolific usage and to the key benefits obtained by those organizations deploying the techniques and processes throughout their organizations.
10.6 CIS Benchmarks
The Center for Internet Security (CIS) is focused on enhancing the cyber security readiness and response of public and private sector entities. CIS Security Benchmarks improve an organization's security posture by helping it reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls. CIS provides enterprises with consensus best-practice standards for security configurations, as well as resources for measuring information security status and for making informed decisions about security investments. CIS has a comprehensive list of benchmarks for different operating systems, databases, browsers and virtual platforms.
10.7 OCTAVE Methodology
The Computer Emergency Response Team (CERT) has introduced the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method. OCTAVE is an approach for managing information security risks. It has been designed to be sufficiently flexible to accommodate the unique needs of the organization. Organizations should create teams of business and IT staff tailored to the organization's unique risk environment, security and resiliency objectives, and risk-based assessment.
10.8 Data Privacy Requirements from a Legal and Compliance Perspective
Stringent penal actions introduced through the amendment of various sections of the Information Technology Act, 2000 have attracted the attention of organizations operating in India to ensure protection of the personal information of customers, vendors, business partners, employees and third parties. Stringent laws on data privacy with penalties exist across the globe. Privacy of personal information has to be ensured at the time of collection, processing (use, transfer, disclosure and disposal) as well as storage. Organizations have to devise a comprehensive privacy policy and framework to address the data privacy requirements.
All organizations, including intermediary service providers, are now legally compelled to protect sensitive customer information. Negligence in implementing and
maintaining reasonable security practices can lead to litigation and impact the organization's reputation. The reasonable measures need to include:
• Measures to prevent unauthorized access to and use of personal information of customers or third parties
• Measures to prevent incidents of data theft, identity theft, credit card fraud, bogus insurance claims, mortgage fraud, etc.
• Measures covering the entire life cycle of data collected, processed, stored, transmitted or disposed of by the organization
Adopting the ISO 27001 Standard is one of the ways organizations can claim to have followed reasonable security practices.
10.9 Laws Related to Intellectual Property
Following are the key regulations governing intellectual property rights in India:
• Copyright Act, 1957
• Trade Marks Act, 1958
• Patents Act, 1970
Besides these, there are other acts like the Geographical Indications of Goods (Registration and Protection) Act, 1999, the Designs Act, 2000, etc., which protect the unique properties of a product or a work of distinct features.
The Copyright Act protects computer software, which may be of ‘Freeware’, ‘Shareware’ or paid ‘Licensed’ nature. A license may be a time-based license, user-based license or feature-based license. A software license prohibits modification, adaptation, translation, decompiling, reverse engineering, disassembling, etc. of the respective software, and any violation attracts penal action.
Chapter 11: Impact of Contemporary Trends
Information Technology and Information Technology Enabled Services (ITES) are constantly shaping industries. Therefore, even the best of IT assurance programs cannot be static. In fact, an IT assurance program has more challenges to meet, as a change in the IT environment may cut through several dimensions of the organization. Changes due to contemporary trends need to be accepted in a structured and controlled manner to make a long-term success of them. Some of these trends are discussed for illustration purposes.
11.1 Virtualization
Virtualization refers to the creation of a virtual instance of hardware, an operating system, a storage device, network resources or software. It is not limited to servers or critical resources but can be further extended to individual assets using VDI, or Virtual Desktop Infrastructure. Virtualization benefits the organization by helping in consolidation, flexible architectures, increased resource utilization and a more efficient disaster recovery mechanism. Virtualization is also the initial step for organizations to move towards cloud computing. But security, performance and reliability considerations are seen as major deterrents to adoption of the technology. Organizations can overcome these deterrents by adopting good management practices in deployment, laying down security controls and addressing virtualization-related techniques (e.g. VM management) in accordance with the changed scenario.
11.2 Cloud Computing
Cloud computing has emerged as a strong trend impacting the way IT serves the business. It offers software, platform and infrastructure as a service (SaaS, PaaS and IaaS). This has increased scalability, adoption of newer technologies and the available options. This is apart from the reduced costs and change-over periods it offers. However, this also comes with the risk of reduced control, security and reliability due to increased vendor dependence. These concerns need to be addressed by creating a long-term strategy with realistic goals mapped to the system designs. Security concerns, autonomy issues and performance standards should be focused on at the design level itself.
11.3 Mobile Computing
The dependency of modern life on mobile computing is evident from the increasing use of netbooks, tablets and smartphones. The varied types of devices have resulted in changes in the UI (User Interface), the operating systems and the applications used. Mobile computing has resulted in the BYOD (bring your own device) concept. It is a concept
which helps organizations in saving costs, helps in faster adoption of technologies and achieves greater employee satisfaction. However, organizations also lose control over the way these devices are used, resulting in security issues. Organizations can overcome these issues by defining clear policies, laying down minimum security requirements, mandating the use of organization-sanctioned security tools and having a process to retrieve organizational data from personal devices.
11.4 Social Media
Social media has evolved as the modern way to communicate with diverse sets of interested groups. These technologies have changed the way we network, collaborate, publish and receive feedback. Direct revenue growth through social media may be a challenge, but it helps a lot in customer care, product development and brand building. These benefits come along with risks like brand hijacking, data leakage, security, intellectual property and legal risks. Disgruntled employees and customers try to defame the organization through social media. These risks can be overcome with strong policies, processes, training and tools that trace the origins of messages.
11.5 IT Outsourcing
Globalization and economic trends have led organizations towards a changed strategy of IT outsourcing. This benefits the organization in focusing on core business activities and re-strategizing while reducing costs and working more efficiently. However, this comes with attached risks related to security, privacy, continuity and performance. Organizations need to mitigate these risks by clearly defining security controls, performance benchmarks and the vendor’s exit responsibilities. Organizations also need to closely monitor the vendor’s performance and get it validated from independent sources, as the strategies and controls are different for an outsourcing framework.
11.6 Green IT
In a world of shrinking resources, organizations are looking for alternative sources for cost-efficient and effective methods of working. Green IT is one such approach, which involves the manufacture, management, use and disposal of information technology resources in a way that minimizes the damage to the environment. Some of the initiatives include:
• Purchasing and using energy-efficient desktops, servers and other IT equipment
• Setting up energy-efficient data centers with better Power Usage Effectiveness ratings
• Virtualization of resources to reduce overall resource requirements
• Recycling of IT equipment
• Use of minimum toxic material like lead and mercury in the manufacturing process
Section IV: Creating Excellence in IT Systems Assurance
1.1 Introduction
The role of IT as an enabler to the business is well understood. Innovation of new products and adoption of new technologies are normally appreciated. In spite of this, a disconnect often exists between the management vision and ground realities. IT systems should be leveraged such that they exceed the expectations of the management vision.
There is always a continuous thrust on creating excellence through IT systems. Though this is a vast area, some illustrations are cited below.
1.2 Measuring IT Effectiveness
Organizations need to have comprehensive and quantitative measurements with a 360-degree IT view, with the intention of controlling the costs of assignments. Quantitative dashboards need to be based on statistics, graphs, trends and deviation controls, such as:
• Average time taken to deploy software changes
• Effectiveness of security filters at different layers of the systems architecture
• Utilization of assets based on various parameters
• Reduction in aggregate quantitative risks
• Downtime of the IT system / total uptime of the system for the month
• Time taken for recovery
• Number of incidents in a month, analyzed on multiple parameters
It is an exercise to identify, measure and track the progress of IT suitable to the client environment. Large organizations having high-end eco-systems have more complex and interlinked parameters, and these need to be projected across various units such as geographical locations, systems/subsystems and assets, and the same will be required at detailed or aggregate level.
It is possible to create quantitative models for IT health status monitoring suitable to the organization's environment. Quantitative models require a substantial level of first-time effort, but they introduce objectivity to the complex topic of the IT environment, are more easily understood at various levels, create a common body language and help organizations to track progress.
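Several of the dashboard figures listed above (downtime against total time for the month, time taken for recovery, and incident counts analyzed on more than one parameter) fall out of an ordinary incident log. The Python below is an added example and is not part of the original document: the incident log lines, the system names, the category labels and the severity scale are constructed, as is the pipe-separated format.

```python
"""Quantitative IT-effectiveness figures computed from an incident log:
availability (downtime vs. total time for the month), mean time to recover,
and incident counts broken down by category, severity or system.

Added example, not from the original document. The log lines, systems,
categories and severity scale are constructed sample data.
"""
from collections import Counter
from datetime import datetime

# Constructed incident log for one month. Fields:
# opened | recovered | system | category | severity
INCIDENT_LOG = """\
2024-02-03T09:10:00|2024-02-03T09:55:00|core-banking|hardware|high
2024-02-08T22:00:00|2024-02-09T00:30:00|core-banking|change-failure|high
2024-02-12T14:05:00|2024-02-12T14:20:00|email|network|medium
2024-02-20T03:00:00|2024-02-20T03:45:00|core-banking|network|high
2024-02-25T11:00:00|2024-02-25T13:00:00|email|software|low
"""

# Hours in the reporting month (February 2024 has 29 days).
MONTH_HOURS = 29 * 24


def parse_incidents(text):
    """Parse the log into dicts with datetime fields; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        opened, recovered, system, category, severity = line.split("|")
        rows.append({
            "opened": datetime.fromisoformat(opened),
            "recovered": datetime.fromisoformat(recovered),
            "system": system, "category": category, "severity": severity,
        })
    return rows


def outage_hours(row):
    """Time from the incident being opened to service recovery, in hours."""
    return (row["recovered"] - row["opened"]).total_seconds() / 3600


def availability_pct(rows, system, month_hours=MONTH_HOURS):
    """Downtime over total time for the month, expressed as availability percentage."""
    down = sum(outage_hours(r) for r in rows if r["system"] == system)
    return round(100 * (1 - down / month_hours), 3)


def mean_time_to_recover_hours(rows, system=None):
    """Average time taken for recovery, optionally restricted to one system."""
    sel = [r for r in rows if system is None or r["system"] == system]
    if not sel:
        return 0.0
    return round(sum(outage_hours(r) for r in sel) / len(sel), 3)


def incident_breakdown(rows, parameter):
    """Number of incidents in the month analyzed on one parameter (category, severity, system)."""
    return dict(Counter(r[parameter] for r in rows))


def dashboard(rows):
    """Assemble the per-system and aggregate figures a monthly dashboard would show."""
    systems = sorted({r["system"] for r in rows})
    return {
        "availability_pct": {s: availability_pct(rows, s) for s in systems},
        "mttr_hours": {s: mean_time_to_recover_hours(rows, s) for s in systems},
        "by_category": incident_breakdown(rows, "category"),
        "by_severity": incident_breakdown(rows, "severity"),
        "total_incidents": len(rows),
    }


if __name__ == "__main__":
    for name, value in dashboard(parse_incidents(INCIDENT_LOG)).items():
        print(f"{name}: {value}")
```

The month length is passed in explicitly because the same code has to serve months of 28 to 31 days; a dashboard that silently assumes 30 days misreports availability by a fraction of a percent, which matters once the target is three or four nines.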
1.3 Measuring IT Maturity
Apart from the individual dashboards, organizations would like to have an overall assessment of IT maturity status. Maturity can be objectively measured by aggregating the maturity status of all individual control points. This is an elaborate exercise. Such measurements, if done on an annual basis, give a top-level view of areas that need attention and help to track progress objectively.
An illustration based on a generally accepted IT Governance framework like CoBiT can be applied, the result of which could look like the diagram given below:
[Diagram: "CoBiT Maturity - An Alternate view". Maturity scores plotted against the seven CoBiT information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance and Reliability. The plotted values are 61, 67, 70, 63, 66, 59 and 54; the mapping of each value to its criterion is not recoverable from the extracted text.]
1.4 Adhering to Multiple Compliance Frameworks
Every organization in today’s world has to comply with various regulatory requirements, as explained at various places in this document. Further, different units of the organization need to comply with specific standards such as SOX, PCI DSS, ISO 27001, BS 25999, SSAE16, quality frameworks, Capability Maturity Models, Six-Sigma/lean methodology, and statutory requirements set by RBI, TRAI and other industry bodies. Companies are subjected to frequent audits for the same.
Handled in any suboptimal manner, this leads to major processing overheads for the organization. Documentation becomes non-standard, record keeping involves duplication of effort, audits involve overlaps, and compliances are sometimes tedious to maintain and are seen as operational overheads.
Organizations need to have a common compliance denominator along with sufficient operational flexibility built into the process.
1.5 Building Excellence in Operating Procedures
Good standard operating procedures are a core-level requirement of all compliances. A good standard operating procedure needs to be practical, simple and close to the operating environment. A single procedural document should stand the test of adequacy seen from multiple perspectives, including governance, operations and compliance. Such operating procedures provide a sound basis for the performance of the organization, have the necessary flexibility to accommodate operational variances in a controlled manner, and create efficiencies for the organization. Good and excellent operating procedures suitable to the organizational requirements reflect how internal control systems work within the organization.
1.6 Data Analytics and E-Audit Migration
With the growing volume of transactions across various systems, good data analytic tools are necessary to enhance audit effectiveness. They are able to see through transactions using pre-defined business rules with multiple permutations and effective sampling techniques. These tools help an auditor to narrow down on exception identification and detect anomalies in an objective manner. Such tools can also be deployed in the production environment to facilitate concurrent or real-time monitoring.
Migration from traditional audit processes to E-audit processes is a journey that involves careful planning, simulation and deployment, as depicted below:
[Diagram: E-Audit Migration - Plan of Migration to E-Audit]
1. Initiation Phase
• Evaluation of organization information architecture
• Identification of transactions to be considered under the E-Audit pilot phase
2. Pilot Phase
• Define audit rules for transaction monitoring for identified transactions of identified systems
• Simulate the E-Audit and refine the rule definition
3. Migration to Concurrent / Continuous Audit
• Integrate E-Audit with base systems and configure exception monitoring and alert-based rules
• Automate the E-Audit process for concurrent checks
1.7 Intelligent Risk Engines
As the global threats of cyber crime are increasing, there exist global intelligence networks that are able to detect certain threats in real time. These are essentially collaborative networks that keep track of millions of malware signatures, blacklisted and infected web-sites, and botnets, analyze the behavior of source transactions, and apply intelligent risk engines that generate early threat warnings and pre-empt or quarantine cyber-attacks. Such technologies need to be deployed and configured appropriately.
Similarly, in the case of detecting electronic banking, mobile banking and money laundering frauds, an intelligence system needs to be built that performs transaction and behavior analysis. Such systems help in generating early warning signals for suspicious transactions.
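The "audit rules for transaction monitoring" of the E-audit pilot phase (1.6), the maker-checker and segregation-of-duties risk named in Chapter 9, and the transaction and behaviour analysis mentioned just above all reduce to the same mechanism: pre-defined rules run over a transaction extract, flagging exceptions for an auditor. The Python below is an added example and is not code from the original document; the transaction extract, the field names, the thresholds and the business-hours window are constructed assumptions.

```python
"""Rule-based exception detection over a transaction extract, as an E-audit
pilot would define it: per-transaction control rules (maker-checker, business
hours, high value) plus one behavioural rule evaluated across the whole extract.

Added example, not from the original document. Transactions, field names,
thresholds and the business-hours window are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed extract: id | posted at | maker | checker | account | amount
TRANSACTIONS = """\
T001|2024-03-04T10:15:00|alice|bob|ACC-100|4500.00
T002|2024-03-04T10:40:00|alice|alice|ACC-200|12000.00
T003|2024-03-04T23:10:00|carol|dave|ACC-300|800.00
T004|2024-03-05T09:05:00|carol||ACC-300|150000.00
T005|2024-03-05T09:06:00|carol|dave|ACC-300|9900.00
T006|2024-03-05T09:07:00|carol|dave|ACC-300|9900.00
T007|2024-03-05T09:08:00|carol|dave|ACC-300|9900.00
"""

HIGH_VALUE_LIMIT = 100000.0    # above this, senior approval is expected (assumed limit)
BUSINESS_HOURS = (8, 20)       # postings outside 08:00-20:00 are exceptions (assumed window)
REPORTING_THRESHOLD = 10000.0  # amounts kept just under this are a structuring signal (assumed)
STRUCTURING_MIN_COUNT = 3


def parse_transactions(text):
    """Parse the pipe-separated extract; an empty checker field stays an empty string."""
    txs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tx_id, posted, maker, checker, account, amount = line.split("|")
        txs.append({"id": tx_id, "ts": datetime.fromisoformat(posted), "maker": maker,
                    "checker": checker, "account": account, "amount": float(amount)})
    return txs


def rule_maker_checker(tx):
    """Segregation of duties: an approver must be recorded and must differ from the maker."""
    if not tx["checker"]:
        return "no checker recorded"
    if tx["checker"] == tx["maker"]:
        return "maker and checker are the same user"
    return None


def rule_business_hours(tx):
    """Posting time must fall inside the configured business-hours window."""
    start, end = BUSINESS_HOURS
    return None if start <= tx["ts"].hour < end else "posted outside business hours"


def rule_high_value(tx):
    """Amount above the high-value limit is always routed to the auditor."""
    return "above high-value limit" if tx["amount"] > HIGH_VALUE_LIMIT else None


def rule_structuring(txs):
    """Behavioural rule: the same maker posting several amounts just under the
    reporting threshold to the same account. Returns {tx id: reason}."""
    groups = defaultdict(list)
    for tx in txs:
        groups[(tx["maker"], tx["account"])].append(tx)
    flagged = {}
    for group in groups.values():
        near = [t for t in group
                if 0.9 * REPORTING_THRESHOLD <= t["amount"] < REPORTING_THRESHOLD]
        if len(near) >= STRUCTURING_MIN_COUNT:
            for t in near:
                flagged[t["id"]] = "possible structuring below reporting threshold"
    return flagged


def run_audit_rules(txs):
    """Return {tx id: [reasons]} for every transaction that hit at least one rule."""
    exceptions = defaultdict(list)
    for tx in txs:
        for rule in (rule_maker_checker, rule_business_hours, rule_high_value):
            reason = rule(tx)
            if reason:
                exceptions[tx["id"]].append(reason)
    for tx_id, reason in rule_structuring(txs).items():
        exceptions[tx_id].append(reason)
    return dict(exceptions)


if __name__ == "__main__":
    for tx_id, reasons in sorted(run_audit_rules(parse_transactions(TRANSACTIONS)).items()):
        print(tx_id, "->", "; ".join(reasons))
```

Each rule returns a reason string rather than a boolean so the exception report explains itself, and the per-transaction rules are kept separate from the cross-transaction one: the former can run concurrently as postings arrive (the "concurrent or real time monitoring" of 1.6), while the latter needs a window of history and belongs to a periodic run.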
Some organizations presume that an audit activity is to be performed subsequent to
completion of tasks. Also, there is a view that an audit participation during the stage
of roll out / implementation compromises audit independence. Since IT systems
typicallyarerolledoutwithlongtermobjectivesandhighimpactontheorganization
eco-system, concurrent IT Audit becomes a very critical need for the management to
ensure that the controls are built at the design stage itself. System specifications,
design documents, project management, planned upgrades, disaster recovery drills,
data analytic tools, system monitoring outputs are some of the examples where
concurrentITAuditbringspowerfulvalueadditionstotheorganization.
Large corporate houses tend to diversify across various sectors. Every business
vertical has its own unique information technology needs. Many times, such group
creates a set of common services to be provided to other group of companies.
Such groups can benefit by isolating centralized requirements and company
specific IT requirements. An IT assurance program can be tailor-made to different
group functional models. Apart from conventional IT assurance, such program needs
to also focus on consolidation opportunities, process optimization, technology
standardization,resourceutilizationandeffectivenessofdeployment.
Success of IT assurance program needs to get reflected in the Balanced Business
Scorecard. Typical outcome of such program is tabulated for illustrative purpose on
thenextpage.
1.8 ConcurrentITAudit
1.9 ITSystemsAssuranceforGroupCompanies
1.10 ITSystemsAssurance:ABalancedScorecard
66How robust is your IT system?RSM Astute Consulting