8/3/2019 It is Audit Report
http://slidepdf.com/reader/full/it-is-audit-report 1/15
Prepared as a case presentation for the IT & IS audit paper
May 3, 2012
Report prepared by:
Muhammad Kamran Imam, ICMAP Stage 6
Registration # 20053076
Hyderabad
Security Assessment Report
Presented for IS & IT audit case presentation
Contents
EXECUTIVE SUMMARY 3
INTRODUCTION 4
SCOPE 4
BACKGROUND INFORMATION 5
SAFWCO PHYSICAL & ENVIRONMENTAL SECURITY POLICY 6
MAJOR CONCERNS 9
SUMMARY 14
ACTION 15
Executive Summary
This activity was designed and conducted to assess the security risks attached to the IT operations of
SAFWCO. The overall assessment results show that some controls have been implemented, but several
related matters still need to be addressed and actions are yet to be taken by the organization, such as:
1. The information security policy is not fully implemented, and some matters were ignored
while designing the data backup and disaster aversion policy for data management.
2. Fire safety and air conditioning are not up to the mark compared with international
benchmark procedures.
3. Cipher locks and access control are not available.
Top List
The list below contains the "top" findings, weaknesses, or concerns discovered during the security
assessment. Some of the issues listed here are drawn from more than one section of the assessment
findings. Additional information about each is provided elsewhere in the report.
It is recommended that these be evaluated and addressed as soon as possible. They should be
considered significant and may impact the operations of SAFWCO.
1. Information Security Policy
An information security policy is the primary guide for the implementation of all security
measures. There is no formal policy specific to SAFWCO.
Recommendation: Develop an information security policy that specifically addresses the needs of
SAFWCO and its mission. Use that policy as the basis for an effective security program.
2. Temperature and Humidity Control
There is no humidity control, and no related measurement devices are in place.
Recommendation: The server room should be visited at regular intervals to determine whether
temperature and humidity are adequate. An automatic temperature and humidity measurement
device should also be installed in the server room to alert staff to a rise in temperature.
3. Emergency Evacuation Plans (Natural Disaster)
There is no evacuation procedure for staff and other people in case of a mishap.
Recommendation: The emergency evacuation plan should describe how to leave the facilities
in an organized manner that does not leave them physically insecure.
4. Entryway Access Control
There is no entryway access control system.
Recommendation: Evaluate available and suitable entryway access systems.
Introduction
This report presents the results of the SAFWCO physical security assessment. The assessment
identifies major lapses in the server room as well as in the related security of the IT administration room.
For the purpose of conducting the assessment, a number of checkpoints were included in the working papers
to make sure that all related instruments and points were checked against the standards, policies and
procedures applicable to and implemented by SAFWCO.
Scope
The following activities are within the scope of this project:
- Interviews with key staff members in charge of policy, administration, day-to-day operations, system administration, and facilities management.
- A visual walk-through of the facilities with administrative and facilities personnel to assess physical security.
- Testing the execution of environmental controls against practical guidelines and the related functionality of the systems.
Out of Scope
The following activities are NOT part of this security assessment:
- Anything other than the buildings, IT server room or facilities.
- Social engineering to acquire sensitive information from staff members.
- Testing other than Disaster Recovery Plans, Business Continuity Plans, or Emergency Response Plans.
Background Information
Having a large number of clients, SAFWCO arranged web-based software, namely MIS and FIS (for its
database management and accounts operations), designed by a local programmer. All of the organization's
related data is entered, stored and retrieved to and from a server located on the ground floor of the head
office, where a room is allocated for this purpose, with an adjoining room for the IT staff. The organization
has developed some limited controls for IT operations and is still in the development phase.
SAFWCO
(Sindh Agriculture Forestry Workers Coordinating Organization)
SAFWCO is a microfinance institution based in Hyderabad in the Sindh province of Pakistan that mostly
works with low-income men and women. The organization operates as a non-profit organization under
section 42 of the Companies Ordinance. Its whole credit line is provided by PPAF (Pakistan Poverty
Alleviation Fund) at a mark-up of 8% on the reducing balance method.
There are five credit products for different clients of the low-income community. The organization is
working in, and providing micro loans to poor people in, three districts of interior Sindh. Recently, due to an
increase in the credit line from the donor, the organization has not only expanded phenomenally, as a result
of which it developed its business value chain process and
Today the organization's collective clients served number more than 50,000, with Pak Rupees 1500 million
disbursed to various clients for various purposes. In this year alone the normal volume of clients served is
near about 30,000 in number, and around 400 million Pak Rupees have been disbursed.
SAFWCO Physical & Environmental Security Policy
(Glimpse of policy)
1. PURPOSE AND SCOPE
This policy provides guidance to implement minimum requirements that will reduce the exposure
of computer equipment to physical and environmental damage and assist in achieving an optimum
level of protection for the Organization IT Systems.
The policy contained in this chapter covers all the Organization IT System resources maintained
in-house or in the interest of the Organization. These policies are mandatory and apply to all
organizational units, employees, contractors, and others having access to and/or using the IT
System resources of the Organization.
This policy applies to all IT Systems currently in existence and any new automated technology
acquired after the effective date of this policy document.
BACKGROUND
In the early days of computer technology, securing the system in a controlled environment with
very limited access protected the computers and the information they processed. Although major
changes in computer environments have occurred, physical security is still vitally important.
Physical security measures are a tangible defense that must be taken to protect the facility,
equipment, and information from theft, tampering, careless misuse, and natural disasters.
POLICY
1. Staff and equipment require a safe, secure, and technically sound physical environment.
While it is necessary to comply with each of the areas addressed, appropriate adjustments
or allowances may be made for the organization, physical plant, and any special
requirements of the individual office or facility. Deviation from the minimum
requirements must be annotated on the system risk assessment, and the Office Head or
Facility Director must be aware of and acknowledge this deviation in the accreditation of the
system.
2. There must be, at a minimum, a cipher lock or suitable substitute on each door to the
computer room.
3. Only personnel who require access to perform their official duties will be permitted in the
computer room.
4. A log will be kept of all personnel who were issued the combination/key to the computer
and the person will be required to sign for that combination/key.
5. The combination of a cipher lock will be changed frequently, especially when a person
who was previously given the combination leaves the organization.
6. Keys or card keys will be returned to the Organization upon separation, transfer, or
termination.
7. Loss of keys or disclosure of cipher key code will be reported to the ISO immediately.
8. A computer room access roster will be established.
9. There will be signs posted designating the room as a "Restricted Area".
10. Contract maintenance personnel and others not authorized unrestricted access, but who are
required to be in the controlled area, will be escorted by an authorized person at all times
when they are within the controlled area.
11. All access to the computer room will be logged, and logs reviewed monthly by the ISO to
determine if access is still required.
12. There shall be no signs to indicate that an information system is located in any particular
building or area.
13. The main computer room should have certain structural physical security features.
The computer room:
Should be located in the center of the building
Should not have windows
The computer room walls should extend from true floor to true ceiling
Failure to meet these requirements must be annotated in the risk assessment
14. Media used to record and store sensitive software or data will be labeled, protected,
controlled and secured when not in use.
15. Physical access controls will also be implemented not only in the area containing system
hardware, but also locations of wiring used to connect elements of the system, supporting
services (such as electric power), backup media, communications closets, and any other
elements required for the system’s operation.
16. It is important to review the effectiveness of physical access controls in each area, both
during normal business hours and at other times, particularly when an area may be
unoccupied.
17. A computer room will have appropriate environmental security controls implemented,
which include measures implemented to mitigate damage to IT System resources caused
by fire, electrical surges and outages, water, and climate control failure.
Fire & Smoke
Install smoke detectors near computer equipment – and check them
periodically.
Keep fire extinguishers in and near computer rooms, and be sure all those with authorized access know where they are and how to use them.
Enforce no smoking, no eating, and no drinking policies.
Periodically hold fire drills.
Climate
Keep all rooms containing computers at reasonable temperatures,
following the manufacturer's recommendations.
Keep the humidity level at 20-30 percent.
Install gauges and alarms that warn you if the environmental controls are
getting out of range. These alarms will be monitored at all times.
Equip all heating and cooling systems with air filters to protect against dust
and other particulate matter.
Water
Protect your systems from the various types of water damage. Flooding
can result from rain or ice buildup outside, toilet or sink overflow inside, or
water from sprinklers used to fight a fire. Maintain plastic sheeting to
protect the equipment if the sprinklers go off.
Avoid locating computer rooms in the basement.
Electricity
Connect all IT System resources to an uninterruptible power supply (UPS)
that is tested periodically.
Connect all critical IT System equipment to backup emergency generators.
Install anti-static carpeting in each facility.
Install a line filter on your computer’s power supply. A voltage spike can
destroy your computer’s power supply.
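The policy above requires a key/combination roster (item 4), escorts for non-roster visitors (item 10), a monthly review of computer-room access logs by the ISO (item 11) and attention to entries at times when the area is unoccupied (item 16). The following added example, which is not part of the SAFWCO policy or of this report, automates that monthly review over constructed roster and access-log records; the CSV layout, the names and the office hours are assumptions.

```python
"""Monthly computer-room access log review (added example, not part of the
SAFWCO policy). The roster and the access log are constructed CSV samples;
the column layout and the office hours are assumptions."""
import csv
import io
from datetime import datetime, time

# Constructed roster: people issued the combination/key (policy item 4).
ROSTER_CSV = """person,role,issued
A. Khan,System Administrator,2012-01-10
B. Memon,IT Officer,2012-01-10
C. Shah,Network Technician,2012-02-01
"""

# Constructed access log (policy items 10 and 11): one row per entry.
# escorted_by is empty when the person entered on their own.
ACCESS_LOG_CSV = """timestamp,person,escorted_by
2012-04-02 09:15,A. Khan,
2012-04-02 14:40,B. Memon,
2012-04-05 22:05,A. Khan,
2012-04-09 11:00,Vendor Tech,B. Memon
2012-04-12 10:30,D. Unknown,
2012-04-20 13:00,A. Khan,
"""

BUSINESS_HOURS = (time(9, 0), time(18, 0))  # assumed office hours


def load_roster(text):
    """Map person -> roster row for everyone holding a key/combination."""
    return {row["person"]: row for row in csv.DictReader(io.StringIO(text))}


def load_log(text):
    """Parse the access log, converting timestamps to datetime objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M")
        rows.append(row)
    return rows


def review_access(roster, log, month):
    """Return the findings an ISO would look for in the review of one month
    (month given as 'YYYY-MM')."""
    entries = [r for r in log if r["timestamp"].strftime("%Y-%m") == month]
    seen = {r["person"] for r in entries}
    return {
        # Policy 10: non-roster people must be escorted by an authorised person.
        "unescorted_non_roster": sorted(
            r["person"] for r in entries
            if r["person"] not in roster and r["escorted_by"] not in roster),
        # Policy 11: roster members who never entered may no longer need access.
        "no_access_this_month": sorted(p for p in roster if p not in seen),
        # Policy 16: entries while the area is normally unoccupied need scrutiny.
        "after_hours_entries": sorted(
            (r["timestamp"].strftime("%Y-%m-%d %H:%M"), r["person"])
            for r in entries
            if not BUSINESS_HOURS[0] <= r["timestamp"].time() <= BUSINESS_HOURS[1]),
    }


if __name__ == "__main__":
    findings = review_access(load_roster(ROSTER_CSV), load_log(ACCESS_LOG_CSV), "2012-04")
    for name, items in findings.items():
        print(f"{name}: {items}")
```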
Major Concerns
Listed below are the Concerns discovered during the assessment relating to policy. These
are considered significant and steps should be taken to address them.
1. Implementation of information security policy
Explanation
The SAFWCO has no information Data security policy that is specific to its needs
and goals.
Risk
There are several risks in not having an information security policy.
Mistakes can be made in strategic planning without a guideline for security.
Resources may be wasted in protecting low-value assets, while high-value
assets go unprotected.
Without a policy, all security measures are merely ad hoc in nature and
may be misguided.
Recommendations
Periodically review and update the policy.
2. FIRE Extinguishers
Explanation
All the related fire extinguishers are either placed inside the server room where all..
Risk
There is a possibility that, at the time of an outbreak of fire at the facility, the
fire extinguishers will not be available to the relevant staff and heavy damage may
result despite a remedy being available.
Recommendations
There should be a well-known and marked position in the office that all
staff can easily access.
There should also be training for staff on how to tackle fire and how to operate extinguishers.
It is recommended to use FM 200 gas as the fire suppression system as it is environment friendly. This agent suppresses fire by discharging as a gas onto the surface of combusting materials. Large amounts of heat energy are absorbed from the surface of the burning material, lowering its temperature below the ignition point. FM-200 fire suppression systems have low atmospheric lifetimes, global warming and ozone depletion potentials.
Fire alarms should be placed strategically throughout the facility. The resulting audible alarm should be linked to a monitored guard station.
3. Air conditioning
Explanation
There is no efficient air conditioning system installed in the server room for
maintaining a constant temperature.
Risk
Heat from the systems may not be removed easily and may cause damage to
the servers and related computers.
Recommendations
It is recommended to keep the temperature of the server room under control,
because network devices dissipate a large amount of heat when in the
working state. A/C should therefore be installed and kept in working order to
minimize the temperature of the server room and keep the devices working
efficiently.
4. Temperature and Humidity Control
Explanation
No temperature and humidity measurement device is installed in the IT / server room.
Risk
In the absence of temperature and humidity measurement devices, increased
temperature in the server room cannot be measured, which results in
inefficiency of the network devices. If the humidity is outside the normal range,
the network equipment starts showing signs of corrosion, resulting in
permanent loss of systems and data.
Recommendations
The server room should be visited at regular intervals to determine whether
temperature and humidity are adequate. An automatic temperature and
humidity measurement device should also be installed in the server room
to alert staff to a rise in temperature.
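As an added example that is not part of this report, the check below implements the recommended automatic alerting over a series of sensor readings: humidity outside the 20-30 percent range given in the SAFWCO policy, temperature above a ceiling, and a fast rise in temperature of the kind an A/C failure produces. The 27 C ceiling, the 3 C per 15 minute rise limit and the readings themselves are constructed assumptions, not values from the report.

```python
"""Server-room environmental alarm check (added example, not from the report).
Humidity range 20-30 % comes from the SAFWCO policy; the temperature ceiling,
the rate-of-rise limit and the readings are constructed assumptions."""
from datetime import datetime, timedelta

HUMIDITY_RANGE = (20.0, 30.0)          # percent, policy item 17 (Climate)
TEMP_MAX_C = 27.0                      # assumed manufacturer limit
RISE_LIMIT_C = 3.0                     # assumed: alarm if temperature rises this much...
RISE_WINDOW = timedelta(minutes=15)    # ...within this window

# Constructed readings: (timestamp, temperature in C, relative humidity in %)
READINGS = [
    ("2012-04-02 09:00", 22.5, 28.0),
    ("2012-04-02 09:05", 22.8, 29.0),
    ("2012-04-02 09:10", 23.0, 31.5),   # humidity drifts above the policy range
    ("2012-04-02 09:15", 24.6, 30.0),
    ("2012-04-02 09:20", 26.2, 29.5),   # A/C failing: fast rise, still under the ceiling
    ("2012-04-02 09:25", 27.4, 29.0),   # above the absolute ceiling
]


def parse(readings):
    """Convert the timestamp strings into datetime objects."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), t, h) for ts, t, h in readings]


def check_environment(readings):
    """Return (time, alarm text) tuples in time order.

    The rate-of-rise check compares each reading with the oldest reading that
    still falls inside RISE_WINDOW, so a gradual rise that stays under the
    ceiling is still reported before it becomes damaging."""
    alarms = []
    history = parse(readings)
    for i, (ts, temp, hum) in enumerate(history):
        stamp = ts.strftime("%H:%M")
        if not HUMIDITY_RANGE[0] <= hum <= HUMIDITY_RANGE[1]:
            alarms.append((stamp, f"humidity {hum:.1f}% out of range"))
        if temp > TEMP_MAX_C:
            alarms.append((stamp, f"temperature {temp:.1f}C above limit"))
        window_start = ts - RISE_WINDOW
        earlier = [t for (t0, t, _) in history[:i] if t0 >= window_start]
        if earlier and temp - earlier[0] >= RISE_LIMIT_C:
            minutes = RISE_WINDOW.seconds // 60
            alarms.append((stamp, f"temperature rose {temp - earlier[0]:.1f}C in {minutes} min"))
    return alarms


if __name__ == "__main__":
    for stamp, text in check_environment(READINGS):
        print(stamp, text)
```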
5. Smoke Detectors
Explanation
There are not multiple smoke detectors installed in the IT / server room, so a major part of the area is not covered for efficient detection of fire.
Risk
The absence of smoke detectors and fire alarms means the presence of fire in the server room will not be
indicated, which will result in damage to equipment and hence financial loss.
Recommendations
Smoke detectors should be installed above and below the ceiling tiles
throughout the facilities and below the raised computer room floor. The
detectors should produce an audible alarm when activated and be linked to
a monitored station (preferably by the fire department). The location of the
smoke detectors above the ceiling tiles and below the raised floor should be
marked on the tiling for easy identification and access. Smoke detectors
should supplement, not replace, fire suppression systems.
6. Measures for Lightning, Storms, Floods and Other Natural Disasters
Explanation
There is no possible estimation or expectation of any of the above natural
disasters, but there are considerable chances of floods and lightning problems, as well
as electromagnetic waves.
Risk
The head office building is located near a river bank, which is half a mile away
from the building. Last year's flood and the current year's rains have created a risk of
flooding to the head office building.
No major earthquake has been reported in the city, only slight tremors of low
magnitude, but earthquakes can never be ruled out from the probable natural disasters.
Recommendations
Shifting the server room from the ground floor to the first floor may easily remove
the flood risk; there should be no windows in the room, and the ceilings and floor
must be insulated from fire and heat with suitable materials.
Multiple forms of data storage and the storage location can be changed once it is
assumed that there is a natural disaster risk to IT operations.
Short-term interruptions, such as sags, spikes and surges, can be controlled
by UPS devices. Long-term interruptions, which last from a few hours
to several days, require the use of alternate power generators.
Anti-static flooring is required in the server room.
7. Emergency Evacuation Plans (Natural Disaster)
Explanation
We noted that there are no procedures defined for the emergency evacuation of
the employees in case of any disaster.
Risk
In the absence of a properly documented and tested emergency evacuation plan,
there is a threat to life if the employees are not aware of the emergency exits and
procedures in case of a disaster.
Recommendation
The emergency evacuation plan should describe how to leave the
IPFs in an organized manner that does not leave the facilities physically insecure.
A sample of IS employees should be interviewed to determine whether they are familiar
with the documented plan. The emergency evacuation plans should be posted
throughout the facilities.
8. Building Concerns
Several key doors within the building are unlocked or can be forced open.
Explanation
There are several important doors in the interior SAFWCO office area that are
normally unlocked or can be forced open even when locked. The door to the utility
room is a hollow-core wooden door with no lock. The utility room contains the
wiring panel for the telephones, a junction for the fiber optic cable, and the alarm
system box. The system administrator's office, which contains the files, is usually
unlocked and open.
Risk
These doors protect valuable assets of SAFWCO. A determined attacker, thief,
or disgruntled employee could get through these important doors with minimal
effort to steal and/or destroy.
Recommendations
Replace the current doors with stronger fire doors.
Replace the existing door hardware with high-security locks.
9. Security Perimeter Concerns
Explanation
An entryway access control system limits physical access to
a secure area to authorized personnel with the correct PIN or access card.
These systems have either a control panel where a correct PIN must be
entered before entry is allowed, or a unique access card (contact or contactless) for
each person to enter. Advanced systems provide log information each time
personnel enter the secure area.
Risk
There are several risks in not having an entryway access control system.
Unauthorized people can enter secure areas unescorted.
There is no record of personnel entries into secure areas.
It is not possible to disable access for a specific person.
Recommendations
Evaluate available and suitable entryway access systems.
Develop appropriate procedures for assigning and removing access.
Install an appropriate system and assign access rights.
10. Backup Media Concerns
Explanation
The backup media are stored near the backup system on an open shelf in the server
area. The media could be stolen, misplaced, accidentally erased, dropped, or
destroyed in a fire. If a system or data must be recovered, the media may not be
available or functional when needed.
Risk
The operation of SAFWCO can be impacted if the backup media are not
available due to theft, damage, or fire.
Recommendations
Purchase and install a lockable, fireproof media safe. Secure it to the floor
and/or wall.
Summary
1. There is no possible estimation or expectation of any of the above natural
disasters, but there are considerable chances of floods and lightning problems, as well
as electromagnetic waves.
2. An entryway access control system limits physical access to a secure area to
authorized personnel with the correct PIN or access card. These systems
have either a control panel where a correct PIN must be entered before
entry is allowed, or a unique access card (contact or contactless) for each person to
enter. Advanced systems provide log information each time personnel enter the
secure area.
3. The backup media are stored near the backup system on an open shelf in the server
area. The media could be stolen, misplaced, accidentally erased, dropped, or
destroyed in a fire. If a system or data must be recovered, the media may not be
available or functional when needed.
4. The door to the utility room is a hollow-core wooden door with no lock. The utility
room contains the wiring panel for the telephones, a junction for the fiber optic
cable, and the alarm system box. The system administrator's office, which contains the
files, is usually unlocked and open.
5. There is no efficient air conditioning system installed in the server room for
maintaining a constant temperature.
6. In the absence of temperature and humidity measurement devices, increased
temperature in the server room cannot be measured, which results in inefficiency of
the network devices. If the humidity is outside the normal range, the network
equipment starts showing signs of corrosion, resulting in permanent loss of systems
and data.
Action Plan
It is recommended to keep the temperature of the server room under control, because
network devices dissipate a large amount of heat when in the working state. A/C should
therefore be installed and kept in working order to minimize the temperature of the
server room and keep the devices working efficiently.
It is recommended to use FM 200 gas as the fire suppression system as it is
environment friendly. This agent suppresses fire by discharging as a gas onto the
surface of combusting materials. Large amounts of heat energy are absorbed from
the surface of the burning material, lowering its temperature below the ignition
point. FM-200 fire suppression systems have low atmospheric lifetimes, global
warming and ozone depletion potentials.
Fire alarms should be placed strategically throughout the facility. The resulting
audible alarm should be linked to a monitored guard station.
The server room should be visited at regular intervals to determine whether temperature
and humidity are adequate. An automatic temperature and humidity measurement
device should also be installed in the server room to alert staff to a rise in temperature.
Smoke detectors should be installed above and below the ceiling tiles throughout
the facilities and below the raised computer room floor. The detectors should
produce an audible alarm when activated and be linked to a monitored station
(preferably by the fire department). The location of the smoke detectors above the
ceiling tiles and below the raised floor should be marked on the tiling for easy
identification and access. Smoke detectors should supplement, not replace, fire
suppression systems.
Short-term interruptions, such as sags, spikes and surges, can be controlled by UPS
devices. Long-term interruptions, which last from a few hours to several days,
require the use of alternate power generators.
Other concerns, outside of natural threats, are man-made. They include terrorist
threats/attacks, vandalism, electrical shock and equipment failure.
To reduce the risk of flooding, the computer room should not be located in the
basement or on the top floor. If located in a multistory building, studies show that the best
location for the computer room, the location which reduces the risk of fire, smoke
and water damage, is on the middle floors (e.g., third, fourth, fifth or sixth floor).