
8/3/2019 It is Audit Report

http://slidepdf.com/reader/full/it-is-audit-report 1/15

 

For a case presentation of the IT & IS audit paper

May 3, 2012

Report Prepared by:

Muhammad Kamran Imam, ICMAP Stage 6

[email protected]

Registration # 20053076

Hyderabad


Security Assessment Report  

Presented for IS & IT audit case presentation

Contents

EXECUTIVE SUMMARY

INTRODUCTION

SCOPE

BACKGROUND INFORMATION

SAFWCO PHYSICAL & ENVIRONMENTAL SECURITY POLICY

MAJOR CONCERNS

SUMMARY

ACTION


Executive Summary

This activity was designed and conducted to assess the security risks attached to the IT operations of SAFWCO. The overall assessment results show that some controls have been implemented in this regard, but several related matters still need to be addressed and actions are yet to be taken by the organization, such as:

1. The information security policy is not fully implemented, and some matters are ignored when designing the data backup and disaster aversion policy for data management.

2. Fire security and air conditioning are not up to the mark compared with international benchmark procedures.

3. Unavailability of cipher locks and access control.

Top List

The list below contains the "top" findings, weaknesses or concerns discovered during the security assessment. Some of the issues listed here appear in more than one section of the assessment report findings. Additional information about each is provided elsewhere in the report.

It is recommended that these be evaluated and addressed as soon as possible. They should be considered significant and may impact the operations of SAFWCO.

1. Information Security Policy

An information security policy is the primary guide for the implementation of all security measures. There is no formal policy specific to SAFWCO.

Recommendation: Develop an information security policy that specifically addresses the needs of SAFWCO and its mission. Use that policy as the basis for an effective security program.

2. Temperature and Humidity Control

There is no humidity control, and no related devices are in place.

Recommendation: The server room should be visited at regular intervals to determine whether temperature and humidity are adequate. An automatic temperature and humidity measurement device should also be installed in the server room to alert staff to a rise in temperature.

3. Emergency Evacuation Plans (Natural Disaster)

There is no evacuation system for staff and other people in case of a mishap.

Recommendation: The emergency evacuation plan should describe how to leave in an organized manner that does not leave the facilities physically insecure.

4. There is no entryway access control system

Recommendation: Evaluate available and suitable entryway access systems.


Introduction

This report is the assessment report for the SAFWCO physical security assessment. The assessment identifies major lapses in the server room as well as in the related security of the IT administration room. To conduct the assessment, a large number of points were included in the working papers to make sure that all related instruments and points were checked as per the standards, policies and procedures applicable to and implemented by SAFWCO.

Scope

The following activities are within the scope of this project:

- Interviews with key staff members in charge of policy, administration, day-to-day operations, system administration, and facilities management.

- A visual walk-through of the facilities with administrative and facilities personnel to assess physical security.

- Testing the execution of the environmental controls against practical guidelines and the related functionality of the system.

Out of Scope

The following activities are NOT part of this security assessment:

- Buildings, rooms or facilities other than the IT server room.

- Social engineering to acquire sensitive information from staff members.

- Testing other than of Disaster Recovery Plans, Business Continuity Plans, or Emergency Response Plans.


Background Information

Having a large number of clients, SAFWCO uses web-based software, namely MIS and FIS (for its database management and accounts operations), designed by a local programmer. All of the organization's related data is entered, stored and retrieved to and from a server located on the ground floor of the head office, where a room is allocated for this purpose, and there is a related room for the IT staff. The organization has developed some limited controls for IT operations and is still in the development phase.

SAFWCO

(Sindh Agriculture Forestry Workers Coordinating Organization)

SAFWCO is a microfinance institute based in Hyderabad in the Sindh province of Pakistan, and mostly works with low-income men and women. The organization works as a non-profit organization under section 42 of the Companies Ordinance. The whole credit line is provided to the organization by PPAF (Pakistan Poverty Alleviation Fund) at a mark-up of 8% on the reducing balance method.

There are five credit products for different clients from the low-income community. The organization is working, i.e. providing micro loans to poor people, in three districts of interior Sindh. Recently, due to an increase in the credit line from the donor, the organization has not only expanded phenomenally, as a result of which they developed their business value chain process and

Today the organization's collective clients served number more than 50,000, with Pak Rupees 1,500 million disbursed to various clients for various purposes. This year the normal volume of clients served is around 30,000 in number, and around Pak Rupees 400 million have been disbursed.


SAFWCO Physical & Environmental Security Policy

(Glimpse of policy)

1. PURPOSE AND SCOPE

This policy provides guidance to implement minimum requirements that will reduce the exposure of computer equipment to physical and environmental damage and assist in achieving an optimum level of protection for the Organization's IT Systems.

The policy contained in this chapter covers all the Organization's IT System resources maintained in-house or in the interest of the Organization. These policies are mandatory and apply to all organizational units, employees, contractors, and others having access to and/or using the IT System resources of the Organization.

This policy applies to all IT Systems currently in existence and any new automated technology acquired after the effective date of this policy document.

2. BACKGROUND

In the early days of computer technology, securing the system in a controlled environment with very limited access protected the computers and the information they processed. Although major changes in computer environments have occurred, physical security is still vitally important. Physical security measures are a tangible defense that must be taken to protect the facility, equipment, and information from theft, tampering, careless misuse, and natural disasters.

3. POLICY

1. Staff and equipment require a safe, secure, and technically sound physical environment. While it is necessary to comply with each of the areas addressed, appropriate adjustments or allowances may be made for the organization, physical plant, and any special requirements of the individual office or facility. Deviation from the minimum requirements must be annotated on the system risk assessment, and the Office Head or Facility Director must be aware of and acknowledge this deviation in the accreditation of the system.

2. There must be, at a minimum, a cipher lock or suitable substitute on each door to the computer room.

3. Only personnel who require access to perform their official duties will be permitted in the computer room.

4. A log will be kept of all personnel who were issued the combination/key to the computer room, and the person will be required to sign for that combination/key.

5. The combination of a cipher lock will be changed frequently, especially when a person who was previously given the combination leaves the organization.


6. Keys or card keys will be returned to the Organization upon separation, transfer, or termination.

7. Loss of keys or disclosure of the cipher key code will be reported to the ISO immediately.

8. A computer room access roster will be established.

9. There will be signs posted designating the room as a "Restricted Area".

10. Contract maintenance personnel and others not authorized unrestricted access, but who are required to be in the controlled area, will be escorted by an authorized person at all times when they are within the controlled area.

11. All access to the computer room will be logged, and the logs reviewed monthly by the ISO to determine if access is still required.

12. There shall be no signs to indicate that an information system is located in any particular building or area.

13. The main computer room should have certain structural physical security features. The computer room:

- Should be located in the center of the building

- Should not have windows

- Should have walls that extend from true floor to true ceiling

- Failure to meet these requirements must be annotated in the risk assessment

14. Media used to record and store sensitive software or data will be labeled, protected, controlled and secured when not in use.

15. Physical access controls will also be implemented not only in the area containing system hardware, but also at the locations of wiring used to connect elements of the system, supporting services (such as electric power), backup media, communications closets, and any other elements required for the system's operation.

16. It is important to review the effectiveness of physical access controls in each area, both during normal business hours and at other times, particularly when an area may be unoccupied.

17. A computer room will have appropriate environmental security controls implemented, which include measures implemented to mitigate damage to IT System resources caused by fire, electrical surges and outages, water, and climate control failure.

Fire & Smoke

- Install smoke detectors near computer equipment, and check them periodically.

- Keep fire extinguishers in and near computer rooms, and be sure all those with authorized access know where they are and how to use them.

- Enforce no smoking, no eating, and no drinking policies.

- Periodically hold fire drills.

Climate

- Keep all rooms containing computers at reasonable temperatures, following the manufacturer's recommendations.


- Keep the humidity level at 20-30 percent.

- Install gauges and alarms that warn you if the environmental controls are getting out of range. These alarms will be monitored at all times.

- Equip all heating and cooling systems with air filters to protect against dust and other particulate matter.

Water

- Protect your systems from the various types of water damage. Flooding can result from rain or ice buildup outside, toilet or sink overflow inside, or water from sprinklers used to fight a fire. Maintain plastic sheeting to protect the equipment if the sprinklers go off.

- Avoid locating computer rooms in the basement.

Electricity

- Connect all IT System resources to an uninterruptible power supply (UPS) that is tested periodically.

- Connect all critical IT System equipment to backup emergency generators.

- Install anti-static carpeting in each facility.

- Install a line filter on your computer's power supply. A voltage spike can destroy your computer's power supply.


Major Concerns

Listed below are the concerns discovered during the assessment relating to policy. These are considered significant, and steps should be taken to address them.

1. Implementation of information security policy

Explanation

SAFWCO has no information/data security policy that is specific to its needs and goals.

Risk

There are several risks in not having an information security policy.

- Mistakes can be made in strategic planning without a guideline for security.

- Resources may be wasted in protecting low-value assets, while high-value assets go unprotected.

- Without a policy, all security measures are merely ad hoc in nature and may be misguided.

Recommendations

- Periodically review and update the policy.

2. Fire Extinguishers

Explanation

All the related fire extinguishers are either placed inside the server room where all..

Risk

- There is a possibility that at the time of an outbreak of fire at the facility all the fire extinguishers will not be available to the relevant person, and this may cause heavy damage despite the available cure.

Recommendations

- There should be a well-known and marked position in the office to which all the staff have easy access.

- There should also be certain training steps for staff on how to tackle fire and how to operate extinguishers.

- It is recommended to use FM 200 gas as the fire suppression system, as this is environmentally friendly. This agent suppresses fire by discharging as a gas onto the surface of combusting materials. Large amounts of heat energy are absorbed from the surface of the burning material, lowering its temperature below the ignition point. FM-200 fire suppression systems have low atmospheric lifetimes, global warming and ozone depletion potentials.


- Fire alarms should be placed strategically throughout the facility. The resulting audible alarm should be linked to a monitored guard station.

3. Air Conditioning

Explanation

There is no efficient air conditioning system installed in the server room for maintaining a constant temperature.

Risk

- Heat from the systems' heat sinks may not be easily removed, which may cause damage to servers and related computers.

Recommendations

- It is recommended to keep the temperature of the server room under control, because network devices dissipate a large amount of heat when in the working state. So an A/C unit should be installed and kept in working order to bring down the temperature of the server room and keep the devices working efficiently.

4. Temperature and Humidity Control

Explanation

No temperature and humidity measurement device is installed in the IT/server room.

Risk

- In the absence of temperature and humidity measurement devices, increased temperature in the server room cannot be measured, which results in inefficiency of the network devices. If the humidity is outside the normal range, the network equipment starts showing signs of corrosion, resulting in permanent loss of systems and data.

Recommendations

- The server room should be visited at regular intervals to determine whether temperature and humidity are adequate. An automatic temperature and humidity measurement device should also be installed in the server room in order to alert staff to a rise in temperature.
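As an added illustration, not part of the report, of what the recommended automatic device's alerting logic needs to do: the humidity band (20-30 percent) is the policy's own figure, while the temperature ceiling, the sampling interval and the sensor log lines are assumptions constructed for the example. It raises an alarm only after consecutive out-of-range samples, and separately when the sensor goes quiet, since an unmonitored gauge gives no warning at all.

```python
"""Environmental alarm evaluation for the server room (constructed example)."""
from datetime import datetime, timedelta

HUMIDITY_MIN, HUMIDITY_MAX = 20.0, 30.0   # policy: keep humidity at 20-30 percent
TEMP_MAX_C = 27.0                         # assumed manufacturer ceiling (placeholder)
SAMPLE_INTERVAL = timedelta(minutes=5)    # assumed sensor reporting interval
CONFIRM_SAMPLES = 2                       # consecutive out-of-range samples before alarming

# Constructed sensor log: "timestamp,temperature_c,humidity_pct"
SENSOR_LOG = """\
2012-05-03T09:00:00,24.5,26
2012-05-03T09:05:00,25.0,27
2012-05-03T09:10:00,28.2,27
2012-05-03T09:15:00,29.0,28
2012-05-03T09:20:00,29.4,33
2012-05-03T09:25:00,26.1,34
2012-05-03T10:10:00,25.0,25
"""


def parse_readings(text):
    """Turn the constructed log into (timestamp, temperature, humidity) tuples."""
    readings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, temp, hum = line.split(",")
        readings.append((datetime.fromisoformat(ts), float(temp), float(hum)))
    return readings


def out_of_range(temp, hum):
    """Return the names of the quantities outside the policy band."""
    problems = []
    if temp > TEMP_MAX_C:
        problems.append("temperature")
    if not HUMIDITY_MIN <= hum <= HUMIDITY_MAX:
        problems.append("humidity")
    return problems


def evaluate(readings):
    """Produce alarms for sustained out-of-range readings and for sensor silence."""
    alarms = []
    streak = {"temperature": 0, "humidity": 0}
    previous_ts = None
    for ts, temp, hum in readings:
        # A gap longer than two intervals means the measurement device itself may have failed.
        if previous_ts is not None and ts - previous_ts > 2 * SAMPLE_INTERVAL:
            alarms.append((ts.isoformat(), "sensor_silent"))
        previous_ts = ts
        problems = out_of_range(temp, hum)
        for quantity in streak:
            if quantity in problems:
                streak[quantity] += 1
                # Alarm once, when the condition has been confirmed by consecutive samples.
                if streak[quantity] == CONFIRM_SAMPLES:
                    alarms.append((ts.isoformat(), quantity))
            else:
                streak[quantity] = 0
    return alarms


def run_evaluation():
    return evaluate(parse_readings(SENSOR_LOG))


if __name__ == "__main__":
    for when, what in run_evaluation():
        print(f"{when}: {what}")
```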

5. Smoke Detectors

Explanation

There are no multiple smoke detectors installed in the IT/server room, so a major area is not covered for efficient detection of fire.


Risk

- The absence of smoke detectors and a fire alarm means the presence of fire in the server room will not be indicated, which will result in damage to equipment and hence financial loss.

Recommendations

- Smoke detectors should be installed above and below the ceiling tiles throughout the facilities and below the raised computer room floor. The detectors should produce an audible alarm when activated and be linked to a monitored station (preferably by the fire department). The location of the smoke detectors above the ceiling tiles and below the raised floor should be marked on the tiling for easy identification and access. Smoke detectors should supplement, not replace, fire suppression systems.

6. Measures for Lightning, Storms, Floods and Other Natural Disasters

Explanation

There are no estimations or expectations for any of the above natural disasters, but there are considerable chances of floods and lightning problems as well as electromagnetic waves.

Risk

- The head office building is located near a river bank which is half a mile away from the building. Last year's flood and this year's rains have created a risk of floods to the head office building.

- There is no incident of earthquake reported in the city, only slight earthquake waves of low-level magnitude, but earthquake can still never be ruled out from the probable natural disasters.

Recommendations

- Shifting the server room from the ground floor to the first floor may easily remove the flood risk of concern; there should be no window in the room, and the ceilings and floor must be insulated from fire and heat by suitable materials.

- Data can be kept in multiple forms, and the storage location changed, once it is assumed that there is a natural disaster risk to IT operations.

- Short-term interruptions, such as sags, spikes and surges, can be controlled by UPS devices. Long-term interruptions, which last from a few hours to several days, require the use of alternate power generators.

- Anti-static flooring is required in the server room.

7. Emergency Evacuation Plans (Natural Disaster)

Explanation

We noted that there are no procedures defined for the emergency evacuation of the employees in case of any disaster.

Risk


In the absence of a properly documented and tested emergency evacuation plan, there is a threat to life if the employees are not aware of the emergency exits/procedures in case of a disaster.

Recommendation

The emergency evacuation plan should describe how to leave the IPFs in an organized manner that does not leave the facilities physically insecure. A sample of IS employees should be interviewed to determine if they are familiar with the documented plan. The emergency evacuation plans should be posted throughout the facilities.

8. Building Concerns

Several key doors within the building are unlocked or can be forced open

Explanation

There are several important doors in the interior SAFWCO office area that are normally unlocked or can be forced open even when locked. The door to the utility room is a hollow-core wooden door with no lock. The utility room contains the wiring panel for the telephones, a junction for the fiber optic cable, and the alarm system box. The system administrator's office, containing the files, is usually unlocked and open.

Risk

These doors protect valuable assets of SAFWCO. A determined attacker, thief, or disgruntled employee could get through these important doors with minimal effort to steal and/or destroy.

Recommendations

- Replace current doors with stronger fire doors.

- Replace existing door hardware with high-security locks.

9. Security Perimeter Concerns

Explanation

An entryway access control system limits physical access to a secure area to authorized personnel with the correct PIN number or access card. These systems have either a control panel where a correct PIN number must be entered before entry is allowed or a unique access card (contact or contactless) for each person to enter. Advanced systems provide log information each time personnel enter the secure area.

Risk


There are several risks in not having an entryway access control system.

- Unauthorized people can enter secure areas unescorted.

- There is no record of personnel entries into secure areas.

- It is not possible to disable access for a specific person.

Recommendations

- Evaluate available and suitable entryway access systems.

- Develop appropriate procedures for assigning and removing access.

- Install an appropriate system and assign access rights.
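As an added example, not part of the report, of the monthly review that the entry log and the policy's roster, key log and separation rules make possible: it reconciles a door-controller log against the access roster and the key/combination issue log, flagging entries by people who are not on the roster or who have already left, active roster members who no longer use their access, and key holders who have separated without returning the combination. The people, dates and log format are constructed.

```python
"""Monthly computer-room access review (constructed example)."""
from collections import Counter
from datetime import date, datetime

# Constructed access roster: uid -> name and separation date (None while employed).
ROSTER = {
    "akhan": {"name": "A. Khan", "separated": None},
    "bsoomro": {"name": "B. Soomro", "separated": date(2012, 4, 10)},
    "cmemon": {"name": "C. Memon", "separated": None},
}

# Constructed key/combination issue log: uids that signed for the combination.
KEY_LOG = {"akhan", "bsoomro"}

# Constructed door-controller log: "timestamp,uid,result"
ACCESS_LOG = """\
2012-04-02T09:12:00,akhan,granted
2012-04-03T18:40:00,bsoomro,granted
2012-04-15T08:05:00,bsoomro,granted
2012-04-16T22:10:00,vendor01,granted
2012-04-20T10:00:00,akhan,denied
"""

REVIEW_START, REVIEW_END = date(2012, 4, 1), date(2012, 4, 30)


def parse_log(text):
    """Turn the constructed log into (timestamp, uid, result) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, uid, result = line.split(",")
        entries.append((datetime.fromisoformat(ts), uid, result))
    return entries


def review(entries, roster, key_log, start, end):
    """Return the findings an ISO would raise in the monthly log review."""
    findings = {
        "not_on_roster": set(),        # granted entries by people not on the roster
        "after_separation": [],        # granted entries by people who had already left
        "no_access_in_period": set(),  # active roster members who never entered
        "key_not_returned": set(),     # separated people still holding a key/combination
    }
    granted = Counter()
    for ts, uid, result in entries:
        if not (start <= ts.date() <= end) or result != "granted":
            continue
        granted[uid] += 1
        person = roster.get(uid)
        if person is None:
            findings["not_on_roster"].add(uid)
        elif person["separated"] is not None and ts.date() > person["separated"]:
            findings["after_separation"].append((uid, ts.isoformat()))
    for uid, person in roster.items():
        if person["separated"] is None and granted[uid] == 0:
            findings["no_access_in_period"].add(uid)
        if person["separated"] is not None and uid in key_log:
            findings["key_not_returned"].add(uid)
    # The combination must be changed whenever a holder has left the organization.
    findings["combination_change_due"] = bool(findings["key_not_returned"])
    return findings


def run_review():
    return review(parse_log(ACCESS_LOG), ROSTER, KEY_LOG, REVIEW_START, REVIEW_END)


if __name__ == "__main__":
    for key, value in run_review().items():
        print(f"{key}: {value}")
```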

10. Backup Media Concerns

Explanation

The backup media are stored near the backup system on an open shelf in the server area. The media could be stolen, misplaced, accidentally erased, dropped, or destroyed in a fire. If a system or data must be recovered, the media may not be available or functional when needed.

Risk

The operation of SAFWCO can be impacted if the backup media are not available due to theft, damage, or fire.

Recommendations

- Purchase and install a lockable, fireproof media safe. Secure it to the floor and/or wall.


Summary

1. There are no estimations or expectations for any of the above natural disasters, but there are considerable chances of floods and lightning problems as well as electromagnetic waves.

2. An entryway access control system limits physical access to a secure area to authorized personnel with the correct PIN number or access card. These systems have either a control panel where a correct PIN number must be entered before entry is allowed or a unique access card (contact or contactless) for each person to enter. Advanced systems provide log information each time personnel enter the secure area.

3. The backup media are stored near the backup system on an open shelf in the server area. The media could be stolen, misplaced, accidentally erased, dropped, or destroyed in a fire. If a system or data must be recovered, the media may not be available or functional when needed.

4. The door to the utility room is a hollow-core wooden door with no lock. The utility room contains the wiring panel for the telephones, a junction for the fiber optic cable, and the alarm system box. The system administrator's office, containing the files, is usually unlocked and open.

5. There is no efficient air conditioning system installed in the server room for maintaining a constant temperature.

6. In the absence of temperature and humidity measurement devices, increased temperature in the server room cannot be measured, which results in inefficiency of the network devices. If the humidity is outside the normal range, the network equipment starts showing signs of corrosion, resulting in permanent loss of systems and data.


Action Plan

- It is recommended to keep the temperature of the server room under control, because network devices dissipate a large amount of heat when in the working state. So an A/C unit should be installed and kept in working order to bring down the temperature of the server room and keep the devices working efficiently.

- It is recommended to use FM 200 gas as the fire suppression system, as this is environmentally friendly. This agent suppresses fire by discharging as a gas onto the surface of combusting materials. Large amounts of heat energy are absorbed from the surface of the burning material, lowering its temperature below the ignition point. FM-200 fire suppression systems have low atmospheric lifetimes, global warming and ozone depletion potentials.

- Fire alarms should be placed strategically throughout the facility. The resulting audible alarm should be linked to a monitored guard station.

- The server room should be visited at regular intervals to determine whether temperature and humidity are adequate. An automatic temperature and humidity measurement device should also be installed in the server room in order to alert staff to a rise in temperature.

- Smoke detectors should be installed above and below the ceiling tiles throughout the facilities and below the raised computer room floor. The detectors should produce an audible alarm when activated and be linked to a monitored station (preferably by the fire department). The location of the smoke detectors above the ceiling tiles and below the raised floor should be marked on the tiling for easy identification and access. Smoke detectors should supplement, not replace, fire suppression systems.

- Short-term interruptions, such as sags, spikes and surges, can be controlled by UPS devices. Long-term interruptions, which last from a few hours to several days, require the use of alternate power generators.

- Other concerns, outside of natural threats, are man-made. They include terrorist threats/attacks, vandalism, electrical shock and equipment failure.

- To reduce the risk of flooding, the computer room should not be located in the basement or on the top floor. If located in a multistory building, studies show that the best location for the computer room, the location which reduces the risk of fire, smoke and water damage, is on the middle floors (e.g., third, fourth, fifth or sixth floor).