Information System Audit : © South-Asian Management Technologies Foundation Chapter 10 Case Study: Conducting an Information Systems Audit
Information System Audit : © South-Asian Management Technologies Foundation Important Security Issues in Bank User Access Management User Registration Authentication of Users Password Management System Limiting Sign-on Attempts Unattended Terminals Information Access Restriction
Information System Audit : © South-Asian Management Technologies Foundation Important Security Issues in Bank Use of System Utilities Limitation of Connection Time Warning External Users Audit Trails Fault Logging Logging and Reviewing of Events
Information System Audit : © South-Asian Management Technologies Foundation Steps of Information Systems Audit at a Bank Branch Commencement of audit Review of start-up operations General overview Overview of records Physical environment Hardware audit Software audit
Information System Audit : © South-Asian Management Technologies Foundation Steps of Information Systems Audit at a Bank Branch Network and communication audit Personnel awareness Password maintenance Logical environment Access to server Repair and maintenance Unauthorized programs and folders
Information System Audit : © South-Asian Management Technologies Foundation Steps of Information Systems Audit at a Bank Branch Day-end reports Backup Contingency plan
Information System Audit : © South-Asian Management Technologies Foundation Special Considerations in Core Banking Systems Migration controls Day-end controls –Exception report –List of users –Access log –List of rejected and cancelled entries Control over Periodical/Mass-Runs (System Generated Transactions) Control over Inter-SOL Transactions
Information System Audit : © South-Asian Management Technologies Foundation Special Considerations in Core Banking Systems Control over Proxy/Parking Transactions –System generated –User generated Mapping of Accounts Application Control Review –User profile maintenance –User-id maintenance –Password management
Information System Audit : © South-Asian Management Technologies Foundation Special Considerations in Core Banking Systems –Log-on attempts –Access logs and reviews –Virus detection and protection –Module interfacing Database and System Administration –Database administrator and system administrator –Segregation of duties –Access to super-user accounts
Information System Audit : © South-Asian Management Technologies Foundation Special Considerations in Core Banking Systems –Usage of passwords –Change in privilege levels –Problem management –Change management –Access to database logs –Encryption of data VPN level Storage level –Test of backup and periodic recovery
Information System Audit : © South-Asian Management Technologies Foundation Special Considerations in Core Banking Systems Firewalls –Bandwidth level estimation –Location of firewalls –Presence of proxy server –Restriction of network services –Port restrictions –Internet connection –Domain name system –IP address
Information System Audit : © South-Asian Management Technologies Foundation Special Considerations in Core Banking Systems –Router password management –Logging and review of logs –Demilitarized zone –Updating of patches for the firewall –Firewall operation in backup site Help Desk Information Security
Information System Audit : © South-Asian Management Technologies Foundation Special Considerations in Core Banking Systems Logs of Activity –Operating system logs –Firewall logs –Application system logs –SQL logs –ATM terminal access ID and log Departure from Normal Patterns Management Practices Operational Activities