System Audit - A Government Enterprise
Business Requirement
- Review of configuration, deployment, security and console policy
- Messaging architecture and application security, including DLP features in email
- Administration, including access governance and management of access and high-privilege accounts
- Change and capacity management, and log controls
- Mobile Device Management (MDM) controls
- Data migration process from Zoho to Office 365 (O365)
- Backup and disaster recovery
- Review of adherence to contractual arrangements, including SLAs, security certifications, attestations and related reports of service providers
- Compliance with relevant RBI Cyber Security Framework requirements
Key Finding
- Log review and audit trails not enabled for specific transactions that need to be secured from a data and user perspective
- Data transfer and risk management policies not adequate
- Security management practices not implemented: no antivirus policy, and capture and review of server logs not enabled or in place
- Intranet site not adequately protected; the LNV Diary was compromised as there was no user ID and password protection through two-way authentication and controls
- Asset register and IT asset management not aligned by serial number, as there is no data labelling
- Service vendors not available
- No third-party assurance in place
- CIA (confidentiality, integrity, availability) practices not in place
- No policy for IT, security, disposal, data transfer, data security, network and IT procurement
Key Finding
Our proprietary SPARK framework was used to perform the audit with our enabled risk library, which includes:
- Check points for specific area
- Mapping with ISO 27001 clauses and controls
- IT asset management framework review
- Quality management and IT act best practices
- Key metrics and measures for incident management & reporting
- Enabled risk library with domain and technology risks
Business Benefit and Result
- Better compliance management & security adherence
- IT Asset management
- Physical & logical security effectiveness
- Proactive risk management and controls definition
- Email security and Data loss prevention controls review