1. Introduction
AMG Software (AMG) is the world's leading provider of management solutions that ensure the availability,
performance, and recovery of business-critical applications. AMG calls this application service assurance
and it means that the applications its customers rely on most stay up and running, around the clock. For
more than 20 years, the largest and most successful companies have relied on AMG Software. AMG
Software is among the world's largest independent software vendors, a Forbes 500 company and a
member of the S&P 500, with revenues of $2.3 billion in the last 12 months. The company is
headquartered in Houston, Texas, with offices worldwide.
1. Outsourcing vendor
2. DLF Software (DLF) is focused on providing Offshore Development Services (ODS) to Global Clients
who include 25 of the Fortune 500 corporations of the world. With a penchant for working closely with
clients and organizing work according to the client's needs, DLF believes in working with the customer as
its Partner in Progress and participating in mutual growth both quantitatively and qualitatively. From its
inception, DLF has been one of the fastest growing major software companies in India and is rated
amongst the top 10 software export houses in India. DLF is headquartered in Bangalore and is
represented through offices in the USA, Europe, South East Asia and Japan.
2. Background
AMG has outsourced software development through ODS mode to DLF. AMG has supplied IT
infrastructure for these services and has also recruited required personnel who work at DLF for the
software projects of AMG. AMG wanted an independent assurance on the security and usage of the
technology as also protection of the IPR of AMG. Abraham and Associates (AAA) is a practising CA firm
based at Bangalore and offers IS Assurance services with a team of DISAs and IT security professionals.
Prior to the proposal, Mr. Bentley, Manager, OEM of AMG, had identified AAA through research on Google
and contacted AAA by email. The need for IS Assurance services, namely an IS audit with the objective of
providing assurance on the protection of intellectual property and a security audit, was communicated.
Based on this, AAA sent their profile offering their services, outlining their experience in this area and
providing sample proposals and deliverables of such reviews executed by AAA. The scope, objectives,
fees and deliverables were finalised after detailed discussion to meet the specific requirements of AMG,
and this was communicated to DLF.
3. Situation
The need of AMG was understood to be the requirement of an assurance that the intellectual property
including assets and access to such assets (hardware, software, manuals, media, etc.) of AMG used at
the AMG labs at DLF in Bangalore are adequately secured (physically and logically) from unauthorised
and inappropriate use through adequate and appropriate physical, environmental and logical access
controls. Hence, an independent review was to be conducted on the process and methods in place at
AMG labs at DLF so as to provide assurance that there are adequate and appropriate safeguards and
procedures that prevent unauthorized access, mishandling and damage to any of the assets of AMG at
AMG labs at DLF and all the facilities provided by AMG are being used for the purposes of AMG's
operations by personnel authorised or assigned for AMG's operations only at DLF allocated work site.
4. Objectives of Assignment
Based on the detailed discussions with Mr. Ben Crocker and visit to the AMG Labs at DLF, the primary
objectives of the assignment of Security Audit are finalised as follows:
Provide assurance to AMG that the intellectual property of AMG including assets and access to
such assets (hardware, software, manuals, media, etc.) used at the AMG labs at DLF in
Bangalore are adequately secured (physically and logically) from unauthorised and inappropriate
use through adequate and appropriate physical, environmental and logical access controls;
Review the process and methods in place at AMG labs at DLF so as to provide assurance to
AMG that there are adequate and appropriate safeguards and procedures that prevent
unauthorized access, mishandling and damage to any of the assets of AMG at AMG labs at DLF;
Review whether all the facilities provided by AMG are being used for the purposes of AMG's
operations by personnel authorised or assigned for AMG's operations only at DLF;
Validate the process and methods at AMG labs at DLF against available norms and standards of
AMG, wherever available.
all these users work on a common project and require a similar set of permissions for testing the
software, no individual logins have been created.
The users are not allowed to download source code from the servers at AMG and therefore have
to access it at Houston through telnet sessions. The access rights and the user IDs with
passwords are controlled by the system administration at Houston.
Access to the source code of software under development / maintenance / testing etc., is given
by AMG as per procedures followed by them. The code is accessed online.
The management of the above access control procedures is solely with AMG, and these are
not controlled or monitored by DLF. Hence the procedures or policies that govern such accesses
to the servers at Houston are outside the scope of this review.
Individual workstations also have a user ID and password for the users to log in to their
desktops.
A sample test of the individual workstations was carried out to ensure that they have screen savers
with passwords or session locks with passwords, so that open telnet sessions are not accessible
to any other user if the original user is not at his/her desk.
New users are given access only to the local resources at the time of joining the AMG group at
DLF by the IS department locally.
The domain accesses that grant them access to the information resources at AMG, Houston are
given and controlled by AMG.
6. Deliverables
Provide IS Audit report to management of AMG with reasonable assurance that Identified
controls as relevant are in place at the AMG Labs at DLF;
Provide a detailed report covering findings for each significant control weakness and advise
management of AMG on corrective actions to be initiated. Include management comments from
DLF on audit findings and recommendations with an agreed action plan.
7. Format of Report/Findings
Please use extracts from the SLA, the contents of the relevant section of the DISA background material
and relevant best practices as required as the benchmark for evaluation of the controls. The IS Audit report
may be prepared based on the standards of reporting issued by ICAI and ISACA.
Source code development is undertaken on an online basis through the resources at the AMG facility in
Houston. Configuration management tools in use at AMG perform the configuration management
of software under development/maintenance. DLF has no control over the configuration/change
management procedures that are to be followed during the system development or maintenance phases
of the SDLC. Because of this, DLF does not maintain any records/documents that record
the changes incorporated into software during maintenance/development activities.
Hardware:
DLF, as per the agreement with AMG, is not allowed to open any of the machines that are sent to them by
AMG for use at their labs. Because of this clause, DLF does not maintain any record of the
configuration of hardware sent to them by AMG, nor does it carry out any maintenance activities on such
machines. However, DLF does maintain an inventory of all the hardware supplied by AMG as per the
details entered in the invoices.