
Information System audit check list for Zemen Bank

1. Information System Project Management


1.1. User requirements
• Is there an annual plan covering areas requiring computerization approved by Top Management?
• Is the plan in line with the Bank’s overall IS Strategy?
• Has a functional manager or a committee been identified as the responsible sponsor for an area requiring computerization?
• Have the costs of computerization been budgeted and included in the overall IT Budget of the Bank?
• Has a detailed plan been made by the IT Department, clearly providing the date of commencement, activities involved, target date of final implementation and estimated costs for each area identified?
• Has this plan been approved by the Sponsor?
• Has a document been prepared clearly detailing the following requirements:
o Functionality
o In case of replacement, the problems faced in the existing system and the need for replacement
o Performance
o Security
o Operations Risk Mitigation
o Acceptance Criteria for the System
o Changes in the operating procedures required to implement the proposed system, the persons responsible and the plan for effecting the changes
o Transition / Migration plan from the existing to the proposed system for a smooth transition
o Interface requirements with other Computer Systems
• Have the requirements been graded as Vital, Essential and Desirable?
• Has the Sponsor approved the requirements document?
1.2. Prioritization and scheduling or Portfolio/Program management
• Do the business and IT identify and define IT-enabled investment programs, IT services, assets and related IT projects?
• Is there a process in place that enables identification and prioritization (based on business benefits) of IT programs and projects supporting the IT tactical plan?
• Verify whether business goals and expected business outcomes are documented and reasonable, and whether sufficient information related to budget and effort is present.
• Verify the effectiveness of communication of program/project outcomes to all stakeholders in a message that is appropriate to the business unit and its level of responsibility.
• Determine that the portfolio management procedures use appropriate criteria to define and prioritize the different projects and programs.

1.3. Planning
• Does an approved project and quality plan exist? If so, is it kept up to date, and by whom?
• Does the plan require management/user approval at specified points?
• Has the project plan been prepared to allow for traceability (measuring and assessing objectives / deliverables)? If not, is there an alternative means of traceability?
• Is the objective of the project to fulfill the requirements of a contract? If so, are contract reviews performed?
• Is the retention of project-related records managed?
• Are reviews and progress evaluations included in the Project Plan? If so, do these reviews include preventative / corrective action measures?
• What project interfaces exist? Are they identified in the Project Plan and how are they managed? E.g. liaison with customer / stakeholders, reporting lines, functions within the project organization.

1.4. Resource management
• Has resource planning and control been applied on the project?
• Does a resource plan exist for the project?
• How does the project ensure that the remaining resources are sufficient to meet the project objectives?

1.4.1. Time
• Does a time-related process exist to determine the dependencies and duration of activities to ensure timely completion of the project?
• Is there a clear timetable?
• Has the project defined and documented inter-relationships, logical interactions and interdependencies? E.g. project network diagrams.
• Who is responsible for establishing the duration of the activities within the project?
• Has the ‘estimation of duration’ been linked to project resource planning?
• Has time allocation been planned for quality practices within the project?
• What is the format of the project schedule?
• Have key events, milestones, progress evaluations, critical and near-critical activities been identified in the schedule?
• Changes that affect the project objectives: does the customer / stakeholder agree to these before implementation?
• How often is the schedule revised?

1.4.2. Cost
• How are the project costs managed to ensure that the project is completed within the original budget constraints?
• Have project costs been clearly identified and documented? If so, by whom?
• Have the project costs been linked to the activity definition process?
• Has the project cost estimation involved significant cost-related risk? If so, how are these managed?
• Has the project budget been established based on the project cost estimation process, and is it in accordance with the approved accounting procedures within the organization?
• Is the project budget consistent with the project requirements, assumptions, risks and contingencies? Is this documented?
• What is the process for project purchasing / expenditure requirements?
• Has this process been documented and communicated to those responsible for authorizing expenditure or authorizing work that may have cost implications?
• Are project expenditure records reviewed, managed and maintained?
• Are the root causes for budget variances, both favorable and unfavorable, identified? If so, is this part of a project budget review?

1.4.3. Personnel
• Has a project organizational structure been established?
• Does the project organizational structure encourage communication and cooperation between the project participants?
• Is the project organizational structure appropriate for project scope, size and local conditions?
• Does the project organizational structure identify customers / stakeholders?
• Are accountability, authority, responsibility and job descriptions defined and documented?
• How often is the project organizational structure reviewed for validity and adequacy?
• Were selection criteria prepared for staff allocation?
• Have education, knowledge and experience been accounted for in the allocation of project staff?
• Has the project manager been involved in the appointment of key team members?
• Are project staff efficiency and effectiveness being monitored?
• Is the project team being recognized and rewarded?
• Does the project environment encourage excellence, good working relationships, trust, respect and open communication?

1.5. Training
• Determine if a training plan was developed and is in writing.
• Determine that the training plan contains data entry training, backup, user operations, balancing, and reconciliation.
o Are all aspects of the system covered:
o Data entry, Backups
o Management reporting
o Disaster recovery
o User operations
o Ongoing operations training
o Balancing and reconciliation
o Does the training include vendor techniques?
• Review the training plan to determine if training will be completed prior to implementation of the system.
o Will critical personnel be trained early in the training?
o Will the most critical employees be trained first?
o Will there be staff trained to train others?
o Are differences in account handling noted for training?
• Determine who will be trained: management staff, entry clerks, etc.
o Will there be different levels of training: Management reporting, data entry clerks, operations, Call centers?
o Will all appropriate levels of staff be trained?
o Will there be technical training for end-users?
o Will training be mandatory rather than optional? Pressure of “real” work can often be used as a reason not to attend training.
o Will there be any method of evaluation at the end so that trainees can prove their competence to operate the new system, and the effectiveness of the training methods can be ascertained?
o Is there a procedure to ensure future new starters will be trained?
1.6. Monitoring and tracking
• Does the project plan include a communication plan?
• Is there a formal reporting procedure on the progress of the project?
• Do ‘Project Progress Reports’ form part of the project communication?
• Are all deviations documented?
• Are all extensions approved by the project team and management?
• Are all relevant parties notified of any extensions or changes to the project plan?
• Is the project communication plan monitored and reviewed to ensure it continues to meet the needs of the project?
• Do project meetings have meeting agendas?
1.7. Risk management, quality control checks
• Which project management processes exist (documented or not) within the organization, e.g. cost, resource and time-related processes, to ensure the project is managed efficiently and effectively?
• Do Project Management guidelines and processes exist within the organization / project organization to ensure quality?
• How often are risks identified through the project life cycle?
• How are these risks managed?
• Are the probability of occurrence and the impact of each identified risk assessed?
• What techniques are being used in the project to prioritize, manage and record the identified risks and their resolutions?
• Are risks that may impact time schedules or the project budget identified and maintained separately?
• Does the project plan include a contingency plan?
• Do project risks form part of project progress reports?
1.8. Delivery
• At project closure, are all the project records retained for a specified time?
• At project closure, is a complete project review conducted irrespective of the reason for project closure?
• At project closure, does the originating organization collate, store, update and retrieve information from the project?
• At project closure, are reviews performed of project performance, highlighting experience from the project, and is the customer involved?
• Was expenditure within budget, were objectives achieved, and was the project accounted for accurately?
• Has a post-implementation review been conducted?

2. Information System Development

2.1. Acquisition and Implementation of Packaged Software
• Has the Requirements Document been translated clearly into product acceptance criteria? Have the Acceptance Criteria been classified into:
o ‘Show Stoppers’
o ‘Allowable Customizations’
o ‘Desirable positive features’

2.1.1. Product & Vendor Selection Criteria
• Does the IT Department have a technology standard for product selection?
• Does the Technology standard cover:
o Architecture
o Open Database standards
o Interfaces and API Standards
o Security Standards
• Are the Product Selection criteria consistent with the IT platform of the Bank?
• Does the Bank have a clearly laid down and approved guideline for selection of product vendors?
• Does the Vendor Selection guideline address the following:
o Market Presence
o Years in operation
o Technology alliances
o Desired size
o Customer base and existing implementations
o Support
o Possibilities of partnership or strategic alliance
o Source code availability
o Local Support in case of foreign vendors
• Have the selection criteria been decided by the IT Department in consultation with User Departments?
• Has the Sponsor approved the Selection Criteria?
• Does the policy of the Bank permit beta-site installations? If yes, are the criteria for selection distinctly different from the regular guideline?
• Does the IT Department use a scoring model for evaluating the products and vendors?
• Do the scoring criteria consider the following factors:
o Extent of customization and work-around solutions
o Security Features
o Technology fit
o Performance & Scalability
o No. of installations
o Existing customer references
o Cost
o Vendor Standing

2.1.2. Vendor Selection Process
• Does the IT Department have a system to identify potential vendors for an area (such as subscription to magazines, rating reports and reports of specialized agencies such as Gartner, IDC, Data Quest etc.)?
• Are reports of specialized independent rating agencies used for short-listing Vendors?
• Does the Bank have a system of floating a formal RFP (Request for Proposal) for systems with an estimated budget exceeding a certain amount?
• Is there a core team comprising personnel from the IT Department, Functional Departments and Internal Audit Department in charge of vendor selection and implementation?
• Is the process of selection for each area approved by the Sponsor?
• Are meetings of the Core Team documented?
• Does the Team use prepared check lists for
(a) Product Evaluation
(b) Site Visits
(c) Customer Reference
• Are the final evaluation and selection fully documented and approved by the Sponsor?
• Does the document clearly reflect the rationale used for the selection?

2.1.3. Contracting
• Does the Bank have approved terms and conditions for Product Licensing Agreements?
• Do the Licensing terms contain:
a) Escrow mechanism for Source codes. Does this process provide value for money?
b) Facilities for minor customization
c) Maintenance and Upgrades
• Does the Bank have a Service Level Agreement with Product Vendors for Support and Maintenance?
• Where the contract is entered into with a Distributor or Reseller, is there a commitment to ensure that the actual owner would support the Bank in case the relationship between the owner and the reseller breaks?
• Does the contract clearly segregate the duties and responsibilities of the Bank and the Vendor?
• Does the contract include a clause to protect the Bank from the Vendor using the Bank’s data?
• Does the contract clearly specify the product base lines?
• Is a gap analysis between the requirements and the selected product carried out and documented?
• Does this document act as the basis for further implementation plans?

2.1.4. Implementation
• Does the Bank’s policy provide for a parallel run of the previous system during the implementation period?
• Is there an agreed plan for implementation? Has the plan been approved by the Sponsor, Vendor and IT Department?
• Does the implementation plan clearly identify product customization requirements, user acceptance criteria and tests for such customization?
• Does the implementation plan address data migration from previous systems?
• Does the implementation cover the following:
a) User Departments’ involvement and their role
b) User Training
c) System Administration Training
d) Acceptance Testing
e) Role of Vendor and period of Support
f) Required IT Infrastructure plan
g) Risks involved and actions required to mitigate risks
• Does the responsibility for accuracy of key parameters / Static Data rest with the functional department?
• Is there a list of areas which will be controlled by the Vendor during the implementation phase?
• Does the Bank have a test environment to simultaneously allow familiarization during the implementation process?
• Have errors identified during the implementation phase been documented, and the root cause of the errors analyzed and confirmed by the Software Vendor?
• If there are bugs and errors due to design flaws, are they escalated to higher levels in the Software Vendor’s organization and the Bank?
• Are test packs developed by user groups for testing customization delivered by the vendor?
• Is there a clearly identified data integration strategy during the customization period? (If customization involves additional elements of data to be captured)
• Are the results of testing properly documented?
• Are necessary changes to System documents carried out on customization?
• Are all the following documents handed over by the Vendor?
o System Documentation covering Design and Program Documentation
o Data Dictionary
o Installation Manual
o User Manual
o Trouble Shooting

2.1.5. Post Implementation Issues
• Does the IT Department have a proper archival system for these documents?
• In cases where source code is given by the Vendor, has the IT Department done a technical conversion and issued a confirmation of satisfactory compilation / performance?
• Is there a system to issue a formal Acceptance Certificate signed off by the User Department, IT Department and the Sponsor?
• Has the IT Department taken the required consequential action for Backups, Disaster Recovery and Performance Tuning?
• If Source codes are delivered, are the source codes base-lined as per IT Department Procedures?
• Has the IT Department, in consultation with the User Department, worked out Database Controls?
• Has the IT Department introduced a system to track problems reported by users, escalation to the vendor and their resolution?
• Is there a system of measuring the vendors’ support against the agreed service levels?
• Is there an identified System Administrator who is responsible for managing access to the system, backup and ensuring database controls?

2.2. Software developed in-house
• Has the IT Department adopted any standardized quality processes such as ISO, SEI CMM etc. for Software development?
• Are non-compliances reported in such quality audits properly attended to and rectified?
• Is there a system in place to reveal the outcome of the audit to the staff of the Bank at the respective levels?
• Whether a structure is in place for effective Software Audit so that reliable results can be obtained?

2.2.1. Audit at program level
• Are the programs developed by drafting the formal specifications, defining scope, application, input data elements, output requirements, process work flow etc.?
• Is software tested for quality assurance?
• Is the quality assurance team different from the development team?
• Are data / test results preserved for future reference?
• Are there temporary patches developed by just copying a few legacy programs? If so, are they tested properly before deployment, and are the limitations and conditions which such programs cannot handle communicated to users, with appropriate control procedures put in place?
• Do all the program source codes contain a Title area, specifying the author, date of creation, last date of modification and other relevant information?
• Are there adequate input validation checks built into data entry programs?
• Whether the following manuals are prepared?
o Systems operations / Installation Manual
o User Manual
• Are there well-established testing procedures? Does the testing procedure cover
o What, When and How to Test?
o Positive Testing (test done by processing valid data and checking if the results are accurate) and Negative Testing (test done by processing invalid data and checking if the program generates the necessary error messages)?
o Performance and scalability?
o Recording and maintaining test results?
• Whether parallel testing at a few pilot installations is done after completing pre-implementation testing?
• Whether programs successfully implemented have passed the test for accuracy of outputs generated?
• Whether the source code location, with ownership for future up-gradation, is well established?
• Whether every patch / update is authorized by a competent authority?
• Whether the development considers security requirements as per the approved security policy?

2.2.2. Audit at Application Level
• Are operational controls such as distinct user passwords in place and enforced?
• Whether necessary ‘Regulatory Compliance’ requirements have been taken into account by the user?
• Whether the SRS has taken into account the Error / Fraud / Disclosure / Interruption / Organizational Risks etc.?
• Whether input / output controls are in place?
• Are validation controls in place, viz. Field / Transaction / File, with appropriate error reporting?
• Are appropriate data classifications with security in place, viz. Read only for users, Read / Write for authorized persons?
• Is an audit trail built into the systems?
• Does the system provide for ‘exception reporting’?
• Whether adequate firewalls are set up to ensure that any outside access being provided is limited in scope and does not intrude on sensitive data areas?
• Whether user acceptance is recorded along with test plan data / test data / test results for future reference?
• Whether the user sign-off has been obtained?

2.2.3. Audit at Organizational Level
• Is an updated organizational chart being kept?
• Are the duties of developers and operators of the system distinctly segregated?
• Is job rotation in place?
• Whether the software implementation plan has been approved by the controlling authority?
• Whether provision has been made for maintenance of a software library?
• Is there a system in place for software distribution?
• Are error reporting and control mechanisms in place?
• Is there a system for post-completion ‘Review Audit’?
• Is there a standard and secure procedure for up-keep of source / object code?
• Are security controls, including Disaster Recovery sites, in place?
• Is the data conversion audited?
• Are all changeovers from one system to another system authorized by a competent authority?
• Are the training requirements for users properly identified?
• Is the DRP in place at all operating offices?
• Is documentation available at the operational stage to facilitate formal changeover of jobs?

2.3. Software Outsourcing
• For software development outsourcing, are there laid-down criteria for selection of vendors?
• Whether a formal outsourcing strategy for the necessary interface with the vendor is in place?
• Are the outsourcing activities evaluated based on the following practices?
o What is the objective behind Outsourcing?
o What are the in-house capabilities in performing the job?
o What is the economic viability?
o What are the in-house infrastructure deficiencies and the time factor involved?
o What are the Risks and security concerns?
o What are the outsourcing arrangement and fall-back method?
o What are the arrangements for obtaining the source code for the software?
• Is there a formal approval system in place from the Head of the user department?
• Does the user department representative (‘Expert Officer’) visit the vendor’s premises for reviewing the capability and quality of software development activities?
• Does the vendor present the progress of software development at periodic intervals?
• Is there a formal product hand-over and project completion system in place?
• Is there an Agreement entered into by the Bank with the Vendor for completion of the software development in time? Whether any penalty clause exists for delayed completion of work?

3. IT Governance
3.1. Business strategy vs. IT strategy
• Whether the business strategy is documented, business objectives have been defined and the role of IT has been clearly spelt out in the Business Strategy?
• Are there changes in Business Strategy affecting IT Strategy?
• Whether information technology issues as well as opportunities are adequately assessed and reflected in the organization’s strategy, long-term and short-term plans?
• Whether assessments are made periodically by the Bank to ensure that IT initiatives are supporting the organization’s mission and goals?
• Whether major developments in technology (hardware, software, communication etc.) are assessed for their impact on the business strategy and necessary corrective steps, wherever needed, are taken?

3.2. Long term IT strategy
• Whether a long-term IT strategy exists and is documented?
• Whether the Long Term plan covers
o Existing and Proposed Hardware & Networking Architecture for the Bank and its rationale
o Broad strategy for procurement of hardware, software solutions, vendor development and management
o Standards for hardware / software prescribed by the proposed architecture
o Strategy for outsourcing, in-sourcing, procuring off-the-shelf software, and in-house development
o Information Security architecture
o IT Department’s organizational structure
o Desired level of IT Expertise in the Bank’s human resources, and plan to bridge the gap, if any
o Strategies converted into clear IT Initiatives with a broad time frame
o IT Costs and cost management
o Plan for transition, if any
• Whether the Long Term plan is approved by the Board?
• Whether the organization structure of IT has been made part of the IT plan?
• Whether the IT long-range plan is supporting the achievement of the organization’s overall Mission and Goals?
• Whether a structured approach to the long-range planning process is established?
• Whether the plan is covering the what, who, how, when and why of IT?
• Whether, prior to developing or changing the long-term information technology plan, management of the information services function has assessed the existing information systems in terms of degree of business automation, functionality, stability, complexity, costs, strengths and weaknesses, in order to determine the degree to which the existing systems support the organization’s business requirements?
• Whether the organizational model and changes to it, geographical distribution, technological evolution, costs, legal and regulatory requirements, requirements of third parties or the market, planning horizon, business process re-engineering, staffing, in- or out-sourcing etc. are taken into account at the time of the planning process?
• Whether the plan refers to other plans such as the organizational plan and the information risk management plan?
• Whether a process exists to timely and accurately modify the long-range IT plan, taking into account changes to the organization’s plan and in business and information technology conditions?
• Whether a security committee, comprising senior functionaries from the IT Department, Business Group, IT Security Department and Legal Department, is formed to provide appropriate direction to formulate, implement, monitor and maintain IT security in the entire organization?

3.3. Short Range IT Plans
• Whether long-range IT plans are converted to short-range IT plans regularly for achievability?
• Whether the IT Short range plan covers the following
o Plan for initiatives specified in the Long range plan or initiatives that support the long range plans
o System-wise transition strategy
o Responsibility and plan for achievement
• Whether adequate resources are allocated for achieving the short-range plans?
• Whether short-range plans are amended and changed periodically as necessary in response to changing business and information technology conditions?
• Whether assessments are made on a continuous basis about the implementation of short-range plans?
• Whether clear-cut responsibilities are fixed for achieving the short-range IT Plan?
3.4. Enterprise architecture
• Is there a standard enterprise architecture used in the organization?
• Is there a standard reference model used to measure the different aspects of performance objectives?
• Is the information architecture model defined and maintained in the context of the entire organization, and is it documented in an understandable manner for business and IT management?
• Is the information architecture model consistent and aligned with the organization’s strategy and the IT strategic and tactical plans?
• Is the information architecture model regularly and routinely reviewed for adequacy (flexibility, functionality, cost-effectiveness, security, failure resiliency, compliance and user satisfaction), and updated as necessary?
• Are the organization’s IT assets documented in a structured manner to facilitate understanding, management and planning for IT investments?
• Are the IT investments delivering real results?

3.5. Policies and procedures
• Are policies and procedures properly documented, communicated, understood and implemented?
• Do procedures reflect the regular changes in business focus and environment?
• Are procedures frequently reviewed and updated?
• Do the controls embedded in procedures fulfill the necessary control objectives while making the process as efficient and practical as possible?

3.6. Risk management
• Is there a framework to help establish effective governance and management of IT risk?
• Is there a generic list of common, potentially adverse, IT-related risk scenarios that could impact the realization of business objectives?
• Are there tools and techniques to understand concrete risks to business operations, as opposed to generic checklists of controls or compliance requirements?
• Management needs to be able to compare IT risks with other risks.
• Is there proper translation of technical risks to business risks?
• Probability x Business Impact can be used as the metric. The business should supply the Impact.
• Is a Common Risk View established and maintained?
• Are well-informed decisions made about the extent of the risk, the risk appetite and the risk tolerance of the enterprise?
• Is there a clear understanding of how to respond to the risk?
• To prioritize and manage IT risk, do the enterprise’s key stakeholders, including board members and executive management, the very people who should be accountable for risk management within the enterprise, have a full understanding?
• Is there a clear risk response plan to avoid, mitigate, transfer, accept, and eliminate?

3.7. Information system management practices
3.7.1. HR management
• Are there confidentiality, conflict of interest and non-compete agreements for newly hired employees?
• Is there a published code of conduct for the organization that specifies the responsibilities of all employees?
• Are there well-defined policies and procedures for promotion, and are they adhered to?
• Is training provided on a regular basis to all employees based on areas where employee expertise is lacking?
• Is employee assessment / performance evaluation standardized and a regular feature for all IS staff?
• When is deletion / revocation of assigned logon IDs and passwords performed for a terminating employee?
3.7.2. Outsourcing practices
• Is the scope of services to be provided clearly defined?
• Are service levels (i.e. performance standards) and remedies defined?
• Is the renewal period for the terms of agreement specified?
• Are the procedures to change the scope of services defined?
• Is there the right to audit the outsourcing company’s implementation of the contract?

3.7.3. Organizational change management
• Do only changes that have been authorized, evaluated and prioritized, with the required resources, enter the change process?
• Are there any organizational standards, procedures and guidelines for identifying, classifying and approving change requests?
• Does a process exist to classify change requests as an infrastructure or application change?
• Does a process exist to perform a risk assessment focused on the impact of the change on other systems or applications?
• Is there a process to perform an impact analysis on changes to determine the effect the change would have on the business process’s integrity and availability?
• Is there a process for performing an analysis of any compliance issues that would be affected by the change request?
• Is a resource budget assigned to each change request?
• Is there a list of appropriate change requesters for each application?
• Verify that the appropriate approvers within IT operations, IT systems development and the business owner have approved the change and that their approval is documented.
• Are the change requests subject to prioritization?
• If prioritization is performed, determine if appropriate members of management regularly authorize the priority.
• Is there a definition for an emergency change?
• Is there a process used to review testing procedures before an emergency change is accepted into production?
• Does a list of authorized requesters for emergency changes exist?
• Are the emergency changes executed from a temporary or test library, or copied into the protected production library?
3.7.4. Financial Management
• Has a financial framework been implemented to effectively manage the investment and cost of IT assets and services through portfolios of IT-enabled investments, business cases and IT budgets?
• Have the Financial Management Framework process and responsibilities been defined to:
o Drive IT budgeting and cost and benefit management?
o Enable fair, transparent, repeatable and comparable estimation of IT costs and benefits for input to the portfolio of IT-enabled business programs (including a cost structure)?
o Maintain the IT asset and services portfolios and ensure that their maintenance
• Have the inputs and outputs of the financial framework been defined, and does management make regular improvements to the framework based on available financial information?

3.7.5. Quality management
• Does a quality management system (QMS) exist to provide a standard, formal and continuous approach to quality management that is aligned with business requirements? And is the process monitored and measured for effectiveness?
• Has a quality plan been defined for each important process, project or objective that is in alignment with the enterprise quality management criteria and policies?
• Was the QMS developed with input from IT management, other stakeholders and relevant enterprise-wide frameworks?
• Is the IT quality plan aligned with enterprise quality management criteria and policies?
• Are findings from each quality review communicated to IT management and other stakeholders in a timely manner to enable remedial action to be taken?
• Does management support the QMS and effectively communicate the approach (e.g., through regular, formal quality training programs)?
• Does management identify and document the process root causes for nonconformance, and communicate findings to IT management and other stakeholders in a timely manner to enable remedial action to be taken?
• Review IT standards and frameworks to determine if they are appropriate for the systems, data and information in the environment.
• Inspect the authorization of deviations from IT standards to validate adherence to or noncompliance with mandated or adopted standards.
• Confirm the process for applying changes in mandated or adopted standards within the organization.
3.7.6. Performance optimization
• Are there established performance models? Are they updated periodically?
• Is performance data gathered, analyzed, reported and used?
• Is the alignment of service delivery with the service requirements evaluated?
• Are SLAs managed and reported?
3.7.6.1. Maturity models
• Is there a standard maturity and process improvement model used that provides the enterprise with essential elements of effective processes?
• Are Key Goal Indicators (KGIs), Key Performance Indicators (KPIs)
3.8. IS Organizational Structure and Responsibilities
• Is the organizational structure routinely evaluated against business needs, and are resources and functions adjusted as business requirements warrant?
• Are the requirements and budgets subject to a needs analysis prior to preparation?
• Is there a defined review process to ascertain if the budget and needs analysis are matched against business needs?
• Is the review and approval process for IT resources properly documented?
• Are periodic management reviews of key processes performed to identify which are critical to the organization, with consideration of the availability of individuals with the relevant skills, experience and knowledge to fulfill the critical roles?
• Are there qualified resources available with the appropriate skills, experience and knowledge, who could provide job redundancy for key processes?
• Is there appropriate interim coverage of staff to support key programs, projects and processes during time-off requests, vacations and leaves of absence?
• Are contact lists that include the primary personnel and alternative contacts periodically reviewed and updated?
• Is there documentation to assist interim personnel in the execution of key processes?
• Is there cross-training of backup personnel?

3.8.1. Roles and responsibilities
• Are the job descriptions and structures in the IS department adequate?
• Are key IT personnel identified and documented to minimize reliance on a single individual performing a critical job function?

3.8.2. Segregation of duties within IS and Controls
• Are there compensating controls in the IS department for lack of segregation of duties?
• Which of the following compensating controls are used: audit trails, reconciliations, exception reporting, transaction logs, supervisory reviews?
• Who is responsible for transaction authorization?
• Does management perform periodic checks to detect unauthorized entry of transactions?
• Is custody of corporate assets, including data, determined and assigned appropriately?
• Are controls over access to data provided by a combination of physical, system and application security in the user area and IPF?
• Does the IS department use user authorization tables as user access control lists?

4. Hardware Reviews
4.1. HW acquisition plan • Is the plan aligned with business requirements?
• Is the plan synchronized with business requirement?
• Is the plan synchronized with IS plans?
• Have criteria for the acquisition of hardware been developed?
• Is the environment adequate to accommodate current hardware and to add new?
• Are hardware and software specifications, installation requirements adequately
documented?

4.2. Acquisition of HW
• Is the acquisition in line with the acquisition plan?
• Have Information System management staff issued written policy statements regarding the acquisition and use of hardware, and are they communicated to the users?
• Have procedures and forms been established to facilitate the acquisition approval process?
• Are requests accompanied by a cost-benefit analysis?
• Are purchases routed through the purchasing department to streamline the process, avoid duplication, and take advantage of quality and quantity benefits?

4.3. Capacity management and monitoring
• Are criteria used in the hardware performance monitoring plan?
• Is continuous review performed of hardware and system software performance and capacity?
• Is monitoring adequate for equipment that has been programmed to contact its manufacturer in the case of equipment failure?
4.4. Preventive maintenance
• Is the prescribed maintenance frequency recommended by the respective hardware vendors’ schedule being observed?
• Is maintenance done during off-peak workload periods?
• Is preventive maintenance performed at times other than when the system is performing critical or sensitive applications?

4.5. HW availability and utilization reports
• Is scheduling adequate to meet workload schedules and user requirements?
• Is scheduling sufficiently flexible to accommodate required hardware preventive maintenance?
• Are IS resources readily available for critical application programs?

4.6. Problem logs
4.7. Job accounting system reports
• Have IS management staff reviewed hardware malfunctions, reruns, abnormal system terminations and operator actions?

5. Operating System Reviews
5.1. System SW • Do they comply with short and long range IS plans?
selection procedures • Do they meet the IS requirements?
• Are they properly aligned with the objective of the business?
• Do they include IS processing and control requirements?
• Do they include an overview of the capabilities of the software and control options?
5.2. Feasibility study
Selection process
• Are the proposed system objectives and purposes consistent with the request / proposal?
• Are the same selection criteria applied to all proposals?
• Has the cost-benefit analysis of the system software addressed the following?
o Direct financial costs associated with the product
o Cost of product maintenance
o Hardware requirement and capacity of the product
o Training and technical support requirements
o Impact of the product on processing reliability
o Impact on data security
o Financial stability of the vendor’s operations
5.3. System SW security
• Have procedures been established to restrict the ability to circumvent logical security access controls?
• Have procedures been implemented to limit access to the system interrupt capability?
• Have procedures been implemented to manage software patches and keep the system software up-to-date?
• Are existing physical and logical security provisions adequate to restrict access to the master console?
• Were vendor-supplied installation passwords for the system software changed at the time of installation?

5.4. System SW implementation
• Are controls adequate in
o Change procedures
o Authorization procedures
o Access security features
o Documentation requirements
o Audit trails
o Access control over software in production
5.5. Authorization documentation
• Have additions, deletions, or changes to access authorization been documented?
• Does documentation exist of any attempted violations? If so, has there been follow-up?

5.6. System documentation
• Are the following areas adequately documented?
o Installation control systems
o Parameter tables
o Exit definitions
o Activity logs / reports
5.7. System SW maintenance activities
• Is documentation available for changes made to system software?
• Are current versions of software supported by the vendor?
5.8. System SW change controls
• Is access to libraries containing system software limited?
• Are changes to software adequately tested and documented?
• Is software authorized properly?
5.9. Controls over the installation of changed system SW
• Have all appropriate levels of software been implemented?
• Have predecessor updates taken place?
• Has a written plan been established for testing changes to system software?
• Are test procedures adequate to provide reasonable assurance that changes applied to the system correct known problems and that they don’t create new problems?
• Are tests being completed as planned?
• Have problems encountered during testing been resolved and were the changes retested?
• Have fallback or restoration procedures been put in place in case of production failure?

6. Database Review
6.1. Logical schema
• Do all entities in the E-R diagram exist as tables or views?
• Are all relations represented through foreign keys?
• Are constraints specified clearly?
• Are nulls for foreign keys allowed when they are in accordance with the cardinality expressed in the entity-relationship model?
6.2. Physical schema • Has allocation of initial and extension space for tables, logs, indexes and temporary
areas been done based on the requirements?
• Are indexes by primary key or keys of frequent access present?
• If the database is not normalized, is justification accepted?

6.3. Access time reports • Are indexes used to minimize access time?
• Have indexes been constructed correctly?
• If open searches not based on indexes are used, are they justified?
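To show how the schema questions in 6.1 through 6.3 can be tested mechanically rather than by reading DDL, here is an added Python example (written for this review, not taken from the page or from the bank's tooling) that inspects an SQLite schema through its PRAGMA interface and reports relations from the E-R model that have no foreign key, foreign-key columns without a supporting index, and nullable foreign keys that need a cardinality justification. The schema, the expected-relations list and the two planted defects are constructed for the example.

```python
import sqlite3
from typing import Dict, List, Set, Tuple

# Constructed schema. Two deliberate gaps for the audit to find: txn.account_id references
# a table but has no index, and card has no foreign key to customer although the
# (constructed) E-R diagram below shows that relation.
SCHEMA_SQL = """
CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE account (
    id INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customer(id),
    balance REAL NOT NULL CHECK (balance >= 0)
);
CREATE INDEX idx_account_customer ON account(customer_id);
CREATE TABLE txn (
    id INTEGER PRIMARY KEY,
    account_id INTEGER NOT NULL REFERENCES account(id),
    amount REAL NOT NULL
);
CREATE TABLE card (id INTEGER PRIMARY KEY, customer_id INTEGER, pan_last4 TEXT);
"""

# Relations the E-R diagram says must exist: (table, column, referenced table).
EXPECTED_RELATIONS: Set[Tuple[str, str, str]] = {
    ("account", "customer_id", "customer"),
    ("txn", "account_id", "account"),
    ("card", "customer_id", "customer"),
}


def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA_SQL)
    return conn


def audit_schema(conn: sqlite3.Connection) -> Dict[str, List[str]]:
    """Compare declared foreign keys with the E-R model, find FK columns without an
    index, and list nullable FKs that need a cardinality justification."""
    findings: Dict[str, List[str]] = {"missing_fk": [], "unindexed_fk": [], "nullable_fk": []}
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    declared: Set[Tuple[str, str, str]] = set()
    for t in tables:
        # Leading column of every index on the table (index_list -> name is column 1,
        # index_info -> column name is column 2).
        indexed = set()
        for idx in conn.execute(f"PRAGMA index_list('{t}')"):
            cols = conn.execute(f"PRAGMA index_info('{idx[1]}')").fetchall()
            if cols:
                indexed.add(cols[0][2])
        # table_info: cid, name, type, notnull, dflt_value, pk
        not_null = {r[1] for r in conn.execute(f"PRAGMA table_info('{t}')") if r[3]}
        # foreign_key_list: id, seq, table, from, to, on_update, on_delete, match
        for fk in conn.execute(f"PRAGMA foreign_key_list('{t}')"):
            ref_table, col = fk[2], fk[3]
            declared.add((t, col, ref_table))
            if col not in indexed:
                findings["unindexed_fk"].append(f"{t}.{col}")
            if col not in not_null:
                findings["nullable_fk"].append(f"{t}.{col}")
    for t, col, ref in sorted(EXPECTED_RELATIONS - declared):
        findings["missing_fk"].append(f"{t}.{col} -> {ref}")
    return findings
```

Against a production DBMS the same three questions are answered from the catalog instead of PRAGMAs (for example `information_schema.table_constraints` and the index catalog on PostgreSQL), and the E-R relation list is exported from the data-modelling tool rather than typed by hand.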
6.4. Database security • Are security levels for all users and their roles identified within the database, and
controls access rights for all users and /or groups of users justified?
6.5. Interfaces with other • Are integrity and confidentiality of data not affected by data import and export
program /software procedures?
• Have mechanisms and procedures been put in place to ensure the adequate handling of
consistency and integrity during concurrent accesses?
6.6. Backup and disaster • Do backup and disaster recovery procedures exist to ensure the reliability and
recovery procedures and availability of the database?
controls • Are there technical controls to ensure high availability and/or fast recovery of the
database?

6.7. Database supported IS controls
• Is access to shared data appropriate?
• Are adequate change procedures utilized to ensure the integrity of the database management software?
• Is data redundancy minimized, and is the DBMS’s data dictionary maintained?

7. Network Infrastructure and Implementation Review

7.1. Physical controls
7.1.1. NW HW devices
• Are network hardware devices located in a secure facility and restricted to the network administrator?
7.1.2. File server
• Is the housing of network file servers locked or otherwise secured to prevent removal of boards, chips or the computer itself?
7.1.3. Documentation
7.1.4. Key logs
• Are the keys to the network file server facilities controlled to prevent the risk of unauthorized access?
• Are keys assigned to the appropriate people?
• Select sample keys held by unauthorized people and test.
7.1.5. NW wiring closet and transmission wiring
• Is the wiring physically secured?
7.2. Environmental controls
7.2.1. Server facility
• Are temperature and humidity controls adequate?
• Have static electricity guards been put in place?
• Have electric surge protectors been put in place?
• Has a fire suppression system been put in place and is it tested / inspected regularly?
• Are fire extinguishers located nearby and regulated regularly?
• Are the main network components equipped with an uninterruptible power supply (UPS)?
• Has electromagnetic insulation been put in place?
• Is the network components’ power supply properly controlled to ensure that it remains within the manufacturer’s specifications?
• Are the backup media protected from environmental damage?
• Is the server facility kept free of dust, smoke and other matter, particularly food?

7.3. Logical security controls
7.3.1. Passwords
• Are users assigned unique passwords?
• Are users required to change their passwords on a periodic basis?
• Are passwords encrypted and not displayed on the computer screen when entered?

7.3.2. NW user access
• Is network user access based on written authorization and given on a need-to-know / need-to-do basis and based on the individual’s responsibilities?
• Are network workstations automatically disabled after a short period of inactivity?
• Is remote access to the system supervisor prohibited?
• Are all log-on attempts to the supervisor account captured in the computer system?
• Are activities by supervisor or administrative accounts subject to independent review?
• Is up-to-date information regarding all communication lines connected to the outside maintained by the network supervisor?
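The password questions in 7.3.1 are usually answered by looking at how the credential store is written, so here is an added Python example (written for this review, not code from the page or from the bank) showing what "passwords encrypted" should look like in practice, a salted PBKDF2-HMAC-SHA256 digest with a constant-time verify, together with an audit routine that flags entries stored in clear text, hashed with too few iterations, or older than the rotation period. The storage format, the iteration floor and the four sample accounts are constructed assumptions.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed storage format for this example: scheme$iterations$salt_hex$digest_hex.
ITERATIONS = 600_000
STORED_RE = re.compile(r"^pbkdf2_sha256\$(\d+)\$([0-9a-f]{32})\$([0-9a-f]{64})$")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a password as a salted PBKDF2-HMAC-SHA256 digest, never in clear text."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    m = STORED_RE.match(stored)
    if not m:
        return False
    iterations, salt, expected = int(m.group(1)), bytes.fromhex(m.group(2)), m.group(3)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(digest.hex(), expected)


def audit_credentials(records: List[Dict[str, str]], today: date,
                      max_age_days: int = 90, min_iterations: int = 100_000) -> List[str]:
    """Flag accounts whose stored credential is not a salted hash, is weakly iterated,
    or has not been changed within the rotation period."""
    findings: List[str] = []
    for r in records:
        user, stored = r["user"], r["password"]
        m = STORED_RE.match(stored)
        if not m:
            findings.append(f"{user}: password not stored as a salted PBKDF2 hash")
        elif int(m.group(1)) < min_iterations:
            findings.append(f"{user}: PBKDF2 iteration count {m.group(1)} below {min_iterations}")
        age = (today - date.fromisoformat(r["changed"])).days
        if age > max_age_days:
            findings.append(f"{user}: password is {age} days old (limit {max_age_days})")
    return findings


def demo_records(today: date) -> List[Dict[str, str]]:
    """Constructed credential export: one compliant entry and three control failures."""
    def days_ago(n: int) -> str:
        return (today - timedelta(days=n)).isoformat()
    return [
        {"user": "ops1", "password": hash_password("correct horse battery"), "changed": days_ago(10)},
        {"user": "ops2", "password": "Winter2024!", "changed": days_ago(5)},            # clear text
        {"user": "ops3", "password": hash_password("old-but-hashed"), "changed": days_ago(200)},  # stale
        {"user": "ops4", "password": "pbkdf2_sha256$1000$" + "00" * 16 + "$" + "00" * 32,
         "changed": days_ago(1)},                                                       # too few iterations
    ]
```

Note that a correctly salted store cannot be used to test the "unique password" question, because two users with the same password produce different digests; that check is made against the account list (one account per person, no shared logins) rather than against the hashes.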

7.3.3. NW access change • Are network access change requests authorized by the appropriate manager? Are
requests standard forms used?
• Are requests for additions, changes and deletion of network logical access
documented?

7.3.4. Test plans • Are appropriate implementation, conversion and acceptance test plans developed for
the organization’s distributed data processing network, hardware and communication
links?

7.3.5. Security reports
• Is only authorized access occurring?
• Are security reports reviewed adequately and in a timely manner?
• In the case of unauthorized users, are follow-up procedures adequate and timely?
7.3.6. Security mechanisms
• Have all sensitive files / datasets in the network been identified and have the requirements for their security been determined?
• Are all changes to the operating system software used by the network, whether made by IS management or at user sites, controlled? Can these changes be detected promptly by the network administrator or those responsible for the network?
• Do individuals have access only to authorized applications, transaction processes and datasets?
• Are system commands affecting more than one network site restricted to one terminal and to an authorized individual with an overall network control responsibility and security clearance?
• Is encryption being used on the network to encode sensitive data?
• Were procedures established to ensure effective controls over the hardware and software used by the departments served by the distributed processing network?
• Are security policies and procedures appropriate to the environment:
 Highly distributed: Is security under individual user management?
 Distributed: Is security under the direction of user management, but adhering to the guidelines established by IS management?
 Mixed: Is security under the direction of individual user management, but overall responsibility remains within IS management?
 Centralized: Is security under the direction of management, with IS management staff maintaining a close relationship with user management?
 Highly centralized: Is security under the complete control of IS management?

7.3.7. NW operation • Do procedures exist to ensure that data compatibility is applied properly to the entire
procedures network’s datasets and that the requirements for their security have been determined?
• Have adequate restart and recovery mechanisms been installed at every user location
served by the distributed processing network?
• Has the IS distributed network been designed to ensure that failure of service at any
one site will have minimal effect on the continued service to other sites served by the
network?
• Are there provisions to ensure consistency with the laws and regulations governing
transmission of data?

7.3.8. Interview the person responsible for maintaining NW security
• Is the person aware of the risks associated with physical and logical access that must be minimized?
• Is the person aware of the need to actively monitor logons and to account for employee changes?
• Is the person knowledgeable in how to maintain and monitor access?
7.3.9. Interview users
• Are the users aware of management policies regarding network security and confidentiality?

8. IS Operation Reviews

8.1. Observation of IS • Have controls been put in place to ensure efficiency of operations and adherence to
personnel established standards and policies?
• Is adequate supervision present?
• Have controls been put in place regarding IS management review, data integrity and
security?

8.2. Operator access
• Is access to files and documentation libraries restricted?
• Are responsibilities for the operation of computer and related peripheral equipment limited?
• Is access to correcting program and data problems restricted?
• Should access to utilities that allow system fixes to software and/or data be restricted?
• Is access to production source code and data libraries (including run procedures) limited?

8.3. Operator manuals
• Are instructions adequate to address:
 The operation of the computer and its peripheral equipment?
 Start-up and shutdown procedures?
 Actions to be taken in the event of machine / program failure?
 Records to be retained?
 Routine job duties and restricted activities?

8.4. Access to the library • Is the librarian prevented from accessing computer hardware?
• Does the librarian have access only to the tape management system?
• Is access to the library facilities provided to authorized staff only?
• Is removal of files restricted by production scheduling software?
• Does the librarian handle the receipt and return of foreign media entering the library?
• Are logs of the sign-in and sign-out of data files and media maintained?

8.5. Contents and location of • Are offline file storage media containing production system programs and data clearly
offline storage marked with their contents?
• Are offline library facilities located away from the computer room?
• Are policies and procedures adequate for:
o Administering the offline library?
o Checking out/in media, including requirements for signature authorization?
o Identifying, labeling, delivering and retrieving offsite backup files?
o Inventorying the system for onsite and offsite media, including the specific
storage locations for each tape?
o Secure disposal/ destruction of media, including requirements for signature
authorization?

8.6. File handling procedures • Have procedures been established to control the receipt and release of files and
secondary storage media to/from other locations?
• Are internal tape labels used to help ensure that the correct media are mounted for
processing?
• Are these procedures adequate and in accordance with management’s intent and
authorization?
• Are these procedures being followed?

8.7. Data entry
• Are input documents authorized and do the documents contain the appropriate signatures?
• Are batch totals reconciled?
• Does segregation of duties exist between the person who keys the data and the person who reviews the keyed data for accuracy and errors?
• Are control reports being produced? Are the reports accurate? Are the reports maintained and reviewed?
8.8. Lights-out operations
• Remote access to the master console is often granted to standby operators for contingency purposes such as automated software failure. Is access security sufficient to guard against unauthorized use?
• Do contingency plans allow for the proper identification of a disaster in the unattended
facility?
• Are the automated operation software and manual contingency procedures documented
and tested adequately at the recovery site?
• Are proper program change controls and access controls present?
• Are tests of the software performed on a periodic basis, especially after changes or
updates are applied?
• Do assurances exist that errors are not hidden by the software and that all errors result in
operator notification?

9. Scheduling Reviews

9.1. Regularly scheduled applications
9.2. Input deadlines
9.3. Data preparation time
9.4. Estimated processing time
9.5. Output deadlines
9.6. Procedures for collecting, reporting and analyzing key performance indicators
• Are the items included in the SLA?
• Are the items functioning according to the SLA?
9.7. Job schedule • Have critical applications been identified and the highest priority
assigned to them?
• Have processing priorities been established for other applications and
are the assigned priorities justified?
• Is scheduling of rush/ rerun jobs consistent with their assigned priority?
• Do scheduling procedures facilitate optimal use of computer resources
while meeting service requirements?
• Do operators record jobs that are to be processed and the required data
files?
• Do operators schedule jobs for processing on a predetermined basis and
perform them using either automated scheduling software or a manual
schedule?

9.8. Daily job schedule
• Is the number of personnel assigned to each shift adequate to support the workload?
• Does the daily job schedule serve as an audit trail? Does the schedule provide each shift of computer operators with the work to be done, the sequence in which programs are to be run and an indication of when lower-priority jobs can be done?
• At the end of the shift, does each operator pass to the work scheduler or the next shift of operators a statement of the work completed and the reasons any scheduled work was not finished?

9.9. Console log
• Were jobs run and completed according to the schedule?
• If not, are the reasons valid?

9.10. Exception processing logs • Do operators obtain written or electronic approval from owners when
scheduling request–only jobs?
• Do operators record all exception processing requests?
• Do operators review the exception processing request log to determine
the appropriateness of procedures performed?
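The questions in 9.7 through 9.10 are answered by reconciling the daily schedule against the console log, so here is an added Python example (written for this review; the log format, job names and times are constructed assumptions, not the bank's scheduler output) that parses START/END events with their return codes and reports jobs that were scheduled but never ran, failed runs, completions after the deadline, reruns that need an authorization check, and request-only jobs started without a recorded owner approval.

```python
import re
from datetime import datetime
from typing import Dict, List, Set, Tuple

FMT = "%Y-%m-%d %H:%M"
# Seconds are matched but left out of the captured timestamp.
LOG_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d):\d\d JOB (START|END) (\S+)(.*)$")

# Constructed night schedule: job -> (planned start, completion deadline).
SCHEDULE: Dict[str, Tuple[str, str]] = {
    "EOD_POSTING":   ("2024-06-01 22:00", "2024-06-01 23:30"),
    "INTEREST_CALC": ("2024-06-01 23:30", "2024-06-02 01:00"),
    "STMT_PRINT":    ("2024-06-02 01:00", "2024-06-02 03:00"),
}
# Request-only jobs may run only with documented owner approval (9.10).
REQUEST_ONLY: Set[str] = {"ADHOC_REPORT"}

# Constructed console log for the same night (format is an assumption).
CONSOLE_LOG = """
2024-06-01 22:01:13 JOB START EOD_POSTING OPER=op1
2024-06-01 23:10:40 JOB END EOD_POSTING RC=0
2024-06-01 23:31:02 JOB START INTEREST_CALC OPER=op1
2024-06-02 00:20:11 JOB END INTEREST_CALC RC=8
2024-06-02 00:25:00 JOB START INTEREST_CALC OPER=op1
2024-06-02 01:40:00 JOB END INTEREST_CALC RC=0
2024-06-02 02:00:00 JOB START ADHOC_REPORT OPER=op2 APPROVAL=none
2024-06-02 02:05:00 JOB END ADHOC_REPORT RC=0
""".strip().splitlines()


def parse_console_log(lines: List[str]) -> Dict[str, List[dict]]:
    """Pair START/END events into runs per job; KEY=value attributes are kept on the run."""
    runs: Dict[str, List[dict]] = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), FMT)
        event, job = m.group(2), m.group(3)
        attrs = dict(kv.split("=", 1) for kv in m.group(4).split())
        if event == "START":
            runs.setdefault(job, []).append({"start": ts, "end": None, "rc": None, **attrs})
        elif runs.get(job):
            runs[job][-1].update(end=ts, rc=int(attrs.get("RC", -1)))
    return runs


def reconcile(schedule: Dict[str, Tuple[str, str]], request_only: Set[str],
              log_lines: List[str]) -> List[str]:
    """Compare the schedule with what the console log says actually happened."""
    runs = parse_console_log(log_lines)
    findings: List[str] = []
    for job, (_, deadline) in schedule.items():
        job_runs = runs.get(job, [])
        if not job_runs:
            findings.append(f"{job}: scheduled but not run")
            continue
        for i, r in enumerate(job_runs, 1):
            if r["rc"] not in (None, 0):
                findings.append(f"{job}: run {i} ended with RC={r['rc']}")
        ok = [r for r in job_runs if r["rc"] == 0]
        if not ok:
            findings.append(f"{job}: no successful completion")
        elif ok[-1]["end"] > datetime.strptime(deadline, FMT):
            findings.append(f"{job}: completed late at {ok[-1]['end']:%Y-%m-%d %H:%M} (deadline {deadline})")
        if len(job_runs) > 1:
            findings.append(f"{job}: re-executed {len(job_runs)} times; verify rerun authorization")
    for job, job_runs in runs.items():
        if job in schedule:
            continue
        for r in job_runs:
            if job in request_only and r.get("APPROVAL", "none") == "none":
                findings.append(f"{job}: request-only job started without owner approval")
            elif job not in request_only:
                findings.append(f"{job}: unscheduled job run at {r['start']:%Y-%m-%d %H:%M}")
    return findings
```

Run over a month of logs, the findings list becomes the sample for 9.11 (were the reruns authorized and were the right input files used?) and 9.12 (who changed the priorities?), and a job that never appears in the log at all is the first thing to ask the shift supervisor about.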

9.11. Re-executed jobs
• Are all re-executions of jobs properly authorized and logged for IS management review?
• Are procedures established for rerunning jobs to ensure that the correct input files are being used and that subsequent jobs in the sequence are also rerun, if appropriate?

9.12. Personnel
• Are personnel who are capable of assigning or changing job schedules or job priorities authorized to do so?

10. Problem Management Reporting Reviews

10.1. Interviews with IS • Have documented procedures been developed to guide IS operations personnel
operations personnel in logging, analyzing, resolving and escalating problems in a timely manner in
accordance with management’s intent and authorization?

10.2. Procedures used by the IS • Are procedures for recording, evaluating, and resolving or escalating any
department operating or processing problems adequate?
10.3. Operations documentation • Are procedures used by the IS department to collect statistics regarding online
processing performance adequate and is the analysis accurate and complete?
• Are all problems identified by IS operation being recorded for verification and
resolution?

10.4. Performance records
10.5. Outstanding error log entries
10.6. Help desk call logs
• Do problems exist during processing?
• Are the reasons for delays in application program processing valid?
• Are significant and recurring problems identified, and actions taken to prevent their recurrence?
• Were processing problems resolved in a timely manner and was the resolution complete and reasonable?
• Are there any recurring problems that are not being reported to IS management?

11. Disaster Recovery

11.1. Backup Procedures • Review the backup materials. Determine if the backup and recovery procedures
are being followed.
• Interview IS personnel to determine if they have been cross-trained. Review
training records to determine the amount of cross-training provided.

11.2. Off-site Storage Facility • Take a tour of the off-site storage facility. Determine if the facility is adequate.
• Compare the log of items stored at the facility with the items present at the
facility. Determine if the log is complete and up-to-date.

11.3. Disaster Recovery Plan • Obtain and review a copy of the disaster recovery plan and the alternate site
agreement. Determine if they are complete and current, and if executive
management has signed off on the plan.
• Determine who was responsible in developing the plan and if users and all facets
of data processing were adequately involved in its development.
• Determine if a risk assessment has been prepared and if it appears reasonable.
• Determine if executive management has approved the funding for an alternate site and for testing of the disaster recovery plan. Observe a test of the plan.
• Review the results of the test of the disaster recovery plan. Determine if
corrective action has been taken on any problems incurred during the test.
• Visit the alternate processing site. Assess its suitability and compatibility with
the current computer facility.
• Interview users and/or IS personnel to determine if they have been trained in
their responsibilities in the event of an emergency or disaster. Also determine if
they are aware of manual procedures that are to be used when processing is
delayed for an extended period of time.

11.4. Recovery strategies • Ensure that adequate and effective contingency plans have been established to
support the prompt recovery of crucial enterprise functions and IT facilities in
the event of major failure or disaster;
• Ensure that all mandated disaster recovery, business continuity, and security
requirements have adequate compliance policies and procedures in place;
• Ensure the survival of the business and to minimize the implications of a major
enterprise and/or IT failure;
• Ensure that all the potential risks to the enterprise and its IT facilities are
identified and assessed in preparation of the contingency plans;
• Ensure the optimum contingency arrangements are selected and cost effectively
provided;
• Ensure that an authorized and documented disaster recovery / business
continuity plan is created, maintained up-to-date, and securely stored;
• Ensure that the recovery plan is periodically tested for its relevance and
effectiveness;
• Ensure that all internal and external parties to the recovery process are fully
aware of their responsibilities and commitments;
• Ensure that appropriate liaison is maintained with external parties (i.e. insurers,
emergency services, suppliers, etc.);
• Ensure that both the damaged and recovery sites are secure and that systems are
securely operated in support of the enterprise;
• Ensure that systems and procedures are adequately and accurately documented
to aid the recovery process; and
• Ensure that public and media relations would be effectively addressed during an
emergency in order to minimize adverse publicity and business implications.

12. Information security management

12.1. IS Security Policy
• Whether a well-documented security policy is available?
• Whether an inventory of IT assets is made part of the policy?
• Whether the inventory of IT assets is kept at branch / office level?
• Whether policies related to IT activities are listed in the security policy?
• Whether the policy takes into account the business strategy / plan for the next 3 – 5 years?
• Whether the policy takes into account the legal requirements?
• Whether the policy takes into account the regulatory requirements?
• Whether the policy is approved and adopted by the Board of Directors / Top Management?
• Whether the policy is communicated to all concerned and is understood by them?
• Whether the following major security areas are covered in the policy:
- PC and LAN, MAN and WAN security
- Physical security of IS establishments
- Handling of confidential information
- Handling of security incidents
- Privacy-related issues for outside entities
- E-mail security
- Application security
- Interface security
- Password security
- Operating system security, web site security
- Database security
- Anti-virus and piracy policy
- Archived and backed-up data security
- Procedures for handling incidents of security breach
- Disaster Recovery Plan
- Use of cryptology and related security
- Persons responsible for implementing the security policy and consequences for willful violation of the Security Policy
• Whether a review process is in place for reviewing the policy at periodic intervals and / or on any other major event?

12.2. Implementation of Security Policy
• Whether the documented security policy is made available to all levels of users to the extent relevant to them?
• Whether continuous awareness programs are conducted for security awareness?
• Whether the role of Information Security Officer with responsibilities for implementation of the Security Policy has been assigned?
• Whether detailed procedures for each policy statement are developed?
• Whether suitable methodologies are adopted for implementation?
• Whether suitable security tools are selected for implementation?
• Whether the roles of the implementers are clearly defined?
• Whether the budgetary allocation for implementation of IS security is assessed and documented?
• Whether periodic security audits are carried out?
• Whether, on the basis of audit reports or any other vital information, suggestions for updating the security policies are conveyed to the right / appropriate management?
• Whether management demonstrates adherence to the Security Policy?
• Whether new entrants are given adequate exposure to the security policy?
• Whether, in case of breaches of the security policy, the root cause is analysed and preventive and corrective actions are taken?
• Whether incident-reporting procedures have been followed?
• Whether the Information Security Officer is made responsible for reporting noncompliance with the approved policy and incidents of security breaches to Top Management, and for initiating and effecting corrective action?
12.3. Inventory and classification of Information assets
• Are classes or levels of sensitivity and criticality assigned to information resources? And are specific security rules established for each class?
• Is the level of access control that should be applied to each information asset defined?
• Does the data classification include:
o The owner of the information asset?
o Who has access rights?
o The level of access to be granted?
o Who is responsible for determining the access rights and access levels?
o What approvals are needed for access?
o The extent and the depth of security controls?

12.4. System access permission
• Is access to computerized information resources established, managed and controlled at both the physical and logical level?
• Is physical and logical system access granted on a documented need-to-know, least-privilege and segregation-of-duties basis?
• Have all vendor-supplied default passwords, or similar "published" access codes, for all installed operating systems, database management systems, network devices, application packages, and any other commercially produced IT products been changed or disabled?
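The classification questions in 12.3 and the need-to-know, least-privilege and segregation-of-duties questions in 12.4 come together at the point where an access request is decided, so here is an added Python example (written for this review; the classification levels, per-class rules, asset owners and sample users are constructed assumptions, not the bank's scheme) that encodes each class's rule (how many independent approvals, whether the information owner must approve, which roles may write) and evaluates a request against the requester's clearance, with the requester barred from approving their own request.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed classification scheme and per-class rules (12.3).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
RULES = {
    "public":       {"approvals": 0, "owner_approval": False, "write_roles": {"content_admin"}},
    "internal":     {"approvals": 1, "owner_approval": False, "write_roles": {"staff"}},
    "confidential": {"approvals": 1, "owner_approval": True,  "write_roles": {"data_steward"}},
    "restricted":   {"approvals": 2, "owner_approval": True,  "write_roles": {"dba"}},
}


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str
    owner: str                  # information owner named in the classification record


@dataclass(frozen=True)
class Subject:
    user: str
    clearance: str              # highest classification the person is cleared for
    roles: frozenset


@dataclass(frozen=True)
class AccessRequest:
    user: str
    asset: str
    level: str                  # "read" or "write"
    approvals: Tuple[str, ...]  # approver names recorded on the request form


def decide(req: AccessRequest, subject: Subject, asset: Asset) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons); any reason denies the request."""
    reasons: List[str] = []
    rule = RULES[asset.classification]
    if LEVELS[subject.clearance] < LEVELS[asset.classification]:
        reasons.append(f"clearance {subject.clearance} is below {asset.classification}")
    # Segregation of duties: a requester's own signature never counts as an approval.
    approvers = [a for a in req.approvals if a != req.user]
    if len(approvers) != len(req.approvals):
        reasons.append("requester approved own request (segregation of duties)")
    if len(approvers) < rule["approvals"]:
        reasons.append(f"{len(approvers)} independent approval(s) recorded, {rule['approvals']} required")
    if rule["owner_approval"] and asset.owner not in approvers:
        reasons.append(f"information owner {asset.owner} has not approved")
    # Least privilege: write access is limited to the roles the class allows.
    if req.level == "write" and not (subject.roles & rule["write_roles"]):
        reasons.append("write access requires role: " + "/".join(sorted(rule["write_roles"])))
    return (not reasons, reasons)


# Constructed inventory and directory entries.
ASSETS = {
    "gl_ledger": Asset("gl_ledger", "restricted", "finance_head"),
    "cust_pii":  Asset("cust_pii", "confidential", "cust_ops"),
}
SUBJECTS = {
    "teller1": Subject("teller1", "internal", frozenset({"teller"})),
    "dba1":    Subject("dba1", "restricted", frozenset({"dba"})),
    "aud1":    Subject("aud1", "confidential", frozenset({"audit"})),
}


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Three constructed requests: two that must be denied and one that passes."""
    requests = {
        "teller_reads_ledger": AccessRequest("teller1", "gl_ledger", "read", ("finance_head", "it_sec")),
        "dba_writes_ledger":   AccessRequest("dba1", "gl_ledger", "write", ("finance_head", "dba1")),
        "auditor_reads_pii":   AccessRequest("aud1", "cust_pii", "read", ("cust_ops",)),
    }
    return {k: decide(r, SUBJECTS[r.user], ASSETS[r.asset]) for k, r in requests.items()}
```

The reasons list is what the auditor wants to see preserved alongside each granted access: it ties the grant back to the classification record, the owner and the approvers, which is exactly the documentation 12.3 asks for.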

12.5. Privacy management issues
• Is the nature of personally identifiable information associated with business processes pinpointed?
• Are the collection, use, disclosure and destruction of personally identifiable information documented?
• Does accountability for privacy issues exist?
• Is there a foundation for informed policy, operations and system design decisions based on an understanding of privacy risk and the options available for mitigating that risk?
• Are legal requirements regarding privacy from laws, regulations and contract agreements identified and understood?
• Are personal sensitive data correctly managed in respect of these requirements?
• Are the correct security measures adopted?
• Does management’s privacy policy take into consideration the requirements of applicable privacy laws and regulations?

12.6. Critical success factors to information security management
• Is there strong commitment and support by senior management for security awareness training?
• Is a professional, risk-based approach used systematically to identify sensitive and critical information resources, to ensure that there is a clear understanding of the threats and risks?
• Are appropriate risk assessment activities undertaken to mitigate unacceptable risks and to ensure that residual risks are at an acceptable level?

12.7. Information security and external parties
• Is the security of the organization's information and information processing facilities that are accessed, processed, communicated to or managed by external parties maintained, and not reduced by the external party's products or services?
• Is any access to the organization's information processing facilities, and any processing and communication of information by external parties, controlled?
• Are controls agreed upon and defined in an agreement with external parties?
• Are the risks to the organization's information and information processing facilities from business processes involving external parties identified, and appropriate controls implemented before granting access?
• Is the type of access the external party will have to the information and information processing facility defined?
• Are the value and sensitivity of the information involved, and its criticality for business operations, considered?
• Are the controls necessary to protect information that is not intended to be accessible by external parties implemented?

• Are the external party personnel involved in handling the organization's information identified?
• How can the organization or personnel authorized to have access be identified, how is the authorization verified, and how often does this need to be reconfirmed?
• Are the different means and controls employed by the external party when storing, processing, communicating, sharing and exchanging information known?
• Is the impact of access not being available to the external party when required, and of the external party entering or receiving inaccurate or misleading information, assessed?
• Are there practices and procedures to deal with information security incidents and potential damages, and terms and conditions for the continuation of external party access in the case of an information security incident?
• Are there legal and regulatory requirements and other contractual obligations relevant to the external party that should be taken into account?
• How may the interests of any other stakeholders be affected by the arrangements?

12.8. Human resource security and third parties
• Are there proper information security practices in place to ensure that employees, contractors and third-party users understand their responsibilities and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities?
• Are security responsibilities addressed prior to employment, in adequate job descriptions and in the terms and conditions of employment?
• Are all candidates for employment, contractors and third-party users adequately screened, especially for sensitive jobs?
• Do employees, contractors and third-party users of information processing facilities sign an agreement on their security roles and responsibilities, including the need to maintain confidentiality?
• Are the security roles and responsibilities of employees, contractors and third-party users defined and documented in accordance with the organization's information security policy?

12.9. Computer crime issues and exposures
• Are the possible computer crimes identified and the appropriate security mechanisms designed?
• Are the different legal issues associated with computer security taken into consideration?

12.10. Security incident handling and response
• Is there a formally established incident response capability?
• Is there a formal documented plan, and does it contain vulnerability identification, reporting and incident response procedures for common security-related threats?
• Are the organization and management of the incident response capability coordinated or centralized, with key roles and responsibilities established?
• Are employees and contractors made aware of the procedures for reporting the different types of incidents that might have an impact on the security of organizational assets?
• Is there an automated intrusion detection system in place?

12.11. Logical access
• Do the logical access controls enact and substantiate management-designed policies and procedures intended to protect the organizational assets?
• Are the controls designed to reduce risks to a level acceptable to the organization?
• Is logical access control effective in accomplishing information security objectives and avoiding losses resulting from exposures?

12.11.1. Logical access technical exposures
• Do the logical access controls identify the possible accidental or intentional unauthorized exposures interfering with normal processing?
12.11.2. Paths of logical access
• Are all points of entry into the organizational information resource infrastructure known and documented?
• Do all points of entry to the organization's IS infrastructure have the appropriate levels of access security?
• Are all points of entry known, and does this support management's effort in obtaining the resources to identify and manage all access paths?

12.11.3. Identification and authentication
• Are there strong authentication methods?
• Is there the potential for users to bypass the authentication mechanism?
• How are the confidentiality and integrity of the stored authentication information kept?
• Is the authentication information, and information transmitted over the network, encrypted?
• Do users have knowledge of the risks associated with sharing authentication elements?
• Is any multifactor authentication used?
• Are default system accounts, such as Guest, Administrator and Admin, renamed whenever technically possible?
• Are logon IDs not used for a predetermined period of time deactivated to prevent possible misuse?
• Does the system automatically disconnect a logon session if no activity has occurred for a period of time?
• Do passwords require a combination of at least three different character types?
• Does the system enforce regular password changes?
• Does the system permit previous passwords to be used again?
• Is password caching disabled on all workstations?
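As an added illustration, not part of the original checklist, the following Python script shows how an auditor can test an exported list of accounts against the identification and authentication questions above: default account names left unrenamed, dormant logon IDs still enabled, stale passwords, password complexity (the checklist's "three different characters" is read here as three character classes), password history and idle session timeout. The policy thresholds, the account records and the password history are constructed assumptions for this example, not values from the bank's policy.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Policy thresholds are assumptions for this example; a real audit takes them
# from the bank's approved security policy and checks the system enforces them.
MIN_CHARACTER_CLASSES = 3      # lower, upper, digit, symbol: at least three present
MAX_PASSWORD_AGE_DAYS = 90     # "regular password changes"
PASSWORD_HISTORY_DEPTH = 5     # previous passwords that may not be reused
MAX_INACTIVE_DAYS = 60         # logon IDs unused this long should be deactivated
IDLE_TIMEOUT = timedelta(minutes=15)
DEFAULT_ACCOUNT_NAMES = {"guest", "administrator", "admin"}

_CLASS_PATTERNS = [re.compile(p) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")]


def character_classes(password: str) -> int:
    """Number of distinct character classes (lower/upper/digit/symbol) present."""
    return sum(1 for rx in _CLASS_PATTERNS if rx.search(password))


def meets_complexity(password: str) -> bool:
    return character_classes(password) >= MIN_CHARACTER_CLASSES


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 so the history register never holds clear text."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def is_reused(candidate: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """True if the candidate equals any of the last PASSWORD_HISTORY_DEPTH passwords."""
    for salt, digest in history[-PASSWORD_HISTORY_DEPTH:]:
        _, probe = hash_password(candidate, salt)
        if hmac.compare_digest(probe, digest):
            return True
    return False


def session_expired(last_activity: datetime, now: datetime) -> bool:
    """Whether an idle session should already have been disconnected."""
    return now - last_activity > IDLE_TIMEOUT


def audit_accounts(accounts: List[Dict], now: datetime) -> List[str]:
    """Evaluate exported account records and return one finding per violation."""
    findings = []
    for acct in accounts:
        name = acct["username"]
        if name.lower() in DEFAULT_ACCOUNT_NAMES:
            findings.append(f"{name}: default account name has not been renamed")
        last_login = acct.get("last_login")
        if acct.get("enabled", True) and last_login is not None \
                and (now - last_login).days > MAX_INACTIVE_DAYS:
            findings.append(f"{name}: unused for more than {MAX_INACTIVE_DAYS} days but still enabled")
        if (now - acct["password_changed"]).days > MAX_PASSWORD_AGE_DAYS:
            findings.append(f"{name}: password older than {MAX_PASSWORD_AGE_DAYS} days")
    return findings


# Constructed sample export (not real accounts) and a fixed audit date so the
# results are reproducible.
AUDIT_DATE = datetime(2024, 6, 1, 9, 0)
SAMPLE_ACCOUNTS = [
    {"username": "Administrator", "enabled": True,
     "last_login": datetime(2024, 5, 30), "password_changed": datetime(2024, 5, 1)},
    {"username": "jdoe", "enabled": True,
     "last_login": datetime(2024, 1, 15), "password_changed": datetime(2024, 1, 15)},
    {"username": "asmith", "enabled": True,
     "last_login": datetime(2024, 5, 31), "password_changed": datetime(2024, 4, 1)},
]

if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE):
        print("FINDING:", finding)
    history = [hash_password("Winter2023!")]
    print("reuse blocked:", is_reused("Winter2023!", history))
    print("complexity ok:", meets_complexity("Zemen1!"))
```

Run against the constructed export the script reports three findings: the unrenamed Administrator account, and a dormant jdoe account whose password is also past its maximum age. The history check deliberately stores only salted hashes, which is the answer to the question about how stored authentication information is kept confidential.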

12.11.4. Authorization issues
• Is there documented access control on a need-to-know and need-to-do basis by type of access?
• Is there a list of computerized files and facilities, applicable across the security layers for networks, platforms, databases and applications, that should be protected by logical access controls?
• Is there an Access Control List (ACL), i.e. a register of users who have permission to use a particular system resource and the types of access permitted?
• Are there ways to control remote and distributed sites?

12.11.5. Remote access security
• Are remote access risks identified?
• Are there policies and standards for remote access?
• Are there proper authorizations?
• Are there efficient identification and authentication mechanisms?
• Is there effective system and network management?
12.11.6. Access rights to system logs
• Are there audit logs to record who accesses data?
• Are the audit logs reviewed?
• How often are the system logs reviewed?
• What is logged, who or what has access to the logs, and how long are logs retained?
• Are access rights to system logs, which security administrators need to perform the above tasks, strictly controlled?

12.11.7. Storing, retrieving, transporting and disposing of confidential information
• How is backup media stored? Who has access to it? Is it up to date?
• How is the disposal of media previously used to hold confidential information carried out?
• How is equipment sent for offsite maintenance managed?
• What mechanisms are used to preserve information during shipment or storage?
12.12. Network infrastructure security
• Are network control functions separated and the duties rotated on a regular basis, where possible?
• Does the network control software restrict operators from performing certain functions?
• Does the network control software maintain an audit trail of all operator activities?
• Are audit trails periodically reviewed by operations management to detect any unauthorized network operations activities?

• Are network operation standards and protocols documented, made available to the operators, and reviewed periodically to ensure compliance?
• Is network access by the system engineers monitored and reviewed closely to detect unauthorized access to the network?
• Is analysis performed to ensure workload balance, fast response time and system efficiency?
• Is data encryption used, where appropriate, to protect messages from disclosure during transmission?
• Are there access control lists (ACLs) in place on network devices to control who has access to shared data?
12.12.1. LAN security
• Is ownership of programs, files and storage declared?
• Is access limited to a read-only basis?
• Is record and file locking implemented to prevent simultaneous update?
• Are user ID/password sign-on procedures enforced, including the rules relating to password length, format and change frequency?
• Are switches used to implement port security policies, rather than hubs and non-manageable switches?
• Is local traffic encrypted using the IPsec (IP security) protocol?
• Are the risks associated with virtualization identified, and strong physical and logical access controls implemented?
• Is there appropriate network segregation, including the avoidance of virtual machines in the demilitarized zone (DMZ) and the placement of management tools on a separate network segment?
12.12.2. Client–server security
• Is the impact of loss of network availability on the business or service identified?
• Are network components, including hardware, software and communications, up to date?
• Is all use of synchronous and asynchronous modems to connect to other networks authorized and discriminate?
• Has the risk been addressed that access to confidential data and data modification may be unauthorized, business may be interrupted, and data may be incomplete or inaccurate?
• Are application code and data located on a single machine enclosed in a secured computer room?
12.12.3. Wireless security threats and risk mitigation
• Are the potential threats in wireless networks identified and controls implemented?
• Are there security measures and practices to mitigate the wireless threats and to bring their risks to a manageable level?
12.13. Internet threats and security
• Are there proper controls in place when the company connects to the internet?
• Are all dedicated connections to the Internet and other external networks properly documented, authorized, and protected by firewalls, intrusion detection systems, virtual private networks (or other forms of encrypted communication) and an incident response capability?
• Is risk assessment performed periodically over the development and redesign of internet-based web applications?
• Are encryption techniques applied to protect information assets passing over the internet?
• Is there a common desktop environment to control, in an automated manner, what is displayed on a user's desktop?
12.13.1. Firewalls
• Are all router, switch, wireless access point and firewall configurations secured, and do they conform to documented security standards?
• Is the firewall configured to translate (hide) internal IP addresses using network address translation (NAT)?
• Are firewall policies maintained regularly?
• Is the use of modems, where a firewall is in place, strictly controlled or prohibited altogether?
12.13.2. Intrusion detection systems
• Is there an intrusion detection system running in the background and notifying administrators when it detects a perceived threat?
12.13.3. Encryption
• Are there adequate cryptographic tools in place to govern data encryption, and have these tools been properly configured?
12.13.4. Viruses
• Are there sound policies and procedures in place to control viruses?
• Are all computer systems protected with up-to-date anti-virus software and other defenses against malicious software attacks?
• Is a licensed virus scanner installed on all servers and on all workstations?

12.14. Environmental exposures and controls
• Is the power supply to the computer equipment properly controlled to ensure that power remains within the manufacturer's specification?
• Are the air conditioning, humidity and ventilation control systems for the computer equipment adequate to maintain temperatures within the manufacturers' specification?
• Is the computer equipment protected from the effects of static electricity, using an antistatic rug or antistatic spray?
• Is the computer equipment kept free of dust, smoke and other particulate matter such as food?
• Are backup media protected from damage due to temperature extremes, the effects of magnetic fields and water damage?
• Are electrical surge protectors on sensitive and expensive computer equipment visually observed?
• Are there fireproof walls, floors and ceilings in the computer room?
• Are there fire suppression systems in place?
• Are there documented and tested emergency evacuation plans?
12.15. Physical access exposures and controls
• Are buildings, paper records and sensitive IT resources (e.g. computer and network equipment, storage media and wiring closets) within them properly secured from unauthorized access, tampering, damage and/or theft by an intruder with malicious intent?
• Are the servers, network equipment and other sensitive IT resources physically secured?

12.15.1. Exposures
• Are the possible physical access exposures that exist from accidental or intentional violation of access paths identified, and appropriate controls put in place?
12.15.2. Possible perpetrators
• Are the hardware facilities reasonably protected against forced entry?
• Are keys to the computer facilities adequately controlled to reduce the risk of unauthorized access?
• Are computer terminals locked or otherwise secured to prevent removal of boards, chips and the computer itself?
• Are authorized equipment passes required before computer equipment can be removed from its normal secure surroundings?
12.15.3. Access controls
• Do the physical access controls limit access only to those individuals authorized by management?

13. E-Banking
13.1.1. Security controls
• Is there a security policy duly approved by the Board of Directors? Is there segregation of duty between the Security Officer/Group dealing exclusively with information systems security and the Information Technology Division which actually implements the computer systems? Is the role of the Information Security Officer independent in nature?
• Is the role of the information system auditor independent in nature? (It should be independent of the Operations and Technology Unit.)
• The Bank should ensure that the Information Systems Auditor forms part of its Internal Audit Team.
• The Bank should acquire tools for monitoring systems and networks against intrusions and attacks. These tools should be used regularly to avoid security breaches. The Bank should review its security infrastructure and security policies regularly and optimize them in the light of its own experience and changing technologies. It should educate its security personnel and also the end users on a continuous basis.
• The Bank should subscribe to systems alerts/patches. The Information Systems Auditor should ensure that all security patches are applied on a periodic basis to prevent outsiders from exploiting the Bank's systems.
• Under the present legal requirements there is an obligation on Banks to maintain the secrecy and confidentiality of customers' accounts. In the Internet banking scenario, the risk of Banks not meeting the above obligation is high on account of several factors. Despite all reasonable precautions, banks may be exposed to enhanced risk of liability to customers on account of breach of secrecy, denial of service etc. because of hacking or other technological failures. Does the bank, therefore, institute adequate risk control measures to manage such risks?
• In order to address the risk of liability to customers on account of breach of secrecy, denial of service etc., does the Bank follow a privacy policy?
o The Bank should safeguard, according to strict standards of security and confidentiality, any information customers share with it.
o The Bank will not reveal customer information to any external organization unless it has previously informed the customer in disclosures or agreements, has been authorized by the customer, or is required by law or its regulators.
o Whenever the Bank hires other organizations to provide support services, it should require them to conform to its privacy standards and to allow it to audit them for compliance.

13.1.2. Logs of activity
• Ensure that auditing is enabled in the web server's operating system and that the logs are reviewed and authenticated by authorized officials periodically.
• Check that the audit trail is enabled on the firewall to log changes made to the rule base settings, and verify that the logged entries are approved by higher authorities in the IT Department.
• Check whether the system administrators are monitoring the logs produced by the Intrusion Detection System (IDS) (an intrusion detection system helps in recognizing security threats and is capable of scanning packets for vulnerabilities; it ensures that distributed denial of service attacks are prevented) and escalating access violations to the attention of senior management in the IT department for guidance. Are these documented, and are appropriate corrective actions taken?
• Check whether audit trails are enabled for administration activities, and whether the entries logged in the audit trail are in accordance with the process flow chart and no unauthorized activity has been carried out.
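To make the log-review questions concrete, both those in 12.11.6 (who accesses data, how often logs are reviewed, how long they are retained) and those in 13.1.2 (firewall rule-base changes approved by the IT Department, administration activity matching the process flow), here is an added Python example that is not part of the original checklist. It parses a few constructed audit log lines, summarizes who did what on which host, and reports the entries a reviewer would escalate. The "timestamp key=value" line format, the approved change register, the administration window and the failed-logon threshold are all assumptions made for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Review parameters: assumptions for this example, normally taken from the
# change register and the approved policy.
APPROVED_CHANGE_IDS = {"CHG-0412"}
PRIVILEGED_ACTIONS = {"RULEBASE_CHANGE", "ACL_CHANGE", "USER_ADD"}
ADMIN_WINDOW = (8, 18)            # approved hours for administration changes
FAILED_LOGIN_THRESHOLD = 3
REQUIRED_RETENTION_DAYS = 90
REVIEW_DATE = datetime(2024, 6, 4)

# Constructed sample lines (not from any real system) in a simple
# "timestamp key=value ..." layout.
SAMPLE_LOG = """\
2024-06-03T09:12:41 host=websrv01 user=jdoe action=LOGIN result=OK src=10.1.5.23
2024-06-03T09:13:05 host=fw01 user=nadmin action=RULEBASE_CHANGE result=OK change_id=CHG-0412
2024-06-03T02:47:10 host=fw01 user=tmp_contractor action=RULEBASE_CHANGE result=OK
2024-06-03T10:01:00 host=websrv01 user=jdoe action=LOGIN result=FAIL src=10.1.5.23
2024-06-03T10:01:07 host=websrv01 user=jdoe action=LOGIN result=FAIL src=10.1.5.23
2024-06-03T10:01:15 host=websrv01 user=jdoe action=LOGIN result=FAIL src=10.1.5.23
2024-06-03T11:30:00 host=websrv01 user=asmith action=READ result=OK object=customer_export.csv
"""

_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")
_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_entry(line: str) -> Optional[Dict]:
    """Turn one log line into a dict; returns None for blank or malformed lines."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    entry = dict(_FIELD.findall(m.group("fields")))
    if not {"host", "user", "action"}.issubset(entry):
        return None
    try:
        entry["ts"] = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    return entry


def parse_log(text: str) -> List[Dict]:
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e is not None]


def access_summary(entries: List[Dict]) -> Dict[str, Set[Tuple[str, str]]]:
    """Who did what where: user -> {(host, action)}, answering 'who accesses data'."""
    summary = defaultdict(set)
    for e in entries:
        summary[e["user"]].add((e["host"], e["action"]))
    return dict(summary)


def review(entries: List[Dict]) -> List[str]:
    """Apply the review rules and return the items a reviewer should escalate."""
    findings = []
    failures = Counter()
    for e in entries:
        when = e["ts"].strftime("%Y-%m-%d %H:%M")
        if e["action"] in PRIVILEGED_ACTIONS:
            # Every privileged change must trace back to an approved change record.
            if e.get("change_id") not in APPROVED_CHANGE_IDS:
                findings.append(f"{when} {e['host']}: {e['action']} by {e['user']} has no approved change id")
            if not ADMIN_WINDOW[0] <= e["ts"].hour < ADMIN_WINDOW[1]:
                findings.append(f"{when} {e['host']}: {e['action']} by {e['user']} outside the approved window")
        if e["action"] == "LOGIN" and e.get("result") == "FAIL":
            failures[(e["host"], e["user"])] += 1
    for (host, user), n in sorted(failures.items()):
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(f"{host}: {n} failed logons for {user}")
    return findings


def retention_covered(entries: List[Dict], now: datetime) -> bool:
    """True if the oldest retained entry is at least REQUIRED_RETENTION_DAYS old."""
    if not entries:
        return False
    oldest = min(e["ts"] for e in entries)
    return (now - oldest).days >= REQUIRED_RETENTION_DAYS


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for user, acts in sorted(access_summary(entries).items()):
        print(user, sorted(acts))
    for finding in review(entries):
        print("ESCALATE:", finding)
    print("retention covered:", retention_covered(entries, REVIEW_DATE))
```

On the sample, the contractor's rule-base change is escalated twice (no approved change id, and made at 02:47), the burst of failed logons for jdoe is escalated once, and the retention check fails because the archive only reaches back one day.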

13.1.3. Web server
• Is the web server configured as a stand-alone unit, without membership of any domain inside the Bank's IT architecture?

• Ensure that the web server is patched with the latest versions of patches and service packs. Specifically, the OS vendor releases patches and service packs with fixes to prevent denial of service attacks; these should have been applied to prevent such attacks on the web server.
• All security settings applicable to the operating system in which the web server operates should have been implemented as per the IT security policy. Check and ensure this.
• With regard to the super user account:
o Check whether the super user account on the web server is enabled for login only on the system console and not from across the network. This may be applicable to all user accounts on the web server.
o Check if appropriate parameters are implemented in the operating system of the web server so that the super user account locks out if too many unsuccessful attempts are made across the network, but remains unlocked at the system console.
• Check that sensitive operating system executable program files and data files on the web server are not stored in a public area but in another secure location, with auditing duly enabled.
• IP routing should be disabled on the web server. Check and confirm this.
• Ensure that unauthorized ports, e.g. UDP port No. 443, are not allowed on the web server. Also ensure that unnecessary services such as ftp, messenger, SMTP, telnet, etc. are not installed and active on the web server.
• The facility to shut down the machine should be restricted to the system console on the web server. Check and ensure this.
• Access to the floppy drive, CD-ROM drive, etc. should be restricted on the web server to interactive use only, to prevent these devices from being shared by all processes on the system. Check and ensure this.
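The web server checks above are the kind an auditor can script against a configuration snapshot collected from the host rather than verify by hand. The following Python example is added here and is not part of the original checklist; it evaluates a constructed snapshot (listening sockets in the style of Linux `ss -tlnp` output, the `ip_forward` sysctl value, the sshd `PermitRootLogin` setting, lockout parameters, patch status and who may shut the machine down) against the points in 13.1.3. The allowlist of expected listeners, the snapshot contents and the snapshot field names are assumptions for this example, and the Linux-specific settings stand in for whatever the web server's operating system actually exposes.

```python
import re
from typing import Dict, List, Set, Tuple

# Sockets the web server is expected to expose: an assumption for this example.
EXPECTED_LISTENERS: Set[Tuple[str, int]] = {("tcp", 443), ("tcp", 22)}
# Services the checklist names as unnecessary on a web server, matched by process name.
UNNECESSARY_SERVICES = {"ftp", "telnet", "smtp", "messenger"}
WELL_KNOWN_PORTS = {21: "ftp", 23: "telnet", 25: "smtp"}

# Constructed snapshot, as an auditor's collection script might assemble it
# (hypothetical host; nothing here was collected from a real system).
SNAPSHOT = {
    "domain_member": False,
    "ip_forward": "0",                       # contents of /proc/sys/net/ipv4/ip_forward
    "sockets": """\
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=811,fd=6))
LISTEN 0 128  0.0.0.0:22  0.0.0.0:* users:(("sshd",pid=640,fd=3))
LISTEN 0 128  0.0.0.0:23  0.0.0.0:* users:(("telnetd",pid=702,fd=4))
LISTEN 0 100  0.0.0.0:25  0.0.0.0:* users:(("smtpd",pid=715,fd=5))
""",
    "sshd_config": {"PermitRootLogin": "yes"},
    "lockout": {"network_threshold": 5, "console_locks": False},
    "pending_security_patches": ["placeholder-os-update"],
    "shutdown_allowed_from": ["console", "network"],
}

_SOCKET = re.compile(r'^LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_sockets(text: str) -> List[Tuple[str, int, str]]:
    """(proto, port, process) for each LISTEN line of a TCP listing."""
    out = []
    for line in text.splitlines():
        m = _SOCKET.match(line.strip())
        if m:
            out.append(("tcp", int(m.group(1)), m.group(2)))
    return out


def check_snapshot(snap: Dict) -> List[str]:
    """Evaluate the snapshot against the 13.1.3 points; one finding per deviation."""
    findings = []
    if snap["domain_member"]:
        findings.append("web server is a member of an internal domain")
    if snap["ip_forward"].strip() != "0":
        findings.append("IP routing (ip_forward) is enabled")
    for proto, port, proc in parse_sockets(snap["sockets"]):
        reason = None
        if (proto, port) not in EXPECTED_LISTENERS:
            reason = "not in the approved listener list"
        elif any(s in proc.lower() for s in UNNECESSARY_SERVICES):
            reason = "unnecessary service"
        if reason:
            label = WELL_KNOWN_PORTS.get(port, proc)
            findings.append(f"unexpected listener {proto}/{port} ({label}): {reason}")
    # Treated as non-compliant unless root login over the network is explicitly refused.
    if snap["sshd_config"].get("PermitRootLogin", "yes").lower() != "no":
        findings.append("super user login is permitted across the network (PermitRootLogin)")
    lock = snap["lockout"]
    if not lock.get("network_threshold"):
        findings.append("no lockout threshold for failed network logons to the super user account")
    if lock.get("console_locks"):
        findings.append("lockout would also lock the super user out of the system console")
    if snap["pending_security_patches"]:
        findings.append(f"{len(snap['pending_security_patches'])} security patch(es) not applied")
    if set(snap["shutdown_allowed_from"]) - {"console"}:
        findings.append("shutdown is allowed from somewhere other than the system console")
    return findings


if __name__ == "__main__":
    for finding in check_snapshot(SNAPSHOT):
        print("FINDING:", finding)
```

The constructed snapshot produces five findings: the telnet and SMTP listeners, root login over the network, an outstanding patch and network-initiated shutdown. A hardened snapshot (only the approved listeners, `PermitRootLogin no`, no pending patches, shutdown from the console only) produces none.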

14. ATM Audit
14.1. Handling of ATM access cards
• How many staff/officers/executives are responsible for operating the ATM system in the branch?
• What are their specific duties?
• How are unpersonalized cards managed?

14.2. Storage of keys and their replacement at every staff change
• Is the ATM safe under dual control?
• If yes, this may be verified from the key charge register.
• Give names with titles and positions of relevant individuals.
• Are ATM cash audits performed, and is there evidence of dual control when accessing the cash?
14.3. Reconciliation of cash balance to general ledger account
• What is the capacity of the cash dispenser? Compare this with the cash-in-ATM limit for the branch.
• When is cash replenished in the ATM (i.e. when out of cash, or after pre-set intervals)?
• Does the cash in the ATM safe tally with the cash-in-ATM detail printed on the roll?
• Does the physical cash in the ATM reconcile with the balance as per the banking system? (Attach working.)
• Are the reconciliations of teller records against ATM slips showing disbursements and replenishments accurate and timely?

14.4. Tracing accuracy of appropriate fee charges to income statement accounts
• Are the records of ATM cardholders, fee status, renewal of cards and hot/warm cards properly documented? (Attach printout.)
14.5. Physical security
• In the case of an offsite ATM, what security arrangements are used during cash feed-in?
• Is there any security/burglary alarm arrangement in place for the ATM?
• Does the facility have any blind spots, such as drapes or shades, that block observation?
• Is the temperature of the ATM room (both inside and outside the wall) within acceptable limits?
• Is there any back-up power arrangement for the ATM? If yes, for how long can ATM operations be supported by it?
• Is there adequate lighting to facilitate clients using the ATM at night?

14.6. Card management
• Are new ATM cards mailed to clients on a regular basis? If yes, are the ATM cards and PIN mailers mailed at different times?
• Are the particulars of new ATM cards entered immediately on their receipt by the branch?
• Are ATM charges, if any, recovered on the same day as well?
• Look at the captured card logs and procedures: what procedure is being followed to account for captured cards?
• Do the captured cards remain under dual control?
• Is there any record of captured card delivery?
• What is the procedure for the destruction of wasted and spoiled cards?
• Is the branch maintaining any record of them?
• PIN change, etc.

14.7. Infrastructure and support
• What kind of communication link is being used for connecting the ATM and branch host server with the ATM controller?
• Is there a record of service/complaint calls made to the help desk? How many service calls were made during the last 3 months?
• Is there adequate stock of ATM printer paper and ribbon?
• What arrangement is being used for the security of ATM rolls? Are they being pasted in a systematic manner?
• Does the ATM print the current time/date when logged in Supervisor Mode?
