Bank: Axis Bank

Legend (values used in the audit sheet)

1. Compliance score: 3 = Fully complied; 2 = Partially complied; 1 = Non-complied
2. Evidence collection: Report/Documentation; Verbal; Screenshot; Physical Check
3. Audit Findings: Conformity; Non-conformity
4. Deficiency: Significant deficiency; Deficiency; No Deficiency
5. Action Owner: Shreya; Susmita; Souvik; Anik; Ghosh
6. Control Type: Preventive; Detective; Deterrent
Audit sheet. Dates are given as YYYY-MM-DD (exported as m/d/yyyy); "…" marks a Finding or Source cell that was cut off in the export. Requirement numbering is as in the source (11, 18, 19, 21, 22 and 23 were not audited).

| Req. | Description / Reason of Finding | Date of audit | Score | Evidence collection | Source of Evidence | Audit Findings | Control Type | Deficiency | Action Owner |
|---|---|---|---|---|---|---|---|---|---|
| 1 | Inventory Management of Business IT Assets | | | | | | | | |
| 1.1 | Up-to-date inventory is maintained | 2021-01-02 | 2 | Report/Documentation | Annual Report | Non-conformity | Detective | Significant deficiency | Shreya |
| 1.2 | Classification of data is done | 2021-01-02 | 3 | Screenshot | Observation | Conformity | Deterrent | No Deficiency | Souvik |
| 1.3 | Stored data is not encrypted and… | 2021-01-02 | 1 | Report/Documentation | Documentation | Non-conformity | Preventive | Deficiency | Susmita |
| 2 | Preventing execution of unauthorised software | | | | | | | | |
| 2.1 | Up-to-date and centralised invent… | 2021-01-02 | 2 | Verbal | Interview with the… | Non-conformity | Deterrent | Deficiency | Shreya |
| 2.2 | End-user applications are not cen… | 2021-01-03 | 1 | Physical Check | Observation | Non-conformity | Preventive | Significant deficiency | Souvik |
| 2.3 | There is a continuous monitor o… | 2021-01-04 | 2 | Verbal | Interview with the… | Non-conformity | Detective | No Deficiency | Susmita |
| 2.4 | It has a clearly defined framewo… | 2021-01-04 | 3 | Report/Documentation | Annual Report | Conformity | Deterrent | Significant deficiency | Shreya |
| 3 | Environmental Controls | | | | | | | | |
| 3.1 | Protection of servers from natural… | 2021-01-04 | 3 | Verbal | Interview with the… | Conformity | Deterrent | Significant deficiency | |
| 3.2 | Proper monitor of temperature a… | 2021-01-04 | 2 | Verbal | Interview with the… | Non-conformity | Detective | Deficiency | Susmita |
| 4 | Network Management and Security | | | | | | | | |
| 4.1 | Up-to-date network architecture… | 2021-01-04 | 3 | Verbal | Interview with the… | Conformity | Preventive | Deficiency | Anik |
| 4.2 | Centralised inventory connected… | 2021-01-05 | 2 | Verbal | Interview with the… | Non-conformity | Preventive | Deficiency | Souvik |
| 4.3 | All the network devices are conf… | 2021-01-06 | 3 | Report/Documentation | Monthly report | Conformity | Detective | Significant deficiency | Shreya |
| 4.4 | Controls are there to secure wire… | 2021-01-06 | 3 | Report/Documentation | Annual Report | Conformity | Preventive | Deficiency | Shreya |
| 4.5 | Identify authorised hardware / m… | 2021-01-06 | 3 | Physical Check | Observation | Conformity | Preventive | No Deficiency | Ghosh |
| 4.6 | Proper IDS/IPS are not there | 2021-01-07 | 1 | Screenshot | Observation | Non-conformity | Detective | Significant deficiency | Souvik |
| 4.7 | Detects and does remedy of any u… | 2021-01-08 | 3 | Verbal | Interview with the… | Conformity | Detective | No Deficiency | Ghosh |
| 4.8 | Standard Operating Procedures (SOP… | 2021-01-08 | 3 | Verbal | Interview with the… | Conformity | Deterrent | Significant deficiency | Ghosh |
| 4.9 | Security Operation Centre does n… | 2021-01-09 | 1 | Screenshot | Observation | Non-conformity | Deterrent | No Deficiency | Susmita |
| 4.10 | Boundary defences are there but it… | 2021-01-10 | 2 | Report/Documentation | Monthly report | Non-conformity | Deterrent | No Deficiency | Anik |
| 5 | Secure Configuration | | | | | | | | |
| 5.1 | Documentation of baseline securit… | 2021-01-10 | 2 | Report/Documentation | Documentation | Non-conformity | Detective | Deficiency | Souvik |
| 5.2 | Periodically evaluate critical dev… | 2021-01-10 | 3 | Verbal | Interview with the… | Conformity | Detective | Deficiency | Anik |
| 6 | Application Security Life Cycle (ASLC) | | | | | | | | |
| 6.1 | Information security is incorporated… | 2021-01-10 | 2 | Verbal | Interview with the… | Non-conformity | Preventive | Deficiency | Ghosh |
| 6.2 | Source code audit is not done | 2021-01-11 | 1 | Report/Documentation | Annual Report | Non-conformity | Preventive | Significant deficiency | Souvik |
| 6.3 | Secure coding practices are not im… | 2021-01-12 | 1 | Report/Documentation | Monthly report | Non-conformity | Preventive | Significant deficiency | Ghosh |
| 6.4 | Security requirements relating to… | 2021-01-12 | 2 | Verbal | Interview with the… | Non-conformity | Detective | | Susmita |
| 6.5 | Development, test and productio… | 2021-01-13 | 3 | Verbal | Interview with the… | Conformity | Detective | Significant deficiency | Souvik |
| 6.6 | Secure coding principles and secu… | 2021-01-14 | 1 | Screenshot | Observation | Non-conformity | Preventive | Deficiency | Susmita |
| 6.7 | OWASP controls are followed | 2021-01-14 | 3 | Report/Documentation | Documentation | Conformity | Deterrent | Significant deficiency | Anik |
| 6.8 | "Containerized" apps on mobile/s… | 2021-01-15 | 1 | Screenshot | Observation | Non-conformity | Detective | No Deficiency | Shreya |
| 6.9 | Adoption of new technologies is… | 2021-01-16 | 3 | Verbal | Interview with the… | Conformity | Detective | No Deficiency | Ghosh |
| 7 | Patch/Vulnerability & Change Management | | | | | | | | |
| 7.1 | Documented risk-based strategy… | 2021-01-16 | 1 | Report/Documentation | Documentation | Non-conformity | Detective | No Deficiency | Ghosh |
| 7.2 | Status of patches is identified b… | 2021-01-16 | 2 | Verbal | Interview with the… | Non-conformity | Detective | Deficiency | Susmita |
| 7.3 | Changes to business application… | 2021-01-17 | 3 | Verbal | Interview with the… | Conformity | Preventive | No Deficiency | Anik |
| 7.4 | VAPT is conducted for pre-imple… | 2021-01-18 | 2 | Verbal | Interview with the… | Non-conformity | Preventive | Significant deficiency | Shreya |
| 7.5 | Application security testing is do… | 2021-01-19 | 3 | Report/Documentation | Monthly report | Conformity | Detective | Deficiency | Ghosh |
| 7.6 | Root cause is identified but prop… | 2021-01-19 | 2 | Screenshot | Observation | Non-conformity | Preventive | Significant deficiency | Susmita |
| 7.7 | Periodic evaluation of the ac… | 2021-01-19 | 3 | Report/Documentation | Monthly report | Conformity | Detective | No Deficiency | Anik |
| 8 | User Access Control / Management | | | | | | | | |
| 8.1 | Lack of secure access to the bank… | 2021-01-19 | 2 | Report/Documentation | Annual Report | Non-conformity | Deterrent | Significant deficiency | Shreya |
| 8.2 | Carefully protected customer acc… | 2021-01-20 | 3 | Report/Documentation | Annual Report | Conformity | Preventive | Deficiency | Anik |
| 8.3 | Administrative rights on end-use… | 2021-01-21 | 3 | Verbal | Interview with the… | Conformity | Preventive | Significant deficiency | Ghosh |
| 8.4 | Centralised authentication and au… | 2021-01-22 | 2 | Verbal | Interview with the… | Non-conformity | Deterrent | No Deficiency | Susmita |
| 8.5 | Monitor of privileged/superuser/a… | 2021-01-23 | 1 | Report/Documentation | Monthly report | Non-conformity | Detective | Deficiency | Ghosh |
| 8.6 | Controls to minimize invalid log… | 2021-01-24 | 1 | Verbal | Interview with the… | Non-conformity | Detective | Deficiency | Shreya |
| 8.7 | Abnormal change in pattern of l… | 2021-01-25 | 3 | Report/Documentation | Monthly report | Conformity | Detective | No Deficiency | Susmita |
| 8.8 | Proper installation | 2021-01-25 | 3 | Physical Check | Observation | Conformity | Deterrent | No Deficiency | Ghosh |
| 8.9 | Remote locking of mobile phone… | 2021-01-26 | 1 | Screenshot | Observation | Non-conformity | Deterrent | No Deficiency | Souvik |
| 8.10 | Attachment is not checked/meas… | 2021-01-27 | 1 | Screenshot | Observation | Non-conformity | Detective | No Deficiency | Shreya |
| 9 | Authentication Framework for Customers | | | | | | | | |
| 9.1 | Proper Password policy is there a… | 2021-01-28 | 3 | Verbal | Interview with internal IT team | Conformity | Deterrent | No Deficiency | Shreya |
| 9.2 | Multifactor Authentication is… | 2021-01-28 | 3 | Screenshot | Checked the log-in process for customer as well as domain accounts | Conformity | Deterrent | No Deficiency | Susmita |
| 9.3 | Assurance from the system shoul… | 2021-01-29 | 2 | Screenshot | Observation | Non-conformity | | Significant deficiency | Souvik |
| 10 | Secure mail and messaging systems | | | | | | | | |
| 10.1 | Passwords are strong but the lar… | 2021-01-30 | 2 | Screenshot | Observation | Non-conformity | Preventive | Significant deficiency | Anik |
| 10.2 | Email retention and backup plan… | 2021-01-30 | 1 | Report/Documentation | Checked the email policy for the employees | Non-conformity | Preventive | Deficiency | Ghosh |
| 12 | Removable Media | | | | | | | | |
| 12.1 | Implemented policy for restricti… | 2021-01-31 | 3 | Report/Documentation | Checked Removable Media Policy | Conformity | Preventive | No Deficiency | Shreya |
| 12.2 | Media types and information is n… | 2021-01-31 | 1 | Physical Check | Tested client software | Non-conformity | Detective | Deficiency | Susmita |
| 12.3 | Antivirus is not in place, system… | 2021-02-01 | 2 | Screenshot | Observation | Non-conformity | Preventive | Significant deficiency | Souvik |
| 12.4 | Endpoint management system sh… | 2021-02-01 | 2 | Report/Documentation | Checked Removable Media Policy | Non-conformity | Detective | Significant deficiency | Anik |
| 12.5 | Devices are locked securely when… | 2021-02-02 | 3 | Physical Check | Checked removable storage devices | Conformity | Detective | No Deficiency | Ghosh |
| 13 | Advanced Real-time Threat Defence and Management | | | | | | | | |
| 13.1 | CIS Controls are not implemente… | 2021-02-03 | 1 | Verbal | Interview with Information Security Risk Department | Non-conformity | Deterrent | Deficiency | Shreya |
| 13.2 | Antivirus is in place, better endpo… | 2021-02-04 | 3 | Physical Check | Log monitoring | Conformity | Preventive | No Deficiency | Susmita |
| 13.3 | IP address is not static before whi… | 2021-02-04 | 2 | Physical Check | Checked accounts and whitelisted domains | Non-conformity | Deterrent | Significant deficiency | Souvik |
| 13.4 | Secure Internet for users netwo… | 2021-02-04 | 3 | Screenshot | Checked the connection and network security | Conformity | Deterrent | No Deficiency | Anik |
| 14 | Anti-Phishing | | | | | | | | |
| 14.1 | Extended validation for SSL Certi… | 2021-02-05 | 1 | Screenshot | Checked browser | Non-conformity | Detective | Deficiency | Ghosh |
| 15 | Data Leak prevention strategy | | | | | | | | |
| 15.1 | Proper Data encryption should b… | 2021-02-06 | 1 | Report/Documentation | Checked DLP Policy | Non-conformity | Preventive | Deficiency | Shreya |
| 15.2 | System's hard drives are unreadab… | 2021-02-07 | 3 | Report/Documentation | Analysed inventory | Conformity | Preventive | No Deficiency | Susmita |
| 16 | Maintenance, Monitoring, and Analysis of Audit Logs | | | | | | | | |
| 16.1 | Consultation is done with stakeho… | 2021-02-08 | 3 | Verbal | Interview with st… | Conformity | Detective | No Deficiency | Souvik |
| 16.2 | There is no proper system utility… | 2021-02-08 | 1 | Physical Check | Checked user ID,… | Non-conformity | Deterrent | Deficiency | Anik |
| 16.3 | No proper Audit policy is mainta… | 2021-02-09 | 2 | Report/Documentation | Checked Audit Policy | Non-conformity | Detective | Significant deficiency | Ghosh |
| 17 | Audit Log settings | | | | | | | | |
| 17.1 | Periodically valid… | 2021-02-10 | 2 | Physical Check | Checked client syst… | Non-conformity | Detective | Deficiency | Ghosh |
| 20 | Risk based transaction monitoring | | | | | | | | |
| 20.1 | Transaction monit… | 2021-02-11 | 1 | Screenshot | Observation | Non-conformity | Detective | Significant deficiency | Anik |
| 20.2 | Proper alternate… | 2021-02-12 | 2 | Report/Documentation | Monthly report | Conformity | Preventive | No Deficiency | Souvik |
| 24 | Customer Education and Awareness | | | | | | | | |
| 24.1 | Customer awarenes… | 2021-02-12 | 2 | Physical Check | Query with the clien… | Non-conformity | Detective | Significant deficiency | Ghosh |
| 24.2 | Customers reports… | 2021-02-13 | 3 | Verbal | Interview with the c… | Conformity | Detective | Deficiency | Shreya |
| 24.3 | Customers don't s… | 2021-02-13 | 3 | Verbal | Interview with the c… | Conformity | Detective | Deficiency | Susmita |
IT AUDIT DASHBOARD

Pivot summaries from the dashboard sheet. Totals are as exported and do not all equal the 73 audited requirements, because blank cells in the audit sheet are not counted. The bar and pie charts themselves did not survive the export; only their titles and the tables behind them are kept here.

Total no. of audits: 73

Count of Audit Findings by Action Owner

| Action Owner | Count of Audit Findings |
|---|---|
| Anik | 12 |
| Ghosh | 17 |
| Shreya | 15 |
| Souvik | 13 |
| Susmita | 15 |
| Total Result | 72 |

Evidence collected per control type

| Control Type | Count of Evidence collection |
|---|---|
| Detective | 31 |
| Deterrent | 18 |
| Preventive | 23 |
| Total Result | 72 |

Compliance Category

| Compliance score | Count of Compliance |
|---|---|
| 1 (Non-complied) | 20 |
| 2 (Partially complied) | 23 |
| 3 (Fully complied) | 29 |
| Total Result | 72 |

The pie chart for this table was labelled 14% / 16% / 20% / 50% because it plotted the Total Result row as a fourth slice (20 + 23 + 29 + 72 = 144). As shares of the 72 scored requirements the categories are 28% / 32% / 40%.

Audit Findings

| Audit Findings | Count of Deficiency |
|---|---|
| Conformity | 30 |
| Non-conformity | 41 |
| Total Result | 71 |

Charts whose values are not recoverable from the export: Count of Audit Findings per Action Owner (bar); Control Type per Action Owner (Detective / Deterrent / Preventive per owner); Count of Deficiency per Action Owner (bar, exported total 70).