
Project Report

of
DISA 2.0 Course
REPORT ON REVIEW OF SECURITY AND CONTROL PRACTICES OF ZEBRA CLOUD SOLUTIONS LTD. – A CLOUD COMPUTING SERVICE PROVIDER

CERTIFICATE
Project report of DISA 2.0 Course

This is to certify that we have successfully completed the DISA 2.0 course training conducted at:

Nagpur from 1st November 2018 to 25th November 2018 and we have the required attendance.
We are submitting the Project titled: REPORT ON REVIEW OF SECURITY AND CONTROL
PRACTICES OF CLOUD COMPUTING SERVICE PROVIDER.

We hereby confirm that we have adhered to the guidelines issued by CIT, ICAI for the project.
We also certify that this project report is the original work of our group and each one of us has
actively participated and contributed in preparing this project. We have not shared the project
details or taken help in preparing the project report from anyone except members of our group.

1. Name: Ayush Narware DISA No: 56444 Signed: Ayush Narware


2. Name: Pushkar Thakare DISA No: 55981 Signed: Pushkar Thakare

Place: Nagpur

Date: 08/12/2018

ABCD & Co. |



Contents
A. Details of Case Study/Project (Problem).................................................................................................4
B. Project Report.........................................................................................................................................5
1. Introduction.............................................................................................................................................5
2. Auditee Environment...............................................................................................................................7
3. Background............................................................................................................................................18
4. Situation................................................................................................................................................19
5. Terms and Scope of Assignment............................................................................................................22
6. Logistic Arrangements Required............................................................................................................23
7. Methodology and Strategy Adopted for Execution of Assignment........................................................25
8. Documents Reviewed............................................................................................................................28
9. References.............................................................................................................................................30
10. Deliverables, Timeframe and Fees.......................................................................................................33
11. Format of Report/Findings and Recommendations.............................................................................34
12. Summary/Conclusion...........................................................................................................................54
Annexures..................................................................................................................................................56


Project Report
Title: Report on Review of Security and Control Practices of Cloud Computing Service Provider

A. Details of Case Study/Project (Problem)


Zebra Cloud Solutions (ZCS) Ltd. is a cloud computing service provider that offers solutions like
Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS) to its
clients spread across a wide range of sectors. As ZCS hosts its customers’ data on its servers, its
stakeholders (regulators, management and customers) are apprehensive regarding the security and
controls at ZCS vis-à-vis the storage of data. The management of ZCS is desirous of obtaining
independent assurance through an Information Systems (IS) Audit to provide assurance to its
stakeholders in India.

The audit assignment requires the following deliverables from the IS auditors:

• To prepare an audit program with detailed procedures for each audit area to ensure review of
existing security and control practices.
• To provide additional detailed security and control procedures as relevant to Indian regulations,
considering the Information Technology Act and other compliances as applicable to Indian
companies.
• To provide an independent report so as to provide assurance to the management on security
and control practices, with specific recommendations on areas of improvement.


B. Project Report

1. Introduction

1.1 Zebra Cloud Solutions

Zebra Cloud Solutions (“ZCS”) Ltd. is a cloud computing service provider with its Head Office located at
Bengaluru and data centers at Mumbai, Hyderabad, Chennai, Pune and Delhi. It provides cloud-based
services to banking, insurance, healthcare, manufacturing, supply chain and technology industry all over
the globe. It has more than a hundred servers in its data centers in India which are in turn connected to
more than five hundred servers which hold the worldwide business data of customers of ZCS. ZCS offers
three types of cloud computing services to its clients:
• Infrastructure as a Service (IaaS)
• Platform as a Service (PaaS)
• Software as a Service (SaaS)

Since ZCS offers its services using the internet and stores a huge amount of its customers’ data, it is
particularly important for ZCS to provide a high level of protection to its information assets. The business
model of ZCS is such that its servers are always connected to the internet and even the slightest
negligence in terms of security and control will have a significantly adverse effect on its business.

1.2 ABCD & Co. (Audit Firm)

ABCD & Co. is a partnership firm with four partners – Mr. A, Mr. B, Ms. C, and Mrs. D. The firm was
established in 1985 and has more than 30 years' experience in statutory audits. Since the year 2000, the
firm has diversified its practice into the domain of IS audits. The firm employs more than ten qualified
computer application and network graduates. Over the years, the firm has established a strong
network of technical experts who assist the firm in its system audit assignments. All the partners of
the firm are qualified Chartered Accountants and hold the coveted Diploma in Information Systems
Audit (DISA) certification. The partners of the firm have assisted their clients in areas related to IT
risk management and security review and analysis. The partners hold directorial positions in many
technology companies across the country, which has helped them stay updated on the latest
technological developments. Additionally, the partners have actively participated in the drafting,
development and amendment of many laws related to Information Technology in the country.

As per the audit plan for the ZCS audit assignment, a six-member audit team was formed. Mr. A, the
principal partner of the firm, acted as the audit engagement partner for the assignment. Mr. P, a
Chartered Accountant and DISA certificate holder employed in ABCD & Co., acted as the team leader. He
was assisted in the audit exercise by Ms. Q, a Chartered Accountant. Mr. R, a post-graduate in computer
application, assisted Mr. P and Ms. Q. The audit team also included Ms. S, an IT Engineer who
specializes in cloud computing and network analysis. She is a freelance IT expert and has participated in
numerous IS audits in the past.

The audit team for the Information Systems audit of ZCS comprised the following members:

Sr. No. | Member | Role in Audit Assignment
--- | --- | ---
1. | Mr. A (B.Com., FCA, DISA) | Audit Engagement Partner
2. | Mr. P (B. Com., LL. B., ACA, DISA) | Team Leader
3. | Ms. Q (B. Com., ACA) | Qualified CA Audit Team Member
4. | Mr. R (MCA) | Audit Assistant
5. | Ms. S (B. Tech. (IT)) | Technical Expert


2. Auditee Environment
2.1 Nature of Business

Zebra Cloud Solutions (ZCS) Ltd. offers cost-effective cloud computing solutions and caters to the banking,
insurance, healthcare, manufacturing, supply chain and technology industries. The National Institute of
Standards and Technology (NIST), US, defines cloud computing as "A model for enabling ubiquitous,
convenient, on-demand network access to a shared pool of configurable computing resources (e.g.
networks, servers, storage, applications, and services) that can be rapidly provisioned and released with
minimal management effort or service provider interaction."[1]

It is one of the top cloud companies in India, providing flexible payment, security, round-the-clock
technical support and the option of pay-per-use pricing.

2.1.1 Cloud Service Models of ZCS

ZCS is a complete computing solution provider offering Infrastructure as a Service (IaaS), Platform as a
Service (PaaS) and Software as a Service (SaaS). A brief description along with examples of these services
is given below:

• Infrastructure as a Service (IaaS): With this service, the capability provided to the consumer is to
provision processing, storage, networks and other fundamental computing resources where the
consumer is able to deploy and run arbitrary software, which can include operating systems and
applications. The consumer does not manage or control the underlying cloud infrastructure but has
control over operating systems, storage and deployed applications.
• Platform as a Service (PaaS): In this service, the capability provided to the consumer is to deploy
onto the cloud infrastructure consumer-created or acquired applications created using
programming languages, libraries, services, and tools supported by the provider. The consumer
does not manage or control the underlying cloud infrastructure including network, servers,
operating systems, or storage, but has control over the deployed applications and possibly
configuration settings for the application-hosting environment.
• Software as a Service (SaaS): The capability provided to the consumer is to use the provider's
applications running on a cloud infrastructure. The applications are accessible from various
client devices through a thin client interface such as a web browser (e.g., web-based email) or a
program interface. The consumer does not manage or control the underlying cloud
infrastructure including network, servers, operating systems, storage, or even individual
application capabilities, with the possible exception of limited user-specific application
configuration settings.[2]

[1] Cloud Computing definition referenced from ISA Module VIII published by ICAI (Page No. 71)
[2] Cloud Service Models referenced from ISA Module VIII published by ICAI (Page No. 73)


The following diagram[3] shows the different layers under the management of ZCS and its customers. In
the traditional model, all the layers of the architecture are managed by the customers as they are on
the customers' premises.

Layer | On premises | IaaS | PaaS | SaaS
--- | --- | --- | --- | ---
Applications | Customers manage | Customers manage | Customers manage | ZCS manages
Data | Customers manage | Customers manage | Customers manage | ZCS manages
Runtime | Customers manage | Customers manage | ZCS manages | ZCS manages
Middleware | Customers manage | Customers manage | ZCS manages | ZCS manages
O/S | Customers manage | Customers manage | ZCS manages | ZCS manages
Virtualization | Customers manage | ZCS manages | ZCS manages | ZCS manages
Servers | Customers manage | ZCS manages | ZCS manages | ZCS manages
Storage | Customers manage | ZCS manages | ZCS manages | ZCS manages
Networking | Customers manage | ZCS manages | ZCS manages | ZCS manages

2.1.2 Cloud Deployment Models of ZCS

ZCS delivers its services by employing three different kinds of cloud deployment models[4]:

Public Cloud: The cloud infrastructure is provisioned for open use by the general public. It may be
owned, managed, and operated by a business, academic, or government organization, or some
combination of them. It exists on the premises of ZCS.

Private Cloud: The cloud infrastructure is provisioned for exclusive use by a single organization
comprising multiple consumers. It may be owned, managed, and operated by the organization, a third
party, or some combination of them, and it may exist on or off premises.

[3] Layers of Management for different Service Models referenced from ISA Module VIII published by ICAI (Page No. 72)
[4] Cloud Deployment Models referenced from ISA Module VIII published by ICAI (Page No. 74)


Hybrid Cloud: The cloud infrastructure is a composition of two or more distinct cloud infrastructures
(private or public) that remain unique entities, but are bound together by standardized or proprietary
technology that enables data and application portability.

2.1.3 Services offered by ZCS

ZCS offers a host of services to its customers as depicted in the following table:

S. No. | Service | Cloud Service Category | Brief Description | Cloud Service Model
--- | --- | --- | --- | ---
1 | Simple Storage Service (S3)[5] | Cloud Storage | Provides cloud storage service through a web interface that allows easy storage and retrieval at a low cost. | IaaS
2 | Elastic Compute Cloud (EC2)[6] | Cloud Computing | Provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers. | IaaS
3 | CloudWatch[7] | Cloud Services Management | CloudWatch provides data and insights to monitor applications, understand and respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health. | IaaS
4 | CloudBroker[8] | Cloud Broker Services | Helps to plan, buy, and manage - or broker - IT resources across all cloud models from multiple suppliers while reducing compliance risk and overall IT costs. | IaaS
6 | Turquoise[9] | General Purpose Cloud Platform | It is a platform that provides cloud-based virtual solutions for various products such as Artificial Intelligence, Analytics, Databases, Developer Tools, Internet of Things, Mobile and Web. | PaaS
7 | Business Vantage[10] | Business Analytics | It is capable of managing all of the data. The clients can analyze huge data with this cloud-based product. It offers full integration with all the leading business analyst tools. | PaaS
8 | Simple Queue Service (SQS)[11] | Integration | Customers can send, store, and receive messages between software components at any volume, without losing messages or requiring other services to be available, using SQS. | PaaS
9 | Intelligent Platform[12] | Development and Testing | It offers a platform for development and testing tools for planning, building, testing, releasing, deployment, operations and monitoring of developed software. | PaaS
10 | SimpleDB[13] | Database | It is a highly available cloud-based database that offloads the work of database administration. Developers simply store and query data items via web services requests and SimpleDB does the rest. | PaaS
11 | FastBooks Online (FBO)[14] | Accounting | It is cloud-based accounting software that allows users to input and access their data through the web browser. It helps users manage cash flows, invoices, taxes and helps them save costs by creating the required reports. | SaaS
12 | ClickFast[15] | Content Management | It enables publishers to create, manage, and publish content to any device. | SaaS
13 | Zebra On Demand (ZOD)[16] | Customer Relationship Management (CRM) | The cloud-based customer relationship management (CRM) software helps organizations drive sales, marketing, loyalty and service effectiveness. | SaaS
14 | WebDocs (WD)[17] | Document Management | It allows customers to easily create, view, edit, and share documents on any desktop, tablet, or mobile device. | SaaS
15 | SuccessFactors[18] | Human Resources Management | It includes a complete set of integrated talent management, robust workforce analytics and other HR processes. | SaaS

[5] Amazon S3 description as retrieved from https://aws.amazon.com/s3/
[6] Amazon EC2 description as retrieved from https://aws.amazon.com/ec2/
[7] Amazon CloudWatch description as retrieved from https://aws.amazon.com/cloudwatch/
[8] IBM Cloud Broker description as retrieved from https://www.ibm.com/in-en/marketplace/cloud-brokerage-solutions
[9] Microsoft Azure description as retrieved from https://azure.microsoft.com/en-in/solutions/
[10] Vantage description as retrieved from https://www.teradata.com/Products/Software/Vantage
[11] Amazon SQS description as retrieved from https://aws.amazon.com/sqs/
[12] Akamai DevOps platform description as retrieved from https://developer.akamai.com/devops
[13] Amazon SimpleDB description as retrieved from https://aws.amazon.com/simpledb/
[14] Intuit QuickBooks Online description as retrieved from https://quickbooks.intuit.com
[15] Clickability description as retrieved from https://uplandsoftware.com/clickability/
[16] Oracle On Demand description as retrieved from http://www.oracle.com/us/products/applications/crmondemand/index.html
2.2 Organization Structure

ZCS has adopted a functional organization structure. The CEO is at the top of the organization. The
Chief Information Security Officer, Chief Financial Officer, Chief Sales Officer, Chief Technology
Officer and Chief Administration Officer report to him. Various Vice Presidents (VPs) of the different
functions report to these Chief Officers. The company's organization structure is shown in the figure below:

Chief Executive Officer
• Chief Information Security Officer: VP – Network Security; VP – Application Security; VP – Data Security
• Chief Financial Officer: VP – Finance & Accounts; VP – Taxation; VP – M&A
• Chief Sales Officer: VP – Marketing; VP – Sales; VP – Advertising
• Chief Technology Officer: VP – Infrastructure; VP – Engineering; VP – Strategy
• Chief Administration Officer: VP – Human Resources; VP – Legal; VP – CSR

[17] NetDocuments description as retrieved from https://www.netdocuments.com/en-us/document-management/
[18] SAP SuccessFactors description as retrieved from https://www.successfactors.com/en_us/solutions.html


2.3 Technology Deployed

2.3.1 Network Infrastructure

ZCS has deployed the Virtualized Multi-Tenanted Data Center (VMDC)[19] network infrastructure. The
infrastructure is a proprietary network solution offered by Cisco Solutions. It is well suited to a Cloud
Computing Service Provider like ZCS that offers IaaS, PaaS and SaaS services to its customers. The
infrastructure is shown in the following figure:

[Figure: Cisco VMDC network infrastructure. Layers from left to right: Application Software (subscriber
applications, e.g. Subscriber A, B and C each running Application 1 and Application 2), VSwitch, Virtual
Machine / Compute, Storage Access & SAN, Services, Aggregation, and IP-NGN Peering / Backbone (Internet,
Partners). Connectivity shown: App to VM, VM to VSwitch, VSwitch to Hardware, 10G Ethernet, 4G Fibre
Channel. Embedded services: Firewall, Application Control System, Secure Sockets Layer. Components:
VMware vSphere ESX4 and third-party apps, Cisco Nexus 1000V, UCS Servers, Fabric Interconnect, Storage
Arrays, DataCenter Services Node (DSN), Ethernet Switch, Routers.]

2.3.1.1. Network Application Software: This is the Solutions component layer in which software
solutions from Cisco and other third parties are deployed. The following table gives the details of the
applications deployed in this layer:

Vendor | Component | Software Versions
--- | --- | ---
Cisco | Virtual Supervisor Module (VSM) | NX-OS 4.0(4)SV1(2)
Cisco | Unified Computing System Manager (UCSM) | 1.0(2d)
Cisco | Application Control Engine (ACE20-MOD-K9) | A2(1.6a)
VMWare | vSphere Server Enterprise Plus | 4.0.0 Build 162856
Sun Microsystems | Java Runtime Environment | 1.60_12 or above

[19] Cisco VMDC architecture retrieved from https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Data_Center/VMDC/1-1/vmdcDg11/overview.html


2.3.1.2. Virtual Compute: The Virtual Compute farm contains 256 UCS B200 servers (dual quad-core
Intel Xeon X5570 CPU at 2.93 GHz and 72 GB RAM) organized into a VMware ESX cluster; and 128
servers. The Converged Network Adapters (CNAs) provide Local Area Network (LAN) and Storage Area
Network (SAN) connectivity to the servers, which run VMware ESX4.0 hypervisor. The CNAs provide LAN
and SAN services to the hypervisor.

2.3.1.3. Virtual Switch (VSwitch): Cisco Nexus 1000V acts as the virtual access layer for the virtual
machines (VMs). There is one Nexus 1000V virtual supervisor module (VSM) per ESX cluster. Each ESX
server runs an instance of the Nexus 1000V Virtual Ethernet Module (VEM).

2.3.1.4. Storage Area Network (SAN): This consists of storage arrays that support Fibre Channel (FC) and
information lifecycle management (ILM) services. The storage arrays connect through SAN switches to
the switches in the access layer.

2.3.1.5. VM Virtual Access Layer: This layer allows access for the virtual machine. Switches (Cisco Nexus
1000V DVS) act as the virtual access layer for the virtual machines (VMs).

2.3.1.6. Services Layer: A Data Center Service Node (DSN) virtual switching system (VSS) provides
security services for the hosts. The Application Control Engine (ACE-20) and Firewall Services Module
(FWSM) provide virtual firewall and server load-balancing services to the VMs. Dual FWSM and ACE
modules are configured in an active/active high availability design to make sure that ZCS does not
experience downtime in case of external attacks.

2.3.1.7. Peering: Redundant routers act as Data Center/Wide Area Network edge routers and provide
10GE connectivity for Internet services. The router allows access to cloud customers.

2.3.2 Hardware Components

S. No. | Component | Manufacturer/Brand | Function
--- | --- | --- | ---
1. | Core Routers (2 Nos) | Cisco Carrier Routing System (CRS-X)[20] | To connect the Data Center to the WAN (Edge Routers). These are configured in a High Availability mode, and have IPsec implemented on them.
2. | Core Switches (2 Nos) | Cisco Catalyst 9500 Series Switches | In each of the two zones to provide for VLANs
3. | ISDN Routers | Cisco 4000 Series Integrated Services Router | To connect to customers' routers to ISDN back-up line.
4. | Ethernet Switch | Cisco ME 1200 Series Carrier Ethernet Access Devices | For each of the racks
5. | ACS Server | Cisco Secure Access Control Server | For Terminal Access Controller Access-Control System – for authentication, accounting, and authorization services of all network devices including the customers' routers.
6. | Firewalls (Core and Segment) | Cisco Firepower 9000 Series Firewall | Each of the 2 zones is protected by 2 separate clusters of high performing firewalls
7. | Internet Router | Cisco Network Convergence System 6000 Series Router | To connect the data center to ISPs.
8. | Data Center Services Node and Virtual Switching System | Cisco Catalyst 6500 E | Delivers up to 2 terabits per second of system bandwidth capacity and 80 Gbps per-slot for all slots.

[20] All Cisco products referenced from https://www.cisco.com/c/en/us/products/

2.3.2 System Software

ZCS primarily uses Microsoft Windows Server 2019 and Juniper Network and Security Manager (NSM)
in order to provide efficient cloud computing services to its clients. The following table shows the list of
system software installed by ZCS:

Vendor | Software | Software Versions | Description
--- | --- | --- | ---
Microsoft | Windows Server 2019 | 10.0.17763 | Operating System
Juniper | Network and Security Manager (NSM) | NS-SM-S-BSE | Network Monitoring/Management Software

2.3.3 Application Software

ZCS uses a host of application software and tools to ensure maximum efficiency in service delivery. The
following table shows the list of application software deployed by ZCS:

Vendor | Software | Software Versions | Description
--- | --- | --- | ---
Commvault[21] | Commvault Complete Backup and Recovery | 13.3.4.1 | Standard backup and recovery functionality to store protected data on tape/disk media, including de-duplication and encryption capabilities.
Symantec[22] | Endpoint Protection | V5i | Antivirus/antimalware software
Science Logic[23] | Science Logic Server Monitoring | 18.3.1.1 | Server Monitoring and Management Software
Microsoft | Access | 2018 | Database management software
SAP | SAP ERP | 14.0.0.1 | Enterprise Resource Planning Software
Microsoft | SQL Server | 2017 | Relational Database Management System

[21] Commvault Complete Backup and Recovery description retrieved from https://www.commvault.com/complete-backup
[22] Symantec Endpoint Protection description retrieved from https://www.symantec.com/security_response/definitions/download/detail.jsp?gid=sep
[23] Science Logic Server Monitoring description retrieved from https://sciencelogic.com/product/technologies/compute

2.3.4 Regulatory Requirement

ZCS is offering the state-of-the-art cloud computing offerings mentioned in the previous sections to its
customers in India with the assurance of data being available in India. The significant regulations relevant to
ZCS are as follows:

2.3.4.1 Information Technology (IT) Act, 2000

ZCS comes under the purview of Information Technology (IT) Act, 2000 (amended in 2008). The relevant
sections of the IT Act, 2000 are reproduced hereunder:

• Section 7A Audit of documents i.e. in Electronic Form: Where in any law for the time being in
force, there is a provision for audit of documents, records or information, that provision shall
also be applicable for audit of documents, records or information processed and maintained in
electronic form.
• Section 43A: Where a body corporate possessing, dealing or handling any sensitive personal
data or information is negligent in implementing and maintaining reasonable security
practices, resulting in wrongful loss or wrongful gain to any person, such body corporate
may be held liable to pay damages to the person so affected. It is important to note that there is
no upper limit specified for the compensation that can be claimed by the affected party in such
circumstances.
• Section 72A: Disclosure of information, knowingly and intentionally, without the consent of the
person concerned and in breach of the lawful contract has also been made punishable with
imprisonment for a term extending to three years and a fine extending to INR 5,00,000.

2.3.4.2 Clause 49 of the Listing Agreement on Corporate Governance

Since ZCS has its shares listed on the Bombay Stock Exchange and the National Stock Exchange, Clause
49 of the Listing Agreement on Corporate Governance as mandated by the Securities Exchange Board of
India (SEBI) is applicable to the company. The relevant provision of the Clause 49 of the Listing
Agreement regarding audit committee is as follows:

The role of the audit committee has been sharpened with specific responsibilities including recommending
the appointment of Auditors and monitoring their independence and performance, approval of related
party transactions, scrutiny of inter-corporate loans and investments, valuation of undertakings/assets,
etc. The audit committee is contemplated as a major vehicle for ensuring controls, sound financial reporting
and overall good corporate governance. Internal audit reports relating to internal control weaknesses
are to be reviewed by the Audit Committee.


2.3.4.3 Company Auditor’s Report Order (CARO), 2016

As ZCS is a company, the Company Auditor's Report Order (CARO), 2016[24] is applicable to it. It requires
verifying the adequacy of internal control procedures and determining whether there were any
continuing failures to correct major weaknesses in internal controls. It also requires reporting whether
any frauds on or by the company have been noticed or reported.

2.3.5 Overview of Internal Policies and Procedures[25]

Control over IT assets is shared by ZCS and its customers. ZCS, for its part, provides highly secure services
and platforms and offers a wide range of security features which its customers can use. ZCS
communicates its policies regarding the security and control environment to its customers. ZCS provides
certificates and reports directly to its customers under a Non-Disclosure Agreement (NDA). It obtains
industry certifications and third-party attestations. It also publishes information about its security and
control practices in whitepapers and web site content.

2.3.5.1 ZCS IT Control Information

ZCS provides its IT control information to customers in many ways:

• Specific control definition: Major controls are important for customers' control environment
and require an external certification of the effectiveness of these key controls.
• General control standard compliance: With the ISO 27001 certification, ZCS complies with a
broad, comprehensive security standard and follows best practices in maintaining a secure
environment.

2.3.5.2 ZCS Risk and Compliance Program

ZCS provides information about its risk and compliance program to enable customers to incorporate ZCS
controls into their governance framework.

• Risk Management: ZCS management has developed a strategic business plan which includes risk
identification and the implementation of controls to mitigate or manage risks. ZCS management
re-evaluates the strategic business plan at least biannually.
• Control Environment: ZCS manages a comprehensive control environment that includes
policies, processes and control activities that leverage various aspects of the overall control
environment. This control environment is in place for the secure delivery of AWS' service
offerings.

[24] CARO requirements as referenced from ISA Module II published by ICAI (Page 86)
[25] AWS Risk and Compliance Overview retrieved from https://d1.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Overview.pdf


2.3.5.3 Information Security

ZCS has implemented a formal information security program designed to protect the confidentiality,
integrity, and availability of customers’ systems and data. ZCS publishes a security whitepaper that is
available on the public website that addresses how it can help customers secure their data.


3. Background
The management of ZCS, considering the enormous potential of cloud computing services, has opened its
office in India with Bangalore as its head office and data centers at Mumbai, Hyderabad, Chennai, Pune
and Delhi. It offers state-of-the-art cloud computing services to customers in India with the assurance
that their data remains available within India.

ZCS has undertaken significant measures in the past to improve security and control in the
organization. However, more and more prospective customers of the organization are demanding
assurance from independent auditors. The organization realized that an audit by an
independent Information Systems (IS) auditor would enable its prospective customers to rely on the
strength of ZCS’s ability to provide efficient and secure cloud services. The greater the level of
assurance, the more confidence a customer will have in ZCS. It is with this intention that the
management of ZCS has appointed the independent IS auditors “ABCD & Co.” to conduct a review of the
organization’s security and control practices.

The details of the objective and scope of work undertaken during the course of this audit are
outlined in the “Objective of the Assignment” and “Scope of Work” sections that follow.


4. Situation

4.1 Current Security and Control Scenario

ZCS has more than 100 servers in its data centers in India. These servers are also networked with more
than 500 servers which hold the worldwide business data of customers of ZCS. These servers are also
connected to the global offices of ZCS and their customers through high-speed networks and
telecommunication systems. To protect its data, ZCS has put in place a comprehensive Information
Security System. The company has used best-of-breed security and control practices for implementing
security for its IT infrastructure. This security system is subject to rigorous audit by independent IS auditors
and is also subject to regular IS audit using global best practices. An overview of the current security and
control scenario at ZCS is as follows:

Internal theft: One of the security vulnerabilities comes from unscrupulous internal employees. Such
employees can pass data to competitors in their business. Locating data in the highly secure data center of
ZCS deters such employees from stealing data because they are under surveillance. Data center
personnel employed by ZCS have their backgrounds verified extensively during the recruitment process.
They do not have as much understanding of the customers’ businesses as an internal employee of
the customer, so their interest in the data is greatly reduced, thereby mitigating data theft risks.

Physical access control: The data center is a sensitive zone. Only authorized personnel can enter it. The
entry is controlled through automatic access control systems linked to security alarms. This prevents
public access and stray entries. All such entries are automatically logged in entry logs.

Physical access monitoring: The area in and around the data center is continuously monitored through
surveillance cameras which capture the images of those entering that area. The video records are
archived. A security guard views the video monitor.

Login access control: This is a two-dimensional access control measure. First, only authenticated users can
log in. Second, they can log in only to the relevant transaction screens for which they have permissions.
Such access policies are administered through the deployment module of the ZCS platform. This mechanism
prevents unauthorized access to both transactions and data. ZCS trains customers to use specific
modules so that access policies can be set by an administrator designated by the customer. This way,
the customer has absolute control over access.

Audit trail: Even authenticated usage is tracked. Who logged in, when the login happened, how long the
session lasted, what the usage pattern is, and whether any unusual usage was noticed: these are the
ways in which tracking happens. Such trails discourage anyone from attempting misuse.
Thus, frauds can be both prevented and detected.
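The four questions the passage lists (who logged in, when, for how long, and whether usage was unusual) can be checked mechanically over an exported trail rather than by eyeballing it. The script below is an added example written for this review, not ZCS platform code or an ABCD & Co. working paper. The one-line-per-event log format, the 08:00 to 20:00 business-hours window, the eight-hour session limit and the three-failures threshold are all assumptions, and the sample records are constructed.

```python
"""Review of an application login audit trail over constructed sample records."""
from datetime import datetime, timedelta

# Constructed sample trail (not ZCS data): ISO timestamp, user, event, screen.
SAMPLE_TRAIL = """\
2018-11-05T09:02:11 alice LOGIN AP_INVOICE
2018-11-05T11:45:30 alice LOGOUT AP_INVOICE
2018-11-05T22:14:05 bob LOGIN PAYROLL
2018-11-06T01:20:00 bob LOGOUT PAYROLL
2018-11-06T08:55:00 carol FAILED GL_POST
2018-11-06T08:55:40 carol FAILED GL_POST
2018-11-06T08:56:10 carol FAILED GL_POST
2018-11-06T08:57:00 carol LOGIN GL_POST
2018-11-06T09:00:00 dave LOGIN AR_RECEIPT
2018-11-06T21:30:00 dave LOGOUT AR_RECEIPT
"""

# Review thresholds (assumed values, not ZCS policy).
BUSINESS_HOURS = (8, 20)          # logins expected between 08:00 and 19:59
MAX_SESSION = timedelta(hours=8)  # longer sessions are treated as unusual
FAILED_BEFORE_SUCCESS = 3         # this many failures before a success is flagged


def parse_trail(text):
    """Turn raw trail lines into (timestamp, user, event, screen) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, screen = line.split()
        records.append((datetime.fromisoformat(ts), user, event, screen))
    return records


def review_trail(text):
    """Return (user, timestamp, reason) findings: who, when, how long, unusual use."""
    findings = []
    open_sessions = {}   # user -> login timestamp of the session still open
    failures = {}        # user -> consecutive failed attempts so far
    for ts, user, event, screen in parse_trail(text):
        if event == "FAILED":
            failures[user] = failures.get(user, 0) + 1
        elif event == "LOGIN":
            if failures.get(user, 0) >= FAILED_BEFORE_SUCCESS:
                findings.append((user, ts, "login after repeated failures"))
            failures[user] = 0
            if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
                findings.append((user, ts, "after-hours login"))
            open_sessions[user] = ts
        elif event == "LOGOUT" and user in open_sessions:
            duration = ts - open_sessions.pop(user)
            if duration > MAX_SESSION:
                findings.append((user, ts, "session longer than %s" % MAX_SESSION))
    return findings


def session_summary(text):
    """Usage pattern per user: number of completed sessions and total seconds."""
    summary = {}
    open_sessions = {}
    for ts, user, event, _ in parse_trail(text):
        if event == "LOGIN":
            open_sessions[user] = ts
        elif event == "LOGOUT" and user in open_sessions:
            secs = (ts - open_sessions.pop(user)).total_seconds()
            n, total = summary.get(user, (0, 0))
            summary[user] = (n + 1, total + int(secs))
    return summary


if __name__ == "__main__":
    for user, ts, reason in review_trail(SAMPLE_TRAIL):
        print(user, ts.isoformat(), reason)
    print(session_summary(SAMPLE_TRAIL))
```

On the constructed sample the review flags bob’s late-night login, carol’s successful login immediately after three failures, and dave’s twelve-and-a-half-hour session; alice’s single daytime session passes. A user who logs in and never logs out (no LOGOUT event) is left in `open_sessions` and does not appear in the summary, which is itself worth reporting when reconciling a real trail.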

Data transport over internet: Data movement over the internet, from the customers’ office(s) to the ZCS
data center, is like goods moving on road transport highways. Both are vulnerable to theft. Such
transaction data is protected through encryption and transported over a secure sockets layer. This
prevents theft. Encryption renders the data meaningless, making any theft harmless.

Firewall: Data arriving via the internet at the data center is filtered through the firewall. This is like
immigration control, designed to detect illegal entrants. Only authentic customer data finally reaches
the server. Firewall policies are continually updated as per the information security management system
implemented in ZCS. This protects customers’ data from malicious software attacks.

Fire and natural calamities: Disasters can happen and affect data and business activities. Fire,
earthquakes and floods can ruin data and disrupt operations. ZCS has implemented a disaster recovery
mechanism to handle such crises. First, the data center itself is subject to fire safety regulations. Second,
all data is stored on high-speed storage area networks. From this storage, data is backed up according to
the data backup policy required by the information security management system. Daily, weekly and
monthly backups are taken. The media containing the backed-up data are stored in fire-proof vaults. A
copy of the same is stored in a different physical location. In the event of any disaster, the data available
on the backup media will be restored for operations to continue.

Privacy: Privacy is ensured in the following ways:

 Internal privacy: One department’s data cannot be viewed or altered by another department.
For example, HR data is not accessible to a Finance person.
 External privacy: A customer’s data is not available to anybody else. This is established by
allocating separate databases for each customer. Also, the servers dedicated to the customers
run on separate networks, so traffic from other networks, including ZCS employees’ networks,
cannot come into this network.
 External privacy involving government and regulatory bodies: These are strictly governed by
contractual agreements with the customers. Any request for data belonging to customers will
not be fulfilled for regulatory bodies without the involvement of the customers.

4.2 Need for Current Assignment

When the marketing team of ZCS engages with prospective customers, they find that the
customers are hesitant about sharing their data with ZCS. The reason for this hesitation is that the
customers are comfortable having their data stored on their own premises. Additionally, prospective
customers of the organization are demanding assurance from independent auditors. The organization
realized that an audit by an independent Information Systems (IS) auditor would enable its
prospective customers to rely on the strength of ZCS’s ability to provide efficient and secure cloud
services. The greater the level of assurance, the more confidence a customer will have in ZCS.

With more and more businesses in India going online for their day-to-day operations, Government
regulations regarding online operations have become stringent. The Information Technology Act, 2000
(amended in 2008) was introduced in India to regulate electronic data and records in the country.
Globally, many changes have taken place in the regulations related to information security and privacy.
For instance, the European Union has introduced the General Data Protection Regulation (GDPR) for all
individuals within the European Union. A draft Personal Data Protection Bill has already been
prepared by the Ministry of Electronics and Information Technology. Once the bill is passed as an Act, ZCS
will have to abide by more regulations for data security.

The management at ZCS realizes that the potential for the company’s growth is huge. ZCS offers an
all-encompassing suite of services to its clients including IaaS, PaaS and SaaS. As internet connectivity in
India improves and more enterprise operations move online, the role of a cloud service provider like ZCS
becomes extremely important. It is with this view that the management of ZCS has felt the need for an
audit by an independent IS auditor to review its existing security and control practices.

4.3 Identified Problem Areas and Control Weaknesses

The current scenario of security and controls demonstrates the following problem areas:

1. Incident Response: Contract Service Level Agreements (SLAs) with customers do not define the actions
to be taken for incidents such as security violations.

2. Data Security: Data which is transmitted is encrypted throughout, but there is no classification
schema for the data as top secret, confidential, company confidential, or public.

3. Data Integrity: Data which is not in transit is stored at the data center in decrypted or plain text form.
This leaves the data vulnerable to theft by data center personnel.

4. Application Security: Tools used for application development are not segregated as per the
requirements of customers, and there is no clear determination of ownership of tools and services.

5. Data Backup: Data confidentiality is not ensured for the backup data as there is no encryption of
backed-up data; it is stored in plain text.

6. Identity and Authentication Management: Since the entire logical access control is handled by the
customer, there is no clear policy or procedure in place regarding job function changes and
de-provisioning (or termination) of people.

7. Service Transition Planning: There is no planning for migration of data and data formats at the end of
the service level agreement.

8. Compliance and Audit: The SLAs do not mention whether the operating environment of ZCS can be
audited as per the customer’s audit charter without restriction.

9. Business Continuity and Disaster Recovery: Business Continuity Management and Disaster Recovery
processes are not assessed regularly.

10. Physical Security at Data Center: The data center security camera feed is viewed by only one security
guard. At least two security guards must be stationed for the viewing of security camera feeds to ensure
complete security.
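Problem area 6 (no procedure for job function changes and de-provisioning) is the kind of gap an IS auditor evidences by reconciling the HR roster against the access-administration export, because a missing procedure shows up as terminated staff with enabled accounts, roles that still reflect an old department, and accounts with no HR owner. The script below is an added example for that test, not a ZCS tool or an ABCD & Co. working paper. The two CSV layouts, the 90-day dormancy threshold, the review date and every row are constructed assumptions.

```python
"""Joiner-mover-leaver reconciliation over constructed HR and account exports."""
import csv
import io
from datetime import date, timedelta

# Constructed HR roster (assumed layout): who should have access according to HR.
HR_ROSTER = """\
emp_id,name,department,status,end_date
E001,alice,Finance,ACTIVE,
E002,bob,HR,ACTIVE,
E003,carol,Finance,TERMINATED,2018-10-15
E004,dave,IT,ACTIVE,
"""

# Constructed export from the customer's access-administration module (assumed layout).
ACCOUNT_EXPORT = """\
username,emp_id,enabled,role_department,last_login
alice,E001,Y,Finance,2018-11-04
bob,E002,Y,HR,2018-11-05
carol,E003,Y,Finance,2018-11-01
dave,E004,Y,Finance,2018-11-03
svc_backup,,Y,IT,2018-06-01
"""

DORMANT_AFTER = timedelta(days=90)   # assumed threshold, not a ZCS policy value
AS_OF = date(2018, 11, 6)            # assumed review date


def _parse_date(text):
    """Empty cells in the exports mean 'not applicable'."""
    return date.fromisoformat(text) if text else None


def reconcile(hr_csv, accounts_csv, as_of):
    """Return (username, reason) pairs for every account that contradicts HR records."""
    hr = {row["emp_id"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        user = acct["username"]
        enabled = acct["enabled"] == "Y"
        last_login = _parse_date(acct["last_login"])
        person = hr.get(acct["emp_id"])
        if person is None:
            # Leaver or service account nobody in HR is accountable for.
            findings.append((user, "no_hr_owner"))
        else:
            end = _parse_date(person["end_date"])
            if person["status"] == "TERMINATED":
                if enabled:
                    findings.append((user, "enabled_after_termination"))
                if end and last_login and last_login > end:
                    findings.append((user, "login_after_termination"))
            elif acct["role_department"] != person["department"]:
                # Mover: HR moved the person, the access profile did not follow.
                findings.append((user, "role_not_updated_after_job_change"))
        if enabled and last_login and as_of - last_login > DORMANT_AFTER:
            findings.append((user, "dormant_account"))
    return findings


def reconcile_sample():
    """Run the reconciliation on the constructed exports."""
    return reconcile(HR_ROSTER, ACCOUNT_EXPORT, AS_OF)


if __name__ == "__main__":
    for user, reason in reconcile_sample():
        print(user, reason)
```

On the constructed data carol (terminated 15 October, still enabled and logged in on 1 November) produces two findings, dave’s profile still carries his old Finance role after HR moved him to IT, and svc_backup has no HR owner and has not been used for over 90 days. Each finding maps to a question for the customer’s designated administrator, since under ZCS’s model the customer, not ZCS, owns these access decisions.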


5. Terms and Scope of Assignment

Based[26] on our understanding of ZCS’ needs for conducting an audit of its security and control practices, it
was decided to focus on a Review of Physical and Logical Access Controls. We propose the scope of review
and the terms of reference as laid down in the following paragraphs.

The envisaged terms of reference are based on the personal discussions key members of the assignment
team had with the internal audit team of ZCS on 5th November, 2018 at Bengaluru. The detailed scope,
review and methodology followed are given in the annexure. The methodology would be further
enhanced and refined as the audit progresses based on the specific needs of the audit environment.
Broadly, the scope of review, primarily from a security and controls point of view, would involve:

1. Physical Access Controls: Physical access controls restrict physical access to resources and protect
them from intentional and unintentional loss or impairment.

2. Environmental Security Controls: These controls make sure that the information security
infrastructure and facilities should not only provide a conducive environment for the effective and
efficient functioning of the information processing facility but should also protect the contents of such
facilities from undesirable variations in the environment.

3. Logical Access Controls: Logical access controls prevent and detect unauthorized access to
information assets and resources while ensuring that authorized users can access the information
resources as per their role and responsibilities.

4. Network Security Controls: These controls are important to implement as networks are far more
vulnerable to external threats than standalone systems. Especially for a cloud computing service
provider like ZCS, Network Security Controls are extremely critical.

5. Application Controls: These controls ensure achievement of ZCS’s business objectives of timely,
accurate and reliable information.

6. Review of controls to ensure alignment with IT Act, 2000, Clause 49 of Listing Agreement and CARO,
2016: We will review the adequacy of controls to make sure that they are as per the norms stipulated by
these regulations.

[26] Scope and Terms of Reference sourced from ISA Module II published by ICAI (Page 101)


6. Logistic Arrangements Required

6.1 Travel Arrangements

ZCS’s headquarters is located at Bengaluru. Its data centers are located at Mumbai, Hyderabad, Chennai,
Pune and Delhi. Since the office of “ABCD & Co.” is located at Mumbai, logistics arrangements involved
travel of the Information Systems audit team to Bengaluru, Hyderabad, Chennai, Pune and Delhi. The
logistics arrangements were made by the auditors themselves. Mr. P was responsible for taking prior
appointments with the concerned persons at ZCS. Thereafter, travel arrangements were made with
assistance from the travel agents JP Travel Co. Pvt. Ltd. at Nagpur. The audit lasted for
about six months, during which multiple visits were made to the offices and data centers of ZCS to review
its security and controls.

6.2 Infrastructure Required

It will be necessary for ZCS to appoint one coordinator who will be part of the discussion on the work
plan initially and continue to work with the ABCD & Co. team till the assignment is complete. ZCS will
make available the necessary computer time, software resources and support facilities necessary for
completing the assignment within the agreed timeframe. The conduct of the assignment should be
adequately communicated to the required personnel so as to facilitate extensive cooperation from the
respective personnel. We will require the following infrastructure:

6.2.1 Hardware Required

 One laptop: The laptop will be used at the data center as well as the offices of ZCS to review its
operations.
 One printer: A printer will be used to print out reports as required.
 A copier machine: If the ZCS team feels that any document needs to be copied, a copier
machine will be used.
 Sitting area and storage space: Adequate area for seating and for storing the belongings of the audit
team.
 Conference area: Suitable facility for discussion amongst our team and your designated staff.

6.2.2 System Software Required

 Operating System: Windows 10 is compatible with the audit tools employed by ABCD & Co.

6.2.3 Application Software

 Microsoft Office 365: The reports and presentations will be prepared by ABCD & Co. in MS Office
365. MS Access will be used to access the database.
 Microsoft SQL Server: Since ZCS uses MS SQL Server, ABCD & Co. will need access to the server to
understand database controls.


 Commvault Complete Backup and Recovery: ABCD & Co. will require access to the backup
software to understand data integrity controls.
 Symantec Endpoint Protection: ABCD & Co. will assess the level of protection against
malicious software and programs by studying the policies and logs in the antivirus software.
 Science Logic Server Monitoring: We will review the performance of the servers in the data
center by using Science Logic Server Monitoring.
 Snort IDS: The level of protection at ZCS against network intrusions will be reviewed using Snort
IDS.
 SAP ERP: We will require access to the SAP system of ZCS to understand the transmission of data
and review logical access controls.
 Computer Assisted Audit Techniques (CAAT) Tools:
o WizRule: A tool to evaluate data quality based on data content, data patterns, rules
and relationships.
o Vanity Integrity: Processes data content in conjunction with metadata to abstract
business rules and relationships.

6.2.4 Documentation

 User Manuals and Technical Manuals: These manuals will help us in understanding the usage of
system software and applications hosted by ZCS.
 Service Level Agreements: They will help us understand the contractual obligations and
compliances required to be followed by ZCS while serving its clients.
 Organization chart outlining the organization hierarchy and job responsibilities: Organization
chart will enable us to make sure that controls in place are as per job responsibilities.
 Circulars/guidelines issued to employees: Circulars and guidelines issued to employees will help
us in ensuring that employees have the appropriate access controls.
 Any other documentation as identified by us during the course of the assignment: If the audit
team recognizes the need to refer to any other documents, the same should be made available
to it.


7. Methodology and Strategy Adopted for Execution of Assignment

7.1 Primary Objective

The primary objective of the assignment is to conduct a review of physical access controls,
environmental security controls, logical access controls, network security controls and application
controls.

7.2 Standards Used

ABCD & Co. will adopt the latest and globally recognized standard for IS audit - Control Objectives for
Information and Related Technology (COBIT) as issued by the Information Systems Audit and Control
Association (ISACA), USA.

Additionally, we have used the following Standards on Auditing (SAs) issued by The Institute of
Chartered Accountants of India (ICAI):

SA 402: Audit Considerations Relating to Entities Using Service Organizations: Since ZCS is a cloud
computing service provider to many clients, this standard was used to understand the nature and
significance of the services provided by ZCS to its clients.

SA 530: Audit Sampling: We used statistical and non-statistical sampling to design and select the audit
sample, performed tests of controls and tests of details, and evaluated the results from the sample.

SA 620: Using the Work of an Expert: Since cloud computing is dependent on web services, we used this
standard to take the help of an expert, Ms. S, a freelance web services expert, to assess the risks
in ZCS’s web services.

7.3 Audit Approach

Our audit approach for this assignment would be as follows:

i. Deploy a core team of 4-5 IS audit personnel in batches of 2-3 as per the skill sets and tasks
required, under the personal direction and liaison of the Engagement Partner, Mr. A.
ii. ZCS must designate a person at a senior level to coordinate between ABCD & Co. and ZCS. The
audit team would also comprise one person from ZCS from each of the systems and audit groups.
iii. Detailed systematic audit procedures would be finalized after completing the review of the
documentation and discussions with staff and users.

In tune with the terms and scope of reference of the assignment, we will adapt the methodology from
COBIT.

7.4 Structured Methodology

The above mentioned objectives shall be achieved through the following structured methodology:


 Obtain an understanding of deployment of IT resources
 Obtain an understanding of the IT Strategy and internal control system
 Identify and scrutinize the IT related circulars issued
 Review the Organization Structure and Information Architecture
 Review the existing policies, procedures and practices
 Application of COBIT for formulating best IT practices for the policy and procedures at ZCS
 Formulation of draft report on our findings covering our review and benchmarking
 Presentation of final report with agreed action plan based on feedback of IT management and
internal Audit team at ZCS

7.5 Audit Plan

The audit plan would cover:

 Discussions with Internal Audit Team
 Discussions with Systems and Implementation Team
 Discussions with Users
 Review of Operating Systems (OS) documentation
 Review of environmental and physical security
 Review of data center security
 Examination of OS access rights
 Review of SAP Manuals
 Examination of selected modules access profiles
 Observation of the Users and the systems in operation
 Review of logical access controls
 Examination of computerized processing controls incorporated within the selected modules.

7.6 Audit Procedures

Our audit team would perform the following tasks and include the following procedures:

1. Visit the data center and observe the physical and environmental controls.

2. Undertake an in-depth analysis of all control aspects as implemented at ZCS. In doing so, the following
objectives would be kept in mind while setting the overall goals:

 Accurate and complete processing of data
 Error messages in case of incomplete/aborting of processing of data
 Optimize data handling and storage
 Better management of information

3. Review the system architecture in operation; understand how the various modules interact within the
overall system.


4. Review how each module in the system has been tested including the documentation prepared in
respect of each.

5. Review the methods employed for implementation of the system, including post-implementation
review procedures undertaken to ensure that the objectives set out were actually achieved.

6. Understand the business processes and review how these have been mapped in the information
systems by tracing the modules with a top down approach.

7. Review the modules by performing detailed documented tests of all the menu options and their
related effects.

8. Review the controls established over the continuity of stored data, necessary to ensure that once data
is updated to a file, the data remains correct and current on the file.

9. Review the in-built controls for stored data so as to ensure that only authorized persons have access
to data on computer files.

10. Review the controls established which ensure that all transactions are input and accepted for further
processing and that transactions are not processed twice.

11. Review the controls established so as to ensure that only valid transactions are processed.

12. Review the procedures established for back-up and recovery of files in the package.

13. Review controls established for the development, documentation and amendment of programs so as
to ensure that they go live as intended.

14. Review the network configurations and understand network controls.

15. Present the Cloud Security Alliance Consensus Assessment Initiative questionnaire (presented in
Annexure II) to the relevant IT personnel to assess the levels of security and controls in the organization.


8. Documents Reviewed

1. Organization
Document: Organization Chart
Purpose: To understand the organization, terms of employment and segregation of roles and
responsibilities.

2. Interested Parties
Document: List of Stakeholders
Purpose: To understand the stakeholders like promoters, management, customers, and government
bodies.

3. Leadership
Documents: Strategies; Vision and mission document; Budget and contingency plans
Purpose: To obtain evidence of leadership’s commitment to information security.

4. Policies
Documents: Information Security Policy; Information Classification Policy; Access Control Policy;
Password Management Policy; Bring Your Own Devices (BYOD) Policy; Mobile Usage Policy
Purpose: To understand the organization’s commitment to information security through formal
documentation.

5. Communication to employees
Documents: Circulars; Notifications; Memos; Briefings sent to employees regarding information security
Purpose: Communication from senior management to employees outlining the need for information
security practices and controls.

6. Control Documents
Document: Version control documents
Purpose: To ensure that whenever a document is updated, its version is updated in the version control
document.

7. Human Resources
Documents: Background Check records; Screening Documents; Third Party Assurance; Termination
records; Exit interviews
Purpose: To understand the procedures undertaken by the HR department to screen candidates before
they are formally employed.

8. Assets
Documents: Assets Inventory; List of Asset Owners
Purpose: The list of Information Technology assets and owners will help us identify the responsibility
towards asset use.

9. Media
Documents: Media Control Policy; Media Disposal Policy
Purpose: To review guidelines about usage of portable storage media, transport of storage media and
their disposal.

10. Logs
Documents: Event logs; Administrator logs; Security logs
Purpose: To verify that the relevant events are recorded in appropriate logs.

11. Network
Documents: Network Architecture; Network Security Policy
Purpose: To understand the network architecture of the company and make sure that adequate security
measures are in place.

12. Software
Documents: Software Installation Policy; Version Management; Change Approval; Acquisition Policy;
Outsourced Development Policy
Purpose: To understand the lifecycle of software development in the organization and the controls in
place before software goes live.

13. Compliance
Documents: Past audit reports; Past review records
Purpose: To understand any weaknesses identified by past audit exercises.


9. References

1. Cloud Computing definition: ISA Module VIII, IT Professional Opportunities, page 71
2. Cloud Computing Service Models: ISA Module VIII, IT Professional Opportunities, page 73
3. Layers of Management for different Service Models: ISA Module VIII, IT Professional Opportunities, page 72
4. Cloud Deployment Models: ISA Module VIII, IT Professional Opportunities, page 74
5. Amazon S3 service description: https://aws.amazon.com/s3/
6. Amazon EC2 description: https://aws.amazon.com/ec2/
7. Amazon CloudWatch description: https://aws.amazon.com/cloudwatch/
8. IBM Cloud Broker description: https://www.ibm.com/in-en/marketplace/cloud-brokerage-solutions
9. Microsoft Azure description: https://azure.microsoft.com/en-in/solutions/
10. Vantage description: https://www.teradata.com/Products/Software/Vantage
11. Amazon SQS description: https://aws.amazon.com/sqs/
12. Akamai DevOps platform description: https://developer.akamai.com/devops
13. Amazon SimpleDB description: https://aws.amazon.com/simpledb/
14. Intuit QuickBooks Online description: https://quickbooks.intuit.com
15. Clickability description: https://uplandsoftware.com/clickability/
16. Oracle On Demand description: http://www.oracle.com/us/products/applications/crmondemand/index.html
17. NetDocuments description: https://www.netdocuments.com/en-us/document-management/
18. SAP SuccessFactors description: https://www.successfactors.com/en_us/solutions.html
19. Cisco VMDC architecture: https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Data_Center/VMDC/1-1/vmdcDg11/overview.html
20. Cisco Hardware components description: https://www.cisco.com/c/en/us/products/
21. Commvault Complete Backup and Recovery description: https://www.commvault.com/complete-backup
22. Symantec Endpoint Protection description: https://www.symantec.com/security_response/definitions/download/detail.jsp?gid=sep
23. Science Logic Server Monitoring description: https://sciencelogic.com/product/technologies/compute
24. CARO requirements: ISA Module II, Information Systems Assurance Services, page 86
25. AWS Risk and Compliance Overview: https://d1.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Overview.pdf
26. Scope and Terms of Reference: ISA Module II, Information Systems Assurance Services, page 101
27. Physical Access Controls and audit procedures: ISA Module IV, Protection of Information Assets, page 61
28. Environmental Security Controls and audit procedures: ISA Module IV, Protection of Information Assets, pages 72-73
29. Logical Access Controls and audit procedures: ISA Module IV, Protection of Information Assets, pages 106-108
30. Network Security Controls, SMIME and Audit Techniques: ISA Module IV, Protection of Information Assets, page 128
31. IDS: ISA Module IV, Protection of Information Assets, page 133
32. SIEM and SOC: ISA Module IV, Protection of Information Assets, page 135
33. Cloud auditing issues: ISA Module VIII, IT Professional Opportunities, page 84
34. OWASP: Cloud Security Alliance Security Guidance for Critical Areas of Focus in Cloud Computing 3.0, page 123, available at https://downloads.cloudsecurityalliance.org/assets/research/security-guidance/csaguide.v3.0.pdf
35. Terms of Reference: Terms of Reference of Deloitte Touche Tohmatsu Limited (UK) referenced from https://www2.deloitte.com/content/dam/Deloitte/dk/Documents/audit/ForretningsbetingelserUK01012017.pdf
36. Cloud Security Alliance Consensus Assessment Initiative Questionnaire: AWS response to CSA Questionnaire referenced from https://citadel-information.com/wp-content/uploads/2012/08/amazon-web-services-risk-and-compliance-whitepaper-2012-1.pdf


10. Deliverables, Timeframe and Fees

10.1 Deliverables

1. Draft report along with the executive summary of the review’s result together with the
recommendations of findings and risk analysis of findings.

2. Final report incorporating management’s comment and agreed priority plan of action based on the
exposure analysis.

3. Soft or hard copy of checklist used for the audit.

4. Soft or hard copy of audit methodology and documentation.

10.2 Timeframe

The expected time for the assignment is approximately 8 weeks. We would require a lead time of two
weeks before commencing the assignment. The availability of the coordinating team, user involvement,
and the availability of resources and information from the auditee would also affect the audit duration and
time schedule, which would be communicated to the auditee in advance.

10.3 Fees

The fee for this assignment is Rs. x.xx lakhs (GST at the rate of 18% will be added extra), payable
as follows:

 50% advance when the assignment is awarded
 50% on submission of the final report

10.4 Out of Pocket Expenses

Travelling, boarding, lodging and conveyance expenses of the audit team shall be reimbursed on actual
basis on outstation travel.


11. Format of Report/Findings and Recommendations


I. Executive Summary

11.1.1 Introduction

Zebra Cloud Solutions (“ZCS”) Ltd. is a cloud computing service provider with its Head Office located at Bengaluru and data centers at Mumbai, Hyderabad, Chennai, Pune and Delhi. It provides cloud-based services to the banking, insurance, healthcare, manufacturing, supply chain and technology industries all over the globe. It has more than a hundred servers in its data centers in India, which are in turn connected to more than five hundred servers that hold the worldwide business data of ZCS's customers. ZCS offers three types of cloud computing services to its clients:

• Infrastructure as a Service (IaaS)
• Platform as a Service (PaaS)
• Software as a Service (SaaS)

Since ZCS offers its services using the internet and stores a huge amount of its customers’ data, it is
particularly important for ZCS to provide a high level of protection to its information assets. The business
model of ZCS is such that its servers are always connected to the internet and even the slightest
negligence in terms of security and control will have a significantly adverse effect on its business.

11.1.2 Scope

Based on our understanding of ZCS's needs for conducting an audit of its security and control practices, it was decided to focus on a review of physical and logical access controls. We propose the scope of review and the terms of reference as laid down in the following paragraphs.

The envisaged terms of reference are based on the personal discussions that key members of the assignment team had with the internal audit team of ZCS on 5th November, 2018 at Bengaluru. The detailed scope, review and methodology followed are given in the annexure. The methodology would be further enhanced and refined as the audit progresses, based on the specific needs of the audit environment. Broadly, the scope of review, primarily from a security and controls point of view, would involve:

1. Physical Access Controls: Physical access controls restrict physical access to resources and protect
them from intentional and unintentional loss or impairment.

2. Environmental Security Controls: These controls ensure that the information security infrastructure and facilities not only provide a conducive environment for the effective and efficient functioning of the information processing facility, but also protect the contents of such facilities from undesirable variations in the environment.


3. Logical Access Controls: Logical access controls prevent and detect unauthorized access to
information assets and resources while ensuring that authorized users can access the information
resources as per their role and responsibilities.

4. Network Security Controls: These controls are important to implement as networks are far more
vulnerable to external threats than standalone systems. Especially for a cloud computing service
provider like ZCS, Network Security Controls are extremely critical.

5. Application Controls: These controls ensure achievement of ZCS’s business objectives of timely,
accurate and reliable information.

6. Review of controls to ensure alignment with the IT Act, 2000, Clause 49 of the Listing Agreement and CARO, 2016: We will review the adequacy of controls to make sure that they meet the norms stipulated by these regulations.

11.1.3 Scope Coverage and Limitations

The IS auditor team will carry out the following activities in relation to the Information System Audit around the above mentioned areas:

• Physical Access Controls
• Environmental Security Controls
• Logical Access Controls
• Network Security Controls
• Application Controls
• Review of controls to ensure alignment with the IT Act, 2000, Clause 49 of the Listing Agreement and CARO, 2016

Out of Scope

• Implementing remediation activities, including changes in the physical, environmental, logical, network and application controls, is excluded from the scope.
• Review of business continuity processes.

Limitations:

The IS Auditor team has assumed that the information provided by the various application owners at ZCS is true and correct to the best of their knowledge. Further, the IS Auditor team has relied on the information so provided.

11.1.4 Methodology

The above mentioned objectives shall be achieved through the following structured methodology:

• Obtain an understanding of the deployment of IT resources
• Obtain an understanding of the IT Strategy and internal control system
• Identify and scrutinize the IT related circulars issued
• Review the Organization Structure and Information Architecture
• Review the existing policies, procedures and practices
• Application of COBIT for formulating best IT practices for the policy and procedures at ZCS
• Formulation of draft report on our findings covering our review and benchmarking
• Presentation of final report with agreed action plan based on feedback of IT management and internal Audit team at ZCS

11.1.5 Purpose of the Report

This final report is prepared solely for the Internal Audit team of ZCS, Bengaluru. The report is meant for the use of those to whom it is addressed and should not be disclosed to any other parties. We will not accept any liability or responsibility to any third party with whom this report is shared or shown, or into whose hands it may come.

Unrestricted circulation of the report, even within ZCS, carries the risk that some internal employees may try to exploit the reported weaknesses before they are actually plugged. Consequently, you should not make our report available to any third party except the regulators unless we have specifically agreed with you the basis on which our report may be made available.

11.1.6 Risk Categorization

In order to provide management with an indication as to the significance of risk involved and the priority
with which the same needs to be addressed, all risks have been rated in accordance with the
classifications given below:

High Risk: Risks that could seriously compromise the internal control framework, data integrity and / or operational efficiency. These risks need to be addressed with utmost priority.

Medium Risk: Risks that could compromise the system's internal control, data integrity and / or operational efficiency and should therefore be addressed, but with a lower priority than those rated as high. Alternatively, these are significant control issues which should be addressed in the medium term because other compensating controls exist which cover the acknowledged business risk.

Low Risk: Risks that do not seriously affect the system in the short term. However, failure to address these risks may lead to long-term inefficiencies and non-compliance, thereby adversely affecting the existing control framework.

11.1.7 Acknowledgments

We would like to take this opportunity to thank the management and staff at all levels of ZCS for the
assistance we received from them during the course of our review. We would be happy to provide
further clarification that ZCS might need about any matter contained in this report.

11.1.8 Reading the Report


Section I: Executive Summary

Section II: Detailed Observations

Section I contains the project scope, our approach, summary of key observations and recommendations
etc.

Section II contains our observations relating to physical access controls, environmental security controls,
logical access controls, network security controls and application controls.

11.1.9 Table & Graph representing areas and risk rating wise number of observations

Area                              High Level Risk #   Medium Level Risk #   Low Level Risk #   Total
Physical Access Controls                  6                   11                  18             35
Environmental Security Controls           8                   15                  21             44
Logical Access Controls                   9                   16                  26             51
Network Security Controls                 7                   12                  25             44
Application Controls                      4                   17                  22             43
Regulatory Review                         4                   10                  14             28
Total                                    38                   81                 126            245

[Bar chart: number of observations per area, grouped by High Level Risk #, Medium Level Risk # and Low Level Risk #; the same data as the table above.]

11.1.10 Key Observations (High Risk) and Recommendations

Physical Access Controls

Observation: We observed a fire drill at the offices of ZCS. It was observed that a few employees chose to ignore the fire drill alarm and continued to work at their desks. Interviews with personnel disclosed that many of them were not aware about assembly points or the intention of a fire drill.[27]
Recommendation: Employees must strictly follow the fire drill policy. It should be emphasized that fire drills are important and are intended to help save the resources in case of a fire. Employees must be trained and made aware about the policy intentions.

Observation: We reviewed the procedures used by management to ensure that individuals having access to sensitive facilities are adequately restricted and possess physical access authorization. It was observed that the management does not hold periodic discussions about the existing procedures of physical access with the employees.
Recommendation: Management needs to review and revise the existing physical access controls with the employees. Interviews with employees revealed many difficulties regarding the practicalities of the entry and exit points of sensitive facilities.

Observation: It was observed that security guards checked the vehicles after they enter the premises of the company.
Recommendation: Security guards must check the vehicles before their entry inside the gates. Mirrors must be used to check the lower portions of the vehicles.

Observation: Physical security policies and standards are not defined and implemented.
Recommendation: Formal documentation of physical security policies and standards is important to ensure that users can be held accountable for their actions and that the policy direction is aligned with the business strategy of the company.

Observation: Data center entry/exit CCTV feeds are observed by only one security guard.
Recommendation: It is important that at least two security guards be employed to ensure integrity. It is possible that a single security guard can turn out to be corrupted and may allow and not report unauthorized access.

Environmental Security Controls[28]

Observation: We observed the electronic shielding to control radio emissions that affect the servers. It was observed that there was no shielding in the data center against radio emissions.
Recommendation: Radio emissions affect the data stored on computer systems. There should be a shielding strategy in place against interference and unauthorized access through emissions.

Observation: We verified the air intake vents, protective grills and roofs. It was observed that the air intake vents, grills and roofs were not safe from human entry.
Recommendation: The air intake vents, grills and roofs must be of suitable dimensions so that human entry is restricted. Additional measures such as alarms should be installed to detect human presence in vents, grills and roofs.

Observation: We checked the cables, plumbing pipes, smoke detectors and water detectors. A few cables were found to be hanging loosely. Two smoke detectors were found to be out of working condition.
Recommendation: If cables are hanging loosely, there is a danger of short circuit and thereafter a risk of fire. Cables must be concealed. Smoke detectors must be checked regularly to ensure early detection and safeguard the resources from fires.

Logical Access Controls[29]

Observation: We checked the logons on a sample basis and verified that they adhere to the password policy of the organization. It was observed that privileged and special purpose logons are not documented.
Recommendation: Logons with special privileges must be well documented and controlled as they have access across domains.

Observation: We reviewed the Access Control Lists to assess if access is based on least privilege and a need-to-know/need-to-do basis. It was observed that users in the marketing domain were able to access files and records from the finance domain.
Recommendation: We recommend that users' access be restricted only to their respective domains. Access Control Lists should be reviewed and cross-domain access must not be allowed.

Observation: The password policy recommends a strong password. However, there is no procedure to ensure that a password consists of numbers, symbols and letters in upper and lower case. During our interviews with users, we were told by many users that their passwords are plain texts.
Recommendation: The password policy must make sure that simple passwords, or passwords which do not consist of a combination of numbers, symbols and letters in upper and lower case, are not accepted.

Network Security Controls

Observation: The customers' data transmitted over the network is encrypted using SSL encryption. However, the private keys for decryption are emailed to the clients in plain text.
Recommendation: Encrypted email techniques must be used to communicate the private keys to the customers. We suggest S/MIME[30] (Secure/Multipurpose Internet Mail Extensions) using Microsoft Exchange for encrypted emails.

Observation: We observed that robust firewall policies are in place. However, the network is devoid of any Intrusion Detection System (IDS),[31] thereby making it vulnerable to incidents caused by insiders, people who would not be blocked by a firewall.
Recommendation: An Intrusion Detection System should be installed so as to act as the next line of defense beyond firewalls. IDS monitor activities to identify malicious or suspicious events.

Observation: Since ZCS operates as a cloud computing service provider, it has a wide network and massive logs are generated in a brief duration of time. It is a mammoth task to monitor and analyze these logs. This restricts the incident response capability.
Recommendation: Security Incident and Event Management (SIEM) tools must be employed, in addition to setting up a Security Operations Center (SOC),[32] to monitor network logs and enhance incident response capability.

Application Controls

Observation: ZCS has developed and deployed applications for usage on the cloud. We observed the application code documents and noted that there are no defined boundaries between ZCS and consumers to ensure clear identification of responsibilities regarding security controls.
Recommendation: The Service Level Agreements must define the trust boundaries[33] between ZCS and consumers to ensure that the responsibilities to implement security controls are clearly defined.

Observation: We reviewed the Penetration Testing documents and interviewed the testers who test the applications deployed by ZCS over the cloud. It was observed that only traditional tests are performed.
Recommendation: Traditional tests suffer from the drawback that they are not sufficient to test cloud applications from the point of view of multi-tenancy. We recommend employing Open Web Application Security Project (OWASP)[34] guidance, as recommended by the Cloud Security Alliance, to improve Application Security.

Regulatory Review

Observation: As per Sec. 43A of the IT Act, 2008, where a body corporate possessing any sensitive personal data or information in a computer resource which it owns is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes loss or gain to any person, such body corporate shall be liable to pay damages to the person so affected. As per Sec. 43A of the IT Act, 2008, disclosure of information, knowingly and intentionally, without the consent of the person concerned and in breach of the lawful contract has also been made punishable with imprisonment for a term extending to three years and a fine extending to INR 5,00,000. The management as well as the data owners were unaware of the above regulatory requirements.
Recommendation: Train the data owners by making them aware of the relevant sections of the IT Act, 2008. Lack of training and awareness may result in significant financial loss as well as reputation loss for ZCS.

Observation: As per Clause 49 of the Listing Agreement issued by SEBI, the role of the audit committee has been sharpened with specific responsibilities, including recommending appointment of Auditors and monitoring their independence and performance, approval of related party transactions, scrutiny of inter-corporate loans and investments, valuation of undertaking/assets etc. We observed that the audit committee was inclined to monitor only the financial aspects of audit. From our interviews of the committee and review of minutes of the meetings, it does not consider IT assets to be as important as financial assets.
Recommendation: The audit committee must be apprised of the requirements of Clause 49 of the Listing Agreement issued by SEBI regarding IT assets too. The audit committee must take into consideration its duty towards valuation and safeguarding of IT assets too.

Observation: As per CARO, 2016, the company has to verify the adequacy of internal control procedures and determine whether there were any continuing failures to correct major weaknesses in internal controls. We observed that internal controls were not reviewed periodically by the senior management. Therefore, it was not in a position to identify and correct weaknesses.
Recommendation: The senior management must review the internal controls in the company. They must discuss the controls in each of their meetings to make sure that they satisfy the requirements of CARO, 2016.

[27] Physical Access Controls and audit procedures referenced from ISA Module IV by ICAI, Page No. 61
[28] Environmental Security Controls and audit procedures referenced from ISA Module IV by ICAI, Page No. 72-73
[29] Logical Access Controls and audit procedures referenced from ISA Module IV by ICAI, Page No. 106-108
[30] Network Security Controls, SMIME and Audit Techniques referenced from ISA Module IV by ICAI, Page 128
[31] IDS referenced from ISA Module IV by ICAI, Page 133
[32] SIEM and SOC referenced from ISA Module IV by ICAI, Page 135
[33] Cloud auditing issues referenced from ISA Module VIII by ICAI, Page 84
[34] OWASP referenced from Cloud Security Alliance Security Guidance for Critical Areas of Focus in Cloud Computing 3.0 available at https://downloads.cloudsecurityalliance.org/assets/research/security-guidance/csaguide.v3.0.pdf

11.1.11 Overall Control Effectiveness within ZCS

Following is the number of controls checked in each area and the number of control gaps observed against the controls checked:

Area                              Number of Controls Checked   Number of Control Gaps Observed
Physical Access Controls                      4                              3
Environmental Security Controls               6                              4
Logical Access Controls                       4                              2
Network Security Controls                     5                              3
Application Controls                          7                              3
Regulatory Review                             5                              3

11.1.12 Quick Wins for ZCS – High Risk Observations with Low Implementation Effort

Note: Implementation efforts are arrived at based on the IS Auditor's past experience. Implementation efforts are categorized as follows:

• High – Risks which will take more than 4 weeks to remediate/mitigate
• Medium – Risks which will take 1 week to 4 weeks to remediate/mitigate
• Low – Risks which will take less than 1 week to remediate/mitigate

For example: If a risk can be remediated by means of a configuration change, such as ticking a checkbox, then its implementation effort is rated Low. If a risk can be remediated only by changing or instituting a business process with the involvement of multiple departments, then its implementation effort is rated High.

Area                              Number of High Level Risks   No of Observations with Low Implementation Effort Corresponding to these Risks
Physical Access Controls                      6                                    4
Environmental Security Controls               8                                    5
Logical Access Controls                       9                                    4
Network Security Controls                     7                                    4
Application Controls                          4                                    2
Regulatory Review                             4                                    1

[Bar chart: per area, Number of High Level Risks alongside No of Observations with Low Implementation Effort Corresponding to these Risks; the same data as the table above.]

11.1.13 Way Forward – Configuration and Manual Controls

All observations and recommendations contained in this report have been discussed with the
management and internal audit team. ZCS should now devise a time bound action plan, identifying the
responsibility and ownership to implement the control recommendations in order to address the control
weaknesses and associated risks. The implementation priority can be decided on the basis of risk ratings
identified below:


II. Detailed Observations

11.2.1 Physical Access Controls

11.2.1.1 Control
• Employees must follow the fire drill procedures, vacate their desks and assemble at assembly points.

Assessment of design effectiveness
• The design of the control is ineffective.

Assessment of operational effectiveness
• Not all employees follow the fire drill procedures.

Risk / Implication – High
• If fire drills are not followed, then in case of a real fire employees will not evacuate the premises, and it may result in loss of human life.

Recommendation
• Employees must be trained about fire drills and must be told the implications of not following the fire drill directives strictly.
• Employees who do not take fire drills seriously must be penalized.

Implementation Effort - Low

Evidence:
The audit team observed fire drills at all the sites.

11.2.1.2 Control
• Management review of physical access controls and discussion with employees.

Assessment of design effectiveness
• The design of the control is ineffective.

Assessment of operational effectiveness
• Management has not reviewed physical access controls and has not held discussions with employees.

Risk / Implication – High
• Employees may not find the physical access control procedures practical to follow.
• There will be serious lapses in exercising physical control if employees are not clear about the seriousness of the management.

Recommendation
• Management needs to review and revise the existing physical access controls with the employees.
• Employees must be encouraged to give feedback to the management regarding the effectiveness and practicalities of physical access controls.

Implementation Effort - Low

Evidence:
The audit team interviewed employees.

11.2.1.3 Control
• Screening of vehicles entering the facility by security guards.

Assessment of design effectiveness
• The design of the control is ineffective.

Assessment of operational effectiveness
• Security guards were observed to be allowing the vehicles inside the premises and only then checking the vehicles.

Risk / Implication – High
• It is possible that only after a vehicle is allowed inside the premises is it revealed that its occupants are unauthorized or that it contains potentially hazardous equipment.
• Sensitive facilities may be affected seriously if unauthorized vehicles are allowed to enter the premises.

Recommendation
• Security personnel must be instructed to screen the vehicles before they enter the premises.

Implementation Effort - Low

Evidence:
The audit team witnessed the security procedures at the premises' entrance gates.

11.2.1.4 Control
• Documentation of physical control policy and standards.

Assessment of design effectiveness
• The design of the control is ineffective.

Assessment of operational effectiveness
• The physical control policy and standards are not formally documented.

Risk / Implication – High
• Lack of formal documentation of the physical security policy may indicate a lack of seriousness on the part of management about implementing the controls.
• Responsibilities cannot be ascertained because a physical control policy does not exist.

Recommendation
• Management must formally document the physical control policy and standards.

Implementation Effort - Medium

Evidence:
The audit team asked for the physical control policy document, and the same was not obtained.

11.2.1.5 Control
• Observation of data center entry/exit CCTV feed by security guard.

Assessment of design effectiveness
• The design of the control is ineffective.

Assessment of operational effectiveness
• Only one security guard observes the data center CCTV feed.

Risk / Implication – High
• A single security guard may end up being corrupt and may allow unauthorized persons to enter the facility without raising an alarm.

Recommendation
• More than one security guard must be present in the CCTV control room to observe the feed.

Implementation Effort - Low

Evidence:
The audit team visited the CCTV control room and observed the routines of the security guards.

11.2.2 Environmental Security Controls

11.2.2.1 Control
• Use of radio emission shields to control radio emissions.

Assessment of design effectiveness
• The design of the control is ineffective.

Assessment of operational effectiveness
• It was observed that there was no shielding in the data center against radio emissions.

Risk / Implication – High
• Radio emissions affect the data stored on computer systems.
• Using radio emissions, the customers' data can be corrupted or erased, causing a significant loss to the company.

Recommendation
• There should be a shielding strategy in place against interference and unauthorized access through emissions.

Implementation Effort - Low

Evidence:
The audit team visited the data centers and observed the absence of radio shielding equipment.

11.2.2.2 Control
• Air intake vents, grills and roofs must be safe from human entry.

Assessment of design effectiveness
• The design of the control is ineffective.

Assessment of operational effectiveness
• It was observed that the air intake vents, grills and roofs were not safe from human entry.

Risk / Implication – High
• The air intake vents, grills and roofs must be of suitable dimensions so that human entry is restricted.
• Unauthorized persons can enter through air intake vents, grills and roofs and reach the computer systems, thereby affecting the entire system.

Recommendation
• Additional measures such as alarms should be installed to detect human presence in vents, grills and roofs.

Implementation Effort - High

Evidence:
The audit team visited the data centers and measured the air vents, grills and roofs. Building maps also reveal the dimensions of the air vents, grills and roofs.

11.2.2.3 Control
• Cables, plumbing pipes, smoke detectors and water detectors must be concealed and in working condition.

Assessment of design effectiveness
• The design of the control is ineffective.

Assessment of operational effectiveness
• A few cables were found to be hanging loosely. Two smoke detectors were found to be out of working condition.

Risk / Implication – High
• If cables are hanging loosely, there is a danger of short circuit and thereafter a risk of fire.
• Out of order smoke detectors will delay fire detection and can lead to damage of critical IT assets.

Recommendation
• Cables must be concealed and must not be allowed to hang loose.
• Smoke detectors must be checked regularly to ensure early detection and safeguard the resources from fires.

Implementation Effort - Low

Evidence:
The audit team assessed the electrical circuit layouts of the facilities and verified them against the actual cables, which were found to be hanging loose. We also checked whether the smoke detectors were in working condition.

11.2.3 Logical Access Controls

11.2.3.1 Control
• Documentation of privileged and special purpose logons.

Assessment of design effectiveness
• The design of the control is ineffective.

Assessment of operational effectiveness
• It was observed that privileged and special purpose logons are not documented.

Risk / Implication – High
• Without proper documentation of privileged and special purpose logons, there is a risk of such logons being misused.
• Employees with these logons can shun their responsibility if there is no proper documentation.

Recommendation
• Logons with special privileges must be well documented and controlled as they have access across domains.
• Logs should be maintained about usage of privileged and special purpose logons.

Implementation Effort - Low

Evidence:
The audit team sought the documentation of privileged and special purpose logons, but the same was not present.

11.2.3.2 Control
• Access must be based on least privilege and a need-to-know/need-to-do basis.

Assessment of design effectiveness
• The design of the control is ineffective.

Assessment of operational effectiveness
• It was observed that users in the marketing domain were able to access files and records from the finance domain.

Risk / Implication – High
• Since cloud computing works on the multi-tenancy principle, it is important that cross-domain access be restricted. Otherwise, the access can be misused and its effect will be magnified.

Recommendation
• We recommend that users' access be restricted only to their respective domains.
• Access Control Lists should be reviewed and cross-domain access must not be allowed.

Implementation Effort - High

Evidence:
The audit team observed the audit trails for activities of users in different domains. Additional user access tests were performed to verify permissions.
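The two logical-access gaps above (11.2.3.1, undocumented privileged logons, and 11.2.3.2, cross-domain access) are both found by reading an ACL export against the user directory and the privileged-logon register. The script below is an added example written for this report, not a ZCS tool; its data model, field names and every sample record (users, register entries, ACL rows) are constructed assumptions so that the check runs offline.

```python
"""Added example for this report (not a ZCS tool): review an ACL export for the
two logical-access gaps above, undocumented privileged logons and cross-domain
access. The data model, field names and all sample records are constructed
assumptions used only to make the check runnable."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed user directory: logon -> business domain the person belongs to.
USERS: Dict[str, str] = {
    "asharma": "marketing",
    "mkt_intern": "marketing",
    "rpatel": "finance",
    "svc_backup": "it",
    "dba_admin": "it",
}

# Constructed privileged-logon register: the documentation the control asks for.
# Only logons with an owner, purpose and review date count as documented.
PRIVILEGED_REGISTER: Dict[str, Dict[str, str]] = {
    "dba_admin": {"owner": "IT Ops", "purpose": "database administration",
                  "last_review": "2018-10-01"},
}

# Rights that make a logon "privileged" for the purpose of the register check.
PRIVILEGED_RIGHTS = frozenset({"admin", "full_control"})


@dataclass(frozen=True)
class AclEntry:
    logon: str
    resource: str
    resource_domain: str       # business domain that owns the resource
    rights: FrozenSet[str]     # e.g. {"read", "write", "admin"}


# Constructed ACL export, as a file-server or IAM dump might look after parsing.
ACL: List[AclEntry] = [
    AclEntry("asharma", "/shares/marketing/campaigns", "marketing", frozenset({"read", "write"})),
    AclEntry("asharma", "/shares/finance/ledger_2018.xlsx", "finance", frozenset({"read"})),
    AclEntry("mkt_intern", "/shares/finance/payroll", "finance", frozenset({"read", "write"})),
    AclEntry("rpatel", "/shares/finance/ledger_2018.xlsx", "finance", frozenset({"read", "write"})),
    AclEntry("svc_backup", "/shares", "it", frozenset({"read", "admin"})),
    AclEntry("dba_admin", "/db/prod", "it", frozenset({"admin"})),
    AclEntry("ex_employee", "/shares/finance/archive", "finance", frozenset({"read"})),
]


def cross_domain_grants(acl: List[AclEntry], users: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Entries whose user domain differs from the resource domain (least-privilege breach).

    A logon missing from the directory is reported as well: an ACL entry with no
    owning person is an orphaned grant, which is its own finding.
    """
    findings = []
    for e in acl:
        user_domain = users.get(e.logon, "<unknown>")
        if user_domain != e.resource_domain:
            findings.append((e.logon, user_domain, e.resource, e.resource_domain))
    return findings


def undocumented_privileged_logons(acl: List[AclEntry], register: Dict[str, Dict[str, str]]) -> List[str]:
    """Privileged logons (holding any PRIVILEGED_RIGHTS) absent from the register."""
    privileged = {e.logon for e in acl if e.rights & PRIVILEGED_RIGHTS}
    return sorted(privileged - set(register))


def review(acl=ACL, users=USERS, register=PRIVILEGED_REGISTER) -> Dict[str, list]:
    """Run both checks and return the findings the auditor would put in the report."""
    return {
        "cross_domain": cross_domain_grants(acl, users),
        "undocumented_privileged": undocumented_privileged_logons(acl, register),
    }


if __name__ == "__main__":
    result = review()
    for logon, udom, res, rdom in result["cross_domain"]:
        print(f"cross-domain grant: {logon} ({udom}) -> {res} ({rdom})")
    for logon in result["undocumented_privileged"]:
        print(f"undocumented privileged logon: {logon}")
```

On the constructed data the review reports two marketing logons reaching finance shares, one orphaned logon with no directory entry, and one service account with admin rights that nobody has documented. Re-running the same script after remediation gives the auditor the evidence that the gap is closed, which is what the Evidence paragraphs in this section rely on.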

11.2.3.3 Control
• Password policy must be enforced in a way that simple passwords are not allowed.

Assessment of design effectiveness
• The design of the control is ineffective.

Assessment of operational effectiveness
• The password policy does not alert users about the necessity of special characters, numbers and letters in upper and lower case.

Risk / Implication – High
• Plain text passwords can be easily deciphered by attackers.
• Attackers may obtain access to the system and thereby affect the data of customers.

Recommendation
• The password policy must make sure that simple passwords, or passwords which do not consist of a combination of numbers, symbols and letters in upper and lower case, are not accepted.

Implementation Effort - Low

Evidence:
The audit team reviewed the Access Control Lists. Interviews with users were conducted to understand whether they follow the password policy.
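The observation above is that the policy only recommends strong passwords and nothing enforces the composition rule. The function below is an added example written for this report, not ZCS code: it applies the rule the page names (numbers, symbols, upper- and lower-case letters) at the moment a password is set, so a weak password is rejected instead of merely discouraged. The minimum length, the small deny-list and the sample passwords are constructed assumptions; the page gives no length.

```python
"""Added example for this report (not ZCS code): enforce the password
composition rule the observation found missing, at password-change time.
MIN_LENGTH, the deny-list and the sample passwords are constructed assumptions."""
import string
from typing import List

MIN_LENGTH = 12   # assumption: the report states no minimum length

# Constructed deny-list standing in for a breached/common-password list; a real
# deployment would load a large list (and the company's own name variants).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "zebra"}


def password_violations(password: str, username: str = "") -> List[str]:
    """Return the policy rules a candidate password breaks; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # The four character classes the report's recommendation requires.
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    # Composition alone does not stop "Zebra@2018"-style passwords, so also
    # reject known words and the user's own logon name (case-insensitive).
    lowered = password.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a common password or dictionary word")
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    return problems


def is_compliant(password: str, username: str = "") -> bool:
    return not password_violations(password, username)


def enforce_password_change(username: str, new_password: str) -> bool:
    """Gate a password change on the policy. A real system would hash and store
    the password only after this returns; here it just reports the decision."""
    problems = password_violations(new_password, username)
    if problems:
        raise ValueError("password rejected: " + ", ".join(problems))
    return True


if __name__ == "__main__":
    for pw in ["summer2018", "Zebra@Cloud2018", "Kq7#vRt2!mZp"]:
        print(pw, "->", password_violations(pw, "asharma") or "compliant")
```

The check runs server-side where the password is set; the "alert users" wording in the operational assessment is the user-facing half of the same control, and the list of violations returned here is what that alert should display.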


11.2.4 Network Access Controls

11.2.4.1 Control
 Using encrypted email messages to convey private keys to customers.

Assessment of design effectiveness


 The design of the control is ineffective.

Assessment of operational effectiveness


 It was observed that the private keys for decryption of customers’ data are emailed to the
clients in plain texts over email.

Risk / Implication – High


 Attackers may easily steal the private keys intended for the customers.
 The private keys can be used to access and destroy the customers’ data, thereby causing
heavy loss for the company.

Recommendation
 Encrypted email techniques must be used to convey the private keys to the customers.
 We suggest S/MIME (Secure/Multipurpose Internet Mail Extensions) using Microsoft Exchange
for encrypted emails.

Implementation Effort - Low

Evidence:
The audit team reviewed the email policy of the organization. We also looked into the data flow
diagrams and understood the decryption mechanism.

11.2.4.2 Control
 Use of Intrusion Detection System (IDS) in the network.

Assessment of design effectiveness


 The design of the control is ineffective.

Assessment of operational effectiveness


 The network is devoid of any Intrusion Detection System (IDS), making it vulnerable to
incidents caused by insiders, i.e. people who would not be blocked by a firewall.

Risk / Implication – High


 Firewalls cannot detect malicious events undertaken from within the organization. A
disgruntled employee may run malicious code that seriously affects the system.

Recommendation
 An Intrusion Detection System should be installed to act as the next line of defense beyond
firewalls.


 It must be configured to alert on suspicious activity.

Implementation Effort - High

Evidence:
The audit team reviewed network diagrams and traced the actual network in the organization.
No IDS was found to be employed on the networks.

11.2.4.3 Control
 Enhancing incident response by using Security Information and Event Management (SIEM) tools.

Assessment of design effectiveness


 The design of the control is ineffective.

Assessment of operational effectiveness


 Many logs are generated throughout the company’s network. Monitoring these logs is a
difficult task.

Risk / Implication – High


 Logs are ineffective if they are merely generated but not analyzed in a timely manner.
 In case of incidents such as virus attacks or malicious activities, log monitoring will be delayed
in the absence of SIEM tools.

Recommendation
 Security Information and Event Management (SIEM) tools must be employed, in addition to
setting up a Security Operations Center (SOC), to monitor network logs and enhance incident
response capability.

Implementation Effort – High

Evidence:
The audit team reviewed the network logs. No tools were installed on the systems for
monitoring these logs.
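An added example (not from the report or from ZCS) of the correlation a SIEM performs over logs collected from several hosts: the same rule applied host by host fires nothing, while the merged timeline raises an alert. The log format, host names and thresholds are assumptions, and the log lines are constructed.

```python
"""Cross-host correlation of authentication events, the core task of a SIEM.

Added example, not part of the original report or of ZCS's systems. The log
format, host names and thresholds are assumptions; the log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs from three hosts. Each host alone sees at most two
# failures for "admin"; only the merged timeline shows the whole burst.
SAMPLE_LOGS = {
    "web01": [
        "2018-11-12T10:00:01 sshd auth failure user=admin src=10.0.5.7",
        "2018-11-12T10:00:09 sshd auth failure user=admin src=10.0.5.7",
    ],
    "db01": [
        "2018-11-12T10:00:15 sshd auth failure user=admin src=10.0.5.7",
        "2018-11-12T10:00:20 sshd auth failure user=admin src=10.0.5.7",
    ],
    "app01": [
        "2018-11-12T09:30:00 sshd auth success user=deploy src=10.0.2.2",
        "2018-11-12T10:00:30 sshd auth failure user=admin src=10.0.5.7",
        "2018-11-12T10:00:41 sshd auth success user=admin src=10.0.5.7",
    ],
}

def parse_line(host, line):
    """Parse one '<ts> sshd auth <result> user=<u> src=<ip>' line (assumed format)."""
    ts, _, _, result, user, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host, "result": result,
            "user": user.split("=", 1)[1], "src": src.split("=", 1)[1]}

def merge_logs(logs_by_host):
    """Central collection: one timeline ordered by timestamp across all hosts."""
    events = [parse_line(h, l) for h, lines in logs_by_host.items() for l in lines]
    return sorted(events, key=lambda e: e["ts"])

def detect_burst_then_success(events, window=timedelta(minutes=5), threshold=5):
    """Correlation rule: alert when one (user, source) fails at least `threshold`
    times within `window`, on any hosts, and then logs on successfully."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> [(timestamp, host), ...]
    for e in events:
        key = (e["user"], e["src"])
        recent = [(t, h) for t, h in failures[key] if e["ts"] - t <= window]
        if e["result"] == "failure":
            recent.append((e["ts"], e["host"]))
        elif len(recent) >= threshold:
            alerts.append({"user": e["user"], "src": e["src"], "failures": len(recent),
                           "hosts": sorted({h for _, h in recent} | {e["host"]}),
                           "at": e["ts"].isoformat()})
            recent = []  # one alert per burst
        failures[key] = recent
    return alerts

def detect_per_host(logs_by_host, **rule_args):
    """The same rule applied host by host, i.e. without central correlation."""
    alerts = []
    for host, lines in logs_by_host.items():
        alerts += detect_burst_then_success(merge_logs({host: lines}), **rule_args)
    return alerts
```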

11.2.5 Application Controls

11.2.5.1 Control
 Defining boundaries between ZCS and consumers to ensure clear identification of
responsibilities regarding security controls.

Assessment of design effectiveness


 The design of the control is ineffective.

Assessment of operational effectiveness


 It was observed that there are no defined boundaries between ZCS and consumers to
ensure clear identification of responsibilities regarding security controls.


Risk / Implication – High


 Any attack on the web applications hosted by ZCS on its cloud infrastructure may result in
disputes between the customers and ZCS regarding who bears responsibility.

Recommendation
 The Service Level Agreements must define the trust boundaries between ZCS and customers
to ensure that the responsibilities to implement security controls are clearly defined.

Implementation Effort - Low

Evidence:
The audit team reviewed the SLAs between ZCS and its customers. No trust boundaries were
defined in the SLAs.

11.2.5.2 Control
 Performing Cloud-specific multi-tenancy tests on applications.

Assessment of design effectiveness


 The design of the control is ineffective.

Assessment of operational effectiveness


 It was observed that only traditional tests are performed.

Risk / Implication – High


 Traditional tests are not sufficient to test cloud applications from the point of view of
multi-tenancy.

Recommendation
 We recommend employing the Open Web Application Security Project (OWASP) guidance, as
recommended by the Cloud Security Alliance, to improve application security.

Implementation Effort - Medium

Evidence:
The audit team reviewed the testing environment and test policy of the organization.
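The cross-domain access finding under Logical Access Controls above and this multi-tenancy testing finding both turn on tenant isolation. The following added example (not code from the report or from ZCS) places a lookup that ignores the caller's tenant beside a tenant-scoped one and shows the kind of cloud-specific test that tells them apart where a traditional functional test does not; the store, tenant names and record ids are assumptions.

```python
"""Cloud-specific multi-tenancy test for a shared record store.

Added example, not code from the report or from ZCS. The store, the tenant
names and the record ids are assumptions; the records are constructed data.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    id: int
    tenant: str
    body: str

class PermissionDenied(Exception):
    pass

class RecordStore:
    """One store shared by all tenants, as on multi-tenant cloud infrastructure."""
    def __init__(self, records):
        self.records = list(records)
        self._by_id = {r.id: r for r in records}
        self.tenants = {r.tenant for r in records}

    def get_unscoped(self, caller_tenant, record_id):
        """Defective lookup: keyed on id alone, so the caller's tenant is never
        compared with the record's tenant (a cross-tenant read)."""
        return self._by_id[record_id]

    def get_scoped(self, caller_tenant, record_id):
        """Hardened lookup: the tenant is part of the check, so a foreign record
        is indistinguishable from a missing one."""
        rec = self._by_id.get(record_id)
        if rec is None or rec.tenant != caller_tenant:
            raise PermissionDenied(f"{caller_tenant} may not read record {record_id}")
        return rec

# Constructed sample data: two tenants, one record each.
SAMPLE = [Record(1, "tenant-a", "invoice of tenant A"),
          Record(2, "tenant-b", "invoice of tenant B")]

def tenant_isolation_test(lookup, store):
    """Multi-tenancy test: read every record as every *other* tenant and return
    the (caller, record_id) pairs that were served instead of refused. A
    traditional functional test reads each record as its owner, passes on both
    lookups, and never sees this defect."""
    leaks = []
    for rec in store.records:
        for caller in sorted(store.tenants - {rec.tenant}):
            try:
                lookup(caller, rec.id)
            except (PermissionDenied, KeyError):
                continue
            leaks.append((caller, rec.id))
    return leaks

def run_tests(records=SAMPLE):
    """Run the isolation test against both lookups of one store."""
    store = RecordStore(records)
    return {"unscoped": tenant_isolation_test(store.get_unscoped, store),
            "scoped": tenant_isolation_test(store.get_scoped, store),
            "owner_read_ok": store.get_scoped("tenant-a", 1).body}
```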

11.2.6 Regulatory Review

11.2.6.1 Control
 Management and data owners must be aware of the regulatory requirements stipulated by
Section 43A of the IT Act, 2008.

Assessment of design effectiveness


 The design of the control is ineffective.

Assessment of operational effectiveness


 It was observed that the management as well as the data owners were unaware of the
above regulatory requirements.

Risk / Implication – High


 Insufficient controls and measures may be implemented by the company without
considering their regulatory implications. The IT Act, 2008 clearly requires a company like
ZCS to implement and maintain reasonable security practices and procedures to avoid loss of
personal data.

Recommendation
 Train the data owners by making them aware of the relevant sections of the IT Act, 2008.

Implementation Effort - Low

Evidence:
The audit team reviewed the security controls and measures and observed lacunae in them as
compared to what the IT Act recommends.

11.2.6.2 Control
 Valuation and safeguarding of IT assets by audit committee as per Clause 49 of Listing
Agreement of SEBI.

Assessment of design effectiveness


 The design of the control is ineffective.

Assessment of operational effectiveness


 It was observed that the audit committee does not consider IT assets as important as financial
assets and does not review the status of IT assets periodically.

Risk / Implication – High


 Insufficient attention to IT assets may lead to adverse reporting under the SEBI guidelines.
 It is possible that the Company’s shares may be delisted or stringent fines may be levied on
it.

Recommendation
 The audit committee must be apprised of the requirements of Clause 49 of the Listing
Agreement issued by SEBI regarding IT assets as well.

Implementation Effort - Low

Evidence:
The audit team observed the minutes of the audit committee’s meetings.

11.2.6.3 Control
 Verify the adequacy of internal control procedures to adhere to CARO, 2016 norms.


Assessment of design effectiveness


 The design of the control is ineffective.

Assessment of operational effectiveness


 It was observed that internal controls are not reviewed periodically by the senior
management.

Risk / Implication – High


 Adverse reporting by the auditor under CARO, 2016 may lead to loss of stakeholders’ trust in
the internal controls of the company.
 The company may suffer reputational loss.

Recommendation
 We recommend that senior management discuss internal controls at each of their meetings
to make sure that they satisfy the requirements of CARO, 2016.

Implementation Effort - Medium

Evidence:
The audit team observed the minutes of the board meetings.


12. Summary/Conclusion
Based on our review, our overall conclusions on the specific areas are:

Physical Access Controls

Our review of security and access controls at ZCS confirms that appropriate physical access controls
have been implemented by the Company. Our test checks have revealed that physical access controls
are reliable. However, there are some areas (strict implementation of fire drill policy, periodic review of
physical controls, and formal documentation of physical access controls) where controls need to be
strengthened and these have been discussed in the report.

Environmental Security Controls

Our review of environmental security controls at ZCS confirms the company’s assets are safeguarded
from environmental threats. However, a few additional controls have been recommended by us
wherever lacunae were observed by the audit team. These pertain to radio emission shielding, right
sizing the air vents, doors and ceilings, concealing the cables and ascertaining the working condition of
smoke and water detectors.

Logical Access Controls

ZCS has a robust system of Logical Access Controls throughout the organization. Based on our review,
we have suggested improvements particularly for documentation of special-privilege logons, domain-
only access, and stringent enforcement of the password policy.

Network Security Controls

Our review of network security controls at ZCS confirms that the company has implemented adequate
controls from the network security point of view. We have recommended certain improvements,
particularly installing an IDS, incorporating an email encryption system and monitoring logs, to enhance
the level of network security.

Application Controls

Apart from the facts that the SLAs of ZCS with its customers do not segregate responsibilities to
implement security controls and that application tests must incorporate cloud-specific testing, we
confirm that ZCS has appropriate Application Controls in place.

Regulatory Review

ZCS operates in the cloud domain, which involves processing a high volume of customer data.
Regulations pertaining to security are evolving rapidly. A company like ZCS must make sure that its
data is well protected and that there are appropriate internal controls, along with periodic reviews of
the same, to ensure that the company adheres to regulatory requirements. We have

recommended specific guidelines to the management and data owners to facilitate compliance with the
IT Act, 2008, Clause 49 of the Listing Agreement and CARO, 2016.

Further Action

We consider that the recommendations in this report would be very useful for making the security and
control practices at ZCS stronger and improving their effectiveness. We would like to affirm that the
matters included in this report are those which came to our notice during our review, following
normal Information Systems audit procedures and complying with the globally applicable Information
Systems Auditing Standards, Guidelines and Procedures issued by the Information Systems Audit and
Control Association, USA, and the security and control practices outlined in COBIT 5 issued by ISACA, as
adapted to ZCS operations for the review of security and controls. Further, on account of limitations of
scope and time, we have used a sample test and test-check approach. Hence, certain areas which are
outside the scope of this review are not covered.


Annexures
Annexure – 1. Terms of Assignment 35

1.1 Parties to Agreement

The parties to the Agreement shall be ABCD & Co. and the Zebra Cloud Solutions (ZCS) Limited, and
neither may assign or transfer rights or obligations under the Agreement or part of such Agreement to
any other party without prior written approval by the other party. In the event of any inconsistencies
between the terms stated in the Letter of Agreement and these Terms of Engagement, the Letter of
Engagement shall supersede the Terms of Engagement.

1.2 Confidentiality

The parties shall be under a mutual duty to safeguard the confidentiality of all material, records and
information about the other party as well as all information received from the other party in connection
with the performance of the engagement.

1.3 Electronic Communication

Unless otherwise stipulated in the Agreement, both parties agree to use electronic communication,
such as email, for all documents and messages of relevance to this Agreement.

1.4 Conflict of Interest

If a potential or actual conflict of interest has been identified, and ABCD & Co. believes that the interests
of the client may be adequately safeguarded through the implementation of relevant procedures, ABCD
& Co. will discuss and agree such procedures with the client.

1.5 Limitation of Responsibility

ABCD & Co. shall be responsible for the service rendered under the Agreement in accordance with the
general rules of Indian law. Any limitations on the overall liability for damages shall be stated in the
Letter of Engagement. ABCD & Co. shall assume no responsibility for any indirect loss or consequential
damage, including loss of goodwill, image, earnings, profit or data.

1.6 Applicable Law and Jurisdiction

This Agreement is to be construed, performed and enforced in accordance with the laws of India with
exclusive jurisdiction of the courts of Mumbai. English will be the governing language.

35 Terms of Reference of Deloitte Touche Tohmatsu Limited (UK), referenced from
https://www2.deloitte.com/content/dam/Deloitte/dk/Documents/audit/ForretningsbetingelserUK01012017.pdf


Annexure 2 - Cloud Security Alliance Consensus Assessment Initiative Questionnaire 36

Control Group: Audit Planning
Assessment Question: Do you produce audit assertions using a structured, industry accepted format?
ZCS Response: ZCS obtains certain industry certifications and independent third party attestations and provides certain certifications to its customers.

Control Group: Independent Audits
Assessment Question: Do you allow tenants to view your audit reports?
ZCS Response: ZCS provides third party attestations, certifications, and other relevant compliance reports directly to our customers under NDA.

Control Group: Information System Regulatory Mapping
Assessment Question: Do you have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data?
ZCS Response: All data stored by ZCS on behalf of customers has strong tenant isolation security and control capabilities.

Control Group: Handling / Labeling / Security Policy
Assessment Question: Are policies and procedures established for labeling, handling and security of data and objects which contain data?
ZCS Response: Customers retain control and ownership of their data and may implement a labeling and handling policy and procedures to meet their requirements.

Control Group: Secure Disposal
Assessment Question: Do you support secure deletion (ex. degaussing / cryptographic wiping) of archived data as determined by the tenant?
ZCS Response: ZCS uses the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process. If a hardware device is unable to be decommissioned using these procedures, the device will be degaussed or physically destroyed in accordance with industry standard practices.

Control Group: Information Leakage
Assessment Question: Do you have controls in place to prevent data leakage or intentional/accidental compromise between tenants in a multitenant environment?
ZCS Response: ZCS has implemented security management processes and other security controls designed to isolate each customer from other customers.

Control Group: Controlled Access Points
Assessment Question: Are physical security perimeters (fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols) implemented?
ZCS Response: Physical security controls include but are not limited to perimeter controls such as fencing, walls, security staff, video surveillance, and other electronic means.

Control Group: Unauthorized Persons Entry
Assessment Question: Are ingress and egress points such as service areas and other points where unauthorized personnel may enter the premises monitored, controlled and isolated from data storage and process?
ZCS Response: Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance and other electronic means.

Control Group: Power / Telecommunications
Assessment Question: Do you provide tenants with documentation showing the transport route of their data between your systems?
ZCS Response: Customers designate in which physical region their data and servers will be located.

Control Group: User ID Credentials
Assessment Question: Do you support use of, or integration with, existing customer-based Single Sign On (SSO) solutions to your service?
ZCS Response: The ZCS Identity and Access Management (IAM) service provides identity federation to the AWS Management Console. Multi factor authentication is an optional feature that a customer can utilize.

Control Group: Network Security
Assessment Question: For your IaaS offering, do you provide customers with guidance on how to create a layered security architecture equivalence using your virtualized solution?
ZCS Response: The ZCS website provides guidance on creating a layered security architecture in a number of white papers available.

Control Group: Clock Synchronization
Assessment Question: Do you utilize a synchronized time-service protocol (ex. NTP) to ensure all systems have a common time reference?
ZCS Response: In alignment with ISO 27001 standards, ZCS information systems utilize internal system clocks synchronized via NTP (Network Time Protocol).

Control Group: Quality Testing
Assessment Question: Do you provide your tenants with documentation which describes your quality assurance process?
ZCS Response: ZCS incorporates standards of quality as part of the system development lifecycle (SDLC) processes which are in alignment with the ISO 27001 standard.

Control Group: Insurance
Assessment Question: Is your organization insured by a 3rd party for losses?
ZCS Response: ZCS provides customer remuneration for losses they may incur due to outages in alignment with our Service Level Agreement.

Control Group: Unauthorized Software Installations
Assessment Question: Do you have controls in place to restrict installation of unauthorized software on your systems?
ZCS Response: Our program, processes and procedures for managing malicious software are in alignment with ISO 27001 standards.

36 AWS response to CSA Questionnaire, referenced from
https://citadel-information.com/wp-content/uploads/2012/08/amazon-web-services-risk-and-compliance-whitepaper-2012-1.pdf
