
Disa Project Report on Audit of Outsourced Software Development

Project Report
Audit of Outsourced Software Development

Table of Contents
1. Introduction
2. Outsourcing vendor
3. Background
4. Situation
5. Objectives of Assignment
6. Audit observations of IT Environment and practices
   A. Physical access controls
   B. Logical Access Controls
   C. Disaster Recovery Plan
7. Deliverables
8. Format of Report/Findings
9. Extracts from Service Level Agreement (SLA)
   Clause 6.6: Maintenance of Records
   Clause 10.4: Disaster Recovery
   Clause 10.2: Backup and Storage
   Clause 10.1: Generally
   Clause 10.3: User and Access Restrictions

1. Introduction
AMG Software (AMG) is the world’s leading provider of management solutions that ensure the
availability, performance, and recovery of business-critical applications. AMG calls this
application service assurance and it means that the applications its customers rely on most
stay up and running, around the clock. For more than 20 years, the largest and most successful
companies have relied on AMG Software. AMG Software is among the world’s largest
independent software vendors, a Forbes 500 company and a member of the S&P 500, with
revenues of $2.3 billion in the last 12 months. The company is headquartered in Houston,
Texas, with offices worldwide.

2. Outsourcing vendor
DLF Software (DLF) is focused on providing Offshore Development Services (ODS) to Global
Clients who include 25 of the Fortune 500 corporations of the world. With a penchant for
working closely with clients and organizing work according to the client’s needs, DLF believes in
working with the customer as its Partner in Progress and participating in mutual growth both
quantitatively and qualitatively. From its inception, DLF has been one of the fastest growing
major software companies in India and is rated amongst the top 10 software export houses in
India. DLF is headquartered in Bangalore and is represented through offices in the USA, Europe,
South East Asia and Japan.

3. Background
AMG has outsourced software development in ODS mode to DLF. AMG has supplied the IT
infrastructure for these services and has also recruited the required personnel, who work at DLF
on the software projects of AMG. AMG wanted independent assurance on the security and
usage of the technology, as well as on protection of the IPR of AMG. Abraham and Associates (AAA)
is a practising CA firm based at Bangalore and offers IS Assurance services with a team of
DISAs and IT security professionals.

Leading to the proposal, Mr. Bentley, Manager, OEM of AMG, had identified AAA as a provider
of assurance services based on research on Google and had contacted AAA through e-mail. The
need for IS Assurance services, namely an IS audit with the objective of providing assurance
on protection of intellectual property and security, was communicated. Based on this, AAA
sent its profile offering its services, outlining its experience in this area and providing
sample proposals and deliverables of such reviews executed by AAA. The scope,
objectives, fees and deliverables were finalised after detailed discussion to meet the specific
requirements of AMG, and this was communicated to DLF.

4. Situation
AMG’s need was understood to be an assurance that its intellectual property, including assets
and access to such assets (hardware, software, manuals, media, etc.) used at the AMG labs at
DLF in Bangalore, is adequately secured, physically and logically, from unauthorised and
inappropriate use through adequate and appropriate physical, environmental and logical access
controls. Hence, an independent review was to be conducted of the process and methods in place
at the AMG labs at DLF, so as to provide assurance that there are adequate and appropriate
safeguards and procedures that prevent unauthorized access, mishandling and damage to any of
the assets of AMG at the AMG labs at DLF, and that all the facilities provided by AMG are being
used for the purposes of AMG’s operations only, by personnel authorised or assigned for AMG’s
operations, at the work site allocated by DLF.

5. Objectives of Assignment
Based on the detailed discussions with Mr. Ben Crocker and a visit to the AMG Labs at DLF, the
primary objectives of the Security Audit assignment were finalised as follows:

1. Provide assurance to AMG that the intellectual property of AMG, including assets and access
   to such assets (hardware, software, manuals, media, etc.) used at the AMG labs at DLF in
   Bangalore, is adequately secured (physically and logically) from unauthorised and
   inappropriate use through adequate and appropriate physical, environmental and logical
   access controls;
2. Review the process and methods in place at the AMG labs at DLF so as to provide assurance to
   AMG that there are adequate and appropriate safeguards and procedures that prevent
   unauthorized access, mishandling and damage to any of the assets of AMG at the AMG labs at
   DLF;
3. Review whether all the facilities provided by AMG are being used for the purposes of AMG’s
   operations only, by personnel authorised or assigned for AMG’s operations at DLF;
4. Validate the process and methods at the AMG labs at DLF against the available norms and
   standards of AMG, wherever available.

6. Audit observations of IT Environment and practices
As part of the planning for the IS Audit, the AAA audit team reviewed the security and control
procedures and had a walk-through of the independent location at DLF which houses all the
technology and human resources of AMG as per the contract. Key observations covering specific
areas are given below:

A. Physical access controls

1. Access into the premises is guarded by security guards.
2. To gain access into the building, visitors and employees have to sign the register maintained
   at the security desk.
3. Visitors are given a visitor’s pass, are required to wait at the reception for the person they
   wish to meet, and are then escorted into the building by the concerned employee, to areas
   other than the AMG labs.
4. Visitors are not allowed into the AMG labs.
5. Access to the lab in the basement is granted by the swipe cards issued to the employees
   associated with the AMG projects.
6. Temporary passes are also used to grant access to employees whose permanent cards are yet to
   be received from the manufacturer, after capture of the relevant details.
7. IS auditors were also given temporary cards to gain access to the lab during the period of
   review.
8. Access to the lab on the first floor is granted by entering a numeric combination on a keypad
   device that authenticates the number and grants entry.
9. The door of the first-floor lab does not lock itself automatically after it has been opened. If a
   user is not careful to ensure that the door is locked after he/she enters or leaves the lab,
   there could be opportunities for unauthorised users to enter the lab without using the keypad
   device.

B. Logical Access Controls

1. The users are classified into groups according to the projects they work on. Based on this
   grouping, the users create a group login at the root level in the OS at the AMG labs at
   DLF. Since all these users work on a common project and require a similar set of permissions
   for testing the software, no individual logins have been created.
2. The users are not allowed to download source code from the servers at AMG and therefore
   have to access it at Houston through telnet sessions. The access rights and the user ids
   with passwords are controlled by the system administration at Houston.
3. Access to the source code of software under development/maintenance/testing etc. is given
   by AMG as per the procedures followed by them. The code is accessed online.
4. The management of the above access control procedures rests solely with AMG, and they are
   not controlled or monitored by DLF. Hence the procedures or policies that govern such access
   to the servers at Houston are outside the scope of this review.
5. Individual workstations also have a user id and password for the users to log in to their
   desktops.
6. A sample test of the individual workstations was carried out to ensure that they have screen
   savers with passwords or session locks with passwords, so that open telnet sessions are not
   accessible to any other user if the original user is not at his/her desk.
7. New users are given access only to the local resources at the time of joining the AMG group
   at DLF, by the IS department locally.
8. The domain accesses that grant them access to the information resources at AMG, Houston
   are given and controlled by AMG.
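
The shared root-level group login and the sample test of workstation session locks above are the kind of observations an auditor would want to back with collected evidence rather than interviews alone. The Python script below is an added example, not part of this report and not a procedure of AMG, DLF or AAA: it parses a constructed /etc/passwd dump and a constructed per-workstation lock-settings export, and returns ranked findings in the Issue/Cause/Exposure/Recommendation layout that section 8 of this report asks for. The host names, account names, the 15-minute idle benchmark and the settings keys are all assumptions made for the example.

```python
"""Added example (not from the report): evidence checks for the logical-access
observations. All sample data, host names and the idle benchmark are assumptions."""
from dataclasses import dataclass

# Constructed sample: a lab server's /etc/passwd where each project shares one
# root-level login (UID 0) and QA shares one UID between two login names.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
proj_alpha:x:0:0:Project Alpha team:/home/proj_alpha:/bin/bash
proj_beta:x:0:0:Project Beta team:/home/proj_beta:/bin/bash
qa_shared:x:1001:1001:QA shared login:/home/qa_shared:/bin/bash
tester2:x:1001:1001:second name on the QA uid:/home/qa_shared:/bin/bash
build:x:1002:1002:build service:/var/lib/build:/usr/sbin/nologin
"""

# Constructed sample: screen-lock settings per workstation as an auditor might
# export them (idle timeout in minutes, 0 = never; whether unlock needs a password).
SAMPLE_LOCK_SETTINGS = {
    "ws-lab-01": {"idle_minutes": 10, "password_on_unlock": True},
    "ws-lab-02": {"idle_minutes": 0, "password_on_unlock": False},
    "ws-lab-03": {"idle_minutes": 30, "password_on_unlock": True},
}

MAX_IDLE_MINUTES = 15  # assumed benchmark; substitute AMG's own standard


@dataclass
class Finding:
    rank: str  # High / Medium / Low, as the report format requires
    issue: str
    cause: str
    exposure: str
    recommendation: str


def parse_passwd(text):
    """Return (name, uid, shell) for each well-formed passwd line."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # blank or malformed line: skip rather than guess
        entries.append((fields[0], int(fields[2]), fields[6]))
    return entries


def check_shared_logins(passwd_text):
    """Flag root-equivalent accounts and UIDs shared by several login names."""
    entries = parse_passwd(passwd_text)
    findings = [
        Finding("High",
                f"Account '{name}' is root-equivalent (UID 0).",
                "Project groups share one root-level login instead of individual user ids.",
                "Actions on AMG source and system configuration cannot be attributed to a person.",
                "Create individual accounts; grant privilege through sudo with logging.")
        for name, uid, _ in entries if uid == 0 and name != "root"]
    by_uid = {}
    for name, uid, _ in entries:
        by_uid.setdefault(uid, []).append(name)
    for uid, names in by_uid.items():
        if uid != 0 and len(names) > 1:
            findings.append(Finding(
                "Medium",
                f"UID {uid} is shared by accounts {', '.join(names)}.",
                "Several login names map to one system identity.",
                "Audit trails cannot show which person used the account.",
                "Assign a unique UID per person and remove the duplicate entry."))
    return findings


def check_session_locks(settings, max_idle=MAX_IDLE_MINUTES):
    """Flag workstations whose lock would leave an open telnet session exposed."""
    findings = []
    for host, cfg in settings.items():
        idle = cfg["idle_minutes"]
        problems = []
        if idle == 0 or idle > max_idle:
            problems.append(f"idle timeout is {idle} min (benchmark {max_idle})")
        if not cfg["password_on_unlock"]:
            problems.append("no password required to unlock")
        if problems:
            findings.append(Finding(
                "Medium",
                f"{host}: " + "; ".join(problems) + ".",
                "Screen saver / session lock is not enforced by policy.",
                "An open session to the Houston servers is reachable from an unattended desk.",
                "Enforce a password-protected lock within the benchmark idle time centrally."))
    return findings


def report(findings):
    """Render findings in the report's Issue / Cause / Exposure / Recommendation layout."""
    return "\n\n".join(
        f"Issue ({f.rank}): {f.issue}\nCause: {f.cause}\nExposure: {f.exposure}\n"
        f"Recommendation: {f.recommendation}" for f in findings)


if __name__ == "__main__":
    print(report(check_shared_logins(SAMPLE_PASSWD) + check_session_locks(SAMPLE_LOCK_SETTINGS)))
```

To use it on real evidence, replace the two constructed samples with the passwd file and lock-settings export collected from the lab; findings are returned as objects so they can be ranked and carried into the report rather than only printed. The UID check is deliberately mechanical (any non-root UID 0, any UID carrying two names) so the result is reproducible evidence, not an auditor's impression.
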

C. Disaster Recovery Plan

1. There is a generic disaster recovery plan/procedure pertaining to all the operations of DLF in
   place to ensure the successful revival of operations in the event of a disaster.
2. There are no back-up systems available for the systems supplied by AMG.
3. DLF-owned desktops can be used should any disaster affect them.
4. There is no redundancy for the telecommunication equipment.
5. Offsite storage of the media and other related materials is provided for in the fire-proof
   lockers in the other buildings of DLF.
6. The labs that house the AMG-related systems have adequate fire detection and fire-fighting
   capabilities, including fire extinguishers, power cut-off systems etc.
7. The power supply is backed up by a UPS facility which ensures continued supply of power to
   the systems in the event of power failure or tripping due to power surges etc., until such
   time as the generator is switched on.
8. The generator, which is common for all the operations of DLF, supplies power to the computers
   in the event of continued power disruption. The generator facility has enough stock of fuel to
   run continuously for a period of 6 days.
9. The documented generic disaster recovery plan applies to DLF as a whole and is not
   customised to the AMG labs.
10. There is no disaster recovery plan for the systems that are supplied by AMG or for the
    communication capabilities of the labs.
11. Alternative processing capabilities for the systems supplied by AMG are not identified.
12. No annual maintenance contracts exist for AMG-supplied machines.

7. Deliverables
1. Provide an IS Audit report to the management of AMG with reasonable assurance that the
   identified controls, as relevant, are in place at the AMG Labs at DLF;
2. Provide a detailed report covering findings for each of the significant control weaknesses and
   advise the management of AMG on corrective actions to be initiated. Include management
   comments from DLF on the audit findings and recommendations, with an agreed action plan.

8. Format of Report/Findings
Please use the extracts from the SLA and the contents of the relevant section of the DISA
background material, together with relevant best practices as required, as the benchmark for
evaluation of the controls. The IS Audit report may be prepared based on the standards of
reporting issued by ICAI and ISACA.

The detailed findings should be in the following format:

1. Issue (ranked as high/medium or low)
2. Cause
3. Exposure
4. Recommendations
5. Management comment

9. Extracts from Service Level Agreement (SLA)


As part of the assignment, you have reviewed the SLA signed by DLF for AMG. Extracts from
these are given for your consideration. These provide the benchmark of security and controls to
be provided.

Clause 6.6: Maintenance of Records

DLF shall maintain a complete, current, and accurate record of the number and location of the
Systems (and all components thereof) loaned to DLF pursuant to this Agreement (including all
extracts, adaptations, or transcriptions of any Software). As often as AMG may request, but no
less often than at least once every three months, DLF shall send AMG a copy of such record
certified as complete, current, and accurate by a duly authorized representative of DLF
charged with general responsibility for the operation of the Systems.

Software:
Source code development is undertaken on an online basis through the resources at the AMG
facility in Houston. The configuration management tools in use at AMG perform the
configuration management of software under development/maintenance. DLF therefore has no
control over the configuration/change management procedures to be followed during the system
development or maintenance phases of the SDLC. In the absence of such practices at its end,
DLF does not maintain any records/documents of the changes incorporated into software during
maintenance/development activities.

Hardware:
As per the agreement with AMG, DLF is not allowed to open any of the machines sent to it by
AMG for use at its labs. In line with this clause, DLF does not maintain any configuration
record of the hardware sent to it by AMG, nor does it carry out any maintenance activities on
such machines. However, DLF does maintain an inventory of all the hardware supplied by AMG,
as per the details entered in the invoices.

Clause 10.4: Disaster Recovery
1. DLF shall follow AMG conventions for protection and backup of data, including checking
   source code in to AMG’s designated coordinator each week on or before a specified day set
   by AMG.
2. As requested by AMG, DLF will establish and maintain off-site disaster recovery capabilities
   that permit DLF to recover from a disaster and continue providing Services to and carrying
   out Projects for AMG, including without limitation:
   (a) storage of any AMG data, Work Product or Deliverables in an off-site protected vault for
       such period as AMG specifies;
   (b) such off-site protected vault having security and environmental protection systems to
       guard against theft, fire, humidity and temperature;
   (c) such security system providing controlled access and alarm systems restricting access to
       DLF employees currently working on AMG Projects; and
   (d) implementation of disaster recovery capabilities in the event of any failure of DLF
       information technology systems which may jeopardize AMG data, Work Product or Deliverables.
   Upon request, DLF will provide AMG with an executive summary of the current disaster recovery
   plan, which may change from time to time. DLF shall test the operation and effectiveness of
   DLF’s disaster recovery plan at least annually. In addition, DLF shall establish and maintain a
   backup power supply system to guard against electrical outages.

Clause 10.2: Backup and Storage


So that lost or damaged data or materials can be reconstructed,
DLF shall establish and maintain procedures for backup on magnetic tape or other electronic
media and storage at an off-site storage facility, as applicable, of Systems, Deliverables and
other AMG data and materials in DLF’s custody and all storage media containing the same.

Clause 10.1: Generally

DLF shall establish and maintain security measures and safeguards reasonably satisfactory to
AMG to protect against
(a) the destruction, loss, or alteration, and
(b) the unauthorized access, use, or disclosure,
of any Systems, Deliverables, or other data and materials which DLF from time to time may have
in DLF’s possession, custody or control at the Center or otherwise pursuant to this Agreement.

Clause 10.3: User and Access Restrictions
1. DLF shall be responsible for ensuring that Systems, Deliverables and other AMG data and
materials in DLF’s custody are installed and used only on and/or in combination with
designated Systems installed at the Center pursuant to this Agreement as specified in the
Contract Addenda.
2. DLF will restrict access to such Systems, deliverables, data and materials at all times to DLF
employees who have a “need to know” subject to acceptable undertakings of confidentiality
and non-disclosure.

21/02/2022