Conducted By:
1. Mashkoor Ahmed Khan, VP/Team Leader
2. Imam Bakhsh, OG-II/Team Member
Table of Contents
Sr. No. Description
1 Executive Summary
1.01 RDC Profile
1.02 Gist of Significant EDP Audit Findings
1.03 Conclusion and Recommendations
2 IS Audit of RDC Islamabad (Introduction)
2.01 Mission
2.02 Background
2.03 Objectives
2.04 Scope & Methodology
2.05 Disclaimer
3 General Controls
3.01 Surveillance System
3.02 Hardware Inventory
3.03 Emergency Exit
3.04 Instructions for Emergency
3.05 Identification (ID) Cards
3.06 Humidity and Temperature Recorder
4 Organizational Controls
4.01 Mandatory Leave Plan
4.02 Hardware Maintenance Log
4.03 Tagging of Fixed Assets
4.04 Maintenance Record of Computer Applications’ Users
4.05 ATM Support Officer Complaint Log Book
4.06 Maintenance of Leave Record
4.07 Abnormal ATM Down-Time
4.08 Delayed Submission of DTRs
4.09 Information of User IDs
4.10 Non-Completion of KYC Formalities
4.11 Access Control Facility Evaluation
5 Continuity of Operations
5.01 Testing of Backup Tapes
6 Operating System Platform Security
6.01 General Security System Values
1. Executive Summary
1.01 RDC Profile:
The Regional Data Centre (RDC) provides automation services to 131 Branches under the jurisdiction
of four regions, i.e. Islamabad, Rawalpindi, Jhelum and Gilgit. Out of the total 131 branches, only 29
branches are online and the remaining branches are working offline and classified as BBO branches.
Sr. No.  Region      Online Branches  BBO Branches  Total Branches  No. of ATMs
1        Islamabad   16               7             23              18
2        Rawalpindi  11               55            66              9
3        Jhelum      1                27            28              -
4        Gilgit      1                13            14              -
         Total       29               102           131             27
The total staff at RDC Islamabad is 21, comprising one executive and 20 officers. A summary of the staff members is as under:
Detail of accounts maintained at the branches under the jurisdiction of the auditee RDC: (Imam, this information is dated ????)
XYZ
XYZ
2.01 Mission:
1. Provides IT support to 131 branches in the Islamabad, Rawalpindi, Jhelum and Gilgit Regions (monitors and facilitates the operation of online banking at branches and ATMs).
2. Updates / posts the data (day books etc.) of all BBO branches, either directly by the branches or via the RDC.
3. Operational support to the branches for updating PLS, Current and Advances accounts, deduction of withholding tax and Zakat, classification of operative / inoperative accounts, etc.
4. Generates and dispatches account statements biannually for all branches under RDC Islamabad.
5. Operation of Provident Fund, Payroll, S&T and Weekly Schedule Telegram (WST).
2.02 Background:
Pursuant to the Bank's Audit Policy approved by the Board of Directors, the EDP Audit & Automation Wing (EDP A&AW) was formed within the Audit Group, Head Office, in 2001. EDP A&AW, being part of the overall audit process, is one of the facilitators of good corporate governance. It involves the process of collecting and evaluating evidence to determine whether the existing IT systems safeguard assets, maintain data integrity, achieve organizational goals effectively, and utilize the available resources efficiently.
In the light of the Bank's audit policy, and in conformity with internationally accepted best practices, the Standards for the Professional Practice of Internal Auditing set out by the Institute of Internal Auditors and the principles laid down by the Information Systems Audit and Control Association (ISACA), a risk-based approach to IS audit has been adopted objectively and independently. Accordingly, the functions, software and applications to be covered by the IS audit are selected on the basis of the level of risk involved.
2.03 Objectives:
The primary objective of this audit assignment is to assess the adequacy and effectiveness of the controls that manage the operational / business risk associated with the deployment of technology in banking operations, and to suggest improvements in those controls to minimize the risks as per best practices and standards. Specifically:
1. To assess the adequacy and effectiveness of internal controls over user management, data input, processing and output reports at various levels.
2. To assess the adequacy and effectiveness of internal controls over LAN / WAN management.
3. To assess the adequacy and effectiveness of internal controls over the management of the various systems, software and communication equipment within the RDCs and branches.
4. To assess the adequacy and effectiveness of internal controls over the physical security of the place of business / operations and of IT equipment.
5. To assess the adequacy and effectiveness of internal controls over the management of the Disaster Recovery system / Business Continuity Planning.
6. To assess the effectiveness and efficiency of anti-virus software, firewalls, DMZs, callback modems, etc.
2.04 Scope & Methodology:
The scope of this audit encompasses the examination and evaluation of the adequacy and effectiveness of the internal controls and the quality of performance at the Regional Data Centre. The purpose of reviewing the adequacy of the system of internal control is to ascertain whether it provides reasonable assurance that objectives and goals are being met efficiently and effectively.
The IS audit of the RDC was conducted and the tasks reviewed are reported in the sections that follow.
Methodology:
The various operations / functions of the RDC were reviewed on a random-sample basis. During the audit, interviews with various staff were conducted to understand the functions performed by them. Further, various documents / reports were reviewed and analyzed, in addition to physical checks of the systems and devices, to assess the effectiveness and efficiency of the system at the RDC.
2.05 Disclaimer:
It may be pointed out that the scope of this audit is limited as stated above. The review was conducted on the basis of the information and records provided by the RDC management. The audit was conducted from 14th September to 18th September 2009, and the period under review ran from the last date of the previous audit to the start date of this audit. Any changes occurring after that date may be furnished to the Audit Group for future reference.
3. General Controls
General level controls are designed to protect the organization from physical and environmental disasters. The Physical Security
domain addresses the threats, vulnerabilities, and countermeasures that can be utilized to physically protect an enterprise’s
resources and sensitive information. These resources include personnel, the facility in which they work, and the data,
equipment, support systems, and media with which they work. Physical security often refers to the measures taken to protect
systems, buildings, and their related supporting infrastructure against threats that are associated with the physical
environment.
A general controls review attempts to gain an overall impression of the controls that are present in the environment surrounding
the information systems. These include the organizational and administrative structure of the IS function, the existence of policies
and procedures for the day-to-day operations, availability of staff and their skills and the overall control environment. It is
important for the EDP auditor to obtain an understanding of these as they are the foundation on which other controls reside. A
general controls review would also include the infrastructure and environmental controls. A review of the data center should
cover the adequacy of air conditioning (temperature, humidity), power supply (uninterruptible power supplies, generators) and
smoke detectors/fire suppression systems, a conducive clean and dust free environment, protection from floods and water seepage
as well as neat and identifiable electrical and network cabling. The critical areas to be covered are:-
3.01 Surveillance System:
CCTV cameras are necessary in data centres to capture and record activity, so that incidents of unauthorized access to critical areas for malicious purposes can subsequently be detected, and deterred, when the need arises.
It was however observed that CCTV/surveillance cameras have not been installed at the RDC. The same observation was raised in the last audit report, and the auditee management committed to having the cameras / surveillance system installed by July 2009; the matter is still unresolved.
Recommendations:
The CCTV/surveillance cameras should be installed on an urgent basis to improve the preventive and detective controls at the RDC.
Management Comments:
3.02 Hardware Inventory:
A hardware inventory lists the components, system information and devices installed on each system so that they can be controlled and managed effectively.
It was however observed that a detailed Hardware Inventory List has not been maintained at the RDC.
Recommendations:
The RDC should keep a complete hardware inventory record giving details of the system model, hard disk model, CDRW/DVD model, serial number, date of purchase or supply, source of supply, etc.
Management Comments:
3.03 Emergency Exit:
An emergency exit is a special exit provided for emergencies such as fire. The combined use of regular and emergency exits allows faster evacuation in case of emergency, and the emergency exit provides an alternative safe passage if the regular exit is not accessible.
During the audit it was observed that there was no emergency exit at the RDC through which to evacuate the premises in case of emergency.
Recommendations:
The RDC management should consider options for an emergency exit to avoid the potential risk to the lives of staff working in the premises.
Management Comments:
3.04 Instructions for Emergency:
In many emergencies, timely action can be the key to saving someone's life, so it is extremely important to know what to do in an emergency. The display of important instructions for handling emergencies, together with important telephone numbers, at prominent places is therefore highly desirable.
It was however observed that instructions for emergencies and emergency phone numbers were not displayed at prominent places in the auditee RDC.
Recommendations:
Instructions for emergencies and the list of emergency phone numbers should be displayed at prominent places in the RDC, and all staff should be directed to go through these instructions so that they can act in case of need.
Management Comments:
3.05 Identification (ID) Cards:
Identification cards are used in an organization to identify employees and to establish their authority to enter specific / secured areas of operations on the premises.
It was however observed that the employees of the auditee Regional Data Centre were not wearing their ID cards while on duty.
Recommendations:
Employees should be instructed to wear their NBP ID cards prominently while on the RDC premises. This practice will help restrict the access of unauthorized persons to the RDC and can further be monitored through CCTV.
Management Comments:
3.06 Humidity and Temperature Recorder:
Excessive humidity in the server room not only increases the chance of early corrosion of the metallic components of computer hardware, it may also cause condensation on items carried into or out of the server room (i.e. moved from a higher temperature to a lower temperature or vice versa), e.g. backup tapes, CD-ROMs, etc. Similarly, abnormal temperature and humidity affect the performance of computers and reduce their life.
The auditee RDC has installed a Humidity and Temperature Recorder in the server room to maintain temperature and humidity at the optimum level; however, the recording function was set to "OFF". Accordingly, the record of changes in temperature and humidity was not being maintained and monitored at the RDC.
Recommendations:
An un-optimized environment affects the efficiency of computer equipment. RDC management should switch the recording function of the humidity and temperature recorder to "ON" and periodically monitor the environmental conditions inside the server room to optimize the efficiency of the costly equipment.
Management Comments:
4. Organizational Controls
The review of organizational controls determines whether the organizational structure, the IT resources used, and the control policies and procedures in place are adequate to foster effective management information support. Management must be clearly involved in the IT planning and decision-making process. Specific steps are as follows:
1) Review job descriptions to see whether the descriptions match the positions and whether employees have duties in non-IT areas, and be aware of any conflicts which might exist.
4.01 Mandatory Leave Plan:
A continuous long stay of a staff member in one particular seat reduces the effectiveness of the internal control environment and may lead to fraudulent activities.
It was however observed that the mandatory leave plan required under President Office Circular No. 47 dated 08-11-2002 was not prepared at the RDC.
Recommendations:
The auditee management should prepare an Annual Mandatory Leave Plan and allow each member of staff to avail mandatory leave as per the circular referred to above.
Management Comments:
4.02 Hardware Maintenance Log:
A maintenance log of IT equipment records its repair history. If a hardware maintenance log is not maintained, information such as the frequency of recurring problems cannot be obtained. During the audit it was observed that hardware maintenance logs were not maintained by the auditee management.
Recommendation:
A hardware maintenance log should be maintained, and even minor problems should be recorded. This would give RDC staff, the IT Group and vendors a record of past trends on which to base future strategy.
Management Comments:
4.03 Tagging of Fixed Assets:
Tagging of fixed assets helps in timely recognition and stock-taking of inventory, in addition to preventing their unauthorized movement.
It was however observed that the RDC has not tagged the available fixed assets with distinct numbers.
Recommendation:
All fixed assets at the RDC should be codified or properly tagged.
Management Comments:
4.04 Maintenance Record of Computer Applications' Users:
The documentation of user IDs provides important evidence of the date and time of issuance of a user ID to an individual, and establishes the authority of the person requesting or authorising the creation of the user ID. Furthermore, users can be held accountable for their actions according to the rights and authorities allocated to them.
According to Head Office instructions, the RDC receives request forms (User Addition/Modification/Deletion Form) from the branches for the creation, modification or deletion of user IDs for EBS, with authorities appropriate to job requirements. The concerned Branch Manager authenticates these request forms. It was however observed that in the following cases some of the formalities were not completed before the user IDs were created:
1. Signatures of the requesting officers were not found on the request forms. Some instances are as under:
2. In all the cases, the recommending officer had not verified the signature of the requesting officer before formally requesting the RDC.
3. In all the cases, the signatures of the recommending officer/Branch Manager were not verified by RDC staff before creation of the user IDs.
Recommendations:
The concerned staff should complete the missing formalities to complete the documentation.
Management Comments:
4.05 ATM Support Officer Complaint Log Book:
As per Head Office Instruction Circular No. 47/2005 dated 28-04-2005, the branches and RDCs are required to maintain logs of errors/problems (the ATM Support Officer Complaint Log Book) on a real-time basis, to ensure timely action and the accountability of the responsible staff. The ATM Support Officer Complaint Log Book provides complete detail regarding machine maintenance.
However, the audit team observed that the RDC was maintaining an incomplete report, which did not show the record of errors/problems and the actions taken to rectify them. Due to the non-maintenance of this record/report, the RDC and IT Group management do not have the factual position of errors, the timeliness of corrective action by staff, or the total down-time of each ATM on a daily basis.
Recommendations:
The RDC management should maintain the ATM Support Officer Complaint Log Book in the specified format. The format of the ATM Maintenance Log Book is attached as Annexure-1.
Management Comments:
4.06 Maintenance of Leave Record:
The leave record at the RDC has been maintained in detail as per Head Office instructions. However, some discrepancies were observed in the allocation of utilized leave against the available Privilege Leave and other leave balances. For instance, the 45 days of Hajj leave availed by Mr. Ikram-ul-Haq and Mr. Wasi-ur-Rehman were charged to their Frozen Leave balances despite sufficient Privilege Leave balances being available. The concerned staff rectified the leave record when this was pointed out by audit.
The Leave Record Register was not initialed by the concerned staff.
Recommendations:
The concerned staff should review the leave records of other staff and rectify similar cases, if any. The Leave Record Register should also be initialed periodically.
Management Comments:
4.07 Abnormal ATM Down-Time:
While reviewing the Down-Time Report of the ATMs operated under the RDC, it was observed that the average down-time of the ATMs was 23.09% in the first quarter and 28.58% in the second quarter of 2009. This heavy down-time is tantamount to each ATM being out of service for roughly 5.5 to 7 hours per day.
The major causes of ATM non-functioning include power breakdowns, communication errors and functional errors of the ATMs. The largest contributing factor is power failure, which accounted for 71% of overall ATM down-time.
Recommendations:
The operational management should take corrective action to ensure a continuous power supply, using efficient UPS units and generators, to reduce ATM down-time. The matter may also be referred to the Regional Operations and Compliance Chiefs for necessary action.
Management Comments:
4.08 Delayed Submission of DTRs:
While reviewing the status of the DTRs sent by BBO branches to Head Office (directly or through the RDC), it was observed that some branches had not sent their daily DTR data to Head Office. Details of some missing DTRs as on 16-09-2009 are appended below:
Sr. No.  Branch Code  Branch Name                  Region      Missing / Pending DTRs  Gap Days
1        882          Blue Area Branch Islamabad   Islamabad   12-09-2009              4
2        590          Lilla Town Branch            Jhelum      12-09-2009              4
3        1733         Thaniel Kamal Branch         Jhelum      12-09-2009              4
4        815          Churghushti Branch Attock    Rawalpindi  12-09-2009              4
5        968          Mukhad Branch Attock         Rawalpindi  12-09-2009              4
6        1351         Kamra Branch Attock          Rawalpindi  12-09-2009              4
7        486          Main Branch Sakardu          Gilgit      09-09-2009              7
8        504          Chillas Branch               Gilgit      14-09-2009              2
9        873          Karimabad Branch             Gilgit      15-07-2009              63
10       874          Mehdiiabad Branch            Gilgit      07-09-2009              9
11       885          Astore Branch                Gilgit      04-09-2009              12
12       886          Gupis Branch                 Gilgit      07-09-2009              9
13       888          Khaplu Branch                Gilgit      10-09-2009              6
14       893          Janglot Branch               Gilgit      08-08-2009              39
15       1434         Jutyal Cantt. Branch         Gilgit      10-09-2009              6
In case of a disaster at a branch, particularly in the Gilgit Region, up-to-date data may not be obtainable from Head Office for restoration. Further, late / delayed submission of DTRs by branches results in incomplete data, and an incomplete backup, at HO for the generation of various reports.
Recommendations:
The RDC should seek the help of the ROC in obtaining timely submission of DTRs by the branches. In exceptional cases, approval of the ROC may be made a requirement for delinquent branches before the RDC conveys the hash values that allow those branches to continue their operations without having sent their DTRs to HO.
Management Comments:
4.09 Information of User IDs:
According to the Security and QA Unit, IT Group, the RDCs must verify the validity of user IDs with the branches and regions every 15 days and must send the report to the IT Security and QA Unit.
During the audit it was observed that the RDC was not in the practice of sending the user ID information to the branches for verification, or to the QA Unit, IT Group, Head Office.
Recommendations:
The RDC management should send the user ID information to the QA Unit, IT Group, Head Office, after verification by the branches.
Management Comments:
4.10 Non-Completion of KYC Formalities:
A procedural discrepancy, namely the non-insertion of CNIC numbers, was observed during the course of the audit. There are 4,762 accounts in the branches under the jurisdiction of the auditee RDC for which incomplete or old NIC numbers have been recorded. Some instances are as under:
Sr. No. Branch Code Application No. Application Date C.N.I.C. No.
1 394 2807 04-09-2006 13
2 1725 4537 20-05-2006 27
3 1732 397 11-05-2004 101
4 1732 379 24-04-2004 121
5 1732 220 15-12-2003 204
6 1732 249 29-01-2004 210
7 1732 318 15-03-2004 210
8 1732 1328 16-03-2006 210
9 1732 699 09-12-2004 210
10 1732 864 16-03-2005 210
11 1732 354 06-04-2004 212
12 1732 340 25-03-2004 226
13 1732 421 26-05-2004 226
14 1732 1164 11-10-2005 232
15 1732 345 29-03-2004 253
16 1732 301 05-03-2004 333
17 1732 1333 24-03-2006 345
18 1732 258 14-02-2004 372
19 1732 298 05-03-2004 374
20 1732 322 16-03-2004 374
Persons whose credentials are not genuine may get accounts opened for fraudulent / unauthorized transactions.
Recommendations:
The branches concerned should obtain valid CNIC numbers for these accounts and complete the KYC formalities, and the remaining accounts with incomplete or old NIC numbers should be rectified in the same way.
Management Comments:
4.11 Access Control Facility Evaluation:
For each security standard and its related implementation specifications, the organization needs to establish criteria for Access Control Facility evaluation.
During the audit it was observed that the auditee RDC has not implemented any Access Control Facility evaluation criteria.
Recommendations:
The auditee RDC management should implement Access Control Facility evaluation criteria covering the following:
Identification/Authentication Function:
1. Verify that the user's claimed identity is verifiable, and that the user identification is a unique, auditable representation that can be used for accountability.
2. Verify that mechanisms exist to restrict access to computer resources (i.e. programs, data files, transactions and commands) to authorized users.
3. Ensure that sufficient security information about user actions, or about processes acting on their behalf, is logged and provides a management trail to support auditing.
4. Verify that administrative controls ensure the continued protection of data as defined by the owner, and that security deviations are detected and corrected.
Management Comments:
5. Continuity of Operations
Disaster recovery for systems typically focuses on making alternative processes and resources available for transaction processing. A Disaster Recovery Plan (DRP) should reduce the length of the recovery time needed and the costs associated with recovery. Proper planning will mitigate the risk and impact of a major business interruption. Although a DRP increases pre- and post-incident operational costs, the extra costs are more than offset by reduced recovery and business-impact costs. A disaster can be defined as a disruption that causes critical information resources to be inoperative for a period of time, adversely affecting business operations. A Business Continuity Plan (BCP) is the result of a planning process intended to ensure that critical business functions can withstand a variety of emergencies. Disaster-recovery plans deal with the immediate restoration of the organization's business systems, while the business continuity plan also deals with the longer-term issues before, during and after the disaster. The critical areas to be covered are:-
5.01 Testing of Backup Tapes:
There is no policy regarding the restoration and checking of the validity, accuracy and consistency of data backups. In the absence of such a policy, the validity and accuracy of data backups cannot be ensured. Further, no evidence of testing of data backups during the audit period was found at the RDC.
Recommendations:
Every type of backup medium should be checked periodically for reliability by restoring it on a separate machine / partition, to avoid surprises when it is needed.
The process should be carried out by authorized personnel, who should document at a minimum the testing date, the type of data and the result of the test.
Management Comments:
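The following Python script is an added illustration by the technical editor; it is not an NBP procedure or tool and is not part of the audit report. It carries out the restore test recommended above in miniature: a tar archive stands in for the backup medium, it is restored into a scratch directory (the "separate machine / partition"), every file is compared with a SHA-256 manifest taken when the backup was made, and the result is returned as the log entry the recommendation asks for (testing date, type of data, tester, result). The sample files, the manifest and the deliberate corruption are constructed for the example; archive member names are not trusted, so a path that would escape the scratch directory is reported rather than written.

```python
"""Restore-test a backup archive and record the result.

Added illustration for this report, not an NBP procedure or tool. A tar archive
stands in for the backup medium; it is restored into a scratch directory (the
"separate machine / partition" of the recommendation), every file is compared
with a SHA-256 manifest taken when the backup was made, and the function returns
the log entry the recommendation asks for: date, type of data, tester, result.
The sample files and the corruption below are constructed for the example.
"""
import hashlib
import io
import tarfile
import tempfile
from datetime import date
from pathlib import Path

SAMPLE_FILES = {  # constructed stand-ins for a BBO branch's daily data
    "daybook_2009-09-14.txt": b"0882 BLUE AREA DAYBOOK 14-09-2009 ...\n",
    "accounts_2009-09-14.csv": b"acct,balance\n1001,250000\n1002,9120\n",
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def make_backup(files):
    """Build a tar archive from {name: bytes}; return (archive, manifest)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue(), {name: sha256(data) for name, data in files.items()}


def corrupt(archive):
    """Flip one byte of the first file's data (the header is the first 512 bytes)."""
    return archive[:512] + bytes([archive[512] ^ 0xFF]) + archive[513:]


def verify_restore(archive, manifest, data_type, tester, test_date=None):
    """Restore the archive into a scratch directory and compare with the manifest.

    Archive member names are not trusted: absolute paths and '..' components are
    refused rather than written outside the scratch directory.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
                for member in tar.getmembers():
                    if member.name.startswith("/") or ".." in Path(member.name).parts:
                        problems.append(f"unsafe path in archive: {member.name}")
                        continue
                    if member.isfile():
                        target = Path(scratch, member.name)
                        target.parent.mkdir(parents=True, exist_ok=True)
                        target.write_bytes(tar.extractfile(member).read())
        except tarfile.TarError as exc:
            problems.append(f"archive unreadable: {exc}")
        for name, expected in manifest.items():
            path = Path(scratch, name)
            if not path.is_file():
                problems.append(f"missing: {name}")
            elif sha256(path.read_bytes()) != expected:
                problems.append(f"checksum mismatch: {name}")
    return {
        "date": test_date or date.today().isoformat(),
        "data_type": data_type,
        "tested_by": tester,
        "result": "PASS" if not problems else "FAIL",
        "details": problems,
    }


if __name__ == "__main__":
    archive, manifest = make_backup(SAMPLE_FILES)
    print(verify_restore(archive, manifest, "BBO daily data", "RDC operator", "2009-09-16"))
    print(verify_restore(corrupt(archive), manifest, "BBO daily data", "RDC operator", "2009-09-16"))
```

The manifest must be produced at backup time and kept apart from the medium; a restore that merely succeeds proves only that the medium is readable, while the checksum comparison is what shows that the data restored is the data that was backed up.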
6. Operating System Platform Security
An operating system defines the user interface, permits users to share hardware and data, schedules resources among users, informs users of any errors that occur with the processor, provides file management, handles communication between the operating system and application programs, etc.
A review of the operating system (OS/400) is performed to assess the level of security on the AS/400 machines in the bank. During the review the critical areas covered are:
1) Network attributes
5) User Management
6) Sensitive Commands
7) Critical Libraries.
6.01 General Security System Values:
iSeries™ Environment
General Security System Values specify the level of control / security in force on the system. During the audit the following discrepancies were found in the General Security System Values:
The QALWOBJRST system value determines whether objects that are security-sensitive may be restored to the system. It can be used to prevent anyone from restoring a system-state object or an object that adopts authority.
The detail of QALWOBJRST (IBM Recommended Value and Current Value) is as under:
Parameter    IBM Recommended Value  NBP Recommended Value  Current Value
QALWOBJRST   *NONE                  -                      *ALL
The QALWOBJRST system value provides a method of protecting the system from programs that may cause serious problems. For normal operations it should be set to *NONE. With the current value of *ALL, anyone with restore authority can bring a system-state or authority-adopting program onto the system. The value should be raised to *ALL only for the duration of an operating-system or licensed-program installation or a full system restore, and returned to *NONE afterwards.
The QCRTAUT system value determines the public authority for a newly created object when both of the following conditions are met:
1. The create authority (CRTAUT) of the library of the new object is set to *SYSVAL.
2. The new object is created with public authority (AUT) of *LIBCRTAUT.
The detail of QCRTAUT (IBM Recommended Value and Current Value) is as under:
Parameter    IBM Recommended Value  NBP Recommended Value  Current Value
QCRTAUT      *CHANGE                -                      *EXCLUDE
*EXCLUDE is more restrictive than *CHANGE, so the current value does not weaken security relative to IBM's recommendation. It should, however, be confirmed that the setting is intentional and that applications creating objects in libraries with CRTAUT(*SYSVAL) grant the required authorities explicitly rather than relying on public authority.
The QINACTITV system value specifies, in minutes, how long the system allows a job to be inactive before taking action. A workstation is considered inactive if it is waiting at a menu or display, or if it is waiting for message input with no user interaction. Emulation sessions through Client Access are included. Local jobs that are signed on to a remote system are excluded, as are jobs connected by file transfer protocol (FTP); prior to Version 4 Release 2, telnet jobs were also excluded. To control the time-out of FTP connections, change the INACTTIMO parameter on the Change FTP Attribute (CHGFTPA) command. To control the time-out of telnet sessions prior to V4R2, use the Change Telnet Attribute (CHGTELNA) command.
Following are examples of how the system determines which jobs are inactive:
1. A user uses the system request function to start a second interactive job. A system interaction, such as the Enter key, on either job causes both jobs to be marked as active.
2. A Client Access job may appear inactive to the system if the user is performing PC functions such as editing a document without interacting with the AS/400 system.
The QINACTMSGQ system value determines what action the system takes when an inactive
job exceeds the specified interval.
When the system is started, it checks for inactive jobs at the interval specified by the
QINACTITV system value. For example, if the system is started at 9:46 in the morning and
the QINACTITV system value is 30 minutes, it checks for inactive jobs at 10:16, 10:46, 11:16,
and so on. If it discovers a job that has been inactive for 30 minutes or more, it takes the
action specified by the QINACTMSGQ system value. In this example, if a job becomes
inactive at 10:17, it will not be acted upon until 11:16. At the 10:46 check, it has been inactive
for only 29 minutes.
The QINACTITV and QINACTMSGQ system values provide security by preventing users
from leaving inactive workstations signed on. An inactive workstation might allow an
unauthorized person access to the system.
The detail of QINACTITV (IBM Recommended Value and Current Value) is as under:
Parameter    IBM Recommended Value  NBP Recommended Value  Current Value
QINACTITV    60                     10                     10
1. What is the recommendation for QINACTITV? Do we agree with the current value?
2. What about the current value and recommended value for QINACTMSGQ?
3. Which IBM OS/400 version/release is in use at NBP? Depending on the release, the settings that control inactive FTP and telnet sessions (QINACTITV and INACTTIMO) change. Accordingly, the recommendations should include the settings to be used for these parameters.
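The following Python function is an added illustration by the technical editor, not IBM or NBP code and not part of the audit report. It reproduces the check schedule described above (a check every QINACTITV minutes counted from system start, acting on a job at the first check at which it has been inactive for a full interval) to show how long an abandoned workstation actually stays signed on. Times are same-day "HH:MM" strings; the 09:46 start and the 10:17 job are the report's own example, and the 10-minute case is the RDC's current value.

```python
"""When does OS/400 act on an inactive job?

Added illustration for this report, not IBM or NBP code. It reproduces the
schedule described in the report: the system checks for inactive jobs every
QINACTITV minutes counted from system start, and acts on a job at the first
check at which the job has been inactive for QINACTITV minutes or more.
Times are same-day "HH:MM" strings; 09:46 / 10:17 are the report's example.
"""
from datetime import datetime, timedelta


def _clock(hhmm):
    return datetime.strptime(hhmm, "%H:%M")


def inactivity_action_time(system_start, qinactitv, inactive_since):
    """Return the clock time ("HH:MM") of the check that acts on the job."""
    interval = timedelta(minutes=qinactitv)
    start, idle_from = _clock(system_start), _clock(inactive_since)
    check = start + interval                      # first check after system start
    while check < idle_from + interval:           # not yet idle for a full interval
        check += interval
    return check.strftime("%H:%M")


def effective_timeout_minutes(system_start, qinactitv, inactive_since):
    """Minutes an abandoned workstation really stays signed on."""
    acted = _clock(inactivity_action_time(system_start, qinactitv, inactive_since))
    return int((acted - _clock(inactive_since)).total_seconds() // 60)


def worst_case_timeout_minutes(qinactitv):
    """A job going idle one minute after a check waits almost two intervals."""
    return 2 * qinactitv - 1


if __name__ == "__main__":
    for itv in (30, 10):                          # report's example vs RDC current value
        print(itv, inactivity_action_time("09:46", itv, "10:17"),
              effective_timeout_minutes("09:46", itv, "10:17"),
              worst_case_timeout_minutes(itv))
```

Run as written, the 30-minute example is acted on at 11:16 (59 minutes idle) and the RDC's 10-minute value at 10:36 (19 minutes idle): the value configured is the minimum, and the real time-out ranges up to one minute short of twice it.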
The QLMTSECOFR system value controls whether a user with all-object (*ALLOBJ) or service (*SERVICE) special authority can sign on at any workstation. Limiting powerful user profiles to certain well-controlled workstations provides security protection. With the current value of 0, such profiles can sign on from any workstation, including automatically configured virtual devices.
The detail of QLMTSECOFR (IBM Recommended Value and Current Value) is as under:
Parameter    IBM Recommended Value  NBP Recommended Value  Current Value
QLMTSECOFR   1 (ON)                 0                      0
What is the recommendation? Does the value of 0 carry more risk than a value of 1?
The QMAXSGNACN system value determines what the system does when the maximum number of sign-on attempts (QMAXSIGN) is reached at a workstation. The possible values are 1 (vary off the device), 2 (disable the user profile) and 3 (both).
Vary off the device (values 1 and 3): the system disables the device by varying it off. The device is disabled only if the invalid sign-on attempts are consecutive on the same device. One valid sign-on resets the count of incorrect sign-on attempts for the device.
Disable the user profile (values 2 and 3): the system disables the user profile by changing its Status parameter to *DISABLED. The profile is disabled when the number of incorrect sign-on attempts for the user reaches the value in the QMAXSIGN system value, regardless of whether the attempts were made from the same or different devices. One valid sign-on resets the count of incorrect sign-on attempts in the user profile.
If the QSYSMSG message queue is created in QSYS, the message sent (CPF1397) contains the user and device name, so it is possible to control the disabling of the device based on the device being used.
If the QSECOFR profile is disabled, it is possible to sign on as QSECOFR at the console and enable the profile. If the console is varied off and no other user can vary it on, the system must be IPLed to make the console available.
The detail of QMAXSGNACN (IBM Recommended Value and Current Value) is as under:
Parameter    IBM Recommended Value  NBP Recommended Value  Current Value
QMAXSGNACN   3                      1                      1
With the current value of 1 only the device is varied off, so a user profile is never disabled however many invalid attempts are made against it from different devices; the recommended value of 3 closes this gap (see also QAUTOVRT below).
The QRETSVRSEC system value determines whether decryptable authentication information associated with user profiles or validation list entries can be retained on the system. If the value is changed from 1 to 0, the system removes the decryptable authentication information from the system.
The encrypted data field of a validation list entry is typically used to store authentication information. Applications specify whether to store the encrypted data in a decryptable or non-decryptable form. If an application chooses the decryptable form and the QRETSVRSEC value is changed from 1 to 0, the encrypted data field information is removed from the entry. If the encrypted data field of a validation list entry is stored in non-decryptable form, it is not affected by the QRETSVRSEC system value.
If there are a large number of user profiles or validation lists on the system when this change is made, the CHGSYSVAL command may run for an extended period of time.
The detail of QRETSVRSEC (IBM Recommended Value and Current Value) is as under:
Parameter    IBM Recommended Value  NBP Recommended Value  Current Value
QRETSVRSEC   0 (off)                -                      1
With the current value of 1, decryptable credentials retained on the system are exposed to anyone who obtains sufficient authority to read them. Before the value is changed to 0, the applications that rely on retained credentials (for example, server authentication entries added with ADDSVRAUTE) should be identified, because their stored authentication data will be removed.
The Security-Related System Values specify system values that relate to security on the system. There
was following discrepancy in Security-Related System Values:
The QAUTOVRT system value specifies whether pass-through virtual devices and TELNET
full screen virtual devices (as opposed to the workstation function virtual device) are
automatically configured.
A virtual device is a device description that does not have hardware associated with it. It is
used to form a connection between a user and a physical workstation attached to a remote
system.
Allowing the system to automatically configure virtual devices makes it easier for users to
break into your system using pass-through or telnet. Without automatic configuration, a user
attempting to break in has a limited number of attempts at each virtual device. The limit is
defined by the security officer using the QMAXSIGN system value. With automatic
configuration active, the actual limit is higher. The system sign-on limit is multiplied by the
number of virtual devices that can be created by the automatic configuration support. This
support is defined by the QAUTOVRT system value.
The detail of QAUTOVRT (IBM Recommended Value and Current Value) is as under:

Parameter   IBM Recommended Value   NBP Recommended Value   Current Value
QAUTOVRT    0 (OFF)                 2500                    1000
The system values that apply to passwords specify the requirements for password settings. The following discrepancies were found in the system values that apply to passwords:
The detail of QPWDMINLEN (IBM Recommended Value and Current Value) is as under:

Parameter    IBM Recommended Value   NBP Recommended Value   Current Value
QPWDMINLEN   6                       4                       4

The recommended value is 6, to prevent users from assigning passwords that are easily guessed, such as initials or a single character.
The QPWDPOSDIF system value controls the position of each character in a new password.
This provides additional security by preventing users from using the same character
(alphabetic or numeric) in a position corresponding to the same position in the previous
password.
The detail of QPWDPOSDIF (IBM Recommended Value and Current Value) is as under:

Parameter    IBM Recommended Value   NBP Recommended Value   Current Value
QPWDPOSDIF   1 (ON)                  -                       1

QPWDPOSDIF = 1 is the setting that enforces this restriction and is the value IBM recommends (the system is shipped with 0, which does not restrict character positions). The current value already matches the recommendation, so no change is required here; NBP should record 1 as its own recommended value for this parameter.
The system values that control auditing specify which security events are recorded on the system. The following discrepancy was found in the system values that control auditing:
The QAUDLVL system value determines which security-related events are logged to the
security audit journal (QAUDJRN) for all system users. You can specify more than one value
for the QAUDLVL system value, unless you specify *NONE.
The detail of QAUDLVL (IBM Recommended Value and Current Value) is as under:

Parameter   IBM Recommended Value                        NBP Recommended Value   Current Value
QAUDLVL     Minimum:  *AUTFAIL *SERVICE                  -                       *CREATE *DELETE *OBJMGT
            Optional: *SECURITY *CREATE *DELETE                                  *SAVRST *SECURITY *SPLFDTA
                      *NETCMN *OBJMGT *OPTICAL *PGMFAIL                          *PRTDTA
                      *JOBDTA *PRTDTA

The current value omits *AUTFAIL and *SERVICE, which IBM lists as the minimum, so authority failures (including invalid sign-on attempts) and use of service tools are not being written to QAUDJRN.
Network attributes control how your system communicates with other systems. Some network
attributes control how remote requests to process jobs and access information are handled. These
network attributes directly affect security on your system.
The following discrepancies were found in the network attributes:
The PCSACC network attribute determines how the Client Access licensed program processes
requests from attached personal computers to access objects. The PCSACC network attribute
controls whether personal computer jobs can access objects on the AS/400 system, not
whether the personal computer can use workstation emulation.
The detail of PCSACC (IBM Recommended Value and Current Value) is as under:

Parameter   IBM Recommended Value             NBP Recommended Value   Current Value
PCSACC      Preferred:  *REGFAC or *REJECT    -                       *OBJAUT
            Acceptable: exit program name
Normal security measures on your system may not be sufficient protections if the Client
Access program is installed on your system. For example, if a user has *USE authority to a file
and the PCSACC network attribute is *OBJAUT, the user can use the Client Access program
and a program on the personal computer to transfer that entire file to the personal computer.
The user can then copy the data to a PC diskette or tape and remove it from the premises.
Was the above-mentioned activity verified and tested at RDC Islamabad to support the
finding? What will be the method to prevent access to objects if the PCSACC value is
set to *OBJAUT, as recommended?
The DDMACC network attribute determines how the system processes requests from other
systems to access data using the distributed data management (DDM) or the distributed
relational database function.
The detail of DDMACC (IBM Recommended Value and Current Value) is as under:

Parameter   IBM Recommended Value   NBP Recommended Value   Current Value
DDMACC      *REJECT                 -                       *OBJAUT
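The following script is an added example and is not part of the audit nor IBM's or NBP's own tooling. It compares the system values and network attributes reviewed in this section with the IBM / NBP baseline quoted above and prints the CL command that would bring each deviating value to baseline. The CURRENT values are the ones reported for RDC Islamabad; the QMAXSIGN and QPWDEXPITV entries, the QMAXSIGN target of 5 and the other target values in REMEDIATION are assumptions made for the example.

```python
"""Added example, not part of the audit and not IBM's or NBP's own
tooling: compare IBM i security system values and network attributes
with the IBM / NBP baseline quoted in section 6.  CURRENT holds the
values the audit reports for RDC Islamabad; QMAXSIGN and QPWDEXPITV are
assumed from findings 8.02 / 8.03, and every target in REMEDIATION is an
assumption for the example."""
from typing import Callable, Dict, List, Optional, Tuple

# Values as reported in the audit tables (QMAXSIGN / QPWDEXPITV assumed).
CURRENT: Dict[str, str] = {
    "QMAXSGNACN": "1",
    "QRETSVRSEC": "1",
    "QAUTOVRT": "1000",
    "QPWDMINLEN": "4",
    "QPWDPOSDIF": "1",
    "QAUDLVL": "*CREATE *DELETE *OBJMGT *SAVRST *SECURITY *SPLFDTA *PRTDTA",
    "PCSACC": "*OBJAUT",
    "DDMACC": "*OBJAUT",
    "QMAXSIGN": "*NOMAX",      # assumption consistent with finding 8.03
    "QPWDEXPITV": "*NOMAX",    # assumption consistent with finding 8.02
}

def nomax_or_int(v: str) -> Optional[int]:
    """'*NOMAX' means unlimited and maps to None; anything else is an integer."""
    return None if v.strip().upper() == "*NOMAX" else int(v)

def bounded(v: str, limit: int) -> bool:
    """True when v is a finite value no greater than limit."""
    n = nomax_or_int(v)
    return n is not None and n <= limit

def audlvl_missing(v: str, minimum=("*AUTFAIL", "*SERVICE")) -> List[str]:
    """Entries of the IBM minimum set absent from a multi-valued QAUDLVL string."""
    have = {x.upper() for x in v.split()}
    return [m for m in minimum if m not in have]

# (value name, acceptance test on the current value, baseline in words)
RULES: List[Tuple[str, Callable[[str], bool], str]] = [
    ("QMAXSGNACN", lambda v: v in ("2", "3"), "3: disable the profile as well as the device"),
    ("QRETSVRSEC", lambda v: v == "0", "0: do not retain decryptable authentication data"),
    ("QAUTOVRT",   lambda v: v == "0", "0: no automatic virtual device creation"),
    ("QPWDMINLEN", lambda v: int(v) >= 6, "6 or more characters"),
    ("QPWDPOSDIF", lambda v: v == "1", "1: no character in the same position as before"),
    ("QAUDLVL",    lambda v: not audlvl_missing(v), "at least *AUTFAIL and *SERVICE"),
    ("PCSACC",     lambda v: v in ("*REGFAC", "*REJECT") or not v.startswith("*"),
                   "*REGFAC, *REJECT or an exit program name"),
    ("DDMACC",     lambda v: v == "*REJECT", "*REJECT"),
    ("QMAXSIGN",   lambda v: bounded(v, 5), "finite, at most 5 attempts (assumed target)"),
    ("QPWDEXPITV", lambda v: bounded(v, 30), "30 days (NBP policy)"),
]

# CL that would apply the baseline; QAUDLVL keeps the current entries and adds the minimum.
REMEDIATION: Dict[str, str] = {
    "QMAXSGNACN": "CHGSYSVAL SYSVAL(QMAXSGNACN) VALUE('3')",
    "QRETSVRSEC": "CHGSYSVAL SYSVAL(QRETSVRSEC) VALUE('0')",
    "QAUTOVRT":   "CHGSYSVAL SYSVAL(QAUTOVRT) VALUE('0')",
    "QPWDMINLEN": "CHGSYSVAL SYSVAL(QPWDMINLEN) VALUE('6')",
    "QPWDPOSDIF": "CHGSYSVAL SYSVAL(QPWDPOSDIF) VALUE('1')",
    "QAUDLVL":    "CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*AUTFAIL *SERVICE *SECURITY *CREATE "
                  "*DELETE *OBJMGT *SAVRST *SPLFDTA *PRTDTA')",
    "PCSACC":     "CHGNETA PCSACC(*REGFAC)",
    "DDMACC":     "CHGNETA DDMACC(*REJECT)",
    "QMAXSIGN":   "CHGSYSVAL SYSVAL(QMAXSIGN) VALUE('5')",
    "QPWDEXPITV": "CHGSYSVAL SYSVAL(QPWDEXPITV) VALUE('30')",
}

def check(current: Dict[str, str]) -> List[Tuple[str, Optional[str], str, Optional[str]]]:
    """(name, current value, baseline, corrective CL) for every value off baseline."""
    out = []
    for name, accept, baseline in RULES:
        v = current.get(name)
        if v is None or not accept(v):
            out.append((name, v, baseline, REMEDIATION.get(name)))
    return out

def guess_budget(qmaxsign: str, qautovrt: str) -> Optional[int]:
    """Password guesses an attacker gets through auto-configured virtual
    devices: QMAXSIGN attempts on each of the QAUTOVRT devices the system
    will create on request.  None means unbounded (*NOMAX on either value)."""
    m, d = nomax_or_int(qmaxsign), nomax_or_int(qautovrt)
    return None if m is None or d is None else m * d

if __name__ == "__main__":
    for name, v, baseline, cmd in check(CURRENT):
        print(f"{name:<10} current {v!r:<32} expected {baseline}")
        if cmd:
            print(f"{'':10} -> {cmd}")
    print("guesses via auto-configured devices (QMAXSIGN 5, QAUTOVRT 1000):",
          guess_budget("5", "1000"))
```

Run against the audited values, every rule except QPWDPOSDIF reports a deviation. The guess_budget figure makes the QAUTOVRT paragraph concrete: even with QMAXSIGN brought down to 5, leaving QAUTOVRT at 1000 still hands a remote attacker 5000 attempts before any device-based lockout takes effect, which is why the two values have to be corrected together.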
Spool control (*SPLCTL) special authority allows the user to perform all spool control functions, such
as changing, deleting, displaying, holding and releasing spooled files. The user can perform these
functions on all output queues, regardless of any authorities for the output queue or the OPRCTL
parameter for the output queue.
*SPLCTL special authority also allows the user to manage job queues, including holding, releasing,
and clearing the job queue. The user can perform these functions on all job queues, regardless of any
authorities for the job queue or the OPRCTL parameter for the job queue.
During audit, it was observed that some CIF and Cash user profiles have been configured with
*SPLCTL special authority. A user with *SPLCTL special authority can perform any operation on
any spooled file in the system, so confidential spooled files (statements, reports) cannot be protected
from such a user. Instances are listed in Annexure 2.
Recommendations:
The auditee RDC is advised to assign authorities to user profiles according to each user's job, removing *SPLCTL from branch CIF and Cash profiles.
Management Comments:
Limited Capability applies to commands that are run from the command line, File Transfer Protocol
(FTP), REXEC, using the QCAPCMD API, or an option from a command grouping menu. You can
use the Limit capabilities field in the user profile to limit the user’s ability to enter commands. You
can also use it to override the initial program, initial menu, current library and
attention-key-handling program specified in the user profile. This field is one tool for preventing
users from experimenting on the system.
During audit, it was observed that some Cash user profiles have the Limited capabilities (LMTCPB) field set to *NO. Some instances are as under:

Sr. No.   User Profile   Group Profile   User Class   Owner     Limited Capability
1         C0415TOQIR     GROUPONLINE     *USER        *GRPPRF   *NO
2         C0474ASHRF     GROUPONLINE     *USER        *GRPPRF   *NO
3         C0474FERWA     GROUPONLINE     *USER        *GRPPRF   *NO

With LMTCPB(*NO), the user can enter any command from a command line (including through FTP, REXEC and the QCAPCMD API) and can change the initial program, initial menu, current library and attention-key-handling program of the profile, so the menu-based environment intended for a Cash user can be bypassed.
Recommendations:
Using an initial menu, restricting command line use and providing access to the menu allow you to
set up an environment for a user who does not need or want to access system functions.
Management Comments:
It was observed that the auditee RDC has not implemented the Standard Security Measures according
to the IT Circular Letter 01/2007 dated 16-06-2007 captioned as “Standard Security Measures for
Personal / Desktop Computers – Local Security Settings” for windows environment. Approximately
all the computers at RDC were found without the configuration instructed vide above referred
circular. The detail is a under:
A security template is a file, which represents a security configuration. Security templates are
representations of may be applied to a local computer. By using Local Security Setting, account
policies, local policies, public key policies and IP security policies can be modified for your local
computer.
Recommendations:
Local Security Policy should be implemented to improve the security of the systems placed at RDC.
Management Comments:
A file system is the overall structure in which files are named, stored and organized; it is the
underlying structure a computer uses to organize data on a hard disk. Windows 2000 and Windows XP
Professional support three file systems: FAT, FAT32 and NTFS.
During audit, it was observed that some computers of the auditee RDC were using the FAT32 file
system. The detail is as under:
Recommendations:
NTFS is the recommended file system for Windows 2000 and Windows XP Professional because it
supports several features that others do not i.e. security, fault tolerance, performance and
convenience. NTFS has always been a more powerful file system than FAT and FAT32.
In order to maintain access control on files and folders and to support limited accounts, use of NTFS is
recommended. FAT32 has no file-level permissions, so anyone who can log on to a FAT32 PC, or reach a
share on it, gets the same access to every file on the drive regardless of account type (administrator,
limited or standard). NTFS is a secure file system that allows you to control or restrict access to
individual files or directories. For example, if you want to allow your coworkers to view your files but
not change them, you can do this by using the access control lists (ACLs) provided by NTFS.
The following table describes the compatibility of each file system with various operating
systems.

NTFS    A computer running Windows XP or Windows 2000 can access files on an NTFS partition. A computer
        running Windows NT 4.0 with Service Pack 4 or later might be able to access some files. Other
        operating systems allow no access.
FAT     Access is available through MS-DOS, all versions of Windows, Windows NT, Windows 2000, Windows XP
        and OS/2.
FAT32   Access is available only through Windows 95 OSR2, Windows 98, Windows Millennium Edition,
        Windows 2000 and Windows XP.
The following table compares disk and file sizes possible with each file system.

NTFS    Volumes much larger than 2 terabytes (TB) are possible.
FAT     Does not support domains.
FAT32   In Windows XP, you can format a FAT32 volume up to 32 GB only.
The RDC Management should convert file system from FAT32 to NTFS.
Management Comments:
A firewall helps to keep computers more secure by restricting information that comes from other
computers. It gives more control over the data on the PC and provides a line of defence against
people or programs (including viruses and worms) that try to connect to the computer without
invitation.
A firewall guards the "doors" to the computer, that is, the ports through which Internet/network traffic
comes in and goes out. The firewall only lets traffic through the ports that have been specified as usable.
This has two security benefits:
Unsolicited connections from other computers cannot reach services listening on unguarded ports.
Programs on the computer cannot use unguarded ports to contact the outside world without permission.
During the review, it was observed that most of the computers at the RDC operate without a
firewall. This is a security threat because the computers are networked with each other, so a worm
or intruder that compromises one machine can reach the rest.
The finding should be supported by instances and by the type of firewall software that should be
installed, whether a network-based or a host-based firewall.
Recommendations:
Management Comments:
7. Network Security
The controls over network implementations are reviewed to ensure that standards are in place for designing and selecting
network architecture and for ensuring that the costs of procuring and operating the network do not exceed the benefits. The
unique nature of each network makes it difficult to define standard audit procedures. Modern networks mix several
kinds of devices and topologies (LANs, WANs, WLANs, WWANs etc.).
Communication networks (wide area or local area) generally include devices connected to the network as well as programs and
files supporting network operations. Control is established through a network control terminal and specialized communication
software. An IS auditor performing detailed network assessments and access control reviews determines the points of entry to the
system and then reviews the associated controls. Network control functions should be performed by technically qualified
operators. Network control functions should be separated, and the duties should be rotated on a regular basis, when possible.
Network-control software must restrict operators from performing certain functions (such as the capability to amend or
delete operator activity logs). Operations management should periodically review audit trails to detect any unauthorized network
operations activities. Network operations standards and protocols should be documented, made available to the operations staff,
and periodically reviewed to ensure compliance. Network access by the system engineers should be closely monitored
and reviewed to detect unauthorized access to the network. Analysis should be performed to ensure workload balance, fast
response time and system efficiency. The communications software should maintain a terminal identification file, to check the
authentication of a terminal when it tries to send or receive messages. When appropriate, data encryption should be used to
protect messages from disclosure during transmission.
The critical areas that are covered under Network Environment are:
1) Network Utilization
2) Network Infrastructure Security
3) Network Backup Systems
4) Network Documentation

Under ATM Controls the critical areas to be reviewed are:
1) Review measures to establish proper customer identification and maintenance of their confidentiality
2) Review of file maintenance and retention system to trace transactions
3) Review of execution reports to provide an audit trail
4) Review daily transactions of ATM machine transactions
5) Review procedures made for retained cards
6) Review key management procedures
Absence of an anti-virus application exposes the system to malware. Any virus, worm or malicious
application can destroy the system as well as its data.
Pirated software is illegal. An unlicensed anti-virus application receives no signature updates or vendor
support, can itself destroy confidential data, and the bank cannot hold the manufacturer responsible.
It was observed that the computer named "admin" was using ESET NOD32 Antivirus 4, which is
unlicensed and has not been approved by National Bank of Pakistan.
Recommendations:
Management Comments:
By using an administrator account for everyday work, a user exposes the machine to serious risk. If a
Trojan horse or virus attacks the machine while an administrator is logged on, it runs with administrator
rights and can embed itself deep in the operating system.
During audit, it was observed that almost all employees log on to Microsoft Windows XP as
Administrator instead of using limited accounts.
Recommendations:
The single most important step to protect a machine from viruses, worms and hackers is to use a
"limited user" account for everyday computer use. Limited accounts are so called because they are
limited: a user cannot install software or change certain computer settings when logged on with a
limited account. Limited accounts are more secure because they offer some protection from spyware
and viruses.
For that reason, the RDC staff should use a limited account for day-to-day computing.
Management Comments:
protect data in transit, for example data being transferred via networks. Encryption is one of your
biggest defenses.
Encryptors have not been installed on the following branches and other Regional Data Centres that
have links with RDC Islamabad. This means the communication of highly sensitive financial and
non-financial data between these branches and RDCs is unsecured.
Recommendations:
The RDC should immediately take up the matter with ITG to install the Encryptors on all links
currently without encryptors.
Management Comments:
Sixteen encryptors have been installed at branches under the auditee RDC. Except at two
branches, no encryptor was found functioning. The list of non-functioning encryptors is as
under:
Recommendations:
Communication without encryptors is extremely risky. RDC should take corrective steps to make the
encryptors functional and so secure data traffic on NBP's network.
Management Comments:
Active Directory is at the heart of any Microsoft network. It performs a variety of functions,
including providing information on objects, organizing these objects for easy retrieval and access,
allowing access by end users and administrators, and allowing the administrator to set up security for
the directory.
Active Directory also allows administrators to assign policies, deploy software and apply critical
updates to systems. It stores information and settings in a central database and allows the
administrator to update all end-user computers with new software, patches, files, etc. simply by
updating one object in the directory.
During the audit, it was observed that the Active Directory has not been fully implemented which
can result into audit control failures including: control of system and user environments, password
management, use of role based authority, and enforced logging to create audit trails.
Recommendations:
Implementation of Active Directory is recommended to obtain an efficiently working centralized
environment, effective operation of network communication equipment and proper monitoring of
activities in the system.
Management Comments:
It was observed that the concerned staff at RDC simply review the operational status of ATMs on an
hourly basis and direct the concerned branches / staff to take corrective action to restore the ATMs
where needed. There is no activity to record the automatic logs of run-time ATM errors for review by
the RDC and Regional Office management and to ensure preventive measures against similar errors.
Recommendations:
The RDC management should introduce the effective ATM management system in coordination with
the Regional Management and the ITG to ensure the continuous availability of ATM services to the
clients.
Management Comments:
1) Data input controls related to the control of information prior to system input
2) Processing Controls
3) Data Output Controls
4) Access Control
5) Program Change Controls
iSeries™ Environment
Finding No. 8.01 User Profiles with Default Passwords:
Passwords are the keys to enter a system and the complicated passwords prove as more effective keys
as compared to the simple one. Further, the easier or default passwords can easily be guessed by the
co workers and can be used for unauthorized activities.
While reviewing the system, it was observed that 121 users created on the system for various banking
activities have so far not changed their default password, despite the lapse of a long time, since the
profiles were not created with the password set to expired and no maximum password age is defined.
The list of user profiles with default passwords is as under:
Sr. No.   User Profile   Status     Password Expired   Text
1         ATMLINK        *ENABLED   *NO                User create for ATM switching 21-10-2003
2         BACKUP         *ENABLED   *NO                ATM Link 1
3         CAMSTST1       *ENABLED   *NO                User for backup
4         CIF0330001     *ENABLED   *NO                As requested by Head Office
5         CIF0474002     *ENABLED   *NO                CIF User for Branch 330
6         CIF0474003     *ENABLED   *NO                CIF User for Branch 474
7         CIF0474004     *ENABLED   *NO                CIF User for Branch 474
8         CIF0474005     *ENABLED   *NO                CIF User for Branch 474
9         CIF0474006     *ENABLED   *NO                CIF User for Branch 474
10        CIF0474007     *ENABLED   *NO                CIF User for Branch 474
11        CIF0501001     *ENABLED   *NO                CIF User for Branch 501
Recommendations:
New user profiles should be created with the password set to expired (PWDEXP(*YES)) and a reasonable
password expiration interval (QPWDEXPITV) should be defined, so that the default password must be
changed at the first sign-on. This protects a new user profile from being used by someone other than its
intended owner.
Furthermore, use the password composition system values to prevent users from assigning trivial
passwords. RDC management should implement appropriate measures, including the
implementation of an IT security policy regarding passwords.
Management Comments:
Dear Imam! 8.02 and 8.04 appear the same; you can merge them into one.
Part of the security features of the system is a password expiration policy. Regular changing of
passwords, in some environments, is a sound policy that adds to system security. The Password
Expiration Interval system value controls the number of days allowed before a password must be
changed. If a user attempts to sign on after the password has expired, the system shows a display
requiring that the password be changed before the user is allowed to sign on.
During audit, it was observed that the auditee RDC has not implemented a password expiration
policy. There are 298 enabled user profiles (Annexure 3 is attached), and 283 passwords
(Annexure 4 is attached) have never expired, i.e. they have not been changed according to any
password expiration interval.
Recommendations:
Passwords must be changed at the interval set by the organization's security guidelines, which is 30 days
at NBP. The risk is highest when users are never required to change their login password, and it falls as
the expiration interval is shortened and enforced.
Management Comments:
The Maximum Sign-On Attempts (QMAXSIGN) system value controls the number of consecutive incorrect
sign-on attempts allowed for a user. When the maximum number of incorrect sign-on attempts is reached,
the QMAXSGNACN system value determines the action to be taken; normally the device is varied off, the
user profile is disabled, or both, so that further attempts are blocked as a security measure.
During audit, it was observed that no effective limit is enforced: the profiles below remain *ENABLED
after accumulating dozens of invalid sign-on attempts, which allows users, or anyone guessing their
passwords, to keep attempting without limit. The detail is as under:
Sr. No.   User Profile   Profile Status   Not Valid Sign-ons
1 C0395BILAL *ENABLED 77
2 T1623SAGIR *ENABLED 70
3 CIF0341006 *ENABLED 68
4 C0425SAJAD *ENABLED 45
5 C1932EJAZ *ENABLED 45
6 T1780FERWA *ENABLED 36
7 CIF0341001 *ENABLED 32
8 C1780GHORI *ENABLED 232
9 ITM *ENABLED 24
10 C0341TQEER *ENABLED 20
11 T0395QAYUM *ENABLED 20
12 CIF1858001 *ENABLED 19
13 T0642ZAHID *ENABLED 19
14 T1623HANIF *ENABLED 17
15 CIF1780001 *ENABLED 16
16 C1531ARSHD *ENABLED 14
17 T0474SAEED *ENABLED 14
18 T0332SHKEL *ENABLED 11
19 WASI *ENABLED 11
20 CIF0341002 *ENABLED 10
21 V0425ARIF *ENABLED 10
22 C0399TARIQ *ENABLED 9
23 C0854AHMED *ENABLED 9
24 C1858ASIF *ENABLED 9
25 T0341NASIR *ENABLED 9
26 T0880FIDA *ENABLED 9
27 C0332IMRAN *ENABLED 8
28 IKRAM *ENABLED 8
29 T0341TQEER *ENABLED 8
30 T0854SHAH *ENABLED 8
31 CIF0474001 *ENABLED 7
32 CIF0854001 *ENABLED 7
33 CIF1725001 *ENABLED 7
34 C0415SAMIR *ENABLED 7
35 C0880NAEEM *ENABLED 7
36 C1932AMBER *ENABLED 7
37 G0501SAEED *ENABLED 7
38 T0854ALI *ENABLED 7
39 CIF0341003 *ENABLED 6
40 C0330KHALD *ENABLED 6
41 S0474ULLAH *ENABLED 6
42 CIF0341005 *ENABLED 5
43 CIF0344001 *ENABLED 5
44 C0341AHSAN *ENABLED 5
45 C0341NIGHT *ENABLED 5
46 C0977INAYT *ENABLED 5
47 C9876STF15 *ENABLED 5
48 N1858TAHIR *ENABLED 5
49 T1623ZAHID *ENABLED 5
Recommendations:
The Maximum Sign-On Attempts (QMAXSIGN) system value should be set to a small finite limit as per
security policy, with QMAXSGNACN set to disable the profile, to guard against password-guessing
attempts and the resulting frauds and forgeries.
Management Comments:
The Password Expiration Interval (QPWDEXPITV) system value controls the number of days
allowed before a password must be changed. If a user attempts to sign on after the password has
expired, the system shows a display requiring that the password be changed before the user is allowed
to sign on.
During audit, it was observed that the Password Expiration Interval (PWDEXPITV) parameter of some
user profiles has been set to *NOMAX. The profile-level parameter overrides the QPWDEXPITV system
value, so these users are never required to change their passwords, whatever the system value is set to.
The detail is as under:

Sr. No.   User Profile   Profile Status   Expiration Interval   Password Expired
1         ATMFTP         *ENABLED         *NOMAX                *NO
2         ATMIBM         *ENABLED         *NOMAX                *NO
Recommendations:
The National Bank of Pakistan has approved 30 days system value for Password Expiration Interval.
The RDC management should implement appropriate measures, including the Password Expiration
Interval.
Management Comments:
Finding No. 8.05 More than one Super User Profiles in one Branch:
User IDs for computer applications are as significant as the keys to a bank's strong room.
The purpose of allocating a Super User ID is to ensure that data is entered only by an authorized person
who takes full responsibility for the entered data. The Super User Profile is a logical control held by a
senior officer, say the Operations Manager of the branch, to control or supervise the overall working of the
branch staff. According to policy, there should be one super user in each branch.
During review of the Super User IDs, it was noted that the RDC has created two Super User
IDs in each of three branches. The detail is as under:
Recommendations:
Guidance / Policy related to more than one super user at branches should be asked from the ITG and
the number of users in a branch should be capped accordingly.
Management Comments:
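The following script is an added example and is not part of the audit nor NBP's or IBM's own tooling. It applies the checks behind findings 8.01 to 8.05 and the earlier *SPLCTL and Limited Capability observations to user profile records and emits the CHGUSRPRF command that would correct each one. The records are constructed to resemble DSPUSRPRF TYPE(*BASIC) output and are modelled on profile names quoted in this report; the field names, the branch naming convention (role letters, four-digit branch code, name), the default_password and super_user flags and the QMAXSIGN target of 5 are assumptions made for the example.

```python
"""Added example, not part of the audit and not NBP's or IBM's own
tooling: review IBM i user profile attributes for the conditions in
findings 8.01-8.05 and the *SPLCTL / LMTCPB observations, and emit the
CHGUSRPRF command that would correct each one.  Records are constructed
to resemble DSPUSRPRF TYPE(*BASIC) output; the field names, the branch
naming convention and the default_password / super_user flags are
assumptions made for this example."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Profile:
    name: str
    status: str = "*ENABLED"
    pwd_expired: str = "*NO"          # PWDEXP: *YES forces a change at next sign-on
    pwd_exp_itv: str = "*SYSVAL"      # PWDEXPITV: *SYSVAL, *NOMAX or 1-366 days
    invalid_signons: int = 0          # "Sign-on attempts not valid" counter
    spcaut: List[str] = field(default_factory=list)  # SPCAUT list
    lmtcpb: str = "*YES"              # LMTCPB: *YES, *PARTIAL or *NO
    default_password: bool = False    # assumption: as reported by ANZDFTPWD
    super_user: bool = False          # assumption: from the branch role list

# Assumption: branch profiles are <role letters><4-digit branch><name>,
# e.g. C0415TOQIR (Cash, branch 0415) or CIF0474002 (CIF, branch 0474).
BRANCH_RE = re.compile(r"^(CIF|[A-Z])(\d{4})")

def branch_of(p: Profile) -> Optional[str]:
    """4-digit branch code from the profile name, or None for system/service profiles."""
    m = BRANCH_RE.match(p.name)
    return m.group(2) if m else None

Finding = Tuple[str, str, Optional[str]]   # (subject, issue, corrective CL or None)

def review(profiles: List[Profile], max_sign: int = 5) -> List[Finding]:
    """Apply the audit's checks; max_sign is the assumed QMAXSIGN target."""
    out: List[Finding] = []
    super_users = defaultdict(list)
    for p in profiles:
        branch = branch_of(p)
        if p.default_password and p.pwd_expired == "*NO":          # 8.01
            out.append((p.name, "default password never changed",
                        f"CHGUSRPRF USRPRF({p.name}) PWDEXP(*YES)"))
        if p.pwd_exp_itv == "*NOMAX":                              # 8.04
            out.append((p.name, "PWDEXPITV *NOMAX overrides QPWDEXPITV",
                        f"CHGUSRPRF USRPRF({p.name}) PWDEXPITV(*SYSVAL)"))
        if p.status == "*ENABLED" and p.invalid_signons >= max_sign:   # 8.03
            out.append((p.name, f"{p.invalid_signons} invalid sign-ons, still enabled",
                        f"CHGUSRPRF USRPRF({p.name}) STATUS(*DISABLED)"))
        if branch is not None and "*SPLCTL" in p.spcaut:           # spool control
            keep = [a for a in p.spcaut if a != "*SPLCTL"] or ["*NONE"]
            out.append((p.name, "*SPLCTL on a branch profile",
                        f"CHGUSRPRF USRPRF({p.name}) SPCAUT({' '.join(keep)})"))
        if branch is not None and p.lmtcpb == "*NO":               # limited capability
            out.append((p.name, "command line not restricted (LMTCPB *NO)",
                        f"CHGUSRPRF USRPRF({p.name}) LMTCPB(*YES)"))
        if branch is not None and p.super_user:
            super_users[branch].append(p.name)
    for branch, names in sorted(super_users.items()):              # 8.05
        if len(names) > 1:   # policy: one super user per branch; no automatic fix
            out.append((f"branch {branch}",
                        f"{len(names)} super users: {', '.join(names)}", None))
    return out

# Constructed sample, modelled on profile names quoted in the audit.
SAMPLE = [
    Profile("ATMLINK", default_password=True),
    Profile("ATMFTP", pwd_exp_itv="*NOMAX"),
    Profile("C0395BILAL", invalid_signons=77),
    Profile("C0415TOQIR", spcaut=["*SPLCTL", "*JOBCTL"], lmtcpb="*NO", super_user=True),
    Profile("C0415SAMIR", super_user=True),
    Profile("CIF0474002", default_password=True, spcaut=["*SPLCTL"]),
    Profile("T1623SAGIR", invalid_signons=3),
]

if __name__ == "__main__":
    for subject, issue, cmd in review(SAMPLE):
        print(f"{subject:<12} {issue}")
        if cmd:
            print(f"{'':12} -> {cmd}")
```

The SPCAUT correction keeps whatever other special authorities the profile holds and only drops *SPLCTL, so a profile that legitimately needs *JOBCTL is not stripped to *NONE by accident. The disable action for profiles with many invalid sign-ons is what QMAXSGNACN would have done automatically had a finite QMAXSIGN been in force; the commands are printed for review rather than executed, which is the appropriate mode for an audit tool.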
The BBO branches send DTR data to Head Office (directly or through the RDC), but this data does not
contain non-financial data such as the profiles of user IDs. It is therefore not possible for the auditor
to check for unauthorized manipulation of the system by BBO branch users during the audit of
RDCs.
Recommendations:
ITG should be consulted to incorporate the data regarding the number of users in BBO branches and
their activity logs in the DTRs.
Management Comments:
Dear Imam! There is no audit finding in the text of Finding # 8.07; all this is a suggestion. You may
delete it.
The AS/400 family of systems covers a wide range of users. A small system might have three to five
users, and a large system might have several thousand users. Some installations have all their
workstations in a single, relatively secure, area. Others have widely distributed users, including users
who connect by dialing in and indirect users connected through personal computers or system
networks.
Security on the AS/400 system is flexible enough to meet the requirements of this wide range of users
and situations. You need to understand the features and options available so that you can adapt them
to your own security requirements.
Confidentiality:
Protecting against disclosing information to unauthorized people.
Restricting access to confidential information.
Protecting against curious system users and outsiders.
Integrity:
Protecting against unauthorized changes to data.
Restricting manipulation of data to authorized programs.
Providing assurance that data is trustworthy.
Availability:
Preventing accidental changes or destruction of data.
Protecting against attempts by outsiders to abuse or destroy system resources.
System security is implemented through system values, which allow you to customize
many characteristics of your system. A group of system values is used to define system-wide security
settings.
Although the Security & QA Unit of the Information Technology Group has recommended values for some
system values, a wide range of security-related system values still has no recommended value.
Recommendations:
System security is often associated with external threats, such as hackers or business rivals. However,
protection against system accidents by authorized system users is often the greatest benefit of a
well-designed security system. In a system without good security features, pressing the wrong key
might result in deleting important information. System security can prevent this type of accident.
The best security system functions cannot produce good results without good planning. Security that
is set up in small pieces, without planning, can be confusing. It is difficult to maintain and to audit.
Planning does not imply designing the security for every file, program and device in advance. It does
imply establishing an overall approach to security on the system and communicating that approach to
application designers, programmers and system users.
As you plan security on your system and decide how much security you need, consider these
questions:
Is there a company policy or standard that requires a certain level of security?
Do the company auditors require some level of security?
How important is your system and the data on it to your business?
How important is the error protection provided by the security features?
What are your company security requirements for the future?
The Information Technology Group should recommend values for the remaining security-related system
values, for the guidance of technical staff and IS auditors.
Management Comments:
We are thankful to all staff members of NBP Regional Data Centre Islamabad for their co-operation
and help.