
EDP Audit & Automation Wing, Audit & Inspection Group

Head Office, I.I. Chundrigar Road, Karachi.


Ph.: (021) 9212100 (50 Lines)
Website: www.nbp.com.pk

National Bank of Pakistan


Draft IS Audit Report – 2009
NBP Regional Data Centre Islamabad
Audit Conducted During 14-09-2009 To 18-09-2009

Conducted By:
1. Mashkoor Ahmed Khan, VP/Team Leader
2. Imam Bakhsh, OG-II/Team Member

(This Report is highly Confidential)

IS Audit Report 2009 – NBP Regional Data Centre Islamabad


National Bank of Pakistan
Regional Audit Office (Northern Region), Islamabad

Table of Contents
Sr. No. Description Page No.
1 Executive Summary
1.01 RDC Profile
1.02 Gist of Significant EDP Audit Findings
1.03 Conclusion and Recommendations
2 IS Audit of RDC Islamabad (Introduction)
2.01 Mission
2.02 Background
2.03 Objectives
2.04 Scope & Methodology
2.05 Disclaimer
3 General Controls
3.01 Surveillance System
3.02 Hardware Inventory
3.03 Emergency Exit
3.04 Instructions for Emergency
3.05 Identification (ID) Cards
3.06 Humidity and Temperature Recorder
4 Organizational Controls
4.01 Mandatory Leave Plan
4.02 Hardware Maintenance Log
4.03 Tagging of Fixed Assets
4.04 Maintenance Record of Computer Applications’ Users
4.05 ATM Support Officer Complaint Log Book
4.06 Maintenance of Leave Record
4.07 Abnormal ATM Down-Time
4.08 Delayed Submission of DTRs
4.09 Information of User IDs
4.10 Non-Completion of KYC Formalities
4.11 Access Control Facility Evaluation
5 Continuity of Operations
5.01 Testing of Backup Tapes
6 Operating System Platform Security
6.01 General Security System Values

6.02 Security-Related System Values
6.03 System Values that Apply to Password
6.04 System Values that Control Auditing
6.05 Security and Network Attributes
6.06 Spool Control (*SPLCTL) Special Authority
6.07 Limited Capability Special Authority
6.08 Local Security Setting
6.09 File System
6.10 Firewall
7 Network Security
7.01 Anti-virus
7.02 Usage of Administrator Account
7.03 Communication Links without Encryptors
7.04 Non-Functioned Encryptors
7.05 Active Directory
7.06 Non-Effective ATM Network Management System
8 Application Level Security & Controls
8.01 User Profiles with Default Passwords
8.02 Password Expiration
8.03 Maximum Sign-On Attempts
8.04 Password Expiration Interval
8.05 More than one Super User Profiles in one Branch
8.06 Non-Financial Data of BBO System
8.07 System Values
9 EDP Audit Rating


1. Executive Summary
1.01 RDC Profile:

The Regional Data Centre (RDC) provides automation services to 131 branches under the jurisdiction
of four regions, i.e. Islamabad, Rawalpindi, Jhelum and Gilgit. Out of the total 131 branches, only 29
branches are online; the remaining 102 branches work offline and are classified as BBO branches.

Name of the Regional Data Centre: Islamabad
Name of the IT Manager: Ch. Shafiq Humayun (VP)
Date of Posting of IT Manager: 2007
Telephone Nos. of RDC: 051-9205477, 9206184, 9209724
Fax No. of RDC:
E-Mail Address of RDC:
Version of Server: iSeries™
Version of Operating System: OS/400
Total No. of Significant Findings:

The detail of branches under the jurisdiction of RDC Islamabad is as under:-

Sr. No.  Region      Online Branches  BBO Branches  Total No. of Branches  ATMs
1        Islamabad   16               7             23                     18
2        Rawalpindi  11               55            66                     9
3        Jhelum      1                27            28                     -
4        Gilgit      1                13            14                     -
         Total       29               102           131                    27

The total staff at RDC Islamabad is 21, comprising one executive and 20 officers. Summary of staff
members is as under:

Sr. No.  Designation          Total
1        Executive            1
2        Officer Grade – I    7
3        Officer Grade – II   11
4        Officer Grade – III  2
         Total Staff          21


Detail of accounts maintained at the branches under the jurisdiction of the auditee RDC: (Imam, this
information is dated ????)

Sr. No.  Category of Branches  No. of Branches  No. of PLS Accounts  No. of Current Accounts  No. of Adv. Salary Accounts
1        Online Branches       29               198,590              32,710                   30,348
2        BBO Branches          102              306,445              117,636                  59,157
         Total                 131              505,035              150,346                  89,505

1.02 Gist of Significant Audit Findings:

XYZ

1.03 Conclusion and Recommendations:

XYZ


2. IS Audit of RDC Islamabad


The major applications include EBS for online branches and BBO for offline branches; other applications
include the Signature Verification System, CIF, ATM Operations, CBR System, Payroll System, CAMS,
IBR, NBP ROZGAR, and a number of small applications running for different domains. ITG computing
systems mainly reside on an IBM AS/400 machine operating under OS/400.

Main functions of the RDC are as under:

 Provides IT support to 131 branches in the Islamabad, Rawalpindi, Jhelum and Gilgit Regions
(monitors and facilitates the operation of online banking at branches and ATMs).
 Updates/posts data (day books etc.) of all BBO branches, either directly by the branches or
via the RDC.
 Operational support to the branches for updating PLS, Current and Advances accounts,
deduction of withholding tax and Zakat, classification of operative/inoperative accounts, etc.
 Generates and dispatches the account statements of all branches under RDC Islamabad
biannually.
 Operation of Provident Fund, Payroll, S&T and Weekly Schedule Telegram (WST).

2.02 Background:

Pursuant to the Bank's Audit Policy approved by the Board of Directors, the EDP Audit & Automation Wing
was formed within the Audit Group, Head Office in 2001. EDP A&AW, being part of the overall audit
process, is one of the facilitators of good corporate governance. It involves the process of collecting
and evaluating evidence to determine whether the existing IT systems safeguard assets, maintain
data integrity, achieve organizational goals effectively, and utilize the available resources efficiently.

In the light of the Bank's audit policy, and in conformity with internationally accepted best
practices, the Standards for the Professional Practice of Internal Auditing set out by the Institute of
Internal Auditors and the principles laid down by the Information Systems Audit and Control
Association (ISACA), a risk-based approach to IS audit has been adopted objectively and independently.
Accordingly, various functions/software/applications etc. are selected for IS audit based on the
level of risk involved.

2.03 Audit Objectives:

The primary objective of this audit assignment is to assess the adequacy and effectiveness of the
controls that manage the operational/business risk associated with the deployment of technology in
banking operations, and to suggest improvements to the controls to minimize those risks as per
best practices and standards.


Main IS Audit objectives are as under:

 To assess the adequacy and effectiveness of internal controls over user management, data input,
processing and output reports at various levels.

 To assess the adequacy and effectiveness of internal controls over the LAN / WAN
management.

 To assess the adequacy and effectiveness of internal controls over the management of various
systems, software and communication equipment within RDCs & branches.

 To assess the adequacy and effectiveness of internal controls over physical security of the place
of business / operations and IT equipment.

 To assess the adequacy and effectiveness of internal controls over management of Disaster
Recovery system / Business Continuity Planning.

 To assess the effectiveness and efficiency of Anti-Virus, Firewalls, DMZs, and Callback
Modems, etc.

2.04 Scope & Methodology:


Scope:

The scope of this audit encompasses the examination and evaluation of the adequacy and
effectiveness of internal controls and quality of performance being carried out at Regional Data
Center. The purpose of the review for adequacy of the system of internal control is to ascertain
whether it provides reasonable assurance that the objectives and goals are being met efficiently and
effectively.

IS Audit of RDC was conducted and the following tasks were reviewed:

 General Control Environment
 Organizational Control Environment
 Business Continuity Operations
 Network Security
 Operating System Level Security & Controls
 Application Level Security & Controls
 ATM Management


Methodology:

Various operations/functions of the RDC were reviewed on a random sample basis. During the audit,
interviews with various staff were conducted to understand the functions performed by them.
Further, different documents/reports were reviewed and analyzed, in addition to a physical check of
the systems and devices, to assess the effectiveness and efficiency of the system at the RDC.

2.05 Disclaimer:

It may be pointed out that the scope of this audit is limited as above. The review was conducted on
the basis of the information and records provided by the RDC management. The audit was conducted
during the period from 14th September to 18th September 2009, and the period of review was from the last
date of the previous audit to the start date of this audit. Any other changes that occur
subsequent to that may be furnished to the Audit Group for future reference.


3. General Controls
General level controls are designed to protect the organization from physical and environmental disasters. The Physical Security
domain addresses the threats, vulnerabilities, and countermeasures that can be utilized to physically protect an enterprise’s
resources and sensitive information. These resources include personnel, the facility in which they work, and the data,
equipment, support systems, and media with which they work. Physical security often refers to the measures taken to protect
systems, buildings, and their related supporting infrastructure against threats that are associated with the physical
environment.

A general controls review attempts to gain an overall impression of the controls that are present in the environment surrounding
the information systems. These include the organizational and administrative structure of the IS function, the existence of policies
and procedures for the day-to-day operations, availability of staff and their skills and the overall control environment. It is
important for the EDP auditor to obtain an understanding of these as they are the foundation on which other controls reside. A
general controls review would also include the infrastructure and environmental controls. A review of the data center should
cover the adequacy of air conditioning (temperature, humidity), power supply (uninterruptible power supplies, generators) and
smoke detectors/fire suppression systems, a conducive clean and dust free environment, protection from floods and water seepage
as well as neat and identifiable electrical and network cabling. The critical areas to be covered are:-

1) Physical Access Controls
2) Physical Security
3) Environmental Controls

Finding No. 3.01 Surveillance System:

CCTV cameras are necessary in data centres to capture and record activity; the recordings can
subsequently help in detecting, and deterring, unauthorized access to critical areas for malicious
purposes, as and when needed.

It is however observed that CCTV/surveillance cameras have not been installed at the RDC. The
same observation was raised in the last audit report, and the auditee management committed to get
the cameras/surveillance system installed by July 2009; however, the matter is still unresolved.

Recommendations:

The CCTV/surveillance cameras should be installed on urgent basis to improve the preventive and
detective controls at RDC.

Management Comments:


Finding No. 3.02 Hardware Inventory:

The Hardware Inventory provides a list of components, system information and devices installed on a
system for their effective control and management.

It is however observed that the detailed Hardware Inventory List has not been maintained at the
RDC.

Recommendations:

The RDC should keep the complete record of Hardware Inventory giving detail of System Model,
Hard Disk Model, CDRW/DVD Model, Serial No., Date of Purchase or Supply and Source of Supply,
etc.

Management Comments:

Finding No. 3.03 Emergency Exit:

An emergency exit in a structure is a special exit for emergencies such as fire. The combined use of
regular and emergency exits allows faster evacuation in case of emergency. Further, the emergency
exit provides an alternate safe passage if the regular exit is not accessible.

During the audit, it has been observed that there was no Emergency Exit in the RDC to evacuate the
premises in case of emergency.

Recommendations:

The RDC management should consider the options for the emergency exit to avoid the potential risks
to the life of staff working in the premises.

Management Comments:


Finding No. 3.04 Instructions for Emergency:

In many emergencies, timely action can be the key to saving someone's life, so it is extremely
important to know what to do in an emergency situation. In this regard, the display of important
instructions for handling emergency situations, important telephone numbers, etc. at prominent
places is highly desirable.

It is however observed that the instructions for emergencies and emergency phone numbers were not
pasted at prominent places in the auditee RDC.

Recommendations:

The instructions for emergencies and the list of emergency phone numbers should be pasted at
prominent places in the RDC and all the staff should be directed to go through these instructions for
actions in case of need.

Management Comments:

Finding No. 3.05 Identification (ID) Cards:

Identification cards are used in any organization to identify employees and to establish their
authority to enter specific/secured areas of operations at the premises.

It was however observed that the employees of the auditee Regional Data Centre were not wearing
the ID Cards while on duty.
Recommendations:

Employees should be instructed to wear NBP ID cards prominently while in the RDC premises. This
practice will help restrict unauthorized access of persons to the RDC and can further be monitored
through CCTV.


Management Comments:

Finding No. 3.06 Humidity and Temperature Recorder:

Excessive humidity in the server room not only increases the chance of early rusting of metallic
components in computer hardware but may also cause heavy condensation on items carried into or
out of the server room (i.e. moved from a higher to a lower temperature or vice versa), e.g. backup
tapes, CD-ROMs, etc. Similarly, abnormal temperature and humidity affect the performance of
computers and reduce their life.

The auditee RDC has installed the Humidity and Temperature Recorder in the Server Room to
maintain the temperature & humidity at optimum level, however, the recording of Humidity and
Temperature was set on “OFF” mode. Accordingly, record of changes in temperature & humidity was
not being maintained and monitored in the RDC.

Recommendations:

An un-optimized environment affects the efficiency of computer equipment. RDC management should
put the humidity and temperature recorder in "ON" mode and periodically monitor the environmental
conditions inside the server room to optimize the efficiency of costly equipment.

Management Comments:


4. Organizational Controls

The review of organizational controls determines whether the organizational structure, the IT resources used, and the control
policies and procedures in place are adequate to foster effective management information support. Management must be
clearly involved in the IT planning and decision-making process. Specific steps are as follows:-

1) Review job descriptions to see if the descriptions match the positions; if employees have duties in non-IT areas, be
aware of any conflicts which might exist.

2) Review documentation, policies and procedures, to determine if they are current.

3) Review training needs and policies.

Finding No. 4.01 Mandatory Leave Plan:

Continuous long stay of the staff on one particular seat reduces the effectiveness of the internal
control environment and may lead to fraudulent activities.

It was however, observed that the mandatory leave plan was not prepared at RDC which was
required as per President Office Circular No. 47 dated 08-11-2002.

Recommendations:

The auditee management should prepare Annual Mandatory Leave Plan and allow each member of
staff to avail mandatory leaves as per circular referred above.

Management Comments:

Finding No. 4.02 Hardware Maintenance Log:

The Maintenance Log of IT equipment is maintained for recording historical repairing. If hardware
maintenance log is not maintained then certain information like frequency of recurring problems
etc. cannot be obtained. During the audit, it was observed that the hardware maintenance logs were
not maintained by the auditee management.

Recommendation:


A hardware maintenance log should be maintained and even minor problems should be recorded.
This would help the staff of the RDC as well as the IT Group and vendors in having a record of past
trends to decide the future strategy.

Management Comments:

Finding No. 4.03 Tagging of Fixed Assets:

Tagging of fixed assets helps in timely recognition and stock-taking of inventory, in addition to
preventing their unauthorized movement.

It was however observed that the RDC has not tagged the available fixed assets with distinct
numbers.

Recommendation:

All the fixed assets at the RDC should be codified or properly tagged.

Management Comments:

Finding No. 4.04 Maintenance Record of Computer Applications’ Users:

The documentation of User IDs provides important evidence of the date and time of issuance of a
User ID to an individual, in addition to establishing the authority of the person requesting or
authorising the creation of the User ID. Furthermore, the actions of users can be held to account
according to the rights and authorities allocated to them.

According to Head Office instructions, the RDC receives request forms (User
Addition/Modification/Deletion Form) from the branches for the creation, modification or deletion of
User IDs for EBS with appropriate authorities as per job requirements. The concerned Branch
Manager authenticates these request forms. It was however observed that some of the formalities
were not completed in the following cases before the creation of User IDs.


1. Signatures of the requesting officers were not found on the request forms. Some instances are
as under:

Sr. No.  Name of Officer  Branch Name                         Date of Request  User IDs Created
1        Sajid Mehmood    Main Branch Islamabad               11-09-2009       C0341SAJID, T0341SAJID
2        Abdul Waheed     Cantonment Board Branch Rawalpindi  18-08-2009       S0642AAMIR
3        Imran Alam       Industrial Area Branch Islamabad    13-06-2009       C1531IMRAN, T1531IMRAN

2. In all the cases, the recommending officer had not verified the signature of the requesting
officer before formally requesting the RDC.
3. In all the cases, the signatures of the recommending officer/Branch Manager were not verified
by the RDC staff before creation of the User IDs.

Recommendations:

The concerned staff should complete the missing formalities to complete the documentation.

Management Comments:

Finding No. 4.05 ATM Support Officer Complaint Log Book:

As per Head Office Instruction Circular No. 47/2005 dated 28-04-2005, the Branches and RDCs need
to maintain logs of errors/problems (ATM Support Officer Complaint Log Book) on a real-time basis
to ensure timely action as well as accountability of the responsible staff. The ATM Support Officer
Complaint Log Book provides complete detail regarding machine maintenance.

However, the audit team observed that the RDC was maintaining an incomplete report, which did not
show the record of errors/problems and the actions taken to rectify them. Due to non-maintenance
of this record/report, the RDC and IT Group management do not get the factual position of errors,
the timeliness of corrective action by staff, or the total downtime of each ATM on a daily basis.


Recommendations:

The RDC management should maintain the ATM Support Officer Complaint Log Book according to
specified format. The format of ATM Maintenance Log Book is attached as per Annexure-1.

Management Comments:

Finding No. 4.06 Maintenance of Leave Record:

The leave record at the RDC has been maintained in detail as per Head Office instructions. However,
some discrepancies were observed in the allocation of utilized leave against the available Privilege
Leave and other leave balances. For instance, the 45 days of Hajj leave availed by Mr. Ikram-ul-Haq
and Mr. Wasi-ur-Rehman were charged to their Frozen Leave balances despite sufficient Privilege
Leave balances being available. The concerned staff, however, rectified the leave record on audit
pointation.

The Leave Record Register was not initialed by the concerned staff.

Recommendations:

The concerned staff should review the leave record of other staff and rectify the similar cases, if any.
Also the leave record Register should be initialed periodically.

Management Comments:

Finding No. 4.07 Abnormal ATM Down-Time:

While reviewing the Down-Time Report of ATMs operated under the RDC, it was observed that the
average downtime of ATMs was 23.09% in the first quarter and 28.58% in the second quarter of
2009. Downtime of this order is tantamount to the closure/non-operation of each ATM for roughly
5.5 to 7 hours every day.


Major causes of ATM non-functioning include power breakdowns, communication errors and
functional errors of the ATMs. The largest contributing factor to ATM downtime is power failure,
which accounted for 71% of overall ATM downtime.

Recommendations:

The operational management should take corrective action for continuous power supply by using
efficient UPS and generators to reduce the ATMs downtime. The matter may also be referred to the
Regional Operations and Compliance Chiefs for their necessary action.

Management Comments:

Finding No. 4.08 Delayed Submission of DTRs:

While reviewing the status of DTRs sent by BBO branches to Head Office (directly or through RDC),
it was observed that some branches have not sent the daily DTRs data to the Head Office. Detail of
some missing DTRs as on 16-09-2009 is appended below:

Sr. No.  Branch Code  Branch Name                 Region      Missing / Pending DTRs  Gap Days
1        882          Blue Area Branch Islamabad  Islamabad   12-09-2009              4
2        590          Lilla Town Branch           Jhelum      12-09-2009              4
3        1733         Thaniel Kamal Branch        Jhelum      12-09-2009              4
4        815          Churghushti Branch Attock   Rawalpindi  12-09-2009              4
5        968          Mukhad Branch Attock        Rawalpindi  12-09-2009              4
6        1351         Kamra Branch Attock         Rawalpindi  12-09-2009              4
7        486          Main Branch Sakardu         Gilgit      09-09-2009              7
8        504          Chillas Branch              Gilgit      14-09-2009              2
9        873          Karimabad Branch            Gilgit      15-07-2009              63
10       874          Mehdiiabad Branch           Gilgit      07-09-2009              9
11       885          Astore Branch               Gilgit      04-09-2009              12
12       886          Gupis Branch                Gilgit      07-09-2009              9
13       888          Khaplu Branch               Gilgit      10-09-2009              6
14       893          Janglot Branch              Gilgit      08-08-2009              39
15       1434         Jutyal Cantt. Branch        Gilgit      10-09-2009              6
16       1705         Sost Branch                 Gilgit      19-08-2009              28
17       1709         Keris Branch                Gilgit      07-09-2009              9
18       1713         Gulmit Branch               Gilgit      30-08-2009              17
19       2029         Gah Kuch Branch             Gilgit      28-08-2009              19

In case of a disaster at a branch, particularly in the Gilgit Region, up-to-date data may not be
available at Head Office for restoration. Further, late/delayed submission of DTRs by branches
results in incomplete data and backups at HO for the generation of various reports.

Recommendations:

RDC should seek the help of the ROC in ensuring timely submission of DTRs by the branches. In
exceptional cases, approval of the ROC may be made a requirement for delinquent branches before
the RDC conveys the hash values those branches need to continue their operations prior to sending
DTRs to HO.
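The following Python script is an added example, not part of this report or of any NBP system. It shows how the gap computation behind the table above can be automated so that delinquent branches are listed every day rather than discovered at audit time. It treats the date in the table as the date of the last DTR received (an assumption), allows a gap of one day before a branch is reported (also an assumption), and runs on a constructed sample that repeats a few rows of the table plus one hypothetical up-to-date branch (code 9999).

```python
"""Overdue DTR check: flag BBO branches whose last daily transaction report (DTR)
is older than the allowed gap, as on a given date."""
from datetime import date, datetime

AS_OF = date(2009, 9, 16)   # the "as on" date used in the finding
MAX_GAP_DAYS = 1            # assumption: one DTR per day, so a gap above 1 day is pending

# Constructed sample in the shape of the finding's table:
# (branch code, branch name, region, date of the last DTR received, dd-mm-yyyy)
LAST_DTR_RECEIVED = [
    (882, "Blue Area Branch Islamabad", "Islamabad", "12-09-2009"),
    (486, "Main Branch Sakardu", "Gilgit", "09-09-2009"),
    (504, "Chillas Branch", "Gilgit", "14-09-2009"),
    (873, "Karimabad Branch", "Gilgit", "15-07-2009"),
    (893, "Janglot Branch", "Gilgit", "08-08-2009"),
    (1705, "Sost Branch", "Gilgit", "19-08-2009"),
    (9999, "Constructed up-to-date branch", "Islamabad", "16-09-2009"),  # hypothetical code
]


def parse_ddmmyyyy(text):
    """Parse the dd-mm-yyyy form used throughout the report; raises ValueError on bad input."""
    return datetime.strptime(text, "%d-%m-%Y").date()


def gap_days(last_received, as_of=AS_OF):
    """Days elapsed between the last DTR received and the as-of date."""
    return (as_of - parse_ddmmyyyy(last_received)).days


def pending_dtrs(records, as_of=AS_OF, max_gap=MAX_GAP_DAYS):
    """Return (code, name, region, last_date, gap) for every branch whose gap exceeds
    max_gap, worst first, so the longest-outstanding branches head the list."""
    rows = []
    for code, name, region, last in records:
        gap = gap_days(last, as_of)
        if gap > max_gap:
            rows.append((code, name, region, last, gap))
    rows.sort(key=lambda r: (-r[4], r[0]))
    return rows


def pending_by_region(rows):
    """Count pending branches per region, to show where follow-up through the ROC is most needed."""
    counts = {}
    for _, _, region, _, _ in rows:
        counts[region] = counts.get(region, 0) + 1
    return counts


if __name__ == "__main__":
    pending = pending_dtrs(LAST_DTR_RECEIVED)
    print(f"Pending DTRs as on {AS_OF:%d-%m-%Y} (gap > {MAX_GAP_DAYS} day):")
    for code, name, region, last, gap in pending:
        print(f"  {code:>5}  {name:<30} {region:<10} last DTR {last}  gap {gap:>3} days")
    print("By region:", pending_by_region(pending))
```

Run daily against the RDC's own receipt log, the output is the same list the audit team had to compile by hand, and the per-region count tells the RDC which ROC to escalate to first.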

Management Comments:

Finding No. 4.09 Information of User IDs:

According to the Security and QA Unit, IT Group, the RDCs must verify the validity of User IDs with
the branches and regions every 15 days and must send the report to the IT Security and QA Unit.

During the audit, it was observed that the RDC was not in the practice of sending the User ID
information to the branches for verification, or to the QA Unit, IT Group, Head Office.

Recommendations:

The RDC management should send the information regarding User IDs to QA Unit, IT Group,
Head Office, after verification from branches.

Management Comments:


Finding No. 4.10 Non-Completion of KYC Formalities:

A procedural discrepancy, namely the non-insertion of CNIC numbers, was observed during the course
of the audit. There are 4,762 accounts in the branches under the jurisdiction of the auditee RDC for
which incomplete or old NIC numbers have been recorded. Some instances are as under:

Sr. No. Branch Code Application No. Application Date C.N.I.C. No.
1 394 2807 04-09-2006 13
2 1725 4537 20-05-2006 27
3 1732 397 11-05-2004 101
4 1732 379 24-04-2004 121
5 1732 220 15-12-2003 204
6 1732 249 29-01-2004 210
7 1732 318 15-03-2004 210
8 1732 1328 16-03-2006 210
9 1732 699 09-12-2004 210
10 1732 864 16-03-2005 210
11 1732 354 06-04-2004 212
12 1732 340 25-03-2004 226
13 1732 421 26-05-2004 226
14 1732 1164 11-10-2005 232
15 1732 345 29-03-2004 253
16 1732 301 05-03-2004 333
17 1732 1333 24-03-2006 345
18 1732 258 14-02-2004 372
19 1732 298 05-03-2004 374
20 1732 322 16-03-2004 374

Recommendations:

Persons with non-genuine credentials may get accounts opened for fraudulent/unauthorized
transactions.

The RDC/Branch Management is advised to complete the required formalities immediately before
allowing further operations in the said accounts, and to ensure compliance with the formalities in
future without fail.
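As an added example (not the report's or the bank's own code), the following Python check classifies the CNIC field of account records and lists the exceptions; it is the kind of data-quality control that would have surfaced the 4,762 accounts above before they reached audit. It assumes the current Pakistani CNIC format of 13 digits, conventionally written xxxxx-xxxxxxx-x, which the report does not state, and runs on a constructed sample that reuses three rows of the table above plus hypothetical rows (application numbers 9001 to 9004) covering well-formed, short and blank values.

```python
"""KYC data-quality check: classify the CNIC field of account records and list the exceptions."""
import re

# Assumption (not stated in the report): a current Pakistani CNIC is 13 digits,
# conventionally written xxxxx-xxxxxxx-x. Anything with fewer digits is treated as an
# incomplete or old NIC entry, which is what the finding describes.
CNIC_DIGITS = 13
CNIC_FORM = re.compile(r"^\d{5}-?\d{7}-?\d$")

# Constructed sample rows in the shape of the finding's table:
# (branch code, application no., application date, CNIC field as stored)
SAMPLE_ACCOUNTS = [
    (394, 2807, "04-09-2006", "13"),
    (1725, 4537, "20-05-2006", "27"),
    (1732, 397, "11-05-2004", "101"),
    (1732, 9001, "01-01-2008", "35201-1234567-1"),  # constructed, well-formed
    (1732, 9002, "01-01-2008", "3520112345671"),     # constructed, well-formed, no hyphens
    (1732, 9003, "01-01-2007", "35201-12345-67"),    # constructed, only 12 digits
    (1732, 9004, "01-01-2007", "  "),                # constructed, blank field
]


def classify_cnic(value):
    """Return 'ok', 'missing', 'incomplete', 'too_long' or 'malformed' for a stored CNIC field."""
    text = "" if value is None else str(value).strip()
    if not text:
        return "missing"
    digits = re.sub(r"\D", "", text)
    if len(digits) < CNIC_DIGITS:
        return "incomplete"      # covers the truncated/old NIC values in the finding
    if len(digits) > CNIC_DIGITS:
        return "too_long"
    # 13 digits: accept only the conventional grouping (hyphens optional)
    return "ok" if CNIC_FORM.match(text) else "malformed"


def normalise_cnic(value):
    """Canonical xxxxx-xxxxxxx-x form for an acceptable value; None otherwise."""
    if classify_cnic(value) != "ok":
        return None
    d = re.sub(r"\D", "", str(value))
    return f"{d[:5]}-{d[5:12]}-{d[12]}"


def find_kyc_exceptions(rows):
    """Rows whose CNIC field is not acceptable, with the reason appended, in input order."""
    out = []
    for branch, app_no, app_date, cnic in rows:
        status = classify_cnic(cnic)
        if status != "ok":
            out.append((branch, app_no, app_date, str(cnic).strip(), status))
    return out


if __name__ == "__main__":
    for branch, app_no, app_date, cnic, status in find_kyc_exceptions(SAMPLE_ACCOUNTS):
        print(f"branch {branch:>4}  application {app_no:>5}  {app_date}  CNIC {cnic!r:<18} {status}")
```

Storing the normalised form rather than the raw field makes the same check cheap to repeat at account opening and at each periodic KYC review, and the distinct reason codes let the branch see whether a value needs re-keying or a fresh copy of the customer's CNIC.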

Management Comments:


Finding No. 4.11 Access Control Facility Evaluation:

For each security standard and its related implementation specifications, the organization needs
to establish criteria for evaluating its Access Control Facility.

During the audit, it was observed that the auditee RDC had not implemented any Access Control
Facility evaluation criteria.

Recommendations:

The auditee RDC management should implement Access Control Facility evaluation criteria
as mentioned below:

 Identification/Authentication Function:
Verify that the user's claimed identity is verifiable, and that the user identification is a unique,
auditable representation that can be identified for accountability.

 Resource Access Control Function:
Verify that mechanisms exist to restrict access to computer resources (i.e. programs, data files,
transactions and commands) to authorized users.

 Accountability and Auditability:
Ensure that sufficient security information about user actions, or processing acting on their
behalf, is logged and provides a management trail to support the ability to audit.

 Administration (applies to all categories above):
Verify that administration controls ensure the continued protection of data as defined by the
owner and that security deviations are detected and corrected.

Management Comments:


5. Continuity of Operations

Disaster recovery for systems typically focuses on making alternative processes and resources available for transaction
processing. A Disaster Recovery Plan (DRP) should reduce the length of the recovery time necessary and the costs associated with
recovery. Proper planning will mitigate the risk and impact of a major business interruption. Although a DRP results in increased
pre- and post-incident operational costs, the extra costs are more than offset by reduced recovery and business impact costs. A
disaster can be classified as a disruption that causes critical information resources to be inoperative for a period of time, adversely
affecting business operations. A Business Continuity Plan (BCP) is the result of a process of plan creation to ensure that critical
business functions can withstand a variety of emergencies. Disaster recovery plans deal with the immediate restoration of the
organization's business systems, while the business continuity plan also deals with the long-term issues before, during and after
the disaster. The critical areas to be covered are:-

1) Disaster recovery &

2) Backup Policies and procedures.

Finding No. 5.01 Testing of Backup Tapes:

There is no policy regarding the restoration and checking of the validity, accuracy and consistency of
data backups. In the absence of such a policy, the validity and accuracy of data backups cannot be
ensured. Further, no evidence of testing of the data backups during the audit period was observed at the RDC.

Recommendations:

Every type of backup media should be periodically checked to ensure its reliability by restoring it
on a separate machine or partition, to avoid surprises when it is actually needed.

The process should be conducted by authorized personnel, who should document, at minimum, the
testing date, the type of data and the result of the test.
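The restore test recommended above, written out as an added example (not NBP's own procedure): the archive is restored to a separate directory, every file's hash is compared with the manifest taken at backup time, and a dated record of tester, data type and result is appended to a log. The manifest layout and the JSON-lines log are assumptions; the sample directory tree is constructed.

```python
"""Restore test for a backup archive: restore it to a separate directory (never the
production path), check every file's SHA-256 against the manifest written at backup
time, and append a dated test record listing tester, data type and result.

Added example for Finding 5.01; this is not NBP's own procedure. The manifest format
(one "sha256  relative/path" line per file) and the JSON-lines log are assumptions.
"""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir: Path, archive: Path, manifest: Path) -> int:
    """Write the tar.gz archive plus a manifest of file hashes; returns the file count."""
    lines = [f"{sha256_of(p)}  {p.relative_to(source_dir).as_posix()}"
             for p in sorted(source_dir.rglob("*")) if p.is_file()]
    manifest.write_text("\n".join(lines) + "\n")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source_dir, arcname=".")
    return len(lines)


def safe_extract(archive: Path, dest: Path) -> None:
    """Extract, refusing any member that would land outside dest (path traversal)."""
    dest = dest.resolve()
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            target = (dest / member.name).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"unsafe member path in archive: {member.name}")
        # Python 3.12+ additionally applies its own 'data' filter; older releases lack it.
        tar.extractall(dest, **({"filter": "data"} if hasattr(tarfile, "data_filter") else {}))


def restore_test(archive: Path, manifest: Path, restore_dir: Path,
                 data_type: str, tester: str, log_file: Path) -> dict:
    """Restore to restore_dir, compare with the manifest, log and return the record."""
    safe_extract(archive, restore_dir)
    expected = {}
    for line in manifest.read_text().splitlines():
        digest, rel = line.split("  ", 1)
        expected[rel] = digest
    missing = [rel for rel in expected if not (restore_dir / rel).is_file()]
    corrupt = [rel for rel in expected
               if rel not in missing and sha256_of(restore_dir / rel) != expected[rel]]
    record = {
        "test_date": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "tester": tester,
        "data_type": data_type,
        "archive": archive.name,
        "files_expected": len(expected),
        "files_missing": missing,
        "files_corrupt": corrupt,
        "result": "PASS" if not (missing or corrupt) else "FAIL",
    }
    with log_file.open("a", encoding="utf-8") as f:
        f.write(json.dumps(record) + "\n")
    return record


def demo() -> tuple:
    """Constructed scenario: a clean backup passes; a second archive taken after one
    file was altered and another deleted fails against the original manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "branch_1732"
        (src / "accounts").mkdir(parents=True)
        (src / "accounts" / "cif.dat").write_bytes(b"constructed sample CIF data\n")
        (src / "eod.log").write_text("constructed end-of-day log\n")
        manifest, log = root / "bk.manifest", root / "restore_tests.jsonl"
        create_backup(src, root / "bk1.tgz", manifest)
        good = restore_test(root / "bk1.tgz", manifest, root / "restore1", "CIF", "auditor", log)
        (src / "eod.log").write_text("altered after backup\n")
        (src / "accounts" / "cif.dat").unlink()
        create_backup(src, root / "bk2.tgz", root / "bk2.manifest")
        bad = restore_test(root / "bk2.tgz", manifest, root / "restore2", "CIF", "auditor", log)
        return good["result"], bad["result"], bad["files_missing"], bad["files_corrupt"]


if __name__ == "__main__":
    print(demo())
```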

Management Comments:


6. Operating System Platform Security

An operating system defines user interfaces, permits users to share hardware and data, schedules resources among
users, informs users of any errors that occur with the processor, allows system file management, and handles communication
between the operating system and application programs.

A review of the operating system (OS/400) is performed to assess the level of security on the AS/400 machines in the bank. During
the review, the critical areas that are covered are:-

1) Network attributes

2) Sign on Systems Wide Values

3) Password System and Security Values

4) User Profiles Security

5) User Management

6) Sensitive Commands

7) Critical Libraries.

Critical areas reviewed under PC Based Operating system are:

1) User account access security
2) File System
3) Ports
4) Firewalls
5) Local Security policies
6) Service Packs, etc.

iSeries™ Environment

Finding No. 6.01 General Security System Values:

General Security System Values specify the level of control and security that exists on the system. During
the audit, the following discrepancies were found in General Security System Values:

1. Allow Restoring of Security-Sensitive Objects (QALWOBJRST):

The QALWOBJRST system value determines whether objects that are security-sensitive may
be restored to your system. You can use it to prevent anyone from restoring a system state
object or an object that adopts authority.

The detail of QALWOBJRST (IBM Recommended Value and Current Value) is as under:


Parameter     IBM Recommended Value   NBP Recommended Value   Current Value
QALWOBJRST    *NONE                   -                       *ALL

The QALWOBJRST system value provides a method to protect your system from programs
that may cause serious problems. For normal operations, consider setting this value to
*NONE.

2. Authority for New Objects (QCRTAUT):

The QCRTAUT system value is used to determine the public authority for a newly created
object if the following conditions are met:

• The create authority (CRTAUT) for the library of the new object is set to *SYSVAL.
• The new object is created with public authority (AUT) of *LIBCRTAUT.

The detail of QCRTAUT (IBM Recommended Value and Current Value) is as under:

Parameter     IBM Recommended Value   NBP Recommended Value   Current Value
QCRTAUT       *CHANGE                 -                       *EXCLUDE

3. Inactive Job Time-Out Interval (QINACTITV):

The QINACTITV system value specifies, in minutes, how long the system allows a job to be
inactive before taking action. A workstation is considered inactive if it is waiting at a menu or
display, or if it is waiting for message input with no user interaction. Some examples of user
interaction are:

• Using the Enter key
• Using the paging function
• Using function keys
• Using the Help key

Emulation sessions through Client Access are included. Local jobs that are signed on to a
remote system are excluded. Jobs that are connected by file transfer protocol (FTP) are
excluded. Prior to Version 4, Release 2, telnet jobs were also excluded. To control the
time-out of FTP connections, change the INACTTIMO parameter on the Change FTP
Attribute (CHGFTPA) command. To control the time-out of telnet sessions prior to V4R2,
use the Change Telnet Attribute (CHGTELNA) command.

Following are examples of how the system determines which jobs are inactive:


• A user uses the system request function to start a second interactive job. A system
interaction, such as the Enter key, on either job causes both jobs to be marked as
active.

• A Client Access job may appear inactive to the system if the user is performing PC
functions such as editing a document without interacting with the AS/400 system.

The QINACTMSGQ system value determines what action the system takes when an inactive
job exceeds the specified interval.

When the system is started, it checks for inactive jobs at the interval specified by the
QINACTITV system value. For example, if the system is started at 9:46 in the morning and
the QINACTITV system value is 30 minutes, it checks for inactive jobs at 10:16, 10:46, 11:16,
and so on. If it discovers a job that has been inactive for 30 minutes or more, it takes the
action specified by the QINACTMSGQ system value. In this example, if a job becomes
inactive at 10:17, it will not be acted upon until 11:16. At the 10:46 check, it has been inactive
for only 29 minutes.

The QINACTITV and QINACTMSGQ system values provide security by preventing users
from leaving inactive workstations signed on. An inactive workstation might allow an
unauthorized person access to the system.

The detail of QINACTITV (IBM Recommended Value and Current Value) is as under:

Parameter     IBM Recommended Value   NBP Recommended Value   Current Value
QINACTITV     60                      10                      10

1. What is the recommendation for QINACTITV? Do we agree with the current value?
2. What about the current value and recommended value for QINACTMSGQ?
3. Which IBM OS/400 version/release is in use at NBP? Depending on the release, the settings
used to control inactive FTP and telnet sessions change (QINACTITV and INACTTIMO).
Accordingly, the recommendations should include the settings to be used for these parameters.

4. Limit Security Officer (QLMTSECOFR):

The QLMTSECOFR system value controls whether a user with all-object (*ALLOBJ) or
service (*SERVICE) special authority can sign on to any workstation. Limiting powerful user
profiles to certain well-controlled workstations provides security protection.

The detail of QLMTSECOFR (IBM Recommended Value and Current Value) is as under:


Parameter     IBM Recommended Value   NBP Recommended Value   Current Value
QLMTSECOFR    1 (ON)                  0                       0

What is the recommendation? Does the value of 0 carry more risk than a value of 1?

5. Action When Sign-On Attempts Reached (QMAXSGNACN):

The QMAXSGNACN system value determines what the system does when the maximum
number of sign-on attempts is reached at a workstation.

The system disables a device by varying it off. The device is disabled only if the sign-on
attempts that are not valid are consecutive on the same device. One valid sign-on resets the
count of incorrect sign-on attempts for the device.

The system disables a user profile by changing the Status parameter to *DISABLED. The user
profile is disabled when the number of incorrect sign-on attempts for the user reaches the
value in the QMAXSIGN system value, regardless of whether the incorrect sign-on attempts
were from the same or different devices. One valid sign-on resets the count of incorrect sign-
on attempts in the user profile.

If you create the QSYSMSG message queue in QSYS, the message sent (CPF1397) contains the
user and device name. Therefore, it is possible to control the disabling of the device based on
the device being used.

If the QSECOFR profile is disabled, you may sign on as QSECOFR at the console and enable
the profile. If the console is varied off and no other user can vary it on, you must IPL the
system to make the console available.

The detail of QMAXSGNACN (IBM Recommended Value and Current Value) is as under:

Parameter     IBM Recommended Value   NBP Recommended Value   Current Value
QMAXSGNACN    3                       1                       1

6. Retain Server Security (QRETSVRSEC):

The QRETSVRSEC system value determines whether decryptable authentication information
associated with user profiles or validation list (*VLDL) entries can be retained on the host
system. This does not include the AS/400 user profile password.


If you change the value from 1 to 0, the system removes the decryptable authentication
information from the system.

The encrypted data field of a validation list entry is typically used to store authentication
information. Applications specify whether to store the encrypted data in a decryptable or
non-decryptable form. If the applications choose a decryptable form and the QRETSVRSEC
value is changed from 1 to 0, the encrypted data field information is removed from the entry.
If the encrypted data field of a validation list entry is stored in a non-decryptable form, it is
not affected by the QRETSVRSEC system value.

If you have a large number of user profiles or validation lists on your system when you make
this change, the CHGSYSVAL command may run for an extensive period of time.

The detail of QRETSVRSEC (IBM Recommended Value and Current Value) is as under:

Parameter     IBM Recommended Value   NBP Recommended Value   Current Value
QRETSVRSEC    0 (OFF)                 -                       1

What are recommendations?

Finding No. 6.02 Security-Related System Values:

The Security-Related System Values are the system values that relate to security on the system. The
following discrepancy was found in Security-Related System Values:

1. Automatic Configuration of Virtual Devices (QAUTOVRT):

The QAUTOVRT system value specifies whether pass-through virtual devices and TELNET
full screen virtual devices (as opposed to the workstation function virtual device) are
automatically configured.

A virtual device is a device description that does not have hardware associated with it. It is
used to form a connection between a user and a physical workstation attached to a remote
system.

Allowing the system to automatically configure virtual devices makes it easier for users to
break into your system using pass-through or telnet. Without automatic configuration, a user
attempting to break in has a limited number of attempts at each virtual device. The limit is
defined by the security officer using the QMAXSIGN system value. With automatic
configuration active, the actual limit is higher. The system sign-on limit is multiplied by the
number of virtual devices that can be created by the automatic configuration support. This
support is defined by the QAUTOVRT system value.

The detail of QAUTOVRT (IBM Recommended Value and Current Value) is as under:

Parameter     IBM Recommended Value   NBP Recommended Value   Current Value
QAUTOVRT      0 (OFF)                 2500                    1000

Finding No. 6.03 System Values that Apply to Password:

The System Values that apply to Passwords specify the requirements for password settings. The
following discrepancies were found in System Values that apply to Passwords:

1. Minimum Length of Passwords (QPWDMINLEN):

The QPWDMINLEN system value controls the minimum number of characters in a
password.

The detail of QPWDMINLEN (IBM Recommended Value and Current Value) is as under:

Parameter     IBM Recommended Value   NBP Recommended Value   Current Value
QPWDMINLEN    6                       4                       4

The recommended value is 6, to prevent users from assigning passwords that are easily guessed,
such as initials or a single character.

2. Character Position Difference for Passwords (QPWDPOSDIF):

The QPWDPOSDIF system value controls the position of each character in a new password.
This provides additional security by preventing users from using the same character
(alphabetic or numeric) in a position corresponding to the same position in the previous
password.

The detail of QPWDPOSDIF (IBM Recommended Value and Current Value) is as under:

Parameter     IBM Recommended Value   NBP Recommended Value   Current Value
QPWDPOSDIF    0 (OFF)                 -                       1

To enhance the security of passwords, the recommended value should be set as “0”.


Finding No. 6.04 System Values that Control Auditing:

System Values that Control Auditing specify the security controls on the system. The following
discrepancy was found in System Values that Control Auditing:

1. Auditing Level (QAUDLVL):

The QAUDLVL system value determines which security-related events are logged to the
security audit journal (QAUDJRN) for all system users. You can specify more than one value
for the QAUDLVL system value, unless you specify *NONE.

The detail of QAUDLVL (IBM Recommended Value and Current Value) is as under:

Parameter     IBM Recommended Value   NBP Recommended Value   Current Value
QAUDLVL       Minimum:                -                       *CREATE
              *AUTFAIL                                        *DELETE
              *SERVICE                                        *OBJMGT
                                                              *SAVRST
              Optional:                                       *SECURITY
              *SECURITY                                       *SPLFDTA
              *CREATE                                         *PRTDTA
              *DELETE
              *NETCMN
              *OBJMGT
              *OPTICAL
              *PGMFAIL
              *JOBDTA
              *PRTDTA

What are the recommendations?

Finding No. 6.05 Security and Network Attributes:

Network attributes control how your system communicates with other systems. Some network
attributes control how remote requests to process jobs and access information are handled. These
network attributes directly affect security on your system.

The following discrepancies were found in the Network Attributes:

1. Client Request Access (PCSACC) Network Attribute:


The PCSACC network attribute determines how the Client Access licensed program processes
requests from attached personal computers to access objects. The PCSACC network attribute
controls whether personal computer jobs can access objects on the AS/400 system, not
whether the personal computer can use workstation emulation.

The detail of PCSACC (IBM Recommended Value and Current Value) is as under:

Parameter     IBM Recommended Value   NBP Recommended Value   Current Value
PCSACC        Preferred:              -                       *OBJAUT
              *REGFAC or *REJECT
              Acceptable:
              program name

Normal security measures on your system may not be sufficient protection if the Client
Access program is installed on your system. For example, if a user has *USE authority to a file
and the PCSACC network attribute is *OBJAUT, the user can use the Client Access program
and a program on the personal computer to transfer that entire file to the personal computer.
The user can then copy the data to a PC diskette or tape and remove it from the premises.

Was the above-mentioned activity verified and tested at RDC Islamabad to support the
finding? What will be the method to prevent access to objects if the PCSACC value is
set to *OBJAUT as the recommended value?

2. DDM Request Access (DDMACC) Network Attribute:

The DDMACC network attribute determines how the system processes requests from other
systems to access data using the distributed data management (DDM) or the distributed
relational database function.

The detail of DDMACC (IBM Recommended Value and Current Value) is as under:

Parameter     IBM Recommended Value   NBP Recommended Value   Current Value
DDMACC        *REJECT                 -                       *OBJAUT

What are the recommendations?
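Findings 6.01 to 6.05 each compare a system value or network attribute with IBM's recommended value, and the right comparison differs per value: an exact match for QLMTSECOFR, a ceiling for QAUTOVRT, set containment for QAUDLVL, and a choice of *REJECT, *REGFAC or an exit program for PCSACC. The Python below is an added example, not NBP's or IBM's tooling, that encodes those rules and runs them over a constructed copy of the current values quoted in the tables; it assumes the values have already been retrieved (for instance from DSPSYSVAL / DSPNETA output) into a dictionary, and it checks QINACTITV against the report's 60-minute IBM figure, so NBP's value of 10 passes.

```python
"""Check iSeries (OS/400) security system values and network attributes against a
baseline, applying the comparison each value needs rather than a plain string match.

Added example for Findings 6.01 to 6.05 of this report; not NBP's or IBM's tooling.
The baseline is the IBM recommended column of the report's tables (QINACTITV: 60
minutes); RDC_CURRENT is a constructed copy of the report's current values, standing
in for output of DSPSYSVAL / DSPNETA. QPWDPOSDIF and QCRTAUT are left out.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Check = Callable[[str], bool]

def must_equal(expected: str) -> Check:
    return lambda cur: cur.strip().upper() == expected

def at_most(limit: int) -> Check:
    """Numeric ceiling; non-numeric values such as *NONE (no time-out) fail."""
    return lambda cur: cur.strip().isdigit() and int(cur) <= limit

def at_least(limit: int) -> Check:
    return lambda cur: cur.strip().isdigit() and int(cur) >= limit

def must_include(required: set) -> Check:
    """List-valued system values (QAUDLVL): every required entry must be present."""
    def check(cur: str) -> bool:
        have = {v.upper() for v in cur.split()}
        return "*NONE" not in have and required <= have
    return check

def reject_or_exit_program(allow_regfac: bool) -> Check:
    """PCSACC / DDMACC: *REJECT, *REGFAC (PCSACC only) or a LIB/PGM exit program
    are acceptable; *OBJAUT (object authority alone) is not."""
    def check(cur: str) -> bool:
        v = cur.strip().upper()
        if v == "*REJECT" or (allow_regfac and v == "*REGFAC"):
            return True
        return "/" in v and not v.startswith("*")
    return check

@dataclass
class Rule:
    name: str
    expected: str   # baseline as printed in the finding
    ok: Check
    risk: str       # what the weak setting permits

BASELINE: List[Rule] = [
    Rule("QALWOBJRST", "*NONE", must_equal("*NONE"),
         "system-state or authority-adopting objects can be restored"),
    Rule("QINACTITV", "<= 60", at_most(60),
         "idle sessions stay signed on at unattended workstations"),
    Rule("QLMTSECOFR", "1", must_equal("1"),
         "*ALLOBJ / *SERVICE profiles can sign on at any workstation"),
    Rule("QMAXSGNACN", "3", must_equal("3"),
         "bad sign-ons do not both vary off the device and disable the profile"),
    Rule("QRETSVRSEC", "0", must_equal("0"),
         "decryptable authentication information is kept on the host"),
    Rule("QAUTOVRT", "0", at_most(0),
         "auto-configured virtual devices multiply the QMAXSIGN attempt limit"),
    Rule("QPWDMINLEN", ">= 6", at_least(6),
         "short, easily guessed passwords are accepted"),
    Rule("QAUDLVL", "includes *AUTFAIL *SERVICE", must_include({"*AUTFAIL", "*SERVICE"}),
         "authority failures and service-tool use are not journaled to QAUDJRN"),
    Rule("PCSACC", "*REJECT, *REGFAC or LIB/PGM", reject_or_exit_program(True),
         "Client Access file transfer is limited only by object authority"),
    Rule("DDMACC", "*REJECT or LIB/PGM", reject_or_exit_program(False),
         "remote DDM / DRDA requests are limited only by object authority"),
]

def evaluate(current: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (name, expected, current, risk) for each value that fails its rule;
    a value missing from `current` is reported as NOT RETRIEVED."""
    findings = []
    for rule in BASELINE:
        cur = current.get(rule.name)
        if cur is None:
            findings.append((rule.name, rule.expected, "NOT RETRIEVED", rule.risk))
        elif not rule.ok(cur):
            findings.append((rule.name, rule.expected, cur, rule.risk))
    return findings

# Constructed from the "Current Value" column of the report's tables.
RDC_CURRENT = {
    "QALWOBJRST": "*ALL", "QINACTITV": "10", "QLMTSECOFR": "0",
    "QMAXSGNACN": "1", "QRETSVRSEC": "1", "QAUTOVRT": "1000",
    "QPWDMINLEN": "4",
    "QAUDLVL": "*CREATE *DELETE *OBJMGT *SAVRST *SECURITY *SPLFDTA *PRTDTA",
    "PCSACC": "*OBJAUT", "DDMACC": "*OBJAUT",
}

if __name__ == "__main__":
    for name, expected, cur, risk in evaluate(RDC_CURRENT):
        print(f"{name:<11} expected {expected:<28} found {cur:<12} risk: {risk}")
```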

Finding No. 6.06 Spool Control (*SPLCTL) Special Authority:


Spool control (*SPLCTL) special authority allows the user to perform all spool control functions, such
as changing, deleting, displaying, holding and releasing spooled files. The user can perform these
functions on all output queues, regardless of any authorities for the output queue or the OPRCTL
parameter for the output queue.

*SPLCTL special authority also allows the user to manage job queues, including holding, releasing,
and clearing the job queue. The user can perform these functions on all job queues, regardless of any
authorities for the job queue or the OPRCTL parameter for the job queue.

During the audit, it was observed that some CIF and Cash user profiles have been configured with
*SPLCTL special authority. A user with *SPLCTL special authority can perform any operation on
any spooled file in the system, so confidential spooled files cannot be protected from such a user.
Some instances are given in Annexure 2.

Recommendations:

The auditee RDC is advised to assign authorities to user profiles according to their job responsibilities.

Management Comments:

Finding No. 6.07 Limited Capability Special Authority:

Limited Capability applies to commands that are run from the command line, File Transfer Protocol
(FTP), REXEC, using the QCAPCMD API, or an option from a command grouping menu. You can
use the Limit capabilities field in the user profile to limit the user’s ability to enter commands. You
can also use it to override the initial program, initial menu, current library and
attention-key-handling program specified in the user profile. This field is one tool for preventing
users from experimenting on the system.

During the audit, it was observed that some Cash user profiles have been configured as “*NO” for
Limited Capability special authority. Some instances are as under:

Sr. No.  User Profile   Group Profile   User Class   Owner     Limited Capability
1        C0415TOQIR     GROUPONLINE     *USER        *GRPPRF   *NO
2        C0474ASHRF     GROUPONLINE     *USER        *GRPPRF   *NO
3        C0474FERWA     GROUPONLINE     *USER        *GRPPRF   *NO

If the Limited Capability special authority for a user profile has been configured as “*NO”, then the user
can perform the following functions:

• Change Initial Program
• Change Initial Menu
• Change Current Library
• Change Attention Program
• Enter Commands

Recommendations:

Using an initial menu, restricting command line use and providing access to the menu allow you to
set up an environment for a user who does not need or want to access system functions.

Management Comments:


Microsoft Windows Environment

Finding No. 6.08 Local Security Setting:

It was observed that the auditee RDC has not implemented the Standard Security Measures according
to the IT Circular Letter 01/2007 dated 16-06-2007 captioned as “Standard Security Measures for
Personal / Desktop Computers – Local Security Settings” for the Windows environment. Almost
all the computers at RDC were found without the configuration instructed vide the above-referred
circular. The detail is as under:

Parameter                                                              Current Value              Required Value
Enforce Password History                                               0 Passwords                24 Passwords
Maximum Password Age                                                   42 Days                    30 Days
Minimum Password Age                                                   0 Days                     0 Days
Minimum Password Length                                                0 Characters               8 Characters
Password must meet complexity requirements                             Disabled                   Enabled
Account lockout duration                                               Not Applicable             15 Minutes
Account lockout threshold                                              0 Invalid Logon Attempts   5 Invalid Logon Attempts
Audit Account Logon events                                             No Auditing                Success, Failure
Audit Account Management                                               No Auditing                Success, Failure
Audit Directory Services                                               No Auditing                Success, Failure
Audit Logon Events                                                     No Auditing                Success, Failure
Audit Object Access                                                    No Auditing                Success
Audit Policy Change                                                    No Auditing                Success, Failure
Audit Privilege Use                                                    No Auditing                Success, Failure
Audit Process Tracking                                                 No Auditing                Success, Failure
Audit System Events                                                    No Auditing                Success, Failure
Audit: Shut down system immediately if unable to log security audits   Disabled                   Enabled
Interactive logon: Prompt user to change password before expiration    14 Days                    7 Days
Interactive logon: Do not require CTRL+ALT+DEL                         Not Defined                Disabled
Shutdown: Clear virtual memory page file                               Disabled                   Enabled
Size of Application, System and Security logs                          512 KB                     1024 KB

This is a violation of the bank's security policy and goes against uniformity/standardization.

A security template is a file that represents a security configuration. Security templates are
representations of a security configuration that may be applied to a local computer. By using Local Security Settings, account
policies, local policies, public key policies and IP security policies can be modified for your local
computer.

Recommendations:
Local Security Policy should be implemented to improve the security of the systems placed at RDC.
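A way to check the account and audit policy of a desktop against the circular's required values is to export the local policy with `secedit /export /cfg <file>` and compare the resulting INF file. The Python below is an added example, not NBP's or Microsoft's tooling: it parses the [System Access] and [Event Audit] sections (standard secedit key names), decodes the audit bitmask, reports each deviation in the same terms as the table above, and renders a corrected template that `secedit /configure` can apply. The sample export is constructed from the "Current Value" column; the CTRL+ALT+DEL, page-file and log-size options live under [Registry Values] and are not covered.

```python
"""Parse a `secedit /export /cfg <file>` INF export, compare its [System Access] and
[Event Audit] settings against the values IT Circular Letter 01/2007 requires (as
quoted in this report), and render a corrected template for `secedit /configure`.

Added example for Finding 6.08; not NBP's or Microsoft's tooling. Key names are the
standard secedit ones; SAMPLE_EXPORT is constructed from the report's current values.
"""
import configparser
from typing import Dict, List, Tuple

# secedit stores audit settings as a bitmask: 1 = Success, 2 = Failure, 3 = both.
AUDIT_NAMES = {0: "No Auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}

# (section, secedit key, required value, label used in the report's table)
REQUIRED: List[Tuple[str, str, int, str]] = [
    ("System Access", "PasswordHistorySize", 24, "Enforce Password History"),
    ("System Access", "MaximumPasswordAge", 30, "Maximum Password Age"),
    ("System Access", "MinimumPasswordAge", 0, "Minimum Password Age"),
    ("System Access", "MinimumPasswordLength", 8, "Minimum Password Length"),
    ("System Access", "PasswordComplexity", 1, "Password must meet complexity requirements"),
    ("System Access", "LockoutBadCount", 5, "Account lockout threshold"),
    ("System Access", "LockoutDuration", 15, "Account lockout duration"),
    ("Event Audit", "AuditAccountLogon", 3, "Audit Account Logon events"),
    ("Event Audit", "AuditAccountManage", 3, "Audit Account Management"),
    ("Event Audit", "AuditDSAccess", 3, "Audit Directory Services"),
    ("Event Audit", "AuditLogonEvents", 3, "Audit Logon Events"),
    ("Event Audit", "AuditObjectAccess", 1, "Audit Object Access"),
    ("Event Audit", "AuditPolicyChange", 3, "Audit Policy Change"),
    ("Event Audit", "AuditPrivilegeUse", 3, "Audit Privilege Use"),
    ("Event Audit", "AuditProcessTracking", 3, "Audit Process Tracking"),
    ("Event Audit", "AuditSystemEvents", 3, "Audit System Events"),
]

# Constructed export matching the report's observed (weak) settings. A real export is
# UTF-16; read it with open(path, encoding="utf-16") before calling parse_export().
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
"""

def parse_export(text: str) -> Dict[str, Dict[str, str]]:
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as secedit writes it
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def describe(key: str, value: int) -> str:
    return AUDIT_NAMES.get(value, str(value)) if key.startswith("Audit") else str(value)

def evaluate(policy: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """One (label, current, required) tuple per setting that misses the circular."""
    findings = []
    for section, key, required, label in REQUIRED:
        raw = policy.get(section, {}).get(key)
        if raw is None:
            # secedit omits LockoutDuration while LockoutBadCount is 0: the report's
            # "Not Applicable". Any other absent key is "Not Defined".
            current = "Not Applicable" if key == "LockoutDuration" else "Not Defined"
            findings.append((label, current, describe(key, required)))
        elif int(raw) != required:
            findings.append((label, describe(key, int(raw)), describe(key, required)))
    return findings

def corrected_template(policy: Dict[str, Dict[str, str]]) -> str:
    """Current policy with the required values applied, for
    secedit /configure /db fix.sdb /cfg fix.inf /areas SECURITYPOLICY"""
    merged = {s: dict(v) for s, v in policy.items()}
    for section, key, required, _ in REQUIRED:
        merged.setdefault(section, {})[key] = str(required)
    merged["System Access"]["ResetLockoutCount"] = "15"  # must not exceed LockoutDuration
    out = ["[Unicode]", "Unicode=yes"]
    for section in ("System Access", "Event Audit"):
        out.append(f"[{section}]")
        out.extend(f"{k} = {v}" for k, v in merged[section].items())
    out += ["[Version]", 'signature="$CHICAGO$"', "Revision=1"]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for label, cur, req in evaluate(parse_export(SAMPLE_EXPORT)):
        print(f"{label:<45} current: {cur:<18} required: {req}")
```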

Management Comments:

Finding No. 6.09 File System:

A file system is the overall structure in which files are named, stored and organized. Windows 2000
and Windows XP Professional support three file systems: FAT, FAT32 and NTFS.

During the audit, it was observed that some computers of the auditee RDC were using the FAT32 file
system. The detail is as under:

Sr. No.  Computer Name      User Name                    Hard Disk Drives
1        Rdc                Mr. Wasi-ur-Rehman, OG-I     C
2        Rdcisl-7048d90b    Mr. Najam-us-Saqib, OG-II    C & D
3        Rdc                Mr. Fazal Mehmood, OG-I      D
4        Asma               Mrs. Asma Mehmood, OG-III    F

A file system is the underlying structure a computer uses to organize data on a hard disk.

Recommendations:

NTFS is the recommended file system for Windows 2000 and Windows XP Professional because it
supports several features that the others do not, such as security, fault tolerance, performance and
convenience. NTFS has always been a more powerful file system than FAT and FAT32.

In order to maintain access control on files and folders and to support limited accounts, use of NTFS is
recommended. If FAT32 is used on a PC, all the LAN users will have access to all the files on its hard
drive, regardless of their account type (administrator, limited or standard). NTFS is a secured file
system that allows you to control or restrict access to individual files or directories. For example, if
you want to allow your coworkers to view your files but not change them, you can do this by
using the access control lists (ACLs) provided by NTFS.


The following compares the compatibility of each file system with various operating
systems.

NTFS: A computer running Windows XP or Windows 2000 can access files on an NTFS partition. A computer
running Windows NT 4.0 with Service Pack 4 or later might be able to access some files. Other operating
systems allow no access.

FAT: Access is available through MS-DOS, all versions of Windows, Windows NT, Windows 2000, Windows XP
and OS/2.

FAT32: Access is available only through Windows 95 OSR2, Windows 98, Windows Millennium Edition,
Windows 2000 and Windows XP.

The following compares the disk and file sizes possible with each file system.

NTFS:
• Recommended minimum volume size is approximately 10 megabytes (MB).
• Volumes much larger than 2 terabytes (TB) are possible.
• Cannot be used on floppy disks.
• File size limited only by size of volume.

FAT:
• Volumes from floppy disk size up to 4 gigabytes (GB).
• Does not support domains.
• Maximum file size is 2 GB.

FAT32:
• Volumes from 512 MB to 2 TB.
• In Windows XP, you can format a FAT32 volume up to 32 GB only.
• Does not support domains.
• Maximum file size is 4 GB.

The RDC Management should convert file system from FAT32 to NTFS.

Management Comments:


Finding No. 6.10 Firewall:

A firewall helps to keep computers more secure by restricting information that comes from other
computers. A firewall gives more control over the data on a PC and provides a line of defense against
people or programs (including viruses and worms) that try to connect to your computer without
invitation.

A firewall guards the "doors" to the computer, that is, the ports through which Internet/network traffic
comes in and goes out. The firewall only lets traffic through the ports that you have specified can be used.
This has two security benefits:

• No one can enter your computer through an unguarded port.
• Programs on your computer cannot use unguarded ports to contact the outside
world without your permission.

During the review, it was observed that most of the computers of the RDC are operating without a
firewall. This is a security threat because the computers are connected with each other.

The finding should be supported by instances, and by the type of firewall software that should be
installed, whether a network-based or a host-based firewall.

Recommendations:

• IT Group should provide a good firewall solution to the RDC.

Management Comments:


7. Network Security

The controls over network implementations are reviewed to ensure that standards are in place for designing and selecting
network architecture and for ensuring that the costs of procuring and operating the network do not exceed the benefits. The
unique nature of each network makes it difficult to define standard audit procedures. Modern networks are mixed, with several
kinds of devices and topologies (LANs, WANs, WLANs, WWANs, etc.).

Communication networks (wide area or local area) generally include devices connected to the network as well as programs and
files supporting network operations. Control is established through a network control terminal and specialized communication
software. An IS auditor performing detailed network assessments and access control reviews determines the points of entry to the
system and then reviews the associated controls. Network control functions should be performed by technically qualified
operators. Network control functions should be separated, and the duties should be rotated on a regular basis when possible.
Network-control software must restrict operators from performing certain functions (such as amending or deleting operator
activity logs). Operations management should periodically review audit trails to detect any unauthorized network
operations activities. Network operations standards and protocols should be documented, made available to the operations staff,
and periodically reviewed to ensure compliance. Network access by the system engineers should be closely monitored
and reviewed to detect unauthorized access to the network. Analysis should be performed to ensure workload balance, fast
response time and system efficiency. The communications software should maintain a terminal identification file, to check the
authentication of a terminal when it tries to send or receive messages. When appropriate, data encryption should be used to
protect messages from disclosure during transmission.

The critical areas covered under the Network Environment are:-

1) Network Utilization
2) Network Infrastructure Security
3) Network Backup Systems
4) Network Documentation

Under ATM Controls, the critical areas to be reviewed are:-

1) Review of measures to establish proper customer identification and maintenance of their confidentiality
2) Review of the file maintenance and retention system to trace transactions
3) Review of execution reports to provide an audit trail
4) Review of daily ATM transactions
5) Review of procedures made for retained cards
6) Review of key management procedures

Finding No. 7.01 Anti-Virus:

The absence of an anti-virus application exposes the system to vulnerabilities: any virus, worm or malicious
application can destroy the system as well as the data.

Pirated software is illegal. Unlicensed anti-virus applications can themselves destroy confidential data, and the
bank cannot sue the manufacturer.

It was observed that the computer named “admin” was using the ESET NOD32 Antivirus 4 application,
which is unlicensed and has not been approved by National Bank of Pakistan.

Recommendations:


It is recommended to install a licensed anti-virus application (Symantec End Point Security) and update it on a regular basis.

Management Comments:

Finding No. 7.02 Usage of Administrator Account:

By using an administrator account, the user exposes him/herself to serious security risks. If a Trojan horse or
virus attacks the machine while an administrator account is in use, it can get its hooks deep into the operating
system.

During the audit, it was observed that almost all employees log on as the Administrator user on
Microsoft Windows XP instead of using limited accounts.

Recommendations:

The single most important step to protect a machine from viruses, worms and hackers is to use a "limited user"
account for everyday computer use. Limited accounts are called that because they are limited—a user cannot
install software or change certain computer settings when logged on with a limited account. Limited accounts are
more secure because they offer some protection from spyware and viruses.

For that reason, the RDC staff should use a limited account for day-to-day computing.

Management Comments:

Finding No. 7.03 Communication Links without Encryptors:

Encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a
cipher) to make it unreadable to unauthorized people. Encryption is also used to protect data in transit, for
example data being transferred via networks. Encryption is one of the biggest defenses available.

Encryptors have not been installed on the following branches and other Regional Data Centres which have
links with RDC Islamabad. This means that the communication of highly sensitive financial and non-financial
data between these branches and the RDCs is unsecured.

Sr. No.  Branch Code  Branch Name                    Region      Media
1        1858         Bank Road Branch               Rawalpindi  Dxx
2        399          Satellite Town Branch          Rawalpindi  Dxx
3        1449         Gulshan Taxila Branch          Rawalpindi  Dxx+Radio
4        415          Wah Cantt. Branch              Rawalpindi  Dxx+Radio
5        395          City Branch                    Rawalpindi  Dxx
6        1542         HIT Branch                     Rawalpindi  I-Direct
7        880          B-Block Branch                 Islamabad   Dxx
8        1732         P.M. Sectt. Branch             Islamabad   Dxx
9        1531         Industrial Area Branch         Islamabad   Dxx
10       1628         Marriott Branch                Islamabad
11       425          Main Branch Gilgit             Gilgit      Dxx
12       344          Civil Lines Branch Jehlum      Rawalpindi  Dxx

Regions
1                     Jhelum Region                              Dxx

WAN Circuit
1                     Islamabad / Karachi                        Dxx
2                     Islamabad / Peshawar                       Fiber
3                     Islamabad / Mirpur (A.K.)                  Fiber
4                     Islamabad / Muzaffarabad (A.K.)            Fiber

Recommendations:

The RDC should immediately take up the matter with ITG to install the Encryptors on all links
currently without encryptors.

Management Comments:


Finding No. 7.04 Non-Functional Encryptors:

Sixteen encryptors have been installed at the branches under the auditee RDC. Except at two branches, no
encryptor was found functioning. The list of non-functioning encryptors is as under:

Sr. No.  Branch Name                        Manufacturer (RDC End)   Manufacturer (Branch End)
1        Aabpara Branch Islamabad           SafeNet                  Cylink
2        A.I.O.U. Branch Islamabad          SafeNet                  SafeNet
3        Gujar Khan Branch                  SafeNet                  SafeNet
4        PIMS Branch Islamabad              SafeNet (end not specified in source)
5        F-8 Branch Islamabad               SafeNet                  SafeNet
6        Airport Branch Islamabad           SafeNet                  SafeNet
7        Cantt. Board Branch Rawalpindi     SafeNet (end not specified in source)
8        Super Market Branch Islamabad      SafeNet                  Cylink
9        G.H.Q. Branch Rawalpindi           Cylink                   Cylink
10       G-9 Branch Islamabad               Cylink                   Cylink
11       Foreign Office Branch Islamabad    Cylink                   Cylink
12       Cantt. Branch Rawalpindi           Cylink (end not specified in source)
13       S-Block Branch Islamabad           Cylink                   Cylink
14       Shalimar Branch Rawalpindi         Cylink                   SafeNet

Recommendations:

Communication without encryptors is extremely risky. RDC should take corrective steps to make the
encryptors functional so as to secure data traffic on NBP’s network.

Management Comments:

Finding No. 7.05 Active Directory:

Active Directory is at the heart of any Microsoft network. It performs a variety of functions, including
providing information on objects, organizing these objects for easy retrieval and access, allowing access by
end users and administrators, and allowing the administrator to set up security for the directory.

Active Directory also allows administrators to assign policies, deploy software and apply critical updates
to a system. It stores information and settings in a central database and allows the administrator to
update all end users' computers with new software, patches, files, etc. simply by updating one object on
a main PC.

During the audit, it was observed that Active Directory has not been fully implemented, which can result
in control failures including: control of system and user environments, password management, use of
role-based authority, and enforced logging to create audit trails.

Recommendations:
The implementation of Active Directory is recommended to obtain the benefits of an efficiently working
centralized environment, effectively working network communication equipment and proper monitoring
of the activities in the system.

Management Comments:

Finding No. 7.06 Non-Effective ATM Network Management System:

A comprehensive ATM Network Management System covers Fault Management, Performance Management,
Security Management etc., to ensure the continuous availability of ATM services for the end users.

It was however observed that the concerned staff at RDC were simply reviewing the operational status of
ATMs on an hourly basis and directing the concerned branches / staff to take corrective action to restore
the ATMs where needed. There was no activity to record automatic logs of run-time ATM errors for review
by the RDC and Regional Office management, and to ensure the necessary preventive measures against
similar errors.
Recommendations:

The RDC management should introduce the effective ATM management system in coordination with
the Regional Management and the ITG to ensure the continuous availability of ATM services to the
clients.
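As an added illustration of the automatic error recording this finding calls for, the following Python script (an example written for this report, not RDC, NBP or vendor software) turns hourly ATM status polls into outage incidents, per-ATM down-time and a list of recurring error codes that management can review. The poll record layout, the ATM identifiers and the error codes are all constructed for the illustration.

```python
"""Added example: derive a reviewable ATM error log from hourly status polls.

The poll records below are constructed for this illustration; the field
layout (timestamp|atm_id|status|error_code) is an assumption, not an NBP format.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

POLL_INTERVAL = timedelta(hours=1)  # RDC staff reviewed ATM status hourly

# Constructed sample polls for two ATMs over one morning.
SAMPLE_POLLS = """\
2009-09-14 08:00|ATM-001|UP|
2009-09-14 09:00|ATM-001|DOWN|CASH_OUT
2009-09-14 10:00|ATM-001|DOWN|CASH_OUT
2009-09-14 11:00|ATM-001|UP|
2009-09-14 08:00|ATM-002|UP|
2009-09-14 09:00|ATM-002|DOWN|COMM_FAIL
2009-09-14 10:00|ATM-002|UP|
2009-09-14 11:00|ATM-002|DOWN|COMM_FAIL
"""


def parse_polls(text):
    """Parse poll lines into (timestamp, atm_id, status, error) tuples, ordered per ATM."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, atm, status, err = line.split("|")
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), atm, status, err or None))
    rows.sort(key=lambda r: (r[1], r[0]))
    return rows


def build_incidents(rows):
    """Group consecutive DOWN polls for the same ATM into one outage incident.

    An incident opens at the first DOWN poll, counts every DOWN poll that follows,
    and is closed by the next UP poll. An incident still open at the end of the
    data has restored=None, which is itself a point for follow-up.
    """
    incidents, open_inc = [], {}
    for ts, atm, status, err in rows:
        if status == "DOWN":
            inc = open_inc.get(atm)
            if inc is None:
                inc = {"atm": atm, "error": err, "start": ts, "polls": 0, "restored": None}
                open_inc[atm] = inc
                incidents.append(inc)
            inc["polls"] += 1
        else:
            inc = open_inc.pop(atm, None)
            if inc is not None:
                inc["restored"] = ts
    return incidents


def downtime_hours(incidents):
    """Total down-time per ATM, counting each DOWN poll as one poll interval."""
    total = defaultdict(float)
    for inc in incidents:
        total[inc["atm"]] += inc["polls"] * POLL_INTERVAL.total_seconds() / 3600
    return dict(total)


def recurring_errors(incidents, threshold=2):
    """(atm, error) pairs that caused at least `threshold` separate incidents."""
    counts = Counter((inc["atm"], inc["error"]) for inc in incidents)
    return {key: n for key, n in counts.items() if n >= threshold}


def error_log(incidents):
    """Plain-text log lines for the RDC / Regional Office review file."""
    lines = []
    for inc in incidents:
        restored = inc["restored"].strftime("%Y-%m-%d %H:%M") if inc["restored"] else "NOT RESTORED"
        lines.append(f"{inc['atm']} {inc['error']} from {inc['start']:%Y-%m-%d %H:%M} "
                     f"polls_down={inc['polls']} restored={restored}")
    return lines


if __name__ == "__main__":
    incs = build_incidents(parse_polls(SAMPLE_POLLS))
    print("\n".join(error_log(incs)))
    print("down-time (h):", downtime_hours(incs))
    print("recurring:", recurring_errors(incs))
```

The recurring-error list is what separates fault management from simple status watching: the same COMM_FAIL on the same ATM twice in a morning is the kind of pattern that an hourly glance at the status screen never surfaces.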


Management Comments:


8. Application Level Security & Controls


Application controls relate to the transactions and current data belonging to an application computer system and are,
therefore, specific to every single application. The objectives of application controls, which may be manual or
programmed, include assurance of the completeness and accuracy of records and the validity of inputs recorded as a
result of manual or programmed processing. Application controls ensure that proper procedures have been
established to maintain the accuracy and integrity of the data, whether implemented at the application level,
the back-end database level or both. Application level controls include:-

1) Data input controls related to the control of information prior to system input
2) Processing Controls
3) Data Output Controls
4) Access Control
5) Program Change Controls

iSeries™ Environment
Finding No. 8.01 User Profiles with Default Passwords:

Passwords are the keys to enter a system, and complex passwords are more effective keys than simple ones.
Further, easy or default passwords can easily be guessed by co-workers and used for unauthorized
activities.

While reviewing the system, it was observed that 121 users created on the system for various banking
activities have so far not changed their default passwords despite the lapse of a long time, since there is no
maximum time period defined for the expiry of passwords. The list of user profiles with default
passwords is as under:-

Sr. No.  User Profile  Status  Password Expired  Text
1 ATMLINK *ENABLED *NO User create for ATM switching 21-10-2003
2 BACKUP *ENABLED *NO ATM Link 1
3 CAMSTST1 *ENABLED *NO User for backup
4 CIF0330001 *ENABLED *NO As requsted by Head Office
5 CIF0474002 *ENABLED *NO CIF User for Branch 330
6 CIF0474003 *ENABLED *NO CIF User for Branch 474
7 CIF0474004 *ENABLED *NO CIF User for Branch 474
8 CIF0474005 *ENABLED *NO CIF User for Branch 474
9 CIF0474006 *ENABLED *NO CIF User for Branch 474
10 CIF0474007 *ENABLED *NO CIF User for Branch 474
11 CIF0501001 *ENABLED *NO CIF User for Branch 501


12 CIF0501002 *ENABLED *NO CIF User for Branch 501


13 CIF0501003 *ENABLED *NO CIF User for Branch 501
14 CIF0501004 *ENABLED *NO CIF User for Branch 501
15 CIF0501005 *ENABLED *NO CIF User for Branch 501
16 CIF0501006 *ENABLED *NO CIF User for Branch 501
17 CIF0501007 *ENABLED *NO CIF User for Branch 501
18 CIF0854001 *ENABLED *YES CIF User for Branch 854
19 CIF0854002 *ENABLED *NO CIF User for Branch 854
20 CIF0854003 *ENABLED *NO CIF User for Branch 854
21 CIF0854004 *ENABLED *NO CIF User for Branch 854
22 CIF0854005 *ENABLED *NO CIF User for Branch 854
23 CIF0854006 *ENABLED *NO CIF User for Branch 854
24 CIF0880001 *ENABLED *NO CIF User for Branch 880
25 CIF1575001 *ENABLED *YES CIF User for Branch 1575
26 CIF1628004 *ENABLED *NO CIF User for Branch 1628
27 CIF1628006 *ENABLED *NO CIF User for Branch 1628
28 CIF1628007 *ENABLED *NO CIF User for Branch 1628
29 CIF1628008 *ENABLED *NO CIF User for Branch 1628
30 CIF1780002 *ENABLED *NO CIF User for Branch 1780
31 CIF1780003 *ENABLED *NO CIF User for Branch 1780
32 CIF1780004 *ENABLED *NO CIF User for Branch 1780
33 CIF1780005 *ENABLED *NO CIF User for Branch 1780
34 CIF1780006 *ENABLED *NO CIF User for Branch 1780
35 CIF1780007 *ENABLED *NO CIF User for Branch 1780
36 CIF1780008 *ENABLED *NO CIF User for Branch 1780
37 CIF1858001 *ENABLED *NO CIF User for Branch 1858
38 CIF1858002 *ENABLED *NO CIF User for Branch 1858
39 C0341KHAN *ENABLED *NO CAMS for 0341 Sultan Ayaz Khan
40 C0341SAJID *ENABLED *NO CAMS for 0341 Sajid Mahmood
41 C0344AAMIR *ENABLED *NO 0344 – Aamir
42 C0394NASIM *ENABLED *NO User for Nasim Ullah OG-II 0394 for enquiry
43 C0415AMIR *ENABLED *YES Back Office 0415 - Amir
44 C0415SAMIR *ENABLED *YES Back Office 0415 - AVP Sheikh Amir Rashid
45 C0425BAQAR *ENABLED *YES User for 0425 Baqar
46 C0642ZAHID *ENABLED *NO Raja Zahid Cant Cant Board Branch
47 C0854ASH *ENABLED *NO Deposit for 0854 Ayesha GM
48 C0854KAMRAN *ENABLED *YES Deposit for 0854 Kamran Khalid
49 C0854RAZA *ENABLED *YES Deposit for 0854 Rizwan Akbar
50 C0977SAEED *ENABLED *YES Saeed-Uz-Zaman 0977
51 CIF0880001 *ENABLED *YES CIF User for Branch BBO
52 C1351IMRAN *ENABLED *NO Cash/TFR for 1531 - Imran Alam


53 C1351ABBAS *ENABLED *NO Deposit for 1531


54 C1351IMRAN *ENABLED *NO Cash/TFR for 1531 - Imran Alam
55 C1531KAZMI *ENABLED *NO Deposit for 1531
56 C1542SALEM *ENABLED *NO Deposit 1542 Saleem
57 C1694AHMED *ENABLED *NO Deposit for 1694 Ahmed
58 C1694GHZAN *ENABLED *NO Deposit for 1694 Ghazanfar
59 DBCPAYISL *ENABLED *NO
60 EBSCONVERT *ENABLED *NO User for conversion from Batch to Online
61 EBSMIG *DISABLED *YES Migration user for GBS to EBS
62 EFTISL *DISABLED *YES EFT user for Islamabad
63 F0415SHOAB *ENABLED *NO Foreign Currency for 0415 - Shehzad Iqbal
64 F1725KHOKR *ENABLED *YES FEX for 1725
65 GRPATM *ENABLED *YES Group Profile for EBS ATM System
66 GRPBATCH *ENABLED *YES Group Profile for EBS Batch System (Data File)
67 GRPCIF *ENABLED *NO Group Profile for CIF Sotware
68 GRPITM *ENABLED *YES ITM-ITM Operator User Profile
69 GRPONLINE *ENABLED *YES Group Profile for EBS System (Data File)
70 GRPRISK *ENABLED *YES
71 G03325SHKEL *ENABLED *NO General Ledger for 0332-SHKEL
72 GO880ZAHID *ENABLED *NO General Ledger for 0880-ZAHID
73 G1694GHAZAN *ENABLED *NO General Ledger for 1694-GHAZANFAR
74 IBTMGR *ENABLED *NO User for Inter Branch Transaction
75 IBTUSER *ENABLED *NO User for Inter Branch Transaction
76 INTAUDISL *ENABLED *YES Internal Auditors (EBS) as on 10-08-2009
77 ITMIUSR *ENABLED *YES ITM - Batch submission User Profile
78 I0341USR2 *ENABLED *YES IBT User for 0341 for OPS Managaer
79 I0501USR1 *ENABLED *NO IBT User for 0501
80 I1623USR1 *ENABLED *NO IBT User for 1623
81 NBPKHI *DISABLED *YES EFT/PASS-THRU Link User for RCC, Karachi
82 OPERATOR *ENABLED *NO Syster Operator
83 PFKPO *ENABLED *NO Group Profile for P.F. Data Entry
84 PFOPTR01 *ENABLED *NO Group Profile for P.F. Data Entry
85 PFOPTR02 *ENABLED *NO Group Profile for P.F. Data Entry
86 PFOPTR03 *ENABLED *NO Group Profile for P.F. Data Entry
87 PFOPTR04 *ENABLED *NO Group Profile for P.F. Data Entry
88 PFOPTR05 *ENABLED *NO Group Profile for P.F. Data Entry
89 PFOPTR06 *ENABLED *NO Group Profile for P.F. Data Entry
90 RETAIL *ENABLED *NO User for Retail Group
91 SAIBANHO *ENABLED *NO User profile for Saibaan Islamabad 25-02-2006
92 SALMAN *ENABLED *NO Mr. Salman Head Office
93 SBP *ENABLED *NO View/Query for 0341 for SBP Audit


94 SPRBATCH2 *ENABLED *NO Super User for EBS (Batch)


95 SPRMOEEN *ENABLED *NO Super User for EBS (Batch)
96 S0344SARIM *ENABLED *NO OPS Manager - 0344
97 S0642AAMIR *ENABLED *NO Super User Cantt BD Br-Aamir
98 T0341BACHA *ENABLED *YES Transfer Scroll 0341 - Bacha
99 T0341KHAN *ENABLED *NO Transfer Scroll 0341 - Sultan Ayaz Khan
100 T0341NIGHT *ENABLED *NO Transfer Scroll 0341 - Nighat
101 T0341SAJID *ENABLED *NO Transfer Scroll 0341 - Sajid Mahmood
102 T0344AAMIR *ENABLED *NO Transfer Scroll - Aamir
103 T0344SAJID *ENABLED *NO Transfer Scroll - Muhammad Sajid
104 T0399QAZI *ENABLED *NO Transfer Scroll - 0399 - Qazi Rizwan Dilawar
105 T0415AMIR *ENABLED *YES Back Office 0415 - Amir
106 T0425BAQAR *ENABLED *YES Transfer Scroll for 0415-Baqar
107 T0642ZAHID *ENABLED *NO Transfer Scroll for Zahid
108 T0977HABIB *ENABLED *YES Transfer Scroll for 0977 - Habib
109 T1531IMRAN *ENABLED *NO Transfer Scroll for 1531 - Imran Alam
110 T1531KAZMI *ENABLED *NO Transfer Scroll for 1531
111 T1542SALEM *ENABLED *NO Transfer Scroll for 1542 - Saleem
112 T1575SHUKT *ENABLED *YES Transfer Scroll for Airport Branch
113 T1623HANIF *ENABLED *NO Transfer Scroll for 1623 - Hanif Ahmed
114 T1632ZAHID *ENABLED *NO Transfer Scroll for 1623 - Zahid Ikram
115 T1694AHMED *ENABLED *NO Transfer Scroll for 1696
116 T1694SYEDA *ENABLED *NO Transfer Scroll for 1696
117 T1780FERWA *ENABLED *YES Transfer Scroll for 1780-Ferwa
118 T1780HAMID *ENABLED *NO Transfer Scroll for 1780-Hamid
119 T9876REMIT *ENABLED *NO User for 9876-Remittance
120 V0394ARIF *ENABLED *NO View User-0394-Arif Munir Qureshi
121 V0425AKBAR *ENABLED *YES View/Query for 0425 Chief Manager

Recommendations:

Change the system value to *ENABLED with a reasonable expiry period. This will protect a new user
profile from being used by someone else who is not authorized.

Furthermore, use the password composition system values to prevent users from assigning trivial
passwords. RDC management should implement appropriate measures, including the
implementation of an IT security policy regarding passwords.

Management Comments:


Dear Imam! 8.02 and 8.04 appear the same; you can merge them into one.

Finding No. 8.02 Password Expiration:

Part of the security features of the system is a password expiration policy. Regular changing of
passwords, in some environments, is a sound policy that adds to system security. The Password
Expiration Interval system value controls the number of days allowed before a password must be
changed. If a user attempts to sign on after the password has expired, the system shows a display
requiring that the password be changed before the user is allowed to sign on.

During the audit, it was observed that the auditee RDC did not implement a Password Expiration
Policy. There are 298 enabled User Profiles (Annexure – 3 is attached) and 283 passwords
(Annexure – 4 is attached) that have not expired and have not been changed according to the
Password Expiration Interval.

Recommendations:

A password change is required according to the organization’s security guidelines, which is 30 days in
NBP. The risk level is at its highest if users are never required to change their login password, and vice
versa.

RDC management should implement appropriate measures, including the implementation of an IT
security policy regarding passwords.

Management Comments:

Finding No. 8.03 Maximum Sign-On Attempts:

The Maximum Sign-On Attempts (QMAXSIGN) system value controls the number of consecutive incorrect
sign-on attempts allowed for a user. When the maximum number of incorrect sign-on attempts is reached,
the QMAXSGNACN system value determines the action to be taken; normally, the user is blocked from
carrying out further attempts as a security measure.


During the audit, it was observed that the QMAXSIGN system value has been set as ENABLED, which allows
users to keep making incorrect / “Not Valid Sign-on” attempts without any limit. The detail is as
under:

Sr. No. User Profile System Value Status Not Valid Sign-ons
1 C0395BILAL *ENABLED 77
2 T1623SAGIR *ENABLED 70
3 CIF0341006 *ENABLED 68
4 C0425SAJAD *ENABLED 45
5 C1932EJAZ *ENABLED 45
6 T1780FERWA *ENABLED 36
7 CIF0341001 *ENABLED 32
8 C1780GHORI *ENABLED 232
9 ITM *ENABLED 24
10 C0341TQEER *ENABLED 20
11 T0395QAYUM *ENABLED 20
12 CIF1858001 *ENABLED 19
13 T0642ZAHID *ENABLED 19
14 T1623HANIF *ENABLED 17
15 CIF1780001 *ENABLED 16
16 C1531ARSHD *ENABLED 14
17 T0474SAEED *ENABLED 14
18 T0332SHKEL *ENABLED 11
19 WASI *ENABLED 11
20 CIF0341002 *ENABLED 10
21 V0425ARIF *ENABLED 10
22 C0399TARIQ *ENABLED 9
23 C0854AHMED *ENABLED 9
24 C1858ASIF *ENABLED 9
25 T0341NASIR *ENABLED 9
26 T0880FIDA *ENABLED 9
27 C0332IMRAN *ENABLED 8
28 IKRAM *ENABLED 8
29 T0341TQEER *ENABLED 8
30 T0854SHAH *ENABLED 8
31 CIF0474001 *ENABLED 7
32 CIF0854001 *ENABLED 7
33 CIF1725001 *ENABLED 7
34 C0415SAMIR *ENABLED 7
35 C0880NAEEM *ENABLED 7
36 C1932AMBER *ENABLED 7
37 G0501SAEED *ENABLED 7


38 T0854ALI *ENABLED 7
39 CIF0341003 *ENABLED 6
40 C0330KHALD *ENABLED 6
41 S0474ULLAH *ENABLED 6
42 CIF0341005 *ENABLED 5
43 CIF0344001 *ENABLED 5
44 C0341AHSAN *ENABLED 5
45 C0341NIGHT *ENABLED 5
46 C0977INAYT *ENABLED 5
47 C9876STF15 *ENABLED 5
48 N1858TAHIR *ENABLED 5
49 T1623ZAHID *ENABLED 5

Recommendations:

The Maximum Sign-On Attempts (QMAXSIGN) system value should be implemented as per security
policy to guard against the attempts of frauds and forgeries.

Management Comments:

Dear Imam! 8.02 and 8.04 appear the same; you can merge them into one.

Finding No. 8.04 Password Expiration Interval:

The Password Expiration Interval (QPWDEXPITV) system value controls the number of days
allowed before a password must be changed. If a user attempts to sign on after the password has
expired, the system shows a display requiring that the password be changed before the user is allowed
to sign on.

During the audit, it was observed that the Password Expiration Interval for some users has been set
as “NOMAX”. It means these users are not required to change their passwords for an unlimited period.
The detail is as under:

Sr. No. User Profile System Value Status Expiration Interval Password Expired
1 ATMFTP *ENABLED *NOMAX *NO
2 ATMIBM *ENABLED *NOMAX *NO


3 ATMLINK *ENABLED *NOMAX *NO


4 BACKUP *ENABLED *NOMAX *NO
5 CAMSTST1 *ENABLED *NOMAX *NO
6 C1732SALIM *ENABLED *NOMAX *NO
7 EADMN *ENABLED *NOMAX *NO
8 EBSCONVERT *ENABLED *NOMAX *NO
9 EBSIBT *ENABLED *NOMAX *NO
10 EUSER *ENABLED *NOMAX *NO
11 FAZAL *ENABLED *NOMAX *NO
12 IBTMGR *ENABLED *NOMAX *NO
13 IBTUSR *ENABLED *NOMAX *NO
14 INQUIRY *ENABLED *NOMAX *NO
15 I0330USR1 *ENABLED *NOMAX *NO
16 I0332USR1 *ENABLED *NOMAX *NO
17 I0341USR1 *ENABLED *NOMAX *NO
18 I0341USR2 *ENABLED *NOMAX *YES
19 I0344USR1 *ENABLED *NOMAX *NO
20 I0394USR1 *ENABLED *NOMAX *NO
21 I0395USR1 *ENABLED *NOMAX *NO
22 I0399USR1 *ENABLED *NOMAX *NO
23 I0415USR1 *ENABLED *NOMAX *NO
24 I0425USR1 *ENABLED *NOMAX *NO
25 I0474USR1 *ENABLED *NOMAX *NO
26 I0485USR1 *ENABLED *NOMAX *NO
27 I0501USR1 *ENABLED *NOMAX *NO
28 I0642USR1 *ENABLED *NOMAX *NO
29 I0854USR1 *ENABLED *NOMAX *NO
30 I0880USR1 *ENABLED *NOMAX *NO
31 I0977USR1 *ENABLED *NOMAX *NO
32 I1235A *ENABLED *NOMAX *YES
33 I1449USR1 *ENABLED *NOMAX *NO
34 I1456USR1 *ENABLED *NOMAX *NO
35 I1531USR1 *ENABLED *NOMAX *NO
36 I1542USR1 *ENABLED *NOMAX *NO
37 I1575USR1 *ENABLED *NOMAX *NO
38 I1623USR1 *ENABLED *NOMAX *NO
39 I1628USR1 *ENABLED *NOMAX *NO
40 I1694USR1 *ENABLED *NOMAX *NO
41 I1725USR1 *ENABLED *NOMAX *NO


42 I1732USR1 *ENABLED *NOMAX *NO


43 I1780USR1 *ENABLED *NOMAX *NO
44 I1858USR1 *ENABLED *NOMAX *NO
45 I1932USR1 *ENABLED *NOMAX *NO
46 MOEEN *ENABLED *NOMAX *NO
47 OPERATOR *ENABLED *NOMAX *NO
48 SAIBANHO *ENABLED *NOMAX *NO
49 SPRFAISAL *ENABLED *NOMAX *NO
50 SPRIKRAM *ENABLED *NOMAX *NO
51 SPRONLINE *ENABLED *NOMAX *NO
52 SPRSARA *ENABLED *NOMAX *NO
53 SPRSHAKIR *ENABLED *NOMAX *NO
54 SPRWASI *ENABLED *NOMAX *NO
55 T1732SALIM *ENABLED *NOMAX *NO
56 T1780FERWA *ENABLED *NOMAX *YES
57 T1780HAMID *ENABLED *NOMAX *NO
58 T1780SAEED *ENABLED *NOMAX *NO

Recommendations:

The National Bank of Pakistan has approved 30 days system value for Password Expiration Interval.
The RDC management should implement appropriate measures, including the Password Expiration
Interval.

Management Comments:

Finding No. 8.05 More than one Super User Profiles in one Branch:

User IDs for computer applications are as significant as the keys to a bank's strong room.

The purpose of allocating a Super User ID is to ensure that data is entered by the authorized person
only, with full responsibility for the data entered. The Super User Profile is a logical control held by a
senior officer, say the Operations Manager of the branch, to control or supervise the overall working of the
branch staff. According to policy, there should be one super user in each branch.


During the review of Super User IDs, it was however noted that the RDC has created two Super User
IDs in each of three branches. The detail is as under:

Sr. No.  Branch Name                                    Branch Code  User Profiles
1        Main Branch Islamabad                          0341         1. S0341FARUK   2. S0341NASIR
2        Ministry of Foreign Affairs Branch Islamabad   0474         1. S0474FERWA   2. S0474ULLAH
3        Marriott Hotel Branch Islamabad                1628         1. S1628AHMAD   2. S1628AKRAM

Recommendations:

Guidance / policy on having more than one super user at a branch should be sought from the ITG, and
the number of such users in a branch should be capped accordingly.
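The profile checks behind Findings 8.01, 8.03, 8.04 and 8.05 can be made repeatable. The Python script below is an added example written for this report, not a tool of the report's authors, NBP or IBM; it reviews a constructed export of user profile attributes against those four findings. The record layout is an assumption that mirrors the columns the report lists (status, expiration interval, password expired, not-valid sign-ons) plus a default-password flag such as a default-password analysis would produce. The 30-day interval is the value the report cites as NBP's approved policy; the sign-on attempt limit is an assumed figure because the report states none; and the "S" followed by a four-digit branch code as the super-user naming convention is inferred from the profiles listed in Finding 8.05.

```python
"""Added example: review IBM i (iSeries) user profile attributes against the
password and super-user findings of this report. Input is a constructed export;
the field layout and the sample profiles are assumptions for illustration only.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

POLICY_MAX_PWD_DAYS = 30   # approved NBP value cited in the report
ASSUMED_MAX_SIGNON = 3     # assumption: the report gives no QMAXSIGN figure
SUPER_USER_RE = re.compile(r"^S(\d{4})")  # inferred from S0341FARUK, S0474FERWA, ...


@dataclass
class UserProfile:
    name: str
    status: str             # *ENABLED or *DISABLED
    pwdexpitv: str          # days as digits, *NOMAX, or *SYSVAL (inherit QPWDEXPITV)
    pwd_expired: bool       # "Password Expired" flag: user must change at next sign-on
    not_valid_signons: int  # count of consecutive invalid sign-on attempts
    default_password: bool  # flagged by a default-password analysis (constructed here)


# Constructed sample export: name status pwdexpitv pwd_expired not_valid_signons default_password
SAMPLE_EXPORT = """\
ATMLINK    *ENABLED  *NOMAX  *NO  0   Y
S0341FARUK *ENABLED  *SYSVAL *NO  2   N
S0341NASIR *ENABLED  30      *NO  0   N
C0395BILAL *ENABLED  *SYSVAL *NO  77  N
EBSMIG     *DISABLED *NOMAX  *YES 0   Y
T1780FERWA *ENABLED  90      *YES 36  N
S1628AHMAD *ENABLED  *SYSVAL *NO  1   N
"""


def parse_profiles(text):
    """Parse the whitespace-separated export into UserProfile records."""
    profiles = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, status, itv, expired, bad, dflt = line.split()
        profiles.append(UserProfile(name, status, itv, expired == "*YES", int(bad), dflt == "Y"))
    return profiles


def effective_interval(profile, qpwdexpitv):
    """Resolve the profile's expiry interval in days; None means never expires."""
    value = qpwdexpitv if profile.pwdexpitv == "*SYSVAL" else profile.pwdexpitv
    return None if value == "*NOMAX" else int(value)


def review(profiles, qpwdexpitv="*NOMAX", max_signon=ASSUMED_MAX_SIGNON):
    """Return finding-name -> list of affected profiles. Disabled profiles are skipped:
    they cannot sign on, so the findings below concern enabled profiles only."""
    findings = defaultdict(list)
    super_users = defaultdict(list)
    for p in profiles:
        if p.status != "*ENABLED":
            continue
        # 8.01: default password still in place (PWDEXP *YES at least forces a change at next sign-on)
        if p.default_password:
            findings["default_password"].append(p.name)
        # 8.04 (and 8.02): interval *NOMAX, or longer than policy, including via *SYSVAL
        itv = effective_interval(p, qpwdexpitv)
        if itv is None or itv > POLICY_MAX_PWD_DAYS:
            findings["expiry_interval"].append(p.name)
        # 8.03: invalid sign-ons at or over the limit yet the profile is still enabled,
        # which indicates QMAXSIGN / QMAXSGNACN are not disabling the profile
        if p.not_valid_signons >= max_signon:
            findings["signon_limit"].append(p.name)
        m = SUPER_USER_RE.match(p.name)
        if m:
            super_users[m.group(1)].append(p.name)
    # 8.05: policy allows one super user per branch
    for branch, names in sorted(super_users.items()):
        if len(names) > 1:
            findings["super_users"].append(f"{branch}: {', '.join(names)}")
    return dict(findings)


if __name__ == "__main__":
    for finding, names in review(parse_profiles(SAMPLE_EXPORT)).items():
        print(finding, "->", names)
```

The `qpwdexpitv` parameter matters because a profile showing `*SYSVAL` is only as good as the system value it inherits: with QPWDEXPITV at `*NOMAX` every such profile is a finding, while at 30 days only the profiles with their own longer interval remain.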

Management Comments:

Finding No. 8.06 Non-Financial Data of BBO System:

The BBO branches send DTR data to Head Office (directly or through the RDC); however, this data does
not contain non-financial data, e.g. profiles of User IDs etc. Due to this, it is not possible for the auditor
to check any unauthorized manipulation of the system by BBO branch users during the audit of RDCs.

Recommendations:

ITG should be consulted to incorporate the data regarding the number of users in BBO branches and
their activity logs in the DTRs.

Management Comments:


Dear Imam! There is no audit finding in the text of Finding # 8.07; all this is a suggestion. You may
delete it.

Finding No. 8.07 System Values:

The AS/400 family of systems covers a wide range of users. A small system might have three to five
users, and a large system might have several thousand users. Some installations have all their
workstations in a single, relatively secure, area. Others have widely distributed users, including users
who connect by dialing in and indirect users connected through personal computers or system
networks.

Security on the AS/400 system is flexible enough to meet the requirements of this wide range of users
and situations. You need to understand the features and options available so that you can adapt them
to your own security requirements.

System security has three important objectives:

Confidentiality:
• Protecting against disclosing information to unauthorized people.
• Restricting access to confidential information.
• Protecting against curious system users and outsiders.

Integrity:
• Protecting against unauthorized changes to data.
• Restricting manipulation of data to authorized programs.
• Providing assurance that data is trustworthy.

Availability:
• Preventing accidental changes or destruction of data.
• Protecting against attempts by outsiders to abuse or destroy system resources.

System security can be implemented through system values, which allow you to customize many
characteristics of your system. A group of system values is used to define system-wide security
settings.

Although the Security & QA Unit, Information Technology Group, has recommended settings for some
system values, a wide range of system values remains without a recommended setting.

Recommendations:


System security is often associated with external threats, such as hackers or business rivals. However,
protection against system accidents by authorized system users is often the greatest benefit of a
well-designed security system. In a system without good security features, pressing the wrong key
might result in deleting important information. System security can prevent this type of accident.

The best security system functions cannot produce good results without good planning. Security that
is set up in small pieces, without planning, can be confusing. It is difficult to maintain and to audit.
Planning does not imply designing the security for every file, program and device in advance. It does
imply establishing an overall approach to security on the system and communicating that approach to
application designers, programmers and system users.

As you plan security on your system and decide how much security you need, consider these
questions:
• Is there a company policy or standard that requires a certain level of security?
• Do the company auditors require some level of security?
• How important is your system and the data on it to your business?
• How important is the error protection provided by the security features?
• What are your company security requirements for the future?

Information Technology Group should recommend settings for the remaining system values for the
guidance of technical staff and IS Auditors.

Management Comments:


We are thankful to all staff members of NBP Regional Data Centre Islamabad for their co-operation
and help.

(Mashkoor Ahmed Khan)
Vice President/Team Leader
