In this fast-paced world, information systems and related technologies change the way people work, interact and communicate. As organisations become ever more dependent on information systems and related technologies, the technologies that were once merely an enabler of an organisation’s core business have become core to the organisation’s very survival.
Once an organisation’s business strategies, operations, infrastructure, platforms, etc. have been transformed to embrace information and related technologies in order to maintain its competitive advantage in the marketplace, two questions arise:
- How does an organisation ensure that those technologies are aligned with its business and, in turn, maximise the wealth of the organisation?
- How does one ensure that sensitive data and information are protected from constantly emerging threats such as hacking, fraud, etc.?
We offer the following services to help organisations in this endeavour:
Staffing an IT audit function internally is difficult for most companies: IT environments are complex, and auditing them requires several IT auditors with different specialisations. We can partner with an organisation’s Internal Audit department to perform audits in the high-risk IT areas that management and the Audit Committee need to address immediately. Our IT audit team identifies the important audit issues and provides practicable solutions to assist the IT department in strengthening the company’s controls.
We examine areas such as Change Controls, Access Controls and IT Application Controls to enhance the organisation’s existing controls or to incorporate new controls.
- Perform Change Control and Access Control reviews for ERP packages, Commercial Off-The-Shelf (COTS) software, web-based applications, custom developed applications, end-user computing applications, etc.
- Review and strengthen existing IT application controls (e.g. correct shortcomings in segregation of duties and replace manual controls with automated IT controls)
- Identify opportunities to implement new application controls to streamline business processes.
Because an organisation’s information system depends on many components linked together to provide the necessary service, a single hardware fault or an email virus can bring the entire information system to a standstill.
Our infrastructure review examines a client’s existing infrastructure and delivers key recommendations to ensure that the business operates smoothly and the systems are tuned for outstanding performance. It starts from vendor and industry best practices for securing IT infrastructure and adapts these to fit the organisation’s IT environment. The areas examined are:
- Business Needs Assessment – The client’s business objectives are reviewed and analysed to ascertain whether its IT systems are aligned to meet that objective.
- Computer Operations Reviews – Backup and recovery, job scheduling, problem management, physical access, environmental controls, etc. are reviewed.
- Infrastructure Recommendations – The building, suite, room or cupboard in which the computer equipment is housed is examined for improvements, including physical security (walls, CCTV, locks, guards, barbed wire, visitor procedures, etc.), environmental controls (fire and flood protection, power supply, air conditioning), computer and network operations processes and management systems, and the IT equipment itself.
- Software Licensing Audit – The focus here is on the risks of cost overruns and litigation arising from software piracy, etc.
Threat and Vulnerability Assessments
Through our expertise, we evaluate the internal threats from employees and contractors and the external threats to a company’s network and data. We also provide guidance on selecting and implementing software tools to monitor IT infrastructure security. From the analysis, a report highlighting policies, procedures and “hardening” guidelines is documented for each IT infrastructure component.
- Perform threat and vulnerability assessments to identify internal employees or contractors with the ability to cause damage to mission critical IT systems
- Review Malicious Software
- Perform Database Management System Reviews: SQL Server, Oracle, Sybase, DB2, etc.
- Perform Operating System Reviews: Windows, UNIX, Linux, AS/400, etc.
- Perform Network Security Reviews: Firewalls, routers, switches, wireless devices, intrusion detection systems, etc.
- Execute Attack and Penetration (A&P) testing at Internet and Intranet levels using software tools and frameworks
- Test wireless and dial-in (remote access) security
- Review the organisation’s incident response programs
Our IT risk assessments are based on international frameworks established by the world’s leading professional associations for information systems security and control. Using these frameworks, we help to ensure proper management of IT processes within a manageable and logical structure, bridging the gaps between business risks, technical issues and internal control needs.
We use questionnaires, interviews and information requests for key IT data to create an IT risk assessment report that:
- Defines the IS audit universe through the identification of critical IT systems and related processes
- Provides a basis for the risk-based selection of discrete IT audits
Policy and Procedure Reviews
We help our clients to improve their IT policies and procedures by adapting the industry best practices most suitable to their organisations.
- Evaluate existing IT policies and procedures and compare these to industry best practices
- Develop new or improve existing IT policies and procedures
- Improve the processes for monitoring and enforcing IT policies and procedures across the company
By Kumar Manthri
(The writer is the Vice President of ISACA – Sri Lanka Chapter, and working as Assistant Manager IS Audit at SJMS Associates)