
Genesis Colors (P) Ltd.
Internal Audit Report
BDO Haribhakti Consulting Pvt. Ltd
Private and Confidential

2 Systems Review
2.1 No documentation and Implementation of IT Policy

Observation: The organization has not defined, documented and implemented Information Security Policy & Procedures, which include the following but are not limited to:
• Password construction policy
• Authorization and access controls
• Record retention period
• Security incident response process
• Training and Awareness program
• System development and maintenance
• Physical Security review
• Change Management procedure
• Review of logs
• IT Risk assessment
• Business Continuity Plan

Implications: In the absence of the information security policy and procedures, there will not be any clear direction towards the information security implementation. The ad-hoc measures taken may not be able to ensure the security of the business information.

Recommendation: The Information System Security policies and procedures give detailed directions to the organization's efforts towards information security. They also reflect the organization's IT alignment to the business objectives. It is recommended that the organization documents and implements the information security policy and procedures.

Management Response: The process of documenting the IS policies and procedures has now been initiated; the first cut draft will be circulated for approval.

Target Date: Once approved, it will be implemented by November onwards.

• Root Cause: People
• Risk Category: High

2.2 No documented guideline for Servers and Desktop machines

Observation: There is no standard, documented hardening guideline for the servers and desktop machines. For example, hardening is required to address vulnerabilities like unused services, default user names, default ports etc.

Implications: Inadequate hardening and lack of review of hardening documents may leave the operating platform vulnerable to information security threats.

Recommendation: It is recommended that the organization formulate the hardening guidelines and follow the same while installing new hardware. The hardening documentation and the hardening itself should be reviewed periodically and updated for new vulnerabilities identified.

Management Response: The same will be addressed and once the policy is framed it will become a part of it.

Target Date: Once approved, it will be implemented by November onwards.

• Root Cause: People/Process
• Risk Category: High

2.3 Weak password policy

Observation: Password complexity is not enabled in the password policies defined on the domain controller of the Navision server, and the same was found on individual machines also.

Implications: If the password policies are not strong enough, it may lead to unauthorized access to the information systems.

Recommendation: The organization should strengthen the password policy on the DC based on best industry practices.

Management Response: This has been addressed and has now been implemented.

Target Date: Immediate

• Root Cause: People
• Risk Category: High

2.4 Review of Logs not documented

Observation: Review of the logs is not documented. It was informed that the IT department does this review on a periodic basis, but the periodicity and the documentation as regards the date and results are not recorded for any future reference. The reliability of the log review cannot be validated.

Implications: If the log reviews are not documented, the record of accountability for the review of the logs, the sample size, the sample chosen, the result of the analysis, the criteria/parameters for the analysis of the logs etc. may remain undocumented. Without such documentation, the trends found in earlier analysis will not be available for future use or for correlating the results from various types of logs.

Recommendation: It is recommended that the responsibility be fixed to identified personnel and be documented formally. A formal process may be set to define the periodicity of the log review, the sample size, the parameters based on which the logs should be reviewed, secure storage and retention of the logs with the custodian, and their secure disposal after the pre-defined period.

Management Response: The same will be addressed and once the policy is framed it will become a part of it.

Target Date: Once approved, it will be implemented by November onwards.

• Root Cause: People
• Risk Category: Medium
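The recommendation above asks for a log review with a fixed periodicity, a fixed sample size, documented review parameters, and a record of the date, reviewer and results. The following Python script is an added example of what such a documented review can look like; it is not part of the audit report or of the company's procedure. The log lines, the review parameters (weekly review, sample of 6, three failures per source, after-hours window 22:00 to 06:00) and the event IDs are constructed for illustration.

```python
"""Documented log review: fixed periodicity, fixed sample size, documented
criteria, and a record of what was reviewed and what was found.
Added example; not code from the audit report. All log lines are constructed."""
import hashlib
import json
import random
from collections import Counter
from datetime import date

# Constructed Windows-style security log lines (not real data).
LOG_LINES = [
    "2009-09-01 08:01:12 NAVSRV Security 4624 LOGON_SUCCESS user=alice src=10.0.1.5",
    "2009-09-01 08:02:40 NAVSRV Security 4625 LOGON_FAILURE user=Administrator src=10.0.9.77",
    "2009-09-01 08:02:41 NAVSRV Security 4625 LOGON_FAILURE user=Administrator src=10.0.9.77",
    "2009-09-01 08:02:43 NAVSRV Security 4625 LOGON_FAILURE user=Administrator src=10.0.9.77",
    "2009-09-01 09:15:00 NAVSRV Security 4720 USER_CREATED user=tempuser by=bob",
    "2009-09-01 23:40:10 NAVSRV Security 4624 LOGON_SUCCESS user=carol src=10.0.1.9",
    "2009-09-02 02:05:33 NAVSRV Security 4625 LOGON_FAILURE user=sa src=10.0.9.77",
    "2009-09-02 10:11:12 NAVSRV Security 4624 LOGON_SUCCESS user=bob src=10.0.1.7",
]

# Review parameters the procedure fixes in advance (hypothetical values).
REVIEW_PARAMS = {
    "periodicity": "weekly",
    "sample_size": 6,
    "failure_threshold_per_source": 3,  # flag a source with this many failed logons
    "after_hours": (22, 6),             # flag successful logons between 22:00 and 06:00
}

def parse(line):
    """Split one constructed log line into its fields."""
    d, t, host, channel, event_id, kind, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"date": d, "hour": int(t[:2]), "event": int(event_id), "kind": kind, **fields}

def select_sample(lines, size, seed):
    """Deterministic sample: the seed is recorded so the selection can be reproduced."""
    rng = random.Random(seed)
    return sorted(rng.sample(lines, min(size, len(lines))))

def analyse(sample, params):
    """Apply the documented criteria and return the findings in a fixed order."""
    recs = [parse(l) for l in sample]
    failures = Counter(r["src"] for r in recs if r["event"] == 4625)
    start, end = params["after_hours"]
    findings = []
    for src, n in failures.items():
        if n >= params["failure_threshold_per_source"]:
            findings.append(f"{n} failed logons from {src}")
    for r in recs:
        if r["event"] == 4624 and (r["hour"] >= start or r["hour"] < end):
            findings.append(f"after-hours logon by {r['user']} at {r['hour']:02d}:00")
    for r in recs:
        if r["event"] == 4720:
            findings.append(f"account {r['user']} created by {r['by']} (check approval form)")
    return findings

def review(lines, params, reviewer, seed, when=date(2009, 9, 3)):
    """Produce the review record: who, when, which parameters, which sample
    (by hash, so the reviewed lines can be verified later) and what was found."""
    sample = select_sample(lines, params["sample_size"], seed)
    digest = hashlib.sha256("\n".join(sample).encode()).hexdigest()
    return {
        "date": when.isoformat(), "reviewer": reviewer, "params": params,
        "seed": seed, "population": len(lines), "sample_size": len(sample),
        "sample_sha256": digest, "findings": analyse(sample, params),
    }

if __name__ == "__main__":
    print(json.dumps(review(LOG_LINES, REVIEW_PARAMS, "it-admin", seed=20090903), indent=2))
```

The record returned by review() is what gets retained for the custodian: the seed makes the sample reproducible, the hash ties the record to the exact lines reviewed, and the findings are the material that later reviews can correlate against.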

2.5 User Maintenance Procedure not available

Observation: A User Maintenance Procedure is not present. There is no formal process for introducing a new joiner to the system by way of a formal documented process for creating, approving and allocating the user ID. Also, there is no formal documented process for the modification and deactivation of user IDs.

Implications: If the user maintenance procedure is not standardized and well documented, the grant and revocation of access rights may not be tracked properly. Users may get unauthorized or excess rights which will remain undetected, leading to vulnerability in the information systems security.

Recommendation: User creation, modification and deletion or deactivation should be done in a systematic manner, with proper authorization, and should be documented. It is suggested that the organization adopts the practice of having User Maintenance Forms. Also, the access rights of the user should be communicated to him/her formally along with the role and responsibility. The users and their access rights should be reviewed periodically to ensure that active users are physically present and have access rights in line with their job profile.

Management Response: The formats have now been introduced; henceforth all new user IDs are created only after filling the user ID creation form, and for the user IDs already issued, this form will be filled and documented.

Target Date: Will be implemented by October end.

• Root Cause: People
• Risk Category: High
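The periodic review recommended above has two parts: confirming that every active account belongs to someone still in the organization, and confirming that each user's rights match the job profile. The Python below is an added example of that reconciliation (not the report's or the company's own procedure); the HR roster, the role-to-entitlement matrix and the account list are constructed, and the group names are hypothetical.

```python
"""Periodic user access review: reconcile active system accounts against the
HR roster and against a role entitlement matrix. Added example; all data is
constructed and the group names are hypothetical."""
from dataclasses import dataclass

@dataclass
class Account:
    user_id: str
    groups: set            # groups/rights actually granted on the system
    enabled: bool = True

# Constructed HR roster: who is employed and in which role.
HR_ROSTER = {
    "alice": "finance",
    "bob": "it_admin",
    "carol": "designer",
    # "dave" has left the organization but still holds an account below
}

# Constructed role-to-entitlement matrix: the maximum rights a role may hold.
ROLE_RIGHTS = {
    "finance": {"navision_users", "finance_reports"},
    "it_admin": {"navision_users", "domain_admins", "backup_operators"},
    "designer": {"design_share"},
}

SYSTEM_ACCOUNTS = [
    Account("alice", {"navision_users", "finance_reports"}),
    Account("bob", {"navision_users", "domain_admins", "backup_operators"}),
    Account("carol", {"design_share", "finance_reports"}),  # excess right
    Account("dave", {"navision_users"}),                    # leaver, still enabled
    Account("tempuser", {"domain_admins"}),                 # no HR record, no creation form
]

def access_review(accounts, roster, role_rights):
    """Return the exceptions a reviewer must act on: accounts with no HR record
    and users holding rights beyond their role. Disabled accounts are skipped."""
    exceptions = []
    for acct in accounts:
        if not acct.enabled:
            continue
        role = roster.get(acct.user_id)
        if role is None:
            exceptions.append((acct.user_id, "no HR record: disable and investigate"))
            continue
        excess = acct.groups - role_rights[role]
        if excess:
            exceptions.append((acct.user_id, f"excess rights for role {role}: {sorted(excess)}"))
    return sorted(exceptions)

def remediate(accounts, roster, role_rights):
    """Apply the review outcome: disable accounts without an HR record and strip
    rights beyond the role. Returns a corrected copy of the account list."""
    fixed = []
    for acct in accounts:
        role = roster.get(acct.user_id)
        if role is None:
            fixed.append(Account(acct.user_id, set(acct.groups), enabled=False))
        else:
            fixed.append(Account(acct.user_id, acct.groups & role_rights[role], acct.enabled))
    return fixed

if __name__ == "__main__":
    for user, reason in access_review(SYSTEM_ACCOUNTS, HR_ROSTER, ROLE_RIGHTS):
        print(f"{user}: {reason}")
```

The exceptions list is the artefact that a User Maintenance Form process produces: each entry needs an approved form either justifying the right or recording the revocation, and after remediate() a repeat review should return nothing.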
2.6 Access to external mail accounts

Observation: Access to external email accounts is allowed in the corporate network of the organization.

Implications: Access to external email accounts weakens the security of the organization's business data, as vital business information may be leaked out.

Recommendation: The organization should prohibit the use of external email accounts by having an explicit policy and using systemic controls.

Management Response: As a policy we are not to restrict access to external email accounts.

• Root Cause: People
• Risk Category: Medium

2.7 Use of peripheral storage device

Observation: Booting from external devices is enabled on the server. Use of peripheral storage devices is allowed in the organization's network.

Implications: If the use of peripheral storage devices is allowed on the server, there is a possibility that a person with malicious intentions will boot the server from a CD ROM or pen drive (having an Operating System on it) and gain access to the hard drives of the server which are otherwise not accessible to him. He can also format the hard disks of the server. There is also a possibility that confidential business information is copied onto a CD ROM or pen drive, which will lead to information leakage.

Recommendation: The organization should document the business need of having access to the CD ROM drive, if any; else it should be disabled. Employees and third parties/visitors should be asked to declare the media while entering the organization. There should be a policy and procedure for allowing access to storage devices. The organization should carry out surprise checks for such devices. Punitive action should be defined and communicated to the employees and third parties if the policy is not obeyed.

Management Response: Noted, the same has now been disabled on half of the servers and the others which are left will be done in the next down time.

Target Date: Will be implemented by October end.

• Root Cause: People
• Risk Category: Medium
2.8 Default user "Administrator" exists on the critical servers

Observation: The default user "Administrator" exists on the critical servers like Navision, Citrix, Antivirus, DC, Backup server.

Implications: The use of default IDs on critical servers weakens the security of the servers. The probability of the servers getting compromised increases if defaults are not changed.

Recommendation: The organization should assign unique User IDs to the administrator group.

Management Response: All the administrators have unique user IDs and passwords and all individuals are themselves responsible for the accountability of their actions.

Target Date: To take revised response.

• Root Cause: People
• Risk Category: High

2.9 Weak password policy

Observation: It was informed that the initial password for the Navision application is communicated to the users in plain text format by way of email. The user is not forced systemically to change the password after the first login.

Implications: If the passwords are communicated in plain text format and are not force-changed after the first log-in, there is a possibility of unauthorized access to the application.

Recommendation: As a good practice the password should never be communicated in plain text format, which is easily readable by anyone. The organization should force the change of the initial password after the first login.

Management Response: Noted, a single-sign on process has been initiated; however, the same is under observation under the test module.

• Root Cause: People
• Risk Category: High

2.10 No classification and labeling of Information Assets

Observation: Information Assets are not classified and appropriately labeled.

Implications: The Information & Physical assets (like critical financial data, pricing policies, designs and patterns etc.) of the organization may not get inventoried, classified and labeled based on their level of criticality to the organization's business. Without classification, appropriate controls to secure the information may not get implemented. If there is no nominated owner who will be responsible for the appropriate level of protection of the asset, the accountability for its security may not be fixed. Also, the Recovery Time Objective, which is necessary for designing an appropriate recovery architecture for that asset, will not be determined properly.

Recommendation: Information has varying degrees of sensitivity and criticality. Classification of information ensures that appropriate controls are implemented to protect the information. It is recommended that the vendor should classify the information.

Management Response: Mr. Virender and Mr. Deepak will decide the same.

• Root Cause: People
• Risk Category: High


2.11 Absence of Review of Inventory

Observation: Inventory is not reviewed periodically. Further, there is no documented review process for all these inventory items. The owner for each asset is not identified and documented.

Implications: In the absence of a review of inventory, availability of the asset in case of urgent need, or for continuity of business in case of disaster, cannot be ensured. Also, there are chances of having excess inventory. If the owner is not defined, the accountability for protection of the asset remains unidentified.

Recommendation: The asset inventory is needed for fixing the responsibility for maintenance of appropriate controls on the information asset to the owner. Such information is needed for recovering from disaster, if any. It is also a basis of risk assessment. It is recommended that the organization maintain and review the inventory register for hardware as well as software and carry out risk assessment on a periodic basis.

Management Response: The process of periodic review will be started from October onwards and it will be documented and become a part of the policy, with a periodicity of a half-yearly basis.

Target Date: By October onwards

• Root Cause: People
• Risk Category: Medium

2.12 Weak password policy

Observation: The password for the SA user of the SQL server was observed to be weak; the password length was only 4 characters.

Implications: A weak password on this sensitive account may lead to unauthorized access and data leakage.

Recommendation: It is recommended that the passwords of such sensitive accounts should be strong enough. Also, the organization may evaluate the option of disabling the "SA" user and creating a different administrator account with SA privileges.

Management Response: The same has now been implemented and a complex password is in place.

Target Date: Immediate

• Root Cause: People
• Risk Category: High
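Findings 2.3 (complexity not enabled on the DC), 2.9 (initial password sent in plain text, no forced change at first login) and 2.12 (4-character SA password) all come down to the same control: a password policy that is enforced by the system rather than left to the user. The Python below is an added example, not code from the report or from the company's systems: it implements a complexity rule of the kind the Windows "password must meet complexity requirements" setting enforces (minimum length, at least three character classes, password must not contain the account name), applies it to candidate passwords, and shows a first-logon flow that refuses access until a compliant new password is set. The thresholds (12 characters, 3 classes, 90-day maximum age) are assumed values, not the organization's policy.

```python
"""Enforced password policy: complexity check, maximum age, and a
must-change-at-first-logon flow. Added example; thresholds are assumed."""
import hashlib
import os
import secrets
import string

POLICY = {
    "min_length": 12,      # assumed; a 4-character SA password fails this outright
    "min_classes": 3,      # at least 3 of: upper, lower, digit, symbol
    "max_age_days": 90,    # assumed; compare with the 155-day age found by Win Audit
}

def char_classes(pw):
    """Count how many of the four character classes the password uses."""
    return (any(c.isupper() for c in pw) + any(c.islower() for c in pw)
            + any(c.isdigit() for c in pw) + any(c in string.punctuation for c in pw))

def check_password(pw, account_name, policy=POLICY):
    """Return the list of policy violations (an empty list means compliant)."""
    problems = []
    if len(pw) < policy["min_length"]:
        problems.append(f"length {len(pw)} < {policy['min_length']}")
    if char_classes(pw) < policy["min_classes"]:
        problems.append(f"only {char_classes(pw)} character classes, need {policy['min_classes']}")
    # Simplified form of the Windows rule: account names of 3+ characters may not appear.
    if len(account_name) >= 3 and account_name.lower() in pw.lower():
        problems.append("contains the account name")
    return problems

def password_age_ok(age_days, policy=POLICY):
    """True if the password is within the maximum age."""
    return age_days <= policy["max_age_days"]

def hash_password(pw, salt=None):
    """Salted PBKDF2 so the stored record never holds the plain-text password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

def issue_initial_password(account_name, policy=POLICY):
    """Generate a compliant random initial password and a record flagged
    must_change. The plain text is returned once for out-of-band delivery
    (not e-mail) and is never stored."""
    while True:
        pw = secrets.token_urlsafe(12)          # 16 URL-safe characters
        if not check_password(pw, account_name, policy):
            break
    salt, digest = hash_password(pw)
    return pw, {"salt": salt, "hash": digest, "must_change": True}

def login(record, pw, new_password=None, account_name=""):
    """Verify the password; while must_change is set, refuse access until a
    compliant new password is supplied, then clear the flag."""
    _, digest = hash_password(pw, record["salt"])
    if not secrets.compare_digest(digest, record["hash"]):
        return "denied"
    if record["must_change"]:
        if new_password is None or check_password(new_password, account_name):
            return "password change required"
        record["salt"], record["hash"] = hash_password(new_password)
        record["must_change"] = False
    return "ok"
```

check_password("ab12", "sa") reports both the length and the class violations, which is why the SA finding is rated High: a 4-character password fails every reasonable policy. The login() flow is the systemic control asked for in 2.9; the initial password is only ever held by the recipient and the salted hash.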
2.13 Absence of Email-disclaimer

Observation: During our course of review, it was observed that there is no disclaimer for official email communication.

Implications: In the absence of the email disclaimer, the organization will not be able to restrict its responsibility towards acts of its employees, since it cannot prove that it has acted responsibly and done everything in its power to stop employees from committing offenses like transmission of viruses, misstatement, breach of confidentiality etc.

Recommendation: An email disclaimer helps the organization in some situations that might exempt the organization from liability. More importantly, it may well prevent the actual occurrence of lawsuits against your organization, since the mere presence of the statement might deter most persons from seeking legal compensation from your organization. Therefore, the use of disclaimers is always recommended.

Management Response: The same has been drafted and approved by legal.

Target Date: Will be implemented by 30th September.

• Root Cause: People
• Risk Category: Medium

2.14 No documentation of Back up test

Observation: A backup procedure includes identifying all applications key to the organization, identifying the person responsible for the backup procedure, analyzing the actual procedures performed, and determining the appropriateness of handling the related media. As observed, a backup procedure is in place but documentation of the backup test is not done.

Implications: If the backup and restoration activity is not documented, and the tracking of media used and the results of backup and restoration are not recorded, then management of the media may not be done appropriately.

Recommendation: Backup testing is a vital part of ensuring the availability of data. Proper documentation should be maintained to track the activity and the reuse of media as recommended by the manufacturer of the backup media.

Management Response: The same has been addressed and will be done on a regular basis.

Target Date: Will be implemented from 1st October.

• Root Cause: People
• Risk Category: Low

2.15 Backup copies not stored in Fire resistant cabinet

Observation: The backup copies of the Navision application, which is identified by the organization as critical data, are not stored in a fire resistant cabinet. It was informed that the weekly full backup is stored at the residence of the responsible personnel, but without documentation. Reconciliation of the tape in/out is performed at the main premises, but the tapes are not stored in a fire resistant cabinet. Also, a gate pass is not prepared and documented for tracking the movement of the backup tapes. Further, the backup movement to the offsite location is being done at the week end; hence any loss of data during the week may not be recoverable.

Implications: If the backups are not stored in a fire resistant cabinet, it may lead to unavailability of the data in case of disaster.

Recommendation: The backups should be stored securely in a fire resistant cabinet on site to ensure the availability of the data in case of disaster. Possibly the data backup to the offsite location should be done on a daily basis. Further, the company may do an IT risk assessment to evaluate the criticality of the data.

Management Response: The same has been addressed and the cabinet is being purchased, to be released by 25th September. A fire-proof cabinet will be stored off-site at the registered office in Delhi.

Target Date: Will be implemented by November onwards.

• Root Cause: People
• Risk Category: Medium

2.16 Absence of Incident management procedure

Observation: A security incident response process does not exist to monitor security vulnerabilities at the application and database level and support timely response.

Implications: In the absence of an incident management procedure, appropriate corrective actions may not be taken.

Recommendation: It is recommended that the organization identify the security incidents associated with the business processes and define corrective actions to be taken in such situations.

Management Response: The same will be addressed and once the policy is framed it will become a part of it.

Target Date: Once approved, it will be implemented by November onwards.

• Root Cause: People
• Risk Category: High

2.17 Training on Information security not conducted

Observation: Formal Information security trainings and awareness programs are not provided to new employees and existing employees of the organization on a periodic basis.

Implications: If the employees are not made aware about Information security, people with mal-intention may take advantage and breach the security. Also, the lack of knowledge may lead to error, which will lead to a security incident.

Recommendation: People play the most sensitive role in IS security. Awareness about information security and social engineering techniques must be spread by way of posters, newsletters, trainings and seminars. A periodic training calendar must be in place.

Management Response: The Information Security trainings will be conducted on a periodic basis.

Target Date: Will be implemented by November onwards.

• Root Cause: People
• Risk Category: Medium

2.18 Details and status of Change request not documented

Observation: A Change Management procedure describes how the specific requirements of a change are documented and assessed for impact, timing and resource purposes, and the same should be reported to all affected organizations as needed throughout the process. As noted above, the details and status of the change request are not recorded and documented.

Implications: Unauthorized changes may get implemented in the production environment.

Recommendation: The organization should document and implement the change and release management policy and procedure.

Management Response: The same will be addressed and once the policy is framed it will become a part of it.

Target Date: Once approved, it will be implemented by November onwards.

• Root Cause: People
• Risk Category: Medium

2.19 Updated network diagram not available

Observation: A computer network diagram is a schematic depicting the nodes and connections amongst nodes in a computer network or, more generally, any telecommunications network. But an updated network diagram is not there.

Implications: Identification of problems and issues in the network will be difficult.

Recommendation: The organization should prepare and maintain the network diagram.

Management Response: The same has already been implemented for the WAN. For the LAN, it will be done shortly.

Target Date: Will be implemented by October end.

• Root Cause: People
• Risk Category: High

2.20 Preventive health check not done for desktops

Observation: On the sample desktops selected from various departments, it was observed that the security was weak. E.g. the Windows firewall was found disabled, the antivirus solution was not updated etc.

Implications: The systems may become vulnerable to information security threats, virus attack, download of unauthorized software harmful to the system etc.

Recommendation: It is suggested that a basic health check should be carried out on the computers on a periodic basis. Preventive and corrective actions should be planned in the form of an internal review.

Management Response: A proper policy of the periodic review of various machines will be done and basic user education will be in practice, and a calendar will be prepared for the same to ensure it will be done once in three months.

Target Date: Will be implemented by October onwards.

• Root Cause: People
• Risk Category: Medium

2.21 Absence of Business Continuity Plan

Observation: The organization has not documented the business continuity strategy and plan.

Implications: Every organization should have a business continuity plan that seeks to ensure that its information systems are available and running at all times to support and enable the business to function and grow. In spite of all precautions and preventive controls, disasters can occur. Some disasters cannot be controlled and/or prevented. In such cases, the business continuity plan should also enable recovery of information systems within an acceptable time frame to avoid any serious damage to the business. But, in the absence of a BCP, the vendor may not be able to meet contractual obligations and may suffer losses in the business.

Recommendation: It is recommended that the organization documents and implements the BCP.

Management Response: The same will be addressed and we will explore this.

• Root Cause: People
• Risk Category: High

2.22 Risk Assessment for IT not done

Observation: A formal IT risk assessment is a determination of the value and potential risks that can occur in the salon environment. It is also a legal document, concluded by a professional, and is aimed to help the employer and employees decrease and reduce the high probability of their risks, but it is not followed by the organization.

Implications: In the absence of a formal IT risk assessment, some of the critical IT and IT security related issues remain unidentified and hence IT security will remain vulnerable to the threats posed by them. If the functional personnel are not involved in the risk assessment, the alignment of IT risks to business/functional risks may not be done.

Recommendation: It is recommended that the formal IT risk assessment be carried out by involving IT as well as functional personnel. The results of such assessment shall be documented. It is recommended that such risk assessment be carried out at least annually or after any major change in the IT infrastructure or process.

Management Response: We will do it after having the Business Continuity Plan.

• Root Cause: People
• Risk Category: High

2.23 Physical Security

Observation:
• Water leakage and unstructured cabling was observed at the data center.
• Use of camera phones was allowed inside the data center.
• Unnecessary material was found stored in the data center; a battery bank was found in the data centre.
• There is no proper iron-railing from the drive-way side.
• A switch was found on the second floor in improper condition near the Wash Room area. (attach photos)

Implications:
• The water leakage may cause a short circuit in the cabling, the chances of which are aggravated by the messy/unstructured wiring.
• Use of cameras or camera phones inside the sensitive areas may lead to disclosure of critical IT infrastructure to outsiders.
• If unnecessary material is stored in the critical area, there may be hindrances in troubleshooting. Also there is a risk of unauthorized access to the sensitive area, as an unauthorized person may access this area under the pretext of taking out the material.

Recommendation:
• The organization shall take prompt action to remove the water leakage from the data center.
• A policy should be set at high level to prohibit the use of video recording devices inside the sensitive area. A notice should be displayed and users/visitors should be made aware that they are not allowed to carry any video recording device inside the sensitive areas.
• The room where the data switch is installed should not be used as a storage room. This room should be kept exclusively for Network / Voice data connection equipment and other required identified infrastructure assets.

Management Response: The same has been addressed and as an effective measure, we will have the switch cleaned and the protection process will be ensured. Further, maintenance of the Data centre has now been initiated and will be done on an immediate basis.

Target Date: Will be implemented by October end. Due to space constraint we are unable to shift the battery bank; once the w/h is shifted then we will shift the battery bank.

• Root Cause: People
• Risk Category: High
2.24 Physical log book not available

Observation: A physical log book for the Data center was not found at the time of audit.

Implications: In the absence of a log book, the tracking of visits by personnel to the sensitive areas will not be done.

Recommendation: A physical log book should be maintained inside the data center and the sensitive areas to track the visitors to these areas. This logbook should be reviewed periodically.

Management Response: The Physical log-book has now been implemented with immediate effect.

• Root Cause: People
• Risk Category: Medium


2.25 Results of Audit Tool Win Audit run on Critical Servers

On the Navision server, the result of the Win Audit tool revealed the following observations:

Observation:
• During our testing, we have found that the default user "Administrator" exists.
• During our testing, we have found that the password age is 155 days.
• In the testing result, the backup operations failed to complete on account of insufficient disk space.
• In the testing result, the USB drive is not disabled, and this leads to a weak security parameter setting.
• During our testing, automatic updates were found enabled.
• In the testing result, a freeware Antivirus solution was installed and the last update was on 27/12/08.
• In the testing results, we have found that the time was set as per US time.
Similar observations were found on other critical servers as well.

Implications: Weak security parameter settings and the absence of hardening guidelines may lead to security compromise.

Recommendation: It is suggested that the Organization should have proper hardening guidelines. The implementation of these guidelines on the servers should be reviewed periodically. The hardening document itself should be reviewed periodically.

Management Response: As per the company plan, all critical servers will be moved to a new server and a periodic review of various security measures will be taken care of as a part of the Security policy.

• Root Cause: People
• Risk Category: High
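The recommendation above is a documented hardening baseline plus a periodic check of each server against it, which is exactly the gap that let the Win Audit results accumulate. The Python below is an added example of such a check, not the Win Audit tool and not the company's own guideline: it compares a per-host record against a baseline and reports every deviation. The audit record is constructed to mirror the observations listed for the Navision server, and the baseline values (90-day maximum password age, 7-day signature age, local time zone Asia/Kolkata, no default accounts, removable storage disabled, servers patched through change management rather than unattended updates) are assumed, not the organization's policy.

```python
"""Hardening baseline check over a server audit record. Added example; the
audit record is constructed to mirror the Win Audit observations and the
baseline values are assumed, not the company's actual guideline."""
from datetime import date

AUDIT_DATE = date(2009, 9, 1)   # assumed date of the review

# Constructed record in the shape an audit tool might export (not real tool output).
NAVISION_AUDIT = {
    "host": "NAVSRV",
    "local_accounts": ["Administrator", "svc_backup"],
    "max_password_age_days": 155,
    "last_backup_status": "failed: insufficient disk space",
    "usb_storage_disabled": False,
    "automatic_updates": True,
    "antivirus": {"product": "freeware", "last_signature_update": date(2008, 12, 27)},
    "timezone": "US/Eastern",
}

# A record that meets the baseline, for comparison (constructed).
HARDENED_EXAMPLE = {
    "host": "NAVSRV-NEW",
    "local_accounts": ["svc_backup"],
    "max_password_age_days": 60,
    "last_backup_status": "ok",
    "usb_storage_disabled": True,
    "automatic_updates": False,
    "antivirus": {"product": "managed", "last_signature_update": date(2009, 8, 31)},
    "timezone": "Asia/Kolkata",
}

# Documented baseline (assumed values).
BASELINE = {
    "forbidden_default_accounts": {"Administrator", "Guest"},
    "max_password_age_days": 90,
    "usb_storage_disabled": True,
    "automatic_updates": False,      # assumed: patches go through change management (2.18)
    "max_signature_age_days": 7,
    "timezone": "Asia/Kolkata",      # assumed local zone so log timestamps match events
}

def check_host(record, baseline, today):
    """Return (check_name, detail) for every deviation from the baseline, in a fixed order."""
    deviations = []
    defaults = baseline["forbidden_default_accounts"] & set(record["local_accounts"])
    if defaults:
        deviations.append(("default_accounts", f"rename/disable: {sorted(defaults)}"))
    if record["max_password_age_days"] > baseline["max_password_age_days"]:
        deviations.append(("password_age",
                           f"{record['max_password_age_days']} days > {baseline['max_password_age_days']}"))
    if not record["last_backup_status"].startswith("ok"):
        deviations.append(("backup", record["last_backup_status"]))
    if record["usb_storage_disabled"] != baseline["usb_storage_disabled"]:
        deviations.append(("usb_storage", "removable storage not disabled"))
    if record["automatic_updates"] != baseline["automatic_updates"]:
        deviations.append(("automatic_updates", "setting differs from baseline"))
    sig_age = (today - record["antivirus"]["last_signature_update"]).days
    if sig_age > baseline["max_signature_age_days"]:
        deviations.append(("antivirus", f"signatures {sig_age} days old"))
    if record["timezone"] != baseline["timezone"]:
        deviations.append(("timezone", f"{record['timezone']} (logs will not align with local events)"))
    return deviations

if __name__ == "__main__":
    for name, detail in check_host(NAVISION_AUDIT, BASELINE, AUDIT_DATE):
        print(f"{NAVISION_AUDIT['host']}: {name}: {detail}")
```

Run periodically against every critical server, the deviation list is the evidence the periodic review should retain; an empty list for a host means it matches the documented baseline as of that date, and a change to BASELINE itself is the "hardening document reviewed periodically" event.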

2.26 Good to have practices:

a) It is suggested that the organization should take additional measures to password protect the confidential business data. Also, the organization may evaluate and use solutions for encryption when such data is being stored or transmitted.
b) The record of reuse of magnetic media should be maintained as per the manufacturer's instructions to ensure that the media is in proper condition.
c) As a good practice, the user should not be allowed to change the date and time.