2 Systems Review
2.1 No documentation and Implementation of IT Policy

Observation: The organization has not defined, documented and implemented Information Security Policy & Procedures, which include the following but are not limited to:
• Password construction policy
• Authorization and access controls
• Record retention period
• Security incident response process
• Training and Awareness program
• System development and maintenance
• Physical Security review
• Change Management procedure
• Review of logs
• IT Risk assessment
• Business Continuity Plan

Implications: In the absence of the information security policy and procedures, there will not be any clear direction towards the information security implementation. The ad-hoc measures taken may not be able to ensure the security of the business information.

Recommendation: The Information System Security policies and procedures give detailed directions to the organization's efforts towards information security. They also reflect the organization's IT alignment to the business objectives. It is recommended that the organization documents and implements the information security policy and procedures.

Management Response: The process of documenting the IS policies and procedures has now been initiated; the first cut draft will be circulated for approval.

Target Date: Once approved, it will be implemented by November onwards.
Observation: [...] default user names, default ports etc. same while installing new hardware.

Implications: Inadequate hardening and lack of review of the hardening documents may leave the operating platform vulnerable to information security threats.

Recommendation: The hardening documentation and the hardening itself should be reviewed periodically and updated for newly identified vulnerabilities.

Management Response: [...] become a part of it.

Target Date: [...] implemented by November onwards.

• Root Cause: People/Process
• Risk Category: High
Observation: Password complexity is not enabled in the password policies defined on the domain controller of the Navision server, and the same was found on individual machines also.

Implications: If the password policies are not strong enough, it may lead to unauthorized access to the information systems.

Recommendation: The organization should strengthen the password policy on the DC based on best industry practices.

Management Response: This has been addressed and has now been implemented.

Target Date: Immediate
Observation: Review of the logs is not documented. It was informed that the IT department does this review on a periodic basis, but the periodicity and the documentation as regards the date and results are not recorded for any future reference. The reliability of the log review cannot be validated.

Recommendation: It is recommended that the responsibility be fixed to identified personnel and be documented formally. A [...]

Management Response: The same will be addressed and once the policy is framed it will become a part of it.

Target Date: Once approved, it will be implemented by November.
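As an added PowerShell example (not part of the audit report or the organization's procedures), one way to give the log review the date, periodicity and result trail the finding says is missing: each run summarises the Security log for the review period and appends a dated entry to a review register. The register path and reviewer name are placeholders to adapt.

```powershell
# Added example: a log review that leaves evidence behind. Assumes Windows PowerShell 3.0+
# and read access to the Security event log; path and reviewer are placeholders.
param(
    [string]$Reviewer     = 'IT-Admin',                        # placeholder
    [string]$RegisterPath = 'C:\ITSec\LogReviewRegister.csv',  # placeholder
    [int]   $Days         = 7                                  # length of the review period
)

$since = (Get-Date).AddDays(-$Days)

# 4625 = failed logon, 4740 = account locked out, 4720 = user account created,
# 4732 = member added to a security-enabled local group
$ids = 4625, 4740, 4720, 4732
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Summarise: count per event ID, and the accounts with the most failed logons
$byId = $events | Group-Object Id | ForEach-Object { "$($_.Name)=$($_.Count)" }
$topFailed = $events |
    Where-Object Id -eq 4625 |
    ForEach-Object { $_.Properties[5].Value } |      # TargetUserName field of event 4625
    Group-Object | Sort-Object Count -Descending | Select-Object -First 5 |
    ForEach-Object { "$($_.Name):$($_.Count)" }

$entry = [pscustomobject]@{
    ReviewDate    = (Get-Date).ToString('yyyy-MM-dd HH:mm')
    Host          = $env:COMPUTERNAME
    PeriodStart   = $since.ToString('yyyy-MM-dd')
    Reviewer      = $Reviewer
    EventCounts   = ($byId -join ';')
    TopFailedUser = ($topFailed -join ';')
    Exceptions    = ''   # reviewer records anything escalated, or 'none'
}

# The register is the record that the review happened, when, by whom, and what it found
$entry | Export-Csv -Path $RegisterPath -Append -NoTypeInformation
$entry | Format-List
```

Run it from a scheduled task at the agreed periodicity, and the CSV becomes the evidence an auditor can check against the stated schedule.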
Observation: A User Maintenance Procedure is not present. There is no formal process for introducing a new joiner to the system by way of a formally documented process for creating, approving and allocating the user ID. Also, there is no formal documented process for the modification and deactivation of user IDs.

Implications: If the user maintenance procedure is not standardized and well documented, the grant and revocation of access rights may not be tracked properly. Users may get unauthorized or excess rights which will remain undetected, leading to vulnerability in the information systems security.

Recommendation: User creation, modification, and deletion or deactivation should be done in a systematic manner, with proper authorization, and should be documented. It is suggested that the organization adopts the practice of having User Maintenance Forms. Also, the access rights of the user should be documented and communicated to him/her formally along with his/her role and responsibility. The users [...]

Management Response: The formats have now been introduced; henceforth all new user IDs are created only after filling the user ID creation form, and for the user IDs already issued this form will be filled and [...]

Target Date: Will be implemented by October end.

• Root Cause: People
• Risk Category: High
Observation: Booting from external devices is enabled on the server. Use of peripheral storage devices is allowed in the organization's network.

Implications: If the use of peripheral storage devices is allowed on the server, there is a possibility that a person with malicious intentions boots the server from a CD-ROM or pen drive (carrying an operating system) and gains access to the hard drives of the server, which are otherwise not accessible to him. He can also format the hard disks of the server. There is also a possibility that confidential business information is copied to a CD-ROM or pen drive, which will lead to information leakage.

Recommendation: The organization should document the business need of having access to the CD-ROM drive, if any; otherwise it should be disabled. Employees and third parties/visitors should be asked to declare the media while entering the organization. There should be a policy and procedure for allowing access to storage devices. The organization should carry out surprise checks for such devices. Punitive action should be defined and communicated to the employees and third parties if the policy is not obeyed.

Management Response: Noted, the same has now been disabled on half of the servers and the others which are left will be done in the next down time.

Target Date: Will be implemented by October end.

• Root Cause: People
• Risk Category: Medium
2.8 Default user “Administrator” exists on the critical servers

Observation: The default user “Administrator” exists on the critical servers like Navision, Citrix, Antivirus, DC and Backup server.

Implications: The use of default IDs on critical servers weakens the security of the servers. The probability of the servers getting compromised increases if defaults are not changed.

Recommendation: The organization should assign unique User IDs to the administrator group.

Management Response: All the administrators have unique user IDs and passwords, and all individuals are themselves responsible for the accountability of their actions.

Target Date: To take revised response.

• Root Cause: People
• Risk Category: High
Observation: It was informed that the initial password for the Navision application is communicated to the users in plain text format by way of email. The user is not systemically forced to change the password after the first login.

Recommendation: As a good practice the password should never be communicated in plain text format, which is [...]

Management Response: Noted, single sign-on process has been initiated; however, the same [...]
Observation: Information Assets are not classified and appropriately labeled.

Implications: The Information & Physical assets (like critical financial data, pricing policies, designs and patterns etc.) of the organization may not get inventoried, classified and labeled based on their level of criticality to the organization's business. Without classification, appropriate controls to secure the information may not get implemented. If there is no nominated owner who will be responsible for the appropriate level of protection of the asset, the accountability for its security may not be fixed.

Recommendation: Information has varying degrees of sensitivity and criticality. Classification of information ensures that appropriate controls are implemented to protect it. It is recommended that the vendor should classify the information.

Management Response: Mr. Virender and Mr. Deepak will decide the same.
Observation: The inventory is not reviewed periodically. Further, there is no documented review process for all these inventory items. The owner for each asset is not identified and documented.

Implications: In the absence of a review of the inventory, availability of an asset in case of urgent need, or for continuity of business in case of disaster, cannot be ensured. Also, there are chances of holding excess inventory. If the owner is not defined, the accountability for protection of the asset remains unidentified.

Recommendation: The asset inventory is needed for fixing on the owner the responsibility for maintenance of appropriate controls on the information asset. Such information is needed for recovering from disaster, if any. It is also a basis of risk assessment. It is recommended that the organization maintains and reviews the inventory register for hardware as well as software and carries out risk assessment on a periodic basis.

Management Response: The process of periodic review will be started from October onwards and it will be documented and become a part of the policy, with a periodicity of half-yearly basis.

Target Date: By October onwards

• Root Cause: People
• Risk Category: Medium
Observation: The password of the SA user of the SQL server was observed to be weak; the password length was only 4 characters.

Implications: A weak password on this sensitive account may lead to unauthorized access and data leakage.

Recommendation: It is recommended that the passwords of such sensitive accounts should be strong enough. Also, the organization may evaluate the option of disabling the "SA" user and creating a different administrator account with SA privileges.

Management Response: The same has now been implemented and a complex password is in place.

Target Date: Immediate

• Root Cause: People
• Risk Category: High
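An added PowerShell example (not the report's or the organization's code) of how the recommendation above can be checked and applied: it reads the state of the built-in sa login from sys.sql_logins and, when run with -Remediate, creates a separately named sysadmin login under Windows password policy and disables sa. It assumes the SqlServer module (Invoke-Sqlcmd), SQL Server 2012 or later, and placeholder instance and login names.

```powershell
# Added example; assumes the SqlServer module and sysadmin rights on the instance.
param(
    [string]$Instance = 'NAVSQL01',        # placeholder instance name
    [string]$NewAdmin = 'svc_dba_admin',   # placeholder replacement login
    [switch]$Remediate                     # without this switch the script only reports
)

# sa always has SID 0x01, so the check still works after sa has been renamed
$check = @"
SELECT name, is_disabled, is_policy_checked, is_expiration_checked, modify_date
FROM sys.sql_logins WHERE sid = 0x01;
"@
$sa = Invoke-Sqlcmd -ServerInstance $Instance -Query $check

$findings = @()
if (-not $sa.is_disabled)           { $findings += 'sa is enabled' }
if (-not $sa.is_policy_checked)     { $findings += 'sa is not subject to Windows password policy (CHECK_POLICY OFF)' }
if (-not $sa.is_expiration_checked) { $findings += 'sa password never expires (CHECK_EXPIRATION OFF)' }
if ($sa.name -eq 'sa')              { $findings += 'sa still carries its default name' }

if ($findings.Count -eq 0) { Write-Output 'sa login: compliant'; return }
$findings | ForEach-Object { Write-Output "FINDING: $_" }

if ($Remediate) {
    # Prompt for the new password rather than hard-coding it; CHECK_POLICY makes SQL Server
    # enforce the host's complexity and length rules, which is what the 4-character sa lacked.
    $secure  = Read-Host -AsSecureString "Password for $NewAdmin"
    $plain   = [System.Net.NetworkCredential]::new('', $secure).Password
    $escaped = $plain -replace "'", "''"     # escape for the T-SQL string literal
    $fix = @"
IF NOT EXISTS (SELECT 1 FROM sys.sql_logins WHERE name = N'$NewAdmin')
    CREATE LOGIN [$NewAdmin] WITH PASSWORD = N'$escaped',
        CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
ALTER SERVER ROLE [sysadmin] ADD MEMBER [$NewAdmin];
ALTER LOGIN [$($sa.name)] DISABLE;   -- keep the login (it cannot be dropped) but disable it
"@
    Invoke-Sqlcmd -ServerInstance $Instance -Query $fix
    Write-Output "Created $NewAdmin as sysadmin and disabled $($sa.name); re-run without -Remediate to confirm."
}
```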
2.13 Absence of Email-disclaimer

Observation: During our course of review, it was observed that there is no disclaimer for official email communication.

Implications: In the absence of the email disclaimer, the organization will not be able to restrict its responsibility towards acts of its employees, since it cannot prove that it has acted responsibly and done everything in its power to stop employees from committing offenses like transmission of viruses, misstatement, breach of confidentiality etc.

Recommendation: An email disclaimer helps the organization in some situations that might exempt the organization from liability. More importantly, it may well prevent the actual occurrence of lawsuits against your organization, since the mere presence of the statement might deter most persons from seeking legal compensation from your organization. Therefore, the use of disclaimers is always recommended.

Management Response: The same has been drafted and approved by legal.

Target Date: Will be implemented by 30th September.

• Root Cause: People
• Risk Category: Medium
Observation: A backup procedure includes identifying all applications key to the organization, identifying the person responsible for the backup procedure, analyzing the actual procedures performed, and determining the appropriateness of handling the related media. As observed, a backup procedure is in place but documentation of backup tests is not done.

Implications: If the backup and restoration activity is not documented, and the tracking of media used and the results of backup and restoration are not documented, then management of the media [...]

Recommendation: Backup testing is a vital part in ensuring the availability of data. Proper documentation should be maintained to track the activity and the reuse of media as recommended by the manufacturer of the backup media.

Management Response: The same has been addressed and will be done on a regular basis.

Target Date: Will be implemented from 1st October.
Observation: The backup copies of the Navision application, which is identified by the organization as critical data, are not stored in a fire resistant cabinet. It was informed that the weekly full backup is stored at the residence of the responsible personnel, but without documentation. Reconciliation of the tape in/out is performed at the main premises, but the tape is not stored in a fire resistant cabinet. Also, a gate pass is not prepared and documented for tracking the movement of the backup tapes. Further, the backup movement to the offsite location is being done at the weekend; hence any loss of data during the week may not be recoverable.

Implications: If the backups are not stored in a fire resistant cabinet, it may lead to unavailability of the data in case of disaster.

Recommendation: The backups should be stored securely in a fire resistant cabinet on site to ensure the availability of the data in case of disaster. Possibly the data backup to offsite must be on a daily basis. Further, the company may do an IT risk assessment to evaluate the criticality of the data.

Management Response: The same has been addressed and is being purchased, released by 25th September. A fire-proof cabinet will be stored off-site at the registered office in Delhi.

Target Date: Will be implemented by November onwards.
2.16 Absence of Incident management procedure

Observation: A security incident response process does not exist to monitor security vulnerabilities at the application and database level and support timely response.

Implications: In the absence of an incident management procedure, appropriate corrective actions may not be taken.

Recommendation: It is recommended that the organization identifies the security incidents associated with the business processes and defines corrective actions to be taken in such situations.

Management Response: The same will be addressed and once the policy is framed it will become a part of it.

Target Date: Once approved, it will be implemented by November onwards.
Observation: Formal information security trainings and awareness programs are not provided to new employees and existing employees of the organization on a periodic basis.

Implications: If the employees are not made aware of information security, people with malicious intent may take advantage and breach the security. Also, the lack of knowledge may lead to errors, which will lead to security incidents.

Recommendation: People play the most sensitive role in IS security. Awareness about information security and social engineering techniques must be spread by way of posters, newsletters, trainings and seminars. A periodic training calendar must be in place.

Management Response: The Information Security trainings will be conducted on a periodic basis.

Target Date: Will be implemented by November onwards.

• Root Cause: People
• Risk Category: Medium
Observation: A Change Management procedure describes how the specific requirements of a change are documented and assessed for impact, timing and resource purposes, and how the same should be reported to all affected organizations as needed throughout the process. As noted above, the details and status of change requests are not recorded and documented.

Recommendation: The organization should document and implement a change and release management policy and procedure.

Management Response: The same will be addressed and once the policy is framed it will become a part of it.

Target Date: Once approved, it will be implemented by November onwards.
Observation: A computer network diagram is a schematic depicting the nodes and connections amongst nodes in a computer network or, more generally, any telecommunications network. But an updated network diagram is not there.

Implications: Problems and issues in the network will be difficult to identify.

Recommendation: The organization should prepare and maintain the network diagram.

Management Response: The same has already been implemented for WAN. For LAN, it will be done shortly.

Target Date: Will be implemented by October end.
Observation: On the sample desktops selected from various departments, it was observed that the security was weak, e.g. the Windows firewall was found disabled, the antivirus solution was not updated, etc.

Implications: The systems may become vulnerable to information security threats, virus attack, download of unauthorized software harmful to the system etc.

Recommendation: It is suggested that a basic health check should be carried out on the computers on a periodic basis. Preventive and corrective actions should be planned in the form of internal review.

Management Response: A proper policy of periodic review of the various machines will be done and basic user education will be in practice, and a calendar will be prepared for the same to ensure it will be done once in three months.

Target Date: Will be implemented by October onwards.

• Root Cause: People
• Risk Category: Medium
Observation: The organization has not documented the business continuity strategy and plan.

Implications: Every organization should have a business continuity plan that seeks to ensure that its information systems are available and running at all times to support and enable the business to function and grow. In spite of all precautions and preventive controls, disasters can occur. Some disasters cannot be controlled and/or prevented. In such cases, the business continuity plan should also enable recovery of information systems within an acceptable time frame to avoid any serious damage to the business. In the absence of a BCP, the vendor may not be able to meet contractual obligations and may suffer losses in the business.

Recommendation: It is recommended that the organization documents and implements the BCP.

Management Response: The same will be addressed and we will explore this.
Observation: A formal IT risk assessment is a determination of the value and potential risks that can occur in the salon environment. It is also a legal document, concluded by a professional, and is aimed to help the employer and employees decrease and reduce the high probability of their risks, but it is not followed by [...]

Recommendation: It is recommended that the formal IT risk assessment be carried out by involving IT as well as functional [...]

Management Response: We will do after having the Business Continuity Plan.
Observation: A physical log book for the Data center was not found at the time of audit.

Implications: In the absence of a log book, the visits by personnel to the sensitive areas will not be tracked.

Recommendation: A physical log book should be maintained inside the data center and the sensitive areas to track the visitors to these areas. This logbook should be reviewed periodically.

Management Response: The physical log-book has now been implemented with immediate effect.

• Root Cause: People
• Risk Category: Medium
2.25 Results of Audit Tool Win Audit run on Critical Servers

On the Navision server, the result of the Win Audit tool revealed the following observations:

Observation:
• During our testing, we found that the default user "Administrator" exists.
• During our testing, we found that the password age is 155 days.
• In the testing result, the backup operations failed to complete on account of insufficient disk space.
• In the testing result, the USB drive is not disabled, and this leads to a weak security parameter setting.
• During our testing, automatic updates were found enabled.
• In the testing result, a freeware antivirus solution was installed and the last update was on 27/12/08.
• In the testing results, we found that the time was set as per US time.

Similar observations were found on other critical servers as well.

Recommendation: It is suggested that the organization should have proper hardening guidelines. The implementation of these guidelines on the servers should be reviewed periodically. The hardening document itself should be reviewed periodically.

Management Response: As per the company plan, all critical servers will be moved to a new server and a periodic review of various security measures will be taken care of as a part of the Security policy.
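An added PowerShell example (not the Win Audit tool or the report's code) that turns the items above, together with the earlier findings on password complexity, the default Administrator account and USB storage, into a repeatable baseline check for the periodic hardening review the recommendation asks for. It assumes Windows Server 2016 or later, run on the domain controller with the ActiveDirectory module available; the threshold values and the expected time zone are assumptions, not values from the report.

```powershell
# Added example: re-checks the Win Audit findings against a baseline so the hardening review
# can be repeated on a schedule. Assumes Server 2016+ (Get-LocalUser, Get-TimeZone, Get-Volume)
# and the ActiveDirectory module; thresholds below are assumptions.
$MaxPasswordAgeDays = 90                     # assumed baseline; the audit found 155 days
$ExpectedTimeZone   = 'India Standard Time'  # assumed site time zone; the audit found US time

function Test-ServerBaseline {
    $f = @()

    # 1. Built-in Administrator (RID 500) enabled under its default name (finding 2.8 / Win Audit)
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    if ($admin.Enabled -and $admin.Name -eq 'Administrator') {
        $f += 'built-in Administrator is enabled under its default name'
    }

    # 2. Domain password policy: complexity and maximum age (findings: complexity off, age 155 days)
    $pol = Get-ADDefaultDomainPasswordPolicy
    if (-not $pol.ComplexityEnabled) { $f += 'password complexity is not enabled on the domain' }
    $age = $pol.MaxPasswordAge.TotalDays
    if ($age -eq 0 -or $age -gt $MaxPasswordAgeDays) {
        $f += "maximum password age is $age days (baseline $MaxPasswordAgeDays)"
    }

    # 3. USB mass storage driver: Start=3 loads it on demand, Start=4 disables it
    $usb = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -ErrorAction SilentlyContinue
    if ($usb -and $usb.Start -ne 4) { $f += 'USB mass storage (USBSTOR) is not disabled' }

    # 4. Automatic Updates: AUOptions 4 = download and install automatically (unplanned reboots on a server)
    $auPaths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $au = foreach ($p in $auPaths) { (Get-ItemProperty $p -Name AUOptions -ErrorAction SilentlyContinue).AUOptions }
    if ($au -contains 4) { $f += 'automatic updates are set to install without administrator control' }

    # 5. Free space on fixed volumes (finding: backup failed on insufficient disk space)
    Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.Size -gt 0 -and ($_.SizeRemaining / $_.Size) -lt 0.10 } |
        ForEach-Object { $f += "volume $($_.DriveLetter): has less than 10% free space" }

    # 6. Clock: a wrong time zone skews every log timestamp the log review depends on
    $tz = (Get-TimeZone).Id
    if ($tz -ne $ExpectedTimeZone) { $f += "time zone is '$tz', expected '$ExpectedTimeZone'" }

    # Antivirus signature age is vendor-specific and is not checked here.
    return $f
}

$result = Test-ServerBaseline
if ($result) { $result | ForEach-Object { "FAIL  $_" } } else { 'PASS  server matches baseline' }
```

Each FAIL line maps back to one of the audit items, so the output of a scheduled run doubles as the record that the hardening review took place.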