DRAFT REPORT
This is a draft for discussion only. It represents work in progress and may contain preliminary information that is subject to change. This draft is subject to our Quality Assurance Review.
TABLE OF CONTENTS
1. EXECUTIVE SUMMARY
2. APPROACH
3. LIMITATION
4. SUMMARY OF FINDINGS
5. DISCLAIMER
6. FINDINGS & RECOMMENDATION
   6.1. GENERAL CONTROL FOR DATA CENTER FACILITIES
7. ANNEXURE 1 VULNERABILITY ASSESSMENT
   1. HP Data Protector Remote Command Execution (V01)
System Audit United Stock Exchange Ltd.

1. EXECUTIVE SUMMARY

1.1. BACKGROUND
United Stock Exchange Ltd (USE) engaged Deloitte Touche Tohmatsu India Private Limited (DTTIPL or Deloitte) to carry out an assessment of system and process controls at USE in terms of the scope of work mentioned below. The work has been performed in accordance with and subject to the terms and conditions set forth in the engagement letter dated XXXX.
1.2. SCOPE
The scope of work covers policies and procedures, physical security, and vulnerability assessment and penetration testing (VAPT), as required of USE by SEBI circulars CIR/MRD/DMS/13/2011 of November 29, 2011 and CIR/MRD/DMS/12/2012 of April 13, 2012, read with circular CIR/MRD/DMS/17/2012 dated June 22, 2012. The domain areas under the scope of work are as follows:
1. General Controls
2. Software change control
3. Data Communication / Network Controls
4. Security Controls, General Office Infrastructure
5. Access policy and controls
6. Electronic Document controls
7. General access controls
8. Performance audit
9. Business Continuity / Disaster Recovery
10. Facilities IT support and IT Asset Management
11. Entity Specific software
12. Electronic waste disposal
13. Review of last year's System Audit Report and action taken
The applications in scope are:
Name   Description
CDX    Trading platform and matching engine
FOW    Front end application for trading
MOPS   Terminal for administrative activities

For application specific controls, the following sampled applications were tested: CDX, MOPS and FOW.
Management representation for no changes or incidents with FOW has not been shared with Deloitte.
1.3. ISSUE LOG
As per the audit report guidelines issued by the regulator, an executive summary has been formulated for each of the domains. Each entry in the issue log carries the following fields, with the party responsible for completing each field shown in brackets:
- Line Item [Auditor]
- Description of the Observation [Auditor]
- Reference: reference to the section in the detailed report where full background information on the finding is available [Auditor]
- Process / Unit [Auditor]
- Category of Findings [Auditor]
- Audited By: Auditor [Auditor]
- Root Cause Analysis [Auditee]
- Remediation [Auditee]
- Target completion Date for Remedial Action: the date by which remedial action must be / will be completed [Auditor / Auditee]
- Status [Auditor / Auditee]
- Verified By [Auditor]
- Closing date [Auditor]
2. APPROACH

2.1. APPROACH
A high level explanation of our assessment approach and the phases used to meet USE's requirements is detailed below.

Phase I: Project kick-off and Audit Plan
The objectives of this phase were to establish a project plan with the following:
- Finalized engagement scope and objectives
- Defined rules of engagement
- Identified and allocated resources for the project
- Arrangement of the necessary technical logistics
- Project kick-off meeting
- Identification of key stakeholders for the areas scoped in
- Scheduling of assessment interview sessions with key personnel
- Identification of the information and documentation on key business drivers, operating environments, security policies, standards, etc. that needed to be collected

Phase II: Information Gathering, Current State Assessment
The Deloitte team studied the existing IT infrastructure and conducted a current state assessment of it. During this phase Deloitte gained an understanding of the IT processes in scope through study of existing process documentation, including policies and procedures, and by conducting interviews for the scoped-in areas.

Phase III: Gap Analysis and Draft Report Generation
The primary objective of the gap analysis of the as-is current state was to identify key inherent risks in the existing processes and infrastructure and to identify control mechanisms to mitigate these risks. Deloitte also performed user profiling, evaluated the critical duties performed by personnel, and evaluated whether any incompatible duties existed that needed to be segregated.
2.2. CLASSIFICATION OF OBSERVATIONS
The observations noted during our IS audit have been classified by category and by priority. The category of a gap noted during the gap assessment is based on the following qualitative criteria:

Major Nonconformity: A deficiency in the auditee's practices resulting in noncompliance with a mandatory requirement specified for the auditee at the time of audit. In this category the deficiency would indicate additional reputational risk, business interruption or financial loss to stakeholders.
Minor Nonconformity: A deficiency in the auditee's practices resulting in noncompliance with a mandatory requirement specified for the auditee at the time of audit.
Observation: A deficiency in the auditee's practices resulting in noncompliance with the auditee's approved policies and procedures / standards.
Suggestion: An opportunity to improve the auditee's practices based on the practices adopted by similar organizations or industry best practices.

The priority used to assess the level of risk of a gap noted during the gap assessment is based on the following qualitative criteria:

Priority   Definition
High       The gaps noted may lead to a relatively significant financial, legal / regulatory or business operation impact and require the immediate attention of USE to remediate the issue.
Medium     The gaps noted may lead to a relatively moderate business operation impact and should be remediated by USE within a short period of time.
Low        The gaps noted may lead to a relatively minimal business operation impact and should be remediated by USE within one year of the report.
Throughout the report, prioritization of gaps has been done based on our subjective analysis of the parameters for such classification, in discussion with the management of USE.

3. LIMITATION
The work was performed based on samples of selected data and controls. Given the nature of the assignment, the findings should not be considered an exhaustive list of all security and control related issues that may be present in the infrastructure and systems of USE and associated systems. The engagement did not cover: a comprehensive functionality review; code review; penetration tests on any component of USE's application or network environment; revision of policies and procedures for various business processes; and running any tools on USE systems to collect data for performance metrics.
While DTTIPL has provided advice and recommendations based on the results and observations, all decisions in connection with the implementation of such advice and recommendations shall be the responsibility of, and made by, USE. The work is significantly based on the approved policy and procedure documents in use by USE as provided to us. DTTIPL's advice is solely based on the level of security observed during the review period.
4. SUMMARY OF FINDINGS
[Table: Sr. | Reference | Assessment Domain | Total Number of Observations (High / Medium / Low / Total) | Complied | Under Progress | Suggestions / No Actions Required. The per-domain counts did not survive extraction; the domain rows are listed below. "No findings" is recorded against one domain among 1-6 and two domains among 7-13; the surviving page totals read 10, 11 and 12, and the overall total row reads 22 and 37.]
1. General control for data center facilities
2. Software change control
3. Data Communication / network control
4. Security Control, general office infrastructure
5. Access Policy & Controls
6. Electronic Document Controls
7. General Access Control
8. Performance
9. Business Continuity / Disaster Recovery
10. Facilities IT support and IT asset Management
11. Entity Specific Software
12. Electronic Waste Disposal
13. Vulnerability Assessment / Database review
5. DISCLAIMER
The work was performed based on samples of selected data and controls. Given the nature of the assignment, the findings should not be considered an exhaustive list of all security and control related issues that may be present in the infrastructure and systems of USE and associated systems. While DTTIPL has provided advice and recommendations based on the results and observations, all decisions in connection with the implementation of such advice and recommendations shall be the responsibility of, and made by, USE. The work is significantly based on the approved policy and procedure documents in use by USE as provided to us. DTTIPL's advice is solely based on the level of security observed during the review period.
6. FINDINGS & RECOMMENDATION

6.1. GENERAL CONTROL FOR DATA CENTER FACILITIES

Finding 1
Finding: The generic administrator ID sysadmin.h is shared among 6 administrators: Sanjyot Kharul, Vasant Sakpal, Sagar Desai, Mahendra Parab, Manish Vengurlekar and Ravi Kumar Chennuri, all employees of Market Place Technologies. Moreover, it was noted that this ID is not required for beginning of day (BOD) and end of day (EOD) activities. Accountability cannot be established since the ID is shared among the administrators.
Nature of Deficiency: Operating Deficiency
Risk: Accountability for data modification cannot be established if common or group IDs are used.
Priority: High
Recommendation: Unique IDs must be created for each of the 6 administrators, so that accountability can be established for the administrative activities conducted by each administrator.
Responsibility: Windows Operations Team (FOW application)
Management Response: -

Finding 2
Finding: The MSSQL administrators have super admin privileges, i.e. 'bsesa', in the development and production environments. For daily activities they have BSERTRMS\rtrmsdbsaadmin (service owner used for restart), [...]
Nature of Deficiency: Operating Deficiency
Risk: Accountability for data modification cannot be established if group IDs are used.
Priority: High
Recommendation: Super admin privileged IDs should be maintained in the custody of authorized BSE personnel. These IDs should be shared only for deployment of a [...]

Finding 3
Finding: The DR data center located on the ground floor of PJ Towers has a single entry and exit point. Currently there is no provision of a fire exit from the data center. Access-enabled access cards are currently not stored [...]
Nature of Deficiency: Design (fire exit); Operational Deficiency (access cards)
Risk: Lack of a separate fire exit may result in operational risk in the event of a disaster.
Priority: High (fire exit); Medium (access cards)
Recommendation: Provision should be made for a fire exit. Alternatively, a management-approved exception must be taken for the single entry and exit point. Access-enabled access cards must be [...]

Finding 4
Finding: A formal process is not defined and implemented for review of access to the DR data center by users as well as vendors. This was also reported in the E&Y SEBI IS Audit Report dated April 2012.
Nature of Deficiency: Design
Risk: Absence of a review process for the physical access logs may result in unauthorized access not being detected.
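The accountability gap in findings 1 and 2 above can be checked from logon evidence rather than only from interviews. The following script is an added example, not part of the audit report and not USE's or BSE's tooling: it takes logon records of the kind exported from the Windows Security log (event 4624: account, source workstation, logon type) and flags any account used interactively from several different workstations, which is the signature of a generic ID passed around a team. The record layout, the workstation names and the sample logons are constructed; only the account name sysadmin.h comes from the finding.

```python
"""Flag generic / shared administrator IDs from Windows logon records.

Added example (not from the audit report, not from USE's systems). Assumes
logon records with account name, source workstation and logon type, as
exported from Security event 4624; the SAMPLE data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Logon:
    when: datetime
    account: str
    workstation: str   # host the logon originated from
    logon_type: int    # 2 interactive, 3 network, 10 remote interactive


# Constructed sample: one generic ID used from six desks, plus named IDs
# and a service account that only ever performs network logons.
SAMPLE = [
    Logon(datetime(2013, 2, 11, 8, 55), "sysadmin.h", "WS-ADM01", 10),
    Logon(datetime(2013, 2, 11, 9, 2), "sysadmin.h", "WS-ADM02", 10),
    Logon(datetime(2013, 2, 11, 9, 10), "sysadmin.h", "WS-ADM03", 2),
    Logon(datetime(2013, 2, 11, 12, 40), "sysadmin.h", "WS-ADM04", 10),
    Logon(datetime(2013, 2, 11, 15, 5), "sysadmin.h", "WS-ADM05", 10),
    Logon(datetime(2013, 2, 11, 17, 30), "sysadmin.h", "WS-ADM06", 10),
    Logon(datetime(2013, 2, 11, 9, 15), "s.desai", "WS-ADM03", 2),
    Logon(datetime(2013, 2, 11, 9, 20), "m.parab", "WS-ADM04", 2),
    Logon(datetime(2013, 2, 11, 9, 21), "svc_backup", "DPSRV01", 3),
]

INTERACTIVE = {2, 10}   # console and RDP logons: a person at a keyboard


def interactive_sources(events):
    """Map each account to the set of workstations it logged on from interactively.

    Network logons (type 3) are skipped: service accounts legitimately
    authenticate from many hosts without anyone sharing a password."""
    sources = defaultdict(set)
    for e in events:
        if e.logon_type in INTERACTIVE:
            sources[e.account].add(e.workstation)
    return sources


def find_shared_accounts(events, min_workstations=2):
    """Return {account: sorted workstations} for accounts used interactively
    from at least min_workstations distinct machines.

    One person normally works from one or two machines; an account seen at
    many desks has no single accountable owner, which is why the report
    rates the shared sysadmin.h ID as High."""
    return {
        acct: sorted(ws)
        for acct, ws in interactive_sources(events).items()
        if len(ws) >= min_workstations
    }


def accountability_report(events):
    """One line per shared account, suitable for the issue log evidence column."""
    shared = find_shared_accounts(events)
    if not shared:
        return "no shared interactive accounts found"
    return "\n".join(f"{a}: {len(w)} workstations ({', '.join(w)})"
                     for a, w in shared.items())


if __name__ == "__main__":
    print(accountability_report(SAMPLE))
```

Run against a real export, the same logic also shows whether the ID was used at all during BOD / EOD windows, which the finding says it is not required for; any interactive use of a generic ID outside a documented exception is then an accountability gap with a timestamp attached.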
6.2. SOFTWARE CHANGE CONTROL

Finding 1
Finding: [...]
Nature of Deficiency: Design
Risk: Lack of documented policies and procedures may result in inconsistencies.
Priority: High
Recommendation: -
Responsibility: -
Management Response: -

Finding 2
Finding: Change request management is not standardized across the applications; some change requests are tracked on [...]
Risk: Lack of a standardized and documented process may result in inconsistencies in the process.
Priority: Medium
Recommendation: A standardized process should be implemented and followed for managing all change requests. A [...]

Finding 3
Finding: Discrepancies were noted in the change request forms for the CDX and MOPS applications. A clear guideline for defining the criticality of a CR is not documented. For the sample CR No. CR-CDX-1213-21, no physical copy of the acceptance document was present (acceptance was communicated verbally), and the change record had not been reviewed to validate the completeness of the CR details for migration into production [...]
Risk: Lack of a standardized and documented process may result in inconsistencies in the process.
Priority: Medium
Recommendation: A standardized process should be implemented and followed for managing all change requests. An approval matrix must be defined, documented and approved, specifying the roles for approving changes made to the CDX and MOPS applications.
6.3. DATA COMMUNICATION / NETWORK CONTROLS

Finding 1
Finding: [...]
Nature of Deficiency: Operating Deficiency
Risk: Inconsistencies in the user access management process (i.e. registration and deregistration) may result in unauthorized access being granted to users. This may result in unauthorized data modification / deletion through privileged access.
Priority: High
Recommendation: Every user registration and deregistration on devices should follow the formal user access management process.
Responsibility: Network Administration Team
Management Response: -
6.4. SECURITY CONTROLS, GENERAL OFFICE INFRASTRUCTURE

Finding 1
Finding: On the ePO console, it was observed that 11 systems had 7000.00 as the virus definition (DAT) file, 12 systems 7005.00, 17 systems 7003.00 and 46 systems 7006.00, while the current definition file was 7007.00. A tracking mechanism is not in place to ensure and record the corrective action taken for the identified systems with outdated DAT files. Also, root cause analysis is currently not recorded for the workarounds / corrective actions implemented on systems with recurring issues.
Nature of Deficiency: Operating Deficiency
Risk: New threats may go undetected by antivirus with old definitions.
Priority: Medium
Recommendation: Antivirus should be updated with the latest virus definitions to detect and quarantine new viruses and threats. A process for tracking and updating outdated desktops should be defined and implemented by the IT Helpdesk team to ensure all systems run current DAT definitions. Also, for issues relating to antivirus management, an RCA must be conducted, recorded and documented by the antivirus helpdesk team and maintained in a central repository for future reference.
Responsibility: IT Helpdesk Team
Management Response: -

Finding 2
Finding: A patch management procedure document has not been defined for the Sybase database. Patch management for the Sybase database is currently not being conducted. Through corroborative [...]
Risk: Lack of a documented process and control mechanism for tracking, testing and deployment of patches may result in [...]
Priority: Medium
Recommendation: Standard Operating Procedures for Sybase patch management should be defined. A management risk acceptance must be approved and documented for [...]

Finding 3
Finding: [...]
Priority: Medium
Recommendation: A formal process for reviewing failed archival logs must be defined, documented, [...]

Finding 4
Finding: Windows OS is patched on a periodic basis through WSUS. However, there is no formally defined process through which UAT sign-off is taken prior to deployment in the production environment on servers. Currently there is no control to track the patches deployed on the servers. No documentation is [...]
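The tracking mechanism recommended in finding 1 above, as an added example that is not from the report and not a feature of the ePO product: it takes an exported inventory of (host, DAT version) pairs, works out how many releases each host lags behind the current 7007.00, and opens one corrective-action record per outdated host so remediation can be tracked to closure rather than re-discovered at the next audit. The hostnames and the tolerated lag of one release are assumptions; the counts per DAT version are the ones the finding reports.

```python
"""Track antivirus DAT (definition) versions against the current release.

Added example, not from the audit report or from McAfee ePO. Assumes an
export of the ePO system inventory as (hostname, DAT version) pairs. The
counts below reproduce the spread in finding 6.4/1 with constructed hostnames.
"""
from collections import Counter

CURRENT_DAT = "7007.00"
MAX_LAG = 1          # releases behind current still tolerated (assumption)


def dat_number(version):
    """'7006.00' -> 7006. ePO shows DAT versions as <release>.<minor>."""
    release, _, _ = version.partition(".")
    return int(release)


def build_inventory(spread):
    """Constructed inventory: {dat_version: host_count} -> [(host, dat)]."""
    inventory, n = [], 0
    for dat, count in spread.items():
        for _ in range(count):
            n += 1
            inventory.append((f"USE-PC-{n:03d}", dat))   # hostnames assumed
    return inventory


# Spread reported on the ePO console in the finding.
SAMPLE_INVENTORY = build_inventory(
    {"7000.00": 11, "7005.00": 12, "7003.00": 17, "7006.00": 46})


def outdated(inventory, current=CURRENT_DAT, max_lag=MAX_LAG):
    """Hosts more than max_lag releases behind current, as (host, dat, lag)."""
    cur = dat_number(current)
    return [(host, dat, cur - dat_number(dat))
            for host, dat in inventory
            if cur - dat_number(dat) > max_lag]


def lag_histogram(inventory, current=CURRENT_DAT):
    """{lag_in_releases: host_count}; the figure a daily tracking log keeps."""
    cur = dat_number(current)
    return dict(Counter(cur - dat_number(dat) for _, dat in inventory))


def tracking_records(inventory, ticket_prefix="AV"):
    """One open corrective-action record per outdated host.

    Each record carries the lag so that a recurring host (present again on
    a later day's export) can be spotted and sent for the RCA the finding
    asks for, instead of being silently re-pushed."""
    return [{"ticket": f"{ticket_prefix}-{i:04d}", "host": host,
             "dat": dat, "lag": lag, "status": "open"}
            for i, (host, dat, lag) in enumerate(outdated(inventory), start=1)]


if __name__ == "__main__":
    print("hosts by lag:", lag_histogram(SAMPLE_INVENTORY))
    for rec in tracking_records(SAMPLE_INVENTORY)[:3]:
        print(rec)
```

Running this on two consecutive days' exports and diffing the host lists in the open records separates hosts that simply missed one update cycle from hosts that never catch up, which is the population the recommended RCA should focus on.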
6.5. ACCESS POLICY AND CONTROLS

Finding 1
Finding: [...]
Nature of Deficiency: Design
Risk: Lack of documented policies and procedures may result in [...]
Priority: High
Recommendation: Define and implement IT policies and procedures for USE.
Responsibility: USE
Management Response: -
6.6. ELECTRONIC DOCUMENT CONTROLS

Finding 1
Finding: [...]
Risk: Absence of a review and update process for the policy and procedure documents may result in operational risk.
Priority: Low
Recommendation: All documents, including forms and checklists, should be under version control. Policies and procedures must be reviewed annually, and the version control information for all documents should be updated periodically.

Finding 2
Finding: A standard operating procedure is maintained for all administrative activities for email management, namely 'Email system administrators manual v1.3'. However, the approval details, i.e. date and signature of the approvers, are not captured in the SOP.
Nature of Deficiency: Operating Deficiency
Priority: Low
Recommendation: Approval details such as name, date and signature of the approvers must be documented in the standard operating procedure.
6.7. PERFORMANCE AUDIT

Finding 1
Finding: Currently USE adheres to the BSE IT policies and procedures for performance monitoring; however, there are no documented policies and procedures specifically for USE. The BSE IT Procedure ver. 1.4 and BSE IS Policy ver. 1.3 do not cover requirements for performance audit review; hence we are unable to ascertain whether the performance reviews conducted are in line with the management mandate.
Nature of Deficiency: Design
Risk: Absence of a formal performance management procedure and policy results in practices that are followed on an informal basis and may not be consistently followed throughout the organization as intended by management.
Priority: Medium
Recommendation: Define the performance management process and maintain a formally updated and approved document.
Responsibility: -
Management Response: -
6.8. BUSINESS CONTINUITY / DISASTER RECOVERY

Finding 1
Finding: [...]
Risk: Incomplete documentation of details in the BCP manual may hamper business operations for a longer period of time. This may result in operational risk which may lead to data and reputational loss.
Priority: High
Recommendation: Alternate team members for the business resumption team should be updated in the document. The RTO and RPO for the organization should be defined. Also, for each of the scoped-in applications, the RTO and RPO should be defined and should meet the organization's recovery time and point objectives.

Finding 2
Finding: For certain floors, the emergency exits are currently secured using a lock and key. Through corroborative inquiry with the Physical Security Head it was determined that in the event of a disaster the locks would be broken. However, there are two entry and exit points.

Finding 3
Finding: The DR facility for BSE is located at DAKC, i.e. New Mumbai, and is susceptible to common threats.
Nature of Deficiency: Design
Risk: There is a possibility of the secondary site being exposed to the same threats if both sites are in the same seismic zone.
Priority: High
Recommendation: Management should plan the DR setup in a different seismic zone to avoid correlated threats.
6.9. FACILITIES IT SUPPORT AND IT ASSET MANAGEMENT

Finding 1
Finding: Certain IT assets are managed by USE through a manual process. The nomenclature used for labeling assets is of the form USEIL/11-09/PC/1; however, the nomenclature has not been defined in the asset management policy and procedures. Insurance for USE's IT assets has been taken from Reliance. A risk confirmation letter dated 11-02-2013 was shared; however, the final policy has not been shared with the Deloitte team. Moreover, the location details of each of the offices covered by the insurance are not mentioned explicitly in this letter.
Nature of Deficiency: -
Risk: -
Priority: -
Recommendation: -
Responsibility: -
Management Response: -

Finding 2
Finding: For the antivirus server, CPU and memory are currently monitored through Tivoli during trading hours for spikes or sudden increases in system parameters. Thresholds are defined at 90% on the Tivoli system. However, there is no documented procedure [...]
Risk: Lack of a documented capacity monitoring process and periodic trend analysis may result in increasing system capacity utilization going undetected, resulting in [...]
Priority: Medium
Recommendation: Document the capacity management process for effective management of the system resources of the antivirus server. A proactive capacity management trend analysis process should be developed and implemented by generating reports through Tivoli and reviewing them periodically.

Finding 3
Finding: [...]
Risk: Lack of a documented capacity monitoring process and periodic trend analysis may result in increasing system capacity utilization going undetected, resulting in performance issues for production systems.
Priority: Medium
Recommendation: Capacity monitoring must be tracked and recorded during market hours. This will help identify underlying issues through trend analysis and proactive capacity monitoring.

Finding 4 (MSSQL Database)
Nature of Deficiency: Operating Deficiency
Risk: Lack of periodic trend analysis may result in increasing system capacity utilization [...]
Priority: Medium
Recommendation: Proactive capacity monitoring of system parameters will help in identifying underlying issues.

Finding 5
Finding: [...]
Recommendation: A consistent process must be adopted for management of the details of disposed assets.
Responsibility: IT Helpdesk

Finding 6
Finding: [...]
Risk: Lack of documentation may result in inconsistencies in the process. Lack of an alert mechanism for tracking renewal of licenses may result in use of unlicensed software, resulting in operational risk.
Priority: Medium
Recommendation: Standard operating procedures should be defined for software license management through Tivoli. The correct issue and expiry dates in the license details should be updated in the Tivoli application. Also, renewal of the [...]
Responsibility: IT Helpdesk
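The proactive trend analysis recommended in findings 2 to 4 above, as an added example that is neither from the report nor a Tivoli feature: a least-squares trend fitted over daily market-hour peak utilisation and projected forward to estimate how many trading days remain before the 90% threshold configured in Tivoli would be crossed. A threshold alert only fires once the line is reached; the projection is what lets capacity be added before that. The utilisation samples are constructed; the 90% figure is the one the finding reports.

```python
"""Project when a monitored resource will cross its alert threshold.

Added example, not from the audit report and not Tivoli's own reporting.
Assumes per-trading-day peak utilisation (percent) exported from the
monitoring tool for market hours; SAMPLE_PEAKS below is constructed.
"""

THRESHOLD = 90.0   # percent, the Tivoli threshold named in finding 6.9/2

# Constructed: (trading day index, peak CPU % during market hours)
SAMPLE_PEAKS = [(0, 62.0), (1, 63.5), (2, 65.0), (3, 66.0), (4, 68.0),
                (5, 69.5), (6, 70.0), (7, 72.5), (8, 73.0), (9, 75.0)]


def linear_fit(points):
    """Least-squares slope and intercept for a list of (x, y) points."""
    n = len(points)
    sx = sum(x for x, _ in points)
    sy = sum(y for _, y in points)
    sxx = sum(x * x for x, _ in points)
    sxy = sum(x * y for x, y in points)
    slope = (n * sxy - sx * sy) / (n * sxx - sx * sx)
    intercept = (sy - slope * sx) / n
    return slope, intercept


def days_to_threshold(points, threshold=THRESHOLD):
    """Trading days from the last sample until the trend reaches threshold.

    Returns None when utilisation is flat or falling (no crossing ahead)
    and 0.0 when the trend line is already past the threshold."""
    slope, intercept = linear_fit(points)
    if slope <= 0:
        return None
    last_x = points[-1][0]
    crossing = (threshold - intercept) / slope
    return max(0.0, crossing - last_x)


def breaches(points, threshold=THRESHOLD):
    """Samples already at or above threshold: what a reactive alert shows."""
    return [(x, y) for x, y in points if y >= threshold]


def capacity_summary(points, threshold=THRESHOLD):
    """Dict a periodic capacity review would record for one resource."""
    slope, _ = linear_fit(points)
    return {
        "samples": len(points),
        "last_peak": points[-1][1],
        "growth_per_day": round(slope, 3),
        "breaches_so_far": len(breaches(points, threshold)),
        "days_to_threshold": days_to_threshold(points, threshold),
    }


if __name__ == "__main__":
    print(capacity_summary(SAMPLE_PEAKS))
```

With the constructed series no sample has yet reached 90%, so threshold-only monitoring reports nothing, while the trend gives roughly ten and a half trading days of headroom; reviewing that number weekly is the "periodic trend analysis" the recommendation asks for, and a None result for a flat resource is the signal that no action is needed.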
7. ANNEXURE 1 VULNERABILITY ASSESSMENT

1. HP Data Protector Remote Command Execution (V01)
Vulnerable Systems: [...]
Details of Vulnerability: [...]
Observation: [...]
Risk: [...]
Priority: [...]
Recommendation: [...]
Responsibility: [...]
Management response: [...]