In response to the increasing threat, IT audit units of banks have set an expectation for internal audit to perform an independent and objective assessment of the organization’s capability to manage the associated risks. A first step in meeting this expectation is for internal audit to conduct an IT risk assessment and distill the findings into a concise report for the audit committee, which can provide the basis for a risk-based, multilayer internal audit plan to help manage IT risks.
In this article we discuss the basic IT security issues, including the common threats that financial organizations such as banks face in their day-to-day activities.
An audit can be anything from a full-scale analysis of business practices to a sysadmin monitoring log files. The scope of an audit depends on the goals. The basic approach to performing a security assessment is to gather information about the targeted organization, research security recommendations and alerts for the platform, test to confirm exposures and write a risk analysis report.
BB Guideline on ICT Security
Bangladesh Bank issued the ‘Guideline on ICT Security’ (Version 3.0) for banks and non-bank financial institutions in May 2015. This Guideline covers all information that is electronically generated, received, stored, replicated, printed, scanned or manually prepared. The provisions of this Guideline are applicable to:
a) Banks and NBFIs for all of their information systems.
b) All activities and operations required to ensure data security including facility design, physical security, application security, network security, ICT risk management, project management, infrastructure security management, service delivery management, disaster recovery and business continuity management, alternative delivery channels management, acquisition and development of information systems, usage of hardware and software, disposal policy and protection of copyrights and other intellectual property rights.
Information Technology Security, also known as IT Security, is the process of implementing measures and systems designed to protect and safeguard information (business and personal data, voice conversations, still images, motion pictures, multimedia presentations, including forms not yet conceived), using the various technologies developed to create, store, use and exchange such information, against any unauthorized access, misuse, malfunction, modification, destruction or improper disclosure, thereby preserving its value, confidentiality, integrity, availability and intended use, and its ability to perform its permitted critical functions.
Cyber threats are growing to be more sophisticated and hackers are developing more ways to access electronic data all the time. Recent studies have shown that the average cost of a data breach is upwards of $3.79 million, an increase of 23% since 2013.
IT Security threats
Some IT security threats include the following:
Internet usage
The growth of Internet usage over the last few years has brought incredible benefits to daily life, but it also poses potential threats to security. When so many devices are connected to each other and give off a constant stream of data, a whole new set of cyber threats emerges.
Since the Internet became available to the wider public, insufficient attention has been paid to ensuring that sensitive data is encrypted and that access is fully restricted. That only means that preventative measures need to be taken to ensure that the data remains untouched.
Ransomware Trojans are a type of cyberware that is designed to extort money from a victim. Often, Ransomware will demand a payment in order to undo changes that the Trojan virus has made to the victim’s computer. These changes can include:
- Encrypting data that is stored on the victim’s disk – so the victim can no longer access the information
- Blocking normal access to the victim’s system
The most common ways in which Ransomware Trojans are installed are via phishing emails or as a result of visiting a website that hosts a malicious program. While ransomware is less common in the world of IT, its impact is growing.
This sort of attack encrypts data and renders it unusable until the victim pays a ransom. The best way to avoid a ransomware attack is to have real-time security protection and to hire an IT security specialist to perform regular backup routines. The best option is to act before cyber security is at risk and protect the most important data before it becomes an issue.
Spear phishing is an email or electronic communications scam targeted towards a specific individual, organization or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user’s computer.
As with emails used in regular phishing expeditions, spear-phishing messages appear to come from a trusted source. Phishing messages usually appear to come from a large and well-known company or website with a broad membership base, such as Google or PayPal. In the case of spear phishing, however, the apparent source of the email is likely to be an individual within the recipient’s own company—generally someone in a position of authority—or from someone the target knows personally.
The targeting of higher-ups in business is on the rise and cyber criminals are accessing incredibly sensitive data through spear phishing at an unprecedented rate. In an enterprise, security-awareness training for employees and executives alike will help reduce the likelihood of a user falling for spear-phishing emails.
This training typically educates enterprise users on how to spot phishing emails based on suspicious email domains or links enclosed in the message, as well as the wording of the messages and the information that may be requested in the email.
Cloud computing
Cloud computing is a type of Internet-based computing that provides shared computer processing resources and data to computers and other devices on demand. It is a model for enabling global, on-demand access to a shared pool of configurable computing resources (e.g. computer networks, servers, storage, applications and services), which can be rapidly provisioned and released with minimal management effort.
Cloud computing and storage solutions provide users and enterprises with various capabilities to store and process their data in either privately owned or third-party data centers that may be located far from the user–ranging in distance from across a city to across the world.
Cloud software has become a blessing to businesses everywhere by providing an easy, fast way to exchange data without having to be physically present. Unfortunately, like any third-party vendor, using an outside platform means that data might be at risk for a breach. Keeping an eye on what sort of services that are being used in the cloud and being fully aware of the security standards that cloud services provide can go a long way in keeping data safe.
Here are a few more reasons why IT security is more important than ever:
Vulnerabilities and attacks
A vulnerability is a system susceptibility or flaw. Vulnerabilities are documented in the Common Vulnerabilities and Exposures (CVE) database. An exploitable vulnerability is one for which at least one working attack or “exploit” exists.
To secure a computer system, it is important to understand the attacks that can be made against it; these threats can typically be classified into one of the categories below:
A backdoor in a computer system, a cryptosystem or an algorithm is any secret method of bypassing normal authentication or security controls. Backdoors may exist for a number of reasons, including original design or poor configuration. They may have been added by an authorized party to allow some legitimate access or by an attacker for malicious reasons; but regardless of the motives for their existence, they create a vulnerability.
Denial of service attacks (DoS) are designed to make a machine or network resource unavailable to its intended users. Attackers can deny service to individual victims, such as by deliberately entering a wrong password enough consecutive times to cause the victim account to be locked or they may overload the capabilities of a machine or network and block all users at once.
While a network attack from a single IP address can be blocked by adding a new firewall rule, many forms of Distributed Denial of Service (DDoS) attacks are possible, where the attack comes from a large number of points and defending is much more difficult. Such attacks can originate from the zombie computers of a botnet, but a range of other techniques are possible including reflection and amplification attacks, where innocent systems are fooled into sending traffic to the victim.
An unauthorized user gaining physical access to a computer is most likely able to directly copy data from it. They may also compromise security by making operating system modifications, installing software worms, key loggers, covert listening devices or using wireless mice.
Even when the system is protected by standard security measures, these may be bypassed by booting another operating system or tool from a CD-ROM or other bootable media. Disk encryption and the Trusted Platform Module are designed to prevent these attacks.
Eavesdropping is the act of secretly listening to a private conversation, typically between hosts of a network. Even machines that operate as a closed system (i.e. with no contact to the outside world) can be eavesdropped upon via monitoring the faint electro-magnetic transmissions generated by the hardware.
Spoofing, in general, is a fraudulent or malicious practice in which communication is sent from an unknown source disguised as a source known to the receiver. Spoofing is most prevalent in communication mechanisms that lack a high level of security.
Tampering describes a malicious modification of products. So-called “Evil Maid” attacks and the planting of surveillance capabilities into routers by security services are examples.
Privilege escalation describes a situation where an attacker with some level of restricted access is able to, without authorization, elevate their privileges or access level. So for example a standard computer user may be able to fool the system into giving them access to restricted data; or even to “become root” and have full unrestricted access to a system.
Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details directly from users. Phishing is typically carried out by email spoofing or instant messaging and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.
Clickjacking, also known as a “UI redress attack” or “User Interface redress attack”, is a malicious technique in which an attacker tricks a user into clicking on a button or link on another webpage while the user intended to click on the top-level page. This is done using multiple transparent or opaque layers. The attacker is basically “hijacking” the clicks meant for the top-level page and routing them to some other irrelevant page, most likely owned by someone else.
Social engineering aims to convince a user to disclose secrets such as passwords, card numbers, etc. by, for example, impersonating a bank, a contractor, or a customer.
Here’s an example of organizing threats, attacks, vulnerabilities and countermeasures for Input/Data validation:
Threats/Attacks for Input/Data Validation
- Buffer overflows
- Cross-site scripting
- SQL injection
- Query string manipulation
- Form field manipulation
- Cookie manipulation
- HTTP header manipulation
Vulnerabilities for Input/Data Validation
- Using non-validated input in the Hypertext Markup Language (HTML) output stream
- Using non-validated input used to generate SQL queries
- Relying on client-side validation
- Using input file names, URLs, or user names for security decisions
- Using application-only filters for malicious input
- Looking for known bad patterns of input
- Trusting data read from databases, file shares, and other network resources
- Failing to validate input from all sources including cookies, query string parameters, HTTP headers, databases, and network resources
Countermeasures for Input/Data Validation
- Do not trust input
- Validate input: length, range, format, and type
- Constrain, reject, and sanitize input
- Encode output
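As an added illustration of the countermeasures above (this is not code from the article or from the Bangladesh Bank guideline), the following Python puts an account lookup that pastes unvalidated input into SQL beside its hardened form, and encodes a database value before placing it in the HTML output stream. The table, the 10-digit account-number format and the sample rows are constructed assumptions.

```python
"""Added example (not from the article): the input-validation countermeasures
applied to a small account-lookup function, using an in-memory SQLite database
with constructed sample rows. The table, column and account-number format are
assumptions for illustration."""
import html
import re
import sqlite3

# Assumed account-number format: exactly 10 digits (constructed rule).
ACCOUNT_RE = re.compile(r"^[0-9]{10}$")


def build_db() -> sqlite3.Connection:
    """Constructed sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT, holder TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("1000000001", "A. Rahman", 5000),
         ("1000000002", "B. Islam <bi@example>", 12000)],
    )
    return conn


def lookup_vulnerable(conn, acct: str) -> list:
    """'Using non-validated input to generate SQL queries': the raw string is
    spliced into the statement, so a crafted value changes the query itself."""
    return conn.execute(
        f"SELECT acct, holder FROM accounts WHERE acct = '{acct}'"
    ).fetchall()


def validate_account(acct: str) -> str:
    """Validate length, range, format and type; reject anything else."""
    if not isinstance(acct, str):
        raise TypeError("account number must be a string")
    if not ACCOUNT_RE.fullmatch(acct):
        raise ValueError("account number must be exactly 10 digits")
    return acct


def lookup_hardened(conn, acct: str) -> list:
    """Constrain, then parameterize: the driver binds the value as data,
    so it can never be interpreted as SQL."""
    acct = validate_account(acct)
    return conn.execute(
        "SELECT acct, holder FROM accounts WHERE acct = ?", (acct,)
    ).fetchall()


def render_holder(holder: str) -> str:
    """'Encode output': escape before placing a stored value in the HTML stream,
    because data read from the database is not trusted either."""
    return f"<td>{html.escape(holder, quote=True)}</td>"


def demo() -> dict:
    """Run both lookups against a classic tautology payload and report."""
    conn = build_db()
    injected = "' OR '1'='1"
    results = {
        "vulnerable_rows": len(lookup_vulnerable(conn, injected)),  # every row leaks
        "hardened_rejects": False,
    }
    try:
        lookup_hardened(conn, injected)
    except ValueError:
        results["hardened_rejects"] = True  # rejected before reaching the database
    results["hardened_rows"] = len(lookup_hardened(conn, "1000000001"))
    results["encoded"] = render_holder("B. Islam <bi@example>")
    return results


if __name__ == "__main__":
    print(demo())
```

The parameterized query alone stops the injection; the format check in front of it is the "constrain and reject" layer, which also shrinks what reaches the database and the logs. The output encoding is deliberately separate from input validation, since the value being rendered came from the database, one of the sources the list above says not to trust.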
BB Guideline on Information System Audit
Bangladesh Bank issued the ‘Guidelines on Internal Control & Compliance in Banks’ for banks on March 8, 2016 through BRPD Circular No. 03. As per the guideline:
IS or IT Audit is “the process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively and uses resources efficiently” (definition by Ron Weber).
The primary goal of the IS audit department of a bank is to determine information and related technological security loopholes and recommend feasible solutions. IS Audit is all about examining whether the IT processes and IT resources combine to fulfil the intended objectives of the organization, ensuring effectiveness, efficiency and economy in its operations while complying with the extant rules.
Information system auditors should develop and implement a risk-based IS audit strategy in compliance with IS audit standards, regulatory guidelines and internal policies to ensure that key areas are included. IS auditors should evaluate the effectiveness of the IT governance structure to determine whether IT decisions, directions and performance support bank’s strategies and objectives.
IS auditors also evaluate risk management practices to determine whether the bank’s IS-related risks are properly managed. IS auditors should conduct audits of overall information and related technological security aspects covering the following:
a. IT Asset Management
b. IT Service & Facility Management
c. Physical & Environmental Security (client/server interface, telecommunication, server, data storage, intranet, internet)
d. User & Access Management
e. Database Access & Network Security Management
f. Data Center Security
g. Change & Patch Management
h. Problem & Incident Management
i. IT Strategies, IT budget
j. Audit trails & Data Privacy Protection Management
k. IT Service Contract & Agreements and Vendor Management
l. IT Risk Management
m. Data Integrity & Transaction control
n. Data Retention & Disposal
o. System Acquisition, Development Management
p. Business Continuity & Disaster Recovery
Information System Audit
Information System Audit is the process of collecting and evaluating evidence to determine whether a computer system has been designed to maintain data integrity, safeguard assets, allows organizational goals to be achieved effectively and uses resources efficiently.
An effective information system audit leads the organization to achieve its objectives and an efficient information system uses minimum resources in achieving the required objectives.
The objective of undertaking an IT audit is to evaluate a bank’s computerized information system (CIS) in order to ascertain whether the CIS produces timely, accurate, complete and reliable information outputs, as well as to ensure confidentiality, integrity, availability and reliability of data and adherence to relevant legal and regulatory requirements. IT auditors evaluate the adequacy of internal controls in computer systems to mitigate the risk of loss due to errors, fraud and other acts, and to disasters or incidents that cause the system to be unavailable. Audit objectives will vary according to the nature or category of audit. An IT security audit is done to protect the entire system from the most common security threats, which include the following:
- Network vulnerabilities and intrusions
- Performance problems and flaws in applications
- Improper alteration or destruction of data (information integrity)
- Access to confidential data
- Unauthorized access to department and branch computers
- Password disclosure or compromise
- Virus infections
- Denial of service attacks
- Open ports that may be accessed by outsiders (unrestricted modems and unnecessarily open ports)
IT Audits may be conducted to:
- Ensure the integrity, confidentiality and availability of information system(s) and resources.
- Investigate possible security vulnerabilities and incidents in order to ensure conformance to the Bank’s security policies.
- Ensure that software systems deployed conform to the Bank’s software implementation policy.
- Ensure that changes made to any systems conform to the Bank’s Change Control/Change Management policy.
- Ensure that regular backups of data and business-critical systems are taken and preserved.
- Ensure that restores of both data and full systems are carried out on a regular basis, so that data integrity can be ensured and the Bank can be prepared for any possible disaster.
- Monitor user or system activity where appropriate.
- Investigate security incidents as and when required.
An IT audit is different from a financial statement audit. While a financial audit’s purpose is to evaluate whether an organization is adhering to standard accounting practices, the purposes of an IT audit are to evaluate the system’s internal control design and effectiveness. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight.
Installing controls is necessary but not sufficient to provide adequate security. People responsible for security must consider whether the controls are installed as intended, whether they are effective, whether any breach in security has occurred and, if so, what actions can be taken to prevent future breaches.
These inquiries must be answered by independent and unbiased observers. These observers are performing the task of information systems auditing. In an Information Systems (IS) environment, an audit is an examination of information systems, their inputs, outputs, and processing.
Preparedness / Pre-Audit activities
Auditors must make certain assumptions when bidding on a project, such as having access to certain data or staff. But once the auditor is on board, don’t assume anything; everything should be spelled out in writing, such as receiving copies of policies or system configuration data. These assumptions should be agreed to by both sides and include input from the units whose systems will be audited.
Nobody likes surprises. Involve the business and IT unit managers of the audited systems early on; this will smooth the process and avoid a dispute over the auditor’s access. Consider the case of one respected auditing firm that requested that copies of the system password and firewall configuration files be e-mailed to them.
Some activities that ease the process are listed below:
1. Team Leaders should specify restrictions, such as time of day and testing methods to limit impact on production systems. Most organizations concede that denial-of-service or social engineering attacks are difficult to counter, so they may restrict these from the scope of the audit.
2. Make sure the auditors conform to the policy on handling proprietary information. If the organization forbids employees from communicating sensitive information through non-encrypted public e-mail, the auditors must respect and follow the policy. The audit report itself contains proprietary data and should be handled appropriately, hand delivered and marked proprietary and/or encrypted if sent through e-mail.
3. Give the auditors an indemnification statement authorizing them to probe the network.
The Audit officer will be responsible for internal Audit within the department and operations of branches. When requested and for the purpose of performing an audit, any access needed will be provided to members of Internal Audit team.
This access may include:
- User level and/or system level access to any computing or communications device
- Access to information (electronic, hardcopy, etc.) that may be produced, transmitted or stored on respective Dept. equipment or premises
- Access to work areas (Data Center, DR site, NOC, labs, offices, cubicles, storage areas, etc.)
- Access to reports / documents created during internal audit.
- Interactively monitor and log traffic on the Bank’s corporate network in conjunction with Bank’s WAN connectivity provider
- Moving machines involved in an incident to a safe location for analysis or to ensure evidence is captured and preserved securely
- All sorts of System(s) and user activity logs/ audit trails to verify that privileges were used only for their intended and approved purposes.
- User level and/or Admin level access to any computing or communications devices
- Network or host scans and obtain any applicable information
- Audit rights of access to any Service level agreement or Annual maintenance contract with External parties or Internal parties as when appropriate
- Access to external or internal parties’ premises to verify the ability of the service provider before engaging them to provide any service in the Bank’s interest.
- All types of licenses/IPR (intellectual property rights) related documents or logs aligned with any software or hardware used in Bank’s ICT infrastructure.
Risk Analysis and Assessment
The auditor(s) will perform a risk analysis and assessment on the overall ICT system of the organization. This risk analysis and assessment will include all systems and subsystems directly or indirectly involved in the production of financial and critical information of Bank.
Based on these results, the auditor will rank the systems according to the risks attached to them. This will form the basis for prioritizing the audit frequency.
IT Audit Methodology & Frequency
All IT audits will be conducted according to the yearly audit plan approved by the honorable Board Audit Committee, and/or inspections may be carried out on a surprise basis as and when required. The preliminary audit process consists of the following phases:
- Personnel interviews
- Files and documentations verifications
- Justifications of IT inventories
- Reviews of Service Level Agreement and Annual Maintenance Contract(s)
- Health checkup of Server & workstations
- Network scans and vulnerability scanning
- Business impact analysis of respective information system(s)
Audit Requests for Specific Cause
A request may be made for an audit for a specific cause. The request may come from a variety of sources including, but not limited to, Branches, Human Resources, Risk Management, the IT Security Officer and/or a member of Board Audit.
A request for an audit for specific cause must include the time frame, frequency and nature of the request. The request must be reviewed and approved by the Head of ICCD.
Evaluation and Reporting of Audit Findings
Audit information that is routinely gathered must be reviewed in a timely manner by the individual/department responsible for the activity/process (e.g., weekly, monthly, quarterly, etc.).
The reporting process shall allow for meaningful communication of the audit findings to those departments/units sponsoring the activity.
- Significant findings shall be reported immediately in a written format. Incident log in this regard to be maintained by the concerned branch / division.
- Routine findings shall be reported to the CEO as well as to Board Audit through Head of ICCD in a written structured report format.
- Whenever indicated through evaluation and reporting, appropriate corrective actions must be undertaken. These actions shall be documented and shared with the responsible and sponsoring departments/branches.
Auditing Business Associate and/or Vendor Access and Activity
Periodic monitoring of business associate and vendor information system activity shall be carried out to ensure that access and activity is appropriate for privileges granted and necessary to the arrangement between the organization and the external agency.
The concerned department / organization must reassess the business relationship if it is determined that the business associate or vendor has exceeded the scope of its access privileges.
If it is determined that a business associate has violated the terms of the business associate agreement/addendum, the authority of the concerned organization must take immediate action to remedy the situation. Continued violations may result in discontinuation of the business relationship.
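An added example, not part of the article, of how the periodic review described in this section can be run mechanically: each vendor access event is compared with the hosts and actions granted under the arrangement, and anything outside that grant becomes a finding for the review report. The key=value log format, the account-naming convention (vendor_*) and the approved-scope table are all constructed for illustration.

```python
"""Added example (not part of the article): reviewing vendor/business-associate
activity against the privileges granted under the arrangement. The log format,
account names and the approved-scope table are constructed for illustration."""
from dataclasses import dataclass

# Approved scope per external account: the hosts and actions granted in the
# contract/agreement. Constructed values.
APPROVED_SCOPE = {
    "vendor_atm": {"hosts": {"atm-switch-01"}, "actions": {"READ", "RESTART"}},
    "vendor_core": {"hosts": {"cbs-app-01", "cbs-app-02"}, "actions": {"READ"}},
}

# Constructed sample of key=value access-log lines from the monitored systems.
SAMPLE_LOG = """\
2024-03-04T09:12:01 user=vendor_atm host=atm-switch-01 action=READ
2024-03-04T09:15:44 user=vendor_atm host=atm-switch-01 action=RESTART
2024-03-04T09:40:10 user=vendor_core host=cbs-app-01 action=READ
2024-03-04T10:02:37 user=vendor_core host=cbs-db-01 action=READ
2024-03-04T10:05:12 user=vendor_core host=cbs-app-02 action=WRITE
2024-03-04T11:30:00 user=vendor_unknown host=cbs-app-01 action=READ
2024-03-04T11:31:00 user=staff_ops host=cbs-app-01 action=WRITE
"""


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    host: str
    action: str


def parse_line(line: str) -> Event:
    """Parse one 'timestamp key=value ...' line into an Event."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return Event(ts, fields["user"], fields["host"], fields["action"])


def out_of_scope(log_text: str, scope=APPROVED_SCOPE) -> list:
    """Return (event, reason) pairs where a vendor account acted outside its grant.
    Only accounts named vendor_* are reviewed here (constructed naming convention);
    a vendor account with no scope on file is itself a finding."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if not ev.user.startswith("vendor_"):
            continue  # internal staff are reviewed under a different control
        grant = scope.get(ev.user)
        if grant is None:
            findings.append((ev, "no approved scope on file"))
        elif ev.host not in grant["hosts"]:
            findings.append((ev, f"host {ev.host} not in granted hosts"))
        elif ev.action not in grant["actions"]:
            findings.append((ev, f"action {ev.action} not granted"))
    return findings


def summarize(findings) -> dict:
    """Count findings per account: the figure a periodic review report would carry."""
    counts = {}
    for ev, _ in findings:
        counts[ev.user] = counts.get(ev.user, 0) + 1
    return counts


if __name__ == "__main__":
    hits = out_of_scope(SAMPLE_LOG)
    for ev, reason in hits:
        print(ev.ts, ev.user, ev.host, ev.action, "->", reason)
    print(summarize(hits))
```

On the constructed sample the review produces three findings: one vendor reaching a host outside its grant, the same vendor performing an action it was not granted, and an account with no agreement on file at all. The approved-scope table is the control that has to be kept current when agreements change; a stale table turns legitimate activity into noise and, worse, an expanded grant that was never revoked into a blind spot.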
Audit Log Security Controls and Backup
Audit logs must be protected from unauthorized access or modification, so the information they contain will be available if needed to evaluate a security incident. Audit trail information shall be stored on a separate system to minimize the impact auditing may have on the privacy system and to prevent access to audit trails by those with system administrator privileges.
This is done to apply the security principle of “separation of duties” to protect audit trails from hackers. Audit trails maintained on a separate system would not be available to hackers who break into the network and obtain system administrator privileges. A separate system also allows the IT security audit team to detect hacking security incidents.
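An added example (not from the article) of one way to make audit trails held on a separate system tamper-evident, so that a reviewer can tell whether an entry was altered or removed after it was recorded: each entry is chained to the previous one with an HMAC whose key is held only by the audit system, not by administrators of the audited hosts. The key, the record layout and the sample events are constructed assumptions.

```python
"""Added example (not from the article): a tamper-evident audit trail kept as a
hash chain, so that a reviewer can detect after-the-fact modification or
deletion of entries. The key is assumed to be held only by the separate audit
system, never by administrators of the audited hosts (constructed setup)."""
import copy
import hashlib
import hmac
import json

# Constructed key; in practice held by the separate logging system only.
AUDIT_KEY = b"example-audit-key-held-by-log-server"
GENESIS = "0" * 64  # fixed tag that the first entry chains to


def _tag(prev_tag: str, record: dict, key: bytes = AUDIT_KEY) -> str:
    """HMAC over previous tag + canonical record; ties each entry to the last."""
    payload = prev_tag.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append(chain: list, record: dict, key: bytes = AUDIT_KEY) -> list:
    """Append a record with its tag (done by the audit system on receipt)."""
    prev = chain[-1]["tag"] if chain else GENESIS
    chain.append({"record": record, "tag": _tag(prev, record, key)})
    return chain


def verify(chain: list, key: bytes = AUDIT_KEY):
    """Return (ok, index_of_first_bad_entry_or_None). Any edited, reordered or
    removed entry breaks its own tag and every tag after it."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = _tag(prev, entry["record"], key)
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev = entry["tag"]
    return True, None


def build_sample_chain() -> list:
    """Constructed events resembling what an audited host would forward."""
    chain = []
    for rec in [
        {"ts": "2024-03-04T09:00:00", "user": "admin1", "event": "login", "host": "cbs-app-01"},
        {"ts": "2024-03-04T09:05:00", "user": "admin1", "event": "sudo", "cmd": "systemctl restart app"},
        {"ts": "2024-03-04T09:07:00", "user": "admin1", "event": "logout", "host": "cbs-app-01"},
    ]:
        append(chain, rec)
    return chain


def tampered_copy(chain: list) -> list:
    """Simulate someone with admin rights on the host rewriting their own trace."""
    bad = copy.deepcopy(chain)
    bad[1]["record"]["cmd"] = "ls"
    return bad


def deleted_copy(chain: list) -> list:
    """Simulate removal of a single entry from the middle of the trail."""
    bad = copy.deepcopy(chain)
    del bad[1]
    return bad


if __name__ == "__main__":
    c = build_sample_chain()
    print("intact:  ", verify(c))
    print("edited:  ", verify(tampered_copy(c)))
    print("deleted: ", verify(deleted_copy(c)))
```

Because the tag is an HMAC rather than a plain hash, an intruder who holds administrator rights on the audited host but not the audit system's key cannot recompute the chain after editing it, which is the property the "separate system" requirement is after. One caveat a reviewer should know: cutting entries off the end of the trail leaves a shorter but still valid chain, so the latest tag also needs to be recorded somewhere the host cannot reach (for example in the periodic review report) for truncation to be detectable.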
Audit logs maintained within an application should be backed-up as part of the application’s regular backup procedure.
IT security Audit team must audit internal back-up, storage and data recovery processes to ensure that the information is readily available in the manner required. Auditing of data back-up processes should be carried out on a periodic basis.
Workforce Training, Education, Awareness and Responsibilities
IT security Audit workforce members are provided training, education, and awareness on safeguarding the security of business. IT security Audit team commitment to auditing access and activity of the information applications, systems, and networks is communicated through new employee orientation, ongoing training opportunities and events and applicable policies.
Workforce members are made aware of their responsibilities with regard to privacy and security of information, as well as the applicable sanctions/corrective disciplinary actions should the auditing process detect a workforce member’s failure to comply with organizational policies.
External Audits of Information Access and Activity
Information system audit information and reports gathered from contracted external audit firms, business associates and vendors shall be evaluated and appropriate corrective action steps taken as indicated. Prior to contracting with an external audit firm, the concerned organization shall:
- Outline the audit responsibility, authority and accountability.
- Choose an audit firm that is independent of other organizational operations.
- Ensure technical competence of the audit firm staff.
- Require the audit firm’s adherence to applicable codes of professional ethics.
- Obtain a signed compliant business associate agreement.
- Assign organizational responsibility for supervision of the external audit firm.
Audit Reporting and Compliance
Each audit will result in a follow-up report possibly including an action plan which will be presented to the branch manager or respective head of the divisions. The head of IT division or branch manager or respective head(s) of division(s) are responsible for taking appropriate action to complete the tasks on the remediation plan within the agreed-upon deadlines.
Retention of Audit Information
Audit logs and trail report information shall be maintained based on organizational needs. There is no standard or law addressing the retention of audit log/trail information. Retention of this information shall be based on:
- Organizational history and experience.
- Available storage space
Reports summarizing audit activities shall be retained for a period of twelve years.
Governing Policies of IT Audit
Audit observations will be considered and reported according to the auditor’s judgment based on the bank’s financial, operational and reputational risk. However, Information System auditor(s) may use the ICT Policy and Information Security Management (ISM) Policy of an organization, and the Bangladesh Bank ICT policy, along with any ISO, COBIT, PCI DSS and ISACA standards, on an “as-required” basis.
Information system audit ensures control over the entire banking operational process, from the initial idea or proposal to acceptance of a fully operational system, so that the requirements on system capability are satisfactorily complied with and ICT resources are used effectively.
Types of IT audits
Various authorities have created differing classifications to distinguish the various types of IT audits. Goodman & Lawless state that there are three specific systematic approaches to carry out an IT audit:
- Technological innovation process audit. This audit constructs a risk profile for existing and new projects. The audit will assess the length and depth of the company’s experience in its chosen technologies, as well as its presence in relevant markets, the organization of each project, and the structure of the portion of the industry that deals with this project or product.
- Innovative comparison audit. This audit is an analysis of the innovative abilities of the company being audited, in comparison to its competitors. This requires examination of company’s research and development facilities, as well as its track record in actually producing new products.
- Technological position audit: This audit reviews the technologies that the business currently has and that it needs to add. Technologies are characterized as being either “base”, “key”, “pacing” or “emerging”.
Others describe the spectrum of IT audits with five categories of audits:
- Systems and Applications: An audit to verify that systems and applications are appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system’s activity. System and process assurance audits form a subtype, focusing on business process-centric business IT systems. Such audits have the objective to assist financial auditors.
- Information Processing Facilities: An audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
- Systems Development: An audit to verify that the systems under development meet the objectives of the organization and to ensure that the systems are developed in accordance with generally accepted standards for systems development.
- Management of IT and Enterprise Architecture: An audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.
- Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify that telecommunications controls are in place on the client (computer receiving services), server, and on the network connecting the clients and servers.
In an Information Security (IS) system, there are two types of auditors and audits: internal and external. IS auditing is usually a part of accounting internal auditing, and is frequently performed by corporate internal auditors.
An external auditor reviews the findings of the internal audit as well as the inputs, processing and outputs of information systems. The external audit of information systems is frequently a part of the overall external auditing performed by a Certified Public Accountant firm.