Cyber Security Governance and Risk Management

This document outlines the importance of cyber security governance, risk management, and compliance (GRC) in organizations. It details the principles of cyber security governance, the roles and responsibilities of individuals, and the steps involved in risk management, including identification, analysis, evaluation, response, and monitoring of risks. Additionally, it discusses the significance of compliance with internal policies and regulatory requirements, emphasizing the need for a structured approach to ensure effective cyber security practices.

Uploaded by Jaya Kulshrestha

UNIT 14 CYBER SECURITY, RISK MANAGEMENT, COMPLIANCE AND AUDIT

Objectives
After reading this unit you should be able to
• understand the concept of cyber security governance,
• discuss risk management and compliance, and
• understand the various types of security systems that are included in a system audit.

Structure
14.1 Introduction
14.2 Cyber security Governance
14.3 Risk Management
14.4 Compliance
14.5 System audit
14.6 Summary
14.7 Self-Assessment Questions

14.1 INTRODUCTION
Effective cyber security governance is of paramount importance to successfully manage the cyber security of an organization. It primarily deals with cyber security policies, the roles and responsibilities of individuals, the overall risk appetite of the organization and cyber security compliance, which is regulatory, contractual and even legal in nature. Hence, cyber security governance, risk management and compliance go hand in hand and are often represented as the GRC trio.

The cyber security policy is followed by a supporting framework, procedures and processes. The processes finally boil down to controls. Audit is a function which examines the adequacy of the cyber security policy and the effectiveness of the laid-down controls, and ensures that the defined controls are properly followed.

14.2 CYBER SECURITY GOVERNANCE

Cyber security governance provides a strategic view of how an organisation controls its security, including defining its risk appetite, building accountability frameworks, and establishing who is responsible for making decisions.

Cyber security governance involves the process of establishing the architecture that ensures a company's security programs:
- align with business objectives,
- comply with regulations and standards (such as ISO and PCI security standards),
- define roles and responsibilities at various levels in the organization, and
- achieve objectives for managing security risk and ensuring compliance.

The cyber security policy should be aligned with the business objectives and business policy of the organization. This is the first and foremost requirement of a cyber security policy. This is followed by defining the roles and responsibilities of individuals in the organization and complying with internal policies, regulations, and contractual and legal obligations.

14.2.1 Six Principles of Cyber Security Governance

Cyber security governance in an organization is generally described by way of six principles. Let us have a look at them.
1. First Principle: Building a culture of cyber resilience
Resilience is the ability of an organization to attain normalcy after an
adverse incident. Cyber resilience is the ability of an organization to
enable business acceleration (enterprise resiliency) by preparing for,
responding to, and recovering from cyber threats. A cyber-resilient
organization can adapt to known and unknown crises, threats,
adversities, and challenges. The ultimate goal of cyber resiliency is to
help an organization thrive in the face of adverse conditions.
2. Second Principle: Establishing roles and responsibilities
Clearly defining an organisation’s cyber security roles and
responsibilities is an important step to achieve effective cyber security
governance. This also includes adequately empowering the individuals
to take decisions whenever needed. For instance, in case of an incident,
well-documented crisis management plan clearly states who is
responsible for which function while addressing the crisis.
3. Third Principle: Holistic risk management
Effective cyber security risk management is a core aspect of governance
and must be embedded within an organisation's overall risk framework.
A separate section in this unit is exclusively dedicated to risk
management and monitoring.
4. Fourth Principle: Cyber security collaboration
This can be achieved by establishing a cyber security committee and a
working group with representation from all the key stakeholders across
the business.
5. Fifth Principle: Setting the direction of investment decisions
Information security investments are intended to support organizational objectives. Security governance entails ensuring that information security is integrated with existing organizational processes for capital and operational expenditure, for legal and regulatory compliance, and for risk reporting.
6. Sixth Principle: Measuring resilience
The effectiveness of cyber security activity should be accurately measured and reported. Measurement and reporting provide the basis for continuous improvement. Devising suitable KPIs (key performance indicators) and monitoring them on a continuous basis helps in this. For instance, if the policy requires all the systems in the network to have up-to-date anti-malware but the actual achievement on a given day is 98%, the KPI in this respect is 98%. Regular VAPT (vulnerability assessment and penetration test) exercises also help in measuring some of the KPIs.

14.2.2 Cyber Security - Roles and Responsibilities

The top management or the Board is accountable for cyber security in an organization and the cyber security policy should be approved by the Board. Accountability is ultimate answerability, which is different from mere responsibility. For instance, when the IT Department is assigned the job of implementing certain information security controls in a system, say Mobile Banking, it is only responsible for implementing them, whereas the accountability for ensuring that the required controls are in place lies with the system or asset owner, i.e., the business owner of Mobile Banking. Whereas the accountability with respect to ensuring cyber security controls in a specific asset lies with the respective business owners, the accountability for the overall information security of the organization always lies with the top management/the Board.

The Head of Information Security, who is generally called the Chief Information Security Officer (CISO), is responsible for finalising the information security policy upon consulting all the unit heads, the Head of IT and other stakeholders; the policy is ultimately approved by the Board. The information security policy is then followed by a framework and procedures. The procedures are ensured by devising suitable cyber security controls. The policy, framework, processes and controls so devised are communicated to all the stakeholders in the organization. Subsequently, during the process of audit, the adequacy and practice of such controls are examined and the observations are reported to a Board level committee. This cycle ensures proper cyber security governance.

Figure 14.1 Cyber Security Governance Structure

The CISO is also responsible for risk assessment, continuous risk monitoring, regulatory compliance and periodic security status reports to the Board.
Three lines of defense: Apart from governance, there are three lines of defense in ensuring cyber security in an organization.
i. The first line of defense is the IT security team and the asset owners, who actually ensure implementation of the required security controls in systems.
ii. The second line of defense is the CISO and his team, who take care of the cyber security policy, risk management, compliance and periodical reporting of the security status to the Board.
iii. The third line of defense is Audit.

14.3 RISK MANAGEMENT

Risk management, in the context of information security, is the practice of minimising risks to organizational operations (e.g., mission, functions, image and reputation), organizational assets and persons. Managing risk is one of the most important segments of information security. Risk management involves risk identification, risk analysis, risk evaluation and risk treatment.

14.3.1 Steps in Risk Management

The major steps involved in the risk management of an organization are identification of risk, analysis of risk, evaluation of risk, response to risk and monitoring of risk.

Identify
Identification of risks involves identifying vulnerabilities in each of the assets of the organization, the threats that might exploit these vulnerabilities and the probability of such exploitation. The risk associated with each information asset is arrived at accordingly.

Analyse
Analyse the severity of each risk by assessing how likely it is to occur and how significant the impact might be if it does. This step considers financial risk, reputational risk, regulatory risk and operational risk. The combined impact of these risks is the business impact, and the exercise of computing it is called Business Impact Analysis (BIA).

Evaluate
This step follows the above-mentioned BIA exercise and involves evaluating how each risk fits within the organization's risk appetite, which helps in prioritising the risks and finding respective ways to treat each risk.

Respond
This step involves making a decision on how to respond to each risk. There are generally four options:
• Treat (mitigate) the risk – The risks that fall in this category are those which can be mitigated by taking suitable preventive measures and security controls, modifying the risk's likelihood and/or impact.
• Tolerate (accept) the risk – In the cost-benefit analysis, if the impact of the risk is less than the benefit derived from the asset, and if there is no way to mitigate the risk, the organization may take a call to accept the risk.
• Terminate (avoid) the risk – As in the above case, if there is no way to mitigate the risk but the cost/impact of the risk is far more than the benefit derived from the asset, the organization may avoid the risk entirely by ending or completely changing the activity causing the risk.
• Transfer (insure) the risk – After managing the risk in the above three ways, there is generally some residual risk left unmanaged. Such risk may be shared with another party, usually by outsourcing or taking out insurance. Cyber insurance is one such example.

Monitor
Risk management is a never-ending process. Within this process, implemented security measures are monitored and reviewed on a regular basis to ensure that they function as intended and that changes in the environment have not rendered them ineffective. Business needs, vulnerabilities and threats can all change over time.
Regular information system audits (IS audits) should be scheduled and conducted by an independent party, i.e. someone not responsible for the implementation or day-to-day management of information security. The role of IS Audit is discussed in section 14.5.
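The analyse, evaluate and respond steps above carried through as a worked risk register, an added example that is not part of the original unit; the impact figures, likelihoods, risk appetite, control effectiveness and sample assets are all constructed assumptions.

```python
from dataclasses import dataclass

# The four risk categories that the BIA step in 14.3.1 considers.
IMPACT_CATEGORIES = ("financial", "reputational", "regulatory", "operational")


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: float            # annual probability that the threat exploits the vulnerability
    impact: dict                 # category -> estimated loss (constructed currency units)
    asset_benefit: float         # annual benefit derived from the asset (constructed)
    mitigation_available: bool   # can suitable controls modify likelihood/impact?
    control_effectiveness: float = 0.0   # fraction of expected loss the controls remove

    def business_impact(self) -> float:
        """BIA: combined impact of the four categories for this asset."""
        return sum(self.impact.get(c, 0.0) for c in IMPACT_CATEGORIES)

    def expected_loss(self) -> float:
        """Analyse step: likelihood combined with business impact."""
        return self.likelihood * self.business_impact()


def choose_response(risk: Risk, risk_appetite: float):
    """Respond step: Treat / Tolerate / Terminate / Transfer, as described in the unit.

    risk_appetite is the maximum expected annual loss the organization accepts for
    one asset (constructed threshold). Returns (response, residual expected loss).
    """
    expected = risk.expected_loss()
    if expected <= risk_appetite:
        return "tolerate", expected
    if risk.mitigation_available:
        residual = expected * (1 - risk.control_effectiveness)
        if residual <= risk_appetite:
            return "treat", residual
        # controls still leave residual risk above appetite: share it, e.g. cyber insurance
        return "treat+transfer", residual
    # no way to mitigate: cost-benefit decides between accepting and avoiding
    if risk.business_impact() < risk.asset_benefit:
        return "tolerate", expected
    return "terminate", 0.0


def evaluate_register(risks, risk_appetite):
    """Evaluate step: rank by expected loss, then decide a response for each risk."""
    ranked = sorted(risks, key=lambda r: r.expected_loss(), reverse=True)
    return [(r.asset, r.threat, r.expected_loss(), *choose_response(r, risk_appetite))
            for r in ranked]


# Constructed sample register for a bank (not real figures).
RISK_APPETITE = 500_000.0
SAMPLE_RISKS = [
    Risk("core_banking", "ransomware", 0.2,
         {"financial": 5_000_000, "reputational": 3_000_000,
          "regulatory": 2_000_000, "operational": 4_000_000},
         asset_benefit=50_000_000, mitigation_available=True, control_effectiveness=0.9),
    Risk("mobile_banking", "credential phishing", 0.5,
         {"financial": 1_000_000, "reputational": 1_000_000,
          "regulatory": 500_000, "operational": 200_000},
         asset_benefit=8_000_000, mitigation_available=True, control_effectiveness=0.5),
    Risk("email", "outage of a few hours", 0.8,
         {"financial": 50_000, "operational": 100_000},
         asset_benefit=1_000_000, mitigation_available=True, control_effectiveness=0.3),
    Risk("vendor_ftp", "unencrypted file exchange intercepted", 0.6,
         {"financial": 2_000_000, "regulatory": 1_000_000},
         asset_benefit=400_000, mitigation_available=False),
]

if __name__ == "__main__":
    for asset, threat, expected, response, residual in evaluate_register(SAMPLE_RISKS, RISK_APPETITE):
        print(f"{asset:15} {threat:40} expected={expected:>12,.0f} -> {response} (residual {residual:,.0f})")
```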

14.3.2 Major Types of Cyber Security Risks faced by Banks

In banks, data breaches generally result in the following types of risks.

• Financial Risk – Banks being financial institutions, data breaches often lead to financial risks. Money stolen by attacking payment systems like ATM or SWIFT, the money demanded by an attacker after a successful ransomware attack, or the cost of failed operations during a DDoS attack are some examples of financial risk.
• Reputational Risk – The trust of customers that is lost or reduced due to a data breach is reputational risk. For institutions like banks, reputational risk is one of the risks of paramount importance, as a bank's business basically runs on trust.
• Compliance Risk – Non-compliance can be with the bank's own policies, mandatory requirements of regulators, viz., RBI and GoI, and legal and other contractual obligations. Non-compliance with its own policies may lead to business loss; non-compliance with regulatory requirements may result in the regulator's wrath, which may even lead to punitive measures; and legal and contractual non-compliance may lead to legal implications.
• Operational Risk – This is the risk of losses caused by flawed or failed processes, policies, systems or events that disrupt business operations. Employee errors, criminal activity such as fraud, and physical events are among the factors that can trigger operational risk.
• National Security Risk – As banking is one of the critical systems of the nation's economy, a cyber security incident in any of the systemically important banks will also pose a national security risk.

Activity 14.1
Explain the cyber security governance structure of your bank or any other organisation.

14.3.3 Business Impact Analysis (BIA)

It may be noted that the first four risks discussed above in section 14.3.2, i.e., financial risk, reputational risk, regulatory risk and operational risk, are considered in the computation of business impact (BI) through the exercise of business impact analysis (BIA) for each asset. This is especially so with respect to the banking industry's systems. For instance, if the e-mail system of a bank is down for a few hours on account of an incident, the incident's BI may be relatively low compared to an incident causing disruption in mobile banking or internet banking services. The BI will be far greater still if the whole core banking system is disrupted, because all banking services will come to a grinding halt.

Recovery Time Objective (RTO)
Recovery Time Objective is the maximum acceptable downtime for an asset in case of an incident. In a bank, each asset's RTO is arrived at based on the BIA exercise. For instance, if the RTO for mobile banking services is four hours, the RTO of core banking services cannot be more than one or two hours, as the whole system of banking services will be impacted in the latter case. On the other hand, the RTO may be even a day for the e-mail service, depending on the size and complexity of the bank.

The RTO is also the basis for designing the Data Centre (DC) of a bank. For the critical servers, whether redundancy is necessary, whether it should be by means of a hot-standby or a cold-standby setup, or whether neither is needed, are all determined and the DC is designed accordingly. The type of Disaster Recovery Site (DRS) and its design are also strategised accordingly.

Recovery Point Objective (RPO)

RPO represents the acceptable data loss in case of a cyber incident. Recovery Point Objective (RPO) is technically described as the maximum quantity of data that can be lost after recovering from a cyber incident. RPO is measured in terms of time, after which the loss exceeds what an organisation considers acceptable. In other words, if the RPO is 15 minutes, it is acceptable to the organization to lose a maximum of 15 minutes of data, which it is confident of rebuilding before starting normal operations.
Understandably, for a bank of considerable size which is extending 24x7 services to customers, viz., ATM, mobile banking, internet banking and even automatic processing of inward SWIFT messages 24x7, the RPO cannot be more than zero. A zero RPO can be achieved only by way of storage level mirroring and database level real-time replication. So RPO also plays a crucial role in the design of the DC and the DRS, ensuring database level replication, and even of a Near DR Site (NDRS) for ensuring storage level mirroring.

Figure 14.2 DC – DRS – Near DRS – Data replication & Storage mirroring
(Data Centre (DC) to Disaster Recovery Site (DRS): database level replication; DC to Near DRS: storage level mirroring)

Storage level mirroring needs high bandwidth for transmission, i.e., generally 1 Gigabit per second or more, which would become too costly to establish between DC and DRS, as the DRS is generally set up far away from the DC, in a different seismic zone. Hence, only database level replication is possible between DC and DRS, which has some time lag. Therefore, to ensure 'zero' RPO, a near DRS is established which is connected to the DC with high bandwidth lines to enable storage level mirroring. The near DRS is generally a smaller set-up compared to the DRS because only the equipment needed for storage level mirroring is established at the near DRS.

Whereas the DRS facilitates 'Availability' of data and services, the near DRS facilitates 'Integrity' of data, ensuring zero data loss in case of an incident.

14.4 CYBER SECURITY COMPLIANCE

Compliance, with respect to cyber security, refers to compliance with the organization's cyber security policy, regulatory requirements, and contractual and legal obligations.

Compliance with respect to internal policy is ensured by way of security controls. Cyber security controls are derived from the defined processes, which are the outcome of standards and framework. The standards and framework are developed to ensure compliance with the cyber security policy. Thus, the policy is ultimately translated down into security controls.

Figure 14.3 Translation Process of Infosec Policy into Controls
(Infosec Policy -> Standards & framework -> Processes -> Controls)

In the same fashion as for the internal Infosec policy, controls are developed for complying with regulatory requirements and contractual and legal obligations. The job of regular monitoring of controls is assigned to the respective units. Implementation and monitoring of such controls is audited by the audit team periodically, which is the third line of defense as discussed in the previous section. The audit report is submitted to a Board level Audit Committee for noting and suitable directions, thus completing the cycle of compliance, from requirements to controls to reporting.

For banks in India, the CSITE wing of RBI (Cyber Security and IT Examination) is the supervisor/regulator with respect to information security. Cyber security guidelines such as the Cyber Security Framework (CSF) and the Master Direction on Digital Payment Security Controls are some of the regulatory compliance requirements prescribed by RBI. Additionally, RBI sends information security advisories and alerts to banks based on incidents that have happened in India and globally.

CERT-In (Indian Computer Emergency Response Team) of the Ministry of Electronics and IT of GoI, too, releases security alerts regularly based on the cyber security intelligence shared across the CERT teams of other countries and other sources.

The National Critical Information Infrastructure Protection Centre (NCIIPC) is an organisation of the Government of India created under Section 70A of the Information Technology Act, 2000, through a gazette notification in 2014.

The main job of NCIIPC is protecting critical sectors such as Defense, Energy, Finance, Emergency services, etc. from cyber-attacks by terrorist organizations and nation-states. It develops a map of all critical information infrastructure in the country and assists in case of any substantial cyber-attack on any of the critical infrastructures, working in coordination with CERT-In for suitable response and recovery.

14.4.1 RBI Guidelines and Master Directions

RBI, in 2015, established a cyber security wing, CSITE (Cyber Security and IT Examination), which carries out IT Examination/IT Thematic Examination of RBI Supervised Entities (SEs) to assess their cyber resilience. Based on market intelligence and incidents reported by SEs, CSITE issues cyber security advisories and alerts about emerging threats and suggested remedial actions, and follows up on their implementation. A Cyber Crisis Management Group (CCMG) is set up in CSITE to address any major cyber incidents reported, including suggesting ways to respond. CSITE monitors SEs through a number of periodic/ad-hoc returns and assesses the effectiveness of their cyber security preparedness. It has developed Key Risk Indicators (KRIs) consisting of 128 points to assess the cyber security posture of SEs in an objective manner. Besides, CSITE has set up a wholly owned IT subsidiary, M/s ReBIT, which, among other things, focuses on cyber security within RBI as well as in SEs.
CSITE, from time to time, has been formulating cyber security guidelines for supervised entities (SEs), viz., the Cyber Security Framework (CSF), dated June 02, 2016, and the Master Directions on Digital Payment Security Controls (DPSC), dated February 02, 2022. The guidelines/master directions are provided by RBI in detail, with more than 100 points each. We provide hereunder the broad requirements of each.

Broad Cyber Security Framework (CSF) Guidelines of 02.06.2016

There are about 120 requirements. These can be broadly grouped as follows.
1. Automated asset management and patch management solutions should be in place.
2. An independent Cyber Security Policy approved by the Board should be kept in place. This policy is reviewed at least on an annual basis.
3. To deal with any cyber incident with minimal disruption, a duly approved cyber crisis management plan (CCMP) should be in place. The plan should be tested on a regular basis.
4. The IT architecture should be designed and developed to be conducive to cyber security.
5. Organisational arrangements should be made to ensure well defined accountability for cyber security at every level.
6. Cyber security surveillance should be enabled on a 24x7 basis by way of a Security Operations Centre (SOC) which analyses all system, network and application logs on a continuous basis.
7. Powerful identity and access management systems should be implemented. Multi-factor authentication should be enabled wherever necessary.
8. Comprehensive network and database security should be ensured. Transmission of data within and outside the internal network should be encrypted.
9. Protection of customer data, especially sensitive information, must be ensured.
10. Regular vulnerability assessment exercises and penetration tests (VAPT) should be conducted.
11. Cyber security preparedness indicators and key performance indicators (KPIs) should be developed and monitored on a regular basis and reported to RBI in predefined formats.
12. A forensics facility should be kept available to facilitate investigation upon an incident.
13. A continuous transaction monitoring system should be enabled to detect, alert and prevent fraudulent transactions.
14. Cyber security awareness programs should be conducted covering all the stakeholders, encompassing top management, middle & junior management, trusted partners, vendors and even customers.

Broad Digital Payment Security Controls (DPSC) Master Directions of 02.02.2022
The Master Direction on Digital Payment Security Controls provides the necessary guidelines for Scheduled Commercial Banks (except RRBs), Small Finance Banks, Payment Banks and credit card issuing NBFCs to set up a robust governance structure and implement common minimum standards of security controls for digital payment products and services. The guidelines are technology and platform agnostic and shall create an enhanced and enabling environment for customers to use digital payment products in a more safe and secure manner.

The Master Direction consolidates important control aspects broadly in the following areas.

Governance and Management of Security Risks
This pertains to the identification, analysis, monitoring and management of fraud risk and compliance risk linked with digital payment products through risk governance and risk management programs. The Digital Payment Security Policy should be approved by the Board and reviewed regularly.
Generic Controls:- An appropriate level of encryption at all channels (especially internet) of digital payment systems. A Web Application Firewall is to be implemented. Distributed Denial of Service (DDoS) attacks are to be mitigated.
Application Security Life Cycle:- Applications must be protected in accordance with a number of standards and guidelines, including OWASP, ISO 12812 data protection requirements and NIST's threat catalogues, which must be followed from the beginning of the application development process.

Design > Development > Test > Deploy > Maintain

Authentication Framework:- Regulated Entities (REs) should implement multi-factor authentication (MFA) for payments and fund transfers through electronic modes and payment applications. It is recommended that entities use at least one authentication methodology that is generally dynamic or non-replicable.

Fraud Risk Management:- Entities need to implement security controls, in terms of configuration aspects, to identify any suspicious transactional behaviour:

• Transaction velocity, which includes fund transfers, withdrawals, payments and adding new beneficiaries in a short span of time, mostly in customer accounts with zero transactions conducted through apps, internet banking or card.
• Parameters linked with card counterfeiting (for instance, continuous unsuccessful attempts to enter PINs or CVV indicate fake account creation).
• New account parameters to detect unusual excess activity in new accounts.
• Geo-locations, time zones and IP address origins that indicate activity from prohibited zones.
• Transactions to mobile numbers or mobile wallets that have been blacklisted previously for fraud activities.
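The configuration-level checks listed above run over a small transaction sample, as an added detection example that is not taken from the unit or from any RBI document; the thresholds, window size, prohibited country code, blacklisted number, account data and transactions are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed tunable configuration; the Master Direction leaves actual values to the RE.
VELOCITY_WINDOW = timedelta(minutes=10)   # what counts as "a short span of time"
VELOCITY_LIMIT = 3                         # debit/beneficiary events inside the window
PIN_FAIL_LIMIT = 3                         # consecutive PIN/CVV failures
NEW_ACCOUNT_AGE = timedelta(days=30)       # an account younger than this is "new"
NEW_ACCOUNT_DEBIT_LIMIT = 50_000           # unusual total debits for a new account
PROHIBITED_COUNTRIES = {"XX"}              # constructed placeholder country code
BLACKLISTED_WALLETS = {"+910000000001"}    # constructed placeholder mobile/wallet number

VELOCITY_TYPES = {"fund_transfer", "withdrawal", "payment", "add_beneficiary"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def fraud_alerts(events, accounts, now):
    """Return (account, rule, detail) alerts for the five DPSC configuration checks.

    events: dicts with keys ts, account, type, amount, country, beneficiary,
            result ('ok' or 'pin_fail'); accounts: account -> {opened, prior_txn_count}
    """
    alerts = []
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_account[e["account"]].append(e)

    for acct, evs in by_account.items():
        info = accounts[acct]
        debits = [e for e in evs if e["type"] in VELOCITY_TYPES and e["result"] == "ok"]
        # 1. Transaction velocity, checked on accounts with zero prior transactions.
        if info["prior_txn_count"] == 0:
            for i, start in enumerate(debits):
                in_window = [d for d in debits[i:] if d["ts"] - start["ts"] <= VELOCITY_WINDOW]
                if len(in_window) >= VELOCITY_LIMIT:
                    alerts.append((acct, "velocity", f"{len(in_window)} events within {VELOCITY_WINDOW}"))
                    break
        # 2. Card counterfeiting indicator: consecutive unsuccessful PIN/CVV attempts.
        streak = 0
        for e in evs:
            streak = streak + 1 if e["result"] == "pin_fail" else 0
            if streak == PIN_FAIL_LIMIT:
                alerts.append((acct, "pin_failures", f"{streak} consecutive failures"))
                break
        # 3. Excess activity in a new account.
        if now - info["opened"] <= NEW_ACCOUNT_AGE:
            total = sum(e["amount"] for e in debits)
            if total > NEW_ACCOUNT_DEBIT_LIMIT:
                alerts.append((acct, "new_account_activity", f"debits {total} in a new account"))
        # 4. Geo-location / IP origin from a prohibited zone.
        for e in evs:
            if e["country"] in PROHIBITED_COUNTRIES:
                alerts.append((acct, "prohibited_zone", f"{e['type']} from {e['country']}"))
                break
        # 5. Transfer to a previously blacklisted mobile number or wallet.
        for e in evs:
            if e.get("beneficiary") in BLACKLISTED_WALLETS:
                alerts.append((acct, "blacklisted_wallet", e["beneficiary"]))
                break
    return alerts


def make_event(ts, account, type_, amount=0, country="IN", beneficiary=None, result="ok"):
    return {"ts": parse_ts(ts), "account": account, "type": type_, "amount": amount,
            "country": country, "beneficiary": beneficiary, "result": result}


# Constructed sample data: A1 is a new, never-used account; A2 is an established one.
SAMPLE_NOW = parse_ts("2024-03-01 12:00:00")
SAMPLE_ACCOUNTS = {
    "A1": {"opened": parse_ts("2024-02-25 09:00:00"), "prior_txn_count": 0},
    "A2": {"opened": parse_ts("2019-06-01 09:00:00"), "prior_txn_count": 850},
}
SAMPLE_EVENTS = [
    make_event("2024-03-01 10:00:00", "A1", "add_beneficiary", beneficiary="+910000000001"),
    make_event("2024-03-01 10:02:00", "A1", "fund_transfer", 30_000, beneficiary="+910000000001"),
    make_event("2024-03-01 10:05:00", "A1", "fund_transfer", 25_000),
    make_event("2024-03-01 11:00:00", "A2", "withdrawal", 2_000, result="pin_fail"),
    make_event("2024-03-01 11:01:00", "A2", "withdrawal", 2_000, result="pin_fail"),
    make_event("2024-03-01 11:02:00", "A2", "withdrawal", 2_000, result="pin_fail"),
    make_event("2024-03-01 11:30:00", "A2", "payment", 500, country="XX"),
]

if __name__ == "__main__":
    for acct, rule, detail in fraud_alerts(SAMPLE_EVENTS, SAMPLE_ACCOUNTS, SAMPLE_NOW):
        print(f"{acct}: {rule} ({detail})")
```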

Reconciliation mechanism:- A real time/near-real time (not later than 24 hours from the time of receipt of the settlement file(s)) reconciliation framework for all digital payment transactions between the RE and all other stakeholders shall be put in place for better detection and prevention of suspicious transactions.

Customer protection:- REs shall provide digital payment products and services to a customer only at her/his option, based on a specific written or authenticated electronic requisition along with a positive acknowledgement of the terms and conditions. REs should provide a mechanism on their mobile and internet banking applications for their customers to identify/mark a transaction as fraudulent, with the necessary authentication, for seamless and immediate notification to the RE.

Awareness and grievance redressal mechanism:- REs may continuously create public awareness of the types of threats and attacks used against consumers while using digital payment products and of precautionary measures to safeguard against them.

Customers shall be cautioned against commonly known threats in recent times like phishing, vishing, reverse-phishing and remote access of mobile devices, and educated to secure and safeguard their account details, credentials, PIN, card details, devices, etc.
REs shall adhere to extant instructions, updated from time to time, to put in place system/s for online dispute resolution for resolving disputes and grievances of customers pertaining to digital payments.
Internet Banking application security controls:-
1. Enable Captcha and adaptive authentication.
2. Deactivate the session after a fixed period of inactivity.
3. Secure delivery of the initial password is to be ensured.
Mobile payment application security controls:-
1. Ensuring minimal data collection/app permissions.
2. Application sandbox/containerization.
3. REs shall ensure device binding of the mobile application, preferably through a combination of hardware and software.
4. The mobile application should not store/retain sensitive personal/consumer authentication information such as user IDs, passwords, keys, hashes, etc.
Card payment security controls:- ATM and PCI related security controls such as PCI DSS, etc. should be implemented.

14.4.2 Combination of Governance, Risk and Compliance (GRC) and automation of GRC
Governance, risk management, and compliance (GRC) are three major tenets of effective cyber security program management. Together, they enable an organization to effectively meet compliance requirements, manage risk, and standardise across the enterprise. On account of the significant difficulty and complexity of GRC functions, many organizations are nowadays opting for automation of GRC.

Automation of GRC
Automation of GRC in cyber security, or implementing a GRC management platform, has three benefits: transparency, efficiency, and accountability. A modern GRC management tool provides enterprises with a configurable solution that integrates seamlessly with an existing technology stack while staying user friendly.

Following are some of the significant benefits that modern GRC management tools have over legacy systems and manual spreadsheets:

Full Customisation - GRC management systems offer a fully customised approach to identifying, measuring, and mitigating risk across the business while assuring compliance with internal and external requirements.

24/7 Automation - GRC management tools keep up with requirements while decreasing the need for manual data entry. These solutions are dynamic in that they can track an organization's obligations, identify compliance gaps, and automate action using flexible processes. These qualities aid in increasing team productivity and reducing the possibility of human error.

Complete Visibility and Management - Unlike spreadsheets, compliance technologies allow all parties engaged in the compliance process to collaborate on the platform. They also improve the team's project management capabilities by incorporating integrated task management to track compliance activities, set deadlines, and monitor activity in an auditable format.

Real-Time Reporting and Monitoring - Compliance software has dynamic dashboards and reporting features. They update in real time for executive level insights into operational activities, backed by the automation and integrated data sets indicated above.
Data & Security - Encrypted data storage and safe data transfers give compliance technologies a more secure approach to handling the GRC process.
Reduced Costs - Effective GRC software significantly cuts compliance expenses.

For best benefits, an organisation should choose a GRC suite of tools that enables completely integrated GRC functions for fundamental requirements such as risk, policy, and audit management by identifying, measuring, mitigating, monitoring, and reporting risk across business processes.

14.5 SYSTEM AUDIT

System Audit or Information System Audit (IS Audit) is the assurance
function in cyber security. As described above, in cyber security, the
first line of defense is security implementation and incident response,
which are the functions of the IT Department and asset owners. The second
line of defense covers risk assessment, monitoring, regulatory compliance,
regulatory reporting, devising cyber security policy and continuous security
status reporting to the Board, which are the functions of the CISO and the
CISO's team.

The third line of defense in cyber security is IS Audit, which is conducted by
the Audit Team at regular intervals. The IS Audit team functions completely
independently of the IT and CISO teams, and the consolidated audit report is
submitted to a Board level committee, generally the Audit Committee of the
Board (ACB).

The IS Audit, at a broader level, checks the following:

1. Whether the information security policy is in conformity with the
business strategy of the bank or organisation.
2. Whether the framework and processes defined are in conformity with the
information security policy.
3. Whether adequate controls are in place to ensure that all the defined
processes are followed meticulously.
4. Whether all the set controls are effectively followed.

The gaps at every stage are identified and observations are made.

An IS audit is conducted in the following stages:
1. Determine the objectives and scope of the IS audit.
2. Create an audit plan to meet the IS audit objectives.
3. Collect and evaluate information on the relevant IT controls.
4. Perform audit tests, using Computer-Assisted Audit Techniques (CAATs)
such as data extraction and analysis software or test data wherever
appropriate.
5. Report the findings of the IS audit.
6. Follow up.

The Audit Organization decides whether the audit will be performed by
internal or external auditors. While Internal Auditors have a better
understanding of the system and procedures, as well as the organization's
objectives, they may be influenced by management. In such cases, the audit
may fail to reveal something that the management dislikes. As a result,
internal auditing may not fully serve the purpose. External Auditors, on the
other hand, may be objective and unaffected, but they will need time to
understand the organization's systems and procedures. As a result, each
approach has benefits and drawbacks. In any case, if the audit is conducted by
internal auditors, it must be ensured that the audit is conducted in an
influence-free environment.

The process of planning can be divided into the following steps for the
purposes of System Audit:
1. Review the most recent Audit Report and take the necessary actions.
2. Obtain a preliminary understanding of the system to be audited and
document it properly.
3. Choose the most effective and efficient audit strategy and document it.
4. Document the planned audit strategy.

14.5.1 IS Audit Controls & Approaches

All commercial organizations are exposed to various risks irrespective of the
system they might use. Therefore, the organizations need to secure their
systems from potential risks. But the steps to be taken for security must be
cost effective. The security of the system can be ensured only through
various controls and strict implementation of those control measures. The
System Audit should ensure that the organization has taken appropriate
measures to secure their systems and also has adequate control measures to
ensure this security. The objective of the security and control measures is to
prevent various risks arising out of Data Loss, Loss of costly Computer
Resources, Computer Errors, Incorrect Decisions due to incorrect or
fraudulent data, Disclosure of Secrecy/Privacy, Frauds and Embezzlements,
etc.

Controls may be broadly categorised into five types in a computerized
environment, as follows:
A. Asset Management Controls
B. Preventive Controls
C. Detective Controls
D. Corrective & Recovery Controls
E. Audit Trails as Control Tool

A) Asset Management Controls

The first and foremost control in cyber security is maintaining a
comprehensive list of assets, hardware and software of the organization, both
authorized and unauthorized.

1. Inventory of Devices
Active configuration management and monitoring can be used to keep an
inventory of devices connected to the enterprise network, such as
servers, workstations, laptops, and remote devices, up to date. This
reduces attackers' ability to find and exploit unauthorised and
unprotected systems.

2. Inventory of Software
To mitigate or eliminate attacks, vulnerable or malicious software must
be identified by creating a list of authorised software for each type of
system and deploying tools to track the software installed and monitor for
unauthorised or unnecessary software. For such controls, application
whitelisting tools will come in handy.

B) Preventive Controls

1. Physical Security
Physical security means that only authorised individuals will be able to
physically access the system. This includes System Room Locking, Dead
Man's Door, and Secured Layout Plan, as well as Control via System Room
Access Register, Control via System Access Register, Locking
Arrangements, and so on.

Whereas the above are preventive controls for physical access, there are
detective controls such as Burglar Alarm and CCTV to detect unauthorised
physical access.

Similarly, displaying sign-boards such as ‘restricted area, trespassers will
be prosecuted’ and ‘you are under CCTV surveillance’ will work as
deterrent controls, even though they are not strictly preventive controls.

2. Environmental Controls
Clean and Uninterrupted Power: An organisation must ensure a smooth and
uninterrupted supply of power to ensure the smooth operation of the system
and the avoidance of data loss or corruption. This is accomplished by
providing a UPS system, a voltage stabiliser in bypass, and alternative power
sources such as generators.
Fire Control: Fire Control refers to the measures that must be taken to
prevent fire hazards. This also includes steps for raising awareness about fire
control. Displaying a 'No Smoking Board' in the System Room and other
important areas of the organisation, installing smoke detectors and fire
extinguishers, and avoiding stacking of unnecessary hazardous materials in
important areas of the office, particularly the System Room, are all fire
control mechanisms.

Temperature and humidity: The System Room must be clean and free of dust.
The temperature and humidity in the System Room must be controlled for
proper system maintenance. Aside from that, a Water Damage Control and
Pest Control system should be in place.

3. Logical Access Controls

Logical security controls comprise access controls at operating system and
application level. Even for physical security, logical access controls like
electronic access cards are used. Logical Security includes use of User-Id,
Encrypted Passwords, ID Cards, Biometrics Technology, Restrictions of
Rights to different Users, Restrictions regarding allocation of Supervisory
Rights etc. In most of the systems, these security features are available at
both the levels – at OS (operating system) level and at the Application
package level. The Auditor should ensure that at both the levels such security
features are implemented and maintained.

Password secrecy is another important logical security feature in any
system. In case users freely reveal their passwords, any amount of security
features in the system will be futile. Thus, Auditors must ensure that the staff
members in the organization have a culture of maintaining secrecy of their
passwords. This apart, there are some other security features regarding
passwords which the organization should follow:

Password Expiry Date: The password expires automatically after a certain date
so that the Users will be compelled to change their passwords after the date
of expiry of the password.

Grace Login: How many times the Users will be allowed to login after expiry
of password.

Unique Password: Whether Users will be allowed to use the already used
password.

Minimum Password Length: Users will be forced to use a password of at least
the configured minimum number of characters.

Generally, passwords must be at least 8 characters long and include upper
and lower-case characters and at least one numeric character and one special
character. It is amazing to note that a ‘brute force’ tool which may crack a
4-character password in just 4 seconds takes about 10 years to crack an
8-character password.
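
The password features just listed (expiry with grace logins, uniqueness against a history, minimum length and the character-class rule), implemented as an added Python example that is not part of the unit. The 8-character rule is the one stated in the text; the 90-day expiry, 3 grace logins, 5-password history and the user names are assumptions.

```python
"""Password policy checks for logical access control (added example).

Not from the original unit. The 8-character/upper/lower/digit/special rule is
the one the text states; the 90-day expiry, 3 grace logins and 5-password
history are assumed policy values, and the user names are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
import hashlib
import os
import string
from typing import List, Tuple


@dataclass
class PasswordPolicy:
    min_length: int = 8       # Minimum Password Length (stated in the text)
    max_age_days: int = 90    # Password Expiry Date (assumed value)
    grace_logins: int = 3     # Grace Login count after expiry (assumed value)
    history_size: int = 5     # Unique Password: old hashes remembered (assumed)


@dataclass
class UserAccount:
    user_id: str
    salt: bytes
    pw_hash: bytes
    changed_on: date
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # older (salt, hash)
    grace_used: int = 0


def _hash(password: str, salt: bytes) -> bytes:
    # Encrypted (hashed) passwords: the clear text is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def complexity_problems(password: str, policy: PasswordPolicy) -> List[str]:
    """Return every way the password falls short of the composition rule."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case character")
    if not any(c.islower() for c in password):
        problems.append("no lower-case character")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def set_password(account: UserAccount, new_password: str,
                 policy: PasswordPolicy, today: date) -> List[str]:
    """Change the password; returns the list of reasons if it is refused."""
    problems = complexity_problems(new_password, policy)
    # Unique Password: refuse anything still inside the history window.
    for salt, old_hash in [(account.salt, account.pw_hash)] + account.history:
        if _hash(new_password, salt) == old_hash:
            problems.append("password was used before")
            break
    if problems:
        return problems
    account.history = ([(account.salt, account.pw_hash)] + account.history)[:policy.history_size]
    account.salt = os.urandom(16)
    account.pw_hash = _hash(new_password, account.salt)
    account.changed_on = today
    account.grace_used = 0
    return []


def login(account: UserAccount, password: str,
          policy: PasswordPolicy, today: date) -> str:
    """'ok', 'grace' (expired, change now), 'expired-locked' or 'denied'."""
    if _hash(password, account.salt) != account.pw_hash:
        return "denied"
    if (today - account.changed_on).days <= policy.max_age_days:
        return "ok"
    if account.grace_used < policy.grace_logins:
        account.grace_used += 1      # Grace Login: counted, not unlimited
        return "grace"
    return "expired-locked"          # grace exhausted: an administrator must reset


def new_account(user_id: str, password: str, today: date) -> UserAccount:
    salt = os.urandom(16)
    return UserAccount(user_id, salt, _hash(password, salt), today)
```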

Review and Removal of Dormant Users: The IDs of the Users who are
transferred from the office, i.e., who are not required to use the system any
longer should be deleted from the system.

Restriction to Concurrent Connections: The Users should not be allowed to
connect to the system concurrently, i.e., login from more than one machine at
a time.

Restriction to Operating System: Excepting the System Administrators,
normal Users should not be given rights to access the Operating System.

Logging of all Activities: All activities performed by all Users are logged so
that controller will have the knowledge about various activities performed
and whether Users have done any activity beyond their rights due to any
mistake in allocating rights or otherwise.

Hours/Days Restriction for Users: Users may be restricted from the system on
Sundays or non-working days. Similarly, working hours in the system for the
Users can be restricted. All these features ensure that the Users cannot
misuse the system in the odd hours when nobody is in the office.

Terminal Restriction for Users: Since in most cases Users work in a network
environment, they can access the system from any of the machines; there is,
however, no need for the Users to work on more than one machine. Thus,
specific terminal access may be restricted for each user, so that each User
works only on one machine.

Security Codes for Menu Access: In a menu driven package, some sensitive
menus may be given security codes so that only users required to use those
menus can do so.

This apart, using intrusion detection software and locking out the Users
when they are not required to work are some methods of prevention and
detection of unauthorized Users in the system. Checking of the Activity Log
will also highlight any unusual activity performed by the Users.

4. Secure configurations on Servers, Laptops and Workstations

To prevent attackers from taking advantage of services and settings that
allow easy access via networks and browsers, a secure image is created for all
new systems deployed to the enterprise. These standard images are hosted on
secure storage servers, the configurations are validated and updated on a
regular basis, and system images are tracked in a configuration management
system.

5. Anti-Malware
Malicious code is blocked from tampering with system settings or contents,
capturing sensitive data, or spreading. Workstations, servers, and mobile
devices should all be continuously monitored and protected with automated
anti-virus and anti-spyware software. These anti-malware programmes are
updated on a daily basis on all computers. Devices are prevented from
automatically running programmes from removable media (auto-run is
disabled).

6. Application Security
By thoroughly checking internally generated and third-party application
software for security flaws, including coding errors and malware,
vulnerabilities in web-based and other application software are mitigated.
Web application firewalls (WAF) are used to explicitly examine all traffic to
high-risk apps and user input for errors. OWASP (Open Web Application
Security Project) guidelines are popular in ensuring application security.

7. Input Controls
The purpose of Input Controls is to prevent:

• Unintentional entry of wrong data,
• Intentional entry of fraudulent data,
• Preparation of false Input Forms,
• Alteration in Input Forms,
• Use of unauthorized Input Forms for data entry,
• Deliberate error during data entry.

In order to ensure that adequate controls are there at the point of input,
various steps are taken. These are Verification, Authorization, Clearance of
Exception Conditions, On Screen Transaction Checking, Checking of
Reports etc. In addition to these, Input Forms must bear Terminal Number
Stamp, Initials of Data Entry Operators, and Signatures of Appropriate
Authorities etc. Input Forms – Financial as well as Non-Financial should be
checked and preserved properly. In order to make the data entry and
verification more effective, Maker-Checker concept is introduced and hence
the duties of various roles are segregated. The concept of maker-checker is
that one person will make the data entry and the other person will check the
same so that erroneous/fraudulent data entry, if any, can be effectively
checked. It should also be ensured that overlapping of roles is avoided as far
as possible.

Input Controls will ensure that the data entering the system is correct and free
of any error which will ultimately give good, accurate output. Input Controls
basically ensure Maintenance of Data Integrity.
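
The maker-checker rule and the separation of roles described above, as an added Python example that is not part of the unit; the role table, the user names and the entry record are constructed for illustration, and the ‘both’ user shows that even an overlapping role cannot verify its own entry.

```python
"""Maker-checker control for data entry (added example, not from the unit).

The role table and user names are constructed; an Entry stands for one
Input Form keyed into the system.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Status(Enum):
    PENDING = "pending"      # entered by the maker, not yet verified
    VERIFIED = "verified"    # checked and accepted by a different person
    REJECTED = "rejected"    # checked and refused


class ControlViolation(Exception):
    """Raised when an action would breach the maker-checker control."""


@dataclass
class Entry:
    entry_id: str
    amount: float
    maker: str
    terminal: str                     # Terminal Number Stamp on the Input Form
    status: Status = Status.PENDING
    checker: Optional[str] = None
    audit_log: List[str] = field(default_factory=list)


# Constructed role table: who holds maker and/or checker rights.
# 'both' is an overlapping role, which the text says to avoid where possible.
ROLES = {
    "operator1": {"maker"},
    "operator2": {"maker"},
    "supervisor": {"checker"},
    "both": {"maker", "checker"},
}


def make_entry(entry_id: str, amount: float, user: str, terminal: str) -> Entry:
    """The maker keys in the data; the entry stays pending until checked."""
    if "maker" not in ROLES.get(user, set()):
        raise ControlViolation(f"{user} has no maker rights")
    entry = Entry(entry_id, amount, user, terminal)
    entry.audit_log.append(f"made by {user} at terminal {terminal}")
    return entry


def check_entry(entry: Entry, user: str, approve: bool) -> Entry:
    """The checker verifies the entry; the maker may never verify their own work."""
    if "checker" not in ROLES.get(user, set()):
        raise ControlViolation(f"{user} has no checker rights")
    if user == entry.maker:
        raise ControlViolation("maker cannot verify own entry")
    if entry.status is not Status.PENDING:
        raise ControlViolation(f"entry already {entry.status.value}")
    entry.checker = user
    entry.status = Status.VERIFIED if approve else Status.REJECTED
    entry.audit_log.append(f"{entry.status.value} by {user}")
    return entry


def is_posted(entry: Entry) -> bool:
    """Only verified entries may reach processing."""
    return entry.status is Status.VERIFIED
```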

8. Processing Controls:
The purpose of Processing Controls is to ensure that the system processes the
data – financial as well as non-financial – correctly. This is ensured by
maintaining the integrity of the programs responsible for processing the data.
Programs may not run properly due to errors/corruption caused by accident or
by intentional damage. Sometimes, due to malfunctioning of hardware also, a
program may not run properly. The System Auditors are to ensure that the
security relating to processing by the system is in place. This can be done by
System Control and also by Manual Control.

In Processing Control through the system, the Auditors copy the program
files running in the system. Then, the same is compared with the standard
version of the program and deviations, if any, can easily be detected. In
Manual Control, the Auditors depend mostly on the computer-generated
transactions, which are verified against the same derived manually.
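
The program-file comparison described for Processing Control, as an added example that is not the unit's own procedure: it hashes a standard copy and a live copy of a program tree and reports modified, missing and unexpected files. The two trees, their file names and contents are constructed in a temporary folder.

```python
"""Compare deployed program files against the standard version (added example).

Not from the unit. The two directory trees are constructed in a temporary
folder so the check runs stand-alone; in practice the 'standard' manifest
would be kept by the auditor, outside the audited system.
"""
import hashlib
from pathlib import Path
import tempfile
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root, POSIX form) to its hash."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(standard: Dict[str, str], deployed: Dict[str, str]) -> Dict[str, List[str]]:
    """Deviations an auditor would report: changed, removed and extra program files."""
    return {
        "modified": sorted(k for k in standard if k in deployed and standard[k] != deployed[k]),
        "missing": sorted(k for k in standard if k not in deployed),
        "unexpected": sorted(k for k in deployed if k not in standard),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: one altered constant, one dropped config, one stray file."""
    with tempfile.TemporaryDirectory() as tmp:
        standard, live = Path(tmp) / "standard", Path(tmp) / "live"
        for tree in (standard, live):
            (tree / "bin").mkdir(parents=True)
        (standard / "bin" / "posting.py").write_text("def post(txn): return txn\n")
        (standard / "bin" / "interest.py").write_text("RATE = 0.04\n")
        (standard / "config.ini").write_text("[db]\nhost=localhost\n")
        (live / "bin" / "posting.py").write_text("def post(txn): return txn\n")
        (live / "bin" / "interest.py").write_text("RATE = 0.05\n")      # unauthorised change
        (live / "bin" / "helper.py").write_text("print('not in standard')\n")  # extra file
        # config.ini is absent from the live tree
        return compare(build_manifest(standard), build_manifest(live))


if __name__ == "__main__":
    print(demo())
```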

9. Wireless Device Control

Restricted information is protected from being transmitted over unencrypted
wireless or through unauthorized access points. Wireless traffic is encrypted.
It is ensured that all wireless access points are manageable using enterprise
management tools. Scanning tools are configured to detect wireless access
points.

10. Awareness Programs

All stakeholders are subjected to appropriate cyber security exercises and
training. This entails continuously assessing knowledge gaps by developing a
security skills assessment programme and mapping training against the skills
required for each job, as well as using the results to effectively allocate
resources to improve security practices.

11. Network Security and Configurations

Network security is one of the most essential controls in cyber security.
The flow of traffic is controlled via network borders, and content is policed
by searching for attacks and evidence of compromised machines via
multilayered boundary defences and the use of firewalls, proxies,
demilitarised zone (DMZ) perimeter networks, and other network-based
tools. Inbound and outbound traffic is filtered, including traffic from business
partner networks known as extranets. Configurations of firewalls, routers,
and switches are compared to standards for each type of network device. Any
deviations from the standard configurations are documented and approved,
and any temporary deviations are reversed when the business need is no
longer present.

Only authorised users and services are granted remote access. Host-based
firewalls are used to block port-filtering and port-scanning tools,
as well as traffic that is not explicitly permitted. Remote access is restricted
on web servers, mail servers, file and print servers, and domain name system
(DNS) servers. The installation of unnecessary software components is
turned off. Unless remote access is required for business purposes, servers
are moved inside the firewall. To prevent security controls from being
circumvented, a strong, secure network engineering process is used. At least
three tiers of network architecture (DMZ, middleware, and private network)
are deployed, which allows for the rapid deployment of new access controls to
deflect attacks.

12. Account Monitoring and Control
The possibility of attackers impersonating legitimate users will be eliminated
by reviewing all system accounts and disabling any that are not associated
with a business process or owner. System access should be revoked
immediately for terminated employees or contractors. Dormant accounts are
disabled, and any files associated with such accounts are encrypted and
isolated. Strong passwords are used.

13. Access Management and Privileged User Monitoring & Control

Privileged user (administrative) accounts on servers, desktops and laptops are
protected and validated, generally to prevent two common types of attacks:
(1) luring users into opening a malicious e-mail, attachment, or file, or
visiting a malicious website; and (2) cracking an administrative password and
gaining access to a target machine. Strong passwords are used. To ensure these
controls, multi-factor authentication and anti-APT (anti-advanced persistent
threat) tools will be useful.

14. Data Classification and access controls on a ‘Need to Know’ and ‘Least
Privileged Access’ basis
Database Controls: The Database Controls ensure that the data in the
database is not corrupted by any means and the integrity of data in the
database is maintained. To this end, data in the database is copied to another
database or to any other storage media like magnetic tape. This method is
known as Back-Up. This ensures that even if the database of the system is
corrupted by any chance, the same can be restored with the help of the copied
database. In addition to this, the Back-Up tapes should be stored in off-site
storage so that in case some untoward incident occurs in the office, the tape
backing up the data and kept in off-site storage will be safe and can be used
to restore data. The tapes should be restored occasionally to test that they
are maintained properly and contain the data completely and accurately.

Critical data is carefully identified and separated from information that is
readily available to internal network users to prevent attackers from gaining
access to highly sensitive data. Based on the impact of any data exposure, a
multilevel data classification scheme is established to ensure that only
authenticated users have access to nonpublic data and files.

15. Data Leakage Prevention (DLP)

Unauthorized transfer of sensitive data via network attacks and physical theft
is prevented by closely monitoring data movement across network
boundaries, both electronically and physically, to limit attacker exposure. A
centralised management framework is used to monitor people, processes, and
systems.

C) Detective Controls
Detective controls play a crucial role where all the existing preventive
controls fail to prevent an incident. The detection controls are generally
enabled by putting in place 24x7 automated monitoring. A Security
Operations Centre (SOC) is established for such monitoring.

16. Security Audit Logs Management

Detailed logs are used to identify and uncover details about an attack, such as
the location, malicious software used, and activity on victim machines. Each
hardware device and the software installed on it generates standardised logs
that include the date, time stamp, source and destination addresses, and other
information about each packet and/or transaction. Such logs are examined
under defined scenarios on a 24x7 basis using a SIEM (security information
and event management) engine, which is a part of the Security Operations
Centre (SOC) in a typical bank. Alerts are generated for pre-defined scenarios
and analysed and monitored until suitable action is taken.

17. Database Activity Monitoring (DAM)

Critical databases are identified and any activity on such databases, either
viewing or modifying, would generate an alert to enable further investigation
with respect to authority and genuineness of such activity. Such tools are
called database activity monitoring (DAM) tools and enable monitoring of
database related activity by external as well as internal users.

18. Continuous Vulnerability Assessment (VA), Penetration Test (PT) and
Remediation exercises
To proactively identify and repair software vulnerabilities reported by
security researchers or vendors, automated vulnerability scanning tools are
run regularly against all systems for timely remediation. Regular internal and
external penetration tests are conducted that mimic an attack to identify
vulnerabilities, gauge the potential damage, and remediate flaws to improve
organizational readiness.

D) Corrective and Recovery Controls

Corrective and recovery controls are most important in cyber crisis
management in case of an incident. Design and management of a Disaster
Recovery Site (DRS) is one of the most important such control measures in a
Bank. These controls mainly deal with incident response, data recovery, and
the cyber crisis management plan, including cyber insurance measures.

19. Incident Response Controls

An incident response plan should be in place, with clearly delineated roles
and responsibilities for quickly discovering an attack and then effectively
containing the damage, eradicating the attacker's presence, and restoring the
integrity of the network and systems. A top management approved Cyber Crisis
Management Plan (CCMP) should be in place describing various crisis scenarios
triaged into respective criticality levels and suitable action plans.

20. Data Recovery Controls

In the instance of a cyber incident, systems should be in place to mitigate the
damage. A reliable plan is put in place to remove all traces of an attack.
Automatic backup of all information required to fully restore each system,
including the operating system, application software, and data, must be
ensured. The frequency of data backup is determined by the sensitivity of the
data and ranges from weekly to continuous on-line backup. The restoration of
the backup is tested on a regular basis.

21. Cyber Insurance

After all the controls are exhausted, for those risks which could not be
adequately covered, cyber insurance is the tool to transfer the risk against
losses due to cyber incidents. The extent of monetary cover under cyber
insurance varies from bank to bank based on their risk perception. For
instance, in India, it may vary from even less than 10 crore rupees to even
more than 1000 crore rupees.

E) Audit Trails as Control Tool

Audit trail controls attempt to ensure that a chronological record of all events
that have occurred in a system is maintained. This record is needed to answer
queries, fulfil statutory requirements, deter irregularities, detect the
consequences of error, and allow system monitoring. Two types of audit trail
must be maintained: the accounting audit trail and the operations audit trail.
The accounting audit trail shows the source and nature of data and processes
that update the database. The operations audit trail maintains a record of
attempted or actual resource consumption within a system.

The following sorts of data must be kept in the accounting audit trail:
1. Identity of the would-be user of the system
2. Authentication information supplied
3. Action privileges requested
4. Terminal identifiers
5. Start and finish time
6. Number of login attempts
7. Resources provided/denied
8. Action privileges allowed/denied

Similar audit trail controls are also required at the database system level.

This data allows management or the auditor to create the time series of events
that occur when a user attempts to gain access to and employ system
resources. Periodically, the audit trail should be analysed to detect any
control weaknesses in the system. Much of the data collected in the accounting
audit trail also serves the purposes of the operations audit trail.
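
A periodic review of accounting audit trail records, added here as an example that is not part of the unit: it runs the checks behind the logical access controls described earlier (failed login attempts, concurrent connections from more than one terminal, out-of-hours use, dormant users, activity beyond allotted rights) over constructed records whose fields follow the items listed above. Working days and hours, the dormancy window, the entitlement table and every record value are assumptions.

```python
"""Review of an accounting audit trail for control weaknesses (added example).

Not from the unit. Records, entitlements, working hours (Monday to Saturday,
08:00-19:00) and the 90-day dormancy window are all constructed assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

WORK_DAYS = range(0, 6)        # Monday=0 .. Saturday=5; Sunday is non-working
WORK_HOURS = (8, 19)           # logins allowed from 08:00 up to 19:00
DORMANT_DAYS = 90

# Constructed records: (user, terminal, start, finish, outcome, privilege requested)
TRAIL: List[Tuple[str, str, str, str, str, str]] = [
    ("ram",   "T01", "2024-03-04 09:05", "2024-03-04 17:40", "ok",     "teller"),
    ("ram",   "T07", "2024-03-04 10:15", "2024-03-04 10:45", "ok",     "teller"),  # 2nd terminal, overlapping
    ("sita",  "T02", "2024-03-03 23:10", "2024-03-03 23:50", "ok",     "teller"),  # Sunday night
    ("gopal", "T03", "2024-03-05 08:30", "",                 "denied", "teller"),
    ("gopal", "T03", "2024-03-05 08:31", "",                 "denied", "teller"),
    ("gopal", "T03", "2024-03-05 08:32", "",                 "denied", "teller"),
    ("gopal", "T03", "2024-03-05 08:33", "",                 "denied", "teller"),
    ("anita", "T04", "2023-11-20 09:00", "2023-11-20 17:00", "ok",     "supervisor"),  # no login since
    ("meena", "T05", "2024-03-05 11:00", "2024-03-05 11:30", "ok",     "admin"),   # beyond teller rights
]

# Constructed entitlements: the action privileges each user was allotted.
ENTITLEMENTS: Dict[str, Set[str]] = {
    "ram": {"teller"}, "sita": {"teller"}, "gopal": {"teller"},
    "anita": {"supervisor"}, "meena": {"teller"},
}


def parse(ts: str) -> Optional[datetime]:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M") if ts else None


def failed_login_bursts(trail, threshold: int = 3) -> List[str]:
    """Users with at least `threshold` denied attempts (guessing, or a lockout gap)."""
    denied = Counter(user for user, _, _, _, outcome, _ in trail if outcome == "denied")
    return sorted(user for user, n in denied.items() if n >= threshold)


def concurrent_sessions(trail) -> List[str]:
    """Users whose successful sessions overlap in time on different terminals."""
    by_user = defaultdict(list)
    for user, term, start, finish, outcome, _ in trail:
        if outcome == "ok":
            by_user[user].append((term, parse(start), parse(finish)))
    flagged = set()
    for user, sessions in by_user.items():
        for i, (t1, s1, f1) in enumerate(sessions):
            for t2, s2, f2 in sessions[i + 1:]:
                if t1 != t2 and s1 < f2 and s2 < f1:   # the two intervals intersect
                    flagged.add(user)
    return sorted(flagged)


def out_of_hours(trail) -> List[str]:
    """Users who logged in on a non-working day or outside working hours."""
    flagged = set()
    for user, _, start, _, outcome, _ in trail:
        if outcome != "ok":
            continue
        when = parse(start)
        if when.weekday() not in WORK_DAYS or not (WORK_HOURS[0] <= when.hour < WORK_HOURS[1]):
            flagged.add(user)
    return sorted(flagged)


def dormant_users(trail, as_of: datetime) -> List[str]:
    """Users whose last successful login is older than DORMANT_DAYS (candidates for removal)."""
    last_seen: Dict[str, datetime] = {}
    for user, _, start, _, outcome, _ in trail:
        if outcome == "ok":
            last_seen[user] = max(last_seen.get(user, datetime.min), parse(start))
    return sorted(u for u, seen in last_seen.items() if as_of - seen > timedelta(days=DORMANT_DAYS))


def beyond_rights(trail, entitlements: Dict[str, Set[str]]) -> List[str]:
    """Users who requested an action privilege they were never allotted."""
    return sorted({user for user, _, _, _, _, priv in trail
                   if priv not in entitlements.get(user, set())})


def review(trail, entitlements, as_of: datetime) -> Dict[str, List[str]]:
    return {
        "failed_login_bursts": failed_login_bursts(trail),
        "concurrent_sessions": concurrent_sessions(trail),
        "out_of_hours": out_of_hours(trail),
        "dormant_users": dormant_users(trail, as_of),
        "beyond_rights": beyond_rights(trail, entitlements),
    }


if __name__ == "__main__":
    for finding, users in review(TRAIL, ENTITLEMENTS, parse("2024-03-06 00:00")).items():
        print(f"{finding}: {', '.join(users) or 'none'}")
```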

The audit trail in the communication subsystem maintains the chronology of
events from the time a sender dispatches a message to the time a receiver
obtains the message.

22. Accounting Audit Trail

The accounting audit trail must allow a message to be traced through each
node in the network. Some examples of data items that might be kept in the
accounting audit trail are:

1. Unique identifier of the source node
2. Unique identifier of the person/process authorising dispatch of the
message
3. Time and date at which the message was dispatched
4. Message sequence number
5. Unique identifier of each node in the network that the message traversed
6. Time and date at which each node in the network was traversed by the
message.

Given that a message should not be changed as it traverses a node in the
network, keeping all the above information may seem pointless. Indeed, if a
message traverses a public network or interchange network, the owner of the
network may not be willing to maintain or to supply the audit trail
information. Nevertheless, the audit trail information is needed if a message
is lost in the network or if it is suspected that a node has been compromised
or is malfunctioning and unwanted changes are occurring to the message.
As always, what audit trail information should be kept and how long it should
be kept is a cost-effectiveness decision.

23. Operations Audit Trail

The operations audit trail in the communication subsystem is especially
important, as the performance and ultimately, the integrity of the network
depend on the availability of comprehensive operations audit trail data. Using
this data, a network supervisor can identify problem areas in the network and
reconfigure the network accordingly. Some examples of data items that might
be kept in the operations audit trail are:
1. Number of messages that have traversed each link
2. Number of messages that have traversed each node
3. Queue lengths at each node
4. Number of errors occurring on each link or at each node
5. Number of retransmissions that have occurred across each link
6. Log of errors to identify locations and patterns of errors
7. Log of system restarts
8. Message transit times between nodes and antinodes.

14.5.2 Competence of Computer Auditors

With the complexity of data processing, it is no longer realistic to expect one
person to have all the competence required to conduct all audits. Audit
competence must be put together on a team basis. The internal EDP audit
department/section should conduct operational audits of data processing,
reviewing the computer centre, the procedure for the development of new
applications and also general controls over teleprocessing where this exists.
These audits are set up as special operational audits.

Two questions remain to be dealt with: from where do we obtain computer
specialists for computer audit work, and how do we develop all internal
auditors to be competent to audit systems which have been computerized?
Specialist computer auditors are often drawn from the EDP department. The
computer manager would have the advantage of a qualified professional
auditor on his staff, and one who understands the principles of internal
controls. In addition to this, general training courses on computer auditing
should also be used. Special qualifications in computer auditing, based on
professional examinations, can also be promoted. The subject matter of such
examinations changes from time to time to keep abreast of developments.

An IT auditor uses some general tools, technical guides and other resources
recommended by ISACA or any other accredited body. This is why many
audit organizations will encourage their employees to obtain relevant
certifications such as CISA (Certified Information Systems Auditor) which is
awarded by ISACA.

Activity 14.2
What do you understand by ‘Information System Audit’?

…………………………………………………………………………………
…………………………………………………………………………………

…………………………………………………………………………………
…………………………………………………………………………………

14.5.3 Emerging Trends in IS Audit

Most Information System Audit (IS Audit) teams are becoming acquainted
with auditing technology that allows for remote work and well-established
corporate IT systems, and many are beginning to use data analytics and Big
Data to inform their audits. However, it is now critical to keep an eye on
emerging technologies such as RPA (Robotic Process Automation), AI
(Artificial Intelligence), and Blockchain, which are still relatively uncommon
but are expected to grow rapidly. IS audit must stay one step ahead of any
risks or assurance gaps that arise as a result of these technologies.

Other examples include virtual reality, the internet of behaviours, the internet
of things, bioinformatics, and natural language processing, as well as
quantum computing and 5G. RPA, AI, and blockchain are the most widely
used and well-established, so these are the ones that IS auditors are looking
into.

The main audit challenges are assessing any new risks that an emerging
technology introduces into the organisation once it is implemented, as well as
how management monitors and controls these risks. As a result, the IS audit
team must understand what the technologies will be used for, how they will
be used, and by whom.

Risks associated with RPA (Robotic Process Automation)

Risks associated with RPA, which is used to automate frequently repeated
processes that are critical for day-to-day business, include inappropriate
process selection, incorrect configuration, unexpected costs, security,
inadequate performance, and change management. For example, one
application of RPA could be a chatbot designed to filter common customer
questions. Incorrect configuration may cause the bot to delay passing
customers who require additional assistance to a human contact, alienating
customers.
Similarly, an RPA system may incur unexpected costs if, for example, a bot
replaces call centre staff but then requires specialised maintenance and more
skilled and expensive people to manage it. Other IS audit considerations
include whether a bot handles sensitive data that is subject to privacy or other
regulations, and whether it regularly connects to organisations outside of the
corporate firewall, introducing new risks of breaches or misused data.

The sheer volume of data passing through an RPA system may necessitate
new safeguards and checks. Management of an RPA system may also pose a
risk. If it is used to automate an area where frequent changes are
implemented, it may necessitate additional layers of processes each time this
occurs, which adds time and complexity.

Risks associated with AI (Artificial Intelligence)

AI introduces a new set of risks. The more data the system uses from more
sources, the more entry points and connections are formed, and the greater
the potential risks. There may also be physical risks if a company uses AI in
products like autonomous vehicles or to detect when heavy machinery needs
maintenance.

There have also been reports of AI systems being primed with data, which
results in inherent bias. If a system is designed using data collected over a
long period of time and is configured to make decisions based on prior
rationale, it is likely to make similar decisions, which may reflect observed
human biases from this time period. This increases the likelihood that a
company will not only shortlist the wrong candidates, but will also suffer
reputational damage and possibly legal costs. IS Audit should investigate
how this is monitored and whether bias is identified, managed, and corrected.

IS audit should also inquire about how the AI system can be modified if
external circumstances drastically change. AI is designed to evolve and
adapt, but it will do so within the parameters that it was given. If the world
changes quickly, as it did when the pandemic began, new parameters may be
required.

Both intentional and unintentional failures must be considered. The more
powerful and connected a system is, the more destructive it can be if
misused, putting trade secrets, plant operations, and security at risk.

Risks associated with Blockchain Technology

Blockchain's strengths can also be its weaknesses. The inability to reverse
transactions and access data without the required keys makes the system
secure, but it also means that organisations must follow specific protocols
and management processes to avoid being locked out and to have clear
contingency plans.

Interoperability is essential for blockchain; it must be able to communicate
with multiple internal and external systems. IS audit must gain assurance that
it is capable of doing so and that it is thus functioning properly. Because
operating through network nodes exposes the organisation to cyber-attacks
and data hacks, security concerns must be addressed.

IS auditors should also ensure that the organisation has the necessary data
management processes in place and that it is in compliance with regulations.
Because the regulatory landscape for blockchain is still evolving, audit teams
should ensure that compliance managers are constantly monitoring
developments and adapting processes accordingly.

Further risks stem from the organization's transactions with unknown
external organisations; auditors should inquire whether this could expose
them to, for example, anti-money-laundering legislation violations.

Some enterprises' internal IS audit teams are currently outsourcing or
collaborating on support for emerging technology audits.

14.5.4 RBI Guidelines on Information System Audit (IS Audit)

This section covers the audit charter/policy and the stages of an IS audit:
planning, execution, reporting and follow-up, and quality review.

Roles & Responsibilities

1. Board of Directors and Senior Management: To meet the responsibility
   to provide an independent audit function with sufficient resources to
   ensure adequate IT coverage, the board of directors or its audit committee
   should provide an internal audit function which is capable of evaluating
   IT controls adequately.

2. Audit Committee of the Board: The Audit Committee should devote
   appropriate and sufficient time to IS audit findings identified during IS
   Audits, and members of the Audit Committee would need to review
   critical issues highlighted and provide appropriate guidance to the bank’s
   management.

3. Internal Audit/Information System Audit function: Banks should have
   a separate IS Audit function within the Internal Audit department led by
   an IS Audit Head, assuming responsibility and accountability of the IS
   audit function, reporting to the Chief Audit Executive (CAE) or Head of
   Internal Audit.
Critical Components and Processes

1. IS Audit: Because IS Audit is an integral part of the Internal Audit
   function, IS auditors will also be required to be independent and
   competent, and to exercise due professional care.
2. Outsourcing relating to IS Audit: Risk evaluation should be performed
   prior to entering into an outsourcing agreement and reviewed
   periodically in light of known and expected changes, as part of the
   strategic planning or review process.
3. Audit Charter, Audit Policy to include IS Audit: An Audit Charter/
   Audit Policy is a document which guides and directs the activities of the
   Internal Audit function. IS Audit, being an integral part of the Internal
   Audit function, should also be governed by the same Audit Charter/
   Audit Policy. The document should be approved by the Board of
   Directors. The IS Audit policy/charter should be subjected to an annual
   review to ensure its continued relevance and effectiveness.
4. Planning an IS Audit: Banks need to carry out IS Audit planning using
   the Risk Based Audit Approach. The approach involves aspects like the IT
   risk assessment methodology, defining the IS Audit Universe, scoping
   and planning the audit, execution and follow-up activities.
5. Executing IS Audit: During the audit, auditors should obtain evidence,
   perform test procedures, appropriately document findings, and conclude
   with a report.
6. Reporting and Follow-up: This phase involves reporting audit findings to
   the CAE and Audit Committee. Before reporting the findings, it is
   imperative that IS Auditors prepare an audit summary memorandum
   providing an overview of the entire audit process from planning to audit
   findings.

14.6 SUMMARY

Effective cyber security governance is of paramount importance to
successfully manage the cyber security of an organization. Basically it deals with
cyber security policies, the roles and responsibilities of individuals, the
overall risk appetite of the organization and the cyber security compliances,
which are regulatory, contractual and even legal in nature. Hence in this unit
we have discussed Cyber Security Governance, Risk Management and
Compliance in detail.

We have talked about the six principles of cyber security governance and the cyber
security governance structure. The major steps involved in the risk management
of an organization, the types of risks faced by banks and how these are
managed are also covered. Compliance with the organization’s cyber security
policy, regulatory requirements, and contractual and legal obligations has also
been discussed in detail. We have discussed the different aspects of how an
organisation controls its security, including defining its risk appetite, building
accountability frameworks, and establishing who is responsible for making
decisions.

14.7 KEYWORDS
Risk management- in the context of information security, is the practice of
minimising risks to organizational operations, organizational assets and
persons.

Recovery Time Objective- is the maximum acceptable down-time for an
asset in case of an incident.

Compliance- with respect to cyber security, refers to compliance with the
organization’s cyber security policy, regulatory requirements, contractual and
legal obligations.

National Critical Information Infrastructure Protection Centre- is an
organisation of the Government of India created under the Section 70A of the
Information Technology Act, 2000, through a gazette notification in 2014.

System Audit- also referred as Information System Audit (IS Audit) is the
assurance function in cyber security governance.

Database Controls- ensure that the data in the
database is not corrupted by any means and the integrity of data in the
database is maintained.

14.8 SELF-ASSESSMENT QUESTIONS

1. What do you understand by the term ‘Cyber Security Governance’?
   Describe the principles of Cyber Security Governance.

2. Explain Risk Management in the context of information security. What
   are the steps involved in risk management? Discuss the types of Cyber
   Security Risks faced by Banks.

3. Discuss the Broad Digital Payment Security Controls (DPSC) Master
   Directions of 02.02.2022.

4. Explain the types of controls used by banks to ensure cyber security.

5. Discuss the emerging trends in Information System Audit (IS Audit).
