Internet Banking System
Document Sample


Audit Program Internet Banking System
Audit Procedure
Purpose:
The purpose of this audit program is to assist the IT internal audit
team of XXX in conducting an Internet Banking system review.
Professional judgment and discretion should be exercised in
executing the audit. This audit program is a guidance document
only and should not be treated as an exhaustive audit checklist.
This audit program contains audit steps/procedures that should
be considered to assess the risks and controls (risks assessed
independently first, then residual risks considered) and
accordingly to highlight unacceptable risk exposure and/or control
improvement points for XXX's Internet Banking system, by:
- considering the appropriateness of the design of controls and
the effectiveness of those controls; and
- determining whether a material risk remains exposed or a
control weakness exists that may have a significant impact on
XXX.
The Audit Program includes the following sections:
I. Understanding the existing controls and process;
II. Audit Scope;
III. Audit objectives; and
IV. Audit procedures
I. Understanding the existing process and controls
This section will be completed after the audit review.
II. Audit Scope
The objective of the audit is to review the security controls relating
to the Internet Banking System. The scope of this audit program
includes the review of the following areas:
1. Security policies and procedures;
2. User accounts, groups and passwords;
3. Network security review;
4. Audit configurations;
5. Vendor contracts and service level agreements; and
6. Physical controls and contingency planning.
III. Audit Objectives
Overall audit objective:
The security audit and review is to identify potential or existing
security risks within XXX's Internet Banking system.
Objectives
To determine that:
- security policies and procedures exist for the Internet Banking
system;
- the security policies and procedures are complied with;
- operational procedures and internal controls are adequate to
ensure security and high availability;
- security settings for the Internet Banking system are adequate to
prevent or detect unauthorized access to programs and data; and
- disaster recovery and contingency plans are in place.
IV. Audit Procedures
Policies and procedures for Internet Banking
(The following audit procedures relate to a formally documented and
distributed corporate security policy with specific configuration
guidelines for the Internet Banking system.)
Check for documented policies and procedures for the Internet
Banking system.
Do the policies and procedures include the following items?
- Access to, protection of, and disclosure of customers' confidential
information
- Policies and procedures for system administration
- Procedures for user administration
- Policies and procedures for backup and recovery
- Policies and procedures for network device management
- Password policies and procedures
- Monitoring of unauthorized attempts to access the bank's systems
- Virus detection and prevention
Do the policies and procedures define:
- The role of the IT security officer
- The role of the administrator
- Management reporting responsibilities
- Enforcement of policies and procedures
- Penalties for non-compliance with policies
User accounts, groups and passwords security
(To review and assess the control procedures which ensure that only
authorized users may access the system and that each user's
access privileges are commensurate with his or her job
responsibilities.)
User access and password control
(To ensure that the user and password controls are adequate to
prevent unauthorized access to the system.)
Review a sample of Internet Banking customers and ensure they
are only allowed access to accounts for which they are authorized
signers.
Are new users and groups added to the system only on written
authorization by the responsible Head of Department?
Determine whether a User Registration Form or other control is in
place for the creation of each user on the system.
Ensure that the user accounts created in the Internet Banking
system are unique.
Are passwords checked regularly against obvious choices? If so,
what method is used?
Do all users have passwords?
Does the system protect the default login names from unauthorized
use?
Are automatic password expiry dates used?
Are there any guidelines for the selection of strong passwords?
Is the Internet Banking system password policy configured in
compliance with the Bank's security policies and procedures?
Network security review
(To determine that the network architecture is appropriately
protected from unauthorized access, both internal and external.)
Review the network diagram and identify the critical network
devices (firewall, gateway router, IDS, etc.).
Review the firewall rules/policies to determine whether the enabled
services/ports have been formally approved.
Determine the authentication method used by the network division
staff for remote network administration.
Is there a network address translation (NAT) mechanism for
isolating networks and preventing routes from propagating from one
network segment into another?
Verify that the IDS devices have been deployed with the latest
definition updates.
Review the external consultant's vulnerability assessment report to
identify the critical gaps.
Determine whether management has taken appropriate and timely
action to address the gaps/deficiencies noted in the report.
Has management established an incident response plan to handle
potential network and system security incidents?
Determine whether measures are in place to protect the Internet
Banking system from viruses.
Verify that all components of the Internet Banking System have
been hardened based on the Bank's minimum security baseline
document.
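An added example, not part of this audit program: reconciling a constructed firewall rule export against the bank's register of formally approved services, as the firewall review step above asks. The rule fields, the register layout and all values are assumptions for illustration.

```python
# Added example (not part of the audit program): reconcile a constructed
# firewall rule export against an approval register. Fields and values are
# assumptions for illustration, not any product's export format.
from datetime import date

# Constructed rule export: (rule id, action, protocol, destination port, source, destination).
RULES = [
    ("R1", "allow", "tcp", 443, "0.0.0.0/0",   "10.1.0.10"),
    ("R2", "allow", "tcp", 22,  "10.0.5.0/24", "10.1.0.10"),
    ("R3", "allow", "tcp", 23,  "10.0.5.0/24", "10.1.0.10"),
    ("R4", "allow", "any", 0,   "0.0.0.0/0",   "0.0.0.0/0"),
    ("R5", "deny",  "any", 0,   "0.0.0.0/0",   "0.0.0.0/0"),
]
# Constructed approval register: (protocol, port) -> (change ticket, approval valid until).
APPROVED = {
    ("tcp", 443): ("CHG-0101", date(2025, 12, 31)),
    ("tcp", 22):  ("CHG-0102", date(2023, 6, 30)),   # approval has lapsed
}

def review_firewall_rules(rules, approved, today):
    """Return (rule id, issue) pairs for every allow rule that needs follow-up."""
    issues = []
    for rid, action, proto, port, src, dst in rules:
        if action != "allow":
            continue                      # only permissive rules widen exposure
        if proto == "any" or (src == "0.0.0.0/0" and dst == "0.0.0.0/0"):
            issues.append((rid, "permit-any rule; no specific service approved"))
            continue
        entry = approved.get((proto, port))
        if entry is None:
            issues.append((rid, f"{proto}/{port} not in approval register"))
        elif entry[1] < today:
            issues.append((rid, f"{proto}/{port} approval {entry[0]} expired {entry[1]}"))
    return issues

if __name__ == "__main__":
    for rid, issue in review_firewall_rules(RULES, APPROVED, date(2024, 1, 15)):
        print(rid, issue)
```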
Auditing and logging control
Determine whether audit logs have been enabled and are configured
based on the user requirements (IT security and audit).
Verify that unsuccessful login attempts are logged.
Identify any users for whom auditing has been disabled.
Verify that audit trails are configured to log any activity granting,
changing, or revoking system access rights or privileges.
Verify that audit data is protected by the system so that access to it
is limited to only those authorized to view the audit data. In
addition, verify that audit data is protected from modification or
deletion by general users.
Verify that a process is in place for the audit logs to be reviewed and
discrepancies reported to the system owner.
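An added example, not part of this audit program: a reviewer's script that checks a constructed sample of Internet Banking audit log lines and a per-user audit setting against the logging items above (failed logins recorded, privilege changes recorded, users with auditing disabled). The key=value line format, event names and the audit-setting map are assumptions for illustration, not the format of any particular product.

```python
# Added example (not part of the audit program): review a constructed audit
# trail against the logging checklist. Line format, event names and the
# per-user audit setting are assumptions for illustration.
import re

# Constructed sample audit trail.
LOG_LINES = """\
2024-01-15T09:01:02 user=jdoe event=LOGIN result=FAIL src=10.0.0.5
2024-01-15T09:01:10 user=jdoe event=LOGIN result=OK src=10.0.0.5
2024-01-15T10:15:00 user=admin event=GRANT_ROLE target=asmith role=approver
2024-01-15T10:20:00 user=admin event=REVOKE_ROLE target=ckhan role=operator
2024-01-15T11:30:00 user=bsmith event=LOGIN result=FAIL src=10.0.0.9
2024-01-15T11:31:00 user=bsmith event=LOGIN result=FAIL src=10.0.0.9
""".splitlines()
# Constructed per-user audit setting as exported from the system configuration.
AUDIT_ENABLED = {"jdoe": True, "asmith": True, "bsmith": False, "admin": True}
# Events that grant, change or revoke access rights and must appear in the trail.
PRIVILEGE_EVENTS = {"GRANT_ROLE", "CHANGE_ROLE", "REVOKE_ROLE"}

def parse_line(line):
    """Split 'timestamp key=value ...' into a dict; None if the line is malformed."""
    ts, _, rest = line.partition(" ")
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    return {"ts": ts, **fields} if ts and "event" in fields else None

def review_audit_trail(lines, audit_enabled):
    events = [e for e in map(parse_line, lines) if e]
    failed = [e for e in events if e["event"] == "LOGIN" and e.get("result") == "FAIL"]
    failed_by_user = {}
    for e in failed:
        failed_by_user[e["user"]] = failed_by_user.get(e["user"], 0) + 1
    return {
        "failed_logins_logged": bool(failed),           # control: failures are recorded
        "failed_logins_by_user": failed_by_user,          # for reporting to the system owner
        "privilege_changes": [(e["ts"], e["user"], e["event"], e.get("target"))
                              for e in events if e["event"] in PRIVILEGE_EVENTS],
        "audit_disabled_users": sorted(u for u, on in audit_enabled.items() if not on),
        "malformed_lines": len(lines) - len(events),      # gaps worth a follow-up question
    }

if __name__ == "__main__":
    for key, value in review_audit_trail(LOG_LINES, AUDIT_ENABLED).items():
        print(f"{key}: {value}")
```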
Vendor contracts and service level agreements
Determine whether the contracts contain the following information
and are reviewed by the bank's legal counsel, if appropriate:
- Description of the work to be performed by the vendor.
- Applications to be processed and services to be provided.
- Responsibilities of both parties regarding the addition or deletion
of applications.
- Rights, responsibilities, and liability of each party.
- Basis of costs and description of additional fees.
- Ownership of software.
- Costs for satisfying special management requests, audit needs,
and regulatory requirements.
- On-line communications availability, transmission line security,
and transaction authentication.
- Operating hours of the on-line communication network.
- Responsibilities for the security of the communications network.
- Audit rights and responsibilities.
- Access, ownership, and control of customer data and other
confidential information.
- Training.
- Reasonable penalty and cancellation provisions.
- Prohibition against assignment of the contract by either party
without the other's consent.
Check that all purchased software and hardware are covered by
support contracts and the required licenses.
Check that service contracts cover 24 x 7 support for hardware and
software maintenance.
Check whether vendor contracts provide for patches and software
upgrades.
Verify that the vendor agreement clearly includes a software escrow
clause.
Physical controls and contingency planning
Visit the data center location and determine:
- whether access to the Internet Banking system is controlled;
- whether adequate fire detection and suppression equipment is
available; and
- whether the server is connected to an uninterruptible power supply
(UPS) and whether the UPS has been tested.
Review the backup policy. Determine the following:
- A policy exists that defines adequate backup frequency and
retention periods for backup data.
- The procedures relating to in-house and off-site storage of
backup data and programs are adequate.
Ensure that critical backups are stored in a secure, off-site location.
Determine that written contingency and business resumption plans
have been developed for failure of the Internet Banking system.
Workpaper templates (column headings only; the table bodies were
not recovered):
Template 1: Control Objective | Risk if Objective Not Met | Control
Technique | Critical audit objective (YES / NO) | Risk Rating |
Workpaper Reference | Performed By
Template 2: Date Expected | Date Completed | Budget Hours | Actual
Hours | Document Reference | Source | Reviewed By |
Remarks/Comments
Template 3: Audit Program Area | Audit Procedures | Ref. | Done By |
Time Spent | Date Expected | Date Finished | Remarks | Checked By
Template 4: Audit Program Area | Audit Procedure | Global Ref No. |
Control Objective | Risks | Control Activity Number | Control
Description | Key Control? | Frequency | Owner | Exceptions | Type |
Document Reference | Mapping to Standards
Template 5: Area | Date Completed | Completed By | Question | Yes |
No | Comment
Template 6: Finding Ref # | Control Testing Finding | Management
Response & Treatment
Get documents about "