
INFORMATION SYSTEM AUDIT REPORT

-Neeraj Kant
Introduction: Information security is the protection of information from a wide range of threats in order
to ensure business continuity and minimize a range of business risks. Essentially, it is the preservation of
the confidentiality, integrity and availability of information. This is particularly important with the increase in
interconnected computing environments and ever-increasing threats.
Audit Performance: We visited every branch of your District Co-operative Bank and examined
information system security by segregating it into 8 control domains:-

1. Physical Security
2. Environmental Control & Power
3. Computer(End Point) Security
4. Access Management
5. Banking Application
6. User Security Awareness.
7. Bank Customer Data Protection.
8. Network Communication

Compliance Status of Branches (number of compliant controls per branch)

IS Audit Domain                 No. of    Branch
                                Controls  01  02  03  04  05  06  07  08  09  10  11  12  13  14
Physical Security                  17      3   4   4   5   5   4   3   0   2   3   1   1   0   0
Environmental Control & Power      14      9   7   8   8   8   8   6   7   8   9   9   9   9   9
Computer(End Point) Security       13      9   7   6   8   8   8   7   4   4   9   6   6   8   7
Access Management                   6      4   2   4   4   4   4   4   1   3   5   4   5   4   4
Banking Application                12      6   8   8   6   6   6   8   8   6   7   6   5   8   5
User Security Awareness             3      3   3   3   3   3   3   3   3   2   3   3   3   3   3
Bank Customer Data Protection       5      3   5   3   3   3   3   3   3   3   3   3   5   3   3
Network Communication              14      9  12   6   8   8   8  10   7   9  10   8   7   8   7
Total                              84     46  48  42  45  45  44  44  33  36  49  40  39  43  38
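As an added example (not part of the audit report), the following Python script re-scores the compliance table above. It copies the per-branch figures from the report, computes the bank-wide compliance rate of each domain, recomputes each branch's total from the domain rows, and flags domains and branches that fall below a threshold. The 50% threshold and the function names are assumptions made for the illustration, not figures from the report.

```python
"""Compliance scoring over the branch-level IS audit table.

Added example; not part of the original audit report. The figures below are
copied from the report's "Compliance Status of Branches" table (14 branches,
84 controls in 8 domains). The 50 % threshold is an assumption for
illustration, not a threshold the report states.
"""

BRANCHES = [f"{n:02d}" for n in range(1, 15)]

# domain -> (number of controls, compliant-control counts for branches 01..14)
AUDIT_TABLE = {
    "Physical Security":             (17, [3, 4, 4, 5, 5, 4, 3, 0, 2, 3, 1, 1, 0, 0]),
    "Environmental Control & Power": (14, [9, 7, 8, 8, 8, 8, 6, 7, 8, 9, 9, 9, 9, 9]),
    "Computer (End Point) Security": (13, [9, 7, 6, 8, 8, 8, 7, 4, 4, 9, 6, 6, 8, 7]),
    "Access Management":             (6,  [4, 2, 4, 4, 4, 4, 4, 1, 3, 5, 4, 5, 4, 4]),
    "Banking Application":           (12, [6, 8, 8, 6, 6, 6, 8, 8, 6, 7, 6, 5, 8, 5]),
    "User Security Awareness":       (3,  [3, 3, 3, 3, 3, 3, 3, 3, 2, 3, 3, 3, 3, 3]),
    "Bank Customer Data Protection": (5,  [3, 5, 3, 3, 3, 3, 3, 3, 3, 3, 3, 5, 3, 3]),
    "Network Communication":         (14, [9, 12, 6, 8, 8, 8, 10, 7, 9, 10, 8, 7, 8, 7]),
}
TOTAL_CONTROLS = sum(n for n, _ in AUDIT_TABLE.values())  # 84 controls in total


def validate(table=AUDIT_TABLE, branches=BRANCHES):
    """Sanity check: every row must cover all branches and no cell may exceed
    its domain's control count. Returns a list of (domain, branch, value) problems."""
    problems = []
    for domain, (n_controls, counts) in table.items():
        if len(counts) != len(branches):
            problems.append((domain, "*", len(counts)))
            continue
        for branch, c in zip(branches, counts):
            if not 0 <= c <= n_controls:
                problems.append((domain, branch, c))
    return problems


def domain_compliance(table=AUDIT_TABLE):
    """Bank-wide compliance rate per domain: compliant cells / (controls x branches)."""
    return {
        domain: sum(counts) / (n_controls * len(counts))
        for domain, (n_controls, counts) in table.items()
    }


def branch_scores(table=AUDIT_TABLE, branches=BRANCHES):
    """Compliant-control total per branch, recomputed by summing the domain rows."""
    totals = [0] * len(branches)
    for _, counts in table.values():
        for i, c in enumerate(counts):
            totals[i] += c
    return dict(zip(branches, totals))


def weak_domains(threshold=0.5, table=AUDIT_TABLE):
    """Domains whose bank-wide compliance rate is below the (assumed) threshold."""
    return sorted(d for d, rate in domain_compliance(table).items() if rate < threshold)


def branches_below(threshold=0.5, table=AUDIT_TABLE, branches=BRANCHES,
                   total=TOTAL_CONTROLS):
    """Branches whose recomputed score is below threshold x total controls."""
    scores = branch_scores(table, branches)
    return sorted(b for b, s in scores.items() if s < threshold * total)


if __name__ == "__main__":
    assert validate() == [], validate()
    for domain, rate in sorted(domain_compliance().items(), key=lambda kv: kv[1]):
        print(f"{domain:32s} {rate:6.1%}")
    print("weak domains      :", weak_domains())
    print("branches below 50%:", branches_below())
```

Sorting the domains by rate puts Physical Security at the bottom by a wide margin, which matches the report's first and longest set of observations; the branch list is computed from the domain rows rather than read from the table's Total line, so it reflects the row data as given.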

Major Observations & Recommendations:

SN 1. Physical Security
Key Observation:
1. No physical security guard facility has been provided to the branches.
2. There is no inventory movement record, in particular for movement of media/information processing equipment, maintained for security and record purposes. It was also observed that in case of maintenance, installation or repair of any equipment, only the bill/service letter issued by the vendor is kept.
3. IT assets have not been labeled.
4. Asset records are maintained both in the system and in a manual register, but the register is not updated.
5. Cameras were not installed in any branch.
Recommendation:
1. At least one security guard must be present.
2. An inventory/media equipment movement record should be maintained separately, stating the purpose of each movement.
3. IT assets should be labeled for better monitoring in the branch.
4. CCTV cameras should be installed in the branches and a backup of 90 days should be maintained.
5. Access to CCTV console operation should be password protected and must be kept confidential.

SN 2. Environmental Security
Key Observation:
1. Fire extinguishers were not installed in the branches.
2. There is no power backup in the branches.
Recommendation:
1. A minimum of 2 fire extinguishers should be installed in each branch.
2. There has to be power backup, such as an inverter, DG or solar energy, in case of interruption of the primary power connection.

SN 3. Computer(End Point) Security
Key Observation:
1. Antivirus was not installed on the systems.
2. USB ports of the PCs were not disabled.
Recommendation:
1. A licensed antivirus package should be installed on the systems.
2. USB ports should be disabled.

SN 4. Access Management
Key Observation: User access registration is managed by the IT cell itself and all user IDs are non-generic. In a few branches only one PC was available.
Recommendation: User access rights should be closely monitored, and there should be an appropriate number of PCs to run branch operations efficiently.

SN 5. Banking Application
Key Observation: Banking applications are password protected with alphanumeric keys; however, there is no specific session timeout for a user in case of inactivity.
Recommendation: A session timeout on inactivity should be fixed. The IT policy and Internet usage policy should be circulated to the branches.

SN 6. User Security Awareness
Key Observation: Most service requests, reports or complaints regarding the different kinds of security incidents are made either over WhatsApp or by telephone.
Recommendation: There should be a formal procedure for reporting the various kinds of security incidents.

SN 7. Bank Data Protection
Key Observation: Customer data is secure within the branches; however, record maintenance should be improved, as records were kept in an unorganized manner.
Recommendation: Customer data should be maintained in an organized manner. In case any hardware item is taken out by the vendor, it should be ensured that the equipment does not contain any sensitive data.

SN 8. Network Communication
Key Observation: Network connections are secure, but network equipment was kept in the open.
Recommendation: Network equipment should be placed inside a box (enclosure) in a secure place.

