Blog

Home Blog Information System Controls, Risk Management & Assessment
27
Apr 2017

A step forward to GST
By Shah Sangoi & Associates LLP

Introduction
The growing dependence of most organization’s on Information Systems and the related risks, benefits and opportunities, have made Information Systems Control, Risk Management & Risk Assessment an increasingly critical tool for any organization. As without assurance on Information Systems, enterprises cannot feel certain that the information on which they base their mission-critical decisions are reliable, confidential, secure and available when needed. An Information Systems Controls, Risk Management & Risk Assessment evaluates the Information Systems from different perspectives such as security, quality, efficiency, reliability, etc. and reports on the risks and its impact on the organization and also suggest measures to eliminate or minimize the risks.

Key factors of an Information System
Information System mostly revolves around the three key factors i.e. Confidentiality, Integrity & Availability (CIA). Having said that an, organization should always take a note to have best IT & Information System practice in place to achieve CIA for any system or an organization as a whole. To achieve best IT & Information System policy an organization should have proper IT policy & procedures in place.

Key Information Technology Assets
Any organization has five main IT Assets as mentioned above, to protect these assets from the internal and external environment it is very important to have proper IT policy & procedures in place. To have proper IT policy & procedures there should be proper Risk Management & Risk Assessment done for these assets keeping in mind the CIA of the Information & Resources.
We as Shah Sangoi & Associates LLP can be an aid for your organization to set up proper System Controls and have all your policy & procedures in place. As setting up proper System Controls and doing proper Risk Management & Risk Assessment will help organization to achieve CIA of a system. It will also help the organization to set up proper controls to protect itself from internal and external environment.
We at Shah Sangoi & Associates LLP can also assist to safeguard your IT Assets. We can provide following kind of service related to Information System Controls, Risk Management & Risk Assessment.

List of Services related to Information System Controls, Risk Management & Risk Assessments are as follows:

Flow of Normal System Control Assignment:

IT Policies, Procedures & Documentation

  • Brief organization IT Policy
  • Preparing Network Architecture Diagrams and Documentation
    • Network Diagram
    • Diagram/Listing of hosts and servers running financial applications
    • Preparing Change Management Policy and Procedures
    • Management of Network Hardware and Software Inventory
  • Computer Operations Policies and Procedures
    • Preparing Security Policy
    • Preparing Password Policy
    • Preparing Acceptable Use Policy
  • Incident Response Policy (Required if any incident such as fire takes place)
  • Security Awareness Training
  • Firewall Configuration and Rule Structuring
    • Software Selection Policy and Procedures
    • Remote Access Policy
    • Acceptable Use Policies - May be covered in the employee manual
  • Preparing Email Policy
  • Preparing Instant Messaging Policy
  • Preparing Internet Usage Policy
  • Preparing Software Policy
  • Preparing Disaster Recovery Plans & Procedure/Business Contingency Plan
    • Preparing Data Backup and Recovery Policy
  • Listing of IT Related Insurance Coverage
  • Copies of Vendor Contracts and Service Level Agreements
  • Setting up Help Desk for Internal IT related issues
  • Any other policy as per the need of Organization
    People/Organizational Documentation:
  • Preparing Organization Chart
  • Setting up user security policy
  • Preparing user usage policy
    Hardware Controls include:
  • Servers
  • Workstations
  • Network hubs
  • Communication devices
  • Laptops/Computers etc
  • Printers
    Software Controls include:
  • Operating Systems
  • Critical Applications
  • Licensing
  • Upgrade Policies
  • User Training & Awareness
    General Controls include:
  • Application access controls
  • Physical access controls
  • Logical access controls
  • Environmental controls
  • Security controls
    Business Continuity/Disaster Recovery:
  • BCP manual, including Business Impact Analysis, Risk Assessment and Disaster Recovery process
  • Implementation of policies
  • Back-up procedures and recovery mechanism using back-ups
  • Storage of Back-up (Remote site, DRS etc.)
  • Redundancy – Equipment, Network, Site etc.
  • DRS installation and Drills - Management statement on targeted resumption capability (in terms of time required & extent of loss of data)
  • Evidence of achieving the set targets during the DRS drills in event of various disaster scenarios
    Data communication/Network controls include:
  • Network Administration – Redundancy, Monitoring, breakdown resolution etc.
  • WAN/LAN Management – Connectivity provisions for business continuity
  • Encryption - Router based as well as during transmission
  • Connection Permissions – Restriction on need to have basis
  • Fallback mechanism – Dial-up connections controls etc.
  • Hardware based Signing Process
  • Incidences of access violations in last year & corrective actions taken
    Security Controls – General Office Infrastructure include:
  • Security Policy & quality of implementation of the same
  • LAN security control and monitoring
  • OS & Database Security controls & monitoring
  • Internet connection controls – Firewall protection, Intrusion Detection System, Access rights and privileges
  • Virus protection – Controls to mitigate the Virus attacks/Outbreaks
  • Secured (digitally signed) e-mail with other entities like SEBI, other partners
  • Email Archival Implementation
    Performance audit include:
  • Comparison of changes in transaction volumes since previous audit
  • Review of systems (hardware, software, network) performance over period
  • Review of the current volumes against the last Performance Test performed

The scope of Information System Control, Risk Management & Risk Assessment is not restricted to the above mentioned list of service. The scope can be increase or decreases taking in view size of the organization and the criticality of the organizations IT Assets and the type of assignment to be conducted.

The above mentioned services are just to give an overview of types of services we provide which can be increased and are not restricted as mentioned above.

We can provide complete details of all the above mentioned services and any other services i.e. how the assignment will be conducted, a brief scope of the assignment and fees for the assignment on request of the management.

Shah Sangoi & Associates LLP. All rights reserved Developed & maintained by WebIdeas