A STUDY ON MANAGEMENT INFORMATION SYSTEM AT KPMG FOR DATA MANAGEMENT AND SECURITY-Ram Mohan Singh


A PROJECT REPORT

ON
“A STUDY OF MANAGEMENT INFORMATION SYSTEM AT KPMG FOR DATA MANAGEMENT AND SECURITY”

Submitted in partial fulfillment of the requirement for the award of Post Graduate Diploma In Management

2018 - 2020

UNDER THE GUIDANCE OF: Ms. Indira Bhardwaj
SUBMITTED BY: Shubham Garg

DELHI SCHOOL OF BUSINESS
(Affiliated to AICTE)
AU Block, Pitampura, New Delhi, Delhi 110034
AICTE NBA Accredited institute
CERTIFICATE FROM GUIDE

This is to certify that the project titled “A Study of Management Information System At KPMG for Data Management and Security” is an original work of the student and is being submitted in partial fulfillment for the award of the degree of PGDM from Delhi School Of Business, New Delhi. This report has not been submitted earlier either to this university or to any other university/institution for the fulfillment of the requirement of a course of study.

SIGNATURE OF SUPERVISOR
Place: Delhi
Date:

SIGNATURE OF STUDENT
Place: Delhi
Date:
DECLARATION

I hereby declare that the Project Report entitled “A Study of Management Information System At KPMG for Data Management and Security” has not been submitted previously as the basis for the award of any degree. This work embodies the result of my original work conducted under the supervision of Ms. Indira Bhardwaj. The information submitted is true and original to the best of my knowledge.
ACKNOWLEDGEMENT

I have prepared this study paper on “A Study of Management Information System At KPMG for Data Management and Security”. I have derived the contents and approach of this study paper through discussions with colleagues who are also students of this course, as well as with the help of various books, magazines and newspapers, etc.

I would like to give my sincere thanks to Ms. Indira Bhardwaj, the teacher who, through her guidance, enthusiasm and counseling, helped me enormously. I think there will always be a need for improvement. Apart from this, I hope this study paper will stimulate the need for thinking and discussion on topics like this one.
TABLE OF CONTENTS

Chapter / Topic / Page No.

• Certificate of originality (ii)
• Declaration (iii)
• Acknowledgement (iv)
• Executive summary (v)

Chapter-1: Introduction (1-7)
• Rationale of the study
• Purpose
• Statement about the problem
• Why is the particular topic chosen
• What contribution would the project make and to whom?

Chapter-2: Company Profile (8-23)
• The Executive Team
• History
• Recent History
• Global Structure
• KPMG International is led by
• KPMG offers the following services
• Name and Branding
• Staff
• Corporate Citizenship
• Living Green
• Development
• Development Partners
• What we do?
• Consumer Market
• Financial Services
• Private Equity

Chapter-3: Objective of the Study (24-25)

Chapter-4: Research Methodology (26-29)
• Research Design
• Primary data
• Secondary data
• Data Collection
• Developed the Research Frame
• Nature of Study
• Instrument Used
• Method we have used to present data
• Limitation of the study

Chapter-5: Literature Review (30-44)
• Organization of Information Security
• Information Asset Management
• Human Resources Security
• Physical and Environmental Security
• Communications and Operations Management
• Access Control
• Information Systems Acquisition, Development and Maintenance
• Information Security Incident Management
• Compliance/Audit
• Security awareness training program
• Automation of user-provisioning
• Policy compliance linked to remuneration
• Outsourced employee screening process
• World-Check used in screening process
• Effective data disposal procedures
• Clear office policy
• Internal vulnerability scanning
• Application restricts client data downloads
• Electronic diary system for compliance checks
• Bespoke recertification reporting system
• Live data is anonymized before use in test system
• Incident response procedures in place

Chapter-6: Data Analysis & Interpretation (45-69)

Chapter-7: Recommendation & Conclusion (70-75)

Bibliography/References (76-77)

Annexure-1: Questionnaire (78-82)
Chapter-1
Introduction

INTRODUCTION

A Management Information System is the enabling technology for delivering the right information, to the right recipient, at the right time, and for supporting the decision-making process. With the help of MIS, information from different sources at various levels of granularity is harmonized and aggregated in a central data warehouse and feeds specific applications. These applications answer specific questions of business departments (e.g. working capital analysis, spend analysis, sales analysis) based on a multidimensional data model that allows root-cause analysis across different dimensions (e.g. region, product, customer, entity, and scenario):

• Software selection of MIS (e.g. best-of-breed or single-vendor strategy)
• Optimization of existing MIS regarding speed, scalability and functionality
• Information management (incl. master data, interfaces, data governance)
• Realization of MIS from conceptual design to go-live and post-implementation services

Information is what is used in the act of informing or the state of being informed. Information includes knowledge acquired by some means. It is processed data, which in turn is a collection of raw facts, observations and figures. Management is usually defined as planning, organizing, directing, staffing and controlling the business operation. This definition, which evolved from the work of Henri Fayol in the early 1900s, defines what a manager does, but it is probably more appropriate to define what management is rather than what management does.

Management is the process of allocating an organization's inputs, including human and economic resources, by planning, organizing, directing, and controlling for the purpose of producing goods or services desired by customers so that organizational objectives are accomplished. If management has knowledge of the planning, organizing, directing, and controlling of the business, its decisions can be made on the basis of facts, and decisions are more accurate and timely as a result.

Information is the basis for every decision taken in an organization. The efficiency of management depends upon the availability of regular and relevant information. Thus it is essential that an effective and efficient reporting system be developed as part of the accounting system. The main object of management information is to obtain the required information about the operating results of an organization regularly in order to use it for future planning and control.

The old techniques like intuition, rule of thumb, personal whim and prestige, etc. are now considered useless in the process of decision taking. Modern management is constantly on the lookout for quantitative information which can help in analyzing the proposed alternative actions and choosing one as its decision. Thus, modern management functions are information-oriented, more popularly known as “management by information”, and the system through which information is communicated to the management is known as the “management information system (MIS)”. The management needs full information before taking any decision. Good decisions can minimize costs and optimize results. A management information system can help the management in undertaking management decisions smoothly and effectively.

Definition of MIS: Management information systems are those systems that allow managers to make decisions for the successful operation of businesses. MIS refers broadly to a computer-based system that provides managers with the tools for organizing, evaluating and efficiently running their departments. In order to provide past, present and prediction information, an MIS can include software that helps in decision making, data resources such as databases, the hardware resources of a system, decision support systems, people management and project management applications, and any computerized processes that enable the department to run efficiently. An organization’s structure may be of many types, the most common of these being:

• The hierarchical organizational structure
• The flat organizational structure

A horizontal organizational structure is what we call the traditional structure or, at times, the bureaucratic structure, where there are one or more levels between the most junior and the most senior employees. This helps in proper distribution of work but can be harmful in terms of efficiency and decision making.

RATIONALE OF THE STUDY

A Database Management System (DBMS) is a computer program (or more typically, a suite of them) designed to manage a database, a large set of structured data, and run operations on the data requested by numerous users. Typical examples of DBMS use include accounting, human resources and customer support systems.

Originally found only in large companies with the computer hardware needed to support large data sets, DBMSs have more recently emerged as a fairly standard part of any company back office.

Purpose

Computer databases provide an excellent format with which to manage emergency responders’ information. In order to maintain privacy required by law and to facilitate efficient communication between agencies, issues of information security and interoperability must be addressed in the pre-deployment phase to ensure accurate management of responders during deployment and enable reliable, comprehensive monitoring and surveillance post-deployment.

Statement about the problem:

As business opportunities increase for banks, so do the risks in protecting the financial
data and personal information of their customers. With threats becoming more
sophisticated, and budgets and security teams shrinking, all signs point to continued
information security struggles for the financial sector. And with banking customers
throwing caution to the wind when online banking, many financial institutions are
finding themselves in quite a bind. Information Management is increasingly becoming
the very core of banking operations. As more and more financial transactions are
conducted without the use of currency, it is only information that is exchanged instead
of real money.

A management information system (MIS) is an information system used for decision-making, and for the coordination, control, analysis, and visualization of information in an organization.

The study of management information systems examines people, processes and technology in an organizational context. In a corporate setting, the ultimate goal of the use of a management information system is to increase the value and profits of the business.

KPMG Digital Signals Insights Platform: insights into digital risks from your organisation’s external presence on social media, cyber, dark web and external vendor affiliations; a comprehensive approach to digital risk management. The platform is an intelligent, always-on application which helps clients identify, assess and act on insights arrived at from a set of digital risks.

While it can be contested that the history of management information systems dates as far back as companies using ledgers to keep track of accounting, the modern history of MIS can be divided into five eras originally identified by Kenneth C. Laudon and Jane Laudon in their seminal textbook Management Information Systems.

• First Era – Mainframe and minicomputer computing
• Second Era – Personal computers
• Third Era – Client/server networks
• Fourth Era – Enterprise computing
• Fifth Era – Cloud computing

• Digital Recon: Reconnaissance of your known and unknown digital assets
• Threat intelligence and cyber exposure: Assess, monitor and analyse external threats
• Third party supplier exposure: Reduce risk emerging from your third party vendors
• Social media command centre: Analyse and govern social media signals
• Sensitive data leakage: Detect release of corporate data/intellectual property
• Brand protection: Safeguard your brand reputation and build customer trust
• Dark web mentions: Detect emerging cyber threats and sale of compromised customer data
• Integrated application for monitoring digital footprints
• Industry leadership: KPMG in India’s understanding of what insights lend the most value to business helps companies stay on track and deal with digital risks that could unhinge their business survival
• Industry specific context: Taxonomy of risk topics and key words tailored to each industry over the years
• Deep analytics on unstructured data: Automated first level analysis of associated affiliates and similar domains to identify malicious websites
• Always-on platform: Automated monitoring of all channels and identification of key risks across the World Wide Web

Why is the particular topic chosen:

In this review we found many examples of good practice with relatively few areas for improvement. However, data security is a rapidly moving area and demands a process of continuous improvement.

Most employees were formally required to agree their on-going compliance with data security policies, but several did not share their policies with third-party handlers of customer data.

Company has implemented a wide range of data leakage prevention controls. However, surprisingly few had an inventory of information assets (i.e. what data is held, its sensitivity, who owns it etc.), and only a small number had begun to implement data classification and protective markings.

What contribution would the project make and to whom?:

KPMG is one of the largest professional services firms in the world and one of the Big Four auditors, along with Deloitte, Ernst & Young (EY) and PwC. Its global headquarters is located in Amstelveen, Netherlands. KPMG employs 138,000 people and has three lines of services: audit, tax, and advisory.

KPMG was established in India in September 1993, and has rapidly built a significant competitive presence in the country. The firm operates from its offices in Mumbai, Pune, Delhi, Kolkata, Chennai, Bangalore, Hyderabad, Kochi and Chandigarh, and offers its clients a full range of services, including financial and business advisory, tax and regulatory, and risk advisory services.

In India, KPMG has a client base of over 2700 companies. The firm's global approach to service delivery helps provide value-added services to clients. The firm serves leading information technology companies and has a strong presence in the financial services sector in India while serving a number of market leaders in other industry segments.

CHAPTER-2
COMPANY PROFILE

COMPANY PROFILE

KPMG is one of the largest professional services firms in the world and one of the Big Four auditors, along with Deloitte, Ernst & Young (EY) and PwC. Its global headquarters is located in Amstelveen, Netherlands. KPMG employs 138,000 people and has three lines of services: audit, tax, and advisory.

KPMG was established in India in September 1993, and has rapidly built a significant competitive presence in the country. The firm operates from its offices in Mumbai, Pune, Delhi, Kolkata, Chennai, Bangalore, Hyderabad, Kochi and Chandigarh, and offers its clients a full range of services, including financial and business advisory, tax and regulatory, and risk advisory services.

In India, KPMG has a client base of over 2700 companies. The firm's global approach to service delivery helps provide value-added services to clients. The firm serves leading information technology companies and has a strong presence in the financial services sector in India while serving a number of market leaders in other industry segments.

Our differentiation is derived from rapid performance-based, industry-tailored and technology-enabled business advisory services delivered by some of the leading talented professionals in the country. KPMG professionals are grouped by industry focus and our clients are able to deal with industry professionals who speak their language. Our internal information technology and knowledge management systems enable the delivery of informed and timely business advice to clients.

The Executive Team:

The Executive Team is the principal governing body of KPMG's operations in India. The team is headed by the Chief Executive Officer and includes the Deputy Chief Executive Officer, Chief Operating Officer and the Heads of functions.

• Russell Parera, Chief Executive Officer
• Dinesh Kanabar, Deputy CEO and Chairman Tax
• Akhil Bansal, Chief Operating Officer
• Richard Rekhy, Head of Advisory
• Uday Ved, Head of Tax
• Vikram Utamsingh, Head of Markets
• Sammy Medora, Head of Risk

History:

Early years and mergers:

The firm was established in 1870 when William Barclay Peat formed an accounting firm in London. In 1877 accountancy firm Thomson McLintock opened an office in Glasgow and in 1911 William Barclay Peat & Co. and Marwick Mitchell & Co. merged to form Peat Marwick Mitchell & Co, later known as Peat Marwick.

Meanwhile in 1917 Piet Klijnveld opened his accounting firm in Amsterdam. Later he merged with Kraayenhof to form Klynveld Kraayenhof & Co.

In 1979 Klynveld Kraayenhof & Co. (Netherlands), Thomson McLintock (United States) and Deutsche Treuhandgesellschaft (Germany) formed KMG (Klynveld Main Goerdeler) as a grouping of independent national practices to create a strong European-based international firm. Then in 1987 KMG and Peat Marwick joined forces in the first mega-merger of large accounting firms and formed a firm called KPMG in the US, and most of the rest of the world, and Peat Marwick McLintock in the UK.

In 1990 the two firms settled on the common name of KPMG Peat Marwick McLintock but in 1991 the firm was renamed KPMG Peat Marwick and in 1999 the name was reduced again to KPMG.

In 1997 KPMG and Ernst & Young announced that they were to merge, in a manoeuvre largely seen as a spoiling tactic over the merger of Price Waterhouse and Coopers & Lybrand. However that merger, to form PricewaterhouseCoopers, was granted regulatory approval while the KPMG/Ernst & Young tie-up was later abandoned.

Recent History:

In 2001 KPMG divested its U.S. consulting firm through an initial public offering of KPMG Consulting Inc, which is now called BearingPoint, Inc. In early 2015, BearingPoint filed for Chapter 11 bankruptcy protection and proceeded to sell portions of the firm to Deloitte, PricewaterhouseCoopers, and other parties.

The UK and Dutch consulting arms were sold to Atos Origin in 2002.

In 2003 KPMG divested itself of its legal arm, Klegal, and KPMG LLP sold its Dispute Advisory Services to FTI Consulting.

KPMG's member firms in the United Kingdom, Germany, Switzerland and Liechtenstein merged to form KPMG Europe LLP in October 2013. These member firms were followed by Spain, Belgium, the Netherlands, Luxembourg, CIS (Russia, Ukraine, Kyrgyzstan, Kazakhstan, Armenia and Georgia), Turkey, Norway, and Saudi Arabia. They appointed joint Chairmen, John Griffith-Jones and Ralf Nonnenmacher. The new headquarters were located in Frankfurt, Germany.

It was announced in December 2018 that two of Tremont Group’s Rye Select funds, audited by KPMG, had $2.37 billion invested with the Madoff "Ponzi scheme." Class action suits were filed.

Global Structure:

Each national KPMG firm is an independent legal entity and is a member of KPMG International Cooperative, a Swiss entity registered in the Swiss Canton of Zug. KPMG International changed its legal structure from a Swiss Verein to a co-operative under Swiss law in 2003.

KPMG International is led by:

• Timothy P. Flynn, Chairman, KPMG International
• Michael Wareing, CEO, KPMG International
• John Griffith-Jones, Chairman, Europe, Middle East, Africa and India Region
• John Veihmeyer, Chairman, Americas Region
• Carlson Tong, Chairman, Asia Pacific Region

Services:

KPMG offers the following services:

• Audit:
  1. Financial Statement Audit
  2. Regulatory Audit

• Tax: Business and Personal Tax services

• Advisory: KPMG's advisory services are organized into three themes (growth, governance and performance) and nine service lines:
  1. Accounting Advisory Services
  2. Business Performance Services
  3. Corporate Finance
  4. Financial Risk Management Services
  5. Forensic
  6. Internal Audit, Risk and Compliance Services (IARCS)
  7. IT Advisory
  8. Restructuring
  9. Transaction Services (M&A)

Name and Branding:

Roots for the name KPMG stem from the names of four partners who merged their own independent accounting firms:

• K stands for Klynveld, after Piet Klynveld, founder of the accounting firm Klynveld Kraayenhof & Co. in Amsterdam in 1917.
• P stands for Peat, after William Barclay Peat, founder of the accounting firm William Barclay Peat & Co. in London in 1870.
• M stands for Marwick, after James Marwick, co-founder of the accounting firm Marwick, Mitchell & Co. in New York City in 1897.
• G stands for Goerdeler, after Reinhard Goerdeler, chairman of the German accounting firm Deutsche Treuhand-Gesellschaft (DTG) and, later, chairman of KPMG.

Staff:

The US branch of KPMG was rated one of the top 10 companies for working mothers. It is also ranked No. 56 on Fortune Magazine's list of 100 Best Companies to Work For, voted for by employees.

KPMG ranks No. 5 out of 125 among companies with the best training programs according to "Training Magazine".

KPMG was the preferred employer among the Big Four accounting firms according to CollegeGrad.com. It was also ranked No. 4 on the list of "50 Best Places to Launch a Career" in 2015 according to Business Week.

In 2018 KPMG in the UK was named the best big company to work for by The Times. This was the fourth consecutive year that KPMG had made the top three, winning three times in those four years. If a good position is obtained in the survey, staff receive an extra day's holiday; some have suggested that this could influence how staff fill in the survey, thus putting the validity of the award in doubt.

In 2015 in the UK, KPMG introduced a program known as 'Flexible Futures'. This allowed staff to volunteer to give the firm the option either to send them on a sabbatical at 30% pay for up to 12 weeks, or to reduce their working hours to 4 days a week. The option remains open to the firm until October 2016. This facility has been invoked by the firm in some departments. KPMG publicized this as innovative and an alternative approach to redundancies. Reaction within the firm was generally positive, with over 75% of staff volunteering. However, over 100 staff had been made redundant prior to this announcement, leading some to accuse KPMG of being hypocritical in the message that they were given.

In October 2016, for the 8th year in a row, KPMG was named one of "Canada's Top 100 Employers" by Mediacorp Canada Inc., and was featured in Maclean's newsmagazine. In November 2016 KPMG was also named one of Greater Toronto's Top Employers, which was announced by the Toronto Star newspaper.

Corporate Citizenship:

With each year we have seen a significant growth in commitment and willingness to contribute from our leadership and our people. Our Citizenship agenda is essentially driven by this commitment. There is tangible evidence that the commitment matters to our people, our clients and the communities we work and live in. We have not only demonstrated sustainability, but also an increased reach within our communities through our initiatives.

Commitment to our communities is not a mere statement. It is a defining value of our corporate culture, and the factor that gives us a great sense of pride.

We not only look at what we can do locally, but also at contributing towards global commitments such as the Millennium Development Goals and the ‘Living Green’ initiative.

‘Sustainability’ is a key component that we incorporate into our planning. We encourage the same thought process with our development partners and stakeholders. Our focus on capacity building with development partners helps them strengthen their foundations, thereby improving their impact within the community.

Apart from these programs, KPMG in India dedicated 18 percent of the annual citizenship budget towards the environmental initiatives. These included investments through our development partners in rainwater harvesting structures, solar energy units, tree planting and even a waste paper recycling unit. Internally we are working towards reducing air travel, consumption of electricity and natural resources, and are developing awareness towards recycling.

Our people, and their skills, are a huge inspiration and our most valuable asset in making a positive impact within our communities. By aligning our strategy to focus on global issues with a local touch, we provide our people with a platform to share their skills, and with wide ranging opportunities where they can make a difference.

Why Corporate Citizenship:

Corporate Citizenship in KPMG is defined as “that part of our strategy which shapes our values and influences the choices we make and the relationships we have with our communities.” Our initiatives revolve around three themes – Development, Education and the Environment – that have been shaped by the following:

Our Values:

Our commitment to our communities is set out clearly in our values and encourages us to act responsibly and do the right thing at all times.

Our People:

An overwhelming majority of our people views us as environmentally and socially responsible, and welcomes a clear opportunity to volunteer. By putting our people’s time and skills to work in our communities, we are able to focus their passion towards sustainable community development.

Living Green:

Our Living Green program is driven by our commitment to the environment, and by our belief that the threats posed by climate change need to be tackled immediately.

Clients:

Our clients seek to incorporate a responsible approach in their businesses, and positively acknowledge us as service providers who share this vision.

Development

Our development initiatives have been shaped by our commitment to the MDGs. We work with a number of organizations, known to us as development partners, to achieve the goal of sustainable development in our community. We devote resources and time towards helping them build capacity and increase the scope of their initiatives. Our community initiatives and volunteering programs have been growing steadily over the years as we build effective partnerships.

Development Partners:

We identify our development partners, in cities where we have our offices, based on criteria such as the objectives of the organizations, size and scope for employee engagement, and opportunities to improve infrastructure and enhance programs. Through our regular employee engagement initiatives, we help employees build relationships with our development partners and direct their time and energy towards achieving community development.

What we do?

KPMG in India provides tax and advisory services and industry insights to help organizations negotiate risks and perform in the dynamic and challenging environments in which they do business.

Tax:

Enhancing shareholder value is a fundamental concept which drives every management effort in the modern business environment. Progressive and bottom-line focused managements have realized that taxes (both direct and indirect, domestic and international) should be viewed as a dynamic item of cost rather than a passive charge on the profits. Indeed, effective tax-cost management provides a distinct competitive advantage. This requires the application of appropriate tax strategies, proactively identified and surgically implemented. We have developed a total tax management capability which encompasses the entire spectrum of direct, indirect and personal taxes. Our approach to tax planning is multi-jurisdictional. We, together with other member firms’ offices spread across the globe, can provide quality national and international tax advice. Our professionals are drawn from a wide variety of backgrounds. Industry specialization, service line specialization, international exposure and advanced training equip them to work with our clients and be their advisors in a wide spectrum of their business processes.

Advisory:

The challenges of international competition and the increasing complexity of information flows have widened the financial and business risks faced by companies. With increasing regulatory requirements, the need for greater transparency in operations, and disclosure norms, stakeholders require assurance beyond the traditional critique of numbers. Hence assurance is increasingly being required on industry issues, business risks and key business processes.

Industries:

At KPMG in India, we recognize that major global companies with operations in many countries around the world have very special needs, whether they are addressing strategic issues, cross-border mergers or acquisitions, risk management, organizational and infrastructure change, e-commerce or any other challenges raised or complicated by being international. We believe that we cannot truly add value for our clients without a thorough understanding of their industry throughout the world. This is why we invest in continuously improving our knowledge of the industries we serve.

Consumer Market:

Though India was largely unaffected by the global economic crisis of 2018-19 as compared to other emerging economies, the country did face a small road-bump in its fast-paced economic growth. While Indians are still highly optimistic about the resurgence of economic conditions after the crisis, they continue to maintain a tight grip on their wallets.

Indian consumer markets are changing fast, with dramatic shifts in buying behavior, the development of a modern urban lifestyle, the emergence of the kind of trend-conscious consumers that India has never seen before, increased use of service sectors and the power of the retailer as the link between buyer and seller.

As these changes sweep across India, the country is witnessing the creation of new markets and further expansion of the existing ones, hence intense competition and few easy pickings.

Consumer Markets is one of the largest among KPMG's lines of business, and includes some of the leading names in the F&B (Food & Beverage), FMCG (Fast Moving Consumer Goods), Retail, logistics and consumer durables segments.

KPMG in India, with its vast repertoire of skill sets and resources, is well positioned to offer clients business advisory services customized to meet their needs. These include, but are not restricted to, providing internal audit, accounting advisory, financial advisory, business advisory and tax & regulatory services specific to any of the below-mentioned sub-segments and industries.

Providing sophisticated yet meaningful approaches is a result of KPMG's alignment towards clear lines of business, in which it has dedicated professionals specializing in the chosen lines of business.

Financial Services:

KPMG in India, since its inception in India, has been recognized as one of the market leaders in the Banking and Finance advisory practice. It has executed turnkey projects which have been significant in India. KPMG has a strong traditional presence in the Assurance and Tax practices, as well as:

- Restructuring
- Risk management
- Process improvement
- Entry strategy
- US GAAP conversions
- Acquisitions and consolidation advisory
- JV search/entry strategies for the Insurance sector

The Banking & Finance and Insurance team works on business strategy assignments. The Group has worked on entry strategy, business transformation, risk management, retail strategy, business performance improvement and operations management for companies and financial institutions. Insurance and investment management are two growing areas where the team is working on assignments on entry strategy and operational restructuring.

Private Equity:

The private equity environment in India has fundamentally changed post the credit crunch. Deal volume, size of investments and fund raising, which had been severely impacted, have started improving.

India continues to be the favored investment destination among emerging markets due to its high growth potential. A growing number of private equity investors are set to return to the market in 2019, but the challenges and risk of investments remain high. Private equity firms may need to focus on compliance and corporate governance in their portfolio companies and act as a catalyst of change. They may also have to develop the operational skills needed to help improve the performance of their portfolio companies.

India is growing at a GDP rate of 7.2 percent and, as the economy grows, there are huge opportunities in infrastructure ventures, the most popular investment targets. Huge growth potential exists in derivative industries such as construction and engineering, steel and cement. The rise of the Indian middle class has also created a continuous boom in the consumer goods, auto and retail sectors. Interest in IT and telecom will also remain strong. Thus the demand for PE capital will be strong in 2019.

KPMG in India has a premier market position with PE firms and is amongst the first in India to create a coordinated multi-disciplinary PE group that works closely with leading PE investors and their portfolio companies. Our group mirrors the PE life cycle and provides services to PE houses that range from fund raising and investing to nurturing portfolio companies and exiting.

Reflecting the needs of the current times, our PE group is experienced in providing a range of services to nurture portfolio companies to create value. The wide range of post-deal services includes statutory and internal audit; risk assessment and corporate governance; IT advisory; corporate restructuring and cost optimization approaches.

CHAPTER-3
OBJECTIVE OF THE STUDY

Objectives

- To analyze the management information system at KPMG for data management and security.
- To identify the data security and management information system in KPMG.
- To analyze the effectiveness of data and information security at KPMG.
- To identify the role of IT in data and information security in KPMG.
- To explore the challenges faced by KPMG in its data and information management information system.

Chapter-4
Research Methodology

Methodology used: The research methodology adopted was based on secondary data.

The research methodology used here was purely exploratory, because exploratory research is used when one is seeking insight into the general nature of a problem, the possible decision alternatives and the relevant variables that need to be considered. Such research is also helpful for establishing priorities among research questions and for learning about the practical problems of carrying out the research.

RESEARCH DESIGN

Primary data is collected through a questionnaire, and through search and research at the places where today's EAPBX systems are mostly used.

Secondary data is searched from sources such as company magazines, newspapers, journals and websites, and data has also been collected through other approaches.

The researcher used both primary and secondary data to fulfill the research objectives. Interviews were conducted to gather the primary data. Secondary data was collected through online references, magazines and newspapers.

The research used both primary and secondary data.

Data Collection

The researcher collected information through the offices of government organizations, official websites, magazines and journals.

Developed the Research Frame

This included deciding upon the various aspects of the project on which the entire research is based. The research frame included the following.

Nature of Study

The project on which the researcher worked is descriptive and inferential in nature.

Instrument Used

The researcher used a Questionnaire cum Schedule for market research. The Questionnaire was prepared by the researcher and the Schedule was provided by the company in which the researcher did the research.

Primary Data: Questionnaire Survey.

Sample Size: 60

Target Respondents: Employees of KPMG

Secondary Data:

The secondary data in this research was collected through news articles, journals, magazines, peer reviews and published databases.

Method used to present data:

Excel Chart, Pie Chart

LIMITATION OF THE STUDY

- A Management Information System (MIS) is a valuable tool that company management uses to gauge the effectiveness of its business operations. The MIS can provide detailed insight into certain portions of a company and also assist management with making critical business decisions. While the style and format of the MIS has changed over the years, its use in management decisions has increased greatly.
- An MIS is one method a company uses to obtain reliable information regarding its business operations. The MIS should not be concerned with whether the information can be retrieved, but rather with how and what information should be retrieved so that management can make effective decisions. Once information is provided through the MIS, decisions can be made regarding the effectiveness of business operations. Limitations do exist with an MIS, such as the expense to create and implement an MIS, training time for employees, lack of flexibility and capturing wrong or incomplete information.
- The study does not consider market fluctuations in any of its calculations.
- Analysis is very much dependent on the company’s internal bulletin.

CHAPTER-5
LITERATURE REVIEW

Organization of Information Security

The allocation of security roles in professional services was largely dependent on each organization’s size. However, it was reassuring to see that each company had at least one individual locally with day-to-day responsibility for data security. Some were trained and dedicated to the role; others were not. In either case, local security representatives were closely linked to central security teams located elsewhere in the group. The critical success factor is that everyone is clear on who is responsible for what, both in terms of day-to-day security and in the event of a problem.

Most respondents maintained that security is a regular topic of discussion at board meetings or through various risk-focused sub-committees. Several said data security was a standing agenda item. A small number said that security was only discussed when issues arose, rather than proactively planning for data security threats. Some only discussed the subject annually.

With security threats ever changing, only a proactive approach to managing risk is likely to be effective. Hearing about issues after the event is not good governance, and an annual review of the topic does not constitute a comprehensive risk management process.

Information Asset Management

The term “information assets” refers to any data that is of value; common categories include customer, corporate, and employee data. Typically in private banking the details and make-up of the customer base was perceived as an asset and, in the event of the discontinuation of the company, it may be a saleable asset. These assets usually reside in applications, databases, and paper records. Significantly, most companies failed to understand what the term “information asset” meant, with many assuming it to relate to computer equipment. This section of the ISO 27001 standard includes the following categories:

- Inventory of information assets
- Ownership of assets
- Acceptable use of assets
- Classification guidelines
- Information labeling and handling

Only one third had any form of information asset inventory. Only six had a specific information asset inventory, with many others relying on service catalogues and application registers. Without such a record of what data is held, where it is held, who controls it, how sensitive it is, and how it is protected, security breaches can be difficult to respond to. Furthermore, unless you have a clear view of what data you are trying to protect, there is no way of knowing whether you have appropriate protection in place.

Sixty percent claimed to have a data classification scheme, but only 17% had specific labeling. Several took the view that everything is confidential and applied the same level of controls across the board. This may be possible for low-complexity companies, but is not an efficient way of applying security controls. A small number classified data by client, according to the client risk assessment; this is a step in the right direction.

The above gaps bring into question the true levels of awareness of and compliance with the ISO 27001 standard, as well as pointing to shortcomings in the data leakage programs that many companies claimed to have. It is also at odds with the Commission’s Code of Practice for companies, which provides direction on several operational risk requirements, including “Adequate system security and data protection procedures should be established.”
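The asset inventory, ownership, classification and labeling points above can be made concrete with a small register and the checks an auditor would run over it. The following is an added illustration, not code from the study or from KPMG; the asset names, owners, control names and the per-class control minimums are constructed assumptions standing in for an organization's own classification guidelines.

```python
# Added example (not from the study or KPMG): a minimal information-asset
# inventory with the checks the ISO 27001 asset-management categories above
# call for. Asset names, owners and the control policy are constructed.
from collections import Counter
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional, Set, Tuple


class Classification(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Minimum handling controls per classification level (assumed policy, for
# illustration only; a real scheme comes from the organisation's guidelines).
REQUIRED_CONTROLS = {
    Classification.PUBLIC: set(),
    Classification.INTERNAL: {"access_control"},
    Classification.CONFIDENTIAL: {"access_control", "encryption_at_rest", "labeling"},
    Classification.RESTRICTED: {"access_control", "encryption_at_rest", "labeling", "access_logging"},
}


@dataclass
class InformationAsset:
    name: str
    location: str                              # application, database or paper store
    owner: Optional[str]                       # accountable business owner, None if unassigned
    classification: Optional[Classification]   # None if never classified
    controls: Set[str] = field(default_factory=set)


def inventory_gaps(assets: List[InformationAsset]) -> List[Tuple[str, str]]:
    """Return (asset, problem) pairs: assets with no owner, no classification,
    or controls below the policy minimum for their class."""
    gaps = []
    for a in assets:
        if a.owner is None:
            gaps.append((a.name, "no owner"))
        if a.classification is None:
            gaps.append((a.name, "not classified"))
            continue  # cannot judge controls without a class
        missing = REQUIRED_CONTROLS[a.classification] - a.controls
        if missing:
            gaps.append((a.name, "missing " + ", ".join(sorted(missing))))
    return gaps


def classification_profile(assets: List[InformationAsset]) -> Counter:
    """Count assets per class, so a register where everything sits in one class
    (the 'everything is confidential' pattern the review criticises) stands out."""
    return Counter(a.classification.name if a.classification is not None else "UNCLASSIFIED"
                   for a in assets)


def single_class_only(assets: List[InformationAsset]) -> bool:
    """True when every classified asset carries the same classification."""
    classes = {a.classification for a in assets if a.classification is not None}
    return len(classes) == 1


# Constructed sample inventory.
SAMPLE_ASSETS = [
    InformationAsset("client KYC records", "core banking database", "Head of Private Banking",
                     Classification.RESTRICTED,
                     {"access_control", "encryption_at_rest", "labeling", "access_logging"}),
    InformationAsset("employee payroll extract", "finance file share", "HR Director",
                     Classification.CONFIDENTIAL, {"access_control"}),
    InformationAsset("product brochure", "public website CMS", "Marketing",
                     Classification.PUBLIC),
    InformationAsset("board minutes archive", "paper store, room 4", None, None),
]

if __name__ == "__main__":
    for name, problem in inventory_gaps(SAMPLE_ASSETS):
        print(f"{name}: {problem}")
    print(dict(classification_profile(SAMPLE_ASSETS)))
```

Running it over the sample register reports the payroll extract as under-protected for its class and the paper archive as both unowned and unclassified, which is exactly the information the text says a breach response needs and most surveyed companies could not produce.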

Human Resources Security

HR security covers the lifecycle of an employee from joining to leaving. It includes screening, granting and revoking system access, awareness training and contractual obligations for security.

All questionnaire respondents used multiple verification checks when taking on new staff and contractors. Methods included credit and police checks, and verification of references, qualifications and employment history. One performed annual credit checks on its staff; another did random re-screenings. To some, follow-up verifications may seem overly intrusive, but even good employees can turn bad, so ‘Know Your Employee’ procedures should be appropriate but thorough.

There was significant variance in companies’ approaches to employee security awareness training. Some just relied on initial induction training, or self-service online materials. A number felt that AML and anti-fraud training covered information security adequately, a view that we do not share. Conversely, others approached security awareness as an on-going program, using a mix of delivery media, pushed out regularly. Examples included tutor-led and CBT training, security bulletins, poster campaigns and even desktop calendars. This multi-pronged and continuous approach is likely to achieve the best results.

Physical and Environmental Security

Most organizations control physical access by swipe card. Further controls included CCTV and weekly reviews of computer room access. Surprisingly, some manual combination locks were still in use, and some of these only had their codes changed annually, while others were changed on staff departure. Changes after staff leave and at regular intervals are essential. For this reason, in all but the smallest organization, any standalone lock mechanism is unlikely to be a viable solution. All had a clear desk policy. Several went further and practiced enforcement through regular checks of work areas, sometimes daily.

Most had a secure disposal policy, which stipulated approved disposal methods. Many required destruction to be supervised. Methods included shredding or smashing disks, incineration, and degaussing (de-magnetization of hard disks and tapes). In some cases destruction was certified. This last step is important as it provides an audit trail of what has been sent for disposal.

Many companies were reducing the risks associated with sending backup tapes offsite by running backups directly to a secondary, secure location. Where tapes were still transported by third parties, the tapes were encrypted.

Communications and Operations Management

As expected, all respondents had anti-virus software in place. However, a small number used a different anti-virus product on user workstations from the one deployed on servers. This is a more effective approach, as it provides more than one line of defence if one product should fail to detect a virus.

Nearly all had locked down USB/CDROM access. Where still used, access was limited to senior staff, or limited by business justification. One bank allowed access but logged details of all files transferred to and from USB devices. Although this approach provides no protection against a breach, it does make valuable evidence available to an investigation. Therefore an improved approach would be to limit access according to business requirement and log all file transfers.
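The combined control recommended above (access only with a recorded business justification, plus a log of every transfer) can be reviewed automatically. The block below is an added example, not code from the study or from the bank it describes; the log format, host and user names, file names and the approval list are all constructed, and a real deployment would take the approvals from the access-request process and the log from the endpoint agent.

```python
# Added example (not from the study or KPMG): reviewing removable-media transfer
# logs against business-justified approvals. Log format, users, files and
# approvals are constructed for illustration.
import re
from datetime import date, datetime
from typing import Dict, List, Optional

# Constructed log lines in an assumed key=value format.
SAMPLE_LOG = """\
2019-03-04T09:12:31Z host=WS-0412 user=jdoe action=COPY_TO_USB file=expense_policy.pdf bytes=48213
2019-03-04T09:40:05Z host=WS-0417 user=asmith action=COPY_TO_USB file=client_list.xlsx bytes=913002
2019-03-04T10:02:44Z host=WS-0412 user=jdoe action=COPY_FROM_USB file=scanner_driver.msi bytes=2210044
2019-03-05T16:55:10Z host=WS-0301 user=mlee action=COPY_TO_USB file=payroll_march.csv bytes=77120
"""

# Users holding an approved business justification, with the approval's expiry
# date (constructed; in practice the output of the access-request process).
APPROVALS: Dict[str, date] = {
    "jdoe": date(2019, 12, 31),
    "mlee": date(2019, 2, 28),   # approval lapsed before the March transfer
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"file=(?P<file>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["bytes"] = int(rec["bytes"])
    return rec


def review_usb_log(log_text: str, approvals: Dict[str, date]) -> dict:
    """Return the number of transfers logged and the list of policy violations.
    Every transfer is kept as evidence; a violation is a transfer by a user who
    holds no current business-justified approval."""
    transfers: List[dict] = []
    violations = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        transfers.append(rec)
        expiry = approvals.get(rec["user"])
        if expiry is None:
            violations.append((rec["user"], rec["file"], "no business-justified approval"))
        elif rec["ts"].date() > expiry:
            violations.append((rec["user"], rec["file"], f"approval expired {expiry.isoformat()}"))
    return {"transfers": len(transfers), "violations": violations}


if __name__ == "__main__":
    result = review_usb_log(SAMPLE_LOG, APPROVALS)
    print(f"{result['transfers']} transfers logged")
    for user, filename, reason in result["violations"]:
        print(f"{user} -> {filename}: {reason}")
```

Against the sample log this flags the transfer by a user with no approval and the one made after an approval lapsed, while the approved user's transfers remain in the evidence trail without raising an alert; expiring approvals is the detail that keeps "limited by business justification" from silently becoming permanent access.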

A wide range of protective mechanisms were in place over electronic communications in and out of the organization. Many simply did not accept client instructions electronically; this is most effective but perhaps rather restrictive. Others had secure websites with two-factor authentication (e.g. PIN and password), or had deployed industry-standard secure email tools like PGP and TLS. Many were also using encrypted network links to protect internal communications with other locations. At the broader level of network communication in general, most had an integrated firewall and intrusion detection system. Nearly all purported to have network access controls in place between internal networks.

All respondents test backups, but some only through routine restores or annual Business Continuity or Disaster Recovery tests. This gives some level of comfort but fails to take into account the fact that not all systems need to be restored routinely, and an annual test that highlights a problem with a backup or tape drive may be up to twelve months too late if there is a genuine need to restore. All backups should be tested on a rolling basis. Checking a different tape set each month is usually practicable.

Several used content filtering and email scanning services. All but one blocked external webmail and instant messaging services. The bank in question took the unusual view that such controls did not help combat data leakage. Both communication tools are virtually impossible to monitor and control; they provide additional channels for the spread of malware, and are a convenient tool for employees to remove data.

Of those allowing laptops, only one did not use disk encryption; in this exceptional case the machines in question were under strict physical control and not removed from the premises.

Those companies with internet banking services all commissioned penetration tests at least annually. A few had read-only services, for example online statements, which had not been fully tested. The companies in question regarded these sites as low risk, so did not feel that they required in-depth security testing. Experts would challenge the logic of this argument, since any site containing customer data is an attractive target to an attacker. Even if a successful intruder cannot perform fraudulent transactions or access back-end systems, they can steal customer identity information and financial records for further illegal activities. The fact that such sites are less stringently tested makes them even more attractive. All web sites should be risk assessed, and security tested to a level that is appropriate for that risk. No site should go totally untested for security weaknesses.

Access Control

Most companies performed quarterly reviews of users and their access rights. Smaller entities reviewed less frequently, but still required line managers to recertify users.

Most performed regular reviews of firewall rules, and enforced strict controls over changes to the firewall. Some also performed monthly vulnerability scans and periodic penetration tests. Several companies relied solely on change management controls to ensure the effectiveness of the firewall. A more effective approach to network security would be to include a mixture of all of these elements, rather than rely on an individual control.

Most claimed to restrict access to sensitive customer data on a ‘need to know’ basis. One segregated on- and off-shore customer data (so that offshore data could only be viewed locally). However, several large institutions admitted that access was not restricted by individual customer. With a large, national or international customer database, this situation opens up possibilities for data leakage.

Information Systems Acquisition, Development and Maintenance

Part of our review focused specifically on End User Computing (‘EUC’). This term is used to describe applications developed by business users, often using spreadsheets or databases. Spreadsheets are particularly difficult to control because once they are created they are not subject to the same access controls and auditing that formally developed applications offer. They are also much easier to copy and email, increasing the risk of data theft and accidental data leakage.

Despite these concerns, there appeared to be good controls in place over extracts of customer information to spreadsheets. Leading organizations required explicit authorization for all extracts, and had established an End User Computing policy for user-developed spreadsheets. A small number relied only on access permissions.

Almost half had specific EUC policies and guidelines in place. However, when asked what controls were in place over EUC applications, only one organization performed audits of EUC. This omission undermines the best practice already followed, so as with any control we would recommend that proper attention is given to monitoring and enforcement.

Four companies stated that they used live data in the test system, on the basis that controls were equivalent and therefore adequate. Others outlawed this practice in their policies, and had segregated systems with different access profiles. Most used anonymisation and scrambling techniques or fictitious data. Removing real customer data is essential because, although a duplicate test system may appear secure when it is created, testers normally require elevated privileges, and tend to generate reports and other information in a less controlled manner than operational staff. Furthermore, test systems normally grant administrative privileges to developers, contractors and software vendors, often remotely, increasing the risk of unauthorized access even further.

Information Security Incident Management

A significant number of companies had a framework for quickly establishing an incident response team. This was usually a distributed team made up of central security specialists and local responders. Smaller organizations referred all issues to the locally nominated security officer; this may be acceptable provided the individual has an adequate understanding of information security matters, and has already identified and engaged with external security specialists before an incident occurs. The skills used to deal with a security incident are very different from those needed for day-to-day management of information security. Security incident management shares many principles with business continuity management. Regardless of size, any organization should have a formally documented incident response plan with the following elements:

- Roles and responsibilities for handling a suspected incident
- Reporting and escalation procedures
- Emergency contacts and external advisors
- The plan should be reviewed and tested periodically.

Compliance/Audit

Companies performed a large range of security-related reviews. This is to be expected and is consistent with the Commission’s Code of Practice for Companies, which states the following requirement: “Companies should have in place comprehensive risk management processes to identify, measure, monitor and control material risks.” However, the results in this section raise some concerns that processes are not as comprehensive as they should be.

Most have annual independent audits, in addition to other local reviews. However, three of the companies surveyed were reliant on visiting Internal Audit teams with a three-year cycle between visits. With such a low frequency of assurance, we would challenge management to meaningfully assess the effectiveness of internal controls. This approach also suggests that the organizations involved have diluted their responsibility for assessment to a control function outside the island.

Similar concerns arose over some managed entities that relied on reviews of their service providers to provide assurance over their own systems. We would question whether the managed entity has sufficient knowledge of the review scope or findings, and indeed whether any such review specifically covers the entity’s own systems and control environment. For this approach to work, the managed company needs to engage with its service provider and internal auditor (and possibly the parent company’s internal audit function) to agree the scope of the review and have full access to any relevant findings.

Other organizations took assurance from statutory external audits. This is a helpful addition to other forms of assessment, but care should be taken when relying on external auditors, as the scope is specific to the financial audit. Again we would encourage companies to engage with the external auditors to discuss and understand the scope of the IT review.

We did note far more effective and proactive approaches; one company operated a "three lines of defense" model, with main reviews being commissioned by each business unit, second-level oversight by the Risk function, and finally periodic, independent reviews by Internal Audit. As well as being more thorough, this approach demonstrates that the entity is taking full responsibility for control assessments, which the Commission welcomes.

Most performed some form of review of business partners. These usually followed a clearly defined assessment process, often utilizing self-assessment questionnaires. Many followed up with on-site visits and independent reviews by Internal Audit. Some relied on performance reports provided by the service providers, which is informative but lacks independence. Finally, a few were reliant solely on NDAs and contractual obligations in SLAs to maintain data security, which, although important, does not provide any control assessment.

Security awareness training program

KPMG has established a continuous education program that includes information security training. The key elements of success include: regular mandatory training, use of multiple delivery methods (classroom, online, DVD etc.), monitoring and measurement, and linkage to security-related policies and procedures.

KPMG has a well-developed security awareness program, which includes posters and enforcement checks. However, formal training was limited to new joiners and then to annual compliance training. Offering employees a wider range of training, both in terms of frequency and format, would aid both comprehension and retention.

Automation of user-provisioning

KPMG used a workflow system to manage the provisioning and de-provisioning of users, i.e. the assignment of access rights. This is an excellent example of where technology can make security more effective: in this case by helping to process joiners and leavers in a timely manner, with approval and authorization checks and audit trails.

Policy compliance linked to remuneration

At KPMG a mandatory training program and certain aspects of compliance with data security policies (e.g. clear desk and office) were linked to employee appraisals, and therefore remuneration. A robust measurement and enforcement procedure was in place to detect and follow up policy violations. The effect of this tough approach was that local line managers took far more responsibility for their individual areas, and as a result violations were very rare.

Outsourced employee screening process

KPMG used a specialist vetting agency to validate a wide range of employee background information. Established facts are reconciled to the employee’s own submission and any deviations are reported in an easy-to-read return. Checks included credit history, criminal convictions, and employment and education records. Use of a third party for this function brings objectivity and independence that would be difficult to achieve in-house.

World-Check used in screening process

KPMG used World-Check as part of its employee screening process. This is a simple way to enhance the vetting process and pick up issues early in the recruitment process.

Effective data disposal procedures

KPMG has an effective approach to data disposal, both for printed and electronic media. Some lowered third-party risk considerably by supervising the destruction of computer hardware on site by a destruction specialist; they then reconciled their own records against the certificated returns from the destruction company. Paper waste was best controlled by either daily shredding on site by company staff or daily removal by facilities teams to a secure area pending bulk destruction.

Clear office policy

Rather than a ‘clear-desk’ policy, one company we visited had extended the principle to a ‘clear-office’ policy. This is a logical approach to office security, and encourages employees to think beyond the confines of their own workspace.

Internal vulnerability scanning

In addition to other technical assessments, KPMG scanned its internal servers every month for security vulnerabilities. This is a simple way of highlighting common vulnerabilities and picking up security misconfigurations early, before they lead to problems.

Application restricts client data downloads

Reacting to data leakage concerns, KPMG put application access controls in place to prevent client relationship managers from downloading client data. Although this is a technical control, it also sends a message to employees that the organization is serious about protecting client data, which is an asset/resource owned by the company.

Electronic diary system for compliance checks

KPMG used an electronic reminder system as a simple but highly effective means of prompting and documenting a wide range of compliance activities, of which data security reviews formed a significant part. The system helped ensure that checks were done on time and correctly, provided an audit trail to demonstrate that checks had been performed, and captured the results of each review. Overdue checks were automatically escalated to the individual’s line manager.

Bespoke recertification reporting system

One company had developed its own application for user recertification. Normally recertification involves circulating large volumes of reports showing user rights and access levels. The reports are often difficult to understand, particularly for non-technical business users. In this case the company had created an application that presented reviewers with user information in a meaningful and easy-to-review format.

43
Live data is anonymized before use in test system

KPMG scrambled and anonymized live data for use in a test system using a specially developed tool. Live user profiles were also removed and replaced with test accounts. This approach significantly reduces the risk of data leakage from development systems.
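As an added example (not KPMG's tool and not part of the original report), the following Python script anonymises a constructed export of live client records before it is loaded into a test system: direct identifiers become deterministic pseudonyms from a keyed hash (HMAC) so links between records survive, free-text notes are dropped rather than scrubbed, balances are coarsened, and live user profiles are replaced by numbered test accounts. A final leak check confirms no original identifier survives in the output; the records and the key are constructed.

```python
"""Added example, not KPMG's tool: anonymise live client data for a test system."""
import hashlib
import hmac
import json

KEY = b"constructed-demo-key; a real key lives outside the test environment"

# Constructed live data, standing in for the production export.
LIVE_USERS = [
    {"user_id": "jdoe", "role": "relationship_manager"},
    {"user_id": "asmith", "role": "relationship_manager"},
]
LIVE_CLIENTS = [
    {"client_id": "CL-1001", "name": "Acme Holdings Ltd", "email": "cfo@acme.example",
     "account_no": "12345678", "balance": 48213.55, "relationship_manager": "jdoe",
     "notes": "Disputed invoice, see email thread"},
    {"client_id": "CL-1002", "name": "Bolt Retail", "email": "fin@bolt.example",
     "account_no": "87654321", "balance": 1220.00, "relationship_manager": "asmith",
     "notes": ""},
]


def pseudonym(value: str, key: bytes, length: int = 10) -> str:
    """Keyed, one-way, repeatable token for a direct identifier."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def anonymise_export(clients: list, users: list, key: bytes) -> tuple:
    """Return (test_clients, test_users) fit for loading into a test system."""
    # Live profiles are not copied; each live user id maps to a numbered
    # test account so the client -> manager link still resolves.
    ordered = sorted(u["user_id"] for u in users)
    test_account = {uid: f"testuser{i:02d}" for i, uid in enumerate(ordered, 1)}
    test_users = [{"user_id": test_account[u["user_id"]], "role": u["role"]} for u in users]

    test_clients = []
    for c in clients:
        cid = pseudonym(c["client_id"], key)
        test_clients.append({
            "client_id": f"C-{cid}",
            "name": f"Test Client {cid[:4].upper()}",
            "email": f"user{pseudonym(c['email'], key)}@test.invalid",
            "account_no": "0000" + pseudonym(c["account_no"], key, 6),
            "balance": round(c["balance"], -3),            # order of magnitude only
            "relationship_manager": test_account[c["relationship_manager"]],
            # "notes" is intentionally absent: free text cannot be scrubbed reliably
        })
    return test_clients, test_users


def leak_check(originals: list, anonymised: list, ignore: tuple = ()) -> list:
    """Original string values (outside `ignore` keys) that survive in the output."""
    blob = json.dumps(anonymised)
    leaked = {v for rec in originals for k, v in rec.items()
              if k not in ignore and isinstance(v, str) and len(v) >= 4 and v in blob}
    return sorted(leaked)


if __name__ == "__main__":
    clients, users = anonymise_export(LIVE_CLIENTS, LIVE_USERS, KEY)
    print(json.dumps(clients, indent=2))
    print(json.dumps(users, indent=2))
    print("leaked client values:", leak_check(LIVE_CLIENTS, clients))
    print("leaked user values:", leak_check(LIVE_USERS, users, ignore=("role",)))
```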

Incident response procedures in place

KPMG has established security incident management procedures, and defined roles and responsibilities. This helps team members work together effectively whether they are locally or centrally based.

CHAPTER-6
DATA ANALYSIS & INTERPRETATION

Q1. From how many years you have been working in KPMG?

• Less than 2 years 22%
• 2 to less than 4 years 37%
• 4 to less than 6 years 29%
• More than 6 years 12%

[Bar chart of the responses above; y-axis: percentage of respondents]

Interpretation

22% of respondents replied that they have been working in KPMG for less than 2 years, while 29% replied that they have been working in KPMG for 4 to less than 6 years.

Q2. Are you involved in the data and information security process at KPMG?

• Yes 98%
• No 02%

[Bar chart of the responses above; y-axis: percentage of respondents]

Interpretation

98% of respondents replied yes, that they are involved in the data and information security process at KPMG.

Q3. Effectiveness of End-user computing policy

• Very Effective 27%
• Effective 36%
• Neutral 11%
• Not Effective 19%
• Not at all Effective 07%

[Bar chart of the responses above; y-axis: percentage of respondents]

Interpretation

27% of respondents replied that the end-user computing policy is very effective, while 19% replied that it is not effective.

Q4. Effectiveness of Vendor management policy

• Very Effective 29%
• Effective 40%
• Neutral 12%
• Not Effective 14%
• Not at all Effective 05%

[Bar chart of the responses above; y-axis: percentage of respondents]

Interpretation

29% of respondents replied that the vendor management policy is very effective, while 14% replied that it is not effective.

Q5. Effectiveness of team of information security officer

• Very Effective 33%
• Effective 42%
• Neutral 09%
• Not Effective 12%
• Not at all Effective 04%

[Bar chart of the responses above; y-axis: percentage of respondents]

Interpretation

33% of respondents replied that the team of the information security officer is very effective, while 12% replied that it is not effective.

Q6. Effectiveness of Data classification policy

• Very Effective 31%
• Effective 30%
• Neutral 14%
• Not Effective 19%
• Not at all Effective 06%

[Bar chart of the responses above; y-axis: percentage of respondents]

Interpretation

31% of respondents replied that the data classification policy is very effective, while 19% replied that it is not effective.

Q7. Effectiveness of Security awareness training program

• Very Effective 28%
• Effective 44%
• Neutral 11%
• Not Effective 12%
• Not at all Effective 05%

[Bar chart of the responses above; y-axis: percentage of respondents]

Interpretation

28% of respondents replied that the security awareness training program is very effective, while 12% replied that it is not effective.

Q8. Effectiveness of automation of user-provisioning

• Very Effective 26%
• Effective 45%
• Neutral 13%
• Not Effective 14%
• Not at all Effective 02%

[Bar chart of the responses above; y-axis: percentage of respondents]

Interpretation

26% of respondents replied that the automation of user-provisioning is very effective, while 14% replied that it is not effective.

Q9. Effectiveness of employee screening process

• Very Effective 34%
• Effective 39%
• Neutral 12%
• Not Effective 11%
• Not at all Effective 04%

[Bar chart of the responses above; y-axis: percentage of respondents]

Interpretation

34% of respondents replied that the employee screening process is very effective, while 11% replied that it is not effective.

Q10. Effectiveness of data disposal procedures

• Very Effective 32%
• Effective 40%
• Neutral 15%
• Not Effective 08%
• Not at all Effective 05%

[Bar chart of the responses above; y-axis: percentage of respondents]

Interpretation

32% of respondents replied that the data disposal procedures are very effective, while 8% replied that they are not effective.

Q11. Effectiveness of clear office policy

• Very Effective 35%
• Effective 42%
• Neutral 08%
• Not Effective 09%
• Not at all Effective 06%

[Bar chart of the responses above; y-axis: percentage of respondents]

Interpretation

35% of respondents replied that the clear office policy is very effective, while 9% replied that it is not effective.

Q12. Effectiveness of internal vulnerability scanning

• Very Effective 26%
• Effective 48%
• Neutral 10%
• Not Effective 13%
• Not at all Effective 03%

[Bar chart of the responses above; y-axis: percentage of respondents]

Interpretation

26% of respondents replied that internal vulnerability scanning is very effective, while 13% replied that it is not effective.

Q13. Effectiveness of electronic diary system for compliance checks

• Very Effective 28%
• Effective 46%
• Neutral 13%
• Not Effective 10%
• Not at all Effective 03%

[Bar chart of the responses above; y-axis: percentage of respondents]

Interpretation

28% of respondents replied that the electronic diary system for compliance checks is very effective, while 10% replied that it is not effective.

Q14. Overall what will you say about the effectiveness of data and information security system at KPMG?

• Very Effective 31%
• Effective 37%
• Neutral 11%
• Not Effective 16%
• Not at all Effective 05%

[Bar chart of the responses above; y-axis: percentage of respondents]

Interpretation

31% of respondents replied that the data and information security system is very effective, while 16% replied that it is not effective.

Q15. Are you aware about management information system at KPMG for data management and security?

• Yes 75 %
• No 17 %
• Do not know/ Can not say 08 %

[Bar chart of the responses above; y-axis: percentage of respondents]

Interpretation:

The awareness level among the company officials regarding the existence, functioning and applicability of the management information system at KPMG is high, that is 75 per cent, as per the result of the study.

Q16. Do you know that your company should have a management information system for data management and security?

• Yes 72%
• No 20 %
• Do not know/ Can not say 08 %

[Bar chart of the responses above; y-axis: percentage of respondents]

Interpretation:

The company officials are aware that their company should have a management information system for data management and security. 72 per cent of the respondents have this awareness, as against 20 per cent and 08 per cent of the respondents who are either not aware or not able to provide any information in this regard.

Q17. Do you agree that there should be a management information system at KPMG for data management and security?

• Agree 68 %
• Disagree 12 %
• Do not know/ Can not say 20 %

[Bar chart of the responses above; y-axis: percentage of respondents]

Interpretation:

According to the response to the above question, it appears that every company/organisation should have a management information system for data management and security.

Q18. For what reasons do you feel that there should be management information system at KPMG for data management and security?

• To smoothen operational requirement 27 %
• To save time 22 %
• To maintain accountability and transparency 30 %
• Other reasons 15 %
• Do not know/ Can not say 06 %

[Bar chart of the responses above; y-axis: percentage of respondents]

Interpretation:

To everyone’s surprise, 30 per cent of the respondents feel that it is for accountability and transparency purposes that company records are maintained, and hence the need for a Revolution in Information Technology Management System. This is followed by the need for saving time and the requirement of operational smoothness.

Q19. Do you agree that the Revolution in Information Technology Management System in your company can fulfill the needs for which it needs to be evolved?

• Strongly Agree 20 %
• Agree 47 %
• Disagree 15 %
• Strongly Disagree 07 %
• Do not know/ Can not say 11 %

[Bar chart of the responses above; y-axis: percentage of respondents]

Interpretation:

From the above response, it appears that the Revolution in Information Technology Management System needs to be more or less oriented to achieve the objectives for which it is sought after. This is evident from the 67 per cent of respondents who have either agreed or strongly agreed with this proposition. However, the response of the 22 per cent of respondents who think otherwise is also telling.

Q20. Do you think you have skilled professionals in your company for Information Technology?

• Yes 48 %
• No 30 %
• Do not know/ Can not say 22 %

[Bar chart of the responses above; y-axis: percentage of respondents]

Interpretation:

Recruitment of skilled professionals well versed with the latest information technology, particularly in the IT engineering industry, is a concern for the company, as it appears that it lacks in this domain.

Q21. What category of professionals do you need to manage your company Data Security?

• Skilled and trained 32 %
• Only skilled but not trained 16 %
• Non skilled but trained professionals 20 %
• Non skilled and non trained professionals 25 %
• Others 07 %

[Bar chart of the responses above; y-axis: percentage of respondents]

Interpretation:

As already stated in the earlier question, the availability of trained and skilled professionals for data security needs the serious attention of the company.

Q22. Do you agree that your company should give more emphasis on software than skilled manpower with regard to Information Technology?

• Strongly Agree 18 %
• Agree 52 %
• Disagree 15 %
• Strongly Disagree 07 %
• Do not know/ Can not say 08 %

[Bar chart of the responses above; y-axis: percentage of respondents]

Interpretation:

The above response gives the impression that the company should put greater emphasis on software than on skilled manpower for data management.

Q23. Do you think that your company can provide software according to the design and needs of the system?

• Yes 86 %
• No 10 %
• Do not know/ Can not say 04 %

[Bar chart of the responses above; y-axis: percentage of respondents]

Interpretation:

The company appears to be in a position to provide the software according to the system requirement and design and according to the customers’ needs.

Q24. What is the prime challenge before your company with regard to Information Technology?

• Lack of trained professionals 42 per cent
• Maintenance cost 21 per cent
• Changing requirements of customers 27 per cent
• Other problems 06 per cent
• Do not know/ Can not say 04 per cent

[Bar chart of the responses above; y-axis: percentage of respondents]

Interpretation:

Lack of availability of trained professionals, coupled with maintenance cost and the changing needs of the customers, are perceived to be the data security challenges before the company.

CHAPTER-7
RECOMMENDATION & CONCLUSION

In this review we found many examples of good practice with relatively few areas for improvement. However, data security is a rapidly moving area and demands a process of continuous improvement.

Most employees were formally required to agree their on-going compliance with data security policies, but several did not share their policies with third-party handlers of customer data.

The company has implemented a wide range of data leakage prevention controls. However, surprisingly few had an inventory of information assets (i.e. what data is held, its sensitivity, who owns it etc.), and only a small number had begun to implement data classification and protective markings.

The company has comprehensive employee vetting procedures, usually engaging an external specialist agency to screen prospective employees. Several used World-check to enhance this process. However, only a few performed follow-up checks, and none claimed to review social networking sites for employee suitability.

Security awareness training approaches varied greatly, but the most effective used a wide variety of training methods, delivered at regular intervals.

The company has clear desk and some clear office policies, with several performing regular spot checks to ensure compliance with policy.

HDFC, with transactional internet banking services, commissioned regular penetration tests. However, some had read-only services and these had not been tested for security vulnerabilities.

KPMG performed quarterly reviews of user rights. To make the review easier for non-technical line managers, one company had developed its own application to present the rights assignments in a meaningful form to the reviewer for recertification.

There appeared to be good controls in place over end-user applications, with many having specific policies governing their use. One organization had prevented relationship managers from downloading customer data completely.

Approaches to using live data in test systems varied. One company scrambled and sanitized customer data before using it for testing; others felt live data could be used provided user rights were equivalent to the live system, even though test systems are usually more open to developers and third parties. The Commission would discourage access to live data.

KPMG was subject to a wide range of compliance checks and audits. However, few seemed proactive in this area, commissioning their own control reviews and risk assessments. Instead they tended to rely on the work of others, usually external or internal audit, whether or not it provided relevant risk coverage. One notable exception supplemented these externally driven reviews with additional reviews driven by the Risk department and individual business units.

KPMG has begun to implement workflow applications for user provisioning. This way they were able to leverage technology to make the joiner/leaver process more secure.

Procedures for disposal of printed and electronic media were generally good. Many combined on-site supervision with a certificated audit trail for hardware disposal. Others removed confidential waste from open office areas on a daily basis.

KPMG performed monthly vulnerability scans on its internal servers.

KPMG has an impressive diary system for driving and documenting periodic compliance checks. The results from some of these checks, notably clear desk policy, were included in employee performance appraisals. This was a tough but highly effective policy enforcement tool.

The banking regulator, the Polish Financial Supervision Authority (KNF/PFSA), and previously the General Inspectorate of Banking Supervision (GINB), recognizes the big impact IT has on a bank’s performance. Recognizing the importance of IT, since 1997 the Regulator has presented guidelines for banks in a special way via Recommendation D, which covered various aspects of risk management associated with IT systems. With each new version, Recommendation D has evolved, placing emphasis on different issues connected with information systems. The draft Recommendation D dated 2013, prepared by the Polish Financial Supervision Authority, is a significant change in the Authority’s approach to information technology, engaging in its requirements not only IT but also business, legal and internal audit departments.

The significance of IT services and information systems in a modern financial institution such as a bank, insurance association, PTE, TFI and others is indisputable and continues to grow over the years. The position of IT services is mostly the outcome of how modern financial organizations are dependent on IT tools which support the ongoing implementation of processes. Nowadays, without the automation of processes by information systems, the organization could not carry out its core business activity.

The Financial Supervision Commission, which serves as the financial sector regulator, sees the enormous impact of the IT sector on the organization's functionality. Through the Revised Recommendation D / IT guidelines, the regulator presents to the financial institutions the guidelines on managing risks associated with information systems. The Revised Recommendation / IT guidelines introduced new and significantly changed requirements in the area related to information processing, giving the institutions just two years for its full implementation.

Before taking any actions that address the requirements of the Financial Supervision Commission, it is important to keep in mind that implementing Recommendation D:

• Is not only the IT service obligation, but also that of the whole Organization, such as Bank, TU, PTE or TFI
• Should be based on the principle of proportionality as well as on the results of risk analysis.

Based on the KPMG experience, the biggest challenge for the institution will be to ensure compliance with the following recommendations:

• Managing the data quality (Recommendation 8)
• Managing the access rights to IT systems in accordance with the Segregation of Duties (Recommendations 5 and 11)
• Managing the end-user software (Recommendation 17)
• Managing the security breach incidents (Recommendation 20)
• Scheduled and independent audits of the IT environment (Recommendation 22).

Due to the huge complexity of the Recommendation D requirements and the short period of time remaining for its full implementation, the institutions should take immediate actions in this area. The KPMG support will allow you to complete these tasks in a pragmatic, time and cost efficient way.

Potential benefits for the client:

• The independent defining/confirming of the degree of compliance with the requirements of Recommendation D by the institution
• Rapid and resourceful gap identification between the current situation and the requirements defined by the Regulator
• The use of the rich experience and interdisciplinary KPMG team in terms of planning and implementing the remedial actions in accordance with the principle of proportionality defined by the Regulator
• A properly designed control environment in the areas covered by the recommendation.

Annexure

QUESTIONNAIRE

Q1. From how many years you have been working in KPMG?
Less than 2 Years
2 to less than 4 Years
4 to less than 6 Years
More than 6 Years

Q2. Are you involved in the data and information security process at KPMG?
Yes
No
If yes then please rate the following from 5 to 1, where 5 means very effective and 1 means not at all effective.

Q3. Effectiveness of End-user computing policy
Very Effective
Effective
Neutral
Not Effective
Not at all Effective

Q4. Effectiveness of Vendor management policy
Very Effective
Effective
Neutral
Not Effective
Not at all Effective

Q5. Effectiveness of team of information security officer
Very Effective
Effective
Neutral
Not Effective
Not at all Effective

Q6. Effectiveness of Data classification policy
Very Effective
Effective
Neutral
Not Effective
Not at all Effective

Q7. Effectiveness of Security awareness training program
Very Effective
Effective
Neutral
Not Effective
Not at all Effective

Q8. Effectiveness of automation of user-provisioning
Very Effective
Effective
Neutral
Not Effective
Not at all Effective

Q9. Effectiveness of employee screening process
Very Effective
Effective
Neutral
Not Effective
Not at all Effective

Q10. Effectiveness of data disposal procedures
Very Effective
Effective
Neutral
Not Effective
Not at all Effective

Q11. Effectiveness of clear office policy
Very Effective
Effective
Neutral
Not Effective
Not at all Effective

Q12. Effectiveness of internal vulnerability scanning
Very Effective
Effective
Neutral
Not Effective
Not at all Effective

Q13. Effectiveness of electronic diary system for compliance checks
Very Effective
Effective
Neutral
Not Effective
Not at all Effective

Q14. Overall what will you say about the effectiveness of data and information security system at KPMG?
Very Effective
Effective
Neutral
Not Effective
Not at all Effective

Q15. Are you aware about management information system at KPMG for data management and security?
Yes
No
Do not know/ Can not say

Q16. Do you know that your company should have a management information system for data management and security?
Yes
No
Do not know/ Can not say

Q17. Do you agree that there should be a management information system at KPMG for data management and security?
Agree
Disagree
Do not know/ Can not say

Q18. For what reasons do you feel that there should be management information system at KPMG for data management and security?
To smoothen operational requirement
To save time
To maintain accountability and transparency
Other reasons
Do not know/ Can not say

Q19. Do you agree that the Revolution in Information Technology Management System in your company can fulfill the needs for which it needs to be evolved?
Strongly Agree
Agree
Disagree
Strongly Disagree
Do not know/ Can not say

Q20. Do you think you have skilled professionals in your company for Information Technology?
Yes
No
Do not know/ Can not say

Q21. What category of professionals do you need to manage your company Data Security?
Skilled and trained
Only skilled but not trained
Non skilled but trained professionals
Non skilled and non trained professionals
Others

Q22. Do you agree that your company should give more emphasis on software than skilled manpower with regard to Information Technology?
Strongly Agree
Agree
Disagree
Strongly Disagree
Do not know/ Can not say

Q23. Do you think that your company can provide software according to the design and needs of the system?
Yes
No
Do not know/ Can not say

Q24. What is the prime challenge before your company with regard to Information Technology?
Lack of trained professionals
Maintenance cost
Changing requirements of customers
Other problems
Do not know/ Can not say