Assignment
Uploaded by Rakibul Islam

In response to the increasing threat, IT audit units of banks have set an expectation for internal audit to perform an independent and objective assessment of the organization’s capabilities of managing the associated risks. A first step in meeting this expectation is for internal audit to conduct an IT risk assessment and distill the findings into a concise report for the audit committee, which can provide the basis for a risk-based, multilayer internal audit plan to help manage IT risks.

In this article we will discuss the basic IT security issues, including the common threats that financial organizations like banks face in their day-to-day activities.

An audit can be anything from a full-scale analysis of business practices to a sysadmin monitoring log files. The scope of an audit depends on the goals. The basic approach to performing a security assessment is to gather information about the targeted organization, research security recommendations and alerts for the platform, test to confirm exposures and write a risk analysis report.

BB Guideline on ICT Security

Bangladesh Bank issued the ‘Guideline on ICT Security’ (Version 3.0) for banks and non-bank financial institutions in May 2015. This Guideline covers all information that is electronically generated, received, stored, replicated, printed, scanned or manually prepared. The provisions of this Guideline are applicable to:

a) Banks and NBFIs for all of their information systems.

b) All activities and operations required to ensure data security, including facility design, physical security, application security, network security, ICT risk management, project management, infrastructure security management, service delivery management, disaster recovery and business continuity management, alternative delivery channels management, acquisition and development of information systems, usage of hardware and software, disposal policy and protection of copyrights and other intellectual property rights.

IT Security
Information Technology Security, also known as IT Security, is the process of implementing measures and systems designed to protect and safeguard information (business and personal data, voice conversations, still images, motion pictures, multimedia presentations, including forms not yet conceived) against unauthorized access, misuse, malfunction, modification, destruction or improper disclosure, across the various technologies used to create, store, use and exchange that information. It thereby preserves the value, confidentiality, integrity, availability and intended use of the information and its ability to perform its permitted critical functions.

Cyber threats are growing more sophisticated and attackers are developing new ways to access electronic data all the time. Recent studies have shown that the average cost of a data breach is upwards of $3.79 million, an increase of 23% since 2013.

IT Security threats
Some IT security threats include the following:

Internet usage

The growth of Internet usage over the last few years has brought incredible benefits to daily life, but it also poses potential threats to security. When so many devices are connected to each other and give off a constant stream of data, a whole new set of cyber threats emerges.

Since the Internet became available to the wider public, not enough attention has been paid to ensuring that sensitive data is encrypted and that access to it is fully restricted. This only means that preventive measures need to be taken to ensure that the data remains untouched.

Ransomware
Ransomware Trojans are a type of cyberware designed to extort money from a victim. Often, ransomware will demand a payment in order to undo changes that the Trojan has made to the victim’s computer. These changes can include:

- Encrypting data that is stored on the victim’s disk, so the victim can no longer access the information
- Blocking normal access to the victim’s system

The most common ways in which ransomware Trojans are installed are via phishing emails or as a result of visiting a website that contains a malicious program. While ransomware is less common in the world of IT, its impact is growing.

This sort of attack encrypts data and renders it unusable until the victim pays a ransom. The best way to avoid a ransomware attack is to have real-time security protection and to have an IT security specialist perform regular backup routines. The best option is to act before cyber security is at risk and protect the most important data before it becomes an issue.

Spear Phishing
Spear phishing is an email or electronic communications scam targeted towards a specific individual, organization or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user’s computer.

As with emails used in regular phishing expeditions, spear-phishing messages appear to come from a trusted source. Phishing messages usually appear to come from a large and well-known company or website with a broad membership base, such as Google or PayPal. In the case of spear phishing, however, the apparent source of the email is likely to be an individual within the recipient’s own company (generally someone in a position of authority) or someone the target knows personally.

The targeting of higher-ups in business is on the rise and cyber criminals are accessing incredibly sensitive data through spear phishing at an unprecedented rate. In an enterprise, security-awareness training for employees and executives alike will help reduce the likelihood of a user falling for spear-phishing emails.

This training typically educates enterprise users on how to spot phishing emails based on suspicious email domains or links enclosed in the message, as well as the wording of the messages and the information that may be requested in the email.

Cloud computing

Cloud computing is a type of Internet-based computing that provides shared computer processing resources and data to computers and other devices on demand. It is a model for enabling global, on-demand access to a shared pool of configurable computing resources (e.g. computer networks, servers, storage, applications and services), which can be rapidly provisioned and released with minimal management effort.

Cloud computing and storage solutions provide users and enterprises with various capabilities to store and process their data in either privately owned or third-party data centers that may be located far from the user, ranging in distance from across a city to across the world.

Cloud software has become a blessing to businesses everywhere by providing an easy, fast way to exchange data without having to be physically present. Unfortunately, as with any third-party vendor, using an outside platform means that data might be at risk of a breach. Keeping an eye on what services are being used in the cloud and being fully aware of the security standards those cloud services provide can go a long way in keeping data safe.

Here are a few more reasons why IT security is more important than ever.

Vulnerabilities and attacks
A vulnerability is a system susceptibility or flaw. Vulnerabilities are documented in the Common Vulnerabilities and Exposures (CVE) database. An exploitable vulnerability is one for which at least one working attack or “exploit” exists.

To secure a computer system, it is important to understand the attacks that can be made against it. These threats can typically be classified into one of the categories below:

Backdoors
A backdoor in a computer system, a cryptosystem or an algorithm is any secret method of bypassing normal authentication or security controls. Backdoors may exist for a number of reasons, including by original design or from poor configuration. They may have been added by an authorized party to allow some legitimate access, or by an attacker for malicious reasons; but regardless of the motives for their existence, they create a vulnerability.

Denial-of-service attack
Denial of service attacks (DoS) are designed to make a machine or network
resource unavailable to its intended users. Attackers can deny service to
individual victims, such as by deliberately entering a wrong password enough
consecutive times to cause the victim account to be locked or they may overload
the capabilities of a machine or network and block all users at once.

While a network attack from a single IP address can be blocked by adding a new
firewall rule, many forms of Distributed Denial of Service (DDoS) attacks are
possible, where the attack comes from a large number of points and defending is
much more difficult. Such attacks can originate from the zombie computers of a
botnet, but a range of other techniques are possible including reflection and
amplification attacks, where innocent systems are fooled into sending traffic to
the victim.

Direct-access attacks
An unauthorized user gaining physical access to a computer is most likely able to directly copy data from it. They may also compromise security by making operating system modifications, installing software worms, key loggers or covert listening devices, or using wireless mice.

Even when the system is protected by standard security measures, these may be bypassed by booting another operating system or tool from a CD-ROM or other bootable media. Disk encryption and the Trusted Platform Module are designed to prevent these attacks.

Eavesdropping
Eavesdropping is the act of secretly listening to a private conversation, typically between hosts on a network. Even machines that operate as a closed system (i.e. with no contact to the outside world) can be eavesdropped upon by monitoring the faint electromagnetic emissions generated by the hardware.

Spoofing
Spoofing, in general, is a fraudulent or malicious practice in which
communication is sent from an unknown source disguised as a source known to
the receiver. Spoofing is most prevalent in communication mechanisms that lack
a high level of security.

Tampering
Tampering describes the malicious modification of products. So-called “Evil Maid” attacks, and the planting of surveillance capabilities into routers by security services, are examples.

Privilege escalation
Privilege escalation describes a situation where an attacker with some level of
restricted access is able to, without authorization, elevate their privileges or
access level. So for example a standard computer user may be able to fool the
system into giving them access to restricted data; or even to “become root” and
have full unrestricted access to a system.

Phishing
Phishing is the attempt to acquire sensitive information such as usernames,
passwords, and credit card details directly from users. Phishing is typically
carried out by email spoofing or instant messaging and it often directs users to
enter details at a fake website whose look and feel are almost identical to the
legitimate one.

Clickjacking
Clickjacking, also known as a “UI redress attack” or “User Interface redress attack”, is a malicious technique in which an attacker tricks a user into clicking on a button or link on another webpage while the user intended to click on the top-level page. This is done using multiple transparent or opaque layers. The attacker is essentially “hijacking” the clicks meant for the top-level page and routing them to some other, irrelevant page, most likely owned by someone else.

Social engineering
Social engineering aims to convince a user to disclose secrets such as passwords, card numbers, etc. by, for example, impersonating a bank, a contractor, or a customer.

Here’s an example of organizing threats, attacks, vulnerabilities and countermeasures for Input/Data validation:

Threats/Attacks for Input/Data Validation

- Buffer overflows
- Cross-site scripting
- SQL injection
- Query string manipulation
- Form field manipulation
- Cookie manipulation
- HTTP header manipulation

Vulnerabilities for Input/Data Validation

- Using non-validated input in the Hypertext Markup Language (HTML) output stream
- Using non-validated input to generate SQL queries
- Relying on client-side validation
- Using input file names, URLs, or user names for security decisions
- Using application-only filters for malicious input
- Looking for known bad patterns of input
- Trusting data read from databases, file shares, and other network resources
- Failing to validate input from all sources including cookies, query string parameters, HTTP headers, databases, and network resources

Countermeasures for Input/Data Validation

- Do not trust input
- Validate input: length, range, format, and type
- Constrain, reject, and sanitize input
- Encode output
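The countermeasures above, applied in an added example (not from the original assignment) to a constructed fund-transfer request: server-side validation of length, range, format and type, rejection of anything that fails, a parameterised SQL insert so input never becomes query text, and HTML-encoded output. The field names, limits and table layout are assumptions made for the illustration.

```python
"""Added example, not part of the original assignment: the Input/Data Validation
countermeasures listed above applied to a constructed fund-transfer request.
Field names, limits and the table layout are assumptions for the illustration."""
import html
import re
import sqlite3
from decimal import Decimal, InvalidOperation

# Server-side constraints (assumed; the page states none). Validation happens
# here regardless of any client-side checks, which a client can simply skip.
ACCOUNT_RE = re.compile(r"[0-9]{10,16}")   # allow-list format: digits only
MAX_NOTE_LEN = 60
MIN_AMOUNT = Decimal("0.01")
MAX_AMOUNT = Decimal("500000.00")


class ValidationError(ValueError):
    """Raised when a field fails validation; the whole request is rejected."""


def validate_transfer(form: dict) -> dict:
    """Constrain and reject: check type, length, range and format of every
    field and return typed values. Nothing in `form` is trusted."""
    account = form.get("account")
    if not isinstance(account, str) or not ACCOUNT_RE.fullmatch(account):
        raise ValidationError("account: must be 10 to 16 digits")

    try:
        amount = Decimal(str(form.get("amount")))
    except InvalidOperation:
        raise ValidationError("amount: not a decimal number")
    if not amount.is_finite():              # "NaN"/"Infinity" parse, so test explicitly
        raise ValidationError("amount: not a finite number")
    if not MIN_AMOUNT <= amount <= MAX_AMOUNT:
        raise ValidationError("amount: out of range")
    if amount.as_tuple().exponent < -2:     # format: at most two decimal places
        raise ValidationError("amount: too many decimal places")

    note = form.get("note", "")
    if not isinstance(note, str):
        raise ValidationError("note: must be text")
    if len(note) > MAX_NOTE_LEN:
        raise ValidationError("note: too long")
    if any(ord(ch) < 32 or ch == "\x7f" for ch in note):
        raise ValidationError("note: control characters not allowed")

    return {"account": account, "amount": amount, "note": note}


def new_db() -> sqlite3.Connection:
    """In-memory database for the example (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transfers (id INTEGER PRIMARY KEY, "
                 "account TEXT NOT NULL, amount_paisa INTEGER NOT NULL, note TEXT)")
    return conn


def record_transfer(conn: sqlite3.Connection, transfer: dict) -> int:
    """Parameterised INSERT: values are bound by the driver, never spliced into
    the SQL text, so a note that looks like SQL is stored as plain data."""
    cur = conn.execute(
        "INSERT INTO transfers (account, amount_paisa, note) VALUES (?, ?, ?)",
        (transfer["account"], int(transfer["amount"] * 100), transfer["note"]),
    )
    conn.commit()
    return cur.lastrowid


def render_receipt(transfer: dict) -> str:
    """Encode output: escape <, >, &, and quotes before placing values in HTML
    so a note containing markup is displayed literally, not interpreted."""
    return ("<p>Transfer of %s to account %s: %s</p>"
            % (transfer["amount"], html.escape(transfer["account"]),
               html.escape(transfer["note"], quote=True)))


def process(conn: sqlite3.Connection, form: dict) -> dict:
    """Validate, store, render. Rejected requests never reach the database."""
    try:
        transfer = validate_transfer(form)
    except ValidationError as exc:
        return {"ok": False, "error": str(exc)}
    row_id = record_transfer(conn, transfer)
    return {"ok": True, "id": row_id, "receipt": render_receipt(transfer)}


if __name__ == "__main__":
    db = new_db()
    requests = [  # constructed sample input; several must be rejected
        {"account": "0123456789012", "amount": "2500.50", "note": "Rent <b>June</b>"},
        {"account": "0123456789", "amount": "10", "note": "x'); DROP TABLE transfers;--"},
        {"account": "1' OR '1'='1", "amount": "10", "note": "format check"},
        {"account": "0123456789", "amount": "-5", "note": "range check"},
        {"account": "0123456789", "amount": "NaN", "note": "type check"},
        {"account": "0123456789", "amount": "1", "note": "x" * 61},
    ]
    for req in requests:
        print(process(db, req))
    print(db.execute("SELECT COUNT(*) FROM transfers").fetchone()[0], "rows stored")
```

Note that the note field is stored verbatim and only encoded at output time; encoding on input would corrupt data that is later used outside HTML.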
BB Guideline on Information System Audit
Bangladesh Bank issued the ‘Guidelines on Internal Control & Compliance in Banks’ for banks on March 8, 2016 through BRPD Circular No. 03. As per the guideline:

IS or IT Audit is “the process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively and uses resources efficiently” (definition by Ron Weber).

The primary goal of the IS audit department of a bank is to determine information and related technological security loopholes and recommend feasible solutions. IS Audit is all about examining whether the IT processes and IT resources combine to fulfill the intended objectives of the organization, ensuring effectiveness, efficiency and economy in its operations while complying with the extant rules.

Information system auditors should develop and implement a risk-based IS audit strategy in compliance with IS audit standards, regulatory guidelines and internal policies to ensure that key areas are included. IS auditors should evaluate the effectiveness of the IT governance structure to determine whether IT decisions, directions and performance support the bank’s strategies and objectives.

IS auditors also evaluate risk management practices to determine whether the bank’s IS-related risks are properly managed. IS auditors should conduct audits on overall information and related technological security aspects covering the following:

a. IT Asset Management
b. IT Service & Facility Management
c. Physical & Environmental Security (client/server interface, telecommunication, server, data storage, intranet, internet)
d. User & Access Management
e. Database Access & Network Security Management
f. Data Center Security
g. Change & Patch Management
h. Problem & Incident Management
i. IT Strategies, IT budget
j. Audit trails & Data Privacy Protection Management
k. IT Service Contract & Agreements and Vendor Management
l. IT Risk Management
m. Data Integrity & Transaction control
n. Data Retention & Disposal
o. System Acquisition, Development Management
p. Business Continuity & Disaster Recovery

Information System Audit
Information System Audit is the process of collecting and evaluating evidence to determine whether a computer system has been designed to maintain data integrity, safeguard assets, allow organizational goals to be achieved effectively and use resources efficiently.

An effective information system audit leads the organization to achieve its objectives, and an efficient information system uses minimum resources in achieving the required objectives.

The objective of undertaking an IT audit is to evaluate a bank’s computerized information system (CIS) in order to ascertain whether the CIS produces timely, accurate, complete and reliable information outputs, as well as ensuring confidentiality, integrity, availability and reliability of data and adherence to relevant legal and regulatory requirements. IT auditors evaluate the adequacy of internal controls in computer systems to mitigate the risk of loss due to errors, fraud and other acts, and disasters or incidents that cause the system to be unavailable. Audit objectives will vary according to the nature or category of audit. An IT Security Audit is done to protect the entire system from the most common security threats, which include the following:

- Network vulnerabilities and intrusions
- Performance problems and flaws in applications
- Improper alteration or destruction of data (information integrity)
- Access to confidential data
- Unauthorized access to department computers and branches
- Password disclosure or compromise
- Virus infections
- Denial of service attacks
- Open ports which may be accessed by outsiders (unrestricted modems and unnecessarily open ports)

IT Audits may be conducted to:

- Ensure integrity, confidentiality and availability of information system(s) and resources.
- Investigate possible security vulnerabilities and incidents in order to ensure conformance to the Bank’s security policies.
- Ensure software systems deployed conform to the Bank’s software implementation policy.
- Ensure changes made to any systems conform to the Bank’s Change Control/Change Management policy.
- Ensure regular backups of data and business-critical systems are taken and preserved.
- Ensure restores of both data and full systems are carried out on a regular basis, so that data integrity can be ensured and the Bank can be prepared for any possible disaster.
- Monitor user or system activity where appropriate.
- Investigate security incidents as and when required.

An IT audit is different from a financial statement audit. While a financial audit’s purpose is to evaluate whether an organization is adhering to standard accounting practices, the purpose of an IT audit is to evaluate the system’s internal control design and effectiveness. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight.

Installing controls is necessary but not sufficient to provide adequate security. People responsible for security must consider whether the controls are installed as intended, whether they are effective, whether any breach in security has occurred and, if so, what actions can be taken to prevent future breaches.

These inquiries must be answered by independent and unbiased observers. These observers are performing the task of information systems auditing. In an Information Systems (IS) environment, an audit is an examination of information systems, their inputs, outputs, and processing.

Preparedness / Pre-Audit activities

Auditors must make certain assumptions when bidding on a project, such as having access to certain data or staff. But once the auditor is on board, don’t assume anything; everything should be spelled out in writing, such as receiving copies of policies or system configuration data. These assumptions should be agreed to by both sides and include input from the units whose systems will be audited.

Nobody likes surprises. Involve the business and IT unit managers of the audited systems early on. This will smooth the process should a dispute over the auditor’s access arise. Consider the case of one respected auditing firm that requested that copies of the system password and firewall configuration files be e-mailed to them.

Some activities mentioned hereunder ease the process:

1. Team leaders should specify restrictions, such as time of day and testing methods, to limit the impact on production systems. Most organizations concede that denial-of-service or social engineering attacks are difficult to counter, so they may exclude these from the scope of the audit.

2. Make sure the auditors conform to the policy on handling proprietary information. If the organization forbids employees from communicating sensitive information through non-encrypted public e-mail, the auditors must respect and follow the policy. The audit report itself contains proprietary data and should be handled appropriately: hand delivered and marked proprietary, and/or encrypted if sent through e-mail.

3. Give the auditors an indemnification statement authorizing them to probe the network.

The Audit officer will be responsible for internal audit within the department and the operations of branches. When requested and for the purpose of performing an audit, any access needed will be provided to members of the Internal Audit team. This access may include:

- User level and/or system level access to any computing or communications device
- Access to information (electronic, hardcopy, etc.) that may be produced, transmitted or stored on respective Dept. equipment or premises
- Access to work areas (Data Center, DR site, NOC, labs, offices, cubicles, storage areas, etc.)
- Access to reports / documents created during internal audit
- Interactively monitoring and logging traffic on the Bank’s corporate network in conjunction with the Bank’s WAN connectivity provider
- Moving machines involved in an incident to a safe location for analysis or to ensure evidence is captured and preserved securely
- All sorts of system and user activity logs / audit trails, to verify that privileges were used only for their intended and approved purposes
- User level and/or Admin level access to any computing or communications devices
- Network or host scans, and obtaining any applicable information
- Audit rights of access to any Service Level Agreement or Annual Maintenance Contract with external or internal parties, as and when appropriate
- External or internal parties’ premises, to justify the ability of the service provider before engaging them to provide any service in the Bank’s interest
- All types of licenses / IPR (intellectual property rights) related documents or logs aligned with any software or hardware used in the Bank’s ICT infrastructure

Risk Analysis and Assessment
The auditor(s) will perform a risk analysis and assessment on the overall ICT
system of the organization. This risk analysis and assessment will include all
systems and subsystems directly or indirectly involved in the production of
financial and critical information of Bank.

Based on these results, the auditor will rank the systems according to the risks
attached to them. This will form the basis for prioritizing the audit frequency.

IT Audit Methodology & Frequency

All IT audits will be conducted according to the yearly Audit plan approved by the honorable Board Audit Committee, and/or inspections may be carried out on a surprise basis as and when required. The preliminary audit process consists of the following phases:

- Personnel interviews
- Files and documentation verification
- Justification of IT inventories
- Review of Service Level Agreements and Annual Maintenance Contract(s)
- Health checkup of servers and workstations
- Network scans and vulnerability scanning
- Business impact analysis of the respective information system(s)

Audit Requests for Specific Cause
A request may be made for an audit for a specific cause. The request may come from a variety of sources including, but not limited to, Branches, Human Resources, Risk Management, the IT Security Officer and/or a member of Board Audit.

A request for an audit for specific cause must include the time frame, frequency, and nature of the request. The request must be reviewed and approved by the Head of ICCD.

Evaluation and Reporting of Audit Findings

Audit information that is routinely gathered must be reviewed in a timely manner (e.g., weekly, monthly, quarterly, etc.) by the individual/department responsible for the activity/process.

The reporting process shall allow for meaningful communication of the audit findings to those departments/units sponsoring the activity.

- Significant findings shall be reported immediately in a written format. An incident log in this regard is to be maintained by the concerned branch / division.
- Routine findings shall be reported to the CEO as well as to Board Audit through the Head of ICCD in a written, structured report format.
- Whenever indicated through evaluation and reporting, appropriate corrective actions must be undertaken. These actions shall be documented and shared with the responsible and sponsoring departments/branches.

Auditing Business Associate and/or Vendor Access and Activity
Periodic monitoring of business associate and vendor information system activity shall be carried out to ensure that access and activity are appropriate for the privileges granted and necessary to the arrangement between the organization and the external agency.

The concerned department / organization must reassess the business relationship if it is determined that the business associate or vendor has exceeded the scope of access privileges.

If it is determined that a business associate has violated the terms of the business associate agreement/addendum, the authority of the concerned organization must take immediate action to remedy the situation. Continued violations may result in discontinuation of the business relationship.

Audit Log Security Controls and Backup
Audit logs must be protected from unauthorized access or modification, so the information they contain will be available if needed to evaluate a security incident. Audit trail information shall be stored on a separate system to minimize the impact auditing may have on the privacy system and to prevent access to audit trails by those with system administrator privileges.

This is done to apply the security principle of “separation of duties” to protect audit trails from hackers. Audit trails maintained on a separate system would not be available to hackers who may break into the network and obtain system administrator privileges. A separate system would allow the IT security Audit team to detect hacking security incidents.
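The separation described above, illustrated with an added example (not from the original assignment or any Bangladesh Bank material): audit records are hash-chained and a copy is forwarded to a separate system, so the audit team can detect records that were altered or deleted on the source host, even by an administrator who recomputes the chain. The record format and the sample events are constructed assumptions.

```python
"""Added example, not part of the original assignment: a hash-chained audit
trail forwarded to a separate system, showing how the separation described
above lets the audit team detect modification of audit records. The record
format and the sample events are constructed for the illustration."""
import copy
import hashlib
import json

GENESIS = "0" * 64   # fixed anchor for the first record


def chain_hash(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous entry's hash and this record's canonical JSON,
    so each entry commits to everything before it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


def append_record(trail: list, record: dict) -> dict:
    """Append one audit record to the trail; returns the stored entry."""
    prev = trail[-1]["hash"] if trail else GENESIS
    entry = {"seq": len(trail), "record": record, "hash": chain_hash(prev, record)}
    trail.append(entry)
    return entry


def verify_trail(trail: list):
    """Recompute the chain. Returns (True, -1) if consistent, otherwise
    (False, index) of the first entry whose sequence number or hash is wrong,
    which catches edits, deletions and reordering after the fact."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        if entry.get("seq") != i or chain_hash(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, -1


def rechain(trail: list) -> None:
    """Recompute every hash after records were altered. Anyone with write
    access to the source host can do this, which is why an internally
    consistent chain on that host proves nothing by itself."""
    prev = GENESIS
    for entry in trail:
        entry["hash"] = chain_hash(prev, entry["record"])
        prev = entry["hash"]


def demo() -> dict:
    """Build a trail on the source host, forward a copy to the separate audit
    system, alter the source, and report what each check detects."""
    events = [  # constructed sample records of a privileged database session
        {"ts": "2017-06-17T09:00:00", "user": "dba01", "action": "GRANT",
         "target": "ledger.accounts"},
        {"ts": "2017-06-17T09:05:12", "user": "dba01", "action": "UPDATE",
         "target": "ledger.balances"},
        {"ts": "2017-06-17T09:06:40", "user": "dba01", "action": "DELETE",
         "target": "audit.local_log"},
    ]
    source = []
    for event in events:
        append_record(source, event)
    separate = copy.deepcopy(source)   # copy held on the audit team's system

    # 1. Crude edit: attribute the UPDATE to someone else, hashes untouched.
    source[1]["record"]["user"] = "teller42"
    crude = verify_trail(source)

    # 2. Careful edit: the same change with every hash recomputed. The chain
    #    on the source host is self-consistent again...
    rechain(source)
    careful = verify_trail(source)
    # ...but its head hash no longer matches the copy the admin cannot reach.
    heads_match = source[-1]["hash"] == separate[-1]["hash"]

    return {"crude_edit": crude, "careful_edit": careful,
            "heads_match": heads_match, "separate_copy": verify_trail(separate)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The second case is the reason the page insists on a separate system: only a copy (or at least the head hash) held outside the administrator's reach turns the chain into evidence.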

Audit logs maintained within an application should be backed up as part of the application’s regular backup procedure.

The IT security Audit team must audit internal backup, storage and data recovery processes to ensure that the information is readily available in the manner required. Auditing of data backup processes should be carried out on a periodic basis.

Workforce Training, Education, Awareness and Responsibilities

IT security Audit workforce members are provided training, education, and awareness on safeguarding the security of the business. The IT security Audit team’s commitment to auditing access and activity of the information applications, systems, and networks is communicated through new employee orientation, ongoing training opportunities and events, and applicable policies.

Workforce members are made aware of their responsibilities with regard to privacy and security of information, as well as applicable sanctions/corrective disciplinary actions should the auditing process detect a workforce member’s failure to comply with organizational policies.

External Audits of Information Access and Activity

Information system audit information and reports gathered from contracted external audit firms, business associates and vendors shall be evaluated and appropriate corrective action steps taken as indicated. Prior to contracting with an external audit firm, the concerned organization shall:

- Outline the audit responsibility, authority and accountability.
- Choose an audit firm that is independent of other organizational operations.
- Ensure technical competence of the audit firm staff.
- Require the audit firm’s adherence to applicable codes of professional ethics.
- Obtain a signed compliant business associate agreement.
- Assign organizational responsibility for supervision of the external audit firm.

Audit Reporting and Compliance
Each audit will result in a follow-up report possibly including an action plan which
will be presented to the branch manager or respective head of the divisions. The
head of IT division or branch manager or respective head(s) of division(s) are
responsible for taking appropriate action to complete the tasks on the
remediation plan within the agreed-upon deadlines.

Retention of Audit Information

Audit logs and trail report information shall be maintained based on organizational needs. There is no standard or law addressing the retention of audit log/trail information. Retention of this information shall be based on:

- Organizational history and experience.
- Available storage space.

Reports summarizing audit activities shall be retained for a period of twelve years.

Governing Policies of IT Audit

Audit observations will be considered and reported according to the auditor’s judgment based on the bank’s financial, operational and reputational risk. However, Information System auditor(s) may use the ICT Policy and the Information Security Management (ISM) Policy of an organization, and the Bangladesh Bank ICT policy, along with any ISO, COBIT, PCI DSS and ISACA standards, on an “as-required” basis.

Information system audit ensures control over the entire banking operational process, from the initial idea or proposal to the acceptance of a fully operational system, so that system capability is satisfactorily complied with and ICT resources are used effectively.

Types of IT audits
Various authorities have created differing classifications to distinguish the various types of IT audits. Goodman & Lawless state that there are three specific systematic approaches to carry out an IT audit:

- Technological innovation process audit. This audit constructs a risk profile for existing and new projects. The audit will assess the length and depth of the company’s experience in its chosen technologies, as well as its presence in relevant markets, the organization of each project, and the structure of the portion of the industry that deals with this project or product, organization and industry structure.
- Innovative comparison audit. This audit is an analysis of the innovative abilities of the company being audited, in comparison to its competitors. This requires examination of the company’s research and development facilities, as well as its track record in actually producing new products.
- Technological position audit. This audit reviews the technologies that the business currently has and that it needs to add. Technologies are characterized as being either “base”, “key”, “pacing” or “emerging”.

Others describe the spectrum of IT audits with five categories of audits:

- Systems and Applications: An audit to verify that systems and applications are appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system’s activity. System and process assurance audits form a subtype, focusing on business process-centric business IT systems. Such audits have the objective to assist financial auditors.
- Information Processing Facilities: An audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
- Systems Development: An audit to verify that the systems under development meet the objectives of the organization and to ensure that the systems are developed in accordance with generally accepted standards for systems development.
- Management of IT and Enterprise Architecture: An audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.
- Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify that telecommunications controls are in place on the client (computer receiving services), server, and on the network connecting the clients and servers.

In an Information Security (IS) system, there are two types of auditors and audits: internal and external. IS auditing is usually a part of accounting internal auditing, and is frequently performed by corporate internal auditors.

IT SECURITY AND INFORMATION SYSTEM AUDIT IN BANKS
by Mohammad Ziaullah Khan - June 17, 2017
