TNPFL Report

The document is an information systems audit report for Kreon Finnancial Services' digital lending division. It provides an executive summary that outlines the audit's background, scope, findings rating criteria, and a summary of findings. The majority of the report details 42 findings across various IT systems and controls. It identifies issues rated as high, medium, and low risk and provides recommendations for improvement.

Uploaded by

Bhuvaneshwaran

Information System Audit Report – V 1.0 – January 2023

INFORMATION SYSTEM AUDIT REPORT
Version 1.0 – January 2023

Document Version Control

Document Name: Information Systems Audit Report – 2023
Prepared By: Ajay Mehta – Qadit Systems and Solutions Pvt Limited
Reviewed & Approved By:
Report Date:
Version Number: 1.0
Document Status: Draft
Confidential Page 1 of 24

Table of Contents
1. Executive Summary......................................................................................................................................................3
1.1. Background..............................................................................................................................................................3
1.2. Scope Covered in this Report..................................................................................................................................3
1.3. Rating of Findings....................................................................................................................................................4
1.4. Summary of findings................................................................................................................................................5
2. Detailed Findings..........................................................................................................................................................6
2.1. Review of Policies and Procedures.........................................................................................................................6
2.2. IT Governance.........................................................................................................................................................6
2.3. Business Continuity Planning and Disaster Recovery.............................................................................................8
2.4. Asset Management..................................................................................................................................................9
2.5. Logical Access control...........................................................................................................................................10
2.6. Anti-Virus / Anti Malware Controls.........................................................................................................................11
2.7. Vulnerability Assessment/Configuration review.....................................................................................................12
2.8. Email Security........................................................................................................................................................13
2.9. Backups and Recovery Procedures......................................................................................................................14
2.10. Incident Management Process..............................................................................................................................15
2.11. Endpoint Security...................................................................................................................................................16
2.12. Physical and Environmental Security....................................................................................................................17
2.13. AWS Infrastructure.................................................................................................................................................18
2.14. Area for Improvement............................................................................................................................................22
3. Disclaimer....................................................................................................................................................................23


1. Executive Summary

1.1. Background
Kreon Finnancial has appointed Qadit Systems and Solutions Private Limited (Qadit Systems) to perform an IS Audit on TPNFL IT
Systems (Digital Lending Division) of Kreon Finnancial Services Limited. This report presents the findings from the audit.

1.2. Scope Covered in this Report


The scope of Audit is defined based on the “Master Direction - Information Technology Framework for the NBFC Sector”
issued by Reserve Bank of India on 08th June 2017 and our audit is restricted to StuCred division of Kreon Finnancial Services
Limited.


1.3. Rating of Findings

The following criteria have been used to rate the findings based on the expected resulting impact.

High
● Financial / Non-financial impact likely to be material
● Loss of Confidentiality / Integrity / Availability
● Service to customer is affected
● Possible Legal / Statutory Impacts

Medium
● Financial / Non-financial impact likely to be significant
● Moderate impact
● Moderate probability of attack (Layered security may play a role)
● If not rectified, impact may escalate to ‘High’ category

Low
● Financial / Non-financial impact likely to be insignificant
● Unlikely to impact operations
● If not rectified, issue has potential to escalate to ‘Medium’ or ‘High’ category


1.4. Summary of findings

                                                            Risk categorization
S.no   Scope area                                          High  Medium  Low   Total observations
2.1.   Review of Policies and Procedures                     0      1     0      1
2.2.   IT Governance                                         1      1     0      2
2.3.   Business Continuity Planning and Disaster Recovery    1      0     0      1
2.4.   Asset Management                                      0      0     2      2
2.5.   Logical Access control                                1      2     1      4
2.6.   Anti-Virus / Anti Malware Controls                    2      0     0      2
2.7.   Vulnerability Assessment/Configuration review         1      0     0      1
2.8.   Email Security                                        2      0     0      2
2.9.   Backups and Recovery Procedures                       0      0     1      1
2.10.  Incident Management Process                           0      2     0      2
2.11.  Endpoint Security                                     0      1     0      1
2.12.  Physical and Environmental Security                   1      3     0      4
2.13.  AWS Infrastructure                                    9     10     0     19
       Total                                                18     20     4     42

2. Detailed Findings

2.1. Review of Policies and Procedures


S.no   Observation   Impact   Risk Rating   Recommendation   Management Response

1. Observation: We observed that an Information security and cyber security policy is not available.
   Impact: Without an information security policy, a company could experience security breaches, legal consequences, damage to reputation, financial losses, and a competitive disadvantage. It's important for companies to have a clear policy in place to protect their sensitive data and prevent these negative impacts.
   Risk Rating: High
   Recommendation: To create a strong information security policy, companies should form a dedicated security team, identify risks and vulnerabilities, develop a clear and comprehensive policy, train employees on best practices, regularly monitor and review the policy, and seek expert advice if necessary. By taking these steps, companies can protect their sensitive data and minimize the risk of security breaches and cyber-attacks.


2.2. IT Governance

S.no   Observation   Risk Rating   Recommendation   Management Response

i. Observation: StuCred has not performed Risk assessment of its IT functions to determine:
   a. Identification of critical business function
   b. Business impact analysis
   Risk Rating: High
   Recommendation: It is recommended to undertake comprehensive risk assessment of their IT systems at least on a yearly basis.

ii. Observation: MIS system not implemented to generate reports for Top Management summarising financial position including operating and non-operating revenues and expenses, cost benefit analysis of segments / verticals, cost of funds, etc.
   Risk Rating: Medium
   Recommendation: It is recommended to setup MIS to generate reports for Top Management summarising financial position including operating and non-operating revenues and expenses, cost benefit analysis of segments / verticals, cost of funds, etc. as per section B clause VI of Master Direction - Information Technology Framework for the NBFC Sector dated 8th June 2017.


2.3. Business Continuity Planning and Disaster Recovery

S.no   Observation   Risk Rating   Recommendation   Management Response

i. Observation: Business continuity and disaster recovery plan has not been tested.
   Risk Rating: High
   Recommendation: It is recommended to test the business continuity and recovery plan on a yearly basis.


2.4. Asset Management

S.no   Observation   Risk Rating   Recommendation   Management Response

i. Observation: It was observed that Assets are not categorized based on their criticality.
   Risk Rating: Low
   Recommendation: It is recommended to insert a criticality column in the IT asset register and assign criticality to IT assets.

ii. Observation: IT asset reconciliation or audit is not conducted.
   Risk Rating: Low
   Recommendation: It is recommended to have a reconciliation audit with the IT asset register and a physical inventory check.


2.5. Logical Access control

S.no   Observation   Risk Rating   Recommendation   Management Response

i. Observation: There are no procedures in place to ensure that there is a periodic check for, and removal of, redundant user IDs and accounts.
   ● Operating system (Linux, Windows & MAC)
   ● StuCred business application
   Risk Rating: Medium
   Recommendation: It is recommended to have procedures to ensure that there is a periodic check for, and removal of, redundant user IDs and accounts.

ii. Observation: Review of User Logs is not conducted at periodic intervals.
   Risk Rating: Low
   Recommendation: It is recommended to review the user logs on a periodic basis.

iii. Observation: Users are not forced to change their passwords at regular intervals.
   ● Operating system (Linux, Windows & MAC)
   ● StuCred business application
   Risk Rating: High
   Recommendation: It is recommended that users shall be forced to change their passwords at regular intervals (recommended 90 days).

iv. Observation: System does not maintain a list of previous passwords to ensure that old passwords are not being reused.
   ● Operating system (Linux, Windows & MAC)
   ● StuCred business application
   Risk Rating: Medium
   Recommendation: It is recommended that the system maintain a list of previous passwords (recommended 5) to ensure that old passwords are not being reused.
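Findings iii and iv above describe two controls an application can enforce directly: a maximum password age and a history of previous password hashes that blocks reuse. The following is an added illustration of both rules and is not code from the report or from StuCred's business application; the 90-day age and 5-entry history are the report's recommended values, while the hashing parameters, class names and sample passwords are assumptions chosen for the example.

```python
"""Password history and maximum-age enforcement (added example, not from the report)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

HISTORY_DEPTH = 5                      # previous passwords that may not be reused (report: 5)
MAX_PASSWORD_AGE = timedelta(days=90)  # forced change interval (report: 90 days)
PBKDF2_ITERATIONS = 50_000             # illustrative work factor; production values are higher


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only digests are kept, never plaintext history."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    set_at: datetime


@dataclass
class UserCredential:
    # Oldest first, newest last; the last entry is the password currently in force.
    history: list = field(default_factory=list)

    def _matches(self, record: PasswordRecord, password: str) -> bool:
        return hmac.compare_digest(record.digest, hash_password(password, record.salt))

    def set_password(self, password: str, now: datetime) -> bool:
        """Accept the new password unless it equals one of the last HISTORY_DEPTH passwords."""
        if any(self._matches(r, password) for r in self.history[-HISTORY_DEPTH:]):
            return False
        salt = os.urandom(16)
        self.history.append(PasswordRecord(salt, hash_password(password, salt), now))
        del self.history[:-HISTORY_DEPTH]   # retain only what the policy needs
        return True

    def is_expired(self, now: datetime) -> bool:
        """True when the current password is MAX_PASSWORD_AGE old or older (or none is set)."""
        if not self.history:
            return True
        return now - self.history[-1].set_at >= MAX_PASSWORD_AGE


def demo() -> dict:
    """Constructed walk-through of both rules; returns the individual outcomes."""
    user = UserCredential()
    t0 = datetime(2023, 1, 1, tzinfo=timezone.utc)
    initial = [user.set_password(f"Example-{i}!", t0) for i in range(1, 6)]
    return {
        "initial_accepted": all(initial),
        "reuse_of_1st_blocked": not user.set_password("Example-1!", t0),   # still within last 5
        "sixth_accepted": user.set_password("Example-6!", t0),
        "reuse_of_1st_now_allowed": user.set_password("Example-1!", t0),  # fell out of the window
        "expired_at_89_days": user.is_expired(t0 + timedelta(days=89)),
        "expired_at_90_days": user.is_expired(t0 + timedelta(days=90)),
    }


if __name__ == "__main__":
    for rule, outcome in demo().items():
        print(f"{rule}: {outcome}")
```

The history window counts the current password as one of the five, so the first password becomes reusable only once five newer ones have been set after it; storing salted digests rather than the passwords themselves keeps the history list from becoming a second credential store to protect.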


2.6. Anti-Virus / Anti Malware Controls

S.no   Observation   Risk Rating   Recommendation   Management Response

i. Observation: Daily Scan for virus is not scheduled in the system. Only manual scan by IT Admin is performed on a weekly basis.
   Risk Rating: High
   Recommendation: It is recommended to schedule auto scan on a daily basis.

ii. Observation: Antivirus is not installed in web server and database server.
   Risk Rating: High
   Recommendation: It is recommended to install antivirus in servers.


2.7. Vulnerability Assessment/Configuration review

S.no   Observation   Risk Rating   Recommendation   Management Response

i. Observation: No periodical vulnerability assessment is conducted for:
   ● Stucred web and mobile app (Business application)
   ● Firewall
   ● Router
   ● Switch
   Risk Rating: High
   Recommendation: It is recommended to conduct Vulnerability Assessment on a periodic basis (at least once yearly).


2.8. Email Security

S.no   Observation   Risk Rating   Recommendation   Management Response

i. Observation: Email security like attachment scanning, spam blocking, password policy, data leakage is not implemented.
   Risk Rating: High
   Recommendation: It is recommended to implement E-Mail Security.

ii. Observation: Password policy like complexity, length, password expiry, restrict reuse of old password etc. are not implemented.
   Risk Rating: High
   Recommendation: It is recommended to implement password complexity, length, expiry, restrict reuse of old password.


2.9. Backups and Recovery Procedures

S.no   Observation   Risk Rating   Recommendation   Management Response

i. Observation: Backup of Firewall and router configuration and rules files is not done.
   Risk Rating: Low
   Recommendation: It is recommended to have backup of Firewall and router configuration and rules files.


2.10. Incident Management Process

S.no   Observation   Risk Rating   Recommendation   Management Response

i. Observation: Incident Register is not maintained to record the incident report.
   Risk Rating: Medium
   Recommendation: It is recommended that an Incident Register be maintained.

ii. Observation: Incidents raised are not categorized with criticality.
   Risk Rating: Medium
   Recommendation: It is recommended that Incidents be categorized with criticality.


2.11. Endpoint Security

S.no   Observation   Risk Rating   Recommendation   Management Response

i. Observation: There is no Mobile Device Management (MDM) application used for controlling access to emails, remote wiping and blocking.
   Risk Rating: Medium
   Recommendation: It is recommended to have a Mobile Device Management application to manage all the portable devices.


2.12. Physical and Environmental Security

S.no   Observation   Risk Rating   Recommendation   Management Response

i. Observation: The procedures for the safe evacuation of personnel in an emergency are not displayed at prominent places.
   Risk Rating: Medium
   Recommendation: It is recommended to display the procedures for the safe evacuation of personnel in an emergency at prominent places.

ii. Observation: Fire alarm system and smoke detectors are not installed to identify a fire break-out or any eventuality in the premises.
   Risk Rating: Medium
   Recommendation: It is recommended to install a fire alarm system and smoke detectors in the premises.

iii. Observation: Fire extinguisher in workstation area was not installed.
   Risk Rating: High
   Recommendation: It is recommended to install fire extinguishers in appropriate locations within the office.

iv. Observation: CCTV logs are currently maintained for 25 days. The company’s documented policy requires these logs to be maintained for 45 days.
   Risk Rating: Medium
   Recommendation: It is recommended to maintain 45 days of CCTV backup to adhere to the documented policy of the organisation.


2.13. AWS Infrastructure

S.no   Observation   Risk Rating   Recommendation   Management Response

i. Observation: Administrator privileges are provided to developers accessing the portal and SoD is not being followed.
   Risk Rating: High
   Recommendation: Privileges to end users must be restricted based on SoD and least privileges policy.

ii. Observation: Public access to S3 buckets is not restricted.
   Risk Rating: High
   Recommendation: Access to buckets containing critical or confidential data must be restricted from public access.

iii. Observation: Security documentation of AWS resources is not available.
   Risk Rating: Medium
   Recommendation: List of resources being accessed by the various teams must be documented and reviewed.

iv. Observation: Formal Change management, Incident response and DR plans are not available for the AWS infrastructure.
   Risk Rating: Medium
   Recommendation: Formal document mentioning the critical resources with their RTO and RPO and corrective actions with response to incidents must be defined. Any Change in AWS infrastructure must be recorded.

v. Observation: Details of approval and version control are not available for the network diagram for AWS infrastructure.
   Risk Rating: Medium
   Recommendation: Network diagram should be approved and version details of the document should be maintained.

vi. Observation: AWS Config has not been enabled for resource management.
   Risk Rating: High
   Recommendation: Asset management tools (eg: AWS Config) and alerts regarding the usage and utilization must be configured.

vii. Observation: Classification of resources is not being done.
   Risk Rating: Medium
   Recommendation: Critical resources must be classified and provided secure access on a need-to-know basis.

viii. Observation: VPN is not configured for access to AWS infrastructure.
   Risk Rating: High
   Recommendation: VPN may be implemented for secure remote access of AWS resources.

ix. Observation: VAPT reports for AWS infrastructure are not available.
   Risk Rating: High
   Recommendation: Periodic scanning of AWS resources and configuration checks help in securing the AWS infra.

x. Observation: Encryption is not enabled for S3 buckets.
   Risk Rating: High
   Recommendation: S3 buckets storing confidential information need to be encrypted.

xi. Observation: Keys are used to access instances and rotated every quarter, but no record of the same has been maintained.
   Risk Rating: Medium
   Recommendation: It is recommended to maintain a record/log of key rotation.

xii. Observation: Cryptographic policy has not been configured.
   Risk Rating: High
   Recommendation: Cryptographic policies need to be configured and enabled for security and integrity of data transmitted and stored.

xiii. Observation: CloudWatch alarms are not configured to log successful or failed login attempts.
   Risk Rating: High
   Recommendation: CloudWatch alarms need to be configured for failed login attempts.

xiv. Observation: CloudWatch has not been configured for monitoring resource utilisation and operational health.
   Risk Rating: Medium
   Recommendation: Alerts must be in place to notify admin in case of any performance issue. Threshold levels must be configured beyond which an alert must be sent.

xv. Observation: CloudWatch alarms are not configured for authentication failures.
   Risk Rating: High
   Recommendation: CloudWatch metric filter should be established for failed console authentication attempts.

xvi. Observation: S3 access logging has not been enabled.
   Risk Rating: High
   Recommendation: S3 server access logging must be enabled and reviewed periodically.

xvii. Observation: AWS DR configuration has not been specified as part of the DRP and backup documentation.
   Risk Rating: High
   Recommendation: AWS infrastructure mentioning the critical resources must be available as part of the DR documentation.
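Findings xiii and xv above call for a CloudWatch metric filter on failed console authentication. The following is an added example, not part of the report or of StuCred's environment: it carries the standard metric-filter pattern for this condition as a constant and applies the same predicate in Python to a constructed CloudTrail delivery file, so the logic can be tried offline before the filter is put in place. The account id, user names, IP addresses and the alert threshold of three failures are placeholders chosen for the example.

```python
"""Console sign-in failure detection over CloudTrail records (added example, not from the report)."""
import json
from collections import Counter

# Metric-filter pattern used by the CIS AWS Foundations Benchmark control for console
# authentication failures; is_console_auth_failure() below applies the same predicate in code.
CONSOLE_AUTH_FAILURE_FILTER = (
    '{ ($.eventName = "ConsoleLogin") && ($.errorMessage = "Failed authentication") }'
)

# Constructed CloudTrail delivery (not real account data). The outer {"Records": [...]} envelope
# is the layout of a CloudTrail log file; account id, user names and IPs are placeholders.
SAMPLE_CLOUDTRAIL_JSON = json.dumps({"Records": [
    {"eventTime": "2023-01-15T09:12:01Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "dev-user-1", "accountId": "111111111111"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventTime": "2023-01-15T09:12:20Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "dev-user-1", "accountId": "111111111111"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventTime": "2023-01-15T09:12:44Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "dev-user-1", "accountId": "111111111111"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventTime": "2023-01-15T10:03:05Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "dev-user-2", "accountId": "111111111111"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventTime": "2023-01-15T10:03:31Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "dev-user-2", "accountId": "111111111111"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2023-01-15T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "dev-user-1", "accountId": "111111111111"}},
]})


def load_records(text: str) -> list:
    """Parse one CloudTrail delivery file into its list of event records."""
    return json.loads(text).get("Records", [])


def is_console_auth_failure(record: dict) -> bool:
    """Same predicate as CONSOLE_AUTH_FAILURE_FILTER, evaluated on a parsed record."""
    return (record.get("eventName") == "ConsoleLogin"
            and record.get("errorMessage") == "Failed authentication")


def summarise_failures(records: list, threshold: int = 3) -> tuple:
    """Per-user failure counts plus the users at or above the alert threshold."""
    counts = Counter()
    for record in records:
        if is_console_auth_failure(record):
            counts[record.get("userIdentity", {}).get("userName", "<unknown>")] += 1
    alerting = sorted(user for user, n in counts.items() if n >= threshold)
    return dict(counts), alerting


if __name__ == "__main__":
    counts, alerting = summarise_failures(load_records(SAMPLE_CLOUDTRAIL_JSON))
    print("failed console logins per user:", counts)
    print("users at or over threshold:", alerting)
```

A successful sign-in has no errorMessage field, so it falls out of the predicate, and a non-sign-in event such as ListBuckets is ignored regardless of who performed it; a CloudWatch alarm on the metric produced by the filter then gives the alerting that finding xv asks for, while the trail itself already records the attempts that finding xiii refers to.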

xviii. Observation: Multiple available regions/zones are not used for DR purposes.
   Risk Rating: High
   Recommendation: Multiple regions must be enabled for availability and fault tolerance of instances.

xix. Observation: CloudWatch alarm has not been configured for auto recovery of EC2.
   Risk Rating: Medium
   Recommendation: CloudWatch shall be configured for auto recovery of EC2 instances in case of any system failure without the need for any manual intervention.
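Findings ii, x and xvi above concern three S3 bucket settings: the Public Access Block, default server-side encryption and server access logging. The following is an added example and not code from the report or the audited environment. It evaluates the three controls over per-bucket settings held in the shapes the boto3 S3 client returns, using constructed snapshots with placeholder bucket names so it runs offline; the `snapshot_from_boto3` helper shows how those snapshots would be collected from a live account and is an assumption about the boto3 calls involved rather than something the report describes.

```python
"""S3 bucket checks for public access, default encryption and access logging
(added example, not from the report)."""
from dataclasses import dataclass
from typing import Optional

# The four settings of an S3 Public Access Block; all must be true for the control to hold.
PUBLIC_ACCESS_BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
                            "BlockPublicPolicy", "RestrictPublicBuckets")
ACCEPTED_SSE_ALGORITHMS = {"AES256", "aws:kms", "aws:kms:dsse"}


@dataclass
class BucketSnapshot:
    """Per-bucket settings in the shapes the boto3 S3 client returns (None = not configured)."""
    name: str
    public_access_block: Optional[dict]   # GetPublicAccessBlock -> PublicAccessBlockConfiguration
    encryption_rules: Optional[list]      # GetBucketEncryption -> ServerSideEncryptionConfiguration.Rules
    logging_enabled: Optional[dict]       # GetBucketLogging -> LoggingEnabled


def evaluate_bucket(bucket: BucketSnapshot) -> list:
    """Return the control gaps for one bucket; an empty list means all three controls hold."""
    gaps = []
    pab = bucket.public_access_block or {}
    if not all(pab.get(key) is True for key in PUBLIC_ACCESS_BLOCK_KEYS):
        gaps.append("public access not fully blocked (finding ii)")
    algorithms = {rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                  for rule in (bucket.encryption_rules or [])}
    if not algorithms & ACCEPTED_SSE_ALGORITHMS:
        gaps.append("default encryption not enabled (finding x)")
    if not (bucket.logging_enabled or {}).get("TargetBucket"):
        gaps.append("server access logging not enabled (finding xvi)")
    return gaps


def audit(snapshots: list) -> dict:
    """Map bucket name -> list of gaps for the whole set of snapshots."""
    return {b.name: evaluate_bucket(b) for b in snapshots}


def snapshot_from_boto3(s3, name: str) -> BucketSnapshot:
    """Build a snapshot from a live boto3 S3 client (needs credentials; not used by the demo)."""
    from botocore.exceptions import ClientError  # imported here so the demo runs without boto3
    try:
        pab = s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]
    except ClientError as err:  # the API raises when no block configuration exists
        if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
        pab = None
    try:
        rules = s3.get_bucket_encryption(Bucket=name)["ServerSideEncryptionConfiguration"]["Rules"]
    except ClientError as err:  # likewise when no default encryption is configured
        if err.response["Error"]["Code"] != "ServerSideEncryptionConfigurationNotFoundError":
            raise
        rules = None
    logging_enabled = s3.get_bucket_logging(Bucket=name).get("LoggingEnabled")
    return BucketSnapshot(name, pab, rules, logging_enabled)


# Constructed snapshots standing in for API responses (placeholder bucket names and key ARN).
SAMPLE_SNAPSHOTS = [
    BucketSnapshot("example-app-data",
                   {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS},
                   [{"ApplyServerSideEncryptionByDefault": {
                       "SSEAlgorithm": "aws:kms",
                       "KMSMasterKeyID": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER"}}],
                   {"TargetBucket": "example-log-archive", "TargetPrefix": "s3/app-data/"}),
    BucketSnapshot("example-static-site",
                   {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                    "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
                   None, None),
    BucketSnapshot("example-legacy-exports", None,
                   [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}],
                   {}),
]


if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_SNAPSHOTS).items():
        print(f"{name}: {'compliant' if not gaps else '; '.join(gaps)}")
```

The check treats a partially configured Public Access Block as a gap rather than a pass, since any one of the four settings left false leaves a route to public exposure, and it treats a missing logging target the same as logging being disabled.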


2.14. Area for Improvement

S.no   Observation   Recommendation   Management Response

i. Observation:
   i. Amazon GuardDuty has not been enabled for IDS alerts.
   ii. IDS/IPS has not been enabled for the EC2 instances.
   Recommendation:
   i. AWS GuardDuty can be configured as its threat database is periodically updated in AWS.
   ii. IDS and IPS can be configured to alert in case of any malicious activity and report to admin.

ii. Observation: AWS Shield services have not been enabled.
   Recommendation: Shield helps reduce downtime and latency. Management may consider implementing the same.

iii. Observation: Amazon Macie has not been enabled.
   Recommendation: Amazon Macie can be configured for managing the sensitive data and providing security solutions.

iv. Observation: CloudEndure has not been configured.
   Recommendation: It is recommended to configure CloudEndure to protect against data loss from attacks and threats.

v. Observation: Amazon Inspector has not been configured for EC2.
   Recommendation: AWS Inspector helps in security assessment of applications deployed on AWS.


3. Disclaimer

● This is a status as on date (01st February 2023) report.

● The report is prepared based on evidence received from StuCred as on 01st February 2023

● The report is a report of non-compliances / issues. Observations in the nature of positive assurances have not been included in
this report.

● Recommendations in this report are based on best practices and towards the objective of improving IT Controls. Management
needs to take a holistic view of the recommendations and assess impact of recommendations on operations before
implementation of the same.

● Recommendations should be tested in a test environment to ensure that such settings do not have any adverse impact on the
organization’s operations, before rolling them out to the live environment.

End of Report
