Project Report of DISA 3.0 Course: Network Security Audit of Remote Operation Including WFH

The document discusses a network security audit conducted for Jupiter Capital Services Ltd, an NBFC. The audit focused on assessing network security for remote operations including work from home. VNY & Associates was engaged to conduct the audit. The audit team reviewed security policies, procedures, and controls to identify weaknesses and risks. Key areas examined included access controls, operating systems, applications, databases, and the network. The goal was to evaluate security and provide recommendations to strengthen security for remote operations and work from home.


Project Report

Of
DISA 3.0 Course

Network Security Audit of Remote Operation Including WFH Page 1


CERTIFICATE

Project report of DISA 3.0 Course

This is to certify that we have successfully completed the DISA 3.0 course training
conducted at DLH portal from 7 November 2020 to 29 November 2020 and we have the
required attendance. We are submitting the Project titled:-

Network Security Audit of Remote Operation Including WFH

We hereby confirm that we have adhered to the guidelines issued by DAAB, ICAI for the
project. We also certify that this project report is the original work of our group and each
one of us have actively participated and contributed in preparing this project. We have not
shared the project details or taken help in preparing project report from anyone except
members of our group.

1. Name CA VIKASH SHARMA DISA No. 63671

2. Name CA NEELAM KOTHARI DISA No. 63711

3. Name CA YASHESH GARG DISA No. 63656

Place: Delhi

Date: November 17, 2020



Table of Contents

Covering Letter
Details of Case Study/Project (Problem)

S. NO. Index Page No.

1 Introduction 6-7

2 Background 8

3 Auditee Environment 8

4 Terms and Scope of Assignment 9

5 Documents reviewed 9

6 Logistics arrangements 10

7 Methodology and Strategy 11-12

8 References 13

9 Finding and Recommendation 14-16

10 Conclusion 17



To,

The Chief Financial Officer,

Jupiter Capital Services Ltd

Sub: Submission of Network Security Audit Report.

Dear Sir,

In terms of our engagement letter dated November 10, 2020, VNY & Associates, Chartered
Accountants, has carried out an independent security audit of the network at the remote
operations of Jupiter Capital Services Ltd. This engagement was primarily focused on auditing
network security, to check how well the network is secured for operations at remote
locations, including work from home.

We have conducted the audit as per the engagement letter. We tried to find out the root cause
of the problems and have also given recommendations for the management to follow up. The
information contained herein and our report are confidential. They are intended only for the
sole use and information of the Company, and only in connection with the purpose for which
the audit has been done. It is to be noted that any reproduction, copying or otherwise quoting
of this report or any part thereof may be done only with our prior permission in writing.

In the following report, we have summarized the audit observations together with
recommendations in order to address the control weaknesses and associated risks.

Thanking You,

Yours Faithfully,

For M/s VNY & Associates

Chartered Accountants



A. Details of Case Study/Project (Problem)
The NBFC (Non-Banking Financial Company) sector has grown in size and complexity over
the years. The Reserve Bank of India has been issuing regular guidelines on system audit
and controls for NBFCs, and a network security audit has indirectly been made mandatory
through specific mention in RBI audit requirements. Considering the needs of regulators
and customers, and as a market differentiator, Jupiter Capital Services Ltd decided to
proactively arrange an independent IS audit of network security for remote operations
including work from home. Thereafter, a series of discussions were held by the entity's
team with the IS auditor to understand the different modules, models, features and
controls, which were prepared considering the business rules of banking and regulatory
requirements.



B. Project Report (solution)
Title: Network Security Audit of Remote Operation Including WFH

1. Introduction

ABOUT THE AUDITEE

Jupiter Capital Services Ltd is one of the leading NBFCs registered under RBI regulation as a
Systemically Important Non-Deposit Accepting Core Investment Company. It has offices in
every major city of the country.

Jupiter Capital Services Ltd provides different types of loans to customers, but the major
areas are:

 Commercial loans
 Housing loans
 Vehicle loans

In addition to the above there are three Strategic Business Units (SBUs):

 Technology Division for providing end-to-end engineering solutions
 Legal Division for loan and security related issues
 International Business Division for providing services worldwide

Jupiter Capital Services Ltd has its head office in Mumbai and 5 regional offices. As it is an
NBFC, every business process should be secured at a high level.



ABOUT THE AUDITOR

The auditing firm for this assignment is VNY & Associates. The firm was established in 2015
and has 5 years of experience in the field of auditing, taxation, system audit, etc.

Composition

Partners: 3

No. of employees: 15

No. of Articles: 20

Located at: Saket, Delhi

In this case the audit will be handled by a team led by CA Vikash Sharma with 8
members, including 2 paid employees and 6 articles.

The audit team for this particular assignment consists of the following qualified members:

S.no Name Qualification Role

1 Vikash Sharma CA, DISA Team Leader
2 Neelam Kothari CA, DISA Member
3 Yashesh Garg CA, DISA Member

VNY & Associates, Chartered Accountants, is one of the well-known chartered accountant
firms in India and is engaged in providing Information System Auditing services across
India. We are also recognized as a provider of Information System Audit services, and our core
competences are listed below:

 SAP, Oracle & JDE process reviews
 Review and framing of IS policies, procedures and practices
 Review of physical and logical access controls
 Review of operating system controls
 Review of application system controls
 Review of database controls
 Review of network management
 Review of application support and system maintenance processes
 Review of disaster recovery and business continuity plans
 Review of IS environment
 Risk assessment and suggestions
 Business process re-engineering reviews
 Post-implementation reviews of business processes and practices, and suggestions



2. Background of Auditee
Jupiter Capital Services Ltd. has been using Information Technology as a key enabler
for facilitating business process owners and enhancing services to its customers. The
senior management of the company has been very proactive in directing the
management and deployment of Information Technology. Almost all of the mission
critical applications in the company have been computerized and networked with
proper security.

Implementation of network security has enabled the company's authorized users to
connect seamlessly to all its legitimate vendors, customers and partners, achieving
improved business efficiency with proper security, which helps it to achieve superior
connection excellence and business security.

3. Auditee Environment
Networking at remote operations in Jupiter Capital Services Ltd has posed unique
challenges arising out of the need to properly secure the networking at each device.
Each employee has been provided a separate laptop for their work, and they carry
the devices to client locations and upload data from there. Some employees are
working from home to save operational cost.

The company has already implemented a separate network security policy for the
devices used at remote locations or by employees working from their own place.

Communication from clients about business insights relevant for loans should be
made only through secured networks, as this type of information is sensitive and
needs to be protected.



4 Terms and Scope of Assignment
The Information System Audit should be executed as per the Audit Charter prepared
by the company and agreed upon by the auditors. The purpose, authority,
responsibilities and accountability are defined in the Audit Charter.

The assignment is to comply with the relevant standards issued by the ICAI and globally
accepted standards for Information System Audit, and to establish an Information
Security Framework for assurance that all required aspects of information security
are covered.

Our scope covers the following:

 Review of security and controls at the network layer.
 Review of all the key functionalities and related security and access controls
as designed at the parameter level.
 Review of how the banking process business rules and regulatory requirements
have been designed and built into the package.
 Review of the process which connects the remote device to the network using VPN.
 Mapping of best practices of security and controls to evaluate how security
and controls are designed and integrated.
 Review of pending unresolved issues of last year and the current year.
 To ensure that violations, if any, in the system and procedures of the bank are
brought to the notice of the management immediately so that timely
corrective and remedial steps can be taken and repetition avoided.

5 Documents Reviewed
 IT security policy for mobile devices used on a network
 Network Security Policy that lists the rights and responsibilities of all staff,
employees, and consultants.
 Acceptable network usage policy.
 Signed security agreement with network providers.
 Contingency plan in case of network failure or security breach.



6 Logistics arrangement required
 The company will make available the necessary computer time, software resources
and support facilities for the assignment.
 During the course of the IS Audit, the auditors will use ACL, IDEA Software, SQL
commands, Baseline Security Analyzer, Belarc Security Advisor, Free Port Scanner
and third-party access control software as Computer Assisted Audit Techniques
(CAAT) for the verification of the system, using a Windows 10 computer connected to
the server having abc operating system, at the Mumbai and Ahmedabad branches
of one of the customers of the company.
 As auditors we will use an Integrated Test Facility (ITF) for the audit of regulatory
requirements embedded in the application software. We will use correct as well as
incorrect data to check the error reporting capabilities of the network software.
 Automated flowcharting programs would be used to interpret the source code of
the application software and to generate flowcharts indicating the flow of information.
 A mapping program would be used, which identifies unexecuted code in the
software; this will help us draw the attention of the management and the
software development team to it.

Documentation required:
 User Manuals and Technical Manuals
 Source code of the software
 Rules, Regulations, guidelines and circulars issued for the company
 Security policies of the company etc.
 Network Security Policy that lists the rights and responsibilities of all staff,
employees, and consultants.
 Acceptable network usage policy.



7 Methodology and Strategy
When undertaking an initial security audit, it is important to use the most up-to-date
compliance requirements to uphold security protocols. This clearly defines what
CISOs should be looking at, and helps in shaping and setting up the future of the
organization's automated security monitoring and assessments. The audit will be
conducted to review that the following steps are in place and up to date:

Step 1: The Scope of the Security Perimeter

The scope of the auditing process is to be clearly defined. It should include all access
layers: wired, wireless and VPN connections. In this manner, the scope of the audit
will ultimately include all software and devices, in all locations, so as to define the
security perimeter for the company.

Step 2: Defining the Threats

The next step is to list potential threats to the security perimeter. Common threats
to include in this step would be:

 Malware – worms, Trojan horses, spyware and ransomware – the most common
form of threat to any organization in the last few years.
 Employee exposure – making sure that employees in all locations change their
passwords periodically and use a certain level of sophistication (especially with
sensitive company accounts), as well as protection against phishing attacks and
scams.
 Malicious insiders – once onboarding has taken place (employees, contractors and
guests) there is the risk of theft or misuse of sensitive information.
 DDoS attacks – Distributed Denial of Service attacks happen when multiple systems
flood a targeted system such as a web server, overload it and destroy its
functionality.
 BYOD, IoT – these devices tend to be somewhat easier to compromise and therefore
must be completely visible on the network.
 Physical breaches, natural disasters – less common but extremely harmful when
they occur.

Step 3: Prioritizing and Risk Scoring

There are many factors that go into creating the priorities and risk scoring:

 Cyber security trends – working with a network access control system in place that
factors in the most common and current threats along with the less frequent ones
could save the organization and its CISOs a lot of time and cut costs, while at the
same time defending the organization in an optimal framework.
 Compliance – includes the kind of data that is to be handled, whether the company
stores or transmits sensitive financial or personal information, and who specifically
has access to which systems.
 Organization history – whether the organization has experienced a data breach or
cyber-attack in the past.
 Industry trends – understanding the types of breaches, hacks and attacks within
the specific industry should be factored in when creating the scoring system.

Step 4: Assessing the Current Security Posture

At this point an initial security posture should be available for each item included
in the initial scope definition. Ideally, with the right access control systems in place,
no internal biases affect the initial audit or any continuous risk assessments
performed automatically later on. Additionally, making sure that all connected
devices have the latest security patches, firewall and malware protection will
assure more accuracy in the ongoing assessments.

Step 5: Formulating Automated Responses and Remediation Action

Establishing a corresponding set of processes designed to eliminate the risks
discussed in Step 2 includes a few solutions that should be covered in this step:

 Network monitoring – establishing continuous automated monitoring and creating
automated risk assessments will lead to improved risk management. Cyber offenders
are typically working to gain access to networks. Activating software that
automatically takes notice of new devices, software updates and changes, security
patches, firewall installations and malware protection is the best way for any
organization to protect itself. Ideally the CISOs should be alerted to any
questionable device, software, activity, unknown access attempt, and more, so as
to be a step ahead of any harmful activity, whether it is malicious or not.
 Software updates – making sure that everyone on the network has the latest
software updates and patches, firewalls, etc. It is highly recommended to take
advantage of the built-in feature in network access control software that alerts
administrators when these are required.
 Data backups and data segmentation – relatively simple but crucial steps, because
consistent and frequent data backups along with segmentation will ensure minimal
damage should the organization ever fall victim to malware or physical cyber-attacks.
 Employee education and awareness – training for new employees and continuous
security updates for all employees to make sure best practices are implemented
company-wide, such as how to spot phishing campaigns, increasing password
complexity, two-factor authentication and more.



8 References
During the course of the Network Security Audit of the NBFC, the IS auditors of the
company have complied with the standards and guidelines detailed below:

 Information Technology Act, 2000
 Section 7(A) of the Act – Audit of documents in electronic form
 Section 43A of the Act – Body corporate dealing with sensitive data
 Section 72(A) of the Act – Disclosure of information without the consent of the
person concerned
 The Banking Regulation Act, 1949
 ISO 27001 – Information System
 COBIT 5
 IT Audit and Assurance Standards and Guidelines issued by ISACA
 ISO 1206 – Using the work of other experts
 Circular issued by the Reserve Bank of India as on 13.01.2016
 ISO 19600 – Compliance
 ISO 31000 – Risk Assessment
 ISO 22301 – Business Continuity Planning
 DBOD circular on Internet Banking
 Guidance note for Banks on Risks and Controls in Computer and Telecommunication
Systems
 Other globally accepted standards issued by the relevant authorities
 www.isaca.org/cobit
 www.rbi.gov.in
 www.dbs.gov.in



9 Findings and Recommendations
(i) The IS Audit Program is as detailed below (each question was answered Yes, marked √, and documented as Done):

Sr. No. Question Yes No Documentation

1 Review network diagrams to understand the network infrastructure. √ Done
2 Review the physical and logical access controls to the network. √ Done
3 Review the applicable policies, standards, procedures and guidance on the network. √ Done
4 Review the maker-checker concept to reduce the risk of error and misuse and to ensure reliability of data/information. √ Done
5 Review the Information Security and Cyber Security. √ Done
6 Review the adequacy of filing regulatory returns to RBI. √ Done
7 Review the BCP policy duly approved by the Board, ensuring regular oversight of the Board by way of periodic √ Done
8 Review whether the requirements as regards Mobile Financial Services, Social Media and Digital Signature Certificates are properly met. √ Done
9 Arrangement for backup of data with periodic testing. √ Done
10 Review whether internet connections are protected through an industry-recognized firewall. √ Done



(ii) Observations and Recommendations:

1. Security Policy
Observation: Proper documentation for the security policy is made by management from time
to time, but it is not effectively executed in the software.
Recommendation: It is advisable that each employee should be aware of the security policy,
and proper training should be given at the time of joining.

2. Disaster Recovery Plan
Observation: There is an option for a disaster recovery plan for the customer in case of a
security breach or network failure.
Recommendation: It is advisable to compulsorily have a disaster recovery plan in the system.

3. Network Diagram
Observation: Network diagrams do not follow diagramming conventions. They do not use the
conventional device icons to represent devices like routers, L-3 switches, etc.
Recommendation: Diagrams should conform to standard conventions. They should be updated
as and when changes occur to the network.

4. Audit Log
Observation: The audit log policy is not consistent across servers in terms of network logging,
log file size and retention period. Audit log configurations on all servers allow overwriting on
reaching the defined maximum log size.
Recommendation: A consistent audit log policy should be applied across servers, and logs
should be promptly backed up and manually cleared to obviate the need for overwriting.
Wherever required, the log size may be suitably increased.

5. VPN Access
Observation: New employees are getting VPN access, but old employees working at remote
locations have not been provided VPN access and are working over the normal public network.
Recommendation: A VPN adds an extra layer of security by hiding IP addresses, encrypting the
data and masking the location of the user. Ensure that all remote employees have access to
the VPN service. If necessary, hold a meeting or share tutorials on how to use the VPN
efficiently to protect the company network.

6. Third-party remote access platform
Observation: Employees are using a remote desktop service to hold meetings without the IT
team having assessed its network suitability.
Recommendation: The IT team should choose the RDS very carefully before any exchange of
information or holding of meetings begins.

7. Multi-factor authentication
Observation: The company does not have multi-factor authentication; only the login ID is used
to connect to the network.
Recommendation: The IT team should set up multi-factor authentication for each employee who
needs to log into their company user profile remotely, using a combination of the user ID
along with a one-time password (OTP) sent to the user's personal registered number.
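Finding 4 above (audit log settings differ between servers and every server overwrites its log on reaching the maximum size) can be checked and remediated from Windows with the built-in event log configuration objects. The script below is an added example and is not part of the report or the auditee's tooling; the server names are placeholders and the baseline sizes and retention mode are assumptions.

```powershell
# Added example, not from the report: audit Windows event log retention settings
# on a list of servers against one baseline, report logs that overwrite when full
# (LogMode 'Circular') or differ between servers, and apply the baseline on demand.
$Servers  = @('SERVER-PLACEHOLDER-1', 'SERVER-PLACEHOLDER-2')   # assumed names
$Baseline = @{
    # log name -> minimum size in bytes and required retention mode (assumptions)
    'Security'    = @{ MinBytes = 1GB;   Mode = 'AutoBackup' }
    'System'      = @{ MinBytes = 256MB; Mode = 'AutoBackup' }
    'Application' = @{ MinBytes = 256MB; Mode = 'AutoBackup' }
}

function Get-LogPolicyReport {
    param([string[]]$ComputerName, [hashtable]$Baseline)
    foreach ($server in $ComputerName) {
        foreach ($logName in $Baseline.Keys) {
            try {
                # -ListLog returns the EventLogConfiguration object, which carries
                # the current size limit and retention mode of that log
                $cfg = Get-WinEvent -ListLog $logName -ComputerName $server -ErrorAction Stop
            } catch {
                [pscustomobject]@{ Server = $server; Log = $logName; SizeMB = $null
                                   Mode = $null; Status = "UNREACHABLE: $($_.Exception.Message)" }
                continue
            }
            $issues = @()
            if ($cfg.LogMode -eq 'Circular') {
                $issues += 'oldest events are overwritten when the log is full'
            }
            if ($cfg.MaximumSizeInBytes -lt $Baseline[$logName].MinBytes) {
                $issues += 'size below baseline'
            }
            if (-not $cfg.IsEnabled) { $issues += 'log disabled' }
            [pscustomobject]@{
                Server = $server
                Log    = $logName
                SizeMB = [math]::Round($cfg.MaximumSizeInBytes / 1MB)
                Mode   = [string]$cfg.LogMode
                Status = if ($issues.Count) { 'NONCOMPLIANT: ' + ($issues -join '; ') } else { 'OK' }
            }
        }
    }
}

# A log whose size or mode differs from server to server is the "not consistent
# across servers" observation; group the report by log name to surface it.
function Get-InconsistentLogs {
    param([object[]]$Report)
    $Report | Where-Object { $_.Mode } | Group-Object Log | ForEach-Object {
        $variants = @($_.Group | Select-Object SizeMB, Mode -Unique)
        if ($variants.Count -gt 1) {
            [pscustomobject]@{
                Log      = $_.Name
                Variants = ($variants | ForEach-Object { "$($_.SizeMB)MB/$($_.Mode)" }) -join ', '
            }
        }
    }
}

# Remediation matching the recommendation: raise the size where needed and use
# AutoBackup, which archives the full log to a file instead of overwriting it.
function Set-LogPolicyBaseline {
    param([string]$ComputerName, [string]$LogName, [hashtable]$Baseline)
    $cfg = Get-WinEvent -ListLog $LogName -ComputerName $ComputerName -ErrorAction Stop
    if ($cfg.MaximumSizeInBytes -lt $Baseline[$LogName].MinBytes) {
        $cfg.MaximumSizeInBytes = $Baseline[$LogName].MinBytes
    }
    $cfg.LogMode = $Baseline[$LogName].Mode
    $cfg.SaveChanges()   # requires administrative rights on the target server
}

$report = Get-LogPolicyReport -ComputerName $Servers -Baseline $Baseline
$report | Format-Table -AutoSize
Get-InconsistentLogs -Report $report | Format-Table -AutoSize
```

Archived logs produced by AutoBackup still need to be copied off the server and the old archives removed on a schedule, otherwise the disk fills instead of the log.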

Other recommendations for remote operations:

 Make 2FA (Two-Factor Authentication) mandatory.
 Educate employees about cyber security risks and their vulnerabilities as they
work from home.
 Teach employees how to identify phishing and the steps they need to take if
they get phished.
 Provide a point of contact and clear guidelines in case there is a security
breach.
 Make the use of a standard password manager solution mandatory.
 Conduct phishing audits to test the preparedness of remote employees.
 Ensure regular backups are conducted.
 Keep "read-only" as the default when granting file share permissions.
 Use an email filtering solution to filter inbound as well as outbound
messages.
 Protect against spam, malware, and phishing by using mail filters.



10 Conclusions
We have conducted the network security audit of Jupiter Capital Services Ltd
focusing on remote operations including work from home, as per the terms and
scope agreed upon between the management and the auditors. We have followed
the international reporting standards issued by ISACA while conducting the audit
assignment. Although we have tested the software thoroughly, our report remains
subject to the audit risk inherent in any audit.

Although the company has managed to secure its network, there are key areas
which we have identified: authentication for connecting to the network, employees
being unaware of the security policy of the company, disaster recovery plans not
being in place, use of third-party RDS without consulting the IT team, etc. We
have made recommendations regarding our findings which may be helpful to
the management.

There are other findings as well which are also important to resolve as soon as
possible: there are guidelines in case of security breach; there are no proper
authorization controls in place for connecting to the network, etc. Necessary
recommendations have been provided by us to the management to overcome
our findings.

The recommendations suggested by us are suggestive in nature and not mandatory;
the management may look for alternative solutions to the findings.
