Business Requirement
- Review the configurations deployments security and console policy
- Messaging architecture, application security including DLP features in email
- Administration including access governance & management of access and high privilege accounts
- Change, and capacity management and controls Log
- Mobile Device Management (MDM) controls
- Data migration process from Zoho to O365
- Backup and disaster recovery
- Review of adherence to contractual arrangement, including SLA, security certifications, attestations and related reports of service providers
- Compliance with relevant RBI Cyber security framework requirements
Key Finding
- Logs review and audit trails not enabled for specific transactions that need to be secured from data and user perspective
- Data Transfer and Risk management policies not adequate
- Security management practices not implemented; antivirus policy and the capture and review of server logs not enabled and not in place
- Intranet site not adequately protected and LNV Diary was compromised as there was no user id and password protection through two-way authentication and controls
- Asset register and IT asset management not aligned with serial number as there is no data labelling
- Service vendors not available
- No Third party assurance in place
- CIA practices not in place
- No policy for IT, Security, Disposal, Data transfer, Data Security, Network and IT procurement
- Our proprietary SPARK framework was used to perform the audit with our enabled risk library that includes:
  - Check points for specific area
  - Mapping with ISO 27001 clauses and controls
  - IT asset management framework review
  - Quality management and IT act best practices
  - Key metrics and measures for incident management & reporting
  - Enabled risk library with domain & technology risks
Business Benefit and Result
- Better compliance management & security adherence
- IT Asset management
- Physical & logical security effectiveness
- Proactive risk management and controls definition
- Email security and Data loss prevention controls review