
1 INTRODUCTION

Information system security involves understanding and managing the risks associated with network traffic and security; protecting IT assets and data; selecting and implementing effective controls to ensure confidentiality and integrity; and making sure that the information and communication systems that store, process and transmit data are available at all times. Security threats have increased because hacking tools are easy to obtain and use, attack technology is steadily becoming more sophisticated and effective, and new cyber-attacks are more destructive. Such attacks could affect the Countrywide Network of Computerized Enhanced Reservation and Ticketing (CONCERT).

1.1 Information Security Audit

The objective of this audit was to identify the vulnerable areas of the CONCERT system that could easily be breached, to assess whether adequate and effective information access controls, network controls and operational system controls had been implemented to protect the confidentiality, integrity and availability of the systems and data, and to offer recommendations.

1.2 IT Security Audits

Information security audits are a vital tool for the governance and control of agency IT assets. IT security audits assist agencies in evaluating the adequacy and effectiveness of the controls and procedures designed to protect agency information and IT systems. This guideline suggests actions to make the efforts of auditors and agencies more productive, efficient and effective.

1.3 Roles and Responsibilities

Agencies should assign an individual to be responsible for managing the IT Security Audit Program for E-seva. While the individual assigned this responsibility will vary from agency to agency, it is recommended that it be assigned either to the E-seva Internal Audit Director, where one is available, or to the Information Security Officer (ISO).

2 Planning

2.1 Coordination

As stated in the Audit Standard, at a minimum, IT systems that contain sensitive data relative to one or more of the criteria of confidentiality, integrity or availability shall be assessed at least once every three years. For maximum efficiency, the E-seva IT Security Audit Program should be designed to place reliance on any existing audits being conducted, such as those by the E-seva internal audit organization, a Certified Information Systems Auditor, or third-party audits of any service provider. When

2.2 IT Security Audit Plan

The IT security audit plan helps the agency schedule the necessary IT security audits of the sensitive systems identified in the data and system classification step of the risk management process. V-Tech uses the IT security audit plan to identify and document:
1. The sequencing of the IT security audits relative to both risk and the business cycle of the firm, to avoid scheduling during peak periods;
2. The frequency of audits, commensurate with risk and sensitivity;
3. The resources to be used for the audit, such as internal auditors, Auditor of Public Accounts staff, or a private firm that the agency deems to have adequate experience, expertise and independence.

SCOPE

The scope included an assessment of the entire e-Seva network. Key personnel in the various departments were interviewed to identify critical data and to ascertain how the network was being used. We reviewed the system logs of all network components to determine stability issues. All network hardware considered critical to the e-Seva business initiative was also reviewed to identify single points of failure. We assessed the network perimeter devices for vulnerabilities and evaluated e-Seva practices that could lead to system breaches. Security controls were also assessed to determine whether adequate access control was in place.

Opening Meeting

The audit meeting was opened with a word of prayer by the Assistant Director of E-seva. The Director of E-seva then welcomed all the members present at the meeting.

He introduced the audit team from V-Tech to the department members and to the rest of his own team. The audit plan, scope and objectives were reviewed, together with the timeline for completing the audit; it was decided that the audit would take almost three weeks. The meeting established the official communication link between the department representatives and the audit team.

AUDIT TEAM

1. Elizabeth Birgen (BIT-1-4067-3/2010)
Certifications: CISA Lead Auditor; Certified Information Systems Auditor (CISA); IBM DB2 Universal Database
Role: responsible for auditing the operational systems
Over 10 years' experience auditing major companies in Kenya. Experienced global IT service delivery manager who has led an international organization of database and system administrators located in the US, Mexico and India, and is very familiar with the challenges, issues and opportunities of managing IT outsourcing contracts and vendors.

2. David Rotich (BIT-1-2333-2/2010)
Certifications: CSSP; CCIE
Role: CSSP auditor, responsible for auditing the network security controls
Experienced IT auditor and information security specialist. Reduced the number of incident tickets assigned to his organization by over 80% within one year. Accountable for service level agreements and disaster recovery exercises for multiple clients.

3. Linda Bunei (BIT-1-2342-1/2011)
Certifications: Oracle DBA; ITIL
Role: Oracle auditor, responsible for auditing the access controls
Five years' experience auditing Oracle systems. Developed and implemented a process to monitor the database activity of powerful users, and a process that lets clients review database access quarterly. Verified and approved that all change and release management changes had proper approval, were documented, were performed according to documented procedures, and left an audit trail of the changes performed.

Executing the Audit

Operational Systems: Findings
1. Documentation relating to software, hardware, network, error handling, etc. was incomplete.
2. Assets and data were not classified on the basis of risk.
3. Complete technical documentation, including the source code, was not obtained. This made it impossible to identify any unauthorized program running in the software application package.
4. There was no documented disaster recovery plan defining the roles, responsibilities, rules and structures to be used in the event of a disaster, accidental or otherwise.
5. No alternative site was identified for data centre activities in case of a disaster.

Operational Systems: Recommendations
1. Documentation of the software, hardware, network and error handling should be complete and precise at all times.
2. Higher-risk data and assets should be given higher security priority.
3. Complete documentation, including the source code, is essential: it lets other programmers understand what the program is expected to do, navigate the code to find bugs, and determine where to add new features, and it lets the auditor verify that no unauthorized program is running in the application package.
4. A disaster recovery plan should be drawn up, defining the rules, processes and disciplines that keep available the critical business processes and telecommunications resources on which operations depend. The key elements of such a plan are:
a) establish a planning group;
b) perform risk assessments and audits;
c) establish priorities for applications and networks;
d) prepare an inventory and documentation plan.
5. An alternate disaster recovery site should be established; the two main issues are reconfiguring or rebuilding the infrastructure, and moving data between the primary site and the alternate site.
6. Adequate backup strategies should be developed. The recommended number of backups should be taken and backup procedures should be in place. Backups should be automated with scripts so that they run even when no personnel are available to run them, and every so often a backup should be tested by performing a trial restore from it to check that it is valid.

Network Controls: Findings
1. Management did not review the functioning of the network management tools to identify weaknesses.
2. There was a difference between the number of transactions reported by eSeva and by two participating departments, which indicated that data transmission was incomplete on some days.
3. Protocol analyzers, essential for monitoring network security, were not used.
4. Data was not classified by sensitivity and was transmitted in clear text from the eSeva centres to the data centre instead of in encrypted form. The risk of splicing the wire and re-routing the data, or of tampering with the data through unauthorized access, could not be ruled out.
5. Technical experts had not tested the reliability of the firewalls, and no penetration test reports were produced for the audit.
6. Logs of internet transactions were not maintained on a continuous basis, and were neither archived nor reviewed.

Network Controls: Recommendations
1. Develop intrusion detection strategies for the computer systems. Many of the common intrusion detection methods depend on the existence of the various logs the systems produce and on the availability of auditing tools that analyse those logs. The deployment plan should describe the kinds of information that will be collected and managed on each computer in support of security.
2. The transaction counts reported by eSeva and by the participating departments should be reconciled so that they tally with the documented figures; any difference should be investigated as a possible transmission failure.
3. Protocol analyzers and packet sniffers should be set up to analyse the network traffic and display the state of the network in real time.
4. Data should be classified by sensitivity and encrypted while being sent over the network, so that unauthorized personnel cannot read or tamper with it in transit.
5. The firewalls should be tested to confirm that they prevent unauthorized persons from gaining access to the private network, and penetration tests should be carried out periodically to evaluate the security of the systems and network by simulating an attack by malicious outsiders.
6. Web server logs must be backed up. Configuration and installation information must also be backed up, unless there is a configuration management system that can be used to recover or rebuild a system from a trusted baseline.
7. Reasonably up-to-date system security agent software should be installed, including malware protection with reasonably up-to-date patches and virus definitions (or a version of such software that can still be supported with up-to-date patches and definitions), set to receive the most current security updates on a regular basis.
8. Employees should be educated and trained in the proper use of the computer security system and the importance of data security.
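The following is an added worked example, not part of the audit report and not V-Tech or e-Seva tooling. It implements the approach in recommendation 1 in the most basic form a practitioner would deploy: parse the authentication log, count failed logons per source address over a sliding window, alert when a source crosses a threshold, and flag any later successful logon from that source. The log lines are constructed for the example in the syslog format written by OpenSSH; the host name, user names, addresses, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (syslog format as written by OpenSSH); the host,
# users and addresses are assumptions made up for this example.
SAMPLE_LOG = """\
Mar 12 09:14:01 esv-app1 sshd[2211]: Failed password for invalid user oracle from 203.0.113.9 port 51022 ssh2
Mar 12 09:14:03 esv-app1 sshd[2211]: Failed password for invalid user oracle from 203.0.113.9 port 51023 ssh2
Mar 12 09:14:05 esv-app1 sshd[2214]: Failed password for root from 203.0.113.9 port 51024 ssh2
Mar 12 09:14:06 esv-app1 sshd[2216]: Failed password for root from 203.0.113.9 port 51025 ssh2
Mar 12 09:14:08 esv-app1 sshd[2218]: Failed password for admin from 203.0.113.9 port 51026 ssh2
Mar 12 09:14:09 esv-app1 sshd[2220]: Accepted password for admin from 203.0.113.9 port 51027 ssh2
Mar 12 09:20:11 esv-app1 sshd[2301]: Failed password for lbunei from 198.51.100.4 port 40010 ssh2
Mar 12 09:20:40 esv-app1 sshd[2305]: Accepted publickey for lbunei from 198.51.100.4 port 40011 ssh2
Mar 12 10:02:17 esv-app1 sshd[2402]: Failed password for root from 192.0.2.77 port 60001 ssh2
Mar 12 10:40:30 esv-app1 sshd[2410]: Failed password for root from 192.0.2.77 port 60002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

def parse_line(line, year=2024):
    """Return (timestamp, result, user, source) for an sshd auth line, else None.
    Syslog lines carry no year, so the caller supplies it (assumed 2024 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Alert once a source reaches `threshold` failed logons inside a sliding `window`,
    and again if that source later logs on successfully (a possible compromise)."""
    recent = defaultdict(deque)      # source -> timestamps of failures still in window
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:           # unrelated or malformed line
            continue
        ts, result, user, src = parsed
        if result == "Failed":
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()          # expire failures older than the window
            if len(q) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append(("bruteforce", src, user, ts))
        elif src in alerted:         # result == "Accepted"
            alerts.append(("success_after_bruteforce", src, user, ts))
    return alerts

if __name__ == "__main__":
    for kind, src, user, ts in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:<26} source={src} user={user}")
```

On the sample data this raises two alerts for 203.0.113.9 (five failures in seven seconds, then a successful logon as admin) and none for the two isolated failures from 192.0.2.77 that fall outside the window. The same sliding-window logic applies to the Oracle audit trail discussed under Access Controls, where a failed logon is recorded with return code 1017 (ORA-01017); only parse_line changes. Detection is only as good as the logs it reads, which is why finding 6 (internet transaction logs neither kept continuously nor archived) matters.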

Access Controls: Findings
1. There was an incident of theft, which indicated a lack of physical security.
2. No password policy existed for the eSeva application, the Oracle database or the operating system. There was no restriction on unsuccessful login attempts. There was no system for maintaining emergency passwords, which should be kept in a sealed cover with a responsible authority for use in unforeseen situations. There was no documented, well-defined procedure for creating user accounts. The system provided transaction logs but no audit trail that could trace the flow of transactions and processing at every stage. It was also noticed that the application allowed deletion of data without authentication.

Access Control: Recommendations
1. The servers should be kept in a room under lock and key, and the people who have access to the key should be accountable at all times. Lock combinations should be changed annually or following any possible security compromise.
2. System resource profiles include a number of security-related parameters, in particular ones relating to the use of passwords. Restrictions can be set on password composition, complexity, ageing, expiration and history. Rules can also be set to lock accounts after a number of failed login attempts, to cap the number of concurrent sessions per user, and to disconnect idle users.
3. There should be a documented procedure for creating new users in the system and for removing users who are no longer in service.
4. Oracle provides various methods of authentication. The most usual is Oracle-based authentication with a username and password. It is also possible to use host-based authentication, in which operating system user accounts are passed on to Oracle. Auditing in Oracle is the monitoring and recording of activities within the database.
5. Oracle provides functions for auditing almost any action within the database (viewing, modifying information, executing programs, deleting
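As an added example (illustration code written for this page, not Oracle's profile mechanism and not e-Seva code), the Python module below implements the controls listed in recommendation 2 together so their interaction can be seen: composition and complexity checks, a password history, ageing and expiry, lockout after a number of failed attempts (the control missing in finding 2), a cap on concurrent sessions, and disconnection of idle sessions. Oracle enforces the same limits declaratively on a profile (FAILED_LOGIN_ATTEMPTS, PASSWORD_LOCK_TIME, PASSWORD_LIFE_TIME, PASSWORD_REUSE_MAX, SESSIONS_PER_USER, IDLE_TIME and a PASSWORD_VERIFY_FUNCTION). The limit values, the user name and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Assumed policy limits; Oracle sets the equivalents on a profile
# (FAILED_LOGIN_ATTEMPTS, PASSWORD_LOCK_TIME, PASSWORD_LIFE_TIME,
# PASSWORD_REUSE_MAX, SESSIONS_PER_USER, IDLE_TIME, PASSWORD_VERIFY_FUNCTION).
POLICY = {
    "min_length": 12,
    "min_classes": 3,                 # of: upper, lower, digit, symbol
    "history": 5,                     # recent passwords that may not be reused
    "max_age": timedelta(days=90),
    "max_failures": 5,
    "lock_time": timedelta(minutes=30),
    "max_sessions": 2,
    "idle_timeout": timedelta(minutes=15),
}

def complexity_problems(password, username):
    """Return the composition rules a candidate password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < POLICY["min_length"]:
        problems.append("too short")
    classes = sum(bool(re.search(p, password)) for p in (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < POLICY["min_classes"]:
        problems.append("too few character classes")
    if username.lower() in password.lower():
        problems.append("contains username")
    return problems

def _digest(password, salt):
    # Salted, slow hash so a stolen history cannot be reversed cheaply (iteration count assumed).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    """One user account with password history, ageing, lockout and session limits."""
    def __init__(self, username):
        self.username = username
        self.history = []             # (salt, digest) pairs, newest last
        self.changed_at = None
        self.failures = 0
        self.locked_until = None
        self.sessions = {}            # session id -> time of last activity

    def set_password(self, new_password, now):
        """Apply composition and history rules; return the list of problems (empty on success)."""
        problems = complexity_problems(new_password, self.username)
        if any(hmac.compare_digest(_digest(new_password, s), d) for s, d in self.history):
            problems.append("reuses one of the last %d passwords" % POLICY["history"])
        if problems:
            return problems
        salt = os.urandom(16)
        self.history = (self.history + [(salt, _digest(new_password, salt))])[-POLICY["history"]:]
        self.changed_at = now
        self.failures = 0
        return []

    def authenticate(self, password, now):
        """Return (granted, reason). Lockout is checked before the password so a locked
        account leaks nothing; failures are counted and the account locks at the limit."""
        if self.locked_until and now < self.locked_until:
            return False, "account locked"
        if not self.history:
            return False, "no password set"
        salt, digest = self.history[-1]
        if not hmac.compare_digest(_digest(password, salt), digest):
            self.failures += 1
            if self.failures >= POLICY["max_failures"]:
                self.locked_until = now + POLICY["lock_time"]
                self.failures = 0
                return False, "account locked"
            return False, "bad password"
        self.failures = 0
        if now - self.changed_at > POLICY["max_age"]:
            return False, "password expired"   # correct, but must be changed before use
        return True, "ok"

    def open_session(self, session_id, now):
        """Enforce the concurrent-session cap after dropping idle sessions."""
        self.disconnect_idle(now)
        if len(self.sessions) >= POLICY["max_sessions"]:
            return False
        self.sessions[session_id] = now
        return True

    def disconnect_idle(self, now):
        """Drop sessions idle longer than the timeout; return the ids dropped."""
        idle = [s for s, last in self.sessions.items() if now - last > POLICY["idle_timeout"]]
        for s in idle:
            del self.sessions[s]
        return idle

if __name__ == "__main__":
    t0 = datetime(2024, 3, 12, 9, 0)
    acct = Account("lbunei")
    print(acct.set_password("Winter2024!!", t0))
    for _ in range(5):
        print(acct.authenticate("wrong", t0))
    print(acct.authenticate("Winter2024!!", t0 + timedelta(minutes=5)))
```

Two details carry over to any implementation, Oracle profiles included: the lockout is evaluated before the password so a locked account behaves identically for right and wrong guesses, and an expired password is refused with its own reason so the application can route the user to a password change instead of counting it as a failed attempt. In the eSeva deployment a DBA would set these limits on a profile and assign it to the application schema and every user account rather than coding them in the application.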

CLOSING MEETING
The meeting ended after three hours, and the following measures were agreed to secure e-Seva:
1. New computer viruses are released every day, so the business must be protected by keeping the anti-virus software up to date. Where possible, companies should adopt a policy under which computers without the most up-to-date anti-virus software are not allowed to connect to the network.
2. Since viruses spread by means other than email, unwanted traffic must be blocked from entering the network by a firewall. Sensitive areas of the company's network should be further segmented and protected with additional firewalls.
3. Computers used for business away from the protection of the company's network, such as home PCs and laptops, should have a personal firewall installed.
4. All incoming and outgoing email should be filtered for viruses, ideally at the network perimeter. Emails carrying the file attachment types commonly used by viruses to spread, such as .EXE, .COM and .SCR files, should be prevented from entering the network.
5. All users must know never to open an email attachment they are not expecting. Even when the email is from a known source, caution should be exercised, because recent viruses have spread by appearing to come from addresses familiar to the user.
6. All files downloaded from the Internet should be scanned for viruses before use, ideally at one central point on the network so that every file is properly scanned.

SECURITY POLICIES FOR E-SEVA PROJECT
Security Procedure Manual

Contents
Introduction
Scope
Sanctions
Audit controls procedures
Person or entity authentication
Information access management
Disaster recovery plan
Risk management plan
Appendix A. Confidentiality Declaration
Appendix B. Data Protection Statement

INTRODUCTION
The purpose of this policy is to outline the essential roles and responsibilities within the E-seva community for creating and maintaining an environment that safeguards data from threats to personal, professional and institutional interests, and to establish a comprehensive data security program in compliance with applicable law. This policy also establishes processes for ensuring the security and confidentiality of confidential information, and administrative, technical and physical safeguards against unauthorized access to or use of that information.

SCOPE
This policy applies to all E-seva staff, whether full- or part-time, paid or unpaid, temporary or permanent, as well as to all other members of the community. It applies to all information collected, stored or used by or on behalf of any operational unit, department or person within the community in connection with government operations.

POLICIES
1.1 Sanctions
E-SEVA shall discipline workforce personnel who violate E-SEVA's security policies and procedures or the E-seva Security Rules.

PERSONNEL
IT Manager; Security Officer; Privacy Officer; Human Resources; E-SEVA Workforce Members; System Administrator; Senior Management

PROCEDURES
1. Security Violations That Prompt Consideration of Disciplinary Action
a) Human Resources may discipline a workforce member who violates either the Security Rule or this Manual with respect to the safeguarding of information (a Security Violation), in accordance with the Discipline and Dismissal Policy of the Privacy Manual.
b) Human Resources may also discipline managers or supervisors whose lack of diligence or lack of supervision contributes to a subordinate's Security Violation.
2. Investigation of Security Violations
a) A workforce member who becomes aware of a Security Violation shall promptly report it to the Security Officer and to his or her supervisor or Human Resources.
b) After receiving a reported Security Violation, the Security Officer or his or her designee shall determine the facts and circumstances surrounding the violation and report the findings to Human Resources.
3. Imposition of Discipline
Human Resources shall impose sanctions for a Security Violation in accordance with the Discipline and Dismissal Policy of the Privacy Manual.
4. Reporting of Security Violations
Each workforce member has an obligation to report any Security Violation of which he or she becomes aware to the Security Officer and to his or her supervisor or the Human Resources Department; failure to report a known Security Violation is itself a Security Violation.

POLICY
1.1 Audit Controls
E-SEVA shall record and examine activity in information systems that contain or use the electronic database, for the purposes of identifying suspect activity, identifying high-risk activity, identifying security breaches, responding to potential security weaknesses, and assessing E-SEVA's security program.

IMPACTED SYSTEMS
This policy applies to all computer systems that contain or access electronic information, including, but not limited to, network servers, application servers, desktop computer systems, laptops, data management systems and server devices.

PROCEDURES
1. Implementation of Audit Control Mechanisms
a) The System Administrator shall ensure that all computer systems that contain or access the electronic database have audit controls in place for recording and examining activity.
b) The System Administrator shall configure any new computer system received by E-SEVA to record and examine activity on the system, if it does not already do so, and shall not bring the new system online until audit controls have been established.
2. Activity to Be Logged
The System Administrator shall implement software on E-SEVA information systems (including applications and processes) that contain or access the electronic database to record system activity such as logon, logoff, file access, file activity, attempted logons and failed logons, concurrently with the activity.
3. Information Logged
The audit control mechanism shall identify:
a. who or what is accessing data;
b. when the data is accessed;
c. what data was accessed;
d. the activity that occurred (read only, add, delete, modify);
e. whether data is accessed by anyone outside E-SEVA; and
f. successful and unsuccessful login attempts.
4. Respond to System Activity
The System Administrator shall promptly respond to any observed or reported suspect activity, following the E-SEVA Security Incident Procedures.
5. Audit Trails
E-SEVA shall maintain audit trails showing system activity for a minimum of 6 years. The Security Officer shall be responsible for maintaining the audit trail information. Audit trail information and reports containing audit trails shall remain confidential. The audit trail shall contain:
a. the type of event;
b. the user associated with the event;
c. the date the event occurred;
d. the method or program used to access the information system; and
e. the activities undertaken with respect to the data accessed.
6. Review System Activity
a. The Security Officer-on-call shall oversee the review of audit trails at least monthly. The Security Officer shall review audit trails at least semi-annually in accordance with the procedures set out in E-SEVA's Security Management Policy. The System Administrator shall work with the Security Officer in reviewing the audit logs and shall identify for the Security Officer any suspect activity and any potential security weaknesses in E-SEVA's audit control system.
b. The Security Officer or Privacy Officer shall be responsible for determining whether an external review is necessary.
c. The System Administrator shall add automated monitoring software to E-SEVA's computer systems that contain or access the electronic database; this software logs activity within the computer systems and notifies or alarms security personnel upon detecting any suspicious activity. The System Administrator shall review detected suspicious activity and report it to the Security Officer.

Section 1.2: Person or Entity Authentication

POLICY
E-SEVA shall employ technical safeguards to verify that a person or entity seeking access to the servers is the one claimed. This policy applies to all E-SEVA locations. End users shall be familiar with this policy.

PROCEDURE
1. Personnel Responsibility
a. Implementation of Procedures. The System Administrator shall initiate and oversee the implementation of the following procedures for person and entity authentication, applied singly or in combination, to authenticate that the person or entity seeking access to electronic protected information is the one claimed.
b. Monitoring Access Attempts. The System Administrator shall review access logs to monitor and detect unauthorized access attempts.
2. Person Authentication
a. Person Password Authentication
i. The System Administrator shall assign a unique User ID, pursuant to the Access Control Policy, to each member of the E-SEVA workforce and to any other person who must access the servers or the data stored on E-SEVA's computer systems.
ii. Users shall select passwords in accordance with the procedures described in the Access Control Policy.
iii. Each User shall enter a password along with his or her unique User ID to authenticate his or her identity. A User shall be denied access if the password entered does not match the password assigned to the User ID entered.
b. End User Responsibility
i. Users are responsible for keeping their User IDs and passwords confidential and are forbidden from sharing them with anyone unless authorized by the System Administrator.
ii. If a User becomes aware that someone has improperly obtained his or her User ID and password, or has improperly accessed E-SEVA's operations-related electronic systems using them, the User shall immediately notify the Security Officer or the System Administrator. The System Administrator shall promptly disable access rights for that User ID.
iii. If a User's unique User ID and password are improperly used to gain access to the databases, the User may be subject to discipline in accordance with E-SEVA's Sanctions Policy, which may include the loss of his or her access rights.

3. Entity Authentication
a. Entity Password Authentication
i. The System Administrator shall assign a unique ID, pursuant to the Access Control Policy, to each entity needing access to E-SEVA's electronic information system containing protected information.
ii. Entities shall select passwords in accordance with the procedures described in the Access Control Policy.
iii. Each entity shall enter a password along with the unique User ID assigned to it to authenticate its identity. An entity shall be denied access if the password entered does not match the password assigned to the User ID entered.
b. Entity Responsibility
i. Entities are responsible for maintaining the confidentiality of their unique User IDs and passwords. Entities shall not make E-SEVA's assigned User IDs and passwords available company-wide; they shall be provided only to those entity personnel with a need to know in order to perform a service on E-SEVA's behalf. An entity may lose its access rights for failing to protect the confidentiality of its unique User ID and password.
ii. If an entity determines that any of its personnel or any other person or entity has improperly obtained its User ID and password, or has improperly accessed E-SEVA's operations-related electronic systems using them, the entity shall immediately notify the Security Officer. The System Administrator shall promptly disable access rights for that entity's User ID.
iii. The Security Officer shall determine the proper response to an entity's failure to safeguard its User ID and password. The response may include a recommendation to the Chief Operating Officer to deny access rights to the entity or to terminate the business relationship.
4. Two-factor Authentication
E-SEVA has determined, based on its risk analysis and cost/benefit analysis, not to require two-factor authentication at this time. The Security Officer shall review this determination annually to decide whether it is reasonable and appropriate to implement two-factor authentication.
5. Digital Signature Authentication
E-SEVA has determined not to require digital signature authentication based on public key cryptography at this time, due to a lack of infrastructure support. The Security Officer shall review this determination annually to decide whether it is reasonable and appropriate to implement digital signature authentication.

1.3 Information Access Management

POLICY
E-SEVA shall establish procedures that (i) assign and manage access to electronic protected Government information in a manner commensurate with the role of each workforce member, and (ii) are consistent with the Security Rule. This policy applies to all E-SEVA personnel.

SYSTEMS AFFECTED
This policy applies to E-SEVA's computer systems that contain or access the databases, including, but not limited to, network servers, application servers, desktop computer systems, laptops, handheld devices, data management systems and infrastructure devices.

PROCEDURES
1. Access Authorization
a) The Security Officer shall establish role-based access as set forth in the Access Control Policy and the Workforce Security Policy.
b) The authorization criteria shall include the levels of training and training certification required for each level of access, in accordance with the Security Awareness and Training Policy. The access level shall be established by the Security Officer or his or her designee, and approval may be for a limited period. Renewal or a change of access level may require a full re-evaluation of the access needed and may require additional training.
c) A member of the workforce shall not be authorized to access another workforce member's client record unless it is for the purpose of treatment, payment or operations associated with the workforce member whose record is accessed.
2. Access Establishment
a) Information Security shall implement the following procedures to ensure appropriate access and access authorization:
i. Upon hire, each workforce member shall be identified by the security class applicable to his or her job functions.
ii. The user department shall ensure that new workforce members complete the appropriate access request form to establish the appropriate level of access and to request a unique user identification number. The department head of the new workforce member shall sign the access request form to verify its accuracy.
iii. Once approval is obtained and the access request form has been signed by all necessary parties, Information Security or the Director on Call will assign the appropriate access.
3. Access Modification
a) If a workforce member's employment is terminated, if the workforce member leaves E-SEVA, or if the workforce member's position changes so that he or she performs a different role:
i. The user department shall notify the Security Officer.
ii. The Security Director and the Security Officer-on-call shall implement the procedures set forth in the Workforce Security section of this Manual if the workforce member is being terminated.
iii. The System Administrator shall modify or terminate access upon instruction from the Security Officer or Director-on-call, as set forth in the Access Control Policy of this Manual.

1.4 Disaster Recovery Plan

POLICY
E-SEVA shall establish procedures for responding to an emergency or other occurrence that damages E-SEVA's information systems containing electronic protected personal information, including implementation of a Data Backup Plan, a Disaster Recovery Plan and an Emergency Mode Operation Plan.

PROCEDURES
1. Data Backup Plan
The IT Manager-on-call shall oversee the implementation of the following procedures, which provide for the creation and maintenance of retrievable exact copies of electronic information.
a. Personnel Responsibility. The IT Manager-on-call shall establish specific backup schedules and procedures for E-SEVA's networks and computer systems.
b. Daily Backups. E-SEVA shall back up all software, applications, files, data and messages related to its operations that are stored on E-SEVA's networks and other information systems to tape, CD-ROM, disk or other storage media.
c. Backup Validation. The IT Manager-on-call or his or her designee shall validate the accuracy, completeness and integrity of the backup performed each night. The IT Manager-on-call shall act promptly on any errors shown by the validation process, either resolving them or seeking outside technical support to resolve errors in the backup process.
d. Onsite Storage. The storage media from the previous day or current week shall be stored onsite in a safe within a secured area. Only the Security Officer and E-seva Management shall have the combination to this safe.
e. Offsite Storage.
(i) The Security Officer shall approve an environmentally secure offsite location that provides adequate security and protection from fire and other disasters for the storage of a copy of E-SEVA's backup media.
(ii) The IT Manager-on-call shall cause a copy of the stored data to be sent to the offsite location three days per week.
(iii) E-SEVA shall store up to 5 weeks of backup data at the offsite facility.
(iv) The Security Officer and the designated administrators for backup and restoration shall be entrusted with keys and granted passwords to access the offsite storage area.
f. Restoration of Lost Data. For backup data stored offsite, the Security Officer and the IT Manager-on-call shall develop a plan for retrieving the backup data. The Security Officer shall ensure that any necessary backup data is retrieved from the offsite location by the most expedient practical means in the event of a partial or complete system failure.

2. Disaster Recovery Plan
The Security Officer and the IT Manager-on-call shall oversee the implementation of the following procedures to restore any loss of data in the case of a catastrophic event such as an emergency, fire, vandalism, system failure or natural disaster.
a. Disaster Assessment. Once a disaster has occurred, the IT Manager-on-call shall assess the effect of the disaster on E-SEVA's operational information systems to determine any lost functionality and loss of data. If the IT Manager-on-call determines that data has been lost, he or she shall consult the Security Officer on whether to implement this Disaster Recovery Plan.
b. Personnel Responsibility. The IT Manager-on-call is responsible for the implementation of this Disaster Recovery Plan and the restoration of any lost data.
c. Notify Administrators. The IT Manager-on-call shall notify security personnel of the disaster and notify the designated administrators for backup and restoration. The administrators for backup and restoration shall be designated by the Security Officer and the IT Manager-on-call.
d. Secure Facilities. In the event of a catastrophic event, E-SEVA security personnel shall immediately ensure that all facilities housing E-SEVA's operational information systems remain as secure as the circumstances allow. E-SEVA security personnel shall limit access to the facilities to the following authorized personnel, to assist in disaster recovery:
(i) the Security Officer;
(ii) the Facilities Manager;
(iii) the IT Manager-on-call;
(iv) the administrators for backup and restoration; and
(v) approved outside vendors assisting in disaster recovery.
e. Password Access. The IT Manager-on-call and the other administrators for backup and restoration shall have access to the system passwords needed to perform restores of the necessary systems and data.
f. Onsite Backup Data. The IT Manager-on-call shall ensure that the administrators for backup and restoration have access to any backup media stored onsite if it is needed to restore software, applications, information and data to E-SEVA information systems.

g. Systems Architecture and Diagrams. The IT Manager-on-call and administrators for backup and restoration shall develop and maintain detailed descriptions of E-SEVA's main system hardware components to help rebuild the system in the event of disaster. The administrators for backup and restoration shall maintain updated profiles for each system configuration and maintain lists of installed software, including currently installed patches, drivers, and O/S distribution media.

h. Offsite Storage. The Security Officer shall determine whether offsite backup files are necessary.
(i) The IT Manager-on-call and/or administrators for backup and restoration shall retrieve all necessary backup files stored offsite.
(ii) Backup media shall be retrieved so that data can be restored as soon as reasonably permitted under the circumstances.

3. Emergency Mode Operation Plan. Callier Center Management shall oversee the implementation of the following procedures to enable continuation of critical business processes for protection of the security of electronic INFORMATION while operating in emergency mode.

a. Emergency. For the purposes of this Emergency Mode Operation Plan, an Emergency shall be defined as an incident that either disables, wholly or partially, or substantially impairs E-SEVA's personal care operations central computing system or any computer system or network that contains or allows access to INFORMATION for a period of 48 hours.

e. Backup Servers. If necessary, the IT Manager-on-call shall ensure that E-SEVA's backup servers are brought online so that the critical security applications (such as firewalls) and virus protection software that protect the computer systems and networks containing electronic information continue to run and critical business processes continue.

5. RISK MANAGEMENT POLICY

Overview
Risk management is the ongoing process of identifying risks and implementing plans to address them. Often, the number of assets potentially at risk outweighs the resources available to manage them. It is therefore important to know where to apply available resources to mitigate risk in a cost-effective and efficient manner.

This policy lays the framework for a formal risk management program by establishing responsibility for risk identification and analysis, security planning for risk mitigation, and program management and oversight. It is important to note that program management and oversight is a university-wide responsibility that calls for the active involvement of executive leadership, departmental management, data stewards, and others with information management responsibility.

Policy Statements
1. The E-seva Risk Management Officer (RMO) is responsible for coordinating the development and maintenance of risk management policies, procedures, standards and forms for the University.
2. The RMO is responsible for the ongoing development and day-to-day management of the university's Risk Management Program (Program) for information privacy and security.
3. Organizational Unit heads shall ensure that risk assessments are performed at least once annually on all computing systems and/or business processes under their unit's control that involve non-public information, following guidance from the RMO on assessment method, format, content, and frequency.
4. Organizational Unit heads shall submit the risk assessment results and associated remediation plans to the RMO for review. Remediation plans shall include specific actions with expected completion dates, as well as an account of residual risks.
5. The RMO shall advise the Head of Information Services on risk management strategies and provide periodic reports on Program progress.

Policy Implementation
The RMO is responsible for coordinating the implementation of this policy and for providing guidance on the interpretation of specific policy requirements.

Definitions
Risk: The potential of harm to the University or its stakeholders.


Risk Assessment: A qualitative or quantitative evaluation of the nature and magnitude of risk to government information. The evaluation is based upon known or theoretical vulnerabilities and threats, as well as the likelihood of the threats being realized and the potential impact to the firm and its stakeholders.
Risk Management: The process of evaluating and responding to risks to government information for the purpose of reducing those risks to acceptable levels. Risk management is inclusive of the risk assessment process, and uses the results of risk assessments to make decisions on the acceptance of risks or on taking action to reduce those risks.

Checklist for performing Audit

Application Systems Controls
Before the application system is implemented, the auditor has to review whether the various controls requested by the users have been incorporated in it. The controls which have to be included in the system are as follows:

Logical Access Controls
1. Does the software allow creation of user-IDs with the same name more than once?
2. Does the software store passwords only as a one-way (hashed) value, never in clear or reversible form? Does the software display the password as it is keyed in?
3. Does the software lock the user-ID after 3 unsuccessful logon attempts?
4. Does the software force the user to change the password at set periodic intervals?
5. Does the software maintain a password history, i.e. not allow the same password to be reused on a rotation basis?
6. Is there an audit trail for the maintenance of user profiles?
7. Does the software have provision to create and maintain user-IDs based on the users' designations and positions held?
8. Can the DBA change other users' passwords? If so, is it reflected in the audit trail?
9. If a user-ID record is deleted, does the software delete it physically or logically? Is the software capable of producing a report of logically deleted user-IDs?
10. Does the software have provision to restrict different menu options to different user-IDs based on user level (designation, powers, etc.)?
11. Does the software have provision for defining access rights for users, such as Read Only, Read and Write, Modify, Delete, etc.?
12. Does the software automatically delete (logically) inactive users after a certain period of time?
13. Does the system enforce a minimum password length of 6 or 8 characters, or as indicated in the password policy?
14. Can user-IDs be created without passwords?
15. Does the system limit the maintenance of system control parameters to privileged users having sufficient authority only?
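The following is an added example, not code from the audit report or from the E-seva/CONCERT application, showing what the Logical Access Controls above look like when they are actually implemented: rejection of duplicate user-IDs, salted one-way password hashing, lockout after three failed logons, forced periodic change, a password history, an audit trail that also covers DBA password resets, logical rather than physical deletion with a report of deleted IDs, automatic expiry of inactive accounts, and a minimum length with no empty passwords. The class name UserStore, the policy values and the sample user-IDs are assumptions; an auditor would read the real application's equivalents against this list.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Policy values are assumptions standing in for E-seva's password policy.
MIN_PASSWORD_LENGTH = 8                 # minimum length (item 13)
MAX_FAILED_ATTEMPTS = 3                 # lock after 3 failed logons (item 3)
PASSWORD_HISTORY = 5                    # current + 4 previous hashes (item 5)
PASSWORD_MAX_AGE = timedelta(days=90)   # forced periodic change (item 4)
INACTIVITY_LIMIT = timedelta(days=180)  # auto logical deletion (item 12)


def hash_password(password, salt=None, iterations=100_000):
    """Salted one-way PBKDF2-HMAC-SHA256 (item 2); the clear text is never stored."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class UserStore:
    """Hypothetical in-memory user store exposing the controls an auditor checks."""

    def __init__(self, clock=None):
        self.users = {}          # user_id -> record; records are never removed (item 9)
        self.audit_trail = []    # (time, actor, action, user_id) entries (items 6 and 8)
        self.clock = clock or (lambda: datetime.now(timezone.utc))

    def _log(self, actor, action, user_id):
        self.audit_trail.append((self.clock(), actor, action, user_id))

    def create_user(self, actor, user_id, password, role):
        if user_id in self.users:                                  # no duplicate IDs (item 1)
            raise ValueError("user-ID already exists")
        if not password or len(password) < MIN_PASSWORD_LENGTH:  # items 13 and 14
            raise ValueError("password missing or too short")
        salt, digest = hash_password(password)
        now = self.clock()
        self.users[user_id] = {"salt": salt, "hash": digest, "role": role,  # role (item 7)
                               "history": [], "failed": 0, "locked": False,
                               "deleted": False, "pw_changed": now, "last_login": now}
        self._log(actor, "create", user_id)

    def change_password(self, actor, user_id, new_password):
        """Any actor, including the DBA, leaves an audit-trail entry (item 8)."""
        u = self.users[user_id]
        if len(new_password) < MIN_PASSWORD_LENGTH:
            raise ValueError("password too short")
        for salt, old in [(u["salt"], u["hash"])] + u["history"]:   # history check (item 5)
            if hmac.compare_digest(hash_password(new_password, salt)[1], old):
                raise ValueError("password was used recently")
        u["history"] = ([(u["salt"], u["hash"])] + u["history"])[:PASSWORD_HISTORY - 1]
        u["salt"], u["hash"] = hash_password(new_password)
        u["pw_changed"] = self.clock()
        self._log(actor, "change_password", user_id)

    def login(self, user_id, password):
        """Returns 'ok', 'expired', 'locked' or 'denied'; the password is never echoed."""
        u = self.users.get(user_id)
        if u is None or u["deleted"]:
            return "denied"
        if u["locked"]:
            return "locked"
        if not hmac.compare_digest(hash_password(password, u["salt"])[1], u["hash"]):
            u["failed"] += 1
            if u["failed"] >= MAX_FAILED_ATTEMPTS:                 # lockout (item 3)
                u["locked"] = True
                self._log("system", "lock", user_id)
            return "denied"
        u["failed"] = 0
        u["last_login"] = self.clock()
        if self.clock() - u["pw_changed"] > PASSWORD_MAX_AGE:      # forced change (item 4)
            return "expired"
        return "ok"

    def delete_user(self, actor, user_id):
        self.users[user_id]["deleted"] = True                      # logical deletion (item 9)
        self._log(actor, "delete", user_id)

    def expire_inactive(self):
        """Logically delete accounts idle longer than INACTIVITY_LIMIT (item 12)."""
        for uid, u in self.users.items():
            if not u["deleted"] and self.clock() - u["last_login"] > INACTIVITY_LIMIT:
                self.delete_user("system", uid)

    def deleted_report(self):
        """Report of logically deleted user-IDs (item 9)."""
        return sorted(uid for uid, u in self.users.items() if u["deleted"])
```

When auditing a real application, the useful questions are the ones this code makes concrete: where is the salt and hash stored, does the lockout counter reset on success only, does the history comparison cover the current password as well as the previous ones, and does a DBA-initiated reset go through the same audited path as a user-initiated one.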

CRYPTOGRAPHY
16. Is there a cryptography/encryption policy for the various types of classified information that travel or are stored within and outside the E-seva's network(s)?

NETWORK INFORMATION SECURITY
17. Have the network data monitoring tools (e.g., sniffers, datascopes, and probes) utilized by the product/service been approved by the E-seva's IT Department?
19. Has dial-in connectivity been prohibited on network-connected machines (servers and workstations) except where documented and explicitly approved in writing by Business Management and the IT Department?
20. Have the remote control products used in a dial-in environment been explicitly approved by the IT Department?

Backup and recovery

Software
21. Verify that a current copy of the backup of software (operating system, RDBMS, application, etc.) is taken and preserved at the user site.

Data
22. Verify that the different types of data backup are taken periodically at the intervals advised by the software developer/vendor.
23. Are there proper records noting the media on which each data backup is stored, the data type, the storage location, the date of backup, the due date for recycling, etc.?

Web server
- Check that appropriate parameters are implemented in the operating system of the web server so that the super-user account locks out after too many unsuccessful attempts made across the network, but remains unlocked at the system console.
24. Check that sensitive operating-system executables and data files on the web server are not stored in a public area but in a secure location, with auditing duly enabled.
25. IP routing (forwarding) should be disabled on the web server. Check and confirm this.
26. Ensure that unauthorized ports (for example, UDP port 443) are not allowed into the web server. Also ensure that unnecessary services such as ftp, messenger, SMTP and telnet are not installed or active on the web server.
27. The facility to shut down the machine should be restricted to the system console of the web server. Check and ensure this.
28. Access to the floppy drive, CD-ROM drive, etc. on the web server should be restricted to the interactive user only, to prevent these devices from being shared by all processes on the system. Check and ensure this.

Logs of activity
29. Ensure that auditing is enabled in the web server's operating system and that the logs are reviewed and signed off by authorized officials periodically.
30. Check that an audit trail is enabled on the firewall to log changes made to the rule base, and verify that the logged entries are approved by higher authorities in the IT Department.
31. Check whether the system administrators are monitoring the logs produced by the Intrusion Detection System (IDS) (an IDS helps recognize security threats by inspecting packets for known attack patterns; it detects and alerts but does not by itself prevent attacks such as distributed denial of service) and escalating the access violations to the

Database Controls
It is important to ensure the following with reference to databases:
- The database is physically secure and free of any corruption.
- Access to the database is restricted and permitted only to authorized personnel.
- Referential integrity of the data is ensured at all times.
- The accuracy of the contents of the database is verified periodically.
- The database is also technically verified periodically, in terms of storage space, performance tuning and backup.
- Backups of the database are periodically retrieved and checked to ensure that they are in order.
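As an added example (not part of the report or of E-seva's own procedures) of how the nightly Backup Validation in section 1.c and checklist items 21-23 can be made mechanical rather than visual: a manifest of file sizes and SHA-256 digests is written when the backup is taken, together with the media-register fields of item 23 (media label, location, date, recycle due date, here set five weeks out to match the offsite retention in section 1.e), and the same manifest is used to prove the set is complete and intact before the media goes to the safe or offsite. The file names, the manifest layout and the tape label are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from datetime import date, timedelta

OFFSITE_RETENTION = timedelta(weeks=5)   # assumption: matches "up to 5 weeks" offsite


def sha256_file(path):
    """Stream a file through SHA-256 so large database dumps are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _relative_files(backup_dir):
    """All files below backup_dir, keyed by path relative to it."""
    out = {}
    for root, _, names in os.walk(backup_dir):
        for name in names:
            p = os.path.join(root, name)
            out[os.path.relpath(p, backup_dir)] = p
    return out


def write_manifest(backup_dir, manifest_path, media_label, location, taken=None):
    """Record per-file size and SHA-256 plus the media-register fields of item 23
    (media, storage location, backup date, recycle due date)."""
    taken = taken or date.today()
    files = {rel: {"size": os.path.getsize(p), "sha256": sha256_file(p)}
             for rel, p in _relative_files(backup_dir).items()}
    manifest = {"media": media_label, "location": location,
                "date": taken.isoformat(),
                "recycle_due": (taken + OFFSITE_RETENTION).isoformat(),
                "files": files}
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)
    return manifest


def validate_backup(backup_dir, manifest_path):
    """Return problems as (kind, relative_path): 'missing', 'size', 'corrupt' or
    'unexpected'. An empty list means the backup is complete and intact."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    present = _relative_files(backup_dir)
    problems = []
    for rel, meta in manifest["files"].items():
        if rel not in present:
            problems.append(("missing", rel))
        elif os.path.getsize(present[rel]) != meta["size"]:
            problems.append(("size", rel))
        elif sha256_file(present[rel]) != meta["sha256"]:
            problems.append(("corrupt", rel))
    for rel in sorted(set(present) - set(manifest["files"])):
        problems.append(("unexpected", rel))
    return problems


def demo():
    """Constructed backup set: validate it clean, then corrupt one file in place
    (same size) and delete another, and validate again. Returns (before, after)."""
    with tempfile.TemporaryDirectory() as d:
        backup = os.path.join(d, "backup")
        os.makedirs(backup)
        for name, data in [("concert.db", b"ticket data " * 100), ("app.tar", b"app")]:
            with open(os.path.join(backup, name), "wb") as f:
                f.write(data)
        manifest = os.path.join(d, "manifest.json")
        write_manifest(backup, manifest, "TAPE-W3-D2", "onsite safe")
        before = validate_backup(backup, manifest)
        with open(os.path.join(backup, "concert.db"), "r+b") as f:
            f.seek(3)
            f.write(b"X")                      # same size, different content
        os.remove(os.path.join(backup, "app.tar"))
        after = validate_backup(backup, manifest)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The size check alone would have passed the corrupted database file; only the digest catches a same-size change, which is why a validation that compares file counts and sizes, as many backup jobs do, does not satisfy the "integrity" part of section 1.c. The manifest should travel with the media (or be kept with the media register) so the restore side can run the same check before trusting the copy.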
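The log review in items 29-31 is only useful if someone actually reads the logs and escalates what they find. As an added example (not from the report), the following pass over a constructed set of syslog-style sshd and console login lines flags the violations an administrator would escalate: three failed logons for one account from one source, a successful network logon for the super-user, and a success after the failure threshold was reached (which indicates the network lockout parameter from the web-server item above is not in force), while a root logon at the system console is recorded but allowed, as that item permits. The log format, the threshold and the shape of the escalations() output are assumptions.

```python
import re
from collections import defaultdict

FAILED_THRESHOLD = 3   # assumption: same figure as the lockout control in the checklist

# Constructed sample in syslog style (not real log data). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
Mar 10 09:01:02 web1 sshd[4101]: Failed password for root from 203.0.113.7 port 50211 ssh2
Mar 10 09:01:05 web1 sshd[4101]: Failed password for root from 203.0.113.7 port 50212 ssh2
Mar 10 09:01:09 web1 sshd[4101]: Failed password for root from 203.0.113.7 port 50213 ssh2
Mar 10 09:02:30 web1 sshd[4120]: Accepted password for root from 203.0.113.7 port 50220 ssh2
Mar 10 09:15:00 web1 login[512]: ROOT LOGIN on tty1
Mar 10 09:20:11 web1 sshd[4150]: Failed password for clerk1 from 198.51.100.4 port 40000 ssh2
Mar 10 09:21:00 web1 sshd[4151]: Accepted password for clerk1 from 198.51.100.4 port 40001 ssh2
Mar 10 09:30:00 web1 sshd[4160]: Accepted password for clerk1 from 198.51.100.4 port 40002 ssh2
"""

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")
SSH = re.compile(r"^(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
CONSOLE_ROOT = re.compile(r"^ROOT LOGIN on (?P<tty>tty\d+)$")


def review(log_text, threshold=FAILED_THRESHOLD):
    """Walk the log once and return findings as (severity, kind, user, source, time).
    Severity 'escalate' is what the administrator must raise; 'info' is only recorded."""
    failures = defaultdict(int)       # (user, source) -> consecutive failures
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                  # unparseable line; a real job would count these too
        ts, msg = m["ts"], m["msg"]
        s = SSH.match(msg)
        if s:
            key = (s["user"], s["src"])
            if s["result"] == "Failed":
                failures[key] += 1
                if failures[key] == threshold:   # fire once, at the threshold
                    findings.append(("escalate", "repeated_failures", *key, ts))
                continue
            # successful network logon
            if failures[key] >= threshold:
                # the account should have been locked by now; a success here means
                # the network lockout parameter is not in force on this host
                findings.append(("escalate", "success_after_lockout_threshold", *key, ts))
            if s["user"] == "root":
                findings.append(("escalate", "superuser_network_logon", *key, ts))
            failures[key] = 0
            continue
        c = CONSOLE_ROOT.match(msg)
        if c:                         # console super-user access stays permitted
            findings.append(("info", "superuser_console_logon", "root", c["tty"], ts))
    return findings


def escalations(findings):
    """Subset to hand to the IT Department, deduplicated by kind, user and source."""
    return sorted({(kind, user, src) for sev, kind, user, src, _ in findings if sev == "escalate"})


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(*f)
    print(escalations(review(SAMPLE_LOG)))
```

The counter is keyed on account and source together, so a legitimate user mistyping twice from their own workstation does not get merged with an attacker trying the same account from elsewhere; the review would also be the natural place to cross-check IDS alerts (item 31) against the same sources.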




OUTLINE
1.1 Introduction  1
Information Security Audit  1
1.1 Roles and Responsibilities  1
1.2 IT Security Audits  1
1.3 Roles and Responsibilities  2
2 Planning  2
2.1 Coordination  2
2.2 IT Security Audit Plan  2
Opening Meeting  3
Executing Audit  4
Closing Meeting  8
Security Procedure Manual  9
Personnel  10
Impacted Systems  11
Section 1.2: Person or Entity Authentication  12
Person Authentication  13
Entity Authentication  14
Two-factor Authentication  15
Digital Signature Authentication  15
Checklist for Performing Audit  21
Cryptography  22
Network Information Security  22
Backup and Recovery  22
References  25
