NCR Status for 2013 (Call Center Operation)

Columns of the original table: Reference No. | Element | Findings | Responsibility | Category | Status | Root Cause of Non Conformance | Action | Auditor Remarks | Correction | Corrective Action Plan | Target Completion | Actual Completion. Each NCR is listed below with the fields the extract preserves; the Status and Actual Completion columns are blank for every row, and the name recorded in the Action / Auditor Remarks columns is given as-is.

Reference No.: (cut off in the extract)
Element: 4.3.3
Findings: During the audit, interview with the i-FICS System Administrator and review of the User Access Provisioning Procedure v1.4 dated Jan 16, 2012 and relevant records against the iFICS system could not find the Access Creation and Revocation Form v1.2 for the following revocation exercise:
  1. Mohd Shafizan Ismail resigned as at 5 May 2013.
  2. Samsuri Nasrudi resigned as at 2 Jan 2013.
  3. Muhd Hairul Fariz resigned as at 29 Dec 2012.
  4. Nurul Izwana Abd Rahman resigned as at 7 Jan 2013.
  Clause 4.3.3 states that records shall be established and maintained to provide evidence of conformity to requirements and the effective operation of the ISMS.
Responsibility: Asmidah/Norazlin
Category: Minor
Root Cause of Non Conformance: The iFics System Administrator had overlooked the form revocation exercise, even though in the iFics system all the above IDs have been inactive.
Correction: The Access Creation and Revocation form has been filled in by the System Administrator.
  1. Mohd Shafizan Ismail resigned as at 5 May 2013 (revoked on 7 May 2013).
  2. Samsuri Nasrudi resigned as at 2 Jan 2013 (revoked on 10 Jan 2013).
  3. Muhd Hairul Fariz resigned as at 29 Dec 2012 (revoked on 10 Jan 2013).
  4. Nurul Izwana Abd Rahman resigned as at 7 Jan 2013 (revoked on 5 February).
Corrective Action Plan: The System Administrator will follow the revocation exercise and ensure the form is filled up.
Target Completion: 28-Jun-13
Action / Auditor Remarks: Siti Rozani

Reference No.: CCO-02
Element: A.6.2.3
Findings: During the audit, interview with the Property Management and Administration (PMA) personnel and the HMS Infrastructure Manager, and review of the Building Service Agreement between HeiTech and KCSB valid from 1 July 2011 to 30 June 2013, found that the confidentiality clause in Clause 5.3 (page 9) states that: "The Building Manager, its agents, servants and employees shall not divulge any confidential information communicated to or acquired by the Building Manager or its agents, servants and employees in the course of carrying out the services." Further audit could not find:
  1. Any further description of the term "confidential information".
  2. Any records relating to a separate NDA document being signed between HeiTech and KCSB or with its personnel.
  Control A.6.2.3 states that agreements with third parties involving accessing, processing, communicating or managing the organization's information or information processing facilities shall cover all relevant security requirements.
Responsibility: Amirudin (PMA)/Hj Roslan
Category: Minor
Root Cause of Non Conformance: Already stated in Building Maintenance Contract clause 5.3. The issue was highlighted after the contract was signed on 10 October 2011.
Correction: The NDA was made for every KCSB staff member and was submitted to En. Ahmad Abdul Ghani.
Auditor Remarks / Corrective Action Plan: The NDA was made for every KCSB staff member and was submitted to En. Ahmad Abdul Ghani, but was rejected as the contract should be with the company, not with the staff.
Action / Auditor Remarks: Siti Rozani

Reference No.: CCO-03
Element: A.8.2.2
Findings: During the audit, verification of the Training Analysis as at 31/10/12 against the HMS/BS-CCO Staff List Y2013 found that there are staff who did not attend any ISMS-related training, as follows:
  1. Asmidah Abdullah never attended ISMS User Awareness but last attended ISMS Procedure Training on 27/07/2011.
  2. Mohd Fairuz Faizal Zainal last attended ISMS User Awareness and ISMS Essential on 12/6/2005 and 20-21/8/2007 respectively.
  3. Ahmad Shahir Mohamed Jalil only attended ISMS User Awareness on 8/4/2009.
  4. Zuraini Anuar last attended ISMS User Awareness on 7/4/2009.
  5. Rasidah Misran last attended ISMS User Awareness on 13/7/2010.
  Control A.8.2.2 states that all employees of the organization and, where relevant, contractors and third party users shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.
Responsibility: Faryna/Norazlin
Category: Minor
Root Cause of Non Conformance: CCO focused on sending new staff to the awareness session and was not aware that current staff need to attend the training or awareness again.
Correction: CCO had sent most of the staff to the awareness session on 21 June 2013.
Corrective Action Plan: To plan a training schedule for the staff to attend the awareness/training internally on a yearly basis.
Action / Auditor Remarks: Fatiha

Reference No.: CCO-04
Element: A.9.1.4
Findings: During the audit, site verification of the physical security covering the CCO areas and the loading area at Ground Floor observed that all fire extinguishers had expired, as below:
  1. CCO Reporting 07/05/2013 (G1).
  2. CCO Care Line 07/05/2013 (G4).
  3. Communication Room 13/05/2013 (G7).
  Additionally, one (1) unit of fire extinguisher in front of the loading lift is not labeled.
  Control A.9.1.4 states that physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster shall be designed and applied.
Responsibility: Amirudin (PMA)/Hj Roslan
Category: Minor

Reference No.: CCO-05
Element: 4.3.3
Findings: During the audit, interview with the auditee on the maintenance of supporting utilities could not find the Preventive Maintenance Schedule/Plan for Y2013.
  Clause 4.3.3 states that records shall be established and maintained to provide evidence of conformity to requirements and the effective operation of the ISMS. They shall be protected and controlled.
Responsibility: Amirudin (PMA)/Hj Roslan
Category: Minor
Root Cause of Non Conformance: The Preventive Maintenance Schedule Y2013 could not be submitted as promised since the auditee was admitted to hospital on that day.
Correction: The Preventive Maintenance Schedule Y2013 was submitted after the auditee was discharged from hospital.
Action / Auditor Remarks: Mas Dewi

Reference No.: CCO-06
Element: A.10.1.2
Findings: During the audit, interview with the Change Coordinator and review of the Change Management Procedure v1.4 dated Oct 22, 2012 against relevant records from Jan. to May 2013 revealed the following:
  1. The Appendix C Default CAB does not include the CAB Committee under CCO.
  2. The procedure does not describe the allocation of change category (Major/Minor) by the Change Analyst.
  3. All the changes (7 nos) were implemented prior to verification and approval by the Change Analyst.
  Control A.10.1.2 states that changes to information processing facilities and systems shall be controlled.
Responsibility: Ruziati
Category: Minor
Root Cause of Non Conformance:
  2. The Change Analyst had overlooked the Minor/Major category.
  3. The Change Coordinator lacks knowledge of the CAB meeting that must be conducted before the implementation of a change.
Correction:
  1. To include the CAB committee under CCO in Change Management Procedure v1.4.
  2. A Minor/Major category has been stated by the Change Analyst in the Change Management Form.
  3. Starting June 2013, all changes must be verified and approved by the Change Analyst (to check on date).
Corrective Action Plan: The CAB meeting will be conducted on 10 July to discuss and get approval on 3 items of changes which are to be implemented after 10 July.
Target Completion: 10-Jul-13
Action / Auditor Remarks: Siti Rozani

Reference No.: CCO-07
Element: A.11.2.2
Findings: During the audit, interview with the i-FICS System Administrator and review of the User Access Provisioning Procedure v1.4 dated Jan. 16, 2012 and relevant records against the iFICS system revealed that the IDs for the following personnel are still active:
  1. Abd Halim Masri, DR Consultant, who resigned on 6 April, 2013.
  2. Sharoul Awang Osman, Service Center Leader, who resigned on 27 April, 2013.
  Control A.11.2.2 emphasizes the importance of ensuring that the allocation and use of privileges is restricted and controlled.
Responsibility: Asmidah/Norazlin
Category: Minor
Root Cause of Non Conformance: The alert or notification of resigned staff does not reach the iFICS System Administrator, which led to the IDs still being active in the iFics system.
Correction: The System Admin had revoked the IDs of Abd Halim Masri and Sharoul Awang in May 2013.
Corrective Action Plan: The Cessation Clearance Checklist Form (HMS) has included the iFICS System Administrator for ID revocation (Faryna and Asmidah named as persons in charge).
Target Completion: May, 2013
Action / Auditor Remarks: Siti Rozani

Reference No.: CCO-08
Element: A.11.2.4
Findings: During the audit, interview with the PABX System Administrator and review of the User Access Provisioning Procedure v1.4 dated Jan. 16, 2012 against relevant records found that the Quarterly User Privilege Access List for quarter 1, 2013 has yet to be produced for further verification and approval.
  Control A.11.2.4 states that management shall review users' access rights at regular intervals using a formal process.
Responsibility: Rahmat/Faryna/Norazlin
Category: Minor
Root Cause of Non Conformance: The CCO person in charge had overlooked producing the User Privilege Access List for Quarter 1.
Correction: The User Privilege Access List for Quarter 1, 2013 was produced in June 2013.
Corrective Action Plan: To include the exercise on a monthly and quarterly basis in the CCO dashboard.
Target Completion: 12-Jul-13
Action / Auditor Remarks: Siti Rozani

Reference No.: CCO-09
Element: A.12.6.1
Findings: During the audit, review of the Penetration Test Tracker for CCO revealed that all findings have been mitigated and the status is Closed. However, further interview with the auditee could not verify any evidence or records of the mitigation action, as follows:
  1. 172.19.18.130 (Projector Server):
     - Upgrade to RealVNC Free Edition 5.0.3.
     - Configure the OS to the 'Allow connections only from computers running Remote Desktop with Network Level Authentication' setting if it is available.
     - Change the RDP encryption level to one of: 1. High, 2. FIPS Compliant.
  2. 172.19.1.40 (iFICS Server): Configure a better cipher, being changed to 2048.
  Control A.12.6.1 states that timely information about technical vulnerabilities of information systems being used shall be obtained, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.
Responsibility: Fairuz Faizal/Norazlin
Category: Minor
Root Cause of Non Conformance: The DMS team had overlooked producing the report.
Correction: The report was produced on 28 June 2013.
Corrective Action Plan: To follow up with DMS after the Penetration Test and close findings with the report/evidence.
Target Completion: 28-Jun-13
Action / Auditor Remarks: Fatiha

Reference No.: CCO-10
Element: A.14.1.3
Findings: During the audit, interview with the auditee and review of the Business Continuity Plan v1.0 dated March 2012 revealed an inconsistency in the defined frequency of reviewing the plan, as follows:
  1. Under Section 1.1 Purpose, the frequency of review is stated as yearly.
  2. Under Section 1.2 Responsibility, the frequency of review is stated as half-yearly.
  Further interview could not find any updated plan established for Y2013.
  Control A.14.1.3 states that plans shall be developed and implemented to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, critical business processes.
Responsibility: Faryna/Norazlin
Category: Minor
Root Cause of Non Conformance: The Business Continuity Plan has not been reviewed since 2012.
Correction: To review Business Continuity Plan v1.0 on a yearly basis and to establish the plan in Q4.
Corrective Action Plan: To review the latest Business Continuity Plan before the implementation of the BCP in Q4 2013.
Target Completion: Q4, 2013
Action / Auditor Remarks: Mas Dewi

Summary (CCO)
  Total NCRs: Major 0, Minor 10, Observation 0
  Closed: 0
  Outstanding: Minor 10
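For CCO-09 item 1 the gap the auditor recorded is the missing evidence that the RDP hardening is actually in force, not the hardening itself. The following PowerShell script is an added example, not part of the audit record and not HeiTech or DMS tooling; it reads the two RDP-Tcp listener registry values that hold the Network Level Authentication requirement and the minimum encryption level, reports whether they meet the stated mitigation (NLA required, level High or FIPS Compliant), and appends a timestamped evidence row to a CSV that the Penetration Test Tracker can reference. The output path is an assumption. The page does not say what "2048" in item 2 refers to; the certificate listing at the end assumes it means RSA key length and is included only on that basis.

```powershell
# Added example (not from the audit record): gather evidence for the CCO-09
# RDP mitigation items on the local host and write it to a CSV file.
# Assumption: the registry key below is the standard RDP-Tcp listener
# configuration; the output file location is arbitrary.

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdp    = Get-ItemProperty -Path $rdpKey -ErrorAction SilentlyContinue

# MinEncryptionLevel values: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant
$levelNames  = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
$nlaRequired = ($rdp.UserAuthentication -eq 1)   # 1 = NLA required for connections
$level       = [int]$rdp.MinEncryptionLevel
$levelOk     = ($level -ge 3)                    # High or FIPS Compliant, as the tracker requires
$levelName   = if ($levelNames.ContainsKey($level)) { $levelNames[$level] } else { "unknown ($level)" }

$evidence = [pscustomobject]@{
    Host               = $env:COMPUTERNAME
    CheckedAt          = (Get-Date).ToString('s')
    NlaRequired        = $nlaRequired
    MinEncryptionLevel = $levelName
    MeetsCco09Item1    = ($nlaRequired -and $levelOk)
}
$evidence | Format-List

# Assumption: the "2048" in CCO-09 item 2 refers to RSA key length. List local
# machine RSA certificates with public keys shorter than 2048 bits so the
# reviewer can see whether any remain in use on the host.
$shortKeys = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.PublicKey.Oid.FriendlyName -eq 'RSA' -and $_.PublicKey.Key.KeySize -lt 2048 } |
    Select-Object Subject, NotAfter, @{ Name = 'KeyBits'; Expression = { $_.PublicKey.Key.KeySize } }
if ($shortKeys) { $shortKeys | Format-Table -AutoSize } else { Write-Host 'No RSA certificates below 2048 bits found.' }

# Keep the record: this row is what the Penetration Test Tracker entry should point at.
$outFile = Join-Path $env:TEMP 'cco09-rdp-evidence.csv'   # assumed location
$evidence | Export-Csv -Path $outFile -NoTypeInformation -Append
Write-Host "Evidence written to $outFile"
```

Run it in an elevated session on the host named in the tracker and attach the CSV row (and, if anything is listed, the certificate table) to the finding; a closed status with a dated evidence file is what Control A.12.6.1 and Clause 4.3.3 expect to see together.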