CCO-01 | Clause 4.3.3 | Category: Minor
Findings: During the audit, an interview with the i-FICS System Administrator and a review of the User Access Provisioning Procedure v1.4 dated Jan 16, 2012 and the relevant records against the iFICS system could not find the Access Creation and Revocation Form v1.2 for the following revocation exercises:
1. Mohd Shafizan Ismail resigned as at 5 May 2013.
2. Samsuri Nasrudi resigned as at 2 Jan 2013.
3. Muhd Hairul Fariz resigned as at 29 Dec 2012.
4. Nurul Izwana Abd Rahman resigned as at 7 Jan 2013.
Clause 4.3.3 states that records shall be established and maintained to provide evidence of conformity to requirements and the effective operation of the ISMS.
Responsibility: Asmidah/Norazlin
Root cause: The iFICS System Administrator overlooked the form for the revocation exercise, even though all of the above IDs had already been made inactive in the iFICS system.
CCO-02 | Control A.6.2.3 | Category: Minor
Findings: During the audit, an interview with the Property Management and Administration (PMA) personnel and the HMS Infrastructure Manager and a review of the Building Service Agreement between HeiTech and KCSB, valid from 1 July 2011 to 30 June 2013, found that the confidentiality clause in Clause 5.3 (page 9) states:
"The Building Manager, its agents, servants and employees shall not divulge any confidential information communicated to or acquired by the Building Manager or its agents, servants and employees in the course of carrying out the services."
Further audit could not find:
1. Any further description of the term "confidential information".
2. Any record of a separate NDA being signed between HeiTech and KCSB or with its personnel.
Control A.6.2.3 states that agreements with third parties involving accessing, processing, communicating or managing the organization's information or information processing facilities shall cover all relevant security requirements.
Responsibility: Amirudin (PMA)/Hj Roslan
Root cause: Confidentiality is already stated in Building Maintenance Contract clause 5.3. The issue was highlighted after the contract was signed on 10 October 2011.
NCR Status for 2013 (Call Center Operation)
Columns: Reference No. | Element | Findings | Responsibility | Category | Status | Root Cause of Non Conformance
CCO-03 | Control A.8.2.2 | Category: Minor
Findings: During the audit, verification of the Training Analysis as at 31/10/12 against the HMS/BS-CCO Staff List Y2013 found staff who have not attended any recent ISMS-related training, as follows:
1. Asmidah Abdullah never attended ISMS User Awareness and last attended ISMS Procedure Training on 27/07/2011.
2. Mohd Fairuz Faizal Zainal last attended ISMS User Awareness and ISMS Essential on 12/6/2005 and 20-21/8/2007 respectively.
3. Ahmad Shahir Mohamed Jalil only attended ISMS User Awareness on 8/4/2009.
4. Zuraini Anuar last attended ISMS User Awareness on 7/4/2009.
5. Rasidah Misran last attended ISMS User Awareness on 13/7/2010.
Control A.8.2.2 states that all employees of the organization and, where relevant, contractors and third party users shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.
Responsibility: Faryna/Norazlin
Root cause: CCO focused on sending new staff for awareness training and was not aware that current staff need to attend the training/awareness again.
CCO-04 | Control A.9.1.4 | Category: Minor
Findings: During the audit, site verification of the physical security covering the CCO areas and the loading area at Ground Floor observed that all fire extinguishers had expired, as below (expiry date and location):
1. CCO Reporting, 07/05/2013 (G1).
2. CCO Care Line, 07/05/2013 (G4).
3. Communication Room, 13/05/2013 (G7).
Additionally, one (1) unit of fire extinguisher in front of the loading lift is not labelled.
Control A.9.1.4 states that physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster shall be designed and applied.
Responsibility: Amirudin (PMA)/Hj Roslan
CCO-05 | Clause 4.3.3 | Category: Minor
Findings: During the audit, an interview with the auditee on the maintenance of supporting utilities could not find the Preventive Maintenance Schedule/Plan for Y2013.
Clause 4.3.3 states that records shall be established and maintained to provide evidence of conformity to requirements and the effective operation of the ISMS. They shall be protected and controlled.
Responsibility: Amirudin (PMA)/Hj Roslan
Root cause: The Preventive Maintenance Schedule Y2013 could not be submitted as promised because the auditee was admitted to hospital on that day.
CCO-06 | Control A.10.1.2 | Category: Minor
Findings: During the audit, an interview with the Change Coordinator and a review of the Change Management Procedure v1.4 dated Oct 22, 2012 against the relevant records from Jan. to May 2013 revealed the following:
1. The Appendix C Default CAB does not include the CAB Committee under CCO.
2. The procedure does not describe the allocation of the change category (Major/Minor) by the Change Analyst.
3. All the changes (7 in total) were implemented prior to verification and approval by the Change Analyst.
Control A.10.1.2 states that changes to information processing facilities and systems shall be controlled.
Responsibility: Ruziati
Root cause:
2. The Change Analyst overlooked the Minor/Major category.
3. The Change Coordinator lacked knowledge of the CAB meeting that must be conducted before the implementation of a change.
CCO-07 | Control A.11.2.2 | Category: Minor
Findings: During the audit, an interview with the i-FICS System Administrator and a review of the User Access Provisioning Procedure v1.4 dated Jan. 16, 2012 and the relevant records against the iFICS system revealed that the IDs for the following personnel are still active:
1. Abd Halim Masri, DR Consultant, who resigned on 6 April 2013.
2. Sharoul Awang Osman, Service Center Leader, who resigned on 27 April 2013.
Control A.11.2.2 states that the allocation and use of privileges shall be restricted and controlled.
Responsibility: Asmidah/Norazlin
Root cause: The alert or notification of resigned staff does not reach the iFICS System Administrator, which led to the IDs remaining active in the iFICS system.
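Both CCO-01 and CCO-07 come down to the same control gap: the leaver notification reaches HR but not the application administrator, so revocation depends on someone remembering. The checklist change recorded as the corrective action fixes the process; the reconciliation below is an added example (not part of the audit report or of HeiTech's procedures) of the compensating check an administrator can run periodically, comparing an HR leaver list against the application's active-account export and flagging any account that is still active or was revoked outside a grace period. The CSV layouts, the user IDs and the two-day grace period are assumptions; the rows are constructed for illustration and use the names and dates from the two findings.

```powershell
# Added example: reconcile an HR leaver list against an application's active
# account export. Constructed sample data stands in for the real exports;
# replace the here-strings with Import-Csv on the actual files.
$leavers = @'
Name,ResignedOn
Abd Halim Masri,2013-04-06
Sharoul Awang Osman,2013-04-27
Mohd Shafizan Ismail,2013-05-05
'@ | ConvertFrom-Csv

$accounts = @'
UserId,Name,Status,RevokedOn
u1001,Abd Halim Masri,Active,
u1002,Sharoul Awang Osman,Active,
u1003,Mohd Shafizan Ismail,Inactive,2013-05-07
u1004,Some Current Staff,Active,
'@ | ConvertFrom-Csv

function Get-OrphanedAccounts {
    # Returns one record per leaver account that is still active as of $AsOf,
    # or that was revoked more than $GraceDays after the resignation date.
    param($Leavers, $Accounts, [datetime]$AsOf, [int]$GraceDays = 2)
    foreach ($l in $Leavers) {
        $resigned = [datetime]$l.ResignedOn
        foreach ($a in ($Accounts | Where-Object Name -eq $l.Name)) {
            if ($a.Status -eq 'Active') {
                [pscustomobject]@{
                    UserId = $a.UserId; Name = $a.Name; Issue = 'StillActive'
                    DaysOverdue = ($AsOf - $resigned).Days - $GraceDays
                }
            } elseif ($a.RevokedOn -and ((([datetime]$a.RevokedOn) - $resigned).Days -gt $GraceDays)) {
                [pscustomobject]@{
                    UserId = $a.UserId; Name = $a.Name; Issue = 'RevokedLate'
                    DaysOverdue = (([datetime]$a.RevokedOn) - $resigned).Days - $GraceDays
                }
            }
        }
    }
}

# With the sample data, u1001 and u1002 are reported as StillActive;
# u1003 was revoked within the grace period and is not reported.
Get-OrphanedAccounts -Leavers $leavers -Accounts $accounts -AsOf ([datetime]'2013-05-31') |
    Format-Table -AutoSize
```

Matching on the display name, as the sample does, is the weakest part of any such reconciliation; where the HR system and the application share a staff number, match on that instead. The output is also the evidence the Access Creation and Revocation Form is meant to capture, so keeping each run's result alongside the form would have answered CCO-01 directly.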
CCO-08 | Control A.11.2.4 | Category: Minor
Findings: During the audit, an interview with the PABX System Administrator and a review of the User Access Provisioning Procedure v1.4 dated Jan. 16, 2012 against the relevant records found that the Quarterly User Privilege Access List for quarter 1, 2013 has yet to be produced for further verification and approval.
Control A.11.2.4 states that management shall review users' access rights at regular intervals using a formal process.
Responsibility: Rahmat/Faryna/Norazlin
Root cause: The CCO person in charge overlooked producing the User Privilege Access List for Quarter 1.
CCO-09 | Control A.12.6.1 | Category: Minor
Findings: During the audit, a review of the Penetration Test Tracker for CCO revealed that all findings have been mitigated and their status is Closed. However, a further interview with the auditee could not verify any evidence or records of the mitigation actions, as follows:
1. 172.19.18.130 (Projector Server):
- Upgrade to RealVNC Free Edition 5.0.3.
- Configure the OS to 'Allow connections only from computers running Remote Desktop with Network Level Authentication', if the setting is available.
- Change the RDP encryption level to either High or FIPS Compliant.
2. 172.19.1.40 (iFICS Server): Configure a stronger cipher (change to 2048).
Control A.12.6.1 states that timely information about technical vulnerabilities of information systems being used shall be obtained, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.
Responsibility: Fairuz Faizal/Norazlin
Root cause: The DMS team overlooked producing the report.
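The two RDP items recorded for 172.19.18.130 can be verified directly on the host, which is what the auditor was missing. The PowerShell below is an added example, not part of the audit report or of the DMS team's evidence: it reads the RDP-Tcp listener settings from the registry, applies Network Level Authentication and the High encryption level if they are not already set, and exports the resulting state as a dated CSV that could be attached to the Penetration Test Tracker. The registry path and value names are the standard Windows ones; the CSV file name is an assumption. The RealVNC upgrade and the iFICS "2048" item are not covered, because the report does not identify the service or certificate that item refers to.

```powershell
# Added example: collect and, if needed, apply the RDP hardening recorded
# for the Projector Server. Run in an elevated PowerShell session on the host.
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpHardeningEvidence {
    param([string]$KeyPath = $rdp)
    $p = Get-ItemProperty -Path $KeyPath
    # UserAuthentication: 1 = Network Level Authentication required
    # MinEncryptionLevel: 1 Low, 2 Client Compatible, 3 High, 4 FIPS Compliant
    # SecurityLayer:      0 RDP Security Layer, 1 Negotiate, 2 TLS
    [pscustomobject]@{
        Host               = $env:COMPUTERNAME
        CheckedAt          = (Get-Date).ToString('s')
        NlaRequired        = ($p.UserAuthentication -eq 1)
        MinEncryptionLevel = $p.MinEncryptionLevel
        EncryptionOk       = ($p.MinEncryptionLevel -ge 3)
        SecurityLayer      = $p.SecurityLayer
    }
}

function Set-RdpHardening {
    # 3 = High, 4 = FIPS Compliant (4 also needs the system FIPS policy enabled)
    param([ValidateSet(3, 4)][int]$EncryptionLevel = 3)
    Set-ItemProperty -Path $rdp -Name UserAuthentication -Type DWord -Value 1
    Set-ItemProperty -Path $rdp -Name MinEncryptionLevel -Type DWord -Value $EncryptionLevel
    Set-ItemProperty -Path $rdp -Name SecurityLayer      -Type DWord -Value 2   # TLS
}

# Capture the state before and after so the tracker shows what was changed.
$before = Get-RdpHardeningEvidence
if (-not ($before.NlaRequired -and $before.EncryptionOk)) {
    Set-RdpHardening -EncryptionLevel 3
}
$after = Get-RdpHardeningEvidence
@($before, $after) | Export-Csv -Path ".\rdp-hardening-$($env:COMPUTERNAME).csv" -NoTypeInformation
$after | Format-List
```

The registry changes take effect for new connections only, so an existing session should be disconnected and a fresh connection attempted without NLA to confirm it is refused. Setting MinEncryptionLevel to 4 (FIPS Compliant) also requires the "System cryptography: Use FIPS compliant algorithms" policy to be enabled system-wide, which is why the example applies High by default.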
CCO-10 | Control A.14.1.3 | Category: Minor
Findings: During the audit, an interview with the auditee and a review of the Business Continuity Plan v1.0 dated March 2012 revealed an inconsistency in the defined frequency for reviewing the plan, as follows:
1. Under Section 1.1 Purpose, the frequency of review is stated as yearly.
2. Under Section 1.2 Responsibility, the frequency of review is stated as half-yearly.
Further interview could not find any updated plan established for Y2013.
Control A.14.1.3 states that plans shall be developed and implemented to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, critical business processes.
Responsibility: Faryna/Norazlin
Root cause: The Business Continuity Plan has not been reviewed since 2012.
Corrections and Corrective Action Plans
Columns: Reference No. | Correction | Corrective Action Plan | Target Completion | Actual Completion | Auditor Remarks
CCO-01
Correction: The Access Creation and Revocation Form has been filled in by the System Administrator:
1. Mohd Shafizan Ismail resigned as at 5 May 2013 (revoked on 7 May 2013).
2. Samsuri Nasrudi resigned as at 2 Jan 2013 (revoked on 10 Jan 2013).
3. Muhd Hairul Fariz resigned as at 29 Dec 2012 (revoked on 10 Jan 2013).
4. Nurul Izwana Abd Rahman resigned as at 7 Jan 2013 (revoked on 5 February).
Corrective action plan: The System Administrator will follow the revocation exercise and ensure the form is filled in.
Completion: 28-Jun-13
Auditor: Siti Rozani

CCO-02
Correction: An NDA was made for every KCSB staff member and submitted to En. Ahmad Abdul Ghani.
Auditor remarks: The NDA was made for every KCSB staff member and submitted to En. Ahmad Abdul Ghani, but was rejected as the contract should be with the company, not with the staff.
Auditor: Siti Rozani
CCO-03
Correction: CCO sent most of the staff to the awareness session on 21 June 2013.
Corrective action plan: To plan a training schedule for staff to attend the awareness/training internally on a yearly basis.
Auditor: Fatiha

CCO-04
Auditor: Mas Dewi

CCO-05
Correction: The Preventive Maintenance Schedule Y2013 was submitted after the auditee was discharged from hospital.
Auditor: Mas Dewi
CCO-06
Correction:
1. To include the CAB committee under CCO in the Change Management Procedure v1.4.
2. A Minor/Major category has been stated by the Change Analyst in the Change Management Form.
3. Starting June 2013, all changes must be verified and approved by the Change Analyst (to check on date).
Corrective action plan: The CAB meeting will be conducted on 10 July to discuss and obtain approval for 3 items of change, which are to be implemented after 10 July.
Completion: 10-Jul-13
Auditor: Siti Rozani

CCO-07
Correction: The System Administrator revoked the IDs of Abd Halim Masri and Sharoul Awang in May 2013.
Corrective action plan: The Cessation Clearance Checklist Form (HMS) now includes the iFICS System Administrator for ID revocation (Faryna and Asmidah named as persons in charge).
Completion: May 2013
Auditor: Siti Rozani

CCO-08
Correction: The User Privilege Access List for Quarter 1, 2013 was produced in June 2013.
Corrective action plan: To include the exercise on a monthly and quarterly basis in the CCO dashboard.
Completion: 12-Jul-13
Auditor: Siti Rozani
CCO-09
Correction: The report was produced on 28 June 2013.
Corrective action plan: To follow up with DMS after the Penetration Test and close findings with the report/evidence.
Completion: 28-Jun-13
Auditor: Fatiha

CCO-10
Correction: To review Business Continuity Plan v1.0 on a yearly basis and to establish the plan in Q4.
Corrective action plan: To review the latest Business Continuity Plan before the implementation of the BCP in Q4 2013.
Target completion: Q4 2013
Auditor: Mas Dewi
Summary (CCO): 10 Minor NCRs; no Major findings or Observations.