DISA 2.0 Course
CERTIFICATE
This is to certify that we have successfully completed the DISA 2.0 course training
conducted at Hyderabad from 13th August 2016 to 18th September 2016.
Review of Security and Control practices of Cloud Computing service provider.
We hereby confirm that we have adhered to the guidelines issued by CIT, ICAI for the
project. We also certify that this project report is the original work of our group and each
one of us has actively participated and contributed in preparing this project. We have not
shared the project details or taken help in preparing the project report from anyone except
members of our group.
Project Team:
Name ISA No Membership Number
Place: Hyderabad.
Zebra Cloud Solutions (ZCS) Ltd offers cost-effective cloud computing solutions and caters
to the banking, insurance, healthcare, manufacturing, supply chain and technology industries.
It is one of the top cloud companies in India, providing flexible payment, security,
round-the-clock technical support and the option of pay-per-use pricing. It is a complete
computing solution provider, offering SaaS, PaaS and IaaS services on the public, private
and hybrid computing models.
Considering the enormous potential of cloud computing services, the management of ZCS
has opened its office in India with Bangalore as its head office and data centres at
Mumbai, Hyderabad, Chennai, Pune and Delhi. It offers state-of-the-art cloud computing
services to customers in India with the assurance that data remains within India. ZCS
wants an independent IS Audit covering its security and control practices so as to provide
assurance to the management, regulators and customers in India.
Situation
ZCS has 100+ servers in its data centres in India. These servers are also networked with
500+ servers which hold the worldwide business data of customers of ZCS. These servers
are also connected to the global offices of ZCS and their customers through high-speed
networks and telecommunication systems. The company has state-of-the-art technology
infrastructure and well-trained staff organised as per specific job responsibilities, with a
comprehensive access policy designed not only to protect data but also to ensure its
availability. To protect its data, ZCS has put in place a comprehensive Information Security
Management System as mandated by the ISO 27001 and ISAE 3402 Type I standards. The
company has used best-of-breed security and control practices for implementing security
for its IT infrastructure. This security system is subject to rigorous audit by independent
ISO auditors before certification and is also subject to regular IS Audit using global best
practices.
• Internal theft: One security vulnerability comes from unscrupulous internal
employees. Such employees can pass data to competitors in their business.
Locating data in the highly secure data centre of Wilson Solutions deters such
employees from stealing data because they are under surveillance. Data centre
personnel employed by ZCS have their backgrounds verified extensively during the
recruitment process. They do not understand the customers' businesses as well as
an internal employee of the customer does, so their interest in the data is greatly
reduced, thereby mitigating data theft risks.
• Physical access control: The data centre is a sensitive zone. Only authorised
personnel can enter it. Entry is controlled through automatic access control
systems linked to security alarms. This prevents public access and stray entries. All
such entries are automatically recorded in entry logs.
• Physical access monitoring: The area in and around the data centre is monitored
24x7 through surveillance cameras which capture the images of those entering that
area. The video records are archived, and a security guard views the video monitor.
• Login access control: This is a two-dimensional access control measure. First,
only authenticated users can log in. Second, they can log in only to the relevant
transaction screens for which they have permissions. Such access policies are
administered through the deployment module of the ZCS platform. This mechanism
prevents unauthorised access to both transactions and data. ZCS trains
customers to use specific modules so that access policies can be set by an
administrator designated by the customer. This way, the customer has absolute
control over access.
• Audit trail: Even authenticated usage is tracked. Who logged in, when the login
happened, how long the session lasted, what the usage pattern was and whether any
unusual usage was noticed are the questions the tracking answers.
Such trails discourage anyone from attempting misuse. Thus, fraud can be both
prevented and detected.
• Data transport over the internet: Data movement over the internet, from the
customers' office(s) to the ZCS data centre, is like goods moving on road transport
highways. Both are vulnerable to theft. Such transaction data is protected through
encryption and transported over a secure sockets layer (SSL) connection. This prevents
theft in transit, and encryption renders any stolen data meaningless, making the theft
harmless.
• Firewall: Data arriving via the internet at the data centre is filtered through the
firewall. This is like immigration control, designed to detect illegal entrants. Only
authentic customer data finally reaches the server. Firewall policies are continually
updated as per the information security management system implemented in Wilson
Systems. This protects customers' data from malicious software attacks.
• Fire and natural calamities: Disasters can happen and affect data and business
activities. Fire, earthquakes and floods can ruin data and disrupt operations. Wilson
has implemented a disaster recovery mechanism to handle such crises. First, the
data centre itself is subject to fire safety regulations. Second, all data is stored on
high-speed storage area networks. From this storage, data is backed up according
to the data backup policy implemented as required by the information security
management system. Daily, weekly and monthly backups are taken. The media
containing the backed-up data are stored in fire-proof vaults, and a copy is stored in a
different physical location. In the event of a disaster, the data available on the
backup media will be restored so that operations can continue.
1. Introduction
Zebra Cloud Solutions Ltd, known as ZCS Ltd, is a cloud computing service provider
serving different industries in India. ZCS has state-of-the-art technology infrastructure
and well-trained staff organised with specific responsibilities, and a comprehensive access
policy designed not only to protect data but also to ensure its availability round the clock.
2. Auditee Environment:
ZCS Ltd, a cloud computing service provider, has its head office at Bangalore and
data centres at Mumbai, Chennai, Hyderabad and Delhi. It has 100+ servers in its
data centres in India, which are also networked with 500+ servers that hold the data
of its customers globally. To protect this data the company has adopted a
comprehensive information security system as mandated by the ISO 27001 and ISAE 3402
Type I standards.
3. Background :
The main purpose of the audit was to assess the adequacy and effectiveness of the
controls designed and implemented by ZCS Ltd, including an assessment of
the following components:
• Internal Theft
• Physical access control
• Physical access monitoring
• Logical access control
• Audit trail
• Data transport over internet
• Firewall
• Fire and natural calamities
• Privacy
a. Internal Privacy
b. External Privacy
c. External Privacy involving government and regulatory bodies.
4. Situation
ZCS Ltd, a provider of cloud computing solutions, needs an independent IS audit of the
security and control practices it has adopted, in order to develop its Indian market and
provide assurance to Indian customers and regulators.
The scope of this audit is limited to the security and control practices adopted by the
management, and also covers additional detailed procedures relevant to Indian regulations,
considering the Information Technology Act and other compliance requirements applicable
to Indian companies.
Detailed Audit Programme (partially recovered; columns were Sr. No., Checkpoint,
Compliance, Auditor's initials):
5. Check whether the forms filled by the applicants for the jobs capture all the data
relating to personal data, past … fully filled. – Yes (Ju)
8. … the hiring policy? Are the selections based on merit and accountability?
11. Are all the new recruits given sufficient knowledge of the policies of the organisation
relating to the various policies … past, and see the action taken for the disposal of the
issue? – Yes (Ju)
17. Ensure that the employee gets sign-off from various departments like Finance,
Security, IS, Hardware, etc., before leaving the organisation. All customer data like
papers, documents, etc. with the employee should be asked to be left back. – Yes (RS)
18. Physical security checklist:
- Safety
- Access
- Maintenance
- Signage
- Visitors
- Health
- Legal requirements
3. Does the audit trail capture the relevant data like date and time stamping, user ID,
terminal number and session ID, etc.? – Yes (Ju)
Observations and Recommendations (columns were Sr. No., Observation, Risk,
Recommendation):
3. Observation: The entry and exit logs are not maintained properly and the data is
available for the last six months only.
Risk: Retrieving the information required in future may not be possible.
Recommendation: The logs need to be maintained for a minimum period of 2 years.
9. Observation: The SLA does not specify the number of days for which the logs have to
be retained.
Risk: The back-dated logs pertaining to the earlier period cannot be retrieved.
Recommendation: The SLA should specifically mention the period for which the logs are
to be stored.
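The audit-trail checkpoint above (date and time stamping, user ID, terminal number, session ID) and the two retention findings can be turned into a repeatable review. The script below is an added example written for this report; it is not code from ZCS or from the original project. It assumes a simple pipe-delimited audit-trail format (timestamp|user_id|terminal|session_id|event) that the report does not specify, an assumed business-hours window of 08:00 to 20:00, and the 2-year retention period the finding recommends. The sample log lines are constructed for illustration.

```python
"""Review an audit trail for field completeness, unusual usage and retention.

Added example, not part of the original report. Assumes a pipe-delimited
audit-trail line format (not specified by the report):
    timestamp|user_id|terminal|session_id|event
"""
from datetime import datetime, timedelta

REQUIRED_FIELDS = ("timestamp", "user_id", "terminal", "session_id", "event")
BUSINESS_HOURS = (8, 20)       # assumed window for normal logins (08:00-20:00)
MAX_SESSION = timedelta(hours=10)  # assumed threshold for an overlong session
RETENTION_DAYS = 730           # two years, as the finding recommends

# Constructed sample audit-trail lines (one event per line).
SAMPLE_LOG = """\
2016-08-01T09:02:11|u101|T07|S1001|login
2016-08-01T12:40:05|u101|T07|S1001|logout
2016-08-01T23:15:42|u205|T03|S1002|login
2016-08-02T10:30:00|u205|T03|S1002|logout
2016-08-03T08:10:00|u330|T11|S1003|login
2016-08-03T08:12:00|u330||S1004|login
2016-08-04T09:00:00|u101|T07|S1005|login
"""


def parse_line(line):
    """Parse one audit line; return a dict, or None if any required field is missing."""
    parts = line.strip().split("|")
    if len(parts) != len(REQUIRED_FIELDS):
        return None
    rec = dict(zip(REQUIRED_FIELDS, parts))
    if any(not rec[field] for field in REQUIRED_FIELDS):
        return None            # e.g. empty terminal number
    rec["timestamp"] = datetime.fromisoformat(rec["timestamp"])
    return rec


def review(log_text, now):
    """Run completeness, usage-pattern and retention checks; return the findings."""
    findings = {"incomplete_lines": [], "off_hours": [], "overlong": [],
                "open_sessions": [], "coverage_days": None, "retention_ok": False}
    logins = {}                # session_id -> login time, until a logout is seen
    timestamps = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            findings["incomplete_lines"].append(lineno)  # audit trail gap
            continue
        ts, sid = rec["timestamp"], rec["session_id"]
        timestamps.append(ts)
        if rec["event"] == "login":
            logins[sid] = ts
            if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
                findings["off_hours"].append(sid)        # unusual login time
        elif rec["event"] == "logout" and sid in logins:
            if ts - logins.pop(sid) > MAX_SESSION:
                findings["overlong"].append(sid)         # unusual duration
    findings["open_sessions"] = sorted(logins)           # login without logout
    if timestamps:
        # How far back the retained trail reaches, against the 2-year requirement.
        findings["coverage_days"] = (now - min(timestamps)).days
        findings["retention_ok"] = findings["coverage_days"] >= RETENTION_DAYS
    return findings


def review_sample():
    """Review the constructed sample as of the end of the course period."""
    return review(SAMPLE_LOG, datetime(2016, 9, 18))


if __name__ == "__main__":
    for key, value in review_sample().items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the review reports one incomplete line (missing terminal number), one off-hours login that also ran overlong, two sessions with no logout, and a retained trail of only 47 days against the 730 required, which is the same shape of finding the observation table records.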
SOURCES OF REFERENCE:
Checklists for IS Audit – Issued by RBI
ISA 2.0 Study Material
Internet