
PROJECT REPORT

OF DISA 3.0
INFRASTRUCTURE AUDIT OF A BANK DATA CENTRE

Submitted By-

CA AYUSHI AGARWAL- 442177


CA TOSHIKA JAIN- 445784
Infrastructure Audit of Bank Data Centre

1. Introduction

ABC Bank is a leading bank in India. The Bank's consolidated total assets stood at Rs. 13.77 trillion at
March 31, 2020. It was formed in 1955 with the principal objective of creating a development financial
institution to provide medium-term and long-term project financing to Indian businesses. Until the late
1980s, ABC primarily focused its activities on project finance, providing long-term funds to a variety of
industrial projects. With the liberalization of the financial sector in India in the 1990s, ABC transformed its
business from a development financial institution offering only project finance to a diversified financial
services provider that, along with its subsidiaries and other group companies, offered a wide variety of
products and services. As India's economy became more market-oriented and integrated with the world
economy, ABC capitalized on the new opportunities to provide a wider range of financial products and
services to a broader spectrum of clients.

2. Background

The IT environment of ABC Bank is complex and involves a large number of independent and
interdependent IT systems used in the operations of the Bank for processing and recording a large volume
of transactions at numerous locations. As a result, there is a high degree of reliance and dependency on
such IT systems for the financial reporting process of the Bank. Appropriate IT general controls and
application controls are required to ensure that such IT systems process data completely, accurately and
consistently for reliable financial reporting. The accuracy and reliability of the financial reporting process
depend on the IT systems and the related control environment, including IT general controls over user
access management and change management across applications, networks, databases and operating
systems, and IT automated application controls. Because of the impact of the IT systems and related
control environment on the Bank's financial reporting process, we have identified testing of such IT
systems and the related control environment as a key audit matter for the current year audit.
3. Situation

The Bank's technology initiatives are clearly focused on the customer. The Business Transformation
Programme encompassing technology is being implemented by the Bank with a view to providing its
customers convenience banking on a 24 x 7 basis in India and abroad, through deployment of a single Core
Banking Solution platform across the globe with integrated delivery channels such as ATM, Internet, Phone,
Mobile, Kiosk, Call Centre etc.

ABC Bank's technology deployment is not restricted to the core banking solution. It also covers other
applications such as Enterprise-wide General Ledger, Risk Management, Anti-Money Laundering, Cheque
Truncation, Credit Cards, Mutual Funds, On-line Trading, Data Warehousing, Customer Relationship
Management, SWIFT, RTGS, NEFT, Internet Payment Gateway, Global Treasury, Human Resources
Management System, Employee Payroll, Cash Management, Mobile Banking, SMS delivery, Retail
Depository, Phone Banking, Knowledge Management etc., which are well integrated and provide a
seamless experience to customers of all segments and lines of business.

4. Auditee Environment

ABC Bank's data centre hosts a mainframe network on which customers' account information and other
data are stored. Security measures surrounding such data centres are usually very strong, as are the climate
control systems that keep the data centre's computer systems from malfunctioning. The data centre also
contains backup computers or mirror drives that protect against massive data loss. Such backup computers
or mirror drives are routinely supplied not only from mains electric power but also from battery power, so
that they can continue to function in the case of an interruption of mains power.

A data centre's primary function is to centralize and organize the data processing and other information
technology (IT) services of a business or other organization. Locating all the computer hardware in a
special, climate-controlled environment makes it far easier for IT to manage both the servers and the
applications and data they hold. Data centres are generally sorted into two classifications:

Enterprise data centres
o The servers in these centres host the data and applications of a corporation or other entity.
o Access is generally restricted to employees and other approved users, rather than the public.

Internet data centres
o The servers in these data centres are public and usually have a browser-based interface.
o They may have thousands of (most likely anonymous) users.

5. Auditor’s Detail

ATS & Associates is a multi-service firm working across the verticals of Assurance, Taxation, Accounting, ERP
Implementations, Management Consultancy, Cross Border Advisory, Investigations, Forensic Audits,
Corporate Litigation, Compliance, GRC, M&A and allied activities. We are also recognized as a provider
of Information Systems Audit services, and our core competences are listed below:

• SAP, Oracle & JDE process reviews
• Review and framing of IS policies, procedures and practices
• Review of physical & logical access controls
• Review of operating system controls
• Review of application systems controls
• Review of database controls

The Firm has multiple departments and works as a full-service professional entity. Specialised teams, built
from individuals with core expertise in their area, manage and head the verticals they specialise in, so that
the Firm brings the relevant expertise to each task and engagement undertaken.

Composition

Partners: 8
No. of employees: 18
No. of articles: 29
Located at: Sector 14, Mumbai

The audit will be handled by a team led by CA Toshika Jain and CA Ayushi Agarwal, with 10 members
comprising 2 employees and 8 articles.
6. Scope & Objectives

The following audit objectives were identified for the audit of the Information Technology infrastructure:

1. Assess and gain detailed information about the data centre's current status and fault tolerance, uncover
potential weaknesses in order to avoid downtime, and provide recommendations regarding enhancements
and/or potential alternatives.

2. Review, examine and assess the effectiveness of all IT operational activities, technological functions and
main processes.

The following audit scope was identified for the audit of the Information Technology infrastructure:

Access to the information processing facility or data centre, visitor/vendor restrictions, protection of assets,
identification of the information processing facility, access to the offsite storage facility, policies and
procedures, personnel, incident management, safety and emergency procedures (fire and flooding hazards),
environmental control (temperature and humidity) monitoring, power system adequacy and redundancy
controls, etc.

However, specific attention will be paid to the following areas:

• Data centre operating policies and procedures.
• Physical security controls.
• Environmental controls.
• Incident handling and management.
• Infrastructure maintenance.
• Cabling, racking and telecommunications management.
• Service monitoring and availability management.
• Business continuity management.

7. Deliverables
• Provide an IS Audit report to the management of ABC Bank giving reasonable assurance that the
identified controls, as relevant, are in place.
• Provide a detailed report covering findings for each significant control weakness and advise the
management of ABC on the corrective actions to be initiated, including management comments from ABC
on the audit findings and recommendations, with an agreed action plan.
8. Methodology & Strategy

The methodology is set out per audit area (S/N), giving for each area the risk, the control expected to
address it, and the test procedures to be performed.

1. PEOPLE AND PROCESS

Risk: Lack of separation of duties, ambiguity in business rules, and inconsistency in processes and
procedures.

Control: Departmental organogram, job descriptions, procedure manuals and product documentation.

Test procedures:
• Obtain the Data Centre organogram as it relates to the organizational structure, as well as job
descriptions.
• Confirm that each staff member has a documented job description.
• Interview all the staff in the data centre and ascertain the processes and procedures required for the
performance of their job functions.
• Ascertain the risks associated with the processes and confirm the adequacy of controls (system and
manual) to minimize the risk.
2. ORGANIZATION AND ADMINISTRATION OF THE DATA CENTRE

Risk: Inconsistent practices and substandard operation of the data centre due to lack of a standard
operating manual.

Control: Document a standard data centre operating policy and manual.

Test procedures:
• Have the data centre operating policy and manual been documented and approved?
• Are they sufficiently descriptive to guide the administration and operation of the data centre?
• Are the data centre operators aware of the existence of the operating manual as well as its provisions?
• Is there a procedure in place for the periodic review of the operating manual, to ensure that it reflects
changes and improvements in data centre operations and ensures compliance with best practice?

Risk: Risk of compromise by the data centre operators due to lack of duty rotation and monitoring of
operators' activities.

Control: Maintain a duty roster to ensure job rotation among the data centre operators.

Test procedures:
• Verify that data centre operators are rotated: request the data centre duty roster and confirm that
duties are rotated in a systematic manner.
• Confirm that the duty rosters are routinely reviewed by the Data Centre Manager.

Control: Maintain an operator logbook to capture significant events in the data centre and the corrective
actions taken.

Test procedures:
• Confirm that an operator logbook is maintained to record any significant events/incidents in the data
centre and the corrective action taken by the operator. The logbook could be in the form of incident
management/reporting software or a portal.
• Confirm that every duty shift in the data centre writes a handover report on completion of the shift,
covering activities carried out as well as significant issues during the shift, to aid a smooth takeover by the
next shift.
• Confirm that the logbook or portal is reviewed frequently by management.

Control: Maintain a record of End of Day (EOD) and End of Month (EOM) activities and processes to
prevent system breaches, suppression of malicious acts or service failures (in the case of a high-volume
processing data centre using high-end ERP or banking software).

Test procedures:
• Confirm that all EOD activities and processes are captured in the EOD register or portal, so that
malicious acts and service failures cannot be suppressed.
• Confirm that EOD/EOM activities and processes are reviewed regularly by the Head of Data Centre to
ensure that no service issues or malicious acts are suppressed by the operators.
• Confirm that incidents recorded during EOD/EOM processing are promptly escalated to the relevant
persons in management for resolution. Take samples of such incidents for verification if need be.

Risk: Risk of business disruption due to lack of capacity management and monitoring, as well as
performance measurement, of business systems.

Control: Implement capacity management and planning measures.

Test procedures:
• Ensure that resource monitoring software (such as AppManager or ManageEngine) is installed to
monitor capacity utilization of resources on all servers of interest, especially critical systems and
applications.
• Request and examine system resource utilization reports; determine the times of peak resource demand
within the processing day.
• Determine how data centre management reacts to equipment utilization information.
• Confirm that IT management (IT Steering Committee) receives feedback on system capacity utilization
reports, which it may need in planning the future acquisition of servers or applications as part of its
strategic functions.
• Determine whether the capacity planning performed (processor, memory, channels, disk, etc.) is
consistent with, and integrated into, strategic long-term plans.

Control: Implement performance measurement and monitoring systems.

Test procedures:
• Determine whether performance measurement processes, services and infrastructure (systems) are in
place.
• Determine whether system downtime is recorded or tracked.
• Confirm that alerts/notifications are set on agreed resource thresholds so that the operators are alerted
when a threshold is breached or exceeded. This is to prevent over-utilization of system resources in a
manner that would damage the infrastructure or the service. For example, set alerts on disk space
utilization of server disk drives, NetApp storage and Dell EMC storage, and on memory and CPU
utilization.
• Confirm that system downtime or outages are effectively monitored to prevent service failure. For
example, monitor service uptime on AIX/UNIX servers.

Risk: Compromise, theft and unauthorized access to backup media and the offsite storage facility.

Control: Implement adequate controls to ensure accountability and protection of backup media produced
at the main facility, as well as their transfer to and retrieval from the offsite storage facility.

Test procedures:
• Confirm that all tapes sent to the offsite storage facility are properly documented and authorized before
their transfer.
• Confirm that the method of transfer of the tapes (by lockable transit box or safe) to the offsite storage
facility is secured and adequately protected from theft or compromise. Inspect the box or safe as well as
the process of tape transfer to ensure their security.
• Verify whether the tapes and other media are encrypted, to prevent them from being accessed or
compromised in the event of theft or loss.
• Confirm that the default OEM (Original Equipment Manufacturer) encryption keys are changed and are
not used for encrypting the tape drives during backup. Symantec NetBackup, as well as other solutions,
allows the administrator to create its own encryption keys for use during backup.
• Are all visitors to the offsite facility required to sign a logbook or register their presence, indicating their
name, reason for visiting, time and date?
• Are the processes for retrieval of storage media (tapes and hard drives) documented and adequately
controlled, to ensure that the right tapes are retrieved and that there are proper authorizations?
• Are the storage media (tapes and hard drives) properly indexed and labelled to facilitate easy storage
and retrieval?
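The following Python script is an added example and is not part of the audit report or of any tooling used by the Bank. It shows the kind of check the capacity and performance procedures above describe: a utilization report is evaluated against agreed warning and critical thresholds for CPU, memory and disk, the time of peak demand within the processing day is determined, and `df -P` output of the kind collected on an AIX/UNIX host is parsed into disk readings. The host names, threshold values, report lines and `df` output are all constructed for illustration.

```python
"""Threshold alerts and peak-demand analysis over a resource utilization report.

Added example, not from the audit report: it evaluates a constructed
utilization report against assumed warning/critical thresholds and parses
POSIX `df -P` output as collected on an AIX/UNIX host.
"""
from dataclasses import dataclass

# Assumed (warning, critical) thresholds in percent; the Bank's capacity
# policy would supply the agreed values.
THRESHOLDS = {"cpu": (70, 85), "memory": (75, 90), "disk": (80, 90)}

# Constructed utilization report: host, HH:MM in the processing day,
# resource, percent used.
REPORT = """\
host,time,resource,percent
cbs-db01,09:00,cpu,62
cbs-db01,11:00,cpu,88
cbs-db01,14:00,cpu,71
cbs-db01,11:00,memory,77
cbs-db01,11:00,disk,91
cbs-app02,09:00,cpu,40
cbs-app02,11:00,cpu,55
cbs-app02,11:00,disk,72
"""

# Constructed `df -P` output from one host at 11:00 (1024-byte blocks).
DF_OUTPUT = """\
Filesystem    1024-blocks      Used Available Capacity Mounted on
/dev/hd4          4194304   3774873    419431      90% /
/dev/hd2         16777216   9437184   7340032      57% /usr
"""


@dataclass(frozen=True)
class Sample:
    host: str
    time: str
    resource: str
    percent: float
    detail: str = ""  # e.g. mount point for disk samples


def parse_report(text=REPORT):
    """Read the CSV report (header skipped) into Sample objects."""
    rows = [line.split(",") for line in text.splitlines()[1:] if line.strip()]
    return [Sample(h, t, r, float(p)) for h, t, r, p in rows]


def parse_df(host, time, text=DF_OUTPUT):
    """Turn `df -P` lines into disk samples; the Capacity column reads 'NN%'."""
    samples = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        pct = float(fields[4].rstrip("%"))
        samples.append(Sample(host, time, "disk", pct, detail=fields[5]))
    return samples


def classify(resource, percent):
    """Map a reading to ok / warning / critical against THRESHOLDS."""
    warn, crit = THRESHOLDS[resource]
    if percent >= crit:
        return "critical"
    if percent >= warn:
        return "warning"
    return "ok"


def alerts(samples):
    """Every reading at or above its warning threshold, i.e. what the
    monitoring tool should have raised to the operators."""
    out = []
    for s in samples:
        level = classify(s.resource, s.percent)
        if level != "ok":
            out.append((s.host, s.time, s.resource, s.detail, s.percent, level))
    return out


def peak_demand(samples):
    """Time and value of the highest reading per resource across all hosts."""
    peaks = {}
    for s in samples:
        if s.resource not in peaks or s.percent > peaks[s.resource][1]:
            peaks[s.resource] = (s.time, s.percent)
    return peaks


if __name__ == "__main__":
    samples = parse_report() + parse_df("cbs-db01", "11:00")
    for a in alerts(samples):
        print("ALERT", *a)
    print("peak demand:", peak_demand(samples))
```

The auditor compares the output of `alerts()` with the alerts actually recorded by the monitoring tool for the same period; any reading the script flags that the tool did not raise is a gap in the threshold configuration.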

3. ENVIRONMENTAL CONTROL & MONITORING SYSTEMS

Risk: Risk of inadequate response in the event of a fire outbreak and other emergencies.

Control: Ensure that data centre operators and other personnel in the main processing facility are
adequately trained on how to respond in the event of a fire outbreak.

Test procedures:
• Have the data centre operators been adequately trained on what to do when the different types of fire
emergency or security violation occur?
• Have the other personnel in the main processing facility been adequately sensitized on what to do when
fire emergencies occur?
• Confirm that fire marshals have been appointed to man key areas of the main processing facility, and
verify that they have been adequately equipped with basic tools to enable them to coordinate emergency
evacuation activities.
• Ensure that fire drills are frequently conducted in the main processing facility for all occupants, to create
the necessary awareness of how to respond to emergencies or fire outbreaks.

Control: Install fire equipment and other emergency controls and ensure that they are adequately
maintained and tested to respond to any fire outbreak.

Test procedures:
• Are the fire alarm pull boxes and emergency power-off switches clearly visible, marked and
unobstructed?
• Are clear and adequate fire instructions posted in all locations within and around the data centre?
• Confirm that the emergency phone/switchboard numbers of the fire service authorities are
conspicuously displayed in specific locations around the main processing facility, for easy access and use
in the event of fire. For example, dial 911 or 123 etc., as applicable.
• Are smoke/heat detectors periodically tested to ascertain their working condition and ability to detect
fire or smoke when the need arises?
• Are smoke detectors strategically installed under the raised floors and on the ceiling of the data centre,
such that they will easily detect smoke or fire?
• Are there enough fire alarm pull boxes in and around the data centre?
• Are the operators assigned individual responsibilities in the event of fire outbreaks?
• Are the operators trained periodically in firefighting? How frequently are fire drills held?
• Is an FM-200 (clean agent) fire suppression system installed in the data centre for the purpose of
firefighting?
• Is the FM-200 suppression system promptly maintained and serviced in line with the OEM service
lifecycle?
• Is the firefighting equipment periodically tested to ascertain its working condition and ability to respond
in the event of an emergency?
• Are combustible materials found within and around the data centre area? Combustible materials must
not be kept in or around the data centre, as they fuel fire and could aid its spread.

Control: Implement controls that will adequately prevent flooding and other disasters from affecting the
data centre.

Test procedures:
• Is the data centre equipment installed on a raised floor?
• Are the materials used for the raised floor or base of the data centre non-combustible, and such that they
do not aid the spread of fire?
• Are there any water lines/pipes or drains running through or close to the data centre area? Such lines
should be routed away from the data centre to avoid flooding.
• Is an environmental monitoring and control system (EMCS) installed in the data centre and periodically
tested, to ensure that temperature and humidity conditions within the data centre are controlled and
monitored?
• Are the EMCS configurations adequate to ensure that triggers/alerts are sent to the concerned persons
when the temperature or humidity conditions within the data centre drop or rise beyond the set limits?

Risk: Risk of service disruption arising from physical destruction of power and data cables, or
interception of signals.

Control: Implement a trunked electrical wiring and cabling system in and around the data centre to
prevent physical damage.

Test procedures:
• Check to ensure that electrical power cables and wiring in and around the data centre are well arranged
in trunking to prevent physical damage.
• Ensure that there are no exposed power cables, to prevent electrocution of personnel.

Control: Safeguard signal/data cables in PVC trunking to prevent signal interception or tapping for
malicious purposes.

Test procedures:
• Inspect all signal/data cables on servers and network devices to ensure that they are not exposed to
interference or tapping.

4. PHYSICAL AND LOGICAL ACCESS CONTROL TO THE DATA CENTRE

Risk: Risk of unauthorized physical or logical access to the data centre.

Control: Implement a biometric or smart card entry control device to restrict access to the data centre.

Test procedures:
• Confirm that there is a procedure for granting access to users who need to access the data centre, and
establish the authorization process.
• Are all personnel entering the data centre made to enter through an entry point controlled by either a
biometric or smart card access control device, which is monitored by the Data Centre Manager?
• Ensure that there is a procedure for the review of the biometric or smart card activity logs. Confirm that
the review is done by the Data Centre Manager.
• Do the biometric or smart card devices restrict and grant access based on the individual's unique access
credential, and restrict access to particular door(s) for particular users or at given times of the day?
• Are the means of gaining access, i.e. biometric or smart card, difficult to duplicate or compromise?
• Are there procedures in place for deactivating user access on the biometric or smart card devices in the
event that users are disengaged from the organization (either voluntarily or terminated by the company),
or if an employee's smart card is lost or stolen?
• Do the means of gaining access, i.e. biometric/smart card, automatically produce a silent or audible
alarm if illegal entry is attempted?
• Do the biometric/smart card devices automatically log and report successful accesses and unsuccessful
attempts to enter the data centre?
• Is the issuing, accounting for, and retrieval of smart cards/biometric credentials an administrative process
that is carefully controlled? Request the smart cards of users who have exited the organization.
• Can all active smart cards be accounted for?
• Confirm that the access logs of the biometric or smart card devices are captured and retained for a
reasonable period. Verify that the logs are backed up on external media (tapes or HDD) and retained for
the purpose of investigation when the need arises.
• Are there video cameras located at strategic points in the information processing facility (data centre)
that are monitored by security personnel? Is the video surveillance recorded for possible future playback?
• Is there an alarm system in place that is linked to inactive entry points to the information processing
facility or data centre?
• Are employees and visiting technicians required to wear photo IDs or identification badges?

Control: Monitor and restrict visitors' access to the data centre.

Test procedures:
• Are all visitors required to sign a visitors' log indicating their name, company represented, reason for
visiting, and person to see, before accessing the data centre?
• Before gaining access, are visitors required to provide some method of verification of identification,
i.e. company ID, business card or vendor identification tag?
• Are visitors required to wear identification badges that are a different colour from employee badges, for
easy identification?
• Are visitors required to be escorted by a responsible employee? Such visitors include friends, repairmen,
computer vendors, consultants (unless long-term, in which case special guest access is provided),
maintenance personnel and external auditors.
• Are special service contract personnel, such as cleaning staff and offsite storage services, bonded and
monitored during the discharge of their duties, to limit the financial exposure of the organization or
disruption of service?
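The following Python script is an added example and is not part of the audit report or of the Bank's access-control system. It applies the review steps listed above to a badge-system export: it reconciles active smart cards against the HR leaver list, finds successful entries made with a leaver's card, counts repeated unsuccessful attempts on a door, and lists entries outside the agreed operating hours. The card numbers, user names, exit dates, log lines and the 06:00 to 21:00 operating window are all constructed assumptions.

```python
"""Review of biometric/smart card access logs for a data centre entry point.

Added example, not taken from the audit report: implements the checks the
procedure asks for on access-control activity logs. All data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed badge-system export: date, time, card id, door, result.
ACCESS_LOG = """\
2020-07-20 08:58:12 CARD-1001 DC-DOOR-1 GRANTED
2020-07-20 09:02:40 CARD-1002 DC-DOOR-1 GRANTED
2020-07-20 23:17:05 CARD-1042 DC-DOOR-1 GRANTED
2020-07-21 01:10:11 CARD-2299 DC-DOOR-1 DENIED
2020-07-21 01:10:30 CARD-2299 DC-DOOR-1 DENIED
2020-07-21 01:11:02 CARD-2299 DC-DOOR-1 DENIED
2020-07-21 01:11:40 CARD-2299 DC-DOOR-1 DENIED
2020-07-21 06:30:00 CARD-1001 DC-DOOR-1 GRANTED
"""

# Constructed card register and HR data (assumed; the real values come from
# the badge system's card list and the HR leaver report).
CARD_HOLDERS = {"CARD-1001": "ops-rahul", "CARD-1002": "ops-meera", "CARD-1042": "vendor-xyz"}
ACTIVE_CARDS = {"CARD-1001", "CARD-1002", "CARD-1042"}
LEAVERS = {"vendor-xyz": datetime(2020, 6, 30)}  # user -> last working day


@dataclass(frozen=True)
class Event:
    ts: datetime
    card: str
    door: str
    granted: bool


def parse_log(text=ACCESS_LOG):
    """Parse the export into Event objects (one per line)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, card, door, result = line.split()
        events.append(Event(datetime.fromisoformat(f"{date} {time}"), card, door, result == "GRANTED"))
    return events


def stale_active_cards(active=ACTIVE_CARDS, holders=CARD_HOLDERS, leavers=LEAVERS):
    """Active cards whose holder has left, or who is not in the register at all."""
    return sorted(c for c in active if c not in holders or holders[c] in leavers)


def leaver_access(events, holders=CARD_HOLDERS, leavers=LEAVERS):
    """Successful entries made with a card after its holder's last working day."""
    return [e for e in events
            if e.granted and holders.get(e.card) in leavers and e.ts > leavers[holders[e.card]]]


def repeated_denials(events, threshold=3, window=timedelta(minutes=5)):
    """Cards with at least `threshold` denied attempts inside a sliding window."""
    by_card = defaultdict(list)
    for e in events:
        if not e.granted:
            by_card[e.card].append(e.ts)
    flagged = {}
    for card, times in by_card.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                flagged[card] = max(flagged.get(card, 0), j - i + 1)
    return flagged


def after_hours_access(events, start_hour=6, end_hour=21):
    """Granted entries outside the assumed 06:00-21:00 operating window."""
    return [e for e in events if e.granted and not (start_hour <= e.ts.hour < end_hour)]


def review(text=ACCESS_LOG):
    """Run all checks and return the findings for the working papers."""
    events = parse_log(text)
    return {
        "stale_active_cards": stale_active_cards(),
        "leaver_access": [(e.ts.isoformat(sep=" "), e.card) for e in leaver_access(events)],
        "repeated_denials": repeated_denials(events),
        "after_hours": [(e.ts.isoformat(sep=" "), e.card) for e in after_hours_access(events)],
    }


if __name__ == "__main__":
    for finding, items in review().items():
        print(f"{finding}: {items}")
```

Each check is a separate function so that the auditor can apply it to the real export one at a time; a non-empty `stale_active_cards` or `leaver_access` result is direct evidence that the deactivation procedure asked about above is not operating.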

9. References

• ISO 27000 family
• COBIT 5 framework
• Study material of the ICAI DISA 3.0 course
• ITAF (IT Assurance Framework)
• www.icai.org
• www.iso27001security.com
• www.jisajournal.com
• www.cloudaudit.org
• www.ifac.org
• www.aicpa.org
• www.whatis.com
• www.digit.in

10. Detailed Audit Report

Infrastructure Audit Report of the Data Centre (situated at Malwa Road, Delhi) of ABC Bank Ltd:

The purpose of this audit was to evaluate the infrastructure and related controls of the bank's data centre.

We visited the bank's data centre on 20 Jul 2020 and made the following observations and
recommendations:

1. AUDIT AREA – Environmental Controls

Findings:
• The temperature in the data centre was 81 degrees (presumably Fahrenheit, about 27 °C) on the day of
the walkthrough.
• The data centre does not have water sensors.
• It does not have a fire suppression system, although hand-held chemical extinguishers are available.
• Significant clutter comprised of combustible material was found in the Communications Room, which is
a fire code violation.

Recommendations:
• The cooling system needs to be evaluated for capacity issues, and needs to have proper, routine
maintenance done.
• Flood detection devices need to be added under the raised floors, and monitored.
• A fire suppression system needs to be evaluated.
• Remove clutter and other combustible materials from the server rooms.

2. AUDIT AREA – Backup and Recovery

Findings:
• File server backup is not occurring for non-financial data such as email, MS Word documents, Excel
spreadsheets and Share Drive documents.
• Formal annual testing of the file servers that perform mirrored backup of the financial and non-financial
data is not being done.
• A full restore cannot be performed from either the weekly or the annual system saves, due to capacity
issues in the test environment.

Recommendations:
• Redundant backup of non-financial data should be ensured.
• Begin testing the mirrored backup.
• Develop a plan for annual testing of financial and non-financial file server recovery.

3. AUDIT AREA – Power Backup

Findings:
• Lack of a backup generator.
• Lack of routine maintenance on the backup generator.
• Lack of routine maintenance on the Uninterruptible Power Supply (UPS).

Recommendations:
• Estimates of the cost of a backup generator need to be provided so that senior management can better
assess the current risk versus the cost of the improvement.
• The backup generator needs to have proper, routine maintenance done.
• The UPS units need to be evaluated for load capacity, and routine maintenance needs to be done.

4. AUDIT AREA – Physical Controls

Findings:
• Physical access to the server rooms is not always restricted to authorized personnel, and is not reviewed
on a periodic basis. Entry to the data centre is through a keypad; anyone with the code may enter.
Currently, it is not possible to track who has gone in, only the times at which entries occurred.

Recommendations:
• Ensure that only authorized personnel have access to the data centres.
• If keypad entry is used, ensure that the key sequence is changed periodically, to help prevent
unauthorized access by past employees or by vendors who are no longer authorized to have access.
• If swipe entry is used, disable the swipe card when the user no longer needs access.
• Periodically review the list of authorized personnel.

11. Conclusion

Senior management must ensure that the IT-related policies framed are implemented in full and that
employees at all levels are informed about them. We also recommend the formation of an IT Steering
Committee in the organization, which will oversee the implementation of IT and IT-related policies.

Having conducted the infrastructure audit of ABC Bank, we hope that our recommendations will be
followed up by management, which can help reduce misuse of company resources, increase transparency,
increase employee participation and increase data security.
