Project Report - ISA
of DISA 2.0 Course
REPORT ON REVIEW OF SECURITY AND CONTROL PRACTICES OF ZEBRA CLOUD SOLUTIONS LTD. – A CLOUD COMPUTING SERVICE PROVIDER
CERTIFICATE
Project report of DISA 2.0 Course
This is to certify that we have successfully completed the DISA 2.0 course training conducted at:
Nagpur from 1st November 2018 to 25th November 2018 and we have the required attendance.
We are submitting the Project titled: REPORT ON REVIEW OF SECURITY AND CONTROL
PRACTICES OF CLOUD COMPUTING SERVICE PROVIDER.
We hereby confirm that we have adhered to the guidelines issued by CIT, ICAI for the project.
We also certify that this project report is the original work of our group and each one of us has
actively participated and contributed in preparing this project. We have not shared the project
details or taken help in preparing the project report from anyone except members of our group.
Place: Nagpur
Date: 08/12/2018
Contents
A. Details of Case Study/Project (Problem)
B. Project Report
1. Introduction
2. Auditee Environment
3. Background
4. Situation
5. Terms and Scope of Assignment
6. Logistic Arrangements Required
7. Methodology and Strategy Adopted for Execution of Assignment
8. Documents Reviewed
9. References
10. Deliverables, Timeframe and Fees
11. Format of Report/Findings and Recommendations
12. Summary/Conclusion
Annexures
A. Details of Case Study/Project (Problem)
Title: Report on Review of Security and Control Practices of Cloud Computing Service Provider
The audit assignment requires the following deliverables from the IS auditors:
1. To prepare an audit program with detailed procedures for each audit area to ensure review of
existing security and control practices.
2. To provide additional detailed security and control procedures as relevant to Indian regulations,
considering the Information Technology Act and other compliances as applicable to Indian
companies.
3. To provide an independent report so as to provide assurance to the management on security
and control practices, with specific recommendations on areas of improvement.
B. Project Report
1. Introduction
Zebra Cloud Solutions (“ZCS”) Ltd. is a cloud computing service provider with its Head Office located at
Bengaluru and data centers at Mumbai, Hyderabad, Chennai, Pune and Delhi. It provides cloud-based
services to banking, insurance, healthcare, manufacturing, supply chain and technology industry all over
the globe. It has more than a hundred servers in its data centers in India which are in turn connected to
more than five hundred servers which hold the worldwide business data of customers of ZCS. ZCS offers
three types of cloud computing services to its clients:
Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)
Software as a Service (SaaS)
Since ZCS offers its services using the internet and stores a huge amount of its customers’ data, it is
particularly important for ZCS to provide a high level of protection to its information assets. The business
model of ZCS is such that its servers are always connected to the internet and even the slightest
negligence in terms of security and control will have a significantly adverse effect on its business.
ABCD & Co. is a partnership firm with four partners – Mr. A, Mr. B, Ms. C, and Mrs. D. The firm was
established in 1985 and has more than 30 years experience in statutory audits. Since the year 2000, the
firm has diversified its practice in the domain of IS audits. The firm has more than ten qualified
computer application and network graduates in its employment. Over the years, the firm has been
successful in establishing a strong network of technical experts which assist the firm in its system audit
assignments. All the partners of the firm are qualified Chartered Accountants and hold the coveted
Diploma in Information Systems Audit (DISA) certification. The partners of the firm have assisted their
clients in areas related to IT-related risk management and security review and analysis. The partners
hold directorial positions in many technology companies across the country. This has helped them in
being updated about the latest technological developments. Additionally, the partners have actively
participated in drafting, development and amendments of many laws related to Information Technology
in the country.
As per the audit plan for the ZCS audit assignment, a six-member audit team was formed. Mr. A, the
principal partner of the firm, acted as the audit engagement partner for the assignment. Mr. P, a
Chartered Accountant and DISA certificate holder employed in ABCD & Co., acted as the team leader. He
was assisted in the audit exercise by Ms. Q, a Chartered Accountant. Mr. R, a post-graduate in computer
application, assisted Mr. P and Ms. Q. The audit team also comprised Ms. S, an IT Engineer who
specializes in cloud computing and network analysis. She is a freelance IT expert and has participated in
numerous IS audits in the past.
The audit team for the Information Systems audit of ZCS comprised the following members:
2. Auditee Environment
2.1 Nature of Business
Zebra Cloud Solutions (ZCS) Ltd. offers cost-effective cloud computing solutions and caters to the banking,
insurance, healthcare, manufacturing, supply chain and technology industries. The National Institute of
Standards and Technology (NIST), US, defines cloud computing as “A model for enabling ubiquitous,
convenient, on-demand network access to a shared pool of configurable computing resources (e.g.
networks, servers, storage, applications, and services) that can be rapidly provisioned and released with
minimal management effort or service provider interaction.” [1]
It is one of the top cloud companies in India, providing flexible payment, security, round-the-clock
technical support and the option of pay-per-use pricing.
It is a complete computing solution provider, offering Infrastructure as a Service (IaaS), Platform as a
Service (PaaS) and Software as a Service (SaaS). A brief description along with examples of these services
is given below:
Infrastructure as a Service (IaaS): With this service, infrastructure capability provided to the
consumer is to provision processing, storage, networks and other fundamental computing
resources where the consumer is able to deploy and run arbitrary software, which can include
operating systems and applications. The consumer does not manage or control the underlying
cloud infrastructure but has control over operating systems, storage and deployed applications.
Platform as a Service (PaaS): In this service, the capability provided to the consumer is to deploy
onto the cloud infrastructure consumer-created or acquired applications created using
programming languages, libraries, services, and tools supported by the provider. The consumer
does not manage or control the underlying cloud infrastructure including network, servers,
operating systems, or storage, but has control over the deployed applications and possibly
configuration settings for the application-hosting environment.
Software as a Service (SaaS): The capability provided to the consumer is to use the provider’s
applications running on a cloud infrastructure. The applications are accessible from various
client devices through a thin client interface such as a web browser (e.g., web-based email) or a
program interface. The consumer does not manage or control the underlying cloud
infrastructure including network, servers, operating systems, storage, or even individual
application capabilities, with the possible exception of limited user specific application
configuration settings. [2]
[1] Cloud Computing definition referenced from ISA Module VIII published by ICAI (Page No. 71)
[2] Cloud Service Models referenced from ISA Module VIII published by ICAI (Page No. 73)
The following diagram [3] shows the different layers under the management of ZCS and its customers. In
the traditional model, all the layers of the architecture are managed by the customers as they are on
the customers’ premises.
[Figure: layers of management (applications, O/S, virtualization, ...) for each service model, split between “Customers manage” and “ZCS manages”; diagram not reproduced.]
ZCS delivers its services by employing three different kinds of cloud deployment models [4]:
Public Cloud: The cloud infrastructure is provisioned for open use by the general public. It may be
owned, managed, and operated by a business, academic, or government organization, or some
combination of them. It exists on the premises of ZCS.
Private Cloud: The cloud infrastructure is provisioned for exclusive use by a single organization
comprising multiple consumers. It may be owned, managed, and operated by the organization, a third
party, or some combination of them, and it may exist on or off premises.
Hybrid Cloud: The cloud infrastructure is a composition of two or more distinct cloud infrastructures
(private or public) that remain unique entities, but are bound together by standardized or proprietary
technology that enables data and application portability.
[3] Layers of Management for different Service Models referenced from ISA Module VIII published by ICAI (Page No. 72)
[4] Cloud Deployment Models referenced from ISA Module VIII published by ICAI (Page No. 74)
ZCS offers a host of services to its customers as depicted in the following table:
ZCS has adopted a functional organization structure. The CEO is at the top of the organization. The
Chief Information Security Officer, Chief Financial Officer, Chief Sales Officer, Chief Technology Officer
and Chief Administration Officer report to the CEO. Vice Presidents (VPs) of the different functions
report to these Chief Officers. The company’s organization structure is as follows:
Chief Executive Officer
- Chief Information Security Officer: VP – Application Security; VP – Data Security
- Chief Financial Officer: VP – Taxation; VP – M&A
- Chief Sales Officer: VP – Sales; VP – Advertising
- Chief Technology Officer: VP – Engineering; VP – Strategy
- Chief Administration Officer: VP – Legal; VP – CSR
ZCS has deployed Virtualized Multi-Tenanted Data Center (VMDC) [19] network infrastructure. The
infrastructure is a proprietary network solution offered by Cisco. The infrastructure is
beneficial for a Cloud Computing Service Provider like ZCS that offers IaaS, PaaS and SaaS services to its
customers. The infrastructure is shown in the following figure:
[Figure: Cisco VMDC infrastructure. Subscriber A (Application 1 and Application 2) and Subscriber B (Application 2) reach the data center over 10G Ethernet and a 4G Fibre Channel fabric, with IP-NGN connectivity and partner access; diagram not reproduced.]
2.3.1.1. Network Application Software: This is the Solutions component layer in which software
solutions from Cisco and other third parties are deployed. The following table gives the details of the
applications deployed in this layer:
[19] Cisco VMDC architecture retrieved from
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Data_Center/VMDC/1-1/vmdcDg11/overview.html
2.3.1.2. Virtual Compute: The Virtual Compute farm contains 256 UCS B200 servers (dual quad-core
Intel Xeon X5570 CPU at 2.93 GHz and 72 GB RAM) organized into a VMware ESX cluster, and 128
servers. The Converged Network Adapters (CNAs) provide Local Area Network (LAN) and Storage Area
Network (SAN) connectivity to the servers, which run the VMware ESX 4.0 hypervisor. The CNAs provide LAN
and SAN services to the hypervisor.
2.3.1.3. Virtual Switch (VSwitch): Cisco Nexus 1000V acts as the virtual access layer for the virtual
machines (VMs). There is one Nexus 1000V virtual supervisor module (VSM) per ESX cluster. Each ESX
server runs an instance of the Nexus 1000V Virtual Ethernet Module (VEM).
2.3.1.4. Storage Area Network (SAN): This consists of storage arrays that support Fiber Channel (FC) and
information lifecycle management (ILM) services. The storage arrays connect through SAN switches to
the switches in the access layer.
2.3.1.5. VM Virtual Access Layer: This layer allows access for the virtual machine. Switches (Cisco Nexus
1000V DVS) act as the virtual access layer for the virtual machines (VMs).
2.3.1.6. Services Layer: A Data Center Service Node (DSN) virtual switching system (VSS) provides
security services for the hosts. The Application Control Engine (ACE-20) and Firewall Services Module
(FWSM) provide virtual firewall and server load-balancing services to the VMs. Dual FWSM and ACE
modules are configured in an active/active high availability design to make sure that ZCS does not
experience down time in case of external attacks.
2.3.1.7. Peering: Redundant routers act as Data Center/Wide Area Network edge routers and provide
10GE connectivity for Internet services. The router allows access to cloud customers.
6. Firewalls (Core and Segment): Cisco Firepower 9000 Series Firewall. Each of the 2 zones is protected by 2
separate clusters of high-performing firewalls.
7. Internet Router: Cisco Network Convergence System 6000 Series Router. Connects the data center to ISPs.
8. Data Center Services Node and Virtual Switching System: Cisco Catalyst 6500 E. Delivers up to 2 terabits per second of
system bandwidth capacity and 80 Gbps per-slot for all slots.
ZCS primarily uses Microsoft Windows Server 2019 and Juniper Network and Security Manager (NSM)
in order to provide efficient cloud computing services to its clients. The following table shows the list of
system software installed by ZCS:
ZCS uses a host of application software and tools to ensure maximum efficiency in service delivery. The
following table shows the list of application software deployed by ZCS:
Vendor – Software – Purpose
SAP – SAP ERP 14.0.0.1 – Enterprise Resource Planning software
Microsoft – SQL Server 2017 – Relational Database Management System
ZCS is offering state of the art cloud computing offerings as mentioned in the previous sections to its
customers in India with assurance of data being available in India. The significant regulations relevant to
ZCS are as follows:
ZCS comes under the purview of Information Technology (IT) Act, 2000 (amended in 2008). The relevant
sections of the IT Act, 2000 are reproduced hereunder:
Section 7A Audit of documents i.e. in Electronic Form: Where in any law for the time being in
force, there is a provision for audit of documents, records or information, that provision shall
also be applicable for audit of documents, records or information processed and maintained in
electronic form.
Section 43A: A body corporate who is possessing, dealing or handling any sensitive personal
data or information, and is negligent in implementing and maintaining reasonable security
practices resulting in wrongful loss or wrongful gain to any person, then such body corporate
may be held liable to pay damages to the person so affected. It is important to note that there is
no upper limit specified for the compensation that can be claimed by the affected party in such
circumstances.
Section 72A: Disclosure of information, knowingly and intentionally, without the consent of the
person concerned and in breach of the lawful contract has been also made punishable with
imprisonment for a term extending to three years and fine extending to INR 5,00,000.
Since ZCS has its shares listed on the Bombay Stock Exchange and the National Stock Exchange, Clause
49 of the Listing Agreement on Corporate Governance as mandated by the Securities Exchange Board of
India (SEBI) is applicable to the company. The relevant provision of the Clause 49 of the Listing
Agreement regarding audit committee is as follows:
The role of the audit committee sharpened with specific responsibilities including recommending
appointment of Auditors and monitoring their independence and performance, approval of related
party transactions, scrutiny of inter-corporate loans and investments, valuation of undertaking/assets
etc. Audit committee is contemplated as a major vehicle for ensuring controls, sound financial reporting
and overall good corporate governance. Internal audit reports relating to internal control weaknesses
are to be reviewed by the Audit committee.
As ZCS is a company, the Companies (Auditor’s Report) Order (CARO), 2016 [24] is applicable to it. It requires
verifying the adequacy of internal control procedures and determining whether there were any
continuing failures to correct major weaknesses in internal controls. It also requires reporting whether
any frauds on or by the company have been noticed or reported.
Control over IT assets is shared by ZCS and its customers. ZCS, on its part provides highly secure services
and platforms and provides a wide range of security characteristics which its customers can use. ZCS
communicates its policies regarding security and control environment to its customers. ZCS provides
certificates, and reports directly to its customers under a Non-Disclosure Agreement (NDA). It obtains
industry certifications and third-party attestations. It also publishes information about its security and
control practices in whitepapers and web site content.
Specific control definition: Major controls are important for customers’ control environment
and require an external certification of the effectiveness of these key controls.
General control standard compliance: With the ISO 27001 certification, ZCS complies with a
broad, comprehensive security standard and follows best practices in maintaining a secure
environment.
ZCS provides information about its risk and compliance program to enable customers to incorporate ZCS
controls into their governance framework.
Risk Management: ZCS management has developed a strategic business plan which includes risk
identification and the implementation of controls to mitigate or manage risks. ZCS management
re-evaluates the strategic business plan at least biannually.
Control Environment: ZCS manages a comprehensive control environment that includes
policies, processes and control activities that leverage various aspects of the overall control
environment. This control environment is in place for the secure delivery of ZCS’s service
offerings.
[24] CARO requirements as referenced from ISA Module II published by ICAI (Page 86)
[25] AWS Risk and Compliance Overview retrieved from
https://d1.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Overview.pdf
ZCS has implemented a formal information security program designed to protect the confidentiality,
integrity, and availability of customers’ systems and data. ZCS publishes a security whitepaper that is
available on the public website that addresses how it can help customers secure their data.
3. Background
The management of ZCS, considering the enormous potential of cloud computing services, has opened its
office in India with Bengaluru as its Head Office and data centers at Mumbai, Hyderabad, Chennai, Pune
and Delhi. It is offering state-of-the-art cloud computing offerings to customers in India with assurance of
data being available within India.
ZCS has undertaken significant measures in the past to improve the security and control in the
organization. However, more and more prospective customers of the organization are demanding
assurance from independent auditors. The organization realized that an audit by an
independent Information Systems (IS) auditor will enable its prospective customers to rely on the
strength of ZCS’s ability to provide efficient and secure cloud services. The greater the level of
assurance, the more confidence a customer will have in ZCS. It is with this intention that the
management of ZCS has appointed the independent IS auditors “ABCD & Co.” to conduct a review of the
organization’s security and control practices.
The details of the objective and scope of work undertaken during the course of this audit have been
outlined in the “Objective of the Assignment” and “Scope of Work” sections in the sections that follow.
4. Situation
ZCS has more than 100 servers in its data centers in India. These servers are networked with more than
500 servers which hold the worldwide business data of customers of ZCS. These servers are also
connected to the global offices of ZCS and their customers through high-speed networks and
telecommunication systems. To protect its data, ZCS has put in place a comprehensive Information
Security System. The company has used best-of-breed security and control practices for implementing
security for its IT infrastructure. This security system is subject to rigorous audit by independent IS auditors
and is also subject to regular IS audit using global best practices. An overview of the current security and
control scenario at ZCS is as follows:
Internal theft: One of the security vulnerabilities comes from unscrupulous internal employees. Such
employees can pass data to competitors in their business. Locating data in highly-secure data center of
ZCS deters such employees from stealing data because they are under surveillance. Data center
personnel employed by ZCS have their backgrounds verified extensively during the recruitment process.
They will not have an understanding of the customers’ businesses as much as an internal employee of
the customer. So their interest in the data is greatly reduced, thereby mitigating data theft risks.
Physical access control: The data center is a sensitive zone. Only authorized personnel can enter it. The
entry is controlled through automatic access control systems linked to security alarms. This prevents
public access and stray entries. All such entries are automatically logged in entry logs.
Physical access monitoring: The area in and around the data center is continuously monitored through
surveillance cameras which capture the images of those entering that area. The video records are
archived. Security guard views the video monitor.
Login access control: This is a two-dimensional access control measure. First, only authentic users can
log in. Second, they can log in only to the relevant transaction screens for which they have permissions.
Such access policies are administered through the deployment module of the ZCS platform. This mechanism
prevents any unauthorized access to both transactions and data. ZCS trains customers to use specific
modules so that access policies can be set by an administrator designated by the customer. This way, the
customer has absolute control over access.
Audit trail: Even authentic usage is tracked. Who logged in, when the login happened, what the
duration of the login was, what the usage pattern is and whether unusual usages are noticed – these are the
ways by which tracking happens. Such trails discourage anyone from attempting misuse.
Thus, frauds can be both prevented and detected.
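The login control and audit trail described above, modelled as an added example (this is not code from the report, from ZCS or from the ZCS platform): a small platform that authenticates users, checks a per-screen permission list, records every event in a trail, and a reviewer routine that flags the unusual usages the report lists (who logged in, when, for how long, and which requests were denied). The users, screens, passwords and timestamps are constructed sample data; the working-hours window, session limit and failed-login threshold are assumed review parameters.

```python
"""Added example (not from the report): a model of the two-dimensional login
access control and audit trail described for the ZCS platform, with a reviewer
routine that flags unusual usage. Users, screens, passwords and timestamps are
constructed sample data; the review thresholds are assumed parameters."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib
import hmac

def _hash(password: str, salt: str) -> str:
    # Stored credential: salted SHA-256 digest, never the clear-text password.
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed user directory: credential digest plus the transaction screens each user may open.
USERS = {
    "alice": {"salt": "s1", "pw": _hash("alice-pass", "s1"), "screens": {"PAYROLL", "LEAVE"}},
    "bob":   {"salt": "s2", "pw": _hash("bob-pass", "s2"),   "screens": {"INVOICE"}},
}

@dataclass
class AuditEvent:
    ts: datetime
    user: str
    action: str   # LOGIN_OK, LOGIN_FAIL, SCREEN_OK, SCREEN_DENIED, LOGOUT
    detail: str = ""

class Platform:
    """First dimension: authenticate; second dimension: per-screen permission. Everything is logged."""
    def __init__(self):
        self.trail: list[AuditEvent] = []
        self.sessions: dict[str, datetime] = {}

    def login(self, user: str, password: str, now: datetime) -> bool:
        rec = USERS.get(user)
        ok = rec is not None and hmac.compare_digest(rec["pw"], _hash(password, rec["salt"]))
        self.trail.append(AuditEvent(now, user, "LOGIN_OK" if ok else "LOGIN_FAIL"))
        if ok:
            self.sessions[user] = now
        return ok

    def open_screen(self, user: str, screen: str, now: datetime) -> bool:
        if user not in self.sessions:
            self.trail.append(AuditEvent(now, user, "SCREEN_DENIED", f"{screen} (no session)"))
            return False
        allowed = screen in USERS[user]["screens"]
        self.trail.append(AuditEvent(now, user, "SCREEN_OK" if allowed else "SCREEN_DENIED", screen))
        return allowed

    def logout(self, user: str, now: datetime) -> None:
        start = self.sessions.pop(user, None)
        seconds = int((now - start).total_seconds()) if start else 0
        self.trail.append(AuditEvent(now, user, "LOGOUT", f"duration={seconds}s"))

def review_trail(trail, work_hours=(8, 20), max_session=timedelta(hours=10), fail_threshold=3):
    """Flag the unusual usages named in the report: logins outside working hours, overlong sessions,
    denied screen access and repeated failed logins. Thresholds are assumed values."""
    findings, fails, login_at = [], {}, {}
    for ev in trail:
        if ev.action == "LOGIN_FAIL":
            fails[ev.user] = fails.get(ev.user, 0) + 1
            if fails[ev.user] == fail_threshold:
                findings.append(f"{ev.user}: {fail_threshold} consecutive failed logins")
        elif ev.action == "LOGIN_OK":
            fails[ev.user] = 0
            login_at[ev.user] = ev.ts
            if not (work_hours[0] <= ev.ts.hour < work_hours[1]):
                findings.append(f"{ev.user}: login outside working hours at {ev.ts:%H:%M}")
        elif ev.action == "SCREEN_DENIED":
            findings.append(f"{ev.user}: denied access to {ev.detail}")
        elif ev.action == "LOGOUT":
            start = login_at.pop(ev.user, None)
            if start is not None and ev.ts - start > max_session:
                findings.append(f"{ev.user}: session of {ev.ts - start} exceeds {max_session}")
    return findings

def demo() -> dict:
    p = Platform()
    t0 = datetime(2018, 11, 5, 9, 0)                                 # constructed business day
    p.login("alice", "alice-pass", t0)
    p.open_screen("alice", "PAYROLL", t0 + timedelta(minutes=5))    # permitted
    p.open_screen("alice", "INVOICE", t0 + timedelta(minutes=6))    # not permitted: denied and logged
    p.logout("alice", t0 + timedelta(hours=11))                      # 11-hour session
    for m in range(3):                                               # three wrong passwords
        p.login("bob", "wrong", t0 + timedelta(hours=13, minutes=m))
    p.login("bob", "bob-pass", t0 + timedelta(hours=14))             # 23:00, outside working hours
    p.logout("bob", t0 + timedelta(hours=14, minutes=10))
    findings = review_trail(p.trail)
    events = len(p.trail)
    later = t0 + timedelta(days=1)
    return {
        "findings": findings,
        "events": events,
        "bad_password_rejected": p.login("alice", "bad", later) is False,
        "screen_without_session_denied": p.open_screen("alice", "PAYROLL", later) is False,
    }
```

Running `demo()` yields four findings: Alice's denied attempt to open a screen outside her permissions, her 11-hour session, Bob's three consecutive failed logins, and Bob's successful login at 23:00. The point for a reviewer is that both dimensions of the control (authentication and per-screen authorization) write to the same trail, so the trail alone is enough to reconstruct who did what, when and for how long.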
Data transport over the internet: Data movement over the internet – from the customers’ office(s) to the ZCS
data center – is like goods moving on road transport highways. Both are vulnerable to theft. Such
transaction data is protected through encryption and transported over a secure sockets layer. This
prevents theft. Encryption renders the data meaningless to an interceptor, thus making the theft harmless.
Firewall: Data arriving via the internet at the data center is filtered through the firewall. This is like
immigration control, designed to detect illegal entrants. Only authentic customer data finally reaches
the server. Firewall policies are continually updated as per the information security management system
implemented in ZCS. This protects customers’ data from malicious software attacks.
Fire and natural calamities: Disasters can happen and affect data and business activities. Fire,
earthquakes and floods can ruin data and disrupt operations. ZCS has implemented a disaster recovery
mechanism to handle such crises. First, the data center itself is subject to fire safety regulations. Second,
all data is stored on high-speed storage area networks. From this storage, data is backed up according to
the data backup policy implemented as required by the information security system. Daily, weekly and
monthly backups are taken. The media containing the backed-up data are stored in fire-proof vaults. A
copy of the same is stored at a different physical location. In the event of any disaster, the data available
on the backup media will be restored for operations to continue.
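The daily, weekly and monthly backup cycle above, as an added example that is not code from the report or from ZCS: a retention check that keeps the most recent copies of each tier, reports recent days with no backup at all, and verifies a vault copy and its off-site copy against the digest recorded when the backup was taken. The catalogue dates, the retention counts in `POLICY`, and the sample backup contents are constructed; the tier rules (monthly on the 1st, weekly on Sundays) are assumptions, not ZCS's policy.

```python
"""Added example (not from the report): daily/weekly/monthly backup retention,
gap detection and integrity verification. All dates, counts and contents
below are constructed sample data, not ZCS's backup policy."""
from datetime import date, timedelta
import hashlib

# Assumed retention counts per tier (copies kept); not taken from the report.
POLICY = {"daily": 7, "weekly": 4, "monthly": 12}

def classify(d: date) -> str:
    """Tier of the backup taken on day d: monthly on the 1st, weekly on Sundays, otherwise daily."""
    if d.day == 1:
        return "monthly"
    if d.weekday() == 6:
        return "weekly"
    return "daily"

def retention_plan(backup_dates):
    """Map each backup date to 'keep' or 'expire': the newest POLICY[tier] copies of each tier are kept."""
    by_tier = {"daily": [], "weekly": [], "monthly": []}
    for d in sorted(backup_dates, reverse=True):
        by_tier[classify(d)].append(d)
    plan = {}
    for tier, dates in by_tier.items():
        for i, d in enumerate(dates):
            plan[d] = "keep" if i < POLICY[tier] else "expire"
    return plan

def missing_backups(backup_dates, today, lookback=7):
    """Days in the last `lookback` days (excluding today) for which no backup exists."""
    expected = {today - timedelta(days=i) for i in range(1, lookback + 1)}
    return sorted(expected - set(backup_dates))

def verify_copies(recorded_sha256: str, primary: bytes, offsite: bytes) -> dict:
    """Compare the vault copy and the off-site copy with the digest recorded at backup time."""
    return {
        "primary_ok": hashlib.sha256(primary).hexdigest() == recorded_sha256,
        "offsite_ok": hashlib.sha256(offsite).hexdigest() == recorded_sha256,
    }

def demo():
    today = date(2018, 11, 6)
    # Constructed catalogue: one backup per day from 1 Oct to 5 Nov 2018, except 3 Nov (job failed).
    catalogue = [date(2018, 10, 1) + timedelta(days=i) for i in range(36)]
    catalogue.remove(date(2018, 11, 3))
    plan = {d.isoformat(): v for d, v in retention_plan(catalogue).items()}
    gaps = [d.isoformat() for d in missing_backups(catalogue, today)]
    payload = b"constructed backup set 2018-11-05"
    recorded = hashlib.sha256(payload).hexdigest()
    # The off-site copy is deliberately truncated to show a detected mismatch.
    integrity = verify_copies(recorded, payload, payload[:-1])
    return plan, gaps, integrity
```

With the constructed catalogue the plan keeps 13 copies (7 daily, 4 weekly, 2 monthly), reports 3 November as a day with no backup, and the truncated off-site copy fails verification while the vault copy passes. In a review, the gap list and the digest comparison are the two checks that show whether the stated policy was actually followed, rather than merely documented.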
Internal privacy: One department’s data cannot be viewed or altered by another department.
For Example: HR data not being allowed for a Finance person.
External privacy: Where a customer’s data is not available to anybody else. This is established by
allocating separate databases for each customer. Also, the servers dedicated to the customers
run on separate networks. So traffic from other networks including ZCS employees’ networks
cannot come into this network.
External privacy involving government and regulatory bodies: These are strictly governed by
contractual agreements with the customers. Any request for data belonging to customers will
not be shared with regulatory bodies without the involvement of the customers.
When the marketing team of ZCS engages with prospective customers, it finds that the
customers are hesitant about sharing their data with ZCS. The reason for this hesitation is that the
customers are comfortable having their data stored on their own premises. Additionally, prospective
customers of the organization are demanding assurance from independent auditors. The organization
realized that an audit by an independent Information Systems (IS) auditor will enable its
prospective customers to rely on the strength of ZCS’s ability to provide efficient and secure cloud
services. The greater the level of assurance, the more confidence a customer will have in ZCS.
With more and more businesses in India going online for their day-to-day operations, Government
regulations regarding online operations have become stringent. The Information Technology Act, 2000
(amended in 2008) has been introduced in India to regulate electronic data and records in the country.
Globally, many changes have taken place in the regulations related to information security and privacy.
For instance, the European Union has introduced General Data Protection Regulation (GDPR) for all
individuals within the European Union. The draft bill on Personal Data Protection has already been
drafted by the Ministry of Electronics and Information Technology. Once the bill is passed as an Act, ZCS
will have to abide by more regulations for data security.
The management at ZCS realizes that the potential for the company’s growth is huge. ZCS offers an
all-encompassing suite of services to its clients including IaaS, PaaS and SaaS. As internet connectivity in
India improves and more enterprise operations move online, the role of a cloud service provider like ZCS
becomes extremely important. It is with this view that the management of ZCS has felt the need for an
audit by an independent IS auditor to review its existing security and control practices.
The current scenario of security and controls demonstrates the following problem areas:
5. Terms and Scope of Assignment
Based on our understanding [26] of ZCS’s needs for conducting an audit of its security and control practices, it
was decided to focus on the Review of Physical and Logical Access Controls. We propose the scope of review
and the terms of reference as laid down in the following paragraphs.
The envisaged terms of reference are based on the personal discussions that key members of the assignment
team had with the internal audit team of ZCS on 5th November, 2018 at Bengaluru. The detailed scope,
review and methodology followed are given in the annexure. The methodology would be further
enhanced and refined as the audit progresses, based on the specific needs of the audit environment.
Broadly, the scope of review, primarily from a security and controls point of view, would involve:
1. Physical Access Controls: Physical access controls restrict physical access to resources and protect
them from intentional and unintentional loss or impairment.
2. Environmental Security Controls: These controls make sure that the information security
infrastructure and facilities should not only provide a conducive environment for the effective and
efficient functioning of the information processing facility but should also protect the contents of such
facilities from undesirable variations in the environment.
3. Logical Access Controls: Logical access controls prevent and detect unauthorized access to
information assets and resources while ensuring that authorized users can access the information
resources as per their role and responsibilities.
4. Network Security Controls: These controls are important to implement as networks are far more
vulnerable to external threats than standalone systems. Especially for a cloud computing service
provider like ZCS, Network Security Controls are extremely critical.
5. Application Controls: These controls ensure achievement of ZCS’s business objectives of timely,
accurate and reliable information.
6. Review of controls to ensure alignment with IT Act, 2000, Clause 49 of Listing Agreement and CARO,
2016: We will review the adequacy of controls to make sure that they are as per the norms stipulated by
these regulations.
[26] Scope and Terms of Reference sourced from ISA Module II published by ICAI (Page 101)
6. Logistic Arrangements Required
ZCS’s headquarters is located at Bengaluru. Its data centers are located at Mumbai, Hyderabad, Chennai,
Pune and Delhi. Since the office of “ABCD & Co.” is located at Mumbai, the logistics arrangements involved
travel of the Information Systems audit team to Bengaluru, Hyderabad, Chennai, Pune and Delhi. The
logistics arrangements were made by the auditors themselves. Mr. P was responsible for taking prior
appointments with the concerned persons at ZCS. Thereafter, travel arrangements were made with
assistance from the travel agents JP Travel Co. Pvt. Ltd. at Nagpur. The audit lasted for
about six months, during which multiple visits were made to the offices and data centers of ZCS to review
its security and controls.
It will be necessary for ZCS to appoint one coordinator who will be part of the discussion on the work
plan initially and continue to work with the ABCD & Co. team till the assignment is complete. ZCS will
make available the necessary computer time, software resources and support facilities necessary for
completing the assignment within the agreed timeframe. The conduct of the assignment should be
adequately communicated to the required personnel so as to facilitate extensive cooperation from the
respective personnel. We will require the following infrastructure:
One laptop: The laptop will be used at the data center as well as the offices of ZCS to review its
operations.
One printer: A printer would be used to print out the reports as required
A copier machine: If ZCS team feels that any document is required to be copied, a copier
machine will be used
Sitting area and storage space: Adequate area for sitting and storing the belongings of the audit
team
Conference area: Suitable facility for discussion amongst our team and your designated staff
Operating System: Windows 10 is compatible with the audit tools employed by ABCD & Co.
Microsoft Office 365: The reports and presentations will be made by ABCD & Co. in MS Office
365. MS Access will be used to access the database.
Microsoft SQL Server: Since ZCS uses MS SQL Server, ABCD & Co. will need access to the server to
understand database controls
Commvault Complete Backup and Recovery: ABCD & Co. will require access to the backup
software to understand data integrity controls.
Symantec Endpoint Protection: ABCD & Co. will understand the level of protection against
malicious software and programs by studying the policies and logs in the antivirus software
ScienceLogic Server Monitoring: We will review the performance of the servers in the data
center by using ScienceLogic Server Monitoring.
Snort IDS: The level of protection at ZCS against network intrusions will be reviewed using Snort
IDS.
SAP ERP: We will require access to SAP system of ZCS to understand the transmission of data
and review logical access controls.
Computer Assisted Audit Techniques (CAAT) Tools
o WizRule: It is a tool to evaluate data quality based on data content, data patterns, rules
and relationships.
o Vanity Integrity: It processes data content in conjunction with metadata to abstract
business rules and relationships.
6.2.4 Documentation
User Manuals and Technical Manuals: These manuals will help us in understanding the usage of
system software and applications hosted by ZCS.
Service Level Agreements: They will help us understand the contractual obligations and
compliances required to be followed by ZCS while serving its clients.
Organization chart outlining the organization hierarchy and job responsibilities: Organization
chart will enable us to make sure that controls in place are as per job responsibilities.
Circulars/guidelines issued to employees: Circulars and guidelines issued to employees will help
us in ensuring that employees have the appropriate access controls.
Any other documentation as identified by us during the course of the assignment: If the audit
team recognizes the need to refer to any other documents, the same should be made available
to it.
The primary objective of the assignment is to conduct a review of physical access controls,
environmental security controls, logical access controls, network security controls and application
controls.
ABCD & Co. will adopt the latest and globally recognized standard for IS audit - Control Objectives for
Information and Related Technology (COBIT) as issued by the Information Systems Audit and Control
Association (ISACA), USA.
Additionally, we have used the following Standards on Auditing (SAs) issued by The Institute of
Chartered Accountants of India (ICAI):
SA 402: Audit Considerations Relating to Entities Using Service Organizations: Since ZCS is a cloud
computing service provider to many clients, the standard was used to understand the nature and
significance of the services provided by ZCS to its clients.
SA 530 Audit Sampling: We used statistical and non-statistical sampling to design and select the audit
sample, performed tests of controls and tests of details, and evaluated the results from the sample.
SA 620 Using the Work of an Expert: Since cloud computing is dependent on web services, we used this
standard to take the help of an expert – Ms. S, who is a freelance web services expert to assess the risks
in ZCS’s web services.
i. Deploy a core team of 4-5 IS audit personnel in batches of 2-3 as per the skill sets and tasks
required, under the personal direction and liaison of the Engagement Partner, Mr. A.
ii. ZCS must designate a person at a senior level to coordinate between ABCD & Co. and ZCS. The
audit team would also comprise one person each from the ZCS systems group and the ZCS audit group.
iii. Detailed systematic audit procedures would be finalized after completing review of the
documentation and discussion with staff and users.
In tune with the terms and scope of reference of the assignment, we will adapt the methodology from
COBIT.
The above mentioned objectives shall be achieved through the following structured methodology:
Our audit team would perform the following tasks and include the following procedures:
1. Visit the data center and observe the physical and environmental controls.
2. Undertake an in-depth analysis of all control aspects as implemented at ZCS. In doing so, the following
objectives would be kept in mind while setting the overall goals:
3. Review the system architecture in operation; understand how the various modules interact within the
overall system.
4. Review how each module in the system has been tested including the documentation prepared in
respect of each.
5. Review the methods employed for implementation of the system, including post-implementation
review procedures undertaken to ensure that the objectives set out were actually achieved.
6. Understand the business processes and review how these have been mapped in the information
systems by tracing the modules with a top down approach.
7. Review the modules by performing detailed documented tests of all the menu options and their
related effects.
8. Review the controls established over the continuity of stored data, necessary to ensure that once data
is updated to a file, the data remains correct and current on the file.
9. Review the in-built controls for stored data so as to ensure that only authorized persons have access
to data on computer files.
10. Review the controls established which ensure that all transactions are input and accepted for further
processing and that transactions are not processed twice.
11. Review the controls established so as to ensure that only valid transactions are processed.
12. Review the procedures established for back-up and recovery of files in the package.
13. Review controls established for the development, documentation and amendment of programs so as
to ensure that they go live as intended.
15. Present the Cloud Security Alliance Consensus Assessment Initiative questionnaire (presented in
Annexure II) to the relevant IT personnel to assess the levels of security and controls in the organization.
8. Documents Reviewed
9. References
10.1 Deliverables
1. Draft report along with the executive summary of the review’s result together with the
recommendations of findings and risk analysis of findings.
2. Final report incorporating management’s comment and agreed priority plan of action based on the
exposure analysis.
10.2 Timeframe
The expected time for the assignment is approximately 8 weeks. We would require a lead time of two
weeks for commencing the assignment. The availability of coordinating team, user involvement,
availability of resources and information by the auditee would also impact the audit duration and time
schedule, which would be communicated to the auditee in advance.
10.3 Fees
The fees for this assignment are Rs. x.xx Lakhs (GST at the rate of 18% will be added extra), which would be
payable as follows:
Travelling, boarding, lodging and conveyance expenses of the audit team shall be reimbursed on actual
basis on outstation travel.
11.1.1 Introduction
Zebra Cloud Solutions (“ZCS”) Ltd. is a cloud computing service provider with its Head Office located at
Bengaluru and data centers at Mumbai, Hyderabad, Chennai, Pune and Delhi. It provides cloud-based
services to banking, insurance, healthcare, manufacturing, supply chain and technology industry all over
the globe. It has more than a hundred servers in its data centers in India which are in turn connected to
more than five hundred servers which hold the worldwide business data of customers of ZCS. ZCS offers
three types of cloud computing services to its clients:
Since ZCS offers its services using the internet and stores a huge amount of its customers’ data, it is
particularly important for ZCS to provide a high level of protection to its information assets. The business
model of ZCS is such that its servers are always connected to the internet and even the slightest
negligence in terms of security and control will have a significantly adverse effect on its business.
11.1.2 Scope
Based on our understanding of ZCS’s needs for conducting an audit of its security and control practices, it
was decided to focus on a Review of Physical and Logical Access Controls. We propose the scope of review
and the terms of reference as laid down in the following paragraphs.
The envisaged terms of reference are based on the personal discussions that key members of the assignment
team had with the internal audit team of ZCS on 5th November, 2018 at Bengaluru. The detailed scope,
review and methodology followed are given in the annexure. The methodology would be further
enhanced and refined as the audit progresses based on the specific needs of the audit environment.
Broadly, the scope of review, primarily from a security and controls point of view, would involve:
1. Physical Access Controls: Physical access controls restrict physical access to resources and protect
them from intentional and unintentional loss or impairment.
2. Environmental Security Controls: These controls make sure that the information security
infrastructure and facilities should not only provide a conducive environment for the effective and
efficient functioning of the information processing facility but should also protect the contents of such
facilities from undesirable variations in the environment.
3. Logical Access Controls: Logical access controls prevent and detect unauthorized access to
information assets and resources while ensuring that authorized users can access the information
resources as per their role and responsibilities.
4. Network Security Controls: These controls are important to implement as networks are far more
vulnerable to external threats than standalone systems. Especially for a cloud computing service
provider like ZCS, Network Security Controls are extremely critical.
5. Application Controls: These controls ensure achievement of ZCS’s business objectives of timely,
accurate and reliable information.
6. Review of controls to ensure alignment with IT Act, 2000 Clause 49 of Listing Agreement and CARO,
2016: We will review the adequacy of controls to make sure that they are as per the norms stipulated by
these regulations.
The IS auditor team will carry out the following activities in relation to the Information System Audit
around the above mentioned areas:
Out of Scope
Limitations:
The IS Auditor team has assumed that the information provided by the various application owners at
ZCS is true and correct to the best of their knowledge. Further, the IS Auditor team has depended on
such information provided.
11.1.4 Methodology
The above mentioned objectives shall be achieved through the following structured methodology:
This final report is prepared solely for the Internal Audit team of ZCS, Bengaluru. The report is meant for
the use of those to whom it is addressed and should not be disclosed to any other parties. We will not
accept any liability/responsibility to any third party with whom this report is shared / shown or into
whose hands it may come.
Unrestricted circulation of the report even within ZCS is associated with a risk of some internal
employees trying to exploit the reported weaknesses before they are actually plugged. Consequently,
you should not make our report available to any third party except the regulators unless we have
specifically agreed with you the basis on which our report may be made available.
In order to provide management with an indication as to the significance of risk involved and the priority
with which the same needs to be addressed, all risks have been rated in accordance with the
classifications given below:
High Risk: Risks that could seriously compromise the internal control framework, data integrity
and / or operational efficiency. These risks need to be addressed with utmost priority.
Medium Risk: Risks that could compromise the system’s internal control, data integrity and / or
operational efficiency and should therefore be addressed, but with a lower priority than
those rated as high. Alternatively, these are significant control issues which should be
addressed in the medium term because other compensating controls exist which cover
the acknowledged business risk.
Low Risk: Risks that do not seriously affect the system in the short term. However, failure to
address these risks may lead to long-term inefficiencies and non-compliance, thereby
adversely affecting the existing control framework.
11.1.7 Acknowledgments
We would like to take this opportunity to thank the management and staff at all levels of ZCS for the
assistance we received from them during the course of our review. We would be happy to provide
further clarification that ZCS might need about any matter contained in this report.
Section I contains the project scope, our approach, summary of key observations and recommendations
etc.
Section II contains our observations relating to physical access controls, environmental security controls,
logical access controls, network security controls and application controls.
11.1.9 Table & Graph representing areas and risk rating wise number of observations
Area                              High Risk   Medium Risk   Low Risk   Total
Physical Access Controls               6           11          18        35
Environmental Security Controls        8           15          21        44
Logical Access Controls                9           16          26        51
Network Security Controls              7           12          25        44
Application Controls                   4           17          22        43
Regulatory Review                      4           10          14        28
Total                                 38           81         126       245
[Graph: number of observations per area (y-axis, 0 to 30) for Physical Access Controls, Environmental Security Controls, Logical Access Controls, Network Security Controls, Application Controls and Regulatory Review]
29. Logical Access Controls and audit procedures referenced from ISA Module IV by ICAI, Page No. 106-108
30. Network Security Controls, S/MIME and Audit Techniques referenced from ISA Module IV by ICAI, Page 128
31. IDS referenced from ISA Module IV by ICAI, Page 133
32. SIEM and SOC referenced from ISA Module IV by ICAI, Page 135
33. Cloud auditing issues referenced from ISA Module VIII by ICAI, Page 84
34. OWASP referenced from Cloud Security Alliance Security Guidance for Critical Areas of Focus in Cloud Computing 3.0 available at https://downloads.cloudsecurityalliance.org/assets/research/security-guidance/csaguide.v3.0.pdf
Following is the number of controls checked in each application and the number of control gaps
observed against the controls checked:
11.1.12 Quick Wins for ZCS – High Risk Observations with Low Implementation Effort
Note: Implementation efforts are estimated based on the IS Auditor’s past experience. Implementation efforts
are categorized into the following:
For example: If a risk can be remediated by means of changes in the configuration just by putting a check
in the checkbox then its implementation effort is mentioned as Low. If a risk can be remediated only by
changing /instituting a business process with involvement of multiple departments then its
implementation effort is mentioned as High.
[Graph: number of quick-win observations per area (y-axis, 0 to 10) for Physical Access Controls, Environmental Security Controls, Logical Access Controls, Network Security Controls, Application Controls and Regulatory Review]
All observations and recommendations contained in this report have been discussed with the
management and internal audit team. ZCS should now devise a time bound action plan, identifying the
responsibility and ownership to implement the control recommendations in order to address the control
weaknesses and associated risks. The implementation priority can be decided on the basis of risk ratings
identified below:
11.2.1.1 Control
Employees must follow the fire drill procedures, vacate their desks and assemble at
assembly points.
Recommendation
Employees must be trained about fire drills and must be told the implications of not
following the fire drill directives strictly.
Employees who do not take fire drills seriously must be penalized.
Evidence:
The audit team observed fire drills at all the sites.
11.2.1.2 Control
Management review of physical access controls and discussion with employees.
Recommendation
Management needs to review and revise the existing physical access controls with the
employees.
Evidence:
The audit team interviewed employees.
11.2.1.3 Control
Screening of vehicles entering the facility by security guards.
Recommendation
Security personnel must be instructed that they must screen vehicles before they enter
the premises.
Evidence:
The audit team witnessed the security procedures at the premises’ entrance gates.
11.2.1.4 Control
Documentation of physical control policy and standards.
Recommendation
Management must formally document the physical control policy and standards.
Evidence:
The audit team asked for the physical control policy document and the same was not obtained.
11.2.1.5 Control
Observation of data center entry/exit CCTV feed by security guard.
Recommendation
More than one security guard must be present in the CCTV control room to observe the
feed.
Evidence:
The audit team visited the CCTV control room and observed the routines of the security guards.
11.2.2.1 Control
Use of radio emission shields to control radio emissions.
Recommendation
There should be a shielding strategy in place against interference and unauthorized access
through emissions.
Evidence:
The audit team visited the data centers and observed the absence of radio shielding equipment.
11.2.2.2 Control
Air intake vents, grills and roofs must be safe from human entry.
Recommendation
Additional measures such as alarms should be installed in vents, grills and roofs where human
presence is observed to be possible.
Evidence:
The audit team visited the data centers and measured the air vents, grills and roofs. Building
maps also reveal the dimensions of the air vents, grills and roofs.
11.2.2.3 Control
Cables, plumbing pipes, smoke detectors and water detectors must be concealed and in
working condition.
Out of order smoke detectors will delay fire detection and can lead to damage of critical IT
assets.
Recommendation
Cables must be concealed and must not be allowed to be loose.
Smoke detectors must be checked regularly to ensure early detection and safeguard the
resources from fires.
Evidence:
The audit team assessed the electrical circuit layouts of the facilities and verified with actual
cables which were found to be hanging loose. We also checked whether the smoke detectors
were in working condition.
11.2.3.1 Control
Documentation of privileged and special purpose logons.
Recommendation
Logons with special privileges must be well documented and controlled as they have access
across domains.
Logs should be maintained about usage of privileged and special purpose logons.
Evidence:
The audit team sought the documentation of privileged and special purpose logons but the
same was not present.
11.2.3.2 Control
Access must be based on least privileges and need to know-need to do basis.
Recommendation
We recommend that access to users must be restricted only to their respective domains.
Access Control Lists should be reviewed and cross-domain access must not be allowed.
Evidence:
The audit team observed the audit trails for activities of users in different domains. Additional
user access tests were performed to verify permissions.
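As an added example, not ZCS’s tooling or the audit team’s own procedures, the following Python script shows how the documentation and logging recommended in 11.2.3.1 and the domain-restricted access recommended in 11.2.3.2 can be checked together: it reconciles a constructed audit trail against a documented inventory of privileged logons and flags undocumented privileged logons and cross-domain access. The log format, domain names, host names and account names are all assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed inventory of documented privileged and special-purpose logons
# (logon name -> (home domain, documented purpose)). Hypothetical values.
DOCUMENTED_PRIVILEGED: Dict[str, Tuple[str, str]] = {
    "svc_backup": ("DC-MUM", "backup software service account"),
    "adm_dba01": ("DC-HYD", "database administrator"),
}

# Constructed mapping of hosts to the domain they belong to. Hypothetical values.
HOST_DOMAIN: Dict[str, str] = {
    "mum-db-01": "DC-MUM",
    "mum-fs-02": "DC-MUM",
    "hyd-db-01": "DC-HYD",
    "pun-app-03": "DC-PUN",
}

# Constructed audit-trail line format:
#   "<timestamp> <domain>\<user> <PRIV_LOGON|LOGON> <target host>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<domain>[A-Z0-9-]+)\\(?P<user>\S+)\s+"
    r"(?P<event>PRIV_LOGON|LOGON)\s+(?P<host>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    issue: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one audit-trail line; return None when it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def review_logons(lines: Iterable[str],
                  inventory: Dict[str, Tuple[str, str]] = DOCUMENTED_PRIVILEGED,
                  host_domain: Dict[str, str] = HOST_DOMAIN) -> List[Finding]:
    """Reconcile the audit trail with the inventory and the domain model.

    Findings raised:
      - unparseable lines (a gap in the audit trail itself)
      - logons to hosts missing from the host inventory
      - cross-domain access (source domain differs from the host's domain)
      - privileged logons by accounts that are not documented
      - documented privileged accounts used from a domain other than their home
    """
    findings: List[Finding] = []
    for raw in lines:
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            findings.append(Finding("-", "-", f"unparseable audit line: {raw.strip()!r}"))
            continue
        ts, src, user, host = rec["ts"], rec["domain"], rec["user"], rec["host"]
        target = host_domain.get(host)
        if target is None:
            findings.append(Finding(ts, user, f"host {host} not in host inventory"))
        elif target != src:
            findings.append(Finding(ts, user, f"cross-domain access {src} -> {target} on {host}"))
        if rec["event"] == "PRIV_LOGON":
            if user not in inventory:
                findings.append(Finding(ts, user, "undocumented privileged logon"))
            elif inventory[user][0] != src:
                home = inventory[user][0]
                findings.append(Finding(ts, user, f"privileged logon from {src}, home domain is {home}"))
    return findings


# Constructed sample audit trail (hypothetical, not real ZCS data).
SAMPLE_AUDIT_TRAIL = """
2018-11-12T09:14:03 DC-MUM\\svc_backup PRIV_LOGON mum-db-01
2018-11-12T09:20:41 DC-MUM\\jdoe LOGON mum-fs-02
2018-11-12T10:02:17 DC-HYD\\adm_dba01 PRIV_LOGON mum-db-01
2018-11-12T10:45:09 DC-PUN\\tmp_admin PRIV_LOGON pun-app-03
2018-11-12T11:03:55 DC-MUM\\jdoe LOGON hyd-db-01
garbage line that should be reported
""".strip().splitlines()


if __name__ == "__main__":
    for f in review_logons(SAMPLE_AUDIT_TRAIL):
        print(f"{f.ts} {f.user}: {f.issue}")
```

On the constructed sample the script reports four findings: two cross-domain accesses, one undocumented privileged logon (tmp_admin) and one unparseable line.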
11.2.3.3 Control
Password policy must be enforced in a way that simple passwords are not allowed.
Recommendation
We recommend that access to users must be restricted only to their respective domains.
Access Control Lists should be reviewed and cross-domain access must not be allowed.
Evidence:
The audit team reviewed the Access Control Lists. Interviews with users were conducted to
understand if they follow the password policy.
11.2.4.1 Control
Using encrypted email messages to convey private keys to customers.
Recommendation
Encrypted email must be used to convey private keys to the customers.
We suggest S/MIME (Secure/Multipurpose Internet Mail Extensions) using Microsoft Exchange for
encrypted emails.
Evidence:
The audit team reviewed the email policy of the organization. We also looked into the data flow
diagrams and understood the decryption mechanism.
11.2.4.2 Control
Use of Intrusion Detection System (IDS) in the network.
Recommendation
Intrusion Detection System should be installed so as to act as a next line of defense beyond
firewalls.
Evidence:
The audit team observed network diagrams and traced the actual network in the organization.
IDS were not found to be employed on the networks.
11.2.4.3 Control
Enhancing incident response by using Security Information and Event Management (SIEM) tools.
Recommendation
Security Information and Event Management (SIEM) tools must be employed in addition to
setting up a Security Operations Center (SOC) to monitor network logs and enhance incident
response capability.
Evidence:
The audit team reviewed the network logs. There were no tools installed on the systems for
monitoring these logs.
11.2.5.1 Control
Defining boundaries between ZCS and consumers to ensure clear identification of
responsibilities regarding security controls.
Recommendation
The Service Level Agreements must define the trust boundaries between ZCS and customers
to ensure that the responsibilities to implement security controls are clearly defined.
Evidence:
The audit team reviewed the SLAs between ZCS and its customers. No trust boundaries were
defined in the SLAs.
11.2.5.2 Control
Performing Cloud-specific multi-tenancy tests on applications.
Recommendation
We recommend applying Open Web Application Security Project (OWASP) guidance, as
recommended by the Cloud Security Alliance, to improve application security.
Evidence:
The audit team observed testing environment and test policy of the organization.
11.2.6.1 Control
Management and data owners must be aware about the regulatory requirements as
stipulated by Section 43A of IT Act, 2008.
It was observed that the management as well as data owners were unaware about the
above regulatory requirements.
Recommendation
Train the data owners by making them aware about the relevant sections of the IT Act,
2008.
Evidence:
The audit team reviewed the security controls and measures and lacunae were observed in the
same as compared to what is recommended by the IT Act.
11.2.6.2 Control
Valuation and safeguarding of IT assets by audit committee as per Clause 49 of Listing
Agreement of SEBI.
Recommendation
The audit committee must be apprised of the requirements of the Clause 49 of the Listing
Agreement issued by SEBI regarding IT assets too.
Evidence:
The audit team observed the minutes of the audit committee’s meetings.
11.2.6.3 Control
Verify the adequacy of internal control procedures to adhere to CARO, 2016 norms.
Recommendation
We recommend that the senior management must discuss internal controls in each of their
meetings to make sure that they satisfy the requirements of CARO, 2016.
Evidence:
The audit team observed the minutes of the board meetings.
12. Summary/Conclusion
Based on our review our overall conclusions on specific areas are:
Our review of security and access controls at ZCS confirms that appropriate physical access controls
have been implemented by the Company. Our test checks have revealed that physical access controls
are reliable. However, there are some areas (strict implementation of fire drill policy, periodic review of
physical controls, and formal documentation of physical access controls) where controls need to be
strengthened and these have been discussed in the report.
Our review of environmental security controls at ZCS confirms the company’s assets are safeguarded
from environmental threats. However, a few additional controls have been recommended by us
wherever lacunae were observed by the audit team. These pertain to radio emission shielding, right
sizing the air vents, doors and ceilings, concealing the cables and ascertaining the working condition of
smoke and water detectors.
ZCS has a robust system of Logical Access Controls throughout the organization. Based on our review,
we have suggested improvements particularly for documentation of special privileges logons, domain-
only access, and stringent enforcement of password policy.
Our review of network security controls at ZCS confirms that the company has implemented adequate
controls from the network security point of view. We have recommended certain improvements
particularly about installing IDS, incorporating email encryption system and logs monitoring to enhance
the level of network security.
Application Controls
Apart from the fact that the SLAs of ZCS with its customers do not segregate responsibilities to
implement security controls and application tests must incorporate cloud-specific testing, we confirm
that ZCS has appropriate Application Controls in place.
Regulatory Review
ZCS operates in the cloud domain which involves processing of a high volume of data of customers.
Regulations pertaining to security policy are evolving faster than usual. A company like ZCS must make
sure that its data is well protected and there are appropriate internal controls along with periodic
reviews of the same to ensure that the company adheres to regulatory requirements. We have
recommended specific guidelines to the management and data owners so as to facilitate abiding by the
IT Act, 2008, Clause 49 of the Listing Agreement and CARO 2016.
Further Action
We consider that the recommendations in this report would be very useful for making the security and
control practices at ZCS stronger and improving their effectiveness. We would like to affirm that the
matters included in this report are those which came to our notice during our review by following
normal Information System audit procedures and by complying with globally applicable Information Systems
Auditing Standards, Guidelines and procedures that apply specifically to Information Systems Auditing
issued by the Information Systems Audit and Control Association, USA and Security and Control Practices as
outlined in COBIT 5 issued by ISACA, as adapted to ZCS operations for the review of security and controls.
Further, on account of limitations of scope and time, we have used a sample-test and test-check approach.
Hence, certain areas which are outside the scope of this review are not covered.
Annexures
Annexure – 1. Terms of Assignment 35
The parties to the Agreement shall be ABCD & Co. and the Zebra Cloud Solutions (ZCS) Limited, and
neither may assign or transfer rights or obligations under the Agreement or part of such Agreement to
any other party without prior written approval by the other party. In the event of any inconsistencies
between the terms stated in the Letter of Agreement and these Terms of Engagement, the Letter of
Engagement shall supersede the Terms of Engagement.
1.2 Confidentiality
The parties shall be under a mutual duty to safeguard the confidentiality of all material, records and
information about the other party as well as all information received from the other party in connection
with the performance of the engagement.
Unless otherwise stipulated in the Agreement, both parties shall agree to use electronic communication
through such means as emailing of all documents and messages of relevance to this Agreement.
If a potential or actual conflict of interest has been identified, and ABCD & Co. believes that the interests
of the client may be adequately safeguarded through the implementation of relevant procedures, ABCD
& Co. will discuss and agree such procedures with the client.
ABCD & Co. shall be responsible for the service rendered under the Agreement in accordance with the
general rules of Indian law. Any limitations on the overall liability for damages shall be stated in the
Letter of Engagement. ABCD & Co. shall assume no responsibility for any indirect loss or consequential
damage, including loss of goodwill, image, earnings, profit or data.
This Agreement is to be construed, performed and enforced in accordance with the laws of India with
exclusive jurisdiction of the courts of Mumbai. English will be the governing language.
35. Terms of Reference of Deloitte Touche Tohmatsu Limited (UK) referenced from https://www2.deloitte.com/content/dam/Deloitte/dk/Documents/audit/ForretningsbetingelserUK01012017.pdf
36. AWS response to CSA Questionnaire referenced from https://citadel-information.com/wp-content/uploads/2012/08/amazon-web-services-risk-and-compliance-whitepaper-2012-1.pdf