Application Control Review. August 4, 2012

Transcription

1 Application Control Review August 4, 2012

2 Application Controls Review - Scope Web security Access Controls Password Controls Service Level Agreement Database Access Controls Perimeter Security Controls Interface Controls Change Management Data Sanitisation Business Continuity/Disaster Recovery Plan Input, Processing and Output Controls Data Backup Data Retention and Retrieval System Documentation Application Security Life Cycle (ASLC) Backend Update Controls Review of application logs Customer/user complaints Database Operating system Web servers Networking and Security of Assets

3 Web Security Segregation between internet and intranet architecture of application Data encryption while in transit on third party network Forced browsing or directory/path traversal not allowed SQL Injection not allowed Hidden form fields not used in validations Adequate session management Critical data encrypted while in storage Adequate server side validations used in client data input validations Vulnerability analysis and penetration testing

4 Access Controls Whether user access rights justify their job roles Whether Administrator have access to transactions menus/masters parameter settings Whether any unauthorised users being provided access to any critical application file/data folders/menus etc 4) whether sample user creation requests as per LAM meet the actual user rights in system Whether periodical review of user access rights carried out Review of the profiles created in the application carried out periodically for its validity jointly with the user groups. whether profiles as per ACM and per application documented

5 Password Controls Password policy enforcement (length, expiry, complexity, history, periodic change, repeatation,etc) as per Security Policy password is not shown on screen when typing and is encrypted in database Initial passwords or reset passwords should not be communicated to users through un-secured means such as unprotected clear text s system forces user to change password on first login or first usage after reset System allows users to change password on his own Are there any default passwords used User account is locked after x number of unsuccessful attempts or x number of days of inactivity User is informed of his last login date and time application does not allow concurrent login to same user

6 Service Levels Whether AMC/SLA for the application support exist with clear mention of the scope of the services and basis for the billing/charges Whether any of the AMC/SLA terms is inadequate or unreasonable or inconsistent vis IT Security policy whether terms of SLA are periodically monitored for compliance. eg. review sample payments made to service provider as per the SLA clause for support services Whether proper approval exists for support services/annual maintenance contract Whether payments made to vendors for CRs etc are tracked vis a vis SLA/AMC terms and the approvals

7 Database Access Controls Whether any backend database update can be carried out Whether users have direct database access Whether critical passwords such as database connection string is encrypted when stored. Whether procedure laid down to correct data errors / problems observed at the database level and database integrity monitored through periodic reports; Review which user ID is used for trouble shooting at application and database level and identify its privileges How this id credentials are protected and its usage monitored for unauthorised activities

8 Perimeter Security Controls Review the firewall rules for internet facing applications Enquire for the services and protocols allowed for ports (other than 80 or 443) for web servers and for non database ports on database server in DMZ Whether appropriate justification and approval available for these services Network based security controls implemented for third party systems connecting to network eg. Firewall

9 Interface Controls See the related documentation and architecture diagram to get the knowledge about the interface and review the interface log files Whether adequate interface logs are generated & maintained for automated interface with application Whether system checks exist (through interface logs etc) to detect or restrict failures/ errors / omissions / duplicate records during interface data exchange. Whether authentication/authorisation procedure between the interfacing applications is weak e.g. clear text passwords, invalidated user credentials or unrestricted permissions to the interfacing user ID or unrestricted access to interfacing programs etc Folders/servers used for transfer are having unauthorised access

10 Change Management Review sample Change Rrequests(CRs) for type of CRs, process flow and supporting documentation as given herein Review pending CRs for status, reasons and monitoring,ageing of CRs and risk attached review the ACM for related authorisations Whether deployment approval from Business Head sought before deployment of CR to live Whether adequate testing (eg. unit/system/regression testing) is carried out prior to deployment in live Whether UAT sign-off evidenced whether proper BRS is available in support of CRs which are deployed or in process of development whether test cases /test results are available whether release notes obtained from vendor for important patches / CR deliveries with proper ref. of CRs

11 Data Sanitisation Whether customer demographics or any other sensitive data sanitized in UAT environment Whether developers have access to live environment Whether there is proper segregation of Development & UAT & Live environment Whether UAT is in sync with live, if yes how evidenced? Whether segregation of duties & roles clearly defined between development and production support team Whether adequate procedure & documentation exist for moving program changes to live

12 Business continuity/disaster Recovery(DR) Whether DR plan document is adequate in terms of its contents/scope/ coverage of system components / activities Whether DR drills carried out at regular intervals/ Whether DR drill reports available Whether the coverage of DR drills & participation is as per test plan given in doc Whether any significant deficiency noted in DR drill

13 Input, Processing and Output Controls Whether system accepts any invalid / out of range / incorrect or duplicate data inputs Whether data accuracy for critical fields implemented through Range Check, validity checks duplicate checks) Whether adequate system controls built to identify data entry errors / exceptions (such as invalid inputs, duplicate items, backdated entries etc) In case of batch uploads, whether system checks whether all transactions in a batch file are uploaded without any omission and errors, also adequate batch upload controls (such as controls totals tallying) exist. check whether erroneous records are segregated with rejection report/reasons.

14 Input, Processing and Output Controls Review the critical functionalities wherein complex data processing is involved, e.g. interest calculation etc. Review the documentation for such data processing logics (whether in built as part of application feature or developed through report etc during customisation) check whether bulk processing of inputs through batch uploads may result in any exceptional data item being processed erroneously

15 Data Backup Controls Whether backup policy / procedure is laid down for frequency, type of backup, media, period, contents/files to be backed up, storage location, restoration testing media recycle / rotation schedule etc conveyed to DB Administrator Back up is performed through systemic controls at regular intervals as per back up policy set up (eg. Net Backup). Review the back up logs / alerts generated and sent to application owner for success or failures of scheduled back up activity Check whether copy of back up is kept at off-site location. Review the process of off-site storage, labelling of off-site back up copy Check the latest back up restoration testing confirmation for critical data base files as well as application files, as confirmed by user

16 Data Retention and Retrieval Whether any data purged in the application whether data retention and data purging procedures documented for the application data Whether any guideline relating to data retention applicable to the data in the application Whether any data required to be retained has been purged Whether data retrieval tested for the data to which data retention policy is applicable

17 System Documentation Whether updated user and system manuals available Whether these manuals cover all application modules including critical data processing logic and all interfaces (such as interest calculation or bucketing of overdues etc) and menus/sub menus and explain its functionalities Document is updated periodically for all changes

18 Application Security Life Cycle (ASLC) Identify various types of data being processed by application, Check whether data classification is done as per IS Security Policy through formal document Verify whether adequate data protection controls adopted for handling of sensitive data as per said policy (eg. data exchanged outside network or through removable media in unencrypted form or unsecured way without any control) Whether documents required for ASLC Risk assessment (including SOP etc.) are completed and submitted Whether RR sign off obtained and review the open items Periodically review of ASLC

19 Other Controls Database Operating System Web servers Networking and Security of Assets

20 Best Practices

21 User Management Generic / Extraneous users present Good Practice Process to manage default / transferred / exemployees Periodic review vis-à-vis HR records Periodic confirmation from the user supervisor Excess privileges assigned to users Good Practice Periodic Access Control Matrix sign off Business function vis-à-vis application profile

22 Password Management Password Sharing Good Practice Password sharing (including admin) restrictions Application concurrency restriction Strict Reprimands (e.g. employee warnings) Sealed envelope / Password Vault for super user ids of application, DB, OS Onsite and Offsite maintenance Sealed envelope tracking register Password Vault application

23 Password Management Password encryption (Connection strings/database storage) Application user / DB connection password stored in clear text / unapproved weak password algorithms Good Practice Hashing Password encryption algorithm usage as prescribed in IT Security policy. Connection string (Application to DB) should be encrypted

24 Interface Controls Manual / Partially Automated Interface (Inter- Application) Good Practice IP / Login ID / Digital Certificate based restriction Privilege controls over processing user / folders (e.g. Transit) Interface logs Vulnerable upload / download process Good Practice Maker / Checker control Integrity & Input Validation (e.g. Duplication, file type, standardized format etc.)

25 Maker / Checker Controls Maker checker controls not implemented for Critical business function Administrative activities (including user management) Good Practice Preventive application control for critical business functions and admin activities Detective controls (e.g. audit trail review & sign off) for identifying unauthorised activities

26 Application Security Life Cycle (ASLC) Non-adherence to ASLC process Good Practice Every application to undergo ASLC review at induction stage Non-alignment to IT Security policies to be identified and communicated to the vendor Residual risks to be signed off Risk review need to be carry out after major change The periodicity for renewal of ASLC

27 Some Learnings

28 Learning Usage of application database id for updation Sharing of user credentials during their leave period A single person responsible for upload of the text dump to application Sharing of generic user id having admin rights Failure of online market rates Updates

29 Learning (contd.) Transferred/resigned employees found active on AD multiple user ids used to create as well as verify transaction with their different user ids by same user Use of administrative id on local desktops Mismatch in IT asset inventory User can bypass the authentication of the application by manipulating link in the browser Admin User Access with Blank Password CCTV camera captures keyboard keys

30 Learning (contd.) No server side validation for the parameters entered by the user for many service requests Customer demographic details are copied in test environment without any data sanitisation Possibility of making bill payment through other customers account Further outsourcing of activities by vendor without permission VRM details not recorded tel no,date and time of call

31 Thank you