ACTIVITY Data centre operations

OBJECTIVE/RISK To ensure that roles are well defined, controls established & followed to ensure proper management of ICT resources. Corruption of data and loss/damage to other IT resources by unauthorized persons

KEY CONTROLS ICT department should be independent of the user departments, particularly the processing of transactions. (Flexcube manual page 8)

AUDIT TEST Verify whether the ICT department is independent of the user departments in particular the accounting/finance department. Check that the ICT team is not involved in processing of entries neither inputting nor authorization of the transactions. Is there strict control of entry & exit into the Data Centre? Is there a register to record entry into the Data Centre? Review the register to confirm that it contains the following information on people who enter the Data Centre; - the name of the person - the date and time of entry - the purpose of the entry - The time of exit. - Signature/initial of the visitor Check whether the register is reviewed and initialed by senior personnel of ICT. Verify whether there is a list of authorized personnel in the Data Centre. Are unauthorized personnel in to the Data Centre always accompanied by staff member and do they fill in the required information in the entrance register? Review the organization chart of the ICT department. Is there segregation of duties between the Business Systems and Infrastructure system teams? Check for any overlapping roles between the two units. By reviewing sample of staff files ensure that the roles are clearly defined for each staff member. Check that job descriptions for each staff match

RESULTS / WORK PAPER REF.

Entry to the data centre is restricted to authorized persons only. Entry of unauthorized persons should recorded in a register indicating the following: - the name of the visitor - date and time of entry - the purpose of visit - the time of exit - Signature/initial of the visitor. The register must be reviewed and initialed by the Manager, ICT. (Flexcube manual page 8)

Corruption of data and loss/damage to other IT resources by unauthorized persons Inefficiencies arising from overlapping roles

The list of authorized personnel into the Data Centre must be displayed in the data Centre. Visitors to the Data Centre must be accompanied by authorized personnel at all times. (Flexcube manual page 8) The role of ICT is segregated into Business system and Infrastructure system functions and there is no overlapping of duties between the two units. (ICT Continuity plan Chapter 2) Job description will be given to each staff member of the ICT team outlining the responsibilities of every ICT team member.

(HR procedure manual

with the roles being undertaken by the staff.

ACTIVITY Data centre operations (Contd)

OBJECTIVE/RISK

KEY CONTROLS The ICT team will be continuously trained, coached and guided in their designated roles. System changes will be thoroughly tested prior to implementation and user acceptance tests, UATs, done prior to implementation. The UAT results should be properly documented. Any exceptions noted in the course of User Acceptance Testing must be resolved before live implementation of the system. Users and data processing personnel should be adequately trained to handle all new applications. Retain Copies of all previous versions of programs and applications being replaced or upgraded. Changes to any applications and programs should be documented and authorized before implementation. Thereafter post-implementation review carried out and results analyzed.

Interruption to information processing due to inappropriately implemented system changes.

Business disruption when new changes fails and previous applications are not maintained

AUDIT TEST Review that all ICT staff members are adequately trained and experienced to handle their designated roles. Check that changes to systems or implementation of new systems are approved prior to implementation. Is adequate testing done prior to implementation. Are user acceptance tests properly conducted and documented? Verify that any exceptions noted during the User Acceptance Testing are resolved prior to live implementation. Are users and data processing personnel adequately trained to use new applications? Verify that a copy of the previous version of the program is retained for use in the event of problems arising with the amended version. Are there controls over authorization, implementation and documentation of changes to operating systems? Are post implementation reviews carried out, results documented and analysed? Are user manuals prepared for all new systems developed and revised for subsequent changes? Ensure that copies of user/operations manual are kept off-site? For purchased software, check that approval is obtained for purchase. Are there procedures addressing controls over selection, testing and acceptance of packaged software? Have these been followed? Are vendor warranties still in force for new software obtained?

RESULTS / WORK PAPER REF.

Ensure that staff are aware of how to carry out various activities Unauthorized procurement of ICT resources

Manuals must be prepared for all applications and systems in use at the Bank. Subsequent updates must be done for all revisions and upgrades. At least a copy of the user manual must be kept offsite. All purchases of software and other ICT resources must be appropriately approved.

ACTIVITY Systems access security

OBJECTIVE/RISK To ensure that information systems are accessed by authorized persons only. To guard against the risk of unauthorized access to the banks information resources.

KEY CONTROLS The Information Security Policy details the management (i.e choice, change and protection) of passwords. ( Information Security Policy 2.8) Passwords should contain minimum 5 and a maximum of 8 characters and should contain an alphanumeric character. (Information Security Policy 2.8.1) Each user will be allocated a unique password and a unique user account. (Information Security Policy 2.7.4) Users who forget their passwords should fill the System User Access Profile form, which is then authorized by their departmental heads before submission to ICT. (Information Security Policy 2.8.2) Staff members assigned user rights commensurate to their roles as per job descriptions.

AUDIT TEST Do formal procedures exist for the issue and subsequent control of passwords? Is proper password syntax being used i.e. minimum 5 and maximum 8 characters and include alphanumeric characters. Is each user allocated a unique password and user account? Are there satisfactory procedures for re-issuing passwords to users who have forgotten theirs?

RESULTS / WORK PAPER REF.

Unauthorized access to the banks information resources leading to corruption and manipulation of information.

Check that system access compatibilities are properly changed with regard to personnel status change. Are individual job responsibilities considered when granting users access privileges? Verify that there are procedures in place to ensure forced password change after 30 days for Flex-cube and 45 days for the Network. Do terminals automatically log-of after a certain period of time. Check that there is a limit of invalid passwords before the terminal closes down Check for any case of password sharing by the ICT personnel and obtain explanations for such. Are invalid password attempts reported? Review the reports.

Flex-cube system must be changed before 30 days while the Network passwords should be changed before expiry of 45 days. Passwords change prompts/ alerts are given before expiry of the respective durations. Application passwords must not be revealed or shared with any other users.(Information security policy 2.8.3 & 5.5) A Security Violation Report is generated from Flexcube and reviewed on a daily basis by the Assistant Manager-ICT.( FCT Control manual page 17)

ACTIVITY Systems access security (contd)

OBJECTIVE/RISK Unauthorized access to the banks information resources leading to corruption and manipulation of information

KEY CONTROLS User access rights are promptly revoked when an employee departs the service of the Bank. Users who progress on leave are disabled promptly. Users are re-instated on resumption of duty and completion of a System Users Access & Profile form. Users are guided through password management during their induction program when they join the services of the bank. (Information Security Policy 2.8.1)

AUDIT TEST Check whether System access rights are promptly revoked for all employees who leave the services of the Bank. Verify that access rights for user who proceed on leave are deactivated until resumption of duty. Do the users fill in a System User Access & Profile form on duty resumption? Check whether this form is duly approved. Review the training arrangements for staff in designing, changing and protecting their passwords to ensure restriction of access to systems by unauthorized people. Are all transactions properly authorized before being processed through the system computer? Check whether the system can detect batches or transactions which are input but not authorized. Are there established procedures to ensure that transactions or batches are not lost, duplicated or improperly changed? Check whether an error log is maintained and reviewed to identify recurring errors. Are all errors reported to the user departments for correction? Are persons responsible for data preparation and data entry independent of the output checking staff? Verify that persons responsible for data entry are prevented from amending master file data. Review that users adhere to data cut-off times to enable timely End of day runs. Peruse the End of Day Process Checklist/sign off forms file for the review/selected period to ensure that all listed activities are duly completed.

RESULTS / WORK PAPER REF.

Data control procedures

To ensure transactions are properly processed and that output is complete and accurate. Also to ensure that data/information stored in the banks systems is not corrupted or destroyed

Flexcube System will not process any unauthorized transactions. End of day procedures cannot be commenced in Flexcube system until all batches of transactions have been authorized. Violation report in Flexcube system provides details of all exceptional activities performed by the users during the day. ICT team does not carry out any data input nor authorize transactions in the system. This responsibility lies with the user departments. Cut off times have been set and communicated to all users to ensure that End of day process is commenced and completed as scheduled. The End of Day Process Checklist forms must be completed every day by the End of day Teams.

ACTIVITY Tapes and Disks control/ Back-up control

OBJECTIVE/RISK To ensure that adequate back-ups are regularly taken to allow data and information to be readily recovered as necessary; therefore minimum disruptions to operations.

KEY CONTROLS The Data Back-up policy defines the back-up requirement for data to minimize exposure to loss of mission critical data.(Information Security Policy Chapter 10 & The data Back-up Procedure manual page 2) The End of Day Process Checklist/sign-off forms must be completed every day by the End of day Team and reviewed by the Manager, ICT. Flexcube Data back-up is documented in the Data Back-up procedure Manual and the End of Day Process Checklist itemizes the EOD process. (Flexcube data Back-up Procedure manual & Flexcube End of day Cycle procedure manual)

AUDIT TEST Review the procedure for taking back-up of system and program files. Does the procedure specify the duration for retaining back-ups? Does the procedure detail how to reinstall the back-ups? Check that back-ups of all database related files are taken regularly. Verify that daily back-ups are taken? Check for evidence that daily End of Day Procedures are executed and back-ups taken. Who manages the End of day back-up team? Check that the back-up process is fully documented and showing the following: - date of data back-up - type of data back-up( additional or full) - number of generations - responsibility for data back-up - extent of data back-up ( files/directories) - data media on which the back-up data are stored - data back-up hardware and software (with version number) - data back-up parameters (type of data backup) - storage location of back-up copies Is the data back-up team adequately and regularly trained on data back-up, data restoration process, back-up media retention and storage? Review exceptions during the audit period when daily back-ups were not taken. Obtain explanations for such. Ensure that back-ups are stored at an off-site location away from the Data Centre. Verify that back-up tape and disks are securely stored at the off-site location? Does the off-site location have adequate physical controls?

RESULTS / WORK PAPER REF.

Business interruption in the event of system failure and unavailable back-ups. To minimize the risk of business interruptions occasioned by virus attacks on systems the bank is running on.

The ICT team should be adequately trained and regularly appraised on data back-up processes. All exceptions for data back-up must be approved by the Senior Manager ICT. Copies of Back-up tapes and disks are sent for safe custody at off-site locations while other copies are stored in a fire proof safe inside the computer room.

To minimize the risk of business interruptions occasioned by virus attacks on systems the bank is running on.

ACTIVITY Tapes and Disks control/ Back-up control (contd)

OBJECTIVE/RISK System recovery drawbacks due to non-operational backups causing delays in information processing System recovery drawbacks due to non-operational backups causing delays in information processing

KEY CONTROLS Regular testing of back-ups must be done and results documented.

AUDIT TEST Are back-ups regularly tested to ensure their compatibility with the existing system? Have the testing results been documented and reviewed?

RESULTS / WORK PAPER REF.

A hierarchical back-up cycle is established as follows: - daily back-ups are retained for 2 weeks - weekly back-ups are retained for 1 month - monthly back-ups are retained for 1 year - end of fiscal year and yearly data back-up is retained for the long-term ( Information Security policy manual 10.3.1)

Check that back-ups are retained for appropriate period as follows: - two weeks for daily back-ups - one month for weekly back-ups - one year for monthly back-ups - annual back-ups are retained for the long-term

System recovery drawbacks due to non-operational backups causing delays in information processing

Multiple back-ups should be generated for monthly and annual back-ups and each copy stored in a distinct archive storage location. ( Information Security policy manual 10.3.1)

Ensure that multiple back-ups copies are taken for monthly and annual back-ups and each copy stored in a distinct archive storage location. Identify the locations for each back-up copy.

ACTIVITY Physical & Environmental controls

OBJECTIVE/RISK Loss resulting from fire,

KEY CONTROLS Smoking should be inside the Data Centre and near all ICT installations.

Risk of loss resulting from fire.

An automated Fire Suppression System has been installed which will extinguish fire occurrences in the Data Centre by release of Inergen Gas. ( ICTCP 3.6 (8) Environmental Control Systems) The Fire Suppression System should be serviced regularly and certificate of working condition filed. (ICTCP 3.6 Environmental Control Systems)

To minimize the risk of loss resulting water/floods

Major IT installation should be kept raised above the floors to evade the risk of flooding. The Data Centre is fitted with 2 sets of Air Conditioners. ( ICTCP 3.6 (8) Environmental Control Systems)

AUDIT TEST Check that building material used around the Data Centre is fire resistant. Ensure that wall and floor coverings are non-combustible. Check that smoking is prohibited in the Data Centre or near any other IT installation. Check whether fire/smoke detectors have been installed in the Data Centre and near all key Electronic Data Processing areas. Have fire extinguishers been installed? Are the fire instructions clearly posted in conscipicous locations? Are fire drills and training regularly conducted? Check whether the fire equipments are regularly inspected and confirmed to be in working condition. Review the maintenance agreements for the fire equipments. Ascertain that they cover current period. Check that all IT equipments are located above the floor. Is the Data Centre installed with Air Conditioners which are in working condition? Review this?. Check whether the Air conditioner is regularly maintained/serviced? Is there a reliable power supply to the Data Centre and other IT locations? Does the bank have an alternative source of power such as a stand by generator? Review whether the alternative power supply is regularly serviced? Check whether all computer equipments are supported by stand by UPS. Check the general tidiness of the Data Centre. Are there littered papers around the area?

RESULTS / WORK PAPER REF.

Interruption to information processing due to electrical power interruptions

The Data Centre is connected to an automatic Generator Set and a 30KVA MGE Galaxy 3000 UPS connected to the mains supply and the Generator set. ( ICTCP 3.6 (1) Utility Systems ) All PCs are primarily served by standalone UPS for protection against any power failures. (ICTCP 3.6 (1) Utility Systems.)

ACTIVITY Virus control

OBJECTIVE/RISK To minimize the risk of business interruptions occasioned by virus attacks on systems the bank is running on. Unapproved software causing corruption of information hence losses

KEY CONTROLS The Information Security Policy details the manner of dealing with viruses control. (Information Security Policy section 2.13) Software shall only be acquired from approved vendors only. Exceptions to this rule must be appropriately sanctioned and approved.(FA procedure manual 1.1 procurements) The bank has a standard list of permissible software packages that users can run on their computers and employees must not install other software packages or permit automatic installation routines on computers.( Information security policy manual 8.3)

AUDIT TEST Is there a formal written anti-virus policy? Check that the policy has been communicated to all employees of the bank. Verify that there is an approved list of software suppliers. Review that software obtained during the audit period was sourced from these vendors. Was any software obtained from unapproved suppliers? Check for approval for such procurements. Are only approved software installed on the banks computer system? Is there a master library for authorized software? Who controls access to this library?

RESULTS / WORK PAPER REF.

To minimize the risk of business interruptions occasioned by virus attacks on systems the bank is running on.

All attachments to electronic mail messages should be scanned with authorized virus detection software package before opening and/or execution( information security policy 5.12) Employees should not open any attachments from unknown senders without approval from the ICT department ( Information security policy manual 5.12)

Are directories periodically reviewed for any suspicious files and reports documented? Check that such reports are reviewed by the Senior Manager ICT. Check that suspicious files are quarantined and deleted from the computer hard drive and network drive.

ACTIVITY Virus control (Contd)

OBJECTIVE/RISK To minimize the risk of business interruptions occasioned by virus attacks on systems the bank is running on.

KEY CONTROLS All computers must continuously run the current version of virus detection which will be automatically downloaded to each computer when the machine is connected to DTBKs internal networks.( Information Security Policy 8.6)

AUDIT TEST Verify that anti-virus software is installed on all computers. Is the anti-virus software regularly updated for new virus definitions? Verify that diskettes are formatted before re-use. Have procedures been developed to restrict and oversee the transfer of data between machines? Check that staff members have been prohibited from sharing machines. Has all staff been advised of the virus prevention procedures? Check that staff members informs the ICT team of any suspicion of virus infection

RESULTS / WORK PAPER REF.

To minimize the risk of business interruptions occasioned by virus attacks on systems the bank is running on. To minimize the risk of business interruptions occasioned by virus attacks on systems the bank is running on.

If Users suspect infection by a virus, they must stop using the involved computer, turn-off and disconnect from all networks and call the ICT department. .( Information Security Policy 8.8)

All files downloaded from the internet will be screened with virus detection software prior to use. (Information Security policy 7.5)

Are downloads from the internet controlled by locking the hard drive and routing through the network drive to prevent viruses (if any) from spreading?

10

ACTIVITY Use of the internet

OBJECTIVE/RISK The bank has a policy regarding the use of the internet regulating the flow of data and information.

KEY CONTROLS The internet policy applies to all workers who use the internet with DTBK computing or networking resources. Internet users are expected to be familiar with and comply with the policy.( Information Security Policy 7.2) Access to the internet will be provided to only those employees who have a legitimate need for such access. ( Information Security Policy 7.3)

AUDIT TEST Is there a policy regulating the use of the internet? If so, has the policy been properly communicated to the users and awareness being maintained? Check whether access to the internet is limited to authorized personnel only. Review prior management approvals for internet access. Are there unauthorized personnel accessing the internet? Check whether firewalls (security systems used to control and restrict internet use) have been installed at the bank to protect the banks information resources. Review that all non-text files downloaded from the internet are screened for viruses prior to being used. Is there evidence of testing of non-trusted material or software prior to use.

RESULTS / WORK PAPER REF.

To minimize the risk of business interruptions occasioned by virus attacks on systems the bank is running on. To minimize the risk of business interruptions occasioned by virus attacks on systems the bank is running on. To minimize the risk of business interruptions occasioned by virus attacks on systems the bank is running on.

DBTK firewalls routinely prevent users from connecting with certain non-business web sites. . ( Information Security Policy 7.24) All non-text files (databases, software object code, spreadsheets, formatted word processing package files etc) downloaded from Non-DTBK sources via the internet will be screened with virus detection software prior to being used.( Information Security Policy 7.5) The management reserves the right to examine without prior notice all information passing through or stored on the DTBK computers. . ( Information Security Policy 7.25)

Does the management conduct random reviews of electronic mails, files on personal computers, web browser cache files, logs of web sites visited and other information stored on DTBK computers to assure compliance with internal policies? Review action taken in cases where violations are observed.

11

ACTIVITY Personnel policies

OBJECTIVE/RISK To ensure that appropriate personnel policies exist allowing for segregations of duties. Poor performance and hence productivity by staff thus adversely affecting overall performance of the Bank

KEY CONTROLS All new staff members are provided with job descriptions and are sufficiently inducted into the ICT Department. ( HR policies & Procedure manual 7.4.1) Staff members are given on-job training to enhance their skills to enable them cope with the dynamism of the ICT industry.

AUDIT TEST Are new employees recruited according to job description and specifications? Are new personnel sufficiently trained/ inducted to handle their roles as enumerated in their job descriptions? Review whether staff are regularly trained and appraised to cope with the dynamism of the ICT industry? Check whether performance reviews are conducted regularly?

RESULTS / WORK PAPER REF.

Failure to irregularities manipulations. Failure to irregularities manipulations.

discover and discover and

Roles should be separated in a manner that no one person has unlimited access to the systems Periodic job rotation will be ensured and staff members will take leave regularly. ( HR policies & Procedure manual 13.1)

Check that duties are sufficiently separated to ensure no one person has uncontrolled access to the system which could compromise system security? Are job rotations and cross training conducted periodically? Is the rotation of duties of sufficient duration to disclose any irregularities or manipulations?

12

ACTIVITY Insurance

Disaster Recovery and Business continuity plans

OBJECTIVE/RISK To ensure that there is adequate insurance to cover equipment, software and documentation, storage media, replacement cost, data loss and business loss i.e. to minimize loss of earning emanating from failure/interruption of ICT systems To minimize the risk of disruption of business operation should disasters occur/strike.

KEY CONTROLS All ICT resources must be adequately insured at all times. The insurance should cover: - Equipment - Software and storage media - Loss of data and business interruption

AUDIT TEST Review the insurance file and ensure that adequate insurance exists to cover: - equipment - software - storage media - loss of data - business loss interruption Check whether the insurance is current. Is there a comprehensive contingency/Disaster Recovery plan which is documented? Has the Disaster Recovery and Business Continuity Plans been approved by the BOD? Does the contingency plan provide for recovery and extended processing of critical applications in the event of catastrophic disaster? Are all recovery plans approved and tested to ensure their adequacy in the event of disaster?

RESULTS / WORK PAPER REF.

The ICT Continuity Plan provides a written plan outlining the ICT recovery strategy in the event of an interruption on the continuous operations.( ICT Continuity Plan Chapter 1 page 3)

Poor coordination of disaster recovery efforts

The emergency Recovery Team comprises the following members: - General Manager, Finance & Operations - General Manager, Regional Risk - Senior Manager, ICT - Manager, Operations & Projects - Manager, Administration (ICT Continuity Plan 4.1 page 32) The information assets of the Bank are divided into two main categories of Business systems and Infrastructure systems.( ICT Contingency plan 2.1 & 2.2)

Are disaster recovery teams established to support the recovery effort? Are responsibilities of individuals within disaster recovery team defined and time allocated for completion of their tasks? Check that the recovery plans are communicated to the management and to all concerned personnel?

Poor coordination of disaster recovery efforts

Does the recovery plan identify the key processing priorities? Does the plan identify the key information assets (Business Systems and infrastructure systems) deployed at the Bank.

13

ACTIVITY Disaster Recovery and Business continuity plans (contd)

OBJECTIVE/RISK Interruption of business activities due to lack of an alternative data processing location.

KEY CONTROLS The bank has implemented a Database server at a contingency site at Capital Centre Branch. The server acts as a contingency server in case of failure of the Primary Database server at the Head Office( ICT Contingency Plan 3.3 page 20) The ICT continuity Plan will be maintained every six months. The Senior Manager ICT will ensure that the plan is maintained and appropriately updated every six months. ( ICT Continuity Plan Chapter 5 page 34) The change management procedure sets out a systematic approach to dealing with change. All persons requesting change must fill the System Change Request (SCR) Form which is submitted to ICT for review and onward transmission to OpsCo for approval considerations. The SCR form must contain the following information: - request date - originating unit/department - Initial of Head of Department initiating change. - Description of proposed changes - Benefits and justification of changes - Expected impact of the Changes All changes must be documented and backed up immediately.

AUDIT TEST Verify that an off-site location has been identified and set-up for recovery operations. Has hardware and software, and operating system been installed at the off-site location? User profiles for the offsite system should be created similar to those of the main system. Review whether the disaster recovery plan is tested regularly and results documented indicating the level of preparedness? Check whether the recovery strategy is periodically reviewed and updated. Is there a duly documented and approved change management policy/procedure? Review that person/department requesting the system changes complete a System Change Requests form and submitted to ICT for review. Is the form reviewed and authorized? Check that benefits and justification for system change are indicated in the form and that approval for change is obtained from OpsCo. ( Operations Committee) Review that the proposed system change is clearly described and ICT comments included in the System Change Form. Review that the details of the impact of nonimplementation of the change are clearly outlined and considered. Are all changes to programs and systems documented and backed up immediately

RESULTS / WORK PAP REF.

The risk of the continuity plan getting outdated

System Change Management

To avoid haphazard implementation of system change. To ensure that development and changes to programs are authorized, tested and approved prior to implementation.

14

15