
Prepared as a case presentation for the IT & IS audit paper

May 3, 2012
Report Prepared by: Muhammad Kamran Imam, ICMAP Stage 6 kamranimam@rocketmail.com Registration # 20053076

Hyderabad

Security Assessment Report

Contents

Executive Summary
Introduction
Scope
Background Information
SAFWCO Physical & Environmental Security Policy
Major Concerns
Summary
Action Plan

Presented for IS & IT audit case presentation


Executive Summary
The activity was designed and conducted to assess the security risks attached to the IT operations of SAFWCO. The overall assessment results show that some controls have been implemented in this regard, but several related matters still need to be addressed and actions are yet to be taken by the organization, such as:

1. The information security policy is not fully implemented, and some matters were ignored while designing the data backup and disaster aversion policy for data management.

2. Fire security and air conditioning are not up to the mark compared with international benchmark procedures.

3. Cipher locks and access control are unavailable.

Top List
The list below contains the top findings, weaknesses, or concerns discovered during the security assessment. Some of the issues listed here come from more than one section of the assessment report findings. Additional information about each is provided elsewhere in the report. It is recommended that these be evaluated and addressed as soon as possible. They should be considered significant and may impact the operations of SAFWCO.

1. Information Security Policy

An information security policy is the primary guide for the implementation of all security measures. There is no formal policy specific to SAFWCO.

Recommendation: Develop an information security policy that specifically addresses the needs of SAFWCO and its mission. Use that policy as the basis for an effective security program.

2. Temperature and Humidity Control

There is no humidity control, and no related measurement devices are placed in the server room.

Recommendation: The server room should be visited at regular intervals to determine whether temperature and humidity are adequate. Automatic temperature and humidity measurement devices should also be installed in the server room to raise an alert on a rise in temperature.

3. Emergency Evacuation Plans (Natural Disaster)

There is no evacuation procedure for staff and other people in the event of a mishap.

Recommendation: The emergency evacuation plan should describe how to leave the facilities in an organized manner that does not leave them physically insecure.

4. Entryway Access Control

There is no entryway access control system.

Recommendation: Evaluate available and suitable entryway access systems.


Introduction
This report documents the physical security assessment of SAFWCO. The assessment identifies major lapses in the server room as well as in the related security of the IT administration room. To conduct the assessment, many points were included in the working papers, and it was made sure that all related instruments and points were checked against the standards, policies and procedures applicable to and implemented by SAFWCO.

Scope
The following activities are within the scope of this project:

1. Interviews with key staff members in charge of policy, administration, day-to-day operations, system administration, and facilities management.
2. A visual walk-through of the facilities with administrative and facilities personnel to assess physical security.
3. Testing the execution of environmental controls against practical guidelines and the related functionality of the systems.

Out of Scope

The following activities are NOT part of this security assessment:

1. Buildings, IT server rooms or facilities other than those named above.
2. Social engineering to acquire sensitive information from staff members.
3. Testing, other than of Disaster Recovery Plans, Business Continuity Plans, or Emergency Response Plans.


Background Information
Having a large number of clients, SAFWCO uses web-based software, namely MIS and FIS (for its database management and accounts operations), designed by a local programmer. All related organizational data are entered, stored and retrieved to and from a server located on the ground floor of the head office, where a room is allocated for this purpose, with an adjoining room for the IT staff. The organization has developed some limited controls for IT operations and is still in the development phase.

SAFWCO (Sindh Agriculture Forestry Workers Coordinating Organization)

SAFWCO is a microfinance institute based in Hyderabad in the Sindh province of Pakistan that mostly works with low-income men and women. The organization operates as a non-profit under section 42 of the Companies Ordinance. Its whole credit line is provided by PPAF (Pakistan Poverty Alleviation Fund) at a mark-up of 8% on the reducing balance method. There are five credit products for different clients from the low-income community. The organization works in three districts, providing micro loans to poor people in interior Sindh. Recently, due to an increase in the credit line from the donor, the organization has not only expanded phenomenally but has also developed its business value chain process. Today the collective number of clients served is more than 50,000, with Pak Rupees 1500 million disbursed to various clients for various purposes. In this year the normal volume of clients served is about 30,000, and around 400 million Pak Rupees have been disbursed.


SAFWCO Physical & Environmental Security Policy


(Glimpse of policy)

1. PURPOSE AND SCOPE

This policy provides guidance to implement minimum requirements that will reduce the exposure of computer equipment to physical and environmental damage and assist in achieving an optimum level of protection for the Organization IT Systems. The policy contained in this chapter covers all the Organization IT System resources maintained in-house or in the interest of the Organization. These policies are mandatory and apply to all organizational units, employees, contractors, and others having access to and/or using the IT System resources of the Organization. This policy applies to all IT Systems currently in existence and any new automated technology acquired after the effective date of this policy document.

BACKGROUND

In the early days of computer technology, securing the system in a controlled environment with very limited access protected the computers and the information they processed. Although major changes in computer environments have occurred, physical security is still vitally important. Physical security measures are a tangible defense that must be taken to protect the facility, equipment, and information from theft, tampering, careless misuse, and natural disasters.

POLICY

1. Staff and equipment require a safe, secure, and technically sound physical environment. While it is necessary to comply with each of the areas addressed, appropriate adjustments or allowances may be made for the organization, physical plant, and any special requirements of the individual office or facility. Deviation from the minimum requirements must be annotated on the system risk assessment and the Office Head or Facility Director must be aware of and acknowledge this deviation in the accreditation of the system.
2. There must be, at a minimum, a cipher lock or suitable substitute on each door to the computer room.
3. Only personnel who require access to perform their official duties will be permitted in the computer room.
4. A log will be kept of all personnel who were issued the combination/key to the computer room, and the person will be required to sign for that combination/key.
5. The combination of a cipher lock will be changed frequently, especially when a person who was previously given the combination leaves the organization.


6. Keys or card keys will be returned to the Organization upon separation, transfer, or termination.
7. Loss of keys or disclosure of a cipher key code will be reported to the ISO immediately.
8. A computer room access roster will be established.
9. There will be signs posted designating the room as a Restricted Area.
10. Contract maintenance personnel and others not authorized unrestricted access, but who are required to be in the controlled area, will be escorted by an authorized person at all times when they are within the controlled area.
11. All access to the computer room will be logged, and logs reviewed monthly by the ISO to determine if access is still required.
12. There shall be no signs to indicate that an information system is located in any particular building or area.
13. The main computer room should have certain structural physical security features. The computer room:
    Should be located in the center of the building
    Should not have windows
    Should have walls that extend from true floor to true ceiling
    Failure to meet these requirements must be annotated in the risk assessment
14. Media used to record and store sensitive software or data will be labeled, protected, controlled and secured when not in use.
15. Physical access controls will also be implemented not only in the area containing system hardware, but also at locations of wiring used to connect elements of the system, supporting services (such as electric power), backup media, communications closets, and any other elements required for the system's operation.
16. It is important to review the effectiveness of physical access controls in each area, both during normal business hours and at other times, particularly when an area may be unoccupied.
17. A computer room will have appropriate environmental security controls implemented, which include measures implemented to mitigate damage to IT System resources caused by fire, electrical surges and outages, water, and climate control failure.

Fire & Smoke

Install smoke detectors near computer equipment and check them periodically.
Keep fire extinguishers in and near computer rooms, and be sure all those with authorized access know where they are and how to use them.
Enforce no smoking, no eating, and no drinking policies.
Periodically hold fire drills.
Keep all rooms containing computers at reasonable temperatures, following manufacturers' recommendations.

Climate

Keep the humidity level at 20-30 percent.
Install gauges and alarms that warn you if the environmental controls are getting out of range. These alarms will be monitored at all times.
Equip all heating and cooling systems with air filters to protect against dust and other particulate matter.

Water

Protect your systems from the various types of water damage. Flooding can result from rain or ice buildup outside, toilet or sink overflow inside, or water from sprinklers used to fight a fire.
Maintain plastic sheeting to protect the equipment if the sprinklers go off.
Avoid locating computer rooms in the basement.

Electricity

Connect all IT System resources to an uninterruptible power supply (UPS) that is tested periodically.
Connect all critical IT System equipment to backup emergency generators.
Install anti-static carpeting in each facility.
Install a line filter on your computers' power supply. A voltage spike can destroy a computer's power supply.


Major Concerns
Listed below are the concerns discovered during the assessment relating to policy. These are considered significant, and steps should be taken to address them.

1. Implementation of Information Security Policy

Explanation
SAFWCO has no information/data security policy that is specific to its needs and goals.

Risk
There are several risks in not having an information security policy. Mistakes can be made in strategic planning without a guideline for security. Resources may be wasted protecting low-value assets while high-value assets go unprotected. Without a policy, all security measures are merely ad hoc in nature and may be misguided.

Recommendations
Periodically review and update the policy.

2. Fire Extinguishers

Explanation
All the related fire extinguishers are either placed inside the server room where all..

Risk
There is a possibility that, at the time of an outbreak of fire at the facility, the fire extinguishers will not be available to the relevant person, which may cause heavy damage despite the available remedy.

Recommendations
There should be a well-known and marked position in the office that all staff can easily access. There should also be training for staff on how to tackle fire and how to operate extinguishers. It is recommended to use FM 200 gas as the fire suppression system, as it is environment friendly. This agent suppresses fire by discharging as a gas onto the surface of combusting materials. Large amounts of heat energy are absorbed from the surface of the burning material, lowering its temperature below the ignition point. FM-200 fire suppression systems have low atmospheric lifetimes, global warming and ozone depletion potentials. Fire alarms should be placed strategically throughout the facility. The resulting audible alarm should be linked to a monitored guard station.

3. Air Conditioning

Explanation
There is no efficient air conditioning system installed in the server room for maintaining a constant temperature.

Risk
Heat may not be removed easily from the systems' heat sinks and may cause damage to servers and related computers.

Recommendations
It is recommended to keep the temperature of the server room under control, because network devices dissipate large amounts of heat when in the working state. A/C should therefore be installed and kept in working state to reduce the temperature of the server room and keep the devices working efficiently.

4. Temperature and Humidity Control

Explanation
No temperature and humidity measurement device is installed in the IT/server room.

Risk
In the absence of temperature and humidity measurement devices, increased temperature in the server room cannot be measured, which results in inefficiency of the network devices. If the humidity is outside the normal range, the network equipment starts showing signs of corrosion, resulting in permanent loss of systems and data.

Recommendations
The server room should be visited at regular intervals to determine whether temperature and humidity are adequate. Automatic temperature and humidity measurement devices should also be installed in the server room to raise an alert on a rise in temperature.

5. Smoke Detectors

Explanation
There are no multiple smoke detectors installed in the IT/server room; the major area is not covered for efficient detection of fire.

Risk
The absence of smoke detectors and fire alarms means that the presence of fire in the server room will not be indicated, which will result in damage to equipment and hence financial loss.

Recommendations
Smoke detectors should be installed above and below the ceiling tiles throughout the facilities and below the raised computer room floor. The detectors should produce an audible alarm when activated and be linked to a monitored station (preferably by the fire department). The location of the smoke detectors above the ceiling tiles and below the raised floor should be marked on the tiling for easy identification and access. Smoke detectors should supplement, not replace, fire suppression systems.

6. Measures for Lightning, Storms, Floods and Other Natural Disasters

Explanation
There is no reliable estimate or expectation of any of the above natural disasters, but there are considerable chances of floods and lightning problems, as well as electromagnetic waves.

Risk
The head office building is located near a river bank that is half a mile away from the building. Last year's flood and this year's rains have created a risk of flooding for the head office building. No earthquake incident has been reported in the city, only slight tremors of low magnitude, but earthquakes can never be ruled out of the probable natural disasters.

Recommendations
Shifting the server room from the ground floor to the first floor may easily remove the flood risk. There should be no window in the room, and the ceilings and floor must be insulated from fire and heat with suitable materials. The form and storage location of data copies can be changed once it is assumed that there is a natural disaster risk to IT operations. Short-term interruptions, such as sags, spikes and surges, can be controlled by UPS devices. Long-term interruptions, which last from a few hours to several days, require the use of alternate power generators. Anti-static flooring is required in the server room.

7. Emergency Evacuation Plans (Natural Disaster)

Explanation
We noted that there are no procedures defined for the emergency evacuation of employees in case of any disaster.

Risk
In the absence of a properly documented and tested emergency evacuation plan, there is a threat to life if employees are not aware of the emergency exits/procedures in case of a disaster.

Recommendations
The emergency evacuation plan should describe how to leave the IPFs (information processing facilities) in an organized manner that does not leave the facilities physically insecure. A sample of IS employees should be interviewed to determine whether they are familiar with the documented plan. The emergency evacuation plans should be posted throughout the facilities.

8. Building Concerns: Several Key Doors Within the Building Are Unlocked or Can Be Forced Open

Explanation
There are several important doors in the interior SAFWCO office area that are normally unlocked or can be forced open even when locked. The door to the utility room is a hollow-core wooden door with no lock. The utility room contains the wiring panel for the telephones, a junction for the fiber optic cable, and the alarm system box. The system administrator's office, which contains the files, is usually unlocked and open.

Risk
These doors protect valuable assets of SAFWCO. A determined attacker, thief, or disgruntled employee could get through these important doors with minimal effort to steal and/or destroy.

Recommendations
Replace the current doors with stronger fire doors. Replace the existing door hardware with high-security locks.

9. Security Perimeter Concerns

Explanation
An entryway access control system limits physical access to a secure area to authorized personnel with the correct PIN or access card. These systems have either a control panel where a correct PIN must be entered before entry is allowed, or a unique access card (contact or contactless) for each person to enter. Advanced systems provide log information each time personnel enter the secure area.

Risk
There are several risks in not having an entryway access control system. Unauthorized people can enter secure areas unescorted. There is no record of personnel entries into secure areas. It is not possible to disable access for a specific person.

Recommendations
Evaluate available and suitable entryway access systems. Develop appropriate procedures for assigning and removing access. Install an appropriate system and assign access rights.
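The monthly roster-versus-log review that policy items 4, 5, 8 and 11 call for, and that the missing entry record and per-person revocation noted in this concern would make possible, as an added example that is not SAFWCO's own tooling. The roster, log entries and last combination-change date are constructed sample data; the escort rule follows policy item 10.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class RosterEntry:                       # one line of the access roster (policy items 4 and 8)
    person: str
    issued_on: date                      # date the person signed for the combination/key
    separated_on: Optional[date] = None  # set on separation, transfer or termination (item 6)

@dataclass(frozen=True)
class AccessEvent:                       # one entry of the computer room access log (item 11)
    when: date
    person: str
    escorted_by: Optional[str] = None    # non-roster visitors must be escorted (item 10)

# Constructed sample data, not real SAFWCO records.
ROSTER = [
    RosterEntry("admin.a", date(2011, 1, 10)),
    RosterEntry("admin.b", date(2011, 6, 1)),
    RosterEntry("ex.staff", date(2010, 3, 5), separated_on=date(2012, 4, 12)),
]
ACCESS_LOG = [
    AccessEvent(date(2012, 3, 28), "admin.b"),                          # before the review period
    AccessEvent(date(2012, 4, 3), "admin.a"),
    AccessEvent(date(2012, 4, 20), "ex.staff"),                         # entered after separation
    AccessEvent(date(2012, 4, 22), "vendor.x", escorted_by="admin.a"),  # escorted visitor, permitted
    AccessEvent(date(2012, 4, 25), "vendor.y"),                         # unescorted, not on roster
]
LAST_COMBINATION_CHANGE = date(2012, 1, 1)

def review_access(roster, log, period_start, period_end, last_combination_change):
    """Reconcile one review period of the access log against the roster.

    Flags non-roster entrants without an active escort, roster members entering outside
    their validity window, active members who never used their access (item 11), and
    whether the combination must be changed because someone left after it was last set (item 5).
    """
    by_person = {r.person: r for r in roster}

    def is_active(person, on):
        entry = by_person.get(person)
        return (entry is not None and entry.issued_on <= on
                and (entry.separated_on is None or on < entry.separated_on))

    findings = {"unauthorized": [], "outside_validity": [], "unused_access": [],
                "change_combination": False}
    used = set()
    for ev in sorted(log, key=lambda e: e.when):
        if not period_start <= ev.when <= period_end:
            continue
        if is_active(ev.person, ev.when):
            used.add(ev.person)
        elif ev.person in by_person:
            findings["outside_validity"].append((ev.when.isoformat(), ev.person))
        elif ev.escorted_by is not None and is_active(ev.escorted_by, ev.when):
            used.add(ev.escorted_by)  # the escort was present, so the escort's access is in use
        else:
            findings["unauthorized"].append((ev.when.isoformat(), ev.person))

    for entry in roster:
        if entry.separated_on is None and entry.person not in used:
            findings["unused_access"].append(entry.person)   # candidate for revocation
        if entry.separated_on is not None and entry.separated_on > last_combination_change:
            findings["change_combination"] = True
    return findings

def run_sample_review():
    """Review April 2012 over the constructed sample data."""
    return review_access(ROSTER, ACCESS_LOG, date(2012, 4, 1), date(2012, 4, 30),
                         LAST_COMBINATION_CHANGE)

if __name__ == "__main__":
    print(run_sample_review())
```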

10. Backup Media Concerns

Explanation
The backup media are stored near the backup system on an open shelf in the server area. The media could be stolen, misplaced, accidentally erased, dropped, or destroyed in a fire. If a system or data must be recovered, the media may not be available or functional when needed.

Risk
The operation of SAFWCO can be impacted if the backup media are not available due to theft, damage, or fire.

Recommendations
Purchase and install a lockable, fireproof media safe. Secure it to the floor and/or wall.


Summary
1. There is no reliable estimate or expectation of any of the above natural disasters, but there are considerable chances of floods and lightning problems, as well as electromagnetic waves.

2. An entryway access control system limits physical access to a secure area to authorized personnel with the correct PIN or access card. These systems have either a control panel where a correct PIN must be entered before entry is allowed, or a unique access card (contact or contactless) for each person to enter. Advanced systems provide log information each time personnel enter the secure area.

3. The backup media are stored near the backup system on an open shelf in the server area. The media could be stolen, misplaced, accidentally erased, dropped, or destroyed in a fire. If a system or data must be recovered, the media may not be available or functional when needed.

4. The door to the utility room is a hollow-core wooden door with no lock. The utility room contains the wiring panel for the telephones, a junction for the fiber optic cable, and the alarm system box. The system administrator's office, which contains the files, is usually unlocked and open.

5. There is no efficient air conditioning system installed in the server room for maintaining a constant temperature.

6. In the absence of temperature and humidity measurement devices, increased temperature in the server room cannot be measured, which results in inefficiency of the network devices. If the humidity is outside the normal range, the network equipment starts showing signs of corrosion, resulting in permanent loss of systems and data.


Action Plan
1. It is recommended to keep the temperature of the server room under control, because network devices dissipate large amounts of heat when in the working state. A/C should therefore be installed and kept in working state to reduce the temperature of the server room and keep the devices working efficiently.

2. It is recommended to use FM 200 gas as the fire suppression system, as it is environment friendly. This agent suppresses fire by discharging as a gas onto the surface of combusting materials. Large amounts of heat energy are absorbed from the surface of the burning material, lowering its temperature below the ignition point. FM-200 fire suppression systems have low atmospheric lifetimes, global warming and ozone depletion potentials.

3. Fire alarms should be placed strategically throughout the facility. The resulting audible alarm should be linked to a monitored guard station.

4. The server room should be visited at regular intervals to determine whether temperature and humidity are adequate. Automatic temperature and humidity measurement devices should also be installed in the server room to raise an alert on a rise in temperature.

5. Smoke detectors should be installed above and below the ceiling tiles throughout the facilities and below the raised computer room floor. The detectors should produce an audible alarm when activated and be linked to a monitored station (preferably by the fire department). The location of the smoke detectors above the ceiling tiles and below the raised floor should be marked on the tiling for easy identification and access. Smoke detectors should supplement, not replace, fire suppression systems.

6. Short-term interruptions, such as sags, spikes and surges, can be controlled by UPS devices. Long-term interruptions, which last from a few hours to several days, require the use of alternate power generators.

7. Other concerns, outside of natural threats, are man-made. They include terrorist threats/attacks, vandalism, electrical shock and equipment failure.

8. To reduce the risk of flooding, the computer room should not be located in the basement or on the top floor. If located in a multistory building, studies show that the best location for the computer room, the location which reduces the risk of fire, smoke and water damage, is on the middle floors (e.g., third, fourth, fifth or sixth floor).
