Case Study - Security
How to secure a Bank's Effectiveness
The review methodology included:
High level audit plan and terms of reference
Detailed audit plan
Preparation of ICQs and audit program
Interviews and discussions with process owners and key players
Review of documentation and application and mapping to business process
Extensive testing to establish effectiveness, integrity and reliability
Data collection and analysis using CAATs to verify reliability and integrity of data, interfaces and processing
Draft audit report and management response
Sify also provided training on COBIT and IS Audit Best Practices by conducting intensive workshops involving case studies, group discussions and a COBIT exam. The training program comprised 'on the job' practical sessions on the methodology of conducting IS Audit.
IMPLEMENTATION CHALLENGES
Though the core banking applications had been running at the bank for over 3 years, they had never been audited before. The initial configurations of CBS remained intact. Over the years, more interfaces/integrations were brought into the system but they were not properly documented.
Sify realized the need for frequent communication between the project team and the business users. It set up several communication interfaces that proved effective in addressing the implementation challenges.
Sify's team, along with the bank's management, focused on formal kick-off meetings and presentations to chief executives, team leaders and process owners. This interface was used for the delivery, discussion and finalization of draft audit reports for every application. The practice heads made mid-course reviews and presentations to the bank's senior management.
The client is a leading bank in Mauritius with over 25% market share of domestic commercial banking assets. The bank has modern service delivery channels comprising 102 ATMs and 1400 point-of-sale terminals, apart from phone banking, Internet banking and e-commerce banking solutions.
The bank had implemented a Core Banking Solution (CBS) of a leading banking finance provider from India that covers corporate, retail, treasury and various delivery operations of the bank. In view of the business criticality of CBS, the bank decided to carry out a comprehensive post-implementation review by a third-party testing and business assurance service provider.
The bank turned to Sify, a global provider of information assurance consulting solutions, to perform an independent assessment of the CBS. As part of the assurance program, the bank also engaged Sify to conduct a training program on best practices in IS Audit and COBIT, an IT governance framework.
Deliverables
Sify Assure engaged a strategic project team comprising banking professionals with extensive working knowledge in banking technology and IT management. The project team conducted the 'test of design' and 'test of effectiveness' of controls relating to CBS and other solutions and delivery systems integrated with the application.
Assessing Controls
Sify's review focused primarily on the application controls and IT process controls in terms of effectiveness, security, and reliability.
While carrying out the application controls review, it covered IT process reviews of policies and procedures, change management, problem management, maintenance, back-up/restore and disaster recovery.
While assessing the user / parameter / security administration processes, Sify ensured that there was proper segregation of duties, role definitions and supervisory control on sensitive tasks such as reports, log monitoring, maker / checker etc.
Sify also conducted supervisory reviews of process integrity and availability of the client's data center operations.