Application Control Review - wirc-icai.org (PDF transcript)

Application Control Review

August 4, 2012

Application Controls Review - Scope

- Web security
- Access Controls
- Password Controls
- Service Level Agreement
- Data Backup
- Data Retention and Retrieval
- System Documentation
- Application Security Life Cycle (ASLC)
- Database Access Controls
- Perimeter Security Controls
- Interface Controls
- Change Management
- Data Sanitisation
- Business Continuity/Disaster Recovery Plan
- Input, Processing and Output Controls
- Backend Update Controls
- Review of application logs
- Customer/user complaints
- Database
- Operating system
- Web servers
- Networking and Security of Assets

Web Security

- Segregation between internet and intranet architecture of the application
- Data encryption while in transit on third party networks
- Forced browsing or directory/path traversal not allowed
- SQL injection not allowed
- Hidden form fields not used in validations
- Adequate session management
- Critical data encrypted while in storage
- Adequate server side validations used in client data input validations
- Vulnerability analysis and penetration testing
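Two of the checks above (path traversal and SQL injection) are easiest to review against concrete server-side code. The following is an added example, not code from the WIRC-ICAI presentation or from any application it reviewed; the document root, the customer table and its rows are constructed for the demo.

```python
"""Added example, not part of the presentation: two of the web security
checks above as server-side code a reviewer can exercise. The document
root, table and sample rows are constructed for the demo."""
import os
import sqlite3
from typing import List, Optional, Tuple

# Assumed download directory; a real deployment would configure its own.
DOC_ROOT = os.path.realpath("/srv/app/public")


def safe_document_path(user_supplied: str) -> Optional[str]:
    """Resolve a client-supplied file name inside DOC_ROOT.

    realpath() collapses '..' segments and symlinks before the prefix
    check, which is what 'forced browsing / path traversal not allowed'
    needs; scanning the raw string for '..' would miss normalised or
    symlinked variants. Returns None when the path escapes the root.
    """
    candidate = os.path.realpath(os.path.join(DOC_ROOT, user_supplied))
    if candidate == DOC_ROOT or candidate.startswith(DOC_ROOT + os.sep):
        return candidate
    return None


def find_customer_by_email(conn: sqlite3.Connection, email: str) -> List[Tuple]:
    """Look up a customer with a bound parameter.

    The value can never alter the statement's structure, so the
    'SQL injection not allowed' check reduces to confirming that no code
    path builds SQL by string-formatting user input.
    """
    cur = conn.execute("SELECT id, name FROM customer WHERE email = ?", (email,))
    return cur.fetchall()


def demo_connection() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customer VALUES (?, ?, ?)",
        [(1, "Asha", "asha@example.com"), (2, "Ravi", "ravi@example.com")],
    )
    return conn


if __name__ == "__main__":
    print(safe_document_path("reports/q1.pdf"))      # stays inside the root
    print(safe_document_path("../../etc/passwd"))    # None: escapes the root
    conn = demo_connection()
    print(find_customer_by_email(conn, "asha@example.com"))
    # A quoting trick arrives as plain data and matches no row.
    print(find_customer_by_email(conn, "' OR '1'='1"))
```

During a review, the useful test is to feed each function the escaping or quoting inputs and confirm that the first returns None and the second returns no rows; the code paths that concatenate user input into a path or a statement are the ones to flag.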

Access Controls

- Whether user access rights justify their job roles
- Whether Administrators have access to transaction menus/master parameter settings
- Whether any unauthorised users are being provided access to any critical application file/data folders/menus etc.
- Whether sample user creation requests as per LAM meet the actual user rights in the system
- Whether a periodical review of user access rights is carried out
- Review of the profiles created in the application carried out periodically for validity, jointly with the user groups
- Whether profiles as per the ACM and per application are documented

Password Controls

- Password policy enforcement (length, expiry, complexity, history, periodic change, repetition, etc.) as per the Security Policy
- Password is not shown on screen when typed and is encrypted in the database
- Initial passwords or reset passwords should not be communicated to users through unsecured means such as unprotected clear text emails
- System forces the user to change the password on first login or first usage after a reset
- System allows users to change their password on their own
- Are there any default passwords in use?
- User account is locked after x unsuccessful attempts or x days of inactivity
- User is informed of his last login date and time
- Application does not allow concurrent logins for the same user
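The lockout, forced-change and single-session items above are easier to test against a small model of the account state. The following is an added example, not from the presentation or any application it describes; the thresholds, user ids, passwords and clock values are constructed, and the PBKDF2 storage is one reasonable choice for "encrypted in database", not a scheme the page prescribes.

```python
"""Added example, not part of the WIRC-ICAI presentation: a minimal
account model that enforces the password controls listed above.
Thresholds, user names and clock values are constructed for the demo."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILED_ATTEMPTS = 5      # lock after x unsuccessful attempts
INACTIVITY_LOCK_DAYS = 90    # lock after x days without a login
MIN_LENGTH = 12              # one element of the password policy


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str
    salt: bytes
    password_hash: bytes
    must_change_password: bool = True   # true for initial and reset passwords
    failed_attempts: int = 0
    locked: bool = False
    last_login: Optional[datetime] = None
    active_session: Optional[str] = None


def create_account(user_id: str, initial_password: str) -> Account:
    salt = os.urandom(16)
    return Account(user_id, salt, hash_password(initial_password, salt))


def login(acct: Account, password: str, session_id: str, now: datetime) -> dict:
    """Evaluate one login attempt and update the account state."""
    if acct.locked:
        return {"ok": False, "reason": "locked"}
    if acct.last_login and now - acct.last_login > timedelta(days=INACTIVITY_LOCK_DAYS):
        acct.locked = True
        return {"ok": False, "reason": "locked: inactivity"}
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            return {"ok": False, "reason": "locked: failed attempts"}
        return {"ok": False, "reason": "bad password"}
    if acct.active_session is not None:
        return {"ok": False, "reason": "concurrent login"}
    previous = acct.last_login          # shown to the user after login
    acct.failed_attempts = 0
    acct.last_login = now
    acct.active_session = session_id
    return {"ok": True, "previous_login": previous,
            "must_change_password": acct.must_change_password}


def logout(acct: Account, session_id: str) -> None:
    if acct.active_session == session_id:
        acct.active_session = None


def change_password(acct: Account, old: str, new: str) -> bool:
    """Self-service change; clears the forced-change flag on success."""
    if not hmac.compare_digest(hash_password(old, acct.salt), acct.password_hash):
        return False
    if len(new) < MIN_LENGTH or new == old:
        return False
    acct.salt = os.urandom(16)
    acct.password_hash = hash_password(new, acct.salt)
    acct.must_change_password = False
    return True
```

A review walks exactly these paths: wrong password repeated x times, a second session while one is open, a login after x days of inactivity, and the first login after a reset. Password history is not modelled here; a full implementation keeps the previous hashes and rejects a new password that matches one of them.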

Service Levels

- Whether an AMC/SLA for application support exists with clear mention of the scope of services and the basis for billing/charges
- Whether any of the AMC/SLA terms are inadequate, unreasonable or inconsistent vis-a-vis the IT Security policy
- Whether the terms of the SLA are periodically monitored for compliance, e.g. review sample payments made to the service provider as per the SLA clause for support services
- Whether proper approval exists for support services/annual maintenance contract
- Whether payments made to vendors for CRs etc. are tracked vis-a-vis SLA/AMC terms and the approvals

Database Access Controls

- Whether any backend database update can be carried out
- Whether users have direct database access
- Whether critical passwords such as the database connection string are encrypted when stored
- Whether a procedure is laid down to correct data errors/problems observed at the database level, and whether database integrity is monitored through periodic reports
- Review which user ID is used for troubleshooting at application and database level and identify its privileges
- How this ID's credentials are protected and its usage monitored for unauthorised activities

Perimeter Security Controls

- Review the firewall rules for internet facing applications
- Enquire about the services and protocols allowed on ports (other than 80 or 443) for web servers, and on non-database ports on the database server in the DMZ
- Whether appropriate justification and approval are available for these services
- Network based security controls implemented for third party systems connecting to the network, e.g. firewall

Interface Controls

- See the related documentation and architecture diagram to understand the interface, and review the interface log files
- Whether adequate interface logs are generated and maintained for automated interfaces with the application
- Whether system checks exist (through interface logs etc.) to detect or restrict failures/errors/omissions/duplicate records during interface data exchange
- Whether the authentication/authorisation procedure between the interfacing applications is weak, e.g. clear text passwords, invalidated user credentials, unrestricted permissions for the interfacing user ID or unrestricted access to interfacing programs etc.
- Whether folders/servers used for transfer have unauthorised access

Change Management

- Review sample Change Requests (CRs) for type of CR, process flow and supporting documentation as given herein
- Review pending CRs for status, reasons and monitoring, ageing of CRs and the risk attached
- Review the ACM for related authorisations
- Whether deployment approval from the Business Head is sought before deployment of a CR to live
- Whether adequate testing (e.g. unit/system/regression testing) is carried out prior to deployment in live
- Whether UAT sign-off is evidenced
- Whether a proper BRS is available in support of CRs which are deployed or in process of development
- Whether test cases/test results are available
- Whether release notes are obtained from the vendor for important patches/CR deliveries with proper reference to the CRs

Data Sanitisation

- Whether customer demographics or any other sensitive data are sanitised in the UAT environment
- Whether developers have access to the live environment
- Whether there is proper segregation of Development, UAT and Live environments
- Whether UAT is in sync with live; if yes, how is this evidenced?
- Whether segregation of duties and roles is clearly defined between the development and production support teams
- Whether adequate procedure and documentation exist for moving program changes to live
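The first item above, and the Learnings entry about demographic details copied unsanitised into test, come down to a masking step run before live data reaches UAT. The following is an added example, not from the presentation: keys needed for testing (customer_id, account_no) are kept, while name, contact and ID details are replaced by keyed pseudonyms so joins across tables still line up without the real values. The records, field names and masking key are constructed; in practice the key stays outside the UAT environment.

```python
"""Added example, not part of the presentation: masking customer
demographics before a copy of live data is loaded into UAT. Records
and the masking key are constructed; the key must never travel with
the data into UAT."""
import hashlib
import hmac
from typing import Dict, List

# Constructed key; do not copy into UAT with the data.
MASK_KEY = b"constructed-masking-key-do-not-reuse"

# Constructed live records.
LIVE_CUSTOMERS = [
    {"customer_id": "C-1001", "account_no": "000123456789", "name": "Asha Mehta",
     "email": "asha.mehta@example.com", "phone": "9876500001",
     "address": "12 Example Road, Mumbai", "id_number": "ABCDE1234F"},
    {"customer_id": "C-1002", "account_no": "000123456790", "name": "Ravi Kumar",
     "email": "ravi.kumar@example.com", "phone": "9876500002",
     "address": "7 Sample Street, Pune", "id_number": "FGHIJ5678K"},
]

PII_FIELDS = ("name", "email", "phone", "address", "id_number")


def pseudonym(field: str, value: str) -> str:
    """Deterministic keyed token: same input -> same token, no way back
    without the key, and different fields never collide."""
    mac = hmac.new(MASK_KEY, f"{field}:{value}".encode(), hashlib.sha256)
    return mac.hexdigest()


def sanitise_customer(rec: Dict[str, str]) -> Dict[str, str]:
    """Return a UAT-safe copy; keys used by test cases are left intact."""
    out = dict(rec)
    out["name"] = "CUST " + pseudonym("name", rec["name"])[:8].upper()
    out["email"] = pseudonym("email", rec["email"])[:12] + "@uat.invalid"
    # Keep the 10-digit phone shape so field validations in UAT still pass.
    out["phone"] = str(int(pseudonym("phone", rec["phone"]), 16) % 10**10).zfill(10)
    out["address"] = "MASKED ADDRESS"
    out["id_number"] = "X" + pseudonym("id_number", rec["id_number"])[:9].upper()
    return out


def leaked_values(live: List[dict], sanitised: List[dict]) -> List[str]:
    """Post-load check: no original PII value survives anywhere in the copy."""
    originals = {r[f] for r in live for f in PII_FIELDS}
    haystack = " ".join(str(v) for r in sanitised for v in r.values())
    return sorted(v for v in originals if v in haystack)


if __name__ == "__main__":
    uat = [sanitise_customer(r) for r in LIVE_CUSTOMERS]
    for r in uat:
        print(r)
    print("leaked:", leaked_values(LIVE_CUSTOMERS, uat))
```

The leaked_values check is the evidence an auditor asks for: run it over the loaded UAT tables against the live extract and keep the empty result with the load record.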

Business Continuity/Disaster Recovery (DR)

- Whether the DR plan document is adequate in terms of its contents/scope/coverage of system components/activities
- Whether DR drills are carried out at regular intervals; whether DR drill reports are available
- Whether the coverage of DR drills and participation is as per the test plan given in the document
- Whether any significant deficiency was noted in a DR drill

Input, Processing and Output Controls

- Whether the system accepts any invalid/out of range/incorrect or duplicate data inputs
- Whether data accuracy for critical fields is implemented through range checks, validity checks and duplicate checks
- Whether adequate system controls are built to identify data entry errors/exceptions (such as invalid inputs, duplicate items, backdated entries etc.)
- In case of batch uploads, whether the system checks that all transactions in a batch file are uploaded without any omission or errors, and whether adequate batch upload controls (such as control totals tallying) exist
- Check whether erroneous records are segregated with a rejection report/reasons
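The batch upload items above, and the Interface Controls item about detecting failures, omissions and duplicates during data exchange, describe one validator: tally the sender's control totals against what was received, apply range, validity and duplicate checks per record, and segregate rejects with reasons. The following is an added example, not from the presentation; the file layout (a control header followed by CSV records), the thresholds and the records are constructed.

```python
"""Added example, not part of the presentation: a batch-upload validator
with control-total tallying, per-record checks and a rejection report.
The file layout, limits and records are constructed for the demo."""
import csv
from datetime import date

# Constructed batch: header carries the sender's control totals, then
# records of transaction id, account, amount, value date.
SAMPLE_BATCH = """\
H,RECORDS=5,AMOUNT_TOTAL=5580.00
TXN1001,ACC-0001,1500.00,2012-08-01
TXN1002,ACC-0002,-20.00,2012-08-01
TXN1003,ACC-0003,2000.00,2012-08-02
TXN1001,ACC-0001,1500.00,2012-08-01
TXN1004,ACC-0004,600.00,2012-07-01
"""

MAX_AMOUNT = 1_000_000.00   # assumed range check
MAX_BACKDATE_DAYS = 7       # assumed backdating tolerance


def parse_header(line: str) -> dict:
    parts = line.split(",")
    if parts[0] != "H":
        raise ValueError("missing control header")
    totals = dict(p.split("=") for p in parts[1:])
    return {"records": int(totals["RECORDS"]),
            "amount_total": float(totals["AMOUNT_TOTAL"])}


def validate_batch(text: str, today: date) -> dict:
    """Validate every record, segregate rejects with reasons and tally the
    sender's control totals against what was actually received."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = parse_header(lines[0])
    accepted, rejected, seen = [], [], set()
    received_count, received_total, accepted_total = 0, 0.0, 0.0
    for row in csv.reader(lines[1:]):
        txn_id, _acct, amount_s, date_s = row
        received_count += 1
        reasons = []
        try:
            amount = float(amount_s)
            received_total += amount
            if not 0 < amount <= MAX_AMOUNT:
                reasons.append("amount out of range")
        except ValueError:
            amount = 0.0
            reasons.append("amount not numeric")
        try:
            if (today - date.fromisoformat(date_s)).days > MAX_BACKDATE_DAYS:
                reasons.append("backdated entry")
        except ValueError:
            reasons.append("invalid date")
        if txn_id in seen:
            reasons.append("duplicate transaction id")
        seen.add(txn_id)
        if reasons:
            rejected.append({"txn": txn_id, "reasons": reasons})
        else:
            accepted.append(txn_id)
            accepted_total += amount
    return {
        "accepted": accepted,
        "accepted_total": round(accepted_total, 2),
        "rejected": rejected,                       # the rejection report
        "count_matches": received_count == header["records"],
        "total_matches": round(received_total, 2) == header["amount_total"],
    }


if __name__ == "__main__":
    result = validate_batch(SAMPLE_BATCH, date(2012, 8, 4))
    for item in result["rejected"]:
        print(item["txn"], ", ".join(item["reasons"]))
    print("control totals tally:", result["count_matches"] and result["total_matches"])
```

Control totals are compared against everything received, not only the accepted records: a mismatch there means the file was truncated or altered in transit, which is a different finding from a record that fails validation. A batch with its last line missing fails both tallies while the individual records still validate.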

Input, Processing and Output Controls (contd.)

- Review the critical functionalities wherein complex data processing is involved, e.g. interest calculation etc.
- Review the documentation for such data processing logic (whether built in as part of an application feature or developed through a report etc. during customisation)
- Check whether bulk processing of inputs through batch uploads may result in any exceptional data item being processed erroneously

Data Backup Controls

- Whether a backup policy/procedure is laid down for frequency, type of backup, media, period, contents/files to be backed up, storage location, restoration testing, media recycle/rotation schedule etc. and conveyed to the DB Administrator
- Backup is performed through systemic controls at regular intervals as per the backup policy set up (e.g. Net Backup). Review the backup logs/alerts generated and sent to the application owner for success or failure of scheduled backup activity
- Check whether a copy of the backup is kept at an off-site location. Review the process of off-site storage and labelling of the off-site backup copy
- Check the latest backup restoration testing confirmation for critical database files as well as application files, as confirmed by the user

Data Retention and Retrieval

- Whether any data is purged in the application
- Whether data retention and data purging procedures are documented for the application data
- Whether any guideline relating to data retention is applicable to the data in the application
- Whether any data required to be retained has been purged
- Whether data retrieval is tested for the data to which the data retention policy is applicable

System Documentation

- Whether updated user and system manuals are available
- Whether these manuals cover all application modules, including critical data processing logic and all interfaces (such as interest calculation or bucketing of overdues etc.) and menus/sub-menus, and explain their functionalities
- Documentation is updated periodically for all changes

Application Security Life Cycle (ASLC)

- Identify the various types of data being processed by the application
- Check whether data classification is done as per the IS Security Policy through a formal document
- Verify whether adequate data protection controls are adopted for handling of sensitive data as per the said policy (e.g. data exchanged outside the network or through removable media in unencrypted form or in an unsecured way without any control)
- Whether documents required for the ASLC risk assessment (including SOP etc.) are completed and submitted
- Whether RR sign-off is obtained; review the open items
- Periodic review of ASLC

Other Controls

- Database
- Operating System
- Web servers
- Networking and Security of Assets

Best Practices

User Management

- Generic / extraneous users present
  - Good Practice:
    - Process to manage default / transferred / ex-employee users
    - Periodic review vis-à-vis HR records
    - Periodic confirmation from the user's supervisor
- Excess privileges assigned to users
  - Good Practice:
    - Periodic Access Control Matrix sign-off
    - Business function vis-à-vis application profile
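The periodic review vis-à-vis HR records and the Access Control Matrix sign-off above (and the Learnings entry about transferred/resigned employees still active) can be run as a reconciliation over three exports: the application's user list, HR records and the signed-off ACM. The following is an added example, not from the presentation; every record, field name and department is constructed.

```python
"""Added example, not part of the presentation: periodic review of
application users against HR records and the Access Control Matrix.
All records and field names are constructed assumptions."""
from datetime import date
from typing import List, Tuple

# Constructed application user export.
APP_USERS = [
    {"user_id": "u1001", "emp_no": "E100", "profile": "TELLER", "status": "ACTIVE"},
    {"user_id": "u1002", "emp_no": "E101", "profile": "ADMIN", "status": "ACTIVE"},
    {"user_id": "u1003", "emp_no": "E102", "profile": "TELLER", "status": "ACTIVE"},
    {"user_id": "batchsvc", "emp_no": None, "profile": "ADMIN", "status": "ACTIVE"},
    {"user_id": "u1004", "emp_no": "E999", "profile": "TELLER", "status": "ACTIVE"},
    {"user_id": "u1005", "emp_no": "E103", "profile": "TELLER", "status": "DISABLED"},
]

# Constructed HR records: employee number -> department and leaving date.
HR_RECORDS = {
    "E100": {"dept": "Branch Ops", "left_on": None},
    "E101": {"dept": "Branch Ops", "left_on": date(2012, 6, 30)},  # resigned
    "E102": {"dept": "Treasury", "left_on": None},                  # transferred out of Branch Ops
    "E103": {"dept": "Branch Ops", "left_on": date(2012, 5, 15)},
}

# Constructed ACM: profiles each department's staff may hold.
ACM = {"Branch Ops": {"TELLER"}, "IT": {"ADMIN"}, "Treasury": {"DEALER"}}


def review_users(users, hr, acm, review_date: date) -> List[Tuple[str, str]]:
    """Return (user_id, finding) pairs for active ids that fail the review."""
    findings = []
    for u in users:
        if u["status"] != "ACTIVE":
            continue  # disabled ids are out of scope for this check
        if not u["emp_no"]:
            findings.append((u["user_id"], "generic id with no named owner"))
            continue
        emp = hr.get(u["emp_no"])
        if emp is None:
            findings.append((u["user_id"], "owner not found in HR records"))
            continue
        if emp["left_on"] and emp["left_on"] <= review_date:
            findings.append((u["user_id"], f"owner left on {emp['left_on']} but id still active"))
            continue
        if u["profile"] not in acm.get(emp["dept"], set()):
            findings.append((u["user_id"], f"profile {u['profile']} not allowed for {emp['dept']} by ACM"))
    return findings


if __name__ == "__main__":
    for user_id, finding in review_users(APP_USERS, HR_RECORDS, ACM, date(2012, 8, 4)):
        print(f"{user_id}: {finding}")
```

The transferred employee case (u1003) is the one most reviews miss: the person is still on the payroll, so an HR-only check passes, and only the ACM comparison shows that a Treasury employee still holds a branch profile.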

Password Management

- Password sharing
  - Good Practice:
    - Password sharing (including admin) restrictions
    - Application concurrency restriction
    - Strict reprimands (e.g. employee warnings)
- Sealed envelope / password vault for super user ids of application, DB, OS
  - Onsite and offsite maintenance
  - Sealed envelope tracking register
  - Password vault application

Password Management (contd.)

- Password encryption (connection strings / database storage)
  - Application user / DB connection password stored in clear text / unapproved weak password algorithms
  - Good Practice:
    - Hashing
    - Password encryption algorithm usage as prescribed in the IT Security policy
    - Connection string (application to DB) should be encrypted
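The two findings above (a DB connection password in clear text, and stored passwords under an unapproved or weak algorithm), together with the Learnings entry about an admin user with a blank password, can be picked up by a small audit script run over configuration files and a user-table export. The following is an added example, not from the presentation: the config text, the user rows, the ENC(...) and ${VAR} markers and the list of approved schemes are constructed assumptions, not any product's real format or any policy's actual list; the digest-length classification is a heuristic, not proof of the algorithm used.

```python
"""Added example, not part of the presentation: an audit helper that
flags clear-text credentials in configuration and weak or blank stored
passwords in a user-table export. Config text, user rows, the ENC(...)
marker and the approved-scheme list are constructed assumptions."""
import hashlib
import re
from typing import List, Tuple

# Constructed config fragment. ENC(...) and ${VAR} stand in for a site's
# own encrypted-value marker and environment/keystore reference.
SAMPLE_CONFIG = """\
[core_db]
connection_string = Server=db01;Database=core;User Id=appuser;Password=Summer2012;
[report_db]
connection_string = Server=db02;Database=mis;User Id=rptuser;Password=ENC(AQIDBAUGBwgJ);
[ldap]
bind_password = ${LDAP_BIND_PASSWORD}
"""

# Constructed user export: (login, stored credential as found in the table).
SAMPLE_USER_DUMP = [
    ("admin", "admin123"),
    ("svc_admin", ""),
    ("u1001", hashlib.md5(b"constructed").hexdigest()),
    ("u1002", hashlib.sha1(b"constructed").hexdigest()),
    ("u1003", "$2b$12$" + "c" * 53),
    ("u1004", "$pbkdf2-sha256$29000$constructedsalt$constructedhash"),
]

# Assumed policy: schemes the (hypothetical) IT Security policy approves.
APPROVED_SCHEMES = {"bcrypt", "pbkdf2", "argon2"}

SECRET_RE = re.compile(r"(?i)(password|pwd)\s*=\s*([^;\s]+)")


def find_cleartext_secrets(config_text: str) -> List[int]:
    """Line numbers whose password value is neither encrypted nor a reference."""
    hits = []
    for n, line in enumerate(config_text.splitlines(), start=1):
        for _key, value in SECRET_RE.findall(line):
            if not (value.startswith("ENC(") or value.startswith("${")):
                hits.append(n)
    return hits


def classify_stored_credential(value: str) -> str:
    """Heuristic classification of how a stored password was protected."""
    if value == "":
        return "blank"
    if re.match(r"^\$2[aby]\$\d{2}\$", value):
        return "bcrypt"
    if value.startswith("$argon2"):
        return "argon2"
    if value.startswith("$pbkdf2"):
        return "pbkdf2"
    if re.fullmatch(r"[0-9a-f]{32}", value):
        return "unsalted MD5-length digest"
    if re.fullmatch(r"[0-9a-f]{40}", value):
        return "unsalted SHA-1-length digest"
    if re.fullmatch(r"[0-9a-f]{64}", value):
        return "unsalted SHA-256-length digest"
    return "clear text or unknown encoding"


def audit_user_dump(rows) -> List[Tuple[str, str]]:
    """Logins whose stored credential is not in an approved scheme."""
    return [(login, classify_stored_credential(v))
            for login, v in rows
            if classify_stored_credential(v) not in APPROVED_SCHEMES]


if __name__ == "__main__":
    print("clear-text secrets on config lines:", find_cleartext_secrets(SAMPLE_CONFIG))
    for login, finding in audit_user_dump(SAMPLE_USER_DUMP):
        print(f"{login}: {finding}")
```

The script reports line numbers, not the secret values, so its output can go into working papers without itself becoming a clear-text copy of the credential.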

Interface Controls

- Manual / partially automated interface (inter-application)
  - Good Practice:
    - IP / login ID / digital certificate based restriction
    - Privilege controls over processing user / folders (e.g. transit)
    - Interface logs
- Vulnerable upload / download process
  - Good Practice:
    - Maker / checker control
    - Integrity and input validation (e.g. duplication, file type, standardised format etc.)

Maker / Checker Controls

- Maker/checker controls not implemented for:
  - Critical business functions
  - Administrative activities (including user management)
  - Good Practice:
    - Preventive application control for critical business functions and admin activities
    - Detective controls (e.g. audit trail review and sign-off) for identifying unauthorised activities
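The preventive and detective controls above can be shown in one small workflow gate. The following is an added example, not from the presentation or any application it reviewed: it compares the person behind a login rather than only the login id, which is what the Learnings case of one user creating and verifying with two different ids requires. The login-to-employee map, the set of controlled actions and the audit trail format are constructed assumptions.

```python
"""Added example, not part of the presentation: a maker/checker gate for
critical transactions and admin actions, with an audit trail the
detective review can read. Owner map and action kinds are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed login -> employee mapping; u1009 is a second id held by E100.
USER_OWNER = {"u1001": "E100", "u1002": "E101", "u1009": "E100"}

# Assumed list of actions that may not complete on a single user's say-so.
CONTROLLED_KINDS = {"PAYMENT", "LIMIT_CHANGE", "USER_CREATE", "PROFILE_CHANGE"}


@dataclass
class Entry:
    ref: str
    kind: str
    payload: dict
    maker: str
    checker: Optional[str] = None
    status: str = "PENDING"


class MakerChecker:
    def __init__(self, owners: Dict[str, str]):
        self.owners = owners
        self.entries: Dict[str, Entry] = {}
        self.audit: List[Tuple[str, str, str]] = []   # (ref, event, user)

    def make(self, ref: str, kind: str, payload: dict, user: str) -> Entry:
        """Preventive control, step 1: record the request as PENDING only."""
        if kind not in CONTROLLED_KINDS:
            raise ValueError(f"{kind} is not a maker/checker controlled action")
        if ref in self.entries:
            raise ValueError("duplicate reference")
        e = Entry(ref, kind, payload, maker=user)
        self.entries[ref] = e
        self.audit.append((ref, "MADE", user))
        return e

    def check(self, ref: str, user: str, approve: bool = True) -> Entry:
        """Preventive control, step 2: a different person decides."""
        e = self.entries[ref]
        if e.status != "PENDING":
            raise ValueError("entry already decided")
        same_login = user == e.maker
        same_person = (self.owners.get(user) is not None
                       and self.owners.get(user) == self.owners.get(e.maker))
        if same_login or same_person:
            self.audit.append((ref, "SELF_APPROVAL_BLOCKED", user))
            raise PermissionError("maker and checker must be different persons")
        e.checker = user
        e.status = "APPROVED" if approve else "REJECTED"
        self.audit.append((ref, e.status, user))
        return e

    def self_approval_attempts(self) -> List[Tuple[str, str, str]]:
        """Detective control: blocked attempts for the audit-trail sign-off."""
        return [a for a in self.audit if a[1] == "SELF_APPROVAL_BLOCKED"]


if __name__ == "__main__":
    mc = MakerChecker(USER_OWNER)
    mc.make("PAY-1", "PAYMENT", {"amount": 1000}, "u1001")
    for checker in ("u1001", "u1009", "u1002"):
        try:
            print(checker, "->", mc.check("PAY-1", checker).status)
        except PermissionError as err:
            print(checker, "->", err)
    print("for review:", mc.self_approval_attempts())
```

Note that an id with no owner on record is not treated as a different person only because its employee number is unknown: same_person is false in that case, so the gate passes, which is why the User Management review above also has to flag generic ids with no named owner.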

Application Security Life Cycle (ASLC)

- Non-adherence to the ASLC process
  - Good Practice:
    - Every application to undergo ASLC review at the induction stage
    - Non-alignment to IT Security policies to be identified and communicated to the vendor
    - Residual risks to be signed off
    - Risk review to be carried out after any major change
    - The periodicity for renewal of ASLC

Some Learnings

Learning

- Usage of the application database id for updation
- Sharing of user credentials during their leave period
- A single person responsible for upload of the text dump to the application
- Sharing of a generic user id having admin rights
- Failure of online market rates updates

Learning (contd.)

- Transferred/resigned employees found active on AD
- Multiple user ids used by the same user to create as well as verify transactions with their different user ids
- Use of administrative id on local desktops
- Mismatch in IT asset inventory
- User can bypass the authentication of the application by manipulating the link in the browser
- Admin user access with blank password
- CCTV camera captures keyboard keys

Learning (contd.)

- No server side validation for the parameters entered by the user for many service requests
- Customer demographic details are copied to the test environment without any data sanitisation
- Possibility of making bill payment through other customers' accounts
- Further outsourcing of activities by the vendor without permission
- VRM details not recorded (tel. no., date and time of call)

Thank you