
(INFORMATION TECHNOLOGY SECTION)

 

TO ALL OFFICES                                                       DATE:  12.10.2006

                                               

INFORMATION TECHNOLOGY CIRCULAR NO: 15

 REG: Information Systems Audit.

  

An Information Systems Audit (IS Audit) of 25% of the branches of the sponsor Bank and other offices takes place every year. Branches of our bank have been computerized; therefore, we should be ready for an IS Audit. The audit of sponsor bank branches in 2005-2006 revealed certain deficiencies. The points noted below will create awareness among branches regarding IT security.

The list of deficiencies is appended for the attention of all concerned.

Risk / Implication – Very High:

- Anti-virus software was not enabled for automatic checking of viruses from floppy/CD-ROM/e-mail.
- Reports, viz. Access Log, Active Users and exceptional transactions, were not printed and scrutinized by the authorized officials.
- Users were not aware of the Business Continuity procedures.
- The checksum generated at day end was not verified by the authorized officials and not kept in dual custody overnight.

Risk / Implication – High:

- CD drives and floppy drives on PCs, except the PC of the DBA, were not disabled.
- Passwords of sensitive users (DBA/Incumbent Incharge/Super User) were not kept in a sealed cover in dual custody.
- User IDs were not enabled/disabled daily prior to the start of work as per the daily arrangement register.
- User IDs of employees who have been transferred/resigned/retired were not deleted.
- Revised interest rates/service charges were not incorporated and authorized in the system in a timely manner.
- The entire backup before migration of the branch was not kept on CDs.
- Off-site backup was not kept regularly.

 

Risk / Implication – Medium:

- PCs/Servers were not protected by boot/power-on password.
- Exceptional powers used by the System Administrator were being authorized by the Incumbent.
- Clear disk procedure was not followed.
- Employees were not aware of the IT security procedures.

  

Risk / Implication – Low:

- Configuration details/baseline configuration of critical equipment were not maintained/mentioned in the inventory register.
- Gas-based fire extinguishers were either not installed or not in working condition/refilled after expiry, and the staff were not aware of their usage.
- The duties of IT functions were not clearly defined.

 

All branch incumbents are advised to go through the above observations and ensure meticulous compliance with Bank guidelines on IT Security to prevent recurrence of the above irregularities.

 

                                                                                                                           GENERAL MANAGER
