
IT Audit & Pentesting

Regulations are now focusing more on risk management and corporate governance, while companies also recognise threats like stolen data, defaced websites, the disruption of e-commerce services, and other breaches that may lead to lost income, customers and reputation. The challenge is to balance the cost of implementing controls against the cost of doing nothing. This is where IT Audit comes in. Our service gives you a quick and cost-effective diagnosis of your system security, highlighting vulnerable areas that you can then efficiently address.

What We Can Do

PKF F.R.A.N.T.S can help your organization strategically align its IT infrastructure with its business strategy. To achieve this, we ensure that IT controls are in place to protect the business from hacker attacks and security threats. We can also help your company meet regulatory requirements through an IT audit.

Our IT audit services are designed to identify and evaluate the level of risk and the quality of the controls and security measures in place over information systems.

The most critical objective of the IT examination is evaluating the protection of critical assets within the information systems.

Our Services

PKF F.R.A.N.T.S can provide a variety of solutions to decrease your IT risks:

  • IT general controls review
  • Technology risk assessment
  • Computer application audit
  • Application/systems development
  • On-site & off-site physical security review
  • Penetration testing & vulnerability assessment
  • Data security audit
  • Business continuity planning and disaster recovery
  • SOP development & internal audit
  • ISO 27001 certification

Our Key Clients

  • Cedar Capital (Private) Limited
  • Aba Ali Habib Securities (Pvt.) Ltd
  • Abbasi Securities (Private) Limited
  • AKD Securities Limited
  • Alfa Adhi Securities Pvt. Limited
  • Arif Habib Limited
  • BMA Capital Management Limited
  • Elixir Securities Pakistan (Private) Limited
  • Foundation Securities (Private) Limited
  • Growth Securities (Private) Limited
  • IGI Finex Securities Limited
  • Next Capital Limited
  • Pearl Securities Limited
  • Ain Khanani Securities (Private) Limited
  • Standard Capital Securities (Pvt.) Limited
  • Summit Capital (Private) Limited (Subsidiary of Summit Bank)
  • Munir M. Ahmed Khanani Securities (Pvt.) Limited
  • H.M Securities (Pvt.) Limited
  • Multiline Securities (Pvt.) Ltd.
  • WE Financial Services Limited
  • Trade-In-Securities (Private) Limited
  • Allied Bank Limited

The Key Benefits of IT Audit

  • Understand industry best practices for protecting your information systems
  • Obtain an independent and objective analysis of your organization
  • Minimize critical business risks in your organization
  • Provide business process improvement
  • Meet board and fiduciary requirements
  • Align your IT infrastructure with your business strategy

Our Expertise

PKF F.R.A.N.T.S relies on a team of experienced professionals to serve our clients. With our level and years of experience, we can handle a client of any size from any industry. Some of the accreditations that our professionals hold include:

  • Certified Information Systems Auditor (CISA)
  • Certified Information Security Manager (CISM)
  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Technology Professional (CITP)
  • Certified in the Governance of Enterprise IT (CGEIT)

Overall Procedure & Methodology

The PKF F.R.A.N.T.S Information Systems (IS) Audit Risk Assessment methodology is designed to cover a review of all required policies and procedures implemented. The Information Systems Audit covers the entire information systems infrastructure, including (but not limited to) the core system, servers & other hardware, operating systems, databases, application systems, technologies, networks, facilities, and processes & people, across the areas listed below:

  • Policy, Procedures, Gap Analysis and Risk Assessment
  • DC/DR Center (Physical and Environmental Security)
  • Operating Systems Audit of Servers, Systems and Networking Equipment
  • Application Level Security Audit
  • Audit of DBMS and Data Security
  • Network Security
  • Internal Vulnerability Assessment / Penetration Testing
  • Interfaces, Cards, Delivery Channels (Internet Banking, Mobile Banking)
  • Backup & Recovery Process and Testing
  • Others (HR Management, Asset Management, Inventory Management, Logging, Agreements, AMC, SLAs)
  • Acquisition and Implementation of Packaged Software
  • Physical Access Control
  • Maintenance
  • Database Controls
  • IT Governance
  • Long Term IT Strategy
  • Short Range IT Plan
  • User Management (Access Request)
  • User Awareness and Training

Scope of work and procedures:

1. Policy, Procedures, Standard Practices, Gap Analysis, Risk Assessment & other regulatory requirements
   1) IT Security Policy & Procedures
   2) Risk Assessment
   3) Gap Analysis
   4) Regulatory guidelines on Information Security & other legal requirements
   5) Best practices of the industry, including ISACA / ISO 27001 guidelines
   6) Review & recommendation of the IT Policy/IS Policy and other IT-related policies and procedures as per industry best practices
   7) IT Governance

2. DC/DR Physical and Environmental Security
   1) Access control systems
   2) Fire / flooding / water leakage / gas leakage etc.
   3) Asset safeguarding; handling of movement of man/material/media/backup/software/hardware/information
   4) Air-conditioning of DC/DRC, humidity control systems
   5) Electrical supply, redundancy of power, generator, UPS capacity
   6) Surveillance systems of DC/DRC
   7) Physical & environmental controls
   8) Pest prevention (rodent prevention) systems

3. Operating Systems Audit of Servers, Systems and Networking Equipment
   1) Setup & maintenance of operating system parameters
   2) Updating of OS patches
   3) OS change management procedures
   4) Use of root and other sensitive passwords
   5) Use of sensitive system software utilities
   6) Vulnerability assessment & hardening of operating systems
   7) Users and groups created, including all types of user management, ensuring password complexity, periodic changes etc.
   8) File system security of the OS
   9) Review of access rights and privileges
   10) Services and ports accessibility
   11) Review of log monitoring, its sufficiency, security, maintenance and backup

4. Application Level Security Audit
   1) Only authorized users should be able to edit, input or update data in the applications or carry out activities as per their role and/or functional requirements
   2) User maintenance and password policies are being followed as per the bank's IT security policy
   3) Segregation of duties and access of production staff and development staff, with access control over development, test and production regions
   4) Review of all types of parameter maintenance and controls implemented
   5) Authorization controls such as maker/checker, exceptions, overriding exceptions & error-condition authentication mechanisms
   6) Change management procedures, including testing & documentation of changes
   7) Application interfaces with other applications and security of their data communication
   8) Search for back-door traps in the program
   9) Check for commonly known holes in the software
   10) Identify gaps in the application security parameter setup in line with the bank's security policies and leading best practices
   11) Audit of management controls, including systems configuration/parameterization & systems development
   12) Audit of controls over operations, including communication network, data preparation and entry, production, file library, documentation and program library, help desk and technical support, capacity planning and performance, and monitoring of outsourced operations
   13) Review of all types of application-level access controls, including proper controls for access logs and audit trails, ensuring sufficiency & security of their creation, maintenance and backup

5. Audit of DBMS and Data Security
   1) Authorization, authentication and access control are in place
   2) Audit of data integrity controls, including master table updates
   3) Confidentiality requirements are met
   4) Logical access controls which ensure that access to data is restricted to authorized users
   5) Database integrity is ensured to avoid concurrency problems
   6) Separation of duties
   7) Database backup management
   8) Security of database files, viz. control files, redo log files, archive log files, initialization file, configuration file, tablespace security etc.
   9) Password check of the system and sys users (default passwords should not be present)
   10) Checking of database privileges assigned to DBAs

6. Network Security (security architecture of the entire network), including:
   1) Understanding the traffic flow in the network at LAN & WAN level
   2) Audit of redundancy of links and devices in the CBS setup
   3) Analysis of the network security controls, including study of the logical locations of security components such as firewall, IDS/IPS, proxy server, antivirus server, email systems, etc.
   4) Study of incoming and outgoing traffic flow among web servers, application servers and database servers, from a security point of view
   5) Routing protocols and the security controls therein
   6) Study and audit of the network architecture from a disaster recovery point of view
   7) Privileges available to the systems integrator and outsourced vendors
   8) Review of all types of network-level access controls and logs, ensuring sufficiency & security of their creation, maintenance and backup
   9) Secure network connections for CBS, ATM, Internet Banking, Mobile Banking and third parties, including client/browser-based security
   10) Evaluation of centralized controls over routers/firewalls installed in branches & their password management
   11) Checking of VLAN architecture
   12) VPN parameters
   13) Allowed TCP ports
   14) Checking of firewall access control lists
   15) Firewalls, routers and switches use the AAA model for all user authentication
   16) Enable passwords on the routers are stored in encrypted form and comply with the minimum password length
   17) Local and remote access to network devices is limited and restricted

7. Internal Vulnerability Assessment / Penetration Testing
   1) Analyze the findings from the tests conducted to eliminate false positives and false negatives
   2) Document the recommendations to counter and remedy the vulnerabilities to the best possible extent
   3) Prepare the audit document
   4) Discuss the audit document and recommendations

8. Audit of ATM Card Management, ATM & PIN Management, Internet Banking, Mobile Banking and Branchless Banking
   1) Audit of ATMs covering application, network security, functionality, interfaces, audit trails, transmission security, authorization, fallback/failover procedures, status updates, and compliance with VISA & other standards
   2) PIN management (generation & re-generation etc.) of ATMs
   3) Adequacy of security defenses
   4) Scalability for expanding the network in future & sharing arrangements
   5) Connectivity to other networks
   6) Card management (delivery of cards/PINs, storage of cards and reconciliation with the settlement agency)
   7) ATM operational controls & reconciliation

9. Backup & Recovery Process and Testing
   1) Audit of backup & recovery testing procedures
   2) Sufficiency checks of the backup process
   3) Audit of access controls, movement and storage of backup media
   4) Audit of media maintenance procedures
   5) Security of removable media
   6) Controls for prevention of data leakage through removable media or other means
   7) Media disposal mechanisms and database archival & purging procedures
   8) Synchronization between DC & DRC databases
   9) DR services to be up for branches as per the RTO & RPO of the BCP
   10) DR testing
   11) DR strategy

10. Core Banking System (Temenos T24, version R12)
   1) Database architecture and design
   2) Data integrity and consistency
   3) Data flow of the system as per bank requirements
   4) Data security and control mechanisms
   5) Data confidentiality as per role
   6) Data reliability of the system
   7) Parameterization process and procedure
   8) Interest calculation verification
   9) User management and control mechanism
   10) History management of data and activities
   11) Console operation process and procedure
   12) Third-party integration process and mechanism
   13) Audit trail audit
   14) Software error log
   15) System exception alert mechanism
   16) Change management procedures, including testing (UAT) & documentation of changes

11. Others
   1) Inventory movement controls & maintenance, equipment maintenance and disposal measures, change & configuration management processes
   2) Audit of logging and monitoring processes
   3) Agreements, AMC, SLAs
   4) Data migration and upgrade verification
   5) Benchmarking of service against the existing system
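Several of the network-device items in the scope above (AAA for all user authentication, encrypted enable passwords of adequate length, restricted local and remote access, allowed ports and firewall ACLs) can be checked mechanically against a device's exported running configuration rather than by eyeballing it. The script below is an added example written for this page; it is not PKF F.R.A.N.T.S tooling. It assumes Cisco IOS-style configuration syntax, runs over two constructed configuration excerpts (a weak one and the same device after remediation), and uses an assumed minimum password length of 12, which the client's policy would set in practice.

```python
"""Added example (not PKF F.R.A.N.T.S code): static configuration review for
several network-device audit items. Assumes Cisco IOS-style syntax; both
configurations below are constructed for illustration only."""
import re
from typing import Dict, List

MIN_PASSWORD_LENGTH = 12  # assumed policy value; the bank's policy sets the real one

# Constructed "before" config: reversible/plaintext credentials, telnet, open ACL.
WEAK_CONFIG = """\
hostname BR-RTR-01
enable password 7 0123456789AB
username admin password 0 letmein
aaa new-model
aaa authentication login default group tacacs+ local
ip access-list extended OUTSIDE-IN
 permit tcp any host 10.1.1.10 eq 443
 permit ip any any
line vty 0 4
 transport input telnet ssh
 login authentication default
line con 0
 login authentication default
"""

# Constructed "after" config: the same device with every finding remediated.
HARDENED_CONFIG = """\
hostname BR-RTR-01
enable secret 9 $9$PLACEHOLDER-HASH
username admin secret 9 $9$PLACEHOLDER-HASH
aaa new-model
aaa authentication login default group tacacs+ local
ip access-list standard MGMT-HOSTS
 permit 10.20.0.0 0.0.0.255
ip access-list extended OUTSIDE-IN
 permit tcp any host 10.1.1.10 eq 443
 deny ip any any log
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login authentication default
line con 0
 login authentication default
"""


def check_enable_secret(config: str) -> List[str]:
    """Item 16: 'enable secret' (one-way hash) must be used. 'enable password'
    is stored as type 0 (plaintext) or type 7 (a reversible encoding)."""
    findings = []
    if re.search(r"^enable password\b", config, re.M):
        findings.append("enable password in use; type 7 is reversible, use 'enable secret'")
    if not re.search(r"^enable secret\b", config, re.M):
        findings.append("no 'enable secret' configured")
    return findings


def check_local_users(config: str, min_len: int = MIN_PASSWORD_LENGTH) -> List[str]:
    """Item 16: local accounts should use 'username X secret'. Length is only
    measurable for type 0 values; hashed passwords must be checked via policy."""
    findings = []
    for user, ptype, value in re.findall(r"^username (\S+) password (?:(\d) )?(\S+)", config, re.M):
        if ptype in ("", "0"):
            findings.append(f"user {user}: plaintext (type 0) password; use 'secret'")
            if len(value) < min_len:
                findings.append(f"user {user}: password shorter than {min_len} characters")
        elif ptype == "7":
            findings.append(f"user {user}: reversible type 7 password; use 'secret'")
    return findings


def check_aaa(config: str) -> List[str]:
    """Item 15: AAA enabled with a login authentication method list."""
    findings = []
    if not re.search(r"^aaa new-model\s*$", config, re.M):
        findings.append("AAA not enabled ('aaa new-model' missing)")
    if not re.search(r"^aaa authentication login\b", config, re.M):
        findings.append("no 'aaa authentication login' method list")
    return findings


def check_vty(config: str) -> List[str]:
    """Item 17: remote access only over SSH and limited to management hosts."""
    m = re.search(r"^line vty[^\n]*\n((?:[ \t][^\n]*\n?)*)", config, re.M)
    if not m:
        return ["no vty configuration found"]
    block, findings = m.group(1), []
    transport = re.search(r"transport input([^\n]*)", block)
    if transport is None or "telnet" in transport.group(1) or "all" in transport.group(1):
        findings.append("vty permits telnet or default transports; set 'transport input ssh'")
    if "access-class" not in block:
        findings.append("vty has no access-class; remote access not restricted by source")
    return findings


def check_acls(config: str) -> List[str]:
    """Items 13-14: flag 'permit <proto> any any', which turns the ACL into no filter."""
    findings, acl = [], None
    for line in config.splitlines():
        if line.startswith("ip access-list"):
            acl = line.split()[-1]
        elif line.startswith((" ", "\t")):
            if acl and re.match(r"\s*permit (ip|tcp|udp) any any\s*$", line):
                findings.append(f"ACL {acl}: overly broad rule '{line.strip()}'")
        else:
            acl = None  # left the ACL block
    return findings


CHECKS = {
    "enable_secret": check_enable_secret,
    "local_users": check_local_users,
    "aaa": check_aaa,
    "vty_access": check_vty,
    "acls": check_acls,
}


def audit(config: str) -> Dict[str, List[str]]:
    """Run every check; only checks with findings appear in the result."""
    return {name: out for name, fn in CHECKS.items() if (out := fn(config))}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {sum(len(v) for v in audit(cfg).values())} finding(s) ==")
        for name, items in audit(cfg).items():
            for item in items:
                print(f"  [{name}] {item}")
```

Run as a script, it reports seven findings for the weak excerpt and none for the hardened one. The checks are deliberately syntactic: they confirm that a control is configured, not that it works, so a pass here still needs the operational evidence (AAA server logs, an attempted telnet from a non-management host) that the audit items call for.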

Why PKF F.R.A.N.T.S?

PKF F.R.A.N.T.S is committed to excellence in the performance of the many services we offer. We can assist you across a wide spectrum of Information Technology services. To provide state-of-the-art services to our clients, we have assembled a highly skilled and dedicated team that allows us to perform at all levels of technology assessments and audits.

The background of our team is specifically IT oriented, and they have many years of experience and expertise working in all phases of Information Services and supporting Information Technology environments. They have been responsible for managing large software installation projects, information systems reviews, new application system design, programming, data center reorganization and re-staffing. They have worked in many industries, but most consulting engagements have been in general management, manufacturing, distribution and finance/banking.

In recent years, PKF F.R.A.N.T.S has specialized in managing and performing risk-based internal technical reviews involving a variety of hardware, software and operating environments. These reviews include all aspects of computer security and business continuity planning, covering operations controls, systems development and documentation controls, hardware and systems controls, access controls, data and procedural controls, physical security, application and processing controls, compliance testing and off-site storage.

Some of the specific IT review experience includes:

  • Midrange and large mainframe systems
  • Communications equipment and networks
  • Operating systems
  • Physical security
  • Access security
  • Systems development and maintenance control
  • Organizational controls
  • Various application controls
  • Data security
  • Business continuity planning

Firm Experiences in the Practice Area

  • Penetration testing and vulnerability assessment of web applications, mobile apps and networks, handling more than a dozen clients of the Pakistan Stock Exchange (formerly Karachi Stock Exchange) for the past three years or so.
  • Consultancy on advanced security solutions such as DLP, ATP & threat intelligence.
  • Consultancy on disaster recovery, backup & archiving solutions based on Veritas Inc. products.
  • Lead consultant for the data classification/categorization activity at Habib Bank Limited for implementation of a DLP solution.
  • Consultancy for data security, backup, archiving & cloud.
  • Digital forensic assignment for a leading bank to investigate financial fraud; uncovered the techniques used in the fraud and produced court-admissible evidence.
  • Security audit & penetration testing projects: scheduling execution of security tests as per the SOW and finalizing vulnerability assessment & penetration testing reports for various clients.