Application Controls Review - Scope
• Web Security
• Access Controls
• Password Controls
• Service Level Agreement
• Database Access Controls
• Data Backup
• Data Retention and Retrieval
• System Documentation
• Application Security Life Cycle (ASLC)
• Perimeter Security Controls
• Interface Controls
• Change Management
• Data Sanitisation
• Business Continuity/Disaster Recovery Plan
• Input, Processing and Output Controls
• Backend Update Controls
• Review of application logs
• Customer/user complaints
• Database
• Operating system
• Web servers
• Networking and Security of Assets
Web Security
• Segregation between internet and intranet architecture of application
• Data encryption while in transit on third party network
• Forced browsing or directory/path traversal not allowed
• SQL Injection not allowed
• Hidden form fields not used in validations
• Adequate session management
• Critical data encrypted while in storage
• Adequate server side validations used in addition to client data input validations
• Vulnerability analysis and penetration testing
Access Controls
• Whether user access rights are justified by their job roles
• Whether Administrator has access to transaction menus/masters/parameter settings
• Whether any unauthorised users are being provided access to any critical application file/data folders/menus etc.
• Whether sample user creation requests as per LAM match the actual user rights in the system
• Whether periodical review of user access rights is carried out
• Whether review of the profiles created in the application is carried out periodically for validity, jointly with the user groups
• Whether profiles as per ACM and per application are documented
Password Controls
• Password policy enforcement (length, expiry, complexity, history, periodic change, repetition, etc.) as per Security Policy
• Password is not shown on screen when typing and is stored encrypted/hashed in the database
• Initial passwords or reset passwords should not be communicated to users through unsecured means such as unprotected clear text emails
• System forces user to change password on first login or first usage after reset
• System allows users to change password on their own
• Whether any default passwords are in use
• User account is locked after x number of unsuccessful attempts or x number of days of inactivity
• User is informed of his last login date and time
• Application does not allow concurrent login for the same user
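The checks on this slide can be exercised against a small reference model of an account. The following is an added example, not code from the original deck or any audited application; MAX_FAILED and HISTORY_DEPTH are assumed policy values, and the salted PBKDF2 storage is one way of meeting the "encrypted in database" requirement.

```python
import hashlib
import hmac
import os

MAX_FAILED = 5       # assumed policy value: lock after this many unsuccessful attempts
HISTORY_DEPTH = 3    # assumed policy value: the last 3 passwords may not be reused
ITERATIONS = 200_000

def hash_password(password, salt=None):
    # Salted PBKDF2-HMAC-SHA256 so the database never holds the clear-text password
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class UserAccount:
    def __init__(self, initial_password):
        self.salt, self.digest = hash_password(initial_password)
        self.history = [(self.salt, self.digest)]   # kept for the reuse check
        self.failed, self.locked = 0, False
        self.must_change = True      # initial or reset password: change on first use
        self.session_open, self.last_login = False, None

    def _matches(self, password, salt, digest):
        return hmac.compare_digest(hash_password(password, salt)[1], digest)

    def login(self, password, now):
        if self.locked:
            return "locked"
        if not self._matches(password, self.salt, self.digest):
            self.failed += 1
            if self.failed >= MAX_FAILED:
                self.locked = True          # lockout after x unsuccessful attempts
            return "locked" if self.locked else "bad_password"
        if self.session_open:
            return "concurrent_login_refused"   # one live session per user
        self.failed, self.session_open = 0, True
        previous, self.last_login = self.last_login, now
        if self.must_change:
            return "must_change_password"
        return f"ok (last login {previous})"    # user is told the last login time

    def logout(self):
        self.session_open = False

    def change_password(self, old, new):
        if not self._matches(old, self.salt, self.digest):
            return False
        if any(self._matches(new, s, d) for s, d in self.history[-HISTORY_DEPTH:]):
            return False                         # reuse of a recent password refused
        self.salt, self.digest = hash_password(new)
        self.history.append((self.salt, self.digest))
        self.must_change = False
        return True
```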
Service Levels
• Whether AMC/SLA for the application support exists with clear mention of the scope of the services and basis for the billing/charges
• Whether any of the AMC/SLA terms is inadequate, unreasonable or inconsistent vis-à-vis IT Security policy
• Whether terms of SLA are periodically monitored for compliance, e.g. review sample payments made to service provider as per the SLA clause for support services
• Whether proper approval exists for support services/annual maintenance contract
• Whether payments made to vendors for CRs etc. are tracked vis-à-vis SLA/AMC terms and the approvals
Database Access Controls
• Whether any backend database update can be carried out
• Whether users have direct database access
• Whether critical passwords such as the database connection string are encrypted when stored
• Whether a procedure is laid down to correct data errors/problems observed at the database level and database integrity is monitored through periodic reports
• Review which user ID is used for troubleshooting at application and database level and identify its privileges
• How this ID's credentials are protected and its usage monitored for unauthorised activities
Perimeter Security Controls
• Review the firewall rules for internet facing applications
• Enquire for the services and protocols allowed for ports (other than 80 or 443) for web servers and for non-database ports on database server in DMZ
• Whether appropriate justification and approval is available for these services
• Network based security controls implemented for third party systems connecting to network, e.g. firewall
Interface Controls
• See the related documentation and architecture diagram to understand the interface and review the interface log files
• Whether adequate interface logs are generated & maintained for automated interface with application
• Whether system checks exist (through interface logs etc.) to detect or restrict failures/errors/omissions/duplicate records during interface data exchange
• Whether authentication/authorisation procedure between the interfacing applications is weak, e.g. clear text passwords, invalidated user credentials, unrestricted permissions to the interfacing user ID or unrestricted access to interfacing programs etc.
• Whether folders/servers used for transfer are open to unauthorised access
Change Management
• Review sample Change Requests (CRs) for type of CRs, process flow and supporting documentation as given herein
• Review pending CRs for status, reasons and monitoring, ageing of CRs and risk attached
• Review the ACM for related authorisations
• Whether deployment approval from Business Head is sought before deployment of CR to live
• Whether adequate testing (e.g. unit/system/regression testing) is carried out prior to deployment in live
• Whether UAT sign-off is evidenced
• Whether proper BRS is available in support of CRs which are deployed or in process of development
• Whether test cases/test results are available
• Whether release notes are obtained from vendor for important patches/CR deliveries with proper reference to CRs
Data Sanitisation
• Whether customer demographics or any other sensitive data are sanitised in UAT environment
• Whether developers have access to live environment
• Whether there is proper segregation of Development, UAT and Live environments
• Whether UAT is in sync with live; if yes, how evidenced?
• Whether segregation of duties & roles is clearly defined between development and production support team
• Whether adequate procedure & documentation exist for moving program changes to live
Business Continuity/Disaster Recovery (DR)
• Whether DR plan document is adequate in terms of its contents/scope/coverage of system components/activities
• Whether DR drills are carried out at regular intervals / whether DR drill reports are available
• Whether the coverage of DR drills & participation is as per the test plan given in the document
• Whether any significant deficiency was noted in DR drill
Input, Processing and Output Controls
• Whether system accepts any invalid/out of range/incorrect or duplicate data inputs
• Whether data accuracy for critical fields is implemented through range checks, validity checks and duplicate checks
• Whether adequate system controls are built to identify data entry errors/exceptions (such as invalid inputs, duplicate items, backdated entries etc.)
• In case of batch uploads, whether the system checks that all transactions in a batch file are uploaded without any omission and errors, and whether adequate batch upload controls (such as control totals tallying) exist
• Check whether erroneous records are segregated with rejection report/reasons
Input, Processing and Output Controls (contd.)
• Review the critical functionalities wherein complex data processing is involved, e.g. interest calculation etc.
• Review the documentation for such data processing logic (whether built in as part of application feature or developed through report etc. during customisation)
• Check whether bulk processing of inputs through batch uploads may result in any exceptional data item being processed erroneously
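The batch upload controls on the two preceding slides (range/validity/duplicate checks, backdated entries, control totals tallying, segregation of erroneous records with reasons) can be seen together in one validator. This is an added example, not code from the deck or any audited application; the batch layout, AMOUNT_MAX and BACKDATE_CUTOFF are constructed assumptions.

```python
import csv
from datetime import date

# Constructed sample batch upload (not from any real system): a CSV body and a
# trailer line carrying the control totals the sender computed.
BATCH = """\
ref,account,amount,value_date
TX1001,ACC-1,1500.00,2024-03-01
TX1002,ACC-2,-20.00,2024-03-01
TX1003,ACC-3,999999.00,2024-03-01
TX1001,ACC-4,10.00,2024-03-01
TX1004,ACC-5,250.00,2024-01-15
TRAILER|5|1001739.00
"""
AMOUNT_MAX = 100000.00              # assumed range check for one transaction
BACKDATE_CUTOFF = date(2024, 2, 1)  # assumed: value dates before this are backdated

def process_batch(text, seen_refs=frozenset()):
    """Apply input controls to a batch; return (accepted, rejected, tally)."""
    *body, trailer = text.rstrip("\n").split("\n")
    _, declared_count, declared_total = trailer.split("|")
    accepted, rejected, refs, file_total = [], [], set(seen_refs), 0.0
    for row in csv.DictReader(body):
        reasons, amount = [], None
        try:
            amount = float(row["amount"])
            file_total += amount
        except ValueError:
            reasons.append("amount not numeric")
        if amount is not None and not 0 < amount <= AMOUNT_MAX:
            reasons.append("amount out of range")
        if row["ref"] in refs:           # duplicate within file or against earlier uploads
            reasons.append("duplicate reference")
        refs.add(row["ref"])
        try:
            if date.fromisoformat(row["value_date"]) < BACKDATE_CUTOFF:
                reasons.append("backdated entry")
        except ValueError:
            reasons.append("invalid value_date")
        if reasons:                      # segregate with rejection reasons
            rejected.append({"ref": row["ref"], "reasons": reasons})
        else:
            accepted.append(row)
    # Control-total tally over the whole file catches omissions and transit errors
    tally = {"count_ok": len(accepted) + len(rejected) == int(declared_count),
             "total_ok": abs(file_total - float(declared_total)) < 0.005}
    return accepted, rejected, tally
```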
Data Backup Controls
• Whether backup policy/procedure is laid down for frequency, type of backup, media, period, contents/files to be backed up, storage location, restoration testing, media recycle/rotation schedule etc. and conveyed to DB Administrator
• Backup is performed through systemic controls at regular intervals as per the backup policy set up (e.g. NetBackup). Review the backup logs/alerts generated and sent to application owner for success or failure of scheduled backup activity
• Check whether a copy of backup is kept at off-site location. Review the process of off-site storage and labelling of off-site backup copy
• Check the latest backup restoration testing confirmation for critical database files as well as application files, as confirmed by user
Data Retention and Retrieval
• Whether any data is purged in the application
• Whether data retention and data purging procedures are documented for the application data
• Whether any guideline relating to data retention is applicable to the data in the application
• Whether any data required to be retained has been purged
• Whether data retrieval is tested for the data to which data retention policy is applicable
System Documentation
• Whether updated user and system manuals are available
• Whether these manuals cover all application modules including critical data processing logic (such as interest calculation or bucketing of overdues etc.) and all interfaces and menus/sub menus, and explain their functionalities
• Whether the documentation is updated periodically for all changes
Application Security Life Cycle (ASLC)
• Identify various types of data being processed by the application
• Check whether data classification is done as per IS Security Policy through a formal document
• Verify whether adequate data protection controls are adopted for handling of sensitive data as per said policy (e.g. data exchanged outside the network or through removable media in unencrypted form or unsecured way without any control)
• Whether documents required for ASLC Risk assessment (including SOP etc.) are completed and submitted
• Whether RR sign off is obtained, and review the open items
• Periodic review of ASLC
Other Controls
• Database
• Operating System
• Web servers
• Networking and Security of Assets
User Management
• Generic / extraneous users present
  Good Practice:
  • Process to manage default / transferred / ex-employee accounts
  • Periodic review vis-à-vis HR records
  • Periodic confirmation from the user supervisor
• Excess privileges assigned to users
  Good Practice:
  • Periodic Access Control Matrix sign off
  • Business function vis-à-vis application profile
Password Management
• Password sharing
  Good Practice:
  • Password sharing (including admin) restrictions
  • Application concurrency restriction
  • Strict reprimands (e.g. employee warnings)
• Sealed envelope / password vault for super user IDs of application, DB, OS
  • Onsite and offsite maintenance
  • Sealed envelope tracking register
  • Password vault application
Password Management
• Password encryption (connection strings / database storage)
  • Application user / DB connection password stored in clear text / with unapproved weak password algorithms
  Good Practice:
  • Hashing
  • Password encryption algorithm usage as prescribed in IT Security policy
  • Connection string (application to DB) should be encrypted
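One detective check for the clear-text connection-string finding above is to scan application configuration for password-like keys, including those packed inside a connection string, and to accept only references to an encrypted secret. This is an added example, not code from the deck; the config contents are constructed, and the ENC(...) wrapper is an assumed convention for an encrypted reference.

```python
import re

# Constructed sample application configuration (not from any real system).
CONFIG = """\
[database]
connection = Server=db01;Database=core;User Id=appuser;Password=Summer2024!;
[reporting]
connection = Server=rpt01;Database=mis;User Id=rptuser;Password=ENC(vault:rpt-db);
[legacy]
connection = jdbc:oracle:thin:@ora01:1521:core
user = batch
pwd = batch123
"""

PASSWORD_KEYS = {"password", "pwd", "passwd", "secret"}
# Assumed convention: a value wrapped as ENC(...) is a reference to an encrypted
# secret store rather than the secret itself, so it is not a finding.
ENCRYPTED_REF = re.compile(r"^ENC\(.+\)$")

def find_cleartext_secrets(text):
    """Return (line_no, key) for every password-like setting stored in clear text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if "=" not in line or line.lstrip().startswith("["):
            continue
        key, _, value = line.partition("=")
        # A connection string packs several key=value pairs separated by ';'
        pairs = [p.partition("=") for p in value.split(";")] if ";" in value else [(key, "=", value)]
        for k, _, v in pairs:
            k, v = k.strip().lower(), v.strip()
            if k in PASSWORD_KEYS and v and not ENCRYPTED_REF.match(v):
                findings.append((line_no, k))
    return findings
```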
Interface Controls
• Manual / partially automated interface (inter-application)
  Good Practice:
  • IP / login ID / digital certificate based restriction
  • Privilege controls over processing user / folders (e.g. transit)
  • Interface logs
• Vulnerable upload / download process
  Good Practice:
  • Maker / checker control
  • Integrity & input validation (e.g. duplication, file type, standardised format etc.)
Maker / Checker Controls
• Maker checker controls not implemented for
  • Critical business functions
  • Administrative activities (including user management)
  Good Practice:
  • Preventive application control for critical business functions and admin activities
  • Detective controls (e.g. audit trail review & sign off) for identifying unauthorised activities
Application Security Life Cycle (ASLC)
• Non-adherence to ASLC process
  Good Practice:
  • Every application to undergo ASLC review at induction stage
  • Non-alignment to IT Security policies to be identified and communicated to the vendor
  • Residual risks to be signed off
  • Risk review to be carried out after major change
  • The periodicity for renewal of ASLC
Learning
• Usage of application database ID for updation
• Sharing of user credentials during their leave period
• A single person responsible for upload of the text dump to application
• Sharing of generic user ID having admin rights
• Failure of online market rates updates
Learning (contd.)
• Transferred/resigned employees found active on AD
• Same user creating as well as verifying transactions using multiple user IDs
• Use of administrative ID on local desktops
• Mismatch in IT asset inventory
• User can bypass the authentication of the application by manipulating the link in the browser
• Admin user access with blank password
• CCTV camera captures keyboard keys
Learning (contd.)
• No server side validation for the parameters entered by the user for many service requests
• Customer demographic details are copied into test environment without any data sanitisation
• Possibility of making bill payment through other customers' accounts
• Further outsourcing of activities by vendor without permission
• VRM details not recorded: tel. no., date and time of call