How To Write A Bank Audit

Transcription

1 PROPOSAL FOR KNF RECOMMENDATION D COMPLIANCE AUDIT relating to bank information technology management and security of IT infrastructure

2 INTRODUCTION Recommendation D is a collection of 22 recommendations issued by KNF and divided into the following areas: - strategy and organisation of information technology areas and...security of IT infrastructure - development of IT infrastructure - maintenance and operations of IT infrastructure - management of IT infrastructure security. The detailed scope relating to the areas mentioned above is set out below in Section 6 Recommendations List. Implementation of Recommendation D requires an initial process of thorough verification of the as-is situation relating to the maintenance of IT systems, followed by adjustment to meet KNF requirements. The aim of this proposal is to support your bank in the process of meeting these Recommendation D requirements. KNF requires banks to implement Recommendation D not later than by 31 December 2014.

3 DETAILS OF THE PROJECT The following scheme shows the main phases of a Recommendation D implementation project. Identification and documentation of AS IS situation Gap identification and analysis Proposal of a remedial process Monitoring of a remedial process implementation Audit report preparation and delivery

4 DETAILS OF THE PROJECT Phase 1 Identification and documentation of AS IS situation The goal of this phase is analysis of the AS IS processes relating to the development of applications and IT infrastructure, as well as the maintenance and security of IT systems. Phase 1 covers the collection of documentation currently operating in the bank, specifically procedures, processes, instructions, regulations and records proving that the procedures are used in daily practice. After the analysis of documentation, interviews with bank representatives from the units responsible for IT infrastructure as well as the business units that cooperate directly with IT (e.g. development units on every level of the organisational structure of the bank) will be conducted. Deliverable for Phase 1: A report describing AS IS analysis in IT concerning areas covered by Recommendation D. Phase 2 Gap identification and analysis The goal of this phase is to analyse the tools and procedures which are already implemented/currently functioning and compare these with the requirements of Recommendation D. Deliverable for Phase 2: A report describing gaps as compared to Recommendation D requirements and a Risk Analysis in the relevant IT areas. The report will address every Recommendation D requirement and evaluate the maturity of the process by reference to the Deming cycle illustrated below

5 DETAILS OF THE PROJECT The report will cover evaluation of every recommendation including existence of tools, their completeness and efficiency, evidence of the tools and procedures operation, and level of staff competences and consciousness. The result will be evaluation of specific areas on every level of the organisation in the bank. The Risk Analysis will be conducted based on a proven methodology of risk evaluation in the IT areas specified by Recommendation D. Phase 3 Proposal of the remedial process The goal of this phase is to plan a process to remedy the areas evaluated as not sufficient to meet Recommendation D requirements. Several scenarios of project realisation will be presented. Deliverable for Phase 3: A description of the remedy process realisation plan and a proposed project schedule. Phase 4 Monitoring of the remedial process implementation The goal of this phase is to support the project implementation through project management, security management and network security. Deliverable for Phase 4: Weekly reporting on the implementation progress. Phase 5 Audit report preparation and delivery The goal of this phase is to conduct efficiency verification of implemented tools in line with the requirements of Recommendation D. Deliverable for Phase 5: A final audit report.

6 PROJECT SCHEDULE No. Task name Duration 1 Identification and documentation of AS IS situation 3 weeks AS IS report 2 Gap identification and analysis 3 weeks Evaluation Report 3 Proposal of a remedial process 2 weeks Remedial Plan 4 Monitoring the remedial process implementation TBD depending on the accepted scope of the realisation 5 Final audit report 3 weeks PRICE OF SERVICES As the scope of work will be specific to every client, the price will be estimated after initial analysis and after agreeing the scope of a specific project. The price evaluation will be delivered within 4 working days after receiving all relevant information necessary to calculate the price.

7 COMPETENCES The team dedicated for the project realisation is composed of staff experienced in project implementations in banks in the following areas: IT security management IT project management IT maintenance IT architecture IT system administration Servers and database administration Network administration Access management The team composition is based on the individual requirements of a project. RECOMMENDATION LIST The following section sets out the list of recommendations required by KNF under Recommendation D. Strategy and organisation of IT infrastructure and security of IT infrastructure Recommendation 1 The Bank Supervisory Board should manage IT areas and IT infrastructure security, and the Bank Management Board should provide tools for efficient and correct management.

8 RECOMMENDATION LIST Recommendation 2 The bank should have an information management system in the area of IT and IT security, providing every recipient of such information with an adequate knowledge level of the area. Recommendation 3 The Bank should define and implement an IT and IT security strategy in accordance with the Bank s strategy. Recommendation 4 The Bank should define the rules of cooperation and the scope of responsibilities in the business, IT technology and IT security. This should provide an effective and safe level of resource for Bank IT infrastructure. Recommendation 5 Organisational solutions and HR resources in the area of IT infrastructure should be appropriate for the Bank s profile and should enable the Bank to accomplish tasks in these areas effectively. Development of IT infrastructure Recommendation 6 The Bank should have formal rules of conducting IT infrastructure projects appropriate for the scale and type of projects which are conducted. Recommendation 7 The Bank s IT systems should be developed and enhanced in a way which supports its operations and taking into account IT systems security.

9 RECOMMENDATION LIST IT infrastructure maintenance and operations Recommendation 8 The Bank should have formal rules of data management used in its banking activities, covering management of architecture, management of data quality and providing adequate support for the Bank s activity. Recommendation 9 The Bank should have formal rules for IT infrastructure management, so that its architecture, its components (configuration management), capacity management and documentation provide adequate support for banking activities and security of processed data. Recommendation 10 The bank should have formal rules of cooperation with external IT services providers, ensuring data security and correctness of IT infrastructure functioning, including also services provided by the units which are part of the Bank s holding capital. Recommendation 11 The Bank should have formal rules and technical mechanisms and tools providing an adequate level of logical access to data and information and physical access to the key IT infrastructure components. Recommendation 12 The Bank should provide an adequate level of IT infrastructure protection against malicious software. Recommendation 13 The Bank should provide internal users of IT systems with support in the scope of problem solving and incident management concerning maintenance and operations, specifically in the case of disruptions and unexpected events disrupting the normal usage of systems.

10 RECOMMENDATION LIST Recommendation 14 The Bank should take necessary steps in order to achieve and maintain an adequate level of staff qualifications in the context of IT infrastructure and data and information processed in the Bank. Recommendation 15 The Bank System for business continuity should cover conditions concerning IT infrastructure and data processed by these systems. Recommendation 16 If the Bank provides services by electronic channels, the Bank should have adequate technical and organisational solutions providing verification of identity and security of data and clients assets. The Bank should educate its clients about rules of safe usage of bank electronic channels. Recommendation 17 The Bank should have formal rules of desktop software management, efficiently securing and mitigating the risk related to software exploitation. Recommendation 18 The Bank should have a formal, efficient security management system, covering activities related to identification, evaluation, control, mitigation and reporting of risk in this scope. The security management system should be integrated with the reporting system in the Bank. Recommendation 19 The Bank should classify information and information systems in accordance with rules required for adequate security levels.

11 RECOMMENDATION LIST Recommendation 20 The Bank should have formal rules of security incident management, covering identification, registration, analysis, prioritisation, solution searching and taking remedial actions and removal of causes. Recommendation 21 The Bank should provide compatibility of IT infrastructure with legal requirements, internal and external regulations, signed contracts and standards adopted within the Bank. Recommendation 22 IT technology areas and IT security should be subject to regular independent audits.

12 ABOUT US We are a leading professional service firm of accountants, auditors, business and tax advisers and IT specialists. As independent members of Baker Tilly International, we are committed to providing the best possible service to our clients in Poland and beyond using our knowledge, experience and the global resources of Baker Tilly International. With over 400 professional staff serving multinational and domestic clients in Poland, the Czech Republic and Slovakia, we have earned an enviable reputation for our quality of services, proactive approach, technical excellence and focus on communication and reporting. We make sure to apply strategic thinking to get the best for every Client from every service. We Provide Solutions: In Poland from our offices across the country in Warsaw, Wrocław, Kraków and Łódz In Central Europe providing seamless integration of solutions in our Polish offices and also in Prague and Brno in the Czech Republic and in Bratislava in the Slovak Republic Globally as an independent member of Baker Tilly International. Contact us: Agnieszka Frommholz IT Group Director T DL M E [email protected] Dariusz Stefaniuk Project Manager T DL M E [email protected] Dawid Woś Account Manager T DL M E [email protected]

13 Headquarter Baker Tilly Poland Sp. z o.o. ul. Hrubieszowska Warszawa Other offices Wrocław ul. Legnicka 51/ Wrocław Kraków ul. Smoleńsk 18/ Kraków Łódź ul. Nawrot Łódź T: F: T: F: T: F: T: F: [email protected] Join our group