How To Write A Bank Audit


PROPOSAL FOR KNF RECOMMENDATION D COMPLIANCE AUDIT
relating to bank information technology management and security of IT infrastructure
www.bakertilly.pl

INTRODUCTION

Recommendation D is a set of 22 recommendations issued by the KNF (Polish Financial Supervision Authority) and divided into the following areas:
- strategy and organisation of the IT area and security of IT infrastructure
- development of IT infrastructure
- maintenance and operations of IT infrastructure
- management of IT infrastructure security

The detailed scope of each area is set out in the Recommendation List section below. Implementing Recommendation D requires an initial, thorough verification of the as-is situation regarding the maintenance of IT systems, followed by adjustments to meet the KNF requirements. The aim of this proposal is to support your bank in meeting the Recommendation D requirements. The KNF requires banks to implement Recommendation D no later than 31 December 2014.

DETAILS OF THE PROJECT

A Recommendation D implementation project consists of the following main phases:
1. Identification and documentation of the AS IS situation
2. Gap identification and analysis
3. Proposal of a remedial process
4. Monitoring of the remedial process implementation
5. Audit report preparation and delivery

Phase 1: Identification and documentation of the AS IS situation

The goal of this phase is to analyse the AS IS processes relating to the development of applications and IT infrastructure, and to the maintenance and security of IT systems. Phase 1 covers the collection of the documentation currently in force in the bank, specifically procedures, processes, instructions, regulations and the records proving that the procedures are applied in daily practice. After the documentation has been analysed, interviews will be conducted with bank representatives from the units responsible for IT infrastructure and from the business units that cooperate directly with IT (e.g. development units at every level of the bank's organisational structure).

Deliverable for Phase 1: a report describing the AS IS analysis of the IT areas covered by Recommendation D.

Phase 2: Gap identification and analysis

The goal of this phase is to analyse the tools and procedures already implemented and currently functioning, and to compare them with the requirements of Recommendation D.

Deliverable for Phase 2: a report describing the gaps against the Recommendation D requirements, together with a risk analysis of the relevant IT areas. The report will address every Recommendation D requirement and evaluate the maturity of each process by reference to the Deming cycle (Plan-Do-Check-Act).

The evaluation of every recommendation will cover the existence of tools, their completeness and effectiveness, evidence that the tools and procedures are actually operated, and the level of staff competence and awareness. The result will be an evaluation of each area at every level of the bank's organisation. The risk analysis will be conducted using a proven methodology of risk evaluation in the IT areas specified by Recommendation D.

Phase 3: Proposal of the remedial process

The goal of this phase is to plan a process that remedies the areas evaluated as insufficient to meet the Recommendation D requirements. Several scenarios for carrying out the project will be presented.

Deliverable for Phase 3: a description of the plan for carrying out the remedial process and a proposed project schedule.

Phase 4: Monitoring of the remedial process implementation

The goal of this phase is to support the implementation of the remedial project with project management and with security and network-security expertise.

Deliverable for Phase 4: weekly reporting on the implementation progress.

Phase 5: Audit report preparation and delivery

The goal of this phase is to verify the effectiveness of the implemented tools against the requirements of Recommendation D.

Deliverable for Phase 5: a final audit report.

PROJECT SCHEDULE

No.  Task name                                              Duration                                                   Deliverable
1    Identification and documentation of AS IS situation    3 weeks                                                    AS IS report
2    Gap identification and analysis                        3 weeks                                                    Evaluation report
3    Proposal of a remedial process                         2 weeks                                                    Remedial plan
4    Monitoring the remedial process implementation         TBD, depending on the accepted scope of the realisation
5    Final audit report                                     3 weeks

PRICE OF SERVICES

As the scope of work will be specific to every client, the price will be estimated after an initial analysis and after the scope of the specific project has been agreed. The price estimate will be delivered within 4 working days of receiving all the information necessary to calculate it.

COMPETENCES

The team dedicated to the project is composed of staff experienced in project implementations in banks in the following areas:
- IT security management
- IT project management
- IT maintenance
- IT architecture
- IT system administration
- Server and database administration
- Network administration
- Access management

The team composition is based on the individual requirements of each project.

RECOMMENDATION LIST

The following section lists the recommendations required by the KNF under Recommendation D.

Strategy and organisation of the IT area and security of IT infrastructure

Recommendation 1. The Bank's Supervisory Board should supervise the IT area and IT infrastructure security, and the Bank's Management Board should ensure effective and correct management of these areas.

Recommendation 2. The Bank should have an information management system in the area of IT and IT security that provides every recipient of such information with an adequate level of knowledge of the area.

Recommendation 3. The Bank should define and implement an IT and IT security strategy consistent with the Bank's business strategy.

Recommendation 4. The Bank should define the rules of cooperation and the scope of responsibilities of the business, IT and IT security areas, so as to allow effective and secure use of the Bank's IT infrastructure.

Recommendation 5. Organisational solutions and HR resources in the area of IT infrastructure should be appropriate for the Bank's profile and should enable the Bank to accomplish its tasks in these areas effectively.

Development of IT infrastructure

Recommendation 6. The Bank should have formal rules for conducting IT infrastructure projects, appropriate for the scale and type of the projects conducted.

Recommendation 7. The Bank's IT systems should be developed and enhanced in a way that supports its operations and takes IT systems security into account.

IT infrastructure maintenance and operations

Recommendation 8. The Bank should have formal rules for managing the data used in its banking activities, covering management of data architecture and data quality and providing adequate support for the Bank's activity.

Recommendation 9. The Bank should have formal rules for IT infrastructure management, so that its architecture, its components (configuration management), capacity management and documentation provide adequate support for banking activities and for the security of the processed data.

Recommendation 10. The Bank should have formal rules of cooperation with external IT service providers, ensuring data security and correct functioning of the IT infrastructure; this also covers services provided by entities belonging to the Bank's capital group.

Recommendation 11. The Bank should have formal rules, technical mechanisms and tools that provide an adequate level of control over logical access to data and information and over physical access to the key components of the IT infrastructure.

Recommendation 12. The Bank should provide an adequate level of protection of its IT infrastructure against malicious software.

Recommendation 13. The Bank should provide internal users of IT systems with support in problem solving and incident management concerning maintenance and operations, specifically in the case of disruptions and unexpected events that prevent normal use of the systems.

Recommendation 14. The Bank should take the necessary steps to achieve and maintain an adequate level of staff qualifications regarding the IT infrastructure and the data and information processed in the Bank.

Recommendation 15. The Bank's business continuity management system should take into account the IT infrastructure and the data processed in it.

Recommendation 16. If the Bank provides services through electronic channels, it should have adequate technical and organisational solutions for verifying the identity of clients and for securing the data and assets of clients. The Bank should educate its clients on the rules of safe use of its electronic channels.

Recommendation 17. The Bank should have formal rules for the management of end-user (desktop) software that effectively mitigate the risk arising from its use.

Recommendation 18. The Bank should have a formal, effective security management system covering the identification, evaluation, control, mitigation and reporting of risk in this area. The security management system should be integrated with the Bank's reporting system.

Recommendation 19. The Bank should classify information and information systems according to rules that ensure adequate security levels.

Recommendation 20. The Bank should have formal rules for security incident management, covering identification, registration, analysis, prioritisation, search for solutions, remedial actions and removal of root causes.

Recommendation 21. The Bank should ensure that its IT infrastructure complies with legal requirements, internal and external regulations, signed contracts and the standards adopted within the Bank.

Recommendation 22. The IT area and IT security should be subject to regular independent audits.

ABOUT US

We are a leading professional services firm of accountants, auditors, business and tax advisers and IT specialists. As independent members of Baker Tilly International, we are committed to providing the best possible service to our clients in Poland and beyond, using our knowledge, experience and the global resources of Baker Tilly International. With over 400 professional staff serving multinational and domestic clients in Poland, the Czech Republic and Slovakia, we have earned an enviable reputation for the quality of our services, our proactive approach, technical excellence and focus on communication and reporting. We apply strategic thinking to get the best for every client from every service.

We provide solutions:
- in Poland, from our offices in Warsaw, Wrocław, Kraków and Łódź
- in Central Europe, providing seamless integration of solutions across our Polish offices and our offices in Prague and Brno in the Czech Republic and in Bratislava in the Slovak Republic
- globally, as an independent member of Baker Tilly International

Contact us:

Agnieszka Frommholz, IT Group Director
T +48 22 295 30 00, DL +48 22 295 30 20, M +48 502 192 272
E afrommholz@bakertilly.pl

Dariusz Stefaniuk, Project Manager
T +48 22 295 30 00, DL +48 22 295 30 11, M +48 601 322 170
E dstefaniuk@ca-staff.eu

Dawid Woś, Account Manager
T +48 22 295 30 00, DL +48 22 295 30 24, M +48 607 660 065
E dwos@ca-staff.eu

Headquarters
Baker Tilly Poland Sp. z o.o.
ul. Hrubieszowska 2, 01-209 Warszawa
T: +48 22 295 30 00, F: +48 22 295 30 01

Other offices
Wrocław: ul. Legnicka 51/53, 54-203 Wrocław; T: +48 71 733 13 00, F: +48 71 733 13 01
Kraków: ul. Smoleńsk 18/1, 31-112 Kraków; T: +48 12 334 91 00, F: +48 12 334 91 01
Łódź: ul. Nawrot 114, 90-029 Łódź; T: +48 42 671 85 60, F: +48 42 671 85 61

contact@bakertilly.pl
www.bakertilly.pl