Technology Audit - PowerPoint PPT Presentation

Inspace offers various IT services and provides applications for business needs and growth through specially designed IT audit and infrastructure services that help the client explore the power of technology.

INSPACE TECHNOLOGIES

IT audit (information technology audit)

An IT audit is the examination and evaluation of an organization's information technology infrastructure, policies and operations. Information technology audits determine whether IT controls protect corporate assets, ensure data integrity and are aligned with the business's overall goals. IT auditors examine not only physical security controls, but also overall business and financial controls that involve information technology systems. Because operations at modern companies are increasingly computerized, IT audits are used to ensure information-related controls and processes are working properly.

The primary objectives of an IT audit include:
  • Evaluate the systems and processes in place that secure company data.
  • Determine risks to a company's information assets, and help identify methods to minimize those risks.
  • Ensure information management processes are in compliance with IT-specific laws, policies and standards.
  • Determine inefficiencies in IT systems and associated management.

IT Infrastructure

IT infrastructure refers to the composite hardware, software, network resources and services required for the existence, operation and management of an enterprise IT environment. It allows an organization to deliver IT solutions and services to its employees, partners and/or customers and is usually internal to an organization and deployed within owned facilities.

Techopedia explains IT Infrastructure

IT infrastructure consists of all components that somehow play a role in overall IT and IT-enabled operations. It can be used for internal business operations or developing customer IT or business solutions. Typically, a standard IT infrastructure consists of the following components:
  • Hardware: Servers, computers, data centers, switches, hubs and routers, and other equipment
  • Software: Enterprise resource planning (ERP), customer relationship management (CRM), productivity applications and more
  • Network: Network enablement, internet connectivity, firewall and security
  • Meatware: Human users, such as network administrators (NA), developers, designers and end users with access to any IT appliance or service are also part of an IT infrastructure, specifically with the advent of user-centric IT service development.

Network Auditing

Network auditing is a must for any organization. Networks are dynamic entities; they grow, shrink, change and divide themselves continuously. Network administrators cannot even assume this process is entirely under their control. Users add devices and sometimes even new hardware to the network infrastructure. Even worse, it would not be the first time a user installed software they need without informing the administrator. These activities can have drastic repercussions on network security. To solve this, an administrator needs to perform regular network auditing and monitor any changes to the preset baseline.

Network auditing is a process in which your network is mapped both in terms of software and hardware. The process can be daunting if done manually, but luckily some tools can help automate a large part of the process. The administrator needs to know what machines and devices are connected to the network, and should also know what operating systems are running and to what service pack/patch level. Another point on the checklist should be what user accounts and groups are on each machine, as well as what shares are available and to whom. A good network audit will also include what hardware makes up each machine, what policies affect that machine and whether it is a physical or a virtual machine. The more detailed the specification the better.

Once the machines running on the network are mapped, the administrator should then move on to audit what software is running on each of the machines. This can be done manually, through an application, or simply by asking each machine owner to run a script that automatically catalogues applications and sends the administrator an email with a report of the software installed. After the software inventory is done, the process can then catalogue the services which are installed, which are running and which are stopped. The audit for the machines can be finalized by noting which ports each machine listens on and what software is actually running at the time of the audit.

Once the administrator concludes auditing the computers on the network, s/he can move on to cataloguing the devices. These can include printers, fax machines, routers, access points, network storage and any other device that has connectivity with the network. Once this is done, the network audit would be complete, but the data will now need to be analyzed. Is any machine running unauthorized software or hardware? Is any machine lacking necessary patches? After these and other questions relevant to each specific network are addressed, and machines that weren't up to standard are brought in line, the administrator has an effective security/inventory baseline for all machines on the network.

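
The baseline comparison described above, sketched in Python as an added example (not part of the original presentation). The inventory layout, host names, software names and patch IDs are constructed for illustration; real inventories would come from whatever audit tool or script collects them.

```python
# Added example: diff one audit run against the approved baseline.
# Host names, software names and patch IDs are constructed sample data.

# Categories where anything beyond the baseline is a finding.
ADDED_IS_FINDING = ("software", "accounts", "shares", "ports")

BASELINE = {
    "ws-001": {"software": {"office-suite", "av-agent"}, "accounts": {"alice", "it-admin"},
               "shares": set(), "ports": {445}, "patches": {"PATCH-001", "PATCH-002"}},
    "srv-file": {"software": {"av-agent", "backup-agent"}, "accounts": {"it-admin"},
                 "shares": {"finance"}, "ports": {445, 3389},
                 "patches": {"PATCH-001", "PATCH-002"}},
    "prn-02": {"software": set(), "accounts": set(), "shares": set(),
               "ports": {9100}, "patches": set()},
}

CURRENT = {
    "ws-001": {"software": {"office-suite", "av-agent", "torrent-client"},
               "accounts": {"alice", "it-admin"}, "shares": {"public"},
               "ports": {445, 8080}, "patches": {"PATCH-001"}},
    "srv-file": BASELINE["srv-file"],   # unchanged since the baseline
    "ap-lobby": {"ports": {80}},        # device a user added to the network
}


def audit_host(name, current, baseline):
    """Return (host, finding, detail) tuples for one machine or device."""
    if baseline is None:
        return [(name, "unknown-device", "")]
    findings = []
    for cat in ADDED_IS_FINDING:
        extra = current.get(cat, set()) - baseline.get(cat, set())
        findings += [(name, f"unapproved-{cat}", str(x)) for x in sorted(extra, key=str)]
    missing = baseline.get("patches", set()) - current.get("patches", set())
    findings += [(name, "missing-patch", p) for p in sorted(missing)]
    return findings


def audit_network(current, baseline):
    """Audit every host seen now, then list baseline hosts that were not seen."""
    findings = []
    for name in sorted(current):
        findings += audit_host(name, current[name], baseline.get(name))
    findings += [(n, "not-seen", "") for n in sorted(set(baseline) - set(current))]
    return findings


if __name__ == "__main__":
    for host, finding, detail in audit_network(CURRENT, BASELINE):
        print(f"{host:10} {finding:20} {detail}")
```
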
ERP Software Consulting and Implementation Project Management

Inspace ERP software or IT consulting and IPM service is a full-fledged hand-holding program which encompasses the following:
  • Identifying the product/vendor based on business need/budget
  • Creating a roadmap for implementation
  • Creating a Project Management Office (PMO) team to implement as per the roadmap
  • Facilitating and training the users on the adoption of new technology through a Change Management process

What is ERP Consulting?

Inspace selects a few ERP products and solutions that are available in the market and suitable for the client's business needs, and evaluates them for use by the client, based on the technological environment.

Process

The IT infrastructure is studied and the business process of the client is understood before implementation. Requirements are analysed and documented. The project scope is defined. Then different products and solutions are analysed meticulously, and the chosen products go through several steps before implementation. The basic functionality of the product and the technology on which the product is based are considered. The vendor who supplies the product/solution is examined closely and checked for efficiency and reliability of product delivery. The prices of different products and solutions are also examined in great detail and the best deal is obtained for the clients for implementation.

Technology Audit

What is Technology Audit?

A Technology Audit is an auditing service done to understand the present technology utilization level of an organization. This is very similar to an Accounting Audit that is conducted in almost every company. It provides a benchmark for where the business is now in terms of technology. The audit can help identify strengths and weaknesses. It's really a snapshot of the organization's technology infrastructure. The evaluation of the collected evidence determines if the information technology is operating effectively and efficiently to achieve the organization's business goals or objectives.

Why do we need to do a Technology Audit?

The Technology Audit for organizations from any domain is a MUST to ensure optimum performance in the day-to-day operations and decision making. It helps the organization to understand and utilize technology MORE EFFECTIVELY. The success of this audit is that it does not recommend investing more; rather, it helps to get more out of existing technology investments.

Our Technology Audit includes various components and addresses the critical and major pain points of different IT areas as detailed below.

Power Infrastructure Audit
  • Sudden power failure of UPS
  • Over-utilisation and under-utilisation of UPS capacity
  • UPS power cabling issues
  • Battery backup for the load applied
  • Climate control measures taken up for the UPS and battery placement
  • Fire hazards that pose a potential threat to the environment

Audit Recommendations
  • Safe and climate-controlled placement of UPS and batteries
  • Overloading or underloading of UPS
  • Possible resolution of UPS issues

Network Infrastructure Audit
  • Network speed drops
  • Sudden connectivity failure with devices
  • Wireless signal strength issues
  • Network architecture and design
  • Cable routing and type of cables being utilised
  • Active and passive network components

Audit Recommendations
  • Network architecture design as per best practices
  • Cabling standards and routing
  • Network equipment safe placement environment
  • Active and passive (wired and wireless) components maintenance
  • High-availability setup for minimal downtime
  • Possible resolution of network performance issues

Internet/Intranet Connectivity Audit
  • Internet connectivity speed drops
  • Failover and load-balancing setup
  • Bandwidth utilisation
  • Unauthorised usage of internet services
  • Content filtering to avoid certain categories of websites
  • Firewall setup (policies for allowing/disallowing the users' access to websites)
  • Email services (unauthorised sending of emails, blocking of attachments, controlling size or type of attachments)

Audit Recommendations
  • Internet bandwidth usage requirements
  • Restriction of unauthorised bandwidth usage
  • Load balancing and failover configuration
  • Email filtering for data monitoring
  • Firewall policies for optimal security

  • Increased downtime of servers
  • Recovery from crash (both physical and virtual)
  • Storage space management
  • Operating system compatibility issues
  • Automated backup and restoration of the backed-up data
  • Performance of server, storage and backup equipment for optimum operations

Audit Recommendations
  • Optimal configuration for servers based on the user load
  • Storage technology and space based on usage and forecast
  • Best-practice backup and restoration process
  • Maintenance of server equipment for minimal downtime
  • Possible resolution of server, storage and backup issues

Desktop, Laptop and Thin Clients Audit
  • Recovery from crashes and minimising the downtime
  • Repair / replacement and upgrade spares availability
  • Standard hardware configuration across the organisation
  • End-to-end audit or sampling audit can be scoped as required

Audit Recommendations
  • Optimal configuration for desktops/laptops based on the usage parameters
  • Maintenance of desktops/laptops including spares as per best practices
  • Asset tagging maintenance
  • Possible resolution of desktop/laptop issues

Core Application (ERP / SW) Audit
  • Using MS Excel to take reports after investing in ERP
  • Utilisation levels of the application by users (module-wise)
  • Scope for improvement areas
  • Functional audit on the mapping of the business requirement to the functionality
  • Technical audit on the coding (coding standards and best practices)

Audit Recommendations
  • Fitment of the existing application vis-à-vis the business process
  • Utilisation levels of the existing application department/module-wise
  • Module-wise recommendations for optimal usage
  • Technical architecture design as per best practices
  • Coding methodology as per best practices

SW License Compliance Audit
  • Unauthorised usage of software by staff
  • Legal compliance issues due to pirated applications
  • Find actual gaps in the license
  • Identify open source alternatives to reduce investments

Audit Recommendations
  • Identification of unlicensed software and gaps in available licenses
  • Recommendation on open source / freeware alternatives

IT Data Security Audit
  • Vulnerable network
  • USB / email data leakage
  • Physical security (entry/exit registering, CCTV surveillance)
  • End-to-end logical security (including VA-PT audits)
  • Data and equipment theft

Audit Recommendations
  • Recommendation for mitigating VA-PT gaps
  • Harden server environment for robust security
  • Firewall policy and monitoring
  • Recommendations for physical security as per best practices

Key User Audit
  • Collective view of the key users driving the organisation
  • Understand training requirements
  • Identify the key expectations of the majority of stakeholders

Audit Recommendations
  • Key users' knowledge level for utilising the technology investment of the company
  • Recommendation for areas of training required by key users

Vulnerability Assessment and Penetration Testing

Vulnerability Assessment services are a series of tests performed on a system to identify the vulnerability of the system. This is a security assessment conducted to understand the vulnerabilities; through this process the vulnerabilities are identified and exposed to the security experts, who in turn are able to quantify and prioritise them. Basically, a vulnerability of a system refers to the inability of the system to withstand a hostile threat to its environment and the effects that may be caused by this hostile attack.

Vulnerability assessment has many things in common with risk assessment. Wiki states that assessments are typically performed according to the following steps:
  • Cataloguing assets and capabilities (resources) in a system
  • Assigning quantifiable value (or at least rank order) and importance to those resources
  • Identifying the vulnerabilities or potential threats to each resource
  • Mitigating or eliminating the most serious vulnerabilities for the most valuable resources

Penetration Test (PT)

Penetration Tests are different from vulnerability assessment services, in that they simulate an actual attack on a computer system or network as it would have been from an external or internal threat. By this method we are able to evaluate the computer or network's security levels based on the defined objective of the test. Thus a vulnerability penetration test can help determine whether a system is vulnerable to attack, if the defences were sufficient and which defences (if any) were defeated in the penetration test.

Why is VA-PT required?

As new technologies emerge and change the IT scenario, corporates face newer audit and security challenges. Businesses that transact over the internet are at high risk, though other companies are also at risk when exposed to external networks. Many unforeseen traps with multiple vulnerabilities and numerous threats manifest themselves at the least expected time and place. To take up such challenges and address them, a robust system with appropriate security policies, adequate controls, and periodic review and monitoring must be in place to protect the organisation's information assets. Hence it is highly recommended to carry out an in-depth Network Assessment comprising VA-PT audits periodically, to ensure software compliance with the controls established and the policies set in the organisation, and further to evaluate whether they are adequate to address all the threats.

What Do We Gain by VA-PT?
  • In-depth testing of IT infrastructure leads to an understanding of the effectiveness of the security systems in place
  • Testing the ability of network defenders to successfully detect and respond to attacks
  • Enables planned investment to secure the IT setup, resulting in better ROI
  • Helps to identify the security gaps and secure them
  • Focus on and prioritise high risks and threats rather than false encounters
  • Optional Software Assessment to understand the vulnerabilities within
  • Process and policy in place help to run regular and periodic tests
  • Assessing the magnitude of potential business and operational impacts of successful attacks