
Project Report of DISA 2.0 Course


CERTIFICATE

Project report of DISA 2.0 Course

This is to certify that we have successfully completed the DISA 2.0 course training conducted at:

____________________________________________ from ______________ to ____________

and we have the required attendance. We are submitting the Project titled:

____________________________________________________________________________

We hereby confirm that we have adhered to the guidelines issued by CIT, ICAI for the
project. We also certify that this project report is the original work of our group and each
one of us has actively participated and contributed in preparing this project. We have
not shared the project details or taken help in preparing the project report from anyone
except members of our group.

1. Name……….……………………………….…… DISA No………........ Signed…………………….…………
2. Name……….……………………………….…… DISA No………........ Signed…………………….…………
3. Name……….……………………………….…… DISA No………........ Signed…………………….…………
Place: ____________

Date: _____________
Table of Contents

Details of Case Study/Project (Problem)

Project Report (solution)


1. Introduction
2. Auditee Environment
3. Background
4. Situation
5. Terms and Scope of assignment
6. Logistic arrangements required
7. Methodology and Strategy adapted for execution of assignment
8. Documents reviewed
9. References
10. Deliverables
11. Format of Report/Findings and Recommendations
12. Summary/Conclusion
Project Report

Title:_______________________________________________

A. Details of Case Study/Project (Problem)

B. Project Report (solution)

1. Introduction
A. Please provide, in one or two paragraphs, your understanding of the auditee
(covering nature of business, organisation structure, technology infrastructure,
policies and procedures, etc.).

B. Please provide one or two paragraphs about the audit firm (fictitious name),
including your experience, team composition, skill-sets and team leader. Please do not
include the actual names of group members as members of the assignment team in the
project report, so as to maintain the confidentiality of the project.

2. Auditee Environment
Please provide complete details of the nature of business, organisation structure and
technology deployed. The technology deployed must include information on system
software, database and application software. Provide specific details of regulatory
requirements and an overview of specific internal policies and procedures, such as the
information security policy. This has to be as detailed as possible. Please make
suitable assumptions and add more details as required.

3. Background
Please provide details highlighting the client's need for the assignment. Provide the reasons
why the enterprise wants the assignment to be done, in 2-3 paragraphs.

4. Situation
Please provide details of the existing scenario which has given rise to the need for the
assignment. Provide all the details of the current situation, including the identified
problem areas and control weaknesses.

5. Terms and Scope of assignment
Please provide details of the terms and scope of the assignment, clearly identifying the
areas being reviewed or the area in which consulting is required.

6. Logistic arrangements required

Please provide details of the logistics required for execution of the assignment, including
hardware, system software, application software, data, documentation, etc. Please
include details of any CAAT tools used.

7. Methodology and Strategy adapted for execution of assignment

Please provide details of the structured methodology, adapted from ICAI
standards/guidelines, international standards/guidelines and best practices as relevant
for the assignment. This may include how the standards, guidelines and best practices
are used for preparing the specific audit plan, audit program or detailed audit procedures.

8. Documents reviewed
Please provide a list of sample documents reviewed during the assignment, such as the
information security policy, organisation structure, vendor contracts or SLAs, access
matrix, audit findings, etc. These documents will be the basis for the review and, coupled
with all the prior information, can be used for identifying control weaknesses and
providing recommendations.

9. References
Please provide a list of the specific standards, guidelines and best practices or other
references to be used in performing the assignment. Please include references to
specific sections of the background material, ICAI and international
standards/guidelines/best practices, and websites or publications used in the
assignment.

10. Deliverables
Please provide details of the specific deliverables of the assignment. These would include
the draft IS Audit Report, final IS Audit Report, executive summary, detailed findings
and recommendations, etc.

11. Format of Report/ Findings and Recommendations
Please provide the report in the standard/specific format as required. Each of the findings is
also to be provided in the standard/specific format. You may adapt this from best
practices or customize it as required.

12. Summary/Conclusion
Please provide an overall summary/conclusion of the assignment. This could be in two to
three paragraphs.

Objectives of ensuring traffic flow as quickly as possible:

• Operations backup activated, including general stand-by and Traffic Management team. (Responsibility: Operations Manager)
• Traffic management resources and installations to be available at all times. (Responsibility: Operations Manager)
• Traffic management operational plans for the convoy vehicle plan, shut-off vehicle and stop/go scenarios to be reviewed. (Responsibility: Operations Manager)
• Liaison with emergency services and statutory agencies. (Responsibility: Operations Manager)
• Assessment made on accommodation provision. (Responsibility: Business Manager)
• Review of remote secure server access requirements. (Responsibility: ICT Manager)
• Staffing assessment made, including emergency stand-by/key staff review and temporary stand-down of non-essential staff. (Responsibility: Operations, Engineering Services & Business Managers)
• Review of key staff transit arrangements, including an assessment of the policy protocol. (Responsibility: Operations Manager)
• Crisis communications plan activated, including key personnel contacts and media briefings. (Responsibility: Communications Manager)
• Contact insurance section for advice. (Responsibility: Business Manager)
• Availability of core maintenance procedures, documents, plans and back-up arrangements, including contact with contractors by area/function. (Responsibility: Engineering Services Manager)

12. Conclusion

The project is aimed at highlighting the security and control weaknesses in the existing ETC system. However, due to the advancement of technology, it is recommended that an ETC system using RFID technology be studied and implemented. RFID, once implemented, will facilitate tracking all kinds of vehicles and minimizing revenue leakages, thereby eliminating the control weaknesses in the legacy systems. Further, on the operational side, it will eliminate the long queues at the manual counters, increase efficiency, and promises to be a highly stable technology. With the elimination of human interaction in the entire toll collection process, a better ETC system can be created. It can also significantly improve the efficiency of the toll stations and the traffic capacity of the toll road.
Vulnerabilities

Listed below are the application security vulnerabilities discovered during the
assessment. These are considered significant and steps should be taken to address
them.

Sensitive information within the database is not encrypted

Explanation

Sensitive information in databases can be encrypted to protect confidentiality. If an
attacker gets unauthorized access to the database, sensitive information still cannot be
read.

Risk
If an attacker gains access to the database, sensitive information stored in the database
can be viewed and modified.

Recommendations

• Examine changes required to support encrypted database tables.

• Modify web and database software to work with encrypted data.

• Safely store and protect the encryption keys.
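One way to realise the three recommendations above (encrypting the sensitive column, having the application work with the stored ciphertext, and keeping the key outside the database), written as an added Go example that is not part of this report or the auditee's system; the transaction id, the payment reference and the key are constructed placeholders, and the key is assumed to be supplied from a store outside the database:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newGCM builds an AES-256-GCM instance from a 32-byte key. The key must come
// from outside the database (KMS, HSM or a protected file), never from a column.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one sensitive column value (e.g. the payment reference of a
// toll transaction). The row's transaction id is bound as associated data, so a
// ciphertext copied into another row will not decrypt there.
// Stored layout of the column value: nonce || ciphertext || tag.
func EncryptField(key []byte, txnID, plaintext string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(plaintext), []byte(txnID)), nil
}

// DecryptField reverses EncryptField; a wrong key, a tampered value or a
// mismatched transaction id returns an error instead of silent garbage.
func DecryptField(key []byte, txnID string, stored []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(stored) < gcm.NonceSize() {
		return "", errors.New("stored value shorter than nonce")
	}
	pt, err := gcm.Open(nil, stored[:gcm.NonceSize()], stored[gcm.NonceSize():], []byte(txnID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

A database dump then exposes only the nonce and ciphertext bytes of the column; reading the value requires both the key held outside the database and the matching row id.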

ABC TOLL COMPANY

Source code for the application has not been received.

Explanation

Any application that is developed has source code of its own; it is like a master
document that records all the coding and programming used in making the
application. When purchasing third-party software or applications, one needs to make
sure that the company obtains the source code along with the application.
Source code is required for future maintenance and updating of the application/software.

Risk

In the absence of the source code, maintenance and updating of the application would
not be possible. Consider an example: suppose the vendor from whom the application was
purchased is, for some reason, no longer available (e.g. bankruptcy). If any other party
then wants to carry out maintenance or other updating activities, they would not be able
to do so without the source code of the application. In such a case, the application would
be rendered completely useless.

Recommendations

The company should ask the vendor for the source code of the application, as it is very
much required. The company may even sign a non-disclosure agreement with the vendor
if the vendor insists on one.

SECURITY AND CONTROL RISK ASSESSMENT REPORT

Physical Security

ABC Toll Company has toll booths, a toll plaza, a main server building and a back-up
server building. These are the main points of concern for the company when it comes
to physical security.

Following are some of the concerns that were observed during our exercise:

Vulnerabilities

Listed below are the physical security vulnerabilities discovered during the
assessment. These are considered significant and steps should be taken to
address them. The list is divided into groups of vulnerabilities relating to the
building, the security perimeter and the server rooms. The building group contains
vulnerabilities within the ABC TOLL COMPANY office. The security perimeter
group includes the exterior office windows, doors, alarm system and the
surrounding area. The server room group is specific to rooms containing server
equipment.

1. Introduction

A. ABC Toll Company is a toll bridge authority set up by the Government of India. The company is responsible for managing the Bangalore–Hassan Toll Bridge. It is a fully owned government company and has mainly been divided into the Operations Department, the IT Department and the Security Department. The company follows a three-tier management system, i.e. the top-level management, the departmental heads, and the operators and other employees at the bottom level. The IT infrastructure of the company includes high-end devices including mini-computers, cameras at the toll booths, workstations, a main server as well as a backup server, UPS and generators; smoke detection systems have also been installed. The company has a system of maintaining full transaction logs, starting from when a vehicle enters a toll booth lane and ending after it exits, along with photographs.

B. "PQR & Affiliates LLP" is a chartered accountancy firm registered with the Institute of Chartered Accountants of India (ICAI), having its head office at Bangalore. We have five years of experience in providing quality services to our clients. We have a team of three full-time practising Chartered Accountants as partners, two Chartered Accountants as full-time employees, two MCAs as employees for systems development and maintenance, two interns pursuing the BCA course, and thirteen articled clerks working in our organisation. Two of the partners are DISA-certified professionals, of whom Mr. Abdul James Patel shall lead the assignment related to ABC Toll Company.
