Implementation process
We will provide an independent assessment of how your project is tracking when compared to the approved plan for implementation. The review will independently identify any variations or omissions which may impact the successful completion of the project. The effectiveness of the project controls will be assessed and, if required, recommendations provided to ensure, where possible, that all exposures are minimised.

Implementation planning
The review will assess the implementation plan for the project to ensure that all risks which may impact the successful completion of the project have been identified and appropriate controls defined. The reliance on the project implementation plan as a tool to control the successful completion of the project is based on several key assumptions with regard to completeness and accuracy. This review is intended to identify any weaknesses in the project implementation plan, to provide recommendations for improvement, and to reassure management as to the suitability of the plan in achieving the desired outcome, namely the successful completion of the project.

Data conversion
The review of Data Conversion is in two parts. Firstly, the data conversion plan is reviewed to assess the adequacy of the controls proposed and, secondly, following conversion, an independent assessment is provided as to the completeness and accuracy of the process.
The conversion of data carries a high risk of error or omission. Standard input and process controls are often not enforced as part of the data conversion process. The successful implementation of a project, where there is a component of data conversion, is reliant on the accuracy and completeness of the conversion process. The review of Data Conversion will ensure that the risk of disruption to critical functions is minimised.

Project - acceptance test
The review of Acceptance Testing is in two parts. Firstly, the Acceptance Test plan will be assessed to ensure that a comprehensive program of testing has been devised which will address the high risk functions. Secondly, the testing process will be reviewed to provide an independent assessment as to its completeness and accuracy. Acceptance testing is one of the last opportunities to identify any risks or exposures in the system. There is often significant pressure at this stage, in order to meet deadlines or due to budgetary constraints, to fast-track this process. The development and actioning of an agreed, comprehensive and formal plan will assist in the successful implementation of a solution, with minimum disruption to critical functions.

Systems development methodology
The review will determine if a structured approach is employed that is consistent with generally accepted concepts and practices in the computing field (Australian Standards AS3563.1, AS3563.2). The review will also verify that the business Systems Development Methodology (SDM) is formalised (ie documented), approved and supported by executive management. The review will assess the flexibility and suitability of the methodology for use within the organisation. The selection of new Information Technology solutions, whether developed in-house, outsourced or packaged, is usually a major investment. The risks and costs associated with the selection of an inappropriate solution are high. Adherence to a suitable Systems Development Methodology has been shown to be the most effective and efficient control over the process.

Program change control
Our expert consultants will assess the process of implementing program change in the Information Technology environment, specifically to ensure that all program changes promoted to production are authorised and that the source code accurately reflects the object code in production. Program change controls ensure that the integrity of all applications is maintained during their promotion from the development and testing environment to the production environment. The protection of the corporate data asset requires that the integrity of all processes which act upon the data be of the highest standard.
It is essential to put into practice management policies which protect this asset. During the life cycle of a system, modifications, problem rectification and enhancements are routinely carried out. Effective "Change Control Procedures" are a critical control mechanism.

Physical information technology environment
This review will assess the physical environment controls over the areas that house computer equipment and software to ensure the confidentiality, integrity, protection and managed availability of computer facilities and systems. The environment review will assess adherence to Australian Standards AS2834, AS3590.2 and AS1680.2.2. The increasing reliance on Information Technology systems depends on the delivery of a reliable, secure and efficient service. The physical environment housing the critical IT equipment is a key element in the ability to deliver such a service.

Personal computer software licensing
We will determine if appropriate policies and procedures are in place to limit the risks associated with the use of unlicensed software. The review will confirm that these policies and procedures are being adhered to by undertaking a detailed review of the Personal Computers in use within the organisation. Currently the Business Software Association of Australia (BSAA), in conjunction with various software publishers, is targeting organisations in both the private and public sectors. To date this campaign has been successful in obtaining fines and damages of up to $250,000 and often results in negative publicity for the organisations involved. The Software Licensing review will identify any exposures in this area.

Logical access security VAX/VMS
Our expert consultants will verify that the logical access security as implemented on your VAX/VMS systems, and the supporting framework of policies and procedures, are effective in promoting a computer system which is secure, reliable and efficient. The operating system security is the first line of defence in the protection of the valuable corporate data asset. The implementation of effective access security measures at the operating system level forms the basis of a comprehensive and reliable approach to access security.

File backup and recovery
We will assess the adequacy of your organisation's data Backup and Recovery strategy. The assessment will cover the policies and procedures currently in place for the production, storage and maintenance of system backups, in order to ensure that they provide an effective mechanism to maintain data and system integrity. The File Backup and Recovery review provides senior management with an assurance of the integrity of the current data backup process. Opportunities for improved control will, of course, be indicated. If file backup and recovery procedures are not reviewed on a regular basis, errors or deterioration in the process may occur. An effective data backup strategy is fundamental to corporate disaster recovery.

Disaster recovery planning
Our expert consultants will assess the adequacy of the Disaster Recovery Plan (DRP) and its supporting policies and procedures to ensure that critical Information Technology services can be recovered on a timely basis in the event of a disaster. A review of the DRP provides assurance to Senior Management that the organisation is prepared for a disaster should it occur. Reliance on critical systems can then be assured.

Business continuity planning
IAB's Information Technology Services Group will introduce appropriate measures, in the form of a Business Continuity Plan (BCP), which will ensure that, following a disaster or other incident, the main business functions can be restored within an acceptable period of time.
This project will result in the development of a Business Continuity Plan which is supported by an appropriate internal framework, has been communicated to all key areas of the organisation, has been proven by live testing and which can be readily maintained.

Systems penetration testing
The objective of a Systems Penetration Test is to identify ways in which an internal or external attacker can penetrate your organisation's IT systems. Penetration testing is a practical approach to systems security. We will attempt to penetrate all key environments, such as:
The network: gain physical access to a login prompt, gain remote access to a login prompt, obtain a valid user ID and password, gain access to an existing live session, access network resources; physical access attacks, floor walk attacks, war dialler attacks, brute force attacks, social engineering attacks and script search attacks.
The mainframe: gain physical access to a login prompt, gain remote access to a login prompt, obtain a valid user ID and password, gain access to an existing live session, access mainframe resources, access the command line, access system files and security tables; dumpster diving attacks, default account attacks, keystroke logging attacks, backup media attacks, shoulder snooping attacks, live session attacks, session hijacking attacks and access request attacks.
Applications: access business applications, access sensitive business data, gain physical access to work areas, gain physical access to information storage, gain physical access to printers/faxes; terminal emulation attacks, IP address spoofing attacks, system reboot attacks and system-specific technical attacks.

Information Technology (IT) management
Our consultants will work in consultation with you to assess the Information Technology (IT) management processes. We will ensure that the use of IT resources is managed in a manner which promotes the efficiency, effectiveness, reliability and economy of the information technology functions.
Strategy: Is there an effective IT strategy in place? Is the strategy current, comprehensive and in accordance with the Corporate Plan?
Business needs: Are business requirements being provided by the most appropriate and cost-effective means?
Costs: Are IT costs managed effectively to ensure maximum return? Is expenditure appropriately recorded, reported and measured against budgets?
Functional management: Are the following functions effectively managed to allow achievement of the objectives of efficiency, effectiveness, reliability and economy?
- Application Development and Support;
- Network Administration and Support;
- Operations and Help Desk;
- Back-up and Recovery Strategies and Plans;
- Training and Staffing;
- Standards and Procedures; and
- Security and Controls.

Network administration and security
The network operating system security is the first line of defence in the protection of the valuable corporate data asset. The implementation of effective access security measures at the operating system level forms the basis of a comprehensive and reliable approach to access security. IAB's Information Technology Services Group will verify that the logical access security as implemented on your organisation's network operating system, and the supporting framework of policies and procedures, are effective in promoting a computer system which is secure, reliable and efficient.

Windows NT server
The objective of the Windows NT Security Review is to assess the adequacy of manual and computerised controls which help prevent unauthorised access to the Windows NT operating system environment. Our areas of focus for the review will include the following:
- Administration Controls;
- User and Group Security;
- File and Printer Security;
- Registry Security;
- Security Logging and Auditing;
- System Integrity and Availability; and
- Program Change Controls.

Remote access security
The protection of the corporate data assets and control over access to financial systems require that all elements in the access control process be of the highest standard. Security is only as good as the weakest link. Our review will assess the effectiveness of remote access security controls (both physical and logical) to ensure that all appropriate steps have been taken to prevent unauthorised access to sensitive information and resources. Management and the people responsible for implementing systems security will be provided with an evaluation of the current remote access environment which identifies any areas for improvement, together with practical suggestions for correcting them and tips to prevent any recurrence.

Application controls
We will participate in the definition of user requirements to ensure that users are aware of the risks and exposures associated with each function and of the potential controls which may be incorporated into the requirements definition. The identification of potential controls to minimise exposures prior to the finalisation of the user requirements definition allows for the inclusion of effective and relevant controls at minimal cost. The addition of controls following the selection or development of the application is less effective and usually more costly (in both implementation and maintenance costs).

IT risk assessment
Our expert consultants will identify and assess your organisation's computing environment. We will give a high level indication of the ability of the Information Technology function to provide business management with a data processing service that is secure, reliable and timely. The business and audit risk of each key component of the IT environment will also be assessed to ensure that resources are directed at higher risk areas.