
Minutes

Task No. 40


**Summary of IT Infrastructure and Compliance Discussion:**

1. **IT Infrastructure Overview:**
   - **Servers:** 
     - 2 MS SQL servers.
     - Kubernetes cluster (for container orchestration).
     - On-premises servers (physical/virtual).
     - Cloud infrastructure (Azure/other) is considered more secure.
   - **Databases:** 
     - MS SQL databases with clustering for redundancy.
     - Cloud databases are deemed adequately protected.
   - **Integration:** 
     - Use of integration accounts for third-party systems.
     - No local accounts for internal use (only for integration).

2. **Access Controls and Security:**
   - **Privileged vs. Non-Privileged Accounts:** 
     - Need to document access policies, including password rotation and privilege escalation.
     - Focus on **person-specific accounts** (not integration accounts) for audit compliance.
   - **Password Policies:** 
     - Enforced for domain accounts (Windows), but unclear for Linux servers.
     - No strict password policies for integration accounts (risk of stale credentials).
   - **Permissions:** 
     - Review access rights at application, OS, and database levels.
     - Ensure least privilege and segregation of duties.
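The password-policy gap noted above (domain accounts enforced, Linux servers unclear, integration accounts at risk of stale credentials) can be checked on a Linux host from its `/etc/shadow` records. The script below is an added example written for this summary, not a tool from the organization or the audit; it assumes a hypothetical function name `stale_password_accounts`, a constructed sample of shadow-format lines in place of a real host's file, and a fixed "today" value (days since the epoch) so the result is reproducible.

```shell
#!/bin/sh
# Added example: flag Linux accounts whose password never expires or has not
# been rotated within the policy's maximum age, using /etc/shadow-style records.
# Shadow format: name:hash:lastchange:min:max:warn:inactive:expire:flag
# (lastchange and "today" are counted in days since 1970-01-01).

# Constructed sample records (hashes shortened); not from any real host.
SAMPLE_SHADOW='root:$6$x:19950:0:90:7:::
svc_sqlint:$6$y:18500:0:99999:7:::
svc_erp:$6$z:19000:0::7:::
alice:$6$a:19850:0:90:7:::
svc_old:!:18000:0:60:7:::'

# stale_password_accounts TODAY MAX_AGE_DAYS < shadow-records
# Prints one "user:reason" line per account that fails the rotation check:
#   never-expires  -> max-age field empty or 99999 (the chage "never" value)
#   stale:<N>d     -> last password change more than MAX_AGE_DAYS ago
# Locked accounts (hash starting with "!" or "*") are skipped: they cannot
# be used for password logins, so rotation does not apply to them.
stale_password_accounts() {
  awk -F: -v today="$1" -v maxage="$2" '
    $2 ~ /^[!*]/ { next }
    $5 == "" || $5 + 0 >= 99999 { printf "%s:never-expires\n", $1; next }
    {
      age = today - $3
      if (age > maxage) printf "%s:stale:%dd\n", $1, age
    }
  '
}

# Demo run against the constructed sample with "today" = day 20000 and a
# 90-day maximum password age, as the domain policy would require.
printf '%s\n' "$SAMPLE_SHADOW" | stale_password_accounts 20000 90
```

On a real host the same function is run as root with `stale_password_accounts "$(( $(date +%s) / 86400 ))" 90 < /etc/shadow`; integration accounts that appear as `never-expires` are the stale-credential risk the discussion refers to, and the output can be attached to the ITGC access-control evidence.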

3. **Disaster Recovery & Backup:**
   - **Backup Strategy:** 
     - Backups are company-wide, managed by internal teams.
     - No explicit mention of **hot backups** (real-time replication) for on-premises systems.
     - Admins suggest hot backups are critical for compliance (e.g., for internal auditors).
   - **Risk Mitigation:** 
     - On-premises servers are identified as a "critical risk area" due to lack of redundancy.
     - Potential need for additional resources to implement hot backups.

4. **Regulatory Compliance (ЦБ Audit):**
   - **Audit Timeline:** 
     - Central Bank (ЦБ) audit is expected **by late October**, with preparations starting from **October 2nd**.
   - **Key Focus Areas:** 
     - ITGC (Information Technology General Controls) compliance.
     - Access controls, backup procedures, and system availability.
     - Documentation of access policies and audit trails.
   - **Challenges:** 
     - Need to address gaps in hot backups and password management for integration accounts.
     - Potential delays if audit scope expands beyond ITGC to include financial controls.

5. **Next Steps:**
   - **Audit Preparation:** 
     - Document access controls, password policies, and backup procedures.
     - Validate hot backup readiness for on-premises systems.
     - Engage internal teams (infrastructure, security) to align with audit requirements.
   - **Collaboration:** 
     - Coordinate with auditors to clarify scope (ITGC vs. financial controls).
     - Prepare a checklist for ITGC compliance, focusing on access, backups, and system resilience.

**Recommendations:**
- **Prioritize Hot Backups:** Implement real-time replication for critical on-premises systems to meet regulatory expectations.
- **Strengthen Password Policies:** Enforce regular password rotation for all accounts, including integration ones.
- **Document Access Controls:** Create a clear inventory of user permissions and ensure segregation of duties.
- **Audit Readiness:** Use the provided conversation as a framework to structure audit documentation and address gaps before the October deadline.

**Conclusion:** The conversation highlights the need for a structured approach to ITGC compliance, emphasizing access controls, backup strategies, and regulatory preparedness. Addressing these areas will help mitigate risks and ensure smooth audit compliance by late October.