**Summary of the IT Infrastructure and Audit Preparation Discussion:**

### **1. Server Infrastructure Overview:**

- **On-Premises Systems:**
  - **MS SQL Servers:** 2 instances, likely for critical databases.
  - **Kubernetes Cluster:** Used for containerized applications.
  - **Linux Servers:** Mentioned as part of the infrastructure, though the conversation notes a lack of detailed knowledge about their configuration.
  - **Windows Servers:** Dominant in the environment, with some Linux integration for specific tasks.
- **Cloud Infrastructure:**
  - **Azure/AWS:** Likely used for some services, as noted by the mention of "cloud" and the assumption that cloud environments are more secure.
- **Single Point of Failure (SPOF):** Concerns about on-premises systems being a critical risk if not properly replicated or backed up.

---

### **2. Access Controls and Security:**

- **Privileged vs. Non-Privileged Accounts:**
  - **Privileged Accounts:** Need strict monitoring, with hot backups and password policies enforced.
  - **Integration Accounts:** Used for system integrations (e.g., APIs, services), but not subject to the same scrutiny as user accounts.
- **Password Policies:**
  - Domain-level policies enforced for Windows systems.
  - Local accounts (Linux) may lack standardized policies, raising the risk of stale passwords.
- **User Access:**
  - Focus on **personified accounts** (individual user access) rather than integration accounts.
  - No "personified" accounts currently exist, per the conversation.

---

### **3. Backup and High Availability (HA):**

- **Backup Strategy:**
  - **Centralized Backups:** Shared company-wide, managed by the infrastructure team.
  - **On-Premises Systems:** Lack hot backups, which is a critical risk.
  - **Cloud Systems:** Considered more secure, with existing protections.
- **Hot Backups:**
  - Required for critical systems to meet audit standards (e.g., Central Bank requirements).
  - Admins agree on the need for hot backups, but implementation is pending.

---

### **4. Audit Preparation (Central Bank / ITGC/ITTC):**

- **Audit Timeline:**
  - **Target Date:** Mid-October 2023 (specifically, around October 2nd).
  - **Preparation Phase:** Ongoing, with the team preparing documentation and addressing risks.
- **Key Audit Areas:**
  - **ITGC (IT General Controls):** Focus on access controls, password policies, backup procedures, and system availability.
  - **ITTC (IT Trust Controls):** Ensuring systems meet compliance standards, including hot backups and redundancy.
- **Risks Identified:**
  - **On-Premises Systems:** Lack of hot backups and redundancy.
  - **Local Accounts:** Potential for outdated passwords and lack of monitoring.
  - **Integration Accounts:** May not be fully audited, but considered low-risk.

---

### **5. Next Steps and Collaboration:**

- **Internal Audit Team:** Expected to join the process in October, requiring collaboration with the IT team.
- **Documentation:**
  - Screenshots and audit trails will be used as compliance evidence.
  - Standardized procedures (e.g., password policies, backup logs) need to be documented.
- **Team Involvement:**
  - **IT Team:** Will focus on infrastructure, backups, and access controls.
  - **Finance Team:** Will handle financial aspects of the audit.
  - **External Auditors:** Will review compliance with Central Bank standards.

---

### **6. Key Concerns and Recommendations:**

- **Critical Systems:** Ensure on-premises systems have hot backups to avoid SPOF risks.
- **Password Policies:** Standardize and enforce policies for all accounts, including Linux servers.
- **Documentation:** Prepare audit-ready documentation for ITGC/ITTC compliance.
- **Collaboration:** Coordinate with the audit team and infrastructure team to address gaps before October.

---

### **Conclusion:**

The conversation highlights a mix of on-premises and cloud infrastructure, with a focus on securing access, ensuring backups, and preparing for a Central Bank audit. The main risks are the lack of hot backups for on-premises systems and inconsistent password policies. The team is working to address these issues by October, with collaboration between IT, finance, and auditors to ensure compliance.