Minutes

Task No. 38

**Summary of the IT Infrastructure and Audit Preparation Discussion:**

### **1. Server Infrastructure Overview:**
- **On-Premises Systems:**
  - **MS SQL Servers:** 2 instances, likely for critical databases.
  - **Kubernetes Cluster:** Used for containerized applications.
  - **Linux Servers:** Mentioned as part of the infrastructure, though the conversation notes a lack of detailed knowledge about their configuration.
  - **Windows Servers:** Dominant in the environment, with some Linux integration for specific tasks.
- **Cloud Infrastructure:**
  - **Azure/AWS:** Likely used for some services, as noted by the mention of "cloud" and the assumption that cloud environments are more secure.
- **Single Point of Failure (SPOF):** Concerns about on-premises systems being a critical risk if not properly replicated or backed up.

---

### **2. Access Controls and Security:**
- **Privileged vs. Non-Privileged Accounts:**
  - **Privileged Accounts:** Need strict monitoring, with hot backups and password policies enforced.
  - **Integration Accounts:** Used for system integrations (e.g., APIs, services), but not subject to the same scrutiny as user accounts.
- **Password Policies:**
  - Domain-level policies enforced for Windows systems.
  - Local accounts (Linux) may lack standardized policies, raising risks of stale passwords.
- **User Access:**
  - Focus on **personified accounts** (individual user access) rather than integration accounts.
  - No "personified" accounts currently exist, per the conversation.

---

### **3. Backup and High Availability (HA):**
- **Backup Strategy:**
  - **Centralized Backups:** Shared company-wide, managed by the infrastructure team.
  - **On-Premises Systems:** Lack hot backups, which is a critical risk.
  - **Cloud Systems:** Considered more secure, with existing protections.
- **Hot Backups:**
  - Required for critical systems to meet audit standards (e.g., Central Bank requirements).
  - Admins agree on the need for hot backups, but implementation is pending.

---

### **4. Audit Preparation (Central Bank / ITGC/ITTC):**
- **Audit Timeline:**
  - **Target Date:** Mid-October 2023 (specifically, around October 2nd).
  - **Preparation Phase:** Ongoing, with the team preparing documentation and addressing risks.
- **Key Audit Areas:**
  - **ITGC (IT General Controls):** Focus on access controls, password policies, backup procedures, and system availability.
  - **ITTC (IT Trust Controls):** Ensuring systems meet compliance standards, including hot backups and redundancy.
- **Risks Identified:**
  - **On-Premises Systems:** Lack of hot backups and redundancy.
  - **Local Accounts:** Potential for outdated passwords and lack of monitoring.
  - **Integration Accounts:** May not be fully audited, but considered low-risk.

---

### **5. Next Steps and Collaboration:**
- **Internal Audit Team:** Expected to join the process in October, requiring collaboration with the IT team.
- **Documentation:** 
  - Screenshots and audit trails will be used for compliance.
  - Standardized procedures (e.g., password policies, backup logs) need to be documented.
- **Team Involvement:**
  - **IT Team:** Will focus on infrastructure, backups, and access controls.
  - **Finance Team:** Will handle financial aspects of the audit.
  - **External Auditors:** Will review compliance with Central Bank standards.

---

### **6. Key Concerns and Recommendations:**
- **Critical Systems:** Ensure on-premises systems have hot backups to avoid SPOF risks.
- **Password Policies:** Standardize and enforce policies for all accounts, including Linux servers.
- **Documentation:** Prepare audit-ready documentation for ITGC/ITTC compliance.
- **Collaboration:** Coordinate with the audit team and infrastructure team to address gaps before October.

---

### **Conclusion:**
The conversation highlights a mix of on-premises and cloud infrastructure, with a focus on securing access, ensuring backups, and preparing for a Central Bank audit. The main risks are the lack of hot backups for on-premises systems and inconsistent password policies. The team is working to address these issues by October, with collaboration between IT, finance, and auditors to ensure compliance.