
Information Security Assessment Doshi & Sons, LLP

Final Report
5th July, 2017

Doshi Infosec Consulting


Street No.1,
Singapore.

www.infosec-career.com
Version control and distribution

Version number | Date issued      | Issued to
V1.0           | 20 January 2017  | The Company
Final          | 22 February 2017 | The Company

This report is intended solely for the information and use of the management of The Company and is not intended to be
and should not be used by anyone other than these specified parties. Audit Firm therefore assumes no responsibility to
any user of the report other than The Company. Any other persons who choose to rely on our report do so entirely at their
own risk.

Table of contents

Sr.No Details

1 Executive Summary

2 Scope and Objectives

3 Scope Limitations

4 Issue Rating Descriptions

5 Overall Assessment Results

6 Risk Assessment Summary

7 Domain-Wise Distribution of
Risk

8 Summary of Key Findings

9 Issues and recommendations

10 Persistent Irregularities

1. Executive Summary
1.1 Introduction:

Mention details about the company.

1.2 Audit Firm Profile:

Mention details about the audit firm.

1.3 Summary of Assessment:

Scope Details
Name of Audit Firm
Name of Client
Description of service
Assessment type
Risk Score
Compliance Score
Date of assessment
Address where the onsite assessment took place
Name of assessor
Reviewed by

2. Scope and Objectives
The vendor assessment consisted of a review and evaluation of the current policies, procedures and practices used by
The Company for rendering the service defined above. The Company was assessed on the domains pertaining to
Information Security risk that support SBIL Operations.

The following information security control areas were reviewed with The Company Limited Solutions as part of
the questionnaire-mandated controls:

1. Human Resource Security
2. Physical & Environment Security
3. Email Security
4. Logical Access Control
5. Business Continuity
6. Change Management
7. Incident Management
8. Media Handling
9. Vendor Governance
10. Data Back Up
11. Network Security
12. System Security
13. Compliance & Legal
14. Mobile Security

3. Scope Limitations
The scope of the engagement excludes:

The review of design or source code for any of the in-scope applications
Performing any infrastructure or application penetration testing for in-scope applications and underlying infrastructure
Performing ongoing control monitoring activities or other control activities that affect the execution of transactions or
ensure that transactions are properly executed and/or accounted for
Determining which, if any, recommendations should be implemented and the implementation of any recommendations
arising from this engagement
Preparing source documents of transactions
Having custody of assets
Acting in any capacity equivalent to a member of management or an employee

4. Issue Rating Descriptions
The issue ratings used in this report reflect the recommended priority to resolve the control gaps identified.

Issue Rating | Description | Target completion date

Red/High
The control(s) failure will cause the objective not to be achieved and the prevailing risk(s) not to be mitigated,
resulting in a threat and potentially material impact on the confidentiality and integrity of, and risks to, the
organization's information assets and system(s). The following is a non-exhaustive list of events that could result
in a High risk observation rating:
Control exceptions;
Lack of segregation of duties; or
Insufficient evidence to show the control operating.
These issues require immediate attention and accelerated remediation.
Target completion date: within 30 days after agreeing the remediation action plan with the Third Party.

Amber/Medium
The control design is not in line with the Bank's compliance requirements and needs improvement to operate
effectively. However, the risk exposures are mitigated by compensating controls. If these threats are not addressed
over a defined period of time, the potential risk to the organization's information assets may increase. The
following is a non-exhaustive list of events that could result in a Medium risk observation rating:
Control design is not well documented; however, the control operates effectively;
Lack of an information security program, policies, awareness, or enforcement; or
Control failures that do not directly impair or impact the services provided.
Requires review and attention from management within the near term.
Target completion date: within 60 days after agreeing the remediation action plan with the Third Party.

Green/Low
The gaps are minor and do not result in exposure. Relevant controls exist and are effective. However, addressing the
minor gaps will further strengthen the overall environment and operations.
Target completion date: within 90 days after agreeing the remediation action plan with the Third Party.

5. Overall Assessment Results
Compliance Score:
This score is calculated from the controls found to be implemented, at the time of the assessment, in the business
processes carried out for The Company; the non-conformances against those controls determine the percentage that is
reported as the Vendor compliance score.

Risk Score:
This score is calculated from the product of the High, Medium and Low level non-conformities observed against the
total number of controls assessed during the assessment.
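Worked example of how the two scores described in this section can be derived from the per-control results of an assessment, together with the rating split charted in Section 6 and the per-domain counts charted in Section 7. This is an added illustration and not the audit firm's own scoring tool: the ControlResult record, the sample controls and the 10/5/1 weights used for the risk score are assumptions, because the report states that the risk score is a product of the High, Medium and Low non-conformities but does not specify a weighting.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RATINGS = ("High", "Medium", "Low")


@dataclass(frozen=True)
class ControlResult:
    """Outcome of one assessed control (assumed record type, not from the report)."""
    domain: str
    control: str
    compliant: bool
    rating: Optional[str] = None  # rating of the non-conformity; None when compliant

    def __post_init__(self) -> None:
        # Reject inconsistent records before they skew the scores.
        if self.compliant and self.rating is not None:
            raise ValueError(f"{self.control}: a compliant control must not carry a rating")
        if not self.compliant and self.rating not in RATINGS:
            raise ValueError(f"{self.control}: a non-conformity needs a rating in {RATINGS}")


def compliance_score(results: List[ControlResult]) -> float:
    """Percentage of assessed controls that showed no non-conformity (Section 5)."""
    if not results:
        raise ValueError("no controls assessed")
    compliant = sum(1 for r in results if r.compliant)
    return round(100.0 * compliant / len(results), 1)


def rating_distribution(results: List[ControlResult]) -> Dict[str, float]:
    """Share of High/Medium/Low among the non-conformities, as charted in Section 6."""
    findings = [r for r in results if not r.compliant]
    counts = Counter(r.rating for r in findings)
    total = len(findings)
    return {k: (round(100.0 * counts[k] / total, 1) if total else 0.0) for k in RATINGS}


def domain_distribution(results: List[ControlResult]) -> Dict[str, Dict[str, int]]:
    """Non-conformities per domain and rating, the data behind the Section 7 bar chart."""
    table: Dict[str, Dict[str, int]] = {}
    for r in results:
        row = table.setdefault(r.domain, {k: 0 for k in RATINGS})
        if not r.compliant:
            row[r.rating] += 1
    return table


def risk_score(results: List[ControlResult], weights: Tuple[int, int, int] = (10, 5, 1)) -> float:
    """Weighted non-conformities scaled against the total controls assessed.

    The 10/5/1 weights are an ASSUMPTION; the report gives none. The result is
    normalised so that a vendor failing every control at High scores 100.
    """
    if not results:
        raise ValueError("no controls assessed")
    weight = dict(zip(RATINGS, weights))
    weighted = sum(weight[r.rating] for r in results if not r.compliant)
    return round(100.0 * weighted / (max(weights) * len(results)), 1)


# Constructed sample results for ten controls across five of the report's domains.
SAMPLE: List[ControlResult] = [
    ControlResult("Human Resource Security", "background verification", False, "High"),
    ControlResult("Human Resource Security", "security awareness training", True),
    ControlResult("Logical Access Control", "periodic access review", False, "High"),
    ControlResult("Logical Access Control", "password policy", False, "Medium"),
    ControlResult("Logical Access Control", "privileged access logging", True),
    ControlResult("Network Security", "firewall rule review", False, "Medium"),
    ControlResult("Network Security", "network segmentation", True),
    ControlResult("Data Back Up", "restore testing", False, "Medium"),
    ControlResult("Data Back Up", "offsite backup copy", True),
    ControlResult("Physical & Environment Security", "visitor log", False, "Low"),
]


if __name__ == "__main__":
    print("Compliance score:", compliance_score(SAMPLE))
    print("Risk score (assumed weights):", risk_score(SAMPLE))
    print("Findings by rating:", rating_distribution(SAMPLE))
    for domain, row in domain_distribution(SAMPLE).items():
        print(f"{domain}: {row}")
```

With the constructed sample, four of ten controls are compliant, giving a compliance score of 40.0, and the six non-conformities split 33.3/50.0/16.7 across High/Medium/Low; a different weighting in risk_score changes only that score, not the compliance figure or the distributions.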

6. Risk Assessment Summary

[Charts: risk assessment summary. Values shown: Risk Score and Overall Vendor Score gauges of 38 and 52;
non-conformities by rating: High 32%, Medium 62%, Low 6%.]
7. Domain-Wise Distribution of Risk

[Chart: Domain-wise Assessment. Number of findings (axis 0 to 10) per domain, split into High, Medium and Low.
Domains shown: Compliance & Legal, System Security, Network Security, Data Back Up, Vendor Governance, Media Handling,
Incident Management, Change Management, Business Continuity, Logical Access Control, Email Security,
Physical & Environment Security, Human Resource Security.]


8. Summary of Key Findings
[Chart: Key Summary Findings. High Risk Non-Compliant Controls: 40 (axis: Number of Key Summary Findings, 0 to 45).]

9. Issues and recommendations
The following table provides details of the non-compliant controls identified during the Assessment conducted in FY 2016

Sr.No. Domain Risk Rating Observation Recommendation

1 Human Resource Security High

2 Physical Security Low

10. Persistent Irregularities:

The following table contains repeated findings (assessment findings present in both the previous and the present
assessment). No such observations were found.

No. | Domain | Risk Rating | Observation (Current Assessment) | Observation (Previous Assessment)
    |        | High        |                                  |
    |        | High        |                                  |

