
How to jumpstart your IT governance process?

Satish Ayyaswami

The IT governance process helps you align IT to achieve your business goals, protect assets, comply with legal and regulatory requirements and manage risks. Sound IT governance is the need of the hour for all organisations that are going digital. This is even more critical in highly regulated industries such as financial services. Most organisations in India are waking up to this reality. The question is how to get started. Here is a high-level approach for you:

Step 1

Start mapping the key risks across applications, infrastructure and people, and design controls for them in a risk register. A few examples are below:

Information security risk
  • Antivirus should be installed on all devices.
  • USB lock should be enabled on all devices. Exception approvals should be in place for users for whom the USB lock can be disabled.
  • All servers should be patched with the latest updates.
  • All Personally Identifiable Information (PII) should be encrypted at rest.
  • An Aadhaar Vault should be in place for Aadhaar number storage. Images containing an Aadhaar number should be masked.
  • Firewall logs need to be reviewed every month and suitable action needs to be taken.

People risk
  • Background verification checks should be carried out for all candidates for employment.
  • Employee access should be revoked across all systems on the last working day of the employee.

Physical security risk
  • CCTV should be installed at all entry & exit points, and the CCTV logs should be reviewed.
  • Only approved users should be able to access the CCTV cameras.
  • Visitor / third-party employee registers should be maintained.

Operational risk
  • Maker-checker should be implemented in applications, document review, system administration, database administration and transaction processing.
  • Backups should be checked and validated regularly.

Step 2

Roll up all the controls into an IT policy document. Get the policy reviewed and approved by your board.

Step 3

All controls defined in the IT policy need to be implemented and tested. Define an audit calendar and ensure that all controls are tested over a period of time.

Step 4

Review the audit observations that do not comply with your IT controls. Tag them as high, medium & low. Ensure that the observations are fixed within a reasonable period of time.

Once you follow the above process for a few months you will get the hang of the IT governance ritual. Then start exploring popular frameworks such as COBIT / ITIL and improving your IT governance process.

Satish Ayyaswami is GramPro Business Services’ special advisor. The article originally appeared on TechAdvisory for Indian Businesses.