IS ASSURANCE & ADVISORY SERVICES
Our IS Assurance experts provide a range of IS audit and advisory services that help external and internal clients achieve their business objectives, manage their risk and improve their business performance.
As the world's fifth largest management consulting firm, BDO is distinctive in its ability to help clients solve their most complex issues. We are set apart by our ability to execute the advice we give, helping clients in the markets where they operate today and where they want to be.
Today, business and technology innovation are inseparably linked, and demand for technology-enabled business transformation services is growing quickly. BDO technology experts around the globe help clients resolve their most sensitive and critical business information and technology challenges.
Strategy & Operations
Linking strategy to operations, delivering lasting impact. Find out more about our services.
Business leaders must act with conviction, even in a period of growing complexity, volatility and disruption. These leaders need clear, concise, well-informed perspectives on the critical developments that are currently reshaping their business environment. Our global network of Strategy and Operations professionals draws on the strength of BDO's full suite of professional services and industry experience to focus solutions on the key issues affecting organizations today. We work collaboratively with our clients to connect strategic vision to flawless execution and achieve tangible, long-term value. From developing a pragmatic strategy and evaluating opportunities to improving finance and operations capabilities, we have the experience and expertise to help clients build an executable strategy.
Business-led, technology-enabled. Find out more about our services.
Today, business and technology innovation are inseparably linked, and demand for technology-enabled business transformation services is growing quickly. Companies are looking to transform their IT operations to meet new business objectives, market dynamics and regulatory pressures. With a trend toward increasingly mobile and virtual workforces, companies are also striving to balance growth and globalization with agility and improved efficiency.
BDO's global network of technology professionals helps clients identify and solve their most important business information and technology challenges. With deep technical experience in Enterprise Applications (including Oracle, SAP and MS Dynamics), Technology Advisory and Application Management Services, market-leading industry expertise and award-winning business transformation capabilities, our network of professionals delivers market offerings that address our clients' toughest business issues.
Innovation, transformation and governance in your industry. Find out more about our services.
As the world's fifth largest management consulting firm, BDO is distinctive in its ability to help clients solve their most complex issues, from strategy to execution. We are set apart by our ability to execute the advice we give, helping clients in the markets where they operate today and where they want to be in the future. Delivering this kind of value requires the ability to integrate a broad range of talent and skills, across human capital, strategy and operations, and technology, aligned to the specific needs of our clients' industry sectors, markets and companies.
HOW CAN BDO HELP?
BDO understands the importance of working with you to make practical recommendations that reduce risk to a level that is appropriate for you and your business. Our knowledge and experience will help you balance the importance of mitigating risk against the cost of implementing and maintaining appropriate measures. Our staff have a strong track record in providing independent IT / IS assurance and will draw on this experience when engaging and advising your board, Audit Committee and senior management. Furthermore, Information Security Assurance can help you to:
- Understand how Information and Information Systems Assurance may be applicable and beneficial to your organization, and how best to employ assurance activities within it.
- Understand what threats, risks and vulnerabilities your organization's information and information systems face, the likelihood of their occurrence and their impact on your organization.
- Design and prioritize mitigation strategies to address these identified issues.
- Obtain an independent report of your Information Security for review by interested parties such as auditors, customers, partners etc.
- Classify your Information and implement appropriate Information handling and management solutions.
- Design, implement and verify Disaster Recovery Plans as part of Business Continuity Planning.
INFORMATION SYSTEM ASSURANCE ADVISORY
IT Governance & Strategy
Organizations achieve business goals and value delivery through effective and efficient alignment of the IT organization's strategic and operational plans with the enterprise's business strategy. BDO assesses and provides clients with a comprehensive IT governance framework, together with the processes and standards required to manage and monitor their IT effectively and to enhance the value IT delivers.
- Establishment of IT Governance framework.
- Strategic alignment of IT with the business.
- Performance management and ‘Value’ delivery.
- Resource Management.
- IT Risk management.
- Data governance.
- Establishment of IT Governance structure and culture that is accountable, effective and transparent with unambiguous responsibilities.
- Alignment of IT with the business objectives and goals.
- IT investment programs are directed to ensure that they deliver tangible benefits to the organization.
- Establishment of data governance procedures that monitor and prevent breaches in data confidentiality, integrity and availability.
Organizations can identify opportunities for cost-effective improvements in ERP controls by detecting control gaps in the existing configuration and functionality. BDO assesses and provides cost-effective improvement opportunities to clients and helps them secure application-critical data, both on-premises and in cloud deployments.
- Adequacy and effectiveness of application’s functionality to support business operations.
- Development, testing and deployment of applications (SDLC cycle).
- User access management and Segregation of duties.
- Application input, processing, output and storage controls.
- Data Migration and system interfaces.
- Integration with other applications.
- Backup and Restorations.
- Increase in efficiency and usage of the applications throughout the organization.
- Enhanced application security and safeguard of critical business data.
- Reduction in fraud-related risks in financial applications.
- Structured responsibilities and streamlining of business processes.
Business Continuity and Disaster Recovery
Organizations can become more resilient to potential threats and resume or continue operations under adverse or abnormal conditions. BDO helps with the proactive identification of business continuity risks and prepares organizations to continue critical business operations during a disaster. Our assurance services validate your Information Systems Disaster Recovery plan. For BCP and DRP to be effective, strong governance, change management and verification controls are required.
- Establishment of business continuity and disaster recovery (BC & DR) strategy, plan and procedures.
- Business impact assessment.
- Establishment of RTO, RPO and other parameters for critical applications.
- Risk assessment.
- Effectiveness of the BC & DR solution (backup, replication etc.).
- Staff awareness and training.
- BC & DR test plan, schedules, scenarios, procedures and results.
- An increase in the organization’s ability to handle disasters and business disruptions, in turn helps in speedy recovery.
- Continuity of critical business operations even during a disaster.
- Improvement in the safety of staff and customers.
IT Services Operations & Maintenance and Process
Organizations can meet their business objectives by identifying critical risks and ensuring that the right processes, people and technologies are in place. BDO assesses the IT operations supporting the business and provides practical, actionable recommendations that help organizations achieve their business objectives and confirm that the right processes, people and technologies are in place.
- Establishment of policies, procedures and objectives for service management.
- Monitoring, measuring and reviewing the performance of the service management system and the services.
- Resolution process management (incident, service request and problem).
- Relationship process management (Business relationship and supplier management).
- Service reporting and customer satisfaction.
- Better alignment to business requirements and consistency in the delivery of IT services.
- Reduction in response times and interruptions to IT service.
- Moving from reactive to proactive IT culture.
- Remove bottlenecks and ambiguities in IT services.
Develop & Evaluate IT General Controls Reviews
Organizations gain a panoramic view of the IT risk posture to which their critical business functions are exposed, which helps the business take proactive steps to mitigate those risks. BDO assesses various aspects of IT (including risks related to the Data Centre) and the controls adopted, to provide organizations with that view of their IT risk posture.
- User access management policy and procedure.
- General system security settings, including password settings, are appropriate.
- Access to privileged IT functions is limited to appropriate individuals.
- User access is authorized and appropriately established.
- Physical access to computer hardware is limited to appropriate individuals.
- The logical access process is monitored.
- Segregation of incompatible duties exists within the logical access environment.
- Active Directory and access controls (physical and logical).
- Change management policy and procedure.
- Changes (including minor, major and emergency changes) are authorized, tested and approved.
- Changes are monitored.
- Segregation of incompatible duties exists within the change management environment.
- Service level management.
- Data Centre physical and environmental controls.
- Understanding of enterprise-wide IT risk posture for the organization.
- Enhanced overall IT security and the organization’s ability to restrict many of the known malicious attacks.
- Increased customer confidence due to improved IT and security posture.
- Efficient and effective management of IT assets.
Vendor Selection & Project Management
The objective of our Vendor Selection Services is to assist the Client in documenting business requirements and in evaluating, selecting and acquiring the best-fit solution, so as to ensure that:
- Comprehensive business requirements are gathered from process owners;
- Application covers all the key processes areas;
- Request for Proposal / Tender process is detailed and effective;
- Effectiveness, and transparency in evaluating & selecting a vendor for acquiring a solution;
- All the areas for improvements are identified along with the practical recommendations.
We provide support with project preparation, including preliminary studies, analysis of the current state and bids for procurement. Our project experts will also take care of the organization and management of the project and the related documentation and reporting.
- Project management
- Handling of project management/project management office (PMO).
- Project review/project relaunch.
- Project Assurance.
- Data Migration reviews.
- Project Governance.
Vendor selection steps:
- Business requirement document.
- Current & Future State.
- Expression of Interest - EOI.
- Request for Proposal - RFP.
- Assistance in vendor evaluation.
- Contractual & Support Arrangements.
Vulnerability Assessment & Penetration Testing
BDO performs risk and vulnerability assessment as a baseline Information Security assessment to identify, quantify, verify and prioritize vulnerabilities in information systems and the risks they pose. We use a systematic approach to assess vulnerabilities at all layers of the information system, using both manual and automated testing techniques developed from our years of experience, industry-leading vulnerability assessment tools and access to support resources from our best-of-breed partnerships.
Internal Penetration Testing:
- Identify potential vulnerabilities within the LAN, intranet, email, application and databases.
- Perform an automated vulnerability scan on all in-scope services in the network to identify weaknesses in relation to both the network interface and Operating System (local user accounts, password policy, logging settings etc.).
- Identify potential vulnerabilities related to the systems, network devices and workstations in scope.
External Penetration Testing:
- Scanning of the IPs will be performed in order to determine exposed architecture and internet services (that may include email, web applications, DNS, RAS capabilities, etc.)
- Infrastructure services will be tested using a vulnerability scanning engine to identify known vulnerabilities.
- All identified vulnerabilities will be verified to eliminate false positives, and evidence of successful exploitation will be returned from the exploitation phase.
- Enumeration of brand names, version numbers and operating systems of the equipment using TCP/IP fingerprinting and service analysis.
- Enumeration of active TCP/UDP services and other available IP protocols.
- Performing password attacks against the different authentication mechanisms.
- Performing vulnerability scanning of the software and firmware versions of the different devices and identifying related vulnerabilities.
- Understanding of the enterprise-wide IT risk assessment and network security design.
- Enhanced overall IT network security and the organization's ability to block many known malicious attacks.
- Increased management comfort over the risk and the associated threats and vulnerabilities.
- Understand the architecture of the CDN, including segmentation, routing and Active Directory structure.
- Understand the architecture and identify configuration flaws or inappropriately configured systems.
- Efficient and effective management of IT network security.
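The external testing steps above (service enumeration, version fingerprinting from banners, and verifying scanner findings so that false positives are not reported) can be illustrated with a small script. This is an added example, not BDO's tooling or any scanner's output: the hosts, banners and the version baseline are constructed for illustration, and the baseline stands in for the vendor advisories and scanner output a real engagement would use. A finding is only reported as confirmed when the banner the service actually returned parses to a version below the baseline; anything that cannot be parsed is queued for manual verification instead of being reported as vulnerable.

```python
"""Banner-based service enumeration with confirmed/unverified findings.

Constructed example for illustration. The BASELINE table is hypothetical and
is not a list of real advisories; in practice it is replaced by the scanner's
findings and the vendor's advisory data.
"""
import re
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical baseline: product -> minimum version the tester accepts.
BASELINE: Dict[str, Tuple[int, ...]] = {
    "OpenSSH": (8, 0),
    "Apache": (2, 4, 50),
    "vsFTPd": (3, 0, 3),
    "Postfix": (3, 5),
}

# Banner formats of common services; each pattern yields product and version.
BANNER_PATTERNS = [
    re.compile(r"^SSH-2\.0-(?P<product>OpenSSH)_(?P<version>[\d.]+)"),
    re.compile(r"Server:\s*(?P<product>Apache)/(?P<version>[\d.]+)", re.I),
    re.compile(r"^220 \((?P<product>vsFTPd) (?P<version>[\d.]+)\)"),
    re.compile(r"ESMTP (?P<product>Postfix)(?: \((?P<version>[\d.]+)\))?"),
]


@dataclass
class Finding:
    host: str
    port: int
    product: Optional[str]
    version: Optional[str]
    status: str  # "confirmed" (below baseline), "ok", or "unverified"


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.4.41' -> (2, 4, 41); non-numeric components are dropped."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def parse_banner(banner: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (product, version) from a raw banner, or (None, None)."""
    for pattern in BANNER_PATTERNS:
        match = pattern.search(banner)
        if match:
            return match.group("product"), match.group("version")
    return None, None


def assess(host: str, port: int, banner: str) -> Finding:
    """Classify one service: a finding is confirmed only from a parsed version."""
    product, version = parse_banner(banner)
    if product is None or version is None or product not in BASELINE:
        # Scanner output alone is not evidence; queue for manual verification.
        return Finding(host, port, product, version, "unverified")
    below = parse_version(version) < BASELINE[product]
    return Finding(host, port, product, version, "confirmed" if below else "ok")


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Live banner grab; HTTP needs a request before the Server header appears."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        if port in (80, 8080, 8000):
            sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        try:
            data = sock.recv(1024)
        except socket.timeout:
            data = b""
    return data.decode(errors="replace")


# Constructed banners standing in for what grab_banner() would return.
SAMPLE_BANNERS: List[Tuple[str, int, str]] = [
    ("203.0.113.10", 22, "SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2\r\n"),
    ("203.0.113.10", 80, "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n\r\n"),
    ("203.0.113.11", 21, "220 (vsFTPd 3.0.3)\r\n"),
    ("203.0.113.11", 25, "220 mail.example.test ESMTP Postfix (Ubuntu)\r\n"),
    ("203.0.113.12", 22, "SSH-2.0-dropbear_2019.78\r\n"),
]


def assess_samples() -> Dict[Tuple[str, int], str]:
    """Run the classification over the constructed banners."""
    return {(h, p): assess(h, p, b).status for h, p, b in SAMPLE_BANNERS}


if __name__ == "__main__":
    for (host, port), status in assess_samples().items():
        print(f"{host}:{port} -> {status}")
```

For a live target, replace `SAMPLE_BANNERS` with the result of `grab_banner()` for each open port; the "unverified" bucket (no version in the banner, or an unknown product) is exactly the set that must be checked by hand before it goes in the report.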
When BDO begins a compromise assessment with you, our subject matter experts first review the telemetry your organization already has available. We identify gaps through scoping and deploy one tool or a mix of tools to close those gaps, such as custom-built executables, endpoint security tooling and credential hunting. Finally, we look for anomalies and known indicators of compromise.
- Reconnaissance: identify indicators of compromise, evaluate their risk and map the threat actors that expose data to command and control (C2) servers.
- Initial Compromise: identify C2 traffic and its tracks and traces to pinpoint the initial compromise.
- Establish Foothold: replicate or initiate an attack to gain a foothold and manually assess the threat vectors.
- Escalate Privileges: hunt for administrative privileges, lateral movement and persistence in the target environment.
- Exfiltration and C2: exfiltrate data, hunt for further access and communicate with C2.
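The last step of the assessment described above, looking for anomalies and known indicators of compromise in telemetry, is the part that can be shown in code. The following is an added example, not BDO's tooling: it runs two checks over constructed proxy log lines, a match against a hypothetical C2 indicator list, and a beaconing check that flags a source/destination pair whose connection intervals are too regular to be human browsing (low coefficient of variation across the gaps). The log format, IOC list, hosts and thresholds are all assumptions.

```python
"""IOC matching and beacon detection over proxy telemetry (constructed example).

Log format assumed here: "<ISO timestamp> <source> <destination> <bytes_out>".
The IOC list and the log lines are made up for illustration.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Hypothetical indicator list; a real hunt loads this from threat intel feeds.
KNOWN_C2 = {"203.0.113.77", "malicious.example"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<bytes>\d+)$")

# Constructed telemetry: 10.0.0.5 calls home every ~60 s (beacon),
# 10.0.0.8 browses irregularly, 10.0.0.9 touches a listed C2 address once.
SAMPLE_LOG = """
2024-05-01T10:00:00 10.0.0.5 198.51.100.23 412
2024-05-01T10:01:01 10.0.0.5 198.51.100.23 410
2024-05-01T10:02:00 10.0.0.5 198.51.100.23 415
2024-05-01T10:03:02 10.0.0.5 198.51.100.23 409
2024-05-01T10:04:00 10.0.0.5 198.51.100.23 411
2024-05-01T10:05:01 10.0.0.5 198.51.100.23 413
2024-05-01T10:00:00 10.0.0.8 cdn.example 1200
2024-05-01T10:00:03 10.0.0.8 cdn.example 88000
2024-05-01T10:00:45 10.0.0.8 cdn.example 3100
2024-05-01T10:07:10 10.0.0.8 cdn.example 900
2024-05-01T10:07:12 10.0.0.8 cdn.example 45000
2024-05-01T10:31:00 10.0.0.8 cdn.example 700
2024-05-01T10:15:00 10.0.0.9 203.0.113.77 2048
this line is malformed and must not abort the hunt
"""

Event = Tuple[datetime, str, str, int]


def parse_log(text: str) -> List[Event]:
    """Parse log lines; malformed lines are skipped rather than fatal."""
    events: List[Event] = []
    for line in text.strip().splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        events.append((datetime.fromisoformat(match["ts"]), match["src"],
                       match["dst"], int(match["bytes"])))
    return events


def ioc_hits(events: List[Event], iocs=KNOWN_C2) -> List[Tuple[str, str]]:
    """Source/destination pairs whose destination is a known indicator."""
    return sorted({(src, dst) for _, src, dst, _ in events if dst in iocs})


def beacon_candidates(events: List[Event], min_events: int = 5,
                      max_cv: float = 0.1) -> List[Tuple[str, str, float, float]]:
    """Pairs with at least min_events connections at near-constant intervals.

    Returns (src, dst, mean_gap_seconds, coefficient_of_variation).
    """
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    found = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean  # low spread => machine-like timing
        if cv <= max_cv:
            found.append((src, dst, round(mean, 1), round(cv, 3)))
    return found


def hunt(text: str) -> Dict[str, list]:
    """Run both checks over one log and return the findings."""
    events = parse_log(text)
    return {"ioc": ioc_hits(events), "beacons": beacon_candidates(events)}


if __name__ == "__main__":
    for kind, findings in hunt(SAMPLE_LOG).items():
        print(kind, findings)
```

The beacon check deliberately reports the mean interval and the spread rather than a yes/no verdict; a 60-second mean with a coefficient of variation of a few percent is worth a look, whereas a pair that only passes because of two or three events is not, which is why `min_events` is a parameter.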
SECP Guidelines on Cybersecurity Framework for Insurers 2020
On 17 March 2020, the SECP issued guidelines on a Cybersecurity Framework for the Insurance Sector, providing principles to make the information technology systems of insurance companies and their partners secure and resilient.
Cyber risk presents an evolving challenge for the insurance sector due to growing interconnectedness, said SECP in a statement.
“Insurance companies gather, store, and maintain substantial volumes of confidential personal and organizational information. Because of these data reservoirs, insurers may become potential targets for Cybercriminals.”
SECP was of the view that its guidelines provide principles for the formulation of a sound cybersecurity framework to anticipate, withstand, detect, prevent and respond to possible cyber-attacks.
The Guidelines take effect from 1 July 2020.
- Alignment of Cybersecurity Framework with overall Risk Management Framework
- Developing Cybersecurity Framework and Mechanisms
- Appointment of Chief Information Security Officer (CISO)
- Insurers to conduct Cyber Risk Assessment
- Data Security and Confidentiality
- Cyber Risk Insurance Coverage
- Insurers to have adequate Cybersecurity Systems in place
- The Guiding Cybersecurity Framework for Insurance Sector
- Compliance with SECP requirements.
- Tests your cyber-defence capability to deal with cyber attackers and malicious activity.
- Uncovers existing weaknesses in your applications, configurations, network infrastructure and systems.
- Maintains the credibility and trust of your stakeholders.
- Sets risk management standards based on accepted safe practices and legal requirements.
- Provides a clear framework for the delegation of decision-making.
SBP Requirements for PSO & PSP
EMIs (Electronic Money Institutions) are entities that offer innovative, user-friendly and cost-effective low-value digital payment instruments such as wallets, prepaid cards and contactless payment instruments. E-money has played a crucial role in digitizing different types of payments in various countries. The EMIs in Pakistan are expected to offer interoperable and secure digital payment products and services to end users.
Under the Regulations, prospective EMI applicants are granted an EMI license in three stages: In-Principle Approval, Approval for Commencement of Pilot Operations, and the Final Approval (the License).
Below are some State Bank of Pakistan (SBP) circulars /notifications related to payment system departments:
- Payment Systems and Electronic Fund Transfers Act, 2007.
- PSD Circular No. 03 _Oct 21, 2015 - Regulations for the Security of Internet Banking.
- PSD Circular No. 05 _Jun 10, 2016 - Regulations for Payment Card Security.
- PSD Circular Letter No. 07 _Oct 07, 2016 - Master Circular of Payment Systems Data.
- PSD Circular No. 03 _May 09, 2018 - Electronic Fund Transfers (EFT) Regulations.
- PSD Circular No. 09 _Nov 28, 2018 - Security of Digital Payments.
- PSD Circular No. 01 _Apr 01, 2019 - Regulations for Electronic Money Institutions.
- Obtain a license from SBP to operate the business.
- Fulfil SBP compliance requirements.
- Enhanced security and safeguarding of critical business data.
- Reduction of fraud-related risk in financial applications.
Swift CSP Independent Security Assessment
SWIFT recommends the implementation of CSCF controls on the entire end-to-end transaction chain beyond the SWIFT local infrastructure, e.g. the upstream payment processing systems.
Controls are mapped to recognized international standards where applicable (NIST, PCI DSS and ISO 27002). Compliance with those standards therefore indicates that a SWIFT local infrastructure is, to some extent, compliant with the CSCF, but it does not replace an assessment against the CSCF controls themselves. Fig 1.0 defines the SWIFT CSP scope.
- Understand and identify the local SWIFT infrastructure and its network to be reviewed;
- Identify SWIFT underlying risks and related control objectives mentioned in the SWIFT CSP Framework v2019.
- Develop a pragmatic remediation plan to address risks including resource composition for each technology/infrastructure and required operational roles/ responsibilities for securing the environment.
- Review SWIFT-related policies and procedures prior to their completion or as part of their lifecycle review, to ensure they meet the requirements of the SWIFT Customer Security Controls Framework (CSCF). Where necessary, the consultants will provide recommendations and co-authoring support for any improvements required.
- Assist in the remediation of identified gaps in mandatory controls and/or suggest best practice advisory controls to implement
- In-line with existing information security industry standards, and product-agnostic.
- Expected to evolve over time in light of the changing cyber threat landscape.
- Establish a security baseline for the entire community
- All users must attest annually against their implementation of the controls on their local SWIFT-related infrastructure; from the 2021 attestation cycle onward, that attestation must be supported by an independent assessment.
AML/ CFT/ CPF REGULATIONS FOR SBP’S REGULATED ENTITIES
The State Bank of Pakistan (SBP) has issued the Anti-Money Laundering, Combating the Financing of Terrorism and Countering Proliferation Financing (AML/CFT/CPF) Regulations for SBP's Regulated Entities (REs) under the powers conferred on it by Section 6A(2) of the Anti-Money Laundering Act, 2010.
BDO will review the existing AML and Trade Sanction compliance framework to identify gaps (if any) in comparison with the regulatory and legislative framework.
- Understanding of existing branch and digital banking systems.
- Understanding of digital financial services products & services.
- Utilization of systems & digital channels to market the product & service offerings to customers.
- Review of alignment of business plans with the capability and scalability of digital systems.
- Identification of scenarios developed within the systems.
- Understanding of parameters/ rules configured against each scenario.
- Walkthrough of alert generated against each scenario covering both digital and branch banking payment systems.
- Review of Security controls (Authorization & Authentication, Password Management, Auditing & Logging)
- Review of user profiles including the system administrators and super user access.
- Review of the change management procedure and of changes that occurred during the period.
We check the health of your program and give you confidence that you are meeting your regulatory obligations, while providing peace of mind. We set a realistic goal for near-term, tangible security gains and risk reduction.