Q!Digitz   Vol 1   Aug 2019







- After migration of infrastructure to a new vendor, would the existing CSP release the IPs?
- After potential termination of the contract: portability of data and metadata (e.g. the format of the output/extract from the vendor) and purging of data by the service provider. This data remanence poses a higher security threat, and the auditor needs to double-check the mechanisms enforced by the former CSP, after release of the data, regarding storage media.
- The CSP should have agreed to, and provided evidence of, the clearing and sanitization approach used. The auditor should refer here to certificates which specifically mention media sanitization, like the NIST (800-88) guidelines, ensuring the right compliance by the CSP.
- The auditor can review the CSP's data destruction policy, if accessible.

Security and Data Privacy - These form the meat of the entire audit. Data security and privacy are core to any business holding customers' sensitive data, and banking qualifies for extra scrutiny.

Whether the bank has access to a security audit report of the CSP

We can segregate this topic into multiple areas as below –

Physical Security

What guarantees are provided by the CSP to assure the physical-level security of data centers, storage, and network resources?

Network Security

- Is there an agreement to have access to network-level logs of the CSP?
- Is there an agreement to investigate and collect forensic-level data?
- How are the IPs released by the CSP? And how are they re-assigned?
- SIEM (Security Incident and Event Management) like Firewall, IPS and IDS of the CSP
- The CSP may collect syslog files. Has a risk assessment been done to understand what all data is going into the syslog files (like authentication and authorization details)? The auditor needs to question the bank to understand the inventory of this data.
- Regular upkeep, patching, and hardening processes used by the CSP
- If this community CSP is hosting data of multiple banks, what preventive measures are taken to ensure Bank A cannot intentionally / accidentally gain access to the database of Bank B? These are technically achieved by logical isolation using the hypervisor layer.
- Access controls to the hypervisors

Data Security

We can further subdivide this critical topic into multiple arenas as below -


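Returning to the syslog item under Network Security above: the article asks what authentication and authorization details end up in the CSP's syslog files. The following is an added example, not from this article, of how an auditor could run that inventory over exported log lines: it classifies each line by the kinds of sensitive data it carries, flags lines that leak a secret, and masks the secret before the line is retained for review. The sample lines and the field names (user=, password=, session=, role=) are constructed assumptions, not a real CSP's format.

```python
import re
from collections import Counter

# Constructed sample syslog lines for the demo; not taken from any real CSP or bank.
SAMPLE_SYSLOG = """\
Aug 12 10:01:02 gw01 sshd[2211]: Accepted publickey for appuser from 10.20.30.40 port 51022 ssh2
Aug 12 10:01:05 api01 authsvc[913]: login ok user=jdoe role=teller session=9f3a2c77d1
Aug 12 10:01:09 api01 authsvc[913]: login failed user=admin password=Summer2019! from 10.20.30.41
Aug 12 10:02:13 api01 gateway[220]: GET /accounts/4411 Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc
Aug 12 10:03:00 db01 kernel: eth0: link is up
"""

# Category -> pattern (assumed field names). Group 1 captures the value so secrets can be masked.
CATEGORIES = {
    "username":     re.compile(r"\buser(?:name)?=(\S+)|\bfor (\w+) from", re.I),
    "password":     re.compile(r"\b(?:password|passwd|pwd)=(\S+)", re.I),
    "bearer_token": re.compile(r"\bBearer\s+([A-Za-z0-9._-]+)", re.I),
    "session_id":   re.compile(r"\bsession=(\S+)", re.I),
    "role":         re.compile(r"\brole=(\S+)", re.I),
    "client_ip":    re.compile(r"\b(?:from|src)\s+(\d{1,3}(?:\.\d{1,3}){3})\b", re.I),
}
SECRET_FIELDS = {"password", "bearer_token", "session_id"}  # must never reach syslog in clear

def classify_line(line):
    """Return the set of sensitive-data categories found in one syslog line."""
    return {name for name, rx in CATEGORIES.items() if rx.search(line)}

def inventory(text):
    """Count, per category, how many lines carry that kind of data (the auditor's inventory)."""
    counts = Counter()
    for line in text.splitlines():
        if line.strip():
            counts.update(classify_line(line))
    return dict(counts)

def high_risk_lines(text):
    """Lines that leak a secret (password, bearer token or session id) into syslog."""
    return [l for l in text.splitlines() if classify_line(l) & SECRET_FIELDS]

def redact(line):
    """Mask secret values so the line can be kept for review without the secret itself."""
    for name in SECRET_FIELDS:
        rx = CATEGORIES[name]
        line = rx.sub(lambda m: m.group(0).replace(m.group(1), "[REDACTED]"), line)
    return line

if __name__ == "__main__":
    print(inventory(SAMPLE_SYSLOG))
    for l in high_risk_lines(SAMPLE_SYSLOG):
        print(redact(l))
```

The inventory dictionary is what the auditor would ask the bank to reconcile against the agreed data classification, and the redacted high-risk lines are the evidence for the finding.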







