PROJECT REPORT
DISA 3.0
TOPIC: Network Security Audit of
Remote Operations Including Work
From Home (WFH)
CERTIFICATE
This is to certify that we have successfully completed the DISA 3.0 course training conducted at Balaji
Palace, Mahmoorganj, Varanasi from 26.04.2025 to 01.06.2025 and we have the required attendance.
We are submitting the Project titled:
“Network Security Audit of Remote Operations Including Work From Home (WFH)”
We hereby confirm that we have adhered to the guidelines issued by DAAB, ICAI for the project. We
also certify that this project report is the original work of our group and each one of us has
actively participated and contributed in preparing this project. We have not shared the project
details or taken help in preparing the project report from anyone except members of our group.
1. Name: CA Shruti Agrawal Membership No. 451538
2. Name: CA Shivam Jaiswal Membership No. 469524
3. Name: CA Himanshu Patel Membership No. 471503
Place: Varanasi
Date: 17.05.2025
Table of Contents
Sr. No.  Content
1        Details of Case Study/Project (Problem)
2        Project Report (Solution)
         2.1 Introduction
         2.2 Auditee Environment
         2.3 Background
         2.4 Situation
         2.5 Terms and Scope of Assignment
         2.6 Logistic Arrangements Required
         2.7 Methodology and Strategy Adapted for Execution of Assignment
         2.8 Documents Reviewed
         2.9 References
         2.10 Deliverables
         2.11 Format of Report/Findings and Recommendations
         2.12 Summary/Conclusion
1. Details of Case Study/Project (Problem)
Due to the shift toward remote work, many organizations are struggling to secure their networks
effectively. This project involves auditing the network security posture of an IT services company
that has allowed 70% of its employees to work remotely. The key concerns revolve around VPN
access, endpoint security, data loss risks, employee awareness, and overall compliance with
standards such as ISO/IEC 27001, GDPR, and HIPAA. Thereafter, a series of discussions was held
between the entity's team and the IS auditor to understand the different modules, models, features
and controls, which were prepared considering the relevant business rules and regulations.
2. Project Report (Solution)
2.1 Introduction
Auditee Overview:
SuperCheck Technologies Pvt. Ltd., based in Noida, is a mid-sized IT services company catering to
Banking and Financial Institutions and Educational Institutions. The organization has over 300
employees, with a hybrid work model adopted since 2020. Its infrastructure includes cloud
services on AWS, internal VPN servers, and office productivity suites like Microsoft 365. On the
technological front, the company has been a forerunner in many technological innovations. The
urge to innovate and improve customer satisfaction is never-ending for the company. Moreover, the
Company has documented policies and procedures for Accounting, Administration, Customer
Services, Cyber Security Policy, Fair Disclosure Policy, Finance, Information Technology, Marketing,
Preservation of Documents, and Whistle Blower Policy.
Audit Firm (Fictitious):
SHS & Associates is a firm specializing in IS Audits and IT Governance. With a team of 5
professionals led by a DISA-certified partner, we have executed several assignments in
cybersecurity and IT compliance audits, particularly in cloud and remote access environments.
Composition:
Partners: 5
No. of employees: 20
No. of articles: 10
Located at: Sector 18, Noida
In this case, the audit will be handled by a team led by CA Shruti Agrawal with 11 other
members, including 2 partners, 2 paid employees and 6 articles. The audit team for this particular
assignment consists of the following qualified members:
Sr. No.  Name             Qualification  Role
1        Shruti Agrawal   CA, DISA       Team Leader
2        Shivam Jaiswal   CA, DISA       Member
3        Himanshu Patel   CA, DISA       Member
SHS & Associates, Chartered Accountants, is one of the well-known chartered accountancy firms in
India and is engaged in providing Information Systems Audit services across India. We are also
recognized as a provider of Information Systems Audit services, and our core competences are listed
below:
• SAP, Oracle & JDE process reviews
• Review and Framing of 'IS' Policies, Procedures and Practices
• Review of Physical & Logical Access Controls
• Review of Operating System Controls
• Review of Application Systems Controls
• Review of Database Controls
• Review of Network Management
• Review of 'Application Support' and 'System Maintenance' Processes
• Review of 'Disaster Recovery & Business Continuity Plans'
• Review of IS Environment
• Risk Assessment & Suggestions
• Post Implementation reviews of Business Processes and Practices and Suggestions
2.2 Auditee Environment
Networking for remote operations at SuperCheck Technologies Pvt. Ltd. has posed unique
challenges arising from the need to properly secure networking on each device.
Each employee has been provided a separate laptop for their work; they carry the devices to
client locations and upload the data from there. Some of the employees work from home to
save operational cost.
The company has already implemented a separate network security policy for devices used at
remote locations or by employees working from their own premises.
Communication from clients about business insights relevant for analysis should be made
only through secured networks, as this type of information is sensitive and needs to be
protected.
● Business Domain: IT Services for Banking and Financial Institutions and Educational
Institutions
● Organizational Size: 300 employees; 70% remote workers
● Tech Stack:
○ OS: Windows 10, Windows Server 2019
○ DBMS: MySQL, PostgreSQL
○ Applications: Custom ERP, Jira, Zoho, Microsoft 365
○ Network: Cisco Firewalls, Fortinet VPN Gateway, AWS VPC
● Policies:
○ Remote Access Policy
○ BYOD (Bring Your Own Device) Policy
○ Information Security Policy
○ Acceptable Use Policy
● Regulations Complied With:
○ ISO/IEC 27001:2013
○ GDPR
2.3 Background
SuperCheck Technologies Pvt. Ltd. has been using Information Technology as a key enabler for
facilitating business process owners and enhancing services to its customers. The senior
management of the company has been very proactive in directing the management and
deployment of Information Technology. Almost all of the mission-critical applications in the
company have been computerized and networked with proper security.
Implementation of network security has enabled the company's authorized users to connect
seamlessly and securely with all its legitimate vendors, customers and partners, improving
business efficiency and helping the company achieve superior connection quality and business
security.
However, the organization experienced a rise in security incidents such as phishing attempts,
unauthorized login alerts, and unpatched personal devices connecting to the corporate network.
Concerned with its security exposure and client data protection, the management decided to
commission a network security audit focusing on remote operations.
2.4 Situation
Key security challenges:
● Inconsistent security patching on BYOD devices.
● Weak Wi-Fi password policies at employee homes.
● Absence of centralized anti-virus enforcement.
● Use of shared personal devices without MDM (Mobile Device Management).
● No SIEM integration for VPN and firewall logs.
● Poor employee awareness of phishing threats.
2.5 Terms and Scope of Assignment
The Information System Audit should be executed as per the Audit Charter prepared by the
company and agreed upon by the Auditors. The purpose, authority, responsibilities and
accountability are defined in the Audit Charter.
The audit is to comply with the relevant standards issued by the ICAI and globally accepted
standards for Information System Audit, and to establish an Information Security Framework
giving assurance that all required aspects of information security are covered.
Scope includes:
• Review of security and controls at network layer.
• Review of all the key functionalities and related Security and Access Controls as
designed at the parameter level.
• Review how the business rules and regulatory requirements have been designed and
built in the package.
• VPN infrastructure review and access control assessment
• Device compliance and endpoint security checks
• Remote policy enforcement assessment
• Log review and monitoring systems
• Recommendations for improving remote work posture
2.6 Logistic Arrangements Required
• The company will make available the necessary computer time, software resources and
support facilities for the assignment.
• During the course of the IS Audit, the auditors will use ACL, IDEA Software, SQL
Commands, Baseline Security Analyzer, Belarc Security Advisor, Free Port Scanner and
Third Party Access Control Software as computer-assisted audit techniques (CAATs)
for the verification of the system, using a Windows 10 computer connected to the server
having the ABC operating system.
• As an auditor, we will use Integrated Test Facility (ITF) for audit of regulatory
requirements embedded in the application software. We will use correct as well as
incorrect data to check the error reporting capabilities of the network software.
• Automated Flowcharting Programs would be used to interpret the source code of the
application software & to generate flowcharts indicating flow of information.
• Mapping Program would be used, which identifies the unexecuted codes in the coding of
the software which will help us to draw attention of the management and software
development team.
• Access to policy documentation, VPN configs, firewall rules
• Use of tools like Nessus (for vulnerability scanning), Splunk (for log review), Nmap (for
network scan)
• Sample endpoint access (10 devices)
• Interviews with IT/security personnel
2.7 Methodology and Strategy
When undertaking an initial security audit, it is important to use the most up-to-date
compliance requirements to uphold security protocols. This clearly defines what CISOs should
be looking at, and helps in shaping and setting up the future of your automated security
monitoring and assessments. The audit will be conducted to review that the following steps are in
place and up to date:
Step 1: The Scope of the Security Perimeter
The scope of the auditing process is to be clearly defined. It should include all access layers: wired,
wireless and VPN connections. In this manner, the scope of the audit will ultimately include all
software and devices, in all locations, so as to ultimately define the security perimeter for the
company.
Step 2: Defining the Threats
The next step is to list potential threats to the security perimeter. Common threats to include in
this step would be:
Malware – worms, Trojan horses, spyware and ransomware – the most common form of
threat to any organization in the last few years.
Employee exposure – making sure that employees in all locations change their passwords
periodically and use a certain level of sophistication (especially with sensitive company
accounts), as well as protection against phishing attacks and scams.
Malicious insiders – once onboarding has taken place (employees, contractors and guests),
there is the risk of theft or misuse of sensitive information.
DDoS attacks – Distributed Denial of Service attacks happen when multiple systems flood a
targeted system such as a web server, overloading it and disrupting its functionality.
BYOD, IoT – these devices tend to be somewhat easier to compromise and therefore must be
completely visible on the network.
Physical breaches, natural disasters – less common but extremely harmful when they occur.
Step 3: Prioritizing and Risk Scoring
There are many factors that go into creating the priorities and risk scoring.
Cyber security trends – working with a network access control system in place that factors in
the most common and current threats along with the less frequent, could save you and your
CISOs a lot of time and cut costs, while at the same time defending the organization in an
optimal framework.
Compliance – includes the kind of data that is to be handled, whether the company
stores/transmits sensitive financial or personal information, who specifically has access to
which systems.
Organization history – If the organization has experienced a data breach or cyber-attack in the
past.
Industry trends – understanding the types of breaches, hacks and attacks within your specific
industry should be factored in when creating your scoring system.
Step 4: Assessing the Current Security Posture
At this point you should start to have an initial security posture available for each item included
in your initial scope definition. Ideally, with the right access control systems in place, no
internal biases affect your initial audit or any continuous risk assessments performed
automatically later on.
Additionally, making sure that all connected devices have the latest security patches, firewall
and malware protection will assure more accuracy in your ongoing assessments.
Step 5: Formulating Automated Responses and Remediation Action
Establishing a corresponding set of processes designed to eliminate the risks discussed in step 2
includes a few solutions that should be included in this step:
Network monitoring – establishing continuous automated monitoring and creating automated
risk assessments will lead to improved risk management. Cyber offenders are typically working
to gain access to networks. Activating software that automatically takes notice of new devices,
software updates/changes, security patches, firewall installations and malware protection is
the best way for any organization to protect itself. Ideally your CISOs should be alerted to any
questionable device, software, activity, unknown access attempts, and more, so as to be a step
ahead of any harmful activity whether it is maliciously done or not.
Software Updates – Making sure that everyone on the network has the latest software updates
and patches, firewalls etc. It is highly recommended to take advantage of this built-in feature in
Network Access Control Software that alerts you when those are required.
Data backups and data segmentation – relatively simple but crucial steps, because obviously
consistent and frequent data back-ups along with segmentation will ensure minimal damage
should your organization ever fall to malware or physical cyber-attacks.
Employee education and awareness – training for new employees and continuous security
updates for all employees to make sure best practices are implemented company-wide, such as
how to spot phishing campaigns, increasing password complexity, two-factor authentication
and more.
2.8 Documents Reviewed
● Remote Access Policy
● Endpoint Protection Policy
● VPN Access Logs
● Firewall Logs
● Employee Training Records
● Asset Inventory
● Incident Response Plan
● IT security policy for mobile devices used on a network
● Network Security Policy that lists the rights and responsibilities of all staff, employees, and
consultants.
2.9 References
During the course of the Network Security Audit of the Company, the IS Auditors have
complied with the standards and guidelines detailed below:
• DISA 3.0 Modules (Information Security, Risk Management)
• Information Technology Act, 2000:
• Section 7(A) of the Act – Audit of documents in electronic form.
• Section 43A of the Act – Body corporate dealing with sensitive data.
• Section 72(A) of the Act – Disclosure of information without the consent of the
person concerned.
• The Banking Regulation Act, 1949.
• ISO/IEC 27001 & 27002
• NIST SP 800-46 Rev. 2
• GDPR (Articles 25, 32, 33)
• COBIT 5 Framework
• OWASP Secure Remote Work Guidelines
• ICAI e-Learning Materials
• Other Globally Accepted Standards issued by the relevant authorities
2.10 Deliverables
● Draft Audit Report
● Final IS Audit Report
● Risk Register and Impact Matrix
● Executive Summary for Senior Management
● Recommendations Plan (short-term + long-term)
2.11 Report/Findings and Recommendations
Sr. No. | Question | Yes | No | Documentation
1 | Review network diagrams to understand the network infrastructure. | | | Done
2 | Review the physical and logical access controls to the network. | | | Done
3 | Review the applicable policies, standards, procedures and guidance on the network. | | | Done
4 | Review the maker-checker concept to reduce the risk of error and misuse and to ensure reliability of data/information. | | | Done
5 | Review the Information Security and Cyber Security. | | | Done
6 | Review the adequacy to file regulatory returns to RBI. | | | Done
7 | Review the BCP policy duly approved by the Board ensuring regular oversight of the Board by way of periodic | | | Done
8 | Review whether the requirements as regards Mobile Financial Services, Social Media and Digital Signature Certificates are properly met. | | | Done
9 | Arrangement for backup of data with periodic testing. | | | Done
10 | Review whether internet connections are protected through an industry-recognized firewall. | | | Done
Findings (Sr. No., Control, Observation, Recommendation):
1. Control: Security Policy
   Observation: Proper documentation of the security policy is prepared by management from time to time, but it is not effectively implemented in the software.
   Recommendation: It is advisable that each employee should be made aware of the security policy and proper training should be given at the time of joining.
2. Control: Disaster Recovery Plan
   Observation: There is an option for a Disaster Recovery Plan for the customer in case of a security breach or network failure.
   Recommendation: It is advisable to make a disaster recovery plan compulsory in the system.
3. Control: Network Diagram
   Observation: Network diagrams do not follow diagramming conventions; conventional device icons are not used to represent devices such as routers, L-3 switches, etc.
   Recommendation: Diagrams should conform to standard conventions and should be updated as and when changes occur in the network.
4. Control: Audit Log
   Observation: The audit log policy is not consistent across servers in terms of network logging, log file size and retention period. Audit log configurations on all servers allow overwriting on reaching the defined maximum log size.
   Recommendation: A consistent audit log policy should be applied across servers; logs should be promptly backed up and manually cleared to obviate the need for overwriting. Wherever required, the log size may be suitably increased.
5. Control: VPN Access
   Observation: New employees are given VPN access, but older employees working at remote locations have not been provided VPN access and are working over normal public networks.
   Recommendation: A VPN adds an extra layer of security by hiding IP addresses, encrypting the data and masking the user's location. Ensure that all remote employees have access to the VPN service. If necessary, hold a meeting or share tutorials on how to use the VPN efficiently to protect the company network.
6. Control: Third-party remote access platform
   Observation: Employees are using a remote desktop service to hold meetings without the IT team having assessed the network's suitability.
   Recommendation: The IT team should choose the RDS very carefully before any exchange of information or holding of meetings begins.
7. Control: Lack of antivirus on BYOD
   Observation: Potential for malware.
   Recommendation: Enforce corporate antivirus via MDM.
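The audit log observation above (finding 4) can be verified mechanically rather than by inspecting each server by hand. The following is an added example, not part of the report or the auditee's tooling: it parses the text that `wevtutil gl Security` prints on a Windows Server host, classifies each server's retention mode, and flags servers whose logs overwrite themselves or whose maximum size falls below an assumed baseline. The hostnames, values and the 512 MiB baseline are constructed for illustration.

```python
"""Cross-server audit-log configuration check (added example, not from the report).
Parses what `wevtutil gl Security` prints on a Windows Server host and flags the
two conditions behind finding 4: logs that overwrite themselves when maxSize is
reached, and retention settings that differ between servers."""
import re

# Constructed sample of `wevtutil gl Security` output from three hosts (illustrative).
WEVTUTIL_OUTPUT = {
    "SRV-AD01": """name: Security
logging:
  retention: false
  autoBackup: false
  maxSize: 20971520
""",
    "SRV-FILE01": """name: Security
logging:
  retention: true
  autoBackup: true
  maxSize: 1073741824
""",
    "SRV-VPNLOG": """name: Security
logging:
  retention: false
  autoBackup: false
  maxSize: 134217728
""",
}

# Assumed baseline: the minimum Security log size the auditor expects (512 MiB).
BASELINE_MIN_SIZE = 512 * 1024 * 1024


def parse_wevtutil(text):
    """Collect 'key: value' lines from wevtutil gl output into a dict."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+):\s*(.*)$", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    cfg["retention"] = cfg.get("retention") == "true"
    cfg["autoBackup"] = cfg.get("autoBackup") == "true"
    cfg["maxSize"] = int(cfg.get("maxSize", "0"))
    return cfg


def retention_mode(cfg):
    if not cfg["retention"]:
        return "overwrite"      # oldest events are discarded once maxSize is hit
    if cfg["autoBackup"]:
        return "archive"        # full log is saved and a fresh one started
    return "manual-clear"       # logging stops until an administrator clears it


def audit_log_policy(outputs, min_size=BASELINE_MIN_SIZE):
    """Return (per-host findings, whether all hosts share one policy)."""
    findings, modes, sizes = {}, set(), set()
    for host, text in outputs.items():
        cfg = parse_wevtutil(text)
        mode = retention_mode(cfg)
        modes.add(mode)
        sizes.add(cfg["maxSize"])
        issues = []
        if mode == "overwrite":
            issues.append("log overwrites itself at maxSize; enable archiving")
        if cfg["maxSize"] < min_size:
            issues.append(f"maxSize {cfg['maxSize'] // 2**20} MiB is below baseline")
        findings[host] = {"mode": mode, "maxSize": cfg["maxSize"], "issues": issues}
    return findings, len(modes) == 1 and len(sizes) == 1
```

Run against real exports, the `consistent` flag being False is itself the finding; the per-host `issues` lists give the servers to remediate first.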
Other recommendations for remote operations:
• Make 2FA (Two-Factor Authentication) mandatory.
• Educate your employees about cyber security risks and their vulnerabilities as they
work from home.
• Teach your employees how to identify phishing and steps they need to take if they get
phished.
• Provide a point of contact and clear guidelines in case there is a security breach.
• Make the use of a standard password manager solution mandatory.
• Conduct phishing audits to test the preparedness of your remote employees.
• Ensure regular backups are conducted.
• Keep “read-only” as the default when granting file share permissions.
• Use an email filtering solution to filter inbound as well as outbound messages.
• Protect against spam, malware, and phishing by using mail filters.
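Finding 5 (remote employees without VPN access) and the absence of SIEM integration for VPN logs noted in section 2.4 both come down to the same log review: who in the remote-staff list never established a tunnel, and which accounts show repeated authentication failures. The following is an added example, not from the report or the auditee's gateway: it runs those checks over constructed key=value log lines written in the general style of a VPN gateway event log (not a verified vendor format); the usernames, addresses and the failure threshold of 5 are assumptions.

```python
"""VPN access-log review (added example, not from the report).
Cross-checks constructed VPN gateway events against the remote-staff list to
show what finding 5 (remote employees without VPN) and the SIEM gap in 2.4 call
for: staff with no successful tunnel, and repeated authentication failures."""
import re
from collections import Counter

# Constructed: remote staff per the asset inventory (usernames are illustrative).
REMOTE_STAFF = {"sagrawal", "sjaiswal", "hpatel", "rverma"}

# Constructed key=value log lines in the style of a VPN gateway event log
# (not a verified vendor format); addresses are RFC 5737 test ranges.
VPN_LOG = """\
date=2025-05-12 time=09:01:10 subtype=vpn action=tunnel-up user=sagrawal remip=203.0.113.7
date=2025-05-12 time=09:05:42 subtype=vpn action=tunnel-up user=sjaiswal remip=198.51.100.23
date=2025-05-12 time=09:06:03 subtype=vpn action=ssl-login-fail user=hpatel remip=198.51.100.9
date=2025-05-12 time=09:06:11 subtype=vpn action=ssl-login-fail user=hpatel remip=198.51.100.9
date=2025-05-12 time=09:06:20 subtype=vpn action=tunnel-up user=hpatel remip=198.51.100.9
date=2025-05-12 time=11:30:00 subtype=vpn action=ssl-login-fail user=admin remip=192.0.2.44
date=2025-05-12 time=11:30:04 subtype=vpn action=ssl-login-fail user=admin remip=192.0.2.44
date=2025-05-12 time=11:30:09 subtype=vpn action=ssl-login-fail user=admin remip=192.0.2.44
date=2025-05-12 time=11:30:15 subtype=vpn action=ssl-login-fail user=admin remip=192.0.2.44
date=2025-05-12 time=11:30:21 subtype=vpn action=ssl-login-fail user=admin remip=192.0.2.44
"""

# key=value pairs; values may be quoted (with spaces) or bare tokens.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value record into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def review_vpn_log(log_text, remote_staff, fail_threshold=5):
    """Return the three checks an auditor would run over the gateway log."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    connected = {e["user"] for e in events if e.get("action") == "tunnel-up"}
    failures = Counter((e["user"], e["remip"])
                       for e in events if e.get("action") == "ssl-login-fail")
    return {
        # remote staff who never established a tunnel: likely on plain public networks
        "no_vpn_use": sorted(remote_staff - connected),
        # successful tunnels for accounts that are not on the remote-staff list
        "unknown_users": sorted(connected - remote_staff),
        # user/IP pairs with repeated failures: the "unauthorized login" alerts
        "repeated_failures": sorted(f"{u}@{ip}" for (u, ip), n in failures.items()
                                    if n >= fail_threshold),
    }


if __name__ == "__main__":
    for check, hits in review_vpn_log(VPN_LOG, REMOTE_STAFF).items():
        print(f"{check}: {hits or 'none'}")
```

The same three checks are what a SIEM correlation rule over the forwarded VPN and firewall logs would produce continuously instead of once per audit.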
2.12 Summary/Conclusion
We have conducted a Network Security audit of SuperCheck Technologies Pvt. Ltd. focusing
on remote operations including Work from Home, as per the terms and scope agreed upon
between the management and the auditors. We have taken care to follow the international
reporting standards issued by ISACA while conducting the audit assignment. Although we have
tested the software thoroughly, our report remains subject to the audit risk associated with the
audit itself.
Although the company has managed to secure its network, there are key areas which we have
identified: authentication for connecting to the network, employees being unaware of the
company's security policy, disaster recovery plans not being in place, use of third-party RDS
without consulting the IT team, etc. We have made recommendations regarding our findings
which may be helpful to the management.
There are other findings as well which are also important to resolve as soon as possible: there
are guidelines in case of a security breach; there are no proper authorization controls in place for
connecting to the network, etc. Necessary recommendations have been provided by us to the
management to address these findings.
The recommendations suggested by us are suggestive in nature and not mandatory; the
management may look for alternative solutions to the findings. The audit identified
significant gaps in the company's remote work security framework. While some policies
existed, their enforcement and technical controls were inconsistent.
The audit recommends implementing a Zero Trust framework, improved VPN logging,
mandatory EDR (Endpoint Detection and Response) tools, and a remote employee training
program. These measures will elevate the organization’s compliance level and resilience
against cyber threats.