Running head: IT Infrastructure
Planning an IT Infrastructure Audit for Compliance
Larry Michael
Strayer University
Professor
June 5, 2018
Planning an IT Infrastructure Audit for Compliance
Introduction
An IT audit is an examination and evaluation of an organization's information technology infrastructure. The process helps to determine how effective the IT controls used by the organization are at protecting its data and preserving data integrity. Companies now deal with large databases and large numbers of online accounts, which has increased the need for advanced technologies and tools for data protection and integrity. The IT audit process helps to meet these objectives: it not only checks physical security but also performs a detailed analysis of the organization's financial and technical controls.
For this report, the selected organization is JP Morgan Chase & Co., one of the largest multinational investment banks, operating in many countries. By market capitalization it ranks as the second most valuable bank in the world. The organization is counted among the big four investment banks of America, together with Citigroup, Wells Fargo and Bank of America. It was established in 2000 through the joint venture of J.P. Morgan & Co. and the Chase Manhattan Corporation and has built a valuable name in the money market. As of 2017-18, the bank holds the most significant assets, worth US$2.789 trillion (JP Morgan Chase & Co., 2018).
1. Scope
The scope of JP Morgan Chase & Co. is to provide continuous and valuable services in the financial market, building a future for its stakeholders by using the strengths of the company.
2. Goals and objectives
To achieve its short-term and long-term business objectives, JP Morgan Chase & Co. follows a specific working structure with a commitment to fairness, integrity, and responsibility.
• It works to offer excellent customer service by building world-class franchises and long-term investment plans for its clients.
• Financial rigor and risk discipline are critical disciplines of work followed by JP Morgan Chase & Co.
• JP Morgan Chase & Co. does not compromise on data integrity, relying on a trained, skilled and diverse workforce.
The frequency of the audit
The company conducts its IT audit annually with external IT auditors who work in every financial year, but it also has internal IT auditors who work continuously with the company to secure customer data.
Duration of the audit
The external IT infrastructure audit is completed in 1-2 months, including the final reports, but the internal auditors work continuously on the IT structure.
2. Requirements of the audit for JP Morgan Chase & Co.
JP Morgan Chase & Co. is responsible for the protection and security of data about the personal accounts and financial dealings of thousands of customers. In this scenario, the IT infrastructure should be fully secured by meeting the control framework suggested by the IGs, CIOs and CISOs. In this company, the IT auditor should complete all of the following steps for the required controls:
• Overview of the control
• Working with factors
• Defensive objectives
• Quick wins
• Configuration and security of sensitive information
• Overview of evaluating the control
• Core evaluation test
• Testing/reporting metrics
• Evaluating root cause analysis of failures
• Audit/evaluation methodologies
• Using various evaluation tools
3. Privacy laws that apply to the organization
While dealing with digital information and confidential customer information, it becomes the first priority of the company to comply with the privacy laws.
1. Expectation to opt out: all customers have the right to obtain the necessary information.
2. Restriction on sharing account numbers.
3. The content of the notice should be known by customers.
4. Disclosure of information should be made under the Fair Credit Reporting Act.
5. Draft privacy notice.
6. Fair Credit Reporting Act (Korenbeusser, 2015).
4. Plan for assessing IT security for JP Morgan Chase & Co.
The plan to assess the security of IT at JP Morgan will follow the steps below:
• Risk management
For risk management, JP Morgan Chase and Co can identify, evaluate and prioritize the risks that occur with the products and services this organization provides to its customers.
• Threat analysis
JP Morgan Chase and Co can carry out threat analysis to get some hints about the probability of terrorist attacks and the threat assessment results.
• Vulnerability analysis
JP Morgan Chase and Co must carry out a vulnerability assessment to identify, define, prioritize and classify the vulnerabilities in its applications, computer systems and other network infrastructure, so that management has enough understanding of any vulnerability.
• Risk assessment analysis
Risk analysis involves the identification of the threats that might occur, and the vulnerabilities exposed to each threat can then be analyzed. In this instance, the risk assessment is based on an evaluation of the organization's controls and security against potential threats.
5. Obtaining information, resources, and documentation
For audit purposes, the information, resources and documentation are obtained from the IT systems; a secure way of retrieving the information and data will be adopted so that any existing data breach can be eliminated.
6. Seven (7) domains aligned with JP Morgan Chase & Co.
According to the Electronic Data Processing Auditors Association (EDPAA) and the American Institute of Certified Public Accountants (AICPA), seven essential domains of work define the whole process of IT infrastructure auditing. To bring integrity and stability to the IT audit procedure, the IIA's IPPF (International Professional Practices Framework) and COSO's framework are also followed. The following are some critical domains for IT audit:
Figure 1: IT audit and the seven domains of IT audit infrastructure. Source: (Computerworld, 2016)
The key audit domains of remote access, WAN, LAN-to-WAN, workstation and user, LAN, internet service, and system and essential applications help to determine the structure of IT audit in any organization. These seven domains are aligned with the audit infrastructure of JP Morgan Chase & Co. and will help to increase the performance of the IT audit toward the desired objectives.
All of these audit domains are related to each other, starting from remote access to data and ending at the quality of the applications and web services that secure the personal and financial data of customers. These domains can be applied to the working of JP Morgan in the following ways:
1. First, at the user domain, a third person can destroy data and applications; for example, a co-worker who has a personal problem with another worker can use that worker's password to edit or delete a file, which results in poor performance for the other person.
2. Second, the workstation domain is the primary place where production takes place, but the vulnerability of the operating system here is that hackers can find a backdoor to data. At JP Morgan Chase & Co., hackers could steal information about people's financial accounts and make unwanted investment transactions (Chen, 2017).
3. Third, the LAN domain is one trusted zone; the interconnection of this domain with all hubs allows a worm to spread to all systems. At the selected company, the accounts of different employees or customers can become interconnected and vulnerable.
4. Fourth, the LAN/WAN domain at JP Morgan increases egress/ingress traffic filtering, which will decrease the performance of internal working and increase penetration opportunities for hackers.
5. The application/system storage domain increases the chances of DoS attacks, which can cripple the working of organizational email, and increases the chances of SQL injection. At JP Morgan, hackers could damage the central system of the company and gain control over investment decisions for clients.
6. The remote access domain helps to manage the mobile users of JP Morgan, for example through its mobile banking and online dealing services. In this domain, the connection between remote computers and the VPN channels can be disrupted, and hackers can gain access to the connections of JP Morgan's clients.
7. The system and essential application domain helps to manage financial transactions and the record of every investment by using cloud functionality (Binus Ac, 2015).
7. Security policy and procedure plan
JP Morgan could develop a plan that strictly adheres to the privacy policies and principles associated with the information and data of its customers. Moreover, the organization can follow the relevant jurisdictions and maintain compliance across all of its services. Through the audit of its privacy policy, the organization ensures proper follow-up on the standards it has built to eliminate any risk factor associated with the services it provides to customers. In this regard, JP Morgan may protect the confidentiality and privacy of personal information through electronic, physical and procedural safeguards that strictly follow legal standards to secure data from any unlawful alteration, unauthorized access to information and processing errors.
• In this instance, the type of information is understood first; after that, security codes, biometric identifiers and driver licenses could be obtained, through which security is maintained.
• In addition, controls such as keeping everything up to date are mandatory; for that purpose reasonable steps could be created, such as identification of the ports that can be used to check the authenticity of the access.
• Moreover, only affiliates could be given the authority to share the personal and sensitive information of the business units, and they will strictly conform to the law.
• The processed information could be transferred under the persistent regulatory and legal obligations, to assure the highest quality of financial services to the customers.
• Unaffiliated third parties will not be allowed any access to personal information about online activities while customers visit the online services. Therefore, proper notice will be given before any personal information is sent.
8. Control points verified in IT infrastructure
IT audit, assessment and assurance involve a detailed and careful analysis of all managerial and technical aspects of an organization. Each company has critical security controls and policies that should be covered by the IT audit. The following are some security controls that must be verified through the IT audit process:
1. Evaluation of all IT resources to ensure that these resources meet the needs and requirements of the business
2. Making IT resources more agile with advanced and more compatible technological support
For JP Morgan Chase & Co., a number of processes have been considered for examination to increase security control in the organization. These include accurate inventory management, energy consumption, the level of financial services, human resource considerations, online dealing of accounts with transactions of amounts, direct strategic options, and reduction of server utilization. These policies and processes will help to increase security control for JP Morgan Chase & Co.
The following are some critical procedures for the IT infrastructure audit:
• Control 1: An inventory of authorized and unauthorized devices is one of the essential requirements of the IT infrastructure for the selected company, because it will help to check for possible vulnerabilities in the company's systems. A vulnerable system can give a backdoor to hackers, which is a significant threat to the IT structure (JP Morgan Chase & Co., 2018).
• Control 2: The audit should include a proper check of the programs installed on computers and should record the inventory of authorized and unauthorized devices, because a compromised company system increases the risk of a data breach.
• Control 3: Secure configuration of the different hardware and software servers is essential, as default configurations increase the network's accessibility to hackers. The audit team can use a periodic basis or a test system for this control (Gonzales, 2017).
• Control 4: Advanced vulnerability scanning tools can be used to improve vulnerability assessment and remediation. This helps to increase security for software that is exposed to exploit code.
• Control 5: Defense against malicious threats addresses one fundamental threat to data integrity; such threats can target the end user through e-mail attachments, mobile devices, other vectors, and web browsing. The IT audit brings control to ensure that anti-virus signatures are current and that more secure IT features are in place for the organization.
• Control 6: JP Morgan Chase & Co. deals with large volumes of personal and financial information about its clients, which needs adequate backup features to withstand any unforeseen event. Thus, anything that could potentially jeopardize the organizational structure is a critical entry during the IT audit.
• Control 7: Controlling entry through electronic holes in the network is essential to protect the sensitive data of millions of customers at JP Morgan Chase & Co. For this purpose, the IT auditor should consider robust firewalls, switches and routers for the company's data (Casola, 2017).
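The following is an added example, not part of this paper or of any JP Morgan Chase & Co. tooling, showing how an auditor could automate the inventory reconciliation behind Controls 1 and 2: the devices observed on the network and the programs found on them are compared with the authorized register, and every mismatch becomes a finding with a severity for the audit workpaper. All device names, addresses and software names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    mac: str             # hardware address used as the asset key
    hostname: str
    software: frozenset  # program names found on the device by the scan


# Constructed asset register: the devices and software the company authorized.
AUTHORIZED = {
    "aa:bb:cc:00:00:01": Device("aa:bb:cc:00:00:01", "ws-trading-01", frozenset({"office", "edr-agent"})),
    "aa:bb:cc:00:00:02": Device("aa:bb:cc:00:00:02", "ws-ops-07", frozenset({"office", "edr-agent"})),
    "aa:bb:cc:00:00:03": Device("aa:bb:cc:00:00:03", "srv-backup-01", frozenset({"backup-agent"})),
}
APPROVED_SOFTWARE = {"office", "edr-agent", "backup-agent", "vpn-client"}

# Constructed scan results: what was actually observed during the audit window.
DISCOVERED = [
    Device("aa:bb:cc:00:00:01", "ws-trading-01", frozenset({"office", "edr-agent"})),
    Device("aa:bb:cc:00:00:02", "ws-ops-07", frozenset({"office", "torrent-client"})),
    Device("de:ad:be:ef:00:09", "unknown-laptop", frozenset({"browser"})),
]


def reconcile(authorized, discovered, approved_software):
    """Return sorted (severity, finding) tuples for the audit workpaper."""
    findings, seen = [], set()
    for dev in discovered:
        seen.add(dev.mac)
        if dev.mac not in authorized:
            # Control 1: a device on the network that the register does not know.
            findings.append(("HIGH", f"unauthorized device {dev.mac} ({dev.hostname})"))
            continue
        unapproved = sorted(dev.software - approved_software)
        if unapproved:
            # Control 2: an authorized device running software outside the approved list.
            findings.append(("MEDIUM", f"{dev.hostname}: unapproved software {unapproved}"))
        missing = sorted(authorized[dev.mac].software - dev.software)
        if missing:
            # Control 5 overlap: required protective software (e.g. the EDR agent) is absent.
            findings.append(("MEDIUM", f"{dev.hostname}: expected software missing {missing}"))
    for mac, dev in authorized.items():
        if mac not in seen:
            # Registered asset never observed: stale inventory or a device that is offline.
            findings.append(("LOW", f"{dev.hostname} ({mac}) in register but not observed"))
    return sorted(findings)


def run_audit():
    return reconcile(AUTHORIZED, DISCOVERED, APPROVED_SOFTWARE)
```

A clean environment, where every registered device is observed with exactly its registered software, yields no findings; the constructed scan above yields one unauthorized device, two software deviations and one stale register entry.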
9. Conclusion
In a nutshell, IT audit infrastructure is very important for compliance; it will help the organization to meet its primary operational objectives and to ensure data integrity while working in the digital age. The above plan therefore gives insight into the critical requirements of the audit at JP Morgan Chase & Co. It also develops the audit and compliance through a proper arrangement and security plan by which the IT infrastructure can be secured from any malicious activity.
References
Binus A. (2015, June 23). The seven domains of a typical infrastructure. Retrieved from [Link]
Casola, V., Benedictis, A., Eraşcu, M., Modic, J., & Rak, M. (2017). Automatically enforcing security SLAs in the cloud. IEEE Transactions on Services Computing, 10(5), 741-755. Retrieved from [Link]
Chen, J., Yao, S., Yuan, Q., Du, R., & Xue, G. (2017). Checks and balances: A tripartite public key infrastructure for secure web-based [Link] on Computer Communications, 1-9. Retrieved from [Link]
Computerworld. (2016, May 12). Five steps to audit-proof your IT infrastructure. Retrieved from [Link]
Gonzales, D., Kaplan, J., Saltzman, E., Winkelman, Z., & Woods, D. (2017). Cloud-trust—A security assessment model for infrastructure as a service (IaaS) [Link] Transactions on Cloud Computing, 5(3), 523-536. Retrieved from [Link]
JP Morgan Chase & Co. (2018, Jan 12). JP Morgan Chase & Co. Retrieved from [Link]
Korenbeusser, C. (2015, January 23). How do banks charter their way to better data privacy? Retrieved from [Link]