ICT Infrastructure Audit: (Inspection & Assessment, Audit, Compliance & Certification)
Public/Government ICT Infrastructure includes all information and communications technology infrastructure and systems (including software, hardware, firmware, networks and web-portals, sites as well as applications including mobile ones) that is used by any Government organization including department, directorate, corporation, board etc.
An ICT infrastructure audit is to evaluate the system's internal control design and effectiveness against relevant standards and best practices in order to withstand various types of intrusive activities. This includes but is not limited to, design, implementation, performance, efficiency, security protocols and IT governance or oversight.
The entire process is monitored online using the portal of CS-CoE.
Stages of activity:
- Online intimation to the organisation and capturing consent using web-form;
- Initiation of audit activity by sending ‘pre-audit’ checklist for filling up and submission;
- Intimation to the empanelled auditor to commence audit process based on checklist;
- Online monitoring of audit by capturing audit report from the site of audit;
- Compilation and finalisation of audit report in consultation with the stakeholders;
- Issuance of recommendation and advisory to the auditee organisation;
- Issuance of completion certificate for release of payment to the auditor.
The audit is conducted in four stages:
- Inspection & Assessment – Inspection of the entire ICT infrastructure covering but not limited to Asset, Systems, Processes and Applications (web and mobile version, as the case may be). Assessment leading to security categorisation i.e. Critical, Vulnerable, Safe.
- Audit – Either Comprehensive or Specific (depending on whether the system has been classified as Critical, Vulnerable or Safe).
- Compliance – This stage ensures that all the software, hardware, processes and systems cater to the compliance requirements as per globally acceptable standards for the same.
- Certification – A third-party certification excluding the organisation involved in the earlier activities for the auditee after compliance activity.
Cyber Security Centre of Excellence 