A comprehensive understanding of cyber security audits is important for insurance brokers who need to assess and mitigate cyber risks effectively. This blog walks through the frequently asked questions (FAQs) in cyber security audits tailored specifically to insurance brokers, with sample answers that illustrate the practices and considerations a broking firm needs to navigate the audit with confidence.
#1: State your company's name and full address.
Answer: Please provide the corresponding details of your insurance broking firm.
#2: Could you provide details regarding the names, designations, qualifications, experience, and records of conduct and performance of individuals managing the applicant’s insurance Self-Network Platform?
Answer (name, designation, qualification, experience):
1. Vivek Stanley, IT Head; M.Tech (Technology Management); 11 years
2. Vaishnavi S, Server Management; Diploma in Computer Hardware; 5.5 years
3. Devassy Nelvin, DevOps; MCA; 2 years
4. Suraj Radhakrishnan, Front End; Plus Two; 10 years
#3: Does your company have a policy for encryption and key management that follows industry best practices?
Answer: In AWS, encryption policies are typically implemented using services like AWS Key Management Service (KMS) to manage encryption keys. You can enforce encryption at rest for various AWS resources, such as Amazon S3 buckets, Amazon EBS volumes, and Amazon RDS databases. Additionally, AWS Identity and Access Management (IAM) allows you to control access to encryption keys and resources, ensuring secure data handling within your AWS environment.
#4: Does your encryption & key management policy require all systems including applications, databases, operating systems, and network devices that store, process, or transport CARE information to follow encryption and key management policies?
Answer:
At Rest: Data is considered at rest when it is stored on a persistent storage medium, such as databases, Amazon S3 buckets, or EBS volumes.
In Transit: We use secure communication channels, using protocols such as HTTPS for web traffic and SSL/TLS for other services.
#5: What encryption is used for data on internal and external networks (In Transit and Rest)?
Answer: TLS 1.2 and SSH.
#6: Does your company maintain a current inventory of assets (hardware, software, and third-party information systems) that store and process client information?
Answer: Yes, we do.
#7: Does all code promotion to production require approval through a formal change management process?
Answer: Yes.
#8: Is all code managed within a source code repository?
Answer: Yes. Gitlab.
#9: Does your company maintain documentation of incidents and events?
Answer: NA.
#10: Does your company have documented BCP and DR?
Answer: Yes.
#11: How are security priorities handled in the recovery process?
Answer: Regular updates, testing and training are essential to keep the recovery process effective. For database backups we use two schedules:
1. Daily backup
2. Three-hourly backup
Restoration Process: Our RTO is 4 hours, meaning the organization aims to have the application fully operational within 4 hours of a disruption.
Recovery Point Objective: 3 hours, meaning data recovery is arranged so that no more than 3 hours of data is lost.
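An auditor will usually ask for evidence that the backup schedule actually meets the stated RPO and that a restore drill met the RTO. The script below is an added example (not from the original post) that checks a constructed backup-job log against the 3-hour RPO and a restore drill against the 4-hour RTO; the log format and timestamps are assumptions.

```python
"""Check backup runs and a restore drill against the stated RPO (3 h) and RTO (4 h).
Added example; the log format below is constructed, not a real job log."""
from datetime import datetime, timedelta

RPO = timedelta(hours=3)
RTO = timedelta(hours=4)

# Constructed backup-job log: one line per scheduled run of the three-hourly job.
BACKUP_LOG = """\
2024-05-01T00:05:00 backup=three_hour status=completed
2024-05-01T03:05:00 backup=three_hour status=completed
2024-05-01T06:05:00 backup=three_hour status=completed
2024-05-01T09:07:00 backup=three_hour status=failed
2024-05-01T12:05:00 backup=three_hour status=completed
2024-05-01T15:05:00 backup=three_hour status=completed
"""


def parse_completed(log):
    """Return the timestamps of successful runs, in log order."""
    runs = []
    for line in log.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv.get("status") == "completed":
            runs.append(datetime.fromisoformat(ts))
    return runs


def rpo_violations(runs, rpo=RPO):
    """Gaps between consecutive successful backups that exceed the RPO.
    One failed run doubles the gap to 6 h, which silently breaches a 3 h RPO."""
    return [(a, b) for a, b in zip(runs, runs[1:]) if b - a > rpo]


def max_data_loss(runs, as_of):
    """Worst-case data loss if a disruption had occurred at `as_of`."""
    last = max(r for r in runs if r <= as_of)
    return as_of - last


def rto_met(restore_start, restore_end, rto=RTO):
    """True if a restore drill finished within the RTO."""
    return restore_end - restore_start <= rto


if __name__ == "__main__":
    completed = parse_completed(BACKUP_LOG)
    for a, b in rpo_violations(completed):
        print(f"RPO breached: {b - a} without a good backup, {a} to {b}")
```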
#12: What measures have been implemented to safeguard against unauthorized access, alteration, destruction, disclosure, or dissemination of records and data belonging to the applicant?
Answer:
1. Server level controls: Server access is protected by user credentials together with an SSH key, so only authorized personnel can access the server. We also apply least-privilege access and a strong password management policy to ensure secure access.
2. Website level controls:
1) Only users with the appropriate privilege can access the admin panel of the website.
2) When customer accounts are enabled, end customers will have 2FA.
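The server-level controls above (SSH key access, least privilege) are easy to claim and easy to undo with one config line, so an audit typically checks the actual sshd configuration. Below is an added example, not from the original post, that parses a constructed sshd_config and reports directives that deviate from a key-only posture; the OpenSSH defaults listed are those documented for OpenSSH 8.x, the version shipped with Ubuntu 20.04.

```python
"""Check an sshd_config against the key-only, least-privilege posture in #12.
Added example; SAMPLE_CONFIG is constructed, not a real server's file."""

# OpenSSH 8.x defaults used when a directive is absent from the file.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
}

# Values expected for key-only administrative access with no direct root login.
EXPECTED = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
}


def parse_sshd_config(text):
    """Return directive -> value from the global section of sshd_config.
    sshd honours the first occurrence of a directive, so later duplicates are
    ignored; Match blocks are skipped because they apply only conditionally."""
    values = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, _, val = line.partition(" ")
        key = key.lower()
        if key == "match":
            in_match = True
            continue
        if in_match or key in values:
            continue
        values[key] = val.strip().lower()
    return values


def check_sshd(text):
    """Return (directive, actual, expected) for every deviation found."""
    values = {**DEFAULTS, **parse_sshd_config(text)}
    return [(k, values[k], v) for k, v in EXPECTED.items() if values[k] != v]


# Constructed sample: password login is still on and root login was never set.
SAMPLE_CONFIG = """\
Port 22
PubkeyAuthentication yes
#PasswordAuthentication no
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication no
"""
```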
#13: Does your organization have a user role rights review process? If yes, please describe it; if no, please describe the reasons for the lack of such a requirement.
Answer: Yes, based on roles and responsibilities.
#14: Are all user access privileges reviewed on a periodic basis? If YES, please describe the process and frequency?
Answer: No. Only reviewed on demand.
#15: What are the ports used in the app and MySQL server?
Answer:
1. In App Server: HTTPS 443, HTTP 80, SSH 22
2. In MySQL: 3306, HTTPS 443, HTTP 80, SSH 22
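Listing the open ports is only half of the answer; the auditor will also want to know which sources can reach each port, and the MySQL server in particular should not expose 3306 (or web ports) beyond the application tier. The script below is an added example, not from the original post, that compares constructed inbound firewall rules for the two servers against an expected-exposure baseline; all CIDRs are constructed.

```python
"""Compare inbound firewall rules for the app and MySQL servers (#15) against an
expected-exposure baseline. Added example; rules and CIDRs are constructed."""
from ipaddress import ip_network

ADMIN_NET = ip_network("203.0.113.0/24")   # office/VPN range, constructed
APP_NET = ip_network("10.0.1.0/24")        # app-server subnet, constructed
ANY = ip_network("0.0.0.0/0")

# Baseline: for each server, port -> networks allowed to reach it.
BASELINE = {
    "app":   {443: {ANY}, 80: {ANY}, 22: {ADMIN_NET}},
    "mysql": {3306: {APP_NET}, 22: {ADMIN_NET}},
}

# Constructed current rules as (port, source CIDR), mirroring the ports in #15.
CURRENT_RULES = {
    "app":   [(443, "0.0.0.0/0"), (80, "0.0.0.0/0"), (22, "0.0.0.0/0")],
    "mysql": [(3306, "0.0.0.0/0"), (443, "0.0.0.0/0"),
              (80, "0.0.0.0/0"), (22, "203.0.113.0/24")],
}


def find_exposures(rules, baseline):
    """Return (server, port, source, reason) for every rule wider than baseline."""
    findings = []
    for server, entries in rules.items():
        allowed = baseline.get(server, {})
        for port, src in entries:
            net = ip_network(src)
            if port not in allowed:
                findings.append((server, port, src, "port not in baseline"))
            elif not any(net.subnet_of(a) for a in allowed[port]):
                findings.append((server, port, src, "source wider than baseline"))
    return findings


if __name__ == "__main__":
    for server, port, src, reason in find_exposures(CURRENT_RULES, BASELINE):
        print(f"{server}: port {port} from {src}: {reason}")
```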
#16: List your operating system, firewall, MySQL version and server location.
Answer:
1. Operating System: Ubuntu 20.04
2. Firewall: default firewall
3. MySQL version: MySQL 8
4. PHP version: PHP 8.1
5. Server location: Mumbai
#17: What database server are you using, and what type of encryption is employed for securing the data within that database?
Answer: We store our database on a secure server, use MySQL as our database, and use SHA2-based encryption that has been tested against SQL injection and other hacking techniques.
#18: Is the domain name of your website registered, and are the servers hosting it located in India?
Answer: Hosting: AWS Mumbai, India.
#19: Is there a Management Information System supporting internet insurance business operations that enables real-time connectivity with insurance core systems and is effectively isolated from other application systems, so that information security risks cannot be transmitted to or spread among insurers and intermediaries?
Answer: We use the Sibro application as our MIS and Policy Engine for insurer integration. All employees log in to Sibro for MIS purposes. The Policy Engine is an API system that provides real-time, single-window connectivity between broker systems and insurance core systems.
#20: How do you ensure that your website remains available 24/7 to users?
Answer: We have monitoring in place that alerts us when usage rises above expected levels, which lets us take timely scaling decisions.