• On IT Park operation
  • The Information Technology Park (Management and Operation) Directive, 2072 was approved by the Government of Nepal Cabinet on 2072/2/20.
  • The "Government of Nepal Information Technology System (Management and Operation) Directive 2071" was approved by the Government of Nepal (Cabinet) on 2071/11/10.

About IT Security Audit

The Department of Information Technology (DoIT) began IT system audits of government agencies following the letter of the OPMCM (Office of the Prime Minister and Council of Ministers) dated 2070/11/21, which referenced the decision of the ICT Development Project Steering Committee, chaired by Chief Secretary Mr. Lilamani Poudel, that "gave direction to Department of Information Technology (DoIT) to conduct Web site and Software Audit of all Ministries and report to OPMCM". On the basis of the decisions made on 2070/12/05, DoIT prepared the Preliminary ICT System Audit Framework for ICT audit. DoIT then circulated a letter dated 2071/02/04 to all Ministries of the Government of Nepal, performed an ICT Security Audit of all Ministries, and submitted the report to OPMCM in the first phase.

DoIT has delegated authority to its Training, Research and Development (TRD) Section to carry the security audit process further. The TRD Section has prepared a Web Application Security Audit Framework (based on various international practices and standards such as OWASP, the SANS Top 20, WASC and PCI DSS compliance) in order to establish its own standard for conducting security audits of the websites and web applications of all Ministries and Departments. The TRD Section circulated a letter dated 2072/05/06 to all Government Ministries and Departments to conduct web application and website security audits.

Standard Operating Procedures (SOP) for Website and Web Application Security Audit

The standard and framework used by DoIT are based on various international standards and practices such as the OWASP Top 10 application security risks, the SANS Top 20 software errors, PCI-DSS compliance, etc.

DoIT uses various open source tools (such as Nessus Vulnerability Scanner, nmap, Metasploit Framework, ZAP, OpenVAS, etc.) and commercial tools (such as Qualys Vulnerability Scanner and Acunetix Web Vulnerability Scanner) to conduct website/web application security audits.

DoIT has security audit experts holding qualifications such as CISA, ISO 27001:2013 Lead Auditor, CISSP, CEH, ECSA, etc.

DoIT follows this web security audit approach and methodology:

1. Pre-audit meeting

2. Preparation of audit scope

3. Selection and approval of audit team

4. Selection and approval of standard, framework and audit tools

5. Information gathering, fingerprinting and Google hacking

6. Attack surface analysis and risk assessment

7. Vulnerability scanning using automated tools

8. Risk classification and prioritization

9. Penetration testing using automated tools and a manual approach

10. Reporting and communicating

11. Re-assessment

DoIT uses all of its resources, as defined in clause 7, to conduct vulnerability assessment and penetration testing of websites and web applications.

During the security audit process, the audit team gathers proof of concept for each finding and communicates the audit issues to management.

Audit reports are prepared in the following format:

1. Background and overview

2. Executive summary

3. Audit scope

4. Audit approach and methodology

5. Audit findings and proof of concept

6. Recommendations for mitigation of risks

7. Conclusion

Security audit reports are submitted to the responsible ministries and departments.

The responsible ministries and departments mitigate the risks identified in the report and then send a request letter to DoIT for a re-audit.


Auditing the IT infrastructure of the various agencies of the Government of Nepal is one of DoIT's most important programmes. IT audit is an ongoing security process to check, evaluate and report the latest threats, vulnerabilities and risks of a system. The IT audit programme conducted by DoIT covers the following areas of audit:

1. Preliminary ICT Audit

2. Documentation and Policy Audit

3. Website, Web Application and Software System Audit

4. Hardware Audit

5. Vulnerability Assessment and Penetration Testing

6. Risk Assessment, etc.


Director General
Birendra Kumar Mishra