Is Audit IRCTC Project

The document presents an audit of the IRCTC online booking system, focusing on its effectiveness, security, and compliance with standards. Key findings highlight vulnerabilities in user authentication, payment processing, and system availability, with recommendations for improvements such as implementing multi-factor authentication and continuous vulnerability assessments. Overall, while the system is well-designed, it requires ongoing monitoring and updates to address identified risks.

Uploaded by dkgarg1011

Information System Audit of the IRCTC Railway Online Booking System

Submitted by: [Your Name]

Course/Institution: [Your Institution Name]

Date: June 2025


Table of Contents
1. Objectives

2. Scope of the Audit

3. Methodology

4. System Overview

5. Key Audit Areas

6. Sample Audit Findings

7. Recommendations

8. Conclusion

9. Appendices

1. Objectives
- To assess the effectiveness and security of the IRCTC online booking system.

- To identify vulnerabilities and risks in the system’s architecture and processes.

- To evaluate compliance with standards such as ISO 27001, DISA 3.0, and IT Act 2000.

- To recommend measures for improved data integrity, confidentiality, and availability.

2. Scope of the Audit

This audit covers the following components of the IRCTC online booking system:

- Online ticket booking process

- User authentication and access control

- Payment systems and financial transactions

- Server infrastructure and system availability

- Database security and data handling practices

- Third-party service integrations

3. Methodology
• Planning: Understand IRCTC’s system structure, stakeholders, and audit objectives.

• Risk Assessment: Identify potential internal and external risks.

• Control Evaluation: Assess technical, operational, and administrative controls.

• Data Collection: Interviews, system logs, penetration testing results, vulnerability scans.

• Reporting: Document findings, assess gaps, and recommend corrective actions.

4. System Overview
The IRCTC Online Booking System includes:

- User Registration & Login (OTP/email/password)

- Train Search & Availability

- Ticket Booking (Payment Gateway Integration)

- Cancellations & Refunds

- Tatkal & Premium Services

5. Key Audit Areas

- Authentication & Access Control

- Data Security

- Payment Gateway & Financial Transactions

- System Availability

- Change Management

- Log Management & Monitoring

- Third-party Risk

6. Sample Audit Findings

Area | Issue Found | Risk | Recommendation
Authentication | Password reset via email without MFA | Medium | Implement OTP-based verification
Payment Gateway | Non-tokenized card details in transit | High | Enforce full PCI DSS compliance
System Logs | No log retention policy | Medium | Implement a 90-day minimum retention
Server Uptime | Downtime during peak Tatkal hours | High | Add capacity + auto-scaling
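The OTP-based verification recommended for the Authentication finding above, shown as an added illustration (this is not code from the report or from IRCTC): the code is generated server-side, only its HMAC is stored, and each reset request is time-limited, attempt-limited and single-use. The 5-minute expiry, 5-attempt lock and 6-digit length are assumed policy values, not figures from the report.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed policy: code expires after 5 minutes
MAX_ATTEMPTS = 5        # assumed policy: lock the request after 5 wrong codes
SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret; load from a KMS/HSM in production

# In-memory store keyed by reset-request id; a real deployment would use a DB or cache.
_pending = {}


def _digest(request_id, code):
    # HMAC the code under a server secret so a leaked store does not reveal valid codes.
    return hmac.new(SERVER_KEY, f"{request_id}:{code}".encode(), hashlib.sha256).digest()


def start_reset(user_id, now=None):
    """Create a reset request and return (request_id, code).
    The code is sent to the user's verified phone/email out of band; only its HMAC is kept."""
    now = time.time() if now is None else now
    request_id = secrets.token_urlsafe(16)
    code = f"{secrets.randbelow(10**6):06d}"   # 6-digit numeric OTP, CSPRNG-generated
    _pending[request_id] = {"user": user_id, "mac": _digest(request_id, code),
                            "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    return request_id, code


def verify_reset(request_id, code, now=None):
    """Return the user id if the code is valid for this request, else None."""
    now = time.time() if now is None else now
    entry = _pending.get(request_id)
    if entry is None:
        return None
    if now > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
        _pending.pop(request_id, None)   # expired or locked: invalidate the request
        return None
    entry["attempts"] += 1
    # Constant-time comparison of HMACs, so timing does not leak partial matches.
    if not hmac.compare_digest(entry["mac"], _digest(request_id, code)):
        return None
    _pending.pop(request_id)             # success consumes the request (single-use)
    return entry["user"]
```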

7. Recommendations
- Adopt continuous vulnerability assessment and penetration testing (VAPT).

- Implement zero-trust security for user sessions.

- Enforce endpoint security for backend admin access.

- Ensure periodic IS audits and third-party risk reviews.

8. Conclusion
The IRCTC online booking system is robust in design but requires continuous monitoring,
regular audits, and implementation of modern security practices to handle large-scale usage
securely. This audit reveals that while key compliance frameworks are followed, some
critical gaps in user data protection and system availability must be addressed.

9. Appendices
• Screenshots of the IRCTC system (if permitted)

• Sample logs or mock penetration test results

• Audit checklist (custom based on COBIT/ISO)
