Security Audit

Mon, 17 Jul 2023 20:21:09 -0700

Project Setup

Summary

Perform an audit of Botium Toys’ cybersecurity program. The audit needs to align current business practices with industry standards and best practices. The audit is meant to provide mitigation recommendations for vulnerabilities found that are classified as “high risk,” and present an overall strategy for improving the security posture of the organization. The audit team needs to document their findings, provide remediation plans and efforts, and communicate with stakeholders.

Stakeholder Memorandum

Mon, 17 Jul 2023 21:04:23 -0700

Back to Security Audit

Stakeholder memorandum

TO: IT Manager, Stakeholders
FROM: Kazuhiro Funakoshi
DATE: 07/13/2023
SUBJECT: Internal IT Audit Findings and Recommendations

Dear Colleagues,

Please review the following information regarding the Botium Toys internal audit scope, goals, critical findings, summary and recommendations.

Scope

The following systems are in scope: accounting, endpoint detection, firewalls, intrusion detection system, security information and event management (SIEM) tool.
Ensure current user permissions, controls, procedures, and protocols in place align with necessary compliance requirements.

Compliance Checklist

Mon, 17 Jul 2023 21:00:47 -0700

Back to Security Audit

[ ] The Federal Energy Regulatory Commission - North American Electric Reliability Corporation (FERC-NERC)

The FERC-NERC regulation applies to organizations that work with electricity or that are involved with the U.S. and North American power grid. Organizations have an obligation to prepare for, mitigate, and report any potential security incident that can negatively affect the power grid. Organizations are legally required to adhere to the Critical Infrastructure Protection Reliability Standards (CIP) defined by the FERC.

Controls Assessment

Mon, 17 Jul 2023 20:52:21 -0700

Back to Security Audit

Controls Assessment

Current assets

Assets managed by the IT Department include:

On-premises equipment for in-office business needs
Employee equipment: end-user devices (desktops/laptops, smartphones), remote workstations, headsets, cables, keyboards, mice, docking stations, surveillance cameras, etc.
Management of systems, software, and services: accounting, telecommunication, database, security, ecommerce, and inventory management
Internet access
Internal network
Vendor access management
Data center hosting services
Data retention and storage
Badge readers
Legacy system maintenance: end-of-life systems that require human monitoring

Administrative Controls

Least Priviledge: Needs to be implemented; High
Preventative; reduces risk by making sure vendors and non-authorized staff only have access to the assets/data they need to do their jobs
Disaster recovery plans: Needs to be implemented; Medium
Corrective; business continuity to ensure systems are able to run in the event of an incident/there is limited to no loss of productivity downtime/impact to system components, including: computer room environment (air conditioning, power supply, etc.); hardware (servers, employee equipment); connectivity (internal network, wireless); applications (email, electronic data); data and restoration
Password policies: Needs to be implemented; Medium
Preventative; establish password strength rules to improve security/reduce likelihood of account compromise through brute force or dictionary attack techniques
Access control policies: Needs to be implemented; High
Preventative; increase confidentiality and integrity of data
Account management policies: Needs to be implemented; High
Preventative; reduce attack surface and limit overall impact from disgruntled/former employees
Separation of duties: Needs to be implemented; High
Preventative; ensure no one has so much access that they can abuse the system for personal gain

Technical Controls

Firewall: Preventative; firewalls are already in place to filter unwanted/malicious traffic from entering internal network
Intrusion Detection System (IDS): Detective; allows IT team to identify possible intrusions (e.g., anomalous traffic) quickly
Encryption: Needs to be implemented; Medium
Deterrent; makes confidential information/data more secure (e.g., website payment transactions)
Backups: Needs to be implemented; Medium
Corrective; supports ongoing productivity in the case of an event; aligns to the disaster recovery plan
Password management system: Needs to be implemented; Medium
Corrective; password recovery, reset, lock out notifications
Antivirus (AV) software: Needs to be implemented; High
Corrective; detect and quarantine known threats
Manual monitoring, maintenance, and intervention: Needs to be implemented; Medium
Preventative/corrective; required for legacy systems to identify and mitigate potential threats, risks, and vulnerabilities

Physical Controls

Time-controlled safe: Needs to be implemented; Low
Deterrent; reduce attack surface/impact of physical threats
Adequate lighting: Needs to be implemented; Low
Deterrent; limit “hiding” places to deter threats
Closed-circuit television (CCTV) surveillance: Needs to be implemented; High
Preventative/detective; can reduce risk of certain events; can be used after event for investigation
Locking cabinets (for network gear): Needs to be implemented; High
Preventative; increase integrity by preventing unauthorized personnel/individuals from physically accessing/modifying network infrastructure gear
Signage indicating alarm service provider: Needs to be implemented; Low
Deterrent; makes the likelihood of a successful attack seem low
Locks: Needs to be implemented; Low
Preventative; physical and digital assets are more secure
Fire detection and prevention (fire alarm, sprinkler system, etc.): Needs to be implemented; High
Detective/Preventative; detect fire in the toy store’s physical location to prevent damage to inventory, servers, etc.

Security Audit on My Portfolio

Security Audit

Project Setup

Summary

Stakeholder Memorandum

Stakeholder memorandum

Scope

Compliance Checklist

[ ] The Federal Energy Regulatory Commission - North American Electric Reliability Corporation (FERC-NERC)

Controls Assessment

Controls Assessment

Current assets

Administrative Controls

Technical Controls

Physical Controls