The audit project is to make sure the audit to aligns current business practices with industry standards and best practices. The audit is meant to provide mitigation recommendations for vulnerabilities found that are classified as “high risk,” and present an overall strategy for improving the security posture of the organization. The audit team documents the findings, provide remediation plans and efforts, and communicate with stakeholders.
| Control Name | Control type and explanation | Needs to be implemented | Priority |
|---|---|---|---|
| Least Privilege | Preventative; reduces risk by making sure vendors and non-authorized staff only have access to the assets/data they need to do their jobs | X | High |
| Disaster recovery plans | Corrective; business continuity to ensure systems are able to run in the event of an incident/there is limited to no loss of productivity downtime/impact to system components, including: computer room environment (air conditioning, power supply, etc.); hardware (servers, employee equipment); connectivity (internal network, wireless); applications (email, electronic data); data and restoration | X | High |
| Password policies | Preventative; establish password strength rules to improve security/reduce likelihood of account compromise through brute force or dictionary attack techniques | X | High |
| Access control policies | Preventative; increase confidentiality and integrity of data | X | High |
| Account management policies | Preventative; reduce attack surface and limit overall impact from disgruntled/former employees | X | High\ Medium |
| Separation of duties | Preventative; ensure no one has so much access that they can abuse the system for personal gain | X | High |
| Control Name | Control type and explanation | Needs to be implemented | Priority |
|---|---|---|---|
| Firewall | Preventative; firewalls are already in place to filter unwanted/malicious traffic from entering internal network | NA | NA |
| Intrusion Detection System (IDS) | Detective; allows IT team to identify possible intrusions (e.g., anomalous traffic) quickly | X | High |
| Encryption | Deterrent; makes confidential information/data more secure (e.g., website payment transactions) | X | High/ Medium |
| Backups | Corrective; supports ongoing productivity in the case of an event; aligns to the disaster recovery plan | X | High |
| Password management system | Corrective; password recovery, reset, lock out notifications | X | High\ Medium |
| Antivirus (AV) software | Corrective; detect and quarantine known threats | X | High |
| Manual monitoring, maintenance, and intervention | Preventative/corrective; required for legacy systems to identify and mitigate potential threats, risks, and vulnerabilities | X | High |
| Control Name | Control type and explanation | Needs to be implemented | Priority |
|---|---|---|---|
| Time-controlled safe | Deterrent; reduce attack surface/impact of physical threats | X | Medium/Low |
| Adequate lighting | Deterrent; limit “hiding” places to deter threats | X | Medium/Low |
| Closed-circuit television (CCTV) surveillance | Preventative/detective; can reduce risk of certain events; can be used after event for investigation | X | High/ Medium |
| Locking cabinets (for network gear) | Preventative; increase integrity by preventing unauthorized personnel/individuals from physically accessing/modifying network infrastructure gear | X | Medium |
| Signage indicating alarm service | Deterrent; makes the likelihood of a successful attack seem low | X | Low |
| provider | |||
| Locks | |||
| Preventative; physical and digital assets are more secure | X | High | |
| Fire detection and prevention (fire alarm, sprinkler system, etc.) | Detective/Preventative; detect fire in the toy store’s physical location to prevent damage to inventory, servers, etc. | X | Medium/Low |
-
Development of critical thinking
-
Understanding auditing frameworks
-
Up-to-date knowledge of threats and tactics
-
Ability to identify risky IT procedures
-
Ability to identify potential software and hardware vulnerabilities
-
Experience with risk management and mitigation
-
Technical skills required to assess the status of networks and systems
- Compliance checklist
-
Step 1: Access supporting materials
-
Step 2: Analyze the audit scope, goals, and risk assessment
-
Step 3: Conduct the audit: Controls assessment
-
Step 4: Conduct the audit: Compliance checklist
-
Step 5: Assess your activity