Conduct A Security Audit

The following guide will walk you through the process of conducting a security audit on your network. This guide will cover the steps you need to take to identify potential security vulnerabilities and provide recommendations for improving your network security.

Scenario - Botium Toys

This scenario is based on a fictional company:

Botium Toys is a small U.S. business that develops and sells toys. The business has a single physical location, which serves as their main office, a storefront, and warehouse for their products. However, Botium Toys' online presence has grown, attracting customers in the U.S. and abroad. As a result, their information technology (IT) department is under increasing pressure to support their online market worldwide.

The manager of the IT department has decided that an internal IT audit needs to be conducted. She's worried about maintaining compliance and business operations as the company grows without a clear plan. She believes an internal audit can help better secure the company’s infrastructure and help them identify and mitigate potential risks, threats, or vulnerabilities to critical assets. The manager is also interested in ensuring that they comply with regulations related to internally processing and accepting online payments and conducting business in the European Union (E.U.).

The IT manager starts by implementing the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), establishing an audit scope and goals, listing assets currently managed by the IT department, and completing a risk assessment. The goal of the audit is to provide an overview of the risks and/or fines that the company might experience due to the current state of their security posture.

Your task is to review the IT manager’s scope, goals, and risk assessment report. Then, perform an internal audit by completing a controls and compliance checklist.

Characteristics of Botium Toys

  • Single physical location
  • Growing online presence
  • Attracting customers in the U.S. and abroad
  • IT department under increasing pressure to support online market worldwide
  • Concerned about maintaining compliance and business operations as the company grows
  • Interested in ensuring compliance with regulations related to processing online payments and conducting business in the E.U.

Elements of a Security Audit

  1. Scope and Goals
  2. Risk Assessment
  3. Controls Assessment
  4. Compliance Assessment
  5. Reporting

Solution

note

Google provides a number of resources to help complete this project, which are not reproduced here as they are proprietary. The following solution is based on those provided materials.

1. Scope and Goals

Scope

Botium Toys is in a place of high growth and expansion. With a physical presence as well as a rapidly growing online presence, the company is at risk of potential security vulnerabilities. The scope of the audit will be vast, covering all aspects of the company's IT infrastructure, including the physical location, online presence, and compliance with regulations related to processing online payments and conducting business in the E.U. A review of all assets currently managed by the IT department will be conducted to identify potential risks, threats, or vulnerabilities to critical assets. This includes:

  • Network infrastructure
  • Systems and applications
  • Employee devices

Goals

The audit focuses on assessing existing assets and identifying potential risks, threats, or vulnerabilities through the completion of a controls and compliance checklist. The goal of the audit is to provide an overview of the risks and/or fines that the company might experience due to the current state of their security posture. The audit will also help better secure the company’s infrastructure and help them identify and mitigate potential risks, threats, or vulnerabilities to critical assets.

Current Assets Managed by IT Department

  • On-prem equipment (servers, switches, routers and other office equipment)
  • Employee devices (laptops, desktops, mobile devices, remote workstations, headsets, desk phones, displays, docking stations, surveillance cameras)
  • Storefront products and inventory - items for retail sale and warehouse inventory
  • Systems, software, and services: accounting software, inventory management software, customer relationship management (CRM) software, database, email, website, online store, payment processing, and shipping services
  • Internet access
  • Internal network
  • Customer data
  • Data retention policies and storage
  • Legacy systems

2. Risk Assessment

Risk description

Botium Toys is currently at risk due to inadequate asset management practices. Additionally, as the company grows and expands their online presence internationally, they are at risk of non-compliance with regulations related to processing online payments and conducting business in the E.U.

Control Best Practices

Based on the NIST Cybersecurity Framework, Botium Toys will need to allocate resources to identify a comprehensive list of assets currently managed by the IT department. This will help the company identify potential risks, threats, or vulnerabilities to critical assets.

Additionally, classifying the assets based on their criticality and the potential impact of a security incident will help the company prioritize their security efforts.

Risk Score

On a scale of 1-10, Botium Toys has a risk score of 7.5. This score is based on the company's current security posture and the potential risks, threats, or vulnerabilities to critical assets.

3. Controls Assessment

The controls assessment will be based on the completion of a controls and compliance checklist. The checklist will cover the following areas:

  • Network infrastructure
  • Systems and applications
  • Employee devices
  • Compliance with regulations related to processing online payments and conducting business in the E.U.

Controls and Compliance Checklist

To complete the controls assessment checklist, refer to the information provided in the scope, goals, and risk assessment report. For more details about each control, including the type and purpose, refer to the control categories document.

Then, select “yes” or “no” to answer the question: Does Botium Toys currently have this control in place?

Controls assessment checklist

| Yes | No | Control | Explanation |
|-----|----|---------|-------------|
|  | x | Least Privilege | At present, all employees have access to all systems and data. Data access must be limited to only those who require it. |
|  | x | Disaster recovery plans | No disaster recovery planning has been undertaken thus far. It is critical that a plan is put in place at the earliest opportunity. |
|  | x | Password policies | Presently, password policies are weak and not enforced. Strong password policies must be implemented. |
|  | x | Separation of duties | There is no separation of duties in place. This is a critical control that must be implemented, as payroll and day-to-day operations are run in-house by the CEO. |
| ✔ |  | Firewall | A firewall is in place and has strong ACLs and robust rules to protect the network. |
|  | x | Intrusion detection system (IDS) | There is no IDS in place. An IDS is critical to detect and respond to potential security threats. |
|  | x | Backups | There are no backups in place. Regular backups must be taken to ensure data can be recovered in the event of a disaster. |
| ✔ |  | Antivirus software | Antivirus software is in place and is updated regularly to protect against malware and other threats. |
|  | x | Manual monitoring, maintenance, and intervention for legacy systems | Listed amongst the company's assets are legacy systems. The systems are monitored and maintained, but are cared for at random intervals or when a system needs troubleshooting. Scheduling maintenance and monitoring tasks is recommended. |
|  | x | Encryption | Data encryption is not currently in place. Data encryption is critical to protect sensitive data from unauthorized access. |
|  | x | Password management system | There is no password management system in place. A password management system is critical to ensure strong password policies are enforced. |
| ✔ |  | Locks (offices, storefront, warehouse) | Locks are in place to secure the physical location of the business, including the retail store, office and warehouse. |
| ✔ |  | Closed-circuit television (CCTV) surveillance | CCTV surveillance is in place to monitor the physical location of the business. |
| ✔ |  | Fire detection/prevention (fire alarm, sprinkler system, etc.) | Fire detection and prevention systems are in place to protect the physical location of the business. |

To complete the compliance checklist, refer to the information provided in the scope, goals, and risk assessment report. For more details about each compliance regulation, review the controls, frameworks, and compliance reading.

Then, select “yes” or “no” to answer the question: Does Botium Toys currently adhere to this compliance best practice?

Compliance checklist

Payment Card Industry Data Security Standard (PCI DSS)

| Yes | No | Best practice | Explanation |
|-----|----|---------------|-------------|
|  | x | Only authorized users have access to customers’ credit card information. | Currently, all Botium employees have access to customer credit card information. |
|  | x | Credit card information is stored, accepted, processed, and transmitted internally, in a secure environment. | There is no encryption in place to protect credit card information at present, presenting a significant risk to Botium and their customers from a breach or data being captured and read by unauthorized parties. |
|  | x | Implement data encryption procedures to better secure credit card transaction touchpoints and data. | No encryption is in place to protect credit card information at present. |
|  | x | Adopt secure password management policies. | Password policies are weak and not enforced. Strong password policies must be implemented. |

General Data Protection Regulation (GDPR)

| Yes | No | Best practice | Explanation |
|-----|----|---------------|-------------|
|  | x | E.U. customers’ data is kept private/secured. | No encryption is in place to protect credit card information at present. |
| ✔ |  | There is a plan in place to notify E.U. customers within 72 hours if their data is compromised/there is a breach. |  |
|  | x | Ensure data is properly classified and inventoried. | Data is inventoried but not currently classified. |
| ✔ |  | Enforce privacy policies, procedures, and processes to properly document and maintain data. | Privacy policies are in place and are enforced. |

System and Organization Controls (SOC type 1, SOC type 2)

| Yes | No | Best practice | Explanation |
|-----|----|---------------|-------------|
|  | x | User access policies are established. | User access policies are not currently in place. There is no current implementation of least privilege or separation of duties. |
|  | x | Sensitive data (PII/SPII) is confidential/private. | Sensitive data is not currently encrypted. This should be implemented immediately to better ensure the confidentiality of PII/SPII. |
| ✔ |  | Data integrity ensures the data is consistent, complete, accurate, and has been validated. | Data is available to individuals authorized to access it. |
|  | x | Data is available to individuals authorized to access it. | Data is available to individuals authorized to access it; however, it should be limited to only be accessible by those who require it. |

4. Compliance Assessment

Currently, Botium Toys does not have the following controls in place or adhere to the following compliance best practices, and will need to take immediate action to address these issues:

  • Least Privilege
  • Disaster recovery plans
  • Password policies
  • Separation of duties
  • Intrusion detection system (IDS)
  • Backups
  • Manual monitoring, maintenance, and intervention for legacy systems
  • Encryption
  • Password management system
  • Only authorized users have access to customers’ credit card information
  • Credit card information is stored, accepted, processed, and transmitted internally, in a secure environment
  • Implement data encryption procedures to better secure credit card transaction touchpoints and data
  • Adopt secure password management policies
  • E.U. customers’ data is kept private/secured
  • Ensure data is properly classified and inventoried
  • User access policies are established
  • Sensitive data (PII/SPII) is confidential/private
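As an added example (not part of the original write-up or the course materials), the script below encodes the controls checklist and the compliance best practices from the tables above and derives the gap list and a remediation priority from them. Names are shortened from the tables, and the mapping of which missing control causes which compliance failure is an assumption drawn from the explanation column of the compliance checklist.

```python
# Gap analysis over the Botium Toys checklists. Added example, not part of the
# original write-up: names are shortened from the tables above, and the mapping
# of which missing control causes which compliance failure is an assumption
# drawn from the explanation column of the compliance checklist.
from collections import defaultdict

# Controls assessment: True = control in place (values taken from the table above).
CONTROLS = {
    "Least Privilege": False,
    "Disaster recovery plans": False,
    "Password policies": False,
    "Separation of duties": False,
    "Firewall": True,
    "Intrusion detection system (IDS)": False,
    "Backups": False,
    "Antivirus software": True,
    "Encryption": False,
    "Password management system": False,
}

# (framework, best practice) -> controls it depends on (assumed mapping).
BEST_PRACTICES = {
    ("PCI DSS", "Only authorized users can access credit card data"): ["Least Privilege"],
    ("PCI DSS", "Credit card data handled in a secure environment"): ["Encryption"],
    ("PCI DSS", "Data encryption procedures implemented"): ["Encryption"],
    ("PCI DSS", "Secure password management policies adopted"):
        ["Password policies", "Password management system"],
    ("GDPR", "E.U. customers' data is kept private/secured"): ["Encryption"],
    ("SOC", "User access policies are established"): ["Least Privilege", "Separation of duties"],
    ("SOC", "Sensitive data (PII/SPII) is confidential/private"): ["Encryption"],
}


def failing_best_practices(controls=CONTROLS, practices=BEST_PRACTICES):
    """Best practices that fail because at least one required control is missing."""
    return sorted(key for key, required in practices.items()
                  if any(not controls[c] for c in required))


def remediation_priority(controls=CONTROLS, practices=BEST_PRACTICES):
    """Missing controls ranked by how many failing best practices each one blocks.
    Gaps with no compliance mapping (e.g. Backups) stay in the list with count 0."""
    blocks = defaultdict(int, {c: 0 for c, ok in controls.items() if not ok})
    for required in practices.values():
        for c in required:
            if not controls[c]:
                blocks[c] += 1
    return sorted(blocks.items(), key=lambda item: (-item[1], item[0]))
```

With the checklist values above, Encryption ranks first because its absence fails four of the seven mapped best practices, which matches the weight the reporting section gives to data encryption.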

5. Reporting

Botium Toys faces significant risks due to inadequate asset management, lack of security controls, and non-compliance with key regulations and frameworks such as PCI DSS, GDPR, and SOC. The audit has identified critical vulnerabilities, including insufficient data encryption, weak password policies, lack of disaster recovery plans, and the absence of intrusion detection systems.

Key Recommendations:

  • Implement Least Privilege Access: Limit employee access to sensitive systems and data.
  • Establish Strong Password Policies: Enforce strict password management practices and adopt a password management system.
  • Enhance Data Security: Encrypt sensitive data, including customer information, especially for online payments and compliance with GDPR.
  • Deploy Disaster Recovery and Backup Systems: Develop and implement disaster recovery plans and ensure regular data backups.
  • Improve Network Security: Install an intrusion detection system (IDS) and enforce monitoring for legacy systems.

Addressing these vulnerabilities will significantly reduce Botium Toys’ risk exposure and enhance their security posture as the company grows.