Challenge Rating: 1
Skills: Security Analyst+1
In today’s interconnected world, cybersecurity is of utmost importance for businesses of all sizes. The ever-evolving threat landscape necessitates a proactive approach to safeguarding sensitive data and protecting against potential cyberattacks. A cybersecurity audit serves as a vital tool to assess and enhance the security posture of an organization. By following these five simple steps, you can effectively perform a cybersecurity audit to identify vulnerabilities, fortify defenses, and ensure robust protection against cyber threats.
Security Audit
Scenario
This scenario is based on a fictional company:
Botium Toys is a small U.S. business that develops and sells toys. The business has a single physical location. However, its online presence has grown, attracting customers in the U.S. and abroad. Their information technology (IT) department is under increasing pressure to support their online market worldwide.
The manager of the IT department has decided that an internal IT audit needs to be conducted. She expresses concerns about not having a solidified plan of action to ensure business continuity and compliance, as the business grows. She believes an internal audit can help better secure the company’s infrastructure and help them identify and mitigate potential risks, threats, or vulnerabilities to critical assets. The manager is also interested in ensuring that they comply with regulations related to accepting online payments and conducting business in the European Union (E.U.).
The IT manager starts by implementing the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), establishing an audit scope and goals, and completing a risk assessment. The goal of the audit is to provide an overview of the risks the company might experience due to the current state of their security posture. The IT manager wants to use the audit findings as evidence to obtain approval to expand his department.
Your task is to review the IT manager’s scope, goals, and risk assessment. Then, perform an internal audit to complete a controls assessment and compliance checklist.
Step 1:
Understanding what the company’s scope and goals are.
Botium Toys: Audit scope and goals
Summary: Perform an audit of Botium Toys’ cybersecurity program. The audit needs to align current business practices with industry standards and best practices. The audit is meant to provide mitigation recommendations for vulnerabilities found that are classified as “high risk,” and present an overall strategy for improving the security posture of the organization. The audit team needs to document their findings, provide remediation plans and efforts, and communicate with stakeholders.
Scope:
Botium Toys’ internal IT audit will assess the following:
-
- Current user permissions are set in the following systems: accounting, endpoint detection, firewalls, intrusion detection system, security information, and event management (SIEM) tool.
-
- Current implemented controls in the following systems: accounting, endpoint detection, firewalls, intrusion detection system, Security Information, and Event Management (SIEM) tool.
-
- Current procedures and protocols are set for the following systems: accounting, endpoint detection, firewall, intrusion detection system, Security Information, and Event Management (SIEM) tool.
-
- Ensure current user permissions, controls, procedures, and protocols in place align with necessary compliance requirements.
-
- Ensure current technology is accounted for. Both hardware and system access.
Goals:
The goals for Botium Toys’ internal IT audit are:
-
- To adhere to the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)
-
- Establish a better process for their systems to ensure they are compliant.
-
- Fortify system controls.
-
- Implement the concept of least permissions when it comes to user credential management.
-
- Establish their policies and procedures, which includes their playbooks.
-
- Ensure they meet compliance requirements.
Step 2:
Understanding the following Risk Assessment
Botium Toys: Risk assessment
Current assets
Assets managed by the IT Department include:
-
- On-premises equipment for in-office business needs
-
- Employee equipment: end-user devices (desktops/laptops, smartphones), remote workstations, headsets, cables, keyboards, mice, docking stations, surveillance cameras, etc.
-
- Management of systems, software, and services: accounting, telecommunication, database, security, e-commerce, and inventory management
-
- Internet access
-
- Internal network
-
- Vendor access management
-
- Data center hosting services
-
- Data retention and storage
-
- Badge readers
-
- Legacy system maintenance: end-of-life systems that require human monitoring.
Risk description
Currently, there is inadequate management of assets. Additionally, Botium Toys does not have the proper controls in place and may not be compliant with U.S. and international regulations and standards.
Control best practices
The first of the five functions of the NIST CSF is Identify. Botium Toys will need to dedicate resources to managing assets. Additionally, they will need to determine the impact of the loss of existing assets, including systems, on business continuity.
Risk score
On a scale of 1 to 10, the risk score is 8, which is fairly high. This is due to a lack of controls and adherence to necessary compliance regulations and standards.
Additional comments
The potential impact from the loss of an asset is rated as medium, because the IT department does not know which assets would be lost. The likelihood of a lost asset or fines from governing bodies is high because Botium Toys does not have all of the necessary controls in place and is not adhering to required regulations and standards related to keeping customer data private.
Step 3:
Conduct a Control Assessment
Current assets
Assets managed by the IT Department include:
-
- On-premises equipment for in-office business needs
-
- Employee equipment: end-user devices (desktops/laptops, smartphones), remote workstations, headsets, cables, keyboards, mice, docking stations, surveillance cameras, etc.
-
- Management of systems, software, and services: accounting, telecommunication, database, security, e-commerce, and inventory management
-
- Internet access
-
- Internal network
-
- Vendor access management
-
- Data center hosting services
-
- Data retention and storage
-
- Badge readers
-
- Legacy system maintenance: end-of-life systems that require human monitoring
Administrative Controls | |||
Control Name | Control type and explanation | Needs to be implemented (X) | Priority |
Least Privilege | Preventative; reduces risk by making sure vendors and non-authorized staff only have access to the assets/data they need to do their jobs | X | High |
Disaster recovery plans | Corrective; business continuity to ensure systems are able to run in the event of an incident/there is limited to no loss of productivity downtime/impact to system components, including: computer room environment (air conditioning, power supply, etc.); hardware (servers, employee equipment); connectivity (internal network, wireless); applications (email, electronic data); data and restoration | X | High |
Password policies | Preventative; establish password strength rules to improve security/reduce likelihood of account compromise through brute force or dictionary attack techniques | X | High |
Access control policies | Preventative; increase confidentiality and integrity of data | X | High |
Account management policies | Preventative; reduce attack surface and limit overall impact from disgruntled/former employees | X | High/ Medium |
Separation of duties | Preventative; ensure no one has so much access that they can abuse the system for personal gain | X | High |
Technical Controls | |||
Control Name | Control type and explanation | Needs to be implemented. (X) | Priority |
Firewall | Preventative: firewalls are already in place to filter unwanted/malicious traffic from entering internal network | NA | NA |
Intrusion Detection System (IDS) | Detective: allows IT team to identify possible intrusions (e.g., anomalous traffic) quickly | X | High |
Encryption | Deterrent; makes confidential information/data more secure (e.g., website payment transactions) | X | High/ Medium |
Backups | Corrective; supports ongoing productivity in the case of an event; aligns to the disaster recovery plan | X | High |
Password management system | Corrective: password recovery, reset, lock out notifications | X | High/ Medium |
Antivirus (AV) software | Corrective; detect and quarantine known threats | X | High |
Manual monitoring, maintenance, and intervention | Preventative/corrective; required for legacy systems to identify and mitigate potential threats, risks, and vulnerabilities | X | High |
Physical Controls | |||
Control Name | Control type and explanation | Needs to be implemented. (X) | Priority |
Time-controlled safe | Deterrent; reduce attack surface/impact of physical threats | X | Medium/ Low |
Adequate lighting | Deterrent: limit “hiding” places to deter threats | X | Medium/ Low |
Closed-circuit television (CCTV) surveillance | Preventative/detective; can reduce risk of certain events; can be used after event for investigation | X | High/ Medium |
Locking cabinets (for network gear) | Preventative: increase integrity by preventing unauthorized personnel/individuals from physically accessing/modifying network infrastructure gear | X | Medium |
Signage indicating alarm service provider | Deterrent: makes the likelihood of a successful attack seem low | X | Low |
Locks | Preventative: physical and digital assets are more secure | X | High |
Fire detection and prevention (fire alarm, sprinkler system, etc.) | Detective/Preventative; detect fire in the toy store’s physical location to prevent damage to inventory, servers, etc. | X | Medium/ Low |
Step 4:
Conduct Compliance checklist
Compliance checklist
The Federal Energy Regulatory Commission – North American Electric
Reliability Corporation (FERC-NERC)
This regulation applies to organizations that work with electricity or that are involved with the U.S. and North American power grid. Organizations have an obligation to prepare for, mitigate, and report any potential security incident that can negatively affect the power grid. Organizations are legally required to adhere to the Critical Infrastructure Protection Reliability Standards (CIP) defined by the Federal Energy Regulatory Commission (FERC).
Explanation: NA
__X__ General Data Protection Regulation (GDPR)
GDPR is a European Union (E.U.) general data regulation that protects the processing of E.U. citizens’ data and their right to privacy in and out of E.U. territory. Additionally, if a breach occurs and a E.U. citizen’s data is compromised, they must be informed within 72 hours of the incident.
Explanation: Botium Toys needs to obey the GDPR because they conduct business /collect personal information from people worldwide, including the E.U.
__X__ Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is an international security standard meant to ensure that organizations storing, accepting, processing, and transmitting credit card information do so in a secure environment.
Explanation: Botium Toys needs to follow the PCI DSS because they store, accept, process, and transmit credit card information both in person and online.
_____ The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is a federal law established in 1996 to protect U.S. patients’ health information. This law prohibits patient information from being shared without their consent. Organizations have a legal obligation to inform patients of a breach.
Explanation: NA
__X__ System and Organizations Controls (SOC type 1, SOC type 2)
The SOC1 and SOC2 are a series of reports that focus on an organization’s user access policies at different organizational levels. They are used to assess an organization’s financial compliance and levels of risk. They also cover confidentiality, privacy, integrity, availability, security, and overall data safety. Control failures in these areas can lead to fraud.
Explanation: Botium Toys needs to establish/enforce correct user access for internal and external (third-party vendor) personnel to mitigate risk and ensure data safety.
Step 5:
Communicate results and recommendations to Stakeholders.
TO: IT Manager, Stakeholders
FROM: Shane Womboldt
DATE: July 12, 2023
SUBJECT: Internal IT Audit Findings and Recommendations
Dear Colleagues,
Please review the following information regarding the Botium Toys internal audit scope, goals, critical findings, summary and recommendations.
Scope:
-
- The following systems are in scope: accounting, end point detection, firewalls, intrusion detection system, SIEM tool. The systems will be evaluated for:
- Current user permissions
- Current implemented controls
-
- Current procedures and protocols
- The following systems are in scope: accounting, end point detection, firewalls, intrusion detection system, SIEM tool. The systems will be evaluated for:
-
- Ensure current user permissions, controls, procedures, and protocols in place align with PCI DSS and GDPR compliance requirements.
-
- Ensure current technology is accounted for both hardware and system access.
Goals:
-
- Adhere to the NIST CSF.
-
- Establish a better process for their systems to ensure they are compliant.
-
- Fortify system controls.
-
- Adapt to the concept of least permissions when it comes to user credential management.
-
- Establish their policies and procedures, which includes their playbooks.
-
- Ensure they meet compliance requirements.
Critical findings (must be addressed immediately):
-
- Multiple controls need to be developed and implemented to meet the audit goals, including:
- Control of Least Privilege and Separation of Duties
- Disaster recovery plans
- Password, access control, and account management policies, including the implementation of a password management system
- Encryption (for secure website transactions)
- IDS
- Backups
- AV software
- CCTV
- Locks
- Manual monitoring, maintenance, and intervention for legacy systems
-
- Fire detection and prevention systems
- Multiple controls need to be developed and implemented to meet the audit goals, including:
-
- Policies need to be developed and implemented to meet PCI DSS and GDPR compliance requirements.
-
- Policies need to be developed and implemented to align to SOC1 and SOC2 guidance related to user access policies and overall data safety.
Findings (should be addressed, but no immediate need):
-
- The following controls should be implemented when possible:
- Time-controlled safe
- Adequate lighting
- Locking cabinets
-
- Signage indicating alarm service provider.
- The following controls should be implemented when possible:
Summary/Recommendations:
It is crucial to promptly address critical findings related to compliance with PCI DSS and GDPR, considering that Botium Toys accepts online payments from customers worldwide, including the E.U. In line with the concept of least permissions, it is recommended to utilize SOC1 and SOC2 guidance to develop appropriate policies and procedures concerning user access policies and overall data safety. To ensure business continuity in the event of an incident, it is essential to have disaster recovery plans and backups in place. Enhancing the current systems with an Intrusion Detection System (IDS) and Anti-Virus (AV) software will support the identification and mitigation of potential risks, particularly with regards to intrusion detection, as the existing legacy systems require manual monitoring and intervention. To bolster security measures at Botium Toys’ physical location, it is advised to implement locks, CCTV surveillance, and investigate potential threats. While not immediately necessary, additional measures such as encryption, time-controlled safes, adequate lighting, locking cabinets, fire detection and prevention systems, and signage indicating the alarm service provider will further enhance the overall security posture of Botium Toys.
*Scenario laid out by Coursera’s “Google Cybersecurity Certification.”