
Company ABC – Observations and Risks

Materiality Potential Key:
• Immediate corrective action required.
• Corrective action plan needs to be formalized.

Project Management Controls
(Columns: # | Observation | Suggested Actions To Be Taken | Materiality Potential | Auditor | Date)

1. Observation: Firewall administration and operations weaknesses:
   • There is no documented firewall/intrusion detection strategy.
   • Firewall Change Management is not properly documented. The implicit approval documentation had not been formalized or approved at the time of this review.
   • The OS currently installed on the firewall is 6.2, one version behind the most recent available version.
   • The firewall alert features are disengaged.
   • The firewall timeout features have been set at 8 hours.
   • Firewall activity logs are available but are only reviewed when there is a problem that needs to be diagnosed.

   Suggested Actions To Be Taken: The overall methodology and functionality of the firewall utilization needs to be:
   1. Developed
   2. Documented
   3. Implemented
   4. Monitored
   5. Updated
   6. Periodically Tested

   Reference materials:
   • Cisco Network Security: Best Practices White Paper
   • NIST SP 800-41, Guidelines on Firewalls and Firewall Policy
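The firewall finding lists concrete, checkable conditions (alerting off, an 8-hour timeout, a version one release behind, logs read only reactively). The script below is an added example, not part of the audit report or of any Cisco or NIST material: it evaluates a constructed configuration snapshot against an assumed baseline and runs the kind of scheduled deny-log review that action items 4 (Monitored) and 6 (Periodically Tested) call for. The snapshot keys, the baseline thresholds, the "6.3" latest version and the syslog-style log format are all assumptions made for the illustration.

```python
"""Firewall control posture check and scheduled log review.

Added example. The configuration snapshot, baseline values and log lines are
constructed for illustration and are not taken from the audited firewall.
"""
import re
from collections import Counter

# Constructed snapshot of the firewall's running state (hypothetical keys).
FIREWALL_SNAPSHOT = {
    "os_version": "6.2",
    "alerting_enabled": False,
    "session_timeout_hours": 8,
    "change_approval_documented": False,
    "log_review_interval_days": None,  # None: logs reviewed only when a problem arises
}

# Assumed review baseline (not from the audit report).
LATEST_AVAILABLE_VERSION = "6.3"
MAX_SESSION_TIMEOUT_HOURS = 1
MAX_LOG_REVIEW_INTERVAL_DAYS = 7


def parse_version(version):
    """Turn '6.2' into (6, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def check_posture(snapshot, latest_version=LATEST_AVAILABLE_VERSION,
                  max_timeout_hours=MAX_SESSION_TIMEOUT_HOURS,
                  max_review_days=MAX_LOG_REVIEW_INTERVAL_DAYS):
    """Return one finding string per control that fails its check."""
    findings = []
    if parse_version(snapshot["os_version"]) < parse_version(latest_version):
        findings.append(f"os_version: {snapshot['os_version']} is behind {latest_version}")
    if not snapshot["alerting_enabled"]:
        findings.append("alerting: alert features are disabled")
    if snapshot["session_timeout_hours"] > max_timeout_hours:
        findings.append(f"session_timeout: {snapshot['session_timeout_hours']}h "
                        f"exceeds {max_timeout_hours}h")
    if not snapshot["change_approval_documented"]:
        findings.append("change_management: approvals are not documented")
    interval = snapshot["log_review_interval_days"]
    if interval is None or interval > max_review_days:
        findings.append("log_review: logs are not reviewed on a schedule")
    return findings


# Constructed firewall activity log lines (hypothetical syslog-style format;
# addresses are from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Jan 17 09:01:02 fw1 DENY tcp 203.0.113.5:51022 -> 192.0.2.10:22
Jan 17 09:01:03 fw1 DENY tcp 203.0.113.5:51023 -> 192.0.2.10:23
Jan 17 09:01:04 fw1 DENY tcp 203.0.113.5:51024 -> 192.0.2.10:3389
Jan 17 09:02:10 fw1 ALLOW tcp 198.51.100.7:44310 -> 192.0.2.10:443
Jan 17 09:03:15 fw1 DENY udp 198.51.100.9:5353 -> 192.0.2.255:5353
"""

LOG_LINE = re.compile(
    r"\b(?P<action>DENY|ALLOW)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def review_log(text, deny_threshold=3):
    """Count denied connections per source and flag sources at or above the threshold.

    Returns (Counter of denies by source, sorted list of flagged sources).
    """
    denies = Counter()
    for line in text.splitlines():
        match = LOG_LINE.search(line)
        if match and match.group("action") == "DENY":
            denies[match.group("src")] += 1
    flagged = sorted(src for src, count in denies.items() if count >= deny_threshold)
    return denies, flagged


if __name__ == "__main__":
    for finding in check_posture(FIREWALL_SNAPSHOT):
        print("FINDING:", finding)
    denies, flagged = review_log(SAMPLE_LOG)
    print("deny counts:", dict(denies))
    print("sources to follow up:", flagged)
```

Run on a weekly schedule, `check_posture` turns the audit's six action items into a repeatable test rather than a one-time review, and `review_log` gives the periodic log review the finding says is missing; the thresholds are deliberately parameters so the reviewer, not the script, decides what "behind" or "too many denies" means.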

2. Observation: The control process that reviews and confirms PROCESS ABC access is not properly functioning. While recent management controls have improved control procedures, individual user access continues to be based upon inaccurate and outdated employee profiles. PROCESS ABC job duty functions set up prior to June 1 allow some employees access to a combination of program functions that do not always provide a proper separation of duties and may not be appropriately based upon job responsibility.

   Suggested Actions To Be Taken: A formalized and documented project plan for the conversion and continuing maintenance of the PROCESS ABC user IDs needs to be developed, approved, and implemented.
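The second finding is about two distinct problems: profiles that no longer match the HR roster, and users holding combinations of functions that break separation of duties. The script below is an added example, not part of the audit report or of PROCESS ABC: it runs both checks over a constructed access export, a constructed HR roster and a constructed list of conflicting function pairs. The user names, function names and conflict pairs are assumptions chosen for the illustration.

```python
"""Separation-of-duties and stale-profile review over a user access export.

Added example. Users, functions, roster and conflict pairs are constructed for
illustration and are not from the audited PROCESS ABC system.
"""
from itertools import combinations

# Constructed access export: user ID -> set of program functions granted.
ACCESS_PROFILES = {
    "alice": {"vendor_maintenance", "invoice_entry"},
    "bob":   {"invoice_entry", "payment_release"},
    "carol": {"invoice_entry"},
    "dave":  {"vendor_maintenance", "payment_release", "bank_reconciliation"},
}

# Constructed HR roster of active employees: user ID -> job title.
# "dave" has left but still has an access profile above.
HR_ROSTER = {
    "alice": "AP clerk",
    "bob": "AP clerk",
    "carol": "AP clerk",
}

# Constructed conflict matrix: pairs of functions one person should not hold together.
TOXIC_PAIRS = {
    frozenset({"vendor_maintenance", "payment_release"}),
    frozenset({"invoice_entry", "payment_release"}),
    frozenset({"payment_release", "bank_reconciliation"}),
}


def sod_conflicts(profiles, toxic_pairs):
    """Return {user: sorted list of (function, function) pairs that conflict}."""
    conflicts = {}
    for user, functions in profiles.items():
        hits = []
        for pair in combinations(sorted(functions), 2):
            if frozenset(pair) in toxic_pairs:
                hits.append(pair)
        if hits:
            conflicts[user] = sorted(hits)
    return conflicts


def stale_profiles(profiles, roster):
    """Users who still have an access profile but no active HR record."""
    return sorted(set(profiles) - set(roster))


def review(profiles=ACCESS_PROFILES, roster=HR_ROSTER, toxic_pairs=TOXIC_PAIRS):
    """Combine both checks into one report dict for the access reviewer."""
    return {
        "sod_conflicts": sod_conflicts(profiles, toxic_pairs),
        "stale_profiles": stale_profiles(profiles, roster),
    }


if __name__ == "__main__":
    report = review()
    for user, pairs in report["sod_conflicts"].items():
        for a, b in pairs:
            print(f"SoD conflict: {user} holds both {a} and {b}")
    for user in report["stale_profiles"]:
        print(f"stale profile: {user} is not on the active HR roster")
```

Keeping the conflict matrix as data rather than hard-coding the rules lets the business owners of PROCESS ABC maintain it alongside the job-duty definitions, which is what the suggested project plan for "continuing maintenance of the user IDs" needs in practice.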

1 01/17/10

3. Observation: Overall documentation of D/R and recovery procedures remains incomplete and outdated. A business impact analysis and disaster recovery planning have not been performed in some time. Current network systems and architecture have changed, but the documentation has not been updated. Documentation of a recent PROCESS ABC restore was saved to disk but later found to be corrupted.

   Suggested Actions To Be Taken: A formalized, documented and tested project plan of the D/R and recovery procedures needs to be developed, approved, tested, and implemented.

4. Observation: Current Change Management processes are not adequately documented. While recent management controls have improved control procedures, there was not enough change management activity in PROCESS ABC applications or the general IT infrastructure to properly test. In addition, the implicit approval documentation had not been formalized or approved at the time of this review.

   Suggested Actions To Be Taken: A formalized and documented overall Information Technology Change Management process needs to be developed, approved, and implemented. Additionally, a formalized and documented project plan of the Change Management processes needs to be developed, tested, and implemented.
