Red: Unsatisfactory
Table of Contents
S.no Topic Pg.no
1 Executive Summary
4 Appendices
Audit of (Name)
1. Executive Summary
1.1. Background
Page 2 of 9
1.2. Objective and Scope
1.3. Limitation of Scope
1.4. Number of Observations
Major 2 2
Moderate 0 0
Minor 0 0
Total 3 3
1.5. Conclusion
2. Detailed findings and recommendations
Each finding is recorded under the columns Finding / Risk; Recommendations / Management Action Plan; Owner / Timing; Risk Rating.
1. User Access

Statement of Condition:
Security staff and application owners did not periodically review user access authorizations to ensure that users' levels of access to the computers were appropriate.

Criteria:
The organization's governing policy requires security staff or personnel to obtain written documentation and approval from the supervisor before allowing users access to the computers.

Cause:
The organization did not have reports of user access authority. Although there is functionality that revokes user access after 15 days, the data from the database was not deleted. The reason is that there is no source of frequent communication or reports from employers to security staff telling which employee is terminated or when they leave.

Risk:
There is no assurance that user access was assigned to the right personnel. This increases the risk of unauthorized access, during which data can be altered or destroyed.

Recommendation:
Federal agency supervisors should ensure that policies are developed and implemented which ensure that if a user leaves the organization or is terminated, their data is deleted. And if someone wants to access the system with a higher level of access, they should have an application or approval from a higher authority confirming that the access is appropriate.

Owner: Will Smith
Timing: 20-6-2022
authorized access.

Owner: Will Smith
Timing: 18-6-2022

Criteria:
According to federal agency management criteria, the agency is asked to test its application, as well as whether it has a major backup and access to stored backups in case of disaster. To check this, the policy needs to be reinvoked.

Cause:
The agency had a plan to check whether the application/system has any disaster control plan. Testers were asked to test the plan, but as the system was under changes due to some bugs that were discovered in 2021, the plan to test the system was dropped and the disaster recovery system was not checked or tested.

Risk:
There is an increased risk that the system will not be able to provide reliability, as it cannot resume from the point where the failure occurred.
3. Access to admin computer

session fail exception was not working if a user is inactive for 15 days. The system highly relies on passwords and IDs, and if an unauthorized person can gain access, they can modify the files or data.

Recommendation:
policy.

Owner: Will Smith
Timing: 17-6-2022

Criteria:
According to "The Automated Information Systems Security Handbook", passwords should be changed every 90 days. Users with sensitive data access privileges should change their passwords within 30 days.

Cause:
The agency has no policy that trains people about these sensitive issues that can lead to big disasters. The security packages, on the other hand, are not updated; updated packages would notify users that they need to change their password.

Risk:
The effectiveness of the password as a control has been diminished, which increases the risk of unauthorized access to sensitive information.
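As an added example that is not part of the report, the access-review checks implied by findings 1 and 3 (deletion of leavers' data, the 15-day inactivity revocation, and the 90/30-day password age criteria) written as a script an auditor could run over an account export; the account fields, exception codes and sample data are constructed assumptions, not the audited agency's own.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds taken from the report's findings.
INACTIVITY_REVOKE_DAYS = 15           # findings 1 and 3: access revoked after 15 idle days
PASSWORD_MAX_AGE_DAYS = 90            # finding 3 criteria: change passwords every 90 days
SENSITIVE_PASSWORD_MAX_AGE_DAYS = 30  # finding 3 criteria: 30 days for sensitive-data access

@dataclass
class Account:
    user: str
    access_enabled: bool
    last_login: date
    password_changed: date
    sensitive_access: bool
    data_deleted: bool  # whether the user's data was purged from the database

def review_access(accounts, terminated_users, today):
    """Return (user, code, detail) exceptions for the audit working papers."""
    exceptions = []
    for a in accounts:
        if a.user in terminated_users:
            # Finding 1: leavers must lose access and have their data deleted.
            if a.access_enabled:
                exceptions.append((a.user, "TERMINATED_ACCESS_ENABLED", "leaver still enabled"))
            if not a.data_deleted:
                exceptions.append((a.user, "TERMINATED_DATA_RETAINED", "leaver data not deleted"))
            continue  # the remaining checks apply to current staff only
        if not a.access_enabled:
            continue
        idle = (today - a.last_login).days
        if idle > INACTIVITY_REVOKE_DAYS:
            # Finding 3: the 15-day inactivity revocation did not fire.
            exceptions.append((a.user, "INACTIVE_NOT_REVOKED", f"idle {idle} days"))
        limit = SENSITIVE_PASSWORD_MAX_AGE_DAYS if a.sensitive_access else PASSWORD_MAX_AGE_DAYS
        age = (today - a.password_changed).days
        if age > limit:
            exceptions.append((a.user, "PASSWORD_OVERDUE", f"{age} days old, limit {limit}"))
    return exceptions

# Constructed sample data (not from the report): HR leaver list and access export.
REVIEW_DATE = date(2022, 6, 1)
TERMINATED_USERS = {"bob", "dave"}
SAMPLE_ACCOUNTS = [
    Account("alice", True, date(2022, 5, 30), date(2022, 4, 15), False, False),  # compliant
    Account("bob", False, date(2022, 3, 1), date(2022, 1, 1), False, False),     # revoked, data kept
    Account("carol", True, date(2022, 5, 1), date(2022, 4, 20), True, False),    # idle, stale password
    Account("dave", True, date(2022, 5, 25), date(2022, 3, 1), False, True),     # leaver still enabled
]
```

Running `review_access(SAMPLE_ACCOUNTS, TERMINATED_USERS, REVIEW_DATE)` yields one exception for bob, two for carol and one for dave; the HR leaver list is the "report from employers" whose absence finding 1 names as the root cause.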
3. Report Discussion and Distribution
3.1. People interviewed during the audit
An initial meeting with Mr. Zubair was held to discuss the scope of the audit and initial information
request. During the audit, the following people were interviewed:
3.5. Reporting Distribution
To: Assad Iqbal – Business Owner
4. Appendices
4.1. Individual Findings Rating Criteria
Rating: Significant Control Weakness (Major). Timely corrective action required.
Finding: There is a significant weakness in controls. The system is not able to give reliability as it cannot resume from the place where the failure occurred.
Recommendation: Develop a backup plan and ensure that the storage plan is tested and secure.
Owner: Department Director, Department Managers
Action plan: To be implemented as a matter of priority. Expected to be implemented in no later than 3 months.

Rating: Significant Control Weakness (Major). Timely corrective action required.
Finding: The password's effectiveness as a control has declined, increasing the risk of unauthorized access to sensitive information.
Recommendation: Updated packages should be installed, and new security policies should be implemented.
Owner: Department Director, Department Managers
Action plan: To be implemented as a matter of priority. Expected to be implemented in no later than 3 months.
Risk Rating of the Process / Risk Summary / Rating Explanation – Criteria

Unsatisfactory
Risk Summary: Severe / Critical deficiencies noted in the System of Internal Controls. Immediate corrective action required.
Rating Explanation – Criteria: There is no guarantee that user access was granted to the appropriate personnel. Corrective action is needed to ensure that if someone wants to access the system with a higher level, they should have an application or approval from a higher authority that tells the access is

Needs Significant Improvements
Risk Summary: Significant deficiencies were noted in the System of Internal Control. Timely corrective action is required.
Rating Explanation – Criteria: High residual risk exists in a major scope or risk area. The controls evaluated are unlikely to provide reasonable assurance that risks are being managed and objectives met. The superior authority should develop a plan, the plan should be tested, and offsite storage should be secure.