IT Audit Report: Root Cause Analysis, Risk Management & Change Control, NIST Cybersecurity Framework, and Vendor Risk Management
Added on 2023/05/29
IT Audit Report
11/15/2018
IT Audit
Table of Contents
Root Cause Analysis..............................................................................................................................2
Role of IT Auditor in Determining Root Cause.................................................................................2
Root Cause........................................................................................................................................2
Recommendations.............................................................................................................................2
Risk Management & Change Control....................................................................................................3
High-Level Business Process Flow Chart..........................................................................................3
Documentation to Test.......................................................................................................................4
NIST Cybersecurity Framework............................................................................................................5
Reasonable Steps to Secure Sensitive Customer Data.......................................................................5
Periodic Independent Cybersecurity IT Audits..................................................................................6
Assessment of Risks in Cloud-based Environment................................................................................7
Vendor Risk Management Framework..............................................................................................7
Potential Risks & Audit Strategies – Evaluation & Selection of Third-party Cloud Provider...........8
Root Cause Analysis in Investigating a Data Breach.............................................................................8
Factors that Contributed to Data Breach............................................................................................8
Applying Root Cause Analysis to Identify Primary Cause................................................................9
Recommendations to Avoid the Problem in Future...........................................................................9
References...........................................................................................................................................11
Root Cause Analysis
Root Cause Analysis, in the process of evaluating an IT risk event, is a risk
identification technique that provides the details of the risks and the reasons for their
occurrence. The triggers that may lead to the occurrence of the risk, and the vulnerabilities
of the organization that contribute to it, are listed in the process [1].
Role of IT Auditor in Determining Root Cause
There are certain steps that an IT auditor follows in the root cause analysis of
an IT event. The first step is gathering and managing the evidence. The IT auditor shall
carry out an evidence-based root cause analysis and look for evidence in the areas of
people, systems, environment, procedures, and documentation. The auditor shall then
prepare a problem statement listing the details of the problem, the associated impact, and
the area(s) of impact. The impacts may be qualitative or quantitative, and the problem
statement must cover both. The auditor shall then perform a cause-and-effect analysis to
build a model of how the problem occurred. The solutions to the problem are documented
in the next step, followed by the submission of the final report to senior management [2].
Root Cause
The root cause for the scenario specified for MortgageNow Inc. is poor and
inadequate management of user identities. Inappropriate user IDs remain active, along
with the IDs of employees or contractors who no longer work for the company. The root
cause behind the problem is ineffective identity control and management by the senior
managers and representatives of the organization. This may have negative implications
for the privacy and confidentiality of the organization's data and information sets.
Recommendations
The following steps shall be followed as sustainable corrective actions in response to the
root cause of the identity management problem in the organization.
[1] Mohammad Javad Ershadi, Roozbeh Aiasi and Shirin Kazemi, "Root Cause Analysis in Quality Problem Solving of Research Information Systems: A Case Study" (2018) 24(2) International Journal of Productivity and Quality Management.
[2] Joan Cerniglia-Lowensen, "Learning from Mistakes and Near Mistakes: Using Root Cause Analysis as a Risk Management Tool" (2015) 34(1) Journal of Radiology Nursing.
- The IDs in the active state shall be analysed and mapped to their identity owners.
  IDs that do not have a corresponding owner shall be deactivated.
- Access control and user permissions shall be analysed and assigned to users on the
  basis of their role in the organization.
- The identity management process shall be re-designed around multi-factor
  authentication: users are first authorized on the basis of their IDs and then identified
  by biometric recognition. This will prevent attackers from forging and misusing user IDs.
The implementation of the above steps will ensure that identity management and
control are adequately implemented in the organization.
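One way to carry out the first two steps above, as an added example that is not part of the original report: the script reconciles a directory export of active IDs against the HR roster and checks each account's permissions against a role matrix. The roster, accounts, roles and permission names are constructed sample data.

```python
"""Reconcile active user IDs against the HR roster and a role-to-permission matrix.

Added example (not from the report): it implements the first two corrective
steps above for a MortgageNow-style scenario. Every person, account, role and
permission below is constructed sample data, not a real record.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Person:
    person_id: str
    status: str                # "active" or "terminated"
    end_date: Optional[date]   # contract or employment end date, if known


@dataclass(frozen=True)
class Account:
    user_id: str
    owner: Optional[str]       # person_id of the identity owner, None if unmapped
    role: str
    permissions: FrozenSet[str]


# Permissions each role is allowed to hold (constructed least-privilege matrix).
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "loan_officer": frozenset({"read_applications", "write_applications"}),
    "underwriter": frozenset({"read_applications", "approve_loans"}),
    "it_admin": frozenset({"manage_users", "read_audit_log"}),
}


def orphaned_accounts(accounts: List[Account], roster: List[Person],
                      today: date) -> Dict[str, str]:
    """Map each user ID without a valid, current owner to the reason it should be deactivated."""
    people = {p.person_id: p for p in roster}
    flagged: Dict[str, str] = {}
    for acct in accounts:
        person = people.get(acct.owner) if acct.owner else None
        if person is None:
            flagged[acct.user_id] = "no owner in HR roster"
        elif person.status == "terminated":
            flagged[acct.user_id] = "owner terminated"
        elif person.end_date is not None and person.end_date < today:
            flagged[acct.user_id] = "owner end date passed"
    return flagged


def excess_permissions(accounts: List[Account]) -> Dict[str, List[str]]:
    """Map each user ID to the permissions it holds beyond what its role allows."""
    excess: Dict[str, List[str]] = {}
    for acct in accounts:
        allowed = ROLE_PERMISSIONS.get(acct.role, frozenset())
        extra = acct.permissions - allowed
        if extra:
            excess[acct.user_id] = sorted(extra)
    return excess


# Constructed HR roster: P002 left in September, P003 is a contractor whose
# engagement ended in October.
SAMPLE_ROSTER = [
    Person("P001", "active", None),
    Person("P002", "terminated", date(2018, 9, 30)),
    Person("P003", "active", date(2018, 10, 31)),
    Person("P004", "active", None),
]

# Constructed directory export of IDs in the active state.
SAMPLE_ACCOUNTS = [
    Account("jdoe", "P001", "loan_officer", frozenset({"read_applications", "write_applications"})),
    Account("svc_legacy", None, "it_admin", frozenset({"manage_users"})),
    Account("bsmith", "P002", "underwriter", frozenset({"read_applications", "approve_loans"})),
    Account("contractor7", "P003", "loan_officer", frozenset({"read_applications"})),
    Account("mlee", "P004", "underwriter",
            frozenset({"read_applications", "approve_loans", "manage_users"})),
    Account("ghost", "P999", "loan_officer", frozenset({"read_applications"})),
]


def review(today: date = date(2018, 11, 15)):
    """Run both checks over the sample data; returns (deactivation list, excess permissions)."""
    return (orphaned_accounts(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, today),
            excess_permissions(SAMPLE_ACCOUNTS))


if __name__ == "__main__":
    to_deactivate, over_privileged = review()
    for user_id, reason in to_deactivate.items():
        print(f"deactivate {user_id}: {reason}")
    for user_id, extra in over_privileged.items():
        print(f"remove from {user_id}: {', '.join(extra)}")
```

The deactivation list is the evidence an auditor would compare against the actual directory state on a later review.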
Risk Management & Change Control
High-Level Business Process Flow Chart
[Flow chart: Emergency Change Control Process]
The emergency change control process to be followed for handling and managing
changes and risk events is depicted in the flow chart above. Three major phases shall be
used for managing the changes: change initiator, change
management, and change implementation [3]. A Request for Change (RFC) is a formal change
request document that shall be circulated; it comprises the changes that need to be made,
the risks associated with the change, the impact of the change on scope, time, and budget,
and the resources responsible for executing the changes. The planning of the change
shall be followed by review, analysis, and authorization of the request. Once the change is
authorized and accepted, it shall be implemented in the organization. Review and audit
cycles shall run in parallel to keep track of the changes being made. The change shall be
closed only after the post implementation review is successful.
The change control points are marked with red arrows in the image above. These four
control points will make sure that the risks do not occur. If a risk does occur, the
mitigation strategies will be implemented to avoid its impact. The control points will
ensure that the changes implemented in the organization do not result in a risk event.
Documentation to Test
The following documentation will need to be tested to make sure that the
emergency change control process is being carried out effectively.
- Request for Change (RFC): The document will be tested to determine the feasibility
  and the nature of the change. The analysis and audit of the document will provide the
  details of the changes that will be made along with the associated impact of the change.
- Change Plan: The document will include the detailed methodology of change
  implementation and management. The impact of the change on the schedule, budget,
  and scope will also be included in the plan. The analysis of the document will provide
  an overview of adherence to the planned values in the implementation process [4].
  The IT auditor may use techniques such as Earned Value Management to analyse the
  gaps between the planned and actual values of schedule and budget.
- Change Review Report: The implementation review and post implementation review
  of the change will be done to understand the correctness of the process and to identify
[3] Jorge Humberto Mejia Morelos, François Grima and Georges Trepo, "Change and Stability Interaction-Processes in SMEs: A Comparative Case Study" (2013) 26(2) Journal of Organizational Change Management.
[4] Celia Desmond, "Project to Plan for Significant Process Change" (2016) 44(2) IEEE Engineering Management Review.
  the areas of improvement. The analysis of the document will provide the details of the
  major gaps and the areas to be focused upon.
- Change Closure Report: The final report submitted by the resources handling the
  changes will be the closure report. The IT auditor shall analyse the document to
  determine the activities performed by the team in handling the changes, along with
  the areas that may be improved upon in the future.
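As an added example (not from the original report), the following script audits a change record against the four documents listed above and the sequencing rules stated earlier: authorization before implementation, and closure only after a successful post implementation review, with Earned Value Management variances computed from the change plan. The record fields, the two sample records and the grouping into four checks are this example's own assumptions, not the report's flow chart.

```python
"""Audit checks over an emergency change record.

Added example (not part of the report): it tests a change record against the
documentation listed above (RFC, change plan, change review report, change
closure report) and the sequencing rules the text states. The field names,
both sample records and the grouping into four checks are constructed
assumptions, not a real change-management schema.
"""
from datetime import date
from typing import Any, Dict, List

RFC_REQUIRED = ("changes", "risks", "impact", "responsible")
IMPACT_AREAS = ("scope", "time", "budget")


def earned_value_variances(plan: Dict[str, Any]) -> Dict[str, float]:
    """Earned Value Management figures from the change plan.
    SV = EV - PV (negative means behind schedule); CV = EV - AC (negative means over budget)."""
    ev, pv, ac = plan["earned_value"], plan["planned_value"], plan["actual_cost"]
    return {"schedule_variance": ev - pv, "cost_variance": ev - ac}


def audit_change_record(record: Dict[str, Any]) -> List[str]:
    """Return the audit findings for one change record; an empty list means it passes."""
    findings: List[str] = []

    # Check 1: the RFC must describe changes, risks, impact (scope/time/budget) and owners.
    rfc = record.get("rfc")
    if rfc is None:
        findings.append("RFC missing")
    else:
        for key in RFC_REQUIRED:
            if not rfc.get(key):
                findings.append(f"RFC lacks '{key}'")
        impact = rfc.get("impact") or {}
        for area in IMPACT_AREAS:
            if area not in impact:
                findings.append(f"RFC impact does not cover {area}")

    # Check 2: review and authorization precede implementation.
    authorized = record.get("authorized_on")
    implemented = record.get("implemented_on")
    if authorized is None:
        findings.append("change was never authorized")
    elif implemented is not None and implemented < authorized:
        findings.append("implemented before authorization")

    # Check 3: gaps between the change plan's planned and actual values (EVM).
    plan = record.get("change_plan")
    if plan is None:
        findings.append("change plan missing")
    else:
        variance = earned_value_variances(plan)
        if variance["schedule_variance"] < 0:
            findings.append(f"behind schedule: SV={variance['schedule_variance']}")
        if variance["cost_variance"] < 0:
            findings.append(f"over budget: CV={variance['cost_variance']}")

    # Check 4: closure only after a successful post implementation review.
    review = record.get("review_report")
    if record.get("closure_report") is not None:
        if review is None:
            findings.append("closed without a change review report")
        elif review.get("post_implementation_review") != "successful":
            findings.append("closed although the post implementation review was not successful")
    return findings


# Constructed sample records. GOOD_RECORD follows the process; BAD_RECORD was
# implemented a day before it was authorized and closed with the review pending.
GOOD_RECORD = {
    "rfc": {"changes": "replace expiring TLS certificate on the loan portal",
            "risks": ["short portal outage during swap"],
            "impact": {"scope": "portal front end", "time": "2 hours", "budget": 0},
            "responsible": "infrastructure team"},
    "authorized_on": date(2018, 11, 10),
    "implemented_on": date(2018, 11, 11),
    "change_plan": {"planned_value": 100, "earned_value": 100, "actual_cost": 90},
    "review_report": {"post_implementation_review": "successful"},
    "closure_report": {"activities": "certificate replaced, monitoring confirmed"},
}
BAD_RECORD = {
    "rfc": {"changes": "hotfix on loan portal", "risks": [],
            "impact": {"scope": "portal"}, "responsible": "developer on call"},
    "authorized_on": date(2018, 11, 12),
    "implemented_on": date(2018, 11, 11),
    "change_plan": {"planned_value": 100, "earned_value": 80, "actual_cost": 120},
    "review_report": {"post_implementation_review": "pending"},
    "closure_report": {"activities": "done"},
}


def audit_samples() -> Dict[str, List[str]]:
    """Audit both constructed records and return their findings by name."""
    return {"good": audit_change_record(GOOD_RECORD), "bad": audit_change_record(BAD_RECORD)}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name, "passes" if not findings else "findings:")
        for finding in findings:
            print("  -", finding)
```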
NIST Cybersecurity Framework
Reasonable Steps to Secure Sensitive Customer Data
Several frameworks have been developed to make sure that information assets are
protected and safeguarded. One such framework is the NIST Cybersecurity Framework.
Adopting and adhering to such frameworks can assist organizations in implementing
reasonable steps to secure sensitive customer data and information. The core structure
of the framework is represented in the image below.
[Figure: NIST Framework Core Structure [5]]
Business organizations can adopt the framework and use it as a guideline to
safeguard their information sets. There are five primary functions that the organizations may
[5] NIST, Framework for Improving Critical Infrastructure Cybersecurity (2018) <https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf>.
use in the process: identify, protect, detect, respond, and recover. These functions may be
used to carry out strategies to identify all the possible risks that an organization may be
exposed to. Identifying all the risk events gives the organization the readiness to
implement risk management activities. The analysis of the identified risks will assist in
developing the protection strategies to be used. Detecting risk events as they occur will
make sure that a better response is provided to the affected areas, which assists in
enhanced management and control of the risks [6]. The organization will also be provided
with the ability to recover from the risks should they occur.
Each of these five functions is mapped to categories and sub-categories that
organizations may use to further streamline the process. For instance, the risks identified
in the initial step may be assigned to categories such as legal risks, ethical risks, quality
risks, resource risks, project-related risks, and so on. These risk categories may have
sub-categories; for example, project-related risks may be assigned to sub-categories such
as schedule risks, budget risks, policy risks, customer risks, stakeholder risks, and
communication risks. Security risks to the information sets may likewise be classified
into sub-categories such as network security risks, system risks, insider threats, etc. The
organization will be able to design and implement controls on the basis of the risk
categories and sub-categories, resulting in higher success rates.
Periodic Independent Cybersecurity IT Audits
It is necessary to carry out periodic independent cybersecurity IT audits to ensure that
the steps taken for risk management and control are effective.
Conducting these IT audits will make sure that the areas that may need improvement
are identified and highlighted. For instance, in order to deal with network-based security
attacks, the organization may be using an outdated network-based intrusion detection and
prevention system [7]. The IT audit will determine the need to update the tools and
equipment used in the process of risk handling, and other areas of improvement will be
identified as well. The IT audits will also analyse the gaps in resource skills that may
require improvement, and the measures to be taken to address them will be listed.
[6] Yogesh Malhotra, "Cybersecurity & Cyber-Finance Risk Management: Strategies, Tactics, Operations, & Intelligence: Enterprise Risk Management to Model Risk Management: Understanding Vulnerabilities, Threats, & Risk Mitigation (Presentation Slides)" [2015] SSRN Electronic Journal.
[7] Regner Sabillon, "A Practical Model to Perform Comprehensive Cybersecurity Audits" (2018) 9(1) Enfoque UTE.
Conducting the periodic audits will ensure that overall improvements in the
integrated cybersecurity risk handling and control are implemented.
Assessment of Risks in Cloud-based Environment
Vendor Risk Management Framework
There is a defined process that shall be used in managing the risks associated with
vendors. Four steps shall be included in the vendor risk management framework; they
are listed below.
[Figure: Vendor Risk Management Framework]
The first step is the development of vendor risk criteria for the third-party cloud
providers. The risk criteria shall be defined and must be based upon the areas of
operational risks, data privacy risks, transactional risks, compliance risks, procurement
risks, legal risks, and regulatory risks [8]. Vendor information management shall be done
by analysing the vendor's qualification, market performance, contract management
procedure, customer support services, and policy and procedure management. The vendor
risk analysis shall follow the process of risk universe management, risk identification,
risk prioritization, and risk scoring. The vendor shall then be assessed on the basis of the
information collected; the assessment process shall be both qualitative and quantitative.
The monitoring of the risks shall be done by carrying out control tests and scoring
along with the use of Key Performance Indicators (KPIs). These KPIs may be based upon
the areas of services, costs, schedule, resources, terms & conditions, and policies. A SWOT
analysis shall be done to determine the control process and monitoring activities being
carried out, followed by the closure of the risks.
The process of vendor risk management will make sure that the third-party cloud
provider that is selected for the organization is as per the needs of the organization.
[8] Jennifer V. Blackhurst, Kevin P. Scheibe and Danny J. Johnson, "Supplier Risk Assessment and Monitoring for the Automotive Industry" (2008) 38(2) International Journal of Physical Distribution & Logistics Management.
[Figure labels, Vendor Risk Management Framework: Vendor Risk Criteria; Vendor Information Management; Vendor Risk Analysis & Assessment; Vendor Risk Monitoring & Closure]
Potential Risks & Audit Strategies – Evaluation & Selection of Third-party Cloud
Provider
The potential risks that may come up in the process of the selection of the third-party
cloud provider may be legal risks, procurement risks, communication issues, security risks,
and market-related risks.
The cloud provider may fail to comply with legal policies and standards, which may
create legal obligations for the organization. The contractual and procurement process used
with the cloud provider may result in disagreements over the terms of service. Limited
availability of either party for communication may leave gaps in the understanding of the
requirements. The security strategies and policies used by the third-party cloud provider may
be inadequate. Changes in market conditions may lead to changes in the price of the service
and to technological modifications9.
The audit strategies applied in the process must make use of the vendor risk
management process documented above. They shall also make use of automated tools for
analysing market conditions, since the vendor's market performance gives an overview of the
risks that may emerge. The IT auditor must also obtain assistance from a legal representative
to ensure that legal policies and standards are adhered to. Qualitative and quantitative
strategies shall be used to determine the impact levels, and the control processes and
strategies shall be designed accordingly.
Root Cause Analysis in Investigating a Data Breach
Factors that Contributed to Data Breach
A recent data breach occurred at Nordstrom, an American chain of luxury department
stores headquartered in Seattle. A spokesperson of the company reported that the breach
resulted in the exposure of private and sensitive employee information. Co-President Blake
Nordstrom circulated an email to the employees of the organization on November 7, 2018
informing them of the breach.
9 Robert Stroud, "Vendor Risk Management Using COBIT 5" (2014) 50(1) EDPACS.
The factor that contributed to the breach was the access a contract worker had to
sensitive employee data sets, which resulted in the exposure of that information. This
indicates a lack of adequate governance and control, along with gaps in the security controls
used by the organization10.
Applying Root Cause Analysis to Identify Primary Cause
Root cause analysis will be applied in this case by gathering evidence as the first
step. Employees of Nordstrom, senior management, contract workers, and other stakeholders
will be interviewed so that the potential causes of the breach can be identified. The control
and governance measures will be analysed, together with a system analysis, to determine the
nature of the security controls used in the organization. The evidence-based analysis will
cover the probable causes in the areas of people, systems, technology, and governance. Once
the initial evidence has been gathered, a problem statement will be prepared describing the
nature, location, and impact of the event and its probable causes. A cause-and-effect analysis
will then identify the primary and secondary causes of the problem11. The results will be
mapped against the event and a final report prepared describing the root cause of the issue.
Recommendations to Avoid the Problem in Future
The following recommendations are made so that a similar problem does not recur.
- All data sets associated with the organization shall be encrypted at rest and in transit
using current algorithms such as the Advanced Encryption Standard (AES). Triple DES is
deprecated by NIST and shall not be selected for new deployments, and hashing algorithms
serve integrity checking and password storage rather than confidentiality, so they
complement encryption rather than replace it.
- Multi-factor authentication shall be used for the identity control of the users and
employees of the organization, combining one-time passwords and biometric recognition
systems.
- The use of automated security tools and controls shall be increased, integrating the
systems and databases with anti-malware tools, denial-of-service protection, firewalls,
and intrusion detection and prevention systems.
10 Jessica Davis, Nordstrom Data Breach Exposes Employee Information -- Security Today (2018) Security Today <https://securitytoday.com/articles/2018/11/15/nordstrom-data-breach-exposes-employee-information.aspx>.
11 Martin Fochmann and Marcel Haak, "Strategic Decision Behavior And Audit Quality Of Big And Small Audit Firms In A Tendering Process" [2015] SSRN Electronic Journal.
- Access control and user permissions shall be revised and assigned on the basis of the
user's role, following the principle of least privilege. Role-based and attribute-based
access control mechanisms shall be adopted, so that contract workers are not granted
access to sensitive employee data sets unless their role requires it.
- The physical security of the organization shall be enhanced with automated security
controls.
- IT audits and reviews shall be conducted as part of regular procedure, including
periodic reviews of granted access rights against user roles.
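The access-control and audit recommendations above can be made concrete. The following is an added example, not part of the original report and not Nordstrom's own configuration. It defines a deny-by-default policy that combines a role clearance (RBAC) with attribute conditions (ABAC: employment type, MFA state, action), and then replays a constructed access log against that policy, which is the check an IT auditor would run to find grants that exceeded a user's role. The data-set names, roles, classification levels, user names and log events are all assumptions made for illustration.

```python
"""RBAC + ABAC check for sensitive data sets, with an audit replay of access
events against the policy.

Added example; not from the original report. Roles, data-set names, levels,
attributes and the log events below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Data-set classification (constructed).
CLASSIFICATION = {
    "employee_pii": "restricted",   # names, identifiers, bank details
    "store_inventory": "internal",
    "marketing_assets": "public",
}

# Highest classification each role may read (constructed policy).
ROLE_CLEARANCE = {
    "hr_staff": "restricted",
    "it_admin": "internal",
    "contractor": "internal",
    "store_associate": "internal",
}

LEVELS = {"public": 0, "internal": 1, "restricted": 2}


@dataclass(frozen=True)
class Subject:
    user: str
    role: str
    employment_type: str   # "employee" or "contractor"
    mfa_verified: bool


def is_permitted(subject: Subject, dataset: str, action: str) -> tuple[bool, str]:
    """Deny-by-default decision. The role clearance is the RBAC part; the
    conditions on employment type, MFA and action are the ABAC part.
    Returns (allowed, reason) so the reason can be logged or reported."""
    if dataset not in CLASSIFICATION:
        return False, "unknown data set"
    level = CLASSIFICATION[dataset]
    clearance = ROLE_CLEARANCE.get(subject.role)
    if clearance is None:
        return False, "unknown role"
    if LEVELS[level] > LEVELS[clearance]:
        return False, f"role {subject.role} not cleared for {level} data"
    if level == "restricted":
        # Attribute rules that apply on top of the role clearance.
        if subject.employment_type != "employee":
            return False, "restricted data limited to direct employees"
        if not subject.mfa_verified:
            return False, "MFA required for restricted data"
        if action != "read":
            return False, "write/export of restricted data needs separate approval"
    return True, "permitted"


# Constructed access log: timestamp user role employment_type mfa dataset action
SAMPLE_LOG = """\
2018-10-10T09:14:02 jdoe hr_staff employee true employee_pii read
2018-10-10T09:20:45 c.vendor contractor contractor false employee_pii read
2018-10-10T10:02:11 c.vendor contractor contractor false store_inventory read
2018-10-10T11:30:00 asmith hr_staff employee false employee_pii export
"""


def audit_access_log(log_text: str) -> list[dict]:
    """Replay each logged event against the policy and return the events the
    policy would have denied. An event that was actually served but appears
    here is a grant that exceeded the user's role and needs follow-up."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, role, emp_type, mfa, dataset, action = line.split()
        subj = Subject(user, role, emp_type, mfa == "true")
        allowed, reason = is_permitted(subj, dataset, action)
        if not allowed:
            findings.append({"time": ts, "user": user, "dataset": dataset,
                             "action": action, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit_access_log(SAMPLE_LOG):
        print(finding)
```

On the constructed log the replay flags two events: the contractor reading the restricted employee data set, which the role clearance alone rejects, and an HR user exporting the same data set without MFA. The second case shows why the attribute conditions matter: a role that is cleared for the data still does not get unconditional access, which is the least-privilege point the recommendation above makes.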
References
Blackhurst, J.V., Scheibe, K.P. and Johnson, D.J., "Supplier Risk Assessment And Monitoring For The Automotive Industry" (2008) 38(2) International Journal of Physical Distribution & Logistics Management
Cerniglia-Lowensen, J., "Learning From Mistakes And Near Mistakes: Using Root Cause Analysis As A Risk Management Tool" (2015) 34(1) Journal of Radiology Nursing
Davis, J., "Nordstrom Data Breach Exposes Employee Information" (2018) Security Today <https://securitytoday.com/articles/2018/11/15/nordstrom-data-breach-exposes-employee-information.aspx>
Desmond, C., "Project To Plan For Significant Process Change" (2016) 44(2) IEEE Engineering Management Review
Ershadi, M.J., Roozbeh A. and Shirin K., "Root Cause Analysis In Quality Problem Solving Of Research Information Systems: A Case Study" (2018) 24(2) International Journal of Productivity and Quality Management
Fochmann, M. and Haak, M., "Strategic Decision Behavior And Audit Quality Of Big And Small Audit Firms In A Tendering Process" [2015] SSRN Electronic Journal
Humberto, M.M., Jorge, F.G. and Georges, T., "Change And Stability Interaction Processes In SMEs: A Comparative Case Study" (2013) 26(2) Journal of Organizational Change Management
Malhotra, Y., "Cybersecurity & Cyber-Finance Risk Management: Strategies, Tactics, Operations, & Intelligence: Enterprise Risk Management To Model Risk Management: Understanding Vulnerabilities, Threats, & Risk Mitigation (Presentation Slides)" [2015] SSRN Electronic Journal
NIST, Framework For Improving Critical Infrastructure Cybersecurity, Version 1.1 (2018) <https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf>
Sabillon, R., "A Practical Model To Perform Comprehensive Cybersecurity Audits" (2018) 9(1) Enfoque UTE
Stroud, R., "Vendor Risk Management Using COBIT 5" (2014) 50(1) EDPACS