IT Audit Report: Root Cause Analysis, Risk Management & Change Control, NIST Cybersecurity Framework, and Vendor Risk Management

   

Added on  2023-05-29

IT Audit Report
11/15/2018

IT Audit
Table of Contents
Root Cause Analysis (p. 2)
  Role of IT Auditor in Determining Root Cause (p. 2)
  Root Cause (p. 2)
  Recommendations (p. 2)
Risk Management & Change Control (p. 3)
  High-Level Business Process Flow Chart (p. 3)
  Documentation to Test (p. 4)
NIST Cybersecurity Framework (p. 5)
  Reasonable Steps to Secure Sensitive Customer Data (p. 5)
  Periodic Independent Cybersecurity IT Audits (p. 6)
Assessment of Risks in Cloud-based Environment (p. 7)
  Vendor Risk Management Framework (p. 7)
  Potential Risks & Audit Strategies: Evaluation & Selection of Third-party Cloud Provider (p. 8)
Root Cause Analysis in Investigating a Data Breach (p. 8)
  Factors that Contributed to Data Breach (p. 8)
  Applying Root Cause Analysis to Identify Primary Cause (p. 9)
  Recommendations to Avoid the Problem in Future (p. 9)
References (p. 11)
Root Cause Analysis
Root Cause Analysis, in the process of evaluating an IT risk event, is a risk
identification technique that records the details of each risk and the reasons for its
occurrence. The triggers that may lead to the risk materialising and the organisational
vulnerabilities that contribute to it are listed as part of the process [1].
Role of IT Auditor in Determining Root Cause
An IT auditor follows a defined sequence of steps in the root cause analysis of an IT
event. The first step is gathering and managing the evidence. The auditor carries out an
evidence-based root cause analysis, looking for evidence in five areas: the people of the
organisation, its systems, the environment, procedures, and documentation. The auditor then
prepares a problem statement listing the details of the problem, the associated impact, and the
area(s) affected. Impacts may be qualitative or quantitative, and the problem statement must
cover both kinds. The auditor next performs cause-and-effect analysis to build a model of how
the problem occurred. In the following step the solutions to the problem are documented, and
the process ends with submission of the final report to senior management [2].
Root Cause
The root cause for the scenario specified for MortgageNow Inc. is poor and inadequate
management of user identities. Inappropriate user IDs remain active, together with the IDs of
employees and contractors who no longer work for the company. Behind this lies ineffective
identity control and management by the senior managers and representatives of the
organisation. The consequence is a risk to the privacy and confidentiality of the organisation's
data and information sets.
Recommendations
The following steps shall be followed as sustainable corrective actions responding to the
root cause of the identity management problem in the organisation.

- All IDs in the active state shall be analysed and mapped to their identity owners. IDs
  that have no corresponding owner shall be deactivated.
- Access controls and user permissions shall be analysed and assigned to users on the
  basis of their role in the organisation.
- The identity management process shall be re-designed around multi-factor
  authentication: users are first authorised on the basis of their IDs and then identified by
  biometric recognition. This prevents attackers from forging and misusing user IDs.

Implementing the above steps will ensure that identity management and control are
adequately implemented in the organisation.

1. Mohammad Javad Ershadi, Roozbeh Aiasi and Shirin Kazemi, "Root Cause Analysis in Quality Problem Solving
of Research Information Systems: A Case Study" (2018) 24(2) International Journal of Productivity and Quality
Management.
2. Joan Cerniglia-Lowensen, "Learning from Mistakes and Near Mistakes: Using Root Cause Analysis as a Risk
Management Tool" (2015) 34(1) Journal of Radiology Nursing.
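The first two corrective actions above, reconciling active IDs against their owners and checking permissions against role, are exactly the kind of check an auditor can script against an identity-store export and an HR roster. The script below is an added illustration written for this report; it is not part of the original document or of any MortgageNow Inc. system. The account list, HR roster, role-to-permission matrix and the review date are all constructed sample data. It flags three classes of finding: accounts with no owner in the roster, accounts whose owner's engagement has ended, and accounts holding permissions beyond what the owner's role allows.

```python
from datetime import date

# Constructed sample export from an identity store (hypothetical data).
# "owner" is the HR identifier of the person the account belongs to, or None.
ACCOUNTS = [
    {"user_id": "jdoe",        "owner": "E1001", "permissions": {"read_loans", "approve_loans"}},
    {"user_id": "asmith",      "owner": "E1002", "permissions": {"read_loans", "approve_loans"}},
    {"user_id": "svc_old",     "owner": None,    "permissions": {"read_loans", "admin"}},
    {"user_id": "bcontractor", "owner": "C2001", "permissions": {"read_loans", "approve_loans"}},
    {"user_id": "temp01",      "owner": "E9999", "permissions": {"read_loans"}},
]

# Constructed HR roster: HR id -> (role, engagement end date or None if still active).
ROSTER = {
    "E1001": ("underwriter", None),
    "E1002": ("analyst", None),
    "C2001": ("contractor", date(2018, 9, 30)),
}

# Constructed role-to-permission matrix (the "permissions by role" baseline).
ROLE_PERMISSIONS = {
    "underwriter": {"read_loans", "approve_loans"},
    "analyst": {"read_loans"},
    "contractor": {"read_loans"},
}

# Review date; matches the report's cover date purely for illustration.
AS_OF = date(2018, 11, 15)


def review_accounts(accounts, roster, role_permissions, as_of):
    """Reconcile active accounts with the HR roster and role baseline.

    Returns a dict with two keys:
      "deactivate": list of (user_id, reason) for accounts that should be disabled;
      "excess_permissions": user_id -> sorted list of permissions outside the owner's role.
    """
    findings = {"deactivate": [], "excess_permissions": {}}
    for acct in accounts:
        owner = acct["owner"]
        person = roster.get(owner) if owner else None
        # Orphaned account: no owner recorded, or owner unknown to HR.
        if person is None:
            findings["deactivate"].append((acct["user_id"], "no owner in roster"))
            continue
        role, end_date = person
        # Leaver account: the owner's engagement ended before the review date.
        if end_date is not None and end_date < as_of:
            findings["deactivate"].append(
                (acct["user_id"], "owner left on " + end_date.isoformat()))
            continue
        # Role check: anything beyond the role baseline is an excess permission.
        allowed = role_permissions.get(role, set())
        extra = acct["permissions"] - allowed
        if extra:
            findings["excess_permissions"][acct["user_id"]] = sorted(extra)
    return findings


def run_review():
    """Run the review over the constructed sample data."""
    return review_accounts(ACCOUNTS, ROSTER, ROLE_PERMISSIONS, AS_OF)


if __name__ == "__main__":
    result = run_review()
    for user_id, reason in result["deactivate"]:
        print(f"DEACTIVATE {user_id}: {reason}")
    for user_id, extra in result["excess_permissions"].items():
        print(f"REVIEW {user_id}: excess permissions {extra}")
```

On the sample data the review recommends deactivating svc_old (no owner), bcontractor (contract ended 2018-09-30) and temp01 (owner not in HR), and flags asmith for holding approve_loans, which the analyst role does not grant. In practice the two inputs would be the identity provider's account export and the HR system's roster, and the output list is the evidence the auditor attaches to the corrective-action tracking.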
Risk Management & Change Control
High-Level Business Process Flow Chart
Emergency Change Control Process
The emergency change control process that shall be followed for handling and
managing the changes and the risk events is depicted in the flow chart above. There are three
major phases that shall be used for managing the changes as change initiator, change