represents a summary of the specific risks and gaps after conducting the audit.

The auditor created a heat map of risks (figure 12) that shows the impact/magnitude and likelihood/frequency of key risks relevant to Company A. The combination of higher (negative) impact/magnitude and higher likelihood/frequency of the incident leads to a higher level of business risk. The darker shade indicates unacceptable risk. This level of risk is far beyond Company A’s normal risk appetite. (There may be other risks unique to the ultimate end users/customers of Company A, but that is out of scope for this case study.)
Figure 8—Audit Program: Data(base) Integrity (DS11.6)

Relevant COBIT Control Objective: DS11.6 Security requirements for data management—Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organization’s security policy and regulatory requirements.

Audit Procedure: Determine whether a policy has been defined and implemented to protect sensitive data and messages from unauthorized access and incorrect transmission and transport, including, but not limited to, encryption, message authentication codes, hash totals, bonded couriers and tamper-resistant packaging for physical transport.

Findings: Personally identifiable information (PII) is stored in clear text at the CSP.
Figure 9—Audit Program: Logical Trespassing (DS5.5)

Relevant COBIT Control Objective: DS5.5 Security testing, surveillance and monitoring—Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.

Audit Procedure: Determine whether the IT security management function has been integrated within the organization’s project management initiatives to ensure that security is considered in development, design and testing requirements to minimize the risk of new or existing systems introducing security vulnerabilities.

Findings: Network diagrams have not been updated to reflect connectivity with the CSP. As a result, the last network penetration testing did not include this connectivity as part of the scope.
Figure 10—Audit Program: Contractual Compliance (ME3.4)

Relevant COBIT Control Objective: ME3.4 Positive assurance of compliance—Obtain and report assurance of compliance and adherence to all internal policies derived from internal directives or external legal, regulatory or contractual requirements, confirming that any corrective actions to address any compliance gaps have been taken by the responsible process owner in a timely manner.

Audit Procedure:
1. Inquire whether procedures are in place to regularly assess levels of compliance with legal and regulatory requirements by independent parties.
2. Review policies and procedures to ensure that contracts with third-party service providers require regular confirmation of compliance (e.g., receipt of assertions) with applicable laws, regulations and contractual commitments.

Findings: The cloud computing vendor does not have an independent auditor’s report (e.g., ISAE 3402/SOC 1/SSAE 16 report).
Because resources are limited and compete with one another, the risks related to cloud computing need to be prioritized, and appropriate action should be taken based on the risk appetite of the company. Appropriate action includes a combination of the following:
• Implement controls.
• Transfer risk(s).
• Avoid risk(s).
• Accept risk(s).
The audit highlighted that Company A needs to mitigate several risks. However, implementing too many controls may