First you need to know all the control categories; then you can check compliance and controls one by one. Understanding a control is not complicated. For example, if you are at home and your mom asks you to make a list of your kitchen items and decide which are useful and which are not, the task is easy to understand, but you still need the mindset to check every item on the list carefully. That is how checking compliance and controls in a security audit works. This list also helps you understand some audit terms.
Before creating this checklist you need to understand how to write the scope, goals and risk assessment report for a company.
Below is an example report for a company. It provides a controls assessment, point by point.
| Control | Yes/No | Explanation |
|---|---|---|
| Least Privilege | No | Currently, all employees have access to customer data; privileges need to be limited to reduce the risk of a breach. |
| Disaster Recovery Plans | No | There are no disaster recovery plans in place. These need to be implemented to ensure business continuity. |
| Password Policies | No | Employee password requirements are minimal, which could allow a threat actor to more easily access secure data/other assets via employee work equipment/the internal network. |
| Separation of duties | No | Needs to be implemented to reduce the possibility of fraud/access to critical data, since the company CEO currently runs day-to-day operations and manages the payroll. |
| Firewall | Yes | The existing firewall blocks traffic based on an appropriately defined set of security rules. |
| Intrusion detection system (IDS) | No | The IT department needs an IDS in place to help identify possible intrusions by threat actors. |
| Backups | No | The IT department needs to have backups of critical data, in the case of a breach, to ensure business continuity. |
| Antivirus software | Yes | Antivirus software is installed and monitored regularly by the IT department. |
| Manual monitoring, maintenance and intervention for legacy systems | No | The list of assets notes the use of legacy systems. The risk assessment indicates that these systems are monitored and maintained, but there is no regular schedule in place for this task and procedures/policies related to intervention are unclear, which could place these systems at risk of a breach. |
| Encryption | No | Encryption is not currently used; implementing it would provide greater confidentiality of sensitive information. |
| Password Management System | No | There is no password management system currently in place; implementing this control would improve IT department/other employee productivity in the case of password issues. |
| Locks (offices, storefront, warehouse) | Yes | The store’s physical location, which includes the company’s main offices, store front, and warehouse of products, has sufficient locks. |
| Closed-circuit television (CCTV) surveillance | Yes | CCTV is installed/functioning at the store’s physical location. |
| Fire detection/prevention (fire alarm, sprinkler system, etc.) | Yes | Botium Toy’s physical location has a functioning fire detection and prevention system. |
Compliance Checklist
Payment Card Industry Data Security Standard (PCI DSS)
| Best Practice | Yes/No | Explanation |
|---|---|---|
| Only authorized users have access to customers’ credit card information. | No | Currently all employees have access to the company’s internal data. |
| Credit card information is accepted, processed, transmitted and stored internally in a secure environment. | No | Credit card information is not encrypted and all employees currently have access to internal data, including customers’ credit card information. |
| Implement data encryption procedures to better secure credit card transaction touchpoints and data. | No | The company does not currently use encryption to better ensure the confidentiality of customers’ financial information. |
| Adopt secure password management policies. | No | Password policies are nominal and no password management system is currently in place. |
General Data Protection Regulation (GDPR)
| Best Practice | Yes/No | Explanation |
|---|---|---|
| E.U. customers’ data is kept private/secured. | No | The company does not currently use encryption to better ensure the confidentiality of customers’ financial information. |
| There is a plan in place to notify E.U. customers within 72 hours if their data is compromised/there is a breach. | Yes | There is a plan to notify E.U. customers within 72 hours of a data breach. |
| Ensure data is properly classified and inventoried. | No | Current assets have been inventoried/listed, but not classified. |
| Enforce privacy policies, procedures and processes to properly document and maintain data. | Yes | Privacy policies, procedures and processes have been developed and enforced among IT team members and other employees as needed. |
System and Organization Controls (SOC type 1, SOC type 2)
| Best Practice | Yes/No | Explanation |
|---|---|---|
| User access policies are established. | No | Controls of least privilege and separation of duties are not currently in place: all employees have access to internally stored data. |
| Sensitive data (PII/SPII) is confidential/private. | No | Encryption is not currently used to better ensure the confidentiality of PII/SPII. |
| Data integrity ensures the data is consistent, complete, accurate, and has been validated. | Yes | Data integrity is in place. |
| Data is available to individuals authorized to access it. | No | While data is available to all employees, authorization needs to be limited to only the individuals who need access to it to do their jobs. |
After checking the full compliance list you need to write recommendations for the company; these are the positive points that always strengthen a report.
Let’s analyze this report.
In this report you can see that many controls are not followed by the company, so you need to write a final conclusion on compliance and security controls with the help of the checklist above.
According to the checklist, multiple controls need to be implemented to improve the company’s security posture and better ensure the confidentiality of sensitive information, including: least privilege, disaster recovery plans, password policies, separation of duties, an IDS, ongoing legacy system management, encryption and a password management system.
Be positive. To address the gaps in compliance, the company needs to implement controls such as least privilege, separation of duties, and encryption. The company also needs to properly classify its assets, in order to identify additional controls that may need to be implemented to improve its security posture and better protect sensitive information.
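The analysis step above (find which compliance requirements fail, and which missing controls cause the most failures) can be done systematically. The following added example, not from the original post, encodes a small set of the report's controls and requirements as data; the mapping of each requirement to the controls it depends on is an assumption made for illustration, not a statement of what the standards require.

```python
from collections import defaultdict

# Constructed sample data modelled on the report above: control -> in place?
CONTROLS = {
    "Least privilege": False,
    "Separation of duties": False,
    "Encryption": False,
    "Password policies": False,
    "Password management system": False,
    "Asset classification": False,
    "Breach notification plan": True,
}

# Compliance requirements and the controls each depends on.
# The dependency mapping is an assumption for this example, not the standards' text.
REQUIREMENTS = {
    ("PCI DSS", "Only authorized users access cardholder data"): ["Least privilege"],
    ("PCI DSS", "Cardholder data stored in a secure environment"): ["Encryption", "Least privilege"],
    ("PCI DSS", "Secure password management"): ["Password policies", "Password management system"],
    ("GDPR", "EU customer data kept private"): ["Encryption"],
    ("GDPR", "72-hour breach notification plan"): ["Breach notification plan"],
    ("GDPR", "Data classified and inventoried"): ["Asset classification"],
    ("SOC", "User access policies established"): ["Least privilege", "Separation of duties"],
    ("SOC", "PII/SPII kept confidential"): ["Encryption"],
}

def evaluate(controls, requirements):
    """Return {(framework, requirement): [missing controls]} for unmet requirements."""
    gaps = {}
    for req, deps in requirements.items():
        missing = [c for c in deps if not controls.get(c, False)]
        if missing:
            gaps[req] = missing
    return gaps

def prioritize(gaps):
    """Rank missing controls by how many requirements they block, then by name."""
    blocked = defaultdict(list)
    for (framework, _), missing in gaps.items():
        for control in missing:
            blocked[control].append(framework)
    ranked = [(c, len(f), sorted(set(f))) for c, f in blocked.items()]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    gaps = evaluate(CONTROLS, REQUIREMENTS)
    for control, n, frameworks in prioritize(gaps):
        print(f"{control}: blocks {n} requirement(s) across {', '.join(frameworks)}")
```

The ranked output is the order in which the recommendations section should present the missing controls: encryption and least privilege come first because each unblocks three requirements across several frameworks.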
For any question, suggestion or recommendation, please contact contact@widelamp.com