This part of the management plan consists of conducting a risk audit. This is an essential part of the process of developing this management plan. Since this is a medium size organization one of the first steps would be to visualize and understand the risks. Questions like need to be asked like: What risks to the organization are relevant? What risks are visible? Are there risks that are jus not seen, are impossible to mitigate or are unable to be measured.
Looking at the organizations infrastructure, the likelihood that if one of the stores gets infected, it could effect the other 268 stores makes it a must that high risks should be prioritized first. The risk management strategies should include a network design for agility because there are supplier/logistics risks that come with it being a retail business. Since this is a retail chain there are some regulatory compliance audits that are mandated by rules such as Sarbanes-Oxley Act (SOX), and these type of audits help to expose the potential risks from any gaps in the financial processing procedures.
System Software and Applications The system software and applications management process helps to assess the design as well as the effectiveness of the processes and controls related to software and applications that are utilized in the organization. This process also includes software license reviews that help to evaluate the effectiveness of the system’s software and applications as well as help to maintain software license agreements (e. g. , ERPs). This process can also help reduce costs that it a direct result effectively managing the software licenses.
Effectively managing licenses can potentially help to reduce liabilities and risks associated with those licenses, because the organization is more aware of compliance issues and software and applications expiration dates. On average about 20% of IT costs consist of software and applications licensing. The software and application venders have also become more diligent when it relates to ensuring their clients are in compliance with their licensing agreements. Wireless Networking
The wireless network is much harder to secure because of the absence of hardwired links. All of the store locations across the United States have a 2 wireless networks, one for customers and the other for the internal network. The reason that the network is so vulnerable is because its broadcasting itself wireless name and it can be connected to as a wireless access point (WAP). This allows any client computer to connect to the network without it being physically linked. There are many good things about wireless networks but there are also many bad things.
Being that the wireless networks are accessible to the public there needs to be certain safeguards in place to prevent exposure to the network from intrusions, viruses, malicious code, loss of data and unauthorized access. There are several software tools available that can be used to conduct wireless network audits. The most popular tools are PrismDump and NetStumbler. The following are two wireless auditing technique objective’s. First we need to assure that transmissions are received by authorized individuals only.
There should be a MAC address filtering option available on the wireless access point that should be enabled so that only specified NICs are able to connect to the access point. You can also make use of digital certificates or passwords for reconnection purposes. Another objective is to assure that data the user should not see is available to them when they connect to the wireless network. The data that is not accessible by a particular user should be encrypted so it basically useless to an unauthorized user. (Hoesing & Raval, 2015) Cloud Computing
The management plan for conducting an IT audit would include the tool audit/assurance program. The use of this tool will help provide an assessment for the stakeholders on the effectiveness of the internal security and controls related to the cloud computing environment. Deficiencies within the internal controls can be identified. An assessment can be prepared for the stakeholders that will help them determine if the quality and reliability of the service they are being provided is compliant with the results of the internals control audits.
Virtualization The management plan for conducting an IT audit on virtualization relies heavily on the knowledge that the IT auditor in reference to the VM technology and also the risks that are associated with same. In order for a virtualization IT audit be successful there has to be an adequate understanding of the entire VM infrastructure. The audit should always allow room for an assessment to be made as to whether a business needs to move from physical servers to virtual ones and if this will provide any sort of benefit.
All of the audits that are used to audit physical system are relevant when auditing virtual systems. The results of the audit should be shared with management so that any discrepancy that is found in the control procedures or standards can be rectified. Cybersecurity and Privacy The management plan for conducting an IT audit on cybersecurity and privacy for this organization is mainly based upon the cyber-security framework that is provide by the National Institute of Standards and Technology.
The National Institute of Standards and Technology framework is a very useful tool that can be easily used for addressing cybersecurity risks. Once the vulnerabilities are determined, the results from the internal audit can be used to help clarify what the potential consequences might be if those vulnerabilities are exploited. At that time the audit should help to determine if the right controls were in place, or if the controls were lacking. This will all help when it come time to remediate the risks.
BCP and DRP The management plan for conducting an IT audit on BCP and DRP. The first thing that should be accomplished is that the organizations BCP and DRP readiness needs to be evaluated. It needs to be determined if these plans have sound processes in place that would help the organization maintain their normal business operations if a disaster were to occur. The audit of these two plans need include an accurate review to determine if they reflect the current environment and its systems.
The audit should also include any relevant information that helps to determine if the plans meet the recovery objectives. The critical business processes should be the main focus of this audit to ensure a disaster will not destroy the company. (Edmead, 2008) Network Security The management plan for conducting an IT audit on Network Security will utilize a few different assessments such as penetration testing, security audits and vulnerability assessments.
The three audit approaches use a different method to accomplish their assessment’s. The penetration testing is more of a covert operation that attempts a number of attacks to help determine if the systems can survive an actual attack. The security audits use a list of particular criteria to measure the information system’s performance. The vulnerability assessment includes a complete study of the entire information system, attempting to find any potential security weaknesses. (Rouse, 2007)
