Project 2: Performing a Security Audit
- Ben Lee
- May 13, 2023
- 2 min read
Updated: Jul 10, 2023
Today, I'll be performing my first security audit, provided and encouraged by the Google Cybersecurity Certification.
This is the fictional scenario I was given:
Botium Toys is a small U.S. business that develops and sells toys. The business has a single physical location. However, its online presence has grown, attracting customers in the U.S. and abroad. Their information technology (IT) department is under increasing pressure to support their online market worldwide.
The manager of the IT department has decided that an internal IT audit needs to be conducted. She expresses concerns about not having a solidified plan of action to ensure business continuity and compliance, as the business grows. She believes an internal audit can help better secure the company’s infrastructure and help them identify and mitigate potential risks, threats, or vulnerabilities to critical assets. The manager is also interested in ensuring that they comply with regulations related to accepting online payments and conducting business in the European Union (E.U.).
The IT manager starts by implementing the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), establishing an audit scope and goals, and completing a risk assessment. The goal of the audit is to provide an overview of the risks the company might experience due to the current state of their security posture. The IT manager wants to use the audit findings as evidence to obtain approval to expand her department.
Your task is to review the IT manager’s scope, goals, and risk assessment. Then, perform an internal audit to complete a controls assessment and compliance checklist.
Firstly, I reviewed the audit's scope and goals. Then I went through the risk assessment of this fictional company.
Then, I conducted the audit by reviewing each control type, marking an 'X' next to each security control I viewed as necessary, and noting the level of priority for each.
After that, I completed a compliance checklist for the laws and regulations this fictional company needed to adhere to.
Finally, to communicate the security audit results and recommendations to stakeholders, I prepared a memorandum that summarizes the findings I discovered.
The end results can be found here:
Control assessment: https://docs.google.com/document/d/1OoKAG9lrh_z2HbbI2_R6DrU7WFegnWLzcNZ6nntgkCU/edit?usp=sharing&resourcekey=0-EgPwlCK_zmGJWnYSRdfG4A
Compliance checklist: https://docs.google.com/document/d/1ZiIruLmDksQt6_eimDNEnMhxBnceQbxpfrsoibMyU80/edit?usp=sharing
Memorandum:
Overall, this has been a very enlightening experience and is a good step up in my cybersecurity journey.