Recommend which internal controls should be addressed during an IT audit based on your risk assessment

Introduction

You are asked to conduct a risk assessment using the principles introduced in our Risk Assessment lesson and NIST Special Publication 800-30, Revision 1. Below is a scenario presented to you as the IT auditor. For this project, you will review the evidence given here, scope the IT audit based on the internal controls described below, and conduct a risk assessment. Based on your assessment, you will provide a recommendation on which internal controls to audit.

Project Description

• The company's password policy requires a minimum of 6 characters.
• Passwords are not required to be changed.
• Usernames and passwords are the only authentication method used for logging into systems with sensitive business records.
• When an employee leaves the company, it is found that user accounts are not deleted.
• The company stores its sensitive business data on local servers physically located all in one building.
• There are no backups of the company's business data.

Grading

Your project should be well-written and easy to understand by your company's executives. Be sure to be clear and precise in your description and assessment. Your risk assessment should contain the following sections/information. The expected length of the project is 5-10 pages, double spaced, 12 pt font.

• [10 points] Describe the risk assessment framework (NIST 800-30, Lesson 3, other research you may have done)

• [60 points] Conduct a risk assessment based on the evidence presented above using the framework you’ve described. You should address threats and vulnerabilities for each. Use risk assessment level and scoring to quantify your risk and provide qualitative description of your assessment.

• [25 points] Recommend which internal controls should be addressed during an IT audit based on your risk assessment

• [5 points] Writing style – easy to read and understand, clear and precise, free of grammatical errors, recommendations supported by evidence
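The scoring criterion above asks for risk levels derived from likelihood and impact and a ranked recommendation of controls. The following Python script is an added worked example, not part of the assignment or of NIST SP 800-30: it builds a small risk register for the six evidence items, combines likelihood and impact using the level-of-risk matrix transcribed from Table I-2 of SP 800-30 Rev. 1 (verify the transcription against the publication before relying on it), and returns the control areas that fall above a chosen risk threshold. Every likelihood and impact rating, the control names, and the multiplication used to rank findings within a level are assumptions made for this example; the assignment states none of them.

```python
from dataclasses import dataclass

# NIST SP 800-30 Rev. 1 qualitative scale, lowest to highest.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Representative semi-quantitative values for each level (the publication's
# appendix scales use 0, 2, 5, 8 and 10 as the single-value forms).
LEVEL_VALUE = {"Very Low": 0, "Low": 2, "Moderate": 5, "High": 8, "Very High": 10}

# Level of risk as a combination of likelihood (rows) and impact (columns),
# transcribed from Table I-2 of SP 800-30 Rev. 1; columns follow LEVELS order.
RISK_MATRIX = {
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low",      "Low"],
    "Low":       ["Very Low", "Low",      "Low",      "Low",      "Moderate"],
    "Moderate":  ["Very Low", "Low",      "Moderate", "Moderate", "High"],
    "High":      ["Very Low", "Low",      "Moderate", "High",     "Very High"],
    "Very High": ["Very Low", "Low",      "Moderate", "High",     "Very High"],
}


@dataclass(frozen=True)
class Finding:
    control: str        # internal control area an auditor would test
    vulnerability: str  # the evidence item from the scenario
    threat_event: str   # what an adversary or accident does with it
    likelihood: str     # assumed overall likelihood, one of LEVELS
    impact: str         # assumed level of impact, one of LEVELS


def risk_level(likelihood: str, impact: str) -> str:
    """Qualitative level of risk per Table I-2."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"unknown level: {likelihood!r} / {impact!r}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def risk_score(likelihood: str, impact: str) -> int:
    """Semi-quantitative score 0-100 (likelihood value x impact value).

    The multiplication is this example's own choice for ranking findings
    inside one level; SP 800-30 leaves the arithmetic to the organisation."""
    return LEVEL_VALUE[likelihood] * LEVEL_VALUE[impact]


# The six evidence items from the scenario. Likelihood and impact ratings are
# assumptions made for this example, not values stated in the assignment.
SCENARIO_FINDINGS = [
    Finding("Password length and complexity policy",
            "minimum password length is 6 characters",
            "offline cracking or online guessing of short passwords",
            "High", "High"),
    Finding("Credential rotation and revocation",
            "passwords are never required to change",
            "a leaked password stays valid indefinitely",
            "Moderate", "Moderate"),
    Finding("Multi-factor authentication for sensitive systems",
            "username and password are the only factor",
            "phished or reused credentials give full access to records",
            "High", "Very High"),
    Finding("Account deprovisioning (leaver process)",
            "accounts of departed employees are not deleted",
            "ex-employee or attacker uses an orphaned account",
            "High", "High"),
    Finding("Geographic redundancy of infrastructure",
            "all servers are in one building",
            "fire, flood or power loss takes every system offline",
            "Low", "Very High"),
    Finding("Backup and recovery",
            "no backups of business data exist",
            "ransomware or hardware failure destroys the only copy",
            "High", "Very High"),
]


def assess(findings):
    """Risk register rows, highest risk first; ties broken by control name."""
    rows = [
        {
            "control": f.control,
            "vulnerability": f.vulnerability,
            "threat_event": f.threat_event,
            "likelihood": f.likelihood,
            "impact": f.impact,
            "level": risk_level(f.likelihood, f.impact),
            "score": risk_score(f.likelihood, f.impact),
        }
        for f in findings
    ]
    rows.sort(key=lambda r: (-r["score"], r["control"]))
    return rows


def controls_to_audit(findings, minimum_level="Moderate"):
    """Controls whose risk level is at or above minimum_level, ordered by risk."""
    floor = LEVELS.index(minimum_level)
    picked = [r["control"] for r in assess(findings)
              if LEVELS.index(r["level"]) >= floor]
    return list(dict.fromkeys(picked))  # de-duplicate, keep order


if __name__ == "__main__":
    for r in assess(SCENARIO_FINDINGS):
        print(f'{r["score"]:3d} {r["level"]:9s} {r["control"]}: {r["threat_event"]}')
    print("Audit scope:", controls_to_audit(SCENARIO_FINDINGS, "High"))
```

With the assumed ratings, the two Very High findings (no backups, single-factor access to sensitive records) head the register, the two High findings (orphaned accounts, 6-character minimum) follow, and the two Moderate findings close it, so an audit scoped at High or above covers four controls. One caveat for the rotation finding: NIST SP 800-63B advises against forcing periodic password changes without evidence of compromise, so in a report that item is better framed as a missing revocation process for compromised credentials than as missing rotation.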
