Stakeholder memorandum

TO: IT Manager, stakeholders

FROM: (Your Name)
DATE: (Today’s Date)
SUBJECT: Internal IT audit findings and recommendations

Dear Stakeholders,

Please review the following details of the internal audit of Botium Toys: the audit's scope and goals, its critical and non-critical findings, and a summary with recommendations.

Scope:

  • The following systems are in scope: accounting, endpoint detection, firewalls, intrusion detection system, SIEM tool. These systems will be evaluated for:
    • Current user permissions
    • Current implemented controls
    • Current procedures and protocols
  • The evaluation criteria for the systems in scope will focus on ensuring that existing user permissions, controls, procedures, and protocols are in alignment with both PCI DSS and GDPR compliance requirements.
  • Ensure all current technology is accounted for, covering both hardware assets and system access.

Goals:

  • Adhere to the NIST CSF.
  • Establish a better process for Botium Toys' systems to ensure they remain compliant.
  • Fortify system controls.
  • Adopt the principle of least privilege for user credential and access management.
  • Establish policies and procedures, including playbooks.
  • Ensure they are meeting compliance requirements.

Critical findings (must be addressed immediately):

  • Multiple controls need to be developed and implemented to meet the audit goals, including:
    • Least privilege and separation of duties controls
    • Disaster recovery plans
    • Password, access control, and account management policies, including the implementation of a password management system
    • Encryption (to secure website transactions and cardholder data in transit)
    • Intrusion detection system (IDS)
    • Backups
    • Antivirus (AV) software
    • CCTV
    • Locks
    • Manual monitoring, maintenance, and intervention for legacy systems
    • Fire detection and prevention systems
  • Policies need to be developed and implemented to meet PCI DSS and GDPR compliance requirements.
  • Policies need to be developed and implemented to align with SOC 1 and SOC 2 guidance related to user access policies and overall data safety.

Findings (should be addressed, but no immediate need):

  • The following controls should be implemented when possible:
    • Time-controlled safe
    • Adequate lighting
    • Locking cabinets
    • Signage indicating alarm service provider

Summary and Recommendations

It is strongly advised that Botium Toys promptly address all critical findings related to PCI DSS and GDPR compliance. Because the company processes online transactions for a global customer base, including customers in the European Union, adherence to both regulations is mandatory rather than optional.

Furthermore, in line with the audit's goal of adopting a least privilege approach, it is recommended that Botium Toys consult SOC 1 and SOC 2 guidance. That guidance can inform the development of robust user access policies and contribute to overall data security.

The implementation of disaster recovery plans and backup solutions is also crucial. These measures are foundational to ensuring business continuity in the event of a security incident.

To improve the ability to identify and mitigate potential threats, the deployment of an Intrusion Detection System (IDS) and Antivirus (AV) software is recommended. This is particularly important given that Botium Toys' legacy systems currently require manual monitoring, maintenance, and intervention.

For the physical security of assets at Botium Toys’ sole location, the installation of locks and Closed-Circuit Television (CCTV) is advised. These measures will not only secure physical assets, including equipment, but also facilitate the monitoring and investigation of potential threats.

While not immediately critical, future security improvements should include time-controlled safes, adequate lighting, locking cabinets, and visible signage indicating the presence of an alarm service provider. Together with the critical controls listed above, these measures will further bolster Botium Toys' security posture.
