Lab Exercise: IT Security Audit
LABORATORY EXERCISE
Instructions
1. Read thoroughly and understand the given scenario.
2. Accomplish the IT Security Questionnaire Checklist for ISO 27001.
3. Based on the result of the checklist, recommend solutions (controls) to prevent or mitigate the IT security issues faced by the company.
4. Send your answer through e-mail: rhentecson.ccsict.isue@gmail.com
Company Overview
ABC Retail is a national retail chain that operates both brick-and-mortar stores and an extensive online shopping platform. The company manages a wide range of customer data, including payment information, personal details, and purchase histories. It employs around 5,000 people and has an IT infrastructure that supports its operations, including inventory management, customer relationship management (CRM), and point-of-sale (POS) systems. However, ABC Retail has faced IT security issues. Its IT security framework is outdated and fragmented: the company has implemented basic security measures, such as firewalls, antivirus software, and password policies, but lacks a comprehensive and integrated approach to information security. The company suffered a phishing attack, and the attackers were able to:
1. Extract sensitive customer data, including credit card information and personal identifiers.
2. Inject malware into the POS systems, leading to fraudulent transactions and data leakage.
3. Initiate a ransomware attack, encrypting critical data and demanding a ransom for the decryption keys.
During the investigation, the following IT security issues were found:
1. Inadequate Email Security. The phishing attack exploited weak email security protocols. There was no advanced threat protection or robust spam filtering to prevent malicious emails from reaching employees.
2. Lack of Employee Training. Employees were not adequately trained to recognize and respond to phishing attempts, making them easy targets for social engineering attacks.
3. Insufficient Network Segmentation. Once inside the network, attackers moved laterally with ease because of a lack of proper network segmentation, exposing critical systems and data.
4. Poor Incident Response Plan. The company lacked a robust incident response plan, resulting in delayed detection of and response to the breach.
5. Outdated Security Policies. Security policies were outdated and did not address the latest threats or incorporate best practices for cybersecurity, and no new IT Security Officer had been assigned.
IT Security Questionnaire Checklist for ISO 27001 Compliance
ABC Retail Company
NAME ______________________________________________________________________
Questions | Compliance (Yes/No) | Remarks (If No, please put remarks.)
17. Are physical security controls in place to protect facilities and data centers?
18. Are there controls to prevent unauthorized physical access to sensitive areas?
19. Is equipment protected from environmental threats and hazards?
Section 7: Operations Security
Questions | Compliance (Yes/No) | Remarks (If No, please put remarks.)
20. Are operating procedures documented and maintained?
21. Are changes to the IT environment controlled through a formal change management process?
22. Are antivirus and anti-malware solutions deployed and regularly updated?
23. Are backups performed regularly, and are backup restoration processes tested?
Questions | Compliance (Yes/No) | Remarks (If No, please put remarks.)
24. Are networks adequately protected against threats (e.g., firewalls, IDS/IPS)?
25. Is sensitive information transmitted over networks encrypted?
26. Are agreements in place for the secure exchange of information with third parties?
Questions | Compliance (Yes/No) | Remarks (If No, please put remarks.)
Is there a mechanism for continuously monitoring and reviewing the effectiveness of the ISMS?
Are regular management reviews conducted to assess the performance and suitability of the ISMS?