The task was to develop an audit scope and business line breakdown, based on the supplied narrative for our fake organization, the "Department of Controlled Substances (DCS)". I was an external auditor who has been contracted to come and perform a full-scale, top-to-bottom audit of DCS.
INFORMATION SYSTEMS SECURITY PROGRAM
Department of Controlled Substances
FYE December 31st, 20XX
This audit program covers the security over the information systems of the Department of
Controlled Substances (DCS). A description of critical agency systems, security controls, and
information system structure is documented in the following narrative. These systems support the
processes described in the other audit programs comprising this entire audit project.
The test procedures in this program support the systems security test objectives as well as the audit
objectives outlined in the program. However, it does not test all internal controls built into
information systems used by the Department of Controlled Substances (DCS). System controls
that provide for things such as data accuracy and completeness (application controls) should be
addressed in the appropriate business process audit program.
Step 1: Narrative
Provide the detailed narrative of the Agency’s or Institution’s IT Environment as it relates to the
audit objectives and financial assertions of the general audit program. Document the internal
control processes as they relate to the confidentiality, integrity, and availability of information.
Step Completed by & Date: Christopher Purdin, April 13, 2019
Step Reviewed by & Date: Shaswat Khatiwada, April 13, 2019
CONTACTS
Chuck Ross Chief Information Officer
rosscd@vcu.edu 804.XXX.XXXX
Matt Robinett Chief Information Security Officer
robinettmw@vcu.edu 804.XXX.XXXX
NARRATIVE
The IT Narrative can be found embedded in the attached document, labeled “DCS IT
Narrative.docx”.
Step 2: Scope
Document the scope limitations for this particular project. Be as specific as possible when
describing particular systems. Please list specific system names, platforms, and the applications
they support. Also, document the reasoning for the scope of this particular program. Include how
compensating controls will be evaluated in the absence of documented policies and procedures, or
whether a management point is warranted.
In my opinion, based on the agency’s procedures described above and an evaluation of their
internal control structure, the audit procedures listed below are adequate.
Group sign/date: Group 1, April 15, 2019
Project Manager sign/date: [Chuck or Matt will sign off, and Date]
SCOPE
1. Group 1 will be auditing the Warehouse Inventory Management System (WIMS). WIMS is a
mission-critical, externally accessible system located on the dcs.wims.01 server. Both LDAP and
AD are employed for controlling access. As a system that is accessible by vendors, customers,
and employees, the proper functioning of this system is very important. Because the server is
externally accessible, a failure could result in a loss of inventory information and a major
disruption in operations. This could also mean a loss of financial data, inventory information,
and shipping information.
2. Group 1 will also be auditing the Disaster Recovery Plan (DRP). We have chosen this area to
audit because, in the event of a catastrophic disaster, it is necessary for DCS to continue
operations. Even though the COOP was approved 2 years ago, we noticed that the DRP is relatively
new and has not been tested in coordination with the COOP: "The COOP was tested in 20XX-1, but
because the DRP is relatively new, the DRP has not been tested in coordination with the COOP."
If the DRP is not updated, DCS might not have a proper plan when the system fails. Failure to
update the DRP could have a huge financial and technical impact.
These reviews should give reasonable assurance over core components of the DCS IT environment
and help support the conclusions reached in the financial statement audit performed by the financial
auditors.
Program Legend:
Andrew Eldridge
Urvesh Patel
Shaswat Khatiwada
Christopher Purdin
Brijesh Suthar
AUDIT PROCEDURES
Step 3: Planning
A. Document the discussions and meetings that took place to derive your scope. Include class
sessions with instructors, emails/conversations directly with instructors and your cohorts, industry
research, and risks you noted in the DCS IT Narrative.
B. Prepare the DCS Case Study Excel document and embed it in the planning section.
Step Completed by & Date: Christopher Purdin, April 12, 2019
Step Reviewed by & Date: Shaswat Khatiwada, April 12, 2019
Auditor Planning Documentation
Group 1 was given the opportunity to develop the scope of our audit for the DCS system. After
our initial investigation there were a number of both technical and non-technical areas we wished
to review. Due to time constraints and the work of the rest of the audit team, our instructor
assigned us the Web Application Review and the IT Disaster Recovery Plan Review. Both of these
reviews were in our initial development of scope, and we felt they warranted a closer look. The
functionality of the WIMS is critical enough to business processes that its misconfiguration or
failure to perform its tasks could result in major disruptions for DCS. Our analysis of the IT
Narrative further indicated reasons pointing to the necessity of a complete audit of the WIMS and
DRP. Without a proper DRP in place, DCS will be dead in the water when disaster strikes,
resulting in huge financial losses and disruption of operations.
Step 4: Preliminary Risk Assessment
Considering the audit risk, fraud risk, and internal controls, determine and document the
following risks and the supporting information for the system security process:
*Control risk is the risk that an error could occur in an audit area, and which could be
material, individually or in combination with other errors, but the internal control system
will not prevent or detect and correct the error on a timely basis.
Step Completed by & Date: Christopher Purdin, April 15, 2019
Step Reviewed by & Date: Shaswat Khatiwada, April 15, 2019
PRELIMINARY RISK ASSESSMENT
Auditor determined that the preliminary control risk is medium.
Group 1 has established the preliminary control risk to be medium. This was determined during
the planning phase of our work and our review of the essential documents. Our group determined
that DCS is using custom-tailored applications on mission-critical systems that do not appear to
have corresponding documentation of their configuration. Our group will dive further into this
matter during fieldwork to determine whether this risk has been realized at DCS.
TEST WORK
While the confidentiality, integrity, and availability of information relating to financial statements
are maximized through a mature information security program and the concept of “defense-in-depth”
(that is, an exponential relationship between the layers of information security controls in place
and the level of protection achieved), the audit test work in this program is focused on, and based
on, the risks identified above.
DCS Warehouse Inventory Management System (WIMS)
WEB APPLICATION SECURITY
AUDIT PROGRAM
Audit Contact(s): Christopher Purdin, Auditor, purdinch@vcu.edu
Shaswat Khatiwada, Auditor, khatiwadas@vcu.edu
Andrew Eldridge, Auditor, eldridgeab@vcu.edu
Urvesh Patel, Auditor, patelus@vcu.edu
Brijesh Suthar, Auditor, sutharbb@vcu.edu
Document Reference(s): DCS Audit Response- WIMS Web Application
DCS IT Change Management Process
DCS IT Risk Assessment (WIMS)
DCS IT Disaster Recovery Plan
Documentation Legend: Andrew Eldridge
Urvesh Patel
Shaswat Khatiwada
Christopher Purdin
Brijesh Suthar
Program Outline: Step 1 – Web Application Environment
Step 2 – Web Application Configuration
Step 3 – Session ID Management
Step 4 – Input Data Handling
Step 5 – Output Data Handling
Step 6 – Web Application Audit Program Conclusion
Program Conclusion
Auditor Purdin performed an evaluation of all audit work performed on the DCS Warehouse Inventory
Management System and determined the current configuration poses a significant security risk. There is
no baseline configuration for a custom application and system that is public facing and contains
mission-critical business data. This increases the likelihood of a failure on this system that could
result in a disruption of service and financial loss. The WIMS system is similarly failing to provide
adequate password protections in line with best practices and SEC 501 guidelines. Finally, the lack of
vulnerability scanning on this system puts DCS at a higher inherent risk than otherwise. Without actively
scanning for vulnerabilities, there is an increased chance they will not be discovered until they have
been exploited, resulting in more loss for DCS.
Program Completed by: Christopher Purdin, April 15, 2019
Program Reviewed by: Shaswat Khatiwada, April 15, 2019
Step 1 – Web Application Environment
Objective
The web application environment is developed and maintained to assure protection of
organization assets and sensitive data.
Control:
The web application has been developed with appropriate architecture, and up to date server
hardware and software configurations to ensure a secure environment.
Step Conclusion:
Auditor Purdin reviewed the DCS Warehouse Inventory Management System and determined its
current configuration poses a risk to DCS. It was determined that the operating systems and software
running on the WIMS are not the most current versions and are out of date by several releases.
Failure to keep software patched and up to date puts DCS at a high risk of a data breach that could
result in financial loss. It was also found that DCS does not have a baseline configuration for its
WIMS system. Without a proper baseline configuration documented, DCS is at a higher risk in the
event of a total system failure.
Deemed not reasonable, see Observation # 3, 4, 5, 6, 7, 8, 9, 13
Step Completed by: Christopher Purdin, April 12, 2019
Step Reviewed by: Shaswat Khatiwada, April 13, 2019
Step 1.1 – Web Application Environment Test Work
1. Identify the network architecture and obtain a network diagram which identifies the web
servers, application server, and database server.
Auditor Purdin reviewed the DCS IT Narrative and determined the network architecture to be as
pictured below.
Deemed reasonable.
2. Determine if the architecture is three-tier (preferred) or two-tier (requires risk assessment and
acceptance).
Auditor Purdin reviewed DCS Audit Responses for Web Application Security for WIMS and
after examining the network diagram determined the architecture is three-tier.
Deemed reasonable, three tier architecture separates the user interface logic from the business
logic and is easier to maintain, manage, and scale.
3. Identify the operating system running on the server(s), for example Windows, UNIX,
LINUX, etc.
Auditor Purdin reviewed DCS Audit Responses for Web Application Security for WIMS and
determined the application server to be running on Red Hat Enterprise Linux V 6.6. Auditor
Purdin determined the database server to be running IBM AIX v6.1.
Deemed not reasonable. SEC 501-09.1 SI-2-COV states “The organization...Applies all security
updates as soon as possible after appropriate testing, not to exceed 90 days for implementation”
and “prohibits the use of software products that the software publisher has designated as End-Of-
Life/End-of-Support.”
4. Determine whether all critical patches for the Operating System have been installed.
Auditor Purdin reviewed DCS Audit Responses for Web Application Security for WIMS and
determined that neither the RHEL nor the IBM AIX operating system has the most up-to-date patches
installed. The most current RHEL release is V 7.6; the most current IBM AIX release is V 7.2.
Deemed not reasonable. SEC 501-09.1 SI-2-COV states “The organization...Applies all security
updates as soon as possible after appropriate testing, not to exceed 90 days for implementation.”
5. Identify the web server software (IIS, Apache, etc.) and determine if it is current.
Auditor Purdin reviewed DCS Audit Responses for Web Application Security for WIMS and
determined the web server uses Oracle WebLogic Server V 10.3.6.0. Current iteration of Oracle
WebLogic Server is V 12.2.1.3.
Deemed not reasonable. SEC 501-09.1 SI-2-COV states “The organization...Applies all security
updates as soon as possible after appropriate testing, not to exceed 90 days for implementation.”
6. Identify the application server software (Oracle Application Server, BEA Web Logic, IBM
WebSphere, etc.) and determine if it is current.
Auditor Purdin reviewed DCS Audit Responses for Web Application Security for WIMS and
determined application server software is Oracle Tuxedo V 11.1.1.3.0, Patch Level 021. Current
iteration of Oracle Tuxedo is V 12.2.2.
Deemed not reasonable. SEC 501-09.1 SI-2-COV states “The organization...Applies all security
updates as soon as possible after appropriate testing, not to exceed 90 days for implementation.”
7. Identify the database server software and determine if it is current.
Auditor Purdin reviewed DCS Audit Responses for Web Application Security for WIMS and
determined database server software is Oracle Database 11g Enterprise Edition Release
11.2.0.3.0. The most current iteration of Oracle Database is V18.4.
Deemed not reasonable. SEC 501-09.1 SI-2-COV states “The organization...Applies all security
updates as soon as possible after appropriate testing, not to exceed 90 days for implementation.”
8. Determine if a baseline hardware configuration has been established for the server(s) and
verify that the actual configuration and baseline are in sync.
Auditor Purdin reviewed DCS Audit Responses for Web Application Security for WIMS and
determined DCS does not have any baseline hardware configurations.
Deemed not reasonable. SEC 501-09.1 CM-2 states “The organization develops, documents,
and maintains under configuration control, a current baseline configuration of the information
system.”
9. Determine if a baseline software configuration has been established for the application server
and the database server and verify that the actual configuration and baseline are in sync.
Auditor Purdin reviewed DCS Audit Responses for Web Application Security for WIMS and
determined DCS does not have any baseline software configurations.
Deemed not reasonable. SEC 501-09.1 CM-2 states “The organization develops, documents,
and maintains under configuration control, a current baseline configuration of the information
system.”
10. Determine if the server(s) software configuration includes malware protection, that it is
installed, and current.
Auditor Purdin reviewed DCS Audit Responses for Web Application Security for WIMS and
determined DCS does not employ malware protection on its servers but instead utilizes Nitro
McAfee IDS.
Deemed reasonable.
11. Determine if the server(s) are included in the backup scheme for the agency/institution and
verify that backups are current.
Auditor Purdin reviewed DCS Audit Responses for Web Application Security for WIMS and the
DCS System Backup & Recovery Practices and determined the servers are included in the backup
scheme for DCS and backups are current.
Deemed reasonable.
12. Determine if audit logging is enabled as per policy, the logs are being reviewed, and
archived.
Auditor Purdin reviewed DCS Audit Responses for Web Application Security for WIMS and the
DCS Backup and Restoration Policy and determined audit logging is enabled and logs are
reviewed and archived.
Deemed reasonable.
13. Determine if the agency/institution regularly scans the server(s) for vulnerabilities and obtain
copies of the most recent scans.
Auditor Purdin reviewed DCS Audit Responses for Web Application Security for WIMS and
determined DCS does not use vulnerability scanning.
Deemed not reasonable. SEC 501-09.1 Section AU-6 (5) Audit Review, Analysis, and Reporting |
Integration / Scanning and Monitoring Capabilities states, “The organization integrates analysis of
audit records with analysis of vulnerability scanning information; performance data; information
system monitoring information; to further enhance the ability to identify inappropriate or unusual
activity.”
14. Determine if changes to the hardware and software are controlled via change management.
Auditor Purdin reviewed DCS Audit Responses for Web Application Security for WIMS and the
DCS Information Technology Change Management Process and determined changes made to
both hardware and software are controlled via change management.
Deemed reasonable.
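The version-currency and baseline findings in items 3 through 9 lend themselves to a repeatable check. The following Python script is an added example written for this page, not part of the audit program or of any DCS tooling: it parses the installed and current versions recorded above, flags any component that is behind the current release or past the 90-day window in SI-2-COV, and flags the missing baseline configuration required by CM-2. The last_patched dates, the baseline field and the AS_OF date are constructed assumptions for the example; only the version strings come from the test work.

```python
import re
from datetime import date

# SEC 501-09.1 SI-2-COV: security updates applied within 90 days of release
PATCH_WINDOW_DAYS = 90

# Constructed inventory for the WIMS tiers. The installed and current versions are the
# ones recorded in the test work; last_patched dates and the baseline field are
# hypothetical values added for this example (None = no documented baseline).
INVENTORY = [
    {"component": "RHEL (application server OS)", "installed": "V 6.6",
     "current": "V 7.6", "last_patched": date(2018, 6, 1), "baseline": None},
    {"component": "IBM AIX (database server OS)", "installed": "v6.1",
     "current": "V7.2", "last_patched": date(2018, 9, 15), "baseline": None},
    {"component": "Oracle WebLogic Server", "installed": "V 10.3.6.0",
     "current": "V 12.2.1.3", "last_patched": date(2019, 3, 1), "baseline": None},
    {"component": "Oracle Tuxedo", "installed": "V 11.1.1.3.0, Patch Level 021",
     "current": "V 12.2.2", "last_patched": date(2018, 12, 20), "baseline": None},
    {"component": "Oracle Database 11g EE", "installed": "Release 11.2.0.3.0",
     "current": "V18.4", "last_patched": date(2017, 11, 30), "baseline": None},
]
AS_OF = date(2019, 4, 12)  # fieldwork date taken from the step sign-off


def parse_version(text):
    """Pull the first dotted numeric version out of strings such as 'V 10.3.6.0' or 'Release 11.2.0.3.0'."""
    match = re.search(r"\d+(?:\.\d+)*", text)
    if match is None:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_behind(installed, current):
    """True when the installed version sorts below the current release (missing parts count as 0)."""
    a, b = parse_version(installed), parse_version(current)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def assess_component(item, as_of=AS_OF):
    """Return the list of SI-2 / CM-2 exceptions for one inventory record (empty = no exception)."""
    exceptions = []
    if is_behind(item["installed"], item["current"]):
        exceptions.append(f"installed {item['installed']} is behind current {item['current']}")
    age = (as_of - item["last_patched"]).days
    if age > PATCH_WINDOW_DAYS:
        exceptions.append(f"last patched {age} days ago, beyond the {PATCH_WINDOW_DAYS}-day window")
    if item["baseline"] is None:
        exceptions.append("no documented baseline configuration (CM-2)")
    return exceptions


def assess_inventory(inventory=INVENTORY, as_of=AS_OF):
    """Map each component name to its exceptions; components with none are still listed."""
    return {item["component"]: assess_component(item, as_of) for item in inventory}


if __name__ == "__main__":
    for name, exceptions in assess_inventory().items():
        verdict = "Deemed not reasonable" if exceptions else "Deemed reasonable"
        print(f"{name}: {verdict}")
        for text in exceptions:
            print(f"  - {text}")
```

Feeding the script a fresh export of the agency's asset inventory each quarter turns items 3 through 9 into an evidence-producing control rather than a one-off observation; the version parser deliberately ignores suffixes such as "Patch Level 021" so vendor strings can be pasted in unchanged.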
Step 2 – Web Application Configuration
Objective
The web application has been appropriately configured to reasonably secure sensitive data and
protect against vulnerabilities that may be exploited by hackers to gain access to the system for
malicious purposes.
Control:
The web application is developed using industry best practices to ensure proper configuration
management.
Step Conclusion:
Auditors Khatiwada and Purdin determined that there are gaps in the configuration of the WIMS
Web Application that prevent it from reasonably securing sensitive data and protecting against
vulnerabilities that may be exploited by hackers to gain access to the system for malicious
purposes, such as the absence of a prohibition on password reuse, a limit on login attempts, and
complexity requirements (special characters, alphabetical characters, numerical characters, and a
combination of uppercase and lowercase letters). Without appropriate configuration, WIMS may be
exposed to vulnerabilities that pose a risk to DCS.
Deemed Not Reasonable - See SEC501-09.1 Section IA-5 Under Control Enhancement for
Sensitive Systems and AC-7 Unsuccessful Login Attempt.
Step Completed by: Shaswat Khatiwada & Christopher Purdin, April 14, 2019
Step Reviewed by: Brijesh Suthar, April 15, 2019
Step 2.1 – Web Application Configuration Test Work
1. Determine if default content and sample is removed from the web application.
Auditor Purdin reviewed DCS Audit Responses for Web Application Security for WIMS and per
DCS response “Default content has not been disabled. We maintain several default pages for
script viewing that use default content.”
Deemed Reasonable.
2. Determine if directory indexing is disabled.
Auditor Purdin reviewed DCS Audit Responses for Web Application Security for WIMS and
determined indexing has been disabled.
Deemed Reasonable.
3. Determine if server header information is sanitized.
Auditor Purdin reviewed DCS Audit Responses for Web Application Security for WIMS and
determined server header information has been sanitized.
Deemed Reasonable.
4. Evaluate the controls surrounding end user and administrative user authentication. Evaluate
for reasonableness. Consider the following controls:
a. Password Strength (length)
b. Password Complexity (upper, lower, special, numerical etc.)
c. Password Age (forced change)
d. Password History (reuse)
e. Max Login Attempt
Auditor Khatiwada reviewed DCS Audit Responses for Web Application Security for WIMS (page 1 of
WIMS Web Application.doc).
A. Password length: it was determined that a minimum length of 8 characters is properly enforced. It
was also determined that the program will not allow a password longer than 10 characters (page 1).
B. Password complexity: it was determined that the program does not check for upper, lower, special,
or numerical characters (see SEC 501-09.1 IA-5 below).
C. Password age (forced change): it was determined that the program does enforce a forced change
based on password age (page 3).
D. Password history (reuse): it was determined that the program does not check password history for
reuse.
E. Max login attempts: it was determined that the program “needs to put some locking functionality”
and does not check for a maximum number of login attempts.
Deemed Not Reasonable - See SEC 501-09.1:
B. IA-5, under Control Enhancement for Sensitive Systems, requires at least three of the following:
special characters, alphabetical characters, numerical characters, and a combination of uppercase
and lowercase letters.
D. IA-5, under Control Enhancement for Sensitive Systems, prohibits password reuse for 24
generations.
E. AC-7 Unsuccessful Login Attempts enforces a limit of 10 consecutive invalid login attempts
by a user during a 15 minute period.
5. Determine for account lockouts if timed lockouts are used to prevent account/password
guessing and/or brute force password guessing attempts.
Auditor Khatiwada reviewed the sign-off procedure for the WIMS Web Application. The sign-off
procedure was demonstrated by CISO Robinett. Login credentials were passed into the WIMS
application; after 15 minutes of inactivity, the user was logged out of the application and the CISO
demonstrated that access to the application was then unavailable.
Deemed Reasonable
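To make the IA-5 and AC-7 requirements cited in items 4 and 5 concrete, here is an added Python example, not code from the audit program or from WIMS, that enforces the minimum length, the three-of-four character classes, the 24-generation history and the 10-attempts-in-15-minutes lockout. The PBKDF2 work factor, the hashed history format and the DEMO_START timestamp are assumptions of the example; the point is that each of the failing checks B, D and E above is a few lines of server-side enforcement.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Thresholds taken from the SEC 501-09.1 clauses cited in the findings above (IA-5, AC-7).
MIN_LENGTH = 8
MIN_CHARACTER_CLASSES = 3              # at least three of upper, lower, numeric, special
HISTORY_GENERATIONS = 24               # no reuse of any of the last 24 passwords
MAX_FAILED_ATTEMPTS = 10               # 10 consecutive invalid attempts ...
FAILED_WINDOW = timedelta(minutes=15)  # ... within a 15-minute period
PBKDF2_ROUNDS = 50_000                 # hypothetical work factor chosen for this example
MINUTE = timedelta(minutes=1)
DEMO_START = datetime(2019, 4, 14, 9, 0)  # constructed clock value for the demonstration

CHARACTER_CLASSES = {
    "uppercase": r"[A-Z]",
    "lowercase": r"[a-z]",
    "numeric": r"[0-9]",
    "special": r"[^A-Za-z0-9]",
}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 so the history can be compared without storing plaintext."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_new_password(candidate, history):
    """Return the list of IA-5 failures for a proposed password; an empty list means it is acceptable.

    history holds (salt, digest) pairs for the user's previous passwords, oldest first.
    """
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"length {len(candidate)} is below the minimum of {MIN_LENGTH}")
    present = [name for name, pattern in CHARACTER_CLASSES.items() if re.search(pattern, candidate)]
    if len(present) < MIN_CHARACTER_CLASSES:
        failures.append(f"only {len(present)} of 4 character classes used ({', '.join(present) or 'none'})")
    for salt, digest in history[-HISTORY_GENERATIONS:]:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            failures.append(f"matches one of the last {HISTORY_GENERATIONS} passwords")
            break
    return failures


class LoginGuard:
    """Tracks consecutive failed logins per user and applies the AC-7 timed lockout."""

    def __init__(self):
        self._failures = {}  # user -> timestamps of consecutive failures, oldest first

    def _recent(self, user, now):
        # Failures older than the window drop out, so the lockout releases by itself.
        cutoff = now - FAILED_WINDOW
        kept = [t for t in self._failures.get(user, []) if t > cutoff]
        self._failures[user] = kept
        return kept

    def is_locked(self, user, now):
        return len(self._recent(user, now)) >= MAX_FAILED_ATTEMPTS

    def record_failure(self, user, now):
        """Record an invalid attempt; returns True if this attempt triggered the lockout."""
        recent = self._recent(user, now)
        recent.append(now)
        return len(recent) >= MAX_FAILED_ATTEMPTS

    def record_success(self, user):
        """A successful login resets the consecutive-failure counter."""
        self._failures.pop(user, None)
```

The history check rehashes the candidate with each stored salt rather than comparing plaintext, so the 24-generation rule costs nothing in stored secrets; the lockout keys on consecutive failures within the window, which is the wording of AC-7 rather than a lifetime counter.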
6. If forms are used and the fields require sensitive data (e.g. SSN data, PCI compliance data,
etc.), determine if SSL is required.
Auditor Khatiwada reviewed WIMS Web Application and it was determined that SSL encryption
was used as a defense mechanism.
Deemed Reasonable
Step 3 – Session ID Management
Objective
The web application is protected against Session ID vulnerabilities that may be exploited by an
attacker to gain access to sensitive data.
Control:
The web application is programmed using safe programming methodologies to ensure proper
Session ID Management.
Step Conclusion:
Auditor Eldridge determined that there are gaps in security in the WIMS application's Session ID
Management. The WIMS application generates secure session IDs through its PS_TOKEN Cookie
function, utilizes a proper sign-off function, and utilizes SSL encryption to enforce valid sessions.
However, without vulnerability scanning and the capability to detect and react to session hijacks,
the WIMS application contains vulnerabilities that pose a risk to DCS. Without vulnerability
scanning, risk of unknown exploits being utilized by malicious users to the detriment of DCS is
increased. Additionally, if a session hijack occurs, without a system in place to detect the hijack
and remove the unauthorized user, the risk of damages resulting from session hijacks is increased.
These risks could result in financial loss, compromised data, reputational damage, and operational
damage for DCS.
Deemed Not Reasonable - See SEC501-09.1 Section SC-23 - Session Authenticity and Section
RA-5 - Vulnerability Scanning.
Step Completed by: Andrew Eldridge, April 11, 2019
Step Reviewed by: [Reviewer’s name], [Date]
Step 3.1 – Session ID Management Test Work
1. For session ID management, determine if there is a sign-off procedure to force the credentials
to be dropped from the browser.
Auditor Eldridge reviewed the sign-off procedure for the WIMS web application. The sign-off
procedure was demonstrated by CISO Robinett. Login credentials were passed into the WIMS
application. After 15 minutes of inactivity, the user was logged out of the application and CISO
Robinett demonstrated that access to the application was then unavailable.
Deemed reasonable.
2. For URL Rewriting/Hidden form fields determine
a. If the session IDs are sufficiently random and sufficiently large
b. That the generation of session ID is not based on any aspect of the user or password
information
c. That session IDs are perishable
Auditor Eldridge reviewed Session ID security, Session ID creation, and Session ID perishability.
Auditor Eldridge noted that the PS_TOKEN Cookie function is used to create Session IDs. The
process the PS_TOKEN Cookie function employs creates session IDs that are sufficiently random
and sufficiently large. The PS_TOKEN Cookie function uses its own SHA-1 hash function to create a
Session ID that is unique from the user and password information. CISO Robinett demonstrated the
PS_TOKEN Cookie functionality to Auditor Eldridge. After logging into the WIMS application, the
PS_TOKEN Cookie function was shown to create a new session ID for each new page that was
opened in the WIMS application. The Session IDs were perishable and not able to be used more
than once.
Deemed reasonable.
3. Determine what type of session hijacking/cloning detection capabilities exist.
Auditor Eldridge reviewed session hijacking and cloning detection capabilities. Auditor Eldridge
reviewed DCS Audit Response - WIMS Web Application and noted on page 5, response 20, that the
WIMS application uses SSL encryption to prevent session hijacking/cloning.
Deemed reasonable.
4. Determine what actions the application takes when a session violation is detected and
whether the action is appropriate.
Auditor Eldridge reviewed how WIMS handles session violations. Auditor Eldridge reviewed
DCS Audit Response - WIMS Web Application and noted on page 5, response 22, that no details
were provided on how session violations are detected and remediated. SSL encryption is employed
as a defense against session hijacking/cloning, but SSL encryption on its own is not sufficient to
detect and react to a session hijack. This poses the risk to the organization that if session hijacks
occur, they are not stopped before damages result from the hijack.
Deemed Not Reasonable - See SEC501-09.1 Section SC-23 - Session Authenticity.
5. Determine if a valid session is required in all appropriate circumstances and how it is
enforced or mediated.
Auditor Eldridge reviewed if valid sessions are required in all appropriate circumstances. The
PS_TOKEN cookie function is used to allow a user to log in initially then pass their credentials
throughout the application through the use of the PS_TOKEN. In combination with SSL
Encryption, a valid session is enforced throughout the WIMS application in all appropriate
circumstances.
Deemed reasonable.
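Items 2 through 5 describe what a sound session ID scheme should do: random, large, independent of the user's credentials, single-use, and backed by some reaction when a violation is detected. The following Python class is an added example written for this page; it is a generic design and not the PS_TOKEN Cookie function the WIMS application uses. It issues 256-bit IDs from the OS random source, rotates the ID on every request so each one is perishable, and treats a reappearance of an already-consumed ID as a hijack/clone indicator that terminates the whole session, which is the kind of detect-and-react control item 4 found missing. The 15-minute idle timeout mirrors the one observed in item 1; DEMO_START is a constructed clock value.

```python
import secrets
from datetime import datetime, timedelta

SESSION_ID_BYTES = 32                  # 256 bits from the OS CSPRNG per identifier
IDLE_TIMEOUT = timedelta(minutes=15)   # matches the inactivity timeout observed in item 1
MINUTE = timedelta(minutes=1)
DEMO_START = datetime(2019, 4, 11, 10, 0)  # constructed clock value for demonstration


class SessionStore:
    """Issues random, single-use session IDs and terminates a session when a consumed ID reappears."""

    def __init__(self):
        self._sessions = {}   # internal key -> {"user", "last_seen", "sid"}
        self._live = {}       # currently valid sid -> internal key
        self._retired = {}    # already-consumed sid -> internal key (kept for reuse detection)

    @staticmethod
    def _new_id():
        # Derived only from OS randomness: nothing about the user or password feeds in.
        return secrets.token_urlsafe(SESSION_ID_BYTES)

    def login(self, user, now):
        key = secrets.token_hex(16)   # server-side handle, never sent to the browser
        sid = self._new_id()
        self._sessions[key] = {"user": user, "last_seen": now, "sid": sid}
        self._live[sid] = key
        return sid

    def _terminate(self, key):
        record = self._sessions.pop(key, None)
        if record:
            self._live.pop(record["sid"], None)
        for old in [s for s, k in self._retired.items() if k == key]:
            del self._retired[old]

    def touch(self, sid, now):
        """Validate the presented ID for one request and rotate it.

        Returns (status, next_sid): status is "ok", "expired", "invalid" or "violation";
        next_sid is the replacement ID on "ok" and None otherwise.
        """
        if sid in self._retired:
            # A consumed ID presented again means two parties hold the same session
            # (hijack/clone). End the whole session rather than keep serving either party.
            self._terminate(self._retired[sid])
            return "violation", None
        key = self._live.get(sid)
        if key is None:
            return "invalid", None
        record = self._sessions[key]
        if now - record["last_seen"] > IDLE_TIMEOUT:
            self._terminate(key)
            return "expired", None
        next_sid = self._new_id()
        del self._live[sid]
        self._retired[sid] = key
        self._live[next_sid] = key
        record.update(sid=next_sid, last_seen=now)
        return "ok", next_sid

    def logout(self, sid):
        """Sign-off drops the session server-side so any copy left in the browser is worthless."""
        key = self._live.get(sid) or self._retired.get(sid)
        if key is not None:
            self._terminate(key)
        return key is not None

    def user_for(self, sid):
        key = self._live.get(sid)
        return self._sessions[key]["user"] if key else None
```

In production the retired-ID map would be bounded (for instance, kept only for the idle window) and the "violation" outcome would also be written to the audit log reviewed under Step 1.1 item 12, so that the event is both stopped and visible.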
6. Determine if the agency/institution regularly scans the web application for vulnerabilities and
obtain copies of the most recent scans.
Auditor Eldridge noted that in the DCS Audit Request - Web Application Security for WIMS
document, page 5, response 23 (which refers to response 10), vulnerability scanning on WIMS is
not conducted because WIMS is a custom application. Not conducting vulnerability scanning poses
several risks to the security of the WIMS application and DCS. It increases the risk of
vulnerabilities going unnoticed that could be exploited by malicious users, which can result in
financial and operational losses for DCS.
Deemed Not Reasonable - See SEC501-09.1 Section RA-5 - Vulnerability Scanning.
Step 4 – Input Data Handling
Objective
The web application has been developed to protect against Input Data vulnerabilities that may
expose the application to corruption of data, or loss of data.
Control:
The web application is programmed with controls to ensure that appropriate input data handling
and data validation is ensured.
Step Conclusion:
Auditor Suthar reviewed the input data handling pertaining to the WIMS and determined best
practices are met.
Step Completed by: Brijesh Suthar, April 15, 2019
Step Reviewed by: Christopher Purdin, April 15, 2019
Step 4.1 – Input Data Handling Test Work
1. Determine how input data to the application is validated.
Auditor Suthar verified that a search on the Term and EmpID criteria using an invalid EmpID was
correctly checked by the system, which output “No matching values were found”.
Deemed Reasonable
2. Determine if all input data is validated and if not, why not.
Auditor Suthar reviewed input data handling against existing standards; improperly entered data
was adequately assessed and produced only one response, which stated “No matching values were
found”.
Deemed Reasonable
3. Determine if all sensitive information is sent using a POST rather than a GET.
Auditor Suthar noted that the system is using GET for sensitive information.
Deemed Reasonable
Step 5 – Output Data Handling
Objective
The web application has been developed to protect against Output Data vulnerabilities that may
expose the application to corruption of data, or loss of data.
Control:
The web application is programmed with reasonable controls to ensure that appropriate output
data handling and data validation is ensured.
Step Conclusion:
Auditor Patel concludes that error conditions are handled by the application. Another point to
note is that, because this is an inventory application, there are no anti-caching techniques in use
when sensitive information is returned and special characters are not stripped.
Step Completed by: Urvesh Patel, May 25, 2019
Step Reviewed by: Urvesh Patel, April 12, 2019
Step 5.1 – Output Data Handling Test Work
1. Determine how error conditions are handled.
While Auditor Patel was checking the Schedule Process, the auditor noted that when forms are
accessed which require specific inputs and the instructor does not supply them appropriately, the
application throws an error saying “No matching values were found” and instructs the user to
correct the necessary input. The following is a representative example of the error (screenshot not
reproduced; source: Input Data Validation.docx embedded within DCS Audit Response- WIMS Web
Application.docx).
Conclusion: Deemed Reasonable.
2. Determine if there are any anti-caching techniques in use when sensitive information is
returned.
Auditor Patel looked at the DCS Audit Response- WIMS Web Application.docx which stated that
“Anti-caching techniques are not used since it is an inventory application.”
Conclusion: Deemed Reasonable.
3. Determine if all special characters are properly stripped or escaped when returned in a web
page.
Auditor Patel looked at the DCS Audit Response- WIMS Web Application.docx which stated that
“Special characters are not stripped since it is an inventory application.”
Conclusion: Deemed Reasonable.
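Steps 4.1 and 5.1 exercise one request path: criteria come in, a lookup runs, and a result page goes back. The following Python example is added for this page (it is not WIMS code, whose internals the audit response does not describe) and implements the controls those items ask about end to end: allowlist validation of Term and EmpID, a parameterized query so input never becomes SQL text, HTML escaping of every value on output, no-store caching headers on the sensitive response, and rejection of GET for the form. The EmpID and Term formats, the schedule table and its rows are constructed for the example; the "No matching values were found" message is the one the application displays.

```python
import html
import re
import sqlite3

# Constructed formats for the two search criteria the test work exercised; the real
# WIMS formats are not described in the audit response.
EMPID_PATTERN = re.compile(r"^[0-9]{6}$")
TERM_PATTERN = re.compile(r"^[0-9]{4}$")
NO_MATCH = "No matching values were found"
# Headers that stop browsers and proxies from retaining the sensitive result page.
SENSITIVE_HEADERS = {"Cache-Control": "no-store", "Pragma": "no-cache", "Expires": "0"}


def build_demo_db():
    """In-memory table with constructed rows standing in for the WIMS employee schedule."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE schedule (empid TEXT, term TEXT, name TEXT)")
    conn.executemany("INSERT INTO schedule VALUES (?, ?, ?)", [
        ("100200", "2019", "Jane Doe"),
        ("100201", "2019", "O'Brien <Lead>"),   # stored value with characters that must be escaped
    ])
    return conn


def validate(term, empid):
    """Allowlist validation: returns None when both criteria are well formed, else the reason."""
    if not TERM_PATTERN.fullmatch(term or ""):
        return "term must be four digits"
    if not EMPID_PATTERN.fullmatch(empid or ""):
        return "empid must be six digits"
    return None


def lookup(conn, term, empid):
    """Validate first, then query with bound parameters so the input is never part of SQL text."""
    if validate(term, empid) is not None:
        return []
    return conn.execute(
        "SELECT empid, term, name FROM schedule WHERE term = ? AND empid = ?", (term, empid)
    ).fetchall()


def render(rows):
    """HTML-escape every value on output so stored special characters render as text, not markup."""
    if not rows:
        return f"<p>{NO_MATCH}</p>"
    body = "".join(
        "<tr>" + "".join(f"<td>{html.escape(str(value))}</td>" for value in row) + "</tr>"
        for row in rows
    )
    return f"<table>{body}</table>"


def handle_request(conn, method, params):
    """Response triple (status, headers, body) for the schedule search form."""
    if method != "POST":
        # Criteria identifying a person travel in the body, never in a logged or cached URL.
        return 405, {"Allow": "POST"}, "<p>Use POST for this form</p>"
    rows = lookup(conn, params.get("term"), params.get("empid"))
    return 200, dict(SENSITIVE_HEADERS), render(rows)


if __name__ == "__main__":
    db = build_demo_db()
    for empid in ("100200", "100201", "1' OR '1'='1"):
        print(empid, "->", handle_request(db, "POST", {"term": "2019", "empid": empid})[2])
```

Note that the malformed EmpID and the genuinely absent one both produce the same "No matching values were found" page, which is the behaviour item 2 of Step 4.1 observed; the validation failure is still distinguishable server-side (validate returns a reason) should the agency later want to log it.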
Step 6: IT Disaster Recovery Plan (DRP) Controls
Contacts (Name, Title, and Contact info):
Chuck Ross Chief Information Officer
rosscd@vcu.edu 804.XXX.XXXX
Matt Robinett Chief Information Security Officer
robinettmw@vcu.edu 804.XXX.XXXX
Step Completed by & Date: Shaswat Khatiwada & Chris Purdin, May 25, 2019
Step Reviewed by & Date: Brijesh Suthar, April 12, 2019
Conclusion: Auditors Khatiwada and Purdin conclude that the DRP does exist; however, it has
not been approved or updated for effectiveness and efficiency. It was also determined that the
DRP (IT DRP Version 3.0, 12-15-2018) has not been tested, reviewed or revised. This puts DCS at
an inherent risk in the event of a disaster. While the recovery plan exists, it has not been
exercised, tested or revisited. The potential risks include major disruption of operations resulting
in financial losses.
Step 1: (Policy Existence)
A. Does the Agency have a documented Disaster Recovery Plan? Yes [X] No [ ] N/A [ ]
Step 2: (Policy Completeness)
Obtain and review the Agency’s DRP and determine whether:
A. The DRP has been approved by the Agency Head.
Auditor Khatiwada has reviewed the IT Disaster Recovery Plan for Department of Controlled
Substances, Version: 3.0 which was created 12-15-2018. It has not been approved by the
Director/Chief Executive Officer: Tyler Durden.
Deemed Not Reasonable - See SEC501-09.1 Agency Head Section 2.4.3 “Review and approve
the agency’s Business Impact Analysis (BIAs), Risk Assessments (RAs), and Continuity Plan
(previously referred to as Continuity of Operations Plan or COOP), to include an IT Disaster
Recovery Plan, if applicable.”
B. Requirements are included to periodically review, reassess, test and revise to reflect changes
in essential business functions, services, system hardware and software and personnel.
Auditor Khatiwada has reviewed the IT Disaster Recovery Plan for Department of Controlled
Substances, Version: 3.0, which was created 12-15-2018. It was determined that prerequisites exist
for each procedure, but there is no detailed instruction on when these prerequisites are completed
to reflect changes in business functions, services, system hardware, software and personnel. Also,
there is no sign of any detailed instructions for the DRP process.
Deemed Not Reasonable - SEC501-09.1 Section CP-1 COV-2. “Require periodic review,
reassessment, testing, and revision of the IT DRP to reflect changes in mission essential
functions, services, IT system hardware and software, and personnel.”
C. The recovery requirements are identified for IT systems and data needed to support the
essential business functions (based on BIA and RA), including system configurations, a list of
hardware and software, and vendor contacts.
Auditor Khatiwada has reviewed the IT Disaster Recovery Plan for Department of Controlled
Substances, Version: 3.0 which was created 12-15-2018. It was determined that there are essential
business functions based on BIA and RA.
Deemed Reasonable
Step 3: (Procedural & Control Implementation)
A. A copy of the DRP is stored in a designated plan repository (hard copy should be stored
at accessible, secure off-site location).
Auditor Purdin has reviewed the IT Disaster Recovery Plan for DCS, Version 3.0, which was
created 12-15-2018. The screenshot below, found on page A-3 of the DRP, indicates DCS is storing
hard copies of the DRP at their off-site storage facility, Peak Data Center. The second screenshot
below, found on page A-16, indicates the location of Peak Data Center in relation to DCS
(screenshots not reproduced here).
Deemed Reasonable
B. Determine whether the Agency periodically reviews, reassesses, tests and revises the DRP
to reflect changes in essential business functions, services, system hardware and software
and personnel.
Auditor Khatiwada has reviewed the IT Disaster Recovery Plan for Department of Controlled
Substances, Version: 3.0, which was created 12-15-2018. Prerequisites exist for each procedure,
but there are no detailed instructions on when these prerequisites are completed to reflect
changes in essential business functions, services, system hardware and software and personnel.
Also, there is no sign of the steps in the DRP being tested, reviewed, or revised.
Deemed Not Reasonable - SEC501-09.1 Section CP-1 COV 2, “Require periodic review,
reassessment, testing, and revision of the IT DRP to reflect changes in mission essential
functions, services, IT system hardware and software, and personnel.”
C. The DRP is tested annually (i.e., recovery from backup tapes). Review documentation
showing date of test, what was tested, results, and recommendations.
Auditor Purdin has reviewed the IT Disaster Recovery Plan for DCS, Version 3.0, which was
created 12-15-2018. The screenshot below from page A-16 of the DCS DRP (not reproduced here)
indicates no annual testing has been conducted on the DRP.
Deemed Not Reasonable - SEC501-09.1 Section CP-1 COV 2, “Require periodic review,
reassessment, testing, and revision of the IT DRP to reflect changes in mission essential
functions, services, IT system hardware and software, and personnel.”