Case Study: IT Security Audit

Abstract

A large manufacturing organisation sought assurance regarding the controls governing the IT Security function and an evaluation of the effectiveness of the policies in place.

Challenge

We provided a large manufacturing company with a comprehensive review of IT security controls within the organisation. The objective was to determine whether appropriate policies and controls were designed and implemented, operating effectively, and periodically reviewed to ensure ongoing use.

Approach

  • We reviewed the Information Security Policies in place at the company.
  • Extensive external and internal vulnerability assessments were performed using specialised hacking techniques.
  • We examined the logical access and security controls in place.
  • A review of the use of PDA devices and the potential security threats posed by such devices was carried out.

Solution

The critical findings can be summarised as follows:

  • A number of servers appeared to be missing a significant number of Microsoft Security Patches.
  • A number of administrator accounts were identified with weak passwords.
  • System shares on the main information system allowed access controls to be bypassed.

The significant findings can be summarised as follows:

  • IT Security Policies were not fully implemented on a number of the servers examined.
  • IT Security Policies referenced security standards that were not defined.
  • Insecure storage mechanisms were used for storing sensitive passwords.
  • Administrators within the information system could switch to any user profile without audit trails being maintained or users being notified.
  • MS SQL Service Packs and hotfixes were not applied on the databases supporting the main applications.
  • Access to system shares was not appropriately restricted on the main servers.
  • Default SNMP community strings were present on a large number of servers.
  • The backup software had been configured with the default user on a number of servers.
  • A number of dormant accounts were noted on the domain controller.
  • A number of BlackBerry security settings had not been implemented.

Material on this website is © 2013 Deloitte Global Services Limited, or a member firm of Deloitte Touche Tohmatsu Limited, or one of their affiliates. See Legal for copyright and other legal information.
