Final Report
5th July, 2017
www.infosec-career.com
Version control and distribution

Version number   Date issued        Issued to
V1.0             20 January 2017    The Company
Final            22 February 2017   The Company
This report is intended solely for the information and use of the management of The Company and is not intended to be
and should not be used by anyone other than these specified parties. Audit Firm therefore assumes no responsibility to
any user of the report other than The Company. Any other persons who choose to rely on our report do so entirely at their
own risk.
Table of contents
1. Executive Summary
3. Scope Limitations
7. Domain-Wise Distribution of Risk
10. Persistent Irregularities
1. Executive Summary
1.1 Introduction:
Scope Details
Name Audit Firm
Name of Client
Description of service
Assessment type
Risk Score
Compliance Score
Date of assessment
Address where onsite assessment took place
Name of assessor
Reviewed By
2. Scope and Objectives
The vendor assessment consisted of a review and evaluation of current policies, procedures and practices used by
The Company for rendering the service as defined above. The Company was assessed on domains pertaining to
Information Security risk supporting SBIL Operations.
The following information security control areas were reviewed with The Company Limited Solutions as part of
the questionnaire-mandated controls:
3. Scope Limitations
The scope of the engagement excludes:
The review of design or source code for any of the in-scope applications
Performing any infrastructure or application penetration testing for in-scope applications and underlying infrastructure
Performing ongoing control monitoring activities or other control activities that affect the execution of transactions or
ensure that transactions are properly executed and/or accounted for
Determining which, if any, recommendations should be implemented and the implementation of any recommendations
arising from this engagement
Preparing source documents of transactions
Having custody of assets
Acting in any capacity equivalent to a member of management or an employee
4. Issue Rating Descriptions
The issue ratings used in this report reflect the recommended priority to resolve the control gaps identified.
Issue Rating: Red/High
Description: The control(s) failure will cause the objective not to be achieved and the prevailing risk(s) not
mitigated, resulting in threat and potentially material impact on confidentiality, integrity and risks to the
organization's information asset and system(s). The following is a non-exhaustive list of events that could result
in a High risk observation rating:
Controls exceptions;
Lack of segregation of duties; or
Insufficient evidence to show the control operation.
These issues require immediate attention and accelerated remediation.
Target completion date: Within 30 days after agreeing remediation action plan with Third Party.

Issue Rating: Amber/Medium
Description: The control's design is not in line with the Bank's compliance requirement and needs improvement to
operate effectively. However, the risk exposures are mitigated by compensating controls. If these threats are not
addressed over a defined period of time, the potential risk to the organization's information assets may increase.
The following is a non-exhaustive list of events that could result in a Medium risk observation rating:
Control design is not well documented; however, controls operate effectively;
Lack of information security program, policies, awareness, or enforcement; or
Control failures that do not directly impair or impact the services provided.
Requires review and attention from management within the near term.
Target completion date: Within 60 days after agreeing remediation action plan with Third Party.

Issue Rating: Green/Low
Description: The gaps are minor and do not result in exposure. Relevant controls exist and are effective. However,
addressing the minor gaps will further strengthen the overall environment and operations.
Target completion date: Within 90 days after agreeing remediation action plan with Third Party.
5. Overall Assessment Results
Compliance Score:
This score is calculated from the controls found to be implemented for the business processes carried out by
The Company at the time of the assessment; the non-conformance against those controls determines the percentage that
forms the vendor compliance score.
Risk Score:
This score is calculated as the product of the High, Medium and Low level non-conformities observed, measured against
the total number of controls assessed during the assessment.
6. Risk Assessment Summary
[Figure: Risk Assessment Summary gauges and pie chart. Values shown: Risk Score 38 (Medium); non-conformity
distribution High 32%, Medium 62%, Low 6%; Overall Vendor Score 52 (Medium).]
7. Domain-Wise Distribution of Risk
[Figure: Domain-wise Assessment bar chart; axis label: Controls.]
9. Issues and recommendations
The following table provides details of the non-compliant controls identified during the assessment conducted in FY 2016.
10. Persistent Irregularities:
The following table contains repeated findings (assessment findings found in previous and present assessments): there are no
observations found.

Domain | Risk Rating | Observation No. | Observation (Current Assessment) | Observation (Previous Assessment)
       | High        |                 |                                  |
       | High        |                 |                                  |