Many of the business sectors we work with are subject to audits, sometimes from multiple auditors. Foresite was brought into this financial sector client several years ago when they asked for help preparing for their annual regulatory audits.
We adapt the functional testing annually to change the focus and to make sure we re-test any areas of weakness from the previous year. In this client’s case, one area they have struggled with is staff adherence to their cyber security policies and procedures. There were also known vulnerabilities discovered in previous years, so we were validating whether the vulnerability management program they had implemented internally, based on our last assessment, was being kept up.
Foresite deployed a consultant onsite at the client’s location for a week to perform the testing, meet with staff, and collaborate with their ISO auditor. We found that the technical controls were strong – much improvement was made during the past several years of working with their IT team. Our main recommendations this year revolve around physical security. There were several areas where we found risk – how many of these might apply to your organization (or your clients)?
Lax enforcement of physical security controls by staff. One area of this office holds the most sensitive data and is only supposed to be accessed by authorized staff or escorted visitors. By simply holding back and watching the flow of staff, our auditor observed that the door securing this area closed very slowly. He waited until a staffer left the hallway and went through, then wedged his foot in the base of the door to keep it from closing and latching. Once the staff member had rounded the corner, our auditor entered the secure area and moved around freely with no one questioning him. Two controls failed here: the door closer left the latch open long enough to be tailgated, and nobody inside the area challenged an unescorted stranger.
Next, our consultant found paperwork on a desk listing network credentials. He copied them and was able to log in to the main database holding client financial information. He also found a second document abandoned in the copy room containing a staff member’s personal information, including social security number and account details.
Last, the client relies very heavily on the building’s security staff. Our final recommendation was that we perform physical penetration testing of the building to confirm that the security staff are following the processes and procedures intended to prevent unauthorized entry to the client’s offices.
Read or download the full case study to learn more about the client’s challenges and how we helped address them.