Last updated by: T_Apperley, Last updated on: 03/12/2024
VR Sun Cycle Audit Report - September 2024
Author: Ali Demirovski (Redback Operations)
Introduction
The VR Sun Cycle Smart Bike audit was conducted on Saturday the 14th of September between me, Ali Demirovski, and team leader Johnathon David Lowden. Another team leader, Ethan Byrne-Staunton, was also questioned for clarification on some points.
This audit evaluates the development process of a Virtual Reality (VR) Smart Bike, focusing on key aspects such as data protection, hardware and software challenges, and adherence to cybersecurity policies.
The objective of this audit is to assess the project's current state, identify potential risks, and provide recommendations to improve overall security and compliance.
GENERAL AUDIT POINTS - Policy Compliance
1.1 Are the correct encryption methods being used for data in storage and transmission?
- Compliant: No
- Observations: Very little data is stored; encryption is not necessary at this stage.
- Action Required: None required for now, but encryption should be considered in future.
1.2 Are the related DLP Policies being adhered to?
- Compliant: No
- Observations: Data is uploaded to GitHub and Microsoft Teams with no encryption. No formal backup plan.
- Action Required: Consider data protection policies for better data integrity.
1.3 Are the related Data Classification Policies being adhered to?
- Compliant: No
- Observations: All data created by the team is publicly accessible.
- Action Required: Implement access restrictions to control who can view and edit data.
1.4 Have forms of physical security for data protection been implemented?
- Compliant: No
- Observations: No physical security measures have been implemented.
- Action Required: None for now, but it should be considered for customer data collection.
1.5 Have forms of digital security for data protection been implemented?
- Compliant: No
- Observations: No digital security measures in place.
- Action Required: Should be considered in future for customer data protection.
1.6 Have EASM risks been identified?
- Compliant: No
- Observations: EASM risks have not been considered.
- Action Required: Need to assess potential risks and threats related to EASM.
1.7 Have all employees undergone the appropriate User Awareness Training?
- Compliant: No
- Observations: Training has not been a priority so far.
- Action Required: Mandatory awareness training required as data collection becomes more prominent.
GENERAL AUDIT POINTS - Ethical Considerations and Requirements
2.1 Are all forms of data collection briefed with customers and consent gathered?
- Compliant: NA
- Observations: No customer data collection has started.
- Action Required: None.
2.2 Has all collected information and data been classified with data classification requirements?
- Compliant: NA
- Action Required: None.
2.3 Is data anonymity used to protect the privacy of customers?
- Compliant: NA
- Action Required: None.
2.4 Is the cryptography policy being adhered to?
- Compliant: NA
- Observations: No data currently requires encryption.
- Action Required: None.
2.5 Is data minimization being put in place when collecting data?
- Compliant: NA
- Action Required: None.
2.6 Are ISMS policies being adhered to when required?
- Compliant: NA
- Action Required: None.
GENERAL AUDIT POINTS - Governance
3.1 Is the team adhering to the company’s governance framework?
- Compliant: NA
- Action Required: None.
3.2 Are team roles and responsibilities clearly defined and documented?
- Compliant: Yes
- Observations: Team roles are divided between software, hardware, and mobile development.
- Action Required: None.
3.3 Is there a risk management plan in place?
- Compliant: No
- Observations: No risk management plan is in place.
- Action Required: Consider creating a risk management plan, especially as data collection becomes a focus.
3.4 Is there an incident response plan in place?
- Compliant: No
- Action Required: A risk management plan should also include incident response procedures.
3.5 Are incidents logged and reviewed for continuous improvement?
- Compliant: No
- Action Required: Consider logging and reviewing incidents as part of future plans.
PROJECT-SPECIFIC AUDIT POINTS
4.1 How reliable are the hardware components of the project?
- Compliant: Yes
- Observations: Hardware components have been performing reliably.
- Action Required: None.
4.2 Are there any challenges with integrating software and hardware?
- Compliant: Yes
- Observations: Some initial challenges, but improvements have been made.
- Action Required: None.
4.3 Are there limitations from the hardware or software being used?
- Compliant: Yes
- Observations: Minimal limitations; the team has significant experience with both the hardware and the software.
- Action Required: Ensure new team members receive proper training.