Author: Muhamed Badri Abdulkadir
Athlete Wearable Technology Audit Report
Introduction
The information presented below was obtained from the audit conducted by Manheer Singh Dhillon (Team Leader of Athlete Wearable Technology) and Muhamed Badri Abdulkadir (Cyber Security Team member). The objective of the audit is to assess the Athlete Wearable Technology project's compliance with the required Redback Operations policies and standards. The audit also identifies areas for improvement, along with recommendations to improve our practices, which will help to improve the integrity and security of Redback Operations. What we hope to achieve with the audit and the subsequent report is to meet the organisation's expectations, its regulatory obligations and industry best practice.
Policy Compliance
1.1 Are the correct encryption methods being used for data in storage and transmission?
The team is using a data set from the previous trimester and no data is being collected this trimester, so this question was treated as not applicable to the project. Note that the inherited data set is still data at rest in the repository and in transit whenever it is cloned or pulled, so this control should be reassessed if the data set is moved off GitHub or if any sensitive data is added.
1.2 Are the related DLP Policies being adhered to?
Yes, DLP Policies are being followed. Everything the team has is stored in a GitHub repository to which only the team has access, and the Team Leader and one other colleague are the only ones who review and merge pull requests.
1.3 Are the related Data Classification Policies being adhered to?
Yes, data which was gathered from the previous trimester has been filtered by this team and only the information which is necessary is being used.
1.4 Have forms of physical security for data protection been implemented?
No. Because data has not been collected by the current team, little attention has been given to physical security controls.
Recommendation: Physical infrastructure and data collection are limited for this team, which explains the lack of physical security controls. However, the physical security of the Athlete Wearable devices themselves (secure storage, and who may handle them) should be assessed once the devices are made available.
1.5 Have forms of digital security for data protection been implemented?
As with 1.4, no data is being gathered and little effort has been made to put digital security controls into practice beyond the restricted GitHub repository.
Recommendation: The team should require two-factor authentication (2FA) on every GitHub account that has access to the repository, and enable branch protection on the main branch so that the existing pull-request review by the Team Leader is enforced by the platform rather than relied on by convention.
1.6 Have EASM risks been identified?
No, the team has not produced a document outlining the project's External Attack Surface Management (EASM) risks.
Recommendation: The team must review the EASM policy on the Redback Operations website, identify the risks that apply to the project (for example, the publicly reachable components of its front end and back end), and document who is accountable for each.
1.7 Have all employees undergone the appropriate User Awareness Training?
The Team Leader demonstrated how to use GitHub, informed team members of their privileges, and showed them where the online data set can be reviewed. However, the Cybersecurity Awareness Training document was not reviewed by the team.
Recommendation: The entire team should go through the training document, as it contains the policies implemented by Redback Operations to inform employees of the risks associated with their positions and duties.
Ethical Considerations and Requirements
2.1 Are all forms of data collection briefed with customers, and is consent gathered?
The data set being used was collected by the team during the previous trimester and was obtained from the previous trimester's Team Leader during the handover. Because the data was not collected by the current team, this question was treated as not relevant to it. The consent obtained at the time of collection should nevertheless be confirmed as part of the handover, since the current team inherits the obligations that came with the data.
2.2 Has all collected information and data been classified with data classification requirements?
Yes, the policy is being followed by the team as specified in 1.3.
2.3 Is data anonymity used to protect the privacy of customers?
Yes, this is being followed: personal information is not used, only the necessary information, such as heart rate and step counts, is used, and the data source is anonymous.
2.4 Is data minimisation being put in place when collecting data?
Yes, the data is clean. The team received an original data set that contained information that was not required, so the team produced a new data set containing only the necessary fields (clean data).
2.5 Looping back to the ISMS policies, are they being adhered to when required?
Yes, the Team Leader stated that everything was being adhered to and nothing was being violated.
Governance
3.1 Is the team adhering to the company’s governance framework?
Yes, this is being followed because all data used is in compliance with the company's governance framework.
3.2 Are team roles and responsibilities clearly defined and documented?
Yes, roles have been clearly defined: the team is separated into three parts, front end, back end, and data analysis, with the Team Leader and one of his colleagues moving between the three sub-teams as needed.
3.3 Is there a risk management plan in place?
No. The Team Leader believes that there is little at risk in the project because no data has been acquired this trimester.
Recommendation: A risk management plan should be developed regardless of current data collection status, to identify and mitigate potential risks related to future data handling and other parts of the project.
3.4 Is there an incident response plan in place?
The data set is stored in a private GitHub repository, and changes by authorised users are submitted as pull requests for review by the Team Leader. (A pull request proposes changes from someone who already has access to the repository; it does not itself grant access, which must be granted by the repository administrators.) However, no structured incident response plan with defined steps has been written for the case that an incident occurs.
Recommendation: A dedicated incident response plan should be written, covering who is contacted, how access is revoked, and how the repository is restored, and everyone in the team should be aware of it in case an incident occurs.
3.5 Are incidents logged and reviewed for continuous improvement?
No, there is currently no process in place for logging and reviewing incidents.
Recommendation: The team should establish a simple log for documenting any incidents that occur throughout the trimester, and review it periodically so that lessons learned feed back into the project's practices.
Recommendations and Conclusion
The audit gave significant insight into the Athlete Wearable Technology project's compliance with Redback Operations policies and standards. While certain areas of compliance, such as adherence to the DLP and data classification requirements, were satisfied, the project's present phase, characterised by a lack of data collection, has resulted in limited attention to critical security and governance measures.
Areas on which Athlete Wearable Technology should focus
- EASM and Risk Management: The team has not identified External Attack Surface Management risks and has no risk management plan. Without these processes the project may be exposed to vulnerabilities in the future. Identifying and documenting the risks supports proactive decision-making when allocating resources.
- Incident Response and Continuous Improvement: There is no documented incident response plan and no incident log. The lack of these documents could impair the team's ability to respond to and recover from an attack. The project team must create an incident response plan.
- User Awareness Training: While initial training was delivered, the team did not review the Cybersecurity Awareness Training document. It is vital that team members are trained on the relevant policies and procedures.
Overall, the project displays compliance in some areas, but the current lack of data collection has slowed the development of more complete security practices. As the project progresses, resolving the identified gaps and acting on the recommendations will be critical to improving the integrity and security of the Athlete Wearable Technology project.