VR Sun Cycle Audit Report - September 2024

Author: Ali Demirovski (Redback Operations)

Introduction

The VR Sun Cycle Smart Bike audit was conducted on Saturday, 14 September, between me, Ali Demirovski, and team leader Johnathon David Lowden. Another team leader, Ethan Byrne-Staunton, was also questioned for clarification on some points.

This audit evaluates the development process of a Virtual Reality (VR) Smart Bike, focusing on key aspects such as data protection, hardware and software challenges, and adherence to cybersecurity policies.

The objective of this audit is to assess the project's current state, identify potential risks, and provide recommendations to improve overall security and compliance.

GENERAL AUDIT POINTS - Policy Compliance

1.1 Are the correct encryption methods being used for data in storage and transmission?

  • Compliant: No
  • Observations: Very minimal data is stored; encryption not necessary at this stage.
  • Action Required: None required for now, but encryption should be considered in future.

1.2

  • Compliant: No
  • Observations: Data is uploaded to GitHub and Microsoft Teams with no encryption. No formal backup plan.
  • Action Required: Consider data protection policies for better data integrity.

1.3

  • Compliant: No
  • Observations: All data created by the team is publicly accessible.
  • Action Required: Implement access restrictions to control who can view and edit data.

1.4 Have forms of physical security for data protection been implemented?

  • Compliant: No
  • Observations: No physical security measures have been implemented.
  • Action Required: None for now, but it should be considered for customer data collection.

1.5 Have forms of digital security for data protection been implemented?

  • Compliant: No
  • Observations: No digital security measures in place.
  • Action Required: Should be considered in future for customer data protection.

1.6 Have EASM risks been identified?

  • Compliant: No
  • Observations: EASM risks have not been considered.
  • Action Required: Need to assess potential risks and threats related to EASM.

1.7 Have all employees undergone the appropriate User Awareness Training?

  • Compliant: No
  • Observations: Training has not been a priority so far.
  • Action Required: Mandatory awareness training required as data collection becomes more prominent.

GENERAL AUDIT POINTS - Ethical Considerations and Requirements

2.1

  • Compliant: NA
  • Observations: No customer data collection has started.
  • Action Required: None.

2.2 Has all collected information and data been classified with data classification requirements?

  • Compliant: NA
  • Action Required: None.

2.3 Is data anonymity used to protect the privacy of customers?

  • Compliant: NA
  • Action Required: None.

2.4 Is the cryptography policy being adhered to?

  • Compliant: NA
  • Observations: No data currently requires encryption.
  • Action Required: None.

2.5 Is data minimization being put in place when collecting data?

  • Compliant: NA
  • Action Required: None.

2.6 Are ISMS policies being adhered to when required?

  • Compliant: NA
  • Action Required: None.

GENERAL AUDIT POINTS - Governance

3.1 Is the team adhering to the company’s governance framework?

  • Compliant: NA
  • Action Required: None.

3.2 Are team roles and responsibilities clearly defined and documented?

  • Compliant: Yes
  • Observations: Team roles are divided between software, hardware, and mobile development.
  • Action Required: None.

3.3 Is there a risk management plan in place?

  • Compliant: No
  • Observations: No risk management plan is in place.
  • Action Required: Consider creating a risk management plan, especially as data collection becomes a focus.

3.4 Is there an incident response plan in place?

  • Compliant: No
  • Action Required: A risk management plan should also include incident response procedures.

3.5 Are incidents logged and reviewed for continuous improvement?

  • Compliant: No
  • Action Required: Consider logging and reviewing incidents as part of future plans.

PROJECT-SPECIFIC AUDIT POINTS

4.1 How reliable are the hardware components of the project?

  • Compliant: Yes
  • Observations: Hardware components have been performing reliably.
  • Action Required: None.

4.2 Are there any challenges with integrating software and hardware?

  • Compliant: Yes
  • Observations: Some initial challenges, but improvements have been made.
  • Action Required: None.

4.3 Are there limitations from the hardware or software being used?

  • Compliant: Yes
  • Observations: Minimal limitations; team has significant experience with both hardware and software.
  • Action Required: Ensure new team members receive proper training.

Key Findings & Recommendations

From this audit, it is clear that the project team has not treated data protection and cyber security policies as a priority at this time. However, the team must soon begin to investigate this area, as customer data collection is going to become a more common task throughout the project.

As the team has seen little need to incorporate data protection into the project while data collection and storage remain minimal, the team will need to gain an understanding of all the cyber security and data protection policies as they move forward into the development of their mobile application.

Starting with policy compliance, this is an area the team is not very familiar with, as they have not yet needed to comply with the data protection policies because they currently collect very little data. However, as the team moves into the following semesters with the plan to develop a new web application in conjunction with their work on the VR Bike, they will need to seriously consider and familiarize themselves with all of these policies, since customer data collection will be a much more prevalent procedure throughout the project. With the project moving further into data collection in the upcoming semesters, I strongly recommend that the entire team becomes familiar with the data collection policies and that tasks are included to train the team on how to comply with them.

Moving on to ethical considerations, the situation is similar to policy compliance: it does not relate much to what is currently being conducted within the VR Sun Cycle Smart Bike team. However, as data collection becomes more prevalent in the upcoming semesters, it is important that the team is trained to understand and comply with all the ethical considerations for data collection.

Additionally, the governance section of the audit is something the team has not investigated at all, as their focus has been on the development of the project's hardware and software, with project functionality as the primary goal. As a result, much of the governance and ethical considerations have been overlooked by the team, although it is their goal to place far more focus on these areas in the coming semesters. My recommendation is to ensure that all governance policies are understood by the team before any customer data collection occurs.

Finally, on the project-specific area, this is where the team has focused most of their time, as the overall functionality of the software and hardware has been their primary goal. Given the amount of time spent on the hardware-specific points, this is where the team has been thriving the most, having found very few limitations with the hardware and the overall software in use. Their success in this part of the project now gives them the time to focus on other parts of the project.

Overall, the team has been quite successful with the development of their project, as the majority of their goals for this semester have been achieved with minimal setbacks. However, with data collection becoming their next goal due to the development of their application, the team will need to be trained in, and become well accustomed to, all the governance policies and ethical considerations that apply when collecting any type of data for the project.

Summary of Actions Required:

  • Implement encryption and data protection as the project evolves.
  • Conduct mandatory User Awareness Training for team members.
  • Develop a risk management and incident response plan.