IT Audit Report

The IT Audit Report for Discount Juice Shop identifies multiple security control deficiencies, including the lack of secure protocols for data transmission, absence of multi-factor authentication, and inadequate incident response procedures. The report highlights that the organization failed to implement necessary security measures as outlined by NIST standards, such as maintaining updated security architecture and monitoring external network communications. Recommendations for improvement include establishing documented policies, implementing security protocols, and conducting regular security assessments.


CONFIDENTIAL OCCUPATIONAL SAFETY HEALTH AND IT

IT Audit Report
These findings represent controls that were not in place during the audit conducted by the Occupational Safety Health and IT agency on Discount Juice Shop. All information systems must meet these controls. Remember to test all changes before applying to a production environment.

Each finding below is laid out with the columns of the original table: Finding, Control Objective, Results Noted, Evidence Requested, and Management Response (no management responses are recorded in this copy).

Finding 1.1, Control 1.1
Control Objective: Organization shall protect confidentiality and integrity of transmitted information to ensure that the confidentiality and integrity of the data are maintained during the transfer process.
Ref: NIST SP 800-53 SC-8
Results Noted: NOT IN PLACE. The organization did not use secure protocols, such as Secure Shell (SSH), Transport Layer Security (TLS), and Internet Protocol Security (IPSec), for secure network management functions. The organization did not employ the most current secure transport protocol that includes the most recent version of Transport Layer Security (TLS) for communications that transferred confidential, sensitive data between web clients and web servers. NIST SP 800-52, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations must be used as guidance on protecting transmission integrity using TLS.
Evidence Requested: Provide evidence that demonstrates only secure protocols are in use. Provide IP address for new web server. Auditor will review TLS configuration.
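As an added illustration of the TLS configuration review described under finding 1.1 (example code, not part of the audit report or the auditor's tooling): a probe that records which protocol versions a server accepts, and a pure assessment function that grades that set against the expectation that only current TLS versions are offered. Which versions count as acceptable, and the placeholder host name, are assumptions of this example.

```python
import socket
import ssl

# Assumption for this example: TLS 1.2 and 1.3 are acceptable, TLS 1.3 is the
# "most recent version", and anything older is a finding. SSLv3 is not probed
# because current Python/OpenSSL builds cannot offer it at all.
ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}
CURRENT = "TLSv1.3"
PROBE_VERSIONS = [
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]

def assess_offered_versions(offered):
    """Grade the set of versions a server accepts. Pure function, so it works on
    probe output or on a vendor's documented configuration alike."""
    deprecated = sorted(v for v in offered if v not in ACCEPTABLE)
    missing_current = CURRENT not in offered
    return {
        "passes": not deprecated and not missing_current,
        "deprecated": deprecated,
        "missing_current": missing_current,
    }

def probe_server(host, port=443, timeout=5.0):
    """Attempt a handshake pinned to each version in turn and collect the ones the
    server completes. Certificate validation is disabled on purpose: this context
    checks protocol version only and must never be reused for real traffic."""
    offered = set()
    for name, version in PROBE_VERSIONS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
        except (ValueError, ssl.SSLError):
            continue  # the local OpenSSL build refuses to speak this version
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    offered.add(name)
        except (ssl.SSLError, OSError):
            pass  # handshake refused: the server does not offer this version
    return offered

if __name__ == "__main__":
    # Placeholder host; the auditor would use the web server IP the finding asks for.
    versions = probe_server("webserver.example.invalid")
    print(versions, assess_offered_versions(versions))
```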

Finding 2.1, Control 2.1.1
Control Objective: Organization shall (a) establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (b) authorize remote access to the information system prior to allowing such connections.
Ref: NIST SP 800-53 AC-17
Results Noted: NOT IN PLACE. The organization did not use multi-factor authentication (MFA) when establishing remote access for system administration functions that originated from networks external to the organization, such as the Internet.
Evidence Requested: Provide evidence that demonstrates MFA is in use and describe how the current implementation meets this requirement.

Finding 2.1, Control 2.1.2
Control Objective: Organization shall (a) develop an information security architecture that describes any information security assumptions about, and dependencies on, external services; (b) review and update the information security architecture at least annually to reflect updates in the architecture; and (c) ensure that planned information security architecture changes are reflected in the security plan.
Ref: NIST SP 800-53 PL-8
Results Noted: NOT IN PLACE. The organization did not maintain a current, documented information security architecture.
Evidence Requested: Provide a copy of the most recent network diagram as an attached PDF.

Finding 2.1, Control 2.1.3
Control Objective: Organization shall (a) monitor and control communications at the external boundary; (b) implement subnetworks for publicly accessible system components that are physically or logically separated from internal network(s); and (c) connect to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
Ref: NIST SP 800-53 SC-7
Results Noted: NOT IN PLACE. The organization had publicly accessible system components that were not physically or logically separated from the internal network. The organization did not limit the number of external network connections to the information system. Further, the organization did not have an established traffic flow policy for each managed interface. Information systems at managed interfaces should deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception) for both inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed. Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. NIST SP 800-41, Guidelines on Firewalls and Firewall Policy must be used as guidance on firewalls and firewall rule sets.
Evidence Requested: Provide evidence that border devices restrict traffic to only that required for business purposes and documentation that provides justification on any traffic that is allowed.
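As an added example of the deny-all, permit-by-exception policy that finding 2.1.3 calls for (illustrative code, not from the audit report or the audited environment): a minimal rule evaluator in which a flow passes only when an explicit exception matches it, plus an audit pass that flags exceptions lacking the business justification the evidence request asks for. The ruleset and addresses are constructed from documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    direction: str        # "inbound" or "outbound" relative to the external boundary
    src: str              # source CIDR
    dst: str              # destination CIDR
    proto: str            # "tcp" or "udp"
    port: Optional[int]   # destination port; None means every port
    justification: str    # business reason; the documentation the SC-7 evidence asks for

# Constructed sample ruleset (documentation address ranges, not the audited shop).
# Rule 2 is the kind of legacy blanket exception the audit would flag.
SAMPLE_RULES = [
    Rule("inbound", "0.0.0.0/0", "203.0.113.10/32", "tcp", 443, "Public storefront on DMZ web server"),
    Rule("outbound", "10.0.0.0/8", "0.0.0.0/0", "tcp", 443, "Staff HTTPS via egress proxy"),
    Rule("outbound", "0.0.0.0/0", "0.0.0.0/0", "tcp", None, ""),
]

def rule_matches(rule, direction, src, dst, proto, port):
    return (rule.direction == direction and rule.proto == proto
            and (rule.port is None or rule.port == port)
            and ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst))

def is_allowed(rules, direction, src, dst, proto, port):
    """Deny all, permit by exception: a flow passes only if some rule explicitly
    matches it. There is no implicit allow anywhere in the evaluation."""
    return any(rule_matches(r, direction, src, dst, proto, port) for r in rules)

def audit_rules(rules):
    """Flag exceptions that would not satisfy the evidence request: undocumented,
    every-port, or any-to-any rules that quietly reintroduce allow-by-default."""
    issues = []
    for idx, r in enumerate(rules):
        if not r.justification.strip():
            issues.append((idx, "no documented business justification"))
        if r.port is None:
            issues.append((idx, "permits every destination port"))
        if ip_network(r.src).prefixlen == 0 and ip_network(r.dst).prefixlen == 0:
            issues.append((idx, "any-to-any exception defeats deny by default"))
    return issues

if __name__ == "__main__":
    print(is_allowed(SAMPLE_RULES, "inbound", "198.51.100.7", "203.0.113.10", "tcp", 443))
    print(is_allowed(SAMPLE_RULES, "inbound", "198.51.100.7", "203.0.113.10", "tcp", 3389))
    for idx, problem in audit_rules(SAMPLE_RULES):
        print(f"rule {idx}: {problem}")
```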

Finding 3.1, Control 3.1.1
Control Objective: Organization shall uniquely identify and authenticate organizational users. Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards.
Ref: NIST SP 800-53 IA-2
Results Noted: NOT IN PLACE. The organization used shared accounts (credentials used by more than one individual) within their systems. The use of shared user accounts makes it difficult to (a) uniquely identify individuals accessing or (b) provide detailed accountability of user activity within an information system. Default/generic credentials, such as "root" or "admin", should be disabled or changed prior to a system being put into production.
Evidence Requested: Provide evidence that demonstrates shared accounts are not in use.
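As an added example tied to finding 3.1.1 (illustrative code, not from the audit report): detection logic that an organization could run over its own authentication logs to surface accounts that behave like shared credentials (one account logging in from several hosts within a short window) and to list generic account names still in use. The log lines and host addresses are constructed, the log format is assumed to be sshd-like, and the window and threshold are tunable assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-like format (not from the audited system).
SAMPLE_LOG = """\
2024-03-01T08:00:05 sshd: Accepted password for admin from 10.1.2.10
2024-03-01T08:03:41 sshd: Accepted password for admin from 10.1.2.57
2024-03-01T08:04:12 sshd: Accepted password for jsmith from 10.1.2.10
2024-03-01T09:15:00 sshd: Accepted password for admin from 10.1.2.88
2024-03-01T17:30:00 sshd: Accepted password for jsmith from 10.1.2.11
"""
LINE_RE = re.compile(r"^(\S+) sshd: Accepted \S+ for (\S+) from (\S+)$")
# Generic names the finding says should be disabled or renamed before production.
GENERIC_NAMES = {"root", "admin", "administrator", "guest"}

def parse(log):
    """Yield (timestamp, user, source_host) for each successful login line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def shared_account_candidates(log, window=timedelta(minutes=10), min_sources=2):
    """Accounts seen logging in from at least min_sources distinct hosts inside one
    window. One person rarely does that; several people sharing one credential do.
    Returns {user: sorted list of source hosts in the first offending window}."""
    by_user = defaultdict(list)
    for ts, user, src in parse(log):
        by_user[user].append((ts, src))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            sources = {src for ts, src in events[i:] if ts - start <= window}
            if len(sources) >= min_sources:
                flagged[user] = sorted(sources)
                break
    return flagged

def generic_accounts_in_use(log):
    """Generic/default account names that still authenticate successfully."""
    return sorted({user for _, user, _ in parse(log) if user in GENERIC_NAMES})

if __name__ == "__main__":
    print(shared_account_candidates(SAMPLE_LOG))
    print(generic_accounts_in_use(SAMPLE_LOG))
```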

Finding 3.1, Control 3.1.2
Control Objective: Organization shall (a) ensure that authenticators have sufficient strength of mechanism for their intended use and (b) change default content of authenticators prior to information system installation.
Ref: NIST SP 800-53 IA-5
Results Noted: NOT IN PLACE. The organization had not changed default passwords prior to information system installation.
Evidence Requested: Auditor will test for default and easily guessable passwords.

Finding 3.1, Control 3.1.3
Control Objective: Organization shall (a) schedule, perform, document, and review records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements; and (b) approve and monitor all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location.
Ref: NIST SP 800-53 MA-2
Results Noted: NOT IN PLACE. The organization had not performed regular maintenance of operating systems. Systems were missing security vulnerability patches, records of all maintenance activities were not maintained, and maintenance activities were not approved or monitored. The organization did not employ automated mechanisms to schedule and conduct the information system security maintenance as required.
Evidence Requested: Provide evidence that demonstrates systems are running the latest security patches, including when the latest patches were installed, and systems are configured to update automatically.

Finding 3.2, Control 3.2.1
Control Objective: Organization shall (a) review proposed configuration-controlled changes to the information system and approve or disapprove such changes with explicit consideration for security impact analyses, (b) document configuration change decisions associated with the information system, and (c) retain records of configuration-controlled changes to the information system for at least three (3) years.
Ref: NIST SP 800-53 CM-3
Results Noted: NOT IN PLACE. The organization did not (a) provide adequate management of or (b) document changes to systems and application programs to protect the systems and programs against failure as well as security breaches. Changes should be analyzed and evaluated for the impact on security, preferably before they are approved and implemented.
Evidence Requested: Provide a completed change control form as an attached PDF.

Finding 3.2, Control 3.2.2
Control Objective: Organization shall establish and document configuration settings for information technology products employed within the information system.
Ref: NIST SP 800-53 CM-6
Results Noted: NOT IN PLACE. The organization had not established and documented a standard set of mandatory configuration settings for information technology products employed within the information system. The selected configuration setting must reflect the most restrictive mode consistent with operational requirements and must be derived from industry-accepted sources.
Evidence Requested: Provide a copy of hardening guides for system components in use as an attached PDF(s).

Finding 4.1, Control 4.1.1
Control Objective: Organization shall (a) implement incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; and (b) incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly.
Ref: NIST SP 800-53 IR-4
Results Noted: NOT IN PLACE. The organization did not have procedures defined for properly responding to a ransomware security incident. The incident handling procedures should address processes throughout all stages of the NIST incident response life cycle, including the following:
• Preparation
• Detection and Analysis
• Containment, Eradication, and Recovery
• Post-Incident Activities
The procedures should also include (a) a method to verify threats to rule out the possibility of a hoax before notifying others and (b) a contact list of antivirus software vendors. NIST SP 800-61, Computer Security Incident Handling Guide and NIST SP 800-83, Guide to Malware Prevention and Incident Handling for Desktops and Laptops should be used as guidance when developing incident handling procedures.
Evidence Requested: Provide a copy of the relevant incident handling procedures as an attached PDF.

Finding 4.1, Control 4.1.2
Control Objective: Organization shall require personnel to (a) report suspected security incidents to the organizational incident response capability within a defined time period; and (b) report security incident information to appropriate organization management.
Ref: NIST SP 800-53 IR-6
Results Noted: NOT IN PLACE. The organization did not have an established incident reporting procedure. This procedure should define incident severity levels, internal escalation procedures and contact information, reporting time frames, and requirements for minimum information that must be documented as part of an event.
Evidence Requested: Provide a copy of an incident report form as an attached PDF.

Finding 4.1, Control 4.1.3
Control Objective: Organization shall test the incident response capability for the information system at least annually to determine the incident response effectiveness and document the results.
Ref: NIST SP 800-53 IR-3
Results Noted: NOT IN PLACE. The organization did not perform testing to simulate a breach of restricted or highly restricted data and test the organization's incident response policies and procedures. Each test must produce an after-action report to improve existing processes, procedures, and policies.
Evidence Requested: Provide a copy of the documented test results as an attached PDF.

Finding 5.1, Control 5.1.1
Control Objective: Organization shall (a) establish usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (b) authorize the connection of mobile devices to organizational information systems.
Ref: NIST SP 800-53 AC-19
Results Noted: NOT IN PLACE. The organization did not have a formal practice for securing mobile devices. Employees were required to use mobile phones but had not been provided guidance on how mobile devices were to be used, how access was to be controlled, and how data was to be secured. NIST SP 800-46, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security should be used as guidance on protecting mobile device technologies.
Evidence Requested: Describe how the mobile device ownership model and MDM solution secures mobile devices.

Finding 5.1, Control 5.1.2
Control Objective: Organization shall establish terms and conditions allowing authorized individuals to (a) access the information system from external information systems; and (b) process, store, or transmit organization-controlled information using external information systems.
Ref: NIST SP 800-53 AC-20
Results Noted: NOT IN PLACE. The organization did not have a formal documented policy on who was granted access from mobile devices or what resources mobile devices were allowed to access.
Evidence Requested: Provide a copy of the mobile device policy as an attached PDF.
