Tom Tanner is an external auditor auditing a business line of a multinational corporation. During the audit, he discovers that this business line was recently acquired by the parent company. The long-term intent is to migrate this business line to the corporate ERP system. In the meantime, however, the business line runs a custom-built ERP system maintained by internal developers it hired for that purpose. Tom is accustomed to auditing organizations that use COTS (commercial off-the-shelf) applications, whose vulnerability-management and version-patching controls and procedures are predictable and readily determined. He hires you as a subcontractor to audit the security implications of this custom ERP software.
Use the study materials and do any additional research needed to fill gaps in your knowledge. Write a 4-page paper that covers the following:
Describe the security controls that are in place, that is, the controls that mitigate application threats and vulnerabilities, both in the development and in the use of the software.
Describe the role that the existing application security policy will play in ensuring that the audit covers the appropriate software development and maintenance controls.
Explain how to audit the software patching and version-control process that the organization performs internally.
Describe how to approach audit recommendations for missing application controls on a system known to be at the end of its useful life cycle.
Apply mitigations that support application security within a specific organization.