Case Study: IT Audit Use Case for a Public Defense Contractor

Background

An independent IT security consultancy conducted a comprehensive gap analysis for a publicly traded company to assess alignment with industry-standard cybersecurity controls and determine the company’s readiness for formal compliance and risk-based audits.

The objective was to evaluate how well the company had implemented a set of 110 recommended cybersecurity practices—derived from frameworks such as NIST SP 800-171 Rev. 2—focusing on risk, data protection, and operational resilience. The assessment included document review, stakeholder interviews, and infrastructure analysis.

Scope

The audit covered:

  • Systems used to process, store, or transmit sensitive business data

  • Infrastructure located in the continental United States (non-OCONUS)

  • Policies and procedures applicable to enterprise-level cybersecurity operations

  • Applications, platforms, and processes related to finance, HR, legal, and IT

Identified Gaps

The assessment revealed 16 critical control gaps across several cybersecurity domains:

  Control Family                          Number of Gaps
  --------------------------------------  --------------
  Access Control                          2
  Awareness and Training                  1
  Audit and Accountability                3
  Configuration Management                1
  Risk Assessment                         3
  System and Communications Security      4

These gaps ranged from missing automated session terminations to inadequate audit log protection and lack of role-based security training.

Areas for Improvement

Seventeen (17) additional areas were flagged where controls were partially implemented or required formalization:

  Control Family                          Areas for Improvement
  --------------------------------------  ---------------------
  Configuration Management                2
  Identification and Authentication       3
  Incident Response                       3
  Maintenance                             2
  Media and Physical Security             3
  Personnel Security                      1
  System Integrity and Monitoring         3

These recommendations support efforts to tighten access control, improve detection and response capabilities, and elevate infrastructure maturity.

Recommendations

A. Governance and Leadership

  • Appoint a Chief Information Security Officer (CISO) or a virtual CISO (vCISO) to establish independent cybersecurity leadership.

  • Develop a Cybersecurity Governance Program to formalize risk ownership, security strategy, and executive accountability.

B. Technical Operations

  • Implement an integrated Asset Inventory & Change Management solution that links IT, HR, and Finance systems.

  • Adopt a Configuration Management Database (CMDB) with support for device baselining and traceability.

  • Build a Change Advisory Board (CAB) to oversee infrastructure and software changes.

C. Security Management

  • Deploy a Vulnerability Management Program with periodic scans using tools like Tenable or Qualys.

  • Enforce Multi-Factor Authentication (MFA) across all applications and remote access.

  • Create and maintain a formal Incident Response Plan, including testing and cross-functional roles (IT, HR, Finance).

  • Transition to a modern cloud office suite (e.g., Microsoft 365 GCC or Google Workspace) to support security, collaboration, and compliance.

D. Documentation and Records

  • Update and maintain all cybersecurity-related documentation with:

    • Defined ownership

    • Version tracking

    • Consistent formatting and clarity

    • Policy acknowledgment tracking

E. Risk Management

  • Establish an annual enterprise risk assessment aligned to COSO, ISO 31000, or RIMS.

  • Incorporate cybersecurity metrics into IT Steering Committees and executive-level reporting.

F. Compliance Readiness

  • Define and maintain a System Security Plan (SSP) covering systems, assets, controls, and data flow.

  • Map data classifications and storage to sensitive business information (SBI) instead of Controlled Unclassified Information (CUI).

  • Introduce user training tailored to business roles with annual re-certification.

Conclusion

This audit highlights a public company in the process of maturing its IT governance and cybersecurity controls. Addressing the identified gaps will position the organization for stronger regulatory compliance, better audit readiness, and reduced risk exposure. Implementation of the improvements outlined should begin with executive sponsorship and be phased across key business units.