cQube v5.0 | Scope of Work for Security Audit

It is important to conduct a security audit for cQube v5.0 so that multiple states and central agencies can adopt cQube seamlessly without any security-related concern. The security audit will help protect critical data, identify security loopholes, ensure compliance with regulations, create new security policies and track the effectiveness of security strategies.

Objective

The objectives of this security audit are to:

  • Identify any security vulnerabilities present in the data ETL and visualisation layer of the application

  • Assess the effectiveness of existing security controls

  • Provide recommendations for improving the overall security of the data ETL and visualisation application

Scope

The scope of the audit includes:

  • Reviewing the data ETL and visualisation application's data processing and storage components

  • Testing for common vulnerabilities, such as SQL injection and cross-site scripting (XSS)

  • Assessing the security of the application's data sources and data integrations

  • Reviewing the configuration of the application's hosting environment and infrastructure

  • Assessing the effectiveness of existing security controls, such as access controls, encryption, and logging


The following are outside the scope of this audit:

  • Penetration testing of any systems other than the data ETL and visualisation application itself

  • Physical security of the hosting environment

Methodology

The audit will be conducted using the following methodology:

  • A combination of automated and manual testing techniques will be employed

  • Industry-standard testing frameworks and tools will be used

  • The OWASP Top 10 security risks will be used as a guide for testing scenarios

  • The SANS Top 25 Most Dangerous Software Errors may be used as additional guidelines

  • Additional testing scenarios will be developed to assess the specific security risks associated with data ETL and visualisation applications, such as data leakage and data corruption

Deliverables

The following deliverables will be provided upon completion of the audit:

  • A detailed report of findings, including a prioritised list of vulnerabilities and recommended remediation steps

  • An executive summary of the findings and recommendations

  • A debrief session to review the findings and recommendations with the development team and stakeholders

Roles and Responsibilities

The following roles and responsibilities have been established for the audit:

  • The audit team will be responsible for conducting the audit and producing the deliverables

  • The data ETL, visualisation and application development team will be responsible for providing access to the application and its components, as well as providing any necessary assistance during the audit

  • Stakeholders from the organisation will be responsible for reviewing the findings and recommendations and implementing any necessary remediation steps