Fact Pattern I
You are the Chief Information Security Officer of Banks-A-Million, which owns banks in the U.S. and in 74 other countries.
Banks-A-Million has 1.25 million ATM machines.
It relies on local third-party vendors to install and service ATM machines in all 75 countries.
Banks-A-Million’s CEO sent you a copy of the City of Denver’s Audit Report: Technology Services – Information Technology Vendor Management (September 2022).
The CEO has asked you to review pp. 13-15, which set forth the following audit finding: Technology Services Does Not Consistently Review Vendors for
Existing Security Controls (including Recommendation 1.5).
The CEO is particularly concerned about the audit report’s emphasis on Technology Services’ lack of “consistency” and its “reliance on outdated security
information.”
Questions
The CEO has asked you for three (3) concrete, company-specific vendor audit recommendations to:
Assure consistent oversight of the company’s ATM vendors, and
Reduce the risk of relying on outdated security information.
One of your recommendations should be a creative, outside-the-box vendor auditing idea.
Fact Pattern II
You are the Chief Information Security Officer of Hospitals-A-Million, which owns hospitals in the U.S. and in 74 other countries.
The company has 1.25 million hospital beds and offers free Wi-Fi to patients.
Hospitals-A-Million relies on local third-party vendors to install and service Wi-Fi routers in its hospitals in all 75 countries.
Hospitals-A-Million’s CEO sent you a copy of the City of Denver’s Audit Report: Technology Services – Information Technology Vendor Management (September 2022).
The CEO has asked you to review pp. 13-15, which set forth the following audit finding: Technology Services Does Not Consistently Review Vendors for
Existing Security Controls (including Recommendation 1.5).
The CEO is particularly concerned about the audit report’s emphasis on Technology Services’ lack of “consistency” and its “reliance on outdated security
information.”
Questions
The CEO has asked you for three (3) concrete, company-specific vendor audit recommendations to:
Assure consistent oversight of the company’s Wi-Fi vendors, and
Reduce the risk of relying on outdated security information.
One of your recommendations should be a creative, outside-the-box vendor auditing idea.
Fact Pattern III
You are the Chief Information Security Officer of Hotels-A-Million, which owns hotels in the U.S. and in 74 other countries.
The company has 1.25 million guestrooms and offers free Wi-Fi to members of its Loyal Customers Program.
Hotels-A-Million relies on local third-party vendors to install and service Wi-Fi routers in its hotels in all 75 countries.
Hotels-A-Million’s CEO sent you a copy of the City of Denver’s Audit Report: Technology Services – Information Technology Vendor Management (September 2022).
The CEO has asked you to review pp. 13-15, which set forth the following audit finding: Technology Services Does Not Consistently Review Vendors for
Existing Security Controls (including Recommendation 1.5).
The CEO is particularly concerned about the audit report’s emphasis on Technology Services’ lack of “consistency” and its “reliance on outdated security
information.”
Questions
The CEO has asked you for three (3) concrete, company-specific vendor audit recommendations to:
Assure consistent oversight of the company’s Wi-Fi vendors, and
Reduce the risk of relying on outdated security information.
One of your recommendations should be a creative, outside-the-box vendor auditing idea.