This diagram represents the flow of information for the audited business process.

Step 1: let's review the significant information related to this point

• The systems administrator downloads the CSV files from the email onto his personal computer, because it is not possible to do this task from the Museum PC.
• The systems administrator's personal PC is also used by his teenage children to download films and music from different non-official repositories.
• The systems administrator's personal PC does not have antivirus installed and is not configured securely. He works with an admin account.

It is potentially insecure to use personal computers for work. The organization should provide the necessary equipment to carry out daily work, and it should be configured in a secure way. In this case, there are two significant weaknesses:

- First, from the personal PC it is possible to visit non-secure URLs. This kind of web page usually contains malware prepared to infect a PC when a user browses it.
- Second, the PC has no security settings at all. This is a high potential risk, especially the fact that the user works with an admin account. In this way, potential malware can be installed with privileged rights.

Step 2: let's review the significant information related to this point

• After having downloaded the CSV files, the chief accountant sends them to the systems administrator by email. He does not encrypt the files.

This way of proceeding has at least these weaknesses:

- The CSV files are sent from a potentially risky computer; therefore, they may carry some kind of malware.
- The files are sent without being encrypted; therefore, confidentiality is at risk.
- The files are sent manually by email, so there is also a risk to their integrity.

Step 3: let's review the significant information related to this point

• The systems administrator downloads the CSV files from the email onto his personal computer, because it is not possible to do this task from the Museum PC.
• After that, he sends the files to the JDE server, where a batch process loads the information automatically into the system. Sending is done via the FTP protocol directly from the systems administrator's personal computer.
• The systems administrator's personal PC is also used by his teenage children to download films and music from different non-official repositories.
• The systems administrator's personal PC does not have antivirus installed and is not configured securely. He works with an admin account.

As in the first point, personal computers must not be used for work tasks, because they cannot be guaranteed to have properly secure settings. In this particular case, web browsing is not restricted and it is possible to visit potentially dangerous pages which may contain malware. Besides, users browse with admin privileges, which can facilitate malware installation and privilege escalation. Another negative point is that the PC has no antivirus installed, and the files are sent directly to the JDE server with a weak protocol, FTP, which transmits credentials and file contents in cleartext.