Audit and Assurance

Auditing Vendor-less Applications

  • 1.  Auditing Vendor-less Applications

    Posted 06 Mar, 2020 12:02
    Hi all,

    I'm new to ISACA, joined yesterday, and to the communities. Happy to be here, as I have already found very useful information regarding mobile app auditing, which I've been struggling with. I'm looking forward to browsing more topics. In the meantime, I have one of my own. I searched but couldn't find what I was looking for, so I'm hoping the community can help me.

    I am a Security and Risk Management Analyst for a large hospital system. One of my responsibilities is to assess any new applications our client engagement analysts request for the departments they support. Sometimes, however, the applications they request are freeware, open source, direct download, etc. and there is no vendor involved. Typically, the analyst will send the vendor our security questionnaire. The vendor fills it out and returns it to us. I and my team base our approval or denial of the application on those answers. I was wondering how you handle assessing applications for which contacting the vendor is not an option. Some vendorless apps I was recently asked to assess include: FileZilla, WinSCP, and Razer Synapse 3. While there are ways to contact support for some of these types of applications, they are not willing to answer our questions. This is what happened with the Razer app. In that case, what steps would you take to assess the application?

    Thank you!

    Troy Brokenshire
    IS Security & Risk Management Analyst