A client approached us with a request to analyse their machine learning solutions. The startup was analysing a large amount of user data, emails, files and more. They also had a chatbot for support, similar to a help desk for the company. The client was unsure about what regulations and certifications they should obtain in the area of cybersecurity, and how they could ensure the security of user files.

We began by assessing the architecture and working documentation of the AI project, including its workflows. The audit also included interviews with management and the development team. In this particular case, there was no direct access to the project code; instead, the auditors analysed specific components through screen demonstrations.

You will learn about the methodologies and approaches we used during the presale phase 😉

The following categories were analyzed in total:

• Architecture
• Cloud
• Network security
• Code, frameworks, packages
• Continuous Integration (CI) and Continuous Deployment (CD)
• Authentication/Authorization (organizational structure, roles, accesses, policies)
• Company processes (documentation, meetings, etc.)
• New government regulations

Additionally, the following recommendations were made for future actions:

• Social engineering (emails, messaging apps, etc.)
• Penetration testing
• Cybersecurity training
• National Security Strategy
• Disaster Recovery Plan

Based on the information gathered, a report was produced to further improve the project cybersecurity posture:

Upon completion of the audit, we provided the client with a cybersecurity business report that outlines the cybersecurity issues in language that is easily understood by business stakeholders. In addition, a detailed cybersecurity technical report was delivered to address the issues identified for the development team. As a bonus, we also provided the client with a process improvement plan to improve the company's critical business processes.

In total, three reports were provided:

• Cybersecurity Business Report
• Detailed Cybersecurity Technical Report
• Business Process Improvement Plan

The client was satisfied with our work and has scheduled a future Remediation Support & Follow-Up Audit.