An Information security audit for a Finnish paper mill

The purpose of this thesis project was to conduct an information security audit of a paper mill's office systems. The work was carried out together with a partner company that provides information technology solutions and services. The goal of the audit was to establish the current state of the office systems' security and to determine the level of protection needed to avoid production losses or breaches of sensitive data. The framework followed as a guide in the research is published by the Center for Internet Security (CIS); it defines how an audit is performed and which areas the research should focus on. CIS RAM (Risk Assessment Method) version 1.0 was used in the risk assessment to evaluate the likelihood and the impact of the identified vulnerabilities and threats.

The report consists of the research method, the case study, the security audit, and the risk analysis. The data was gathered with the help of the partner company, from the documentation produced by the system scan, and through interviews with the paper mill's IT personnel. Together we chose to focus on two controls of CIS Controls version 7.1: "Continuous Vulnerability Management" and "Controlled Use of Administrative Privileges". CIS provides guidance on how to assess whether each control could be compromised and which sub-controls have the highest priority and therefore deserve the most attention.

The mill's staff has expertise in the field of information security, and some of the controls were already being implemented during the research. Other items on the list require further hardening: a couple of default passwords were still in use, and there was no regular or automated scan that would keep the software updated to the latest version. Finally, the results describing the current state were reviewed with the client, and the client was consulted with proposals on how to raise their security level, resulting in protection that fulfils the framework's requirements and minimises the possibility of threats such as unauthorised access to their systems.
