CTF: The Auditor Left. Now What Do You Do With the Report?

Difficulty: Intermediate | Time: 20–30 min | Linked product: AI Governance Pack ($97)​‌‌‌​​‌‌‍​‌‌​​‌​‌‍​‌‌​​​‌‌‍​‌‌‌​‌​‌‍​‌‌‌​​‌​‍​‌‌​‌​​‌‍​‌‌‌​‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌​​​​‌‍​‌‌‌​‌​‌‍​‌‌​​‌​​‍​‌‌​‌​​‌‍​‌‌‌​‌​​‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌‌​‌​​‍​‌‌​​‌‌​

---

The Setup

You're the IT manager for a 55-person professional services firm in Canberra. Six weeks ago, your board mandated an external security audit as part of applying for a federal government supply-chain panel. The auditor has just sent through the final report. It's 47 pages.

Key findings summary:​‌‌‌​​‌‌‍​‌‌​​‌​‌‍​‌‌​​​‌‌‍​‌‌‌​‌​‌‍​‌‌‌​​‌​‍​‌‌​‌​​‌‍​‌‌‌​‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌​​​​‌‍​‌‌‌​‌​‌‍​‌‌​​‌​​‍​‌‌​‌​​‌‍​‌‌‌​‌​​‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌‌​‌​​‍​‌‌​​‌‌​

• 2 Critical findings
• 7 High findings
• 9 Medium findings
• 5 Low findings
• Total: 23 findings

You have:

• $12,000 remaining in your security budget for the financial year
• No dedicated security staff — it's you plus a part-time IT contractor
• A board presentation in 5 business days where you need to present your remediation plan
• The government panel application requires you to evidence remediation of all Critical and High findings within 90 days

The 23 findings include a mix of technical vulnerabilities, missing policies, procedural gaps, and one AI-related finding you weren't expecting.

You can't fix everything. You need a prioritisation framework and a credible plan. Build it.

---

The Challenge

---

Question 1 — Triage the Critical findings

The two Critical findings are:

Critical 1: "No multi-factor authentication enforced on internet-facing administrative interfaces. Remote Desktop Protocol (RDP) is exposed to the internet on three servers without MFA. Exploitation of this vulnerability would provide an attacker with direct administrative access to production systems."

Critical 2: "No documented Business Continuity Plan (BCP) or Disaster Recovery Plan (DRP). In the event of a significant disruption, there is no documented procedure for restoring operations. Staff interviewed could not identify their recovery point or recovery time objectives."

For each Critical finding: (a) What is t

he remediation? (b) How long will it take? (c) What does it cost? (d) Who in your firm needs to be involved?

---

Question 2 — Prioritise the High findings

You have 7 High findings. With $12,000 and two people, you cannot fix them all before the board presentation. You need a prioritisation framework.

Design a 4-factor prioritisation matrix for your High findings that accounts for: exploitability, business impact, remediation effort, and cost. For each factor, define a 1–3 scoring scale. Apply it to these two High findings to demonstrate the framework:

• High-3: "Password policy does not enforce minimum complexity. Audit of Active Directory found 23 user accounts with passwords that have not been changed in over 3 years, including 4 accounts with administrative privileges."
• High-7: "No formal vendor risk assessment process. Third-party suppliers with access to company systems have not been assessed for security maturity."

---

Question 3 — The unexpected AI finding

The auditor flagged a Medium finding you weren't anticipating:

Medium-4: "Multiple staff members are using AI productivity tools (ChatGPT, Copilot, Gemini) for work purposes. No AI Acceptable Use Policy exists. No assessment has been conducted of data processed by these tools. Given the firm's engagement with federal government clients, this represents a potential information security and contractual compliance risk."

Your government panel application requires you to confirm that all information handling practices comply with the Australian Government's Protective Security Policy Framework (PSPF) and the ISM.

• What does the PSPF say about using commercial AI tools to process government information?
• Does your "no AI policy" currently comply with PSPF requirements?
• What is the minimum viable AI governance artefact you need to produce to address this finding?

---

Question 4 — The board presentation

You have 5 days and need to present a credible remediation plan to the board. The board has two concerns: legal liability (they don't want to be responsible if something goes wrong) and the government panel (they need that contract).

Structure your board presentation. What are the four essential elements of a security audit response presentation that gives a non-technical board what they need to make decisions? What's the single most common mistake IT managers make when presenting security findings to boards?

---

Question 5 — The 90-day plan

Design a credible 90-day remediation roadmap for the Critical and High findings. You have $12,000 and two people (you and a part-time contractor at $120/hour for up to 40 hours/month). Allocate your budget across the findings in a way that addresses the government panel requirements.

What do you do in Month 1, Month 2, and Month 3? What gets deferred and why?

---

Hints

Hint 1 (Q1): RDP exposed to the internet without MFA is one of the most commonly exploited attack vectors in Australian SMB ransomware incidents. Remediation is fast and cheap: disable direct internet RDP, require VPN for remote admin access, enable MFA on VPN. Cost: configuration time. The BCP/DRP is harder — you can't write a credible BCP in a week. But you can document your current state (what systems are critical, what the RTOs and RPOs should be) in a week, which is a credible first deliverable.

Hint 2 (Q2): The four factors in your matrix should reflect both the attacker's perspective (how easy is this to exploit, how much damage does it do) and your perspective (how hard is it to fix, how much does it cost). High-3 (weak passwords on admin accounts) scores high on exploitability and business impact, low on effort and cost — fix it first. High-7 (no vendor risk process) scores medium on exploitability (it's a process gap, not an immediate technical vulnerability) and high on effort (building a process takes time) — this can wait.

Hint 3 (Q3): The Australian Government's PSPF and ISM have specific guidance on using cloud services and AI tools for official work. The ISM's cloud controls (ISM-1159 and related) require that cloud services used for government-related work be assessed under the IRAP (Infosec Registered Assessors Program) framework. Commercial ChatGPT and consumer-tier Copilot are not IRAP-assessed. This means your staff using these tools for work that involves government information may already be in breach of your panel agreement. The minimum artefact is a policy that explicitly prohibits using unapproved AI tools for any work involving government information, with an approved alternatives list.

Hint 4 (Q4): The most common mistake: presenting a list of vulnerabilities and their technical details to a board that doesn't understand them. Boards need risk in business terms (what does this mean for us in $, liability, operations) not technical terms (CVE-2024-XXXX, CVSS score 9.1). Lead with: what's our current risk, what's our plan, what do we need from the board (budget, decisions), what's the legal exposure if we don't act.

Hint 5 (Q5): Month 1 is all Critical findings and the highest-scoring High findings — these are your government panel commitments and your biggest liability. Month 2 is policy and process — BCP documentation, vendor risk process, AI policy. Month 3 is remaining High findings and beginning Medium remediation. Defer Low findings explicitly and document why.

---

Reveal: Full Answer to Question 3

The PSPF, ISM, and your AI finding:

What the PSPF says about commercial AI tools:

The Australian Government's PSPF Policy 10 (Safeguarding information from cyber threats) and the Information Security Manual (ISM) together govern how government information must be handled. Key principle: government information must only be processed by systems that have been assessed and authorised to handle that classification level.

The ISM's cloud computing guidance requires that cloud services used to process government information be either:

1. Hosted in Australia with an IRAP assessment, or
2. Listed on the ASD Certified Cloud Services List (CCSL), or
3. Assessed by your own IRAP assessor and found acceptable for the specific data classification

Consumer-tier ChatGPT (OpenAI US infrastructure, no IRAP assessment) and consumer-tier Copilot are not on the CCSL and have not been IRAP-assessed. Microsoft 365 GCC High (US government cloud) is assessed, but that's not what most SMBs are running.

Does "no AI policy" comply?

No. The absence of a policy means there's no control preventing staff from processing government information through unapproved tools. Even if no-one has actually done it, the absence of the control is itself non-compliant with the PSPF's control objectives.

The minimum viable AI governance artefact for this finding:

You need three things:

1. AI Acceptable Use Policy that explicitly states: "Staff must not use AI tools to process, store, or transmit any information received from, or created in connection with, Australian Government clients, unless that tool has been approved by [your firm's security function] and assessed as appropriate for the relevant data classification."

2. An approved AI tools list — even if it's a short list. For government work: no unapproved AI tools. For internal-only work with no government information: approved tools with conditions (e.g., no client data). This gives staff clear guidance rather than a blanket prohibition that gets ignored.

3. A staff acknowledgement that they've read the policy — specifically name AI tools. "I acknowledge I have read the AI Acceptable Use Policy and understand that I must not use [list of unapproved tools] for any work involving government information."

This doesn't require extensive documentation. It requires: a two-page policy, a one-page approved tools list, and a signature form. You can produce this in a week. When you present to the auditor and the government panel, this shows a control is in place — it's not a full ISO 42001 framework, but it addresses the finding.

The longer-term answer is to run a proper AI tool assessment using the ISM's cloud security controls as a baseline — that's what the AI Governance Pack is built to help you do.

---

Get the Full Answer Key

You've seen the full PSPF/AI governance answer. The remaining questions — on Critical finding remediation costs, the 4-factor prioritisation matrix, board presentation structure, and the 90-day budget allocation — are covered in the AI Governance Policy Pack for SMBs.

The pack includes:

• AI Acceptable Use Policy template (PSPF-aware)
• AI tool risk assessment matrix aligned to ISM cloud controls
• Approved AI tools assessment template
• Security audit response framework
• Board presentation template for non-technical boards

Get the AI Governance Pack for $97 → lil.business/products/ai-governance-pack

Or buy via Polar: https://buy.polar.sh/polar_cl_8KEjRB7rL8QidCD5EAXNOJavkYIVqdLdazVqE4SaII2

---

PSPF and ISM references are accurate as at April 2026. The CCSL and IRAP framework are real ASD/ACSC mechanisms. Scenario is fictionalised.