Overview
You have been hired as an auditor for a local university, which is preparing to undergo an accreditation inspection to confirm that security controls are in place and adhered to and that data is protected from unauthorized access internally and externally. As the auditor, you play a key role in ensuring compliance. As the organization prepares for its three-year accreditation, you are tasked with gathering the artifacts that will be used to build the accreditation package. The accreditation package will be submitted under the Risk Management Framework (RMF) and will use the controls found in
NIST SP 800-53
and
NIST SP 800-53A
. The controls to be audited are provided in the worksheet.
Your university has an IT staff consisting of the following personnel:
CIO: in charge of overall network operations and cybersecurity.
Information Security Officer: implements and manages cybersecurity policies.
System Analysts: monitor security features implemented on hosts (laptops, desktops) and server-side security (NIPS, NIDS).
Auditors: validate baseline compliance of systems in accordance with Security Technical Information Guide (STIG), NIST, and federal, state and local policies, regulations, and laws.
System Administrators: manage data and applications on servers.
Network Administrators: manage all switches, routers, firewalls, and sensors.
Desktop Administrators: administer hardware and software to users and manage day-to-day troubleshooting calls from users.
Help Desk: acts as the liaison between the customer and administrators through the use of a Ticket Management System (TMS).
To ensure separation of duties, all employees are provided a written list detailing their roles and responsibilities. Terminated employees are debriefed, and physical and logical access controls are removed to prevent further access.
Users are defined as those staff without elevated privileges that can affect the configuration of a computer or networked device.
Advanced users have the rights and credentials to physically make a configuration change to a networked device or direct a configuration change through positional authority. All advanced users complete the same initial user agreement as standard users as well as a nondisclosure agreement (NDA). There is no required training for standard and advanced users.
For automated account management, the university uses Active Directory (AD).
Onboarding new users and managing access follows this process:
When a user arrives, they visit the help desk in person and submit a request to have an account created.
All users must read and sign a user agreement outlining the rules and terms of use before they are given network access.
These forms are reviewed annually by the ISO and stored digitally on the network for three years from the date of termination. The organization defines a time period for each type of account after which the information system terminates temporary and emergency accounts (1.
OverviewYou have been hired as an auditor for a local univer.docx
1. Overview
You have been hired as an auditor for a local university, which
is preparing to undergo an accreditation inspection to confirm
that security controls are in place and adhered to and that data
is protected from unauthorized access internally and externally.
As the auditor, you play a key role in ensuring compliance. As
the organization prepares for its three-year accreditation, you
are tasked with gathering the artifacts that will be used to build
the accreditation package. The accreditation package will be
submitted under the Risk Management Framework (RMF) and
will use the controls found in
NIST SP 800-53
and
NIST SP 800-53A
. The controls to be audited are provided in the worksheet.
Your university has an IT staff consisting of the following
personnel:
CIO: in charge of overall network operations and cybersecurity.
Information Security Officer: implements and manages
cybersecurity policies.
System Analysts: monitor security features implemented on
hosts (laptops, desktops) and server-side security (NIPS, NIDS).
Auditors: validate baseline compliance of systems in accordance
with Security Technical Information Guide (STIG), NIST, and
federal, state and local policies, regulations, and laws.
2. System Administrators: manage data and applications on
servers.
Network Administrators: manage all switches, routers,
firewalls, and sensors.
Desktop Administrators: administer hardware and software to
users and manage day-to-day troubleshooting calls from users.
Help Desk: acts as the liaison between the customer and
administrators through the use of a Ticket Management System
(TMS).
To ensure separation of duties, all employees are provided a
written list detailing their roles and responsibilities. Terminated
employees are debriefed, and physical and logical access
controls are removed to prevent further access.
Users are defined as those staff without elevated privileges that
can affect the configuration of a computer or networked device.
Advanced users have the rights and credentials to physically
make a configuration change to a networked device or direct a
configuration change through positional authority. All advanced
users complete the same initial user agreement as standard users
as well as a nondisclosure agreement (NDA). There is no
required training for standard and advanced users.
For automated account management, the university uses Active
Directory (AD).
Onboarding new users and managing access follows this
process:
3. When a user arrives, they visit the help desk in person and
submit a request to have an account created.
All users must read and sign a user agreement outlining the
rules and terms of use before they are given network access.
These forms are reviewed annually by the ISO and stored
digitally on the network for three years from the date of
termination. The organization defines a time period for each
type of account after which the information system terminates
temporary and emergency accounts (14 days); all accounts that
have not been accessed for 45 days are suspended and, after 90
days, removed from Active Directory.
The help desk creates a ticket that includes the signed user
agreement and assigns the ticket to the system administrators.
The system administrator (SA) creates the account and assigns
the user access based on their role.
Users are assigned least privilege when an account is created.
Discretionary access control is created for university
departments to allow internal users to share information among
defined users. These processes aren’t audited and Active
Directory has become a massive database containing accounts of
users who are no longer employed by the organization as well as
their files. No negative impact has been observed by this.
System admins track when users log in and log out so security
and software patches can be pushed to the users' machines. This
tracking mechanism also contributes to nonrepudiation in the
event of a cybersecurity incident. Additionally, the machine is
configured to log the user out if there is no activity on the
4. user’s computer for two minutes.
After three failed login attempts, the account will be locked and
will require the user to visit the help desk in person to validate
their credentials and unlock the account.
Instructions
Download
Worksheet: Information Technology Audit and Control [DOCX]
.
We started with addressing the Access Control Policy and
Procedure (AC-1) and provided the sample below.
Complete the controls in the rest of the table in the worksheet.
Ensure that you answer based on the assessment objective listed
in the control and the information in the scenario.
Submit the worksheet.
Sample:
ControlAssessment ObjectiveExamineTest/ InterviewCompliant/
Non-Compliant
AC-1.1The organization develops and formally documents
access control policy; the organization access control policy
addresses: purpose; scope; roles and responsibilities;
management commitment; coordination among organizational
entities; and compliance; the organization disseminates formal
5. documented access control policy to elements within the
organization having associated access control roles and
responsibilities; the organization develops and formally
documents access control procedures the organization access
control procedures facilitate the implementation of the access
control policy and associated access controls; and the
organization disseminates formally documented access control
procedures to elements within the organization having
associated access control roles and responsibilities.Access
control policy and procedures; other relevant documents or
records.Organizational personnel with access control
responsibilities.Compliant – organization documents access
control policy and are implemented based on user role and
organizational policies.
Requirements
This assignment will be graded on the following criteria:
Determine correct assessment objectives for each of the 11
controls presented in the worksheet.
Identify Examine categories for all controls as defined in IAW
NIST 800-53.
Identify Test/Interview categories for all controls as defined in
IAW NIST 800-53.
Identify Compliant/Noncompliant categories for all controls as
defined in IAW NIST 800-53.