Overview
You have been hired as an auditor for a local university, which
is preparing to undergo an accreditation inspection to confirm
that security controls are in place and adhered to and that data
is protected from unauthorized access internally and externally.
As the auditor, you play a key role in ensuring compliance. As
the organization prepares for its three-year accreditation, you
are tasked with gathering the artifacts that will be used to build
the accreditation package. The accreditation package will be
submitted under the Risk Management Framework (RMF) and will
use the controls found in NIST SP 800-53 and NIST SP 800-53A.
The controls to be audited are provided in the worksheet.
Your university has an IT staff consisting of the following
personnel:
CIO: in charge of overall network operations and cybersecurity.
Information Security Officer: implements and manages
cybersecurity policies.
System Analysts: monitor security features implemented on
hosts (laptops, desktops) and server-side security (NIPS, NIDS).
Auditors: validate baseline compliance of systems in accordance
with Security Technical Information Guide (STIG), NIST, and
federal, state and local policies, regulations, and laws.
System Administrators: manage data and applications on
servers.
Network Administrators: manage all switches, routers,
firewalls, and sensors.
Desktop Administrators: administer hardware and software to
users and manage day-to-day troubleshooting calls from users.
Help Desk: acts as the liaison between the customer and
administrators through the use of a Ticket Management System
(TMS).
To ensure separation of duties, all employees are provided a
written list detailing their roles and responsibilities. Terminated
employees are debriefed, and physical and logical access
controls are removed to prevent further access.
Users are defined as those staff without elevated privileges that
can affect the configuration of a computer or networked device.
Advanced users have the rights and credentials to physically
make a configuration change to a networked device or direct a
configuration change through positional authority. All advanced
users complete the same initial user agreement as standard users
as well as a nondisclosure agreement (NDA). There is no
required training for standard and advanced users.
For automated account management, the university uses Active
Directory (AD).
Onboarding new users and managing access follows this
process:
When a user arrives, they visit the help desk in person and
submit a request to have an account created.
All users must read and sign a user agreement outlining the
rules and terms of use before they are given network access.
These forms are reviewed annually by the ISO and stored
digitally on the network for three years from the date of
termination. The organization defines a time period for each
type of account after which the information system terminates
temporary and emergency accounts (14 days); all accounts that
have not been accessed for 45 days are suspended and, after 90
days, removed from Active Directory.
The help desk creates a ticket that includes the signed user
agreement and assigns the ticket to the system administrators.
The system administrator (SA) creates the account and assigns
the user access based on their role.
Users are assigned least privilege when an account is created.
Discretionary access control is created for university
departments to allow internal users to share information among
defined users. These processes aren’t audited and Active
Directory has become a massive database containing accounts of
users who are no longer employed by the organization as well as
their files. No negative impact from this has been observed.
System admins track when users log in and log out so security
and software patches can be pushed to the users' machines. This
tracking mechanism also contributes to nonrepudiation in the
event of a cybersecurity incident. Additionally, the machine is
configured to log the user out if there is no activity on the
user’s computer for two minutes.
After three failed login attempts, the account will be locked and
will require the user to visit the help desk in person to validate
their credentials and unlock the account.
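One way an auditor could turn the account-lifecycle rules above (14-day temporary and emergency accounts, suspension after 45 idle days, removal after 90) into a repeatable test for the worksheet's Test column. This is an added example, not part of the assignment or the university's tooling: it assumes the auditor has an export of Active Directory accounts with type, creation date, last-logon date and enabled flag (a constructed sample is embedded), and reports every account whose current state lags the state the stated policy requires.

```python
"""Audit check for the scenario's account-lifecycle rules (an AC-2 style test).

Added example. Assumes an AD account export with the fields below; the
SAMPLE_ACCOUNTS list is constructed for illustration, not real data.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

TEMP_ACCOUNT_MAX_DAYS = 14   # temporary and emergency accounts terminated after this
SUSPEND_AFTER_DAYS = 45      # accounts not accessed for this long are suspended
REMOVE_AFTER_DAYS = 90       # ... and removed from Active Directory after this


@dataclass
class Account:
    sam: str                    # sAMAccountName
    kind: str                   # "standard", "advanced", "temporary" or "emergency"
    created: date
    last_logon: Optional[date]  # None = never logged on
    enabled: bool


def days_inactive(acct: Account, today: date) -> int:
    """Idle time; an account that never logged on is measured from creation."""
    ref = acct.last_logon or acct.created
    return (today - ref).days


def expected_state(acct: Account, today: date) -> str:
    """State the policy requires today: 'active', 'disabled' or 'removed'."""
    if acct.kind in ("temporary", "emergency"):
        if (today - acct.created).days > TEMP_ACCOUNT_MAX_DAYS:
            return "removed"
    idle = days_inactive(acct, today)
    if idle > REMOVE_AFTER_DAYS:
        return "removed"
    if idle > SUSPEND_AFTER_DAYS:
        return "disabled"
    return "active"


def actual_state(acct: Account) -> str:
    # Anything present in the export still exists, so it is never 'removed'.
    return "active" if acct.enabled else "disabled"


def find_findings(accounts: List[Account], today: date) -> List[Tuple[str, str, str, int]]:
    """Accounts whose actual state differs from the state the policy requires.

    Each finding is (account, actual state, required state, days inactive).
    """
    findings = []
    for a in accounts:
        want = expected_state(a, today)
        have = actual_state(a)
        if want != have:
            findings.append((a.sam, have, want, days_inactive(a, today)))
    return findings


def compliance_verdict(findings: list) -> str:
    """Worksheet entry for the control: any finding makes it Non-Compliant."""
    return "Compliant" if not findings else "Non-Compliant"


# Constructed sample export (hypothetical accounts), audited as of AUDIT_DATE.
AUDIT_DATE = date(2024, 5, 1)
SAMPLE_ACCOUNTS = [
    Account("jdoe", "standard", date(2022, 1, 10), date(2024, 4, 29), True),    # in use
    Account("asmith", "standard", date(2021, 3, 1), date(2024, 3, 1), True),    # 61 days idle
    Account("rleft", "standard", date(2019, 6, 15), date(2023, 11, 2), True),   # 181 days idle
    Account("tmp-vendor", "temporary", date(2024, 3, 20), date(2024, 4, 28), True),  # 42 days old
    Account("emerg01", "emergency", date(2024, 4, 25), None, True),             # 6 days old
    Account("bold", "standard", date(2020, 1, 1), date(2024, 2, 20), False),    # already disabled
]

if __name__ == "__main__":
    results = find_findings(SAMPLE_ACCOUNTS, AUDIT_DATE)
    for sam, have, want, idle in results:
        print(f"{sam}: is {have}, policy requires {want} ({idle} days inactive)")
    print("Verdict:", compliance_verdict(results))
```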
Instructions
Download Worksheet: Information Technology Audit and Control [DOCX].
We started by addressing Access Control Policy and Procedure
(AC-1) and provide the completed sample below.
Complete the controls in the rest of the table in the worksheet.
Ensure that you answer based on the assessment objective listed
in the control and the information in the scenario.
Submit the worksheet.
Sample:
Control: AC-1.1
Assessment Objective: The organization develops and formally
documents access control policy; the organization access control
policy addresses: purpose; scope; roles and responsibilities;
management commitment; coordination among organizational
entities; and compliance; the organization disseminates formal
documented access control policy to elements within the
organization having associated access control roles and
responsibilities; the organization develops and formally
documents access control procedures; the organization access
control procedures facilitate the implementation of the access
control policy and associated access controls; and the
organization disseminates formally documented access control
procedures to elements within the organization having
associated access control roles and responsibilities.
Examine: Access control policy and procedures; other relevant
documents or records.
Test/Interview: Organizational personnel with access control
responsibilities.
Compliant/Non-Compliant: Compliant – the organization documents
its access control policy, and access controls are implemented
based on user role and organizational policies.
Requirements
This assignment will be graded on the following criteria:
Determine correct assessment objectives for each of the 11
controls presented in the worksheet.
Identify Examine categories for all controls as defined IAW
NIST 800-53.
Identify Test/Interview categories for all controls as defined
IAW NIST 800-53.
Identify Compliant/Noncompliant categories for all controls as
defined IAW NIST 800-53.
OverviewYou have been hired as an auditor for a local univer.docx

More Related Content

Similar to OverviewYou have been hired as an auditor for a local univer.docx

Seven Elements Of Effective Compliance Programs
Seven Elements Of Effective Compliance ProgramsSeven Elements Of Effective Compliance Programs
Seven Elements Of Effective Compliance Programs
Maria Macri
 
Cain and AbelOphcrackStart H.docx
Cain and AbelOphcrackStart H.docxCain and AbelOphcrackStart H.docx
Cain and AbelOphcrackStart H.docx
RAHUL126667
 

Similar to OverviewYou have been hired as an auditor for a local univer.docx (20)

Information 2nd lesson
Information 2nd lessonInformation 2nd lesson
Information 2nd lesson
 
Ch06 Policy
Ch06 PolicyCh06 Policy
Ch06 Policy
 
CONTROL AND AUDIT
CONTROL AND AUDITCONTROL AND AUDIT
CONTROL AND AUDIT
 
Fingerprint Alert System A Solution for Effective Management System
Fingerprint Alert System A Solution for Effective Management SystemFingerprint Alert System A Solution for Effective Management System
Fingerprint Alert System A Solution for Effective Management System
 
Seven Elements Of Effective Compliance Programs
Seven Elements Of Effective Compliance ProgramsSeven Elements Of Effective Compliance Programs
Seven Elements Of Effective Compliance Programs
 
Unit Iii
Unit IiiUnit Iii
Unit Iii
 
Security audit
Security auditSecurity audit
Security audit
 
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
 
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
 
Technology Controls in Business - End User Computing
Technology Controls in Business - End User ComputingTechnology Controls in Business - End User Computing
Technology Controls in Business - End User Computing
 
Cisa 2013 ch4
Cisa 2013 ch4Cisa 2013 ch4
Cisa 2013 ch4
 
User Provisioning, Comparison of Common Methodologies, Cloud Provisioning
User Provisioning, Comparison of Common Methodologies, Cloud ProvisioningUser Provisioning, Comparison of Common Methodologies, Cloud Provisioning
User Provisioning, Comparison of Common Methodologies, Cloud Provisioning
 
Logging, monitoring and auditing
Logging, monitoring and auditingLogging, monitoring and auditing
Logging, monitoring and auditing
 
Dit yvol5iss38
Dit yvol5iss38Dit yvol5iss38
Dit yvol5iss38
 
Cain and AbelOphcrackStart H.docx
Cain and AbelOphcrackStart H.docxCain and AbelOphcrackStart H.docx
Cain and AbelOphcrackStart H.docx
 
Security Management Practices
Security Management PracticesSecurity Management Practices
Security Management Practices
 
CCISO_Certification_Training_Course-Outline.pdf
CCISO_Certification_Training_Course-Outline.pdfCCISO_Certification_Training_Course-Outline.pdf
CCISO_Certification_Training_Course-Outline.pdf
 
Dit yvol3iss33
Dit yvol3iss33Dit yvol3iss33
Dit yvol3iss33
 
Access Control and Maintenance.pptx
Access Control and Maintenance.pptxAccess Control and Maintenance.pptx
Access Control and Maintenance.pptx
 
Project Documentation Student Management System format.pptx
Project Documentation Student Management System format.pptxProject Documentation Student Management System format.pptx
Project Documentation Student Management System format.pptx
 

More from aman341480

PAPERSDecember 2008 Project Management Jou.docx
PAPERSDecember 2008  Project Management Jou.docxPAPERSDecember 2008  Project Management Jou.docx
PAPERSDecember 2008 Project Management Jou.docx
aman341480
 
Paper Instructions Paper 1 is your first attempt at an argumen.docx
Paper Instructions Paper 1 is your first attempt at an argumen.docxPaper Instructions Paper 1 is your first attempt at an argumen.docx
Paper Instructions Paper 1 is your first attempt at an argumen.docx
aman341480
 
PAPER EXPECTATIONSFollow the instructions.Make your ideas .docx
PAPER EXPECTATIONSFollow the instructions.Make your ideas .docxPAPER EXPECTATIONSFollow the instructions.Make your ideas .docx
PAPER EXPECTATIONSFollow the instructions.Make your ideas .docx
aman341480
 
Paper Title (use style paper title)Note Sub-titles are not.docx
Paper Title (use style paper title)Note Sub-titles are not.docxPaper Title (use style paper title)Note Sub-titles are not.docx
Paper Title (use style paper title)Note Sub-titles are not.docx
aman341480
 
Paper deadline[10 pts] Due Saturday 0321 Turn in the followin.docx
Paper deadline[10 pts] Due Saturday 0321 Turn in the followin.docxPaper deadline[10 pts] Due Saturday 0321 Turn in the followin.docx
Paper deadline[10 pts] Due Saturday 0321 Turn in the followin.docx
aman341480
 
Paper C Topic Selection (Individual) and Research of an existin.docx
Paper C Topic Selection (Individual) and Research of an existin.docxPaper C Topic Selection (Individual) and Research of an existin.docx
Paper C Topic Selection (Individual) and Research of an existin.docx
aman341480
 
Paper Analysis Essay The 5-page Paper You Submit Must At L.docx
Paper Analysis Essay The 5-page Paper You Submit Must At L.docxPaper Analysis Essay The 5-page Paper You Submit Must At L.docx
Paper Analysis Essay The 5-page Paper You Submit Must At L.docx
aman341480
 
Paper #4 PromptDue Date April 17Rough Draft (Optional) Due A.docx
Paper #4 PromptDue Date April 17Rough Draft (Optional) Due A.docxPaper #4 PromptDue Date April 17Rough Draft (Optional) Due A.docx
Paper #4 PromptDue Date April 17Rough Draft (Optional) Due A.docx
aman341480
 
Page 1 of 2 Summer 2020 AFR 110N Sec. 101, Dr. Gove.docx
Page 1 of 2  Summer 2020 AFR 110N Sec. 101, Dr. Gove.docxPage 1 of 2  Summer 2020 AFR 110N Sec. 101, Dr. Gove.docx
Page 1 of 2 Summer 2020 AFR 110N Sec. 101, Dr. Gove.docx
aman341480
 
Page 1 of 4 NIZWA COLLEGE OF TECHNOLOGY BUSINESS .docx
Page 1 of 4    NIZWA COLLEGE OF TECHNOLOGY BUSINESS .docxPage 1 of 4    NIZWA COLLEGE OF TECHNOLOGY BUSINESS .docx
Page 1 of 4 NIZWA COLLEGE OF TECHNOLOGY BUSINESS .docx
aman341480
 
Page 2 (BSBMGT516 Facilitate continuous improvementLea.docx
Page  2 (BSBMGT516 Facilitate continuous improvementLea.docxPage  2 (BSBMGT516 Facilitate continuous improvementLea.docx
Page 2 (BSBMGT516 Facilitate continuous improvementLea.docx
aman341480
 

More from aman341480 (20)

Paracentesis diagnostic procedure ALT Active Learning Template .docx
Paracentesis diagnostic procedure ALT Active Learning Template .docxParacentesis diagnostic procedure ALT Active Learning Template .docx
Paracentesis diagnostic procedure ALT Active Learning Template .docx
 
Paper to include Name of the Culture,(Italian)Country of Origin.docx
Paper to include Name of the Culture,(Italian)Country of Origin.docxPaper to include Name of the Culture,(Italian)Country of Origin.docx
Paper to include Name of the Culture,(Italian)Country of Origin.docx
 
Paper on Tone What is Flannery O’Connor really discussing in A.docx
Paper on Tone What is Flannery O’Connor really discussing in A.docxPaper on Tone What is Flannery O’Connor really discussing in A.docx
Paper on Tone What is Flannery O’Connor really discussing in A.docx
 
PAPERSDecember 2008 Project Management Jou.docx
PAPERSDecember 2008  Project Management Jou.docxPAPERSDecember 2008  Project Management Jou.docx
PAPERSDecember 2008 Project Management Jou.docx
 
PAPER TOPIC You may choose any biological, chemical or physic.docx
PAPER TOPIC You may choose any biological, chemical or physic.docxPAPER TOPIC You may choose any biological, chemical or physic.docx
PAPER TOPIC You may choose any biological, chemical or physic.docx
 
Paper Instructions Paper 1 is your first attempt at an argumen.docx
Paper Instructions Paper 1 is your first attempt at an argumen.docxPaper Instructions Paper 1 is your first attempt at an argumen.docx
Paper Instructions Paper 1 is your first attempt at an argumen.docx
 
Paper to include Name of the Culture,(Italian)Country of Or.docx
Paper to include Name of the Culture,(Italian)Country of Or.docxPaper to include Name of the Culture,(Italian)Country of Or.docx
Paper to include Name of the Culture,(Italian)Country of Or.docx
 
PAPER EXPECTATIONSFollow the instructions.Make your ideas .docx
PAPER EXPECTATIONSFollow the instructions.Make your ideas .docxPAPER EXPECTATIONSFollow the instructions.Make your ideas .docx
PAPER EXPECTATIONSFollow the instructions.Make your ideas .docx
 
Paper Title (use style paper title)Note Sub-titles are not.docx
Paper Title (use style paper title)Note Sub-titles are not.docxPaper Title (use style paper title)Note Sub-titles are not.docx
Paper Title (use style paper title)Note Sub-titles are not.docx
 
Paper requirementsMust be eight to ten pages in length (exclud.docx
Paper requirementsMust be eight to ten pages in length (exclud.docxPaper requirementsMust be eight to ten pages in length (exclud.docx
Paper requirementsMust be eight to ten pages in length (exclud.docx
 
Paper is due March 15th. Needed it by March 14th for reviewT.docx
Paper is due March 15th. Needed it by March 14th for reviewT.docxPaper is due March 15th. Needed it by March 14th for reviewT.docx
Paper is due March 15th. Needed it by March 14th for reviewT.docx
 
Paper deadline[10 pts] Due Saturday 0321 Turn in the followin.docx
Paper deadline[10 pts] Due Saturday 0321 Turn in the followin.docxPaper deadline[10 pts] Due Saturday 0321 Turn in the followin.docx
Paper deadline[10 pts] Due Saturday 0321 Turn in the followin.docx
 
Paper C Topic Selection (Individual) and Research of an existin.docx
Paper C Topic Selection (Individual) and Research of an existin.docxPaper C Topic Selection (Individual) and Research of an existin.docx
Paper C Topic Selection (Individual) and Research of an existin.docx
 
Paper Ba matrix mapping of a key IT-related organizational (o.docx
Paper Ba matrix mapping of a key IT-related organizational (o.docxPaper Ba matrix mapping of a key IT-related organizational (o.docx
Paper Ba matrix mapping of a key IT-related organizational (o.docx
 
Paper CriteriaTopic selection—A current governmental policy re.docx
Paper CriteriaTopic selection—A current governmental policy re.docxPaper CriteriaTopic selection—A current governmental policy re.docx
Paper CriteriaTopic selection—A current governmental policy re.docx
 
Paper Analysis Essay The 5-page Paper You Submit Must At L.docx
Paper Analysis Essay The 5-page Paper You Submit Must At L.docxPaper Analysis Essay The 5-page Paper You Submit Must At L.docx
Paper Analysis Essay The 5-page Paper You Submit Must At L.docx
 
Paper #4 PromptDue Date April 17Rough Draft (Optional) Due A.docx
Paper #4 PromptDue Date April 17Rough Draft (Optional) Due A.docxPaper #4 PromptDue Date April 17Rough Draft (Optional) Due A.docx
Paper #4 PromptDue Date April 17Rough Draft (Optional) Due A.docx
 
Page 1 of 2 Summer 2020 AFR 110N Sec. 101, Dr. Gove.docx
Page 1 of 2  Summer 2020 AFR 110N Sec. 101, Dr. Gove.docxPage 1 of 2  Summer 2020 AFR 110N Sec. 101, Dr. Gove.docx
Page 1 of 2 Summer 2020 AFR 110N Sec. 101, Dr. Gove.docx
 
Page 1 of 4 NIZWA COLLEGE OF TECHNOLOGY BUSINESS .docx
Page 1 of 4    NIZWA COLLEGE OF TECHNOLOGY BUSINESS .docxPage 1 of 4    NIZWA COLLEGE OF TECHNOLOGY BUSINESS .docx
Page 1 of 4 NIZWA COLLEGE OF TECHNOLOGY BUSINESS .docx
 
Page 2 (BSBMGT516 Facilitate continuous improvementLea.docx
Page  2 (BSBMGT516 Facilitate continuous improvementLea.docxPage  2 (BSBMGT516 Facilitate continuous improvementLea.docx
Page 2 (BSBMGT516 Facilitate continuous improvementLea.docx
 

Recently uploaded

An Overview of Mutual Funds Bcom Project.pdf
An Overview of Mutual Funds Bcom Project.pdfAn Overview of Mutual Funds Bcom Project.pdf
An Overview of Mutual Funds Bcom Project.pdf
SanaAli374401
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
heathfieldcps1
 
Gardella_PRCampaignConclusion Pitch Letter
Gardella_PRCampaignConclusion Pitch LetterGardella_PRCampaignConclusion Pitch Letter
Gardella_PRCampaignConclusion Pitch Letter
MateoGardella
 
Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.
MateoGardella
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
kauryashika82
 

Recently uploaded (20)

Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17  How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17  How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
An Overview of Mutual Funds Bcom Project.pdf
An Overview of Mutual Funds Bcom Project.pdfAn Overview of Mutual Funds Bcom Project.pdf
An Overview of Mutual Funds Bcom Project.pdf
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writing
 
Gardella_PRCampaignConclusion Pitch Letter
Gardella_PRCampaignConclusion Pitch LetterGardella_PRCampaignConclusion Pitch Letter
Gardella_PRCampaignConclusion Pitch Letter
 
Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 

OverviewYou have been hired as an auditor for a local univer.docx

  • 1. Overview You have been hired as an auditor for a local university, which is preparing to undergo an accreditation inspection to confirm that security controls are in place and adhered to and that data is protected from unauthorized access internally and externally. As the auditor, you play a key role in ensuring compliance. As the organization prepares for its three-year accreditation, you are tasked with gathering the artifacts that will be used to build the accreditation package. The accreditation package will be submitted under the Risk Management Framework (RMF) and will use the controls found in NIST SP 800-53 and NIST SP 800-53A . The controls to be audited are provided in the worksheet. Your university has an IT staff consisting of the following personnel: CIO: in charge of overall network operations and cybersecurity. Information Security Officer: implements and manages cybersecurity policies. System Analysts: monitor security features implemented on hosts (laptops, desktops) and server-side security (NIPS, NIDS). Auditors: validate baseline compliance of systems in accordance with Security Technical Information Guide (STIG), NIST, and federal, state and local policies, regulations, and laws.
  • 2. System Administrators: manage data and applications on servers. Network Administrators: manage all switches, routers, firewalls, and sensors. Desktop Administrators: administer hardware and software to users and manage day-to-day troubleshooting calls from users. Help Desk: acts as the liaison between the customer and administrators through the use of a Ticket Management System (TMS). To ensure separation of duties, all employees are provided a written list detailing their roles and responsibilities. Terminated employees are debriefed, and physical and logical access controls are removed to prevent further access. Users are defined as those staff without elevated privileges that can affect the configuration of a computer or networked device. Advanced users have the rights and credentials to physically make a configuration change to a networked device or direct a configuration change through positional authority. All advanced users complete the same initial user agreement as standard users as well as a nondisclosure agreement (NDA). There is no required training for standard and advanced users. For automated account management, the university uses Active Directory (AD). Onboarding new users and managing access follows this process:
  • 3. When a user arrives, they visit the help desk in person and submit a request to have an account created. All users must read and sign a user agreement outlining the rules and terms of use before they are given network access. These forms are reviewed annually by the ISO and stored digitally on the network for three years from the date of termination. The organization defines a time period for each type of account after which the information system terminates temporary and emergency accounts (14 days); all accounts that have not been accessed for 45 days are suspended and, after 90 days, removed from Active Directory. The help desk creates a ticket that includes the signed user agreement and assigns the ticket to the system administrators. The system administrator (SA) creates the account and assigns the user access based on their role. Users are assigned least privilege when an account is created. Discretionary access control is created for university departments to allow internal users to share information among defined users. These processes aren’t audited and Active Directory has become a massive database containing accounts of users who are no longer employed by the organization as well as their files. No negative impact has been observed by this. System admins track when users log in and log out so security and software patches can be pushed to the users' machines. This tracking mechanism also contributes to nonrepudiation in the event of a cybersecurity incident. Additionally, the machine is configured to log the user out if there is no activity on the
  • 4. user’s computer for two minutes. After three failed login attempts, the account will be locked and will require the user to visit the help desk in person to validate their credentials and unlock the account. Instructions Download Worksheet: Information Technology Audit and Control [DOCX] . We started with addressing the Access Control Policy and Procedure (AC-1) and provided the sample below. Complete the controls in the rest of the table in the worksheet. Ensure that you answer based on the assessment objective listed in the control and the information in the scenario. Submit the worksheet. Sample: ControlAssessment ObjectiveExamineTest/ InterviewCompliant/ Non-Compliant AC-1.1The organization develops and formally documents access control policy; the organization access control policy addresses: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; and compliance; the organization disseminates formal
  • 5. documented access control policy to elements within the organization having associated access control roles and responsibilities; the organization develops and formally documents access control procedures the organization access control procedures facilitate the implementation of the access control policy and associated access controls; and the organization disseminates formally documented access control procedures to elements within the organization having associated access control roles and responsibilities.Access control policy and procedures; other relevant documents or records.Organizational personnel with access control responsibilities.Compliant – organization documents access control policy and are implemented based on user role and organizational policies. Requirements This assignment will be graded on the following criteria: Determine correct assessment objectives for each of the 11 controls presented in the worksheet. Identify Examine categories for all controls as defined in IAW NIST 800-53. Identify Test/Interview categories for all controls as defined in IAW NIST 800-53. Identify Compliant/Noncompliant categories for all controls as defined in IAW NIST 800-53.