Week 7
Worksheet 4: LAN/WAN Compliance and Auditing
Course Learning Outcome(s)
· Analyze information security systems compliance requirements within the Workstation and LAN Domains.
· Design and implement ISS compliance within the LAN-to-WAN and WAN domains with an appropriate framework.
As auditors, we presume that no data produced on a computer is 100% secure regardless of whether it’s a standalone device or connected to a local area network (LAN) or a wide area network (WAN). Organizations implement controls, which are developed and implemented based on regulations and best security practices. Security is implemented throughout an organizations enterprise – from the host the user sits and throughout the devices data traverses or is stored. Here’s an example of a basic enterprise and the security controls that may be implemented. Remember, controls can be physical or logical devices, software or encryption.
Host – A host is a computer, tablet or other device that a user interfaces with to perform a function. The device you’re reading this on is a host. The security controls that could be implemented onto a host include a Host Based Intrusion Detection Systems (HIDS), Host Based Intrusion Prevention System (HIPS), a software Firewall, and Antivirus protection. Policy controls implemented on a host include Role Based Access Control (RBAC), Discretionary Access Control (DAC), Mandatory Access Control (MAC), Login requirements, lockout settings and others that restrict what a user can and can’t do while logged into a host and software to manage (allow and deny) policies electronically (ePo).
Local Area Network – Think of a LAN as an internal network used by an organization that allows user to execute functions using various applications and storage while also having the ability to connect to other organizations using the Internet or Virtual Private Networks (VPN’s). A host connects to a switch and data is routed to a router where it either access systems on the LAN or to a router where it’s going to exchange data with another LAN or WAN. The devices that comprise a LAN and WAN are similar with a difference in that a WAN is built to a much larger scale. As stated, in a network, there are many devices, servers, switches, routers, storage, Call Managers (for VoIP communications), firewalls, web content filters, security appliances that manage Network Intrusion Detection Systems (NIDS), Network Intrusion Prevention Systems (NIPS) and other organization unique systems.
Often as a cost savings measure, services such as security, web content filtering, storage, IP telephony, Software licensing (SaaS) and others can be outsourced to a third party vendor. An agreement is made between the organization and the vendor on the expected requirements and documented in the contract. These requirements are known as Service Level Agreements (SLA).At no point does an organization relieve itself of regulatory requirements for data protection by contracting it o.
Week 7Worksheet 4 LANWAN Compliance and AuditingCourse L.docx
1. Week 7
Worksheet 4: LAN/WAN Compliance and Auditing
Course Learning Outcome(s)
· Analyze information security systems compliance
requirements within the Workstation and LAN Domains.
· Design and implement ISS compliance within the LAN-to-
WAN and WAN domains with an appropriate framework.
As auditors, we presume that no data produced on a computer is
100% secure regardless of whether it’s a standalone device or
connected to a local area network (LAN) or a wide area network
(WAN). Organizations implement controls, which are developed
and implemented based on regulations and best security
practices. Security is implemented throughout an organizations
enterprise – from the host the user sits and throughout the
devices data traverses or is stored. Here’s an example of a basic
enterprise and the security controls that may be implemented.
Remember, controls can be physical or logical devices, software
or encryption.
Host – A host is a computer, tablet or other device that a user
interfaces with to perform a function. The device you’re reading
this on is a host. The security controls that could be
implemented onto a host include a Host Based Intrusion
Detection Systems (HIDS), Host Based Intrusion Prevention
System (HIPS), a software Firewall, and Antivirus protection.
Policy controls implemented on a host include Role Based
Access Control (RBAC), Discretionary Access Control (DAC),
Mandatory Access Control (MAC), Login requirements, lockout
settings and others that restrict what a user can and can’t do
while logged into a host and software to manage (allow and
deny) policies electronically (ePo).
Local Area Network – Think of a LAN as an internal network
2. used by an organization that allows user to execute functions
using various applications and storage while also having the
ability to connect to other organizations using the Internet or
Virtual Private Networks (VPN’s). A host connects to a switch
and data is routed to a router where it either access systems on
the LAN or to a router where it’s going to exchange data with
another LAN or WAN. The devices that comprise a LAN and
WAN are similar with a difference in that a WAN is built to a
much larger scale. As stated, in a network, there are many
devices, servers, switches, routers, storage, Call Managers (for
VoIP communications), firewalls, web content filters, security
appliances that manage Network Intrusion Detection Systems
(NIDS), Network Intrusion Prevention Systems (NIPS) and
other organization unique systems.
Often as a cost savings measure, services such as security, web
content filtering, storage, IP telephony, Software licensing
(SaaS) and others can be outsourced to a third party vendor. An
agreement is made between the organization and the vendor on
the expected requirements and documented in the contract.
These requirements are known as Service Level Agreements
(SLA).At no point does an organization relieve itself of
regulatory requirements for data protection by contracting it out
to a third party or organization external to itself. Regulatory
controls must be incorporated into the SLA’s and audited by the
company contracting services out to ensure compliance.
Repercussions for not meeting SLA requirements should also be
included in the SLA.
Read the scenario below and complete the associated worksheet.
Tidewater LLC is an organization that produces and sells
apparel for men, women and children online. The company has
grown 70% over the past 2 years and is building a new facility
to support the continued growth. All current services with the
exception of managing their website are hosted by various third
party vendors. Because of the growth, the leadership within the
organization has not been able to validate compliance of the
SLA’s and feel that the vendors do not have the best interest of
3. Tidewater LLC in mind. Currently, there is a CIO and web
developer acting as the IT staff.
Tidewater LLC is in the process of recovering all IT services
into the server facility being housed in their new facility.
Tidewater LLC wishes establish and staff an IT department with
a system administrator, network administrator, two general
technicians, cyber security specialist and a full time system
auditor.
The new office is a 2000sqft open office with the server room
located in an adjacent room. Hardware supporting the
organizations IT services include 100 desktop computers
supporting the staff, network switches, routers, a firewall,
Maciffy Security Appliance to provide intrusion detection,
prevention and antivirus protection, Network Attached Storage
(NAS) for users to have a home drive as well as a shared
networked drive for collaboration and sharing, an IIS server for
website management and a call manager for VoIP. Wi-Fi access
points will be added as the network installation progresses.
Email will be managed by an exchange server. The only service
outsourced is a100mbps connection for Internet and VPN’s
between the organization and its suppliers.
Current employees are assigned desk with computer. There are
no prerequisite requirements such as training for users to have
accounts created. All data is stored by a third party vendor in a
shared environment. No controls are implemented to prevent
any user from accessing any other user’s files or folders.
You’ve been retained as an organizations auditor and your first
task is to determine what controls need to be implemented so
that the organization achieves a high level of sustained security
and compliance. Utilizing the NIST 800-53A, develop a control
sheet that the organization should implement and will not
impede with the organization’s mission. This control sheet
should encompass controls that apply to the users and systems
within the organization. You will brief these controls to the
CEO and CIO and explain why you choose these controls and
any impact it will have to the organization.
4. From the Access Control (AC) family of the NIST 800-53A,
select three controls you would recommend be implemented.
Control
Definition
Why Chosen
From the Security Awareness and Training Policy and
Procedures (AT) of the NIST 800-53A, select three controls you
would recommend be implemented.
Control
Definition
Why Chosen
From the Audit and Control (AU) section of the NIST 800-53A,
select three controls you would recommend be implemented.
Control
Definition
Why Chosen
5. From the Configuration Management (CM) section of the NIST
800-53A, select four controls you would recommend be
implemented.
Control
Definition
Why Chosen
From the Security Assessment and Authorization (CA) section
of the NIST 800-53A, select three controls you would
recommend be implemented.
Control
Definition
Why Chosen
6. From the Contingency Planning (CP) section of the NIST 800-
53A, select two controls you would recommend be
implemented.
Control
Definition
Why Chosen
From the Identification and Authentication Policy and
Procedures (IA) section of the NIST 800-53A, select three
controls you would recommend be implemented.
Control
Definition
Why Chosen