Case Study 1: Mitigating Cloud Computing Risks
Due Week 4 and worth 125 points
Imagine you are an Information Security Manager in a medium-sized organization. Your CIO has asked you to prepare a case analysis report and presentation on establishing internal controls in cloud computing. The CIO has seen several resources online which discuss the security risks related to Cloud based computing and storage. One that stood out was located at http://www.isaca.org/Journal/Past-Issues/2011/Volume-4/Pages/Cloud-Computing-Risk-Assessment-A-Case-Study.aspx. You are being asked to summarize the information you can find on the Internet and other sources that are available. Moving forward, the CIO wants to have a firm grasp of the benefits and risks associated with public, private, and hybrid cloud usage. There is also concern over how these systems, if they were in place, should be monitored to ensure not only proper usage, but also that none of these systems or their data have been compromised.
Write a three to four (3-4) page paper in which you:
Provide a summary analysis of the most recent research that is available in this area.
Examine the risks and vulnerabilities associated with public clouds, private clouds, and hybrids. Include primary examples applicable from the case studies you previously reviewed.
Suggest key controls that organizations could implement to mitigate these risks and vulnerabilities.
Develop a list of IT audit tasks that address a cloud computing environment based on the results from the analysis of the case studies, the risks and vulnerabilities, and the mitigation controls.
Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources.
Your assignment must follow these formatting requirements:
Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions.
Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.
The specific course learning outcomes associated with this assignment are:
Describe the process of performing effective information technology audits and general controls.
Describe the various general controls and audit approaches for software and architecture to include operating systems, telecommunication networks, cloud computing, service-oriented architecture and virtualization.
Use technology and information resources to research issues in information technology audit and control.
Write clearly and concisely about topics related to information technology audit and control using proper writing mechanics and technical style conventions
Assignment 2: Software Engineering, CMMI, and ITIL
Due W ...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
Case Study 1 Mitigating Cloud Computing RisksDue Week 4 and wor
1. Case Study 1: Mitigating Cloud Computing Risks
Due Week 4 and worth 125 points
Imagine you are an Information Security Manager in a medium-
sized organization. Your CIO has asked you to prepare a case
analysis report and presentation on establishing internal
controls in cloud computing. The CIO has seen several
resources online which discuss the security risks related to
Cloud based computing and storage. One that stood out was
located at http://www.isaca.org/Journal/Past-
Issues/2011/Volume-4/Pages/Cloud-Computing-Risk-
Assessment-A-Case-Study.aspx. You are being asked to
summarize the information you can find on the Internet and
other sources that are available. Moving forward, the CIO
wants to have a firm grasp of the benefits and risks associated
with public, private, and hybrid cloud usage. There is also
concern over how these systems, if they were in place, should
be monitored to ensure not only proper usage, but also that none
of these systems or their data have been compromised.
Write a three to four (3-4) page paper in which you:
Provide a summary analysis of the most recent research that is
available in this area.
Examine the risks and vulnerabilities associated with public
clouds, private clouds, and hybrids. Include primary examples
applicable from the case studies you previously reviewed.
Suggest key controls that organizations could implement to
mitigate these risks and vulnerabilities.
2. Develop a list of IT audit tasks that address a cloud computing
environment based on the results from the analysis of the case
studies, the risks and vulnerabilities, and the mitigation
controls.
Use at least three (3) quality resources in this assignment. Note:
Wikipedia and similar Websites do not qualify as quality
resources.
Your assignment must follow these formatting requirements:
Be typed, double spaced, using Times New Roman font (size
12), with one-inch margins on all sides; citations and references
must follow APA or school-specific format. Check with your
professor for any additional instructions.
Include a cover page containing the title of the assignment, the
student’s name, the professor’s name, the course title, and the
date. The cover page and the reference page are not included in
the required assignment page length.
The specific course learning outcomes associated with this
assignment are:
Describe the process of performing effective information
technology audits and general controls.
Describe the various general controls and audit approaches for
software and architecture to include operating systems,
telecommunication networks, cloud computing, service-oriented
architecture and virtualization.
Use technology and information resources to research issues in
3. information technology audit and control.
Write clearly and concisely about topics related to information
technology audit and control using proper writing mechanics
and technical style conventions
Assignment 2: Software Engineering, CMMI, and ITIL
Due Week 6 and worth 125 points
Realizing that an organization’s CMMI level impacts an
organization’s success on requests for proposals (RFPs), your
CIO wants to get the software development processes to CMMI
level 3. Your organization has started developing software
applications and database systems for their customers. The CIO
wants to ensure that the software development and database
development processes are being properly managed and audited,
and he wants to ensure that the organization begins taking the
necessary steps to progress to CMMI level 3. In preparation for
your response, review the CMMI information available at the
Carnegie Mellon Website, located at
http://www.sei.cmu.edu/cmmi/.
IT managers will commonly manage software development and
systems integration activities. Write a three to five (3-5) page
paper in which you:
Describe the software engineering process, the challenges in
managing software development activities, and the potential
interface issues from the software development perspective.
Analyze the CMMI levels and define a roadmap that the
4. organization will need to follow in order to get their software
development processes to CMMI level 3. Note: This is
important because the CMMI level that an organization achieves
impacts their software development reputation.
Explain the auditing tasks that must be performed in order to
achieve level 3.
Determine the continuous assurance auditing activities that the
organization will need to implement to help achieve CMMI
level 3.
Analyze the ITIL service management guidelines and principles.
Examine how ITIL service management practices relate to
CMMI levels and continuous service auditing.
Use at least three (3) quality resources in this assignment. Note:
Wikipedia and similar Websites do not qualify as quality
resources.
Your assignment must follow these formatting requirements:
Be typed, double spaced, using Times New Roman font (size
12), with one-inch margins on all sides; citations and references
must follow APA or school-specific format. Check with your
professor for any additional instructions.
Include a cover page containing the title of the assignment, the
student’s name, the professor’s name, the course title, and the
date. The cover page and the reference page are not included in
the required assignment page length.
The specific course learning outcomes associated with this
assignment are:
5. Describe the process of performing effective information
technology audits and general controls.
Describe information technology general controls based on the
Information Technology Infrastructure Library (ITIL) best
practices.
Describe the various general controls and audit approaches for
software and architecture to include operating systems,
telecommunication networks, cloud computing, service-oriented
architecture and virtualization.
Use technology and information resources to research issues in
information technology audit and control.
Write clearly and concisely about topics related to information
technology audit and control using proper writing mechanics
and technical style conventions.
Case Study 2: HIPAA and IT Audits
Due Week 7 and worth 125 points
Imagine you are the Information Security Officer at a medium-
sized hospital chain. The CEO and the other senior leadership of
the company want to ensure that all of their hospitals are and
remain HIPAA compliant. They are concerned about the HIPAA
Security and Privacy Rules and its impact on the organization.
You begin looking at the information provided by the
Department of Health and Human Services, located at
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/index.html.
Specifically, you are asked to provide an analysis of two (2) of
6. the cases found here with emphasis on what was done to resolve
the compliance issues.
Section 1. Written Paper
Non-compliance with HIPAA regulations can result in
significant fines and negative publicity. To help ensure that
your organization remains in compliance with HIPAA
regulations you have been asked to write a three to five (3-5)
page paper in which you:
1a. Create an overview of the HIPAA Security Rule and
Privacy Rule.
1b. Analyze the major types of incidents and breaches that
occur based on the cases reported.
1c. Analyze the technical controls and the non-technical
controls that are needed to mitigate the identified risks and
vulnerabilities.
1d. Analyze and describe the network architecture that is
needed within an organization, including a medium-sized
hospital, in order to be compliant with HIPAA regulations.
1e. Analyze how a hospital is similar to and different from
other organizations in regards to HIPAA compliance.
1f. List the IT audit steps that need to be included in the
organization’s overall IT audit plan to ensure compliance with
HIPAA rules and regulations.
1g. Use at least three (3) quality resources in this assignment.
Note: Wikipedia and similar Websites do not qualify as quality
7. resources.
Your assignment must follow these formatting requirements:
Be typed, double spaced, using Times New Roman font (size
12), with one-inch margins on all sides; citations and references
must follow APA or school-specific format. Check with your
professor for any additional instructions.
Include a cover page containing the title of the assignment, the
student’s name, the professor’s name, the course title, and the
date. The cover page and the reference page are not included in
the required assignment page length.
Section 2. Network Architecture
2a. Create a network architecture diagram (using Visio or an
open-source equivalent to Visio for creating diagrams), based
on the description of the network architecture that you defined
above for the organization to be compliant with HIPAA
regulations.
2b. Include in the diagram the switches, routers, firewalls,
IDS / IPS, and any other devices needed for a compliant
network architecture.
The specific course learning outcomes associated with this
assignment are:
Describe the process of performing effective information
technology audits and general controls.
8. Explain the role of cybersecurity privacy controls in the review
of system processes.
Describe the various general controls and audit approaches for
software and architecture to include operating systems,
telecommunication networks, cloud computing, service-oriented
architecture and virtualization.
Use technology and information resources to research issues in
information technology audit and control.
Write clearly and concisely about topics related to information
technology audit and control using proper writing mechanics
and technical style conventions.
Term Paper: Managing an IT Infrastructure Audit
Due Week 10 and worth 210 points
This assignment consists of four (4) sections: an internal IT
audit policy, a management plan, a project plan, and a disaster
recovery plan. You must submit all four (4) sections as separate
files for the completion of this assignment. Label each file name
according to the section of the assignment it is written for.
Additionally, you may create and /or assume all necessary
assumptions needed for the completion of this assignment.
Imagine you are an Information Security Manager for a large
national retailer. You have been hired to be directly responsible
for the planning and oversight of IT audits. At the request of the
Board of Directors, the CEO has tasked you with developing a
9. plan for conducting regular audits of the IT infrastructure. The
planning and management aspects of IT audit are critical to the
overall success of the audit, and as a result, the overall success
of the systems implemented within the organization. You must
develop a policy for conducting IT audits and develop a project
plan for conducting two week IT audits.
In addition to the typical networking and Internetworking
infrastructure of a medium-sized organization, the organization
has the following characteristics:
They have a main office and 268 stores in the U.S.
They utilize a cloud computing environment for storage and
applications.
Their IT infrastructure includes Cisco workgroup and core
switches, Cisco routers, Cisco firewalls and intrusion
prevention systems, and servers running Microsoft Windows
Server 2012.
They have over 1000 desktops and approximately 500
organization-owned laptops in the main headquarters.
They allow employees to bring their own devices into the
organization; however, they are subject to being searched upon
entry and exit from the building.
They enable remote access to corporate information assets for
employees and limited access to extranet resources for
contractors and other business partners.
They enable wireless access at the main office and the stores.
They process an average of 67.2 credit card transactions per
10. hour every day at each location and via their corporate Website.
Section 1: Internal IT Audit Policy
Write a three to four (3-4) page paper in which you:
1. Develop an Internal IT Audit Policy, which includes at a
minimum:
a. Overview
b. Scope
c. Goals and objectives
d. Compliance with applicable laws and regulations
e. Management oversight and responsibility
f. Areas covered in the IT audits
g. Frequency of the audits
h. Use at least two (2) quality resources in this assignment.
Note: Wikipedia and similar Websites do not qualify as quality
resources.
Section 2: Management Plan
Write a four to six (4-6) page paper in which you:
2. Explain the management plan for conducting IT audits,
11. including:
a. Risk management
b. System Software and Applications
c. Wireless Networking
d. Cloud Computing
e. Virtualization
f. Cybersecurity and Privacy
g. BCP and DRP
h. Network Security
i. Use at least three (3) quality resources in this assignment.
Note: Wikipedia and similar Websites do not qualify as quality
resources.
Section 3: Project Plan
Use Microsoft Project or an Open Source alternative, such as
Open Project to:
3. Develop a project plan which includes the applicable tasks
for each of the major areas listed below for each element of the
IT audit mentioned above; plan for the audit to be a two (2)
week audit.
12. a. Risk management
b. System software and applications
c. Wireless networking
d. Cloud computing
e. Virtualization
f. Cybersecurity and privacy
g. Network security
Section 4: Disaster Recovery Plan
Write a five to seven (5-7) page paper in which you:
4. Develop a disaster recovery plan (DRP) for recovering
from a major incident or disaster affecting the organization.
a. The organization must have no data loss.
b. The organization must have immediate access to
organizational data in the event of a disaster.
c. The organization must have critical systems operational
within 48 hours.
d. Include within the DRP the audit activities needed to
ensure that the organization has an effective DRP and will be
able to meet the requirements stated above.
13. e. Use at least three (3) quality resources in this assignment.
Note: Wikipedia and similar Websites do not qualify as quality
resources.
Your assignment must follow these formatting requirements:
Be typed, double spaced, using Times New Roman font (size
12), with one-inch margins on all sides; citations and references
must follow APA or school-specific format. Check with your
professor for any additional instructions.
Include a cover page containing the title of the assignment, the
student’s name, the professor’s name, the course title, and the
date. The cover page and the reference page are not included in
the required assignment page length.
The specific course learning outcomes associated with this
assignment are:
Describe the Sarbanes-Oxley (SOX) act and Committee of
Sponsoring Organizations (COSO) framework.
Describe the process of performing effective information
technology audits and general controls.
Describe the various general controls and audit approaches for
software and architecture to include operating systems,
telecommunication networks, cloud computing, service-oriented
architecture and virtualization.
Explain the role of cybersecurity privacy controls in the review
of system processes.
14. Discuss and develop strategies that detect and prevent
fraudulent business practices.
Describe and create an information technology disaster recovery
plan.
Develop an audit plan and control framework that addresses and
solves a proposed business problem.
Use technology and information resources to research issues in
information technology audit and control.
Write clearly and concisely about topics related to information
technology audit and control using proper writing mechanics
and technical style conventions.