Overview

You have been hired as an auditor for a local university, which is preparing to undergo an accreditation inspection to confirm that security controls are in place and adhered to, and that data is protected from unauthorized access, both internally and externally. As the auditor, you play a key role in ensuring compliance. As the organization prepares for its three-year accreditation, you are tasked with gathering the artifacts that will be used to build the accreditation package. The accreditation package will be submitted under the Risk Management Framework (RMF) and will use the controls found in NIST SP 800-53 and NIST SP 800-53A. The controls to be audited are provided in the worksheet.

Your university has an IT staff consisting of the following personnel:

CIO: in charge of overall network operations and cybersecurity.
Information Security Officer (ISO): implements and manages cybersecurity policies.
System Analysts: monitor security features implemented on hosts (laptops, desktops) and server-side security (NIPS, NIDS).
Auditors: validate baseline compliance of systems in accordance with Security Technical Implementation Guides (STIGs), NIST, and federal, state, and local policies, regulations, and laws.
System Administrators: manage data and applications on servers.
Network Administrators: manage all switches, routers, firewalls, and sensors.
Desktop Administrators: administer hardware and software for users and manage day-to-day troubleshooting calls from users.
Help Desk: acts as the liaison between the customer and administrators through the use of a Ticket Management System (TMS).

To ensure separation of duties, all employees are provided a written list detailing their roles and responsibilities. Terminated employees are debriefed, and their physical and logical access is removed to prevent further access.

Users are defined as those staff without elevated privileges, that is, privileges that can affect the configuration of a computer or networked device. Advanced users have the rights and credentials to physically make a configuration change to a networked device, or to direct a configuration change through positional authority. All advanced users complete the same initial user agreement as standard users, as well as a nondisclosure agreement (NDA). There is no required training for standard or advanced users.

For automated account management, the university uses Active Directory (AD). Onboarding new users and managing access follows this process:

When a user arrives, they visit the help desk in person and submit a request to have an account created. All users must read and sign a user agreement outlining the rules and terms of use before they are given network access. These forms are reviewed annually by the ISO and stored digitally on the network for three years from the date of termination. The organization defines a time period for each type of account after which the information system terminates temporary and emergency accounts (1.