Information-Technology-Audit-and-Control

Assignment : Information Technology Audit and Control

  • Explain the use of standards and frameworks in a compliance audit of an IT infrastructure.

You have been hired as an auditor for a local university. The university is preparing to undergo an accreditation inspection to validate that security controls are in place and adhered to, and that data is protected from unauthorized access by people both internal and external to the organization.


As the auditor, you play a key role in ensuring regulations and compliances are met. As the organization prepares for its three-year accreditation, you are tasked with gathering the artifacts that will be used to build the accreditation package.

Your university has an IT staff consisting of the following personnel:

CIO – Overall in charge of network operations and cyber security.

Information Security Officer – Implements and manages cyber security policies.

System Analysts – Tasked with monitoring security features implemented on hosts (laptops, desktops) and server-side security (NIPS, NIDS).

Auditors – Tasked with validating baseline compliance of systems in accordance with the Security Technical Implementation Guides (STIGs), NIST publications, and federal, state and local policies, regulations and laws.

System Administrators – Tasked with managing data and applications on servers.

Network Administrators – Tasked with managing all switches, routers, firewalls, and sensors.

Desktop Administrators – Tasked with administering hardware and software for users and managing day-to-day trouble calls from users.

Help Desk – Acts as the liaison between the customer and administrators through the use of a Ticket Management System (TMS).

To ensure separation of duties, every employee's roles and responsibilities are designated in writing. Terminated employees are debriefed, and their physical and logical access is removed to prevent further access.

Users are defined as individuals without elevated privileges, that is, they cannot change the configuration of a computer or networked device. Before gaining access to the network, all users must read and sign a user agreement outlining the rules and terms of use. These forms are reviewed annually by the ISO and stored digitally on the network for three years from the user's date of termination. The organization defines, for each account type, a time period after which the information system terminates the account: temporary and emergency accounts are terminated after 14 days; inactive accounts (accounts that have not been accessed for 45 days) are suspended, and after 90 days they are removed from Active Directory.

Advanced users are those who possess the rights and credentials to make a configuration change to a networked device directly, or to direct such a change through positional authority. All advanced users complete the same initial user agreement as standard users, plus a Non-Disclosure Agreement (NDA). No training is required for standard or advanced users.

For automated account management, the university uses Active Directory (AD). When a user arrives, they submit an account request to the Help Desk. The Help Desk creates a ticket that includes the signed User Agreement and assigns the ticket to the System Administrators (SAs). The SAs create the account and assign access based on the user's role; users are assigned least privilege when the account is created. Discretionary access control is set up for each department within the university so that users in the department can share information among defined users. These processes are not audited, and Active Directory has become a massive database containing users who are no longer employed by the organization, as well as files they created. No negative impact has been observed from this. System Administrators track when users log in and log out so that security and software patches can be pushed to the user's machine; this tracking also contributes to non-repudiation in the event of a cyber security incident. Additionally, if there is no activity on the user's computer for two minutes, the machine is configured to log the user out. Three consecutive failed login attempts lock the account, and the user must visit the Help Desk in person to validate their credentials before the account is unlocked.
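The account-lifecycle and lockout rules above are the kind of thing an auditor verifies against the directory rather than against the policy document. The following PowerShell script is an added example for this worksheet, not part of the assignment text or of any university tooling. It assumes the RSAT ActiveDirectory module on a domain-joined workstation with read access to the domain; the 45-day suspend, 90-day removal and three-attempt lockout thresholds are taken from the scenario, and the output file name is an arbitrary choice.

```powershell
# Added audit check (not from the assignment). Assumes the RSAT ActiveDirectory
# module and domain read access. Thresholds come from the scenario: inactive
# accounts are suspended at 45 days and removed from AD at 90 days; three
# failed logins lock the account until the Help Desk unlocks it.
Import-Module ActiveDirectory

$SuspendAfterDays = 45
$RemoveAfterDays  = 90
$MaxFailedLogins  = 3
$Now = Get-Date

# --- AC-2: stale accounts that the 45/90-day process should have handled ---
# LastLogonDate is built from the replicated lastLogonTimestamp attribute,
# which lags real logons by up to ~14 days; that is accurate enough for a
# 45/90-day test. Accounts that never logged on are measured from creation.
$users = Get-ADUser -Filter * -Properties LastLogonDate, whenCreated, Enabled

$findings = foreach ($u in $users) {
    $lastSeen = if ($u.LastLogonDate) { $u.LastLogonDate } else { $u.whenCreated }
    $idleDays = ($Now - $lastSeen).Days

    if ($idleDays -ge $RemoveAfterDays) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            IdleDays       = $idleDays
            Enabled        = $u.Enabled
            Finding        = "Still present after $RemoveAfterDays days; policy says remove from AD"
        }
    }
    elseif ($idleDays -ge $SuspendAfterDays -and $u.Enabled) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            IdleDays       = $idleDays
            Enabled        = $u.Enabled
            Finding        = "Still enabled after $SuspendAfterDays days; policy says suspend"
        }
    }
}

# Evidence artifact for the accreditation package (file name is arbitrary).
$findings | Sort-Object IdleDays -Descending |
    Export-Csv -NoTypeInformation -Path '.\AC-2-stale-accounts.csv'

"AC-2 inactive-account findings: $(@($findings).Count) of $(@($users).Count) accounts"

# --- AC-7: unsuccessful login attempts ---
# The default domain policy holds the lockout settings. A LockoutDuration of
# 00:00:00 means the account stays locked until an administrator unlocks it,
# which is what the in-person Help Desk unlock in the scenario implies.
$policy = Get-ADDefaultDomainPasswordPolicy

$thresholdOk = ($policy.LockoutThreshold -ne 0) -and ($policy.LockoutThreshold -le $MaxFailedLogins)
$durationOk  = $policy.LockoutDuration -eq [TimeSpan]::Zero

[pscustomobject]@{
    LockoutThreshold         = $policy.LockoutThreshold
    LockoutDuration          = $policy.LockoutDuration
    LockoutObservationWindow = $policy.LockoutObservationWindow
    ThresholdMeetsPolicy     = $thresholdOk   # 1..3 attempts (0 = never locks)
    AdminUnlockRequired      = $durationOk    # matches the Help Desk unlock process
}
```

Run it as an account with domain read rights and attach the CSV and the policy object to the worksheet rows for AC-2 and AC-7 as the "Examine" evidence. An empty findings list supports a Compliant entry; the scenario's own statement that the process is not audited and that departed users remain in AD predicts a non-empty list, which is the non-compliance the auditor must document. Note that the script reads the domain-wide default policy only; a fine-grained password policy (PSO) applied to specific groups would override it and should be checked separately with Get-ADFineGrainedPasswordPolicy.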

In addition to gathering the artifacts, you will complete an assessment that will be used to build the accreditation package. The package will be submitted under the Risk Management Framework (RMF) and will use the controls found in NIST Special Publications 800-53 and 800-53A. The controls to be audited have been provided to you. We will start with Access Control Policy and Procedures (AC-1).

STUDENTS: The focus of this assignment is the appropriate application and testing of controls listed in the Access Control family.

For this assignment, complete the following tasks within this worksheet.

  1. Refer to the scenario above and to NIST SP 800-53 and 800-53A when completing the spreadsheet contained in this worksheet. Base each answer on the Assessment Objective listed for the control and on the data provided in the scenario. For example:

Control: AC-1.1

Assessment Objective: The organization develops and formally documents access control policy; the organization's access control policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance; the organization disseminates the formal documented access control policy to elements within the organization having associated access control roles and responsibilities; the organization develops and formally documents access control procedures; the organization's access control procedures facilitate implementation of the access control policy and associated access controls; and the organization disseminates the formal documented access control procedures to elements within the organization having associated access control roles and responsibilities.

Examine: Access control policy and procedures; other relevant documents or records.

Test / Interview: Organizational personnel with access control responsibilities.

Compliant / Non-Compliant: Compliant – the organization documents an access control policy, and it is implemented based on user role and organizational policies.

Complete the same five columns (Control, Assessment Objective, Examine, Test / Interview, Compliant / Non-Compliant) for each of the following controls:

AC-1.2

AC-2.1

AC-2(2).1

AC-2(3).1

AC-2(5).1

AC-3.1

AC-3(2).1

AC-3(4).1

AC-5.1

AC-6.1

AC-7.1

Note: The assignment will be checked for plagiarism.

The grading rubric for this assignment is attached below.

Grading for this assignment will be based on answer quality, logic / organization of the paper, and language and writing skills, using the following rubric.

Points: 50

Worksheet 3: Information Technology Audit & Control

Grade bands: Unacceptable (below 60%, F); Meets Minimum Expectations (60-69%, D); Fair (70-79%, C); Proficient (80-89%, B); Exemplary (90-100%, A).

1. Determine correct Assessment Objectives for each of the 11 controls presented in the Worksheet. Weight: 25%

Unacceptable: Did not submit, or more than four errors present.
Meets Minimum Expectations: Insufficiently determined correct Assessment Objectives, with no more than four errors.
Fair: Partially determined correct Assessment Objectives, with no more than three errors.
Proficient: Satisfactorily determined correct Assessment Objectives, with no more than two errors.
Exemplary: Successfully determined correct Assessment Objectives for all 11 controls.

2. Examine categories for all controls are correctly identified as defined IAW NIST 800-53. Weight: 25%

Unacceptable: Did not submit, or more than four errors present.
Meets Minimum Expectations: Insufficiently determined correct Examine categories, with no more than four errors.
Fair: Partially determined correct Examine categories, with no more than three errors.
Proficient: Satisfactorily determined correct Examine categories, with no more than two errors.
Exemplary: Successfully determined correct Examine categories for all 11 controls.

3. Test / Interview categories for all controls are correctly identified as defined IAW NIST 800-53. Weight: 25%

Unacceptable: Did not submit, or more than four errors present.
Meets Minimum Expectations: Insufficiently determined correct Test / Interview categories, with no more than four errors.
Fair: Partially determined correct Test / Interview categories, with no more than three errors.
Proficient: Satisfactorily determined correct Test / Interview categories, with no more than two errors.
Exemplary: Successfully determined correct Test / Interview categories for all 11 controls.

4. Compliant / Non-Compliant for all controls are correctly identified as defined IAW NIST 800-53. Weight: 25%

Unacceptable: Did not submit, or more than four errors present.
Meets Minimum Expectations: Insufficiently determined correct Compliant / Non-Compliant categories, with no more than four errors.
Fair: Partially determined correct Compliant / Non-Compliant categories, with no more than three errors.
Proficient: Satisfactorily determined correct Compliant / Non-Compliant categories, with no more than two errors.
Exemplary: Successfully determined correct Compliant / Non-Compliant categories for all 11 controls.
