Worksheet 3: Information Technology Audit and Control

Explain the use of standards and frameworks in a compliance audit of an IT infrastructure.
You have been hired as an auditor for a local university. The university is preparing to undergo an accreditation inspection to validate that security controls are in place and adhered to, and that data is protected from unauthorized access by people both internal and external to the organization.
As the auditor, you play a key role in ensuring that regulations are met and compliance is demonstrated. As the organization prepares for its three-year accreditation, you are tasked with gathering the artifacts that will be used to build the accreditation package.
Your university has an IT staff consisting of the following personnel:
CIO – Overall in charge of network operations and cyber security.
Information Security Officer – Implements and manages cyber security policies.
System Analysts – Tasked with monitoring security features implemented on hosts (laptops, desktops) and server-side security (NIPS, NIDS).
Auditors – Tasked with validating baseline compliance of systems in accordance with Security Technical Implementation Guides (STIGs), NIST, and federal, state and local policies, regulations and laws.
System Administrators – Tasked with managing data and applications on servers.
Network Administrators – Tasked with managing all switches, routers, firewalls, and sensors.
Desktop Administrators – Tasked with administering hardware and software to users and managing the day-to-day trouble calls for users.
Help Desk – Acts as the liaison between the customer and administrators through the use of a Ticket Management System (TMS).
To ensure separation of duties, all employees have the roles and responsibilities for which they are accountable designated in writing. Terminated employees are debriefed, and their physical and logical access controls are removed to prevent further access.
Users are defined as those individuals who do not have any elevated privileges that can affect the configuration of a computer or networked device. All users, prior to gaining access to the network, must read and sign a user agreement outlining the rules and terms of use. These forms are reviewed annually by the ISO and stored digitally on the network for three years from the date of termination. The organization defines a time period for each type of account after which the information system terminates temporary and emergency accounts (14 days); all inactive accounts (accounts that have not been accessed for 45 days) are suspended and, after 90 days, removed from Active Directory.
Advanced users are those users who possess the rights and credentials to physically make a configuration change to a networked device or to direct a configuration change through positional authority. All advanced users complete the same initial user agreement as standard users, as well as a Non-Disclosure Agreement (NDA). There is no required training for standard or advanced users.
For automated account management, the university uses Active Directory (AD). When a user arrives, they submit a request to the Help Desk to have an account created. The Help Desk creates a ticket that includes the signed User Agreement and assigns the ticket to the System Administrators (SAs). The SAs create the account and assign the user access based on their role. Users are assigned least privilege when an account is created. Discretionary Access Control is configured for departments within the university to allow users within a department to share information among defined users. These processes are not audited, and Active Directory has become a massive database containing accounts of users who are no longer employed by the organization, as well as files they created. No negative impact from this has been observed. System Admins track when users log in and log out so that security and software patches can be pushed to the user's machine. This tracking mechanism also contributes to non-repudiation in the event of a cyber security incident. Additionally, if there is no activity on the user's computer for two minutes, the machine is configured to log the user out. Failure to log in correctly three times results in the account being locked out, and the user must visit the Help Desk in person to validate their credentials before the account is unlocked.
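An auditor testing the account-management statements above would compare an account export against the thresholds the scenario states. The following is an added example, not part of the worksheet, that evaluates a constructed set of AD account records (the field names are assumptions) against the 14-day temporary/emergency, 45-day suspension and 90-day removal rules, and against the requirement that terminated employees lose access:

```python
"""Added example (not from the worksheet): check constructed AD export records
against the scenario's account-lifecycle thresholds. Field names are assumed."""
from datetime import date

TEMP_MAX_DAYS = 14          # temporary and emergency accounts are terminated after this
INACTIVE_SUSPEND_DAYS = 45  # inactive accounts are suspended after this
INACTIVE_REMOVE_DAYS = 90   # and removed from Active Directory after this

# Constructed sample export; 'kind' is one of standard | temporary | emergency.
TODAY = date(2024, 6, 1)
ACCOUNTS = [
    {"sam": "jdoe", "kind": "standard", "created": date(2024, 1, 10),
     "last_logon": date(2024, 5, 30), "enabled": True, "employed": True},
    {"sam": "contractor1", "kind": "temporary", "created": date(2024, 5, 1),
     "last_logon": date(2024, 5, 20), "enabled": True, "employed": True},
    {"sam": "asmith", "kind": "standard", "created": date(2022, 3, 1),
     "last_logon": date(2024, 3, 1), "enabled": True, "employed": False},
    {"sam": "bwong", "kind": "standard", "created": date(2023, 1, 1),
     "last_logon": date(2024, 4, 10), "enabled": True, "employed": True},
]

def findings_for(acct, today=TODAY):
    """Return the list of findings for one account record (empty = compliant)."""
    out = []
    age = (today - acct["created"]).days
    idle = (today - acct["last_logon"]).days
    if acct["kind"] in ("temporary", "emergency") and age > TEMP_MAX_DAYS:
        out.append(f"{acct['sam']}: {acct['kind']} account is {age} days old; "
                   f"must be terminated after {TEMP_MAX_DAYS} days")
    if idle >= INACTIVE_REMOVE_DAYS:
        out.append(f"{acct['sam']}: inactive {idle} days; should have been "
                   f"removed from AD at {INACTIVE_REMOVE_DAYS} days")
    elif idle >= INACTIVE_SUSPEND_DAYS and acct["enabled"]:
        out.append(f"{acct['sam']}: inactive {idle} days and still enabled; "
                   f"suspend at {INACTIVE_SUSPEND_DAYS} days")
    if not acct["employed"] and acct["enabled"]:
        out.append(f"{acct['sam']}: terminated employee still has an enabled account")
    return out

def audit(accounts=ACCOUNTS, today=TODAY):
    """Map each account name to its findings; use as the artifact for the package."""
    return {a["sam"]: findings_for(a, today) for a in accounts}

if __name__ == "__main__":
    for name, items in audit().items():
        print(name, "compliant" if not items else items)
```

The same check run over a real export would supply evidence that the stated thresholds are actually enforced, which the scenario itself says is currently not audited.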
As the organization prepares for its three-year accreditation, you are tasked with gathering the artifacts and completing an assessment that will be used to build the accreditation package. The accreditation package that will be submitted falls under the Risk Management Framework (RMF) and will use the controls found in NIST Special Publications 800-53 and 800-53A. The controls to be audited have been provided to you. We will start by addressing Access Control Policy and Procedures (AC-1).
For this assignment, complete the following tasks within this worksheet.
Refer to the scenario above and to NIST 800-53 and 800-53A when completing the spreadsheet contained in this worksheet. Ensure that you answer based on the Assessment Objective listed in the control and on the data provided to you in the scenario. For example:
