Running head: WRITING THE IT INFRASTRUCTURE AUDIT REPORT 1
Writing the IT Infrastructure Audit Report
John Intindolo
June 7, 2014
ISSC471- IT Security: Auditing
Professor Janelle Davis
American Public University
An IT security audit is used to determine how effective an organization's IT controls are and
to ensure that those controls maintain compliance with company policies. Many tasks go into
compliance, including protecting and securing private data, implementing proper security
controls, and performing periodic security assessments. Once an audit has been conducted, the
final report must be written. Writing the IT infrastructure audit report is perhaps the most
important part of the audit process, because the report communicates the results to the
leaders of the organization, prevents misinterpretation of those results, and sets out the
measures to be taken to correct any issues found. The scope, objectives, methods, work completed,
use of others' work, and findings (among other things) combine to make up the basis of the report.
With that said, it is important to understand exactly what an IT security audit is. By
definition, an IT security audit is an independent analysis and inspection of records and
activities to assess the adequacy of system controls, verify compliance with company policies and
procedures, and recommend necessary changes in controls, policies, and/or procedures
(Goldberg, n.d.). In short, an IT security audit provides assurance that the confidentiality,
integrity, and availability (CIA) of an organization's information assets are being maintained.
Furthermore, an IT security audit is proactive: its intended purpose is to test the security
controls and compliance with policies and procedures before an attacker has the chance to
exploit vulnerabilities in the system. Why is it so important for an organization to maintain
compliance for information systems security (ISS)?
Compliance for ISS is important to businesses because of the sanctions that can be imposed
when a compliance failure or breach occurs. These sanctions can be criminal, civil, or both. One
example of sanctions for failed compliance with the Sarbanes-Oxley Act is a fine of up to
$1 million and imprisonment for up to 10 years for knowingly certifying a financial report that
does not meet the Act's requirements (Hladjk, 2007, pp. 3-4). Another reason compliance is
important is that it also involves IT controls, and failure to assure the CIA of an organization's
systems can significantly damage the public image of the company or even the value of its assets.
An example of this is the Target breach of late 2013, in which customers' payment card
information was stolen. Beyond the money lost as a direct result of the crime, Target suffered a
large blow to its public image, because many customers no longer wanted to shop there after the
incident. While compliance is important, there is a closely related term that plays an important
role in ISS, that being governance.
While compliance verifies that the correct controls are being implemented, governance looks to
use complete and accurate information and management controls to make the organization run
better (Weiss & Solomon, 2011). For example, governance ensures that a thorough security policy
exists and that the standards and procedures needed to implement that policy are in place. How do
compliance and governance relate to each other? Without proper governance an organization cannot
have effective compliance or risk management, and compliance supports governance by ensuring that
the security policies and procedures implemented also meet the standards and regulations set forth.
With an understanding of the IT security audit, compliance, and governance (as well as their
importance), the next logical step is to discuss the IT compliance audit.
An IT compliance audit is part of an ongoing process of making sure that effective security
policies and controls are both implemented and maintained throughout the entire organization.
How does the IT compliance audit begin? To start the audit process one must first have a plan,
and that is where the scope of the audit comes in. The scope defines everything the audit will
cover, including the information and resources to be examined. The scope will therefore identify
the measures needed to be in compliance, the seven domains of the IT infrastructure covered by
the audit, and the contents of the audit report, which includes findings as well as an assessment
and recommendations (if changes are needed). Basically, the scope is the outline of the entire
audit. What tasks are necessary for compliance?
Compliance is not a single task but rather a process made up of several tasks that everyone
within the organization must adhere to. It begins with protecting and securing private data. This
is done in many ways, including the development of privacy policies, routine risk assessment of
access controls, using encryption for work-related e-mail, and training employees on privacy
practices and policies. Privacy policies do not only exist within the company; there are also
privacy laws set forth by the government that must be complied with. Due to "pressure from various
stakeholder action groups interested in concerns dealing with security and privacy, the U.S.
government and a few security conscientious industries" have set specific regulations and
standards to be followed (Chen, Ramamurthy, & Wen, 2012, p. 158).
One of the most common privacy laws is the Health Insurance Portability and Accountability
Act, also known as HIPAA. The HIPAA Privacy Rule protects an individual's health information by
setting limits and conditions on the uses and disclosures of that information that may be made
without the patient's authorization ("Understanding health information," n.d.). Next up for
remaining compliant within the organization's IT infrastructure is having the proper security
controls in place.
Since the biggest factor in information security is the management of risk, proper security
controls are the ones that mitigate that risk. It is impossible to address every risk, however,
because resources are limited, and for this reason there must be some trade-off among risks. In
other words, the biggest risks will have security controls to mitigate them, while the smallest
risks will receive fewer resources (or be accepted altogether). Because the threat level of each
risk matters, it is important to prioritize the risks from highest to lowest. This ensures that
the biggest threats are dealt with and that resources are not wasted. What constitutes proper
security controls?
As stated above, deciding which security controls are necessary for the organization works
hand in hand with risk management. The first step is to list all data and information systems
within the organization. Then one must consider the impact of each piece of data and each
information system on the organization, once again prioritized from highest to lowest importance.
At this point security controls can be selected based on the risk to the systems and then
implemented to mitigate those risks. The process does not end there, however: the controls must be
evaluated for their effectiveness, confirmed to meet the needs of the organization (by reducing
the risk to an acceptable level), and lastly be continuously monitored. Continuous monitoring not
only identifies new threats, but may also require a change to the security controls implemented.
What security controls can be implemented to achieve compliance?
Understanding which security controls represent the best way to be in compliance starts with the
use of a common IT control framework known as Control Objectives for Information and related
Technology, or simply COBIT. COBIT 5 is a foundation of principles on which an "organization
should build and test security policies, standards, guidelines, processes, and controls" (Olzak,
2013). Not only does COBIT provide this, but it also helps to bring IT and management together, as
IT focuses on business aspects and management is better able to understand what IT does. Some
examples of the types of controls that can be implemented to satisfy the need for compliance are
access control, awareness and training, audit and accountability, security assessment and
authorization, configuration management, incident response, risk assessment, and contingency
planning (Weiss & Solomon, 2011, p. 56); these are the control families defined in NIST Special
Publication 800-53.
As stated previously, achieving compliance is an ongoing process because of constant change in
the organization, in standards, laws, and regulations, and in the threats it faces; therefore, in
order to respond and adjust to these changes, several things need to happen. Three basic
categories make up the basis for maintaining compliance: periodic security assessments, annual
security compliance audits, and defining proper security controls.
The first category is conducting periodic security assessments. These assessments occur more
frequently than the annual security compliance audit and are generally grouped into one of the
following types: high-level (an overall view of the information systems), comprehensive (a
detailed, in-depth analysis of the information systems), and preproduction (for new systems or
those implementing a major change). Changes occur constantly over the course of a year, so
periodic security assessments are imperative for maintaining compliance. Annual security
compliance auditing is performed as a complementary method to periodic assessments and provides
an independent review of how sufficient and effective the internal IT security controls are.
Defining proper security controls is the third component of maintaining compliance. This is
done by creating a policy framework for IT security that outlines what is required of everyone in
the organization to maintain compliance. Essentially this is the why, what, and how of the
organization's IT security framework. Without defined security controls, how will anyone know
whether they are in compliance or not? For that reason, it is vital to the security of an
organization to have clear-cut and well-defined security controls. Defining proper security
controls is done using the following framework: at the top is the policy, which details the
organization's beliefs, goals, objectives, and acceptable procedures for IT security; next are
standards, which make the policy more meaningful and effective by creating an action or rule to
support it; then guidelines, which suggest the best practices for reaching the policy's
objectives; and lastly procedures, which give a step-by-step outline of how the standards and
guidelines are implemented to support the policy (Guel, 2007).
Now comes the writing of the IT infrastructure audit report. The audit report is perhaps the
most important part of the auditing process, because if it is not properly written management
may not consider the measures needed to improve compliance across the IT infrastructure. That is
why the audit report must be well written and easy to follow. Furthermore, it should serve as a
means to communicate the results, prevent misinterpretation of the results, and detail a list of
recommendations to improve compliance for upper management. An audit report is lengthy, and
because the senior leaders of an organization are very busy, they often do not have time to read
the full report. That is where the executive summary comes into play.
The executive summary is the part of the audit report designed for the executives who are too
busy to read the full report or who may lack the technical background to grasp what it says. It
should be a brief review of the entire report, and according to Jacka, "If there is an
overpowering need to share such detailed information, then the auditors should put it in the
report" (2012). Make no mistake, though: brief does not mean vague. The executive summary should
include only the most important issues from the audit report. A good measuring stick for the
length of the executive summary is that it should be about 10% of the audit report (Weiss &
Solomon, 2011, p. 154). So if the report is 30 pages long, the executive summary should be about
3 pages. The next area of the audit report is the summary of findings.
The summary of findings is an abstract of what was discovered during the audit of the IT
infrastructure (within the seven domains). A finding is broken down into four components:
criteria, circumstance, cause, and impact. The criteria are what is expected; the circumstance is
the actual situation within the existing IT infrastructure; the cause is the reason a gap exists
between the circumstance and the criteria; and the impact identifies the actual or potential
impact on the IT infrastructure based on the difference between the circumstance and the criteria
(Weiss & Solomon, 2011, pp. 154-155). As referenced above, there is a gap between the expected
state and the actual situation in the IT infrastructure. This is where a gap analysis comes into
play.
A gap analysis is a tool used to find the gap between the current state of the IT
infrastructure and the desired state necessary for compliance. Additionally, the gap analysis
provides the steps needed to bridge the gap between the two. Conducting a gap analysis is a
three-step approach: identify the criteria for compliance, analyze the current situation of the
IT infrastructure, and lastly determine what needs to be done to close the gap between the two
and reach the desired state for compliance ("Gap analysis," n.d.). The next part of writing the
audit report is the IT security assessment.
One of the questions often asked about enterprise security is whether compliance or risk should
receive more focus. The best answer is that there needs to be a healthy balance between the two.
In fact, both risk management and compliance are essential to an organization, and merging,
balancing, and managing the overlap between the two will help the organization avoid its biggest
threats (Anschuetz, 2013). Performing an IT security assessment is the area of enterprise
security that focuses on risk. This portion of the audit report covers risks, threats, and
vulnerabilities. Risk is the likelihood of a loss occurring, weighed against the impact of that
loss. A loss occurs when a threat exploits a vulnerability or weakness.
The assessment process includes basic principles of information security practice, such as
security controls that identify and record known types of attacks, prioritized by risk, and
training employees to recognize the social engineering attacks that can lead to malware being
introduced into the organization's network. The assessment process takes security to the next
level, though, as a continuous model consisting of the following principles: collection of
intelligence feeds, research and training for solutions, threat analysis (assessments and
reporting), developing corrective controls and continuously improving, and monitoring through
periodic security reviews or proactive surveillance measures (Neghina & Scarlat, 2013).
Next comes a list of the IT security controls and countermeasures that will enable compliance
within the organization's IT infrastructure. This portion of the audit report compares the
current state of the controls to the desired state and should clearly define any major gaps as
well. The easiest way to do this is to create a spreadsheet listing the controls, with columns
identifying whether each control is in place, partially in place, or not in place at all. The
next step is the compliance assessment stage.
Compliance should be broken down across the entire IT infrastructure to clearly state the
compliance level being met for each requirement. The levels are compliant (the requirement is
satisfied), noncompliant (the requirement is not being met), not determined (there is not enough
evidence to reach a conclusion one way or the other), and not applicable (the requirement does
not apply in this case). Lastly come the compliance recommendations. At this point in the report,
recommendations are made and documented to bring the organization into compliance.
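The control spreadsheet, the four compliance levels, the gap analysis steps, and the four-part finding described above (together with the risk prioritization discussed earlier) can be worked through in code. The following Python script is an added example, not part of the original paper or of the Weiss and Solomon text; the control identifiers, criteria, domain assignments, and the 1-to-5 likelihood and impact scales in it are constructed sample data. It loads a control inventory, assigns each control one of the four compliance levels, turns every gap into a finding with criteria, circumstance, cause, and impact, and ranks the findings by risk so that the largest gaps come first in the report.

```python
"""Control gap matrix, compliance levels, and risk-ranked findings. Added example, not
from the original paper; control IDs, criteria, domains, and 1-5 scales are constructed."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Current-state column of the control spreadsheet, and the four compliance levels.
IN_PLACE, PARTIAL, NOT_IN_PLACE, NOT_ASSESSED = "in place", "partial", "not in place", "not assessed"
COMPLIANT, NONCOMPLIANT, NOT_DETERMINED, NOT_APPLICABLE = (
    "compliant", "noncompliant", "not determined", "not applicable")

# Constructed sample inventory, as it would be exported from the spreadsheet.
SAMPLE_INVENTORY = """\
control_id,domain,control,criteria,status,applicable,likelihood,impact
AC-2,User,Account management,Accounts disabled within 24 hours of termination,partial,yes,4,4
AC-7,Workstation,Unsuccessful logon attempts,Lockout after 5 failed attempts,in place,yes,3,2
CM-6,LAN,Configuration settings,Hardening baseline applied to all servers,not in place,yes,4,5
IR-4,System/Application,Incident handling,Documented IR plan tested annually,not assessed,yes,3,5
SC-8,WAN,Transmission confidentiality,TLS 1.2 or later on all external links,in place,yes,4,5
AC-17,Remote Access,Remote access,Multi-factor authentication on VPN,not in place,no,1,1
"""

@dataclass
class Control:
    control_id: str
    domain: str
    name: str
    criteria: str     # what is expected
    status: str       # what exists today
    applicable: bool
    likelihood: int   # 1 (rare) to 5 (almost certain)
    impact: int       # 1 (negligible) to 5 (severe)

    @property
    def risk_score(self) -> int:
        return self.likelihood * self.impact   # ranks risks highest to lowest

@dataclass
class Finding:            # the four components of a finding, plus rank and remediation step
    control_id: str
    criteria: str
    circumstance: str
    cause: str
    impact: str
    risk_score: int
    recommendation: str

def load_inventory(text: str) -> list[Control]:
    """Parse the CSV export into Control records."""
    return [Control(r["control_id"], r["domain"], r["control"], r["criteria"], r["status"],
                    r["applicable"].strip().lower() == "yes", int(r["likelihood"]), int(r["impact"]))
            for r in csv.DictReader(io.StringIO(text))]

def compliance_level(c: Control) -> str:
    """Map a control's current state to one of the four compliance levels."""
    if not c.applicable:
        return NOT_APPLICABLE
    if c.status == NOT_ASSESSED:
        return NOT_DETERMINED        # not enough evidence either way
    if c.status == IN_PLACE:
        return COMPLIANT
    return NONCOMPLIANT              # partial still counts as a gap until the criteria are fully met

def gap_analysis(controls: list[Control]) -> list[Finding]:
    """Compare current state to criteria, then state what closes each gap, biggest risk first."""
    findings = []
    for c in controls:
        if compliance_level(c) != NONCOMPLIANT:
            continue
        partial = c.status == PARTIAL
        findings.append(Finding(
            c.control_id, c.criteria,
            f"{c.name} is {c.status} in the {c.domain} domain",
            "Control partially implemented; criteria not fully met" if partial else "Control not implemented",
            f"Likelihood {c.likelihood}/5, impact {c.impact}/5 (risk score {c.risk_score})",
            c.risk_score,
            f"{'Complete' if partial else 'Implement'} {c.name} so that: {c.criteria}"))
    return sorted(findings, key=lambda f: f.risk_score, reverse=True)

def summarize(controls: list[Control]) -> dict[str, dict[str, int]]:
    """Controls per domain and compliance level: the table behind the summary of findings."""
    levels = (COMPLIANT, NONCOMPLIANT, NOT_DETERMINED, NOT_APPLICABLE)
    table = {}
    for c in controls:
        table.setdefault(c.domain, dict.fromkeys(levels, 0))[compliance_level(c)] += 1
    return table

def compliance_rate(controls: list[Control]) -> float:
    """Share of applicable, determined controls that are compliant (0.0 to 1.0)."""
    determined = [lvl for lvl in map(compliance_level, controls) if lvl in (COMPLIANT, NONCOMPLIANT)]
    return determined.count(COMPLIANT) / len(determined) if determined else 0.0

if __name__ == "__main__":
    inventory = load_inventory(SAMPLE_INVENTORY)
    for f in gap_analysis(inventory):
        print(f"[{f.risk_score:>2}] {f.control_id}: {f.circumstance}. {f.recommendation}")
    print(f"Compliance rate: {compliance_rate(inventory):.0%}")
```

Two design choices are worth noting. A partially implemented control is reported as noncompliant rather than as a softer intermediate grade, because the criteria either are or are not met; the partial status survives in the circumstance and cause fields so the reader still sees how far along the control is. Controls marked not determined are excluded from the compliance rate instead of being counted as failures, so that missing evidence is reported as a separate problem rather than quietly lowering the score.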
In conclusion, an IT security audit determines the effectiveness of an organization's IT
controls and makes sure that those controls follow company policies while also complying with
laws and regulations. The most important part of the entire audit process is writing the audit
report, because this is where the results of the audit are communicated to upper management.
Without proper documentation the report is essentially useless, as its results may be
misinterpreted or, even worse, the leaders of the organization may not see the importance of
corrective action.
References
Anschuetz, C. (2013). When it comes to enterprise security, is it better to focus on compliance or
risk? Network World, 30(7), 16.
Chen, Y., Ramamurthy, K. K., & Wen, K. (2012). Organizations' information security policy
compliance: Stick or carrot approach? Journal of Management Information Systems, 29(3),
157-188.
Gap analysis. (n.d.). Retrieved from http://www.mccd.edu/organizations/student/Gap Analysis.pdf
Goldberg, M. (n.d.). IT security auditing [PowerPoint slides]. Retrieved from
https://isis.poly.edu/courses/cs996-management-s2005/Lectures/security%20audit.ppt
Guel, M. (2007). A short primer for developing security policies. Retrieved from
https://www.sans.org/security-resources/policies/Policy_Primer.pdf
Hladjk, J. (2007). IT compliance and IT security, part 2. Privacy & Data Protection, 7(4), 3-5.
Jacka, J. (2012). Just tell me what I need to know. Internal Auditor, 69(6), 71.
Neghina, D., & Scarlat, E. (2013). Managing information technology security in the context of
cyber crime trends. International Journal of Computers, Communications & Control, 8(1),
97-104.
Olzak, T. (2013). COBIT 5 for information security: The underlying principles. Retrieved from
http://www.techrepublic.com/blog/it-security/cobit-5-for-information-security-the-underlying-principles/
Understanding health information privacy. (n.d.). Retrieved from
http://www.hhs.gov/ocr/privacy/hipaa/understanding/
Weiss, M., & Solomon, M. (2011). Auditing IT infrastructures for compliance. Sudbury, MA: Jones
& Bartlett Learning.

17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...abhichowdary16
 
Healthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINALHealthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINALSteve Knapp
 
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS              .docxRunning head AUDITING INFORMATION SYSTEMS PROCESS              .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docxjoellemurphey
 
Running Head ENTERPRISE RISK MANAGEMENT 1ENTERPRISE RISK MANA.docx
Running Head ENTERPRISE RISK MANAGEMENT  1ENTERPRISE RISK MANA.docxRunning Head ENTERPRISE RISK MANAGEMENT  1ENTERPRISE RISK MANA.docx
Running Head ENTERPRISE RISK MANAGEMENT 1ENTERPRISE RISK MANA.docxtodd271
 
Step by Step Guide to Healthcare IT Security Risk Management - Redspin Infor...
Step by Step Guide to Healthcare IT Security Risk Management  - Redspin Infor...Step by Step Guide to Healthcare IT Security Risk Management  - Redspin Infor...
Step by Step Guide to Healthcare IT Security Risk Management - Redspin Infor...Redspin, Inc.
 

Similar a ISSC471_Final_Project_Paper_John_Intindolo (20)

ISACA Cybersecurity Audit course brochure
ISACA Cybersecurity Audit course brochureISACA Cybersecurity Audit course brochure
ISACA Cybersecurity Audit course brochure
 
Read the article Security Controls that Work by Dwayne Melancon .pdf
Read the article Security Controls that Work by Dwayne Melancon .pdfRead the article Security Controls that Work by Dwayne Melancon .pdf
Read the article Security Controls that Work by Dwayne Melancon .pdf
 
Read the article Security Controls that Work by Dwayne Melancon.pdf
Read the article  Security Controls that Work by Dwayne Melancon.pdfRead the article  Security Controls that Work by Dwayne Melancon.pdf
Read the article Security Controls that Work by Dwayne Melancon.pdf
 
The Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk AssessmentThe Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk Assessment
 
Assimilation Of Security-Related Policies In U.S. Firms An Empirical Study O...
Assimilation Of Security-Related Policies In U.S. Firms  An Empirical Study O...Assimilation Of Security-Related Policies In U.S. Firms  An Empirical Study O...
Assimilation Of Security-Related Policies In U.S. Firms An Empirical Study O...
 
CHAPTER 3 Security Policies and Regulations In this chap
CHAPTER 3 Security Policies and Regulations In this chapCHAPTER 3 Security Policies and Regulations In this chap
CHAPTER 3 Security Policies and Regulations In this chap
 
Task 2
Task 2Task 2
Task 2
 
u10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacobu10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacob
 
Running Head CYBERSECURITY FRAMEWORK1CYBERSECURITY FRAMEWORK.docx
Running Head CYBERSECURITY FRAMEWORK1CYBERSECURITY FRAMEWORK.docxRunning Head CYBERSECURITY FRAMEWORK1CYBERSECURITY FRAMEWORK.docx
Running Head CYBERSECURITY FRAMEWORK1CYBERSECURITY FRAMEWORK.docx
 
SANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls SurveySANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls Survey
 
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
 
QUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATION
QUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATIONQUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATION
QUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATION
 
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
 
QUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATION
QUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATIONQUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATION
QUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATION
 
1chapter42BaseTech Principles of Computer Securit.docx
1chapter42BaseTech  Principles of  Computer Securit.docx1chapter42BaseTech  Principles of  Computer Securit.docx
1chapter42BaseTech Principles of Computer Securit.docx
 
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
 
Healthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINALHealthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINAL
 
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS              .docxRunning head AUDITING INFORMATION SYSTEMS PROCESS              .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
 
Running Head ENTERPRISE RISK MANAGEMENT 1ENTERPRISE RISK MANA.docx
Running Head ENTERPRISE RISK MANAGEMENT  1ENTERPRISE RISK MANA.docxRunning Head ENTERPRISE RISK MANAGEMENT  1ENTERPRISE RISK MANA.docx
Running Head ENTERPRISE RISK MANAGEMENT 1ENTERPRISE RISK MANA.docx
 
Step by Step Guide to Healthcare IT Security Risk Management - Redspin Infor...
Step by Step Guide to Healthcare IT Security Risk Management  - Redspin Infor...Step by Step Guide to Healthcare IT Security Risk Management  - Redspin Infor...
Step by Step Guide to Healthcare IT Security Risk Management - Redspin Infor...
 

Más de John Intindolo

Power_Point_Presentation_ISSC458_Intindolo
Power_Point_Presentation_ISSC458_IntindoloPower_Point_Presentation_ISSC458_Intindolo
Power_Point_Presentation_ISSC458_IntindoloJohn Intindolo
 
ISSC368_Final_Project Proposal_Wk8_Intindolo
ISSC368_Final_Project Proposal_Wk8_IntindoloISSC368_Final_Project Proposal_Wk8_Intindolo
ISSC368_Final_Project Proposal_Wk8_IntindoloJohn Intindolo
 
ISSC456_Final_J_Intindolo
ISSC456_Final_J_IntindoloISSC456_Final_J_Intindolo
ISSC456_Final_J_IntindoloJohn Intindolo
 
ISSC456_Project_Presentation_Intindolo
ISSC456_Project_Presentation_IntindoloISSC456_Project_Presentation_Intindolo
ISSC456_Project_Presentation_IntindoloJohn Intindolo
 
Research_Paper_Final_ISSC431_Intindolo
Research_Paper_Final_ISSC431_IntindoloResearch_Paper_Final_ISSC431_Intindolo
Research_Paper_Final_ISSC431_IntindoloJohn Intindolo
 
ISSC362_Research_Paper_Intindolo
ISSC362_Research_Paper_IntindoloISSC362_Research_Paper_Intindolo
ISSC362_Research_Paper_IntindoloJohn Intindolo
 
Research_Paper_ISSC461_Intindolo
Research_Paper_ISSC461_IntindoloResearch_Paper_ISSC461_Intindolo
Research_Paper_ISSC461_IntindoloJohn Intindolo
 
Attack_Project_Presentation_ISSC461_Intindolo
Attack_Project_Presentation_ISSC461_IntindoloAttack_Project_Presentation_ISSC461_Intindolo
Attack_Project_Presentation_ISSC461_IntindoloJohn Intindolo
 
Project_Paper_Presentation_ISSC471_Intindolo
Project_Paper_Presentation_ISSC471_IntindoloProject_Paper_Presentation_ISSC471_Intindolo
Project_Paper_Presentation_ISSC471_IntindoloJohn Intindolo
 
ISSC481_Term_Paper_John_Intindolo
ISSC481_Term_Paper_John_IntindoloISSC481_Term_Paper_John_Intindolo
ISSC481_Term_Paper_John_IntindoloJohn Intindolo
 
Project_Paper_ISSC455_Intindolo
Project_Paper_ISSC455_IntindoloProject_Paper_ISSC455_Intindolo
Project_Paper_ISSC455_IntindoloJohn Intindolo
 
ISSC455_Week6_Project_PowerPoint_Presentation_Intindolo
ISSC455_Week6_Project_PowerPoint_Presentation_IntindoloISSC455_Week6_Project_PowerPoint_Presentation_Intindolo
ISSC455_Week6_Project_PowerPoint_Presentation_IntindoloJohn Intindolo
 
Wk 7 Case Study Summary Paper_ISSC331_Intindolo
Wk 7 Case Study Summary Paper_ISSC331_IntindoloWk 7 Case Study Summary Paper_ISSC331_Intindolo
Wk 7 Case Study Summary Paper_ISSC331_IntindoloJohn Intindolo
 
ISSC422_Project_Paper_John_Intindolo
ISSC422_Project_Paper_John_IntindoloISSC422_Project_Paper_John_Intindolo
ISSC422_Project_Paper_John_IntindoloJohn Intindolo
 
ISSC490_Project_John_Intindolo
ISSC490_Project_John_IntindoloISSC490_Project_John_Intindolo
ISSC490_Project_John_IntindoloJohn Intindolo
 
ISSC361_Project_John_Intindolo
ISSC361_Project_John_IntindoloISSC361_Project_John_Intindolo
ISSC361_Project_John_IntindoloJohn Intindolo
 
Project_Presentation_ISSC361_Intindolo
Project_Presentation_ISSC361_IntindoloProject_Presentation_ISSC361_Intindolo
Project_Presentation_ISSC361_IntindoloJohn Intindolo
 

Más de John Intindolo (17)

Power_Point_Presentation_ISSC458_Intindolo
Power_Point_Presentation_ISSC458_IntindoloPower_Point_Presentation_ISSC458_Intindolo
Power_Point_Presentation_ISSC458_Intindolo
 
ISSC368_Final_Project Proposal_Wk8_Intindolo
ISSC368_Final_Project Proposal_Wk8_IntindoloISSC368_Final_Project Proposal_Wk8_Intindolo
ISSC368_Final_Project Proposal_Wk8_Intindolo
 
ISSC456_Final_J_Intindolo
ISSC456_Final_J_IntindoloISSC456_Final_J_Intindolo
ISSC456_Final_J_Intindolo
 
ISSC456_Project_Presentation_Intindolo
ISSC456_Project_Presentation_IntindoloISSC456_Project_Presentation_Intindolo
ISSC456_Project_Presentation_Intindolo
 
Research_Paper_Final_ISSC431_Intindolo
Research_Paper_Final_ISSC431_IntindoloResearch_Paper_Final_ISSC431_Intindolo
Research_Paper_Final_ISSC431_Intindolo
 
ISSC362_Research_Paper_Intindolo
ISSC362_Research_Paper_IntindoloISSC362_Research_Paper_Intindolo
ISSC362_Research_Paper_Intindolo
 
Research_Paper_ISSC461_Intindolo
Research_Paper_ISSC461_IntindoloResearch_Paper_ISSC461_Intindolo
Research_Paper_ISSC461_Intindolo
 
Attack_Project_Presentation_ISSC461_Intindolo
Attack_Project_Presentation_ISSC461_IntindoloAttack_Project_Presentation_ISSC461_Intindolo
Attack_Project_Presentation_ISSC461_Intindolo
 
Project_Paper_Presentation_ISSC471_Intindolo
Project_Paper_Presentation_ISSC471_IntindoloProject_Paper_Presentation_ISSC471_Intindolo
Project_Paper_Presentation_ISSC471_Intindolo
 
ISSC481_Term_Paper_John_Intindolo
ISSC481_Term_Paper_John_IntindoloISSC481_Term_Paper_John_Intindolo
ISSC481_Term_Paper_John_Intindolo
 
Project_Paper_ISSC455_Intindolo
Project_Paper_ISSC455_IntindoloProject_Paper_ISSC455_Intindolo
Project_Paper_ISSC455_Intindolo
 
ISSC455_Week6_Project_PowerPoint_Presentation_Intindolo
ISSC455_Week6_Project_PowerPoint_Presentation_IntindoloISSC455_Week6_Project_PowerPoint_Presentation_Intindolo
ISSC455_Week6_Project_PowerPoint_Presentation_Intindolo
 
Wk 7 Case Study Summary Paper_ISSC331_Intindolo
Wk 7 Case Study Summary Paper_ISSC331_IntindoloWk 7 Case Study Summary Paper_ISSC331_Intindolo
Wk 7 Case Study Summary Paper_ISSC331_Intindolo
 
ISSC422_Project_Paper_John_Intindolo
ISSC422_Project_Paper_John_IntindoloISSC422_Project_Paper_John_Intindolo
ISSC422_Project_Paper_John_Intindolo
 
ISSC490_Project_John_Intindolo
ISSC490_Project_John_IntindoloISSC490_Project_John_Intindolo
ISSC490_Project_John_Intindolo
 
ISSC361_Project_John_Intindolo
ISSC361_Project_John_IntindoloISSC361_Project_John_Intindolo
ISSC361_Project_John_Intindolo
 
Project_Presentation_ISSC361_Intindolo
Project_Presentation_ISSC361_IntindoloProject_Presentation_ISSC361_Intindolo
Project_Presentation_ISSC361_Intindolo
 

ISSC471_Final_Project_Paper_John_Intindolo

Running head: WRITING THE IT INFRASTRUCTURE AUDIT REPORT 1

Writing the IT Infrastructure Audit Report
John Intindolo
June 7, 2014
ISSC471- IT Security: Auditing
Professor Janelle Davis
American Public University

An IT Security Audit is used to determine how effective an organization’s IT controls are, and to ensure that those controls maintain compliance with company policies. There are many steps that go into compliance, including protecting and securing private data, implementing proper security controls, and performing periodic security assessments. Once an audit has been conducted it is time for the final report to be written. Writing the IT infrastructure audit report is perhaps the most important part of the audit process, because the report communicates the results to the leaders of the organization, prevents misinterpretation of those results, and discusses the measures to be taken to correct any issues. The scope, objectives, methods, work completed, use of others’ work, and findings (amongst other things) combine to make up the basis of the report.

With that said, it is important to understand exactly what an IT Security Audit is. An IT Security Audit by definition is an independent analysis and inspection of records and activities to calculate the adequacy of system controls, certify compliance with company policies and procedures, and recommend necessary changes in controls, policies, and/or procedures (Goldberg, n.d.). Basically, an IT Security Audit assures that the confidentiality, integrity, and availability of an organization’s information assets are being maintained. Furthermore, an IT Security Audit is performed in a proactive manner, meaning that its intended purpose is to test the security controls and compliance with policies and procedures before a hacker has the chance to exploit vulnerabilities within the system.

Why is it so important for an organization to maintain compliance for ISS? Compliance for ISS is important to businesses because of the risk of sanctions that could be imposed if a breach were to occur. These sanctions can be criminal, civil, or both. An example of sanctions related to failed compliance with the Sarbanes-Oxley Act is a fine of up to $1 million and imprisonment for up to 10 years (Hladjk, 2007, pp. 3-4). Another reason that compliance is important is that it also involves IT controls, and failure to assure the CIA of an organization’s system can significantly impact the public image of the company or even the value of its assets. An example of this is this past winter, when Target had its customers’ credit card information stolen. Besides the amount of money lost as a result of the crime, Target suffered a huge blow to its public image because many customers did not want to shop there as a result of the incident.

While compliance is important, there is another closely related term that plays an important role in ISS: governance. While compliance verifies that the correct controls are being implemented, governance looks to use complete and accurate information and management controls to make the organization run better (Weiss & Solomon, 2011). So, for example, governance ensures that thorough security policies are in place and that procedures exist to implement the policy. Now how do compliance and governance relate to each other? Without proper governance an organization cannot have effective compliance or risk management, and compliance helps governance by ensuring that the security policies and procedures implemented also meet the standards and regulations set forth.

Having covered an IT Security Audit, compliance, and governance (as well as their importance), the next logical step is to discuss an IT compliance audit. As stated earlier, an IT compliance audit is an ongoing process of making sure that effective security policies and controls are both implemented and maintained throughout the entire organization. So how does this whole process of IT compliance auditing begin? In order to start the audit process one must first have a plan. That is where the scope of the audit comes in. The scope defines everything covered within the audit, including information and resources. So the scope will include the measures needed to be taken to be in compliance, the seven domains covered under the audit, and the audit report, which includes findings as well as assessment and recommendations (if changes are needed). Basically, the scope is the outline of the entire audit.

What tasks are necessary for compliance? Compliance is not a single simple task, but rather a process of several tasks that everyone within the organization must adhere to. It begins with protecting and securing private data. This is done in many ways, including the development of privacy policies, routine risk assessment of access controls, using encryption for work-related e-mails, and training employees on privacy practices and policies. Privacy policies do not only exist within the company; there are also privacy laws set forth by the government that must be complied with. Due to “pressure from various stakeholder action groups interested in concerns dealing with security and privacy, the U.S. government and a few security conscientious industries” have set specific regulations and standards to be followed (Chen, Ramamurthy, & Wen, 2012, p. 158). One of the most common privacy laws is the Health Insurance Portability and Accountability Act, also known as HIPAA. What HIPAA does is protect a person’s health information and permit the disclosure of said health information to any third parties (“Understanding health information,” n.d.).

Next up for remaining compliant within the organization’s IT infrastructure is having the proper security controls in place. Since the biggest factor in information security is the management of risk, proper security controls are the ones that mitigate that risk. It is impossible to account for every risk, however, for monetary reasons, and it is for this reason that there must be some trade-off with risks. In other words, the biggest risks will have security controls to mitigate them, while the smallest risks will use fewer resources (or even be ignored altogether). Because the threat level of each risk matters, it is important to prioritize the risks from highest to lowest. This will ensure that the biggest threats are dealt with and that resources are not wasted.

What constitutes proper security controls? As stated above, deciding what security controls the organization needs works hand in hand with risk management. So the first step is to list all data and information systems within the organization. Then one must consider the impact of each piece of data and each information system in the organization, once again prioritized from highest to lowest importance. It is at this time that security controls can be selected based upon the risk to the systems and then implemented to mitigate the risks. The process does not end there, however, as the controls shall be evaluated for their effectiveness, determined to meet the needs of the organization (by reducing the risk to an adequate level), and lastly be continuously monitored. Continuous monitoring not only identifies new threats, but also may require a change to the security controls implemented.

What security controls can be implemented to constitute compliance? Understanding which security controls represent the best way to be in compliance starts with the use of a common IT control framework known as Control Objectives for Information and related Technology, or simply COBIT. COBIT 5 is a foundation built of principles on which an “organization should build and test security policies, standards, guidelines, processes, and controls” (Olzak, 2013). Not only does COBIT provide this, but it also helps to bring IT and management together, as IT focuses on business aspects and management is allowed to better understand what IT does. Some examples of the types of controls that will be implemented to satisfy the need for compliance are: access control, awareness and training, audit and accountability, security assessment and authorization, configuration management, incident response, risk assessment, and contingency planning (Weiss & Solomon, 2011, p. 56).

As stated previously, achieving compliance is an ongoing process due to constant change within an organization, standards, laws, regulations, and threats; therefore, in order to respond and adjust to these changes several things need to happen. There are three basic categories that make up the basis for maintaining compliance: periodic security assessments, annual security compliance audits, and defining proper security controls. The first category is conducting periodic security assessments. These types of security assessments occur more frequently than the annual security compliance audit, and because of that are generally grouped into one of the following types: high-level (overall view of information systems), comprehensive (a more succinct analysis of information systems), and preproduction (for new systems or those implementing a major change). Changes occur all the time within a year, so it is imperative that periodic security assessments take place for maintaining compliance. Annual security compliance auditing is to be performed as a complementary method to periodic assessments. This provides an independent review of how sufficient and effective the internal IT security controls are. Defining proper security controls is the third component of maintaining compliance. This is done by creating a policy framework for IT security that will outline what is required for everyone in the organization to maintain compliance. Essentially this is the why, what, and how of the organization’s IT security framework. Without defining the proper security controls, how will anyone know if they are in compliance or not? For that reason, it is vital to the security of an organization to have clear-cut and well-defined security controls. Defining proper security controls is done using the following framework: at the top is the policy, which details the organization’s beliefs, goals, objectives, and acceptable procedures for IT security; followed by standards, which make the policy more meaningful and effective by creating an action or rule to support the policy; then guidelines, which suggest the best practices to reach the policy’s objectives; and lastly a step-by-step outline of how the standards and guidelines are implemented to support the policy (Guel, 2007).

Now comes the writing of the IT infrastructure audit report. The audit report is perhaps the most important part of the auditing process, because if it is not properly written, management may not consider the measures needed to improve compliance across the IT infrastructure. That is why the audit report must be well written and easy to follow. Furthermore, it should serve as a means to communicate the results, prevent misinterpretation of the results, and detail a list of recommendations to improve compliance for upper management. An audit report is a lengthy one, and since the higher-ups in an organization are very busy they often do not have the time to read the full report. That is where the executive summary comes into play. The executive summary is the part of the audit report that is designed for the executives who are too busy to read the full report or perhaps lack the technical competence to grasp what it says. It should be a brief review of the entire report, and according to Jacka, “If there is an overpowering need to share such detailed information, then the auditors should put it in the report” (2012). Make no mistake, though: brief does not mean vague. The executive summary shall include only the most important issues of the audit report. A good measuring stick for the length of the executive summary is that it should be about 10% of the audit report (Weiss & Solomon, 2011, p. 154). So if the report is 30 pages long, then the executive summary should be about 3 pages long.

The next area of the audit report is the summary of findings. The summary of findings is an abstract of what was discovered during the audit (within the seven domains) of the IT infrastructure. A finding is broken down into four components: criteria, circumstance, cause, and impact. Criteria is what is expected, circumstance is the situation within the existing IT infrastructure, cause represents the reason a gap exists between the circumstance and the criteria, and impact identifies the impact or potential impact on the entire IT infrastructure based upon the difference between the circumstance and the criteria (Weiss & Solomon, 2011, pp. 154-155). As referenced above, a gap exists between the expected state and the actual situation occurring within the IT infrastructure. This is where a gap analysis comes into play. A gap analysis is a tool that is used to find the gap between the current state of the IT infrastructure and the desired state that is necessary for compliance. Additionally, the gap analysis will provide the necessary steps to bridge the gap between the two. Conducting a gap analysis is a three-step approach that includes the following: identifying the criteria for compliance, analyzing the current situation of the IT infrastructure, and lastly determining what needs to be done to close the gap between the two and reach the desired state for compliance (“Gap analysis,” n.d.).

The next part of writing the audit report is performing an IT Security Assessment. One of the questions often asked about enterprise security is what should be focused on more, compliance or risk? The best answer to that question is that there needs to be a healthy balance between the two. In fact, both risk management and compliance are essential to an organization, and merging, balancing, and managing the overlap between the two will avoid the biggest threats to the organization (Anschuetz, 2013). Performing an IT Security Assessment is the area of enterprise security that focuses on risk. This portion of the audit report covers risks, threats, and vulnerabilities. Risk is the likelihood of a loss occurring. A loss occurs when a threat has exploited a vulnerability or weakness. The assessment process includes basic principles of information security practice, such as security controls that can identify and record known types of attacks, prioritized by risk, and training employees on social engineering attacks that can lead to malware infecting the organization’s network. The assessment process takes security to the next level, though, and is a continuous model that consists of the following principles: collection of intelligence feeds, research and training for solutions, threat analysis (assessments and reporting), developing corrective controls and continuously improving, and monitoring through periodic security reviews or taking proactive surveillance measures (Neghina & Scarlat, 2013).

Next comes a list of IT security controls and countermeasures that will enable compliance within the organization’s IT infrastructure. This portion of the audit report compares the current state of controls to the desired state of controls, and should clearly define any major gaps as well. The easiest way to do this is by creating a spreadsheet documenting a list of controls with column headings identifying controls that are in place, partially in place, or not in place at all. The next step is the compliance assessment stage. Compliance should be broken down throughout the entire IT infrastructure to clearly state the compliance level that is being met. This would consist of compliant (which is satisfactory), noncompliant (which means the requirement is not being met), not determined (there is not enough evidence to make a conclusion one way or the other), or not applicable (compliance does not apply in this case). Lastly come the compliance recommendations. It is at this point of the report that recommendations are made and documented to ensure that the organization is in compliance.
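The controls spreadsheet, the criteria-versus-circumstance gap list and the four compliance levels described above, modelled as an added Python example that is not part of the paper. The control names, domains, risk scores and evidence counts are constructed sample data, and treating a control claimed as (partially) in place but with no collected evidence as "not determined" is this example's own assumption.

```python
"""Controls gap matrix and compliance assessment for an IT audit report.

Added example (not from the paper): a small model of three report sections
the paper describes, the controls list (in place / partially in place /
not in place), the gap between criteria and circumstance, and the four
compliance levels (compliant, noncompliant, not determined, not applicable).
Control names, domains, risk scores and evidence counts are constructed.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample export from a controls tracker (not real audit data).
# required: whether the control applies to this organization
# status:   in place | partially in place | not in place
# evidence: number of artifacts (screenshots, configs, logs) collected
# risk:     1 = lowest ... 5 = highest, used to prioritize gaps
SAMPLE_CSV = """\
control,domain,required,status,evidence,risk
Access control,User Domain,yes,in place,3,4
Awareness and training,User Domain,yes,partially in place,1,3
Audit and accountability,LAN Domain,yes,not in place,0,5
Configuration management,Workstation Domain,yes,partially in place,0,4
Incident response,System/Application Domain,yes,in place,2,5
Contingency planning,Remote Access Domain,no,not in place,0,2
"""

COMPLIANT = "compliant"
NONCOMPLIANT = "noncompliant"
NOT_DETERMINED = "not determined"
NOT_APPLICABLE = "not applicable"


@dataclass
class Finding:
    """Criteria and circumstance, two of the four finding components the
    paper lists; cause and impact are auditor-written text, left out here."""
    control: str
    domain: str
    criteria: str       # what is expected
    circumstance: str   # what was observed
    risk: int
    level: str


def assess_control(row):
    """Map one controls-matrix row to one of the four compliance levels."""
    if row["required"].strip().lower() != "yes":
        return NOT_APPLICABLE
    status = row["status"].strip().lower()
    evidence = int(row["evidence"])
    if status != "not in place" and evidence == 0:
        # Claimed as (partially) implemented, but nothing to show for it:
        # the auditor cannot conclude either way (assumption of this example).
        return NOT_DETERMINED
    return COMPLIANT if status == "in place" else NONCOMPLIANT


def load_findings(csv_text):
    """Parse the controls matrix and assess every row."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        required = row["required"].strip().lower() == "yes"
        findings.append(Finding(
            control=row["control"],
            domain=row["domain"],
            criteria="required and fully in place" if required else "not required",
            circumstance=row["status"].strip().lower(),
            risk=int(row["risk"]),
            level=assess_control(row),
        ))
    return findings


def gap_list(findings):
    """Controls whose circumstance misses the criteria, highest risk first."""
    gaps = [f for f in findings if f.level in (NONCOMPLIANT, NOT_DETERMINED)]
    return sorted(gaps, key=lambda f: f.risk, reverse=True)


def compliance_summary(findings):
    """Count of controls at each compliance level, for the assessment section."""
    summary = {COMPLIANT: 0, NONCOMPLIANT: 0, NOT_DETERMINED: 0, NOT_APPLICABLE: 0}
    for f in findings:
        summary[f.level] += 1
    return summary


def executive_summary_pages(report_pages):
    """Rule of thumb quoted in the paper: about 10% of the report length."""
    return max(1, round(report_pages * 0.10))


def render_table(findings):
    """Plain-text version of the spreadsheet the paper recommends."""
    lines = [f"{'Control':<26}{'Domain':<28}{'Circumstance':<20}{'Risk':<6}Level"]
    for f in sorted(findings, key=lambda f: f.risk, reverse=True):
        lines.append(f"{f.control:<26}{f.domain:<28}{f.circumstance:<20}"
                     f"{f.risk:<6}{f.level}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = load_findings(SAMPLE_CSV)
    print(render_table(found))
    print("\nGaps, highest risk first:")
    for g in gap_list(found):
        print(f"  [{g.risk}] {g.control}: expected {g.criteria}, found {g.circumstance}")
    print("\nCompliance summary:", compliance_summary(found))
    print("Executive summary for a 30-page report:", executive_summary_pages(30), "pages")
```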
In conclusion, an IT Security Audit determines the effectiveness of an organization’s IT controls, as well as making sure that those controls follow company policies in addition to complying with laws and regulations. The most important part of the entire audit process is writing the actual audit report, because this is where the audit is communicated to upper management. Without proper documentation of the report it essentially becomes useless, as misinterpretation of its results may occur or, even worse, the leaders of the organization may not see the importance of corrective actions.

References

Anschuetz, C. (2013). When it comes to enterprise security is it better to focus on compliance or risk? Network World, 30(7), 16.

Chen, Y., Ramamurthy, K. K., & Wen, K. (2012). Organizations' information security policy compliance: Stick or carrot approach? Journal of Management Information Systems, 29(3), 157-188.

Gap analysis. (n.d.). Retrieved from http://www.mccd.edu/organizations/student/Gap Analysis.pdf

Goldberg, M. (n.d.). IT security auditing [PowerPoint slides]. Retrieved from https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=11&cad=rja&uact=8&ved=0CKQBEBYwCg&url=https%3A%2F%2Fisis.poly.edu%2Fcourses%2Fcs996-management-s2005%2FLectures%2Fsecurity%2520audit.ppt&ei=LIyTU9_qJNTNsQT_n4CQCg&usg=AFQjCNEwYf2W68P7jNw9J6DzJxNirMhLDw&sig2=2JrsyrbmWZ_4s1xhQeOVzA&bvm=bv.68445247,d.cWc

Guel, M. (2007). A short primer for developing security policies. Retrieved from https://www.sans.org/security-resources/policies/Policy_Primer.pdf

Hladjk, J. (2007). IT compliance and IT security - part 2. Privacy & Data Protection, 7(4), 3-5.

Jacka, J. (2012). Just tell me what I need to know. Internal Auditor, 69(6), 71.

Neghina, D., & Scarlat, E. (2013). Managing information technology security in the context of cyber crime trends. International Journal of Computers, Communications & Control, 8(1), 97-104.

Olzak, T. (2013). COBIT 5 for information security: The underlying principles. Retrieved from http://www.techrepublic.com/blog/it-security/cobit-5-for-information-security-the-underlying-principles/

Understanding health information privacy. (n.d.). Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/understanding/

Weiss, M., & Solomon, M. (2011). Auditing IT infrastructures for compliance. Sudbury, Mass.: Jones & Bartlett Learning.