10 May 2022


IT Security Audit Policy & Plans


Executive Summary

IT compliance and regulatory compliance are among the greatest challenges organizations face today. Observing regulatory compliance and IT security is a requisite for every firm. Classified organizational information is always at risk of compromise; as a result, it has become a mandate to safeguard sensitive data by establishing network security protocols and meeting the guidelines set by every regulatory body. Compliance standards such as HIPAA, SOX, STIG, PCI DSS, NIST 800-53, GLBA, and FISMA require organizations to safeguard their networks and harden desktop computers and servers, thus ensuring a high level of security for their sensitive enterprise assets. Further, these procedures supply network compliance audit reports to the firm’s auditors when demanded.

The first process in this audit plan involved creating a master list of the resources or assets the company possesses, in order to determine what needs to be safeguarded through the audit. The audit reported difficulties in listing all the intangible resources. The scope of the audit plan is the smallest boundary that contains the resources the audit will control for the organization’s security. The information security issues addressed in this audit are as follows: network and computer passwords; physical assets; records of physical resources; data backups; logging of data access; access to confidential customer data, for example, credit card information; access to customer lists; long-distance calling; and emails.


The identified data security areas are important for this audit plan considering that Red Clay Renovations’ main operations center (also referred to as the main campus) is located in Owings Mills, Baltimore, a facility housing the firm’s data center along with general offices. Further, the support staff, corporate counsel, and Chief Executive Officer maintain a presence in a different location, Wilmington, DE. The company’s field offices are situated in suburban Philadelphia and downtown Baltimore, with each office containing an office manager, a business manager, a senior project manager, a team of between 2 and 3 architects, and an MD. Support personnel, including clerks and receptionists, are contractors supplied by a local staffing services company. Each office serving Red Clay Renovations runs and maintains its own Information Technology infrastructure.

PCI DSS compliance, with regard to the security audit procedure, is assessed for the sole purpose of reviewing the organization’s data security. The purpose of a PCI security audit is to encourage and enhance the safety of payment cardholder information as well as to offer a means of large-scale adoption of consistent information security measures.

Policy 

Introduction  

It is critical for firms to observe regulatory compliance guidelines concerning audits, since non-compliance with regulatory and security standards can result in harsh penalties or loss of the Authority to Operate (ATO). In order to meet all compliance and security requirements, firms are required to adopt proactive measures to create network security processes aimed at detecting network attacks, anomalies, and other weaknesses that can potentially cause damage to the sensitive data of the enterprise.

Security issue

The Information Technology security framework, provided by the technology leadership and management oversight under the control of the CISO (Chief Information Security Officer), follows the ISO 27001/27002 standards but is not entirely compliant. Implementation of the ITIL or COBIT standards for monitoring IT services and systems has not been pursued, for cost reasons. The CISO therefore suggested a less costly option, the NIST guidance documents, which was approved upon signing.

The solution 

An assessment of the organization’s data security resources, along with a review of the CISO’s reports, indicates that Red Clay Renovations relies on a “closest fit” level of security rather than on the NIST guidance documents. The audit finds that the firm’s IT system falls in the moderate level as highlighted in the FIPS 199/200 principles, which are also specified in NIST SP 800-53 Rev. 4. This is the minimum security control baseline applicable for creating system security plans.

Reasons why employees must comply 

Firms deploy certain technological means to safeguard their technology and information facilities, with the help of their employees (Mass.gov, 2014). Workers who use the technology and information amenities of their companies assume certain roles and are responsible for protecting those resources. Assessment of employee compliance is important because of the need to understand the driving factors for performing those roles to meet every responsibility (Bulgurcu, Cavusoglu, & Benbasat, 2010). Further, the definition of information security policy with regard to auditing refers to a statement of the responsibilities and roles of the workers in protecting the technology and information resources of their companies. An information security policy encompasses grounded regulations that address particular security cases by offering instructions to the workers as to what should be done when interacting with the technology and information resources of their companies (Mass.gov, 2014).

Compliance requirements

The compliance requirement with regard to the information security policy needs identified in the company case follows the “moderate level” as outlined in the FIPS 199/200 principles and specified in NIST SP 800-53 Rev. 4 (Al-Omari et al., 2013). The company identified this compliance standard as its own minimum security monitoring baseline, which is applied to creating system security plans. Since the company is involved, in one way or another, in financial transactions that transmit credit card information, the audit is subject to PCI DSS compliance. In each situation, the firm must be in a position to demonstrate compliance by producing an audit trail, primarily populated by information from event log management software (Al-Omari et al., 2013). Compliance auditors should ask IT managers, CTOs, CISOs, and CIOs a sequence of pointed questions over the course of the audit. These include which users were added and when, which employees left the firm, whether those users’ access rights were revoked, and which information technology managers have access to the critical systems. IT managers should prepare for compliance requirement audits by enabling audit trail and documentation controls and authentication in IT systems. Finally, the category of governance, risk management, and compliance (GRC) software will allow CIOs to quickly demonstrate to auditors that the firm is in compliance and will not be subject to expensive sanctions and/or fines.
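The auditor’s questions above (who was added and when, whether leavers’ access was revoked, who holds access to critical systems) can be answered by reconciling an event log export against the HR leaver list. The following is an added example, not part of this paper or of any vendor’s software; all users, systems, dates, and log rows are constructed, and the one-day revocation grace period is an assumption.

```python
"""Audit-trail reconciliation over constructed identity events.

Added example (not from the term paper). The event rows stand in for an
export from event log management software; every name, system and date
is constructed.
"""
from datetime import date, timedelta

# Constructed event log: (date, event, user, system-or-empty).
EVENTS = [
    ("2022-01-10", "USER_ADDED", "j.doe", ""),
    ("2022-01-10", "ACCESS_GRANTED", "j.doe", "payment-db"),
    ("2022-02-01", "USER_ADDED", "a.lee", ""),
    ("2022-02-03", "ACCESS_GRANTED", "a.lee", "file-server"),
    ("2022-03-15", "USER_ADDED", "m.kim", ""),
    ("2022-03-15", "ACCESS_GRANTED", "m.kim", "payment-db"),
    ("2022-04-02", "ACCESS_REVOKED", "a.lee", "file-server"),
    ("2022-04-02", "USER_DISABLED", "a.lee", ""),
]
# Constructed HR leaver list: user -> last working day.
LEAVERS = {"a.lee": "2022-03-31", "m.kim": "2022-04-20"}
# Assumed in-scope critical systems (e.g. the PCI DSS cardholder data store).
CRITICAL_SYSTEMS = {"payment-db"}


def users_added(events):
    """Return {user: date added} for every USER_ADDED event."""
    return {u: d for d, e, u, _ in events if e == "USER_ADDED"}


def unrevoked_leavers(events, leavers, grace_days=1):
    """Leavers whose account was never disabled, or was disabled more than
    grace_days after their last working day (an assumed policy value)."""
    disabled = {u: date.fromisoformat(d) for d, e, u, _ in events if e == "USER_DISABLED"}
    findings = {}
    for user, last_day in leavers.items():
        deadline = date.fromisoformat(last_day) + timedelta(days=grace_days)
        when = disabled.get(user)
        if when is None:
            findings[user] = "never disabled"
        elif when > deadline:
            findings[user] = f"disabled {(when - deadline).days} day(s) late"
    return findings


def critical_access(events, critical):
    """Current holders of access to each critical system, obtained by
    replaying grants and revocations in date order."""
    holders = {s: set() for s in critical}
    for _, e, u, system in sorted(events):
        if system not in critical:
            continue
        if e == "ACCESS_GRANTED":
            holders[system].add(u)
        elif e == "ACCESS_REVOKED":
            holders[system].discard(u)
    return holders
```

On the constructed data the report flags a.lee as disabled one day late and m.kim as never disabled while still holding payment-db access, which is exactly the kind of finding the audit trail must make visible.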

Applicability  

Applicability of the identified audit plan considers the need to prevent future intrusions into the company’s data security. First, the audit sufficiently specifies data security requirements as well as compliance standards as spelled out in various policy regulations. The ultimate deliverables are listed with regard to the cost analysis provided by the CISO. The audit scope has also relied on the specific goals identified through a comprehensive evaluation of the information targeting Red Clay Renovations.

Contact information

| Type of contact | Name | Department | Telephone number | Email address |
| --- | --- | --- | --- | --- |
| Chief Information Officer | Erwin Carrington | IT | 667-555-6260 | Erwin_Carrington@hq.redclayrenovations.com |
| Chief Information Security Officer | Eric Carpenter | IT services | 667-555-6370 | Eric_Carpenter@hq.redclayrenovations.com |
| Chief Operating Officer | Julia Randell | Operations | 667-555-5000 | julia@redclayrenovations.com |
| Field Office Manager | Charles Kniesel | Field Office | 443-555-2900 | Charles@balt.redclayrenovations.com |
| Field Office Information Systems Security Officer | Alison Kniesel-Smith | ISSO and Field Office | 267-555-1200 | Alison@philly.redclayrenovations.com |

Audit Plans

Security Awareness Audit Plan:

Audit Background 

To meet several compliance standards, it is important to provide risk monitoring and visibility, maintain a secure and stable environment, comply with policies for both users and administrators, encrypt information, and be in a position to react quickly to any identified security threat (Al-Omari et al., 2013). A number of firms acknowledge that their workers, who are often deemed the weakest link in matters of information security, can also emerge as great assets in the bid to limit risks linked with information security (Rasheed, 2014). Because workers who comply with the firm’s information security regulations and rules are the key to empowering information security, comprehending compliance conduct is key for firms that need to leverage human capital. Companies deploy technological frameworks to safeguard their technology and information resources, but they also depend greatly on their employees (Mass.gov, 2014). Workers who use the technology and information resources of their respective organizations assume certain responsibilities and are responsible for protecting those amenities or facilities. As a result, this audit is interested in the factors driving workers to perform these responsibilities.

Audit objectives 

The objective in this section is to assess the determinants of employee compliance with ISP (information security policy) of an organization. 

Audit Approach 

The approach used in this audit relates to the investigation of rationality-based elements that compel or drive a worker to comply with the ISP requirements with regard to safeguarding the firm’s technology and information resources. 

IT Security Audit Plan:

Audit Background 

The PCI Compliance Audit, also referred to as the PCI Security Audit, concerns whether or not the controls related to data security are implemented. Under the PCI approach, each requirement is broken down into finer detail, which makes it easier to carry out the required checks when developing the PCI audit. Further, the requirements document is conveniently structured with the audit activity in mind. To begin, the sub-requirement is identified, followed by a section highlighting the testing procedures, that is, guidelines for the monitoring that needs to be conducted to ensure compliance with the requirement.

Audit Objectives 

The objective of the IT security policy system audit is to determine a) the existence of required policies, b) the presence of policy updates within the past year, and c) the existence of review and approval of the policies by the appropriate oversight authorities (for example, the IT governance board and managers).

Audit Approach 

The audit approach employed in this report involves researching the issue of IT security policy compliance and then preparing an “approval draft” of a policy compliance policy. The approach also entails researching and drafting two different audit plans: one for the employee compliance audit and the other for the policy system audit. An examination report requirement will be included and forwarded to the corporate board of directors and company management. The employee compliance examination will employ an interview plan of about 10 multiple-choice questions, used to construct a web-based survey of all employees.

Required audit plans 

Employee compliance audit plan 

The effort to understand the driving factors for employee compliance with the firm’s ISP is undertaken by proposing and analyzing a framework of the components influencing a worker’s intention to comply. Consistent with the theory of planned behavior, which treats behavioral intention as a sign of a person’s readiness to perform a certain behavior, a worker’s intention to follow the requirements of the ISP is applied as one of the major variables in the audit (Mass.gov, 2014).

Interview strategy (multiple choice questions to be used as a web-based survey)

The interview strategy involves assessment of employee attitudes concerning compliance with the firm’s ISP, evaluation of workers’ normative beliefs about compliance with the company’s ISP, and understanding of employees’ self-efficacy with regard to complying with the firm’s ISP. Some of the important interview questions to be applied in the web-based survey are listed as follows:

1. Which of the following does not describe a primary element of a security program?
   a) The consequences for the individual breaking the policies
   b) The protective measures and policies that will be applied
   c) The roles of people involved in monitoring security

2. Which of the following correctly identifies interception?
   a) It bars virus intrusion into the internal network via mail
   b) It emphasizes preventing outsiders or systems from entering internal systems
   c) It focuses on barring the capture of information being relayed across a network

3. Which of the following terms describes an individual who gains illegal entry to a computer system?
   a) Intruder
   b) Identity thief
   c) Hacker

4. Which statement best describes the results of a denial-of-service attack?
   a) Results in erasing the content of an entire website
   b) Does not have to take place via a network
   c) Is an indoor or in-company attempt to overload a website or web server

5. The term commonly applied to describe a terrorist attack on an information system, either through or using a computer, is:
   a) Network terrorism
   b) Cyber terrorism
   c) Computer terrorism

6. A backup premises characterized by computer systems ready to run is referred to as:
   a) Hot site
   b) Freezing site
   c) Cold site
   d) Warm site

7. Among the following options, which choice best describes public domain software or applications?
   a) It is supported by unknown developers all over the World Wide Web
   b) It is free
   c) It is freely copied because it is not copyrighted

8. Which of the following are approaches used to try to limit piracy of software or any other intellectual property?
   a) Legal copyrighting
   b) Legal action
   c) Intellectual property laws

Conclusion 

This policy audit report articulates the requirements that assist the company’s administration in defining a system that ensures compliance with all of the information security objectives. It includes, without limitation, compliance with the security-related standards, policies, regulations, laws, and contractual provisions to which the company’s information technology data and resources are subject. The organization needs to ensure that security controls meeting or exceeding the compliance standards associated with its data assets are in place. It should also provide for the availability, integrity, and confidentiality of the information for which it is responsible. The report further notes that the board of directors and company managers must have controls in place that offer reasonable assurance that security goals are addressed. The enterprise should be responsible for its ongoing compliance with security-related contractual, regulatory, and statutory obligations.

References

Al-Omari, A., Deokar, A., El-Gayar, O., Walters, J., & Aleassa, H. (2013). Information security policy compliance: An empirical study of ethical ideology. In 2013 46th Hawaii International Conference on System Sciences (HICSS) (pp. 3018-3027). IEEE.

Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), 523-548.

Mass.gov. (2014). Enterprise IT security compliance policy. Retrieved December 16, 2016, from http://www.mass.gov/anf/research-and-tech/policies-legal-and-technical-guidance/it-policies-standards-and-procedures/ent-pols-and-stnds/enterprise-it-security-compliance-policy.html

Rasheed, H. (2014). Data and infrastructure security auditing in cloud computing environments. International Journal of Information Management, 34(3), 364-368.

StudyBounty. (2023, September 15). IT Security Audit Policy & Plans.
https://studybounty.com/it-security-audit-policy-plans-term-paper