Executive Summary
IT Compliance along with Regulatory Compliance are some of the greatest challenges organizations face today. Observing Regulatory Compliance and IT Security are a requisite for every firm. Classified organizational information is always at a risk of comprises; as a result, it has emerged a mandate to safeguard sensitive data by establishing network security protocols and meeting the set guidelines of every regulatory body. Various compliance standards such as HIPAA, SOX, STIG, PCI DSS, NIST 800-53, GLBA, and FISMA need organizations to safeguard their networks, strengthen desktop computers and servers thus ensuring a high security level for their sensitive enterprise assets. Further, this procedures supply network compliance audit reports to the firm’s auditors when demanded.
The first process in this audit plan involved creating a master list of resources or assets the company possess, in order to determine the needs to be safeguarded through the audit. The audit reported difficulties in listing all the intangible resources. The scope of the audit plan is the smallest limit that contains the resources that the audit will control for the organization’s security. The information security issues that will be addressed in this audit are as follows: network and computer passwords; physical assets; records of physical resources; data backups; logging of data access; access to confidential customer data, for example, credit card information; access to customer lists; long-distance calling; and emails.
Delegate your assignment to our experts and they will do the rest.
The identified data security areas are important for this audit plan considering that Red Clay Renovations’ main operations center (also referred to as main campus) is located in Owing Mills, Baltimore – a facility housing the firm’s data center along with general offices. Further, the support staff, corporate counsel, and Chief Executive Officer maintain presence in a different location; that is, Wilmington, DE. The company’s Field Officers are situated in suburban Philadelphia and downtown Baltimore, with each office containing an office manager, a business manager, a senior project manager, a team of between 2 and 3 architects, and an MD. Support personnel including clerks and receptionist are contracts offered by a local staffing services company. Each office serving Red Clay Renovations runs and maintains its individual Information Technology Infrastructure.
PCI DSS compliance, with regards to security audit procedure, is assessed for the sole purpose of reviewing the organization’s data security. The purpose of PCI Security Audit is to encourage and enhance the safety of payment card-holder information as well as to offer a means of large-scale adoption of consistent information security measures.
Policy
Introduction
It is critical for firms to observe regulatory compliance guidelines concerning audits since being non-compliance to regulatory and security standards can result in harsh penalties or loss of the Authority to Operate (ATO). In order to meet all compliance and security requirements, firms are required to adopt proactive measures to create network security processes aimed at detecting network attacks, anomalies, and other weaknesses that can potentially cause damage to the sensitive data of the enterprise.
Security issue
The Information Technology Security framework, provided by the technology leadership and management oversight under the control of CISO (Chief Information Security Officer), follows the ISO 27001/27002 standards, but is not entirely compliant. Implementation of ITIL or CobiT standards for monitoring IT services and systems has also not been implemented or even pursued for cost reasons. The CISO, therefore, suggested a less costly option – NIST guidance documents- which was approved upon signing.
The solution
An assessment of the organization’s data security resources along with reviewing the reports of the CISO indicates that Red Clay Renovations relies on a closest fit level of security that differs from the use of NIST guidance documents. The audit finds that the firm’s IT system falls in the moderate level as highlighted in the FIPS 199/200 principles, which are also specified in NIST SP 800-53 Rev. 4. This is the minimum security control baseline which is applicable for creating system security plans.
Reasons why employees must comply
Firms deploy certain technological means to safeguard their technology and information facilities, with the help of their employees (Mass.gov, 2014). Workers who apply the technology and information amenities of their companies assume some roles and are responsible for keeping those resources. Assessment of employee compliance is important because of the need to understand the driving factors for performing those roles to meet every responsibility (Bulgurcu, Cavusoglu, & Benbasat, 2010). Further, the definition of information security policy with regards to auditing refers to a statement of responsibilities and roles of the workers to protect the technology and information resources of their companies. Information Security Policy encompasses grounded regulations that address particular security cases by offering instructions to the workers as what should be done when interacting with the technology and information resources of their companies (Mass.gov, 2014).
Compliance requirements
The compliance requirement with regards to the information security policy needs identified in the company case follows the “moderate level” as outlined in the FIPS 199/200 principle and specified in NIST SP 800-53 Rev. 4 (Al-Omari et al., 2013). The company identified this compliance standard as its personal minimum security monitoring baseline which is applied to creating system security plans. Since the company is involved, in one way or another, in financial transactions which transit credit card information, the audit is subject to PCI DSS compliance. In each situation, the form must be in a position to demonstrated compliance through producing audit trail, primarily debated by information from event log administration software (Al-Omari et al., 2013). Compliance auditors should basically ask IT managers, CTOs, CISOs, and CIOs a sequence of pointed questions over the cycle of the audit. These includes what users are added and when, employees who left the firm, whether users’ personal data were revoked and which information technology managers have entry to the critical frameworks. IT managers should prepare for compliance requirement audits to enable trailing and documentation controls and authentication in IT systems. Finally, the category of governance, risk management, and compliance (GRC) software will allow CIOs to quickly illustrate to auditor that the firm is in agreement and will not be subject to expensive or costly sanctions and/or fines.
Applicability
Applicability of the identified audit plan considers the need to prevent future hacks on the company’s data security. First, the audit sufficiently specifies data security requirements as well as compliance standards as spelled out in various policy regulations. The ultimate deliverables are listed as regards the cost analysis provided by the CISO. The audit scope has also relied on the specific goals identified through conducting a comprehensive evaluation of the information targeting Red Clay Renovation.
Contact information
| Type of contact | Name | Department | Telephone number | Email address |
| Chief Information Officer | Erwin Carrington | IT | 667-555-6260 | Erwin_Carrington@hq.redclayrenovations.com |
| Chief Information Security Officer | Eric Carpenter | IT services | 667-555-6370 | Eric_Carpenter@hq.redclayrenovations.com |
| Chief Operating Officer | Julia Randell | Operations | 667-555-5000 | julia@redclayrenovations.com |
| Field Office Manager | Charles Kniesel | Filed Office | 443-555-2900 | Charles@balt.redclayrenovations.com |
| Field Office Information Systems Security Officer | Alison Kniesel-Smith | ISSO and Field Office | 267-555-1200 | Alison@philly.redclayrenovations.com |
Audit Plans
Security Awareness Audit Plan:
Audit Background
To meet several compliance standards, it is important to provide risk monitoring and visibility, maintain a secure and stable environment, comply with policies for both users and administrators, encrypt information, and be in a position to react quickly to any identified security threats (Al-Omari et al., 2013). A number of firms acknowledge that their workers, who are often deemed the weakest link in matters of information security, can also emerge as great assets in the bid to limit risks linked with information security (Rasheed, 2014). Because workers who comply with information security regulations and rules of the firm are the key to empowering information security, comprehending compliance conduct is key for firms that need leverage on human capital. Companies deploy technological frameworks to safeguard their technology and information resources, but they also depend greatly on their employees (Mass.gov, 2014). Workers who apply the technology and information resources of their respective organizations assume some responsibilities in and are responsible for protecting those amenities or facilities. As a result, this audit is interested in the factors driving workers to perform these responsibilities.
Audit objectives
The objective in this section is to assess the determinants of employee compliance with ISP (information security policy) of an organization.
Audit Approach
The approach used in this audit relates to the investigation of rationality-based elements that compel or drive a worker to comply with the ISP requirements with regard to safeguarding the firm’s technology and information resources.
IT Security Audit Plan:
Audit Background
The PCI Compliance Audit, also referred to as the PCI Security Audit concerns whether or not issues related to data security are implemented. Using the PCI protocol, each need is broken down into finer detail, an action which enhances the execution of required checks when developing the PCI audit. Further, the needs document is conveniently created with the audit activity in mind. To begin, the sub-requirement is identified, followed by a section highlighting the testing procedures, guidelines for the monitoring that needs to be conducted to ensure compliance with the need.
Audit Objectives
The objective for IT security policy system audit is determine a) the existence of required policies, b) presence of policy updates within the past year, and c) existence of review and approval of the policies by the appropriate oversight authorities (for example, IT governance board and managers).
Audit Approach
The audit approach employed in this report involves researching on the issue of IT security policy compliance and then preparing an “approval draft” for a policy compliance. Also, the approach entails researching and drafting two different audit plans: one for employee compliance audit and the other for policy system audit. A requirement for examination report will be included and forwarded to the corporate board of directors and company management. The employee compliance examination will employ an interview plan which includes about 10 multiple choice questions to be used in constructing a web-based study of all employees.
Required audit plans
Employee compliance audit plan
The effort to understand the driving factors for employee compliance to ISP of their firm is undertaken by suggesting and analyzing a framework of the components influencing a work’s intention to comply. Consistent with the concept of planned behavior, which acknowledges behavioral intention as a sign of a person’s readiness to showcase or perform a certain behavior, a worker’s intention to consider the needs of the ISP is applied as one of the major variables in the audit (Mass.gov, 2014).
Interview strategy (multiple choice questions to be used as a web-based survey)
The interview strategy involves assessment of employee attitudes as concerns compliance with the firm’s ISP, evaluation of workers’ normative conceptions about compliance with the company’s IPS, and understanding of employees’ self-efficacy with regards to complying with the firm’s ISP. Some of the important interview questions to be applied during a web-based survey are listed as follows:
Which of the following does not describe a primary element of a security program?
The consequences for the individual breaking the policies
The protective measures and policies that will be applied
The roles of people involved in monitoring security
Which of the following correctly identifies interception?
It bars virus intrusion into internal network via mail
It emphasizes on preventing outsiders or systems from entering internal systems
It focuses on barring the capture information being relayed across a network
Which among the following terms describes an individual who gains illegal entry to a computer system?
Intruder
Identity thief
Hacker
Which statement best describes the results of a denial service attack?
Results in erasing the content of an entire website
Does not have to take place via a network
Is an indoor or in-company attempt to overload a website or web server.
The term commonly applied to describe a terrorist attack on an information system either through or using a computer is:
Network terrorism
Cyber terrorism
Computer terrorism
A backup premise characterized by computer systems ready to run is referred to as:
Hot site
Freezing site
Cold site
Warm site
Among the following options, which choice best describes public domain software or application?
It is supported by unknown developers all over the world wide web
It is free
It is freely copied because it is not copyrighted
Which among the following are approaches used to try to limit piracy of software orany other intellectual property?
Legal copyrighting
Legal action
Intellectual property laws
Conclusion
This policy audit report articulates the requirements that assist the company’s administration in defining a system that ensures compliance with the entire information security objectives. It includes, without limitation, compliance with security-relates standards, policies regulations, laws, and contractual provisions to which their information technology data and resources are subject. The organization needs to ensure the necessary security controls that exceed or meet the compliance standards associated with their data assets are in place. Also, it should offer availability, integrity, and confidentiality of the information for which it is responsible. The report further notes that the board of directors and company managers must have controls in place that offer reasonable assurance that security goals are addressed. The enterprises should be responsible for its ongoing compliance with regards to security-related contractual, regulatory, and statutory agreements.
References
Al-Omari, A., Deokar, A., El-Gayar, O., Walters, J., & Aleassa, H. (2013). Information security policy compliance: an empirical study of ethical ideology. In System Sciences (HICSS), 2013 46th Hawaii International Conference on (pp. 3018-3027). IEEE.
Mass.gov. (2014). Enterprise IT security compliance policy. Mass Web. Retrieved December 16, 2016, from http://www.mass.gov/anf/research-and-tech/policies-legal-and-technical-guidance/it-policies-standards-and-procedures/ent-pols-and-stnds/enterprise-it-security-compliance-policy.html
Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS quarterly , 34 (3), 523-548.
Rasheed, H. (2014). Data and infrastructure security auditing in cloud computing environments. International Journal of Information Management , 34 (3), 364-368.
