Provide four substantive 150-word responses, each with a minimum of one APA reference, for RESPONSES 1, 2, 3 and 4 below. Ensure you list and break down each response in a Word document. Each response should further discuss the subject or provide more insight. To help you understand the responses, the discussion posts that they address are given below. The work must be 100% original and not plagiarized, and must meet the deadline.
RESPONSE 1:
ISSC 471
An IT security audit is a comprehensive examination and assessment of an information security system. By conducting regular audits, organizations can identify weak spots and vulnerabilities in their IT infrastructure, verify security controls, ensure regulatory compliance, and more. It involves running scans on IT resources like file-sharing services, database servers and SaaS applications to assess network security, data access levels, user access rights and other system configurations. It includes physically inspecting data centers for resilience to fires, floods, and power surges as part of a disaster recovery evaluation. Finally, it involves interviewing employees outside the IT team to assess their knowledge of security concerns and adherence to company security policy.
To ensure that businesses protect their information, have consistent cohesion departmentally, and follow all governmental regulations, a governance, risk, and compliance program is important. This helps to minimize the threats and risks that companies are exposed to on a daily basis.
According to our lesson, the risk manager, auditor, and executive manager have the following responsibilities:
Risk Manager – responsible for identifying organizational risk.
Auditor – responsible for conducting information assurance audit and applying frameworks to the seven domains to align with compliance.
Executive Manager – responsible for aligning external or internal compliance with governance requirements.
It is my understanding that the C&A process is outdated, and we now use assessment and authorization (A&A) to follow terminology in the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF). In my job, we follow NIST guidelines, and all of our accreditation processes follow the RMF process. The C&A process was initiation and planning, certification, accreditation, and then continuous monitoring. Though I never worked with the C&A process, I have been working with RMF for about 2 years now, and it is very involved.
References:
Tierney, M. (2020, Aug 5) IT Security Audits: The Key to Success. Retrieved from: https://blog.netwrix.com/2020/04/09/it-security-audit/
Hall, K.T. (n.d.) Why a Governance, Risk, and Compliance Program is Important for Your Business. Retrieved from: https://www.scripted.com/writing-samples/why-a-governance-risk-and-compliance-program-is-important-for-your-business
Sengupta, S. (2018, Apr 13) Cyber Security – Certification and Accreditation. Retrieved from: https://www.nxtkey.com/cyber-security-certification-and-accreditation
-JAMIE
RESPONSE 2:
According to the reading this week, an IT Security Audit is an internal assessment of an organization's policies, controls, and activities. An audit ensures that an organization is in compliance with legal regulations and that their security controls are adequate. Audits can involve any number of aspects within a business' activities, including finances, compliance, operations, investigations and information technology. An IT Security Audit also involves three goals: providing an objective review of policies, providing reasonable assurance that controls are in place, and making recommendations for improvement.
As businesses become ever more reliant on technology, governance and compliance become a more integral part of business function. Governance of IT systems ensures proper use as well as compliance and risk management, all vital to success in a business environment. Compliance is important and beneficial to all aspects of a business; it ensures the reliability as well as the public trust of a business, which is vital to the business' success.
Risk Manager - A risk manager is familiar with the risks and vulnerabilities that an organization faces, as well as creating and evaluating risk management procedures. They are also responsible for knowing auditing controls as well as reporting procedures (Patel, 2016).
Auditor - The roles and responsibilities of an auditor include assessing current security controls and risk management procedures, advising management on how to improve security controls, evaluating risks, and analyzing internal operations (Kumar, 2017).
Executive Manager - The Executive Manager is responsible for ensuring their department is aligned with company vision and goals. They help to create and implement policies and procedures, and they make business decisions, such as security policy changes, based on the information received from the risk manager and auditor (Woodman, 2018).
The Certification and Accreditation process is a standardized set of processes, activities, and management practices to validate, implement and ensure security. The phases of the C&A process are as follows. Phase I, Initiation and Planning: this defines the C&A effort and documents the steps needed to achieve the desired accreditation. Phase II, Certification: this phase verifies system compliance with the identified security standards. Phase III, Accreditation: here validation is made that the system is compliant, and security accreditation is achieved. Phase IV, Post Accreditation: this phase continuously monitors the system to ensure it remains compliant with accreditation standards (QTS, 2019).
Alysha Macleod
Kumar N. (2017) Roles and Responsibilities of an Internal Auditor. EnterSlice
Patel N. (2016) A Risk Manager’s Role in Strategic Leadership. NIC State.
QTS. (2019) The Four Phases of the Certification and Accreditation Process. QTS
Woodman C. (2018) Job Description of an Executive Manager. Career Trend
ISSC 341
RESPONSE 3:
There are 7 layers to the Open Systems Interconnection (OSI) model, but I will be discussing layers one and two. The first layer, the physical layer, is responsible for the physical cable or wireless connection between the network nodes. It defines the connector, the electrical cable or wireless technology connecting the devices, and is responsible for transmission of raw data (0s and 1s). The second layer, the data link layer, establishes and terminates a connection between two physically connected nodes on a network. It is comprised of two parts: Logical Link Control (LLC), which identifies protocols and performs error checking/synchronizes frames, and Media Access Control (MAC), which uses MAC addresses to connect devices and define permissions to transmit and receive data.
IPv6 is the latest version of the internet protocol and was introduced in 1998 by the Internet Engineering Task Force (IETF) to solve address space exhaustion. IPv6 uses 128-bit addressing instead of IPv4's 32-bit addressing scheme. What that means is that the IPv4 address method uses four sets of one-to-three-digit numbers (192.0.2.146), and IPv6 uses eight groups of four hexadecimal digits (2001:0db8:85a3:0000:0000:8a2e:0370:7334). While IPv6 may seem more secure and will eventually replace IPv4 one day, its adoption has been delayed because there's a dual stack requirement. IPv6 is not backwards compatible with IPv4. There is a problem with network address translation (NAT), which takes private IP addresses and turns them into public IP addresses.
IPv4 allows for a variation of the network and host segments of an IP address, known as subnetting. It can be used to design a network physically and logically. Subnetwork addresses enhance local routing capabilities while reducing the number of addresses required. The subnet mask is used to show what part of the address is the network portion and what part is the host portion. In IPv4, there are 3 default subnet masks corresponding to the three classes of IP address.
Hope everyone is having a great start to their week!
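The following Python script is an added worked example of the IPv4 subnetting and IPv6 addressing points made in Response 3; it is not part of the original post. It uses only the standard-library `ipaddress` module. The two addresses 192.0.2.146 and 2001:0db8:85a3:0000:0000:8a2e:0370:7334 are taken from the post; every other address and mask is a constructed sample, and the "private" check is an assumption that the post's NAT remark refers to the RFC 1918 ranges.

```python
"""Subnetting and IPv6 addressing helpers (added example, not from the post).

Shows what a subnet mask actually does to an address, what the three classful
default masks are, how NAT-style private ranges are recognised, and how the
same IPv6 address looks in its expanded (8 x 4 hex digits) and compressed forms.
"""
import ipaddress
from typing import Optional

# The three default (classful) subnet masks mentioned in the post.
CLASSFUL_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}

# Assumption: "private IP address" in the NAT sense means the RFC 1918 blocks.
RFC1918_NETWORKS = [
    ipaddress.IPv4Network("10.0.0.0/8"),
    ipaddress.IPv4Network("172.16.0.0/12"),
    ipaddress.IPv4Network("192.168.0.0/16"),
]


def classful_default_mask(addr: str) -> Optional[str]:
    """Pick the default mask from the first octet (A: 0-127, B: 128-191, C: 192-223).

    Classes D (multicast) and E (reserved) have no host portion, so return None.
    """
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return CLASSFUL_MASKS["A"]
    if first_octet < 192:
        return CLASSFUL_MASKS["B"]
    if first_octet < 224:
        return CLASSFUL_MASKS["C"]
    return None


def split_network_host(addr: str, mask: str) -> tuple:
    """Apply the mask bitwise: AND keeps the network bits, AND NOT keeps host bits."""
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    network_part = ipaddress.IPv4Address(a & m)
    host_part = ipaddress.IPv4Address(a & (~m & 0xFFFFFFFF))
    return str(network_part), str(host_part)


def subnet_block(addr: str, mask: str) -> dict:
    """Describe the subnet an address falls in for an arbitrary (non-classful) mask."""
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "prefix": net.prefixlen,
        # Network and broadcast addresses are not assignable to hosts.
        "usable_hosts": max(net.num_addresses - 2, 0),
    }


def is_rfc1918_private(addr: str) -> bool:
    """True for addresses NAT would have to translate before they reach the Internet."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in RFC1918_NETWORKS)


def expand_ipv6(addr: str) -> str:
    """Eight groups of four hex digits, with '::' and leading zeros restored."""
    return ipaddress.IPv6Address(addr).exploded


def compress_ipv6(addr: str) -> str:
    """Canonical short form: leading zeros dropped, longest zero run as '::'."""
    return ipaddress.IPv6Address(addr).compressed


def address_bits(addr: str) -> int:
    """32 for an IPv4 address, 128 for an IPv6 address."""
    return ipaddress.ip_address(addr).max_prefixlen


if __name__ == "__main__":
    sample_v4 = "192.0.2.146"                                  # from the post
    sample_v6 = "2001:0db8:85a3:0000:0000:8a2e:0370:7334"      # from the post
    print("default mask:", classful_default_mask(sample_v4))
    print("network/host:", split_network_host(sample_v4, "255.255.255.0"))
    print("/26 block:   ", subnet_block(sample_v4, "255.255.255.192"))
    print("private?     ", is_rfc1918_private("10.1.2.3"), is_rfc1918_private(sample_v4))
    print("compressed:  ", compress_ipv6(sample_v6))
    print("bits:        ", address_bits(sample_v4), address_bits(sample_v6))
```

Running the script with the post's own address shows that a /26 mask (255.255.255.192) places 192.0.2.146 in the block 192.0.2.128 to 192.0.2.191, which is the "variation of the network and host segments" the post describes; the classful default for the same address is the class C mask 255.255.255.0.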