Many companies and agencies conduct IT audits to test and assess the rigor of IT security controls in order to mitigate risks to IT networks. Such audits meet compliance mandates by regulatory organizations. Federal IT systems follow Federal Information System Management Act (FISMA) guidelines and report security compliance to US-CERT, the United States Computer Emergency Readiness Team, which handles defense and response to cyberattacks as part of the Department of Homeland Security. In addition, the Control Objective for Information Technology (COBIT) is a set of IT security guidelines that provides a framework for IT security for IT systems in the commercial sector. These audits are comprehensive and rigorous, and negative findings can lead to significant fines and other penalties. Therefore, industry and federal entities conduct internal self-audits in preparation for actual external IT audits, and compile security assessment reports. In this project, you will develop a 12-page written and for a company and submit the report to the leadership of that company. There are six steps to complete the project. Most steps in this project should take no more than two hours to complete, and the project as a whole should take no more than three weeks to complete. Begin with the workplace scenario, and then continue to Step 1. security assessment report (SAR), slides to support executive briefing, lab report When you submit your project, your work will be evaluated using the competencies listed below. You can use the list below to self-check your work before submission. In the first step of the project, you will conduct a security analysis baseline of the IT systems, which will include a data-flow diagram of connections and endpoints, and all types of access points, including wireless. The baseline report will be part of the overall security assessment report (SAR). You will get your information from a data-flow diagram and report from the Microsoft Threat Modeling Tool 2016. The scope should include network IT security for the whole organization. Click the following to view the data-flow diagram: Include the following areas in this portion of the SAR: The overall SAR should detail the security measures needed, or implementations status of those in progress, to address the identified vulnerabilities. Include: Through your research, provide the methods used to provide the protections and defenses. From the identification of risk factors in the risk model, identify the appropriate security controls from and determine their applicability to the risks identified. The baseline should make up at least three of the 12 pages of the overall report. When you have completed your security analysis baseline, move on to the next step, in which you will use testing procedures that will help determine the company’s overall network defense strategy. You’ve completed your initial assessment of the company’s security with your baseline analysis. Now it’s time to determine the best defenses for your network. Start by reading a publication by the National Institute of Standards and Technology, , and outline how you would test violations. Identify how you will assess the effectiveness of these controls and write test procedures that could be used to test for effectiveness. Write them in a manner to allow a future information systems security officer to use them in preparing for an IT security audit or IT certification and accreditation. Within this portion of the SAR, explain the different testing types (black box testing, white box testing). Include these test plans in the SAR. The strategy should take up at least two of the 12 pages of the overall report. Click the following link to learn more about cybersecurity for process control systems: After you’ve completed this step, it’s time to define the process of penetration testing. In the next step, you’ll develop rules of engagement (ROE). Now that you’ve completed your test plans, it’s time to define your penetration testing process. Include all involved processes, people, and timeframe. Develop a letter of intent to the organization, and within the letter, include some formal rules of engagement (ROE). The process and any documents can be notional or can refer to actual use cases. If actual use cases are included, cite them using APA format. This portion should be about two pages of the overall 12-page report. After you have outlined the steps of a penetration testing process, in the next step you will perform penetration testing. During the testing, you will determine if the security components are updated and if the latest patches are implemented, and if not, determine where the security gaps are. Step 4: Conduct a Network Penetration Test You’ve defined the penetration testing process, and in this step, you will scan the network for vulnerabilities. Though you have some preliminary information about the network, you will perform a black box test to assess the current security posture. Black box testing is performed with little or no information about the network and organization. To complete this step, you will use industry tools to carry out simulated attacks to test the weaknesses of the network. You will do this within your lab Workspace. The workspace instructions will provide many of the details, but in the simulation, you will launch a sandbox type of virtual machine (VM), report your findings and actual screen captures of the behaviors you see as a result of the tests, and include these in the SAR. Your assessments within the lab will be reported in the SAR. You will use the tools in Workspace for this step. If you need help outside the classroom, you can register for the CLAB 699 Cyber Computing Lab Assistance (go to the Discussions List for registration information). Lab assistants are available to help. Click here to access the instructions for . Click here to access the . Explore the tutorials and user guides to learn more about the tools you will use. Then, enter . After finding the security issues within the network, define which control families from the NIST 800-53 are violated by these issues. Explain in the SAR why each is a violation, support your arguments with a copy of your evidence, and then provide suggestions on improving the security posture of these violations. This section should make up at least four of the 12 pages in the overall report. After you’ve completed the penetration testing, move to the next step, where you will compile a risk management cost benefit analysis. Step 5: Complete a Risk Management Cost Benefit Analysis You’ve completed the penetration testing, and now it’s time to complete your SAR with a risk management cost benefit analysis. Within this analysis, think about the cost of violations and other areas if you do not add the controls. Then add in the cost for implementing your controls. When you have finished with the cost benefit analysis, which should be at least one page of your overall report, move to the final step, which is the completed SAR. As part of the final assignment, remember that you will need to create a slide presentation as part of the executive briefing, and submit that along with the SAR. Step 6: Compile the SAR, Executive Briefing, and Lab Report You have completed comprehensive testing in preparation for this audit, provided recommended remediations, and developed a set of recommendations. Now you are ready to submit your SAR and executive briefing. The requirements for Project 1 are as follows: Submit all three components to the assignment folder. Before you submit your assignment, review the competencies below, which your instructor will use to evaluate your work. A good practice would be to use each competency as a self-check to confirm you have incorporated all of them in your work.
