HW03_PoliciesAndAuditing
Utah Valley University (not endorsed by this school), Course 4700, Information Systems. Document, 4 pages, uploaded Dec 6, 2023 by BaronFlamingoPerson398.
IT 4700 – Enterprise Cybersecurity Management
Utah Valley University
Fall 2023 semester
Homework #3: Policies and Auditing
Student Name
Post the completed assignment in Canvas by the due date. The following formats are acceptable: PDF, HTML, MS Word. Handwritten work is not acceptable. Other file formats are not acceptable.
Start with the cybersecurity goals known as "the CIA triad": Confidentiality, Integrity, and Availability. Add any other goals that you think should be considered in your enterprise.
PART A)
For each of your cybersecurity goals, list at least two policy statements that will help you meet the goal. Remember that a policy describes WHAT should happen and not HOW it should happen. In grading this part, I will be looking specifically at whether you are writing policy or procedure.
Cybersecurity Goal | Policy Statements
Confidentiality    | Passwords will be kept secret
                   | Each device will have a unique password
Integrity          | No attempting to access information not accessible
                   | No modifying of information not allowed
Availability       | All passwords will be accessible to the proper people when/if needed
                   | All services will be accessible to the proper people
…                  | …
PART B)
In PART A you created cybersecurity policies for your home (or other) enterprise. Now you will perform an audit to determine if you are in compliance with the policies that you created in the previous assignment. Because this is an internal audit it will be less formal than the audits that were described in the lecture. You are free to modify the formatting if you have another style that is better for you.
Audit Report
Write an audit report. Keep it simple. For each policy statement from PART A (there were at least six) you should list which controls have been (or should be) put into place. Test each control. Describe the test that you performed and the results of the test. For each control list any recommendations for improvement.
At the end of the audit include a short summary with:
1. One paragraph describing what is working well.
2. A second paragraph describing what is not working well.
3. A third paragraph describing what needs to be done to improve compliance with the policies.
Your grade for the assignment depends on how good your audit report is (complete, easy to read, useful), not on "passing" results of the audit. Below is an example audit for one policy statement. Remember to include the three summary paragraphs described above.
EXAMPLE audit for one policy/control
Policy Statement (from PART A): Each account on a computing device will be protected with a nontrivial and non-default password.
Control: Password protection of accounts.
Test Description: Each account on a computer, router, tablet, or phone that accesses the network was checked to verify that it is password protected, that the password is not a default password, and that the password is not trivial (e.g. "password").
Test Result: The router was found to have a default password. All other accounts passed.
Recommendation: A new procedure should be created to require this test to be performed on any equipment as it is added to the network.
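The example test above (every account checked for a default or trivial password) and the per-device uniqueness and access-list checks in the audit table below are the kind of test that is tedious by hand and easy to script once an inventory exists. The following is an added example, not part of the assignment or the student's answer, showing one way to run those checks over a constructed inventory. All device names, accounts, vendor defaults, the trivial-password list and the roster/access-list addresses are made up for the example; the inventory stores only SHA-256 fingerprints of passwords so the audit record itself never becomes a plaintext password list.

```python
"""Home-network password and access audit (added example, not from the assignment).

Two checks that automate the tests described in the audit tables:
  1. every account's password is non-default, non-trivial, and unique per device;
  2. the people on a shared service's access list match the current roster.
Passwords are compared by SHA-256 fingerprint so the inventory never holds plaintext.
"""
import hashlib
from collections import defaultdict


def fingerprint(password: str) -> str:
    """SHA-256 hex digest, used only for equality comparison during the audit."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Trivial passwords the policy forbids (constructed list; extend from a real wordlist).
TRIVIAL = {fingerprint(p) for p in ("", "password", "Password1", "123456",
                                     "12345678", "letmein", "qwerty")}

# Vendor default credentials per device type (constructed; look these up per model).
VENDOR_DEFAULTS = {
    "router": {fingerprint("admin"), fingerprint("password")},
    "printer": {fingerprint("")},
}

# Constructed inventory; in a real audit this is filled in as each device is checked.
INVENTORY = [
    {"device": "router",  "account": "admin",  "fp": fingerprint("admin")},
    {"device": "laptop",  "account": "parent", "fp": fingerprint("Tr0ub4dor&3-home")},
    {"device": "tablet",  "account": "kid1",   "fp": fingerprint("123456")},
    {"device": "phone",   "account": "kid2",   "fp": fingerprint("123456")},
    {"device": "printer", "account": "admin",  "fp": fingerprint("pr1nt-0nly-2023!")},
]


def audit_passwords(inventory, trivial=TRIVIAL, defaults=VENDOR_DEFAULTS):
    """Return one finding per failed check as (device, account, reason)."""
    findings = []
    devices_by_fp = defaultdict(list)          # which devices share a password
    for rec in inventory:
        devices_by_fp[rec["fp"]].append(rec["device"])
    for rec in inventory:
        where = (rec["device"], rec["account"])
        if rec["fp"] in defaults.get(rec["device"], set()):
            findings.append((*where, "default vendor password"))
        if rec["fp"] in trivial:
            findings.append((*where, "trivial password"))
        others = sorted(d for d in devices_by_fp[rec["fp"]] if d != rec["device"])
        if others:
            findings.append((*where, "password reused on " + ", ".join(others)))
    return findings


def reconcile_access(roster, access_list):
    """Compare who should have access with who does. Stale entries violate the
    confidentiality goal; missing entries violate the availability goal."""
    return {
        "stale": sorted(set(access_list) - set(roster)),
        "missing": sorted(set(roster) - set(access_list)),
    }


# Constructed roster and exported access list for a shared password manager.
ROSTER = {"parent@example.com", "partner@example.com", "kid1@example.com"}
ACCESS_LIST = {"parent@example.com", "partner@example.com", "old-roommate@example.com"}


if __name__ == "__main__":
    for device, account, reason in audit_passwords(INVENTORY):
        print(f"FAIL {device}/{account}: {reason}")
    print(reconcile_access(ROSTER, ACCESS_LIST))
```

Each finding maps directly onto a row of the audit table: a "default vendor password" finding is the example's router result, "password reused on ..." is the unique-password policy, and the stale/missing lists are the access review. The script reports the same result however often it is run, which is what makes it usable as the recurring check the recommendation column asks for.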
Short Audit

Policy Statement (from PART A): Passwords will be kept secret
Control: Password protection software
Test Description: Went through notebooks to ensure passwords are not written down, as well as documents on computers to ensure no passwords were documented.
Test Result: Did not find any notebooks or documents with any written-down passwords.
Recommendation: Continue with what is working.

Policy Statement (from PART A): Each device will have a unique password
Control: Password creation programs
Test Description: Logged into each service, computer, and device attached to Wi-Fi to check passwords.
Test Result: Found 2 devices that did not have unique passwords and had easy-to-guess passwords.
Recommendation: Plan to check my children's devices more often.

Policy Statement (from PART A): No attempting to access information not accessible
Control: Two-factor authentication
Test Description: Logged into each service that had two-factor authentication.
Test Result: Found that all services that had two-factor authentication were working properly.
Recommendation: Continue with what is working.

Policy Statement (from PART A): No modifying of information not allowed
Control: Random checks
Test Description: Spot-checked several important information documents against the master document.
Test Result: Did not find that any of the checked documents had been modified.
Recommendation: Continue with random spot checks.

Policy Statement (from PART A): All passwords will be accessible to the proper people when/if needed
Control: Password protection software
Test Description: Logged into the password protection service and checked who had access.
Test Result: Found 4 emails that had access to the password protection software that were never removed when they should have been.
Recommendation: Create a new process to ensure that when emails are discarded they are removed from the software.

Policy Statement (from PART A): All services will be accessible to the proper people
Control: Password protection software
Test Description: Logged into the password protection service and checked who had access.
Test Result: Found 1 email that should have access to services but did not have it.
Recommendation: Create a new process to ensure new emails/people who need access get access.
Working well: I think my password policies have been working very well, with only 2 devices found to be out of compliance.
Not working well: Removing and adding people to the accounts as needed has been found out of compliance and will for sure need to have new procedures implemented.
Needs to be done: A couple of new procedures and processes will need to be added and implemented in order to maintain a level of security that I am comfortable with.