Information Technology Audit and Control


Assignment 2: Organizational Risk Appetite and Risk Assessment

Due Week 4 and worth 50 points

Imagine that a software development company has just appointed you to lead a risk assessment project. The Chief Information Officer (CIO) of the organization has seen reports of malicious activity on the rise and has become extremely concerned with the protection of the intellectual property and highly sensitive data maintained by your organization. The CIO has asked you to prepare a short document before your team begins working. She would like for you to provide an overview of what the term “risk appetite” means and a suggested process for determining the risk appetite for the company. Also, she would like for you to provide some information about the method(s) you intend to use in performing a risk assessment.  

Write a two to three page paper in which you:

1. Analyze the term “risk appetite”. Then, suggest at least one practical example in which it applies.

2. Recommend the key method(s) for determining the risk appetite of the company.

3. Describe the process of performing a risk assessment.

4. Elaborate on the approach you will use when performing the risk assessment.

5. Use at least three quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources.

Your assignment must follow these formatting requirements:

· This course requires use of Strayer Writing Standards (SWS). The format is different from that of other Strayer University courses. Please take a moment to review the SWS documentation for details.

· Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.

The specific course learning outcomes associated with this assignment are:

· Describe the components and basic requirements for creating an audit plan to support business and system considerations.

· Describe the parameters required to conduct and report on an IT infrastructure audit for organizational compliance.

· Use technology and information resources to research issues in security strategy and policy formation.

· Write clearly and concisely about topics related to information technology audit and control using proper writing mechanics and technical style conventions.

Assignment 3: Evaluating Access Control Methods

Due Week 6 and worth 50 points

Imagine that you are the Information Systems Security Specialist for a medium-sized federal government contractor. The Chief Security Officer (CSO) is worried that the organization's current methods of access control are no longer sufficient. In order to evaluate the different methods of access control, the CSO requested that you research: mandatory access control (MAC), discretionary access control (DAC), and role-based access control (RBAC). Then, prepare a report addressing positive and negative aspects of each access control method. This information will be presented to the Board of Directors at their next meeting. Further, the CSO would like your help in determining the best access control method for the organization.

Write a three to five page paper in which you:

1. Explain in your own words the elements of the following methods of access control:

a. Mandatory access control (MAC)

b. Discretionary access control (DAC)

c. Role-based access control (RBAC)

2. Compare and contrast the positive and negative aspects of employing a MAC, DAC, and RBAC.

3. Suggest methods to mitigate the negative aspects for MAC, DAC, and RBAC.

4. Evaluate the use of MAC, DAC, and RBAC methods in the organization and recommend the best method for the organization. Provide a rationale for your response.

5. Speculate on the foreseen challenge(s) when the organization applies the method you chose. Suggest a strategy to address such challenge(s).

6. Use at least three quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources.
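The three models in item 1 differ in who is allowed to make an authorization decision, not just in how permissions are stored. The following small simulation is an added example for this assignment (it is not part of the course text or any vendor implementation) and uses constructed users, objects, labels and roles: in DAC the object's owner grants access and nobody else can; in MAC a central label lattice decides and the owner cannot override it (Bell-LaPadula "no read up, no write down" is used as the policy); in RBAC permissions attach to roles and a user's effective rights are the union of their roles.

```python
"""Toy models of DAC, MAC and RBAC for comparison.

Added example for the access-control assignment; the users, objects,
labels and role tables below are constructed for illustration only.
"""
from dataclasses import dataclass, field


# ---------- DAC: the object's owner decides who may do what ----------
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of permissions


def dac_grant(obj, actor, grantee, perm):
    """Only the owner may change the ACL; anyone else is refused."""
    if actor != obj.owner:
        return False
    obj.acl.setdefault(grantee, set()).add(perm)
    return True


def dac_check(obj, user, perm):
    """Owner always has access; others need an ACL entry."""
    return user == obj.owner or perm in obj.acl.get(user, set())


# ---------- MAC: a central label policy; owners cannot override it ----------
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def mac_check(subject_level, object_level, perm):
    """Bell-LaPadula style: no read up, no write down."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if perm == "read":
        return s >= o          # simple security property
    if perm == "write":
        return s <= o          # *-property (confinement)
    return False


# ---------- RBAC: permissions attach to roles, users to roles ----------
ROLE_PERMS = {
    "developer": {("source", "read"), ("source", "write")},
    "auditor":   {("source", "read"), ("audit_log", "read")},
    "admin":     {("audit_log", "read"), ("audit_log", "write"),
                  ("user_db", "write")},
}
USER_ROLES = {"alice": {"developer"}, "bob": {"auditor"},
              "carol": {"admin", "auditor"}}


def rbac_check(user, obj, perm):
    """Access is granted if any of the user's roles carries the permission."""
    return any((obj, perm) in ROLE_PERMS[r] for r in USER_ROLES.get(user, set()))


def rbac_effective_perms(user):
    """Union of the permissions of all roles assigned to the user."""
    perms = set()
    for r in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMS[r]
    return perms


def demo():
    """Run the same kinds of requests against each model and return the outcomes."""
    results = {}
    design = DacObject(owner="alice")
    results["dac_before_grant"] = dac_check(design, "bob", "read")
    dac_grant(design, "alice", "bob", "read")
    results["dac_after_grant"] = dac_check(design, "bob", "read")
    results["dac_nonowner_grant"] = dac_grant(design, "bob", "eve", "read")
    results["mac_read_up"] = mac_check("confidential", "secret", "read")
    results["mac_read_down"] = mac_check("secret", "confidential", "read")
    results["mac_write_down"] = mac_check("secret", "confidential", "write")
    results["rbac_dev_write_source"] = rbac_check("alice", "source", "write")
    results["rbac_auditor_write_source"] = rbac_check("bob", "source", "write")
    results["rbac_carol_perm_count"] = len(rbac_effective_perms("carol"))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Reading the outcomes side by side makes the trade-offs in items 2 and 3 concrete: DAC is flexible but lets any owner widen access (the usual argument for a data-loss or over-sharing risk), MAC refuses the owner's wishes in favour of the label policy (strong confinement, rigid administration), and RBAC keeps grants manageable through roles but requires role design and periodic review so that users like carol, who accumulate roles, do not end up with more rights than intended.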

Your assignment must follow these formatting requirements:

· This course requires use of Strayer Writing Standards (SWS). The format is different from that of other Strayer University courses. Please take a moment to review the SWS documentation for details.

· Include a cover page containing the title of the assignment, the student's name, the professor's name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.

The specific course learning outcomes associated with this assignment are:

· Analyze information security systems compliance requirements within the User Domain.

· Use technology and information resources to research issues in security strategy and policy formation.

· Write clearly and concisely about topics related to information technology audit and control using proper writing mechanics and technical style conventions.

8 DISCUSSIONS (200 words each)

1

"Audit Findings and Business Processes" 

· Per the text, audit findings focus on four areas: criteria, circumstance, cause, and impact. Determine the area that you believe might be the most difficult to complete. Justify your response. Then, propose a method to address the difficulties you identified.

2

"Monitoring the User Domain" 

· It is common knowledge that employees are a necessary part of any business. Identify three best practices in the user domain and suggest the control type(s) (technical or manual) that are best suited to monitor each best practice.

· Determine the impact that factors such as physical security, device type, and open source software might have on the choices that are made.

3

"Forming the CSIRT"  Please respond to the following:

· Determine what you believe are the top two considerations that should be addressed when forming the CSIRT in terms of skills, abilities, procedures, training, deployment, etc.

· Explain what you believe to be the most critical flaw or failure when it comes to CSIRT organization and preparation. Suggest ways management can avoid this pitfall altogether.

4

"Team Communication…Tested!"  Please respond to the following:

· From the e-Activity, explain in your own words the purpose of the Software Engineering Institute’s (SEI) exercises regarding team communication, and determine whether or not you believe this type of testing and analysis is a beneficial use of resources. Justify your answer.

· Based on the testing and analysis described in the e-Activity, indicate the two most important things that you believe are needed in order for cross-team communication to be successful when dealing with potential widespread incidents.

5

"Containment and IR Strategies"  Please respond to the following:

· Explain why it is important for a business to have a specific plan of action, processes, and / or a set of guidelines to manage potential security incidents that may arise. Support your answer with a real-life example. Be sure to clearly identify the business as well as the potential security incident in your example.

· Discuss the role of incident containment in an incident response strategy and how a lack of planning for containment is a potential pitfall for any response strategy.

6

"SIEM and Incident Response"  Please respond to the following:

· From the e-Activity, explain in your own words the purpose of security information and event management (SIEM) solutions and how this category of tools can assist an incident response team. Also determine whether or not you believe the “golden hour” is a realistic and attainable response goal. Justify your answer.

· Compare and contrast two SIEM tools of your choice based on their common uses and market reputation. Determine which of these tools you would prefer to use as part of an incident response strategy and explain why.

7

"Encryption in Investigations"  Please respond to the following:

· Discuss in your own words the effects that encryption can have on incident response activities, and explain how the use of encryption technologies could prove to be detrimental to an investigation.

· Devise an example of an incident where encryption could be used as protection from an intruder or attacker, and determine the actions that could be taken by the incident responders to manage the situation.

8

"e-Discovery in Action"  Please respond to the following:

· From the e-Activity, explain the top three reasons why you believe organizations may be unprepared to manage incidents effectively and in a timely fashion. Provide real-world examples to support your chosen reasons.

· From the e-Activity, determine which of the seven recommendations to improve e-Discovery and incident management you would consider the most important for organizations to address. Justify your answer.