Many companies and agencies conduct IT audits to test and assess the rigor of IT security controls in order to mitigate risks to IT networks. Such audits meet compliance mandates by regulatory organizations.
Federal IT systems follow Federal Information System Management Act (FISMA) guidelines and report security compliance to US-CERT, the United States Computer Emergency Readiness Team, which handles defense and response to cyberattacks as part of the Department of Homeland Security. In addition, the Control Objective for Information Technology (COBIT) is a set of IT security guidelines that provides a framework for IT system security in the commercial sector.
These audits are comprehensive and rigorous, and negative findings can lead to significant fines and other penalties. Therefore, industry and federal entities conduct internal self-audits in preparation for actual external IT audits, and compile security assessment reports.
In this project, you will develop a 12-page written security assessment report and lab report for a company and submit both reports to the leadership of that company.
There are six steps to complete the project. Most steps in this project should take no more than two hours to complete, and the project as a whole should take no more than two weeks. Begin with the workplace scenario and then continue to Step 1.
- Security assessment report (SAR): Your report should be 12 pages minimum, double-spaced with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
- Lab report: A document sharing your lab experience and providing screenshots to demonstrate that you performed the lab. Attach it to the SAR as an artifact.
Your work will be evaluated using the competencies listed below.
- 2.4: Consider and analyze information in context to the issue or problem.
- 5.2: Knowledge of architectural methodologies used in the design and development of information systems, including the physical structure of a system’s internal operations and interactions with other systems and knowledge of standards that either are compliant with or derived from established standards or guidelines.
- 5.3: Uses defensive measures and information collected from a variety of sources to identify, analyze, and report events that occur or might occur within the network in order to protect information, information systems, and networks from threats.
- 7.2: Includes the process of identifying, quantifying, and prioritizing the vulnerabilities in a system. Vulnerability from the perspective of disaster management includes assessing the threats from potential hazards to the population & to infrastructure.