Down below is a worksheet assignment I need help on.
cis349_worksheet_2__student_version.docx
sp800_53a_rev1_final.pdf
Week 3
Worksheet 2: Creating an Audit Plan
Course Learning Outcome(s)
• Develop IT compliance audit plans.
When establishing an audit program, the auditing committee or auditor selects the items or controls within an organization's IT infrastructure that will be audited. Referring back to NIST SP 800-53 and NIST SP 800-53A, the controls are selected and the items that need to be reviewed for each control are identified.
Enterprises provide services to their customers in the form of operating systems, applications, hardware, Internet, VoIP and security. These services are provided through internal hardware you would find in a server room, such as application servers, data storage, web servers, email servers, call managers, firewalls, and security appliances that provide network-based security and monitoring.
Often, services are provided to an enterprise by a third-party vendor or other organization, such as SaaS, cloud-based storage, telephony, security, web hosting, connectivity, routing and switching. Though these services are not inherent to the enterprise, there are still controls that are auditable.
When developing an audit plan, we first have to identify those items that are to be audited. Each audit
looks at controls that are derived from internal and external sources. Items or controls that are internal to
the enterprise are known as internal controls. These are controls that are implemented and managed
locally within the organization and the enterprise.
Often, services are provided by outside vendors or third parties. Compliance is usually managed through the use of service level agreements (SLAs). An SLA is a contractual agreement that the vendor or third party will adhere to a predefined set of requirements. These requirements should fall within the organization's compliance requirements. The controls that an organization receives through the services of an external agency are known as inherited controls.
A key component in developing an audit plan is to identify which of an organization's controls are internal and which are inherited. As an auditor, you are responsible for ensuring that both the internal and the inherited controls meet the compliance requirements for accrediting the system. Items that do not meet SLA requirements, whether or not they inject any level of risk into accreditation, should be reported to the client or to the contracting official within your organization.
An audit plan consists of various components, as you have learned in your reading and lessons. A fundamental document that is the foundation of any audit is one that clearly defines what is going to be audited. When that is known, the auditor can review those items to determine which controls are internal and which are inherited, so that the right resources can be assigned to validating those controls.
Review the following scenario and determine whether each control is internal or inherited:
XYZ Corporation has retained you to audit their enterprise and validate their compliance requirements.
XYZ Corporation has a staff of 200 employees and an IT staff of three personnel. Internal to XYZ Corp,
the organization has a server room which houses network storage for proprietary data, an application
server to manage applications and licenses, a web server which hosts the company’s internal and
external websites, hardware firewalls and security appliances to manage and protect inbound and
outbound services. The organization has contracted Python LLC to provide email, VoIP, SaaS and cloud
storage services for non-proprietary data for XYZ Corp.
Based on the scenario above, determine whether the following controls are internal or inherited.
Control Name: Use of External Information Systems
Control: AC-21(1).1
Assessment Objective: Determine if the information system employs automated mechanisms to enable authorized users to make information-sharing decisions based on access authorizations of sharing partners and access restrictions on information to be shared.
Internal / Inherited:

Control Name: Content of Audit Records
Control: AU-3(2).1
Assessment Objective: Determine if: the organization defines the information system components for which the content of audit records generated is centrally managed; and the organization centrally manages the content of audit records generated by organization-defined information system components.
Internal / Inherited:

Control Name: Information Systems Connections
Control: CA-3.1
Assessment Objective: Determine if the organization identifies connections to external information systems (i.e., information systems outside of the authorization boundary); the organization authorizes connections from the information system to external information systems through the use of Interconnection Security Agreements; the organization documents, for each connection, the interface characteristics, security requirements, and the nature of the information communicated; and the organization monitors the information system connections on an ongoing basis to verify enforcement of security requirements.
Internal / Inherited:

Control Name: Incident Monitoring
Control: IR-5(1)
Assessment Objective: Determine if the organization employs automated mechanisms to assist in the tracking of security incidents; the organization employs automated mechanisms to assist in the collection of security incident information; and the organization employs automated mechanisms to assist in the analysis of security incident information.
Internal / Inherited:
The audit and the auditor are themselves auditable and are considered a control within the NIST framework. Referring to NIST SP 800-53 and 800-53A, Audit and Accountability Policy and Procedures, give the control number this control is associated with and explain its assessment objective:
Control Number:
Description:
When an auditor develops an audit plan, the size or scope of the audit must be defined so that redundant audits are avoided and time can be applied to the controls within the domains that need it. In the chart below, list the seven domains that are auditable:
1.
2.
3.
4.
5.
6.
7.
Archived NIST Technical Series Publication
The attached publication has been archived (withdrawn), and is provided solely for historical purposes. It may have been superseded by another publication (indicated below).
Archived Publication
Series/Number: NIST Special Publication 800-53A Revision 1
Title: Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
Publication Date(s): June 2010
Withdrawal Date: December 11, 2015
Withdrawal Note: SP 800-53A Rev. 1 is withdrawn one year after the publication of SP 800-53A Rev. 4 (December 2014), and is superseded in its entirety.
Superseding Publication(s)
The attached publication has been superseded by the following publication(s):
Series/Number: NIST Special Publication 800-53A Revision 4
Title: Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
Author(s): Joint Task Force Transformation Initiative
Publication Date(s): December 2014
URL/DOI: http://dx.doi.org/10.6028/NIST.SP.800-53Ar4
Additional Information (if applicable)
Contact: Computer Security Division (Information Technology Laboratory)
Latest revision of the attached publication: SP 800-53A Rev. 4, updated 12-18-2014 (as of December 11, 2015)
Related information: http://csrc.nist.gov/groups/SMA/fisma/assessment.html
Withdrawal announcement (link): N/A
Date updated: December 11, 2015
NIST Special Publication 800-53A Revision 1
Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
JOINT TASK FORCE TRANSFORMATION INITIATIVE
INFORMATION SECURITY
Consistent with NIST SP 800-53, Revision 3
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930
June 2010
U.S. Department of Commerce
Gary Locke, Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Director
Special Publication 800-53A
Guide for Assessing the Security Controls in
Federal Information Systems and Organizations
________________________________________________________________________________________________
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and
Technology (NIST) promotes the U.S. economy and public welfare by providing technical
leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test
methods, reference data, proof of concept implementations, and technical analyses to advance the
development and productive use of information technology. ITL’s responsibilities include the
development of management, administrative, technical, and physical standards and guidelines for
the cost-effective security and privacy of other than national security-related information in
federal information systems. The Special Publication 800-series reports on ITL’s research,
guidelines, and outreach efforts in information system security, and its collaborative activities
with industry, government, and academic organizations.
Authority
This publication has been developed by NIST to further its statutory responsibilities under the
Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. NIST is
responsible for developing information security standards and guidelines, including minimum
requirements for federal information systems, but such standards and guidelines shall not apply to
national security systems without the express approval of appropriate federal officials exercising
policy authority over such systems. This guideline is consistent with the requirements of the
Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency
Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections.
Supplemental information is provided in Circular A-130, Appendix III, Security of Federal
Automated Information Resources.
Nothing in this publication should be taken to contradict the standards and guidelines made
mandatory and binding on federal agencies by the Secretary of Commerce under statutory
authority. Nor should these guidelines be interpreted as altering or superseding the existing
authorities of the Secretary of Commerce, Director of the OMB, or any other federal official.
This publication may be used by nongovernmental organizations on a voluntary basis and is not
subject to copyright in the United States. Attribution would, however, be appreciated by NIST.
NIST Special Publication 800-53A, Revision 1, 399 pages (June 2010)
Certain commercial entities, equipment, or materials may be identified in this document in order to
describe an experimental procedure or concept adequately. Such identification is not intended to imply
recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or
equipment are necessarily the best available for the purpose.
There may be references in this publication to other publications currently under development by NIST
in accordance with its assigned statutory responsibilities. The information in this publication, including
concepts and methodologies, may be used by federal agencies even before the completion of such
companion publications. Thus, until each publication is completed, current requirements, guidelines,
and procedures, where they exist, remain operative. For planning and transition purposes, federal
agencies may wish to closely follow the development of these new publications by NIST.
Organizations are encouraged to review all draft publications during public comment periods and
provide feedback to NIST. All NIST publications, other than the ones noted above, are available at
http://csrc.nist.gov/publications.
Comments on this publication may be submitted to:
National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930
Electronic mail: sec-cert@nist.gov
Compliance with NIST Standards and Guidelines
In accordance with the provisions of FISMA,[1] the Secretary of Commerce shall, on the basis of standards and guidelines developed by NIST, prescribe standards and guidelines pertaining to federal information systems. The Secretary shall make standards compulsory and binding to the extent determined necessary by the Secretary to improve the efficiency of operation or security of federal information systems. Standards prescribed shall include information security standards that provide minimum information security requirements and are otherwise necessary to improve the security of federal information and information systems.
• Federal Information Processing Standards (FIPS) are approved by the Secretary of Commerce and issued by NIST in accordance with FISMA. FIPS are compulsory and binding for federal agencies.[2] FISMA requires that federal agencies comply with these standards, and therefore, agencies may not waive their use.
• Special Publications (SPs) are developed and issued by NIST as recommendations and guidance documents. For other than national security programs and systems, federal agencies must follow those NIST Special Publications mandated in a Federal Information Processing Standard. FIPS 200 mandates the use of Special Publication 800-53, as amended. In addition, OMB policies (including OMB Reporting Instructions for FISMA and Agency Privacy Management) state that for other than national security programs and systems, federal agencies must follow certain specific NIST Special Publications.[3]
• Other security-related publications, including interagency reports (NISTIRs) and ITL Bulletins, provide technical and other information about NIST's activities. These publications are mandatory only when specified by OMB.
• Compliance schedules for NIST security standards and guidelines are established by OMB in policies, directives, or memoranda (e.g., annual FISMA Reporting Guidance).[4]
[1] The E-Government Act (P.L. 107-347) recognizes the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), emphasizes the need for organizations to develop, document, and implement an organization-wide program to provide security for the information systems that support its operations and assets.
[2] The term agency is used in this publication in lieu of the more general term organization only in those circumstances where its usage is directly related to other source documents such as federal legislation or policy.
[3] While federal agencies are required to follow certain specific NIST Special Publications in accordance with OMB policy, there is flexibility in how agencies apply the guidance. Federal agencies apply the security concepts and principles articulated in the NIST Special Publications in accordance with and in the context of the agency's missions, business functions, and environment of operation. Consequently, the application of NIST guidance by federal agencies can result in different security solutions that are equally acceptable, compliant with the guidance, and meet the OMB definition of adequate security for federal information systems. Given the high priority of information sharing and transparency within the federal government, agencies also consider reciprocity in developing their information security solutions. When assessing federal agency compliance with NIST Special Publications, Inspectors General, evaluators, auditors, and assessors consider the intent of the security concepts and principles articulated within the specific guidance document and how the agency applied the guidance in the context of its mission/business responsibilities, operational environment, and unique organizational conditions.
[4] Unless otherwise stated, all references to NIST publications in this document (i.e., Federal Information Processing Standards and Special Publications) are to the most recent version of the publication.
Acknowledgements
This publication was developed by the Joint Task Force Transformation Initiative Interagency
Working Group with representatives from the Civil, Defense, and Intelligence Communities in an
ongoing effort to produce a unified information security framework for the federal government.
The National Institute of Standards and Technology wishes to acknowledge and thank the senior
leaders from the Departments of Commerce and Defense, the Office of the Director of National
Intelligence, the Committee on National Security Systems, and the members of the interagency
technical working group whose dedicated efforts contributed significantly to the publication. The
senior leaders, interagency working group members, and their organizational affiliations include:
U.S. Department of Defense
Cheryl J. Roby, Acting Assistant Secretary of Defense for Networks and Information Integration/Chief Information Officer
Gus Guissanie, Acting Deputy Assistant Secretary of Defense for Cyber, Identity, and Information Assurance
Dominic Cussatt, Senior Policy Advisor
Roger Caslow, Lead, C&A Transformation

Office of the Director of National Intelligence
Honorable Priscilla Guthrie, Intelligence Community Chief Information Officer
Sherrill Nicely, Deputy Intelligence Community Chief Information Officer
Mark J. Morrison, Deputy Associate Director of National Intelligence for IC Information Assurance

National Institute of Standards and Technology
Cita M. Furlani, Director, Information Technology Laboratory
William C. Barker, Cyber Security Advisor, Information Technology Laboratory
Donna Dodson, Chief, Computer Security Division
Ron Ross, FISMA Implementation Project Leader

Committee on National Security Systems
Dave Wennergren, Acting Chair, CNSS
Eustace D. King, CNSS Subcommittee Co-Chair (DoD)
Peter Gouldmann, CNSS Subcommittee Co-Chair (DoS)
Joint Task Force Transformation Initiative Interagency Working Group
Ron Ross, NIST, JTF Leader
Gary Stoneburner, Johns Hopkins APL
Terry Sherald, Department of Defense
Kelley Dempsey, NIST
Patricia Toth, NIST
Esten Porter, The MITRE Corporation
Peter Gouldmann, Department of State
Arnold Johnson, NIST
Bennett Hodge, Booz Allen Hamilton
Karen Quigg, The MITRE Corporation
Jonathan Chiu, Booz Allen Hamilton
Christian Enloe, NIST
In addition to the above acknowledgments, a special note of thanks goes to Peggy Himes and
Elizabeth Lennon of NIST for their superb technical editing and administrative support. The
authors also wish to recognize Jennifer Fabius Greene, James Govekar, Terrance Hazelwood,
Austin Hershey, Laurie Hestor, Jason Mackanick, Timothy Potter, Jennifer Puma, Matthew
Scholl, Julie Trei, Gail Tryon, Ricki Vanetesse, Cynthia Whitmer, and Peter Williams for their
exceptional contributions in helping to improve the content of the publication. And finally, the
authors gratefully acknowledge and appreciate the significant contributions from individuals and
organizations in the public and private sectors, nationally and internationally, whose thoughtful
and constructive comments improved the overall quality and usefulness of this publication.