Worksheet: Creating an Audit Plan Course Learning Outcome(s) Develop IT compliance audit plans. . When establishing an audit program, the auditing committee or auditor will select those items or controls, within an organization’s IT infrastructure that will be audited. Referring back to NIST SP 800-53 and NIST SP 800-53A, controls are selected and those items which need to be reviewed are selected. Enterprises provide services to their customers in the forms of operating systems, applications, hardware, Internet, VoIP and security. These services are provided through internal hardware you would find in a server room such as an application server, data storage, web servers, email servers, call-managers, firewalls, and security appliances that provide network based security and monitoring. Often, there are services that are provided to an enterprise by a third party vendor or other organization such as SaaS, cloud based storage, telephony, security, web hosting, connectivity, routing and switching. Though these services are not inherent to the enterprise, there are still controls that are auditable. When developing an audit plan, we first have to identify those items that are to be audited. Each audit looks at controls that are derived from internal and external sources. Items or controls that are internal to the enterprise are known as internal controls. These are controls that are implemented and managed locally within the organization and the enterprise. Often, services are provided by outside vendors or third parties. Compliance is usually managed through the use of service level agreements (SLA). An SLA is a contractual agreement that the vendor or third party will adhere to a predefined set of requirements. These requirements should fall within the organizations compliance requirements. The services an organization receives from an external agency are known as inherited controls. A key component in developing an audit plan is to identify those controls that are internal and inherited to an organization. As an auditor, you are responsible to ensure those controls that are both internal and inherited are within compliance of accrediting the system. Those items not meeting SLA requirements that may or may not be injecting any level of risk into accreditation should be reported to the client or contracting official within your organization. An audit plan consists of various components as you have learned in your reading and lessons. A fundamental document that is the foundation of any audit is to clearly define what it is that’s going to be audited. When that’s know, the auditor can review those items to determine which controls are internal and which are inherited so that the right resources can be assigned to validating those controls. Review the following scenario and determine if the control is internal or inherited; XYZ Corporation has retained you to audit their enterprise and validate their compliance requirements. XYZ Corporation has a staff of 200 employees and an IT staff of three personnel. Internal to XYZ Corp, the organization has a server room which houses network storage for proprietary data, an application server to manage applications and licenses, a web server which hosts the company’s internal and external websites, hardware firewalls and security appliances to manage and protect inbound and outbound services. The organization has contracted Python LLC to provide email, VoIP, SaaS and cloud storage services for non-proprietary data for XYZ Corp. Based on the scenario above, determine whether the following controls are internal or inherited. Control Name Control Assessment Objective Internal / Inherited Use of External Information Systems AC-21(1).1 Determine if the information system employs automated mechanisms to enable authorized users to make information-sharing decisions based on access authorizations of sharing partners and access restrictions on information to be shared. Content of Audit Records AU-3(2).1 Determine if: the organization defines the information system components for which the content of audit records generated is centrally managed; and the organization centrally manages the content of audit records generated by organization-defined information system components. Information Systems Connections CA-3.1 Determine if the organization identifies connections to external information systems (i.e., information systems outside of the authorization boundary); the organization authorizes connections from the information system to external information systems through the use of Interconnection Security Agreements; the organization documents, for each connection, the interface characteristics, security requirements, and the nature of the information communicated; and the organization monitors the information system connections on an ongoing basis to verify enforcement of security requirements. Incident Monitoring IR-5(1) Determine if the organization employs automated mechanisms to assist in the tracking of security incidents; the organization employs automated mechanisms to assist in the collection of security incident information; and the organization employs automated mechanisms to assist in the analysis of security incident information. The audit and auditor are also auditable and considered a control within the NIST framework. Referring to the NIST SP-53 and 53A, Audit and Accountability Policy and Procedures, explain what the assessment objective is based on the control number it’s associated to: Control Number: Description: When an auditor develops an audit plan, the size or scope of the audit must be defined so that redundant audits are avoided and that time can be applied to those controls within the domains that are needed. In the chart below, list the seven domains that are auditable: 1. 2. 3. 4. 5. 6. 7.
