CST 630 Bethesda University Parem Company Network Audit Security Assessment Report
Risk Management
After completing your master's degree, you have been hired by a contracting company as an information systems security officer, or ISSO, supporting systems for federal clients. One morning, your boss asks you to come to her office. She tells you that you'll be working on a network security audit. Network security audits, based on FISMA standards, are used annually to determine the effectiveness of our security controls. The boss explains: "Prior to the security audit, I will need you to test, execute, collect, and compile your results into a security assessment report, or SAR. Once you're finished, you will submit the report to me and the executive leadership."
Later, you receive a follow-up email from your boss with instructions. First, you will conduct a risk and threat assessment of the enterprise network. Next, you will perform black box testing of the network using network analysis tools. After identifying any network vulnerabilities, you will lead efforts to remedy and mitigate those vulnerabilities using appropriate risk management controls. You will then perform a white box test, compile the results in the final security assessment report, and provide it to leadership, along with an executive briefing in your lab analysis, so that management has a baseline view of the security posture of the enterprise network before the actual external IT audit. The email ends with this note: "Thank you for taking this on. Our executive leadership is excited to learn of your findings."
Many companies and agencies conduct IT audits to test and assess the rigor of IT security controls in order to mitigate risks to IT networks. Such audits meet compliance mandates by regulatory organizations.
Federal IT systems follow Federal Information Security Management Act (FISMA) guidelines and report security compliance to US-CERT, the United States Computer Emergency Readiness Team, which handles defense and response to cyberattacks as part of the Department of Homeland Security. In addition, Control Objectives for Information and Related Technologies (COBIT) is a set of IT governance and security guidelines that provides a framework for IT system security in the commercial sector.
Your team is setting up a secure network for an important tech conference. Attendees will be trying to access the network later that same day. The pressure is on... Ned, a cyber co-worker, says, “Hey, network is up. Can you pen test it for me? Check ports and see if any of my dummy client files are exposed? Nikto should work.... And by the way, with all the big names here, I wouldn’t be surprised if someone is in the lobby trying to sniff our traffic already, so give it your best shot. We only have a few hours to finish.”

You respond, “No problem. I can be done in 30 minutes.” Ned replies, “That is great! I’ll need time to fix anything you find.”

The pressure reminds you of a particular phone call from your Uncle Ray during your time in school. One evening after work, Uncle Ray calls and you answer, “Uncle Ray! Uh oh, I forgot about the big dinner tonight!” Uncle Ray replies, “Hey chief! Will I see you at dinner tonight?”

You answer, “Um... not sure, I have schoolwork to do.... Hey! A friend gave me a copy of his assignments from last semester. I can probably just base mine on his. Then I can meet up for dinner tonight.”

Uncle Ray says with concern, “Well, okay. It will save you some time, but let me ask you: What are you going to do when you get a job and can’t do the work for real?”

You picture Uncle Ray from the time you visited him at work, welding, his mustache visible below welding goggles. He continues, “I’ve been certified to do 22 types of welds on dozens of job sites. And let me tell you—that wouldn’t have been possible if I waited to learn the welds on the job site. You have to do the weld on the spot while they watch to get a cert for a job.”

Ray softens his tone, “Hey, I know you can do it. Put in the work now so you’re ready when you need it, and we’ll see you next time.” You say, “I’ll think about it. Thanks, Uncle Ray.”

You think to yourself, “It’s not just getting the degree—I have to put in the work, so the degree means something.” The memory dissipates. Back in the present at the conference, you tell Ned, “Here are the results: I can see 32 open ports and I found four files marked Confidential Client Files. Happy to do a second round of pen testing after you fix those.” Ned says with a big smile, “Thanks!”