CSIA 413 IT Audit Policy and Plan


Enter Name

University of Maryland University College

Cybersecurity Policy, Plans, and Programs

CSIA 413 6380

Table of Contents

  • Executive Summary
  • Issue Specific Policy for IT Security Policy Compliance Audits
  • Access Control
  • Data Breach Response Policy
  • Preventing/Controlling Shadow IT Policy
  • Management and Use of Corporate Social Media Accounts
  • Audit Plan Awareness & Compliance (Employee Survey)
  • Audit Plan Awareness & Compliance (Approach)
  • Security Policies Audit (Documentation Review)
  • Security Policies Audit (Objectives)
  • Security Policies Audit (Approach)
  • Resources

Executive Summary

Because cybercrime has become an integral part of the organization's overall concerns, and the organization has taken steps to protect its information technology security, "high-performing organizations have audit committees and tables actively involved with the Internal audit function during the discovery and evaluation of these risks" (McCafferty, 2016). Red Clay Renovations makes full use of technology that involves people, processes and ways of doing business, such as smart homes and the Internet of Things. For this reason, it is important for Red Clay Renovations to implement audit policies that help the company's IT managers and executives track all weaknesses and vulnerabilities and find lasting solutions to existing and emerging risks.

This document contains the following: an Issue Specific Policy for IT Security Policy Compliance Audits, an Audit Plan for IT Security Policy Awareness and Training (Employee Survey), and an Audit Plan for IT Security Policies (Documentation Review). Red Clay Renovations policies will focus on various aspects of information technology. The Issue Specific Policy for IT Security Policy Compliance Audits focuses on access control of data, the Audit Plan for IT Security Policy Awareness and Training focuses on best practices, and the Audit Plan for IT Security Policies focuses on documentation review.

Given the extensive use of systems at Red Clay Renovations, it is vital for the organization to have a form of control over access to its networks and physical environment. A policy governing access control will ensure the security of the network and physical environments, protection of copyrighted material, control of third-party entities and operations, fewer successful attacks, and preservation of company information.

Issue Specific Policy for IT Security Policy Compliance Audits

From a legal perspective, Red Clay Renovations employees will need to be aware of who is authorized to access information on the network while maintaining the confidentiality, integrity and availability of that information. Personally Identifiable Information (PII) will never be made public; Red Clay Renovations will make a concerted effort to keep PII private by limiting who may access it. Red Clay Renovations will treat the security of its associates' and customers' information as a high priority, preventing it from being seen by any outside source.

Red Clay Renovations associates operate at various locations, such as Red Clay Renovations offices or remote sites, so this information will need to be disseminated to all associates to ensure that everyone is aware of and applies the principles of securing the information. Remote workers may be more susceptible to leaving information unsecured, because the mobile devices they use may be left unsecured and unattended for extended periods. It is therefore imperative that remote workers understand this policy so that security measures are applied.

Departments that operate from Red Clay Renovations headquarters and local offices will need to ensure their respective employees are aware of and apply these policies. Security is everyone's responsibility, with the burden of responsibility placed on management. Applications that handle financial, privacy, safety or defense functions will need a form of access control to maintain security.

Associates may encounter a smart home operating with Internet of Things (IoT) technologies that can make their mobile devices vulnerable to attack. While conducting operations in these residences, associates must remain aware of this to maintain security while working effectively and efficiently.

Security of data is a primary concern of every company, including Red Clay Renovations. Information technology systems continuously store, transmit and process information that plays a pivotal role in company operations. Access controls will remain in place to ensure the security of all information belonging to Red Clay Renovations associates and customers.

The Red Clay Renovations Issue Specific Policy for IT Security Policy Compliance Audits regarding access control is key to success. The Data Breach Response Policy, the Preventing/Controlling Shadow IT Policy, and the Management and Use of Corporate Social Media Accounts Policy will need to be reviewed and applied in order to remain in compliance with local and federal laws. Red Clay Renovations associates are encouraged to ask any questions regarding the above-mentioned policies. For questions contact Edwin Carrington, CIO & Director of IT Services, at 667-555-6260 (Office) or Eric Carpenter, CISO/Deputy CIO, at 667-555-6370 (Office).

Policy Solution

  • Access Control Policy
    • Red Clay Renovations policy currently in place
      • Red Clay Renovations uses a Radio Frequency Identification (RFID) system and "smart" device control for web-based interfaces.
    • Additional Red Clay Renovations policies
      • Human Resources
      • Financial Management
      • Information Technology
      • Employee Handbook
      • Manager Deskbook

Applicability

  • Red Clay Renovations will utilize the National Institute of Standards and Technology (NIST) Risk Management Framework to ensure that security controls comply with IT security policies. Red Clay Renovations has implemented COBIT or ITIL standards to manage IT systems and services. The current audit plan follows the ISO 27001/27002 framework but is not yet fully compliant with it. The steps of the Risk Management Framework are as follows.
    • System categorization
    • Control selection
    • Control implementation
    • Control assessment
    • Authorization
    • Continuous monitoring

Policy Compliance

  • Policies apply to the following:
    • Executive and Senior Leadership
    • Managers
    • Employees
    • Contractors and any entity working on behalf of Red Clay Renovations

  • Access Control policy compliance is based on NIST SP 800-53 (Revision 4):
    • AC-1 Access Control Policy and Procedures
      • The Access Control policy will define the scope, purpose, responsibilities, roles, and compliance requirements of the policy.
    • AC-2 Account Management
      • Classify the type of account
        • Individual
        • Group
      • Authorization of users and of privileged access
      • Access limited to authorized uses and purposes
      • Multi-factor authentication
    • AC-3 Access Enforcement
    • AC-4 Information Flow Enforcement

The implementation of Security Awareness and Training Policy and Procedures, Security Awareness Training, Role-Based Security Training, and Security Training Records will help Red Clay Renovations conduct the best possible IT audit of the company's systems. For questions contact Edwin Carrington, CIO & Director of IT Services, at 667-555-6260 (Office) or Eric Carpenter, CISO/Deputy CIO, at 667-555-6370 (Office).

Point of Contact

  • Information regarding this policy
    • Chief Information Officer 667-555-6260
    • Chief Information Security Officer 667-555-6370
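The AC-2 account management points listed above (classification of each account as individual or group, authorization of users and of privileged access, access tied to an authorized purpose, and multi-factor authentication) can be turned into a repeatable audit check rather than a one-time document review. The following Python script is an added example written for this plan; it is not code from the original document or from Red Clay Renovations. The inventory fields, the `Account` and `Finding` types, and the sample accounts are all constructed assumptions.

```python
"""Audit an account inventory against the AC-2 account management points in
the policy above: every account is classified as individual or group,
access is authorized and tied to a documented purpose, and multi-factor
authentication is enabled.

Added example for this plan; not part of the original document. The
inventory fields and the sample accounts are constructed assumptions."""

from dataclasses import dataclass
from typing import Iterable, List

# Account classifications the policy recognises (AC-2: classify type of account).
VALID_TYPES = {"individual", "group"}


@dataclass(frozen=True)
class Account:
    name: str
    account_type: str   # expected to be "individual" or "group"
    privileged: bool    # holds administrative or otherwise elevated rights
    mfa_enabled: bool   # multi-factor authentication enforced at logon
    authorized_by: str  # approver of record; empty string if none exists
    purpose: str        # documented authorized use; empty string if none
    owner: str = ""     # accountable owner, required for group accounts


@dataclass(frozen=True)
class Finding:
    account: str
    privileged: bool
    detail: str


def audit_account(acct: Account) -> List[Finding]:
    """Return the AC-2 findings for one account; an empty list means compliant."""
    problems = []
    if acct.account_type not in VALID_TYPES:
        problems.append(f"account type {acct.account_type!r} is not classified as individual or group")
    elif acct.account_type == "group" and not acct.owner:
        problems.append("group account has no named owner accountable for its use")
    if not acct.authorized_by:
        kind = "privileged access" if acct.privileged else "access"
        problems.append(f"no authorization of record for this {kind}")
    if not acct.purpose:
        problems.append("no documented authorized use or purpose")
    if not acct.mfa_enabled:
        problems.append("multi-factor authentication is not enabled")
    return [Finding(acct.name, acct.privileged, p) for p in problems]


def audit_inventory(accounts: Iterable[Account]) -> List[Finding]:
    """Audit every account; findings on privileged accounts are listed first."""
    findings = [f for acct in accounts for f in audit_account(acct)]
    return sorted(findings, key=lambda f: (not f.privileged, f.account))


def compliance_rate(accounts: Iterable[Account]) -> float:
    """Fraction of accounts with no AC-2 findings, from 0.0 to 1.0."""
    accounts = list(accounts)
    if not accounts:
        return 1.0
    compliant = sum(1 for acct in accounts if not audit_account(acct))
    return compliant / len(accounts)


# Constructed sample inventory; not real Red Clay Renovations data.
SAMPLE_INVENTORY = [
    Account("admin01", "individual", True, True, "CISO", "system administration"),
    Account("svc-smarthome", "group", True, False, "CIO", "smart-home gateway integration"),
    Account("estimator07", "individual", False, True, "", "on-site estimates"),
    Account("temp-shared", "shared", False, False, "HR", ""),
]

if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY):
        label = "PRIVILEGED " if finding.privileged else ""
        print(f"{label}{finding.account}: {finding.detail}")
    print(f"accounts with no findings: {compliance_rate(SAMPLE_INVENTORY):.0%}")
```

Run as a script, it prints each finding with privileged accounts first and then the share of accounts that passed every check. In a real audit the constructed `SAMPLE_INVENTORY` would be replaced by an export from the directory or identity provider, and the findings list becomes the evidence attached to the AC-2 line of the compliance audit.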
Data Breach Response Policy

The Data Breach Response Policy covers the procedures that must take place when an anomaly or a breach is detected within the system. Red Clay Renovations must ensure these measures are in place so that, by knowing what and where to monitor based on the location of information, it can prevent an attack where possible. The Red Clay Renovations data breach response team will take responsibility for handling any incident. This centralizes the response and ensures the incident is handled effectively.

Preventing/Controlling Shadow IT Policy

Red Clay Renovations associates, including executives, senior leadership, managers, contractors, and any entity working on behalf of Red Clay Renovations, will need to be versed in preventing and controlling shadow IT, which is pivotal to operations. Education and training are the key to success, along with taking all precautions and necessary steps to ensure full implementation of this policy.

The success of this policy relies on the teamwork of all Red Clay Renovations associates, on all departments remaining proactive, and on continuous auditing of associates, systems, and policies in order to create simplicity.

Management and Use of Corporate Social Media Accounts Policy

Social media has become an integral part of everyday life for individuals and businesses, and Red Clay Renovations is not immune to its effects. Social media links customers to Red Clay Renovations. Associates of Red Clay Renovations will need to understand the proper etiquette for operating on social media sites. Improper use of social media sites on behalf of Red Clay Renovations can result in disciplinary action.

Audit Plan Awareness & Compliance (Employee Survey)

To ensure consistency throughout the organization, Red Clay Renovations should provide, or coordinate a means to provide, proper awareness and continued training to all associates. This consistency in awareness and training will minimize confusion, and all associates will grasp the effect they can have on the organization, whether positive or negative. Because Red Clay Renovations relies on customers for its business, consistent awareness and training will ensure customer satisfaction, a solid reputation, due diligence and accountability. Awareness and training must be continuous and progressive.

Organizations, including Red Clay Renovations, are governed by local and federal laws and regulations. To conduct business properly, Red Clay Renovations will at all times act with integrity; if anyone associated with Red Clay Renovations fails to maintain integrity, the company may face fines. Therefore, all Red Clay Renovations associates will adhere to all policies and procedures to maintain information security. This is a combined effort of Red Clay Renovations and all associates: the company will ensure proper training, and associates will adhere to the standards.

Customers do not want to worry about the security of their PII when conducting business with Red Clay Renovations; most will assume their information is secured. If Red Clay Renovations falls victim to leaked information, customers will think twice before doing business with the company. This again reinforces the importance of information security; Red Clay Renovations understands this and will ensure that all associates have the tools to enhance awareness and continue training.

Red Clay Renovations continues to grow because of its outstanding reputation, and any leaked information can and will have a lasting effect on the company. As mentioned earlier, social media is an instrumental part of individuals' lives as well as of a company's success. Bad publicity generated from leaked information will find its way to social media, which reinforces customers' lack of confidence in Red Clay Renovations.

The Red Clay Renovations management team will need to exercise due diligence through proper protection of all information and assets and compliance with all legal and contractual obligations. Failure to maintain due diligence can also have a negative impact on Red Clay Renovations that may require legal services.

An organization that demonstrates accountability also accepts responsibility for its actions. Since Red Clay Renovations prides itself on accountability, it accepts the responsibility to ensure that all associates are properly versed in all aspects of this policy, to protect Red Clay Renovations, its associates and its customers.

Audit Plan Awareness & Compliance (Approach)

Data Collection

  • Type of data collected
    • Status of security
    • Roles and responsibilities
    • Knowledge base of associates
    • Compliance with requirements for IT systems
      • Plan of Action(s) and/or Milestones
      • Security Assessment Report
  • Gathering of information
    • Interviews (in person or telephonic)
    • Questionnaires (online or paper)
    • Assessment

Validation of Documents

The National Institute of Standards and Technology (NIST) has identified security documents that support an audit of IT systems; the following will be validated:

  • System Security Plan
  • Plan of Action and/or Milestones
  • Security Assessment Report

Survey Questions

  • What is your position in the organization?
  • Have you received adequate training?
  • Have you shared your password?
  • Do you have access to the policies?
  • Do you know the different types of cyber attacks and how to identify them?
  • Do you know whether the system has the current software?
  • Do you know whom to contact in the event of an attack?
Security Policies Audit (Documentation Review)

Policies and plans are put in place to ensure that Red Clay Renovations exceeds the standards set forth by the company. These standards will ensure that all information is safe while in storage, while being processed, and during transmission. Red Clay Renovations relies heavily on technology to conduct operations; therefore, conducting an audit of all information technology related items is not only smart but should be considered necessary.

Red Clay Renovations, much like any other business, needs to ensure that its information is always protected. The cost of protecting information will generate revenue, while the cost of compromised information will be a deficit with lasting effects for years to come. Security of information is not a one-time expense and will need to be maintained. Most updates come from the manufacturer, are free, and are considered part of maintenance.

Mobility has become a part of every organization, and once again Red Clay Renovations is no different. Red Clay Renovations associates continuously use mobile devices to conduct operations at remote locations. Associates are permitted to use personal devices under the Bring Your Own Device (BYOD) policy. Since associates use personal devices, there are many platforms and operating systems in use; therefore, an audit is essential to ensure the BYOD policy is being followed correctly.

With all personnel mobile, management can be stretched to manage every item effectively, which may leave the network vulnerable. This is just the opportunity that hackers look for to exploit a network. Hackers come in many forms, from the curious and inexperienced to the very sophisticated using high-end equipment. Their motivations likewise range from, as mentioned previously, curiosity to financial gain. These attacks can be aimed at a network located within the office or take advantage of those who are mobile.

As mentioned previously, software updates are generated by the manufacturer and pushed to the endpoint to keep the software current with the latest patches. Red Clay Renovations associates will need to apply a software update the moment it becomes available. This also applies to hardware: there comes a time when hardware must be replaced because it has reached the end of its operational lifecycle.

Finally, social media has been mentioned several times; hackers prey on individuals and businesses that use social media. Social media can usually reveal enough information to make an attack more damaging. Therefore, an audit of social media sites will need to be conducted to ensure that posted information is a legitimate post from an authorized person.

                  AC-1 Access Control Policy and Procedures

                  This control watches out for the establishment of course of action and systems for the convincing use of picked security controls and control redesigns in the AC family. Course of action and frameworks reflect appropriate government laws, Executive Orders, orders, controls, courses of action, gages, and bearing. Security program plans and procedures at the affiliation level may make the necessity for structure specific systems and procedures trivial. The methodology can be fused as a part of the general information security approach for affiliations or then again, can be addressed by various methodologies reflecting the brain boggling nature of affiliations. The frameworks can be set up for the security program all things considered and for information structures, if essential. The progressive peril organization policy is a key factor in setting up approach and procedures.

                  AT-1 Security Awareness and Training Policy and Procedures

                  This control tends to the foundation of approach and systems for the compelling usage of chose security controls and control improvements in the AT family. Policy and policies reflect material government laws, Executive Orders, orders, directions, arrangements, norms, and direction. Security program approaches and techniques at the association level may make the requirement for framework arrangements and methods superfluous. The arrangement can be incorporated as a component of the general data security approach for associations or on the other hand, can be spoken to by different policies mirroring the unpredictable idea of specific associations. The techniques can be set up for the security program when all is said in done and for specific data frameworks, if necessary. The authoritative hazard administration methodology is a key factor in setting up arrangement and policies

                  AU-1 Audit and Accountability Policy and Procedures

                  This control tends to the foundation of approach and policies for the viable usage of chose security controls and control improvements in the AU family. Approach and policies reflect relevant government laws, Executive Orders, orders, controls, approaches, measures, and direction. Security program approaches and policies at the association level may make the requirement for framework approaches and policies superfluous. The arrangement can be incorporated as a feature of the general data security arrangement for associations or then again, can be spoken to by numerous approaches mirroring the intricate idea of specific associations. The policies can be built up for the security program all in all and for specific data frameworks, if necessary. The authoritative hazard administration methodology is a key factor in building up approach and methods.

                  CA-1 Security Assessment and Authorization Policy and Procedures

                  This control tends to the foundation of policy and methodology for the viable execution of chose security controls and control upgrades in the CA family. Approach and methods reflect pertinent government laws, Executive Orders, orders, controls, approaches, principles, and direction. Security program arrangements and methodology at the association level may make the requirement for framework approaches and methods pointless. The policy can be incorporated as a feature of the general data security approach for associations or on the other hand, can be spoken to by various approaches mirroring the mind-boggling nature of specific associations. The policies can be set up for the security program by and large and for specific data frameworks, if necessary. The hierarchical hazard administration methodology is a key factor in building up policy and methodology.

                  CM-1 Configuration Management Policy and Procedures

                  This control tends to the foundation of arrangement and policies and procedures for the compelling usage of chose security controls and control upgrades in the CM family. Arrangement and systems reflect material government laws, Executive Orders, orders, controls, arrangements, gauges, and direction. Security program policies and methodology at the association level may make the requirement for framework arrangements and systems pointless. The policy can be incorporated as a major aspect of the general data security arrangement for associations or alternately, can be spoken to by different approaches mirroring the unpredictable idea of specific associations. The methodology can be built up for the security program as a rule and for specific data frameworks, if necessary. The authoritative hazard administration technique is a key factor in building up approach and policies.

                  CP-1 Contingency Planning Policy and Procedures

                  This control tends to the foundation of arrangement and policies for the viable execution of chose security controls and control upgrades in the CP family. Approach and techniques reflect pertinent government laws, Executive Orders, mandates, controls, approaches, benchmarks, and direction. Security program policies and techniques at the association level may make the requirement for framework approaches and techniques pointless. The arrangement can be incorporated as a feature of the general data security arrangement for associations or on the other hand, can be spoken to by various arrangements mirroring the mind-boggling nature of specific associations. The policies can be built up for the security program by and large and for specific data frameworks, if necessary. The authoritative hazard administration methodology is a key factor in setting up arrangement and methods.

                  IA-1 Identification and Authentication Policy and Procedures

                  This control tends to the foundation of approach and methodology for the compelling execution of chose security controls and control upgrades in the IA family. Arrangement and methodology reflect material government laws, Executive Orders, orders, directions, approaches, guidelines, and direction. Security program approaches and techniques at the association level may make the requirement for framework arrangements and policies pointless. The approach can be incorporated as a major aspect of the general data security arrangement for associations or alternately, can be spoken to by various policies mirroring the mind-boggling nature of specific associations. The policies can be built up for the security program when all is said in done and for specific data frameworks, if necessary. The authoritative hazard administration system is a key factor in building up arrangement and techniques.

                  IR-1 Incident Response Policy and Procedures

                  This control tends to the foundation of arrangement and methods for the powerful execution of chose security controls and control improvements in the IR family. Policy and Procedures reflect appropriate government laws, Executive Orders, orders, controls, strategies, principles, and direction. Security program approaches and strategies at the association level may make the requirement for framework approaches and methodology superfluous. The approach can be incorporated as a component of the general data security policy for associations or on the other hand, can be spoken to by various strategies mirroring the mind-boggling nature of specific associations. The methods can be built up for the security program by and large and for specific data frameworks, if necessary. The authoritative hazard administration technique is a key factor in building up arrangement and methods.

                  MA-1 System Maintenance Policy and Procedures

                  This control tends to the foundation of policy and procedure for the successful usage of chose security controls and control improvements in the MA family. Approach and methodology reflect appropriate government laws, Executive Orders, orders, directions, approaches, models, and direction. Security program arrangements and strategies at the association level may make the requirement for framework approaches and methodology superfluous. The arrangement can be incorporated as a feature of the general data security approach for associations or alternately, can be spoken to by various approaches mirroring the perplexing idea of specific associations. The methods can be built up for the security program by and large and for specific data frameworks, if necessary. The hierarchical hazard administration technique is a key factor in building up approach and techniques.

                  MP-1 Media Protection Policy and Procedures

                  This control tends to the foundation of strategy and techniques for the successful execution of chose security controls and control upgrades in the MP family. Arrangement and methods reflect pertinent government laws, Executive Orders, mandates, controls, arrangements, guidelines, and direction. Security program arrangements and techniques at the association level may make the requirement for framework arrangements and methods pointless. The arrangement can be incorporated as a major aspect of the general data security approach for associations or on the other hand, can be spoken to by numerous approaches mirroring the mind-boggling nature of specific associations. The systems can be set up for the security program by and large and for specific data frameworks, if necessary. The hierarchical hazard administration methodology is a key factor in setting up policy and procedure.

                  PE-1 Physical and Environmental Protection Policy and Procedures

                  This control tends to the foundation of policy and methods for the compelling usage of chose security controls and control upgrades in the PE family. Arrangement and strategies reflect pertinent government laws, Executive Orders, orders, directions, arrangements, measures, and direction. Security program policies and procedures at the association level may make the requirement for framework arrangements and methodology superfluous. The approach can be incorporated as a major aspect of the general data security policy for associations or then again, can be spoken to by numerous policies mirroring the unpredictable idea of specific associations. The procedures can be set up for the security program all in all and for specific data frameworks, if necessary. The organizational risk management procedure is a key factor in setting up policy and procedures.

                  PL-1 Security Planning Policy and Procedures

                  This control tends to the foundation of approach and methodology for the compelling execution of chose security controls and control improvements in the PL family. Strategy and methods reflect pertinent government laws, Executive Orders, mandates, controls, arrangements, norms, and direction. Security program approaches and methods at the association level may make the requirement for framework particular arrangements and systems pointless. The approach can be incorporated as a feature of the general data security strategy for associations or alternately, can be spoken to by different strategies mirroring the unpredictable idea of specific associations. The strategies can be built up for the security program when all is said in done and for specific data frameworks, if necessary. The hierarchical hazard administration technique is a key factor in building up approach and strategies.

                  PS-1 Personnel Security Policy and Procedures

                  This control tends to the foundation of approach and techniques for the compelling execution of chose security controls and control improvements in the PS family. Arrangement and methods reflect relevant government laws, Executive Orders, mandates, directions, arrangements, guidelines, and direction. Security program approaches and techniques at the association level may make the requirement for framework arrangements and methods superfluous. The approach can be incorporated as a major aspect of the general data security approach for associations or then again, can be spoken to by numerous approaches mirroring the unpredictable idea of specific associations. The methodology can be set up for the security program all in all and for specific data frameworks, if necessary. The hierarchical hazard administration technique is a key factor in setting up policy and procedure.

                  RA-1 Risk Assessment Policy and Procedures

                  This control tends to the foundation of arrangement and methods for the successful usage of chose security controls and control upgrades in the RA family. Arrangement and strategies reflect pertinent government laws, Executive Orders, mandates, controls, approaches, models, and direction. Security program approaches and methods at the association level may make the requirement for framework strategies and methodology pointless. The arrangement can be incorporated as a major aspect of the general data security strategy for associations or then again, can be spoken to by different approaches mirroring the perplexing idea of specific associations. The methods can be set up for the security program when all is said in done and for specific data frameworks, if necessary. The authoritative hazard administration methodology is a key factor in setting up approach and techniques.

                  SA-1 System and Services Acquisition Policy and Procedures

                  This control tends to the foundation of arrangement and methods for the compelling usage of chose security controls and control improvements in the SA family. Strategy and strategies reflect appropriate government laws, Executive Orders, orders, directions, arrangements, principles, and direction. Security program strategies and methods at the association level may make the requirement for framework particular arrangements and systems pointless. The approach can be incorporated as a major aspect of the general data security strategy for associations or on the other hand, can be spoken to by different strategies mirroring the intricate idea of specific associations. The methodology can be set up for the security program all in all and for specific data frameworks, if necessary. The hierarchical hazard administration system is a key factor in setting up arrangement and methods.

                  SA-18 Tamper Resistance and Detection

                  Anti-tamper technologies and techniques provide a level of protection for critical information systems, system components, and information technology products against a number of related threats, including modification, reverse engineering, and substitution. Strong identification combined with tamper resistance and/or tamper detection is essential to protecting information systems, components, and products during distribution and when in use. Related controls: PE-3, SA-12, SI-7.

                  SC-1 System and Communications Protection Policy and Procedures

                  This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or, conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.

                  SI-1 System and Information Integrity Policy and Procedures

                  This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SI family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or, conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.

                  PL-2 System Security Plan

                  Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements, either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, Federal Identity, Credential, and Access Management, or space operations). Appendix I provides guidance on developing overlays.

                  Security plans need not be single documents; the plans can be a collection of various documents, including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, the system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide, explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. Related controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17.

                  PL-4 Rules of Behavior

                  This control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users (for example, individuals who simply receive data/information from federal information systems) is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior. Related controls: AC-2, AC-6, AC-8, AC-9, AC-17, AC-18, AC-19, AC-20, AT-2, AT-3, CM-11, IA-2, IA-4, IA-5, MP-7, PS-6, PS-8, SA-5.

                  PM-1 Information Security Program Plan

                  Information security program plans can be represented in single documents or compilations of documents at the discretion of organizations. The plans document the program management controls and organization-defined common controls. Information security program plans provide sufficient information about the program management controls/common controls (including specification of parameters for any assignment and selection statements, either explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended. The security plans for individual information systems and the organization-wide information security program plan together provide complete coverage for all security controls employed within the organization. Common controls are documented in an appendix to the organization's information security program plan unless the controls are included in a separate security plan for an information system (e.g., security controls employed as part of an intrusion detection system providing organization-wide boundary protection inherited by one or more organizational information systems). The organization-wide information security program plan will indicate which separate security plans contain descriptions of common controls. Organizations have the flexibility to describe common controls in a single document or in multiple documents. In the case of multiple documents, the documents describing common controls are included as attachments to the information security program plan. If the information security program plan contains multiple documents, the organization specifies in each document the organizational official or officials responsible for the development, implementation, assessment, authorization, and monitoring of the respective common controls. For example, the organization may require that the Facilities Management Office develop, implement, assess, authorize, and continuously monitor common physical and environmental protection controls from the PE family when such controls are not associated with a particular information system but instead support multiple information systems. Related control: PM-8.

                  PM-2 Senior Information Security Officer

                  The security officer described in this control is an organizational official. For a federal agency (as defined in applicable federal laws, Executive Orders, directives, policies, or regulations) this official is the Senior Agency Information Security Officer. Organizations may also refer to this official as the Senior Information Security Officer or Chief Information Security Officer.

                  PM-10 Security Authorization Process

                  Security authorization processes for information systems and environments of operation require the implementation of an organization-wide risk management process, a Risk Management Framework, and associated security standards and guidelines. Specific roles within the risk management process include an organizational risk executive (function) and designated authorizing officials for each organizational information system and common control provider. Security authorization processes are integrated with organizational continuous monitoring processes to facilitate ongoing understanding and acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation. Related control: CA-6.

                  PM-15 Contacts with Security Groups and Associations

                  Ongoing contact with security groups and associations is of paramount importance in an environment of rapidly changing technologies and threats. Security groups and associations include, for example, special interest groups, forums, professional associations, news groups, and/or peer groups of security professionals in similar organizations. Organizations select groups and associations based on organizational missions/business functions. Organizations share threat, vulnerability, and incident information consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Related control: SI-5.

                  Security Policies Audit (Objective)

                  Objectives

                  • Security Management Control Framework – these controls comply with current security standards:
                    • ISO 27001/27002
                    • NIST SP 800-12 – An Introduction to Computer Security: The NIST Handbook
                    • NIST SP 800-18 – Guide for Developing Security Plans for Federal Information Systems
                    • NIST SP 800-100 – Information Security Handbook: A Guide for Managers
                    • NISTIR 7621 – Small Business Information Security: The Fundamentals
                  • Administrative Security – proper documentation of security policies:
                    • Risk Assessment
                    • Risk Management
                    • Workforce Security Training
                    • Incident Response Procedures
                  • Physical Security:
                    • Cameras (surveillance)
                    • Fencing
                    • Lights
                    • Locks
                    • Smoke Detectors
                    • Access Control measures
                  • IT Security – adhering to security control policies and procedures
