HW03_PoliciesAndAuditing.doc

School: Utah Valley University
Course: 4700
Subject: Information Systems
Date: Dec 6, 2023
Type: doc
Pages: 4

Uploaded by BaronFlamingoPerson398

IT 4700 – Enterprise Cybersecurity Management
Utah Valley University
Fall 2023 semester

Homework #3: Policies and Auditing

Student Name

Post the completed assignment in Canvas by the due date. The following formats are acceptable: PDF, HTML, MS Word. Handwritten work is not acceptable. Other file formats are not acceptable.

Start with the cybersecurity goals known as “the CIA triad”: Confidentiality, Integrity, and Availability. Add any other goals that you think should be considered in your enterprise.

PART A) For each of your cybersecurity goals, list at least two policy statements that will help you meet the goal. Remember that a policy describes what should happen and not how it should happen. In grading this part, I will be looking specifically at whether you are writing policy or procedure.

| Cybersecurity Goal | Policy Statements |
|---|---|
| Confidentiality | Passwords will be kept secret |
| | Each Device will have a unique password |
| Integrity | No attempting to access information not accessible |
| | No modifying of information not allowed |
| Availability | All passwords will be accessible to the proper people when/if needed |
| | All services will be accessible to the proper people |
PART B) In PART A you created cyber security policies for your home (or other) enterprise. Now you will perform an audit to determine if you are in compliance with the policies that you created in the previous assignment. Because this is an internal audit it will be less formal than audits that were described in the lecture. You are free to modify the formatting if you have another style that is better for you.

Audit Report

Write an audit report. Keep it simple. For each policy statement from PART A (there were at least six) you should list which controls have been (or should be) put into place. Test each control. Describe the test that you performed and the results of the test. For each control list any recommendations for improvement.

At the end of the audit include a short summary with:

1. One paragraph describing what is working well.
2. A second paragraph describing what is not working well.
3. A third paragraph describing what needs to be done to improve compliance with the policies.

Your grade for the assignment depends on how good your audit report is (complete, easy to read, useful), not on “passing” results of the audit report.

Below is an example audit for one policy statement. Remember to include the three summary paragraphs described above.

EXAMPLE audit for one policy/control

| Policy Statement (from PART A) | Control | Test Description | Test Result | Recommendation |
|---|---|---|---|---|
| Each account on a computing device will be protected with a nontrivial and non-default password. | Password protection of accounts. | Each account on a computer, router, tablet, or phone that accesses the network was checked to verify that it is password protected, that the password is not a default password, and that the password is not trivial (i.e. “password”). | The router was found to have a default password. All other accounts passed. | A new procedure should be created to require this test to be performed on any equipment as it is added to the network. |