critique discussion post below

Larry,

Employee Awareness Of IT Security Policies

The purpose of auditing employee awareness of IT security policies is to protect information systems. These systems and the data they hold are important to the long-term success of Red Clay Renovations. There are three goals for this type of audit (Winnipeg, 2008):

• Assess the awareness of management and staff

• Assess the understanding of management and staff

• Identify the key improvement opportunities

While no specific assessor is prescribed for an organization, the assessor must meet some selection criteria. The auditor should have significant security and networking knowledge as well as knowledge of firewalls, IDS and other security topics (NIST, 2008, p. xx). The person who fits this description would be the CISO, Eric Carpenter, who is responsible for developing security plans and procedures.

The most important and susceptible forms of a cyber attack will be covered by the audit. These topics include, but are not limited to, a clean desk policy, BYOD policies, data management, social networking dangers, email security, and malware. The understanding of the policies and training for these topics is important to the integrity of IT in Red Clay Renovations. For example, BYOD covers the devices employees can bring into the workplace, and these devices may carry malicious software whether the owner knows it or not. Understanding the standards that the policy implements will help keep an employee aware. Resource availability is a limiting factor in the frequency of security assessments, so audits are conducted based on the suspected presence of a weakness (NIST, 2008, p. xx). At the least, they should be conducted annually. The audits would be conducted at each specific location. These include Baltimore, Philadelphia, Owings Mills, and Wilmington. It is important to conduct the audits separately for each location, as each environment may have a different level of awareness.

The audit will be conducted in a manner that has the least amount of impact on current business functions. The auditor would first ensure they understand the current policies and the risk that is accepted (Finnelly, 2003). The audit will be conducted from an overt-external view with testing and examination assessments, as this offers the ability to view the security posture from an attacker's or the Internet's view. Reconnaissance techniques are selected to determine if employees are aware of current policies. Once the techniques are selected, the testing begins. An example of this could be simply utilizing public engineering to gain access to a facility despite having explicit policies against unauthorized access. This shows that a staff member may not clearly be aware of a policy. The review technique can also be utilized with log reviews. Log reviews determine if security controls are logging proper information and if the organization is following policies (NIST, 2008, p. xx). An example of this could be viewing logs recorded by a mantrap to see if the mantrap is correctly recording credentials or misinterpreting the policies.

Summary

Overall, IT security audits are the examination and evaluation of an organization's information technology policies and operations. These will expose any issues Red Clay Renovations is having with employee awareness of current company policies. There are a handful of methods for reviewing and conducting assessments, but the most fitting for this audit are testing and assessment processes. The reason for this is that they relay the most honest results, unlike a survey. The topics being assessed are some of the most basic policies that apply to all employees. A clear understanding and awareness of these policies allows for a better baseline for future cybersecurity baselines. There must be separate audits for each location, as assuming the conditions are the same for each location will produce inaccurate auditing results. IT security audits should be planned with the goal of identifying policy and staff shortfalls as well as improving the security infrastructure.

References

Finnelly, C. (2003, March). IT security auditing: Best practices for conducting audits. Retrieved from https://searchsecurity.techtarget.com/IT-security-…

NIST. (2008). NIST Special Publication 800-115. Retrieved from NIST website: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistsp…

Winnipeg. (2008, June). Assessment of Information Security Awareness. Retrieved from https://www.winnipeg.ca/audit/pdfs/reports/ITSecur…