PART 1) Auditing
In a previous assignment you created cyber security policies for your home (or other) enterprise. Now you will perform an audit to determine whether you are in compliance with the policies that you created in that assignment. Because this is an internal audit it will be less formal than the audits described in the lecture. You are free to modify the formatting if you have another style that works better for you.

Write an audit report. Keep it simple. For each policy you should list which controls have been (or should be) put into place. Test each control. Describe the test that you perform and the results of the test. For each control list any recommendations for improvement. At the end of the audit include a short summary with one paragraph describing what is working well, a second paragraph describing what is not working well, and a third paragraph describing what needs to be done to improve compliance with the policies.

Your grade for the assignment depends on how well you report on your audit, not on the results of the audit report. Below is an example for one policy.

Columns: Policy | Control | Test and Result | Recommendation

Policy: Each account on a computing device will be protected with a nontrivial and non-default password.
Control: Password protection of accounts.
Test: Each account on a computer, router, tablet, or phone that accesses the network was checked to verify that it is password protected, that the password is not a default password, and that the password is not trivial (e.g. "password").
Result: The router was found to have a default password. All other accounts passed.
Recommendation: A new procedure should be created to require this test to be performed on any equipment as it is added to the network.
PART 2) Budgeting
Determine a yearly budget for your home (or other) enterprise's cybersecurity needs. It is recommended that you use a spreadsheet for this.
1. Start with a list of controls that you audited in Homework #5. Add to the list any controls that you think you should implement within the next year.
2. For each control list at least one threat that the control addresses. Add any threats to the list that you can think of that are not already addressed by controls. (Be very general with any added threats. For example, “equipment destruction” is a nice broad category that includes “loss by fire”, “loss by flood”, “theft”, “meteor strike”, etc.)
3. Determine a possible loss event for each of the threats
4. Determine an appropriate control to mitigate each newly added threat (the control may already be implemented or it may not be implemented yet)
5. Determine the annualized cost for each control
6. Calculate the ARO, SLE, and ALE of each possible loss event if no control is in place
7. Calculate the ARO and new ALE if the control is implemented
8. For each loss event, explain and justify the ARO that you selected. Include references to data sources, etc.
9. Calculate the expected loss (in dollars) if there are no controls.
10. Calculate the cost of the proposed controls for one year.
11. Add in any other budget items that you think are needed.
12. Calculate the expected savings. (expected savings = (ALE without controls – ALE with controls) – cost of controls; that is, the loss avoided by the controls minus what the controls cost)
13. List each control and its yearly cost ranked in order of priority. You assign the priority.
14. Add a column that shows the benefit / cost ratio for each control.
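The arithmetic of steps 5 through 14 carried through end to end, as an added example that is not part of the assignment text: ALE is computed as SLE × ARO with and without each control, the annualized benefit is the ALE avoided, the benefit/cost ratio ranks the controls, and the totals give the expected loss, cost of controls and expected savings. The three controls and all dollar and ARO figures in `SAMPLE` are constructed for illustration and are not taken from any data source; a real submission must justify each ARO (step 8). The zero-cost control shows the one edge case a spreadsheet silently mishandles: a division by zero in the ratio column.

```python
# Added worked example (not part of the assignment text): the ARO/SLE/ALE
# budget arithmetic from steps 5-14 carried through for a few hypothetical
# controls. All figures below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlEstimate:
    """One row of the 'Analysis of Controls' table."""
    control: str        # control being budgeted
    loss_event: str     # loss event the control mitigates
    sle: float          # single loss expectancy (dollars per occurrence)
    aro_without: float  # annualized rate of occurrence with no control
    aro_with: float     # ARO once the control is in place
    annual_cost: float  # annualized cost of the control (dollars)


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy = SLE x ARO (steps 6 and 7)."""
    return sle * aro


def annualized_benefit(e: ControlEstimate) -> float:
    """Loss avoided per year: ALE without the control minus ALE with it."""
    return ale(e.sle, e.aro_without) - ale(e.sle, e.aro_with)


def benefit_cost_ratio(e: ControlEstimate) -> float:
    """Step 14. A zero-cost control has no finite ratio: a free control that
    avoids any loss is treated as infinitely good, and a free control that
    avoids nothing as 0, so it does not outrank a cheap control that does
    save money."""
    benefit = annualized_benefit(e)
    if e.annual_cost == 0:
        return float("inf") if benefit > 0 else 0.0
    return benefit / e.annual_cost


def ranked_by_ratio(estimates):
    """Step 13: priority order, highest benefit/cost ratio first."""
    return sorted(estimates, key=benefit_cost_ratio, reverse=True)


def budget_summary(estimates):
    """Steps 9, 10 and 12 as totals over all controls."""
    loss_without = sum(ale(e.sle, e.aro_without) for e in estimates)
    loss_with = sum(ale(e.sle, e.aro_with) for e in estimates)
    cost = sum(e.annual_cost for e in estimates)
    return {
        "expected_loss_without_controls": loss_without,
        "expected_loss_with_controls": loss_with,
        "cost_of_controls": cost,
        # savings = loss avoided by the controls - money spent on them
        "expected_savings": loss_without - loss_with - cost,
    }


# Constructed sample data (hypothetical figures, not from any survey).
SAMPLE = [
    ControlEstimate("Verify backups restore quarterly", "Data loss from disk failure",
                    sle=2000, aro_without=0.10, aro_with=0.01, annual_cost=120),
    ControlEstimate("Change router default password", "Router compromise from the WAN",
                    sle=1500, aro_without=0.20, aro_with=0.02, annual_cost=0),
    ControlEstimate("UPS on the desktop", "Hardware damage from power loss",
                    sle=800, aro_without=0.05, aro_with=0.04, annual_cost=60),
]


def priority_table(estimates):
    """Rows in the shape of the assignment's final table (steps 13-14):
    (priority, control, annualized benefit, annualized cost, ratio)."""
    rows = []
    for priority, e in enumerate(ranked_by_ratio(estimates), start=1):
        rows.append((priority, e.control, round(annualized_benefit(e), 2),
                     e.annual_cost, round(benefit_cost_ratio(e), 2)))
    return rows


if __name__ == "__main__":
    for row in priority_table(SAMPLE):
        print(*row, sep="\t")
    for name, value in budget_summary(SAMPLE).items():
        print(f"{name}: ${value:,.2f}")
```

With these constructed figures the expected loss without controls is $540, the ALE with controls is $82, the controls cost $180, and the expected savings are $278; the free router fix ranks first, the backup test second, and the UPS last with a ratio of 0.13, the same kind of result the example table above shows for surge protectors and the UPS.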


Example formatting (steps 1-8)
Analysis of Controls

Loss Event (no control)       | Control(s)                    | Loss Event (with control)
Description | ARO | SLE | ALE | Description | Annualized Cost | ARO | SLE | ALE

Explanation of ARO estimates
Loss Event 1 – Reasoning…
Loss Event 2 – Reasoning…

Example formatting (steps 9—14)
Total expected loss without any controls: $XX
Total cost of controls: $XX
Total expected savings: $XX

Priority | Description of Control | Annualized Benefit (ALE without control minus ALE with control) | Annualized Cost | Benefit/Cost ratio
1 | Anti-virus software monitoring 24/7 | 121,680 | 260 | 468.00
2 | Removing unwanted 3rd party software | 47,936 | 364 | 131.69
3 | Updating/patching software | 2,490 | 260 | 9.58
4 | Use UPS for higher end equipment | 96 | 164 | 0.59
5 | Use surge protectors | 0 | 115 | 0.00
6 | Enforce Password Requirements | 11,180 | 520 | 21.50
7 | Backups working properly | 18,980 | 520 | 36.50
8 | Verify recognizable MAC addresses for LAN | 3,948 | 52 | 75.92
9 | Firewall login attempts, log | 6,444 | 156 | 41.31
10 | Streaming services working properly | (10) | 80 | -0.13
11 | Admin connects devices to network | 96 | 64 | 1.50
12 | Admin allows file sharing between devices | 750 | 250 | 3.00

(All amounts are dollars per year. Parentheses denote a negative value, so the streaming-services control costs more than it saves, which is why its ratio is negative.)