Discussion: Security Assessment and Testing
Your task: Develop an “intake” briefing for middle managers who will be assisting in the planning and execution of an internal audit of employee use of company-owned laptops as part of the company’s “Work From Home” arrangements. The purpose of an “intake” briefing is to get everyone “on the same page” with respect to what will be done, who will do it, and what the roles and responsibilities of the managers will be during the audit (e.g. assisting with employee contacts and “smoothing ruffled feathers” amongst their workers).
Background: The purpose of the audit is to determine how the laptops are being used by employees working from home (which corporate and non-corporate systems, services, networks, and websites are being accessed) and to uncover, where possible, any misuse (e.g. usage that falls outside the company’s acceptable use policy). The audit should also look for evidence of laptops that are improperly configured or have vulnerable software installed.
Background: The company will follow the Information System Security Audit Process as defined by Harris & Maymi in the CISSP All-in-One Exam Guide, 8th edition. The steps are:
- Determine Goals
- Involve the right business unit leaders
- Determine the scope
- Choose the audit team
- Plan the audit
- Conduct the audit
- Document the results
- Communicate the results
Format: This week, your deliverable should be formatted as a briefing paper (a combination of paragraphs and bullet points). It should have an introduction, an “analysis” section (explaining the ground rules and processes for how the audit will be conducted), and an appropriate summary section (including an appeal for cooperation and assistance). Include in-text citations and a reference list at the end to support your work and allow your readers to fact-check your analysis and conclusions.