Provide (4) 150 words substantive response with a minimum of 1 APA references for RESPONSES 1, 2, 3 and 4 below. Ensure you list and break down each response in a word document. Response provided should further discuss the subject or provide more insight. To further understand the response, below is the discussion post that’s discusses the responses. 100% original work and not plagiarized. Must meet deadline.
RESPONSE 1:
ISSC 471
1. What is IT Security Auditing? What does it involve?
An IT security audit is a comprehensive examination and assessment of an information security system. By conducting regular audits, organizations can identify weak spots and vulnerabilities in their IT infrastructure, verify security controls, ensure regulatory compliance, and more. It involves running scans on IT resources like file-sharing services, database servers and SaaS applications to assess network security, data access levels, user access rights and other system configurations. It includes physically inspecting data centers for resilience to fires, floods, and power surges as part of a disaster recovery evaluation. Finally, it involves interviewing employees outside the IT team to assess their knowledge of security concerns and adherence to company security policy.
2. Why are Governance and Compliance Important?
To ensure that businesses protect their information, have consistent cohesion departmentally, and follow all governmental regulations, a governance, risk, and compliance program is important. This helps to minimize the threats and risks that companies are exposed to on a daily basis.
3. Explain in detail the roles and responsibilities in an organization associated with the following:
According to our lesson, the risk manager, auditor, and executive manager have the following responsibilities:
- Risk Manager – responsible for identifying organizational risk.
- Auditor – responsible for conducting information assurance audit and applying frameworks to the seven domains to align with compliance.
- Executive Manager – responsible for aligning external or internal compliance with governance requirements.
4. Define the Certification and Accreditation (C&A) Process and briefly discuss the phases of C&A.
It is my understanding that the C&A process is outdated, and we now use assessment and authorization (A&A) to follow terminology in the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF). In my job, we follow NIST guidelines, and all of our accreditation processes follow the RMF process. The C& process was initiation and planning, certification, accreditation, and then continuous monitoring. Though I never worked with the C&A process, I have been working with RMF for about 2 years now, and it is very involved.
References:
Tierney, M. (2020, Aug 5) IT Security Audits: The Key to Success. Retrieved from: https://blog.netwrix.com/2020/04/09/it-security-audit/
Hall, K.T. (n.d.) Why a Governance, Risk, and Compliance Program is Important for Your Business. Retrieved from: https://www.scripted.com/writing-samples/why-a-governance-risk-and-compliance-program-is-important-for-your-business
Sengupta, S. (2018, Apr 13) Cyber Security – Certification and Accreditation. Retrieved from: https://www.nxtkey.com/cyber-security-certification-and-accreditation
-JAMIE
RESPONSE 2:
1. What is IT Security Auditing? What does it involve?
According to the reading this week an IT Security Audit is an internal assessment of an organizations policies, controls, and activities. An audit ensures that an organization is in compliance with legal regulations and that their security controls are adequate. Audits can involve any number of aspects within a business’ activities including finances, compliance, operations, investigations and information technology. An IT Security Audit also involves three goals, providing an objective and review of policies, providing reasonable assurance controls are in place, and recommendations for improvement.
2. Why are Governance and Compliance Important?
As businesses become ever more reliant on technology governance and compliance become a more integral part of business function. Governance of IT systems ensures proper use as well as compliance and risk management, all vital to the success in a business environment. Compliance is important and beneficial to all aspects of a business, it ensures the reliability as well as public trust of a business which is vital to the business’ success.
3. Explain in details the roles and responsibilities in an organization associated with the following:
Risk Manager- A risk manager is familiar with the risks and vulnerabilities that an organization faces, as well as creating and evaluating risk management procedures. They are also responsible for knowing auditing controls as well as reporting procedures (Patel, 2016)
Auditor- The roles and responsibilities of an auditor include assessing current security controls and risk management procedures, advise management on how to improve security controls, evaluate risks, and analyze internal operations (Kumar, 2017)
Executive Manager- The Executive Manager is responsible for ensuring their department is aligned with company vision and goals. They help to create and implement policies and procedures, and they make business decisions, such as security policy changes, based on the information received from the risk manager and auditor (Woodman, 2018)
4. Define the Certification and Accreditation (C&A) Process and briefly discuss the phases of C&A.
The Certification and Accreditation process is a standardized process, activities, and management to validate, implement and ensure security. The phases of the C&A process include Phase I Initiation and Planning: Which defines the C&A effort, it documents the steps needed to achieve the desired accreditation. Phase II Certification: This phase verifies system compliance with the identified security standards. Phase III Accreditation: Here validation is made that the system is compliant and security accreditation is achieved. Phase IV Post Accreditation: This phase continuously monitors the system to ensure it remains compliant with accreditation standards (QTS, 2019).
Alysha Macleod
Kumar N. (2017) Roles and Responsibilities of an Internal Auditor. EnterSlice
https://enterslice.com/learning/roles-and-responsibilities-of-internal-auditor/
Patel N. (2016) A Risk Manager’s Role in Strategic Leadership. NIC State.
https://erm.ncsu.edu/library/article/risk-manager-strategic-leadership
QTS. (2019) The Four Phases of the Certification and Accreditation Process. QTS
Woodman C. (2018) Job Description of an Executive Manager. Career Trend
https://careertrend.com/about-6507018-executive-manager-job-description.html
ISSC 341
RESPONSE 3:
There are 7 layers to the Open Systems Interconnection (OSI) model, but I will be discussing layers one and two. The first layer, physical layer, is responsible for the physical cable or wireless connection between the network nodes. It defines the connector, the electrical cable or wireless technology connecting the devices, and is responsible for transmission of raw data (Os and 1s). The second layer, data link layer, establishes and terminates a connection between two physically connected nodes on a network. It is comprised of two parts, Logical Link Control (LLC) which identifies protocols and performs error checking/synchronizes frames. Media Access Control (MAC) uses MAC addresses to connect devices and define permissions to transmit and receive data.
IPv6 is the latest version of internet protocol and was introduced in 1998 by the Internet Engineering Task Force (IETF) to solve address space exhaustion. IPv6 uses 128-bit addressing instead of IPv4 32-bit addressing scheme. What that means is IPv4 address method uses four sets of one-to-three-digit number (192.0.2.146), and IPv6 uses eight groups of four hexadecimal digits (2001:0db8:85a3:0000:0000:8a2e:0370:7334). While IPv6 may seem more secure and will eventually replace IPv4 one day, the adoption of it has been delayed because there’s a dual stack requirement. IPv6 is not backwards compatible with IPv4. There is a problem with the network address translation (NAT), which takes private IP address and turns them into public IP addresses.
IPv4 allows for a variation of the network and host segments of an IP address, known as subnetting. It can be used to design a network physically and logically. Subnetwork addresses enhance local routing capabilities, while reducing number of address required. The subnet mask is used to show what part of the addresses is the network portion and what part is the host portion. In IPv4, there are 3 default subnet masks corresponding to three classes of IP address.
Hope everyone is having a great start to their week!
Regards,
Al
Works Cited:
McKeever, G., Sillam, Y., R.M., Hathaway, M., Houcheime, W., P.W., Kerman, D., Lynch, B., Hewitt, N., & Ray, T. (2020, June 10). What is OSI Model | 7 Layers Explained | Imperva. Learning Center. https://www.imperva.com/learn/application-security/osi-model/
Fruhlinger, K. S. A. J. (2020, August 26). What is IPv6, and why aren’t we there yet? Network World. https://www.networkworld.com/article/3254575/what-is-ipv6-and-why-aren-t-we-there-yet.html
Google IPv6 adoption Statistics. (2020). IPv6. https://nfware.com/blog-what-is-ipv6
IPv4 subnetting. (2021). IPv4 Subnetting. https://www.ibm.com/docs/en/zos/2.4.0?topic=internetworking-ipv4-subnetting
-ALI
RESPONSE 4:
1. For this discussion, compare and contrast two layers of the Open Systems Interconnection (OSI) Reference Model, including the protocols that run on each layer.
The Open Systems Interconnection (OSI) Reference Model consist of 7 layers and they are from top to bottom application, presentation, session, transport, network, data link and physical. The architecture of the OSI reference model is separated into 7 layers so it aids in development, design, and troubleshooting and provides changes in one layer without effecting the other therefor all layers are equally important. These 7 layers of OSI reference model are divided into 2 groups upper (top 3 layers) and lower layers (bottom 4 layers). The upper layers define communication between the applications of the end users and the lower layers define how the data is transmitted between the two applications. Common protocols used in the layers are TCP, IP/IPX and Ethernet for the lower group and for the upper group HTPP, SSL and RPC just to name a few.
2. What was the reason that IPv6 was introduced? Why do you think many organizations are not
upgrading their network solely to IPv6 and run that protocol instead of running IPv4?
IPv6 was introduced for its capacity over the IPv4, IPv4 is out of IP addresses and holds 4.3 billion addresses. With the growing devices like the smartphone, tablets, computer and other devices IPv4 was not able to support which gave birth to IPv6 which supports 128 bit addressing. Many organizations are not upgrading because IPv4 is enough for the company and because the internet at large doesn’t support IPv6 end to end there is a need to encapsulate IPv6 traffic into IPv4.
3. What is the purpose of subnetting when using IPv4 addressing? What role does subnet mask play in subnetting of IPv4?
Subnetting provides network security, better performance while providing clean separation for troubleshooting. Subnet mask plays important part of masking the IP address. Looking forward to reading other post and learning the role of IPv4 and 6 as my knowledge on the subject is limited. Have a good rest of the week.
References:
Imperva. (n.d.). What is OSI Model | 7 Layers Explained | Imperva? Learning Center. Retrieved from https://www.imperva.com/learn/application-security/osi-model/
PARR, B. (2011, February 03). IPv4 & IPv6: A Short Guide. Retrieved March 05, 2019, from Mashable:
https://mashable.com/2011/02/03/ipv4-ipv6-guide/#MFRFxeOnk
-TAVEN