Business Overview:
ABC Company is involved a wide range of business elements that give business process services to the money related services industry. ABC is included fifteen Operating Segments, having forty-two Business Segments. A large number of these fragments have developed from various purposes of source (e.g. by means of obtaining, by means of entrepreneurial startup, through earlier rearrangements); along these lines, numerous keep on operating in a fairly independent manner, both from a business viewpoint and from an innovation point of view. In a half year since the corporate level rearrangements, extraordinary steps have been made to adjust the specialty units and to convey lucidity to ABC’s general system and vision. The new Executive Management group is clear in their sponsorship of conveying end to end answers for their clients, which will bring about expanded market entrance and expanded general incomes. This sponsorship includes the business viewpoint, as well as the innovation angle.
The head office of ABC company is located in New York, United States. Its other offices are established in different cities of United States. They have distributed networking system having all their business process centrally synchronized.
The company is planning an IT infrastructure auditing for a compliance.
Scope:
The Scope of this audit plan will be central to the ABC’s Company network. It includes the evaluation of IT infrastructure that is accurately supports the business processes and operations. The scope of this audit also includes the security controls and measures applied in the network. The audit will also confirm whether the company has implemented the rules and standards according to their own and government policies. Moving further, this audit plan will assure that the company is working according to the implemented policies.
Goals and objectives:
The goal is to implement proper security controls for information systems of the company. We will examine the company’s IT infrastructure and company’s computer network and figure out security flaws and errors that can lead to the security breach. The audit will target the alignment of ABC’s business strategy with IT infrastructure and IT security.
Audit Frequency:
The audit will be conducted after every three to five years and it will be proportional to the risk assessment. However, we will also conduct quarterly audits.
Duration of audits:
The duration of audit will be based on the type of audit we want to conduct at the time. There are many software available that can assist in conducting regular audits. The duration of quarterly audits will be from two weeks to one month. The high-intense audit duration will vary is we will be verifying that the IT infrastructure is assisting the business operations without any error or flow. The high intense audits will usually take at least two months.
Identifying the critical requirements of the audit:
Before conducting an audit, we will identify the critical requirements of the organization which needs to be critically analyze. Firstly, we will analyze the degree of the systems and geographic centralization. We will analyze whether the organization has truly implement the centralized organizational structure as it will affect the allocation of IT resources. We will figure out and inspect the technologies that has been implemented. There might be huge assorted variety in any level of the IT stack, justifying examination in a particular application’s program code, database, operating system, and network foundation. We will inspect the quality of customized software components whether such customization is according to the policies of the organizations. And is there appropriate technical support for the customized software available in the organization. We will examine and evaluate the intensity of company policies and standards that defines the IT governance. An association’s regulatory prerequisites must be considered in the risk characterization and IT audit scope. Any association enrolled with the Securities and Exchange Commission is required by the Sarbanes-Oxley Act to provide details regarding the adequacy of their inside policies for monetary reporting. This audit planning includes the inspection of the level of operational standardization. This will affect the dependability and perfection of the IT foundation and related procedures. We will analyze an association’s IT infrastructure by evaluating the level of dependence on innovation in that association. The more an association depends on the accessibility and usefulness of various innovations in the IT world in everyday business tasks, the more the potential hazard increments. Moreover we will also analyze the critical components of ABC’s IT network. We will analyze the devices such as firewall, routers, switches, DMZ , whether they are installed appropriately to provide the information security that flows across the network. We will also audit the installation of IPS/IDS. We will inspect he rules defined in the firewalls so that the firewalls are accurately securing the network from the attackers.
Privacy Laws:
We will audit the privacy and security controls implemented in the organization whether they are according to the rules and regulations defined by the Federal information management Act (FISMA). It is a united states legislation that consist of complete framework to secure information systems in federal agencies against the threats. It is also known as the E-government act signed in 2002. This Act is complete and comprehensive that it is also enacted by the private sector to effectively deal with threats and secure critical information assets of an organization. The main objective that FISMA conveys is to develop a policy of risk analysis and mitigation to get cost-effective security. The Government enforces this act to ensure that federal government and agencies should secure their information assets by adopting risk analysis and mitigation strategies.
FISMA is responsible for assigning duties to federal agencies, Office of Management and Business and the National Institute of Standards and Technology(NIST). The NIST is a government agency that is non-regulatory. It is responsible for developing technology metric and guidelines. Federal agencies or government organizations which comply with NIST, may also further ensure compliance with FISMA as NIST guidelines directs organizations to comply with FISMA. NIST has provided nine rules to move towards FISMA compliance. It is compulsory for U.S based organizations to adopt the standards developed by NIST to initiate innovation and economic competitiveness. As the FISMA is an Act released by United State Congress, govern by the United States Government. The Government through this Act ensures that the other IT organizations, federal agencies must secure their information assets. Hence the government took this step to implement the security strategies adopted by other organizations which is beneficial for the United State’s Security interests.
Assessing the IT security:
Analyzing the IT security is a important part of reviewing the IT infrastructure for compliance. Through audit, we can find out fraud, inefficient IT procedures, inaccurate utilization of IT resources and weak security. The IT security is tested to ensure that the security controls are accurately placed. In order to assess the IT security we need to know about and implement risk management.
Risk management:
In the risk management process the threats are identified, assessed and controlled. These threats affects the organization’s business process, capital and earnings. These threats originated from many sources which includes financial unpredictability, natural disasters, strategic management flaws. The security threats related to IT infrastructure and information risks are mitigate by risk management strategies. To resolve such risks and threats related to IT have become the top most priority for today’s companies. So the risk management plan clearly addresses the identification and controlling of threats to its IT assets which includes the security of critical information of organizations ad other resources. The risk management plan also addresses the strategies to resolve such risks. Our audit will include the proper analyses of risk management plan ensuring that it has accurately identified all possible risks and threat to IT infrastructure and corrects strategies adopted to resolve such risks.
Threat analysis:
Cyber threat examination is a procedure in which the learning of interior and outside data vulnerabilities correlated to a specific association is coordinated against true cyber assaults. As for cyber security, this threat-situated way to deal with fighting cyber assaults shows a smooth change from a condition of receptive security to a condition of proactive one. In addition, the expected result of a threat appraisal is to give best practices on the most proficient method to expand the defensive instruments as for accessibility, privacy and completeness, without swinging back to ease of use and functionality conditions.
