In this case study, I'll walk you through the step-by-step audit process applied to an organization's adherence to the NIST 800-53 Cybersecurity Framework. The goal is to showcase how the outlined audit methodology is practically implemented in a real-world scenario.
Introduction
In this section I'll share how I approached each step of the audit. Auditing is a multifaceted task, encompassing careful preparation, effective on-site activities, and transparent reporting. Let's walk through how I navigated each stage of the audit process.
Audit Preparation
Starting with the audit preparation, I made sure to gather all the essential materials needed for the audit. The focus was on the NIST 800-171 cybersecurity framework in this case. I prepared an audit spreadsheet listing every control and its relevant details, which set the foundation for a structured audit.
Audit Logistics
Next, I scheduled meetings with the individuals and departments responsible for the controls being audited. I also requested SOPs, policies, and documentation in advance so they could be reviewed before the on-site work. The emphasis during this phase was on careful planning to ensure a seamless audit process.
On-Site Audit
During the on-site audit, I conducted interviews with key personnel to gain insights into the implementation of controls. I requested evidence and documentation to substantiate processes and workflows. Detailed note-taking and, when possible, recording meetings were essential to ensure comprehensive data collection.
Post-Audit Reconciliation
After the on-site activities, I focused on reviewing and organizing the collected data. My goal was to ensure that all evidence aligned seamlessly with the audit findings. Any outstanding data requests or action items were promptly addressed, emphasizing the importance of clarity and completeness in data consolidation.
Analysis
The analysis phase involved a meticulous evaluation of each control based on the evidence collected. The goal was to determine whether controls were fully implemented, partially implemented, or not applicable. This objective analysis formed the basis for drawing accurate conclusions regarding compliance status.
Reporting
In the reporting phase, I created an executive summary providing a quick overview of the audit findings for executives. I included details on the purpose, scope, and results of the audit. Transparently, I offered recommendations for compliance improvement and provided a link to the detailed audit spreadsheet for traceability.
Follow-Up and Recommendations
After presenting the audit findings, I proactively offered recommendations for compliance improvement, aiming to add value as an auditor. Opportunities for follow-on work were identified based on the audit findings. I made sure to provide support and guidance for addressing areas of non-compliance in a collaborative manner.
Conclusion
In conclusion, the audit process, as navigated, involves meticulous planning, transparent communication, and objective analysis. By following these steps, I aimed to provide organizations with accurate insights into their compliance status and actionable recommendations for continuous improvement.
A narration was provided on how cardholder data is transmitted and processed for Company Confidential. I then determined the appropriate SAQ for the assessment and completed it using the provided evidence.
PROJECT 3 - Comprehensive Testing and Component Identification for Key Logical Security Control
Project Goal:
To complete testing for a key Logical Security control while identifying the key components required to successfully complete testing.
Control:
An access request form must be completed and appropriately approved by an employee’s manager for access requests to a system.
Evidence Gathered:
1. Access Request Forms
2. IT Policy
Workpaper:
Testing Summary Sheet
TESTING SUMMARY
The examination of Access Request Forms (1 to 5) was crucial in recognizing the diversity in requests and ensuring that the selected samples represented different scenarios. Subsequently, the Test of Design was conducted, using the IT Policy Excerpt to document the IT policy and evaluating the alignment of the access request forms with the defined policy.
The testing phase involved the careful selection of a representative sample of Access Request Forms (considering forms 1 to 5) and the meticulous execution of testing procedures for new user access. The Testing Summary Sheet was then completed for each sample, documenting detailed testing steps, observations, and outcomes.
In documenting results, I provided clear statements on the effectiveness of the control based on testing outcomes. Deviations from expected results were thoroughly documented, supported by evidence for each testing step and outcome.
Analyzing overall testing results, I identified patterns, trends, and recurring issues, offering recommendations for potential improvements or enhancements to the Logical Security control based on my findings. The final step involved a comprehensive review of all documentation, ensuring accuracy and completeness, before submitting the finalized Testing Summary Sheet along with supporting documentation and recommendations. Through this process, I successfully contributed to the completion of the audit objective, providing valuable insights into the effectiveness of the Logical Security control.
PROJECT 4 - PCI DSS SCOPING FOR CLIENT TEMI INC.