Red Clay Renovations: Enhanced IT Security & IoT Smart Home Services - Essay Sample

Introduction

Red Clay Renovations has adopted the required IT security policies as guided by NIST to enhance IT security and improve services offered to customers. The company provides renovations and rehabilitation services to residential buildings and homes to convert them to smart homes and use the Internet of Things. As a result, it is significant for the company to adopt safety measures to keep their data and customers safe from cyber insecurity. Policies designed by the company ensure internet safety, thereby avoiding legal and compliance issues and enhance customer experience and loyalty. The rationale of the policy briefing package is to provide a precise framework that guides IT safety policy fulfillment assessment, examination plan to conduct employees’ awareness and conformity with IT safety policies and appraisal plan for the company’s IT security policies through certification assessment. The policy framework in use is FISMA Cybersecurity Framework established in 2014. The framework provides IT security compliance provisions under NIST Special Publication SP 800-53. The provisions guides adoption, installation, and implementation of IT safety solutions.

Is your time best spent reading someone else’s essay? Get a 100% original essay FROM A CERTIFIED WRITER!

Order now

Policy for IT Security Policy Compliance Audits

FISMA Cybersecurity Framework (CSF)

Federal Information Security Mobilization Act, which was established through a presidential executive order of 2014, provides the Cybersecurity Compliance Audit Framework to guide companies on conducting their annual security audit. The framework provides that an audit should be conducted by an independent or private consultant licensed by the government. The auditor must be given access to the system to analyze the controls plus the risks to enhance the identification of acceptable and unacceptable risks in the company, its operations, assets, employees, or the buildings near it. The company must provide documentation of the standards in use to the auditor to prepare the audit report. The documents mush comply with NIST Special Publication SP 800-53 plus SP 800-137. The documents required by NIST to show compliance with IT security policies must have a precise catalog record of information systems detailed as follows.

Typical data elements applied to enhance plus sustain an updated catalog of hardware property used by the company’s system, its software, plus licenses.

Cloud Structures Used by the Company, Websites, and Third-Party Systems

Provision of all integrations in the company’s IT system, especially those applying federal data:

The company’s safety plan outlining safety controls adopted, exiting policies plus measures, plus a common schedule used for future control performance;

Adoption of safety strategies for employees outlining their specific functions and responsibilities:

Adoption of Safety management measures in the company, knowledge and training, emergency preparation, protection, response to threats, and risk evaluation; and

Risk appraisal analysis detailing grouping and levels as guided by IT compliance measures provided by the government, the company’s mission, and the company’s functional importance.

FISMA provides that the company receive certification plus accreditation after the audit fulfills its IT security compliance provisions. SP 800-37 provides a Risk Management Framework that the company must considered ensuring that they conduct continuous monitoring procedures to prove its compliance. The policy provides a solution to ensure that the company has the aptitude for identifying, protecting, discovering, reacting to, and recovering from cybersecurity threats. The policy is applicable to the company to make executive risk identification to involve external facing, corporate assets, general, and public relations. Also, the IT department must use the policy to determine internal, network assets, and technical risks.

The audit reports must clearly show the company’s information management systems against these evaluation criteria. The reports must itemize the findings, previous year’s security conditions, recommendations, plus status. The findings include risk management techniques that are compliant with FISMA and those that are not. The company’s policies are also attached, and all the weaknesses of the IT security policies highlighted and solutions recommended.

Security Awareness Audit Plan

Audit Plan Background

Closing the gap in safety and compliance requires the company to educate, plan, and employ employees with knowledge of IT safety guidelines to guarantee that they are compliant with the policies provided in the worker manual. The review plan ensures that the company controls data breach through a clear understanding of employees’ responsibilities as outlined in the company’s policies. Through the plan, a clear messaging system to disseminate information successfully is adopted through the CIO to curb all security related issues. All security policies become clear to employees to enhance data security.

Red Clay Renovations Company is driven by the awareness that the Internet of Things and smart home approaches are prone to cyber-attacks and can lead to deadly consequences in residential buildings and homes. The risks that have driven the company to adopt a review plan for evaluating staff understanding of and observance with IT safety strategies include:

• Lack of experienced employees may lead to disruption of computer systems creating loopholes for security threats.
• Employees can lead to the adoption of faulty third-party equipment that does not meet the company’s IT compliant policies making the company fail to provide enough security measures for the clients.
• The company’s data can be unprotected and easily accessible by hackers as a result of a lack of security knowledge and information among the employees. This can destroy the company’s reputation and business.
• Poor IT services can lead to a breach of security in residential buildings and homes, subjecting clients to security threats, thereby destroying customer experience and loyalty.
• Using personal gadgets to do the company’s work by connecting them with the company’s VPN posing a security threat to the company.

The company has ensured that the following safety consciousness as guided by NIST SP 800-53 on AT family of controls is provided to the employees; admittance management policies and measures, access, and data transmission enforcement, separation of obligations and responsibilities, session lock and termination, remote and wireless access, data mining safety, access management decisions, reference observance, application of outside IS, security attributes, and supervision and review. The auditor of the company is Natalie Randall, located at the Wilmington office. Her contact email is [email protected].

Audit Objectives

The review objectives will be guided by the control families provided by NIST SP 800-53. The groups include access management, accountability, understanding and education, contingency planning, detection and verification, incidence reaction, safeguarding, employees’ safety, risk evaluation, structure and information veracity, and safety assessment and authorization. The audit will seek to achieve the following objectives;

Discover and classify sensitive data- The employees must be able to locate and secure all sensitive data and classify it based on the company and NIST policies.

Map data and permissions- designated employees such as the chief information officer, must be able to identify users, groups, folders, and files permission and identify who accessed what data to trace the origin of data breaches. Every trace of data must be identifiable professionally.

Manage access control- The chief information officer must recognize and disable stale users, control user and group membership, eradicate global admission groups, and implement a model that gives the least privilege to many employees.

Scrutinize data, file activity, and employee performance- the review will aim at an end result of filing every event of the users of the company’s IT system, monitor insider threats, and security breaches, and detect an employee’s instigated security vulnerabilities and how they were mediated.

Audit Approach

Auditing employees’ awareness will undergo four steps, that is, planning, risk assessment, data collection, and evaluation and reporting (Jack et al., 2019).

Planning

An initial assessment will be conducted to gather information about the company. Planning enhances initial assessments that give the basis for testing hypotheses. In this stage, the auditors will understand the organizational function, operating environment, structure, IT systems, nature and extent of cybersecurity risks, and employees. Organizational hierarchy is important to understand the mode of governance in the company. Characteristics of the IT system are also important to the auditor to understand its diversity and security loopholes they might exhibit. The preliminary information will be gathered through conducting due diligence about the companies, reading company’s publications and strategic plans, interviewing major personnel to understand the company’s performance and business, and visiting business premises and several residential buildings the company has renovated or rehabilitated.

Risk Assessment

The step involves identifying and assessing risks and taking precautionary measures to reduce cybersecurity vulnerabilities. The assessment considers the likelihood of the company experiencing security hacks and the possibility of employees causing the threats. The auditors will study the management’s perspective on employee training to determine their responsibility is enhancing employee awareness on IT security policies. As such, the assessment of the awareness of employees will engage policies and security measures to manage security risks in the company.

Data Collection

Here, auditors will collect evidence on the degree of awareness among employees and how well they are conversant with NIST and the company’s security policies. Data collection techniques, such as interviews, observation, questionnaire, and analytical procedures will be used. Data will be collected against the control families provided by NIST SP 800-53. Direct observation will provide proof that employees are knowledgeable about IT security policies. Document review will facilitate the auditors to understand the security measures and policies in place to use as a checklist among the employees.

Evaluation and Reporting

The evaluation will use tools such as generalized, industry-specific, utility, and specialized audit software. The generalized software will access the company’s files, re-organize them, select, and mine data required by the auditor. Industry logic is required to manage expectations. The auditor will then compile a report to show the findings and recommendations. It will show the program, evidence, and its support, reports from data collected, and comments or recommendations. The report will follow the official audit report standards.

IT Security Policies Audit Plan

Audit Background

The rapid change in technology requires the company to adopt IT security control measures to enhance data and information security. NIST SP 800-53 provides guidelines on what a company should adopt to enhance its security. The adoption of policies must comply with policies and procedures controls provided by the framework as the minimum requirements. The framework provides management, operational, plus technical safeguards to be adopted in the form of IT policies. The following are provisions that are required by The U.S. Department of Interior (2008) to be adopted by the company.