After completing your master’s degree, you have been hired by a contracting company as an information systems security officer, or ISSO, supporting systems for federal clients. One morning, your boss asks you to come to her office. She tells you that you’ll be working on a network security audit. Network security audits, based on FISMA standards, are used annually to determine the effectiveness of our security controls. The boss explains: “Prior to the security audit, I will need you to test, execute, collect, and compile your results into a security assessment report, or SAR. Once you’re finished, you will submit the report to me and the executive leadership.”
Later, you receive a follow-up email from your boss with instructions. First you will conduct a risk and threat assessment of the enterprise network. Next, you will perform black box testing of the network using network analysis tools. After identifying any network vulnerabilities, you will lead efforts to remedy and mitigate those vulnerabilities using appropriate risk management controls. You will then perform a white box test and compile the results in the final security assessment report. And provide this to leadership, along with an executive briefing in your lab analysis, so management has a baseline view of the security posture of the enterprise network, before the actual external IT audit. The email ends with this note: “Thank you for taking this on. Our executive leadership is excited to learn of your findings.”
Deliverable: Security assessment report (SAR): Your report should be 12 pages minimum, double-spaced with citations in APA format. The page count does not include figures, diagrams, tables, or citations.