Introduction: For this final paper, I am to assemble the executive reports for which I have completed over the last 5 weeks and combine them into one final report. These reports will consist of:
- The two auditing frameworks or hardening guidelines / security checklists used by the DoD.
- How a security assessment addressing modern day risks, threats, and vulnerabilities throughout the 7-domains of a typical IT infrastructure can help an organization achieve compliance.
- How to gather and obtain needed information to perform a GLBA Financial Privacy & Safeguards Rules compliance audit and what must be covered.
- The top workstation domain risks, threats, and vulnerabilities which will not only include possible causes, but mitigations as to prevent these issues from happening.
- The top LAN – to – WAN risks, threats, and vulnerabilities which will not only include possible causes, but mitigations as to how we can prevent these issues from happening.
- The top Remote Access Domain risks, threats, and vulnerabilities as well as ways to mitigate these types of issues.
- The top Systems / Application Domain risks, threats, and vulnerabilities as well as ways to mitigate these types of issues.

Part 1:
Purpose:
The purpose of part 1 for this lab is to develop an executive summary in regards to either the two auditing frameworks or hardening guidelines/security checklists used by the DoD. For this, I have chosen to discuss the two auditing frameworks.

Background: A little background about the AF (Auditing Framework) for the DoD is that it provides a foundation for developing and representing descriptions that ensure a common denominator for understanding, comparing, and integration across organizational, joint, and multinational boundaries. All U.S. DoD weapons and information technology system acquisitions are required to develop and document an enterprise architecture (EA) using the views prescribed in the DoDAF. While it is clearly aimed at military systems, the DoD has broad applicability across the private, public and voluntary sectors world-wide.

Auditing Standards and Requirements: There are different standards when discussing the requirements within a DoD audit, such as:
- All auditing services performed by the DoD must comply with GAGAS (Government Auditing Standards)
- Although GAGAS may be compatible (and still used in conjunction with other auditing standards) if there are any sort of conflicts within the audits themselves, the GAGAS requirements will overrule any other sources.
- There is also a single audit standard and requirement which sets forth a basic set of standards for consistency and uniformity across the different federal agencies for any non-federal audit entities expending federal awards.
- The DoD guidance states that all issuances identifies the requirements which are unique to the DoD and auditors need to be aware of such additional requirements when they are performing any auditing services for the government (specifically the DoD).

Management Of The DoD Audit Organization: The department heads for the auditing committee must develop and maintain the elements for their respective organizations, such as:
- Tone at the top: this states that the head of the audit organization must understand and set a tone that supports the value and accountability the audit function brings to the DoD component.
- Organizational independence: this states that the audit organization must reports their results objectively.
- Independence impairment based on placement: states that an AO should never report to an area within the organization that could possibly be audited.
- Independence impairment based on reporting: states that the head of a functional area is able to rate, assess, or evaluate the audit organization’s leadership then an organizational independence impairment has occurred, which in turn means that the audit report may be reported objectively because of the possible influence.
- Organizational management: the AO must be independent, follow standards, and have a quality control program that complies with GAGAS.

Part 2
Overview:
The purpose of this first part of the lab is to develop an executive summary describing how a security assessment addressing modern day risks, threats, and vulnerabilities throughout the 7-domains of a typial IT infrastructure can help an organization achieve compliance.

Purpose:
We must first know what the 7-domains consist of an IT infrastructure and how they can be made compliant:
- User domain: this is the weakest link in an IT infrastructure because this is the user themselves. The best way to ensure compliance is by training all employees as well as holding periodical training sessions to ensure they are following protocol.
- Workstation domain: this is where most users connect to a company’s network. These consist of desktops, laptops, PDA’s, cell phones. These can be made compliant by ensuring users only have access to the proper folders / files they need to do their daily jobs.
- LAN domain: this is a collection of computers connected to one another or to a common connection medium. The best way to ensure this domain is compliant is by making sure all security (anti-virus) protections are implemented and patches are up to date.
- LAN-to-WAN domain: this is where the IT infrastructure links to the wide area network and the internet. A way to keep this compliant is to ensure the ports from coming into the LAN from the WAN are properly configured to keep from any sort of open-port attacks
- WAN domain: this is the connection to the “outside world” (I.E. internet). The best way to keep this compliant is by ensuring the company’s firewall is set to allow only work-related sites access to the company network.
- System / Application domain: this is where the servers are held and the best way to ensure this is compliant is by making sure all software updates as well as anti-virus security patches are up to date.
- Remote Access domain: this is where users connect from a location outside the network onto the company’s network. The best way to ensure this domain is compliant is by issuing only those that need access resets theirs passwords on a 30 day basis and they are to never give out their info.

Part 3
Purpose:
The purpose of this first part of the lab is to develop an executive summary describing how to gather and obtain needed information to perform a GLBA Financial Privacy & Safeguards Rules compliance audit and what must be covered.

Overview: In order to be compliant with the GLBA law, we must first know who can be eligible for this and what the covered by following questions and knowing the guidelines they set forth:
1. Obligations
• Privacy notices
• Who gets a privacy notice
• Customers
• Consumers who are not customers
• General obligations
• Expectations

2. Limits on reuse and re-disclosure of NPI
• General obligations
• Restrictions on reuse and re-disclosure if NPI is received under the section 14 or 15 exceptions
• Restrictions on reuse and re-disclosure if NPI is received outside the section 14 or 15 exceptions
3. Disclosure of account numbers is prohibited
4. Other issues
• The fair credit reporting act
• Enforcement
5. Further guidance

Part 4
Purpose:
The purpose of this first part of the lab is to develop an executive summary describing the top workstation domain risks, threats, and vulnerabilities which will not only include possible causes, but mitigations as to prevent these issues from happening.
Overview:
When discussing the risks, threats, and vulnerabilities within a workstation domain, we must not only know the potential issues, but we must also know what can be done to alleviate those issues.
Risk, Threat, or Vulnerability Mitigation
Lack of user awareness Conduct security awareness training
User apathy toward policies Conduct annual security awareness training, implement acceptable use policy, update staff manual and handbooks
Security policy violations Place employee on probation
CDs and USB drives Disable all CD drives and USB ports
File sharing Disable all websites to where only work relates sites can be accessed
Passwords Ensure all passwords are kept safe and secure by training all employees. e-mail Only allow those users who need access to send & receive emails outside the network. Also, train users to not open those emails for whom they do not know

Part 5
Purpose:
The purpose of this first part of the lab is to develop an executive summary describing the top LAN – to – WAN risks, threats, and vulnerabilities which will not only include possible causes, but mitigations as to how we can prevent these issues from happening.
Overview:
When discussing the risks, threats, and vulnerabilities within a LAN – to – WAN domain, we must not only know the potential issues, but we must also know what can be done to alleviate those issues. There are many different issues that we can face when talking about a LAN – to – WAN setup. Before we must first know what the differences between the two are and how they can be protected:
LAN: A local area network supplies networking capability to a group of computers in close proximity to each other such as in an office building, school, or a home
- Protection needed for the LAN are quickly defined by:
• Confidentiality
• Integrity
• availability
- security issues range from:
• users
• physical threats (I.E. weather)
- vulnerabilities:
• PCs are vulnerable with: access points, USB ports, CDROM drives
• LAN access
• viruses
WAN: A wide area network is a network that covers a broad area using private or public network transports.
- Protections needed to safeguard the WAN are:
• Firewall
• Antivirus software
• Email filter
- Vulnerabilities:
• Hackers
• Viruses
• Malware
• Trojans
• Worms

Part 6
Purpose:
The purpose of this first part of the lab is to create an executive summary describing the top Remote Access Domain risks, threats, and vulnerabilities as well as ways to mitigate these types of issues.
Overview:
In order to first discuss any risks, threats, or vulnerabilities, we must first know what the meaning of the Remote Access Domain and what it does. The Remote Access Domain standards are anything related to VPN connections and multi-factor authentication. Basically this is when someone connects to the network from an outside location (I.E. when an employee works from home they will remote into the network). When dealing with a remote connection, we must not just think that once we give a user access, that everything will be ok. The network is susceptible to attacks from hackers, Trojan viruses, malware, worms, even loss of data. Some of these risks, threats, or vulnerabilities and ways to mitigate these issues are:
1. Brute-force user ID and password attacks
- Establish a user ID and password policy which requires the user to change this every 30 days. Also train users to understand that they are to NEVER give their password out to anyone at any time.

2. Multiple logon retries and access control attacks
- A good way to stop this is by setting an automatic lockout for users (or in this case unauthorized users) to lock them out after a certain number of tries.
3. Unauthorized remote access to IT systems, applications, and data
- We could apply multiple levels of security by the user ID and password and next using tokens, biometrics, and smart cards to ensure the safety of company data.
4. Private data or confidential data is compromised remotely
- A good way to ensure the protection of company data is by making sure all data is encrypted within the database and / or hard drive. This is particularly good because if the data is ever stolen, then the lost hard drive cannot be accessed do to the heightened security.

Part 7
Purpose:
The purpose of this first part of the lab is to create an executive summary describing the top Systems / Application Domain risks, threats, and vulnerabilities as well as ways to mitigate these types of issues.
Overview:
In order to first discuss any risks, threats, or vulnerabilities, we must first know what the meaning of the Systems / Application Domain and what it does. The Systems / Application Domain is a mechanism used within the common language infrastructure to isolate executed software applications from one another so that they do not affect each other. As with anything computer related, there are always risks, threats, and vulnerabilities, but behind those issues there has to be a way to mitigate them and below are a list of a few.
1. Unauthorized access to data centers, computer rooms, and wiring closets
- Ways to mitigate this would be to apply policies, standards, procedures, and guidelines for staff and visitors to secure facilities
2. Servers must sometimes be shut down to perform maintenance
- By creating a system to tie servers, storage devices, and the network together
3. Server operating systems vulnerability
- By ensuring all window server operating system environments are defined with the proper patches

4. Cloud computing virtual environments are by default not secure
- By setting up virtual firewalls and server segments on separate VLANs will help alleviate any sort of failure

Sources:
1. http://en.wikipedia.org/wiki/Department_of_Defense_Architecture_Framework
2. http://www.dtic.mil/whs/directives/corres/pdf/760007m.pdf
3. http://iase.disa.mil/stigs/index.html