Call/WhatsApp: +1 914 416 5343

Substantive Response

Provide (4) 150 words substantive response with a minimum of 1 APA references for RESPONSES 1, 2, 3 and 4 below. Ensure you list and break down each response in a word document. Response provided should further discuss the subject or provide more insight. To further understand the response, below is the discussion post that’s discusses the responses. 100% original work and not plagiarized. Must meet deadline.


ISSC 471

1. What is IT Security Auditing? What does it involve?

An IT security audit is a comprehensive examination and assessment of an information security system. By conducting regular audits, organizations can identify weak spots and vulnerabilities in their IT infrastructure, verify security controls, ensure regulatory compliance, and more. It involves running scans on IT resources like file-sharing services, database servers and SaaS applications to assess network security, data access levels, user access rights and other system configurations. It includes physically inspecting data centers for resilience to fires, floods, and power surges as part of a disaster recovery evaluation. Finally, it involves interviewing employees outside the IT team to assess their knowledge of security concerns and adherence to company security policy.

2. Why are Governance and Compliance Important?

To ensure that businesses protect their information, have consistent cohesion departmentally, and follow all governmental regulations, a governance, risk, and compliance program is important. This helps to minimize the threats and risks that companies are exposed to on a daily basis.

3. Explain in detail the roles and responsibilities in an organization associated with the following:

According to our lesson, the risk manager, auditor, and executive manager have the following responsibilities:

Risk Manager – responsible for identifying organizational risk.
Auditor – responsible for conducting information assurance audit and applying frameworks to the seven domains to align with compliance.
Executive Manager – responsible for aligning external or internal compliance with governance requirements.
4. Define the Certification and Accreditation (C&A) Process and briefly discuss the phases of C&A.

It is my understanding that the C&A process is outdated, and we now use assessment and authorization (A&A) to follow terminology in the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF). In my job, we follow NIST guidelines, and all of our accreditation processes follow the RMF process. The C& process was initiation and planning, certification, accreditation, and then continuous monitoring. Though I never worked with the C&A process, I have been working with RMF for about 2 years now, and it is very involved.

1. What is IT Security Auditing? What does it involve?

According to the reading this week an IT Security Audit is an internal assessment of an organizations policies, controls, and activities. An audit ensures that an organization is in compliance with legal regulations and that their security controls are adequate. Audits can involve any number of aspects within a business’ activities including finances, compliance, operations, investigations and information technology. An IT Security Audit also involves three goals, providing an objective and review of policies, providing reasonable assurance controls are in place, and recommendations for improvement.

2. Why are Governance and Compliance Important?

As businesses become ever more reliant on technology governance and compliance become a more integral part of business function. Governance of IT systems ensures proper use as well as compliance and risk management, all vital to the success in a business environment. Compliance is important and beneficial to all aspects of a business, it ensures the reliability as well as public trust of a business which is vital to the business’ success.

3. Explain in details the roles and responsibilities in an organization associated with the following:

Risk Manager- A risk manager is familiar with the risks and vulnerabilities that an organization faces, as well as creating and evaluating risk management procedures. They are also responsible for knowing auditing controls as well as reporting procedures (Patel, 2016)
Auditor- The roles and responsibilities of an auditor include assessing current security controls and risk management procedures, advise management on how to improve security controls, evaluate risks, and analyze internal operations (Kumar, 2017)