Anyone wanna help create an executive summary for an auditing policy?

This is a project for school, for a cyber security class.

“Write an auditing policy executive summary for management outlining the auditing polices you recommend the organization adopt. You will create a policy to be used specifically by the IT department and other areas of the organization that manage access to computer resources or data within the organization”

"Items to consider include, but is not limited to, issues such as:

  • Key minimum events or event types to audit (this need not be exhaustive; list 6-10 that you feel are the most important)
  • Whether you feel you should audit success, failure or both for the events or event types you enumerate.
  • Archiving and retention policies, including retention length, location, and other specifics.
  • What you will do with the data?
  • How will you protect the data? Does the data need to be protected?

Anyone who has been in the trade for a while able to give input on ideas to implement?

Also, I think networking is the best topic to put this under, but if a mod needs me to move it, let me know. Or just go ahead and move it, that’s fine too.

1 Like

Would to be a fly on the wall with you :slight_smile: Technically work for an MSP, and I can tell you as we work with customers on a day to day basis, the normies are catching on the importance of this but only because their cybersecurity insurance agents are forcing them to :slight_smile: So your outline above is essentially the “value add” that we present to customers, in alignment to frameworks and what not such as NIST, CMMC. But again only from the perspective of “meeting compliance”

@Mentalguy15 IMO, you should complete this assignment to the best of your abilities and then ask us for feedback on it. As it stands, I don’t know how to help you without simply giving you answers (which may not even be the answers your professor is looking for tbh).

4 Likes

this looks like a cyber security assessment?.

if you dont know how its done or haven’t been given an outline then i would suggest you go talk to your tutor and explain your issues.
it sux i know but its what they are there for.

as for your assessment. they are basically asking you to google and put in your own words what you find.
there are plenty of examples of audits out there.
just dont cut and paste or you could get failed for plagiarism

so google key events/event types to audit in cyber security.

google applicable data retention laws.
(just summarise you don’t need the actual case law.)

add in the other stuff which you should have learned about already in class.
if not start googling and watching cybersecurity content (not just hacking video’s) from the likes of InfoSec and cyber insecurity. (its very dry so… defiantly check the timestamps for infor you need)
look up coarse work and then once your all done.

put it in a presentation you would hand to management.(your teacher/tutor)

now… your done?..
no…
go ask your tutor to look it over and give you feedback.
(post it here first, if you want, im sure some will be able to give you pointers)

what you though we were gonna put 8 hours into a submission for you?.
LOL no mate.
if you want into cyber you gotta do the learning bit yourself or you end up failing your exam.
if you have no interest in it, then tell your tutor that too.
maybe she can get you into something that does interest you.

finally, go get it.
:slight_smile:

This isnt really a regular assignment. For the most part, I could find and tweak a company’s existing executive summary to fit my made-up company, as long as I cited it as my basis. I don’t really want to do that and figured some of the professionals on here would know what specific things to add into it.

no, I dont expect anyone else to do it for me. I’m allowed to use and tweak an existing summary/policy as long as I cite it. I just wanted ideas that real-world people can have input on. Might be some underrated stuff that often gets overlooked or maybe something they wish their company would implement.

Im just looking for ideas, not a completed paper.

1 Like

Go and listen to the Darknet Diaries podcast, there are quite a few episodes walking through pentests and the kind of findings they get. (Though most audits aren’t as exciting as pentests). When it comes to reports most of this stuff is pretty boring, you just get to point out that the prince with no clothes on.