Cybersecurity Audits

A cybersecurity audit is different from a penetration test. An audit is generally a paper checklist
process and review. One description of an audit reads as follows:

"Cybersecurity audits act as a checklist that organizations can use to validate their
security policies and procedures. Organizations that conduct an audit will be able to
assess whether or not they have the proper security mechanisms in place while also
making sure they are in compliance with relevant regulations. This helps businesses
take a proactive approach when designing cybersecurity policies, resulting in more
dynamic threat management. Cybersecurity audits are performed by third-party vendors
in order to eliminate any conflicts of interest. They can also be administered by an
in-house team as long as they act independently of their parent organization."
(https://securityscorecard.com/blog/best-practices-for-a-cybersecurity-audit)
There are any number of checklists available on the Internet. Some are intended for a very
specific sector governed by regulations for that sector (such as banking or health care). Others
are more generic in nature. When considering small businesses, one of the big issues with
audits is that these checklists are often, as the description above implies, designed for third-party
experts to come in and assess the organization. A certain level of understanding of
cybersecurity is expected. If the checklists are too detailed or too lengthy, many small businesses will not
attempt to conduct the audit because they have neither the time nor the expertise to carry it
out. Another important factor is that many of the checklists are based on a specific
model, process, or framework for cybersecurity. Such a model helps an organization approach its
cybersecurity program in an organized manner.
For this assignment, you are to examine guidance that you can find on the Internet discussing
both audits and cybersecurity frameworks/models/processes in preparation for conducting a
cybersecurity audit. Consider the guidance that you can find in the following documents:
• CIS Controls (V7.1)
• CIS Controls Guide for SMEs
• CIS Risk Assessment Method (RAM)
• NIST Cybersecurity Framework
• NIST IR 7621r1 (The Fundamentals)
• NIST SP 800-171r2
• NIST SP 800-53r5
• NIST SP 800-60 vol 1 and 2
• FIPS 199
• FIPS 200
Your target for this assignment is a small business or non-profit organization. You will want to
have a model in mind to base the organization’s cybersecurity program on. For this assignment
put yourself in the shoes of a cybersecurity services business that performs cybersecurity audits
for organizations that hire you. You are producing the documents you will provide your
employees who will go into an organization to help them with their security.
Hint: Take a very good look at NIST IR 7621r1 and the CIS controls.
Write a paper of at least 1200 words that describes your basic decision on the
framework/model/process you are going to use
