You are one of the MSc level trainees newly employed in IT security auditing at CyberSAFE Auditors. The Chief Auditor, Nigel Waring, is very keen on team work approaches to auditing and so, as part of the postgraduate induction programme, has divided trainees into teams of two persons. Nigel explains that each team is tasked with conducting a limited ISO27002 compliance audit of a new client's premises and to prepare an audit report. Nigel will then select the best report to present to the client.

Nigel explains that each pair must arrange between them for the following tasks to be undertaken:

  1. must meet, either in person or by email, and allocate one person to do Secure Areas (Section 4 in the report) and the other to Equipment Security (Section 5 in the report). All other sections are to be dealt with jointly.
  2. must decide on their fieldwork methods, timetable and approach.
  3. must, as the audit progresses, keep minutes (up to 250 words each) of three work-in-progress meetings (Initial, Interim, Final). These minutes should contain the following:

Initial: agreements, differences of opinion, allocation of tasks and duties for the audit process.

Interim: agreements, differences of opinion, peer review of each other's work to date.

Final: agreements, differences of opinion, peer review of each other's work, and decisions on the structure of the final report.

  4. must produce a joint audit report according to the required template (see Audit Job Allocation form) and containing an Appendix A showing brief notes (no more than 250 words each) for the three work-in-progress meetings (Initial, Interim, Final).

Nigel then presents each team formally with the following documents:

  1. An Audit Job Allocation Form
  2. A copy of the original letter from the client specifying the audit to be undertaken
  3. A copy of the relevant parts of ISO27002:2022 section 7 (Physical controls) that Nigel wants you to use; the extract is reproduced at the end of this document

Deliverables

Visit the computing laboratories on the 1st floor of the King William Building (all labs) and perform your audit using whatever practical techniques you have jointly decided upon. However, you MUST abide by the constraints specified by the client. Based on this, write a report as requested below. The report should be a minimum of 3000 words and a maximum of 5000 words, excluding any appendices and references. The report must be word-processed and must have the headings and sub-headings specified by the Chief Auditor in the Audit Job Allocation form.

The report must contain, on its header page, the following Joint Authorship statement:

This report is a team product, reviewed through regular work-in-progress meetings, and its content integrated and jointly agreed by all authors. It represents a true statement of the team's audit findings and conclusion.

Secure Areas author:

Equipment Security author:

Assessment Criteria

Marks will be awarded for the report as follows:

Title, Team Name, Recipients, Joint Authorship statement, Date, Contents 2 marks

Scope 6 marks

Business Setting 6 marks

Practical Audit Method Employed 20 marks

Secure Areas 20 marks

Equipment Security 20 marks

Audit Conclusion 20 marks

Appendix A: Work-in-Progress Peer Review reports 6 marks

Your final report MUST have the headings shown below, which follow the CyberSAFE Auditors standard method of reporting.

One page showing Title, Recipients, Date, Joint Authorship statement

One Page showing Contents Page (with section headings and page numbers)

Section 1 : Scope (no more than 250 words)

Section 2 : Business Setting (no more than 250 words)

Section 3 : Practical Audit Method Employed

Section 4 : Secure Areas

4(a) Expected Controls,

4(b) Observed Controls and Comments

Section 5 : Equipment Security

5(a) Expected Controls,

5(b) Observed Controls and Comments

Section 6 : Audit Conclusion

6(a) Overall conclusion based on relevant GAP analyses

6(b) Recommendation for Immediate and Future Management Action

References

Appendix A: Minutes of Work-in-Progress meetings (Initial, Interim, Final).

Other appendices

Nigel Waring

CEO CyberSAFE Auditors plc

Romney Road

Greenwich

London SE10 9LS

22nd January 2023

Dear Mr Waring,

The Department of Computing and Mathematical Sciences (CMS) requires you to undertake a security audit of computing resources used by students in all the computing laboratories on the first floor of the King William Building. The scope of the audit is to cover the physical and environmental security of the physical assets in the labs themselves as per ISO27002:2022 section 7.

However, the university has specified two constraints that must be adhered to by all of your participating fieldwork auditors. Constraint 1 is that auditors must not converse either verbally or in writing with any member of the university staff of any grade. Constraint 2 is that auditors must approach from a point of view consistent with that of an average (not highly technical) student. Consequently, the audit need not investigate at the operating systems level nor the actual network servers themselves. In fact, to be as authentic as possible and not cause alarm or disruption, it would be desirable for auditors to pose as typical students and fulfil the audit requirements without alerting the technical staff in any way.

We would welcome your commencement of the audit as soon as possible on receipt of this documentation and look forward to receiving your audit report as agreed by close of business on the required date.

Yours sincerely,

L. Clancy

Manager CMS Support

Queen Mary Building

Physical Controls

Secure areas

Objective: To prevent unauthorized physical access, damage and interference to the organization's premises and information.

7.1 Physical security perimeter

Control: Security perimeters (walls, gates, reception) shall be used to protect areas that contain information and information processing facilities.

7.2 Physical entry controls

Control: Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

7.3 Securing offices, rooms and facilities

Control: Physical security for offices, rooms, and facilities shall be designed and applied.

7.4 Physical security monitoring

Not required for this audit.

7.5 Protecting against external and environmental threats

Not required for this audit.

7.6 Working in secure areas

Control: Physical protection and guidelines for working in secure areas shall be designed and applied.

Equipment security

Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's activities.

7.7 Clear desk/screen policy

Not required for this audit.

7.8 Equipment siting and protection

Control: Equipment shall be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.

7.9 Assets off-premises

Not required for this audit.

7.10 Storage media

Not required for this audit.

7.11 Supporting utilities

Control: Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.

7.12 Cabling security

Control: Power and telecommunications cabling carrying data or supporting information services shall be protected from interception or damage.

7.13 Equipment maintenance

Not required for this audit.

7.14 Disposal/reuse of equipment

Not required for this audit.
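The gap analysis that Section 6(a) asks for, and the expected-versus-observed comparison of Sections 4 and 5, can be kept as a structured working paper rather than free text. The Python script below is an added example and is not part of the assignment brief or of CyberSAFE Auditors' own method. It encodes the expected controls from the extract above, rejects observations that fall outside the client's scope (controls marked "Not required for this audit", or findings recorded without evidence), and turns a fieldwork log into the per-objective summary for 6(a) and the immediate/future action lists for 6(b). The sample observations are constructed for illustration and describe no real laboratory; the scoring rule (absent control = immediate action, partial control = future action, an in-scope control with no observation = "not assessed") is an assumption of this example, not an ISO 27002 requirement.

```python
from dataclasses import dataclass
from enum import Enum

# Expected controls copied from the ISO 27002:2022 clause 7 extract above.
# The third field is False for controls the Chief Auditor marked
# "Not required for this audit"; they are kept so the report can show them
# as excluded rather than silently missing.
EXPECTED_CONTROLS = {
    "7.1":  ("Secure areas",       "Physical security perimeter",                           True),
    "7.2":  ("Secure areas",       "Physical entry controls",                               True),
    "7.3":  ("Secure areas",       "Securing offices, rooms and facilities",                True),
    "7.4":  ("Secure areas",       "Physical security monitoring",                          False),
    "7.5":  ("Secure areas",       "Protecting against external and environmental threats", False),
    "7.6":  ("Secure areas",       "Working in secure areas",                               True),
    "7.7":  ("Equipment security", "Clear desk/screen policy",                              False),
    "7.8":  ("Equipment security", "Equipment siting and protection",                       True),
    "7.9":  ("Equipment security", "Assets off-premises",                                   False),
    "7.10": ("Equipment security", "Storage media",                                         False),
    "7.11": ("Equipment security", "Supporting utilities",                                  True),
    "7.12": ("Equipment security", "Cabling security",                                      True),
    "7.13": ("Equipment security", "Equipment maintenance",                                 False),
    "7.14": ("Equipment security", "Disposal/reuse of equipment",                           False),
}

class Status(Enum):
    IMPLEMENTED = 0   # control observed and appears effective
    PARTIAL = 1       # control present but a weakness was observed
    ABSENT = 2        # no evidence of the control at all

@dataclass(frozen=True)
class Observation:
    control: str      # clause number from the extract, e.g. "7.2"
    status: Status
    evidence: str     # what was seen from an ordinary student's point of view

@dataclass(frozen=True)
class Gap:
    control: str
    objective: str
    title: str
    status: str       # "implemented", "partial", "absent" or "not assessed"
    evidence: str
    action: str       # "none", "future" or "immediate"

# Scoring rule assumed by this example (not an ISO 27002 rule).
ACTION = {Status.IMPLEMENTED: "none", Status.PARTIAL: "future", Status.ABSENT: "immediate"}

def validate(observations):
    """Reject observations that break the audit's scope: clauses not in the extract,
    clauses the Chief Auditor excluded, duplicates, or gaps recorded without evidence."""
    seen = set()
    for obs in observations:
        if obs.control not in EXPECTED_CONTROLS:
            raise ValueError(f"{obs.control}: not in the ISO 27002 clause 7 extract")
        if not EXPECTED_CONTROLS[obs.control][2]:
            raise ValueError(f"{obs.control}: marked 'not required for this audit'")
        if obs.control in seen:
            raise ValueError(f"{obs.control}: recorded twice; merge the evidence")
        if obs.status is not Status.IMPLEMENTED and not obs.evidence.strip():
            raise ValueError(f"{obs.control}: a gap needs supporting evidence")
        seen.add(obs.control)

def gap_analysis(observations):
    """One Gap record per in-scope expected control, in clause order. In-scope controls
    with no observation are reported as 'not assessed' so fieldwork gaps stay visible."""
    validate(observations)
    by_control = {o.control: o for o in observations}
    gaps = []
    for clause, (objective, title, in_scope) in EXPECTED_CONTROLS.items():
        if not in_scope:
            continue
        obs = by_control.get(clause)
        if obs is None:
            gaps.append(Gap(clause, objective, title, "not assessed", "", "immediate"))
        else:
            gaps.append(Gap(clause, objective, title, obs.status.name.lower(),
                            obs.evidence, ACTION[obs.status]))
    return gaps

def summary(gaps):
    """Per-objective counts feeding the Section 6(a) overall conclusion."""
    out = {}
    for g in gaps:
        s = out.setdefault(g.objective,
                           {"implemented": 0, "partial": 0, "absent": 0, "not assessed": 0})
        s[g.status] += 1
    return out

def recommendations(gaps):
    """Split findings into the two lists Section 6(b) asks for."""
    immediate = [g.control for g in gaps if g.action == "immediate"]
    future = [g.control for g in gaps if g.action == "future"]
    return immediate, future

# Constructed sample fieldwork log; invented for illustration, not real findings.
# 7.6 is deliberately omitted to show the 'not assessed' path.
SAMPLE = [
    Observation("7.1", Status.IMPLEMENTED, "lab floor reached only through a card-controlled corridor door"),
    Observation("7.2", Status.PARTIAL, "card reader present but door propped open during the morning session"),
    Observation("7.3", Status.IMPLEMENTED, "labs have solid doors with closers"),
    Observation("7.8", Status.PARTIAL, "desktop units on open desks with no cable locks"),
    Observation("7.11", Status.IMPLEMENTED, "sockets on a labelled supply; no interruptions seen"),
    Observation("7.12", Status.ABSENT, "patch cables and a floor box left exposed with no trunking"),
]

if __name__ == "__main__":
    gaps = gap_analysis(SAMPLE)
    for g in gaps:
        print(f"{g.control:5} {g.title:45} {g.status:13} -> {g.action}")
    print(summary(gaps))
    print(recommendations(gaps))
```

The validation step is the part worth keeping even if the rest is replaced by a spreadsheet: it enforces the client's scope mechanically, so an observation against 7.4 (monitoring) cannot slip into the report, and it refuses a "partial" or "absent" finding that has no recorded evidence, which is the first thing a client will challenge.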
