KENNETH KIBATHI

MSCCS/2024/46923
MIT 5110: INFORMATION SYSTEM SECURITY CONTROL AND AUDIT.

Question 1

A. Briefly describe the key stages of a cybersecurity audit process ( 4 marks)

1️Planning & Scope Definition: Define the audit objectives, scope, and criteria; identify the
systems, networks, and data to be assessed; ensure compliance with relevant security policies and
regulations.
2️Risk Assessment & Data Collection: Evaluate potential security risks and vulnerabilities;
analyze system configurations; review security logs; conduct interviews with IT staff; gather data
through security scans and network monitoring.
3️Evaluation & Testing: Perform penetration tests, vulnerability scans, and compliance checks;
assess the effectiveness of security controls, including firewall rules, encryption methods, access
controls, and authentication mechanisms.
4️Reporting & Recommendations: Document findings in a detailed audit report; highlight
security gaps, compliance issues, and areas of concern; provide recommendations for strengthening
security measures, mitigating risks, and improving overall cybersecurity posture.

B. With the landscape of cybersecurity threats constantly evolving, describe how

organizations should adapt their information security controls to mitigate new types of
attacks (4 marks)

1️Implement Continuous Threat Monitoring: Deploy real-time security monitoring tools, such as
SIEM (Security Information and Event Management) and Intrusion Detection Systems (IDS/IPS),
to detect and respond to anomalies and potential threats before they cause damage.
2️Enhance Endpoint Security: Protect devices by implementing Endpoint Detection and Response
(EDR) solutions, enforcing Zero Trust policies, and keeping all operating systems, software, and
antivirus solutions updated against the latest exploits.
3️Adopt a Zero Trust Security Model: Enforce least privilege access, implement multi-factor
authentication (MFA), and continuously verify user and device trust levels before granting access to
sensitive resources.
4️Regularly Conduct Security Awareness Training: Educate employees on phishing attacks,
social engineering, and password hygiene, ensuring that human errors are minimized as they remain
a leading cause of security breaches.
5️Use Advanced Threat Intelligence: Leverage threat intelligence feeds, AI-driven security
analytics, and machine learning algorithms to anticipate and neutralize cyber threats before they
escalate into full-scale attacks.
6️Strengthen Cloud Security Measures: Secure cloud environments by enforcing data encryption,
identity and access management (IAM), and continuous security audits, ensuring compliance with
best security practices and regulatory standards.
7️Conduct Regular Security Audits & Penetration Testing: Perform vulnerability assessments,
red team exercises, and simulated cyberattacks to identify weaknesses in security infrastructure and
promptly address them.
8️Ensure Robust Incident Response & Recovery Plans: Develop and test incident response
protocols, disaster recovery plans, and backup strategies, ensuring business continuity in the event
of a ransomware attack or data breach.

C. Discuss the legal and ethical considerations that information security professionals must
navigate during their audits and control implementations ( 4 marks)

Legal Considerations

Compliance with Data Protection Laws: such as GDPR (General Data Protection Regulation),
CCPA (California Consumer Privacy Act), HIPAA (Health Insurance Portability and Accountability
Act), and PCI DSS (Payment Card Industry Data Security Standard) to ensure proper handling of
sensitive data.
Authorization & Legal Scope: Ensure audits and security implementations are authorized by the
organization to avoid legal violations such as unauthorized access, data interception, or surveillance
beyond the agreed scope.
Intellectual Property Protection: Respect intellectual property rights when handling proprietary
software, digital assets, and third-party tools during audits and security assessments.
Incident Disclosure & Reporting: Follow laws requiring organizations to report data breaches to
regulatory authorities and affected parties within a specified time frame to maintain transparency
and legal compliance.

Ethical Considerations
Confidentiality & Privacy Protection: Maintain the confidentiality of sensitive business and
personal data encountered during audits, ensuring it is not misused or exposed.
Minimizing Intrusiveness: Perform audits and security implementations with minimal disruption to
users and business operations, ensuring ethical balance between security and user freedom.
Avoiding Conflict of Interest: Ensure impartiality by avoiding conflicts of interest, such as favoring
a specific vendor or using privileged access for personal gain.
Responsible Disclosure of Vulnerabilities: Report security weaknesses responsibly to the
organization, rather than exposing them publicly or using them maliciously.
Accountability & Integrity: Follow professional codes of ethics such as those set by (ISC)², ISACA,
and EC-Council, ensuring honest and transparent communication in security assessments.

D. Using an example, provide an incident response scenario and discuss how the audit process
can uncover gaps in the response plan. (4 marks )

A financial institution, Lanisha Sacco suffers a ransomware attack, encrypting critical customer data
and demanding a ransom; the IT security team follows the incident response plan by isolating
infected systems, notifying authorities, restoring backups, and strengthening defenses.
How the Audit Process Uncovers Gaps in the Response Plan:
1️Gap in Early Detection: The audit reveals that the Intrusion Detection System (IDS) failed to
flag suspicious activity in time; solution: implement real-time threat monitoring and enhance log
analysis for faster anomaly detection.
2️Gap in Incident Containment: The ransomware spread across multiple departments due to a
lack of network segmentation; solution: enforce Zero Trust security and restrict access to prevent
lateral movement.
3️Gap in Communication & Reporting: Employees delayed reporting the breach due to unclear
escalation procedures; solution: conduct staff training on incident escalation protocols and establish
a clear chain of communication.
4️Gap in Data Recovery & Business Continuity: Backups were incomplete, leading to partial
data loss; solution: perform regular backup testing, maintain offsite encrypted backups, and ensure
data is ransomware-resistant.

E. Compare and contrast NIST Cybersecurity Framework vs. ISO/IEC 27001) in terms of
their approach to identifying, assessing, and mitigating risks. ( 4 marks)

While NIST CSF is voluntary and widely used in the U.S. for organizations seeking cybersecurity
best practices, ISO/IEC 27001 is an internationally recognized standard often required for
regulatory compliance and external audits.

While NIST CSF takes a flexible, risk-based approach that organizations can tailor based on
industry needs, ISO/IEC 27001 follows a systematic, compliance-driven approach requiring the
establishment of an Information Security Management System (ISMS) with strict documentation
and continuous improvement.

The NIST Cybersecurity Framework (CSF) and ISO/IEC 27001 both provide structured approaches
to identifying, assessing, and mitigating cyber security risks by helping organizations implement
security controls and improve resilience against cyber threats.

Both frameworks encourage organizations to integrate security measures into business processes,
but while NIST CSF provides broad, outcome-based guidelines that allow flexibility, ISO/IEC
27001 mandates strict risk management, documentation, and periodic audits to maintain
certification.

Question 2
A. Briefly discuss how ethical hacking and penetration testing fit into the overall audit process
(4 marks)
Ethical hacking and penetration testing play a crucial role in the overall audit process by identifying
security vulnerabilities before malicious attackers can exploit them.
Ethical hacking involves simulating real-world cyberattacks to assess an organization’s security
posture, while penetration testing is a more targeted approach that actively tests specific systems,
networks, or applications for weaknesses.
Both techniques help auditors evaluate the effectiveness of security controls, incident response
readiness, and compliance with cybersecurity policies by exposing gaps that traditional audits may
overlook.
While ethical hacking provides a broader assessment of an organization’s overall security resilience,
penetration testing focuses on specific vulnerabilities and verifies whether security measures are
effective in preventing breaches.
By incorporating these proactive security assessments into the audit process, organizations can
ensure continuous improvement, risk mitigation, and compliance with industry standards such as
ISO/IEC 27001 and NIST CSF.

B. Briefly describe the unique challenges of managing information security in cloud

computing environments. ( 4 marks)
1️Shared Responsibility Model: Security is split between the cloud provider and the customer,
requiring organizations to clearly define and manage their security responsibilities.
2️Data Privacy & Compliance: Ensuring compliance with GDPR, HIPAA, and ISO/IEC 27001 is
complex as data is stored across multiple cloud locations with varying regulations.
3️Data Breaches & Insider Threats: Cloud environments are vulnerable to unauthorized access,
requiring strong encryption, identity management, and access controls to prevent breaches.
4️Insecure APIs & Misconfigurations: Poorly secured APIs and cloud misconfigurations can
expose sensitive data, making regular security audits and configuration management essential.
5️Lack of Visibility & Control: Organizations have limited control over cloud infrastructure,
requiring real-time monitoring, automated security tools, and cloud security posture management
(CSPM).
6️Incident Response & Recovery Challenges: Detecting and responding to security incidents in
cloud environments is more difficult, necessitating robust logging, automated threat detection, and a
cloud-specific response plan.

C. Discuss strategies for ensuring compliance with relevant security standards and
regulations when data and applications are hosted in the cloud ( 6 marks)

1️Understand and Align with Compliance Requirements: Identify relevant security standards
and regulations (e.g., GDPR, HIPAA, ISO/IEC 27001, PCI DSS) and ensure cloud configurations
align with their requirements.
2️Implement Strong Access Controls and Identity Management: Enforce Multi-Factor
Authentication (MFA), Role-Based Access Control (RBAC), and Least Privilege Access to prevent
unauthorized access to sensitive cloud data.
3️Use Data Encryption and Secure Storage: Encrypt data at rest, in transit, and during processing
using strong encryption standards (e.g., AES-256, TLS 1.2+) to protect information from breaches.
4️Perform Regular Security Audits and Assessments: Conduct continuous monitoring,
vulnerability scans, and penetration testing to detect compliance gaps and security weaknesses
before attackers exploit them.
5️Ensure Cloud Provider Compliance and Security Certifications: Choose trusted cloud
providers (e.g., AWS, Azure, Google Cloud) that have compliance certifications for standards like
ISO 27001, SOC 2, and FedRAMP to ensure regulatory adherence.
6️Maintain Incident Response and Data Retention Policies: Establish a clear incident response
plan, data backup strategies, and retention policies to comply with legal requirements and ensure
business continuity.

D. Describe the potential benefits and risks of using artificial intelligence (AI) in information
security controls and audits. (4 marks)

Benefits:
Enhanced Threat Detection: AI-powered security tools can analyze vast amounts of data in real
time to detect anomalies and cyber threats faster than traditional methods.
2️Automated Security Audits: AI automates compliance checks, vulnerability assessments, and
log analysis, improving accuracy and reducing manual workload.
3️Predictive Analysis & Proactive Defense: AI can identify emerging threats by analyzing
patterns, enabling organizations to take preventive security measures.
4️Improved Incident Response: AI-driven Security Orchestration, Automation, and Response
(SOAR) systems help contain and mitigate security incidents quickly.
Risks:
1️False Positives & Bias: AI models may generate false alerts or miss threats due to biased or
incomplete training data, leading to ineffective security responses.
2️Adversarial Attacks: Cybercriminals can manipulate AI models through adversarial machine
learning techniques, tricking security systems into misclassifying threats.
3️Data Privacy & Compliance Concerns: AI systems require large datasets, raising concerns
about data privacy, regulatory compliance, and ethical use of information.
4️High Implementation Costs & Complexity: AI-driven security solutions require significant
investment, skilled personnel, and ongoing model training to remain effective.

Question 4
A. Discuss the following IT Governance Frameworks
I. IT Infrastructure Library (ITIL) (5 marks)

The IT Infrastructure Library (ITIL) is a globally recognized framework for IT service management
(ITSM) that provides best practices for delivering high-quality IT services that align with business
goals. It focuses on standardizing processes, improving efficiency, and enhancing customer
satisfaction in IT service delivery.
ITIL is structured around five core stages in the service lifecycle:
1️Service Strategy: Defines IT service objectives, value creation, and financial management to
align IT with business needs.
2️Service Design: Plans and develops IT services, ensuring aspects such as capacity, availability,
security, and compliance are well-structured before deployment.
3️Service Transition: Manages the implementation of new or modified IT services, ensuring
smooth transitions while minimizing risks and disruptions.
4️Service Operation: Focuses on the day-to-day management of IT services, handling incidents,
problems, access control, and operational tasks to ensure reliability.
5️Continual Service Improvement (CSI): Ensures ongoing evaluation and enhancement of IT
services by analyzing performance and identifying areas for improvement.

II. COBIT, (5 marks)

COBIT (Control Objectives for Information and Related Technologies) is a globally recognized IT
governance and management framework developed by ISACA. It helps organizations ensure that IT
processes align with business goals while maintaining security, compliance, and risk management.
COBIT focuses on bridging the gap between business and IT by providing best practices for
governance, control, and risk management across enterprise IT environments.

There are several components of COBIT.

1️Framework: Provides a structured approach to aligning IT with business objectives.
2️Principles & Policies: Defines governance principles, security policies, and compliance
requirements.
3️Processes & Controls: Establishes guidelines for managing IT operations, risk, and security.
4️Performance Measurement: Uses metrics and KPIs to monitor IT service performance and
effectiveness.
5️Continuous Improvement: Ensures organizations regularly assess and enhance IT processes for
better efficiency and security.

III. British Standard International Organization for Standardization (ISO)/International

Electro technical Commission 27002 (ISO/IEC 27002). (5 marks)

ISO/IEC 27002 is an internationally recognized standard for information security controls,

developed by the International Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC). It provides best practices and guidelines for implementing
security measures within an Information Security Management System (ISMS).
There are several aspects of ISO/IEC 27002.
1️Security Policies: Establishes guidelines for documenting and enforcing security policies to
ensure organizational compliance.
2️Risk Management: Helps organizations identify, assess, and mitigate information security risks
through structured controls.
3️Access Control: Defines measures for user authentication, role-based access, and data protection
to prevent unauthorized access.
4️Cryptography & Data Protection: Provides guidelines for encryption, secure communication,
and cryptographic key management to safeguard sensitive information.
5️Incident Response & Business Continuity: Ensures organizations implement incident
management, disaster recovery, and backup strategies to maintain business operations in case of
security breaches.

B. What is an IT strategic plan and why is it significant in aligning business objectives with
IT (5 marks)
An IT strategic plan is a long-term roadmap that outlines how an organization’s technology
resources, investments, and initiatives will support its overall business objectives. It defines the
vision, goals, and priorities for IT to ensure that technology aligns with and drives business growth.

Significance of an IT Strategic Plan in Aligning Business Objectives with IT:

1️Business-IT Alignment: Ensures that IT investments and initiatives directly support the
company’s strategic goals, operational needs, and competitive advantage.
2️Resource Optimization: Helps organizations prioritize IT spending, manage budgets effectively,
and allocate resources efficiently to maximize value.
3️Risk Management & Security: Establishes frameworks for cybersecurity, compliance, and data
protection to mitigate IT-related risks and safeguard business operations.
4️Innovation & Competitive Advantage: Enables businesses to adopt emerging technologies (AI,
cloud computing, automation) to drive innovation, efficiency, and market leadership.
5️Scalability & Future Growth: Provides a structured approach for technology scalability, digital
transformation, and infrastructure upgrades to support long-term business expansion.

Question 5
SecureTech Inc. is a leading cybersecurity firm that provides a wide range of security services,
including vulnerability assessments, penetration testing, and managed security services to clients
across various industries. Despite its strong market reputation, SecureTech recently fell victim to
a sophisticated cyber attack that led to a significant data breach.
Incident Overview
The breach was initially detected by an anomaly in the network traffic, which was flagged by the
intrusion detection system. Upon further investigation, it was discovered that attackers had
exploited a zero-day vulnerability in one of the third-party software applications used by
SecureTech. This allowed them to gain unauthorized access to the company’s internal networks.
Once inside, the attackers were able to move laterally across the network, eventually gaining access
to a critical server containing sensitive client data, including financial information, intellectual
property, and personal identification information. The breach went undetected for approximately
two weeks, during which the attackers exfiltrated a significant amount of data.
Post-Incident Response:
Upon discovery of the breach, SecureTech’s incident response team was immediately mobilized.
The team took steps to contain the breach by isolating affected systems, eradicating the attackers’
presence from the network, and starting the recovery process. The company also notified law
enforcement and all affected clients, offering support and identity protection services where
necessary.
3

An external forensic investigation was commissioned to thoroughly understand the breach's scope,
the attackers' methods, and any potential weaknesses in SecureTech’s security posture that were
exploited.
Challenges Identified

Third-Party Risk Management:- The breach was made possible through a vulnerability in third-
party software, highlighting a gap in SecureTech’s vendor risk assessment and management

processes.
Detection and Response Time:- The breach went undetected for two weeks, indicating potential
shortcomings in SecureTech’s monitoring and incident detection capabilities.
Insider Threats:- Preliminary investigations have not ruled out the possibility of an insider
facilitating the breach, either knowingly or unknowingly, by bypassing certain security controls.
Questions :
a) Discuss the steps should SecureTech take to improve its third-party risk management
processes to prevent similar breaches in the future? ( 5 marks)

1️Conduct Comprehensive Vendor Risk Assessments: Evaluate all third-party software providers
for security vulnerabilities, compliance with industry standards, and past security incidents before
integration.
2️Implement a Vendor Security Policy: Establish strict security requirements for third-party
vendors, including regular security audits, secure coding practices, and access control measures.
3️Continuous Monitoring of Third-Party Software: Use automated tools to scan third-party
applications for vulnerabilities and ensure real-time threat detection.
4️Zero Trust Access Control for Vendors: Restrict vendor access to only necessary systems and
implement least privilege access to prevent lateral movement in case of compromise.
5️Regular Security Patching and Updates: Ensure third-party vendors provide timely security
patches and mandate regular software updates to mitigate zero-day vulnerabilities.

b) Describe how SecureTech ensure that third-party software complies with its internal
security standards? ( 5 marks)

1️Establish Security Baselines for Vendors: Define and enforce minimum security requirements,
such as encryption standards, secure authentication, and regular security testing.
2️Security Audits and Penetration Testing: Conduct periodic audits and penetration tests on third-
party software to detect and remediate vulnerabilities before they are exploited.
3️Contractual Security Requirements: Include data protection clauses, incident reporting
obligations, and security compliance mandates in vendor contracts.
4️Software Bill of Materials (SBOM) Review: Require vendors to provide an SBOM to track all
software components and detect known vulnerabilities in open-source dependencies.
5️Zero-Day Vulnerability Response Plan: Collaborate with vendors to establish a rapid patch
management and remediation process in case of newly discovered security flaws.

c) Considering the possibility of an insider threat, describe the preventive measures can
SecureTech implement to detect and mitigate such risks? ( 5 marks)

1️User Behavior Analytics (UBA): Deploy AI-driven tools to monitor anomalous activities, such
as unauthorized access attempts, unusual data transfers, or excessive privilege escalation.
2️Role-Based Access Control (RBAC): Enforce least privilege access, ensuring employees can
only access resources necessary for their roles.
3️Mandatory Security Awareness Training: Educate employees on social engineering tactics,
phishing attacks, and insider threat risks to minimize unintentional security breaches.
4️Multi-Factor Authentication (MFA): Implement MFA for all critical systems to prevent
unauthorized access even if credentials are compromised.
5️Incident Response & Whistleblower Policies: Establish anonymous reporting mechanisms for
employees to report suspicious activities without fear of retaliation.

d) Discuss how continuous monitoring and behavior analysis help in identifying potential
insider threats? ( 5 marks)

1️Real-Time Anomaly Detection: AI-powered Security Information and Event Management

(SIEM) systems analyze network activity for unusual login patterns, file access, and unauthorized
data transfers.
2️Privileged Access Monitoring: Track administrator and high-privilege account activities to
detect potential misuse or unauthorized changes to critical systems.
3️Data Loss Prevention (DLP) Systems: Implement DLP solutions to monitor and restrict
sensitive data transfers via email, USB devices, or cloud applications.
4️Automated Alerting and Response: Configure security tools to automatically flag suspicious
activities, such as excessive file downloads, failed login attempts, or off-hours system access.
5️Continuous Employee Risk Assessment: Regularly review employee access levels, behavioral
patterns, and past security incidents to identify potential insider threats before they escalate.