
I need help with this lab please

Aligning Auditing Frameworks for a Business Unit within the DoD

The Department of Defense (DoD) has established auditing frameworks for its business units, outlining baseline requirements and hardening guidelines that must be met by government networks.

Utilizing an audit framework provides a standardized and structured foundation for establishing security policies. The audit process subsequently enables the organization to assess its adherence to these security policies. When integrated with a risk assessment, the organization gains the ability to identify and address any existing gaps, effectively mitigating IT risks.

In this lab, you will identify the requirements and hardening guides that provide a framework to which a government network and business should adhere. You will begin by assessing the available sites under the Department of Defense (DoD) and identify agencies in charge of providing security guidelines. You will then review the hardening and best practice guidelines provided by the DoD's Defense Information Systems Agency (DISA), Cyber Exchange, and National Institute of Standards and Technology (NIST).

Learning Objectives

Upon completing this lab, you will be able to:

  1. Identify the minimum baseline requirements and hardening guidelines that provide a framework to which a government network and business unit should adhere.
  2. Assess available sites under the Department of Defense (DoD) and identify the agencies in charge of providing security guidelines and best practices for federal entities.
  3. Review hardening and best practice guidelines provided by DoD's Defense Information Systems Agency (DISA), Cyber Exchange, and NIST.
  4. Draft an executive summary identifying and explaining the two auditing frameworks or hardening guidelines/security checklists used by DoD.

Hands-On

  1. On your local computer, create a new document.

You can use this document to keep notes. The document does NOT need to be submitted.

  1. Consider the following scenario:

You work for a governmental unit of the DoD and your manager has asked you to write a brief paper outlining the importance of having the proper DoD-approved frameworks in place when an organization wants to conduct business with a governmental unit. Your task is to evaluate all the available Defense Information Systems Agency (DISA), Cyber Exchange, and National Institute of Standards and Technology (NIST) hardening guides on the Internet and to write a brief analysis of the technical controls and hardening guides that should be implemented as a minimum guideline for divisions of government agencies such as yours.

Frameworks as a Guide

Frameworks are, in general, a set of ideas or rules to guide you, whether the rules apply to how to administer IT equipment, how to manage your daily work, or how to drive a car. The framework does not detail the manner in which you conduct yourself hour by hour, but only the general rules you should avoid breaking. The DoD-approved frameworks you research will provide these rules in the form of controls.

Controls can either describe or prescribe "best practices" to secure your IT environment. It is also these controls that grant auditors the ability to measure whether the IT environment following that framework is staying compliant, that is, keeping within these rules.

  1. On your local computer, open a new web browser window.
  2. In your browser, navigate to https://www.isaca.org/resources/news-and-trends/industry-news/2022/an-integrated-approach-to-....... security-audits and review the article to establish a high-level understanding of a security audit.
  3. In your browser, navigate to https://csrc.nist.gov/pubs/fips/200/final and review the abstract of the FIPS 200 PDF. Download the PDF and review section 4 (Security Control Selection) to determine which cybersecurity framework pertains to your DoD contracting business.

Note: The PDF version can be found at https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf

  1. Gather information about the security auditing process and which framework should be used in the organization.
  2. In your browser, navigate to https://www.disa.mil/.

  1. Review the Defense Information Systems Agency (DISA) website, focusing on the agency's services and capabilities. Evaluate which services and capabilities are relevant to the task of formulating a framework for secure government operations.

Note: In browsing the pages of the DISA website, you might be prompted for a DoD-approved public key infrastructure (PKI) client certificate to access the linked page. Without the certificate, your browsing will end there. A DoD-approved PKI client certificate is not required to complete this lab.

  1. In your browser, navigate to https://public.cyber.mil/.
  2. Review the online training catalog on the website, focusing on information security and related training.
  3. From the website's navigation menu, select SRGs/STIGs, then click Document Library from the menu on the left to open the STIGs Document Library.

Note: The STIG files are saved in an XML format, and the other files in the folder control the formatting of the XML file. Since these files are structured in XCCDF (Extensible Configuration Checklist Description Format), an XML format for specifying security checklists, benchmarks, and configuration documentation, producing a readable version of this content generally requires SCAP-validated software. More information can be found in the DoD's SRG/STIG Tools and Viewing Guidance here: https://public.cyber.mil/stigs/srg-stig-tools/. For this reason, an HTML document has been included in this archive for easy viewing of the content in your local web browser, which you will access in the next step.

Note that these ZIP archives contain versions of the DoD's STIGs that are current at the time of this writing. If a new version/revision has been published, you can retrieve it by navigating to https://public.cyber.mil/stigs/, selecting the Document Library link from the left-hand menu, and then searching for the necessary STIG using the provided Search box.

  1. Review the top 5 Rule Titles of each of the STIGs (Security Technical Implementation Guides) and the SRG (Security Requirements Guide) focused on the following topics:

  • Network Hardening Guides
    • https://jbl-lti.hatsize.com/uploads/U_Network_Infrastructure_Policy_V10R6_STIG.zip
  • Secure Remote Computing
    • https://jbl-lti.hatsize.com/uploads/U_VPN_V2R5_SRG.zip
  • Windows Operating Systems
    • https://jbl-lti.hatsize.com/uploads/U_MS_Windows_10_V2R8_STIG.zip
  • Application Security
    • https://jbl-lti.hatsize.com/uploads/U_ASD_V5R3_STIG.zip

Note: Each of the links will download a copy of the associated STIGs/SRG. To open the necessary documents, perform the following actions:

  • In your downloads folder, double-click the downloaded ZIP archive to open the archive using your default compressed file manager application.
  • From the Zip archive, click the embedded ZIP file and click the Extract button in your compressed file manager application.
  • On your computer, navigate to the location of the extracted files.
  • Double-click the .htm file to open it in a browser window (example: U_VPN_SRG_V2R5_Manual-xccdf.htm).
  1. In your browser, navigate to https://csrc.nist.gov/publications/sp.
  2. Review the NIST list of Special Publications (800 Series), and review the contents of the guides related to security and privacy controls for information systems and organizations (800-53 and 800-53A titles).
  3. Keep the document with your notes open because in the next activity you will answer questions based on your findings in this lab.
  4. To begin the assessment of this lab click Next.
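The STIG archives in the lab are XCCDF XML, which is why a bundled .htm file is provided for viewing. As an added example that is not part of the lab or of DISA's tooling, the following Python script reads a constructed sample benchmark (hypothetical rule ids and titles, not a real STIG) with only the standard library, pulls out the Rule Titles the lab asks you to review, and maps each rule's high/medium/low severity to the CAT I/II/III levels used in STIG findings.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# DISA STIG rules carry severity high/medium/low, which correspond to CAT I/II/III findings.
SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

# Constructed sample benchmark (hypothetical ids and titles, not a real STIG).
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_sample">
  <title>Sample Network Device STIG (constructed)</title>
  <Group id="xccdf_example_group_V-000001">
    <title>SRG-NET-000001</title>
    <Rule id="xccdf_example_rule_SV-000001r1_rule" severity="high" weight="10.0">
      <title>The device must enforce approved authorizations for remote access.</title>
    </Rule>
  </Group>
  <Group id="xccdf_example_group_V-000002">
    <title>SRG-NET-000002</title>
    <Rule id="xccdf_example_rule_SV-000002r1_rule" severity="medium" weight="10.0">
      <title>The device must log all administrative access attempts.</title>
    </Rule>
    <Rule id="xccdf_example_rule_SV-000003r1_rule" severity="low" weight="10.0">
      <title>The device must display the Standard Mandatory DoD Notice and Consent Banner.</title>
    </Rule>
  </Group>
</Benchmark>"""


def parse_rules(xccdf_text):
    """Return every <Rule> in document order as a dict of id, severity, category and title."""
    root = ET.fromstring(xccdf_text)
    rules = []
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        title_el = rule.find(f"{{{XCCDF_NS}}}title")  # the Rule's own title, not the Group's
        severity = rule.get("severity", "").lower()
        rules.append({
            "id": rule.get("id", ""),
            "severity": severity,
            "category": SEVERITY_TO_CAT.get(severity, "unrated"),
            "title": (title_el.text or "").strip() if title_el is not None else "",
        })
    return rules


def top_rule_titles(xccdf_text, n=5):
    """The first n Rule Titles, matching the lab's 'review the top 5 Rule Titles' step."""
    return [r["title"] for r in parse_rules(xccdf_text)[:n]]


def count_by_category(rules):
    """Count rules per CAT level so a reviewer can see where the severe requirements sit."""
    return dict(Counter(r["category"] for r in rules))
```

Point `parse_rules` at the text of a real `*_Manual-xccdf.xml` file from one of the downloaded archives to list its rules without the HTML viewer.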
