Using the selected approach, you should then conduct an audit or review of the information security issues associated with the use of computing facility and report on the findings. It is important that in conducting this review, issues around the risks associated with the particular circumstances of your facility are appropriately considered. It is also important that the review extends beyond the simple technical aspects of the situation.
Your report should include the following details:
- a discussion of the methodology or review approach that you have adopted. You should identify the approach, briefly outline it key features, and you should provide a justification as to why this is an appropriate tool for this assignment. Where you have taken a recognised approach (or combination of approaches) and have modified them to suit the particular circumstances of this review, you should outline any rationale for these modifications;
- a summary of the tasks undertaken to conduct the review. What steps did you follow in conducting the review? What evidence did you consider in helping you form your views? What tests did you perform in order to verify the answers to key review questions?
- the findings of your review and recommendations for improvement. What issues from the situation came up looking good in the review, and where was there room for improvement? What things would you change in order to improve the information security environment?
- a brief reflection on the methodology or review approach, following your experience of applying it to your personal computing facilities. Do you think this approach targeted the right issues? Did it leave anything out that you could see might be a significant information security issue? Did it expect certain security measures that you would regard as being unreasonable (assuming that you have applied the methodology in an appropriate way)? Did the approach allow for an adequate consideration of your risk profile and make allowances for risk management with these issues?