CSIA 413 Project 3 – IT Security Audit Policy & Plans
Hide Assignment Information | |||||||
Instructions | IT Security Audit Policy & Plans – Homework Solution | ||||||
Download the attached detailed assignment description for this project. You should also review the rubric shown below for additional information about the requirements for the project and how your work will be graded. Please make sure that you use both the assignment description file AND the rubric when completing your work. | |||||||
Due on Apr 16, 2024 11:59 PM | |||||||
Attachments | IT Security Audit Policy & Plans – Homework Solution | ||||||
|
Hide Rubrics
Rubric Name: Project 3: IT Audit Policy & Plans
Executive Summary | Excellent | Outstanding | Acceptable | Needs Improvement | Needs Significant Improvement | Missing or Unacceptable | Criterion Score | ||||||||
Executive Summary for the Policy Briefing Package | 12 points
The Executive Summary provided an excellent summary of the policy package’s purpose and contents. Information about the case study company was well integrated into the summary. Each policy was individually introduced and clearly explained. The material was well organized and easy to read. |
10.2 points
The Executive Summary provided an outstanding summary of the policy package’s purpose and contents. Information about the case study company was integrated into the summary. Each policy in the briefing package was individually introduced and briefly explained. The material was well organized and easy to read. |
8.4 points
The Executive Summary provided an acceptable overview of the contents of the policy package. Information about the case study company was used in the summary. Each policy in the briefing package was named and briefly explained. |
7.2 points
The Executive Summary provided an overview of the policy package. Information about the case study company was mentioned. |
4.8 points
An executive summary was provided but lacked details as to the purpose and contents of the policy package. (Or, inappropriate or excessive copying from other authors’ work.) |
0 points
No work submitted. |
Score of Executive Summary for the Policy Briefing Package,
/ 12 |
||||||||
Policy for IT Security Policy Compliance Audits | Excellent | Outstanding | Acceptable | Needs Improvement | Needs Significant Improvement | Missing or Unacceptable | Criterion Score | ||||||||
Policy Introduction | 12 points
The policy contained an excellent introduction which addressed five or more specific characteristics of the company’s business, legal & regulatory, and/or enterprise IT environments and addressed the reasons why employees must comply with this policy. Compliance requirements are addressed and contact information is provided for questions about the policy. |
10.2 points
The policy contained an outstanding introduction which addressed three or more specific characteristics of the company’s business, legal & regulatory, and/or enterprise IT environments and addressed the reasons why employees must comply with this policy. Compliance requirements are addressed and contact information is provided for questions about the policy. |
8.4 points
The introduction for the policy was customized for the case study company. Three or more specific characteristics of the company’s business, legal & regulatory, and/or enterprise IT environments were incorporated into the policy. Compliance requirements were addressed. |
7.2 points
The introduction to the policy mentions the case study company and compliance requirements. |
4.8 points
The policy was built from a sample template or list of “recommended” audit policy contents without customization for the case study company. (Or, inappropriate or excessive copying from other authors’ work.) |
0 points
No work submitted. |
Score of Policy Introduction,
/ 12 |
||||||||
Policy Content | 12 points
The issue specific policy provided excellent (clear and concise) coverage of the following: · policy issue (do required policies exist and have they been properly vetted & approved) · policy solution (auditing all IT security policies to determine compliance with security controls) · applicability (to what and to whom the policy applies) · compliance requirements · point of contact (for more information) The policy was easy to understand and thoroughly covered the required content. |
10.2 points
The issue specific policy provided outstanding coverage of the following: · policy issue (do required policies exist and have they been properly vetted & approved) · policy solution (auditing all IT security policies to determine compliance with security controls) · applicability (to what and to whom the policy applies) · compliance requirements · point of contact (for more information) The policy was easy to understand and addressed all required content. |
8.4 points
The issue specific policy provided adequate coverage of the following: · policy issue (do required policies exist and have they been properly vetted & approved) · policy solution (auditing all IT security policies to determine compliance with security controls) · applicability (to what and to whom the policy applies) · compliance requirements · point of contact (for more information) The policy was easy to understand and included all required content. |
7.2 points
The issue specific policy mentioned at least 3 of the following: · policy issue (do required policies exist and have they been properly vetted & approved) · policy solution (auditing all IT security policies to determine compliance with security controls) · applicability (to what and to whom the policy applies) · compliance requirements · point of contact (for more information) |
4.8 points
The issue specific policy was disorganized and difficult to understand. OR, the policy was significantly lacking in content. (Or, inappropriate or excessive copying from other authors’ work.) |
0 points
No work submitted. |
Score of Policy Content,
/ 12 |
||||||||
Audit Plans | Excellent | Outstanding | Acceptable | Needs Improvement | Needs Significant Improvement | Missing or Unacceptable | Criterion Score | |||||||
Security Awareness Audit Plan: Audit Background | 12 points
The Security Awareness audit plan contained an excellent background section which identified and discussed 5 or more risks which drive the requirements and objectives for this audit. IT security controls for security awareness (AT family of controls from NIST SP 800-53) and related compliance requirements were identified and discussed. Contact information was provided for the audit manager. Information from the case study was well integrated into the background material. |
10.2 points
The Security Awareness audit plan contained an outstanding background section which identified and discussed 3 or more risks which drive the requirements and objectives for this audit. IT security controls for security awareness (AT family of controls from NIST SP 800-53) and related compliance requirements were identified and discussed. Contact information was provided for the audit manager. Information from the case study was well integrated into the background material. IT Security Audit Policy & Plans – Homework Solution |
8.4 points
The Security Awareness audit plan contained an acceptable background section which discussed one or more risks which drive the requirements and objectives for this audit. IT security controls for security awareness (AT family of controls from NIST SP 800-53) and related compliance requirements were discussed. Contact information was provided for the audit manager. Some information from the case study was integrated into the background material. |
7.2 points
The background section mentions risks as drivers for the Security Awareness audit. Security controls and compliance requirements were mentioned. Information from the case study was used. |
4.8 points
The Security Awareness audit plan was built from a sample template or list of “recommended” audit plan contents without customization for the case study company. (Or, inappropriate or excessive copying from other authors’ work.) |
0 points
No work submitted. |
Score of Security Awareness Audit Plan: Audit Background,
/ 12 |
|||||||
Security Awareness Audit Plan: Audit Objectives | 6 points
A clear and concise set of audit objectives were presented. These objectives addressed (and named) each security control in the Awareness & Training (AT) family (as listed in NIST SP 800-53). |
4.8 points
A well written set of audit objectives were presented. The audit objectives addressed (and named) 4 or more security controls in the Awareness & Training (AT) family (as listed in NIST SP 800-53). |
3.6 points
Three or more audit objectives were presented. Each objective was mapped to a specific security control from the Awareness & Training (AT) family (as listed in NIST SP 800-53). |
2.4 points
Audit objectives were mentioned and discussed. But, the objectives were not clearly identified or were not tied to security controls from the Awareness & Training (AT) family. |
1.2 points
Audit objectives were mentioned but not clearly identified or expressed. (Or, inappropriate or excessive copying from other authors’ work.) |
0 points
Missing or no work submitted. |
Score of Security Awareness Audit Plan: Audit Objectives,
/ 6 |
|||||||
Security Awareness Audit Plan: Audit Approach | 18 points
The Audit Approach clearly and concisely identified and described the major elements in the data collection strategy (what data will be collected, how it will be collected, what will be measured). The data collection strategy was supported by a checklist (for a document review) or list of questions (for a survey). The relationship between the audit approach and the measurement of the effectiveness of the security controls implementation was explained. |
16.2 points
The Audit Approach clearly identified the major elements in the data collection strategy (what data will be collected, how it will be collected, what will be measured). The data collection strategy was supported by a checklist (for a document review) or list of questions (for a survey). The relationship between the audit approach and the measurement of the effectiveness of the security controls implementation was clearly stated. |
14.4 points
The Audit Approach adequately addressed the data collection strategy and provided sufficient information that the reader could understand how the effectiveness of the security controls implementation would be determined. |
12.6 points
Organization and appearance need improvement. The Audit Approach addressed the data collection strategy and provided some information about how compliance would be measured. |
7.2 points
The Audit Approach was disorganized and difficult to understand. OR, the approach was significantly lacking in content (data collection strategy was not clearly identified). (Or, inappropriate or excessive copying from other authors’ work.) |
0 points
No work submitted. |
Score of Security Awareness Audit Plan: Audit Approach,
/ 18 |
|||||||
IT Security Policies Audit Plan: Audit Background | 12 points
The IT Security Policies audit plan contained an excellent background section which identified and discussed 5 or more risks which drive the requirements and objectives for this audit. The 18 IT security policies & procedures security controls (e.g. AC-1, AT-1, etc. in NIST SP 800-53) were identified and discussed. Five or more additional controls from the PM & PL families were also addressed. Contact information was provided for the audit manager. Information from the case study was well integrated into the background material. |
10.2 points
The IT Security Policies audit plan contained an outstanding background section which identified and discussed 3 or more risks which drive the requirements and objectives for this audit. At least 12 IT security policies & procedures security controls (e.g. AC-1, AT-1, etc. in NIST SP 800-53) were identified and discussed. Three or more additional controls from the PM & PL families were also addressed. Contact information was provided for the audit manager. Information from the case study was well integrated into the background material. IT Security Audit Policy & Plans – Homework Solution |
8.4 points
The IT Security Policies audit plan contained an acceptable background section which identified 3 or more risks which drive the requirements and objectives for this audit. At least 10 IT security policies & procedures security controls (e.g. AC-1, AT-1, etc. in NIST SP 800-53) were identified and discussed. Three or more additional controls from the PM & PL families were also addressed. Contact information was provided for the audit manager. Information from the case study was integrated into the background material. |
7.2 points
The background section mentions risks as drivers for the IT Security Policies audit. Security controls and compliance requirements were mentioned. Information from the case study was used. |
4.8 points
The IT Security Policies audit plan was built from a sample template or list of “recommended” audit plan contents without customization for the case study company. (Or, inappropriate or excessive copying from other authors’ work.) |
0 points
No work submitted. |
Score of IT Security Policies Audit Plan: Audit Background,
/ 12 |
|||||||
IT Security Policies Audit Plan: Audit Objectives | 6 points
A clear and concise set of audit objectives were presented. These objectives addressed (and named) all 18 policy & procedures security controls (e.g. AC-1, AT-1 as listed in NIST SP 800-53). |
4.8 points
A well written set of audit objectives were presented. These objectives addressed (and named) at least 12 of the policy & procedures security controls (e.g. AC-1, AT-1 as listed in NIST SP 800-53). |
3.6 points
Three or more audit objectives were presented. These objectives addressed (and named) at least 10 of the policy & procedures security controls (e.g. AC-1, AT-1 as listed in NIST SP 800-53). |
2.4 points
Audit objectives were mentioned and discussed. But, the objectives were not clearly identified or were not tied to policy & procedures IT security controls from NIST SP 800-53. |
1.2 points
Audit objectives were mentioned but not clearly identified or expressed. (Or, inappropriate or excessive copying from other authors’ work.) |
0 points
Missing or no work submitted. |
Score of IT Security Policies Audit Plan: Audit Objectives,
/ 6 |
|||||||
IT Security Policies Audit Plan: Audit Approach | 18 points
The Audit Approach clearly and concisely identified and described the major elements in the data collection strategy (what data will be collected, how it will be collected, what will be measured). The data collection strategy was supported by a checklist (for a document review) or list of questions (for a survey). The relationship between the audit approach and the measurement of the effectiveness of the security controls implementation was explained. |
16.2 points
The Audit Approach clearly identified the major elements in the data collection strategy (what data will be collected, how it will be collected, what will be measured). The data collection strategy was supported by a checklist (for a document review) or list of questions (for a survey). The relationship between the audit approach and the measurement of the effectiveness of the security controls implementation was clearly stated. |
14.4 points
The Audit Approach adequately addressed the data collection strategy and provided sufficient information that the reader could understand how the effectiveness of the security controls implementation would be determined. |
12.6 points
Organization and appearance need improvement. The Audit Approach addressed the data collection strategy and provided some information about how compliance would be measured. |
7.2 points
The Audit Approach was disorganized and difficult to understand. OR, the approach was significantly lacking in content (data collection strategy was not clearly identified). (Or, inappropriate or excessive copying from other authors’ work.) |
0 points
No work submitted. |
Score of IT Security Policies Audit Plan: Audit Approach,
/ 18 |
|||||||
Professionalism | Excellent | Outstanding | Acceptable | Needs Improvement | Needs Significant Improvement | Missing or Unacceptable | Criterion Score | |||||||
Execution | 12 points
Work is professional in appearance and organization (appropriate and consistent use of fonts, headings, color). No word usage, grammar, spelling, or punctuation errors. All quotations (copied text) are properly marked and cited using a professional format (APA format recommended but not required.) |
10.2 points
Work is professional in appearance and organization (appropriate and consistent use of fonts, headings, color). Work contains minor errors in word usage, grammar, spelling or punctuation which do not significantly impact professional appearance. All quotations (copied text) are properly marked and cited using a professional format (APA format recommended but not required.) |
8.4 points
Work is professional in appearance and organization (minor issues allowable but overall the work contains appropriate and consistent use of fonts, headings, color). Errors in word usage, spelling, grammar, or punctuation which detract from professional appearance of the submitted work. All quotations (copied text) are properly marked and cited using a professional format (APA format recommended but not required.) |
7.2 points
Submitted work has numerous errors in formatting, organization, word usage, spelling, grammar, or punctuation which detract from readability and professional appearance. Punctuation errors may include failure to properly mark quoted or copied material (an attempt to name original source is required). |
4.8 points
Submitted work is difficult to read / understand and has significant errors in formatting, appearance / organization, spelling, grammar, punctuation, or word usage. Significant errors in presentation of copied text (lacks proper punctuation and failed to attribute material to original source). |
0 points
No work submitted. OR, work contains significant instances of cut-and-paste without proper citing / attribution to the original work or author. |
Score of Execution,
/ 12 |
|||||||