CSIA 413 Project 3 – IT Security Audit Policy & Plans – Homework Solution

CSIA 413 Project 3 – IT Security Audit Policy & Plans

Hide Assignment Information
Instructions IT Security Audit Policy & Plans – Homework Solution
Download the attached detailed assignment description for this project. You should also review the rubric shown below for additional information about the requirements for the project and how your work will be graded. Please make sure that you use both the assignment description file AND the rubric when completing your work.

CSIA 413 Project 3 - IT Security Audit Policy & Plans - Homework Solution
CSIA 413 Project 3 – IT Security Audit Policy & Plans – Homework Solution
Due on Apr 16, 2024 11:59 PM
Attachments IT Security Audit Policy & Plans – Homework Solution
CSIA 413 Project #3 Audit Policy and Plans v202… (60.02 KB)
Download All Files

Hide Rubrics

Rubric Name: Project 3: IT Audit Policy & Plans

Print

Executive Summary Excellent Outstanding Acceptable Needs Improvement Needs Significant Improvement Missing or Unacceptable Criterion Score
Executive Summary for the Policy Briefing Package 12 points

The Executive Summary provided an excellent summary of the policy package’s purpose and contents. Information about the case study company was well integrated into the summary. Each policy was individually introduced and clearly explained. The material was well organized and easy to read.

10.2 points

The Executive Summary provided an outstanding summary of the policy package’s purpose and contents. Information about the case study company was integrated into the summary. Each policy in the briefing package was individually introduced and briefly explained. The material was well organized and easy to read.

8.4 points

The Executive Summary provided an acceptable overview of the contents of the policy package. Information about the case study company was used in the summary. Each policy in the briefing package was named and briefly explained.

7.2 points

The Executive Summary provided an overview of the policy package. Information about the case study company was mentioned.

4.8 points

An executive summary was provided but lacked details as to the purpose and contents of the policy package. (Or, inappropriate or excessive copying from other authors’ work.)

0 points

No work submitted.

Score of Executive Summary for the Policy Briefing Package,

/ 12

Policy for IT Security Policy Compliance Audits Excellent Outstanding Acceptable Needs Improvement Needs Significant Improvement Missing or Unacceptable Criterion Score
Policy Introduction

CSIA 413 Project 3 - IT Security Audit Policy & Plans - Homework Solution
CSIA 413 Project 3 – IT Security Audit Policy & Plans – Homework Solution
12 points

The policy contained an excellent introduction which addressed five or more specific characteristics of the company’s business, legal & regulatory, and/or enterprise IT environments and addressed the reasons why employees must comply with this policy. Compliance requirements are addressed and  contact information is provided for questions about the policy.

10.2 points

The policy contained an outstanding introduction which addressed three or more specific characteristics of the company’s business, legal & regulatory, and/or enterprise IT environments and addressed the reasons why employees must comply with this policy. Compliance requirements are addressed and  contact information is provided for questions about the policy.

8.4 points

The introduction for the policy was customized for the case study company. Three or more specific characteristics of the company’s business, legal & regulatory, and/or enterprise IT environments were incorporated into the policy. Compliance requirements were addressed.

7.2 points

The introduction to the policy mentions the case study company and compliance requirements.

4.8 points

The policy was built from a sample template or list of “recommended” audit policy contents without customization for the case study company. (Or, inappropriate or excessive copying from other authors’ work.)

0 points

No work submitted.

Score of Policy Introduction,

/ 12

Policy Content 12 points

The issue specific policy provided excellent (clear and concise) coverage of the following:

·         policy issue (do required policies exist and have they been properly vetted & approved)

·         policy solution (auditing all IT security policies to determine compliance with security controls)

·         applicability (to what and to whom the policy applies)

·         compliance requirements

·         point of contact (for more information)

The policy was easy to understand and thoroughly covered the required content.

10.2 points

The issue specific policy provided outstanding coverage of the following:

·         policy issue (do required policies exist and have they been properly vetted & approved)

·         policy solution (auditing all IT security policies to determine compliance with security controls)

·         applicability (to what and to whom the policy applies)

·         compliance requirements

·         point of contact (for more information)

The policy was easy to understand and addressed all required content.

8.4 points

The issue specific policy provided adequate coverage of the following:

·         policy issue (do required policies exist and have they been properly vetted & approved)

·         policy solution (auditing all IT security policies to determine compliance with security controls)

·         applicability (to what and to whom the policy applies)

·         compliance requirements

·         point of contact (for more information)

The policy was easy to understand and included all required content.

7.2 points

The issue specific policy mentioned at least 3 of the following:

·         policy issue (do required policies exist and have they been properly vetted & approved)

·         policy solution (auditing all IT security policies to determine compliance with security controls)

·         applicability (to what and to whom the policy applies)

·         compliance requirements

·         point of contact (for more information)

4.8 points

The issue specific policy was disorganized and difficult to understand. OR, the policy was significantly lacking in content. (Or, inappropriate or excessive copying from other authors’ work.)

0 points

No work submitted.

Score of Policy Content,

/ 12

Audit Plans Excellent Outstanding Acceptable Needs Improvement Needs Significant Improvement Missing or Unacceptable Criterion Score
Security Awareness Audit Plan: Audit Background 12 points

The Security Awareness audit plan contained an excellent background section which identified and discussed 5 or more risks which drive the requirements and objectives for this audit. IT security controls for security awareness (AT family of controls from NIST SP 800-53) and related compliance requirements were identified and discussed. Contact information was provided for the audit manager. Information from the case study was well integrated into the background material.

10.2 points

The Security Awareness audit plan contained an outstanding background section which identified and discussed 3 or more risks which drive the requirements and objectives for this audit. IT security controls for security awareness (AT family of controls from NIST SP 800-53) and related compliance requirements were identified and discussed. Contact information was provided for the audit manager. Information from the case study was well integrated into the background material.

IT Security Audit Policy & Plans – Homework Solution

8.4 points

The Security Awareness audit plan contained an acceptable background section which discussed one or more risks which drive the requirements and objectives for this audit. IT security controls for security awareness (AT family of controls from NIST SP 800-53) and related compliance requirements were discussed. Contact information was provided for the audit manager. Some information from the case study was integrated into the background material.

7.2 points

The background section mentions risks as drivers for the Security Awareness audit. Security controls and compliance requirements were mentioned. Information from the case study was used.

4.8 points

The Security Awareness audit plan was built from a sample template or list of “recommended” audit plan contents without customization for the case study company. (Or, inappropriate or excessive copying from other authors’ work.)

0 points

No work submitted.

Score of Security Awareness Audit Plan: Audit Background,

/ 12

Security Awareness Audit Plan: Audit Objectives 6 points

A clear and concise set of audit objectives were presented. These objectives addressed (and named) each security control in the Awareness & Training (AT) family (as listed in NIST SP 800-53).

4.8 points

A well written set of audit objectives were presented. The audit objectives addressed (and named) 4 or more security controls in the Awareness & Training (AT) family (as listed in NIST SP 800-53).

3.6 points

Three or more audit objectives were presented. Each objective was mapped to a specific security control from the Awareness & Training (AT) family (as listed in NIST SP 800-53).

2.4 points

Audit objectives were mentioned and discussed. But, the objectives were not clearly identified or were not tied to security controls from the Awareness & Training (AT) family.

1.2 points

Audit objectives were mentioned but not clearly identified or expressed. (Or, inappropriate or excessive copying from other authors’ work.)

0 points

Missing or no work submitted.

Score of Security Awareness Audit Plan: Audit Objectives,

/ 6

Security Awareness Audit Plan: Audit Approach 18 points

The Audit Approach clearly and concisely identified and described the major elements in the data collection strategy (what data will be collected, how it will be collected, what will be measured). The data collection strategy was supported by a checklist (for a document review) or list of questions (for a survey). The relationship between the audit approach and the measurement of the effectiveness of the security controls implementation was explained.

16.2 points

The Audit Approach clearly identified the major elements in the data collection strategy (what data will be collected, how it will be collected, what will be measured). The data collection strategy was supported by a checklist (for a document review) or list of questions (for a survey). The relationship between the audit approach and the measurement of the effectiveness of the security controls implementation was clearly stated.

14.4 points

The Audit Approach adequately addressed the data collection strategy and provided sufficient information that the reader could understand how the effectiveness of the security controls implementation would be determined.

12.6 points

Organization and appearance need improvement. The Audit Approach addressed the data collection strategy and provided some information about how compliance would be measured.

7.2 points

The Audit Approach was disorganized and difficult to understand. OR, the approach was significantly lacking in content (data collection strategy was not clearly identified). (Or, inappropriate or excessive copying from other authors’ work.)

0 points

No work submitted.

Score of Security Awareness Audit Plan: Audit Approach,

/ 18

IT Security Policies Audit Plan: Audit Background 12 points

The IT Security Policies audit plan contained an excellent background section which identified and discussed 5 or more risks which drive the requirements and objectives for this audit.

The 18 IT security policies & procedures security controls (e.g. AC-1, AT-1, etc. in NIST SP 800-53) were identified and discussed. Five or more additional controls from the PM & PL families were also addressed. Contact information was provided for the audit manager. Information from the case study was well integrated into the background material.

10.2 points

The IT Security Policies audit plan contained an outstanding background section which identified and discussed 3 or more risks which drive the requirements and objectives for this audit.

At least 12 IT security policies & procedures security controls (e.g. AC-1, AT-1, etc. in NIST SP 800-53) were identified and discussed. Three or more additional controls from the PM & PL families were also addressed. Contact information was provided for the audit manager. Information from the case study was well integrated into the background material.

IT Security Audit Policy & Plans – Homework Solution

8.4 points

The IT Security Policies audit plan contained an acceptable background section which identified 3 or more risks which drive the requirements and objectives for this audit.

At least 10 IT security policies & procedures security controls (e.g. AC-1, AT-1, etc. in NIST SP 800-53) were identified and discussed. Three or more additional controls from the PM & PL families were also addressed. Contact information was provided for the audit manager. Information from the case study was integrated into the background material.

7.2 points

The background section mentions risks as drivers for the IT Security Policies audit. Security controls and compliance requirements were mentioned. Information from the case study was used.

4.8 points

The IT Security Policies audit plan was built from a sample template or list of “recommended” audit plan contents without customization for the case study company. (Or, inappropriate or excessive copying from other authors’ work.)

0 points

No work submitted.

Score of IT Security Policies Audit Plan: Audit Background,

/ 12

IT Security Policies Audit Plan: Audit Objectives 6 points

A clear and concise set of audit objectives were presented. These objectives addressed (and named) all 18 policy & procedures security controls (e.g. AC-1, AT-1 as listed in NIST SP 800-53).

4.8 points

A well written set of audit objectives were presented. These objectives addressed (and named) at least 12 of the policy & procedures security controls (e.g. AC-1, AT-1 as listed in NIST SP 800-53).

3.6 points

Three or more audit objectives were presented. These objectives addressed (and named) at least 10 of the policy & procedures security controls (e.g. AC-1, AT-1 as listed in NIST SP 800-53).

2.4 points

Audit objectives were mentioned and discussed. But, the objectives were not clearly identified or were not tied to policy & procedures IT security controls from NIST SP 800-53.

1.2 points

Audit objectives were mentioned but not clearly identified or expressed. (Or, inappropriate or excessive copying from other authors’ work.)

0 points

Missing or no work submitted.

Score of IT Security Policies Audit Plan: Audit Objectives,

/ 6

IT Security Policies Audit Plan: Audit Approach 18 points

The Audit Approach clearly and concisely identified and described the major elements in the data collection strategy (what data will be collected, how it will be collected, what will be measured). The data collection strategy was supported by a checklist (for a document review) or list of questions (for a survey). The relationship between the audit approach and the measurement of the effectiveness of the security controls implementation was explained.

16.2 points

The Audit Approach clearly identified the major elements in the data collection strategy (what data will be collected, how it will be collected, what will be measured). The data collection strategy was supported by a checklist (for a document review) or list of questions (for a survey). The relationship between the audit approach and the measurement of the effectiveness of the security controls implementation was clearly stated.

14.4 points

The Audit Approach adequately addressed the data collection strategy and provided sufficient information that the reader could understand how the effectiveness of the security controls implementation would be determined.

12.6 points

Organization and appearance need improvement. The Audit Approach addressed the data collection strategy and provided some information about how compliance would be measured.

7.2 points

The Audit Approach was disorganized and difficult to understand. OR, the approach was significantly lacking in content (data collection strategy was not clearly identified). (Or, inappropriate or excessive copying from other authors’ work.)

0 points

No work submitted.

Score of IT Security Policies Audit Plan: Audit Approach,

/ 18

Professionalism Excellent Outstanding Acceptable Needs Improvement Needs Significant Improvement Missing or Unacceptable Criterion Score
Execution 12 points

Work is professional in appearance and organization (appropriate and consistent use of fonts, headings, color).

No word usage, grammar, spelling, or punctuation errors. All quotations (copied text) are properly marked and cited using a professional format (APA format recommended but not required.)

10.2 points

Work is professional in appearance and organization (appropriate and consistent use of fonts, headings, color).

Work contains minor errors in word usage, grammar, spelling or punctuation which do not significantly impact professional appearance. All quotations (copied text) are properly marked and cited using a professional format (APA format recommended but not required.)

8.4 points

Work is professional in appearance and organization (minor issues allowable but overall the work contains appropriate and consistent use of fonts, headings, color).

Errors in word usage, spelling, grammar, or punctuation which detract from professional appearance of the submitted work. All quotations (copied text) are properly marked and cited using a professional format (APA format recommended but not required.)

7.2 points

Submitted work has numerous errors in formatting, organization, word usage, spelling, grammar, or punctuation which detract from readability and professional appearance. Punctuation errors may include failure to properly mark quoted or copied material (an attempt to name original source is required).

4.8 points

Submitted work is difficult to read / understand and has significant errors in formatting, appearance / organization, spelling, grammar, punctuation, or word usage. Significant errors in presentation of copied text (lacks proper punctuation and failed to attribute material to original source).

0 points

No work submitted. OR, work contains significant instances of cut-and-paste without proper citing / attribution to the original work or author.

Score of Execution,

/ 12

Posted in IT

Get 30% off your first purchase

X
Click to Order