IT Audit Policy and Plans

Your Task Assignment As a staff member supporting the CISO, you have been asked to research this issue (auditing IT security policy compliance) and then prepare an “approval draft” for a compliance policy. You must also research and draft two separate audit plans (a) employee compliance and (b) policy system audit. The audit policy should not exceed two typed pages in length so you will need to be concise in your writing and only include the most important elements for the policy. Make sure that you include a requirement for an assessment report to be provided to company management and the corporate board of directors. For the employee compliance assessment, you must use an interview strategy which includes 10 or more multiple choice questions that can be used to construct a web-based survey of all employees. The questions should be split between (a) awareness of key policies and (b) awareness of personal responsibilities in regards to compliance. For the policy system audit, you should use a documentation assessment strategy which reviews the contents of the individual policies to determine when the policy was last updated, who “owns” the policy, who reviewed the policy, and who approved the policy for implementation.
project__4_audit_policy_and_plans_v2.docx

grade_rubric_4_week4.docx

Don't use plagiarized sources. Get Your Custom Essay on
IT Audit Policy and Plans
Just from $13/Page
Order Essay

assigned_case_study.docx

Unformatted Attachment Preview

Project #4: IT Audit Policy and Plans
Company Background & Operating Environment
Use the assigned case study for information about “the company.”
Policy Issue & Plan of Action
The corporate board was recently briefed by the Chief Information Officer concerning the
company’s IT Security Program and how this program contributes to the company’s risk management
strategy. During the briefing, the CIO presented assessment reports and audit findings from IT security
audits. These audits focused upon the technical infrastructure and the effectiveness and efficiency of
the company’s implementation of security controls. During the discussion period, members of the
corporate board asked about audits of policy compliance and assessments as to the degree that
employees were (a) aware of IT security policies and (b) complying with these policies. The Chief
Information Officer was tasked with providing the following items to the board before its next quarterly
meeting:
(a) Issue Specific Policy requiring an annual compliance audit for IT security policies as
documented in the company’s Policy System
(b) Audit Plan for assessing employee awareness of and compliance with IT security policies
a. Are employees aware of the IT security policies in the Employee Handbook?
b. Do employees know their responsibilities under those policies?
(c) Audit Plan for assessing the IT security policy system
a. Do required policies exist?
b. Have they been updated within the past year?
c. Are the policies being reviewed and approved by the appropriate oversight
authorities (managers, IT governance board, etc.)?
Your Task Assignment
As a staff member supporting the CISO, you have been asked to research this issue (auditing IT
security policy compliance) and then prepare an “approval draft” for a compliance policy. You must also
research and draft two separate audit plans (a) employee compliance and (b) policy system audit. The
audit policy should not exceed two typed pages in length so you will need to be concise in your writing
and only include the most important elements for the policy. Make sure that you include a requirement
for an assessment report to be provided to company management and the corporate board of directors.
•
For the employee compliance assessment, you must use an interview strategy which
includes 10 or more multiple choice questions that can be used to construct a webbased survey of all employees. The questions should be split between (a) awareness of
key policies and (b) awareness of personal responsibilities in regards to compliance.
•
For the policy system audit, you should use a documentation assessment strategy which
reviews the contents of the individual policies to determine when the policy was last
updated, who “owns” the policy, who reviewed the policy, and who approved the policy
for implementation.
Research:
1. Review the weekly readings including the example audit assessment report.
2. Review work completed previously in this course which provides background about the IT Policy
System and specific policies for the case study company.
3. Find additional resources which discuss IT compliance audits and/or policy system audits.
Write:
1. Prepare briefing package with approval drafts of the three required documents. Place all three
documents in a single MS Word (.doc or .docx) files.
2. Your briefing package must contain the following:
•
•
Executive Summary
“Approval Drafts” for
o Issue Specific Policy for IT Security Policy Compliance Audits
o Audit Plan for IT Security Policy Awareness & Compliance (Employee Survey)
o Audit Plan for IT Security Policies Audit (Documentation Review)
As you write your policy and audit plans, make sure that you address security issues using
standard cybersecurity terminology (e.g. 5 Pillars of IA, 5 Pillars of Information Security). See the
resources listed under Course Resources > Cybersecurity Concepts Review for definitions and
terminology.
3. Use a professional format for your policy documents and briefing package. Your policy
documents should be consistently formatted and easy to read.
4. Common phrases do not require citations. If there is doubt as to whether or not information
requires attribution, provide a footnote with publication information or use APA format
citations and references.
5. You are expected to write grammatically correct English in every assignment that you submit for
grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c)
verifying that your punctuation is correct and (d) reviewing your work for correct word usage
and correctly structured sentences and paragraphs.
Submit For Grading
Submit briefing package in MS Word format (.docx or .doc file) for grading using your
assignment folder. (Attach the file.)
Rubric Name: Project 4: IT Audit Policy & Plans
Executive
Summary
Excellent
Outstanding
Acceptable
8.5 points
The Executive Summary
provided an excellent
summary of the policy
package’s purpose and
Executive
Summary for the contents. Information about
the case study company
Policy Briefing
was well integrated into the
Package
summary. Each policy was
individually introduced and
clearly explained. The
material was well
organized and easy to read.
The Executive
Summary provided an
outstanding summary
of the policy
package’s purpose and
contents. Information
about the case study
company was
integrated into the
summary. Each policy
in the briefing
package was
individually
introduced and briefly
explained. The
material was well
organized and easy to
read.
Policy for IT
Security Policy
Compliance
Audits
Excellent
Outstanding
10 points
8.5 points
The policy contained an
excellent introduction
which addressed five or
more specific
characteristics of the
company’s business, legal
& regulatory, and/or
enterprise IT environments
and addressed the reasons
why employees must
comply with this policy.
Compliance requirements
are addressed and contact
The policy contained
an outstanding
introduction which
addressed three or
more specific
characteristics of the
company’s business,
legal & regulatory,
and/or enterprise IT
environments and
addressed the reasons
why employees must
comply with this
10 points
Policy
Introduction
7 points
The Executive Summary provided an ac
of the contents of the policy package. In
case study company was used in the sum
in the briefing package was named and
Acceptable
7 points
The introduction for the policy was cust
study company. Three or more specific
company’s business, legal & regulatory,
environments were incorporated into th
Compliance requirements were addresse
information is provided for policy. Compliance
questions about the policy. requirements are
addressed and contact
information is
provided for questions
about the policy.
8.5 points
10 points
The issue specific policy
provided excellent (clear
and concise) coverage of
the following:
The issue specific
policy provided
outstanding coverage
of the following:
•
•
•
Policy Content
•
•
•
Audit Plans
policy issue (do
required policies exist
policy issue (do required
and have they been
policies exist and have they
properly vetted &
been properly vetted &
approved)
approved)
• policy solution
•
policy solution (auditing all
(auditing all IT
IT security policies to
security policies to •
determine compliance with
determine compliance
security controls)
with security controls)
•
applicability (to what and
• applicability (to what
•
to whom the policy
and to whom the •
applies)
policy applies)
compliance requirements
• compliance
point of contact (for more
requirements
information)
• point of contact (for
more information)
The policy was easy to
understand and thoroughly
The policy was easy
covered the required
to understand and
content.
addressed all required
content.
7 points
The issue specific policy provided adeq
following:
policy issue (do required policies exist a
properly vetted & approved)
policy solution (auditing all IT security
determine compliance with security con
applicability (to what and to whom the p
compliance requirements
point of contact (for more information)
The policy was easy to understand and i
content.
Excellent
Outstanding
Acceptable
10 points
8.5 points
7 points
The Security
Awareness audit plan
contained an
outstanding
The Security Awareness audit plan cont
background section which discussed on
which drive the requirements and objec
IT security controls for security awaren
Security
Awareness Audit The Security Awareness
Plan: Audit
audit plan contained an
Background
excellent background
section which identified
and discussed 5 or more
risks which drive the
requirements and
objectives for this audit. IT
security controls for
security awareness (AT
family of controls from
NIST SP 800-53) and
related compliance
requirements were
identified and discussed.
Contact information was
provided for the audit
manager. Information from
the case study was well
integrated into the
background material.
background section
which identified and
discussed 3 or more
risks which drive the
requirements and
objectives for this
audit. IT security
controls for security
awareness (AT family
of controls from NIST
SP 800-53) and
related compliance
requirements were
identified and
discussed. Contact
information was
provided for the audit
manager. Information
from the case study
was well integrated
into the background
material.
controls from NIST SP 800-53) and rela
requirements were discussed. Contact in
provided for the audit manager. Some in
case study was integrated into the backg
4 points
5 points
A well written set of
A clear and concise set of audit objectives were
audit objectives were
presented. The audit
Security
presented.
These
objectives
objectives addressed
Awareness Audit
addressed (and named)
(and named) 4 or
Plan: Audit
each
security
control
in
the
more security controls
Objectives
Awareness & Training
in the Awareness &
(AT) family (as listed in
Training (AT) family
NIST SP 800-53).
(as listed in NIST SP
800-53).
15 points
3 points
Three or more audit objectives were pre
objective was mapped to a specific secu
Awareness & Training (AT) family (as
800-53).
13.5 points
12 points
Security
Awareness Audit
Plan: Audit
Approach
The Audit Approach
clearly and concisely
identified and described the
major elements in the data
collection strategy (what
data will be collected, how
it will be collected, what
The Audit Approach
clearly identified the
major elements in the
data collection
strategy (what data
will be collected, how
it will be collected,
The Audit Approach adequately address
collection strategy and provided sufficie
the reader could understand how the eff
security controls implementation would
will be measured). The
data collection strategy was
supported by a checklist
(for a document review) or
list of questions (for a
survey). The relationship
between the audit approach
and the measurement of the
effectiveness of the
security controls
implementation was
explained.
what will be
measured). The data
collection strategy
was supported by a
checklist (for a
document review) or
list of questions (for a
survey). The
relationship between
the audit approach and
the measurement of
the effectiveness of
the security controls
implementation was
clearly stated.
8.5 points
10 points
IT Security
Policies Audit
Plan: Audit
Background
The IT Security
Policies audit plan
The IT Security Policies
contained an
audit plan contained an
outstanding
excellent background
background section
section which identified
which identified and
and discussed 5 or more
discussed 3 or more
risks which drive the
risks which drive the
requirements and
requirements and
objectives for this audit.
objectives for this
The 18 IT security policies audit.
& procedures security
At least 12 IT security
controls (e.g. AC-1, AT-1, policies & procedures
etc. in NIST SP 800-53)
security controls (e.g.
were identified and
AC-1, AT-1, etc. in
discussed. Five or more
NIST SP 800-53)
additional controls from
were identified and
the PM & PL families were
discussed. Three or
also addressed. Contact
more additional
information was provided controls from the PM
for the audit manager.
& PL families were
Information from the case also addressed.
study was well integrated Contact information
into the background
was provided for the
material.
audit manager.
Information from the
case study was well
7 points
The IT Security Policies audit plan cont
background section which identified 3 o
drive the requirements and objectives fo
At least 10 IT security policies & proce
controls (e.g. AC-1, AT-1, etc. in NIST
identified and discussed. Three or more
from the PM & PL families were also a
information was provided for the audit m
Information from the case study was int
background material.
integrated into the
background material.
4 points
5 points
IT Security
Policies Audit
Plan: Audit
Objectives
A well written set of
A clear and concise set of audit objectives were
audit objectives were
presented. These
presented. These objectives objectives addressed
addressed (and named) all (and named) at least
18 policy & procedures
12 of the policy &
security controls (e.g. AC- procedures security
1, AT-1 as listed in NIST controls (e.g. AC-1,
SP 800-53).
AT-1 as listed in
NIST SP 800-53).
3 points
Three or more audit objectives were pre
objectives addressed (and named) at lea
procedures security controls (e.g. AC-1
NIST SP 800-53).
13.5 points
15 points
IT Security
Policies Audit
Plan: Audit
Approach
The Audit Approach
clearly and concisely
identified and described the
major elements in the data
collection strategy (what
data will be collected, how
it will be collected, what
will be measured). The
data collection strategy was
supported by a checklist
(for a document review) or
list of questions (for a
survey). The relationship
between the audit approach
and the measurement of the
effectiveness of the
security controls
implementation was
explained.
Professionalism Excellent
Execution
10 points
The Audit Approach
clearly identified the
major elements in the
data collection
strategy (what data
will be collected, how
it will be collected,
what will be
measured). The data
collection strategy
was supported by a
checklist (for a
document review) or
list of questions (for a
survey). The
relationship between
the audit approach and
the measurement of
the effectiveness of
the security controls
implementation was
clearly stated.
12 points
The Audit Approach adequately address
collection strategy and provided sufficie
the reader could understand how the eff
security controls implementation would
Outstanding
Acceptable
8.5 points
7 points
Work is professional in
appearance and
organization (appropriate
and consistent use of fonts,
headings, color).
No word usage, grammar,
spelling, or punctuation
errors. All quotations
(copied text) are properly
marked and cited using a
professional format (APA
format recommended but
not required.)
Overall Score
Excellent
90 or more
Work is professional
in appearance and
organization
(appropriate and
consistent use of
fonts, headings,
color).
Work is professional in appearance and
issues allowable but overall the work co
and consistent use of fonts, headings, co
Outstanding
80 or more
Acceptable
70 or more
Errors in word usage, spelling, gramma
which detract from professional appeara
work. All quotations (copied text) are p
cited using a professional format (APA
Work contains minor recommended but not required.)
errors in word usage,
grammar, spelling or
punctuation which do
not significantly
impact professional
appearance. All
quotations (copied
text) are properly
marked and cited
using a professional
format (APA format
recommended but not
required.)
Red Clay Renovations
Table of Contents
Company Overview ……………………………………………………………… 1Corporate Governance & Management
…………………………………………………………………………………………………………………………………………………. 1
Operations ……………………………………………………………………………………………………………………………… 4
Acquisitions …………………………………………………………………………………………………………………………….. 5
Legal and Regulatory Environment …………………………………………………………………………………………….. 6
Policy System ………………………………………………………………………………………………………………………….. 6
Risk Management & Reporting ………………………………………………………………………………………………….. 7
IT Security Management …………………………………………………………………………………………………………… 8
Information Technology Infrastructure ………………………………………………………………………………………….. 9
Enterprise Architecture…………………………………………………………………………………………………………….. 9
Operations Center IT Architecture……………………………………………………………………………………………. 10
Field Office IT Architecture ……………………………………………………………………………………………………… 10
System Interconnections ………………………………………………………………………………………………………… 11
Tables
Table 1. Key Personnel Roster ………………………………………………………………………………………………………. 3
Table 2. Red Clay Renovations Office Locations & Contact Information ……………………………………………… 4
Figures
Figure 1. Red Clay Renovations Organization Chart …………………………………………………………………………. 2
Figure 2. Overview for Enterprise IT Infrastructure ………………………………………………………………………….. 9
Figure 3. IT Architecture for Operations Center …………………………………………………………………………….. 10
CSIA 413: Cybersecurity Policy, Plans, and Programs
i
Company Overview
Red Clay Renovations is an internationally recognized, awarding winning firm that specializes in the
renovation and rehabilitation of residential buildings and dwellings. The company specializes in updating
homes using “smart home” and “Internet of Things” technologies while maintaining period correct
architectural characteristics. The company’s primary line of business is Home Remodeling Services
(NAICS 236118).
Corporate Governance & Management
Red Clay Renovations was incorporated in the State of Delaware in 1991 and is privately held. (Its stock
is not publicly traded on a stock exchange.)The company maintains a legal presence (“Corporate
Headquarters”) in Delaware to satisfy laws relating to its status as a Delaware corporation. The company
has a five member Board of Directors (BoD). The Chief Executive Officer (CEO) and Chief Financial Officer
(CFO) each own 25% of the corporation’s stock; both serve on the BoD. The CEO is the chair person for
the BoD. The three additional members of the BoD are elected from the remaining stock holders and
each serve for a three year term. The BoD provides oversight for the company’s operations as required
by state and federal laws. Its primary purpose is to protect the interests of stockholders. Under state
and federal law, the BoD has a fiduciary duty to ensure that the corporation is managed for the benefit
of the stockho …
Purchase answer to see full
attachment

GradeAcers
Calculate your paper price
Pages (550 words)
Approximate price: -

Why Work with Us

Top Quality and Well-Researched Papers

We always make sure that writers follow all your instructions precisely. You can choose your academic level: high school, college/university or professional, and we will assign a writer who has a respective degree.

Professional and Experienced Academic Writers

We have a team of professional writers with experience in academic and business writing. Many are native speakers and able to perform any task for which you need help.

Free Unlimited Revisions

If you think we missed something, send your order for a free revision. You have 10 days to submit the order for review after you have received the final document. You can do this yourself after logging into your personal account or by contacting our support.

Prompt Delivery and 100% Money-Back-Guarantee

All papers are always delivered on time. In case we need more time to master your paper, we may contact you regarding the deadline extension. In case you cannot provide us with more time, a 100% refund is guaranteed.

Original & Confidential

We use several writing tools checks to ensure that all documents you receive are free from plagiarism. Our editors carefully review all quotations in the text. We also promise maximum confidentiality in all of our services.

24/7 Customer Support

Our support agents are available 24 hours a day 7 days a week and committed to providing you with the best customer experience. Get in touch whenever you need any assistance.

Try it now!

Calculate the price of your order

Total price:
$0.00

How it works?

Follow these simple steps to get your paper done

Place your order

Fill in the order form and provide all details of your assignment.

Proceed with the payment

Choose the payment system that suits you most.

Receive the final file

Once your paper is ready, we will email it to you.

Our Services

No need to work on your paper at night. Sleep tight, we will cover your back. We offer all kinds of writing services.

Essays

Essay Writing Service

No matter what kind of academic paper you need and how urgent you need it, you are welcome to choose your academic level and the type of your paper at an affordable price. We take care of all your paper needs and give a 24/7 customer care support system.

Admissions

Admission Essays & Business Writing Help

An admission essay is an essay or other written statement by a candidate, often a potential student enrolling in a college, university, or graduate school. You can be rest assurred that through our service we will write the best admission essay for you.

Reviews

Editing Support

Our academic writers and editors make the necessary changes to your paper so that it is polished. We also format your document by correctly quoting the sources and creating reference lists in the formats APA, Harvard, MLA, Chicago / Turabian.

Reviews

Revision Support

If you think your paper could be improved, you can request a review. In this case, your paper will be checked by the writer or assigned to an editor. You can use this option as many times as you see fit. This is free because we want you to be completely satisfied with the service offered.

Order your essay today and save 15% with the discount code DISCOUNT15