ComputerScienceExpert
$18/per page/
For this project, there is no template which means that it will be a document you will need to create. I have attached the grading rubric, which will identify what the document(s) will need for full credit.
Thanks
Case Study_Company (1).docx
Table of Contents
Company Overview.....................................................................................................................................1
Corporate Governance & Management...................................................................................................1
Operations...............................................................................................................................................4
Acquisitions.............................................................................................................................................4
Legal and Regulatory Environment..........................................................................................................5
Policy System...........................................................................................................................................6
Risk Management & Reporting................................................................................................................6
IT Security Management..........................................................................................................................7
Information Technology Infrastructure........................................................................................................8
Enterprise Architecture............................................................................................................................8
Operations Center IT Architecture...........................................................................................................9
Field Office IT Architecture....................................................................................................................10
System Interconnections.......................................................................................................................11 Tables
Table 1. Key Personnel Roster......................................................................................................................3
Table 2. Red Clay Renovations Office Locations & Contact Information.......................................................4 Figures
Figure 1. Red Clay Renovations Organization Chart.....................................................................................2
Figure 2. Overview for Enterprise IT Infrastructure.....................................................................................9
Figure 3. IT Architecture for Operations Center...........................................................................................9 0 Company Overview
Red Clay Renovations is an internationally recognized, awarding winning firm that specializes in the
renovation and rehabilitation of residential buildings and dwellings. The company specializes in updating
homes using “smart home” and “Internet of Things” technologies while maintaining period correct
architectural characteristics. The company’s primary line of business is Home Remodeling Services (NAICS
236118).
Corporate Governance & Management
Red Clay Renovations was incorporated in the State of Delaware in 1991 and is privately held. (Its stock is
not publicly traded on a stock exchange.)The company maintains a legal presence (“Corporate
Headquarters”) in Delaware to satisfy laws relating to its status as a Delaware corporation. The company
has a five member Board of Directors (BoD). The Chief Executive Officer (CEO) and Chief Financial Officer
(CFO) each own 25% of the corporation’s stock; both serve on the BoD. The CEO is the chair person for
the BoD. The three additional members of the BoD are elected from the remaining stock holders and
each serve for a three year term. The BoD provides oversight for the company’s operations as required
by state and federal laws. Its primary purpose is to protect the interests of stockholders. Under state and
federal law, the BoD has a fiduciary duty to ensure that the corporation is managed for the benefit of the
stockholders (see http://www.nolo.com/legal-encyclopedia/fiduciary-responsibility-corporations.html).
The BoD has adopted a centrally managed “Governance, Risk, and Compliance” (GRC) methodology to
ensure that the corporation meets the expectations of stakeholders while complying with legal and
regulatory requirements.
The company’s senior management includes the Chief Executive Officer (CEO), Chief Financial Officer
(CFO), Chief Operating Officer (COO), Director of Architecture & Construction Services (A&C), Director of
Customer Relations (CR), Director of Human Resources (HR), the Director of Information Technology
Services (ITS), and the Director of Marketing and Media (M&M). The Director of ITS is dual-hatted as the
company’s Chief Information Security Officer (CISO). These individuals constitute the Executive Board for
the company and are responsible for implementing the business strategies, policies, and plans approved
by the BoD. A separately constituted IT Governance Board is chaired by the Chief Operating Officer. The
five directors (A&C, CR, HR, ITS, and M&M) serve as members of the IT Governance board. This board
considers all matters related to the acquisition, management, and operation of the company’s
information technology resources.
The CEO, CFO, and COO have been with the company since it started in 1991. The Directors for A&C, CR,
and HR have over 20 years each with the company. The Director for M&M has ten years of service. The
Director of ITS / CISO has been with the company less than two years and is still trying to bring a
semblance of order to the IT management program – especially in the area of IT security services. This is
a difficult task due to the company’s failure to promptly hire a replacement for the previous director who
retired two years ago. 1 Figure 1. Red Clay Renovations Organization Chart 2 Table 1. Key Personnel Roster
Name & Title Office
Location
Wilmington Office Phone
No.
910-555-2158 email Wilmington 910-555-2150 Irma_Bromley@ redclayrennovations.com Nancy Randell
Chief of Staf
Marcus Randell
CFO
Julia Randell
COO
Edward Randell,
Esq
Corporate Counsel
Erwin Carrington Wilmington 910-555-2152 nr@redclayrenovations.com Wilmington 910-555-2159 marcus@redclayrenovations.com Owings Mills 667-555-5000 julia@redclayrenovations.com Wilmington 910-555-1000 ed@redclayrenovations.com Owings Mills 667-555-6260 Erwin_Carrington@hq.redclayrenovations.com Eric Carpenter Owings Mills 667-555-6370 Eric_Carpenter@hq.redclayrenovations.com Amanda Nosinger Owings Mills 667-555-6400 an@redclayrenovations.com Rebecca Nosinger Ownings Mills 667-555-6900 rn@redclayrenovations.com Eugene Nosinger Owings Mills 667-555-8000 en@redclayrenovations.com Charles Kniesel Baltimore 443-555-2900 Charles@balt.redclayrenovations.com Erica Kniesel Baltimore 443-555-2900 Erica@balt.redclayrenovations.com William Kniesel Philadelphia 267-555-1200 William@philly.redclayrenovations.com Philadelphia 267-555-1200 Alison@philly.redclayrenovations.com James Randell
CEO
Irma Bromley Executive Assistant to
Mr. Randell CIO & Director IT
Services jr@redclayrenovations.com CISO / Deputy CIO
Director, Customer
Relations Director, Marketing &
Media
Director, Architecture
& Services
Manager & Architect
in Charge, Baltimore
Field Office
Office Manager &
ISSO, Baltimore Field
Office
Manager & Architect
in Charge,
Philadelphia Field
Office Alison KnieselSmith
Office Manager & 3 ISSO, Philadelphia
Field Office Operations
Red Clay Renovations has offices in Baltimore, MD, Philadelphia PA, and Wilmington, DE. The contact
information for each location is provided in Table 2.
Table 2. Red Clay Renovations Office Locations & Contact Information
Location
Baltimore Field Office
Philadelphia Field Office
Operations Center (Owings Mills)
Wilmington Office Mailing Address
200 Commerce Street, Suite 450
Baltimore, MD 21201
1515 Chester Street
Philadelphia, PA 19102
12209 Red Clay Place
Owings Mills, MD 21117
12 High Street
Wilmington, DE 19801 Phone Number
443-555-2900
267-555-1200
667-555-6000
910-555-2150 The Operations Center is the company’s main campus and is located in suburban Baltimore, MD (Owings
Mills). The Owings Mills facility houses the company’s data center as well as general offices for the
company’s operations. These operations include: accounting & finance, customer relations, human
resources, information technology services, marketing, and corporate management. There are
approximately 100 employees at the Operations Center. Day to day management of the Owings Mills
facility is provided by the company’s Chief Operating Officer (COO).
The company’s Chief Executive Officer, corporate counsel, and support staf maintain a presence in the
company’s Wilmington, DE offices but spend most of their time at the Owings Mills operations center.
Field Offices are located in downtown Baltimore and suburban Philadelphia. Each office has a managing
director, a team of 2-3 architects, a senior project manager, a business manager, and an office manager.
Support personnel (receptionist, clerks, etc.) are contractors provided by a local staffing services firm.
Each office operates and maintains its own IT infrastructure.
The company’s architects, project managers, and other support personnel frequently work from
renovation sites using cellular or WiFi connections to access the Internet. Many field office employees
are also authorized to work from home or an alternate work location (“telework site”) one or more days
per week.
Acquisitions
Red Clay acquired “Reality Media Services,” a five person digital media & video production firm in 2015
(NAICS Codes 512110, 519130, and 541430). RMS creates a video history for each residential
4 construction project undertaken by Red Clay Renovations. RMS also provides Web design and social
media services for Red Clay Renovations to promote its services. RMS employees work primarily out of
their own home offices using company provided equipment (computers, video / audio production
equipment). Each employee also uses personally owned cell phones, laptops, digital cameras, and
camcorders. While RMS is now wholly owned by Red Clay, it continues to operate as an independent
entity. Red Clay senior management is working to change this, however, starting with bringing all IT and
IT related resources under the company’s central management. As part of this change, Red Clay has set
up a media production facility (“Media Studio”) in its headquarters location which includes office space
for RMS personnel. The production facility and RMS operations are under the management control of
the Director, Marketing & Media Services.
Legal and Regulatory Environment
The firm is licensed to do business as a general contractor for residential buildings in three states (DE,
MD, PA). The company’s architects maintain professional licensure in their state of residence. The
company’s general counsel is licensed to practice law in Delaware and Maryland. The Chief Financial
Officer is a Certified Public Accountant (CPA) and licensed to practice in all three states.
The company collects, maintains, and stores personal information from and about customers over the
normal course of doing business. This includes credit checks, building plans and drawings for homes, and
information about a customer’s family members which needs to be taken into consideration during the
design and construction phases of a project (e.g. medical issues / disabilities, hobbies, etc.).
When renovations are required due to a medical condition or disability, the company works with health
insurance companies, Medicare/Medicaid, and medical doctors to plan appropriate modifications to the
home and to obtain reimbursement from insurers. This sometimes requires that the company receive,
process, store, and transmit Protected Health Information (PHI) generated by medical practitioners or as
provided by the customer. The company’s legal counsel has advised it to be prepared to show
compliance with the HIPAA Security Rule for PHI for information stored on computer systems in its field
offices and in the operations center.
Red Clay began ofering “Smart Home” renovation services in 2005 (NAICS Codes 541310 and 236118).
These services are primarily ofered out of the Baltimore and Philadelphia field offices. A large
percentage of the company’s “smart home” remodeling work is financed by customers through the
Federal Housing Administration’s 203K Rehab Mortgage Insurance program. Red Clay provides
assistance in filling out the required paperwork with local FHA approved lenders but does not actually
process mortgages itself. Red Clay does, however, conduct credit checks on prospective customers and
accepts credit card payments for services.
As a privately held stock corporation, Red Clay Renovations is exempt from many provisions of the
Sarbanes-Oxley Act of 2002. But, in certain circumstances, i.e. a government investigation or bankruptcy
filing, there are substantial criminal penalties for failure to protect business records from destruction or
spoliation.
5 Policy System
The company’s Chief of Staf is responsible for the overall organization and management of the
company’s collection of formal policies and procedures (“policy system”). The company’s policies provide
guidance to employees and officers of the company (CEO, CFO, and the members of the Board of
Directors) with respect to their responsibilities to the company. Policies may be both prescriptive (what
“must” be done) and proscriptive (what “must not” be done). Responsibility for writing and maintaining
individual policies is assigned to a designated manager or executive within the company. Each policy
identifies the responsible individual by title, e.g. Director of Human Resources.
The major policy groupings are: Human Resources
Financial Management
Information Technology
Employee Handbook
Manager Deskbook Selected policies are published as an Employee Handbook and a Manager’s Deskbook to communicate
them to individual employees and managers and to ensure that these individuals are aware of the
content of key policies which afect how they perform their duties.
Risk Management & Reporting
The company engages in a formal risk management process which includes identification of risks,
assessment of the potential impact of each risk, determination of appropriate risk treatments
(mitigation, acceptance, transfer), and implementation of the risk management strategy which is based
upon the selected risk treatments. For information technology related risks, the CISO working in
conjunction with the IT Governance Board is responsible for identifying and assessing risks.
Corporate-wide, high level risks which could impact the company’s financial performance are disclosed
to shareholders during the annual meeting and in the Annual Report to Investors. For the current year,
the following high level cybersecurity related risks will be disclosed.
1. Cyber-attacks could afect our business.
2. Disruptions in our computer systems could adversely afect our business.
3. We could be liable if third party equipment, recommended and installed by us (e.g. smart home
controllers), fails to provide adequate security for our residential clients.
The company’s risk treatments for cybersecurity related risks include purchasing cyber liability insurance,
implementing an asset management and protection program, implementing configuration baselines,
implementing configuration management for IT systems and software and auditing compliance with IT
security related policies, plans, and procedures. 6 The corporate board was recently briefed by the Chief Information Officer concerning the company’s IT
Security Program and how this program contributes to the company’s risk management strategy. During
the briefing, the CIO presented assessment reports and audit findings from IT security audits. These
audits focused upon the technical infrastructure and the efectiveness and efficiency of the company’s
implementation of security controls. During the discussion period, members of the corporate board
asked about audits of policy compliance and assessments as to the degree that employees were (a)
aware of IT security policies and (b) complying with these policies. The CIO was tasked with providing
audit reports for these items before the next quarterly meeting of the corporate board.
The corporate board also asked the CIO about future plans for improvements to the IT Security program.
The CIO reported that, in the coming year, the CISO will begin implementation of an IT vulnerability
management program. The CIO also reported that the CISO is working with the IT Governance Board to
restart the company’s security education, training, and awareness (SETA) program. SETA activities had
fallen into disuse due to a perceived lack of quality and lack of timeliness (out of date materials). The
CISO has also determined that the System Security Plans for the field offices are out of date and lacking
in important security controls. These plans have been scheduled for update in the near future to ensure
that the company’s risk management strategy for cybersecurity risks is fully implemented.
IT Security Management
The company’s Chief Information Security Officer (CISO) is responsible for providing management
oversight and technology leadership for the company’s Information Technology security program. This
program is designed around the ISO 27001/27002 requirements but is not fully compliant. For cost
reasons, the Chief Information Officer (CIO) has decided not to pursue implementation of CobiT or ITIL
standards for managing IT systems and services. A less costly alternative, using NIST guidance
documents, was approved at the CISO’s suggestion. The CISO’s selected guidance documents include: NIST SP 800-12 “An Introduction to Computer Security: The NIST Handbook:
NIST SP 800-18 “Guide for Developing Security Plans for Federal Information Systems”
NIST SP 800-53 “Security and Privacy Controls for Federal Information Systems and
Organizations”
NIST SP 800-100 “Information Security Handbook: A Guide for Managers”
NISTIR 7621 “Small Business Information Security: The Fundamentals” The CISO has determined that the closest fit for the level of security required by law for the company’s IT
systems is the “moderate level” as defined in the FIPS 199/200 standards and specified in NIST SP 800-53
Revision 4. The company has created its own minimum security controls baseline which is used for
developing system security plans.
Under the company’s existing IT Security Management Plan, the following individuals are responsible for
the security of its IT systems.
1. Chief Information Officer: designated approving official for all IT systems certification and
authorization.
7 2. Chief Information Security Officer: responsible for developing security plans and procedures.
3. Chief Financial Officer: responsible for negotiating and providing oversight for contracts and
service level agreements for IT services.
4. Chief Operating Officer: responsible for approval of and compliance with security plans and
procedures for the company’s IT Operations Center. The COO is the system owner for all IT
systems in the operations center.
5. Field Office Manager: responsible for approval of and compliance with security plans and
procedures for his or her field office. The field office manager is the system owner for all IT
systems in his or her field office.
6. Field Office Information Systems Security Officer (ISSO): responsible for day to day
implementation of security plans, processes, and procedures.
Information Technology Infrastructure
Enterprise Architecture
The overview for the enterprise IT architecture for Red Clay Renovations is shown in Figure 2. This
diagram shows the interconnections between the company’s field offices and the operations center. Each
facility-to-facility interconnection is made via a Virtual Private Network (VPN). The VPN connects the
Local Area Networks (LANs) in the operations center and the field offices to the company’s enterprise
network. All IT systems are in the operational phase of the Systems Development Lifecycle. The company
does not have plans at this time to upgrade (“major modification”) or implement (“under development”)
any IT systems. Figure 2. Overview for Enterprise IT Infrastructure
8 Operations Center IT Architecture
The Owings Mills facility (see Figure 3) contains the company’s operations (data) center as well as
general offices for the company’s operations. These operations include: accounting & finance, customer
relations, human resources, information technology services, marketing, and corporate management. Figure 3. IT Architecture for Operations Center
Field Office IT Architecture
The company’s corporate headquarters are located in Wilmington, DE. These offices have the same IT
architecture as is used by the field offices in Baltimore and Philadelphia (see Figure 4). The company’s
Chief Executive Officer and support staf maintain a presence in Delaware but spend most of their time
at the Owings Mills operations center. The company’s architects, project managers, and other support
personnel frequently work from renovation sites using cellular or WiFi connections to access the
Internet. Many field office employees, including “Reality Media Services” staf, are also authorized to
work from home or an alternate work location (“telework site”) one or more days per week.
Red Clay’s offices have been remodeled to use the “smart home” and “Internet of Things” technologies
which it installs in the residential buildings that it rehabilitates. These devices have IP addresses and are
connected to the in-office wireless network (WiFi). Each smart device has a controller which can be
accessed via a Web-based interface that runs on the office’s application server (username and password
required). The brand and type of equipment varies. The majority of these devices have little to no
security beyond a password protected Web-based logon. Every Red Clay location also has one or more
conference rooms which provide “smart” podiums, projection and video conferencing technologies, and
wireless network access to both the internal network and the Internet.
9 All locations use Dell computers for laptops, desktop computers, and servers. The laptops and desktops
were recently upgraded to Windows 10 Enterprise for their operating systems. The servers are running
Windows server 2012. All Windows systems have Symantec Endpoint Protection installed for host-based
security (anti-malware, host-based firewall, host-based intrusion detection). Figure 4. “Smart” Office IT Architecture (Baltimore, Philadelphia, Wilmington)
Each field office uses the same logical architecture. This infrastructure consists of a local area network
with both wired and wireless segments. A wiring closet containing the premises router and switches is
located in the office space (labeled “Utilities” in the diagram). The “smart office” and “IoT” devices are
also located within the office suites and are connected via WiFi to the Wireless Access Points and from
there to the office LAN. These devices are individually addressable via their IP addresses. Some have
onboard programmable controllers with Web based interfaces. Others have limited onboard
functionality and must be controlled via a central console (which has an IP address and Web based
interface). The RFID system used to control access to doors has sensor plates affixed to the walls. These
sensors are hard wired to a controller in the utilities closet. This controller connects to the local area
network and can be accessed via a Web based interface using its IP address. Access control for the Web
based interfaces (used for RFID system and “smart” device control) is limited to password protected
logons.
System Interconnections
The Operations Center and the individual Field Offices connect to the Internet via a business grade
Internet Services Provider with a standard Service Level Agreement (as established by the ISP). Systems
interconnections between internal systems and between facilities are certified and approved by the
Chief Information Officer. These interconnections include Virtual Private Network connections between
10 the Operations Center and the Field Offices over ISP provided networks). The VPN is used to protect the
confidentiality and integrity of information transmitted between IT systems located in the company’s
field offices, its headquarters, and the operations center. (See Information Technology Infrastructure
later in this document for additional information about system interconnections.)
The operations center and field offices each have their own network infrastructure built on CISCO
branded equipment (Virtual Private Network (VPN), wired and wireless local area networks, wireless
access poi...
Executive Summary Excellent
10 points The Executive Summary provided an
excellent summary of the policy
package's purpose and contents.
Executive Summary for the Policy Briefing Information about the case study
Package
company was well integrated into the
summary. Each policy was individually
introduced and clearly explained. The
material was well organized and easy to
read. Policy for IT Security Policy
Compliance Audits Excellent
10 points Policy Introduction The policy contained an excellent
introduction which addressed five or more
specific characteristics of the company's
business, legal & regulatory, and/or
enterprise IT environments and
addressed the reasons why employees
must comply with this policy. Compliance
requirements are addressed and contact
information is provided for questions
about the policy. 10 points The issue specific policy provided
excellent (clear and concise) coverage of
the following: policy issue (do required policies exist
and have they been properly vetted &
approved)
Policy Content
policy solution (auditing all IT security
policies to determine compliance with
security controls) applicability (to what and to whom the
policy applies)
compliance requirements
point of contact (for more information) The policy was easy to understand and
thoroughly covered the required content. Audit Plans Excellent
10 points Security Awareness Audit Plan: Audit
Background Security Awareness Audit Plan: Audit
Background The Security Awareness audit plan
contained an excellent background
section which identified and discussed 5
or more risks which drive the
requirements and objectives for this audit.
IT security controls for security
awareness (AT family of controls from
NIST SP 800-53) and related compliance
requirements were identified and
discussed. Contact information was
provided for the audit manager.
Information from the case study was well
integrated into the background material. 5 points Security Awareness Audit Plan: Audit
Objectives A clear and concise set of audit objectives
were presented. These objectives
addressed (and named) each security
control in the Awareness & Training (AT)
family (as listed in NIST SP 800-53). 15 points Security Awareness Audit Plan: Audit
Approach Security Awareness Audit Plan: Audit
Approach The Audit Approach clearly and concisely
identified and described the major
elements in the data collection strategy
(what data will be collected, how it will be
collected, what will be measured). The
data collection strategy was supported by
a checklist (for a document review) or list
of questions (for a survey). The
relationship between the audit approach
and the measurement of the
effectiveness of the security controls
implementation was explained. 10 points The IT Security Policies audit plan
contained an excellent background
section which identified and discussed 5
or more risks which drive the
requirements and objectives for this audit. IT Security Policies Audit Plan: Audit
Background
The 18 IT security policies & procedures
security controls (e.g. AC-1, AT-1, etc. in
NIST SP 800-53) were identified and
discussed. Five or more additional
controls from the PM & PL families were
also addressed. Contact information was
provided for the audit manager.
Information from the case study was well
integrated into the background material. 5 points IT Security Policies Audit Plan: Audit
Objectives A clear and concise set of audit objectives
were presented. These objectives
addressed (and named) all 18 policy &
procedures security controls (e.g. AC-1,
AT-1 as listed in NIST SP 800-53). 15 points IT Security Policies Audit Plan: Audit
Approach Professionalism The Audit Approach clearly and concisely
identified and described the major
elements in the data collection strategy
(what data will be collected, how it will be
collected, what will be measured). The
data collection strategy was supported by
a checklist (for a document review) or list
of questions (for a survey). The
relationship between the audit approach
and the measurement of the
effectiveness of the security controls
implementation was explained. Excellent
10 points Work is professional in appearance and
organization (appropriate and consistent
use of fonts, headings, color). Execution No word usage, grammar, spelling, or
punctuation errors. All quotations (copied
text) are properly marked and cited using
a professional format (APA format
recommended but not required.) Outstanding Acceptable Needs Improvement 8.5 points 7 points 6 points The Executive Summary
provided an outstanding
summary of the policy package's
purpose and contents.
Information about the case study
company was integrated into the
summary. Each policy in the
briefing package was individually
introduced and briefly explained.
The material was well organized
and easy to read. The Executive Summary
provided an acceptable overview
The Executive Summary
of the contents of the policy
provided an overview of the
package. Information about the
policy package. Information
case study company was used in
about the case study
the summary. Each policy in the
company was mentioned.
briefing package was named
and briefly explained. Outstanding Acceptable Needs Improvement 8.5 points 7 points 6 points The policy contained an
outstanding introduction which
addressed three or more specific
characteristics of the company's
business, legal & regulatory,
and/or enterprise IT
environments and addressed the
reasons why employees must
comply with this policy.
Compliance requirements are
addressed and contact
information is provided for
questions about the policy. The introduction for the policy
was customized for the case
study company. Three or more
specific characteristics of the
company's business, legal &
regulatory, and/or enterprise IT
environments were incorporated
into the policy. Compliance
requirements were addressed. 8.5 points 7 points The introduction to the
policy mentions the case
study company and
compliance requirements. 6 points The issue specific policy
provided outstanding coverage
of the following: The issue specific policy
provided adequate coverage of
the following: policy issue (do required
policies exist and have they
been properly vetted &
approved) policy issue (do required
policies exist and have they
been properly vetted &
approved) policy issue (do required
policies exist and have
they been properly vetted
& approved) policy solution (auditing all IT
security policies to determine
compliance with security
controls) policy solution (auditing all IT
security policies to determine
compliance with security
controls) policy solution (auditing
all IT security policies to
determine compliance
with security controls) applicability (to what and to
whom the policy applies) applicability (to what and to
whom the policy applies) applicability (to what and
to whom the policy
applies) compliance requirements compliance requirements compliance requirements point of contact (for more
information) point of contact (for more
information) point of contact (for more
information) The policy was easy to
understand and addressed all
required content. The issue specific policy
mentioned at least 3 of the
following: The policy was easy to
understand and included all
required content. Outstanding Acceptable Needs Improvement 8.5 points 7 points 6 points The Security Awareness audit
plan contained an outstanding
background section which
identified and discussed 3 or
more risks which drive the
requirements and objectives for
this audit. IT security controls for
security awareness (AT family of
controls from NIST SP 800-53)
and related compliance
requirements were identified and
discussed. Contact information
was provided for the audit
manager. Information from the
case study was well integrated
into the background material. The Security Awareness audit
plan contained an acceptable
background section which
discussed one or more risks
which drive the requirements
and objectives for this audit. IT
security controls for security
awareness (AT family of controls
from NIST SP 800-53) and
related compliance requirements
were discussed. Contact
information was provided for the
audit manager. Some
information from the case study
was integrated into the
background material. The background section
mentions risks as drivers for
the Security Awareness
audit. Security controls and
compliance requirements
were mentioned.
Information from the case
study was used. 4 points 3 points 2 points A well written set of audit
objectives were presented. The
audit objectives addressed (and
named) 4 or more security
controls in the Awareness &
Training (AT) family (as listed in
NIST SP 800-53). Three or more audit objectives
were presented. Each objective
was mapped to a specific
security control from the
Awareness & Training (AT)
family (as listed in NIST SP 80053). Audit objectives were
mentioned and discussed.
But, the objectives were not
clearly identified or were not
tied to security controls from
the Awareness & Training
(AT) family. 13.5 points 12 points 10.5 points The Audit Approach clearly
identified the major elements in
the data collection strategy (what
data will be collected, how it will
The Audit Approach adequately
be collected, what will be
addressed the data collection
measured). The data collection
strategy and provided sufficient
strategy was supported by a
information that the reader could
checklist (for a document review)
understand how the
or list of questions (for a survey).
effectiveness of the security
The relationship between the
controls implementation would
audit approach and the
be determined.
measurement of the
effectiveness of the security
controls implementation was
clearly stated. 8.5 points 7 points The IT Security Policies audit
plan contained an outstanding
background section which
identified and discussed 3 or
more risks which drive the
requirements and objectives for
this audit. The IT Security Policies audit
plan contained an acceptable
background section which
identified 3 or more risks which
drive the requirements and
objectives for this audit. At least 12 IT security policies &
procedures security controls
(e.g. AC-1, AT-1, etc. in NIST SP
800-53) were identified and
discussed. Three or more
additional controls from the PM
& PL families were also
addressed. Contact information
was provided for the audit
manager. Information from the
case study was well integrated
into the background material. At least 10 IT security policies &
procedures security controls
(e.g. AC-1, AT-1, etc. in NIST SP
800-53) were identified and
discussed. Three or more
additional controls from the PM
& PL families were also
addressed. Contact information
was provided for the audit
manager. Information from the
case study was integrated into
the background material. Organization and
appearance need
improvement. The Audit
Approach addressed the
data collection strategy and
provided some information
about how compliance
would be measured. 6 points The background section
mentions risks as drivers for
the IT Security Policies
audit. Security controls and
compliance requirements
were mentioned.
Information from the case
study was used. 4 points A well written set of audit
objectives were presented.
These objectives addressed
(and named) at least 12 of the
policy & procedures security
controls (e.g. AC-1, AT-1 as
listed in NIST SP 800-53). 13.5 points 3 points 2 points Three or more audit objectives
were presented. These
objectives addressed (and
named) at least 10 of the policy
& procedures security controls
(e.g. AC-1, AT-1 as listed in NIST
SP 800-53). Audit objectives were
mentioned and discussed.
But, the objectives were not
clearly identified or were not
tied to policy & procedures
IT security controls from
NIST SP 800-53. 12 points 10.5 points The Audit Approach clearly
identified the major elements in
the data collection strategy (what
data will be collected, how it will
The Audit Approach adequately
be collected, what will be
addressed the data collection
measured). The data collection
strategy and provided sufficient
strategy was supported by a
information that the reader could
checklist (for a document review)
understand how the
or list of questions (for a survey).
effectiveness of the security
The relationship between the
controls implementation would
audit approach and the
be determined.
measurement of the
effectiveness of the security
controls implementation was
clearly stated. Organization and
appearance need
improvement. The Audit
Approach addressed the
data collection strategy and
provided some information
about how compliance
would be measured. Outstanding Acceptable Needs Improvement 8.5 points 7 points 6 points Work is professional in
appearance and organization
(appropriate and consistent use
of fonts, headings, color). Work is professional in
appearance and organization
(minor issues allowable but
overall the work contains
appropriate and consistent use
of fonts, headings, color). Work contains minor errors in
word usage, grammar, spelling
or punctuation which do not
significantly impact professional
appearance. All quotations
(copied text) are properly
marked and cited using a
professional format (APA format
recommended but not required.) Errors in word usage, spelling,
grammar, or punctuation which
detract from professional
appearance of the submitted
work. All quotations (copied text)
are properly marked and cited
using a professional format (APA
format recommended but not
required.) Submitted work has
numerous errors in
formatting, organization,
word usage, spelling,
grammar, or punctuation
which detract from
readability and professional
appearance. Punctuation
errors may include failure to
properly mark quoted or
copied material (an attempt
to name original source is
required). Needs Significant
Improvement
4 points Missing or
Unacceptable
0 points An executive summary
was provided but lacked
details as to the purpose
and contents of the policy
No work submitted.
package. (Or,
inappropriate or
excessive copying from
other authors' work.) Needs Significant
Improvement
4 points Missing or
Unacceptable
0 points The policy was built from
a sample template or list
of "recommended" audit
policy contents without
customization for the
No work submitted.
case study company. (Or,
inappropriate or
excessive copying from
other authors' work.) 4 points 0 points The issue specific policy
was disorganized and
difficult to understand.
OR, the policy was
significantly lacking in
content. (Or,
inappropriate or
excessive copying from
other authors' work.) Needs Significant
Improvement
4 points No work submitted. Missing or
Unacceptable
0 points The Security Awareness
audit plan was built from
a sample template or list
of "recommended" audit
plan contents without
No work submitted.
customization for the
case study company. (Or,
inappropriate or
excessive copying from
other authors' work.) 1 point 0 points Audit objectives were
mentioned but not clearly
identified or expressed. Missing or no work
(Or, inappropriate or
submitted.
excessive copying from
other authors' work.) 6 points 0 points The Audit Approach was
disorganized and difficult
to understand. OR, the
approach was
significantly lacking in
content (data collection
No work submitted.
strategy was not clearly
identified). (Or,
inappropriate or
excessive copying from
other authors' work.) 4 points 0 points The IT Security Policies
audit plan was built from
a sample template or list
of "recommended" audit
plan contents without
No work submitted.
customization for the
case study company. (Or,
inappropriate or
excessive copying from
other authors' work.) 1 point 0 points Audit objectives were
mentioned but not clearly
identified or expressed. Missing or no work
(Or, inappropriate or
submitted.
excessive copying from
other authors' work.) 6 points 0 points The Audit Approach was
disorganized and difficult
to understand. OR, the
approach was
significantly lacking in
content (data collection
No work submitted.
strategy was not clearly
identified). (Or,
inappropriate or
excessive copying from
other authors' work.) Needs Significant
Improvement
4 points Missing or
Unacceptable
0 points Submitted work is difficult
to read / understand and
has significant errors in
formatting, appearance /
organization, spelling,
grammar, punctuation, or
word usage. Significant
errors in presentation of
copied text (lacks proper
punctuation and failed to
attribute material to
original source). No work submitted.
OR, work contains
significant instances
of cut-and-paste
without proper citing /
attribution to the
original work or
Project #4: IT Audit Policy and Plans
Company Background & Operating Environment
Use the assigned case study for information about “the company.”
Policy Issue & Plan of Action
The corporate board was recently briefed by the Chief Information Officer concerning the
company’s IT Security Program and how this program contributes to the company’s risk management
strategy. During the briefing, the CIO presented assessment reports and audit findings from IT security
audits. These audits focused upon the technical infrastructure and the effectiveness and efficiency of the
company’s implementation of security controls. During the discussion period, members of the corporate
board asked about audits of policy compliance and assessments as to the degree that employees were
(a) aware of IT security policies and (b) complying with these policies. The Chief Information Officer was
tasked with providing the following items to the board before its next quarterly meeting:
(a) Issue Specific Policy requiring an annual compliance audit for IT security policies as
documented in the company’s Policy System
(b) Audit Plan for assessing employee awareness of and compliance with IT security policies
a. Are employees aware of the IT security policies in the Employee Handbook?
b. Do employees know their responsibilities under those policies?
(c) Audit Plan for assessing the IT security policy system
a. Do required policies exist?
b. Have they been updated within the past year?
c. Are the policies being reviewed and approved by the appropriate oversight
authorities (managers, IT governance board, etc.)?
Your Task Assignment
As a staff member supporting the CISO, you have been asked to research this issue (auditing IT
security policy compliance) and then prepare an “approval draft” for a compliance policy. You must also
research and draft two separate audit plans (a) employee compliance and (b) policy system audit. The
audit policy should not exceed two typed pages in length so you will need to be concise in your writing
and only include the most important elements for the policy. Make sure that you include a requirement
for an assessment report to be provided to company management and the corporate board of directors. For the employee compliance assessment, you must use an interview strategy which
includes 10 or more multiple choice questions that can be used to construct a webbased survey of all employees. The questions should be split between (a) awareness of
key policies and (b) awareness of personal responsibilities in regards to compliance. For the policy system audit, you should use a documentation assessment strategy which
reviews the contents of the individual policies to determine when the policy was last updated, who “owns” the policy, who reviewed the policy, and who approved the policy
for implementation.
Research:
1. Review the weekly readings including the example audit assessment report.
2. Review work completed previously in this course which provides background about the IT Policy
System and specific policies for the case study company.
3. Find additional resources which discuss IT compliance audits and/or policy system audits.
Write:
1. Prepare briefing package with approval drafts of the three required documents. Place all three
documents in a single MS Word (.doc or .docx) files.
2. Your briefing package must contain the following: Executive Summary
“Approval Drafts” for
o Issue Specific Policy for IT Security Policy Compliance Audits
o Audit Plan for IT Security Policy Awareness & Compliance (Employee Survey)
o Audit Plan for IT Security Policies Audit (Documentation Review) As you write your policy and audit plans, make sure that you address security issues using
standard cybersecurity terminology (e.g. 5 Pillars of IA, 5 Pillars of Information Security). See the
resources listed under Course Resources > Cybersecurity Concepts Review for definitions and
terminology.
3. Use a professional format for your policy documents and briefing package. Your policy
documents should be consistently formatted and easy to read.
4. Common phrases do not require citations. If there is doubt as to whether or not information
requires attribution, provide a footnote with publication information or use APA format citations
and references.
5. You are expected to write grammatically correct English in every assignment that you submit for
grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c)
verifying that your punctuation is correct and (d) reviewing your work for correct word usage
and correctly structured sentences and paragraphs.