Project Assignment
12/2/21, 6:52 PM Project 3 - IT Security Audit Policy & Plans - CSIA 413 7381 Cybers…licy, Plans, and Programs (2218) - UMGC Learning Management System
Page 1 of 5 https://learn.umgc.edu/d2l/lms/dropbox/user/folder_submit_files.d2l?db=1156965&grpid=0&isprv=0&bp=0&ou=616134
Project 3: IT Audit Policy & Plans Course: CSIA 413 7381 Cybersecurity Policy, Plans, and Programs (2218)

Executive Summary

Criterion: Executive Summary for the Policy Briefing Package (Criterion Score: / 10)

Excellent (10 points): The Executive Summary provided an excellent summary of the policy package's purpose and contents. Information about the case study company was well integrated into the summary. Each policy was individually introduced and clearly explained. The material was well organized and easy to read.

Outstanding (8.5 points): The Executive Summary provided an outstanding summary of the policy package's purpose and contents. Information about the case study company was integrated into the summary. Each policy in the briefing package was individually introduced and briefly explained. The material was well organized and easy to read.

Acceptable (7 points): The Executive Summary provided an acceptable overview of the contents of the policy package. Information about the case study company was used in the summary. Each policy in the briefing package was named and briefly explained.

Needs Improvement (6 points): The Executive Summary provided an overview of the policy package. Information about the case study company was mentioned.

Needs Significant Improvement (4 points): An executive summary was provided but lacked details as to the purpose and contents of the policy package. (Or, inappropriate or excessive copying from other authors' work.)

Missing or Unacceptable (0 points): No work submitted.

Policy for IT Security Policy Compliance Audits

Criterion: Policy Introduction (Criterion Score: / 10)

Excellent (10 points): The policy contained an excellent introduction which addressed five or more specific characteristics of the company's business, legal & regulatory, and/or enterprise IT environments and addressed the reasons why employees must comply with this policy. Compliance requirements are addressed and contact information is provided for questions about the policy.

Outstanding (8.5 points): The policy contained an outstanding introduction which addressed three or more specific characteristics of the company's business, legal & regulatory, and/or enterprise IT environments and addressed the reasons why employees must comply with this policy. Compliance requirements are addressed and contact information is provided for questions about the policy.

Acceptable (7 points): The introduction for the policy was customized for the case study company. Three or more specific characteristics of the company's business, legal & regulatory, and/or enterprise IT environments were incorporated into the policy. Compliance requirements were addressed.

Needs Improvement (6 points): The introduction to the policy mentions the case study company and compliance requirements.

Needs Significant Improvement (4 points): The policy was built from a sample template or list of "recommended" audit policy contents without customization for the case study company. (Or, inappropriate or excessive copying from other authors' work.)

Missing or Unacceptable (0 points): No work submitted.

Criterion: Policy Content (Criterion Score: / 10)

Excellent (10 points): The issue specific policy provided excellent (clear and concise) coverage of the following:
  - policy issue (do required policies exist and have they been properly vetted & approved)
  - policy solution (auditing all IT security policies to determine compliance with security controls)
  - applicability (to what and to whom the policy applies)
  - compliance requirements
  - point of contact (for more information)
The policy was easy to understand and thoroughly covered the required content.

Outstanding (8.5 points): The issue specific policy provided outstanding coverage of the following:
  - policy issue (do required policies exist and have they been properly vetted & approved)
  - policy solution (auditing all IT security policies to determine compliance with security controls)
  - applicability (to what and to whom the policy applies)
  - compliance requirements
  - point of contact (for more information)
The policy was easy to understand and addressed all required content.

Acceptable (7 points): The issue specific policy provided adequate coverage of the following:
  - policy issue (do required policies exist and have they been properly vetted & approved)
  - policy solution (auditing all IT security policies to determine compliance with security controls)
  - applicability (to what and to whom the policy applies)
  - compliance requirements
  - point of contact (for more information)
The policy was easy to understand and included all required content.

Needs Improvement (6 points): The issue specific policy mentioned at least 3 of the following:
  - policy issue (do required policies exist and have they been properly vetted & approved)
  - policy solution (auditing all IT security policies to determine compliance with security controls)
  - applicability (to what and to whom the policy applies)
  - compliance requirements
  - point of contact (for more information)

Needs Significant Improvement (4 points): The issue specific policy was disorganized and difficult to understand. OR, the policy was significantly lacking in content. (Or, inappropriate or excessive copying from other authors' work.)

Missing or Unacceptable (0 points): No work submitted.

Audit Plans

Criterion: Security Awareness Audit Plan: Audit Background (Criterion Score: / 10)

Excellent (10 points): The Security Awareness audit plan contained an excellent background section which identified and discussed 5 or more risks which drive the requirements and objectives for this audit. IT security controls for security awareness (AT family of controls from NIST SP 800-53) and related compliance requirements were identified and discussed. Contact information was provided for the audit manager. Information from the case study was well integrated into the background material.

Outstanding (8.5 points): The Security Awareness audit plan contained an outstanding background section which identified and discussed 3 or more risks which drive the requirements and objectives for this audit. IT security controls for security awareness (AT family of controls from NIST SP 800-53) and related compliance requirements were identified and discussed. Contact information was provided for the audit manager. Information from the case study was well integrated into the background material.

Acceptable (7 points): The Security Awareness audit plan contained an acceptable background section which discussed one or more risks which drive the requirements and objectives for this audit. IT security controls for security awareness (AT family of controls from NIST SP 800-53) and related compliance requirements were discussed. Contact information was provided for the audit manager. Some information from the case study was integrated into the background material.

Needs Improvement (6 points): The background section mentions risks as drivers for the Security Awareness audit. Security controls and compliance requirements were mentioned. Information from the case study was used.

Needs Significant Improvement (4 points): The Security Awareness audit plan was built from a sample template or list of "recommended" audit plan contents without customization for the case study company. (Or, inappropriate or excessive copying from other authors' work.)

Missing or Unacceptable (0 points): No work submitted.

Criterion: Security Awareness Audit Plan: Audit Objectives (Criterion Score: / 5)

Excellent (5 points): A clear and concise set of audit objectives were presented. These objectives addressed (and named) each security control in the Awareness & Training (AT) family (as listed in NIST SP 800-53).

Outstanding (4 points): A well written set of audit objectives were presented. The audit objectives addressed (and named) 4 or more security controls in the Awareness & Training (AT) family (as listed in NIST SP 800-53).

Acceptable (3 points): Three or more audit objectives were presented. Each objective was mapped to a specific security control from the Awareness & Training (AT) family (as listed in NIST SP 800-53).

Needs Improvement (2 points): Audit objectives were mentioned and discussed. But, the objectives were not clearly identified or were not tied to security controls from the Awareness & Training (AT) family.

Needs Significant Improvement (1 point): Audit objectives were mentioned but not clearly identified or expressed. (Or, inappropriate or excessive copying from other authors' work.)

Missing or Unacceptable (0 points): Missing or no work submitted.

Criterion: Security Awareness Audit Plan: Audit Approach (Criterion Score: / 15)

Excellent (15 points): The Audit Approach clearly and concisely identified and described the major elements in the data collection strategy (what data will be collected, how it will be collected, what will be measured). The data collection strategy was supported by a checklist (for a document review) or list of questions (for a survey). The relationship between the audit approach and the measurement of the effectiveness of the security controls implementation was explained.

Outstanding (13.5 points): The Audit Approach clearly identified the major elements in the data collection strategy (what data will be collected, how it will be collected, what will be measured). The data collection strategy was supported by a checklist (for a document review) or list of questions (for a survey). The relationship between the audit approach and the measurement of the effectiveness of the security controls implementation was clearly stated.

Acceptable (12 points): The Audit Approach adequately addressed the data collection strategy and provided sufficient information that the reader could understand how the effectiveness of the security controls implementation would be determined.

Needs Improvement (10.5 points): Organization and appearance need improvement. The Audit Approach addressed the data collection strategy and provided some information about how compliance would be measured.

Needs Significant Improvement (6 points): The Audit Approach was disorganized and difficult to understand. OR, the approach was significantly lacking in content (data collection strategy was not clearly identified). (Or, inappropriate or excessive copying from other authors' work.)

Missing or Unacceptable (0 points): No work submitted.

Criterion: IT Security Policies Audit Plan: Audit Background (Criterion Score: / 10)

Excellent (10 points): The IT Security Policies audit plan contained an excellent background section which identified and discussed 5 or more risks which drive the requirements and objectives for this audit. The 18 IT security policies & procedures security controls (e.g. AC-1, AT-1, etc. in NIST SP 800-53) were identified and discussed. Five or more additional controls from the PM & PL families were also addressed. Contact information was provided for the audit manager. Information from the case study was well integrated into the background material.

Outstanding (8.5 points): The IT Security Policies audit plan contained an outstanding background section which identified and discussed 3 or more risks which drive the requirements and objectives for this audit. At least 12 IT security policies & procedures security controls (e.g. AC-1, AT-1, etc. in NIST SP 800-53) were identified and discussed. Three or more additional controls from the PM & PL families were also addressed. Contact information was provided for the audit manager. Information from the case study was well integrated into the background material.

Acceptable (7 points): The IT Security Policies audit plan contained an acceptable background section which identified 3 or more risks which drive the requirements and objectives for this audit. At least 10 IT security policies & procedures security controls (e.g. AC-1, AT-1, etc. in NIST SP 800-53) were identified and discussed. Three or more additional controls from the PM & PL families were also addressed. Contact information was provided for the audit manager. Information from the case study was integrated into the background material.

Needs Improvement (6 points): The background section mentions risks as drivers for the IT Security Policies audit. Security controls and compliance requirements were mentioned. Information from the case study was used.

Needs Significant Improvement (4 points): The IT Security Policies audit plan was built from a sample template or list of "recommended" audit plan contents without customization for the case study company. (Or, inappropriate or excessive copying from other authors' work.)

Missing or Unacceptable (0 points): No work submitted.

Criterion: IT Security Policies Audit Plan: Audit Objectives (Criterion Score: / 5)

Excellent (5 points): A clear and concise set of audit objectives were presented. These objectives addressed (and named) all 18 policy & procedures security controls (e.g. AC-1, AT-1 as listed in NIST SP 800-53).

Outstanding (4 points): A well written set of audit objectives were presented. These objectives addressed (and named) at least 12 of the policy & procedures security controls (e.g. AC-1, AT-1 as listed in NIST SP 800-53).

Acceptable (3 points): Three or more audit objectives were presented. These objectives addressed (and named) at least 10 of the policy & procedures security controls (e.g. AC-1, AT-1 as listed in NIST SP 800-53).

Needs Improvement (2 points): Audit objectives were mentioned and discussed. But, the objectives were not clearly identified or were not tied to policy & procedures IT security controls from NIST SP 800-53.

Needs Significant Improvement (1 point): Audit objectives were mentioned but not clearly identified or expressed. (Or, inappropriate or excessive copying from other authors' work.)

Missing or Unacceptable (0 points): Missing or no work submitted.

Criterion: IT Security Policies Audit Plan: Audit Approach (Criterion Score: / 15)

Excellent (15 points): The Audit Approach clearly and concisely identified and described the major elements in the data collection strategy (what data will be collected, how it will be collected, what will be measured). The data collection strategy was supported by a checklist (for a document review) or list of questions (for a survey). The relationship between the audit approach and the measurement of the effectiveness of the security controls implementation was explained.

Outstanding (13.5 points): The Audit Approach clearly identified the major elements in the data collection strategy (what data will be collected, how it will be collected, what will be measured). The data collection strategy was supported by a checklist (for a document review) or list of questions (for a survey). The relationship between the audit approach and the measurement of the effectiveness of the security controls implementation was clearly stated.

Acceptable (12 points): The Audit Approach adequately addressed the data collection strategy and provided sufficient information that the reader could understand how the effectiveness of the security controls implementation would be determined.

Needs Improvement (10.5 points): Organization and appearance need improvement. The Audit Approach addressed the data collection strategy and provided some information about how compliance would be measured.

Needs Significant Improvement (6 points): The Audit Approach was disorganized and difficult to understand. OR, the approach was significantly lacking in content (data collection strategy was not clearly identified). (Or, inappropriate or excessive copying from other authors' work.)

Missing or Unacceptable (0 points): No work submitted.

Professionalism

Criterion: Execution (Criterion Score: / 10)

Excellent (10 points): Work is professional in appearance and organization (appropriate and consistent use of fonts, headings, color). No word usage, grammar, spelling, or punctuation errors. All quotations (copied text) are properly marked and cited using a professional format (APA format recommended but not required.)

Outstanding (8.5 points): Work is professional in appearance and organization (appropriate and consistent use of fonts, headings, color). Work contains minor errors in word usage, grammar, spelling or punctuation which do not significantly impact professional appearance. All quotations (copied text) are properly marked and cited using a professional format (APA format recommended but not required.)

Acceptable (7 points): Work is professional in appearance and organization (minor issues allowable but overall the work contains appropriate and consistent use of fonts, headings, color). Errors in word usage, spelling, grammar, or punctuation which detract from professional appearance of the submitted work. All quotations (copied text) are properly marked and cited using a professional format (APA format recommended but not required.)

Needs Improvement (6 points): Submitted work has numerous errors in formatting, organization, word usage, spelling, grammar, or punctuation which detract from readability and professional appearance. Punctuation errors may include failure to properly mark quoted or copied material (an attempt to name original source is required).

Needs Significant Improvement (4 points): Submitted work is difficult to read / understand and has significant errors in formatting, appearance / organization, spelling, grammar, punctuation, or word usage. Significant errors in presentation of copied text (lacks proper punctuation and failed to attribute material to original source).

Missing or Unacceptable (0 points): No work submitted. OR, work contains significant instances of cut-and-paste without proper citing / attribution to the original work or author.

Total: / 100

Overall Score
Do Not Use This Block: 0 points minimum