Security Audits

I’m studying for my Computer Science class and need an explanation.


COMPETENCIES


427.3.3 : Security Audits

The student evaluates the practice of defining and implementing a security audit and conducts an information security audit using industry best practices.

INTRODUCTION


An Information Security Management System (ISMS) represents a systematic approach for designing, implementing, maintaining, and auditing an organization’s information system security objectives. As with any process, if an ISMS is not continually monitored, its effectiveness will tend to deteriorate.

SCENARIO


For this task, you will use the attached “Task 2 Healthy Body Wellness Center Risk Assessment” case study to write a paper defining the scope of an ISMS plan for the Healthy Body Wellness Center and an evaluation of the previously conducted risk assessment.

The first step in initiating an ISMS is to form a committee of upper-level management to create organizational support for the ISMS. Assume you are part of that team. Initiating an ISMS involves developing a plan that includes the scope of the ISMS and identifying and assessing risk. The risk assessment for the Healthy Body Wellness Center has already been conducted. Your task is to define the ISMS scope for the Healthy Body Wellness Center and make recommendations for implementing the resulting ISMS plan.

REQUIREMENTS


Your submission must be your original work. No more than a combined total of 30% of the submission and no more than a 10% match to any one individual source can be directly quoted or closely paraphrased from sources, even if cited correctly.

You must use the rubric to direct the creation of your submission because it provides detailed criteria that will be used to evaluate your work. Each requirement below may be evaluated by more than one rubric aspect. The rubric aspect titles may contain hyperlinks to relevant portions of the course.

A. Create the scope for the ISMS plan being developed in the case study by doing the following:
1. Describe the business objectives being developed in the case study for the organization.
2. Describe the guiding security principles based on the case study.
3. Justify the processes that should be included in the scope. Include the following points for each process:

• what the process is

• how you would apply the process to the scenario

• why the process is needed or should be included in the scope of the ISMS

4. Justify the information systems that should be included in the scope. Include the following points for each information system:

• what the information system that should be included is

• what the duties of the information system are, according to the scenario

• why this information system is needed or should be included in the scope of the ISMS plan

5. Justify the IT infrastructure that should be included in the scope, including a description of the data flow.

B. Recommend additional steps to address all of the identified risks in the case study that the organization would need to take to implement the ISMS plan.
1. Discuss what each recommended step entails based on your evaluation of the conducted risk assessment.
2. Justify each recommended step based on your evaluation of the conducted risk assessment.

C. Acknowledge sources, using in-text citations and references, for content that is quoted, paraphrased, or summarized.

D. Demonstrate professional communication in the content and presentation of your submission.

File Restrictions

File name may contain only letters, numbers, spaces, and these symbols: ! - _ . * ' ( )
File size limit: 200 MB
File types allowed: doc, docx, rtf, xls, xlsx, ppt, pptx, odt, pdf, txt, qt, mov, mpg, avi, mp3, wav, mp4, wma, flv, asf, mpeg, wmv, m4v, svg, tif, tiff, jpeg, jpg, gif, png, zip, rar, tar, 7z

RUBRIC



A1:BUSINESS OBJECTIVES

NOT EVIDENT

Information about business objectives is not provided, or the information about the business objectives is not taken from the case study for the organization.

APPROACHING COMPETENCE

The information about the business objectives being developed is based on the case study, but the information is inaccurate or incomplete.

COMPETENT

The information about the business objectives being developed is clearly and logically based on the case study for the organization, and the information is accurate and complete.

A2:GUIDING SECURITY PRINCIPLES

NOT EVIDENT

A description of the guiding security principles is not provided, or the described guiding security principles are not relevant to the case study.

APPROACHING COMPETENCE

The described guiding security principles are not clearly relevant to the case study or are incomplete.

COMPETENT

The described guiding security principles are relevant to the case study and are complete.

A3:PROCESSES

NOT EVIDENT

A justification is not provided, or the submission does not include a justification for the processes that should be included in the scope. The justification for each process does not include the given points.

APPROACHING COMPETENCE

The justification demonstrates a limited understanding of the processes that should be included in the scope but does not clearly justify why the processes should be included. The submission does not appropriately include the given points for each process.

COMPETENT

The justification demonstrates a clear understanding of the processes and why they should be included in the scope. The submission appropriately includes the given points for each process.

A4:INFORMATION SYSTEMS

NOT EVIDENT

A justification is not provided, or the submission does not include a justification for the information systems that should be included in the scope. The justification for each information system does not include the given points.

APPROACHING COMPETENCE

The justification demonstrates a limited understanding of the information systems that should be included in the scope but does not clearly justify why the information systems should be included. The submission does not accurately include the given points for each information system.

COMPETENT

The justification demonstrates a clear understanding of the information systems and why they should be included in the scope. The submission accurately includes the given points for each information system.

A5:IT INFRASTRUCTURE

NOT EVIDENT

A justification is not provided, or the submission does not include a justification for the IT infrastructure that should be included in the scope. The submission does not include a description of the data flow.

APPROACHING COMPETENCE

The justification demonstrates a limited understanding of the IT infrastructure that should be included in the scope but does not clearly justify why the IT infrastructure should be included. The description of the data flow is inaccurate or incomplete.

COMPETENT

The justification demonstrates a clear understanding of the IT infrastructure and why it should be included in the scope. The description of the data flow is accurate and complete.

B:ADDITIONAL STEPS

NOT EVIDENT

A recommendation is not provided, or the recommendation does not include additional steps to address the identified risks in the case study that the organization would need to take to implement the ISMS plan.

APPROACHING COMPETENCE

The submission recommends additional steps to address all of the identified risks in the case study that the organization would need to take to implement the ISMS plan, but not all of the recommended steps are clearly relevant to the conducted risk assessment in the case study.

COMPETENT

The submission recommends additional steps to address all of the identified risks in the case study that the organization would need to take to implement the ISMS plan, and the recommended steps are relevant to the conducted risk assessment in the case study.

B1:DISCUSSION

NOT EVIDENT

A discussion is not provided, the response does not discuss what each recommended step entails, or the discussion of each step is not based on the evaluation of the conducted risk assessment.

APPROACHING COMPETENCE

The discussion includes what each recommended step entails, but it is not clearly based on the evaluation of the conducted risk assessment in the case study.

COMPETENT

The discussion includes what each recommended step entails, and it is clearly based on the evaluation of the conducted risk assessment in the case study.

B2:JUSTIFICATION

NOT EVIDENT

A justification is not provided, the submission does not include a justification for each recommended step, or the justifications for each step are not based on the evaluation of the conducted risk assessment.

APPROACHING COMPETENCE

The submission demonstrates a limited understanding of the reasons for each recommended step, but the reasons do not clearly justify each recommended step based on the evaluation of the conducted risk assessment in the case study.

COMPETENT

The submission demonstrates a clear understanding of the reasons for each recommended step, and the reasons justify each recommended step based on the evaluation of the conducted risk assessment in the case study.

C:SOURCES

NOT EVIDENT

The submission does not include both in-text citations and a reference list for sources that are quoted, paraphrased, or summarized.

APPROACHING COMPETENCE

The submission includes in-text citations for sources that are quoted, paraphrased, or summarized, and a reference list; however, the citations and/or reference list is incomplete or inaccurate.

COMPETENT

The submission includes in-text citations for sources that are properly quoted, paraphrased, or summarized and a reference list that accurately identifies the author, date, title, and source location as available.

D:PROFESSIONAL COMMUNICATION

NOT EVIDENT

Content is unstructured, is disjointed, or contains pervasive errors in mechanics, usage, or grammar. Vocabulary or tone is unprofessional or distracts from the topic.

APPROACHING COMPETENCE

Content is poorly organized, is difficult to follow, or contains errors in mechanics, usage, or grammar that cause confusion. Terminology is misused or ineffective.

COMPETENT

Content reflects attention to detail, is organized, and focuses on the main ideas as prescribed in the task or chosen by the candidate. Terminology is pertinent, is used correctly, and effectively conveys the intended meaning. Mechanics, usage, and grammar promote accurate interpretation and understanding.
