Audit-Plans-and-Policies

The Executive Summary provided an excellent summary of the policy package’s purpose and contents. Information about the case study company was well integrated into the summary. Each policy was individually introduced and clearly explained. The material was well organized and easy to read.

The Executive Summary provided an outstanding summary of the policy package’s purpose and contents. Information about the case study company was integrated into the summary. Each policy in the briefing package was individually introduced and briefly explained. The material was well organized and easy to read.

The Executive Summary provided an acceptable overview of the contents of the policy package. Information about the case study company was used in the summary. Each policy in the briefing package was named and briefly explained.

The Executive Summary provided an overview of the policy package. Information about the case study company was mentioned.

An executive summary was provided but lacked details as to the purpose and contents of the policy package. (Or, inappropriate or excessive copying from other authors’ work.)

No work submitted.

The policy contained an excellent introduction which addressed five or more specific characteristics of the company’s business, legal & regulatory, and/or enterprise IT environments and addressed the reasons why employees must comply with this policy. Compliance requirements are addressed and contact information is provided for questions about the policy.

The policy contained an outstanding introduction which addressed three or more specific characteristics of the company’s business, legal & regulatory, and/or enterprise IT environments and addressed the reasons why employees must comply with this policy. Compliance requirements are addressed and contact information is provided for questions about the policy.

The introduction for the policy was customized for the case study company. Three or more specific characteristics of the company’s business, legal & regulatory, and/or enterprise IT environments were incorporated into the policy. Compliance requirements were addressed.

The introduction to the policy mentions the case study company and compliance requirements.

The policy was built from a sample template or list of “recommended” audit policy contents without customization for the case study company. (Or, inappropriate or excessive copying from other authors’ work.)

No work submitted.

The issue specific policy provided excellent (clear and concise) coverage of the following:

• policy issue (do required policies exist and have they been properly vetted & approved)
• policy solution (auditing all IT security policies to determine compliance with security controls)
• applicability (to what and to whom the policy applies)
• compliance requirements
• point of contact (for more information)

The policy was easy to understand and thoroughly covered the required content.

The issue specific policy provided outstanding coverage of the following:

• policy issue (do required policies exist and have they been properly vetted & approved)
• policy solution (auditing all IT security policies to determine compliance with security controls)
• applicability (to what and to whom the policy applies)
• compliance requirements
• point of contact (for more information)

The policy was easy to understand and addressed all required content.

The issue specific policy provided adequate coverage of the following:

• policy issue (do required policies exist and have they been properly vetted & approved)
• policy solution (auditing all IT security policies to determine compliance with security controls)
• applicability (to what and to whom the policy applies)
• compliance requirements
• point of contact (for more information)

The policy was easy to understand and included all required content.

The issue specific policy mentioned at least 3 of the following:

• policy issue (do required policies exist and have they been properly vetted & approved)
• policy solution (auditing all IT security policies to determine compliance with security controls)
• applicability (to what and to whom the policy applies)
• compliance requirements
• point of contact (for more information)

The issue specific policy was disorganized and difficult to understand. OR, the policy was significantly lacking in content. (Or, inappropriate or excessive copying from other authors’ work.)

No work submitted.

The Security Awareness audit plan contained an excellent background section which identified and discussed 5 or more risks which drive the requirements and objectives for this audit. IT security controls for security awareness (AT family of controls from NIST SP 800-53) and related compliance requirements were identified and discussed. Contact information was provided for the audit manager. Information from the case study was well integrated into the background material.

The Security Awareness audit plan contained an outstanding background section which identified and discussed 3 or more risks which drive the requirements and objectives for this audit. IT security controls for security awareness (AT family of controls from NIST SP 800-53) and related compliance requirements were identified and discussed. Contact information was provided for the audit manager. Information from the case study was well integrated into the background material.

The Security Awareness audit plan contained an acceptable background section which discussed one or more risks which drive the requirements and objectives for this audit. IT security controls for security awareness (AT family of controls from NIST SP 800-53) and related compliance requirements were discussed. Contact information was provided for the audit manager. Some information from the case study was integrated into the background material.

The background section mentions risks as drivers for the Security Awareness audit. Security controls and compliance requirements were mentioned. Information from the case study was used.

The Security Awareness audit plan was built from a sample template or list of “recommended” audit plan contents without customization for the case study company. (Or, inappropriate or excessive copying from other authors’ work.)

No work submitted.

A clear and concise set of audit objectives were presented. These objectives addressed (and named) each security control in the Awareness & Training (AT) family (as listed in NIST SP 800-53).

A well written set of audit objectives were presented. The audit objectives addressed (and named) 4 or more security controls in the Awareness & Training (AT) family (as listed in NIST SP 800-53).

Three or more audit objectives were presented. Each objective was mapped to a specific security control from the Awareness & Training (AT) family (as listed in NIST SP 800-53).

Audit objectives were mentioned and discussed. But, the objectives were not clearly identified or were not tied to security controls from the Awareness & Training (AT) family.

Audit objectives were mentioned but not clearly identified or expressed. (Or, inappropriate or excessive copying from other authors’ work.)

Missing or no work submitted.

The Audit Approach clearly and concisely identified and described the major elements in the data collection strategy (what data will be collected, how it will be collected, what will be measured). The data collection strategy was supported by a checklist (for a document review) or list of questions (for a survey). The relationship between the audit approach and the measurement of the effectiveness of the security controls implementation was explained.

The Audit Approach clearly identified the major elements in the data collection strategy (what data will be collected, how it will be collected, what will be measured). The data collection strategy was supported by a checklist (for a document review) or list of questions (for a survey). The relationship between the audit approach and the measurement of the effectiveness of the security controls implementation was clearly stated.

The Audit Approach adequately addressed the data collection strategy and provided sufficient information that the reader could understand how the effectiveness of the security controls implementation would be determined.

Organization and appearance need improvement. The Audit Approach addressed the data collection strategy and provided some information about how compliance would be measured.

The Audit Approach was disorganized and difficult to understand. OR, the approach was significantly lacking in content (data collection strategy was not clearly identified). (Or, inappropriate or excessive copying from other authors’ work.)

No work submitted.

The IT Security Policies audit plan contained an excellent background section which identified and discussed 5 or more risks which drive the requirements and objectives for this audit.

The 18 IT security policies & procedures security controls (e.g. AC-1, AT-1, etc. in NIST SP 800-53) were identified and discussed. Five or more additional controls from the PM & PL families were also addressed. Contact information was provided for the audit manager. Information from the case study was well integrated into the background material.

The IT Security Policies audit plan contained an outstanding background section which identified and discussed 3 or more risks which drive the requirements and objectives for this audit.

At least 12 IT security policies & procedures security controls (e.g. AC-1, AT-1, etc. in NIST SP 800-53) were identified and discussed. Three or more additional controls from the PM & PL families were also addressed. Contact information was provided for the audit manager. Information from the case study was well integrated into the background material.

The IT Security Policies audit plan contained an acceptable background section which identified 3 or more risks which drive the requirements and objectives for this audit.

At least 10 IT security policies & procedures security controls (e.g. AC-1, AT-1, etc. in NIST SP 800-53) were identified and discussed. Three or more additional controls from the PM & PL families were also addressed. Contact information was provided for the audit manager. Information from the case study was integrated into the background material.

The background section mentions risks as drivers for the IT Security Policies audit. Security controls and compliance requirements were mentioned. Information from the case study was used.

The IT Security Policies audit plan was built from a sample template or list of “recommended” audit plan contents without customization for the case study company. (Or, inappropriate or excessive copying from other authors’ work.)

No work submitted.

A clear and concise set of audit objectives were presented. These objectives addressed (and named) all 18 policy & procedures security controls (e.g. AC-1, AT-1 as listed in NIST SP 800-53).

A well written set of audit objectives were presented. These objectives addressed (and named) at least 12 of the policy & procedures security controls (e.g. AC-1, AT-1 as listed in NIST SP 800-53).

Three or more audit objectives were presented. These objectives addressed (and named) at least 10 of the policy & procedures security controls (e.g. AC-1, AT-1 as listed in NIST SP 800-53).

Audit objectives were mentioned and discussed. But, the objectives were not clearly identified or were not tied to policy & procedures IT security controls from NIST SP 800-53.

Audit objectives were mentioned but not clearly identified or expressed. (Or, inappropriate or excessive copying from other authors’ work.)

Missing or no work submitted.

The Audit Approach clearly and concisely identified and described the major elements in the data collection strategy (what data will be collected, how it will be collected, what will be measured). The data collection strategy was supported by a checklist (for a document review) or list of questions (for a survey). The relationship between the audit approach and the measurement of the effectiveness of the security controls implementation was explained.

The Audit Approach clearly identified the major elements in the data collection strategy (what data will be collected, how it will be collected, what will be measured). The data collection strategy was supported by a checklist (for a document review) or list of questions (for a survey). The relationship between the audit approach and the measurement of the effectiveness of the security controls implementation was clearly stated.

The Audit Approach adequately addressed the data collection strategy and provided sufficient information that the reader could understand how the effectiveness of the security controls implementation would be determined.

Organization and appearance need improvement. The Audit Approach addressed the data collection strategy and provided some information about how compliance would be measured.

The Audit Approach was disorganized and difficult to understand. OR, the approach was significantly lacking in content (data collection strategy was not clearly identified). (Or, inappropriate or excessive copying from other authors’ work.)

No work submitted.

Work is professional in appearance and organization (appropriate and consistent use of fonts, headings, color).

No word usage, grammar, spelling, or punctuation errors. All quotations (copied text) are properly marked and cited using a professional format (APA format recommended but not required.)

Work is professional in appearance and organization (appropriate and consistent use of fonts, headings, color).

Work contains minor errors in word usage, grammar, spelling or punctuation which do not significantly impact professional appearance. All quotations (copied text) are properly marked and cited using a professional format (APA format recommended but not required.)

Work is professional in appearance and organization (minor issues allowable but overall the work contains appropriate and consistent use of fonts, headings, color).

Errors in word usage, spelling, grammar, or punctuation which detract from professional appearance of the submitted work. All quotations (copied text) are properly marked and cited using a professional format (APA format recommended but not required.)

Submitted work has numerous errors in formatting, organization, word usage, spelling, grammar, or punctuation which detract from readability and professional appearance. Punctuation errors may include failure to properly mark quoted or copied material (an attempt to name original source is required).

Submitted work is difficult to read / understand and has significant errors in formatting, appearance / organization, spelling, grammar, punctuation, or word usage. Significant errors in presentation of copied text (lacks proper punctuation and failed to attribute material to original source).

No work submitted. OR, work contains significant instances of cut-and-paste without proper citing / attribution to the original work or author.