security audits 1

COMPETENCIES


427.3.3 : Security Audits


The student evaluates the practice of defining and implementing a security audit and conducts an information security audit using industry best practices.

INTRODUCTION


An Information Security Management System (ISMS) represents a systematic approach for designing, implementing, maintaining, and auditing an organization’s information system security objectives. As with any process, if an ISMS is not continually monitored, its effectiveness will tend to deteriorate.

SCENARIO


For this task, you will use the attached “Task 2 Healthy Body Wellness Center Risk Assessment” case study to write a paper defining the scope of an ISMS plan for the Healthy Body Wellness Center and an evaluation of the previously conducted risk assessment.

The first step in initiating an ISMS is to form a committee of upper-level management to create organizational support for the ISMS. Assume you are part of that team. Initiating an ISMS involves developing a plan that includes the scope of the ISMS and identifying and assessing risk. The risk assessment for the Healthy Body Wellness Center has already been conducted. Your task is to define the ISMS scope for the Healthy Body Wellness Center and make recommendations for implementing the resulting ISMS plan.

REQUIREMENTS


Your submission must be your original work. No more than a combined total of 30% of the submission and no more than a 10% match to any one individual source can be directly quoted or closely paraphrased from sources, even if cited correctly.

You must use the rubric to direct the creation of your submission because it provides detailed criteria that will be used to evaluate your work. Each requirement below may be evaluated by more than one rubric aspect. The rubric aspect titles may contain hyperlinks to relevant portions of the course.

A. Create the scope for the ISMS plan being developed in the case study by doing the following:
1. Describe the business objectives being developed in the case study for the organization.
2. Describe the guiding security principles based on the case study.
3. Justify the processes that should be included in the scope. Include the following points for each process:

• what the process is

• how you would apply the process to the scenario

• why the process is needed or should be included in the scope of the ISMS

4. Justify the information systems that should be included in the scope. Include the following points for each information system:

• what the information system is

• what the duties of the information system are, according to the scenario

• why this information system is needed or should be included in the scope of the ISMS plan

5. Justify the IT infrastructure that should be included in the scope, including a description of the data flow.

B. Recommend additional steps to address all of the identified risks in the case study that the organization would need to take to implement the ISMS plan.
1. Discuss what each recommended step entails based on your evaluation of the conducted risk assessment.
2. Justify each recommended step based on your evaluation of the conducted risk assessment.

C. Acknowledge sources, using in-text citations and references, for content that is quoted, paraphrased, or summarized.

D. Demonstrate professional communication in the content and presentation of your submission.

File Restrictions

File name may contain only letters, numbers, spaces, and these symbols: ! – _ . * ‘ ( )
File size limit: 200 MB
File types allowed: doc, docx, rtf, xls, xlsx, ppt, pptx, odt, pdf, txt, qt, mov, mpg, avi, mp3, wav, mp4, wma, flv, asf, mpeg, wmv, m4v, svg, tif, tiff, jpeg, jpg, gif, png, zip, rar, tar, 7z

RUBRIC

A1:BUSINESS OBJECTIVES

NOT EVIDENT

Information about business objectives is not provided, or the information about the business objectives is not taken from the case study for the organization.

APPROACHING COMPETENCE

The information about the business objectives being developed is based on the case study, but the information is inaccurate or incomplete.

COMPETENT

The information about the business objectives being developed is clearly and logically based on the case study for the organization, and the information is accurate and complete.

A2:GUIDING SECURITY PRINCIPLES

NOT EVIDENT

A description of the guiding security principles is not provided, or the described guiding security principles are not relevant to the case study.

APPROACHING COMPETENCE

The described guiding security principles are not clearly relevant to the case study or are incomplete.

COMPETENT

The described guiding security principles are relevant to the case study and are complete.

A3:PROCESSES

NOT EVIDENT

A justification is not provided, or the submission does not include a justification for the processes that should be included in the scope. The justification for each process does not include the given points.

APPROACHING COMPETENCE

The justification demonstrates a limited understanding of the processes that should be included in the scope but does not clearly justify why the processes should be included. The submission does not appropriately include the given points for each process.

COMPETENT

The justification demonstrates a clear understanding of the processes and why they should be included in the scope. The submission appropriately includes the given points for each process.

A4:INFORMATION SYSTEMS

NOT EVIDENT

A justification is not provided, or the submission does not include a justification for the information systems that should be included in the scope. The justification for each information system does not include the given points.

APPROACHING COMPETENCE

The justification demonstrates a limited understanding of the information systems that should be included in the scope but does not clearly justify why the information systems should be included. The submission does not accurately include the given points for each information system.

COMPETENT

The justification demonstrates a clear understanding of the information systems and why they should be included in the scope. The submission accurately includes the given points for each information system.

A5:IT INFRASTRUCTURE

NOT EVIDENT

A justification is not provided, or the submission does not include a justification for the IT infrastructure that should be included in the scope. The submission does not include a description of the data flow.

APPROACHING COMPETENCE

The justification demonstrates a limited understanding of the IT infrastructure that should be included in the scope but does not clearly justify why the IT infrastructure should be included. The description of the data flow is inaccurate or incomplete.

COMPETENT

The justification demonstrates a clear understanding of the IT infrastructure and why it should be included in the scope. The description of the data flow is accurate and complete.

B:ADDITIONAL STEPS

NOT EVIDENT

A recommendation is not provided, or the recommendation does not include additional steps to address the identified risks in the case study that the organization would need to take to implement the ISMS plan.

APPROACHING COMPETENCE

The submission recommends additional steps to address all of the identified risks in the case study that the organization would need to take to implement the ISMS plan, but not all of the recommended steps are clearly relevant to the conducted risk assessment in the case study.

COMPETENT

The submission recommends additional steps to address all of the identified risks in the case study that the organization would need to take to implement the ISMS plan, and the recommended steps are relevant to the conducted risk assessment in the case study.

B1:DISCUSSION

NOT EVIDENT

A discussion is not provided, the response does not discuss what each recommended step entails, or the discussion of each step is not based on the evaluation of the conducted risk assessment.

APPROACHING COMPETENCE

The discussion includes what each recommended step entails, but it is not clearly based on the evaluation of the conducted risk assessment in the case study.

COMPETENT

The discussion includes what each recommended step entails, and it is clearly based on the evaluation of the conducted risk assessment in the case study.

B2:JUSTIFICATION

NOT EVIDENT

A justification is not provided, the submission does not include a justification for each recommended step, or the justifications for each step are not based on the evaluation of the conducted risk assessment.

APPROACHING COMPETENCE

The submission demonstrates a limited understanding of the reasons for each recommended step, but the reasons do not clearly justify each recommended step based on the evaluation of the conducted risk assessment in the case study.

COMPETENT

The submission demonstrates a clear understanding of the reasons for each recommended step, and the reasons justify each recommended step based on the evaluation of the conducted risk assessment in the case study.

C:SOURCES

NOT EVIDENT

The submission does not include both in-text citations and a reference list for sources that are quoted, paraphrased, or summarized.

APPROACHING COMPETENCE

The submission includes in-text citations for sources that are quoted, paraphrased, or summarized, and a reference list; however, the citations and/or reference list is incomplete or inaccurate.

COMPETENT

The submission includes in-text citations for sources that are properly quoted, paraphrased, or summarized and a reference list that accurately identifies the author, date, title, and source location as available.

D:PROFESSIONAL COMMUNICATION

NOT EVIDENT

Content is unstructured, is disjointed, or contains pervasive errors in mechanics, usage, or grammar. Vocabulary or tone is unprofessional or distracts from the topic.

APPROACHING COMPETENCE

Content is poorly organized, is difficult to follow, or contains errors in mechanics, usage, or grammar that cause confusion. Terminology is misused or ineffective.

COMPETENT

Content reflects attention to detail, is organized, and focuses on the main ideas as prescribed in the task or chosen by the candidate. Terminology is pertinent, is used correctly, and effectively conveys the intended meaning. Mechanics, usage, and grammar promote accurate interpretation and understanding.
