School: Collin County Community College District
Course: 2341
Subject: Information Systems
Date: Apr 3, 2024
Type: docx
Pages: 8
Uploaded by DeaconTurkey1941
Information Security Program Plan Grading Sheet

Name:

Columns: Item # | Item | Points Available Per Item | Points Received | Comments

1. Paper delivered on time. Points available: 5

2. Paper includes the following items: Title page, Table of Contents, Abbreviations and Acronyms, Definitions, References. Points available: 2

3. Please identify in Appendix D those fellow students, prior students, current and past professors, or others that you worked with in completing your paper, and identify which section(s) they assisted you with. If you did not collaborate with anyone, please provide the following statement in Appendix D: "I did not collaborate with anyone in producing this paper." Points available: 5

4. Paper has an Introduction, with Purpose, Scope, Background, and/or Assumptions/Constraints. Points available: 2

5. Paper has Vision, Mission, Objectives. Points available: 1

6. Paper has a Legal and Privacy section with the required items. Points available: 20
   a. Paper identifies laws, statutes, and regulations that you believe apply (does not have to be exhaustive). Maximum page length is 5 pages; if more than 5 pages, 3 points will be taken off. Points available: 4
   b. Paper discusses how you are going to interface with the Chief Privacy Office. Points available: 8
   c. Paper discusses/identifies whether you are going to implement a Privacy Impact Analysis and discusses when you are going to use the Privacy Impact Analysis. Points available: 8

7. Paper has an Information Security section with the required items. Points available: 180
   a) Paper identifies and discusses Key Enterprise Team Members and their roles and responsibilities. Must identify roles and responsibilities for the Board of Trustees, the Executive Management Team, and other College leaders critical to your security program. Must include Security Steering Committee roles and responsibilities and identify who the key members are. Points available: 10
   b) Paper produces a RACI Matrix that assigns RACI responsibilities for each Key Team Member identified in Section 4.1. Use a table or spreadsheet for accomplishing this task. Points available: 5
   c) Paper provides a RACI Matrix that assigns RACI responsibilities for each security function for the CISO's team and the CIO's team, as identified in the table provided in the Project Plan Assignment slide #19. A table as used in the Project Plan Assignment slide #19 should be used in providing this information. Points available: 10
   d) Paper discusses your Information/Data Classification Scheme and its relationship to information held by the College; must include a risk statement in each classification beyond Public, as discussed in the Data Classification Lab(s) and lecture notes. Must address Audit Finding #3. Points available: 10
   e) Paper discusses your data retention schema. Your data retention schema cannot have "indefinite" as the retention time period without justification; the longest time period is normally 7 years, unless required by law. If the data retention schema has "indefinite" as the retention time period without justification, 5 points will be taken off regardless of how many occurrences. Points available: 10
   f) Paper discusses your Magnetic Remanence schema and the items that it will address. Points available: 5
   g) Paper addresses how you are aligning your information security program with the business. Points available: 10
   h) Paper identifies/discusses which security framework(s) you are/will use, describes why you are using the selected framework(s), and addresses Audit Finding #5. Identify which security control framework(s) you are/will use and describe why you are using the selected control framework(s). Identify which non-security control framework(s) you are/will use and describe why you are using the selected non-control framework(s). Note: Hybrid frameworks (those that have control frameworks embedded within them) can be identified in either the control or the non-control section. Modules 8 & 9 address frameworks. Points available: 10
      i. Paper identifies/discusses which security framework(s) you plan to use or are currently using and the purpose of using the framework. Points available: 5
      ii. Paper identifies/discusses which control framework(s) you are/will use and describes why you are using the selected control framework(s). Points available: 5
   i) Paper discusses how you are going to perform a GAP Assessment moving from the current state to a future state that will address Audit Finding #5, establishing the college's baseline security controls. Must specifically address or state which frameworks or framework subsets will be used in establishing this baseline. Finally, must include specific steps in performing the GAP assessment and implementing the selected framework(s). It is recommended that a framework that addresses Small to Medium Business be considered. Points available: 5
   j) Paper outlines and discusses your Risk Management Program (Modules 6 and 7 are good sources for this section, with Module 7 being most helpful). Paper must answer "What is the College's Risk Appetite Level?" Points available: 10
   k) Paper discusses how you are going to report metrics back to the CEO and the BOD and what metrics you are reporting on (information is contained at the end of Module 5's presentation). Points available: 5
   l) Paper identifies/discusses the Top 3 or 4 risks that you are planning to mitigate in this project plan. Points available: 90
      Does the paper identify the Top 3 or 4 risks that you are planning to mitigate in this project plan, of which 2 out of the 3 risks must address the specific risks that may arise out of the "Situation as You Briefed the BOD and Executive Management" slide?
      Note: If more than 3 risks are identified, only the first 3 will be scored. At least 2 out of the 3 risks must address the specific risks that may arise out of the "Situation as You Briefed the BOD and Executive Management" slide. If at least two do not address this item, only the one that does and one additional one will be scored.
      For this section you must have at least 3 risks with the required information below for scoring of each risk, and 2 out of the 3 risks must address the specific risks that may arise out of the "Situation as You Briefed the BOD and Executive Management" slide.
      At a minimum, each risk needs to address each of the following areas as separate subparagraphs under each risk. For each risk, 30 points are possible.
      - Does the identified risk have a subparagraph titled "Asset(s) Potentially Affected", and does this paragraph in sentence form identify what asset(s), business processes, and so forth are potentially affected by the identified risk? Points available: 3
      - Does the identified risk have a subparagraph titled "Threat or Threat Actors", and does this paragraph in sentence form identify which threat(s) or threat actors are potential threats to the identified asset(s)? Points available: 3
      - Does the identified risk have a subparagraph titled "Vulnerability(ies)", and does this paragraph in sentence form identify any vulnerability(ies) that may be exploited by the threat or threat actors identified above against the asset(s) identified above? Points available: 3
      - Does the identified risk have a subparagraph titled "Impact if Realized", and does this paragraph in sentence form identify/discuss the impact to the asset(s)/business if the risk is realized? Points available: 3
      - Does the identified risk have a subparagraph titled "Time Period Risk Remains Active", and does this paragraph in sentence form identify/discuss the time period in which the risk remains active? The time period cannot be continuous unless supported by rationale, and must include checkpoints showing periodic review of whether the risk remains near or at threshold level. Points available: 3
      - Does it include a risk statement? It must be in the form of a risk statement; Module 6's "Risk Exercise" will demonstrate how this can be done and what is expected. Write a Risk Statement in the form of the example provided for the given "Situation as You Briefed the Board of Trustees and Alpha Community College President" assigned to your group, and ensure you have identified the following items: Severity description; Threat description; Impact statement and explanation; Vulnerability statement.
        Example:
        Risk: Civil unrest in Janwick, HIGH
        Description: XYZ Co faces a HIGH risk {severity description} due to the potential for civil unrest in Janwick {threat description}, which could have a HIGH impact on our global supply chain as our key manufacturing sites are concentrated there {impact statement and explanation}. The firm has MODERATE vulnerability to civil unrest as our local safety and security arrangements were designed when the country was peaceful and have not been updated to address the deteriorating security situation {vulnerability statement}.
        Must be in this exact form, as each completed Risk Statement is worth 15 of the possible 30 points per risk. Points available: 15

8. Information Security Policies, Procedures, Standards, or Processes. This section must present a prioritized list of the items on Project Plan Assignment Slide #25 using a scale from 1-10 (1 being the highest and 10 being the lowest) and state why your team rated each item the way it did, demonstrating a risk-based approach given scarce resources for those items listed on Project Plan Assignment Slide #25. Points available: 50
9. Paper has Information Security Programs with the required top 4 items; could have more. Points available: 160
   Does the paper have at least 4 programs? For this section you must have at least 4 programs with the required information below for scoring of each program. At a minimum, each program needs to address each of the following questions. For each program, 40 points are possible.
   - What risk(s) stated in the Information Security section are you addressing with this proposed program? The section must map back to some risk(s) identified in the prior section. Points available: 8
   - Why are you initiating/doing this program? Points available: 8
   - What are you going to do within the program? The section must contain at least 3 paragraphs with at least 6-8 sentences per paragraph. Points available: 8
   - What are your expected outcomes and how are you measuring these expected outcomes? The section must contain at least 3 expected outcomes and how each is measured. Points available: 8
   - What is your timeline for implementation? The timeline cannot be continuous unless supported by rationale, and must include checkpoints showing periodic review of whether the risk remains near or at threshold level. Points available: 8

10. Paper uses citations or endnotes. Points available: 10

11. Spelling errors. Points available: 10

12. Word format. Points available: 5

Total points available: 450

Metrics Extra Credit Points for Section 5 of your paper:

You have the option of doing option a, b, or both. Those options are:
   a. Produce a metric for 1 program using the Goal, Question, Metric process that was covered in Module 5 that answers "What are your expected outcomes and how are you measuring these expected outcomes?" and place your work in that respective section of your project plan. You need to show your work. You can earn up to 25 points for doing this, and partial credit will be given to those who attempt the Goal, Question, Metric process but don't complete it. It has to be an honest effort and not just some stuff thrown together. Please identify that you are attempting this effort within your paper.
   b. Produce a metric for 1 program using one of the examples provided in the Goal, Question, Metric process covered in Module 5 that answers "What are your expected outcomes and how are you measuring these expected outcomes?" and place your work in that respective section of your project plan. You can earn up to 5 points for doing this. Please identify that you are attempting this effort within your paper.

You can earn up to 30 extra credit points that will be applied to the raw score of your paper. These points are awarded in addition to the possible 10 points for that section of the paper.