[SOLVED] Audit Policy, assignment help – Business Finance

by | Aug 24, 2022 | Business Finance

Attached are documents required for this project. Also included some old docs just in case they are helpful. Thanks.  This is tricky, so make sure you know what needs to be done before you take this on!  Thanks again!Project #4: IT Audit Policy and Plans
Company Background & Operating Environment
Use the assigned case study for information about “the company.”
Policy Issue & Plan of Action
The corporate board was recently briefed by the Chief Information Officer concerning the
company’s IT Security Program and how this program contributes to the company’s risk management
strategy. During the briefing, the CIO presented assessment reports and audit findings from IT security
audits. These audits focused upon the technical infrastructure and the effectiveness and efficiency of
the company’s implementation of security controls. During the discussion period, members of the
corporate board asked about audits of policy compliance and assessments as to the degree that
employees were (a) aware of IT security policies and (b) complying with these policies. The Chief
Information Officer was tasked with providing the following items to the board before its next quarterly
meeting:
(a) Issue Specific Policy requiring an annual compliance audit for IT security policies as
documented in the company’s Policy System
(b) Audit Plan for assessing employee awareness of and compliance with IT security policies
a. Are employees aware of the IT security policies in the Employee Handbook?
b. Do employees know their responsibilities under those policies?
(c) Audit Plan for assessing the IT security policy system
a. Do required policies exist?
b. Have they been updated within the past year?
c. Are the policies being reviewed and approved by the appropriate oversight
authorities (managers, IT governance board, etc.)?
Your Task Assignment
As a staff member supporting the CISO, you have been asked to research this issue (auditing IT
security policy compliance) and then prepare an “approval draft” for a compliance policy. You must also
research and draft two separate audit plans (a) employee compliance and (b) policy system audit. The
audit policy should not exceed two typed pages in length so you will need to be concise in your writing
and only include the most important elements for the policy. Make sure that you include a requirement
for an assessment report to be provided to company management and the corporate board of directors.

For the employee compliance assessment, you must use an interview strategy which
includes 10 or more multiple choice questions that can be used to construct a webbased survey of all employees. The questions should be split between (a) awareness of
key policies and (b) awareness of personal responsibilities in regards to compliance.

For the policy system audit, you should use a documentation assessment strategy which
reviews the contents of the individual policies to determine when the policy was last
updated, who “owns” the policy, who reviewed the policy, and who approved the policy
for implementation.
Research:
1. Review the weekly readings including the example audit assessment report.
2. Review work completed previously in this course which provides background about the IT Policy
System and specific policies for the case study company.
3. Find additional resources which discuss IT compliance audits and/or policy system audits.
Write:
1. Prepare briefing package with approval drafts of the three required documents. Place all three
documents in a single MS Word (.doc or .docx) files.
2. Your briefing package must contain the following:


Executive Summary
“Approval Drafts” for
o Issue Specific Policy for IT Security Policy Compliance Audits
o Audit Plan for IT Security Policy Awareness & Compliance (Employee Survey)
o Audit Plan for IT Security Policies Audit (Documentation Review)
As you write your policy and audit plans, make sure that you address security issues using
standard cybersecurity terminology (e.g. 5 Pillars of IA, 5 Pillars of Information Security). See the
resources listed under Course Resources > Cybersecurity Concepts Review for definitions and
terminology.
3. Use a professional format for your policy documents and briefing package. Your policy
documents should be consistently formatted and easy to read.
4. Common phrases do not require citations. If there is doubt as to whether or not information
requires attribution, provide a footnote with publication information or use APA format
citations and references.
5. You are expected to write grammatically correct English in every assignment that you submit for
grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c)
verifying that your punctuation is correct and (d) reviewing your work for correct word usage
and correctly structured sentences and paragraphs.
Weekly reading
http://www.symantec.com/connect/articles/conducting-security-audit-introductory-overview
http://www.winnipeg.ca/audit/pdfs/reports/ITSecurityAwareness.pdf
http://www.gao.gov/special.pubs/p0921.pdf
http://www.technology.wv.gov/SiteCollectionDocuments/Policies%20Issued%20by%20the%20CTO/July
2015/AuditPolicy_July2015.pdf
INTERNAL
AUDIT
PLAN
Project or System Name
U.S. Department of Housing and Urban Development
Month, Year
Revision Sheet
Revision Sheet
Release No.
Rev. 0
Rev. 1
Date
5/30/00
4/10/02
Internal Audit Plan
Revision Description
Internal Audit Plan Template and Checklist
Conversion to WORD 2000 format
Page i
Internal Audit Plan
Authorization Memorandum
I have carefully assessed the Internal Audit Plan for the (System Name). This document has been
completed in accordance with the requirements of the HUD System Development Methodology.
MANAGEMENT CERTIFICATION – Please check the appropriate statement.
______ The document is accepted.
______ The document is accepted pending the changes noted.
______ The document is not accepted.
We fully accept the changes as needed improvements and authorize initiation of work to proceed. Based
on our authority and judgment, the continued operation of this system is authorized.
_______________________________
NAME
Project Leader
_____________________
DATE
_______________________________
NAME
Operations Division Director
_____________________
DATE
_______________________________
NAME
Program Area/Sponsor Representative
_____________________
DATE
_______________________________
NAME
Program Area/Sponsor Director
_____________________
DATE
Internal Audit Plan
Page ii
Notification Letter Guidelines
NOTE TO AUTHOR: Highlighted, italicized text throughout this template is provided solely as
background information to assist you in creating this document. Please delete all such text, as well as
the instructions in each section, prior to submitting this document. ONLY YOUR PROJECTSPECIFIC INFORMATION SHOULD APPEAR IN THE FINAL VERSION OF THIS
DOCUMENT.
The Internal Audit Plan, developed by the Inspector General’s (IG) staff, verifies involvement, which
may range from review of completed work to active audit participation in system activities. The project
manager must formally notify the IG of the existence of the project at the Define stage of the system
development lifecycle, and again at the Build and Evaluate stages to update the list of deliverables.
The project leader fills in the following notification letter template and forwards to the IG.
Introduction
(Project Name) (PCAS Number) (System ID) has transitioned from the Initiate to the Define phase of the
system development lifecycle.
System Overview
Provide a brief system overview description.
Points of Contact
Provide a list of the points of organizational contact.
Schedule Dates
Provide the start date of the Define phase. In subsequent updates, provide the start dates of the Build and
Evaluate phases.
Deliverable List
For each phase (Define, Design, Build, and Evaluate), provide a list of deliverables to be completed.
Internal Audit Plan
Page iii
INTERNAL AUDIT PLAN
TABLE OF CONTENTS
Page #
1.0
GENERAL INFORMATION ……………………………………………………………………………………………. 1-1
1.1
1.2
1.3
1.4
1.5
1.6
Purpose ………………………………………………………………………………………………………………….. 1-1
Scope …………………………………………………………………………………………………………………….. 1-1
System Overview ……………………………………………………………………………………………………. 1-1
Project References …………………………………………………………………………………………………… 1-2
Acronyms and Abbreviations ……………………………………………………………………………………. 1-2
Points of Contact …………………………………………………………………………………………………….. 1-2
1.6.1
1.6.2
2.0
AUDIT PROCESS …………………………………………………………………………………………………………… 2-1
2.1
2.2
2.3
2.4
2.5
3.0
Information ……………………………………………………………………………………………………………..1-2
Coordination ……………………………………………………………………………………………………………1-2
Type of Internal Audit ……………………………………………………………………………………………… 2-1
Internal Audit Subject ……………………………………………………………………………………………… 2-1
Roles and Responsibilities ……………………………………………………………………………………….. 2-1
Method of Internal Audit …………………………………………………………………………………………. 2-1
Schedule ………………………………………………………………………………………………………………… 2-1
EVALUATION ……………………………………………………………………………………………………………….. 3-1
3.1
3.2
Strategy………………………………………………………………………………………………………………….. 3-1
Metrics…………………………………………………………………………………………………………………… 3-1
Internal Audit Plan
General Information
1.0
Internal Audit Plan
GENERAL INFORMATION
1.0 General Information
This section is an Internal Audit Plan template to be completed by the Inspector General’s office. The
Project Manager is not responsible for completing this template.
1.0
GENERAL INFORMATION
1.1
Purpose
Describe the purpose of the Internal Audit Plan.
1.2
Scope
Describe the scope of the Internal Audit Plan as it relates to the project.
1.3
System Overview
Provide a brief system overview description as a point of reference for the remainder of the document. In
addition, include the following:

Responsible organization

System name or title

System code

System category



Major application: performs clearly defined functions for which there is a readily
identifiable security consideration and need

General support system: provides general ADP or network support for a variety of users
and applications
Operational status

Operational

Under development

Undergoing a major modification
System environment and special conditions
Internal Audit Plan
Page 1-1
1.0 General Information
1.4
Project References
Provide a list of the references that were used in preparation of this document. Examples of references
are:

Previously developed documents relating to the project

Documentation concerning related projects

HUD standard procedures documents
1.5
Acronyms and Abbreviations
Provide a list of the acronyms and abbreviations used in this document and the meaning of each.
1.6
Points of Contact
1.6.1 Information
Provide a list of the points of organizational contact (POCs) that may be needed by the document user for
informational and troubleshooting purposes. Include type of contact, contact name, department,
telephone number, and e-mail address (if applicable). Points of contact may include, but are not limited
to, helpdesk POC, development/maintenance POC, and operations POC.
1.6.2 Coordination
Provide a list of organizations that require coordination between the project and its specific support
function (e.g., installation coordination, security, etc.). Include a schedule for coordination activities.
Internal Audit Plan
Page 1-2
2.0 Audit Process
2.0
Internal Audit Plan
AUDIT PROCESS
2.0 Audit Process
2.0
AUDIT PROCESS
2.1
Type of Internal Audit
Identify the type of Internal Audit being completed. (e.g., financial, performance, operational)
2.2
Internal Audit Subject
Identify the subject area and/or organization to be audited.
2.3
Roles and Responsibilities
Identify roles and responsibilities for each organization and management area within each organization
that will influence the Internal Audit of the project.
2.4
Method of Internal Audit
Explain the Internal Audit Process. Include descriptions and sources of forms and checklists that will be
used for the Internal Audit.
2.5
Schedule
Identify and describe all activities and events associated with the Internal Audit. List all deliverables.
Internal Audit Plan
Page 2-1
3.0 Evaluation
3.0
Internal Audit Plan
EVALUATION
3.0 Evaluation
3.0
EVALUATION
3.1
Strategy
Describe the strategy used, which will result in a successful audit.
3.2
Metrics
Describe how Internal Audits will be measured, and the results analyzed.
Internal Audit Plan
Page 3-1
Executive Summary
Due to the changing concurrent trends, the company decided to update its employee
handbook with the up-to-date IT modules that will endow the group to meet its goals and
Employee Handbook
2
objectives in an appealing manner. Each of the worker had to play a role to ensure that the IT
platform was enabled, with each assigned the duty that they are aptly conversant with. The board
of directors came up with policies that would enable formation of the updated system, which
would also facilitate its integration into the system’s structure. The board of governors set the
acceptable use policy for information technology to identify the requirements needed for the
process; both the tools and legal requirements. They also set bring your device policy that
conferred the staff to use their own tools and gadgets for the operational amenities of the firm.
Lastly, digital media sanitization, reuse, & destruction policy was put in place to have control of
optimum usability of the system to achieve maximum gains for the corporation.
The Acceptable Use Policy for Information Technology
Overview
The main purpose of the policy is to inform all Red Clay Renovations information
technology users about their compliance obligation with all laws that exist, and the use of
information technology resource institutional policies. It is not a right, but a privilege to use
technology with users having certain responsibilities. The company’s use of the information
technology resources has to be in line with the goals, mission and the values that are Providence
to the enterprise. The use of the company’s technology has to be further supportive of its research
and educational role, as to its behavioral and value standards.
The acceptable company use of information technology resources is consistent with the
company’s freedom principle. The use of all other activities and resources is sponsored or
provided by the corporation. The use of the companies information technology resources is
however contingent to the legal and ethical behavioral expectation, and the procedure and
Employee Handbook
3
policies compliance in Red Clay Renovations Handbooks. The legitimate use of computer and
computer network or system never extends what is technically possible. Users have to note the
companies minors may as well access information resources.
The effective security is a considered community-wide effort that involves the
participation and involvement of all companies Providence employees and affiliates; those who
deal with information systems. The companies community members providence are familiarly
expected to become acceptable using policy, in carefully acting requirement consideration and
assistance seek whenever necessary. The rules are placed for the protection of its leaders and
employees. The inappropriate expose use provides the company to the risks number, which are
included, and no limitation to the compromising of the systems of the network and the services,
virus attack and the legal liabilities.
Policy statement
All law violations or physical space institutional policy are also violations when in the
use of Red Clay Renovation Information Technology resources.
By the approval of the company’s senior management includes the Chief Executive
Officer, Chief Operating Officer, Chief Financial Officer, Director of Customer Relations,
Director of Architecture & Construction Services, Human Resources Director, Director of
Marketing and Media, and the Information Technology Services Director. The Director of ITS is
dual-hatted as the company’s Chief Information Security Officer (CISO), the policy incorporates
all the other related institutional policies. The incorporation includes and not limited to working
Integrity, Companies Code of conduct, the research misconduct, human resources, data and
information governance policies and the facilities and financial policies.
Employee Handbook
4
The users of the information technology resources is an obligation to the Report
violations credible to the policy. Failure to comply with the threatened resources information
sharing atmosphere appropriates, the free idea exchange and information technology resource
secure environment. Individual policy violation may be subjected to the proceeding disciplinary.
Bring Your Own Device Policy
Overview
The rapid increase use of mobile device and remote and flexible staff growth now accepts
own laptops, tablet and phone use in conducting business. The guidance is usually for the
organization considering the ‘Bring Your Own Device ‘approach (BYOD), and the key security
description aspect, considered maximizing the BYOD while minimizing risks.
The policy also provides reminders that are useful for those who already implement the
approach. The policy should be used to inform the risk management BYOD deployment
decisions and relevantly particular public organizations sector officially operating such
deployments, for the security advice in relation to the specific mobile platform and best practice
information security for mobile device range.
The legal responsibility is usually personal information protection with data controller
but not the owner of the device. The data protection Act, states that employees must avoid
measures that are against unlawful and unauthorized personal data processing. The employment
practice code, states that an employee is entitled to privacy degree in the work environment.
The consideration of how any secondary or a commercial party agrees by an adoption of
the Bring Your Own Device .The advantage to this adoption will be that the personally owned
Employee Handbook
5
device will always be connected. It however has association risks. The privately owned devices
designed for any easier facilitation data sharing and the owners device use to personally sharing
information in the cloud and with others users. Personal application security problems may affect
the Red Clay Renovation information, applications and their network services. An example is
the use of many in adherently sent social network posted from the identity corporate identity
intended to their personal account configuration on the device.
Policy Statement
Mobile device use management technology, which creates virtual partition for each
device separating work data from the personal data. The security measure facilitates employer
wishes impose, and employer limit will access to work the only work data.
The determination device will be supported and permitted to which data company type
able to accessing them. Decision in which class of employee to be used permitted their own
device use and to why, and the employment requirement to agree with the acceptable use terms
when they first connect with computer network employers.
Digital Media Sanitization, Reuse, & Destruction Policy
Overview
Information security concern conveys information regards and sanitization media resides
in the information recorded but in the media. Media disposal issue and driven sanitization by the
Employee Handbook
6
intentionally placed information. The media disposal issue and sanitization intentionally
informational placed driven on media.
The media electronically on the system should contain information that is
commensurately assumed with the categorized security system with the categorized security
system confidentiality. If the media release is not properly handled it could lead to unauthorized
occurrence information disclosure. Information technology categorization system is the first stem
critical managing system understanding and media.
Red Clay Renovation uses the company’s information technology resources to access,
create, manage and the company to access data management to their business functions. The
responsible local data responsibly will ensure that the enterprise data is properly removed from
the media before it leaves the departmental control for disposal and reuse. The policies primary
purpose protects the non-public company data. It is often difficult separating the classification
from the Medias personal and public information on the media or consecutively determining the
non-public remnant data that are not recoverable.
Confidential protection of the information has to be a concern for everyone, from the
federal agencies and the businesses to the home users. The interconnection reorganization and
information exchange are a government service critical exchange; the guide is used in decision
assistance for sanitization or disposal process use.
Policy statement
Employee Handbook
7
The prime organizational guide has the organization correctly able to identify the
appropriate information, information location, and the confidential impact level. This activity is
ideally accomplished in its early system life cycle phase. The initial critical step outside the
scope documents, without identifying the will of the organization in all likelihood and control
lose to some of the media sensitively contained information.
The guide cover claims all the media possible that an organization could store and use the
information in the forecast attempt to the future media that might develop during the productive
guide life. The users will be expected to make disposals and the sanitizations decision that is
based on the categorized security information on the contained media.
Briefing Package
Red Clay Renovations
Executive Summary:
Managers Deskbook
2
The Chief Information Security Officer has requested this briefing to provide information
to all managers of Red Clay Innovations regarding procedures and policies that must be
implemented and enforced to maintain the security and integrity of the organization. Each issue
will be addressed specifically and the manager of each affected department will be responsible
for informing their staff of the requirements to recognize, analyze and rectify each situation.
Each manager will prepare a report to be delivered in meeting with the company CEO, CISO,
CFO and Chief of Staff after the necessary research for each situation is complete.
Individual department input will be strongly considered, therefore detailed research and
preparation is expected. The Governing Board will make final decisions regarding
implementation of new policy upon recommendations from department managers. Department
managers will then be responsible for overseeing effective implementation of new policies and
reporting to senior management regarding progress. Timeliness will be strictly adhered to and an
evaluation tool will determine the result of each department’s success. The issues to be
researched and reported on are as follows:
1) Data Breach Response Policy
2) Preventing / Controlling Shadow IT Policy
3) Management and Use of Corporate Social Media Accounts Policy
4) Corporate Domain Name Management Policy
5) Website Governance Policy
Data Breach Response Policy
Managers Deskbook
3
Data security is of primary importance for Red Clay Renovations to be successful. The
private information and systems of the company must always be secure and our clients depend
on that security to protect their data as well. In the event of a data breach, specific steps must be
taken to inform senior management of the occurrence immediately and every member of IT
Security Management must be notified. Central console will be immediately secured and all
computers locked down while the breach is investigated. Internet provider will be notified
immediately and all computers and other digital devices from employees must be disabled
immediately. IT security audits will be reviewed and solutions will be researched and
implemented. Further details will be provided by the IT Governance Board and presented to the
Executive Board.
Preventing / Controlling Shadow IT Policy
After the conclusion of the breach investigation, prevention and control of future data
breaches will be of primary focus. Specific studies will be researched to discover flaws in the
system that the IT department may have missed and these will be remedied. The necessary steps
will be taken to ensure that future problems of this nature will not occur. It is the responsibility
of the IT Governance Board to review any data breach and make sure to prevent employees use
of IT systems without approval. Strict monitoring of employee use of company technology will
be expected and a full report will be necessary.
Unapproved software is prohibited, as it compromises security and compliance. Cloud
based applications and personal devices will be prohibited. Senior management expects that
service reviews will be presented to the Governing Board to help prevent and control Shadow IT.
The service reviews will contain the following topics: pertaining to service (availability,
Managers Deskbook
4
performance, desk data, request data), incident data, current issues and changes, new challenges
and requirements.
Management and Use of Corporate Social Media Accounts Policy
Great care must be taken to ensure that classified company information is not shared on
social media. A strict policy must be in place to monitor social media use by employees and to
prevent dissemination of private information to social media outlets. Each employee is
responsible for what they decide to post online. Participating in social media conversations can
compromise company principles and interfere with job performance.
Strict guidelines must be followed to avoid social media activity in the workplace and
disciplinary action will be taken if there is not adherence to this rule. Each department should
monitor their employees to make sure that if there is social media use for the benefit of the
corporation, then certain rules must be followed. The employee is representing the business so
courtesy and professionalism is paramount. Be accurate when providing any information and
post only personal opinions and not the perceived opinions of corporate officers. It is up to each
department manager to make sure their staffs follow these procedures.
Corporate Domain Name Management Policy
There are important steps to understanding domain name management. The domain name
is a key corporate asset and must be viewed as such. The management of the domain name must
be centralized to protect brands and trademarks. Systematic domain name portfolio audits are
required and periodic audit of trademark portfolio should also be performed. Marketing the
domain name can help reduce advertising costs and domain name expenditures.
Website Governance Policy
Managers Deskbook
5
A well-planned website governance policy will make clear the policies, procedures,
guidelines and standards of the website so that everyone understands what is required to maintain
the website at maximum efficiency. A website management team should be appointed to ensure
proper functioning and their purpose is three-fold. Separate strategic, tactical and operational
levels will be established to support the management team. The strategic level is responsible for
the success of the site’s vision. The tactical level is responsible for designing the site, makes
decisions on placement of content and prioritizes projects. Finally, the operational level oversees
the everyday efficiency of the website so it is operating at the highest level.
UNIVERSITY OF MARYLAND UNIVERSITY COLLEGE
Red Clay Renovations
A case study for CSIA 413
Valorie J. King, PhD
3/30/2016
Copyright © 2016 by University of Maryland University College. All Rights Reserved.
CSIA 413: Cybersecurity Policy, Plans, and Programs
Table of Contents
Company Overview ……………………………………………………………………………………………………………………… 1
Corporate Governance & Management ……………………………………………………………………………………… 1
Operations ……………………………………………………………………………………………………………………………… 4
Acquisitions …………………………………………………………………………………………………………………………….. 4
Legal and Regulatory Environment …………………………………………………………………………………………….. 5
Policy System ………………………………………………………………………………………………………………………….. 6
Risk Management & Reporting ………………………………………………………………………………………………….. 6
IT Security Management …………………………………………………………………………………………………………… 7
Information Technology Infrastructure ………………………………………………………………………………………….. 8
Enterprise Architecture…………………………………………………………………………………………………………….. 8
Operations Center IT Architecture……………………………………………………………………………………………… 9
Field Office IT Architecture ……………………………………………………………………………………………………… 10
System Interconnections ………………………………………………………………………………………………………… 11
Tables
Table 1. Key Personnel Roster ………………………………………………………………………………………………………. 3
Table 2. Red Clay Renovations Office Locations & Contact Information ……………………………………………… 4
Figures
Figure 1. Red Clay Renovations Organization Chart …………………………………………………………………………. 2
Figure 2. Overview for Enterprise IT Infrastructure ………………………………………………………………………….. 9
Figure 3. IT Architecture for Operations Center ………………………………………………………………………………. 9
i
Company Overview
Red Clay Renovations is an internationally recognized, awarding winning firm that specializes in the
renovation and rehabilitation of residential buildings and dwellings. The company specializes in updating
homes using “smart home” and “Internet of Things” technologies while maintaining period correct
architectural characteristics. The company’s primary line of business is Home Remodeling Services
(NAICS 236118).
Corporate Governance & Management
Red Clay Renovations was incorporated in the State of Delaware in 1991 and is privately held. (Its stock
is not publicly traded on a stock exchange.)The company maintains a legal presence (“Corporate
Headquarters”) in Delaware to satisfy laws relating to its status as a Delaware corporation. The company
has a five member Board of Directors (BoD). The Chief Executive Officer (CEO) and Chief Financial Officer
(CFO) each own 25% of the corporation’s stock; both serve on the BoD. The CEO is the chair person for
the BoD. The three additional members of the BoD are elected from the remaining stock holders and
each serve for a three year term. The BoD provides oversight for the company’s operations as required
by state and federal laws. Its primary purpose is to protect the interests of stockholders. Under state
and federal law, the BoD has a fiduciary duty to ensure that the corporation is managed for the benefit
of the stockholders (see http://www.nolo.com/legal-encyclopedia/fiduciary-responsibilitycorporations.html). The BoD has adopted a centrally managed “Governance, Risk, and Compliance”
(GRC) methodology to ensure that the corporation meets the expectations of stakeholders while
complying with legal and regulatory requirements.
The company’s senior management includes the Chief Executive Officer (CEO), Chief Financial Officer
(CFO), Chief Operating Officer (COO), Director of Architecture & Construction Services (A&C), Director of
Customer Relations (CR), Director of Human Resources (HR), the Director of Information Technology
Services (ITS), and the Director of Marketing and Media (M&M). The Director of ITS is dual-hatted as the
company’s Chief Information Security Officer (CISO). These individuals constitute the Executive Board for
the company and are responsible for implementing the business strategies, policies, and plans approved
by the BoD. A separately constituted IT Governance Board is chaired by the Chief Operating Officer. The
five directors (A&C, CR, HR, ITS, and M&M) serve as members of the IT Governance board. This board
considers all matters related to the acquisition, management, and operation of the company’s
information technology resources.
The CEO, CFO, and COO have been with the company since it started in 1991. The Directors for A&C, CR,
and HR have over 20 years each with the company. The Director for M&M has ten years of service. The
Director of ITS / CISO has been with the company less than two years and is still trying to bring a
semblance of order to the IT management program – especially in the area of IT security services. This is
a difficult task due to the company’s failure to promptly hire a replacement for the previous director
who retired two years ago.
1
CSIA 413: Cybersecurity Policy, Plans, and Programs
Figure 1. Red Clay Renovations Organization Chart
2
CSIA 413: Cybersecurity Policy, Plans, and Programs
Table 1. Key Personnel Roster
Name & Title
James Randell
CEO
Irma Bromley
Office
Location
Wilmington
Office Phone
No.
910-555-2158
email
Wilmington
910-555-2150
Irma_Bromley@ redclayrennovations.com
Wilmington
910-555-2152
nr@redclayrenovations.com
Wilmington
910-555-2159
marcus@redclayrenovations.com
Owings Mills
667-555-5000
julia@redclayrenovations.com
Wilmington
910-555-1000
ed@redclayrenovations.com
Owings Mills
667-555-6260
Erwin_Carrington@hq.redclayrenovations.com
Owings Mills
667-555-6370
Eric_Carpenter@hq.redclayrenovations.com
Owings Mills
667-555-6400
an@redclayrenovations.com
Ownings Mills
667-555-6900
rn@redclayrenovations.com
Owings Mills
667-555-8000
en@redclayrenovations.com
Baltimore
443-555-2900
Charles@balt.redclayrenovations.com
Baltimore
443-555-2900
Erica@balt.redclayrenovations.com
Philadelphia
267-555-1200
William@philly.redclayrenovations.com
Philadelphia
267-555-1200
Alison@philly.redclayrenovations.com
jr@redclayrenovations.com
Executive Assistant to
Mr. Randell
Nancy Randell
Chief of Staff
Marcus Randell
CFO
Julia Randell
COO
Edward Randell, Esq
Corporate Counsel
Erwin Carrington
CIO & Director IT
Services
Eric Carpenter
CISO / Deputy CIO
Amanda Nosinger
Director, Customer
Relations
Rebecca Nosinger
Director, Marketing &
Media
Eugene Nosinger
Director, Architecture
& Services
Charles Kniesel
Manager & Architect
in Charge, Baltimore
Field Office
Erica Kniesel
Office Manager &
ISSO, Baltimore Field
Office
William Kniesel
Manager & Architect
in Charge,
Philadelphia Field
Office
Alison Kniesel-Smith
Office Manager &
ISSO, Philadelphia
Field Office
3
CSIA 413: Cybersecurity Policy, Plans, and Programs
Operations
Red Clay Renovations has offices in Baltimore, MD, Philadelphia PA, and Wilmington, DE. The contact
information for each location is provided in Table 2.
Table 2. Red Clay Renovations Office Locations & Contact Information
Location
Baltimore Field Office
Philadelphia Field Office
Operations Center (Owings Mills)
Wilmington Office
Mailing Address
200 Commerce Street, Suite 450
Baltimore, MD 21201
1515 Chester Street
Philadelphia, PA 19102
12209 Red Clay Place
Owings Mills, MD 21117
12 High Street
Wilmington, DE 19801
Phone Number
443-555-2900
267-555-1200
667-555-6000
910-555-2150
The Operations Center is the company’s main campus and is located in suburban Baltimore, MD (Owings
Mills). The Owings Mills facility houses the company’s data center as well as general offices for the
company’s operations. These operations include: accounting & finance, customer relations, human
resources, information technology services, marketing, and corporate management. There are
approximately 100 employees at the Operations Center. Day to day management of the Owings Mills
facility is provided by the company’s Chief Operating Officer (COO).
The company’s Chief Executive Officer, corporate counsel, and support staff maintain a presence in the
company’s Wilmington, DE offices but spend most of their time at the Owings Mills operations center.
Field Offices are located in downtown Baltimore and suburban Philadelphia. Each office has a managing
director, a team of 2-3 architects, a senior project manager, a business manager, and an office manager.
Support personnel (receptionist, clerks, etc.) are contractors provided by a local staffing services firm.
Each office operates and maintains its own IT infrastructure.
The company’s architects, project managers, and other support personnel frequently work from
renovation sites using cellular or WiFi connections to access the Internet. Many field office employees
are also authorized to work from home or an alternate work location (“telework site”) one or more days
per week.
Acquisitions
Red Clay acquired “Reality Media Services,” a five person digital media & video production firm in 2015
(NAICS Codes 512110, 519130, and 541430). RMS creates a video history for each residential
4
CSIA 413: Cybersecurity Policy, Plans, and Programs
construction project undertaken by Red Clay Renovations. RMS also provides Web design and social
media services for Red Clay Renovations to promote its services. RMS employees work primarily out of
their own home offices using company provided equipment (computers, video / audio production
equipment). Each employee also uses personally owned cell phones, laptops, digital cameras, and
camcorders. While RMS is now wholly owned by Red Clay, it continues to operate as an independent
entity. Red Clay senior management is working to change this, however, starting with bringing all IT and
IT related resources under the company’s central management. As part of this change, Red Clay has set
up a media production facility (“Media Studio”) in its headquarters location which includes office space
for RMS personnel. The production facility and RMS operations are under the management control of
the Director, Marketing & Media Services.
Legal and Regulatory Environment
The firm is licensed to do business as a general contractor for residential buildings in three states (DE,
MD, PA). The company’s architects maintain professional licensure in their state of residence. The
company’s general counsel is licensed to practice law in Delaware and Maryland. The Chief Financial
Officer is a Certified Public Accountant (CPA) and licensed to practice in all three states.
The company collects, maintains, and stores personal information from and about customers over the
normal course of doing business. This includes credit checks, building plans and drawings for homes, and
information about a customer’s family members which needs to be taken into consideration during the
design and construction phases of a project (e.g. medical issues / disabilities, hobbies, etc.).
When renovations are required due to a medical condition or disability, the company works with health
insurance companies, Medicare/Medicaid, and medical doctors to plan appropriate modifications to the
home and to obtain reimbursement from insurers. This sometimes requires that the company receive,
process, store, and transmit Protected Health Information (PHI) generated by medical practitioners or as
provided by the customer. The company’s legal counsel has advised it to be prepared to show
compliance with the HIPAA Security Rule for PHI for information stored on computer systems in its field
offices and in the operations center.
Red Clay began offering “Smart Home” renovation services in 2005 (NAICS Codes 541310 and 236118).
These services are primarily offered out of the Baltimore and Philadelphia field offices. A large
percentage of the company’s “smart home” remodeling work is financed by customers through the
Federal Housing Administration’s 203K Rehab Mortgage Insurance program. Red Clay provides
assistance in filling out the required paperwork with local FHA approved lenders but does not actually
process mortgages itself. Red Clay does, however, conduct credit checks on prospective customers and
accepts credit card payments for services.
As a privately held stock corporation, Red Clay Renovations is exempt from many provisions of the
Sarbanes-Oxley Act of 2002. But, in certain circumstances, i.e. a government investigation or bankruptcy
5
CSIA 413: Cybersecurity Policy, Plans, and Programs
filing, there are substantial criminal penalties for failure to protect business records from destruction or
spoliation.
Policy System
The company’s Chief of Staff is responsible for the overall organization and management of the
company’s collection of formal policies and procedures (“policy system”). The company’s policies
provide guidance to employees and officers of the company (CEO, CFO, and the members of the Board
of Directors) with respect to their responsibilities to the company. Policies may be both prescriptive
(what “must” be done) and proscriptive (what “must not” be done). Responsibility for writing and
maintaining individual policies is assigned to a designated manager or executive within the company.
Each policy identifies the responsible individual by title, e.g. Director of Human Resources.
The major policy groupings are:





Human Resources
Financial Management
Information Technology
Employee Handbook
Manager Deskbook
Selected policies are published as an Employee Handbook and a Manager’s Deskbook to communicate
them to individual employees and managers and to ensure that these individuals are aware of the
content of key policies which affect how they perform their duties.
Risk Management & Reporting
The company engages in a formal risk management process which includes identification of risks,
assessment of the potential impact of each risk, determination of appropriate risk treatments
(mitigation, acceptance, transfer), and implementation of the risk management strategy which is based
upon the selected risk treatments. For information technology related risks, the CISO working in
conjunction with the IT Governance Board is responsible for identifying and assessing risks.
Corporate-wide, high level risks which could impact the company’s financial performance are disclosed
to shareholders during the annual meeting and in the Annual Report to Investors. For the current year,
the following high level cybersecurity related risks will be disclosed.
1. Cyber-attacks could affect our business.
2. Disruptions in our computer systems could adversely affect our business.
3. We could be liable if third party equipment, recommended and installed by us (e.g. smart home
controllers), fails to provide adequate security for our residential clients.
6
CSIA 413: Cybersecurity Policy, Plans, and Programs
The company’s risk treatments for cybersecurity related risks include purchasing cyber liability
insurance, implementing an asset management and protection program, implementing configuration
baselines, implementing configuration management for IT systems and software and auditing
compliance with IT security related policies, plans, and procedures.
The corporate board was recently briefed by the Chief Information Officer concerning the company’s IT
Security Program and how this program contributes to the company’s risk management strategy. During
the briefing, the CIO presented assessment reports and audit findings from IT security audits. These
audits focused upon the technical infrastructure and the effectiveness and efficiency of the company’s
implementation of security controls. During the discussion period, members of the corporate board
asked about audits of policy compliance and assessments as to the degree that employees were (a)
aware of IT security policies and (b) complying with these policies. The CIO was tasked with providing
audit reports for these items before the next quarterly meeting of the corporate board.
The corporate board also asked the CIO about future plans for improvements to the IT Security program.
The CIO reported that, in the coming year, the CISO will begin implementation of an IT vulnerability
management program. The CIO also reported that the CISO is working with the IT Governance Board to
restart the company’s security education, training, and awareness (SETA) program. SETA activities had
fallen into disuse due to a perceived lack of quality and lack of timeliness (out of date materials). The
CISO has also determined that the System Security Plans for the field offices are out of date and lacking
in important security controls. These plans have been scheduled for update in the near future to ensure
that the company’s risk management strategy for cybersecurity risks is fully implemented.
IT Security Management
The company’s Chief Information Security Officer (CISO) is responsible for providing management
oversight and technology leadership for the company’s Information Technology security program. This
program is designed around the ISO 27001/27002 requirements but is not fully compliant. For cost
reasons, the Chief Information Officer (CIO) has decided not to pursue implementation of CobiT or ITIL
standards for managing IT systems and services. A less costly alternative, using NIST guidance
documents, was approved at the CISO’s suggestion. The CISO’s selected guidance documents include:





NIST SP 800-12 “An Introduction to Computer Security: The NIST Handbook:
NIST SP 800-18 “Guide for Developing Security Plans for Federal Information Systems”
NIST SP 800-53 “Security and Privacy Controls for Federal Information Systems and
Organizations”
NIST SP 800-100 “Information Security Handbook: A Guide for Managers”
NISTIR 7621 “Small Business Information Security: The Fundamentals”
The CISO has determined that the closest fit for the level of security required by law for the company’s
IT systems is the “moderate level” as defined in the FIPS 199/200 standards and specified in NIST SP
7
CSIA 413: Cybersecurity Policy, Plans, and Programs
800-53 Revision 4. The company has created its own minimum security controls baseline which is used
for developing system security plans.
Under the company’s existing IT Security Management Plan, the following individuals are responsible for
the security of its IT systems.
1. Chief Information Officer: designated approving official for all IT systems certification and
authorization.
2. Chief Information Security Officer: responsible for developing security plans and procedures.
3. Chief Financial Officer: responsible for negotiating and providing oversight for contracts and
service level agreements for IT services.
4. Chief Operating Officer: responsible for approval of and compliance with security plans and
procedures for the company’s IT Operations Center. The COO is the system owner for all IT
systems in the operations center.
5. Field Office Manager: responsible for approval of and compliance with security plans and
procedures for his or her field office. The field office manager is the system owner for all IT
systems in his or her field office.
6. Field Office Information Systems Security Officer (ISSO): responsible for day to day
implementation of security plans, processes, and procedures.
Information Technology Infrastructure
Enterprise Architecture
The overview for the enterprise IT architecture for Red Clay Renovations is shown in Figure 2. This
diagram shows the interconnections between the company’s field offices and the operations center.
Each facility-to-facility interconnection is made via a Virtual Private Network (VPN). The VPN connects
the Local Area Networks (LANs) in the operations center and the field offices to the company’s
enterprise network. All IT systems are in the operational phase of the Systems Development Lifecycle.
The company does not have plans at this time to upgrade (“major modification”) or implement (“under
development”) any IT systems.
8
CSIA 413: Cybersecurity Policy, Plans, and Programs
Figure 2. Overview for Enterprise IT Infrastructure
Operations Center IT Architecture
The Owings Mills facility (see Figure 3) contains the company’s operations (data) center as well as
general offices for the company’s operations. These operations include: accounting & finance, customer
relations, human resources, information technology services, marketing, and corporate management.
Figure 3. IT Architecture for Operations Center
9
CSIA 413: Cybersecurity Policy, Plans, and Programs
Field Office IT Architecture
The company’s corporate headquarters are located in Wilmington, DE. These offices have the same IT
architecture as is used by the field offices in Baltimore and Philadelphia (see Figure 4). The company’s
Chief Executive Officer and support staff maintain a presence in Delaware but spend most of their time
at the Owings Mills operations center. The company’s architects, project managers, and other support
personnel frequently work from renovation sites using cellular or WiFi connections to access the
Internet. Many field office employees, including “Reality Media Services” staff, are also authorized to
work from home or an alternate work location (“telework site”) one or more days per week.
Red Clay’s offices have been remodeled to use the “smart home” and “Internet of Things” technologies
which it installs in the residential buildings that it rehabilitates. These devices have IP addresses and are
connected to the in-office wireless network (WiFi). Each smart device has a controller which can be
accessed via a Web-based interface that runs on the office’s application server (username and password
required). The brand and type of equipment varies. The majority of these devices have little to no
security beyond a password protected Web-based logon. Every Red Clay location also has one or more
conference rooms which provide “smart” podiums, projection and video conferencing technologies, and
wireless network access to both the internal network and the Internet.
All locations use Dell computers for laptops, desktop computers, and servers. The laptops and desktops
were recently upgraded to Windows 10 Enterprise for their operating systems. The servers are running
Windows server 2012. All Windows systems have Symantec Endpoint Protection installed for host-based
security (anti-malware, host-based firewall, host-based intrusion detection).
Figure 4. “Smart” Office IT Architecture (Baltimore, Philadelphia, Wilmington)
10
CSIA 413: Cybersecurity Policy, Plans, and Programs
Each field office uses the same logical architecture. This infrastructure consists of a local area network
with both wired and wireless segments. A wiring closet containing the premises router and switches is
located in the office space (labeled “Utilities” in the diagram). The “smart office” and “IoT” devices are
also located within the office suites and are connected via WiFi to the Wireless Access Points and from
there to the office LAN. These devices are individually addressable via their IP addresses. Some have
onboard programmable controllers with Web based interfaces. Others have limited onboard
functionality and must be controlled via a central console (which has an IP address and Web based
interface). The RFID system used to control access to doors has sensor plates affixed to the walls. These
sensors are hard wired to a controller in the utilities closet. This controller connects to the local area
network and can be accessed via a Web based interface using its IP address. Access control for the Web
based interfaces (used for RFID system and “smart” device control) is limited to password protected
logons.
System Interconnections
The Operations Center and the individual Field Offices connect to the Internet via a business grade
Internet Services Provider with a standard Service Level Agreement (as established by the ISP). Systems
interconnections between internal systems and between facilities are certified and approved by the
Chief Information Officer. These interconnections include Virtual Private Network connections between
the Operations Center and the Field Offices over ISP provided networks). The VPN is used to protect the
confidentiality and integrity of information transmitted between IT systems located in the company’s
field offices, its headquarters, and the operations center. (See Information Technology Infrastructure
later in this document for additional information about system interconnections.)
The operations center and field offices each have their own network infrastructure built on CISCO
branded equipment (Virtual Private Network (VPN), wired and wireless local area networks, wireless
access points, switches, a premise firewall, and intrusion detection system). Offices and server rooms
have RJ-45 wall jacks for 100BaseT “wired” connections to the local area network. Network equipment
serving individual LAN segments is located in locked equipment closets (“wiring closets”) within the
office areas.
The company’s Wide Area Networking (WAN) and Internet services are provided by Verizon Business
services. These services include static IP addresses for the company’s network connections and domain
name service for the company’s primary domain name (RedClayRenovations.com) and multiple third
level domain names (e.g. balt.redclayrenovations.com, philly.redclayrenovations.com, etc.). The
company owns, operates, and manages its own Active Directory server, multiple Web servers, Email
servers, file and print servers, and multiple application /database servers. These servers are accessed via
local area network (LAN) and virtual private network (VPN) connections. The Email and public Web
servers are located in a protected network segment (Demilitarized Zone AKA DMZ) and are accessible
from both internal and external networks.
11
CSIA 413: Cybersecurity Policy, Plans, and Programs
Verizon provides fiber optic cables to the building demarc. Internally, the company owns the cable
infrastructure and has predominantly Cat 5 cabling inside the buildings. Company owned cabling also
runs from the Verizon owned demarc to a company owned/maintained central wiring closet. This closet
also contains routers and switches serving the internal LANs.
Telephone service is provided to each office building via fiber optic cables (as part of the FiOS business
services). Internal to the buildings, telephone service routes through an Alcatel Private Brach Exchange
(PBX) system over ANSI/TIA/EIA-568-B compliant wiring (predominantly Cat 3 cabling). The PBX system
does not connect to the company’s internal networks.
The company allows employees to bring and use their own personal digital devices (laptops, cell phones,
cameras, etc.) provided that these devices are required to perform their duties. Contract employees are
not allowed to “bring your own device” (BYOD) and will be terminated if they are found to be using cell
phones or personal computers on the company’s premises. Employees carry an RFID enabled “proximity
access” card which they use to access offices and other restricted areas. BYOD devices are NOT allowed
to connect directly to the company’s VPN. These devices are restricted to WiFi access to the Internet
using the company’s wireless access points.
12

Purchase answer to see full
attachment



Why Choose Us

  • 100% non-plagiarized Papers
  • 24/7 /365 Service Available
  • Affordable Prices
  • Any Paper, Urgency, and Subject
  • Will complete your papers in 6 hours
  • On-time Delivery
  • Money-back and Privacy guarantees
  • Unlimited Amendments upon request
  • Satisfaction guarantee

How it Works

  • Click on the “Place Order” tab at the top menu or “Order Now” icon at the bottom and a new page will appear with an order form to be filled.
  • Fill in your paper’s requirements in the "PAPER DETAILS" section.
  • Fill in your paper’s academic level, deadline, and the required number of pages from the drop-down menus.
  • Click “CREATE ACCOUNT & SIGN IN” to enter your registration details and get an account with us for record-keeping and then, click on “PROCEED TO CHECKOUT” at the bottom of the page.
  • From there, the payment sections will show, follow the guided payment process and your order will be available for our writing team to work on it.