APUS Assignment Rubric Undergraduate Level EXEMPLARYLEVEL4.docx

APUS Assignment Rubric Undergraduate Level
EXEMPLARY
LEVEL
4
ACCOMPLISHED
LEVEL
3
DEVELOPING
LEVEL
2
BEGINNING
LEVEL
1
POINTS
FOCUS/THESIS
Student exhibits a clear understanding of the assignment. Work
is clearly defined to help guide the reader throughout the
assignment. Student builds upon the assignment with well-
documented and exceptional supporting facts, figures, and/or
statements.
Establishes a good comprehension of topic and in the building
of the thesis. Student demonstrates an effective presentation of
thesis, with most support statements helping to support the key
focus of assignment
Student exhibits a basic understanding of the intended
assignment, but the formatting and grammar is not supported
throughout the assignment. The reader may have some difficulty
in seeing linkages between thoughts. Student has limited the
quality of the assignment.
Exhibits a limited understanding of the assignment. Reader is
unable to follow the logic used for the thesis and development
of key themes. Assignment instructions were not followed.
Student’s writing is weak in the inclusion of supporting facts or
statements. Paper includes more than 25% quotes, which renders

it unoriginal.
4
SUBJECT KNOWLEDGE
Student demonstrates proficient command of the subject matter
in the assignment. Assignment shows an impressive level of
depth of student’s ability to relate course content to practical
examples and applications. Student provides comprehensive
analysis of details, facts, and concepts in a logical sequence.
Student exhibits above average usage of subject matter in
assignment. Student provides above average ability in relating
course content in examples given. Details and facts presented
provide an adequate presentation of student’s current level of
subject matter knowledge.
The assignment reveals that the student has a general,
fundamental understanding of the course material. Whereas,
there are areas of some concerning in the linkages provided
between facts and supporting statements. Student generally
explains concepts, but only meets the minimum requirements in
this area.
Student tries to explain some concepts, but overlooks critical
details. Assignment appears vague or incomplete in various
segments. Student presents concepts in isolation, and does not
perceive to have a logical sequencing of ideas.
4
CRITICAL THINKING
Student demonstrates a higher-level of critical thinking
necessary for undergraduate level work. Learner provides a
strategic approach in presenting examples of problem solving or
critical thinking, while drawing logical conclusions which are
not immediately obvious. Student provides well-supported ideas
and reflection with a variety of current and/or world views in
the assignment
Student exhibits a good command of critical thinking skills in
the presentation of material and supporting statements.
Assignment demonstrates the student’s above average use of
relating concepts by using a variety of factors. Overall, student

provides adequate conclusions, with 2 or fewer errors.
Student takes a common, conventional approach in guiding the
reader through various linkages and connections presented in
assignment. However, student presents a limited perspective on
key concepts throughout assignment. Student appears to have
problems applying information in a problem-solving manner.
Student demonstrates beginning understanding of key concepts,
but overlooks critical details. Learner is unable to apply
information in a problem-solving fashion. Student presents
confusing statements and facts in assignment. No evidence or
little semblance of critical thinking skills.
4
ORGANIZATION & FORMAT
Student thoroughly understands and excels in explaining all
major points. An original, unique, and/or imaginative approach
to overall ideas, concepts, and findings is presented. Overall
format of assignment includes an appropriate introduction, well-
developed paragraphs, and conclusion. Finished assignment
demonstrates student’s ability to plan and organize research in a
logical sequence. Student exhibits excellent format grasp with
no more than 5 APA errors.
Student explains the majority of points and concepts in the
assignment. Learner demonstrates a good skill level in
formatting and organizing material in assignment. Student
presents an above average level of preparedness, with a few
formatting errors. Assignment contains less than 5 resources.
Student exhibits good format grasp with no more than 10 APA
errors.
Learner applies some points and concepts incorrectly. Student
uses a variety of formatting styles, with some inconsistencies
throughout the paper. Assignment does not have a continuous
pattern of logical sequencing. Student uses less than 3 sources
or references. Student exhibits fair format grasp with no more
than 15 APA errors.
Assignment reveals formatting errors and a lack of organization.
Student presents an incomplete attempt to provide linkages or

explanation of key terms. The lack of appropriate references or
source materials demonstrates the student’s need for additional
help or training in this area. Student needs to review and revise
the assignment. Student exhibits poor format grasp with no
more than 15 APA errors.
4
GRAMMAR & MECHANICS
Student provides an effective display of good writing and
grammar. Assignment reflects student’s ability to select
appropriate word usage and present an above average
presentation of a given topic or issue. Assignment appears to be
well written with no more than 3-5 errors. Student provides a
final written product that covers the above-minimal
requirements. Student exhibits excellent format grasp with no
more than 10 contents for grammar, spelling, punctuation, or
syntax errors.
Assignment reflects basic writing and grammar, but more than 5
errors. Key terms and concepts are somewhat vague and not
completely explained by student. Student uses a basic
vocabulary in assignment. Student’s writing ability is average,
but demonstrates a basic understanding of the subject matter.
Student exhibits fair format grasp with no more than 15
grammar, spelling, punctuation, or syntax errors.
Topics, concepts, and ideas are not coherently discussed or
expressed in assignments. Student’s writing style is weak and
needs improvement, along with numerous proofreading errors.
Assignment lacks clarity, consistency, and correctness. Student
exhibits poor format grasp with more than 15 errors and did not
focus critical thinking use of critical thinking grammar APA
format subject knowledge with communities grammar, spelling,
punctuation, or syntax errors.
4
TIMELY
Turned in on time
1 day late

2 days late
More than 2 days late
4
Total Points
24/ 24= 100%
Code Galore Caselet:
Using COBIT® 5 for Information Security
Company Profile – Code Galore
Background Information
The Problems
Your Role
Your Tasks
Figures
Notes
Questions
2
Agenda
© 2013 ISACA. All rights reserved.
Profile
Start-up company founded in 2005
One office in Sunnyvale, California, USA
10 remote salespeople and a few with space at resellers’ offices
Approximately 100 total staff; about one-third work in
engineering

3
Company Profile – Code Galore
4
What we do
Org. Structure
Operational
Industry
Products
Sales
Financials
Background Information
Building a comprehensive business function automation
software that performs many functions (decision making in
approaching new initiatives, goal setting and tracking, financial
accounting, a payment system, and much more).
The software is largely the joint brainchild of the Chief
Technology Officer (CTO) and a highly visionary Marketing
Manager who left the company a year ago
5
What we do
Org. Structure
Operational
Industry
Products
Sales
Financials
Background Information – What We Do
Financed 100% by investors who are extremely anxious to make
a profit.

Investors have invested more than US $35 million since
inception and have not received any returns.
The organization expected a small profit in the last two
quarters. However, the weak economy led to the cancellation of
several large orders. As a result, the organization was in the red
each quarter by approximately US $250,000.
6
Background Information – Financials
What we do
Org. Structure
Operational
Industry
Products
Sales
Financials
Code Galore is a privately held company with a budget of US
$15 million per year. Sales last year totaled US $13.5 million
(as mentioned earlier, the company came within US $250,000 of
being profitable each of the last two quarters).
The investors hold the preponderance of the company’s stock;
share options are given to employees in the form of stock
options that can be purchased for US $1 per share if the
company ever goes public.
Code Galore spends about five percent of its annual budget on
marketing. Its marketing efforts focus on portraying other
financial function automation applications as ‘point solutions’
in contrast to Code Galore’s product.
7
Background Information – Financials
What we do
Org. Structure
Operational
Industry
Products

Sales
Financials
8
Background Information – Org. Structure
Figure 1—Code Galore Organisational Chart
CEO
CSO
VP, Finance
VP, Business
CTO
VP, Human Resources
Security
Administrator
Sales Mgr
Accounting
Dir.
Sr. Financial
Analyst
Infrastructure
Mgr.
Sys. Dev. Mgr.
HR Manager
What we do

Org. Structure
Operational
Industry
Products
Sales
Financials
The board of directors:
Consists of seasoned professionals with many years of
experience in the software industry
Is scattered all over the world and seldom meets, except by
teleconference
Is uneasy with Code Galore being stretched so thin financially,
and a few members have tendered their resignations within the
last few months
9
What we do
Org. Structure
Operational
Industry
Products
Sales
Financials
The CEO:
Is the former chief financial officer (CFO) of Code Galore that
replaced the original CEO who resigned to pursue another
opportunity two years ago
Has a good deal of business knowledge, a moderate amount of
experience as a C-level officer, but no prior experience as a
CEO
As a former CFO, tends to focus more on cost cutting than on
creating a vision for developing more business and getting

better at what Code Galore does best
10
What we do
Org. Structure
Operational
Industry
Products
Sales
Financials
Engineers perform code installations. The time to get the
product completely installed and customized to the customer’s
environment can exceed one month with costs higher than US
$60,000 to the customer.
Labour and purchase costs are too high for small and medium-
sized businesses. So far, only large companies in the US and
Canada have bought the product.
C-level officers and board members know that they have
developed a highly functional, unique product for which there is
really no competition. They believe that, in time, more
companies will become interested in this product, but the
proverbial time bomb is ticking. Investors have stretched
themselves to invest US $35 million in the company, and are
unwilling to invest much more.
11
Background Information – Operational
What we do
Org. Structure
Operational
Industry
Products

Sales
Financials
Business function automation software is a profitable area for
many software vendors because it automates tasks that
previously had to be performed manually or that software did
not adequately support.
The business function automation software arena has many
products developed by many vendors. However, Code Galore is
a unique niche player that does not really compete (at least on
an individual basis) with other business automation software
companies.
Background Information – Industry
12
What we do
Org. Structure
Operational
Industry
Products
Sales
Financials
The product is comprehensive—at least four other software
products would have to be purchased and implemented to cover
the range of functions that Code Galore’s product covers.
Additionally, the product integrates information and statistics
throughout all functions—each function is aware of what is
occurring in the other functions and can adjust what it does
accordingly, leading to better decision aiding.
Background Information – Products
13
What we do
Org. Structure
Operational

Industry
Products
Sales
Financials
Sales have been slower than expected, mainly due to a
combination of the economic recession and the high price and
complexity of the product.
The price is not just due to the cost of software development; it
also is due to the configuration labour required to get the
product running suitably for its customers.
Background Information – Sales
14
What we do
Org. Structure
Operational
Industry
Products
Sales
Financials
Acquisition
Code Galore is in many ways fighting for its life, and the fact
that, four months ago, the board of directors made the decision
to acquire a small software start-up company, Skyhaven
Software, has not helped the cash situation.
Skyhaven consists of approximately 15 people, mostly
programmers who work at the company’s small office in
Phoenix, Arizona, USA. Originally, the only connection
between your network and Skyhaven’s was an archaic public
switched telephone network (PSTN).
Setting up a WAN
Two months ago, your company’s IT director was tasked with

setting up a dedicated wide area network (WAN) connection to
allow the former Skyhaven staff to remotely access Code
Galore’s internal network and vice versa.
You requested that this implementation be delayed until the
security implications of having this new access route into your
network were better understood, but the CEO denied your
request on the grounds that it would delay a critical business
initiative, namely getting Skyhaven’s code integrated into Code
Galore’s.
15
The Problems
Information Security
More recently, you have discovered that the connection does not
require a password for access and that, once a connection to the
internal network is established from outside the network, it is
possible to connect to every server within the network,
including the server that holds Code Galore’s source code and
software library and the server that houses employee payroll,
benefits and medical insurance information.
Fortunately, access control lists (ACLs) limit the ability of
anyone to access these sensitive files, but a recent vulnerability
scan showed that both servers have vulnerabilities that could
allow an attacker to gain unauthorised remote privileged access.
You have told the IT director that these vulnerabilities need to
be patched, but because of the concern that patching them may
cause them to crash or behave unreliably and because Code
Galore must soon become profitable or else, you have granted
the IT director a delay of one month in patching the servers.
16
The Problems – Overview

Bots
What now really worries you is that, earlier today, monitoring
by one of the security engineers who does some work for you
has shown that several hosts in Skyhaven’s network were found
to have bots installed in them.
Source Code
Furthermore, one of the Skyhaven programmers has told you
that Skyhaven source code (which is to be integrated into Code
Galore’s source code as soon as the Skyhaven programmers are
through with the release on which they are currently working) is
on just about every Skyhaven machine, regardless of whether it
is a workstation or server.
17
Code Galore vs. Skyhaven Employee knowledge
Code Galore employees are, in general, above average in their
knowledge and awareness of information security, due in large
part to an effective security awareness programme that you set
up two months after you started working at Code Galore and
have managed ever since.
You offer monthly brown bag lunch events in a large conference
room, display posters reminding employees not to engage in
actions such as opening attachments that they are not expecting,
and send a short monthly newsletter informing employees of the
direction in which the company is going in terms of security and
how they can help.
Very few incidents due to bad user security practices occurred
until Skyhaven Software was acquired. Skyhaven’s employees
appear to have almost no knowledge of information security.

You also have discovered that the Skyhaven employee who
informally provides technical assistance does not make backups
and has done little in terms of security configuration and patch
management.
18
19
Your Role
Hired two years ago as the only Chief Security Officer (CSO)
this company has ever had.
Report directly to the Chief Executive Officer (CEO).
Attend the weekly senior management meeting in which goals
are set, progress reports are given and issues to be resolved are
discussed.
The Information Security Department consists of just you; two
members of the security engineering team from software are
available eight hours each week.
10 years of experience as an information security manager, five
of which as a CSO, but you have no previous experience in the
software arena.
Four years of experience as a junior IT auditor.
Undergraduate degree in managing information systems and
have earned many continuing professional education credits in
information security, management and audit areas.
Five years ago, you earned your CISM certification.
The focus here is not on a business unit, but rather on Code
Galore as a whole, particularly on security risk that could
cripple the business.

Due primarily to cost-cutting measures the CEO has put in
place, your annual budget has been substantially less than you
requested each year.
Frankly, you have been lucky that no serious incident has
occurred so far. You know that in many ways your company has
been tempting fate.
You do the best you can with what you have, but levels of
unmitigated risk in some critical areas are fairly high.
Your Role and the Business Units
20
Mr. Wingate’s focus on cost cutting is a major reason that you
have not been able to obtain more resources for security risk
mitigation measures.
He is calm and fairly personable, but only a fair communicator,
something that results in your having to devote extra effort in
trying to learn his expectations of your company’s information
security risk mitigation effort and keeping him advised of risk
vectors and major developments and successes of this effort.
21
Your Role and the CEO, Ernest Wingate
Code Galore’s IT director is Carmela Duarte. She has put a
system of change control into effect for all IT activities
involving hardware and software.
This system is almost perfect for Code Galore—it is neither

draconian nor too lax and very few employees have any
complaints against it.
You have an excellent working relationship with her, and
although she is under considerable pressure from her boss, the
CTO, and the rest of C-level management to take shortcuts, she
usually tries to do what is right from a security control
perspective.
She is working hard to integrate the Skyhaven Software network
into Code Galore’s, but currently, there are few resources
available to do a very thorough job. She would also do more for
the sake of security risk mitigation if she had the resources.
Carmela has worked with Code Galore since 2006, and she is
very much liked and respected by senior management and the
employees who work for her.
22
Your Role and the IT Director, Carmela Duarte
You believe that Code Galore’s (but not Skyhaven Software’s)
security risk is well within the risk appetite of the CEO and the
board of directors.
You have a good security policy (including acceptable use
provisions) and standards in place, and you keep both of them
up to date.
You have established a yearly risk management cycle that
includes asset valuation, threat and vulnerability assessment,
risk analysis, controls evaluation and selection, and controls
effectiveness assessment, and you are just about ready to start a
controls evaluation when you suddenly realise that something

more important needs to be done right away (outlined in The
Problem section).
23
Your Tasks
Using the figure 4 template, you need to modify the qualitative
risk analysis that you performed six months ago to take into
account the risk related to Skyhaven Software. The major risk
events identified during this risk analysis are shown in figure 2.
You must not only head this effort, but for all practical
purposes, you will be the only person from Code Galore who
works on this effort.
24
Your Tasks – Qualitative Risk Analysis
Your revision of the last risk analysis will not only bring Code
Galore up to date concerning its current risk landscape, but will
also provide the basis for your requesting additional resources
to mitigate new, serious risk and previously unmitigated or
unsuitably mitigated risk.
You may find that some risk events are lower in severity than
before, possibly to the point that allocating further resources to
mitigate them would not be appropriate. This may help optimise
your risk mitigation investments.
To the degree that you realistically and accurately identify new
and changed risk, you will modify the direction of your
information security practice in a manner that, ideally, lowers
the level of exposure of business processes to major risk and
facilitates growth of the business.

Failure to realistically and accurately identify new and changed
risk will result in blindness to relevant risk that will lead to
unacceptable levels of unmitigated risk.
25
You must revise the most recent risk analysis, not only by
reassessing all the currently identified major risk, but also by
adding at least three risk events that were not previously
identified.
COBIT 5 provides tools that might be helpful in determining the
best approach reassessing and prioritising the major risk events,
in EDM03, Ensure risk optimisation.
You must also provide a clear and complete rationale for the
risk events, their likelihood, and impacts (outlined in the
section Alternatives With Pros and Cons of Each section).
26
The rationale for each security-related risk that you select must
include a discussion of the pros and cons associated with
identifying and classifying each as a medium-low risk or higher.
For example, suppose that you decide that a prolonged IT
outage is no longer a medium- to low-level risk, but instead is
now a low risk.
The pros (purely hypothetical in this case) may be that outage-
related risk events are now much lower than before due to, for

example, the implementation of a new backup and recovery
system that feeds data into an alternative data center (not true in
this caselet).
In this case allocating additional resources would therefore be a
waste of time and money.
27
Your Tasks – Pros and Cons
On the con side, lowering the severity of a prolonged IT outage
risk may result in underestimation of this source of risk, which
could result in failing to allocate resources and in a much higher
amount of outage-related loss and disruption than Code Galore
could take, given its somewhat precarious state.
28
Your Tasks – Pros and Cons
Exhibits – Major Risk
29
Figure 2—Major Risk
Figure 3—Network Diagram
30

31
Figure 4—Risk Analysis Template
Since Code Galore is in the business function automation
software arena it should be consider using business process
automation (BPA), a strategy an business uses to automate
processes in order to contain costs. It consists of integrating
applications, restructuring labor resources and using software
applications throughout the organization.
Code Galore is in a very difficult situation. Its existence is
uncertain, and money is critical right now.
Yet, this company has opened itself up to significant levels of
security risk because of acquiring Skyhaven Software and the
need for former Skyhaven programmers to access resources
within the corporate network.
Worse yet, even if the chief security officer (CSO) in this
scenario correctly identifies and assesses the magnitude of
security risk from acquiring Skyhaven and opening the Code
Galore network to connections from the Skyhaven network and
prescribes appropriate controls, given Code Galore’s cash
crunch, not many resources (money and labour) are likely to be
available for these controls.
32
Notes
All the CSO may be able to do is document the risk and make
prioritised recommendations for controls, waiting for the right
point in time when the company’s financial situation gets better.

If an information security steering committee exists, the CSO
must keep this committee fully apprised of changes in risk and
solicit input concerning how to handle this difficult situation.
At the same time, the CSO should initiate an ongoing effort (if
no such effort has been initiated so far) to educate senior
management and key stockholders concerning the potential
business impact of the new risk profile. (Note: The kind of
situation described in this caselet is not uncommon in real-
world settings.)
33
Notes
What are the most important business issues and goals for Code
Galore?
What are the factors affecting the problem related to this case?
What are the managerial, organizational, and technological
issues and resources related to this case?
What role do different decision makers play in the overall
planning, implementing and managing of the information
technology/security applications?
What are some of the emerging IT security technologies that
should be considered in solving the problem related to the case?
34
Discussion Questions 1-5
In what major ways and areas can information security help the
business in reaching its goals?
Which of the confidentiality, integrity and availability (CIA)
triad is most critical to Code Galore’s business goals, and why?

Change leads to risk, and some significant changes have
occurred. Which of these changes lead to the greatest risk?
Imagine that three of the greatest risk events presented
themselves in worst-case scenarios. What would be some of
these worst-case scenarios?
How can the CSO in this scenario most effectively communicate
newly and previously identified risk events that have grown
because of the changes to senior management?
35
Discussion Questions 6-10
1
Quantitative Analysis
To: Chief Information officer
From: Manager of Desktop Support
Re: Report
Introduction
Computer and Mobile phone loss in NASA could cause great
danger to the organization and expose the organization to all
sorts of system vulnerabilities. As reported in (Melanie Pinola,
2012), 48 mobile devices were stolen between April 2009 and
April 2011. A more worrying trend is the level of encryption
within the organization. Only one percent of the organization is

encrypted, leaving sensitive data exposed to vulnerabilities and
potential losses. There is a need to review the business
continuity and disaster management plan. This should be done
with a deep understanding of the current problem. Currently,
there are 700 laptops presently in service. These
Single Loss Expectancy (SLE)
This is a risk assessment tool, which is the monetary value
experienced when there is a risk on an asset. It is a single loss
that the institution will suffer.
SLE== Asset Value X Exposure Factor
$49000 X 0.99 X 700
=$33,957,000
Annualized Rate of Occurrence (ARO)
This is the projected frequency of a threat happening in a year.
48 computers lost between Apr 2009 and April 2011
Hence 24 computers lost in one year. Hence the threat on a
single laptop or mobile is
24/700=0.034
Annualized Loss Expectancy (ALE)
It is based on the probability of an event occurring. Therefore,
you multiply the annualized rate of occurrence (ARO) by Loss
of Expectancy (SLE)
ALE =SLE X ARO
ALE=$33,957,000 X 0.034
=US$1,154,538
Safeguard Value
Risk mitigation controls monetary expense. This helps
determine the financial feasibility and effectiveness. The
assumption is that all the proposed risk control measures are
implemented correctly.
Safeguard value is based on the hardware and software cost that
you invest in protecting your information in case of software
theft.
Software solutions
Altiris Manageability toolkit is available hardware per every

node is US$18
https://www.marketscreener.com/ALTIRIS-8486/news/Altiris-
Altiris-Ships-New-Toolkit-to-Sucnet.com/products/altiris-
manageability-toolkit-for-intel-vpro-technology-essential-
support-renewal-series/pport-Intel-vPro-1-Technology-for-
Efficient-IT-Service-Man-273906/?iCStream=1
$ 18 X700
=12600
Support license for the network
12600+$80000
Cost of software USD92,600
Value of Safeguard=ALE before the implementation of
safeguard-ALE after safeguard -Annual cost of protection.
Sheet1CategoryProbability(0.0-1.0)Impact(0-100)Risk
Level(PXI)Description1Zombles0.02901.8Zombie Apocalypse
causes wide spread panic and physical security threats to staff,
property and business operations2Natural Disaster0.12607.2the
location of business may expose it to particular national
disasters. This may be long term or short term. Rains may
inturupt power supply. 3Threat of Breach from consumer
error0.43012Consumer may expose the system or account by
commission or ommission. This puts own data and others data at
risk. 4Breach Through Vendor Network0.454520.25A threat
from the faults of the service providers security system may
expose the data to threat. 5Malware0.87560Malwares will
mostly be sent through other communication or may be brought
. They pause the threat of data exposure6Inside
Misuse0.78559.5Employees handle a lot of company data and
can be threat to the organisation by sharing it or even exposing

it accidentally7Fringe Threat0.88568The risks includes fires,
electrical failure, physical theft, attack by mob from office. The
impact of threat varies

APUS Assignment Rubric Undergraduate Level EXEMPLARYLEVEL4.docx

Recommandé

Recommandé

Contenu connexe

Similaire à APUS Assignment Rubric Undergraduate Level EXEMPLARYLEVEL4.docx

Similaire à APUS Assignment Rubric Undergraduate Level EXEMPLARYLEVEL4.docx (20)

Plus de YASHU40

Plus de YASHU40 (20)

Dernier

Dernier (20)

APUS Assignment Rubric Undergraduate Level EXEMPLARYLEVEL4.docx