
Lab 3-Nhóm 5

The document lists various risks, threats, and vulnerabilities across different domains of a typical IT infrastructure, including the User Domain, Workstation Domain, LAN Domain, LAN-to-WAN Domain, WAN Domain, Remote Access Domain, and System/Application Domain. It finds that the LAN-to-WAN Domain has the greatest number of risks, threats, and vulnerabilities, including a hacker gaining access to the internal network and a denial of service attack on the email server. It also identifies risks in the System/Application Domain such as a fire destroying the primary data center that would require a disaster recovery plan. The document recommends implementing security controls like access controls, encryption, security awareness training, and vulnerability assessments

Uploaded by

Dũng Phạm

Risk – Threat – Vulnerability | Policy Definition Required
--- | ---
Unauthorized access from public Internet | Access Control Policy Definition
User destroys data in application and deletes all files | Acceptable Use Policy, Mandated Security Awareness Training Policy Definition
Hacker penetrates your IT infrastructure and gains access to your internal network | Vulnerability Management & Vulnerability Window Policy Definition
Intra-office employee romance gone bad | BIA Policy Definition
Fire destroys primary data center | Business Continuity & Disaster Recovery Policy Definition, Production Data Back-up Policy Definition
Communication circuit outages | Business Continuity & Disaster Recovery Policy Definition
Workstation OS has a known software vulnerability | Vulnerability Management & Vulnerability Window Policy Definition
Unauthorized access to organization owned workstations | Access Control Policy Definition
Loss of production data | Production Data Back-up Policy Definition
Denial of service attack on organization e-mail server | Vulnerability Management & Vulnerability Window Policy Definition
Remote communications from home office | Remote Access Policy Definition
LAN server OS has a known software vulnerability | Vulnerability Management & Vulnerability Window Policy Definition
User downloads an unknown e-mail attachment | Acceptable Use Policy, Mandated Security Awareness Training Policy Definition
Workstation browser has software vulnerability | Vulnerability Management & Vulnerability Window Policy Definition
Service provider has a major network outage | WAN Service Availability Policy Definition
Weak ingress/egress traffic filtering degrades performance | Internet Ingress/Egress Traffic Policy Definition
User inserts CDs and USB hard drives with personal photos, music, and videos on organization owned computers | Acceptable Use Policy
VPN tunneling between remote computer and ingress/egress router | Remote Access Policy Definition, Internet Ingress/Egress Traffic Policy Definition
WLAN access points are needed for LAN connectivity within a warehouse | Access Control Policy Definition
Need to prevent rogue users from unauthorized WLAN access | Data Classification Standard & Encryption Policy Definition

1. Health care organizations must strictly comply with the Health Insurance Portability and
Accountability Act (HIPAA) Privacy and Security rules, which require organizations to have
proper security controls for handling personal information referred to as "protected
health information," or PHI. This includes security controls for the IT infrastructure
handling PHI. Which of the listed risks, threats, or vulnerabilities can violate HIPAA
privacy and security requirements? List one and justify your answer in one or two
sentences.

Unauthorized access to workstations maintained by the company. Entry to an "already
wired" workstation may give a perpetrator direct access to confidential data, such as
HIPAA PHI privacy data. The risk factor to remember here is what would happen if this
PHI privacy data were hacked and leaked.

2. How many threats and vulnerabilities did you find that impacted risk in each of the
seven domains of a typical IT infrastructure?

User Domain: 3
Workstation Domain: 3
LAN Domain: 3
LAN-to-WAN Domain: 4
WAN Domain: 2
Remote Access Domain: 2
System/Application Domain: 3

3. Which domain(s) had the greatest number of risks, threats, and vulnerabilities?

LAN-to-WAN Domain
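The counts in questions 2 and 3 come from sorting the worksheet's twenty table rows into the seven domains. The following Python risk register, added here as an example and not part of the lab hand-in, makes that sorting explicit and checkable: the risks and policies are the worksheet's, while the domain assigned to each row is this example's own reading (the worksheet only reports the totals). Tallying the register reproduces the worksheet's per-domain numbers and singles out the LAN-to-WAN Domain.

```python
from collections import Counter

# The seven domains of a typical IT infrastructure, in the worksheet's order.
DOMAINS = (
    "User Domain",
    "Workstation Domain",
    "LAN Domain",
    "LAN-to-WAN Domain",
    "WAN Domain",
    "Remote Access Domain",
    "System/Application Domain",
)

# Risk register rows: (risk/threat/vulnerability, domain, required policy definition).
# Risks and policies are taken from the worksheet table; the domain column is this
# example's own assignment, since the worksheet only states the totals per domain.
REGISTER = [
    ("Unauthorized access from public Internet", "LAN-to-WAN Domain", "Access Control Policy"),
    ("User destroys data in application and deletes all files", "User Domain",
     "Acceptable Use Policy, Mandated Security Awareness Training Policy"),
    ("Hacker penetrates your IT infrastructure and gains access to your internal network",
     "LAN-to-WAN Domain", "Vulnerability Management & Vulnerability Window Policy"),
    ("Intra-office employee romance gone bad", "System/Application Domain", "BIA Policy"),
    ("Fire destroys primary data center", "System/Application Domain",
     "Business Continuity & Disaster Recovery Policy, Production Data Back-up Policy"),
    ("Communication circuit outages", "WAN Domain", "Business Continuity & Disaster Recovery Policy"),
    ("Workstation OS has a known software vulnerability", "Workstation Domain",
     "Vulnerability Management & Vulnerability Window Policy"),
    ("Unauthorized access to organization owned workstations", "Workstation Domain",
     "Access Control Policy"),
    ("Loss of production data", "System/Application Domain", "Production Data Back-up Policy"),
    ("Denial of service attack on organization e-mail server", "LAN-to-WAN Domain",
     "Vulnerability Management & Vulnerability Window Policy"),
    ("Remote communications from home office", "Remote Access Domain", "Remote Access Policy"),
    ("LAN server OS has a known software vulnerability", "LAN Domain",
     "Vulnerability Management & Vulnerability Window Policy"),
    ("User downloads an unknown e-mail attachment", "User Domain",
     "Acceptable Use Policy, Mandated Security Awareness Training Policy"),
    ("Workstation browser has software vulnerability", "Workstation Domain",
     "Vulnerability Management & Vulnerability Window Policy"),
    ("Service provider has a major network outage", "WAN Domain", "WAN Service Availability Policy"),
    ("Weak ingress/egress traffic filtering degrades performance", "LAN-to-WAN Domain",
     "Internet Ingress/Egress Traffic Policy"),
    ("User inserts CDs and USB hard drives with personal media on organization owned computers",
     "User Domain", "Acceptable Use Policy"),
    ("VPN tunneling between remote computer and ingress/egress router", "Remote Access Domain",
     "Remote Access Policy, Internet Ingress/Egress Traffic Policy"),
    ("WLAN access points are needed for LAN connectivity within a warehouse", "LAN Domain",
     "Access Control Policy"),
    ("Need to prevent rogue users from unauthorized WLAN access", "LAN Domain",
     "Data Classification Standard & Encryption Policy"),
]


def tally_by_domain(register=REGISTER):
    """Count register rows per domain (question 2); domains with no rows report 0."""
    counts = Counter(domain for _, domain, _ in register)
    unknown = set(counts) - set(DOMAINS)
    if unknown:  # a typo in a domain name would silently skew the totals otherwise
        raise ValueError(f"rows assigned to unknown domain(s): {sorted(unknown)}")
    return {domain: counts.get(domain, 0) for domain in DOMAINS}


def greatest_risk_domains(register=REGISTER):
    """Domain(s) with the most rows (question 3); a list because ties are possible."""
    counts = tally_by_domain(register)
    top = max(counts.values())
    return [domain for domain, n in counts.items() if n == top]


def policies_for_domain(domain, register=REGISTER):
    """Distinct policy definitions the register requires for one domain, sorted."""
    return sorted({policy for _, d, policy in register if d == domain})


if __name__ == "__main__":
    for domain, n in tally_by_domain().items():
        print(f"{domain}: {n}")
    print("Greatest number of risks:", ", ".join(greatest_risk_domains()))
    print("LAN-to-WAN policies:", policies_for_domain("LAN-to-WAN Domain"))
```

Changing any row's domain changes the tally, so the script doubles as a consistency check between the table and the answers to questions 2 and 3.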

4. What is the risk impact or risk factor (critical, major, or minor) that you would
qualitatively assign to the risks, threats, and vulnerabilities you identified for the LAN-to-
WAN Domain for the health care and HIPAA compliance scenario?

A hacker gains access to your internal network after breaking into your IT infrastructure:
PHI can be jeopardized, which is critical. Denial of service attack on an organization's
e-mail server: VPN tunneling between the remote device and the ingress/egress router is
minor and can be mitigated; if electronic protected health information (ePHI) is accessed
remotely, this is a major issue.

5. Of the three System/Application Domain risks, threats, and vulnerabilities identified,
which one requires a disaster recovery plan and business continuity plan to maintain
continued operations during a catastrophic outage?

The risk of "Fire destroys primary data center"

6. Which domain represents the greatest risk and uncertainty to an organization?

Since human action is unreliable and affected by forces outside the policy's control, the
User Domain poses the greatest risk and uncertainty.

7. Which domain requires stringent access controls and encryption for connectivity to
corporate resources from home?
The Remote Access Domain requires stringent access controls and encryption because
of risks inherent in connectivity from home.

8. Which domain requires annual security awareness training and employee
background checks for sensitive positions to help mitigate risks from employee
sabotage?

User Domain

9. Which domains need software vulnerability assessments to mitigate risk from
software vulnerabilities?

Workstation Domain (workstations, corporate-issued mobile devices)
LAN Domain (the network devices)
System/Application Domain (servers, storage area network (SAN), network attached storage (NAS), backup devices)

10. Which domain requires acceptable use policies (AUPs) to minimize unnecessary
user-initiated Internet traffic and can be monitored and controlled by Web content
filters?

User Domain

11. In which domain do you implement Web content filters?

LAN-to-WAN Domain

12. If you implement a Wireless LAN (WLAN) to support connectivity for laptops in the
Workstation Domain, which domain does WLAN fall within?

LAN Domain

13. Under the Gramm-Leach-Bliley-Act (GLBA), banks must protect customer privacy. A
given bank has just implemented its online banking solution that allows customers to
access their accounts and perform transactions via their computers or personal digital
assistant (PDA) devices. Online banking servers and their public Internet hosting would
fall within which domains of security responsibility?

System/Application Domain & LAN-to-WAN Domain

14. True or false: Customers who conduct online banking on their laptops or personal
computers must use Hypertext Transfer Protocol Secure (HTTPS), the secure and
encrypted version of Hypertext Transfer Protocol (HTTP) browser communications.
HTTPS encrypts Web page data inputs and data through the public Internet and
decrypts that Web page and data on the user's PC or device.
True

15. Explain how a layered security strategy throughout the seven domains of a typical IT
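Question 14 states that online banking must run over HTTPS. What "must use HTTPS" means on the client side is shown by the following Python example, added here and not part of the lab: a banking client should refuse to send traffic to any URL that is not https://, and its TLS context should require a trusted certificate, check that the certificate matches the host name, and refuse TLS versions older than 1.2. The host name `bank.example.com` and the helper `open_banking_url` are this example's own; no network connection is opened, so it runs offline.

```python
import ssl
from urllib.parse import urlparse


def is_https_url(url: str) -> bool:
    """True only for an https:// URL with a host; plain http, other schemes, or a missing host fail."""
    parts = urlparse(url.strip())
    return parts.scheme.lower() == "https" and bool(parts.hostname)


def banking_tls_context() -> ssl.SSLContext:
    """Client-side TLS settings for an online banking session.

    ssl.create_default_context() already requires a certificate chaining to a trusted
    CA (CERT_REQUIRED) and enables host-name checking; we additionally refuse any
    protocol version below TLS 1.2 so a downgraded session is not accepted.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Plain strings/bools describing a context, so it can be inspected without ssl enums."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def open_banking_url(url: str):
    """Hypothetical entry point a banking client would call before connecting.

    Returns the host and the hardened context; rejects non-HTTPS URLs outright so
    credentials and account data never leave the device unencrypted.
    """
    if not is_https_url(url):
        raise ValueError(f"refusing to send banking traffic over a non-HTTPS URL: {url}")
    host = urlparse(url).hostname
    ctx = banking_tls_context()
    # The real connection would be:
    #   ctx.wrap_socket(socket.create_connection((host, 443)), server_hostname=host)
    # It is deliberately not executed here so the example runs offline.
    return host, ctx


if __name__ == "__main__":
    # Constructed sample URLs; bank.example.com is a placeholder host.
    for candidate in ("https://bank.example.com/login", "http://bank.example.com/login"):
        print(candidate, "->", "accepted" if is_https_url(candidate) else "rejected")
    print(context_summary(banking_tls_context()))
```

The scheme check and the TLS context are separate on purpose: the first stops an unencrypted request from ever being built, the second makes sure an encrypted request only completes against a server whose certificate actually belongs to the bank.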
infrastructure can help mitigate risk exposure for loss of privacy data or confidential data
from the System/Application Domain.

Organizations should design a layered protection approach by analyzing where privacy
data and sensitive data exist and are accessed, and placing various security
countermeasures and security controls at key points throughout the IT infrastructure.
By applying proper security measures within the User Domain and Workstation Domain,
users and their points of entry are granted access to applications and data only according
to their access management conditions. Additional countermeasures and security
controls in the LAN Domain and LAN-to-WAN Domain then grant authorised users access
to servers, files, directories, and data inside the IT infrastructure. Finally, risks, threats,
and vulnerabilities within the System/Application Domain can be mitigated by ensuring
servers, operating systems, and applications are patched with the latest software
upgrades.
