This document describes a lab assignment to define an information systems security policy framework for an IT infrastructure. The student is asked to identify risks, threats and vulnerabilities across seven domains of a typical IT infrastructure. They then define policies to mitigate these risks, such as access control, data backup, and remote access policies. Finally, the student must answer questions about policy frameworks, demonstrating their understanding of how policies address specific risks and domains within an IT system.

Lab #3: Define an Information Systems Security Policy Framework for an IT Infrastructure

Course Name: IAP301
Student Name: Quanndse151007
Instructor Name: DinhMH
Lab Due Date: 24/5/2023

Overview
In this lab, students identified risks, threats, and vulnerabilities throughout the seven domains of a
typical IT infrastructure. By organizing these risks, threats, and vulnerabilities within each of the
seven domains of a typical IT infrastructure, information systems security policies can be defined to
help mitigate them. Using policy definition and policy implementation, organizations can “tighten”
security throughout the seven domains of a typical IT infrastructure.

Part A – List of Risks, Threats, and Vulnerabilities Commonly Found in an IT Infrastructure

Risk – Threat – Vulnerability | Primary Domain Impacted
--------------------------------------------------------------------------------------------------- | -----------------------
Unauthorized access from public Internet | LAN-to-WAN
User destroys data in application and deletes all files | System/Application
Hacker penetrates your IT infrastructure and gains access to your internal network | LAN-to-WAN
Intra-office employee romance “gone bad” | User
Fire destroys the primary data center | LAN
Communication circuit outages | LAN
Workstation OS has a known software vulnerability | Workstation
Unauthorized access to organization-owned workstations | Workstation
Loss of production data | System Database
Denial of service attack on organization e-mail server | WAN
Remote communications from home office | Remote Access
LAN server OS has a known software vulnerability | LAN
User downloads an unknown e-mail attachment | User
Workstation browser has software vulnerability | Workstation
Service provider has a major network outage | WAN
Weak ingress/egress traffic filtering degrades performance | LAN-to-WAN
User inserts CDs and USB hard drives with personal photos, music, and videos on organization-owned computers | User
VPN tunneling between remote computer and ingress/egress router | Remote Access
WLAN access points are needed for LAN connectivity within a warehouse | LAN-to-WAN
Need to prevent rogue users from unauthorized WLAN access | WLAN-to-WAN

Part B – List of Risks, Threats, and Vulnerabilities Commonly Found in an IT Infrastructure

Risk – Threat – Vulnerability | Policy Definition
--------------------------------------------------------------------------------------------------- | -----------------------
Unauthorized access from public Internet | Access Control Policy Definition
User destroys data in application and deletes all files | Mandated Security Awareness Training Policy Definition
Hacker penetrates your IT infrastructure and gains access to your internal network | Data Classification Standard & Encryption Policy Definition
Intra-office employee romance “gone bad” | Business Continuity – Business Impact Analysis (BIA) Policy Definition
Fire destroys the primary data center | Business Continuity & Disaster Recovery Policy Definition
Communication circuit outages | Business Continuity & Disaster Recovery Policy Definition
Workstation OS has a known software vulnerability | Vulnerability Management & Vulnerability Window Policy Definition
Unauthorized access to organization-owned workstations | Data Classification Standard & Encryption Policy Definition
Loss of production data | Production Data Back-up Policy Definition
Denial of service attack on organization e-mail server | Mandated Security Awareness Training Policy Definition
Remote communications from home office | Remote Access Policy Definition
LAN server OS has a known software vulnerability | Vulnerability Management & Vulnerability Window Policy Definition
User downloads an unknown e-mail attachment | Acceptable Use Policy
Workstation browser has software vulnerability | Vulnerability Management & Vulnerability Window Policy Definition
Service provider has a major network outage | WAN Service Availability Policy Definition
Weak ingress/egress traffic filtering degrades performance | Internet Ingress/Egress Traffic Policy Definition
User inserts CDs and USB hard drives with personal photos, music, and videos on organization-owned computers | Acceptable Use Policy
VPN tunneling between remote computer and ingress/egress router | Internet Ingress/Egress Traffic Policy Definition
WLAN access points are needed for LAN connectivity within a warehouse | Internet Ingress/Egress Traffic Policy Definition
Need to prevent rogue users from unauthorized WLAN access | Access Control Policy Definition

Part C – Define an Information Systems Security Policy Framework for an IT Infrastructure

Lab Assessment Questions & Answers


1. A policy definition usually contains what four major parts or elements?
○ A policy definition usually contains four major parts or elements: policy statement, purpose and
scope, policy content or rules, and enforcement or compliance.
2. In order to effectively implement a policy framework, what three organizational
elements are absolutely needed to ensure successful implementation?
○ In order to effectively implement a policy framework, three organizational elements are
absolutely needed: executive sponsorship, adequate resources, and clear lines of
accountability and responsibility.
3. Which policy is the most important one to implement to separate employer from
employee? Which is the most challenging to implement successfully?
○ The most important policy to implement to separate employer from employee is the
Acceptable Use Policy (AUP), while the most challenging to implement successfully is
likely to be the Access Control Policy as it requires a delicate balance between protecting
sensitive information and enabling access for authorized users.
4. Which domain requires stringent access controls and encryption for connectivity to the
corporate resources from home? What policy definition is needed for this domain?
○ The Network Domain requires stringent access controls and encryption for connectivity to
the corporate resources from home. A Remote Access Policy definition is needed for this
domain.
5. Which domains need software vulnerability management & vulnerability window
policy definitions to mitigate risk from software vulnerabilities?
○ Both the Endpoint and Server Domains need software vulnerability management &
vulnerability window policy definitions to mitigate risk from software vulnerabilities.
6. Which domain requires AUPs to minimize unnecessary User-initiated Internet traffic
and awareness of the proper use of organization-owned IT assets?
○ The User Domain requires Acceptable Use Policies (AUPs) to minimize unnecessary
User-initiated Internet traffic and awareness of the proper use of organization-owned IT
assets.
7. What policy definition can help remind employees within the User Domain about
on-going acceptable use and unacceptable use?
○ A Code of Conduct Policy definition can help remind employees within the User Domain
about ongoing acceptable use and unacceptable use.
8. What policy definition is required to restrict and prevent unauthorized access to
organization owned IT systems and applications?
○ An Access Control Policy definition is required to restrict and prevent unauthorized access
to organization-owned IT systems and applications.
9. What is the relationship between an Encryption Policy Definition and a Data
Classification Standard?
○ The Encryption Policy Definition and the Data Classification Standard are related as the
former outlines the required encryption levels for different types of data, while the latter
defines the level of confidentiality and sensitivity of various types of data within the
organization.
10. What policy definition is needed to minimize data loss?
○ A Data Backup and Recovery Policy definition is needed to minimize data loss.
11. Explain the relationship between the policy-standard-procedure-guideline structure
and how this should be postured to the employees and authorized users.
○ The policy-standard-procedure-guideline structure is the hierarchy of how an organization
defines and implements its IT security policies. The policies provide high-level guidance,
standards define specific implementation requirements, procedures outline the steps to be
taken, and guidelines provide additional information and recommendations. All of these
elements should be clearly communicated to employees and authorized users to ensure
understanding and compliance.
12. Why should an organization have a remote access policy even if they already have an
Acceptable Use Policy (AUP) for employees?
○ An organization should have a remote access policy even if they already have an Acceptable
Use Policy (AUP) for employees because remote access may have different security
considerations, such as encryption, authentication, and authorization, than regular in-office
access.
13. What security controls can be implemented on your e-mail system to help prevent
rogue or malicious software disguised as URL links or e-mail attachments from
attacking the Workstation Domain? What kind of policy definition should this be
included in? Justify your answer.
○ Security controls that can be implemented on an e-mail system to prevent rogue or malicious
software disguised as URL links or e-mail attachments from attacking the Workstation
Domain include anti-malware software, e-mail filtering, and user education and awareness.
This can be included in an Email Security Policy definition.
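Gateway-side e-mail filtering of the kind listed in this answer (blocking risky attachment types, including double extensions, and flagging links whose visible text disagrees with the real destination), as an added example that is not part of the lab or its answer key; the blocked-extension list, the sample message and the addresses in it are constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment types an e-mail security policy commonly blocks at the gateway.
# Constructed list for this example; a real policy would define its own.
BLOCKED_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "hta", "docm", "xlsm"}
# Double extensions such as "invoice.pdf.exe" are a classic disguise.
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,4}\.(" + "|".join(BLOCKED_EXTENSIONS) + r")$", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
ANCHOR_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def check_message(raw: bytes) -> dict:
    """Inspect one inbound message and return the policy findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"blocked_attachments": [], "suspicious_links": []}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in BLOCKED_EXTENSIONS or DOUBLE_EXT.search(name):
            findings["blocked_attachments"].append(name)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    # Flag anchors whose visible text is a URL that differs from the real href.
    for href, shown in ANCHOR_RE.findall(text):
        shown_urls = URL_RE.findall(shown)
        if shown_urls and shown_urls[0].rstrip("/") != href.rstrip("/"):
            findings["suspicious_links"].append(href)
    return findings


def build_sample() -> bytes:
    """Constructed sample message (not captured traffic) with both tricks present."""
    m = EmailMessage()
    m["From"] = "billing@example.net"
    m["To"] = "user@example.com"
    m["Subject"] = "Invoice"
    m.set_content("Please see the attached invoice.")
    m.add_alternative('<p>Or view it <a href="http://203.0.113.5/login">'
                      "https://portal.example.com/</a></p>", subtype="html")
    m.add_attachment(b"MZ...", maintype="application", subtype="octet-stream",
                     filename="invoice.pdf.exe")
    return m.as_bytes()


if __name__ == "__main__":
    print(check_message(build_sample()))
```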
14. Why should an organization have annual security awareness training that includes an
overview of the organization’s policies?
○ An organization should have annual security awareness training that includes an overview of
the organization's policies to ensure that all employees are aware of their obligations and
understand the importance of IT security.
15. What is the purpose of defining a framework for IT security policies?
○ The purpose of defining a framework for IT security policies is to provide a comprehensive
and consistent approach to securing the organization's IT systems and data, ensure
compliance with legal and regulatory requirements, and minimize the risk of security
incidents.