Lab3_Worksheet

The document outlines risks, threats, and vulnerabilities in a healthcare IT infrastructure, categorizing them across seven domains. It also discusses policy definitions that can mitigate these issues, emphasizing the importance of a structured information systems security policy framework. Additionally, it addresses key elements for policy implementation and the relationship between various policy components.

Uploaded by

daoquangviet2003

Lab #3 Assessment Worksheet

Part A - List of Risks, Threats, and Vulnerabilities Commonly Found in an IT Infrastructure

Course Name: IAP301
Student Name: Đào Quang Việt
Instructor Name: Khúc Hữu Hùng
Lab Due Date: 12/02/2025

Overview
The following risks, threats, and vulnerabilities were found in a healthcare IT infrastructure serving patients with life-threatening situations. Given the following list, select where the risk, threat, or vulnerability resides in the seven domains of a typical IT infrastructure.
| Risk - Threat - Vulnerability | Primary Domain Impacted |
|---|---|
| Unauthorized access from public Internet | Remote Access Domain |
| User destroys data in application and deletes all files | System/Application Domain |
| Hacker penetrates your IT infrastructure and gains access to your internal network | LAN Domain |
| Intra-office employee romance gone bad | User Domain |
| Fire destroys the primary data center | Data Center Domain |
| Communication circuit outages | WAN Domain |
| Workstation OS has a known software vulnerability | Workstation Domain |
| Unauthorized access to organization-owned workstations | Workstation Domain |
| Loss of production data | System/Application Domain |
| Denial of service attack on organization e-mail server | LAN Domain |
| Remote communications from home office | Remote Access Domain |
| LAN server OS has a known software vulnerability | LAN Domain |
| User downloads an unknown e-mail attachment | LAN Domain |
| Workstation browser has software vulnerability | Workstation Domain |
| Service provider has a major network outage | WAN Domain |
| Weak ingress/egress traffic filtering degrades performance | LAN Domain |
| User inserts CDs and USB hard drives with personal photos, music, and videos on organization-owned computers | User Domain |
| VPN tunneling between remote computer and ingress/egress router | Remote Access Domain |
| WLAN access points are needed for LAN connectivity within a warehouse | LAN Domain |
| Need to prevent rogue users from unauthorized WLAN access | LAN Domain |

Lab #3 Assessment Worksheet

Part B - List of Risks, Threats, and Vulnerabilities Commonly Found in an IT Infrastructure

Course Name: IAP301
Student Name: Đào Quang Việt
Instructor Name: Khúc Hữu Hùng
Lab Due Date: 12/02/2025

Overview
For each of the identified risks, threats, and vulnerabilities, select the most appropriate policy definition that may help mitigate the identified risk, threat, or vulnerability within that domain from the following list:

Policy Definition List
Acceptable Use Policy
Access Control Policy Definition
Business Continuity Business Impact Analysis (BIA) Policy Definition
Business Continuity & Disaster Recovery Policy Definition
Data Classification Standard & Encryption Policy Definition
Internet Ingress/Egress Traffic Policy Definition
Mandated Security Awareness Training Policy Definition
Production Data Back-up Policy Definition
Remote Access Policy Definition
Vulnerability Management & Vulnerability Window Policy Definition
WAN Service Availability Policy Definition

| Risk - Threat - Vulnerability | Policy Definition Required |
|---|---|
| Unauthorized access from public Internet | Access Control Policy Definition |
| User destroys data in application and deletes all files | Mandated Security Awareness Training Policy Definition |
| Hacker penetrates your IT infrastructure and gains access to your internal network | Data Classification Standard & Encryption Policy Definition |
| Intra-office employee romance gone bad | Business Continuity - Business Impact Analysis (BIA) Policy Definition |
| Fire destroys primary data center | Business Continuity & Disaster Recovery Policy Definition |
| Communication circuit outages | Business Continuity & Disaster Recovery Policy Definition |
| Workstation OS has a known software vulnerability | Vulnerability Management & Vulnerability Window Policy Definition |
| Unauthorized access to organization-owned workstations | Data Classification Standard & Encryption Policy Definition |
| Loss of production data | Production Data Back-up Policy Definition |
| Denial of service attack on organization e-mail server | Mandated Security Awareness Training Policy Definition |
| Remote communications from home office | Remote Access Policy Definition |
| LAN server OS has a known software vulnerability | Vulnerability Management & Vulnerability Window Policy Definition |
| User downloads an unknown e-mail attachment | Email Acceptable Use Policy |
| Workstation browser has software vulnerability | Vulnerability Management & Vulnerability Window Policy Definition |
| Service provider has a major network outage | WAN Service Availability Policy Definition |
| Weak ingress/egress traffic filtering degrades performance | Internet Ingress/Egress Traffic Policy Definition |
| User inserts CDs and USB hard drives with personal photos, music, and videos on organization-owned computers | Acceptable Use Policy |
| VPN tunneling between remote computer and ingress/egress router | Internet Ingress/Egress Traffic Policy Definition |
| WLAN access points are needed for LAN connectivity within a warehouse | Internet Ingress/Egress Traffic Policy Definition |
| Need to prevent rogue users from unauthorized WLAN access | Access Control Policy Definition |

Lab #3 Assessment Worksheet

Define an Information Systems Security Policy Framework for an IT Infrastructure

Course Name: IAP301
Student Name: Đào Quang Việt
Instructor Name: Khúc Hữu Hùng
Lab Due Date: 12/02/2025

Overview
In this lab, students identified risks, threats, and vulnerabilities throughout the seven domains of a typical IT infrastructure. By organizing these risks, threats, and vulnerabilities within each of the seven domains, information systems security policies can be defined to help mitigate them. Using policy definition and policy implementation, organizations can tighten security throughout the seven domains of a typical IT infrastructure.

Lab Assessment Questions & Answers
1. A policy definition usually contains what four major parts or elements?
- A policy definition usually contains four major parts or elements: policy statement,
purpose and scope, policy content or rules, and enforcement or compliance.

2. In order to effectively implement a policy framework, what three organizational elements are absolutely needed to ensure successful implementation?
- In order to effectively implement a policy framework, three organizational elements are absolutely needed: executive sponsorship, adequate resources, and clear lines of accountability and responsibility.

3. Which policy is the most important one to implement to separate employer from
employee? Which is the most challenging to implement successfully?
- The most important policy to implement to separate employer from employee is the
Acceptable Use Policy (AUP), while the most challenging to implement successfully
is likely to be the Access Control Policy as it requires a delicate balance between
protecting sensitive information and enabling access for authorized users.

4. Which domain requires stringent access controls and encryption for connectivity to
the corporate resources from home? What policy definition is needed for this domain?
- The Network Domain requires stringent access controls and encryption for
connectivity to the corporate resources from home. A Remote Access Policy
definition is needed for this domain.

5. Which domains need software vulnerability management & vulnerability window policy definitions to mitigate risk from software vulnerabilities?
- Both the Endpoint and Server Domains need software vulnerability management & vulnerability window policy definitions to mitigate risk from software vulnerabilities.

6. Which domain requires AUPs to minimize unnecessary user-initiated Internet traffic and awareness of the proper use of organization-owned IT assets?
- The User Domain requires Acceptable Use Policies (AUPs) to minimize unnecessary user-initiated Internet traffic and awareness of the proper use of organization-owned IT assets.

7. What policy definition can help remind employees within the User Domain about
on-going acceptable use and unacceptable use?
- A Code of Conduct Policy definition can help remind employees within the User
Domain about ongoing acceptable use and unacceptable use.

8. What policy definition is required to restrict and prevent unauthorized access to organization-owned IT systems and applications?
- An Access Control Policy definition is required to restrict and prevent unauthorized access to organization-owned IT systems and applications.

9. What is the relationship between an Encryption Policy Definition and a Data
Classification Standard?
- The Encryption Policy Definition and the Data Classification Standard are related as
the former outlines the required encryption levels for different types of data, while the
latter defines the level of confidentiality and sensitivity of various types of data within
the organization.

10. What policy definition is needed to minimize data loss?
- A Data Backup and Recovery Policy definition is needed to minimize data loss.

11. Explain the relationship between the policy-standard-procedure-guideline structure and how this should be postured to the employees and authorized users.
- The policy-standard-procedure-guideline structure is the hierarchy of how an organization defines and implements its IT security policies. The policies provide high-level guidance, standards define specific implementation requirements, procedures outline the steps to be taken, and guidelines provide additional information and recommendations. All of these elements should be clearly communicated to employees and authorized users to ensure understanding and compliance.

12. Why should an organization have a remote access policy even if they already have
an Acceptable Use Policy (AUP) for employees?
- An organization should have a remote access policy even if they already have an
Acceptable Use Policy (AUP) for employees because remote access may have
different security considerations, such as encryption, authentication, and
authorization, than regular in-office access.

13. What security controls can be implemented on your e-mail system to help prevent
rogue or malicious software disguised as URL links or e-mail attachments from
attacking the Workstation Domain? What kind of policy definition should this be
included in? Justify your answer.
- Security controls that can be implemented on an e-mail system to prevent rogue or
malicious software disguised as URL links or e-mail attachments from attacking the
Workstation Domain include anti-malware software, e-mail filtering, and user
education and awareness. This can be included in an Email Security Policy definition.

14. Why should an organization have annual security awareness training that includes
an overview of the organization's policies?
- An organization should have annual security awareness training that includes an
overview of the organization's policies to ensure that all employees are aware of their
obligations and understand the importance of IT security.

15. What is the purpose of defining a framework for IT security policies?
- The purpose of defining a framework for IT security policies is to provide a
comprehensive and consistent approach to securing the organization's IT systems and
data, ensure compliance with legal and regulatory requirements, and minimize the risk
of security incidents.
