
LAB10

This policy establishes guidelines for implementing and managing internet ingress/egress traffic and web content filtering controls across ABC Credit Union's network infrastructure. It outlines measures to filter all incoming and outgoing network traffic to protect the network from security risks like phishing, malware, and cyber attacks. The policy aims to provide a secure computing environment, protect sensitive data, ensure compliance, and enhance the ability to identify and mitigate network threats. It applies to all employees, contractors, and vendors using the network, and requires adherence to industry-standard filtering technologies and configurations.

Lab #10 – Assessment Worksheet

Part A – Policy Statement Definitions


Overview
Create a policy statement that defines how these policies mitigate the risk, threat, or
vulnerability as indicated in the gap analysis matrix below for each of the gaps identified and
recommended policy definitions.
| Risk – Threat – Vulnerability | IT Security Policy Definition |
|---|---|
| Unauthorized access from public Internet | Firewall Management Policy |
| User destroys data in application and deletes all files | Backup and Recovery Policy |
| Hacker penetrates your IT infrastructure and gains access to your internal network | Intrusion Detection and Prevention Policy |
| Intra-office employee romance gone bad | Employee Code of Conduct Policy |
| Fire destroys primary data center | Disaster Recovery Policy |
| Communication circuit outages | Business Continuity Policy |
| Workstation OS has a known software vulnerability | Patch Management Policy |
| Unauthorized access to organization owned workstations | Workstation Security Policy |
| Loss of production data | Data Backup and Recovery Policy |
| Denial of service attack on organization e-mail server | E-mail Security Policy |
| Remote communications from home office | Server Security Policy |
| LAN server OS has a known software vulnerability | Server Security Policy |
| User downloads an unknown e-mail attachment | Email Security Policy |
| Workstation browser has software vulnerability | Browser Security Policy |
| Service provider has a major network outage | Service Level Agreement Policy |
| Weak ingress/egress traffic filtering degrades performance | Traffic Filtering Policy |
| User inserts CDs and USB hard drives with personal photos, music, and videos | Removable Media Policy |
| VPN tunneling between remote computer and ingress/egress router | VPN Security Policy |
| WLAN access points are needed for LAN connectivity within a warehouse | Wireless Network Security Policy |
| Need to prevent rogue users from unauthorized WLAN access | Wireless Access Control Policy |

For each identified gap, insert a recommendation for an IT security policy to help mitigate the
risk, threat or vulnerability: Define a policy statement (2 or 3 sentences max) for each of the
following policy definitions that are needed to remediate the identified gap analysis for the IT
security policy framework:
1. Access Control Policy Definition: This policy outlines the procedures for granting and
revoking access to company resources, including information systems, networks, and
physical facilities. It should define the roles and responsibilities of individuals in managing
access control, and specify the criteria for determining access levels.

2. Business Continuity – Business Impact Analysis (BIA) Policy Definition: This policy
outlines the procedures for conducting a business impact analysis (BIA) to assess the
potential impacts of disruptive events on the organization. It should define the roles and
responsibilities of individuals in conducting the BIA, and specify the criteria for determining
critical business functions and resources.

3. Business Continuity & Disaster Recovery Policy Definition: This policy outlines the
procedures for developing and maintaining a business continuity and disaster recovery plan.
It should define the roles and responsibilities of individuals in developing and maintaining
the plan, and specify the procedures for testing and updating the plan.

4. Data Classification Standard & Encryption Policy Definition: This policy outlines the
procedures for classifying data according to its level of sensitivity, and specifying the
appropriate encryption measures to protect it. It should define the roles and responsibilities of
individuals in classifying and encrypting data, and specify the procedures for managing and
storing encrypted data.

5. Internet Ingress/Egress Traffic & Web Content Filter Policy Definition: This policy outlines
the procedures for managing and filtering incoming and outgoing internet traffic, as well as
web content. It should define the roles and responsibilities of individuals in managing the
filters, and specify the procedures for testing and updating the filters.

6. Production Data Back-up Policy Definition: This policy outlines the procedures for backing
up critical production data, and storing it in secure locations. It should define the roles and
responsibilities of individuals in managing the backups, and specify the procedures for testing
and restoring the backups.

7. Remote Access VPN Policy Definition: This policy outlines the procedures for providing
remote access to company resources through a VPN. It should define the roles and
responsibilities of individuals in managing remote access, and specify the criteria for
determining access levels.

8. WAN Service Availability Policy Definition: This policy outlines the procedures for
ensuring WAN service availability, and minimizing downtime. It should define the roles and
responsibilities of individuals in managing WAN services, and specify the procedures for
testing and updating the services.

9. Internet Ingress/Egress Availability (DoS/DDoS) Policy Definition: This policy outlines the
procedures for managing and mitigating the risk of Denial of Service (DoS) and Distributed
Denial of Service (DDoS) attacks. It should define the roles and responsibilities of
individuals in managing the risks, and specify the procedures for testing and updating the
mitigation measures.

10. Wireless LAN Access Control & Authentication Policy Definition: This policy outlines the
procedures for managing and securing wireless LAN access. It should define the roles and
responsibilities of individuals in managing access control and authentication, and specify the
procedures for testing and updating the security measures.

11. Internet & E-Mail Acceptable Use Policy Definition: This policy outlines the procedures
for acceptable use of company internet and e-mail resources. It should define the roles and
responsibilities of individuals in managing acceptable use, and specify the consequences for
violations.

12. Asset Protection Policy Definition: This policy outlines the procedures for protecting
company assets, including information systems, networks, and physical facilities. It should
define the roles and responsibilities of individuals in managing asset protection, and specify
the procedures for testing and updating the protection measures.

13. Audit & Monitoring Policy Definition: This policy outlines the procedures for conducting
audits and monitoring company resources, including information systems, networks, and
physical facilities. It should define the roles and responsibilities of individuals in conducting
audits and monitoring, and specify the procedures for testing and updating the audit and
monitoring measures.

14. Computer Security Incident Response Team (CSIRT) Policy Definition: The CSIRT policy
should define the roles and responsibilities of the incident response team, including how
incidents are reported, investigated, and resolved. It should also include procedures for
notifying management and other stakeholders, as well as procedures for communicating with
external entities such as law enforcement or regulatory agencies.

15. Security Awareness Training Policy Definition: The security awareness training policy
should outline the training requirements for all employees, including the frequency of
training and the topics covered. It should also define the consequences for non-compliance
with the training requirements and outline the methods for measuring the effectiveness of the
training program. The policy should emphasize the importance of security awareness in
protecting the organization's information assets and should encourage employees to report
any security incidents or concerns.

Part B – Craft an IT Security Policy Definition


ABC Credit Union
Internet Ingress/Egress Traffic & Web Content Filter Policy Definition
Policy Statement
This policy establishes guidelines for the implementation and management of Internet
Ingress/Egress Traffic & Web Content Filtering controls across the organization's network
infrastructure. It outlines measures to ensure that all incoming and outgoing network traffic is
appropriately filtered to mitigate potential security risks.
Purpose/Objectives
The purpose of this policy is to ensure that Internet Ingress/Egress Traffic & Web Content
Filtering controls are in place to protect the organization's network infrastructure from
malicious activities such as phishing, malware, and other cyber attacks. The objectives of this
policy are to:

• Provide a secure computing environment for ABC Credit Union and its employees,
customers, and partners
• Protect the organization's sensitive information and data from unauthorized access or
exfiltration
• Ensure compliance with regulatory requirements and IT security best practices
• Enhance the organization's ability to identify and mitigate network security threats
and vulnerabilities
Scope
This policy applies to all employees, contractors, and third-party vendors who use or have
access to the organization's network infrastructure. This policy impacts the Network Domain
and the User Domain of the organization's IT infrastructure. All organization-owned IT assets
that access the Internet or the network infrastructure are within the scope of this policy.
Standards
This policy requires compliance with industry-standard web content filtering technologies,
such as firewalls, intrusion detection and prevention systems, and antivirus software. All
hardware, software, and configuration standards must adhere to this policy.
Procedures
To implement this policy, the following procedures must be followed:
• Install and configure web content filtering controls on all network devices to prevent
unauthorized access and block malicious network traffic.
• Configure firewalls to block all incoming traffic that is not necessary for business
operations and to allow only authorized outgoing traffic.
• Regularly update web filtering technologies to ensure protection against the latest
threats.
• Develop and implement a procedure for addressing false positives and false negatives
detected by web content filtering controls.
• Regularly monitor network traffic to detect and respond to potential security
incidents.
Guidelines
ABC Credit Union may face some challenges in implementing this policy. These challenges
include the possibility of false positives, which can impact productivity and the effectiveness
of the filtering controls. Additionally, the cost of implementing and maintaining web content
filtering controls may be significant. To address these challenges, the organization must:
• Develop a process to address false positives and minimize their impact on
productivity.
• Ensure that the cost of implementing and maintaining web content filtering controls is
justified and within the organization's budget.
• Provide appropriate training to employees on the use of web filtering technologies and
the importance of complying with this policy.
