Lab3 IAP301

This document describes a student's lab assignment to define an information security policy framework for an IT infrastructure. The student identified risks, threats and vulnerabilities across seven domains of an IT system. They then matched each risk to the most appropriate existing policy definition that could help mitigate it. The document discusses how defining policies can "tighten" security across an IT infrastructure. It also contains the student's answers to questions about key elements of effective policy implementation.

Uploaded by

thuyptmhe171100

Lab #3 – Define an Information Systems Security Policy Framework for an IT Infrastructure
Course Name: IAP301
Student Name: Phạm Thị Minh Thúy (HE171100)
Instructor Name: Hoàng Mạnh Đức

Lab #3 – Assessment Worksheet


Part A – List of Risks, Threats, and Vulnerabilities Commonly Found in an IT Infrastructure

Overview
The following risks, threats, and vulnerabilities were found in a healthcare IT infrastructure
serving patients with life-threatening situations. Given the following list, select where the
risk, threat, or vulnerability resides in the seven domains of a typical IT infrastructure.

Risk - Threat - Vulnerability | Primary Domain Impacted
Unauthorized access from public Internet | Remote Access Domain
User destroys data in application and deletes all files | System/Application Domain
Hacker penetrates your IT infrastructure and gains access to your internal network | LAN-to-WAN Domain
Intra-office employee romance "gone bad" | User Domain
Fire destroys the primary data center | System/Application Domain
Communication circuit outages | WAN Domain
Workstation OS has a known software vulnerability | Workstation Domain
Unauthorized access to organization-owned workstations | Workstation Domain
Loss of production data | System/Application Domain
Denial of service attack on organization e-mail server | LAN-to-WAN Domain
Remote communications from home office | Remote Access Domain
LAN server OS has a known software vulnerability | LAN Domain
User downloads an unknown e-mail attachment | User Domain
Workstation browser has software vulnerability | Workstation Domain
Service provider has a major network outage | WAN Domain
Weak ingress/egress traffic filtering degrades performance | LAN-to-WAN Domain
User inserts CDs and USB hard drives with personal photos, music, and videos on organization-owned computers | User Domain
VPN tunneling between remote computer and ingress/egress router | LAN-to-WAN Domain
WLAN access points are needed for LAN connectivity within a warehouse | LAN Domain
Need to prevent rogue users from unauthorized WLAN access | LAN Domain
Lab #3 – Assessment Worksheet
Part B – List of Risks, Threats, and Vulnerabilities Commonly Found in an IT Infrastructure
Overview
For each of the identified risks, threats, and vulnerabilities, select the most appropriate policy definition that may help mitigate the identified risk, threat, or vulnerability within that domain from the following list:
Policy Definition List
Acceptable Use Policy
Access Control Policy Definition
Business Continuity – Business Impact Analysis (BIA) Policy Definition
Business Continuity & Disaster Recovery Policy Definition
Data Classification Standard & Encryption Policy Definition
Internet Ingress/Egress Traffic Policy Definition
Mandated Security Awareness Training Policy Definition
Production Data Back-up Policy Definition
Remote Access Policy Definition
Vulnerability Management & Vulnerability Window Policy Definition
WAN Service Availability Policy Definition

Risk - Threat - Vulnerability | Policy Definition
Unauthorized access from public Internet | Remote Access Policy Definition
User destroys data in application and deletes all files | Acceptable Use Policy
Hacker penetrates your IT infrastructure and gains access to your internal network | Access Control Policy Definition
Intra-office employee romance gone bad | Mandated Security Awareness Training Policy Definition
Fire destroys primary data center | Business Continuity & Disaster Recovery Policy Definition
Communication circuit outages | Business Continuity & Disaster Recovery Policy Definition
Workstation OS has a known software vulnerability | Vulnerability Management & Vulnerability Window Policy Definition
Unauthorized access to organization-owned workstations | Access Control Policy Definition
Loss of production data | Production Data Back-up Policy Definition
Denial of service attack on organization e-mail server | Remote Access Policy Definition
Remote communications from home office | Remote Access Policy Definition
LAN server OS has a known software vulnerability | Vulnerability Management & Vulnerability Window Policy Definition
User downloads an unknown e-mail attachment | Mandated Security Awareness Training Policy Definition
Workstation browser has software vulnerability | Vulnerability Management & Vulnerability Window Policy Definition
Service provider has a major network outage | Internet Ingress/Egress Traffic Policy Definition
Weak ingress/egress traffic filtering degrades performance | Internet Ingress/Egress Traffic Policy Definition
User inserts CDs and USB hard drives with personal photos, music, and videos on organization-owned computers | Acceptable Use Policy
VPN tunneling between remote computer and ingress/egress router | Internet Ingress/Egress Traffic Policy Definition
WLAN access points are needed for LAN connectivity within a warehouse | Remote Access Policy Definition
Need to prevent rogue users from unauthorized WLAN access | Access Control Policy Definition


Lab #3 – Assessment Worksheet
Define an Information Systems Security Policy Framework for an IT Infrastructure
Overview
In this lab, students identified risks, threats, and vulnerabilities throughout the seven domains
of a typical IT infrastructure. By organizing these risks, threats, and vulnerabilities within
each of the seven domains, information systems security policies can be defined to help
mitigate them. Using policy definition and policy implementation, organizations can “tighten”
security throughout the seven domains of a typical IT infrastructure.

Lab Assessment Questions & Answers


1. A policy definition usually contains what four major parts or elements?
- Purpose or Objective: This section outlines the reason for the policy's existence and
its intended outcome. It explains why the policy is necessary and what it aims to
achieve.
- Scope: This part defines the boundaries and applicability of the policy. It specifies
who or what the policy applies to, what actions or behaviors it covers, and any
exceptions or exclusions.
- Responsibilities: This section outlines the roles and responsibilities of individuals or
groups involved in implementing, enforcing, or complying with the policy. It clarifies
who is accountable for what and what actions are expected from each party.
- Compliance and Enforcement: This part describes how the policy will be enforced,
monitored, and evaluated. It may include consequences for non-compliance,
procedures for reporting violations, and mechanisms for updating or revising the
policy as needed.

2. In order to effectively implement a policy framework, what three organizational elements
are absolutely needed to ensure successful implementation?
- People: The involvement and cooperation of people within the organization are
essential for successful policy implementation. This includes having skilled personnel
to develop, communicate, and enforce policies effectively. Additionally, fostering a
culture of compliance and accountability among employees ensures that they
understand and adhere to the policies in place.
- Policy: Clearly defined policies provide the foundation for guiding behavior and
decision-making within the organization. Policies outline expectations, rules, and
procedures that employees must follow to achieve organizational goals and comply
with regulations. Well-written policies are essential for creating a framework that
governs various aspects of operations, security, and compliance.
- Technologies: Implementing appropriate technologies can facilitate policy
enforcement, monitoring, and compliance within the organization. This may involve
deploying security tools, access control mechanisms, monitoring systems, and other
technological solutions to support policy objectives. Technologies play a crucial role
in automating processes, detecting violations, and mitigating risks associated with
policy non-compliance.

3. Which policy is the most important one to implement to separate employer from
employee? Which is the most challenging to implement successfully?
The most important policy to implement to separate employer from employee is the
Acceptable Use Policy. This policy outlines the acceptable behaviors and activities for
employees while using the organization's resources, including computers, networks, and
internet access. By clearly defining what constitutes acceptable use, the policy helps establish
boundaries between personal and professional activities, minimizing the risk of misuse or
abuse of company resources. It also helps protect the organization from legal liabilities
associated with inappropriate use of technology assets.
The most challenging policy to implement successfully may vary depending on the
organization's specific context and industry. However, one policy that is often challenging to
implement successfully is the Data Classification Standard & Encryption Policy. This policy
defines how sensitive data should be classified based on its level of confidentiality, integrity,
and availability, and outlines requirements for encrypting data to protect it from unauthorized
access or disclosure. Implementing this policy requires thorough assessment and
classification of data assets, deployment of encryption technologies, and ensuring compliance
with regulatory requirements. It also involves educating employees about data classification
and encryption practices, enforcing policy adherence, and regularly auditing and monitoring
data handling processes. Achieving effective implementation of this policy often requires
significant resources, coordination across departments, and ongoing efforts to address
evolving security threats and compliance obligations.

4. Which domain requires stringent access controls and encryption for connectivity
to the corporate resources from home? What policy definition is needed for this
domain?
- The domain that requires stringent access controls and encryption for connectivity to
corporate resources from home is the Remote Access Domain.
- For this domain, the policy definition needed is the Remote Access Policy Definition.

5. Which domains need software vulnerability management & vulnerability window policy
definitions to mitigate risk from software vulnerabilities?
- Workstation Domain: Workstations are endpoints used by employees to perform their
tasks. They often run various software applications that could contain vulnerabilities.
A vulnerability management policy for workstations helps ensure that software on
these devices is regularly scanned for vulnerabilities, and patches or updates are
applied promptly to mitigate security risks.
- LAN Domain: Servers and systems within the Local Area Network (LAN) also need
protection against software vulnerabilities. A vulnerability management policy for
LAN servers outlines procedures for identifying, prioritizing, and addressing
vulnerabilities in server operating systems and applications to prevent exploitation by
malicious actors.
- System/Application Domain: This domain encompasses critical systems and
applications used by the organization. Vulnerability management policies for systems
and applications help ensure that vulnerabilities are identified and addressed in a
timely manner to protect sensitive data and prevent service disruptions.
- LAN-to-WAN Domain: This domain involves the network infrastructure responsible for
connecting the internal Local Area Network (LAN) to the external Wide Area
Network (WAN), typically through routers, switches, and other networking devices.
These devices often run software that may contain vulnerabilities, which could be
exploited by attackers to gain unauthorized access or disrupt network operations.
Implementing a vulnerability management policy for the LAN-to-WAN Domain helps
ensure that network devices are regularly scanned for vulnerabilities, and patches or
updates are applied promptly to mitigate security risks.
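A vulnerability window is only enforceable if someone measures it. The following added example (not part of the original lab) shows how such a policy would be checked mechanically: every finding from a scan carries the domain it sits in, a severity, and the date it was first seen; the check applies a patch deadline per severity, counts only the four domains named above, stops the clock once a finding is patched, and reports anything still open past its deadline. The deadlines, host names, and findings are constructed assumptions for illustration, not values from the lab or from a real scanner.

```python
"""Vulnerability-window check over constructed scan findings (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed patch deadlines (days a finding may stay open) by severity; illustrative only.
VULNERABILITY_WINDOW_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# The four domains the answer above places under this policy.
IN_SCOPE_DOMAINS = {"Workstation", "LAN", "System/Application", "LAN-to-WAN"}


@dataclass(frozen=True)
class Finding:
    host: str
    domain: str
    title: str                      # scanner's description of the issue
    severity: str                   # critical / high / medium / low
    first_seen: date                # first scan that reported it
    patched_on: Optional[date] = None


def days_open(finding: Finding, today: date) -> int:
    """Days the finding has been exposed; the clock stops when it is patched."""
    end = finding.patched_on or today
    return (end - finding.first_seen).days


def allowed_window(severity: str) -> int:
    """Fail closed: an unknown severity label gets the shortest window, never the longest."""
    return VULNERABILITY_WINDOW_DAYS.get(severity.lower(), VULNERABILITY_WINDOW_DAYS["critical"])


def window_violations(findings: List[Finding], today: date) -> List[Tuple[Finding, int]]:
    """Return (finding, days past deadline) for in-scope findings outside their window."""
    violations = []
    for f in findings:
        if f.domain not in IN_SCOPE_DOMAINS:
            continue  # outside the four in-scope domains (for example the WAN Domain)
        over = days_open(f, today) - allowed_window(f.severity)
        if over > 0:
            violations.append((f, over))
    return violations


# Constructed sample data: not from a real scan.
TODAY = date(2024, 3, 31)
SAMPLE_FINDINGS = [
    Finding("ws-017", "Workstation", "browser build behind vendor security release",
            "high", date(2024, 2, 1)),
    Finding("lan-srv-02", "LAN", "OS security update missing", "critical", date(2024, 3, 20)),
    Finding("app-db-01", "System/Application", "database patch missing", "medium",
            date(2024, 1, 15), patched_on=date(2024, 3, 1)),
    Finding("edge-fw-01", "LAN-to-WAN", "firewall firmware update pending",
            "critical", date(2024, 3, 28)),
    Finding("isp-rtr-01", "WAN", "provider-managed router", "critical", date(2023, 1, 1)),
]

if __name__ == "__main__":
    for finding, over in window_violations(SAMPLE_FINDINGS, TODAY):
        print(f"{finding.domain:<19} {finding.host:<12} {finding.severity:<8} "
              f"{days_open(finding, TODAY):>3}d open, {over:>3}d past window: {finding.title}")
```

Run as a script, it lists the Workstation and LAN findings as overdue, skips the patched database host and the recent firewall finding, and ignores the WAN-domain router because that domain is not covered by this policy. Treating an unrecognised severity as critical is deliberate: a scanner labelling mistake should never buy an attacker a longer window.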

6. Which domain requires AUPs to minimize unnecessary User-initiated Internet traffic and
awareness of the proper use of organization-owned IT assets?
- Workstation Domain: AUPs ensure that employees understand and adhere to
guidelines for using their workstations and associated resources appropriately. This
includes rules about internet browsing, downloading files, accessing specific websites,
and other online activities to minimize unnecessary internet traffic and maintain
productivity and security.

- WAN Domain: AUPs govern the use of the organization's wide area network and
internet connections. These policies establish rules and guidelines for accessing the
Internet, managing network resources, and maintaining network security. AUPs in this
domain help prevent unauthorized access, minimize the risk of malware infections,
and ensure compliance with legal and regulatory requirements related to internet
usage.

7. What policy definition can help remind employees within the User Domain about
on-going acceptable use and unacceptable use?
The policy definition that can help remind employees within the User Domain about ongoing
acceptable use and unacceptable use is the Acceptable Use Policy (AUP). The Acceptable
Use Policy outlines the rules and guidelines for the appropriate use of organization-owned IT
assets, including computers, networks, internet access, and software applications. It defines
acceptable behaviors and activities, as well as prohibited actions or uses that could pose risks
to security, productivity, or compliance.

8. What policy definition is required to restrict and prevent unauthorized access to
organization owned IT systems and applications?
The policy definition required to restrict and prevent unauthorized access to organization-
owned IT systems and applications is the Access Control Policy.
This policy establishes access control mechanisms such as authentication methods,
authorization protocols, user account management practices, and enforcement measures to
prevent unauthorized access to sensitive systems and applications. By implementing the
Access Control Policy, organizations can enforce security measures to safeguard their IT
assets, protect against unauthorized access, and maintain confidentiality, integrity, and
availability of data and resources.

9. What is the relationship between an Encryption Policy Definition and a Data
Classification Standard?
The relationship between these policies is that the Data Classification Standard informs the
Encryption Policy Definition by identifying which types of data require encryption based on
their classification. For example, highly sensitive or confidential data identified through the
Data Classification Standard may be designated for encryption according to the Encryption
Policy Definition. Conversely, less sensitive data may not require encryption or may be
subject to less stringent encryption requirements.
The Data Classification Standard guides decisions about data protection requirements, while
the Encryption Policy Definition specifies how encryption should be implemented to meet
those requirements. Together, these policies form part of a comprehensive approach to data
security within an organization.

10. What policy definition is needed to minimize data loss?
From the policy definition list used in this lab, the policy that minimizes data loss is the
Production Data Back-up Policy Definition: it requires that production data be backed up on a
defined schedule, stored securely, and tested for restore, so that data destroyed by a user,
a fault, or a disaster can be recovered (Part B maps "Loss of production data" to this policy).
A Data Loss Prevention (DLP) Policy addresses the complementary case: preventing the
unauthorized disclosure, leakage, or exfiltration of sensitive or confidential data. It includes
measures to identify, monitor, and protect sensitive data as it moves within and outside the
organization's network perimeter.
11. Explain the relationship between the policy-standard-procedure-guideline
structure and how this should be postured to the employees and authorized
users.
The policy-standard-procedure-guideline structure provides a hierarchical framework for
managing organizational processes and behaviors.
- Policy: Policies are formal statements produced and supported by senior management.
Policies are enforceable and mandatory, which means there are consequences if
they're not followed.
- Standard: Standards are mandatory courses of action or rules that give formal policies
support and direction. This makes sure everything and everyone is consistent in their
performance across the organization.
- Procedure: Procedures are detailed step-by-step instructions to achieve a given goal or
mandate. They often go hand-in-hand with policies and guidelines.
- Guidelines: Guidelines are recommendations to users when specific standards do not
apply. A guideline gives the reader guidance and additional information to help the
audience.
To posture this structure to employees and authorized users:
- Clearly communicate policies, standards, procedures, and guidelines.
- Provide training and education on these documents.
- Ensure accessibility through centralized repositories.
- Regularly update documents and inform users of changes.
This ensures understanding, adherence, and continuous improvement of organizational
practices.

12. Why should an organization have a remote access policy even if they already
have an Acceptable Use Policy (AUP) for employees?
An organization should have a separate Remote Access Policy in addition to an Acceptable
Use Policy (AUP) for several reasons:
- Specificity: A Remote Access Policy provides specific guidelines and rules related to
accessing the organization's network and resources remotely. It addresses unique
considerations, such as the use of virtual private networks (VPNs), authentication
methods, encryption requirements, and remote device security protocols. While an
AUP may touch on remote access briefly, a dedicated Remote Access Policy offers
more detailed and tailored guidance.
- Risk Management: Remote access introduces additional security risks compared to
on-site access. By having a Remote Access Policy, organizations can implement
measures to mitigate these risks, such as enforcing multi-factor authentication,
limiting access to authorized personnel, and requiring the use of secure connections.
This helps protect sensitive data and systems from unauthorized access or breaches.
- Compliance Requirements: Many regulatory frameworks and industry standards
mandate the implementation of specific controls for remote access. Having a
dedicated Remote Access Policy helps ensure compliance with these requirements by
clearly articulating the organization's approach to remote access security and data
protection.
- Clarity and Enforcement: Separating remote access guidelines into their own policy
helps clarify expectations for employees and reinforces the importance of adhering to
security protocols when accessing organizational resources remotely. It also facilitates
easier enforcement of remote access rules and consequences for policy violations.
- Flexibility and Scalability: A Remote Access Policy can be tailored to accommodate
different scenarios, such as remote work arrangements, business travel, or vendor
access requirements. It provides the flexibility to adapt security measures based on
evolving technology, threats, and organizational needs without necessarily modifying
the broader Acceptable Use Policy.

13. What security controls can be implemented on your e-mail system to help
prevent rogue or malicious software disguised as URL links or e-mail
attachments from attacking the Workstation Domain? What kind of policy
definition should this be included in? Justify your answer.
Several security controls can be implemented on an email system to help prevent rogue or
malicious software disguised as URL links or email attachments from attacking the
Workstation Domain:
- Email Filtering and Anti-Spam Solutions
- Anti-Malware and Anti-Virus Scanning
- URL Filtering
- User Awareness Training
- Policy-Based Controls
These security controls should be included in both the Internet Ingress/Egress Traffic Policy
Definition and the Acceptable Use Policy (AUP):
- Internet Ingress/Egress Traffic Policy Definition: This policy defines the rules and
guidelines for managing incoming and outgoing internet traffic, including email
communications. It should specify the security controls and measures implemented to
protect against malicious email threats, such as email filtering, anti-malware scanning,
and URL filtering.
- Acceptable Use Policy (AUP): This policy outlines the acceptable behaviors and
guidelines for using organization-owned IT assets, including email systems. It should
include provisions related to safe email practices, such as avoiding clicking on
suspicious links or opening unexpected email attachments. By including email
security controls in the AUP, organizations reinforce the importance of adhering to
security measures and promoting safe email usage practices among users.
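The controls listed above are only useful with concrete rules behind them. As an added example that is not part of the original worksheet, the Python below implements three gateway-style checks over a constructed message: attachment screening by blocked extension (including the "Invoice.pdf.exe" double-extension trick), a check of the attachment's actual bytes for a Windows executable header regardless of the declared Content-Type, and a check of HTML links for hosts outside an approved list and for visible URL text that names a different host than the real href. The blocked-extension list, the approved hosts (example.com), and both sample messages are assumptions built for the example; the 198.51.100.7 address is from a reserved documentation range.

```python
"""Mail-gateway style screening of constructed messages (added example)."""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Hypothetical gateway policy: attachment types that execute or carry macros.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1",
                      ".hta", ".jar", ".lnk", ".iso", ".docm", ".xlsm", ".pptm"}
# Hosts that mail may link to without review (assumption for the example).
APPROVED_LINK_HOSTS = {"intranet.example.com", "example.com"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _extensions(filename: str) -> List[str]:
    """Every extension in the name, lowercased: 'Invoice.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def screen_message(raw: bytes) -> List[str]:
    """Return policy findings ('CODE detail') for one raw RFC 5322 message; [] means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        exts = _extensions(name)
        if exts and exts[-1] in BLOCKED_EXTENSIONS:
            findings.append(f"BLOCKED_EXTENSION {name}")
            if len(exts) > 1:          # 'Invoice.pdf.exe': the last extension is the real type
                findings.append(f"DOUBLE_EXTENSION {name}")
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"MZ"):  # declared Content-Type is attacker-controlled; magic bytes are not
            findings.append(f"EXECUTABLE_CONTENT {name}")
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = _LinkCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.links:
            href_host = (urlparse(href).hostname or "").lower()
            if href_host not in APPROVED_LINK_HOSTS:
                findings.append(f"UNAPPROVED_LINK_HOST {href_host or href}")
            text_host = (urlparse(text).hostname or "").lower()
            if text_host and text_host != href_host:  # visible URL names one host, link goes elsewhere
                findings.append(f"LINK_TEXT_MISMATCH {text_host} -> {href_host}")
    return findings


def build_suspicious_sample() -> bytes:
    """Constructed phishing-style message, not a real capture."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "billing@example.com", "staff@example.com", "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative('<p>Please see the attached invoice or view it at '
                        '<a href="http://198.51.100.7/login">https://intranet.example.com/invoices</a>.</p>',
                        subtype="html")
    # Declared as PDF and named to look like one, but the bytes start with a Windows PE header.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="Invoice_2024-03.pdf.exe")
    return bytes(msg)


def build_clean_sample() -> bytes:
    """Constructed benign message used as the control case."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "hr@example.com", "staff@example.com", "Policy refresher"
    msg.set_content("The updated acceptable use policy is attached.")
    msg.add_alternative('<p>The updated policy is also on the '
                        '<a href="https://intranet.example.com/policies">intranet</a>.</p>', subtype="html")
    msg.add_attachment(b"%PDF-1.4\n%constructed sample\n", maintype="application",
                       subtype="pdf", filename="AUP-2024.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for label, builder in (("suspicious", build_suspicious_sample), ("clean", build_clean_sample)):
        print(label, screen_message(builder()) or ["clean"])
```

The suspicious sample trips all five checks; the clean one produces no findings. The point for the policy question is that the extension list and approved-host set belong in the Internet Ingress/Egress Traffic Policy Definition (they are gateway rules), while the double-extension and text/href tricks are exactly what the AUP and awareness training teach users to recognise when a message gets through anyway.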

14. Why should an organization have annual security awareness training that
includes an overview of the organization’s policies?
An organization should have annual security awareness training that includes an overview of
the organization's policies because it:
- Mitigates risks by educating employees about security best practices.
- Ensures compliance with policies and regulatory requirements.
- Protects sensitive information by promoting awareness of security measures.
- Fosters a culture of security within the organization.
- Allows for continuous improvement and adaptation to evolving threats.

15. What is the purpose of defining a framework for IT security policies?
The purpose of defining a framework for IT security policies is to give the organization one
consistent structure for all of its policies: every domain of the infrastructure is covered
rather than addressed piecemeal, each policy is aligned with business objectives and
regulatory obligations, the set can scale and be adapted as the organization and its threats
change, and risk is managed in a repeatable way instead of policy by policy. This makes
policy definition and implementation more efficient and more effective across the
organization.
