Lab #3 – Assessment Worksheet

Part A – List of Risks, Threats, and

Vulnerabilities Commonly Found in an IT
Infrastructure
Course Name: IAP301
Student Name: Lê Quang Vũ
Instructor Name: Phạm Yên Thao
Lab Due Date:25/01/2024
Overview
The following risks, threats, and vulnerabilities were found in a healthcare IT
infrastructure serving patients with life-threatening situations. Given the following
list, select where the risk, threat, or vulnerability resides in the seven domains of a
typical IT infrastructure.
Risk – Threat – Vulnerability Primary Domain Impacted
Unauthorized access from public Internet LAN-to-WAN
User destroys data in application and deletes all System/Application
files
Hacker penetrates your IT infrastructure and LAN-to-WAN
gains access to your internal network
Intra-office employee romance “gone bad” User
Fire destroys the primary data center LAN
Communication circuit outages LAN
Workstation OS has a known software Workstation
vulnerability
Unauthorized access to organization owned Workstation
Workstations
Loss of production data System Database
Denial of service attack on organization e-mail WAN
server
Remote communications from home office Remote Access
LAN server OS has a known software LAN
vulnerability
User downloads an unknown e –mail User
attachment
Workstation browser has software vulnerability Workstation
Service provider has a major network outage WAN
Weak ingress/egress traffic filtering degrades LAN-to-WAN
Performance
User inserts CDs and USB hard drives with User
personal photos, music, and videos on
organization owned computers
VPN tunneling between remote computer and Remote Access
ingress/egress router
WLAN access points are needed for LAN LAN-to-WAN
connectivity within a warehouse
Need to prevent rogue users from unauthorized LAN-to-WAN
WLAN access

Part B – List of Risks, Threats, and

Vulnerabilities Commonly Found in an IT
Infrastructure
Overview
For each of the identified risks, threats, and vulnerabilities; select the most appropriate
policy definition that may help mitigate the identified risk, threat, or vulnerability
within that domain from the following list:
Policy Definition List
Acceptable Use Policy
Access Control Policy Definition
Business Continuity – Business Impact Analysis (BIA) Policy Definition
Business Continuity & Disaster Recovery Policy Definition
Data Classification Standard & Encryption Policy Definition
Internet Ingress/Egress Traffic Policy Definition
Mandated Security Awareness Training Policy Definition
Production Data Back-up Policy Definition
Remote Access Policy Definition
Vulnerability Management & Vulnerability Window Policy Definition
WAN Service Availability Policy Definition
Risk – Threat – Vulnerability Policy Definition Required
Unauthorized access from public Internet Access Control Policy Definition
User destroys data in application and deletes all Mandated Security Awareness Training Policy
files
Hacker penetrates your IT infrastructure and Data Classification Standard & Encryption
gains access to your internal network
Intra-office employee romance gone bad Business Continuity – Business Impact
Fire destroys primary data center Business Continuity & Disaster Recovery
Communication circuit outages Business Continuity & Disaster Recovery
Workstation OS has a known software Vulnerability Management & Vulnerability
vulnerability
Unauthorized access to organization-owned Data Classification Standard & Encryption
Workstations
Loss of production data Production Data Back-up Policy Definition
Denial of service attack on organization e-mail Mandated Security Awareness Training
Server
Remote communications from home office Remote Access Policy Definition
LAN server OS has a known software Vulnerability Management & Vulnerability
vulnerability
User downloads an unknown e –mail Acceptable Use Policy
attachment
Workstation browser has software vulnerability Vulnerability Management & Vulnerability
Service provider has a major network outage WAN Service Availability Policy Definition
Weak ingress/egress traffic filtering degrades Internet Ingress/Egress Traffic Policy
Performance
User inserts CDs and USB hard drives with Acceptable Use Policy
personal photos, music, and videos on
organization owned computers
VPN tunneling between remote computer and Internet Ingress/Egress Traffic Policy
ingress/egress router
WLAN access points are needed for LAN Internet Ingress/Egress Traffic Policy
connectivity within a warehouse
Need to prevent rogue users from unauthorized Access Control Policy Definition
WLAN access WLAN access

Define an Information Systems Security Policy

Framework for an IT Infrastructure
Overview
In this lab, students identified risks, threats, and vulnerabilities throughout the seven domains of a
typical IT infrastructure. By organizing these risks, threats, and vulnerabilities within each of the
seven domains of a typical IT infrastructure information system security policies can be defined to
help mitigate this risk. Using policy definition and policy implementation, organizations can
“tighten” security throughout the seven domains of a typical IT infrastructure.
Lab Assessment Questions & Answers
1. A policy definition usually contains what four major parts or elements?
- A policy definition usually contains four major parts or elements: policy statement,
purpose and scope, policy content or rules, and enforcement or compliance.

2. In order to effectively implement a policy framework, what three organizational elements are
absolutely needed to ensure successful implementation?
- In order to effectively implement a policy framework, three organizational elements are
absolutely needed: executive sponsorship, adequate resources, and clear lines of accountability
and responsibility.

3. Which policy is the most important one to implement to separate employer from employee?
Which is the most challenging to implement successfully?
- The most important policy to implement to separate employer from employee is the
Acceptable Use Policy (AUP), while the most challenging to implement successfully is likely to
be the Access Control Policy as it requires a delicate balance between protecting sensitive
information and enabling access for authorized users.

4. Which domain requires stringent access controls and encryption for connectivity to the
corporate resources from home? What policy definition is needed for this domain?
- The Network Domain requires stringent access controls and encryption for connectivity to
the corporate resources from home. A Remote Access Policy definition is needed for this domain.

5. Which domains need software vulnerability management & vulnerability window policy
definitions to mitigate risk from software vulnerabilities?
- Both the Endpoint and Server Domains need software vulnerability management &
vulnerability window policy definitions to mitigate risk from software vulnerabilities.

6. Which domain requires AUPs to minimize unnecessary User-initiated Internet traffic and
awareness of the proper use of organization-owned IT assets?
- The User Domain requires Acceptable Use Policies (AUPs) to minimize unnecessary
User-initiated Internet traffic and awareness of the proper use of organization-owned IT assets.

7. What policy definition can help remind employees within the User Domain about on-going
acceptable use and unacceptable use?
 - A Code of Conduct Policy definition can help remind employees within the User Domain
about on going acceptable use and unacceptable use.

8. What policy definition is required to restrict and prevent unauthorized access to organization
owned IT systems and applications?
- An Access Control Policy definition is required to restrict and prevent unauthorized access
to organization-owned IT systems and applications.

9. What is the relationship between an Encryption Policy Definition and a Data Classification
Standard?
- The Encryption Policy Definition and the Data Classification Standard are related as the
former outlines the required encryption levels for different types of data, while the latter defines
the level of confidentiality and sensitivity of various types of data within the organization.

10. What policy definition is needed to minimize data loss?

- A Data Backup and Recovery Policy definition is needed to minimize data loss.

11. Explain the relationship between the policy-standard-procedure-guideline structure and how
this should be postured to the employees and authorized users.
- The policy-standard-procedure-guideline structure is the hierarchy of how an organization
defines and implements its IT security policies. The policies provide high-level guidance,
standards define specific implementation requirements, procedures outline the steps to be taken,
and guidelines provide additional information and recommendations. All of these elements should
be clearly communicated to employees and authorized users to ensure understanding and
compliance.

12. Why should an organization have a remote access policy even if they already have an
Acceptable Use Policy (AUP) for employees?
- An organization should have a remote access policy even if they already have an
Acceptable Use Policy (AUP) for employees because remote access may have different security
considerations, such as encryption, authentication, and authorization, than regular in-office access.

13. What security controls can be implemented on your e-mail system to help prevent rogue or
malicious software disguised as URL links or e-mail attachments from attacking the Workstation
Domain? What kind of policy definition should this be included in? Justify your answer.
- Security controls that can be implemented on an e-mail system to prevent rogue or
malicious software disguised as URL links or e-mail attachments from attacking the Workstation
Domain include anti-malware software, e-mail filtering, and user education and awareness. This
can be included in an Email Security Policy definition.

14. Why should an organization have annual security awareness training that includes an overview
of the organization’s policies?
- An organization should have annual security awareness training that includes an overview
of the organization's policies to ensure that all employees are aware of their obligations and
understand the importance of IT security.

15. What is the purpose of defining of a framework for IT security policies?

- The purpose of defining a framework for IT security policies is to provide a
comprehensive and consistent approach to securing the organization's IT systems and data, ensure
compliance with legal and regulatory requirements, and minimize the risk of security incidents.