Lab #3 - Assessment Worksheet
2. In order to effectively implement a policy framework, what three organizational elements are
absolutely needed to ensure successful implementation?
- In order to effectively implement a policy framework, three organizational elements are
absolutely needed: executive sponsorship, adequate resources, and clear lines of accountability
and responsibility.
3. Which policy is the most important one to implement to separate employer from employee?
Which is the most challenging to implement successfully?
- The most important policy to implement to separate employer from employee is the
Acceptable Use Policy (AUP), while the most challenging to implement successfully is likely to
be the Access Control Policy as it requires a delicate balance between protecting sensitive
information and enabling access for authorized users.
4. Which domain requires stringent access controls and encryption for connectivity to the
corporate resources from home? What policy definition is needed for this domain?
- The Network Domain requires stringent access controls and encryption for connectivity to
the corporate resources from home. A Remote Access Policy definition is needed for this domain.
5. Which domains need software vulnerability management & vulnerability window policy
definitions to mitigate risk from software vulnerabilities?
- Both the Endpoint and Server Domains need software vulnerability management &
vulnerability window policy definitions to mitigate risk from software vulnerabilities.
6. Which domain requires AUPs to minimize unnecessary User-initiated Internet traffic and
awareness of the proper use of organization-owned IT assets?
- The User Domain requires Acceptable Use Policies (AUPs) to minimize unnecessary
User-initiated Internet traffic and awareness of the proper use of organization-owned IT assets.
7. What policy definition can help remind employees within the User Domain about on-going
acceptable use and unacceptable use?
- A Code of Conduct Policy definition can help remind employees within the User Domain
about on-going acceptable use and unacceptable use.
8. What policy definition is required to restrict and prevent unauthorized access to organization
owned IT systems and applications?
- An Access Control Policy definition is required to restrict and prevent unauthorized access
to organization-owned IT systems and applications.
9. What is the relationship between an Encryption Policy Definition and a Data Classification
Standard?
- The Encryption Policy Definition and the Data Classification Standard are related as the
former outlines the required encryption levels for different types of data, while the latter defines
the level of confidentiality and sensitivity of various types of data within the organization.
11. Explain the relationship between the policy-standard-procedure-guideline structure and how
this should be postured to the employees and authorized users.
- The policy-standard-procedure-guideline structure is the hierarchy of how an organization
defines and implements its IT security policies. The policies provide high-level guidance,
standards define specific implementation requirements, procedures outline the steps to be taken,
and guidelines provide additional information and recommendations. All of these elements should
be clearly communicated to employees and authorized users to ensure understanding and
compliance.
12. Why should an organization have a remote access policy even if they already have an
Acceptable Use Policy (AUP) for employees?
- An organization should have a remote access policy even if it already has an
Acceptable Use Policy (AUP) for employees because remote access may have different security
considerations, such as encryption, authentication, and authorization, than regular in-office access.
13. What security controls can be implemented on your e-mail system to help prevent rogue or
malicious software disguised as URL links or e-mail attachments from attacking the Workstation
Domain? What kind of policy definition should this be included in? Justify your answer.
- Security controls that can be implemented on an e-mail system to prevent rogue or
malicious software disguised as URL links or e-mail attachments from attacking the Workstation
Domain include anti-malware software, e-mail filtering, and user education and awareness. This
can be included in an Email Security Policy definition.
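The e-mail filtering control named in this answer is the one that lends itself to a concrete check. The script below is an added example, not part of the worksheet or of any product it mentions: it parses a constructed sample message with Python's standard `email` library and reports two of the patterns an Email Security Policy would have a gateway refuse, an attachment whose name carries a blocked or double extension, and an HTML link whose visible text shows one host while the `href` points at another. The message contents, the host names and the `BLOCKED_EXTENSIONS` list are all illustrative assumptions.

```python
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Constructed sample message (not a real capture): an HTML body with a
# deceptive link and an attachment whose name hides a second extension.
SAMPLE_EMAIL = """\
From: payroll@example.com
To: user@example.com
Subject: Updated timesheet
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="utf-8"

<p>Please review: <a href="http://198.51.100.7/login">https://intranet.example.com/timesheets</a></p>
--BOUNDARY
Content-Type: application/octet-stream; name="timesheet.pdf.exe"
Content-Disposition: attachment; filename="timesheet.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--BOUNDARY--
"""

# Illustrative set of attachment types a gateway policy would refuse outright.
BLOCKED_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "hta"}

# Matches <a href="...">visible text</a>; good enough for the sample, not a full HTML parser.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def attachment_findings(msg: Message) -> list[str]:
    """Flag attachments whose final extension is blocked or that carry a double extension."""
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        pieces = filename.lower().split(".")
        if len(pieces) < 2:
            continue  # no extension at all; nothing to judge here
        if pieces[-1] in BLOCKED_EXTENSIONS:
            findings.append(f"blocked attachment type: {filename}")
        if len(pieces) > 2:
            findings.append(f"double extension: {filename}")
    return findings


def link_findings(msg: Message) -> list[str]:
    """Flag anchors whose visible text is a URL on a different host than the real href."""
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        html = part.get_payload(decode=True).decode(charset, "replace")
        for href, text in ANCHOR_RE.findall(html):
            shown = re.sub(r"<[^>]+>", "", text).strip()
            shown_host = urlparse(shown).hostname if "://" in shown else None
            real_host = urlparse(href).hostname
            if shown_host and real_host and shown_host != real_host:
                findings.append(f"link text shows {shown_host} but points to {real_host}")
    return findings


def scan_email(raw: str) -> list[str]:
    """Return every policy finding for one raw RFC 822 message; empty list means clean."""
    msg = message_from_string(raw)
    return attachment_findings(msg) + link_findings(msg)


if __name__ == "__main__":
    for finding in scan_email(SAMPLE_EMAIL):
        print(finding)
```

Run stand-alone it prints three findings for the sample: the blocked `.exe` type, the double extension on the same file, and the link whose text names `intranet.example.com` while the `href` goes to `198.51.100.7`. A real gateway would combine these checks with the anti-malware scanning and user-awareness measures the answer lists; the point of the example is that the policy's wording ("disguised as URL links or e-mail attachments") maps directly to testable conditions.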
14. Why should an organization have annual security awareness training that includes an overview
of the organization’s policies?
- An organization should have annual security awareness training that includes an overview
of the organization's policies to ensure that all employees are aware of their obligations and
understand the importance of IT security.