Lab4 IAP301
Overview
In this lab, you are to create a security management policy that addresses the management
and the separation of duties throughout the seven domains of a typical IT infrastructure. You
are to define what the information systems security responsibility is for each of the seven
domains of a typical IT infrastructure. From this definition, you must incorporate your
definition for the separation of duties within the procedures section of your policy definition
template. Your scenario is the same as in Lab #1 – ABC Credit Union/Bank.
• Regional ABC Credit union/bank with multiple branches and locations throughout
the region
• Online banking and the use of the Internet is a strength of your bank given limited
human resources
• The customer service department is the most critical business function/operation of
the organization.
• The organization wants to be in compliance with GLBA and IT security best
practices regarding employees.
• The organization wants to monitor and control use of the Internet by implementing
content filtering.
• The organization wants to eliminate personal use of organization owned IT assets
and systems.
• The organization wants to monitor and control the use of the e-mail system by
implementing e-mail security controls.
• The organization wants to implement this policy for all IT assets owned by the
organization and to incorporate this policy review into the annual security awareness
training.
• The organization wants to define a policy framework including a Security
Management Policy defining the separation of duties for information systems security.
ABC Credit Union
Employee I.T. Security Policy
Policy Statement
ABC’s intention in publishing an Employee I.T. Security Policy is to clearly establish the
Credit Union’s posture on the use of IT assets and infrastructure across the seven IT
domains. Online banking and use of the Internet are the bank’s strengths, and it is the
responsibility of every employee of ABC who uses IT infrastructure in any capacity to know
and adhere to this policy and to conduct their activities accordingly.
Purpose/Objectives
The purpose of this Employee I.T. Security Policy is to:
• Define clear roles and responsibilities for personnel involved in security management
within each domain.
• Enforce a separation of duties principle to mitigate the risk of unauthorized activities
and fraud.
• Ensure compliance with relevant regulations, standards, and industry best practices.
• Support business continuity and disaster recovery efforts by implementing robust
security controls.
• Foster collaboration and communication between different departments and
stakeholders involved in security management.
• Continuously improve security practices and procedures through regular assessments,
audits, and reviews.
Scope
This Employee I.T. Security Policy applies to all employees, contractors, and third-party
vendors who access or manage ABC Credit Union's IT infrastructure across the seven
domains of IT infrastructure, to all of their equipment, hardware, and software, and to all
processes, functions, and tasks involving them. The seven domains are identified as the User
Domain, Workstation Domain, LAN Domain, LAN-to-WAN Domain, WAN Domain, Remote Access
Domain, and the Systems/Application Domain.
Standards
ABC Credit Union adheres to the following standards to ensure effective security
management and separation of duties:
Procedures
User Domain:
• All employees will complete mandatory security awareness training, along with any
additional training required.
• All employees will utilize assigned passwords in compliance with password policies.
• Compliance with the Clean Desk policy is mandatory for all employees.
• Employees are prohibited from sharing passwords, engaging in collusion, or any
activities that breach separation of duties principles.
• Logging in as another user is strictly prohibited.
• IT services and infrastructure are for official use only; personal use is prohibited.
• Employees acknowledge that all assets and infrastructure are property of ABC and
may be subject to monitoring for policy compliance.
Workstation Domain:
LAN Domain:
• Content and URL filtering rules will be established on perimeter defense devices.
• Blocking access to pornography sites, gambling sites, peer-to-peer networks, the dark
web, anonymizers, and proxy connections is mandatory.
• Attempts to connect to blocked sites will be logged and reported.
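The three LAN Domain procedures above describe one control: classify the destination of each web request, block the named categories, and log and report every blocked attempt. The following Python is an added example written for this lab report, not configuration from ABC Credit Union or from any perimeter product; the category table, the blocked-category set and the request records are constructed sample data that stand in for a vendor category feed and a proxy access log.

```python
"""Category-based URL filtering with logging and per-user reporting.

Added example for this lab report. The category table, blocked categories and
sample requests below are constructed; a real perimeter device would consult a
vendor-maintained category feed and emit its own log format.
"""
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed: domain suffix -> category (a stand-in for a category feed).
CATEGORY_TABLE = {
    "example-gambling.test": "gambling",
    "example-adult.test": "pornography",
    "tracker.example-p2p.test": "peer-to-peer",
    "example-anonymizer.test": "anonymizer",
    "example-proxy.test": "proxy",
    "onion.example-darkweb.test": "dark-web",
    "partner-bank.test": "finance",
}

# The categories the LAN Domain procedure says must be blocked.
BLOCKED_CATEGORIES = {"pornography", "gambling", "peer-to-peer",
                      "dark-web", "anonymizer", "proxy"}


@dataclass(frozen=True)
class Decision:
    user: str
    host: str
    category: str
    allowed: bool


def normalize_host(url: str) -> str:
    """Lower-case the host and drop any port and trailing dot so lookups are consistent."""
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to find the host
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def categorize(host: str) -> str:
    """Match the host itself, then each parent domain, against the category table."""
    labels = host.split(".")
    for i in range(len(labels)):
        category = CATEGORY_TABLE.get(".".join(labels[i:]))
        if category:
            return category
    return "uncategorized"


def evaluate(user: str, url: str) -> Decision:
    """Decide whether one request is allowed under the blocked-category rule."""
    host = normalize_host(url)
    category = categorize(host)
    return Decision(user, host, category, category not in BLOCKED_CATEGORIES)


def log_line(decision: Decision) -> str:
    """Render a decision as a single key=value log line (constructed format)."""
    action = "ALLOW" if decision.allowed else "BLOCK"
    return (f"urlfilter user={decision.user} host={decision.host} "
            f"category={decision.category} action={action}")


def filter_requests(requests):
    """Evaluate (user, url) pairs; return (log lines, blocked attempts per user)."""
    decisions = [evaluate(user, url) for user, url in requests]
    logs = [log_line(d) for d in decisions]
    report = Counter(d.user for d in decisions if not d.allowed)
    return logs, dict(report)


# Constructed sample requests, including mixed case, a port and a trailing dot.
SAMPLE_REQUESTS = [
    ("alice", "https://www.example-gambling.test/play"),
    ("alice", "https://partner-bank.test/statements"),
    ("bob", "http://PROXY.example-proxy.test:8080/"),
    ("bob", "https://cdn.tracker.example-p2p.test./announce"),
    ("carol", "https://intranet.abc.test/"),
]

if __name__ == "__main__":
    lines, blocked_per_user = filter_requests(SAMPLE_REQUESTS)
    print("\n".join(lines))
    print("blocked attempts per user:", blocked_per_user)
```

The report half is what turns "logged" into "reported": a count of blocked attempts per user is the minimum a reviewer needs to follow up, and the parent-domain walk in `categorize` is what keeps a user from escaping a category rule by using a subdomain, a port or a trailing dot.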
WAN Domain:
System/Application Domain:
• Patching of all software and operating systems will adhere to the Patch Management
Policy.
• Systems will be hardened prior to use.
• Default passwords and configurations will be changed.
Guidelines
The following guidelines are provided to support the implementation of security management
and separation of duties:
1. Documented Policies and Procedures: Maintain up-to-date documentation of security
policies, procedures, and guidelines for each domain.
2. Training and Awareness: Provide regular training and awareness programs to educate
employees on security best practices and their roles in maintaining security.
3. Continuous Monitoring: Implement monitoring and logging mechanisms to detect and
respond to security threats in real-time.
4. Collaboration and Communication: Foster collaboration and communication between
IT and business units to ensure alignment of security measures with business
objectives.
5. Third-Party Risk Management: Assess and manage the security risks associated with
third-party vendors and service providers accessing ABC Credit Union's IT
infrastructure.
Overview
In this lab, you examined the seven domains of a typical IT infrastructure from an
information systems security responsibility perspective. What are the roles and
responsibilities performed by the IT professional, and what are the roles and responsibilities
of the information systems security practitioner? This lab presented an overview of exactly
what those roles and responsibilities are and, more importantly, how to define a security
management policy that aligns and defines who is responsible for what. This is critical during
a security incident that requires immediate attention by the security incident response team.
5. How would you position a layered security approach with a layered security
management approach for an IT infrastructure?
A layered security approach involves implementing multiple security measures at different
levels of an IT infrastructure to provide overlapping protection. A layered security
management approach complements this by integrating policies, procedures, and oversight to
ensure the effective implementation and coordination of these security measures.
In positioning these approaches:
6. If a system administrator had both the ID and password to a system, would that
be a problem?
Yes, if a system administrator possesses both the username (ID) and password to a system, it
can pose a significant security risk. This scenario violates the principle of separation of
duties, which is a fundamental security control mechanism. Having both the ID and password
means that the system administrator has complete control and access to the system, which can
lead to various security issues, including:
1. Unauthorized Access: The administrator could potentially misuse their access
privileges to view, modify, or delete sensitive data, applications, or system
configurations without proper authorization.
Clarity and Consistency: Guidelines provide clear instructions and expectations for
implementing security measures consistently across the organization. This clarity
ensures that all stakeholders understand their roles and responsibilities in maintaining
security.
Standardization: Guidelines help standardize security practices and procedures,
reducing variability and improving efficiency in security operations. Standardization
simplifies training, auditing, and compliance efforts.
Flexibility: While policies set the overarching framework for security, guidelines offer
flexibility in implementation. They can be tailored to specific systems, departments,
or business processes, allowing for customized security solutions that meet diverse
needs.
Risk Management: Guidelines help organizations manage security risks by offering
practical recommendations for mitigating threats and vulnerabilities. They provide
actionable steps for identifying, assessing, and addressing security risks proactively.
Compliance and Auditing: Clearly defined guidelines facilitate compliance with
regulatory requirements and industry standards. Auditors and regulators can assess
adherence to security best practices more effectively when guidelines are well-defined
and documented.
Continuous Improvement: Guidelines serve as a basis for evaluating and improving
security practices over time. Organizations can review and update guidelines in
response to evolving threats, technological advancements, and changing business
requirements.
Overall, defining guidelines in a layered security management policy enhances the
organization's ability to implement effective security measures, manage risks, and maintain
compliance with regulatory requirements.
11. Why is it important to define access control policies that limit or prevent
exposing customer privacy data to employees?
Defining access control policies to limit employee access to customer privacy data is crucial
for maintaining trust, complying with regulations, protecting reputation, and reducing
financial and legal risks. It ensures customer data remains secure, employees' trust is
maintained, and the organization avoids potential penalties and reputational damage.
12. Explain why the seven domains of a typical IT infrastructure help organizations
align to separation of duties.
The seven domains of a typical IT infrastructure provide a structured framework that helps
organizations align with the principle of separation of duties by delineating distinct areas of
responsibility and authority. Here's how each domain contributes to supporting separation of
duties:
Security and Risk Management: This domain establishes policies, procedures, and
controls for managing security risks. It involves defining roles and responsibilities for
risk assessment, risk mitigation, and security governance, ensuring that different
individuals or teams are responsible for overseeing these critical security functions.
13. Why is it important for an organization to have a policy definition for Business
Continuity and Disaster Recovery?
It is important for an organization to have a policy definition for Business Continuity and
Disaster Recovery (BCDR) for several reasons:
Risk Mitigation: A BCDR policy outlines procedures and strategies to mitigate the
impact of potential disruptions, such as natural disasters, cyberattacks, or equipment
failures. By proactively planning for such events, organizations can reduce downtime,
minimize losses, and maintain operational continuity.
Regulatory Compliance: Many industries and jurisdictions require organizations to
have formal BCDR plans in place to comply with regulatory requirements. Adhering
to these regulations helps organizations avoid penalties, fines, and legal liabilities.
Maintaining Customer Trust: Customers and stakeholders expect organizations to
have plans in place to ensure business continuity and protect their interests in the
event of a disaster or disruption. Demonstrating a commitment to BCDR instills
confidence and trust among customers, partners, and investors.
Preserving Reputation: Effective BCDR planning helps organizations respond to
crises in a timely and coordinated manner, minimizing negative publicity and
reputational damage. Maintaining operational resilience during challenging times can
enhance the organization's reputation and brand image.
Financial Stability: Disruptions to business operations can have significant financial
consequences, including revenue loss, increased expenses, and damage to assets. A
BCDR policy helps organizations mitigate these financial risks by enabling quick
recovery and resumption of critical business functions.
Employee Safety and Well-being: BCDR plans include measures to ensure the safety
and well-being of employees during emergencies, such as evacuation procedures and
communication protocols. Providing a safe and secure work environment enhances
employee morale, loyalty, and productivity.
Strategic Planning: BCDR planning is an integral part of strategic risk management
and business planning. It helps organizations identify vulnerabilities, assess risks, and
prioritize investments in resilience-building measures to protect critical assets and
operations.
Overall, having a policy definition for Business Continuity and Disaster Recovery is essential
for organizations to prepare for, respond to, and recover from disruptions effectively. It helps
ensure operational resilience, regulatory compliance, customer trust, and long-term
sustainability in an increasingly uncertain business environment.
15. Separation of duties is best defined by policy definition. What is needed to ensure
its success?
To ensure the success of separation of duties defined by policy, several key elements are
needed:
Clear Policy Statement: The policy should include a clear and concise statement
defining separation of duties and its importance within the organization. It should
articulate the objectives of separation of duties and its alignment with organizational
goals.
Roles and Responsibilities: The policy should specify the roles and responsibilities of
individuals or teams involved in different processes or functions within the
organization. It should delineate the tasks and duties that are segregated to prevent
conflicts of interest and maintain accountability.
Risk Assessment: The policy should incorporate a risk assessment process to identify
areas where separation of duties is necessary to mitigate risks effectively. It should
consider the potential impact of not implementing separation of duties and prioritize
areas where it is most critical.
Compliance Requirements: The policy should address any regulatory requirements or
industry standards related to separation of duties, ensuring that the organization
remains compliant with applicable laws and regulations. It should outline procedures
for monitoring and auditing compliance with separation of duties requirements.
Training and Awareness: The policy should emphasize the importance of training and
awareness programs to educate employees about separation of duties principles and
their role in maintaining effective controls. It should provide guidance on how
employees can comply with separation of duties requirements in their daily activities.
Monitoring and Enforcement: The policy should establish procedures for monitoring
compliance with separation of duties requirements and enforcing accountability for
violations. It should define mechanisms for detecting and reporting breaches of
separation of duties and specify consequences for non-compliance.
Regular Review and Updates: The policy should undergo regular review and updates
to ensure its continued effectiveness and relevance in addressing evolving risks and
business needs. It should incorporate feedback from stakeholders and lessons learned
from incidents or audits to improve separation of duties practices over time.
By incorporating these elements into the policy definition, organizations can effectively
implement and maintain separation of duties as a fundamental control mechanism to enhance
security, mitigate risks, and promote accountability within the organization.
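The Roles and Responsibilities and Monitoring and Enforcement elements above come down to two checks an organization can actually run: does any single person's combined set of roles give them two duties the policy says must be held by different people, and does any role, as defined, contain such a pair by itself. The following Python is an added example written for this lab report, not a tool ABC Credit Union uses; the duties, roles, conflict pairs and user assignments are constructed sample data chosen to match the banking scenario.

```python
"""Checking role assignments against a separation-of-duties conflict matrix.

Added example for this lab report. ROLE_DUTIES, CONFLICTING_DUTIES and
SAMPLE_USER_ROLES are constructed sample data, not ABC Credit Union's real roles.
"""

# Constructed: the duties each role carries.
ROLE_DUTIES = {
    "sysadmin":       {"create_account", "change_config", "reset_password"},
    "security_admin": {"set_password_policy", "review_logs"},
    "auditor":        {"review_logs", "review_config_changes"},
    "teller":         {"initiate_transfer"},
    "supervisor":     {"approve_transfer"},
    # A badly designed role: it bundles two duties the matrix keeps apart.
    "payments_clerk": {"initiate_transfer", "approve_transfer"},
}

# Constructed: duty pairs that must never rest with one person.
CONFLICTING_DUTIES = {
    frozenset({"initiate_transfer", "approve_transfer"}),
    frozenset({"change_config", "review_config_changes"}),
    frozenset({"create_account", "review_logs"}),
}


def effective_duties(roles, role_duties=ROLE_DUTIES):
    """Union of the duties granted by every role a person holds."""
    duties = set()
    for role in roles:
        if role not in role_duties:
            raise KeyError(f"unknown role: {role}")
        duties |= role_duties[role]
    return duties


def find_conflicts(duties, conflicts=CONFLICTING_DUTIES):
    """Return the conflicting pairs fully present in one duty set, as sorted tuples."""
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= duties)


def check_assignments(user_roles, role_duties=ROLE_DUTIES, conflicts=CONFLICTING_DUTIES):
    """Map user -> violated pairs; users with no violation are left out of the result."""
    violations = {}
    for user, roles in user_roles.items():
        found = find_conflicts(effective_duties(roles, role_duties), conflicts)
        if found:
            violations[user] = found
    return violations


def toxic_roles(role_duties=ROLE_DUTIES, conflicts=CONFLICTING_DUTIES):
    """Roles that contain a conflicting pair on their own: a policy design flaw,
    since assigning that one role already breaks separation of duties."""
    return sorted(role for role, duties in role_duties.items()
                  if find_conflicts(duties, conflicts))


# Constructed assignments; the comments say what each violation would let one person do.
SAMPLE_USER_ROLES = {
    "alice": ["teller"],
    "bob":   ["teller", "supervisor"],        # initiates and approves the same transfer
    "carol": ["sysadmin", "auditor"],         # changes configs and reviews those changes
    "dave":  ["sysadmin", "security_admin"],  # creates accounts and reviews the logs of it
    "erin":  ["auditor"],
}

if __name__ == "__main__":
    for user, pairs in check_assignments(SAMPLE_USER_ROLES).items():
        print(f"{user}: conflicting duties {pairs}")
    print("roles that conflict with themselves:", toxic_roles())
```

Running the check on every assignment change, and again on a schedule, is the monitoring step the policy asks for; `toxic_roles` catches the case where the role catalogue itself is wrong, which no amount of careful assignment can fix.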