
Lab #4 – Assessment Worksheet

Craft a Layered Security Management Policy – Separation of Duties

Course Name: IAP301


Student Name: Phạm Thị Minh Thúy (HE171100)
Instructor Name: Hoàng Mạnh Đức

Overview
In this lab, you are to create a security management policy that addresses the management
and the separation of duties throughout the seven domains of a typical IT infrastructure. You
are to define what the information systems security responsibility is for each of the seven
domains of a typical IT infrastructure. From this definition, you must incorporate your
definition for the separation of duties within the procedures section of your policy definition
template. Your scenario is the same as in Lab #1 – ABC Credit Union/Bank.
• Regional ABC Credit union/bank with multiple branches and locations throughout
the region
• Online banking and the use of the Internet is a strength of your bank given limited
human resources
• The customer service department is the most critical business function/operation of
the organization.
• The organization wants to be in compliance with GLBA and IT security best
practices regarding employees.
• The organization wants to monitor and control use of the Internet by implementing
content filtering.
• The organization wants to eliminate personal use of organization owned IT assets
and systems.
• The organization wants to monitor and control the use of the e-mail system by
implementing e-mail security controls.
• The organization wants to implement this policy for all IT assets owned by the
organization and to incorporate this policy review into the annual security awareness
training.
• The organization wants to define a policy framework including a Security
Management Policy defining the separation of duties for information systems security.
ABC Credit Union
Employee I.T. Security Policy
Policy Statement
ABC’s intention in publishing an Employee I.T. Security Policy is to establish clearly the
Credit Union’s position on the use of its IT assets and infrastructure across the seven IT
domains, and on who is responsible for securing each of them. Online banking and use of the
Internet are the bank’s strengths, so it is the responsibility of every employee of ABC who
uses the IT infrastructure in any capacity to know and adhere to this policy and to conduct
their activities accordingly.

Purpose/Objectives
The purpose of this Employee I.T. Security Policy is to:

 Define clear roles and responsibilities for personnel involved in security management
within each domain.
 Enforce a separation of duties principle to mitigate the risk of unauthorized activities
and fraud.
 Ensure compliance with relevant regulations, standards, and industry best practices.
 Support business continuity and disaster recovery efforts by implementing robust
security controls.
 Foster collaboration and communication between different departments and
stakeholders involved in security management.
 Continuously improve security practices and procedures through regular assessments,
audits, and reviews.

Scope
This Employee I.T. Security Policy applies to all employees, contractors, and third-party
vendors who access or manage ABC Credit Union's IT infrastructure across the seven
domains of IT infrastructure, all their equipment, hardware, and software, and all processes,
functions, tasks involving them. The seven domains are identified as User Domain,
Workstation Domain, LAN Domain, LAN to WAN domain, WAN domain, Remote Access
Domain, and the Systems/Application Domain.

Standards
ABC Credit Union adheres to the following standards to ensure effective security
management and separation of duties:

 ISO/IEC 27001: Information Security Management System (ISMS) standard.


 NIST Cybersecurity Framework: Framework for improving critical infrastructure
cybersecurity.
 PCI DSS: Payment Card Industry Data Security Standard for securing payment card
transactions.
 COBIT: Control Objectives for Information and Related Technologies framework for
governance and management of IT.
 GLBA: Gramm-Leach-Bliley Act requirements (Privacy Rule and Safeguards Rule) for
protecting customers' non-public personal information, implemented through ABC's GLBA
Compliance Policy.

Procedures
User Domain:

 All employees will complete mandatory security awareness training, along with any
additional training required.
 All employees will use only their individually assigned accounts and will choose and manage
passwords in compliance with the Password Policy.
 Compliance with the Clean Desk policy is mandatory for all employees.
 Employees are prohibited from sharing passwords, engaging in collusion, or any
activities that breach separation of duties principles.
 Logging in as another user is strictly prohibited.
 IT services and infrastructure are for official use only; personal use is prohibited.
 Employees acknowledge that all IT assets and infrastructure are the property of ABC and
that their use may be monitored for policy compliance.
Workstation Domain:

 Enterprise antivirus software will be installed on all laptops and desktops.


 Laptops and desktops will undergo hardening procedures before deployment.
 Day-to-day work will be performed from standard (non-administrative) user accounts;
local administrator rights are reserved for IT support staff and used only when a task
requires them.
 Users may not download or install applications; software is deployed and updated by IT
from the approved software list.
 Screen locking laptops and desktops upon leaving them unattended is mandatory.

LAN Domain:

 Routers, printers, and network devices will undergo hardening procedures.


 Prior approval is required for setting up all access points.
 NAC will assess the health of every endpoint before it is admitted to the LAN and will
quarantine non-compliant devices until they are patched under the Patch Management Policy.
 Email servers will be equipped with spam filters and emails monitored per Data Loss
Prevention and Acceptable Use policies.
 IDS sensors on the LAN will be regularly monitored, trends analyzed, and logs
reviewed in accordance with IDS policy.
 Changes to access control lists on the internal firewall require approval through the
Change Management System; the person who requests or implements a change may not be the
person who approves it.
LAN-to-WAN Domain:

 Content and URL filtering rules will be established on perimeter defense devices.
 Blocking access to pornography sites, gambling sites, peer-to-peer networks, the dark
web, anonymizers, and proxy connections is mandatory.
 Attempts to connect to blocked sites will be logged and reported.
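The logging-and-reporting bullet above describes the control but not what the resulting report looks like. The following Python is an added example, not part of ABC's policy or the lab text: it parses content-filter log lines in a constructed, squid-style layout (timestamp, user, client IP, category, action, URL), tallies BLOCK events per user and category, skips malformed lines instead of crashing, and flags users whose blocked attempts reach a threshold for escalation. The user names, URLs, categories and threshold are assumptions made for the example.

```python
"""Report attempts to reach blocked web categories from content-filter logs.

Added example, not part of the ABC Credit Union policy. The log format is a
constructed, squid-style layout: timestamp, user, client IP, category, action, URL.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not real traffic). One line is deliberately malformed.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z jdoe 10.10.4.21 finance ALLOW https://core-banking.internal/login
2024-03-04T09:13:45Z jdoe 10.10.4.21 gambling BLOCK https://bet-now.example/
2024-03-04T09:14:02Z jdoe 10.10.4.21 gambling BLOCK https://bet-now.example/odds
2024-03-04T09:20:17Z asmith 10.10.5.8 anonymizer BLOCK https://hide-me.example/
2024-03-04T09:21:30Z asmith 10.10.5.8 news ALLOW https://news.example/
2024-03-04T09:25:00Z jdoe 10.10.4.21 p2p BLOCK magnet:?xt=urn:btih:0000
this line is malformed and must be skipped, not crash the report
2024-03-04T09:26:00Z mlee 10.10.6.3 proxy BLOCK https://free-proxy.example/
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<category>\S+) "
    r"(?P<action>ALLOW|BLOCK) (?P<url>\S+)$"
)


def parse_log(text):
    """Return (records, malformed_count). Malformed lines are counted, not raised."""
    records, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            malformed += 1
            continue
        records.append(m.groupdict())
    return records, malformed


def blocked_attempts(records):
    """Map user -> Counter(category -> number of BLOCK events)."""
    per_user = defaultdict(Counter)
    for r in records:
        if r["action"] == "BLOCK":
            per_user[r["user"]][r["category"]] += 1
    return dict(per_user)


def flag_repeat_offenders(per_user, threshold):
    """Users whose total blocked attempts reach the threshold, listed for escalation."""
    return sorted(u for u, c in per_user.items() if sum(c.values()) >= threshold)


def build_report(text, threshold=3):
    """Produce the human-readable report a reviewer would receive."""
    records, malformed = parse_log(text)
    per_user = blocked_attempts(records)
    lines = [f"Blocked-site attempts ({len(records)} events parsed, "
             f"{malformed} malformed lines skipped)"]
    for user in sorted(per_user):
        cats = ", ".join(f"{cat}={n}" for cat, n in sorted(per_user[user].items()))
        lines.append(f"  {user}: {cats}")
    flagged = flag_repeat_offenders(per_user, threshold)
    lines.append("Escalate (>= %d attempts): %s" % (threshold, ", ".join(flagged) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_report(SAMPLE_LOG))
```

Run it directly to print the report. The threshold is a policy decision, so it is a parameter rather than a constant buried in the code, and malformed lines are counted rather than silently dropped because a sudden rise in unparseable lines is itself worth a look (a log source change, or tampering).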

WAN Domain:

 All connections will pass through the external firewall.


 Regular monitoring of logs will be conducted.

Remote Access Domain:

 All remote connections will use the company-provided VPN with multi-factor authentication.


 VPN servers will be regularly updated and patched as per the Patch Management
policy.
 Continuous monitoring of VPN logs will be performed.

System/Application Domain:

 Patching of all software and operating systems will adhere to the Patch Management
Policy.
 Systems will be hardened prior to use.
 Default credentials will be changed and default configurations reviewed before a system is
placed in service.
 Development, test and production environments will be kept separate; developers will not
deploy their own code to production, and the same individual will not both administer a
system and review its security logs.

Guidelines
The following guidelines are provided to support the implementation of security management
and separation of duties:
1. Documented Policies and Procedures: Maintain up-to-date documentation of security
policies, procedures, and guidelines for each domain.
2. Training and Awareness: Provide regular training and awareness programs to educate
employees on security best practices and their roles in maintaining security.
3. Continuous Monitoring: Implement monitoring and logging mechanisms to detect and
respond to security threats in real-time.
4. Collaboration and Communication: Foster collaboration and communication between
IT and business units to ensure alignment of security measures with business
objectives.
5. Third-Party Risk Management: Assess and manage the security risks associated with
third-party vendors and service providers accessing ABC Credit Union's IT
infrastructure.


Overview
In this lab, you examined the seven domains of a typical IT infrastructure from an
information systems security responsibility perspective. What are the roles and
responsibilities performed by the IT professional, and what are the roles and responsibilities
of the information systems security practitioner? This lab presented an overview of exactly
what those roles and responsibilities are and, more importantly, how to define a security
management policy that aligns and defines who is responsible for what. This is critical during
a security incident that requires immediate attention by the security incident response team.

Lab Assessment Questions & Answers


1. For each of the seven domains of a typical IT infrastructure, summarize what the
information systems security responsibilities are within that domain:
1. User Domain:
- Educating users about security policies and best practices.
- Enforcing password policies and access controls.
- Conducting security awareness training.
- Monitoring user activity for suspicious behavior.
2. Workstation Domain:
- Installing and maintaining antivirus software and firewalls.
- Enforcing security configurations and updates on workstations.
- Implementing access controls and encryption for sensitive data.
- Monitoring for unauthorized software installations.
3. LAN Domain:
- Configuring and maintaining network firewalls and intrusion detection/prevention
systems.
- Implementing access controls and VLAN segmentation.
- Conducting regular network vulnerability assessments and patch management.
- Monitoring network traffic for anomalies and security breaches.
4. LAN-to-WAN Domain:
- Configuring and managing the perimeter firewall, DMZ and content/URL filtering.
- Configuring and managing boundary routers and switches with strong access controls.
- Monitoring and logging traffic between LAN and WAN, including blocked outbound attempts,
for security events.
- Implementing encryption (TLS, VPN tunnels) for data crossing the boundary.
5. WAN Domain:
- Configuring secure connections between multiple sites using VPNs or dedicated
circuits.
- Implementing access controls and encryption for data traversing the WAN.
- Regularly monitoring WAN connections for unauthorized access or anomalies.
- Implementing redundancy and failover mechanisms for critical WAN links.
6. Remote Access Domain:
- Implementing multi-factor authentication for remote access.
- Enforcing strong encryption for data transmitted over remote access connections.
- Monitoring and logging remote access sessions for security purposes.
- Regularly auditing and updating remote access policies and configurations.
7. System/Application Domain:
- Applying security patches and updates to operating systems and applications.
- Configuring access controls and authentication mechanisms for systems and
applications.
- Regularly auditing system and application logs for security events.
- Conducting vulnerability assessments and penetration testing on systems and
applications.

2. Which of the seven domains of a typical IT infrastructure requires personnel and
executive management support outside of the IT or information systems security
organizations?
The User Domain. Its key controls are not technical: the acceptable use policy, mandatory
security awareness training, background checks, and disciplinary action for violations. Those
are owned by human resources, legal and line management and must be backed by executive
management, because only management can hold employees accountable for their behaviour. IT
and information security can write the policy and implement the technical controls that
support it, but without personnel and executive support the User Domain controls are
unenforceable. This is why the scenario asks for the policy review to be incorporated into
annual security awareness training, which is an HR and management obligation rather than an
IT one.
3. What does separation of duties mean?
Separation of duties is a fundamental principle in security and risk management, as well as in
financial and operational contexts. It refers to the practice of dividing tasks and
responsibilities among different individuals or groups to ensure that no single person or entity
has complete control over a critical process or transaction from start to finish.
4. How does separation of duties throughout an IT infrastructure mitigate risk for
an organization?
Separation of duties throughout an IT infrastructure helps mitigate risk for an organization in
several ways:
1. Preventing Insider Threats: By dividing tasks and responsibilities among different
individuals or teams, no single person has complete control over critical processes or
systems. This reduces the risk of insider threats, such as unauthorized access, data
manipulation, or sabotage by a disgruntled employee.
2. Detection and Deterrence of Fraud: Separation of duties ensures that multiple
individuals are involved in key processes, making it more difficult for any single
person to carry out fraudulent activities without detection. Additionally, the
knowledge that multiple people are involved can act as a deterrent to potential
fraudsters.
3. Error Detection and Correction: With multiple individuals involved in various
aspects of IT operations, errors are more likely to be detected and corrected early in
the process. This helps prevent costly mistakes from escalating into larger issues that
could impact the organization's operations or reputation.
4. Enhancing Accountability: When responsibilities are clearly defined and divided
among different individuals or teams, it becomes easier to hold individuals
accountable for their actions. This accountability fosters a culture of responsibility
and professionalism within the organization.
5. Compliance with Regulations and Standards: Many regulatory requirements and
industry standards, such as PCI DSS (Payment Card Industry Data Security Standard)
and SOX (Sarbanes-Oxley Act), mandate the implementation of separation of duties
as a security control. Adhering to these requirements helps organizations avoid
penalties, fines, and legal liabilities.
6. Reducing Single Points of Failure: Because no individual holds a critical process
end to end, the hand-offs between roles are documented, and another trained person can
cover an absent employee's step without anyone being granted control of the whole
process.

Overall, separation of duties is a fundamental principle in risk management that enhances
security, integrity, and resilience within an organization's IT infrastructure.
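To show how the points above are enforced mechanically rather than only by policy text, here is an added Python example (not from the lab or from ABC): a small separation-of-duties matrix of role pairs that one person must not hold, a detective check that scans role assignments for those toxic combinations, a preventive check run before a role is granted, and a four-eyes approval function for change requests. The role names, the conflict pairs, the users and the change request are constructed for illustration.

```python
"""Separation-of-duties checks: toxic role combinations and four-eyes approval.

Added example, not from the lab text. The conflict matrix, role names, user
records and change request below are constructed for illustration.
"""
from itertools import combinations

# Constructed SoD matrix: pairs of roles that one person must never hold together.
CONFLICTING_ROLE_PAIRS = frozenset({
    frozenset({"create_vendor", "approve_payment"}),    # set up a payee and pay it
    frozenset({"request_change", "approve_change"}),    # approve your own change
    frozenset({"sysadmin", "security_log_reviewer"}),   # audit your own actions
    frozenset({"develop_code", "deploy_production"}),   # ship your own untested code
})

# Constructed role assignments, as an IAM system might export them.
ASSIGNMENTS = {
    "jdoe": {"create_vendor", "approve_payment"},
    "asmith": {"request_change"},
    "mlee": {"approve_change", "sysadmin"},
    "rkhan": {"sysadmin", "security_log_reviewer", "develop_code"},
}


def find_sod_violations(assignments, conflicts=CONFLICTING_ROLE_PAIRS):
    """Detective check: sorted (user, role_a, role_b) for every conflicting pair held by one user."""
    found = []
    for user, roles in assignments.items():
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in conflicts:
                found.append((user, a, b))
    return sorted(found)


def can_assign(user, new_role, assignments, conflicts=CONFLICTING_ROLE_PAIRS):
    """Preventive check run before a role is granted: would it create a conflict?"""
    held = assignments.get(user, set())
    return all(frozenset({new_role, r}) not in conflicts for r in held)


def approve_change(change, approver, assignments):
    """Four-eyes rule: the approver must hold approve_change and must not be the requester.

    The decision and reason are recorded in the returned record rather than raised,
    so a rejection is itself an auditable event.
    """
    if approver == change["requester"]:
        return {**change, "status": "rejected", "reason": "requester cannot approve own change"}
    if "approve_change" not in assignments.get(approver, set()):
        return {**change, "status": "rejected", "reason": f"{approver} lacks approve_change"}
    return {**change, "status": "approved", "approved_by": approver}


if __name__ == "__main__":
    for violation in find_sod_violations(ASSIGNMENTS):
        print("SoD violation:", violation)
    chg = {"id": "CHG-1001", "requester": "asmith", "summary": "open TCP/443 on internal firewall"}
    print(approve_change(chg, "asmith", ASSIGNMENTS)["status"])  # rejected: own change
    print(approve_change(chg, "mlee", ASSIGNMENTS)["status"])    # approved
```

The detective scan is what an audit or access recertification would run against the real role export; the preventive check is what the provisioning workflow should call before granting a role, so that the violation is never created in the first place.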

5. How would you position a layered security approach with a layered security
management approach for an IT infrastructure?
A layered security approach involves implementing multiple security measures at different
levels of an IT infrastructure to provide overlapping protection. A layered security
management approach complements this by integrating policies, procedures, and oversight to
ensure the effective implementation and coordination of these security measures.
In positioning these approaches:

 Layered Security Approach: Emphasize the importance of having multiple layers of
defense, such as network firewalls, intrusion detection systems, antivirus software,
access controls, and encryption, to address various threats and vulnerabilities
comprehensively.
 Layered Security Management Approach: Highlight the need for strategic planning,
risk assessment, policy development, training, monitoring, and incident response
coordination across all layers of security. This ensures that security measures are
aligned with business objectives, regulatory requirements, and evolving threats.
Together, these approaches create a robust security posture that strengthens resilience and
mitigates risks effectively in an IT infrastructure.

6. If a system administrator had both the ID and password to a system, would that
be a problem?
Yes. An administrator who alone holds both the ID and the password of a privileged account
(root, a domain administrator, a database or application service account) can log in and act
with no second person involved, which is exactly what separation of duties is meant to
prevent. Administrators necessarily know the credentials of their own named accounts; the
problem is one person's sole, unchecked possession of the credentials that confer complete
control of a system. This can lead to:
1. Unauthorized Access: The administrator could view, modify, or delete sensitive data,
applications, or system configurations without any approval or second party.
2. Data Breaches: If that single credential is compromised or misused, confidential
information can be accessed, stolen, or leaked, and nothing else stands in the way.
3. Malicious Activities: With full access, the administrator could install malware,
sabotage systems, or disrupt operations, and could also tamper with the logs that would
show it.
4. Lack of Accountability: A shared privileged account used by whoever holds its password
cannot be tied to an individual, which undermines traceability and hinders incident
investigation and response.
To mitigate these risks: apply least privilege, so administrators hold only the rights their
duties require; use named administrative accounts separate from daily-use accounts; keep
shared privileged credentials in a vault with checkout, approval and session recording rather
than in one person's head; use split knowledge (two custodians each hold part of the
credential, or threshold shares) for the most sensitive accounts; require multi-factor
authentication so a stolen password alone is not enough; and have privileged activity
monitored and audited by a team other than the administrators themselves.
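One concrete way to stop a single administrator from holding the whole credential of a privileged account is split knowledge. As an added example (not part of the worksheet answer), the Python below implements Shamir secret sharing over a prime field: a password is split into n shares held by different custodians, any t of them can reconstruct it, fewer than t reveal nothing about it, and a checkout function refuses to release the credential unless t custodians present their shares, recording every attempt. The password, custodian names and threshold are constructed for the example.

```python
"""Split knowledge for a privileged credential using Shamir secret sharing.

Added example, not part of the lab answer. A password is split into n shares so
that any t custodians can reconstruct it and fewer than t learn nothing; the
password, custodians and threshold below are constructed for illustration.
"""
import secrets

# Prime field for the polynomial: 2**127 - 1 (a Mersenne prime).
# Secrets are encoded as one field element, so at most 15 bytes always fit.
PRIME = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... mod PRIME using Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, share_count):
    """Return share_count (x, y) shares; any `threshold` of them recover `secret`."""
    if not 2 <= threshold <= share_count:
        raise ValueError("need 2 <= threshold <= share_count")
    value = int.from_bytes(secret, "big")
    if value >= PRIME:
        raise ValueError("secret too long for the field (max 15 bytes)")
    # Constant term is the secret; the other coefficients are uniformly random.
    coeffs = [value] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_secret(shares, length):
    """Lagrange-interpolate the polynomial at x = 0 and decode `length` bytes."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total.to_bytes(length, "big")


def dual_control_checkout(custodian_shares, threshold, length, audit_log):
    """Release the credential only when `threshold` distinct custodians present shares.

    custodian_shares maps custodian name -> (x, y). Every attempt is appended to
    audit_log, so a single administrator cannot obtain the password silently.
    """
    if len(custodian_shares) < threshold:
        audit_log.append(f"DENIED: {sorted(custodian_shares)} fewer than {threshold} custodians")
        return None
    audit_log.append(f"RELEASED to {sorted(custodian_shares)}")
    return recover_secret(list(custodian_shares.values()), length)


if __name__ == "__main__":
    password = b"r00t-Pw!2024"  # constructed example credential (12 bytes)
    shares = dict(zip(["alice", "bob", "carol"], split_secret(password, 2, 3)))
    log = []
    print(dual_control_checkout({"alice": shares["alice"]}, 2, len(password), log))  # None
    print(dual_control_checkout({k: shares[k] for k in ("alice", "carol")}, 2, len(password), log))
    print("\n".join(log))
```

In practice this is the protection a privileged access management vault applies to break-glass accounts. The point of the example is that the control is mathematical rather than procedural: a custodian acting alone cannot bypass it even with complete knowledge of the scheme, and the audit log records who was present when the credential was released.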

7. When using a layered security approach to system administration, who would
have the highest access privileges?
In a layered security approach to system administration, the individual or role with the
highest access privileges is typically the system administrator or a similar administrative role.
This individual is responsible for managing and overseeing the entire IT infrastructure,
including servers, networks, databases, and other critical systems.
The system administrator's high-level access privileges usually include:

 Full Administrative Access: The system administrator typically has administrative or
root-level access to all systems and resources within the IT infrastructure. This allows
them to perform tasks such as installing software, configuring settings, and managing
user accounts.
 Access to Configuration Settings: The system administrator can modify configuration
settings for various systems and devices to ensure optimal performance, security, and
compliance with organizational policies and standards.
 Privileged Access to Data: The system administrator may have access to sensitive or
confidential data stored on servers, databases, or other systems. This access is
necessary for tasks such as troubleshooting, data backup, and disaster recovery.
 Ability to Implement Security Controls: The system administrator has the authority to
implement and manage security controls such as firewalls, intrusion detection
systems, antivirus software, and access controls to protect the IT infrastructure from
security threats and vulnerabilities.
While the system administrator role has the highest access privileges, a layered approach
does not give one person that level of access on every layer: network, database, application
and security administration are separate roles, so an administrator of one layer is an
ordinary, monitored user on the others. Role-based access control (RBAC), least privilege,
named administrative accounts and tamper-resistant audit trails ensure accountability and
prevent misuse of privileges, and review of privileged activity by the security team and
management, rather than by the administrators themselves, ensures that their actions align
with organizational policies and security best practices.

8. Who would review the organization's layered approach to security?
The organization's layered security approach would be reviewed by a combination of
stakeholders: the information security team and IT management for technical effectiveness,
the risk management, compliance and internal audit teams for independent assurance that the
controls meet GLBA and other obligations, and executive management, which owns the policy and
accepts the residual risk. Independence matters here: the people who operate a control should
not be the only ones who review it.

9. Why do you only want to refer to technical standards in a policy definition
document?
A policy states management's intent and the outcomes it requires, and those change slowly;
the technology that delivers them (products, versions, cipher suites, configuration settings)
changes often. If the policy embedded technical detail, every product upgrade would require
the policy to be re-approved at executive level, and it would quickly be out of date and
ignored. Referring to standards instead (ISO/IEC 27001, the NIST Cybersecurity Framework,
PCI DSS, and ABC's own configuration standards) keeps the policy stable and authoritative,
lets the standards, procedures and guidelines beneath it be updated by the teams that own
them without touching the policy, and gives auditors a clear chain from each policy
requirement to the measurable standard that satisfies it. Detailed technical requirements
belong in the standards and procedures that the policy references, not in the policy itself.

10. Why is it important to define guidelines in this layered security management
policy?
It's important to define guidelines in a layered security management policy for several
reasons:

 Clarity and Consistency: Guidelines provide clear instructions and expectations for
implementing security measures consistently across the organization. This clarity
ensures that all stakeholders understand their roles and responsibilities in maintaining
security.
 Standardization: Guidelines help standardize security practices and procedures,
reducing variability and improving efficiency in security operations. Standardization
simplifies training, auditing, and compliance efforts.
 Flexibility: While policies set the overarching framework for security, guidelines offer
flexibility in implementation. They can be tailored to specific systems, departments,
or business processes, allowing for customized security solutions that meet diverse
needs.
 Risk Management: Guidelines help organizations manage security risks by offering
practical recommendations for mitigating threats and vulnerabilities. They provide
actionable steps for identifying, assessing, and addressing security risks proactively.
 Compliance and Auditing: Clearly defined guidelines facilitate compliance with
regulatory requirements and industry standards. Auditors and regulators can assess
adherence to security best practices more effectively when guidelines are well-defined
and documented.
 Continuous Improvement: Guidelines serve as a basis for evaluating and improving
security practices over time. Organizations can review and update guidelines in
response to evolving threats, technological advancements, and changing business
requirements.
Overall, defining guidelines in a layered security management policy enhances the
organization's ability to implement effective security measures, manage risks, and maintain
compliance with regulatory requirements.

11. Why is it important to define access control policies that limit or prevent
exposing customer privacy data to employees?
For a credit union, customers' non-public personal information is protected by GLBA, so
limiting employee access to it is a legal obligation as well as a matter of trust. Access
control policies grant access on a need-to-know basis tied to job function, so an employee
cannot browse accounts they have no business reason to see; they make insider misuse harder
and, because access is logged, detectable; and they limit the damage from a compromised
employee account, since the attacker inherits only that role's narrow access. The result is
that customer data stays secure, regulatory penalties and reputational damage are avoided,
and the customer trust on which the bank's online banking strategy depends is preserved.

12. Explain why the seven domains of a typical IT infrastructure help organizations
align to separation of duties.
The seven domains of a typical IT infrastructure give separation of duties a structure to
hang on: each domain has its own assets, its own controls and its own responsible roles, so
responsibility and authority can be assigned domain by domain and no individual or team ends
up controlling a critical process from end to end. Here is how each domain contributes:

 User Domain: HR and management own hiring, the acceptable use policy, training and
disciplinary action; the security team writes the policies users must follow; IT provisions
the accounts. Approval of an account (the manager) is separated from its creation (IT).
 Workstation Domain: desktop support builds and hardens the standard image; users work
from non-administrative accounts and cannot install software; compliance of deployed
workstations is audited by a team other than the one that builds them.
 LAN Domain: network administrators configure switches, VLANs and the internal firewall;
every change requires approval through change management by someone other than the
implementer; IDS and firewall logs are reviewed by security operations rather than by the
administrators whose changes they record.
 LAN-to-WAN Domain: the perimeter firewall and content-filtering rules are owned
separately from the internal network; rule changes are requested, approved and implemented
by different people, and reports of attempts to reach blocked sites go to management, not
only to the team that runs the filter.
 WAN Domain: circuits and site-to-site links involve the service provider; contract and
circuit approval sits with management, configuration with network engineering, and
monitoring of the external firewall logs with security operations.
 Remote Access Domain: VPN access is requested by the employee, approved by the manager,
granted by IT and monitored by security operations, so no single party both grants and
audits remote entry.
 System/Application Domain: developers, database administrators, system administrators
and application owners are distinct roles; development, test and production are separate
environments; developers do not deploy their own code to production; and patching, backup
and log review are assigned to different people.
By delineating specific responsibilities and functions across these seven domains,
organizations can implement separation of duties effectively, ensuring that no single
individual or team has complete control over critical IT processes or systems. This
mitigates the risk of fraud, errors, and unauthorized access, while also promoting
accountability, transparency, and resilience in the organization's security posture.

13. Why is it important for an organization to have a policy definition for Business
Continuity and Disaster Recovery?
It is important for an organization to have a policy definition for Business Continuity and
Disaster Recovery (BCDR) for several reasons:

 Risk Mitigation: A BCDR policy outlines procedures and strategies to mitigate the
impact of potential disruptions, such as natural disasters, cyberattacks, or equipment
failures. By proactively planning for such events, organizations can reduce downtime,
minimize losses, and maintain operational continuity.
 Regulatory Compliance: Many industries and jurisdictions require organizations to
have formal BCDR plans in place to comply with regulatory requirements. Adhering
to these regulations helps organizations avoid penalties, fines, and legal liabilities.
 Maintaining Customer Trust: Customers and stakeholders expect organizations to
have plans in place to ensure business continuity and protect their interests in the
event of a disaster or disruption. Demonstrating a commitment to BCDR instills
confidence and trust among customers, partners, and investors.
 Preserving Reputation: Effective BCDR planning helps organizations respond to
crises in a timely and coordinated manner, minimizing negative publicity and
reputational damage. Maintaining operational resilience during challenging times can
enhance the organization's reputation and brand image.
 Financial Stability: Disruptions to business operations can have significant financial
consequences, including revenue loss, increased expenses, and damage to assets. A
BCDR policy helps organizations mitigate these financial risks by enabling quick
recovery and resumption of critical business functions.
 Employee Safety and Well-being: BCDR plans include measures to ensure the safety
and well-being of employees during emergencies, such as evacuation procedures and
communication protocols. Providing a safe and secure work environment enhances
employee morale, loyalty, and productivity.
 Strategic Planning: BCDR planning is an integral part of strategic risk management
and business planning. It helps organizations identify vulnerabilities, assess risks, and
prioritize investments in resilience-building measures to protect critical assets and
operations.
Overall, having a policy definition for Business Continuity and Disaster Recovery is essential
for organizations to prepare for, respond to, and recover from disruptions effectively. It helps
ensure operational resilience, regulatory compliance, customer trust, and long-term
sustainability in an increasingly uncertain business environment.

14. Why is it important to prevent users from downloading and installing
applications on organization owned laptops and desktop computers?
Preventing users from downloading and installing applications on organization-owned
laptops and desktop computers is important for several reasons:

 Security Risks: Downloading and installing unauthorized applications can introduce
security risks such as malware, spyware, or ransomware onto the organization's
devices. These applications may compromise the integrity and confidentiality of
sensitive data, lead to data breaches, or disrupt normal business operations.
 Compliance Requirements: Many organizations are subject to regulatory requirements
or industry standards that mandate the control and management of software
installations. Allowing users to download and install applications without proper
oversight may result in non-compliance with these requirements, leading to potential
legal and financial consequences.
 System Stability and Performance: Unauthorized applications can consume system
resources, degrade system performance, and interfere with the stability of the
operating environment. By restricting application installations, organizations can
maintain the stability and performance of their IT infrastructure, ensuring
uninterrupted productivity and efficiency.
 License Compliance: Unauthorized software installations may violate software
licensing agreements, leading to legal liabilities and financial penalties. By controlling
application installations, organizations can ensure compliance with software licensing
terms and optimize software asset management practices.
 Data Protection and Privacy: Some applications may access or collect sensitive
information without users' knowledge or consent, posing risks to data protection and
privacy. By restricting application installations, organizations can mitigate the risk of
unauthorized access to sensitive data and protect individuals' privacy rights.
Overall, implementing controls to prevent users from downloading and installing applications
on organization-owned devices helps mitigate security risks, ensure compliance with
regulations, maintain system stability and performance, enforce software licensing
agreements, and protect sensitive data and privacy.

15. Separation of duties is best defined by policy definition. What is needed to ensure
its success?
To ensure the success of separation of duties defined by policy, several key elements are
needed:

 Clear Policy Statement: The policy should include a clear and concise statement
defining separation of duties and its importance within the organization. It should
articulate the objectives of separation of duties and its alignment with organizational
goals.

 Roles and Responsibilities: The policy should specify the roles and responsibilities of
individuals or teams involved in different processes or functions within the
organization. It should delineate the tasks and duties that are segregated to prevent
conflicts of interest and maintain accountability.
 Risk Assessment: The policy should incorporate a risk assessment process to identify
areas where separation of duties is necessary to mitigate risks effectively. It should
consider the potential impact of not implementing separation of duties and prioritize
areas where it is most critical.
 Compliance Requirements: The policy should address any regulatory requirements or
industry standards related to separation of duties, ensuring that the organization
remains compliant with applicable laws and regulations. It should outline procedures
for monitoring and auditing compliance with separation of duties requirements.
 Training and Awareness: The policy should emphasize the importance of training and
awareness programs to educate employees about separation of duties principles and
their role in maintaining effective controls. It should provide guidance on how
employees can comply with separation of duties requirements in their daily activities.
 Monitoring and Enforcement: The policy should establish procedures for monitoring
compliance with separation of duties requirements and enforcing accountability for
violations. It should define mechanisms for detecting and reporting breaches of
separation of duties and specify consequences for non-compliance.
 Regular Review and Updates: The policy should undergo regular review and updates
to ensure its continued effectiveness and relevance in addressing evolving risks and
business needs. It should incorporate feedback from stakeholders and lessons learned
from incidents or audits to improve separation of duties practices over time.
By incorporating these elements into the policy definition, organizations can effectively
implement and maintain separation of duties as a fundamental control mechanism to enhance
security, mitigate risks, and promote accountability within the organization.
