Lab3 - Information Systems Security Policy FW
IT Infrastructure
Introduction
In any company, a security policy helps to mitigate the risks and threats the business encounters.
However, unless a company happens to be in the information security industry, the task of
identifying, assessing, and categorizing the myriad of risks can be an overwhelming one.
Thankfully, a company's IT infrastructure can be divided in a logical manner to more easily sort
the risks. These divisions are the seven IT domains.
The purpose of the seven domains of a typical IT infrastructure is to help organize the roles,
responsibilities, and accountabilities for risk management and risk mitigation.
In this lab, you will identify known risks, threats, and vulnerabilities, and you will determine
which domain of a typical IT infrastructure is affected. You will then discuss security policies to
address each identified risk and threat within the seven domains of a typical IT infrastructure.
You will next determine which appropriate security policy definition will help mitigate the
identified risk, threat, or vulnerability. You will organize your results into a framework that can
become part of a layered security strategy.
Learning Objectives
Upon completing this lab, you will be able to:
- Identify risks, threats, and vulnerabilities commonly found in the seven domains of a
  typical IT infrastructure.
- Determine which domain is impacted by the risk, threat, or vulnerability.
- Determine security policies to address each identified risk and threat within the seven
  domains of a typical IT infrastructure.
- Select the appropriate policy definitions needed throughout the seven domains of a
  typical IT infrastructure to mitigate the identified risks, threats, and vulnerabilities.
- Organize the security policies in an overall framework as part of a layered security
  strategy for the seven domains of a typical IT infrastructure.
Deliverables
Upon completion of this lab you are required to provide the following deliverables to your
instructor:
1. Lab Report file;
2. Lab Assessments file.
Hands-On Steps
Note: This is a paper-based lab. To successfully complete the deliverables for this lab, you will need access to
Microsoft Word or another compatible word processor. For some labs, you may also need access to a graphics line
drawing application, such as Visio or PowerPoint. Refer to the Preface of this manual for information on creating the
lab deliverable files.
Similarly, even though a policy should be written clearly and concisely, it is a high-level document answering
the "why" questions. Standards are also high-level, but instead should answer the "what" questions. Finally,
the procedures and guidelines provide the "how."
14. Using the SANS primer and the various policy templates (step 12), in your Report file,
describe the basic requirements of policies, their benefits, the control factors, and
policies every organization needs.
15. Review the identified risks, threats, and vulnerabilities in the table in step 8, and then
select an appropriate policy definition that might help mitigate each of them. You can
select one of the SANS policies or choose one from the following list:
Policy Definition List
Acceptable Use Policy
Access Control Policy Definition
Business Continuity - Business Impact Analysis (BIA) Policy Definition
Business Continuity Disaster Recovery Policy Definition
Data Classification Standard & Encryption Policy Definition
Internet Ingress/Egress Traffic Policy Definition
Mandated Security Awareness Training Policy Definition
Production Data Backup Policy Definition
Remote Access Policy Definition
Vulnerability Management & Vulnerability Window Policy Definition
Wide Area Network (WAN) Service Availability Policy Definition
16. In your Lab Report file, organize your security policies and the definitions you selected
so that they can be used as part of an overall framework for a layered security strategy.