Lab3 - Information Systems Security Policy FW

Lab 3: Defining an Information Systems Security Policy Framework for an IT infrastructure. A company's IT infrastructure can be divided in a logical manner to sort the risks. The purpose of the seven IT domains is to help organize the roles, responsibilities, and accountabilities for risk management and risk mitigation.

Uploaded by

S Teja Svi
Lab #3 Defining an Information Systems Security Policy Framework for an IT Infrastructure
Introduction
In any company, a security policy helps to mitigate the risks and threats the business encounters.
However, unless a company happens to be in the information security industry, the task of
identifying, assessing, and categorizing the myriad of risks can be an overwhelming one.
Thankfully, a company's IT infrastructure can be divided in a logical manner to more easily sort
the risks. These divisions are the seven IT domains.
The purpose of the seven domains of a typical IT infrastructure is to help organize the roles,
responsibilities, and accountabilities for risk management and risk mitigation.
In this lab, you will identify known risks, threats, and vulnerabilities, and you will determine
which domain of a typical IT infrastructure is affected. You will then discuss security policies to
address each identified risk and threat within the seven domains of a typical IT infrastructure.
You will next determine which appropriate security policy definition will help mitigate the
identified risk, threat, or vulnerability. You will organize your results into a framework that can
become part of a layered security strategy.
Learning Objectives
Upon completing this lab, you will be able to:
- Identify risks, threats, and vulnerabilities commonly found in the seven domains of a
  typical IT infrastructure.
- Determine which domain is impacted by the risk, threat, or vulnerability.
- Determine security policies to address each identified risk and threat within the seven
  domains of a typical IT infrastructure.
- Select the appropriate policy definitions needed throughout the seven domains of a
  typical IT infrastructure to mitigate the identified risks, threats, and vulnerabilities.
- Organize the security policies in an overall framework as part of a layered security
  strategy for the seven domains of a typical IT infrastructure.
Deliverables
Upon completion of this lab you are required to provide the following deliverables to your
instructor:
1. Lab Report file;
2. Lab Assessments file.
Hands-On Steps
Note: This is a paper-based lab. To successfully complete the deliverables for this lab, you will need access to
Microsoft Word or another compatible word processor. For some labs, you may also need access to a graphics line
drawing application, such as Visio or PowerPoint. Refer to the Preface of this manual for information on creating the
lab deliverable files.

1. On your local computer, create the lab deliverable files.


2. Review the Lab Assessment Worksheet. You will find answers to these questions
as you proceed through the lab steps.

3. Review the seven domains of a typical IT infrastructure (see Figure)

4. On your local computer, open a new Internet browser window.


5. In the address box of your Internet browser, type the URL
http://www.continuitycompliance.org/security-policy-components-of-agood-policy/ and press Enter to open the Web site.
6. Review the information to determine the components of an information systems security
policy.
7. In your Lab Report file, identify the major components of an information systems
security policy.
8. In your Lab Report file, align each of the risks, threats, and vulnerabilities identified in
the table in Lab 2 to the domain impacted (refer to Figure for the seven IT domains).
9. In your Lab Report file, explain how risks like these can be mitigated with an
information systems security policy.
10. In the address box of your Internet browser, type the URL
http://download.matus.in/security/Bezpecnostna%20politika/howtos/Policy_Primer.pdf
and press Enter to open the Web site.
11. Read the SANS Institute's document, "A Short Primer for Developing Security
Policies."
12. Visit the website http://www.sans.org/security-resources/policies for various
information security policy templates and get yourself acquainted with these templates.
13. In your Lab Report file, define what a policy is according to the SANS Institute.
Note: It is important to understand how and why a policy differs from a standard, a procedure, and a
guideline. From the top down, the policy should not change or need modification unless a major shift in
corporate values or business process occurs. On the contrary, guidelines should be reviewed, and possibly
changed, often.

Similarly, even though a policy should be written clearly and concisely, it is a high-level document answering
the "why" questions. Standards are also high-level, but instead should answer the "what" questions. Finally,
the procedures and guidelines provide the "how."

14. Using the SANS primer and the various policy templates (step 12), in your Report file,
describe the basic requirements of policies, their benefits, the control factors, and
policies every organization needs.
15. Review the identified risks, threats, and vulnerabilities in the table in step 8, and then
select an appropriate policy definition that might help mitigate each of them. You can
select one of the SANS policies or choose one from the following list:
Policy Definition List
- Acceptable Use Policy
- Access Control Policy Definition
- Business Continuity - Business Impact Analysis (BIA) Policy Definition
- Business Continuity Disaster Recovery Policy Definition
- Data Classification Standard & Encryption Policy Definition
- Internet Ingress/Egress Traffic Policy Definition
- Mandated Security Awareness Training Policy Definition
- Production Data Backup Policy Definition
- Remote Access Policy Definition
- Vulnerability Management & Vulnerability Window Policy Definition
- Wide Area Network (WAN) Service Availability Policy Definition
16. In your Lab Report file, organize your security policies and the definitions you selected
so that they can be used as part of an overall framework for a layered security strategy.

Evaluation Criteria and Rubrics


The following are the evaluation criteria for this lab that students must perform:
1. Identify risks, threats, and vulnerabilities commonly found in the seven domains of a
typical IT infrastructure. [25%]
2. Determine security policies to address each identified risk and threat within the seven
domains of a typical IT infrastructure. [25%]
3. Select the appropriate policy definitions needed throughout the seven domains of a
typical IT infrastructure to mitigate the identified risks, threats, and vulnerabilities. [25%]
4. Organize the security policies in an overall framework as part of a layered security
strategy for the seven domains of a typical IT infrastructure. [25%]

Lab #3 - Assessment Worksheet


Defining an Information Systems Security Policy Framework for an IT
Infrastructure
Course Name and Number:______________________________________________
Student Name:_________________________________________________________
Instructor Name:_______________________________________________________
Lab Due Date:__________________________________________________________
Overview
In this lab, you identified known risks, threats, and vulnerabilities, and you determined which
domain of a typical IT infrastructure was affected. You then discussed security policies to
address each identified risk and threat within the seven domains of a typical IT infrastructure.
You next determined which appropriate security policy definition helped mitigate the identified
risk, threat, or vulnerability. You organized your results into a framework that could become part
of a layered security strategy.
Lab Assessment Questions
1. What is the purpose of defining a framework for IT security policies?
2. What are the major components of an information systems security policy?
3. What is the definition of a policy?
4. What are the benefits of a policy?
5. What policy definition in the SANS primer or in the list provided in the lab is required to restrict
and prevent unauthorized access to organization-owned IT systems and applications?
6. What policy definition in the SANS primer or in the list provided in the lab can help remind
employees in the User Domain about ongoing acceptable use and unacceptable use?
7. Why should an organization have a remote access policy even if it already has an acceptable use
policy (AUP) for employees?
8. What security controls can be implemented on your mail system to help prevent rogue or
malicious software disguised as URL links or e-mail attachments from attacking the Workstation
Domain? What kind of policy definition should you use?
9. Why should an organization have annual security awareness training that includes an overview of
the organization's policies?
