lab10 policy designsubject:
ISOL 631 operations securityThere is
already a template defined regarding the policy design at the end of the
attached file. Just fill in the required policy details you choose to implement
based on the characteristics defined in step 6.step
7 needed to complete in the attached file with considering characteristics of organization in
step 6.(I have also attached lab 9 solution which contains a table of which possible policy to use to avoid the associated risks. Just in case if you want to have look over it.)
lab_10_aligning_an_it_security_policy_framework_to_seven_domains_of_a_typical_it_infrastructure.docx
lab_9_solution.docx
Unformatted Attachment Preview
LAB 10 Aligning an IT Security Policy Framework to Seven Domains of a Typical IT
Infrastructure
EXY Credit Union/Bank
{Insert the Policy Definition Name Here}
Policy Statement
{Insert the policy you wrote for the selected IT security policy definition from step5.}
Purpose/Objectives
{Insert the policy’s purpose as well as its objectives; use a bulleted list of the policy definition.
Be sure to explain how this policy definition fills the identified gap in the overall IT security
policy framework definition and how it mitigates the risks, threats, and vulnerabilities
identified.}
Scope
{Define this policy and its scope and whom it covers. Which of the seven domains of a typical IT
infrastructure are impacted? What elements, IT assets, or organization-owned assets are within
the scope of this policy?}
Standards
{Does this policy point to any hardware, software, or configuration standards? If so, list them
here and explain the relationship of this policy to these standards.}
Procedures
{Explain in this section how you intend on implementing this policy organization-wide.}
Guidelines
{Explain in this section any roadblocks or implementation issues that you must address and how
you will overcome them as per defines policy guidelines.}
UNIT 9 LAB 1
Assess and Audit and Existing IT Security Policy Framework Definition
FEBRUARY 24, 2015
JAMES QUIROGA
IS4550
Part B: Sample IT Security Policy Framework Definition
Risk, Threat, Vulnerability
Unauthorized access from public Internet
IT Security Policy Definition
Acceptable Use Policy
Vulnerability Assessment & Management
Policy
User destroys data in application and
deletes all files
Vulnerability Assessment & Management
Policy
Acceptable Use Policy
Threat Assessment & Management Policy
Hacker penetrates you IT infrastructure
and gains access to your internal network
Vulnerability Assessment & Management
Policy
Threat Assessment & Management Policy
Intra-office employee romance “gone bad”
Acceptable Use Policy
Threat Assessment & Management Policy
Security Awareness Training Policy
Fire destroys the primary data center
Asset Protection Policy
Asset Identification & Classification Policy
Asset Management Policy
Communication circuit outages
Asset Management Policy
Asset Protection Policy
Workstation OS has a known software
vulnerability
Vulnerability Assessment & Management
Policy
Threat Assessment & Management Policy
Security Awareness Training Policy
Unauthorized access to organization owned
Workstations
Asset Management Policy
Acceptable Use Policy
Vulnerability Assessment & Management
Policy
Threat Assessment & Management Policy
Loss of production data
Asset Management Policy
Vulnerability Assessment & Management
Policy
Threat Assessment & Management Policy
Security Awareness Training Policy
Denial of service attacks on organization email server
Threat Assessment & Management Policy
Security Awareness Training Policy
Asset Identification & Classification Policy
Acceptable Use Policy
Remote communications from home office
Vulnerability Assessment & Management
Policy
Threat Assessment & Management Policy
Security Awareness Training Policy
Asset Protection Policy
Acceptable Use Policy
Asset Identification & Classification Policy
LAN server OS has a known software
vulnerability
Vulnerability Assessment & Management
Policy
Threat Assessment & Management Policy
Asset Protection Policy
Acceptable Use Policy
Asset Identification & Classification Policy
User downloads an unknown e-mail
Acceptable Use Policy
Vulnerability Assessment & Management
Policy
Threat Assessment & Management Policy
Asset Protection Policy
Security Awareness Training Policy
Workstation browser has software
vulnerability
Security Awareness Training Policy
Vulnerability Assessment & Management
Policy
Threat Assessment & Management Policy
Service provider has a major network
outage
Asset Management Policy
Weak ingress/egress traffic filtering
degrades performance
Vulnerability Assessment & Management
Policy
Asset Protection Policy
Threat Assessment & Management Policy
User inserts CDs and USB hard drives with Acceptable Use Policy
personal photos, music, and videos on
Vulnerability Assessment & Management
organization owned computers
Policy
Threat Assessment & Management Policy
Security Awareness Training Policy
VPN tunneling between remote computer
and ingress/egress router
Vulnerability Assessment & Management
Policy
Threat Assessment & Management Policy
Security Awareness Training Policy
WLAN access points are needed for LAN
connectivity within a warehouse
Asset Protection Policy
Vulnerability Assessment & Management
Policy
Security Awareness Training Policy
Need to prevent rouge users from
unauthorized WLAN access
Asset Protection Policy
Asset Management Policy
Vulnerability Assessment & Management
Policy
Security Awareness Training Policy
Lab Assessment Questions & Answers
1. What is the purpose of having a policy framework definition as opposed to
individual policies?
a. Individual Policies can add too much structure and can make the overall policy
inflexible or too rigid.
2. When should you use a policy definition as a means of risk mitigation and element
of a layered security strategy?
a. A policy definition can be used in support of the framework. The definition “Fine
Tunes” the framework.
3. In your gap analysis of the IT security policy framework definition provided, which
policy definition was missing for all access to various IT systems, applications, and
data throughout the scenario?
a. Access Policy which establishes the access needed to use assets/resources
4. Do you need policies for your telecommunication and Internet service providers?
a. Yes
5. Which policy definitions from the list provided Lab #9 – Part B helps optimize
performance of an organization’s Internet connection?
a. Asset Management
6. What is the purpose of a Vulnerability Assessment & Management Policy for an IT
infrastructure?
a. Its purpose is the monitoring managing any identified vulnerabilities.
7. Which policy definition helps achieve availability goals for data recovery when data
is lost or corrupted?
a. Asset Production.
8. Which policy definitions reference a Data Classification Standard and use of
cryptography for confidentiality purposes?
a. Asset ID & Classification
9. Which policy definitions from the sample IT security policy framework definition
mitigate risk in the User Domain?
a. Acceptable Use Policy
b. Security Awareness & Training.
10. Which policy definition from the sample IT security policy framework definition
mitigates risk in the LAN-to-WAN Domain?
a. Asset Management
11. How does an IT security policy framework make it easier to monitor and enforce
throughout an organization?
a. It details how to Audit, Remediate and Document issues of an IT Security nature
via a structured approach signed off on and supported by the Management Team.
12. Which policy definition requires an organization to list its critical business
operations and functions and the accompanying IT systems, applications, and
databases that support it?
a. BCP, which would be in Asset Protection
13. Why is it common to find a Business Continuity Plan (BCP) Policy Definition and a
Computer Security Incident Response Team (CSIRT) Policy Definition?
a. These help guide the organization in the protection, defining of, and the
management of Assets by rating them as mission essential (BCP) and how to
mitigate vulnerabilities.
14. True or False. A Data Classification Standard will define whether or not you need to
encrypt the data while residing in a database.
a. True
15. True or False. Your upstream Internet Service Provider must be part of your Denial
of Service/Distributed Denial of Service risk mitigation strategy at the LAN-toWAN Domain’s Internet ingress/egress. This is best defined in a policy definition for
Internet ingress/egress availability.
a. True

Purchase answer to see full
attachment

Are you having trouble with the above assignment or one similar?

To date, 239 students have ordered this same assignment from us and received 100% original work. We can do the same for you!

We offers 100% original papers that are written from scratch.We also have a team of editors who check each paper for plagiarism before it is sent to you.

Click this “order now” button to see free Cost Breakdown!