
Lab #4 – Assessment Worksheet

Craft a Layered Security Management Policy – Separation of Duties

Course Name: ____IAP301____________________________________


Student Name: ___Vu Tuan Anh_____________________________________
Instructor Name: ____Nguyen Tan Danh___________________________
Lab Due Date: __________1/2/2021___________________________________

Policy Statement

Maintaining the security, confidentiality, integrity, and availability of information stored in the Regional
ABC Credit Union’s computer network and data communication infrastructure is a responsibility held by
all of the users in that system. They are responsible for protecting the resources and information, stored
or moved.

Purpose/Objectives

The purpose of this policy is to ensure that no individual will be able to execute a high-risk transaction or
conceal errors or fraud in the normal course of their duties. This policy will also be GLBA compliant.

Scope

This policy applies to all employees, systems, and customers of ABC Credit Union.

Standards

All employees will be separated into different departments and each department will have their specific
duties assigned to them.

Procedures

All employees will be limited to specific applications and information. No individual should be able to
access information to which they do not have a legitimate access right. Systems will be in place to ensure
that this is the case. They will be in charge of all customer service and will have access to customer
information when needed. System Administrators: will have administrative rights to install, configure
and repair systems. Systems Administrators will also be in charge of monitoring all network activity to
ensure that there is no unauthorized activity. System Administrators will refer to the Workstation
Configuration Standards.
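As an added example (not part of the worksheet and not code from any ABC Credit Union system), the following Python sketch shows how the procedure above can be enforced in software: a role-to-permission matrix restricts each role to its own actions (least privilege), and a high-risk transaction cannot be completed by one person because initiation and approval must come from different individuals, with every step written to an audit log. The roles, user names and the 10,000 threshold are hypothetical values constructed for the example.

```python
"""Separation-of-duties (maker/checker) enforcement for a high-risk transaction.
Added example with hypothetical roles, users and threshold; not from the worksheet."""
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical role-to-permission matrix (constructed for this example).
ROLE_PERMISSIONS = {
    "teller": {"view_account", "initiate_transfer"},
    "branch_manager": {"view_account", "approve_transfer"},
    "sysadmin": {"install_software", "configure_system", "read_audit_log"},
    "auditor": {"read_audit_log"},
}

HIGH_RISK_THRESHOLD = 10_000  # constructed threshold above which dual control applies


class SoDViolation(Exception):
    """Raised when an action would break separation of duties."""


@dataclass
class Transfer:
    amount: int
    initiated_by: str
    approved_by: Optional[str] = None


@dataclass
class Ledger:
    executed: List[Transfer] = field(default_factory=list)
    audit_log: List[str] = field(default_factory=list)


def check_permission(role: str, action: str) -> None:
    """Least privilege: a role may only perform actions explicitly granted to it."""
    if action not in ROLE_PERMISSIONS.get(role, set()):
        raise SoDViolation(f"role {role!r} is not permitted to {action}")


def initiate(ledger: Ledger, amount: int, user: str, role: str) -> Transfer:
    check_permission(role, "initiate_transfer")
    transfer = Transfer(amount=amount, initiated_by=user)
    ledger.audit_log.append(f"INITIATE user={user} role={role} amount={amount}")
    return transfer


def approve(ledger: Ledger, transfer: Transfer, user: str, role: str) -> Transfer:
    check_permission(role, "approve_transfer")
    # The person check is independent of the role check: even a user holding an
    # approving role may not approve a transfer they initiated themselves.
    if user == transfer.initiated_by:
        raise SoDViolation("initiator may not approve their own transfer")
    transfer.approved_by = user
    ledger.audit_log.append(f"APPROVE user={user} role={role} amount={transfer.amount}")
    return transfer


def execute(ledger: Ledger, transfer: Transfer) -> Transfer:
    """High-risk transfers require a second, different person to have approved."""
    if transfer.amount >= HIGH_RISK_THRESHOLD and transfer.approved_by is None:
        raise SoDViolation("high-risk transfer requires approval by a second person")
    ledger.executed.append(transfer)
    ledger.audit_log.append(f"EXECUTE amount={transfer.amount} approved_by={transfer.approved_by}")
    return transfer


def attempt(fn, *args) -> Optional[str]:
    """Run an action; return None on success or the SoD violation message."""
    try:
        fn(*args)
        return None
    except SoDViolation as exc:
        return str(exc)


def demo() -> dict:
    ledger = Ledger()
    results = {}
    # 1. Proper dual control: a teller initiates, a different person in an approving role approves.
    t1 = initiate(ledger, 25_000, "alice", "teller")
    approve(ledger, t1, "bob", "branch_manager")
    execute(ledger, t1)
    results["dual_control_ok"] = t1 in ledger.executed
    # 2. Self-approval is rejected even when the same person holds an approving role.
    t2 = initiate(ledger, 25_000, "alice", "teller")
    results["self_approval"] = attempt(approve, ledger, t2, "alice", "branch_manager")
    # 3. An unapproved high-risk transfer cannot be executed.
    results["unapproved_high_risk"] = attempt(execute, ledger, t2)
    # 4. A system administrator's rights are technical, not financial: no approval permission.
    results["sysadmin_approve"] = attempt(approve, ledger, t2, "dave", "sysadmin")
    # 5. A low-value transfer below the threshold needs no second approver.
    t3 = initiate(ledger, 500, "alice", "teller")
    execute(ledger, t3)
    results["low_value_ok"] = t3 in ledger.executed
    results["audit_entries"] = len(ledger.audit_log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two checks in `approve` are deliberately separate: the role check answers "may this kind of user approve at all?", while the identity check answers "is this the same person who initiated?". Dropping either one re-creates the single-individual path the policy statement sets out to close.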

1. For each of the seven domains of a typical IT infrastructure, summarize what the information systems
security responsibilities are within that domain:

- User domain- has the responsibility of authentication.

- Workstation domain- the workstation defines the controls within the workstation itself, such as limiting
who can install software on the workstation.

- LAN Domain- encompasses the equipment that makes up the LAN.

- LAN-to-WAN Domain- Responsible for the DMZ.

- WAN domain- supplies the virtual private networks for companies.

- Remote Access Domain- responsible for enhanced remote authentication and network connectivity.

- System/Application domain- Responsible for software for collecting and storing data.

2. Which of the seven domains of a typical IT infrastructure requires personnel and executive
management support outside of the IT or information systems security organizations?

- The user domain requires personnel and executive management support outside the IT or information
systems security organizations.

3. What does separation of duties mean?

- Separation of duties is a classic security method to manage conflict of interest, the appearance of
conflict of interest, and fraud.

4. How does separation of duties throughout an IT infrastructure mitigate risk for an organization?

- It restricts the amount of power held by any one individual. It puts a barrier in place to prevent fraud
that may be perpetrated by one individual.

5. How would you position a layered security approach with a layered security management approach
for an IT infrastructure?

- I would make sure that protocols in each layer correspond and function together. This way you can
position the higher protocols with higher ones and lower with lower ones.

6. If a system administrator had both the ID and password to a system, would that be a problem?

- The problem is the admin is going to abuse their rights and validate the policy.

7. When using a layered security approach to system administration, who would have the highest
access privileges?

- When using a layered security approach to system administration, the administrator would have
the highest privileges.

8. Who would review the organization's layered approach to security?

- The CISO (Chief Information Security Officer) would review the organization's layered approach to
security.

9. Why do you only want to refer to technical standards in a policy definition document?

- The technical standards in a policy definition document identify and enumerate the industry's
recommended standards that will help enforce an IT policy. An IT administrator who is implementing the
policy is aware of the standards and adheres to them.

10. Why is it important to define guidelines in this layered security management policy?

- Because there needs to be a balance between cost and return in risk reduction.

11. Why is it important to define access control policies that limit or prevent exposing customer privacy
data to employees?

- The data is private to the customer and should not be displayed in clear text to employees.

12. Explain why the seven domains of a typical IT infrastructure help organizations align to separation
of duties.

- Separation of duties is not specific to one of the seven domains. It helps the organizations to tailor their
policies to a much stronger and diversified position.

13. Why is it important for an organization to have a policy definition for Business Continuity and
Disaster Recovery?

- To ensure that the organization is able to efficiently recover from a disaster and resume normal
business operations as quickly as possible.

14. Why is it important to prevent users from downloading and installing applications on organization
owned laptops and desktop computers?

- To prevent the possibility of other company systems becoming infected with viruses or their work
information being compromised.

15. Separation of duties is best defined by policy definition. What is needed to ensure its success?

- Guidelines and policies help ensure success for SoD.
