
Lab #4 – Assessment Worksheet

Craft a Layered Security Management Policy – Separation of Duties


Course Name: IAP301
Student Name: SonLTSE161501
Instructor Name: DinhMH
Lab Due Date: February 10th, 2023
Overview
In this lab, you are to create a security management policy that addresses the management
and the separation of duties throughout the seven domains of a typical IT infrastructure. You
are to define what the information systems security responsibility is for each of the seven
domains of a typical IT infrastructure. From this definition, you must incorporate your definition
for the separation of duties within the procedures section of your policy definition template.
Your scenario is the same as in Lab #1 – ABC Credit Union/Bank.

• Regional ABC Credit Union/bank with multiple branches and locations throughout the
region
• Online banking and the use of the Internet is a strength of your bank given limited
human resources
• The customer service department is the most critical business function/operation of
the organization.
• The organization wants to be in compliance with GLBA and IT security best practices
regarding employees.
• The organization wants to monitor and control use of the Internet by implementing
content filtering.
• The organization wants to eliminate personal use of organization-owned IT assets and
systems.
• The organization wants to monitor and control the use of the e-mail system by
implementing e-mail security controls.
• The organization wants to implement this policy for all IT assets owned by the
organization and to incorporate this policy review into the annual security awareness
training.
• The organization wants to define a policy framework including a Security Management
Policy defining the separation of duties for information systems security.
Instructions
Using Microsoft Word, craft a Security Management Policy with Defined Separation of Duties
using the following policy template:
ABC Credit Union
Separation of Duties
Policy Statement
Employees who use resources owned by ABC Credit Union are required to follow all applicable
corporate policies when using these resources.
Purpose/Objectives
The purpose of this policy is to ensure that no single individual can execute a high-risk
transaction on their own, or conceal errors or fraud, in the normal course of their duties. This
policy must comply with the Gramm-Leach-Bliley Act (GLBA).
Scope
This policy applies to all employees, systems and customers of ABC Credit Union.
Standards
Each employee will be assigned to a group or department, and each department will be given a
defined set of duties. Duties that together complete a high-risk transaction (for example,
initiating and approving a funds transfer, or administering a system and auditing it) will be
assigned to different people.
Procedures
Group Policies will be put in place to guarantee that workers can only access the files and
systems they actually require for their assigned duties (least privilege).
Every year, departments will receive training to go over any changes to their duties and to
these policies.
Each department will maintain a chain of command that ascends to executive management, so
that every duty has a named owner and an approver who is not the same person.
Users who have been given the responsibility of managing IT systems are accountable for
making sure those systems are adequately protected against known threats and
vulnerabilities, to the extent that this is both practicable and compatible with the designated
purpose of those systems.
Guidelines
Users will be trained to follow all policies and procedures in the organization. System
Administrators can refer to NIST Special Publication 800-53, Security and Privacy Controls for
Information Systems and Organizations, in particular control AC-5 (Separation of Duties).
==============================================================================
Overview
In this lab, you examined the seven domains of a typical IT infrastructure from an information
systems security responsibility perspective. What are the roles and responsibilities performed
by the IT professional, and what are the roles and responsibilities of the information systems
security practitioner? This lab presented an overview of exactly what those roles and
responsibilities are and, more importantly, how to define a security management policy that
aligns and defines who is responsible for what. This is critical during a security incident that
requires immediate attention by the security incident response team.
Lab Assessment Questions & Answers
1. For each of the seven domains of a typical IT infrastructure, summarize what the
information systems security responsibilities are within that domain:
The User Domain is the weakest link in an IT infrastructure. Responsibility here lies with
management and human resources together with IT security: define an acceptable use policy,
deliver security awareness training, and enforce both. Anyone in charge of computer security
must also understand the motives behind any penetration of a system, application, or data.
The Workstation Domain can be a desktop computer, a laptop computer, a special-purpose
terminal, or any other device that connects to your network. The Workstation Domain controls
must be defined and maintained by the IT security team. Human resources departments typically
base the appropriate access for employees on their jobs. Based on these criteria, IT security
staff then grant access permissions to systems, applications, and data.
The LAN support group is in charge of the LAN Domain. Both the logical and physical
components are included in this. Access controls must be set up for users and maintained and
supported by LAN system administrators for departments' file and print services.
The network security group is responsible for the LAN-to-WAN Domain. Both the logical and
physical components are included in this. Members of the group are in charge of implementing
the specified security controls (firewalls, content filtering, intrusion detection at the boundary).
The network engineer or WAN group is responsible for the WAN Domain. Both the logical
and physical components are included in this. The defined security controls are installed by
network engineers and security professionals in accordance with defined policies. Be aware
that numerous organizations now use service providers to handle their WAN and routers due to
the complexity of IP network engineering. This service contains SLAs to guarantee system
availability and prompt problem resolution. Customers can contact their service provider's
network operations center through a toll-free number in the event of a WAN connection
interruption.
The network engineer or WAN group is usually in charge of the Remote Access Domain. Both
the logical and physical components are included in this. Application of security controls in
accordance with policies is the responsibility of network engineers and security professionals.
This includes looking after the logical remote access connection and hardware for the Remote
Access Domain, as well as updating and maintaining them.
The System/Application Domain is the responsibility of the system administrators and
application owners. They apply the defined controls to servers, operating systems, databases
and applications, and keep them patched. Because this domain holds the customer privacy
data GLBA protects, access to it must be granted by job role and reviewed regularly.
2. Which of the seven domain of a typical IT infrastructure require personnel and executive
management support outside of the IT or information systems security organization?
Every domain should be managed with the informed consent of executive management, and
that input must be gathered from all levels of personnel within the organization. The User
Domain in particular depends on people outside IT: human resources and line managers
define job roles, enforce the acceptable use policy, and ensure staff attend awareness training.
3. What does separation of duties mean?
No single individual has control over every stage of a transaction: the person who initiates or
records a transaction is not the person who approves, reconciles, or audits it.
4. How does separation of duties throughout an IT infrastructure mitigate risk for an
organization?
Separating responsibilities serves two purposes. It prevents fraud, mistakes, and abuse of
systems and procedures, because an action requires more than one person to complete; and
it helps detect control failures such as data theft, security breaches, and the evasion of
security measures, because a second person reviews what the first has done.
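The Procedures section of the policy template and the answers to Questions 3 and 4 describe separation of duties in prose. The Python below is an added example, not part of the original worksheet, showing how the control is checked in practice: a static check that no one user holds two mutually exclusive roles, and a detective check over a transaction log that no one identity both initiated and approved a high-risk transaction. The role names, user names, transaction records and the 10,000 threshold are constructed assumptions for illustration.

```python
"""Separation-of-duties (SoD) checks. Constructed example; names are illustrative."""
from dataclasses import dataclass

# Static SoD: pairs of roles that no single identity may hold at the same time.
# Role names are assumptions for illustration, not roles defined by the worksheet.
EXCLUSIVE_ROLES = {
    frozenset({"wire_initiator", "wire_approver"}),
    frozenset({"developer", "production_deployer"}),
    frozenset({"sysadmin", "security_auditor"}),
}


def static_violations(assignments):
    """Return (user, role_a, role_b) for every exclusive pair a single user holds.

    assignments: {user: [role, ...]} as it would be exported from a directory.
    """
    found = []
    for user, roles in assignments.items():
        held = set(roles)
        for pair in sorted(EXCLUSIVE_ROLES, key=sorted):
            if pair <= held:  # user holds both halves of the pair
                role_a, role_b = sorted(pair)
                found.append((user, role_a, role_b))
    return found


# Dynamic SoD: even when roles are split correctly, the same identity must not
# perform both halves of one high-risk transaction.
@dataclass
class Event:
    txn_id: str
    action: str   # "initiate" or "approve"
    user: str
    amount: int


def dynamic_violations(events, threshold):
    """Return (txn_id, user) for each transaction at or above threshold that one
    user both initiated and approved. Transactions below threshold are exempt,
    mirroring a policy that only requires dual control for high-risk amounts."""
    by_txn = {}
    for e in events:
        by_txn.setdefault(e.txn_id, {})[e.action] = e
    found = []
    for txn_id, steps in by_txn.items():
        init, appr = steps.get("initiate"), steps.get("approve")
        if init and appr and init.amount >= threshold and init.user == appr.user:
            found.append((txn_id, init.user))
    return found


# Constructed sample data: carol and dave violate static SoD; transaction T2
# violates dynamic SoD; T3 is self-approved but below the threshold.
ASSIGNMENTS = {
    "alice": ["wire_initiator", "teller"],
    "bob": ["wire_approver"],
    "carol": ["wire_initiator", "wire_approver"],
    "dave": ["sysadmin", "security_auditor"],
}

EVENTS = [
    Event("T1", "initiate", "alice", 25_000),
    Event("T1", "approve", "bob", 25_000),
    Event("T2", "initiate", "carol", 40_000),
    Event("T2", "approve", "carol", 40_000),
    Event("T3", "initiate", "alice", 500),
    Event("T3", "approve", "alice", 500),
]

HIGH_RISK_THRESHOLD = 10_000  # assumed policy threshold for dual control

if __name__ == "__main__":
    for user, a, b in static_violations(ASSIGNMENTS):
        print(f"static SoD violation: {user} holds both {a} and {b}")
    for txn_id, user in dynamic_violations(EVENTS, HIGH_RISK_THRESHOLD):
        print(f"dynamic SoD violation: {user} initiated and approved {txn_id}")
```

The static check is what an access review against the directory would run after each role change; the dynamic check is what an auditor or a detection rule would run over the transaction log. Both are needed: carol's role assignment should have been refused at provisioning time, and T2 shows what slips through when it is not.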
5. How would you position a layered security approach with a layered security management
approach for an IT infrastructure?
A layered security approach places controls in each of the seven domains so that a failure in
one layer is caught by the next. A layered security management approach pairs each of those
layers with a named owner, a defined set of duties, and a separate reviewer. The two are
positioned together by ensuring that the controls used at each tier are compatible and work
well together, and that no single person owns both a control and its review.
6. If a system administrator had both the ID and password to a system, would that be a
problem?
Yes. If one administrator alone holds both the ID and the password of a privileged system
account, there is no separation of duties: that person can make any change and cover their
tracks without a second person being involved. The problem is made worse if the password is
weak or stored unencrypted. Mitigations are individual administrator accounts with
multi-factor authentication, split knowledge or dual control for shared privileged accounts,
and logging of privileged actions that is reviewed by someone other than the administrator.
7. When using a layered security approaches to system administration, who would have the
highest access privileges?
The top-level administrator of the IT system (root or domain administrator level) would have
the highest access privileges. Even that account should be used only when needed, under dual
control, and with every action logged.
8. Who would review the organizations layered approach to security?
The head of the IT security department would review the organization's layered approach to
security, with an independent party such as internal audit or an external assessor reviewing
the reviewer.
9. Why do you only want to refer to technical standards in a policy definition document?
Because a policy should state what must be achieved, while the technical detail of how to
achieve it belongs in standards. Referring to recognized industry standards in the policy
definition document lets the policy remain stable while the standards are updated as
technology changes, and gives administrators a concrete, recognized baseline to enforce.
10. Why it is important to define guidelines in this layered security management policy?
Because guidelines explain how the rules are meant to be applied. When a user transgresses
them or something goes wrong, staff can identify the problem against the guideline and take
the necessary steps to reduce the risk, instead of guessing at what the policy intended.
11. Why is it important to define access control policies that limit or prevent exposing
customer privacy data to employee?
Because employees are only human: they make mistakes, can be tricked, and occasionally act
dishonestly. GLBA requires the organization to protect customer privacy data, so access to it
must be limited to the employees whose job requires it. Every employee who can see the data is
one more way it can be exposed.
12. Explain why the seven domains of a typical IT infrastructure helps organizations align to
separation of duties.
It facilitates the deployment of secure IT controls by providing clarity around job
functions, task ownership, and the distribution of controls: each domain has an identifiable
owner, so duties can be divided between domains and between the people responsible for them.
13. Why it is important for an organization to have a policy definition for Business Continuity
and Disaster Recovery?
Because an organization with a defined Business Continuity and Disaster Recovery policy has
the best chance of surviving an outage or disaster with the fewest losses and the least damage.
14. Why is it important to prevent users from downloading and installing applications on
organization owned laptops and desktop computers?
Because applications downloaded and installed by users may contain malware or viruses, and
unapproved software bypasses the organization's patching and configuration controls.
15. Separation of duties is best defined by policy definition. What is needed to ensure it
success?
People are the key to its success: executive management must support and enforce the policy,
each employee must understand their own duties and their limits, and audits must verify that
duties actually remain separated in practice.
