Name: Đào Quốc Trung

Student ID: SE151141


Subject: IAP301

LAB 4 Craft a Layered Security Management Policy – Separation of Duties


ABC Credit Union
Security Management Policy with Defined Separation of Duties
Policy Statement:
ABC Credit Union is committed to ensuring the confidentiality, integrity, and availability (C-I-A) of
its information systems and the protection of its customers' sensitive information. This policy outlines
the information systems security responsibilities and the separation of duties throughout the seven
domains of ABC Credit Union's typical IT infrastructure.
Purpose/Objectives:
- To ensure the confidentiality, integrity, and availability of ABC Credit Union's information
systems and customer data.
- To provide a framework for managing and controlling access to ABC Credit Union's
information systems and assets.
- To ensure compliance with GLBA and IT security best practices regarding employees.
- To prevent unauthorized access and use of ABC Credit Union's information systems and
assets.
- To monitor and control the use of the Internet by implementing content filtering.
- To eliminate personal use of organization-owned IT assets and systems.
- To monitor and control the use of the e-mail system by implementing email security controls.
- To define a clear separation of duties for information systems security responsibilities across
all seven domains of the typical IT infrastructure.
Scope:
- This policy applies to all employees, contractors, and third-party partners of ABC Credit
Union. It covers the following seven domains of the typical IT infrastructure:
- Endpoint devices (e.g. workstations, laptops, smartphones)
- Network devices (e.g. routers, switches, firewalls)
- Servers (e.g. file servers, email servers)
- Database systems
- Cloud services
- Application systems
- Physical security and access controls
All IT assets owned by ABC Credit Union and used to support its business operations are
within the scope of this policy.

Standards:
This policy references technical hardware, software, and configuration standards for IT assets
throughout the seven domains of ABC Credit Union's typical IT infrastructure. These standards
include, but are not limited to, the following:
- Workstation Configuration Standards
- Network Device Configuration Standards
- Server Configuration Standards
- Database Configuration Standards
- Cloud Services Security Standards
- Application Security Standards
- Physical Security and Access Controls Standards
Procedures:
1. Endpoint Devices:
- All workstations, laptops, and smartphones must comply with the Workstation Configuration
Standards.
- The IT department is responsible for ensuring the proper configuration and security of all
endpoint devices.
- Employees are responsible for reporting any security incidents or vulnerabilities to the IT
department.
2. Network Devices:
- All network devices must comply with the Network Device Configuration Standards.
- The IT department is responsible for ensuring the proper configuration and security of all
network devices.
3. Servers:
- All servers must comply with the Server Configuration Standards.
- The IT department is responsible for ensuring the proper configuration and security of all
servers.
4. Database Systems:
- All database systems must comply with the Database Configuration Standards.
- The IT department is responsible for ensuring the proper configuration and security of all
database systems.
5. Cloud Services:
- All cloud services must comply with the Cloud Services Security Standards.
- The IT department is responsible for ensuring the proper configuration and security of all
cloud services.
6. Application Systems:
- All application systems must comply with the Application Security Standards.
- The IT department is responsible for ensuring the proper configuration and security of all
application systems.
7. Physical Security and Access Controls:
- All physical security and access controls must comply with the Physical Security and Access
Controls Standards.
Guidelines
- Information systems security is a shared responsibility among all employees, with defined
roles and responsibilities.
- Employees are responsible for following all policies and procedures related to information
systems security.
- The IT department is responsible for maintaining the technical hardware, software, and
configuration standards for IT assets throughout the seven domains of a typical IT
infrastructure.
- Regular security audits will be performed to ensure compliance with this policy and to
identify any gaps or areas for improvement.
- If an employee identifies a potential security breach or violation of this policy, they must
report it immediately to the IT department.
- Any disputes or misunderstandings regarding the separation of duties should be addressed
through the appropriate channels and with the involvement of HR and senior management if
necessary.
- The policy will be reviewed and updated annually to ensure its effectiveness and to align with
the latest IT security best practices.

Lab Assessment Questions & Answers


1. For each of the seven domains of a typical IT infrastructure, summarize what the information
systems security responsibilities are within that domain:
- The information systems security responsibilities within each of the seven domains of a
typical IT infrastructure vary, but in general, the responsibilities include protecting the
confidentiality, integrity, and availability (C-I-A) of data, as well as ensuring compliance with
security policies and standards. In the Workstation domain, security responsibilities include
protecting client devices from malware, implementing access control measures, and ensuring
secure configuration of devices. In the Server domain, security responsibilities include
protecting servers from external and internal threats, ensuring secure configuration of servers,
and implementing access control measures. In the Database domain, security responsibilities
include securing data at rest and in transit, ensuring secure database configuration, and
implementing access control measures. In the Network domain, security responsibilities
include securing data in transit, implementing access control measures, and ensuring secure
network configuration. In the Application domain, security responsibilities include ensuring
secure coding practices, implementing access control measures, and securing data at rest and
in transit. In the Internet domain, security responsibilities include securing data in transit,
implementing access control measures, and ensuring secure Internet access. In the Mobile
Device domain, security responsibilities include securing data at rest and in transit,
implementing access control measures, and ensuring secure configuration of mobile devices.
2. Which of the seven domains of a typical IT infrastructure requires personnel and executive
management support outside of the IT or information systems security organizations?
- The domains that require personnel and executive management support outside of the IT or
information systems security organizations are the Server, Database, Network, Application, Internet,
and Mobile Device domains. This is because these domains are critical to the business operations and
require coordination between various departments and levels of management to ensure that security
measures are implemented effectively.
3. What does separation of duties mean?
- Separation of duties means dividing the responsibilities for different tasks and processes among
different individuals or groups to reduce the risk of fraud or abuse. This helps to prevent one person or
group from having too much control over a particular process or system.
4. How does separation of duties throughout an IT infrastructure mitigate risk for an
organization?
- Separation of duties throughout an IT infrastructure mitigates risk for an organization by reducing
the potential for fraud or abuse. It helps to ensure that sensitive information is not accessible to a
single individual or group, and that security policies and standards are being followed. This helps to
prevent data breaches, protect the confidentiality and integrity of data, and ensure that the
organization is in compliance with security regulations.
5. How would you position a layered security approach with a layered security management
approach for an IT infrastructure?
- A layered security approach is often paired with a layered security management approach, as this
provides a more comprehensive approach to security. A layered security approach involves
implementing multiple security measures at different levels to create a barrier against potential
threats. A layered security management approach involves managing security measures at different
levels to ensure they are functioning effectively. By combining these two approaches, an organization
can better protect against potential threats and ensure that security measures are working as intended.
6. If a system administrator had both the ID and password to a system, would that be a
problem?
- If a system administrator had both the ID and password to a system, it could be a problem because it
would give them complete control over the system. This would increase the risk of fraud or abuse, and
make it difficult to track who made changes to the system.
7. When using a layered security approach to system administration, who would have the
highest access privileges?
- When using a layered security approach to system administration, the person with the highest access
privileges would typically be the security administrator. This person would be responsible for
managing security policies, procedures, and access control measures, and would have the highest
level of access to the systems and data.
8. Who would review the organization's layered approach to security?
- The organization's layered approach to security would typically be reviewed by the security
administrator, as well as by internal or external auditors. This helps to ensure that the security
measures are functioning as intended and that the organization is in compliance with security
regulations.
9. Why do you only want to refer to technical standards in a policy definition document?
- It is important to only refer to technical standards in a policy definition document because these
standards provide a specific and technical basis for the policies and procedures outlined in the
document. The policy definition document should be a high-level overview of an organization's
security policies, and referring to technical standards helps to ensure that the policies are based on
industry best practices and proven security methods.
10. Why is it important to define guidelines in this layered security management policy?
- Defining guidelines in a layered security management policy is important because it provides clarity
and direction for employees on how to implement the security policies outlined in the document.
Guidelines help to ensure that all employees understand their responsibilities and are able to
consistently implement the policies in a manner that is effective and consistent with the organization's
security goals.
11. Why is it important to define access control policies that limit or prevent exposing customer
privacy data to employees?
- Access control policies that limit or prevent exposing customer privacy data to employees are
important because this information is sensitive and confidential. Protecting this information is not
only a legal requirement, but also a matter of trust with customers. By defining policies that limit
access to this information, organizations can help to prevent unauthorized access and protect the
privacy of their customers.
12. Explain why the seven domains of a typical IT infrastructure help organizations align to
separation of duties.
- The seven domains of a typical IT infrastructure help organizations align to separation of duties by
providing a framework for defining roles and responsibilities within the organization. This framework
ensures that different aspects of the IT infrastructure are managed by separate individuals, which
helps to prevent any one person from having too much control and reduces the risk of fraud or misuse
of information.
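The separation-of-duties idea from questions 3, 4 and 12 can be checked mechanically once each person's responsibilities are recorded per domain. The following is an added example, not part of the lab submission: the duty names, the conflict table, the concentration limit and the sample assignments are constructed for illustration, while the seven domain names are the ones the policy above lists.

```python
"""Separation-of-duties check over per-domain responsibility assignments."""
from collections import defaultdict

# The seven domains named in the policy's Scope section.
DOMAINS = ["Endpoint", "Network", "Server", "Database", "Cloud", "Application", "Physical"]

# Duty pairs that must not be held by one person within the same domain
# (constructed for this example): the person who implements a control
# must not be the one who reviews it, and access approval must be kept
# apart from access provisioning.
CONFLICTING_DUTIES = {
    ("configure", "audit"),
    ("approve_access", "grant_access"),
    ("develop", "deploy"),
}


def find_sod_violations(assignments):
    """assignments: iterable of (person, domain, duty).
    Returns a sorted list of (person, domain, duty_a, duty_b) for every
    conflicting pair held by the same person in the same domain."""
    held = defaultdict(set)
    for person, domain, duty in assignments:
        if domain not in DOMAINS:
            raise ValueError(f"unknown domain: {domain}")
        held[(person, domain)].add(duty)
    violations = []
    for (person, domain), duties in held.items():
        for duty_a, duty_b in CONFLICTING_DUTIES:
            if duty_a in duties and duty_b in duties:
                violations.append((person, domain, duty_a, duty_b))
    return sorted(violations)


def find_overconcentration(assignments, duty="configure", max_domains=2):
    """Flag people who hold the same duty in more than max_domains domains,
    i.e. 'too much control' spread across the infrastructure.
    Returns a sorted list of (person, number_of_domains)."""
    per_person = defaultdict(set)
    for person, domain, d in assignments:
        if d == duty:
            per_person[person].add(domain)
    return sorted((p, len(ds)) for p, ds in per_person.items() if len(ds) > max_domains)


# Constructed sample: carol and dave each hold a conflicting pair.
SAMPLE_ASSIGNMENTS = [
    ("alice", "Server", "configure"), ("bob", "Server", "audit"),
    ("carol", "Database", "configure"), ("carol", "Database", "audit"),
    ("dave", "Application", "develop"), ("dave", "Application", "deploy"),
    ("erin", "Network", "approve_access"), ("frank", "Network", "grant_access"),
]

if __name__ == "__main__":
    for v in find_sod_violations(SAMPLE_ASSIGNMENTS):
        print("SoD violation:", v)
```

Running the module prints the two constructed violations; an auditor (question 8) would run the same check over the real role assignments.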
13. Why is it important for an organization to have a policy definition for Business Continuity
and Disaster Recovery?
- A policy definition for Business Continuity and Disaster Recovery is important because it provides a
plan for the organization in the event of a disaster or unexpected event that affects the normal
operations of the business. This policy definition should include procedures for restoring systems,
applications, and data, as well as guidelines for ensuring that critical business functions can continue
to operate even in the face of a disaster.
14. Why is it important to prevent users from downloading and installing applications on
organization-owned laptops and desktop computers?
- Preventing users from downloading and installing applications on organization-owned laptops and
desktop computers is important for several reasons. First, downloading and installing unapproved
applications can introduce security risks to the organization's IT infrastructure. Second, it can also
lead to compatibility and performance issues that can affect the operation of the systems. Finally, it
can also result in increased support costs, as the IT department may have to spend time resolving
issues caused by unapproved applications.
15. Separation of duties is best defined by policy definition. What is needed to ensure its
success?
- Policy definition is key to ensuring the success of separation of duties. A clear, well-defined policy
provides a framework for how the organization should manage security, and defines the
responsibilities of each individual involved in the process. This helps to ensure that everyone is aware
of their role in the security process and is working together to achieve the organization's security
goals. To ensure the success of separation of duties, it is important for the organization to enforce its
policies, provide training and support to employees, and regularly monitor and review its security
processes and procedures.