This document contains a lab assessment worksheet with multiple parts:
- Part A lists risks, threats and vulnerabilities found in a healthcare IT infrastructure and identifies which domain they primarily impact.
- Part B matches each risk/threat to the policy definition needed to mitigate it.
- Part C defines an information security policy framework and its key elements.
- The document also includes the answers to assessment questions about developing and implementing an effective policy framework.
Lab #3 – Assessment Worksheet

Part A – List of Risks, Threats, and Vulnerabilities Commonly Found in an IT Infrastructure

The following risks, threats, and vulnerabilities were found in a healthcare IT infrastructure servicing patients with life-threatening situations. Given the list, select which of the seven domains of a typical IT infrastructure is primarily impacted by the risk, threat, or vulnerability.

| Risk – Threat – Vulnerability | Primary Domain Impacted |
|---|---|
| Unauthorized access from public Internet | LAN-to-WAN |
| User destroys data in application and deletes all files | System/Application |
| Hacker penetrates your IT infrastructure and gains access to your internal network | LAN-to-WAN |
| Intra-office employee romance "gone bad" | User |
| Fire destroys the primary data center | LAN |
| Communication circuit outages | LAN |
| Workstation OS has a known software vulnerability | Workstation |
| Unauthorized access to organization-owned workstations | Workstation |
| Loss of production data | System Database |
| Denial of service attack on organization e-mail server | WAN |
| Remote communications from home office | Remote Access |
| LAN server OS has a known software vulnerability | LAN |
| User downloads an unknown e-mail attachment | User |
| Workstation browser has software vulnerability | Workstation |
| Service provider has a major network outage | WAN |
| Weak ingress/egress traffic filtering degrades performance | LAN-to-WAN |
| User inserts CDs and USB hard drives with personal photos, music, and videos on organization-owned computers | User |
| VPN tunneling between remote computer and ingress/egress router | Remote Access |
| WLAN access points are needed for LAN connectivity within a warehouse | LAN-to-WAN |
| Need to prevent rogue users from unauthorized WLAN access | WLAN-to-WAN |
Part B – List of Risks, Threats, and Vulnerabilities Commonly Found in an IT Infrastructure

For each risk, threat, or vulnerability, identify the policy definition needed to mitigate it.

| Risk – Threat – Vulnerability | Policy Definition Needed |
|---|---|
| Unauthorized access from public Internet | Access Control Policy Definition |
| User destroys data in application and deletes all files | Mandated Security Awareness Training Policy Definition |
| Hacker penetrates your IT infrastructure and gains access to your internal network | Data Classification Standard & Encryption Policy Definition |
| Intra-office employee romance "gone bad" | Business Continuity – Business Impact Analysis (BIA) Policy Definition |
| Fire destroys the primary data center | Business Continuity & Disaster Recovery Policy Definition |
| Communication circuit outages | Business Continuity & Disaster Recovery Policy Definition |
| Workstation OS has a known software vulnerability | Vulnerability Management & Vulnerability Window Policy Definition |
| Unauthorized access to organization-owned workstations | Data Classification Standard & Encryption Policy Definition |
| Loss of production data | Production Data Back-up Policy Definition |
| Denial of service attack on organization e-mail server | Mandated Security Awareness Training Policy Definition |
| Remote communications from home office | Remote Access Policy Definition |
| LAN server OS has a known software vulnerability | Vulnerability Management & Vulnerability Window Policy Definition |
| User downloads an unknown e-mail attachment | Acceptable Use Policy |
| Workstation browser has software vulnerability | Vulnerability Management & Vulnerability Window Policy Definition |
| Service provider has a major network outage | WAN Service Availability Policy Definition |
| Weak ingress/egress traffic filtering degrades performance | Internet Ingress/Egress Traffic Policy Definition |
| User inserts CDs and USB hard drives with personal photos, music, and videos on organization-owned computers | Acceptable Use Policy |
| VPN tunneling between remote computer and ingress/egress router | Internet Ingress/Egress Traffic Policy Definition |
| WLAN access points are needed for LAN connectivity within a warehouse | Internet Ingress/Egress Traffic Policy Definition |
| Need to prevent rogue users from unauthorized WLAN access | Access Control Policy Definition |
Part C – Define an Information Systems Security Policy Framework for an IT Infrastructure

Lab Assessment Questions & Answers

1. A policy definition usually contains what four major parts or elements?
- A policy definition usually contains four major parts or elements: policy statement, purpose and scope, policy content or rules, and enforcement or compliance.

2. In order to effectively implement a policy framework, what three organizational elements are absolutely needed to ensure successful implementation?
- In order to effectively implement a policy framework, three organizational elements are absolutely needed: executive sponsorship, adequate resources, and clear lines of accountability and responsibility.

3. Which policy is the most important one to implement to separate employer from employee? Which is the most challenging to implement successfully?
- The most important policy to implement to separate employer from employee is the Acceptable Use Policy (AUP), while the most challenging to implement successfully is likely to be the Access Control Policy, as it requires a delicate balance between protecting sensitive information and enabling access for authorized users.

4. Which domain requires stringent access controls and encryption for connectivity to the corporate resources from home? What policy definition is needed for this domain?
- The Network Domain requires stringent access controls and encryption for connectivity to the corporate resources from home. A Remote Access Policy definition is needed for this domain.

5. Which domains need software vulnerability management & vulnerability window policy definitions to mitigate risk from software vulnerabilities?
- Both the Endpoint and Server Domains need software vulnerability management & vulnerability window policy definitions to mitigate risk from software vulnerabilities.

6. Which domain requires AUPs to minimize unnecessary user-initiated Internet traffic and awareness of the proper use of organization-owned IT assets?
- The User Domain requires Acceptable Use Policies (AUPs) to minimize unnecessary user-initiated Internet traffic and awareness of the proper use of organization-owned IT assets.

7. What policy definition can help remind employees within the User Domain about on-going acceptable use and unacceptable use?
- A Code of Conduct Policy definition can help remind employees within the User Domain about ongoing acceptable use and unacceptable use.

8. What policy definition is required to restrict and prevent unauthorized access to organization-owned IT systems and applications?
- An Access Control Policy definition is required to restrict and prevent unauthorized access to organization-owned IT systems and applications.

9. What is the relationship between an Encryption Policy Definition and a Data Classification Standard?
- The Encryption Policy Definition and the Data Classification Standard are related: the former outlines the required encryption levels for different types of data, while the latter defines the level of confidentiality and sensitivity of various types of data within the organization.

10. What policy definition is needed to minimize data loss?
- A Data Backup and Recovery Policy definition is needed to minimize data loss.

11. Explain the relationship between the policy-standard-procedure-guideline structure and how this should be postured to the employees and authorized users.
- The policy-standard-procedure-guideline structure is the hierarchy of how an organization defines and implements its IT security policies. The policies provide high-level guidance, standards define specific implementation requirements, procedures outline the steps to be taken, and guidelines provide additional information and recommendations. All of these elements should be clearly communicated to employees and authorized users to ensure understanding and compliance.

12. Why should an organization have a remote access policy even if they already have an Acceptable Use Policy (AUP) for employees?
- An organization should have a remote access policy even if they already have an Acceptable Use Policy (AUP) for employees because remote access may have different security considerations, such as encryption, authentication, and authorization, than regular in-office access.

13. What security controls can be implemented on your e-mail system to help prevent rogue or malicious software disguised as URL links or e-mail attachments from attacking the Workstation Domain? What kind of policy definition should this be included in? Justify your answer.
- Security controls that can be implemented on an e-mail system to prevent rogue or malicious software disguised as URL links or e-mail attachments from attacking the Workstation Domain include anti-malware software, e-mail filtering, and user education and awareness. This can be included in an Email Security Policy definition.

14. Why should an organization have annual security awareness training that includes an overview of the organization's policies?
- An organization should have annual security awareness training that includes an overview of the organization's policies to ensure that all employees are aware of their obligations and understand the importance of IT security.

15. What is the purpose of defining a framework for IT security policies?
- The purpose of defining a framework for IT security policies is to provide a comprehensive and consistent approach to securing the organization's IT systems and data, ensure compliance with legal and regulatory requirements, and minimize the risk of security incidents.