In this lab, you are to create a security management policy that addresses the management and the separation of duties throughout the seven domains of a typical IT infrastructure. You are to define what the information systems security responsibility is for each of the seven domains of a typical IT infrastructure. From this definition, you must incorporate your definition for the separation of duties within the procedures section of your policy definition template.

Your scenario is the same as in Lab #1 – ABC Credit Union/Bank.

• Regional ABC Credit Union/Bank with multiple branches and locations throughout the region
• Online banking and the use of the Internet is a strength of your bank given limited human resources
• The customer service department is the most critical business function/operation of the organization.
• The organization wants to be in compliance with GLBA and IT security best practices regarding employees.
• The organization wants to monitor and control use of the Internet by implementing content filtering.
• The organization wants to eliminate personal use of organization-owned IT assets and systems.
• The organization wants to monitor and control the use of the e-mail system by implementing e-mail security controls.
• The organization wants to implement this policy for all IT assets owned by the organization and to incorporate this policy review into the annual security awareness training.
• The organization wants to define a policy framework including a Security Management Policy defining the separation of duties for information systems security.

ABC Credit Union
Policy Name: Separation of Duties

Policy Statement
Separation of duties is widely used, not only in the IT world but everywhere, for the sole purpose of tasking different individuals. As we assign these responsibilities, every member of personnel is expected to abide by all rules and regulations set forth on these responsibilities.
Purpose/Objectives
Separation of duties is a simple concept used to prevent attacks, insider threats, and errors, and to maintain control from within the organization. Not every agency has an official Separation of Duties policy in place; some have one, but it is not official.

Scope
The concept in itself is simple and common sense. It is simple because it is similar to a trust issue, but at the same time complex because it is costly and requires more manpower.

Procedures
There are many possible concepts, from requiring two signatures to requiring two people to be within eyesight of each other. But one concept used, that I like, is the two-person concept, which is to prevent a lone.

Guidelines
After the assessment is completed and a consensus has been reached that a SoD is needed, an information flow chart needs to be created. After the matrix is created, all personnel involved will need to be properly trained and made aware of the SoD.

Overview
In this lab, you examined the seven domains of a typical IT infrastructure from an information systems security responsibility perspective. What are the roles and responsibilities performed by the IT professional, and what are the roles and responsibilities of the information systems security practitioner? This lab presented an overview of exactly what those roles and responsibilities are and, more importantly, how to define a security management policy that aligns and defines who is responsible for what. This is critical during a security incident that requires immediate attention by the security incident response team.

Lab Assessment Questions & Answers

1. For each of the seven domains of a typical IT infrastructure, summarize what the information systems security responsibilities are within that domain:

The User Domain is the weakest link in an IT infrastructure. Anyone responsible for computer security must understand what motivates someone to compromise an organization's systems, applications, or data.
The Workstation Domain can be a desktop computer, a laptop computer, a special-purpose terminal, or any other device that connects to your network. The IT security personnel must safeguard controls within the Workstation Domain. Typically, human resources departments define proper access control for workers based on their jobs. IT security personnel then assign access rights to systems, applications, and data based on this definition.

The LAN support group is in charge of the LAN Domain. This includes both the physical components and logical elements. LAN system administrators must maintain and support departments' file and print services and configure access controls for users.

The network security group is responsible for the LAN-to-WAN Domain. This includes both the physical components and logical elements. Group members are responsible for applying the defined security controls.

The network engineer or WAN group is responsible for the WAN Domain. This includes both the physical components and logical elements. Network engineers and security practitioners set up the defined security controls according to defined policies. Note that because of the complexities of IP network engineering, many groups now outsource management of their WAN and routers to service providers. This service includes SLAs that ensure that the system is available and that problems are solved quickly. In the event of a WAN connection outage, customers call a toll-free number for their service provider's network operations center.

The network engineer or WAN group is usually in charge of the Remote Access Domain. This includes both the hardware components and logical elements. Network engineers and security practitioners are in charge of applying security controls according to policies. These include maintaining, updating, and troubleshooting the hardware and logical remote access connection for the Remote Access Domain.
The responsibility for the System/Application Domain lies with the director of systems and applications and the director of software development. This domain includes the following.

2. Which of the seven domains of a typical IT infrastructure require personnel and executive management support outside of the IT or information systems security organizations?

3. What does separation of duties mean?
Separation of duties is the means by which no one person has sole control over the lifespan of a transaction.

4. How does separation of duties throughout an IT infrastructure mitigate risk for an organization?
Separation of duties fulfills two purposes. First, it prevents fraud, errors, and abuse of systems and processes, and second, it aids in the discovery of control failures such as theft of information, data breaches, and circumvention of security controls.

5. How would you position a layered security approach with a layered security management approach for an IT infrastructure?
I would make sure that protocols in each layer correspond and function together. This way you can position the higher protocols with higher ones and lower with lower ones.

6. If a system administrator had both the ID and password to a system, would that be a problem?
It would be a problem if the password is too weak or not encrypted.

7. When using a layered security approach to system administration, who would have the highest access privileges?
The super administrator of the IT system would have the highest access privileges.

8. Who would review the organization's layered approach to security?
The administrator of the IT security department.

9. Why do you only want to refer to technical standards in a policy definition document?
Because the technical standards in a policy definition document identify and enumerate the industry's recommended standards that will help enforce an IT policy.

10. Why is it important to define guidelines in this layered security management policy?
Because it is really important to understand guidelines; when a user violates policy or bad things happen, the user will know the way to isolate the issue, which will help mitigate the risk.

11. Why is it important to define access control policies that limit or prevent exposing customer privacy data to employees?
Because employees are human, so sometimes they will violate policy for no reason. To mitigate that risk, the data of customers must be encrypted or access from employees must be limited.

12. Explain why the seven domains of a typical IT infrastructure help organizations align to separation of duties.
They help give clarity of job functions, transparency on task ownership, distribute controls, and aid in the implementation of secure IT controls.

13. Why is it important for an organization to have a policy definition for Business Continuity and Disaster Recovery?
Because it has the highest odds of recovering from it with minimal damages and losses.

14. Why is it important to prevent users from downloading and installing applications on organization-owned laptops and desktop computers?
Because some downloads on the Internet contain viruses or malware. So it is really important to prevent users from downloading and installing them, which will reduce risk.

15. Separation of duties is best defined by policy definition. What is needed to ensure its success?
Separation of duties is the concept of having more than one person required to complete a task. Each individual in the company will be the key to success.
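The two-person concept in the Procedures section, the role matrix the Guidelines section calls for, and the definition of separation of duties in answers 3 and 15 can all be enforced mechanically rather than only on paper. The following is an added example written for this page; it is not part of the lab text and not code from ABC Credit Union or any real system. The role names, users, conflict matrix and transaction are constructed sample data, and the two checks it performs (no one person holds a conflicting role pair, and the initiator of a transaction can never be its approver) are the assumptions it encodes.

```python
"""Added example: a small separation-of-duties (SoD) enforcer.

Two controls are demonstrated:
  1. A conflict matrix of role pairs that one person must never hold
     together (the "matrix" the Guidelines section says should be built).
  2. The two-person rule: whoever initiates a transaction may not approve
     it, so no single person controls its whole lifespan (answer 3).
All roles, users and transactions below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed conflict matrix: holding both roles of a pair would let one
# person both perform a task and check their own work.
CONFLICTING_ROLES = {
    frozenset({"payment_initiator", "payment_approver"}),
    frozenset({"developer", "production_deployer"}),
    frozenset({"security_admin", "security_auditor"}),
}


class SeparationOfDutiesError(Exception):
    """Raised when an action would violate the SoD policy."""


def conflicting_pairs(roles: Set[str]) -> List[Tuple[str, str]]:
    """Return every forbidden role pair that is fully contained in `roles`."""
    found = [tuple(sorted(pair)) for pair in CONFLICTING_ROLES if pair <= roles]
    return sorted(found)


def assign_role(assignments: Dict[str, Set[str]], user: str, role: str) -> Set[str]:
    """Grant `role` to `user` unless the result contains a forbidden pair."""
    proposed = assignments.get(user, set()) | {role}
    conflicts = conflicting_pairs(proposed)
    if conflicts:
        a, b = conflicts[0]
        raise SeparationOfDutiesError(f"{user} cannot hold {a} and {b} together")
    assignments[user] = proposed
    return proposed


@dataclass
class Transaction:
    tx_id: str
    amount: float
    initiated_by: str
    approved_by: Optional[str] = None
    history: List[str] = field(default_factory=list)  # audit trail of who did what


def initiate(assignments: Dict[str, Set[str]], user: str, tx_id: str, amount: float) -> Transaction:
    """Only a payment initiator may create a transaction."""
    if "payment_initiator" not in assignments.get(user, set()):
        raise PermissionError(f"{user} is not a payment initiator")
    tx = Transaction(tx_id, amount, user)
    tx.history.append(f"initiated by {user}")
    return tx


def approve(assignments: Dict[str, Set[str]], user: str, tx: Transaction) -> Transaction:
    """Two-person rule first: self-approval is refused regardless of role."""
    if user == tx.initiated_by:
        raise SeparationOfDutiesError(f"{user} initiated {tx.tx_id} and may not approve it")
    if "payment_approver" not in assignments.get(user, set()):
        raise PermissionError(f"{user} is not a payment approver")
    tx.approved_by = user
    tx.history.append(f"approved by {user}")
    return tx


def demo() -> dict:
    """Run the constructed scenario and return the outcomes for inspection."""
    assignments: Dict[str, Set[str]] = {}
    assign_role(assignments, "alice", "payment_initiator")
    assign_role(assignments, "bob", "payment_approver")
    results = {}
    # Giving alice the approver role too would defeat the two-person rule.
    try:
        assign_role(assignments, "alice", "payment_approver")
        results["alice_dual_role"] = "allowed"
    except SeparationOfDutiesError:
        results["alice_dual_role"] = "blocked"
    tx = initiate(assignments, "alice", "TX-1001", 2500.00)
    # alice approving her own transaction must be refused.
    try:
        approve(assignments, "alice", tx)
        results["self_approval"] = "allowed"
    except SeparationOfDutiesError:
        results["self_approval"] = "blocked"
    approve(assignments, "bob", tx)
    results["approved_by"] = tx.approved_by
    results["history"] = list(tx.history)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The conflict check runs at role-assignment time, which is where a SoD matrix is cheapest to enforce; the self-approval check runs at transaction time, because a person's roles can change after a transaction is opened. Keeping the history list on each transaction gives reviewers (answer 8) a record of who initiated and who approved, which is what makes control failures discoverable (answer 4).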