
Overview

In this lab, you are to create a security management policy that addresses the management and the separation of duties throughout the seven domains of a typical IT infrastructure. You are to define what the information systems security responsibility is for each of the seven domains of a typical IT infrastructure. From this definition, you must incorporate your definition for the separation of duties within the procedures section of your policy definition template. Your scenario is the same as in Lab #1 – ABC Credit Union/Bank.

• Regional ABC Credit Union/Bank with multiple branches and locations throughout the region
• Online banking and the use of the Internet is a strength of your bank given limited human resources
• The customer service department is the most critical business function/operation of the organization.
• The organization wants to be in compliance with GLBA and IT security best practices regarding employees.
• The organization wants to monitor and control use of the Internet by implementing content filtering.
• The organization wants to eliminate personal use of organization-owned IT assets and systems.
• The organization wants to monitor and control the use of the e-mail system by implementing email security controls.
• The organization wants to implement this policy for all IT assets owned by the organization and to incorporate this policy review into the annual security awareness training.
• The organization wants to define a policy framework including a Security Management Policy defining the separation of duties for information systems security.
ABC Credit Union
Policy Name: Separation of Duties
Policy Statement
Separation of duties is widely used, not only in IT but everywhere, for the sole purpose of assigning different parts of a task to different individuals. As these responsibilities are assigned, all personnel are expected to abide by the rules and regulations set forth for them.
Purpose/Objectives
Separation of duties is a simple concept used to prevent attacks, insider threats and errors, and to maintain control from within the organization. Not every agency has an official separation of duties policy in place; some apply the concept without having made it official.
Scope
The concept itself is simple and common sense. It is simple because it is essentially a matter of trust, but at the same time complex because it is costly and requires more manpower.
Procedures
There are many possible approaches, from requiring two signatures to requiring two people to be within eyesight of each other. But one approach I like is the two-person concept, which is to prevent a lone.
Guidelines
After the assessment is completed and a consensus has been reached that SoD is needed, an information flow chart needs to be created. Once the matrix is created, all personnel involved will need to be properly trained on and made aware of the SoD.
Overview
In this lab, you examined the seven domains of a typical IT
infrastructure from an information systems security
responsibility perspective. What are the roles and
responsibilities performed by the IT professional, and what are
the roles and responsibilities of the information systems security
practitioner? This lab presented an overview of exactly what
those roles and responsibilities are and, more importantly, how
to define a security management policy that aligns and defines
who is responsible for what. This is critical during a security
incident that requires immediate attention by the security
incident response team.
Lab Assessment Questions & Answers
1. For each of the seven domains of a typical IT infrastructure,
summarize what the information systems security
responsibilities are within that domain:
The User Domain is the weakest link in an IT infrastructure.
Anyone responsible for computer security must understand what
motivates someone to compromise an organization’s system,
applications, or data.
The Workstation Domain can be a desktop computer, a laptop computer, a special-purpose terminal, or any other device that connects to your network. The IT security personnel must safeguard controls within the Workstation Domain. Typically, human resources departments define proper access control for workers based on their jobs. IT security personnel then assign access rights to systems, applications, and data based on this definition.
The LAN support group is in charge of the LAN Domain. This
includes both the physical component and logical elements.
LAN system administrators must maintain and support
departments’ file and print services and configure access
controls for users.
The network security group is responsible for the LAN-to-WAN
Domain. This includes both the physical components and logical
elements. Group members are responsible for applying the
defined security controls.
The network engineer or WAN group is responsible for the WAN Domain. This includes both the physical components and logical elements. Network engineers and security practitioners set up the defined security controls according to defined policies. Note that because of the complexities of IP network engineering, many groups now outsource management of their WAN and routers to service providers. This service includes SLAs that ensure that the system is available and that problems are solved quickly. In the event of a WAN connection outage, customers call a toll-free number for their service provider's network operations center.
The network engineer or WAN group is usually in charge of the Remote Access Domain. This includes both the hardware components and logical elements. Network engineers and security practitioners are in charge of applying security controls according to policies. These include maintaining, updating, and troubleshooting the hardware and logical remote access connection for the Remote Access Domain.
The responsibility for System/Application Domain lies with the
director of systems and applications and the director of software
development. This domain includes the following.
2. Which of the seven domains of a typical IT infrastructure require personnel and executive management support outside of the IT or information systems security organizations?
3. What does separation of duties mean?
Separation of duties is the means by which no one person has
sole control over the lifespan of a transaction.
4. How does separation of duties throughout an IT infrastructure mitigate risk for an organization?
Separation of duties fulfills two purposes. First, it prevents fraud, errors, and abuse of systems and processes, and second, it aids in the discovery of control failures such as theft of information, data breaches, and circumvention of security controls.
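The two-person concept from the Procedures section and the definition in questions 3 and 4 can be written as an enforceable control: no identity may hold more than one stage of a transaction, and completed records can be audited for that same condition. This is an added example, not part of the lab or the policy above; the role names, user names and ledger rows are constructed.

```python
# Added example, not part of the lab text: a two-person control over the stages
# of a bank transaction, plus an audit pass that flags ledger rows where one
# identity held more than one stage. Roles, names and rows are constructed.
from typing import Dict, List, Set

STAGES = ("initiated_by", "approved_by", "released_by")

class SeparationOfDutiesError(Exception):
    """One identity would control two stages of the same transaction."""

def new_transaction(txn_id: str, amount_cents: int, initiator: str) -> dict:
    return {"txn_id": txn_id, "amount_cents": amount_cents, "initiated_by": initiator}

class DualControl:
    """Each stage needs its role, and no user may act twice on one transaction."""
    def __init__(self, roles: Dict[str, Set[str]]):
        self.roles = roles  # user -> roles granted by HR / IT security

    def approve(self, txn: dict, user: str) -> dict:
        return self._act(txn, user, "approver", "approved_by")

    def release(self, txn: dict, user: str) -> dict:
        if "approved_by" not in txn:  # stages must happen in order
            raise SeparationOfDutiesError(f"{txn['txn_id']} released before approval")
        return self._act(txn, user, "releaser", "released_by")

    def _act(self, txn: dict, user: str, role: str, stage: str) -> dict:
        if role not in self.roles.get(user, set()):
            raise PermissionError(f"{user} lacks role {role}")
        if user in (txn.get(s) for s in STAGES):  # same person, second stage
            raise SeparationOfDutiesError(f"{user} already acted on {txn['txn_id']}")
        txn[stage] = user
        return txn

def outcome(action, *args) -> str:
    """Run one stage; return 'ok' or the name of the control that refused it."""
    try:
        action(*args)
        return "ok"
    except (PermissionError, SeparationOfDutiesError) as exc:
        return type(exc).__name__

def find_sod_violations(ledger: List[dict]) -> List[str]:
    """Audit completed rows: ids where one identity held two or more stages."""
    return [r["txn_id"] for r in ledger if len({r[s] for s in STAGES}) < len(STAGES)]

SAMPLE_LEDGER = [  # constructed rows; T2 was approved and released by one person
    {"txn_id": "T1", "initiated_by": "alice", "approved_by": "bob", "released_by": "carol"},
    {"txn_id": "T2", "initiated_by": "alice", "approved_by": "dave", "released_by": "dave"},
]
```

The preventive check refuses the second stage at the moment it is attempted, while the audit pass covers the detective purpose named in question 4 by flagging records that slipped through.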
5. How would you position a layered security approach with a
layered security management approach for an IT infrastructure?
I would make sure that protocols in each layer correspond and
function together. This way you can position the higher
protocols with higher ones and lower with lower ones.
6. If a system administrator had both the ID and password to a system, would that be a problem?
It would be a problem if the password is too weak or not encrypted.
7. When using a layered security approach to system administration, who would have the highest access privileges?
The super administrator of the IT system would have highest
access privileges.
8. Who would review the organization's layered approach to security?
The administrator of the IT security department.
9. Why do you only want to refer to technical standards in a policy definition document?
Because the technical standards referred to in a policy definition document identify and enumerate the industry's recommended standards that will help enforce an IT policy.
10. Why is it important to define guidelines in this layered security management policy?
Because it is important to understand the guidelines: when a user violates policy or something bad happens, the user will know how to isolate the issue, which helps mitigate the risk.
11. Why is it important to define access control policies that limit or prevent exposing customer privacy data to employees?
Because employees are human and will sometimes violate policy for no reason. To mitigate that risk, customer data must be encrypted or employee access to it limited.
12. Explain why the seven domains of a typical IT infrastructure help organizations align to separation of duties.
They give clarity of job functions and transparency on task ownership, distribute controls, and aid in the implementation of secure IT controls.
13. Why is it important for an organization to have a policy definition for Business Continuity and Disaster Recovery?
Because it gives the organization the highest odds of recovering from a disaster with minimal damage and loss.
14. Why is it important to prevent users from downloading and installing applications on organization-owned laptops and desktop computers?
Because some downloads from the Internet contain viruses or malware, so preventing users from downloading and installing them reduces risk.
15. Separation of duties is best defined by policy definition. What is needed to ensure its success?
Separation of duties is the concept of requiring more than one person to complete a task. Each individual in the company will be the key to its success.
