Lab #1 Creating an IT Infrastructure Asset List and. Identifying Where Privacy Data Resides

Transcription

1 Lab #1 Creating an IT Infrastructure Asset List and Identifying Where Privacy Data Resides Introduction Privacy is of growing concern, especially that of individual personal information. Between businesses seeking more effective use of their marketing budgets and governments targeting potential hostiles, the individual struggles to keep any information private. The purpose of an IT asset identification and asset classification exercise is to protect privacy data and implement security controls. Identifying where privacy data is accessed throughout an IT infrastructure or outside of its protected environment is important. In this lab, you will create an IT asset/inventory checklist organized within the seven domains of a typical IT infrastructure, Jones & you Bartlett will perform Learning, an asset LLC identification and classification Jones exercise, & Bartlett Learning, LL you will explain NOT how FOR a data SALE classification OR DISTRIBUTION standard is linked to customer privacy NOT data FOR and SALE OR DISTRIBUT security controls, and you will identify where privacy data resides and what security controls are needed to maintain compliance. Learning Jones & Objectives Bartlett Learning, LLC Upon completing this lab, you will be able to: Create an IT asset/inventory checklist organized within the seven domains of a typical IT infrastructure. Jones & Bartlett Perform Learning, an asset LLC identification and asset Jones classification & Bartlett exercise Learning, for a typical LLC IT NOT FOR SALE OR infrastructure. DISTRIBUTION Explain how a data classification standard is linked to customer privacy data protection and proper security controls. Identify where privacy data can reside or traverse throughout the seven domains of a typical IT infrastructure. Jones & Bartlett Learning, LLC Identify NOT where FOR privacy SALE data OR protection DISTRIBUTION and proper security controls are NOT needed FOR to SALE assist OR DISTRIBUT organizations with maintaining compliance. 1..

2 2 LAB #1 Creating an IT Infrastructure Asset List and Identifying Where Privacy Data Jones & Bartlett Resides Learning, LLC Deliverables Upon completion of Jones this lab, & Bartlett you are required Learning, to provide LLC the following deliverables Jones to & your Bartlett Learning, LL instructor: 1. Lab Report file; 2. Lab Assessments file. Instructor NOT FOR SALE Demo OR DISTRIBUTION The Instructor will present the instructions for this lab. This will start with a general discussion of asset identification and asset classification from a risk management perspective. The Jones & Bartlett Instructor Learning, will then present LLC an overview of the risks, Jones threats, & Bartlett and vulnerabilities Learning, LLC commonly found NOT FOR SALE within OR the DISTRIBUTION seven domains of a typical IT infrastructure...

3 3 Hands-On Steps Note: This is a paper-based NOT lab. FOR To successfully SALE OR complete DISTRIBUTION the deliverables for this lab, you will need NOT access FOR to Microsoft SALE OR DISTRIBUT Word or another compatible word processor. For some labs, you may also need access to a graphics line drawing application, such as Visio or PowerPoint. Refer to the Preface of this manual for information on creating the lab deliverable files. 1. On your local computer, create the lab deliverable files. 2. Review the Lab Assessment Worksheet. You will find answers to these questions as you proceed through the lab steps. NOT FOR SALE 3. OR Review DISTRIBUTION the seven domains of a typical NOT IT infrastructure. FOR SALE OR DISTRIBUTION Figure 1 Seven domains of a typical IT infrastructure An Asset s Finer NOT Points FOR SALE OR DISTRIBUTION A domain is not the same as an asset. And a piece of hardware does not always equate to one asset. Many assets can be in one domain, such as the System/Application Domain. A single hardware firewall might present itself as two assets, one in two different domains, for example, a Local Area Network-to-Wide Area Network (LANto-WAN) firewall and a Wide Area Network (WAN) firewall. In your own environments, ask yourself, What function does this perform? Copyright 2014 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved. Student Lab Manual..

4 4 LAB #1 Creating an IT Infrastructure Asset List and Identifying Where Privacy Data Jones & Bartlett Resides Learning, LLC 4. Review Figure 2, which is a Mock IT infrastructure with a Cisco core backbone network. Jones Figure 2 & Mock Bartlett IT infrastructure Learning, with LLC Cisco core backbone network 5. Refer to Figure 2 and note the following information, which describes the details of the Workstation Domain and System/Application Domain at a health care provider under the Health Insurance Portability and Accountability Act (HIPAA) compliance law: Jones & Workstation Bartlett Learning, Domain: Indicated LLC by the B in Figure Jones 2, the Workstation & Bartlett Learning, Domain LLC NOT FOR consists SALE of OR Microsoft DISTRIBUTION XP 2003, SP2 workstations NOT (50), FOR laptops SALE (50), OR and DISTRIBUTION desktop computers (50). System/Application Domain: Indicated by the G in Figure 2, the System/Application Domain consists of the following servers and applications: Jones & Bartlett Learning, o Linux LLC Server #1 (Domain Name Jones Server & Bartlett [DNS], Learning, File Transfer LLC Protocol [FTP], and Trivial File Transfer Protocol NOT FOR [TFTP]) SALE OR DISTRIBUTION o Linux Server #2 (Web Server) o Microsoft Server #1 (e-commerce Server and Customer Database Subset) o Microsoft Server #2 (Master Structured Query Language [SQL] Customer Jones Database & and Bartlett Intellectual Learning, Property LLCAssets) o NOT Microsoft FOR SALE Server OR #3 DISTRIBUTION (Office Automation, Dynamic Host NOT Configuration FOR SALE OR DISTRIBUT Protocol [DHCP] Server, and Customer Database Subset) o Microsoft Server #4 ( Server)..

5 5 NOT FOR SALE 6. OR In DISTRIBUTION your Lab Report file, use the following NOT table FOR to SALE identify OR three DISTRIBUTION to five IT assets and insert them into the table. Indicate in which of the seven domains of an IT infrastructure the asset resides. Indicate if the asset accesses customer privacy data or contains customer privacy data. Finally, classify the IT asset as Critical, Major, or Minor, where the following defines Jones each: & Bartlett Learning, LLC Critical: Generates revenues or represents intellectual property asset of organization Major: Contains customer privacy data Minor: Required for normal business functions and operations Jones IT Asset & Bartlett Learning, Seven Domains LLC Description of Typical IT Privacy Data Jones & Bartlett Assessment Learning, LLC Impact [Critical-Major-Minor] Note: Pay attention to the descriptions of the various System/Application assets. Individual assets may fall into different assessment categories. The same certainly holds true for real-world environments you will assess. The guiding question should always be What does this asset do? or What sort of data does it hold? 7. In your Lab Report file, explain how a data classification standard is related to customer privacy data protection and security controls. Note: This completes the lab. Close the Web browser, if you have not already done so. Copyright 2014 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved. Student Lab Manual..

6 6 LAB #1 Creating an IT Infrastructure Asset List and Identifying Where Privacy Data Jones & Bartlett Resides Learning, LLC Evaluation Criteria and Rubrics The following are NOT the FOR evaluation SALE criteria OR DISTRIBUTION for this lab that students must perform: 1. Create an IT asset/inventory checklist organized within the seven domains of a typical IT infrastructure. [20%] Jones 2. Perform & Bartlett an asset Learning, identification LLCand asset classification exercise Jones & for Bartlett a typical Learning, IT LLC NOT FOR infrastructure. SALE OR [20%] DISTRIBUTION 3. Explain how a data classification standard is linked to customer privacy data protection and proper security controls. [20%] 4. Identify where privacy data can reside or traverse throughout the seven domains of a typical IT infrastructure. [20%] 5. Identify where privacy data protection and proper security controls are needed to assist organizations with maintaining compliance. [20%]..