Lab #3 Defining an Information Systems Security Policy Framework for an IT Infrastructure

Introduction

In any company, a security policy helps to mitigate the risks and threats the business encounters. However, unless a company happens to be in the information security industry, the task of identifying, assessing, and categorizing the myriad of risks can be an overwhelming one. Thankfully, a company's IT infrastructure can be divided in a logical manner to more easily sort the risks. These divisions are the seven IT domains. The purpose of the seven domains of a typical IT infrastructure is to help organize the roles, responsibilities, and accountabilities for risk management and risk mitigation.

In this lab, you will identify known risks, threats, and vulnerabilities, and you will determine which domain of a typical IT infrastructure is affected. You will then discuss security policies to address each identified risk and threat within the seven domains of a typical IT infrastructure. You will next determine which appropriate security policy definition will help mitigate the identified risk, threat, or vulnerability. You will organize your results into a framework that can become part of a layered security strategy.

Learning Objectives

Upon completing this lab, you will be able to:

Identify risks, threats, and vulnerabilities commonly found in the seven domains of a typical IT infrastructure.
Determine which domain is impacted by the risk, threat, or vulnerability.
Determine security policies to address each identified risk and threat within the seven domains of a typical IT infrastructure.
Select the appropriate policy definitions needed throughout the seven domains of a typical IT infrastructure to mitigate the identified risks, threats, and vulnerabilities.
Organize the security policies in an overall framework as part of a layered security strategy for the seven domains of a typical IT infrastructure.

Deliverables

Upon completion of this lab, you are required to provide the following deliverables to your instructor:

1. Lab Report file
2. Lab Assessments file

Hands-On Steps

Note: This is a paper-based lab. To successfully complete the deliverables for this lab, you will need access to Microsoft Word or another compatible word processor. For some labs, you may also need access to a graphics line drawing application, such as Visio or PowerPoint. Refer to the Preface of this manual for information on creating the lab deliverable files.

1. On your local computer, create the lab deliverable files.
2. Review the Lab Assessment Worksheet. You will find answers to these questions as you proceed through the lab steps.
3. Review the seven domains of a typical IT infrastructure (see Figure).
4. On your local computer, open a new Internet browser window.
5. In the address box of your Internet browser, type the URL http://www.continuitycompliance.org/security-policy-components-of-agood-policy/ and press Enter to open the Web site.
6. Review the information to determine the components of an information systems security policy.
7. In your Lab Report file, identify the major components of an information systems security policy.
8. In your Lab Report file, align each of the risks, threats, and vulnerabilities identified in the table in Lab 2 to the domain impacted (refer to Figure for the seven IT domains).
9. In your Lab Report file, explain how risks like these can be mitigated with an information systems security policy.
10. In the address box of your Internet browser, type the URL http://download.matus.in/security/bezpecnostna%20politika/howtos/policy_Primer.pdf and press Enter to open the Web site.
11. Read the SANS Institute's document, A Short Primer for Developing Security Policies.
12. Visit the website http://www.sans.org/security-resources/policies for various information security policy templates and get yourself acquainted with these templates.
13. In your Lab Report file, define what a policy is according to the SANS Institute.

Note: It is important to understand how and why a policy differs from a standard, a procedure, and a guideline. From the top down, the policy should not change or need modification unless a major shift in corporate values or business process occurs. On the contrary, guidelines should be reviewed, and possibly changed, often. Similarly, even though a policy should be written clearly and concisely, it is a high-level document answering the "why" questions. Standards are also high-level, but instead should answer the "what" questions. Finally, the procedures and guidelines provide the "how".

14. Using the SANS primer and the various policy templates (step 12), in your Lab Report file, describe the basic requirements of policies, their benefits, the control factors, and the policies every organization needs.
15. Review the identified risks, threats, and vulnerabilities in the table in step 8, and then select an appropriate policy definition that might help mitigate each of them. You can select one of the SANS policies or choose one from the following list:

Policy Definition List
Acceptable Use Policy
Access Control Policy Definition
Business Continuity - Business Impact Analysis (BIA) Policy Definition
Business Continuity - Disaster Recovery Policy Definition
Data Classification Standard & Encryption Policy Definition
Internet Ingress/Egress Traffic Policy Definition
Mandated Security Awareness Training Policy Definition
Production Data Backup Policy Definition
Remote Access Policy Definition
Vulnerability Management & Vulnerability Window Policy Definition
Wide Area Network (WAN) Service Availability Policy Definition

16. In your Lab Report file, organize your security policies and the definitions you selected so that they can be used as part of an overall framework for a layered security strategy.
Evaluation Criteria and Rubrics

The following are the evaluation criteria for this lab that students must perform:

1. Identify risks, threats, and vulnerabilities commonly found in the seven domains of a typical IT infrastructure. [25%]
2. Determine security policies to address each identified risk and threat within the seven domains of a typical IT infrastructure. [25%]
3. Select the appropriate policy definitions needed throughout the seven domains of a typical IT infrastructure to mitigate the identified risks, threats, and vulnerabilities. [25%]
4. Organize the security policies in an overall framework as part of a layered security strategy for the seven domains of a typical IT infrastructure. [25%]
Lab #3 - Assessment Worksheet

Defining an Information Systems Security Policy Framework for an IT Infrastructure

Course Name and Number:
Student Name:
Instructor Name:
Lab Due Date:

Overview

In this lab, you identified known risks, threats, and vulnerabilities, and you determined which domain of a typical IT infrastructure was affected. You then discussed security policies to address each identified risk and threat within the seven domains of a typical IT infrastructure. You next determined which appropriate security policy definition helped mitigate the identified risk, threat, or vulnerability. You organized your results into a framework that could become part of a layered security strategy.

Lab Assessment Questions

1. What is the purpose of defining a framework for IT security policies?
2. What are the major components of an information systems security policy?
3. What is the definition of a policy?
4. What are the benefits of a policy?
5. What policy definition in the SANS primer or in the list provided in the lab is required to restrict and prevent unauthorized access to organization-owned IT systems and applications?
6. What policy definition in the SANS primer or in the list provided in the lab can help remind employees in the User Domain about ongoing acceptable use and unacceptable use?
7. Why should an organization have a remote access policy even if it already has an acceptable use policy (AUP) for employees?
8. What security controls can be implemented on your mail system to help prevent rogue or malicious software disguised as URL links or e-mail attachments from attacking the Workstation Domain? What kind of policy definition should you use?
9. Why should an organization have annual security awareness training that includes an overview of the organization's policies?