
Lab #3 – Assessment Worksheet

Part A – List of Risks, Threats, and Vulnerabilities Commonly Found in an IT Infrastructure

Course Name: IAP301

Student Name: NGUYỄN MINH TRƯỜNG

Instructor Name: DinhMH

Lab Due Date: 18/1/2024

Overview

The following risks, threats, and vulnerabilities were found in a healthcare IT infrastructure serving
patients with life-threatening situations. Given the following list, select where the risk, threat, or
vulnerability resides in the seven domains of a typical IT infrastructure.

| Risk – Threat – Vulnerability | Primary Domain Impacted |
| --- | --- |
| Unauthorized access from public Internet | LAN-to-WAN |
| User destroys data in application and deletes all files | User |
| Hacker penetrates your IT infrastructure and gains access to your internal network | Workstation |
| Intra-office employee romance “gone bad” | User |
| Fire destroys the primary data center | System/Application |
| Communication circuit outages | System/Application |
| Workstation OS has a known software vulnerability | Workstation |
| Unauthorized access to organization-owned workstations | Workstation |
| Loss of production data | User |
| Denial of service attack on organization e-mail server | LAN |
| Remote communications from home office | Remote Access |
| LAN server OS has a known software vulnerability | LAN |
| User downloads an unknown e-mail attachment | User |
| Workstation browser has software vulnerability | Workstation |
| Service provider has a major network outage | System/Application |
| Weak ingress/egress traffic filtering degrades performance | LAN-to-WAN |
| User inserts CDs and USB hard drives with personal photos, music, and videos on organization-owned computers | User |
| VPN tunneling between remote computer and ingress/egress router | LAN-to-WAN |
| WLAN access points are needed for LAN connectivity within a warehouse | LAN |
| Need to prevent rogue users from unauthorized WLAN access | LAN |

Overview

For each of the identified risks, threats, and vulnerabilities, select the most appropriate policy definition
that may help mitigate the identified risk, threat, or vulnerability within that domain from the following
list:

Policy Definition List

Acceptable Use Policy

Access Control Policy Definition

Business Continuity – Business Impact Analysis (BIA) Policy Definition

Business Continuity & Disaster Recovery Policy Definition

Data Classification Standard & Encryption Policy Definition

Internet Ingress/Egress Traffic Policy Definition

Mandated Security Awareness Training Policy Definition

Production Data Back-up Policy Definition

Remote Access Policy Definition


Vulnerability Management & Vulnerability Window Policy Definition

WAN Service Availability Policy Definition

| Risk – Threat – Vulnerability | Policy Definition Required |
| --- | --- |
| Unauthorized access from public Internet | Internet Ingress/Egress Traffic Policy Definition |
| User destroys data in application and deletes all files | Data Classification Standard & Encryption Policy Definition |
| Hacker penetrates your IT infrastructure and gains access to your internal network | Vulnerability Management & Vulnerability Window Policy Definition |
| Intra-office employee romance gone bad | Mandated Security Awareness Training Policy Definition |
| Fire destroys primary data center | Business Continuity & Disaster Recovery Policy Definition |
| Communication circuit outages | Business Continuity – Business Impact Analysis (BIA) Policy Definition |
| Workstation OS has a known software vulnerability | Production Data Back-up Policy Definition |
| Unauthorized access to organization-owned workstations | Access Control Policy Definition |
| Loss of production data | Production Data Back-up Policy Definition |
| Denial of service attack on organization e-mail server | Internet Ingress/Egress Traffic Policy Definition |
| Remote communications from home office | Remote Access Policy Definition |
| LAN server OS has a known software vulnerability | Vulnerability Management & Vulnerability Window Policy Definition |
| User downloads an unknown e-mail attachment | AUP |
| Workstation browser has software vulnerability | Vulnerability Management & Vulnerability Window Policy Definition |
| Service provider has a major network outage | WAN Service Availability Policy Definition |
| Weak ingress/egress traffic filtering degrades performance | Internet Ingress/Egress Traffic Policy Definition |
| User inserts CDs and USB hard drives with personal photos, music, and videos on organization-owned computers | AUP |
| VPN tunneling between remote computer and ingress/egress router | Remote Access Policy Definition |
| WLAN access points are needed for LAN connectivity within a warehouse | WAN Service Availability Policy Definition |
| Need to prevent rogue users from unauthorized WLAN access | Access Control Policy Definition |

Overview

In this lab, students identified risks, threats, and vulnerabilities throughout the seven domains of
a typical IT infrastructure. By organizing these risks, threats, and vulnerabilities within each of
the seven domains of a typical IT infrastructure, information system security policies can be
defined to help mitigate this risk. Using policy definition and policy implementation,
organizations can “tighten” security throughout the seven domains of a typical IT infrastructure.

Lab Assessment Questions & Answers

1. A policy definition usually contains what four major parts or elements?

Policy statement, Purpose and objective, Scope, Procedure

2. In order to effectively implement a policy framework, what three organizational elements are
absolutely needed to ensure successful implementation?

Clear leadership commitment and accountability, coupled with effective communication and
training, form the foundation for successful policy implementation.

3. Which policy is the most important one to implement to separate employer from employee?
Which is the most challenging to implement successfully?

AUP

4. Which domain requires stringent access controls and encryption for connectivity to the
corporate resources from home? What policy definition is needed for this domain?

Remote Access Domain - Remote Access Policy Definition

5. Which domains need software vulnerability management & vulnerability window policy
definitions to mitigate risk from software vulnerabilities?

Workstation Domain - Vulnerability Management & Vulnerability Window Policy Definition

6. Which domain requires AUPs to minimize unnecessary User-initiated Internet traffic and
awareness of the proper use of organization-owned IT assets?

User Domain - Internet Ingress/Egress Traffic Policy Definition

7. What policy definition can help remind employees within the User Domain about on-going
acceptable use and unacceptable use?

Internet Ingress/Egress Traffic Policy Definition

8. What policy definition is required to restrict and prevent unauthorized access to organization
owned IT systems and applications?

9. What is the relationship between an Encryption Policy Definition and a Data Classification
Standard?

Encryption policy is about how data is encrypted using standards crypto algorithm, Data
Classification Standard is about data classified for easy handling

10. What policy definition is needed to minimize data loss?

Production Data Back-up Policy Definition

11. Explain the relationship between the policy-standard-procedure-guideline structure and how
this should be postured to the employees and authorized users.

The policy-standard-procedure-guideline structure establishes a governance hierarchy; when
communicated to employees, policies provide principles, standards set benchmarks, procedures
outline steps, and guidelines offer support for clear understanding and adherence to
organizational expectations.

12. Why should an organization have a remote access policy even if they already have an
Acceptable Use Policy (AUP) for employees?

A remote access policy is needed alongside an Acceptable Use Policy to give clear rules for
securely working from outside the office, addressing unique risks like secure connections and
data protection that may not be covered in a general use policy. It ensures specific guidance for
safe remote work.

13. What security controls can be implemented on your e-mail system to help prevent rogue or
malicious software disguised as URL links or e-mail attachments from attacking the Workstation
Domain?

E-mail filtering and detection, and URL scanning

What kind of policy definition should this be included in? Justify your answer.

Internet Ingress/Egress Traffic Policy Definition

14. Why should an organization have annual security awareness training that includes an
overview of the organization’s policies?

Annual security awareness training ensures employees stay informed about evolving threats,
fostering a security-conscious culture. Including an overview of organization policies reinforces
adherence, reducing security risks and promoting a cohesive security posture.

15. What is the purpose of defining a framework for IT security policies?

It provides a base for creating policies, so that they can be built on and followed to give clear guidelines
and terms. It establishes a cohesive set of guidelines, standards, and procedures, ensuring a
systematic and consistent approach to safeguarding an organization's information assets and
technology infrastructure.