Lab 9 – Group 5

An IT security policy framework establishes rules and standards for how an organization will achieve long-term security goals. Policy definitions can help close loopholes that allow risks to exist and be exploited. They are also part of a layered security strategy. The sample framework was missing an Incident Response Policy Definition. Policies are needed for internet and telecommunication service providers to manage risks from their services. A Vulnerability Assessment and Management Policy reviews weaknesses and assigns severity levels to vulnerabilities.

Uploaded by Dũng Phạm

Part B – Policy definition required for each risk, threat, or vulnerability

| Risk – Threat – Vulnerability | Policy Definition Required |
|---|---|
| Unauthorized access from public Internet | Access Control Policy Definition |
| User destroys data in application and deletes all files | Acceptable Use Policy, Mandated Security Awareness Training Policy Definition |
| Hacker penetrates your IT infrastructure and gains access to your internal network | Vulnerability Management & Vulnerability Window Policy Definition |
| Intra-office employee romance gone bad | BIA Policy Definition |
| Fire destroys primary data center | Business Continuity & Disaster Recovery Policy Definition, Production Data Back-up Policy Definition |
| Communication circuit outages | Business Continuity & Disaster Recovery Policy Definition |
| Workstation OS has a known software vulnerability | Vulnerability Management & Vulnerability Window Policy Definition |
| Unauthorized access to organization-owned workstations | Access Control Policy Definition |
| Loss of production data | Production Data Back-up Policy Definition |
| Denial of service attack on organization e-mail server | Vulnerability Management & Vulnerability Window Policy Definition |
| Remote communications from home office | Remote Access Policy Definition |
| LAN server OS has a known software vulnerability | Vulnerability Management & Vulnerability Window Policy Definition |
| User downloads an unknown e-mail attachment | Acceptable Use Policy, Mandated Security Awareness Training Policy Definition |
| Workstation browser has software vulnerability | Vulnerability Management & Vulnerability Window Policy Definition |
| Service provider has a major network outage | WAN Service Availability Policy Definition |
| Weak ingress/egress traffic filtering degrades performance | Internet Ingress/Egress Traffic Policy Definition |
| User inserts CDs and USB hard drives with personal photos, music, and videos on organization-owned computers | Acceptable Use Policy |
| VPN tunneling between remote computer and ingress/egress router | Remote Access Policy Definition, Internet Ingress/Egress Traffic Policy Definition |
| WLAN access points are needed for LAN connectivity within a warehouse | Access Control Policy Definition |
| Need to prevent rogue users from unauthorized WLAN access | Data Classification Standard & Encryption Policy Definition |

Domain in which each risk, threat, or vulnerability resides

| Risk – Threat – Vulnerability | Domain |
|---|---|
| Unauthorized access from public Internet | Remote Access Domain |
| Hacker penetrates IT infrastructure and gains access to your internal network | LAN-to-WAN Domain |
| Communication circuit outages | WAN Domain |
| Workstation OS has a known software vulnerability | Workstation Domain |
| Fire destroys primary data center | System/Application Domain |
| Denial of service attack on organization e-mail server | LAN-to-WAN Domain |
| Loss of production data | System/Application Domain |
| Intra-office employee romance gone bad | User Domain |
| User destroys data in application and deletes all files | System/Application Domain |
| Remote communications from home office | Remote Access Domain |
| LAN server OS has a known software vulnerability | LAN-to-WAN Domain |
| User downloads an unknown e-mail attachment | User Domain |
| Workstation browser has software vulnerability | Workstation Domain |
| Service provider has a major network outage | WAN Domain |
| Weak ingress/egress traffic filtering degrades performance | LAN Domain |
| VPN tunneling between remote computer and ingress/egress router | LAN-to-WAN Domain |
| User inserts CDs and USB hard drives with personal photos, music, and videos on organization-owned computers | User Domain |
| Unauthorized access to organization-owned workstation | Workstation Domain |
| WLAN access points are needed for LAN connectivity within a warehouse | LAN Domain |
| Need to prevent rogue users from unauthorized WLAN access | LAN Domain |

1. What is the purpose of having a policy framework definition as opposed to individual policies?

A framework establishes the rules and standards for the concepts an organization will employ to achieve its long-term goals. It offers general recommendations that are then explicitly defined in the particular policies.

2. When should you use a policy definition as a means of risk mitigation and element of a layered security strategy?

When you need to close policy loopholes that allow a danger to exist with the potential to be exploited.

3. In your gap analysis of the IT security policy framework definition provided, which policy definition was missing for all access to various IT systems, applications, and data throughout the scenario?

Incident Response Policy Definition

Third-party Risk Policy Definition

4. Do you need policies for your telecommunication and Internet service providers?

Yes. ISPs make it possible for their customers to surf the web, shop online, conduct business, and connect with family and friends, all for a fee. ISPs may also provide other services including email services, domain registration, web hosting, and browser packages. An ISP may also be referred to as an information service provider, a storage service provider, an Internet service provider (INSP), or any combination of these three, based on the services the company offers.

5. Which policy definitions from the list provided in Lab #9 – Part B help optimize performance of an organization's Internet connection?

Remote Access Policy Definition

Internet Ingress/Egress Traffic Policy Definition

Data Classification Standard & Encryption Policy Definition

6. What is the purpose of a Vulnerability Assessment & Management Policy for an IT infrastructure?

A vulnerability assessment is a systematic review of security weaknesses in an information system. It evaluates whether the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation if and whenever needed.

The management side means managing an organization's assets to deliver the required level of service, the objective being to meet current and future demand at the optimal long-term cost.

7. Which policy definition helps achieve availability goals for data recovery when data is lost or corrupted?

Business Continuity & Disaster Recovery Policy Definition

Production Data Back-up Policy Definition

8. Which policy definitions reference a Data Classification Standard and use of cryptography for confidentiality purposes?

Data Classification Standard & Encryption Policy Definition

9. Which policy definitions from the sample IT security policy framework definition mitigate risk in the User Domain?

Acceptable Use Policy

Mandated Security Awareness Training Policy Definition

BIA Policy Definition


10. Which policy definition from the sample IT security policy framework definition mitigates risk in the LAN-to-WAN Domain?

Vulnerability Management & Vulnerability Window Policy Definition

Remote Access Policy Definition

Internet Ingress/Egress Traffic Policy Definition

11. How does an IT security policy framework make it easier to monitor and enforce throughout an organization?

It establishes standards that everyone must follow in order for the organization to function well, so compliance can be measured against one common set of rules.

12. Which policy definition requires an organization to list its mission-critical business operations and functions and the accompanying IT systems, applications, and databases that support it?

Asset Protection Definition

13. Why is it common to find a Business Continuity Plan (BCP) Policy Definition and a Computer Security Incident Response Team (CSIRT) Policy Definition?

It is common because the CSIRT is a component of the BCP. The CSIRT enables the firm to respond to hazards more quickly.

14. True or False. A Data Classification Standard will define whether or not you need to encrypt the data while residing in a database.

True

15. True or False. Your upstream Internet Service Provider must be part of your Denial of Service / Distributed Denial of Service risk mitigation strategy at the LAN-to-WAN Domain's Internet ingress/egress. This is best defined in a policy definition for Internet ingress/egress availability.

False
