Lab 4

This document is a lab report submitted by student Mai Gia Tú for the course IAP301 under instructor Mai Hoàng Đỉnh. It discusses the information security policy of ABC Credit Union, which is designed to ensure confidentiality, integrity and availability of the organization's information assets. The policy establishes guidelines and procedures to safeguard sensitive information from unauthorized access, disclosure, alteration and destruction. It references the "Workstation Configuration Standards" and "Network Security Standards" and addresses seven domains of a typical IT infrastructure: the user, workstation, LAN, LAN-to-WAN, WAN, remote access, and system/application domains.

LAB 4 REPORT

Course Name: IAP301

Student Name: SE151146 - Mai Gia Tú

Instructor Name: Mai Hoàng Đỉnh

Lab Due Date: 25/1/2024


FPT UNIVERSITY
ABC Credit Union
Policy Name: Information Security Policy

Policy Statement
The Information Security Policy of ABC Credit Union is designed to
ensure the confidentiality, integrity, and availability of the organization's
information assets. This policy establishes guidelines and procedures to
safeguard sensitive information from unauthorized access, disclosure,
alteration, and destruction.

Separation of duties is widely used, not only in IT but everywhere, for the
purpose of assigning different tasks to different individuals. Once these
responsibilities are assigned, every member of personnel is expected to abide
by all rules and regulations set forth for them.
Purpose/Objectives
- Used to prevent attacks, insider threats, errors, and maintain control
from within the organization.
- Ensure the security of information assets.
- Protect customer and organizational data.
- Comply with relevant laws and regulations.

Scope
The seven domains of a typical IT infrastructure impacted by this policy
include:
1. User Domain
2. Workstation Domain
3. LAN Domain
4. LAN-to-WAN Domain
5. WAN Domain
6. Remote Access Domain
7. System/Application Domain

BUSINESS REPORT 2
Standards
This policy references the "Workstation Configuration Standards" and
"Network Security Standards" for specific hardware, software, and
configuration requirements.

Procedures
- User Domain: User access privileges are managed by the IT department.
Employees receive training on security best practices.
- Workstation Domain: Workstations are configured according to the
"Workstation Configuration Standards." Antivirus software is mandatory.
- LAN Domain: Network access is restricted based on job roles. Firewalls
and intrusion detection/prevention systems are implemented.
- LAN-to-WAN Domain: Secure routers and switches are configured to
control traffic between the LAN and WAN.
- WAN Domain: Encryption is used for data transmitted over the WAN.
Access controls are enforced.
- Remote Access Domain: Remote access requires multi-factor
authentication. VPNs are used to secure connections.
- System/Application Domain: Regular vulnerability assessments and
patch management are conducted.

Guidelines:
Any disputes or gaps in the separation of duties responsibility should be
reported to the IT Security Officer.

LAB ASSESSMENT QUESTIONS & ANSWERS

1. For each of the seven domains of a typical IT infrastructure, summarize
what the information systems security responsibilities are within that domain.
a. User Domain:
- Responsibility: Ensure that users understand and follow security policies.
- Motivation: Understand user behavior to prevent compromise.

b. Workstation Domain:
- Responsibility: Safeguard controls within workstations.
- Access Control: Define proper access control based on job roles.
- Implementation: Assign access rights to systems, applications, and data based on
the access control definitions.

c. LAN Domain:
- Responsibility: LAN support group is in charge.
- Tasks: Maintain and support file and print services, configure access controls for
users.

d. LAN-to-WAN Domain:
- Responsibility: Network security group is responsible.
- Tasks: Apply defined security controls in both physical and logical elements.

e. WAN Domain:
- Responsibility: Network engineer or WAN group.
- Tasks: Set up defined security controls according to policies. May involve
outsourcing to service providers for WAN and router management.

f. Remote Access Domain:


- Responsibility: Network engineer or WAN group.
- Tasks: Apply security controls, maintain, update, and troubleshoot hardware and
logical remote access connections.

g. System/Application Domain:
- Responsibility: Director of systems and applications, director of software
development.
- Scope: Encompasses the development and maintenance of systems and
applications.

2. Which of the seven domains of a typical IT infrastructure require personnel
and executive management support outside of the IT or information systems
security organizations?
- The User Domain typically requires personnel and executive management support
outside of the IT or information systems security organizations.
Reason: In the User Domain, individuals throughout the organization, including
employees, contractors, and other personnel, play a crucial role in adhering to
security policies and practices. These individuals may not be part of the IT
department or directly involved in information systems security but are essential for
maintaining a secure environment.

3. What does separation of duties mean?
- Separation of duties is the means by which no one person has sole control over the
lifespan of a transaction.

4. How does separation of duties throughout an IT infrastructure mitigate risk
for an organization?
- Separation of duties fulfills two purposes. First, it prevents fraud, errors, and
abuse of systems and processes, because no single person can both perform and
approve a sensitive action. Second, it aids in the discovery of control failures
such as theft of information, data breaches, and circumvention of security
controls, because a second person sees every step.
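The following is an added example, not part of the lab report, showing how the definitions in questions 3 and 4 (and the single-administrator problem in question 6) are enforced in code. The users, roles, "toxic" role pairs and the wire-transfer workflow are constructed assumptions: a transfer must be initiated by one identity and approved by a different one holding the supervisor role, and a user who holds both roles is flagged before any transaction starts.

```python
"""Added example (not from the lab report): enforcing separation of duties
in code. Users, roles and the transfer workflow are constructed assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed role assignments; "carol" deliberately holds a toxic combination.
ROLE_ASSIGNMENTS = {
    "alice": {"teller"},
    "bob": {"supervisor"},
    "carol": {"teller", "supervisor"},
}

# Role pairs that one identity must never hold at the same time (assumption).
CONFLICTING_ROLES = [
    frozenset({"teller", "supervisor"}),
    frozenset({"developer", "production_deployer"}),
]


class SeparationOfDutiesError(Exception):
    """Raised when one identity would control a whole transaction lifecycle."""


def conflicting_assignments(assignments):
    """Map each user holding a conflicting role pair to that pair (sorted)."""
    violations = {}
    for user, roles in assignments.items():
        for pair in CONFLICTING_ROLES:
            if pair <= roles:
                violations[user] = tuple(sorted(pair))
    return violations


@dataclass
class Transfer:
    amount: int
    initiated_by: str
    approved_by: Optional[str] = None
    audit_log: List[str] = field(default_factory=list)


def initiate(amount, user, assignments=ROLE_ASSIGNMENTS):
    """Only a teller may create a transfer; the initiator is recorded for audit."""
    if "teller" not in assignments.get(user, set()):
        raise PermissionError(f"{user} is not authorised to initiate transfers")
    transfer = Transfer(amount, user)
    transfer.audit_log.append(f"initiated by {user}")
    return transfer


def approve(transfer, user, assignments=ROLE_ASSIGNMENTS):
    """Only a supervisor may approve, and never the person who initiated."""
    if "supervisor" not in assignments.get(user, set()):
        raise PermissionError(f"{user} is not authorised to approve transfers")
    if user == transfer.initiated_by:
        raise SeparationOfDutiesError(
            f"{user} initiated this transfer and cannot also approve it")
    transfer.approved_by = user
    transfer.audit_log.append(f"approved by {user}")
    return transfer


if __name__ == "__main__":
    print("toxic role combinations:", conflicting_assignments(ROLE_ASSIGNMENTS))
    done = approve(initiate(500, "alice"), "bob")
    print(done.audit_log)
    try:
        approve(initiate(500, "carol"), "carol")
    except SeparationOfDutiesError as err:
        print("blocked:", err)
```

The two checks are independent: `conflicting_assignments` is the review an IT Security Officer runs over role assignments before anyone transacts, while `approve` enforces the rule at the moment of the transaction, so even a user who slipped through the review cannot complete the lifecycle alone.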

5. How would you position a layered security approach with a layered security
management approach for an IT infrastructure?
- Align the two so that each layer of security controls has a matching layer of
management: the policy states the overall requirement, standards define the
technical controls for each domain, procedures describe how those controls are
implemented and operated, and guidelines fill the gaps. The controls in each layer
must then be coordinated so they correspond and function together, with
higher-level controls governed by higher-level management documents and
lower-level controls by the detailed standards and procedures.

6. If a system administrator had both the ID and password to a system, would that be a problem?
- Yes. If one administrator holds both the ID and the password for a system account,
that single person has unrestricted, unshared control over it, which violates
separation of duties. It allows misuse or unauthorized access, undermines the
security controls around the account, complicates auditing and accountability, and
heightens the risk of insider threats. Splitting knowledge of the credentials between
two people, or requiring a second person to approve privileged actions, restores the
control.

7. When using a layered security approach to system administration, who
would have the highest access privileges?
- The super administrator of the IT system (for example the root or enterprise
administrator account) would have the highest access privileges.

8. Who would review the organization's layered approach to security?
- The head of the IT security department (such as the IT Security Officer), together
with internal or external auditors, would review it.

9. Why do you only want to refer to technical standards in a policy definition
document?
- Because technical standards identify and enumerate the industry-recommended
configurations that enforce the policy, and they change far more often than the
policy itself. Referencing them (as this policy references the "Workstation
Configuration Standards" and "Network Security Standards") lets the detailed
requirements be updated without rewriting the policy.

10. Why is it important to define guidelines in this layered security
management policy?
- Because guidelines tell users and administrators how to act in situations the policy
does not spell out. When a user violates policy or an incident occurs, the guidelines
show how to isolate and report the issue, which helps mitigate the risk.

11. Why is it important to define access control policies that limit or prevent
exposing customer privacy data to employees?
- Because employees are human and will sometimes violate policy, whether by mistake
or deliberately. To mitigate that risk, customer data must be encrypted or access to
it limited to the employees whose job roles require it.
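As an added example (not from the lab report) of the access control described in the answer above, the block below applies a role-based, deny-by-default field policy to a customer record: a role sees a field in full only if explicitly allowed, some fields are returned masked, and a role absent from the policy gets nothing. The roles, field names and the sample record are constructed assumptions.

```python
"""Added example (not from the lab report): role-based, field-level access to
customer privacy data. Roles, fields and the sample record are assumptions."""

# Which fields each role may see in full, and which only in masked form.
# Any field not listed for a role is withheld (deny-by-default).
FIELD_POLICY = {
    "teller":        {"full": {"name", "account_id"}, "masked": {"ssn"}},
    "fraud_analyst": {"full": {"name", "account_id", "ssn", "balance"}, "masked": set()},
    "marketing":     {"full": {"name"}, "masked": set()},
}

# Constructed customer record.
SAMPLE_RECORD = {
    "name": "J. Doe",
    "account_id": "ACU-0001",
    "ssn": "123-45-6789",
    "balance": 2500,
}


def mask(value):
    """Keep only the last four characters; everything before them becomes '*'."""
    text = str(value)
    if len(text) <= 4:
        return "*" * len(text)
    return "*" * (len(text) - 4) + text[-4:]


def view_customer(record, role):
    """Return the subset of `record` that `role` may see, masking where required.

    Roles missing from FIELD_POLICY are rejected outright; fields missing from the
    role's policy are silently dropped, so new sensitive fields are hidden until
    someone explicitly grants them.
    """
    policy = FIELD_POLICY.get(role)
    if policy is None:
        raise PermissionError(f"role {role!r} has no access to customer records")
    visible = {}
    for key, value in record.items():
        if key in policy["full"]:
            visible[key] = value
        elif key in policy["masked"]:
            visible[key] = mask(value)
    return visible


if __name__ == "__main__":
    for role in ("teller", "marketing", "fraud_analyst"):
        print(role, "->", view_customer(SAMPLE_RECORD, role))
    try:
        view_customer(SAMPLE_RECORD, "intern")
    except PermissionError as err:
        print("denied:", err)
```

Masking at the point of retrieval means a teller can still confirm a customer's identity from the last four digits without the full value ever reaching their workstation, which is the "limited access" half of the answer; encryption of the stored record is the other half and is independent of this check.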

12. Explain why the seven domains of a typical IT infrastructure help
organizations align to separation of duties.
- Because each domain represents a distinct area of responsibility within the IT
environment, and by delineating these domains, organizations can clearly define
roles and responsibilities. This separation of duties ensures that no single individual
has excessive control over critical functions or systems, reducing the risk of
unauthorized access, fraud, and errors.

13. Why is it important for an organization to have a policy definition for
Business Continuity and Disaster Recovery?
- Because an organization with a defined BC/DR policy has the best odds of recovering
from a disruption with minimal damage and losses: roles, recovery priorities, and
procedures are decided in advance rather than improvised during the incident.

14. Why is it important to prevent users from downloading and installing
applications on organization-owned laptops and desktop computers?
- Because software downloaded from the internet may contain viruses or malware.
Preventing users from downloading and installing applications reduces that risk and
keeps workstations in line with the "Workstation Configuration Standards."

15. Separation of duties is best defined by policy definition. What is needed to
ensure its success?
- Separation of duties is the concept of requiring more than one person to complete a
task. Its success depends on the individual people in the company: management must
support and enforce it, roles must be clearly defined, and gaps or disputes must be
reported to the IT Security Officer, as the policy's Guidelines section requires.

-END-