Course Code: 290030    Section: 29106

Course Details: Information Quality Assurance 1    Date: 10-21-24

Name: Dionisio, Denemi Daniel C.    Student No.: 201911045

Midterm Laboratory Exercise 3


Develop Cybersecurity Policies and Procedures
Introduction

Information security policies provide a framework for organizations to manage and protect their
assets, and they are one of the safeguards organizations employ to reduce risk. Students will compare
information security policies to determine the differences between policies, standards, guidelines, and
procedures. Students will then develop an information security policy to address existing
vulnerabilities identified by an internal audit.

For example, a password policy states the requirement that strong passwords be created and
protected, and the associated standard sets the parameters a password must meet. A password
construction guideline explains how to create a strong password and gives best-practice
recommendations. The password procedure provides the step-by-step instructions for implementing
the strong password requirement. Within this framework, organizations update policies far less often
than they update the standards, guidelines, and procedures beneath them.
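To make the layering concrete, the following Python script is an added example (it is not part of the lab handout) of what the enforcement side of a password standard looks like once the procedure is implemented in code. The parameters are assumptions chosen for illustration: a 14-character minimum, no reuse of the last ten passwords, no password that appears on a breached-password list, and no password containing the username. The breached-password set, salt, and history are constructed inline so the script runs offline.

```python
"""Added example: enforcing a hypothetical password standard as code.

Assumed parameters (not taken from the lab): 14-character minimum, no reuse
of the last 10 passwords, no breached passwords, no username in the password.
"""
import hashlib
import hmac

MIN_LENGTH = 14          # assumed standard: minimum passphrase length
HISTORY_DEPTH = 10       # assumed standard: the last N passwords may not be reused
KDF_ITERATIONS = 100_000  # slow hash so a stolen history file is not cheap to reverse

# Constructed stand-in for a breached-password corpus; a real deployment would
# check against an offline copy of a list such as Have I Been Pwned's.
BREACHED_PASSWORDS = {"password", "welcome1", "acme2024", "summer2024!"}


def history_hash(password, salt):
    """Salted PBKDF2 digest used to keep password history without plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


def check_password(candidate, username, history, salt):
    """Return the list of standard violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in BREACHED_PASSWORDS:
        problems.append("appears in breached-password list")
    if username and username.lower() in candidate.lower():
        problems.append("contains the username")
    digest = history_hash(candidate, salt)
    # Only the most recent HISTORY_DEPTH entries count; compare_digest avoids
    # leaking which entry matched through timing differences.
    if any(hmac.compare_digest(digest, old) for old in history[-HISTORY_DEPTH:]):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


def rotate_password(candidate, username, history, salt):
    """Apply the check and, only if it passes, record the new hash in history."""
    problems = check_password(candidate, username, history, salt)
    if not problems:
        history.append(history_hash(candidate, salt))
    return problems


if __name__ == "__main__":
    salt = b"per-user-salt-16"   # constructed; real salts are random per user
    history = []
    print(rotate_password("Summer2024!", "ddionisio", history, salt))
    print(rotate_password("correct-horse-battery-staple-42", "ddionisio", history, salt))
    print(rotate_password("correct-horse-battery-staple-42", "ddionisio", history, salt))
```

The point of the split is that the policy sentence ("passwords must be strong and protected") never changes, while the constants at the top of this script are the standard and can be tightened without rewriting the policy.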

Objectives

This project includes the following objectives:

Part 1: Review the Scenario

Part 2: Review and Prioritize Audit Findings

Part 3: Develop Policy Documents

Part 4: Develop a Plan to Disseminate and Evaluate Policies

Requirements

You will need internet access to the following websites, video, and documents:

- SANS Security Policy Project
  https://www.sans.org/security-resources/policies/

- Information Security Policy (video)
  https://youtu.be/ZlKgMUOpMf8

- Top Computer Security Vulnerabilities
  https://www.n-able.com/features/computer-security-vulnerabilities

- Information Security Policy – A Development Guide for Large and Small Companies (pdf)
  https://www.sans.org/reading-room/whitepapers/policyissues/information-security-policy-development-guide-large-small-companies-1331

- Technical Writing for IT Security Policies in Five Easy Steps
  https://www.sans.org/reading-room/whitepapers/policyissues/technical-writing-security-policies-easy-steps-492

Scenario

ACME Healthcare is a healthcare company that runs over 25 medical facilities including patient
care, diagnostics, outpatient care, and emergency care. The organization has experienced several data
breaches over the last five years. These data breaches have cost the organization financially and
damaged its reputation.

The executive leadership team recently hired a new chief information security officer (CISO). The
new CISO brought in one of the top cybersecurity penetration-testing teams to perform a full security
audit of the entire organization. This independent contractor conducted the audit and found the
following vulnerabilities:

1) Several accounts were identified for employees that are no longer employed by ACME.

2) Several user accounts allowed unauthorized and escalated privileges. These accounts
accessed systems and information without formal authorization.

3) Several devices and systems allowed insecure remote access.

4) Forty percent of all organization passwords audited were cracked within 6 hours.

5) Password expiration was not standardized.

6) Sensitive files were found unencrypted on user devices.

7) Several wireless hotspots used WEP for encryption and authentication.

8) Evidence indicates that sensitive e-mail was sent to and from employee homes and mobile
devices without encryption.

9) Intrusion detection logs were infrequently reviewed and analyzed.

10) Devices with sensitive company data were used by employees for private use.

11) Employee devices were left unattended and employees failed to logout of the company
network and data systems.

12) Device updates and configurations were applied inconsistently.

13) Several firewall rules were set to permit all traffic unless specifically denied.

14) Company servers were not updated with the latest patches.

15) The intranet web server allowed users to change personal information about themselves,
including contact information.

Instructions

Part 1: Review of the Scenario

Read the scenario given above. Watch the Information Security Policy video. Take notes to help
you differentiate the various levels and types of policies.

Part 2: Review and Prioritize Audit Findings


a. Research the types of vulnerabilities listed to determine which of them pose the greatest
threat. Go to Top Computer Security Vulnerabilities to learn more.

b. Based on your research, list the top five security audit findings that ACME should address,
starting with the greatest vulnerability.

c. Record your rankings in a Vulnerabilities Ranking Table, like the one shown below. It lists
the Vulnerabilities, the Recommended Policy to mitigate this vulnerability, and your Justification for the
ranking you determined.

Vulnerabilities Ranking Table

1. Vulnerability: Several user accounts allowed unauthorized and escalated privileges
   Recommended Policy: Implement a Role-Based Access Control (RBAC) policy and conduct regular access audits
   Justification: Unauthorized access is a critical issue because it can lead to data theft, unauthorized system changes, or breaches. Escalated privileges without oversight can also allow attackers or disgruntled employees to cause significant harm.

2. Vulnerability: Devices and systems allowed insecure remote access
   Recommended Policy: Adopt a strict Remote Access Policy requiring multi-factor authentication and VPN use
   Justification: Insecure remote access is one of the easiest ways for external attackers to get into the network, especially with the increase in remote work.

3. Vulnerability: Sensitive files were unencrypted on user devices
   Recommended Policy: Enforce a Data Encryption Policy covering all sensitive information
   Justification: Leaving sensitive data unencrypted makes it easy for attackers or unauthorized users to read valuable data, especially in the case of device theft.

4. Vulnerability: Device updates and configurations were applied inconsistently
   Recommended Policy: Establish a Patch Management Policy with regular updates and maintenance
   Justification: Outdated systems and software expose the organization to known vulnerabilities and exploits, including malware. Ensuring timely updates is critical for security.

5. Vulnerability: Several firewall rules allowed all traffic unless specifically denied
   Recommended Policy: Update the Firewall Policy to deny by default, permit only explicitly required traffic, and review the rule set on an ongoing basis
   Justification: Allowing all traffic by default increases the risk of unauthorized access to the network, leaving the organization open to a variety of attacks, such as botnet or malware intrusions.
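The firewall row above describes the finding in policy terms; the Python script below is an added example (not from the lab) of the technical check behind it. It models a first-match-wins rule list in a hypothetical, vendor-neutral format, evaluates a packet against the rule set "as found" (a few denies, everything else permitted) and against a corrected deny-by-default rule set, and audits each for the conditions the policy forbids: a permit default, a "permit any to any" rule, and rules shadowed by an earlier catch-all. Both rule sets, the addresses, and the packets are constructed for illustration.

```python
"""Added example: auditing a firewall policy for default-permit posture.

The rule format is a hypothetical first-match-wins list, not any vendor's
syntax; both rule sets and all addresses below are constructed.
"""
import ipaddress

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


def rule(action, src="0.0.0.0/0", dst="0.0.0.0/0", proto="any", dport=None):
    """Build one rule; src/dst are CIDR strings, dport None means any port."""
    return {"action": action, "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst), "proto": proto, "dport": dport}


def matches(r, pkt):
    return (ipaddress.ip_address(pkt["src"]) in r["src"]
            and ipaddress.ip_address(pkt["dst"]) in r["dst"]
            and r["proto"] in ("any", pkt["proto"])
            and (r["dport"] is None or r["dport"] == pkt["dport"]))


def evaluate(policy, pkt):
    """The first matching rule decides; otherwise the policy's default action applies."""
    for r in policy["rules"]:
        if matches(r, pkt):
            return r["action"]
    return policy["default"]


def is_catch_all(r):
    return (r["src"] == ANY_NET and r["dst"] == ANY_NET
            and r["proto"] == "any" and r["dport"] is None)


def audit(policy):
    """Findings a 'deny by default, permit explicitly' firewall policy would reject."""
    findings = []
    if policy["default"] == "permit":
        findings.append("default action is permit: anything not explicitly denied gets through")
    for i, r in enumerate(policy["rules"]):
        if r["action"] == "permit" and is_catch_all(r):
            findings.append(f"rule {i} permits any source to any destination on any port")
        if any(is_catch_all(p) for p in policy["rules"][:i]):
            findings.append(f"rule {i} is shadowed by an earlier catch-all rule and never matches")
    return findings


# Finding 13 as the audit found it: a handful of denies, everything else permitted.
AS_FOUND = {
    "default": "permit",
    "rules": [
        rule("deny", dst="10.20.0.0/16", proto="tcp", dport=23),   # no Telnet to the server VLAN
        rule("deny", dst="10.20.0.0/16", proto="tcp", dport=445),  # no SMB to the server VLAN
    ],
}

# Corrected posture: permit only the services clinic workstations need, deny the rest.
CORRECTED = {
    "default": "deny",
    "rules": [
        rule("permit", src="10.10.0.0/16", dst="10.20.0.5/32", proto="tcp", dport=443),  # EHR portal
        rule("permit", src="10.10.0.0/16", dst="10.20.0.53/32", proto="udp", dport=53),  # internal DNS
    ],
}

# Constructed packets: an RDP attempt from the internet, and a legitimate EHR session.
RDP_FROM_INTERNET = {"src": "203.0.113.7", "dst": "10.20.0.9", "proto": "tcp", "dport": 3389}
CLINIC_TO_EHR = {"src": "10.10.4.20", "dst": "10.20.0.5", "proto": "tcp", "dport": 443}

if __name__ == "__main__":
    for name, pol in (("as found", AS_FOUND), ("corrected", CORRECTED)):
        print(name, "| RDP from internet:", evaluate(pol, RDP_FROM_INTERNET),
              "| clinic to EHR:", evaluate(pol, CLINIC_TO_EHR), "| findings:", audit(pol))
```

The RDP attempt is permitted under the as-found rule set because no deny rule happens to mention port 3389, which is exactly the failure mode of a permit-by-default policy: every service nobody thought to block is reachable. Under the corrected set the same packet falls through to the deny default while the EHR session still matches its explicit permit.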

A sample answer table.


Vulnerabilities Ranking Table

1. Vulnerability: Several accounts were identified for employees that are no longer employed by ACME.
   Recommended Policy: When an employee leaves the company:
     - Review all access permissions
     - Retrieve data from the employee if appropriate
     - Terminate access and reset all passwords
   Justification: The former employee may gain unauthorized access to proprietary and confidential information and equipment. Anyone holding the former employee's credentials can gain unauthorized access to internal systems.

2. Vulnerability: Several user accounts allowed unauthorized and escalated privileges and accessed systems and information without formal authorization.
   Recommended Policy:
     - Assign the least privilege needed to perform the task
     - Log when elevated privileges are used
   Justification: Least privilege lets users perform all the tasks their role requires without the ability to make unintended system-wide changes, and logging elevated-privilege use provides an audit trail.

3. Vulnerability: Several devices and systems allowed insecure remote access.
   Recommended Policy:
     - Disable insecure remote access, such as Telnet
     - Require secure remote access, such as SSH and VPN
   Justification: Insecure remote access protocols transmit data, including user credentials, in plaintext, exposing it to interception by malicious actors for reconnaissance and attacks.

4. Vulnerability: Forty percent of all organization passwords audited were cracked within 6 hours.
   Recommended Policy: New password policy:
     - Implement 2FA or MFA
     - Use passphrases
     - Change passwords only after evidence of compromise
     - No reuse of old passwords
     - No reuse of passwords across different applications
     - Allow copy/paste of passwords (so password managers work)
     - Educate users on basic cybersecurity
   Justification: Once passwords are cracked, an attacker can gain unauthorized access and change the passwords to lock out the authorized users.

5. Vulnerability: Several wireless hotspots used WEP for encryption and authentication.
   Recommended Policy: Upgrade wireless hotspots to the most secure encryption and authentication available
   Justification: WEP's key can be recovered from captured traffic in minutes, after which an attacker can decrypt, inject, or intercept traffic; a single shared key is also hard to distribute and rotate among users.

6. Vulnerability: Company servers were not updated with the latest patches.
   Recommended Policy: Establish a plan to test and apply the latest patches at regular intervals.
   Justification: Regular updates protect the data, fix security vulnerabilities, and improve the stability of the OS and applications.
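Rows 1 and 2 of the sample table say "review all access permissions", "terminate access", and "assign the least privilege"; the procedure that supports such a policy needs a repeatable check. The Python script below is an added example (not from the lab) of an access-review reconciliation: it joins a directory account export against an HR roster and an access-approval register, flags enabled accounts whose owners have left or are unknown to HR, flags terminated users whose accounts were still used after their termination date, and lists privileged group memberships that have no recorded authorization. The record formats, group names, and every row of data are hypothetical and constructed inline.

```python
"""Added example: access-review checks for audit findings 1 and 2.

Data formats are hypothetical stand-ins for an HR roster export, a directory
account export and an access-approval register; every row is constructed.
"""
from datetime import date

PRIVILEGED_GROUPS = {"Domain Admins", "EHR Admins", "Backup Operators"}  # assumed names

# Constructed HR roster: employment status and, for leavers, the termination date.
HR_ROSTER = [
    {"user": "jsantos", "status": "active", "terminated": None},
    {"user": "mreyes", "status": "terminated", "terminated": "2024-08-30"},
    {"user": "ptan", "status": "active", "terminated": None},
    {"user": "lcruz", "status": "terminated", "terminated": "2024-05-15"},
]

# Constructed directory export: account state, group membership, last logon date.
ACCOUNTS = [
    {"user": "jsantos", "enabled": True, "groups": {"Clinic Staff"}, "last_logon": "2024-10-18"},
    {"user": "mreyes", "enabled": True, "groups": {"Clinic Staff", "EHR Admins"}, "last_logon": "2024-09-12"},
    {"user": "ptan", "enabled": True, "groups": {"Clinic Staff", "Domain Admins"}, "last_logon": "2024-10-20"},
    {"user": "lcruz", "enabled": False, "groups": {"Clinic Staff"}, "last_logon": "2024-05-14"},
    {"user": "svc-legacy", "enabled": True, "groups": {"Backup Operators"}, "last_logon": "2023-11-02"},
]

# Constructed approval register: (user, group) pairs with a recorded authorization.
APPROVED_PRIVILEGES = {("ptan", "Domain Admins")}


def orphaned_accounts(accounts, roster):
    """Enabled accounts whose owner is terminated or is absent from the HR roster."""
    by_user = {r["user"]: r for r in roster}
    flagged = []
    for a in accounts:
        if not a["enabled"]:
            continue
        rec = by_user.get(a["user"])
        if rec is None:
            flagged.append((a["user"], "not on HR roster"))
        elif rec["status"] == "terminated":
            flagged.append((a["user"], f"terminated {rec['terminated']}"))
    return flagged


def post_termination_logons(accounts, roster):
    """Accounts used after the owner's termination date: an incident, not hygiene."""
    ended = {r["user"]: date.fromisoformat(r["terminated"]) for r in roster if r["terminated"]}
    return [a["user"] for a in accounts
            if a["user"] in ended and date.fromisoformat(a["last_logon"]) > ended[a["user"]]]


def unapproved_privileges(accounts, approved, privileged=PRIVILEGED_GROUPS):
    """Privileged group memberships with no matching authorization record."""
    return sorted((a["user"], g) for a in accounts for g in a["groups"] & privileged
                  if (a["user"], g) not in approved)


def access_review(accounts=ACCOUNTS, roster=HR_ROSTER, approved=APPROVED_PRIVILEGES):
    """Run all three checks and return a report keyed by finding type."""
    return {
        "orphaned": orphaned_accounts(accounts, roster),
        "used_after_termination": post_termination_logons(accounts, roster),
        "unapproved_privileges": unapproved_privileges(accounts, approved),
    }


if __name__ == "__main__":
    for key, rows in access_review().items():
        print(key, rows)
```

Two details matter in practice: the HR roster, not the directory, is the source of truth for who should have an account (so an account unknown to HR, such as the service account here, is a finding in its own right), and a post-termination logon is handed to incident response rather than simply cleaned up, because it is evidence that finding 1 was already being exploited.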


Part 3: Develop Policy Documents

Step 1: Create an Information Security Policy

a. Choose one vulnerability in the table for which to develop a security policy.

b. Use the Information Security Policy Templates to develop a specific security policy for
ACME Healthcare that addresses your chosen vulnerability.

Note: Follow the template as a guideline. Address all existing policy elements. No policy should
exceed two pages in length.

Step 2: Create a Procedure

a. Create a step-by-step set of instructions that supports your information security policy. Go
to Information Security Policy — A Development Guide and Technical Writing for IT Security Policies in
Five Easy Steps for instructions and guidance.

Note: All the above links will also be useful in Part 4 of this lab. Keep them open and bookmark
them.

b. Include all the information that a user would need to properly configure or complete the
task in accordance with the security policy.

Part 4: Develop a Plan to Disseminate and Evaluate Policies

Step 1: Create an Information Security Policy Implementation and Dissemination Plan.

a. Document the information required to create an information security policy implementation and
dissemination plan.

b. Include specific tasks and events that ACME Healthcare will use to make sure that all
employees involved are aware of the information security policies that pertain to them.

c. Include any specific departments that need to be involved. ACME Healthcare must also be
able to assess whether individuals have the proper knowledge of the policies that pertain to their job
responsibilities.

Conclusion

ACME Healthcare’s Information Security Policy Implementation and Dissemination Plan focuses
on addressing the key vulnerabilities identified during the audit. The plan involves drafting clear policies
for access control, encryption, patch management, and firewall settings, with input from departments
like IT, HR, Compliance, and Legal. Policies will be communicated via email, the intranet, webinars, and
visual reminders. Tailored training programs will be developed to ensure employees understand their
responsibilities, with specific modules for IT staff, general employees, and management. All employees
will acknowledge receipt and understanding of policies, and security drills will test policy effectiveness.
Regular policy reviews, audits, and updates will ensure continued compliance and risk mitigation across
the organization.

ACME Healthcare's Information Security Policy Implementation Plan is designed to address
critical vulnerabilities identified during the audit, involving clear policies, effective communication, and
robust training programs tailored to the roles of its employees. By involving key departments like IT, HR,
and Compliance, the company ensures that security becomes a shared responsibility across the
organization. Regular reviews, employee assessments, and ongoing training will help ACME remain
compliant with legal standards, while protecting both its data and reputation.

This comprehensive approach ensures that employees not only understand their roles in
safeguarding company assets but also follow proper procedures to mitigate risks proactively.
