Lab4 Worksheet

The document outlines a lab assignment for creating a Security Management Policy focused on the separation of duties within the IT infrastructure of ABC Credit Union/Bank. It emphasizes compliance with the Gramm-Leach-Bliley Act (GLBA) and IT security best practices, detailing responsibilities across seven domains and the importance of training and guidelines. The policy aims to enhance security, confidentiality, integrity, and availability of information assets while mitigating risks associated with unauthorized access and data breaches.

Uploaded by daoquangviet2003

Lab #4 Assessment Worksheet

Craft a Layered Security Management Policy Separation of Duties


Course Name: IAP301
Student Name: Đào Quang Việt
Instructor Name: Khúc Hữu Hùng
Lab Due Date: 21/02/2025
Overview
In this lab, you are to create a security management policy that addresses the
management and the separation of duties throughout the seven domains of a typical IT
infrastructure. You are to define what the information systems security responsibility
is for each of the seven domains of a typical IT infrastructure. From this definition,
you must incorporate your definition for the separation of duties within the
procedures section of your policy definition template. Your scenario is the same as in
Lab #1 ABC Credit Union/Bank.
 Regional ABC Credit union/bank with multiple branches and locations
throughout the region
 Online banking and the use of the Internet is a strength of your bank given
limited human resources
 The customer service department is the most critical business
function/operation of the organization.
 The organization wants to be in compliance with GLBA and IT security best
practices regarding employees.
 The organization wants to monitor and control use of the Internet by
implementing content filtering.
 The organization wants to eliminate personal use of organization owned IT
assets and systems.
 The organization wants to monitor and control the use of the e-mail system by
implementing e-mail security controls.
 The organization wants to implement this policy for all IT assets owned by the
organization and to incorporate this policy review into the annual security
awareness training.
 The organization wants to define a policy framework including a Security
Management Policy defining the separation of duties for information systems
security.
Instructions
Using Microsoft Word, craft a Security Management Policy with Defined Separation
of Duties using the following policy template:
ABC Credit Union
Policy Name: Security Management Policy with Defined Separation of Duties
Policy Statement
This Security Management Policy establishes guidelines for the management and
separation of duties within the seven domains of the IT infrastructure of Regional
ABC Credit Union/Bank. The policy aims to ensure compliance with the Gramm-
Leach-Bliley Act (GLBA) and IT security best practices while addressing the specific
needs and objectives of the organization.

Purpose/Objectives
The purpose of this policy is to:
- Establish guidelines for the management and separation of duties across the seven domains of the IT infrastructure within ABC Credit Union/Bank.
- Ensure the security, confidentiality, integrity, and availability (C-I-A) of information assets.
- Facilitate compliance with GLBA and IT security best practices.
- Mitigate risks associated with unauthorized access, data breaches, and system vulnerabilities.

Scope
This policy applies to all employees, contractors, and third-party vendors who have
access to ABC Credit Union/Bank's IT assets and systems. Domains impacted:
-User Domain
-Workstation Domain
-LAN Domain
-LAN-to-WAN Domain
-WAN Domain
-Remote Access Domain
-System/Application Domain
IT assets within the scope of this policy include:
-Workstations
-Servers
-Network infrastructure
-Remote access solutions
-Applications and systems
-Data storage devices

Standards
This policy aligns with the organization's Workstation Configuration Standards,
Server Configuration Standards, Network Infrastructure Standards, and Data Security
Standards.

Procedures
- Access will be granted on a least-privilege basis: Group Policy and role-based
security groups will restrict each employee to the files, systems and transactions
their job function requires.
- Separation of duties will be enforced through role assignment: no single
individual will hold both the initiating and the approving role for a sensitive
transaction (for example, entering a payment and approving it), and no single
individual will both administer a system and audit its security.
- Each department will receive annual training covering any changes to department
duties and to this policy.
- A chain of command will be established within each department, leading up to
executive management, so that responsibility for each domain is clearly assigned.
- Users charged with the management of IT systems are responsible for ensuring
that those systems are at all times properly protected against known threats and
vulnerabilities, as far as is reasonably practicable and compatible with the
designated purpose of those systems.
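The procedures above state the separation-of-duties rule in prose; in practice it is enforced by checking role assignments against a list of "toxic" role combinations before and after access is granted. The script below is an added example, not part of the worksheet or of any ABC Credit Union system: it models group membership as data and reports which users hold conflicting roles, whether any side of a conflict is left with nobody to perform it, and whether a new access request would create a conflict. The user names, group names and conflict pairs are constructed sample data standing in for what an administrator would export from Active Directory or an IAM system.

```python
"""Separation-of-duties conflict check over a role assignment matrix.

Added example for the policy procedures above. All users, groups and
conflict pairs are constructed sample data, not real directory content.
"""

# Constructed: pairs of roles one person must never hold at the same time.
# Holding both lets a single person complete a sensitive process end to end.
CONFLICTING_ROLE_PAIRS = {
    frozenset({"Payments-Initiator", "Payments-Approver"}),
    frozenset({"Domain-Admin", "Security-Auditor"}),
    frozenset({"AppDev-Developer", "Prod-Deployer"}),
}

# Constructed: current group membership, as it would be exported from AD/IAM.
SAMPLE_MEMBERSHIP = {
    "alice": {"Payments-Initiator", "Teller"},
    "bob": {"Payments-Approver", "Branch-Manager"},
    "carol": {"Payments-Initiator", "Payments-Approver"},      # SoD violation
    "dave": {"Domain-Admin", "Security-Auditor", "Helpdesk"},  # SoD violation
    "erin": {"AppDev-Developer"},
}


def find_sod_violations(membership, conflicts=CONFLICTING_ROLE_PAIRS):
    """Return {user: [(role_a, role_b), ...]} for every user who holds
    both roles of at least one conflicting pair. Detective control."""
    violations = {}
    for user, roles in membership.items():
        held = set(roles)
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= held]
        if hits:
            violations[user] = sorted(hits)
    return violations


def unstaffed_roles(membership, conflicts=CONFLICTING_ROLE_PAIRS):
    """Roles in a conflict pair that nobody currently holds.

    Splitting a process across two roles only works if both roles are
    staffed; otherwise the control stalls the process (nothing can be
    approved) and people route around it. Returned sorted for stable output.
    """
    held = set().union(*membership.values())
    return sorted(role for pair in conflicts for role in pair if role not in held)


def is_request_allowed(membership, user, new_role, conflicts=CONFLICTING_ROLE_PAIRS):
    """Preventive control for an access request: may `user` be added to
    `new_role` without creating a toxic combination? Unknown users hold
    nothing yet, so any single role is allowed for them."""
    current = set(membership.get(user, set()))
    for pair in conflicts:
        if new_role in pair:
            (other,) = pair - {new_role}   # the role that conflicts with new_role
            if other in current:
                return False
    return True


if __name__ == "__main__":
    for user, pairs in find_sod_violations(SAMPLE_MEMBERSHIP).items():
        for a, b in pairs:
            print(f"VIOLATION: {user} holds both {a} and {b}")
    for role in unstaffed_roles(SAMPLE_MEMBERSHIP):
        print(f"WARNING: no one holds {role}; its counterpart cannot be approved")
    print("alice -> Payments-Approver allowed?",
          is_request_allowed(SAMPLE_MEMBERSHIP, "alice", "Payments-Approver"))
```

Running this on the sample data flags carol and dave, warns that Prod-Deployer is unstaffed, and refuses to add alice to Payments-Approver because she already initiates payments. In a real deployment the membership dictionary would be populated from a directory export and the check run on a schedule (detective) and in the access-request workflow (preventive); the conflict list itself is the part of the policy that must be owned and reviewed by management, not by the administrators it constrains.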

Guidelines
Users will be trained to follow all policies and procedures in the organization. System
Administrators can refer to NIST Special Publication 800-53 (Security and Privacy
Controls) for control guidance.
Note: Your policy document must be no more than 3 pages.

Lab #4 Assessment Worksheet
Craft a Layered Security Management Policy Separation of Duties
Overview
In this lab, you examined the seven domains of a typical IT infrastructure from an
information systems security responsibility perspective. What are the roles and
responsibilities performed by the IT professional, and what are the roles and
responsibilities of the information systems security practitioner? This lab presented an
overview of exactly what those roles and responsibilities are and, more importantly,
how to define a security management policy that aligns and defines who is
responsible for what. This is critical during a security incident that requires immediate
attention by the security incident response team.
Lab Assessment Questions & Answers
1. For each of the seven domains of a typical IT infrastructure, summarize what the
information systems security responsibilities are within that domain:
The User Domain is the weakest link in an IT infrastructure. Anyone responsible for
computer security must understand what motivates someone to compromise an
organization’s system, applications, or data.

2. Which of the seven domains of a typical IT infrastructure requires personnel and
executive management support outside of the IT or information systems security
organizations?

3. What does separation of duties mean?


4. How does separation of duties throughout an IT infrastructure mitigate risk for an
organization?

5. How would you position a layered security approach with a layered security
management approach for an IT infrastructure?

6. If a system administrator had both the ID and password to a system, would that be a
problem?

7. When using a layered security approach to system administration, who would
have the highest access privileges?

8. Who would review the organization's layered approach to security?

9. Why do you only want to refer to technical standards in a policy definition
document?

10. Why is it important to define guidelines in this layered security management
policy?

11. Why is it important to define access control policies that limit or prevent exposing
customer privacy data to employees?
12. Explain why the seven domains of a typical IT infrastructure help organizations
align to separation of duties.

13. Why is it important for an organization to have a policy definition for Business
Continuity and Disaster Recovery?

14. Why is it important to prevent users from downloading and installing applications
on organization owned laptops and desktop computers?

15. Separation of duties is best defined by policy definition. What is needed to ensure
its success?
