Lab #10: Align an IT Security Policy Framework to

the 7 Domains of a Typical IT Infrastructure

Course Name: IAP 301

Student Name: Trần Đức Thiện

Instructor Name: Hoàng Tuấn Anh

Lab Due Date: 27/03/2025

Risk – Threat – Vulnerability IT Security Policy Definition

Implement firewall rules and intrusion prevention systems

Unauthorized access from public (IPS) to monitor and block unauthorized access attempts.
Internet Enforce strong authentication and access control
mechanisms.

Implement role-based access control (RBAC) and audit

User destroys data in application
logging. Regularly back up data and enforce version control
and deletes all files
to restore deleted files.

Hacker penetrates your IT Deploy intrusion detection and prevention systems (IDPS)
infrastructure and gains access to and conduct regular security audits. Implement least
your internal network privilege access controls.

Enforce workplace conduct policies and implement access

Intra-office employee romance
controls to prevent unauthorized information access or
gone bad
misuse.

Implement a disaster recovery plan (DRP) with offsite

Fire destroys primary data center backups and cloud-based redundancy. Conduct regular
failover testing.

Communication circuit outages Establish redundant communication lines and automatic

Risk – Threat – Vulnerability IT Security Policy Definition

failover mechanisms. Monitor network health proactively.

Enforce a patch management policy that requires regular

Workstation OS has a known
updates and security patches. Implement endpoint
software vulnerability
protection solutions.

Require multi-factor authentication (MFA) and enforce

Unauthorized access to
endpoint security policies. Implement auto-locking
organization owned workstations
mechanisms after inactivity.

Regularly back up critical production data and verify the

Loss of production data integrity of backups through periodic testing. Store backups
in a secure offsite location.

Deploy anti-DDoS protection measures and use load

Denial of service attack on
balancing techniques to mitigate attacks. Monitor email
organization e-mail server
server activity for anomalies.

Enforce the use of a secure VPN with strong encryption.

Remote communications from
Require endpoint security compliance checks before
home office
allowing access.

Implement an automated patch management policy to

LAN server OS has a known
ensure timely updates. Conduct vulnerability assessments
software vulnerability
regularly.

Implement email filtering solutions to scan and block

User downloads an unknown
malicious attachments. Educate employees on cybersecurity
email attachment
awareness.

Require browser updates and enforce security

Workstation browser has software
configurations through group policies. Implement web
vulnerability
filtering to block malicious sites.

Service provider has a major Establish backup internet service providers (ISPs) and
network outage failover mechanisms to maintain business continuity.

Deploy deep packet inspection (DPI) and enforce strict

Weak ingress/egress traffic
ingress/egress filtering rules to prevent network congestion
filtering degrades performance
and threats.
Risk – Threat – Vulnerability IT Security Policy Definition

User inserts CDs and USB hard Implement device control policies to block unauthorized
drives with personal photos, USB and external media usage. Require encryption for
music, and videos approved removable devices.

VPN tunneling between remote

Enforce strong VPN encryption protocols and require
computer and ingress/egress
authentication mechanisms to prevent unauthorized access.
router

WLAN access points are needed Secure WLAN access points with WPA3 encryption and
for LAN connectivity within a implement MAC address filtering. Regularly monitor and
warehouse audit access logs.

Deploy wireless intrusion detection and prevention systems

Need to prevent rogue users from
(WIDS/WIPS) to detect and block rogue devices. Enforce
unauthorized WLAN access
strong authentication for network access.

1. Access Control Policy Definition

All users must authenticate using multi-factor authentication (MFA) before accessing
organization resources. Role-based access control (RBAC) is enforced to ensure users
have the minimum required privileges.

2. Business Continuity – Business Impact Analysis (BIA) Policy Definition

A Business Impact Analysis (BIA) must be conducted annually to assess critical business
functions and the potential impact of disruptions. Identified risks must be mitigated
through redundancy planning and alternate processing strategies.

3. Business Continuity & Disaster Recovery Policy Definition

A comprehensive disaster recovery (DR) and business continuity (BC) plan must be
 established and tested semi-annually. Backup systems and failover mechanisms should
be implemented to minimize downtime in case of an incident.

4. Data Classification Standard & Encryption Policy Definition

All data must be classified according to confidentiality, integrity, and availability
requirements. Sensitive data must be encrypted at rest and in transit using industry-
standard encryption methods.

5. Internet Ingress/Egress Traffic & Web Content Filter Policy Definition

All internet traffic must pass through a secure web gateway with ingress/egress traffic
filtering. Content filtering policies should be enforced to block access to malicious or
unauthorized websites.

6. Production Data Back-up Policy Definition

Production data must be backed up daily and stored securely both on-premises and in
an offsite location. Backup integrity must be verified through periodic testing and
restoration exercises.

7. Remote Access VPN Policy Definition

Remote access to the organization’s network must be secured through VPN with strong
encryption protocols. Users must authenticate using MFA, and only authorized
personnel are permitted to connect remotely.

8. WAN Service Availability Policy Definition

WAN connections must be monitored continuously for availability and performance.
 Redundant network paths should be implemented to ensure high availability in case of
failure.

9. Internet Ingress/Egress Availability (DoS/DDoS) Policy Definition

DDoS mitigation strategies, including traffic rate limiting and intrusion prevention
systems, must be in place to protect against denial-of-service attacks. Internet
availability should be monitored in real-time for potential threats.

10. Wireless LAN Access Control & Authentication Policy Definition

All WLAN access points must require authentication using WPA3 encryption or higher.
Unauthorized access attempts must be logged and monitored, and rogue access points
should be actively detected and removed.