The document summarizes a lab assignment where students were asked to identify risks, threats, and vulnerabilities across seven domains of a typical IT infrastructure for a healthcare organization. They then matched appropriate security policy definitions that could help mitigate each issue. Finally, the document discusses how defining policies for each domain can strengthen security across the entire IT infrastructure. It emphasizes that successful policy implementation requires support from people, policies, and technologies within the organization.
Lab #3 – Assessment Worksheet
Part A – List of Risks, Threats, and Vulnerabilities Commonly Found in an IT Infrastructure

Course Name: IAP301
Student Name: SonLTSE161501
Instructor Name: DinhMH
Lab Due Date: 3-2-2023

Overview

The following risks, threats, and vulnerabilities were found in a healthcare IT infrastructure serving patients with life-threatening situations. Given the following list, select where the risk, threat, or vulnerability resides in the seven domains of a typical IT infrastructure.

| Risk – Threat – Vulnerability | Primary Domain Impacted |
|---|---|
| Unauthorized access from public Internet | Remote Access Domain |
| User destroys data in application and deletes all files | System/Application Domain |
| Hacker penetrates your IT infrastructure and gains access to your internal network | LAN-to-WAN Domain |
| Intra-office employee romance gone bad | User Domain |
| Fire destroys primary data center | System/Application Domain |
| Communication circuit outages | WAN Domain |
| Workstation OS has a known software vulnerability | Workstation Domain |
| Unauthorized access to organization owned Workstation | Workstation Domain |
| Loss of production data | System/Application Domain |
| Denial of service attack on organization e-mail Server | LAN-to-WAN Domain |
| Remote communications from home office | Remote Access Domain |
| LAN server OS has a known software vulnerability | LAN Domain |
| User downloads an unknown e-mail attachment | User Domain |
| Workstation browser has software vulnerability | Workstation Domain |
| Service provider has a major network outage | WAN Domain |
| Weak ingress/egress traffic filtering degrades Performance | LAN-to-WAN Domain |
| User inserts CDs and USB hard drives with personal photos, music and videos on organization owned computers | User Domain |
| VPN tunneling between remote computer and ingress/egress router | LAN-to-WAN Domain |
| WLAN access points are needed for LAN connectivity within a warehouse | LAN Domain |
| Need to prevent rogue users from unauthorized WLAN access | LAN Domain |
Part B – List of Risks, Threats, and Vulnerabilities Commonly Found in an IT Infrastructure

Overview

For each of the identified risks, threats, and vulnerabilities, select the most appropriate policy definition that may help mitigate the identified risk, threat, or vulnerability within that domain from the following list:

Policy Definition List

- Acceptable Use Policy
- Access Control Policy Definition
- Business Continuity – Business Impact Analysis (BIA) Policy Definition
- Business Continuity & Disaster Recovery Policy Definition
- Data Classification Standard & Encryption Policy Definition
- Internet Ingress/Egress Traffic Policy Definition
- Mandated Security Awareness Training Policy Definition
- Production Data Back-up Policy Definition
- Remote Access Policy Definition
- Vulnerability Management & Vulnerability Window Policy Definition
- WAN Service Availability Policy Definition
| Risk – Threat – Vulnerability | Policy Definition |
|---|---|
| Unauthorized access from public Internet | Remote Access Policy Definition |
| User destroys data in application and deletes all files | Acceptable Use Policy |
| Hacker penetrates your IT infrastructure and gains access to your internal network | Access Control Policy Definition |
| Intra-office employee romance gone bad | Acceptable Use Policy |
| Fire destroys primary data center | Business Continuity & Disaster Recovery Policy Definition |
| Communication circuit outages | WAN Service Availability Policy Definition |
| Workstation OS has a known software vulnerability | Vulnerability Management & Vulnerability Window Policy Definition |
| Unauthorized access to organization owned Workstation | Access Control Policy Definition |
| Loss of production data | Production Data Back-up Policy Definition |
| Denial of service attack on organization e-mail Server | WAN Service Availability Policy Definition |
| Remote communications from home office | Remote Access Policy Definition |
| LAN server OS has a known software vulnerability | Vulnerability Management & Vulnerability Window Policy Definition |
| User downloads an unknown e-mail attachment | Mandated Security Awareness Training Policy Definition |
| Workstation browser has software vulnerability | Vulnerability Management & Vulnerability Window Policy Definition |
| Service provider has a major network outage | WAN Service Availability Policy Definition |
| Weak ingress/egress traffic filtering degrades Performance | Internet Ingress/Egress Traffic Policy Definition |
| User inserts CDs and USB hard drives with personal photos, music and videos on organization owned computers | Acceptable Use Policy |
| VPN tunneling between remote computer and ingress/egress router | Internet Ingress/Egress Traffic Policy Definition |
| WLAN access points are needed for LAN connectivity within a warehouse | WAN Service Availability Policy Definition |
| Need to prevent rogue users from unauthorized WLAN access | Access Control Policy Definition |
Define an Information Systems Security Policy Framework for an IT Infrastructure

Overview

In this lab, students identified risks, threats, and vulnerabilities throughout the seven domains of a typical IT infrastructure. By organizing these risks, threats, and vulnerabilities within each of the seven domains of a typical IT infrastructure, information systems security policies can be defined to help mitigate this risk. Using policy definition and policy implementation, organizations can “tighten” security throughout the seven domains of a typical IT infrastructure.
Lab Assessment Questions & Answers
1. A policy definition usually contains what four major parts or elements?
   - command-and-control measures, enabling measures, monitoring, incentives and disincentives
2. In order to effectively implement a policy framework, what three organizational elements are absolutely needed to ensure successful implementation?
   - people, policy and technologies
3. Which policy is the most important one to implement to separate employee from employee? Which is the most challenging to implement successfully?
   - Acceptable Use Policy is the important one.
   - It is about how everyone has a different worldview. It is challenging to get everyone to follow the rules, and it may be laborious to update the rules frequently.
4. Which domain requires stringent access controls and encryption for connectivity to the corporate resources from home? What policy definition is needed for this domain?
   - Remote Access Domain and Remote Access Policy Definition, respectively.
5. Which domains need software vulnerability management & vulnerability window definitions to mitigate risk from software vulnerabilities?
   - Workstation Domain, System/Application Domain, LAN Domain and LAN / WAN Domain
6. Which domain requires AUPs to minimize unnecessary User-initiated Internet traffic and awareness of the proper use of organization-owned IT assets?
   - Workstation Domain.
7. What policy definition can help remind employees within the User Domain about on-going acceptable use and unacceptable use?
   - Acceptable Use Policy.
8. What policy definition is required to restrict and prevent unauthorized access to organization owned IT systems and applications?
   - Access Control Policy.
9. What is the relationship between an Encryption Policy and a Data Classification Standard?
   - Both assist in categorizing sensitive information and defending it against illegal access.
10. What policy definition is needed to minimize data loss?
   - Data Loss Prevention Policy Definition.