Part 1: Research Security Policy Frameworks (0/2 completed) Note: In

  

Part 1: Research Security Policy Frameworks (0/2 completed)

Note: In this part of the lab, you will review internet resources on security policy frameworks to form a basis for their purpose and usage. Understanding the reason behind a security policy framework is key to understanding the component policies and procedures. Please take the time to review the research thoroughly and think through the concepts behind the framework itself.

  1. In      your browser, navigate to https://www.sans.org/reading-room/whitepapers/policyissues/information-security-policy-development-guide-large-small-companies-1331.
  2. Read      Sections 1-5 of the SANS Policy Development Guide.
  3. Summarize the      Policy Development Guide’s recommendations for organizing a policy      hierarchy and selecting policy topics.

Note: It is important to understand how and why a policy differs from a standard, a procedure, and a guideline. From the top down, the policy should not change or need modification unless a major shift in corporate values or business process occurs. On the contrary, guidelines should be reviewed, and possibly changed, often.

Similarly, even though a policy should be written clearly and concisely, it is a high-level document answering the “why” questions. Standards are also high level, but they answer the “what” questions. Finally, the procedures and guidelines provide the “how.”

Examples of security policy and guideline templates are available from the SANS Institute at https://www.sans.org/information-security-policy/.

In the next steps, you will learn about COBIT 2019, a popular industry-standard policy framework.

  1. In      your browser, navigate to https://www.cio.com/article/3243684/what-is-cobit-a-framework-for-alignment-and-governance.html.
  2. Describe the core principles and      objectives of COBIT 2019.

Part 2: Define a Security Policy Framework (0/2 completed)

Note: Understanding both unique and universal risks to your organization’s IT infrastructure is essential to developing an appropriate IT security policy framework for your organization. In this part of the lab, you will review a list of risk, threats, and vulnerabilities and define appropriate policies to mitigate them. Next, you will organize your policies into a policy framework.

  1. Review the      following list of risks, threats, and vulnerabilities at the fictional      Healthwise Health Care Company.

     

    • Unauthorized       access from public Internet
    • Hacker       penetrates IT infrastructure
    • Communication       circuit outages
    • Workstation       operating system (OS) has a known software vulnerability
    • Unauthorized       access to organization-owned data
    • Denial       of service attack on organization’s e-mail
    • Remote       communications from home office
    • Workstation       browser has software vulnerability
    • Weak       ingress/egress traffic-filtering degrades performance
    • Wireless Local Area Network (WLAN) access points are       needed for Local Area Network (LAN) connectivity within a warehouse
    • User destroys data in application, deletes all files,       and gains access to internal network
    • Fire destroys primary data center
    • Intraoffice employee romance gone bad
    • Loss of production data
    • Need to prevent rogue users from unauthorized WLAN       access
    • LAN server OS has a known software vulnerability
    • User downloads an unknown e-mail attachment
    • Service provider has a major network outage
    • User inserts a USB hard drive with personal photos,       music, and videos on organization-owned computers
    • Virtual Private Network (VPN) tunneling between the       remote computer and ingress/egress router

 
 

  1. For each risk, threat, or      vulnerability in the list above, select an appropriate      security policy that might help mitigate it. You can select one of the      SANS policies or choose one from the following list.

Security Policies

· Acceptable Use Policy

· Access Control Policy

· Business Continuity—Business Impact Analysis (BIA) Policy

· Business Continuity and Disaster Recovery Policy

· Data Classification Standard and Encryption Policy

· Internet Ingress/Egress Traffic Policy

· Mandated Security Awareness Training Policy

· Production Data Backup Policy

· Remote Access Policy

· Vulnerability Management and Vulnerability Window Policy

· Wide Area Network (WAN) Service Availability Policy

 
 

3. Organize the security policies you selected so that they can be used as part of an overall framework for a layered security strategy.

Challenge Exercise (0/2 completed)

Note: The following challenge exercise is provided to allow independent, unguided work – similar to what you will encounter in a real situation.

A user at Digital Innovation Products has been using company network resources to download torrent files onto a USB drive and transfer those files to their home computer. IT tracked down the torrent traffic during a recent network audit. Unfortunately, the company does not have a current policy that restricts this type of activity.

Identify at least two appropriate policies that should be in place to define this type of behavior and the consequences thereof.

Write a brief overview for C-level executives explaining which policies should be added to the company’s overall security policy framework, why they should be added, and how those policies could protect the company.

Share This Post

Email
WhatsApp
Facebook
Twitter
LinkedIn
Pinterest
Reddit

Order a Similar Paper and get 15% Discount on your First Order

Related Questions