Operations Security
Copyright © 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved. www.jblearning.com Student Lab Manual
Lab #3 - Assessment Worksheet
Defining an Information Systems Security Policy Framework for an IT Infrastructure
Course Name and Number: _____________________________________________________
Student Name: ________________________________________________________________
Instructor Name: ______________________________________________________________
Lab Due Date: ________________________________________________________________
Overview
In this lab, you identified known risks, threats, and vulnerabilities, and you determined which domain of a typical IT infrastructure was affected. You then discussed security policies to address each identified risk and threat within the seven domains of a typical IT infrastructure. You next determined which appropriate security policy definition helped mitigate the identified risk, threat, or vulnerability. You organized your results into a framework that could become part of a layered security strategy.
Lab Assessment Questions & Answers
1. What is the purpose of defining a framework for IT security policies?
2. What are the major components of an information systems security policy?
3. What is the definition of a policy?
4. What are the benefits of a policy?
5. What policy definition in the SANS primer or in the list provided in the lab is required to restrict and prevent unauthorized access to organization-owned IT systems and applications?
6. What policy definition in the SANS primer or in the list provided in the lab can help remind employees in the User Domain about ongoing acceptable use and unacceptable use?
7. Why should an organization have a remote access policy even if it already has an acceptable use policy (AUP) for employees?
8. What security controls can be implemented on your e-mail system to help prevent rogue or malicious software disguised as URL links or e-mail attachments from attacking the Workstation Domain? What kind of policy definition should you use?
9. Why should an organization have annual security awareness training that includes an overview of the organization’s policies?