
Lab #4 – Assessment Worksheet

Craft a Layered Security Management Policy – Separation of Duties

ABC Credit Union


Policy Name:

Policy Statement
- Employees who use resources belonging to ABC Credit Union must comply with
the company's policies governing the use of those resources.

Purpose/Objectives
- The purpose of this policy is to ensure that no single individual can execute
a high-risk transaction, or conceal errors or fraud, in the normal course of
their duties. This policy must comply with the Gramm-Leach-Bliley Act (GLBA).

Scope
- This policy applies to all employees, systems, and customers of ABC Credit
Union.

Standards
- All employees will be separated into groups/departments, and each department
will have specific duties assigned to it.

Procedures
- Group Policies will be implemented so that employees have access only to the
files they need.
- Each department will receive annual training covering any changes to
department duties and policies.
- A chain of command will be established within each department, leading up to
executive management.
- Users charged with managing IT systems are responsible for ensuring that those
systems are properly protected at all times against known threats and
vulnerabilities, as far as is reasonably practicable and compatible with the
designated purpose of those systems.

Guidelines
- Users will be trained to follow all policies and procedures of the organization.
- System administrators can refer to NIST Special Publication 800-53, Security
and Privacy Controls, for the specific controls to apply.

Lab Assessment Questions & Answers


1. For each of the seven domains of a typical IT infrastructure, summarize
what the information systems security responsibilities are within that
domain:
- User Domain: data stewards are the individuals responsible for ensuring data
quality within the business unit.
- LAN Domain: the head of information management is the single point of
contact responsible for data quality across the enterprise.
- Workstation Domain and System/Application Domain: data administrators are
responsible for executing policies and procedures such as backup, versioning,
uploading, downloading, and database administration.
- Remote Access Domain, LAN-to-WAN Domain, and WAN Domain: data security
administrators have a highly restricted role; they grant access rights and
assess threats to the information assurance program.

2. Which of the seven domains of a typical IT infrastructure requires
personnel and executive management support outside of the IT or
information systems security organizations?
- Remote Access Domain

3. What does separation of duties mean?
- Separation of duties means dividing a sensitive task so that more than one
person is required to complete it; no single individual controls a high-risk
process from start to finish.

4. How does separation of duties throughout an IT infrastructure mitigate
risk for an organization?
- No single person can execute a high-risk transaction on their own, and a
person is never allowed to audit their own activities, so an error or fraud
requires collusion to go unnoticed.
Example: the person who develops a security application is not the same
person who tests it.

5. How would you position a layered security approach with a layered
security management approach for an IT infrastructure?
- A layered security approach places controls in every domain of the
infrastructure, so that an attack which exploits one vulnerable system is
stopped at the next layer; this is the preferred method for defeating attacks
that rely on exploiting vulnerable systems. Layered security management sits
behind those technical layers: each layer is governed by its own policy,
standards, procedures, and guidelines, with someone responsible for reviewing
it, so that no layer is left undefined or unenforced.

6. If a system administrator had both the ID and password to a system,
would that be a problem?
- Not in itself, because a system administrator needs full access to the system
in order to manage it. An administrator is a local account, or a member of a
local security group, with full access to the file system and settings on a
particular computer. Holding both the ID and the password does mean that one
person can do anything on that system, so a separate role is needed to audit
what system administrators do; that role makes sure administrators do nothing
harmful to the system and cannot conceal their own actions.

7. When using a layered security approach to system administration, who
would have the highest access privileges?
- Data security administrators, who grant access rights and assess threats to
the information assurance (IA) program, hold the highest privileges. For that
reason the role is highly restricted and held by as few people as possible.
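
The rules in questions 4, 6 and 7 (a high-risk transaction needs a second
person, nobody audits their own activity, and the duty of granting access is
kept apart from reviewing it) can be enforced mechanically rather than left to
training alone. The Python program below is an added example written for this
worksheet; it is not part of the original lab or of any ABC Credit Union
system. The duty names, roles, users, the 10,000 high-risk threshold and the
sample transactions are all assumed, constructed data.

```python
"""Separation-of-duties checks for a credit union's wire transfers and privileged
administration. Added example; not part of the original worksheet. All roles,
users, thresholds and transactions are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Duty pairs that one person must never hold at the same time (assumed conflict matrix).
CONFLICTING_DUTIES = {
    frozenset({"initiate_wire", "approve_wire"}),     # maker vs. checker
    frozenset({"develop_app", "test_app"}),           # developer vs. tester
    frozenset({"administer_system", "audit_admin"}),  # administrator vs. auditor
    frozenset({"grant_access", "audit_access"}),      # access granter vs. access reviewer
}

# Assumed mapping of departmental roles to the duties they carry.
ROLE_DUTIES = {
    "teller": {"initiate_wire"},
    "branch_manager": {"approve_wire"},
    "developer": {"develop_app"},
    "qa": {"test_app"},
    "sysadmin": {"administer_system"},
    "security_admin": {"grant_access"},
    "auditor": {"audit_admin", "audit_access"},
}

# Wires at or above this amount are treated as high-risk (assumed threshold).
HIGH_RISK_AMOUNT = 10_000

# Constructed sample users; "erin" is deliberately given a toxic role combination.
USERS = {
    "alice": {"teller"},
    "bob": {"branch_manager"},
    "carol": {"sysadmin"},
    "dave": {"auditor"},
    "erin": {"teller", "branch_manager"},
}


def duties_for(roles: set[str]) -> set[str]:
    """Flatten a user's roles into the set of duties they can exercise."""
    return set().union(*(ROLE_DUTIES[r] for r in roles))


def role_conflicts(roles: set[str]) -> list[tuple[str, str]]:
    """Return every conflicting duty pair that this role set puts in one person's hands."""
    held = duties_for(roles)
    return sorted(tuple(sorted(pair)) for pair in CONFLICTING_DUTIES if pair <= held)


@dataclass
class Wire:
    amount: int
    initiated_by: str
    approved_by: Optional[str] = None


def check_wire(wire: Wire, users: dict[str, set[str]] = USERS) -> list[str]:
    """Maker-checker rule: a high-risk wire needs an approver who is not the initiator.

    Returns a list of violations; an empty list means the wire may proceed."""
    problems = []
    if "initiate_wire" not in duties_for(users[wire.initiated_by]):
        problems.append(f"{wire.initiated_by} may not initiate wires")
    if wire.amount >= HIGH_RISK_AMOUNT:
        if wire.approved_by is None:
            problems.append("high-risk wire needs approval by a second person")
        elif wire.approved_by == wire.initiated_by:
            problems.append("initiator may not approve their own wire")
        elif "approve_wire" not in duties_for(users[wire.approved_by]):
            problems.append(f"{wire.approved_by} may not approve wires")
    return problems


def check_audit_review(actor: str, reviewer: str, audit_duty: str,
                       users: dict[str, set[str]] = USERS) -> list[str]:
    """Nobody audits their own activity, and the reviewer must hold the audit duty."""
    problems = []
    if actor == reviewer:
        problems.append("a person may not audit their own activity")
    if audit_duty not in duties_for(users[reviewer]):
        problems.append(f"{reviewer} may not perform {audit_duty}")
    return problems


if __name__ == "__main__":
    # Role-assignment review: flags erin, who could both initiate and approve wires.
    for name, roles in USERS.items():
        print(f"{name}: {role_conflicts(roles) or 'no conflicting duties'}")
    # Transaction checks and the admin-audit check from questions 4 and 6.
    print(check_wire(Wire(25_000, "alice", approved_by="alice")))
    print(check_wire(Wire(25_000, "alice", approved_by="bob")))
    print(check_audit_review("carol", "carol", "audit_admin"))
    print(check_audit_review("carol", "dave", "audit_admin"))
```

Two points in the design are worth noting: role_conflicts is the check to run
whenever a role is granted (it would reject erin's assignment before any wire
exists), while check_wire and check_audit_review are the run-time checks on
the transaction itself, so a conflict that slips into the role data still cannot
be exercised on a single high-risk transaction.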

8. Who would review the organization's layered approach to security?
- Management should review every decision on the security permissions of each
layer. It is better to have more than one person review each layer, so that
integrity is maintained and personnel do not receive more access than they
need.

9. Why do you only want to refer to technical standards in a policy
definition document?
- Technical standards are developed by organizations such as NIST or IEEE after
extensive research, proofs of concept, peer review, and debate. Referring to
them in a policy definition document identifies and enumerates the
industry-recommended standards that will help enforce the IT policy, and the IT
administrator implementing the policy knows which standards to adhere to.
Referring to a standard by name, rather than copying its technical details into
the policy, also keeps the policy stable when the standard is revised. A
technical standard might, for example, specify the encryption algorithm and key
size for full-disk encryption. By implementing security controls according to
the specified standard, risk is minimized and the control can be said to be
current with prevailing standards.

10. Why is it important to define guidelines in this layered security
management policy?
- A guideline is a recommendation or suggestion that should generally be
followed but is not strictly required, whereas a standard is mandatory.
Guidelines matter in this layered security management policy because they give
staff practical direction on how to meet the standards in situations the
standards do not spell out in detail. Defining the guidelines also makes it
clearer which requirements need to be turned into mandatory standards.

11. Why is it important to define access control policies that limit or prevent
exposing customer privacy data to employees?
- Access control policies limit or prevent employees from exposing customer
privacy data. By restricting access to only those who require it, the
organization limits the risk that the information is exposed and adheres to
compliance laws such as GLBA.
12. Explain why the seven domains of a typical IT infrastructure help
organizations align to separation of duties.
- Separating responsibilities by domain makes it easier for an organization to
identify possible risks and areas of impact, and to delegate the resources
needed to mitigate those risks.

13. Why is it important for an organization to have a policy definition for
Business Continuity and Disaster Recovery?
- A business continuity and disaster recovery policy definition gives the
organization a systematic way to keep the business running in the event of an
incident.

14. Why is it important to prevent users from downloading and installing
applications on organization owned laptops and desktop computers?
- Applications that users download and install themselves have not been vetted;
they can open the door to malware and compromise sensitive data.

15. Separation of duties is best defined by policy definition. What is needed
to ensure its success?
- Each employee must understand their own duties, and employees must be trained
on the policy. This ensures cooperation and adherence to the policy.
