Risk-Threat-Vulnerability | IT Security Policy Definition
Unauthorized access from Public Internet | Acceptable Use Policy
User destroys data in application and deletes all files | Asset Identification and Classification Policy
Hacker penetrates your IT infrastructure and gains access to your internal network | Vulnerability Assessment and Management Policy
Intra-office employee romance gone bad | Security Awareness Training Policy
Fire destroys primary data center | Threat Assessment and Management Policy
Communication circuit outages | Asset Protection Policy
Workstation OS has a known software vulnerability | Vulnerability Assessment and Management Policy
Unauthorized access to organization-owned workstations | Asset Management Policy
Loss of production data | Security Awareness Training Policy
Denial of service attack on organization e-mail server | Vulnerability Assessment and Management Policy
Remote communications from home office | Asset Protection Policy
LAN server OS has a known software vulnerability | Vulnerability Assessment and Management Policy
User downloads an unknown e-mail attachment | Security Awareness Training Policy
Workstation browser has software vulnerability | Vulnerability Assessment and Management Policy
Service provider has a major network outage | Asset Protection Policy
Weak ingress/egress traffic filtering degrades performance | Vulnerability Assessment and Management Policy
User inserts CDs and USB hard drives with personal photos, music, and videos | Security Awareness Training Policy
VPN tunneling between remote computer and ingress/egress router | Vulnerability Assessment and Management Policy
WLAN access points are needed for LAN connectivity within a warehouse | Asset Identification and Classification Policy
Need to prevent rogue users from unauthorized WLAN access | Vulnerability Assessment and Management Policy

1. What is the purpose of having a policy framework definition as opposed to individual policies?
   a. It is a set of principles and long-term goals that form the basis for making rules and guidelines, and gives overall direction to the planning and development of the organization.

2. When should you use a policy definition as a means of risk mitigation and an element of a layered security strategy?
   a. When implementing a new policy.

3. In your gap analysis of the IT security policy framework definitions provided, which policy definition was missing from all access to various IT systems, applications, and data throughout the scenario?
   a. Data Access Policy

4. Do you need policies for your telecommunication and Internet service providers?
   a. Yes

5. Which policy definition from the list provided in Lab #9 Part B helps optimize performance of an organization's Internet connection?
   a. Asset Identification and Classification Policy

6. What is the purpose of a Vulnerability Assessment & Management Policy for an IT infrastructure?
   a. It identifies, quantifies, and prioritizes (or ranks) the vulnerabilities in a system.

7. Which policy definition helps achieve availability goals for data recovery when data is lost or corrupted?
   a. Threat Assessment and Management Policy

8. Which policy definitions reference a Data Classification Standard and the use of cryptography for confidentiality purposes?
   a. Asset Management Policy

9. Which policy definition from the sample IT security policy framework definition mitigates risk in the User Domain?
   a. Security Awareness Training Policy

10. Which policy definition from the sample IT security policy framework definition mitigates risk in the LAN-to-WAN Domain?
    a. Vulnerability Assessment and Management Policy

11. How does an IT security policy framework make it easier to monitor and enforce throughout an organization?
    a. By identifying safeguards and controls that protect information from security threats.

12. Which policy definition requires an organization to list its mission-critical business operations and functions and the accompanying IT systems, applications, and databases that support them?
    a. Asset Identification and Classification Policy

13. Why is it common to find a Business Continuity Plan (BCP) Policy Definition and a Computer Security Incident Response Team (CSIRT) Policy Definition?
    a. In order to protect the assets of a company you need to know the plan of the company.