[Solved] Assignment #3 – Crafting a Separation of Duties Policy


Introduction

Learning Objectives

Deliverables

Upon completion of this lab, you are required to provide the following deliverables to your instructor:

  1. Assignment #3 Assessment Worksheet and your SoD Policy Statement

Hands-on Steps

  1. Review the Lab Assessment Worksheet. You will find answers to these questions as you proceed through the lab steps.
  2. Review the seven domains of a typical IT infrastructure (see Figure 1 below).
  3. In the address box of your Internet browser, type the URL https://www.sans.org/reading-room/whitepapers/policyissues/building-implementing-information-security-policy-509 and press Enter to open the Web site.
  4. Read the article titled “Building and Implementing an Information Security Policy”; it will aid you as you develop your Separation of Duties policy for ABC Bank.
  5. Review the following information about the separation of duties:
  • No one individual should have too much authority or power to perform a function in a business or organization.
  • Understanding one’s domain of responsibilities and where those responsibilities stop is critical to understanding the correct separation of duties.
  6. Read the following scenario of the mock ABC Bank:
  • The organization is a regional bank that has multiple branches and locations throughout the upper Midwest.
  • Online banking and use of the Internet are the bank’s strengths, given its limited human resources.
  • The customer service department is the organization’s most critical business function.
  • The organization wants to monitor and control the use of the Internet by its employees by implementing content filtering.
  • The organization wants to eliminate personal use of organization-owned IT assets and systems.
  • The organization wants to monitor and control the use of the company-owned and managed email system by implementing email security controls.
  • The organization wants to implement this policy for all of the IT assets it owns and to incorporate this policy review into its annual security awareness training program.
  • The organization wants to define a policy framework, including a security management policy defining the separation of duties related to information systems security.
  7. Use the following template to create your security management policy as it relates to separation of duties for ABC Bank (this should be no more than 3 pages).

ABC Bank

Policy Name

Policy Statement

{Insert policy statement here}

Purpose/Objectives

{Insert the policy’s purpose as well as its objectives; include a bulleted list of the policy definitions.}

Scope

{Define whom this policy applies to and the scope that it covers. Which of the seven domains of a typical IT infrastructure are impacted? All seven should be included in the scope.

What elements, IT assets, or organization-owned assets are within this policy’s scope? In this case, you are concerned about which IT assets and elements in each of the domains require information systems security management.}

Standards

{Does the policy statement point to any hardware, software, or configuration standards? If so, list them here and explain the relationship of this policy to these standards. You need to reference technical hardware, software, and configuration standards for IT assets throughout the seven domains.}

Procedures

{Explain how you intend to implement this policy for the entire organization. This is important because it is where you must explain and define your separation of duties throughout the seven domains of a typical IT infrastructure. All seven domains must be listed in this section, along with who is responsible for ensuring the confidentiality, integrity, and availability (C-I-A) of information in each domain.}

Guidelines

{Explain any potential roadblocks or implementation issues that might arise that would need to be overcome. Any disputes or gaps in the definition and separation of duties responsibility may also need to be addressed in this section.}

Assignment #3 – Crafting a Separation of Duties Policy

Overview

In this lab, you identified the roles and responsibilities for policy implementation and you identified the separation of duties for them. You then created a security management policy that addressed the management and the separation of duties throughout the seven domains of a typical IT infrastructure.

Lab Assessment Questions & Answers

  1. For each of the seven domains of a typical IT infrastructure, describe a policy you would write and implement for that domain.
  2. Describe the roles and responsibilities of those implementing information systems security policies.
  3. What does separation of duties mean?
  4. How does separation of duties throughout an IT infrastructure mitigate risk for an organization?
  5. If a system administrator had both the ID and password to a system, would that be a problem?
  6. When using a layered security approach like Defense-in-Depth to system administration, who would typically have the highest level of access privilege? What is an example of a technical control, discussed in class, that could be used to help control risk around these accounts?
  7. Who would review the organization’s layered approach to security within the organization?
  8. Why do you only want to refer to technical standards in a policy definition document?
  9. Explain how the seven domains of a typical IT infrastructure help organizations align to separation of duties.
  10. Why is it important for an organization to have a policy definition for business continuity and disaster recovery?
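The questions above ask what separation of duties means, how it mitigates risk, and what technical control can limit the risk around a single privileged account. The block below is an added example, not part of the original assignment or its worked solution, showing how a written SoD policy becomes machine-checkable: a conflict matrix of role pairs one person must never hold together (the "toxic combinations" behind "no one individual should have too much authority"), an audit of role assignments against it, and a dual-control check that refuses self-approval. The role names, the conflict matrix and the role assignments are constructed for illustration and are not taken from ABC Bank or any real IAM export.

```python
"""Separation-of-duties audit over role assignments (added example).

Two checks a SoD policy normally implies:
  1. toxic combinations: no single user may hold two roles the policy
     declares mutually exclusive (e.g. creating a vendor and approving
     payments to it);
  2. dual control: an approval must come from someone other than the
     requester, and that person must actually hold the approving role.
"""
from collections import defaultdict
from itertools import combinations

# Assumed conflict matrix: unordered pairs of roles that one person must
# never hold at the same time. Real matrices come from the SoD policy.
CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"request_access", "grant_access"}),
    frozenset({"write_code", "deploy_to_production"}),
    frozenset({"sysadmin", "security_auditor"}),
}

# Constructed (user, role) assignments, as an IAM/directory export might
# look. alice and dave each hold a toxic combination on purpose.
ASSIGNMENTS = [
    ("alice", "create_vendor"),
    ("alice", "approve_payment"),
    ("bob", "write_code"),
    ("carol", "deploy_to_production"),
    ("dave", "sysadmin"),
    ("dave", "security_auditor"),
    ("erin", "request_access"),
    ("frank", "grant_access"),
]


def roles_by_user(assignments):
    """Group role assignments into {user: set(roles)}."""
    users = defaultdict(set)
    for user, role in assignments:
        users[user].add(role)
    return users


def find_conflicts(assignments, conflicts=CONFLICTS):
    """Return a sorted list of (user, role_a, role_b) for every forbidden
    role pair a single user holds. Empty list means the assignments
    satisfy the SoD matrix."""
    findings = []
    for user, roles in roles_by_user(assignments).items():
        # Check every pair of roles the user holds against the matrix.
        for role_a, role_b in combinations(sorted(roles), 2):
            if frozenset({role_a, role_b}) in conflicts:
                findings.append((user, role_a, role_b))
    return sorted(findings)


def can_approve(requester, approver, assignments, approve_role="approve_payment"):
    """Dual control: the approver must be a different person from the
    requester and must hold the approving role. Self-approval is refused
    even when the requester holds the role."""
    if requester == approver:
        return False
    return approve_role in roles_by_user(assignments).get(approver, set())


if __name__ == "__main__":
    for user, role_a, role_b in find_conflicts(ASSIGNMENTS):
        print(f"SoD violation: {user} holds both '{role_a}' and '{role_b}'")
    print("bob requests, alice approves:", can_approve("bob", "alice", ASSIGNMENTS))
    print("alice requests, alice approves:", can_approve("alice", "alice", ASSIGNMENTS))
```

Run periodically against an exported role list, the first check turns the policy's Procedures section into a detective control; the second is the shape of the preventive control a workflow or ticketing system applies at approval time. The matrix itself is what the policy must define per domain, which is why the template asks for every domain to be listed with its responsible party.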
