Course Code 290030 Section 29106
Course Details Information Quality Assurance 1 Date 10-21-24
Name Dionisio, Denemi Daniel C. Student No. 201911045
Midterm Laboratory Exercise 3
Develop Cybersecurity Policies and Procedures
Introduction
Information security policies provide a framework for organizations to manage and protect their
assets, and a safeguard that the organizations employ to reduce risk. Students will be required to
compare information security policies to determine the differences between policies, standards,
guidelines, and procedures. Students will then develop an information security policy to address existing
vulnerabilities identified by an internal audit.
For example, a password policy states the standard for creating strong passwords and protecting
passwords. A password construction guideline defines how to create a strong password and provides
best practices recommendations. The password procedure provides the instructions on how to
implement the strong password requirement. Organizations do not update policies as frequently as they
update procedures within the information security policy framework.
Objectives
This project includes the following objectives:
Part 1: Review the Scenario
Part 2: Review and Prioritize Audit Findings
Part 3: Develop Policy Documents
Part 4: Develop a Plan to Disseminate and Evaluate Policies
Requirements
You will need internet access to the following websites, video, and documents:
- SANS Security Policy Project
  https://www.sans.org/security-resources/policies/
- Information Security Policy (video)
  https://youtu.be/ZlKgMUOpMf8
- Top Computer Security Vulnerabilities
  https://www.n-able.com/features/computer-security-vulnerabilities
- Information Security Policy – A Development Guide for Large and Small Companies (pdf)
  https://www.sans.org/reading-room/whitepapers/policyissues/information-security-policy-development-guide-large-small-companies-1331
- Technical Writing for IT Security Policies in Five Easy Steps
  https://www.sans.org/reading-room/whitepapers/policyissues/technical-writing-security-policies-easy-steps-492
Scenario
ACME Healthcare is a healthcare company that runs over 25 medical facilities including patient
care, diagnostics, outpatient care, and emergency care. The organization has experienced several data
breaches over the last five years. These data breaches have cost the organization financially and
damaged its reputation.
The executive leadership team recently hired a new chief information security officer (CISO). The
new CISO has brought in one of the top cybersecurity penetration teams to perform a full security audit
on the entire organization. This independent contractor conducted the audit, and found the following
vulnerabilities:
1) Several accounts were identified for employees that are no longer employed by ACME.
2) Several user accounts allowed unauthorized and escalated privileges. These accounts
accessed systems and information without formal authorization.
3) Several devices and systems allowed unsecure remote access.
4) Forty percent of all organization passwords audited were cracked within 6 hours.
5) Password expiration was not standardized.
6) Sensitive files were found unencrypted on user devices.
7) Several wireless hotspots used WEP for encryption and authentication.
8) Evidence indicates that sensitive e-mail was sent to and from employee homes and mobile
devices without encryption.
9) Intrusion detection logs were infrequently reviewed and analyzed.
10) Devices with sensitive company data were used by employees for private use.
11) Employee devices were left unattended and employees failed to logout of the company
network and data systems.
12) Inconsistent device updates and configurations were performed.
13) Several firewall rules were set to permit all traffic unless specifically denied.
14) Company servers were not updated with the latest patches.
15) The intranet web server allowed users to change personal information about themselves,
including contact information.
Instructions
Part 1: Review the Scenario
Read the scenario given above. Watch the Information Security Policy video. Take notes to help
you differentiate the various levels and types of policies.
Part 2: Review and Prioritize Audit Findings
a. Research the types of vulnerabilities listed to determine which of them pose the greatest
threat. Go to Top Computer Security Vulnerabilities to learn more.
b. Based on your research, list the top five security audit findings that ACME should address,
starting with the greatest vulnerability.
c. Record your rankings in a Vulnerabilities Ranking Table, like the one shown below. It lists
the Vulnerabilities, the Recommended Policy to mitigate this vulnerability, and your Justification for the
ranking you determined.
Vulnerabilities Ranking Table

1. Vulnerability: Several user accounts allowed unauthorized and escalated privileges.
   Recommended Policy: Implement a Role-Based Access Control (RBAC) policy and conduct regular access audits.
   Justification: Unauthorized access is a critical issue because it can lead to unauthorized data theft, system changes, or breaches. Escalated privileges without oversight can also allow attackers or disgruntled employees to cause significant harm.

2. Vulnerability: Devices and systems allowed unsecure remote access.
   Recommended Policy: Adopt a strict Remote Access Policy with multi-factor authentication and VPN use.
   Justification: Unsecured remote access is one of the easiest ways for external attackers to infiltrate the network, especially with the increase of remote work.

3. Vulnerability: Sensitive files were unencrypted on user devices.
   Recommended Policy: Enforce Data Encryption Policies for all sensitive information.
   Justification: Leaving sensitive data unencrypted makes it easy for attackers or unauthorized users to access valuable data, especially in case of device theft.

4. Vulnerability: Inconsistent device updates and configurations were performed.
   Recommended Policy: Establish a Patch Management Policy with regular updates and maintenance.
   Justification: Outdated systems and software expose the organization to known vulnerabilities and exploits, including malware. Ensuring timely updates is critical for security.

5. Vulnerability: Several firewall rules allowed all traffic unless specifically denied.
   Recommended Policy: Update the Firewall Policy with strict traffic rules and ongoing review.
   Justification: Allowing all traffic increases the risk of unauthorized access to the network, leaving the organization vulnerable to various attacks, such as botnets or malware intrusions.
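The firewall row above recommends replacing "permit unless specifically denied" with strict rules. The following added example (not part of the lab or the student's submission) evaluates the same constructed traffic under both approaches to show why the default action matters: a service nobody wrote a rule for (here, Telnet from the internet) slips through a deny-only rule set but is stopped by an allow list with a default of deny. The zones, ports and rule sets are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str       # simplified source zone: "internet" or "lan" (constructed)
    dst_port: int
    proto: str

# A rule is (action, src_zone, dst_port, proto); None matches anything.
# Rule set as the audit found it: only explicit denies, everything else passes.
DENY_ONLY_RULES = [
    ("deny", "internet", 445, "tcp"),   # block SMB from the internet
    ("deny", "internet", 3389, "tcp"),  # block RDP from the internet
]

# Corrected rule set: explicit permits for needed services, default action deny.
ALLOW_LIST_RULES = [
    ("permit", "internet", 443, "tcp"),  # public patient portal over HTTPS
    ("permit", "lan", 22, "tcp"),        # SSH for administrators from the LAN
]

def matches(rule, flow):
    _, zone, port, proto = rule
    return ((zone is None or zone == flow.src)
            and (port is None or port == flow.dst_port)
            and (proto is None or proto == flow.proto))

def evaluate(rules, default_action, flow):
    """First-match evaluation; a flow no rule mentions gets the default."""
    for rule in rules:
        if matches(rule, flow):
            return rule[0]
    return default_action

def compare_policies(flows):
    """Map each flow to (result under permit-by-default, result under deny-by-default)."""
    return {f: (evaluate(DENY_ONLY_RULES, "permit", f),
                evaluate(ALLOW_LIST_RULES, "deny", f)) for f in flows}

SAMPLE_FLOWS = [                    # constructed sample traffic
    Flow("internet", 443, "tcp"),   # legitimate HTTPS to the portal
    Flow("internet", 23, "tcp"),    # Telnet from the internet: no rule mentions it
    Flow("internet", 445, "tcp"),   # SMB, explicitly denied in the old rule set
    Flow("lan", 22, "tcp"),         # administrator SSH from the LAN
]

if __name__ == "__main__":
    for flow, (permissive, strict) in compare_policies(SAMPLE_FLOWS).items():
        print(f"{flow.src:>8} -> {flow.proto}/{flow.dst_port:<4}"
              f" permit-by-default={permissive}  deny-by-default={strict}")
```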
A sample answer table.
Vulnerabilities Ranking Table

Vulnerability: Several accounts were identified for employees that are no longer employed by ACME.
Recommended Policy: When an employee leaves the company: review all access permissions; retrieve data from the employee if appropriate; terminate access and reset all passwords.
Justification: The former employee may gain unauthorized access to proprietary and confidential information and equipment. Anyone with the former employee's credentials can gain unauthorized access to internal systems.

Vulnerability: Several user accounts allowed unauthorized and escalated privileges and accessed systems and information without formal authorization.
Recommended Policy: Assign the least privilege needed to perform the task; log when elevated privileges are used.
Justification: Least privilege allows the user to perform all the necessary tasks without the risk of causing systemic changes unintentionally.

Vulnerability: Several devices and systems allowed unsecure remote access.
Recommended Policy: Disable unsecured remote access, such as Telnet; require secure remote access, such as SSH and VPN.
Justification: Unsecured remote access transmits the data in plaintext. The transmission of plaintext can expose sensitive information, such as user credentials, for malicious actors to conduct reconnaissance and attacks.

Vulnerability: Forty percent of all organization passwords audited were cracked within 6 hours.
Recommended Policy: New password policy: implement 2FA or MFA; use passphrases; change passwords only after evidence of compromise; no reuse of old passwords; no reuse of passwords on different applications; enable copy/paste of passwords; educate users on basic cybersecurity.
Justification: When the passwords are cracked, the attacker can gain unauthorized access and change the passwords to lock out the authorized users.

Vulnerability: Several wireless hotspots used WEP for encryption and authentication.
Recommended Policy: Upgrade wireless hotspots to the most secure encryption and authentication available.
Justification: WEP is prone to man-in-the-middle attacks, and the key is easily cracked and hard to distribute to the users.

Vulnerability: Company servers were not updated with the latest patches.
Recommended Policy: Establish a plan to update/test the latest patches at regular intervals.
Justification: Updating regularly can protect the data, fix security vulnerabilities, and improve the stability of the OS and applications.
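Both ranking tables above recommend regular access audits for audit findings 1 (accounts of former employees) and 2 (accounts with privileges beyond their formal authorization). The following added example (not part of the lab or the student's submission) implements such a review: it joins a directory export against an HR roster and a role-to-privilege mapping and reports accounts that belong to departed employees, accounts with no HR owner at all, and accounts granted privileges their role does not entitle them to. All roster, role and account data is constructed for illustration.

```python
# Constructed sample data for the review; not taken from the ACME audit.
# HR roster: employee id -> (employment status, job role)
HR_ROSTER = {
    "e1001": ("active", "nurse"),
    "e1002": ("terminated", "nurse"),
    "e1003": ("active", "sysadmin"),
    "e1004": ("active", "billing"),
}

# Privileges each role is entitled to under the RBAC policy.
ROLE_PRIVILEGES = {
    "nurse": {"ehr_read", "ehr_write"},
    "billing": {"billing_read", "billing_write"},
    "sysadmin": {"ehr_read", "server_admin", "domain_admin"},
}

# Directory export: account name -> (employee id, privileges actually granted)
ACCOUNTS = {
    "dsmith": ("e1001", {"ehr_read", "ehr_write"}),
    "jdoe": ("e1002", {"ehr_read", "ehr_write"}),             # employee has left
    "rlee": ("e1003", {"ehr_read", "server_admin", "domain_admin"}),
    "mpatel": ("e1004", {"billing_read", "billing_write", "domain_admin"}),
    "svc_backup": (None, {"server_admin"}),                   # no HR record at all
}

def review_access(roster, role_privs, accounts):
    """Return (account, finding, detail) tuples for the access review report."""
    findings = []
    for account, (emp_id, granted) in accounts.items():
        record = roster.get(emp_id)
        if record is None:
            # Nobody in HR owns this account, so nobody will deprovision it.
            findings.append((account, "orphaned", "no matching HR record"))
            continue
        status, role = record
        if status != "active":
            # Audit finding 1: the account has outlived the employment relationship.
            findings.append((account, "former_employee", f"HR status {status}"))
            continue
        # Audit finding 2: privileges granted beyond what the role entitles.
        excess = granted - role_privs.get(role, set())
        if excess:
            findings.append((account, "excess_privilege", ", ".join(sorted(excess))))
    return findings

if __name__ == "__main__":
    for account, finding, detail in review_access(HR_ROSTER, ROLE_PRIVILEGES, ACCOUNTS):
        print(f"{account:<12} {finding:<18} {detail}")
```

Each reported account maps directly to a step in the sample policy above: terminate and reset for former employees, assign an owner or remove orphaned accounts, and strip excess privileges while logging any elevation that remains.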
Part 3: Develop Policy Documents
Step 1: Create an Information Security Policy
a. Choose one vulnerability in the table for which to develop a security policy.
b. Use the Information Security Policy Templates to develop a specific security policy for
ACME Healthcare that addresses your chosen vulnerability.
Note: Follow the template as a guideline. Address all existing policy elements. No policy should
exceed two pages in length.
Step 2: Create a Procedure
a. Create a step-by-step set of instructions that supports your information security policy. Go
to Information Security Policy — A Development Guide and Technical Writing for IT Security Policies in
Five Easy Steps for instructions and guidance.
Note: All the above links will also be useful in Part 4 of this lab. Keep them open and bookmark
them.
b. Include all the information that a user would need to properly configure or complete the
task in accordance with the security policy.
Part 4: Develop a Plan to Disseminate and Evaluate Policies
Step 1: Create an Information Security Policy Implementation and Dissemination Plan.
a. Document the information required to create an information security policy
implementation and dissemination plan.
b. Include specific tasks and events that ACME Healthcare will use to make sure that all
employees involved are aware of the information security policies that pertain to them.
c. Include any specific departments that need to be involved. ACME Healthcare must also be
able to assess whether individuals have the proper knowledge of the policies that pertain to their job
responsibilities.
Conclusion
ACME Healthcare’s Information Security Policy Implementation and Dissemination Plan focuses
on addressing the key vulnerabilities identified during the audit. The plan involves drafting clear policies
for access control, encryption, patch management, and firewall settings, with input from departments
like IT, HR, Compliance, and Legal. Policies will be communicated via email, the intranet, webinars, and
visual reminders. Tailored training programs will be developed to ensure employees understand their
responsibilities, with specific modules for IT staff, general employees, and management. All employees
will acknowledge receipt and understanding of policies, and security drills will test policy effectiveness.
Regular policy reviews, audits, and updates will ensure continued compliance and risk mitigation across
the organization.
ACME Healthcare's Information Security Policy Implementation Plan is designed to address
critical vulnerabilities identified during the audit, involving clear policies, effective communication, and
robust training programs tailored to the roles of its employees. By involving key departments like IT, HR,
and Compliance, the company ensures that security becomes a shared responsibility across the
organization. Regular reviews, employee assessments, and ongoing training will help ACME remain
compliant with legal standards, while protecting both its data and reputation.
This comprehensive approach ensures that employees not only understand their roles in
safeguarding company assets but also follow proper procedures to mitigate risks proactively.
End of document