Lab - Develop Cybersecurity Policies and Procedures

The document outlines a lab project for developing cybersecurity policies and procedures, focusing on ACME Healthcare's vulnerabilities identified in an internal audit. Students are tasked with reviewing audit results, prioritizing vulnerabilities, and creating security policies and procedures to mitigate risks. The project emphasizes the importance of information security policies in protecting organizational assets and reducing risks.

Introduction
Information security policies provide a framework for organizations to manage and protect
their assets, and are a safeguard that organizations employ to reduce risk. Students will be
required to compare information security policies to determine the differences between
policies, standards, guidelines, and procedures. Students will then develop an information
security policy to address existing vulnerabilities identified by an internal audit.
For example, a password policy sets the standard for creating strong passwords and
protecting passwords. A password construction guide defines how to create a strong
password and provides best practice recommendations. The password procedure provides
instructions on how to implement the strong password requirement. Organizations do not
update policies as frequently as they update procedures within the information security
policy framework.

Goals
This project includes the following objectives:
Part 1: Review the scenario
Part 2: Review and prioritize audit results
Part 3: Developing policy documents
Part 4: Develop a plan to disseminate and evaluate policies

Requirements
You will need Internet access for the following websites, videos, and documents:
• SANS Security Policy Project: https://www.sans.org/security-resources/policies/
• Information Security Policy (video): https://youtu.be/ZlKgMUOpMf8
• Main Computer Security Vulnerabilities: https://www.n-able.com/features/computer-security-vulnerability
• Information Security Policy Development Guide for Large and Small Companies (pdf): https://www.sans.org/reading-room/whitepapers/policyissues/information-security-policy-development-guide-large-small-companies-1331
• Technical writing for IT security policies in five easy steps: https://www.sans.org/reading-room/whitepapers/policyissues/technical-writing-security-policies-easy-steps-492

Situation
ACME Healthcare is a healthcare services company that operates more than 25 medical
facilities, including patient care, diagnostics, outpatient care and emergency care. The
organization has experienced several data breaches over the past five years. These data
breaches have cost the organization financially and damaged its reputation.
The executive leadership team recently hired a new Chief Information Security Officer
(CISO). The new CISO has brought in one of the leading cybersecurity penetration teams to
conduct a full security audit across the organization. This independent contractor performed
the audit and discovered the following vulnerabilities:
1) Several accounts of employees who no longer work at ACME were identified.
2) Multiple user accounts allowed unauthorized and higher level privileges. These
accounts accessed systems and information without formal authorization.
3) Multiple devices and systems allowed unsecured remote access.
4) 40% of all audited organization passwords were cracked within 6 hours.
5) Password expiration was not standardized.
6) Sensitive files were found unencrypted on users' devices.
7) Several wireless access points used WEP for encryption and authentication.
8) Evidence indicates that confidential email was sent to and from employees' homes
and mobile devices without encryption.
9) Intrusion detection logs were infrequently reviewed and analyzed.
10) Employees used devices with confidential company data for private use.
11) Employee devices were left unattended and employees failed to log out of the
company's network and data systems.
12) Inconsistent device configurations and updates were performed.
13) Several firewall rules have been set to allow all traffic unless specifically denied.
14) The company's servers were not updated with the latest patches.
15) The intranet web server allowed users to change their personal information,
including contact information.

Instructions

Part 1: Scenario Review


Read the scenario above. Watch the Information Security Policy video. Take notes to
differentiate the different levels and types of policies.

Part 2: Review and prioritize audit results


a. Research the types of vulnerabilities listed to determine which ones pose the greatest
threat. Go to Top Computer Security Vulnerabilities for more information.
b. Based on your research, list the top five security audit findings that ACME should
address, starting with the largest vulnerability.
c. Record your ratings in a Vulnerability Rating Table, such as the one shown below. List
the Vulnerabilities, the Recommended Policy to mitigate this vulnerability, and your
Justification for the classification you determined.

Vulnerability Classification Table

| Vulnerability | Recommended Policy | Justification |
|---|---|---|
|  |  |  |
|  |  |  |
|  |  |  |
|  |  |  |
|  |  |  |

Sample answer:

Vulnerability Classification Table

| Vulnerability | Recommended Policy | Justification |
|---|---|---|
| Several accounts were identified for employees who are no longer employed by ACME. | When an employee leaves the company: Review all access permissions; Retrieve employee data if applicable; Terminate access and reset all passwords | The former employee may gain unauthorized access to proprietary and confidential information and equipment. Anyone with the former employee's credentials can gain unauthorized access to the internal system. |
| Several user accounts allowed unauthorized privileges and higher level access to systems and information without formal authorization. | Assign the least privilege to perform the task; Logging in when using elevated privileges | Least privilege allows the user to perform all necessary tasks without the risk of unintentionally causing systemic changes. |
| Multiple devices and systems allowed unsecured remote access. | Disable insecure remote access, such as Telnet; Require secure remote access, such as SSH and VPN | Insecure remote access transmits data in clear text. Transmitting clear text can expose sensitive information, such as user credentials, for malicious actors to perform reconnaissance and attacks. |
| 40% of all audited organization passwords were cracked within 6 hours. | New password policy: Implement 2FA or MFA; User Passphrase; Change passwords only after evidence of compromise; Do not reuse old passwords; Do not reuse passwords across different applications; Enable copy/paste passwords; Educate users on basic cybersecurity | When passwords are cracked, the attacker can gain unauthorized access and change passwords to lock out authorized users. |
| Many wireless access points use WEP for encryption and authentication. | Upgrade wireless access points with the most secure encryption and authentication available | WEP is prone to man-in-the-middle attacks and the key is easily cracked and difficult to distribute to users. |
| The company's servers were not updated with the latest patches. | Establish a plan to update/test the latest patches at regular intervals. | Regular updates can protect data, fix security vulnerabilities, and improve the stability of the operating system and applications. |

Part 3: Developing Policy Documents

Step 1: Create an information security policy


a. Choose a vulnerability from the table to develop a security policy.
b. Use the Information Security Policy Templates to develop a security policy specific to
ACME Healthcare that addresses the chosen vulnerability.
Note: Follow the template as a guide. Address all elements of existing policies. No policy
should exceed two pages.

Step 2: Create a procedure

a. Create a set of step-by-step instructions that supports your information security policy.
Go to Information Security Policy: A Development and Technical Development Guide
for IT Security Policies in Five Easy Steps for instructions and guidance.
Note: All of the above links will also be useful in Part 4 of this lab. Keep them open and
bookmark them.
b. Include all information a user would need to successfully configure or complete the task
according to the security policy.

Part 4: Develop a Plan to Disseminate and Evaluate Policies

Step 1: Create an information security policy implementation and dissemination plan.

a. Document the information required to create an information security policy
implementation and dissemination plan.
b. Include specific tasks and events that ACME Healthcare will use to ensure that all
employees involved are aware of the information security policies that apply to them.
c. Include all specific departments that need to be involved. ACME Healthcare must also be
able to assess whether individuals have adequate knowledge of policies related to their
job responsibilities.

Conclusion
Information security policies provide a framework for how an organization protects its assets
and are a safeguard that the organization employs to reduce risk. This project examined why
an organization develops information security policies and the differences between
information security policies, standards, guidelines, and procedures. This project also
explored how an organization disseminates and evaluates information security policies.