Ls3 - Policies, Procedures, and Awareness: CIS240 - Lab Experiment


CIS240 - Lab Experiment

Ls3 – Policies, Procedures, and Awareness

A. PROCEDURE
1. Start the LabSim Program
2. Go to item 3 and complete the following (minimum of 250 words total).
Your grade is based on the average of the exams and labs AND your report in the table below:

In your own words (No cutting and pasting)


For each item, answer in two columns: "What did you learn?" (not what you did) and "Why is this IMPORTANT to protect YOU, or the business?"
3.1: Security Policies

What did you learn?
Several international governmental and non-governmental organizations have developed documents, guidelines, and recommendations that guide the proper use of new technologies, so that companies obtain the greatest benefit from them and avoid improper use, which can cause serious problems for goods and services. In this sense, Information Security Policies (ISP) emerge as an organizational tool to raise awareness among every member of an organization about the importance and sensitivity of critical information and services. They allow the company to develop and maintain its business.

Why is this important?
Proposing or identifying a security policy requires a high level of commitment from the organization, the technical acuity to find flaws and weaknesses, and the constancy to renew and update the policy in response to the dynamic environment that surrounds modern organizations.

3.2: Risk Management

What did you learn?
Risk Management is a method to determine, analyze, evaluate and classify risk, and then implement mechanisms that allow it to be controlled. Risk Management has four phases:

- Analysis: determines the components of a system that require protection, the vulnerabilities that weaken them and the threats that endanger them, and reveals the resulting degree of risk.

- Classification: determines whether the risks found, and the residual risks that remain after treatment, are acceptable.

- Reduction: defines and implements protective measures, and sensitizes and trains users on those measures.

- Control: analyzes the operation, effectiveness and compliance of the measures in order to identify and adjust deficient ones, and sanctions breaches.

Why is this important?
For the vast majority of organizations, Risk Management is now a fundamental part of management itself, aiming to efficiently support the identification, analysis, treatment, communication, and monitoring of business risks. This analysis becomes a mandatory compliance matter when an Information Security Management System is involved.
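The four phases above are easier to see on a concrete risk register. The following is an added illustration, not code from the lab or from LabSim: it scores each asset/threat pair on a 5x5 likelihood-by-impact scale (analysis), compares the score to a risk appetite threshold (classification), applies protective measures to obtain the residual risk (reduction), and then reports entries whose controls were planned but not actually implemented (control). The scale, the appetite value of 9, and every asset, threat and control in the register are constructed assumptions for the example.

```python
"""Walk-through of the four risk management phases on a small risk register.

This is an added illustration, not code from the lab. The 5x5 likelihood x
impact scale, the risk appetite threshold, and every asset, threat and control
below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Risk appetite (assumption): scores above this are not acceptable as they stand.
RISK_APPETITE = 9


@dataclass
class Control:
    """A protective measure and how much it lowers likelihood or impact (1-5 scale)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0
    implemented: bool = False


@dataclass
class Risk:
    """One analysis entry: an asset, the threat to it and the vulnerability exploited."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    controls: List[Control] = field(default_factory=list)

    def inherent(self) -> int:
        """Degree of risk before any protective measure is applied."""
        return self.likelihood * self.impact


def analyze(register: List[Risk]) -> Dict[Tuple[str, str], int]:
    """Phase 1, Analysis: reveal the degree of risk for each asset/threat pair."""
    return {(r.asset, r.threat): r.inherent() for r in register}


def classify(score: int) -> str:
    """Phase 2, Classification: is this score acceptable against the appetite?"""
    return "acceptable" if score <= RISK_APPETITE else "unacceptable"


def residual(risk: Risk, implemented_only: bool = True) -> int:
    """Phase 3, Reduction: apply protective measures and return the remaining risk.

    With implemented_only=False the result is the planned residual risk, i.e. what
    the register promises once every listed control is in place.
    """
    likelihood, impact = risk.likelihood, risk.impact
    for control in risk.controls:
        if implemented_only and not control.implemented:
            continue
        likelihood = max(1, likelihood - control.likelihood_reduction)
        impact = max(1, impact - control.impact_reduction)
    return likelihood * impact


def control_phase(register: List[Risk]) -> List[dict]:
    """Phase 4, Control: compare planned and actual residual risk, report deficiencies.

    An entry is deficient when the controls actually in place leave the risk
    above appetite; the report names the controls that were planned but not done.
    """
    findings = []
    for risk in register:
        actual = residual(risk, implemented_only=True)
        if classify(actual) == "unacceptable":
            findings.append({
                "asset": risk.asset,
                "threat": risk.threat,
                "inherent": risk.inherent(),
                "planned_residual": residual(risk, implemented_only=False),
                "actual_residual": actual,
                "missing_controls": [c.name for c in risk.controls if not c.implemented],
            })
    return findings


# Constructed sample register (assumption, not real data).
REGISTER = [
    Risk("customer database", "ransomware", "unpatched file server", likelihood=4, impact=5,
         controls=[Control("offline backups", impact_reduction=2, implemented=True),
                   Control("patch management", likelihood_reduction=2, implemented=False)]),
    Risk("public website", "denial of service", "no rate limiting", likelihood=3, impact=2),
    Risk("VPN gateway", "credential phishing", "password-only authentication",
         likelihood=5, impact=4,
         controls=[Control("multi-factor authentication", likelihood_reduction=3,
                           implemented=True)]),
]

if __name__ == "__main__":
    for key, score in analyze(REGISTER).items():
        print(f"{key[0]} / {key[1]}: inherent {score} -> {classify(score)}")
    for finding in control_phase(REGISTER):
        print("DEFICIENT:", finding)
```

Running it shows the point of the control phase: the ransomware entry has a planned residual of 6 (acceptable) but an actual residual of 12, because the patch management control was defined in the reduction phase and never implemented; that gap is exactly what the control phase exists to catch and sanction.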

3.3: Business Continuity

What did you learn?
The Business Continuity Plan establishes the continuity of an organization from multiple perspectives: IT infrastructure, human resources, furniture, communication systems, logistics, industrial systems, physical infrastructure, etc. Each of these areas will in turn have a more specific continuity plan, since the flooding of a logistics warehouse is not the same as a power cut in a server room. What can a Business Continuity Plan help with? It helps prevent the company's processes and activities from being interrupted and, if they are interrupted, keeps the downtime as short as possible. It also allows the level of service to be kept within agreed limits, by setting a maximum recovery period within which activities are guaranteed to resume and the situation prior to the incident can be restored.

Why is this important?
The management of the consequences of security incidents must always be considered, with disaster recovery and incident response plans whose main objective is to keep the organization running and minimize the impact on its activity.

3.4: Manageable Network Plan

What did you learn?
A Manageable Network Plan is the process that allows the administration, installation, adaptation, expansion, operation, and updating of computer networks, guaranteeing easy access to the applications and services that companies require, such as email, internet, databases and others.

Why is this important?
By following the guidance the NSA has defined for network management, companies seek to align with recognized good practice, which makes better use of resources and allows security to be managed efficiently.

3.5: Social Engineering

What did you learn?
Social Engineering is an action or social behavior aimed at getting information from people close to a system. It is the art of obtaining what interests us from a third party through social skills. These practices rely on communication between human beings. The actions usually use tricks to get an authorized user to reveal information that in some way compromises the system. People have the same weaknesses inside and outside the network, and the known techniques only need to be adapted to the desired medium.

Why is this important?
While we could go into the particulars of each case, it is essential to understand that no technology by itself protects against Social Engineering, and no users or experts are immune to this form of attack. Social Engineering does not go out of style; it keeps being refined and is limited only by the attacker's imagination. There is one uniquely effective way to protect against it: EDUCATION. Here we are not talking about strictly technical education but rather social training that alerts a person when they are about to become the target of this type of attack. An experienced attacker can easily deceive a user for their own benefit, but a user who knows these tricks is far harder to deceive. Educating users is also an important deterrent.

3.6: App Development and Deployment

What did you learn?
The System Development Life Cycle (SDLC) is the process followed to build, deliver and evolve software, from the conception of an idea to the delivery and eventual withdrawal of the system. It defines the intermediate phases required to validate the development, that is, to ensure that the software meets the application's requirements and, through verification of the development procedures, that the methods used are appropriate. Security in software products is an emergent property that depends on the cohesion of multiple factors throughout the development process, from conception to the product's end of life. When we talk about evaluating the security of computer programs, we refer to a set of activities spanning the whole development cycle, beginning with the conception of the system and extending over its design, coding, and hardening.

Why is this important?
Organizations have begun to understand that the cost of remediating a problem grows with the time the error remains in the system, so early identification and remediation is far cheaper. Introducing a secure development cycle, by implementing a security-oriented design model that creates synergy between the security and development areas, brings us one step closer to deploying more robust and much more profitable applications.

3.7: Employee Management

What did you learn?
Computer security is currently a subject of strong interest. We constantly talk about the tools we must use to ensure that our critical information is protected from cyber threats. However, many companies only consider security from the point of view of software and hardware and forget to think about the role of employees in information security. The company must train its workers in, and promote among them, the knowledge and application of information security procedures, since they are the cornerstone and the key to the success of any security strategy.

Why is this important?
Human resources are perhaps the most critical component in guaranteeing the three characteristics of information security: integrity, confidentiality, and availability. Therefore, controls and management practices must be adopted to help mitigate the impact if the risks arising from this factor materialize.

3.8: Mobile Devices

What did you learn?
Security on mobile devices has become a very important issue because of the increase in attacks on them and the consequences those attacks have. Attacks are encouraged by the popularization of mobile devices, the growing amount of personal and confidential information stored on them, and the operations performed through them, such as banking. Therefore, it is important to minimize security risks in order to protect the confidential information on our devices, whether we use them for personal purposes or for daily work.

Why is this important?
Since the current trend is for employees to bring their personal devices to the office, it is usual that, besides personal use, they use them to review corporate email and to support their daily work tasks. If a company adopts BYOD (Bring Your Own Device), it must define adequate management of the devices that connect, so that applications and information are used according to the policies established by the company.

3.9: Third-Party Integration

What did you learn?
Suppliers that have access to an organization's network must be required to sign contracts or other agreements that oblige them to comply with the organization's security policies. These agreements must contain language that gives the organization the right to audit the provider's compliance with those policies. This may be difficult to achieve in some organizations, since it requires that information security teams have a seat at the table during procurement and contract discussions, but it goes a long way toward setting the tone about how seriously the organization takes information security. It may also be beneficial to require providers to go through the organization's security awareness training.

Why is this important?
It is essential that organizations manage the risk involved in remote access by external providers. Organizations can manage these risks using existing information security technologies, such as web filters, to enforce standard remote access methods. They can also limit the damage caused by a compromised provider by compartmentalizing the network and limiting provider access. Finally, contracts may require the provider to comply with information security policies, backed by audits and potential penalties.

D. Save this file as Ls3-YourLastName, then attach and submit it to Blackboard via Assignments.
