3.1 Password Policies

Prompt: What principles should the information security analyst apply in order to develop appropriate password policies for their clients? Make sure you address confidentiality, integrity, and availability of information, as well as each of the following aspects:

• Password length and composition of the password (e.g., uppercase, numbers, special characters)
• Time period between resets and ability to reuse a prior password
• Differentiated policies for different types of users (e.g., administrator vs. regular user)

3.2 Acceptable Use Policies

Prompt: What principles should the information security analyst apply in order to develop appropriate acceptable use policies for the client? Make sure you address confidentiality, integrity, and availability of information, as well as each of the following questions:

• What should users generally be allowed to do with their computing and network resources? When and why would each example be allowable?
• What should users generally be prohibited from doing with their computing and network resources? When and why would each example require prohibition?
• When and why should users be aware of acceptable use policies, and how can organizations keep track of these policies?

3.3 User Training Policies

Prompt: What principles should the information security analyst apply in order to develop appropriate user training policies for the client? Make sure you address confidentiality, integrity, and availability of information, as well as each of the following:

• How to determine who would be trained
• How to determine how often trainings would occur
• How to determine whether certain staff receive additional training or whether they should be held to higher standards

3.4 Basic User Policies

Prompt: What principles should the information security analyst apply in order to develop appropriate basic user policies for the client? Make sure you address confidentiality, integrity, and availability of information, as well as each of the following questions:

• When and why should users have to display some type of identification while in the workplace?
• What types of physical access (with or without ID) to company areas are acceptable? Why?
• When and why should employees with identification be allowed access to all areas of the company?
• When and why should employees be allowed to take work home or bring guests into the workplace?

4.1 Theft

Prompt: In the last month, two break-ins have occurred at a client’s office, which resulted in the theft of employee laptops during both incidents. The first incident occurred in the evening when the thieves broke through a ground-floor window. The second incident occurred during the day when the thieves walked right into the business area and removed two laptops. What physical and technical controls would be helpful to address the issue and prevent this type of vulnerability in the future? Compare and contrast the different methods that could be used to mitigate the given threat.

4.2 Malware

Prompt: Recently, one of your client’s staff has been inundated with phishing emails that are targeted at individuals and related to current business opportunities for the company. These messages are linked to malware and sent by known threat actors. What physical and technical controls would be helpful to address the issue and prevent this type of vulnerability in the future? Compare and contrast the different methods that could be used to mitigate the given threat.

4.3 Your Choice

Prompt: Create your own illustrative scenario of a common threat that an information security analyst may face. Explain what physical and technical controls would be helpful to address your chosen issue and prevent that type of vulnerability in the future, and compare and contrast the different methods that could be used to mitigate the given threat.
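The three aspects listed under 3.1 (length and composition, reset period and reuse, differentiated policies per user type) map directly onto a small, testable policy engine. The following is an added example, not part of the assignment text: it encodes one policy for regular users and a stricter one for administrators, stores password history only as salted hashes so that a reuse check never needs the cleartext of old passwords, and reports every violation rather than just the first so the user can fix them in one attempt. The role names, the concrete numbers in POLICIES, and all helper names are illustrative assumptions chosen for the example.

```python
"""Role-differentiated password policy checker (added example).

Assumptions not taken from the assignment: the roles 'user' and 'admin',
the numeric thresholds in POLICIES, and every function name below.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    require_upper: bool
    require_digit: bool
    require_special: bool
    max_age_days: int    # time period between forced resets
    history_depth: int   # how many prior passwords may not be reused


# Illustrative values: administrators get a longer minimum, a mandatory
# special character, a shorter reset period and a deeper reuse history.
POLICIES = {
    "user": PasswordPolicy(12, True, True, False, max_age_days=180, history_depth=5),
    "admin": PasswordPolicy(16, True, True, True, max_age_days=90, history_depth=12),
}


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. History holds (salt, digest), never cleartext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


@dataclass
class Account:
    role: str
    last_reset: datetime
    history: list[tuple[bytes, bytes]] = field(default_factory=list)

    def remember(self, password: str) -> None:
        """Record a newly set password and trim history to the policy depth."""
        self.history.append(hash_password(password))
        depth = POLICIES[self.role].history_depth
        del self.history[:-depth]


def make_account(role: str, days_since_reset: int) -> Account:
    """Constructed sample account whose last reset was N days ago."""
    return Account(role, datetime.now() - timedelta(days=days_since_reset))


def composition_violations(password: str, policy: PasswordPolicy) -> list[str]:
    """Return every length/composition rule the candidate password breaks."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("no digit")
    if policy.require_special and not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def is_reused(password: str, account: Account) -> bool:
    """Re-derive the candidate with each stored salt; compare in constant time."""
    return any(
        hmac.compare_digest(hash_password(password, salt)[1], digest)
        for salt, digest in account.history
    )


def check_new_password(account: Account, password: str) -> list[str]:
    """All violations for a proposed new password under the account's role policy."""
    policy = POLICIES[account.role]
    problems = composition_violations(password, policy)
    if is_reused(password, account):
        problems.append(f"matches one of the last {policy.history_depth} passwords")
    return problems


def reset_due(account: Account, now: datetime | None = None) -> bool:
    """True when the role's maximum password age has elapsed since the last reset."""
    now = now or datetime.now()
    return now - account.last_reset > timedelta(days=POLICIES[account.role].max_age_days)


if __name__ == "__main__":
    admin = make_account("admin", 100)
    print("admin reset due:", reset_due(admin))
    print("violations:", check_new_password(admin, "CorrectHorse1"))
```

Because the policy table is data rather than scattered conditionals, adding a third role (for example a service account) or changing one threshold is a one-line edit, and the same check function serves every role; that is what makes "differentiated policies" auditable rather than ad hoc.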