Question

The purpose of security policies is to help mitigate identified risks. Writing these policies is easier once you have created an asset inventory list, prioritized that list, and identified the major risk exposures found in those assets. The task of identifying your IT assets begins with recognizing that your IT infrastructure and supporting resources can be divided into the seven IT domains. The benefit of identifying the assets and prioritizing them across those domains is being able to document policies in a systematic and thorough manner.

Review the following scenario for Premier Collegiate School.

You are the new director for Information Technology at Premier Collegiate School. The private school teaches grade 7 through grade 12 with 300 students and 30 staff members and faculty. Below is a description of the school’s computing resources

• Each of the 10 administrative staff members has a dedicated desktop computer.
• The school's principal has a notebook computer that she takes home and when traveling to conduct school business and personal tasks. She maintains a Facebook account and has opened other social media accounts to monitor the activities of the students who also have such accounts.
• The teachers have 10 computers that they share in the teacher 's lounge to record grades and do all work associated with conducting their assigned classes (daily lesson plans, research, handouts, tests, quizzes, and final exams).
• The school has two file servers. One is for administration business and the other serves student computing needs.
  • The administration server has dedicated storage for each of the teachers and both hardwired access and wireless Local Area Network (LAN) access throughout the school.
  • The student server has applications the students might need for their schoolwork and provides wireless access for student-owned laptop computers.
• All students are required to have a laptop computer with wireless access.
• In addition, the school has a dedicated computer lab with 25 desktop computers for the students to use in computer science classes.

The school's principal has requested that you prepare an IT asset list and a high-level prioritization or ranking of the IT given the function and purpose for administrative or student computing requirements.

1. List each asset that you can identify and:
   1. Describe the asset
   2. Identify to which the seven IT domains it belongs
   3. Identify whether you think the asset’s criticality to the organization is H, M, or L
2. Create a table that identifies at least five (5) risk exposures that you believe the school should address with specific mitigation strategies
   1. Describe the risk
   2. List and describe for each risk a security policy that could help mitigate risk
3. What should the school define as acceptable and unacceptable use of school IT assets, Internet, e-mail, and use of personal laptop computers on the school's network?

Attachments

Answer 1

Answer:

Talking about assets there are teacher's desktops, desktops for administrative people, A notebook laptop owned by the principle and a couple of important file servers.

In addition to that there are also desktop computers which are placed in the computer science labs in which the students can practice their practical assignments.

Desktop computers for administrators are individual desktops which they use for administrative purposes and that should contain appropriate security mechanisms because all the account related information of the school is also stored in those desktops. They should have proper firewall mechanisms. The principal's laptop can be used for business needs as well as she can use it for personal use as well.

The file servers are most important and should be of high priority for security. All the files in the servers ate most valuable for the school.

The asset's criticality should be labelled as "M".

Talking about risks there are risks for leakage of student's educational data, School's finance information and the account information for the school.

For mitigating the risks the schools network should be well protected by using a firewall which would restrict access to certain content over the internet and sharing of any data to any personal belongings should be restricted.