
Lab #5 – Assessment Worksheet

Elements of a Security Awareness & Training Policy

Student Name: Vũ Tuấn Anh

Student ID: SE130255

User Domain Risks & Threats                                                       | Risk Mitigation Tactic/Solution
----------------------------------------------------------------------------------+--------------------------------
Dealing with humans and human nature                                              | Risk mitigation
User or employee apathy towards information systems security policy               | AUP
Accessing the Internet is like opening "Pandora's box" given the threat from      | SAP
attackers                                                                         |
Surfing the web can be a dangerous trek in unknown territory                      | AUP
Opening e-mails and unknown e-mail attachments can unleash malicious software     | AUP
and codes                                                                         |
Installing unauthorized applications, files, or data on organization-owned IT     | SAP
assets can be dangerous                                                           |
Downloading applications or software with hidden malicious software or codes      | SAP
Clicking on an unknown URL link with hidden scripts                               | SAP
Unauthorized access to workstation                                                | UAP
Operating system software vulnerabilities                                         | PAA
Application software vulnerabilities                                              | PAA
Viruses, Trojans, worms, spyware, malicious software/code, etc.                   | SAP
User inserts CDs, DVDs, USB thumb drives with personal files onto                 | AUP
organization-owned IT assets                                                      |
User downloads unauthorized applications and software onto organization-owned IT  | UAP
assets                                                                            |
User installs unauthorized applications and software onto organization-owned IT   | UAP
assets                                                                            |

Lab #5 – Assessment Worksheet

Craft an Organization-Wide Security Awareness & Training Policy

ABC Credit Union

Security Awareness & Training Policy

Policy Statement

Employees using resources that belong to ABC Credit Union must act in compliance with the company's
policies governing the use of those resources.

Purpose/Objectives

To create an organization-wide policy defining and authorizing a Security or Computer Response team to
have full access and authority to all IT systems, applications, and data and physical IT assets when a
security or other incident occurs.

Scope

This policy applies to all employees, systems, and customers using ABC Credit Union resources.

Standards

A computer security incident is a violation or imminent threat of violation of computer security policies,
acceptable use policies, or standard security practices.

Procedures

Guidelines
Lab Assessment Questions & Answers

1. How does a security awareness & training policy impact an organization’s ability to mitigate
risks, threats, and vulnerabilities?
- Security awareness training is a formal process for educating employees about computer
security. A good security awareness program educates employees about corporate policies
and procedures for working with information technology (IT). Employees should be told
whom to contact if they discover a security threat and be taught to treat data as a
valuable corporate asset.
2. Why do you need a security awareness & training policy if you have new hires attend or
participate in the organization’s security awareness training program during new hire
orientation?
- An employee security awareness program can alleviate the problem of employee security
breaches by clarifying why security is important.

3. What is the relationship between an Acceptable Use Policy (AUP) and a Security Awareness &
Training Policy?
- An acceptable use policy (AUP) is a document that outlines a set of rules to be followed by
users or customers of a set of computing resources, which could be a computer network,
website or large computer system. Security awareness training is a formal process for
educating employees about corporate policies and procedures for working with information
technology.
4. Why is it important to prevent users from engaging in downloading or installing applications
and software found on the Internet?
- Because software downloaded from unknown sources may itself be malicious: it can carry
hidden code that steals user information or gives an attacker access to the workstation.

5. When trying to combat software vulnerabilities in the Workstation Domain, what is needed
most to deal with operating system, application, and other software installations?
- A centralized asset managing system which has client software deployed to all workstation
end-points (Windows, Linux, Mac) would be most valuable while dealing with the operating
system, application, and other software installations across the organization.

- With this software solution, an administrator can push out remote operating system
installations of hardened images, install required applications, update and patch the OS and
applications, and even uninstall the software. This will help in maintaining a uniform tested
and secure environment on all workstations in the organization.
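As an added example (not part of the worksheet or of any management product), the following Python shows the core check such a centralized system runs against every workstation: compare the software inventory reported by the endpoint agent with an approved baseline of minimum versions, then derive the uninstall, patch, and install actions the administrator would push. Application names, version numbers, and host inventories are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Approved software baseline: application -> minimum acceptable version.
# Names and versions are hypothetical, constructed for this example.
BASELINE: Dict[str, str] = {
    "os-core": "10.0.19045",
    "web-browser": "118.0.2",
    "office-suite": "16.78.0",
    "endpoint-av": "4.18.23",
}

# Subset of the baseline that every workstation must have installed.
REQUIRED = frozenset({"os-core", "web-browser", "endpoint-av"})


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '10.0.19045' into (10, 0, 19045). A non-numeric tail such as
    '2-beta' is cut back to its leading digits so one odd version string
    does not abort the whole fleet check."""
    parts = []
    for p in v.split("."):
        digits = ""
        for ch in p:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(installed: str, minimum: str) -> bool:
    """True when the installed version is older than the baseline minimum.
    Shorter tuples are zero-padded so '1.2' equals '1.2.0'."""
    a, b = parse_version(installed), parse_version(minimum)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


@dataclass
class Findings:
    host: str
    uninstall: List[str] = field(default_factory=list)  # not in the approved baseline
    patch: List[Tuple[str, str, str]] = field(default_factory=list)  # (app, installed, minimum)
    install: List[str] = field(default_factory=list)  # required but missing

    @property
    def compliant(self) -> bool:
        return not (self.uninstall or self.patch or self.install)


def check_host(host: str, inventory: Dict[str, str]) -> Findings:
    """Compare one workstation's inventory with the baseline."""
    f = Findings(host)
    for app, ver in sorted(inventory.items()):
        if app not in BASELINE:
            f.uninstall.append(app)  # unauthorized software: remove it
        elif version_lt(ver, BASELINE[app]):
            f.patch.append((app, ver, BASELINE[app]))  # approved but unpatched
    for app in sorted(REQUIRED - set(inventory)):
        f.install.append(app)  # mandatory component is missing
    return f


def check_fleet(fleet: Dict[str, Dict[str, str]]) -> Dict[str, Findings]:
    return {host: check_host(host, inv) for host, inv in fleet.items()}


# Constructed sample inventories, as an endpoint agent might report them.
SAMPLE_INVENTORY: Dict[str, Dict[str, str]] = {
    "WS-001": {"os-core": "10.0.19045", "web-browser": "118.0.2",
               "office-suite": "16.78.0", "endpoint-av": "4.18.23"},
    "WS-002": {"os-core": "10.0.19041", "web-browser": "117.0.1",
               "free-download-manager": "6.2", "endpoint-av": "4.18.23"},
    "WS-003": {"os-core": "10.0.19045", "office-suite": "16.78.0"},
}

if __name__ == "__main__":
    for host, f in check_fleet(SAMPLE_INVENTORY).items():
        print(f"{host}: {'compliant' if f.compliant else 'NON-COMPLIANT'}")
        for app in f.uninstall:
            print(f"  uninstall {app} (not in approved baseline)")
        for app, have, need in f.patch:
            print(f"  patch {app} {have} -> {need}")
        for app in f.install:
            print(f"  install {app} (required, missing)")
```

In a real deployment the agent gathers the inventory (the package manager on Linux, the installed-programs registry on Windows, the application bundle list on a Mac) and the management server issues the resulting actions; the comparison logic stays the same on every platform.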
6. Why is it important to educate users about the risks, threats, and vulnerabilities found on the
Internet and world wide web?
- So that users can recognize the most common risks, protect themselves, and acquire the
skills to resolve basic problems on their own.

7. What are some strategies for preventing users or employees from downloading and installing
rogue applications and software found on the Internet?
- Train users to recognize the lures that push rogue downloads ("Earn free access", "Get money
to download", and so on), and back the training with the AUP, which prohibits downloading or
installing unauthorized software on organization-owned IT assets.
8. What is one strategy for preventing users from clicking on unknown e-mail attachments and
files?
- Train users to recognize the bait used in malicious e-mail ("Get money", "You have won the
lottery", "Claim your reward", and so on) and not to open attachments or files from unknown
senders.

9. Why should social engineering be included in security awareness training?


- These days, social engineering is used in more than 66% of all attacks. Solo hackers and
nation states alike employ tactics meant to trick, coerce, and manipulate individuals into
giving them access to what should be secure data. Often, all the hackers need to do is find
an unsuspecting individual who doesn’t follow protocol in order to be helpful.

10. Which 2 domains of a typical IT infrastructure are the focus of a Security Awareness & Training
Policy?
- User
- Workstation

11. Why should you include organization-wide policies in employee security awareness training?
- It will help employees not to make costly errors and have a solid understanding of company
security policy, procedure and best practices.

12. Which domain typically acts as the point-of-entry into the IT infrastructure? Which domain
typically acts as the point-of-entry into the IT infrastructure’s systems, applications,
databases?
- User Domain
- WAN Domain

13. Why does an organization need a policy on conducting security awareness training annually
and periodically?
- To reinforce awareness of security risks and to keep everyone informed of new risks,
threats, and vulnerabilities as they appear.

14. What other strategies can organizations implement to keep security awareness top of mind
with all employees and authorized users?

Some of the strategies an organization can implement are:

- Mandatory annual security training

- Quarterly role-based security training

- Monthly security newsletter

- Daily social media posts on information security – these could include graphics, tongue-in-
cheek humor, cartoon strips, news articles of security breaches, and easy tips for everyday
information security
- Regular audits of information security practices

- Simulated phishing campaigns, and specialized training for those who fall victim

- Security-based games and contests

- T-shirts, banners, posters with witty one-liners promoting security

15. Why should an organization provide updated security awareness training when a new policy is
implemented throughout the User Domain or Workstation Domain?
- To educate the user on the updated policy. The user is a company's weakest link in IT
security.
