
Lab #1 - Organization-Wide Security Management Worksheet

Course Name: IAP301

Group No: 4

Student Name:

- Vo Minh Khanh - SE140781

- Tran Dang Khoa - SE140934

- Nguyen Quoc Buu - SE140936

Instructor Name: Ho Hai

Lab Due Date: 17/05/21

ABC Credit Union

Merchant Card Processing Policy

Policy Statement

In order to accept credit or debit card payments in compliance with GLBA and IT security best practice, ABC Credit Union must:

1. Protect consumer and customer records, which helps to build and strengthen consumer reliability and trust.

2. Give customers assurance that their information will be kept secure by the institution.

3. Ensure that the payment process and related recordkeeping adhere to organization accounting guidelines, the Payment Card Industry Data Security Standard (PCI DSS), and all applicable legislation.


Purpose/Objectives

This policy exists to ensure that:

- Private information is secured against unauthorized access.

- Customers are notified of private information sharing between financial institutions and third parties and have the ability to opt out of such sharing.

- User activity is tracked, including any attempts to access protected records.

Scope

These policies apply to any ABC Credit Union employee, contractor, business partner, or student involved in the processing of debit and credit card payments or who has authority over a system that accepts such payments.

Standards

All company data stored on electronic devices, hardware, software and other resources, whether owned or leased by an employee or a third party, is part of the company's assets.

- The server room must be locked so that physical access is restricted.

- All devices that access the internal network must be monitored and controlled.

- Any account with more than 5 failed login attempts must be blocked.

- Critical business functions (e.g. the customer service department) must have a backup and recovery plan, and similar measures, so that their downtime is minimized.

- Only authorized people may access the specific resources they need.

- All inbound and outbound traffic must be filtered.
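Added example (not part of the worksheet or of any ABC Credit Union system) showing how the "more than 5 failed login attempts" standard can be enforced in code. It keeps a per-account counter inside a counting window, blocks on the sixth failure, and deliberately does not let a later correct password unblock the account. The 15-minute window, the injected clock, the `LockoutTracker` name and the auth-log format are assumptions made for the example.

```python
"""Failed-login lockout for the Standards section: an account with more than
MAX_FAILED recent failures is blocked. Added example, not ABC Credit Union code;
the counting window and the injected clock are assumptions."""
import time
from collections import defaultdict

MAX_FAILED = 5            # from the standard: more than 5 failures -> blocked
WINDOW_SECONDS = 15 * 60  # assumed: failures older than this no longer count


class LockoutTracker:
    """Counts recent failed logins per account and blocks on the sixth."""

    def __init__(self, clock=time.time):
        self.clock = clock                 # injectable so tests can move time
        self.failures = defaultdict(list)  # account -> failure timestamps
        self.blocked = set()

    def _recent_failures(self, account, now):
        # Keep only failures that fall inside the counting window.
        recent = [t for t in self.failures[account] if now - t <= WINDOW_SECONDS]
        self.failures[account] = recent
        return recent

    def is_blocked(self, account):
        return account in self.blocked

    def record_failure(self, account):
        """Register a failed attempt; returns True if the account is now blocked."""
        now = self.clock()
        recent = self._recent_failures(account, now)
        recent.append(now)
        if len(recent) > MAX_FAILED:
            self.blocked.add(account)
        return self.is_blocked(account)

    def record_success(self, account):
        """A correct password on a blocked account must NOT unblock it, otherwise
        a guess that lands after the lock would still get in. Returns True if
        the login may proceed; a clean login resets the failure counter."""
        if self.is_blocked(account):
            return False
        self.failures.pop(account, None)
        return True

    def unblock(self, account):
        """Administrative reset after the account holder has been verified."""
        self.blocked.discard(account)
        self.failures.pop(account, None)


def replay_auth_log(lines):
    """Replay constructed auth-log lines ("<epoch> <OK|FAIL> <account>", in time
    order) through a tracker and return the accounts that ended up blocked."""
    now = [0.0]
    tracker = LockoutTracker(clock=lambda: now[0])
    for line in lines:
        if not line.strip():
            continue
        ts, outcome, account = line.split()
        now[0] = float(ts)
        if outcome == "FAIL":
            tracker.record_failure(account)
        else:
            tracker.record_success(account)
    return set(tracker.blocked)


# Constructed sample log: bob's five failures expire before his sixth attempt,
# carol logs in correctly after three failures, alice fails six times in 50 s.
SAMPLE_AUTH_LOG = """
1000 FAIL bob
1001 FAIL bob
1002 FAIL bob
1003 FAIL bob
1004 FAIL bob
1010 FAIL carol
1011 FAIL carol
1012 FAIL carol
1013 OK carol
1100 FAIL alice
1110 FAIL alice
1120 FAIL alice
1130 FAIL alice
1140 FAIL alice
1150 FAIL alice
2000 FAIL bob
""".splitlines()

if __name__ == "__main__":
    print("blocked accounts:", replay_auth_log(SAMPLE_AUTH_LOG))  # {'alice'}
```

The window is what makes the standard workable: without it, five mistyped passwords spread over a year would still lock the account, and the help-desk unblock path (`unblock`) is the only way out once the block is set.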

Procedures

- Prepare the documentation of the policies and a timeline for the process.

- Inform all relevant entities (employees, users, third parties) of the implementation; they will need to agree to the Acceptable Use Policy.

- The IT department is responsible for supervising the implementation.

- The leader of the IT department is responsible for reporting the bank's policy compliance monthly to the executive director.

Guidelines

The covered financial institutions must:

- Create a written information security plan describing the program to protect their customers' information.

- Designate one or more employees to coordinate the information security program.

- Identify and assess the risks to customer information in each relevant area of the company's operation, and evaluate the effectiveness of the current safeguards for controlling these risks.

- Design and implement a safeguards program, and regularly monitor and test it.

- Select service providers that can maintain appropriate safeguards, make sure the contract requires them to maintain safeguards, and oversee their handling of customer information.

- Evaluate and adjust the program in light of relevant circumstances, including changes in the firm's business or operations, or the results of security testing and monitoring.

- Any exception to this policy will be examined and approved by the IT department.

- All individuals must obey the AUPs. Violations can lead to disciplinary action up to termination, civil penalties, and/or criminal penalties, depending on the extent of the violation and the bank's policies.


Lab #1 - Assessment Worksheet

Craft an Organization-Wide Security Management Policy for Acceptable Use

Course Name: IAP301

Group No: 4

Student Name:

- Vo Minh Khanh - SE140781

- Tran Dang Khoa - SE140934

- Nguyen Quoc Buu - SE140936

Instructor Name: Ho Hai

Lab Due Date: 17/05/21

Lab Assessment Questions & Answers:

1. What are the top risks and threats from the User Domain?

- Social engineering

- Accidental disclosure

- Malicious behaviour

2. Why do organizations have acceptable use policies (AUPs)?

An organization has acceptable use policies (AUPs) because:

- They protect the organization, the employee, and also the user of the organization.

- AUPs outline the rules and restrictions employees must follow in regard to the company's network, software, internet connection and devices, which makes sure the organization's sensitive data cannot be leaked outside.


3. Can internet use and e-mail use policies be covered in an Acceptable Use Policy?

- Yes. They might be generally addressed individually as an Internet Acceptable Use Policy and an Email Acceptable Use Policy. Each would define the rules and regulations, similar to a regular Acceptable Use Policy.

4. Do compliance laws such as HIPAA or GLBA play a role in AUP definition?

- Yes, compliance laws should be used as a guideline for acceptable use policies.

5. Why is an acceptable use policy not a failsafe means of mitigating risks and threats within the User Domain?

An acceptable use policy is not a failsafe means of mitigating risks and threats because:

- We cannot control the user (what they do, what they discuss when they are outside the workplace, ...).

- Even when the user agrees with the AUPs, they may not always follow through with them.

- An acceptable use policy is a guideline.

6. Will the AUP apply to all levels of the organization, why or why not?

- Yes, the main purpose of an acceptable use policy is to protect the entire company and all employees and ensure that they are aware of the policies and of what is acceptable and unacceptable behavior.

7. When should an AUP be implemented and how?

- This policy should be in effect from day 1 of operation and periodically needs to be audited for weaknesses and vulnerabilities.

8. Why does an organization want to align its policies with the existing compliance requirements?

- These rules are applied to protect company information against loss or theft, unauthorized access, disclosure, copying, use, modification or destruction. Failing to do so can lead to a range of negative consequences, including reputation loss, financial loss, non-compliance with standards and laws, and third-party liability.

9. Why is it important to flag any existing standards (hardware, software, configuration, etc.) from an AUP?

- This way there are no hidden surprises for anyone and everyone will be on the same page when it comes to policies and procedures.

10. Where in the policy definition do you define how to implement this policy within your organization?

- In the Procedures section of the AUP.


11. Why must an organization have an Acceptable Use Policy (AUP) even for non-employees such as contractors, consultants, and other 3rd parties?

- Because it makes everyone who works there responsible, regardless of what type of worker they are.

12. What security controls can be deployed to monitor and mitigate users from accessing external websites that are potentially in violation of an AUP?

- It can be done by monitoring the Internet traffic through firewalls, setting up firewall alerts, monitoring security logs, and setting up a proxy to limit the content users can access.

13. What security controls can be deployed to monitor and mitigate users from accessing external webmail systems and services (i.e., Hotmail, Gmail, Yahoo, etc.)?

- Monitoring software (like webmonitor) can be installed to allow the manager to monitor the network traffic. The webmail systems and services can be blocked if they are known to violate the AUPs.
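Added example covering the proxy controls in questions 12 and 13 (not part of the worksheet or of any real product): a small web-filter check that runs over constructed proxy log lines, flags requests to webmail hosts and to AUP-denied URL categories, and reports violations per user. The log format, the deny lists, the category lookup and the function names are assumptions; a production proxy would take its categories from a vendor feed and block at request time rather than after the fact.

```python
"""Proxy log check for Q12/Q13: flag webmail and AUP-denied categories.
Added example; log format, domain lists and category table are constructed."""
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed deny list: hosts of the webmail services named in the question.
WEBMAIL_DOMAINS = {"mail.google.com", "outlook.live.com", "mail.yahoo.com"}
# Assumed AUP-denied categories and a stand-in for the proxy's category feed.
BLOCKED_CATEGORIES = {"gambling", "filesharing"}
CATEGORY_OF_DOMAIN = {"bet.example": "gambling", "share.example": "filesharing"}


def domain_matches(host, domain):
    """True for the domain itself or any subdomain; the dot boundary stops
    'mail.google.com.evil.example' from matching 'mail.google.com'."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def host_of(url):
    """Extract the host from a full URL or from a CONNECT 'host:port' target."""
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    return url.split("/")[0].split(":")[0].lower()


def classify(url):
    """Return 'webmail', a denied category name, or 'allowed'."""
    host = host_of(url)
    if any(domain_matches(host, d) for d in WEBMAIL_DOMAINS):
        return "webmail"
    for domain, category in CATEGORY_OF_DOMAIN.items():
        if category in BLOCKED_CATEGORIES and domain_matches(host, domain):
            return category
    return "allowed"


def parse_line(line):
    # Constructed format: "<epoch> <client_ip> <user> <method> <url> <status>"
    ts, ip, user, method, url, status = line.split()
    return {"ts": int(ts), "ip": ip, "user": user, "method": method,
            "url": url, "status": int(status)}


def scan_log(lines):
    """Return {user: [(ts, url, verdict), ...]} for requests that violate the AUP."""
    violations = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        verdict = classify(rec["url"])
        if verdict != "allowed":
            violations[rec["user"]].append((rec["ts"], rec["url"], verdict))
    return dict(violations)


# Constructed sample log: one webmail visit, one intranet visit, one gambling
# site, one look-alike host that must NOT match, and one CONNECT to webmail.
SAMPLE_PROXY_LOG = """
1621231200 10.0.0.5 jdoe GET https://mail.google.com/mail/u/0/ 200
1621231260 10.0.0.5 jdoe GET https://intranet.example/portal 200
1621231320 10.0.0.7 asmith GET https://www.bet.example/odds 200
1621231380 10.0.0.9 bnguyen GET https://mail.google.com.evil.example/ 200
1621231440 10.0.0.9 bnguyen CONNECT outlook.live.com:443 200
""".splitlines()

if __name__ == "__main__":
    for user, hits in scan_log(SAMPLE_PROXY_LOG).items():
        for ts, url, verdict in hits:
            print(f"{ts} {user} {verdict} {url}")
```

The two points a practitioner should take from it: match domains on a dot boundary rather than with a plain substring test, and remember that HTTPS traffic shows up in the proxy log as a CONNECT to `host:port`, so the host extraction has to handle that form too.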

14. What security controls can be deployed to monitor and mitigate users from embedding privacy data in e-mail messages and/or attaching documents that may contain privacy data?

- A policy of what communication methods may be used to exchange data, both internally and externally, should be put in place, together with an Application Proxy Firewall. This may also provide the ability to prevent data leakage through keyword inspection of outbound email.
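Added example of the keyword inspection described in the answer to question 14 (not part of the worksheet or of any firewall product): an outbound mail filter that parses a message with Python's standard `email` library, scans the body and text attachments for policy keywords and for payment card numbers (pattern plus Luhn check, relevant to the PCI DSS requirement in the policy), and returns a deliver/quarantine/block decision with the card number masked. The keyword list, the decision rule, the function names and the sample message are assumptions constructed for the example.

```python
"""Outbound e-mail inspection for Q14: keywords and card numbers in the body
and text attachments. Added example; keyword list, decision rule and the
sample message are constructed assumptions."""
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

KEYWORDS = {"confidential", "account statement", "member pin"}  # assumed AUP terms
# 13 to 19 digits, optionally separated by spaces or dashes, not inside a longer run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum; rejects most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def text_parts(msg):
    """Yield (where, text) for the body and every text/* or .txt/.csv attachment.
    Binary attachments are reported with empty text: they need a file parser
    (e.g. for PDF or DOCX) that this example does not include."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        filename = part.get_filename()
        is_text = ctype.startswith("text/") or (
            filename is not None and filename.lower().endswith((".txt", ".csv")))
        if is_text:
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            yield (filename or "body"), payload.decode(charset, errors="replace")
        elif filename:
            yield filename, ""


def mask(pan):
    # Keep first six and last four digits, as receipts do, so the finding is
    # useful to an analyst without repeating the full number in the log.
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def inspect_message(raw):
    """Return (action, findings); action is 'deliver', 'quarantine' or 'block'."""
    msg = message_from_string(raw, policy=default)
    findings = []
    for where, text in text_parts(msg):
        lowered = text.lower()
        findings += [(where, "keyword", kw) for kw in sorted(KEYWORDS) if kw in lowered]
        findings += [(where, "card-number", mask(pan)) for pan in find_card_numbers(text)]
    if any(kind == "card-number" for _, kind, _ in findings):
        return "block", findings            # PCI data never leaves by e-mail
    if findings:
        return "quarantine", findings       # keywords: hold for review
    return "deliver", findings


def build_sample():
    """Constructed outbound message: a keyword and a non-card 16-digit order
    reference in the body, a real-looking test card number in a CSV attachment."""
    msg = EmailMessage()
    msg["From"] = "teller@abc-credit.example"
    msg["To"] = "someone@external.example"
    msg["Subject"] = "Statement copy"
    msg.set_content("Hi, here is the CONFIDENTIAL statement you asked for.\n"
                    "Order ref 1234567890123456 (not a card).\n")
    msg.add_attachment(b"member,card\nJane Doe,4111 1111 1111 1111\n",
                       maintype="text", subtype="csv", filename="statement.csv")
    return msg.as_string()


if __name__ == "__main__":
    print(inspect_message(build_sample()))
```

The order reference in the body shows why the Luhn check matters: a bare 16-digit regex would block legitimate mail on every invoice number, while a checksum keeps the false-positive rate low enough for the "block" action to be acceptable.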

15. Should an organization terminate the employment of an employee if he/she violates an AUP?

- Because it may cause damage to an organization, any violation of the AUP can lead to disciplinary action up to termination, civil penalties, and/or criminal penalties, depending on the extent.
