Lab #5 – Assessment Worksheet

Elements of a Security Awareness & Training Policy


Course Name: IAP301

Student Name: SonLTSE161501

Instructor Name: DinhMH

Lab Due Date: 02/17/2023

Overview

For each of the identified risks and threats within the User Domain and Workstation Domain,
identify a security control or security countermeasure that can help mitigate the risk or threat.

User Domain Risks & Threats | Risk Mitigation Tactic/Solution
Dealing with humans and human nature | AUP
User or employee apathy towards information systems security policy | SAP
Accessing the Internet is like opening “Pandora’s box” given the threat from attackers | AUP
Surfing the web can be a dangerous trek in unknown territory | AUP
Opening e-mails and unknown e-mail attachments can unleash malicious software and codes | AUP
Installing unauthorized applications, files, or data on organization-owned IT assets can be dangerous | SAP
Downloading applications or software with hidden malicious software or codes | SAP
Clicking on an unknown URL link with hidden scripts | SAP
Unauthorized access to workstation | UAP
Operating system software vulnerabilities | PPA
Application software vulnerabilities | PPA
Viruses, Trojans, worms, spyware, malicious software/code, etc. | SAP
User inserts CDs, DVDs, USB thumb drives with personal files onto organization-owned IT assets | AUP
User downloads unauthorized applications and software onto organization-owned IT assets | UAP
User installs unauthorized applications and software onto organization-owned IT assets | UAP

Overview

In this lab, you are to create an organization-wide security awareness & training policy for a
mock organization to reflect the demands of a recent compliance law. Here is your scenario:

• Regional ABC Credit union/bank with multiple branches and locations throughout the
region
• Online banking and use of the Internet is a strength of your bank given limited human
resources
• The customer service department is the most critical business function/operation for the
organization
• The organization wants to be in compliance with GLBA and IT security best practices
regarding employees in the User Domain and Workstation Domain
• The organization wants to monitor and control use of the Internet by implementing
content filtering
• The organization wants to eliminate personal use of organization owned IT assets and
systems
• The organization wants to monitor and control use of the e-mail system by implementing
e-mail security controls
• The organization wants to implement the security awareness & training policy mandated for
all new hires and existing employees. The policy definition is to include GLBA and customer
privacy data requirements and mandate annual security awareness training for all
employees

Instructions

Using Microsoft Word, create a Security Awareness & Training Policy for ABC Credit
union/bank capturing the elements of the policy as defined in the Lab #5 – Assessment
Worksheet. Use the following policy template for the creation of your Security Awareness &
Training Policy definition.

ABC Credit Union

Security Awareness & Training Policy

Policy Statement

The goal of the security awareness and training policy is to create the required framework for all
employees to be educated and trained on the value of security inside the company. This policy
makes sure that staff members are informed about security risks and their roles in protecting the
company's assets.

Purpose/Objectives

This policy's objectives are to:

• Promote security awareness and training throughout the organization
• Ensure that employees are aware of their responsibilities for safeguarding the
organization's assets and information
• Establish a uniform approach to security training and awareness for all employees
• Ensure compliance with all legal, contractual, and regulatory requirements related to
security awareness and training.

Scope

All people with access to the company's information or IT resources, including employees,
independent contractors, and other third parties, are subject to this policy. This policy applies to
all assets controlled by the company as well as the seven common IT infrastructure domains.

Standards

This policy is in line with the Workstation Domain standards, which mandate that all employees
take security awareness training at least yearly. Every employee must follow this policy as well
as any pertinent rules, procedures, and standards.

Procedures

The following steps will be taken to implement this policy:

• Create and provide security awareness training for all staff members, including
independent contractors and other professionals.
• Ensure that security training is provided to all new hires during orientation.
• Create and communicate security-related standards, guidelines, and rules to all staff
members, and demand their acknowledgment.
• Verify that the Acceptable Usage Policy is signed by all workers and that they abide by
it.
• Perform regular security audits and evaluations to gauge employee comprehension of and
adherence to this policy.
• Continue to inform and remind staff about security best practices and emerging dangers.

Guidelines

The following rules shall be adhered to in order to overcome any obstacles or implementation
problems:

• To increase employee involvement and retention, develop and deliver training that is
pertinent, interesting, and interactive.
• Review and update the training materials on a regular basis to reflect new and evolving
security threats as well as modifications to the organization's infrastructure.
• Make use of a range of distribution techniques, such as printed, in-person, and online
materials, to guarantee that all staff members can access the training.
• To ensure adherence to this policy, set up a method for monitoring staff participation in
and completion of security training.
• Include security education and training in performance evaluations to make sure that
staff are held accountable for their security-related actions.

Lab Assessment Questions & Answers

1. How does a security awareness & training policy impact an organization’s ability to
mitigate risks, threats, and vulnerabilities?

By instructing staff members to become more security-conscious. The policy is intended to
show workers how they can act as the network's first line of defense.

2. Why do you need a security awareness & training policy if you have new hires attend or
participate in the organization’s security awareness training program during new hire
orientation?

To ensure that your new hires know what to do in the event that your business faces a security
issue, you must have a security awareness and training policy.

3. What is the relationship between an Acceptable Use Policy (AUP) and a Security
Awareness & Training Policy?

The security awareness and training policy includes a section on acceptable use. In contrast to
the security awareness and training policy, which outlines security as a whole for the
organization, this component outlines what users can and cannot do on company resources.

4. Why is it important to prevent users from engaging in downloading or installing
applications and software found on the Internet?

Due to the possibility that these programs may include viruses that are harmful to the systems
and network of the organization.

5. When trying to combat software vulnerabilities in the Workstation Domain, what is
needed most to deal with operating system, application, and other software installations?

Having a solid patch management plan in place is crucial for dealing with software
vulnerabilities in the Workstation Domain. By doing so, you can make sure that all of your
systems are updated with the most recent security patches and that any new vulnerabilities are
fixed right away.

6. Why is it important to educate users about the risks, threats, and vulnerabilities found
on the Internet and world wide web?

Users must receive training in order to safeguard their own assets and those of the company.

7. What are some strategies for preventing users or employees from downloading and
installing rogue applications and software found on the Internet?

- Create Standard user accounts on employees' laptops rather than Administrator accounts, and
update the local administrator accounts' default passwords.
- Create a blacklist of software that is not allowed and route every outgoing Internet connection
through a proxy server.
- Implement perimeter IPS file filtering rules and forbid downloading of programs that are on a
blacklist.
- Use URL filtering on the IPS or next-generation firewalls to prevent the user from visiting
websites that host software that is on a blacklist.
- Install end-point anti-virus and anti-malware on all workstations; this will stop rogue software
from being downloaded and installed.
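The proxy, blacklist and URL-filtering strategies listed above, worked through as an added example that is not part of the lab worksheet: a small Python policy check that runs over constructed proxy access-log lines and decides, per request, whether a download would be allowed or blocked. It goes one step beyond the list by adding an allowlist of approved software sources, so that sanctioned installers (patches, the organization's own agent) still pass while everything else that looks like an executable is stopped. The log format, host names, blocklist, allowlist and extension set are all constructed assumptions, not values from the worksheet or from any real proxy product.

```python
"""
Proxy-side download filtering check (added example, not from the lab worksheet).

Models the strategies above: outbound web traffic is routed through a proxy,
requests to hosts on a software blocklist are refused, and downloads of
executable/installer file types are refused unless they come from an approved
software source.  All policy data, hosts and log lines below are constructed.
"""
import re
from urllib.parse import urlsplit

# Constructed policy data (assumptions for illustration only).
BLOCKED_HOSTS = {"cracked-apps.example", "free-tools.example"}
APPROVED_SOFTWARE_HOSTS = {"updates.example-bank.internal", "download.vendor.example"}
EXECUTABLE_EXTENSIONS = {".exe", ".msi", ".bat", ".cmd", ".ps1", ".scr", ".jar", ".dmg", ".pkg"}

# Constructed access-log format: "<user> <method> <url> <status>".
LOG_LINE = re.compile(r"^(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")


def host_matches(host, host_set):
    """True if host equals, or is a subdomain of, any entry in host_set."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in host_set)


def file_extension(url):
    """Lower-cased extension of the URL path ('' if none); query string ignored."""
    path = urlsplit(url).path.lower()
    dot, slash = path.rfind("."), path.rfind("/")
    return path[dot:] if dot > slash else ""


def decide(url):
    """Return (decision, reason) for one outbound request URL."""
    host = urlsplit(url).hostname or ""
    if host_matches(host, BLOCKED_HOSTS):
        return "BLOCK", "host on software blocklist"
    ext = file_extension(url)
    if ext in EXECUTABLE_EXTENSIONS:
        if host_matches(host, APPROVED_SOFTWARE_HOSTS):
            return "ALLOW", f"{ext} download from approved software source"
        return "BLOCK", f"{ext} download from unapproved source"
    return "ALLOW", "no software download detected"


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def evaluate_log(lines):
    """Evaluate each log line; return a list of (user, url, decision, reason)."""
    results = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it rather than guess at a decision
        decision, reason = decide(rec["url"])
        results.append((rec["user"], rec["url"], decision, reason))
    return results


# Constructed sample log: ordinary browsing, a blocklisted host, an approved
# installer, an installer from an unknown mirror, a document, and a bad line.
SAMPLE_LOG = [
    "alice GET https://www.example-bank.internal/portal/index.html 200",
    "bob GET http://free-tools.example/downloads/pdfreader_setup.exe 200",
    "carol GET https://download.vendor.example/installers/agent-4.2.msi 200",
    "dave GET https://mirror.random.example/tools/cleaner.EXE?ref=ad 200",
    "erin GET https://docs.example/report.pdf 200",
    "this line is malformed",
]

if __name__ == "__main__":
    for user, url, decision, reason in evaluate_log(SAMPLE_LOG):
        print(f"{decision:5} {user:6} {url}  ({reason})")
```

Run as a script it prints one decision per well-formed line; the malformed line is dropped rather than silently allowed, and the extension check is case-insensitive and ignores the query string so that `cleaner.EXE?ref=ad` is still recognised as an installer.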

8. What is one strategy for preventing users from clicking on unknown e-mail attachments
and files?

Users can be prevented from accessing e-mails and attachments from unidentified sources by
configuring user e-mail access as managed by a Microsoft Exchange server.

9. Why should social engineering be included in security awareness training?

Oftentimes, people are unaware of how much information they could divulge simply by
talking excessively. The risks of social engineering, caution while speaking in public, and who to
avoid should all be taught to employees.

10. Which 2 domains of a typical IT infrastructure are the focus of a Security Awareness &
Training Policy?

User and Workstation Domain

11. Why should you include organization-wide policies in employee security awareness
training?

The security awareness training should reflect the organization-wide security policies, and
incorporating those policies into the training further informs users about them.

12. Which domain typically acts as the point-of-entry into the IT infrastructure? Which
domain typically acts as the point-of-entry into the IT infrastructure’s systems,
applications, databases?

LAN-to-WAN Domain

13. Why does an organization need a policy on conducting security awareness training
annually and periodically?

Such a policy requires that IT implement and monitor the organization's training program, which
can then be demonstrated if the organization is audited.

14. What other strategies can organizations implement to keep security awareness top of
mind with all employees and authorized users?

Periodic Policy Auditing.

15. Why should an organization provide updated security awareness training when a new
policy is implemented throughout the User Domain or Workstation Domain?

To inform the user about the revised policy. The weakest link in an organization's IT security is
the user.
