
Lab #1 – Organization-Wide Security Management

AUP Worksheet

Course Name: IAP301


Student Name: Quanndse151007
Instructor Name: DinhMH
Lab Due Date: 17/5/2023

Overview
In this lab, you are to create an organization-wide acceptable use policy (AUP)
that follows a recent compliance law for a mock organization. Here is your
scenario:
• Regional ABC Credit union/bank with multiple branches and locations
throughout the region
• Online banking and use of the Internet is a strength of your bank given
limited human resources
• The customer service department is the most critical business
function/operation for the organization
• The organization wants to be in compliance with GLBA and IT security best
practices regarding its employees
• The organization wants to monitor and control use of the Internet by
implementing content filtering
• The organization wants to eliminate personal use of organization owned IT
assets and systems
• The organization wants to monitor and control use of the e-mail system by
implementing e-mail security controls
• The organization wants to implement this policy for all the IT assets it owns
and to incorporate this policy review into an annual security awareness

Instructions
Using Microsoft Word, create an Acceptable Use Policy for ABC Credit union/bank
according to the following policy template:
ABC Credit Union
Merchant Card Processing Policy

Policy Statement

In order to accept credit or debit card payments and comply with GLBA and IT security
best practices, ABC Credit union/bank must:

1. Protect consumer and customer records, thereby helping to build and
strengthen consumer reliability and trust
2. Give customers assurance that their information will be kept secure by the institution
3. Ensure that the payment process and related recordkeeping adhere to organization
accounting guidelines, the Payment Card Industry Data Security Standard (PCI
DSS), and all applicable legislation.

Purpose/Objectives

The purpose of this policy is as follows:

- Private information must be secured against unauthorized access.
- Customers must be notified of private information sharing between financial
institutions and third parties and have the ability to opt out of private information
sharing
- User activity must be tracked, including any attempts to access protected records.

Scope
All company data stored on electronic devices, hardware, software and other
resources, whether owned or leased by an employee or third party, is part of the
company's assets.
- The server room must be locked to make sure physical access is restricted.
- All device access to the internal network must be monitored and controlled.
- Any account with more than 5 failed login attempts must be blocked.
- Critical business functions (the customer service department) must have a
backup plan, recovery plan, … to make sure their downtime is minimized.
- Only authorized people can access a specific resource.
- All inbound and outbound traffic must be filtered.

Procedures

- Prepare the documentation of policies and timeline for the process


- Inform all relevant entities (employees, users, third parties) of the implementation;
they will need to agree to the Acceptable Use Policy
- The IT department is responsible for supervising the implementation
- The leader of the IT department is responsible for reporting the bank's policy
compliance monthly to the executive director
Guidelines

The covered financial institutions must:


- Create a written information security plan describing the program to protect their
customers’ information
- Designate one or more employees to coordinate its information security program
- Identify and assess the risks to customer information in each relevant area of the
company’s operation, and evaluate the effectiveness of the current safeguards for
controlling these risks
- Design and implement a safeguards program, and regularly monitor and test it
- Select service providers that can maintain safeguards, and oversee their handling
of customer information
- Evaluate and adjust the program in light of relevant circumstances, including
changes in the firm’s business or operations, or the results of security testing and
monitoring
- Any exception to this policy will be examined and approved by the IT department
- All individuals must obey the AUPs. Violations can lead to disciplinary action up to
and including termination, civil penalties, and/or criminal penalties, depending on the
extent of the violation and the bank's policies.

Craft an Organization-Wide Security Management Policy for Acceptable Use

1. What are the top risks and threats from the User Domain?

- Phishing attacks: These are fraudulent emails or messages that are designed to
trick users into disclosing sensitive information, such as passwords or financial
details.
- Malware: This includes viruses, worms, and other malicious software that can be
used to steal data or disrupt systems.
- Social engineering: This involves using psychological manipulation to trick users
into divulging sensitive information or taking actions that could compromise security.
- Unsecured networks: If users access the internet over an unsecured network, their
data and devices may be vulnerable to attack.
- Lack of awareness: Users who are not aware of security risks and best practices
may be more likely to fall victim to attacks or to accidentally compromise security.
- Weak passwords: Users who use weak passwords or reuse passwords across
multiple accounts are more vulnerable to attack.
- Access controls: If users have access to sensitive systems or data that they do not
need for their job duties, it can increase the risk of unauthorized access or data
breaches.
- Physical security: Users who do not secure their devices and workstations properly
may leave them vulnerable to theft or tampering.

2. Why do organizations have acceptable use policies (AUPs)?


There are several reasons why organizations have acceptable use policies:
- To protect the organization's assets: AUPs can help to protect the organization's
systems, data, and other assets from misuse or abuse.
- To maintain security: AUPs can help to ensure that employees and other users
follow best practices for security and do not inadvertently compromise the
organization's security.
- To ensure compliance: AUPs can help organizations to comply with relevant laws
and regulations, such as data protection laws and intellectual property laws.
- To promote productivity: AUPs can help to ensure that employees and other users
are using company resources for legitimate business purposes and are not engaging
in activities that could distract from their work or disrupt the organization.

3. Can internet use and e-mail use policies be covered in an Acceptable Use Policy?

- Yes, internet use and e-mail use policies can be covered in an acceptable use
policy (AUP). An AUP is a set of guidelines that outline the acceptable behavior and
use of company resources by employees, contractors, and other users. These
policies can cover a wide range of topics, including internet use and e-mail use.

4. Do compliance laws such as HIPAA or GLBA play a role in AUP definition?

- Yes, compliance laws such as HIPAA (Health Insurance Portability and
Accountability Act) and GLBA (Gramm-Leach-Bliley Act) can play a role in the
definition of an acceptable use policy (AUP). AUPs are guidelines that outline the
acceptable behavior and use of company resources by employees, contractors, and
other users. These policies are put in place to protect the organization and its assets,
as well as to ensure that employees and other users understand the expectations
and limitations of their use of company resources.

5. Why is an acceptable use policy not a failsafe means of mitigating risks and
threats within the User Domain?

- An acceptable use policy, or AUP, is a set of rules that users of a network or
service must agree to follow in order to use that network or service. It is a way of
defining what users are allowed to do, and what they are not allowed to do, while
using the network or service.
- While an AUP can be an effective means of mitigating certain risks and threats
within the user domain, it is not a failsafe solution. This is because it relies on users
following the rules and guidelines set out in the AUP. If users do not follow these
rules, it can be difficult to enforce the AUP and prevent risks and threats from
occurring.
- Additionally, an AUP alone may not be sufficient to fully mitigate all risks and
threats within the user domain. It is important to have other security measures in
place, such as network security protocols and user authentication processes, to
provide a comprehensive approach to risk management.
6. Will the AUP apply to all levels of the organization, why or why
not?

- An acceptable use policy (AUP) typically applies to all users of a network or
service, regardless of their level within an organization. This is because the AUP is
meant to establish rules and guidelines for the appropriate use of the network or
service, and these rules should apply to all users to ensure the security and integrity
of the network or service.

7. When should this policy be implemented and how?

- An acceptable use policy (AUP) should be implemented as soon as possible after
the decision has been made to create one. This is because an AUP is an important
tool for establishing rules and guidelines for the appropriate use of a network or
service, and it is important for users to be aware of these rules from the outset.

There are several steps that an organization can take to implement an AUP:

- Determine the scope and purpose of the AUP: It is important to define the scope
and purpose of the AUP before drafting it. This will help ensure that the AUP covers
all necessary areas and addresses the specific needs and concerns of the
organization.

- Draft the AUP: Once the scope and purpose of the AUP have been determined, the
AUP can be drafted. This should include a list of specific activities that are allowed
and not allowed, as well as any consequences for violating the AUP.

- Communicate the AUP to users: It is important to make sure that all users are
aware of the AUP and understand their responsibilities under it. This can be done
through a variety of means, such as email, training sessions, or posting the AUP on
the organization's website.

- Obtain user agreement: Users should be required to agree to the terms of the AUP
before they are granted access to the network or service. This can be done through a
user agreement or acceptance process.

- Monitor and enforce compliance: It is important to monitor compliance with the AUP
and take appropriate action when violations occur. This may include revoking access
to the network or service, or taking other disciplinary action as necessary.

8. Why does an organization want to align its policies with the existing compliance
requirements?

An organization may want to align its policies with existing compliance requirements
for several reasons. Some of the most common reasons include:
- To meet legal and regulatory requirements: Many industries are subject to various
laws and regulations that require organizations to follow certain practices and
procedures. Aligning policies with these requirements can help ensure that the
organization is in compliance with these laws and regulations.

- To protect the organization's reputation: By following compliance requirements, an
organization can demonstrate its commitment to ethical practices and help protect its
reputation.
- To reduce risk: Compliance with laws and regulations can help an organization
avoid fines and penalties, as well as protect against legal liability.

- To improve efficiency: Aligning policies with compliance requirements can help
streamline processes and improve efficiency, as it can help ensure that everyone in
the organization is following the same rules and procedures.

9. Why is it important to flag any existing standards (hardware, software,
configuration, etc.) from an AUP?

- It is important to flag any existing standards (such as hardware, software, or
configuration standards) in an acceptable use policy (AUP) because these standards
may impact the way in which users are able to access and use the network or
service. For example, if an organization has specific hardware or software
requirements in place, users may need to ensure that their devices meet these
requirements in order to be able to access the network or service.

10. Where in the policy definition do you define how to implement this policy within
your organization?

- The implementation of an acceptable use policy (AUP) within an organization
should be defined in the policy itself. This can typically be done in a section of the
AUP that outlines the procedures and processes for enforcing the policy and
ensuring compliance.
- In this section, the AUP should outline the steps that the organization will take to
communicate the policy to users, as well as the process for obtaining user agreement
to the terms of the policy. The AUP should also outline any specific procedures that
will be followed to monitor and enforce compliance with the policy, as well as any
consequences for violating the policy.

11. Why must an organization have an Acceptable Use Policy (AUP) even for
nonemployees such as contractors, consultants, and other 3rd parties?

- An acceptable use policy (AUP) should be in place for non-employees such as
contractors, consultants, and other third parties because these individuals may have
access to the organization's network or other resources. This access can present
risks to the organization if the individuals do not follow appropriate rules and
guidelines for using the network or resources.

12. What security control can be deployed to monitor and mitigate users from
accessing external websites that are potentially in violation of an AUP?

There are several security controls that can be deployed to monitor and mitigate
users from accessing external websites that are potentially in violation of an
acceptable use policy (AUP). Some of the most common options include:

- Web filters: Web filters are software tools that can be used to block access to
specific websites or categories of websites. They can be configured to block websites
that are known to violate the AUP, such as sites that contain malicious content or
sites that are not related to work activities.

- URL filtering: URL filtering is a technique that can be used to block access to
specific URLs or groups of URLs. This can be useful for blocking access to specific
websites or pages that are known to violate the AUP.

- Network firewalls: Network firewalls can be configured to block access to specific
websites or categories of websites. They can also be used to block access to certain
types of content, such as streaming video or peer-to-peer file sharing.

- Traffic monitoring: Traffic monitoring involves monitoring the network traffic of users
to identify suspicious or inappropriate activity. This can be done through the use of
network monitoring tools that can identify patterns of behavior that may indicate an
attempt to access prohibited websites or engage in activities that violate the AUP.

13. What security control can be deployed to monitor and mitigate users from
accessing external webmail systems and services (i.e., Hotmail, Gmail, Yahoo, etc.)?

- There are several security controls that can be deployed to monitor and mitigate
users from accessing external webmail systems and services. Some of the most
common options include:

- Web filters: Web filters are software tools that can be used to block access to
specific websites or categories of websites. They can be configured to block access
to webmail systems and services that are not authorized by the organization.
- URL filtering: URL filtering is a technique that can be used to block access to
specific URLs or groups of URLs. This can be useful for blocking access to webmail
systems and services that are not authorized by the organization.
- Network firewalls: Network firewalls can be configured to block access to specific
websites or categories of websites. They can also be used to block access to certain
types of content, such as webmail systems and services.
- Traffic monitoring: Traffic monitoring involves monitoring the network traffic of users
to identify suspicious or inappropriate activity. This can be done through the use of
network monitoring tools that can identify patterns of behavior that may indicate an
attempt to access prohibited webmail systems and services.
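One way to apply the web/URL filtering that Q12 and Q13 describe, as an added example that is not part of this worksheet: a block list keyed by domain suffix (webmail and streaming categories, constructed here) is evaluated against constructed proxy log lines to report AUP violations per user. The log line layout and the internal domain abccu.example are assumptions.

```python
"""Web/URL filtering check against an AUP block list, as an added example
(not part of the worksheet). Assumptions, all constructed: the block list below
and proxy log lines of the form "<timestamp> <user> <method> <url> <status>"."""
from typing import Optional
from urllib.parse import urlsplit

# Constructed policy: domain suffix -> AUP category. A real deployment would take
# these from the content-filtering product's category feeds, not a hand-made dict.
BLOCKED_SUFFIXES = {
    "gmail.com": "webmail",
    "mail.google.com": "webmail",
    "outlook.live.com": "webmail",
    "mail.yahoo.com": "webmail",
    "youtube.com": "streaming",
}

def hostname_category(url: str) -> Optional[str]:
    """Return the blocked AUP category for url's host, or None if allowed.
    Matching is on DNS label boundaries: "www.youtube.com" matches the rule
    "youtube.com", but "notgmail.com" does not match "gmail.com".
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # Walk from the full host down to its shortest suffix (a.b.c -> b.c -> c).
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKED_SUFFIXES:
            return BLOCKED_SUFFIXES[candidate]
    return None

def audit_proxy_log(lines: list) -> list:
    """Return (user, host, category) for every logged request the AUP forbids."""
    violations = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip it rather than abort the audit
        user, url = parts[1], parts[3]
        category = hostname_category(url)
        if category is not None:
            violations.append((user, urlsplit(url).hostname, category))
    return violations

# Constructed sample proxy log; not real traffic.
SAMPLE_LOG = [
    "2023-05-10T09:01:02 alice GET https://www.abccu.example/online-banking 200",
    "2023-05-10T09:03:17 bob GET https://mail.google.com/mail/u/0/ 200",
    "2023-05-10T09:04:44 carol GET https://notgmail.com/login 200",
    "2023-05-10T09:05:10 bob CONNECT https://www.youtube.com:443/ 200",
]

if __name__ == "__main__":
    for user, host, category in audit_proxy_log(SAMPLE_LOG):
        print(f"AUP violation: user={user} host={host} category={category}")
```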

14. What security controls can be deployed to monitor and mitigate users embedding
privacy data in e-mail messages and/or attaching documents that may contain privacy
data?

There are several security controls that can be deployed to monitor and mitigate
users from embedding privacy data in email messages and attaching documents that
may contain privacy data. Some of the most common options include:

- Data loss prevention (DLP) software: DLP software is designed to monitor outbound
data and identify sensitive information that may be at risk of being leaked. It can be
configured to flag or block email messages or attachments that contain privacy data,
or to take other actions to prevent the data from being transmitted.
- Encryption: Encrypting email messages and attachments can help to protect the
confidentiality of privacy data. By using encryption, organizations can ensure that the
data is only accessible to authorized users.
- Access controls: Access controls can be used to limit access to privacy data to only
those users who need it. This can be done through the use of permissions or other
security measures.
- User training and awareness: Providing users with training and awareness about
the importance of protecting privacy data can help to reduce the risk of data
breaches. This can include educating users about the proper handling of privacy data
and the consequences of mishandling it.
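As an added example (not from the worksheet or any DLP product) of the outbound e-mail control described above: a check that flags Luhn-valid payment card numbers in the message body and in attachment text, masks them for logging, and blocks the message when the recipient is external. The internal domain abccu.example and the message layout are assumptions.

```python
"""Outbound e-mail DLP check for payment card numbers (PANs), as an added example
that is not part of the worksheet or any product. Assumptions: plain-text messages,
and a constructed internal domain abccu.example used to tell internal from external."""
import re

# Candidate PAN: 13-19 digits, optionally grouped with spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; rejects order numbers and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep only the last four digits so the DLP log does not itself leak PANs."""
    return "*" * (len(digits) - 4) + digits[-4:]

def find_pans(text: str) -> list:
    """Return masked, Luhn-valid PANs found in text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(mask_pan(digits))
    return found

def dlp_verdict(message: dict) -> tuple:
    """Return ("BLOCK"|"ALLOW", hits). message has 'to', 'subject', 'body' and
    'attachments' (file name -> extracted text). A valid PAN going to an external
    recipient is blocked; internal mail is allowed but the hits are still reported."""
    hits = find_pans(message["subject"] + "\n" + message["body"])
    for name, content in message.get("attachments", {}).items():
        hits += [f"{name}: {h}" for h in find_pans(content)]
    external = not message["to"].lower().endswith("@abccu.example")  # constructed domain
    return ("BLOCK" if hits and external else "ALLOW"), hits

# Constructed sample, not customer data: 4111 1111 1111 1111 is a well-known test
# PAN; 1234 5678 9012 3456 fails Luhn and must not trigger.
SAMPLE = {
    "to": "partner@example.net",
    "subject": "Card dispute follow-up",
    "body": "Customer card 4111 1111 1111 1111, order ref 1234 5678 9012 3456.",
    "attachments": {"dispute.txt": "PAN 4111111111111111 charged twice"},
}

if __name__ == "__main__":
    print(dlp_verdict(SAMPLE))
```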

15. Should an organization terminate the employment of an employee if he/she
violates an AUP?

- It depends on the specific circumstances of the situation and the terms of the
organization's acceptable use policy (AUP). Violating an AUP may be grounds for
disciplinary action, including termination of employment, but the appropriate course
of action will depend on the severity of the violation and the specific provisions of the
AUP. It is generally best for organizations to have clear policies in place and to
consistently enforce them in a fair and transparent manner. If an employee violates
an AUP, it may be appropriate for the organization to discuss the situation with the
employee, provide them with an opportunity to explain their actions, and determine
the appropriate course of action based on the circumstances.
