
Student Name: Đào Quốc Trung

Course Name: IAP301

Elements of a Security Awareness & Training Policy


User Domain Risks & Threats / Risk Mitigation Tactic/Solution

1. Risk/Threat: Dealing with humans and human nature
   Mitigation: Create a Security-Conscious Culture: Building a culture of security within the organization is crucial to mitigating the risk of security incidents related to human behavior.

2. Risk/Threat: User or employee apathy towards information systems security policy
   Mitigation: Provide Security Awareness Training: Providing regular security awareness training to employees can help educate them on the importance of information systems security policy and the potential consequences of non-compliance. This can also help employees understand how their actions can impact the organization's security posture.

3. Risk/Threat: Accessing the Internet is like opening "Pandora's box" given the threat from attackers
   Mitigation: Implement Firewall Protection: Firewalls are a key component of a secure network, and can help block unauthorized access to systems and data. By implementing firewalls at the network perimeter, organizations can help reduce the likelihood of cyber attacks.

4. Risk/Threat: Surfing the web can be a dangerous trek in unknown territory
   Mitigation: Use Security Tools: Implementing security tools, such as anti-virus and anti-malware software, can help detect and prevent attacks.

5. Risk/Threat: Opening e-mails and unknown e-mail attachments can unleash malicious software and code
   Mitigation: Use Spam Filters: Implementing spam filters can help prevent malicious e-mails from reaching users' inboxes, reducing the likelihood of phishing attacks and malware infections.

6. Risk/Threat: Installing unauthorized applications, files, or data on organization-owned IT assets can be dangerous
   Mitigation: Use Access Controls: Implementing access controls, such as user authentication and authorization, can help prevent unauthorized access to systems and data.

7. Risk/Threat: Downloading applications or software with hidden malicious software or code
   Mitigation: Download from Trusted Sources: Downloading applications or software from trusted sources, such as official websites and app stores, can help reduce the likelihood of downloading software with hidden malicious software or code.

8. Risk/Threat: Clicking on an unknown URL link with hidden scripts
   Mitigation: Use Anti-Phishing Software: Using anti-phishing software can help detect and block suspicious links and websites.

9. Risk/Threat: Unauthorized access to workstation
   Mitigation: Use Strong Passwords: Using strong passwords, including a combination of letters, numbers, and special characters, can help prevent unauthorized access to workstations.

10. Risk/Threat: Operating system software vulnerabilities
    Mitigation: Apply Security Patches: Applying security patches and updates to the operating system software can help address known vulnerabilities and prevent exploits.

11. Risk/Threat: Application software vulnerabilities
    Mitigation: Use Antivirus and Antimalware Software: Using antivirus and antimalware software can help detect and block malware that may exploit vulnerabilities in the application software.

12. Risk/Threat: Viruses, Trojans, worms, spyware, malicious software/code, etc.
    Mitigation: Use Firewall Protection: Using firewall protection can help prevent unauthorized access to computer systems and networks and block network traffic that may contain malicious code.

13. Risk/Threat: User inserts CDs, DVDs, USB thumb drives with personal files onto organization-owned IT assets
    Mitigation: Use Device Control: Using device control software can help restrict access to external storage devices and prevent users from inserting personal CDs, DVDs, USB thumb drives, or other external storage devices onto organization-owned IT assets.

14. Risk/Threat: User downloads unauthorized applications and software onto organization-owned IT assets
    Mitigation: Use Application Control: Using application control software can help restrict access to unauthorized applications and software and prevent users from downloading and installing them on organization-owned IT assets.

15. Risk/Threat: User installs unauthorized applications and software onto organization-owned IT assets
    Mitigation: Use Application Control: Using application control software can help restrict access to unauthorized applications and software and prevent users from installing them on organization-owned IT assets.

Craft an Organization-Wide Security Awareness & Training Policy

ABC Credit Union
Security Awareness & Training Policy

Policy Statement
ABC Credit Union/Bank is committed to ensuring the security and confidentiality of customer data.
The purpose of this Security Awareness & Training Policy is to ensure that all employees are aware of
their responsibilities and obligations to protect customer data, as well as to provide them with the
necessary skills and knowledge to safeguard the organization's IT assets.

Purpose/Objectives
The purpose of this policy is to establish a comprehensive security awareness and training program
that will enable employees to:

• Understand their role in protecting customer data
• Recognize potential security threats and vulnerabilities
• Identify and report security incidents
• Comply with GLBA and IT security best practices regarding employees in the User Domain and Workstation Domain
• Eliminate personal use of organization-owned IT assets and systems
• Control and monitor the use of the Internet and e-mail systems
• Implement content filtering and e-mail security controls
• Mandate annual security awareness training for all employees

Scope
This policy covers all employees of ABC Credit Union/Bank and is applicable to all IT assets and
organization-owned systems, including those within the User Domain and Workstation Domain. The
policy also covers the use of the Internet and e-mail systems within the organization.

Standards
This policy adheres to the Workstation Domain standards established by the organization, which
includes the use of approved software and hardware, regular updates and patching of software, and the
prohibition of unauthorized access to organization-owned IT assets and systems.

Procedures

To implement this policy, all new hires and existing employees will be required to complete annual security awareness training. The training will cover the following topics:

• Overview of the organization's security policies and procedures
• Best practices for protecting customer data and organization-owned IT assets
• Common security threats and vulnerabilities, and how to recognize and report them
• Use of the Internet and e-mail systems, including content filtering and e-mail security controls
• Consequences of non-compliance with security policies and procedures

The security awareness training will be delivered via an online platform and must be completed by all employees within 30 days of their start date or the annual training date. Non-compliance with the security awareness training requirement will result in disciplinary action.

Guidelines

In implementing this policy, the organization recognizes that there may be roadblocks or challenges that must be addressed. To ensure the success of the security awareness and training program, the following guidelines will be followed:

• Regular updates and communications will be provided to all employees regarding the importance of security and their role in safeguarding customer data and organization-owned IT assets.
• Any incidents or violations of security policies and procedures will be thoroughly investigated, and appropriate disciplinary action will be taken.
• The organization will work to ensure that all IT assets and systems are secure, including implementing content filtering and e-mail security controls.

Craft an Organization-Wide Security Awareness & Training Policy
1. How does a security awareness & training policy impact an organization’s ability to
mitigate risks, threats, and vulnerabilities?
- A security awareness & training policy can help to educate and train employees on how
to identify and mitigate risks, threats, and vulnerabilities within the User Domain and
Workstation Domain. This can lead to better security practices and reduced security
incidents.
2. Why do you need a security awareness & training policy if you have new hires attend or
participate in the organization’s security awareness training program during new hire
orientation?
- A security awareness & training policy is needed to ensure that all employees receive
consistent and ongoing security awareness training, not just during new hire orientation. It
also provides guidelines and expectations for employee behavior and responsibilities
regarding IT security.
3. What is the relationship between an Acceptable Use Policy (AUP) and a Security
Awareness & Training Policy?
- An Acceptable Use Policy (AUP) typically outlines the acceptable use of IT assets and
systems, while a Security Awareness & Training Policy focuses on educating and training
employees on IT security best practices. However, both policies are important in
promoting a strong security culture and reducing security incidents.
4. Why is it important to prevent users from engaging in downloading or installing
applications and software found on the Internet?
- Downloading or installing applications and software found on the Internet can introduce
malware and other security vulnerabilities into the IT infrastructure, which can
compromise sensitive data and systems.
5. When trying to combat software vulnerabilities in the Workstation Domain, what is
needed most to deal with operating system, application, and other software
installations?
- Regular software updates and patches are needed to combat software vulnerabilities in the
Workstation Domain.
6. Why is it important to educate users about the risks, threats, and vulnerabilities found
on the Internet and World Wide Web?
- Educating users about the risks, threats, and vulnerabilities found on the Internet and
World Wide Web can help them to identify and avoid potential security threats and
minimize the risk of a security incident.
7. What are some strategies for preventing users or employees from downloading and
installing rogue applications and software found on the Internet?
- Strategies for preventing users from downloading and installing rogue applications and
software include implementing content filtering, restricting user permissions, and
educating employees on the risks of unauthorized software installation.
8. What is one strategy for preventing users from clicking on unknown e-mail attachments
and files?
- One strategy for preventing users from clicking on unknown e-mail attachments and files
is to provide training on how to identify and avoid phishing and social engineering
attacks.
9. Why should social engineering be included in security awareness training?
- Social engineering should be included in security awareness training because it is a
common tactic used by attackers to gain access to sensitive data and systems. Educating
employees on how to identify and avoid social engineering attacks can reduce the risk of
a security incident.
10. Which 2 domains of a typical IT infrastructure are the focus of a Security Awareness &
Training Policy?
- The User Domain and Workstation Domain are the focus of a Security Awareness &
Training Policy.
11. Why should you include organization-wide policies in employee security awareness
training?
- Including organization-wide policies in employee security awareness training helps to
reinforce the importance of IT security and the organization's commitment to maintaining
a strong security culture.
12. Which domain typically acts as the point-of-entry into the IT infrastructure? Which
domain typically acts as the point-of-entry into the IT infrastructure’s systems,
applications, databases?
- The User Domain typically acts as the point-of-entry into the IT infrastructure, while the
Workstation Domain typically acts as the point-of-entry into the IT infrastructure's
systems, applications, and databases.
13. Why does an organization need a policy on conducting security awareness training
annually and periodically?
- An organization needs a policy on conducting security awareness training annually and
periodically to ensure that all employees receive consistent and ongoing training on IT
security best practices and to reinforce the organization's commitment to maintaining a
strong security culture.
14. What other strategies can organizations implement to keep security awareness top of
mind with all employees and authorized users?
- Other strategies that organizations can implement to keep security awareness top of mind
with all employees and authorized users include sending out regular security bulletins,
conducting simulated phishing and social engineering attacks, and providing incentives
for good security practices.
15. Why should an organization provide updated security awareness training when a new
policy is implemented throughout the User Domain or Workstation Domain?
- Providing updated security awareness training when a new policy is implemented
throughout the User Domain or Workstation Domain ensures that employees are aware of
the new policies and understand their roles and responsibilities in maintaining the
organization's security posture.