
Đào Quốc Trung – SE151141

LAB 1 – Craft an Organization-Wide Security Management Policy for Acceptable Use


ABC Credit Union
Merchant Card Processing Policy
Policy Statement
In order to accept credit or debit card payments and comply with GLBA and IT security best practice, ABC Credit Union must:
1. Protect consumer and customer records, which will help to build and strengthen consumer reliability and trust.
2. Give customers assurance that their information will be kept secure by the institution.
3. Ensure that the payment process and related recordkeeping adhere to organization accounting guidelines, the Payment Card Industry Data Security Standard (PCI DSS), and all applicable legislation.
Purpose/Objectives
The purpose of this policy is to ensure the following:
- Private information must be secured against unauthorized access.
- Customers must be notified of private information sharing between financial institutions and third parties and must have the ability to opt out of such sharing.
- User activity must be tracked, including any attempts to access protected records.
Scope
All company data stored on electronic devices, hardware, software and other resources, whether owned or leased by an employee or third party, is part of the company's assets.
- The server room must be locked to ensure that physical access is restricted.
- All device access to the internal network must be monitored and controlled.
- Any account with more than 5 failed login attempts must be blocked.
- Critical business functions (e.g. the customer service department) must have a backup plan, recovery plan, … to make sure their downtime is minimized.
- Only authorized people can access a specific resource.
- All inbound and outbound traffic must be filtered.
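As an added example (not part of the original lab document), the Python script below shows how the lockout rule in the Scope section can be enforced and audited. It replays a constructed authentication log, counts consecutive failed logins per account, blocks an account once it exceeds 5 failures, and records any later attempts against a blocked account so they can be reviewed. The log line format, the account names and the timestamps are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Policy rule from the Scope section: any account with more than 5 failed
# login attempts must be blocked.
MAX_FAILED_ATTEMPTS = 5

# Constructed sample authentication log (hypothetical format:
# "<timestamp> login user=<account> result=FAIL|SUCCESS").
SAMPLE_AUTH_LOG = """\
2024-01-10T08:00:01 login user=alice result=FAIL
2024-01-10T08:00:05 login user=alice result=FAIL
2024-01-10T08:00:09 login user=alice result=SUCCESS
2024-01-10T09:12:00 login user=bob result=FAIL
2024-01-10T09:12:04 login user=bob result=FAIL
2024-01-10T09:12:08 login user=bob result=FAIL
2024-01-10T09:12:12 login user=bob result=FAIL
2024-01-10T09:12:16 login user=bob result=FAIL
2024-01-10T09:12:20 login user=bob result=FAIL
2024-01-10T09:12:24 login user=bob result=SUCCESS
2024-01-10T10:00:00 login user=carol result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def evaluate_lockouts(log_text, max_failed=MAX_FAILED_ATTEMPTS):
    """Replay the log in order and apply the lockout rule.

    Returns (blocked, rejected, failures):
      blocked  - account -> timestamp at which it exceeded max_failed failures
      rejected - events that arrived for an already blocked account; these
                 must be refused regardless of the credentials presented
      failures - current consecutive-failure count per account
    """
    failures = defaultdict(int)
    blocked = {}
    rejected = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a real system would log and alert on it
        ts, user, result = m.group("ts", "user", "result")
        if user in blocked:
            rejected.append((ts, user, result))
            continue
        if result == "SUCCESS":
            failures[user] = 0  # a successful login resets the counter
        else:
            failures[user] += 1
            if failures[user] > max_failed:
                blocked[user] = ts
    return blocked, rejected, dict(failures)


if __name__ == "__main__":
    blocked, rejected, failures = evaluate_lockouts(SAMPLE_AUTH_LOG)
    for user, ts in blocked.items():
        print(f"BLOCK {user}: exceeded {MAX_FAILED_ATTEMPTS} failed logins at {ts}")
    for ts, user, result in rejected:
        print(f"REJECT {ts} {user}: account blocked (attempt result={result})")
```

In the sample log, bob is blocked on the sixth failure and the later successful authentication is rejected, which is the point of the rule: once the threshold is crossed, even correct credentials must not reopen the account until it is unblocked through the documented procedure. Exactly 5 failures do not trigger a block, matching the "more than 5" wording of the policy.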
Procedures
- Prepare the documentation of policies and a timeline for the process.
- Inform all relevant entities (employees, users, third parties) of the implementation; they will need to agree to the Acceptable Use Policy.
- The IT department is responsible for supervising the implementation.
- The leader of the IT department is responsible for reporting the bank's policy compliance monthly to the executive director.
Guidelines
The covered financial institutions must:
- Create a written information security plan describing the program to protect their customers' information.
- Designate one or more employees to coordinate its information security program.
- Identify and assess the risks to customer information in each relevant area of the company's operation, and evaluate the effectiveness of the current safeguards for controlling these risks.
- Design and implement a safeguards program, and regularly monitor and test it.
- Select service providers that can maintain safeguards, and oversee their handling of customer information.
- Evaluate and adjust the program in light of relevant circumstances, including changes in the firm's business or operations, or the results of security testing and monitoring.
- Any exception to this policy will be examined and approved by the IT department.
- All individuals must obey the AUPs. Violations can lead to disciplinary action up to and including termination, civil penalties, and/or criminal penalties, depending on the extent of the violation and the bank's policies.

Craft an Organization-Wide Security Management Policy for Acceptable Use
1. What are the top risks and threats from the User Domain?
- Phishing attacks: These are fraudulent emails or messages that are designed to trick users into
disclosing sensitive information, such as passwords or financial details.
- Malware: This includes viruses, worms, and other malicious software that can be used to steal
data or disrupt systems.
- Social engineering: This involves using psychological manipulation to trick users into
divulging sensitive information or taking actions that could compromise security.
- Unsecured networks: If users access the internet over an unsecured network, their data and
devices may be vulnerable to attack.
- Lack of awareness: Users who are not aware of security risks and best practices may be more
likely to fall victim to attacks or to accidentally compromise security.
- Weak passwords: Users who use weak passwords or reuse passwords across multiple
accounts are more vulnerable to attack.
- Access controls: If users have access to sensitive systems or data that they do not need for
their job duties, it can increase the risk of unauthorized access or data breaches.
- Physical security: Users who do not secure their devices and workstations properly may leave
them vulnerable to theft or tampering.
2. Why do organizations have acceptable use policies (AUPs)?
There are several reasons why organizations have acceptable use policies:
- To protect the organization's assets: AUPs can help to protect the organization's systems, data,
and other assets from misuse or abuse.
- To maintain security: AUPs can help to ensure that employees and other users follow best
practices for security and do not inadvertently compromise the organization's security.
- To ensure compliance: AUPs can help organizations to comply with relevant laws and
regulations, such as data protection laws and intellectual property laws.
- To promote productivity: AUPs can help to ensure that employees and other users are using
company resources for legitimate business purposes and are not engaging in activities that
could distract from their work or disrupt the organization.
3. Can internet use and e-mail use policies be covered in an Acceptable Use Policy?
- Yes, internet use and e-mail use policies can be covered in an acceptable use policy (AUP).
An AUP is a set of guidelines that outline the acceptable behavior and use of company
resources by employees, contractors, and other users. These policies can cover a wide range
of topics, including internet use and e-mail use.

4. Do compliance laws such as HIPAA or GLBA play a role in AUP definition?
- Yes, compliance laws such as HIPAA (Health Insurance Portability and Accountability Act) and GLBA (Gramm-Leach-Bliley Act) can play a role in the definition of an acceptable use policy (AUP). AUPs are guidelines that outline the acceptable behavior and use of company resources by employees, contractors, and other users. These policies are put in place to protect the organization and its assets, as well as to ensure that employees and other users understand the expectations and limitations of their use of company resources.

5. Why is an acceptable use policy not a failsafe means of mitigating risks and threats
within the User Domain?
- An acceptable use policy, or AUP, is a set of rules that users of a network or service must agree to
follow in order to use that network or service. It is a way of defining what users are allowed to do, and
what they are not allowed to do, while using the network or service.
- While an AUP can be an effective means of mitigating certain risks and threats within the user
domain, it is not a failsafe solution. This is because it relies on users following the rules and
guidelines set out in the AUP. If users do not follow these rules, it can be difficult to enforce the AUP
and prevent risks and threats from occurring.
- Additionally, an AUP alone may not be sufficient to fully mitigate all risks and threats within the
user domain. It is important to have other security measures in place, such as network security
protocols and user authentication processes, to provide a comprehensive approach to risk
management.

6. Will the AUP apply to all levels of the organization, why or why not?
- An acceptable use policy (AUP) typically applies to all users of a network or service, regardless of
their level within an organization. This is because the AUP is meant to establish rules and guidelines
for the appropriate use of the network or service, and these rules should apply to all users to ensure
the security and integrity of the network or service.

7. When should this policy be implemented and how?
- An acceptable use policy (AUP) should be implemented as soon as possible after the decision has been made to create one. This is because an AUP is an important tool for establishing rules and guidelines for the appropriate use of a network or service, and it is important for users to be aware of these rules from the outset.
There are several steps that an organization can take to implement an AUP:
- Determine the scope and purpose of the AUP: It is important to define the scope and purpose of the AUP before drafting it. This will help ensure that the AUP covers all necessary areas and addresses the specific needs and concerns of the organization.
- Draft the AUP: Once the scope and purpose of the AUP have been determined, the AUP can be drafted. This should include a list of specific activities that are allowed and not allowed, as well as any consequences for violating the AUP.
- Communicate the AUP to users: It is important to make sure that all users are aware of the AUP and understand their responsibilities under it. This can be done through a variety of means, such as email, training sessions, or posting the AUP on the organization's website.
- Obtain user agreement: Users should be required to agree to the terms of the AUP before they are granted access to the network or service. This can be done through a user agreement or acceptance process.
- Monitor and enforce compliance: It is important to monitor compliance with the AUP and take appropriate action when violations occur. This may include revoking access to the network or service, or taking other disciplinary action as necessary.

8. Why does an organization want to align its policies with the existing compliance
requirements?
An organization may want to align its policies with existing compliance requirements for several
reasons. Some of the most common reasons include:
- To meet legal and regulatory requirements: Many industries are subject to various laws and regulations that require organizations to follow certain practices and procedures. Aligning policies with these requirements can help ensure that the organization is in compliance with these laws and regulations.
- To protect the organization's reputation: By following compliance requirements, an organization can demonstrate its commitment to ethical practices and help protect its reputation.
- To reduce risk: Compliance with laws and regulations can help an organization avoid fines and penalties, as well as protect against legal liability.
- To improve efficiency: Aligning policies with compliance requirements can help streamline processes and improve efficiency, as it can help ensure that everyone in the organization is following the same rules and procedures.

9. Why is it important to flag any existing standards (hardware, software, configuration, etc.) from an AUP?
- It is important to flag any existing standards (such as hardware, software, or configuration standards) in an acceptable use policy (AUP) because these standards may impact the way in which users are able to access and use the network or service. For example, if an organization has specific hardware or software requirements in place, users may need to ensure that their devices meet these requirements in order to be able to access the network or service.

10. Where in the policy definition do you define how to implement this policy within
your organization?
- The implementation of an acceptable use policy (AUP) within an organization should be defined in
the policy itself. This can typically be done in a section of the AUP that outlines the procedures and
processes for enforcing the policy and ensuring compliance.
- In this section, the AUP should outline the steps that the organization will take to communicate the policy to users, as well as the process for obtaining user agreement to the terms of the policy. The AUP should also outline any specific procedures that will be followed to monitor and enforce compliance with the policy, as well as any consequences for violating the policy.

11. Why must an organization have an Acceptable Use Policy (AUP) even for non-employees such as contractors, consultants, and other 3rd parties?
- An acceptable use policy (AUP) should be in place for non-employees such as contractors,
consultants, and other third parties because these individuals may have access to the organization's
network or other resources. This access can present risks to the organization if the individuals do not
follow appropriate rules and guidelines for using the network or resources.

12. What security control can be deployed to monitor and mitigate users from accessing
external websites that are potentially in violation of an AUP?
There are several security controls that can be deployed to monitor and mitigate users from accessing
external websites that are potentially in violation of an acceptable use policy (AUP). Some of the most
common options include:
- Web filters: Web filters are software tools that can be used to block access to specific websites or categories of websites. They can be configured to block websites that are known to violate the AUP, such as sites that contain malicious content or sites that are not related to work activities.
- URL filtering: URL filtering is a technique that can be used to block access to specific URLs or groups of URLs. This can be useful for blocking access to specific websites or pages that are known to violate the AUP.
- Network firewalls: Network firewalls can be configured to block access to specific websites or categories of websites. They can also be used to block access to certain types of content, such as streaming video or peer-to-peer file sharing.
- Traffic monitoring: Traffic monitoring involves monitoring the network traffic of users to identify suspicious or inappropriate activity. This can be done through the use of network monitoring tools that can identify patterns of behavior that may indicate an attempt to access prohibited websites or engage in activities that violate the AUP.

13. What security control can be deployed to monitor and mitigate users from accessing
external webmail systems and services (i.e., Hotmail, Gmail, Yahoo, etc.)?
There are several security controls that can be deployed to monitor and mitigate users from accessing
external webmail systems and services. Some of the most common options include:
- Web filters: Web filters are software tools that can be used to block access to specific websites or categories of websites. They can be configured to block access to webmail systems and services that are not authorized by the organization.
- URL filtering: URL filtering is a technique that can be used to block access to specific URLs or groups of URLs. This can be useful for blocking access to webmail systems and services that are not authorized by the organization.
- Network firewalls: Network firewalls can be configured to block access to specific websites or categories of websites. They can also be used to block access to certain types of content, such as webmail systems and services.
- Traffic monitoring: Traffic monitoring involves monitoring the network traffic of users to identify suspicious or inappropriate activity. This can be done through the use of network monitoring tools that can identify patterns of behavior that may indicate an attempt to access prohibited webmail systems and services.
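The controls listed in questions 12 and 13 (web filters, URL filtering and traffic monitoring) share one decision engine, so the following Python example, added here and not part of the original lab document, implements all three together: a category-based web filter, an exact URL blocklist, a list of unauthorized webmail domains, and a pass over a constructed proxy log that records blocked requests per user for AUP review. The domain names, categories and log format are assumptions invented for the example; a real deployment would load its category feed from the filtering product in use.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed policy tables (hypothetical; a real deployment would load a
# vendor category feed and the organization's own lists).
BLOCKED_CATEGORIES = {"malware", "gambling", "streaming", "p2p"}
CATEGORY_BY_DOMAIN = {
    "malware-example.test": "malware",
    "bets-example.test": "gambling",
    "video-example.test": "streaming",
    "intranet.example.test": "business",
    "supplier.example.test": "business",
}
# External webmail services not authorized by the organization (question 13).
WEBMAIL_DOMAINS = {"mail.example-webmail.test", "webmail.example-webmail.test"}
# URL filtering: individual paths blocked inside otherwise allowed sites.
BLOCKED_URL_PREFIXES = ("http://supplier.example.test/games/",)

# Constructed proxy log: "<timestamp> <user> <url>".
SAMPLE_PROXY_LOG = """\
2024-01-10T08:01:00 alice http://intranet.example.test/portal
2024-01-10T08:02:00 alice http://mail.example-webmail.test/inbox
2024-01-10T08:03:00 bob https://video-example.test/watch?v=1
2024-01-10T08:04:00 bob http://supplier.example.test/games/solitaire
2024-01-10T08:05:00 bob http://supplier.example.test/orders
2024-01-10T08:06:00 carol http://unknown-example.test/
"""
PROXY_LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<url>\S+)$")


def parent_domains(host):
    """'a.b.c' -> ['a.b.c', 'b.c', 'c'] so that list entries also cover subdomains."""
    parts = host.split(".")
    return [".".join(parts[i:]) for i in range(len(parts))]


def classify(url):
    """Return (action, reason) for one request. Checks run from most specific
    to least specific: webmail list, exact URL prefixes, then domain category."""
    host = (urlsplit(url).hostname or "").lower()
    if any(d in WEBMAIL_DOMAINS for d in parent_domains(host)):
        return "BLOCK", "unauthorized-webmail"
    if url.startswith(BLOCKED_URL_PREFIXES):
        return "BLOCK", "url-blocklist"
    for d in parent_domains(host):
        category = CATEGORY_BY_DOMAIN.get(d)
        if category is not None:
            if category in BLOCKED_CATEGORIES:
                return "BLOCK", category
            return "ALLOW", category
    # Uncategorized sites are allowed here but labelled so they can be reviewed;
    # a stricter policy would block them.
    return "ALLOW", "uncategorized"


def filter_log(log_text):
    """Apply classify() to every request; return decisions and, for the
    traffic-monitoring control, the blocked requests grouped per user."""
    decisions = []
    violations = defaultdict(list)
    for line in log_text.splitlines():
        m = PROXY_LINE_RE.match(line)
        if not m:
            continue
        ts, user, url = m.group("ts", "user", "url")
        action, reason = classify(url)
        decisions.append((ts, user, url, action, reason))
        if action == "BLOCK":
            violations[user].append((ts, url, reason))
    return decisions, dict(violations)


if __name__ == "__main__":
    decisions, violations = filter_log(SAMPLE_PROXY_LOG)
    for ts, user, url, action, reason in decisions:
        print(f"{ts} {user:6} {action:5} {reason:22} {url}")
    for user, events in violations.items():
        print(f"AUP review: {user} had {len(events)} blocked request(s)")
```

The ordering inside classify() matters: the webmail and URL lists are checked before the category lookup so that a path blocked inside an otherwise allowed business site is still caught. The per-user violation summary is what the traffic-monitoring control feeds into the enforcement procedure described in question 7.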

14. What security controls can be deployed to monitor and mitigate users embedding privacy data in e-mail messages and/or attaching documents that may contain privacy data?
There are several security controls that can be deployed to monitor and mitigate users from
embedding privacy data in email messages and attaching documents that may contain privacy data.
Some of the most common options include:
- Data loss prevention (DLP) software: DLP software is designed to monitor outbound data and identify sensitive information that may be at risk of being leaked. It can be configured to flag or block email messages or attachments that contain privacy data, or to take other actions to prevent the data from being transmitted.
- Encryption: Encrypting email messages and attachments can help to protect the confidentiality of privacy data. By using encryption, organizations can ensure that the data is only accessible to authorized users.
- Access controls: Access controls can be used to limit access to privacy data to only those users who need it. This can be done through the use of permissions or other security measures.
- User training and awareness: Providing users with training and awareness about the importance of protecting privacy data can help to reduce the risk of data breaches. This can include educating users about the proper handling of privacy data and the consequences of mishandling it.
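To make the DLP control concrete, here is an added Python example (not part of the original lab document) of the core check such software performs on outbound mail: it scans the subject, body and extracted attachment text for payment card numbers and US Social Security Numbers, uses the Luhn checksum to discard reference numbers that merely look like card numbers, and then blocks the message when privacy data is addressed outside the organization or flags it for review when delivery is internal. The internal domain, the sample message and all numbers in it are constructed test values.

```python
import re
from dataclasses import dataclass, field

# Domain treated as internal; mail to any other domain leaves the organization.
INTERNAL_DOMAIN = "abc-credit-union.test"  # assumed placeholder

# Candidate payment card numbers: 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# US Social Security Number in the common ddd-dd-dddd form.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class OutboundEmail:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> extracted text


def luhn_valid(digits):
    """Luhn checksum; filters out order/reference numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_privacy_data(text):
    """Return [(kind, matched_text)] for privacy data found in one text fragment."""
    findings = []
    for m in CARD_RE.finditer(text):
        raw = m.group().strip()
        digits = re.sub(r"[ -]", "", raw)
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            findings.append(("card_number", raw))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()))
    return findings


def evaluate_email(email, internal_domain=INTERNAL_DOMAIN):
    """Scan subject, body and attachment text; decide ALLOW, FLAG or BLOCK."""
    findings = []
    parts = [("subject", email.subject), ("body", email.body)]
    parts += list(email.attachments.items())
    for location, text in parts:
        for kind, value in find_privacy_data(text):
            findings.append((location, kind, value))
    if not findings:
        return "ALLOW", findings
    external = [r for r in email.recipients
                if not r.lower().endswith("@" + internal_domain)]
    if external:
        # privacy data addressed outside the organization: stop the message
        return "BLOCK", findings
    # internal delivery: let it through but record it for review
    return "FLAG", findings


# Constructed sample message; all values are fabricated test data.
SAMPLE_EMAIL = OutboundEmail(
    sender="teller@abc-credit-union.test",
    recipients=["partner@example-vendor.test"],
    subject="Customer follow-up",
    body=("Order ref 4111 1111 1111 1112 shipped. "
          "Card on file 4111-1111-1111-1111, SSN 123-45-6789."),
    attachments={"statement.txt": "Account holder SSN: 987-65-4320"},
)

if __name__ == "__main__":
    decision, findings = evaluate_email(SAMPLE_EMAIL)
    print(decision)
    for location, kind, value in findings:
        print(f"  {location}: {kind} {value}")
```

The sample body contains two 16-digit strings; only the one that passes the Luhn check is reported, which is the usual way DLP rules keep the false-positive rate tolerable. Attachments are scanned from their extracted text, so the same check covers a PDF statement once the content has been extracted; the encryption and access-control items above remain necessary because this check only sees what leaves through the mail gateway.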

15. Should an organization terminate the employment of an employee if he/she violates an AUP?
- It depends on the specific circumstances of the situation and the terms of the organization's
acceptable use policy (AUP). Violating an AUP may be grounds for disciplinary action,
including termination of employment, but the appropriate course of action will depend on the
severity of the violation and the specific provisions of the AUP. It is generally best for
organizations to have clear policies in place and to consistently enforce them in a fair and
transparent manner. If an employee violates an AUP, it may be appropriate for the
organization to discuss the situation with the employee, provide them with an opportunity to
explain their actions, and determine the appropriate course of action based on the
circumstances.
