Overview
For each of the identified risks and threats within the User Domain and Workstation Domain,
identify a security control or security countermeasure that can help mitigate the risk or threat.
Overview
In this lab, you are to create an organization-wide security awareness & training policy for a
mock organization to reflect the demands of a recent compliance law. Here is your scenario:
• Regional ABC Credit union/bank with multiple branches and locations throughout the region
• Online banking and use of the Internet is a strength of your bank given limited human resources
• The customer service department is the most critical business function/operation for the organization
• The organization wants to be in compliance with GLBA and IT security best practices regarding employees in the User Domain and Workstation Domain
• The organization wants to monitor and control use of the Internet by implementing content filtering
• The organization wants to eliminate personal use of organization-owned IT assets and systems
• The organization wants to monitor and control use of the e-mail system by implementing e-mail security controls
• The organization wants to implement the security awareness & training policy mandated for all new hires and existing employees. The policy definition is to include GLBA and customer privacy data requirements and mandate annual security awareness training for all employees
Purpose/Objectives
• Raise employee awareness about information security risks and best practices.
• Inform employees about the significance of maintaining confidentiality, integrity, and availability of information assets.
• Encourage employees to identify and report security incidents promptly.
• Ensure security awareness and training meet regulatory and industry standards.
Scope
This policy governs all employees, contractors, and third-party entities who have access to ABC Credit Union's information resources. It affects all seven domains of a typical IT infrastructure:
1. User Domain
2. Workstation Domain
3. LAN Domain
4. WAN Domain
5. Remote Access Domain
6. System/Application Domain
7. Data Domain
Standards
This policy follows Workstation Domain standards, including ensuring workstations are configured for security awareness training software and access to relevant resources.
• Security Software Standards: Require the use of security software on workstations for training and protection against security threats.
Procedures
ABC Credit Union will implement this policy by:
1. Developing and maintaining a security awareness and training program tailored to its needs and regulatory requirements.
2. Providing annual security awareness training to all employees, covering topics such as phishing, password security, and social engineering.
3. Providing diverse training methods, such as online courses, instructor-led sessions, and interactive modules, to accommodate different learning styles and preferences.
4. Ensuring employee participation in and completion of security awareness training, and offering remedial training if needed.
5. Providing security awareness and training during onboarding for new hires and ongoing refresher training for current employees.
Guidelines
To effectively implement this policy, ABC Credit Union will:
• Secure executive sponsorship and allocate resources for security awareness and training initiatives.
• Create training content that addresses security risks and challenges specific to ABC Credit Union's business operations and industry sector.
• Create clear channels for employees to report security concerns and request additional training resources.
• Monitor security awareness and training effectiveness using metrics such as completion rates, incident reporting trends, and employee feedback surveys.
• Regularly update and improve the security awareness and training program to address emerging threats, regulatory changes, and stakeholder feedback.
Overview
In this lab, the students reviewed and identified common risks and threats within the User Domain and Workstation Domain. From this, the elements of a security awareness training policy definition were aligned to policy definition goals and objectives. The students then created a Security Awareness & Training Policy definition focusing on the requirements as defined in the given scenario. This policy, coupled with actual security awareness training content customized to ABC Credit union/bank, can help mitigate the risks and threats within the User Domain and Workstation Domain and will contribute to the organization's overall layered security strategy.
3. What is the relationship between an Acceptable Use Policy (AUP) and a Security Awareness & Training Policy?
The Acceptable Use Policy (AUP) establishes guidelines for the proper use of company-owned IT resources, including acceptable email, internet, and data handling practices. The AUP is enhanced by the Security Awareness & Training Policy, which informs staff members about its contents, alerts them to potential security threats linked to non-compliance, and offers advice on how to successfully implement training and awareness campaigns to uphold the policy.
6. Why is it important to educate users about the risks, threats, and vulnerabilities found on the Internet and World Wide Web?
In order to equip users with the knowledge and abilities necessary to navigate cyberspace safely and securely, it is imperative that they receive education about the risks, threats, and vulnerabilities present on the Internet and World Wide Web. By becoming more knowledgeable about prevalent dangers such as malware, phishing scams, and social engineering attacks, users can identify warning indicators, proceed with caution, and take the necessary safety measures to safeguard the organization and themselves against malicious activity and cyber threats.
7. What are some strategies for preventing users or employees from downloading and installing rogue applications and software found on the Internet?
Implementing endpoint security solutions that restrict unauthorized software installations is one way to stop users or employees from downloading and installing rogue applications and software from the Internet. Other strategies include:
• Implementing firewall rules and network access controls to prevent access to dubious or unreliable websites.
• Informing users of the dangers associated with downloading and installing software from unreliable or unknown sources.
• Tracking user actions and habits to identify and stop unauthorized software installations and downloads.
• Creating precise guidelines and protocols, with suitable supervision and authorization systems in place, for software installation requests and approvals.
8. What is one strategy for preventing users from clicking on unknown e-mail attachments and files?
Using email filtering and malware detection software is one way to stop users from clicking on unknown email attachments and files. These programs have the ability to automatically check incoming emails for questionable attachments or links, quarantine them, or mark them for further inspection. Organizations can also educate users about the dangers of opening unknown attachments and motivate them to confirm the legitimacy of email senders and attachments before acting, by offering training and awareness programs.
12. Which domain typically acts as the point-of-entry into the IT infrastructure? Which domain typically acts as the point-of-entry into the IT infrastructure's systems, applications, and databases?
Usually serving as the entry point into the IT infrastructure, the Remote Access Domain allows external users to safely access organizational resources from a distance. The System/Application Domain is the main point of entry for the systems, applications, and databases that make up the IT infrastructure. It includes all of the servers, platforms, and software applications that support different business operations.
14. What other strategies can organizations implement to keep security awareness top of mind with all employees and authorized users?
Organizations can use the following techniques, in addition to official security awareness training programs, to make security awareness a priority for all staff members and authorized users:
• Consistently sending out security updates or newsletters to give timely information on new security risks, advice, and best practices.
• Testing staff members' awareness of and reactivity to phishing attacks through the conduct of simulated phishing exercises.
• Organizing workshops or events with a security theme to involve staff and encourage a security-aware culture.
• Honoring and rewarding staff members who follow best practices in security and quickly report security incidents.
• Promoting open lines of communication so that staff members can voice concerns, report suspicious activity, and ask questions.
15. Why should an organization provide updated security awareness training when a new policy is implemented throughout the User Domain or Workstation Domain?
When a new policy is applied across the User Domain or Workstation Domain, it is necessary to provide updated security awareness training to make sure that staff members are informed of any modifications to security protocols, procedures, and expectations. Organizations can improve their capacity to manage risks, uphold regulatory compliance, and securely protect sensitive data by stressing the value of adhering to updated policies and training staff on any new security requirements or guidelines.