
Lab #5 – Assessment Worksheet

Elements of a Security Awareness & Training Policy

Course Name: IAP301


Student Name: Phạm Thị Minh Thúy (HE171100)
Instructor Name: Hoàng Mạnh Đức

Overview
For each of the identified risks and threats within the User Domain and Workstation Domain,
identify a security control or security countermeasure that can help mitigate the risk or threat.

User Domain Risks & Threats (left) and Risk Mitigation Tactic/Solution (right)

Risk/Threat: Dealing with humans and human nature
Mitigation: Create an environment of security within the organization and regularly provide training to raise awareness about security measures.

Risk/Threat: User or employee apathy towards information systems security policy
Mitigation: Develop concise and transparent policies, ensuring effective communication of these guidelines. Utilize engaging training methods to underscore the significance of compliance.

Risk/Threat: Accessing the Internet is like opening “Pandora’s box” given the threat from attackers
Mitigation: To deter access to harmful websites, implement firewall regulations and web filtering. Enhance perimeter protection by employing intrusion detection systems.

Risk/Threat: Surfing the web can be a dangerous trek in unknown territory
Mitigation: To identify and block access to websites notorious for hosting malware or phishing attacks, utilize online reputation services.

Risk/Threat: Opening e-mails and unknown e-mail attachments can unleash malicious software and codes
Mitigation: Set up an email security gateway to scan for viruses and phishing scams. Educate users on recognizing and reporting suspicious emails.

Risk/Threat: Installing unauthorized applications, files, or data on organization-owned IT assets can be dangerous
Mitigation: To prevent unauthorized installations, employ restrictions on administrator privileges and utilize application whitelisting.

Risk/Threat: Downloading applications or software with hidden malicious software or codes
Mitigation: Supervise and regulate internet traffic through a secure gateway while implementing real-time scanning for endpoint protection.

Risk/Threat: Clicking on an unknown URL link with hidden scripts
Mitigation: Utilize state-of-the-art threat prevention tools equipped with real-time malware analysis and blocking functionalities.

Risk/Threat: Unauthorized access to workstation
Mitigation: Ensure that workstations are securely shut down when not in use and implement strong user authentication methods, such as multi-factor authentication.

Risk/Threat: Operating system software vulnerabilities
Mitigation: Utilize vulnerability management resources and apply the most recent security upgrades to operating systems.

Risk/Threat: Application software vulnerabilities
Mitigation: Perform frequent security audits and update programs to the most recent versions.

Risk/Threat: Viruses, Trojans, worms, spyware, malicious software/code, etc.
Mitigation: Update your antivirus software frequently and make use of behavior-based malware detection.

Risk/Threat: User inserts CDs, DVDs, USB thumb drives with personal files onto organization-owned IT assets
Mitigation: Implement strict network-level application limitations and access controls to prevent unauthorized downloads.

Risk/Threat: User downloads unauthorized applications and software onto organization-owned IT assets
Mitigation: Group policies can be used to centrally manage user access and application installation privileges.

Risk/Threat: User installs unauthorized applications and software onto organization-owned IT assets
Mitigation: Group policies can be used to centrally control application installation privileges and user access.


Overview
In this lab, you are to create an organization-wide security awareness & training policy for a
mock organization to reflect the demands of a recent compliance law. Here is your scenario:
• Regional ABC Credit union/bank with multiple branches and locations throughout the
region
• Online banking and use of the Internet is a strength of your bank given limited human
resources
• The customer service department is the most critical business function/operation for the
organization
• The organization wants to be in compliance with GLBA and IT security best practices
regarding employees in the User Domain and Workstation Domain
• The organization wants to monitor and control use of the Internet by implementing content
filtering
• The organization wants to eliminate personal use of organization owned IT assets and
systems
• The organization wants to monitor and control use of the e-mail system by implementing e-
mail security controls
• Organization wants to implement the security awareness & training policy mandated for all
new hires and existing employees. Policy definition to include GLBA and customer privacy
data requirements and mandate annual security awareness training for all employees

ABC Credit Union

Security Awareness & Training Policy
Policy Statement
ABC Credit Union understands the critical role of security awareness and training in
protecting our information assets and mitigating potential risks. This Security Awareness and
Training Policy establishes guidelines and procedures to ensure that all employees are
properly trained and equipped to detect and respond to security threats.

Purpose/Objectives
• Raise employee awareness about information security risks and best practices.
• Inform employees about the significance of maintaining confidentiality, integrity, and
availability of information assets.
• Encourage employees to identify and report security incidents promptly.
• Ensure security awareness and training meet regulatory and industry standards.
Scope
This policy governs all employees, contractors, and third-party entities who have access to
ABC Credit Union's information resources. It applies to all seven domains of a typical IT
infrastructure:
1. User Domain
2. Workstation Domain
3. LAN Domain
4. WAN Domain
5. Remote Access Domain
6. System/Application Domain
7. Data Domain

Standards
This policy follows Workstation Domain standards, including a requirement that workstations
be configured to run security awareness training software and to reach the relevant training resources.
• Security Software Standards: Require the use of security software on workstations for
training and protection against security threats.

Procedures
To implement this policy, ABC Credit Union will:
1. Develop and maintain a security awareness and training program tailored to the
organization's needs and regulatory requirements.
2. Provide annual security awareness training to all employees, covering topics like
phishing, password security, and social engineering.
3. Provide diverse training methods, such as online courses, instructor-led sessions,
and interactive modules, to accommodate different learning styles and preferences.
4. Ensure employee participation and completion of security awareness training, and
offer remedial training if needed.
5. Provide security awareness and training during onboarding for new hires and
ongoing refresher training for current employees.

Guidelines
To effectively implement this policy, ABC Credit Union will:
• Secure executive sponsorship and allocate resources for security awareness and
training initiatives.
• Create training content to address security risks and challenges specific to ABC
Credit Union's business operations and industry sector.
• Create clear channels for employees to report security concerns and request
additional training resources.
• Monitor security awareness and training effectiveness using metrics like completion
rates, incident reporting trends, and employee feedback surveys.
• Regularly update and improve the security awareness and training program to address
emerging threats, regulatory changes, and stakeholder feedback.


Overview
In this lab, the students reviewed and identified common risks and threats within the User
Domain and Workstation Domain. From this, the elements of a security awareness training
policy definition were aligned to policy definition goals and objectives. The students then
created a Security Awareness & Training Policy definition focusing on the requirements as
defined in the given scenario. This policy, coupled with actual security awareness training
content customized to ABC Credit union/bank, can help mitigate the risks and threats within
the User Domain and Workstation Domain and will contribute to the organization’s overall
layered security strategy.

Lab Assessment Questions & Answers


1. How does a security awareness & training policy impact an organization’s ability
to mitigate risks, threats, and vulnerabilities?
By teaching staff members about security best practices, increasing their awareness of
potential risks, and equipping them with the information and abilities necessary to recognize
and appropriately handle security incidents, a security awareness and training policy
dramatically improves an organization's capacity to mitigate risks, threats, and vulnerabilities.
Frequent training sessions help staff members become more proactive and watchful in
identifying questionable activities, which lowers the risk of security breaches and lessens the
effect of possible threats.
2. Why do you need a security awareness & training policy if you have new hires
attend or participate in the organization’s security awareness training program
during new hire orientation?
A distinct security awareness & training policy guarantees that the training is a continuous,
company-wide endeavor, even though incorporating security awareness training in new hire
orientation is crucial. It specifies the duration and breadth of training sessions, offers
instructions for training current staff members, and highlights the value of ongoing education
and awareness-raising regarding new security threats and best practices.

3. What is the relationship between an Acceptable Use Policy (AUP) and a Security
Awareness & Training Policy?
The Acceptable Use Policy (AUP) establishes guidelines for the proper use of company-
owned IT resources, including acceptable email, internet, and data handling practices. The
AUP is enhanced by the Security Awareness & Training Policy, which informs staff members
about its contents, alerts them to potential security threats linked to non-compliance, and
offers advice on how to successfully implement training and awareness campaigns to uphold
the policy.

4. Why is it important to prevent users from engaging in downloading or installing
applications and software found on the Internet?
It is essential to stop users from downloading and installing software and applications from
the Internet in order to reduce the possibility of malware, viruses, or other malicious software
entering the IT environment of the company. Unauthorized downloads pose serious risks to
an organization's operations and reputation because they can result in security breaches,
system vulnerabilities, and compromised data integrity.
5. When trying to combat software vulnerabilities in the Workstation Domain,
what is needed most to deal with operating system, application, and other
software installations?
The Workstation Domain requires frequent patch management and software updates to
combat software vulnerabilities. Organizations can reduce the risk of cyber threat exploitation
and preserve the integrity and security of their IT infrastructure by making sure that operating
systems, applications, and other software installations are promptly patched with the most
recent security updates and fixes.

6. Why is it important to educate users about the risks, threats, and vulnerabilities
found on the Internet and world wide web?
In order to equip users with the knowledge and abilities necessary to navigate cyberspace
safely and securely, it is imperative that they receive education about the risks, threats, and
vulnerabilities present on the Internet and World Wide Web. By becoming more
knowledgeable about prevalent dangers like malware, phishing scams, and social engineering
attacks, users can identify warning indicators, proceed with caution, and take the necessary
safety measures to safeguard the organization and themselves against malicious activity and
cyber threats.

7. What are some strategies for preventing users or employees from downloading
and installing rogue applications and software found on the Internet?
Strategies for stopping users or employees from downloading and installing rogue applications
and software from the Internet include:
• Implementing endpoint security solutions that restrict unauthorized software
installations.
• Implementing firewall rules and network access controls to prevent access to
dubious or unreliable websites.
• Informing users of the dangers associated with downloading and installing software
from unreliable or unknown sources.
• Tracking user actions and habits to identify and stop illegal software installations
and downloads.
• Creating precise guidelines and protocols with suitable supervision and
authorization systems in place for software installation requests and approvals.

8. What is one strategy for preventing users from clicking on unknown e-mail
attachments and files?
Using email filtering and malware detection software is one way to stop users from clicking
on unknown email attachments and files. These programs have the ability to automatically
check incoming emails for questionable attachments or links, quarantine them, or mark them
for more inspection. Organizations can also educate users about the dangers of opening
unknown attachments and motivate them to confirm the legitimacy of email senders and
attachments before acting, by offering training and awareness programs.
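As an added illustration of the attachment filtering described above (example code written for this worksheet, not part of the original lab or any product), the following Python snippet performs the kind of rule-based triage an email security gateway applies before a message reaches a user: attachments are quarantined, marked for inspection, or delivered based on their extension, a double extension, or executable magic bytes. The extension lists, the sample message and its addresses are constructed assumptions.

```python
"""Rule-based attachment triage, as an email security gateway might apply it."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy: file types that execute or carry active content are quarantined.
BLOCK_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".jar", ".lnk"}
# Assumed policy: archives and macro-enabled Office files are held for inspection.
INSPECT_EXT = {".docm", ".xlsm", ".pptm", ".zip", ".iso", ".rar"}
# Windows PE executables start with "MZ"; this catches a renamed .exe.
PE_MAGIC = b"MZ"
# Extensions commonly used as the "inner" half of a deceptive double extension.
DECOY_EXT = {".pdf", ".doc", ".jpg", ".txt"}


def classify_attachment(filename: str, payload: bytes) -> str:
    """Return 'quarantine', 'inspect' or 'deliver' for one attachment."""
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    # e.g. "invoice.pdf.exe": a decoy extension hidden before the real one.
    double_ext = len(parts) > 2 and ("." + parts[-2]) in DECOY_EXT
    if ext in BLOCK_EXT or payload.startswith(PE_MAGIC) or double_ext:
        return "quarantine"
    if ext in INSPECT_EXT:
        return "inspect"
    return "deliver"


def triage_message(raw: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Classify every attachment; the message verdict is the strictest one."""
    msg = message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        verdicts.append((name, classify_attachment(name, data)))
    rank = {"deliver": 0, "inspect": 1, "quarantine": 2}
    overall = max((v for _, v in verdicts), key=rank.get, default="deliver")
    return overall, verdicts


def build_sample() -> bytes:
    """Constructed test message: a harmless PDF plus a renamed executable."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"  # placeholder address
    msg["To"] = "staff@example.com"     # placeholder address
    msg["Subject"] = "Your statement"
    msg.set_content("Please see the attached statement.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    # Payload carries a PE header although the name claims it is a PDF.
    msg.add_attachment(b"MZ\x90\x00 constructed sample", maintype="application",
                       subtype="octet-stream", filename="statement_update.pdf")
    return bytes(msg)
```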

9. Why should social engineering be included in security awareness training?
Attackers frequently employ social engineering strategies like phishing, pretexting, and
baiting to trick people into divulging private information or taking actions that jeopardize
security. Employees can identify these strategies, comprehend how they operate, and learn
how to react appropriately to defend the company and themselves from social engineering
attacks by having social engineering awareness included in security training.
10. Which 2 domains of a typical IT infrastructure are the focus of a Security
Awareness & Training Policy?
A Security Awareness & Training Policy focuses on the User Domain and the Workstation
Domain because these domains are crucial for security awareness and education programs
since they directly involve end users and their interactions with IT resources.

11. Why should you include organization-wide policies in employee security
awareness training?
Employee security awareness training that covers organization-wide policies guarantees that
staff members are aware of their responsibilities in maintaining these policies and enhancing
the organization's overall security posture. Employee adherence to security guidelines and
risk mitigation are enhanced by the reinforcement of key policies, including those pertaining
to acceptable use, data protection, and incident response procedures.

12. Which domain typically acts as the point-of-entry into the IT infrastructure?
Which domain typically acts as the point-of-entry into the IT infrastructure’s
systems, applications, databases?
Usually serving as the entry point into the IT infrastructure, the Remote Access Domain
allows external users to safely access organizational resources from a distance. The
System/Application Domain is the main point of entry for the systems, applications, and
databases that make up the IT infrastructure. It includes all of the servers, platforms, and
software applications that support different business operations.

13. Why does an organization need a policy on conducting security awareness
training annually and periodically?
To guarantee that staff members are regularly trained on new security procedures, emerging
threats, and best practices, an organization must have a policy in place regarding security
awareness training that is conducted both annually and on a regular basis. Organizations can
uphold a culture of security awareness, strengthen regulatory compliance, and effectively
respond to changing cybersecurity threats by instituting a formal policy for ongoing training
initiatives.

14. What other strategies can organizations implement to keep security awareness
top of mind with all employees and authorized users?
Organizations can use the following techniques in addition to official security awareness
training programs to make security awareness a priority for all staff members and authorized
users:
• Consistently sending out security updates or newsletters to give timely information
on new security risks, advice, and best practices.
• Testing staff members' awareness of and reactivity to phishing attacks through the
conduct of simulated phishing exercises.
• Organizing workshops or events with a security theme to involve staff and encourage
a security-aware culture.
• Honoring and rewarding staff members who follow best practices in security and
quickly report security incidents.
• Promoting open lines of communication so that staff members can voice concerns,
report suspicious activity, and ask questions.

15. Why should an organization provide updated security awareness training when a
new policy is implemented throughout the User Domain or Workstation
Domain?
When a new policy is applied across the User Domain or Workstation Domain, it is necessary
to provide updated security awareness training to make sure that staff members are informed
of any modifications to security protocols, procedures, and expectations. Organizations can
improve their capacity to manage risks, uphold regulatory compliance, and securely protect
sensitive data by stressing the value of adhering to updated policies and training staff on any
new security requirements or guidelines.
