Lab #1 Organization-Wide Security Management AUP Worksheet
Course Name: IAP301
Student Name: Đào Quang Việt
Instructor Name: Khúc Hữu Hùng
Lab Due Date: 17/01/2025
Overview:
In this lab, you are to create an organization-wide acceptable use policy (AUP) that follows
a recent compliance law for a mock organization. Here is your scenario:
- Regional ABC Credit Union/Bank with multiple branches and locations throughout the region
- Online banking and use of the Internet are a strength of your bank, given its limited human resources
- The customer service department is the most critical business function/operation for the organization
- The organization wants to be in compliance with GLBA and IT security best practices regarding its employees
- The organization wants to monitor and control use of the Internet by implementing content filtering
- The organization wants to eliminate personal use of organization-owned IT assets and systems
- The organization wants to monitor and control use of the e-mail system by implementing e-mail security controls
- The organization wants to implement this policy for all the IT assets it owns and to incorporate this policy review into annual security awareness training
Instructions
Using Microsoft Word, create an Acceptable Use Policy for ABC Credit union/bank
according to the following policy template:
ABC Credit Union
Policy Name: Acceptable Use Policy
Policy Statement
To accept credit and debit card payments and to comply with GLBA and IT security best practices, ABC Credit Union/Bank must:
1. Protect consumer and customer records, thereby building and strengthening consumer confidence and trust.
2. Give customers assurance that their information will be kept secure by the institution.
3. Ensure that the payment process and related recordkeeping adhere to the organization's accounting guidelines, the Payment Card Industry Data Security Standard (PCI DSS), and all applicable legislation.
Purpose/Objectives
The purpose of this policy is to ensure that:
- Private information must be secured against unauthorized access.
- Customers must be notified of private information sharing between financial
institutions and third parties and have the ability to opt out of private information
sharing.
- User activity must be tracked, including any attempts to access protected records.
Scope
This policy applies to any ABC Credit Union/Bank employee, contractor, business partner, or student involved in the processing of debit and credit card payments or who has authority over a system that accepts such payments.
Standards
All company data stored on electronic devices, hardware, software and other resources, whether the device is owned or leased by the company, an employee or a third party, is part of the company's assets.
- The server room must be locked so that physical access is restricted
- All devices connecting to the internal network must be monitored and controlled
- Any account with more than 5 consecutive failed login attempts must be locked
- Critical business functions (the customer service department) must have backup and recovery plans so that their downtime is minimized
- Only authorized personnel may access specific resources
- All inbound and outbound traffic must be filtered
Procedures
- Prepare the policy documentation and a timeline for the implementation process
- Notify all relevant parties (employees, users, third parties) of the implementation; each must agree to the Acceptable Use Policy
- The IT department is responsible for supervising the implementation
- The head of the IT department is responsible for reporting the bank's policy compliance to the executive director monthly
Guidelines
As a covered financial institution, ABC Credit Union/Bank must:
- Create a written information security plan describing the program to protect their
customers’ information.
- Designate one or more employees to coordinate its information security program
- Identify and assess the risks to customer information in each relevant area of the
company’s operation, and evaluate the effectiveness of the current safeguards for
controlling these risks
- Design and implement a safeguards program, and regularly monitor and test it
- Select service providers that can maintain appropriate safeguards, make sure your
contract requires them to maintain safeguards, and oversee their handling of
customer information
- Evaluate and adjust the program in light of relevant circumstances, including
changes in the firm’s business or operations, or the results of security testing and
monitoring.
- Any exception to this policy must be reviewed and approved by the IT department.
- All individuals must comply with this AUP. Violations can lead to disciplinary action up to and including termination, civil penalties, and/or criminal penalties, depending on the extent of the violation and the bank's policies.
Note: Your policy document should be no more than 3 pages long.
Lab #1 Assessment Worksheet
Craft an Organization-Wide Security Management Policy for Acceptable Use
Overview
In this lab, Create an Organization-Wide Security Management Acceptable Use Policy (AUP), the students participated in a classroom discussion about what is considered acceptable use. The weakest link in the seven domains of a typical IT infrastructure was identified as the User Domain. Given a scenario, the students created an organization-wide acceptable use policy for ABC Credit Union/Bank.
Lab Assessment Questions & Answers
1. What are the top risks and threats from the User Domain?
- Social engineering
- Accidental disclosure
- Malicious behaviour
2. Why do organizations have acceptable use policies (AUPS)?
Organizations have acceptable use policies (AUPs) because:
- They protect the organization, its employees, and its users.
- They outline the rules and restrictions employees must follow with regard to the company's network, software, Internet connection and devices, which helps ensure that the organization's sensitive data does not leak outside.
3. Can internet use and e-mail use policies be covered in an Acceptable Use Policy?
- Yes. They are often addressed separately as an Internet Acceptable Use Policy and an E-mail Acceptable Use Policy. Each defines rules and regulations in the same way as a general Acceptable Use Policy.
4. Do compliance laws such as HIPAA or GLBA play a role in AUP definition?
- Yes, compliance laws should be used as a guideline for acceptable use policies.
5. Why is an acceptable use policy not a failsafe means of mitigating risks and threats
within the User Domain?
An acceptable use policy is not a failsafe means of mitigating risks and threats because:
- We cannot fully control the user (what they do, what they discuss when they are outside the workplace, etc.)
- Even when users agree to the AUP, they may not always follow through with it.
- An acceptable use policy is a guideline, not a technical control.
6. Will the AUP apply to all levels of the organization, why or why not?
- Yes. The main purpose of an acceptable use policy is to protect the entire company and all employees, and to ensure that everyone is aware of the policies and of what is acceptable and unacceptable behavior.
7. When should this policy be implemented and how?
- This policy should be in effect from day 1 of operation and periodically needs to be
audited for weaknesses and vulnerabilities.
8. Why does an organization want to align its policies with the existing compliance
requirements?
- These rules are applied to protect company information against loss or theft, unauthorized access, disclosure, copying, use, modification or destruction. Failing to do so can lead to a range of negative consequences, including loss of reputation, financial loss, non-compliance with standards and laws, and third-party liability.
9. Why is it important to flag any existing standards (hardware, software, configuration,
etc.) from an AUP?
- That way there are no hidden surprises for anyone, and everyone is on the same page when it comes to policies and procedures.
10. Where in the policy definition do you define how to implement this policy within your
organization?
- In the Procedures section of the AUP
11. Why must an organization have an Acceptable Use Policy (AUP) even for non-
employees such as contractors, consultants, and other 3rd parties?
- Because it makes everyone who works with the organization's systems accountable, regardless of what type of worker they are.
12. What security controls can be deployed to monitor and mitigate users from accessing
external websites that are potentially in violation of an AUP?
- It can be done by monitoring the Internet traffic through firewalls, setting up firewall
alerts, monitoring security logs, and setting up a proxy to limit the content users can
access.
13. What security controls can be deployed to monitor and mitigate users from accessing
external webmail systems and services (i.e., Hotmail, Gmail, Yahoo, etc.)?
- Network monitoring software (such as a web monitoring tool) can be installed so that managers can monitor network traffic. Webmail systems and services known to violate the AUP can be blocked.
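The check a proxy or content filter performs for questions 12 and 13 is a hostname match against a blocklist. The following is an added example written for this worksheet, not part of the lab or any product: it canonicalises the requested URL and matches on whole DNS labels, so a listed domain and its subdomains are blocked while look-alike names (notgmail.com, mail.google.com.evil.example) are not. The blocklist entries and the proxy log lines are constructed.

```python
"""Added example, not part of the lab worksheet: the proxy-side check behind
the answers to questions 12 and 13. It decides whether a requested URL belongs
to a blocked webmail domain (Hotmail, Gmail, Yahoo are named in the question);
the blocklist and the proxy log lines are constructed for this example."""
from urllib.parse import urlsplit

# Constructed blocklist. A production proxy would load this from its URL-category feed.
WEBMAIL_BLOCKLIST = frozenset({
    "gmail.com", "mail.google.com", "hotmail.com", "outlook.live.com", "mail.yahoo.com",
})


def normalize_host(url: str) -> str:
    """Canonical hostname: scheme-less input tolerated, lowercased, credentials,
    port and trailing dot removed, so 'User@GMAIL.COM.:8080' becomes 'gmail.com'."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""  # .hostname is already lowercased
    return host.rstrip(".")


def is_blocked(url: str, blocklist=WEBMAIL_BLOCKLIST) -> bool:
    """Block if the host is a listed domain or a subdomain of one.

    Matching on whole DNS labels, from the right, is what makes this correct:
    a substring test would over-block 'notgmail.com' and be bypassed by
    'mail.google.com.evil.example'."""
    host = normalize_host(url)
    if not host:
        return True  # fail closed: an unparsable request is not delivered
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def filter_proxy_log(lines):
    """Apply the rule to constructed proxy log lines of the form '<user> <url>'."""
    return [
        (user, url, "BLOCK" if is_blocked(url) else "ALLOW")
        for user, url in (line.split(maxsplit=1) for line in lines)
    ]


if __name__ == "__main__":
    sample_log = [  # constructed
        "jdoe https://mail.google.com/mail/u/0/",
        "jdoe https://www.abc-creditunion.example/online-banking",
        "asmith http://User@GMAIL.COM.:8080/",
        "asmith https://mail.google.com.evil.example/phish",
    ]
    for user, url, verdict in filter_proxy_log(sample_log):
        print(f"{verdict:5} {user:7} {url}")
```

The fail-closed branch is deliberate: a request the filter cannot parse should be denied and logged rather than passed through, otherwise malformed URLs become the bypass.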
14. What security controls can be deployed to monitor and mitigate users from imbedding
privacy data in e-mail messages and/or attaching documents that may contain privacy
data?
- A policy defining which communication methods may be used to exchange data, both internally and externally, should be put in place, and an application proxy firewall should be implemented. The proxy can also prevent data leakage through keyword inspection of outbound e-mail.
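The keyword inspection mentioned in the answer to question 14 is, in practice, pattern matching over every text part of an outgoing message, including text attachments, with a validity check to keep false positives down. The following is an added example written for this worksheet, not part of the lab or of any mail gateway product: it flags card numbers that pass the Luhn check, SSN-shaped values and a constructed keyword list, masks what it logs, and returns a verdict. The keyword list, the quarantine rule and both sample messages are constructed.

```python
"""Added example, not part of the lab worksheet: the outbound e-mail keyword
and pattern inspection the answer to question 14 describes, applied to the
body and to text attachments. It flags card numbers (PANs) that pass the Luhn
check, SSN-shaped values and sensitivity keywords; the keyword list, the
quarantine rule and the sample messages are constructed for this example."""
import re
from email import message_from_string

# Loose candidate pattern for 13-19 digit PANs with optional space/dash separators;
# the Luhn check below removes most order numbers and other digit runs.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
KEYWORDS = ("account number", "routing number", "ssn", "date of birth")  # constructed


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return digit strings that look like PANs and pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(value: str, keep_last: int = 4) -> str:
    """Never write the full secret to the log; keep only the last few characters."""
    return "*" * (len(value) - keep_last) + value[-keep_last:]


def scan_text(text: str):
    findings = [("PAN", mask(pan)) for pan in find_pans(text)]
    findings += [("SSN", mask(m.group())) for m in SSN_RE.finditer(text)]
    lowered = text.lower()
    findings += [("KEYWORD", kw) for kw in KEYWORDS if kw in lowered]
    return findings


def inspect_message(raw: str):
    """Walk every text/* part (body and text attachments) and decide the verdict.
    Constructed rule: any PAN or SSN quarantines; keywords alone only alert."""
    msg = message_from_string(raw)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        findings.extend(scan_text(payload.decode(charset, errors="replace")))
    if any(kind in ("PAN", "SSN") for kind, _ in findings):
        return "QUARANTINE", findings
    return ("ALERT" if findings else "DELIVER"), findings


# Constructed sample messages. The card number is the well-known 4111... test PAN.
SAMPLE_MSG = """\
From: teller@abc-creditunion.example
To: someone@gmail.com
Subject: loan docs
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain; charset="utf-8"

Hi, the details you asked for are attached.
--B1
Content-Type: text/plain; charset="utf-8"
Content-Disposition: attachment; filename="customer.txt"

Card: 4111 1111 1111 1111
Order ref: 1234 5678 9012 3456
SSN: 123-45-6789
--B1--
"""

BENIGN_MSG = """\
From: teller@abc-creditunion.example
To: colleague@abc-creditunion.example
Subject: meeting
Content-Type: text/plain; charset="utf-8"

Branch meeting moved to 3 pm, room 204.
"""

if __name__ == "__main__":
    for name, raw in (("loan docs", SAMPLE_MSG), ("meeting", BENIGN_MSG)):
        verdict, findings = inspect_message(raw)
        print(f"{name}: {verdict} {findings}")
```

The order reference in the sample attachment has the same shape as a card number but fails Luhn, so it is not flagged; that is the difference between keyword inspection and a usable DLP rule. Masking before logging matters because the quarantine log is itself a store of customer information covered by the policy.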
15. Should an organization terminate the employment of an employee if he/she violates an
AUP?
- Not necessarily in every case. Because a violation may cause damage to the organization, any violation of the AUP can lead to disciplinary action up to and including termination, civil penalties, and/or criminal penalties, depending on its extent.