...Lab #1 Assessment Worksheet Crafting an Organization-Wide Security Management Policy for Acceptable Use Student Name: Jonathan Duarte Student Banner ID: 900421269 Date: 2/4/2016 Overview In this lab, you defined an AUP as it relates to the User Domain, you identified the key elements of sample AUPs, and you learned how to mitigate threats and risks with an AUP. Lab Assessment Questions & Answers 1. What are three risks and threats of the User Domain? Threats: * Lack of user awareness * User inserts CDs and UBS drives and personal photos, music, and videos. * Lack of knowledge Risks: * User destruction of systems, application, or data * Stolen Data * Stolen Software/Application 2. Why do organizations have acceptable use policies (AUPs)? * It is because so they can protect the security of a network/organization * Prevent users from getting viruses * Prevent user and organizations to open their systems and network to attacks * Consequences an organization or employee may face * Informing users of acceptable behavior and the use of computers/networks. 3. Can Internet use and e-mail use policies be covered in an acceptable use policy? * Yes they can! Because it’s for the safety of employees and the organization itself. * It’s so the organization is protected at all times. 4. Why is an acceptable use policy not a fail-safe means of mitigating risks and threats within the User Domain? * Because you...
Words: 500 - Pages: 2
...------------------------------------------------- Week 1 Laboratory Part 1: Craft an Organization-Wide Security Management Policy for Acceptable Use Learning Objectives and Outcomes Upon completing this lab, students will be able to complete the following tasks: * Define the scope of an acceptable use policy as it relates to the User Domain * Identify the key elements of acceptable use within an organization as part of an overall security management framework * Align an acceptable use policy with the organization’s goals for compliance * Mitigate the common risks and threats caused by users within the User Domain with the implementation of an acceptable use policy (AUP) * Draft an acceptable use policy (AUP) in accordance with the policy framework definition incorporating a policy statement, standards, procedures, and guidelines Part 1 – Craft an Organization-Wide Security Management Policy for Acceptable Use Worksheet Overview In this hands-on lab, you are to create an organization-wide acceptable use policy (AUP) that follows a recent compliance law for a mock organization. Here is your scenario: * Regional ABC Credit union/bank with multiple branches and locations thrrxampexoughout the region * Online banking and use of the Internet is a strength of your bank given limited human resources * The customer service department is the most critical business function/operation for the organization * The organization wants to be in compliance with GLBA and IT security...
Words: 639 - Pages: 3
...domain is used to provide internet access for an entire organization and is actually the entry point of the Wide Area Network (WAN). This domain is the IT infrastructure where all the data moves in and out of the organization (Mansfield, 2010). There are many risks and threats that are associated with this domain since an attack can come from inside the network or try entering the network from an outside source. As an Information Systems Security Officer for a medium sized technology firm that has two sites, one in Virginia, and another in California, I am charged with the task of implementing the proper security controls for the organization’s LAN-to-WAN domain as well as propose a series of hardware and software controls which will provide security for these domain. The LAN-to-WAN domain is responsible for receiving a lot of traffic through it and it is therefore vulnerable to numerous risks, threats and other vulnerabilities. The threats from people can emerge from badly configured equipment or those that are not correctly...
Words: 1164 - Pages: 5
...Unit 1 Assignment 2 Impact of a Data Classification Standard The user domain defines the people who access an organizations network and IT infrastructure. In the user domain you will find an acceptable use policy, also known as an AUP. An AUP defines what a user can and cannot do within the organization. It is basically an employee handbook on acceptable activity within the organizations resources or network. Failure to follow these rules can be grounds for termination. The user domain is the weakest link in the IT infrastructure. Some of these threats include, lack of user awareness, security policy violation, and employee blackmail. To help combat a user’s lack of awareness, you can conduct security awareness training seminars; have pop-ups warning about a security threat, and send e-mail reminders to employees about common threats. Security policy violation you can approach in a few ways, if there is a violation, place the employee on probation, do a monthly review of the AUP and employee handbook, discuss these common violations during the employees performance review. With employee blackmail, you can track and monitor any abnormal employee behavior and the use of network resources or logging in to the network during off hours. You can also set alarms and alerts within the network to help identify abnormal traffic. The workstation domain is where most users connect to the company’s network. The workstation can be a desktop computer, laptop, tablet, or any other devise...
Words: 521 - Pages: 3
...| Why Establish an Acceptable Usage Policy?| | By| Stephen Lyons| | | | Background For the Past 15 years, I have been supporting small businesses with computer problems, ranging from desktop support to network and server integration. I have been a Microsoft® Certified Professional since 1999, and a Microsoft® Certified Small Business Specialist for over a year. I ran my own company, Lyons Den Computer Services, Inc., from 1992-2007. I exclusively serviced businesses with 3-25 workstation and servers. I recently started a new position where I am working with even larger organizations, with over 100 computers per location. One thing most of these companies have in common is a great dependence on technologies such as the internet, email and network connections to the world. Unfortunately, another thing they have in common is a lack of understanding of the depth of security concerns they create by taking advantage of these technologies. One of the largest security holes is often not a missing piece of hardware or software, but a missing piece of documentation that should be in place to protect their investment in all their equipment, personnel and good company name. I am referring to an Acceptable Use Policy for their network and Internet usage. Purpose I intend to show company management just how important this document can be, and why they need one, as well as the importance of keeping it updated. I will show examples of problems a lack of policy can create...
Words: 2455 - Pages: 10
... I. Introduction An Acceptable Use Policy (AUP) is an organization-wide policy that defines what is allowed and what is not allowed regarding use of Information Technology (IT) assets by employees. The following policy is to be followed by all employees of Richman Investments, authorized individuals, vendors, and contractors who use any information technology (IT), electronic, or communication devices owned and/or provided by Richman Investments for the purpose of assisting them with their job-related duties. Access to the Internet is a privilege and all employees must adhere to the policies regarding computer, email, and Internet usage. Violation of these policies will result in disciplinary and/or legal action that may include counseling, revocation of company devices, termination of the employee, and legal action. II. Roles and Responsibilities Every employee must acknowledge that they have received a copy of the AUP and confirm that they have a complete understanding and agree to abide by the rules set forth in the AUP. Receipt and signing of the AUP will occur at Employee Orientation, and in the event of changes to the policy, a revised AUP must be signed. III. Policy Directives A. Acceptable Use Management Requirements A Standard Operating Procedure (SOP) will be established to support the development and maintenance of this AUP. Richman Investments’ management team is responsible for keeping the AUP up to current standards and ensuring that new...
Words: 747 - Pages: 3
..."internal use only" data classification standard of Richman investments. I will list a few of the IT infrastructure domains that are affected by the standard and how they are affecting the domain and their security here at Richman investments. * User domain The user domain defines the people who access an organizations information system. In the user domain you will find an acceptable use policy (AUP). An AUP defines what a user can and cannot do with organization-owned IT assets. It is like a rulebook that the employees must follow. Failure to follow these rules can be grounds for termination. The user domain is the weakest link in an IT infrastructure. Anybody who is responsible for computer security understand what motivates someone to compromise an organization system, application, or data. Now I am going to list risk and threats commonly found in the user domain and plans you can use to prevent them. Lack of user awareness - solution - conduct security awareness training, display security awareness posters, insert reminders in banner greeting, and send email reminders to employees. Security policy violation- solution - place employee on probation, review AUP and employee Manuel, discuss during performance review. Employee blackmail or extortion- solution - track and monitor abnormal employee behavior and use of IT infrastructure during off hours. Alarms and alerts programmed within an IDS/IPS help identify abnormal traffic and can block IP traffic as per policy definition...
Words: 681 - Pages: 3
...Introduction Richman Investments is at all times committed to complying with the laws and regulations governing use of the Internet, e-mail transmission and text messaging and preserving for all of its Employee’s the ability to use RICHMAN INVESTMENTS 's network and the Internet without interference or harassment from other users. The Richman Investments AUP ("AUP") is designed to help achieve these goals. By using IP Service(s), as defined below, Employee(s) agrees to comply with this Acceptable Use Policy and to remain responsible for its users. Richman Investments reserves the right to change or modify the terms of the AUP at any time, effective when posted on Richman Investments web site at www. Richman Investments .com/aup. Employees’ use of the IP Service(s) after changes to the AUP are posted shall constitute acceptance of any changed or additional terms. Scope of the AUP The AUP applies to the Richman Investments services that provide (or include) access to the Internet, including hosting services (software applications and hardware), or are provided over the Internet or wireless data networks (collectively "IP Services"). Prohibited Activities General Prohibitions: RICHMAN INVESTMENTS prohibits use of the IP Services in any way that is unlawful, harmful to or interferes with use of RICHMAN INVESTMENTS’s network or systems, or the network of any other provider, interferes with the use or enjoyment of services received by others, infringes intellectual property...
Words: 2687 - Pages: 11
...Windows Server 2008 R2. Organizations invest a large portion of their information technology budgets on security applications and services, such as antivirus software, firewalls, and encryption. But no matter how much security hardware or software you deploy, how tightly you control the rights of users, or carefully you configure security permissions on your data, you should not consider the job complete unless you have a well-defined, timely auditing strategy to track the effectiveness of your defenses and identify attempts to circumvent them. To be well defined and timely, an auditing strategy must provide useful tracking data on an organization's most important resources, critical behaviors, and potential risks. In a growing number of organizations, it must also provide absolute proof that IT operations comply with corporate and regulatory requirements. Unfortunately, no organization has unlimited resources to monitor every single resource and activity on a network. If you do not plan well enough, you will likely have gaps in your auditing strategy. However, if you try to audit every resource and activity, you may find yourself with far too much monitoring data, including thousands of benign audit entries that an analyst would need to sift through to identify the narrow set of entries that warrant closer examination. This could cause delays or even prevent auditors from identifying suspicious activity. Thus, over-monitoring can leave an organization as vulnerable as monitoring...
Words: 1876 - Pages: 8
...awareness & training policy if you have new hires attend or participate in the organization’s security awareness training program during new hire orientation? An employee security awareness program can alleviate the problem of employee security breaches by clarifying why security is important. 3. What is the relationship between an Acceptable Use Policy (AUP) and a Security Awareness & Training Policy? An acceptable use policy (AUP) is a document that outlines a set of rules to be followed by users or customers of a set of computing resources, which could be a computer network, website or large computer system. Security awareness training is a formal process for educating employees about corporate policies and procedures for working with information technology. 4. Why is it important to prevent users from engaging in downloading or installing applications and software found on the Internet? There are hundreds of malicious programs that can cause damage to computers and information on the computers. They can also slow down machine, and they might even use the computer to spread themselves to entire organization. 5. When trying to combat software vulnerabilities in the Workstation Domain, what is needed most to deal with operating system, application, and other software installations? Perform...
Words: 717 - Pages: 3
...Unit 1 Assignment 2 Ronald McMahon April 1, 2014 To: Senior Management. Richman Investment “Internal use only “data classification standard. Ronald McMahon April 1, 2014 Information or data shared internally by an organization. While confidential information or data may not be included, communications are not intended to leave the organization. This report is designed to describe clarify the standards for the “Internal use only” data classification for Richman Investments, this report will address which IT infrastructure domains are affected by the standard and how. The first IT infrastructure affected by internal use only classification is the User Domain. The user domain defines the people who access an organization’s information system. The user domain also will enforce an acceptable use policy ( AUP) to define what each user can and cannot do with any company data shall he or she have access to it. As well as with company users, any outsiders, contractor’s or third party representatives shall also need to agree and comply with the AUP . Any violation will be taken up with management and / or the authorities to access further punitive action. Work Station Domain – is where most users connect to the IT infrastructure. No personal devices or removable media may be used on this network. All devices and removable media will be issued by the company for official use only. Access Control Lists ( ACLs ) will be drawn up to appropriately define what access each person will have...
Words: 385 - Pages: 2
...have devised a summary of the seven domains of the company and its security model. Please take the time to read this over and understand the implications of not following company guidelines, procedures, and policies. The user domain contains the users and/or employees that will be accessing resources within the organizations information system. A user can access systems, applications and data within the rights and privileges defined by the AUP (acceptable use policy). The AUP must be followed or the user may be dismissed or have their contracts terminated. With the user domain being one of the most vulnerable aspects of any organization, there are a wide variety of user related threats ranging from lack of awareness to blackmail and extortion. Employees are responsible for their own actions when using company assets and the HR department will be doing background checks on all employees within the company to ensure integrity within the workforce. Enforcement of the user level domain will include the use of RFID badges and pins for all areas of the facility and rooms that require special access. The workstation domain is where most users connect to the organizations infrastructure. That means that tight security and access controls will be enforced on company assets and users must authenticate themselves before access will be granted. This authentication process may be accomplished with smart cards and pins on some devices. Strong passwords or passphrases meeting password requirements...
Words: 1016 - Pages: 5
...User Domain The User Domain defines the people who access an organization’s information system. The User Domain will enforce an acceptable use policy (AUP) to define what each user can and cannot do with any company data shall he or she have access to it. Its like a rulebook that employees must follow. Users are responsible for their use of IT assets. The User Domain is the weakest link in the IT infrastructure. Any user responsible for computer security must understand what brings someone to compromise the data of an organization. Workstation domain The workstation domain is where most users connect to the IT infrastructure. The workstation can be a desktop computer, laptop computer, or any other devise that connects to a network. The staff should have the access necessary to be productive. Tasks include configuring hardware. Hardening systems and verifying antivirus files. Hardening a system is the process of ensuring that controls are in place to handle any known threats. The workstation domain requires tight security and access controls. This is where users first access systems, applications and data. The workstation domain requires a logon ID and password for access. Now I will list risks, threats and vulnerabilities commonly found in the workstation domain, along ways to protect against them. Unauthorized accesses to workstation- (solution) enable password protection on workstations for access. Enable auto screen lockout for inactive times. Viruses, malicious code, or...
Words: 509 - Pages: 3
...NT 2580 Intro to Info Security Project part 1 December 8, 2015 Headquarters Phoenix, AZ Branch 1 Branch 2 Branch 3 Atlanta, GA Chicago, IL Cincinnati, OH User Domain * Have employees sign confidential agreement * Introduce an AUP acceptable use policy * Have HR verify an employee’s identity with background checks * Conduct security awareness training * Enable content filtering and antivirus scanning * Restrict access to only info needed to perform job * Track and monitor abnormal behavior of employees Workstation Domain * Implement workstation log on ids and password * HR must define proper access controls for workers based on jobs * IT security must then assign access rights to systems, apps, and data * IT director must ensure workstation conforms to policy * Implement second level test to verify a user’s right to gain access * Start periodic workstation domain vulnerability tests to find gaps * Define workstation application software vulnerability window policy * Use content filtering and antivirus scanning at internet entry and exit * Mandate annual security awareness training LAN Domain * Setup of user LAN accounts with logon ID and password access controls * Make sure wiring closets, data centers , and computer rooms are secure * Define strict access control policies * Implement second level identity check * Define a strict software vulnerability window policy ...
Words: 1912 - Pages: 8
...1. Why is it important to perform a risk assessment on the systems, applications, and data prior to designing layered access controls? 2. What purpose does a Data Classification Standard have on designing layered access control systems? 3. You are tasked with creating a Microsoft Windows Enterprise Patch Management solution for an organization, but you have no budget. What options does Microsoft provide? 4. How does network monitoring, performance monitoring, alarming, and incident response help secure the IT infrastructure? 5. Provide an example of multi-factor authentication and identify an application that you think would require multi-factor authentication. 6. In which of the seven domains of a typical IT infrastructure would be policy definitions for implementation of anti-virus application/tool as a security countermeasure? Explain. 7. What is the difference between a Host-based Firewall and a Network-based Firewall? What domains of the typical IT infrastructure would you deploy each of these within? Explain how firewalls help mitigate risk exposure by preventing or blocking unauthorized access. 8. Give at least 3 examples of controls typically implemented in the User Domain. Explain these controls. 9. Provide 3 example of encrypted remote access communications commonly used through the public Internet (i.e., remote access via Internet) 10. Which domain within a typical IT infrastructure is the weakest link? From am access control perspective...
Words: 376 - Pages: 2
