Lab1 IAP301


Lab #1 – Organization-Wide Security Management AUP Worksheet

Course Name: IAP301


Student Name: Phạm Thị Minh Thúy (HE171100)
Instructor Name: Hoàng Mạnh Đức
Lab Due Date: 20/01/2024

ABC Credit Union


Internet Usage Monitoring and Content Filtering Policy

Policy Statement
ABC Credit Union/Bank is committed to maintaining a secure computing
environment for the responsible use of its information technology (IT) resources. This
Acceptable Use Policy (AUP) outlines guidelines for Internet usage, including the
implementation of content filtering, to safeguard against potential risks associated
with inappropriate or harmful online content. This policy establishes expectations for
employees, contractors, and third-party individuals accessing ABC Credit
Union/Bank's IT assets and systems.
The following policy applies to every individual at ABC Credit Union/Bank:

• A firewall records all network traffic; the traffic log may be viewed only by
the administrator.
• Security personnel monitor the machinery, computers, and systems.
• Every user is responsible for reporting any theft, loss, or illegal use of an
ABC Credit Union/Bank asset.

Purpose/Objectives

• Ensure the responsible and secure use of ABC Credit Union/Bank's IT
resources.
• Implement content filtering to protect against security risks and potential harm
from inappropriate online content. By implementing content filtering, the
organization complies with GLBA and reduces the security risk to all the
IT assets it owns.
• Establish standards for Internet usage that align with legal requirements and
the organization's values.

Scope
This policy applies to all employees, contractors, and third-party individuals who
have access to ABC Credit Union/Bank's IT assets and systems, including but not
limited to, computers, networks, internet services, email systems, and all forms of
electronic communications.

Standards

• Password policy.
• Adherence to the NIST Cybersecurity Framework for risk management.
• Utilization of industry-standard antivirus and firewall solutions.
• Enforcement of strong authentication protocols for system access.
• All device access to the Internet must be monitored and controlled.
• Acceptable Use:
  o Internet activities must comply with ABC Credit Union/Bank's policies,
    procedures, and applicable laws.
  o Employees are expected to use the Internet primarily for work-related
    purposes, with limited personal use during designated break times.
• Content Filtering:
  o ABC Credit Union/Bank implements content filtering tools to monitor
    and control access to websites and online content.
  o The content filtering system restricts access to websites that may pose
    security risks, violate legal regulations, or contravene organizational
    values and policies.

Procedures
1. Prohibited Activities:
  • Employees are strictly prohibited from accessing or attempting to
    access websites or content that is illegal, promotes illegal activities, is
    offensive, discriminatory, or harassing.
  • Violation of intellectual property rights or engaging in activities that may
    harm the security or integrity of ABC Credit Union/Bank's network is
    strictly prohibited.
2. Monitoring and Logging:
  • Internet usage, including websites visited and content accessed, may
    be monitored, recorded, and logged.
  • Monitoring activities will be conducted with respect for individual
    privacy, following applicable laws and regulations.
3. Reporting Violations:
  • Employees are required to promptly report any suspected violations of
    this policy to their supervisor or the IT department.
  • Reporting is essential for maintaining the security and integrity of ABC
    Credit Union/Bank's network.

Guidelines
1. Consequences of Violation:
  • Violations of this policy may result in disciplinary action, ranging from
    warnings to termination of employment.
  • Legal action may be pursued in cases of severe policy violations.
2. Review and Updates:
  • This policy will be periodically reviewed and updated to address
    changes in technology, regulations, or the organization's operational
    needs.
  • Employees will be notified of any revisions to this policy.

Lab #1 – Assessment Worksheet
Craft an Organization-Wide Security Management Policy for Acceptable Use

Course Name: IAP301


Student Name: Phạm Thị Minh Thúy (HE171100)
Instructor Name: Hoàng Mạnh Đức
Lab Due Date: 20/01/2024

Overview
In this lab, titled Create an Organization-Wide Security Management Acceptable
Use Policy (AUP), the students participated in a classroom discussion about what is
considered to be “acceptable use.” The weakest link in the seven domains of a
typical IT infrastructure was identified as the User Domain. Given a scenario,
the students created an organization-wide acceptable use policy for ABC Credit
Union/Bank.

Lab Assessment Questions & Answers

1. What are the top risks and threats from the User Domain?
• Susceptibility to social engineering: Employees and users are vulnerable
to being socially engineered into letting malware and threat actors into the
system. Phishing, vishing, whaling, pharming, spoofing, and impersonation
are the various ways a user could fall victim to hackers.
• Weak Passwords: Users may use weak passwords, reuse passwords
across multiple accounts, or fail to update passwords regularly, making it
easier for attackers to gain unauthorized access.
• Lack of Security Awareness: Users may lack awareness of cybersecurity
best practices, making them susceptible to various threats. This includes
failing to recognize potential risks or neglecting to report security incidents.

2. Why do organizations have acceptable use policies (AUPs)?

Organizations implement Acceptable Use Policies (AUPs) to:

• Enhance Security: Establish guidelines for secure technology use, reducing
the risk of breaches.
• Ensure Compliance: Adhere to legal and regulatory requirements related to
information technology.
• Boost Productivity: Define acceptable practices to maintain a focused and
productive work environment.
• Manage Resources: Optimize IT assets by preventing misuse and overuse,
ensuring efficient resource utilization.
• Mitigate Risks: Prevent inappropriate use to reduce the likelihood of security
incidents and legal issues.
• Educate Employees: Promote awareness of responsible technology use and
cybersecurity best practices.
• Protect Reputation: Set expectations for professional conduct to safeguard
the organization's image.
• Reduce Liability: Clearly outline acceptable use and prohibited activities to
minimize legal risks.
• Ensure Consistency: Provide a uniform set of rules for all employees,
maintaining a fair work environment.
• Control Technology Assets: Establish guidelines to align technology use with
organizational goals and objectives.

3. Can internet use and e-mail use policies be covered in an Acceptable Use
Policy?

Yes, internet use and email use policies are commonly covered within an Acceptable
Use Policy (AUP). An AUP is a comprehensive document that outlines the
acceptable behaviors and practices related to the use of an organization's
information technology resources. It typically includes specific guidelines and rules
for various aspects of technology usage, including internet and email use. By
incorporating internet use and email use policies into the AUP, organizations can
provide employees with clear guidelines for responsible and secure use of these
communication and information-sharing channels. This helps to mitigate risks,
ensure compliance with legal and regulatory requirements, and foster a productive
and secure technology environment.

4. Do compliance laws such as HIPAA or GLBA play a role in AUP definition?

Compliance laws such as the Health Insurance Portability and Accountability Act
(HIPAA) and the Gramm-Leach-Bliley Act (GLBA) play a crucial role in shaping
and influencing the definition of Acceptable Use Policies (AUPs). AUPs are not
standalone documents but need to align with various legal and regulatory
requirements to ensure that organizations are operating within the bounds of the
law.

5. Why is an acceptable use policy not a failsafe means of mitigating risks and
threats within the User Domain?

An Acceptable Use Policy (AUP) is not fail-safe for mitigating risks within the User
Domain because it relies on user adherence, is subject to human error, may not
keep up with evolving threats, lacks technical controls, and may be ineffective
against insider threats. It should be complemented with ongoing training, robust
technical measures, and a proactive security culture for comprehensive risk
mitigation.

6. Will the AUP apply to all levels of the organization, why or why not?

Yes, an Acceptable Use Policy (AUP) should apply to all levels of the organization.
The AUP is designed to establish consistent guidelines and expectations for the use
of information technology resources, irrespective of an individual's position within the
organization. While the AUP may include specific considerations tailored to certain
roles or departments, the core principles and guidelines should be applicable to all
employees. This approach helps create a cohesive and secure technology
environment, reducing the likelihood of policy breaches and promoting a culture of
responsible technology use throughout the organization.

7. When should this policy be implemented and how?

The implementation of an Acceptable Use Policy (AUP) should be initiated as early
as possible during the onboarding process for new employees, contractors, and
anyone granted access to an organization's information technology resources.
Additionally, existing employees should be made aware of the AUP, and periodic
refresher training sessions should be conducted.

8. Why does an organization want to align its policies with the existing
compliance requirements?

Aligning organizational policies with existing compliance requirements is a proactive
approach to legal and regulatory adherence. It helps organizations navigate the
complex landscape of laws and regulations, reduces risks, and positions the
organization as a responsible and trustworthy entity within its industry.

9. Why is it important to flag any existing standards (hardware, software,
configuration, etc.) from an AUP?

Flagging existing standards in an AUP is a proactive measure to ensure that the
organization operates in accordance with industry best practices, legal requirements,
and security standards. It helps create a secure and well-governed technology
environment while promoting consistency and efficiency across the organization.

10. Where in the policy definition do you define how to implement this policy
within your organization?

In the 'Procedures' section of the policy

11. Why must an organization have an Acceptable Use Policy (AUP) even for
non-employees such as contractors, consultants, and other 3rd parties?

An Acceptable Use Policy (AUP) for non-employees, such as contractors and
consultants, is essential to:

• Protect Information Assets: Safeguard the organization's data and systems.
• Ensure Security Measures: Communicate security expectations to
non-employees.
• Comply with Regulations: Meet industry and regulatory requirements.
• Maintain Consistency: Establish uniform technology use standards.
• Mitigate Risks: Address potential security risks associated with non-employee
access.
• Reduce Liability: Clarify expectations for responsible technology use to
minimize legal risks.
• Protect Reputation: Uphold organizational standards and values through
non-employees.
• Meet Contractual Obligations: Align with contract requirements related to
technology use.
• Ensure Data Privacy: Outline expectations for handling and protecting
confidential information.
• Define Access Control: Specify authorized access levels for non-employees.
• Encourage Accountability: Foster responsible behavior among
non-employees.
• Simplify Policy Management: Integrate all users, regardless of employment
status, into a single, comprehensive AUP.

12. What security controls can be deployed to monitor and mitigate users from
accessing external websites that are potentially in violation of an AUP?
• Implement web filtering solutions that block access to websites based on
predefined categories or specific URLs. This helps prevent users from
accessing content that violates the AUP.
• Use proxy servers to intercept and control web traffic. Proxies can enforce
policies to block access to unauthorized websites and provide visibility into
user activities.
• Configure firewall rules to restrict outgoing traffic to known problematic IP
addresses or specific website categories, enforcing AUP compliance.
• Implement network segmentation to isolate sensitive areas of the network.
Restrict internet access for certain user groups or devices based on their
roles and requirements.

13. What security controls can be deployed to monitor and mitigate users from
accessing external webmail systems and services (i.e., Hotmail, Gmail,
Yahoo, etc.)?
• Implement proxy servers with web filtering capabilities to block access to
external webmail services. Configure the web filtering policies to include
categories related to webmail and personal email services.
• Monitor network traffic for connections to known webmail servers.
• Conduct regular security awareness training to educate users about the
risks associated with accessing external webmail services from work
devices. Reinforce the organization's policies and the reasons behind
them.

14. What security controls can be deployed to monitor and mitigate users from
embedding privacy data in e-mail messages and/or attaching documents that
may contain privacy data?
• Configure email gateways to filter and block emails that contain sensitive
information. Email security gateways can inspect outbound emails for
privacy data and prevent unauthorized disclosures.
• Implement email encryption to secure the content of sensitive emails.
Encrypt both the body of the email and any attachments containing privacy
data to protect against unauthorized access.
• Conduct regular audits of outbound emails to identify patterns or trends
related to privacy data. Monitor email logs and user activities to detect and
respond to potential policy violations.
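The three controls in question 14 fit together as one outbound gateway check: inspect the body and attachments for privacy data, block the message if it is leaving the organization, require encryption if it stays internal, and keep a per-sender tally for the periodic audit. The script below is an added example for this worksheet, not the lab's or ABC Credit Union/Bank's code; the internal domain `abccu.test`, the message structure and all sample messages are constructed, and the two detectors (a US SSN pattern and a Luhn-validated payment card number) stand in for the richer rule sets a real gateway would carry.

```python
import re
from collections import Counter

# Constructed placeholder for the organization's own mail domain.
INTERNAL_DOMAIN = "abccu.test"

# SSN-shaped value: 3-2-4 digits, not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
# Candidate card number: 13-19 digits, optionally separated by spaces/dashes.
# Candidates are confirmed with the Luhn check so order numbers are not flagged.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_privacy_data(text):
    """Return (kind, matched_text) pairs for privacy data found in text."""
    findings = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card", m.group()))
    return findings


def is_external(address):
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def inspect_message(msg):
    """Gateway decision for one outbound message: ALLOW, ENCRYPT or BLOCK."""
    findings = find_privacy_data(msg["body"])
    for name, content in msg.get("attachments", {}).items():
        findings += [(kind + ":" + name, value)
                     for kind, value in find_privacy_data(content)]
    if not findings:
        return "ALLOW", findings
    if any(is_external(rcpt) for rcpt in msg["to"]):
        return "BLOCK", findings          # privacy data must not leave the organization
    return "ENCRYPT", findings            # internal recipients: enforce encryption


def audit(messages):
    """Run every message through the gateway and tally senders with findings."""
    results = []
    senders_with_findings = Counter()
    for msg in messages:
        action, findings = inspect_message(msg)
        results.append((msg["id"], action, len(findings)))
        if findings:
            senders_with_findings[msg["from"]] += 1
    return results, senders_with_findings


# Constructed sample messages (fictional people, test-only domains).
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "alice@abccu.test", "to": ["partner@vendor.test"],
     "body": "Hi, the member's SSN is 123-45-6789 for verification."},
    {"id": "m2", "from": "bob@abccu.test", "to": ["carol@abccu.test"],
     "body": "Card on file: 4111 1111 1111 1111"},
    {"id": "m3", "from": "dave@abccu.test", "to": ["friend@example.test"],
     "body": "Order 1234 5678 9012 3456 has shipped."},
    {"id": "m4", "from": "alice@abccu.test", "to": ["erin@abccu.test", "ext@example.test"],
     "body": "See attached.",
     "attachments": {"members.csv": "name,ssn\nJane,987-65-4321\n"}},
]

if __name__ == "__main__":
    results, tally = audit(SAMPLE_MESSAGES)
    for msg_id, action, count in results:
        print(f"{msg_id}: {action} ({count} finding(s))")
    print("senders for audit follow-up:", dict(tally))
```

Message m3 shows why the Luhn check matters: a 16-digit order number has the shape of a card number but fails the checksum, so the gateway does not block legitimate mail. Attachments are scanned as plain text here; a real gateway would first extract text from office formats and archives.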

15. Should an organization terminate the employment of an employee if he/she
violates an AUP?

Terminating an employee for violating an Acceptable Use Policy (AUP) depends on
factors like the severity of the violation, intent, impact on security, and the
employee's history. Consider alternatives, ensure legal compliance, and involve HR.
Termination may be appropriate for serious breaches, but it should be approached
with fairness and consistency.
