Lab 5
1. From your computer workstation, create a new text document called Security Awareness Lab #5.
2. Review the following Web addresses, and in your text document, first list the name of the security awareness policy you reviewed, and then discuss the policy’s main components (do this for each document you research at these Web addresses):
• Health care: State of North Carolina Department of Health and Human Services (http://info.dhhs.
state.nc.us/olm/manuals/dhs/pol-80/man/06security_training_and_awareness.pdf)
• Higher education: University of Massachusetts (http://www.massachusetts.edu/policyfaq/faq.cfm)
• Health care: Community Health Plan of Washington (http://chpw.org/assets/file/Security-
Awareness-and-Training-Policy.pdf)
3. Review the following risks and threats found in the user domain:
• Dealing with humans and human nature
• Dealing with user or employee apathy toward information systems security policy
• Accessing the Internet and opening “Pandora’s box”
• Surfing the Web, a dangerous trek into unknown territory
• Opening e-mails and unknown e-mail attachments, which can lead to malicious software and codes
• Installing unauthorized applications, files, or data onto organization-owned IT assets
• Downloading applications or software with hidden malicious software or codes
• Clicking on an unknown URL link that has hidden scripts
4. In your text document, identify a security control or countermeasure to mitigate each risk and threat identified above for the user domain. Draw from what you read at the Web addresses in Step 2.
5. Review the following risks and threats found in the workstation domain:
• Unauthorized access to workstations
• Operating system software vulnerabilities
• Application software vulnerabilities
• Viruses, trojans, worms, spyware, malicious software, and malicious code
• A user inserting CDs, DVDs, USB thumb drives with personal data and files onto organization-
owned IT assets
• A user downloading unauthorized applications and software onto organization-owned IT assets
• A user installing unauthorized applications and software onto organization-owned IT assets
6. In your text document, identify a security control or countermeasure to mitigate each risk and threat identified above for the workstation domain. Draw from what you read at the Web addresses in Step 2.
7. In your text document, create an organization-wide security awareness training policy for the XYZ Credit Union/Bank:
• The organization is a regional XYZ Credit Union/Bank that has multiple branches and locations throughout the region
• Online banking and use of the Internet are the bank’s strengths, given its limited human resources
• The customer service department is the organization’s most critical business function
• The organization wants to be in compliance with the Gramm-Leach-Bliley Act (GLBA) and IT
security best practices regarding its employees
• The organization wants to monitor and control use of the Internet by implementing content
filtering
• The organization wants to eliminate personal use of organization-owned IT assets and systems
• The organization wants to monitor and control use of the e-mail system by implementing e-mail security controls
• The organization wants to implement security awareness training policy mandates for all new hires
and existing employees. Policy definitions are to include GLBA and customer privacy data require-
ments, in addition to a mandate for annual security awareness training for all employees
Using the following template, in your text document, create a security awareness training policy for the XYZ Credit Union/Bank organization (this should not be longer than three pages):
XYZ Credit Union
Security Awareness Training Policy
Policy Statement
{Insert policy verbiage here.}
Purpose/Objectives
{Insert the policy’s purpose as well as its objectives; use a bulleted list of the policy definition.}
Scope
{Define whom this policy covers and its scope.
Which of the seven domains of a typical IT infrastructure are impacted?
What elements, IT assets, or organization-owned assets are within the scope of this policy?}
Standards
{Does this policy point to any hardware, software, or configuration standards?
If so, list them here and explain the relationship of this policy to these standards. In this case, workstation domain standards should be referenced; make any necessary assumptions.}
Procedures
{Explain how you intend to implement this policy across the organization and how you intend to
deliver annual or ongoing security awareness training for employees.}
Guidelines
{Explain any roadblocks or implementation issues that you must address in this section and how you will overcome them per defined policy guidelines.}
8. Submit the text document to your instructor as a deliverable for this lab.
Lab Assessment Questions & Answers
1. How does a security awareness training policy impact an organization’s capability to mitigate risks, threats, and vulnerabilities?
2. Why do you need a security awareness training policy if you have new hires attend or participate in the organization’s security awareness training program during new hire orientation?
3. What is the relationship between an acceptable use policy (AUP) and a security awareness training policy?
4. Why is it important to prevent users from engaging in downloading or installing applications and software found on the Internet?
5. When trying to combat software vulnerabilities in the workstation domain, what is needed most to deal with operating system, application, and other software installations?
6. Why is it important to educate users about the risks, threats, and vulnerabilities found on the Internet and World Wide Web?
7. What are some strategies for preventing users or employees from downloading and installing rogue applications and software found on the Internet?
8. What is one strategy for preventing users from clicking on unknown e-mail attachments and files?
9. Why should you include organization-wide policies in employee security awareness training?
10. Why does an organization need a policy on conducting security awareness training annually and periodically?
11. What other strategies can organizations implement to keep security awareness top of mind with all employees and authorized users?
12. Why should an organization provide updated security awareness training when a new policy is implemented throughout the user domain or workstation domain?
