Đặng Nam Bình-SE171569- Lab 5
Policy
Course Name: Policy Development in Information Assurance - IAP301
Purpose/Objectives:
The objectives of this policy are to promote security awareness and training across the organization,
ensure employees understand their responsibilities in safeguarding assets and information, establish a
consistent approach to security training for all employees, and ensure compliance with legal, contractual,
and regulatory requirements related to security awareness and training.
Scope:
This policy applies to everyone with access to the company's information or IT resources, including
employees, independent contractors, and third parties. It covers all company-controlled assets and the
seven common IT infrastructure domains.
Standards:
This policy aligns with the Workstation Domain standards, requiring all employees to complete security
awareness training annually. All employees must adhere to this policy and any relevant rules, procedures,
and standards.
Procedures:
- Provide security awareness training for all staff, including independent contractors.
- Communicate security-related standards, guidelines, and rules to all staff, requiring their acknowledgment.
- Ensure all employees sign and adhere to the Acceptable Usage Policy.
- Conduct regular security audits and evaluations to assess employee understanding and compliance.
- Continuously inform and remind staff about security best practices and emerging threats.
Guidelines:
- Develop and deliver training that is relevant, interesting, and interactive to increase employee engagement and retention.
- Regularly review and update training materials to reflect new security threats and changes to the organization's infrastructure.
- Utilize various distribution techniques, such as printed, in-person, and online materials, to ensure all staff can access training.
- Establish a method to monitor staff participation and completion of security training to ensure policy adherence.
- Include security education and training in performance evaluations to hold staff accountable for their security-related actions.
Why do you need a security awareness & training policy if you have new hires
attend or participate in the organization’s security awareness training program
during new hire orientation?
To ensure that your new hires know what to do in the event that your business faces a security issue, you
must have a security awareness and training policy.
What is the relationship between an Acceptable Use Policy (AUP) and a Security
Awareness & Training Policy?
The acceptable use policy, which is part of the broader security awareness and training policy, outlines
permissible and impermissible actions for users on company resources. While the security awareness and
training policy addresses security comprehensively across the organization, the acceptable use policy
specifically delineates user behavior on company resources.
Why is it important to educate users about the risks, threats, and vulnerabilities
found on the Internet and world wide web?
Users must receive training in order to safeguard their own assets and those of the company.
What are some strategies for preventing users or employees from downloading and
installing rogue applications and software found on the Internet?
Utilize standard user accounts instead of Administrator accounts on employees' laptops and regularly
change default local administrator account passwords.
Direct all outbound Internet connections through a proxy server and establish a blacklist of prohibited
software.
Implement file filtering rules on the perimeter Intrusion Prevention System (IPS) to prevent the download
of blacklisted applications.
Employ URL filtering on the IPS or next-generation firewalls to block access to websites hosting
blacklisted software.
Deploy endpoint anti-virus and anti-malware software on all workstations to prevent the download and
installation of malicious applications.
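The proxy and blocklist strategy above, as an added example that is not part of the lab submission: detection logic run over constructed proxy log lines, flagging downloads of prohibited software and executables fetched from unapproved hosts. The blocklist entries, approved hosts, log format and sample lines are all assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed policy data (assumptions, not from the original page): a blocklist of
# prohibited software and hosts, plus the approved sources for executable downloads.
BLOCKED_DOMAINS = {"free-cracks.example", "warez-mirror.example"}
BLOCKED_FILENAMES = {"keygen.exe", "torrent-client-setup.msi"}
APPROVED_DOWNLOAD_HOSTS = {"updates.vendor.example", "intranet.example"}
EXECUTABLE_EXTENSIONS = (".exe", ".msi", ".bat", ".ps1", ".scr")

# Constructed proxy log lines in a simplified format: "<timestamp> <user> <method> <url> <status>".
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice GET https://updates.vendor.example/patch-2024.msi 200
2024-05-01T09:14:55Z bob GET http://free-cracks.example/tools/keygen.exe 200
2024-05-01T09:20:10Z carol GET https://intranet.example/policy.pdf 200
2024-05-01T09:31:42Z dave GET http://cdn.random.example/dl/torrent-client-setup.msi 200
2024-05-01T09:40:00Z erin GET http://sub.warez-mirror.example/index.html 403
2024-05-01T09:45:12Z frank GET http://mirror.random.example/tools/editor.exe 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify(url):
    """Return ("block", reason) for blocklisted requests, ("review", reason) for an
    executable fetched from a host that is not an approved source, or None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    # Blocked domains match exactly or as a parent of the request host.
    if host in BLOCKED_DOMAINS or any(host.endswith("." + d) for d in BLOCKED_DOMAINS):
        return ("block", f"prohibited host {host}")
    if filename in BLOCKED_FILENAMES:
        return ("block", f"prohibited file {filename}")
    if filename.endswith(EXECUTABLE_EXTENSIONS) and host not in APPROVED_DOWNLOAD_HOSTS:
        return ("review", f"executable {filename} from unapproved host {host}")
    return None


def audit_log(log_text):
    """Parse each log line and return (user, url, verdict, reason) for every hit."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # malformed line: skip it rather than abort the whole audit
        _ts, user, _method, url, _status = match.groups()
        verdict = classify(url)
        if verdict:
            findings.append((user, url) + verdict)
    return findings
```

Running `audit_log(SAMPLE_LOG)` flags bob, dave and erin for blocklist hits and frank for review, while alice's vendor patch and carol's PDF pass.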
What is one strategy for preventing users from clicking on unknown e-mail
attachments and files?
Users can be prevented from receiving emails and attachments from unidentified sources by configuring
mail filtering on the Microsoft Exchange server that manages user email access.
What other strategies can organizations implement to keep security awareness top
of mind with all employees and authorized users?
Periodic Policy Auditing.