
Lab #5: Craft an Organization-Wide Security Awareness Policy
Course Name: Policy Development in Information Assurance - IAP301

Student Name: Đặng Nam Bình

Instructor Name: Mai Hoàng Đỉnh

User Domain Risks & Threats | Risk Mitigation Tactic/Solution
--- | ---
Dealing with humans and human nature | Automate processes
User or employee apathy towards information systems security policy | Require users and employees to take security awareness training courses
Accessing the Internet is like opening "Pandora's box" given the threat from attackers | Restrict websites that users can access
Surfing the web can be a dangerous trek in unknown territory | Do not click on malicious links from strange sources
Opening e-mails and unknown e-mail attachments can unleash malicious software and codes | Do not open e-mail from unknown or suspicious sources

Workstation Domain Risks & Threats | Risk Mitigation Tactic/Solution
--- | ---
Installing unauthorized applications, files, or data on organization-owned IT assets can be dangerous | Create a whitelist and a blacklist of software that is allowed or prohibited
Downloading applications or software with hidden malicious software or codes | Always run a virus scanner on downloaded files
Clicking on an unknown URL link with hidden scripts | Do not click on suspicious links
Unauthorized access to workstation | Enforce strong access control and authentication
Operating system software vulnerabilities | Update the OS regularly to avoid known vulnerabilities
Application software vulnerabilities | Update software to the latest version or remove it
Viruses, Trojans, worms, spyware, malicious software/code, etc. | Always keep antivirus programs running
User inserts CDs, DVDs, USB thumb drives with personal files onto organization-owned IT assets | Restrict users from inserting personal devices into organization-owned IT assets
User downloads unauthorized applications and software onto organization-owned IT assets | Create a whitelist and a blacklist of software that is allowed or prohibited
User installs unauthorized applications and software onto organization-owned IT assets | Create a whitelist and a blacklist of software that is allowed or prohibited

Instructions:
ABC Credit Union
Security Awareness & Training Policy
Policy Statement:
The security awareness and training policy aims to establish a framework to educate and train all
employees on the importance of security within the company. This policy ensures that staff are aware of
security risks and understand their responsibilities in safeguarding the company's assets.

Purpose/Objectives:
The objectives of this policy are to promote security awareness and training across the organization,
ensure employees understand their responsibilities in safeguarding assets and information, establish a
consistent approach to security training for all employees, and ensure compliance with legal, contractual,
and regulatory requirements related to security awareness and training.

Scope:
This policy applies to everyone with access to the company's information or IT resources, including
employees, independent contractors, and third parties. It covers all company-controlled assets and the
seven common IT infrastructure domains.

Standards:
This policy aligns with the Workstation Domain standards, requiring all employees to complete security
awareness training annually. All employees must adhere to this policy and any relevant rules, procedures,
and standards.

Procedures:
- Provide security awareness training for all staff, including independent contractors.
- Ensure new hires receive security training during orientation.
- Communicate security-related standards, guidelines, and rules to all staff, requiring their acknowledgment.
- Ensure all employees sign and adhere to the Acceptable Usage Policy.
- Conduct regular security audits and evaluations to assess employee understanding and compliance.
- Continuously inform and remind staff about security best practices and emerging threats.

Guidelines:
- Develop and deliver training that is relevant, interesting, and interactive to increase employee engagement and retention.
- Regularly review and update training materials to reflect new security threats and changes to the organization's infrastructure.
- Utilize various distribution techniques, such as printed, in-person, and online materials, to ensure all staff can access training.
- Establish a method to monitor staff participation and completion of security training to ensure policy adherence.
- Include security education and training in performance evaluations to hold staff accountable for their security-related actions.

Lab Assessment Questions & Answers:


How does a security awareness & training policy impact an organization’s ability
to mitigate risks, threats, and vulnerabilities?
By training employees to be more aware of how to be secure. It is meant to show employees ways that
they can be the first line of defense to keep the network secure.

Why do you need a security awareness & training policy if you have new hires
attend or participate in the organization’s security awareness training program
during new hire orientation?
To ensure that your new hires know what to do in the event that your business faces a security issue, you
must have a security awareness and training policy.

What is the relationship between an Acceptable Use Policy (AUP) and a Security
Awareness & Training Policy?
The acceptable use policy, which is part of the broader security awareness and training policy, outlines
permissible and impermissible actions for users on company resources. While the security awareness and
training policy addresses security comprehensively across the organization, the acceptable use policy
specifically delineates user behavior on company resources.

Why is it important to prevent users from engaging in downloading or installing
applications and software found on the Internet?
Due to the possibility that these programs may include viruses that are harmful to the systems and
network of the organization.

When trying to combat software vulnerabilities in the Workstation Domain, what
is needed most to deal with operating system, application, and other software
installations?
To effectively address software vulnerabilities in the Workstation Domain, a robust patch management
strategy is crucial. This ensures timely application of security fixes, keeping all systems up to date and
swiftly addressing new vulnerabilities.

Why is it important to educate users about the risks, threats, and vulnerabilities
found on the Internet and world wide web?
Users must receive training in order to safeguard their own assets and those of the company.

What are some strategies for preventing users or employees from downloading and
installing rogue applications and software found on the Internet?
Utilize Standard user accounts instead of Administrator accounts on employees' laptops and regularly
change default local administrator account passwords.

Direct all outbound Internet connections through a proxy server and establish a blacklist of prohibited
software.

Implement file filtering rules on the perimeter Intrusion Prevention System (IPS) to prevent the download
of blacklisted applications.

Employ URL filtering on the IPS or next-generation firewalls to block access to websites hosting
blacklisted software.

Deploy endpoint anti-virus and anti-malware software on all workstations to prevent the download and
installation of malicious applications.
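The proxy-plus-blacklist control listed above can be illustrated with a small policy evaluator. The following is an added example, not part of the lab submission or of any product named in it: it applies a constructed blocklist of software-distribution hosts and an allowlist of approved installer sources to constructed proxy access-log lines, and reports which requests the control would have blocked. The log format, host names, IP addresses and policy lists are all assumptions made for the example.

```python
"""Allow/deny evaluation of outbound downloads, in the style of the
proxy-plus-blocklist control described above. Example code, not from the lab;
the log format, domains and policy lists are constructed for illustration."""
from dataclasses import dataclass
from urllib.parse import urlparse
import posixpath

# Constructed policy: hosts known to distribute prohibited ("blacklisted")
# software, and the only hosts from which installers may be fetched.
BLOCKED_HOSTS = {"free-games-hub.example", "cracked-tools.example"}
APPROVED_INSTALLER_HOSTS = {"updates.corp.example", "download.vendor.example"}
# Executable / installer extensions that count as "software" for the policy.
INSTALLER_EXTENSIONS = {".exe", ".msi", ".dmg", ".pkg", ".bat", ".ps1", ".jar"}


@dataclass(frozen=True)
class Decision:
    action: str  # "allow" or "block"
    reason: str


def _host_matches(host, host_set):
    # "a.b.example" matches a listed "b.example"; comparing on label boundaries
    # avoids substring false hits such as "notb.example".
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in host_set)


def evaluate_download(url):
    """Decide whether a single requested URL is allowed by the policy."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    ext = posixpath.splitext(parsed.path)[1].lower()
    if _host_matches(host, BLOCKED_HOSTS):
        return Decision("block", "host on software blocklist")
    if ext in INSTALLER_EXTENSIONS and not _host_matches(host, APPROVED_INSTALLER_HOSTS):
        return Decision("block", f"installer type {ext} from non-approved host")
    return Decision("allow", "no policy match")


# Constructed proxy access-log lines: time client method url status bytes
SAMPLE_LOG = """\
1700000001 10.1.4.22 GET http://updates.corp.example/agent/setup.msi 200 5120000
1700000002 10.1.4.22 GET https://news.example/article.html 200 18000
1700000003 10.1.4.31 GET http://free-games-hub.example/game.exe 200 9000000
1700000004 10.1.4.45 GET https://files.unknown-cdn.example/tool.exe 200 300000
1700000005 10.1.4.45 GET https://download.vendor.example/Reader.dmg 200 7000000
"""


def scan_log(text):
    """Return (client, url, reason) for every request the policy would block."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines rather than guessing at fields
        _, client, _, url, _, _ = fields
        decision = evaluate_download(url)
        if decision.action == "block":
            hits.append((client, url, decision.reason))
    return hits


if __name__ == "__main__":
    for client, url, reason in scan_log(SAMPLE_LOG):
        print(f"BLOCK {client} {url}: {reason}")
```

Running the block on the constructed log flags two requests: the download from a blocklisted host and the installer fetched from a host that is not an approved software source. The same two checks (host blocklist, installer type from a non-approved source) are what a perimeter IPS file-filtering rule or a URL filter on a next-generation firewall would implement.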

What is one strategy for preventing users from clicking on unknown e-mail
attachments and files?
Users can be prevented from accessing emails and attachments from unidentified sources by configuring
the user email access managed by a Microsoft Exchange server.

Why should social engineering be included in security awareness training?
People often don't know how much information they could give away simply by talking too much.
Employees should be taught about the dangers of social engineering and being careful about what they
say in public and who to

Which 2 domains of a typical IT infrastructure are the focus of a Security
Awareness & Training Policy?
User and Workstation Domain

Why should you include organization-wide policies in employee security
awareness training?
The security awareness training is a representation of security policies organization-wide and should
include organization-wide policies to help further educate users.

Which domain typically acts as the point-of-entry into the IT infrastructure's systems, applications,
databases?
LAN-to-WAN Domain

Why does an organization need a policy on conducting security awareness training
annually and periodically?
If audited, this is a mandatory policy. IT institutes and tracks the organization's training program.

What other strategies can organizations implement to keep security awareness top
of mind with all employees and authorized users?
Periodic Policy Auditing.

Why should an organization provide updated security awareness training when a
new policy is implemented throughout the User Domain or Workstation Domain?
To educate the user on the updated policy. The user is a company's weakest link in IT security.
