Lab #1 - Organization-Wide Security Management Worksheet
Course Name: IAP301
Group No: 4
Student Name:
- Vo Minh Khanh - SE140781
- Tran Dang Khoa - SE140934
- Nguyen Quoc Buu - SE140936
Instructor Name: Ho Hai
Lab Due Date: 17/05/21
ABC Credit Union Merchant Card Processing Policy

Policy Statement
In order to accept credit or debit card payments and to comply with GLBA and IT security best practice, ABC Credit Union must:
1. Protect consumer and customer records, which helps to build and strengthen consumer reliability and trust.
2. Give customers assurance that their information will be kept secure by the institution.
3. Ensure that the payment process and related recordkeeping adhere to organization accounting guidelines, the Payment Card Industry Data Security Standard (PCI DSS), and all applicable legislation.
Purpose/Objectives
The purpose of this policy is to ensure that:
- Private information is secured against unauthorized access.
- Customers are notified of private information sharing between financial institutions and third parties and have the ability to opt out of private information sharing.
- User activity is tracked, including any attempts to access protected records.
Scope
These policies apply to any ABC Credit Union employee, contractor, business partner, or student involved in the processing of debit and credit card payments, or who has authority over a system that accepts such payments.
Standards
All company data stored on electronic devices, hardware or software and other resources, whether owned or leased by an employee or a third party, is part of the company's assets.
- The server room must be locked to make sure physical access is restricted.
- All devices accessing the internal network must be monitored and controlled.
- Any account with more than 5 failed login attempts must be blocked.
- Critical business functions (the customer service department) must have a backup and recovery plan to make sure their downtime is minimized.
- Only authorized people can access the specific resources.
- All inbound and outbound traffic must be filtered.
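One way to enforce the "more than 5 failed login attempts" standard above, as an added example that is not part of the original worksheet: the log format, the account names and the log lines are all constructed for illustration, and the threshold comes from the standard itself.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (hypothetical format, not from a real system):
# alice fails twice then succeeds, bob fails 6 times then tries again, carol fails 5 times.
SAMPLE_AUTH_LOG = """\
2021-05-17T08:00:01 auth user=alice result=FAIL src=10.0.0.5
2021-05-17T08:00:03 auth user=alice result=FAIL src=10.0.0.5
2021-05-17T08:00:05 auth user=alice result=OK src=10.0.0.5
2021-05-17T08:01:01 auth user=bob result=FAIL src=10.0.0.9
2021-05-17T08:01:02 auth user=bob result=FAIL src=10.0.0.9
2021-05-17T08:01:03 auth user=bob result=FAIL src=10.0.0.9
2021-05-17T08:01:04 auth user=bob result=FAIL src=10.0.0.9
2021-05-17T08:01:05 auth user=bob result=FAIL src=10.0.0.9
2021-05-17T08:01:06 auth user=bob result=FAIL src=10.0.0.9
2021-05-17T08:01:07 auth user=bob result=OK src=10.0.0.9
2021-05-17T08:02:01 auth user=carol result=FAIL src=10.0.0.7
2021-05-17T08:02:02 auth user=carol result=FAIL src=10.0.0.7
2021-05-17T08:02:03 auth user=carol result=FAIL src=10.0.0.7
2021-05-17T08:02:04 auth user=carol result=FAIL src=10.0.0.7
2021-05-17T08:02:05 auth user=carol result=FAIL src=10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) result=(?P<result>OK|FAIL) src=(?P<src>\S+)$"
)
MAX_FAILED = 5  # the standard: more than 5 consecutive failures blocks the account


def evaluate_lockouts(log_text: str) -> dict:
    """Replay the log: count consecutive failures per account, block on the 6th,
    reset on success, and record any attempt made against an already blocked account."""
    failures = defaultdict(int)
    locked = {}            # user -> timestamp of the failure that triggered the block
    rejected_after_lock = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a production monitor should alert on these too
        ts, user, result = m["ts"], m["user"], m["result"]
        if user in locked:
            rejected_after_lock.append((ts, user))  # blocked accounts stay blocked
            continue
        if result == "FAIL":
            failures[user] += 1
            if failures[user] > MAX_FAILED:
                locked[user] = ts
        else:
            failures[user] = 0  # a successful login clears the counter
    return {"locked": locked, "rejected_after_lock": rejected_after_lock,
            "failures": dict(failures)}
```

Exactly 5 failures (carol) stays below the threshold, so the check matches the policy's "> 5" wording rather than ">= 5".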
Procedures
- Prepare the documentation of the policies and a timeline for the process.
- Inform all relevant entities (employees, users, third parties) of the implementation; they will need to agree to the Acceptable Use Policy.
- The IT department is responsible for supervising the implementation.
- The leader of the IT department is responsible for reporting the bank's policy compliance monthly to the executive director.
Guidelines
The covered financial institutions must:
- Create a written information security plan describing the program to protect their customers' information.
- Designate one or more employees to coordinate the information security program.
- Identify and assess the risks to customer information in each relevant area of the company's operation, and evaluate the effectiveness of the current safeguards for controlling these risks.
- Design and implement a safeguards program, and regularly monitor and test it.
- Select service providers that can maintain appropriate safeguards, make sure the contract requires them to maintain safeguards, and oversee their handling of customer information.
- Evaluate and adjust the program in light of relevant circumstances, including changes in the firm's business or operations, or the results of security testing and monitoring.
- Any exception to this policy will be examined and approved by the IT department.
- All individuals must obey the AUPs. Violations can lead to disciplinary action up to termination, civil penalties, and/or criminal penalties, depending on the extent of the violation and the bank's policies.
Lab #1 - Assessment Worksheet: Craft an Organization-Wide Security Management Policy for Acceptable Use
Lab Assessment Questions & Answers:

1. What are the top risks and threats from the User Domain?
- Social engineering
- Accidental disclosure
- Malicious behaviours
2. Why do organizations have acceptable use policies (AUPs)?
An organization has an acceptable use policy (AUP) because:
- It can protect the organization, the employees, and also the users of the organization.
- AUPs outline the rules and restrictions employees must follow in regard to the company's network, software, internet connection and devices, which makes sure the organization's sensitive data cannot be leaked outside.
3. Can internet use and e-mail use policies be covered in an Acceptable Use Policy?
- Yes. They might be generally addressed individually as an Internet Acceptable Use Policy and an Email Acceptable Use Policy. Each would define the rules and regulations, similar to a regular Acceptable Use Policy.
4. Do compliance laws such as HIPAA or GLBA play a role in AUP definition?
- Yes, compliance laws should be used as a guideline for acceptable use policies.
5. Why is an acceptable use policy not a failsafe means of mitigating risks and threats within the User Domain?
An acceptable use policy is not a failsafe means of mitigating risks and threats because:
- We cannot control the user (what they do, what they discuss when they are outside the workplace, etc.).
- Even when the user agrees with the AUPs, they may not always follow through with them.
- An acceptable use policy is a guideline.
6. Will the AUP apply to all levels of the organization, why or why not?
- Yes, the main purpose of an acceptable use policy is to protect the entire company and all employees, and to ensure that they are aware of the policies and of what is acceptable and unacceptable behavior.
7. When should an AUP be implemented and how?
- This policy should be in effect from day 1 of operation and periodically needs to be audited for weaknesses and vulnerabilities.
8. Why does an organization want to align its policies with the existing compliance requirements?
- These rules are applied to protect company information against loss or theft, unauthorized access, disclosure, copying, use, modification or destruction. Failing to do so can lead to a range of negative consequences, including reputation loss, financial loss, non-compliance with standards and laws, and third-party liability.
9. Why is it important to flag any existing standards (hardware, software, configuration, etc.) from an AUP?
- This way there are no hidden surprises for anyone, and everyone will be on the same page when it comes to policies and procedures.
10. Where in the policy definition do you define how to implement this policy within your organization?
- In the Procedures section of the AUP.
11. Why must an organization have an Acceptable Use Policy (AUP) even for non-employees such as contractors, consultants, and other 3rd parties?
- Because it makes everyone who works for the organization responsible, regardless of what type of worker they are.
12. What security controls can be deployed to monitor and mitigate users from accessing external websites that are potentially in violation of an AUP?
- It can be done by monitoring the Internet traffic through firewalls, setting up firewall alerts, monitoring security logs, and setting up a proxy to limit the content users can access.
13. What security controls can be deployed to monitor and mitigate users from accessing external webmail systems and services (i.e., Hotmail, Gmail, Yahoo, etc.)?
- Monitoring software (like webmonitor) can be installed to allow the manager to monitor the network traffic. The webmail systems and services can be blocked if they are known to violate the AUPs.
14. What security controls can be deployed to monitor and mitigate users from embedding privacy data in e-mail messages and/or attaching documents that may contain privacy data?
- A policy of what communication methods may be used to exchange data, both internally and externally, should be put in place, and an Application Proxy Firewall should be implemented. This may also provide the ability to prevent data leakage through keyword inspection of outbound email.
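The keyword inspection of outbound email mentioned above, as an added example that is not part of the original worksheet: a small inspection routine that parses an outbound message, looks for card numbers (the data this merchant card processing policy and PCI DSS protect) using a Luhn check to cut false positives, and scans for policy keywords. The message, the addresses and the keyword list are all constructed for illustration; the card number is a Luhn-valid test number, not a real account.

```python
import re
from email import message_from_string

# Constructed outbound message (hypothetical domains, not real customer data).
SAMPLE_OUTBOUND = """\
From: teller@abc-credit.example
To: partner@vendor.example
Subject: Chargeback follow-up
Content-Type: text/plain

Hi, the disputed card was 4111 1111 1111 1111, exp 09/23.
Please handle this as CONFIDENTIAL. Call 555-0100 ext 12345 with questions.
"""

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
BLOCKED_KEYWORDS = ("confidential", "ssn", "account number")  # assumed AUP keyword list


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum: separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the normalized (digits only) card numbers that pass the Luhn check."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def inspect_outbound(raw_message: str) -> dict:
    """Inspect every text/plain part of an outbound message and decide an action:
    block on a card number, flag for review on a keyword, otherwise allow."""
    msg = message_from_string(raw_message)
    findings = {"pans": [], "keywords": []}
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        findings["pans"] += find_pans(body)
        findings["keywords"] += [k for k in BLOCKED_KEYWORDS if k in body.lower()]
    findings["action"] = ("block" if findings["pans"]
                          else "review" if findings["keywords"] else "allow")
    return findings
```

The phone number in the sample is a digit run that the regex never reaches the Luhn stage for, which is the point of combining a length pattern with a checksum rather than matching digits alone.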
15. Should an organization terminate the employment of an employee if he/she violates an AUP?
- Because it may cause damage to an organization, any violation of the AUP can lead to disciplinary action up to termination, civil penalties, and/or criminal penalties, depending on the extent of the violation.