Assignment
Scenario: You are the IT Security Manager of XYZ
Credit Union that has multiple branches throughout the region. Write an acceptable use policy (AUP) for XYZ Credit Union that wants to monitor and control use of the Internet by implementing content filtering; wants to eliminate personal use of organization-owned IT assets and systems; wants to monitor the use of the e-mail system by implementing e-mail security controls; and wants to implement this policy for all the IT assets it owns and to incorporate this policy review into its annual security awareness training. Your policy must contain the following headings:
XYZ Credit Union
Policy Heading {To identify the topic}
Policy Statement {Mandatory directive.}
Introduction {To frame the document.}
Policy Goals/Objectives {Insert the policy's goals as well as its objectives; to convey intent.}
Scope {Define this policy's scope and whom it covers. Which of the seven domains of a typical IT infrastructure are impacted? What elements, IT assets, or organization-owned assets are within this policy's scope?}
Standards {Does this policy point to any hardware, software, or configuration standards? If so, list them here and explain the relationship of this policy to these standards.}
Procedures {In this section, explain how you intend to implement this policy throughout this organization.}
Guidelines {In this section, explain any roadblocks or implementation issues that you must overcome and how you will overcome them per the defined policy guidelines.}
Policy Exceptions {To acknowledge exclusions}
Policy Enforcement Clause {Violation sanctions}
Administrative Notations {Additional information}
Policy Definitions {Glossary of terms}
Version Control {To track Changes}
Answer the following questions:
2. As the IT Security Manager, who would you involve to write this policy?
3. How do you train the employees?
4. How do you measure and enforce the policy?
5. When will this policy be updated?
6. Who will approve the policy?
7. How did you determine the length of the policy? Justify the length of your policy.
8. Why must an organization have an acceptable use policy (AUP) even for non-employees, such as contractors, consultants, and other third parties?
9. What security controls can be deployed to monitor and mitigate users from accessing external websites that are potentially in violation of an AUP?
10. What security controls can be deployed to monitor and mitigate users from accessing external webmail systems and services (that is, Hotmail, Gmail, Yahoo, etc.)?