Hands-On Steps
Note:
This is a paper-based lab. To successfully complete the deliverables for this lab, you will need access to Microsoft® Word or another compatible word processor. For some labs, you may also need access to a graphics line drawing application, such as Visio or PowerPoint. Refer to the Preface of this manual for information on creating the lab deliverable files.
On your local computer, create the lab deliverable files.
Review the Lab Assessment Worksheet. You will find answers to these questions as you proceed through the lab steps.
Using Figure 1, review the seven domains of a typical IT infrastructure.
Crafting an Organization Wide Security Management Policy for Acceptable Use
Overview
In this lab, you defined an AUP as it relates to the User Domain, you identified the key elements of sample AUPs, you learned how to mitigate threats and risks with an AUP, and you created your own AUP for an organization.
Lab Assessment Questions & Answers
What are three risks and threats of the User Domain?
Why do organizations have acceptable use policies (AUPs)?
Can Internet use and e-mail use policies be covered in an acceptable use policy?
Do compliance laws, such as the Health Insurance Portability and Accountability Act (HIPAA) or GLBA, play a role in AUP definition?
Why is an acceptable use policy not a fail-safe means of mitigating risks and threats within the User Domain?
Will the AUP apply to all levels of the organization? Why or why not?
When should an AUP be implemented and how?
Why would an organization want to align its policies with existing compliance requirements?
In which domain of the seven domains of a typical IT infrastructure would an acceptable use policy (AUP) reside? How does an AUP help mitigate the risks commonly found with employees and authorized users of an organization’s IT infrastructure?
Why must an organization have an acceptable use policy (AUP) even for nonemployees, such as contractors, consultants, and other third parties?
What security controls can be deployed to monitor and mitigate users from accessing external Web sites that are potentially in violation of an AUP?
What security controls can be deployed to monitor and mitigate users from accessing external webmail systems and services (for example, Hotmail®, Gmail™, Yahoo!®, etc.)?
Should an organization terminate the employment of an employee if he/she violates an AUP?
