Lab 1:
Part 1:
1. Review the security awareness training policies at the following websites:
· Health care: State of North Carolina Department of Health and Human Services (https://policies.ncdhhs.gov/departmental/policies-manuals/section-viii-privacy-and-security/manuals/security-manual/@@display-file/policy_file/DHHS%20Security%20Manual.pdf)
· Higher education: University of San Francisco (http://www.usfca.edu/its/security/seta/)
2. For each sample security awareness training policy that you reviewed in the step above, discuss the policy’s main components. You should focus on the need for a security awareness program and its key elements.
--------------------------------------------------------------------------------
Part 2: Create a Security Awareness Policy (0/6 completed)
Note: A strong security awareness policy is a key component of a strong organizational security posture. The effectiveness of a security awareness training policy and program will directly influence how well employees will value and protect the organization’s security position. When writing a security awareness training policy, consider the following questions:
· Is the policy statement as concise and readable as possible? For example, no more than one to three sentences.
· Is the entire policy as concise and readable as possible? For example, no more than two to three pages.
· Does the policy align well with other governing documents?
· Does the policy speak directly to the target audience?
· Does the policy state the “why” with only the minimal detail, and rely on standards or guidelines for the “how”? Policies should be written in such a way that they will not need frequent updates.
· Does the policy adequately describe scope and responsibilities?
· Are the policy’s revision, approval, and distribution documented?
After the policy has been approved, its success relies on proper delivery and understanding. To simply give a new employee 5 minutes to read and sign a policy during orientation is not enough. Focused and interactive “policy understanding” sessions should guarantee every employee understands the policy’s reasoning and necessity. Customizing these sessions according to department or function can drastically increase how much of the training employees retain and apply during their work. Repeat sessions reinforce the policies and keep material fresh in their minds.
1. Review the following scenario for the fictional Bankwise Credit Union:
· The organization is a local credit union that has several branches and locations throughout the region.
· Online banking and use of the internet are the bank’s strengths, given its limited human resources.
· The customer service department is the organization’s most critical business function.
· The organization wants to be in compliance with the Gramm-Leach-Bliley Act (GLBA) and IT security best practices regarding its employees.
· The organization wants to monitor and control use of the Internet by implementing content filtering.
· The organization wants to eliminate personal use of organization-owned IT assets and systems.
· The organization wants to monitor and control use of the e-mail system by implementing e-mail security controls.
· The organization wants to implement security awareness training policy mandates for all new hires and existing employees. Policy definitions are to include GLBA and customer privacy data requirements, in addition to a mandate for annual security awareness training for all employees.
2. Create a security management policy with defined separation of duties for the Bankwise Credit Union.
Bankwise Credit Union
Security Awareness Training Policy
Policy Statement
Define your policy verbiage.
Purpose/Objectives
Define the policy’s purpose as well as its objectives.
Scope
Define whom this policy covers and its scope. What elements, IT assets, or organization-owned assets are within this policy’s scope?
Standards
Does the policy statement point to any hardware, software, or configuration standards? If so, list them here and explain the relationship of this policy to these standards.
Procedures
Explain how you intend to implement this policy for the entire organization.
Guidelines
Explain any roadblocks or implementation issues that you must overcome in this section and how you will surmount them per defined guidelines. Any disputes or gaps in the definition and separation of duties responsibility may need to be addressed in this section.
Challenge Exercise (0/2 completed)
Note: The following challenge exercise is provided to allow independent, unguided work - similar to what you will encounter in a real situation.
There are many vendors that provide security awareness training software to organizations that do not have the time or the resources to create their own. When selecting a software vendor, many organizations will issue a Request for Information (RFI) to potential vendors, outlining the details of what the organization would like to learn about the vendor’s solution. You can read more about RFIs here: https://www.smartsheet.com/free-request-for-information-templates.
As a security manager at eChef, an online marketplace for high-end kitchenware, you have been tasked with selecting a security awareness training software provider.
Use the internet to research real security awareness training software providers.
Question 1:
Identify three security awareness training software providers.
Question 2:
Identify 10 questions that you would include in your RFI.
Lab 2:
Part 1: Research Remote Access Policies (0/1 completed)
Note: In this part of the lab, you will review internet resources on remote access policies in order to form a basis for their purpose and usage. Understanding the reason behind a remote access policy is key to understanding the component policies and procedures. Please take the time to review the research thoroughly and think through the concepts of the policy itself.
1. In your browser, navigate to and read the “Remote Access Policy” template at https://www.sans.org/information-security-policy/.
2. Using your favorite search engine, locate a remote access policy for a higher education institution.
3. Using your favorite search engine, locate a remote access policy for a healthcare provider.
4. Write a brief summary of the information you found during your research. In your summary, focus on the key elements of the remote access policy. You should also identify any unique elements of remote access policies for higher education and healthcare institutions. Be sure to provide links to the remote access policies you identified in steps 2 and 3.
Part 2: Create a Remote Access Policy (0/7 completed)
Note: As you found in your research, different industries have similar but different policies. When using a policy template, it is important to ensure that the template matches the needs of your specific industry and business.
1. Review the following risks and threats found in the Remote Access Domain:
· The organization is a local credit union that has several branches and locations throughout the region.
· Online banking and use of the internet are the bank’s strengths, given its limited human resources.
· The customer service department is the organization’s most critical business function.
· The organization wants to be in compliance with the Gramm-Leach-Bliley Act (GLBA) and IT security best practices regarding its employees.
· The organization wants to monitor and control use of the internet by implementing content filtering.
· The organization wants to eliminate personal use of organization-owned IT assets and systems.
· The organization wants to monitor and control use of the e-mail system by implementing e-mail security controls.
· The organization wants to implement security awareness training policy mandates for all new hires and existing employees. Policy definitions are to include GLBA and customer privacy data requirements, in addition to a mandate for annual security awareness training for all employees.
2. Identify a security control or countermeasure to mitigate each risk and threat identified in the Remote Access Domain. These security controls or countermeasures will become the basis of the scope of the Remote Access Domain policy definition to help mitigate the risks and threats commonly found within the Remote Access Domain.
3. Review the following characteristics of the fictional Healthwise Health Care Provider:
· Healthwise has several remote health care branches and locations throughout the region.
· Online access to patients’ medical records through the public Internet is required for remote nurses and hospices providing in-home medical services.
· Online access to patients’ medical records from remote clinics is facilitated through a virtual private network (VPN) and a secure web application front-end over the public Internet.
· The organization wants to be in compliance with the Health Insurance Portability and Accountability Act (HIPAA) and IT security best practices regarding remote access through the public internet.
· The organization wants to monitor and control the use of remote access by implementing system logging.
· The organization wants to implement a security awareness training policy mandating that all new hires and existing employees obtain remote access security training. Policy definition is to include HIPAA and electronic protected health information (ePHI) security requirements and a mandate for annual security awareness training for all remote or mobile employees.
4. Create an organization-wide remote access policy for Healthwise Health Care:
Healthwise Health Care
Remote Access Policy for Remote Workers and Medical Clinics
Policy Statement
Define your policy verbiage.
Purpose/Objectives
Define the policy’s purpose as well as its objectives and policy definitions.
Scope
Define whom this policy covers and its scope. What elements, IT assets, or organization-owned assets are within this policy’s scope?
Standards
Does the policy statement point to any hardware, software, or configuration standards? If so, list them here and explain the relationship of this policy to these standards. In this case, Remote Access Domain standards should be referenced, such as encryption standards and VPN standards; make any necessary assumptions.
Procedures
Explain how you intend to implement this policy for the entire organization.
Challenge Exercise (0/1 completed)
Note: The following challenge exercise is provided to allow independent, unguided work - similar to what you will encounter in a real situation.
For this portion of the lab, you will create training documentation for remote employees of Healthwise Health Care. This training will provide remote employees with methods they can use to secure their home network before connecting a company computer, as well as guidance on how to access the corporate network while traveling.
Use the internet to find information about remote access policies and home network protection, and then use this information to create a training document for remote employees.
-----------------------------------------------