Lab1 questions
1. What are the top risks and threats from the User Domain?
The top risks are users and social engineering.
2. Why do organizations have acceptable use policies (AUPs)?
To protect the company and to have legal action to take if there is a violation.
3. Can internet use and email use policies be covered in an Acceptable Use Policy?
Yes, anything done on work time and on work devices will be covered in an AUP.
4. Do compliance laws such as HIPAA or GLBA play a role in AUP definition?
Absolutely, this should be used as a template for the AUP.
5. Why is an acceptable use policy not a failsafe means of mitigating risks and threats within the User Domain?
Because you cannot control humans.
6. Will the AUP apply to all levels of the organization? Why or why not?
Yes, this will apply to all levels, from the lower level to the executive level. The AUP protects all employees.
7. When should this policy be implemented and how?
This policy should be in effect from day 1 of operation and periodically needs to be audited for weaknesses and vulnerabilities.
8. Why does an organization want to align its policies with existing compliance requirements?
This way they do not have to do double work keeping up with two policies, and since the organization will need to be compliant regardless, it makes sense to have the same policies.
9. Why is it important to flag any existing standards (hardware, software, configuration, etc.) from an AUP?
This way there are no hidden surprises for anyone, and everyone will be on the same page when it comes to policies and procedures.
10. Where in the policy definition do you define how to implement this policy within your organization?
In the middle of the AUP; this way you can know the expectations before the implementations.
11. Why must an organization have an Acceptable Use Policy (AUP) even for non-employees such as contractors, consultants, and other third parties?
Because it makes everyone who works responsible, regardless of what type of worker they are.
12. What security controls can be deployed to monitor and mitigate users from accessing external websites that are potentially in violation of an AUP?
You can use services like Websense to block specific sites and specific key words.
13. What security controls can be deployed to monitor and mitigate users from accessing external webmail systems and services (i.e., Hotmail, Gmail, Yahoo, etc.)?
Depending on the organization, there should only be work emails allowed.
14. What security controls can be deployed to monitor and mitigate users from embedding privacy data in email messages and/or attaching documents that may contain privacy data?
You could have any email that goes to a personal email address and non-authorized web-based email blocked altogether.
15. Should an organization terminate the employment of an employee if he/she violates AUP?
Yes, chances are if someone is violating the AUP then they know they are and should be terminated.
