Many organizations have policies and procedures in place regarding information systems and security. However, many of these policies are stored in locations not readily available to employees. What would be your approach to ensure all employees of the organization are fully aware of the policies to secure the organizational infrastructure along with practices accepted by the organization?
Course Textbook(s) Johnson, R., & Easttom, C. (2022). Security policies and implementation issues (3rd ed.). Jones & Bartlett Learning. https://online.vitalsource.com/#/books/9781284200034
UNIT V STUDY GUIDE
User Domain and Information Technology Infrastructure Security Policies
CYB 4304, Cybersecurity Law and Policy
Course Learning Outcomes for Unit V
Upon completion of this unit, students should be able to:
4. Analyze a security awareness training policy for new and existing employees at an organization.
4.1 Identify security controls or countermeasures that mitigate risks and threats in the user domain.
4.2 Discuss the main components of a reviewed security awareness policy.
Required Unit Resources
Chapter 9: User Domain Policies
Chapter 10: IT Infrastructure Security Policies

Unit Lesson
The Paradox of a Greater, but More Vulnerable Network
While it is generally true that a greater number of users and a greater degree of technological sophistication increase a network's value, those same characteristics also enlarge its attack surface and make it more vulnerable. As a network grows, each user's access must be controlled and the risk that access creates must be assessed. Security policies can mitigate risks in the user domain, but only if they are designed and implemented correctly (Johnson & Easttom, 2022). Security awareness matters to everyone because it is the foundation of a security culture. It is delivered through a security awareness program, so an organization must run routine security awareness training to keep all end users current on security events both inside and outside the organization.
People Can Be a Network's Greatest Weakness
People can unfortunately be one of the greatest weaknesses in a network security regime. This is generally because people have different skill sets, let their guard down, or get tired, confused, or distracted. Automated controls never get tired, distracted, or confused, but they are limited to the tasks for which they were built and therefore cannot deal well with the unexpected (Johnson & Easttom, 2022). People are the main users of information technology (IT) systems, and that is what creates risk in the user domain. While security policies are created to mitigate that risk, their design must account for social engineering, human error, and internal threats. These concepts are explored below.
• Social engineering: This term describes misleading or manipulating people in a way that threatens an entity's information security. For instance, you and a friend are discussing how you chose the password for your workstation. Within earshot, an unknown employee hears you say that your favorite password is your family dog's name. Your friend asks, "What is the name of your dog?" and you reply, "His name is Walter." The unknown employee waits until you go to lunch, then enters that password at your workstation and now has access to everything on your computer, under your identity. A second avenue for social engineering is pretexting, such as contacting an employee while pretending to be part of the IT department and getting that person to disclose information they should not.
• Phishing: Phishing is an emailed variation of social engineering, in which the recipient of an email is convinced to click a link or open an attachment that delivers malicious software. Spear phishing is phishing targeted at a specific audience, such as new employees. Whaling is spear phishing aimed at senior executives or other high-value targets; it is even more tailored, using very specific information or interests relating to the target, often gathered from social media.
• Human error: People, by nature, make mistakes or are careless. For example, you cannot seem to remember your password, so you write it on a sticky note and place it under your keyboard. Another example is noticing that your computer is behaving strangely but being unsure what that means; a lack of knowledge may keep you from recognizing that the computer has been infected by a virus or other malware. Even programmers make mistakes when writing software, which is why updates and patches are later released to fix the code.
• Internal threats: While we try to protect our systems from outside hackers and intruders, we often forget some of the worst threats, those from the inside. There are many reasons an insider threat arises, for example an employee who was passed over for promotion, has been fired, or is on probation. Such employees may seek broad access to the system (this is why separation of duties, SOD, matters) for monetary gain, such as selling proprietary data. Employees who can no longer be trusted in the user domain are now a risk to the system (Johnson & Easttom, 2022).
Users in the User Domain
Seven different types of users will have access to the user domain, each with their own unique needs. Complexity grows as users increase in number and category, and each type shapes how the security policy is designed.
1. Employees: The staff members of the organization.
2. Systems administrators: IT professionals who work in the IT department and provide technical IT support.
3. Security personnel: IT professionals who design and implement the organization's security programs.
4. Contractors: Temporary workers engaged for certain tasks within the organization. The company manages them in the same manner as employees.
5. Vendors: Outside companies hired to provide services to the organization; their staff are managed directly by the vendor company.
6. Guests and the public: Individuals who access specific applications within the organization's IT systems.
7. Control partners: Those who evaluate controls for design and effectiveness (Johnson & Easttom, 2022).
In addition to these human-user types, two other groups are important. They differ from the others in that they are account types rather than user types. System accounts are nonhuman accounts used by the system to support automated services. Contingent IDs are privileged accounts held in reserve, unassigned to any person until they are needed to recover a system after a major outage (Johnson & Easttom, 2022).
Best Practices for User Domain Policies
Many of you have heard the term best practices in business, industry, academia, and the private sector. A best practice is nothing more than a technique, methodology, or technology used to produce a sustained, quality result. For user domain policies, Johnson and Easttom (2022) state that the practices below are typical and have been included in many security policies.
• Attachments: Never open attachments from sources that you do not trust.
• Encryption: Always use an encryption application to secure your desktop, emails, laptops, backup devices, and similar assets.
• Layered defense: Use more than one layer of security controls to mitigate risks, so that no single failure exposes the network.
• Least privilege: Apply the least-privilege concept. In other words, grant users access only on a need-to-know basis.
• Best fit privilege: Individuals should have only the limited access necessary to fulfill their responsibilities.
• Patch management: Use a program that ensures all security patches are up to date, to reduce current risks and mitigate future ones.
• Unique identity: Use unique credentials that identify who you are, except for public areas of access, so that every action can be attributed to one person.
• Virus protection: Ensure virus and malware prevention applications are installed on all desktops and laptops.
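Several of these practices, together with the user and account types listed earlier, can be turned into a check that runs against an account inventory. The following script is an added example, not code from Johnson and Easttom or the course; the account inventory and the mapping of user type to allowed privileges are constructed assumptions for illustration. It flags shared credentials (unique identity), privileges beyond what a user type needs (least privilege), system accounts that permit interactive login, and contingent IDs that are enabled when no recovery is in progress.

```python
"""Audit a user-account inventory against user-domain policy rules.

Added example (not from Johnson & Easttom): the inventory and the
privilege-per-user-type mapping below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed policy mapping: the privileges each user type may hold. The
# user types are the seven from the unit text plus the two nonhuman
# account groups (system accounts and contingent IDs).
ALLOWED_PRIVILEGES = {
    "employee": {"read", "write"},
    "sysadmin": {"read", "write", "admin"},
    "security": {"read", "write", "admin", "audit"},
    "contractor": {"read", "write"},
    "vendor": {"read"},
    "guest": {"read"},
    "control_partner": {"read", "audit"},
    "system": {"read", "write"},
    "contingent": {"read", "write", "admin"},
}


@dataclass
class Account:
    name: str
    user_type: str
    credential_id: str        # which credential the account authenticates with
    privileges: set
    enabled: bool = True
    interactive_login: bool = False


def audit(accounts, recovery_declared=False):
    """Return (account name, finding) pairs for every policy violation.

    recovery_declared: True only while a major-outage recovery is in progress,
    which is the only time a contingent ID may be enabled.
    """
    findings = []
    # Unique identity: a credential used by more than one account means
    # nobody can be held accountable for what was done with it.
    credential_users = Counter(a.credential_id for a in accounts)
    for a in accounts:
        if credential_users[a.credential_id] > 1:
            findings.append((a.name, "shared credential"))
        allowed = ALLOWED_PRIVILEGES.get(a.user_type)
        if allowed is None:
            findings.append((a.name, "unknown user type"))
            continue
        # Least privilege: nothing beyond what the user type needs.
        excess = a.privileges - allowed
        if excess:
            findings.append((a.name, f"excess privileges: {sorted(excess)}"))
        # System accounts support automated services, never a person at a keyboard.
        if a.user_type == "system" and a.interactive_login:
            findings.append((a.name, "system account allows interactive login"))
        # Contingent IDs stay disabled until assigned for a recovery.
        if a.user_type == "contingent" and a.enabled and not recovery_declared:
            findings.append((a.name, "contingent ID enabled outside a recovery"))
    return findings


def sample_inventory():
    """Constructed inventory with one violation of each rule."""
    return [
        Account("alice", "employee", "cred-001", {"read", "write"}),
        Account("bob", "employee", "cred-002", {"read", "write", "admin"}),
        Account("carol", "sysadmin", "cred-003", {"read", "write", "admin"}),
        Account("dave", "contractor", "cred-003", {"read"}),
        Account("svc-backup", "system", "cred-010", {"read", "write"},
                interactive_login=True),
        Account("break-glass-1", "contingent", "cred-020",
                {"read", "write", "admin"}, enabled=True),
        Account("guest-portal", "guest", "cred-030", {"read"}),
    ]


if __name__ == "__main__":
    for name, finding in audit(sample_inventory()):
        print(f"{name}: {finding}")
```

Run as-is, the script reports bob (excess admin privilege), carol and dave (same credential), svc-backup (interactive login on a system account), and break-glass-1 (contingent ID enabled with no recovery declared); passing recovery_declared=True clears only the last finding. In a real environment the inventory would be exported from the directory service, and the allowed-privilege mapping would come from the organization's own control standards rather than the assumed table here.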
IT Infrastructure Security Policies
Once you have identified the elements needed for the user domain, the next step is creating the security policy for the IT infrastructure. In one sense, every organization has a unique IT infrastructure, since each has its own characteristics and needs. However, all networks share foundational policy concepts and focus areas, such as layers of security from the perimeter, through the network, to the data being accessed (Johnson & Easttom, 2022). Recall the seven domains of the IT infrastructure from your previous chapters, each with its own unique risks. The basic anatomy of a policy starts with understanding the different types of documents that capture the security control requirements for each domain. Johnson and Easttom (2022) list five common documents.
• Control standards: This document describes the core security control requirements.
• Baseline standards: This document describes the technical security controls for a specific technology.
• Procedure documents: These documents describe the processes needed to implement the control and baseline standards.
• Guidelines: This document, although optional, describes parameters and recommended policies, standards, or procedures.
• Dictionary: A common taxonomy used across the policies that defines the scope and meaning of the terms used.
These standards are often described as the core policy statements or the minimum security baseline (MSB). The number of documents varies significantly between organizations. As an end user in the user domain, you are responsible for protecting the network resources you use and accountable for the access you have been granted under least privilege. Periodic security awareness training provides the knowledge you need to avoid security risks within your user domain and to protect the network resources of the organization as a whole.
Reference
Johnson, R., & Easttom, C. (2022). Security policies and implementation issues (3rd ed.). Jones & Bartlett Learning. https://online.vitalsource.com/#/books/9781284200034