
Part 1

A. Identify the risks, threats, and vulnerabilities commonly found in the user domain. (Name
at least three risks/threats.)
The three most common risks, threats and vulnerabilities found in the user
domain are:
1. A domain user or admin account has a guessable password in Windows NT (CVE, 2013).
2. If a domain user logs into the domain with a space at the end of the domain name, it
causes an error and the system policy will not download accurately (CVE, 2013).
3. The Domain Enterprise Server Management System (DESMS) in HP-UX allows local
users to gain privileges (CVE, 2013).

Part 2
A. Choose two articles that discuss two of the risks or threats you listed in the previous step.
In your text document, discuss how these articles explain how to mitigate risks or threats in
the user domain.
1. The first article discusses the use of USB devices in the workplace. Employees can use
USB drives to transport data from one computer to another. They represent a number of
security challenges for a company, such as disgruntled workers, careless users and
malicious individuals (Couture, 2009, p. 6). To mitigate this problem we can disable USB
ports in the BIOS, which prevents users from installing a USB device. Also, we can make
USB storage read-only, or disable USB ports, through Group Policy.
2. The second article discusses the vulnerabilities of the BIOS. The BIOS executes power-up
tests of the hardware components and memory; without this program the computer would
not know what to do after it is turned on. An unauthorized user can access the network by
cracking the BIOS password or deleting the contents of the CMOS RAM. To mitigate the
risk of users accessing the BIOS, system administrators can implement BIOS passwords
that protect the BIOS configuration utility, and a different password should be used for
critical systems. Systems should only boot from hard drives, all computer cases should be
locked, and critical data should not be kept on hard drives.
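As an added example that is not part of the original lab write-up: a PowerShell script that checks a Windows workstation for the two USB mitigations named in the first article (USB mass storage disabled, or removable disks made read-only) and provides functions to apply them. It assumes the three registry locations Windows uses for these controls (the USBSTOR service's Start value, the StorageDevicePolicies WriteProtect value, and the subkey written by the "Removable Disks: Deny write access" Group Policy setting, whose GUID should be verified against your Group Policy reference); the function names are the example's own, and the script must run in an elevated session. Disabling the ports in the BIOS, the other mitigation mentioned, cannot be observed from inside the OS and is left out.

```powershell
# Added example (not from the original lab): audit a workstation for the
# USB-storage controls described in Part 2, item 1, and optionally apply them.
# Assumed registry locations (standard Windows keys; the GPO GUID below is
# the "Removable Disks" class used by the Removable Storage Access policy,
# verify it against your own Group Policy reference):
#   USBSTOR service Start value: 3 = driver loads on demand, 4 = disabled
#   StorageDevicePolicies\WriteProtect = 1 -> removable disks are read-only
#   RemovableStorageDevices\{GUID}\Deny_Write = 1 -> GPO "Removable Disks:
#   Deny write access" is in effect
$UsbStorKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$WriteProtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
$GpoDenyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-UsbStorageControlState {
    # Reads the three settings and reports whether any mitigation is in effect.
    $start = Get-RegistryDword -Path $UsbStorKey   -Name 'Start'
    $wp    = Get-RegistryDword -Path $WriteProtKey -Name 'WriteProtect'
    $deny  = Get-RegistryDword -Path $GpoDenyKey   -Name 'Deny_Write'
    [pscustomobject]@{
        UsbStorDriverDisabled = ($start -eq 4)
        WriteProtectSet       = ($wp -eq 1)
        GpoDenyWriteSet       = ($deny -eq 1)
        Compliant             = (($start -eq 4) -or ($wp -eq 1) -or ($deny -eq 1))
    }
}

function Set-UsbStorageReadOnly {
    # Read-only mitigation: create the StorageDevicePolicies key if needed and
    # set WriteProtect=1. Applies to disks attached after the change.
    if (-not (Test-Path $WriteProtKey)) {
        New-Item -Path $WriteProtKey -Force | Out-Null
    }
    New-ItemProperty -Path $WriteProtKey -Name 'WriteProtect' -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

function Disable-UsbStorageDriver {
    # Stronger mitigation: prevent the USB mass-storage driver from loading.
    Set-ItemProperty -Path $UsbStorKey -Name 'Start' -Value 4 -Type DWord
}

# --- usage: report, and warn when nothing is enforced ---------------------
$state = Get-UsbStorageControlState
$state | Format-List
if (-not $state.Compliant) {
    Write-Warning 'No USB storage control is in effect on this host.'
    # Uncomment one of the following to remediate (elevated session required):
    # Set-UsbStorageReadOnly
    # Disable-UsbStorageDriver
}
```

Reporting and remediation are kept separate so the script can run read-only from a scheduled audit job; the two remediation functions are left commented out in the usage section and are only invoked deliberately.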

Part 3
A. List the main components of each of the acceptable use policies (AUPs).
1. Health Care's main components are: Use of Information Technology (IT) Resources
Policy, E-mail Use Policy, and Anti-virus Policy.
2. Higher Education's main components are: proper use of domain accounts policy, shared
resources (traffic such as P2P downloads of music, etc.) policy, intellectual property policy,
and publication policy.
3. The U.S. Federal Government's main components are: use of government equipment policy,
access to data and programs not authorized by the government, password policy, System
and Network Security (antivirus) policy, and use of domain accounts policy.



Part 4
A. Explain how a risk can be mitigated in the user domain with an acceptable use policy (AUP).
Risk can be mitigated in the user domain with an Acceptable Use Policy (AUP) that
minimizes vulnerabilities and threats when using e-mail. A proper policy helps users understand
that opening an unknown e-mail may put the company at risk, since a virus could be delivered
through the e-mail. The AUP can state that outside e-mails are prohibited and/or blocked, that
attachments must not be opened, that spamming is prohibited, which documents can and cannot
be sent through e-mail, and that acceptable language must be used (Wrenn, 2005).

Part 5
A. Using the following AUP template, in your text document, create an acceptable use policy
for the XYZ Credit Union/Bank organization (next page).

XYZ Credit Union/Bank Acceptable Use Policy
1. Policy Statement
1.1 General Requirements
1.1.1 Users are responsible for exercising good judgment when using XYZ Credit
Union/Bank Information Systems (IS) resources, in accordance with XYZ Credit Union/Bank
policies, guidelines, and standards. XYZ Credit Union/Bank Information System resources may
not be used for any unlawful purpose.
1.1.2 The Information Technology department may monitor and audit IS equipment, systems,
and network traffic for security, compliance and maintenance purposes. Users who interfere with
other users' equipment, audits and/or other scheduled maintenance on the XYZ Credit Union/Bank
network may be disconnected. Firewalls must permit access to audit scans and to the scan
sources.
1.2 Email Usage (the following are strictly prohibited)
1.2.1 Using an XYZ Credit Union/Bank e-mail account to send text messages, instant
messages, or spam e-mail.
1.2.2 Use of an XYZ Credit Union/Bank e-mail address or IP address to engage in unlawful or
illegal activities, or activities that violate XYZ Credit Union/Bank e-mail policies or guidelines.
1.2.3 Misrepresenting, obscuring, forging, or replacing a user identity on any e-mail to
mislead recipients about the sender.
1.2.4 Users must exercise good judgment when posting to a public bulletin board or
newsgroup from an XYZ Credit Union/Bank e-mail or IP address, to avoid misrepresenting
the user's authority to represent the opinion of the company.
1.3 System Accounts
1.3.1 Users are responsible for maintaining system-level and user-level passwords in
accordance with the Password Policy.
1.3.2 Users are responsible for their accounts, systems, and the security of data under their
control. Passwords must be kept secure; accounts and passwords must not be shared with other
users.
1.4 Network Usage (the following are strictly prohibited)
1.4.1 Causing an interruption of service to XYZ Credit Union/Bank network resources,
including, but not limited to, spoofing, denial of service attacks, buffer overflows, and forged
routing information for malicious purposes.
1.4.2 Use of the network to cause security breaches of either the XYZ Credit Union/Bank
network or other networks, including, but not limited to, accessing servers, data, or accounts
without authorization, is prohibited.
1.4.3 Use of the network with the intention to violate copyright laws, including, but not
limited to, duplicating or sharing copyrighted pictures, music, video, and software, is prohibited.
1.4.4 Use of the internet or the XYZ Credit Union/Bank network with the intention to violate
local laws or XYZ Credit Union/Bank network policies is prohibited.
1.4.5 Deliberately introducing malicious code, such as viruses, worms, Trojan horses, e-mail
bombs, spyware, adware and keyloggers, is prohibited.
1.5 Computing Assets
1.5.1 All workstations, PDAs, laptops and PCs must be secured with a password-protected
screensaver, and its automatic activation feature must be enabled.
1.5.2 User devices that use the XYZ Credit Union/Bank network to connect to the internet
must comply with the XYZ Credit Union/Bank access policy.
1.5.3 All users are responsible for ensuring the protection of assigned XYZ Credit
Union/Bank IS assets. It is the responsibility of the user to promptly report theft or loss of any
XYZ Credit Union/Bank IS equipment.
2. Purpose/Objectives
2.1 The purpose of this policy is to comply with the Gramm-Leach-Bliley Act and IT
security best practices by establishing guidelines for the proper usage of XYZ Credit Union/Bank
network resources and electronic devices at all locations. In addition, this policy will ensure
that:
XYZ Credit Union/Bank employees comply with XYZ Credit Union/Bank policies.
XYZ Credit Union/Bank prevents any misuse of or damage to IS equipment or data.
XYZ Credit Union/Bank employees have all the appropriate tools to operate in a safe
network.
3. Scope
3.1 This policy applies to the use of XYZ Credit Union/Bank information systems,
electronic communications, computing assets, and network resources to conduct business or
interact with internal or external network systems, whether owned or leased by XYZ Credit
Union/Bank, the employees, or a third party. All XYZ Credit Union/Bank employees, contractors,
consultants, temporary and other workers, including those affiliated with third parties, must
adhere to XYZ Credit Union/Bank policy.
3.2 All XYZ Credit Union/Bank employees, contractors, consultants, temporary and other
workers, including those affiliated with third parties, are responsible for exercising good
judgment when operating XYZ Credit Union/Bank electronic devices, IS equipment, and
network resources.
4. Standards
4.1 This policy includes standards that all XYZ Credit Union/Bank employees,
contractors, consultants, temporary and other workers, including those affiliated with third parties,
need to familiarize themselves with before using XYZ Credit Union/Bank IS resources. It will
provide consistent rules of use for:
4.1.1 Electronic Communications Standard
4.1.2 Internet Usage Standard
4.1.3 Network Usage Standard
4.1.4 Copyright Standards
5. Procedures
5.1 All XYZ Credit Union/Bank employees, contractors, consultants, temporary and other
workers, including those affiliated with third parties, will be given a copy of the XYZ Credit
Union/Bank policy, and they will then sign and date the policy. The XYZ Credit Union/Bank
IT Department will maintain the policy signed by each user.
5.2 The XYZ Credit Union/Bank IT Department will provide training to enforce XYZ Credit
Union/Bank policy.
6. Guidelines
6.1 XYZ Credit Union/Bank will not tolerate any misuse of its systems; employees found to
have violated XYZ Credit Union/Bank policy may be subject to disciplinary action, up to and
including termination of employment.
6.2 The use of any XYZ Credit Union/Bank resources for illegal activity will be
grounds for termination of employment, and XYZ Credit Union/Bank will cooperate with any
criminal investigation and prosecution that may result from such illegal activity.



Lab Assessment Questions & Answers
1. What are three risks and threats of the user domain?
Data leakage enabled by USB devices.
Installation of unauthorized or inappropriate applications.
Unauthorized access to someone else's account.
2. Why do organizations have acceptable use policies (AUPs)?
Acceptable Use Policies (AUPs) are implemented to help organizations avoid unwanted
consequences, protecting the company and employees by enabling it to deal with transgressions
in a systematic way that will withstand legal challenges without reducing productivity or
employee morale. AUPs declare network etiquette, the limits of network resources, and the level of
privacy a user should expect when working on the network (Mitchell, 2013).
3. Can Internet use and e-mail use policies be covered in an acceptable use policy?
Yes, Internet use and e-mail use policies can be covered in an acceptable use policy declaring
what is acceptable when using the company's network.
4. Do compliance laws, such as HIPAA or GLBA, play a role in AUP definition?
Yes, especially for healthcare companies. They must implement appropriate access controls
and safeguards to protect patients' health information.
5. Why is an acceptable use policy not a fail-safe means of mitigating risks and threats within the
user domain?
Because it does not contain any sensitive information; it is just a document employees sign
declaring proper use of Information Systems. On the other hand, this document should be kept in a
safe place, so that when an employee fails to comply with the company's policy, the organization has
evidence that he can be held accountable for his actions.
6. Will the AUP apply to all levels of the organization? Why or why not?
Yes, the AUP should apply to all levels of the organization, because it describes the
intended uses of the network, including unacceptable uses and the consequences for non-
compliance (Mitchell, 2013).
7. When should an AUP be implemented and how?
The AUP should be implemented before the user gains access to the company's network and
IS equipment. The AUP document will be given to all employees to sign and then stored
in their files.
8. Why does an organization want to align its policies with the existing compliance
requirements?
Organizations align their policies with existing compliance requirements to mitigate
and minimize risk, making sure that all users and devices comply with the requirements before
accessing the company's IS resources.
9. In which domain of the seven domains of a typical IT infrastructure would an acceptable use
policy (AUP) reside? How does an AUP help mitigate the risks commonly found with employees
and authorized users of an organizations IT infrastructure?
The AUP resides in the System/Application Domain, and it mitigates the risks commonly
found with employees and authorized users by describing the company's employees' roles and
responsibilities.
10. Why must an organization have an acceptable use policy (AUP) even for non-employees,
such as contractors, consultants, and other third parties?
Organizations must have an acceptable use policy (AUP) even for non-employees, such
as contractors, consultants, and other third parties, because they need to be aware of the
company's policies regarding Information Systems. They need to understand that they can be
held accountable for misuse of the organization's Information Systems.
11. What security controls can be deployed to monitor and mitigate users from accessing
external websites that are potentially in violation of an AUP?
Some security controls that can be deployed to monitor and mitigate users from
accessing external websites that are potentially in violation of an AUP are:
Firewall
Intrusion Detection System
Antivirus and Patches.
Access Control
12. What security controls can be deployed to monitor and mitigate users from accessing
external webmail systems and services (that is, Hotmail, Gmail, Yahoo, etc.)?
Content Filtering and/or proxy are security controls that can be deployed to monitor and
mitigate users from accessing external webmail systems.
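The monitoring half of the control named above, as an added example that is not part of the original lab: a PowerShell script that reads proxy access-log lines and flags requests to external webmail hosts, distinguishing ones the proxy already denied from ones that got through. It assumes the log lines follow the Squid "native" access.log layout (epoch time, elapsed ms, client IP, result/status, bytes, method, URL, user, hierarchy/peer, content type); the webmail domain list and the sample log lines are constructed placeholders, and the function names are the example's own.

```powershell
# Added example (not from the original lab): flag proxy requests to external
# webmail services in Squid native access.log lines.
# Assumed field order per line:
#   <epoch> <elapsed_ms> <client_ip> <result/status> <bytes> <method> <url> <user> <hier/peer> <type>

# Constructed placeholder for the organization's own webmail block list.
$WebmailDomains = @('mail.google.com', 'outlook.live.com', 'mail.yahoo.com')

# Constructed sample log lines (not real traffic). The last one shows a
# request the proxy already denied.
$SampleLog = @(
    '1700000000.123    210 10.0.0.15 TCP_TUNNEL/200 5120 CONNECT mail.google.com:443 jdoe HIER_DIRECT/142.250.0.1 -',
    '1700000001.456     80 10.0.0.22 TCP_MISS/200 2048 GET http://intranet.xyzbank.local/policy/aup.pdf asmith HIER_DIRECT/10.0.0.5 application/pdf',
    '1700000002.789    150 10.0.0.15 TCP_TUNNEL/200 1024 CONNECT outlook.live.com:443 jdoe HIER_DIRECT/52.96.0.1 -',
    '1700000003.012     60 10.0.0.31 TCP_DENIED/403 0 CONNECT mail.yahoo.com:443 bwong HIER_NONE/- -'
)

function Get-RequestHost {
    param([string]$Url)
    # CONNECT requests carry "host:port"; GET/POST requests carry a full URL.
    if ($Url -match '^[a-zA-Z][a-zA-Z0-9+.-]*://') {
        return ([uri]$Url).Host.ToLower()
    }
    return ($Url -split ':')[0].ToLower()
}

function Test-WebmailHost {
    param([string]$HostName)
    # Match the listed domain itself or any subdomain of it.
    foreach ($d in $WebmailDomains) {
        if ($HostName -eq $d -or $HostName.EndsWith(".$d")) { return $true }
    }
    return $false
}

function Find-WebmailAccess {
    param([string[]]$Lines)
    # Emits one object per matching request. Blocked = $true means the proxy
    # denied it; $false means the request reached the webmail service.
    foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 8) { continue }   # skip malformed lines
        $reqHost = Get-RequestHost -Url $f[6]
        if (-not (Test-WebmailHost -HostName $reqHost)) { continue }
        [pscustomobject]@{
            Time    = [DateTimeOffset]::FromUnixTimeSeconds([long][double]$f[0]).UtcDateTime
            Client  = $f[2]
            User    = $f[7]
            Host    = $reqHost
            Blocked = $f[3].StartsWith('TCP_DENIED')
        }
    }
}

# --- usage: report matches, and summarize which ones slipped through --------
$hits = @(Find-WebmailAccess -Lines $SampleLog)
$hits | Format-Table -AutoSize
$allowed = @($hits | Where-Object { -not $_.Blocked })
if ($allowed.Count -gt 0) {
    Write-Warning ("{0} webmail request(s) were not blocked; review the proxy ACL." -f $allowed.Count)
}
```

Matching on the host rather than on a substring of the URL avoids false positives such as an intranet page that merely links to a webmail provider, and checking `TCP_DENIED` separately turns the log review into a check that the blocking rule actually fires rather than just a list of attempts.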
13. Should an organization terminate the employment of an employee if he/she violates
an AUP?
It depends on the severity of the violation and how many times he/she has violated the
company's policy. On the other hand, if the employee uses the organization's information systems to
commit any illegal activity, he/she should be terminated, and the organization should cooperate
with local authorities.


Reference
Mitchell, B. (2013). Acceptable Use Policy. Retrieved from
http://compnetworking.about.com/od/filetransferprotocol/a/aup_use_policy.htm

Wrenn, G. (2005). Acceptable use policies will minimize email risk. Retrieved from
http://searchsecurity.techtarget.com/tip/Mail-Call-Setting-acceptable-use-and-security-expectations-will-minimize-e-mail-risk
