Security Data 1 Discussion 1 Security awareness training is often the first view a typical user has into information security. It’s often required for a

1

Discussion 1

Security awareness training is often the first view a typical user has into information security. It’s often required for all new hires. Think of it as the first impression of management’s view of information security. This is management’s opportunity to set the tone. Most individuals want to do a good job, but they need to know what the rules and expected behavior are. That is one of the purposes of a security awareness policy.

Answer the following question(s):

1. What do you think are the two most important practices that should be incorporated into a security awareness policy?

2. Why do you rank them so highly?

Discussion 2

Class,

People are using their mobile phone browsers more and more every day to find information about businesses, make product decisions and purchases, and even determine the quality of a business based on what they can find online.  With the proliferation of mobile browsers, people need to be able to access your website and, at a minimum, be able to browse it smoothly to find the information they need.  Taking it a step further and providing an optimal mobile user interface (UI), or specialized mobile content, can provide a great experience and enhance the reputation of an  organization.

· Discuss pros/cons of a adaptive web site

· Discuss pros/cons of a dedicated web site

· Identify and discuss best approaches to website development for mobile applications

LAB 1

Review the security awareness training policies at the following websites:

Health care: State of North Carolina Department of Health and Human Services (
https://policies.ncdhhs.gov/departmental/policies-manuals/section-viii-privacy-and-security/manuals/security-manual/@@display-file/policy_file/DHHS%20Security%20Manual.pdf
)

Higher education: University of San Francisco (
http://www.usfca.edu/its/security/seta/
)

1. For each sample security awareness training policy that you reviewed in the step above, discuss the policy’s main components. You should focus on the need for a security awareness program and its key elements.

Review the following scenario for the fictional Bankwise Credit Union:

The organization is a local credit union that has several branches and locations throughout the region.

Online banking and use of the internet are the bank’s strengths, given its limited human resources.

The customer service department is the organization’s most critical business function.

The organization wants to be in compliance with the Gramm-Leach-Bliley Act (GLBA) and IT security best practices regarding its employees.

The organization wants to monitor and control use of the Internet by implementing content filtering.

The organization wants to eliminate personal use of organization-owned IT assets and systems.

The organization wants to monitor and control use of the e-mail system by implementing e-mail security controls.

The organization wants to implement security awareness training policy mandates for all new hires and existing employees. Policy definitions are to include GLBA and customer privacy data requirements, in addition to a mandate for annual security awareness training for all employees.

2. Create a security management policy with defined separation of duties for the Bankwise Credit Union.

Bankwise Credit Union

Security Awareness Training Policy

 

A.Policy Statement
Define your policy verbiage.

 

B.Purpose/Objectives
Define the policy’s purpose as well as its objectives.

 

C.Scope
Define whom this policy covers and its scope. What elements, IT assets, or organization-owned assets are within this policy’s scope?

 

D.Standards
Does the policy statement point to any hardware, software, or configuration standards? If so, list them here and explain the relationship of this policy to these standards.

 

E. Procedures
Explain how you intend to implement this policy for the entire organization.

 

F. Guidelines
Explain any roadblocks or implementation issues that you must overcome in this section and how you will surmount them per defined guidelines. Any disputes or gaps in the definition and separation of duties responsibility may need to be addressed in this section.

3. There are many vendors that provide security awareness training software to organizations that do not have the time nor the resources to create their own. When selecting a software vendor, many organizations will issue a Request for Information (RFI) to potential vendors, outlining the details of what the organization would like to learn about the vendor’s solution. You can read more about RFIs here: https://www.smartsheet.com/free-request-for-information-templates.

 

As a security manager at eChef, an online marketplace for high-end kitchenware, you have been tasked with selecting a security awareness training software provider.

 

Use the internet to research real security awareness training software providers.

 

A. Identify three security awareness training software providers.

 

B. Identify 10 questions that you would include in your RFI.

 

 LAB 2

In your browser, navigate to and read the “Remote Access Policy” template at https://www.sans.org/information-security-policy/.

Using your favorite search engine, locate a remote access policy for a higher education institution.

Using your favorite search engine, locate a remote access policy for a healthcare provider.

1. Write a brief summary of the information during your research. In your summary, focus on the key elements of the remote access policy. You should also identify any unique elements of remote access policies for higher education and healthcare institutions. Be sure to provide links to the remote access policies you identified in steps 2 and 3.

Review the following risks and threats found in the Remote Access Domain:

The organization is a local credit union that has several branches and locations throughout the region.

Online banking and use of the internet are the bank’s strengths, given its limited human resources.

The customer service department is the organization’s most critical business function.

The organization wants to be in compliance with the Gramm-Leach-Bliley Act (GLBA) and IT security best practices regarding its employees.

The organization wants to monitor and control use of the internet by implementing content filtering.

The organization wants to eliminate personal use of organization-owned IT assets and systems.

The organization wants to monitor and control use of the e-mail system by implementing e-mail security controls.

The organization wants to implement security awareness training policy mandates for all new hires and existing employees. Policy definitions are to include GLBA and customer privacy data requirements, in addition to a mandate for annual security awareness training for all employees.

2. Identify a security control or countermeasure to mitigate each risk and threat identified in the Remote Access Domain. These security controls or countermeasures will become the basis of the scope of the Remote Access Domain policy definition to help mitigate the risks and threats commonly found within the Remote Access Domain.

Review the following characteristics of the fictional Healthwise Health Care Provider:

Healthwise has several remote health care branches and locations throughout the region.

Online access to patients’ medical records through the public Internet is required for remote nurses and hospices providing in-home medical services.

Online access to patients’ medical records from remote clinics is facilitated through a virtual private network (VPN) and a secure web application front-end over the public Internet.

The organization wants to be in compliance with the Health Insurance Portability and Accountability Act (HIPAA) and IT security best practices regarding remote access through the public internet.

The organization wants to monitor and control the use of remote access by implementing system logging.

The organization wants to implement a security awareness training policy mandating that all new hires and existing employees obtain remote access security training. Policy definition is to include HIPAA and electronic protected health information (ePHI) security requirements and a mandate for annual security awareness training for all remote or mobile employees.

3. Create an organization-wide remote access policy for Healthwise Health Care:

 

Healthwise Health Care

Remote Access Policy for Remote Workers and Medical Clinics

 

A. Policy Statement
Define your policy verbiage.

 

B. Purpose/Objectives
Define the policy’s purpose as well as its objectives and policy definitions

 

C. Scope
Define whom this policy covers and its scope. What elements, IT assets, or organization-owned assets are within this policy’s scope?

 

D. Standards
Does the policy statement point to any hardware, software, or configuration standards? If so, list them here and explain the relationship of this policy to these standards. In this case, Remote Access Domain standards should be referenced, such as encryption standards and VPN standards; make any necessary assumptions.

 

E. Procedures
Explain how you intend to implement this policy for the entire organization.

 

F. Guidelines
Explain any roadblocks or implementation issues that you must overcome in this section and how you will surmount them per defined guidelines. Any disputes or gaps in the definition and separation of duties responsibility may need to be addressed in this section.

For this portion of the lab, you will create training documentation for remote employees of Healthwise Health Care. This training will provide remote employees with methods they can use to secure their home network before connecting a company computer, as well as guidance on how to access the corporate network while traveling.

 

4. Use the internet to find information about remote access policies and home network protection, and then use this information to create a training document for remote employees.

1

Discussion

1

Security

awareness

training

is

often

the

first

view

a

typical

user

has

into

information

security.

It

s

often

required

for

all

new

hires.

Think

of

it

as

the

first

impression

of

management

s

view

of

information

security.

This

is

management

s

opportunity

to

set

the

tone.

Most

individuals

want

to

do

a

good

job,

but

they

need

to

know

what

the

rules

and

expected

behavior

are.

That

is

one

of

the

purposes

of

a

security

awareness

policy.

Answer

the

following

question(s):

1.

What

do

you

think

are

the

two

most

important

practices

that

should

be

incorporated

into

a

security

awareness

policy?

2.

Why

do

you

rank

them

so

highly?

Discussion

2

Class,

People

are

using

their

mobile

phone

browsers

more

and

more

every

day

to

find

information

about

businesses,

make

product

decisions

and

purchases,

and

even

determine

the

quality

of

a

business

based

on

what

they

can

find

online.

With

the

proliferation

of

mobile

browsers,

people

need

to

be

able

to

access

your

website

and,

at

a

minimum,

be

able

to

browse

it

smoothly

to

find

the

information

they

need.

Taking

it

a

step

further

and

providing

an

optimal

mobile

user

interface

(UI),

or

specialized

mobile

content,

can

provide

a

great

experience

and

enhance

the

reputation

of

an

organization.

·

Discuss

pros/cons

of

a

adaptive

web

site

·

Discuss

pros/cons

of

a

dedicated

web

site

·

Identify

and

discuss

best

approaches

to

website

development

for

mobile

applications

LAB

1

Review

the

security

awareness

training

policies

at

the

following

websites:

Looking for this or a Similar Assignment? Click below to Place your Order