- What are three risks and threats of the user domain?
Threats:
- Disgruntled employee backlashes or attacks.
- The user developing apathy towards policies.
- Lack of user awareness, such as leaving a machine unattended and unlocked.
- The user accidentally or intentionally violating security policies.
Risks:
- The user machine being attacked by malware.
- Unauthorized access into the user’s domain.
- An unauthorized user using phishing emails to distribute malicious attachments and links.
- An unauthorized user accessing and compromising the user’s saved credentials.
- Why do organizations have acceptable use policies (AUPs)?
Organizations adopt acceptable use policies (AUPs) to educate and inform employees about the expected proper use of company resources. Additionally, AUPs are enacted to create awareness among employees of what constitutes a violation of policy and the appropriate penalties accompanying each violation. AUPs set limits on the use of network resources and state the level of privacy employees can expect when working on a particular network (Mitchell, 2018).
- Can Internet use and e-mail use policies be covered in an acceptable use policy?
Yes, they can both be covered. Both email and the internet are accessed through company devices. As such, an organization can specify how it wants these resources to be used, declaring what constitutes acceptable and unacceptable usage.
- Do compliance laws, such as HIPAA or GLBA, play a role in AUP definition?
Yes. An acceptable use policy must stay within the guidelines of the applicable laws and regulations. Healthcare companies, for example, institute appropriate safeguards and access controls to protect patients' health records.
- Why is an acceptable use policy not a fail-safe means of mitigating risks and threats within the user domain?
A policy is a set of rules that can either be followed or ignored. Its effectiveness depends on the disciplinary mechanism that accompanies it and on proper monitoring (Wrenn, n.d.). Technical controls used in conjunction with the use policy can stop potential violators from breaching certain aspects of the policy, but they cannot enforce every rule.
- Will the AUP apply to all levels of the organization? Why or why not?
Yes, because risk increases at the higher levels of an organization: higher-ranking employees know a great deal about the organization and typically hold broader access. Secondly, upper management is expected to set a good precedent for lower-ranking employees by observing the acceptable use policies themselves. The importance and seriousness of a user policy can be gauged by the number of people who observe it.
- Why does an organization want to align its policies with the existing compliance requirements?
An organization may want to align its policies with existing compliance requirements to avoid losses due to fines for failing to comply with those requirements. Secondly, aligning policies with compliance requirements minimizes the risk of misuse of, and damage to, organizational devices and data.
- Why must an organization have an acceptable use policy (AUP) even for non-employees, such as contractors, consultants, and other third parties?
An organization must have an acceptable use policy (AUP) even for non-employees such as contractors, consultants, and other third parties to make them aware of the organization's policies concerning its information systems (SITE, 2010). They need to be notified that they can be held accountable for their actions whenever those actions contravene policy or are otherwise unacceptable.
- What security controls can be deployed to monitor users that are potentially in violation of an AUP?
There are many security controls that can be deployed to monitor user activity. Per Stallings, Brown, Bauer & Bhattacharjee (2012), some of these controls include:
- Firewalls to monitor web access;
- Intrusion Detection Systems to see which files are viewed and to record any failed attempts to access unauthorized domains;
- Monitoring of email traffic;
- Controlling the software that employees can install;
- Content filtering;
- Proxy servers.
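As an added illustration of how the proxy-server, content-filtering and monitoring controls above feed AUP enforcement, the following Python script (written for this page, not from Stallings et al. or any specific product) parses a handful of constructed proxy log lines, counts each user's requests to categories the AUP prohibits, flags users who exceed a review threshold, and separately reports requests that the content filter allowed even though the category is prohibited (a sign the filter is misconfigured). The log format, the `AUP_PROHIBITED` category list and the threshold are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (not from the page). Format assumed for this example:
# timestamp user src_ip action category url
SAMPLE_LOG = """\
2018-05-04T09:12:01 alice 10.0.0.5 ALLOW business https://intranet.example/
2018-05-04T09:15:22 bob 10.0.0.7 BLOCK gambling https://bet.example/
2018-05-04T09:16:40 bob 10.0.0.7 BLOCK gambling https://bet.example/odds
2018-05-04T09:20:05 carol 10.0.0.9 ALLOW filesharing https://share.example/upload
2018-05-04T09:21:18 bob 10.0.0.7 BLOCK filesharing https://torrent.example/
2018-05-04T10:02:33 dave 10.0.0.11 ALLOW news https://news.example/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (ALLOW|BLOCK) (\S+) (\S+)$")

# Hypothetical list of categories the organization's AUP prohibits.
AUP_PROHIBITED = {"gambling", "filesharing", "adult"}


def parse_proxy_log(text):
    """Turn raw log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts, user, ip, action, category, url = match.groups()
        events.append({"ts": ts, "user": user, "ip": ip, "action": action,
                       "category": category, "url": url})
    return events


def summarize_by_user(events, prohibited=AUP_PROHIBITED):
    """Per user: how many prohibited-category requests were blocked vs. allowed,
    and which prohibited categories were touched."""
    summary = defaultdict(lambda: {"blocked": 0, "allowed": 0, "categories": set()})
    for e in events:
        if e["category"] not in prohibited:
            continue
        entry = summary[e["user"]]
        entry["blocked" if e["action"] == "BLOCK" else "allowed"] += 1
        entry["categories"].add(e["category"])
    return dict(summary)


def flag_users(summary, threshold=2):
    """Users whose total prohibited-category requests reach the review threshold.
    Blocked requests count too: repeated attempts are themselves an AUP concern."""
    return sorted(u for u, s in summary.items()
                  if s["blocked"] + s["allowed"] >= threshold)


def policy_gaps(events, prohibited=AUP_PROHIBITED):
    """Requests the filter ALLOWED in a prohibited category: the control is not
    enforcing the policy and the filter rules need review."""
    return [e for e in events
            if e["action"] == "ALLOW" and e["category"] in prohibited]


if __name__ == "__main__":
    evts = parse_proxy_log(SAMPLE_LOG)
    summ = summarize_by_user(evts)
    print("users to review:", flag_users(summ))
    for gap in policy_gaps(evts):
        print("filter gap:", gap["user"], gap["category"], gap["url"])
```

Run as-is, the script reports `bob` for review (three blocked attempts in prohibited categories) and one filter gap (`carol` was allowed a `filesharing` request). The two outputs serve different audiences: the review list goes to whoever administers the AUP's disciplinary process, while the gap list goes to the team that maintains the proxy's category rules.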
- Should an organization terminate the employment of an employee if he/she violates an AUP? Why?
This should depend on the severity of the violation and on whether the behaviour is repeated. However, if the violation resulted in unlawful activity, the employee should be relieved of employment and the organization should cooperate with the authorities in bringing the employee to book.
References
Mitchell, B. (2018, April 1). What is an Acceptable Use Policy (AUP)? Retrieved May 4, 2018, from https://www.lifewire.com/acceptable-use-policy-aup-817563
SITE, P. U. O. O. (2010). Acceptable Use Policy.
Stallings, W., Brown, L., Bauer, M. D., & Bhattacharjee, A. K. (2012). Computer security: Principles and practice. Pearson Education.
Wrenn, G. (n.d.). Acceptable use policies will minimize email risks. Retrieved May 4, 2018, from https://searchsecurity.techtarget.com/tip/Mail-Call-Setting-acceptable-use-and-security-expectations-will-minimize-e-mail-risk