Many organizations have policies and procedures in place regarding information systems and security. However, many of these policies are stored in locations not readily available to employees. What would be your approach to ensure all employees of the organization are fully aware of the policies to secure the organizational infrastructure along with practices accepted by the organization?
UNIT V STUDY GUIDE
User Domain and Information Technology Infrastructure Security Policies
Course Textbook(s): Johnson, R., & Easttom, C. (2022). Security policies and implementation issues (3rd ed.). Jones & Bartlett Learning. https://online.vitalsource.com/#/books/9781284200034
CYB 4304, Cybersecurity Law and Policy 1
Course Learning Outcomes for Unit V
Upon completion of this unit, students should be able to:
4. Analyze a security awareness training policy for new and existing employees at an organization.
4.1 Identify security controls or countermeasures to mitigate risks and threats for the user domain.
4.2 Discuss the main components of a reviewed security awareness policy.
Required Unit Resources
Chapter 9: User Domain Policies
Chapter 10: IT Infrastructure Security Policies
Unit Lesson
The Paradox of a Greater, but More Vulnerable Network
While it is generally true that a greater number of users and a greater degree of technological sophistication
increase a network’s value, those characteristics also make the network more vulnerable to security risks.
Individual user access must be controlled as a network grows, and the risks of their access should be
considered. Security policies can mitigate risks in the user domain, but only if done correctly (Johnson &
Easttom, 2022).
Security awareness matters to everyone in the organization because it is the foundation of a security culture.
Awareness is built through a security awareness program; therefore, an organization must run routine security
awareness training to keep all end users current on security events both within and outside the organization.
People Can Be A Network’s Greatest Weakness
People can unfortunately be one of the greatest weaknesses in a network security regime. This is generally
because people have different skill sets; can let their guard down; or get tired, confused, or distracted.
Automated controls never get tired, distracted, or confused, but they are limited to the tasks for which they
were built, and therefore cannot deal well with the unexpected (Johnson & Easttom, 2022).
People are the major users of information technology (IT) systems, which leads to risks in the user domain.
While security policies are created to mitigate risks, their design must consider social engineering, human
error, and internal threats. These concepts are explored below.
• Social engineering: This concept describes the act of misleading or manipulating people in a way that
threatens an entity’s information security. For instance, you and a friend are discussing how you
created a password on your workstation. Within earshot, an unknown employee hears you say your
favorite password is the family dog. Your friend asks you, “What is the name of your dog?” and you
reply, “His name is Walter.” The unknown employee waits until you go to lunch and then enters your
password at your workstation. He now sees all of the information on your computer. A second avenue
for social engineering is pretexting, such as contacting an employee while pretending to be part of the
IT department and getting that person to disclose information they should not share.
• Phishing: Phishing is an emailed variation of social engineering, where the recipient of an email is
convinced to click a link or download an attachment that contains malicious programs. Spear phishing
is phishing that has been targeted to a specific audience, such as new employees. Whaling is even
more targeted than spear phishing, in that very specific information or interests relating to the target are
used, often gathered from social media.
• Human error: People, by nature, make mistakes or are careless. For example, you cannot seem to
remember your password, so you write it on a sticky note and place it under your keyboard. Another
example is thinking that your computer is acting in a strange way but being unsure what to do about it.
This may reflect a lack of knowledge that your computer has been exposed to a threat of some kind,
such as a virus. Even programmers make mistakes when writing software code, and updates are
eventually released to fix the code.
• Internal threats: Although we try to protect our systems from outside hackers or intruders, we often
forget about our worst threats, those from the inside. There are a number of reasons an organization
may face insider threats, for example, an employee who was passed over for promotion, has been
fired, or is on probation. These employees may seek broad access to the system (recall separation of
duties, SOD) for monetary gain by selling proprietary data. Employees who can no longer be trusted in
the user domain are now a risk to the system (Johnson & Easttom, 2022).
Users in the User Domain
Seven different types of users will have access to the user domain, each with their own unique needs.
Complexity grows as users increase in number and category, and each will impact how the security policy is
designed.
1. Employees: They are the staff members of the organization.
2. Systems administrators: These are IT professionals who work in the IT department and provide
technical IT support.
3. Security personnel: These are IT professionals who design and implement the organization’s security
programs.
4. Contractors: These are temporary employees who work on certain tasks within the organization. The
company manages them in the same manner as employees.
5. Vendors: Outside companies are hired to provide services to the organization and are directly
managed by the vendor company.
6. Guests and the public: These are individuals who access specific applications within the IT system of
the organization.
7. Control partners: These are the people who evaluate controls for design and effectiveness (Johnson &
Easttom, 2022).
In addition to these human-user types, there are two other groups that are important. These groups are
different from the others in that they are account types rather than user types. System accounts are
nonhuman accounts used by the system to support automated service. Contingent IDs are nonhuman
accounts until assigned, when they are used to recover a system after a major outage (Johnson & Easttom,
2022).
Best Practices for User Domain Policies
Many of you have heard the term best practices in business, industry, academia, and the private sector. A
best practice is simply a technique, methodology, or technology used to produce a sustained, quality result.
For user domain policies, Johnson and Easttom (2022) state that the practices below are typical and have
been included in many security policies.
• Attachments: Never open attachments from sources that you do not trust.
• Encryption: Always use an encryption application to secure your desktop, emails, laptops, backup
devices, and similar assets.
• Layered defense: Use more than one layer of security approaches to mitigate risks.
• Least privilege: Use the least-privilege concept. In other words, users are on a need-to-know basis for
access control.
• Best fit privilege: Individuals should have the limited access necessary to fulfill their responsibilities.
• Patch management: Use a program to ensure all security patches are up-to-date to reduce risks and
to mitigate future risks.
• Unique identity: Use unique credentials that identify who you are except for public areas of access.
• Virus protection: Ensure virus and malware prevention applications are installed on all desktops and
laptops.
IT Infrastructure Security Policies
Once you have identified those elements needed for the user domain, the next step is creating the security
policy for the IT Infrastructure. In one sense, all organizations will have unique IT infrastructures, since each
has its own characteristics and needs. However, all networks must have foundational policy concepts and
focus areas—such as layers of security, from the perimeter, through the network, to the data being accessed
(Johnson & Easttom, 2022).
Recall the seven domains of the IT infrastructure from your previous chapters, each with its own unique
security control requirements. The basic anatomy of a policy starts with understanding the different types of
documents that capture the domain security control requirements. Johnson and Easttom (2022) list five
common documents.
• Control standards: This document describes the core security control requirements.
• Baseline standards: This document describes the technical security controls for a specific technology.
• Procedure documents: These documents include processes needed to implement control and
baseline standards.
• Guidelines: This document, although optional, describes parameters and recommended policies,
standards, or procedures.
• Dictionary: A common taxonomy used in policies that defines the scope and meaning of the terms used.
These standards are often described as the core policy statements or minimum security baseline (MSB). The
number of documents can vary significantly between organizations.
As an end user in the user domain, you share responsibility for the security of all network resources and are
accountable for those resources to which you hold least-privilege access. Periodic security awareness
training will provide you with the knowledge needed to avoid security risks within your user domain and to
protect the network resources of the organization as a whole.
Reference
Johnson, R., & Easttom, C. (2022). Security policies and implementation issues (3rd ed.). Jones & Bartlett Learning. https://online.vitalsource.com/#/books/9781284200034