Internet and User Domain

NT2580 Introduction to Information Security

Homework 5

Unit 5 Assignment 1: Define an Acceptable Use Policy (AUP)

Assignment Requirements
Richman Investments requires the enforcement of strict ingress-egress filtering policies for network traffic. Certain traffic is expressly forbidden:
1  No peer-to-peer file sharing or externally reachable file transfer protocol (FTP) servers
2  No downloading executables from known software sites
3  No unauthorized redistribution of licensed or copyrighted material
4  No exporting internal software or technical material in violation of export control laws
5  No introduction of malicious programs into networks or onto systems
6  No accessing unauthorized internal resources or information from external sources
7  No port scanning or data interception on the network
8  No denying service or circumventing authentication to legitimate users
9  No using programs, scripts, or commands to interfere with other network users
10  No sending unsolicited e-mail messages or junk mail to company recipients
11  No accessing adult content from company resources
12  No remote connections from systems failing to meet minimum security requirements

Define a LAN-to-WAN, Internet, and Web surfing AUP that restricts usage of the company’s Internet connection and permits the company to monitor usage of the corporate Internet connection. Carefully evaluate the implications of each policy and how implementations might impact the IT infrastructure, both positively and negatively. Weigh the benefits and the disadvantages of each method. Consider whether or not a proposed solution causes an interruption to the legitimate users and how it might bring security at the expense of preventing a perfectly legitimate activity.

Acceptable Use Policy
To fully explain the acceptable use policy would mean to begin from the beginning, the user domain. The user domain is the employee or people within an organization who is granted access to the information system for the organization. There are roles and tasks, responsibility, and accountability that go into an acceptable use policy for the user domain. Within the user domain is the access of LAN to Wan, web surfing, and internet. LAN to Wan is the activities between LAN to Wan and firewalls, routers, intrusion, detection, and workstations. Web surfing determines what a user can do on company time with company resources. Internet is when the user has access to the internet what types of controls should the organization have on the certain internet sites being accessed. Although they all sort of are the same they are very much different (Cordero, 2013).
For the Lan to Wan AUP will go hand in hand with the roles and tasks parts of the user domain. Users would be given access to certain systems, applications, and data depending on their access rights. The AUP is like a rulebook that employees need to follow when using an organization’s IT assets and if they are violated it could be grounds for termination. The AUP will set grounds on employees to understand that they are responsible for any and all actions on an organization’s IT assets. In particular to organizations that have databases with sensitive information may also require a criminal background check before granting access. This all prevents risks, threats, and vulnerability that could compromise an organization’s system, applications, and/or data.
Lan and Wan AUP helps in preventing users from destroying the firewalls and protection programs from leaking sensitive information and/or hackers from entering and obtaining important sensitive information to different area networks and the internet. For a solid AUP would be to have security monitoring controls to avoid intrusions. It would be best to apply antivirus programs especially on emails and email quadrating to identify unknown file types and catch any unsafe programs trying to come into the organization. The ability to block outbound traffic that may be accessed during normal work procedures. Also to have some type of file transfer or monitoring on unknown files types received by employees. These programs will all assist in maintaining security and integrity for the organization’s sensitive information (Kim & Solomon, 2012).
Web surfing on company time would be controlled by acknowledging and restricting which sites an employee will be able to access during company time. There will be type of filter that will determine if the website is allowed to be access and scanned to determine if there are any dangerous or unknown files that can hurt the organization’s system. With the internet part of the AUP would be to have a setting where if the employee decides to access internet sites not work related then they could be timed on the amount of time they can continue to view the sites. For instance, if an employee wanted to do some shopping on their break there would normally be a restriction to the shopping internet sites. However, there could be a monitoring program installed where the user would enter their username and password and it would give them an hour, forty-five minutes or thirty minutes of viewing time. Advantage of this protocol will prevent employees from being less productive while they should be doing work on their paid work time. Another advantage would be to prevent employees from accessing unauthorized websites and bringing in viruses into the organizations and making limitations on what type of emails are to be sent and accepted within the organization. Some disadvantages would be that at times the internet is useful in assisting customers when a question arises and the representative is unsure of the answer. For instance, if a customer comes in and needed information to another place of business we can easily assist our trusting and faithful customer and guide them in the right direction. At times a representative must also access the internet to answer questions they are unsure of the organization and need to internet to find the answers. This advantage will assure a customer needs were satisfied and leaves no gaps of uncertainty.

Reference: Cordero, M. (February 28, 2013).
Kim, D. & Solomon, M.G. (2012).