Scenario: You are the IT Security Manager of XYZ

Credit Union that has multiple branches throughout the region. Write an acceptable use policy (AUP) for XYZ Credit Union that wants to monitor and control use of the Internet by implementing content filtering; wants to eliminate personal use of organization-owned IT assets and systems; wants to monitor the use of the e-mail system by implementing e-mail security controls; and wants to implement this policy for all the IT assets it owns and to incorporate this policy review into its annual security awareness training. Your policy must contain the following headings:

XYZ Credit Union

Policy Heading {To identify the topic}

Policy Statement {Mandatory directive.}

Introduction {To frame the document.}

Policy Goals/Objectives {Insert the policy's goals as well as its objectives; to convey intent.}

Scope {Define this policy's scope and whom it covers. Which of the seven domains of a typical IT infrastructure are impacted? What elements, IT assets, or organization-owned assets are within this policy's scope?}

Standards {Does this policy point to any hardware, software, or configuration standards? If so, list them here and explain the relationship of this policy to these standards.}

Procedures {In this section, explain how you intend to implement this policy throughout this organization.}

Guidelines {In this section, explain any roadblocks or implementation issues that you must overcome and how you will overcome them per the defined policy guidelines.}

Policy Exceptions {To acknowledge exclusions}

Policy Enforcement Clause {Violation sanctions}

Administrative Notations {Additional information}

Policy Definitions {Glossary of terms}

Version Control {To track Changes}

Answer the following questions:

2. As the IT Security Manager, who would you involve to write this policy?

3. How do you train the employees?

4. How do you measure and enforce the policy?

5. When will this policy be updated?

6. Who will approve the policy?

7. How did you determine the length of the policy?

Please justify the length of your policy.

8. Why must an organization have an acceptable use

policy (AUP) even for non-employees, such as

contractors, consultants, and other third parties?

9. What security controls can be deployed to monitor

and mitigate users from accessing external websites that

are potentially in violation of an AUP?

10. What security controls can be deployed to monitor

and mitigate users from accessing external webmail

systems and services (that is, Hotmail, Gmail, Yahoo,

etc.)?

11. Please cite your sources