User Domain Policies
Modes of Learning
For this module, the following modes of learning will be used:
• Textbook Readings
Learning Outcomes
Upon completion of this module, you will be able to:
1. List the different types of users and the threats that they pose
2. Describe the different types of social engineering attacks
3. Explain the different types of user security policies
4. Describe the essential elements of a security awareness program
Key Terms and Concepts
Listed below are some important key terms and concepts within this module.
• Insider Threat
• Social Engineering
• Acceptable Use Policies
• Privileged-Level-Access Agreement
Different Types of Users
Users can be categorized in many different ways. One way is to associate them with functional
roles and create security policies based on these roles.
• End-users: These are the regular employees of the company. They typically have
unique information needs defined by their department and line of business. It is
important to note that even junior employees such as help desk personnel often have
access to confidential customer data, so this group requires just as much care in policy
creation as any other group.
• Privileged Entities: Certain classes of users have special privileges. They are referred
to as privileged entities because they have the power to cause major damage to a
system. Examples include system administrators, operators, database
administrators, and corporate security personnel. Because of their privileged status,
controls must be strictly enforced on them and their activity logged and reviewed.
• Executive Management: The executive management class is much like the privileged
entities class except in this case their access to information and the power to bypass
controls is much greater.
• Contractors: This group includes temporary staff who are directly managed by
the organization. At a minimum, contractors must follow the same security policies as
regular employees. Where they perform sensitive roles, even
stricter controls are required because they are perceived as having less loyalty to the
organization. In all cases, a service level agreement and tighter log review are required.
Examples of sensitive roles that are typically contracted out include:
o Auditor
o Penetration tester
o Software developer
o Network support engineer
• Vendors: Vendors are outside companies or individuals who provide ongoing services
to the organization. They include hardware suppliers with support contracts, penetration
testing firms, software development firms, and network support providers. In all cases, due
diligence and due care must be exercised to ensure competence and that their security
policies are equivalent to your own organization’s policies. A service level agreement is a must.
• Business Partners: Business partners may have different security policies than your
organization, so the access granted to them must be scoped and reviewed accordingly. In
today’s business environment, a partner today may well become a competitor tomorrow.
• Guests and General Public: This is a highly problematic group for the security policy
writer. Members of the general public class include competitors and hackers as well as
legitimate customers. A well-written policy must protect the organization without
interfering with the customer experience.
The Weakest Link
Security professionals consider people the weakest link in the security chain. Although
people have an advantage over automated controls where discriminating judgement is
required, they are prone to error, easily distracted, and vulnerable to social engineering.
Human Error
It was Alexander Pope, the 18th century English poet, who wrote, “To err is human…”
Carelessness, fatigue, and lack of knowledge have all at one time or another contributed to
major IT service outages.
In 2012, 12 million customers of the Royal Bank of Scotland (RBS), NatWest, and Ulster
Bank could not access their accounts for a week. An untested software upgrade procedure
was acknowledged as the cause of the outage.
Proper change management, including testing and a rehearsed back-out plan, would have
increased the likelihood of a successful outcome. One result of the service outage was that
RBS’s regulator, the Financial Conduct Authority (FCA), fined them £42m (approximately C$71m).
In 2013, some of Canada’s biggest banks were hit by a nation-wide VISA outage. The problem
was caused by a data centre power failure at payment processor TSYS. Although the reason
for the power failure was never made public, the event indicated inadequate risk
planning on TSYS’s part.
Social Engineering
Social engineering, in the vernacular, means an attempt to influence the actions or behaviour of
another person. In security, the term has a more specific meaning: social engineering is the
manipulation of human nature with the ultimate goal of breaking down some aspect of security
protection.
Organizations are targeted through social engineering because it is often an easier way to
breach security than technical means. Kevin Mitnick, who spent five years in prison for
computer fraud, attributes much of his success as a hacker to social engineering skills.
Social engineering comes in many different forms but can broadly be categorized into the
following types:
• Herd Mentality Principle: Social scientists refer to the strong social pressure to act like
other members of your peer group as normative social influence. An attacker exploits it
by claiming that “everyone else has already done it”.
• Authority Principle: Blind trust in authority. Research has shown that people take only
a tenth of a second to form a first impression of someone. Titles (“Dr”, “PhD”, “CEO”),
clothing (expensive suits, religious robes), and accessories (a Mercedes-Benz and a
Rolex are indicators of a successful business person; a badge and a gun are indicators of
a law enforcement officer) can subconsciously trigger compliance.
• Consistency Principle: People tend to act consistently with their earlier statements and
commitments; once a target has agreed to a small request, they are more likely to comply
with a larger one.
• Lack of Time Principle: People can be fooled by convincing them that there is no time to
check; they must act now.
• Distraction Principle: Sometimes referred to as the “10” attack, after the 1979 movie of
that name with Bo Derek and Dudley Moore: an attractive accomplice diverts the target’s
attention while the attack takes place.
• Innate Kindness Principle: We like to be kind and helpful to others, and attackers exploit
our reluctance to refuse a request.
• Innate Dishonesty Principle: Some social scientists think we are dishonest at heart.
You may not lie to steal $1,000, but what if it is for a share of a $50M lottery jackpot, and
you know you can get away with it?
Personnel Controls
No complex system can be secured 100%. But we can limit the damage users can do through
personnel controls. Personnel risk management starts at the time of hiring. Employment
history and qualifications should be checked to verify the candidate’s trustworthiness, integrity
and reliability.
Once hired, the employee’s identity and access rights must be managed throughout their
career and removed promptly when they leave or change roles. Security policies that deal
with personnel security controls ensure this is properly done.
Here is a list of personnel controls that every organization should have:
• Separation of Duty: Tasks associated with sensitive processes must be distributed
among several individuals so that no one person can complete the process alone. The
expectation is that another individual involved in the process will identify or prevent a
processing error or fraud, so that committing fraud requires collusion.
• Job Rotation: Employees in sensitive job functions should be required to change roles
on a regular basis. This helps in two ways: it limits how long an employee can continue
fraudulent activity, and the new employee stepping into the job acts as a fraud
detection tool.
• Mandatory Vacations: Like job rotation, a mandatory vacation is both a fraud deterrent
and a detection tool, because someone else must perform the absent employee’s duties.
• Need to Know: Individuals should only have the minimum amount of information required
to perform their job.
• Principle of Least Privilege: Individuals should only have the minimum access rights
required to perform their job.
• Non-disclosure Agreement: Individuals handling sensitive corporate information
should be required to sign a Non-Disclosure Agreement (NDA).
• Acceptable Use Policies: Acceptable Use Policies are documents that summarize
security policies and highlight key security responsibilities for employees.
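Separation of duty and least privilege are the two controls above that can be enforced mechanically rather than by procedure alone. The following Python script is an added example, not part of the module or any named product: it models a payment-approval workflow in which roles carry only the permissions they need (least privilege), a single account may not hold both the clerk and approver roles (static separation of duty), and the person who submitted a payment can never approve it, even after a job rotation has moved them into the approver role (dynamic separation of duty). The roles, users and amounts are constructed for illustration.

```python
"""Least privilege and separation of duty enforced in code (illustrative example).

Roles, users, permissions and amounts below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


class PolicyViolation(Exception):
    """Raised when an action would break a personnel control."""


# Least privilege: each role carries only the permissions its job needs.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "clerk": {"payment:submit"},
    "approver": {"payment:approve"},
    "auditor": {"payment:read_log"},
}

# Static separation of duty: no single account may hold both of these roles.
CONFLICTING_ROLE_PAIRS = {frozenset({"clerk", "approver"})}


@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)

    def permissions(self) -> Set[str]:
        perms: Set[str] = set()
        for role in self.roles:
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms


@dataclass
class Payment:
    amount: int
    submitted_by: Optional[str] = None
    approved_by: Optional[str] = None
    log: List[str] = field(default_factory=list)


def assign_role(user: User, role: str) -> None:
    """Grant a role, refusing combinations that defeat separation of duty."""
    if role not in ROLE_PERMISSIONS:
        raise PolicyViolation(f"unknown role {role!r}")
    for existing in user.roles:
        if frozenset({existing, role}) in CONFLICTING_ROLE_PAIRS:
            raise PolicyViolation(f"{user.name} may not hold both {existing!r} and {role!r}")
    user.roles.add(role)


def revoke_role(user: User, role: str) -> None:
    user.roles.discard(role)


def require(user: User, permission: str) -> None:
    if permission not in user.permissions():
        raise PolicyViolation(f"{user.name} lacks permission {permission!r}")


def submit_payment(user: User, payment: Payment) -> None:
    require(user, "payment:submit")
    payment.submitted_by = user.name
    payment.log.append(f"submitted by {user.name}")


def approve_payment(user: User, payment: Payment) -> None:
    require(user, "payment:approve")
    if payment.submitted_by is None:
        raise PolicyViolation("payment has not been submitted")
    # Dynamic separation of duty: the submitter can never approve their own
    # request, whatever roles they hold at approval time.
    if payment.submitted_by == user.name:
        raise PolicyViolation(f"{user.name} cannot approve a payment they submitted")
    payment.approved_by = user.name
    payment.log.append(f"approved by {user.name}")


def read_log(user: User, payment: Payment) -> List[str]:
    require(user, "payment:read_log")
    return list(payment.log)


def demo() -> Dict[str, bool]:
    """Walk the workflow and report which control stopped each misuse."""
    alice, bob, carol = User("alice"), User("bob"), User("carol")
    assign_role(alice, "clerk")
    assign_role(bob, "approver")
    assign_role(carol, "auditor")
    results: Dict[str, bool] = {}

    # Static SoD: a clerk cannot also be made an approver.
    try:
        assign_role(alice, "approver")
        results["static_sod_blocked"] = False
    except PolicyViolation:
        results["static_sod_blocked"] = True

    payment = Payment(amount=25_000)
    submit_payment(alice, payment)

    # Least privilege: a clerk has no approve permission at all.
    try:
        approve_payment(alice, payment)
        results["least_privilege_blocked"] = False
    except PolicyViolation:
        results["least_privilege_blocked"] = True

    # Job rotation: alice moves from clerk to approver, but dynamic SoD still
    # stops her approving the request she submitted while a clerk.
    revoke_role(alice, "clerk")
    assign_role(alice, "approver")
    try:
        approve_payment(alice, payment)
        results["dynamic_sod_blocked"] = False
    except PolicyViolation:
        results["dynamic_sod_blocked"] = True

    approve_payment(bob, payment)
    results["two_person_approval"] = payment.approved_by == "bob"
    results["auditor_can_read_log"] = len(read_log(carol, payment)) == 2
    return results


if __name__ == "__main__":
    for control, fired in demo().items():
        print(f"{control}: {fired}")
```

The point worth noticing is that the least-privilege check alone is not enough: after the job rotation alice legitimately holds the approve permission, and only the dynamic separation-of-duty check on the payment’s own history stops her from approving her earlier submission. In a real system that history would come from an append-only audit log rather than an in-memory object.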
Acceptable Use Policies
Acceptable Use Policies (AUP) set clear expectations and define acceptable behaviour for
employees using corporate IT resources. An AUP is an agreement, typically signed by every
employee, contractor or vendor with access to network resources, to abide by the information
security policies that it summarizes.
Issues addressed in an Acceptable Use Policy include:
• Aligning the use of corporate IT resources with corporate policy and ethical values.
• Establishing that employees are responsible and accountable for all actions that they
take while using IT resources.
• Required security practices.
• Use of the Internet for legitimate business reasons only.
• Proper use of e-mail.
• User telecommuter agreement.
• Notification that use of IT resources is, or may be, subject to monitoring.
• Restrictions relating to intellectual property rights and the prohibition of illegal copying of
licensed software.
• Restrictions regarding the downloading of files (including images, audio and video)
unless there is an explicit business-related need.
• Restrictions relating to the use of computers for entertainment.
• Protection of computer software and hardware from malware and unauthorized access.
• Identification and authentication of users.
A successful AUP will be a concise summary of the associated security policies written in plain
language. Since it will be one of the first documents that an employee will see, it should follow
an informational style of language. The key is to get the point across in a way that grabs the
reader’s attention.
Here are some questions you can ask yourself to guide you in drafting an AUP:
• Who are the owners of the policy? The owners will be responsible for keeping the policy
up-to-date.
• Are technical or legal terms used and are they really necessary? If so, are the definitions
clearly presented so they can be understood by a layperson?
• Is the language too informal? It can send the wrong message and the AUP document
will not be taken seriously.
• Have scenarios been documented to clarify ambiguous situations for the key policy
issues? For example, you receive a politically sensitive joke in an email that you
think is hilarious and are considering forwarding it to the rest of your team mates. Provide
examples of situations to help the employee relate the policy to real life situations.
• Will you be actively or passively monitoring for non-compliance? Be honest and provide
up-front notice to the employee if you will be monitoring. There may not be a choice for
organizations operating internationally; there might be a legal obligation for full
disclosure of monitoring and data collection.
• Are the consequences for policy non-compliance clear and just as importantly, capable
of being enforced? Ensure that the consequences are in line with the seriousness of the
policy violation.
• What sort of training package is required to support this AUP? Online training videos are
frequently the preferred method due to two perceived advantages: employees can take
the training at their convenience and training completion can be automatically
recorded. However, do not rely on a single mode of communication; an effective training
package will include newsletters, posters, and even unannounced simulated phishing
attacks.
• Are any collective agreements impacted? Sensitive areas include monitoring and non-
compliance penalties.
• Does it require an annual sign-off by the employee?
The Privileged-Level Access Agreement (PAA)
A Privileged-Level Access Agreement is useful in heightening the security awareness of
privileged entities and explicitly having them acknowledge that they have additional
responsibilities over and above regular employees.
Here are examples of statements outlining responsibilities that can be included in a PAA form
for a systems administrator.
• Preparing and maintaining security procedures in accordance with Corporate security
policies to implement access control, backup and disaster recovery mechanisms and
continuous operation in case of power outages.
• Taking reasonable precautions to guard against corruption, compromise or destruction
of Corporate computer and network resources. The precautions expected of, and the
actions authorized for, system administrators go beyond those of ordinary system users.
• System administrators may conduct security scans of systems which they directly
administer. However, they may not conduct security scans for any other system or
network.
• System administrators may also intercept or inspect information en route through a
network, but only information originating from or destined for systems for which they
have direct administrative responsibility and only for purposes of diagnosing system or
network problems. Exceptions must be authorized by the Information Technology
Security Group in accordance with this policy.
• Treating the files of system users as private. It is recognized that a system administrator
may have incidental contact with system user files, including electronic mail, in the
course of his or her duties. The contents of such files must be kept private. Deliberate
access to system user files is authorized only in the event of a suspected security
breach, if essential to maintain the system(s) or network(s) for which the system
administrator has direct administrative responsibility, or if requested by or coordinated
with the system user. Law enforcement access to system and/or user files must be by
properly filed subpoena or search warrant only.
• Ensuring that the Company’s network addresses are assigned to those entities or
organizations that are part of the corporation’s network. System administrators must not
assign network addresses to non-corporate entities or organizations. System
administrators may in some cases provide Domain Name Service for non-corporate
computer and network resources, but only with the approval of Corporate IT Services.
• Limiting access to root or privileged supervisory accounts. In general, only system
administrators should have access to such accounts. System users should generally not
be given unrestricted access to root or privileged supervisory accounts. As with all
accounts, authorization for root or privileged supervisory accounts must be approved in
accordance with corporate policies.
Security Awareness Program
Security awareness programs, when properly executed, provide knowledge and promote an
attitude that instills a security culture.
Security awareness programs have three main purposes:
• Help employees understand their roles and responsibilities as they relate to the
organization’s IT security objectives.
• Make known the location of the organization’s IT security policy, procedures, and
practices and encourage employees to refer to them as necessary.
• Help employees understand the organization’s IT security policy, procedures, and
practices and be competent with the various supporting management, operational, and
technical controls that fall within their responsibilities.
Each level of the organization will require a slightly different focus on awareness training based
on their responsibilities. For example, a regular user will need basic security training whereas an
executive will need to be familiar with regulatory requirements.
Training Strategy
There are several critical success factors: C-level support, partnership with key departments,
and metrics.
Focus on obtaining strong C-level support before anything else. Executive support can lead to
larger budgets, more freedom to run a diverse campaign, and support from other departments.
Obtain senior management’s support by highlighting that security awareness is required for
compliance and that awareness efforts provide a return on investment by reducing risk and
so saving the company money.
Partner with key departments like Legal, Regulatory and Compliance, and Human Resources.
Their support will carry a lot of weight; you can leverage their influence to obtain cooperation
from the other business unit leaders and their management team.
It is reasonable to mandate that awareness training be required for anyone with access to
company computers and networks. All departments should not only set aside time for security
awareness training, they should actively encourage it.
To drive completion, the mandatory training courses can be incorporated into the annual
performance review discussion between employees and their managers. Human
Resources should keep a record of completed training courses as well as all documents signed
by the employee acknowledging acceptance of policies.
Summary
In this module you have learned:
1. The different types of users and the threats that they pose
2. Social engineering attacks
3. The different types of user security policies
4. The essential elements of a security awareness program
Knowledge Check
The following questions provide an opportunity for you to see what you remember and
understand so far. Answer the questions to the best of your ability.
Questions
1. What is the main success factor for a security awareness campaign?
A. Policies customized to the target groups
B. Active management support
C. Frequent security awareness training
D. Automatic logging for compliance
2. Robert is the system administrator for a data centre. One morning, somebody knocks on
the door and shows Robert a copy of the Letter of Engagement for Audit and asks to be
let in. Robert was not notified of an audit. What is this an example of?
A. Need to know
B. Company demonstrating due care
C. Insider threat
D. Authority principle
3. What is the purpose of a PAA?
A. To heighten the security awareness of privileged entities
B. To limit the powers of privileged entities
C. To explain specific procedures not mentioned in the general security policies
D. To define and explain the role of a privileged entity
4. Why do contractors pose more of a security risk than regular employees?
A. Contractors generally work from home unsupervised
B. Contractors generally have no security awareness training
C. Contractors are perceived as having no loyalty to the organization
D. Contractors are not as familiar with the corporate network as the regular employees
5. Denise has been tasked to prepare an AUP for employee email. What should she do to
ensure employees will read and follow the AUP?
A. Write it in an informational style with clear simple wording
B. Provide notice that the employee will be terminated if the rules are not followed
C. Advise employees that their email will be inspected for security policy violations
D. Have the employees sign the AUP form as proof that they read and understood the
policy
Answers
1. B. Active management support
2. D. Authority principle
3. A. To heighten the security awareness of privileged entities
4. C. Contractors are perceived as having no loyalty to the organization
5. A. Write it in an informational style with clear simple wording
End of Module
You have completed User Domain Policies.
Remember to check the timeline before you proceed to the next module to ensure you have
completed any assignments as required. Check with your instructor if you have any questions.