Uploaded by nimtinh2000

LAB 1

Draft an Organization-Wide Security Management Policy for Acceptable Use
Course: IAP301
Semester: SU24
Class: IA1701
Name: Dương Thành Lộc
Roll number: SE171551

Overview
In this lab, you are to create an organization-wide acceptable use policy (AUP) that follows a recent compliance law for a mock organization. Here is your scenario:
- Regional FPT Credit union/bank with multiple branches and locations throughout the region
- Online banking and use of the Internet are a strength of your bank, given its limited human resources
- The organization wants to monitor and control the use of the Internet by implementing content filtering
- The organization wants to eliminate personal use of organization-owned IT assets and systems
- The organization wants to eliminate use of social media (e.g. Facebook, Twitter, …) and non-business-related instant messaging (e.g. Zalo, Facebook Messenger, …)
- The organization wants to monitor and control the use of the e-mail system by implementing e-mail security controls
- The organization wants to monitor and control the use of the printing system
- The organization wants to implement this policy and incorporate it into annual security awareness training
Instructions
Create an Acceptable Use Policy for FPT Credit union/bank according to the following template.

FPT Credit union/bank
Security Management Policy
Policy Statement
It is the policy of FPT Credit Union/Bank to ensure the responsible use of information technology (IT) assets and systems to maintain security, confidentiality, and compliance with relevant laws and regulations.
Purpose/Objectives
- To establish guidelines and restrictions for the appropriate use of IT assets and systems.
- To ensure the security and integrity of FPT Credit Union/Bank's data and network infrastructure.
- To promote a culture of compliance and awareness regarding IT usage and security.
Scope
This policy applies to all employees, contractors, and third-party users who have access to FPT Credit Union/Bank's IT assets and systems. It impacts the following domains of the IT infrastructure:
- User Domain: Employees, contractors, and third-party users
- Workstation Domain: Computers and mobile devices owned or used by the organization
- LAN Domain: Network infrastructure within FPT Credit Union/Bank's premises
- WAN Domain: Internet connectivity utilized by the organization
- Communications Domain: Email and instant messaging systems
- Information Domain: Data stored and transmitted through organization-owned IT assets
- Printing Domain: Printing systems utilized within the organization
Standards
This policy aligns with the following hardware, software, and configuration standards:
- Content filtering software/hardware to control Internet access and enforce usage policies.
- Email security controls to monitor and protect organization email systems.
- Printing management software to monitor and control printing activities.
Procedures
1. Implementation of Content Filtering:
a. Procure and implement content filtering software/hardware to monitor and control access to inappropriate websites.
b. Regularly update and maintain content filtering rules to ensure effectiveness and compliance with policies.
2. Enforcement of Personal Use Restrictions:
a. Communicate the policy on personal use of organization-owned IT assets to all employees through security awareness training.
b. Implement monitoring measures to detect and deter personal use of IT assets, including periodic audits and usage reports.
3. Restriction of Social Media and Non-Business-Related Instant Messaging:
a. Block access to social media platforms (e.g., Facebook, Twitter) and non-business-related instant messaging applications (e.g., Zalo, Facebook Messenger) on organization-owned devices and networks.
b. Provide secure alternative communication channels for business-related instant messaging needs.
4. Implementation of Email Security Controls:
a. Deploy email security solutions to monitor and control the use of the organization's email system.
b. Train employees to identify and report suspicious emails (e.g., phishing attempts) to mitigate security risks.
5. Management of Printing Systems:
a. Implement printing management software to monitor and control printing activities, including quota management and job tracking.
b. Educate employees on responsible printing practices to minimize waste and reduce costs.
Guidelines
- Roadblocks or implementation issues may arise due to resistance from employees accustomed to unrestricted IT usage. To overcome this, clear communication emphasizing the importance of security and compliance will be provided.
- Training sessions will be conducted to educate employees on the rationale behind the policy and its implications for organizational security and compliance.
- Regular reminders and updates regarding the policy will be disseminated to reinforce adherence and address any emerging concerns or challenges.
Note: Your policy document should not be more than 3 pages long.
