Three affected domains include the User Domain, the Workstation Domain, and the Remote Access Domain.
In the User Domain, users have access to systems, applications, and data. Users are also responsible for the proper use of these assets and must be verified through a background check before they are allowed to use them. Users may be unaware of classification standards, be against them, and may violate them, which makes the User Domain the weakest link in an IT infrastructure: it offers the biggest risk, presents the biggest threat, and is the most vulnerable. Users can be the number one source of data leakage in an organization. In order to secure this domain, user access must be defined and an Acceptable Use Policy (AUP) must be implemented. An AUP defines what a user can and cannot do (Kim, David, and Michael 2010, 15). Violation of the AUP can be grounds for dismissal. Lastly, within the User Domain, organizations may require staff, contractors, or other third parties to sign an agreement to keep information confidential (Kim, David, and Michael 2010, 15).
The Workstation Domain is where users first connect to the IT infrastructure. A workstation can be a desktop computer, laptop computer, or any other network-enabled device that connects to your network. Within this domain, user access controls must be implemented and applied to systems, applications, and data to restrict or control the level of access for users. IT security can enable password protection on workstations, set lockout times for periods of inactivity, and disable the use of personal devices such as USB thumb drives, smartphones, or any device with flash storage. The director of IT security can also implement annual security awareness training for all employees.
The Remote Access Domain connects remote users to the organization’s IT infrastructure. Company data and information must be secure at the source, at the destination, and during transmission. Remote access allows employees to work from home or in the field by connecting to the IT systems through a smartphone, tablet, PDA, laptop computer, or any other network-enabled device to access company data. These types of devices must be company-issued devices with up-to-date firmware updates, operating system software, and patches. In case of a lost or stolen device, devices are required to be password protected and set up for remote data wipe according to company policy. Also, laptop VPN client software is required to meet the company's needs and must be compatible with company software.
Hypertext Transfer Protocol Secure (HTTPS) is to be used for data encryption between the VPN client and the VPN router or firewall. Secure Sockets Layer (SSL) for the VPN web server is required for 128-bit encryption between an HTTPS web page and web browser.