Lone Star Credit Union: A Separation of Duties Case Project

Create a security management policy that addresses the management and the separation of duties throughout the seven domains of a typical IT infrastructure for Lone Star Credit Union.

Lone Star Credit Union

Employee I.T. Security Policy

Policy Statement

Lone Star’s intention in publishing an Employee I.T. Security Policy is to clearly establish the Credit Union’s posture on the use of IT assets and infrastructure across the seven IT domains. Online banking and use of the Internet are the Credit Union’s strengths, and it is the responsibility of every employee of Lone Star who uses IT infrastructure in any capacity to know and adhere to this policy and to conduct their activities accordingly.

Purpose

The purpose of this policy is to identify the seven domains of IT infrastructure, establish separation of duties within and across them, and ensure compliance with the Gramm-Leach-Bliley Act (GLBA).

Scope

The policy covers the seven domains of IT infrastructure, all of their equipment, hardware, and software, all processes, functions, and tasks involving them, and the employees handling them, in each of the branches of Lone Star. The seven domains are identified as the User Domain, Workstation Domain, LAN Domain, LAN-to-WAN Domain, WAN Domain, Remote Access Domain, and System/Application Domain.

Related Standards and Policies

  • Acceptable Use Policy
  • Initial Configuration and System Hardening Policy
  • GLBA Compliance Policy
  • Provisioning and Access Management Policy


User Domain

  • All employees will undergo the mandatory security awareness training, and any other training as required
  • All employees will set passwords and use them in accordance with the Password Policy
  • All employees will adhere to the Clean Desk Policy
  • No employee will share passwords, collude, or perform any activity that violates the controls implementing the principle of separation of duties
  • No employee will log in as anyone but themselves
  • All employees will use IT services and infrastructure for official purposes only, and not for any personal use
  • All employees understand that all assets and infrastructure belong to Lone Star and that their activities may be monitored to check for policy compliance

Workstation Domain

  • All laptops and desktops will have the enterprise antivirus installed
  • All laptops and desktops will be hardened
  • All laptops and desktops will be used from standard (non-administrative) local user accounts, not administrator accounts
  • All laptops and desktops will be screen-locked whenever the employee steps away from them

LAN Domain

  • All routers, printers, and other network devices will be hardened
  • All access points must be approved before being set up
  • All endpoint and LAN devices will be monitored, patched, and checked for health by the NAC (Network Access Control) system
  • Email servers will be configured with spam filters
  • Emails will be monitored in accordance with the Data Loss Prevention Policy and the Acceptable Use Policy
  • The IDS sensors on the LAN will be regularly monitored, checked for trends, and their logs analyzed, in accordance with the IDS Policy
  • The access control lists on the internal firewall will be changed only through the Change Management System

LAN-to-WAN Domain

  • Content filtering and URL filtering rules will be set on the perimeter defense devices
  • Pornography sites, gambling sites, peer-to-peer network links, the dark web, anonymizers, and proxy connections will be blocked
  • All attempts to connect to blocked sites will be logged and reported
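The three LAN-to-WAN controls above (category rules on the perimeter device, the blocked categories, and logging plus reporting of every blocked attempt) can be modelled as a small filter. The following is an added example for this document, not Lone Star's perimeter configuration: the category-to-domain mapping, the `.test` sample domains, the user names and the log format are all constructed, and the `.onion` suffix rule is used here as a stand-in for "dark web" blocking.

```python
"""URL filtering with logging and per-user reporting of blocked attempts.

Added example modelling the LAN-to-WAN Domain controls; the categories come
from the policy text, the sample domains and users are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Blocked categories named in the policy, mapped to constructed sample domains.
# Matching is on the host and every parent domain, so "www.casino-example.test"
# is caught by the "casino-example.test" entry. "onion" covers Tor hidden services.
BLOCKED_CATEGORIES: Dict[str, Set[str]] = {
    "pornography": {"adult-example.test"},
    "gambling": {"casino-example.test"},
    "peer-to-peer": {"torrents-example.test"},
    "dark-web": {"onion"},
    "anonymizer-proxy": {"freeproxy-example.test", "anon-example.test"},
}


@dataclass
class PerimeterFilter:
    blocked_log: List[dict] = field(default_factory=list)  # every blocked attempt

    @staticmethod
    def hostname(url: str) -> Optional[str]:
        """Extract a lower-cased host, tolerating missing schemes and ports."""
        if "//" not in url:
            url = "//" + url          # lets urlsplit treat the prefix as a netloc
        return urlsplit(url).hostname  # strips port and userinfo, lower-cases

    @staticmethod
    def categorize(host: str) -> Optional[str]:
        """Return the blocked category of the host or any parent domain, else None."""
        labels = host.rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            for category, domains in BLOCKED_CATEGORIES.items():
                if candidate in domains:
                    return category
        return None

    def check(self, user: str, url: str) -> Tuple[bool, Optional[str]]:
        """Decide (allowed, category); blocked and unparseable requests are logged.

        Unparseable requests fail closed: a perimeter rule that cannot classify
        a destination should not let it through silently.
        """
        host = self.hostname(url)
        category = "unparseable" if not host else self.categorize(host)
        if category is None:
            return True, None
        self.blocked_log.append({"user": user, "url": url,
                                 "host": host, "category": category})
        return False, category

    def report(self) -> Dict[str, Counter]:
        """Summaries for the reporting requirement: blocked attempts per user and category."""
        return {
            "by_user": Counter(e["user"] for e in self.blocked_log),
            "by_category": Counter(e["category"] for e in self.blocked_log),
        }


# Constructed sample traffic: (user, requested URL).
SAMPLE_REQUESTS = [
    ("t.ramirez", "https://www.casino-example.test/slots"),
    ("t.ramirez", "http://lonestar-intranet.test/"),
    ("j.chen", "https://abcdefghij.onion/"),
    ("j.chen", "anon-example.test:8080/connect"),
    ("j.chen", "https://news.example.test/"),
]


def run_scenario() -> Tuple[PerimeterFilter, List[Tuple[bool, Optional[str]]]]:
    """Run the sample traffic through the filter and return it with the decisions."""
    pf = PerimeterFilter()
    decisions = [pf.check(user, url) for user, url in SAMPLE_REQUESTS]
    return pf, decisions


if __name__ == "__main__":
    pf, decisions = run_scenario()
    for (user, url), (allowed, category) in zip(SAMPLE_REQUESTS, decisions):
        print(f"{user:<10} {'ALLOW' if allowed else 'BLOCK':<5} {category or '-':<16} {url}")
    print(pf.report())
```

The parent-domain walk is what makes the rule list manageable: one entry per blocked domain covers all of its subdomains, and the report gives the audit team the per-user view the logging requirement is meant to support.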

WAN Domain

  • All connections will be routed through the external firewall
  • Firewall logs will be monitored

Remote Access Domain

  • All remote connections will be routed through the company-provided VPN
  • The VPN servers will be updated and patched in accordance with the Patch Management policy
  • The VPN logs will be monitored

System/Application Domain

  • All software and operating systems on the network will be patched in accordance with the Patch Management Policy
  • All systems will be hardened before use
  • All default passwords and configurations will be changed

Separation of Duties

  • Each domain will have two super administrators. Function-specific administrators will sit one level below them
  • The super administrators will be responsible for the creation and deletion of other admins
  • All other tasks will be conducted by the specific admin roles (network admin, application admin, security admin, etc.), as required by the job function
  • All changes to configurations will go through the change management process
  • All access and change logs will be maintained
  • All admins and employees will allow their activities to be monitored by the internal audit team
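The administrative model above (two super administrators per domain who only create and delete admins, function-specific admins who do the actual work, configuration changes gated on change management, and an access and change log for every decision) lends itself to a policy-as-code check. What follows is an added example, not Lone Star's tooling: the role names, action names and the `CHG-` ticket identifiers are assumptions, and the rule that a super administrator may not also hold a function role is an assumed reading of "all other tasks will be conducted by the specific admin roles".

```python
"""Policy-as-code model of the administrative separation of duties.

Added example for this document, not Lone Star's own system. Role names,
action names, user names and change-ticket identifiers are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Actions the policy reserves for the two super administrators of a domain.
SUPER_ADMIN_ACTIONS = {"create_admin", "delete_admin"}

# Assumed mapping of function-specific admin roles to the actions they may perform.
ROLE_ACTIONS: Dict[str, Set[str]] = {
    "network_admin": {"change_firewall_acl", "change_router_config"},
    "application_admin": {"deploy_application", "change_app_config"},
    "security_admin": {"tune_ids_rules", "review_logs"},
}

# Actions that alter configuration and therefore need an approved change ticket.
CONFIG_CHANGE_ACTIONS = {"change_firewall_acl", "change_router_config",
                         "change_app_config", "tune_ids_rules"}


@dataclass
class Domain:
    name: str
    super_admins: Set[str] = field(default_factory=set)
    role_members: Dict[str, Set[str]] = field(default_factory=dict)
    approved_tickets: Set[str] = field(default_factory=set)  # from change management
    audit_log: List[dict] = field(default_factory=list)      # access and change log

    def add_super_admin(self, user: str) -> None:
        """Enforce 'two super administrators per domain' and (assumed SoD rule)
        keep account managers out of the function roles they provision."""
        if len(self.super_admins) >= 2:
            raise ValueError(f"{self.name}: already has two super administrators")
        if any(user in members for members in self.role_members.values()):
            raise ValueError(f"{user} holds a function role and cannot be a super admin")
        self.super_admins.add(user)

    def evaluate(self, actor: str, action: str,
                 change_ticket: Optional[str] = None) -> Tuple[bool, str]:
        """Decide whether actor may perform action. Every decision, allowed
        or denied, is appended to the audit log."""
        roles = [r for r, members in self.role_members.items() if actor in members]
        if action in SUPER_ADMIN_ACTIONS:
            if actor in self.super_admins:
                allowed, reason = True, "super administrator"
            else:
                allowed, reason = False, "only super administrators create or delete admins"
        elif actor in self.super_admins:
            allowed, reason = False, "super administrators do not perform function tasks"
        elif not any(action in ROLE_ACTIONS.get(r, set()) for r in roles):
            allowed, reason = False, f"no role held by {actor} permits {action}"
        elif action in CONFIG_CHANGE_ACTIONS and change_ticket not in self.approved_tickets:
            allowed, reason = False, "configuration change lacks an approved change ticket"
        else:
            allowed, reason = True, "permitted by role"
        self.audit_log.append({"domain": self.name, "actor": actor, "action": action,
                               "ticket": change_ticket, "allowed": allowed, "reason": reason})
        return allowed, reason

    def create_admin(self, actor: str, role: str, user: str) -> bool:
        """Provision a function-specific admin; only a super administrator may do so."""
        allowed, _ = self.evaluate(actor, "create_admin")
        if allowed:
            self.role_members.setdefault(role, set()).add(user)
        return allowed


def run_scenario() -> Domain:
    """Walk a constructed LAN domain through the policy and return it for inspection."""
    lan = Domain("LAN")
    lan.add_super_admin("sa.alice")
    lan.add_super_admin("sa.bob")
    lan.approved_tickets.add("CHG-0001")                          # constructed ticket
    lan.create_admin("sa.alice", "network_admin", "net.carol")     # allowed
    lan.create_admin("net.carol", "network_admin", "net.dave")     # denied: not a super admin
    lan.evaluate("net.carol", "change_firewall_acl")               # denied: no change ticket
    lan.evaluate("net.carol", "change_firewall_acl", "CHG-0001")  # allowed
    lan.evaluate("sa.alice", "change_firewall_acl", "CHG-0001")   # denied: SoD
    return lan


if __name__ == "__main__":
    for entry in run_scenario().audit_log:
        print(entry)
```

The value of writing the policy this way is that every bullet above becomes a single testable branch: the two-per-domain limit and the no-dual-role rule live in `add_super_admin`, the change-management gate is the `CONFIG_CHANGE_ACTIONS` check, and the audit log is populated by the decision itself rather than by a separate step that could be skipped.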