SlideShare a Scribd company logo

Information Security Awareness Training Open

Download as PPTX, PDF
F
Fred Beck MBA, CPA

This document provides an overview and objectives for an information security awareness training. It covers topics like electronic communication, email viruses, phishing, internet usage, social networking, password management, and physical security. The training aims to help users understand cybersecurity threats, how to safely use technology, and their role in protecting company information assets. It emphasizes the importance of having strong, unique passwords and avoiding opening attachments or clicking links from unknown sources.

1 of 44
Downloaded 331 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
Most read
30
31
32
33
34
35
36
Most read
37
38
39
40
41
42
43
44
Most read
Information Security Awareness Training SECURITY IS EVERYONE'S RESPONSIBILITY
Training Objectives and Overview
Objectives 3 After completing this training, you should be able to: • Understand cyber security threats associated with email and other forms of electronic communications • Learn tips on how to safely maneuver through the internet • Understand why it is important to protect our information assets and your role in the process • Learn how to better secure your computer and data • Understand the importance of passwords and how to create a strong password • Understand how international travel can pose risks to information assets • Locate policies, standards and travel preparation on the Employee Portal
Electronic Communication 4
Electronic Communication • Any Communication (email, instant messaging, text messaging, etc.)sent in support of the corporate business is considered the corporate message and is subject to monitoring. Do not Send: • Anything which could be interpreted as abusive or harassing • Unsolicited advertising or anything that could be interpreted as a scam 5
Electronic Communication-Do’s • Be careful of the information shared outside of the company and its competitive value. • Protect information inside the company by not sharing it with those without a need-to-know. • Use approved “Chat” applications (set up by IT helpdesk) for instant messaging needs. The use of other commercial instant messaging products could allow viruses to infect your computer. • Be mindful of the Information Security Policies and procedures restrictions on information sharing. Improper use of electronic communication in support of the corporate business can put the corporate at risk and is a violation of company policy. 6
Email Viruses Email is the most common source of computer viruses. What can you do to avoid computer viruses? When receiving email from questionable sources: • Do not open attachments. • Do not click on web links. • Do not respond to the email. • If you don’t know the sender or what it concerns, the safest thing to do is delete the email. • Forward the email to mailscam@mailserver.com Even be cautious of email which appears to be from someone you know. The email could have been forwarded from a questionable or unknown email address. Be certain of the source before you click on a link. 7
Email • Email is inherently unsafe because it is the easiest way for someone to breach the system and to trick you. • Do not forward any confidential company email outside of the corporate policy (i.e., personal email accounts , etc.). • If your job requires you to email confidential information to outside parties, including personal information, use the e-mail policy for the policy, Secure Email*. *encrypt-to convert or scramble computer data and messages into something incomprehensible. 8
Spam • Spam is unsolicited email ( junk email). It may be targeted to a certain group or a mass mailing. • the corporate e-mail spam service blocks millions of spam email everyday; however some do manage to get through. • For the majority of cases, delete the spam. • If you feel someone should be alerted , call the help desk or forward the email to mailscam@corporate.com 9
Phishing Phishing is a type of cyber attack involving forged emails and websites. Typically, an email is sent with a disturbing message such as “Your bank account has been suspended” and includes a website link or an attachment. The website link looks like a viable website, such as a financial institution, but is actually the hacker’s website. To avoid being caught by a phishing email, individuals should: • Contact the business directly. • Be suspicious of any email requesting personal information. • Do not open links or attachments from questionable sources. • Delete the email. 10
Internet Usage 11
Use Good Judgment the corporate monitors internet usage and block certain websites for a variety of reasons. Please be aware that anything you do on the internet can be traced. When accessing the internet from email links use sound judgment. Be extremely wary of emails asking for information or asking you to click a link. If the email states “You’ve got to see this,” ask yourself why. Please use sound judgement when accessing personal web-based email such as Yahoo, Gmail, or other non-the corporate email systems from your the corporate Computer. 12
Blocked Website Categories Certain types of websites are blocked from the the corporate network. Some examples include: • Adult/Mature Content • Gambling • Games • Hacking • Personals/Dating • Social Media • Violence/Hate/Racism • Weapons Contact IT for a complete list of Blocked Websites Categories. 13
Malware • Malware is a term for malicious software which is designed to be installed on a computer without the owner’s knowledge. • Spyware is a type of malware which monitors your computer activity and reports this activity back to the owner of the spyware. Spyware can keep track of the websites you visit. • Based on this information, spam or phishing emails can be created by hackers to target your interests or work profession. • Therefore, visiting unfamiliar sites could infect your computer with malware. 14
Caution Before You Click Computers can get infected with malware by simply visiting an infected website. That is why it is very important to be careful when clicking a link in email, search lists, or web pages. Malware can also steal data. This includes personal data such as computer ID’s, passwords, social security and account numbers. To avoid having your identity compromised by malware: • Be careful what internet sites you visit. • Do not open attachments or links from unknown sources. • Don’t download without your managers approval for free software download offers. 15
Social Networking (i.e. Facebook, LinkedIn, Twitter) • Be very careful what information is shared on these sites . Always consider what could be done with this information and the possible impact it may have. • Certain data posted on these sites may allow a targeted email fraud, phishing, or spam attack to be developed. • In addition, the personal information posted may be used in a social engineering attack, where someone masquerades as you or a person close to you. • Access to many social networking sites is blocked from the the corporate network due to the risk of exposure. 16
Public Wireless Access • Public Wireless Internet is available at many locations. It is important to understand when you use these networks you are no longer on a network controlled by either you or the corporate. • Many of the security controls in place at work are not available on a public network. You cannot assume a public network is secure. • Protect company information by ALWAYS using your the corporate secure Virtual Private Network (VPN) connection when accessing a public network. • Always use extreme caution when handling the corporate information. 17
Personal Devices Do not connect personal devices to the corporate network. Examples include: • IPads • Tablets • Wireless camera • Wireless Printers Do not use personal software for company business. • Using personal software for company business violates company license agreements. 18
Data Security 19
Protecting Information • Non-public company information should be protected, both inside and outside the company. • Unauthorized disclosure of company information can put the corporate at risk. We could lose competitive advantage, create legal problems, violate regulatory requirements, or tarnish the image of the company. • Information should only be shared with individuals on a need-to-know basis. the corporate uses access restrictions on File Shares to protect stored information and Secure File Transfer Protocol (SFTP) to securely transfer information. 20
Information Protection Confidential information should never be left unattended in place such as : • Meeting rooms • Fax machines • Printers • Desks • Dry erase boards • Unlocked file cabinets • Unsecured shared drives Dispose of personal or confidential information in a secure manner (i.e., shred, delete data from hard drive according to company guidelines, or incinerate). Use a clean desk approach. Lock up confidential/sensitive papers when you are not using them. 21
File Share Ownership for “Common Drive” Information • Per the corporate policy, File Share owners must be a manager or supervisor. • File Share owners are responsible for all content and access they own. • Ownership roles must be reviewed annually and updated when there is a change in job responsibilities. • Owners should limit access to only those who have a business need to access the information. • Data owners should adhere to the the corporate Information Security Handling and Classification Policy (NO-POL-0026) to ensure content is retained based on regulatory obligations, industry benchmarks and sound business practices. The policy is available on the corporate’s intranet. • Do not store Personally Identifiable Information (PII) on a File Share that is accessible by any employee who does not have a legitimate business purpose for accessing that information. 22
Unauthorized Software • Installing unauthorized software is a violation of company policy that may result in disciplinary action. Software downloaded from the internet can contain vulnerabilities that put the entire association at risk. • the corporate catalogs, tracks, and updates the software contained in the standard computer image for vulnerabilities. However, updates cannot be done for unauthorized software thus putting the association’s at risk. • Software downloaded to share music can often make other files on your computer available for sharing to others and lead to disclosure of sensitive information. • These precautions apply to all the corporate owned devices, including mobile devices (NO-POL-0013). 23
Mobile Device Security Every individual at the corporate is responsible for protecting the company’s information and equipment. • Laptops, smart phones, tablets and other mobile devices(i.e., thumb drives) should be locked or kept in your personal possession at all times. • When traveling, be sensitive to where and when you use mobile devices such as phones , laptops, and tablets. Don't allow others to “look over your shoulder”. • Never Leave laptops or other mobile devices in clear view inside a vehicle. • Immediately report any stolen mobile device storing corporate information to Help Desk. Mobile devices, including smart phones and tablets, must be password protected. 24
Corporate Mobile Devices and Personal Information • the corporate may elect to to provide corporately owned mobile devices to enable the Company workforce. These devices may include tablets such as iPads, smart phones, Androids or other types of mobile devices. • Though the devices are for corporate use, it is easy to commingle personal information with corporate data on the device. • To ‘commingle’ company information and personal information means to mix them in some fashion. Commingling company information and personal information has privacy and security consequences. • Examples of commingling data include: • Personal emails and/or documents stored on a corporate device • Corporate email stored on a personal email account • Call records of personal telephone calls made on a corporate device 25
Commingling – No Expectation of Privacy • the corporate permits limited personal use of corporate computing resources . • There are many consequences, to storing personal information on a corporate device, including mobile devices. Some of these consequences are : • Employees can have no expectation of privacy related to personal information stored on the corporate device • If the employee is involved in personal litigation, and relevant personal data is on the corporate device, that device may be subject to discovery and : • The Company may be compelled to provide the personal information to counsel, placing personal information at risk of exposure, and • The device may be unavailable to the company for a time which could place company data at risk of exposure. 26
USB Flash/Thumb Drives • USB drives are becoming a way to spread unwanted malicious progrthe corporate. • It is important no to insert personal-use USB drives into the corporate equipment. This may inadvertently transport a virus or other unwanted progrthe corporate. • One hacking trick is to leave infected USB drives laying around in public places for people to pick up and use. While it is enticing to find a ‘free’ USB drive, inserting it into your corporate or home computer is strongly discouraged. • To protect information contained on USB drives, look for devices that use a password or allow encryption (scrambling the information into secret code).A user manual often comes with the device to explain these features. • If you work inside process control environments use only dedicated portable media to transfer information to Supervisory Control and Data Acquisition (SCADA) systems or process computer systems. Do not use this portable media for any other purpose. 27
What to do if you notice a Security Issue If you suspect the corporate’s security has been compromised, a security issue has occurred or unauthorized information has been accessed or released, contact: • The Help Desk • Your Manager or Supervisor 28
Social Engineering • Social Engineering is the art of manipulating people into performing actions or divulging confidential information. Email is a common method used. • They create a scenario based on a few known facts(names ,phone numbers, etc.) which seems believable. If the story is credible, then most people are more than willing to help the social engineer. • For example, a social engineer may claim to be an the corporate IT employee who needs your password to fix a computer problem. In reality, they are trying to gain access to the corporate computers using your ID and password. • Be very cautious and think twice before giving out the corporate information. 29
Physical Security 30
Physical Security for Information Assets• Facilities housing the corporate information assets are physically restricted to authorized individuals and require a valid the corporate ID. • These facilities or buildings must be protected by physical security controls that prevent unauthorized individuals from gaining access. Visitors are required to sign in and be accompanied by an escort while in company facilities. • Remember: • Never allow others to user your badge • Never allow tailgating (holding a door or gate open for another person that requires a badge). • Report lost or stolen badges immediately: • HR Administration • Mangers or Supervisors • Help Desk 31
Sabotage on the corporate Facilities Individuals should watch for one or more of the following signs: • Physical surveillance of the corporate facilities • Any threats to individuals or property • Attempts to gain unauthorized access to restricted areas • Vandalism to company property What should you do ? • If threated or in danger , move to safety and call 911. • Notify HR Administration. • Do not touch anything. Preserve evidence for investigators. 32
Lock Your Computer • Lock your computer when you walk away. It is easy to do : • 1. Press the Ctrl+Alt+Del KEYS AT THE SAME TIME • 2. Then select the “Lock Computer” option • You are responsible for all actions that occur with your ID. if you leave your computer unattended and unlocked, someone else could take action ( such as send email) using your identity or access your personal information (view your paycheck) via Portal. • Your computer should always be in a physically secured location. • Use the provided cable lock/tether to secure laptops left unattended. 33
Password Management 34
Your Password • Your password is an integral part of the overall protection of the corporate’s information assets. • Hackers will try to steal passwords and IDs to break into the corporate systems. • If your password is compromised , the hacker has the ability to access anything you can access, using your identity. • Never use your the corporate ID or account password on non the corporate systems such as Amazon, Facebook or EBay. Once a password is compromised, the next logical step for a hacker is to try that password on other systems that you access. 35
Password Guidelines & Suggestions The science of password cracking has been simplified with the use of high speed progrthe corporate that employ databases containing words and phrases. There are ways to protect your password from these types of attacks, such as creating a password by using a password phrase. Tips: What Not to Do: • Do not write down or share your password. • Do not use the same password for everything(i.e., work, personal banking, etc.) • Do not use information that others could associate with you, like names of family members or pets. • Do not use cyclical, incremental, or patterned passwords. • Do not use words spelled backwards. • Do not use keyboard patterns (i.e., “asdf”). For information on creating a strong password, see Password Requirements located on the Password Policy (NO-POL- 0022). 36
Tips for Creating a Strong Password Create a strong , secure password that is easy to remember. Use a combination of upper case, lower case, numbers, and special characters to make your password complex. • Example: Use the phrase "it is not enough to do your best ; you must know what to do, and Then do your best.” W.Edwards Deming • Take the first letter from each word, separate every four letters with a comma, and then put a two digit number at the end. • Add a number or punctuation every few letters or between syllables. • A 12 character password would then be “iine,tdyb,12”. • Your the corporate password should only be used for your the corporate’s account. Use a different password for all personal email accounts. 37
Privacy • Privacy is a set of fair information practices to ensure: • Personal information is accurate, relevant, and current. • All collections, uses, and disclosures of personal information are known and appropriate. • Personal information is protected. The Policy for Privacy: • Implements procedures and controls at all levels to protect the confidentiality and integrity of information stored and processed on systems. 38
Different types and forms of Personally Identifiable Information (PII) •Social Security number (SSN) • Health Insurance Claim Number (HICN) • Date of birth (DOB) • National Provider Identification (NPI) • Driver’s license number • Passport number • Personal Health Information (PHI) • Biometric Information • PII must be protected in any form : paper, electronic, oral. 39
Recognize threats to information systems and privacy • Share information on a need to know basis. • Never access PII unless authorized to do so to perform your job. • Only store PII on encrypted devices. • Encrypt emails and double – check that the recipient name(s) is correct before sending. • When faxing, confirm that you have the correct fax number and call the recipient to confirm receipt. 40
Privacy Roles and Responsibilities Objective: Understand personal responsibility to protect information systems. Privacy policies and procedures require you to: • Collect, use, and disclose personal information for reasons that are for a legitimate job function, support the mission of the corporate and are allowed by law. • Disclose only the minimum amount of information. • Access information only for authorized purposes. • Follow standards to safeguard personal information throughout the information life cycle. • Report suspected privacy violations or incidents. • Comply with all applicable privacy laws. • Shred documents containing PII; NEVER place them in the trash. Contact the IT Department for proper disposal of equipment like copy machines and computers. As a member of the the corporate workforce, you are responsible for privacy policies and procedures. 41
Privacy Violations • Privacy violations can result in severe consequences including: 42
Security Summary 43
Things You Can Do To Help Keep the Company Secure It is the responsibility of each member of the corporate workforce to protect our enterprise information assets. Here are some things you can do to help: • Only the corporate equipment can be connected to the internal business network. • Do not load any unapproved software on your the corporate equipment. • Do not change any corporate security settings. • Avoid opening email and attachments from questionable sources. • Lock your workstation before you walk away. • Protect the corporate data in all formats(i.e., thumb drive, hard copy, CD, etc.) • Use a strong password. • Do not write down or share your password. • Ensure each member of the workforce has access to only what they need. • Beware of social engineering. • Report any lost or stolen company information asset (laptop, mobile phone ,etc.) to the Help Desk. 44

More Related Content

PPTX
Cybersecurity Awareness Training
Dave Monahan
 
PPSX
Security Awareness Training
William Mann
 
PDF
End-User Security Awareness
Surya Bathulapalli
 
PPTX
Cybersecurity Awareness Training for Employees.pptx
Mustafa Amiri
 
PPT
Employee Security Training[1]@
R_Yanus
 
PPT
IT Security Awareness-v1.7.ppt
OoXair
 
PDF
Cybersecurity Awareness Training Presentation v2024.03
DallasHaselhorst
 
PPTX
Information security awareness - 101
mateenzero
 
Cybersecurity Awareness Training
Dave Monahan
 
Security Awareness Training
William Mann
 
End-User Security Awareness
Surya Bathulapalli
 
Cybersecurity Awareness Training for Employees.pptx
Mustafa Amiri
 
Employee Security Training[1]@
R_Yanus
 
IT Security Awareness-v1.7.ppt
OoXair
 
Cybersecurity Awareness Training Presentation v2024.03
DallasHaselhorst
 
Information security awareness - 101
mateenzero
 

What's hot (20)

PDF
Employee Security Awareness Program
davidcurriecia
 
PPTX
Awareness Training on Information Security
Ken Holmes
 
PPTX
Employee Security Awareness Training
Denis kisina
 
PPTX
Hyphenet Security Awareness Training
Jen Ruhman
 
PPTX
Security awareness
Josh Chandler
 
PPTX
Basic Security Training for End Users
Community IT Innovators
 
PPTX
Security Awareness Training.pptx
MohammedYaseen638128
 
PPTX
Information Security Awareness
SnapComms
 
PDF
Cyber Security Awareness
Ramiro Cid
 
PDF
Cybersecurity Employee Training
Paige Rasid
 
PPTX
Cybersecurity Awareness
JoshuaWisniewski3
 
PPTX
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Stephen Cobb
 
PPTX
Security Awareness Training - For Companies With Access to NYS "Sensitive" In...
David Menken
 
PDF
Information Security Awareness Training
Randy Bowman
 
PDF
14 tips to increase cybersecurity awareness
Michel Bitter
 
PPTX
User security awareness
K. A. M Lutfullah
 
PDF
Cybersecurity Awareness Training Presentation v1.3
DallasHaselhorst
 
PDF
Security Awareness Training
Dmitriy Scherbina
 
PDF
Cyber security training
Wilmington University
 
PPTX
ICT and end user security awareness slides
jubke
 
Employee Security Awareness Program
davidcurriecia
 
Awareness Training on Information Security
Ken Holmes
 
Employee Security Awareness Training
Denis kisina
 
Hyphenet Security Awareness Training
Jen Ruhman
 
Security awareness
Josh Chandler
 
Basic Security Training for End Users
Community IT Innovators
 
Security Awareness Training.pptx
MohammedYaseen638128
 
Information Security Awareness
SnapComms
 
Cyber Security Awareness
Ramiro Cid
 
Cybersecurity Employee Training
Paige Rasid
 
Cybersecurity Awareness
JoshuaWisniewski3
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Stephen Cobb
 
Security Awareness Training - For Companies With Access to NYS "Sensitive" In...
David Menken
 
Information Security Awareness Training
Randy Bowman
 
14 tips to increase cybersecurity awareness
Michel Bitter
 
User security awareness
K. A. M Lutfullah
 
Cybersecurity Awareness Training Presentation v1.3
DallasHaselhorst
 
Security Awareness Training
Dmitriy Scherbina
 
Cyber security training
Wilmington University
 
ICT and end user security awareness slides
jubke
 
Ad

Viewers also liked (7)

PPT
It Security Awareness Overview
Nicholas Davis
 
PPT
Information Security Awareness And Training Business Case For Web Based Solut...
Michael Kaishar, MSIA | CISSP
 
PDF
Raising information security awareness
Terranovatraining
 
PDF
CRYPTOGRAPHY AND NETWORK SECURITY
Kathirvel Ayyaswamy
 
PPTX
Information security management system
Arani Srinivasan
 
PPTX
S/MIME & E-mail Security (Network Security)
Prafull Johri
 
PPTX
ISO 27001 - Information security user awareness training presentation - part 3
Tanmay Shinde
 
It Security Awareness Overview
Nicholas Davis
 
Information Security Awareness And Training Business Case For Web Based Solut...
Michael Kaishar, MSIA | CISSP
 
Raising information security awareness
Terranovatraining
 
CRYPTOGRAPHY AND NETWORK SECURITY
Kathirvel Ayyaswamy
 
Information security management system
Arani Srinivasan
 
S/MIME & E-mail Security (Network Security)
Prafull Johri
 
ISO 27001 - Information security user awareness training presentation - part 3
Tanmay Shinde
 
Ad

Similar to Information Security Awareness Training Open (20)

PPTX
TheCyberThreatAndYou2_deck.pptx
KevinRiley83
 
PPTX
ISMS Awareness Training (2) (1).pptx
vasidharta
 
PPTX
Internet Security
mjelson
 
PDF
CyberSecurity Cyber24x7.pdf
Varinder K
 
PPTX
c13.security_and_ethics.pptx managemet info
tasniahnuha
 
PDF
Masterclass_ Cybersecurity and Data Privacy Basics
Excellence Foundation for South Sudan
 
PPTX
7500_Lesson_07_Slides.pptx...............
Ahmadhawshar
 
PDF
Building a culture of security
Courion Corporation
 
PPTX
Computer Basics in the Work Place
Alan Simpers MBA M.ED
 
PPTX
SAFETY, SECURITY AND ETHICS.ppttttttxxxx
anovalexter
 
PPTX
Lecture 6 Cybersecurity-Basics and .pptx
akatsesena2003
 
PPTX
Internet Safety & Privacy
Alexine Marier
 
PPTX
Chp-15 Cyber Safety ppt-std 11.pptx
HarishParthasarathy4
 
PDF
Free_business_IT_security_policy_template_v5.pdf
klodianelezi1
 
PPTX
Cybersecurity - Defense Against The Dark Arts Harry Potter Style
Brian Pichman
 
PPTX
Cyber security for small businesses
B2BPlanner Ltd.
 
PPTX
Data protection and security
samina khan
 
PPTX
CyberSecurity - Computers In Libraries 2024
Brian Pichman
 
PDF
Cyber Security - back to basics - webinar slides.pdf
larsg2
 
PPTX
Phishing attack, with SSL Encryption and HTTPS Working
Sachin Saini
 
TheCyberThreatAndYou2_deck.pptx
KevinRiley83
 
ISMS Awareness Training (2) (1).pptx
vasidharta
 
Internet Security
mjelson
 
CyberSecurity Cyber24x7.pdf
Varinder K
 
c13.security_and_ethics.pptx managemet info
tasniahnuha
 
Masterclass_ Cybersecurity and Data Privacy Basics
Excellence Foundation for South Sudan
 
7500_Lesson_07_Slides.pptx...............
Ahmadhawshar
 
Building a culture of security
Courion Corporation
 
Computer Basics in the Work Place
Alan Simpers MBA M.ED
 
SAFETY, SECURITY AND ETHICS.ppttttttxxxx
anovalexter
 
Lecture 6 Cybersecurity-Basics and .pptx
akatsesena2003
 
Internet Safety & Privacy
Alexine Marier
 
Chp-15 Cyber Safety ppt-std 11.pptx
HarishParthasarathy4
 
Free_business_IT_security_policy_template_v5.pdf
klodianelezi1
 
Cybersecurity - Defense Against The Dark Arts Harry Potter Style
Brian Pichman
 
Cyber security for small businesses
B2BPlanner Ltd.
 
Data protection and security
samina khan
 
CyberSecurity - Computers In Libraries 2024
Brian Pichman
 
Cyber Security - back to basics - webinar slides.pdf
larsg2
 
Phishing attack, with SSL Encryption and HTTPS Working
Sachin Saini
 

Information Security Awareness Training Open

  • 1. Information Security Awareness Training SECURITY IS EVERYONE'S RESPONSIBILITY
  • 3. Objectives 3 After completing this training, you should be able to: • Understand cyber security threats associated with email and other forms of electronic communications • Learn tips on how to safely maneuver through the internet • Understand why it is important to protect our information assets and your role in the process • Learn how to better secure your computer and data • Understand the importance of passwords and how to create a strong password • Understand how international travel can pose risks to information assets • Locate policies, standards and travel preparation on the Employee Portal
  • 5. Electronic Communication • Any Communication (email, instant messaging, text messaging, etc.)sent in support of the corporate business is considered the corporate message and is subject to monitoring. Do not Send: • Anything which could be interpreted as abusive or harassing • Unsolicited advertising or anything that could be interpreted as a scam 5
  • 6. Electronic Communication-Do’s • Be careful of the information shared outside of the company and its competitive value. • Protect information inside the company by not sharing it with those without a need-to-know. • Use approved “Chat” applications (set up by IT helpdesk) for instant messaging needs. The use of other commercial instant messaging products could allow viruses to infect your computer. • Be mindful of the Information Security Policies and procedures restrictions on information sharing. Improper use of electronic communication in support of the corporate business can put the corporate at risk and is a violation of company policy. 6
  • 7. Email Viruses Email is the most common source of computer viruses. What can you do to avoid computer viruses? When receiving email from questionable sources: • Do not open attachments. • Do not click on web links. • Do not respond to the email. • If you don’t know the sender or what it concerns, the safest thing to do is delete the email. • Forward the email to mailscam@mailserver.com Even be cautious of email which appears to be from someone you know. The email could have been forwarded from a questionable or unknown email address. Be certain of the source before you click on a link. 7
  • 8. Email • Email is inherently unsafe because it is the easiest way for someone to breach the system and to trick you. • Do not forward any confidential company email outside of the corporate policy (i.e., personal email accounts , etc.). • If your job requires you to email confidential information to outside parties, including personal information, use the e-mail policy for the policy, Secure Email*. *encrypt-to convert or scramble computer data and messages into something incomprehensible. 8
  • 9. Spam • Spam is unsolicited email ( junk email). It may be targeted to a certain group or a mass mailing. • the corporate e-mail spam service blocks millions of spam email everyday; however some do manage to get through. • For the majority of cases, delete the spam. • If you feel someone should be alerted , call the help desk or forward the email to mailscam@corporate.com 9
  • 10. Phishing Phishing is a type of cyber attack involving forged emails and websites. Typically, an email is sent with a disturbing message such as “Your bank account has been suspended” and includes a website link or an attachment. The website link looks like a viable website, such as a financial institution, but is actually the hacker’s website. To avoid being caught by a phishing email, individuals should: • Contact the business directly. • Be suspicious of any email requesting personal information. • Do not open links or attachments from questionable sources. • Delete the email. 10
  • 12. Use Good Judgment the corporate monitors internet usage and block certain websites for a variety of reasons. Please be aware that anything you do on the internet can be traced. When accessing the internet from email links use sound judgment. Be extremely wary of emails asking for information or asking you to click a link. If the email states “You’ve got to see this,” ask yourself why. Please use sound judgement when accessing personal web-based email such as Yahoo, Gmail, or other non-the corporate email systems from your the corporate Computer. 12
  • 13. Blocked Website Categories Certain types of websites are blocked from the the corporate network. Some examples include: • Adult/Mature Content • Gambling • Games • Hacking • Personals/Dating • Social Media • Violence/Hate/Racism • Weapons Contact IT for a complete list of Blocked Websites Categories. 13
  • 14. Malware • Malware is a term for malicious software which is designed to be installed on a computer without the owner’s knowledge. • Spyware is a type of malware which monitors your computer activity and reports this activity back to the owner of the spyware. Spyware can keep track of the websites you visit. • Based on this information, spam or phishing emails can be created by hackers to target your interests or work profession. • Therefore, visiting unfamiliar sites could infect your computer with malware. 14
  • 15. Caution Before You Click Computers can get infected with malware by simply visiting an infected website. That is why it is very important to be careful when clicking a link in email, search lists, or web pages. Malware can also steal data. This includes personal data such as computer ID’s, passwords, social security and account numbers. To avoid having your identity compromised by malware: • Be careful what internet sites you visit. • Do not open attachments or links from unknown sources. • Don’t download without your managers approval for free software download offers. 15
  • 16. Social Networking (i.e. Facebook, LinkedIn, Twitter) • Be very careful what information is shared on these sites . Always consider what could be done with this information and the possible impact it may have. • Certain data posted on these sites may allow a targeted email fraud, phishing, or spam attack to be developed. • In addition, the personal information posted may be used in a social engineering attack, where someone masquerades as you or a person close to you. • Access to many social networking sites is blocked from the the corporate network due to the risk of exposure. 16
  • 17. Public Wireless Access • Public Wireless Internet is available at many locations. It is important to understand when you use these networks you are no longer on a network controlled by either you or the corporate. • Many of the security controls in place at work are not available on a public network. You cannot assume a public network is secure. • Protect company information by ALWAYS using your the corporate secure Virtual Private Network (VPN) connection when accessing a public network. • Always use extreme caution when handling the corporate information. 17
  • 18. Personal Devices Do not connect personal devices to the corporate network. Examples include: • IPads • Tablets • Wireless camera • Wireless Printers Do not use personal software for company business. • Using personal software for company business violates company license agreements. 18
  • 20. Protecting Information • Non-public company information should be protected, both inside and outside the company. • Unauthorized disclosure of company information can put the corporate at risk. We could lose competitive advantage, create legal problems, violate regulatory requirements, or tarnish the image of the company. • Information should only be shared with individuals on a need-to-know basis. the corporate uses access restrictions on File Shares to protect stored information and Secure File Transfer Protocol (SFTP) to securely transfer information. 20
  • 21. Information Protection Confidential information should never be left unattended in place such as : • Meeting rooms • Fax machines • Printers • Desks • Dry erase boards • Unlocked file cabinets • Unsecured shared drives Dispose of personal or confidential information in a secure manner (i.e., shred, delete data from hard drive according to company guidelines, or incinerate). Use a clean desk approach. Lock up confidential/sensitive papers when you are not using them. 21
  • 22. File Share Ownership for “Common Drive” Information • Per the corporate policy, File Share owners must be a manager or supervisor. • File Share owners are responsible for all content and access they own. • Ownership roles must be reviewed annually and updated when there is a change in job responsibilities. • Owners should limit access to only those who have a business need to access the information. • Data owners should adhere to the the corporate Information Security Handling and Classification Policy (NO-POL-0026) to ensure content is retained based on regulatory obligations, industry benchmarks and sound business practices. The policy is available on the corporate’s intranet. • Do not store Personally Identifiable Information (PII) on a File Share that is accessible by any employee who does not have a legitimate business purpose for accessing that information. 22
  • 23. Unauthorized Software • Installing unauthorized software is a violation of company policy that may result in disciplinary action. Software downloaded from the internet can contain vulnerabilities that put the entire association at risk. • the corporate catalogs, tracks, and updates the software contained in the standard computer image for vulnerabilities. However, updates cannot be done for unauthorized software thus putting the association’s at risk. • Software downloaded to share music can often make other files on your computer available for sharing to others and lead to disclosure of sensitive information. • These precautions apply to all the corporate owned devices, including mobile devices (NO-POL-0013). 23
  • 24. Mobile Device Security Every individual at the corporate is responsible for protecting the company’s information and equipment. • Laptops, smart phones, tablets and other mobile devices(i.e., thumb drives) should be locked or kept in your personal possession at all times. • When traveling, be sensitive to where and when you use mobile devices such as phones , laptops, and tablets. Don't allow others to “look over your shoulder”. • Never Leave laptops or other mobile devices in clear view inside a vehicle. • Immediately report any stolen mobile device storing corporate information to Help Desk. Mobile devices, including smart phones and tablets, must be password protected. 24
  • 25. Corporate Mobile Devices and Personal Information • the corporate may elect to to provide corporately owned mobile devices to enable the Company workforce. These devices may include tablets such as iPads, smart phones, Androids or other types of mobile devices. • Though the devices are for corporate use, it is easy to commingle personal information with corporate data on the device. • To ‘commingle’ company information and personal information means to mix them in some fashion. Commingling company information and personal information has privacy and security consequences. • Examples of commingling data include: • Personal emails and/or documents stored on a corporate device • Corporate email stored on a personal email account • Call records of personal telephone calls made on a corporate device 25
  • 26. Commingling – No Expectation of Privacy • the corporate permits limited personal use of corporate computing resources . • There are many consequences, to storing personal information on a corporate device, including mobile devices. Some of these consequences are : • Employees can have no expectation of privacy related to personal information stored on the corporate device • If the employee is involved in personal litigation, and relevant personal data is on the corporate device, that device may be subject to discovery and : • The Company may be compelled to provide the personal information to counsel, placing personal information at risk of exposure, and • The device may be unavailable to the company for a time which could place company data at risk of exposure. 26
  • 27. USB Flash/Thumb Drives • USB drives are becoming a way to spread unwanted malicious progrthe corporate. • It is important no to insert personal-use USB drives into the corporate equipment. This may inadvertently transport a virus or other unwanted progrthe corporate. • One hacking trick is to leave infected USB drives laying around in public places for people to pick up and use. While it is enticing to find a ‘free’ USB drive, inserting it into your corporate or home computer is strongly discouraged. • To protect information contained on USB drives, look for devices that use a password or allow encryption (scrambling the information into secret code).A user manual often comes with the device to explain these features. • If you work inside process control environments use only dedicated portable media to transfer information to Supervisory Control and Data Acquisition (SCADA) systems or process computer systems. Do not use this portable media for any other purpose. 27
  • 28. What to do if you notice a Security Issue If you suspect the corporate’s security has been compromised, a security issue has occurred or unauthorized information has been accessed or released, contact: • The Help Desk • Your Manager or Supervisor 28
  • 29. Social Engineering • Social Engineering is the art of manipulating people into performing actions or divulging confidential information. Email is a common method used. • They create a scenario based on a few known facts(names ,phone numbers, etc.) which seems believable. If the story is credible, then most people are more than willing to help the social engineer. • For example, a social engineer may claim to be an the corporate IT employee who needs your password to fix a computer problem. In reality, they are trying to gain access to the corporate computers using your ID and password. • Be very cautious and think twice before giving out the corporate information. 29
  • 31. Physical Security for Information Assets• Facilities housing the corporate information assets are physically restricted to authorized individuals and require a valid the corporate ID. • These facilities or buildings must be protected by physical security controls that prevent unauthorized individuals from gaining access. Visitors are required to sign in and be accompanied by an escort while in company facilities. • Remember: • Never allow others to user your badge • Never allow tailgating (holding a door or gate open for another person that requires a badge). • Report lost or stolen badges immediately: • HR Administration • Mangers or Supervisors • Help Desk 31
  • 32. Sabotage on the corporate Facilities Individuals should watch for one or more of the following signs: • Physical surveillance of the corporate facilities • Any threats to individuals or property • Attempts to gain unauthorized access to restricted areas • Vandalism to company property What should you do ? • If threated or in danger , move to safety and call 911. • Notify HR Administration. • Do not touch anything. Preserve evidence for investigators. 32
  • 33. Lock Your Computer • Lock your computer when you walk away. It is easy to do : • 1. Press the Ctrl+Alt+Del KEYS AT THE SAME TIME • 2. Then select the “Lock Computer” option • You are responsible for all actions that occur with your ID. if you leave your computer unattended and unlocked, someone else could take action ( such as send email) using your identity or access your personal information (view your paycheck) via Portal. • Your computer should always be in a physically secured location. • Use the provided cable lock/tether to secure laptops left unattended. 33
  • 35. Your Password • Your password is an integral part of the overall protection of the corporate’s information assets. • Hackers will try to steal passwords and IDs to break into the corporate systems. • If your password is compromised , the hacker has the ability to access anything you can access, using your identity. • Never use your the corporate ID or account password on non the corporate systems such as Amazon, Facebook or EBay. Once a password is compromised, the next logical step for a hacker is to try that password on other systems that you access. 35
  • 36. Password Guidelines & Suggestions The science of password cracking has been simplified with the use of high speed progrthe corporate that employ databases containing words and phrases. There are ways to protect your password from these types of attacks, such as creating a password by using a password phrase. Tips: What Not to Do: • Do not write down or share your password. • Do not use the same password for everything(i.e., work, personal banking, etc.) • Do not use information that others could associate with you, like names of family members or pets. • Do not use cyclical, incremental, or patterned passwords. • Do not use words spelled backwards. • Do not use keyboard patterns (i.e., “asdf”). For information on creating a strong password, see Password Requirements located on the Password Policy (NO-POL- 0022). 36
  • 37. Tips for Creating a Strong Password Create a strong , secure password that is easy to remember. Use a combination of upper case, lower case, numbers, and special characters to make your password complex. • Example: Use the phrase "it is not enough to do your best ; you must know what to do, and Then do your best.” W.Edwards Deming • Take the first letter from each word, separate every four letters with a comma, and then put a two digit number at the end. • Add a number or punctuation every few letters or between syllables. • A 12 character password would then be “iine,tdyb,12”. • Your the corporate password should only be used for your the corporate’s account. Use a different password for all personal email accounts. 37
  • 38. Privacy • Privacy is a set of fair information practices to ensure: • Personal information is accurate, relevant, and current. • All collections, uses, and disclosures of personal information are known and appropriate. • Personal information is protected. The Policy for Privacy: • Implements procedures and controls at all levels to protect the confidentiality and integrity of information stored and processed on systems. 38
  • 39. Different types and forms of Personally Identifiable Information (PII) •Social Security number (SSN) • Health Insurance Claim Number (HICN) • Date of birth (DOB) • National Provider Identification (NPI) • Driver’s license number • Passport number • Personal Health Information (PHI) • Biometric Information • PII must be protected in any form : paper, electronic, oral. 39
  • 40. Recognize threats to information systems and privacy • Share information on a need to know basis. • Never access PII unless authorized to do so to perform your job. • Only store PII on encrypted devices. • Encrypt emails and double – check that the recipient name(s) is correct before sending. • When faxing, confirm that you have the correct fax number and call the recipient to confirm receipt. 40
  • 41. Privacy Roles and Responsibilities Objective: Understand personal responsibility to protect information systems. Privacy policies and procedures require you to: • Collect, use, and disclose personal information for reasons that are for a legitimate job function, support the mission of the corporate and are allowed by law. • Disclose only the minimum amount of information. • Access information only for authorized purposes. • Follow standards to safeguard personal information throughout the information life cycle. • Report suspected privacy violations or incidents. • Comply with all applicable privacy laws. • Shred documents containing PII; NEVER place them in the trash. Contact the IT Department for proper disposal of equipment like copy machines and computers. As a member of the the corporate workforce, you are responsible for privacy policies and procedures. 41
  • 42. Privacy Violations • Privacy violations can result in severe consequences including: 42
  • 44. Things You Can Do To Help Keep the Company Secure It is the responsibility of each member of the corporate workforce to protect our enterprise information assets. Here are some things you can do to help: • Only the corporate equipment can be connected to the internal business network. • Do not load any unapproved software on your the corporate equipment. • Do not change any corporate security settings. • Avoid opening email and attachments from questionable sources. • Lock your workstation before you walk away. • Protect the corporate data in all formats(i.e., thumb drive, hard copy, CD, etc.) • Use a strong password. • Do not write down or share your password. • Ensure each member of the workforce has access to only what they need. • Beware of social engineering. • Report any lost or stolen company information asset (laptop, mobile phone ,etc.) to the Help Desk. 44