Employee Security Training[1]@


  1. Employee Information Security Awareness Training
  2. Objectives
     - Help you identify common information security risks
     - Help you develop good security practices
     - Introduce select Information Security Manual (ISM) Practices and Standards
     - Review requirements for protecting information:
       - Passwords
       - Social Engineering
       - Securing Your Workstation
       - E-Mail Risks
       - Mobile Devices
       - Security on the Road
       - Unauthorized Software
  3. Protecting Information
     - Classified information must be protected.
       - Specific handling requirements apply, based on the risk of modification, disclosure, or loss.
     - It is equally important to protect unclassified but sensitive information such as:
       - Daily routines
       - Phone numbers
       - Software versions
       - Systems
       - Travel schedules
  4. Who Wants Information on the Company? (Company information adversaries)
     - Hackers
     - Cyber criminals
     - Foreign countries
     - Organized crime
     - Terrorists
  5. Types of Information That Can Be Exploited
     - Names, phone numbers, e-mail addresses
     - Software and hardware information
     - Process information
     - Location information
     - Projects
     - Work schedules
     - Comments about co-workers or your boss
  6. Where Could This Information Come From?
     - Pieces of information can be obtained from overheard conversations, web logs (blogs), personal web sites, online resumes, news reports, interviews, etc.
     - Social engineering techniques (conning people into revealing sensitive data) are effective, but often the information is publicly available or can simply be overheard.
     - Combined, these pieces of information can be VERY valuable.
  7. Why Would Anyone Be Interested?
     - To get the inside "scoop"
     - To target known hardware/software vulnerabilities and compromise our systems
     - To target a physical attack that damages infrastructure
  8. What Can I Do?
     - Report all suspected information security compromises immediately.
     - Be aware of others trying to gain information from you.
     - Be aware of what information you are sharing, where you share it, and with whom you share it.
     - Don't be afraid to speak up if you see or hear company information in public that shouldn't be shared with others.
  9. Rules of OpSec
     - Don't discuss past, current or future company business in public areas.
     - Don't talk to outsiders about company personnel issues, including names of co-workers and schedules.
     - Don't openly discuss company office locations and addresses in public or online.
     - Don't post information about company business in public forums online; examples include:
       - References to the company
       - References to your employment at the company
       - Information about your job responsibilities
       - Information about our computing environment
       - Your company e-mail account or phone number
  10. Rules of OpSec (cont.)
     - Don't discuss computer-related information publicly, including the types of software and other systems you use at the company.
     - Don't divulge any information over the phone to people calling from outside the company.
     - Remember, none of your online activities are anonymous.
     - Don't do anything that may pose a risk or cause embarrassment to the company.
     - Talk to your management if you're not certain about what you can or can't share.
     - Don't assume outsiders aren't trying to collect information on the company. They are!
  11. Create Strong Passwords
     - At least eight characters long
       - The longer your password is, the more difficult it is for someone to guess.
     - Use upper- and lower-case letters, 2 numbers and 2 special characters, like $ or #.
     - Don't use:
       - Dictionary words
       - Combinations of words or reverse spellings of words
       - Foreign-language or technical words, proper names, location names or user IDs
  12. Passwords
     - Create strong passwords.
     - Create passwords that are easy for you to remember, but difficult for others to guess.
     - Protect your password.
       - Giving users passwords over the phone, or changing user passwords in response to telephone or personal requests when the requestor is not authenticated
  13. Make Passwords Easy to Remember
     - Pick a phrase that has meaning to you but would be hard for others to guess.
       - "I am going to New York for a wonderful vacation" becomes I@g2NY4awv!
       - "I am starting my vacation on Saturday, August 2" becomes Ia$mv0Sa2*
     - Pick a long word.
       - Supermarket: replace vowels with numbers and symbols
         - Sp3rm@rk3t$
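The password rules in the two slides above (at least eight characters, upper- and lower-case letters, at least two digits and two special characters, no dictionary words, reversed words or user IDs) are concrete enough to check mechanically. The following is an added Python policy checker written for this page; it is not code from the training deck or from the SecureLogin tool it mentions. The word list is a constructed stand-in for a real dictionary, and the sample passwords at the bottom are the deck's own examples plus constructed weak ones.

```python
"""Password policy checker for the rules on the "Create Strong Passwords" slide.

Added example for this page (not from the training deck or SecureLogin).
DICTIONARY is a constructed stand-in: a real deployment would load a full
dictionary plus names, place names and technical words, as the slide requires.
"""
import re
import string
from typing import List

MIN_LENGTH = 8      # "At least eight characters long"
MIN_DIGITS = 2      # "2 numbers"
MIN_SPECIALS = 2    # "2 special characters, like $ or #"

# Constructed mini word list (assumption: replace with a real wordlist).
DICTIONARY = ("password", "supermarket", "super", "market",
              "vacation", "welcome", "york", "august", "saturday")


def _letters_only(password: str) -> str:
    """Lower-case alphabetic skeleton of the password, so that digits and
    symbols inserted into a dictionary word do not hide the word."""
    return re.sub(r"[^a-z]", "", password.lower())


def check_password(password: str, user_id: str = "") -> List[str]:
    """Return the list of policy violations; an empty list means compliant."""
    problems: List[str] = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        problems.append(f"fewer than {MIN_DIGITS} digits")
    if sum(c in string.punctuation for c in password) < MIN_SPECIALS:
        problems.append(f"fewer than {MIN_SPECIALS} special characters")

    # The slide rejects dictionary words, combinations of words and reverse
    # spellings; scanning the letters-only skeleton forwards and backwards
    # covers all three.
    skeleton = _letters_only(password)
    for word in DICTIONARY:
        if word in skeleton or word in skeleton[::-1]:
            problems.append(f"contains dictionary word '{word}' (or its reverse)")

    # User IDs are on the slide's "don't use" list too.
    if user_id and user_id.lower() in password.lower():
        problems.append("contains user ID")

    return problems


def is_compliant(password: str, user_id: str = "") -> bool:
    """True when check_password reports no violations."""
    return not check_password(password, user_id)


if __name__ == "__main__":
    # Constructed samples: the deck's own examples plus deliberately weak ones.
    samples = [
        ("I@g2NY4awv!", ""),
        ("Ia$mv0Sa2*", ""),
        ("Sp3rm@rk3t$", ""),
        ("Supermarket", ""),      # the long word before vowel substitution
        ("Drowssap12!!", ""),     # "password" spelled backwards
        ("Jsmith2024!!", "jsmith"),
    ]
    for pw, uid in samples:
        verdict = check_password(pw, uid)
        print(f"{pw:14} -> {'OK' if not verdict else '; '.join(verdict)}")
```

The three passwords the deck constructs pass every rule, while the untransformed "Supermarket" fails on digits, special characters and the dictionary check at once, which is the point of the vowel-substitution technique on the slide. Checking a letters-only skeleton rather than the raw string is what catches a reversed or symbol-padded dictionary word.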
  14. Protect Your Passwords
     - Protect passwords at all times.
       - Protect them as you would your money and credit cards.
       - Never share passwords unless authorized by management under exceptional circumstances.
         - Technical support personnel do not need your password to resolve problems.
       - Avoid writing your password down.
       - Make your mainframe password unique.
       - Passwords for accessing company-related systems must be different from any passwords used for external Internet sites like Amazon.com.
  15. SecureLogin
     - Password management tool
       - Automatically saves and enters passwords for many applications
     - Applications currently taking advantage of SecureLogin tools:
       - E-mail
       - Job-specific applications
       - etc.
     - For more documentation, refer to the Information Security Department's Web site.
  16. Social Engineering
     - A hacker technique to trick people into revealing their passwords and other information.
     - Hackers don't have to come in over the Internet.
       - They may easily get information by asking for it.
       - Studies have shown that even the best security technology cannot prevent devious acts as well as you can.
  17. Guarding Against Social Engineering
     - Impersonating
       - Do not share your password with anyone.
       - Be suspicious. If someone contacts you and asks for information you don't think you should provide, suggest having your management contact them.
     - Shoulder surfing
       - Don't let anyone watch you key in your password.
     - Eavesdropping
       - Use caution when discussing company information, especially information about the company's systems and vulnerabilities.
     - Dumpster diving
       - Do not dispose of company documents in public trash receptacles. It's best to dispose of any document containing Bank information at the company.
  18. Responding to Social Engineering
     - Even if you're careful, you can still give out information to a social engineer.
       - Always report compromises of your password or other classified information to your Information Security Officer or management immediately.
     - Report all suspicious incidents to your management.
  19. Information Handling: Classification
     - Three levels of classification
       - Based on the risk associated with unauthorized modification, disclosure, or loss of information
     - Documents labeled with the following classifications should be handled in accordance with ISM guidelines:
       - Secret: serious loss
       - Confidential: significant loss
       - Internal: some loss
  20. Information Handling: Protecting
     - Do not share classified information with anyone who is not a company employee.
     - Do not leave Secret or Confidential documents unprotected; always secure them.
     - Even unclassified information may need protection.
       - You may have access to unclassified information that is not available to the public.
       - You may disclose this nonpublic information only as required for company purposes and only as authorized.
  21. Information Handling: Protecting (cont.)
     - Disposal
       - Highly classified documents must always be shredded.
     - E-mailing
       - Do not send classified documents outside the company.
       - Follow the appropriate requirements if you send highly classified documents within the company.
     - More on handling classified information
       - Refer to the Handling Classified Information card for details on handling requirements for printed and electronic media and e-mail.
  22. Securing Your Workstation
     - Employees must restrict access to workstations when they're left unattended.
       - Any time you step away from your computer, you must ensure that your workstation is secured.
       - When leaving for more than eight hours (for example, when you leave work for the day), shut down your workstation unless it needs to remain on because of business requirements.
     - Restrict access by doing one of the following:
       - Press Ctrl-Alt-Del and select the appropriate option (Lock Computer, Log Off or Shut Down).
  23. E-Mail Risks
     - Opening files attached to an e-mail
       - Loads all data within the file, including any viruses, onto the PC.
       - Do not view, open, edit, save, or forward unexpected or questionable e-mail attachments; if in doubt, verify content and intent with the sender.
       - If you can't verify, delete the message.
     - Clicking links (URLs) in the text of an e-mail
       - Might send you directly to a dangerous site.
       - Do not click links (URLs) embedded in the text of unexpected or suspicious e-mail.
     - E-mail Out of Office feature
       - Carefully review your Out of Office settings and ensure you are not replying to Internet e-mails.
  24. Safe E-Mail Practices
     - If you receive an Execution Security Alert:
       - Call your local help desk.
       - Never click Trust Signer or Execute Once.
     - Chain letters
       - Do not pass along chain letters.
     - Newsletters or newsgroups
       - Use discretion when subscribing to newsletters or newsgroups.
     - Personal use
       - Don't violate any policies or laws with your occasional and incidental personal use. Monitoring of your computer activities may occur.
  25. Secure Your Mobile Devices
     - When you are outside the company:
       - Never lose control of your device. Keep it with you at all times.
     - When you are inside the company:
       - Keep small devices (cell phone, BlackBerry, etc.) with you or locked in a cabinet or desk drawer.
       - Secure your laptop as appropriate.
     - Follow all remote access requirements if you are connecting remotely to the company network.
  26. Mobile Devices
     - If your BlackBerry or PDA is lost or stolen:
       - Report to local police.
       - Notify appropriate company staff:
         - Area management
     - If your laptop is lost or stolen:
       - Report to local police.
       - Notify appropriate company staff:
         - Area management
  27. Security on the Road
     - Non-technical remote work risks
     - Performing work remotely brings with it a unique set of threats.
       - Home
       - Home office
       - Vehicles
       - Coffee shops/bookstores
       - Satellite offices
  28. Security on the Road
     - Non-technical travel risks
     - Performing high-priority job functions while traveling creates opportunities for danger.
       - Airports
       - Airplanes
       - Vehicles
       - Wireless hotspots
       - Satellite offices
       - Hotels
  29. Security on the Road
     - The role of the mobile device
     - Why has the mobile and wireless device become such a necessity for the business traveler?
       - Executive/Management
       - Engineering
       - Field Support
       - IT Personnel
       - Human Resources
       - Consumer Support
  30. Security on the Road: Common Business Travel Pitfalls
     - Business travel security cannot be taken lightly. Some of the mistakes most commonly made that increase the likelihood of a security breach:
       - Carelessness with data
       - False sense of security
       - Lack of normal resources
       - Less concern for security
       - Foreign wireless networks
       - Contact with strangers
       - Devices not secure
       - Breaking security policies
       - Not protecting devices
       - Lack of awareness of surroundings
  31. What if your laptop disappears?
     - Immediate notifications:
     - If the loss occurs away from work premises, you must report the incident to the relevant local law enforcement agency as soon as possible.
     - If your laptop is lost or stolen, you must notify your management immediately.
     - They will then notify the appropriate work personnel to mitigate any potential information or security breach.
  32. Laptop Issues
     - Keep control of your laptop
       - Airport, hotel and conference check-in areas
       - On board: trains, planes, buses and cabs
       - On the road: shuttle buses, limos, rental cars, parking and waiting areas
     - Do not check it as luggage.
     - Be alert for "shoulder surfers".
     - Treat a laptop as you would your desktop workstation.
  33. Laptop Security
     - Laptops have become a major target for thieves. The data stored on a laptop is generally worth more than the cost of the laptop itself.
     - The thief may only want the laptop for the network access it can provide, in order to:
       - Launch DoS attacks
       - Conduct criminal activity
       - Disrupt the business
  34. Laptop Security Guidelines
     - Perform file back-ups regularly.
     - Lock laptops away when not in use.
     - Avoid identifiable carrying cases.
     - Do not check as baggage.
     - Do not leave in unattended conference rooms.
     - Store laptops in hotel or room safes.
     - Keep login/logon information secure.
     - Encrypt sensitive information.
     - Be aware of your surroundings.
  35. Unauthorized Software
     - Only approved software may be loaded on PCs and laptops.
       - Unauthorized software may expose the company to viruses, worms, malicious code or copyright violations.
     - Obtain management authorization before installing software.
       - Do not install unauthorized games, screen savers, music and video files, etc. on company PCs.
  36. Unauthorized Software (cont.)
     - Never download unauthorized software from the Internet.
     - Never install software downloaded from home or given to you on a CD.
     - Never make unauthorized changes to standard Bank software, such as virus scanning programs.
     - Never attach unauthorized devices, such as PC video cameras.
     - Always shut down your workstation when you leave work for the day unless the workstation must remain powered on for business reasons.
     - Always remind others of all these risks.
  37. Information Security Policy Framework
     - Information Security Framework
       - Principles
       - Practices
       - Standards
       - Guidelines
  38. ID Badge Protection
     - Photo IDs assist in visual identification of individuals at facilities.
     - Worn by all employees.
     - Politely request others to show you their badge if it is not visible.
     - If your ID badge is also an access card, be aware of access restrictions (after hours, remote sites).
     - Report a lost ID badge immediately.
  39. Company Policies
     - Information Security Manual:
       - All suspected information security incidents must be reported as quickly as possible through the appropriate internal channels.
     - Computer Use Policy:
       - It is the responsibility of the employee to be aware at all times of the location of the laptop and satisfied that it is physically secure.
       - Report loss or theft as soon as possible to local management.
       - Local management should also provide a copy of the loss information to Protection, Audit, Information Security and Management Information.
     - Screensaver Lock Policy
     - E-Mail Policy
     - Webinar Training Policy
     - Workstation Power-down Policy
     - Modem Use Policy
     - Software Installation Standard
     - Personal Firewall Standard
  40. Summary
     - Passwords
       - Create strong passwords that are easy for you to remember.
       - Never share your password without approval.
     - Social engineering
       - Be suspicious when talking on the phone to an unknown caller.
       - Use care when discussing company information in public places.
       - Notify management of known or suspected threats.
     - Information handling
       - Do not allow access to information without a "need to know."
       - Protect classified information and follow ISM classification and handling requirements.
     - Securing your workstation
       - Restrict access to your workstation when you leave it unattended.
     - E-mail risks
       - Verify suspicious e-mail with questionable attachments with the sender.
       - Do not click links in suspicious e-mails. If in doubt, delete the e-mail.
       - Do not use e-mail for chain letters.
  41. Summary (cont.)
     - Mobile devices
       - Secure your mobile devices at all times.
       - Follow remote access requirements when connecting to the company remotely.
     - Unauthorized software
       - Do not load any software without approval.
       - You may use company computers for occasional and incidental personal use as long as you neither endanger our systems nor violate policies. Your computer activities may be monitored.
     - Protect the company: be vigilant
       - If you observe a security violation, report it to management and correct it, if possible.
  42. Thank You