This document provides an overview of information technology security awareness training at Northern Virginia Community College. It aims to assist faculty and staff in safely using computing systems and data by understanding security threats and taking reasonable steps to prevent them. Everyone who uses a computer is responsible for security. New employees must complete training within 30 days, and refresher training is required annually. Users have personal responsibilities around reporting violations, securing devices and data, and safe email practices. Security violations can result in consequences like data loss, costs, and disciplinary action. Training must be documented and various delivery methods are outlined.
IT Security Awarenesss by Northern Virginia Community College
1. IT Security Awareness:
Information Security is
Everyone’s Business
A Guide to Information Technology Security at
Northern Virginia
Community College
2. Goals of IT Security
Awareness Training
To assist faculty and staff in using safe,
secure computer practice to safeguard
College computing systems and data they
store or access.
To answer any questions about information
security requirements and procedures
To promote Computer Security Awareness
4. What Is IT Security
Awareness?
Information Technology Security Awareness
means understanding various information
technology threats that exist in one's
computing environment and taking reasonable
steps to guard against them.
5. Who Is Responsible for
IT Security?
Everyone who uses a computer needs to know
how to keep his or her computer and data
secure to ensure a safe working
environment.
NOTE: Security Awareness is one of the thirteen
security components required in the COV ITRM
Standard SEC2001-01.1.
6. Who Must Have Security
Awareness Training?
All new employees who use information
technology or have access to areas where
information resources reside, must receive
formal training within 30 days
Refresher training must be provided to all
personnel annually at a minimum
7. What Are User Personal
Responsibilities?
Report security violations
Develop “end-of-day” security procedures
Practice proper telephone and e-mail security
Clear physical area in office of sensitive data
when not in office
Do not leave your portable unattended
Lock your office, if possible
8. What Are the
Consequences for
Security Violations?
Risk to security and integrity of personal or
confidential information
Los of employee and public trust resulting in
embarrassment and bad publicity
Costly reporting requirements in case of compromise
of sensitive information
Internal disciplinary action(s) up to and including
termination of employment, possible penalties,
prosecution, & potential for sanctions/lawsuits
9. What Must Be Included in
the Security Awareness
Training Program?
Provide both general and position
appropriate security awareness content
Specify timeframes for receiving initial,
ongoing and refresher training
Be documented on an auditable medium
Be approved by the Information Systems
Security Officer
10. How Is Security
Awareness Training
Documented?
Receipt of training must be documented in
employee’s personnel file with employee’s
acknowledgement of receipt and understanding
All training must be documented and filed with
Information Systems Security Officer and
available for audit
11. How Can Training Be
Delivered?
New employee orientation
General sessions
Departmental sessions
Web delivery via Web Pages, PowerPoint or video
Tip of the month via email to distribution lists
12. How Can Training Be
Delivered?
Posters
Brochures
“Security Day”
Brown bag lunch sessions
14. How Do I Secure My
Computer?
Use a firewall
Use strong passwords
Use antivirus software
Install security patches
Share files correctly
Back up files regularly
Don’t store sensitive information on hard
drive
15. How Can I Prevent
Spyware on my
Computer?
Avoid free tool bars for your browser since
they may come with spyware
Regularly use spam cleaners to remove
spyware.
17. How Do I Use USB Flash
Drives Safely?
Back up files on USB flash drive
Do not store sensitive data, such as SSNs or
student grades, on USB flash drive
If possible, use password to protect data on
USB flash drive
Remember to remove drive from your
computer before walking away
19. What Is Safe Email
Practice?
Don’t open email attachments unless you
know what they are.
Don’t open, forward or reply to spam or
suspicious emails; delete them.
Be aware of sure signs of scam email.
• Not addressed to you by name
• Asks for personal or financial information
• Asks you for password
• Asks you to forward it to lots of other people
20. Safe Email Practice
Don’t click on website addresses in emails
unless you know what you are opening.
Use official VCCS student email to
communicate with students about grades or to
provide feedback on assignments.
Report email security concerns to IT Help Desk.
21. How Do I Recognize
Phishing?
Phishing is type of email or instant message
scam designed to steal your identity.
Phishing is the act of attempting to
fraudulently acquire sensitive information,
such as usernames, passwords, and credit
card details, by masquerading as trustworthy
entity in electronic communication using
email or instant message.
22. How Can I Safeguard
Against Phishing?
Don’t reply to email or pop-up messages that ask
for personal or financial information.
Don’t click on links in email or instant message.
Don’t cut and paste link from questionable
message into your Web browser.
Use antivirus and firewalls and update them
regularly.
Don’t email personal or financial information.
23. If you are scammed, visit Federal Trade
Commission’s Identity Theft website –
www.consumer.gov/idtheft
25. How Do I Protect Sensitive
Data?
Protect sensitive information on lists and
reports with social security numbers (SSNs).
Limit access to lists and reports with SSNs to
those who specifically need SSNs for official
college business.
Never store SSNs or lists with SSNs on
laptops or home computers.
Save and store sensitive information on server
managed by campus or college IT staff.
26. Protection of Sensitive
Data
Never copy sensitive data to CDs, disks, or
portable storage devices.
Do not sore lists with sensitive information on
the Web.
Lock printed materials with sensitive data in
drawers or cabinets when you leave at night.
When done with printed sensitive material,
shred them.
27. Protection of Sensitive
Data
Remove sensitive materials from printer right
away.
If problem with printer, turn off printer to remove
sensitive material from printer’s memory.
Personally deliver sensitive materials to recipient
or distribute information electronically using
College’s email system.
Arrange for shared electronic file that requires
user ID and password.
29. What Are the Password
Security Guidelines?
Passwords must be treated as sensitive and
confidential information.
Never share your password with anyone for
any reason.
Passwords should not be written down, stored
electronically, or published.
30. Password Security
Guidelines
Be sure to change initial passwords, password
resets and default passwords first time you log in.
Use different passwords for your different
accounts.
Create passwords that are
• not common,
• avoid common keyboard sequences,
• contain personal information, such as pets & birthdays.
32. What Are the Steps to
Take to Ensure Safe
Computing?
Use cryptic passwords that can’t be easily
guessed and protect your passwords.
Secure your area, files and portable equipment
before leaving them unattended.
Make sure your computer is protected with
anti-virus and all security patches and updates.
33. Steps to Ensure Safe
Computing
Make backup copies of data you do not want to
lose and store the copies very securely.
Don’t save sensitive information on portable
devises, such as laptops, memory sticks, PDAs
data phones, CDs/DVDs.
Practice safe emailing.
Be responsible when using the Internet.
34. Steps to Ensure Safe
Computing
Don’t install unknown or suspicious programs
on your computer.
Prevent illegal duplication of proprietary
software.
Protect against sypware/adware.
35. How Should I Report
Security Incidents?
Immediately report suspected security
incidents & breaches to your supervisor and
the IT Help Desk.
37. Resource Handout
Use the handout found on the IT Security
Awareness Training website as easy
reference for steps to follow to ensure
information security.
38. College and Campus
Resources
Contact the IT HelpDesk
ithelpdesk@nvcc.vccs.edu
703-426-4141
Contact the Office of Instructional & Information
Technology Support Services
703-323-3278
Contact your campus Information Technology
Manager (ITMs)
39.
Campus IT Staff
Contacts
Dave Babel (AL) dbabel@nvcc.vccs.edu
703-845-6019
Bruce Ghofrany (AN) bghofrany@nvcc.edu
323-4259
Jeff Howlett (MEC) jhowlett@nvcc.vccs.edu
703-822-6666
Kevin Kelley (LO) kkelley@nvcc.edu
703-450-2569
Lynn Bowers (MA) lbowers@nvcc.vccs.edu
703-257-6652
Lynn Feist (WO) nvfeisl@nvcc.vccs.edu
703-878-5659
Peter Tharp (CS) ptharp@nvcc.vccs.edu
703-323-3705
Tom Pyron (ELI) jpyron@nvcc.edu
703-323-3800