Employee Security Awareness Program
Publish this Employee Security Awareness Program in your company\'s newsletter to reach all employees.

Document Transcript

EMPLOYEE SECURITY AWARENESS PROGRAM
By David Currie, CPA, CIA, CISA
david.currie@earthlink.net
TABLE OF CONTENTS
  • Physical Security ..... 2
  • Don’t Play in Traffic on the Information Superhighway ..... 3
  • Password Security ..... 4
  • Cyber Hoaxes ..... 5
  • Fax Security ..... 6
  • Voice Mail Security ..... 7
  • Telecomm Security ..... 8
  • Dos & Don’ts of Info Security (Hardware and Software) ..... 9
  • Information Security Policies ..... 10
  • Laptop Security and Air Travel ..... 11
  • Questions ..... 12
PHYSICAL SECURITY

Physical security is an important component of the information protection program at Your company. Below are some tips that can help you avoid overlooking physical security.

The 10 Commandments of Physical Security
  • Never walk away from your computer while you are logged onto the mainframe, local area network, e-mail, or an application.
  • Always log out before leaving your desk, even if it’s just for a minute.
  • Don’t write down your password and leave it lying around your workstation.
  • Adhere to a clean-desk policy. Keep your area clean and uncluttered. Clear off your desk at the end of every workday.
  • Make time at the end of your day to secure your work area.
  • Use the locks on your desk, file cabinets, and diskette storage cases.
  • Don’t leave sensitive information lying around. Make sure all documents and diskettes are secured properly.
  • Dispose of sensitive information properly. Shred sensitive documents. If you’re discarding or recycling diskettes, make sure that they have been erased, not simply re-initialized.
  • Be careful not to damage diskettes or other media. Never use a ballpoint pen to write directly onto a labeled diskette.
  • Don’t eat or drink near your computer or other electronic media. Liquids spilled on your PC or keyboard can cause serious damage.

INFORMATION SECURITY ALWAYS MATTERS!
DON’T PLAY IN TRAFFIC ON THE INFORMATION SUPERHIGHWAY

How can you avoid getting into an accident on the Information Superhighway? By adhering to the simple set of guidelines outlined below.

I will:
  • Protect your company’s information from unauthorized access, modification, duplication, destruction or disclosure.
  • Protect my password and not share it with anyone.
  • Only transmit information that is unclassified.
  • Comply with copyright and software licensing agreements.
  • Report any suspicious activity or suspected compromises of your company’s information systems to the Information Security Officer.
  • Scan files downloaded from the Internet with anti-virus scanning software.

I will not:
  • Download games, viruses, unlicensed software, or offensive materials.
  • Use company-provided Internet access for unauthorized activities.
  • Transmit messages that adversely affect the company’s image.
  • Use another person’s password to access the Internet.
  • Transmit confidential information.
CREATE STRONG PASSWORDS AND CHANGE FREQUENTLY

Don’t think of your password as a way to get into your computer; think of it as a way to keep others out. Don’t think of your password as a free ticket; think of it as an expensive, highly prized, easily pocketed item coveted by dishonest insiders, malicious hackers, and unethical competitors alike. Your password should be a mix of letters and numbers, and you should change it frequently.

Here are some hints for creating strong passwords:

Technique                                              | Words                       | Password
String several words together, adding numbers          | I LOVE YOU                  | ILOVE44U
Repeat words and add numbers                           | BAT                         | BAT22BAT
Spell a word phonetically                              | Telephone                   | TELEFON6
Combine personal facts                                 | Age + Favorite Color        | 29YELLOW
Substitute an I or O with a 1 (one) or 0 (zero)        | Noisy Kid                   | N01SYK1D
Use an acronym from an easy-to-remember phrase         | A Stitch in Time Saves Nine | ASITS9

Never use a password that you have read on a password protection checklist like this one. Follow the techniques suggested, but don’t use the examples given.
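As an added example, not part of the original program, the following Python check enforces the two rules this page states (a mix of letters and digits, and no password copied from this checklist) and also catches a checklist example entered with the 1/I or 0/O substitution reversed, which the plain blocklist would miss. The eight-character minimum, the function names and the error strings are this example's own assumptions; the six sample passwords are the page's.

```python
import re

# The sample passwords printed on the checklist above (the page's own examples).
# The page says never to use a password that appears on a checklist like this one.
CHECKLIST_EXAMPLES = {"ILOVE44U", "BAT22BAT", "TELEFON6", "29YELLOW", "N01SYK1D", "ASITS9"}

# Reverse the "substitute 1 for I and 0 for O" technique so that NOISYKID,
# N0ISYKID and N01SYK1D all compare equal.
_UNSUBSTITUTE = str.maketrans({"1": "I", "0": "O"})


def normalise(password: str) -> str:
    """Upper-case the password and undo the 1->I / 0->O substitutions."""
    return password.upper().translate(_UNSUBSTITUTE)


_NORMALISED_EXAMPLES = {normalise(p) for p in CHECKLIST_EXAMPLES}


def check_password(candidate: str, min_length: int = 8) -> list[str]:
    """Return the policy violations found in candidate; an empty list means it passes.

    The letter/digit rule and the checklist blocklist come from the page. The
    minimum length is an assumption of this example; the page states none.
    """
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("contains no letters")
    if not re.search(r"[0-9]", candidate):
        problems.append("contains no digits")
    if candidate.upper() in CHECKLIST_EXAMPLES:
        problems.append("is an example from the password checklist")
    elif normalise(candidate) in _NORMALISED_EXAMPLES:
        problems.append("is a checklist example with the 1/I or 0/O substitution changed")
    return problems


if __name__ == "__main__":
    for pw in ("ILOVE44U", "noisykid", "Kx7m2Qp9Lz", "ASITS9"):
        verdict = check_password(pw)
        print(f"{pw!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The comparison is done on an upper-cased, de-substituted copy of the candidate so that changing case or swapping a 1 back to an I does not turn a published example into an "original" password.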
CYBERHOAXES

“Good Times” is perhaps the most infamous virus hoax. It claimed that “the Federal Communications Commission had discovered a virus that would destroy your computer’s processor by setting it into an nth complexity infinite loop.” It was a source of aggravation and confusion for months. At the height of the hysteria, “Good Times” e-mail messages brought down one major corporation’s whole network of networks.

What you can do about cyber hoaxes

Being a good “On-line User” means taking both individual and collective responsibility for what happens on-line. Some cyber hoaxes and urban legends may appear amusing, but the dangers are real.

If you receive an e-mail message warning you about some imminent danger or spreading some outlandish tale not reflected in the mainstream media, don’t act without thinking first. Ask yourself, “Is the content of this message plausible?” “Is the alleged source of this message plausible?” If the countless users who unwittingly spread the “Good Times” message around the globe had taken a moment to ask themselves when they had last received an e-mail message of any kind from the FCC, the resounding answer would have been “never” and the hoax would have sunk into oblivion.

If you receive an unsolicited e-mail message of an unusual nature (especially one purporting to warn of on-line dangers) and it suggests that you forward it to other on-line users—don’t do it! That’s another common sense tip that would have ended “Good Times” early on.

If you receive any such unusual messages, you should contact your Information Security Officer before doing anything. But you might just call on the phone instead of simply forwarding the e-mail—in many cases, the intent of the cyber hoax is to bring down the network by the sheer volume of messages.
FAX SECURITY

People don’t generally think of fax machines when they think of industrial espionage or information warfare. Faxes are relatively low-tech. They aren’t perceived as dangerous. They’re easy to use. But their seemingly harmless functionality can be deceiving. These simple devices have had a dramatic impact on how business communications are conducted.

What can you do to help with fax security

Many common sense fax security tips are similar to those urged for voice and e-mail.
  • Don’t send a fax containing anything that you wouldn’t want to hear on the evening news.
  • Don’t send faxes of a personal nature on company time or using company fax equipment.
  • Never hurry the typing in of an outgoing fax number. Go slow and double-check yourself.
  • Take extra care whenever you send a broadcast fax.
  • Don’t let incoming faxes simply pile up and spill over. Get them properly distributed.
  • If you’re sending information intended only for the recipient, call the recipient before and after sending the fax.
VOICEMAIL SECURITY

Hackers and phreakers are adept at gaining access to outside lines through voice mail boxes, then running up costly long-distance phone bills for the victimized organizations. Hackers, phreakers, and even drug dealers are known to use abandoned voice mail boxes on large corporate systems to traffic in contraband and conduct other nefarious activities. Below is a checklist to help you in promoting voice mail security:

Checklist
  • When you first receive voice mail privileges, you should change your password immediately. And, just as with your e-mail account and network access, come up with a password that is easy for you to remember but difficult for someone else to guess. Use a clever mix of letters and numbers.
  • Change your password frequently, at least every 30 days. Remember that your voice mail account is on the front line of information security.
  • Don’t share your password with anyone.
  • Record a personalized greeting in your own voice.
  • Delete messages after you’ve listened to them.
  • Don’t leave messages that contain sensitive, confidential, or personal information in a voice mail box.
  • Report strange or suspicious voice mail messages to your Information Security Officer. Don’t delete such messages—they may yield vital evidence.
  • If you are aware of a still active voice mail box for an employee that has been terminated or transferred, notify your information security personnel.
  • Take some time to learn about the voice mail system. This knowledge will help you detect breaches in telecommunications security.
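The checklist relies on employees noticing a still-active mailbox that belongs to someone who has left. As an added example, not part of the original program, the Python routine below turns that item into a periodic control: it compares a mailbox export against the HR roster and flags boxes whose owner is terminated or transferred, boxes with no owner on the roster at all, and boxes nobody has logged into for a long time (the idle threshold is an extra heuristic for spotting abandoned boxes). The sample data, field names, status values and the 90-day threshold are constructed assumptions for illustration; the two systems are assumed to share the owner's login name.

```python
from datetime import date

# Constructed sample data for this example; none of it is real. "owner" is the
# login name the voice mail system records for the box, or None when it has none.
MAILBOXES = [
    {"extension": "4101", "owner": "alice", "last_login": date(2024, 5, 2)},
    {"extension": "4102", "owner": "bob", "last_login": date(2024, 1, 15)},
    {"extension": "4103", "owner": "carol", "last_login": date(2024, 5, 1)},
    {"extension": "4104", "owner": "dave", "last_login": date(2023, 11, 3)},
    {"extension": "4105", "owner": None, "last_login": date(2024, 4, 28)},
]

# Constructed HR roster: login name -> employment status.
ROSTER = {
    "alice": "active",
    "bob": "terminated",
    "carol": "transferred",
    "dave": "active",
}

AUDIT_DATE = date(2024, 5, 10)  # fixed so the run is reproducible


def find_suspect_mailboxes(mailboxes, roster, today, max_idle_days=90):
    """Return (extension, reason) pairs for mailboxes that need follow-up.

    Checks, in order of precedence for each box:
      1. no owner, or an owner unknown to HR (nobody is accountable for it),
      2. owner terminated or transferred (the page's checklist item),
      3. no login within max_idle_days (assumed threshold, not from the page).
    """
    findings = []
    for box in mailboxes:
        owner = box["owner"]
        status = roster.get(owner) if owner else None
        if status is None:
            findings.append((box["extension"], "no owner on the HR roster"))
        elif status != "active":
            findings.append((box["extension"], f"owner {owner} is {status}"))
        elif (today - box["last_login"]).days > max_idle_days:
            findings.append((box["extension"], f"unused for more than {max_idle_days} days"))
    return findings


def run_audit():
    """Audit the constructed sample data as of AUDIT_DATE."""
    return find_suspect_mailboxes(MAILBOXES, ROSTER, AUDIT_DATE)


if __name__ == "__main__":
    for extension, reason in run_audit():
        print(f"mailbox {extension}: {reason}")
```

Running it against the sample data reports four of the five boxes; only the box whose owner is active and who logged in recently is left alone. The findings are what you would hand to information security personnel, as the checklist asks, rather than acting on the mailboxes directly.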
TELECOMM SECURITY

Cellular phones are the single most insecure medium over which to have a confidential conversation. It is a fairly trivial matter (and a common one) for hobbyists to listen in on cellular phone calls. For the middle class of organized crime, it is a way of life. For corporate raiders and foreign spies, it is standard operating procedure.

Here are some suggestions on how to thwart cellular eavesdroppers:
  • Be careful about what kind of information you discuss over cell phones.
  • Answer your cell phone by saying “hello,” instead of your full name and company name, to retain some anonymity.
  • Remind the person at the other end of the line that cellular communications are very insecure.
  • If you’re forced to discuss confidential or sensitive information, try to use only first names of key players and try to avoid naming the different corporate entities involved.
  • Understand that when you dial into your organization’s voice mail system via cell phone, it is possible for an eavesdropper not only to hear your messages as you do, but more importantly to record and be able to replay the exact tones of your voice mail password.

Even pagers are being exploited in telecommunications fraud. One scam involves someone sending pages to get people to dial a number that results in a billing of $25 or $30 each, like a 900 or 976 number. Many of these scams use numbers in the 809 Caribbean area code. There is no warning prior to the charge being assessed. This scam preys on the natural tendency of diligent and harried workers to immediately respond to a page, thinking it’s a potential customer. When the victim ends up reaching a weather report for the Sub-Sahara or an X-rated chat line in Trinidad, they simply hang up thinking they dialed the wrong number or the person paging them entered the wrong digits.
DOs AND DON’Ts OF HARDWARE AND SOFTWARE SECURITY

“Hardware” is physical equipment, including mechanical, electronic, and magnetic components, used in data processing. “Software” refers to computer programs, instructions, procedures, routines, and possibly associated documentation concerned with the operation of a computer system.
  • DON’T use personally owned hardware or software at the work site to perform work assignments and related functions.
  • DO use only your company-owned hardware to perform job duties.
  • DO use only your company-authorized software.
  • DO comply with all license agreements.
  • DON’T make unauthorized copies of software.
  • DON’T use public domain software.
  • DO take reasonable precautions to prevent damage to hardware and software from food or beverage spills.
  • DO store all removable and concealable items (e.g., diskettes) under lock and key when not in use, if applicable.
  • DON’T eat, drink, or smoke around computer equipment or software.
  • DO take reasonable precautions to ensure the security of the computer when left unattended.
  • DON’T pile papers, printouts, diskettes, etc. on computer equipment.
  • DO protect computer equipment from environmental hazards (i.e., direct sunlight, heat sources, vents, open windows, or other sources of dust and moisture).
  • DON’T make or use illegal copies of proprietary software. Know and obey software copyright laws and licensing restrictions.
  • DO store diskettes in protective storage containers.
  • DO label all diskettes.
  • DON’T touch any exposed areas of the diskette or attempt to open the metal shield.
  • DO keep diskettes away from magnets and magnetized objects, including power supply adapters and telephones.
  • DO provide the diskettes the same level of security as the data stored on them.
  • DO use a password-protected screen-saver, if possible.
INFORMATION SECURITY POLICIES

A successful security program, just like the construction of a building, starts with a strong foundation on which to build. Security policies and procedures are the foundation on which all other security features or disciplines are built. Your company has developed several information security policies to protect its information assets from loss or misuse. It is your responsibility to know and comply with the following policies:
  • Information Asset Protection Policy. The Information Asset Protection Policy is the primary information security policy. It states that all information is an asset of the company and will be protected from unauthorized access, disclosure, modification, or destruction—whether accidental or intentional. This policy provides the framework for implementing an asset protection program.
  • Business Risk Assessment Policy. This policy requires that an annual risk assessment be performed on distributed systems and the applications processed on those systems.
  • Electronic Communications Policy. This policy covers the use of Electronic Communication resources, including connectivity to public and private networks. It also discusses the use of the Internet and e-mail systems.
  • Privacy Policy. All employees are expected to follow this policy. It assures customers that they can continue to entrust the company with customer personal information.
LAPTOPS AND AIR TRAVEL

There has been increased attention lately to the problems of laptop security while traveling. With a substantial number of business travelers carrying laptops, the airport security checkpoint has become the target for a scam aimed at separating you from your laptop.

It involves two persons who look for a victim carrying a laptop and approaching a metal detector. They position themselves in front of the unsuspecting passenger. They stall until the unsuspecting passenger puts the laptop computer on the conveyor belt. Then the first subject moves through the metal detector easily. The second subject sets off the detector and begins the slow process of emptying pockets, removing jewelry, etc. While this is happening, the first subject takes the laptop as soon as it appears on the conveyor belt and moves away quickly. When the passenger finally gets through the metal detector, the laptop is gone. The subject that picked it up travels into the gate area and disappears among the crowd. Sometimes even a third subject will take a hand-off from the first subject, and the computer is out of the restricted area before the passenger even knows that it is gone.

How Do You Avoid Being a Victim?
  • Don’t put your computer on the conveyor until the person in front of you has cleared the detector.
  • Make sure the computer has disappeared into the scanner before you pass through the detector (otherwise someone on the outside can grab it before it goes through).
  • Don’t carry your computer in a clearly definable computer carrying case.
  • If you set off the detector, ask to be checked with the “wand” inside security, where you can watch your computer. If you go back out, the computer, which has already passed through the scanner, may disappear.
Questions?
David Currie, CPA, CIA, CISA
david.currie@earthlink.net