
Security Awareness Training - For Companies With Access to NYS "Sensitive" Information

Presentation to a New York not-for-profit corporation on compliance with New York laws regarding security awareness and data breach notification


  1. Information Security User Awareness and Best Practices
     Presented by David A. Menken, Smith Buss & Jacobs, LLP, December 15, 2014
     David A. Menken, Esq., Smith Buss & Jacobs LLP, 733 Yonkers Avenue, Yonkers NY 10704, 914-457-4186
  2. (title slide, no text)
  3. Importance of Security
     The Internet allows an attacker to attack from anywhere. Malicious code from an email, a web page or a USB drive can infect the entire organization. A breach is often the result of a simple mistake.
     What you risk with poor security knowledge and practice:
     • Risk of identity theft
     • Risk of monetary theft
     • Risk of cancellation of contracts
     • Risk of a lawsuit (for you and your company)
     • Risk of liability for fines and penalties
     • Risk of termination of employment if company policies are not followed
  4. What We Need to Take Away
     • Security: We must protect our computers and data in the same way that we secure the doors to our homes.
     • Safety: We must behave in ways that protect us against the risks and threats that come with technology.
  5. Why We Are Here This Morning
     You have access to NYS Government information, so your organization must comply with NYS Cyber Security Policy P03-002 v3.4 in its data handling and data confidentiality requirements:
     • Information must be housed only on internal servers
     • Information must be segmented from the rest of EIC's network
     • Access must be controlled by encryption per AES254 standards
     • Access must be contingent on role-based permissions and strong passwords
     • Information must be secured behind a strong firewall and not available to the Internet
     • Information can be unencrypted only to perform data analysis
     • When information is destroyed, it must be destroyed pursuant to DOD-grade destruction standards
     • Security must be monitored in real time
     • Employees must be trained in security awareness
  6. Why We Are Here This Morning: Employees MUST Undertake Training
     1. New employees must receive general security awareness training, including recognizing and reporting insider threats, within 30 days of hire.
     2. Additional training must be completed before access is provided to specific sensitive information not covered in the general security training.
     3. All security training must be reinforced at least annually and must be tracked by your company.
  7. How We Can Detect an Intrusion/Malware
     • Antivirus software detects a problem
     • Pop-ups suddenly appear
     • Disk space disappears
     • Home page changes
     • Files or transactions appear that should not be there
     • System slows down to a crawl
     • Unusual messages, sounds, or displays
     • Your mouse moves by itself
     • Frequent firewall alerts about unknown programs trying to access the Internet
     • Your computer shuts down and powers off by itself
     • Often we cannot detect an intrusion
  8. (image slide, no text)
  9. Best Practices to Preserve Security: Handling Sensitive Data
     • Protect all "sensitive" data and files. "Sensitive" means data, documents, or files which, if compromised, would have an adverse effect on the company or its employees or customers.
     • Store data in a secure physical environment, only on devices owned and approved by IT Support.
     • Encrypt and password-protect data when in transit (email) or on mobile devices (laptops, CDs, USB "thumb" drives).
     • NYS data has special encryption requirements.
  10. Best Practices to Preserve Security: Handling Devices and Files
     • Only devices owned or approved by IT Support may be connected to the systems. See the "Bring Your Own Device" Policy.
     • PCs must be manually locked when unattended and must automatically lock after a period of inactivity.
     • PCs must require a password to re-activate.
     • Files must be stored and backed up on the server, not on the desktop or C: drive.
  11. Best Practices to Preserve Security: Handling Logons and Passwords
     • Passwords must comply with security standards
     • A good password is:
       • yours alone
       • secret
       • easily remembered by you
       • at least 8 characters, complex
       • not guessable
       • changed regularly (every 90 days)
     • 5 unsuccessful attempts will lock your account
     • System or browser may not be configured to remember (cache) passwords
     • Users may NEVER share passwords for any reason
     • Two-factor authentication
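How the password rules on this slide translate into enforceable checks, as an added example that is not part of the presentation: a policy validator for the stated length, complexity and guessability rules, plus an account record that locks after 5 failed attempts and flags a password older than 90 days. The denylist, salt and sample accounts are constructed for illustration, and the stored verifier uses salted PBKDF2 rather than the password itself.

```python
# Added example (not from the presentation): enforces the slide's stated password
# rules (8+ chars, complex, not guessable, 5-attempt lockout, 90-day rotation).
# The denylist, salt and sample accounts are constructed for illustration.
import hashlib
import hmac
import re
from datetime import date, timedelta

MIN_LENGTH, MAX_FAILED_ATTEMPTS, MAX_AGE_DAYS = 8, 5, 90
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein", "qwerty123"}  # constructed

def password_policy_violations(password: str, username: str) -> list:
    """Return the rules a candidate password breaks; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if sum(bool(re.search(c, password)) for c in CHARACTER_CLASSES) < 3:
        problems.append("not complex")  # needs 3 of: lower, upper, digit, symbol
    if password.lower() in COMMON_PASSWORDS or username.lower() in password.lower():
        problems.append("guessable")  # common password or contains the username
    return problems

def derive_verifier(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored record never holds the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, username: str, password: str, last_changed: date):
        self.username = username
        self.salt = b"constructed-salt"  # would be random per account in real use
        self.verifier = derive_verifier(password, self.salt)
        self.last_changed = last_changed
        self.failed_attempts = 0
        self.locked = False

    def attempt_login(self, password: str, today: date) -> str:
        """One logon attempt: returns 'ok', 'denied', 'locked' or 'expired'."""
        if self.locked:
            return "locked"
        if not hmac.compare_digest(derive_verifier(password, self.salt), self.verifier):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True  # stays locked until an administrator resets it
                return "locked"
            return "denied"
        self.failed_attempts = 0  # a successful logon resets the counter
        # correct password, but report when the 90-day rotation is overdue
        return "expired" if today - self.last_changed > timedelta(days=MAX_AGE_DAYS) else "ok"
```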
  12. Best Practices to Preserve Security: Handling Security Updates and Patches
     • Configure operating systems for automatic security updates and patches
     • Configure applications for automatic security updates and patches (e.g., MS Office, Acrobat)
     • Configure security software to scan web pages, email, attachments, and downloads
     • Keep security software up to date and configured for regular scans
  13. Best Practices to Preserve Security: Handling Physical Security
     • Lock your workstation when you leave your desk or leave your laptop/mobile device unattended
       • Press the Windows Key and "L" (at the same time)
       • Press Ctrl-Alt-Del and "Lock Computer"
     • Lock sensitive documents and materials in a file cabinet
     • Dispose of sensitive materials appropriately
     • Never share your access key, card or fob
     • Always question unescorted strangers
     • Immediately report all suspicious activities and breaches of physical security
  14. Best Practices to Preserve Security: Handling Email Threats
     • Don't fall prey to "social engineering"
     • Do not open email attachments unless you are expecting the email with the attachment and you trust the sender.
     • Do not click on links in emails unless you are absolutely sure of their validity.
     • REMEMBER: The most prevalent and persistent threats to your security come to you in your Inbox, even supposedly from people you may know.
     • They all have this in common: they are designed to get you to click on an item like an attachment, link or picture.
     Stop - Think - Then (maybe) Click
  15. Best Practices to Preserve Security: Handling Threats from Your Browser
     • Browsing Can Be Hazardous To Your PC
     • The Common Threat: On the web, the threats come from malicious links.
     • Most of the threats come when you click on a link that launches a malicious program or redirects you to a dangerous site.
  16. Best Practices to Preserve Security: Handling Telework Threats
     • Mobile Workers: Be Careful With Your Connections
     • Assume public wireless networks are not secure
     • Use a Virtual Private Network: Allows you to launch a secure Internet connection
     • Device Encryption: Should be installed on all mobile devices that connect to company systems
  17. Reported Data Breaches of Not-for-Profit Corporations in 2014 (reported by Privacy Rights Clearinghouse)
     • Oct. 2014: Community Technology Alliance (provides tech support to non-profits in San Jose) notified individuals of a potential compromise of their personal information when an employee's laptop was stolen.
     • Sept. 2014: (life sciences non-profit in Bay Area) notified individuals of a data breach to their online payment system. The hacker, via an email, inserted files that captured keystrokes of visitors to their site.
     • July 2014: Central City Concern (poverty and homelessness NGO in Oregon) suffered a data breach when unauthorized access by a former employee resulted in the breach of client data.
     • March 2014: Service Coordination Inc. (provides services to the developmentally disabled in Maryland) suffered a breach involving one file which contained SSNs and medical info of 9,700 clients when someone hacked its computers.
  18. New York Data Breach Law
     N.Y. St. Tech. Law §208 (applies to state agencies) and N.Y. Gen. Bus. Law §899-aa (applies to business)
     • Guarantees persons the right to know what private information was exposed during a breach, so that they can take the necessary steps to both prevent and repair any damage incurred.
     • Obligates any person or business that conducts business in NY and owns or licenses computerized data that includes private information, or any person or business that maintains such data, to notify a person whose unencrypted data was stolen.
  19. New York Data Breach Law: Definition of "Private Information"
     • Personal information of a natural person (i.e., information which can be used to identify that person, such as name or email address)
     • In combination with any one or more of the following data elements:
       (1) Social security number
       (2) Driver's license or similar identification
       (3) Account number, credit/debit card number, in combination with password or security code
     • When either non-encrypted, or encrypted with a data key that was also acquired
  20. If you have any questions please contact me:
     David A. Menken, Smith Buss & Jacobs LLP, 733 Yonkers Avenue, Yonkers NY 10704, 914-457-4186