Garry Bolland
Information Security Officer / Data Protection Office x3671
Security is a Culture
Protection of Personal Data
Security starts at Home
• Have an updated Virus (& Malware) checker
• Use Strong Passwords
• Don’t download from unknown sites
• Don’t open emails from unknown sources
• Keep your security software patches up to date
• Back-up copies of important/precious files, etc.
• Shop online Safely
• Beware of Bogus calls for Computer help
Gameover (Zeus)
• http://www.getsafeonline.org/
• https://www.getsafeonline.org/themes/site_themes/getsafeonline/pdf/GetSafeOnline_RoughGuide.pdf
• https://www.cyberstreetwise.com/
• http://ceop.police.uk/safety-centre/
• http://www.bbc.co.uk/webwise/0/22717886
• Victim of Malware – http://www.actionfraud.police.uk/scam-emails
• Or call 0300 123 2040
Email – Phishing Scams
Don’t get hooked by a bogus eMail
Stop & Think
DON’T CLICK
What is a Phishing Attack?
• Phishing is the act of attempting to acquire sensitive
information such as usernames, passwords, and credit
card details (and sometimes, indirectly, money) by
masquerading as a trustworthy entity in an electronic
communication.
• Phishing is typically carried out by email spoofing or
instant messaging, and it often directs users to enter
details at a fake website whose look and feel are
almost identical to the legitimate one.
Example – Phishing 1
Guidance from Tax Office
• HM Revenue & Customs (HMRC) will never send
notifications of a tax rebate / refund by email, or ask
you to disclose personal or payment information by
email.
• Do not visit the website contained within the email or
disclose any personal or payment information.
• http://www.hmrc.gov.uk/security/examples.htm
Guidance from RLBUHT
• Don’t click on any links within the email
• Do NOT respond
• Save the email (Save As)
• Forward to Server Team
• They will get N3 network to BLOCK that email address
• Brightmail should remove any Virus Component
• Delete Email
Example – Phishing 2
Barclays - 2
Example - 1a
Example - 1b
Example – 2a
Example – 2b
Example 3a
Example 3b
What are Data Flows?
• Data Flows are a requirement that must be completed every 2 years
• They are done per Department for every item of Data (PID) that flows into / out of the Trust
• They take the form of a spreadsheet that asks for every process by which data flows, i.e. by letter, fax, email, File Transfer Protocol (FTP), etc.
• Phase out Fax & send encrypted email (PGP).
What are Data Flows - Spreadsheet?
Email Usage
Email is a business tool and the language used in all correspondence should reflect this
Staff should not use abusive language or profanity in any correspondence regardless of who it’s being sent to
Email filtering software is currently in place that monitors all incoming and outgoing Email for abusive language and profanity
Staff must also not send any Personal Identifiable Data (PID) or commercially sensitive data insecurely. Here are some do’s and don'ts:
• RLBUHT Trust to RLBUHT Trust - Secure
• NHS Mail to NHS Mail - Secure
• NHS Mail to the following domains - Secure: x.gsi.gov.uk; .gsi.gov.uk; gse.gov.uk; gsx.gov.uk; pnn.police.uk; csjm.net; scn.gov.uk; gcsx.gov.uk; mod.uk
• RLBUHT Trust to another Trust – not secure
• RLBUHT Trust to NHS Mail - not secure
• NHS Mail to RLBUHT Trust - not secure
PGP – Email Encryption (sending)
• Within Outlook select Tags
• Select Sensitivity Drop-down
• Change Normal to Confidential
• Select Close
• Send as normal
• Recipient gets re-directed to the RLBUHT portal
• Recipient enters passphrase
• No patient names, patient numbers or DOB in the subject/header (the header is not encrypted).
PGP – Email Encryption (receiving)
Certificate Error
Initial Setup
PGP – Email Encryption (receiving)
PGP – Email Encryption (receiving)
PGP – Email Encryption (receiving)
Facebook & Twitter
• Facebook is an online (internet) social networking
service
• It enables people & groups to chat, share ideas &
photographs
• The Trust allows the use of this facility during allocated
lunch breaks for personal use
• It does not allow ‘posting’ of Trust related information
• Do not post anything that may bring the Trust into
disrepute – Don’t be a Twit be a careful Tweeter
• Warning - Facebook has a license to use your content
in any way it sees fit.
Blogs
• A blog (a truncation of the expression web log) is a personal website or web page on which an individual records opinions, links to other sites, etc. on a regular basis
• As for Facebook, don’t bring the Trust into disrepute
• And certainly don’t start to record medical information, even if anonymised.
• You will be asked to remove and delete it
Why shouldn’t ‘we’ be using XP?
• Microsoft no longer supports XP (since July 8th 2014)
• Anti-Virus Vendors may stop supporting XP (MSE to July 2015)
• Greater exposure to vulnerabilities
• Patch Tuesday fixed the latest IE Flaw
• Migrate to Windows 7 (or Windows 8)
• But not all processes run on Win7/8 (Risk)
• Residual Risk or Accept
Why are some Sites Blocked?
• Both large and small companies block sites to cut down on security breaches
• and boost productivity (Facebook etc. now OK)
• To prevent downloading viruses and malicious code
• To prevent unauthorised software
• To prevent breaches of licensing / copyright law
Why can’t I just download any software?
• Control of Software
• Trust Process
– IT Asset Management Policy - Section 9
– Design Board – Meets every 3rd Tuesday of the Month
– Project Mandate Form
– Software Request Form
Why do I need an NDA?
• Non–Disclosure Agreement (NDA)
– Is required when outside contractors handle patient, staff or financial Trust data
– Is a legal contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share with one another
• Information Sharing Agreement (ISA)
Why do I need an ISA?
• Information Sharing Agreement (ISA)
– Is required when outside contractors handle patient, staff or financial Trust data, i.e. when data is shared, copied, moved off site (or viewed by external Contractors)
– Is a legal contract between at least two parties
– Data Controller
– Data Processor
What is the IG Toolkit?
• It is a requirement placed on all NHS
organisations (or partners)
• The Information Governance Toolkit (IGT) is an
online tool that enables organisations to
measure their performance against the
information governance requirements
• To provide NHS organisations with a means of self-assessing performance against key aspects of information governance
Who are the ICO?
• The Information Commissioner’s Office is the
UK’s independent authority set up to uphold
information rights in the public interest,
• promoting openness by public bodies
• and data privacy for individuals
• And they have the ability to fine the Trust up to
£500,000 per incident if a breach is caused
Why do I need a Clear Desk Policy?
• Information needs to be Protected (especially outside normal working hours)
• Need to Know Principle
• Lock unused documents in desks or lock the whole office
• Lock PCs when not in use
• File documents so that they can easily be referenced or located
• A Tidy Ship is a Happy Ship
What is an IAO/IAA?
• Trust systems that store information (patient,
staff or financial) are information Assets
• If you are a Manager of a Department or a
System then it is likely you are an Information
Asset Owner (IAO) or if you administer it you
are an Information Asset Administrator (IAA)
• As an IAO/IAA you have to manage this asset and any risks associated with it, as defined by Policy
What is DATIX?
• Software for Patient Safety
– A tool to register clinical incidents within the Trust
• Software for IT Risks
– A tool to register IT incidents/risks within the Trust
– Additional access over & above clinical risks for IT
Project Risks (TB)
Am I being Monitored?
• Data Loss Prevention (DLP) is an automated tool that monitors all outgoing email for patient, staff or financial information (Outlook or Web Mail)
• Websense is an automated tool that monitors all
web traffic and blocks certain web sites
• All Clinical Systems have account log in details
& monitor who logs in and when
• Note Tablets/Laptops & Desktops have tracking
• You have been Warned.
Programme Managers
• Need to know how IG relates to programs
• IG Checklist
– Privacy Impact Assessment
– NDA/ISA & Data Flows
– Does it contain PID
– Is it being transferred Securely
– Asset Register and Risk Assessments (IAO/IAA)
– Design Board
– Requirements to satisfy IG Toolkit
On Line IG Training - ESR
•Use Your Smart Card and sign into ESR
They are Watching
Any Questions?
Questions?
Security is a Culture GB v 9
Editor's Notes

Email is a business tool and the language used in all correspondence should reflect this. There are filtering tools that block emails containing any profanity, so please don’t place any inappropriate language in your emails. Remember your emails belong to the Trust and can be requested under FOI. And never put anything into an email that you are not prepared to say face to face. Please follow these basic rules around sending personal identifiable data securely: NHS Mail to NHS Mail is the only secure emailing method for this Trust. And remember that we can supply your manager with a report on your internet access. Do not send any identifiable information via a Google mail account, a Hotmail account or any personal account, as firstly this is not secure and secondly it can be freely distributed. Anything sent by Gmail becomes the intellectual property of Google. Re the Patriot Act in America. For consultants: do you email information to patients, and what does it contain? Does it include demographics or clinical information? Please make sure that you read a copy of the email and internet policy, as this presentation only covers a very small amount of the guidance relating to email and internet usage. In relation to sending any emails containing personal identifiable information, from now on: 1st offence PW; 2nd meeting with PW & JN; 3rd Disciplinary.