5. INFORMATION SECURITY
Do
Be cautious of suspicious emails & links from strangers & delete them
Keep your desk tidy & shred or lock confidential information
Always use strong, hard to guess passwords & change your password every few months, and immediately if you suspect it has been exposed
Lock your computer or smart phone when not in use
Back up information regularly & use antivirus always
Follow company security protocol & report security incidents to IT personnel
Don't
Respond to emails or calls asking for confidential information
Click on strange links
Use an unprotected computer or internet connection for working on confidential information
Leave confidential information lying on your desk or in the office for visitors to see
Share your password with anyone, even people you know
Store sensitive information on your smart phone
Install illegal or unapproved software
7. REFERENCES
Helmick, J. (2015). Pluralsight: SSCP®: Risk Identification, Monitoring, and Analysis. Retrieved from Helmick, J., CMGT400 - Intro to Information Assurance & Security website.
The Hong Kong Polytechnic University. (2014). Information Technology Services. Retrieved from https://www.polyu.edu.hk/its/general-information/newsletter/97-2015/may-15/405-top-12-information-security-do-s-and-don-ts
Laybats, C., & Tredinnick, L. (2016). Information security. Business Information Review, 33(2), 76-80. doi:10.1177/0266382116653061
Merkow, M. S., & Breithaupt, J. (2014). Information security: Principles and practices (2nd ed.). Pearson Education.
Whitman, M. E., & Mattord, H. J. (2014). Principles of information security (5th ed.). Boston, MA: Cengage Learning.
Editor's Notes
Title Page
Introduction
The topic of security can be a little bit intimidating for new employees. Companies focus heavily on security nowadays, and rightly so: a security breach can cost an organization thousands, and sometimes millions, of dollars in assets, whether tangible or intangible. I feel that this topic has been wrapped in heavy, harsh rhetoric when many security rules follow basic skills we already use.
Back in high school, did you ever cover your paper because you did not want someone to see your answers? That is a simple form of security. That's it. It's not complicated. Taking these kinds of habits and applying them to your workspace today, along with some ground rules set by our company, will help keep your workspace and assets secure.
Risk Management (Part I)
When it comes to information security, risk management is what it's all about. So, what IS risk management? Basically, it is the step-by-step process of identifying the risks to the information systems an organization relies on for daily operation, and weighing each risk against the impact it could have. Risk management looks at the big picture. How do we identify risks? We have to look at each risk specifically and understand why it IS a risk: which asset it affects, which weakness (vulnerability) it depends on, and which threat would exploit that weakness. Then we judge how severe the risk is and make plans to keep it from materializing, or at least to strengthen the weaknesses that make it possible.
C.I.A.
While the initials CIA are well known for the Central Intelligence Agency, in information security they mean something altogether different. They stand for a conventional information security triad that has been in use since the era of large mainframe computers: Confidentiality, Integrity, and Availability. Confidentiality means only authorized people can read information; integrity means information is not altered or destroyed without authorization; availability means systems and information are reachable when authorized users need them. The triad guides the information security policies of an organization. It is meant to shield the valuable information of a business or individual who holds sensitive data on a computer or other information technology, and it gives organizations the basic goals they must meet regarding information security.
Risk Management (Part II)
Risk management is important no matter what department you work in or what subject on which you are working. This is because modern day technology has branched into every part of a business; from the Maintenance Department to the company CEO.
In this second look at risk management, we dig in a bit deeper to break it down to its essence. So, again, what is Risk Management? Risk Management is the method where we identify a risk, evaluate the damage it can cause, and then take the necessary action to shrink that risk to an acceptable level to the organization.
Risk identification, risk assessment, and risk control together form the framework of risk management. So, how comfortable is the company with its degree of risk? To answer this question, we have to work through each step.
Risk Identification. In this step, we need to identify our assets. Not only identify, but we also must take a complete inventory of our assets as well as categorize them. After completion, we then need to classify, prioritize and put an actual value on all the company’s assets. This seems a bit tedious, but we must know what we stand to lose if we have a security breach.
After we complete asset identification, we need to look at our threats. What threats does our company face? We need to identify and prioritize all our threats. After this, we then need to take another look at our assets and try to find all the different vulnerabilities those assets have.
Risk Assessment. Now we rate each risk we identified. For every asset and vulnerability pair, we ask how likely the threat is to occur (how often it has happened to us or to similar organizations is a good guide) and how large the loss would be if it did. Likelihood weighed against impact gives the calculated risk. Was a past loss minimal, or was it a significant security breach? Which risks sit above the level the company can tolerate?
Risk Control. This step is where we actually decide what is considered an "acceptable" loss. Many organizations say that no level of information security loss is acceptable, but it may be more financially sound to reduce a risk to a small residual and accept the remainder, especially if the risk is minor and the next control would cost more than the loss it prevents. Here we choose control strategies and justify each control by weighing its cost against the loss it avoids. These controls need to not only be implemented, but also monitored, because assets, threats and vulnerabilities change over time.
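As an added worked example (not part of the original presentation), here are the three steps above carried through in Python on a constructed inventory of three assets: identification ranks the assets by value, assessment rates each asset/vulnerability pair by its expected annual loss, and control compares a candidate safeguard's cost against the loss it prevents and checks the result against a risk appetite. The single loss expectancy (SLE), annualized rate of occurrence (ARO), annualized loss expectancy (ALE) and cost-benefit formulas are the standard quantitative method taught in texts such as Whitman and Mattord; the slides do not state them, and every dollar figure, loss fraction, frequency and control name below is constructed for the illustration.

```python
"""Worked risk identification -> assessment -> control example.

Added illustration, not part of the original presentation. All asset values,
loss fractions, frequencies and control costs are constructed. The SLE/ARO/ALE
and cost-benefit formulas are the standard quantitative risk analysis method
(as in Whitman & Mattord); the slides themselves do not spell them out.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str  # public / internal / confidential
    value: float         # cost to recover or replace, in dollars (constructed)


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    exposure_factor: float  # fraction of the asset's value lost per incident, 0..1
    aro: float              # annualized rate of occurrence (expected incidents/year)

    def sle(self) -> float:
        """Single loss expectancy: value lost in one incident."""
        return self.asset.value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year from this risk."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    new_exposure_factor: float  # residual exposure once the control is in place
    new_aro: float              # residual frequency once the control is in place


def prioritize_assets(assets: List[Asset]) -> List[Asset]:
    """Risk identification: rank the inventory so the most valuable assets come first."""
    return sorted(assets, key=lambda a: a.value, reverse=True)


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Risk assessment: order asset/vulnerability pairs by expected annual loss."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def residual_ale(risk: Risk, control: Control) -> float:
    """Expected annual loss that remains after the control is applied."""
    return risk.asset.value * control.new_exposure_factor * control.new_aro


def cost_benefit(risk: Risk, control: Control) -> float:
    """CBA = ALE before control - ALE after control - annual cost of the control.
    Positive means the control saves more than it costs."""
    return risk.ale() - residual_ale(risk, control) - control.annual_cost


def decide(risk: Risk, control: Control, risk_appetite: float) -> str:
    """Risk control: choose a treatment for one risk against the organization's appetite.

    'accept'   - expected loss is already within the acceptable level; spend nothing.
    'mitigate' - loss exceeds appetite and the control pays for itself.
    'review'   - loss exceeds appetite but the control costs more than it saves, so
                 management must pick another strategy (transfer, avoid, or formally
                 sign off on accepting the excess) rather than ignore the risk.
    """
    if risk.ale() <= risk_appetite:
        return "accept"
    if cost_benefit(risk, control) > 0:
        return "mitigate"
    return "review"


# --- constructed inventory and figures (hypothetical, for illustration only) ---
CUSTOMER_DB = Asset("Customer database", "confidential", 500_000.0)
LAPTOPS = Asset("Employee laptop fleet", "internal", 120_000.0)
BROCHURES = Asset("Marketing brochure PDFs", "public", 2_000.0)
ASSETS = [BROCHURES, CUSTOMER_DB, LAPTOPS]

DB_PHISHING = Risk(CUSTOMER_DB, "phishing-led credential theft",
                   "remote access without MFA", exposure_factor=0.4, aro=0.5)
LAPTOP_THEFT = Risk(LAPTOPS, "laptop theft or loss",
                    "no full-disk encryption", exposure_factor=0.1, aro=2.0)
SITE_DEFACED = Risk(BROCHURES, "web defacement",
                    "outdated CMS", exposure_factor=1.0, aro=1.0)
RISKS = [SITE_DEFACED, LAPTOP_THEFT, DB_PHISHING]

MFA = Control("MFA on remote access", 15_000.0, new_exposure_factor=0.4, new_aro=0.05)
FDE = Control("Full-disk encryption", 6_000.0, new_exposure_factor=0.02, new_aro=2.0)
CMS_UPGRADE = Control("CMS upgrade and monitoring", 5_000.0, new_exposure_factor=1.0, new_aro=0.1)

if __name__ == "__main__":
    appetite = 5_000.0  # constructed: annual loss the organization is willing to absorb
    for risk, control in [(DB_PHISHING, MFA), (LAPTOP_THEFT, FDE), (SITE_DEFACED, CMS_UPGRADE)]:
        print(f"{risk.asset.name:24s} ALE ${risk.ale():>10,.0f}  "
              f"CBA ${cost_benefit(risk, control):>9,.0f}  -> {decide(risk, control, appetite)}")
```

The "review" outcome is the one worth noticing: a risk above appetite whose only proposed control costs more than it saves is not thereby acceptable, it simply needs a different decision, which is exactly the judgement the risk control step exists to force.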
Security Dos and Don’ts
While security certainly seems like a complicated issue, if we break it down to some simple ideas, concepts, and rules, we can see that information security is just an extension of the everyday tasks we already perform. Locking your car, checking the lock on your back door before going to bed, even locking the stall door in a public bathroom: these are all examples of security. The only difference is that we now have to develop the same good habits for information security. These Do's and Don'ts may come in handy, and most of them are not complicated at all.
Do
Be cautious of suspicious emails & links from strangers & delete them
Keep your desk tidy & shred or lock confidential information
Always use strong, hard to guess passwords & change your password every few months, and immediately if you suspect it has been exposed
Lock your computer or smart phone when not in use
Back up information regularly & use antivirus always
Follow company security protocol & report security incidents to IT personnel
Don’t
Respond to emails or calls asking for confidential information
Click on strange links
Use an unprotected computer or internet connection for working on confidential information
Leave confidential information lying on your desk or in the office for visitors to see
Share your password with anyone, even people you know
Store sensitive information on your smart phone
Install illegal or unapproved software
When we look at these items, we notice that most of these information security measures are not very difficult. They just need to be done thoroughly, so that they become automatic routines in your work day. After a few months, all these ways of ensuring information security will be second nature. Additionally, once you have that routine, anything out of the ordinary will stand out more clearly, which makes it easier to spot and report.
Conclusion
Using life skills you already possess means half the battle is already won. That knowledge, along with the ground rules implemented by our company, will help ensure that your workspace and our organization's assets remain secure.
While security is a top priority for all agencies, we hope that you will feel comfortable enough, as part of our team, to bring up any questions or concerns you have about keeping assets safe or concerns about security assurance.
As we end this presentation, I hope that you will find the topic of security to be a little less intimidating. Even when we follow all the protocols and safety nets we can, we are human, and humans make mistakes. That is why we work as a team. You are never alone: if you have a question or think that something may be out of the norm, we are here to work through it together.