
Security Awareness Training by HIMSS Louisiana Chapter

Published in: Business, Technology

  1. “Securing the Unsecured”: Security Awareness Training, HIMSS Louisiana Chapter, October 8, 2004
  2. Agenda
     - Why
     - Who
     - What
     - When
     - Where and How
     - Tests for Understanding
     - Documentation
  3. Why Security Awareness Training
     - Regulatory/Corporate Compliance
     - Users Don’t Get It
     - “It Can’t Happen Here” Syndrome
     - Make Our Lives Easier
     - Goals of Security Awareness Training
  4. Why: Regulatory/Corporate Compliance
     - Sarbanes-Oxley: requires companies to become more fiscally accountable
     - JCAHO: “To continuously improve the safety and quality of care provided to the public through the provision of health care accreditation and related services that support performance improvement in health care organizations.”
     - USA Patriot Act: requires seeking, detecting, and reporting computer trespasses
     - HIPAA: requires confidentiality, integrity and availability (CIA) of patients’ private information
  5. Why: Users Don’t Get It
     - “There’s nothing important on my computer”
     - “We have anti-virus software, so my computer is protected from everything”
     - “All threats are from the outside”
     - “It’s not my job / I’m too busy to worry about security”
     - “Technology provides full protection”
  6. Why: “It Can’t Happen Here” Syndrome
     - Use examples from your organization
     - Use examples from others:
       - Two years of research material lost with no backup
       - Test results are changed
       - Falsified ID is used to send threatening e-mail
       - Employees running a side business with our technology
       - Hospital machines used as zombies for DDoS attacks
       - Virus, worm and trojan infestations and attacks
       - Illegal music downloading
       - Online gaming
       - IT equipment stolen
  7. Why: Make Our Lives Easier
     - Routine help desk calls are reduced
     - Fewer malicious code outbreaks
     - Fewer data restore requests
     - Able to focus on projects
     - Users feel ownership
     - Users think more highly of IT
     - Less time spent firefighting
  8. Goals of Security Awareness Training
     - Establish a knowledge baseline for the entire organization
     - Modifying user behavior helps the security team
     - Adds a human component to defense in depth
     - Securing people is at least as important as securing systems
  9. Who Needs Security Awareness Training
     - Employees
     - Non-employees
  10. Who: Employees
     - All employees
       - Determine the minimum level for everyone
       - Include volunteers, medical staff and administration
     - Department champions
       - Find the IT wannabes in each department
       - Use them to help smooth the path
     - Management
       - Make sure that they are not embarrassed
       - Provide justification for expenditures
     - IT staff
       - Keep them fully informed
  11. Who: Non-employees
     - On-site
       - Volunteers
       - Medical staff
       - Others
     - Remote
       - Medical staff
       - Public
       - Support
     - Contract/Non-contract
       - Escort?
  12. What: Security Awareness Training
     - Most common mistakes
     - Training topics
     - Acceptable Use Policy/Agreement
  13. What: Most Common Mistakes
     - Poor password management
     - Workstation left logged in and unattended
     - Malicious e-mail attachments
     - Ineffective anti-virus software
     - Uncontrolled laptops
     - Unreported security violations
     - Updates, hotfixes and service packs not installed
     - Poor perimeter protection
       - Electronic
       - Physical
  14. What: Training Topics
     - Data backup/restore
     - Physical security
     - Portables
     - Social engineering
     - IDs/passwords
     - E-mail
     - Wireless
     - Malicious software
  15. Data Backup/Restore
     - Users are responsible for communicating their needs
     - IT is responsible for making sure it happens
       - Included in IT procedures
       - Tools supplied to users
  16. Physical Security
     - Every user is an extension of the security force
     - Lock offices as often as practical
     - Restrict open external entrances
     - Technology
       - Cameras
       - Motion sensors
       - Alarm systems
       - Tags
  17. Portables
     - Favorite target of thieves
     - Less likely to draw attention
     - Easily hidden
     - “Turn” (resell) fast at pawn shops and online
     - Almost always contain “sensitive” data
  18. Social Engineering
     - “This is (manager, director, etc.) and I need…”
     - “This is Sue with the Help Desk and we are…”
       - “…verifying your passwords…”
       - “…troubleshooting logon problems…”
       - “…we got your (bogus) request to change your…”
     - E-mail attachments
     - Dumpster diving
     - Recovering data from surplus equipment/media
  19. IDs/Passwords
     - Users are responsible for what happens with their ID/password
     - If you HAVE to write a password down, treat the paper like a credit card
     - Change a password if there is any possibility it has been compromised
     - Use complex passwords
     - The sanctions for not protecting login credentials are…
  20. From the University of Michigan: Passwords Are Like Underwear
     - Change yours often!
     - Don’t leave yours lying around!
     - The longer, the more protection!
     - Don’t share yours with friends!
     - Be mysterious!
  21. E-Mail
     - E-mails exist in multiple places
     - Deleting an e-mail from one place does not delete it from the others
     - Be aware of “bcc”
     - Spam: effects and avoidance
     - Verify attachments before opening
     - Don’t send confidential information via standard e-mail
     - E-mail can be forged
  22. Wireless
     - Don’t plug in your own wireless access point
     - Don’t change the secure configuration:
       - To make it work with your home network
       - So it will connect in the airport
       - To access other facilities’ networks
     - Use a wire when available
       - Faster
       - More secure
       - Less competition for access point bandwidth
  23. Malicious Software
     - Leave virus protection and firewall programs running
     - Check for, or allow, updates
     - Recognize potential malicious activity:
       - Hard drive running when no programs are running
       - Unusual or unexpected logon screens
       - Boot-up speed or sequence changes
       - Performance degradation
       - Bounced e-mails for messages you never sent
     - Others?
  24. What: Acceptable Use Policy/Agreement
     - Include all security topics
     - Templates and examples are available online
     - Include in training
     - Have users sign
     - May include confidentiality and privacy
  25. When: Security Awareness Training
     - Prior to system/facility access
       - Require security training
       - Have the Acceptable Use Policy, confidentiality, privacy and other agreements signed
     - Ongoing
       - New hire
       - Reminder
       - Annual
       - Include security every chance you get
     - Non-employees
  26. Where and How: Security Awareness Training
     - Posters
     - Newsletters
     - Login dialog boxes
     - E-mails
     - Display tables
     - Contests
     - “Mystery guest”
  27. Tests for Understanding
     - Positives
       - Proof that learning occurred
       - Program improvements
     - Negatives
       - Proof that learning did not occur
       - Handling the failures
  28. Documentation
     - Annual plan
     - Who/What/When matrix
     - Proof of occurrence
     - Quality review
     - Meeting minutes
  29. From George Mason University: S.E.C.U.R.E. I.T.
     - Simple (all users can implement these procedures)
     - Effective (problems are solved by following procedures)
     - Concerned (all users should be concerned about security)
     - Useful (procedures keep resources safe and available)
     - Responsibility (all users must follow the AUP)
     - Economical (resources are protected and conserved)
     - Information (confidentiality, integrity, accessibility)
     - Technology (hardware is protected and preserved)
  30. Thank You
     Healthlink Incorporated
     3800 Buffalo Speedway, Suite 550
     Houston, TX 77098
     1.800.223.8956
     claude.younger@healthlinkinc.com
     www.healthlinkinc.com
