SlideShare a Scribd company logo
EMPLOYEE SECURITY AWARENESS
          PROGRAM


       By David Currie, CPA, CIA, CISA
         david.currie@earthlink.net




                                         pg. 0
TABLE OF CONTENTS



Physical Security..................................................................................................... 2

Don't Play in Traffic on the Information Superhighway ........................................... 3

Password Security .................................................................................................. 4

Cyber hoaxes .......................................................................................................... 5

Fax Security ............................................................................................................ 6

Voice Mail Security ................................................................................................. 7

Telecomm Security ................................................................................................. 8

Dos & Don’ts of Info Security (Hardware and Software) ......................................... 9

Information Security Policies ................................................................................... 10

Laptop Security and Air Travel ................................................................................ 11

Questions……………………………………………………………………………….....12




                                                                                                                 pg. 1
PHYSICAL SECURITY

Physical security is an important component of the information protection
program at Your company. Below are some tips that can help you avoid
overlooking physical security.

The 10 Commandments of Physical Security

   Never walk way from your computer when you are logged onto the
    mainframe, local area network, e-mail, or an application.
   Always log out before leaving your desk even if it’s just for a minute.
   Don’t write down your password and leave it lying around your workstation.
   Adhere to a clean-desk policy. Keep your area clean and uncluttered. Clear
    off your desk at the end of every workday.
   Make time at the end of your day to secure your work area.
   Use the locks on your desk, file cabinets, and diskette storage cases.
   Don’t leave sensitive information lying around. Make sure all documents and
    diskettes are secured properly.
   Dispose of sensitive information properly. Shred sensitive documents. If
    you’re discarding or recycling diskettes, make sure that they have been
    erased not simply re-initialized.
   Be careful not to damage diskettes or other media. Never use a ballpoint pen
    to write directly onto a labeled diskette.
   Don’t eat or drink near your computer or other electronic media. Liquids
    spilled on your PC or keyboard can cause serious damage.

INFORMATION SECURITY ALWAYS MATTERS!




                                                                            pg. 2
DON’T PLAY IN TRAFFIC ON THE INFORMATION SUPERHIGHWAY

How can you avoid getting into an accident on the Information Superhighway?
By adhering to a simple set of guidelines outlined below.

I will:

   Protect your company’s information from unauthorized access, modification,
    duplication, destruction or disclosure.
   Protect my password and not share it with anyone.
   Only transmit information that is unclassified.
   Comply with copyright and software licensing agreements.
   Report any suspicious activity or suspected compromises of your company’s
    information systems to the Information Security Officer
   Scan files downloaded from the Internet with anti-virus scanning software.

I will not:

   Download games, viruses, unlicensed software, or offensive materials.
   Use company-provided Internet access for unauthorized activities.
   Transmit messages that adversely affect the company’s image.
   Use another person’s password to access the Internet.
   Transmit confidential information.

INFORMATION SECURITY ALWAYS MATTERS!




                                                                            pg. 3
CREATE STRONG PASSWORDS AND CHANGE FREQUENTLY

Don’t think of your password as a way to get into your computer, think of it as a way to
keep others out. Don’t think of your password as a free ticket, think of it as an expensive,
highly prized, easily pocketed item coveted by dishonest insiders, malicious hackers, and
unethical competitors alike.

Your password should be a mix of letters and numbers and you should change it
frequently. Here are some hints for creating strong passwords:

Technique                                     Words                          Password

String several words together adding          I LOVE YOU                     ILOVE44U
numbers

Repeat words and add numbers                  BAT                            BAT22BAT

Spell a word phonetically                     Telephone                      TELEFON6

Combine personal facts                        Age + Favorite Color           29YELLOW

Substitute an I or O with a 1 (one) or        Noisy Kid                      N01SYK1D
0 (zero)

Use an acronym from an easy to                A Stitch in Time Saves         ASITS9
Remember phrase                               Nine


Never use a password that you have read on a password protection checklist like this one.
Follow the techniques suggested, but don’t use the examples given.

INFORMATION SECURITY ALWAYS MATTERS!




                                                                                      pg. 4
CYBERHOAXES

“Good Times” is perhaps the most infamous virus hoax. It claimed that “the
Federal Communications Commission had discovered a virus that would destroy
your computer’s processor by setting it into an nth complexity infinite loop.” It
was a source of aggravation and confusion for months. At the height of the
hysteria, “Good Times” e-mail messages brought down one major corporation’s
whole network of networks.

What you can do about cyber hoaxes

Being a good “On-line User” means taking both individual and collective
responsibility for what happens on-line. Some cyber hoaxes and urban legends
may appear amusing but the dangers are real. If you receive an e-mail message
warning you about some imminent danger or spreading some outlandish tale not
reflected in the mainstream media, don’t act without thinking first. Ask yourself,
“Is the content of this message plausible?” “Is the alleged source of this
message plausible?” If the countless users who unwittingly spread the “Good
Times” message around the globe had taken a moment to ask themselves when
was the last time they received an e-mail message of any kind from the FCC, the
resounding answer would have been “never” and the hoax would have sunk into
oblivion.

If you receive an unsolicited e-mail message of an unusual nature (especially
one purporting to warn of on-line dangers) and it suggests that you forward it to
other on-line users—don’t do it! That’s another common sense tip that would
have ended “Good Times” early on. If you receive any such unusual messages,
you should contact your Information Security Officer before doing anything. But
you might just call on the phone, instead of simply forwarding the e-mail—in
many cases, the intent of the cyber hoax is to bring down the network by the
sheer volumes of messages.

INFORMATION SECURITY ALWAYS MATTERS!




                                                                             pg. 5
FAX SECURITY

People don’t generally think of fax machines when they think of industrial
espionage or information warfare. Faxes are relatively low-tech. They aren’t
perceived as dangerous. They’re easy to use. But their seemingly harmless
functionality can be deluding. These simple devices have had a dramatic impact
on how business communications are conducted.

What can you do to help with fax security

Many common sense fax security tips are similar to those urged for voice and e-
mail.

   Don’t send a fax containing anything that you wouldn’t want to hear on the
    evening news.
   Don’t send faxes of personal nature on company time or using company fax
    equipment.
   Never hurry the typing in of an outgoing fax number. Go slow and double-
    check yourself
   Take extra care whenever you send a broadcast fax.
   Don’t let incoming faxes simply pile up and spill over. Get them properly
    distributed.
   If you're sending information intended only for the recipient, call the recipient
    before and after sending the fax.

INFORMATION SECURITY ALWAYS MATTERS!




                                                                                 pg. 6
VOICEMAIL SECURITY

Hackers and phreakers are adept at gaining access to outside lines through
voice mail boxes, then running up costly long-distance phone bills for the
victimized organizations. Hackers, phreakers, and even drug dealers are known
to use abandoned voice mail boxes on large corporate systems to traffic in
contraband and conduct other nefarious activities. Below is a checklist to help
you in promoting voice mail security:

Checklist

   When you first receive voice mail privileges, you should change your
    password immediately. And, just as with your e-mail account and network
    access, come up with a password that is easy for you to remember but
    difficult for someone else to guess. Use a clever mix of letters and numbers.
   Change your password frequently, at least every 30 days. Remember that
    your voice mail account is on the front line of information security.
   Don’t share your password with anyone
   Record a personalized greeting in your own voice
   Delete messages after you’ve listened to them
   Don’t leave messages that contain sensitive, confidential, or personal
    information in a voice mail box.
   Report strange or suspicious voice mail messages to your Information
    Security Officer. Don’t delete such messages—they may yield vital evidence
   If you are aware of a still active voice mail box for an employee that has been
    terminated or transferred, notify your information security personnel.
   Take some time to learn about the voice mail system. This knowledge will
    help you detect breaches in telecommunications security.

INFORMATION SECURITY ALWAYS MATTERS!




                                                                              pg. 7
TELECOMM SECURITY

Cellular phones are the most singularly insecure medium over which to have a
confidential conversation. It is a fairly trivial matter (and a common one) for
hobbyists to listen in on cellular phone calls. For the middle class of organized
crime, it is a way of life. For corporate raider and foreign spies, it is standard
operating procedure.

Here are some suggestions on how to thwart cellular eavesdroppers:

   Be careful about what kind of information you discuss over cell phones
   Answer your cell phone by saying “hello,” instead of your full name and
    company name, to reclaim to anonymity
   Remind the person at the other end of the line that cellular communications
    are very insecure
   If you’re forced to discuss confidential or sensitive information, try to use only
    first names of key players and try to avoid naming the different corporate
    entities involved
   Understand that when you dial into your organization’s voice mail system via
    cell phone, it is possible for an eavesdropper to not only hear your messages
    as your do, but more importantly to record and be able to replay the exact
    tones of your voice mail password.

Even pagers are being exploited in telecommunications fraud. One scam
involves someone sending pages to get people to dial a number that results in a
billing of $25 or $30 each, like a 900 or 976 number. Many of these scams use
numbers in the 809 Caribbean area code. There is no warning prior to the
charge being assessed. This scam preys on the natural tendency of diligent and
harried workers to immediately respond to a page, thinking it’s a potential
customer. When the victim ends up reaching a weather report for the Sub-
Sahara or an X-rated chat line in Trinidad, they simply hang up thinking they
dialed the wrong number or the person paging them entered the wrong digits.

INFORMATION SECURITY ALWAYS MATTERS!




                                                                                 pg. 8
DOs AND DON’Ts OF HARDWARE AND SOFTWARE SECURITY

“Hardware” is physical equipment, including mechanical, electronic, and
magnetic components, used in data processing. “Software” refers to computer
programs, instructions, procedures, routines, and possibly associated
documentation concerned with the operation of a computer system.

   DON’T use personally owned hardware or software at the work site to
    perform work assignments and related functions.
   DO use only your company-owned hardware to perform job duties
   DO use only your company authorized software.
   DO comply with all license agreements
   DON’T make unauthorized copies of software.
   DON’T use public domain software.
   DO take reasonable precautions to prevent damage to hardware and
    software from food or beverage spills.
   DO store all removable and concealable items (e.g., diskettes, etc.) under
    lock and key when not in use if applicable.
   DON’T eat, drink, or smoke around computer equipment or software.
   DO take reasonable precautions to ensure security of the computer when left
    unattended.
   DON’T pile papers, printouts, diskettes, etc. on computer equipment.
   DO protect computer equipment from environmental hazards, (i.e., direct
    sunlight, heat sources, vents, open windows, or other sources of dust and
    moisture).
   DON’T make or use illegal copies of proprietary software. Know and obey
    copyright software laws and licensing restrictions.
   DO store diskettes in protective storage containers.
   DO label all diskettes.
   DON’T touch any exposed areas of the diskette or attempt to open the metal
    shield.
   DO keep diskettes away from magnets and magnetized objects, including
    power supply adapters and telephones.
   DO provide the diskettes the same level of security as the data stored on
    them.
   DO use a password-protected screen-saver, if possible.

INFORMATION SECURITY ALWAYS MATTERS!




                                                                          pg. 9
INFORMATION SECURITY POLICIES

A successful security program, just like the construction of a building, starts with
a strong foundation on which to build. Security policies and procedures are the
foundation on which all other security feature or disciplines are built. Your
company has developed several information security policies to protect its
information assets from loss or misuse. It is your responsibility to know and
comply with the following policies:

 Information Asset Protection Policy

   The Information Asset Protection Policy is the primary information security
   policy. It states that all information is an asset of the company and will be
   protected from unauthorized access, disclosure, modification, or destruction—
   whether accidental or intentional. This policy provides the framework for
   implementing an asset protection program.

 Business Risk Assessment Policy

   This policy addresses the requirement for annual risk assessment is
   performed on distributed systems and the applications processed on those
   systems.

 Electronic Communications Policy

   This policy covers the use of Electronic Communication resources including
   connectivity to public and private networks. It also discusses the use of the
   Internet and e-mail systems.

 Privacy Policy

   All employees are expected to follow this policy. It assures customers that
   they can continue to entrust the company with customer personal information.


INFORMATION SECURITY ALWAYS MATTERS!




                                                                              pg. 10
LAPTOPS AND AIR TRAVEL

There has been increased attention lately to the problems of laptop security while
traveling. With a substantial number of business travelers carrying laptops, the
airport security checkpoint has become the target for a scam aimed at separating
you from your laptop.

It involves two persons who look for a victim carrying a laptop and approaching a
metal detector. They position themselves in front of the unsuspecting passenger.
They stall until the unsuspecting passenger puts the laptop computer on the
conveyor belt. Then the first subject moves through the metal detector easily.
The second subject sets off the detector and begins the slow process of
emptying pockets, removing jewelry, etc. While this is happening, the first
subject takes the laptop as soon as it appears on the conveyor belt and moves
away quickly. When the passenger finally gets through the metal detector, the
laptop is gone. The subject that picked it up travels into the gate area and
disappears among the crowd. Sometimes even a third subject will take a hand
off from the first subject and the computer is out of the restricted area before the
passenger even knows that it is gone.

How Do You Avoid Being a Victim?

 Don’t put your computer on the conveyor until the person in front of you has
  cleared the detector
 Make sure the computer has disappeared into the scanner before you pass
  through the detector (otherwise someone on the outside can grab it before it
  goes through).
 Don’t carry your computer in a clearly definable computer carrying case
 If you set off the detector, ask to be checked with the “wand” inside security
  where you can watch your computer. If you go back out, the computer, which
  has already passed through the scanner, may disappear.

INFORMATION SECURITY ALWAYS MATTERS!




                                                                             pg. 11
Questions?




David Currie, CPA, CIA, CISA

 david.currie@earthlink.net




                               pg. 12

More Related Content

What's hot

Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Stephen Cobb
 
Information Security Awareness Training Open
Information Security Awareness Training OpenInformation Security Awareness Training Open
Information Security Awareness Training Open
Fred Beck MBA, CPA
 
Hyphenet Security Awareness Training
Hyphenet Security Awareness TrainingHyphenet Security Awareness Training
Hyphenet Security Awareness Training
Jen Ruhman
 
IT Security Awarenesss by Northern Virginia Community College
IT Security Awarenesss by Northern Virginia Community CollegeIT Security Awarenesss by Northern Virginia Community College
IT Security Awarenesss by Northern Virginia Community College
Atlantic Training, LLC.
 
Awareness Training on Information Security
Awareness Training on Information SecurityAwareness Training on Information Security
Awareness Training on Information Security
Ken Holmes
 
Cybersecurity Awareness Training Presentation v1.3
Cybersecurity Awareness Training Presentation v1.3Cybersecurity Awareness Training Presentation v1.3
Cybersecurity Awareness Training Presentation v1.3
DallasHaselhorst
 
14 tips to increase cybersecurity awareness
14 tips to increase cybersecurity awareness14 tips to increase cybersecurity awareness
14 tips to increase cybersecurity awareness
Michel Bitter
 
Security Awareness Training.pptx
Security Awareness Training.pptxSecurity Awareness Training.pptx
Security Awareness Training.pptx
MohammedYaseen638128
 
New Hire Information Security Awareness
New Hire Information Security AwarenessNew Hire Information Security Awareness
New Hire Information Security Awareness
hubbargf
 
Cybersecurity Awareness
Cybersecurity AwarenessCybersecurity Awareness
Cybersecurity Awareness
JoshuaWisniewski3
 
Cybersecurity Awareness Training
Cybersecurity Awareness TrainingCybersecurity Awareness Training
Cybersecurity Awareness Training
Dave Monahan
 
Employee Security Awareness Training
Employee Security Awareness TrainingEmployee Security Awareness Training
Employee Security Awareness Training
Denis kisina
 
Building An Information Security Awareness Program
Building An Information Security Awareness ProgramBuilding An Information Security Awareness Program
Building An Information Security Awareness Program
Bill Gardner
 
Security Awareness Training - For Companies With Access to NYS "Sensitive" In...
Security Awareness Training - For Companies With Access to NYS "Sensitive" In...Security Awareness Training - For Companies With Access to NYS "Sensitive" In...
Security Awareness Training - For Companies With Access to NYS "Sensitive" In...
David Menken
 
Information Security Awareness, Petronas Marketing Sudan
Information Security Awareness, Petronas Marketing SudanInformation Security Awareness, Petronas Marketing Sudan
Information Security Awareness, Petronas Marketing Sudan
Ahmed Musaad
 
Cybersecurity Employee Training
Cybersecurity Employee TrainingCybersecurity Employee Training
Cybersecurity Employee Training
Paige Rasid
 
Information security awareness, middle management
Information security awareness, middle managementInformation security awareness, middle management
Information security awareness, middle management
haneen Emeir, CISA, ISO27001
 
Information Security Awareness
Information Security Awareness Information Security Awareness
Information Security Awareness
SnapComms
 
Cybersecurity Awareness Training Presentation v2021.08
Cybersecurity Awareness Training Presentation v2021.08Cybersecurity Awareness Training Presentation v2021.08
Cybersecurity Awareness Training Presentation v2021.08
DallasHaselhorst
 
Information Security Awareness for everyone
Information Security Awareness for everyoneInformation Security Awareness for everyone
Information Security Awareness for everyone
Yasir Nafees
 

What's hot (20)

Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
 
Information Security Awareness Training Open
Information Security Awareness Training OpenInformation Security Awareness Training Open
Information Security Awareness Training Open
 
Hyphenet Security Awareness Training
Hyphenet Security Awareness TrainingHyphenet Security Awareness Training
Hyphenet Security Awareness Training
 
IT Security Awarenesss by Northern Virginia Community College
IT Security Awarenesss by Northern Virginia Community CollegeIT Security Awarenesss by Northern Virginia Community College
IT Security Awarenesss by Northern Virginia Community College
 
Awareness Training on Information Security
Awareness Training on Information SecurityAwareness Training on Information Security
Awareness Training on Information Security
 
Cybersecurity Awareness Training Presentation v1.3
Cybersecurity Awareness Training Presentation v1.3Cybersecurity Awareness Training Presentation v1.3
Cybersecurity Awareness Training Presentation v1.3
 
14 tips to increase cybersecurity awareness
14 tips to increase cybersecurity awareness14 tips to increase cybersecurity awareness
14 tips to increase cybersecurity awareness
 
Security Awareness Training.pptx
Security Awareness Training.pptxSecurity Awareness Training.pptx
Security Awareness Training.pptx
 
New Hire Information Security Awareness
New Hire Information Security AwarenessNew Hire Information Security Awareness
New Hire Information Security Awareness
 
Cybersecurity Awareness
Cybersecurity AwarenessCybersecurity Awareness
Cybersecurity Awareness
 
Cybersecurity Awareness Training
Cybersecurity Awareness TrainingCybersecurity Awareness Training
Cybersecurity Awareness Training
 
Employee Security Awareness Training
Employee Security Awareness TrainingEmployee Security Awareness Training
Employee Security Awareness Training
 
Building An Information Security Awareness Program
Building An Information Security Awareness ProgramBuilding An Information Security Awareness Program
Building An Information Security Awareness Program
 
Security Awareness Training - For Companies With Access to NYS "Sensitive" In...
Security Awareness Training - For Companies With Access to NYS "Sensitive" In...Security Awareness Training - For Companies With Access to NYS "Sensitive" In...
Security Awareness Training - For Companies With Access to NYS "Sensitive" In...
 
Information Security Awareness, Petronas Marketing Sudan
Information Security Awareness, Petronas Marketing SudanInformation Security Awareness, Petronas Marketing Sudan
Information Security Awareness, Petronas Marketing Sudan
 
Cybersecurity Employee Training
Cybersecurity Employee TrainingCybersecurity Employee Training
Cybersecurity Employee Training
 
Information security awareness, middle management
Information security awareness, middle managementInformation security awareness, middle management
Information security awareness, middle management
 
Information Security Awareness
Information Security Awareness Information Security Awareness
Information Security Awareness
 
Cybersecurity Awareness Training Presentation v2021.08
Cybersecurity Awareness Training Presentation v2021.08Cybersecurity Awareness Training Presentation v2021.08
Cybersecurity Awareness Training Presentation v2021.08
 
Information Security Awareness for everyone
Information Security Awareness for everyoneInformation Security Awareness for everyone
Information Security Awareness for everyone
 

Viewers also liked

Security Training and Threat Awareness by Pedraza
Security Training and Threat Awareness by PedrazaSecurity Training and Threat Awareness by Pedraza
Security Training and Threat Awareness by Pedraza
Atlantic Training, LLC.
 
IT Security DOs and DONTs
IT Security DOs and DONTsIT Security DOs and DONTs
IT Security DOs and DONTs
IT Tech
 
IT Security DOs and DON'Ts
IT Security DOs and DON'Ts IT Security DOs and DON'Ts
IT Security DOs and DON'Ts
Sophos
 
Information Security Awareness Training by Wilfrid Laurier University
Information Security Awareness Training by Wilfrid Laurier UniversityInformation Security Awareness Training by Wilfrid Laurier University
Information Security Awareness Training by Wilfrid Laurier University
Atlantic Training, LLC.
 
Security Awareness Training by Fortinet
Security Awareness Training by FortinetSecurity Awareness Training by Fortinet
Security Awareness Training by Fortinet
Atlantic Training, LLC.
 
End User Security Awareness Presentation
End User Security Awareness PresentationEnd User Security Awareness Presentation
End User Security Awareness Presentation
Cristian Mihai
 
How To Promote Security Awareness In Your Company
How To Promote Security Awareness In Your CompanyHow To Promote Security Awareness In Your Company
How To Promote Security Awareness In Your Company
danielblander
 
Employee security awareness communication
Employee security awareness communicationEmployee security awareness communication
Employee security awareness communication
SnapComms
 
IT Security Presentation
IT Security PresentationIT Security Presentation
IT Security Presentation
elihuwalker
 
Information Security Awareness Training
Information Security Awareness TrainingInformation Security Awareness Training
Information Security Awareness Training
Randy Bowman
 
Data Classification Presentation
Data Classification PresentationData Classification Presentation
Data Classification Presentation
Derroylo
 
HIPAA Training - 2011
HIPAA Training - 2011HIPAA Training - 2011
HIPAA Training - 2011
darichardson
 
Security Awareness Training by HIMSS Louisiana Chapter
Security Awareness Training by HIMSS Louisiana ChapterSecurity Awareness Training by HIMSS Louisiana Chapter
Security Awareness Training by HIMSS Louisiana Chapter
Atlantic Training, LLC.
 
Information Security Awareness Training by Mount Auburn Hospital
Information Security Awareness Training by Mount Auburn HospitalInformation Security Awareness Training by Mount Auburn Hospital
Information Security Awareness Training by Mount Auburn Hospital
Atlantic Training, LLC.
 
Internet Security
Internet SecurityInternet Security
Internet Security
Chris Rodgers
 
ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3
Tanmay Shinde
 
Information Security Lecture #1 ppt
Information Security Lecture #1 pptInformation Security Lecture #1 ppt
Information Security Lecture #1 ppt
vasanthimuniasamy
 
Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016
Imperva
 
Cyber security presentation
Cyber security presentationCyber security presentation
Cyber security presentation
Bijay Bhandari
 
Internet security powerpoint
Internet security powerpointInternet security powerpoint
Internet security powerpoint
Arifa Ali
 

Viewers also liked (20)

Security Training and Threat Awareness by Pedraza
Security Training and Threat Awareness by PedrazaSecurity Training and Threat Awareness by Pedraza
Security Training and Threat Awareness by Pedraza
 
IT Security DOs and DONTs
IT Security DOs and DONTsIT Security DOs and DONTs
IT Security DOs and DONTs
 
IT Security DOs and DON'Ts
IT Security DOs and DON'Ts IT Security DOs and DON'Ts
IT Security DOs and DON'Ts
 
Information Security Awareness Training by Wilfrid Laurier University
Information Security Awareness Training by Wilfrid Laurier UniversityInformation Security Awareness Training by Wilfrid Laurier University
Information Security Awareness Training by Wilfrid Laurier University
 
Security Awareness Training by Fortinet
Security Awareness Training by FortinetSecurity Awareness Training by Fortinet
Security Awareness Training by Fortinet
 
End User Security Awareness Presentation
End User Security Awareness PresentationEnd User Security Awareness Presentation
End User Security Awareness Presentation
 
How To Promote Security Awareness In Your Company
How To Promote Security Awareness In Your CompanyHow To Promote Security Awareness In Your Company
How To Promote Security Awareness In Your Company
 
Employee security awareness communication
Employee security awareness communicationEmployee security awareness communication
Employee security awareness communication
 
IT Security Presentation
IT Security PresentationIT Security Presentation
IT Security Presentation
 
Information Security Awareness Training
Information Security Awareness TrainingInformation Security Awareness Training
Information Security Awareness Training
 
Data Classification Presentation
Data Classification PresentationData Classification Presentation
Data Classification Presentation
 
HIPAA Training - 2011
HIPAA Training - 2011HIPAA Training - 2011
HIPAA Training - 2011
 
Security Awareness Training by HIMSS Louisiana Chapter
Security Awareness Training by HIMSS Louisiana ChapterSecurity Awareness Training by HIMSS Louisiana Chapter
Security Awareness Training by HIMSS Louisiana Chapter
 
Information Security Awareness Training by Mount Auburn Hospital
Information Security Awareness Training by Mount Auburn HospitalInformation Security Awareness Training by Mount Auburn Hospital
Information Security Awareness Training by Mount Auburn Hospital
 
Internet Security
Internet SecurityInternet Security
Internet Security
 
ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3
 
Information Security Lecture #1 ppt
Information Security Lecture #1 pptInformation Security Lecture #1 ppt
Information Security Lecture #1 ppt
 
Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016
 
Cyber security presentation
Cyber security presentationCyber security presentation
Cyber security presentation
 
Internet security powerpoint
Internet security powerpointInternet security powerpoint
Internet security powerpoint
 

Similar to Employee Security Awareness Program

Security and the Service Desk
Security and the Service DeskSecurity and the Service Desk
Security and the Service Desk
NorthCoastHDI
 
Cyber Security
Cyber SecurityCyber Security
Information Secuirty
Information SecuirtyInformation Secuirty
Information Secuirty
Carson City Library
 
Cyber crime & security
Cyber crime & securityCyber crime & security
Cyber crime & security
pinkutinku26
 
cyber crime, Cyber Security, Introduction, Umakant Bhaskar Gohatre
cyber crime, Cyber Security, Introduction, Umakant Bhaskar Gohatre cyber crime, Cyber Security, Introduction, Umakant Bhaskar Gohatre
cyber crime, Cyber Security, Introduction, Umakant Bhaskar Gohatre
Smt. Indira Gandhi College of Engineering, Navi Mumbai, Mumbai
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
Adeel Younas
 
CYBER SECURITY AWARENESS.pptx [Read-Only].pptx
CYBER SECURITY AWARENESS.pptx [Read-Only].pptxCYBER SECURITY AWARENESS.pptx [Read-Only].pptx
CYBER SECURITY AWARENESS.pptx [Read-Only].pptx
Dhruvsinhbhati
 
Be Cyber Smart! (DLH 10/25/2019)
Be Cyber Smart! (DLH 10/25/2019)Be Cyber Smart! (DLH 10/25/2019)
Be Cyber Smart! (DLH 10/25/2019)
David Herrington
 
IT security awareness
IT security awarenessIT security awareness
IT security awareness
Dr. Ramkumar Lakshminarayanan
 
Cyber security awareness presentation nepal
Cyber security awareness presentation nepalCyber security awareness presentation nepal
Cyber security awareness presentation nepal
ICT Frame Magazine Pvt. Ltd.
 
Home and Business Computer Security 2014
Home and Business Computer Security 2014Home and Business Computer Security 2014
Home and Business Computer Security 2014
B2BPlanner Ltd.
 
Keep Your Computers Safe And Secure
Keep Your Computers Safe And SecureKeep Your Computers Safe And Secure
Keep Your Computers Safe And Secure
Rob Clement
 
cyber security presentation (1).pdf
cyber security presentation (1).pdfcyber security presentation (1).pdf
cyber security presentation (1).pdf
w4tgrgdyryfh
 
Cybersecurity Awareness E-Book - WeSecureApp
Cybersecurity Awareness E-Book - WeSecureAppCybersecurity Awareness E-Book - WeSecureApp
Cybersecurity Awareness E-Book - WeSecureApp
WeSecureApp
 
Pci compliance training agents
Pci compliance training  agentsPci compliance training  agents
Pci compliance training agents
ocinc
 
Cybersecurity Awareness Month_2021_PartnerPresentation_Final.pdf
Cybersecurity Awareness Month_2021_PartnerPresentation_Final.pdfCybersecurity Awareness Month_2021_PartnerPresentation_Final.pdf
Cybersecurity Awareness Month_2021_PartnerPresentation_Final.pdf
Soo Chin Hock
 
Ncsam 2019-cybersecurity-awareness-trivia final-508
Ncsam 2019-cybersecurity-awareness-trivia final-508Ncsam 2019-cybersecurity-awareness-trivia final-508
Ncsam 2019-cybersecurity-awareness-trivia final-508
Vishwan Aranha
 
10 most important cyber security tips for your users
10 most important cyber security tips for your users10 most important cyber security tips for your users
10 most important cyber security tips for your users
Simpliv LLC
 
CYBERSPACE SAFETY TIPS FOR SMEs.ppt
CYBERSPACE SAFETY TIPS FOR SMEs.pptCYBERSPACE SAFETY TIPS FOR SMEs.ppt
CYBERSPACE SAFETY TIPS FOR SMEs.ppt
JOHN BABATUNDE LEE
 
Cyber Crime & Security.pdf
Cyber Crime & Security.pdfCyber Crime & Security.pdf
Cyber Crime & Security.pdf
MohanPandey31
 

Similar to Employee Security Awareness Program (20)

Security and the Service Desk
Security and the Service DeskSecurity and the Service Desk
Security and the Service Desk
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
Information Secuirty
Information SecuirtyInformation Secuirty
Information Secuirty
 
Cyber crime & security
Cyber crime & securityCyber crime & security
Cyber crime & security
 
cyber crime, Cyber Security, Introduction, Umakant Bhaskar Gohatre
cyber crime, Cyber Security, Introduction, Umakant Bhaskar Gohatre cyber crime, Cyber Security, Introduction, Umakant Bhaskar Gohatre
cyber crime, Cyber Security, Introduction, Umakant Bhaskar Gohatre
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
CYBER SECURITY AWARENESS.pptx [Read-Only].pptx
CYBER SECURITY AWARENESS.pptx [Read-Only].pptxCYBER SECURITY AWARENESS.pptx [Read-Only].pptx
CYBER SECURITY AWARENESS.pptx [Read-Only].pptx
 
Be Cyber Smart! (DLH 10/25/2019)
Be Cyber Smart! (DLH 10/25/2019)Be Cyber Smart! (DLH 10/25/2019)
Be Cyber Smart! (DLH 10/25/2019)
 
IT security awareness
IT security awarenessIT security awareness
IT security awareness
 
Cyber security awareness presentation nepal
Cyber security awareness presentation nepalCyber security awareness presentation nepal
Cyber security awareness presentation nepal
 
Home and Business Computer Security 2014
Home and Business Computer Security 2014Home and Business Computer Security 2014
Home and Business Computer Security 2014
 
Keep Your Computers Safe And Secure
Keep Your Computers Safe And SecureKeep Your Computers Safe And Secure
Keep Your Computers Safe And Secure
 
cyber security presentation (1).pdf
cyber security presentation (1).pdfcyber security presentation (1).pdf
cyber security presentation (1).pdf
 
Cybersecurity Awareness E-Book - WeSecureApp
Cybersecurity Awareness E-Book - WeSecureAppCybersecurity Awareness E-Book - WeSecureApp
Cybersecurity Awareness E-Book - WeSecureApp
 
Pci compliance training agents
Pci compliance training  agentsPci compliance training  agents
Pci compliance training agents
 
Cybersecurity Awareness Month_2021_PartnerPresentation_Final.pdf
Cybersecurity Awareness Month_2021_PartnerPresentation_Final.pdfCybersecurity Awareness Month_2021_PartnerPresentation_Final.pdf
Cybersecurity Awareness Month_2021_PartnerPresentation_Final.pdf
 
Ncsam 2019-cybersecurity-awareness-trivia final-508
Ncsam 2019-cybersecurity-awareness-trivia final-508Ncsam 2019-cybersecurity-awareness-trivia final-508
Ncsam 2019-cybersecurity-awareness-trivia final-508
 
10 most important cyber security tips for your users
10 most important cyber security tips for your users10 most important cyber security tips for your users
10 most important cyber security tips for your users
 
CYBERSPACE SAFETY TIPS FOR SMEs.ppt
CYBERSPACE SAFETY TIPS FOR SMEs.pptCYBERSPACE SAFETY TIPS FOR SMEs.ppt
CYBERSPACE SAFETY TIPS FOR SMEs.ppt
 
Cyber Crime & Security.pdf
Cyber Crime & Security.pdfCyber Crime & Security.pdf
Cyber Crime & Security.pdf
 

Employee Security Awareness Program

  • 1. EMPLOYEE SECURITY AWARENESS PROGRAM By David Currie, CPA, CIA, CISA david.currie@earthlink.net pg. 0
  • 2. TABLE OF CONTENTS Physical Security..................................................................................................... 2 Don't Play in Traffic on the Information Superhighway ........................................... 3 Password Security .................................................................................................. 4 Cyber hoaxes .......................................................................................................... 5 Fax Security ............................................................................................................ 6 Voice Mail Security ................................................................................................. 7 Telecomm Security ................................................................................................. 8 Dos & Don’ts of Info Security (Hardware and Software) ......................................... 9 Information Security Policies ................................................................................... 10 Laptop Security and Air Travel ................................................................................ 11 Questions……………………………………………………………………………….....12 pg. 1
  • 3. PHYSICAL SECURITY Physical security is an important component of the information protection program at Your company. Below are some tips that can help you avoid overlooking physical security. The 10 Commandments of Physical Security  Never walk way from your computer when you are logged onto the mainframe, local area network, e-mail, or an application.  Always log out before leaving your desk even if it’s just for a minute.  Don’t write down your password and leave it lying around your workstation.  Adhere to a clean-desk policy. Keep your area clean and uncluttered. Clear off your desk at the end of every workday.  Make time at the end of your day to secure your work area.  Use the locks on your desk, file cabinets, and diskette storage cases.  Don’t leave sensitive information lying around. Make sure all documents and diskettes are secured properly.  Dispose of sensitive information properly. Shred sensitive documents. If you’re discarding or recycling diskettes, make sure that they have been erased not simply re-initialized.  Be careful not to damage diskettes or other media. Never use a ballpoint pen to write directly onto a labeled diskette.  Don’t eat or drink near your computer or other electronic media. Liquids spilled on your PC or keyboard can cause serious damage. INFORMATION SECURITY ALWAYS MATTERS! pg. 2
  • 4. DON’T PLAY IN TRAFFIC ON THE INFORMATION SUPERHIGHWAY How can you avoid getting into an accident on the Information Superhighway? By adhering to a simple set of guidelines outlined below. I will:  Protect your company’s information from unauthorized access, modification, duplication, destruction or disclosure.  Protect my password and not share it with anyone.  Only transmit information that is unclassified.  Comply with copyright and software licensing agreements.  Report any suspicious activity or suspected compromises of your company’s information systems to the Information Security Officer  Scan files downloaded from the Internet with anti-virus scanning software. I will not:  Download games, viruses, unlicensed software, or offensive materials.  Use company-provided Internet access for unauthorized activities.  Transmit messages that adversely affect the company’s image.  Use another person’s password to access the Internet.  Transmit confidential information. INFORMATION SECURITY ALWAYS MATTERS! pg. 3
  • 5. CREATE STRONG PASSWORDS AND CHANGE FREQUENTLY Don’t think of your password as a way to get into your computer, think of it as a way to keep others out. Don’t think of your password as a free ticket, think of it as an expensive, highly prized, easily pocketed item coveted by dishonest insiders, malicious hackers, and unethical competitors alike. Your password should be a mix of letters and numbers and you should change it frequently. Here are some hints for creating strong passwords: Technique Words Password String several words together adding I LOVE YOU ILOVE44U numbers Repeat words and add numbers BAT BAT22BAT Spell a word phonetically Telephone TELEFON6 Combine personal facts Age + Favorite Color 29YELLOW Substitute an I or O with a 1 (one) or Noisy Kid N01SYK1D 0 (zero) Use an acronym from an easy to A Stitch in Time Saves ASITS9 Remember phrase Nine Never use a password that you have read on a password protection checklist like this one. Follow the techniques suggested, but don’t use the examples given. INFORMATION SECURITY ALWAYS MATTERS! pg. 4
  • 6. CYBERHOAXES “Good Times” is perhaps the most infamous virus hoax. It claimed that “the Federal Communications Commission had discovered a virus that would destroy your computer’s processor by setting it into an nth complexity infinite loop.” It was a source of aggravation and confusion for months. At the height of the hysteria, “Good Times” e-mail messages brought down one major corporation’s whole network of networks. What you can do about cyber hoaxes Being a good “On-line User” means taking both individual and collective responsibility for what happens on-line. Some cyber hoaxes and urban legends may appear amusing but the dangers are real. If you receive an e-mail message warning you about some imminent danger or spreading some outlandish tale not reflected in the mainstream media, don’t act without thinking first. Ask yourself, “Is the content of this message plausible?” “Is the alleged source of this message plausible?” If the countless users who unwittingly spread the “Good Times” message around the globe had taken a moment to ask themselves when was the last time they received an e-mail message of any kind from the FCC, the resounding answer would have been “never” and the hoax would have sunk into oblivion. If you receive an unsolicited e-mail message of an unusual nature (especially one purporting to warn of on-line dangers) and it suggests that you forward it to other on-line users—don’t do it! That’s another common sense tip that would have ended “Good Times” early on. If you receive any such unusual messages, you should contact your Information Security Officer before doing anything. But you might just call on the phone, instead of simply forwarding the e-mail—in many cases, the intent of the cyber hoax is to bring down the network by the sheer volumes of messages. INFORMATION SECURITY ALWAYS MATTERS! pg. 5
  • 7. FAX SECURITY People don’t generally think of fax machines when they think of industrial espionage or information warfare. Faxes are relatively low-tech. They aren’t perceived as dangerous. They’re easy to use. But their seemingly harmless functionality can be deluding. These simple devices have had a dramatic impact on how business communications are conducted. What can you do to help with fax security Many common sense fax security tips are similar to those urged for voice and e- mail.  Don’t send a fax containing anything that you wouldn’t want to hear on the evening news.  Don’t send faxes of personal nature on company time or using company fax equipment.  Never hurry the typing in of an outgoing fax number. Go slow and double- check yourself  Take extra care whenever you send a broadcast fax.  Don’t let incoming faxes simply pile up and spill over. Get them properly distributed.  If you're sending information intended only for the recipient, call the recipient before and after sending the fax. INFORMATION SECURITY ALWAYS MATTERS! pg. 6
  • 8. VOICEMAIL SECURITY Hackers and phreakers are adept at gaining access to outside lines through voice mail boxes, then running up costly long-distance phone bills for the victimized organizations. Hackers, phreakers, and even drug dealers are known to use abandoned voice mail boxes on large corporate systems to traffic in contraband and conduct other nefarious activities. Below is a checklist to help you in promoting voice mail security: Checklist  When you first receive voice mail privileges, you should change your password immediately. And, just as with your e-mail account and network access, come up with a password that is easy for you to remember but difficult for someone else to guess. Use a clever mix of letters and numbers.  Change your password frequently, at least every 30 days. Remember that your voice mail account is on the front line of information security.  Don’t share your password with anyone  Record a personalized greeting in your own voice  Delete messages after you’ve listened to them  Don’t leave messages that contain sensitive, confidential, or personal information in a voice mail box.  Report strange or suspicious voice mail messages to your Information Security Officer. Don’t delete such messages—they may yield vital evidence  If you are aware of a still active voice mail box for an employee that has been terminated or transferred, notify your information security personnel.  Take some time to learn about the voice mail system. This knowledge will help you detect breaches in telecommunications security. INFORMATION SECURITY ALWAYS MATTERS! pg. 7
  • 9. TELECOMM SECURITY Cellular phones are the most singularly insecure medium over which to have a confidential conversation. It is a fairly trivial matter (and a common one) for hobbyists to listen in on cellular phone calls. For the middle class of organized crime, it is a way of life. For corporate raider and foreign spies, it is standard operating procedure. Here are some suggestions on how to thwart cellular eavesdroppers:  Be careful about what kind of information you discuss over cell phones  Answer your cell phone by saying “hello,” instead of your full name and company name, to reclaim to anonymity  Remind the person at the other end of the line that cellular communications are very insecure  If you’re forced to discuss confidential or sensitive information, try to use only first names of key players and try to avoid naming the different corporate entities involved  Understand that when you dial into your organization’s voice mail system via cell phone, it is possible for an eavesdropper to not only hear your messages as your do, but more importantly to record and be able to replay the exact tones of your voice mail password. Even pagers are being exploited in telecommunications fraud. One scam involves someone sending pages to get people to dial a number that results in a billing of $25 or $30 each, like a 900 or 976 number. Many of these scams use numbers in the 809 Caribbean area code. There is no warning prior to the charge being assessed. This scam preys on the natural tendency of diligent and harried workers to immediately respond to a page, thinking it’s a potential customer. When the victim ends up reaching a weather report for the Sub- Sahara or an X-rated chat line in Trinidad, they simply hang up thinking they dialed the wrong number or the person paging them entered the wrong digits. INFORMATION SECURITY ALWAYS MATTERS! pg. 8
  • 10. DOs AND DON’Ts OF HARDWARE AND SOFTWARE SECURITY “Hardware” is physical equipment, including mechanical, electronic, and magnetic components, used in data processing. “Software” refers to computer programs, instructions, procedures, routines, and possibly associated documentation concerned with the operation of a computer system.  DON’T use personally owned hardware or software at the work site to perform work assignments and related functions.  DO use only your company-owned hardware to perform job duties  DO use only your company authorized software.  DO comply with all license agreements  DON’T make unauthorized copies of software.  DON’T use public domain software.  DO take reasonable precautions to prevent damage to hardware and software from food or beverage spills.  DO store all removable and concealable items (e.g., diskettes, etc.) under lock and key when not in use if applicable.  DON’T eat, drink, or smoke around computer equipment or software.  DO take reasonable precautions to ensure security of the computer when left unattended.  DON’T pile papers, printouts, diskettes, etc. on computer equipment.  DO protect computer equipment from environmental hazards, (i.e., direct sunlight, heat sources, vents, open windows, or other sources of dust and moisture).  DON’T make or use illegal copies of proprietary software. Know and obey copyright software laws and licensing restrictions.  DO store diskettes in protective storage containers.  DO label all diskettes.  DON’T touch any exposed areas of the diskette or attempt to open the metal shield.  DO keep diskettes away from magnets and magnetized objects, including power supply adapters and telephones.  DO provide the diskettes the same level of security as the data stored on them.  DO use a password-protected screen-saver, if possible. INFORMATION SECURITY ALWAYS MATTERS! pg. 9
  • 11. INFORMATION SECURITY POLICIES A successful security program, just like the construction of a building, starts with a strong foundation on which to build. Security policies and procedures are the foundation on which all other security feature or disciplines are built. Your company has developed several information security policies to protect its information assets from loss or misuse. It is your responsibility to know and comply with the following policies:  Information Asset Protection Policy The Information Asset Protection Policy is the primary information security policy. It states that all information is an asset of the company and will be protected from unauthorized access, disclosure, modification, or destruction— whether accidental or intentional. This policy provides the framework for implementing an asset protection program.  Business Risk Assessment Policy This policy addresses the requirement for annual risk assessment is performed on distributed systems and the applications processed on those systems.  Electronic Communications Policy This policy covers the use of Electronic Communication resources including connectivity to public and private networks. It also discusses the use of the Internet and e-mail systems.  Privacy Policy All employees are expected to follow this policy. It assures customers that they can continue to entrust the company with customer personal information. INFORMATION SECURITY ALWAYS MATTERS! pg. 10
  • 12. LAPTOPS AND AIR TRAVEL There has been increased attention lately to the problems of laptop security while traveling. With a substantial number of business travelers carrying laptops, the airport security checkpoint has become the target for a scam aimed at separating you from your laptop. It involves two persons who look for a victim carrying a laptop and approaching a metal detector. They position themselves in front of the unsuspecting passenger. They stall until the unsuspecting passenger puts the laptop computer on the conveyor belt. Then the first subject moves through the metal detector easily. The second subject sets off the detector and begins the slow process of emptying pockets, removing jewelry, etc. While this is happening, the first subject takes the laptop as soon as it appears on the conveyor belt and moves away quickly. When the passenger finally gets through the metal detector, the laptop is gone. The subject that picked it up travels into the gate area and disappears among the crowd. Sometimes even a third subject will take a hand off from the first subject and the computer is out of the restricted area before the passenger even knows that it is gone. How Do You Avoid Being a Victim?  Don’t put your computer on the conveyor until the person in front of you has cleared the detector  Make sure the computer has disappeared into the scanner before you pass through the detector (otherwise someone on the outside can grab it before it goes through).  Don’t carry your computer in a clearly definable computer carrying case  If you set off the detector, ask to be checked with the “wand” inside security where you can watch your computer. If you go back out, the computer, which has already passed through the scanner, may disappear. INFORMATION SECURITY ALWAYS MATTERS! pg. 11
  • 13. Questions? David Currie, CPA, CIA, CISA david.currie@earthlink.net pg. 12