Post on 23-Dec-2021


Page 1: Annual Training Information Security Awareness

Annual Training – Information Security Awareness

This course is intended for all Haemonetics employees, including contractors and temporary workers. In this global course you will learn about Information Security Awareness: confidentiality, integrity and availability.

This course is expected to take 30 minutes to complete. You must complete the course and successfully pass the quiz (80% or higher) to get credit for this module.

Content Owner : Data Protection Officer

Company Confidential TI1317(AC) Page 1

Page 2: Annual Training Information Security Awareness

Global Training – Information Security Awareness

What is Information Security?

An easy to remember acronym is CIA:

• Confidentiality – Limiting access only to those who are authorized.

• Integrity – Preventing intentional or unintentional modification of data.

• Availability – Making sure the data is available when it should be.

Page 3: Annual Training Information Security Awareness

Cybersecurity and Data Protection responsibilities are defined in our SOPs:

Role: Responsibility

Data Protection Officer (DPO): Sets and enforces data protection and cybersecurity policies.

Global Compliance Officer (GPO): Ensures data protection and cybersecurity policies conform to laws and regulations of the countries in which Haemonetics operates.

Incident Response Team: Comprising the DPO, GPO, and leadership in Commercial, IT, Quality and Communications, manages response to high-risk security incidents.

Every Haemonetics team member: Ensures the protection of Haemonetics information assets, including hardware, software systems, and data, including customer data entrusted to Haemonetics.

Page 4: Annual Training Information Security Awareness

NIST (National Institute of Standards and Technology) Framework

To ensure good cybersecurity and data protection practices, Haemonetics has aligned to the NIST Cyber Security Framework (CSF). This framework has been widely adopted by global organizations as a holistic way to ensure confidentiality, integrity, and availability.

Page 5: Annual Training Information Security Awareness

How do I contribute to Haemonetics’ cybersecurity posture?

We have two primary cyber threats to Haemonetics, and your actions are key to addressing each:

• Data Breach. In addition to our employees’ personal data, we also host personal data for some of our customers. Failure to implement a level of security appropriate to the magnitude of risk and its consequences could result in significant fines and legal liabilities for the company, while damaging our reputation across the market.

• Malware. Malware is often referred to as a computer virus. A particular type of malware of concern to us is called ransomware, which is designed to lock out our systems. This could significantly disrupt our service, manufacturing, and distribution operations for hours, days, or even weeks. In addition to lost revenue, this could damage our reputation and thereby erode our long-term market share.

Page 6: Annual Training Information Security Awareness

How do I defend against these threats?

• Data breach and ransomware attacks usually begin as “Phishing.” “Phishing” is a technique used by hackers to steal your userid and password via email.

• A hacker may pose as one of your regular contacts, even as a Haemonetics employee. Or he may pose as a centralized function, such as “SharePoint Administrator” or “HR Administrator.”

• Most often, the hacker will try to get you to enter your userid and password or to open an attachment. Cues for a possible phishing attack include the appearance of the external email banner, spelling and grammar errors in the email text, and an undue sense of urgency on the part of the sender.

• Some clues that an email should be treated as suspicious are:

  • The external banner is displayed, although the sender appears to be a Haemonetics employee

  • There is an urgent call to action: “do this now or your access will be removed,” etc.

  • There is an attachment or a hyperlink that you were not expecting

  • There are spelling or grammatical errors in the body of the email
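The four clues above can be turned into a simple triage check. The following is an added example, not part of the course material or any Haemonetics tool: the message fields, sample emails, urgency phrases and misspelling list are all constructed for illustration.

```python
"""Phishing-cue triage for the four clues listed on this slide.

Added example; it is not part of the Haemonetics course material. The
message fields, the sample emails, the urgency phrases and the misspelling
list are all constructed for illustration.
"""
import re
from dataclasses import dataclass, field

ORG_NAME = "haemonetics"                      # name an impersonator might use
CENTRAL_FUNCTIONS = ("sharepoint administrator", "hr administrator")
# Constructed stand-ins for the slide's "urgent call to action" clue.
URGENCY_PHRASES = ("do this now", "access will be removed", "within 24 hours",
                   "immediately", "account will be suspended", "urgent")
# Constructed stand-ins for the slide's "spelling or grammatical errors" clue.
MISSPELLINGS = ("recieve", "verfy", "acount", "pasword", "imediately")


@dataclass
class Email:
    display_name: str
    from_addr: str
    subject: str
    body: str
    external_banner: bool                     # gateway tagged the mail external
    attachments: list[str] = field(default_factory=list)
    links: list[str] = field(default_factory=list)
    expected: bool = False                    # recipient was expecting the file/link


def cues(msg: Email) -> list[str]:
    """Return the slide's clues that this message triggers (possibly none)."""
    hits = []
    text = f"{msg.subject} {msg.body}".lower()
    name = msg.display_name.lower()

    # Clue 1: external banner shown, yet the sender poses as a colleague or a
    # centralized function such as "HR Administrator".
    poses_internal = ORG_NAME in name or any(f in name for f in CENTRAL_FUNCTIONS)
    if msg.external_banner and poses_internal:
        hits.append("external banner but sender poses as internal")

    # Clue 2: urgent call to action.
    if any(phrase in text for phrase in URGENCY_PHRASES):
        hits.append("urgent call to action")

    # Clue 3: attachment or hyperlink the recipient was not expecting.
    if (msg.attachments or msg.links) and not msg.expected:
        hits.append("unexpected attachment or link")

    # Clue 4: spelling errors (whole-word match against the constructed list).
    if any(re.search(rf"\b{w}\b", text) for w in MISSPELLINGS):
        hits.append("spelling errors in body")
    return hits


def triage(msg: Email) -> str:
    """Map the cue count to the action the slides recommend."""
    n = len(cues(msg))
    if n >= 2:
        return "suspicious: do not respond; forward to the security mailbox"
    if n == 1:
        return "caution: confirm with the sender by another channel"
    return "no phishing cues found"


# Constructed sample messages (addresses and names are fictitious).
SAMPLES = [
    Email("HR Administrator", "hr-portal@mail-notify.example.net", "Action required",
          "Your benefits acount will be suspended. Do this now: verfy your login.",
          external_banner=True, links=["http://login.example.net/verify"]),
    Email("Jane Doe", "jane.doe@example.com", "Q3 report",
          "Attached is the report we discussed on the call.",
          external_banner=False, attachments=["q3-report.xlsx"], expected=True),
    Email("Vendor Support", "support@vendor.example.org", "Invoice 4471",
          "Please find the invoice attached.",
          external_banner=True, attachments=["invoice.pdf"]),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{m.display_name!r}: {triage(m)} {cues(m)}")
```

A real gateway would take the external-banner flag and the "expected" judgement from mail headers and the recipient respectively; the heuristic only orders the slide's clues into a consistent decision.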

Page 7: Annual Training Information Security Awareness

• A hacker may pose as someone on the phone or in a text message to have you let down your defenses, or to request sensitive information.

• To avoid being phished, always be on your guard against unsolicited requests for information, especially those coming from external parties, and those containing links or attachments. When in doubt, forward the email to [email protected] for analysis before responding.

• If you inadvertently enter your userid and password on a suspicious site, change your password immediately and report the issue to [email protected].

Page 8: Annual Training Information Security Awareness

Your user credentials (userid and password) must be protected.

A hacker who successfully obtains your userid and password can access any system to which you have access without fear of detection.

Using tools available on the so-called Dark Web, a hacker who successfully obtains your userid and password can escalate his access to perform transactions that you yourself cannot, from downloading PII to electronically transferring funds.

Page 9: Annual Training Information Security Awareness

Best Practices and Guidelines - Passwords

Do:

• Use complex passwords of at least 10 characters, including uppercase, lowercase, and special characters.

• Always lock computer using Ctrl-Alt-Del when unattended.

Do Not:

• Share your password with anyone (except temporarily to authorized IT support personnel actively troubleshooting: change your password as soon as the session is complete)

• Write passwords down and store them physically or on your computer, or use the “remember my password” feature for web-based applications.

• Use common expressions, your birthdate, or other easily-guessed elements in your password

• Use your Haemonetics password for non-Haemonetics accounts, like Amazon or Netflix, or your Amazon or Netflix passwords for Haemonetics

Please refer to SOP2659 for further details.

Page 10: Annual Training Information Security Awareness

Guarding against malware

• “Malware” is a category of software intended to do harm. It’s another term for “computer viruses.”

• One category of malware is ransomware. Ransomware locks out computer resources until ransom is paid to the attacker.

• Another category is a RAT, or Remote Access Trojan. This form of malware can provide direct access to your computer to an attacker, or can export sensitive information automatically.

• The best way to protect against malware is to avoid being phished: most malware is introduced via attachments in phishing emails.

• Another key defense is to keep your Anti-Virus (AV) protection up-to-date. Your AV is updated every time you start your computer on the network. This means you should reboot every night, and that if you are a remote worker, you should log in to the network via VPN at least once per week to secure the latest AV updates.

Page 11: Annual Training Information Security Awareness

What is PII (Personally Identifiable Information)?

PII is anything that could be used to identify a specific person. It’s not just social security numbers: it includes names, email addresses, full-face photographs, credit card and bank account information, and so forth. All PII must be protected carefully using both organizational measures (such as access control and data minimization) and technical measures (such as de-identification, encryption, and secure networks).

Some PII elements are more sensitive than others. In general, anything whose exposure could harm an individual requires particular protection. These elements include social security, password and driver’s license, ID or passport numbers, which could support identity theft, as well as protected health information (such as diagnosis and treatment information), criminal history, and religious and political affiliation.

A breach of PII could have major consequences for Haemonetics. In Europe, there are specific rules to prevent and disclose breach of PII, and failure to implement and comply can result in a fine of up to two percent of global revenue under the General Data Protection Regulation (GDPR). In the US, a breach can result in fines under HIPAA regulations as well as class action lawsuits. A breach anywhere in the world could result in major reputational damage, putting at risk our ability to do business in certain geographies and with certain customers.

Page 12: Annual Training Information Security Awareness

Applying this to your daily work

If you are developing a system or process that includes PII, whether for Haemonetics’ employees’, third parties’ or customer patients’ PII, be sure to execute or update the Data Privacy/Protection Impact Assessment (DP/PIA) in accordance with SOP2871. The DP/PIA is a structured way to evaluate risks associated with PII and to define the best means to mitigate those risks.

If you handle customer PII, be sure to complete the required training to SOP2469.

Never carry PII on portable media, including on your laptop or on a flash drive. Always use approved, secure platforms for PII processing.

Don’t re-use PII for a purpose other than that for which it was obtained. For example, donors may have consented to share their data for a clinical trial, but we can’t then use their contact information to do an unrelated customer survey.

Never share PII except as required by documented processes, and minimize the information that is shared. For example, if a customer sends you a screenshot containing PII, redact the screenshot to exclude the PII elements before sharing it or loading it to your computer system, unless that PII is specifically needed per the documented process, in which case ensure that PII is processed according to applicable SOPs and kept for no longer than what is strictly necessary.

Page 13: Annual Training Information Security Awareness

Data protection extends beyond electronic records.

• Whether you’re dealing with employee personnel files or other sensitive information, be sure to:

  • Maintain a “clean desk” policy: sensitive paper records, including those containing PII, should be returned to secure storage when you no longer need to work on them, or at the end of your business day, whichever comes first

  • When disposing of sensitive records, including those containing PII, be certain to dispose of them in bins allocated for shredding

  • Review your SOP or Work Instruction to determine if a Certificate of Destruction is needed for any hard copy records being shredded

Page 14: Annual Training Information Security Awareness

Information Technology Use Policy - Highlights

• All Haemonetics systems are to be used for business purposes only

• Limited reasonable personal use is permitted on an as-needed basis. Employees are responsible for exercising good judgment regarding reasonableness of personal use, and personal use of systems should not be routine

• All users are prohibited from accessing or transmitting material that is offensive in nature, or that could be construed as creating a hostile work environment

• Data created on Haemonetics systems remains property of Haemonetics. Please promptly remove your personal data and avoid saving personal data on Haemonetics-owned systems

• Haemonetics reserves the right to periodically audit networks and systems

Page 15: Annual Training Information Security Awareness

Physical Security - Guidelines

• All employees, contractors, vendors, third party users and all visitors are required to wear some form of visible identification

• All employees should notify site security or the office coordinator if they encounter unescorted visitors without proper identification

• Please accompany contractors and third party users to the restricted areas (data centers, human resources, etc.) if their duties require access to those areas

• As an employee, it is your responsibility to make sure the visitor signs out before he / she leaves the Haemonetics premises

• Make sure that the person behind you entering Haemonetics offices has a valid identification before letting him / her in with you. Otherwise direct them to the main entrance for proper check-in.

• Any suspicious activity / people should be immediately reported to site security or the office coordinator

• Never leave your mobile device unattended, such as in a car, in checked baggage, or at an airport charging station. If your mobile device is lost or stolen, contact the help desk to report the loss to security operations.

Page 16: Annual Training Information Security Awareness

Data Governance

• Haemonetics has a Data Governance, Classification and Retention Policy (BPD-00084) that determines how data will be classified and managed throughout its life cycle.

• Haemonetics classifies all data as either Restricted, For Internal Use Only, or Public. Examples:

Classification: Definition (Examples)

Restricted: Highly sensitive information (PII, material financial information, intellectual property, strategy documents)

For Internal Use Only: Haemonetics internal information (SOPs, Work Instructions, reports)

Public: Publicly disclosed information (Customer Letters, press releases, job postings)

Page 17: Annual Training Information Security Awareness

Data Governance Tips

• Always process data in an approved Haemonetics system. For example, never download PII to your laptop, thumb drive, or personal cloud storage account.

• Pay particular attention to the use of Restricted data, following the applicable SOPs and Work Instructions for your area of responsibility. Remember that systems processing Restricted data should be encrypted at rest and in transit and in general should use your network logon controls (Single Sign On with VPN or Multi-Factor Authentication).

• Keep For Internal Use Only information within Haemonetics. SOPs and other FIUO documents can be shared only as needed and with a Non-Disclosure Agreement (NDA) in place.

• Seek the appropriate approval before making Haemonetics information public. For example, a Customer Letter should be approved in the Document Management system before being distributed, and you should obtain approval from Corporate Communications before publishing an article in a professional journal.

Page 18: Annual Training Information Security Awareness

To Learn More:

Global SOP – Cybersecurity and Data Protection: SOP2870

Global SOP – Data Protection Impact Assessment: SOP2871

Global SOP – Physical Security: SOP2959

Global Data Privacy Policy: BPD-00056

Data Classification, Governance and Retention Policy: BPD-00084

Password Policies: SOP2659

Acceptable Use: SOP2660

Customer Data Protection: SOP2469

Page 19: Annual Training Information Security Awareness

Help to keep Haemonetics secure by:

• Staying current with training and, if you’re a manager, ensuring that your direct reports are current with their training

• Reading security alerts published through HaemoNet

• Being on guard for potential phishing attacks, and sending suspicious emails to [email protected] for analysis and action

• Following required procedures for password protection, acceptable use, and PII protection

Security is Everyone’s Responsibility!