Information Security Awareness Training SECURITY IS EVERYONE'S RESPONSIBILITY

Upload: fred-beck-mba-cpa

Post on 26-Jan-2017


TRANSCRIPT

Page 1: Information Security Awareness Training Open

Information Security Awareness Training

SECURITY IS EVERYONE'S RESPONSIBILITY

Page 2: Information Security Awareness Training Open

Training Objectives and Overview

Page 3: Information Security Awareness Training Open

Objectives

After completing this training, you should be able to:

• Understand cyber security threats associated with email and other forms of electronic communications
• Learn tips on how to safely maneuver through the internet
• Understand why it is important to protect our information assets and your role in the process
• Learn how to better secure your computer and data
• Understand the importance of passwords and how to create a strong password
• Understand how international travel can pose risks to information assets
• Locate policies, standards and travel preparation on the Employee Portal

Page 4: Information Security Awareness Training Open

Electronic Communication

Page 5: Information Security Awareness Training Open

Electronic Communication

• Any communication (email, instant messaging, text messaging, etc.) sent in support of the corporate business is considered a corporate message and is subject to monitoring.

Do not send:

• Anything which could be interpreted as abusive or harassing
• Unsolicited advertising or anything that could be interpreted as a scam

Page 6: Information Security Awareness Training Open

Electronic Communication - Do's

• Be careful of the information shared outside of the company and its competitive value.
• Protect information inside the company by not sharing it with those without a need-to-know.
• Use approved "Chat" applications (set up by the IT helpdesk) for instant messaging needs. The use of other commercial instant messaging products could allow viruses to infect your computer.
• Be mindful of the Information Security Policies and procedures restrictions on information sharing.

Improper use of electronic communication in support of the corporate business can put the company at risk and is a violation of company policy.

Page 7: Information Security Awareness Training Open

Email Viruses

Email is the most common source of computer viruses. What can you do to avoid computer viruses?

When receiving email from questionable sources:

• Do not open attachments.
• Do not click on web links.
• Do not respond to the email.
• If you don't know the sender or what it concerns, the safest thing to do is delete the email.
• Forward the email to [email protected]

Be cautious even of email which appears to be from someone you know. The email could have been forwarded from a questionable or unknown email address. Be certain of the source before you click on a link.

Page 8: Information Security Awareness Training Open

Email

• Email is inherently unsafe because it is the easiest way for someone to breach the system and to trick you.
• Do not forward any confidential company email outside of the corporate policy (i.e., to personal email accounts, etc.).
• If your job requires you to email confidential information to outside parties, including personal information, follow the e-mail policy and use Secure Email*.

*Encrypt: to convert or scramble computer data and messages into something incomprehensible.

Page 9: Information Security Awareness Training Open

Spam

• Spam is unsolicited email (junk email). It may be targeted to a certain group or a mass mailing.
• The corporate e-mail spam service blocks millions of spam emails every day; however, some do manage to get through.
• For the majority of cases, delete the spam.
• If you feel someone should be alerted, call the help desk or forward the email to [email protected]

Page 10: Information Security Awareness Training Open

Phishing

Phishing is a type of cyber attack involving forged emails and websites. Typically, an email is sent with a disturbing message such as "Your bank account has been suspended" and includes a website link or an attachment. The website link looks like a viable website, such as a financial institution, but is actually the hacker's website.

To avoid being caught by a phishing email, individuals should:

• Contact the business directly.
• Be suspicious of any email requesting personal information.
• Do not open links or attachments from questionable sources.
• Delete the email.
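As an added illustration of the lookalike-link trick described above (example code written for this page, not part of the training deck), the following Python script pulls the links out of an HTML message and flags any whose visible text names a different domain than the href actually points to, or whose domain is not one the sender is known to use. The sample message, its domains and the trusted-domain set are all constructed.

```python
# Added example (not from the training deck): flag links in an HTML email whose
# visible text shows one domain while the href points to another. Standard
# library only; the sample message and every domain in it are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Hostname of a URL, or of bare text that looks like one ('www.x.com/y')."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()

def registrable_part(host):
    """Crude eTLD+1 (last two labels); enough to compare the constructed sample."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def suspicious_links(html_body, trusted_domains):
    """Return (href, text, reasons) for links a reader should not click blindly."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        if not href:
            continue
        target = registrable_part(host_of(href))
        looks_like_url = re.match(r"(?:https?://)?[\w.-]+\.[a-z]{2,}", text, re.I)
        shown = registrable_part(host_of(text)) if looks_like_url else ""
        reasons = []
        if shown and shown != target:
            reasons.append(f"text shows {shown} but the link goes to {target}")
        if target not in trusted_domains:
            reasons.append(f"{target} is not a known domain for this sender")
        if reasons:
            findings.append((href, text, reasons))
    return findings

# Constructed sample in the style the slide describes ("account suspended").
SAMPLE_EMAIL = """
<p>Your bank account has been suspended. Verify now:</p>
<a href="http://login.examplebank.com.verify-accounts.example/reset">
  https://www.examplebank.com/reset</a>
<p>Questions? See <a href="https://www.examplebank.com/help">our help page</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL, {"examplebank.com"}):
        print(href, "->", "; ".join(reasons))
```

The first link in the sample is reported on both counts (mismatched display text and an unknown domain); the help-page link, whose visible text is a plain word and whose domain is trusted, is not.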

Page 11: Information Security Awareness Training Open

Internet Usage

Page 12: Information Security Awareness Training Open

Use Good Judgment

The company monitors internet usage and blocks certain websites for a variety of reasons.

Please be aware that anything you do on the internet can be traced.

When accessing the internet from email links, use sound judgment. Be extremely wary of emails asking for information or asking you to click a link. If the email states "You've got to see this," ask yourself why.

Please use sound judgment when accessing personal web-based email such as Yahoo, Gmail, or other non-corporate email systems from your corporate computer.

Page 13: Information Security Awareness Training Open

Blocked Website Categories

Certain types of websites are blocked from the corporate network. Some examples include:

• Adult/Mature Content
• Gambling
• Games
• Hacking
• Personals/Dating
• Social Media
• Violence/Hate/Racism
• Weapons

Contact IT for a complete list of Blocked Website Categories.

Page 14: Information Security Awareness Training Open

Malware

• Malware is a term for malicious software which is designed to be installed on a computer without the owner's knowledge.
• Spyware is a type of malware which monitors your computer activity and reports this activity back to the owner of the spyware. Spyware can keep track of the websites you visit.
• Based on this information, spam or phishing emails can be created by hackers to target your interests or work profession.
• Therefore, visiting unfamiliar sites could infect your computer with malware.

Page 15: Information Security Awareness Training Open

Caution Before You Click

Computers can get infected with malware by simply visiting an infected website. That is why it is very important to be careful when clicking a link in email, search lists, or web pages.

Malware can also steal data. This includes personal data such as computer IDs, passwords, social security and account numbers.

To avoid having your identity compromised by malware:

• Be careful what internet sites you visit.
• Do not open attachments or links from unknown sources.
• Don't download free software from download offers without your manager's approval.

Page 16: Information Security Awareness Training Open

Social Networking (i.e. Facebook, LinkedIn, Twitter)

• Be very careful what information is shared on these sites. Always consider what could be done with this information and the possible impact it may have.
• Certain data posted on these sites may allow a targeted email fraud, phishing, or spam attack to be developed.
• In addition, the personal information posted may be used in a social engineering attack, where someone masquerades as you or a person close to you.
• Access to many social networking sites is blocked from the corporate network due to the risk of exposure.

Page 17: Information Security Awareness Training Open

Public Wireless Access

• Public Wireless Internet is available at many locations. It is important to understand that when you use these networks you are no longer on a network controlled by either you or the company.
• Many of the security controls in place at work are not available on a public network. You cannot assume a public network is secure.
• Protect company information by ALWAYS using your corporate secure Virtual Private Network (VPN) connection when accessing a public network.
• Always use extreme caution when handling corporate information.

Page 18: Information Security Awareness Training Open

Personal Devices

Do not connect personal devices to the corporate network. Examples include:

• iPads
• Tablets
• Wireless cameras
• Wireless printers

Do not use personal software for company business.

• Using personal software for company business violates company license agreements.

Page 19: Information Security Awareness Training Open

Data Security

Page 20: Information Security Awareness Training Open

Protecting Information

• Non-public company information should be protected, both inside and outside the company.
• Unauthorized disclosure of company information can put the company at risk. We could lose competitive advantage, create legal problems, violate regulatory requirements, or tarnish the image of the company.
• Information should only be shared with individuals on a need-to-know basis. The company uses access restrictions on File Shares to protect stored information and Secure File Transfer Protocol (SFTP) to securely transfer information.

Page 21: Information Security Awareness Training Open

Information Protection

Confidential information should never be left unattended in places such as:

• Meeting rooms
• Fax machines
• Printers
• Desks
• Dry erase boards
• Unlocked file cabinets
• Unsecured shared drives

Dispose of personal or confidential information in a secure manner (i.e., shred, delete data from the hard drive according to company guidelines, or incinerate).

Use a clean desk approach. Lock up confidential/sensitive papers when you are not using them.

Page 22: Information Security Awareness Training Open

File Share Ownership for “Common Drive” Information

• Per the corporate policy, File Share owners must be a manager or supervisor.

• File Share owners are responsible for all content and access they own.

• Ownership roles must be reviewed annually and updated when there is a change in job responsibilities.

• Owners should limit access to only those who have a business need to access the information.

• Data owners should adhere to the corporate Information Security Handling and Classification Policy (NO-POL-0026) to ensure content is retained based on regulatory obligations, industry benchmarks and sound business practices. The policy is available on the corporate intranet.

• Do not store Personally Identifiable Information (PII) on a File Share that is accessible by any employee who does not have a legitimate business purpose for accessing that information.

Page 23: Information Security Awareness Training Open

Unauthorized Software

• Installing unauthorized software is a violation of company policy that may result in disciplinary action. Software downloaded from the internet can contain vulnerabilities that put the entire association at risk.
• The company catalogs, tracks, and updates the software contained in the standard computer image for vulnerabilities. However, updates cannot be done for unauthorized software, thus putting the association at risk.
• Software downloaded to share music can often make other files on your computer available for sharing to others and lead to disclosure of sensitive information.
• These precautions apply to all corporate-owned devices, including mobile devices (NO-POL-0013).

Page 24: Information Security Awareness Training Open

Mobile Device Security

Every individual at the company is responsible for protecting the company's information and equipment.

• Laptops, smart phones, tablets and other mobile devices (i.e., thumb drives) should be locked or kept in your personal possession at all times.
• When traveling, be sensitive to where and when you use mobile devices such as phones, laptops, and tablets. Don't allow others to "look over your shoulder".
• Never leave laptops or other mobile devices in clear view inside a vehicle.
• Immediately report any stolen mobile device storing corporate information to the Help Desk.

Mobile devices, including smart phones and tablets, must be password protected.

Page 25: Information Security Awareness Training Open

Corporate Mobile Devices and Personal Information

• The company may elect to provide corporately owned mobile devices to enable the Company workforce. These devices may include tablets such as iPads, smart phones, Androids or other types of mobile devices.
• Though the devices are for corporate use, it is easy to commingle personal information with corporate data on the device.
• To 'commingle' company information and personal information means to mix them in some fashion. Commingling company information and personal information has privacy and security consequences.
• Examples of commingling data include:
  • Personal emails and/or documents stored on a corporate device
  • Corporate email stored on a personal email account
  • Call records of personal telephone calls made on a corporate device

Page 26: Information Security Awareness Training Open

Commingling - No Expectation of Privacy

• The company permits limited personal use of corporate computing resources.
• There are many consequences to storing personal information on a corporate device, including mobile devices. Some of these consequences are:
  • Employees can have no expectation of privacy related to personal information stored on the corporate device.
  • If the employee is involved in personal litigation, and relevant personal data is on the corporate device, that device may be subject to discovery and:
    • The Company may be compelled to provide the personal information to counsel, placing personal information at risk of exposure, and
    • The device may be unavailable to the company for a time, which could place company data at risk of exposure.

Page 27: Information Security Awareness Training Open

USB Flash/Thumb Drives

• USB drives are becoming a way to spread unwanted malicious programs.
• It is important not to insert personal-use USB drives into corporate equipment. This may inadvertently transport a virus or other unwanted programs.
• One hacking trick is to leave infected USB drives lying around in public places for people to pick up and use. While it is enticing to find a 'free' USB drive, inserting it into your corporate or home computer is strongly discouraged.
• To protect information contained on USB drives, look for devices that use a password or allow encryption (scrambling the information into secret code). A user manual often comes with the device to explain these features.
• If you work inside process control environments, use only dedicated portable media to transfer information to Supervisory Control and Data Acquisition (SCADA) systems or process computer systems. Do not use this portable media for any other purpose.

Page 28: Information Security Awareness Training Open

What to do if you notice a Security Issue

If you suspect the company's security has been compromised, a security issue has occurred or unauthorized information has been accessed or released, contact:

• The Help Desk
• Your Manager or Supervisor

Page 29: Information Security Awareness Training Open

Social Engineering

• Social Engineering is the art of manipulating people into performing actions or divulging confidential information. Email is a common method used.
• Attackers create a scenario based on a few known facts (names, phone numbers, etc.) which seems believable. If the story is credible, then most people are more than willing to help the social engineer.
• For example, a social engineer may claim to be a corporate IT employee who needs your password to fix a computer problem. In reality, they are trying to gain access to corporate computers using your ID and password.
• Be very cautious and think twice before giving out corporate information.

Page 30: Information Security Awareness Training Open

Physical Security

Page 31: Information Security Awareness Training Open

Physical Security for Information Assets

• Facilities housing corporate information assets are physically restricted to authorized individuals and require a valid corporate ID.
• These facilities or buildings must be protected by physical security controls that prevent unauthorized individuals from gaining access. Visitors are required to sign in and be accompanied by an escort while in company facilities.
• Remember:
  • Never allow others to use your badge.
  • Never allow tailgating (holding a door or gate open for another person that requires a badge).
  • Report lost or stolen badges immediately to:
    • HR Administration
    • Managers or Supervisors
    • Help Desk

Page 32: Information Security Awareness Training Open

Sabotage on Corporate Facilities

Individuals should watch for one or more of the following signs:

• Physical surveillance of corporate facilities
• Any threats to individuals or property
• Attempts to gain unauthorized access to restricted areas
• Vandalism to company property

What should you do?

• If threatened or in danger, move to safety and call 911.
• Notify HR Administration.
• Do not touch anything. Preserve evidence for investigators.

Page 33: Information Security Awareness Training Open

Lock Your Computer

• Lock your computer when you walk away. It is easy to do:
  1. Press the Ctrl+Alt+Del keys at the same time.
  2. Then select the "Lock Computer" option.
• You are responsible for all actions that occur with your ID. If you leave your computer unattended and unlocked, someone else could take action (such as sending email) using your identity or access your personal information (view your paycheck) via the Portal.
• Your computer should always be in a physically secured location.
• Use the provided cable lock/tether to secure laptops left unattended.

Page 34: Information Security Awareness Training Open

Password Management

Page 35: Information Security Awareness Training Open

Your Password

• Your password is an integral part of the overall protection of the company's information assets.
• Hackers will try to steal passwords and IDs to break into corporate systems.
• If your password is compromised, the hacker has the ability to access anything you can access, using your identity.
• Never use your corporate ID or account password on non-corporate systems such as Amazon, Facebook or eBay. Once a password is compromised, the next logical step for a hacker is to try that password on other systems that you access.

Page 36: Information Security Awareness Training Open

Password Guidelines & Suggestions

The science of password cracking has been simplified with the use of high speed programs that employ databases containing words and phrases. There are ways to protect your password from these types of attacks, such as creating a password by using a password phrase.

Tips: What Not to Do:

• Do not write down or share your password.
• Do not use the same password for everything (i.e., work, personal banking, etc.).
• Do not use information that others could associate with you, like names of family members or pets.
• Do not use cyclical, incremental, or patterned passwords.
• Do not use words spelled backwards.
• Do not use keyboard patterns (i.e., "asdf").

For information on creating a strong password, see Password Requirements located in the Password Policy (NO-POL-0022).

Page 37: Information Security Awareness Training Open

Tips for Creating a Strong Password

Create a strong, secure password that is easy to remember. Use a combination of upper case, lower case, numbers, and special characters to make your password complex.

• Example: Use the phrase "it is not enough to do your best; you must know what to do, and then do your best." (W. Edwards Deming)
• Take the first letter from each word, separate every four letters with a comma, and then put a two digit number at the end.
• Add a number or punctuation every few letters or between syllables.
• A 12 character password would then be "iine,tdyb,12".
• Your corporate password should only be used for your corporate account. Use a different password for all personal email accounts.
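The password recipe on this slide and the "What Not to Do" list on the previous one, worked through in Python as an added example (not code from the training deck): phrase_password derives the 12 character password from the Deming phrase exactly as the bullets describe, and password_issues screens a candidate against the keyboard-pattern, incremental/cyclical, reversed-word and personal-name rules. The names and word list used in the screening step are constructed.

```python
# Added example (not from the training deck): build a password from a phrase
# the way the slide describes, then screen it against the "What Not to Do" list.
import re

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

def phrase_password(phrase, letters=8, group=4, suffix="12"):
    """First letter of each word, a comma every `group` letters, two digits at the end."""
    words = re.findall(r"[A-Za-z]+", phrase)
    initials = "".join(w[0].lower() for w in words)[:letters]
    groups = [initials[i:i + group] for i in range(0, len(initials), group)]
    return ",".join(groups) + "," + suffix

def has_keyboard_pattern(pw, n=4):
    """A run of n characters that walks along a keyboard row in either direction."""
    low = pw.lower()
    rows = KEYBOARD_ROWS + tuple(r[::-1] for r in KEYBOARD_ROWS)
    return any(low[i:i + n] in r for i in range(len(low) - n + 1) for r in rows)

def has_sequence(pw, n=4):
    """Incremental runs such as abcd, 1234 or 4321 (code points stepping by one)."""
    for i in range(len(pw) - n + 1):
        window = pw[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}):
            return True
    return False

def has_repeat(pw, min_len=2):
    """Cyclical patterns: a chunk of at least min_len characters repeated back to back."""
    low = pw.lower()
    return any(low[i:i + k] * 2 in low
               for k in range(min_len, len(low) // 2 + 1)
               for i in range(len(low) - k + 1))

def has_reversed_word(pw, dictionary, min_len=4):
    """Dictionary words spelled backwards, e.g. 'drowssap' for 'password'."""
    low = pw.lower()
    return any(w.lower()[::-1] in low for w in dictionary if len(w) >= min_len)

def password_issues(pw, personal=(), dictionary=()):
    """Rules from the 'What Not to Do' list that pw breaks; an empty list passes."""
    issues = []
    if any(p.lower() in pw.lower() for p in personal if p):
        issues.append("contains information others could associate with you")
    if has_sequence(pw) or has_repeat(pw):
        issues.append("cyclical, incremental or patterned")
    if has_reversed_word(pw, dictionary):
        issues.append("a word spelled backwards")
    if has_keyboard_pattern(pw):
        issues.append("keyboard pattern")
    return issues

if __name__ == "__main__":
    # Constructed personal details and word list for the screening step.
    deming = ("it is not enough to do your best; you must know what to do, "
              "and then do your best.")
    pw = phrase_password(deming)                       # "iine,tdyb,12"
    print(pw, password_issues(pw, personal=("Fred", "Rex"), dictionary=("best",)))
    print("asdf1234", password_issues("asdf1234"))    # keyboard and incremental
```

The derived password passes every rule on the list, while the slide's own "asdf" example is caught twice (keyboard row and the incremental "1234").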

Page 38: Information Security Awareness Training Open


Privacy

• Privacy is a set of fair information practices to ensure:
  • Personal information is accurate, relevant, and current.
  • All collections, uses, and disclosures of personal information are known and appropriate.
  • Personal information is protected.

The Policy for Privacy:

• Implements procedures and controls at all levels to protect the confidentiality and integrity of information stored and processed on systems.

Page 39: Information Security Awareness Training Open


Different types and forms of Personally Identifiable Information (PII)

• Social Security number (SSN)

• Health Insurance Claim Number (HICN)

• Date of birth (DOB)

• National Provider Identification (NPI)

• Driver’s license number

• Passport number

• Personal Health Information (PHI)

• Biometric Information

• PII must be protected in any form: paper, electronic, oral.

Page 40: Information Security Awareness Training Open


Recognize threats to information systems and privacy

• Share information on a need to know basis.
• Never access PII unless authorized to do so to perform your job.
• Only store PII on encrypted devices.
• Encrypt emails and double-check that the recipient name(s) is correct before sending.
• When faxing, confirm that you have the correct fax number and call the recipient to confirm receipt.

Page 41: Information Security Awareness Training Open


Privacy Roles and Responsibilities

Objective: Understand personal responsibility to protect information systems.

Privacy policies and procedures require you to:

• Collect, use, and disclose personal information for reasons that are for a legitimate job function, support the mission of the company and are allowed by law.
• Disclose only the minimum amount of information.
• Access information only for authorized purposes.
• Follow standards to safeguard personal information throughout the information life cycle.
• Report suspected privacy violations or incidents.
• Comply with all applicable privacy laws.
• Shred documents containing PII; NEVER place them in the trash. Contact the IT Department for proper disposal of equipment like copy machines and computers.

As a member of the corporate workforce, you are responsible for following privacy policies and procedures.

Page 42: Information Security Awareness Training Open


Privacy Violations

• Privacy violations can result in severe consequences including:

Page 43: Information Security Awareness Training Open

Security Summary

Page 44: Information Security Awareness Training Open

Things You Can Do To Help Keep the Company Secure

It is the responsibility of each member of the corporate workforce to protect our enterprise information assets. Here are some things you can do to help:

• Only corporate equipment can be connected to the internal business network.
• Do not load any unapproved software on your corporate equipment.
• Do not change any corporate security settings.
• Avoid opening email and attachments from questionable sources.
• Lock your workstation before you walk away.
• Protect corporate data in all formats (i.e., thumb drive, hard copy, CD, etc.).
• Use a strong password.
• Do not write down or share your password.
• Ensure each member of the workforce has access to only what they need.
• Beware of social engineering.
• Report any lost or stolen company information asset (laptop, mobile phone, etc.) to the Help Desk.