Employee Security Training | PPT
Employee Information Security Awareness Training
Objectives
- Help you identify common information security risks
- Help you develop good security practices
- Introduce select Information Security Manual (ISM) Practices and Standards
- Review requirements for protecting information
Topics covered:
- Passwords
- Social Engineering
- Securing Your Workstation
- E-Mail Risks
- Mobile Devices
- Security on the Road
- Unauthorized Software
Protecting Information
- Classified information must be protected.
- Specific handling requirements are based on the risk of modification, disclosure, or loss.
- It is equally important to protect unclassified but sensitive information such as: daily routines, phone numbers, software versions, systems, travel schedules.
Company Information Adversaries
Who wants information on the Company?
- Hackers
- Cyber criminals
- Foreign countries
- Organized crime
- Terrorists
Types of Information That Can Be Exploited
- Names, phone numbers, e-mail addresses
- Software and hardware information
- Process information
- Location information
- Projects
- Work schedules
- Comments about co-workers or your boss
Where Could this Information Come From?
- Pieces of information can be obtained from overheard conversations, web logs (blogs), personal web sites, online resumes, news reports, interviews, etc.
- Social engineering techniques (conning people into revealing sensitive data) are effective, but often the information is publicly available or can simply be overheard.
- Combined, these pieces of information can be VERY valuable.
Why Would Anyone Be Interested?
- To get the inside "scoop"
- To target known hardware/software vulnerabilities and compromise our systems
- To target a physical attack that damages infrastructure
What Can I Do?
- Report all suspected information security compromises immediately.
- Be aware of others trying to gain information from you.
- Be aware of what information you are sharing, where you share it, and with whom you share it.
- Don't be afraid to speak up if you see or hear company information in public that shouldn't be shared with others.
Rules of OpSec
- Don't discuss past, current or future company business in public areas.
- Don't talk to outsiders about company personnel issues, including names of co-workers and schedules.
- Don't openly discuss company office locations and addresses in public or online.
- Don't post information about company business in public forums online; examples include: references to the company, references to your employment at the company, information about your job responsibilities, information about our computing environment, your company e-mail account or phone number.
Rules of OpSec (cont.)
- Don't discuss computer-related information publicly, including the types of software and other systems you use at the company.
- Don't divulge any information over the phone to people calling from outside the company.
- Remember, none of your online activities are anonymous.
- Don't do anything that may pose a risk or cause embarrassment to the company.
- Talk to your management if you're not certain about what you can or can't share.
- Don't assume outsiders aren't trying to collect information on the company. They are!
Create Strong Passwords
- At least eight characters long. The longer your password is, the more difficult it is for someone to guess.
- Use upper- and lower-case letters, 2 numbers and 2 special characters, like $ or #.
- Don't use: dictionary words; combinations or reverse spellings of words; foreign-language or technical words; proper names, location names or user IDs.
Treat eight characters and the character mix as the minimum, not the target: length does more against guessing than symbol counts do, and current guidance (NIST SP 800-63B) favours long passphrases over mandatory composition rules.
Passwords
- Create strong passwords. Create passwords that are easy for you to remember, but difficult for others to guess.
- Protect your password. Passwords must never be given out over the phone, and a user's password must never be changed in response to a telephone or in-person request, when the requester has not been authenticated.
Make Passwords Easy to Remember
Pick a phrase that has meaning to you but would be hard for others to guess, and build the password from it:
- "I am going to New York for a wonderful vacation" -> I@g2NY4awv!
- "I am starting my vacation on Saturday, August 2" -> Ia$mv0Sa2*
Or pick a long word and replace the vowels with numbers and symbols:
- Supermarket -> Sp3rm@rk3t$
Two cautions. The single-word method is much weaker than the phrase methods, because password-cracking tools try these vowel substitutions automatically, so a disguised dictionary word still breaks the "no dictionary words" rule. And any example printed in training material should be assumed to be in attackers' wordlists, so copy the method, never the example.
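An added example, not part of the original deck, that turns the rules on the two password slides into a check: the composition rules from "Create Strong Passwords", plus a dictionary and user-ID test that first undoes the symbol-for-letter substitutions cracking tools try. The word list is a constructed stand-in for a real dictionary, and the substitution map is an assumption about which swaps are worth reversing. Run on the deck's own examples, the two phrase-based passwords pass and the Supermarket one is caught:

```python
# Added example: a checker for the password rules in this deck.
# WORDLIST and LEET_MAP are assumptions standing in for a real cracking
# wordlist and rule set; nothing here is the company's own tool.

# Composition rules from the slide: at least eight characters, upper- and
# lower-case letters, at least two digits and at least two special characters.
MIN_LENGTH = 8
MIN_DIGITS = 2
MIN_SPECIALS = 2

# Constructed stand-in for the dictionary, proper-name and place-name lists a
# real checker would load. "market" is here because wordlists carry common
# words, not only whole compounds such as "supermarket".
WORDLIST = {"password", "welcome", "summer", "market", "vacation",
            "newyork", "august", "saturday"}

# Substitutions that cracking rule sets undo automatically; reversing them
# lets the check see through "l33t" spellings such as Sp3rm@rk3t$.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i", "|": "l"})


def _normalise(pw):
    """Lower-case, undo leet substitutions and keep only the letters."""
    return "".join(c for c in pw.lower().translate(LEET_MAP) if c.isalpha())


def dictionary_hit(pw, user_id=None, wordlist=WORDLIST):
    """Return the first wordlist entry or user ID found in pw (forwards or
    reversed) after normalisation, or None if there is no hit."""
    base = _normalise(pw)
    extra = {user_id.lower()} if user_id else set()
    for word in sorted(set(wordlist) | extra):
        if len(word) >= 4 and (word in base or word[::-1] in base):
            return word
    return None


def check_password(pw, user_id=None):
    """Return the list of rule violations; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if sum(c.isdigit() for c in pw) < MIN_DIGITS:
        problems.append(f"fewer than {MIN_DIGITS} digits")
    if sum(not c.isalnum() for c in pw) < MIN_SPECIALS:
        problems.append(f"fewer than {MIN_SPECIALS} special characters")
    hit = dictionary_hit(pw, user_id)
    if hit is not None:
        problems.append(f"contains dictionary word or user ID: {hit!r}")
    return problems


if __name__ == "__main__":
    # The deck's three examples plus one that looks fine but is not.
    for candidate in ["I@g2NY4awv!", "Ia$mv0Sa2*", "Sp3rm@rk3t$", "Password1!"]:
        print(candidate, check_password(candidate) or "ok")
```

The dictionary test runs on the normalised form, so "Sp3rm@rk3t$" is reported for containing "market" even though it satisfies every composition rule; that is the gap between the two slides the check is meant to expose. Pass the user's login name as `user_id` to enforce the "no user IDs" rule as well.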
Protect Your Passwords
- Protect passwords at all times. Protect them as you would your money and credit cards.
- Never share passwords unless authorized by management under exceptional circumstances. Technical support personnel do not need your password to resolve problems.
- Avoid writing your password down.
- Make your mainframe password unique.
- Passwords for accessing company-related systems must be different from any passwords used for external Internet sites like Amazon.com.
SecureLogin Password Management Tool
- Automatically saves and enters passwords for many applications.
- Applications currently taking advantage of SecureLogin: e-mail, job-specific applications, etc.
- For more documentation, refer to the Information Security Department's Web site.
Social Engineering
A hacker technique to trick people into revealing their passwords and other information. Hackers don't have to come in over the Internet; they may easily get information simply by asking for it. No security technology can stop an attacker who just asks; only you can.
Guarding Against Social Engineering
- Impersonating: Do not share your password with anyone. Be suspicious. If someone contacts you and asks for information you don't think you should provide, suggest having your management contact them.
- Shoulder surfing: Don't let anyone watch you key in your password.
- Eavesdropping: Use caution when discussing company information, especially information about the company's systems and vulnerabilities.
- Dumpster diving: Do not dispose of company documents in public trash receptacles. It's best to dispose of any document containing Bank information at the company.
Responding to Social Engineering
Even if you're careful, you can still give out information to a social engineer. Always report compromises of your password or other classified information to your Information Security Officer or management immediately. Report all suspicious incidents to your management.
Information Handling – Classification
Three levels of classification, based on the risk associated with unauthorized modification, disclosure, or loss of information. Documents labeled with the following classifications should be handled in accordance with ISM guidelines:
- Secret – serious loss
- Confidential – significant loss
- Internal – some loss
Information Handling – Protecting
- Do not share classified information with anyone who is not a company employee.
- Do not leave Secret or Confidential documents unprotected; always secure them.
- Even unclassified information may need protection. You may have access to unclassified information that is not available to the public. You may disclose this nonpublic information only as required for company purposes and only as authorized.
Information Handling – Protecting (cont.)
- Disposal: Highly classified documents must always be shredded.
- E-mailing: Do not send classified documents outside the company. Follow appropriate requirements if you send highly classified documents within the company.
- More on handling classified information: refer to the Handling Classified Information card for details on handling requirements for printed and electronic media and e-mail.
Securing Your Workstation
Employees must restrict access to workstations when they're left unattended. Any time you step away from your computer, you must ensure that your workstation is secured. When leaving for more than eight hours (for example, when you leave work for the day), shut down your workstation unless it needs to remain on because of business requirements.
Restrict access by pressing Ctrl-Alt-Del and selecting Lock Computer, Log Off or Shut Down (Windows key + L also locks the screen).
E-Mail Risks
- Opening files attached to an e-mail loads all data within the file, including any viruses, onto the PC. Do not view, open, edit, save, or forward unexpected or questionable e-mail attachments; if in doubt, verify content and intent with the sender through a channel other than replying to the message. If you can't verify, delete the message.
- Clicking links (URLs) in the text of an e-mail might send you directly to a dangerous site. Do not click links embedded in the text of unexpected or suspicious e-mail; the address a link displays need not be where it actually goes.
- E-Mail Out of Office feature: Carefully review your Out of Office settings and ensure you are not replying to Internet e-mails. An automatic reply confirms to a stranger that your address is live and tells them when you are away, exactly the kind of schedule information the OpSec rules say not to share.
Safe E-Mail Practices
- If you receive an Execution Security Alert (the Lotus Notes prompt shown when mail content tries to run code): call your local help desk. Never click Trust Signer or Execute Once.
- Chain letters: Do not pass along chain letters.
- Newsletters or newsgroups: Use discretion when subscribing to newsletters or newsgroups.
- Personal use: Don't violate any policies or laws with your occasional and incidental personal use. Monitoring of your computer activities may occur.
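An added example, not part of the original deck, of the two checks the "E-Mail Risks" slide asks you to make by eye: does the text of a link match the host it really points at, and does an attachment hide an executable behind a document-looking name. The message is constructed for the example (the .test domains and the file name are not real mail), and the executable-extension list is an assumption; a mail gateway would carry its own, longer one.

```python
# Added example: triage of a suspicious e-mail for look-alike links and
# risky attachments. SAMPLE_EML is a constructed message and EXECUTABLE_EXTS
# an assumed list; neither comes from the original training deck.
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types that execute when opened (assumed list for this example).
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1",
                   "hta", "jar", "msi", "lnk"}

# Constructed sample: a password-expiry lure whose link text shows the
# company login host but whose target is elsewhere, plus a double-extension
# attachment. The base64 body is a few bytes of filler, not a real file.
SAMPLE_EML = """\
From: "IT Help Desk" <helpdesk@examp1e-corp.test>
To: employee@example-corp.test
Subject: Action required: password expiry
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Sign in at
<a href="http://login.example-corp.test.evil.example/reset">https://login.example-corp.test/reset</a>
to keep your access.</p>
<p>Policy reminder: <a href="https://intranet.example-corp.test/policy">intranet.example-corp.test/policy</a></p>
</body></html>
--BOUNDARY
Content-Type: application/octet-stream; name="Password_Policy.pdf.exe"
Content-Disposition: attachment; filename="Password_Policy.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--BOUNDARY--
"""

# Link text that itself looks like a URL or host/path, so it can be compared
# with the real target; "click here" style text has nothing to compare.
_URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/:?#]|$)", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url_or_text):
    """Host name of a URL; bare 'host/path' text is read as http://host/path."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def suspicious_links(msg):
    """(visible text, real href) for links whose text names one host but
    whose target is another: the link says one thing and goes to another."""
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _LinkCollector()
        collector.feed(part.get_content())
        for href, text in collector.links:
            if _URL_LIKE.match(text) and _host(text) != _host(href):
                findings.append((text, href))
    return findings


def risky_attachments(msg):
    """(file name, reason) for attachments whose final extension executes,
    including ones hidden behind a document-looking name such as x.pdf.exe."""
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        pieces = name.lower().split(".")
        if pieces[-1] in EXECUTABLE_EXTS:
            reason = "executable extension " + repr(pieces[-1])
            if len(pieces) > 2:
                reason += " hidden behind a ." + pieces[-2] + " name"
            findings.append((name, reason))
    return findings


def triage(eml_text):
    """Parse a raw message and return what to check before clicking or opening."""
    msg = message_from_string(eml_text, policy=default)
    return {"links": suspicious_links(msg), "attachments": risky_attachments(msg)}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_EML).items():
        for item in items:
            print(kind, item)
```

Only the first link is reported: its text and target name different hosts, while the intranet link's text and target agree. The host comparison is on the real `href`, which is what the browser follows, and the extension check looks at the last extension only, because that is the one the operating system acts on. Neither check replaces the slide's rule to verify with the sender; they narrow down what to ask about.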
Secure Your Mobile Devices
- When you are outside of the company: Never lose control of your device. Keep it with you at all times.
- When you are inside the company: Keep small devices (like cell phone, BlackBerry, etc.) with you or locked in a cabinet or desk drawer. Secure your laptop as appropriate.
- Follow all remote access requirements if you are connecting remotely to the company network.
Mobile Devices
If your BlackBerry or PDA is lost or stolen:
- Report to local police
- Notify appropriate company staff
- Notify area management
If your laptop is lost or stolen:
- Report to local police
- Notify appropriate company staff
- Notify area management
Security on the Road: Non-Technical Remote Work Risks
Performing work remotely brings with it a unique set of threats. Locations where it matters:
- Home
- Home office
- Vehicles
- Coffee shops and bookstores
- Satellite offices
Security on the Road: Non-Technical Travel Risks
Performing high-priority job functions while traveling creates opportunities for danger. Locations where it matters:
- Airports
- Airplanes
- Vehicles
- Wireless hotspots
- Satellite offices
- Hotels
Security on the Road: The Role of the Mobile Device
Why has the mobile and wireless device become such a necessity for the business traveler? Roles that depend on it:
- Executive/Management
- Engineering
- Field Support
- IT Personnel
- Human Resources
- Consumer Support
Security on the Road: Common Business Travel Pitfalls
Business travel security cannot be taken lightly. Some of the mistakes most commonly made that increase the likelihood of a security breach:
- Carelessness with data
- False sense of security
- Lack of normal resources
- Less concern for security
- Foreign wireless networks
- Contact with strangers
- Devices not secured
- Breaking security policies
- Not protecting devices
- Lack of awareness of surroundings
What if your laptop disappears?
Immediate notifications:
- If the loss occurs away from work premises, you must report the incident to the relevant local law enforcement agency as soon as possible.
- If your laptop is lost or stolen, you must notify your management immediately. They will then notify the appropriate work personnel to mitigate any potential information or security breach.
Laptop Issues
Keep control of your laptop:
- Airport, hotel and conference check-in areas
- On board trains, planes, buses and cabs
- On the road: shuttle buses, limos, rental cars, parking and waiting areas
- Do not check as luggage
- Be alert for "shoulder surfers"
- Treat a laptop as you would your desktop workstation
Laptop Security
Laptops have become a major target for thieves. The data stored on a laptop is generally worth more than the laptop itself. The thief may also want the laptop only for the network access it can provide, to:
- Launch DoS attacks
- Carry out criminal activity
- Disrupt the business
Laptop Security Guidelines
- Perform file back-ups regularly
- Lock laptops away when not in use
- Avoid identifiable carrying cases
- Do not check as baggage
- Do not leave in unattended conference rooms
- Store laptops in hotel or room safes
- Keep login information secure
- Encrypt sensitive information
- Be aware of your surroundings
Unauthorized Software
- Only approved software may be loaded on PCs and laptops.
- Unauthorized software may expose the company to viruses, worms, malicious code or copyright violations.
- Obtain management authorization before installing software.
- Do not install unauthorized games, screen savers, music and video files, etc. on company PCs.
Unauthorized Software (cont.)
- Never download unauthorized software from the Internet.
- Never install software downloaded from home or given to you on a CD.
- Never make unauthorized changes to standard Bank software, such as virus scanning programs.
- Never attach unauthorized devices, such as PC video cameras.
- Always shut down your workstation when you leave work for the day unless the workstation must remain powered on for business reasons.
- Always remind others of all these risks.
Information Security Policy Framework
The Information Security Framework consists of:
- Principles
- Practices
- Standards
- Guidelines
ID Badge Protection
- Photo IDs assist in visual identification of individuals at facilities. Worn by all employees.
- Politely request others to show you their badge if it is not visible.
- If your ID badge is also an access card, be aware of access restrictions (after hours, remote sites).
- Report a lost ID badge immediately.
Company Policies
Information Security Manual: All suspected information security incidents must be reported as quickly as possible through the appropriate internal channels.
Computer Use Policy: It is the responsibility of the employee to be aware at all times of the location of the laptop and satisfied that it is physically secure. Report loss or theft as soon as possible to local management. Local management should also provide a copy of the loss information to Protection, Audit, Information Security and Management Information.
Related policies and standards:
- Screensaver Lock Policy
- E-Mail Policy
- Webinar Training Policy
- Workstation Power-down Policy
- Modem Use Policy
- Software Installation Standard
- Personal Firewall Standard
- Computer Use Policy
Summary
- Passwords: Create strong passwords that are easy for you to remember. Never share your password without approval.
- Social Engineering: Be suspicious when talking on the phone to an unknown caller. Use care when discussing company information in public places. Notify management of known or suspected threats.
- Information Handling: Do not allow access to information without a "need to know." Protect classified information and follow ISM classification and handling requirements.
- Securing Your Workstation: Restrict access to your workstation when you leave it unattended.
- E-Mail Risks: Verify suspicious e-mail with questionable attachments with the sender. Do not click links in suspicious e-mails. If in doubt, delete the e-mail. Do not use e-mail for chain letters.
Summary (cont.)
- Mobile Devices: Secure your mobile devices at all times. Follow remote access requirements when connecting to the company remotely.
- Unauthorized Software: Do not load any software without approval. You may use company computers for occasional and incidental personal use as long as you neither endanger our systems nor violate policies. Your computer activities may be monitored.
- Protect the company. Be vigilant: if you observe a security violation, report it to management and correct it, if possible.
Thank You
