The Role of Information Security in Everyday Business <Company>
Agenda
• Information Security Explained
• The Need for Information Security
• Your Security Role at <Company>
• Vital <Company> Assets
• Security Threats & Countermeasures
• Home Computer Use
• Helpful Security Resources
• Closing Comments
Information Security Explained
Information security involves the preservation of:
• Confidentiality: ensuring information is disclosed to, and reviewed exclusively by, intended recipients / authorized individuals
• Integrity: ensuring the accuracy and completeness of information and processing methods
• Availability: ensuring that information and associated assets are accessible, whenever necessary, to authorized individuals
The Need for Information Security
The Need for Information Security
• It is the law
  • <Provide overview here>
The Need for Information Security (2)
• In the news
  • “McAfee: Auditor failed to encrypt employee-records CD, left it on plane,” Mercury News, 2/23/06
  • “Another security breach reported - Stolen laptop had clients' private data, says Ernst & Young,” San Francisco Chronicle, 2/25/06
  • “The network is the risk: in August, the Zotob virus disabled CNN and ABC News...” Risk & Insurance Magazine, 9/15/05
  • “Glouco employee charged with theft: He and his brother are accused of creating fake firms to take $110,000-plus from the utilities authority,” The Philadelphia Inquirer, 2/24/06
  • “ChoicePoint multi-million dollar penalty illustrates need for Congress to enact strong ID-theft protections, regulate data brokers,” US Newswire, 1/26/06
• Consequences
  • Many of the victims are you, the people.
  • Reputations are compromised through media coverage.
  • Substantial financial loss is incurred by impacted organizations.
The Need for Information Security (3)
• Previous <company> security incidents
  • <Provide overview of applicable previous security incidents experienced by company here>
The Need for Information Security (4)
• The consequences of insufficient security
  • Loss of competitive advantage
  • Identity theft
  • Equipment theft
  • Service interruption (e.g., e-mail and <application>)
  • Embarrassing media coverage
  • Compromised customer confidence; loss of business
  • Legal penalties
Your Security Role at <Company>
Your security role at <company>
• You can prevent several security threats facing <company>
  • Comply with our corporate security policies
    • Key policy one
    • Key policy two
    • Key policy three
  • All of <company>’s corporate security policies may be located at:
    • <Provide all locations here>
Your security role at <company>
• You can prevent several security threats facing <company> (2)
  • Treat everything you do at <company> as you would treat the well-being of anything of vital importance to you
  • Examples of questions you should ask yourself before performing a specific activity include:
    • Could the actions I am about to perform in any way harm either myself or <company>?
    • Is the information I am currently handling of vital importance either to myself or <company>?
    • Is the information I am about to review legitimate / authentic?
    • Have I contacted appropriate <company> personnel with questions regarding my uncertainty about how to handle this sensitive situation?
Your security role at <company>
• Whom to contact
  • It is critical for you to contact appropriate <company> personnel the moment you suspect something is wrong
    • <Name “1”, title, reason to contact>
    • <…>
    • <Name “n”, title, reason to contact>
Vital <company> Assets
Vital <company> assets
• Your effectiveness in securing <company>’s assets begins with understanding what is of vital importance to <company>
  • <Asset “1”>
  • <…>
  • <Asset “n”>
Security Threats & Countermeasures
Security threats & countermeasures
• Malicious software: viruses
  • Malicious code embedded in e-mail messages that is capable of inflicting a great deal of damage and causing extensive frustration, for example by:
    • Stealing files containing personal information
    • Sending e-mails from your account
    • Rendering your computer unusable
    • Removing files from your computer
• What you can do
  • Do not open e-mail attachments:
    • Received from unknown individuals
    • That in any way appear suspicious
  • If uncertain, contact <contact>
  • Report all suspicious e-mails to <contact>
Security threats & countermeasures
• Malicious software: spyware
  • Any technology that aids in gathering information about you or <company> without your or its knowledge and consent.
  • Programming that is put in a computer to secretly gather information about the user and relay it to advertisers or other interested parties.
  • Cookies are used to store information about you on your own computer.
    • If a Web site stores information about you in a cookie of which you are unaware, the cookie is considered a form of spyware.
  • Spyware exposure can be caused by a software virus or as a result of installing a new program.
• What you can do
  • Do not click on options in deceptive / suspicious pop-up windows.
  • Do not install any software without receiving prior approval from <contact>.
  • If you experience slowness / poor computer performance or excessive occurrences of pop-up windows, contact <contact>.
Security threats & countermeasures
• Unauthorized systems access
  • Individuals maliciously obtain unauthorized access to computers, applications, confidential information, and other valuable assets
  • Not all guilty parties are unknown; some can be your co-workers
  • Unauthorized systems access can result in theft and damage of vital information assets
• What you can do
  • Use strong passwords for all accounts
  • Commit passwords to memory
    • If not possible, store all passwords in a secure location (i.e., not on a sticky note affixed to your monitor or the underside of your keyboard)
  • Never tell anyone your password
  • Never use default passwords
  • Protect your computer with a password-protected screensaver
  • Report suspicious individuals / activities to <contact>
  • Report vulnerable computers to <department>
Security threats & countermeasures
• Shoulder surfing
  • The act of covertly observing employees’ actions with the objective of obtaining confidential information
• What you can do
  • Be aware of everyone around you… and what they are doing, especially in public settings such as:
    • Airline and train travel
    • Airports, hotels, cafes, and restaurants; all public gathering areas
    • Internet cafes
    • Computer labs
  • Do not perform work involving confidential <company> information if you are unable to safeguard yourself from shoulder surfing
  • Request a privacy screen for your <company>-issued laptop computer from <contact>
Security threats & countermeasures
• Unauthorized facility access
  • Individuals maliciously obtain unauthorized access to offices with the objective of stealing equipment, confidential information, and other valuable <company> assets
• What you can do
  • Do not hold the door for unidentified individuals; i.e., do not permit “tailgating”
  • <Provide company procedures regarding challenging and reporting individuals with no visible visitor / employee ID badges>
  • Shred all <company> confidential documents
  • Do not leave anything of value exposed in your office / work space (e.g., lock all <company> confidential documents in desk drawers / file cabinets)
  • Escort any of your own visitors throughout the duration of their visit
Security threats & countermeasures
• Curious personnel
  • An employee who is not necessarily malicious but who performs activities testing the limits of their network and facilities access
• What you can do
  • Retrieve your <company> confidential faxes and printed documents immediately
  • Shred all <company> confidential documents
  • Lock all <company> confidential documents in desk drawers / file cabinets
  • Follow the guidance previously provided to prevent unauthorized systems access
  • Report suspicious activity / behavior to your supervisor
Security threats & countermeasures
• Disgruntled employees
  • Upset / troubled employees with an intent to harm other employees or <company>
• What you can do
  • Contact <contact> if you suspect an employee is disgruntled and potentially dangerous
  • Be observant of others and report suspicious / inappropriate behavior to <contact>
  • Exercise extreme care when aware of an unfriendly termination
Security threats & countermeasures
• Social engineering
  • Taking advantage of people’s helpful nature / conscience for malicious purposes
• What you can do
  • Never lose sight of the fact that successful social engineering attacks rely on you, <company> employees
  • If a received phone call is suspicious, ask to call the person back
  • Do not provide personal / confidential <company> information to a caller until you are able to verify the caller’s identity and their association with the employer they claim to represent
  • Never provide a caller with anyone’s password, including your own
  • Report any unrecognized person in a <company> facility to <contact>
Security threats & countermeasures
• Phishing
  • An online scam whereby e-mails are sent by criminals who seek to steal your identity, rob your bank account, or take over your computer
• What you can do
  • Use the “stop-look-call” technique:
    • Stop: do not react to phishing ploys consisting of “upsetting” or “exciting” information
    • Look: look closely at the claims in the e-mail, and carefully review all links and Web addresses
    • Call: do not reply to e-mails requesting you to confirm account information; call or e-mail the company in question to verify whether the e-mail is legitimate
  • Never e-mail personal information
  • When submitting personal / confidential information via a Web site, confirm the security lock is displayed in the browser
  • Review credit card and bank account statements for suspicious activity
  • Report suspicious activity to <contact>
Security threats & countermeasures
• Information theft through free instant messaging (IM) services
  • Privacy threats caused by using free IM services in the workplace include personal information leakage, loss of confidential information, and eavesdropping
  • <Corporate IM security policy here>
• What you can do
  • Depending upon with whom you are communicating, and how IM was implemented, every message you send – even to a co-worker sitting in the next cubicle – may traverse outside of <company>’s corporate network
  • All of the messages you send may be highly susceptible to being captured and reviewed by malicious people
  • Never send confidential messages or any files to individuals via IM
  • Realize that there is no means of knowing that the person you are communicating with is really who they say they are
Home Computer Use
Home computer use
• Specific conditions and procedures should be followed when using home computers for business purposes
  • <Condition “1”>
  • <…>
  • <Condition “n”>
Home computer use
• Specific conditions and procedures should be followed when using home computers for business purposes (2)
  • <Procedure summary “1”>
  • <…>
  • <Procedure summary “n”>
Helpful Security Resources
Helpful security resources
• Outlined below are several helpful security resources
  • http://www.microsoft.com/athome/security/default.mspx
    • Security guidance for home computer use, much of which also applies to <company> computer use
Helpful security resources
• Outlined below are several helpful security resources (2)
  • http://www.microsoft.com/athome/security/spyware/software/default.mspx & http://www.microsoft.com/athome/security/spyware/software/about/overview.mspx
    • Microsoft’s Windows Defender product, a free program that helps protect your home computers against pop-ups, slow performance, and security threats caused by spyware and other unwanted software
Helpful security resources
• Outlined below are several helpful security resources (3)
  • http://safety.live.com/site/en-US/center/howsafe.htm
    • Microsoft resources that help protect your home computers against hackers, malicious software, and other security threats
Helpful security resources
• Outlined below are several helpful security resources (4)
  • http://www.microsoft.com/presspass/newsroom/msn/factsheet/WindowsOneCareLiveFS.mspx
    • Windows Live OneCare is a service that continually protects and maintains your home computers
Closing Comments
Closing comments
• Be security-conscious regarding anything of vital importance to <company> and yourself
  • When your personal safety, <company>’s safety, or any confidential information is involved, always ask yourself, “what measures should I take to keep myself and my employer safe, and my employer’s confidential information protected against harm, theft, and inappropriate disclosure?”
• Apply the considerations discussed in today’s security awareness session when at home
  • Threats do not stop at the workplace; they extend to your home and other surroundings
• Do not allow this security awareness session to lead to paranoia
  • Use what you learned today to make more informed decisions to protect yourself, <company>, and others
• This security awareness session is the beginning of <company>’s information security awareness and training program
  • <Provide a brief summary of what should be expected next, and the strategic direction of your ISATP>