The Role of Information Security in Everyday Business BSNSF Brought to you by the Fall 2009 WSUS Team of Jerry Freeman, Justin Fisher, Mary Miley, and Tim Rose
Information Security Explained • Information Security Explained • The Need for Information Security • Your Security Role at BSNSF • Vital BSNSF Assets • Security Threats & Countermeasures • Home Computer Use • Helpful Security Resources • Closing Comments
Information Security Explained Information security involves the preservation of: • Confidentiality: Ensuring information is disclosed to, and reviewed exclusively by intended recipients / authorized individuals • Integrity: Ensuring the accuracy and completeness of information and processing methods • Availability: Ensuring that information and associated assets are accessible, whenever necessary, by authorized individuals
The Need for Information Security • It is the law • HIPAA • Sarbanes-Oxley • Federal Information Security Management Act of 2002 • USA PATRIOT Act • Gramm-Leach-Bliley Act
The Need for Information Security (2) • In the news • “McAfee: Auditor failed to encrypt employee-records CD, left it on plane,” Mercury News, 2/23/06 • “Another security breach reported - Stolen laptop had clients' private data, says Ernst & Young,” San Francisco Chronicle, 2/25/06 • “The network is the risk: in August, the Zotob virus disabled CNN and ABC News...” Risk & Insurance Magazine, 9/15/05 • “Glouco employee charged with theft: He and his brother are accused of creating fake firms to take $110,000-plus from the utilities authority,” The Philadelphia Inquirer, 2/24/06 • “ChoicePoint multi-million dollar penalty illustrates need for Congress to enact strong ID-theft protections, regulate data brokers,” US Newswire, 1/26/06 • Consequences • Many of the victims are you, the people. • Reputations are compromised through media coverage. • Substantial financial loss is incurred by impacted organizations.
The Need for Information Security (3) • Previous BSNSF security incidents • Not aware of any past security breaches as this is a relatively new (reformatted) network • Have the employees (students) share one or two incidents they personally experienced in other positions
The Need for Information Security (4) • The consequences of insufficient security • Loss of competitive advantage • Identity theft • Equipment theft • Service interruption (e.g., e-mail and <application>) • Embarrassing media coverage • Compromised customer confidence; loss of business • Legal penalties
Your security role at BSNSF • You can prevent several security threats facing BSNSF • Comply with our corporate security policies • Passwords must be 8 characters or longer and use upper and lower case letters plus punctuation, numbers, and special characters • Use Symantec Anti-Virus • Apply patches and updates regularly • Follow BSNSF’s Acceptable Use Policy • All of BSNSF’s corporate security policies are available from: • Mr. Clevenger • The Student Handbook
Your security role at BSNSF • You can prevent several security threats facing BSNSF (2) • Treat everything you do at BSNSF as you would treat the well-being of anything of vital importance to you • Examples of questions you should ask yourself before performing a specific activity include: • Could the actions I am about to perform in any way harm myself or BSNSF? • Is the information I am currently handling of vital importance either to myself or BSNSF? • Is the information I am about to review legitimate / authentic? • Have I contacted appropriate BSNSF personnel with questions regarding my uncertainty about how to handle this sensitive situation?
Your security role at BSNSF • Whom to contact • It is critical for you to contact appropriate BSNSF personnel the moment you suspect something is wrong • Mr Gerald Clevenger, CIO • Your Team Leader • Class Security Manager
Vital BSNSF assets • Your effectiveness in securing BSNSF’s assets begins with understanding what is of vital importance to BSNSF • ISA and ASA servers • SharePoint servers • Active Directory • Firewall and ESX servers
Security threats & countermeasures • Malicious software: viruses • Malicious code embedded in e-mail messages that is capable of inflicting a great deal of damage and causing extensive frustration, for example by: • Stealing files containing personal information • Sending e-mails from your account • Rendering your computer unusable • Removing files from your computer • What you can do • Do not open e-mail attachments: • Received from unknown individuals • That in any way appear suspicious • If uncertain, contact the CIO • Report all suspicious e-mails to the CIO and the School NetAdmin
Security threats & countermeasures • Malicious software: spyware • Any technology that aids in gathering information about you or BSNSF without your knowledge and consent. • Programming that is put on a computer to secretly gather information about the user and relay it to advertisers or other interested parties. • Cookies are used to store information about you on your own computer. • If a Web site stores information about you in a cookie of which you are unaware, the cookie is considered a form of spyware. • Spyware exposure can be caused by a software virus or as a result of installing a new program. • What you can do • Do not click on options in deceptive / suspicious pop-up windows. • Do not install any software without receiving prior approval from Mr Clevenger. • If you experience slowness / poor computer performance or excessive occurrences of pop-up windows, contact Mr Clevenger.
Security threats & countermeasures • Unauthorized systems access • Individuals maliciously obtain unauthorized access to computers, applications, confidential information, and other valuable assets • Not all guilty parties are unknown; some can be your co-workers • Unauthorized systems access can result in theft and damage of vital information assets • What you can do • Use strong passwords for all accounts • Commit passwords to memory • If not possible, store all passwords in a secure location (i.e., not on a sticky note affixed to your monitor or the underside of your keyboard) • Never tell anyone your password • Never use default passwords • Protect your computer with a password-protected screensaver • Report suspicious individuals / activities to a faculty member • Report vulnerable computers to Mr Clevenger
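To make the password rule from the "Your security role at BSNSF" slide (8 characters or longer; upper and lower case; numbers; punctuation / special characters) and the "never use default passwords" guidance above concrete, here is an added Python checker. It is not part of the original presentation, and the short list of default passwords it rejects is constructed for illustration, not BSNSF's own list.

```python
import string
from typing import List

# Rule stated in the BSNSF corporate security policy slide.
MIN_LENGTH = 8
SPECIALS = set(string.punctuation)

# Constructed sample of vendor-style default passwords (assumption: a real
# deployment would load the organisation's own denylist instead).
DEFAULT_PASSWORDS = {"password", "admin", "changeme", "welcome1", "12345678"}


def password_violations(password: str) -> List[str]:
    """Return every policy rule the password fails; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in SPECIALS for c in password):
        problems.append("no punctuation or special character")
    # Case-insensitive match so "Password" is still treated as a default value.
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("is a known default password")
    return problems


def is_compliant(password: str) -> bool:
    """True only when no rule is violated."""
    return not password_violations(password)
```

Report the returned list to the user rather than a bare "rejected", so they can fix the specific rule they missed.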
Security threats & countermeasures • Shoulder surfing • The act of covertly observing employees’ actions with the objective of obtaining confidential information • What you can do • Be aware of everyone around you… and what they are doing • Airline and train travel • Airports, hotels, cafes, and restaurants; all public gathering areas • Internet cafes • Computer labs • Do not perform work involving confidential BSNSF information if you are unable to safeguard yourself from shoulder surfing • Request a privacy screen for your BSNSF-issued laptop computer from the school bookstore (if available)
Security threats & countermeasures • Unauthorized facility access • Individuals maliciously obtain unauthorized access to offices with the objective of stealing equipment, confidential information, and other valuable BSNSF assets • What you can do • Do not hold the door for unidentified individuals; i.e., do not permit “tailgating” • Ask the individual how you can assist them. Escort the person(s) to the receptionist or the nearest faculty member. • Shred all BSNSF confidential documents • Do not leave anything of value exposed in your office / work space (e.g., lock all BSNSF confidential documents in desk drawers / file cabinets) • Escort any of your own visitors throughout the duration of their visit
Security threats & countermeasures • Curious personnel • An employee who is not necessarily malicious but who performs activities testing the limits of their network and facilities access • What you can do • Retrieve your BSNSF confidential faxes and printed documents immediately • Shred all BSNSF confidential documents • Lock all BSNSF confidential documents in desk drawers / file cabinets • Follow the guidance previously provided to prevent unauthorized systems access • Report suspicious activity / behavior to your supervisor
Security threats & countermeasures • Disgruntled employees • Upset / troubled employees with an intent to harm other employees or BSNSF • What you can do • Contact Mr Clevenger if you suspect an employee is disgruntled and potentially dangerous • Be observant of others and report suspicious / inappropriate behavior to Mr Clevenger • Exercise extreme care when aware of an unfriendly termination
Security threats & countermeasures • Social engineering • Taking advantage of people’s helpful nature / conscience for malicious purposes • What you can do • Never lose sight of the fact that successful social engineering attacks rely on you, the BSNSF employees • If a received phone call is suspicious, ask to return their call • Do not provide personal / confidential BSNSF information to a caller until you are able to verify the caller’s identity and their association with the company they claim to represent • Never provide a caller with anyone’s password, including your own • Report any unrecognized person in a BSNSF facility to Mr Clevenger
Security threats & countermeasures • Phishing • An online scam whereby e-mails are sent by criminals who seek to steal your identity, rob your bank account, or take over your computer • What you can do • Use the “stop-look-call” technique: • Stop: Do not react to phishing ploys consisting of “upsetting” or “exciting” information • Look: Look closely at the claims in the e-mail, and carefully review all links and Web addresses • Call: Do not reply to e-mails requesting you to confirm account information; call or e-mail the company in question to verify whether the e-mail is legitimate • Never e-mail personal information • When submitting personal / confidential information via a Web site, confirm the security lock is displayed in the browser • Review credit card and bank account statements for suspicious activity • Report suspicious activity to your team leader
Security threats & countermeasures • Information theft through free instant messaging (IM) services • Privacy threats caused by using free IM services in the workplace include personal information leakage, loss of confidential information, and eavesdropping • The use of IM has not yet been approved and will not be used • What you can do • Depending upon with whom you are communicating, and how IM was implemented, every message you send – even to a co-worker sitting in the next cubicle – may traverse outside of BSNSF’s corporate network • All of the messages you send may be highly susceptible to being captured and reviewed by malicious people • Never send confidential messages or any files to individuals over IM • Realize that there is no means of knowing that the person you are communicating with is really who they say they are
Home computer use • Specific conditions and procedures should be followed when using home computers for business purposes • Use must first be approved by the BSNSF Instructor • Home computer must have acceptable Anti-virus software installed and functioning • Home laptops / netbooks are subject to inspection at any time by school authorities
Helpful security resources • Outlined below are several helpful security resources • http://www.microsoft.com/athome/security/default.mspx • Security guidance for home computer use, which in many cases also applies to BSNSF computer use
Helpful security resources • Outlined below are several helpful security resources (2) • http://www.microsoft.com/athome/security/spyware/software/default.mspx & http://www.microsoft.com/athome/security/spyware/software/about/overview.mspx • Microsoft’s Windows Defender product, which is a free program that helps protect your home computers against pop-ups, slow performance, and security threats caused by spyware and other unwanted software
Helpful security resources • Outlined below are several helpful security resources (3) • http://safety.live.com/site/en-US/center/howsafe.htm • Microsoft resources that help protect your home computers against hackers, malicious software, and other security threats
Helpful security resources • Outlined below are several helpful security resources (4) • http://www.microsoft.com/presspass/newsroom/msn/factsheet/WindowsOneCareLiveFS.mspx • Windows Live OneCare is a service that continually protects and maintains your home computers
Closing comments • Be security-conscious regarding anything of vital importance to BSNSF and yourself • When your personal safety, BSNSF’s safety, or any confidential information is involved, always ask yourself, “what measures should I take to keep myself and my employer safe, and my employer’s confidential information protected against harm, theft, and inappropriate disclosure?” • Apply the considerations discussed in today’s security awareness session when at home as well • Threats do not stop at the workplace; they extend to your home and other surroundings • Do not allow this security awareness session to lead to paranoia • Use what you learned today to make more informed decisions to protect yourself, BSNSF, and others • This security awareness session is the beginning of BSNSF’s information security awareness and training program • Assessments will follow in the weeks ahead to ensure compliance • This presentation can be found on the BSNSF Intranet • Annual refresher training will be conducted