1. Security Awareness Training
COVER PAGE – Change to suit your needs.
2. You are Here!
Laws & Regulations
The Organization & IT Security
System Interconnection & Information Sharing
Sensitivity
Risk Management
Management Controls
Acquisition/Development/Installation/Implementation Controls
Operational Controls
Technical Controls
3. Why You Are Here
Matrix: 1a
This slide lets staff know why they are attending security awareness training. It also reminds them of the organization's existing policies.
For example, HIPAA requires security awareness training.
For example, the State Administrative Manual (SAM) requires training to staff with respect to individual, agency and statewide security responsibilities and policies. [SAM 4842.2]
Concepts covered should include:
Specific laws, policies or procedures that may affect your institution.
An introduction to the concept that an employee has a responsibility in protecting assets within the Entity.
4. Privacy Policy Review
You Must Protect Information
Your Responsibilities
1. You must keep information confidential. No gossiping.
2. You must report misuses you see.
3. You have reporting options – know who to report to.
Matrix: 1b, 1g(3-4)
REVIEW OF PRIVACY POLICY - OPTIONAL
Along with your specific Security policies and procedures, this is an opportunity to remind staff that the Privacy Policies dovetail with Security.
You Must Protect Information:
Be conscious of what information our department has, be aware of how you use the information, knowing beyond a reasonable doubt that you have not compromised Entity’s electronic security measures, report privacy/security breaches, fix systemic security problems quickly, and promote “best practices” within departments.
Your Responsibility:
1. If you find yourself in a position where you are exposed to or working with health information specific to an individual, or similar confidential or restricted information, you must keep it confidential. Remember to not gossip.
2. If you see this kind of information being disclosed or used improperly you must report it.
3. In reporting you have several options. You may report to: your supervisor; your department Privacy Liaison; the Entity Privacy & Security Officer; the Entity Privacy & Security Appeals Officer; and lastly, the U.S. Department of Health and Human Services. Reporting will be kept confidential.
5. Privileges & Responsibilities
You are responsible for complying with Entity policies and State and Federal law
Other Programs' policies – if they apply, you will be responsible for them
So, read all policies!
Matrix: 1b, 1g(3-4)
This slide reminds staff that other policies, procedures or laws could be more stringent and may affect their department or program differently.
Remind staff to read all policies that apply to them and their job. They are responsible for complying with the department/program policy.
“You are responsible for complying with Entity policies and State and Federal law when using Entity resources.
Some Departments, Divisions, or Programs have their own policies – if they apply to your job function, you will be responsible for them, so be sure to read all policies!”
6.
Matrix: 1b
During a typical day you may become aware of an attempt to breach an area of security.
SECURITY AWARENESS IS:
Knowing what to do if you feel someone is attempting to:
- wrongfully take property or information (Trainers: ask for possible examples) (e.g. stealing a laptop)
- obtain personal information about our staff, clients, or vendors (Trainers: ask for possible examples) (e.g. unauthorized sharing of client information)
- use our resources for illegal or unethical purposes (Trainers: ask for possible examples) (e.g. surfing inappropriate web sites at work)
Last month the number one visited web site here was _________. (Trainers: check with the IT department to get this information and use it as a tidbit to gain interest from staff)
7. Remember the Awareness Mindset
Understand there is the possibility that some people will deliberately or accidentally attempt to steal, damage or misuse the data in my computer system(s). Therefore, I will do what I can to keep that from happening.
Matrix: 1b, 2e, 3c and 9d
This is a reminder of personal responsibility to security. This is the mindset you want the staff to take away from the training.
8. Where Do Intruders Come From?
Who are these threat agents?
Teenage pranksters
Hacker junkies
Disgruntled employees
Terrorists (disruption of services)
Criminals (selling information)
Foreign intelligence agents
Matrix: 1c(1), 1d, 5a(1) and 5c(1)
INTRODUCTION TO THREAT AGENTS AND HOW THEY COULD AFFECT YOUR ENTITY
Anywhere - at any time - intruders can attack, often hiding their identity. Ironically, the Internet, which was originally designed to promote unrestricted sharing of academic information, has become a global communications system where sensitive data is potentially available to anyone with a connection.
SHOULD INCORPORATE ANY THREATS YOU WANT STAFF TO BE AWARE OF.
DESCRIBE EACH AND HOW THEY COULD AFFECT YOUR NETWORK
9. Laws
Health Insurance Portability and Accountability Act (HIPAA)
California Public Records Act
Freedom of Information Act
Other relevant laws?
Matrix: 1e, 1f
Yes, laws even have a place in IT Security. The information stored, created and transmitted in IT systems is protected by many laws:
The California Public Records Act (PRA) is the State equivalent of the Federal Freedom of Information Act (FOIA).
It regulates access by the public to public records held by government agencies, including medical information protected under HIPAA.
The PRA applies to all State and local government agencies, offices, officers, departments, divisions, bureaus, boards, and commissions. (Gov. Code § 6252(a), (b).)
The FOIA applies only to federal agencies and does not create a right of access to records held by Congress, the courts, or by state or local government agencies. Each State has its own public access laws that should be consulted for access to state and local records.
10. What the Client Expects
Matrix: 1f(2)
Protect their personal health information just as you would want your personal information protected. This means:
Don’t discuss their information in earshot of others who do not have a need to know.
Lock and protect hard copies/paper.
Use passwords and physical security for personal information stored on computers and in databases.
Not only is it good practice to do these things, but HIPAA requires that protected health information be safeguarded.
11. Don’t copy that floppy…(or MP3 file)!
Don’t download from unauthorized sites!
Kazaa, WebShots, WebRadio…
Business Software Alliance
Matrix: 1g(1), 5b, 6d(1) and 9d
Topic moves from what is being “pushed” at staff to what staff could inadvertently do by not following internal policy and copyright laws.
This is a good place to illustrate why it is against your policy to allow copying MP3s or using KAZAA at work, if that is your policy.
KAZAA – 45% of all downloads have malicious code.
Webshots and Webradio (Streaming audio and video) use lots of bandwidth resources.
OPTIONAL DISCUSSION:
Business Software Alliance - A REPORTING AGENCY FOR SOFTWARE PIRACY (http://www.bsa.org/usa/index.cfm)
The Business Software Alliance promotes global policies that foster innovation, growth and a competitive marketplace for commercial software and related technologies. Strong copyright protections, cyber security and barrier-free trade are crucial to achieving these goals.
12.
Matrix: 1b, 1g(2) and 3d
Insert your network policy on this slide. Listed on the slide are examples of different areas you may want to cover in your network policy.
OPTIONAL TO USE A BULLET POINT FOR SPECIFIC POINTS AND GIVE AUDIENCE A COPY OF ENTIRE POLICY. YOU MAY NEED MORE THAN ONE SLIDE TO COVER ALL YOUR POLICIES.
13. Selecting Security Controls
HIPAA requirements (laws & regulations) influence what security controls we put in place.
An Entity balances their business processes with the potential liability if there is a breach of EPHI.
Matrix: 1g(6)
BALANCING CONTROLS
An Entity balances their business processes with the potential liability if there is a breach of EPHI.
This involves examining business processes for:
- EPHI that may be breached,
- Risk that a breach can occur, and
- How many people may be affected by the breach, which may require mitigation. [to name a few]
If an Entity reviews and understands applicable laws, has those laws covered in their mission statement and develops policies to support their mission statement and those laws, then they can begin to demonstrate due diligence.
14. You are Here!
Laws & Regulations
The Organization & IT Security
System Interconnection & Information Sharing
Sensitivity
Risk Management
Management Controls
Acquisition/Development/Installation/Implementation Controls
Operational Controls
Technical Controls
15. The Role of IT Security Within the Organization
Entity Mission
How IT supports that Mission
IT systems that are a must to successfully achieve our mission
Matrix: 2a-c
Discuss Security’s role and how the Department mission, policies and procedures dovetail to protect information.
Discuss your organization’s mission and how it relates to your security policies. If security policies are not followed and there is a breach, how does that affect your mission?
16. Single registration of software and electronic notice to the manufacturer.
Entity Property
Computer
Internet Connection
Illegal Software
Matrix: 2e and 6d(2.e)
Introduce system audit logs from system software for network audits. Let staff know their activity is being monitored.
At Work: It happens more often than you might think, through honest employees, routine software audits, technology support professionals, network administrators, software publishers and piracy watchdog groups.
Some software automatically sends a message back to the manufacturer to ensure it is registered only once.
Your computer is Entity property. So too, is your connection to the Internet via the network. The Entity is committed to ensuring that our systems are running legally licensed software and that our network is not supporting software piracy in any form.
If you run illegal software on Entity equipment you are in violation of Entity Policy.
17. Should You Open the E-mail Attachment?
If it's suspicious, don't open it!
What is suspicious?
Not work-related
Attachments not expected
Attachments with a suspicious file extension (*.exe, *.vbs, *.bin, *.com, or *.pif)
Web link
Unusual topic lines; “Your car? Oh! Nice Pic! Family Update! Very Funny!”
Matrix: 2e, 3f and 9d
Discuss Email safety to prevent accidental introduction of malicious code/viruses.
What is suspicious?
E-mail that is not work-related.
Attachments you were not expecting.
Attachments with a suspicious file extension (*.exe, *.vbs, *.bin, *.com, or *.pif).
A message that directs you to click on a web link.
E-mail with unusual topic lines; “Your car? Oh! Nice Pic! Family Update! Very Funny!”
E-mail from someone you do not know.
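A small screening script that applies the slide's "what is suspicious" rules to a message, added here as an example (it is not part of the training deck): it checks the sender against a list of known addresses, looks for the quoted subject phrases, flags attachments whose extension is on the slide's list (including double extensions such as Nice_Pic.jpg.exe), and notes a web link in the body. The two messages it screens are constructed for the demonstration; the known-senders set and the example.invalid / entity.invalid addresses are assumptions.

```python
"""Screen an e-mail for the warning signs listed on the slide (added example)."""
from __future__ import annotations

import re
from email import message_from_string
from email.message import EmailMessage, Message
from email.utils import parseaddr
from pathlib import PurePosixPath

# Extensions named on the slide. Every suffix of a filename is checked, so the
# double-extension disguise "Nice_Pic.jpg.exe" is caught as well.
SUSPICIOUS_EXTENSIONS = {".exe", ".vbs", ".bin", ".com", ".pif"}
# The "unusual topic lines" quoted on the slide, lower-cased for matching.
UNUSUAL_SUBJECT_PHRASES = ("your car?", "nice pic!", "family update!", "very funny!")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def has_suspicious_extension(filename: str) -> bool:
    """True if any suffix of the attachment name is on the slide's list (case-insensitive)."""
    suffixes = {s.lower() for s in PurePosixPath(filename).suffixes}
    return bool(suffixes & SUSPICIOUS_EXTENSIONS)


def attachment_names(msg: Message) -> list[str]:
    """Filenames of every non-container MIME part that carries one."""
    return [
        part.get_filename()
        for part in msg.walk()
        if part.get_content_maintype() != "multipart" and part.get_filename()
    ]


def body_text(msg: Message) -> str:
    """Concatenate the inline text/plain parts (attachments are skipped)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def screen_message(raw: str, known_senders: set[str]) -> list[str]:
    """Return the slide rules the message trips; an empty list means nothing looked suspicious.

    known_senders is a hypothetical stand-in for "someone you do not know": the
    addresses the recipient actually recognises.
    """
    msg = message_from_string(raw)
    findings: list[str] = []
    _, sender = parseaddr(msg.get("From", ""))
    if sender.lower() not in {s.lower() for s in known_senders}:
        findings.append("sender-unknown")
    subject = msg.get("Subject", "").lower()
    if any(phrase in subject for phrase in UNUSUAL_SUBJECT_PHRASES):
        findings.append("unusual-subject")
    for name in attachment_names(msg):
        if has_suspicious_extension(name):
            findings.append(f"suspicious-attachment:{name}")
    if URL_RE.search(body_text(msg)):
        findings.append("web-link")
    return findings


def build_sample_message() -> str:
    """Constructed test message (not a real e-mail) that trips every rule on the slide."""
    m = EmailMessage()
    m["From"] = "A Friend <stranger@example.invalid>"
    m["To"] = "staff@entity.invalid"
    m["Subject"] = "Nice Pic! Very Funny!"
    m.set_content("You have to see this: http://example.invalid/pic")
    # A few harmless bytes standing in for an executable; the name is what matters here.
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename="Nice_Pic.jpg.exe")
    return m.as_string()


def build_clean_message() -> str:
    """Constructed work e-mail from a known colleague with an ordinary attachment."""
    m = EmailMessage()
    m["From"] = "Colleague <coworker@entity.invalid>"
    m["To"] = "staff@entity.invalid"
    m["Subject"] = "Q3 caseload report"
    m.set_content("Attached is the quarterly report we discussed.")
    m.add_attachment(b"%PDF-1.4 ...", maintype="application", subtype="pdf",
                     filename="q3_report.pdf")
    return m.as_string()


if __name__ == "__main__":
    known = {"coworker@entity.invalid"}
    print(screen_message(build_sample_message(), known))  # all four rules trip
    print(screen_message(build_clean_message(), known))   # []
```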
18. Web Surfing
Active content and viruses or other malicious software
Security risks in the PC and MAC versions of Internet Explorer and Netscape browsers
Entity presets your security.
Matrix: 2e and 9d
CONTINUATION OF INTERNET SECURITY.
Web surfing may feel both safe and anonymous. It's not!
Active content, such as ActiveX controls and Java applets, creates the possibility that Web browsing will introduce viruses or other malicious software into the user's system.
There are a variety of security risks in the PC and MAC versions of Internet Explorer and Netscape browsers that involve the JavaScript, Java and ActiveX subsystems.
At work: Entity presets your security. TELL THEM WHAT PRESETS YOU HAVE PUT IN PLACE. CHECK WITH THE IT DEPARTMENT FOR WHAT THEY ARE.
OPTIONAL “AT HOME” SECURITY DISCUSSION
At home:
These risks can be eliminated by turning off those features.
These risks can be reduced by setting your security to not allow others to access hardware or software.
19. Visiting Internet Sites
Be careful about providing personal, sensitive information to an internet site.
Be aware that you can get viruses from Instant Messenger-type services.
Entity Policy on Instant Messenger
Matrix: 2e and 9d
INTRODUCTION TO HEADS UP COMPUTING
This slide is a security reminder of things to be aware of when visiting Internet sites.
Instant Messaging (IM) – uses a P2P (peer to peer) program that is designed to go around the firewall – compromises security.
Be careful about providing personal, sensitive information to an internet site. Find out what the organization's security and privacy policies are – it could be collecting your information, sharing, or selling it to other sources.
Be aware that you can get viruses from Instant Messenger-type services.
Insert your Entity's policy on Instant Messaging.
20. Organizational vs. System Level IT Security Programs
Organizational level IT security programs apply to the whole organization
System level IT security programs are tailored to sections of the organization
Matrix: 2f
INTRODUCTION TO SECURITY LEVELS AND RESPONSIBILITIES
Organizational level IT security programs are applied to the organization as a whole (e.g. Outlook, key lock cards, passwords, “time outs” on all PCs, etc.).
System level IT security programs are more detailed and specific, and are tailored to sections of the organization (e.g. one branch or unit being supported on a single server with heightened security due to the presence of HIV data). For example, only selected log-ons may have access to a particular system.
Security Levels Illustrated:
An Entity’s outermost firewall is organizational vs. additional system firewalls around claims processing or HIV clients.
21. On the Wire
Universal Access… Estimated 500 million people with Internet access
All of them can communicate with your connected computer
Any of them can “rattle” the door to your computer to see if it’s locked
Matrix: 2g, 5d-e and 9d
Transitional Slide –
TRANSITION TO PASSWORD TRAINING
There are an estimated 500 (up from 304 in May 2004) million people with Internet access.
All 500 million of them can communicate with your connected computer.
Any of the 500 million can “rattle” the door to your computer to see if it’s locked.
Trainer: Check with IT staff to see if numbers are up-to-date.
22. Opportunities for Abuse
To break into a safe, the safe cracker needs to know something about safes
To break into your computer, the computer cracker only needs to know where to download a program
Identity Theft is the fastest growing crime in the U.S.
Matrix: 2g, 9c
HACKERS ARE INCREASING….IT SECURITY REQUIREMENTS NEED TO INCREASE.
To break into a safe, the safe cracker needs to know something about safes.
To break into your computer, the computer cracker only needs to know where to download a program written by someone else who knows something about computers.
Identity Theft is the fastest growing crime in the U.S. and it accounts for more than 750,000 victims a year and losses exceeded 2 Billion dollars.
23. System Ownership vs. Information Ownership
System ownership rests with IT staff, IT managers and executive staff
Information ownership rests in the program area
Matrix: 2h-i
System ownership rests with not only the Entity, but also IT staff, IT managers and executive staff.
IT staff research various system applications/equipment and present to management, who present to executive.
Executives decide what the level of investment will be.
IT staff maintain those applications and equipment.
Information Ownership rests in the program area, with all staff and managers who gather and act on that client/program information.
For example, as program staff, I enter information about a client. I own responsibility for entering the information correctly and protecting any hard copy. The system that I enter that information into is maintained and protected by IT staff.
24. “Who you gonna call?”
Matrix: 2j and 5c(1)
IDENTIFY SECURITY CONTACTS
Your IT security program needs to have a high profile!
Let everyone know where IT rests in your organizational structure.
Provide a clear listing of who to contact for certain types of IT problems. Don’t hide your system level staff in a closet! Just because the “system” works seamlessly behind the scenes, doesn’t mean the IT staff are ghosts.
Suggested contacts: Help Desk, Whistleblower Hotline, Security and/or Privacy Official.
25. You are Here!
Laws & Regulations
The Organization & IT Security
System Interconnection & Information Sharing
Sensitivity
Risk Management
Management Controls
Acquisition/Development/Installation/Implementation Controls
Operational Controls
Technical Controls
26. How easy is it to hack?
Fact: Hackers post 30-40 new tools to the Internet every month
Anyone can search the Internet, find exploitable tools, and then "point and click" to start to hack.
REMINDER: Any Hacking be it for “fun” or to “see how it’s done” is against the law & Entity Policy. The Entity does not have to defend you.
Matrix: 3a
POINTS OUT HOW EASY IT IS TO GET, AND USE HACKER TOOLS. ALSO POINTS OUT “POINT AND CLICK” HACKER TOOLS ARE UNSOPHISTICATED.
Fact: Hackers post 30-40 new tools to Internet hacking sites every month, according to NIST (National Institute of Standards and Technology).
Even an unsophisticated hacker can search the Internet, find and download exploitable tools, and then "point and click" to start a hack.
REMINDER: Hacking for “fun” or to “see how it’s done” is against the law & Entity Policy. The Entity has no obligation to defend you under such circumstances.
REMINDER IS OPTIONAL, DEPENDING ON YOUR POLICY AND YOUR COUNSEL’S OPINION.
27. Warfare Capability
Matrix: 3a, 5a(1) and 5c
CONCEPT OF OPEN NETWORK IN RELATION TO THREATS
Cyber-terrorists spread their views through spam and web defacements.
They also target critical infrastructure (e.g. financial, transportation, energy, or communications industry) to cause an economic or other critical impact.
Open networks make it easy to do business internally, but this also means anyone who gains access to a system can damage it or the data housed in it.
28.
Matrix: 3a and 9c
INTRODUCTION TO SOCIAL ENGINEERING.
Trainer: Perhaps include a picture of people in your department with a person who is familiar to everyone in the audience.
You cannot spot a social engineer just by looking at them, and it could be anyone.
A social engineer is a person who will deceive or con others into divulging information that they wouldn’t normally share.
This picture includes: Will Padilla, Norma Springsteen, Linda Caruso, Sabrina Ledesma, Pam Miramontes, David Nelson, Dave Edwards. When taken, all were Yolo County employees.
29. Matrix: 3a and 9c
The slide continues to discuss social engineering.
Social engineers prey on the best qualities of human nature:
The desire to be helpful,
The tendency to trust people,
The fear of getting into trouble.
A truly successful social engineer receives information entirely without raising any suspicion as to what they are doing.
30. Matrix: 3a and 9c
INSERT EXAMPLES IF APPROPRIATE
Impersonation - Case studies indicate that Help Desks are the most frequent targets of social engineering attacks.
Important user - A common ploy is to pretend to be not only an employee, but a high ranking employee.
Third-party authorization – A social engineer may have obtained the name of someone in the organization who has the authority to grant access to information.
Tech support – The social engineer pretends to be someone from IT support or a contractor and states:
“There are system problems and you’ll need to log me on to check the connection.”
31. Phone Fraud Matrix: 3a
Social Engineering on the Phone:
Do you actually know who you are talking to on the other end of the line?
Do they have an authorized need to know the information you have access to?
Optional: Caller ID has been “faked” since 1984; the Caller ID failure rate (false positives) is growing, and it does not always work. Now there are commercial programs available to disguise Caller ID.
32. Matrix: 3a
In Person - the social engineer may enter the building and pretend to be an employee, guest or service personnel.
– May be dressed in a uniform. Uniforms can be easily purchased.
– May become part of the cleaning crew.
– May be allowed to roam without raising suspicion. Suit wearing folks may or may not be on site legitimately.
They act like they belong in the building.
Dumpster Diving – this is not against the law in California.
Shoulder Surfing-Looking at your monitor, camera phones, PDAs, etc.
LAPTOPS NOT PROTECTED IN PUBLIC SETTINGS, CELL PHONE CONVERSATIONS, MONITORS FACING PUBLIC AREAS, AND PERSONAL INTERVIEWS IN PUBLIC AREAS ARE ALL PREY TO SOCIAL ENGINEERS.
33. Matrix: 3a
SOCIAL ENGINEERING SIGNS:
This slide lists some things social engineers might say or do to gain access to information. They may:
Refuse to give their contact information
Rush you
Use Name-dropping
Use Intimidation
Make small mistakes
Request confidential information
Request you to do something without proper documentation and obviously not through the chain of command.
Examples:
“I cannot be contacted” OR “I’m on my cell phone and the battery is about to die” OR The number they give you is a “call out only” number.
Systems administrators or maintenance technicians who need to do something to your account will not require your password.
34. Matrix: 3a and 5a
RESPONSE TO SOCIAL ENGINEERING ATTACKS
If someone asks you for information that is sensitive (such as company, client, or personal data) don’t be afraid to ask a few questions.
Ask for the correct spelling of the person’s name.
Ask for a number where you can return the call. Do not give information on the first call. Call them back.
Ask why the information is needed.
Ask who has authorized the request and let the caller know that you will verify the authorization
– AND DO IT!!!
Be prepared for the caller to use the name of a person of high authority.
35. Matrix: 3a, 5a and 9c(2)
IS IT IN YOUR POLICY OR PROCEDURES TO REPORT?
This is a good place to introduce your incident reporting procedures to staff if you haven’t already done so.
GIVES MANAGEMENT A CHANCE TO WARN OTHERS OF THE TYPES OF ATTACKS OCCURRING
If you feel you have thwarted or perhaps been victimized by an attempt at social engineering, report the incident to your supervisor or manager immediately!
No need to feel embarrassed; the caller was working your finest qualities!
36. How Is Entity Connected to the Inter/Intranet? From Worksite
From Off Site Citrix Connections
From Computing Labs
Others (Library) Matrix: 3b and 6d(2.c)
INTRODUCES HOW YOU ARE CONNECTED LOCALLY AND INTERNATIONALLY AND HOW SOME OF THE WORK TOOLS ARE CONNECTED
In the World of the Internet, some of the most popular features:
World Wide Web (research, access to documents, remote access to email or network)
Usenet newsgroups
Listservs
Video-conferencing
37. Your Account Is Only As Secure As Its Password Entity = 120 day rotation
Don't let others watch you log in.
At Home Change your password often.
Don’t write your password on a post-it note
Don’t attach it to your video monitor or under the keyboard. Matrix: 3d, 5d-e, 9a(1), 9c(1) and 9d
ROTATION DURATION SHOULD MATCH YOUR POLICY AND PROCEDURES “Entity=120 days rotation”
The slide provides other password tips.
38. Matrix: 3d, 5d-e, 9a(1) and 9d
INTRODUCTION TO CREATING A “STRONG” PASSWORD
It can’t be obvious or exist in a dictionary (any language).
Every word in an English language dictionary can be tried within minutes.
Using a dictionary word for a password is like using a locker number for a combination.
Attack dictionaries also include names, common misspellings, words with numbers, and other commonly used passwords.
Don’t use a password that has any obvious personal significance to you.
39. Matrix: 3d, 5d-e, 9a(1) and 9d
CONTINUES INTRODUCTION OF STRONG PASSWORD
MUST MATCH YOUR PASSWORD POLICY
EIGHT CHARACTERS, UPPER, LOWER, NUMBER, PUNCTUATION is the INDUSTRY STANDARD FOR A STRONG PASSWORD
How, you may ask, am I ever going to remember such a complicated password?
40. Matrix: 3d, 5d-e, 9a(1) and 9d
INTRODUCES PASS PHRASE
REMINDER OR TICKLER PICTURE ON CORNER OF MONITOR DOES NOT REVEAL PHRASE
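The strong-password rules from slides 38 and 39 (eight characters, upper, lower, number, punctuation, not a dictionary word even with numbers or symbol substitutions, no personal significance) and the passphrase idea from slide 40, as an added example that is not code from the training deck. The wordlist is a constructed stand-in for a real attack dictionary, and the first-letter passphrase technique is assumed here since the slide does not spell one out.

```python
"""Password-policy checker for the rules on slides 38-40 (added example)."""
import string

# Constructed stand-in for an attack dictionary. Real ones hold millions of
# entries: dictionary words in many languages, names, common misspellings,
# words with numbers appended, and previously leaked passwords (slide 38).
CONSTRUCTED_WORDLIST = {
    "password", "welcome", "letmein", "qwerty", "dragon", "monkey",
    "summer", "winter", "football", "baseball", "sunshine",
    "michael", "jennifer",            # names
    "passwort", "contrasena",         # other languages ("any language")
    "pasword", "sumer",               # common misspellings
}

# Letter-for-symbol swaps that attack dictionaries already undo, so "P@ssw0rd"
# is no stronger than "password".
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def candidate_words(password):
    """Normalised forms a cracking tool would try for this password."""
    lowered = password.lower()
    # "Summer2024!" -> "summer": leading/trailing digits and punctuation are
    # the first thing a rule-based cracker strips.
    stripped = lowered.strip(string.digits + string.punctuation)
    forms = {lowered, stripped, lowered.translate(LEET_MAP),
             stripped.translate(LEET_MAP)}
    return forms - {""}


def complexity_failures(password):
    """Slide 39 rules: eight characters, upper, lower, number, punctuation."""
    failures = []
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no number")
    if not any(c in string.punctuation for c in password):
        failures.append("no punctuation")
    return failures


def dictionary_hits(password, wordlist=CONSTRUCTED_WORDLIST):
    """Wordlist entries the password reduces to (slide 38: 'tried within minutes')."""
    return sorted(w for w in candidate_words(password) if w in wordlist)


def personal_hits(password, personal_terms):
    """Personal terms (name, birth year, pet, ...) that appear in the password."""
    lowered = password.lower()
    return [t for t in personal_terms if len(t) >= 3 and t.lower() in lowered]


def check_password(password, personal_terms=()):
    """Return (accepted, reasons) combining the three slide 38/39 checks."""
    reasons = complexity_failures(password)
    hits = dictionary_hits(password)
    if hits:
        reasons.append("reduces to a dictionary/common password: " + ", ".join(hits))
    personal = personal_hits(password, personal_terms)
    if personal:
        reasons.append("contains personal information: " + ", ".join(personal))
    return (not reasons, reasons)


def password_from_phrase(phrase):
    """Assumed passphrase technique (slide 40 does not spell one out): take the
    first character of each word, keeping digits and trailing punctuation, so a
    memorable sentence yields something a dictionary attack will not find."""
    chars = []
    for word in phrase.split():
        chars.append(word[0])
        if len(word) > 1 and word[-1] in string.punctuation:
            chars.append(word[-1])
    return "".join(chars)


if __name__ == "__main__":
    for pw in ("summer", "Summer2024!", "P@ssw0rd!", "Jennifer1984!"):
        print(pw, check_password(pw, personal_terms=("Jennifer", "1984")))
    derived = password_from_phrase("I love to walk my 2 dogs at Yolo County Park!")
    print(derived, check_password(derived))
```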
41. Matrix: 3d, 5d-e, 9a(1) and 9d
SAMPLES OF VANITY PLATES
Other easy ways to remember the password.
42. Matrix: 3d, 5d-e, 9a(1) and 9d
43. Matrix: 3d, 5d-e, 9a(1) and 9d
SHOULD MATCH YOUR POLICY
It is against policy to share passwords. There are a couple of exceptions to the rule; however, they are specific and documented.
If you ever receive a telephone call from someone claiming to need your password, report it immediately.
When you receive technical assistance, enter your password yourself. Do not reveal it.
44. Matrix: 3d, 5d-e, 9a(1) and 9d
SHOULD BE SUPPORTED BY YOUR POLICY
USE OF PASSWORD SHOULD BE LIMITED
USE SHOULD BE MONITORED BY INDIVIDUAL PARTICULARLY IN SETTINGS NOT WORK RELATED
Be careful about typing your password into a strange computer.
Does the computer have anti-virus protection enabled?
Is the owner trustworthy or is he/she possibly running a keyboard logger to record your keystrokes? (It has happened).
Who was the last person to use that computer and what did he/she run on it?
Never, never, never use the automatic logon feature in Microsoft.
45. Matrix: 3d, 5d-e, 9a(1) and 9d
CONTINUATION of previous slide
Be careful about typing your password into a strange program, website, or server.
Why is it needed?
Is it a legitimate request? Are they authorized to ask for it?
No web site should be asking for your password.
46. Matrix: 3d, 9a(1) and 9d
REPEATS CONCEPT OF PROTECTING ACCESS TO SYSTEM AND VULNERABILITY OF BEING “INSIDE” THE FIREWALL.
Do not use the same password for an unofficial, entertainment, off-site, or nonessential service that you use for critical services.
Do not use the same passwords at home that you use at work!!!
47. Matrix: 3d, 9a(1) and 9d
Optional Slide: Covers password use at home as well.
PASSWORD ROTATION
At home, if your information gets stolen from your computer, do you know it?
48. Recap Common sense
Simple rules
Technology
Remember – By protecting yourself, you're also doing your part to protect Entity.
OPTIONAL
SIMPLE RECAP FOR BREAK OR DISCUSSION OF QUESTIONS.
Common sense, some simple rules and a few pieces of technology can help protect your computer system from unauthorized use and damage.
It’s important to remember that by protecting yourself, you are also doing your part to protect the Entity.
49. Formal Agreement Trading Partners
Business Associates
Other agreements (e.g. MOUs and IAs)
Matrix: 3e(1-2)
Your organization has likely entered into a formal agreement with someone with whom they exchange data or information.
You are individually accountable for your use and activity on the interconnected systems.
How you conduct yourself could put the formal agreements at risk, and you may be subject to sanctions if you do not follow the organization’s security policies and procedures.
Entity & State agencies need to have a process to do formal agreements before transmitting data/personal information.
Also, not everyone has the same permissions to see the same information.
50. Entity EMAIL Policy Matrix: 3f
OPTIONAL TO USE A BULLETED LIST FOR SPECIFIC POINTS of your email policy.
GIVE AUDIENCE A COPY OF ENTIRE POLICY as a handout.
Reminder to staff that any messages on their email account are Entity property and may be monitored.
Also, don’t write anything on email that you would be embarrassed if it were sent out to the wrong people by mistake or forwarded onto someone else.
51. Matrix: 3e(1)
OPTIONAL TO USE A BULLET list FOR SPECIFIC POINTS
GIVE AUDIENCE A COPY OF ENTIRE POLICY as a handout.
Reminder to staff that any Internet usage on Entity equipment is subject to monitoring, if applicable to your policy.
52. EMAIL ETIQUETTE Provides: immediate response, tracking of issues, broadcast ability, planning tool, transfer large amounts of information.
From, “FW”, “RE”, To, cc, bcc, “Reply” and “Reply to All”, “Forward”
All caps LOOKS LIKE YOU ARE SHOUTING!
No facial expression, no vocal tone, no physical indicators
Use spellchecker, but read what you wrote, bad spelling leaves a poor impression
Never answer in a hurry, especially if you are upset Matrix: 3f
OPTIONAL EDUCATIONAL SLIDE
“From” tells you specifically who it came from or who forwarded it.
“To” usually indicates that you are one of the principal recipients and usually requires a response. Avoid following up just to say thank you. “FW” means the message has been forwarded to you; CONSIDER where it came from and why it was forwarded to you. Answer accordingly.
“cc” indicates that the sender wishes you to be aware of something, but usually does not require your response.
“bcc” BEWARE, someone is letting you know something without the “to” and “cc” folks knowing you are aware of it.
“Reply” sends your message back to the person the message came from ONLY. Very appropriate.
“Reply to all” sends your message to everyone. Rarely appropriate. If you are on “cc”, the sender is not asking for your input to the entire group.
THINGS TO REMEMBER
“Forward” is someone sending something on to others. REMEMBER THAT YOUR MESSAGE CAN GO ANYWHERE!!!!!
OTHER TIPS
Refer to slide
53. Electronic Commerce Matrix: 3g(1-3)
This slide is an example of electronic commerce.
Electronic Fund Transfer (EFT) can be a transfer of funds from your financial institution to a point of purchase sale or other payment.
You connect to a server and are authenticated electronically, usually by “Who” you are and “What” you know. Sometimes financial institutions use a timing device to get “What” you have. These are the three pieces of strong security.
EDI is usually a minimum of “Send” and “Receive”. This example fits the Medi-Cal Targeted Case Management four step EDI.
Like a written signature, the purpose of a digital signature is to guarantee that the individual sending the message really is who he or she claims to be. Digital signatures are especially important for electronic commerce and are a key component of most authentication schemes. To be effective, digital signatures must be unforgeable. There are a number of different encryption techniques to guarantee this level of security. (Webopedia)
54. Privileges and Responsibilities Use of your Entity computer account is a privilege.
Along with the privilege to use Entity network resources come some responsibilities.
Remember that Internet traffic is logged, monitored, and saved. Matrix: 3h and 9b(1-2)
This slide reiterates Entity network policy. SHOULD BE ENFORCED BY YOUR POLICY
Use of your Entity computer account is a privilege granted by the Entity so you can work, communicate with staff and associates, and take advantage of both Entity online resources and the Internet at large.
Along with the privilege to use Entity network resources come some responsibilities.
Remember that Internet traffic is logged, monitored, and saved.
55. Internet Security and Use Entity has Internet services to support the advancement of business goals and objectives.
Use of computer resources and networks must be business oriented.
Messages from the e-mail system are NOT to be automatically forwarded.
Accessing sites with offensive material is prohibited. Matrix: 3h, 5a(1) and 6d(2.d)
INTRODUCTION OF “WHY” YOUR ENTITY IS WORRIED ABOUT YOUR INTERNET USE AND SOME INITIAL POLICY PIECES RELATED TO BEING CONNECTED
Entity has Internet services to support the advancement of business goals and objectives.
Ensure that the use of computer resources and networks is business oriented.
In general, messages from the e-mail system are NOT to be automatically forwarded.
Accessing sites with offensive material is prohibited. It presents a legal risk for you and the Entity.
WARNING ABOUT ANONYMITY ON THE INTERNET
56. Other Safety Measures Log off when not using your computer.
Lock your workstation (Cntrl+Alt+Del and Lock).
Automatic Screen Savers.
Do not leave sensitive information on the copier or remote printers.
Confirm fax numbers before sending. Matrix: 6d
OPTIONAL
PHYSICAL SAFETY MEASURES.
Log off when not using your computer.
(Gone for more than an hour?) (Energy savings too!!!)
Lock your workstation (Cntrl+Alt+Del and Lock).
(XP, Windows 2000)
Automatic Screen Savers.
(Set to five minutes with password protection.)
Ensure sensitive information is not left on the copier or remote printers.
(If you find sensitive information, TAKE responsibility for it)
Confirm fax numbers you enter.
Auto Dial can reduce risk.
ENSURE THESE FOLLOW YOUR POLICIES AND PROCEDURES
57. You are Here! Laws & Regulations
The Organization & IT Security
System Interconnection & Information Sharing
Sensitivity
Risk Management
Management Controls
Acquisition/Development/Installation/Implementation Controls
Operational Controls
Technical Controls
58. Information Sensitivity Matrix: 4a(1-2) and 4b(1.b)
DATA SECURITY LEVELS BASED ON CONTENT/USE/VALUE
Security levels will vary depending on the sensitivity of the information. For example,
Mental Health Services information.
Staff roster is internal, not public.
Billing codes are not sensitive UNLESS they contain client information.
ALL INFORMATION COMBINED IS VERY HIGH.
So….. The individual databases are classified accordingly, BUT server access where it all resides is VERY SENSITIVE.
59. IT Asset Protection Physical
Technical
Administrative Matrix: 4-c
HIPAA Security provides for administrative, technical, and physical safeguards, also known as asset protection.
Physical - Lock doors, file cabinets, restrict entry by unauthorized personnel
Technical - Lock Workstation (CNTRL, Alt, Delete-Lock Screen) when not at your computer, use passwords, use virus protection, back-up data…
Administrative - Sanction policy, reporting incidents, termination procedures, workforce clearance…
60. To decide whether a computer system is “secure”, you must first decide what “secure” means to you, then identify the threats that apply. Matrix: 4d-f
SECURITY AWARENESS is set in context of Information Security. This slide introduces some concepts that fall under information security. INCLUDE OTHERS SPECIFIC TO YOUR ENTITY.
Information security is ALWAYS in terms of CIA:
Confidentiality is the ability to keep certain information private, to keep it from being shared inappropriately. If information is shared inappropriately the organization can be held liable for the negative consequences to clients and for mitigation efforts. THIS IS PRIVACY.
Integrity is the ability to protect information and systems from malicious or accidental modification or corruption. Integrity is ensuring that the data is what it represents, that it has not been modified or deleted in some way. Programs will not be able to collect information or the information is worthless if it is not in a usable condition.
Availability is the reliable and timely access to data and resources by authorized individuals. The public, the Entity and its partners soon become dependent on automated IT systems. When these systems are down, users become frustrated and could avoid using automated systems in the future, thus increasing the Entity’s manual processing workload, or worse, delaying or stopping the delivery of services.
61. Be aware!
Learn and practice good security habits.
Report anything unusual. So How Do We Start? Matrix: 5a, 6d(1), 6e(1), 6g, and 9c(2)
INTRODUCTION OF THE SECURITY 90/10 RULE
90/10: The lock on the door is the 10%; you remembering to lock it, checking to see that it is closed, ensuring others do not prop the door open, and keeping control of keys is the 90%. The 10% is worthless without YOU.
First, become aware yourself – know how to identify a potential issue. Use sound judgment.
Next, learn and practice good security habits – incorporate secure practices into your everyday routine. Encourage others to do as well.
Finally, report anything unusual – Notify the appropriate contacts if you become aware of a suspected security incident.
If it sets off a warning in your mind it just may be a problem.
62. You are Here! Laws & Regulations
The Organization & IT Security
System Interconnection & Information Sharing
Sensitivity
Risk Management
Management Controls
Acquisition/Development/Installation/Implementation Controls
Operational Controls
Technical Controls
63. Three Areas of Security Under the 90/10 Rule In the room
At the box
On the wire Matrix: 5a and 9d
THREE REALMS OF SECURITY MOVING TO “IN THE ROOM”.
INTRODUCTION SLIDE TO THE NEXT FEW SLIDES.
64. Types of Threats Matrix: 5a(1) and 5b-c
CONTINUATION OF THREATS INCLUDING INTERNAL THREATS
Authorized Users/Internal Threats
Data Entry Errors/Omissions
Improper Disposal of EPHI
Insiders
Installation Errors
Misuse of Privileges
User Abuse/Fraud
65. Types of Threats Matrix: 5a(1) and 5b-c
CONTINUATION OF THREATS INCLUDING EXTERNAL THREATS
Hackers/External Threats
Data/System Contamination
Denial of Service
Eavesdropping
Emanations
Insertion of Malicious Code/Software
Jamming
Misuse of known Operating System Weaknesses
66. In the Room Preventive Actions Remove mail from your mail box
Deposit outgoing mail in post office collection mail boxes or at your local post office
Never give personal information over the telephone
Never provide client information without knowing who is getting it and for what purpose
Matrix: 5a(2) and 9d
EXAMPLES OF PREVENTATIVE ACTIONS
Promptly remove mail from your mail box
Deposit outgoing mail in post office collection mail boxes or at your local post office.
Do not leave in unsecured mail receptacles
Never give personal information over the telephone unless you initiated the call
Never provide client information unless you know who is getting it and for what purpose
OPTIONAL “AT HOME” SECTION
AT HOME
When disposing of unwanted pre-approved credit card applications, credit card receipts, credit card checks, bills and other financial information, SHRED IT!
Empty your wallet and/or purse of extra credit cards and identification
Never write down a PIN or password
67. Threats & Vulnerabilities Matrix: 5a(2) and 5c
This diagram demonstrates the need for added security controls when connecting to external systems and networks. In general, as vulnerability increases your Entity will want to adopt stronger security systems to reduce your vulnerability, and thus reduce your risk.
68. Unregistered Software Matrix: 5a(3), 6d(2.c) and 6d(2.e)
PROBLEMS SURROUNDING UNLICENSED SOFTWARE
Such software often lacks key elements of documentation and lacks warranty protection or upgrade options.
Untested programs or disks may be infected with viruses.
You put yourself at risk of prosecution by pirating a product protected by copyright law.
Ensure that you only obtain software through approved methods and install it in accordance with the licensing agreement of the specific software.
69. Managing Risk Matrix: 5a(1-4)
RISK MANAGEMENT CONCEPT
In order to manage risk an Entity must:
- Keep current on IT threats,
- Know your security systems well: their vulnerabilities and the likelihood of a vulnerability being exposed, and design future improvements to reduce those vulnerabilities, and
- Calculate your risk on an ongoing basis.
In order to reduce risk you must decrease vulnerabilities.
Think of managing IT security risk like playing the stock market!
70. Intruder Tools Matrix: 5c(1-2) and 9d
INTRODUCTION TO TERMINOLOGY OF HACKER OR CYBER TERRORISTS AND THEIR TOOLS
Vulnerability Scanning: Internet hackers constantly scan networks to try to identify where systems are vulnerable. (LOOKING FOR UNPROTECTED PORTS)
Pre-Attack Probes: another name for this type of scanning.
Password Cracker: Intruders use an automated program that continually tries to log into a system using a series of commonly used passwords, or using a dictionary as a source.
Network Spoofing: A program that impersonates the sign-on routine. It collects your password and returns a message that the system is unavailable.
A VIRUS uses the host application to reproduce itself and damages data or the system.
SNIFFERS are small programs that let the computer ignore packet addresses and receive ANY information on the network.
LOGIC BOMBS are malicious code triggered by a specific event or condition.
A TROJAN HORSE is a program that looks useful, yet is designed to run malicious code for unauthorized system access.
WORMS are independent programs that reproduce themselves and tie up resources.
71. Types of Security Controls Matrix: 5d-e
SECURITY CONTROLS
These controls work together to form a comprehensive and secure defensive structure.
Use the analogy of building a house.
- You manage the project. [Management Control]
- A general contractor takes the plans you’ve approved, acquires crews/materials/foremen and drives the timeframe. [ADII Control]
- The foremen control the operations for each crew. [Operational Control]
- The site is secured and necessary training arranged. [Security Awareness & Training Control]
- The entire project can be set up on project management software. [Technical Control]
72. Examples of Security Controls Matrix: 5f(1-3)
SECURITY CONTROLS CONTINUED
Confidentiality protection in a technical control would be a server that restricts access to only those who need access. A locked file cabinet is a more simplistic operational control for protection of confidentiality.
Integrity protection could also apply to restricted access, but to a database or data that must not be modified or corrupted. A firewall is an example of a technical control.
Availability protections are systems that ensure your data can be accessed by the appropriate people. It can be a sophisticated spam control application or as basic as a back-up generator.
So you can have one type of control, a firewall or server, that provides protection of confidentiality, integrity and availability. It is the goal of the protection, not the actual control, that defines the category of protection.
The important thing is to make sure you have all 3, confidentiality – integrity – availability, protected.
73. Absolute vs. Acceptable Levels of Risk “Absolute protection” from risk is an impossibility Matrix: 5j
ABSOLUTE VERSUS ACCEPTABLE/REASONABLE SECURITY
“Absolute protection” from risk is an impossibility, and a belief that you have absolute protection would lull an Entity into a false sense of security.
An “acceptable level” of risk is a more realistic approach to managing risk. An Entity can define different levels of risk for different programs, systems or resources.
For example, trash thrown in a dumpster carries a low level of risk if sensitive material is shredded or disposed of in another manner. A list of HIV clients from a health server would carry a high risk if it were on a laptop with no password or firewall protection, stored in someone's car. The risk could be reduced to an acceptable level if the data file is partitioned within a server that has restricted access controlled through a log-in process.
74. Controls IT systems require controls that are:
“Adequate” and “appropriate”
Unique and have sophisticated protection
Probability, severity and extent of potential harm
Cost beneficial and effective Matrix: 5k(1-4)
IT systems require controls that are both “adequate” and “appropriate” due to the severe consequences of a breach.
The technical nature of IT systems requires unique and sophisticated protection. And those protections must be updated continuously, such as with patches or virus protection.
The probability, severity and extent of potential harm drive the design of the control. An increase in these 3 parameters will increase the need for more security.
Likewise, each security control needs to balance its cost against its benefit and effectiveness. Don’t spend $150K to protect $10K worth of risk.
75. Multiple Security Disciplines Integrate various security disciplines to strengthen your security, for example:
Police and fire personnel.
Train staff on CPR.
Schedule audits and reviews.
Security decision process.
Involve program staff. Matrix: 5l-m and 6f(1-4)
LAYERED SECURITY CONCEPT
Utilize and integrate various security disciplines to strengthen your security, for example:
Coordinate drills with police and fire personnel.
Train staff on CPR.
Schedule internal and external audits and reviews.
Funnel all security information and findings into security decision process.
Involve program staff in the development of security controls.
76. You are Here! Laws & Regulations
The Organization & IT Security
System Interconnection & Information Sharing
Sensitivity
Risk Management
Management Controls
Acquisition/Development/Installation/Implementation Controls
Operational Controls
Technical Controls
77. Management Controls Management controls are a type of security control that encompasses seven general areas.
Policies & procedures that standardize system & application expectations.
Standard operating procedures.
Personnel security.
System rules of behavior.
Individual accountability.
IT security awareness & training.
User responsibilities for inappropriate actions of others.
Matrix: 6a-b and 6f(1-4)
MANAGEMENT SECURITY CONTROLS
These areas of control are ‘managed’ through the organizational structure of the Entity. Executive management and their appointees define, address and implement these areas of control. Controls are in place to support achieving the Entity mission and are generally defined, published and distributed through policies and procedures. When consistently reinforced, an Entity culture develops from the management controls.
Some procedures are so common and generally applicable that they are identified as standard operating procedures, such as building shut-down and lock-up procedures, badge IDs and password log-in.
System rules of behavior define expectations of staff assigned to a system, such as intake.
78. Personnel Security Much of an Entity’s vulnerability is staff-related.
If applicable, perform security clearances
Define roles and responsibilities
Separated Duties
Role-based access
Matrix: 6c(1-4) and 6f
CONTINUATION OF SECURITY LAYERS
All of these controls support CIA: Confidentiality, Integrity & Availability!
If applicable, perform security clearances for sensitive positions.
Clearly define roles and responsibilities to avoid confusion and convey clear expectations of staff with regard to security.
Certain IT duties need to be separated between staff members and, sometimes, between work units.
Access controls are role-based to ensure the appropriate staff have access to the information they need.
79. Why should you ensure the software you are using is compliant with copyright law and Entity Policy?
Matrix: 6d(1), 6d(2.e) and 6f
ENCOURAGEMENT TO FOLLOW ENTITY POLICY AND COPYRIGHT LAW REGARDING ENTITY EQUIPMENT
CAN LIST IMPACTS ACCORDING TO YOUR POLICY (PROGRESSIVE DISCIPLINE OR DISCONNECTION FROM THE NETWORK)
80. System Rules of Behavior Organization specific user rules are general and somewhat universal Matrix: 6d, 6e and 6f(1)
USER RULES – Organizational and System specific user rules are discussed in the slide.
Organization-specific user rules are general and somewhat universal; e.g. protect confidentiality, the check-out process for laptops, etc.
System-specific user rules:
Access and limitation of system privileges need to be assigned.
Intellectual property/copyright issues need to be communicated.
Remote access and work-at-home issues need to be defined.
Official vs. unofficial system use needs to be clearly stated.
Individual accountability contributes to system and information quality.
Individual acceptance of those responsibilities can be documented on a signed Security and Confidentiality Acknowledgement agreement. If the agreement is broken, sanctions or penalties for violations need to be enforced to reinforce the accountability.
81. Managing Your Security System A formal plan is crucial Matrix: 6f(3) and 7c(1-4)
FORMAL SECURITY PLAN OUTLINE
Once your security system is designed, you need to manage the interaction of all sub-systems in order to make your system operational.
A formal plan is crucial to successful management of your security system.
Identify missions, purpose and assets by system.
Define protection needs by system.
Identify people responsible for what.
Identify existing controls vs. controls needed and a timeline for their implementation.
For example, if you set up a log of failed attempts to enter the system, someone needs to review the log and take needed action.
82. You are Here! Laws & Regulations
The Organization & IT Security
System Interconnection & Information Sharing
Sensitivity
Risk Management
Management Controls
Acquisition/Development/Installation/Implementation Controls
Operational Controls
Technical Controls
83. System Life Cycle Stages Define business processes for all system life cycle stages
Initiation
Development
Test and evaluation
Implementation
Operations
Termination Matrix: 6f and 7a-b
SYSTEM LIFECYCLE
Refer to slides for discussion points.
84. Example of System Life Cycle Stages Acquiring hardware and software - consider the following: Matrix: 7a-b
INPUTS FOR SYSTEM LIFE STAGES
Define a business process for acquiring hardware and software that considers the following:
Lead time?
What’s the degree of user involvement? What specific outputs/reports do users require?
How does acquisition impact system security? (e.g. users may not download software from any source without specific approvals.)
85. System Life Cycle Stages & IT Security Goals What is needed to protect system security? Matrix: 7a-b
CONTINUATION OF LIFE CYCLE STAGES
Refer to slides for discussion points.
86. You are Here! Laws & Regulations
The Organization & IT Security
System Interconnection & Information Sharing
Sensitivity
Risk Management
Management Controls
Acquisition/Development/Installation/Implementation Controls
Operational Controls
Technical Controls
87. Operational Controls Operational controls help maintain an optimal level of security:
Matrix: 6f(2) and 8
OPERATIONAL CONTROLS - help maintain an optimal level of security and comprise the following three areas.
1. Physical and environmental protection includes physical access controls, intrusion detection, fire/water/moisture/heat/electrical maintenance, and mobile and portable systems.
2. Contingency planning covers four areas:
Importance of developing & testing contingency/disaster recovery plans. (Business Continuity Plans)
Importance of users providing accurate information about processing needs, allowable down time and applications that can wait.
Responsibility for backup copies of data files and software programs.
Simple user contingency planning steps.
3. Marking, handling, shipping, storing, cleaning and clearing refers to paper hard copy or disks.
88. You are Here! Laws & Regulations
The Organization & IT Security
System Interconnection & Information Sharing
Sensitivity
Risk Management
Management Controls
Acquisition/Development/Installation/Implementation Controls
Operational Controls
Technical Controls
89. Matrix: 9a(1-3)
Roles are defined PRIOR to allowing access and are a reflection of, and support, the Security Policy and Procedures.
Roles are in relation to the data, and the data sensitivity.
The USER Identification and Password are used to authenticate the user and allow access to predetermined amounts of data. All access privileges are based on the user’s role.
Public access may be subject to more stringent controls than internal users.
Internal users generally have access to more information inside the organization, yet some may have nearly as many limitations as external, public, users.
90. Tips For Safeguarding Your Privacy Online
Practice “Heads Up” Computing
Refers to the attitude you bring to computer use. Matrix: 9c(1)
TIES INTERNET SURFING AND ITS VULNERABILITIES TO IDENTITY THEFT.
91. Identity Theft Matrix: 9c(1)
INTRODUCES IDENTITY THEFT AND THE GROWING CONCERN
92. What Is Identity Theft Acquisition of key pieces of identifying information for the purpose of impersonation. Matrix: 9c(1)
DEFINITION AND OBJECT OF ID THEFT ATTEMPTS
ID Theft: Acquisition of key pieces of identifying information for the purpose of impersonation.
Identifying information includes:
Name
Address
Date of Birth
Social Security Number
Mother’s Maiden Name
Credit Card Number
ATM PINs
Bank Account Numbers
93. Identity Theft Purpose Matrix: 9c(1)
Some uses of your identity information once it is stolen include:
Take over financial accounts
Open new bank accounts
Apply for loans
Apply for credit cards
Apply for Social Security benefits
Purchase automobiles
Rent apartments
Establish services with utility companies
Open cell phone accounts
Write checks on accounts
Purchase goods and services online
INSERT LOCAL EXAMPLES
94. Identity Theft – How They Do It High and Low Technology
Shoulder surfing at ATMs and pay phones
Stealing your mail
Dumpster diving
Utilizing corrupt employees
Using checks drawn on credit cards
Creating counterfeit checks Matrix: 9c(1)
IDENTITY THEFT METHODS
Shoulder surfing at ATMs and pay phones
Stealing your mail
Dumpster diving
Utilizing corrupt employees
Using checks drawn on credit cards (such as holiday checks)
Creating counterfeit checks using open source software
The California Department of Consumer Affairs Office of Privacy Protection can help. Visit their website at www.privacy.ca.gov.
95. Matrix: 9d
INTRODUCES THE “YOU ARE NOT ALONE” ON THE INTERNET CONCEPT.
Pop-up windows - A window appears on the screen telling the user that they have lost the network connection and must re-enter their user name and password.
A program then e-mails what was entered to the intruder.
Mail attachments - Programs can be hidden in e-mail attachments.
Viruses and worms (e.g. “I love you”)
Spam, chain letters, hoaxes
HACKERS ARE A TYPE OF SOCIAL ENGINEER.
96. Leaving Tracks Electronic trail through the Internet
Entity knows where you’ve been
Register stops
Matrix: 9d
TIES WEB SURFING TO SPAM AND THE ELECTRONIC TRAIL IS CREATED
You leave an electronic trail through the Internet when you visit web sites with your browser. This means Entity knows where you’ve been.
The sites you visit also register your stops there. Some sites may leave the logs open for casual viewing by local users at the site or even use them to create mailing lists.
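The "electronic trail" the slide describes is concrete: every web server keeps an access log, and that log records, for each request, who asked, when, for which page, where they came from (the Referer header) and which browser they used. The following added example (written for this page, not part of the training deck or any product) parses a few constructed log lines in the common "combined" format and groups them into per-visitor trails, so trainers can show staff exactly what a site operator can read back about a visit. The addresses, paths and hosts are made up.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in the common "combined" web server log format
# (made-up visits, not data from any real site or from the training deck).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "https://search.example/?q=benefits" "Mozilla/5.0 (Windows NT 10.0) Firefox/117.0"
203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /apply/form HTTP/1.1" 200 5120 "https://www.example.org/index.html" "Mozilla/5.0 (Windows NT 10.0) Firefox/117.0"
198.51.100.23 - - [10/Oct/2023:14:01:10 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/116.0"
this line is not a valid log record
"""

# One regular expression for the combined format: client address, timestamp,
# request line, status code, response size, Referer header and User-Agent header.
COMBINED_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict of the fields in one log line, or None for lines that do not parse."""
    m = COMBINED_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def visitor_trails(log_text):
    """Group parsed records by client address: each value is that visitor's page-by-page trail."""
    trails = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            trails[rec["ip"]].append(rec)
    return dict(trails)


def external_referers(log_text, own_host):
    """Hosts named in the Referer field other than the site itself.

    These show where each visitor came from (a search engine, another site),
    which is part of the trail the slide says is recorded about you.
    """
    hosts = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["referer"] == "-":
            continue
        host = urlsplit(rec["referer"]).hostname
        if host and host != own_host:
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    for ip, visits in visitor_trails(SAMPLE_LOG).items():
        print(ip, "visited", [v["path"] for v in visits], "using", visits[0]["ua"])
    print("arrived from:", external_referers(SAMPLE_LOG, "www.example.org"))
```

Run as-is it prints one line per visitor with the pages they opened and their browser string, then the outside sites visitors arrived from; the malformed fourth line is skipped rather than crashing the parser. That per-visitor grouping, done over a whole day's log, is how a site can assemble the "mailing list" the notes warn about.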
97. Matrix: 9d(1-3)
Organization SHOULD have specific reporting mechanisms, as well as any specific actions the central authority wants the USER to take.
Virus alerts SHOULD come from one source within an organization. This prevents the forwarding of erroneous virus alerts which may be a ruse to spread malicious code, or damage systems and equipment through false directives.
Technical response is in relation to severity and staffing levels for support.
Local Scan/Detect/Removal software may or may not be part of entity Policy and Procedures. Staff should be informed of their specific responsibility and any procedures regarding dealing with malicious code or activity.