Information Security 
User Awareness and Best Practices 
Presented by David A. Menken, 
Smith Buss & Jacobs, LLP to 
December 15, 2014 
David A. Menken, Esq. 
Smith Buss & Jacobs LLP 
733 Yonkers Avenue 
Yonkers NY 10704 
dmenken@sbjlaw.com 
914-457-4186 
www.sbjlaw.com
Importance of Security
The Internet allows an attacker to attack from anywhere.
Malicious code from an email, a web page or a USB drive can infect the entire organization.
A breach is often the result of a simple mistake.
What you risk with poor security knowledge and practice:
• Risk of identity theft
• Risk of monetary theft
• Risk of cancellation of contracts
• Risk of a lawsuit (for you and your company)
• Risk of liability for fines and penalties
• Risk of termination of employment if company policies are not followed
What We Need to Take Away
Security: We must protect our computers and data in the same way that we secure the doors to our homes.
Safety: We must behave in ways that protect us against risks and threats that come with technology.
Why We Are Here This Morning
You have access to NYS Govt. information, so your organization must comply with NYS Cyber Security Policy P03-002 v3.4 in its data handling and data confidentiality requirements.
• Information must be housed only on internal servers
• Information must be segmented from the rest of EIC's network
• Access must be controlled by encryption per AES254 standards
• Access must be contingent on role-based permissions and strong passwords
• Information must be secured behind a strong firewall and not available to the Internet
• Information can be unencrypted only to perform data analysis
• When information is destroyed, it must be destroyed pursuant to DoD-grade destruction standards
• Security must be monitored in real time
• Employees must be trained in security awareness
Why We Are Here This Morning
Employees MUST Undertake Training
1. New employees must receive general security awareness training, to include recognizing and reporting insider threats, within 30 days of hire.
2. Additional training must be completed before access is provided to specific sensitive information not covered in the general security training.
3. All security training must be reinforced at least annually and must be tracked by your company.
How We Can Detect an Intrusion/Malware
• Antivirus software detects a problem
• Pop-ups suddenly appear
• Disk space disappears
• Home page changes
• Files or transactions appear that should not be there
• System slows down to a crawl
• Unusual messages, sounds, or displays
• Your mouse moves by itself
• Frequent firewall alerts about unknown programs trying to access the Internet
• Your computer shuts down and powers off by itself
• Often we cannot detect an intrusion
Best Practices to Preserve Security
Handling Sensitive Data
• Protect all "sensitive" data and files. "Sensitive" means data, documents, or files which, if compromised, would have an adverse effect on the company or its employees or customers.
• Store data in a secure physical environment, only on devices owned and approved by IT Support.
• Encrypt and password-protect data when in transit (email) or on mobile devices (laptops, CDs, USB “thumb” drives).
• NYS data has special encryption requirements.
Best Practices to Preserve Security
Handling Devices and Files
• Only devices owned or approved by IT Support may be connected to the systems – see the “Bring Your Own Device” Policy.
• PCs must be manually locked when unattended and must automatically lock after a period of inactivity.
• PCs must require a password to re-activate.
• Files must be stored and backed up on the server, not on the desktop or C: drive.
Best Practices to Preserve Security
Handling Logons and Passwords
• Passwords must comply with security standards
• A good password is:
  • yours alone
  • secret
  • easily remembered by you
  • at least 8 characters, complex
  • not guessable
  • changed regularly (every 90 days)
• 5 unsuccessful attempts will lock your account
• Systems and browsers must not be configured to remember (cache) passwords
• Users may NEVER share passwords for any reason
• Use two-factor authentication
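The logon rules on this slide expressed as checks a system could enforce, as an added example that is not part of the presentation: the 8-character minimum, the 90-day rotation and the lock after 5 unsuccessful attempts come from the slide, while reading "complex" as three of four character classes, the PBKDF2 password hashing and the user names and dates are assumptions made for the example.

```python
"""Logon-policy checks for the rules on this slide (added example, not from the
presentation): at least 8 complex characters, rotation every 90 days, and an
account lock after 5 unsuccessful attempts."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

MIN_LENGTH = 8           # "at least 8 characters"
MAX_AGE_DAYS = 90        # "changed regularly (every 90 days)"
LOCKOUT_THRESHOLD = 5    # "5 unsuccessful attempts will lock your account"
PBKDF2_ROUNDS = 100_000  # assumption: the slide does not specify a hash scheme


def password_problems(password: str, username: str) -> List[str]:
    """Return the rules a candidate password breaks (empty list means accepted).

    "Complex" is read here as at least three of four character classes; that
    reading is an assumption, not a rule stated on the slide."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    if username.lower() in password.lower():
        problems.append("contains the user name (guessable)")
    return problems


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    changed_on: date         # date of the last password change
    failed_attempts: int = 0
    locked: bool = False


def _digest(password: str, salt: bytes) -> bytes:
    # Never store the password itself; a salted, slow hash is compared instead.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_account(username: str, password: str, today: date) -> Account:
    """Enrol a user, rejecting any password that fails the policy."""
    problems = password_problems(password, username)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    return Account(username, salt, _digest(password, salt), today)


def attempt_logon(acct: Account, password: str, today: date) -> str:
    """Apply one logon attempt; returns 'locked', 'denied', 'expired' or 'ok'.

    The failure counter survives until a correct password is presented, so
    four wrong guesses followed by a fifth lock the account regardless of how
    much time passed in between."""
    if acct.locked:
        return "locked"
    if not hmac.compare_digest(_digest(password, acct.salt), acct.digest):
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked = True
            return "locked"
        return "denied"
    acct.failed_attempts = 0
    if today - acct.changed_on > timedelta(days=MAX_AGE_DAYS):
        return "expired"     # right password, but it must be changed before use
    return "ok"


def demo() -> Dict[str, object]:
    """Run the policy through a constructed scenario and return the outcomes."""
    today = date(2014, 12, 15)                # the date of the presentation
    acct = create_account("analyst1", "Summer2014", date(2014, 12, 1))
    lockout = [attempt_logon(acct, "wrong-guess", today) for _ in range(5)]
    lockout.append(attempt_logon(acct, "Summer2014", today))   # still locked
    fresh = create_account("jdoe", "Winter2014", date(2014, 12, 1))
    attempt_logon(fresh, "wrong-guess", today)                 # one miss ...
    fresh_ok = attempt_logon(fresh, "Winter2014", today)       # ... then reset
    stale = create_account("jdoe", "Winter2014", date(2014, 8, 1))
    return {"lockout": lockout, "fresh": fresh_ok,
            "fresh_failures": fresh.failed_attempts,
            "stale": attempt_logon(stale, "Winter2014", today)}


if __name__ == "__main__":
    print(demo())
```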
Best Practices to Preserve Security
Handling Security Updates and Patches
• Configure operating systems for automatic security updates and patches
• Configure applications for automatic security updates and patches (e.g., MS Office, Acrobat)
• Configure security software to scan web pages, email, attachments, and downloads
• Keep security software up to date and configured for regular scans
Best Practices to Preserve Security
Handling Physical Security
• Lock your workstation when you leave your desk or leave your laptop/mobile device unattended
  • Press the Windows Key and “L” (at the same time)
  • Press Ctrl-Alt-Del and “Lock Computer”
• Lock sensitive documents and materials in a file cabinet
• Dispose of sensitive materials appropriately
• Never share your access key, card or fob
• Always question unescorted strangers
• Immediately report all suspicious activities and breaches of physical security
Best Practices to Preserve Security
Handling Email Threats
• Don’t fall prey to “social engineering”
• Do not open email attachments unless you are expecting the email with the attachment and you trust the sender.
• Do not click on links in emails unless you are absolutely sure of their validity.
• REMEMBER: The most prevalent and persistent threats to your security come to you in your Inbox, even supposedly from people you may know.
• They all have this in common: they are designed to get you to click on an item like an attachment, link or picture.
Stop - Think - Then (maybe) Click
Best Practices to Preserve Security
Handling Threats from Your Browser
• Browsing Can Be Hazardous to Your PC
• The Common Threat: On the web, the threats come from malicious links.
• Most of the threats come when you click on a link that launches a malicious program or redirects you to a dangerous site.
Best Practices to Preserve Security
Handling Telework Threats
• Mobile Workers: Be Careful With Your Connections
• Assume public wireless networks are not secure
• Use a Virtual Private Network: allows you to launch a secure Internet connection
• Device Encryption: should be installed on all mobile devices that connect to company systems
Reported Data Breaches of Not-for-Profit Corporations in 2014
(reported by Privacy Rights Clearinghouse)
Oct. 2014: Community Technology Alliance (provides tech support to non-profits in San Jose) notified individuals of a potential compromise of their personal information when an employee's laptop was stolen.
Sept. 2014: BayBio.org (life sciences non-profit in the Bay Area) notified individuals of a data breach of its online payment system. The hacker, via an email, inserted files that captured keystrokes of visitors to the site.
July 2014: Central City Concern (poverty and homelessness NGO in Oregon) suffered a data breach when unauthorized access by a former employee resulted in the breach of client data.
March 2014: Service Coordination Inc. (provides services to the developmentally disabled in Maryland) suffered a breach involving one file which contained SSNs and medical info of 9,700 clients when someone hacked its computers.
New York Data Breach Law
N.Y. St. Tech. Law §208 (applies to state agencies) and
N.Y. Gen. Bus. Law §899-aa (applies to businesses)
The law guarantees persons the right to know what private information was exposed during a breach, so that they can take the necessary steps to both prevent and repair any damage incurred.
It obligates any person or business that conducts business in NY and owns or licenses computerized data that includes private information, or any person or business that maintains such data, to notify a person whose unencrypted data was stolen.
New York Data Breach Law
Definition of “Private Information”
• Personal information of a natural person (i.e., information which can be used to identify that person, such as name or email address)
• in combination with any one or more of the following data elements:
(1) Social Security number
(2) Driver's license or similar identification
(3) Account number or credit/debit card number, in combination with a password or security code
• when either non-encrypted, or encrypted with a data key that was also acquired.
If you have any questions 
please contact me: 
David A. Menken 
Smith Buss & Jacobs LLP 
733 Yonkers Avenue, Yonkers NY 10704 
914-457-4186 
dmenken@sbjlaw.com 

Security Awareness Training - For Companies With Access to NYS "Sensitive" Information

  • 1. Information Security User Awareness and Best Practices Presented by David A. Menken, Smith Buss & Jacobs, LLP to December 15, 2014 David A. Menken, Esq. Smith Buss & Jacobs LLP 733 Yonkers Avenue Yonkers NY 10704 dmenken@sbjlaw.com 914-457-4186 www.sbjlaw.com
  • 2. 2
  • 3. 3 Importance of Security The Internet allows an attacker to attack from anywhere. Malicious code from an email, a web page or a USB, can infect the entire organization. A breach is often the result of a simple mistake. What you risk with poor security knowledge and practice:  Risk of identity theft  Risk of monetary theft  Risk of cancellation of contracts  Risk of a lawsuit (for you and your company)  Risk of liability for fines and penalties  Risk of termination of employment if company policies are not followed
  • 4. What We Need to Take Away Security: We must protect our computers and data in the same way that we secure the doors to our homes. Safety: We must behave in ways that protect us against risks and threats that come with technology. 4
  • 5. Why We Are Here This Morning You have access to NYS Govt. information, so it must comply with NYS Cyber Security Policy P03-002 v3.4 in its data handling and data confidentiality requirements. • Information must be housed only on internal servers • Information must be segmented from the rest of EIC's network • Access must be controlled by encryption per AES254 standards • Access must be contingent on roll-based permissions and strong passwords • Information must be secured behind a strong firewall and not available to the Internet • Information can be unencrypted only to perform data analysis • When information is destroyed, must be pursuant to DOD grade destruction • Security must be monitored in real time • Employees must be trained in security awareness 5
  • 6. Why We Are Here This Morning Employees MUST Undertake Training 1. New employees must receive general security awareness training, to include recognizing and reporting insider threats, within 30 days of hire. 2. Additional training must be completed before access is provided to specific sensitive information not covered in the general security training. 3. All security training must be reinforced at least annually and must be tracked by your company 6
  • 7. 7 How We Can Detect an Intrusion/Malware  Antivirus software detects a problem  Pop-ups suddenly appear  Disk space disappears  Home page changes  Files or transactions appear that should not be there  System slows down to a crawl  Unusual messages, sounds, or displays  Your mouse moves by itself  Frequent firewall alerts about unknown programs trying to access the Internet  Your computer shuts down and powers off by itself  Often we cannot detect an intrusion
  • 8. 8
  • 9. 9 Best Practices to Preserve Security Handling Sensitive Data • Protect all "sensitive" data and files. "Sensitive" is data, documents, or files which, if compromised, would have an adverse effect on the company or its employees or customers. • Store data in a secure physical environment, only on devices owned and approved by IT Support. • Encrypt and password-protect data when in transit (email) or mobile devices (laptops, CD’s, USB “thumb” drives). • NYS data has special encryption requirements.
10. Best Practices to Preserve Security
Handling Devices and Files
• Only devices owned or approved by IT Support may be connected to the systems. See the "Bring Your Own Device" Policy.
• PCs must be manually locked when unattended, and must automatically lock after a period of inactivity.
• PCs must require a password to re-activate.
• Files must be stored and backed up on the server, not on the desktop or C: drive.
11. Best Practices to Preserve Security
Handling Logons and Passwords
• Passwords must comply with security standards
• A good password is:
  • yours alone
  • secret
  • easily remembered by you
  • at least 8 characters, complex
  • not guessable
  • changed regularly (every 90 days)
• 5 unsuccessful attempts will lock your account
• System or browser may not be configured to remember (cache) passwords
• Users may NEVER share passwords for any reason
• Two-factor authentication
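To show how the rules on this slide translate into an enforceable policy, here is an added example, not code from the presentation or the firm. It checks a candidate password against the slide's thresholds (8 characters, complex, not guessable), stores only a salted PBKDF2 hash, expires a password after 90 days and locks the account after 5 failed attempts. The short "guessable" word list and the account records are constructed sample data; a real deployment would use a breached-password list and a directory service.

```python
"""Password policy and lockout model (added example; constructed data)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8                      # "at least 8 characters"
MAX_AGE = timedelta(days=90)        # "changed regularly (every 90 days)"
LOCKOUT_THRESHOLD = 5               # "5 unsuccessful attempts will lock your account"
PBKDF2_ROUNDS = 100_000

# Constructed placeholder for a breached/guessable password list.
GUESSABLE = {"password", "welcome1", "letmein", "qwerty123", "summer2014"}


def complexity_problems(pw: str, username: str = "") -> list[str]:
    """Return the policy rules a candidate password violates (empty list = OK)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    if sum(classes) < 3:
        problems.append("needs at least 3 of: lower, upper, digit, symbol")
    if pw.lower() in GUESSABLE:
        problems.append("appears on the guessable list")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    return problems


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    changed_on: date
    failed_attempts: int = 0
    locked: bool = False


def _hash(pw: str, salt: bytes) -> bytes:
    # Slow, salted hash: a leaked store does not hand out the passwords.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def create_account(username: str, pw: str, today: date) -> Account:
    """Refuse any password that fails policy; otherwise store salt + hash only."""
    problems = complexity_problems(pw, username)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    return Account(username, salt, _hash(pw, salt), today)


def password_expired(acct: Account, today: date) -> bool:
    return today - acct.changed_on > MAX_AGE


def attempt_login(acct: Account, pw: str, today: date) -> str:
    """Return 'locked', 'expired', 'ok' or 'bad' and update the lockout counter."""
    if acct.locked:
        return "locked"
    if hmac.compare_digest(_hash(pw, acct.salt), acct.digest):
        acct.failed_attempts = 0
        return "expired" if password_expired(acct, today) else "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= LOCKOUT_THRESHOLD:
        acct.locked = True
        return "locked"
    return "bad"


if __name__ == "__main__":
    today = date(2014, 12, 15)
    acct = create_account("alice", "Corr3ct-Horse!", today)
    print(attempt_login(acct, "Corr3ct-Horse!", today))   # ok
    print(complexity_problems("password"))
```

Note that a locked account stays locked even for the correct password; unlocking is an administrative step, which is why the slide pairs the lockout rule with "never share passwords": a shared password turns one user's typo into another user's lockout.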
12. Best Practices to Preserve Security
Handling Security Updates and Patches
• Configure operating systems for automatic security updates and patches
• Configure applications for automatic security updates and patches (e.g., MS Office, Acrobat)
• Configure security software to scan web pages, email, attachments, and downloads
• Keep security software up to date and configured for regular scans
13. Best Practices to Preserve Security
Handling Physical Security
• Lock your workstation when you leave your desk or leave your laptop/mobile device unattended
  • Press the Windows Key and "L" (at the same time)
  • Press Ctrl-Alt-Del and "Lock Computer"
• Lock sensitive documents and materials in a file cabinet
• Dispose of sensitive materials appropriately
• Never share your access key, card or fob
• Always question unescorted strangers
• Immediately report all suspicious activities and breaches of physical security
14. Best Practices to Preserve Security
Handling Email Threats
• Don't fall prey to "social engineering"
• Do not open email attachments unless you are expecting the email with the attachment and you trust the sender.
• Do not click on links in emails unless you are absolutely sure of their validity.
• REMEMBER: The most prevalent and persistent threats to your security come to you in your Inbox, even supposedly from people you may know.
• They all have this in common: they are designed to get you to click on an item like an attachment, link or picture.
Stop - Think - Then (maybe) Click
15. Best Practices to Preserve Security
Handling Threats from Your Browser
• Browsing Can Be Hazardous To Your PC
• The Common Threat: On the web, the threats come from malicious links.
• Most of the threats come when you click on a link that launches a malicious program or re-directs you to a dangerous site.
16. Best Practices to Preserve Security
Handling Telework Threats
• Mobile Workers: Be Careful With Your Connections
• Assume public wireless networks are not secure
• Use a Virtual Private Network: allows you to launch a secure Internet connection
• Device Encryption: should be installed on all mobile devices that connect to company systems
17. Reported Data Breaches of Not-for-Profit Corporations in 2014 (reported by Privacy Rights Clearinghouse)
• Oct. 2014: Community Technology Alliance (provides tech support to non-profits in San Jose) notified individuals of a potential compromise of their personal information when an employee's laptop was stolen.
• Sept. 2014: BayBio.org (life sciences non-profit in Bay Area) notified individuals of a data breach to their online payment system. The hacker, via an email, inserted files that captured keystrokes of visitors to their site.
• July 2014: Central City Concern (poverty and homelessness NGO in Oregon) suffered a data breach when unauthorized access by a former employee resulted in the breach of client data.
• March 2014: Service Coordination Inc. (provides services to the developmentally disabled in Maryland) suffered a breach involving one file which contained SSNs and medical info of 9,700 clients when someone hacked its computers.
18. New York Data Breach Law
N.Y. St. Tech. Law §208 (applies to state agencies) and N.Y. Gen. Bus. Law §899-aa (applies to business)
Guarantees persons the right to know what private information was exposed during a breach, so that they can take the necessary steps to both prevent and repair any damage incurred.
Obligates any person or business that conducts business in NY and owns or licenses computerized data that includes private information, or any person or business that maintains such data, to notify a person whose unencrypted data was stolen.
19. New York Data Breach Law
Definition of "Private Information"
• Personal information of a natural person (i.e., information which can be used to identify that person, such as name, email address)
• In combination with any one or more of the following data elements:
  (1) Social security number
  (2) Driver's license or similar identification
  (3) Account number, credit/debit card number, in combination with password or security code
• When either non-encrypted, or encrypted with a data key that was also acquired
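When scoping an incident, the first question is whether what was exposed meets this definition at all. The following is an added example, not from the presentation: a small decision function that applies the slide's three-part test (an identifier, combined with a listed data element, and either unencrypted or encrypted with a key that was also taken). The field names used to describe an exposed dataset are assumed labels chosen for the example, and the note about account numbers only counting together with a password or security code follows item (3) as the slide states it.

```python
"""Scoping an exposed dataset against the slide's definition (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# Assumed field labels for describing an exposed dataset (example's own names).
IDENTIFIERS = {"name", "email"}                              # "personal information"
SENSITIVE_ELEMENTS = {"ssn", "drivers_license", "state_id"}   # items (1) and (2)
ACCOUNT_ELEMENTS = {"account_number", "credit_card", "debit_card"}  # item (3) ...
ACCESS_CODES = {"password", "security_code"}                  # ... only with one of these


@dataclass
class ExposedDataset:
    fields: frozenset[str]
    encrypted: bool = False
    key_also_acquired: bool = False


def classify(ds: ExposedDataset) -> tuple[bool, list[str]]:
    """Return (is_private_information, reasons) under the slide's definition."""
    reasons = []
    if not (ds.fields & IDENTIFIERS):
        return False, ["no personal identifier present"]
    reasons.append("identifier present: " + ", ".join(sorted(ds.fields & IDENTIFIERS)))

    sensitive = ds.fields & SENSITIVE_ELEMENTS
    account = ds.fields & ACCOUNT_ELEMENTS
    codes = ds.fields & ACCESS_CODES
    if sensitive:
        reasons.append("data element: " + ", ".join(sorted(sensitive)))
    elif account and codes:
        reasons.append("account element with access code: "
                       + ", ".join(sorted(account | codes)))
    elif account:
        return False, reasons + ["account number without password/security code"]
    else:
        return False, reasons + ["no listed data element"]

    if ds.encrypted and not ds.key_also_acquired:
        return False, reasons + ["encrypted and key not acquired"]
    if ds.encrypted:
        reasons.append("encrypted but key also acquired")
    else:
        reasons.append("not encrypted")
    return True, reasons


def scope(field_names, encrypted=False, key_also_acquired=False):
    """Convenience wrapper taking plain strings, e.g. scope(["name", "ssn"])."""
    return classify(ExposedDataset(frozenset(field_names), encrypted, key_also_acquired))


if __name__ == "__main__":
    for case in (["name", "ssn"], ["name", "credit_card"], ["email", "ssn"]):
        print(case, scope(case))
```

The function deliberately reports why a dataset falls outside the definition (for example, an account number with no password or security code) so an incident record shows the reasoning, not just a yes/no.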
20. If you have any questions please contact me:
David A. Menken
Smith Buss & Jacobs LLP
733 Yonkers Avenue, Yonkers NY 10704
914-457-4186
dmenken@sbjlaw.com