Information Security Awareness Training
SECURITY IS EVERYONE'S RESPONSIBILITY
Training Objectives and Overview
Objectives
After completing this training, you should be able to:
• Understand cyber security threats associated with email and other forms of electronic communications
• Learn tips on how to safely maneuver through the internet
• Understand why it is important to protect our information assets and your role in the process
• Learn how to better secure your computer and data
• Understand the importance of passwords and how to create a strong password
• Understand how international travel can pose risks to information assets
• Locate policies, standards and travel preparation on the Employee Portal
Electronic Communication
• Any communication (email, instant messaging, text messaging, etc.) sent in support of the corporate business is considered a corporate message and is subject to monitoring.
Do not send:
• Anything which could be interpreted as abusive or harassing
• Unsolicited advertising or anything that could be interpreted as a scam
Electronic Communication - Do's
• Be careful of the information shared outside of the company and its competitive value.
• Protect information inside the company by not sharing it with those without a need-to-know.
• Use approved "Chat" applications (set up by the IT help desk) for instant messaging needs. The use of other commercial instant messaging products could allow viruses to infect your computer.
• Be mindful of the restrictions on information sharing in the Information Security Policies and procedures.
Improper use of electronic communication in support of the corporate business can put the company at risk and is a violation of company policy.
Email Viruses
Email is the most common source of computer viruses. What can you do to avoid computer viruses?
When receiving email from questionable sources:
• Do not open attachments.
• Do not click on web links.
• Do not respond to the email.
• If you don't know the sender or what it concerns, the safest thing to do is delete the email.
• Forward the email to mailscam@mailserver.com
Be cautious even of email which appears to be from someone you know. The email could have been forwarded from a questionable or unknown email address. Be certain of the source before you click on a link.
Email
• Email is inherently unsafe because it is the easiest way for someone to breach the system and to trick you.
• Do not forward any confidential company email outside of the corporate policy (i.e., to personal email accounts, etc.).
• If your job requires you to email confidential information to outside parties, including personal information, follow the e-mail policy, Secure Email*.
*Encrypt: to convert or scramble computer data and messages into something incomprehensible.
Spam
• Spam is unsolicited email (junk email). It may be targeted to a certain group or sent as a mass mailing.
• The corporate e-mail spam service blocks millions of spam emails every day; however, some do manage to get through.
• In the majority of cases, delete the spam.
• If you feel someone should be alerted, call the help desk or forward the email to mailscam@corporate.com
Phishing
Phishing is a type of cyber attack involving forged emails and websites. Typically, an email is sent with a disturbing message such as "Your bank account has been suspended" and includes a website link or an attachment. The website link looks like a legitimate website, such as a financial institution's, but is actually the hacker's website.
To avoid being caught by a phishing email, individuals should:
• Contact the business directly.
• Be suspicious of any email requesting personal information.
• Do not open links or attachments from questionable sources.
• Delete the email.
Internet Usage
Use Good Judgment
The company monitors internet usage and blocks certain websites for a variety of reasons. Please be aware that anything you do on the internet can be traced.
When accessing the internet from email links, use sound judgment. Be extremely wary of emails asking for information or asking you to click a link. If the email states "You've got to see this," ask yourself why.
Please use sound judgement when accessing personal web-based email such as Yahoo, Gmail, or other non-corporate email systems from your corporate computer.
Blocked Website Categories
Certain types of websites are blocked from the corporate network. Some examples include:
• Adult/Mature Content
• Gambling
• Games
• Hacking
• Personals/Dating
• Social Media
• Violence/Hate/Racism
• Weapons
Contact IT for a complete list of Blocked Website Categories.
Malware
• Malware is a term for malicious software which is designed to be installed on a computer without the owner's knowledge.
• Spyware is a type of malware which monitors your computer activity and reports this activity back to the owner of the spyware. Spyware can keep track of the websites you visit.
• Based on this information, hackers can create spam or phishing emails that target your interests or profession.
• Visiting unfamiliar sites could therefore infect your computer with malware.
Caution Before You Click
Computers can get infected with malware simply by visiting an infected website. That is why it is very important to be careful when clicking a link in email, search results, or web pages.
Malware can also steal data. This includes personal data such as computer IDs, passwords, social security numbers and account numbers.
To avoid having your identity compromised by malware:
• Be careful what internet sites you visit.
• Do not open attachments or links from unknown sources.
• Do not accept free software download offers without your manager's approval.
Social Networking (e.g., Facebook, LinkedIn, Twitter)
• Be very careful what information is shared on these sites. Always consider what could be done with this information and the possible impact it may have.
• Certain data posted on these sites may allow a targeted email fraud, phishing, or spam attack to be developed.
• In addition, the personal information posted may be used in a social engineering attack, where someone masquerades as you or a person close to you.
• Access to many social networking sites is blocked from the corporate network due to the risk of exposure.
Public Wireless Access
• Public wireless internet is available at many locations. It is important to understand that when you use these networks you are no longer on a network controlled by either you or the company.
• Many of the security controls in place at work are not available on a public network. You cannot assume a public network is secure.
• Protect company information by ALWAYS using the corporate secure Virtual Private Network (VPN) connection when accessing a public network.
• Always use extreme caution when handling corporate information.
Personal Devices
Do not connect personal devices to the corporate network. Examples include:
• iPads
• Tablets
• Wireless cameras
• Wireless printers
Do not use personal software for company business.
• Using personal software for company business violates company license agreements.
Data Security
Protecting Information
• Non-public company information should be protected, both inside and outside the company.
• Unauthorized disclosure of company information can put the company at risk. We could lose competitive advantage, create legal problems, violate regulatory requirements, or tarnish the image of the company.
• Information should only be shared with individuals on a need-to-know basis. The company uses access restrictions on File Shares to protect stored information and Secure File Transfer Protocol (SFTP) to securely transfer information.
Information Protection
Confidential information should never be left unattended in places such as:
• Meeting rooms
• Fax machines
• Printers
• Desks
• Dry erase boards
• Unlocked file cabinets
• Unsecured shared drives
Dispose of personal or confidential information in a secure manner (i.e., shred, delete data from the hard drive according to company guidelines, or incinerate).
Use a clean desk approach. Lock up confidential/sensitive papers when you are not using them.
File Share Ownership for "Common Drive" Information
• Per the corporate policy, File Share owners must be a manager or supervisor.
• File Share owners are responsible for all content and access they own.
• Ownership roles must be reviewed annually and updated when there is a change in job responsibilities.
• Owners should limit access to only those who have a business need to access the information.
• Data owners should adhere to the corporate Information Security Handling and Classification Policy (NO-POL-0026) to ensure content is retained based on regulatory obligations, industry benchmarks and sound business practices. The policy is available on the corporate intranet.
• Do not store Personally Identifiable Information (PII) on a File Share that is accessible by any employee who does not have a legitimate business purpose for accessing that information.
Unauthorized Software
• Installing unauthorized software is a violation of company policy that may result in disciplinary action. Software downloaded from the internet can contain vulnerabilities that put the entire association at risk.
• The company catalogs, tracks, and updates the software contained in the standard computer image for vulnerabilities. However, updates cannot be done for unauthorized software, thus putting the association at risk.
• Software downloaded to share music can often make other files on your computer available for sharing to others and lead to disclosure of sensitive information.
• These precautions apply to all corporate-owned devices, including mobile devices (NO-POL-0013).
Mobile Device Security
Every individual at the company is responsible for protecting the company's information and equipment.
• Laptops, smart phones, tablets and other mobile devices (e.g., thumb drives) should be locked or kept in your personal possession at all times.
• When traveling, be sensitive to where and when you use mobile devices such as phones, laptops, and tablets. Don't allow others to "look over your shoulder".
• Never leave laptops or other mobile devices in clear view inside a vehicle.
• Immediately report any stolen mobile device storing corporate information to the Help Desk.
Mobile devices, including smart phones and tablets, must be password protected.
Corporate Mobile Devices and Personal Information
• The company may elect to provide corporately owned mobile devices to enable the Company workforce. These devices may include tablets such as iPads, smart phones, Androids or other types of mobile devices.
• Though the devices are for corporate use, it is easy to commingle personal information with corporate data on the device.
• To 'commingle' company information and personal information means to mix them in some fashion. Commingling company information and personal information has privacy and security consequences.
• Examples of commingling data include:
  • Personal emails and/or documents stored on a corporate device
  • Corporate email stored on a personal email account
  • Call records of personal telephone calls made on a corporate device
Commingling – No Expectation of Privacy
• The company permits limited personal use of corporate computing resources.
• There are many consequences to storing personal information on a corporate device, including mobile devices. Some of these consequences are:
  • Employees can have no expectation of privacy related to personal information stored on the corporate device.
  • If the employee is involved in personal litigation, and relevant personal data is on the corporate device, that device may be subject to discovery and:
    • The Company may be compelled to provide the personal information to counsel, placing personal information at risk of exposure, and
    • The device may be unavailable to the company for a time, which could place company data at risk of exposure.
USB Flash/Thumb Drives
• USB drives are becoming a way to spread unwanted malicious programs.
• It is important not to insert personal-use USB drives into corporate equipment. This may inadvertently transport a virus or other unwanted programs.
• One hacking trick is to leave infected USB drives lying around in public places for people to pick up and use. While it is enticing to find a 'free' USB drive, inserting it into your corporate or home computer is strongly discouraged.
• To protect information contained on USB drives, look for devices that use a password or allow encryption (scrambling the information into secret code). A user manual often comes with the device to explain these features.
• If you work inside process control environments, use only dedicated portable media to transfer information to Supervisory Control and Data Acquisition (SCADA) systems or process computer systems. Do not use this portable media for any other purpose.
What to Do if You Notice a Security Issue
If you suspect the company's security has been compromised, a security issue has occurred, or unauthorized information has been accessed or released, contact:
• The Help Desk
• Your Manager or Supervisor
Social Engineering
• Social engineering is the art of manipulating people into performing actions or divulging confidential information. Email is a common method used.
• Social engineers create a scenario based on a few known facts (names, phone numbers, etc.) which seems believable. If the story is credible, then most people are more than willing to help the social engineer.
• For example, a social engineer may claim to be a corporate IT employee who needs your password to fix a computer problem. In reality, they are trying to gain access to corporate computers using your ID and password.
• Be very cautious and think twice before giving out corporate information.
Physical Security
Physical Security for Information Assets
• Facilities housing corporate information assets are physically restricted to authorized individuals and require a valid corporate ID.
• These facilities or buildings must be protected by physical security controls that prevent unauthorized individuals from gaining access. Visitors are required to sign in and be accompanied by an escort while in company facilities.
• Remember:
  • Never allow others to use your badge.
  • Never allow tailgating (holding a door or gate open for another person that requires a badge).
  • Report lost or stolen badges immediately to:
    • HR Administration
    • Managers or Supervisors
    • Help Desk
Sabotage of Corporate Facilities
Individuals should watch for one or more of the following signs:
• Physical surveillance of corporate facilities
• Any threats to individuals or property
• Attempts to gain unauthorized access to restricted areas
• Vandalism to company property
What should you do?
• If threatened or in danger, move to safety and call 911.
• Notify HR Administration.
• Do not touch anything. Preserve evidence for investigators.
Lock Your Computer
• Lock your computer when you walk away. It is easy to do:
  1. Press the Ctrl+Alt+Del keys at the same time.
  2. Then select the "Lock Computer" option.
• You are responsible for all actions that occur with your ID. If you leave your computer unattended and unlocked, someone else could take action (such as sending email) using your identity or access your personal information (e.g., view your paycheck) via the Portal.
• Your computer should always be in a physically secured location.
• Use the provided cable lock/tether to secure laptops left unattended.
Password Management
Your Password
• Your password is an integral part of the overall protection of the company's information assets.
• Hackers will try to steal passwords and IDs to break into corporate systems.
• If your password is compromised, the hacker has the ability to access anything you can access, using your identity.
• Never use your corporate ID or account password on non-corporate systems such as Amazon, Facebook or eBay. Once a password is compromised, the next logical step for a hacker is to try that password on other systems that you access.
Password Guidelines & Suggestions
The science of password cracking has been simplified with the use of high-speed programs that employ databases containing words and phrases. There are ways to protect your password from these types of attacks, such as creating a password from a password phrase.
Tips: What Not to Do:
• Do not write down or share your password.
• Do not use the same password for everything (i.e., work, personal banking, etc.).
• Do not use information that others could associate with you, like names of family members or pets.
• Do not use cyclical, incremental, or patterned passwords.
• Do not use words spelled backwards.
• Do not use keyboard patterns (i.e., "asdf").
For information on creating a strong password, see Password Requirements in the Password Policy (NO-POL-0022).
Tips for Creating a Strong Password
Create a strong, secure password that is easy to remember. Use a combination of upper case, lower case, numbers, and special characters to make your password complex.
• Example: Use the phrase "it is not enough to do your best; you must know what to do, and Then do your best." (W. Edwards Deming)
• Take the first letter from each word, separate every four letters with a comma, and then put a two-digit number at the end.
• Add a number or punctuation every few letters or between syllables.
• A 12-character password would then be "iine,tdyb,12".
• Your corporate password should only be used for your corporate account. Use a different password for all personal email accounts.
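The passphrase recipe above, together with the "What Not to Do" list from the previous slide, worked through as an added Python example that is not part of this training deck: derive_password applies the deck's steps to the Deming quotation and reproduces "iine,tdyb,12" when only the first eight initials are kept, and guideline_violations flags the patterns the deck tells you to avoid. The keyboard rows and the simple pattern checks are my own assumptions, not definitions from the corporate password policy.

```python
import re

# The quotation the deck uses to build a passphrase-based password
# (from the training deck; the attribution is not part of the phrase).
DEMING_PHRASE = ("it is not enough to do your best; you must know what to do, "
                 "and Then do your best.")

# Keyboard rows used to detect "keyboard patterns" such as "asdf".
# Constructed list: an assumption about what counts as a pattern.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def derive_password(phrase, max_letters=None, suffix="12", group=4):
    """Apply the deck's recipe: take the first letter of each word (case kept),
    put a comma after every `group` letters, then add a two-digit number.

    `max_letters` caps how many initials are kept; the deck's own example
    keeps only the first 8 initials of the 19-word quotation.
    """
    initials = [word[0] for word in re.findall(r"[A-Za-z]+", phrase)]
    if max_letters is not None:
        initials = initials[:max_letters]
    chunks = ["".join(initials[i:i + group])
              for i in range(0, len(initials), group)]
    return ",".join(chunks + [suffix])


def guideline_violations(password, personal_terms=()):
    """Return the "What Not to Do" rules a candidate password breaks.

    `personal_terms` is the caller's list of names others could associate
    with them (family, pets, employer). Labels returned: "keyboard pattern",
    "associated term: X", "reversed word: X", "incremental suffix".
    An empty list means none of these simple checks fired.
    """
    pw = password.lower()
    found = []
    # Do not use keyboard patterns: any four adjacent keys from one row.
    for row in KEYBOARD_ROWS:
        if any(row[i:i + 4] in pw for i in range(len(row) - 3)):
            found.append("keyboard pattern")
            break
    # Do not use information others could associate with you, and do not
    # use words spelled backwards.
    for term in personal_terms:
        t = term.lower()
        if len(t) >= 3 and t in pw:
            found.append("associated term: " + term)
        if len(t) >= 3 and t[::-1] in pw:
            found.append("reversed word: " + term)
    # Do not use incremental or patterned passwords: a bare word followed by
    # one or two digits is the classic "password1", "password2" sequence.
    if re.fullmatch(r"[a-z]+\d{1,2}", pw):
        found.append("incremental suffix")
    return found


if __name__ == "__main__":
    short = derive_password(DEMING_PHRASE, max_letters=8)   # the deck's example
    print(short, len(short), guideline_violations(short, ("Deming",)))
    print(derive_password(DEMING_PHRASE))                   # all 19 initials kept
    print(guideline_violations("fluffy1", ("Fluffy",)))
```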
Privacy
• Privacy is a set of fair information practices to ensure:
  • Personal information is accurate, relevant, and current.
  • All collections, uses, and disclosures of personal information are known and appropriate.
  • Personal information is protected.
The Policy for Privacy:
• Implements procedures and controls at all levels to protect the confidentiality and integrity of information stored and processed on systems.
Different Types and Forms of Personally Identifiable Information (PII)
• Social Security number (SSN)
• Health Insurance Claim Number (HICN)
• Date of birth (DOB)
• National Provider Identification (NPI)
• Driver's license number
• Passport number
• Personal Health Information (PHI)
• Biometric information
PII must be protected in any form: paper, electronic, oral.
Recognize Threats to Information Systems and Privacy
• Share information on a need-to-know basis.
• Never access PII unless authorized to do so to perform your job.
• Only store PII on encrypted devices.
• Encrypt emails and double-check that the recipient name(s) are correct before sending.
• When faxing, confirm that you have the correct fax number and call the recipient to confirm receipt.
Privacy Roles and Responsibilities
Objective: Understand your personal responsibility to protect information systems.
Privacy policies and procedures require you to:
• Collect, use, and disclose personal information only for reasons that serve a legitimate job function, support the mission of the company and are allowed by law.
• Disclose only the minimum amount of information.
• Access information only for authorized purposes.
• Follow standards to safeguard personal information throughout the information life cycle.
• Report suspected privacy violations or incidents.
• Comply with all applicable privacy laws.
• Shred documents containing PII; NEVER place them in the trash. Contact the IT Department for proper disposal of equipment like copy machines and computers.
As a member of the corporate workforce, you are responsible for following privacy policies and procedures.
Privacy Violations
• Privacy violations can result in severe consequences, including:
Security Summary
Things You Can Do To Help Keep the Company Secure
It is the responsibility of each member of the corporate workforce to protect our enterprise information assets.
Here are some things you can do to help:
• Only corporate equipment can be connected to the internal business network.
• Do not load any unapproved software on your corporate equipment.
• Do not change any corporate security settings.
• Avoid opening email and attachments from questionable sources.
• Lock your workstation before you walk away.
• Protect corporate data in all formats (e.g., thumb drive, hard copy, CD, etc.).
• Use a strong password.
• Do not write down or share your password.
• Ensure each member of the workforce has access to only what they need.
• Beware of social engineering.
• Report any lost or stolen company information asset (laptop, mobile phone, etc.) to the Help Desk.

How to Recognize a Fake Email.pptxSultan593473
 
Computer Security and Safety, Ethics, and.pptx
Computer Security and Safety, Ethics, and.pptxComputer Security and Safety, Ethics, and.pptx
Computer Security and Safety, Ethics, and.pptxEigraEmliuqer
 
E business internet fraud
E business internet fraudE business internet fraud
E business internet fraudRadiant Minds
 
Chapter 4 E-Safety and Health & Safety
Chapter 4 E-Safety and Health & SafetyChapter 4 E-Safety and Health & Safety
Chapter 4 E-Safety and Health & SafetyAnjan Mahanta
 

Similar to Information Security Awareness Training Open (20)

TheCyberThreatAndYou2_deck.pptx
TheCyberThreatAndYou2_deck.pptxTheCyberThreatAndYou2_deck.pptx
TheCyberThreatAndYou2_deck.pptx
 
ISMS Awareness Training (2) (1).pptx
ISMS Awareness Training (2) (1).pptxISMS Awareness Training (2) (1).pptx
ISMS Awareness Training (2) (1).pptx
 
Internet Security
Internet SecurityInternet Security
Internet Security
 
CyberSecurity Cyber24x7.pdf
CyberSecurity Cyber24x7.pdfCyberSecurity Cyber24x7.pdf
CyberSecurity Cyber24x7.pdf
 
Masterclass_ Cybersecurity and Data Privacy Basics
Masterclass_ Cybersecurity and Data Privacy BasicsMasterclass_ Cybersecurity and Data Privacy Basics
Masterclass_ Cybersecurity and Data Privacy Basics
 
Building a culture of security
Building a culture of securityBuilding a culture of security
Building a culture of security
 
Computer Basics in the Work Place
Computer Basics in the Work PlaceComputer Basics in the Work Place
Computer Basics in the Work Place
 
Internet Safety & Privacy
Internet Safety & PrivacyInternet Safety & Privacy
Internet Safety & Privacy
 
Chp-15 Cyber Safety ppt-std 11.pptx
Chp-15 Cyber Safety ppt-std 11.pptxChp-15 Cyber Safety ppt-std 11.pptx
Chp-15 Cyber Safety ppt-std 11.pptx
 
Free_business_IT_security_policy_template_v5.pdf
Free_business_IT_security_policy_template_v5.pdfFree_business_IT_security_policy_template_v5.pdf
Free_business_IT_security_policy_template_v5.pdf
 
Cybersecurity - Defense Against The Dark Arts Harry Potter Style
Cybersecurity - Defense Against The Dark Arts Harry Potter StyleCybersecurity - Defense Against The Dark Arts Harry Potter Style
Cybersecurity - Defense Against The Dark Arts Harry Potter Style
 
Cyber security for small businesses
Cyber security for small businessesCyber security for small businesses
Cyber security for small businesses
 
Data protection and security
Data protection and securityData protection and security
Data protection and security
 
CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024
 
Phishing attack, with SSL Encryption and HTTPS Working
Phishing attack, with SSL Encryption and HTTPS WorkingPhishing attack, with SSL Encryption and HTTPS Working
Phishing attack, with SSL Encryption and HTTPS Working
 
How to Recognize a Fake Email.pptx
How to Recognize a Fake Email.pptxHow to Recognize a Fake Email.pptx
How to Recognize a Fake Email.pptx
 
Computer Security and Safety, Ethics, and.pptx
Computer Security and Safety, Ethics, and.pptxComputer Security and Safety, Ethics, and.pptx
Computer Security and Safety, Ethics, and.pptx
 
COMPUTER ETHICS.pptx
COMPUTER ETHICS.pptxCOMPUTER ETHICS.pptx
COMPUTER ETHICS.pptx
 
E business internet fraud
E business internet fraudE business internet fraud
E business internet fraud
 
Chapter 4 E-Safety and Health & Safety
Chapter 4 E-Safety and Health & SafetyChapter 4 E-Safety and Health & Safety
Chapter 4 E-Safety and Health & Safety
 

Information Security Awareness Training Open

1. Information Security Awareness Training
SECURITY IS EVERYONE'S RESPONSIBILITY

3. Objectives
After completing this training, you should be able to:
• Understand cyber security threats associated with email and other forms of electronic communications
• Learn tips on how to safely maneuver through the internet
• Understand why it is important to protect our information assets and your role in the process
• Learn how to better secure your computer and data
• Understand the importance of passwords and how to create a strong password
• Understand how international travel can pose risks to information assets
• Locate policies, standards and travel preparation on the Employee Portal

5. Electronic Communication
• Any communication (email, instant messaging, text messaging, etc.) sent in support of the corporate business is considered the corporate message and is subject to monitoring.
Do not send:
• Anything which could be interpreted as abusive or harassing
• Unsolicited advertising or anything that could be interpreted as a scam

6. Electronic Communication - Do's
• Be careful of the information shared outside of the company and its competitive value.
• Protect information inside the company by not sharing it with those without a need-to-know.
• Use approved "Chat" applications (set up by the IT helpdesk) for instant messaging needs. The use of other commercial instant messaging products could allow viruses to infect your computer.
• Be mindful of the Information Security Policies and procedures restrictions on information sharing.
Improper use of electronic communication in support of the corporate business can put the corporate at risk and is a violation of company policy.

7. Email Viruses
Email is the most common source of computer viruses. What can you do to avoid computer viruses?
When receiving email from questionable sources:
• Do not open attachments.
• Do not click on web links.
• Do not respond to the email.
• If you don't know the sender or what it concerns, the safest thing to do is delete the email.
• Forward the email to mailscam@mailserver.com
Be cautious even of email which appears to be from someone you know. The email could have been forwarded from a questionable or unknown email address. Be certain of the source before you click on a link.
8. Email
• Email is inherently unsafe because it is the easiest way for someone to breach the system and to trick you.
• Do not forward any confidential company email outside of the corporate policy (i.e., to personal email accounts, etc.).
• If your job requires you to email confidential information to outside parties, including personal information, follow the e-mail policy, Secure Email*.
* encrypt: to convert or scramble computer data and messages into something incomprehensible.

9. Spam
• Spam is unsolicited email (junk email). It may be targeted to a certain group or a mass mailing.
• The corporate e-mail spam service blocks millions of spam emails every day; however, some do manage to get through.
• In the majority of cases, delete the spam.
• If you feel someone should be alerted, call the help desk or forward the email to mailscam@corporate.com

10. Phishing
Phishing is a type of cyber attack involving forged emails and websites. Typically, an email is sent with a disturbing message such as "Your bank account has been suspended" and includes a website link or an attachment. The website link looks like a viable website, such as a financial institution, but is actually the hacker's website.
To avoid being caught by a phishing email, individuals should:
• Contact the business directly.
• Be suspicious of any email requesting personal information.
• Do not open links or attachments from questionable sources.
• Delete the email.

12. Use Good Judgment
The corporate monitors internet usage and blocks certain websites for a variety of reasons. Please be aware that anything you do on the internet can be traced.
When accessing the internet from email links, use sound judgment. Be extremely wary of emails asking for information or asking you to click a link. If the email states "You've got to see this," ask yourself why.
Please use sound judgement when accessing personal web-based email such as Yahoo, Gmail, or other non-corporate email systems from your corporate computer.

13. Blocked Website Categories
Certain types of websites are blocked from the corporate network. Some examples include:
• Adult/Mature Content
• Gambling
• Games
• Hacking
• Personals/Dating
• Social Media
• Violence/Hate/Racism
• Weapons
Contact IT for a complete list of Blocked Website Categories.

14. Malware
• Malware is a term for malicious software which is designed to be installed on a computer without the owner's knowledge.
• Spyware is a type of malware which monitors your computer activity and reports this activity back to the owner of the spyware. Spyware can keep track of the websites you visit.
• Based on this information, spam or phishing emails can be created by hackers to target your interests or work profession.
• Therefore, visiting unfamiliar sites could infect your computer with malware.

15. Caution Before You Click
Computers can get infected with malware by simply visiting an infected website. That is why it is very important to be careful when clicking a link in email, search lists, or web pages.
Malware can also steal data. This includes personal data such as computer IDs, passwords, social security and account numbers.
To avoid having your identity compromised by malware:
• Be careful what internet sites you visit.
• Do not open attachments or links from unknown sources.
• Don't download free software offers without your manager's approval.

16. Social Networking (i.e. Facebook, LinkedIn, Twitter)
• Be very careful what information is shared on these sites. Always consider what could be done with this information and the possible impact it may have.
• Certain data posted on these sites may allow a targeted email fraud, phishing, or spam attack to be developed.
• In addition, the personal information posted may be used in a social engineering attack, where someone masquerades as you or a person close to you.
• Access to many social networking sites is blocked from the corporate network due to the risk of exposure.

17. Public Wireless Access
• Public wireless internet is available at many locations. It is important to understand that when you use these networks you are no longer on a network controlled by either you or the corporate.
• Many of the security controls in place at work are not available on a public network. You cannot assume a public network is secure.
• Protect company information by ALWAYS using your corporate secure Virtual Private Network (VPN) connection when accessing a public network.
• Always use extreme caution when handling corporate information.

18. Personal Devices
Do not connect personal devices to the corporate network. Examples include:
• iPads
• Tablets
• Wireless cameras
• Wireless printers
Do not use personal software for company business.
• Using personal software for company business violates company license agreements.
20. Protecting Information
• Non-public company information should be protected, both inside and outside the company.
• Unauthorized disclosure of company information can put the corporate at risk. We could lose competitive advantage, create legal problems, violate regulatory requirements, or tarnish the image of the company.
• Information should only be shared with individuals on a need-to-know basis. The corporate uses access restrictions on File Shares to protect stored information and Secure File Transfer Protocol (SFTP) to securely transfer information.

21. Information Protection
Confidential information should never be left unattended in places such as:
• Meeting rooms
• Fax machines
• Printers
• Desks
• Dry erase boards
• Unlocked file cabinets
• Unsecured shared drives
Dispose of personal or confidential information in a secure manner (i.e., shred, delete data from the hard drive according to company guidelines, or incinerate).
Use a clean desk approach. Lock up confidential/sensitive papers when you are not using them.

22. File Share Ownership for "Common Drive" Information
• Per corporate policy, File Share owners must be a manager or supervisor.
• File Share owners are responsible for all content and access they own.
• Ownership roles must be reviewed annually and updated when there is a change in job responsibilities.
• Owners should limit access to only those who have a business need to access the information.
• Data owners should adhere to the corporate Information Security Handling and Classification Policy (NO-POL-0026) to ensure content is retained based on regulatory obligations, industry benchmarks and sound business practices. The policy is available on the corporate's intranet.
• Do not store Personally Identifiable Information (PII) on a File Share that is accessible by any employee who does not have a legitimate business purpose for accessing that information.

23. Unauthorized Software
• Installing unauthorized software is a violation of company policy that may result in disciplinary action. Software downloaded from the internet can contain vulnerabilities that put the entire association at risk.
• The corporate catalogs, tracks, and updates the software contained in the standard computer image for vulnerabilities. However, updates cannot be done for unauthorized software, thus putting the association at risk.
• Software downloaded to share music can often make other files on your computer available for sharing to others and lead to disclosure of sensitive information.
• These precautions apply to all corporate-owned devices, including mobile devices (NO-POL-0013).

24. Mobile Device Security
Every individual at the corporate is responsible for protecting the company's information and equipment.
• Laptops, smart phones, tablets and other mobile devices (i.e., thumb drives) should be locked or kept in your personal possession at all times.
• When traveling, be sensitive to where and when you use mobile devices such as phones, laptops, and tablets. Don't allow others to "look over your shoulder".
• Never leave laptops or other mobile devices in clear view inside a vehicle.
• Immediately report any stolen mobile device storing corporate information to the Help Desk.
Mobile devices, including smart phones and tablets, must be password protected.

25. Corporate Mobile Devices and Personal Information
• The corporate may elect to provide corporately owned mobile devices to enable the Company workforce. These devices may include tablets such as iPads, smart phones, Androids or other types of mobile devices.
• Though the devices are for corporate use, it is easy to commingle personal information with corporate data on the device.
• To 'commingle' company information and personal information means to mix them in some fashion. Commingling company information and personal information has privacy and security consequences.
• Examples of commingling data include:
• Personal emails and/or documents stored on a corporate device
• Corporate email stored on a personal email account
• Call records of personal telephone calls made on a corporate device

26. Commingling – No Expectation of Privacy
• The corporate permits limited personal use of corporate computing resources.
• There are many consequences to storing personal information on a corporate device, including mobile devices. Some of these consequences are:
• Employees can have no expectation of privacy related to personal information stored on the corporate device
• If the employee is involved in personal litigation, and relevant personal data is on the corporate device, that device may be subject to discovery and:
• The Company may be compelled to provide the personal information to counsel, placing personal information at risk of exposure, and
• The device may be unavailable to the company for a time, which could place company data at risk of exposure.

27. USB Flash/Thumb Drives
• USB drives are becoming a way to spread unwanted malicious programs.
• It is important not to insert personal-use USB drives into corporate equipment. This may inadvertently transport a virus or other unwanted programs.
• One hacking trick is to leave infected USB drives lying around in public places for people to pick up and use. While it is enticing to find a 'free' USB drive, inserting it into your corporate or home computer is strongly discouraged.
• To protect information contained on USB drives, look for devices that use a password or allow encryption (scrambling the information into secret code). A user manual often comes with the device to explain these features.
• If you work inside process control environments, use only dedicated portable media to transfer information to Supervisory Control and Data Acquisition (SCADA) systems or process computer systems. Do not use this portable media for any other purpose.

28. What to Do if You Notice a Security Issue
If you suspect the corporate's security has been compromised, a security issue has occurred or unauthorized information has been accessed or released, contact:
• The Help Desk
• Your Manager or Supervisor

29. Social Engineering
• Social engineering is the art of manipulating people into performing actions or divulging confidential information. Email is a common method used.
• Social engineers create a scenario based on a few known facts (names, phone numbers, etc.) which seems believable. If the story is credible, then most people are more than willing to help the social engineer.
• For example, a social engineer may claim to be a corporate IT employee who needs your password to fix a computer problem. In reality, they are trying to gain access to corporate computers using your ID and password.
• Be very cautious and think twice before giving out corporate information.
31. Physical Security for Information Assets
• Facilities housing corporate information assets are physically restricted to authorized individuals and require a valid corporate ID.
• These facilities or buildings must be protected by physical security controls that prevent unauthorized individuals from gaining access. Visitors are required to sign in and be accompanied by an escort while in company facilities.
• Remember:
• Never allow others to use your badge
• Never allow tailgating (holding a door or gate open for another person that requires a badge).
• Report lost or stolen badges immediately to:
• HR Administration
• Managers or Supervisors
• Help Desk

32. Sabotage on Corporate Facilities
Individuals should watch for one or more of the following signs:
• Physical surveillance of corporate facilities
• Any threats to individuals or property
• Attempts to gain unauthorized access to restricted areas
• Vandalism to company property
What should you do?
• If threatened or in danger, move to safety and call 911.
• Notify HR Administration.
• Do not touch anything. Preserve evidence for investigators.

33. Lock Your Computer
• Lock your computer when you walk away. It is easy to do:
• 1. Press the Ctrl+Alt+Del keys at the same time
• 2. Then select the "Lock Computer" option
• You are responsible for all actions that occur with your ID. If you leave your computer unattended and unlocked, someone else could take action (such as send email) using your identity or access your personal information (view your paycheck) via the Portal.
• Your computer should always be in a physically secured location.
• Use the provided cable lock/tether to secure laptops left unattended.

35. Your Password
• Your password is an integral part of the overall protection of the corporate's information assets.
• Hackers will try to steal passwords and IDs to break into corporate systems.
• If your password is compromised, the hacker has the ability to access anything you can access, using your identity.
• Never use your corporate ID or account password on non-corporate systems such as Amazon, Facebook or eBay. Once a password is compromised, the next logical step for a hacker is to try that password on other systems that you access.
36. Password Guidelines & Suggestions
The science of password cracking has been simplified with the use of high speed programs that employ databases containing words and phrases. There are ways to protect your password from these types of attacks, such as creating a password by using a password phrase.
Tips: What Not to Do:
• Do not write down or share your password.
• Do not use the same password for everything (i.e., work, personal banking, etc.)
• Do not use information that others could associate with you, like names of family members or pets.
• Do not use cyclical, incremental, or patterned passwords.
• Do not use words spelled backwards.
• Do not use keyboard patterns (i.e., "asdf").
For information on creating a strong password, see Password Requirements located in the Password Policy (NO-POL-0022).

37. Tips for Creating a Strong Password
Create a strong, secure password that is easy to remember. Use a combination of upper case, lower case, numbers, and special characters to make your password complex.
• Example: Use the phrase "it is not enough to do your best; you must know what to do, and Then do your best." W. Edwards Deming
• Take the first letter from each word, separate every four letters with a comma, and then put a two digit number at the end.
• Add a number or punctuation every few letters or between syllables.
• A 12 character password would then be "iine,tdyb,12".
• Your corporate password should only be used for your corporate account. Use a different password for all personal email accounts.
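As an added example (not code from the training deck), the Python below applies the slide 37 passphrase recipe to the Deming phrase and then checks the result against the slide 36 "what not to do" rules and the slide 37 character-class advice. The word list, keyboard rows, the 12-character minimum and the pattern-length threshold are constructed assumptions for illustration, not values from the deck or any corporate policy.

```python
"""Added example, not code from the training deck: apply the slide 37
passphrase recipe, then check the result against the slide 36 "what not
to do" rules. Word list, keyboard rows and thresholds are constructed."""
import re
import string

# Constructed stand-in for a dictionary (slide 36: no words spelled backwards).
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "letmein", "best"}
# Keyboard rows for the "asdf"-style pattern check (slide 36).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def phrase_to_password(phrase, letters=8, group=4, suffix="12"):
    """Slide 37 recipe: first letter of each word, a comma after every
    `group` letters, then a two-digit number. Only the first `letters`
    initials are kept, which is how the slide reaches its 12-character
    example from a 19-word phrase."""
    initials = "".join(w[0] for w in re.findall(r"[A-Za-z]+", phrase))[:letters]
    chunks = [initials[i:i + group] for i in range(0, len(initials), group)]
    return ",".join(chunks) + "," + suffix


def _has_keyboard_run(pw, run=4):
    """True if `run` adjacent keys from one row appear, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seg = row[i:i + run]
            if seg in low or seg[::-1] in low:
                return True
    return False


def _has_sequential_run(pw, run=4):
    """Incremental runs such as 'abcd' or '6789' and repeats such as 'aaaa'."""
    for i in range(len(pw) - run + 1):
        codes = [ord(c) for c in pw[i:i + run]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def _has_reversed_word(pw, words=COMMON_WORDS):
    """Slide 36: a dictionary word written backwards is not a disguise."""
    low = pw.lower()
    return any(len(w) >= 4 and w[::-1] in low for w in words)


def password_issues(pw, personal_info=()):
    """Return the slide 36/37 guidelines that `pw` violates (empty = none).
    `personal_info` holds names others could associate with the user
    (family, pets, employer), which slide 36 says must not appear."""
    issues = []
    if len(pw) < 12:                       # slide 37's example is 12 characters
        issues.append("shorter than 12 characters")
    if not any(c.isupper() for c in pw):   # slide 37: mix of character classes
        issues.append("no upper case letter")
    if not any(c.islower() for c in pw):
        issues.append("no lower case letter")
    if not any(c.isdigit() for c in pw):
        issues.append("no digit")
    if not any(c in string.punctuation for c in pw):
        issues.append("no special character")
    if _has_keyboard_run(pw):
        issues.append("contains a keyboard pattern")
    if _has_sequential_run(pw):
        issues.append("contains a cyclical or incremental pattern")
    if _has_reversed_word(pw):
        issues.append("contains a word spelled backwards")
    low = pw.lower()
    if any(len(p) >= 3 and p.lower() in low for p in personal_info):
        issues.append("contains information others could associate with you")
    return issues


if __name__ == "__main__":
    deming = ("it is not enough to do your best; you must know what to do, "
              "and Then do your best.")
    pw = phrase_to_password(deming)
    print(pw, password_issues(pw))  # iine,tdyb,12 ['no upper case letter']
```

Run on the slide's own sample, the checker reports only the missing upper case letter, which is the one slide 37 guideline that "iine,tdyb,12" does not meet; keeping the capital from "Then" or adding one by hand clears it.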
38. Privacy
• Privacy is a set of fair information practices to ensure:
• Personal information is accurate, relevant, and current.
• All collections, uses, and disclosures of personal information are known and appropriate.
• Personal information is protected.
The Policy for Privacy:
• Implements procedures and controls at all levels to protect the confidentiality and integrity of information stored and processed on systems.

39. Different Types and Forms of Personally Identifiable Information (PII)
• Social Security number (SSN)
• Health Insurance Claim Number (HICN)
• Date of birth (DOB)
• National Provider Identification (NPI)
• Driver's license number
• Passport number
• Personal Health Information (PHI)
• Biometric information
• PII must be protected in any form: paper, electronic, oral.

40. Recognize Threats to Information Systems and Privacy
• Share information on a need-to-know basis.
• Never access PII unless authorized to do so to perform your job.
• Only store PII on encrypted devices.
• Encrypt emails and double-check that the recipient name(s) is correct before sending.
• When faxing, confirm that you have the correct fax number and call the recipient to confirm receipt.

41. Privacy Roles and Responsibilities
Objective: Understand personal responsibility to protect information systems.
Privacy policies and procedures require you to:
• Collect, use, and disclose personal information for reasons that are for a legitimate job function, support the mission of the corporate and are allowed by law.
• Disclose only the minimum amount of information.
• Access information only for authorized purposes.
• Follow standards to safeguard personal information throughout the information life cycle.
• Report suspected privacy violations or incidents.
• Comply with all applicable privacy laws.
• Shred documents containing PII; NEVER place them in the trash. Contact the IT Department for proper disposal of equipment like copy machines and computers.
As a member of the corporate workforce, you are responsible for following privacy policies and procedures.

42. Privacy Violations
• Privacy violations can result in severe consequences including:

44. Things You Can Do To Help Keep the Company Secure
It is the responsibility of each member of the corporate workforce to protect our enterprise information assets. Here are some things you can do to help:
• Only corporate equipment can be connected to the internal business network.
• Do not load any unapproved software on your corporate equipment.
• Do not change any corporate security settings.
• Avoid opening email and attachments from questionable sources.
• Lock your workstation before you walk away.
• Protect corporate data in all formats (i.e., thumb drive, hard copy, CD, etc.)
• Use a strong password.
• Do not write down or share your password.
• Ensure each member of the workforce has access to only what they need.
• Beware of social engineering.
• Report any lost or stolen company information asset (laptop, mobile phone, etc.) to the Help Desk.