Post on 26-Mar-2015
The Role of Information Security in Everyday Business
<Company>
Information Security Explained
Information Security Explained
The Need for Information Security
Your Security Role at <Company>
Vital <Company> Assets
Security Threats & Countermeasures
Home Computer Use
Helpful Security Resources
Closing Comments
Information Security Explained
Information security involves the preservation of:
Confidentiality: Ensuring information is disclosed to, and reviewed exclusively by intended recipients / authorized individuals
Integrity: Ensuring the accuracy and completeness of information and processing methods
Availability: Ensuring that information and associated assets are accessible, whenever necessary, by authorized individuals
The Need for Information Security
The Need for Information Security
It is the law
<Provide overview here>
The Need for Information Security (2)
In the news
• “McAfee: Auditor failed to encrypt employee-records CD, left it on plane,” Mercury News, 2/23/06
• “Another security breach reported - Stolen laptop had clients' private data, says Ernst & Young,” San Francisco Chronicle, 2/25/06
• “The network is the risk: in August, the Zotob virus disabled CNN and ABC News...,” Risk & Insurance Magazine, 9/15/05
• “Glouco employee charged with theft: He and his brother are accused of creating fake firms to take $110,000-plus from the utilities authority,” The Philadelphia Inquirer, 2/24/06
• “ChoicePoint multi-million dollar penalty illustrates need for Congress to enact strong ID-theft protections, regulate data brokers,” US Newswire, 1/26/06
• Consequences
– Many of the victims are you, the people.
– Reputations are compromised through media coverage.
– Substantial financial loss is incurred by impacted organizations.
The Need for Information Security (3)
Previous <company> security incidents
<Provide overview of applicable previous security incidents experienced by company here>
The Need for Information Security (4)
The consequences of insufficient security
Loss of competitive advantage
Identity theft
Equipment theft
Service interruption (e.g., e-mail and <application>)
Embarrassing media coverage
Compromised customer confidence; loss of business
Legal penalties
Your Security Role at <Company>
Your security role at <company>
You can prevent several security threats facing <company>
Comply with our corporate security policies
• Key policy one
• Key policy two
• Key policy three
• All of <company>’s corporate security policies may be located:
– <Provide all locations here>
Your security role at <company>
You can prevent several security threats facing <company> (2)
Treat everything you do at <company> as you would treat the well-being of anything of vital importance to you
• Examples of questions you should ask yourself before performing a specific activity include:
– Could the actions I am about to perform in any way either harm myself or <company>?
– Is the information I am currently handling of vital importance either to myself or <company>?
– Is the information I am about to review legitimate / authentic?
– Have I contacted appropriate <company> personnel with questions regarding my uncertainty of how to handle this sensitive situation?
Your security role at <company>
Whom to contact
It is critical for you to contact appropriate <company> personnel the moment you suspect something is wrong
• <Name “1”, title, reason to contact>
• <…>
• <Name “n”, title, reason to contact>
Vital <company> Assets
Vital <company> assets
Your effectiveness in securing <company>’s assets begins with understanding what is of vital importance to <company>
<Asset “1”>
<…>
<Asset “n”>
Security Threats & Countermeasures
Security threats & countermeasures
Malicious software: viruses
Malicious code embedded in e-mail messages that is capable of inflicting a great deal of damage and causing extensive frustration, for example by:
• Stealing files containing personal information
• Sending emails from your account
• Rendering your computer unusable
• Removing files from your computer
What you can do
Do not open attachments to e-mails:
• Received from unknown individuals
• That in any way appear suspicious
If uncertain, contact <contact>
Report all suspicious e-mails to <contact>
Security threats & countermeasures
Malicious software: spyware
Any technology that aids in gathering information about you or <company> without your knowledge and consent.
• Programming that is put in a computer to secretly gather information about the user and relay it to advertisers or other interested parties.
• Cookies are used to store information about you on your own computer.
– If a Web site stores information about you in a cookie of which you are unaware, the cookie is considered a form of spyware.
• Spyware exposure can be caused by a software virus or can result from installing a new program.
What you can do
Do not click on options in deceptive / suspicious pop-up windows.
Do not install any software without receiving prior approval from <contact>.
If you experience slowness / poor computer performance or excessive occurrences of pop-up windows, contact <contact>.
Security threats & countermeasures
Unauthorized systems access
Individuals maliciously obtain unauthorized access to computers, applications, confidential information, and other valuable assets
• Not all guilty parties are unknown; some can be your co-workers
• Unauthorized systems access can result in theft and damage of vital information assets
What you can do
Use strong passwords for all accounts
Commit passwords to memory
• If not possible, store all passwords in a secure location (i.e., not on a sticky note affixed to your monitor or the underside of your keyboard)
Never tell anyone your password
Never use default passwords
Protect your computer with a password-protected screen saver
Report suspicious individuals / activities to <contact>
Report vulnerable computers to <department>
Security threats & countermeasures
Shoulder surfing
The act of covertly observing employees’ actions with the objective of obtaining confidential information
What you can do
Be aware of everyone around you… and what they are doing
• Airline and train travel
• Airports, hotels, cafes, and restaurants; all public gathering areas
• Internet cafes
• Computer labs
Do not perform work involving confidential <company> information if you are unable to safeguard yourself from shoulder surfing
Request a privacy screen for your <company>-issued laptop computer from <contact>
Security threats & countermeasures
Unauthorized facility access
Individuals maliciously obtain unauthorized access to offices with the objective to steal equipment, confidential information, and other valuable <company> assets
What you can do
Do not hold the door for unidentified individuals; i.e., do not permit “tailgating”
<Provide company procedures regarding challenging and reporting individuals with no visible visitor / employee ID badges>
Shred all <company> confidential documents
Do not leave anything of value exposed in your office / work space (e.g., lock all <company> confidential documents in desk drawers / file cabinets)
Escort any of your own visitors throughout the duration of their visit
Security threats & countermeasures
Curious personnel
An employee who is not necessarily malicious but who performs activities testing the limits of their network and facilities access
What you can do
Retrieve your <company> confidential faxes and printed documents immediately
Shred all <company> confidential documents
Lock all <company> confidential documents in desk drawers / file cabinets
Follow the guidance previously provided to prevent unauthorized systems access
Report suspicious activity / behavior to your supervisor
Security threats & countermeasures
Disgruntled employees
Upset / troubled employees with an intent to harm other employees or <company>
What you can do
Contact <contact> if you suspect an employee is disgruntled and potentially dangerous
Be observant of others and report suspicious / inappropriate behavior to <contact>
Exercise extreme care when aware of an unfriendly termination
Security threats & countermeasures
Social engineering
Taking advantage of people’s helping nature / conscience for malicious purposes
What you can do
Never lose sight of the fact that successful social engineering attacks rely on you, <company> employees
If a received phone call is suspicious, request to return their call
• Do not provide personal / confidential <company> information to a caller until you are able to verify the caller’s identity, and their association with their employer’s company
Never provide a caller with anyone’s password, including your own
Report any unrecognized person in a <company> facility to <contact>
Security threats & countermeasures
Phishing
An online scam whereby emails are sent by criminals who seek to steal your identity, rob your bank account, or take over your computer
What you can do
Use the “stop-look-call” technique:
• Stop: Do not react to phishing ploys consisting of “upsetting” or “exciting” information
• Look: Look closely at the claims in the email, and carefully review all links and Web addresses
• Call: Do not reply to e-mails requesting you to confirm account information; call or email the company in question to verify if the email is legitimate
Never email personal information
• When submitting personal / confidential information via a Web site, confirm the security lock is displayed in the browser
Review credit card and bank account statements for suspicious activity
Report suspicious activity to <contact>
Security threats & countermeasures
Information theft through free instant messaging services (IM)
Privacy threats caused by using free IM services in the workplace include personal information leakage, loss of confidential information, and eavesdropping
• <Corporate IM security policy here>
What you can do
Depending upon with whom you are communicating, and how IM was implemented, every message you send – even to a co-worker sitting in the next cubicle – may traverse outside of <company>’s corporate network
• All of the messages you send may be highly susceptible to being captured and reviewed by malicious people
Never send confidential messages or any files to individuals
Realize that there is no means of knowing that the person you are communicating with is really who they say they are
Home Computer Use
Home computer use
Specific conditions and procedures should be followed when using home computers for business purposes
<Condition “1”>
<…>
<Condition “n”>
Home computer use
Specific conditions and procedures should be followed when using home computers for business purposes (2)
<Procedure summary “1”>
<…>
<Procedure summary “n”>
Helpful Security Resources
Helpful security resources
Outlined below are several helpful security resources
http://www.microsoft.com/athome/security/default.mspx
• Security guidance for home computer use, which in many cases also applies to <company> computer use
Helpful security resources
Outlined below are several helpful security resources (2)
http://www.microsoft.com/athome/security/spyware/software/default.mspx &
http://www.microsoft.com/athome/security/spyware/software/about/overview.mspx
• Microsoft’s Windows Defender product, which is a free program that helps protect your home computers against pop-ups, slow performance, and security threats caused by spyware and other unwanted software
Helpful security resources
Outlined below are several helpful security resources (3)
http://safety.live.com/site/en-US/center/howsafe.htm
• Microsoft resources that help protect your home computers against hackers, malicious software, and other security threats
Helpful security resources
Outlined below are several helpful security resources (4)
http://www.microsoft.com/presspass/newsroom/msn/factsheet/WindowsOneCareLiveFS.mspx
• Windows Live OneCare is a service that continually protects and maintains your home computers
Closing Comments
Closing comments
Be security-conscious regarding anything of vital importance to <company> and yourself
When your personal safety, <company>’s safety, or any confidential information is involved, always ask yourself, “what measures should I perform to keep myself and my employer safe, and my employer’s confidential information protected against harm, theft, and inappropriate disclosure?”
Apply similar considerations discussed in today’s security awareness session when at home
Threats do not stop at the work place; they extend to your home and other surroundings
Do not allow this security awareness session to lead to paranoia
Use what you learned today to make more informed decisions to protect yourself, <company>, and others
This security awareness session is the beginning of <company>’s information security awareness and training program
<Provide a brief summary of what should be expected next, and the strategic direction of your ISATP>
Questions and Answers