The Role of Information Security in Everyday Business <Company>

Upload: patrick-mcpherson

Post on 26-Mar-2015

TRANSCRIPT

Page 1: The Role of Information Security in Everyday Business

The Role of Information Security in Everyday Business

<Company>

Page 2: The Role of Information Security in Everyday Business

Information Security Explained

Information Security Explained

The Need for Information Security

Your Security Role at <Company>

Vital <Company> Assets

Security Threats & Countermeasures

Home Computer Use

Helpful Security Resources

Closing Comments

Page 3: The Role of Information Security in Everyday Business

Information Security Explained

Information security involves the preservation of:

Confidentiality: Ensuring information is disclosed to, and reviewed exclusively by, intended recipients / authorized individuals

Integrity: Ensuring the accuracy and completeness of information and processing methods

Availability: Ensuring that information and associated assets are accessible, whenever necessary, by authorized individuals

Page 4: The Role of Information Security in Everyday Business

The Need for Information Security


Page 5: The Role of Information Security in Everyday Business

The Need for Information Security

It is the law

<Provide overview here>

Page 6: The Role of Information Security in Everyday Business

The Need for Information Security (2)

In the news:

“McAfee: Auditor failed to encrypt employee-records CD, left it on plane,” Mercury News, 2/23/06

“Another security breach reported - Stolen laptop had clients' private data, says Ernst & Young,” San Francisco Chronicle, 2/25/06

“The network is the risk: in August, the Zotob virus disabled CNN and ABC News...” Risk & Insurance Magazine, 9/15/05

“Glouco employee charged with theft: He and his brother are accused of creating fake firms to take $110,000-plus from the utilities authority,” The Philadelphia Inquirer, 2/24/06

“ChoicePoint multi-million dollar penalty illustrates need for Congress to enact strong ID-theft protections, regulate data brokers,” US Newswire, 1/26/06

• Consequences
– Many of the victims are you, the people.
– Reputations are compromised through media coverage.
– Substantial financial loss is incurred by impacted organizations.

Page 7: The Role of Information Security in Everyday Business

The Need for Information Security (3)

Previous <company> security incidents

<Provide overview of applicable previous security incidents experienced by company here>

Page 8: The Role of Information Security in Everyday Business

The Need for Information Security (4)

The consequences of insufficient security

Loss of competitive advantage

Identity theft

Equipment theft

Service interruption (e.g., e-mail and <application>)

Embarrassing media coverage

Compromised customer confidence; loss of business

Legal penalties

Page 9: The Role of Information Security in Everyday Business

Your Security Role at <Company>


Page 10: The Role of Information Security in Everyday Business

Your security role at <company>

You can prevent several security threats facing <company>

Comply with our corporate security policies
• Key policy one
• Key policy two
• Key policy three
• All of <company>’s corporate security policies can be found at:
– <Provide all locations here>

Page 11: The Role of Information Security in Everyday Business

Your security role at <company>

You can prevent several security threats facing <company> (2)

Treat everything you do at <company> as you would treat the well-being of anything of vital importance to you
• Examples of questions you should ask yourself before performing a specific activity include:
– Could the actions I am about to perform in any way harm either myself or <company>?
– Is the information I am currently handling of vital importance either to myself or <company>?
– Is the information I am about to review legitimate / authentic?
– Have I contacted appropriate <company> personnel with questions regarding my uncertainty of how to handle this sensitive situation?

Page 12: The Role of Information Security in Everyday Business

Your security role at <company>

Whom to contact

It is critical for you to contact appropriate <company> personnel the moment you suspect something is wrong

• <Name “1”, title, reason to contact>
• <…>
• <Name “n”, title, reason to contact>

Page 13: The Role of Information Security in Everyday Business

Vital <company> Assets


Page 14: The Role of Information Security in Everyday Business

Vital <company> assets

Your effectiveness in securing <company>’s assets begins with understanding what is of vital importance to <company>

<Asset “1”>

<…>

<Asset “n”>

Page 15: The Role of Information Security in Everyday Business

Security Threats & Countermeasures


Page 16: The Role of Information Security in Everyday Business

Security threats & countermeasures

Malicious software: viruses

Malicious code embedded in e-mail messages that is capable of inflicting a great deal of damage and causing extensive frustration, for example by:
• Stealing files containing personal information
• Sending e-mails from your account
• Rendering your computer unusable
• Removing files from your computer

What you can do

Do not open e-mail attachments:
• Received from unknown individuals
• That in any way appear suspicious

If uncertain, contact <contact>

Report all suspicious e-mails to <contact>

Page 17: The Role of Information Security in Everyday Business

Security threats & countermeasures

Malicious software: spyware

Any technology that aids in gathering information about you or <company> without their knowledge and consent.
• Programming that is put in a computer to secretly gather information about the user and relay it to advertisers or other interested parties.
• Cookies are used to store information about you on your own computer.
– If a Web site stores information about you in a cookie of which you are unaware, the cookie is considered a form of spyware.
• Spyware exposure can be caused by a software virus or can result from installing a new program.

What you can do

Do not click on options in deceptive / suspicious pop-up windows.

Do not install any software without receiving prior approval from <contact>.

If you experience slowness / poor computer performance or excessive occurrences of pop-up windows, contact <contact>.

Page 18: The Role of Information Security in Everyday Business

Security threats & countermeasures

Unauthorized systems access

Individuals maliciously obtain unauthorized access to computers, applications, confidential information, and other valuable assets
• Not all guilty parties are unknown; some can be your co-workers
• Unauthorized systems access can result in theft and damage of vital information assets

What you can do

Use strong passwords for all accounts

Commit passwords to memory
• If not possible, store all passwords in a secure location (i.e., not on a sticky note affixed to your monitor or the underside of your keyboard)

Never tell anyone your password

Never use default passwords

Protect your computer with a password-protected screen saver

Report suspicious individuals / activities to <contact>

Report vulnerable computers to <department>

Page 19: The Role of Information Security in Everyday Business

Security threats & countermeasures

Shoulder surfing

The act of covertly observing employees’ actions with the objective of obtaining confidential information

What you can do

Be aware of everyone around you… and what they are doing
• Airline and train travel
• Airports, hotels, cafes, and restaurants; all public gathering areas
• Internet cafes
• Computer labs

Do not perform work involving confidential <company> information if you are unable to safeguard yourself from shoulder surfing

Request a privacy screen for your <company>-issued laptop computer from <contact>

Page 20: The Role of Information Security in Everyday Business

Security threats & countermeasures

Unauthorized facility access

Individuals maliciously obtain unauthorized access to offices with the objective of stealing equipment, confidential information, and other valuable <company> assets

What you can do

Do not hold the door for unidentified individuals; i.e., do not permit “tailgating”

<Provide company procedures regarding challenging and reporting individuals with no visible visitor / employee ID badges>

Shred all <company> confidential documents

Do not leave anything of value exposed in your office / work space (e.g., lock all <company> confidential documents in desk drawers / file cabinets)

Escort any of your own visitors throughout the duration of their visit

Page 21: The Role of Information Security in Everyday Business

Security threats & countermeasures

Curious personnel

An employee who is not necessarily malicious but who performs activities that test the limits of their network and facility access

What you can do

Retrieve your <company> confidential faxes and printed documents immediately

Shred all <company> confidential documents

Lock all <company> confidential documents in desk drawers / file cabinets

Follow the guidance previously provided to prevent unauthorized systems access

Report suspicious activity / behavior to your supervisor

Page 22: The Role of Information Security in Everyday Business

Security threats & countermeasures

Disgruntled employees

Upset / troubled employees with an intent to harm other employees or <company>

What you can do

Contact <contact> if you suspect an employee is disgruntled and potentially dangerous

Be observant of others and report suspicious / inappropriate behavior to <contact>

Exercise extreme care when aware of an unfriendly termination

Page 23: The Role of Information Security in Everyday Business

Security threats & countermeasures

Social engineering

Taking advantage of people’s helping nature / conscience for malicious purposes

What you can do

Never lose sight of the fact that successful social engineering attacks rely on you, <company> employees

If a received phone call is suspicious, request to return their call
• Do not provide personal / confidential <company> information to a caller until you are able to verify the caller’s identity, and their association with their employer’s company

Never provide a caller with anyone’s password, including your own

Report any unrecognized person in a <company> facility to <contact>

Page 24: The Role of Information Security in Everyday Business

Security threats & countermeasures

Phishing

An online scam whereby e-mails are sent by criminals who seek to steal your identity, rob your bank account, or take over your computer

What you can do

Use the “stop-look-call” technique:
• Stop: Do not react to phishing ploys consisting of “upsetting” or “exciting” information
• Look: Look closely at the claims in the e-mail, and carefully review all links and Web addresses
• Call: Do not reply to e-mails requesting you to confirm account information; call or e-mail the company in question to verify whether the e-mail is legitimate

Never e-mail personal information
• When submitting personal / confidential information via a Web site, confirm the security lock is displayed in the browser

Review credit card and bank account statements for suspicious activity

Report suspicious activity to <contact>
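The “Look” step above (review all links and Web addresses) can be made concrete. The Python script below is an added example and is not part of the original deck: it inspects the links in a constructed sample HTML e-mail and flags the inconsistencies a reader is being asked to spot: a displayed address that differs from the real target, a raw IP address in place of a host name, a user@host trick that hides the real host after the “@”, and a plain-HTTP link that will show no browser lock. The function names, the `.example` domains and the sample message are all assumptions of this example.

```python
"""Added example (not part of the original deck): flag the link inconsistencies
the "Look" step asks you to check. SAMPLE_EMAIL below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _split(url):
    """urlsplit() that tolerates a bare 'www.host/path' with no scheme."""
    return urlsplit(url if "://" in url else "http://" + url)


def _host(url):
    """Lowercase host name of a URL ('' if it has none)."""
    return (_split(url).hostname or "").lower()


def _is_ip_literal(host):
    """True for a dotted-quad IPv4 address used in place of a host name."""
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def check_links(html_body):
    """Return a list of (href, reason) warnings for the links in an e-mail body."""
    collector = _LinkCollector()
    collector.feed(html_body)
    warnings = []
    for href, text in collector.links:
        real_host = _host(href)
        if _is_ip_literal(real_host):
            warnings.append((href, "link points to a raw IP address, not a host name"))
        if "@" in _split(href).netloc:
            warnings.append((href, "user@host trick: the browser goes to the host after '@'"))
        # Only compare when the visible text itself looks like a web address.
        shown_host = _host(text) if "." in text and " " not in text else ""
        if shown_host and shown_host != real_host:
            warnings.append((href, f"displayed address {shown_host} differs from real target {real_host}"))
        if href.lower().startswith("http://"):
            warnings.append((href, "plain HTTP: the browser will show no security lock"))
    return warnings


# Constructed sample message: one honest link and two deceptive ones.
SAMPLE_EMAIL = """
<p>Your account has been locked. Verify it now:</p>
<a href="http://203.0.113.5/login">https://www.bank.example/login</a>
<p>Questions? See <a href="https://www.bank.example/help">our help page</a>.</p>
<p>Or sign in at <a href="https://www.bank.example@phish.example/">www.bank.example</a></p>
"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"{href}: {reason}")
```

Running the script on the sample prints five warnings: three for the first link (raw IP, displayed address differs from target, plain HTTP), two for the third (user@host trick, displayed address differs from target) and none for the honest help-page link. The same check can be run over any saved HTML message before anyone clicks.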

Page 25: The Role of Information Security in Everyday Business

Security threats & countermeasures

Information theft through free instant messaging (IM) services

Privacy threats caused by using free IM services in the workplace include personal information leakage, loss of confidential information, and eavesdropping
• <Corporate IM security policy here>

What you can do

Depending upon with whom you are communicating, and how IM was implemented, every message you send – even to a co-worker sitting in the next cubicle – may traverse outside of <company>’s corporate network
• All of the messages you send may be highly susceptible to being captured and reviewed by malicious people

Never send confidential messages or any files over IM

Realize that there is no means of knowing that the person you are communicating with is really who they say they are

Page 26: The Role of Information Security in Everyday Business

Home Computer Use


Page 27: The Role of Information Security in Everyday Business

Home computer use

Specific conditions and procedures should be followed when using home computers for business purposes

<Condition “1”>

<…>

<Condition “n”>

Page 28: The Role of Information Security in Everyday Business

Home computer use

Specific conditions and procedures should be followed when using home computers for business purposes (2)

<Procedure summary “1”>

<…>

<Procedure summary “n”>

Page 29: The Role of Information Security in Everyday Business

Helpful Security Resources


Page 30: The Role of Information Security in Everyday Business

Helpful security resources

Outlined below are several helpful security resources

http://www.microsoft.com/athome/security/default.mspx
• Security guidance for home computer use, which in many cases also applies to <company> computer use

Page 31: The Role of Information Security in Everyday Business

Helpful security resources

Outlined below are several helpful security resources (2)

http://www.microsoft.com/athome/security/spyware/software/default.mspx &
http://www.microsoft.com/athome/security/spyware/software/about/overview.mspx

• Microsoft’s Windows Defender product, which is a free program that helps protect your home computers against pop-ups, slow performance, and security threats caused by spyware and other unwanted software

Page 32: The Role of Information Security in Everyday Business

Helpful security resources

Outlined below are several helpful security resources (3)

http://safety.live.com/site/en-US/center/howsafe.htm
• Microsoft resources that help protect your home computers against hackers, malicious software, and other security threats

Page 33: The Role of Information Security in Everyday Business

Helpful security resources

Outlined below are several helpful security resources (4)

http://www.microsoft.com/presspass/newsroom/msn/factsheet/WindowsOneCareLiveFS.mspx

• Windows Live OneCare is a service that continually protects and maintains your home computers

Page 34: The Role of Information Security in Everyday Business

Closing Comments


Page 35: The Role of Information Security in Everyday Business

Closing comments

Be security-conscious regarding anything of vital importance to <company> and yourself

When your personal safety, <company>’s safety, or any confidential information is involved, always ask yourself, “what measures should I perform to keep myself and my employer safe, and my employer’s confidential information protected against harm, theft, and inappropriate disclosure?”

Apply similar considerations discussed in today’s security awareness session when at home

Threats do not stop at the work place; they extend to your home and other surroundings

Do not allow this security awareness session to lead to paranoia

Use what you learned today to make more informed decisions to protect yourself, <company>, and others

This security awareness session is the beginning of <company>’s information security awareness and training program

<Provide a brief summary of what should be expected next, and the strategic direction of your ISATP>

Page 36: The Role of Information Security in Everyday Business

Questions and Answers