2. TABLE OF CONTENTS
Physical Security ... 2
Don't Play in Traffic on the Information Superhighway ... 3
Password Security ... 4
Cyber Hoaxes ... 5
Fax Security ... 6
Voice Mail Security ... 7
Telecomm Security ... 8
Dos & Don'ts of Info Security (Hardware and Software) ... 9
Information Security Policies ... 10
Laptop Security and Air Travel ... 11
Questions ... 12
pg. 1
3. PHYSICAL SECURITY
Physical security is an important component of the information protection
program at Your company. Below are some tips that can help you avoid
overlooking physical security.
The 10 Commandments of Physical Security
1. Never walk away from your computer while you are logged on to the
mainframe, local area network, e-mail, or an application.
2. Always log out before leaving your desk, even if it's just for a minute.
3. Don't write down your password and leave it lying around your workstation.
4. Adhere to a clean-desk policy. Keep your area clean and uncluttered, and
clear off your desk at the end of every workday.
5. Make time at the end of your day to secure your work area.
6. Use the locks on your desk, file cabinets, and diskette storage cases.
7. Don't leave sensitive information lying around. Make sure all documents and
diskettes are secured properly.
8. Dispose of sensitive information properly. Shred sensitive documents. If
you're discarding or recycling diskettes, make sure that they have been
erased, not simply re-initialized.
9. Be careful not to damage diskettes or other media. Never use a ballpoint pen
to write directly onto a labeled diskette.
10. Don't eat or drink near your computer or other electronic media. Liquids
spilled on your PC or keyboard can cause serious damage.
INFORMATION SECURITY ALWAYS MATTERS!
pg. 2
4. DON’T PLAY IN TRAFFIC ON THE INFORMATION SUPERHIGHWAY
How can you avoid getting into an accident on the Information Superhighway?
By adhering to a simple set of guidelines outlined below.
I will:
Protect your company’s information from unauthorized access, modification,
duplication, destruction or disclosure.
Protect my password and not share it with anyone.
Only transmit information that is unclassified.
Comply with copyright and software licensing agreements.
Report any suspicious activity or suspected compromises of your company's
information systems to the Information Security Officer.
Scan files downloaded from the Internet with anti-virus scanning software.
I will not:
Download games, viruses, unlicensed software, or offensive materials.
Use company-provided Internet access for unauthorized activities.
Transmit messages that adversely affect the company’s image.
Use another person’s password to access the Internet.
Transmit confidential information.
pg. 3
5. CREATE STRONG PASSWORDS AND CHANGE FREQUENTLY
Don't think of your password as a way to get into your computer; think of it as a way to
keep others out. Don't think of your password as a free ticket; think of it as an expensive,
highly prized, easily pocketed item coveted by dishonest insiders, malicious hackers, and
unethical competitors alike.
Your password should be a mix of letters and numbers, and you should change it
frequently. Here are some hints for creating strong passwords:
Technique                                          Words                         Password
String several words together, adding numbers      I LOVE YOU                    ILOVE44U
Repeat words and add numbers                       BAT                           BAT22BAT
Spell a word phonetically                          Telephone                     TELEFON6
Combine personal facts                             Age + Favorite Color          29YELLOW
Substitute an I or O with a 1 (one) or 0 (zero)    Noisy Kid                     N01SYK1D
Use an acronym from an easy-to-remember phrase     A Stitch in Time Saves Nine   ASITS9
Never use a password that you have read on a password protection checklist like this one.
Follow the techniques suggested, but don’t use the examples given.
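The rules above can be enforced mechanically. The following checker is an added example, not part of the booklet: it requires a mix of letters and digits, rejects the sample passwords printed in the table (comparing them both as printed and with the I/O to 1/0 substitution undone, since the substitution technique itself is public), and assumes a minimum length of 8, which the booklet does not state.

```python
"""Password checklist checker (added example, not part of the booklet).

Enforces the rules the password page states: a password must mix letters
and numbers, and it must not be one of the sample passwords printed in the
checklist table.  The minimum length of 8 is an assumption; the booklet
gives no length.
"""
import re

# Sample passwords from the booklet's technique table (never to be reused).
CHECKLIST_EXAMPLES = {
    "ILOVE44U", "BAT22BAT", "TELEFON6", "29YELLOW", "N01SYK1D", "ASITS9",
}

MIN_LENGTH = 8  # assumption: the booklet does not state a length

# The booklet's substitution technique (I -> 1, O -> 0) is printed on the
# page, so a candidate is compared with that substitution undone as well
# as exactly as typed.
_UNSUBSTITUTE = str.maketrans({"1": "I", "0": "O"})


def normalize_forms(password: str) -> set:
    """Return the upper-cased password and its de-substituted variant."""
    upper = password.upper()
    return {upper, upper.translate(_UNSUBSTITUTE)}


# Every form of every checklist example, computed once.
_EXAMPLE_FORMS = set().union(*(normalize_forms(e) for e in CHECKLIST_EXAMPLES))


def check_password(password: str) -> list:
    """Return the checklist rules the password violates; empty means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("contains no letters")
    if not re.search(r"[0-9]", password):
        problems.append("contains no digits")
    if normalize_forms(password) & _EXAMPLE_FORMS:
        problems.append("matches a sample password printed on the checklist")
    return problems


if __name__ == "__main__":
    for candidate in ("ILOVE44U", "n0isyk1d", "Gr8Owl4Zebra"):
        print(candidate, "->", check_password(candidate) or "accepted")
```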
pg. 4
6. CYBERHOAXES
“Good Times” is perhaps the most infamous virus hoax. It claimed that “the
Federal Communications Commission had discovered a virus that would destroy
your computer’s processor by setting it into an nth complexity infinite loop.” It
was a source of aggravation and confusion for months. At the height of the
hysteria, “Good Times” e-mail messages brought down one major corporation’s
whole network of networks.
What you can do about cyber hoaxes
Being a good “On-line User” means taking both individual and collective
responsibility for what happens on-line. Some cyber hoaxes and urban legends
may appear amusing but the dangers are real. If you receive an e-mail message
warning you about some imminent danger or spreading some outlandish tale not
reflected in the mainstream media, don’t act without thinking first. Ask yourself,
“Is the content of this message plausible?” “Is the alleged source of this
message plausible?” If the countless users who unwittingly spread the “Good
Times” message around the globe had taken a moment to ask themselves when
was the last time they received an e-mail message of any kind from the FCC, the
resounding answer would have been “never” and the hoax would have sunk into
oblivion.
If you receive an unsolicited e-mail message of an unusual nature (especially
one purporting to warn of on-line dangers) and it suggests that you forward it to
other on-line users—don’t do it! That’s another common sense tip that would
have ended “Good Times” early on. If you receive any such unusual messages,
you should contact your Information Security Officer before doing anything. But
you might just call on the phone, instead of simply forwarding the e-mail—in
many cases, the intent of the cyber hoax is to bring down the network by the
sheer volumes of messages.
pg. 5
7. FAX SECURITY
People don't generally think of fax machines when they think of industrial
espionage or information warfare. Faxes are relatively low-tech. They aren't
perceived as dangerous. They're easy to use. But their seemingly harmless
functionality can be deceptive. These simple devices have had a dramatic impact
on how business communications are conducted.
What can you do to help with fax security
Many common sense fax security tips are similar to those urged for voice and e-
mail.
Don't send a fax containing anything that you wouldn't want to hear on the
evening news.
Don't send faxes of a personal nature on company time or using company fax
equipment.
Never hurry the typing in of an outgoing fax number. Go slow and double-
check yourself.
Take extra care whenever you send a broadcast fax.
Don't let incoming faxes simply pile up and spill over. Get them properly
distributed.
If you're sending information intended only for the recipient, call the recipient
before and after sending the fax.
pg. 6
8. VOICEMAIL SECURITY
Hackers and phreakers are adept at gaining access to outside lines through
voice mail boxes, then running up costly long-distance phone bills for the
victimized organizations. Hackers, phreakers, and even drug dealers are known
to use abandoned voice mail boxes on large corporate systems to traffic in
contraband and conduct other nefarious activities. Below is a checklist to help
you in promoting voice mail security:
Checklist
When you first receive voice mail privileges, you should change your
password immediately. And, just as with your e-mail account and network
access, come up with a password that is easy for you to remember but
difficult for someone else to guess. Use a clever mix of letters and numbers.
Change your password frequently, at least every 30 days. Remember that
your voice mail account is on the front line of information security.
Don't share your password with anyone.
Record a personalized greeting in your own voice.
Delete messages after you've listened to them.
Don't leave messages that contain sensitive, confidential, or personal
information in a voice mail box.
Report strange or suspicious voice mail messages to your Information
Security Officer. Don't delete such messages—they may yield vital evidence.
If you are aware of a still active voice mail box for an employee who has been
terminated or transferred, notify your information security personnel.
Take some time to learn about the voice mail system. This knowledge will
help you detect breaches in telecommunications security.
pg. 7
9. TELECOMM SECURITY
Cellular phones are the single most insecure medium over which to have a
confidential conversation. It is a fairly trivial matter (and a common one) for
hobbyists to listen in on cellular phone calls. For the middle class of organized
crime, it is a way of life. For corporate raiders and foreign spies, it is standard
operating procedure.
Here are some suggestions on how to thwart cellular eavesdroppers:
Be careful about what kind of information you discuss over cell phones.
Answer your cell phone by saying "hello," instead of your full name and
company name, to preserve your anonymity.
Remind the person at the other end of the line that cellular communications
are very insecure.
If you're forced to discuss confidential or sensitive information, try to use only
the first names of key players and try to avoid naming the different corporate
entities involved.
Understand that when you dial into your organization's voice mail system via
cell phone, it is possible for an eavesdropper not only to hear your messages
as you do, but more importantly to record and be able to replay the exact
tones of your voice mail password.
Even pagers are being exploited in telecommunications fraud. One scam
involves someone sending pages to get people to dial a number that results in a
billing of $25 or $30 each, like a 900 or 976 number. Many of these scams use
numbers in the 809 Caribbean area code. There is no warning prior to the
charge being assessed. This scam preys on the natural tendency of diligent and
harried workers to immediately respond to a page, thinking it's a potential
customer. When the victim ends up reaching a weather report for the Sub-Sahara
or an X-rated chat line in Trinidad, they simply hang up, thinking they
dialed the wrong number or that the person paging them entered the wrong digits.
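A callback number can be screened before it is dialed. The following is an added example, not part of the booklet: it flags the three number classes the page names (1-900 numbers, 976-exchange numbers, and the 809 Caribbean area code) and assumes North American numbering, so the area code and exchange are the first two three-digit groups; the sample numbers are constructed.

```python
"""Pager callback screen (added example, not part of the booklet).

Before returning a page, flags the callback numbers the telecomm page
warns about: 1-900 numbers, local 976-exchange numbers, and numbers in the
809 Caribbean area code, which look like ordinary domestic long distance
but bill at international premium rates.  Assumes North American (NANP)
numbering: optional leading 1, then area code, exchange, and line number.
"""
import re

PREMIUM_AREA_CODES = {"900", "809"}  # both named on the telecomm page
PREMIUM_EXCHANGES = {"976"}          # premium-rate local exchange prefix


def screen_callback(number: str) -> tuple:
    """Return (safe_to_dial, reason) for a callback number taken from a page."""
    digits = re.sub(r"\D", "", number)          # tolerate dashes, spaces, parens
    if len(digits) == 11 and digits[0] == "1":
        digits = digits[1:]                     # strip the NANP country code
    if len(digits) == 10:
        area, exchange = digits[:3], digits[3:6]
    elif len(digits) == 7:
        area, exchange = None, digits[:3]       # local call, no area code
    else:
        return False, "unrecognised number format"
    if area in PREMIUM_AREA_CODES:
        return False, f"area code {area} bills at premium or international rates"
    if exchange in PREMIUM_EXCHANGES:
        return False, f"exchange {exchange} is a premium-rate service"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample pages; 555-01xx numbers are reserved for fiction.
    for page in ("1-809-555-0123", "(900) 555-0199", "976-0100", "212-555-0100"):
        print(page, "->", screen_callback(page))
```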
pg. 8
10. DOs AND DON’Ts OF HARDWARE AND SOFTWARE SECURITY
“Hardware” is physical equipment, including mechanical, electronic, and
magnetic components, used in data processing. “Software” refers to computer
programs, instructions, procedures, routines, and possibly associated
documentation concerned with the operation of a computer system.
DON’T use personally owned hardware or software at the work site to
perform work assignments and related functions.
DO use only your company-owned hardware to perform job duties.
DO use only your company authorized software.
DO comply with all license agreements.
DON’T make unauthorized copies of software.
DON’T use public domain software.
DO take reasonable precautions to prevent damage to hardware and
software from food or beverage spills.
DO store all removable and concealable items (e.g., diskettes, etc.) under
lock and key when not in use if applicable.
DON’T eat, drink, or smoke around computer equipment or software.
DO take reasonable precautions to ensure security of the computer when left
unattended.
DON’T pile papers, printouts, diskettes, etc. on computer equipment.
DO protect computer equipment from environmental hazards (e.g., direct
sunlight, heat sources, vents, open windows, or other sources of dust and
moisture).
DON’T make or use illegal copies of proprietary software. Know and obey
copyright software laws and licensing restrictions.
DO store diskettes in protective storage containers.
DO label all diskettes.
DON’T touch any exposed areas of the diskette or attempt to open the metal
shield.
DO keep diskettes away from magnets and magnetized objects, including
power supply adapters and telephones.
DO provide the diskettes the same level of security as the data stored on
them.
DO use a password-protected screen-saver, if possible.
pg. 9
11. INFORMATION SECURITY POLICIES
A successful security program, just like the construction of a building, starts with
a strong foundation on which to build. Security policies and procedures are the
foundation on which all other security features and disciplines are built. Your
company has developed several information security policies to protect its
information assets from loss or misuse. It is your responsibility to know and
comply with the following policies:
Information Asset Protection Policy
The Information Asset Protection Policy is the primary information security
policy. It states that all information is an asset of the company and will be
protected from unauthorized access, disclosure, modification, or destruction—
whether accidental or intentional. This policy provides the framework for
implementing an asset protection program.
Business Risk Assessment Policy
This policy requires that an annual risk assessment be performed on
distributed systems and the applications processed on those systems.
Electronic Communications Policy
This policy covers the use of Electronic Communication resources including
connectivity to public and private networks. It also discusses the use of the
Internet and e-mail systems.
Privacy Policy
All employees are expected to follow this policy. It assures customers that
they can continue to entrust the company with customer personal information.
pg. 10
12. LAPTOPS AND AIR TRAVEL
There has been increased attention lately to the problems of laptop security while
traveling. With a substantial number of business travelers carrying laptops, the
airport security checkpoint has become the target for a scam aimed at separating
you from your laptop.
It involves two persons who look for a victim carrying a laptop and approaching a
metal detector. They position themselves in front of the unsuspecting passenger.
They stall until the unsuspecting passenger puts the laptop computer on the
conveyor belt. Then the first subject moves through the metal detector easily.
The second subject sets off the detector and begins the slow process of
emptying pockets, removing jewelry, etc. While this is happening, the first
subject takes the laptop as soon as it appears on the conveyor belt and moves
away quickly. When the passenger finally gets through the metal detector, the
laptop is gone. The subject who picked it up travels into the gate area and
disappears among the crowd. Sometimes even a third subject will take a hand-off
from the first subject, and the computer is out of the restricted area before the
passenger even knows that it is gone.
How Do You Avoid Being a Victim?
Don't put your computer on the conveyor until the person in front of you has
cleared the detector.
Make sure the computer has disappeared into the scanner before you pass
through the detector (otherwise someone on the outside can grab it before it
goes through).
Don't carry your computer in a clearly identifiable computer carrying case.
If you set off the detector, ask to be checked with the "wand" inside security,
where you can watch your computer. If you go back out, the computer, which
has already passed through the scanner, may disappear.
pg. 11