EMPLOYEE SECURITY AWARENESS PROGRAM

By David Currie, CPA, CIA, CISA
david.currie@earthlink.net




                                         pg. 0
TABLE OF CONTENTS



Physical Security..................................................................................................... 2

Don't Play in Traffic on the Information Superhighway ........................................... 3

Password Security .................................................................................................. 4

Cyber hoaxes .......................................................................................................... 5

Fax Security ............................................................................................................ 6

Voice Mail Security ................................................................................................. 7

Telecomm Security ................................................................................................. 8

Dos & Don’ts of Info Security (Hardware and Software) ......................................... 9

Information Security Policies ................................................................................... 10

Laptop Security and Air Travel ................................................................................ 11

Questions ............................................................................................... 12




                                                                                                                 pg. 1
PHYSICAL SECURITY

Physical security is an important component of the information protection
program at Your company. Below are some tips that can help you avoid
overlooking physical security.

The 10 Commandments of Physical Security

- Never walk away from your computer while you are logged on to the
  mainframe, local area network, e-mail, or an application.
- Always log out before leaving your desk, even if it’s just for a minute.
- Don’t write down your password and leave it lying around your workstation.
- Adhere to a clean-desk policy. Keep your area clean and uncluttered. Clear
  off your desk at the end of every workday.
- Make time at the end of your day to secure your work area.
- Use the locks on your desk, file cabinets, and diskette storage cases.
- Don’t leave sensitive information lying around. Make sure all documents and
  diskettes are secured properly.
- Dispose of sensitive information properly. Shred sensitive documents. If
  you’re discarding or recycling diskettes, make sure that they have been
  erased, not simply re-initialized.
- Be careful not to damage diskettes or other media. Never use a ballpoint pen
  to write directly onto a labeled diskette.
- Don’t eat or drink near your computer or other electronic media. Liquids
  spilled on your PC or keyboard can cause serious damage.

INFORMATION SECURITY ALWAYS MATTERS!




                                                                            pg. 2
DON’T PLAY IN TRAFFIC ON THE INFORMATION SUPERHIGHWAY

How can you avoid getting into an accident on the Information Superhighway?
By adhering to a simple set of guidelines outlined below.

I will:

- Protect your company’s information from unauthorized access, modification,
  duplication, destruction, or disclosure.
- Protect my password and not share it with anyone.
- Only transmit information that is unclassified.
- Comply with copyright and software licensing agreements.
- Report any suspicious activity or suspected compromises of your company’s
  information systems to the Information Security Officer.
- Scan files downloaded from the Internet with anti-virus scanning software.

I will not:

- Download games, viruses, unlicensed software, or offensive materials.
- Use company-provided Internet access for unauthorized activities.
- Transmit messages that adversely affect the company’s image.
- Use another person’s password to access the Internet.
- Transmit confidential information.

INFORMATION SECURITY ALWAYS MATTERS!




                                                                            pg. 3
CREATE STRONG PASSWORDS AND CHANGE FREQUENTLY

Don’t think of your password as a way to get into your computer, think of it as a way to
keep others out. Don’t think of your password as a free ticket, think of it as an expensive,
highly prized, easily pocketed item coveted by dishonest insiders, malicious hackers, and
unethical competitors alike.

Your password should be a mix of letters and numbers and you should change it
frequently. Here are some hints for creating strong passwords:

Technique                                          Words                         Password

String several words together, adding numbers      I LOVE YOU                    ILOVE44U

Repeat a word and add numbers                      BAT                           BAT22BAT

Spell a word phonetically                          Telephone                     TELEFON6

Combine personal facts                             Age + Favorite Color          29YELLOW

Substitute an I or O with a 1 (one) or 0 (zero)    Noisy Kid                     N01SYK1D

Use an acronym from an easy-to-remember phrase     A Stitch in Time Saves Nine   ASITS9


Never use a password that you have read on a password protection checklist like this one.
Follow the techniques suggested, but don’t use the examples given.
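As an added example (not part of the original program), a small checker that enforces the page’s rule of letters mixed with numbers and rejects the sample passwords printed in the table above, including after the 1-for-I / 0-for-O substitution the table suggests. The 8-character minimum is an assumption added here, not a rule from the page.

```python
import re

# Added example, not the program's own material. Rules on the page: a password
# is a mix of letters and numbers, and the examples printed on the checklist
# must never be used. MIN_LENGTH is an assumption added here.
MIN_LENGTH = 8

# The sample passwords from the table above. They are published, so they belong
# on a deny-list rather than in anyone's real password.
PUBLISHED_EXAMPLES = frozenset({
    "ILOVE44U", "BAT22BAT", "TELEFON6", "29YELLOW", "N01SYK1D", "ASITS9",
})


def desubstitute(text: str) -> str:
    """Undo the table's 'write I as 1, O as 0' trick so that NOISYKID and
    N01SYK1D compare equal. Used for comparison only, never stored."""
    return text.upper().translate(str.maketrans("10", "IO"))


# Deny-list in the same normalized form, so substitution variants are caught too.
_PUBLISHED_SHAPES = frozenset(desubstitute(p) for p in PUBLISHED_EXAMPLES)


def check_password(candidate: str) -> list:
    """Return the list of rules the candidate breaks; an empty list means it passes."""
    problems = []
    normalized = candidate.strip().upper()
    if len(normalized) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", normalized):
        problems.append("contains no letters")
    if not re.search(r"[0-9]", normalized):
        problems.append("contains no numbers")
    if desubstitute(normalized) in _PUBLISHED_SHAPES:
        problems.append("matches an example printed on this checklist")
    return problems


if __name__ == "__main__":
    for sample in ("ILOVE44U", "NOISYKID", "r1verbank7"):
        verdict = check_password(sample)
        print(sample, "->", "ok" if not verdict else "; ".join(verdict))
```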

INFORMATION SECURITY ALWAYS MATTERS!




                                                                                      pg. 4
CYBERHOAXES

“Good Times” is perhaps the most infamous virus hoax. It claimed that “the
Federal Communications Commission had discovered a virus that would destroy
your computer’s processor by setting it into an nth complexity infinite loop.” It
was a source of aggravation and confusion for months. At the height of the
hysteria, “Good Times” e-mail messages brought down one major corporation’s
whole network of networks.

What you can do about cyber hoaxes

Being a good “On-line User” means taking both individual and collective
responsibility for what happens on-line. Some cyber hoaxes and urban legends
may appear amusing but the dangers are real. If you receive an e-mail message
warning you about some imminent danger or spreading some outlandish tale not
reflected in the mainstream media, don’t act without thinking first. Ask yourself,
“Is the content of this message plausible?” “Is the alleged source of this
message plausible?” If the countless users who unwittingly spread the “Good
Times” message around the globe had taken a moment to ask themselves when
was the last time they received an e-mail message of any kind from the FCC, the
resounding answer would have been “never” and the hoax would have sunk into
oblivion.

If you receive an unsolicited e-mail message of an unusual nature (especially
one purporting to warn of on-line dangers) and it suggests that you forward it to
other on-line users—don’t do it! That’s another common-sense tip that would
have ended “Good Times” early on. If you receive any such unusual message,
contact your Information Security Officer before doing anything, but do so by
phone rather than by forwarding the e-mail: in many cases, the intent of the
cyber hoax is to bring down the network by the sheer volume of messages.

INFORMATION SECURITY ALWAYS MATTERS!




                                                                             pg. 5
FAX SECURITY

People don’t generally think of fax machines when they think of industrial
espionage or information warfare. Faxes are relatively low-tech. They aren’t
perceived as dangerous. They’re easy to use. But their seemingly harmless
functionality can be deceptive. These simple devices have had a dramatic impact
on how business communications are conducted.

What can you do to help with fax security?

Many common-sense fax security tips are similar to those urged for voice and
e-mail.

- Don’t send a fax containing anything that you wouldn’t want to hear on the
  evening news.
- Don’t send faxes of a personal nature on company time or using company fax
  equipment.
- Never hurry the typing in of an outgoing fax number. Go slowly and
  double-check yourself.
- Take extra care whenever you send a broadcast fax.
- Don’t let incoming faxes simply pile up and spill over. Get them properly
  distributed.
- If you’re sending information intended only for the recipient, call the recipient
  before and after sending the fax.

INFORMATION SECURITY ALWAYS MATTERS!




                                                                                 pg. 6
VOICEMAIL SECURITY

Hackers and phreakers are adept at gaining access to outside lines through
voice mail boxes, then running up costly long-distance phone bills for the
victimized organizations. Hackers, phreakers, and even drug dealers are known
to use abandoned voice mail boxes on large corporate systems to traffic in
contraband and conduct other nefarious activities. Below is a checklist to help
you in promoting voice mail security:

Checklist

- When you first receive voice mail privileges, change your password
  immediately. And, just as with your e-mail account and network access, come
  up with a password that is easy for you to remember but difficult for someone
  else to guess. Use a clever mix of letters and numbers.
- Change your password frequently, at least every 30 days. Remember that
  your voice mail account is on the front line of information security.
- Don’t share your password with anyone.
- Record a personalized greeting in your own voice.
- Delete messages after you’ve listened to them.
- Don’t leave messages that contain sensitive, confidential, or personal
  information in a voice mail box.
- Report strange or suspicious voice mail messages to your Information
  Security Officer. Don’t delete such messages—they may yield vital evidence.
- If you are aware of a still-active voice mail box for an employee who has been
  terminated or transferred, notify your information security personnel.
- Take some time to learn about the voice mail system. This knowledge will
  help you detect breaches in telecommunications security.
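As an added example, not part of the original program: an administrator-side audit that applies two rules from the checklist above, the 30-day password age and the rule that a mailbox must not stay active after its owner is terminated or transferred. The mailbox records, the HR roster and the field names are constructed sample data and assumptions, not anything from the page.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Mailbox:
    extension: str
    owner_id: Optional[str]     # HR employee id; None when no owner is on record
    password_changed: date      # last time the mailbox password was changed


# Constructed sample data (hypothetical, not from the page).
HR_ROSTER = {
    "E100": "active",
    "E101": "terminated",
    "E102": "transferred",
    "E103": "active",
}

MAILBOXES = [
    Mailbox("4401", "E100", date(2024, 5, 15)),   # healthy: active owner, fresh password
    Mailbox("4402", "E101", date(2024, 3, 15)),   # owner terminated, stale password
    Mailbox("4403", "E102", date(2024, 5, 20)),   # owner transferred
    Mailbox("4404", None,   date(2024, 1, 1)),    # nobody owns it any more
    Mailbox("4405", "E103", date(2024, 2, 1)),    # active owner, password too old
]

MAX_PASSWORD_AGE_DAYS = 30          # the checklist's "at least every 30 days"
AUDIT_DATE = date(2024, 6, 1)       # constructed "today" for the sample run


def audit_mailboxes(mailboxes, roster, today):
    """Return (extension, finding) pairs for every mailbox that breaks a rule."""
    findings = []
    for box in mailboxes:
        # A box with no owner, or an owner unknown to HR, is treated as orphaned.
        status = roster.get(box.owner_id) if box.owner_id else None
        if status is None:
            findings.append((box.extension, "no active owner on record"))
        elif status != "active":
            findings.append((box.extension, f"owner {box.owner_id} is {status}"))
        age = (today - box.password_changed).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append((box.extension, f"password is {age} days old"))
    return findings


if __name__ == "__main__":
    for extension, finding in audit_mailboxes(MAILBOXES, HR_ROSTER, AUDIT_DATE):
        print(f"mailbox {extension}: {finding}")
```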

INFORMATION SECURITY ALWAYS MATTERS!




                                                                              pg. 7
TELECOMM SECURITY

Cellular phones are the single most insecure medium over which to have a
confidential conversation. It is a fairly trivial matter (and a common one) for
hobbyists to listen in on cellular phone calls. For the middle class of organized
crime, it is a way of life. For corporate raiders and foreign spies, it is standard
operating procedure.

Here are some suggestions on how to thwart cellular eavesdroppers:

- Be careful about what kind of information you discuss over cell phones.
- Answer your cell phone by saying “hello,” instead of your full name and
  company name, to retain some anonymity.
- Remind the person at the other end of the line that cellular communications
  are very insecure.
- If you’re forced to discuss confidential or sensitive information, try to use only
  first names of key players and try to avoid naming the different corporate
  entities involved.
- Understand that when you dial into your organization’s voice mail system via
  cell phone, it is possible for an eavesdropper not only to hear your messages
  as you do, but more importantly to record and replay the exact tones of your
  voice mail password.

Even pagers are being exploited in telecommunications fraud. One scam
involves someone sending pages to get people to dial a number that results in a
billing of $25 or $30 each, like a 900 or 976 number. Many of these scams use
numbers in the 809 Caribbean area code. There is no warning prior to the
charge being assessed. This scam preys on the natural tendency of diligent and
harried workers to immediately respond to a page, thinking it’s a potential
customer. When the victim ends up reaching a weather report for the Sub-
Sahara or an X-rated chat line in Trinidad, they simply hang up thinking they
dialed the wrong number or the person paging them entered the wrong digits.

INFORMATION SECURITY ALWAYS MATTERS!




                                                                                 pg. 8
DOs AND DON’Ts OF HARDWARE AND SOFTWARE SECURITY

“Hardware” is physical equipment, including mechanical, electronic, and
magnetic components, used in data processing. “Software” refers to computer
programs, instructions, procedures, routines, and possibly associated
documentation concerned with the operation of a computer system.

- DON’T use personally owned hardware or software at the work site to
  perform work assignments and related functions.
- DO use only your company-owned hardware to perform job duties.
- DO use only your company-authorized software.
- DO comply with all license agreements.
- DON’T make unauthorized copies of software.
- DON’T use public domain software.
- DO take reasonable precautions to prevent damage to hardware and
  software from food or beverage spills.
- DO store all removable and concealable items (e.g., diskettes) under lock
  and key when not in use, where applicable.
- DON’T eat, drink, or smoke around computer equipment or software.
- DO take reasonable precautions to ensure the security of the computer when
  it is left unattended.
- DON’T pile papers, printouts, diskettes, etc. on computer equipment.
- DO protect computer equipment from environmental hazards (e.g., direct
  sunlight, heat sources, vents, open windows, or other sources of dust and
  moisture).
- DON’T make or use illegal copies of proprietary software. Know and obey
  software copyright laws and licensing restrictions.
- DO store diskettes in protective storage containers.
- DO label all diskettes.
- DON’T touch any exposed areas of the diskette or attempt to open the metal
  shield.
- DO keep diskettes away from magnets and magnetized objects, including
  power supply adapters and telephones.
- DO provide diskettes the same level of security as the data stored on
  them.
- DO use a password-protected screen saver, if possible.

INFORMATION SECURITY ALWAYS MATTERS!




                                                                          pg. 9
INFORMATION SECURITY POLICIES

A successful security program, just like the construction of a building, starts with
a strong foundation on which to build. Security policies and procedures are the
foundation on which all other security features and disciplines are built. Your
company has developed several information security policies to protect its
information assets from loss or misuse. It is your responsibility to know and
comply with the following policies:

- Information Asset Protection Policy

  The Information Asset Protection Policy is the primary information security
  policy. It states that all information is an asset of the company and will be
  protected from unauthorized access, disclosure, modification, or destruction—
  whether accidental or intentional. This policy provides the framework for
  implementing an asset protection program.

- Business Risk Assessment Policy

  This policy addresses the requirement that an annual risk assessment be
  performed on distributed systems and the applications processed on those
  systems.

- Electronic Communications Policy

  This policy covers the use of electronic communication resources, including
  connectivity to public and private networks. It also discusses the use of the
  Internet and e-mail systems.

- Privacy Policy

  All employees are expected to follow this policy. It assures customers that
  they can continue to entrust the company with their personal information.


INFORMATION SECURITY ALWAYS MATTERS!




                                                                              pg. 10
LAPTOPS AND AIR TRAVEL

There has been increased attention lately to the problems of laptop security while
traveling. With a substantial number of business travelers carrying laptops, the
airport security checkpoint has become the target for a scam aimed at separating
you from your laptop.

It involves two persons who look for a victim carrying a laptop and approaching a
metal detector. They position themselves in front of the unsuspecting passenger.
They stall until the unsuspecting passenger puts the laptop computer on the
conveyor belt. Then the first subject moves through the metal detector easily.
The second subject sets off the detector and begins the slow process of
emptying pockets, removing jewelry, etc. While this is happening, the first
subject takes the laptop as soon as it appears on the conveyor belt and moves
away quickly. When the passenger finally gets through the metal detector, the
laptop is gone. The subject that picked it up travels into the gate area and
disappears among the crowd. Sometimes even a third subject will take a handoff
from the first subject, and the computer is out of the restricted area before the
passenger even knows that it is gone.

How Do You Avoid Being a Victim?

- Don’t put your computer on the conveyor until the person in front of you has
  cleared the detector.
- Make sure the computer has disappeared into the scanner before you pass
  through the detector (otherwise someone on the outside can grab it before it
  goes through).
- Don’t carry your computer in a clearly identifiable computer carrying case.
- If you set off the detector, ask to be checked with the “wand” inside security,
  where you can watch your computer. If you go back out, the computer, which
  has already passed through the scanner, may disappear.

INFORMATION SECURITY ALWAYS MATTERS!




                                                                             pg. 11
Questions?




David Currie, CPA, CIA, CISA

 david.currie@earthlink.net




                               pg. 12

Cyber security awareness presentation nepalCyber security awareness presentation nepal
Cyber security awareness presentation nepal
 
Home and Business Computer Security 2014
Home and Business Computer Security 2014Home and Business Computer Security 2014
Home and Business Computer Security 2014
 
Keep Your Computers Safe And Secure
Keep Your Computers Safe And SecureKeep Your Computers Safe And Secure
Keep Your Computers Safe And Secure
 
cyber security presentation (1).pdf
cyber security presentation (1).pdfcyber security presentation (1).pdf
cyber security presentation (1).pdf
 
Cybersecurity Awareness E-Book - WeSecureApp
Cybersecurity Awareness E-Book - WeSecureAppCybersecurity Awareness E-Book - WeSecureApp
Cybersecurity Awareness E-Book - WeSecureApp
 
Pci compliance training agents
Pci compliance training  agentsPci compliance training  agents
Pci compliance training agents
 
Cybersecurity Awareness Month_2021_PartnerPresentation_Final.pdf
Cybersecurity Awareness Month_2021_PartnerPresentation_Final.pdfCybersecurity Awareness Month_2021_PartnerPresentation_Final.pdf
Cybersecurity Awareness Month_2021_PartnerPresentation_Final.pdf
 
Ncsam 2019-cybersecurity-awareness-trivia final-508
Ncsam 2019-cybersecurity-awareness-trivia final-508Ncsam 2019-cybersecurity-awareness-trivia final-508
Ncsam 2019-cybersecurity-awareness-trivia final-508
 
10 most important cyber security tips for your users
10 most important cyber security tips for your users10 most important cyber security tips for your users
10 most important cyber security tips for your users
 
CYBERSPACE SAFETY TIPS FOR SMEs.ppt
CYBERSPACE SAFETY TIPS FOR SMEs.pptCYBERSPACE SAFETY TIPS FOR SMEs.ppt
CYBERSPACE SAFETY TIPS FOR SMEs.ppt
 
Cyber Crime & Security.pdf
Cyber Crime & Security.pdfCyber Crime & Security.pdf
Cyber Crime & Security.pdf
 

Employee Security Awareness Program

PHYSICAL SECURITY

Physical security is an important component of the information protection
program at Your company. Below are some tips that can help you avoid
overlooking physical security.

The 10 Commandments of Physical Security

   Never walk away from your computer when you are logged onto the
    mainframe, local area network, e-mail, or an application.
   Always log out before leaving your desk even if it’s just for a minute.
   Don’t write down your password and leave it lying around your workstation.
   Adhere to a clean-desk policy. Keep your area clean and uncluttered. Clear
    off your desk at the end of every workday.
   Make time at the end of your day to secure your work area.
   Use the locks on your desk, file cabinets, and diskette storage cases.
   Don’t leave sensitive information lying around. Make sure all documents
    and diskettes are secured properly.
   Dispose of sensitive information properly. Shred sensitive documents. If
    you’re discarding or recycling diskettes, make sure that they have been
    erased, not simply re-initialized.
   Be careful not to damage diskettes or other media. Never use a ballpoint
    pen to write directly onto a labeled diskette.
   Don’t eat or drink near your computer or other electronic media. Liquids
    spilled on your PC or keyboard can cause serious damage.

INFORMATION SECURITY ALWAYS MATTERS!

                                                                           pg. 2

DON’T PLAY IN TRAFFIC ON THE INFORMATION SUPERHIGHWAY

How can you avoid getting into an accident on the Information Superhighway?
By adhering to the simple set of guidelines outlined below.

I will:

   Protect your company’s information from unauthorized access, modification,
    duplication, destruction or disclosure.
   Protect my password and not share it with anyone.
   Only transmit information that is unclassified.
   Comply with copyright and software licensing agreements.
   Report any suspicious activity or suspected compromises of your company’s
    information systems to the Information Security Officer.
   Scan files downloaded from the Internet with anti-virus scanning software.

I will not:

   Download games, viruses, unlicensed software, or offensive materials.
   Use company-provided Internet access for unauthorized activities.
   Transmit messages that adversely affect the company’s image.
   Use another person’s password to access the Internet.
   Transmit confidential information.

                                                                           pg. 3

CREATE STRONG PASSWORDS AND CHANGE FREQUENTLY

Don’t think of your password as a way to get into your computer; think of it
as a way to keep others out. Don’t think of your password as a free ticket;
think of it as an expensive, highly prized, easily pocketed item coveted by
dishonest insiders, malicious hackers, and unethical competitors alike.

Your password should be a mix of letters and numbers, and you should change
it frequently. Here are some hints for creating strong passwords:

Technique                                          Words                          Password
String several words together, adding numbers      I LOVE YOU                     ILOVE44U
Repeat words and add numbers                       BAT                            BAT22BAT
Spell a word phonetically                          Telephone                      TELEFON6
Combine personal facts                             Age + Favorite Color           29YELLOW
Substitute an I or O with a 1 (one) or 0 (zero)    Noisy Kid                      N01SYK1D
Use an acronym from an easy-to-remember phrase     A Stitch in Time Saves Nine    ASITS9

Never use a password that you have read on a password protection checklist
like this one. Follow the techniques suggested, but don’t use the examples
given.

                                                                           pg. 4

CYBERHOAXES

“Good Times” is perhaps the most infamous virus hoax. It claimed that “the
Federal Communications Commission had discovered a virus that would destroy
your computer’s processor by setting it into an nth complexity infinite loop.”
It was a source of aggravation and confusion for months. At the height of the
hysteria, “Good Times” e-mail messages brought down one major corporation’s
whole network of networks.

What you can do about cyber hoaxes

Being a good “On-line User” means taking both individual and collective
responsibility for what happens on-line. Some cyber hoaxes and urban legends
may appear amusing, but the dangers are real.

If you receive an e-mail message warning you about some imminent danger or
spreading some outlandish tale not reflected in the mainstream media, don’t
act without thinking first. Ask yourself, “Is the content of this message
plausible?” “Is the alleged source of this message plausible?” If the
countless users who unwittingly spread the “Good Times” message around the
globe had taken a moment to ask themselves when was the last time they
received an e-mail message of any kind from the FCC, the resounding answer
would have been “never” and the hoax would have sunk into oblivion.

If you receive an unsolicited e-mail message of an unusual nature (especially
one purporting to warn of on-line dangers) and it suggests that you forward it
to other on-line users, don’t do it! That’s another common sense tip that
would have ended “Good Times” early on.

If you receive any such unusual messages, you should contact your Information
Security Officer before doing anything. But you might just call on the phone
instead of simply forwarding the e-mail; in many cases, the intent of the
cyber hoax is to bring down the network by the sheer volume of messages.

                                                                           pg. 5

FAX SECURITY

People don’t generally think of fax machines when they think of industrial
espionage or information warfare. Faxes are relatively low-tech. They aren’t
perceived as dangerous. They’re easy to use. But their seemingly harmless
functionality can be deceptive. These simple devices have had a dramatic
impact on how business communications are conducted.

What can you do to help with fax security

Many common sense fax security tips are similar to those urged for voice and
e-mail.

   Don’t send a fax containing anything that you wouldn’t want to hear on the
    evening news.
   Don’t send faxes of a personal nature on company time or using company fax
    equipment.
   Never hurry the typing in of an outgoing fax number. Go slow and
    double-check yourself.
   Take extra care whenever you send a broadcast fax.
   Don’t let incoming faxes simply pile up and spill over. Get them properly
    distributed.
   If you’re sending information intended only for the recipient, call the
    recipient before and after sending the fax.

                                                                           pg. 6

VOICEMAIL SECURITY

Hackers and phreakers are adept at gaining access to outside lines through
voice mail boxes, then running up costly long-distance phone bills for the
victimized organizations. Hackers, phreakers, and even drug dealers are known
to use abandoned voice mail boxes on large corporate systems to traffic in
contraband and conduct other nefarious activities. Below is a checklist to
help you in promoting voice mail security:

Checklist

   When you first receive voice mail privileges, change your password
    immediately. And, just as with your e-mail account and network access,
    come up with a password that is easy for you to remember but difficult
    for someone else to guess. Use a clever mix of letters and numbers.
   Change your password frequently, at least every 30 days. Remember that
    your voice mail account is on the front line of information security.
   Don’t share your password with anyone.
   Record a personalized greeting in your own voice.
   Delete messages after you’ve listened to them.
   Don’t leave messages that contain sensitive, confidential, or personal
    information in a voice mail box.
   Report strange or suspicious voice mail messages to your Information
    Security Officer. Don’t delete such messages; they may yield vital
    evidence.
   If you are aware of a still active voice mail box for an employee that has
    been terminated or transferred, notify your information security
    personnel.
   Take some time to learn about the voice mail system. This knowledge will
    help you detect breaches in telecommunications security.

                                                                           pg. 7

TELECOMM SECURITY

Cellular phones are the single most insecure medium over which to have a
confidential conversation. It is a fairly trivial matter (and a common one)
for hobbyists to listen in on cellular phone calls. For the middle class of
organized crime, it is a way of life. For corporate raiders and foreign spies,
it is standard operating procedure. Here are some suggestions on how to thwart
cellular eavesdroppers:

   Be careful about what kind of information you discuss over cell phones.
   Answer your cell phone by saying “hello,” instead of your full name and
    company name, to reclaim some anonymity.
   Remind the person at the other end of the line that cellular
    communications are very insecure.
   If you’re forced to discuss confidential or sensitive information, try to
    use only first names of key players and try to avoid naming the different
    corporate entities involved.
   Understand that when you dial into your organization’s voice mail system
    via cell phone, it is possible for an eavesdropper not only to hear your
    messages as you do, but more importantly to record and be able to replay
    the exact tones of your voice mail password.

Even pagers are being exploited in telecommunications fraud. One scam involves
someone sending pages to get people to dial a number that results in a billing
of $25 or $30 each, like a 900 or 976 number. Many of these scams use numbers
in the 809 Caribbean area code. There is no warning prior to the charge being
assessed. This scam preys on the natural tendency of diligent and harried
workers to immediately respond to a page, thinking it’s a potential customer.
When the victim ends up reaching a weather report for the Sub-Sahara or an
X-rated chat line in Trinidad, they simply hang up thinking they dialed the
wrong number or the person paging them entered the wrong digits.

                                                                           pg. 8

DOs AND DON’Ts OF HARDWARE AND SOFTWARE SECURITY

“Hardware” is physical equipment, including mechanical, electronic, and
magnetic components, used in data processing. “Software” refers to computer
programs, instructions, procedures, routines, and possibly associated
documentation concerned with the operation of a computer system.

   DON’T use personally owned hardware or software at the work site to
    perform work assignments and related functions.
   DO use only your company-owned hardware to perform job duties.
   DO use only your company authorized software.
   DO comply with all license agreements.
   DON’T make unauthorized copies of software.
   DON’T use public domain software.
   DO take reasonable precautions to prevent damage to hardware and software
    from food or beverage spills.
   DO store all removable and concealable items (e.g., diskettes) under lock
    and key when not in use, if applicable.
   DON’T eat, drink, or smoke around computer equipment or software.
   DO take reasonable precautions to ensure the security of the computer when
    left unattended.
   DON’T pile papers, printouts, diskettes, etc. on computer equipment.
   DO protect computer equipment from environmental hazards (i.e., direct
    sunlight, heat sources, vents, open windows, or other sources of dust and
    moisture).
   DON’T make or use illegal copies of proprietary software. Know and obey
    software copyright laws and licensing restrictions.
   DO store diskettes in protective storage containers.
   DO label all diskettes.
   DON’T touch any exposed areas of the diskette or attempt to open the metal
    shield.
   DO keep diskettes away from magnets and magnetized objects, including
    power supply adapters and telephones.
   DO provide the diskettes the same level of security as the data stored on
    them.
   DO use a password-protected screen-saver, if possible.

                                                                           pg. 9

INFORMATION SECURITY POLICIES

A successful security program, just like the construction of a building,
starts with a strong foundation on which to build. Security policies and
procedures are the foundation on which all other security features or
disciplines are built. Your company has developed several information
security policies to protect its information assets from loss or misuse. It is
your responsibility to know and comply with the following policies:

   Information Asset Protection Policy
    The Information Asset Protection Policy is the primary information
    security policy. It states that all information is an asset of the
    company and will be protected from unauthorized access, disclosure,
    modification, or destruction, whether accidental or intentional. This
    policy provides the framework for implementing an asset protection
    program.
   Business Risk Assessment Policy
    This policy addresses the requirement that an annual risk assessment be
    performed on distributed systems and the applications processed on those
    systems.
   Electronic Communications Policy
    This policy covers the use of Electronic Communication resources,
    including connectivity to public and private networks. It also discusses
    the use of the Internet and e-mail systems.
   Privacy Policy
    All employees are expected to follow this policy. It assures customers
    that they can continue to entrust the company with customer personal
    information.

                                                                           pg. 10

LAPTOPS AND AIR TRAVEL

There has been increased attention lately to the problems of laptop security
while traveling. With a substantial number of business travelers carrying
laptops, the airport security checkpoint has become the target for a scam
aimed at separating you from your laptop.

It involves two persons who look for a victim carrying a laptop and
approaching a metal detector. They position themselves in front of the
unsuspecting passenger. They stall until the unsuspecting passenger puts the
laptop computer on the conveyor belt. Then the first subject moves through the
metal detector easily. The second subject sets off the detector and begins the
slow process of emptying pockets, removing jewelry, etc. While this is
happening, the first subject takes the laptop as soon as it appears on the
conveyor belt and moves away quickly. When the passenger finally gets through
the metal detector, the laptop is gone. The subject that picked it up travels
into the gate area and disappears among the crowd. Sometimes even a third
subject will take a hand-off from the first subject, and the computer is out
of the restricted area before the passenger even knows that it is gone.

How Do You Avoid Being a Victim?

   Don’t put your computer on the conveyor until the person in front of you
    has cleared the detector.
   Make sure the computer has disappeared into the scanner before you pass
    through the detector (otherwise someone on the outside can grab it before
    it goes through).
   Don’t carry your computer in a clearly identifiable computer carrying
    case.
   If you set off the detector, ask to be checked with the “wand” inside
    security where you can watch your computer. If you go back out, the
    computer, which has already passed through the scanner, may disappear.

                                                                           pg. 11

QUESTIONS?

David Currie, CPA, CIA, CISA
david.currie@earthlink.net

                                                                           pg. 12
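The "Create Strong Passwords and Change Frequently" slide gives two checkable rules (mix letters and numbers; never reuse a password printed on a checklist) and a "change it frequently" expectation. The following Python is an added example, not part of the original awareness document, that turns those rules into a small policy check. The set of checklist examples is constructed from the slide's own table; the minimum length of 8 is an assumption (the slide sets no length), and the 30-day change interval is borrowed from the voice mail slide's "at least every 30 days". Note that the check also undoes the slide's own 1-for-I and 0-for-O trick before comparing, so that "noisykid" or "TELEF0N6" are still recognized as published examples.

```python
"""Password hygiene checks following the "Create Strong Passwords" slide.

Added example, not part of the original awareness document. Assumptions
(minimum length, change interval) are marked in the comments below.
"""
import re
from datetime import date

# Constructed from the slide's own table. The slide says never to use a
# password you have read on a checklist like this one, so these are rejected.
CHECKLIST_EXAMPLES = {"ILOVE44U", "BAT22BAT", "TELEFON6",
                      "29YELLOW", "N01SYK1D", "ASITS9"}

MIN_LENGTH = 8       # assumption: the slide sets no length; 8 is a common floor
MAX_AGE_DAYS = 30    # taken from the voice mail slide's "at least every 30 days"

# Undo the slide's 1-for-I and 0-for-O substitution so that trivial variants
# of a published example (noisykid, N0ISYKID, TELEF0N6, ...) are still caught.
_UNLEET = str.maketrans({"1": "I", "0": "O"})


def normalize(password: str) -> str:
    """Canonical form used only for comparing against published examples."""
    return password.upper().translate(_UNLEET)


def check_password(candidate: str,
                   checklist=CHECKLIST_EXAMPLES,
                   min_length: int = MIN_LENGTH) -> list[str]:
    """Return the rules the candidate breaks; an empty list means acceptable."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # The slide's core composition rule: a mix of letters and numbers.
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"[0-9]", candidate)):
        problems.append("must mix letters and numbers")
    # Compare on the normalized form so case and 1/0 variants do not slip through.
    published = {normalize(p) for p in checklist}
    if normalize(candidate) in published:
        problems.append("appears on a published password checklist")
    return problems


def is_acceptable(candidate: str) -> bool:
    """Convenience wrapper: True when no rule is broken."""
    return not check_password(candidate)


def password_expired(last_changed: date, today: date,
                     max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when the password is older than the change interval."""
    return (today - last_changed).days > max_age_days


if __name__ == "__main__":
    for pw in ["ILOVE44U", "n0isyk1d", "noisykid", "short1", "Gr8Apples2Day"]:
        print(f"{pw!r}: {check_password(pw) or 'ok'}")
    print("expired:", password_expired(date(2024, 1, 1), date(2024, 2, 15)))
```

A practitioner deploying this today would add a screen against a list of known-compromised passwords alongside the slide's composition rule, since a password can satisfy "letters and numbers" and still be one that attackers try first.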