1 / 24

Comprehensive Employee Training for Data Security Awareness

This training covers risks associated with technology, data security practices, social engineering, and device protocols to safeguard sensitive information. It includes sessions on handling NPI, preventing pretexting, securing external personnel interactions, and ensuring secure use of devices and passwords.

demi
Télécharger la présentation

Comprehensive Employee Training for Data Security Awareness

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Employee Training Presented By:

  2. Paper • Technology has not eliminated this risks • Dumpster divers • Mobile phones with cameras • Opportunist • Expectations • Use appropriate shred bins • Secure and empty personal bins daily • Remove paper from printers/faxes/common areas as quickly as possible • Clean desk: • Keep NPI out of site from public

  3. Verbal Communication • Discussions containing NPI should be conducted in appropriate locations at appropriate volume • Follow documented steps for authenticating users over phone • What info can be communicated • What is verification process • What to do if call is suspicious

  4. Pretexting/Social Engineering • Illegally gain access to customer information • Methods: • Impersonating • A customer • Another official within your institution • Another institution • Government regulatory agency • Law enforcement • Red Flag (ID Theft) Rules

  5. Pretext Continued • Indicators: • Requesting address change • Missing information • Calls placed from numbers different than those listed on account • Callers reluctant or refuse to give a call-back number • Odd request • Aggressive callers • Talkative callers • Absentminded callers

  6. External Personnel • IT, HVAC, Printers, Plumbing, etc. • Verify • Log (have IT committee review) • Escort/Accompany

  7. Desk • Public accessible areas • Monitor placement • Clean desk • Lock drawers • Remove keys • Hide passwords • Lower level offices • Blinds • Monitor placement

  8. Devices • Work purpose only • Employee only • No friends or family • No removable drives (USB drives) • Unless prior approval • Follow appropriate encryption policies • Follow proper use policy - do not install any software (or hardware) without prior approval • Includes iPods, MP3 players, etc. • iTunes, WeatherBug, etc.

  9. Mobile Devices • Mobile Policy Review • Must sign before using • Devices must be password protected • Devices must support and use idle time lockout • Must report lost/stolen devices immediately • Tracking capability • Remote wipe capability • Encrypted storage

  10. Laptops • Laptops removed from office • Work purposes only • No personal Internet browsing • Web browsing is primary way for device to be compromised • No one else allowed to use (friends/family) • Do not leave in car • Do not check at airport • Do not store passwords with device • Encrypted storage

  11. Email • Follow (manual and automatic) encryption practices if message contains NPI • Attachments - Receiving • Never open from unknown source • Never open from known source but in unsolicited email • Attachments - Sending • Do not use for personal use • Do not forward jokes, chain letters, etc. • Links • Never open from unknown source • Never open if unexpected from known source • Familiarize yourself with common phishing attacks

  12. Social Media • Do not access social media at work • Unless authorized to manage institution’s social media sites • Do not post information about financial institution on social media unless preapproved • Be careful of what information you share • Check security settings under “Settings” or “Options” menus to limit access to personal information

  13. Passwords • Passwords key to security success • Weak or shared passwords open up vulnerabilities • Grant access to computers and programs • Can not be shared, written down, sitting out

  14. Poor Passwords • Contain less than 8 characters • Word found in the dictionary • Names of pets, family, friends, characters • Birthdays or other personal dates • Phone numbers • Addresses • Any of the above spelled backwards or preceded/followed by a digit

  15. Good Passwords • Contain upper and lower case character • Contain digits and punctuation characters • Have no personal information (family/pets/etc) • Should change on regular basis (e.g. 60 days) • Not be a word, slang, or jargon

  16. Other Considerations • Do not use same password for personal and business applications • When possible do not use the same password for multiple sites, applications, programs, etc. • Do not share with secretary, family members, friends

  17. Password Don’ts • Don't reveal a password over the phone to ANYONE • Don't reveal a password in an email message • Don't reveal a password to the boss • Don't talk about a password in front of others • Don't hint at the format of a password (e.g. "my family name") • Don't reveal a password on questionnaires or security forms • Don't share a password with family members • Don't reveal a password to co-workers while on vacation

  18. Passphrases • Consider using passphrases • Good because contain several words with usually a high number of characters, upper/lower case and punctuation. • Sample passphrase • "TheTrafficOnThe101InTheMorningIsBad!" • “I’mAlwaysLateToWork!”

  19. Letter Substitution • Another good option is letter substitution

  20. Letter Substitution • JohnySmith = J()hny$m!+h • Combine a passphrase with letter substitution for a really strong password • ILoveMyBoss becomes !10v3MyB()$$ • Which do you think is harder to break?

  21. Password Safe • Consider a password management program • Find one that encrypts passwords and is trusted • One free program is Password Safe • http://passwordsafe.sourceforge.net/

  22. Incident Response Steps • Detail steps • Detail personnel in steps • Review centralized place where all appropriate documentation is maintained

  23. More Resources • Phishing: • http://www.occ.gov/topics/consumer-protection/fraud-resources/internet-pirates.html • Info Security Video: • http://www.ftc.gov/bcp/edu/multimedia/interactive/infosecurity/index.html

  24. Questions

More Related