Security Awareness Training

Presentation Transcript


    1. Security Awareness Training COVER PAGE: Change to suit your needs.

    2. You are Here! Laws & Regulations The Organization & IT Security System Interconnection & Information Sharing Sensitivity Risk Management Management Controls Acquisition/Development/Installation/Implementation Controls Operational Controls Technical Controls

    3. Why You Are Here Matrix: 1a This slide lets staff know why they are attending a security awareness training. It also reminds them of the organization's existing policies. For example, HIPAA requires security awareness training. For example, the State Administrative Manual (SAM) requires training for staff with respect to individual, agency and statewide security responsibilities and policies. [SAM 4842.2] Concepts covered should include: specific laws, policies or procedures that may affect your institution; an introduction to the concept that an employee has a responsibility in protecting assets within the entity.

    4. Privacy Policy Review You Must Protect Information Your Responsibilities 1. You must keep information confidential. No gossiping. 2. You must report misuses you see. 3. You have reporting options. Know who to report to. Matrix: 1b, 1g(3-4) REVIEW OF PRIVACY POLICY - OPTIONAL Along with your specific Security policies and procedures, this is an opportunity to remind staff that the Privacy Policies dovetail with Security. You Must Protect Information: Be conscious of what information our department has, be aware of how you use the information, know beyond a reasonable doubt that you have not compromised the Entity's electronic security measures, report privacy/security breaches, fix systemic security problems quickly, and promote best practices within departments. Your Responsibility: 1. If you find yourself in a position where you are exposed to or working with health information specific to an individual, or similar confidential or restricted information, you must keep it confidential. Remember not to gossip. 2. If you see this kind of information being disclosed or used improperly, you must report it. 3. In reporting you have several options. You may report to: your supervisor; your department Privacy Liaison; the Entity Privacy & Security Officer; the Entity Privacy & Security Appeals Officer; and lastly, the U.S. Department of Health and Human Services. Reporting will be kept confidential.

    5. Privileges & Responsibilities You are responsible for complying with Entity policies and State and Federal law. Other Programs' policies: if they apply, you will be responsible for them. So, read all policies! Matrix: 1b, 1g(3-4) This slide reminds staff that other policy, procedures or law could be more stringent and may affect their department or program differently. Remind staff to read all policies that apply to them and their job. They are responsible for complying with the department/program policy. You are responsible for complying with Entity policies and State and Federal law when using Entity resources. Some Departments, Divisions, or Programs have their own policies; if they apply to your job function, you will be responsible for them, so be sure to read all policies!

    6. Matrix 1b During a typical day you may become aware of an attempt to breach an area of security. SECURITY AWARENESS IS: Knowing what to do if you feel someone is attempting to: - wrongfully take property or information (Trainers: ask for possible examples) (e.g. stealing a laptop) - obtain personal information about our staff, clients, or vendors (Trainers: ask for possible examples) (e.g. unauthorized sharing of client information) - use our resources for illegal or unethical purposes (Trainers: ask for possible examples) (e.g. surfing inappropriate web sites at work) Last month the number one visited web site here was _________. (Trainers: check with the IT department to get this information and use it as a tidbit to gain interest from staff)

    7. Remember the Awareness Mindset Understand there is the possibility that some people will deliberately or accidentally attempt to steal, damage or misuse the data in my computer system(s). Therefore, I will do what I can to keep that from happening. Matrix: 1b, 2e, 3c and 9d This is a reminder of personal responsibility for security. This is the mindset you want the staff to take away from the training.

    8. Where Do Intruders Come From? Who are these threat agents? Teenage pranksters Hacker junkies Disgruntled employees Terrorists (disruption of services) Criminals (selling information) Foreign intelligence agents Matrix: 1c(1), 1d, 5a(1) and 5c(1) INTRODUCTION TO THREAT AGENTS AND HOW THEY COULD AFFECT YOUR ENTITY Anywhere, at any time, intruders can attack, often hiding their identity. Ironically, the Internet, which was originally designed to promote unrestricted sharing of academic information, has become a global communications system where sensitive data is potentially available to anyone with a connection. SHOULD INCORPORATE ANY THREATS YOU WANT STAFF TO BE AWARE OF. DESCRIBE EACH AND HOW THEY COULD AFFECT YOUR NETWORK.

    9. Laws Health Insurance Portability and Accountability Act (HIPAA) California Public Records Act Freedom of Information Act Other relevant laws? Matrix: 1e, 1f Yes, laws even have a place in IT Security. The information stored, created and transmitted in IT systems is protected by many laws: The California Public Records Act (PRA) is the State equivalent of the Federal Freedom of Information Act (FOIA). It regulates access by the public to public records held by government agencies, including records containing medical information protected under HIPAA. The PRA applies to all State and local government agencies, offices, officers, departments, divisions, bureaus, boards, and commissions. (Gov. Code 6252(a), (b).) The FOIA applies only to federal agencies and does not create a right of access to records held by Congress, the courts, or by state or local government agencies. Each State has its own public access laws that should be consulted for access to state and local records.

    10. What the Client Expects Matrix: 1f(2) Protect their personal health information just as you would want your personal information protected. This means: Don't discuss their information within earshot of others who do not have a need to know. Lock and protect hard copies/paper. Use passwords and physical security for personal information stored on computers and in databases. Not only is it good practice to do these things, but HIPAA requires that protected health information be safeguarded.

    11. Don't copy that floppy (or MP3 file)! Don't download from unauthorized sites! Kazaa, WebShots, WebRadio Business Software Alliance Matrix: 1g(1), 5b, 6d(1) and 9d The topic moves from what is being pushed at staff to what staff could inadvertently do by not following internal policy and copyright laws. This is a good place to illustrate why it is against your policy to allow copying MP3s or using Kazaa at work, if that is your policy. Kazaa: 45% of all downloads have malicious code. WebShots and WebRadio (streaming audio and video) use lots of bandwidth resources. OPTIONAL DISCUSSION: Business Software Alliance - A REPORTING AGENCY FOR SOFTWARE PIRACY (http://www.bsa.org/usa/index.cfm) The Business Software Alliance promotes global policies that foster innovation, growth and a competitive marketplace for commercial software and related technologies. Strong copyright protections, cyber security and barrier-free trade are crucial to achieving these goals.

    12. Matrix: 1b, 1g(2) and 3d Insert your network policy on this slide. Listed on the slide are examples of different areas you may want to cover in your network policy. OPTIONAL: USE A BULLET POINT FOR SPECIFIC POINTS AND GIVE THE AUDIENCE A COPY OF THE ENTIRE POLICY. YOU MAY NEED MORE THAN ONE SLIDE TO COVER ALL YOUR POLICIES.

    13. Selecting Security Controls HIPAA requirements (laws & regulations) influence what security controls we put in place. An Entity balances its business processes with the potential liability if there is a breach of EPHI. Matrix: 1g(6) BALANCING CONTROLS An Entity balances its business processes with the potential liability if there is a breach of EPHI. This involves examining business processes for: the EPHI that may be breached; the risk that a breach can occur; and how many people may be affected by the breach, which may require mitigation [to name a few]. If an Entity reviews and understands applicable laws, has those laws covered in its mission statement and develops policies to support its mission statement and those laws, then it can begin to demonstrate due diligence.

    14. You are Here! Laws & Regulations The Organization & IT Security System Interconnection & Information Sharing Sensitivity Risk Management Management Controls Acquisition/Development/Installation/Implementation Controls Operational Controls Technical Controls

    15. The Role of IT Security Within the Organization Entity Mission How IT supports that Mission IT systems that are a must to successfully achieve our mission Matrix: 2a-c Discuss Security's role and how the Department mission, policies and procedures dovetail to protect information. Discuss your organization's mission and how it relates to your security policies. If security policies are not followed and there is a breach, how does that affect your mission?

    16. Single registration of software and electronic notice to the manufacturer. Entity Property Computer Internet Connection Illegal Software Matrix: 2e and 6d(2.e) Introduce system audit logs from system software for network audits. Let staff know their activity is being monitored. At Work: It happens more often than you might think, through honest employees, routine software audits, technology support professionals, network administrators, software publishers and piracy watchdog groups. Some software automatically sends a message back to the manufacturer to ensure it is registered only once. Your computer is Entity property. So too is your connection to the Internet via the network. The Entity is committed to ensuring that our systems are running legally licensed software and that our network is not supporting software piracy in any form. If you run illegal software on Entity equipment you are in violation of Entity Policy.

    17. Should You Open the E-mail Attachment? If it's suspicious, don't open it! What is suspicious? Not work-related. Attachments not expected. Attachments with a suspicious file extension (*.exe, *.vbs, *.bin, *.com, or *.pif). Web link. Unusual topic lines: Your car? Oh! Nice Pic! Family Update! Very Funny! Matrix: 2e, 3f and 9d Discuss e-mail safety to prevent accidental introduction of malicious code/viruses. What is suspicious? E-mail that is not work-related. Attachments you were not expecting. Attachments with a suspicious file extension (*.exe, *.vbs, *.bin, *.com, or *.pif). Note that Windows hides known file extensions by default, so an attachment named "photo.jpg.exe" can display as "photo.jpg"; check the real file type before opening. A message that directs you to click on a web link. E-mail with unusual topic lines: Your car? Oh! Nice Pic! Family Update! Very Funny! E-mail from someone you do not know.
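The "what is suspicious?" rules above, applied by code. This is an added example written for this page, not material from the original deck or its authors: a small mail-gateway style triage that parses a raw e-mail message and flags the warning signs the slide lists (unknown sender, lure subject line, unexpected attachment, risky or double file extension, a body that pushes a web link). The extension lists extend the slide's five with a few common Windows script types, the "trusted sender" test is a simple domain-substring match, and every address, domain and sample message is constructed for the example.

```python
"""Attachment triage (added example, not from the original deck).
Applies the slide's "what is suspicious?" rules to a raw e-mail message.
Extension lists, lure subjects and sample messages are constructed here."""
import email
import re
from email import policy

# Extensions the slide names, plus common Windows script types (assumption).
RISKY_EXTENSIONS = {"exe", "vbs", "bin", "com", "pif", "scr", "bat", "cmd", "js"}
# Harmless-looking inner extensions used to disguise a payload, e.g. pic.jpg.exe.
DISGUISE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "txt"}
# Subject-line lures quoted on the slide (compared case-insensitively).
LURE_SUBJECTS = {"your car?", "oh! nice pic!", "family update!", "very funny!"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def attachment_findings(filename: str) -> list[str]:
    """Reasons a single attachment name looks dangerous (empty list if none)."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return []
    ext, findings = parts[-1], []
    if ext in RISKY_EXTENSIONS:
        findings.append(f"risky extension .{ext}")
        if len(parts) >= 3 and parts[-2] in DISGUISE_EXTENSIONS:
            findings.append(f"double extension disguises .{ext} as .{parts[-2]}")
    return findings


def triage_message(raw: str, trusted_senders: set[str],
                   expected_attachments: bool = False) -> list[str]:
    """Parse one RFC 822 message and return every warning the slide's rules raise.
    trusted_senders: substrings (e.g. your own domain) that mark a known sender."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings: list[str] = []
    sender = str(msg.get("From", "")).lower()
    if not any(t in sender for t in trusted_senders):
        warnings.append(f"sender not recognised: {sender}")
    subject = str(msg.get("Subject", "")).strip().lower()
    if subject in LURE_SUBJECTS:
        warnings.append(f"lure subject line: {subject!r}")
    body_text, attachments = "", []
    for part in msg.walk():  # visits every MIME part, the multipart container included
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            body_text += part.get_content()
    if attachments and not expected_attachments:
        warnings.append("attachment(s) you were not expecting: " + ", ".join(attachments))
    for name in attachments:
        warnings.extend(f"{name}: {reason}" for reason in attachment_findings(name))
    if URL_RE.search(body_text):
        warnings.append("message directs you to click a web link")
    return warnings


def should_open(raw: str, trusted_senders: set[str],
                expected_attachments: bool = False) -> bool:
    """The slide's rule of thumb: if anything is suspicious, don't open it."""
    return not triage_message(raw, trusted_senders, expected_attachments)


# Constructed sample messages; every address and domain below is hypothetical.
SUSPICIOUS_RAW = """\
From: "Friend" <friend@example.net>
Subject: Oh! Nice Pic!
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Check this out: http://example.net/pic
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="vacation.jpg.exe"

TVqQAAMAAAAEAAAA
--b1--
"""

CLEAN_RAW = """\
From: IT Help Desk <helpdesk@entity.example>
Subject: Q3 budget workbook
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Attached as discussed in this morning's meeting.
--b2
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="budget.xlsx"

UEsDBBQACAgIAA==
--b2--
"""
```

Calling `triage_message(SUSPICIOUS_RAW, {"entity.example"})` returns six warnings, one per rule the sample trips, and `should_open(CLEAN_RAW, {"entity.example"}, expected_attachments=True)` returns True; the same clean message with `expected_attachments` left False is still flagged, because an attachment nobody asked for is suspicious on its own under the slide's rules. A real gateway would add content-type sniffing (the declared type and the bytes should agree) and a reputation lookup for the link, but the structure is the same.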

    18. Web Surfing Active content and viruses or other malicious software Security risks in the PC and Mac versions of Internet Explorer and Netscape browsers Entity presets your security. Matrix: 2e and 9d CONTINUATION OF INTERNET SECURITY. Web surfing may feel both safe and anonymous. It's not! Active content, such as ActiveX controls and Java applets, creates the possibility that Web browsing will introduce viruses or other malicious software into the user's system. There are a variety of security risks in the PC and Mac versions of Internet Explorer and Netscape browsers that involve the JavaScript, Java and ActiveX subsystems. At work: Entity presets your security. TELL THEM WHAT PRESETS YOU HAVE PUT IN PLACE. CHECK WITH THE IT DEPARTMENT FOR WHAT THEY ARE. OPTIONAL AT-HOME SECURITY DISCUSSION At home: These risks can be greatly reduced by turning off those features and by setting your browser's security so that web sites cannot access your hardware or software.

    19. Visiting Internet Sites Be careful about providing personal, sensitive information to an internet site. Be aware that you can get viruses from Instant Messenger-type services. Entity Policy on Instant Messenger Matrix: 2e and 9d INTRODUCTION TO HEADS-UP COMPUTING This slide is a security reminder of things to be aware of when visiting Internet sites. Instant Messaging (IM) clients use peer-to-peer (P2P) connections designed to get around the firewall, which compromises security. Be careful about providing personal, sensitive information to an internet site. Find out what the organization's security and privacy policies are; it could be collecting your information and sharing or selling it to other sources. Be aware that you can get viruses from Instant Messenger-type services. Insert your entity's policy on Instant Messaging.

    20. Organizational vs. System Level IT Security Programs Organizational level IT security programs apply to the whole organization System level IT security programs are tailored to sections of the organization Matrix: 2f INTRODUCTION TO SECURITY LEVELS AND RESPONSIBILITIES Organizational level IT security programs are applied to the organization as a whole (e.g. Outlook, key lock cards, passwords, time-outs on all PCs, etc.). System level IT security programs are more detailed and specific, and are tailored to sections of the organization (e.g. one branch or unit being supported on a single server with heightened security due to the presence of HIV data). For example, only selected log-ons may have access to a particular system. Security Levels Illustrated: An Entity's outermost firewall is organizational vs. additional system firewalls around claims processing or HIV clients.

    21. On the Wire Universal Access Estimated 500 million people with Internet access All of them can communicate with your connected computer Any of them can rattle the door to your computer to see if it's locked Matrix: 2g, 5d-e and 9d Transitional Slide TRANSITION TO PASSWORD TRAINING There are an estimated 500 million people with Internet access (up from 304 million in May 2004). All 500 million of them can communicate with your connected computer. Any of the 500 million can rattle the door to your computer to see if it's locked. Trainer: Check with IT staff to see if the numbers are up to date.

    22. Opportunities for Abuse To break into a safe, the safe cracker needs to know something about safes To break into your computer, the computer cracker only needs to know where to download a program Identity Theft is the fastest growing crime in the U.S. Matrix: 2g, 9c HACKERS ARE INCREASING. IT SECURITY REQUIREMENTS NEED TO INCREASE. To break into a safe, the safe cracker needs to know something about safes. To break into your computer, the computer cracker only needs to know where to download a program written by someone else who knows something about computers. Identity Theft is the fastest growing crime in the U.S.; it accounts for more than 750,000 victims a year, and losses have exceeded 2 billion dollars.

    23. System Ownership vs. Information Ownership System ownership rests with IT staff, IT managers and executive staff Information ownership rests in the program area Matrix: 2h-i System ownership rests not only with the Entity, but also with IT staff, IT managers and executive staff. IT staff research various system applications/equipment and present to management, who present to executives. Executives decide what the level of investment will be. IT staff maintain those applications and equipment. Information ownership rests in the program area, with all staff and managers who gather and act on that client/program information. For example, as program staff, I enter information about a client. I own responsibility for entering the information correctly and protecting any hard copy. The system that I enter that information into is maintained and protected by IT staff.

    24. Who you gonna call? Matrix: 2j and 5c(1) IDENTIFY SECURITY CONTACTS Your IT security program needs to have a high profile! Let everyone know where IT rests in your organizational structure. Provide a clear listing of who to contact for certain types of IT problems. Don't hide your system level staff in a closet! Just because the system works seamlessly behind the scenes doesn't mean the IT staff are ghosts. Suggested contacts: Help Desk, Whistleblower Hotline, Security and/or Privacy Official.

    25. You are Here! Laws & Regulations The Organization & IT Security System Interconnection & Information Sharing Sensitivity Risk Management Management Controls Acquisition/Development/Installation/Implementation Controls Operational Controls Technical Controls

    26. How easy is it to hack? Fact: Hackers post 30-40 new tools to the Internet every month Anyone can search the Internet, find exploit tools, and then "point and click" to start to hack. REMINDER: Any hacking, be it for fun or to see how it's done, is against the law & Entity Policy. The Entity does not have to defend you. Matrix: 3a POINTS OUT HOW EASY IT IS TO GET AND USE HACKER TOOLS. ALSO POINTS OUT THAT POINT-AND-CLICK HACKER TOOLS ARE UNSOPHISTICATED. Fact: Hackers post 30-40 new tools to Internet hacking sites every month, according to NIST (National Institute of Standards and Technology). Even an unsophisticated hacker can search the Internet, find and download exploit tools, and then "point and click" to start a hack. REMINDER: Hacking for fun or to see how it's done is against the law & Entity Policy. The Entity has no obligation to defend you under such circumstances. THE REMINDER IS OPTIONAL, DEPENDING ON YOUR POLICY AND YOUR COUNSEL'S OPINION.

    27. Warfare Capability Matrix: 3a, 5a(1) and 5c CONCEPT OF OPEN NETWORK IN RELATION TO THREATS Cyber-terrorists spread their views through spam and web defacements. They also target critical infrastructure (e.g. the financial, transportation, energy, or communications industries) to cause an economic or other critical impact. Open networks make it easy to do business internally, but this also means anyone who gains access to a system can damage it or the data housed in it.

    28. Matrix: 3a and 9c INTRODUCTION TO SOCIAL ENGINEERING. Trainer: Perhaps include a picture of people in your department with a person who is familiar to everyone in the audience. You cannot spot a social engineer just by looking at them, and it could be anyone. A social engineer is a person who will deceive or con others into divulging information that they wouldn't normally share. This picture includes: Will Padilla, Norma Springsteen, Linda Caruso, Sabrina Ledesma, Pam Miramontes, David Nelson, Dave Edwards. When taken, all were Yolo County employees.

    29. Matrix: 3a and 9c The slide continues to discuss social engineering. Social engineers prey on the best qualities of human nature: the desire to be helpful, the tendency to trust people, the fear of getting into trouble. A truly successful social engineer receives information entirely without raising any suspicion as to what they are doing.

    30. Matrix: 3a and 9c INSERT EXAMPLES IF APPROPRIATE Impersonation - Case studies indicate that Help Desks are the most frequent targets of social engineering attacks. Important user - A common ploy is to pretend to be not only an employee, but a high-ranking employee. Third-party authorization - A social engineer may have obtained the name of someone in the organization who has the authority to grant access to information. Tech support - The social engineer pretends to be someone from IT support or a contractor and states: "There are system problems and you'll need to log me on to check the connection."

    31. Phone Fraud Matrix: 3a Social Engineering on the Phone: Do you actually know who you are talking to on the other end of the line? Do they have an authorized need to know the information you have access to? Optional: Caller ID has been faked since 1984; the Caller ID failure rate (false positives) is growing; it does not always work. Now there are commercial programs available to disguise Caller ID.

    32. Matrix: 3a In Person - the social engineer may enter the building and pretend to be an employee, guest or service personnel. May be dressed in a uniform. Uniforms can be easily purchased. May become part of the cleaning crew. May be allowed to roam without raising suspicion. Suit-wearing folks may or may not be on site legitimately. They act like they belong in the building. Dumpster Diving - this is not against the law in California. Shoulder Surfing - Looking at your monitor, camera phones, PDAs, etc. LAPTOPS NOT PROTECTED IN PUBLIC SETTINGS, CELL PHONE CONVERSATIONS, MONITORS FACING PUBLIC AREAS, PERSONAL INTERVIEWS IN PUBLIC AREAS ARE ALL PREY TO SOCIAL ENGINEERS.

    33. Matrix: 3a SOCIAL ENGINEERING SIGNS: This slide lists some things social engineers might say or do to gain access to information. They may: Refuse to give their contact information. Rush you. Use name-dropping. Use intimidation. Make small mistakes. Request confidential information. Request you to do something without proper documentation and obviously not through the chain of command. Examples: "I cannot be contacted" OR "I'm on my cell phone and the battery is about to die" OR the number they give you is a call-out-only number. Systems administrators or maintenance technicians who need to do something to your account will not require your password.

    34. Matrix: 3a and 5a RESPONSE TO SOCIAL ENGINEERING ATTACKS If someone asks you for information that is sensitive (such as company, client, or personal data) don't be afraid to ask a few questions. Ask for the correct spelling of the person's name. Ask for a number where you can return the call. Do not give information on the first call. Call them back. Ask why the information is needed. Ask who has authorized the request and let the caller know that you will verify the authorization AND DO IT!!! Be prepared for the caller to use the name of a person of high authority.

    35. Matrix: 3a, 5a and 9c(2) IS IT IN YOUR POLICY OR PROCEDURES TO REPORT? This is a good place to introduce your incident reporting procedures to staff if you haven't already done so. GIVES MANAGEMENT A CHANCE TO WARN OTHERS OF THE TYPES OF ATTACKS OCCURRING If you feel you have thwarted or perhaps been victimized by an attempt at social engineering, report the incident to your supervisor or manager immediately! No need to feel embarrassed; the caller was working your finest qualities!

    36. How Is Entity Connected to the Inter/Intranet? From Worksite From Off Site Citrix Connections From Computing Labs Others (Library) Matrix: 3b and 6d(2.c) INTRODUCES HOW YOU ARE CONNECTED LOCALLY AND INTERNATIONALLY AND HOW SOME OF THE WORK TOOLS ARE CONNECTED In the world of the Internet, some of the most popular features are: World Wide Web (research, access to documents, remote access to email or network), Usenet newsgroups, Listservs, Video-conferencing.

    37. Your Account Is Only As Secure As Its Password Entity = 120 day rotation Don't let others watch you log in. At Home Change your password often. Don't write your password on a post-it note. Don't attach it to your video monitor or under the keyboard. Matrix: 3d, 5d-e, 9a(1), 9c(1) and 9d ROTATION DURATION SHOULD MATCH YOUR POLICY AND PROCEDURES Entity = 120 days rotation. The slide provides other password tips.

    38. Matrix: 3d, 5d-e, 9a(1) and 9d INTRODUCTION TO CREATING A STRONG PASSWORD It can't be obvious or exist in a dictionary (any language). Every word in an English language dictionary can be tried within minutes. Using a dictionary word for a password is like using a locker number for a combination. Attack dictionaries also include names, common misspellings, words with numbers, and other commonly used passwords. Don't use a password that has any obvious personal significance to you.

    39. Matrix: 3d, 5d-e, 9a(1) and 9d CONTINUES INTRODUCTION OF STRONG PASSWORD MUST MATCH YOUR PASSWORD POLICY EIGHT, UPPER, LOWER, NUMBER, PUNCTUATION is the INDUSTRY STANDARD FOR STRONG PASSWORD How, you may ask, am I ever going to remember such a complicated password?

    40. Matrix: 3d, 5d-e, 9a(1) and 9d INTRODUCES PASS PHRASE REMINDER OR TICKLER. PICTURE ON CORNER OF MONITOR DOES NOT REVEAL PHRASE.
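The point of slides 38 to 40 (a dictionary word "with numbers" or a leet-speak spelling is still a dictionary word to a cracker, while a pass-phrase-derived password is not) can be shown with a policy check. This is an added example, not from the deck; the word list is a constructed stand-in for a real attack dictionary, and the eight-character complexity rule is the one the slide names.

```python
"""Password policy check: complexity rule plus dictionary/mutation rejection.

Added example, not part of the training deck. ATTACK_DICTIONARY is a
constructed stand-in; a real attack dictionary holds every dictionary
word, common names, misspellings and leaked passwords.
"""
import string
from typing import List, Optional

# Constructed mini "attack dictionary": plain words, names, a common
# misspelling and a numbered variant, all stored lower-case.
ATTACK_DICTIONARY = frozenset({
    "password", "welcome", "letmein", "summer", "monkey", "dragon",
    "admin", "john", "mary", "sacramento", "recieve", "passw0rd",
})

# Substitutions a cracker's rule set undoes: digits and symbols that stand
# in for letters ("leet speak"), mapped back to the letter they imitate.
LEET_TO_LETTER = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l",
})

MIN_LENGTH = 8   # the deck's "EIGHT" requirement
MAX_STRIP = 6    # how many appended chars (e.g. "2005!") we try peeling off


def complexity_failures(password: str) -> List[str]:
    """Return the character-class rules (EIGHT, UPPER, LOWER, NUMBER,
    PUNCTUATION) that the password violates; empty list if none."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no punctuation")
    return failures


def dictionary_base(password: str) -> Optional[str]:
    """Find the dictionary word the password is a trivial mutation of.

    Mirrors a cracking rule set: lower-case the input, try removing up to
    MAX_STRIP leading and trailing digits/symbols, and reverse leet
    substitutions on what is left. Returns the matching base word or None.
    """
    lowered = password.lower()
    n = len(lowered)
    for lead in range(0, min(MAX_STRIP, n) + 1):
        for trail in range(0, min(MAX_STRIP, n - lead) + 1):
            core = lowered[lead:n - trail]
            if len(core) < 3:
                continue
            for candidate in (core, core.translate(LEET_TO_LETTER)):
                if candidate in ATTACK_DICTIONARY:
                    return candidate
    return None


def check_password(password: str) -> List[str]:
    """All reasons the password is rejected; an empty list means accepted."""
    reasons = complexity_failures(password)
    base = dictionary_base(password)
    if base is not None:
        reasons.append(f"mutation of dictionary word '{base}'")
    return reasons


if __name__ == "__main__":
    # Constructed samples: a bare word, two "complex" mutations of words,
    # and a pass-phrase-derived password ("To be, or not to be!").
    for pw in ["monkey", "P@ssw0rd1!", "John2005!", "Tb,on2b!", "Gr8!k9zQ"]:
        verdict = check_password(pw)
        print(f"{pw:12s} -> {'OK' if not verdict else '; '.join(verdict)}")
```

Note that "P@ssw0rd1!" satisfies every character-class rule and is still rejected, which is the deck's point about words with numbers.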

    41. Matrix: 3d, 5d-e, 9a(1) and 9d SAMPLES OF VANITY PLATES Other easy ways to remember the password.

    42. Matrix: 3d, 5d-e, 9a(1) and 9d

    43. Matrix: 3d, 5d-e, 9a(1) and 9d SHOULD MATCH YOUR POLICY Against policy to share passwords. There are a couple of exceptions to the rule; however, they are specific and documented. If you ever receive a telephone call from someone claiming to need your password, report it immediately. When you receive technical assistance, enter your password yourself. Do not reveal it.

    44. Matrix: 3d, 5d-e, 9a(1) and 9d SHOULD BE SUPPORTED BY YOUR POLICY. USE OF PASSWORD SHOULD BE LIMITED. USE SHOULD BE MONITORED BY INDIVIDUAL, PARTICULARLY IN SETTINGS NOT WORK RELATED. Be careful about typing your password into a strange computer. Does the computer have anti-virus protection enabled? Is the owner trustworthy, or is he/she possibly running a keyboard logger to record your keystrokes? (It has happened.) Who was the last person to use that computer and what did he/she run on it? Never, never, never use the automatic logon feature in Microsoft Windows.

    45. Matrix: 3d, 5d-e, 9a(1) and 9d CONTINUATION of previous slide Be careful about typing your password into a strange program, website, or server. Why is it needed? Is it a legitimate request? Are they authorized to ask for it? No web site should be asking for your password.

    46. Matrix: 3d, 9a(1) and 9d REPEATS CONCEPT OF PROTECTING ACCESS TO SYSTEM AND VULNERABILITY OF BEING INSIDE THE FIREWALL. Do not use the same password for an unofficial, entertainment, off-site, or nonessential service that you use for critical services. Do not use the same passwords at home that you use at work!!!

    47. Matrix: 3d, 9a(1) and 9d Optional Slide: Covers password use at home as well. PASSWORD ROTATION At home, if your information gets stolen from your computer, do you know it?

    48. Recap Common sense Simple rules Technology Remember By protecting yourself, you're also doing your part to protect Entity. OPTIONAL SIMPLE RECAP FOR BREAK OR DISCUSSION OF QUESTIONS. Common sense, some simple rules and a few pieces of technology can help protect your computer system from unauthorized use and damage. It's important to remember that by protecting yourself, you are also doing your part to protect the Entity.

    49. Formal Agreement Trading Partners Business Associates Other agreements (e.g. MOUs and IAs) Matrix: 3e(1-2) Your organization has likely entered into a formal agreement with someone with whom they exchange data or information. You are individually accountable for your use and activity on the interconnected systems. How you conduct yourself could put the formal agreements at risk, and you may be subject to sanctions if you do not follow the organization's security policies and procedures. Entity & State agencies need to have a process to do formal agreements before transmitting data/personal information. Also, not everyone has the same permissions to see the same information.

    50. Entity EMAIL Policy Matrix: 3f OPTIONAL TO USE A BULLETED LIST FOR SPECIFIC POINTS of your email policy. GIVE AUDIENCE A COPY OF ENTIRE POLICY as a handout. Reminder to staff that any messages on their email account are Entity property and may be monitored. Also, don't write anything in email that you would be embarrassed by if it were sent out to the wrong people by mistake or forwarded on to someone else.

    51. Matrix: 3e(1) OPTIONAL TO USE A BULLET LIST FOR SPECIFIC POINTS GIVE AUDIENCE A COPY OF ENTIRE POLICY as a handout. Reminder to staff that any Internet usage on Entity equipment is subject to monitoring, if applicable to your policy.

    52. EMAIL ETIQUETTE Provides: immediate response, tracking of issues, broadcast ability, planning tool, transfer of large amounts of information. From, FW, RE, To, cc, bcc, Reply and Reply to All, Forward. All caps LOOKS LIKE YOU ARE SHOUTING! No facial expression, no vocal tone, no physical indicators. Use the spellchecker, but read what you wrote; bad spelling leaves a poor impression. Never answer in a hurry, especially if you are upset. Matrix: 3f OPTIONAL EDUCATIONAL SLIDE "From" tells you specifically who it came from, who forwarded it. "To" usually indicates that you are one of the principal recipients and usually requires a response. Avoid following up with a thank you. "FW" has been forwarded to you; CONSIDER where it came from and why it was forwarded to you. Answer accordingly. "cc" indicates that the sender wishes you to be aware of something, but usually does not require your response. "bcc" BEWARE, someone is letting you know something without the "To" and "cc" folks knowing you are aware of it. "Reply" sends your message back to the person the message came from ONLY. Very appropriate. "Reply to all" sends your message to everyone. Rarely appropriate. If you are cc'd, the sender is not asking for your input to the entire group. THINGS TO REMEMBER "Forward" is someone sending something on to others. REMEMBER THAT YOUR MESSAGE CAN GO ANYWHERE!!!!! OTHER TIPS Refer to slide.

    53. Electronic Commerce Matrix: 3g(1-3) This slide is an example of electronic commerce. Electronic Fund Transfer (EFT) can be a transfer of funds from your financial institution to a point-of-purchase sale or other payment. You connect to a server and are authenticated electronically, usually by "who you are" and "what you know". Sometimes financial institutions use a timing device to get "what you have". These are the three pieces of strong security. EDI is usually a minimum of Send and Receive. This example fits the Medi-Cal Targeted Case Management four-step EDI. Like a written signature, the purpose of a digital signature is to guarantee that the individual sending the message really is who he or she claims to be. Digital signatures are especially important for electronic commerce and are a key component of most authentication schemes. To be effective, digital signatures must be unforgeable. There are a number of different encryption techniques to guarantee this level of security. (Webopedia)

    54. Privileges and Responsibilities Use of your Entity computer account is a privilege. Along with the privilege to use Entity network resources come some responsibilities. Remember that Internet traffic is logged, monitored, and saved. Matrix: 3h and 9b(1-2) This slide reiterates Entity network policy. SHOULD BE ENFORCED BY YOUR POLICY Use of your Entity computer account is a privilege granted by the Entity so you can work, communicate with staff and associates, and take advantage of both Entity online resources and the Internet at large. Along with the privilege to use Entity network resources come some responsibilities. Remember that Internet traffic is logged, monitored, and saved.

    55. Internet Security and Use Entity has Internet services to support the advancement of business goals and objectives. Use of computer resources and networks must be business oriented. Messages from the e-mail system are NOT to be automatically forwarded. Accessing sites with offensive material is prohibited. Matrix: 3h, 5a(1) and 6d(2.d) INTRODUCTION OF WHY YOUR ENTITY IS WORRIED ABOUT YOUR INTERNET USE AND SOME INITIAL POLICY PIECES RELATED TO BEING CONNECTED Entity has Internet services to support the advancement of business goals and objectives. Ensure that the use of computer resources and networks is business oriented. In general, messages from the e-mail system are NOT to be automatically forwarded. Accessing sites with offensive material is prohibited. It presents a legal risk for you and the Entity. WARNING ABOUT ANONYMITY ON THE INTERNET

    56. Other Safety Measures Log off when not using your computer. Lock your workstation (Ctrl+Alt+Del and Lock). Automatic Screen Savers. Do not leave sensitive information on the copier or remote printers. Confirm fax numbers before sending. Matrix: 6d OPTIONAL PHYSICAL SAFETY MEASURES. Log off when not using your computer. (Gone for more than an hour?) (Energy savings too!!!) Lock your workstation (Ctrl+Alt+Del and Lock). (XP, Windows 2000) Automatic Screen Savers. (Set to five minutes with password protection.) Ensure sensitive information is not left on the copier or remote printers. (If you find sensitive information, TAKE responsibility for it.) Confirm fax numbers you enter. Auto Dial can reduce risk. ENSURE THESE FOLLOW YOUR POLICIES AND PROCEDURES

    57. You are Here! Laws & Regulations The Organization & IT Security System Interconnection & Information Sharing Sensitivity Risk Management Management Controls Acquisition/Development/Installation/Implementation Controls Operational Controls Technical Controls

    58. Information Sensitivity Matrix: 4a(1-2) and 4b(1.b) DATA SECURITY LEVELS BASED ON CONTENT/USE/VALUE Security levels will vary depending on the sensitivity of the information. For example, Mental Health Services information: the staff roster is internal, not public. Billing codes are not sensitive UNLESS they contain client information. ALL INFORMATION COMBINED IS VERY HIGH. So... the individual databases are classified accordingly, BUT server access where it all resides is VERY SENSITIVE.

    59. IT Asset Protection Physical Technical Administrative Matrix: 4-c HIPAA Security provides for administrative, technical, and physical safeguards, also known as asset protection. Physical - Lock doors, file cabinets, restrict entry by unauthorized personnel. Technical - Lock Workstation (Ctrl+Alt+Delete, Lock Screen) when not at your computer, use passwords, use virus protection, back up data. Administrative - Sanction policy, reporting incidents, termination procedures, workforce clearance.

    60. To decide whether a computer system is secure, you must first decide what secure means to you, then identify the threats that apply. Matrix: 4d-f SECURITY AWARENESS is set in the context of Information Security. This slide introduces some concepts that fall under information security. INCLUDE OTHERS SPECIFIC TO YOUR ENTITY. Information security is ALWAYS in terms of CIA: Confidentiality is the ability to keep certain information private, to keep it from being shared inappropriately. If information is shared inappropriately the organization can be held liable for the negative consequences to clients and for mitigation efforts. THIS IS PRIVACY. Integrity is the ability to protect information and systems from malicious or accidental modification or corruption. Integrity is ensuring that the data is what it represents, that it has not been modified or deleted in some way. Programs will not be able to collect information, or the information is worthless, if it is not in a usable condition. Availability is the reliable and timely access to data and resources by authorized individuals. The public, the Entity and its partners soon become dependent on automated IT systems. When these systems are down, users become frustrated and could avoid using automated systems in the future, thus increasing the Entity's manual processing workload, or worse, delaying or stopping the delivery of services.

    61. Be aware! Learn and practice good security habits. Report anything unusual. So How Do We Start? Matrix: 5a, 6d(1), 6e(1), 6g, and 9c(2) INTRODUCTION OF THE SECURITY 90/10 RULE The lock on the door is the 10%; you remembering to lock it, checking to see if it is closed, ensuring others do not prop the door open, and keeping control of keys is the 90%. The 10% is worthless without YOU. First, become aware yourself - know how to identify a potential issue. Use sound judgment. Next, learn and practice good security habits - incorporate secure practices into your everyday routine. Encourage others to do so as well. Finally, report anything unusual - Notify the appropriate contacts if you become aware of a suspected security incident. If it sets off a warning in your mind, it just may be a problem.

    62. You are Here! Laws & Regulations The Organization & IT Security System Interconnection & Information Sharing Sensitivity Risk Management Management Controls Acquisition/Development/Installation/Implementation Controls Operational Controls Technical Controls

    63. Three Areas of Security Under the 90/10 Rule: In the room; At the box; On the wire. Matrix: 5a and 9d THREE REALMS OF SECURITY, MOVING TO "IN THE ROOM". INTRODUCTION SLIDE TO THE NEXT FEW SLIDES.

    64. Types of Threats. Matrix: 5a(1) and 5b-c CONTINUATION OF THREATS, INCLUDING INTERNAL THREATS. Authorized Users/Internal Threats: Data Entry Errors/Omissions; Improper Disposal of EPHI; Insiders; Installation Errors; Misuse of Privileges; User Abuse/Fraud.

    65. Types of Threats. Matrix: 5a(1) and 5b-c CONTINUATION OF THREATS, INCLUDING EXTERNAL THREATS. Hackers/External Threats: Data/System Contamination; Denial of Service; Eavesdropping; Emanations; Insertion of Malicious Code/Software; Jamming; Misuse of Known Operating System Weaknesses.

    66. In the Room: Preventive Actions. Remove mail from your mail box; deposit outgoing mail in post office collection mail boxes or at your local post office; never give personal information over the telephone; never provide client information without knowing who is getting it and for what purpose. Matrix: 5a(2) and 9d EXAMPLES OF PREVENTIVE ACTIONS: Promptly remove mail from your mail box. Deposit outgoing mail in post office collection mail boxes or at your local post office; do not leave it in unsecured mail receptacles. Never give personal information over the telephone unless you initiated the call. Never provide client information unless you know who is getting it and for what purpose. OPTIONAL AT-HOME SECTION: AT HOME, when disposing of unwanted pre-approved credit card applications, credit card receipts, credit card checks, bills and other financial information, SHRED IT! Empty your wallet and/or purse of extra credit cards and identification. Never write down a PIN or password.

    67. Threats & Vulnerabilities. Matrix: 5a(2) and 5c This diagram demonstrates the need for added security controls when connecting to external systems and networks. In general, as vulnerability increases your Entity will want to adopt stronger security systems to reduce your vulnerability, and thus reduce your risk.

    68. Unregistered Software. Matrix: 5a(3), 6d(2.c) and 6d(2.e) PROBLEMS SURROUNDING UNLICENSED SOFTWARE: Such software often lacks key elements of documentation and lacks warranty protection or upgrade options. Untested programs or disks may be infected with viruses. You put yourself at risk of prosecution by pirating a product protected by copyright law. Ensure that you only obtain software through approved methods and install it in accordance with the licensing agreement of the specific software.

    69. Managing Risk. Matrix: 5a(1-4) RISK MANAGEMENT CONCEPT: In order to manage risk an Entity must (1) keep current on IT threats, (2) know its security systems well, including their vulnerabilities, know the likelihood of a vulnerability being exposed, and design future improvements to reduce those vulnerabilities, and (3) calculate its risk on an ongoing basis. In order to reduce risk you must decrease vulnerabilities. Think of managing IT security risk like playing the stock market!

    70. Intruder Tools. Matrix: 5c(1-2) and 9d INTRODUCTION TO THE TERMINOLOGY OF HACKERS OR CYBER TERRORISTS AND THEIR TOOLS. Vulnerability Scanning: Internet hackers constantly scan networks to try to identify where systems are vulnerable (LOOKING FOR UNPROTECTED PORTS). Pre-Attack Probes: another name for this type of scanning. Password Cracker: intruders use an automated program that continually tries to log into a system using a series of commonly used passwords, or using a dictionary as a source. Network Spoofing: a program that impersonates the sign-on routine; it collects your password and returns a message that the system is unavailable. VIRUS: uses the host application to reproduce itself; damages data or the system. SNIFFERS: small programs that let the computer ignore packet addresses and receive ANY information on the network. LOGIC BOMBS: malicious code triggered by a specific event or condition. TROJAN HORSE: a program that looks useful, yet is designed to run malicious code for unauthorized system access. WORMS: independent programs that reproduce themselves and tie up resources.

    71. Types of Security Controls. Matrix: 5d-e SECURITY CONTROLS: These controls work together to form a comprehensive and secure defensive structure. Use the analogy of building a house. You manage the project [Management Control]. A general contractor takes the plans you've approved, acquires crews/materials/foremen and drives the timeframe [ADII Control]. The foremen control the operations for each crew [Operational Control]. The site is secured and necessary training arranged [Security Awareness & Training Control]. The entire project can be set up on project management software [Technical Control].

    72. Examples of Security Controls. Matrix: 5f(1-3) SECURITY CONTROLS CONTINUED: Confidentiality protection in a technical control would be a server that restricts access to only those who need it. A locked file cabinet is a simpler operational control for protection of confidentiality. Integrity protection could also apply to restricted access, but to a database or data that must not be modified or corrupted; a firewall is an example of a technical control. Availability protections are systems that ensure your data can be accessed by the appropriate people; it can be a sophisticated spam control application or as basic as a back-up generator. So you can have one type of control, a firewall or server, that provides protection of confidentiality, integrity and availability. It is the goal of the protection, not the actual control, that defines the category of protection. The important thing is to make sure you have all three, confidentiality, integrity and availability, protected.

    73. Absolute vs. Acceptable Levels of Risk. Absolute protection from risk is an impossibility. Matrix: 5j ABSOLUTE VERSUS ACCEPTABLE/REASONABLE SECURITY: Absolute protection from risk is an impossibility, and a belief that you have absolute protection would lull an Entity into a false sense of security. An acceptable level of risk is a more realistic approach to managing risk. An Entity can define different levels of risk for different programs, systems or resources. Acceptable risk, for example, is trash thrown in a dumpster, which has a low level of risk if sensitive material is shredded or disposed of in another manner. A list of HIV clients on a health server would have a high risk if it were on a laptop with no password or firewall protections being stored in someone's car. The risk could be reduced to an acceptable level if the data file is partitioned within a server that has restricted access controlled through a log-in process.

    74. Controls. IT systems require controls that are: adequate and appropriate; unique and have sophisticated protection; driven by the probability, severity and extent of potential harm; cost beneficial and effective. Matrix: 5k(1-4) IT systems require controls that are both adequate and appropriate due to the severe consequences of a breach. The technical nature of IT systems requires unique and sophisticated protection, and those protections must be updated continuously, such as with patches or virus protection. The probability, severity and extent of potential harm drive the design of the control; an increase in these three parameters will increase the need for more security. Likewise, each security control needs to balance cost, benefits and effectiveness with the appropriate control. Don't spend $150K to protect $10K worth of risk.

    75. Multiple Security Disciplines. Integrate various security disciplines to strengthen your security, for example: police and fire personnel; train staff on CPR; schedule audits and reviews; security decision process; involve program staff. Matrix: 5l-m and 6f(1-4) LAYERED SECURITY CONCEPT: Utilize and integrate various security disciplines to strengthen your security, for example: coordinate drills with police and fire personnel; train staff on CPR; schedule internal and external audits and reviews; funnel all security information and findings into the security decision process; involve program staff in the development of security controls.

    76. You are Here! Laws & Regulations The Organization & IT Security System Interconnection & Information Sharing Sensitivity Risk Management Management Controls Acquisition/Development/Installation/Implementation Controls Operational Controls Technical Controls

    77. Management Controls. Management controls are a type of security control that encompasses seven general areas: policies & procedures that standardize system & application expectations; standard operating procedures; personnel security; system rules of behavior; individual accountability; IT security awareness & training; user responsibilities for inappropriate actions of others. Matrix: 6a-b and 6f(1-4) MANAGEMENT SECURITY CONTROLS: These areas of control are managed through the organizational structure of the Entity. Executive management and their appointees define, address and implement these areas of control. Controls are in place to support achieving the Entity mission and are generally defined, published and distributed through policies and procedures. When consistently reinforced, an Entity culture develops from the management controls. Some procedures are so common and generally applicable that they are identified as standard operating procedures, such as building shut-down and lock-up procedures, badge IDs and password log-in. System rules of behavior define expectations of staff assigned to a system, such as intake.

    78. Personnel Security. Much of an Entity's vulnerability is staff-related: if applicable, perform security clearances; define roles and responsibilities; separated duties; role-based access. Matrix: 6c(1-4) and 6f CONTINUATION OF SECURITY LAYERS: All of these controls support CIA: Confidentiality, Integrity & Availability! If applicable, perform security clearances for sensitive positions. Clearly define roles and responsibilities to avoid confusion and convey clear expectations of staff with regard to security. Certain IT duties need to be separated by staff and sometimes by work unit. Access controls are role based to ensure the appropriate staff have access to the information they need.

    79. Why should you ensure the software you are using is compliant with copyright law and Entity Policy? Matrix: 6d(1), 6d(2.e) and 6f ENCOURAGEMENT TO FOLLOW ENTITY POLICY AND COPYRIGHT LAW REGARDING ENTITY EQUIPMENT. CAN LIST IMPACTS ACCORDING TO YOUR POLICY (PROGRESSIVE DISCIPLINE OR DISCONNECTION FROM THE NETWORK).

    80. System Rules of Behavior. Organization-specific user rules are general and somewhat universal. Matrix: 6d, 6e and 6f(1) USER RULES: Organizational and system-specific user rules are discussed in the slide. Organization-specific user rules are general and somewhat universal, e.g. protect confidentiality, check-out process for laptops, etc. System-specific user rules: access and limitation of system privileges need to be assigned; intellectual property/copyright issues need to be communicated; remote access and work-at-home issues need to be defined; official vs. unofficial system use needs to be clearly stated. Individual accountability contributes to system and information quality. Individual acceptance of those responsibilities can be documented on a signed Security and Confidentiality Acknowledgement agreement. If the agreement is broken, sanctions or penalties for violations need to be enforced to reinforce the accountability.

    81. Managing Your Security System. A formal plan is crucial. Matrix: 6f(3) and 7c(1-4) FORMAL SECURITY PLAN OUTLINE: Once your security system is designed, you need to manage the interaction of all sub-systems in order to make your system operational. A formal plan is crucial to successful management of your security system: identify missions, purpose and assets by system; define protection needs by system; identify who is responsible for what; identify existing controls vs. controls needed and a timeline for their implementation. For example, if you set up a log of failed attempts to enter the system, someone needs to review the log and take needed action.
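The failed-login log mentioned in the last point is only a control if someone reviews it. The following is an added example, not part of the training deck, of what that review can look like in code: the log lines and their format are constructed for the example (a hypothetical "LOGIN OK/FAIL user= src=" layout), the thresholds are assumptions to be tuned to local policy, and it reports which accounts and sources need follow-up rather than only counting failures.

```python
"""Review a failed-login log and list what needs follow-up (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for this example, not output of any real system.
# 10.0.0.x is private space; 203.0.113.x is a documentation-only range.
SAMPLE_LOG = """\
2024-03-04 08:01:12 LOGIN FAIL user=jsmith src=10.0.0.15
2024-03-04 08:01:20 LOGIN FAIL user=jsmith src=10.0.0.15
2024-03-04 08:01:33 LOGIN OK   user=jsmith src=10.0.0.15
2024-03-04 08:05:02 LOGIN FAIL user=mjones src=10.0.0.21
2024-03-04 08:05:05 LOGIN FAIL user=mjones src=10.0.0.21
2024-03-04 08:05:09 LOGIN FAIL user=mjones src=10.0.0.21
2024-03-04 08:05:14 LOGIN FAIL user=mjones src=10.0.0.21
2024-03-04 08:05:18 LOGIN FAIL user=mjones src=10.0.0.21
2024-03-04 08:05:25 LOGIN OK   user=mjones src=10.0.0.21
2024-03-04 09:10:00 LOGIN FAIL user=admin  src=203.0.113.9
2024-03-04 09:10:01 LOGIN FAIL user=root   src=203.0.113.9
2024-03-04 09:10:02 LOGIN FAIL user=test   src=203.0.113.9
2024-03-04 09:10:03 LOGIN FAIL user=guest  src=203.0.113.9
2024-03-04 09:10:04 LOGIN FAIL user=backup src=203.0.113.9
"""

# Hypothetical line layout; adapt this pattern to the real log format in use.
LINE_RE = re.compile(r"^(\S+ \S+) LOGIN (OK|FAIL)\s+user=(\S+)\s+src=(\S+)$")


def parse_line(line):
    """Turn one log line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # noise is skipped, never allowed to abort the review
    ts, result, user, src = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "ok": result == "OK", "user": user, "src": src}


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def review_log(text, fail_threshold=5, spray_threshold=4,
               window=timedelta(minutes=10)):
    """Return a list of findings, each with the action the reviewer should take.

    Thresholds are assumptions for this example: `fail_threshold` failures on
    one account inside `window`, or one source failing against at least
    `spray_threshold` distinct accounts in the reviewed log.
    """
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    findings = []

    # 1. Bursts of failures against a single account.
    fails_by_user = defaultdict(list)
    last_ok_by_user = {}
    for e in events:
        if e["ok"]:
            last_ok_by_user[e["user"]] = e["ts"]
        else:
            fails_by_user[e["user"]].append(e["ts"])
    for user, times in fails_by_user.items():
        n = max_in_window(times, window)
        if n >= fail_threshold:
            ok_after = last_ok_by_user.get(user)
            # A success right after a burst deserves a call to the user, not a shrug.
            followed_by_success = ok_after is not None and ok_after > max(times)
            findings.append({
                "kind": "account_burst", "subject": user, "count": n,
                "action": ("verify the later successful login with the user"
                           if followed_by_success else "confirm lockout and contact user"),
            })

    # 2. One source trying many different accounts (each only a few times).
    users_by_src = defaultdict(set)
    for e in events:
        if not e["ok"]:
            users_by_src[e["src"]].add(e["user"])
    for src, users in users_by_src.items():
        if len(users) >= spray_threshold:
            findings.append({
                "kind": "source_spray", "subject": src, "count": len(users),
                "action": "one source failing against many accounts; review and consider blocking",
            })
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f['kind']:14} {f['subject']:14} count={f['count']:<3} -> {f['action']}")
```

Run daily against the previous day's log, the findings list is the "take needed action" step of the plan: each entry names a subject and an action, and a day with an empty list is itself a recorded review.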

    82. You are Here! Laws & Regulations The Organization & IT Security System Interconnection & Information Sharing Sensitivity Risk Management Management Controls Acquisition/Development/Installation/Implementation Controls Operational Controls Technical Controls

    83. System Life Cycle Stages. Define business processes for all system life cycle stages: initiation; development; test and evaluation; implementation; operations; termination. Matrix: 6f and 7a-b SYSTEM LIFECYCLE. Refer to slides for discussion points.

    84. Example of System Life Cycle Stages. Acquiring hardware and software: consider the following. Matrix: 7a-b INPUTS FOR SYSTEM LIFE STAGES: Define a business process for acquiring hardware and software that considers the following: Lead time? What's the degree of user involvement? What specific outputs/reports do users require? How does acquisition impact system security? (e.g. users may not download software from any source without specific approvals.)

    85. System Life Cycle Stages & IT Security Goals. What is needed to protect system security? Matrix: 7a-b CONTINUATION OF LIFE CYCLE STAGES. Refer to slides for discussion points.

    86. You are Here! Laws & Regulations The Organization & IT Security System Interconnection & Information Sharing Sensitivity Risk Management Management Controls Acquisition/Development/Installation/Implementation Controls Operational Controls Technical Controls

    87. Operational Controls. Operational controls help maintain an optimal level of security. Matrix: 6f(2) and 8 OPERATIONAL CONTROLS help maintain an optimal level of security and are comprised of the following three areas. 1. Physical and environmental protection includes physical access controls, intrusion detection, fire/water/moisture/heat/electrical maintenance, and mobile and portable systems. 2. Contingency planning covers four areas: the importance of developing & testing contingency/disaster recovery plans (Business Continuity Plans); the importance of users providing accurate information about processing needs, allowable down time and applications that can wait; responsibility for backup copies of data files and software programs; simple user contingency planning steps. 3. Marking, handling, shipping, storing, cleaning and clearing refers to paper hard copy or disks.

    88. You are Here! Laws & Regulations The Organization & IT Security System Interconnection & Information Sharing Sensitivity Risk Management Management Controls Acquisition/Development/Installation/Implementation Controls Operational Controls Technical Controls

    89. Matrix: 9a(1-3) Roles are defined PRIOR to allowing access and are a reflection of, and support, the Security Policy and Procedures. Roles are defined in relation to the data and the data's sensitivity. The USER identification and password are used to authenticate the user and allow access to predetermined amounts of data. All access privileges are based on the user's role. Public access may have more stringent controls than internal users. Internal users generally have access to more information inside the organization, yet some may have nearly as many limitations as external, public, users.
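The two steps this slide describes, authenticate with user ID and password, then grant only what the user's predefined role allows for the data's sensitivity, look like this in code. This is an added example, not the deck's or any product's code; the users, roles, data sets and sensitivity levels are constructed for it, and the point is that an account with no role assigned gets nothing even with a correct password.

```python
"""Authenticate by user ID + password, then authorize by role (added example)."""
import hashlib
import hmac
import os

# Sensitivity levels in increasing order; every data set carries one (constructed).
LEVELS = ["PUBLIC", "INTERNAL", "SENSITIVE"]
DATA_SETS = {
    "program_brochure": "PUBLIC",
    "staff_directory": "INTERNAL",
    "client_records": "SENSITIVE",
}

# Roles are defined BEFORE any access is allowed: the highest level each may read.
# A public role is the most restricted; an internal "staff" role sees more, but
# still not the sensitive client data reserved for "case_worker".
ROLE_MAX_LEVEL = {"public": "PUBLIC", "staff": "INTERNAL", "case_worker": "SENSITIVE"}


def hash_password(password, salt=None):
    """Salted PBKDF2 so the stored value is not the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


# Constructed user records for the example. "newhire" has an account but has
# not yet been through the role-definition step.
USERS = {}


def add_user(user_id, password, role=None):
    salt, digest = hash_password(password)
    USERS[user_id] = {"salt": salt, "digest": digest, "role": role}


add_user("anon", "public-pw", role="public")
add_user("jsmith", "correct horse", role="staff")
add_user("mjones", "battery staple", role="case_worker")
add_user("newhire", "not yet provisioned")  # no role assigned yet


def authenticate(user_id, password):
    """Step 1: the user ID and password establish who is asking, nothing more."""
    rec = USERS.get(user_id)
    if rec is None:
        # Hash anyway so an unknown account costs the same time as a wrong password.
        hash_password(password, b"\x00" * 16)
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["digest"])


def authorize(user_id, data_set):
    """Step 2: the user's role, against the data's sensitivity, decides. Deny by default."""
    rec = USERS.get(user_id)
    if rec is None or rec["role"] is None:
        return False  # no role defined yet means no access, however valid the password
    max_level = ROLE_MAX_LEVEL.get(rec["role"])
    level = DATA_SETS.get(data_set)
    if max_level is None or level is None:
        return False  # unknown role or unknown data set is also a denial
    return LEVELS.index(level) <= LEVELS.index(max_level)


def access(user_id, password, data_set):
    """Full check in the slide's order: authentication first, then role-based authorization."""
    if not authenticate(user_id, password):
        return "denied: authentication failed"
    if not authorize(user_id, data_set):
        return "denied: role does not permit this data"
    return f"granted: {data_set} ({DATA_SETS[data_set]})"


if __name__ == "__main__":
    for who, pw, what in [("mjones", "battery staple", "client_records"),
                          ("jsmith", "correct horse", "client_records"),
                          ("newhire", "not yet provisioned", "program_brochure")]:
        print(f"{who:8} -> {what:17}: {access(who, pw, what)}")
```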

    90. Tips For Safeguarding Your Privacy Online. Practice "Heads Up" Computing: this refers to the attitude you bring to computer use. Matrix: 9c(1) TIES INTERNET SURFING AND ITS VULNERABILITIES TO IDENTITY THEFT.

    91. Identity Theft. Matrix: 9c(1) INTRODUCES IDENTITY THEFT AND THE GROWING CONCERN.

    92. What Is Identity Theft? Acquisition of key pieces of identifying information for the purpose of impersonation. Matrix: 9c(1) DEFINITION AND OBJECT OF ID THEFT ATTEMPTS. ID Theft: acquisition of key pieces of identifying information for the purpose of impersonation. Identifying information includes: name, address, date of birth, Social Security number, mother's maiden name, credit card number, ATM PINs, bank account numbers.

    93. Identity Theft Purpose. Matrix: 9c(1) Some uses of your identity information once it is stolen include: take over financial accounts; open new bank accounts; apply for loans; apply for credit cards; apply for Social Security benefits; purchase automobiles; rent apartments; establish services with utility companies; open cell phone accounts; write checks on accounts; purchase goods and services online. INSERT LOCAL EXAMPLES.

    94. Identity Theft: How They Do It (High and Low Technology). Shoulder surfing at ATMs and pay phones; stealing your mail; dumpster diving; utilizing corrupt employees; using checks drawn on credit cards; creating counterfeit checks. Matrix: 9c(1) IDENTITY THEFT METHODS: shoulder surfing at ATMs and pay phones; stealing your mail; dumpster diving; utilizing corrupt employees; using checks drawn on credit cards (such as holiday checks); creating counterfeit checks using open source software. The California Department of Consumer Affairs Office of Privacy Protection can help. Visit their website at www.privacy.ca.gov.

    95. Matrix: 9d INTRODUCES THE "YOU ARE NOT ALONE ON THE INTERNET" CONCEPT. Pop-up windows: a window will appear on the screen telling the user he has lost the network connection and must re-enter his user name and password; a program will then e-mail the intruder. Mail attachments: programs can be hidden in e-mail attachments. Viruses and worms ("I love you"). Spam, chain letters, hoaxes. HACKERS ARE A TYPE OF SOCIAL ENGINEER.

    96. Leaving Tracks. Electronic trail through the Internet; Entity knows where you've been; register stops. Matrix: 9d TIES WEB SURFING TO SPAM AND HOW THE ELECTRONIC TRAIL IS CREATED: You leave an electronic trail through the Internet when you visit web sites with your browser. This means the Entity knows where you've been. The sites you visit also register your stops there. Some sites may leave the logs open for casual viewing by local users at the site or even use them to create mailing lists.

    97. Matrix: 9d(1-3) The organization SHOULD have specific reporting mechanisms as well as any specific actions the central authority wants the USER to take. Virus alerts SHOULD come from one source within an organization. This prevents the forwarding of erroneous virus alerts, which may be a ruse to spread malicious code or to damage systems and equipment through false directives. Technical response is in relation to severity and staffing levels for support. Local scan/detect/removal software may or may not be part of entity Policy and Procedures. Staff should be informed of their specific responsibility and any procedures regarding dealing with malicious code or activity.
