What should be the primary aim of a security awareness and training program?

The PRIMARY objective of security awareness is to:

A. ensure that security policies are understood.
B. influence employee behavior.
C. ensure legal and regulatory compliance.
D. notify of actions for noncompliance.

Explanation:

It is most important that security-conscious behavior be encouraged among employees through training that influences expected responses to security incidents. Ensuring that policies are read and understood, giving employees fair warning of potential disciplinary action, or meeting legal and regulatory requirements is important but secondary.

Security Awareness
Protecting Institutional and Student Information

Purpose

The purpose of security awareness is to focus attention on security, creating sensitivity to the threats and vulnerabilities of computer systems and recognition of the need to protect data, information and systems.

Objectives

  • Understanding security risks to the confidentiality, integrity, and availability of our information systems and data
  • Understanding safeguards available to reduce the information security risks to our users, data and information systems
  • Understanding best practices that will protect our users and information systems from information security risks

What is Computer Security?

  • Computer security is the protection of computing systems and the data that they store or access

Why is Computer Security Important?

• Computer security allows your campus to carry out its mission by:

  • Allowing faculty, staff, and students to carry out their jobs, education, and research.
  • Supporting critical business processes
  • Protecting sensitive information

Why Would Anyone Want to Hack Your Computer?

• Your computer could be used to:

  • Hide programs that launch attacks on other computers and servers
  • Generate large volumes of unwanted network traffic, slowing down the entire campus network
  • Distribute illegal software or media files
  • Scan for your personal information and send it to a third party (identity theft)
  • Log all of your keystrokes to obtain passwords

Why Should You Care About Computer Security?

• Computer Security is not just an IT problem

  • The 90/10 Rule:
    • 10% of security safeguards are technical
    • 90% of security safeguards rely on the computer user to adhere to good computing practices.
    • Example: The lock on your car is the 10%. Remembering to close the door, lock it, put up the windows, and keep control of your keys is the 90%

Essential Security Measures

• Physical Security:

  • Secure your office and desk before leaving them unattended
  • Check doors, drawers, and windows
  • Lock up any sensitive materials in your area
  • Never share your key, alarm code, or access card
  • Introduce yourself to strangers in your area in order to determine their purpose

Essential Security Measures (cont.)

• Make sure your computer is protected with an up-to-date antivirus package and all necessary security updates. Understand what you need to do to keep your operating system patched and your antivirus current.

  • Antivirus and updates on your work computer are handled by IT
  • It is important to have an up-to-date antivirus package on your home computer
  • Popular packages include: Norton Antivirus, AVG Antivirus, McAfee Antivirus
  • Updating your home operating system is also very important. Macintosh and Windows operating systems are constantly being exploited and patched. Both operating systems allow you to schedule automatic updates or update manually
  • To manually update your Windows computer, go to www.microsoft.com and click on security and updates
  • To manually update your Macintosh computer, click on the Apple icon (top left of your screen) and click Software Updates.

Essential Security Measures (cont.)

• Don't keep sensitive information, or your only copy of critical data, on portable devices (laptops, CDs, flash drives, Smart Phones, etc.) unless they are properly protected and allowed by policy.

  • If flash drives or other mobile storage devices are allowed by policy, they should be encrypted
  • Smart phones should require a password to unlock

Essential Security Measures (cont.)

• Do not install unknown or unsolicited software

  • Unknown software can contain viruses or open a back door into your computer
  • Make backup copies of data you are not willing to lose and store the copies securely

Essential Security Measures (cont.)

• Shut down, lock, log off, or put your computer to sleep before leaving it unattended

  • <ctrl><alt><delete> or <windows><L> on a PC
  • Apple menu or power button on a Mac
  • Your computer should require a password to start up or wake-up
  • Make sure that automatic login and guest accounts are disabled on your computer
  • The best way to do this is to make sure each user account on your computer requires a password

Internet Privacy and Security

• Social Networking and Blogs

  • Social networking sites, like MySpace and Facebook, along with personal web pages, Twitter, and blogs have become sites for personal information and uncensored opinions
  • You should not reveal personal details or confidential information online. Assume that anything you post in the previously mentioned areas is public and could be used against you.
  • You should not post anything on the Internet that you would not be willing to display on a banner in a public place
  • Seemingly innocent information about your interests, family or history could be used by hackers or stalkers
  • Things you post online can be very difficult to remove. Even if you delete the information, copies can still exist on other computers, web sites, or in search engines.

Internet Privacy and Security (Cont.)

• Always remember that the Internet is not private

  • Do not give out personal or sensitive information to anyone you don't know or who doesn't have a legitimate need for it
  • Do not provide personal, sensitive or confidential information to Internet sites, surveys or forms unless you are using a trusted, secure web page
  • At a minimum, look for "https" in the URL and a padlock icon in your browser before giving personal information. The padlock and https usually indicate a secure connection
  • Do not put any sensitive information in locations that are accessible from the Internet

Internet Privacy and Security (Cont.)

• Security cautions

  • Just opening a malicious web page can infect a poorly protected computer. 
  • Use only known, trusted, secure websites when you enter sensitive or personal information online
  • Beware of scams, even on well-known sites like eBay and Craigslist

Internet Privacy and Security (Cont.)

• Instant Messaging

  • Exercise extreme caution when using Instant Messaging (IM) applications
  • Do not reveal personal or sensitive information via IM
  • Use separate passwords for IM since it is generally insecure
  • Do not open files sent to you via IM as they bypass most anti-virus programs

Practice Safe Emailing

• Email Risks

  • Opening email attachments can infect your computer
  • Clicking on web addresses in emails can infect your computer
  • It is very common for "greeting card" emails to actually link to viruses.
  • Emails promising pictures of inappropriate celebrities are almost always linked to viruses

Practice Safe Emailing (cont.)

• Email Risk Areas

  • Spam: Unsolicited bulk email, including commercial solicitation, advertisements, chain letters and fraudulent offers.
  • Phishing Scams: Email pretending to be from someone at a trusted company such as your bank or PayPal
  • A reputable company will NEVER ask you to send password information through email
  • Attachments: Email attachments may contain viruses.
  • Especially avoid attachments with the following file extensions: .zip, .exe, .vbs, .wsh, and .app

Practice Safe Emailing (cont.)

• More risk areas

  • Fake security warning emails: only download security updates from trusted sites, never an unsolicited email link
  • Never assume that email or attachments are private or confidential
  • The State of Tennessee owns your campus email and any citizen can request copies of all your email.

Practice Safe Emailing (cont.)

• Signs of "scam" email

  • It is not addressed to you by name
  • It asks for personal or financial information
  • It asks you for a password
  • It asks you to forward it to all of your friends (chain letters)
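The two email lists above (the risky attachment extensions under "Email Risk Areas" and the signs of a "scam" email) can be turned into a simple triage check. The Python script below is an added illustration and is not part of the training module; the two sample messages, their sender addresses and the recipient name "Jane Doe" are constructed. The attachment check goes slightly beyond the deck's own list by also flagging double extensions such as "invoice.pdf.exe", a common way to disguise an executable.

```python
"""Heuristic triage of an email against the "scam email" signs in this deck.
Added illustration, not part of the training material; all sample data is
constructed."""
import re
from dataclasses import dataclass, field

# Attachment extensions the deck singles out as especially risky.
RISKY_EXTENSIONS = {".zip", ".exe", ".vbs", ".wsh", ".app"}

# Phrases typical of requests for credentials, financial details or forwarding.
PASSWORD_PATTERNS = [r"\bpassword\b", r"\bpasscode\b", r"\bpin\b"]
FINANCIAL_PATTERNS = [r"\bcredit card\b", r"\baccount number\b",
                      r"\bsocial security\b", r"\bbank account\b", r"\bssn\b"]
FORWARD_PATTERNS = [r"\bforward (this|it) to\b",
                    r"\bsend (this|it) to (all|everyone)\b"]


@dataclass
class Email:
    """Minimal constructed representation of a received message."""
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)
    recipient_name: str = ""


def risky_attachments(names):
    """Return attachment names whose final extension is on the risky list, or
    which carry a double extension (e.g. 'invoice.pdf.exe'). The double-
    extension rule generalizes beyond the deck's list and is deliberately
    conservative: it also flags names like 'archive.tar.gz'."""
    flagged = []
    for name in names:
        parts = name.lower().split(".")
        if len(parts) < 2:          # no extension at all
            continue
        ext = "." + parts[-1]
        if ext in RISKY_EXTENSIONS or len(parts) > 2:
            flagged.append(name)
    return flagged


def triage(msg):
    """Return the list of deck 'scam email' signs the message triggers."""
    flags = []
    text = msg.body.lower()
    lines = [ln for ln in text.splitlines() if ln.strip()]
    greeting = lines[0] if lines else ""
    # Sign 1: not addressed to you by name (check the greeting line only).
    if not msg.recipient_name or msg.recipient_name.lower() not in greeting:
        flags.append("not addressed to you by name")
    # Sign 2: asks for a password.
    if any(re.search(p, text) for p in PASSWORD_PATTERNS):
        flags.append("asks for a password")
    # Sign 3: asks for personal or financial information.
    if any(re.search(p, text) for p in FINANCIAL_PATTERNS):
        flags.append("asks for personal or financial information")
    # Sign 4: chain letter.
    if any(re.search(p, text) for p in FORWARD_PATTERNS):
        flags.append("asks you to forward it (chain letter)")
    # Risky attachment extensions from the "Email Risk Areas" list.
    bad = risky_attachments(msg.attachments)
    if bad:
        flags.append("risky attachment(s): " + ", ".join(bad))
    return flags


# Constructed sample messages (not real email).
PHISH = Email(
    sender="billing@example-support.test",
    subject="Urgent: verify your account",
    body="Dear Customer,\n\nYour account is on hold. Reply with your password "
         "and credit card number to restore access.\n",
    attachments=["statement.pdf.exe"],
    recipient_name="Jane Doe",
)
LEGIT = Email(
    sender="registrar@campus.test",
    subject="Fall schedule posted",
    body="Hi Jane Doe,\n\nYour fall schedule is available in the portal.\n",
    attachments=["schedule.pdf"],
    recipient_name="Jane Doe",
)

if __name__ == "__main__":
    for m in (PHISH, LEGIT):
        print(m.subject, "->", triage(m) or ["no red flags"])
```

Each flag maps to one bullet in the deck, so the output doubles as the checklist an employee would walk through by hand. Because the greeting check only inspects the first non-empty line, a message that buries your name in the body still counts as "not addressed to you by name", which matches how scam mail usually looks.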

Tips for Avoiding Security Threats

  • Use strong passwords (a combination of capital and lowercase letters, numbers, and symbols)
  • Do not share passwords with ANYONE
  • Make sure your computer is protected with up to date antivirus and operating system updates
  • Don't click on unknown web links or attachments, and don't download unknown files or programs onto your computer
  • Do not use an account with administrative privileges for daily computer use.

Consequences of Compromised Security

  • Risk to the security and integrity of personal or confidential information
  • Loss of valuable business information
  • Loss of employee and student trust, embarrassment, bad publicity, media coverage, news reports
  • Costly reporting requirements in the case of a compromise of certain types of personal, financial and health information
  • Internal disciplinary action

What Can You Do to Protect Yourself and Your Campus?

  • Learn "good computing security practices."
  • Incorporate these practices into your everyday routine. 
  • Encourage others to use these practices as well
  • Report anything unusual

Protection of Credit Cards - What is PCI DSS?

  • PCI-DSS stands for the Payment Card Industry - Data Security Standard
  • The five largest credit card companies determined that standardized requirements would minimize fraud, theft, and credit card misuse
  • The PCI Security Standards Council was created to manage and oversee the PCI-DSS requirements

Protection of Credit Cards - Complying with PCI-DSS

  • The institution is required to comply with the requirements of PCI-DSS
  • If the institution does not comply then we risk paying penalties and losing the ability to accept credit cards as payment
  • These requirements apply to all electronic and paper transactions
  • We are required to protect all credit card transactions and card holder data
  • Cardholder data is any personally identifiable data associated with a cardholder and includes:
    • Name
    • Social Security Number
    • Account Number
    • Expiration date
    • CVC/CVV/CID code (3 or 4 digit code used as an extra verification method)

Protection of Credit Cards - PCI-DSS Employee Responsibilities

  • Do not write down or store credit card information
  • Credit card payments are not to be taken over the phone
  • Credit card payments should be entered by the cardholder via a secured electronic connection or swiped using a credit card terminal
  • Manual entry is restricted to direct input in the payment system while the cardholder is present
  • All documents with credit card numbers and CVC/CVV/CID codes are to be destroyed immediately utilizing incineration or a diamond cut shredder
  • All improper storage or handling of credit card information should be reported to a supervisor immediately

Gramm-Leach-Bliley Act (GLBA)

  • The Federal Trade Commission (FTC) requires financial institutions to establish policies and procedures for safeguarding customer financial information by complying with the Gramm-Leach-Bliley Act (GLBA). The GLBA also includes specific requirements regarding the privacy of customer financial information. The FTC has ruled that being in compliance with the Family Educational Rights and Privacy Act (FERPA) satisfies the privacy requirement of the GLBA, but does not satisfy the safeguarding provisions.

Gramm-Leach-Bliley Act (GLBA) (cont.)

• Objectives

  • Ensure the security and confidentiality of customer records and information
  • Protect against any anticipated threats to the security or integrity of such records
  • Protect against unauthorized access to, or use of, such records or information that could result in substantial harm or inconvenience to any customer

Red Flag Rules - Identity Theft Protection

  • The institution is required by the Federal Trade Commission to implement the Red Flag Rules and to train employees on them
  • The Red Flag Rules require the institution to have an Identity Theft Program designed to detect, prevent, and mitigate identity theft involving financial accounts
  • Once a red flag is detected, the institution must assess the risk, investigate if necessary, and develop an action plan to mitigate or monitor the suspicious activity
  • Activities for higher education that cause colleges and universities to be considered creditors include:
    • Perkins Loans
    • Participation in the Federal Family Education Loan Program
    • Institutional loans to students, faculty or staff
    • Payment Plan for tuition

Red Flag Rules - Identity Theft Protection

  • Employees must be able to recognize and know how to respond to incidents of identity theft and fraud
    • Identify - Identify relevant red flags, including but not limited to:
      • Address discrepancies
      • Name discrepancies on identifications and other documents
      • Presentation of suspicious documents
      • Personal information inconsistent with what is already on file
      • Unusual or suspicious activity related to an existing account
      • Notice from customer, law enforcement or other sources of unusual activity on an account
    • Detect - Detecting the red flags once identified
    • Response - Responding to red flags and reporting to supervisor

Red Flag Rules - Identity Theft Protection

  • Indicators that may raise "Red Flags" with examples:
    • Suspicious documents
      • any document that appears to be altered, forged, photo not the same, inconsistent with what is on file
    • Suspicious personal identifying information
      • ID inconsistent with other sources
      • Use of security challenge questions
    • Unusual use of or suspicious activity related to account
      • Requests to add a new person to account shortly after opening
      • Request for access to inactive account
    • Alerts, notifications or warnings from a credit or consumer reporting agency
      • Fraud alert, credit freeze
      • Activity inconsistent with previous activity

Training Requirements

All new staff may be required to complete this training. Upon successful completion the employee will print, sign, and submit their certification attesting to the fact they understand their responsibility to safeguard customer financial information. A copy of this certification will be maintained by Human Resources.

Existing staff may be required to successfully complete this online training module annually. In addition to the email record of completion, the employee will print, sign, and submit the certificate of completion to Human Resources.

Proficiency Test

You have now completed the training review. In order to complete your certification you must take the quiz by clicking "Quiz Group" below. After answering the question click the "NEXT" button to see the next question. After completing the test you may review the answers. You must answer a minimum number of questions correctly to pass. Once you have reviewed your answers click "NEXT PAGE" at the bottom to print and send your certificate.

DO NOT CLICK RETRY IF YOU PASS.

Certification

Type your name in the space below and click "EMail Score" to record your completion of this training module. Click "Print Certificate" to print a certificate of completion. When the certificate window opens, right click on the certificate and select Print. You must select Preference and set your printer to landscape before clicking Print. You may also print a copy of your score by clicking "Print Score Summary".

What is the main purpose of security awareness training?

Security awareness training is a formal process for educating employees and third-party stakeholders, such as contractors and business partners, on how to protect an organization's computer systems, along with its data, people and other assets, from Internet-based threats or criminals.

What is the most important security awareness training?

Organizations looking to heighten security awareness among employees need to cover a wide variety of security awareness training topics, but social engineering tops the list.