Awareness Training on Information Security


Information Security User Awareness Training

Agenda
• What do we have that is of value?
• Who else may it be valuable to?
• What would happen if…
• What the law says
• How we aim to protect our assets
• What part do I play in keeping our assets safe?
• Summary and Questions
• Quiz

Our Information Assets
• Personal information
• Budgets
• Business plans
• Human resources
• Customer records
• Intellectual property
• Legal
• Product specs
• Financial
• Contractual
• Suppliers
• Physical
• People
• Tax
• Commercial terms
• Operational procedures

Who may be interested in our information assets?
• Cyber-criminals – organised gangs
• Competitors – at home and abroad
• Hacktivists – politically motivated
• Nation states – cyber-warfare
• Fraudsters – individuals inside or outside the organisation

What would happen if…
• Someone else gained access to our assets (loss of Confidentiality)
• Our assets were corrupted in some way (loss of Integrity)
• We couldn't access our assets (loss of Availability)

How would it affect our:
• Customers
• Employees
• Reputation
• Finances
• Compliance with laws
• Ability to meet contractual obligations
• Health and Safety

What the law says (UK)
• Data Protection Act 1998
• Copyright, Designs and Patents Act 1988
• Malicious Communications Act 1988
• Computer Misuse Act 1990
• Freedom of Information Act 2000
• Privacy and Electronic Communications Regulations 2003
• Digital Economy Act 2010

How will we protect our assets?
• ISO/IEC 27001 – the Information Security Standard
• Management commitment
• Be clear about our policies
• Assess our risks
• Put appropriate controls in place
• Provide resources, training and awareness
• Monitor, review and improve

The ISO/IEC 27001 standard

ISO/IEC 27001 Controls

What part do I play?
• Physical security
• Access and passwords
• Email
• Using the Internet
• Anti-virus
• Mobile computing
• Removable media
• Information disposal
• Security incidents

Physical Security
• Securing doors and windows
• Tailgating
• Wearing badges
• Looking after cards and PINs
• Signing in and escorting visitors
• Challenging strangers
• Clear desk policy
• Overlooking (shoulder surfing)
• Deliveries

Access and Passwords
• Only use your own user accounts
• Never let anyone else use your user account
• Choose a strong password
• Never tell anyone your password
• Never write it down
• Use a different password for each system
• Use two-factor authentication where possible
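The deck asks for a "strong password" without saying what that means. The check below is an added illustration, not part of the training material or any organisation's policy: it applies a minimum length, refuses well-known passwords even when disguised with leet substitutions, and rejects keyboard sequences and heavily repeated characters. The thresholds (12 characters minimum, 16 characters before composition rules are waived) and the tiny list of common passwords are assumptions chosen for the example; a real deployment would check against a full breached-password list.

```python
"""Password-policy check: an added example, not the deck's own guidance.
MIN_LENGTH, LONG_ENOUGH and COMMON below are assumptions for illustration."""
from collections import Counter

MIN_LENGTH = 12        # assumption: absolute minimum length
LONG_ENOUGH = 16       # assumption: passphrases this long need no character-class mix
DIGITS = "0123456789"
# Constructed stand-in for a breached-password list.
COMMON = {"password", "password1", "qwerty123", "letmein", "welcome1", "iloveyou"}


def char_classes(pw):
    """Count which of lower / upper / digit / symbol classes appear in pw."""
    return sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])


def normalise(pw):
    """Undo common leet substitutions so 'P@ssw0rd' is compared as 'password'."""
    return pw.lower().translate(str.maketrans("@$013!", "asolei"))


def has_sequence(pw, run=4):
    """True if pw holds `run` consecutive ascending or descending characters
    (e.g. 'abcd', '4321'), a weak pattern attackers try early."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        diffs = {ord(s[j + 1]) - ord(s[j]) for j in range(i, i + run - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw):
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) < LONG_ENOUGH and char_classes(pw) < 3:
        problems.append(f"fewer than 3 character classes for a password under {LONG_ENOUGH}")
    lowered = pw.lower()
    # Compare the raw, de-leeted and digit-stripped forms against the common list.
    candidates = {lowered, normalise(pw), lowered.rstrip(DIGITS),
                  normalise(lowered.rstrip(DIGITS))}
    if candidates & COMMON:
        problems.append("common password")
    if has_sequence(pw):
        problems.append("contains a keyboard/alphabet sequence")
    if pw and Counter(lowered).most_common(1)[0][1] > len(pw) // 2:
        problems.append("mostly one repeated character")
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "Abcd1234!xyz", "correct horse battery staple"]:
        print(repr(candidate), check_password(candidate) or "OK")
```

Note that a long passphrase of ordinary words passes without any symbol or digit; length, not symbol count, is what resists guessing, which is why the class requirement is waived above LONG_ENOUGH.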

Email
• Use for work-related emails only
• Never send confidential information by email unless it is encrypted
• Always check that you are sending an email to the correct person
• Read and comply with the Email Policy
• Protect your email password: email is often used to verify password resets in other applications, so whoever controls your mailbox can take over those accounts too

Phishing Emails

Attacks
• Mass – random, sent to many recipients
• Spear – targeted on one organisation
• Whaling – targeted on one individual, typically a senior executive

Types
• Click-through (link to a malicious site)
• Attachments
• Web form capture (a fake login or data-entry page)

How do I tell?
• Unexpected
• Spelling mistakes
• Generic greeting, little or no personal information used
• Asking for an action: open an attachment, go to a website, provide information

Beware! They are becoming increasingly convincing

Using the Internet
• Don't disable your firewall software
• Ensure your browser and associated programs are up to date
• Check that links go to the site stated
• Check for HTTPS and the padlock symbol when performing confidential transactions
• Don't download unknown programs
• Limit work-related information posted on social media sites
• Do not visit sites that are against the Internet Acceptable Use Policy
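"Check that links go to the site stated" is the single most useful habit against click-through phishing: the visible text says one site, the underlying href goes to another. The script below, an added example that is not part of the deck, automates that check over an HTML message body. It pulls every anchor, compares the host named in the anchor text with the host in the href, and flags mismatches. The sample message is constructed for the example; the two-label "registrable domain" shortcut is an assumption (a real mail filter would use the Public Suffix List).

```python
"""Flag HTML e-mail links whose visible text names one site but whose href
points elsewhere. Added example; SAMPLE_EMAIL is constructed, not a real message."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_EMAIL = """
<p>Your mailbox is almost full. Free space at
<a href="http://login-example.badhost.test/reset">https://mail.example.com/reset</a></p>
<p>Need help? <a href="https://support.example.com/">support.example.com</a></p>
<p>Or <a href="https://www.example.com.evil.test/">www.example.com</a></p>
<p>Unsubscribe <a href="https://www.example.com/unsubscribe">here</a></p>
"""


def registrable(host):
    """Crude eTLD+1: keep the last two labels (assumption; use the PSL in practice)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of_text(text):
    """Return the host the anchor text appears to name, or None if it names none
    (plain words such as 'here' carry no host claim to compare against)."""
    if "://" not in text:
        text = "http://" + text
    host = urlsplit(text).hostname
    return host if host and "." in host else None


def suspicious_links(html):
    """Return [(visible_text, href)] where the text names a different site than the href."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        href_host = urlsplit(href).hostname or ""
        text_host = host_of_text(text)
        if text_host and registrable(text_host) != registrable(href_host):
            flagged.append((text, href))
    return flagged


if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE_EMAIL):
        print(f"MISMATCH: text says {text!r} but link goes to {href!r}")
```

The third sample link shows the subdomain trick the deck's "check the site stated" bullet is really about: `www.example.com.evil.test` begins with the expected name, but the registrable domain is `evil.test`. Comparing whole hostnames would also catch it, but comparing registrable domains avoids false alarms on legitimate links such as `support.example.com` versus `www.example.com`.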

Anti-Virus
• Never disable your anti-virus protection
• Keep your AV signatures and updates current
• Allow a scan to be performed regularly
• Report any viruses found to the IT Help Desk

Mobile Computing
• Never leave devices unattended in a public place or vehicle
• Keep locked away when not in use
• No confidential information to be stored on mobile devices unless previously approved
• Use screen lock and, if possible, whole-disk encryption
• Do not install unauthorised software
• Do not allow others to use your business device
• Consider backups and anti-virus protection

Removable Media
• Any attachable devices with storage, e.g. USB drives, memory cards, CD/DVDs
• Should not be used unless previously approved
• Must be encrypted if confidential information is to be stored
• Never insert unknown media into your PC or device, e.g. a USB stick you have found

Information Disposal
• Dispose of information appropriately according to its type
• Confidential information must be disposed of securely
• Paper must be shredded
• Electronic devices or media that may contain confidential information must be disposed of securely; hard disks may be shredded

Security Incidents
• An incident may be an actual or potential breach of policy or loss of data
• Information security incidents should be reported to the IT Help Desk
• In some cases, there may be a need to treat the area as a crime scene
• Evidence should be preserved where possible

Summary
• We must protect our information assets
• The consequences to the organisation are potentially very severe
• The organisation will do what it can… but you have a key part to play in achieving this
• Be careful and vigilant, especially on the Internet
• If you're unsure, please ask your manager

Questions

Quiz
1. Name three of our information assets
2. Name two groups who may try to gain unauthorised access to our information assets
3. Give two ways in which the organisation may be affected by an information security breach
4. ISO/IEC xxxxx is the Information Security standard – what is xxxxx?
5. Give an example of a "strong password"

Quiz cont.
6. If you recognise a "phishing" email, what should you do with it?
7. If you find a USB memory stick in the car park, what action should you take?
8. What are your responsibilities when you have a visitor?
9. Who would you report an information security incident to?
10. Whose responsibility is information security within our organisation?
