Information Security Training 2010 Authored by: Gwinnett Medical Center Information Security Department Modified for affiliated schools’ students & instructors by: Linda Horst, RN, BSN, BC


Information Security Training 2010

Authored by: Gwinnett Medical Center Information Security Department

Modified for affiliated schools’ students & instructors by: Linda Horst, RN, BSN, BC


Objectives

After you finish this Computer-Based Learning (CBL) module, you should be able to:

Explain the basic concepts included in the GMC Security Initiative.

Explain your security responsibilities and the part you play in protecting sensitive information and assets belonging to GMC.


Topics Covered in this CBL

- GMC Information Security Initiative
- Acceptable use
- Social engineering
- Passwords
- Desktop security
- Computer viruses
- Disposal of sensitive information
- Notebook computers and portable devices
- Information Security incidents or breaches
- Reporting incidents or breaches


GMC Information Security Initiative

Mission

The mission of the GMC Information Security Initiative is to protect the Confidentiality, Integrity, and Availability of GMC information and information technology by applying innovation, sound strategies, and proven security best practices.


GMC Information Security Initiative

Regulations, Standards

The GMC Information Security Initiative is based on the following regulations and standards:

- Health Insurance Portability and Accountability Act (HIPAA).
- National Institute of Standards and Technology (NIST) standards.
- Health Information Technology for Economic and Clinical Health (HITECH) Act.
- Payment Card Industry (PCI) standards.
- Joint Commission (JC) accreditation.


GMC Information Security Initiative

GMC Responsibilities

GMC must:
- Set up and follow information security policies.
- Train employees to follow the policies.
- Have an information security official who is responsible for making sure security rules are set up and followed.
- Make sure certain sensitive information stays secure.
- Control access to electronic protected health information (ePHI).
- Protect ePHI from alteration, destruction, loss, and disclosure to unauthorized persons.


GMC Information Security Initiative

Associate Responsibilities

Associates must:
- Comply with GMC security policies and procedures.
- Sign a confidentiality agreement:
  - Before beginning work, and
  - With each performance review, or annually, or as appropriate.
- Agree, in writing, to follow security policies.
- Report security breaches or incidents.


Acceptable Use

GMC Assets

Our GMC network, e-mail system, Internet, and connections to external services are mainly for business use.

You can use GMC technology for personal use if:
- You get your instructor's and the unit manager's permission.
- Your personal use does not interfere with your work or the work of others.

You may not remove GMC assets – such as computers or printers – from the facility.


Acceptable Use

E-mail

Abuses of e-mail privileges include:
- Profanity, obscenities or derogatory remarks.
- Pornographic material.
- Threats and hate literature.
- Chain letters inside or outside the organization.
- Sexual, ethnic, racial or other workplace harassment.

Do not open e-mails from someone that you do not know.


Acceptable Use

Internet Surfing

You may not visit inappropriate Internet sites or engage in inappropriate communications. Examples include sites or communications that are:
- Pornographic.
- Culturally offensive.
- Racist or hate-related.
- Related to gambling.
- Related to computer hacking.
- Terroristic.


Acceptable Use

Internet Newsgroups

If you post anything on an Internet newsgroup or bulletin board from a GMC e-mail address:

Include a disclaimer stating that the opinions you’ve expressed are strictly your own and not necessarily those of GMC.

Exception: If the posting is in the course of business duties.


Acceptable Use

Your Privacy

When you use GMC information technology and computer systems, your activities are not private.

GMC monitors activity that occurs on its network.

If you misuse GMC computer equipment, you are subject to disciplinary action.


Acceptable Use

Your Privacy, continued

GMC monitors electronic forms of communication, including:

- Internet use.
- Corporate e-mail (Outlook).
- Web-based e-mail (Yahoo! Mail, Hotmail, etc.).
- Instant messaging.
- Peer-to-peer file sharing (KazaA, Napster, etc.).
- File transfer (FTP).
- Telnet sessions.


Acceptable Use

Your Privacy, continued

GMC monitors computer use to ensure that:
- Sensitive information is being sent out correctly.
- There are no sexually harassing or pornographic communications taking place.
- Associates are using their time and resources appropriately.
- Associates are viewing appropriate websites.


Social Engineering

Social engineering is the process of tricking or manipulating someone into giving access to sensitive information without the person realizing he or she has been manipulated.

Social engineering remains one of the greatest vulnerabilities for the organization and the most successful way to defeat security.


Social Engineering, continued

Examples of social engineering:

Tailgating: One person, or more than one person, follow(s) an authorized person through a secured door or other entrance when the authorized person opens the door legitimately.

Shoulder surfing: Direct observation techniques, such as looking over someone's shoulder, to get information.


Social Engineering, continued

Examples of social engineering:

Impersonation: A person pretends to be someone that he or she is not – such as a PC tech, support staff, or member of the cleaning crew – in order to gain information.

Example: You receive a phone call from someone claiming to be a PC tech or GMC associate requesting such information as:
- Passwords
- User name
- Other sensitive information


Passwords

Passwords:
- Are a series of characters – such as a, b, c, 1, 2, 3 – known only to you as the person approved to use the computer system.
- Allow you to access the GMC network and applications you are authorized to use.
- Help make sure you are not an intruder and that you are the user.
- Prevent unauthorized access to the GMC network.


Passwords

Make Them Strong

“Strong” passwords:
- Contain characters from three of the following four categories:
  - A capital letter, such as A, B, X, or T
  - A lower case letter, such as a, b, x, or t
  - A number, such as 1, 4, 7, or 9
  - A special character, such as @ * # $ \ or &
- Are at least eight alphanumeric characters long.
- Are changed at least once every 90 days.
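As an added illustration that is not part of the GMC training material, the following Python checks a candidate password against the rules on this slide (at least eight characters, characters from at least three of the four categories, changed within 90 days). It assumes that any punctuation character counts as "special"; the slide lists only a few examples.

```python
import string
from datetime import date

# Policy values taken from the slide: at least 8 characters, characters from
# at least three of the four categories, changed at least once every 90 days.
MIN_LENGTH = 8
MIN_CLASSES = 3
MAX_AGE_DAYS = 90

# Assumption: every ASCII punctuation character is a "special character";
# the slide names only @ * # $ \ & as examples.
SPECIAL = set(string.punctuation)


def character_classes(password: str) -> set:
    """Return the set of character categories present in the password."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in SPECIAL:
            classes.add("special")
    return classes


def check_password(password: str) -> list:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(password)) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} of the 4 character categories")
    return problems


def is_expired(last_changed: date, today: date) -> bool:
    """True when the password is older than the 90-day rotation limit."""
    return (today - last_changed).days > MAX_AGE_DAYS


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ["Gwinnett#2010", "gwinnett", "Ab1"]:
        print(candidate, check_password(candidate) or "OK")
    print(is_expired(date(2010, 1, 1), date(2010, 4, 2)))
```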


Passwords

“Don’ts”

- Do not share passwords with anyone. Doing so makes you responsible for the actions others take with your computer access.
- When possible, do not use the same password for accessing multiple GMC applications.
- Do not use the “remember password” feature of computer programs.


Passwords

Storage and Breaches

- Do not store passwords in your office where they are accessible to others. Example: On sticky notes or attached to your computer or keyboard.
- Keep written passwords on your person. Example: Inside your badge.
- If you suspect that your password has been compromised, report the incident to the Customer Response Center at x23333.


Desktop Security

- Log off and exit computer programs when leaving a workstation.
- When not in use, protect all computers, computer terminals, and printers with key locks, passwords, or other controls.
- Ensure that your computer screen is turned so that passersby cannot read information on the screen (shoulder surfing).


Desktop Security

Screensaver

GMC uses screen savers throughout the system. Personal computers are set to time out after a period of inactivity:
- Clinical: 1-minute screen timeout for inactivity. Not password protected.
- Administrative: 15-minute screen timeout for inactivity. Password protected.
- Exempt: No screen saver. Not password protected. Exempt list additions must be supported by a good business reason and approved by Information Security and either the Chief Information Officer (CIO) or the Senior Information Security Officer (SISO).


Desktop Security

Data Backup

The hard disc in your computer is always at risk of breaking down. Back up your important documents to your H: or G: drive.
- The H: drive is your “Home” or personal network drive. As a rule, only your login name will have access to this data.
- The G: drive is your “Group” or department share drive. The members of your department or group all have access to this data.

Information Services backs up these network-based drives nightly.

Generic logins – those logins used by many people – usually do not have H: or G: drive access.


Computer Viruses

Computer viruses are dangerous! A computer virus is a program that:

Runs on a computer without the knowledge or permission of the user, and

Is meant to damage your computer or to gain access to your information.

GHS runs anti-virus software, but we need your help to ensure that we all do the best job we can to protect our network and the sensitive information that we are privileged to handle.


Computer Viruses, continued

Viruses can:
- Spread onto computer discs and across a network.
- Corrupt data files.
- Format your hard drive.
- Delete files.
- Install software that will allow a hacker access to your system.
- Cause a total failure of a computer system.


Computer Viruses, continued

Viruses spread through:
- CDs.
- Internet sites.
- File downloads.
- E-mail.

If you suspect that your computer has a virus, contact the CRC at x23333.


Computer Viruses, continued

Never:
- Download software or files from the Internet unless they are from a known and reputable source.
- Open unknown or unexpected e-mail attachments.
- Download files from discs or jump drives:
  - Received from a source you do not trust.
  - Created by an unprotected computer.
- Open an e-mail from someone that you do not know.


Disposal of Media

You must dispose of media containing sensitive information so that the information cannot be accessed by any unauthorized person.

Proper media disposal methods:
- Paper records: Place in Shredit Bins.
- Discs: Take to Information Services (Operations).
- Hard disc drives: Contact the CRC at x23333.


Notebook Computers, Portable Devices

Data on notebook computers and portable devices are at greater risk than other data.

Never leave a notebook computer or portable devices unattended. Lock it up!

Never leave a notebook computer case or portable devices visible in your car.

Store as little sensitive information on the notebook computer or portable device as possible.

If your notebook computer or portable device is lost or stolen, report it to the Information Security and Public Safety departments immediately.


Security Incidents or Breaches

There are three types of information security breaches:

1. Acts of carelessness or negligence. Example: Leaving a notebook computer visible in your car.

2. Acts of curiosity or concern without authorized need to know. Example: Watching over someone’s shoulder to see sensitive information that you are not authorized to view.

3. Acts of malice or for personal gain. Example: Theft of GMC computer equipment.


Reporting Incidents or Breaches

If you believe an information security incident or breach has occurred:

- Let your instructor and manager know, especially if you notice any problems with meeting the rule requirements.
- Report incidents or breaches of sensitive GMC information to:
  - Security hotline: 404-291-8233, or
  - E-mail: Information-[email protected], or
  - Corporate Compliance Hotline: 888-696-9881.


Reporting Incidents or Breaches, continued

GMC takes disciplinary actions in response to confirmed information security breaches.

If you fail to report a known or suspected breach, or if you report a breach for malicious reasons, you might receive a disciplinary action or be removed from your academic experience.

The Information Security department investigates all suspected information security breaches.

Disciplinary action may result in termination of employment and/or your academic experience.

As an associate, if you disagree with the disciplinary action, you can file a grievance.


Information Security Policies

You can access the information security policies covered in this CBL on Gwinnettwork.

- 9530-100 Information Security Program
- 9530-101 Information Security Training
- 9530-102 Disposal of Media Containing Sensitive Information
- 9530-103 Clear Screen and Desk
- 9530-104 E-mail Usage
- 9530-105 User Password Management
- 9530-106 Internet/Intranet Usage
- 9530-107 Secure PC/Workstation Location
- 9530-108 Virus Checking
- 9530-109 Acceptable Use of Computer Equipment
- 300-517 Associate Disciplinary Actions for Confidentiality and Information Security Breaches


Congratulations!

You have completed this CBL module. Continue on to take the test by referring back to the Student Orientation Website.

Questions? Contact Information Security:
- Emmanuel Ogidigben 678-312-4691
- Tracy Goodman 678-312-4381
- Allen Olmstead 678-312-4243

Great Job!