Information Security User Awareness Training
Agenda
• What do we have that is of value?
• Who else may it be valuable to?
• What would happen if…
• What the law says
• How we aim to protect our assets
• What part do I play in keeping our assets safe?
• Summary and Questions
• Quiz
Our Information Assets
• Personal information
• Budgets
• Business plans
• Human resources
• Customer records
• Intellectual property
• Legal
• Product specs
• Financial
• Contractual
• Suppliers
• Physical
• People
• Tax
• Commercial terms
• Operational procedures
Who may be interested in our information assets?
• Cyber-criminals – organised gangs
• Competitors – at home and abroad
• Hacktivists – politically motivated
• Nation states – cyber-warfare
• Fraudsters – individuals inside or outside the organisation
What would happen if…
• Someone else gained access to our assets (loss of Confidentiality)
• Our assets were corrupted in some way (loss of Integrity)
• We couldn’t access our assets (loss of Availability)
How would it affect our:
• Customers
• Employees
• Reputation
• Finances
• Compliance with laws
• Ability to meet contractual obligations
• Health and Safety
What the law says (UK)
• Data Protection Act 1988
• Copyright, Designs and Patents Act 1988
• Malicious Communications Act 1988
• Computer Misuse Act 1990
• Freedom of Information Act 2000
• Privacy and Electronic Communications Regulations 2003
• Digital Economy Act 2010
How will we protect our assets?
• ISO/IEC 27001 – the Information Security Standard
• Management commitment
• Be clear about our policies
• Assess our risks
• Put appropriate controls in place
• Provide resources, training and awareness
• Monitor, review and improve
The ISO/IEC 27001 standard
ISO/IEC 27001 Controls
What part do I play?
• Physical security
• Access and passwords
• Email
• Using the Internet
• Anti-virus
• Mobile computing
• Removable media
• Information disposal
• Security incidents
Physical Security
• Securing doors and windows
• Tailgating
• Wearing badges
• Looking after cards and PINs
• Signing in and escorting visitors
• Challenging strangers
• Clear desk policy
• Overlooking
• Deliveries
Access and Passwords
• Only use your own user accounts
• Never let anyone else use your user account
• Choose a strong password
• Never tell anyone your password
• Never write it down
• Use a different password for each system
• Use two-factor authentication where possible
Email
• Use for work-related emails only
• Never send confidential information by email unless it is encrypted
• Always check that you are sending an email to the correct person
• Read and comply with the Email Policy
• Protect your email password – email is often used to verify password resets in other applications
Phishing Emails
Attacks
• Mass – random
• Spear – targeted on one organisation
• Whaling – targeted on one individual
Types
• Click-through
• Attachments
• Web form capture
How do I tell?
• Unexpected
• Spelling mistakes
• Lack of personal information used
• Asking for an action: open an attachment, go to a website, provide information
Beware! They are becoming increasingly convincing.
Using the Internet
• Don’t disable your firewall software
• Ensure your browser and associated programs are up to date
• Check that links go to the site stated
• Check for HTTPS and the padlock symbol when performing confidential transactions
• Don’t download unknown programs
• Limit work-related information posted on social media sites
• Do not visit sites that are against the Internet Acceptable Use Policy
Anti-Virus
• Never disable your anti-virus protection
• Keep your AV signatures and updates current
• Allow a scan to be performed regularly
• Report any viruses found to the IT Help Desk
Mobile Computing
• Never leave devices unattended in a public place or vehicle
• Keep them locked away when not in use
• No confidential information is to be stored on mobile devices unless previously approved
• Use screen lock and, if possible, whole-disk encryption
• Do not install unauthorised software
• Do not allow others to use your business device
• Consider backups and anti-virus protection
Removable Media
• Any attachable device with storage, e.g. USB drives, memory cards, CD/DVDs
• Should not be used unless previously approved
• Must be encrypted if confidential information is to be stored
• Never insert unknown media into your PC or device, e.g. a USB stick you have found
Information Disposal
• Dispose of information appropriately according to its type
• Confidential information must be disposed of securely
• Paper must be shredded
• Electronic devices or media that may contain confidential information must be disposed of securely; hard disks may be shredded
Security Incidents
• An incident may be an actual or potential breach of policy or loss of data
• Information security incidents should be reported to the IT Help Desk
• In some cases, there may be a need to treat the area as a crime scene
• Evidence should be preserved where possible
Summary
• We must protect our information assets
• The consequences to the organisation are potentially very severe
• The organisation will do what it can… but you have a key part to play in achieving this
• Be careful and vigilant, especially on the Internet
• If you’re unsure, please ask your manager
Questions
Quiz
1. Name three of our information assets
2. Name two groups who may try to gain unauthorised access to our information assets
3. Give two ways in which the organisation may be affected by an information security breach
4. ISO/IEC xxxxx is the Information Security standard – what is xxxxx?
5. Give an example of a “strong password”
6. If you recognise a “phishing” email, what should you do with it?
7. If you find a USB memory stick in the car park, what action should you take?
8. What are your responsibilities when you have a visitor?
9. Who would you report an information security incident to?
10. Whose responsibility is information security within our organisation?