Topics

Explore these resources to help you formulate your plan and find the materials you need to meet your training objectives. The materials referred to, and linked to, from this site are free (or were when they were found).


Computer Security

Objective: Demonstrate knowledge of computer security

Lock computer when not present

Install and activate software firewalls on all of your business systems

  1. Every computer in the network should have its own software firewall enabled.
  2. The Microsoft operating system has a built-in firewall, which can be easily located in the Control Panel. Ensure it is always turned on.
  3. For other commercial operating systems, the operations manual should have instructions about the firewall options.
  4. For an added layer of security, commercial firewall software can be installed.
  5. Ensure that any employees working with office data at home also adhere to these rules.

Patch your operating systems and applications.

  1. Operating systems should be updated automatically and regularly with the latest patches and updates provided by the vendors. With Microsoft, this Automatic Update feature is set in the Control Panel, under Security or System.
  2. Major software applications like Microsoft Office should also be regularly updated.
  3. Other installed business applications should also be updated on a regular basis.

Source: Small business information security workbook, version 2.2. Lincke, 2011

How To

Lesson Plan

Teaching tip: Show how easy it is to lock your computer by trying one of the methods noted below. Other methods vary depending on the operating system.

1. Locking the Computer

a. Importance of locking the computer:
b. What you can do:

Discussion point: When you leave your computer unlocked, someone can easily use your computer to perpetrate criminal activity, for which you may be blamed.

Note: The material contained in this lesson plan was adapted from the case study "Awareness and Accountability in Information Security Training" (Mellor & Noyes, 2005) and used with permission.

Lessons

Title URL Duration
InfraGard Awareness Information Security Awareness Training Course - Lesson 8 Protecting your personal workspace Link 4 Mins, 48 Secs
InfraGard Awareness Information Security Awareness Training Course - Lesson 12 Acceptable use of electronic resources Link 6 Mins, 8 Secs
InfraGard Awareness Information Security Awareness Training Course - Lesson 13 Secure use of networks Link 2 Mins, 32 Secs

Policy Templates

Posters

Tutorials

Confidential Information

Objective: Demonstrate knowledge of proper handling of confidential information

Limit employee access to data and information

  1. When giving access to data, ensure the least privileges are assigned.
  2. Provide access only to the systems or information required to do a job. This helps to avoid insider abuse.
  3. Segregation of duties should be followed while assigning roles and responsibilities. For example, an employee initiating a transaction should not be allowed to approve it as well.

Source: Small business information security workbook, version 2.2. Lincke, 2011

How To

Lesson Plan

Teaching tip: Ask the participants to name examples of confidential data and material and to describe what should be done to secure them.

1. Dangers

2. Confidential data and material
3. What you can do:

Discussion point: Ask the participants if they have seen any instances of information not being handled properly.

Note: The material contained in this lesson plan was adapted from the case study "Awareness and Accountability in Information Security Training" (Mellor & Noyes, 2005) and used with permission.

Lessons

Title URL Duration
InfraGard Awareness Information Security Awareness Training Course – Lesson 11 Protecting your workplace from identity theft Link 6 Mins, 50 Secs
NIH Privacy Awareness Course Link 30 Mins to 60 Mins

Tutorials

Title URL Duration
Protecting Personal Information: A Guide for Business (interactive tutorial) Link

Forms

Data Backup

Video: Backup Your Data - SOeC & FBI Cybersecurity Tips

2 Minutes, 1 Second


How To

Procedures

  1. Backups should be done (at least) once a week. If possible, store them on removable media (e.g., DVD).
  2. The removable media should be big enough to hold 52 weeks of backups (e.g., 500GB) and be kept separate from the original data, off-line.
  3. Do a full backup once a month and store it in an off-site location. This would be useful in case of a disaster in your office (fire, theft, flood, etc.). On the removable media create 12 folders, one for each month.
  4. Backup data should be tested periodically to ensure reliability.

Email

Objective: Recognize email threats

Security concerns about e-mail attachments and e-mails requesting sensitive information:

  • Attachments should be opened only from trusted senders.
  • If you are not expecting an e-mail attachment from the sender, it is a good idea to call and confirm, before opening the attachment.
  • Spam e-mail often asks for sensitive information.

Source: Small business information security workbook, version 2.2. Lincke, 2011


How To

Lesson Plan

Teaching tip: Discuss where the acceptable use policy is located and bring a copy with you to show the employees, if possible.

1. Dangers

2. Confidential data and material
3. Monitoring
4. Policy

Discussion point: Ask the participants if they have seen any instances of information not being handled properly.

Note: The material contained in this lesson plan was adapted from the case study "Awareness and Accountability in Information Security Training" (Mellor & Noyes, 2005) and used with permission.

Lessons

Title URL Duration
InfraGard Awareness Information Security Awareness Training Course – Lesson 6 Safe and secure email use Link 6 Mins, 50 Secs

Internet Use

Objective: Recognize risks associated with using the Internet

Security considerations for web surfing

  1. Never use an admin account to surf the Web. If the browser were compromised, the malicious code would run with admin rights.
  2. Always use a secure browser connection for online activities. Before entering secure data, ensure a small lock icon appears in the bottom right of the screen.
  3. Frequently delete temp files, cookies, history, saved passwords, etc. On Windows Internet Explorer this is accomplished via Tools->Options->General->Delete. On Mozilla Firefox use Tools->Clear Private Data, and Tools->Options->Privacy->Show Cookies->Remove All Cookies.

Source: Small business information security workbook, version 2.2. Lincke, 2011


How To

Lesson Plan

Teaching tip: This would be a great time to bring out a copy of company policy and point out to the participants the parts that pertain to this section.

1. Dangers

2. Internet usage
3. What you can do:

Discussion point: Ask the participants if they have seen any instances of information not being handled properly.

Note: The material contained in this lesson plan was adapted from the case study "Awareness and Accountability in Information Security Training" (Mellor & Noyes, 2005) and used with permission.

Lessons

Title URL Duration
InfraGard Awareness Information Security Awareness Training Course – Lesson 10 Safe and secure web use Link 6 Mins, 10 Secs
Internet Safety Link

Policy Templates

Presentations

Mobile Devices

Video: For Tips on the Go

Duration: 30 seconds


Games

Lesson

Title URL Duration
InfraGard Awareness Information Security Awareness Training Course – Lesson 9 Security outside the workplace Link 9 Mins,
Internet Safety Link

Policy Templates

Posters

Videos

Network Security

Router/Firewall Configurations

The recommended settings to provide security for your organization’s Internet connection:

  1. Install a hardware firewall between your office network and the Internet. Most routers have built-in firewall protection with an easy-to-use interface.
  2. Change the default password of the router, and if possible, change the default login name.
  3. Ensure that any employees working with office data at home also adhere to these rules.

Secure your wireless access point and networks

Recommendations to secure wireless access points include:

  1. Disable broadcasting of Service Set Identifier (SSID).
  2. Change default administrator password.
  3. Enable WiFi Protected Access 2 (WPA-2) using the Advanced Encryption Standard (AES) to ensure strong encryption is used while transmitting data.

Personal Security

Train your employees in basic security principles

  1. On the first day of work, employees should be given training on organizational security policies and how to protect sensitive data.
  2. Limit use of telephone, printers and other business-owned resources for personal use.
  3. Request employees sign a statement that they understand the policies and the penalties for not following them.
  4. Security training can also be provided by external sources, such as a technical college or commercial training vendors.

Recommended personnel practices in hiring employees

  1. Do a comprehensive background check, including criminal background check, before hiring a new employee, particularly if they will have access to assets or secure information. Other useful checks include credit check and reference check.

Phishing

Video: For Tips on the Go

Duration: 30 seconds


Objective: Recognize phishing attempts

Security concerns about web links in email, instant messages, social media, or other means

  1. Never click on a link in an e-mail or attachment unless you are expecting it.
  2. If you are not expecting an e-mail link from the sender, it’s a good idea to call and confirm before clicking on the link.
  3. If you hover the cursor over an e-mail’s Web link text, the actual link target is displayed at the bottom of the browser. Make sure the two match and the Web link looks valid.

Security concerns about popup windows and other hacker tricks:

  1. Do not respond to pop-ups while working online. For example, a malicious pop-up message may say that you have a virus on the system. Close it by clicking the X in the upper right corner. If you click OK, it might install spyware or other malicious code.
  2. Infected USB drives are often left unattended by hackers in public places. They intend for unsuspecting people to take the USB drive home or to the office and unknowingly install the worm or other malicious code. For additional protection, disable the “AutoRun” feature for USB drives.

Source: Small business information security workbook, version 2.2. Lincke, 2011.

Games

Lesson Plan

Teaching tip: The reason why Phishing scams are so successful is that they are able to pass as real web sites. Ensure that the participants understand this and are able to discuss prevention methods.

  1. Dangers
    1. Never send anything confidential through email.
    2. Never click on an attachment unless you trust the sender.
  2. Phishing
  3. Phishing scams can come in two main ways:
    1. Email – This happens when you receive a fraudulent email asking you to email the source a new password or to click on a link to change it.
    2. URL redirection – This happens when you click on a hyperlink in an email or on the web and it takes you to a fraudulent web site.
  4. What you can do
    1. Delete any emails requesting login or password information.
    2. Verify the legitimacy of web sites before entering any kind of personal information.

Discussion point: Ask the participants if they have had any experiences with Phishing scams.

Note: The material contained in this lesson plan was adapted from the case study "Awareness and Accountability in Information Security Training" (Mellor & Noyes, 2005) and used with permission.

Posters

  • Suspicious Links - http://www.stopthinkconnect.org/download/galleries/19/data/image.jpg

Personal Security

Objective: Identify methods of physical security (lock office, desk, cabinet)

Control physical access to your computers and network components

  1. Maintain good physical security (locked doors, private keys).
  2. Do not allow any unauthorized person to work on your computers.
  3. Position your computer’s display to hide information on the screen.
  4. Cleaning crews and network repair personnel are often unsupervised in the work area. Take precautions.

Source: Small business information security workbook, version 2.2. Lincke, 2011

Lesson Plan

  1. Dangers
    1. If you don’t maintain proper physical security, you could be at risk for attacks. You never know if your colleague John is waiting for you to leave your workstation so he can access the system in your name or steal something of yours. Lock up and keep threats physically out of reach.
    2. People often impersonate legitimate employees or personnel to gain access to sensitive places and material. Be aware of who is really supposed to be there.
  2. Methods of Physical Security
    1. Properly lock up and secure your workstation upon leaving.
    2. Lock your office door. Close your cabinets and lock them too, if possible.
    3. Try and remind others to do the same thing. Sooner or later someone is bound to forget. Be a help, not a hindrance.

Discussion point: You wouldn’t leave your workplace for the day and not lock it, so why should you leave your work area unlocked or unprotected when it contains such sensitive information?

Note: The material contained in this lesson plan was adapted from the case study "Awareness and Accountability in Information Security Training" (Mellor & Noyes, 2005) and used with permission.

Policy Templates

Social Engineering

Objective: Recognize social engineering attempts

How to protect against Social Engineering:

  1. Providing sensitive information to strangers pretending to be a part of the organization should be avoided. Any such activity should be reported to the management.
  2. Employees should be trained against social engineering attacks from in-person, phone, e-mail, or other electronic methods.

Source: Small business information security workbook, version 2.2. Lincke, 2011.

Lesson Plan

Teaching tip: Talk about possible social engineering situations that may happen at work.

  1. Dangers
    1. “Amateurs hack systems, professionals hack people” (Mellor & Noyes, 2005).
    2. A password or any other confidential information is only as confidential as people are willing to keep it.
    3. Social engineers often prey on sympathy or desire to avoid conflict.
  2. How to combat Social Engineering
    1. Social engineering is an attempt to manipulate legitimate users to gain unauthorized information.
    2. Always be aware of who you are communicating with and what information they are requesting from you.
    3. Don’t give out information (no matter how insignificant it seems) to someone who isn’t authorized to know it.
    4. Don’t offer supplemental information that is not necessary.
      e.g. If Linda is gone for the day and someone calls up and asks if she is in, don’t tell them that she always takes the third Friday off. Just tell them she is not in. Be aware and be careful.

Note: The material contained in this lesson plan was adapted from the case study "Awareness and Accountability in Information Security Training" (Mellor & Noyes, 2005) and used with permission.

Lessons

Title URL Duration
InfraGard Awareness Information Security Awareness Training Course – Lesson 3 How your behavior can be exploited Link 9 Mins, 56 Secs
InfraGard Awareness Information Security Awareness Training Course – Lesson 5 Understanding and avoiding social engineering Link 4 Mins, 5 Secs

Podcasts

Posters

Reading

Policy Templates

Forms

Storage Media

Objective: Recognize risks associated with storage media and portable computers

How to dispose of old computers and media

  1. Destroy a hard disk by drilling several holes into it and beating the hard disk platter with a hammer to ensure data is unrecoverable.
  2. Papers containing sensitive information should be shredded. Other removable media (like CD, DVD, USB, floppy drives) should be destroyed as well.
  3. When organizations do not follow the proper procedure to destroy sensitive data, identity theft can result.

How to get help with information security when you need it

  1. Help or advice should be obtained from a competent, specialized person, when needed.

Source: Small business information security workbook, version 2.2. Lincke, 2011.

Games

  1. Mission: Laptop Security - http://www.onguardonline.gov/media/game-0008-mission-laptop-security

How To

  1. Effectively Erasing Files - http://www.us-cert.gov/cas/tips/ST05-011.html
  2. Erasing Information and Disposal of Electronic Media: A Non-Technical Guide - http://msisac.cisecurity.org/resources/guides/documents/Erasing%20and%20Disposal%20Guide.pdf
  3. Protecting Portable Devices: Data Security - http://www.us-cert.gov/cas/tips/ST04-017.html
  4. Using Caution with USB Drives - http://www.us-cert.gov/cas/tips/ST08-001.html

Lesson Plan

Teaching tip: Ensure that the participants understand the importance of not storing confidential information on removable devices or portable computers.

  1. Dangers
    1. Storage media and portable computers are dangerous due to the ease with which they can be stolen.
    2. Removable storage media can also be copied quickly without any kind of verification.
  2. Handling storage media and portable computers
    1. Storage media can be anything that stores data, including hard drives, CDs, and USB devices.
    2. Portable computers, such as laptops and PDAs.
  3. What you can do
    1. Avoid storing confidential information on removable storage devices or portable computers.
    2. Lock and properly secure removable storage devices at all times.

Discussion point: Ask the participants if they have ever seen any of these items left out around the workplace.

Note: The material contained in this lesson plan was adapted from the case study "Awareness and Accountability in Information Security Training" (Mellor & Noyes, 2005) and used with permission.

Unauthorized Programs

Objective: Understand issues in downloading software from the Internet

  1. Software downloads should be done only from trusted websites, such as Microsoft for Windows updates and Office application updates.
  2. Avoid downloading and using freeware or shareware, since most of them either do not come with technical support or full functionality.
  3. Identify types of unauthorized programs.
  4. Limit authority to install software. To restrict installation of software, ensure employees do not use administrative accounts as normal login.

Source: Small business information security workbook, version 2.2. Lincke, 2011.

Lesson Plan

Teaching tip: Ensure that the participants understand the importance of not storing confidential information on removable devices or portable computers.

  1. Dangers
    1. Unauthorized programs can serve as a launching point for viruses and Trojans.
    2. A virus could infect one computer or a whole network of computers.
    3. A Trojan could be used to send login and password information or other sensitive information to a third party.
  2. Unauthorized programs
    1. Any software that is not pre-installed on the computer system could potentially be an unauthorized program.
    2. Refer to the company acceptable use policy and strictly adhere to it.
    3. Follow the basic rule: If you are not sure, don’t do it, or ask.
  3. What you can do
    1. Ask before loading any kind of software on your workstation.
    2. If a piece of software is allowed, make sure to obtain a copy from a trusted source.

Discussion point: Ask the participants if they have heard any stories of viruses being spread around due to installing unauthorized software on computer systems.

Note: The material contained in this lesson plan was adapted from the case study "Awareness and Accountability in Information Security Training" (Mellor & Noyes, 2005) and used with permission.

Policy Templates

  1. Software Installation Policy - http://www.sans.org/security-resources/policies/computer.php

Posters

  1. Software Installation Policy – Poster - http://www.sans.org/security-resources/policies/computer.php

Viruses and Malware

Objective: Protect information/systems/networks from damage by viruses, spyware, and other malicious code.

The recommendations to ensure computers in the office network are protected from viruses, spyware, and other malicious code include:

  1. Anti-virus and anti-spyware software should be updated on a regular basis.
  2. Anti-virus should be set to auto update daily, for example at 12 midnight and then do a scan one half hour later.
  3. Anti-spyware should be set to auto update daily, for example at 2:30 AM and then a full system scan one half hour later. This procedure makes sure that only one activity is performed at a time.
  4. If the employees work from home, they should also have anti-virus and anti-spyware installed on their home computers.

Activities

Games

Glossaries

How To

Lessons

Title URL Duration
InfraGard Awareness Information Security Awareness Training Course – Lesson 7 Protecting against viruses, spyware, and spam Link 6 Mins, 30 Secs

Presentations

Videos

Password

Objective: Demonstrate knowledge of secure password management

Require individual user accounts for each employee on business computers and for business applications

  1. Every employee should have an individual login account.
  2. Employees should not be logged in as administrator, to avoid harmful actions if the computer is compromised.
  3. Passwords should be complex, including a combination of upper/lower case, numbers, and punctuation, and at least 8-10 characters long. Passwords should be changed every 3 months.
  4. Login IDs and passwords should not be shared.

Source: Small business information security workbook, version 2.2. Lincke, 2011.

Source: Creating a Secure Password - SOeC & FBI Cybersecurity Tips

Length: 2 Minutes, 31 Seconds


Lesson Plan

Teaching tip: The two most important areas to focus on are the importance of frequent password changes and selecting a strong password.

  1. Dangers
    1. “80% of all network security problems are caused by bad passwords” (Mellor & Noyes, 2005).
    2. Bad passwords can allow intruders access to your financial information and the possible theft of your identity.
  2. Passwords should contain:
    1. At least 8 characters
    2. Upper and lowercase letters
    3. Numbers
    4. Special characters such as: ! @ # , ) (
  3. Methods to remember extremely strong passwords:
    1. At least 8 characters
      1. Example: 17 years ago, I went to Italy translates into 17ya,IwtI
      2. Example: My little sister turned 7 this July! translates into Mlst7tJ!
    2. A password should be guarded with the utmost care and never divulged to anybody.
  4. 25 Worst Passwords on the Internet
    1. password
    2. 123456
    3. 12345678
    4. qwerty
    5. abc123
    6. monkey
    7. 1234567
    8. letmein
    9. trustno1
    10. dragon
    11. baseball
    12. iloveyou
    13. sunshine
    14. ashley
    15. bailey
    16. passw0rd
    17. shadow
    18. 123123
    19. 654321
    20. superman
    21. qazwsx
    22. michael
    23. football

    Source: ABC News, 2011.
  5. Activity “Check your password - is it strong?”
    1. https://www.microsoft.com/security/pc-security/password-checker.aspx

Discussion point: A simple password such as “Idaho” can be broken in less than two minutes. On the other hand, a more complex password, such as “Mlst7tJ!” would (theoretically) take almost 2,000 years to break (Mellor & Noyes, 2005).

Note: The material contained in this lesson plan was adapted from the case study "Awareness and Accountability in Information Security Training" (Mellor & Noyes, 2005) and used with permission.

Lesson

Title URL Duration
InfraGard Awareness Information Security Awareness Training Course – Lesson 4 Passwords Link 9 Mins, 23 Secs
Microsoft Digital Literacy, Computer Security and Privacy Course, Guidelines for Protecting Your Computer Topic Link
Passwords - The First Step to Safety Link

How To

Policy Templates

Posters

Tutorials

Forms


Copyright KISS@ © 2015, All Rights Reserved