Who must complete this training

Similar documents
SHS Annual Information Security Training

National Cyber Security Month 2015: Daily Security Awareness Tips

Cyber Self Assessment

NC DPH: Computer Security Basic Awareness Training

Marlon R Clarke, Ph. D., CISSP, CISM Director Network Operations and Services, NSU

Cyber Security Best Practices

Section 5 Identify Theft Red Flags and Address Discrepancy Procedures Index

HIPAA Security Training Manual

The Department of Health and Human Services Privacy Awareness Training. Fiscal Year 2015

Information Security It s Everyone s Responsibility

DHHS Information Technology (IT) Access Control Standard

HFS DATA SECURITY TRAINING

Computing Services Information Security Office. Security 101

How To Protect Your Information From Being Hacked By A Hacker

Appendix A. 1 Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Online Security Awareness - UAE Exchange - Foreign Exchange Send Money UAE Exchange

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014

Your security is our priority

IT Security DO s and DON Ts

HFS DATA SECURITY TRAINING WITH TECHNOLOGY COMES RESPONSIBILITY

Cybersecurity Best Practices

HIPAA and Health Information Privacy and Security

HIPAA Security Alert

Introduction to Computer Security

Must score 89% or above. If you score below 89%, we will be contacting you to go over the material individually.

BSHSI Security Awareness Training

How To Protect Research Data From Being Compromised

Protecting your business from fraud

The following information was provided by SANS and discusses IT Security Awareness. It was last updated in 2015.

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

ASCINSURE SPECIALTY RISK PRIVACY/SECURITY PLAN July 15, 2010

Internet threats: steps to security for your small business

SBA Cybersecurity for Small Businesses. 1.1 Introduction. 1.2 Course Objectives. 1.3 Course Topics

10 Quick Tips to Mobile Security

Protect Yourself. Who is asking? What information are they asking for? Why do they need it?

Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines

DSHS CA Security For Providers

Topics. What are privacy and security all about? How can I protect confidential information? What should I do if I see a problem?

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

Written Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution.

HIPAA TRAINING. A training course for Shiawassee County Community Mental Health Authority Employees

Wellesley College Written Information Security Program

Know the Risks. Protect Yourself. Protect Your Business.

How to Practice Safely in an era of Cybercrime and Privacy Fears

INFORMATION SECURITY GUIDE. Employee Teleworking. Information Security Unit. Information Technology Services (ITS) July 2013

HIPAA Privacy & Security Rules

Network and Workstation Acceptable Use Policy

General Rules of Behavior for Users of DHS Systems and IT Resources that Access, Store, Receive, or Transmit Sensitive Information

Cyber Security Awareness

Information Security It s Everyone s Responsibility

Information Systems Security & Privacy Awareness Training

Information Security

Safe Practices for Online Banking

For All HIPAA Workforce Members Revised April 2013

Security Awareness. ITS Security Training. Fall 2015

A Guide to Information Technology Security in Trinity College Dublin

New River Community College. Information Technology Policy and Procedure Manual

AVOIDING ONLINE THREATS CYBER SECURITY MYTHS, FACTS, TIPS. ftrsecure.com

Protect yourself online

ONLINE BANKING SECURITY TIPS FOR OUR BUSINESS CLIENTS

Part 14: USB Port Security 2015

DATA SECURITY HACKS, HIPAA AND HUMAN RISKS

Corporate Account Take Over (CATO) Guide

Network Security for End Users in Health Care

Austin Peay State University

Retail/Consumer Client. Internet Banking Awareness and Education Program

PROTECT YOUR COMPUTER AND YOUR PRIVACY!

Data Access Request Service

Keeping you and your computer safe in the digital world.

TMCEC CYBER SECURITY TRAINING

Chronic Disease Management

HIPAA Self-Study Module Patient Privacy at Unity Health Care, Inc HIPAA Hotline

Information Security

Acceptable Use of Information Systems Standard. Guidance for all staff

SUPREME COURT OF COLORADO OFFICE OF THE CHIEF JUSTICE

Identity Theft Prevention Program Compliance Model

How To Protect The Time System From Being Hacked

When visiting online banking's sign-on page, your browser establishes a secure session with our server.

Tips for Banking Online Safely

Health Insurance Portability and Accountability Act (HIPAA) Overview

Learn to protect yourself from Identity Theft. First National Bank can help.

FedEx Guide for. Information Security. Version 5.0

Guadalupe Regional Medical Center

Tahoe Tech Group serves as your technology partner with a focus on providing cost effective and long term solutions.

Hot Topics in IT Security PREP#28 May 1, David Woska, Ph.D. OCIO Security

Sound Business Practices for Businesses to Mitigate Corporate Account Takeover

Career Connection, Inc. Data Privacy. Bringing Talent Together With Opportunity

Hamilton College Administrative Information Systems Security Policy and Procedures. Approved by the IT Committee (December 2004)

Page 1. NAOP HIPAA and Privacy Risks 3/11/2014. Privacy means being able to have control over how your information is collected, used, or shared;

ONE Mail Direct for Mobile Devices

HIPAA PRIVACY AND SECURITY TRAINING P I E D M O N T COMMUNITY H EA LT H P L A N

Protecting Yourself from Identity Theft

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

CUSTOMER SECURITY AWARENESS PROGRAM

How to stay safe online

PHI- Protected Health Information

Authorized. User Agreement

SECURITY FOR ENTERPRISE TELEWORK AND REMOTE ACCESS SOLUTIONS

Responsible Access and Use of Information Technology Resources and Services Policy

Transcription:

Stop!! THINK Click

Who must complete this training All Users: This training is required for all individuals, including contractors and vendors, with security access to sensitive or confidential systems owned by the Department for Aging and Rehabilitative Services (DARS). New Users: Each individual must complete this training when security access is granted. Annually: Refresher security training is required annually. Certification: Supervisors must certify and report completion of training to their DARS system administrator or security contacts: FRS-Support/LTESS-EES: Donna Bonessi Div for the Aging: Leonard Eshmont DSA Videoconferencing (VTC): Joyce Haskins-McKune

Accessibility This program is designed to meet standards for accessibility for individuals with disabilities. Class Presentation: This presentation is adapted for use in a small class or staff meeting that allows individuals to participate by listening to the narrator or reading the content directly from each slide. The program should be narrated directly from the slide presentation. For individuals that are deaf or hard of hearing, closed captioning is not required and interpreters are not needed unless external discussion is included. Self-Paced: This presentation can also be used as a standalone, self paced learning module using screen reader assistive technologies.

Learning Objectives In this program you will review: Policy: Review and understand current security policies that govern your use of COV and DARS systems and data. Threats: Identify common threats to COV systems, confidential data and sensitive information. Your Role: Understand what you can do to improve security, and how to report incidents and suspicious activities.

Section One: Overview of Cyber Security Policies This section reviews current scope of policies for the Commonwealth of Virginia (COV) as they relate to devices and files, logons and passwords, security updates, physical security, and protected data.

Section One-Policies: Scope of Policies All COV agencies, contractors and vendors with access to sensitive or confidential systems are required to adhere to policies governing personally identifying data, protected health information, and sensitive data, including policies published by the Virginia Information Technology Agency (VITA). All Users with access to COV networks and DARS systems must follow these policies. The Information Security Access Agreement (ISAA) and Acceptable Use Policy must be signed by all individuals requesting access to COV and DARS systems.

Section One-Policies: Logons and Passwords COV requires enforcement or the following standards Use of strong passwords which include upper case alpha, lower case alpha, numeric (0-9) and non-alphabetic characters (~! # $ % ^ & *) in positions 2-6. Passwords must be changed every 90 days. Passwords cannot be changed in less than 7 days. and cannot have been used within last 4 changes. Five unsuccessful attempts will lock your account. Tip: These are secure standards you should also apply to all of your accounts, including personal accounts.

Section One-Policies: Logons/Passwords (continued) Your Role: The policy also states that end users are responsible for enforcement of certain standards: Your system or browser may not be configured to remember passwords. Passwords will not be written down and posted in plain sight. You may NEVER share your passwords with anyone else for any reason.

Section One-Policies: Security Updates VITA policy mandates the following standards for security updates and patches: Operating systems will be protected by applying automatic security updates and patches. Applications are configured for automatic security updates and patches (For example, for Microsoft Office, Outlook, Internet Explorer, Adobe Reader). Security Software such as McAfee and Norton Antivirus will be kept up to date and configured for regular scans. Security software should be set to scan Internet pages, email, attachments, and downloads. Your role: You should not change automatic settings or over-ride security updates.

Section One-Policies: Devices and Files Devices, including external digital storage devices, must be owned or approved by your organization to be connected to sensitive DARS systems. PC s will be manually locked when unattended, automatically locked after a period of inactivity, for example, fifteen minutes, set to require a password to re-activate, logged off overnight. Files must be stored and backed up on your server and must be encrypted when shared over network connections.

Section One-Policies: Physical Security Physical security policy requires protection of your work space, physical devices and files. You must: Lock or shut down your workstation when you leave your desk or leave your laptop/mobile device unattended. Lock sensitive paper documents and materials in a file cabinet. Dispose of sensitive materials appropriately. Never share your building access key, card or security fob. Always question unescorted strangers. You must always report incidents and suspicious activities to your manager and security officer.

Section One-Policies: Protected Data Certain types of data are protected and regulated by the: Social Security Administration (SSA) Controls the use of social security numbers (SSN s) U.S Department of Health and Human Services (HHS) Administers the Health Insurance Portability and Accountability Act (HIPAA) Virginia Information Technology Agency (VITA) Responsible for the information security standards commonly referred to as Sec 501 Library of Virginia (LVA) Governs all records, including electronic files, under the authority of the Virginia Public Records Act )

Section One-Policies: Protected Data (continued) Types of protected data can include: Protected Health Information (PHI) Such as data contained in medical and health records and is governed by HIPAA. Personally Identifiable Information (PII) Includes use of Social Security Numbers (SSN) governed by the SSA, and can include the SSN in combination with other identifying information such as name, date of birth, employment, insurance, residence and telephone numbers. If lost, compromised, or disclosed without authorization, this information could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. Sensitive data Defined as data, documents, or files which, if compromised, would have an adverse effect on the COV, your agency or organization, and is governed by VITA (Sec 501) and the Library of Virginia (Records Act).

Section One-Policies: Protected Data (continued) Required Protections by Users: All PHI, PII and sensitive data must be protected by: Storing data and files in a secure physical environment, Storing files only on devices owned and approved by your organization, Encrypting mobile and external storage devices that contain these files, including laptops, external hard drives, USB thumb drives and CD s. Encrypting files that are in transit which includes files sent via email and non-secure direct file transfer.

Section One-Policies: Summary of Policies Your role: Always be aware that COV/DARS systems are governed by security policies and regulations, and follow safe practices that are in your control. Do not share your access with anyone, including your passwords, keys, badges, and access codes. Keep your PC desktop locked when you are not using it, and lock your mobile devices in a secure location. Protect your files and do not send them via email or share them electronically without encryption. Be aware of your work area and physical surroundings and report suspicious activity.

Section Two: Common Cyber Security Threats This section reviews common cyber security threats with suggestions on what you can do to protect yourself and COV/DARS systems from harm.

Section Two-Threats: Basic Concepts Concept One: Electronic systems may not be secure. VITA and DARS, and your organization attempt to provide protections with firewalls, electronic enforcement and monitoring systems. But that does not completely protect you from interacting with malicious and harmful software. You can still be targeted directly and persistently by email messages, texts, and malicious Internet links. Concept Two: You control what you click. Even with all the security COV/DARS and your organization can apply, most end user threats are targeted specifically in hopes that you will go ahead and click on a harmful link, attachment, picture, video or icon in an email or web page, including social media applications.

Section Two-Threats: Your Role Stop! Pause before you click Your work relies on email and Internet interactions. Take a moment and remember that each click could be potentially harmful. Even if it at first appears to be from a legitimate source. Think! Verify and Validate You must be aware, be alert and diligent. Always look for the signs that external entities are trying to gain access to your PC and your network. Click! Proceed only if you are confident it is safe

Section Two-Threats: Email Threats Phishing, Spoofs, Hoaxes, Malware, Scams and Spam The most prevalent and persistent threats to your security arrive in your Inbox. They come by different names and may even appear legitimate and even supposedly from people you may know. The Common Threat: Malicious emails appeal to your greed, your fear, your sense of humor, your curiosity, and even your compassion. They are designed to get you to click on an item such as an attachment, link, picture, or video. Result: If you click, you may launch a harmful program or be directed to a harmful web site. You may then find your personal information compromised, and you may subject your organization s network to malicious software and possibly direct infiltration.

Section Two-Threats: Email (continued) Stop: Do not assume that links in your email are automatically safe, Especially if the link is requesting you to provide personal information. Think: Look at all emails carefully. If you cannot identify the source and attachments as legitimate, or you cannot be sure the links are safe by looking at the actual destination web address, you can logically conclude that you should be cautious. Click: Only after you are confident that the action is legitimate and safe. Protect all of your email accounts. Report all incidents and suspicious activity to security.

Section Two-Threats: Internet Threats Browsing Can Hazardous To Your PC The Internet is a significant resource for business and government services. However, some of the same issues that attack email can create security issues that you need to be aware of while browsing directly on the Internet. The Common Threat: On the web, the threats mainly come from malicious links. Most of the threats come when you click on a link, icon, picture, video, etc., that launch malicious programs or re-direct you to dangerous sites. Result: If you click, you may then find your personal, client, and sensitive business information compromised. You may also subject your network, PC and other devices to malicious software.

Section Two-Threats: Internet (continued) Stop: Do not automatically click on Internet links until you have confidence in them. This includes pictures, videos, and navigational elements. Think: Look at the actual address for the links in question. For instance if the link indicates Click Here be sure to identify the actual destination web address before you proceed. Look for external web addresses that are secure. The address should begin with https:// instead of http:// Click: Only after you are sure the destination web site is safe. Browse Safely Report all suspicious links and web sites to security.

Section Two-Threats: Social Media Social Media can be un-sociable While usually relatively safe (for instance, DARS Face Book and Twitter pages) the rapid increase in social networking and collaborative sites like Face Book, LinkedIn, You Tube, and Twitter have offered new opportunities for hackers and thieves. The Common Threat: It is PERSONAL! By nature these sites are personal. You may be sharing highly personal information, including information about yourself, employer and perhaps even about clients. You are communicating with others in a highly interactive, very public, and non-secure environment. Result: You could find highly personal and sensitive information compromised. When visiting and using these sites always use the highest level security settings and be careful of the personal information and even images that you post.

Section Two-Threats: Social Media (continued) Stop: before you, like, share or post Assume that everything you post can possibly be re-posted and used without your permission Think: Is it secure and appropriate? Use the highest security and privacy settings for your personal social media accounts Be careful of sharing work related information and in particular do not share any information about clients or violate the mandate against dual relationships Be aware that malicious links, videos, and other harmful items can be posted on social networking sites Check to see if links posted by others are designed to take you to alternate sites that appear suspicious Click: Only after you are sure the action is legitimate and appropriate and that you are not compromising your personal information or others Be social, but also be careful, and be appropriate. Report all suspicious postings and information breaches to security

Section Two-Threats: Files Files Require Protection and Encryption The business process may require sharing of information that is confidential, personally identifiable and sensitive. This information must be secured and maintained according to federal standards, COV security standards and Library of Virginia requirements. Information that is being digitally shared is termed In Transit and must be encrypted. This includes files that are being sent via email. If digital encryption is not available the policy allows for files to be faxed. The Common Threat: Data Leak and Data Breach Unprotected files may be leaked and data may be stolen. Result: Potential financial and legal penalties Data leaks and breaches may result in identity theft, financial loss, and other malicious uses. Incidents come with legal and financial implications to the COV and DARS, and to individuals.

Section Two-Threats: Files (continued) Stop: Before you save or share a file Assume there is a potential for a data leak or data breach. Understand that sending unprotected files via email is not secure. Be cautious that transferring files on the Internet may also not be secure, depending on how the site is configured. For instance, https versus http. Think: Is it Secure? When you are saving a file, are you storing it on a secure server, an encrypted PC or external device that is owned and approved by your organization? Assume that sharing any file is potentially a data leak. If sharing a file using email, are you able to use encryption? Click: Only if you are saving the file to a secure location Only if you are sharing a file using encryption. If not, use fax Share Files Securely. Report immediately all suspected data breaches and data losses

Section Two-Threats: Telework/Internet Connections For mobile workers: be careful with your connections The ability to work away from the office is beneficial and flexible. But mobile workers need take special note of the inherent risks when connected to public access points including wireless connections. Special care should taken when working with these connectopms. The Common Threat: It is Public! Public access points, or Internet connections, are just that: Public. All your activity is potentially exposed. Especially if it is wireless. Result: Compromised systems and data breaches Individuals with the knowledge and ability can take over an unprotected PC and load malicious software or steal information including passwords.

Section Two-Threats: Telework/Internet Connections (continued) Be sure to connect securely to public access points Virtual Private Network (VPN): VPN allows you to launch a secure Internet connection so that even with a public access point, you are able to work connected securely to DARS systems, connect to your own organization s applications and file shares with a greater level of confidence. Device Encryption: Always make sure your Laptop, Tablet Smart Phone or other mobile device is password-protected. Device encryption and anti-virus software should be installed on all mobile devices that connect to COV systems.

Section Two-Threats : Telework/Internet Connections (continued) Stop: Check your connection Assume all public Internet connections are not secure, including all wireless access points. Think: Is it Secure? When you are prompted to connect to a public access point, be sure you know what you are connecting to. It is not secure unless you connect to a public access point using VPN. Click: Only if you are confident in the connection and you are using VPN. Telework Safely! Always use VPN when you are mobile

Section Two-Threats : Reporting Incidents Report incidents and suspicious activities including potential data leaks and data breaches to: Your Manager Your Organization s Security Officer Your DARS System Administrator or Security Contact For ESO s (LTESS/EES): - Donna Bonessi or Ella Barnes For AAA s (NWD): - Leonard Eshmont For Videoconferencing (VTC): - Joyce Haskins-McKune

Take the Cyber Security Pledge! Print and sign the pledge on the next slide and post it as a reminder.

DARS Cyber Security Pledge I, Date: PLEDGE to: Stop, and Think (consider appropriateness and risk) before I Click on links, attachments and other objects that connect to the Internet or launch programs. Take personal responsibility for security, follow my organization s security policies, and adhere to sound security practices. Lock my computer whenever I leave my work area. Safeguard portable computing equipment when I am in public places. Create and use strong passwords, and never share my password(s) with anyone. Never leave a written password (sticky note, etc.) near my computer, or easily accessible. Promptly report all security incidents or concerns to my organization s security officer or other appropriate contact. Safeguard Protected Health Information (PHI), Personally Identifiable Information (PII) and sensitive data from any inappropriate disclosure. Work to the best of my ability to keep my organization s staff, property and information safe and secure. Spread the message to my friends, co-workers and community about staying safe online

Remember: Security is a shared responsibility. Take the time and care every day to protect yourself, your organization, your clients, and your family, through your own cyber-safe practices.

THANK YOU For completing the DARS Cyber Security Awareness Training. Certification: Please register your completion with your ISO or Supervisor And report completion of training to your DARS system administrator or contact. FRS-Support/LTESS-EES: Donna Bonessi Div for the Aging: Leonard Eshmont DSA Videoconferencing (VTC): Joyce Haskins-McKune

Additional Resources VITA http://www.vita.virginia.gov/security/toolkit/ OnGuardOnline.Gov: Securing your computer: http://www.onguardonline.gov/topics/secure-your-computer NIST: 7 Practices for Safer Computing http://csrc.nist.gov/groups/sma/fasp/documents/security_ate/sto pthinkclick.pdf

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information