IT Security Awareness


To be customized with customer corporate image

IT Security Awareness Program an Introduction
A security awareness program is a formal program with the goal of training users about the potential threats to an
organization's information and about how to avoid situations that might put the organization's data at risk.

The goals of the security awareness program are to lower the organization's attack surface, to empower users
to take personal responsibility for protecting the organization's information, and to enforce the policies and
procedures the organization has in place to protect its data. Policies and procedures might include but are not
limited to computer use policies, Internet use policies, remote access policies, and other policies that aim to
govern and protect the organization's data.

In information security, people are the weakest link
People want to be helpful. People want to do a good job. People want to give good customer service to their
coworkers, clients, and vendors. People are curious. Social engineers seek to exploit these characteristics in
humans. “Social Engineering is defined as the process of deceiving people into giving away access or
confidential information”. The only known defense for social engineering attacks is an effective security
awareness program. Unless users understand the tactics and techniques of social engineers, they will fall prey
and put the organization's data at risk.

Bank Security Awareness Training methodology
1. Gathering information about the target before the test (reconnaissance)
2. Identifying all possible entry points, vulnerabilities, and weaknesses
3. Attempting an exploit to gain entry
4. Reporting back findings and providing detailed instructions for remediation

Questions to ask to determine how vulnerable your network is
✓ How long ago was my last vulnerability test?
✓ How many changes and/or upgrades has my network had since my last vulnerability test?
✓ Do the countermeasures I have in place to prevent an intrusion actually work?
✓ What security layers should I implement next to best protect my company's assets?
✓ Do I know where confidential and sensitive data is located on my network, enterprise wide?
✓ How do I know if my IT Security reports are accurate?

Vulnerability Assessment

Awareness training should cover
• Safe Web surfing
• Acceptable uses for the Internet (for those allowed access)
• Policies against downloading software to desktops
• The types of Web sites that are prohibited by policy, especially those likely to breed spyware
• Tips on spotting potentially infected desktops
• When to call the Help Desk

EMPLOYEE PRACTICE

You are the TARGET…
• You, and your access to corporate data, are now the primary target of hackers.
• Gaining access to your login information allows them to impersonate you, or use your computer, to gain access to corporate systems and data.
• Technology can address only a fraction of security risks.

SANS Securing The Human
• Training must be taken once a year and consists of a group of short videos followed by short quizzes.
• Security Awareness Training is mandatory for all Banner Finance / HR users.
• Certificate of completion can be printed at end of assessments.
• {customer certification link}

Security Awareness Basics
• University Policies
• Password Security
• Duo Account Security
• Email Security
• Securing The Human Training
• Safe Browsing
• Ransomware
• Privacy
• Data Security and Encryption
• Mobile Device Security
• Reporting an incident
• Reminders
• Other Security Resources

WFH (Working From Home)
not use default passwords that are preconfigured on your wireless networks as they could be compromised.

Working From Home
• Ensure you retain a work–life balance and can switch off properly in the evening.
• Look out for signs of stress in colleagues. Be supportive and available to lend an ear.
• Do not leave your laptop on show overnight, unattended, or by open windows. Lock it away or store it in a safe place.
• Have regular team video calls. They can be a really positive way to start the day.
• Play some good background audio while working, and take frequent breaks so you don't burn out.
• If posting on social media, ensure your laptop screen is not in the picture, or blur it out, as it could disclose sensitive information.
• Try to separate your work environment from your home environment.
• Have virtual coffees or lunches with people you would normally hang out with at work.
• If you are talking about something confidential while on the phone or in a video call, be aware of your surroundings, such as open windows.
• Wake up at least an hour before your scheduled work so you can set your mind to what you need to do or want to get done.
• Create a to-do list with targets of what you want to achieve that day.
• While it is important to keep working hard, it's also important to reward yourself.

Simple everyday habits which employees should practice
These are simple everyday habits which employees should practice in order to understand the basics of security and to realize that
everyone has a role to play in protecting an institution's assets and reputation.

Practice #1/10
Passwords - choose wisely and use strong passwords
Do's -
• Use numbers, letters, punctuation marks and symbols. (Example: Fl4#6r instead of Flower)
• Change your password every 6 months
Don'ts -
• Never write your password down or share it
• Do not use the same password on multiple systems
• Do not use your social security number or the last 4 digits of your SSN in your password

Email - can serve as a medium for e-mail viruses and other attacks
Do's -
• Be cautious with attachments
• Update your antivirus software regularly
• Always scan attachments manually with antivirus software before opening them, and only open them if they must be opened
Don'ts -
• Do not open attachments unless absolutely necessary, especially if they are sent by a stranger

Practice #2/10
Web Surfing - may lead to theft of data and passwords and virus deployment.
Do's -
• Minimize personal use of web browsing at work
• Avoid cookies and software downloads
• Do not visit chat rooms at work
Don'ts -
• Do not use Web-based e-mail systems for the communication of any sensitive information

Backups
Do's -
• Schedule backups regularly, save often
• Store all important files and documents securely on disks or CDs

Practice #3/10
Malware - Viruses, Worms and Trojans
Do's -
• Update anti-virus and anti-spyware weekly
• Use the anti-virus software to run full disk scans monthly
• Scan all floppies, CDs, or other external media that have been used on external systems
• Be very careful with email attachments

Instant Messaging
Do's -
• Update IM software regularly
Don'ts -
• Do not release any confidential information or illicit material

Practice #4/10
PDAs
Do's -
• Physically secure them
• Use passwords and encryption
• Disable wireless auto connection

Telecommuting/Remote Access
Do's -
• Use a personal firewall
• Use encryption
• Use a lower risk format to exchange documents, such as RTF or text files, which are not vulnerable to the transmission of viruses and other malware
• Backup your files regularly on ZIP disk or CD-ROM. This measure ensures that vital information will not be lost in the case of viruses and general hardware failures

Practice #5/10
Destruction of Sensitive Material
Do's -
• Use high quality cross cut shredders to cut paper into fine/small pieces
• CD-ROMs should be fed through a CD-ROM shredder
• Floppy disks and backup tapes should be opened and cut into small pieces

Clean Desk Policy
Do's -
• Please keep your workspace neat. If it is messy, you may not notice when something is missing
• Lock sensitive documents and computer media in drawers or filing cabinets
• Physically secure laptops with security cables
• Secure your workstation before walking away (Ctrl+Alt+Delete or Windows key + L)
Don'ts -
• Do not post sensitive documents. Examples include:
  • User IDs & Passwords
  • IP addresses
  • Contracts
  • Account numbers
  • Client lists
  • Intellectual property
  • Employee records

Practice #6/10
Phishing/Identity Theft - both are actions attempted to fraudulently acquire sensitive information, such as usernames, passwords and
credit card details, by masquerading as a trustworthy entity in an electronic communication or by using the identifying information of
another person without his or her authority.
Do's -
• Report all suspicious emails that you come across in your inbox, or strange calls, that prod you to share information like
your mother's maiden name, your birth date, and the last four digits of your SSN, to the appropriate office authorities
Don'ts -
• Do not open attachments unless absolutely necessary, especially if they are sent by a stranger
• Do not disclose any sensitive information, including mother's maiden name, your birth date, and the last four digits of your SSN,
in any form of written communication or electronic media

Work Station Security - an unlocked workstation is a violation of security policy and leaves the system open to compromise
Do's -
• Please configure a password-protected screen saver to lock after 10 minutes of inactivity
• You should also lock your workstation before leaving your desk:
  a. Press Ctrl + Alt + Del
  b. Click on "Lock Computer"
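
One way to check that the workstation-lock rule above is actually in force on a Windows machine. This is an added example, not code from the original deck; it assumes the current user's screen-saver values live under HKCU:\Control Panel\Desktop and does not inspect settings applied through Group Policy.

```powershell
# Editor-added example, not part of the original deck. Audits (and, with -Fix,
# enforces) the Practice #6 rule for the current user: a password-protected
# screen saver that locks the workstation after 10 minutes of inactivity.
# Assumption: the per-user values under HKCU:\Control Panel\Desktop are the
# ones in effect; values pushed by Group Policy are not inspected here.
param([switch]$Fix)

$desktopKey = 'HKCU:\Control Panel\Desktop'
$maxSeconds = 600   # 10 minutes, the limit stated in the policy above

$p = Get-ItemProperty -Path $desktopKey

# These values are stored as REG_SZ strings, hence the string comparisons.
$saverSet = -not [string]::IsNullOrEmpty($p.'SCRNSAVE.EXE')   # a saver must be selected
$active   = $p.ScreenSaveActive    -eq '1'                     # screen saver enabled
$secure   = $p.ScreenSaverIsSecure -eq '1'                     # "On resume, display logon screen"
$timeout  = 0
if ($p.ScreenSaveTimeOut) { $timeout = [int]$p.ScreenSaveTimeOut }

$compliant = $saverSet -and $active -and $secure -and ($timeout -gt 0) -and ($timeout -le $maxSeconds)

[pscustomobject]@{
    ScreenSaverSelected = $saverSet
    ScreenSaverEnabled  = $active
    PasswordOnResume    = $secure
    TimeoutSeconds      = $timeout
    LimitSeconds        = $maxSeconds
    Compliant           = $compliant
} | Format-List

if ($Fix -and -not $compliant) {
    # Select the built-in blank screen saver so the lock-on-resume setting has
    # something to attach to, then enable it with the required timeout.
    Set-ItemProperty -Path $desktopKey -Name 'SCRNSAVE.EXE'        -Value "$env:SystemRoot\System32\scrnsave.scr"
    Set-ItemProperty -Path $desktopKey -Name 'ScreenSaveActive'    -Value '1'
    Set-ItemProperty -Path $desktopKey -Name 'ScreenSaverIsSecure' -Value '1'
    Set-ItemProperty -Path $desktopKey -Name 'ScreenSaveTimeOut'   -Value "$maxSeconds"
    Write-Output "Screen saver lock settings written; they take effect at the next logon."
}
```

Run it without -Fix to audit a machine, or with -Fix to write the required values for the current user.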

Practice #7/10
Don't Be Afraid to Say No
Do's -
• When someone asks you to violate policy or procedure, hold firm and do what's right; management will support your decision

Laptops - The loss of a laptop can cause irreparable harm to an institution. Laptops must be secured and used responsibly to prevent
compromise of sensitive information or unauthorized network access.
Do's -
• When leaving a laptop unattended in a hotel room or office space, lock it to an unmovable or extremely heavy object using its security cable
• Use firewall software to defend against hacking attempts on public networks and the Internet
• Antivirus definitions must be updated weekly to be effective. Keep your definitions current to avoid a system outage while you are traveling
• Do not save passwords in files, web browsers, VPN clients or any other insecure software
• Store passwords with encrypted password management software

Practice #8/10
Visitor Escort - Unescorted visitors represent a serious threat to the security of an institution.
Do's -
• Visitors must be escorted at all times. Watch visitors closely
• If you need to step away, ensure that someone else accepts responsibility for watching the visitor
• Frequent visitors should be given ID cards/badges of some sort which they can wear so that they can be easily identified
• At no time should a visitor be given access to the company network without formal authorization from the senior management

Give Information on a Need to Know Basis - unauthorized disclosure of sensitive information represents a serious threat to an institution.
Almost everyone has heard the expression "loose lips sink ships".
Do's -
• Disclose sensitive information only to those that need it to perform their duties
• Carefully consider distribution of information to business partners, consultants and clients. In addition to meeting
confidentiality and need-to-know requirements, ensure that all information is protected under a non-disclosure agreement.
Don'ts -
• Do not disclose sensitive information to coworkers unless they have a business related need-to-know. Key questions
are "What are you using the information for?" and "Who will you share it with?"
• Do not disclose sensitive information to friends, family or anyone who does not have a need-to-know.

Practice #9/10
Appropriate Use of Corporate IT Equipment
Do's -
• Handle office equipment and software with care and heightened sensitivity
Don'ts -
• Do not alter any configuration of the operating system or CPU without notification from authorized personnel
• Do not use office equipment for personal purposes

Piggy Backing & Tailgating - Piggybacking occurs when an authorized person allows someone to follow them through a door to a secure area.
Tailgating occurs when an unauthorized person slips in through a door before it closes.
Do's -
• If you find a door that does not automatically close or has a broken lock, contact building security
Don'ts -
• Do not hold the door for anyone you do not know personally, and make sure no one slips in behind you

Practice #10/10
Personnel Screening
Do's -
• Verification and background checks on permanent staff should be conducted at the time of job application. This should include
character references, confirmation of claimed academic and professional qualifications, and independent identity checks
• All employees should be asked to sign a confidentiality or non-disclosure agreement as part of their initial terms and conditions
of the employment process

Computers
Don'ts -
• Do not keep computers online when not in use; either shut them off or physically disconnect them from the Internet connection

Thank You
