Click here to continue Introduction Objective By the end of this instructional course users will be able to Understand the basic concepts of Data Security Ensuring data is available when needed ID: 784197
Download The PPT/PDF document "Data Security Protecting Sensitive Infor..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Data Security
Protecting Sensitive Information
Click here to continue
Slide2Introduction
Objective
By the end of this instructional course, users will be able to:
Understand the (basic) concepts of Data Security:
Ensuring data is available when needed
Maintaining consistent data quality
Protecting data from unauthorized use
Exhibit an understanding of Data Security by:
Identifying the relevant laws which apply to Data Security
Detecting examples of gaps in Data Security
Recognizing strong Data Security policy
Slide3Laws & Legislation
Data Security isn’t just good practice…it’s the law. Specifically, there are
two
important pieces of legislation you need to be familiar with:
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Requires Covered Entities to comply with regulations regarding the privacy and security of healthcare information.
Health Information Technology for Economic and Clinical Health (HITECH) Act
Addresses the privacy and security concerns associated with the electronic transmission of health information
1
.
These two pieces of legislation for the basis of our data security policy, so be familiar with them!
Slide4Laws & Legislation
Data Security can be easy, just remember the acronym
CIA
.
C
I
A
Confidentiality
– ensure electronic protected health information is
not
made available or disclosed to unauthorized persons or processes.
Integrity
– make sure electronic protected health information is
not
altered or destroyed
in any manner
.
Availability
– make sure that electronic protected health information is accessible and usable upon demand by authorized users.
(click each letter to see its meaning)
Slide5Laws & Legislation
Knowledge Check
What are the names of the two pieces of legislation on which our company data security policies are based?
A.
B.
C.
HIPPO and HILITE
HIPAA and HITECH
CIA and FBI
Slide6Laws & Legislation
Knowledge Check
What are the names of the two pieces of legislation on which our company data security policies are based?
A.
B.
C.
HIPPO and HILITE
HIPAA and HITECH
CIA and FBI
Why is this incorrect?
Try again.
INC
ORRECT
Slide7Laws & Legislation
Knowledge Check
What are the names of the two pieces of legislation on which our company data security policies are based?
A.
B.
C.
HIPPO and HILITE
HIPAA and HITECH
CIA and FBI
Why is this incorrect?
Try again.
INC
ORRECT
Slide8Laws & Legislation
Knowledge Check
What are the names of the two pieces of legislation on which our company data security policies are based?
A.
B.
C.
HIPPO and HILITE
HIPAA and HITECH
CIA and FBI
CORRECT!
The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) are what our data security policies are based on.
Slide9Protect Your Workstation
Usernames and passwords identify you as a registered user and allows the company to know who is using a computer and when.
To ensure protection for both you and the company:
Log in using
only
your assigned username and password; do not “borrow” passwords
Log off or lock your PC when it is not in use or when you are away from it
Do not leave your password written down anywhere where it can be found
If it is necessary to write down your password for you to remember it, keep it in a locked drawer or cabinet
Slide10Protect Your Workstation
Creating a strong password is one of the best ways to ensure confidential information is protected.
A strong password is not something that is easily guessed. Do
not
use any of the following for a password:
Birthdates
Addresses
Family names
Slide11Protect Your Workstation
A weak password can easily be strengthened with a few small tweaks.
Try replacing certain letters with numbers or symbols (known as 1337 –or-
Leet
), or phonetically similar letter combinations. This creates a unique password which is memorable for the user, but difficult to be cracked by hackers.
A = @ H = # O = 0 V + \/
B = 8 I = ! P = |D W = \/\/
C = < J = _| Q = (,) X = ><
D = > K = |< R = |2 Y = `/
E = 3 L = |_ S = 2 Z = (/)
F = |= M = |\/| T = +
G = 6 N = |\| U = |_|
See Examples
Slide12Good
Better
Best
password pa55w0rd Pa55W0rD6257
IloveJenny
I0v3j3nny
eye10v3J3nny
Consider the following examples:
Protect Your Workstation
AuntSue
AuntSue1978 auN+5u31978
123456 one2three4five6 0n3toothr3345sixx
Slide13Case Study
*
Knowledge Check
Joe Smith works in the office across from you. He has two children: Bob Michael and Joe Junior. He recently changed his password to ‘
BobandJoeJr
’, and his account was hacked into later in the week.
After resolving the issue, Joe was instructed to create a new, safer, password. He complied and his new password comprised of letters and numbers with no discernible meaning other than to Joe.
Joe then wrote down his new password and hid it under his stapler. Later in the week, his co-worker Jim was locked out of his PC and needed to finish an important document. Joe told Jim to retrieve his password and log in to his PC to finish his work. With the document
* Some information has been changed in this scenario.
complete, Jim logged off Joe’s computer and eventually regained his own access.
Since then, each individual has been working with no issues.
Protect Your Workstation
Slide14Given the information presented in the case study, were the following actions appropriate ( ) or inappropriate ( )?
Case Study
Knowledge Check
Using ‘
BobandJoeJR
’ as his password
Appropriate Inappropriate
Try again!
Correct. This password is too apparent, it should be comprised of letters and numbers with no obvious reason other than to the user.
Why is this inappropriate?
Protect Your Workstation
View case study information
(click
on either the Appropriate or Inappropriate icon)
Slide15Given the information presented in the case study, were the following actions appropriate ( ) or inappropriate ( )?
Case Study
Knowledge Check
Creating a new, unique password
comprised
of letters and numbers
Appropriate Inappropriate
Try again!
Correct. Using a combination of letters and numbers to create a password is good policy. These types of passwords are not easily guessed.
Why is this appropriate?
Protect Your Workstation
View case study information
(click
on either the Appropriate or Inappropriate icon)
Slide16Given the information presented in the case study, were the following actions appropriate ( ) or inappropriate ( )?
Case Study
Knowledge Check
Writing down his
password and
hiding
it
under his stapler
Appropriate Inappropriate
Try again!
Correct. If you
must
write down your password, ensure it is in a locked space such as a drawer or cabinet.
Why is this inappropriate?
Protect Your Workstation
View case study information
(click
on either the Appropriate or Inappropriate icon)
Slide17Given the information presented in the case study, were the following actions appropriate ( ) or inappropriate ( )?
Case Study
Knowledge Check
Allowing a co-worker to use his login
information
Appropriate Inappropriate
Try again!
Correct. Never use another person’s login information.
Why is this inappropriate?
Protect Your Workstation
View case study information
(click
on either the Appropriate or Inappropriate icon)
Slide18Malicious Software
Malicious software exists for the sole purpose of harming your computer. These programs attack the confidentiality, integrity, and availability of your information.
Malicious software
can
include:
(click on each for more information)
Viruses
Worms
Trojans
Spyware
Viruses:
Small programs that attach themselves to legitimate programs. When activated by an unwary user, it begins performing tasks given to it by its creator.
Viruses can corrupt files and delete data.
Worm:
Similar to a virus, a worm replicates itself and usually contains functionality that interferes with normal computer use. Unlike viruses, worms do not attach themselves to other files or programs.
Worms can spread automatically over a network, moving from one computer to another, causing massive damage.
Trojan:
Short for Trojan Horse, a Trojan pretends to be a legitimate program while actually performing malicious tasks.
Trojans can cause damage to your PC and provide unauthorized use.
Spyware:
Spyware sneaks onto your PC through shareware or freeware downloaded by the user. Once on a computer, spyware gathers information about the user and sends it back to its creator.
Spyware can capture e-mail addresses, passwords, credit card information, and much more.
Slide19Knowledge Check
Choose the answer that best fits.
A ______________ pretends to be a legitimate program while
s
ecretly performing malicious tasks.
A.
B.
C.
Virus
Worm
Trojan
D
.
Spyware
Malicious Software
Slide20Knowledge Check
Choose the answer that best fits.
A ______________ pretends to be a legitimate program while
s
ecretly performing malicious tasks.
A.
B.
C.
Virus
Worm
Trojan
D
.
Spyware
INC
ORRECT
Why is this incorrect?
Try again.
Malicious Software
Slide21Knowledge Check
Choose the answer that best fits.
A ______________ pretends to be a legitimate program while
s
ecretly performing malicious tasks.
A.
B.
C.
Virus
Worm
Trojan
D
.
Spyware
INC
ORRECT
Why is this incorrect?
Try again.
Malicious Software
Slide22Knowledge Check
Choose the answer that best fits.
A ______________ pretends to be a legitimate program while
s
ecretly performing malicious tasks.
A.
B.
C.
Virus
Worm
Trojan
D
.
Spyware
INC
ORRECT
Why is this incorrect?
Try again.
Malicious Software
Slide23Knowledge Check
Choose the answer that best fits.
A ______________ pretends to be a legitimate program while
s
ecretly performing malicious tasks.
A.
B.
C.
Virus
Worm
Trojan
D
.
Spyware
CORRECT!
Also known as a Trojan Horse, a
trojan
can appear to be a genuine program, but actually causes hard to your computer.
Malicious Software
Slide24Knowledge Check
Choose the answer that best fits.
A ______________ replicates itself and contains functionality
that interferes with a PC’s normal use and can spread over a network to other computers
A.
B.
C.
Virus
Worm
Trojan
D
.
Spyware
Malicious Software
Slide25Knowledge Check
A.
B.
C.
Virus
Worm
Trojan
D
.
Spyware
INC
ORRECT
Why is this incorrect?
Try again.
Choose the answer that best fits.
A ______________ replicates itself and contains functionality
that interferes with a PC’s normal use and can spread over a network to other computers
Malicious Software
Slide26Knowledge Check
INC
ORRECT
Why is this incorrect?
Try again.
Choose the answer that best fits.
A ______________ replicates itself and contains functionality
that interferes with a PC’s normal use and can spread over a network to other computers
Malicious Software
A.
B.
C.
Virus
Worm
Trojan
D
.
Spyware
Slide27Knowledge Check
INC
ORRECT
Why is this incorrect?
Try again.
Choose the answer that best fits.
A ______________ replicates itself and contains functionality
that interferes with a PC’s normal use and can spread over a network to other computers
Malicious Software
A.
B.
C.
Virus
Worm
Trojan
D
.
Spyware
Slide28Knowledge Check
CORRECT!
Worms are similar to viruses, and can replicate and spread
a
cross a network to spread itself onto other computers.
Choose the answer that best fits.
A ______________ replicates itself and contains functionality
that interferes with a PC’s normal use and can spread over a network to other computers
Malicious Software
A.
B.
C.
Virus
Worm
Trojan
D
.
Spyware
Slide29To prevent your computer from becoming infected with malicious software, follow these steps:
Never open e-mail attachments or download/execute files from unknown sources.
If you are unsure of the sender or wary of their identity, err on the side of caution. Call or e-mail the suspected sender to verify the information being sent.
Do not install any unauthorized toolbars or other “helpful” programs, unless otherwise approved
Do not disable any antivirus software installed on your PC
E-mail Security
Slide30Suppose the inbox below is yours. Click on each e-mail to learn whether or not it should be opened.
E-mail Security
Slide31Sender: John Co-worker
Subject: Regarding our 2:00 meeting today
This e-mail is OK to be opened. You had a 2:00 meeting scheduled with John, and he mentioned being excessively busy this week.
In other words, you could adequately anticipate an e-mail from John.
Return to the inbox
E-mail Security
Slide32Sender: Prince Abu-
Zyed
et Al
Subject: Amazing business opportunity
This e-mail should not be opened. You have never heard of this person before, and weren’t expecting any new “business opportunities.”
This could an example of “phishing,” when people attempt to gain personal information through trickery. Additionally, the e-mail could contain a virus which could harm your computer.
Click
here
to learn more about phishing.
E-mail Security
Return to the inbox
Slide33Sender: Human Resources
Subject: New employee conduct manual
This e-mail can be opened. You regularly receive e-mails from Human Resources at this address, and it’s the time of year when their documentation is updated.
E-mail Security
Return to the inbox
Slide34Sender: info673291a7@freephones.com
Subject: Urgent Response Requested
Do
not
open this e-mail. Despite having “Urgent Response Required” in the subject line, you have never heard of info673291a7@freephones.com
Very often fraudulent e-mails contain keywords like “urgent” or references to new/changing laws in their subject line. If you do not know the sender, do not open the e-mail.
E-mail Security
Return to the inbox
Slide35Sender: Suzy Co-worker
Subject: Download this cool free screensaver!
Despite the fact that you know Suzy, this e-mail should not be opened. You work with Suzy every day, and she hasn’t ever mentioned sending you any software.
Additionally, installing unauthorized software (like a screensaver) is against company policy. The file could be a Trojan Horse and could damage your PC.
E-mail Security
Return to the inbox
Slide36Sender: Steve Johnson
Subject: How about a game of golf after work?
This e-mail can be opened. Steve is your boss, and an avid golfer; and he has mentioned wanting to play with you.
Although the e-mail didn’t come from his company e-mail account, you could reasonably assume is came from him as you know he is out of the office today. If in doubt, give him a call to confirm the e-mail came from him.
E-mail Security
Return to the inbox
Slide37E-mail Security
Return to the inbox
Phishing is a term that refers to an act when someone sends an seemingly legitimate e-mail, claiming to be from your credit card company, bank, or online store you have shopped at.
The goal of phishing is to gain personal, private information such as social security numbers or bank information (account numbers, ATM pin codes). Actual companies will never ask for this information, they have it on file.
Often times, links within the e-mail lead to “spoof” websites. Spoof sites are designed to look like those of actual companies, but are used to gain access to your personal information.
Click
here
to learn even more about phishing.
Slide38E-mail Security
When sending e-mail containing confidential information, you must use an Advanced Encryption Standard (AES) to encrypt the data.
One of the most common AES’s is WinZip.
To ensure your confidential information is secure:
Encrypt and password protect the file using WinZip.
E-mail the encrypted files as an attachment.
In a
separate e-mail
, send the recipient the password to the encrypted file.
Slide39E-mail Security
Knowledge Check
True of False?
The e-mail below is most likely a phishing attempt, and
should be ignored.
A.
B.
True
False
Slide40E-mail Security
Knowledge Check
True of False?
The e-mail below is most likely a phishing attempt, and
should be ignored.
A.
B.
True
False
INC
ORRECT
Why is this incorrect?
Try again.
Slide41E-mail Security
Knowledge Check
True of False?
The e-mail below is most likely a phishing attempt, and
should be ignored.
A.
B.
True
False
CORRECT!
Reputable companies (such as banks) will never ask for personal information via e-mail. This e-mail should be deleted.
Slide42Confidential data must to be stored on a network drive or on your secured company-approved thumb drive.
Do
not
store confidential information on your local computer
C
drive, unauthorized external flash drive, or CD.
Personal mobile devices (laptops, tablets, smartphones, etc.) can store confidential information if approved by the Security Officer.
These devices must meet minimum encryption standards to be approved.
Storage & Disposal
Slide43Storage & Disposal
All technology containing confidential information must be properly destroyed. For floppy disks and CDs, utilize a multimedia shredder. If a shredder is not available, deposit the item in one of the shred bins located in your building.
For laptops, desktops, and mobile devices, the security team will employ a number of methods (multiple rewrites, low-level formats) to ensure data is properly disposed of.
When in doubt, contact the security team. It is better to be safe than sorry when it comes do confidential material.
Slide44Knowledge Check
Choose the best answer.
Your personal cell phone was approved for company use, and you’ve used it to view work-related e-mail containing confidential information.
Now, your contract is up and you want to buy a new phone.
What should you do?
A.
B.
C.
Remove your SIM card and donate your old phone to a school or charitable organization.
Contact the Security Officer and have them take care of disposing the phone properly.
Take your phone outside, stomp on it, drive over it with your car, then throw it into a dumpster.
Storage & Disposal
Slide45Storage & Disposal
Knowledge Check
Why is this incorrect?
Try again.
Choose the best answer.
Your personal cell phone was approved for company use, and you’ve used it to view work-related e-mail containing confidential information.
Now, your contract is up and you want to buy a new phone.
What should you do?
A.
B.
C.
Remove your SIM card and donate your old phone to a school or charitable organization.
Contact the Security Officer and have them take care of disposing the phone properly.
Take your phone outside, stomp on it, drive over it with your car, then throw it into a dumpster.
INC
ORRECT
Slide46Storage & Disposal
Knowledge Check
Choose the best answer.
Your personal cell phone was approved for company use, and you’ve used it to view work-related e-mail containing confidential information.
Now, your contract is up and you want to buy a new phone.
What should you do?
A.
B.
C.
Remove your SIM card and donate your old phone to a school or charitable organization.
Contact the Security Officer and have them take care of disposing the phone properly.
Take your phone outside, stomp on it, drive over it with your car, then throw it into a dumpster.
CORRECT!
Even after removing a SIM card or severely damaging an electronic device, data can still be recovered. The Security Officer will ensure all the necessary measures are taken to remove confidential data from your phone.
Slide47Storage & Disposal
Knowledge Check
Why is this incorrect?
Try again.
Choose the best answer.
Your personal cell phone was approved for company use, and you’ve used it to view work-related e-mail containing confidential information.
Now, your contract is up and you want to buy a new phone.
What should you do?
A.
B.
C.
Remove your SIM card and donate your old phone to a school or charitable organization.
Contact the Security Officer and have them take care of disposing the phone properly.
Take your phone outside, stomp on it, drive over it with your car, then throw it into a dumpster.
INC
ORRECT
Slide48Knowledge Check
You’ve received a file containing confidential information.
Select the secure, approved location where the file should be saved
Slide49Why is this incorrect?
Try again.
Knowledge Check
INC
ORRECT
You’ve received a file containing confidential information.
Select the secure, approved location where the file should be saved
Slide50Knowledge Check
INC
ORRECT
You’ve received a file containing confidential information.
Select the secure, approved location where the file should be saved
Why is this incorrect?
Try again.
Slide51Knowledge Check
INC
ORRECT
You’ve received a file containing confidential information.
Select the secure, approved location where the file should be saved
Why is this incorrect?
Try again.
Slide52Knowledge Check
INC
ORRECT
You’ve received a file containing confidential information.
Select the secure, approved location where the file should be saved
Why is this incorrect?
Try again.
Slide53Knowledge Check
You’ve received a file containing confidential information.
Select the secure, approved location where the file should be saved
CORRECT!
Confidential information should
never
be stored on a local drive.
Given your choices, the file should only have been saved on the (company-approved) flash drive.
If a network drive were available, this would have also been an approved option.
Slide54Knowledge Check
Returning to your desk after meeting with the Accounting department, you notice you have received three new e-mail messages.
Using the information you’ve
learned, choose to open or delete the messages by clicking on the appropriate buttons.
To begin the exercise, click the mail icon below.
Begin
Slide55Knowledge Check
(click Delete or Open)
Slide56Knowledge Check
INC
ORRECT
Given that you just came from a meeting with the Accounting department, it is reasonable to expect an e-mail from them. It is OK to open this e-mail.
Why is this incorrect?
Try again.
Slide57Knowledge Check
CORRECT!
Given that you just came from a meeting with the Accounting department, it is reasonable to expect an e-mail from them. It is OK to open this e-mail.
Slide58Knowledge Check
(click Delete or Open)
Slide59Knowledge Check
INC
ORRECT
The e-mail address is vague, and most likely one you’ve never seen before. Additionally, the Subject of the message is not work related. This e-mail should not be opened, delete it.
Why is this incorrect?
Try again.
Slide60Knowledge Check
CORRECT!
The e-mail address is vague, and most likely one you’ve never seen before. Additionally, the Subject of the message is not work related. This e-mail should not be opened, delete it.
Slide61Knowledge Check
(click Delete or Open)
Slide62Knowledge Check
INC
ORRECT
Unless an attachment comes from a verified source, they should never be opened. Antivirus software will always come from the Security team.
Why is this incorrect?
Try again.
Slide63Knowledge Check
CORRECT!
Unless an attachment comes from a verified source, they should never be opened. Antivirus software will always come from the Security team
. This e-mail should be deleted!
Slide64Conclusion
This concludes the Data Security training. To review, you have learned:
Laws & Legislation
Workstation Security
Malicious Software
E-mail Security
Data Storage & Disposal
Click
here
to review the material
Click
here
to view a list of resources.
Slide65Conclusion
This concludes the Data Security training. To review, you have learned:
Laws & Legislation
Workstation Security
Malicious Software
E-mail Security
Data Storage & Disposal
Click
here
to review the material
Click
here
to view a list of resources.
Resources
All images courtesy of Microsoft
®
Source material for this resource from the Michigan Public Health Institute Employee Handbook, August 2006
Cory Lammers, 2012