Please move your mouse cursor over the navigation

Please move your mouse cursor over the navigation panel below to familiarize yourself with the buttons. Click the Forward arrow button to continue.

Information Security Awareness Training Introduction to Information Security at EOLWD (15 minutes)

Mandatory Training All users of EOLWD information systems are required to complete this course. · New hires must complete this course prior to receiving network login credentials. · All employees, partners and contractors must review this course annually.

Training Goal By completing this course, you will increase your understanding of the following Information Security topics: 1. Information Security Fundamentals 2. Access Control 3. Threats & Vulnerabilities 4. Your responsibility in protecting information at EOLWD. There are review questions at the end of each section. Introduction to Information Security at EOLWD

1) Information Security Fundamentals Introduction to Information Security at EOLWD

1) Information Security Fundamentals What is Information Security? US Code 44 USC § 3542 (b) (2006): (1) The term “information security” means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction… Introduction to Information Security at EOLWD

1) Information Security Fundamentals Is “Information Security” just another name for “Computer Security”? No. Information Security is about protecting information in every form, including the following: • • Computers File storage devices Email messages Paper documents Telephone devices Verbal actions File cabinets, etc. Introduction to Information Security at EOLWD

1) Information Security Fundamentals Federal law requires Information Security training. The Federal Information Security Management Act of 2002 (FISMA) requires all federal and federally funded agencies to 1) Provide annual Information Security awareness training for all employees, partners and contractors. 2) Comply with Information Security audits. Ø EOLWD receives federal funds; therefore, it is subject to audit. FISMA audits have revealed a need for Information Security Awareness training at EOLWD. Introduction to Information Security at EOLWD

1) Information Security Fundamentals Information Security training is also required by Massachusetts Executive Order 504 – Order Regarding the Security and Confidentiality of Personal Information (2008) Ø Requires mandatory information security training …shall include guidance to employees regarding how to identify, maintain and safeguard records and data that contain personal information. Introduction to Information Security at EOLWD

1) Information Security Fundamentals What is considered “Personal Information”? q M. G. L. c. 93 H – Security Breaches: Ø "Personal Information" is a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements…: § (a) Social Security number § (b) driver's license number or state-issued identification card number § (c) financial account number, or credit or debit card number… Introduction to Information Security at EOLWD

1) Information Security Fundamentals Information Security at EOLWD q EOLWD manages large amounts of personal and financial information in order to provide services. Much of this information is considered sensitive or confidential. q The security of the following types of information is a very high priority at EOLWD: • Personal information • Financial information • Tax data • Work history. Introduction to Information Security at EOLWD

1) Information Security Fundamentals The aware EOLWD network user Ø Knows why Information Security is so important Ø Is aware of information system vulnerabilities Ø Understands and uses Information Security measures Ø Recognizes and responds appropriately to Information Security violations. Introduction to Information Security at EOLWD

1) Information Security Fundamentals Goals of Information Security The acronym "CIA" is often used to help people remember the three goals of Information Security: • Confidentiality • Integrity • Availability. Introduction to Information Security at EOLWD

1) Information Security Fundamentals Confidentiality is often defined as “…ensuring that information is accessible only to those authorized to have access. ” q EOLWD authorizes access to confidential information only when it has been determined that the user requires the information for valid business reasons related to the performance of his or her job. Introduction to Information Security at EOLWD

1) Information Security Fundamentals In Information Security, the word “Integrity“ is used to describe information that is q Authentic and complete q Sufficiently accurate for its purpose q Free of alteration. Introduction to Information Security at EOLWD

1) Information Security Fundamentals In Information Security, “Availability” refers to the assurance that the systems responsible for storing, processing and delivering information are accessible when needed, by those who need them. q Whenever availability of necessary information is compromised, an information security concern exists. Introduction to Information Security at EOLWD

1) Information Security Fundamentals "Total Integrity" is the term used to describe information that meets all three goals of Information Security - Confidentiality, Integrity and Availability. Information is considered reliable and is said to have Total Integrity when all the statements below are true: 1. It meets confidentiality requirements 2. It has not been altered 3. It is available when needed. Introduction to Information Security at EOLWD

1) Information Security Fundamentals Remember! When accessing confidential information, you must have a valid business reason related to the performance of your job. Introduction to Information Security at EOLWD

Review Select the word that completes this sentence best. The three goals of Information Security are Confidentiality, Integrity and ____________. Authentication Automation ain! y ag r T. e oic h c r ette ab s ’ e Correct! Great job! r The Go to the next slide! Availability Introduction to Information Security at EOLWD

Review Select the word that completes this sentence best. The Integrity of information is affected if someone ______ EOLWD data without a valid reason. n! saves alters copies gai a y r T ice. o h c t es e b Great job! h t t o Correct! N Go in! a g a to the nextoislide!. Try e c r ch e t t e ab s ’ e r e Th Introduction to Information Security at EOLWD

Review Select the word that completes this sentence best. Accidentally losing important data is a security concern because it can affect the ____________ of information. authentication. . T oice h c r te Correct! bet Great job! ’s a e automation. ain! g a ry Ther Go to the next slide! availability. Introduction to Information Security at EOLWD

2) Access Control Introduction to Information Security at EOLWD

2) Access Control “Access Control” is the management of admission to system and network resources. q In order to control access, the system needs to prove the identity of each user every time access is requested. This is called “authentication, ” and it is achieved by requiring a unique password to access the system. Introduction to Information Security at EOLWD

2) Access Control Access Requirements q Access is granted only to authenticated users according to existing policies. q Specific permission levels are set according to each user's work requirements. Introduction to Information Security at EOLWD

2) Access Control “Accountability” is an access control measure. q It ensures that events or actions within a system are traceable to a specific entity (user, process, device, etc. ). Introduction to Information Security at EOLWD

2) Access Control Network Security Measures EOLWD applies the following security measures to control network access and to protect the information stored in its systems: • • • Password requirements Firewalls Anti-virus software Regular data backup Policies for software installation and modifications, etc. Introduction to Information Security at EOLWD

2) Access Control Physical Security measures are applied to prevent unauthorized access to information that can be seen or heard etc. Examples of Physical Security: • Documents containing sensitive information stored in locked file cabinets. • Monitors positioned so that passersby cannot view confidential information that may be displayed. • Clean desktops where no sensitive information is lying around for unauthorized individuals to view when the desk is left unattended. Introduction to Information Security at EOLWD

Review Select the word that completes this sentence best. EOLWD _________ security measures include firewalls and antivirus software. physical ec Incorr n! i a g a. Try t Correct! Great job! network in! a g a Try . e c i Go to thettenext slide! o h rc e personal ab s ’ e r The Introduction to Information Security at EOLWD

Review True or False? Accountability means that user actions may be traced. True False Correct! Great job! ! ain ry ag t. T cnext e r Go to Ithe slide! r nco Introduction to Information Security at EOLWD

Review Select the word that completes this sentence best. Authentication is achieved by requiring that every system user has a unique ________ Correct! Great job! address password ect. ique r r o Inc s a un e. e quir ext slid e r ion t a the n c i o t t n e Go Auth rd. wo pass A secure password is more important to authenticate the system user. Go to the next slide. Introduction to Information Security at EOLWD

Review Select the word that completes this sentence best. One way to practice _______ security is to keep your file cabinets locked when you are away from your office. network physical of a t r a p ot n e r in! a a s g t a e n y i r ile cab network. T F Yes! Good job! ter u p m co n!slide! i Go to the next a g a. Try Nope virtual Introduction to Information Security at EOLWD

3) Threats & Vulnerabilities Introduction to Information Security at EOLWD

3) Threats & Vulnerabilities q Anything that jeopardizes the confidentiality, integrity or availability of information is categorized as either a threat or a vulnerability. Introduction to Information Security at EOLWD

3) Threats & Vulnerabilities Threats can be either intentional or unintentional. Examples q Unintentional situations which threaten the security of confidential data: • Confidential information is accidentally printed to a remote location. The data is then viewed by staff who are not authorized to view it. • A document which contains confidential data is left in a photocopy machine where anyone can view it or steal it. q Intentional: • A disgruntled current employee finds a password on a post-it and decides to use it to steal confidential information. Introduction to Information Security at EOLWD

3) Threats & Vulnerabilities Threats and vulnerabilities can be internal or external. q Internal: Current employees q External: • Former employees • Someone who accesses EOLWD buildings for legitimate reasons • Hackers who infiltrate EOLWD systems remotely. These individuals, internal or external, may have malicious intent, or they may do what they do simply for kicks, without intending to compromise specific data. Introduction to Information Security at EOLWD

Review True or False? EOLWD is concerned with external threats only, such as hackers who try to get past the network firewall. Not true, EOLWD is concerned with BOTH internal and external threats. True Right! Good job! False EOLWD is concerned with BOTH internal and external threats. Go to the next slide! Introduction to Information Security at EOLWD

Review Select the phrase that completes this sentence best. A printout of confidential information is accidentally left on a photocopy work table. This is an example of _______. confidential access ain! g That’s right! Good job! a. Try ice o h c est unauthorized copying an unintentional threat to confidentiality e b unintentional, it still Even. Nthough ot th compromises the security of this confidentiality information. Go to the next slide! Introduction to Information Security at EOLWD

4) Your Responsibility Introduction to Information Security at EOLWD

4) Your Responsibility Know your role: q Implementation of effective access control is a critical function of the EOLWD Information Technology (IT) Department. However, the active participation of every EOLWD network user is essential to ensure the best possible Information Security. q Any data security system is only as good as its weakest link. For instance, if just one password holder shares a network password with the wrong person, a significant amount of information could be stolen, possibly resulting in harmful consequences to any number of employees and/or customers. Introduction to Information Security at EOLWD

4) Your Responsibility Know the rules: q It's something like the responsibility you accept when you operate a motor vehicle. To drive safely, you need to learn the rules of the road and be aware of hazards. q Similarly, as an operator of an "information vehicle, " you should know the rules and the risks. q Just as your passengers expect you to drive carefully, the public trusts you to keep its information safe. Not only is it expected, but it's a right protected by law. Introduction to Information Security at EOLWD

4) Your Responsibility Read the policies: q Your EOLWD Information Security education begins on your first day of work, when you are asked to read and sign the "Information Technology Resources (ITR) Policy. " q The EOLWD Internal Control and Security web site contains the ITR Policy, the Password Policy, and other resources that are important to review. Introduction to Information Security at EOLWD

4) Your Responsibility Be careful: q When driving, the goal is to reach a destination. If you have an accident, or if you take a wrong turn, you are either going to be late or never reach your destination. q When using EOLWD data systems, serving the public is the goal. Ø Data access violations and errors can delay services or even cause termination of service processes. Introduction to Information Security at EOLWD

4) Your Responsibility Be aware: q To protect yourself from dangers posed by reckless drivers, it's wise to practice defensive driving. q Computer operators need to be aware and alert to avoid being "sideswiped“ by other operators who try to steal information or disable systems. A hacker is just one example of this type of operator. Introduction to Information Security at EOLWD

4) Your Responsibility Be prepared: q Security Awareness is knowledge which gives you the advantage of being prepared for security issues which you could face in the day-to-day routines of your job. q Security Awareness is knowing how to minimize vulnerabilities by knowing what to do if you think someone is attempting to • Wrongfully obtain personal information about customers, vendors or staff. • Utilize EOLWD resources for illegal or unethical purposes. Introduction to Information Security at EOLWD

4) Your Responsibility Take action! If you become aware of an Information Security violation, take ALL of the following actions: 1. Report the violation to your manager. 2. Report the violation to the EOLWD Help Desk (EOLWD Intranet home page, right side, Quick Links). 3. Complete and submit a Security Incident Report. (EOLWD Intranet home page, right side, Quick Links). Note: If you are unable to access the EOLWD Intranet, please send security incident details to the EOLWD Help Desk via email or telephone. Introduction to Information Security at EOLWD

Review True or False? If you become aware of an Information Security violation, report it to your manager and the Help Desk, and file an online Security Incident Report. True False Correct! Great job!e! thre l l a ! Do e u r T ally ide. u l t s c t a x It’s e ne h t o Go to the next slide! Introduction to Information Security at EOLWD

Review Select the word or phrase that completes this sentence best. Any data security system is only as good as its ____________. weakest link Correct! Greatajob! in! programmers y ag . Tr t c e rr Incothe next slide! Go to number of users Introduction to Information Security at EOLWD

Review Select the phrase that completes this sentence best. If you are authorized to access confidential information, you may access it ____________? only as needed in your job. whenever anyone asks you to. Correct! Great job! You should access confidential n! aiinformation g a information only when the. Try e c i o is needed inooorder d ch to do your job. Not to review information at any time. ag Go to the next slide! Introduction to Information Security at EOLWD

You have reached the end of Introduction to Information Security at EOLWD! To confirm that you have completed this module, please sign the Annual Policies and Security Form (or the New Hire Policies and Security Form). If you have any questions about material covered in this presentation, please contact the EOLWD Information Security Office at 617 -626 -6680.