Securing the Unsecured Security Awareness Training HIMSS Louisiana
- Slides: 30
“Securing the Unsecured”
Security Awareness Training
HIMSS Louisiana Chapter
October 8, 2004
Slide 2: Agenda
§ Why
§ Who
§ What
§ When
§ Where and How
§ Tests for Understanding
§ Documentation
Slide 3: Why Security Awareness Training
§ Regulatory/Corporate Compliance
§ Users Don’t Get It
§ It Can’t Happen Here Syndrome
§ Make Our Lives Easier
§ Goals of Security Awareness Training
Slide 4: Why: Regulatory/Corporate Compliance
§ Sarbanes-Oxley
  • Requires companies to become more fiscally accountable
§ JCAHO
  • “To continuously improve the safety and quality of care provided to the public through the provision of health care accreditation and related services that support performance improvement in health care organizations.”
§ USA Patriot Act
  • Requires seeking, detecting, and reporting computer trespasses
§ HIPAA
  • Requires CIA (confidentiality, integrity, availability) of patients’ private information
Slide 5: Why: Users Don’t Get It
§ There’s nothing important on my computer
§ We have virus software so my computer is protected from everything
§ All threats are from the outside
§ It’s not my job/I’m too busy to worry about security
§ Technology provides full protection
Slide 6: Why: It Can’t Happen Here Syndrome
§ Use Examples from Your Organization
§ Use Examples from Others:
  • Two years of research material lost with no backup
  • Test results are changed
  • Falsified ID is used to send threatening e-mail
  • Employees running side business with our technology
  • Hospital machines used as zombies for DDoS attacks
  • Virus, worm, trojan infestations and attacks
  • Illegal music downloading
  • Online gaming
  • IT equipment stolen
Slide 7: Why: Make Our Lives Easier
§ Routine Helpdesk Calls are Reduced
§ Fewer Malicious Code Outbreaks
§ Lowers Data Restore Requests
§ Able to Focus on Projects
§ Users Feel Ownership
§ Users Think More Highly of IT
§ Less Time Spent Firefighting
Slide 8: Goals of Security Awareness Training
§ Establish a knowledge baseline for the entire organization
§ Modifying user behavior helps the security team
§ Adds a human component to defense-in-depth
§ Securing people is at least as important as securing systems
Slide 9: Who Needs Security Awareness Training
§ Employees
§ Non-employees
Slide 10: Who: Employees
§ All Employees
  • Determine minimum level for everyone
  • Include volunteers, medical staff and administration
§ Department Champions
  • Find your IT want-to-bes
  • Use them to help smooth the path
§ Management
  • Make sure that they are not embarrassed
  • Provide justification for expenditures
§ IT Staff
  • Keep them fully informed
Slide 11: Who: Non-employees
§ On-site
  • Volunteers
  • Medical Staff
  • Others
§ Remote
  • Medical Staff
  • Public
  • Support
§ Contract/Non-contract
  • Escort?
Slide 12: What: Security Awareness Training
§ Most Common Mistakes
§ Training Topics
§ Acceptable Use Policy/Agreement
Slide 13: What: Most Common Mistakes
§ Poor Password Management
§ Workstation Attached and Unattended
§ Malicious E-mail Attachments
§ Ineffective Anti-virus Software
§ Uncontrolled Laptops
§ Unreported Security Violations
§ Updates, Hot Fixes, Service Packs not Installed
§ Poor Perimeter Protection
  • Electronic
  • Physical
Slide 14: What: Training Topics
§ Data Backup/Restore
§ Physical Security
§ Portables
§ Social Engineering
§ ID/Passwords
§ E-mail
§ Wireless
§ Malicious Software
Slide 15: Data Backup/Restore
§ Users are responsible for communicating their needs
§ IT is responsible for making sure it happens
  • Included in IT procedures
  • Tools supplied to users
Slide 16: Physical Security
§ Every User is an Extension of the Security Force
§ Lock Offices as Often as Practical
§ Restrict Open External Entrances
§ Technology
  • Cameras
  • Motion sensors
  • Alarm systems
  • Tags
Slide 17: Portables
§ Favorite Target of Thieves
§ Less Likely to Draw Attention
§ Easily Hidden
§ “Turn” Fast at Pawn Shops and Online
§ Almost Always Contain “Sensitive” Data
Slide 18: Social Engineering
§ “This is (manager, director, etc.) and I need…”
§ “This is Sue with the Help Desk and we are…”
  • “…verifying your passwords…”
  • “…troubleshooting logon problems…”
  • “…got your (bogus) request to change your…”
§ E-mail Attachments
§ Dumpster Diving
§ Recover Data from Surplus Equipment/Media
Slide 19: ID/Passwords
§ Users are responsible for what happens with their ID/password
§ If you HAVE to write them down, treat the paper like a credit card
§ Change a password if there is any possibility it has been compromised
§ Use complex passwords
§ The sanctions for not protecting login credentials are…
Slide 20: From the University of Michigan: Passwords Are Like Underwear
§ Change yours often!
§ Don’t leave yours lying around!
§ The longer, the more protection!
§ Don’t share yours with friends!
§ Be mysterious!
Slide 21: E-Mail
§ E-mails Exist in Multiple Places
§ Deleting an E-mail from One Place Does Not Delete it from Anywhere Else
§ Be Aware of “bcc”
§ Spam Effects and Avoidance
§ Verify Attachments Before Opening
§ Don’t Send Confidential Information via Standard E-mail
§ E-mail Can be Forged
Slide 22: Wireless
§ Don’t Plug in Your Own Wireless Access Point
§ Don’t Change the Secure Configuration:
  • To make it work with your home network
  • So it will connect in the airport
  • To access other facilities’ networks
§ Use a Wire When Available
  • Faster
  • More secure
  • Less competition for access point bandwidth
Slide 23: Malicious Software
§ Leave Virus Protection and Firewall Programs Running
§ Check for or Allow Updates
§ Recognize Potential Malicious Activities:
  • Hard drive running when no programs are running
  • Unusual or unexpected logon screens
  • Boot-up speed or sequence changes
  • Performance degradation
  • Returned e-mails
§ Others?
Slide 24: What: Acceptable Use Policy/Agreement
§ Include All Security Topics
§ Templates and Examples are Available Online
§ Include in Training
§ Have Users Sign
§ May Include Confidentiality and Privacy
Slide 25: When: Security Awareness Training
§ Prior to System/Facility Access
  • Require security training
  • Have Acceptable Use Policy, Confidentiality, Privacy and other agreements signed
§ Ongoing
  • New Hire
  • Reminder
  • Annual
  • Include security every chance
§ Non-employees
Slide 26: Where and How: Security Awareness Training
§ Posters
§ Newsletters
§ Login Dialogue Boxes
§ E-mails
§ Display Tables
§ Contests
§ “Mystery Guest”
Slide 27: Tests for Understanding
§ Positives
  • Proof that learning occurred
  • Program improvements
§ Negatives
  • Proof that learning did not occur
  • Handling the failures
Slide 28: Documentation
§ Annual Plan
§ Who/What/When Matrix
§ Proof of Occurrence
§ Quality Review
§ Meeting Minutes
Slide 29: From George Mason University: S.E.C.U.R.E. I.T.
§ Simple (All users can implement these procedures)
§ Effective (Problems are solved by following procedures)
§ Concerned (All users should be concerned about security)
§ Useful (Procedures keep resources safe and available)
§ Responsibility (All users must follow the AUP)
§ Economical (Resources are protected and conserved)
§ Information (Confidentiality, integrity, accessibility)
§ Technology (Hardware is protected and preserved)
Thank You
§ Healthlink Incorporated
§ 3800 Buffalo Speedway, Suite 550
§ Houston, TX 77098
§ 1.800.223.8956
§ claude.younger@healthlinkinc.com
§ www.healthlinkinc.com