Transcript Why Teach a Hybrid Course? - Northern Virginia Community College

IT Security Awareness:
Information Security is
Everyone’s Business
A Guide to Information Technology Security at
Northern Virginia
Community College
Goals of IT Security
Awareness Training
 To assist faculty and staff in using safe,
secure computer practice to safeguard
College computing systems and data they
store or access.
 To answer any questions about information
security requirements and procedures
 To promote Computer Security Awareness
Information Technology
Security Awareness
What Is IT Security
Awareness?
Information Technology Security Awareness
means understanding various information
technology threats that exist in one's
computing environment and taking reasonable
steps to guard against them.
Who Is Responsible for IT
Security?
Everyone who uses a computer needs to know
how to keep his or her computer and data
secure to ensure a safe working
environment.
NOTE: Security Awareness is one of the thirteen
security components required in the COV ITRM
Standard SEC2001-01.1.
Who Must Have Security
Awareness Training?
 All new employees who use information
technology or have access to areas where
information resources reside, must receive
formal training within 30 days
 Refresher training must be provided to all
personnel annually at a minimum
What Are User Personal
Responsibilities?




Report security violations
Develop “end-of-day” security procedures
Practice proper telephone and e-mail security
Clear physical area in office of sensitive data
when not in office
 Do not leave your portable unattended
 Lock your office, if possible
What Are the Consequences
for Security Violations?
 Risk to security and integrity of personal or
confidential information
 Los of employee and public trust resulting in
embarrassment and bad publicity
 Costly reporting requirements in case of compromise
of sensitive information
 Internal disciplinary action(s) up to and including
termination of employment, possible penalties,
prosecution, & potential for sanctions/lawsuits
What Must Be Included in the
Security Awareness Training
Program?
 Provide both general and position
appropriate security awareness content
 Specify timeframes for receiving initial,
ongoing and refresher training
 Be documented on an auditable medium
 Be approved by the Information Systems
Security Officer
How Is Security Awareness
Training Documented?
 Receipt of training must be documented in
employee’s personnel file with employee’s
acknowledgement of receipt and understanding
 All training must be documented and filed with
Information Systems Security Officer and
available for audit
How Can Training Be
Delivered?





New employee orientation
General sessions
Departmental sessions
Web delivery via Web Pages, PowerPoint or video
Tip of the month via email to distribution lists
How Can Training Be
Delivered?




Posters
Brochures
“Security Day”
Brown bag lunch sessions
Computer Security
How Do I Secure My
Computer?







Use a firewall
Use strong passwords
Use antivirus software
Install security patches
Share files correctly
Back up files regularly
Don’t store sensitive information on hard
drive
How Can I Prevent Spyware
on my Computer?
 Avoid free tool bars for your browser since
they may come with spyware
 Regularly use spam cleaners to remove
spyware.
Using USB Drives Safely
How Do I Use USB Flash
Drives Safely?
 Back up files on USB flash drive
 Do not store sensitive data, such as SSNs or
student grades, on USB flash drive
 If possible, use password to protect data on
USB flash drive
 Remember to remove drive from your
computer before walking away
Safe Email Practice
What Is Safe Email Practice?
 Don’t open email attachments unless you
know what they are.
 Don’t open, forward or reply to spam or
suspicious emails; delete them.
 Be aware of sure signs of scam email.
• Not addressed to you by name
• Asks for personal or financial information
• Asks you for password
• Asks you to forward it to lots of other people
Safe Email Practice
 Don’t click on website addresses in emails
unless you know what you are opening.
 Use official VCCS student email to
communicate with students about grades or to
provide feedback on assignments.
 Report email security concerns to IT Help Desk.
How Do I Recognize Phishing?
 Phishing is type of email or instant message
scam designed to steal your identity.
 Phishing is the act of attempting to
fraudulently acquire sensitive information,
such as usernames, passwords, and credit
card details, by masquerading as trustworthy
entity in electronic communication using
email or instant message.
How Can I Safeguard
Against Phishing?
 Don’t reply to email or pop-up messages that ask
for personal or financial information.
 Don’t click on links in email or instant message.
 Don’t cut and paste link from questionable
message into your Web browser.
 Use antivirus and firewalls and update them
regularly.
 Don’t email personal or financial information.
 If you are scammed, visit Federal Trade
Commission’s Identity Theft website –
www.consumer.gov/idtheft
Protecting Sensitive
Information
How Do I Protect Sensitive Data?
 Protect sensitive information on lists and
reports with social security numbers (SSNs).
 Limit access to lists and reports with SSNs to
those who specifically need SSNs for official
college business.
 Never store SSNs or lists with SSNs on
laptops or home computers.
 Save and store sensitive information on server
managed by campus or college IT staff.
Protection of Sensitive Data
 Never copy sensitive data to CDs, disks, or
portable storage devices.
 Do not sore lists with sensitive information on
the Web.
 Lock printed materials with sensitive data in
drawers or cabinets when you leave at night.
 When done with printed sensitive material,
shred them.
Protection of Sensitive Data
 Remove sensitive materials from printer right
away.
 If problem with printer, turn off printer to remove
sensitive material from printer’s memory.
 Personally deliver sensitive materials to recipient
or distribute information electronically using
College’s email system.
 Arrange for shared electronic file that requires
user ID and password.
Password Security
Guidelines
What Are the Password
Security Guidelines?
 Passwords must be treated as sensitive and
confidential information.
 Never share your password with anyone for
any reason.
 Passwords should not be written down, stored
electronically, or published.
Password Security Guidelines
 Be sure to change initial passwords, password
resets and default passwords first time you log in.
 Use different passwords for your different
accounts.
 Create passwords that are
• not common,
• avoid common keyboard sequences,
• contain personal information, such as pets & birthdays.
Top Ten List of
Good Computing
Practices
What Are the Steps to Take
to Ensure Safe Computing?
 Use cryptic passwords that can’t be easily
guessed and protect your passwords.
 Secure your area, files and portable equipment
before leaving them unattended.
 Make sure your computer is protected with
anti-virus and all security patches and updates.
Steps to Ensure Safe Computing
 Make backup copies of data you do not want to
lose and store the copies very securely.
 Don’t save sensitive information on portable
devises, such as laptops, memory sticks, PDAs
data phones, CDs/DVDs.
 Practice safe emailing.
 Be responsible when using the Internet.
Steps to Ensure Safe Computing
 Don’t install unknown or suspicious programs
on your computer.
 Prevent illegal duplication of proprietary
software.
 Protect against sypware/adware.
How Should I Report
Security Incidents?
 Immediately report suspected security
incidents & breaches to your supervisor and
the IT Help Desk.
Resources
Resource Handout
 Use the handout found on the IT Security
Awareness Training website as easy
reference for steps to follow to ensure
information security.
College and Campus
Resources
 Contact the IT HelpDesk
[email protected]
703-426-4141
 Contact the Office of Instructional & Information
Technology Support Services
703-323-3278
 Contact your campus Information Technology
Manager (ITMs)
Campus IT Staff Contacts
 Dave Babel (AL) [email protected]
703-845-6019
 Bruce Ghofrany (AN) [email protected]
323-4259
 Jeff Howlett (MEC) [email protected]
703-822-6666
 Kevin Kelley (LO) [email protected]
703-450-2569
 Lynn Bowers (MA) [email protected]
703-257-6652
 Lynn Feist (WO) [email protected]
703-878-5659
 Peter Tharp (CS) [email protected]
703-323-3705
 Tom Pyron (ELI) [email protected]
703-323-3800