Security Orientation

Security Objectives
• To educate about IT security exposures and risks
• To communicate and promote IT security responsibilities
• To identify consequences of IT security policy violations
• To protect information and assets
• To prevent and detect malicious activities
• To comply with legislative, privacy and contractual requirements

Things you should report to your supervisor and/or IT support
• Password compromised
• Hacking attempt
• Computer virus infection
• Computer files missing
• Unexplained changes to system data/configuration
• Theft/loss of IT equipment

Things you should report to your supervisor and/or IT support (cont’d)
• Unauthorized people using or attempting to use IT equipment
• Unauthorized people gaining access to protected areas
• New vulnerabilities and exploits discovered in existing IT systems
• Violations of acceptable use policy

E-mail Security
• Do not open unsolicited e-mail attachments
• Do not send restricted information by e-mail
• Confidential information must be encrypted prior to being sent via e-mail [NOTE TO PRESENTER: Omit this bullet if not appropriate in your organization.]
• Restricted information should not be sent via e-mail
  • If it is necessary to send over e-mail, stronger security controls must be put into place
• Avoid errors in e-mail by verifying the e-mail address or distribution list before sending

E-mail Security (cont’d)
• Avoid sending if the information is confidential, “personal information” or “personal health information”
• Sanitize or clean up information as much as possible
• Limit the distribution of the information to those who “need to know”
• If you receive a message in error, please do not copy it, distribute it to another person or use it for any other purpose; delete it and advise the sender of the error by return e-mail or telephone

Mobile Computing
• Take good care of devices
• Limit the amount of confidential, “personal information” or “personal health information”
• If confidential information is on the mobile device it should be encrypted
• Delete confidential information immediately after the completion of use
• Use a notebook lock down security cable

Mobile Computing (cont’d)
• Connect to the network to receive software updates regularly
• Place notebooks out of sight in cars before arriving at your destination
  • Preferably in a locked trunk, otherwise theft is more likely to occur
• Use caution when connecting to unsecured wireless networks

Mobile Computing (cont’d)
DON’Ts
• Install any non-approved software
• Disable any data encryption, screen-saver password and anti-virus software
• Leave the mobile device in a public area without supervision

Passwords
• Protect your password; it is the key to the data, programs, and services you are entrusted to access
• Don’t share or record your password in any form that may be accessible

Safe Workspace Guidelines
• Log out or lock your computer when you leave it unattended
• Do not open unsolicited e-mail attachments from people
• Keep confidential and restricted files locked up
• Once approved for disposal, shred confidential or restricted documents right away; don’t save them
• Do not reveal your password to anyone

Safe Workspace Guidelines (cont’d)
• Keep your desk clean of personal and personal health information
• Exit or close your web browser when not accessing Internet or Intranet sites
• Keep floppy disks, CDs, paper files and reports in a secure place
• Keep portable devices in sight or locked up (laptops, USB, PDAs, cell phones)
• Position monitors and printers so that others cannot see them

Physical Files
When handling physical files, keep these points in mind:
• Use a secure locking file cabinet or desk for the files if they contain confidential or personally identifiable information
• Don’t share the keys for locking cabinets or desks with anyone who does not have a work-related need for them
• Do not take files with you outside of your work area
• Do not leave printouts unattended at the printer
• If you have to send files through inter-office mail, ensure you enclose them in a way that the recipient can tell if they were tampered with in transit so they can notify you
  • Preferably, use a sealed envelope provided by a courier that will obtain a signature at point of delivery

Visitors
• When you see someone in your work area, determine if they are a legitimate visitor or an unauthorized person
  • Assist visitors in finding the location they need to go
  • Assist unauthorized people to the door or call your manager to report the presence of an unauthorized person
• Don’t let people remain in the work area unescorted or unaccompanied
• Don’t let anyone use computing equipment without explicit authorization

User Responsibilities
• Only use IT Resources for business purposes
• Practice security-conscious behaviour at all times
• Discuss personally identifiable information only in private locations
• Do not share passwords or post passwords where they are visible
• Report all information security incidents promptly
• Access only the minimum identifiable personal information necessary to perform job functions
• Return all IT Resources upon termination of employment

User Responsibilities (cont’d)
• Read the policies and relevant guidelines
• Employees must check with their supervisor/manager or Privacy Officer if they have questions
• Complete any required security training as provided
• Sign a Confidentiality Agreement and/or Oath of Office
• Be responsible for the security of his or her own workstation (computer and desk)
• Be responsible for the use of his or her User ID and Passwords

Your responsibilities
• To protect information and assets
• To prevent and detect malicious activities
• To understand IT security exposures and risks
• To communicate and promote IT security responsibilities
• To comply with legislative, privacy and contractual requirements
• To understand consequences of IT security policy violations

Your responsibilities (cont’d)
• Know your data – What’s on top of your desk? “Clean desk”
• Disclose on a “need to know” basis – Communications within the organization
• Comply with legislation – Be knowledgeable of organizational policies and procedures
• Communicate privacy concerns to the organization’s Privacy Officer