DanSources Information Security Presentation for Staff, Consultants, Contingent, Contract Workers
©2011 DanSources Technical Services

Welcome to DanSources

As a DanSources Staff Member, Consultant, Contract or Contingent worker, your employment may require that you have access to our Client's intranet, Client information, or Client computer systems. This training program is designed to make you aware of your responsibilities for safeguarding our Customers' information and maintaining the integrity and security of the systems to which you have access. You may also be bound by contractual provisions specific to the projects or customer activities on which you are working. Please take this opportunity to make sure that you understand the rules, can recognize potential dangers, and know when and how to ask for help. We count on you to act responsibly and do the right thing to protect the Client, our employees, and our customers.

Course notes

Within this course you will find links to some online resources. You may want to bookmark some of these resources so you can easily access them later. If you do not have access to the Client intranet, you may need to obtain the additional information from your manager. At the conclusion of this course you will be required to attest that you have completed the course and understand your responsibilities. After you have completed the course, we will email you a form to sign validating your completion of the course.

Information Security

Information security is headline news around the world. The headlines show this matter to be serious and far-reaching.

Introduction

In this course, we will discuss information security and the protection of the Client's information assets.
This is important because the loss of information compromises our competitiveness in the marketplace and our success as a business. We have an obligation to our customers, and to each other, to protect the information assets that are entrusted to us, whether we are dealing with information in physical, electronic, or intellectual form. Protecting the Client's information is every worker's responsibility. To help you understand and fulfill this responsibility, we will review the requirements and guidelines for protecting the Client's information assets.

Information Security: The Weak Link

Consider this scenario. Using a technique called "social engineering," a hacker tries to breach the company's computer network by randomly calling workers and trying to get them to give out passwords. The caller reaches Marie (an employee) and states that he is calling from the "help desk." Identifying himself as Steve Smith, he says he is trying to resolve a network issue. He notes that she works for Joe, and asks Marie to give him Joe's password, which he'll need for the work he's doing. Marie seems reluctant, so he applies some pressure, naming another manager he says he can conference in on the call. Marie, feeling that this doesn't seem right, begins to question the caller. She asks again, "What is your name and who do you work for?" When he doesn't give a manager's name but merely repeats that he works for the help desk, she states that she can look him up in the Global Address List to confirm. He abruptly disconnects the call. This confirms Marie's suspicion that he was a hacker. Marie was cautious and did not put the company's network at risk.

The Weak Link—continued

Not all threats to information security involve sophisticated technology. In this scenario a hacker uses "social engineering" techniques to exploit human nature.
The employee in the scenario, Marie, did a good job of asking questions about the caller's identity and whether he was entitled to the information he was requesting. Marie correctly attempted to validate the caller's identity and his need for the information, and was not fooled into cooperating with the hacker. In this scenario, the hacker was trying to obtain Joe's password. Another important point to remember: at the Client, Marie should never have her manager's password in the first place. We don't share our passwords with others.

What is social engineering?

Social engineering is commonly defined as the manipulation (e.g., trickery, lying, etc.) of people into performing acts or divulging confidential information. It is one of the more common techniques outsiders use to breach the security of an organization and gain unauthorized access to systems and information.

What can happen?

What can happen if Client information is not protected? Security breaches and compromised information can impact the Client's competitive advantage, tarnish our brand, be costly for both the Client and our customers, and damage your reputation for future employment.

Prevent security threats

External parties place a high value on information assets that might help them understand the Client's strategic direction, product development status, the nature of our security controls, and other sensitive information. Beware of non-Client acquaintances who probe for information about you and your work and do not have a valid business need for this information. They may be attempting to obtain Client information for their own benefit or for another party, thus compromising the Client's competitive advantage. Visibly display your Client badge at all times while inside a Client facility. Ask others not wearing their badge to follow this Client security requirement.
Protect yourself and our Client

How do we protect ourselves and our company against social engineering? There is no foolproof way, because the art of deception is always changing. However, there are some steps you can take to avoid becoming a victim and compromising the Client's sensitive information. We'll explore these in the following scenario.

Someone you do not know personally calls you and claims to be a Client worker. You ask the person to send you an email and include contact information. Did you handle this appropriately?
A. Yes
B. No

The correct answer is: A. Yes

Asking the caller to send you an email with their contact information is one way of authenticating the person's identity. It allows you to gather information about the person and verify that they are who they say they are; check that the message comes from a Client address and that the sender appears in the directory, since anyone can send mail from an outside account. In addition, you must also ensure the person is authorized to have the information they are requesting. Other ways to authenticate are:
– Look them up in PeopleFinder.
– Ask them for their manager's name, their organization, or other identifiable information.

Protect yourself and our Client—continued

Be alert! Social engineers are skilled! You don't need to be paranoid, just be aware that this type of activity does occur. If your instincts tell you that something doesn't feel right, proceed with caution. It's better to be safe than sorry. Be aware that social engineers use the phone, email, and even face-to-face contact. If you are in a situation where you have to question someone's identity or ask why the person needs the information, be polite but firm. This person may in fact be a legitimate Client employee looking for information for which there is a business need. If legitimate, the requestor will understand and appreciate your caution as long as you are polite.
If you are suspicious about a phone call, email or person asking inappropriate questions, report it to your site manager and to the DanSources Account Manager or our Facilities Security Officer (FSO). Our FSO is Dan Fahey, email: danfahey@dansources.com, phone: 301-217-0425 ext 400.

Protect devices

In our daily work at the Client we use a wide variety of devices such as PCs (laptops and desktops), printers, smartphones, external drives, and USB flash drives. These devices enable us to receive, store, and send information. What actions can we take to protect these devices, and the information assets they contain? Find out by completing the exercises on the next few screens.

Protect devices—continued

The use of USB flash drives from unknown sources is a growing concern. You should only use USB flash drives obtained from known sources such as established retailers and Client suppliers. A USB flash drive from an unknown source could contain malware that damages your computer, infects others on the Client network, or leaks confidential information to an attacker.

What should you do if you find a USB flash drive that does not belong to you, or if you receive a free one?
A. Review the contents on your PC to see if it is usable.
B. Do not insert the device into your USB port nor use the device at all.
C. If found in a Client facility, turn it in to Security at the site. If your site does not have Security personnel, give it to your manager.
D. Scan the device on your PC for viruses before inspecting any data.
E. Both B and C.

The correct answer is: E. Both B and C.

Do NOT insert the device into your USB port or use it at all, even to scan for viruses! Simply plugging in an unknown device can be enough to compromise your PC, so scanning it first (option D) is not a safe alternative. If found in a Client facility, turn it in to Security at the site. If your site does not have Security personnel, give it to your manager.

Protect devices—continued

Protect your PC and smartphone as you would any other valuable item. Which of the following actions helps to protect your PC?
A. In your work environment, secure your laptop with a locking device. When the laptop is not in use, put it away in a locked drawer or cabinet.
B. Encrypt your PC per Client IT Security requirements.
C. Record the model and serial number of your PC and keep this information somewhere other than with your PC.
D. Use strong passwords and do not share them with anyone. Strong passwords must meet the required minimum length, use different types of characters, and must be changed if suspected to be compromised.
E. All of the above.

The correct answer is: E. All of the above. All of the actions listed are important measures for protecting your PC.

Protect devices—continued

Your PC and smartphone are especially vulnerable while you are traveling. Follow these best practices during travel.
– Keep your eye on your PC or smartphone.
• Never let your PC or smartphone out of your sight in an airport or other public area.
• If you set your PC down while checking in at the airport counter or hotel registration desk, protect it. For example, lean it against your leg so you can feel its presence, or hold it between your feet.
– Carry your PC or smartphone with you.
• When traveling by plane or rail, never place your PC or smartphone in checked baggage.
• Don't leave your PC or smartphone unattended or in the overhead compartment.
• Never store them in a public locker.
• Keep your PC or smartphone out of sight while driving and do not leave them behind in your vehicle. If you have no other option, lock them in the trunk, out of sight, before arriving at your destination.
• If you must leave your PC in a hotel room, keep it out of sight and ensure it is appropriately secured.
– Restrict access to your data.
• Encrypt your removable storage devices such as flash drives and external hard drives. Use strong passwords and do not share them with anyone.
– Secure sensitive information.
• Be aware that anyone can read over your shoulder when you are in a public place, so do not view anything on your PC or smartphone screen that you wouldn't want the public to see.
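The password rules stated on the preceding slides (a required minimum length, a mix of character types, never shared, changed if suspected to be compromised) can be turned into a check you run on a candidate password before adopting it. The following Python example is added here and is not part of the DanSources or Client training material. The 12-character minimum, the three-of-four character-class rule, and the short list of compromised-password hashes are assumptions chosen for the demonstration; substitute the values from Client IT Security requirements.

```python
"""Password-policy check for the strong-password rules in this deck.

Added example, not part of the DanSources/Client material. The numbers below
are assumptions: the deck says only "required minimum length" and "different
types of characters" without giving figures.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

MIN_LENGTH = 12   # assumed; replace with the Client IT Security minimum
MIN_CLASSES = 3   # assumed; of lower / upper / digit / symbol

# Constructed sample: SHA-256 digests of passwords known to be compromised
# (for instance, ones that were read out over the phone or seen in a breach
# dump). Storing digests rather than plaintext keeps the list itself from
# being a password leak if it is shared. A real list would be far larger.
COMPROMISED_SHA256 = {
    hashlib.sha256(p.encode("utf-8")).hexdigest()
    for p in ("Password123!", "Summer2011!!", "Welcome1234!")
}


@dataclass
class PolicyResult:
    ok: bool
    failures: list[str] = field(default_factory=list)


def character_classes(password: str) -> int:
    """Count how many of lower, upper, digit, symbol occur in the password."""
    classes = (
        str.islower,
        str.isupper,
        str.isdigit,
        lambda c: not c.isalnum() and not c.isspace(),
    )
    return sum(any(test(c) for c in password) for test in classes)


def check_password(password: str, username: str = "") -> PolicyResult:
    """Evaluate one candidate password; every rule it breaks is reported."""
    failures: list[str] = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than the {MIN_LENGTH}-character minimum")
    if character_classes(password) < MIN_CLASSES:
        failures.append(f"uses fewer than {MIN_CLASSES} character types")
    if username and username.lower() in password.lower():
        failures.append("contains the username")
    digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
    if digest in COMPROMISED_SHA256:
        failures.append("matches a known-compromised password; change it")
    return PolicyResult(ok=not failures, failures=failures)


if __name__ == "__main__":
    # Constructed candidates for the user "marie" from the scenario slide.
    for candidate in ("marie2011", "Welcome1234!", "Correct-Horse-Battery-9"):
        result = check_password(candidate, username="marie")
        verdict = "OK" if result.ok else "REJECT: " + "; ".join(result.failures)
        print(f"{candidate!r}: {verdict}")
```

The check reports every failed rule rather than stopping at the first, so a user sees at once why a choice was rejected. The compromised-password comparison is deliberately hash-based: it means a password that was given out by phone, as in the Marie scenario, can be blacklisted without the list itself revealing it.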
Protecting sensitive information

Ensure that sensitive data is protected by taking these precautions:
– Distribute documents and provide access to data only to those parties who have a defined business need to know the information, and only for the required type of access.
– Do not leave hardcopy or electronic confidential files in public areas.
– Use the private printing option when printing sensitive information to shared printers within Client facilities.
– Securely destroy information that is no longer needed through the Client's approved processes.

Electronic Information Security

Review these five additional points about protecting information in electronic form.
– Passwords
• In addition to using strong passwords, be sure that all passwords you set on Client-controlled applications or servers for Client business use are different from any passwords set on personal, non-Client email accounts (e.g., Gmail, Hotmail) and different from any passwords on other systems not under the Client's control. If a personal account is breached, a reused password lets the attacker straight into Client systems.
• Never provide your Client Windows domain username and password to a non-Client web site.
– Email security
• Encrypt or digitally sign emails when appropriate, depending upon the data sensitivity label.
• Ensure the data on your PC is protected.
• Protect sensitive data on your removable devices, such as USB hard drives and flash drives, using RME (Removable Media Encryption).
– Links in emails
• Do not click on links in unexpected or suspicious emails. Otherwise you expose yourself and the Client to a malicious software attack or unauthorized disclosure of sensitive information.
– Approved devices
• Use only Client-approved voice communications devices when selecting voice headsets and phones, including wired phones, mobile/cellular phones, and cordless phones, for Client business use.
– Wireless networks
• Do not install any unauthorized wireless access points in a Client facility or on the Client's network.

Information security do's and don'ts

Here are some additional tips for protecting the Client's information assets:
• DON'T place Client sensitive information assets on any social networking sites.
• DON'T discuss sensitive Client business in public.
• DO safeguard the Client information assets to which you have access, and only provide them to authorized individuals with a business need for the information.
• DO ensure that the latest antivirus software is running on your system with the latest updates.
• DO properly dispose of information assets that are no longer needed.
• DO remove all sensitive materials from conference rooms after meetings. Ensure chalkboards and whiteboards are erased and that information recorded on a flip chart is secured or destroyed.
• DO immediately report any loss of information assets.

Lifecycle of information

The Client uses a lifecycle-of-information approach to protecting information assets. This means it is our responsibility to protect every stage of a product's or an information asset's lifecycle, from design or acquisition to disposal, or from proposal to termination. Best practices for this approach:
– When an information asset is generated, it is the originator's responsibility to determine how it should be labeled.
– Once generated, the information asset must be properly labeled, transmitted, and stored, and access controls applied for the appropriate type of access.
– Information assets should only be distributed to those parties with a business need to know the contents.
– In order to protect your PCs, smartphones, and the Client, ensure that all security software updates are installed as soon as they are available.
– Any person who is provided with an information asset must ensure it is safeguarded against unauthorized access at all times.
– Information assets that are no longer needed or are outdated must be destroyed through approved means.
– The Guidelines for Labeling Client Information Assets provide valuable information on labeling and handling sensitive data.

Conclusion

In summary
– Unauthorized disclosure of Client information is not allowed and harms the Client by weakening our competitive position.
– To provide lifecycle-of-information protection for the Client's information assets, employees and third parties with access to these assets must comply with established Client information security standards.
– When confronted with internal and/or external requests for information, always authenticate the identity of the person making the request and the specific need for the information.
– Protect your PCs and other devices as you would other valuable items. Ensure your PC and removable storage devices are encrypted and physically protected.
– Remember, you are protecting DanSources and the Client!

Information Security @Client: Take-Aways for keeping information secure
1. Physically secure your PC and other electronic devices.
2. Ensure your PC is encrypted.
3. Use strong passwords; never share or disclose them.
4. Have approved anti-malware software running with current definitions.
5. Do not download suspicious or unapproved software from unsolicited e-mail, and do not click on links to unfamiliar websites.
6. Accept PC-COE updates and apply security patches.
7. Protect information assets in all forms (electronic, hardcopy, intellectual) during the entire life cycle, and use approved methods to dispose of the information.
8. Use collaboration tools securely (e.g., encrypt emails when required; apply access controls on shared files).
9. Understand and follow Client security policies and procedures.
10. Be aware of your surroundings and stay alert. Validate all requests for Client information assets.
11. Report security incidents.

Course completion

By informing your manager, you agree to the following:
– I have completed the Information Security at Client for Contingent Workers Training.
– I understand that this course was an overview and that I am responsible for reviewing the appropriate resources and policies.
– I acknowledge my responsibility to comply with the requirements set out in this course and with any other relevant agreements specific to any project or customer activities on which I am working. In addition, I acknowledge my responsibility to comply with the referenced policies and to seek appropriate resources should I have a question or need to report a violation.

Conclusion

Congratulations! You have now completed the Information Security at DanSources Technical Services for Contingent Workers Training. Remember, if you come across any incident that needs reporting, contact your Site Manager, your DanSources Account Manager or the Facilities Security Officer, Dan Fahey. We maintain normal daytime operating hours and can be emailed or a message left at any time.
Dan Fahey – FSO
Email: danfahey@dansources.com
Phone: 301-217-0425 ext 400

Thank you for your participation.