Information Security at HP for Contingent Workers

DanSources
Information Security
Presentation
for Staff, Consultants,
Contingent, Contract Workers
©2011 DanSources Technical Services
Welcome
Welcome to DanSources
As a DanSources Staff Member, Consultant, Contract or Contingent worker,
your employment may require that you have access to our Client's intranet,
Client information, or Client computer systems. This is a training program
designed to make you aware of your responsibilities for safeguarding our
Customers' information and maintaining the integrity and security of the
systems to which you have access.
You may also be bound by contractual provisions
specific to projects or customer activities on which you
are working.
Please take this opportunity to make sure that you
understand the rules, can recognize potential dangers,
and know when and how to ask for help. We count on
you to act responsibly and do the right thing to protect
the Client, our employees, and our customers.
Course notes
Within this course you will find links to some
online resources. You may want to bookmark
some of these resources so you can easily
access them later. If you do not have access to
the Client intranet, you may need to obtain the
additional information from your manager.
At the conclusion of this course you will be
required to attest to the fact that you have
completed the course and understand your
responsibilities.
After you have completed the course, we will
email you a form to sign validating your
completion of the course.
Information Security
Information security is headline news around the world. The headlines show this
matter to be serious and far-reaching.
Introduction
In this course, we will discuss information
security and the protection of the Client’s
information assets. This is important because
the loss of information compromises our
competitiveness in the marketplace and our
success as a business.
We have an obligation to our customers, and
each other to protect information assets that
are entrusted to us, whether we are dealing
with information in physical, electronic, or
intellectual form.
Protecting the Client's information is every worker's responsibility. To help
you understand and fulfill this responsibility, we will review the requirements
and guidelines for protecting the Client's information assets.
Information Security: The Weak Link
Consider this scenario:
Using a technique called “social engineering,” a hacker tries to breach the
company’s computer network by randomly calling workers and trying to get them
to give out passwords.
The caller reaches Marie (an employee) and states that he is calling from the
“help desk.” Identifying himself as Steve Smith, he says he is trying to resolve a
network issue. He notes that she works for Joe, and asks Marie to give him
Joe’s password, which he’ll need for the work he’s doing. Marie seems reluctant,
so he applies some pressure, naming another manager he says he can
conference in on the call.
Marie, feeling that this doesn’t seem right, begins to question the caller. She
asks again, “What is your name and who do you work for?” When he doesn’t
give a manager’s name but merely repeats that he works for the help desk, she
states she can look him up in the Global Address List to confirm. He abruptly
disconnects the call. This confirms Marie’s suspicion that he was a hacker.
Marie was cautious and did not put the company’s network at risk.
The Weak Link—continued
Not all threats to information security involve
techniques using sophisticated technology. In this
scenario a hacker uses "social engineering"
techniques to exploit human nature. The employee in
the scenario, Marie, did a good job of asking
questions about the caller's identity and whether he
was entitled to the information he was requesting.
Marie correctly attempted to validate the caller's
identity and need for the information and was not
fooled into cooperating with the hacker.
In this scenario, the hacker was trying to obtain Joe's
password. Another important point to remember is
that at the Client, Marie should never have her
manager's password. We don’t share our passwords
with others.
What is social engineering?
Social engineering is commonly defined as the manipulation (e.g., trickery,
lying, etc.) of people into performing acts or divulging confidential
information. It is one of the more common techniques outsiders use to breach
the security of an organization and gain unauthorized access to systems and
information.
What can happen?
What can happen if the Client's information is not protected?
Security breaches and compromised information can impact the Client's
competitive advantage, tarnish our brand, be costly for both the Client and
our customers, and damage your reputation for future employment.
Prevent security threats
External parties place a high value on information
assets that might help them understand Client’s
strategic direction as well as product
development status, the nature of our security
controls, and other sensitive information.
Beware of non-Client acquaintances who probe for information about you and
your work and do not have a valid business need for this information. They may
be attempting to obtain Client information for their own benefit or for another
party, thus compromising the Client's competitive advantage.
Visibly display your Client badge at all times while inside a Client facility.
Ask others not wearing their badge to follow this Client security requirement.
Protect yourself and our Client
How do we protect ourselves and our company
against social engineering? There is no foolproof
way, because the art of deception is always
changing.
However, there are some steps you can take to
avoid becoming a victim and compromising Client's
sensitive information. We'll explore these in the
following scenario.
Someone you do not know personally calls you and claims to be a Client worker.
You ask the person to send you an email and include contact information.
Did you handle this appropriately?
A. Yes
B. No
Protect yourself and our Client
Did you handle this appropriately?
A. Yes
B. No
The correct answer is: A. Yes
Asking the caller to send you an email with their contact information is a way of
authenticating the person's identity. It allows you to gather information about the
person and verify that they are who they say they are. In addition, you must also
ensure the person is authorized to have the information they are requesting.
Other ways to authenticate are:
– Look them up in PeopleFinder.
– Ask them for their manager's name, their organization, or other identifiable
information.
Protect yourself and our Client —continued
Be alert! Social engineers are skilled! You don't need to be
paranoid, just be aware that this type of activity does occur.
If your instincts tell you that something doesn't feel right,
proceed with caution. It's better to be safe than sorry. Be
aware that social engineers use phone, email, and even
face-to-face contact.
If you are in a situation where you have to question
someone's identity or ask why the person needs the
information, be polite but firm. This person may in fact be a
legitimate Client employee looking for information for which
there is a business need. If legitimate, the requestor will
understand and appreciate your caution as long as you are
polite.
If you are suspicious about a phone call, email or person
asking inappropriate questions, report it to your site
manager and the DanSources Account Manager or our
Facilities Security Officer (FSO). Our FSO is Dan Fahey,
email: danfahey@dansources.com, Phone: 301-217-0425
ext 400
Protect devices
In our daily work at Client we use a wide variety of
devices such as PCs (laptops and desktops), printers,
smartphones, external drives, and USB flash drives.
These devices enable us to receive, store, and send
information.
What actions can we take to protect these devices, and
the information assets they contain? Find out by
completing the exercises on the next few screens.
Protect devices—continued
The use of USB flash drives from unknown sources is a growing concern. You
should only use USB flash drives that are obtained from known sources such
as established retailers and Client suppliers. USB flash drives from an unknown
source could potentially contain a virus that might damage your computer,
infect others on the Client network, or even leak confidential information to an
attacker.
What should you do if you find a USB flash drive that does not belong to you or
if you receive a free one?
A. Review the contents on your PC to see if it is usable.
B. Do not insert the device into your USB port nor use the device at all.
C. If found in a Client facility, turn it in to Security at the site. If your site does
not have Security personnel, give it to your manager.
D. Scan the device on your PC for viruses before inspecting any data.
E. Both B and C.
Protect devices—continued
What should you do if you find a USB flash drive that does not belong to you or if you receive a free
one?
A. Review the contents on your PC to see if it is usable.
B. Do not insert the device into your USB port nor use the device at all.
C. If found in a Client facility, turn it in to Security at the site. If your site does not have Security
personnel, give it to your manager.
D. Scan the device on your PC for viruses before inspecting any data.
E. Both B and C.
The correct answer is: E. Both B and C.
Do NOT insert the device into your USB port or use it at all, even to scan for
viruses! USB flash drives from an unknown source could potentially contain a
virus that might damage your computer, infect others on the Client network, or
even leak confidential information to an attacker.
If found in a Client facility, turn it in to Security at the site. If your site does not
have Security personnel, give it to your manager.
Protect devices—continued
Protect your PC and smartphone as you would any other valuable item.
Which of the following actions helps to protect your PC?
A. In your work environment, secure your laptop with a locking device. When
the laptop is not in use, put it away in a locked drawer or cabinet.
B. Encrypt your PC per Client IT Security requirements.
C. Record the model and serial number of your PC and maintain this
information somewhere other than with your PC.
D. Use strong passwords and do not share with anyone. Strong passwords
must have the required minimum length, use different types of characters,
and must be changed if suspected to be compromised.
E. All of the above.
Protect devices—continued
Which of the following actions helps to protect your PC?
A. In your work environment, secure your laptop with a locking
device. When the laptop is not in use, put it away in a
locked drawer or cabinet.
B. Encrypt your PC per Client IT Security requirements.
C. Record the model and serial number of your PC and
maintain this information somewhere other than with your
PC.
D. Use strong passwords and do not share with anyone.
Strong passwords must have the required minimum length,
use different types of characters, and must be changed if
suspected to be compromised.
E. All of the above.
The correct answer is: E. All of the above.
All of the actions listed are important measures to
take to protect your PC.
Protect devices—continued
Your PC and smartphone are especially vulnerable
while you are traveling. Follow these best practices
during travel.
– Keep your eye on your PC or smartphone.
• Never let your PC or smartphone out of your
sight in an airport or other public area.
• If you set your PC down while checking in at
the airport counter or hotel registration desk,
protect it. For example, lean it against your leg
so you can feel its presence, or hold it between
your feet.
Protect devices—continued
Best practices during travel:
– Carry your PC or smartphone with you
• When traveling by plane or rail, never place your PC or smartphone in
checked baggage.
• Don't leave your PC or smartphone unattended or in the overhead
compartment.
• Never store them in a public locker.
• Keep your PC or smartphone out of sight while driving and do not leave them
behind in your vehicle. If you have no other option, lock them in the trunk, out
of sight, before arriving at your destination.
• If you must leave your PC in a hotel room, keep it out of sight and ensure it is
appropriately secured.
Protect devices—continued
Best practices during travel:
– Restrict access to your data
• Encrypt your removable storage devices such as flash drives and external
hard drives. Use strong passwords and do not share them with anyone.
– Secure sensitive information
• Be aware that anyone can read over your shoulder when you are in a public
place, so do not view anything on your PC or smartphone screen that you
wouldn't want the public to view.
Protecting sensitive information
Ensure that sensitive data is protected by taking
these precautions:
– Distribute documents and provide access to data only to those parties who
have a defined business need to know the information, and only for the
required type of access.
– Do not leave hardcopy or electronic
confidential files in public areas.
– Use the private printing option when printing
sensitive information to shared printers within
Client facilities.
– Securely destroy information no longer
needed through Client's approved processes.
Electronic Information Security
Review these five additional points about protecting information in electronic
form.
– Passwords
• In addition to having strong passwords, be sure all passwords you set on
Client-controlled applications or servers for Client-business use are different
from any passwords set on personal non-Client email accounts (e.g., Gmail,
Hotmail) and different from any passwords on other systems not under
Client's control.
• Never provide your Client Windows domain username and password to a
non-Client web site.
Electronic Information Security—continued
– Email security
• Encrypt or digitally sign emails when appropriate, depending upon the data
sensitivity label.
• Ensure the data on your PC is protected.
• Protect sensitive data on your removable devices, such as USB hard drives
and flash drives using RME (Removable Media Encryption).
Electronic Information Security—continued
– Links in emails
• Do not click on links in unexpected or suspicious emails. Otherwise you
subject yourself and Client to a malicious software attack or unauthorized
disclosure of sensitive information.
– Approved devices
• Use only Client approved voice communications devices when selecting
voice headsets and phones, including wired phones, mobile/cellular phones,
and cordless phones for Client business use.
– Wireless networks
• Do not install any unauthorized wireless access points in a Client facility or
on the Client's network.
Information security do's and don'ts
Here are some additional tips for protecting
Client's information assets:
• DON'T place Client sensitive information
assets on any social networking sites.
• DON'T discuss sensitive Client business in
public.
• DO safeguard Client information assets to
which you have access and only provide it to
authorized individuals with a business need
to have the information.
• DO ensure that the latest antivirus software
is running on your system with the latest
updates.
Information security do's and don'ts—continued
Additional tips for protecting Client's information assets:
• DO properly dispose of information assets no longer needed.
• DO remove all sensitive materials from conference rooms after meetings.
Ensure chalkboards and whiteboards are erased and information recorded
on a flip chart is secured or destroyed.
• DO immediately report any loss of information assets.
Lifecycle of information
Client uses a lifecycle of information approach in protecting information assets.
This means it is our responsibility to protect every stage of a product or an
information asset's lifecycle—from design or acquisition to disposal, or from
proposal to termination.
Best practices for this approach:
– When an information asset is generated, it is the originator's responsibility to
determine how it should be labeled.
– Once generated, the information asset must be properly labeled, transmitted,
stored, and access controls applied for the appropriate type of access.
– Information assets should only be distributed to those parties with a business
need to know the contents.
Lifecycle of information—continued
Best practices for this approach:
– In order to protect your PCs, smartphones, and
Client, ensure that all security software updates
are completed as soon as they are available.
– Any person who is provided with an information
asset must ensure it is safeguarded against
unauthorized access at all times.
– Information assets no longer needed or outdated
must be destroyed through approved means.
– The Guidelines for Labeling Client Information
Assets provides valuable information on labeling
and handling sensitive data.
Conclusion
In summary
– Unauthorized disclosure of Client
information is not allowed and harms Client
by weakening our competitive position.
– To provide lifecycle of information
protection for Client's information assets,
employees and third parties with access to
these assets must comply with established
Client information security standards.
– When confronted with internal and/or
external requests for information, always
authenticate the identity of the person
making the request and the specific need
for the information.
In summary—continued
– Protect your PCs and other devices as you would other valuable items.
Ensure your PC and removable storage devices are encrypted and physically
protected.
– Remember, you are protecting DanSources and the Client!
Information Security @Client Take-Aways
for keeping information secure
1. Physically secure your PC and other electronic devices.
2. Ensure your PC is encrypted.
3. Use strong passwords; never share or disclose them.
4. Have approved anti-malware software running with current definitions.
5. Do not download suspicious or unapproved software from unsolicited e-mail
and do not click on links to unfamiliar websites.
6. Accept PC-COE updates and apply security patches.
Information Security @Client Take-Aways
for keeping information secure—continued
7. Protect information assets in all forms (electronic, hardcopy, intellectual)
during the entire life cycle and use approved methods to dispose of the
information.
8. Use collaboration tools securely (e.g., encrypt emails when required; apply
access controls on shared files).
9. Understand and follow Client security policies and procedures.
10. Be aware of surroundings and stay alert. Validate all requests for Client
information assets.
11. Report security incidents.
Course completion
By informing your manager, you agree to the
following:
– I have completed the Information Security at Client
for Contingent Workers Training.
– I understand that this course was an overview and
that I am responsible for reviewing the appropriate
resources and policies.
– I acknowledge my responsibility to comply with the
requirements set out in this course and with any
other relevant agreements specific to any project or
customer activities on which I am working. In
addition, I acknowledge my responsibility to comply
with the referenced policies and to seek appropriate
resources should I have a question or need to
report a violation.
Conclusion
Congratulations! You have now completed the
Information Security at DanSources Technical
Services for Contingent Workers Training.
Remember if you come across any incident that
needs reporting contact your Site Manager, your
DanSources Account Manager or the Facilities
Security Officer – Dan Fahey
We maintain normal daytime operating hours and
can be emailed or a message left at any time.
Dan Fahey – FSO
Email: danfahey@dansources.com
301-217-0425 ext 400
Thank you for your participation.