Stop!! THINK Click Who must complete this training All Users: This training is required for all individuals, including contractors and vendors, with security access to sensitive or confidential systems owned by the Department for Aging and Rehabilitative Services (DARS). New Users: Each individual must complete this training when security access is granted. Annually: Refresher security training is required annually. Certification: Supervisors must certify and report completion of training to their DARS system administrator or contacts. FRS-Support/LTESS-EES: Donna Bonessi Div for the Aging: Leonard Eshmont Stop! THINK Click Accessibility This program is designed to meet standards for accessibility for individuals with disabilities. This presentation is adapted for use in a small class or staff meeting that allows individuals to participate by listening to the narrator or reading the content directly from each slide. This program is also formatted for use with screen readers. The program should be narrated directly from the slide presentation. For individuals that are deaf or hard of hearing, closed captioning is not required and interpreters are not needed unless external discussion is included. Stop! THINK Click Learning Objectives In this program you will review: Policy: Review and understand current security policies that govern your use of COV and DARS systems and data. Threats: Identify common threats to COV systems, confidential data and sensitive information. Your Role: Understand what you can do to improve security, and how to report incidents and suspicious activities. Stop! THINK Click Section One: Overview of Cyber Security Policies This section reviews current scope of policies for the Commonwealth of Virginia (COV) as they relate to devices and files, logons and passwords, security updates, physical security, and protected data. Stop! THINK Click Section One-Policies: Scope of Policies All COV agencies, contractors and vendors with access to sensitive or confidential systems are required to adhere to policies governing personally identifying data, protected health information, and sensitive data, including policies published by the Virginia Information Technology Agency (VITA). All Users with access to COV networks and DARS systems must follow these policies. The Information Security Access Agreement (ISAA) is required to be signed by all individuals requesting access to COV and DARS systems. Stop! THINK Click Section One-Policies: Logons/Passwords COV requires enforcement or the following standards Use of “strong passwords” which include upper case alpha, lower case alpha, numeric (0-9) and non-alphabetic characters (~ ! # $ % ^ & *) in positions 2-6. Passwords must be changed every 90 days. Passwords cannot be changed in less than 7 days. and cannot have been used within last 4 changes. Five unsuccessful attempts will lock your account. These are secure standards you should also apply to all of your accounts, including personal accounts. Stop! THINK Click Section One-Policies: Logons/Passwords (continued) Your Role: The policy also states that end users are responsible for enforcement of certain standards: Your system or browser may not be configured to remember passwords. Passwords will not be written down and posted in plain sight. You may NEVER share your passwords with anyone else for any reason. Stop! THINK Click Section One-Policies: Security Updates VITA enforces the following standards for security updates and patches: Operating systems will be protected by applying automatic security updates and patches. Applications are configured for automatic security updates and patches (For example, for Microsoft Office, Outlook, Internet Explorer, Adobe Reader). Security Software such as McAfee and Norton Antivirus will be kept up to date and configured for regular scans. Security software should be set to scan Internet pages, email, attachments, and downloads. Your role: You should not change automatic settings or over-ride security updates. Stop! THINK Click Section One-Policies: Devices and Files Devices, including external digital storage devices, must be owned or approved by your organization to be connected to sensitive DARS systems. PC’s will be manually locked when unattended, automatically locked after a period of inactivity, for example, fifteen minutes, set to require a password to re-activate, logged off overnight. Files must be stored and backed up on your server and must be encrypted when shared over network connections. Stop! THINK Click Section One-Policies: Physical Security Physical security policy requires protection of your work space, physical devices and files. You must: Lock or shut down your workstation when you leave your desk or leave your laptop/mobile device unattended. Lock sensitive paper documents and materials in a file cabinet. Dispose of sensitive materials appropriately. Never share your building access key, card or fob. Always question unescorted strangers. You must always report incidents and suspicious activities to your manager and security officer. Stop! THINK Click Section One-Policies: Protected Data Certain types of data are protected and regulated by the: Social Security Administration (SSA) Controls the use of social security numbers (SSN’s) U.S Department of Health and Human Services (HHS) Administers the Health Insurance Portability and Accountability Act (HIPAA) Virginia Information Technology Agency (VITA) Responsible for the information security standards commonly referred to as “Sec 501” Library of Virginia (LVA) Governs all records, including electronic files, under the authority of the “Virginia Public Records Act”) Stop! THINK Click Section One-Policies: Protected Data (continued) Types of protected data can include: Protected Health Information (PHI) Such as data contained in medical and health records and is governed by HIPAA. Personally Identifiable Information (PII) Includes use of Social Security Numbers (SSN) governed by the SSA, and can include the SSN in combination with other identifying information such as name, date of birth, employment, insurance, residence and telephone numbers. If lost, compromised, or disclosed without authorization, this information could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. Sensitive data Defined as data, documents, or files which, if compromised, would have an adverse effect on the COV, your agency or organization, and is governed by VITA (Sec 501) and the Library of Virginia (Records Act). Stop! THINK Click Section One-Policies: Protected Data (continued) Required Protections by Users: All PHI, PII and sensitive data must be protected by: Storing data and files in a secure physical environment, Storing files only on devices owned and approved by your organization, Encrypting mobile and external storage devices that contain these files, including laptops, external hard drives, USB “thumb” drives and CD’s. Encrypting files that are “in transit” which includes files sent via email and non-secure direct file transfer Stop! THINK Click Section One-Policies: Summary Your role: Always be aware that COV/DARS systems are governed by security policies and regulations, and follow safe practices that are in your control. Do not share your access with anyone, including your passwords, keys, badges, and access codes. Keep your PC desktop locked when you are not using it, and lock your mobile devices in a secure location. Protect your files and do not send them via email or share them electronically without encryption. Be aware of your work area and physical surroundings and report suspicious activity. Stop! THINK Click Section Two: Common Cyber Security Threats This section reviews common cyber security threats with suggestions on what you can do to protect yourself and COV/DARS systems from harm. Stop! THINK Click Section Two-Threats: Two Basic Concepts Concept One: Electronic systems may not be secure. VITA and DARS, and your organization attempt to provide protections with firewalls, electronic enforcement and monitoring systems. But that does not completely protect you from interacting with malicious and harmful software. You can still be targeted directly and persistently by email messages, texts, and malicious Internet links. Concept Two: You control what you click. Even with all the security COV/DARS and your organization can apply, most end user threats are targeted specifically in hopes that you will go ahead and click on a harmful link, attachment, picture, video or icon in an email or web page, including social media applications. Stop! THINK Click Section Two-Threats: The Key to Your Role Stop!: Pause before you click Your work relies on email and Internet interactions. Take a moment and remember that each click could be potentially harmful. Even if it at first appears to be from a legitimate source. Think!: Verify and Validate You must be aware, be alert and diligent. Always look for the signs that external entities are trying to gain access to your PC and your network. Click: Proceed only if you are confident it is safe Stop! THINK Click Section Two-Threats: Email Threats Phishing, Spoofs, Hoaxes, Malware, Scams and Spam The most prevalent and persistent threats to your security arrive in your Inbox. They come by different names and may even appear legitimate and even supposedly from people you may know. The Common Threat: Malicious emails appeal to your greed, your fear, your sense of humor, your curiosity, and even your compassion. They are designed to get you to click on an item such as an attachment, link, picture, or video. Result: If you click, you may launch a harmful program or be directed to a harmful web site. You may then find your personal information compromised, and you may subject your organization’s network to malicious software and possibly direct infiltration. Stop! THINK Click Section Two-Threats: Email (continued) Stop!: Pause before you click. Do not assume that links in your email are automatically safe, Especially if the link is requesting you to provide personal information. Think: Look at emails carefully If you cannot identify the source and attachments as legitimate, or you cannot be sure the links are safe by looking at the actual destination web address, you can logically conclude that you should be cautious. Click: Only after you are confident that the action is legitimate and safe. Protect all of your email accounts. Report all incidents and suspicious activity to security. Stop! THINK Click Section Two-Threats: Internet Threats Browsing Can Hazardous To Your PC The Internet is a significant resource for business and government services. However, some of the same issues that attack email can create security issues that you need to be aware of while browsing directly on the Internet. The Common Threat: On the web, the threats mainly come from malicious links. Most of the threats come when you click on a link, icon, picture, video, etc., that launches malicious programs or redirect you to dangerous sites. Result: If you click, you may then find your personal, client, and sensitive business information compromised. You may also subject your network, PC and other devices to malicious software. Stop! THINK Click Section Two-Threats: Internet (continued) Stop: Pause before you click Do not automatically click on Internet links until you have confidence in them. This includes pictures, videos, and navigational elements. Think: Look at the actual address for the links Look at the actual address for the links in question. For instance if the link indicates “Click Here” be sure to identify the actual destination web address before you proceed. Look for external web addresses that are secure. The address should begin with “https://” instead of “http://” Click: Only after you are sure the destination web site is safe. Browse Safely Report all suspicious links and web sites to security. Stop! THINK Click Section Two-Threats: Social Media Social Media can be un-sociable While usually relatively safe (for instance, DARS Face Book and Twitter pages) the rapid increase in social networking and collaborative sites like Face Book, LinkedIn, You Tube, and Twitter have offered new opportunities for hackers and thieves. The Common Threat: It is PERSONAL! By nature these sites are personal. You may be sharing highly personal information, including information about yourself, employer and perhaps even about clients. You are communicating with others in a highly interactive, very public, and non-secure environment. Result: You could find highly personal and sensitive information compromised. When visiting and using these sites always use the highest level security settings and be careful of the personal information and even images that you post. Stop! THINK Click Section Two-Threats: Social Media (continued) Stop: before you, “like,” “share” or “post” Assume that everything you post can possibly be re-posted and used without your permission Think: Is it secure and appropriate? Use the highest security and privacy settings for your personal social media accounts Be careful of sharing work related information and in particular do not share any information about clients or violate the mandate against dual relationships Be aware that malicious links, videos, and other harmful items can be posted on social networking sites Check to see if links posted by others are designed to take you to alternate sites that appear suspicious Click: Only after you are sure the action is legitimate and appropriate and that you are not compromising your personal information or others Be social, but also be careful, and appropriate Report all suspicious postings and information breaches to security Stop! THINK Click Section Two-Threats: Files Files Require Protection and Encryption The DARS business process requires sharing of information that is confidential, personally identifiable and sensitive. This information must be secured and maintained according to federal standards, COV security standards and Library of Virginia requirements. Information that is being digitally shared is termed “In Transit” and must be encrypted. This includes files that are being sent via email. If digital encryption is not available the policy allows for files to be faxed. The Common Threat: Data Leak and Data Breach Unprotected files may be leaked and data may be stolen. Result: Potential financial and legal penalties Data leaks and breaches may result in identity theft, financial loss, and other malicious uses. Incidents come with legal and financial implications to the COV and DARS, and to individuals. Stop! THINK Click Section Two-Threats: Files (continued) Stop: Before you save or share a file Assume there is a potential for a data leak or data breach. Understand that sending unprotected files via email is not secure. Be cautious that transferring files on the Internet may also not be secure, depending on how the site is configured. For instance, https versus http. Think: Is it Secure? When you are saving a file, are you storing it on a secure server , an encrypted PC or external device that is owned and approved by your organization? Assume that sharing any file is potentially a data leak. If sharing a file using email, are you able to use encryption? Click: Only if you are saving the file to a secure location Only if you are sharing a file using encryption. If not, use fax Share Files Securely. Report immediately all suspected data breaches and data losses Stop! THINK Click Section Two-Threats: Telework/Internet Connections For mobile workers: be careful with your connections The ability to work away from the office is beneficial and flexible. But mobile workers need take special note of the inherent risks when connected to public access points including wireless connections. Special care should taken when working with these connectopms. The Common Threat: It is Public! Public access points, or Internet connections, are just that: Public. All your activity is potentially exposed. Especially if it is wireless. Result: Compromised systems and data breaches Individuals with the knowledge and ability can take over an unprotected PC and load malicious software or steal information including passwords. Stop! THINK Click Section Two-Threats: Telework/Internet Connections (continued) Be sure to connect securely to public access points Virtual Private Network (VPN): ○ VPN allows you to launch a secure Internet connection so that even with a public access point, you are able to work connected securely to DARS systems, connect to your own organization’s applications and file shares with a greater level of confidence. Device Encryption: ○ Always make sure your Laptop, Tablet Smart Phone or other mobile device is password-protected. ○ Device encryption and anti-virus software should be installed on all mobile devices that connect to COV systems. Stop! THINK Click Section Two-Threats : Telework/Internet Connections (continued) Stop: Check your connection Assume all public Internet connections are not secure, including all wireless access points. Think: Is it Secure? When you are prompted to connect to a public access point, be sure you know what you are connecting to. It is not secure unless you connect to a public access point using VPN. Click: Only if you are confident in the connection and you are using VPN. Telework Safely! Always use VPN when you are mobile Stop! THINK Click Section Two-Threats : Reporting Incidents Report incidents and suspicious activities including potential data leaks and data breaches to: Your Manager Your Organization’s Security Officer Your DARS System Administrator or Security Contact ○ For ESO’s (LTESS/EES): - Donna Bonessi or Ella Barnes ○ For AAA’s (NWD): - Leonard Eshmont Stop! THINK Click DARS Cyber Security Pledge I, _____________________________________________ Date: _________________ PLEDGE to: Stop, and Think (consider appropriateness and risk) before I Click on links, attachments and other objects that connect to the Internet or launch programs. Take personal responsibility for security, follow my organization’s security policies, and adhere to sound security practices. Lock my computer whenever I leave my work area. Safeguard portable computing equipment when I am in public places. Create and use strong passwords, and never share my password(s) with anyone. Never leave a written password (sticky note, etc.) near my computer, or easily accessible. Promptly report all security incidents or concerns to my organization’s security officer or other appropriate contact. Safeguard Protected Health Information (PHI), Personally Identifiable Information (PII) and sensitive data from any inappropriate disclosure. Work to the best of my ability to keep my organization’s staff, property and information safe and secure. Spread the message to my friends, co-workers and community about staying safe online Stop! THINK Click Remember: Security is a shared responsibility. Take the time and care every day to protect yourself, your organization, your clients, and your family, through your own cyber-safe practices. Stop! THINK Click Additional Resources VITA http://www.vita.virginia.gov/security/toolkit/ OnGuardOnline.Gov: Securing your computer: http://www.onguardonline.gov/topics/secure-your- computer NIST: 7 Practices for Safer Computing http://csrc.nist.gov/groups/SMA/fasp/documents/security_ ate/stopthinkclick.pdf Stop! THINK Click