Information Security Awareness Training

Purdys Chocolatier

on 4 November 2014

Transcript of Information Security Awareness Training

Information Security
Awareness Training

Chapter 1:
Introduction to Information Security

What is Computer Security?
Computer Security is the protection of computing systems and the data that they store or access.
Why is Computer Security Important?
Computer Security allows Purdys to carry out its mission by:

- Enabling people to carry out their jobs

- Supporting critical business processes

- Protecting personal and sensitive information

Why do I need to learn about Computer Security? Isn't this just an I.T. problem?
Information Security is everyone's responsibility!
This means that everyone who uses a computer or mobile device needs to understand how to keep their computer, device and data secure.
Good Security Standards follow the "90 / 10" Rule:
of security safeguards are technical.
of security safeguards rely on the computer user to adhere to good computing practices
The lock on the door is the
. You remembering to lock the lock, checking to see if the door is closed, ensuring others do not prop the door open, keeping control of the keys, etc. is the
You need both parts for effective security.
Purdys employees are also responsible for familiarizing themselves and complying with all of Purdys policies, procedures and standards relating to information security (see Purdys PCI Security Policy).

Security Objectives

Learn "good computing security practices"

Incorporate these practices into your everyday routine. Encourage others to do so as well.

Report anything unusual - Notify the appropriate contacts if you become aware of a suspected security incident
The Internet can be a hazardous place
An unprotected computer can become infected or compromised within a few seconds after it is connected to the network

A compromised computer is a hazard to everyone else, too - not just to you
A compromised computer can be used for all kinds of surprising things.
A hacked computer can be used to...
Record keystrokes and steal passwords.
Send spam and phishing emails.
Harvest (and then sell for profit) email addresses and passwords.
Access restricted or personal information on your computer or other systems that you have access to.
Illegally distribute music, movies and software.
Distribute child pornography.
Infect other systems.
Hide programs that launch attacks on other computers.
Generate large volumes of traffic, slowing down the entire
What are the consequences for security violations?
Risk to security and integrity of personal or confidential information e.g. identity theft, data corruption or destruction, unavailability of critical information in an emergency, etc.
Loss of valuable business information
Loss of employee and public trust, embarrassment, bad publicity, media coverage, news reports
Costly reporting requirements in the case of a compromise of certain types of personal, financial and health information
Internal disciplinary action(s) up to and including termination of employment, as well as possible penalties, prosecution and the potential for sanctions / lawsuits
Don't be fooled by scams!
Criminals and hackers are constantly coming up with new schemes designed to compromise computers, trick you into revealing valuable information (personal, financial, etc.), steal passwords, or trick you out of money. It can be difficult to know if someone is telling the truth on the Internet. Scams can lead to identity theft, regular theft, access to your accounts and personal information, and compromised computers. A compromised computer can put ALL of your information and passwords at risk!
Chapter 2:
Protecting Your Device

Types of Scams

“There’s a problem with your account” – trying to trick you into sending your password or clicking on a link in order to fix a problem.
“Click this link” – trying to trick you into clicking on a malicious link designed to steal your information or infect your computer.
“Open this attachment” – similar to “click this link,” scams designed to trick you into opening a harmful attachment.
Phony security alerts – email, pop-ups or Facebook notices warning that your computer is at risk of being infected, typically with a link to click.
Money Phishing – trying to trick you out of money or bank/credit card account info, often by pretending to be someone from another country who needs assistance accessing a large sum of money, or a friend stuck in another country without any money.
Phishing Scam Indicators
Purdys and other reputable organizations will NEVER email you for your password, Social Insurance number, or any confidential or personal information.

Take the following fun, informative quiz to test how well you distinguish between email schemes and legitimate email: http://www.sonicwall.com/furl/phishing/
Chapter 4:
Data Security

Only use known, encrypted wireless networks when working with sensitive information

Purdys “PHQ_Private” is encrypted and should be for business use only. It is used by staff who need access to the secure WiFi to share files and access shared drives and presentations. PHQ_Guest is for visitors who do not have access to company data and simply require internet access; it is not encrypted. It is available at both the Chester HQ and Kingsway locations.

Set devices to “ask” before joining networks so you don’t unknowingly connect to an insecure wireless network.
Chapter 3:
E-mail and Social Networks

Social Network and Blogs
Social networking sites (such as Facebook and Twitter), personal web pages, and blogs are notorious as public sources of personal information and uncensored opinions.
Do not reveal personal details or confidential info online. Assume that anything you post to these websites is public and could potentially be used against you.
 A good rule of thumb is to only post information you would be willing to put on a banner displayed in a public place. 
Seemingly innocent information about your interests, family, or history could be used by hackers for identity theft, or by stalkers or social engineers.
Also keep in mind that once you post something online, it can be very difficult to “take it back.” Even if you delete the information, copies can still exist on other computers, web sites, or in search engines.
Protect Information in Email and IM
Never assume that email, instant messages (IM) or attachments are private or confidential.

Don't send restricted data or personal information via email or instant message (IM). These are not secure methods of communication.

Avoid sending large attachments. 

Use the “Bcc” (blind carbon copy) line for large numbers of recipients. 

This protects the email addresses of the recipients by hiding them and makes your email easier to read. 

Delete email and attachments when you no longer need them
Don’t click on links or open attachments in unexpected email or in pop-up ads/windows. These could compromise your computer or take you to malicious web sites designed to steal information.

Just opening a malicious web page or attachment can infect a poorly protected computer. Make sure you know where you’re going before clicking on a link or opening something. 

Instead of clicking on an unknown link – including “tiny URLs” – look up the website yourself (e.g. Google it) and go there on your own
Security Cautions
File Sharing Restrictions
File sharing software is prohibited by the Purdys Acceptable Use Policy.
Be extremely careful with file sharing software (BitTorrent, Kazaa, eDonkey, Limewire, etc.) and Instant Messaging (IM).
Improperly configured file sharing software can allow others access to your entire computer 
Files may not always be what they say they are
Also, if you share copyrighted files, you risk being disconnected from the Purdys network, as well as serious legal consequences
Some anti-virus programs cannot detect viruses in P2P/IM/chat files, so viruses and other malicious code can be spread this way
Protecting mobile devices / computers
A good rule of thumb is not to store anything you're not willing to lose or share with the world. That said, the following are some steps you can take to help protect information on these devices. Some of these steps may require additional configuration/setting changes:
Password-protect your mobile device with a complex password, and be sure your device requires a password to start up or resume activity.
Set it to automatically lock after a short period of inactivity.
Make sure your computer is protected with up-to-date antivirus and anti-spyware software
To help reduce the risk, look for "https" in the URL before you enter any sensitive information or a password. (The "s" stands for "secure")
Keep it with you or lock it up securely before you step away -- even just for a second.
Don't store sensitive information. Encrypt your device or sensitive contents if you do.
Don’t store passwords unless they’re encrypted.
Run current, up-to-date versions of the operating system and applications. Remember to sync often so you get available updates. Always install updates when your carrier tells you they are available.
Welcome to Purdys Information Security and Awareness Training!
This training consists of four chapters that will help you understand information security in depth.
Estimated time to complete this course: 20 minutes

Chapter 1 : Introduction to Information Security
Consequences of Security Violations
Types of Scams
Chapter 2: Protect Your Device
Computer and Mobile Device Security
How to Protect Your Passwords?
Precautions for Lost and Stolen Devices
Chapter 3 : Social Networks and E-mail
File Sharing Restrictions
Chapter 4 : Data Security
Types of Data
How to Protect Your Data?
What is a Computer Security Incident?
Reporting Computer Security Incident

Types of Data
There are three types of data that every user should know and they are:
1. Restricted Data
2. Confidential Data
3. Non-Confidential Data

Restricted Data - extremely sensitive information.
Examples: Social Insurance Number (SIN), driver's license number, financial account numbers, credit card numbers, and passwords.
Restricted data requires the highest level of security, often driven by legal and regulatory requirements and penalties.
Leaks of this type of information can lead to identity theft, news coverage/publicity, and reputational damage and costs to the company.
Restricted Data - Credit Card Data/PCI
Credit card information is regulated by the Payment Card Industry (PCI) Data Security Standard (DSS)
Description of the PCI Standard
The PCI DSS is a set of security requirements developed by credit card companies to ensure consistent data security measures for sensitive credit cardholder data.

These requirements apply to anyone who stores, processes, transmits or otherwise has access to credit cardholder data. They also apply to all system components included in or connected to the cardholder data environment.
Protect Your Data
Restricted data requires the highest level of security, often driven by legal and regulatory requirements and penalties.
Don’t work with sensitive Purdys information on a mobile device unless you can ensure the device meets Purdys security requirements.
Restricted data stored on mobile devices should be encrypted. This includes email, text messages, instant messages, documents, removable storage cards/devices, etc.
Encrypt passwords that provide access to restricted data. Even better, encrypt all stored passwords.
Make sure you have a secure (encrypted) connection before working with sensitive data.
Types of Data
2. Confidential data - moderately sensitive information.
Confidential data needs to be protected from unauthorized access. Don't post publicly online. Examples: home address and phone, birth date, gender, religious or sexual orientation, and other personal information; student records, grades, evaluations, letters of recommendation; sensitive research (this can also be classified as restricted, such as with certain government research).

Non-Confidential Data - non-sensitive information.
It's okay to share non-confidential information with others or post online. It's also okay to send and store this information in Google and other services.
Examples: Public company information, public web pages.
What is a Computer Security Incident?
A computer security incident is any attempted or successful unauthorized access, disclosure, or misuse of computing systems, data or networks (including hacking and theft).
A computer security incident may involve any or all of the following:
a violation of Purdys security policies and standards
unauthorized computer access
loss of information confidentiality
loss of information availability
computer/device theft
compromise of information integrity
a denial of service condition against data, network or computer
misuse of service, systems or information
physical or logical damage to systems
Reporting a computer security incident:
Report anything unusual. If it sets off a warning in your mind, it just may be a problem.
Don’t ignore it!

Immediately report suspected security incidents and breaches to your supervisor and the Purdys IT team. Be sure to indicate whether sensitive information may be at risk.

If you think your computer has been compromised, or someone might be accessing your computer remotely, it is best if you can unplug the network cable (and turn your wireless off, if you have it) and leave the computer on until help arrives.
Social Engineering
Other Examples
Trying to trick or manipulate people into breaking normal security

Social engineers exploit people’s natural tendency to want to trust and be helpful. They also take advantage of our tendency to act quickly when faced with a crisis.
A scam designed to steal information or passwords, compromise computers or trick you out of money - typically via deceptive emails, texts, posts on social networking sites, pop-ups or phone calls.

attackers pose as someone in authority, or an IT representative, in order to obtain information or direct access to systems. Attackers may research the target so they know enough to convince you to trust them.

Dumpster Diving:
going through trash to obtain valuable information for targeted attacks. Any sensitive information--paper or electronic--that is thrown away or recycled intact is vulnerable to dumpster diving.
How to Protect Your Password?
Keep your passwords secret!

Do not write your passwords on post-it notes! You are making it easier for hackers to steal your password.

Passwords shouldn't use complete dictionary words in any language spelled forwards or backwards, or a word preceded or followed by a digit (e.g., password1, 1password), your username or login, child's name, pet's name, birthdays, abc123, qwerty123, password1, or anything else easily guessable.

Never tell your Purdys password to someone on the phone (Purdys IT will not ask for this)

Use different passwords for different accounts. At a minimum, use a different password for less sensitive accounts than for more sensitive accounts. Also use different passwords for work and non-work.
Prevention in case of Theft or Loss
Back up or sync your data regularly.
Set your device to erase itself after repeated failed log-on attempts.
Enable remote wipe.
Enable location tracking, keeping in mind the privacy implications.
Set the device to display a "call if found" phone number.

Checklist for lost or stolen mobile devices:
Report to Purdys IT and local police if necessary.
If you used the device for work, notify your supervisor and also report it to the Purdys IT team so they can help identify and address potential compromised accounts or data.
For phones, notify your cellular carrier -- see if they can deactivate the device.
Change all passwords stored or used on the device, including email, Dropbox, banking, etc.
Notify credit card companies and banks if you used the device for shopping or banking.
Try to track its location, if possible.
Try remote wipe if sensitive data or passwords were stored.
Precautions for Lost and Stolen Devices
Information Security is everyone's responsibility. Good Security Standards follow the "90 / 10" Rule
[Refer Ch-1]
The Internet can be a hazardous place.
[Refer Ch-1]
Make sure your computer is protected with up-to-date antivirus and anti-spyware software.
[Refer Ch-2]
To help reduce the risk, look for "https" in the URL before you enter any sensitive information or a password. (The "s" stands for "secure".)
[Refer Ch-2]
Passwords should be at least eight (8) characters long with a mixture of upper- and lower-case letters, numbers, and symbols.
[Refer Ch-2]
Back up or sync your data regularly.
[Refer Ch-4]
If you think your computer has been compromised, or someone might be accessing your computer remotely, it is best if you can unplug the network cable (and turn your wireless off, if you have it) and leave the computer on until help arrives.
[Refer Ch-4]
Leaks of this type of information can lead to identity theft, news coverage/publicity, and reputational damage and costs to the company.
[Refer Ch-4]
- Purdys IT 2014
Tips for Creating a Secure Password
Passwords should be at least eight (8) characters long with a mixture of upper- and lower-case letters, numbers, and symbols.

Passwords that can't be complex should be at least 10 characters long.

A longer password consisting of several words separated by spaces can actually be more secure and easier to remember than a more complicated, obscure one.

Example: !H3ll0pw7!
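
The password rules from this training, expressed as a checker. This is an added example, not part of the Purdys course; the function names, the small constructed word list, and reading "can't be complex" as "lacks one of the four character classes" are assumptions.

```python
import string

# Constructed stand-in word list; a real check would load a full dictionary.
SAMPLE_WORDS = {"password", "chocolate", "welcome", "dragon"}
# Guessable strings the training names explicitly.
NAMED_WEAK = {"abc123", "qwerty123", "password1"}


def character_classes(pw):
    """Count how many of the four classes (lower, upper, digit, symbol) appear."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def is_word_based(pw, words=SAMPLE_WORDS):
    """True for a dictionary word, forwards or backwards, optionally with
    digits attached to the front or back (password1, 1password)."""
    core = pw.lower().strip(string.digits)
    return core in words or core[::-1] in words


def check_password(pw, username=""):
    """Return a list of rule violations; an empty list means pw passes."""
    problems = []
    low = pw.lower()
    if low in NAMED_WEAK:
        problems.append("named in the training as easily guessable")
    # Stricter than the slide: rejects any password containing the username.
    if username and username.lower() in low:
        problems.append("contains the username")
    if is_word_based(pw):
        problems.append("dictionary word, reversed word, or word plus digit")
    if character_classes(pw) == 4:
        if len(pw) < 8:
            problems.append("complex but shorter than 8 characters")
    elif len(pw) < 10:
        problems.append("not complex and shorter than 10 characters")
    return problems


if __name__ == "__main__":
    # The slide's own example, two weak ones, and a constructed passphrase.
    for candidate in ["!H3ll0pw7!", "1password", "drowssap", "purple kettle nine lamps"]:
        print(repr(candidate), check_password(candidate) or "OK")
```

A several-word passphrase passes on length alone, which matches the slide's point that a long phrase can be stronger than a short, obscure string.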
(est time: 3 mins)
(est time: 6 mins)
(est time: 3 mins)
(est time: 6 mins)
(est time: 2 mins)
What Next?
Please send an e-mail to
with the following sentence:

I have read the contents of this training course.

Your name and Shop/Department