Security Awareness


March 16, 2005

Network Computing

We just finished our annual employee briefings for IT security awareness as required by several regulations and our external auditors -- and of course a good idea in general. Awareness is not training but rather a point where we focus attention on this important topic.

Our IT security manager at ACME, Bucky Rogers, was keen to develop a formal security awareness program. We used various resources and guides to create our overall program. This annual briefing is just one part. We also take the time to alert employees about new severe threats and use those alerts to remind them of our awareness policy as well as our various security bulletins (useful info) posted on our intranet.

We present IT Security Awareness information at all our office sites, at employee staff meetings. We also provide a handout during those briefings. New hires also receive a briefing. Here are the general topics we cover in our annual briefings, all using layman terms.

AWARENESS
-- Employee's Role. All staff members are responsible for ensuring computer security; each individual has a role. Individuals must recognize the importance of IT security concerns and respond accordingly.
-- Reporting Issues. Do not hesitate to note possible issues. Bring any computer security related issues to the attention of the network or security staff.

PASSWORDS
-- Guidance. Do not write down your password. Do not share your password with other users. Do not let other people know your password, even the IT staff.
-- Aging. For security reasons, employee account passwords for network/computer systems are set to force a change every 60 days or the account will expire. Phone system password changes are required every three (3) months. Other systems may have similar expirations, up to at most 6 months.
-- Requirements. Passwords must be at least 8 characters long. Passwords may not contain your user name or any part of your full name. Passwords must contain characters from at least three of the following four classes: upper case letters, lower case letters, numerals, non-alphanumeric characters.
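As an added example (not part of the original post or ACME's own tooling), here is a small Python check that encodes the password rules listed above: the 8-character minimum, the ban on the user name or any word of the full name appearing in the password, the three-of-four character class rule, and the 60-day aging limit for network/computer accounts. The function names, the treatment of "any part of your full name" as each whitespace-separated word of the name, and the sample accounts are assumptions made for illustration.

```python
"""Password policy check modelled on the ACME awareness briefing rules.

Added illustration; the rule thresholds come from the briefing text, the
function names and the sample account data below are constructed.
"""
from datetime import date, timedelta

MIN_LENGTH = 8               # "at least 8 characters long"
MIN_CLASSES = 3              # "at least three of the following four classes"
NETWORK_MAX_AGE_DAYS = 60    # "force change every 60 days"


def character_classes(password: str) -> int:
    """Count how many of the four classes (upper, lower, digit, other) appear."""
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes)


def name_parts(username: str, full_name: str) -> list:
    """The user name plus each word of the full name, lower-cased.

    Assumption: "any part of your full name" means each whitespace-separated
    word. Single-letter initials are skipped so that a middle initial does not
    disqualify every password containing that letter.
    """
    parts = [username] + full_name.split()
    return [p.strip(".").lower() for p in parts if len(p.strip(".")) > 1]


def policy_violations(password: str, username: str, full_name: str) -> list:
    """Return the rules the password breaks; an empty list means compliant."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    for part in name_parts(username, full_name):
        if part in lowered:
            violations.append(f"contains name part '{part}'")
    if character_classes(password) < MIN_CLASSES:
        violations.append(
            f"uses fewer than {MIN_CLASSES} of the 4 character classes")
    return violations


def password_expired(last_changed: date, today: date,
                     max_age_days: int = NETWORK_MAX_AGE_DAYS) -> bool:
    """True once the password is older than the aging limit (strictly older)."""
    return (today - last_changed) > timedelta(days=max_age_days)


if __name__ == "__main__":
    # Constructed sample account: user name "brogers", full name "Bucky Rogers".
    for candidate in ("Bucky2005!", "password", "Tr0ub4dor&3"):
        print(candidate, "->", policy_violations(candidate, "brogers", "Bucky Rogers") or "OK")
    print("expired:", password_expired(date(2005, 1, 1), date(2005, 3, 16)))
```

The aging check uses a strict "older than" comparison, so a password changed exactly 60 days ago is still accepted on the day of the check; shift it to `>=` if the policy is read as expiring on day 60 itself.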

ACCEPTABLE USE
-- Information. All employees have an obligation to protect confidential and sensitive information that is located on their computers, on the LAN, and in their e-mail files. Sensitive materials may preclude distribution outside of the company. Employees should not search through files or directories that are not part of their job function.
-- Responsible Use. Employees are required to use e-mail and the Internet productively and responsibly.
-- Property. E-mail, computers and the network are property of the company and are considered official records. The company may monitor business-related computer and LAN files and e-mail communications at its discretion.

ELECTRONIC MAIL
-- General. E-mail is not always secure. Use appropriate discretion when communicating via e-mail.
-- Viruses. Do not open any e-mail attachments unless you are sure of both the content and the sender, since attachments may contain viruses or worms.

PHYSICAL SECURITY
-- Locks. All desktops, laptops and monitors should be physically locked with a cable attached to the furniture when in the office.
-- Laptops. All laptop users should use a cable and lock when traveling, at another office, or in a hotel. Laptop users should keep close watch on the equipment when on public transportation or, for instance, on an airplane.

NETWORK SECURITY
-- Protection. There are various levels of protection between the individual employee and the Internet and/or other networks. This includes our firewall, anti-virus systems, and other infrastructure.
-- Patching. All systems, from servers to desktops, are kept updated to adjust for new threats.
-- Audits. Systems are audited several times yearly by different organizations.

MISCELLANEOUS
-- Network Drives. On network drives there exists folder and file security. Be aware that the default security for new top-level folders on the main shared drive allows all employees to view files.
-- Software. Do not download any software onto your work computer unless approved by the information technology staff.
-- Printouts / Faxes. Make sure to retrieve your intellectual property from printers and fax machines.
-- Screen. If you will be away from your computer for any amount of time, lock the screen so that you have to enter your password to regain access to the desktop or laptop.
-- Social Engineering. A potentially damaging type of computer/network attack that is becoming more prevalent on the Internet. The attacker convinces the victim to download and install a harmful virus or worm, or convinces the victim to divulge their account name or password or both.
-- IT Security Guidance. For future reference, various helpful documents related to security exist on the company intranet. For instance, there is a posting that shows how to protect oneself personally when online and a posting that covers anti-virus practices on home computers.
