Welcome to New Hire Orientation Information Security

Information Security Awareness Training Welcome Why is this important… Identity theft is the #1 fastest growing crime in the (world) Many of us has (direct or indirect) access to sensitive data. Custodians, data entry people, call center employees, HR, IT, Healthcare. UMMS Information Security CWM Office of Compliance & Review

What is Information Security? Info Sec is the protection of data in all forms Electronic files Static files Database files Paper documents Printed materials Hand written notes Photographs Recordings Video recordings Audio recordings Conversations Telephone Cell phone Face to face Messages Email Fax Video Instant messages Paper messages Whether or not an employee uses a computer in their job, We must consider that sensitive data can be found in many forms -Above List- Papers printed and left on the train Face-to-face conversations, FAX, telephone calls… Visible computer monitors with sensitive data can cause a reportable breach, and worse – the school may not even know it happened, much less – respond to it.

Why is this Important? A data breach could result in: Requirement to report the loss HIPAA, FERPA, MGL c.93H, PCI, SOX, others Civil and criminal penalties Damage to organizational reputation Loss of revenue Individual accountability Potential impacts of breach HIPAA fee structure $50k per record up to $1.5M $10k per record up to $250k for repeat violations $100 per record up to $25k for repeat violations Criminal, Civil fines, Organizational reputation, Lost revenue (unlike TJX), Individual accountability

Isn’t this just a technical problem? Technology defenses comprise roughly 15% of our controls Technical controls often cannot compensate for user’s behavior Cyber-criminals focus on users as a weak link in security Having a security-aware workforce is a requirement in today’s threat landscape Technology continues to keep out most “legacy” threats, (viruses, etc.) and many new ones. Users who click on SPAM eMail or who visit infected web sites invite malware inside our network perimeter Getting users to click on the “bad things” is the focus of cyber criminals. These are organized criminal syndicates. Knowing not to click on XYZ is today’s best defense.

What are the risks? Evolving “Threat Landscape” Older attacks targeted infrastructure Modern attacks target users Nature of threat landscape Over 90% of Cyber thieves are affiliated with organized crime Their sophistication rivals those of commercial software vendors Methods of infection Cyber thieves attack high-volume web sites Computers that visit the site become infected Email-borne ‘malware’ Infected machine “phones home” to say I’m infected Use the infected computer to strengthen their hold on the organization “Attacks” used to consist of mostly harmless, but annoying website defacements and viruses. These attacks were obvious and relatively unsophisticated. Today’s attacks are quiet, below the radar, and impactful. 90% are perpetrated by organized crime, and cross multiple international jurisdictions, typically those that do not have good diplomatic relations. Methods of infection: “Poisoned web site”, Email borne “badness”, each gives the attackers a ‘toe-hold’ on the target. Amateurs target systems, Professionals target users --Kevin Mitnick

What can I do? Become aware of cyber threats Understand that YOU are often the front line of defense against cyber threats Understand data sensitivity and how to manage data appropriately Safeguard information that is entrusted to you Report suspected InfoSec incidents Develop awareness of these problems Understand that YOUR computer habits can either invite or discourage “badness” Understand the sensitivity of data that is entrusted to you, and know how to handle it. Report suspected incidents…

Security Resources On-line security awareness course: http://onlinetraining.umassmed.edu/infosecreg/event/event_info.html UMMS IS Help Desk 508-856-8643 CWM Office of Compliance and Review 508-856-6547 Security Resources Awareness Course (UMMS)