The Role of Information Security in Everyday Business


1 The Role of Information Security in Everyday Business
Presentation customization recommendations: Microsoft encourages you to add your own content to achieve the following objectives:
Ensure applicability of the presentation by tailoring the content to suit your specific organization.
Conform the presentation to your corporate brand by adding your corporate logo, images, etc.
Throughout this presentation, you will see information that is enclosed in red “<>” brackets. This indicates that your input is required to complete the indicated areas of the presentation. Your input is required to ensure this presentation is sufficiently tailored to your specific organization. If it is not tailored as recommended, you run the risk of compromising the effectiveness of this presentation.

Slide objective: N/A.

Instructor notes: Microsoft recognizes that information security awareness and training is one of the most critical aspects of any organization’s information security strategy and supporting security operations. Microsoft also recognizes that IT professionals are typically responsible for facilitating the entire information security awareness and training program (ISATP) lifecycle – that is, IT professionals are responsible for the management, design, development, execution, and ongoing maintenance of ISATPs. To support IT professionals with the process of establishing and executing ISATPs, Microsoft has developed this information security awareness presentation guide titled “The Role of Information Security in Everyday Business.” This Microsoft presentation provides prescriptive guidance for delivering effective security awareness presentations to organizations’ entire workforces, and can also serve as the official launch of an ISATP in your organization.

In addition to this presentation, Microsoft has developed a white paper titled “Key Considerations for Developing Effective Information Security Awareness and Training Programs.” This white paper provides IT professionals and other involved personnel with prescriptive guidance outlining how to successfully and effectively address all components of the ISATP lifecycle. Lastly, Microsoft recognizes the substantial effort and expertise required to effectively and successfully develop and execute ISATPs. Microsoft recommends that its customers contact their Microsoft Account Manager should assistance in developing and executing ISATPs be required.

This security awareness presentation is designed to be suitable for all audiences, with a specific emphasis on end-users. While geared towards end-user audiences, it is recommended that this presentation be presented to all personnel in your organization. This security awareness presentation should not require more than 60 minutes to deliver to end-user audiences.

The Role of Information Security in Everyday Business <Company>

2 Information Security Explained
The Need for Information Security
Your Security Role at <Company>
Vital <Company> Assets
Security Threats & Countermeasures
Home Computer Use
Helpful Security Resources
Closing Comments

Slide customization recommendations: Replace each “<company>” indicator with the name of your company.

Slide objective: N/A.

Instructor notes:

3 Information Security Explained
Information security involves the preservation of:
Confidentiality: Ensuring information is disclosed to, and reviewed exclusively by, intended recipients / authorized individuals
Integrity: Ensuring the accuracy and completeness of information and processing methods
Availability: Ensuring that information and associated assets are accessible, whenever necessary, by authorized individuals

Slide customization recommendations: N/A.

Slide objective: To impart an understanding of what comprises information security in terms that all end-user audiences may understand.

Instructor notes: It is recommended that you provide a practical example to accompany the definition of each term. A practical example you may wish to consider using is provided below for each component of the CIA information security triad:
Confidentiality: Consider the scenario of reviewing your current salary payment. While you may wish to share this information with your spouse or another family member, you would likely not want to share this type of information with a co-worker or other people with whom you may socialize.
Integrity: If you have children in school, you want assurance that the grades and comments reflected in their report cards are accurate, and that they have not been modified in any inappropriate fashion.
Availability: You want assurance that you may review your bank account on-line at any time.
It is further recommended that you emphasize that these principles do not only apply to the protection of information assets, but also to the protection of people, equipment – any asset of vital importance to your company.

4 The Need for Information Security
Information Security Explained
The Need for Information Security
Your Security Role at <Company>
Vital <Company> Assets
Security Threats & Countermeasures
Home Computer Use
Helpful Security Resources
Closing Comments

Slide customization recommendations: Replace each “<company>” indicator with the name of your company.

Slide objective: N/A.

Instructor notes:

5 The Need for Information Security
It is the law
<Provide overview here>

Slide customization recommendations: Refer to the instructor notes below for guidance prescribing the nature of content to place in the “<Provide overview here>” indicator in this slide.

Slide objective: To emphasize that instituting security in your company is not discretionary; it is essential for sustaining your company and ensuring the protection of all personnel. Use this slide to emphasize that your company is required by law to establish and implement a comprehensive corporate security strategy.

Instructor notes: It is the law. To set the tone for this portion of the presentation, it is recommended you open with the legal mandate for security to be instituted in your company. You will need to confirm with your colleagues whether your company conducts business in a regulated industry. If your business is regulated, you will need to confirm with your colleagues specifically which regulations apply. Provided below is a list of prevalent regulations that have the greatest likelihood of influencing your corporate security strategy:
Health Insurance Portability and Accountability Act
Gramm-Leach-Bliley Act
Sarbanes-Oxley
Federal Information Security Management Act
USA Patriot Act
Controlling the Assault of Non-Solicited Pornography and Marketing Act
Safe Harbor
European Data Protection Directive
The Children's Online Privacy Protection Act
California SB 1386 (currently the Database Security Breach Notification Act, which has been enacted in several states in addition to California)
When providing an overview of applicable regulations, ensure the information you impart to your end-user audiences is in terms they will understand.

6 The Need for Information Security (2)
In the news
“McAfee: Auditor failed to encrypt employee-records CD, left it on plane,” Mercury News, 2/23/06
“Another security breach reported - Stolen laptop had clients' private data, says Ernst & Young,” San Francisco Chronicle, 2/25/06
“The network is the risk: in August, the Zotob virus disabled CNN and ABC News...” Risk & Insurance Magazine, 9/15/05
“Glouco employee charged with theft: He and his brother are accused of creating fake firms to take $110,000-plus from the utilities authority,” The Philadelphia Inquirer, 2/24/06
“ChoicePoint multi-million dollar penalty illustrates need for Congress to enact strong ID-theft protections, regulate data brokers,” US Newswire, 1/26/06

Consequences
Many of the victims are you, the people.
Reputations are compromised through media coverage.
Substantial financial loss is incurred by impacted organizations.

Slide customization recommendations: It is recommended that you ensure cited articles remain current during your ongoing information security awareness efforts. To increase the effectiveness of your cited articles, it is recommended that the age of the article not exceed six months from the date at which this presentation is being delivered. However, the applicability of each cited article to the message you are trying to convey should take precedence over the specific date at which the article was published.

Slide objective: To emphasize that instituting security in your company is not discretionary; it is essential for sustaining your company and ensuring the protection of all personnel. Use the cited articles in this slide to convince your end-user audiences that the threats are real.

Instructor notes: It is recommended that you spend no more than two (2) minutes when presenting the contents of this slide. The specifics of each referenced article are provided below:

McAfee & Deloitte & Touche incident:
Posted on Fri, Feb. 24, 2006
Security giant's data lost
MCAFEE: AUDITOR FAILED TO ENCRYPT EMPLOYEE-RECORDS CD, LEFT IT ON PLANE
By Matthai Chakko Kuruvila, Mercury News

McAfee, the Santa Clara security software company, has lost the personal information of thousands of its employees due to a lapse by an external auditor. The auditor, an employee of Deloitte & Touche, left an unencrypted CD containing the employee information in an airline seat pocket on Dec. 15. The disc included the names, social security numbers and McAfee stock holdings for more than 9,000 employees, according to McAfee spokeswoman Siobhan MacDermott. "They were traveling on an airplane and left it on the plane with a bunch of other CDs, including audio CDs," MacDermott said Thursday, noting that it's unclear what became of the disc. "It may very well be in a trash can." The disc contained information on all of McAfee's U.S. and Canadian employees hired before April An estimated 3,290 current employees and 6,000 former employees potentially had their information compromised, MacDermott said. McAfee is offering employees two years' worth of credit monitoring through Experian, one of the three major credit bureaus. MacDermott said McAfee is working with Deloitte to prevent a recurrence of such an incident.

That a prominent computer security company would have been ensnared in the same type of privacy breach that has become almost common across many industries surprised and disappointed some consumer advocates. "I don't understand it," said Ken McEldowney, executive director of San Francisco-based Consumer Action. "How hard would it be to encrypt the data? How hard would it be to make sure important information like that is not on CDs that are not under tight control by the company? This is not brain surgery," McEldowney said. "This is common sense. I'm baffled. I really am." McAfee's Web site proclaims that "millions of homes and businesses trust McAfee for unmatched security expertise and comprehensive protection." MacDermott said it was not unusual for an auditor to have such personal information. She said Deloitte had made the CD for backup purposes, and it was their decision not to encrypt the data. "It's not something that was directly in our control," MacDermott said. "We have policies in place to prevent this from happening data compromised occurred on their end, as opposed to our end." Deloitte public relations director David Schutzman did not return phone calls Thursday. The auditor did not report the Dec. 15 incident to Deloitte until Jan. 8. Deloitte informed McAfee of the lapse on Jan. 11, but it took Deloitte until Jan. 30 to determine what was on the disc. MacDermott said it was not clear why the Deloitte employee took so long to report the incident. "You would have to ask them that question," she said.

Over the past year, more than 53 million consumer profiles in the United States have been lost, hacked or stolen, according to the Privacy Rights Clearinghouse, a consumer advocacy group. Companies have been forced to disclose the information due to a pioneering California law that requires businesses to notify individuals if their information has been potentially exposed. MacDermott said McAfee began sending out letters two weeks ago. Bruce Schneier, founder and chief technology officer for Counterpane Internet Security, said it is not surprising that these incidents are so common. "The problem is that data storage is getting smaller," he said. "We all have more and more things on smaller and smaller things, whether it's our iPod or our Treos. It's amazing how much you can lose just by losing a little thing." Because so much of security is still dependent on human judgment, "that kind of thing is just going to continue."

Ernst & Young incident:
Another security breach reported
Stolen laptop had clients' private data, says Ernst & Young
Carrie Kirby, Chronicle Staff Writer
Saturday, February 25, 2006

Following on the heels of an embarrassing security lapse by McAfee and its accounting firm Deloitte & Touche, financial giant Ernst & Young acknowledged Friday that it, too, had lost sensitive data that could be exploited by identity thieves. The two incidents, which were described in letters to potential victims obtained by The Chronicle, show just how ubiquitous security bungles have become. In a letter dated Feb. 13, Ernst & Young warned clients that their Social Security numbers were on a laptop that was stolen from an employee's locked car. The letter didn't say how many clients were affected. Ernst & Young spokesman Charles Perkins offered a prepared statement saying that the laptop was password protected, and appeared to have been stolen in a random criminal act. Santa Clara antivirus software maker McAfee warned 9,000 current and former employees in a letter dated Feb. 17 that a compact disc containing their names and Social Security numbers was lost. An employee at McAfee's auditor, Deloitte & Touche LLC, left the unlabeled, unencrypted CD in the seat-back pocket of an airplane, along with some music discs, on Dec. 15, said spokeswoman Siobhan MacDermott. Deloitte confirmed the loss. There is no indication that the lost information in either case has been used for fraud, the companies say. Neither the disc nor the laptop file had labels indicating they contained sensitive information, and it could be that no one ever viewed them. However, there is a risk that the files could have been accessed by identity thieves, who use names and Social Security numbers to fraudulently apply for credit, work and even commit crimes using other people's names. Databases containing such personal information are routinely sold and traded among criminals on the Internet. Both Ernst & Young and McAfee offered the affected people free credit monitoring and other services to help them watch out for such fraud.

Consumer advocate Beth Givens ruefully chuckled at the idea that companies that specialize in security and keeping track of important information would commit such gaffes. One of the services advertised on Ernst & Young's Web site is called "technology and security risk services," which entails helping companies find and fix security gaps. "It just points out how pervasive these security breaches are," said Givens, director of the San Diego nonprofit Privacy Rights Clearinghouse. Deloitte made the CD in order to back up a McAfee database of employee stock holdings, according to the letter. Many security lapses occur when companies are transporting data backups, Givens said. "There are so many things that companies need to factor into their security and privacy protection measures. It's not just firewalls for the computer systems, it's the handling of backup tapes, CDs and DVDs, and paper records," Givens said. One obvious precaution both companies should have been taking is encrypting sensitive data, Givens said. MacDermott said McAfee did not have a policy requiring its auditor to encrypt the data. "Moving forward, that will be an issue," said MacDermott, chalking it up to lessons learned. McAfee and Deloitte will be working together to make sure this kind of lapse doesn't happen again, MacDermott said. Carrie Kirby at

Zotob / network-risk article:
The network is the risk: in August, the Zotob virus disabled CNN and ABC News, showing how vulnerable computer networks really are. In the financial services world, e-thieves can make off with financial data without leaving a trace. Corporate risk managers are beginning to recognize this exposure, and acting to mitigate it.
Risk & Insurance; 9/15/2005; Green, Paula L.

As computer criminals become as sophisticated and swift as the technology they use to commit their crimes, corporate executives are taking a closer look at whether they should invest in network-risk insurance. No longer just the province of Internet companies or e-retailers, network-risk cover gives companies vital financial protection in a business world where computer viruses can sweep around the globe in seconds and computer hackers can quickly abscond with the most intimate financial details of a company's customers. And as more businesses turn to the digital world for everything from accounting tasks to ordering supplies, and lawmakers up the liability ante for privacy breaches, corporate insurance buyers are taking note. "Risk managers are increasingly saying, 'Do I have this exposure, and how do I address it?'" says Norman Rafsol, senior vice president and chief underwriting officer in the professional liability division at American International Group Inc. in New York. "And the key is technology ... which has increased the scale of the potential losses. It's just not dumpster divers (looking for credit-card imprints) anymore. Criminals have more access to more information." "The threat to the balance sheet can be significant," adds Brad Gow, vice president, ACE professional risks, at ACE USA in Philadelphia. "And with so many companies doing more business online, many types of companies, whether retailers or manufacturers or service companies, have some degree of exposure."

First developed about a half-dozen years ago, the cover can provide a business with first-party and third-party protection against the tricky intangible losses that can occur when the complex security systems protecting its computer network break down. First-party cover would help a company recover the expenses involved in repairing their database of customers, for example, if it were damaged by a computer hacker who was able to implant a malicious code. The coverage should compensate a company for the cost of hiring technology experts to come in and rebuild the database, as well as the business-interruption costs resulting from the temporary loss of information. Third-party protection is the cover capturing the attention of executives as they read the spate of media headlines about data theft--such as the CardSystems Solutions Inc. fiasco this summer that may have exposed 40 million credit-card holders to fraud. If a computer hacker breaks a credit-card company's code, penetrates its firewall and taps into its database to release Social Security numbers and other sensitive data, a network-risk policy would cover the damages to the company's customers whose privacy has been violated. Its protection would also cover scenarios that involve authorized access and unauthorized use. So if a credit-card-company employee taps into 100,000 credit-card accounts, copies the data and sends it off to an accomplice in Southeast Asia, who then opens up new accounts and charges the maximum to each card, the network-risk cover also should kick in.

MORE ASSETS, MORE COVERAGE
Industry experts say interest in the coverage has surged over the last few years as more businesses place more information online and courts hand down rulings that exclude so-called "intangible assets," like computer data, from the array of perils covered in general property and liability policies. At the start of 2002, ISO, the industry's underwriting standards group, put out new policy forms that further reduced the exposure of insurance companies. "The ways that people do business are increasingly dependent on electronic processes," says Kevin Kalinich, managing director of technology and professional risks at Aon Financial Services Group in Chicago. "And general liability policies are excluding intangible assets. This type of law can impact the financial statements of companies." And it's not only court rulings that are placing pressure on corporations to be sure that financial losses stemming from these computer security breaches are covered. The more stringent reporting requirements of federal legislation such as the Sarbanes-Oxley Act of 2002, the Gramm-Leach-Bliley Act of 1999 and the Health Insurance Portability and Accountability Act of 1996 are also generating anxieties in board rooms and executive offices around the country. "The Sarbanes-Oxley Act subjects entities to accountability and internal control requirements. Section 404 requires public companies to qualify and quantify their risk. Ignoring network risk would be a violation," says Kalinich, adding that the law does not require public companies to purchase network-risk cover. The financial services industry--the keeper of billions of pieces of confidential customer information from Social Security numbers to credit ratings--has become more vulnerable to acts of cybercrime as it minds the privacy and security requirements of the Gramm-Leach-Bliley Act. And state legislation is also intensifying their vulnerability as laws--like the California Database Protection Act of expect data holders to notify customers when their data has been stolen or lost. Health-care companies are also finding themselves at the mercy of computer criminals as HIPAA forces them to carefully guard the confidentiality of their patient information.

Christopher Keegan, senior vice president and national cyberpractice leader at Marsh Inc. in New York, agrees that court rulings that have excluded intangible assets from general liability policies, as well as recent legislative mandates, are partly behind the surge in interest. "To a great degree, the level of uncertainty is driving the demand for the policies," says Keegan. "But it's partly driven by the change in the nature of the hackers. It has shifted from school boys who are making a name for themselves, to international crime rings in Africa or Russia or Asia. They're ramping up their efforts as there are more and more places for them to attack." An Aon study of the 2004 insurance purchases of 2,000 Aon clients with annual revenues of more than $100 million showed that about 95 percent of Internet-based companies have network-risk cover; 58 percent of e-retailers have secured the cover; and 17.5 percent of all other entities, from manufacturing companies to educational institutions, bought the insurance. Five years ago, less than 5 percent of total insureds bought this type of insurance, and even two years ago, the buyers were less than half of what they are today, Kalinich says. Keegan believes another reason behind the buying surge is that the softer property/casualty market has freed up corporate insurance budgets for this relatively pricey product. Premiums vary widely--depending on the industry, the size and loss history of a company, and the uses of its computer network. "Financial institutions with a trading floor that rely on a computer system for billions of dollars of trading are going to have more exposure than a manufacturing firm," Keegan explains. Retentions are heading upward, but pricing remains steady and can range from $7,000 per $1 million of cover for a company at low risk to $ per $1 million of coverage for a firm with high risk. And the string of recent security breaches and growth of cybercrime haven't been lost on the reinsurance world. The half-dozen or so reinsurers that handle this specialized risk are becoming more selective and even dictating exclusions and other coverage terms, industry observers say. Reinsurers--fully aware that a massive assault on global computer systems could have greater ramifications on their bottom lines than even a terrorist attack or a record-breaking earthquake--are closely analyzing the book of business of their insurance clients to be sure they are not overexposed, Gow says. "There are no geographic limits, no industry limits with a worldwide computer virus that could spiral around the world," Gow says. "Reinsurers working with multiple carriers in multiple countries are being very careful."
PAULA L. GREEN, a freelance journalist based in New York, writes about national and international business topics. She can be reached at

Gloucester County Utilities Authority incident:
Glouco employee charged with theft: He and his brother are accused of creating fake firms to take $110,000-plus from the utilities authority.
The Philadelphia Inquirer (Philadelphia, Pennsylvania) (via Knight-Ridder/Tribune Business News); 2/24/2006
Byline: Jan Hefler

Feb. 24--A Gloucester County Utilities Authority technician and his brother have been charged with setting up shell corporations and forging documents to collect more than $110,000 to service agency computer equipment. Paul Kohler, 42, of Mullica Hill, was charged with theft by deception, submitting fraudulent claims to the government, making a false statement, forgery, and official misconduct. Kohler, who controlled the automated equipment that runs the sludge incinerator at the West Deptford plant, was arrested yesterday and released after posting $10,000 bail. He has worked at the plant for 13 years. Brian Kohler, 44, of Pennsauken, was charged with conspiracy to submit false claims to the government. He was released on his own recognizance. Bernie Weisenfeld, spokesman for the Gloucester County Prosecutor's Office, said Paul Kohler had created at least three shell corporations with out-of-state addresses that were simply mailbox services. From 1997 through 2005, Kohler submitted computer-servicing bids from those corporations, often at inflated costs and for materials that the utilities authority didn't need. His relatives' names were forged on the corporation documents, authorities said. "Paul Kohler was the technical person responsible for obtaining the bids," Weisenfeld said. Brian Kohler allegedly acted as the operator of one of the corporations, cashing authority checks and giving his brother part of the proceeds. Neither Kohler could be reached for comment. Ann Marie Donofrio, executive director of the utilities authority, also was unavailable for comment. Gloucester County Prosecutor Sean F. Dalton said: "These individuals were systematically enriching themselves at the public's expense. It is particularly troubling that a longtime GCUA employee violated his public trust by engaging in this fraudulent conduct." Paul Kohler has been suspended with pay pending termination proceedings. A tip to authorities led to an audit of the bids and then to the investigation.
Contact staff writer Jan Hefler at or
Copyright (c) 2006, The Philadelphia Inquirer

ChoicePoint settlement:
ChoicePoint Multi-Million Dollar Penalty Illustrates Need for Congress to Enact Strong ID-Theft Protections, Regulate Data Brokers.
US Newswire; 1/26/2006

WASHINGTON, Jan 26, 2006 (U.S. Newswire via COMTEX) -- Consumers Union praised the Federal Trade Commission's multi-million dollar settlement against data broker ChoicePoint, the largest civil penalty in FTC history. However, comprehensive Congressional action is still needed to protect consumers' personal information from identity thieves. "This settlement serves as a wake-up call for Congress to ensure that all businesses that buy and sell our most personal information are held accountable, and that they protect vulnerable consumers from having their sensitive information stolen," said Susanna Montezemolo, Policy Analyst for Consumers Union, the nonprofit publisher of Consumer Reports. "Congress also needs to give consumers the tools they need to protect their own sensitive information," she said. "In the last year alone, nearly 60 million Americans have been put at risk for identity theft through no fault of their own because of the stream of data breaches by data brokers, credit card companies, and other businesses," she added. "Companies like ChoicePoint collect and sell our fingerprints, driving records, employment histories, financial history and insurance records, yet are unregulated by the government," Montezemolo said. "Americans can take every sensible precaution to protect themselves and still become identity theft victims because of the lax security by these companies." Consumers Union again called on Congress to regulate data brokers and provide real tools for consumers to protect themselves from identity theft. Consumers should at a minimum be allowed to review and correct the information that is compiled on them, be given notification on every security breach, and be given the right to freeze access to their personal information. For more information on what Congress should do, please visit

7 The Need for Information Security (3)
Previous <company> security incidents
<Provide overview of applicable previous security incidents experienced by company here>

Slide customization recommendations: While not delving into the specifics of each security incident, it is recommended that you provide a high-level overview of security incidents that have occurred at your organization. You may wish to reference at least one security incident that previously occurred due to an employee’s lack of security awareness (e.g., massive exposure to a virus due to an employee clicking on an infected attachment). Replace the “<company>” indicator with the name of your company. Refer to the instructor notes below for guidance prescribing the nature of content to place in the “<Provide overview of applicable previous security incidents experienced by company here>” indicator in this slide.

Slide objective: To emphasize that instituting security in your company is not discretionary; it is essential for sustaining your company and ensuring the protection of all personnel. This slide should be used to demonstrate that your organization is also susceptible to security threats.

Instructor notes: This slide will help personalize security to each end-user participating in the security awareness presentation. Further, it will effectively prepare your end-user audiences for the next slide, where you explain their role in your corporate security strategy. This is the beginning of the key transition point in this presentation, where your end-users will begin to understand that a change in the manner in which they conduct their daily business activities (i.e., their behavior) will need to occur to increase assurance that your organization is protecting its assets in the best possible manner.

8 The Need for Information Security (4)
The consequences of insufficient security Loss of competitive advantage Identity theft Equipment theft Service interruption (e.g., and <application>) Embarrassing media coverage Compromised customer confidence; loss of business Legal penalties Slide customization recommendations: N/A. Slide objective: To emphasize that instituting security in your company is not discretionary; it is essential for sustaining your company, and ensuring the protection of all personnel. Use this slide to help your end-user audiences to understand the consequences associated with the vast number of security threats facing your organization. Instructor notes: The consequences While you will be addressing several of the prevalent threats in detail later in the presentation, it is recommended that you discuss the themes of threats that introduce risk to your organization. It is recommended you present themes in terms of the consequences associated with the threats. Provided below is information accompanying each theme that you may wish to communicate to your end-user audiences: Loss of competitive advantage Our company is successful due to the competitive advantage it has accumulated over time. Our competitive advantage is achieved through our people, our trade secrets (i.e., confidential information and procedures that we have developed to enable us to conduct business), and our intellectual property (i.e., confidential information that represents how we conduct business). There are many threats to the well-being of our competitive advantage. Should confidential information pertaining to our personnel, trade secrets, or intellectual property be compromised, it could have a severe impact on our competitive advantage. Therefore, our critical information and our personnel must be protected. Identity theft Identity theft involves the theft of information that may be used to identify an individual. 
Examples of such information – termed “personally identifiable information,” include social security numbers, birth dates, ethnicity, etc. As a further example, most of the information you would use to open a new credit card account is personally identifiable information (PII). Once this PII is stolen, criminals may use this information to purchase goods and services in your name, using your existing credit card accounts, or may create new credit card accounts in your name, using your PII. Equipment theft Unauthorized, non-<company> employees may enter our facilities. The risk associated with this unauthorized access is that these criminals may steal equipment, such as laptop computers and servers. Service interruption If our network environment, our Web site, and our Web-based applications are not sufficiently protected, we will be susceptible to malicious attacks from criminals. Many of these attacks are designed to interrupt the operations of our information systems (e.g., our e-mail services and <mention one or two business applications with which all end-user audiences will be familiar>). Embarrassing media coverage You will see on the following slide several examples of media coverage that has compromised notable organizations’ reputations. It is likely that if <company> experiences a security incident that impacts our customers or business partners, such a security incident will become widely known and exploited in the media. This would severely impact <company>’s credibility, and many other aspects of our business we have exerted substantial time, money, and effort to build. Compromised customer confidence; loss of business Regardless of whether a security incident becomes widely known, <company>’s customers and business partners will likely be impacted. Our customers and business partners are becoming more sophisticated in their needs, and if they even suspect <company> is experiencing security issues, their confidence will be compromised.
This compromised confidence will likely result in loss of business. Legal penalties Should <company> be found to be non-compliant with applicable regulations, legal fines / penalties could amount to the $millions. It is therefore important to ensure <company> is compliant with each of the regulations we previously discussed.

9 Your Security Role at <Company>
Information Security Explained The Need for Information Security Your Security Role at <Company> Vital <Company> Assets Security Threats & Countermeasures Home Computer Use Helpful Security Resources Closing Comments Slide customization recommendations: Replace each “<company>” indicator with the name of your company. Slide objective: N/A. Instructor notes:

10 Your security role at <company>
You can prevent several security threats facing <company> Comply with our corporate security policies Key policy one Key policy two Key policy three All of <company>’s corporate security policies may be located: <Provide all locations here> Slide customization recommendations: Replace each “<company>” indicator with the name of your company. Provide all of the locations your end-users may locate your company’s corporate security policies where the “<Provide all locations here>” indicator is presented in this slide. Slide objective: To emphasize that instituting security in your company is not discretionary; it is essential for sustaining your company, and ensuring the protection of all personnel. Use this slide to explain end-users’ role in your corporate security strategy. This is the beginning of the key transition point in this presentation where your end-users will begin to understand that a change in the manner in which they conduct their daily business activities (i.e., their behavior) will need to occur to increase assurance that your organization is protecting its assets in the best possible manner. Instructor notes: If your organization has not instituted corporate security policies, this slide should be removed from the presentation. However, you should urge the individual primarily responsible for security within your organization to develop, implement, and enforce corporate security policies as soon as possible.

11 Your security role at <company>
You can prevent several security threats facing <company> (2) Treat everything you do at <company> as you would treat the well-being of anything of vital importance to you Examples of questions you should ask yourself before performing a specific activity include: Could the actions I am about to perform in any way either harm myself or <company>? Is the information I am currently handling of vital importance either to myself or <company>? Is the information I am about to review legitimate / authentic? Have I contacted appropriate <company> personnel with questions regarding my uncertainty of how to handle this sensitive situation? Slide customization recommendations: Replace each “<company>” indicator with the name of your company. Slide objective: To emphasize that instituting security in your company is not discretionary; it is essential for sustaining your company, and ensuring the protection of all personnel. Use this slide to explain end-users’ role in your corporate security strategy. This is the beginning of the key transition point in this presentation where your end-users will begin to understand that a change in the manner in which they conduct their daily business activities (i.e., their behavior) will need to occur to increase assurance that your organization is protecting its assets in the best possible manner. Instructor notes: Many security incidents that occur in organizations are due to inadvertent actions performed by employees. It is therefore your mission to help end-users understand that they need to think in a security-conscious manner before acting. The questions provided in this slide are examples of the thought process all employees should perform before performing any business activities involving any assets of value. It is recommended that you provide a consequence that is specific to your organization that could result by not addressing each of the questions in this slide.
That is, you need to emphasize the detriment to the company if end-users do not exercise this type of a security-conscious thought process in everything they do. Regarding the statement indicating that employees should treat the business activities they conduct at your organization similar to how they would treat anything of vital importance to themselves, you should provide examples correlating what is important to their personal lives to what is important to your organization. For example, parents would not want an unauthorized person roaming their child’s school, just as your company does not want an unauthorized person accessing its facilities.

12 Your security role at <company>
Whom to contact It is critical for you to contact appropriate <company> personnel the moment you suspect something is wrong <Name “1”, title, reason to contact> <…> <Name “n”, title, reason to contact> Slide customization recommendations: Replace the “<company>” indicator with the name of your company. Replace the “<Name “x”, title, reason to contact>” indicators with contact information for company personnel with incident response responsibilities. These will be personnel that end-users may contact in the event an incident has or is suspected to have occurred. Slide objective: To emphasize that instituting security in your company is not discretionary; it is essential for sustaining your company, and ensuring the protection of all personnel. Use this slide to inform all end-users whom they should contact in the event they suspect either a breach in security has occurred, or that they have witnessed any form of suspicious activity. Instructor notes: Your organization’s personnel are a strong defense mechanism against security threats. It is very common for at least one employee to be aware of a security breach that may have occurred. Additionally, it is very common for at least one employee to have witnessed some form of suspicious activity before such suspicious activities result in costly security incidents. Therefore, it is recommended that you provide the contact information for personnel participants in this security awareness presentation should contact based upon various scenarios they may be involved in. For example, one person to contact could be the individual responsible for facility security. The scenario would be that an employee has detected the presence of an unknown, suspicious looking individual that was perusing a particular area within your facilities. Another example would be an employee who suspects they have been infected by a virus. 
The name and contact information, as well as the particular scenario, should be provided in this slide to impart an understanding among your end-user audiences regarding whom they should contact when various types of security incidents occur / suspicious activities are observed.

13 Vital <company> Assets
Information Security Explained The Need for Information Security Your Security Role at <Company> Vital <Company> Assets Security Threats & Countermeasures Home Computer Use Helpful Security Resources Closing Comments Slide customization recommendations: Replace each “<company>” indicator with the name of your company. Slide objective: N/A. Instructor notes:

14 Vital <company> assets
Your effectiveness in securing <company>’s assets begins with understanding what is of vital importance to <company> <Asset “1”> <…> <Asset “n”> Slide customization recommendations: Replace each “<company>” indicator with the name of your company. Refer to the instructor notes below for guidance prescribing the nature of content to place in the “<Asset “x”>” indicators in this slide. Slide objective: To emphasize that instituting security in your company is not discretionary; it is essential for sustaining your company, and ensuring the protection of all personnel. Use this slide to explain specifically which assets are of vital importance to your organization. Instructor notes: It is recommended that you do everything possible to eliminate interpretation of what personnel may perceive is important to your organization. This slide should be used to provide a somewhat exhaustive list of assets that are deemed vital to your organization. That is, these are the assets which, if they were to be stolen / inappropriately disclosed to unauthorized parties, could negatively impact your organization in the ways described earlier in this presentation. It is also recommended that you communicate themes of assets that are presented in this slide. This will help mitigate the risk associated with not providing an exhaustive list of assets in this slide; i.e., it will enable end-user audiences to apply what you are communicating to other assets that may be of value to your organization. Examples of assets that are vital to many companies include: Financial statements; Human resources / employees’ personal information; Board of Directors’ communications (e.g., memos); Corporate strategic plans (e.g., IT strategic plan); Trade secrets / intellectual property; and Product and services pricing information. Lastly, identifying these assets increases assurance that personnel will be more security-conscious in how they handle, store, and review these assets.
Specifically, they will be more inclined to ask themselves the questions identified in the previous slide.

15 Security Threats & Countermeasures
Information Security Explained The Need for Information Security Your Security Role at <Company> Vital <Company> Assets Security Threats & Countermeasures Home Computer Use Helpful Security Resources Closing Comments Slide customization recommendations: Replace each “<company>” indicator with the name of your company. Slide objective: N/A. Instructor notes:

16 Security threats & countermeasures
Malicious software: viruses Malicious code embedded in e-mail messages that is capable of inflicting a great deal of damage and causing extensive frustration Stealing files containing personal information Sending e-mails from your account Rendering your computer unusable Removing files from your computer What you can do Do not open e-mail attachments: Received from unknown individuals That in any way appear suspicious If uncertain, contact <contact> Report all suspicious e-mails to <contact> Slide customization recommendations: Replace the “<contact>” indicators with the contact information of appropriate personnel that are responsible for troubleshooting virus issues. These are the personnel end-users will be instructed to contact if they suspect they have received malicious e-mail, or if they have been infected by a virus. Slide objective: To have end-users become cognizant of the dangers associated with e-mail attachments, and to always evaluate the authenticity of an e-mail before accessing attachments. To encourage end-users to use extreme caution before accessing e-mail attachments. Instructor notes: While there are several technologies available to prevent virus exposure in companies, companies’ best defense against virus exposure is their workforce (i.e., their people). This slide is organized so that you will first explain what a virus is, and the nature of damage viruses are capable of inflicting on companies. After imparting this understanding, inform end-users what they can do to ensure they are not responsible for exposing your company to viruses by adhering to the content provided in the “What you can do” section of this slide. If your company currently uses an enterprise anti-virus solution, Microsoft recommends you enhance your protection against malicious software by implementing Microsoft’s Client Protection product.
Microsoft Client Protection is a security product that helps protect business desktops, laptops, and servers from emerging threats such as spyware and rootkits, as well as viruses and other traditional attacks. You may find more information about Microsoft Client Protection at

17 Security threats & countermeasures
Malicious software: spyware Any technology that aids in gathering information about you or <company> without your or <company>’s knowledge and consent. Programming that is put in a computer to secretly gather information about the user and relay it to advertisers or other interested parties. Cookies are used to store information about you on your own computer. If a Web site stores information about you in a cookie of which you are unaware, the cookie is considered a form of spyware. Spyware exposure can be caused by a software virus or as a result of installing a new program. What you can do Do not click on options in deceptive / suspicious pop-up windows. Do not install any software without receiving prior approval from <contact>. If you experience slowness / poor computer performance or excessive occurrences of pop-up windows, contact <contact>. Slide customization recommendations: Replace the “<company>” indicator with the name of your company. Replace the “<contact>” indicators with the contact information of appropriate personnel that are responsible for troubleshooting spyware issues. These are the personnel end-users will be instructed to contact if they either suspect they have been affected by spyware or may be susceptible to spyware. Slide objective: To have end-users become cognizant of the dangers associated with spyware, and to always evaluate the authenticity of pop-up menus before clicking on any options. To encourage end-users to contact appropriate company personnel whenever they suspect they have been affected by spyware or may be susceptible to spyware. Lastly, to impart an understanding that cookies are a mechanism used by spyware. Instructor notes: While there are several technologies available to prevent spyware exposure in companies, one of companies’ best defenses against spyware exposure is their workforce (i.e., their people). This slide is organized so that you will first explain what spyware is, and the implications of spyware.
After imparting this understanding, inform end-users what they can do to ensure they are not responsible for exposing your company to spyware by adhering to the content provided in the “What you can do” section of this slide. You may wish to demonstrate how cookies can be managed within Internet Explorer. If you provide such instruction, it is recommended that you prepare a cookie management “cheat sheet” that participants may take with them to their workspaces upon completion of this security awareness session.

18 Security threats & countermeasures
Unauthorized systems access Individuals maliciously obtain unauthorized access to computers, applications, confidential information, and other valuable assets Not all guilty parties are unknown; some can be your co-workers Unauthorized systems access can result in theft and damage of vital information assets What you can do Use strong passwords for all accounts Commit passwords to memory If not possible, store all passwords in a secure location (i.e., not on a sticky note affixed to your monitor or the underside of your keyboard) Never tell anyone your password Never use default passwords Protect your computer with a password-protected screen saver Report suspicious individuals / activities to <contact> Report vulnerable computers to <department> Slide customization recommendations: Replace the “<contact>” indicator with the contact information of appropriate personnel that are responsible for addressing physical / facility security issues / incidents. Replace the “<department>” indicator with the name of the department that is responsible for addressing equipment security issues. These are the personnel end-users will be instructed to contact if they observe suspicious individuals / activities or identify vulnerable computers. In the third-to-last bullet of this slide, referring to protecting computers by using a password-protected screen saver, you may wish to provide a brief demonstration on how end-users can password-protect their screen saver. Should you decide to provide such guidance, it is recommended that you prepare a “password-protected screen saver cheat sheet” that each participant may take back to their respective workspaces upon the conclusion of this security awareness presentation. Slide objective: To impart an understanding that end-users’ computers and business applications contain vital company information, and that end-users’ computers need to be protected accordingly.
To impart an understanding that each user’s computer is a conduit to vital company information, and if their computer is accessed by an unauthorized individual, such access could inflict severe damage to the company. Instructor notes: The key objective you will need to achieve as the instructor is to ensure your end-user audiences understand that their desktop / laptop computers contain vital company information. Further, you need to ensure your end-user audiences understand that their desktop / laptop computer is interconnected with several other laptop / desktop computers, servers, and applications. Once you impart this understanding and awareness, you need to explain the damage that could be inflicted to your company if a criminal were able to access company information through an unprotected end-user’s desktop / laptop computer. You should reiterate from slide number 8 the specific damage that could be inflicted from your company if a criminal were to gain unauthorized systems access. After imparting this understanding, use the recommendations provided in the “What you can do” section of this slide to provide guidance for your end-user audiences as to what they can do to prevent unauthorized systems access.
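The password-protected screen saver demonstration above can be backed by a script that audits (and, if desired, enforces) the setting for the logged-on user. This is an added example, not part of the Microsoft presentation; it uses the per-user registry values under HKCU:\Control Panel\Desktop that the Windows Screen Saver settings dialog writes, and the 600-second maximum idle timeout is an assumed policy value.

```powershell
# Added example (not from the original presentation): audit and optionally enforce a
# password-protected screen saver for the current Windows user.
# The 600-second cap is an assumed corporate policy value; adjust to your own standard.

$DesktopKey        = 'HKCU:\Control Panel\Desktop'
$MaxTimeoutSeconds = 600

function Get-ScreenSaverState {
    # Read the values the Screen Saver dialog stores; missing values read as $null.
    $p = Get-ItemProperty -Path $DesktopKey
    [pscustomobject]@{
        Active      = ($p.ScreenSaveActive -eq '1')        # saver switched on
        Secure      = ($p.ScreenSaverIsSecure -eq '1')     # "On resume, display logon screen"
        TimeoutSecs = [int]$p.ScreenSaveTimeOut            # idle time before it starts
        Executable  = $p.'SCRNSAVE.EXE'                    # selected .scr, if any
    }
}

function Test-ScreenSaverCompliant {
    # Returns an array of human-readable findings; an empty array means compliant.
    param([Parameter(Mandatory)] $State)
    $problems = @()
    if (-not $State.Active) { $problems += 'screen saver is disabled' }
    if (-not $State.Secure) { $problems += 'resume does not require a password' }
    if ($State.TimeoutSecs -le 0 -or $State.TimeoutSecs -gt $MaxTimeoutSeconds) {
        $problems += "idle timeout of $($State.TimeoutSecs)s is outside 1-$MaxTimeoutSeconds s"
    }
    if (-not $State.Executable) { $problems += 'no screen saver executable is selected' }
    return ,$problems
}

function Set-SecureScreenSaver {
    # Enable the saver, require a password on resume, and cap the idle timeout.
    Set-ItemProperty -Path $DesktopKey -Name ScreenSaveActive    -Value '1'
    Set-ItemProperty -Path $DesktopKey -Name ScreenSaverIsSecure -Value '1'
    Set-ItemProperty -Path $DesktopKey -Name ScreenSaveTimeOut   -Value "$MaxTimeoutSeconds"
    if (-not (Get-ItemProperty -Path $DesktopKey).'SCRNSAVE.EXE') {
        # The blank screen saver ships with Windows in System32.
        Set-ItemProperty -Path $DesktopKey -Name 'SCRNSAVE.EXE' `
            -Value (Join-Path $env:SystemRoot 'System32\scrnsave.scr')
    }
    # Registry changes take effect at the next logon; the settings dialog's Apply
    # button (or a logoff/logon) refreshes them immediately.
}

# Audit the current user and print the findings in cheat-sheet form.
$state  = Get-ScreenSaverState
$issues = Test-ScreenSaverCompliant -State $state
if ($issues.Count -eq 0) {
    'Screen saver settings are compliant.'
} else {
    $issues | ForEach-Object { "Non-compliant: $_" }
    # Uncomment to remediate the current user's settings:
    # Set-SecureScreenSaver
}
```

Where a domain Group Policy already enforces these settings they live under HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop instead, and the policy values take precedence over the user-writable ones audited here.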

19 Security threats & countermeasures
Shoulder surfing The act of covertly observing employees’ actions with the objective of obtaining confidential information What you can do Be aware of everyone around you… and what they are doing Airline and train travel Airports, hotels, cafes, and restaurants; all public gathering areas Internet cafes Computer labs Do not perform work involving confidential <company> information if you are unable to safeguard yourself from shoulder surfing Request a privacy screen for your <company>-issued laptop computer from <contact> Slide customization recommendations: Replace the “<contact>” indicator with the contact information of appropriate personnel that are responsible for providing laptop privacy screens. Remove the last bullet if your company is not receptive to providing its workforce with laptop privacy screens. Replace the “<company>” indicator with the name of your company. Slide objective: To encourage all employees to be cognizant of their surroundings, and to protect confidential information they may be reviewing either on their computers or on printed documents from unauthorized observers. Instructor notes: The reality is many people are unaware of the threat of people observing their actions in an attempt to obtain confidential information. One of the most effective ways to help your audiences understand the likelihood of shoulder surfing is to provide credible scenarios. Provided below are some scenarios you may wish to discuss during this presentation: How many times have you seen individuals with their financial information sprawled across a table in a restaurant with an accountant helping them with tax return preparation during the tax season? How many times have you or someone you know peered at a laptop monitor belonging to a passenger sitting next / near you on a plane / train? How many times have you or someone you know peered at documents being reviewed by a passenger sitting next / near you on a plane / train? 
How many times have you or someone you know peered over the shoulder of someone working at a kiosk / computer in a computer lab / Internet café? Lastly, you should provide each end-user an “out.” You should indicate that they should not review confidential information if they do not think they can prevent shoulder surfing from occurring.

20 Security threats & countermeasures
Unauthorized facility access Individuals maliciously obtain unauthorized access to offices with the objective to steal equipment, confidential information, and other valuable <company> assets What you can do Do not hold the door for unidentified individuals; i.e., do not permit “tailgating” <Provide company procedures regarding challenging and reporting individuals with no visible visitor / employee ID badges> Shred all <company> confidential documents Do not leave anything of value exposed in your office / work space (e.g., lock all <company> confidential documents in desk drawers / file cabinets) Escort any of your own visitors throughout the duration of their visit Slide customization recommendations: Replace the “<company>” indicators with the name of your company. Refer to the instructor notes for guidance regarding the content you should provide for the “<Provide company procedures regarding challenging and reporting individuals with no visible visitor / employee ID badges>” indicator in this slide. Slide objective: To impart an understanding that every end-user has responsibilities in regards to preventing unauthorized facility access, and to define specifically what these responsibilities are. Instructor notes: Unauthorized access to facilities is a common occurrence that costs companies $Millions annually. One of the key defenses against unauthorized facility access is companies’ workforces (i.e., people). After defining what comprises unauthorized facility access, and the implications therein (as provided in the “Unauthorized facility access” section of this slide), you will need to inform your audiences of their responsibilities / what they can do to help prevent unauthorized facility access. Most companies have instituted procedures regarding if and how employees should confront unknown individuals that are identified on facility grounds.
These procedures are instituted not only to provide instruction to employees, but also to prevent employees from becoming engaged in dangerous situations that could endanger their safety and the safety of others. It is recommended that you consult with your facility security personnel to understand and represent instituted procedures in the “<Provide company procedures regarding challenging and reporting individuals with no visible visitor / employee ID badges>” portion of this slide.

21 Security threats & countermeasures
Curious personnel An employee who is not necessarily malicious but who performs activities testing the limits of their network and facilities access What you can do Retrieve your <company> confidential faxes and printed documents immediately Shred all <company> confidential documents Lock all <company> confidential documents in desk drawers / file cabinets Follow the guidance previously provided to prevent unauthorized systems access Report suspicious activity / behavior to your supervisor Slide customization recommendations: Replace the “<company>” indicators with the name of your company. Slide objective: Without introducing too much paranoia or inviting future mistrust, the objective of this slide is to make end-users aware of the internal threat; the internal threat being the risk associated with curious co-workers. Instructor notes: Many employees of companies are unaware of the internal threat associated with curious personnel that stretch the limits of their systems and facility access privileges. One effective means to reduce the likelihood of being compromised by curious employees is to make it more difficult for them to achieve their desired objectives. This goal may be achieved by instilling the knowledge that all of their co-workers will be observant of such inappropriate behavior / activities, and will perform actions that minimize the likelihood of employees accessing / obtaining confidential company information that is inappropriate for their role within the company. Use the recommendations provided in the “What you can do” section of this slide to impart practices that should be employed by the entire workforce.

22 Security threats & countermeasures
Disgruntled employees Upset / troubled employees with an intent to harm other employees or <company> What you can do Contact <contact> if you suspect an employee is disgruntled and potentially dangerous Be observant of others and report suspicious / inappropriate behavior to <contact> Exercise extreme care when aware of unfriendly termination Slide customization recommendations: Replace the “<company>” indicator with the name of your company. Replace the “<contact>” indicators with the contact information of appropriate personnel that are responsible for addressing physical / facility security and human resources issues / incidents. Slide objective: To impart an understanding that one of the most dangerous threats to companies is the presence of disgruntled employees. Instructor notes: Many of the risks associated with disgruntled employees can be averted if disgruntled employees are identified quickly, and if appropriate personnel are notified accordingly. This slide provides guidance regarding the actions employees should perform if any suspicious behavior is suspected or observed.

23 Security threats & countermeasures
Social engineering Taking advantage of people’s helping nature / conscience for malicious purposes What you can do Never lose sight of the fact that successful social engineering attacks rely on you, <company> employees If a received phone call is suspicious, request to return their call Do not provide personal / confidential <company> information to a caller until you are able to verify the caller’s identity, and their association with their employer’s company Never provide a caller with anyone’s password, including your own Report any unrecognized person in a <company> facility to <contact> Slide customization recommendations: Replace the “<company>” indicator with the name of your company. Replace the <contact> indicator with the contact information for appropriate personnel responsible for facility security. Slide objective: To educate all end-users not to provide any confidential company / personal information when it is requested by a caller. Instructor notes: Social engineering is extremely effective because the tactics employed exploit people’s helping nature / good conscience. It is recommended that you emphasize the importance of never providing confidential company / personal information to an unknown caller. Further, it is important to reiterate from slide 18 that end-users should never provide anyone with their passwords. You may wish to provide examples of effective social engineering scams: Jury duty scam: Scam artists contact people and tell them warrants have been issued for their arrest due to not performing required jury duty. Personal information is requested by these scam artists in the context of withdrawing the issued warrants. Help desk scam: Scam artists contact you, and represent themselves as members of your helpdesk operations. They request your password, or the password of another, under the auspices that they require the password in order to perform necessary systems maintenance.
Account verification scam: Scam artists contact you and indicate they need various information pertaining to a particular account (e.g., bank or phone account) to confirm the information they have in their systems is correct.

24 Security threats & countermeasures
Phishing An online scam whereby e-mails are sent by criminals who seek to steal your identity, rob your bank account, or take over your computer What you can do Use the “stop-look-call” technique: Stop: Do not react to phishing ploys consisting of “upsetting” or “exciting” information Look: Look closely at the claims in the e-mail, and carefully review all links and Web addresses Call: Do not reply to e-mails requesting you to confirm account information; call or e-mail the company in question to verify whether the e-mail is legitimate Never e-mail personal information When submitting personal / confidential information via a Web site, confirm the security lock is displayed in the browser Review credit card and bank account statements for suspicious activity Report suspicious activity to <contact> Slide customization recommendations: Replace the “<contact>” indicator with the contact information of appropriate personnel that are responsible for addressing general security issues. Slide objective: To explain what phishing is, and practices end-users can employ to protect themselves and the company from successful phishing attempts. Instructor notes: Phishing, which primarily leads to identity theft, is a worldwide epidemic. Use the practices outlined in the “What you can do” section of this slide to help your end-users understand how they may protect themselves against phishing. It is important to note that Beta 2 Internet Explorer 7 is currently available. Microsoft encourages you to install Beta 2 Internet Explorer 7 to evaluate its new phishing filtering capabilities.

25 Security threats & countermeasures
Information theft through free instant messaging services (IM) Privacy threats caused by using free IM services in the workplace include personal information leakage, loss of confidential information, and eavesdropping <Corporate IM security policy here> What you can do Depending upon with whom you are communicating, and how IM was implemented, every message you send – even to a co-worker sitting in the next cubicle – may traverse outside of <company>’s corporate network All of the messages you send may be highly susceptible to being captured and reviewed by malicious people Never send confidential messages or any files to individuals Realize that there is no means of knowing that the person you are communicating with is really who they say they are Slide customization recommendations: Replace the “<company>” indicator with the name of your company. If your organization uses Microsoft Live Communications Server as your enterprise IM solution, you may wish to present your corporate IM security policy where the “<Corporate IM security policy here>” indicator is presented in this slide. Such a corporate IM security policy should prescribe that company information is only to be transmitted within the company’s internal network, a condition that would be effectively satisfied should your company be using Microsoft’s Live Communications Server. Slide objective: To impart an understanding of the risks associated with using IM products, and how end-users may minimize such risk by adopting prescribed practices. Instructor notes: Use the practices outlined in the “What you can do” section of this slide to help your end-users understand how they may protect themselves against the risks associated with IM use.

26 Home Computer Use
Information Security Explained The Need for Information Security Your Security Role at <Company> Vital <Company> Assets Security Threats & Countermeasures Home Computer Use Helpful Security Resources Closing Comments Slide customization recommendations: Replace each “<company>” indicator with the name of your company. Slide objective: N/A. Instructor notes:

27 Home computer use

Specific conditions and procedures should be followed when using home computers for business purposes:
<Condition "1">
<…>
<Condition "n">

Slide customization recommendations: Remove this slide if home computer use for business purposes is not permitted by your company. Refer to the instructor notes for guidance regarding the content you should provide for the "<Condition "x">" indicators in this slide.

Slide objective: To prescribe the conditions and procedures that all personnel using their home computers for business purposes should follow to protect your company's interests.

Instructor notes: Your company's employees need to understand the conditions they must satisfy, and the procedures they must employ, if they are to use their home computers for business purposes. Your company is only as strong as its weakest link, and if home computer use for business purposes is not managed effectively, it could introduce substantial risk to your company's operations. The conditions and procedures that your IT department has instituted should be presented in this slide and explained in terms that may be easily understood by your entire workforce. An example of a condition that your company may wish to impose is that all home computer users install and maintain anti-virus software.

28 Home computer use

Specific conditions and procedures should be followed when using home computers for business purposes (2):
<Procedure summary "1">
<…>
<Procedure summary "n">

Slide customization recommendations: Remove this slide if home computer use for business purposes is not permitted by your company. Refer to the instructor notes for guidance regarding the content you should provide for the "<Procedure summary "x">" indicators in this slide.

Slide objective: To prescribe the conditions and procedures that all personnel using their home computers for business purposes should follow to protect your company's interests.

Instructor notes: Your company's employees need to understand the conditions they must satisfy, and the procedures they must employ, if they are to use their home computers for business purposes. Your company is only as strong as its weakest link, and if home computer use for business purposes is not managed effectively, it could introduce substantial risk to your company's operations. The conditions and procedures that your IT department has instituted should be presented in this slide and explained in terms that may be easily understood by your entire workforce. An example of a procedure that your company may establish is the set of steps prescribing how your standard corporate VPN client should be installed, configured, and used by home computer users.

29 Helpful Security Resources
Information Security Explained The Need for Information Security Your Security Role at <Company> Vital <Company> Assets Security Threats & Countermeasures Home Computer Use Helpful Security Resources Closing Comments Slide customization recommendations: Replace each “<company>” indicator with the name of your company. Slide objective: N/A. Instructor notes:

30 Helpful security resources
Outlined below are several helpful security resources.
Security guidance for home computer use, which in many cases also applies to <company> computer use.

Slide customization recommendations: It is important to note that the content in Microsoft's Web sites will change frequently. If this consideration is important to your company, ensure that you visit the Microsoft Web site referenced in this slide and replace the screen capture herein with one that reflects the current state of that Web site.

Slide objective: To provide Microsoft resources, at the disposal of all company personnel, that will enable them to better protect their home computers and themselves, and to provide resources that increase their general security awareness, which will extend from the home to the workplace.

Instructor notes: It is recommended that you review all of the content available on this site and present the information you feel will be most applicable to your end-user audiences, and most aligned with your company's business objectives.

31 Helpful security resources
Outlined below are several helpful security resources (2).
Microsoft's Windows Defender product, a free program that helps protect your home computers against pop-ups, slow performance, and security threats caused by spyware and other unwanted software.

Slide customization recommendations: It is important to note that the content in Microsoft's Web sites will change frequently. If this consideration is important to your company, ensure that you visit the Microsoft Web site referenced in this slide and replace the screen capture herein with one that reflects the current state of that Web site.

Slide objective: To provide Microsoft resources, at the disposal of all company personnel, that will enable them to better protect their home computers and themselves, and to provide resources that increase their general security awareness, which will extend from the home to the workplace.

Instructor notes: It is recommended that you review all of the content available on this site and present the information you feel will be most applicable to your end-user audiences, and most aligned with your company's business objectives.

32 Helpful security resources
Outlined below are several helpful security resources (3).
Microsoft resources that help protect your home computers against hackers, malicious software, and other security threats.

Slide customization recommendations: It is important to note that the content in Microsoft's Web sites will change frequently. If this consideration is important to your company, ensure that you visit the Microsoft Web site referenced in this slide and replace the screen capture herein with one that reflects the current state of that Web site.

Slide objective: To provide Microsoft resources, at the disposal of all company personnel, that will enable them to better protect their home computers and themselves, and to provide resources that increase their general security awareness, which will extend from the home to the workplace.

Instructor notes: It is recommended that you review all of the content available on this site and present the information you feel will be most applicable to your end-user audiences, and most aligned with your company's business objectives.

33 Helpful security resources
Outlined below are several helpful security resources (4).
Windows Live OneCare is a service that continually protects and maintains your home computers.

Slide customization recommendations: It is important to note that the content in Microsoft's Web sites will change frequently. If this consideration is important to your company, ensure that you visit the Microsoft Web site referenced in this slide and replace the screen capture herein with one that reflects the current state of that Web site.

Slide objective: To provide Microsoft resources, at the disposal of all company personnel, that will enable them to better protect their home computers and themselves, and to provide resources that increase their general security awareness, which will extend from the home to the workplace.

Instructor notes: It is recommended that you review all of the content available on this site and present the information you feel will be most applicable to your end-user audiences, and most aligned with your company's business objectives.

34 Closing Comments
Information Security Explained The Need for Information Security Your Security Role at <Company> Vital <Company> Assets Security Threats & Countermeasures Home Computer Use Helpful Security Resources Closing Comments Slide customization recommendations: Replace each “<company>” indicator with the name of your company. Slide objective: N/A. Instructor notes:

35 Closing comments

Be security-conscious regarding anything of vital importance to <company> and yourself.
When your personal safety, <company>'s safety, or any confidential information is involved, always ask yourself, "What measures should I take to keep myself and my employer safe, and my employer's confidential information protected against harm, theft, and inappropriate disclosure?"
Apply the considerations discussed in today's security awareness session when at home as well.
Threats do not stop at the workplace; they extend to your home and other surroundings.
Do not allow this security awareness session to lead to paranoia.
Use what you learned today to make more informed decisions to protect yourself, <company>, and others.
This security awareness session is the beginning of <company>'s information security awareness and training program.
<Provide a brief summary of what should be expected next, and the strategic direction of your ISATP>

Slide customization recommendations: Replace the "<company>" indicators with the name of your company. Replace the "<Provide a brief summary of what should be expected next, and the strategic direction of your ISATP>" indicator with a brief overview of the future direction of your company's information security awareness and training program. You are encouraged to incorporate additional content that effectively reinforces previously discussed considerations, and that also effectively addresses your company's corporate security objectives.

Slide objective: To provide a high-level reiteration of the key topics and considerations presented in this security awareness presentation.

Instructor notes: N/A.

36 Questions and Answers
