TRANSCRIPT
Annual Training – Information Security Awareness
This course is intended for all Haemonetics employees, including contractors and temporary workers. In this global course you will learn about Information Security Awareness: confidentiality, integrity and availability.
This course is expected to take 30 minutes to complete. You must complete the course and successfully pass the quiz (80% or higher) to get credit for this module.
Content Owner : Data Protection Officer
Company Confidential TI1317(AC) Page 1
Global Training – Information Security Awareness
What is Information Security?
An easy-to-remember acronym is CIA:
• Confidentiality – Limiting access only to those who are authorized.
• Integrity – Preventing intentional or unintentional modification of data.
• Availability – Making sure the data is available when it should be.
Cybersecurity and Data Protection responsibilities are defined in our SOPs:
• Data Protection Officer (DPO): Sets and enforces data protection and cybersecurity policies.
• Global Compliance Officer (GPO): Ensures data protection and cybersecurity policies conform to laws and regulations of the countries in which Haemonetics operates.
• Incident Response Team: Comprising the DPO, GPO, and leadership in Commercial, IT, Quality and Communications, manages response to high-risk security incidents.
• Every Haemonetics team member: Ensures the protection of Haemonetics information assets, including hardware, software systems, and data, including customer data entrusted to Haemonetics.
NIST (National Institute of Standards and Technology) Framework
To ensure good cybersecurity and data protection practices, Haemonetics has aligned to the NIST Cyber Security Framework (CSF). This framework has been widely adopted by global organizations as a holistic way to ensure confidentiality, integrity, and availability.
How do I contribute to Haemonetics’ cybersecurity posture?
We have two primary cyber threats to Haemonetics, and your actions are key to addressing each:
• Data Breach. In addition to our employees’ personal data, we also host personal data for some of our customers. Failure to implement a level of security appropriate to the magnitude of risk and its consequences could result in significant fines and legal liabilities for the company, while damaging our reputation across the market.
• Malware. Malware is often referred to as a computer virus. A particular type of malware of concern to us is called ransomware, which is designed to lock us out of our systems. This could significantly disrupt our service, manufacturing, and distribution operations for hours, days, or even weeks. In addition to lost revenue, this could damage our reputation and thereby erode our long-term market share.
How do I defend against these threats?
• Data breach and ransomware attacks usually begin as “phishing.” Phishing is a technique used by hackers to steal your userid and password via email.
• A hacker may pose as one of your regular contacts, even as a Haemonetics employee. Or he may pose as a centralized function, such as “SharePoint Administrator” or “HR Administrator.”
• Most often, the hacker will try to get you to enter your userid and password or to open an attachment. Cues for a possible phishing attack include the appearance of the external email banner, spelling and grammar errors in the email text, and an undue sense of urgency on the part of the sender.
• Some clues that an email should be treated as suspicious are:
  • The external banner is displayed, although the sender appears to be a Haemonetics employee
  • There is an urgent call to action: “do this now or your access will be removed,” etc.
  • There is an attachment or a hyperlink that you were not expecting
  • There are spelling or grammatical errors in the body of the email
• A hacker may pose as someone on the phone or in a text message to get you to let down your defenses, or to request sensitive information.
• To avoid being phished, always be on your guard against unsolicited requests for information, especially those coming from external parties and those containing links or attachments. When in doubt, do not respond; send the email to [email protected] for analysis first.
• If you inadvertently enter your userid and password on a suspicious site, change your password immediately and report the issue to [email protected].
Your user credentials (userid and password) must be protected.
A hacker who successfully obtains your userid and password can access any system to which you have access without fear of detection.
Using tools available on the so-called Dark Web, a hacker who successfully obtains your userid and password can escalate his access to perform transactions that you yourself cannot, from downloading PII to electronically transferring funds.
Best Practices and Guidelines - Passwords
Do:
• Use complex passwords of at least 10 characters, including uppercase, lowercase, and special characters.
• Always lock your computer using Ctrl-Alt-Del when unattended.
Do Not:
• Share your password with anyone (except temporarily to authorized IT support personnel actively troubleshooting: change your password as soon as the session is complete).
• Write passwords down and store them physically or on your computer, or use the “remember my password” feature for web-based applications.
• Use common expressions, your birthdate, or other easily-guessed elements in your password.
• Use your Haemonetics password for non-Haemonetics accounts, like Amazon or Netflix, or your Amazon or Netflix passwords for Haemonetics.
Please refer to SOP2659 for further details.
Guarding against malware
• “Malware” is a category of software intended to do harm. It’s another term for “computer viruses.”
• One category of malware is ransomware. Ransomware locks out computer resources until ransom is paid to the attacker.
• Another category is a RAT, or Remote Access Trojan. This form of malware can provide an attacker with direct access to your computer, or can export sensitive information automatically.
• The best way to protect against malware is to avoid being phished: most malware is introduced via attachments in phishing emails.
• Another key defense is to keep your Anti-Virus (AV) protection up-to-date. Your AV is updated every time you start your computer on the network. This means you should reboot every night, and that if you are a remote worker, you should log in to the network via VPN at least once per week to receive the latest AV updates.
What is PII (Personally Identifiable Information)?
PII is anything that could be used to identify a specific person. It’s not just social security numbers: it includes names, email addresses, full-face photographs, credit card and bank account information, and so forth. All PII must be protected carefully using both organizational measures (such as access control and data minimization) and technical measures (such as de-identification, encryption, and secure networks).
Some PII elements are more sensitive than others. In general, anything whose exposure could harm an individual requires particular protection. These elements include social security, password and driver’s license, ID or passport numbers, which could support identity theft, as well as protected health information (such as diagnosis and treatment information), criminal history, and religious and political affiliation.
A breach of PII could have major consequences for Haemonetics. In Europe, there are specific rules on preventing and disclosing breaches of PII, and failure to implement and comply with them can result in a fine of up to two percent of global revenue under the General Data Protection Regulation (GDPR). In the US, a breach can result in fines under HIPAA regulations as well as class action lawsuits. A breach anywhere in the world could result in major reputational damage, putting at risk our ability to do business in certain geographies and with certain customers.
Applying this to your daily work
If you are developing a system or process that includes PII, whether Haemonetics employees', third parties' or customer patients' PII, be sure to execute or update the Data Privacy/Protection Impact Assessment (DP/PIA) in accordance with SOP2871. The DP/PIA is a structured way to evaluate risks associated with PII and to define the best means to mitigate those risks.
If you handle customer PII, be sure to complete the required training on SOP2469.
Never carry PII on portable media, including on your laptop or on a flash drive. Always use approved, secure platforms for PII processing.
Don’t re-use PII for a purpose other than that for which it was obtained. For example, donors may have consented to share their data for a clinical trial, but we can’t then use their contact information to do an unrelated customer survey.
Never share PII except as required by documented processes, and minimize the information that is shared. For example, if a customer sends you a screenshot containing PII, redact the screenshot to exclude the PII elements before sharing it or loading it to your computer system, unless that PII is specifically needed per the documented process, in which case ensure that the PII is processed according to applicable SOPs and kept for no longer than is strictly necessary.
Data protection extends beyond electronic records.
• Whether you’re dealing with employee personnel files or other sensitive information, be sure to:
  • Maintain a “clean desk” policy: sensitive paper records, including those containing PII, should be returned to secure storage when you no longer need to work on them, or at the end of your business day, whichever comes first.
  • When disposing of sensitive records, including those containing PII, be certain to dispose of them in bins allocated for shredding.
  • Review your SOP or Work Instruction to determine whether a Certificate of Destruction is needed for any hard copy records being shredded.
Information Technology Use Policy - Highlights
• All Haemonetics systems are to be used for business purposes only.
• Limited reasonable personal use is permitted on an as-needed basis. Employees are responsible for exercising good judgment regarding reasonableness of personal use, and personal use of systems should not be routine.
• All users are prohibited from accessing or transmitting material that is offensive in nature, or that could be construed as creating a hostile work environment.
• Data created on Haemonetics systems remains property of Haemonetics. Please promptly remove your personal data and avoid saving personal data on Haemonetics-owned systems.
• Haemonetics reserves the right to periodically audit networks and systems.
Physical Security - Guidelines
• All employees, contractors, vendors, third party users and all visitors are required to wear some form of visible identification.
• All employees should notify site security or the office coordinator if they encounter unescorted visitors without proper identification.
• Please accompany contractors and third party users to restricted areas (data centers, human resources, etc.) if their duties require access to those areas.
• As an employee, it is your responsibility to make sure the visitor signs out before he / she leaves the Haemonetics premises.
• Make sure that the person entering Haemonetics offices behind you has valid identification before letting him / her in with you. Otherwise direct them to the main entrance for proper check-in.
• Any suspicious activity / people should be immediately reported to site security or the office coordinator.
• Never leave your mobile device unattended, such as in a car, in checked baggage, or at an airport charging station. If your mobile device is lost or stolen, contact the help desk to report the loss to security operations.
Data Governance
• Haemonetics has a Data Governance, Classification and Retention Policy (BPD-00084) that determines how data will be classified and managed throughout its life cycle.
• Haemonetics classifies all data as either Restricted, For Internal Use Only, or Public. Definitions and examples:
  • Restricted: highly sensitive information. Examples: PII, material financial information, intellectual property, strategy documents.
  • For Internal Use Only: Haemonetics internal information. Examples: SOPs, Work Instructions, reports.
  • Public: publicly disclosed information. Examples: Customer Letters, press releases, job postings.
Data Governance Tips
• Always process data in an approved Haemonetics system. For example, never download PII to your laptop, thumb drive, or personal cloud storage account.
• Pay particular attention to the use of Restricted data, following the applicable SOPs and Work Instructions for your area of responsibility. Remember that systems processing Restricted data should be encrypted at rest and in transit and in general should use your network logon controls (Single Sign On with VPN or Multi-Factor Authentication).
• Keep For Internal Use Only information within Haemonetics. SOPs and other FIUO documents can be shared only as needed and with a Non-Disclosure Agreement (NDA) in place.
• Seek the appropriate approval before making Haemonetics information public. For example, a Customer Letter should be approved in the Document Management system before being distributed, and you should obtain approval from Corporate Communications before publishing an article in a professional journal.
To Learn More:
• Global SOP – Cybersecurity and Data Protection: SOP2870
• Global SOP – Data Protection Impact Assessment: SOP2871
• Global SOP – Physical Security: SOP2959
• Global Data Privacy Policy: BPD-00056
• Data Classification, Governance and Retention Policy: BPD-00084
• Password Policies: SOP2659
• Acceptable Use: SOP2660
• Customer Data Protection: SOP2469
Security is Everyone’s Responsibility!
Help to keep Haemonetics secure by:
• Staying current with training and, if you’re a manager, ensuring that your direct reports are current with their training
• Reading security alerts published through HaemoNet
• Being on guard for potential phishing attacks, and sending suspicious emails to [email protected] for analysis and action
• Following required procedures for password protection, acceptable use, and PII protection