“Securing the Unsecured” Security Awareness Training
HIMSS Louisiana Chapter
October 8, 2004
Slide 2
Agenda
• Why
• Who
• What
• When
• Where and How
• Tests for Understanding
• Documentation
Slide 3
Why Security Awareness Training
• Regulatory/Corporate Compliance
• Users Don’t Get It
• “It Can’t Happen Here” Syndrome
• Make Our Lives Easier
• Goals of Security Awareness Training
Slide 4
Why: Regulatory/Corporate Compliance
Sarbanes-Oxley
• Requires companies to become more fiscally accountable
JCAHO
• “To continuously improve the safety and quality of care provided to the public through the provision of health care accreditation and related services that support performance improvement in health care organizations.”
USA Patriot Act
• Expands law-enforcement powers against computer trespass (it amended the Computer Fraud and Abuse Act); organizations are expected to detect and report trespasses
HIPAA
• Requires confidentiality, integrity and availability (CIA) of patients’ protected health information
Slide 5
Why: Users Don’t Get It
• “There’s nothing important on my computer”
• “We have virus software, so my computer is protected from everything”
• “All threats are from the outside”
• “It’s not my job / I’m too busy to worry about security”
• “Technology provides full protection”
Slide 6
Why: It Can’t Happen Here Syndrome
Use Examples from Your Organization
Use Examples from Others:
• Two years of research material lost with no backup
• Test results are changed
• Falsified ID is used to send threatening e-mail
• Employees running side business with our technology
• Hospital machines used as zombies for DDOS attacks
• Virus, worm, trojan infestations and attacks
• Illegal music downloading
• Online gaming
• IT equipment stolen
Slide 7
Why: Make Our Lives Easier
• Routine Helpdesk Calls are Reduced
• Fewer Malicious Code Outbreaks
• Fewer Data Restore Requests
• Able to Focus on Projects
• Users Feel Ownership
• Users Think More Highly of IT
• Less Time Spent Firefighting
Slide 8
Goals of Security Awareness Training
• Establish a knowledge baseline for the entire organization
• Modifying user behavior helps the security team
• Adds a human component to defense-in-depth
• Securing people is at least as important as securing systems
Slide 9
Who Needs Security Awareness Training
• Employees
• Non-employees
Slide 10
Who: Employees
All Employees
• Determine minimum level for everyone
• Include volunteers, medical staff and administration
Department Champions
• Find your IT want-to-bes
• Use them to help smooth the path
Management
• Make sure that they are not embarrassed
• Provide justification for expenditures
IT Staff
• Keep them fully informed
Slide 11
Who: Non-employees
On-site
• Volunteers
• Medical Staff
• Others
Remote
• Medical Staff
• Public
• Support
Contract/Non-contract
• Escort?
Slide 12
What: Security Awareness Training
• Most Common Mistakes
• Training Topics
• Acceptable Use Policy/Agreement
Slide 13
What: Most Common Mistakes
• Poor Password Management
• Workstations Left Logged In and Unattended
• Malicious E-mail Attachments
• Ineffective Anti-virus Software
• Uncontrolled Laptops
• Unreported Security Violations
• Updates, Hot Fixes, Service Packs not Installed
• Poor Perimeter Protection
  • Electronic
  • Physical
Slide 14
What: Training Topics
• Data Backup/Restore
• Physical Security
• Portables
• Social Engineering
• ID/Passwords
• E-mail
• Wireless
• Malicious Software
Slide 15
Data Backup/Restore
Users are responsible for communicating their needs
IT is responsible for making sure it happens
• Included in IT procedures
• Tools supplied to users
Slide 16
Physical Security
• Every User is an Extension of the Security Force
• Lock Offices as Often as Practical
• Restrict Open External Entrances
• Technology
  • Cameras
  • Motion sensors
  • Alarm systems
  • Tags
Slide 17
Portables
• Favorite Target of Thieves
• Less Likely to Draw Attention
• Easily Hidden
• “Turn” Fast at Pawn Shops and Online
• Almost Always Contain “Sensitive” Data
Slide 18
Social Engineering
• “This is (manager, director, etc.) and I need…”
• “This is Sue with the Help Desk and we…
  • are verifying your passwords…”
  • are troubleshooting logon problems…”
  • got your (bogus) request to change your…”
• E-mail Attachments
• Dumpster Diving
• Recovering Data from Surplus Equipment/Media
Slide 19
ID/Passwords
• Users are responsible for what happens with their ID/password
• If you HAVE to write them down, treat the paper like a credit card
• Change passwords if there is a possibility they have been compromised
• Use complex passwords
• The sanctions for not protecting login credentials are…
Slide 20
From the University of Michigan
Passwords Are Like Underwear:
• Change yours often!
• Don’t leave yours lying around!
• The longer, the more protection!
• Don’t share yours with friends!
• Be mysterious!
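Slides 19 and 20 tell users to pick complex passwords and that longer is better. The Python below is an added illustration, not part of the original deck: it puts numbers on that advice by estimating a password’s search space as length × log2(character-pool size), checking it against a small constructed common-password list, and enforcing a minimum length. The thresholds, the COMMON_PASSWORDS list and the three sample passwords are assumptions made for the example.

```python
import math
import string

# Constructed stand-in for a common-password blocklist; a real one has millions of entries.
COMMON_PASSWORDS = {
    "password", "password1", "p@ssw0rd", "welcome1",
    "letmein", "qwerty123", "hospital1",
}


def charset_size(pw):
    """Size of the smallest standard character pool the password draws from."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    if " " in pw:
        size += 1
    return size


def entropy_bits(pw):
    """Search-space size in bits, assuming every character was picked at random
    from the pool: length * log2(pool size). This is an upper bound; patterned
    choices (season + year, keyboard walks) are far weaker than it suggests."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def check_password(pw, min_length=12, min_bits=60):
    """Apply the slides' rules: not a well-known password, long enough, and a large
    enough search space. The thresholds are assumptions for this example; set them
    by policy."""
    bits = entropy_bits(pw)
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if bits < min_bits:
        problems.append(f"search space only {bits:.0f} bits (< {min_bits})")
    return {"bits": round(bits, 1), "accepted": not problems, "problems": problems}


if __name__ == "__main__":
    # Constructed samples: the classic "complex" 8-character password, a season+year
    # pattern that scores well on the formula but not in practice, and a long phrase.
    for pw in ("P@ssw0rd", "Summer2004!", "nurse station four blue cart"):
        print(f"{pw!r:32} {check_password(pw)}")
```

Running it, “P@ssw0rd” fails on all three counts (about 52 bits), “Summer2004!” scores 72 bits on the formula yet is rejected for length, and the 28-character lowercase phrase passes at about 133 bits, which is the “longer, the more protection” point in numbers. Because the formula assumes random choice, the blocklist check matters more than counting symbol classes. Current guidance (NIST SP 800-63B) keeps length and blocklists but drops the routine “change yours often” rule in favor of changing a password when compromise is suspected.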
Slide 21
E-mail
• E-mails Exist in Multiple Places: Deleting an E-mail from One Place Does Not Delete it from Anywhere Else
• Be Aware of “bcc”
• Spam Effects and Avoidance
• Verify Attachments Before Opening
• Don’t Send Confidential Information via Standard E-mail
• E-mail Can be Forged
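The last bullet, that e-mail can be forged, is the one users find hardest to believe. The Python below is an added example, not from the deck: it reads two constructed raw messages with the standard library’s email module and flags the signs a help desk can actually check: a From: domain that disagrees with Return-Path: or Reply-To:, and a message that claims an internal sender but, according to the oldest Received: line, entered the mail system from an outside address. The organization domain, the internal netblocks and both messages are made up for the example.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Assumed facts about "our" organization (hypothetical; substitute your own).
INTERNAL_DOMAIN = "hospital.example"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample: From: claims the CEO's internal address, but the message entered
# our mail relay from an outside host and directs replies to a different domain.
FORGED_MESSAGE = """\
Return-Path: <bounce@example-spam.net>
Received: from mx1.hospital.example (mx1.hospital.example [10.0.0.5])
    by mailstore.hospital.example with ESMTP; Fri, 8 Oct 2004 09:12:01 -0500
Received: from unknown (HELO ceo-laptop) (203.0.113.77)
    by mx1.hospital.example with SMTP; Fri, 8 Oct 2004 09:11:58 -0500
From: "Chief Executive" <ceo@hospital.example>
Reply-To: ceo.office@example-spam.net
To: payroll@hospital.example
Subject: Urgent wire transfer

Please process the attached wire today. Do not call, I am in meetings.
"""

# Constructed sample: a genuine internal message for comparison.
INTERNAL_MESSAGE = """\
Return-Path: <ceo@hospital.example>
Received: from ws-ceo.hospital.example (ws-ceo.hospital.example [10.1.2.3])
    by mx1.hospital.example with ESMTP; Fri, 8 Oct 2004 10:00:00 -0500
From: "Chief Executive" <ceo@hospital.example>
To: payroll@hospital.example
Subject: Board meeting agenda

Agenda attached.
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value, or None if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def originating_ip(msg):
    """Received: lines are prepended as a message travels, so the last one is the oldest;
    the first IPv4 address in it is where the message entered the chain."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = IPV4.search(received[-1])
    return match.group(1) if match else None


def is_internal(ip):
    return ip is not None and any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def analyze(raw):
    """Return the header-consistency findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw)
    from_domain = domain_of(msg.get("From"))
    return_path_domain = domain_of(msg.get("Return-Path"))
    reply_to_domain = domain_of(msg.get("Reply-To"))
    origin = originating_ip(msg)
    claims_internal = from_domain == INTERNAL_DOMAIN
    return {
        "from_domain": from_domain,
        "origin_ip": origin,
        "return_path_mismatch": return_path_domain is not None and return_path_domain != from_domain,
        "reply_to_mismatch": reply_to_domain is not None and reply_to_domain != from_domain,
        "external_origin": claims_internal and not is_internal(origin),
    }


def is_suspicious(raw):
    findings = analyze(raw)
    return bool(findings["return_path_mismatch"] or findings["reply_to_mismatch"]
                or findings["external_origin"])


if __name__ == "__main__":
    for name, raw in (("forged", FORGED_MESSAGE), ("internal", INTERNAL_MESSAGE)):
        print(name, analyze(raw))
```

The forged sample trips all three checks; the internal one trips none. Treat these as triage heuristics, not proof: only the Received: lines written by your own mail servers can be trusted (a sender can fabricate any lines below them), and the durable fix is sender authentication with SPF, DKIM and DMARC, which largely postdates this 2004 deck.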
Slide 22
Wireless
• Don’t Plug in Your Own Wireless Access Point
• Don’t Change the Secure Configuration:
  • To make it work with your home network
  • So it will connect in the airport
  • To access other facilities’ networks
• Use a Wire When Available
  • Faster
  • More secure
  • Less competition for access point bandwidth
Slide 23
Malicious Software
• Leave Virus Protection and Firewall Programs Running
• Check for or Allow Updates
• Recognize Potential Malicious Activities:
  • Disk activity when no programs are running
  • Unusual or unexpected logon screens
  • Boot-up speed or sequence changes
  • Performance degradation
  • Returned (bounced) e-mails you never sent
  • Others?
Slide 24
What: Acceptable Use Policy/Agreement
• Include All Security Topics
• Templates and Examples are Available Online
• Include in Training
• Have Users Sign
• May Include Confidentiality and Privacy
Slide 25
When: Security Awareness Training
Prior to System/Facility Access
• Require security training
• Have Acceptable Use Policy, Confidentiality, Privacy and other agreements signed
Ongoing
• New Hire
• Reminder
• Annual
• Include security every chance
Non-employees
Slide 26
Where and How: Security Awareness Training
• Posters
• Newsletters
• Login Dialogue Boxes
• E-mails
• Display Tables
• Contests
• “Mystery Guest”
Slide 27
Tests for Understanding
Positives
• Proof that learning occurred
• Program improvements
Negatives
• Proof that learning did not occur
• Handling the failures
Slide 28
Documentation
• Annual Plan
• Who/What/When Matrix
• Proof of Occurrence
• Quality Review Meeting Minutes
Slide 29
From George Mason University
S.E.C.U.R.E. I.T.
Simple (All users can implement these procedures)
Effective (Problems are solved by following procedures)
Concerned (All users should be concerned about security)
Useful (Procedures keep resources safe and available)
Responsibility (All users must follow the AUP)
Economical (Resources are protected and conserved)
Information (Confidentiality, integrity, accessibility)
Technology (Hardware is protected and preserved)
Thank You
Healthlink Incorporated
3800 Buffalo Speedway, Suite 550
Houston, TX 77098
1.800.223.8956