The Technology Partner for Financial Institutions Employee Training Presented By:

Upload: lillian-fletcher

Post on 27-Dec-2015


TRANSCRIPT

The Technology Partner for Financial Institutions

Employee Training

Presented By:

Paper

• Technology has not eliminated these risks:

– Dumpster divers
– Mobile phones with cameras
– Opportunists

• Expectations:

– Use appropriate shred bins
– Secure and empty personal bins daily
– Remove paper from printers/faxes/common areas as quickly as possible
– Clean desk: keep NPI out of sight of the public

Verbal Communication

• Discussions containing NPI should be conducted in appropriate locations at an appropriate volume

• Follow the documented steps for authenticating users over the phone:

– What information can be communicated
– What the verification process is
– What to do if a call is suspicious

Pretexting/Social Engineering

• Illegally gaining access to customer information

• Methods: impersonating

– A customer
– Another official within your institution
– Another institution
– A government regulatory agency
– Law enforcement

• Red Flag (ID Theft) Rules

Pretext Continued

• Indicators:

– Requesting an address change
– Missing information
– Calls placed from numbers different from those listed on the account
– Callers reluctant or refusing to give a call-back number
– Odd requests
– Aggressive callers
– Talkative callers
– Absent-minded callers

External Personnel

• IT, HVAC, printers, plumbing, etc.
• Verify
• Log (have the IT committee review)
• Escort/accompany

Desk

• Publicly accessible areas:

– Monitor placement
– Clean desk
– Lock drawers
– Remove keys
– Hide passwords

• Lower-level offices:

– Blinds
– Monitor placement

Devices

• Work purposes only
• Employee only: no friends or family
• No removable drives (USB drives) unless given prior approval; follow the appropriate encryption policies
• Follow the proper use policy: do not install any software (or hardware) without prior approval

– Includes iPods, MP3 players, etc.
– iTunes, WeatherBug, etc.

Mobile Devices

• Mobile policy review:

– Must sign before using
– Devices must be password protected
– Devices must support and use idle-time lockout
– Must report lost/stolen devices immediately

• Tracking capability
• Remote wipe capability
• Encrypted storage

Laptops

• Laptops removed from the office: work purposes only
• No personal Internet browsing

– Web browsing is the primary way for a device to be compromised

• No one else is allowed to use them (friends/family)
• Do not leave in a car
• Do not check at the airport
• Do not store passwords with the device
• Encrypted storage

Email

• Follow (manual and automatic) encryption practices if a message contains NPI

• Attachments - receiving:

– Never open from an unknown source
– Never open from a known source if it arrives in an unsolicited email

• Attachments - sending:

– Do not use for personal purposes
– Do not forward jokes, chain letters, etc.

• Links:

– Never open from an unknown source
– Never open if unexpected from a known source

• Familiarize yourself with common phishing attacks
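The "automatic" half of the first bullet is usually a mail-gateway rule that inspects outbound messages for NPI and forces encryption when it finds any. The following is an added example of such a rule, not code from the training deck or its presenter: the SSN, account-number and card-number patterns, the Luhn filter that drops sixteen-digit strings that are not card numbers, and both sample messages (fake addresses and numbers) are constructed here for illustration.

```python
"""Outbound e-mail NPI scan: decide whether a message must be sent encrypted.

Added example, not part of the original training deck. The patterns, the
Luhn filter and both sample messages are constructed for illustration; a
real rule set would be tuned to the institution's own account-number
formats and run inside the mail gateway.
"""
from __future__ import annotations

import email
import re

# Constructed detection patterns: (label, compiled regex).
NPI_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("account number",
     re.compile(r"\b(?:acct|account)\s*(?:no\.?|number|#)?\s*:?\s*\d{8,12}\b", re.I)),
    ("card number", re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")),
]


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; a random run of 16 digits almost never passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_npi(text: str) -> list[tuple[str, str]]:
    """Return (label, matched text) for every NPI pattern found in text."""
    hits = []
    for label, pattern in NPI_PATTERNS:
        for match in pattern.finditer(text):
            value = match.group(0)
            if label == "card number" and not luhn_ok(re.sub(r"\D", "", value)):
                continue  # sixteen digits that fail Luhn are not a card number
            hits.append((label, value))
    return hits


def message_text(raw: str) -> str:
    """Subject line plus every text/plain part of an RFC 822 message."""
    msg = email.message_from_string(raw)
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def scan_message(raw: str) -> tuple[bool, list[tuple[str, str]]]:
    """(encryption required?, NPI hits) for one outbound message."""
    hits = find_npi(message_text(raw))
    return bool(hits), hits


# Constructed sample messages (fake addresses and numbers).
SAMPLE_NPI_MESSAGE = """From: teller@bank.example
To: pat@customer.example
Subject: Your account details

Hi Pat, confirming what we discussed:
Account number: 0012345678
SSN on file: 123-45-6789
Card: 4111 1111 1111 1111
"""

SAMPLE_CLEAN_MESSAGE = """From: teller@bank.example
To: colleague@bank.example
Subject: Friday lunch

Catering order ref 1234 5678 9012 3456 is confirmed for Friday.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_NPI_MESSAGE, SAMPLE_CLEAN_MESSAGE):
        required, hits = scan_message(raw)
        print("encrypt" if required else "send in clear", hits)
```

The clean message carries a sixteen-digit order reference that matches the card-number shape; the Luhn test is what keeps it from being flagged, which is the kind of false-positive control a gateway rule needs before it can be allowed to block or re-route mail.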

Social Media

• Do not access social media at work unless authorized to manage the institution’s social media sites

• Do not post information about the financial institution on social media unless preapproved

• Be careful what information you share

• Check the security settings under the “Settings” or “Options” menus to limit access to personal information

Passwords

• Passwords are key to security success:

– Weak or shared passwords open up vulnerabilities
– They grant access to computers and programs

• Cannot be shared, written down, or left sitting out

Poor Passwords

• Contain fewer than 8 characters
• A word found in the dictionary
• Names of pets, family, friends, or characters
• Birthdays or other personal dates
• Phone numbers
• Addresses
• Any of the above spelled backwards or preceded/followed by a digit

Good Passwords

• Contain upper- and lower-case characters
• Contain digits and punctuation characters
• Have no personal information (family/pets/etc.)
• Should be changed on a regular basis (e.g. 60 days)
• Are not a word, slang, or jargon

Other Considerations

• Do not use the same password for personal and business applications

• When possible, do not use the same password for multiple sites, applications, programs, etc.

• Do not share with a secretary, family members, or friends

Password Don’ts

• Don't reveal a password over the phone to ANYONE
• Don't reveal a password in an email message
• Don't reveal a password to the boss
• Don't talk about a password in front of others
• Don't hint at the format of a password (e.g. "my family name")
• Don't reveal a password on questionnaires or security forms
• Don't share a password with family members
• Don't reveal a password to co-workers while on vacation

Passphrases

• Consider using passphrases: they are good because they contain several words, usually with a high number of characters, upper/lower case, and punctuation.

• Sample passphrases: "TheTrafficOnThe101InTheMorningIsBad!" and “I’mAlwaysLateToWork!”

Letter Substitution

• Another good option is letter substitution:

– L = 1
– o = 0 or O = ()
– S = 5 or S = $
– E = 3
– a = @
– i = ! or I = 1
– t = +

Letter Substitution

• JohnySmith = J()hny$m!+h

• Combine a passphrase with letter substitution for a really strong password

• ILoveMyBoss becomes !10v3MyB()$$. Which do you think is harder to break?
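The Poor Passwords, Good Passwords, Passphrases and Letter Substitution slides together describe a checkable policy. The block below is an added example of that policy as code, not the deck's or presenter's own tooling: it applies the length and character-class rules, the dictionary/personal-information rules including the "spelled backwards or preceded/followed by a digit" case, and, as an assumption that goes one step beyond the slides, inverts the Letter Substitution table before the dictionary test so that a substituted name or word alone is still rejected while a substituted passphrase passes. The word list and the personal details of the hypothetical user "Johny Smith" are constructed inputs.

```python
"""Password policy check assembled from the training rules above.

Added example, not part of the original training deck. The dictionary,
the personal-information terms and the inverted substitution table are
constructed inputs for illustration; a deployment would load a full word
list and the account holder's own profile data.
"""
from __future__ import annotations

import string

# Constructed sample word list (a real check would use a large dictionary).
DICTIONARY = {"password", "welcome", "summer", "love", "boss", "traffic"}

# Constructed personal information for a hypothetical user "Johny Smith":
# pet name, birth year and phone number, as the "Poor Passwords" slide lists.
PERSONAL_INFO = ("johny", "smith", "fido", "1985", "5551234")

# The "Letter Substitution" slide's table, inverted so a substituted word can
# be mapped back to letters before the dictionary test. "1" stands for both
# L and I on the slide, so both readings are tried in check_password().
UNSUBSTITUTE = {"0": "o", "()": "o", "5": "s", "$": "s",
                "3": "e", "@": "a", "!": "i", "+": "t"}


def normalize(pw: str, one: str = "l") -> str:
    """Lower-case and undo the slide's substitutions (longest token first)."""
    out = pw.lower()
    for token in sorted(UNSUBSTITUTE, key=len, reverse=True):
        out = out.replace(token, UNSUBSTITUTE[token])
    return out.replace("1", one)


def _word_forms(candidate: str) -> set[str]:
    """The candidate plus the candidate with one leading or trailing digit
    removed, to cover 'preceded/followed by a digit'."""
    forms = {candidate}
    if candidate[:1].isdigit():
        forms.add(candidate[1:])
    if candidate[-1:].isdigit():
        forms.add(candidate[:-1])
    return forms


def check_password(pw: str) -> list[str]:
    """Return the policy rules the password breaks (empty list = acceptable)."""
    problems = []
    # "Good Passwords" composition rules
    if len(pw) < 8:
        problems.append("fewer than 8 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no punctuation character")

    # "Poor Passwords" content rules, applied to the raw password and to both
    # de-substituted readings so that a substituted word is still caught.
    words = DICTIONARY | set(PERSONAL_INFO)
    candidates = (pw.lower(), normalize(pw, "l"), normalize(pw, "i"))
    word_hit = personal_hit = None
    for cand in candidates:
        for form in _word_forms(cand):
            if form and (form in words or form[::-1] in words):
                word_hit = word_hit or form
        for term in PERSONAL_INFO:
            if term in cand:
                personal_hit = personal_hit or term
    if word_hit:
        problems.append(f"dictionary word or name, possibly reversed or with a digit added ({word_hit!r})")
    if personal_hit:
        problems.append(f"contains personal information ({personal_hit!r})")
    return problems


if __name__ == "__main__":
    for sample in ("password1", "1drowssap", "Fido1985", "J()hny$m!+h",
                   "!10v3MyB()$$", "TheTrafficOnThe101InTheMorningIsBad!"):
        verdict = check_password(sample)
        print(f"{sample:40} {'OK' if not verdict else '; '.join(verdict)}")
```

Run on the deck's own samples, "J()hny$m!+h" is rejected (it normalizes back to "johnysmith", and it has no digit), while "!10v3MyB()$$" and the traffic passphrase pass every rule; that matches the slide's advice to combine a passphrase with substitution rather than substitute a name on its own.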

Password Safe

• Consider a password management program
• Find one that encrypts passwords and is trusted
• One free program is Password Safe: http://passwordsafe.sourceforge.net/

Incident Response Steps

• Detail the steps
• Detail the personnel involved in each step
• Review the centralized place where all appropriate documentation is maintained

More Resources

• Phishing: http://www.occ.gov/topics/consumer-protection/fraud-resources/internet-pirates.html

• Info Security Video: http://www.ftc.gov/bcp/edu/multimedia/interactive/infosecurity/index.html

Questions