Security Awareness Training - For Companies With Access to NYS "Sensitive" Information
Information Security 
User Awareness and Best Practices 
Presented by David A. Menken, 
Smith Buss & Jacobs, LLP to 
December 15, 2014 
David A. Menken, Esq. 
Smith Buss & Jacobs LLP 
733 Yonkers Avenue 
Yonkers NY 10704 
dmenken@sbjlaw.com 
914-457-4186 
www.sbjlaw.com
Importance of Security
The Internet allows an attacker to attack from anywhere.
Malicious code from an email, a web page or a USB drive can infect the entire organization.
A breach is often the result of a simple mistake.
What you risk with poor security knowledge and practice:
• Risk of identity theft
• Risk of monetary theft
• Risk of cancellation of contracts
• Risk of a lawsuit (for you and your company)
• Risk of liability for fines and penalties
• Risk of termination of employment if company policies are not followed
What We Need to Take Away
Security: We must protect our computers and data in the same way that we secure the doors to our homes.
Safety: We must behave in ways that protect us against risks and threats that come with technology.
Why We Are Here This Morning
You have access to NYS Govt. information, so it must comply with NYS Cyber Security Policy P03-002 v3.4 in its data handling and data confidentiality requirements.
• Information must be housed only on internal servers
• Information must be segmented from the rest of EIC's network
• Access must be controlled by encryption per AES254 standards
• Access must be contingent on role-based permissions and strong passwords
• Information must be secured behind a strong firewall and not available to the Internet
• Information can be unencrypted only to perform data analysis
• When information is destroyed, it must be destroyed pursuant to DOD-grade destruction
• Security must be monitored in real time
• Employees must be trained in security awareness
Why We Are Here This Morning
Employees MUST Undertake Training
1. New employees must receive general security awareness training, to include recognizing and reporting insider threats, within 30 days of hire.
2. Additional training must be completed before access is provided to specific sensitive information not covered in the general security training.
3. All security training must be reinforced at least annually and must be tracked by your company.
How We Can Detect an Intrusion/Malware
• Antivirus software detects a problem
• Pop-ups suddenly appear
• Disk space disappears
• Home page changes
• Files or transactions appear that should not be there
• System slows down to a crawl
• Unusual messages, sounds, or displays
• Your mouse moves by itself
• Frequent firewall alerts about unknown programs trying to access the Internet
• Your computer shuts down and powers off by itself
• Often we cannot detect an intrusion
Best Practices to Preserve Security
Handling Sensitive Data
• Protect all "sensitive" data and files. "Sensitive" means data, documents, or files which, if compromised, would have an adverse effect on the company or its employees or customers.
• Store data in a secure physical environment, only on devices owned and approved by IT Support.
• Encrypt and password-protect data when in transit (email) or on mobile devices (laptops, CDs, USB “thumb” drives).
• NYS data has special encryption requirements.
Best Practices to Preserve Security
Handling Devices and Files
• Only devices owned or approved by IT Support may be connected to the systems – See the “Bring Your Own Device” Policy.
• PCs must be manually locked when unattended and must automatically lock after a period of inactivity.
• PCs must require a password to re-activate.
• Files must be stored and backed up on the server, not on the desktop or C: drive.
Best Practices to Preserve Security
Handling Logons and Passwords
• Passwords must comply with security standards
• A good password is:
  • yours alone
  • secret
  • easily remembered by you
  • at least 8 characters, complex
  • not guessable
  • changed regularly (every 90 days)
• 5 unsuccessful attempts will lock your account
• System or browser may not be configured to remember (cache) passwords
• Users may NEVER share passwords for any reason
• Two-factor authentication
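The password rules on this slide (at least 8 characters, complex, not guessable, rotated every 90 days, lockout after 5 failed attempts) can be written down as a checkable policy. The Python script below is an added example for this page; it is not part of the presentation or of any NYS policy document. The definition of "complex" as three of four character classes, the tiny list of common passwords, the sample username `dmenken`, and PBKDF2 storage with a constant-time comparison are assumptions chosen for the illustration.

```python
"""Password-policy checker and account-lockout simulation.

Added example; the character-class rule, the common-password list, the
PBKDF2 iteration count and the Account class are assumptions, not taken
from the slides or from NYS policy P03-002.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass

MIN_LENGTH = 8           # slide: "at least 8 characters"
MAX_AGE_DAYS = 90        # slide: "changed regularly (every 90 days)"
LOCKOUT_THRESHOLD = 5    # slide: "5 unsuccessful attempts will lock your account"
MIN_CHAR_CLASSES = 3     # assumption: what "complex" means in this example

# Constructed sample list; a real deployment would screen against a large
# breached-password list rather than a handful of strings.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein", "qwerty123", "abc12345"}

CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_password(candidate: str, username: str = "") -> list[str]:
    """Return the policy violations for a proposed password (empty list = compliant)."""
    problems: list[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(1 for pattern in CHAR_CLASSES if re.search(pattern, candidate))
    if classes < MIN_CHAR_CLASSES:
        problems.append(f"not complex: needs {MIN_CHAR_CLASSES} of lower/upper/digit/symbol")
    lowered = candidate.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("guessable: common password")
    if username and username.lower() in lowered:
        problems.append("guessable: contains the username")
    return problems


def password_expired(age_days: int) -> bool:
    """True once the password has reached the 90-day rotation window."""
    return age_days >= MAX_AGE_DAYS


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is an example value.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    """Minimal account record: salted hash, failed-attempt counter, lock flag."""
    username: str
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False

    @classmethod
    def create(cls, username: str, password: str) -> "Account":
        # Enforce the policy at the moment the password is set.
        violations = check_password(password, username)
        if violations:
            raise ValueError("password rejected: " + "; ".join(violations))
        salt = os.urandom(16)
        return cls(username, salt, hash_password(password, salt))

    def attempt_login(self, supplied: str) -> str:
        """Return 'ok', 'failed' or 'locked'; the 5th consecutive failure locks the account."""
        if self.locked:
            return "locked"
        # Constant-time comparison so response timing does not leak digest bytes.
        if hmac.compare_digest(hash_password(supplied, self.salt), self.digest):
            self.failed_attempts = 0
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= LOCKOUT_THRESHOLD:
            self.locked = True   # only an administrator or help desk unlocks it
            return "locked"
        return "failed"


if __name__ == "__main__":
    for pw in ("Ab1!", "password1", "Yonkers-2014-Ok"):
        print(pw, "->", check_password(pw, "dmenken") or "compliant")
    acct = Account.create("dmenken", "Yonkers-2014-Ok")
    for guess in ("wrong1", "wrong2", "wrong3", "wrong4", "wrong5", "Yonkers-2014-Ok"):
        print(guess, "->", acct.attempt_login(guess))
```

The lockout counter resets only on a successful logon, and once the fifth consecutive failure trips the lock even the correct password is refused until an administrator clears it, which is the behaviour the slide describes; the "changed every 90 days" rule is checked separately by `password_expired` because it depends on the password's age rather than its content.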
Best Practices to Preserve Security
Handling Security Updates and Patches
• Configure operating systems for automatic security updates and patches
• Configure applications for automatic security updates and patches (e.g., MS Office, Acrobat)
• Configure security software to scan web pages, email, attachments, and downloads
• Keep security software up to date and configured for regular scans
Best Practices to Preserve Security
Handling Physical Security
• Lock your workstation when you leave your desk or leave your laptop/mobile device unattended
  • Press the Windows Key and “L” (at the same time)
  • Press Ctrl-Alt-Del and “Lock Computer”
• Lock sensitive documents and materials in a file cabinet
• Dispose of sensitive materials appropriately
• Never share your access key, card or fob
• Always question unescorted strangers
• Immediately report all suspicious activities and breaches of physical security
Best Practices to Preserve Security
Handling Email Threats
• Don’t fall prey to “social engineering”
• Do not open email attachments unless you are expecting the email with the attachment and you trust the sender.
• Do not click on links in emails unless you are absolutely sure of their validity.
• REMEMBER: The most prevalent and persistent threats to your security come to you in your Inbox, even supposedly from people you may know.
• They all have this in common: they are designed to get you to click on an item like an attachment, link or picture.
Stop - Think - Then (maybe) Click
Best Practices to Preserve Security
Handling Threats from Your Browser
• Browsing Can Be Hazardous To Your PC
• The Common Threat: On the web, the threats come from malicious links.
• Most of the threats come when you click on a link that launches a malicious program or re-directs you to a dangerous site.
Best Practices to Preserve Security
Handling Telework Threats
• Mobile Workers: Be Careful With Your Connections
• Assume public wireless networks are not secure
• Use a Virtual Private Network: Allows you to launch a secure Internet connection
• Device Encryption: Should be installed on all mobile devices that connect to company systems
Reported Data Breaches of Not-for-Profit Corporations in 2014
(reported by Privacy Rights Clearinghouse)
• Oct. 2014: Community Technology Alliance (provides tech support to non-profits in San Jose) notified individuals of a potential compromise of their personal information when an employee's laptop was stolen.
• Sept. 2014: BayBio.org (life sciences non-profit in Bay Area) notified individuals of a data breach to their online payment system. The hacker, via an email, inserted files that captured keystrokes of visitors to their site.
• July 2014: Central City Concern (poverty and homelessness NGO in Oregon) suffered a data breach when an unauthorized access by a former employee resulted in the breach of client data.
• March 2014: Service Coordination Inc. (provides services to the developmentally disabled in Maryland) suffered a breach involving one file which contained SSNs and medical info of 9,700 clients when someone hacked its computers.
New York Data Breach Law
N.Y. St. Tech. Law §208 (applies to state agencies) and N.Y. Gen. Bus. Law §899-aa (applies to business)
Guarantees persons the right to know what private information was exposed during a breach, so that they can take the necessary steps to both prevent and repair any damage incurred.
Obligates any person or business that conducts business in NY and owns or licenses computerized data that includes private information, or any person or business that maintains such data, to notify a person whose unencrypted data was stolen.
New York Data Breach Law
Definition of “Private Information”
• Personal information of a natural person (i.e., information which can be used to identify that person, such as name, email address)
• In combination with any one or more of the following data elements:
  (1) Social security number
  (2) Driver's license or similar identification
  (3) Account number, credit/debit card number, in combination with password or security code
• When either non-encrypted or encrypted with a data key that was also acquired
If you have any questions please contact me:
David A. Menken
Smith Buss & Jacobs LLP
733 Yonkers Avenue, Yonkers NY 10704
914-457-4186
dmenken@sbjlaw.com

Security Awareness Training - For Companies With Access to NYS "Sensitive" Information

1. Information Security: User Awareness and Best Practices
   Presented by David A. Menken, Smith Buss & Jacobs, LLP to December 15, 2014
   David A. Menken, Esq., Smith Buss & Jacobs LLP, 733 Yonkers Avenue, Yonkers NY 10704
   dmenken@sbjlaw.com, 914-457-4186, www.sbjlaw.com

2. (image slide, no text)

3. Importance of Security
   The Internet allows an attacker to attack from anywhere. Malicious code from an email, a web page or a USB device can infect the entire organization. A breach is often the result of a simple mistake.
   What you risk with poor security knowledge and practice:
   • Risk of identity theft
   • Risk of monetary theft
   • Risk of cancellation of contracts
   • Risk of a lawsuit (for you and your company)
   • Risk of liability for fines and penalties
   • Risk of termination of employment if company policies are not followed

4. What We Need to Take Away
   Security: We must protect our computers and data in the same way that we secure the doors to our homes.
   Safety: We must behave in ways that protect us against risks and threats that come with technology.

5. Why We Are Here This Morning
   You have access to NYS Govt. information, so it must comply with NYS Cyber Security Policy P03-002 v3.4 in its data handling and data confidentiality requirements.
   • Information must be housed only on internal servers
   • Information must be segmented from the rest of EIC's network
   • Access must be controlled by encryption per AES254 standards
   • Access must be contingent on role-based permissions and strong passwords
   • Information must be secured behind a strong firewall and not available to the Internet
   • Information can be unencrypted only to perform data analysis
   • When information is destroyed, destruction must be DOD grade
   • Security must be monitored in real time
   • Employees must be trained in security awareness

6. Why We Are Here This Morning
   Employees MUST Undertake Training
   1. New employees must receive general security awareness training, to include recognizing and reporting insider threats, within 30 days of hire.
   2. Additional training must be completed before access is provided to specific sensitive information not covered in the general security training.
   3. All security training must be reinforced at least annually and must be tracked by your company.
7. How We Can Detect an Intrusion/Malware
   • Antivirus software detects a problem
   • Pop-ups suddenly appear
   • Disk space disappears
   • Home page changes
   • Files or transactions appear that should not be there
   • System slows down to a crawl
   • Unusual messages, sounds, or displays
   • Your mouse moves by itself
   • Frequent firewall alerts about unknown programs trying to access the Internet
   • Your computer shuts down and powers off by itself
   • Often we cannot detect an intrusion

8. (image slide, no text)
9. Best Practices to Preserve Security: Handling Sensitive Data
   • Protect all "sensitive" data and files. "Sensitive" is data, documents, or files which, if compromised, would have an adverse effect on the company or its employees or customers.
   • Store data in a secure physical environment, only on devices owned and approved by IT Support.
   • Encrypt and password-protect data when in transit (email) or on mobile devices (laptops, CDs, USB "thumb" drives).
   • NYS data has special encryption requirements.

10. Best Practices to Preserve Security: Handling Devices and Files
   • Only devices owned or approved by IT Support may be connected to the systems. See the "Bring Your Own Device" Policy.
   • PCs must be manually locked when unattended and must automatically lock after a period of inactivity.
   • PCs must require a password to re-activate.
   • Files must be stored and backed up on the server, not on the desktop or C: drive.
11. Best Practices to Preserve Security: Handling Logons and Passwords
   • Passwords must comply with security standards
   • A good password is:
     • yours alone
     • secret
     • easily remembered by you
     • at least 8 characters, complex
     • not guessable
     • changed regularly (every 90 days)
   • 5 unsuccessful attempts will lock your account
   • System or browser may not be configured to remember (cache) passwords
   • Users may NEVER share passwords for any reason
   • Two-factor authentication
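The rules on this slide map directly onto the local account policy of a Windows PC. The script below is an added example, not the presenter's material or any organisation's policy tooling: it reads the current policy with `net accounts`, reports each rule as pass or fail, and can apply the slide's numbers (8 characters, 90 days, lockout after 5 attempts). The lockout duration, observation window and password-history depth are assumptions, since the slide gives no values for them; the Chrome and Edge policy keys implement the "browser may not cache passwords" rule. Run it from an elevated PowerShell on a standalone machine; a domain-joined PC receives these settings from Group Policy, where only the audit function is meaningful.

```powershell
# Added example (not the presenter's code): audit and optionally enforce the
# logon rules from the slide on a standalone Windows PC. Run elevated.
# Values marked "assumption" are not on the slide.

# Each rule names a line of 'net accounts' output and the condition it must meet.
$AccountRules = @(
    @{ Setting = 'Minimum password length';               Want = '8 or more';               Test = { param($v) $v -ge 8 } }
    @{ Setting = 'Maximum password age (days)';           Want = '1 to 90';                 Test = { param($v) $v -ge 1 -and $v -le 90 } }
    @{ Setting = 'Lockout threshold';                     Want = '1 to 5';                  Test = { param($v) $v -ge 1 -and $v -le 5 } }
    @{ Setting = 'Lockout duration (minutes)';            Want = '30 or more (assumption)'; Test = { param($v) $v -ge 30 } }
    @{ Setting = 'Lockout observation window (minutes)';  Want = '30 or more (assumption)'; Test = { param($v) $v -ge 30 } }
    @{ Setting = 'Length of password history maintained'; Want = '5 or more (assumption)';  Test = { param($v) $v -ge 5 } }
)

function Get-LocalAccountPolicy {
    # Turn the text output of 'net accounts' into a setting -> integer map.
    # "Never", "Unlimited" and "None" parse as 0, so "no lockout" and
    # "passwords never expire" fail the numeric rules above.
    $policy = @{}
    foreach ($line in (net accounts)) {
        if ($line -match '^(?<name>[^:]+):\s+(?<value>\S.*)$') {
            $n = 0
            [void][int]::TryParse($Matches.value.Trim(), [ref]$n)
            $policy[$Matches.name.Trim()] = $n
        }
    }
    return $policy
}

function Test-LocalAccountPolicy {
    # One object per rule, so the result can be piped to Format-Table or exported.
    $current = Get-LocalAccountPolicy
    foreach ($rule in $AccountRules) {
        $actual = $current[$rule.Setting]
        [pscustomobject]@{
            Setting = $rule.Setting
            Actual  = $actual
            Wanted  = $rule.Want
            Pass    = [bool](& $rule.Test $actual)
        }
    }
}

function Set-PasswordComplexity {
    param([ValidateSet(0, 1)][int]$Enabled = 1)
    # "Complex" is not a 'net accounts' switch: export the local security
    # policy with secedit, flip PasswordComplexity, and import it again.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    $db  = Join-Path $env:TEMP 'secpol-import.sdb'
    secedit /export /cfg $cfg /quiet | Out-Null
    (Get-Content $cfg) -replace '^PasswordComplexity\s*=.*$', "PasswordComplexity = $Enabled" |
        Set-Content $cfg -Encoding Unicode
    secedit /configure /db $db /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
    Remove-Item $cfg, $db -ErrorAction SilentlyContinue
}

function Set-LocalAccountPolicy {
    # Apply the slide's numbers plus the assumed lockout timings and history depth.
    net accounts /minpwlen:8 /maxpwage:90 /uniquepw:5 `
                 /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null
    Set-PasswordComplexity -Enabled 1
}

function Disable-BrowserPasswordCaching {
    # "Browser may not be configured to remember passwords": the
    # PasswordManagerEnabled policy for Chrome and Edge, written under HKLM so
    # that users cannot re-enable it from the browser settings page.
    foreach ($key in 'HKLM:\SOFTWARE\Policies\Google\Chrome',
                     'HKLM:\SOFTWARE\Policies\Microsoft\Edge') {
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name PasswordManagerEnabled -Value 0 `
                         -PropertyType DWord -Force | Out-Null
    }
}

# Usage: audit first; apply only after reviewing the findings.
Test-LocalAccountPolicy | Format-Table -AutoSize
# Set-LocalAccountPolicy; Disable-BrowserPasswordCaching
```

The audit deliberately treats "Never" and "Unlimited" as 0 so that an account policy with no lockout or no expiry shows up as a failure rather than a blank. Two-factor authentication, the last item on the slide, is provided by the identity system rather than the local machine and is not something this script can switch on.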
12. Best Practices to Preserve Security: Handling Security Updates and Patches
   • Configure operating systems for automatic security updates and patches
   • Configure applications for automatic security updates and patches (e.g., MS Office, Acrobat)
   • Configure security software to scan web pages, email, attachments, and downloads
   • Keep security software up to date and configured for regular scans

13. Best Practices to Preserve Security: Handling Physical Security
   • Lock your workstation when you leave your desk or leave your laptop/mobile device unattended
     • Press the Windows Key and "L" (at the same time)
     • Press Ctrl-Alt-Del and "Lock Computer"
   • Lock sensitive documents and materials in a file cabinet
   • Dispose of sensitive materials appropriately
   • Never share your access key, card or fob
   • Always question unescorted strangers
   • Immediately report all suspicious activities and breaches of physical security
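Slides 10, 12 and 13 each ask for a workstation setting: automatic lock after inactivity, automatic operating-system and application updates, and locking the session on demand. The script below is an added example, not the presenter's material, that expresses those three requirements as a small registry baseline that can be audited and applied from an elevated PowerShell. The 10-minute inactivity limit and the 03:00 install time are assumptions (the slides give no numbers); the Windows Update and Office keys are the standard Group Policy registry locations, which Windows Home editions ignore. Adobe Acrobat has its own vendor-specific updater settings and is not covered.

```powershell
# Added example (not the presenter's code): registry baseline for inactivity
# lock (slide 10), automatic updates (slide 12) and on-demand lock (slide 13).
# Run from an elevated PowerShell. Numeric values marked below are assumptions.

$Baseline = @(
    # "Interactive logon: Machine inactivity limit" in seconds. Locks the session
    # after idle time without depending on a screen saver being selected.
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'InactivityTimeoutSecs'; Value = 600 }           # assumption: 10 minutes
    # Windows Update policy: updates on, auto download and scheduled install
    # (AUOptions 4), every day (0) at 03:00 (assumption).
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'NoAutoUpdate';         Value = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'AUOptions';            Value = 4 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'ScheduledInstallDay';  Value = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'ScheduledInstallTime'; Value = 3 }
    # Microsoft Office (Click-to-Run, 2016 and later): keep automatic updates on.
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Office\16.0\Common\OfficeUpdate'; Name = 'EnableAutomaticUpdates'; Value = 1 }
)

function Test-WorkstationBaseline {
    # One object per setting: expected value, actual value, and whether they match.
    # A missing key or value reports Actual = $null and fails.
    foreach ($s in $Baseline) {
        $actual = $null
        $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        if ($item) { $actual = $item.($s.Name) }
        [pscustomobject]@{
            Path     = $s.Path
            Name     = $s.Name
            Expected = $s.Value
            Actual   = $actual
            Pass     = ($actual -eq $s.Value)
        }
    }
}

function Set-WorkstationBaseline {
    # Create any missing policy key and write each value as REG_DWORD.
    foreach ($s in $Baseline) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value `
                         -PropertyType DWord -Force | Out-Null
    }
}

function Lock-Workstation {
    # Same effect as Windows Key + L, for use from a script or a scheduled task.
    rundll32.exe user32.dll,LockWorkStation
}

# Usage: audit, review the failures, then apply.
Test-WorkstationBaseline | Format-Table Name, Expected, Actual, Pass -AutoSize
# Set-WorkstationBaseline
# Lock-Workstation
```

Keeping the desired state in one table and deriving both the audit and the apply step from it means the two cannot drift apart, which is the usual failure mode when a "check" script and a "fix" script are maintained separately.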
14. Best Practices to Preserve Security: Handling Email Threats
   • Don't fall prey to "social engineering"
   • Do not open email attachments unless you are expecting the email with the attachment and you trust the sender.
   • Do not click on links in emails unless you are absolutely sure of their validity.
   • REMEMBER: The most prevalent and persistent threats to your security come to you in your Inbox, even supposedly from people you may know.
   • They all have this in common: they are designed to get you to click on an item like an attachment, link or picture.
   Stop - Think - Then (maybe) Click

15. Best Practices to Preserve Security: Handling Threats from Your Browser
   • Browsing Can Be Hazardous To Your PC
   • The Common Threat: On the web, the threats come from malicious links.
   • Most of the threats come when you click on a link that launches a malicious program or re-directs you to a dangerous site.
16. Best Practices to Preserve Security: Handling Telework Threats
   • Mobile Workers: Be Careful With Your Connections
   • Assume public wireless networks are not secure
   • Use a Virtual Private Network: Allows you to launch a secure Internet connection
   • Device Encryption: Should be installed on all mobile devices that connect to company systems
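Slides 9 and 16 both require encryption on mobile devices and removable media, and slide 16 adds the rule that a public wireless network is only acceptable with a VPN. The script below is an added example, not the presenter's material: it checks both conditions on a Windows laptop using the built-in BitLocker and networking cmdlets. It assumes the BitLocker cmdlets are present (Windows 8/10/11 Pro or Enterprise) and that a VPN profile already exists; the profile name `CorpVPN` is a placeholder.

```powershell
# Added example (not the presenter's code): laptop posture check for device
# encryption (slides 9 and 16) and "public Wi-Fi only with a VPN" (slide 16).
# Assumes the BitLocker module and an existing VPN profile; 'CorpVPN' is a placeholder.

function Test-DeviceEncryption {
    # One object per BitLocker-capable volume. A volume passes only when
    # protection is On and encryption has reached 100%. Removable drives are
    # labelled separately because the slide calls out USB "thumb" drives.
    $removable = @(Get-Volume |
                   Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
                   ForEach-Object { "$($_.DriveLetter):" })
    foreach ($vol in Get-BitLockerVolume) {
        $kind = if ($removable -contains $vol.MountPoint) { 'Removable' } else { [string]$vol.VolumeType }
        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            Kind       = $kind
            Protection = [string]$vol.ProtectionStatus      # On / Off / Unknown
            Encrypted  = "$($vol.EncryptionPercentage)%"
            Method     = [string]$vol.EncryptionMethod
            Pass       = ($vol.ProtectionStatus -eq 'On' -and $vol.EncryptionPercentage -eq 100)
        }
    }
}

function Test-NetworkPosture {
    param([string]$VpnName = 'CorpVPN')   # placeholder: name of the configured VPN profile
    # Fails when any active interface sits on a Public network profile and the
    # VPN profile is not connected; passes on private/domain networks or with
    # the VPN up.
    $public = @(Get-NetConnectionProfile | Where-Object NetworkCategory -eq 'Public')
    $vpn = Get-VpnConnection -Name $VpnName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PublicNetworks = ($public.InterfaceAlias -join ', ')
        VpnProfile     = $VpnName
        VpnStatus      = if ($vpn) { [string]$vpn.ConnectionStatus } else { 'not configured' }
        Pass           = ($public.Count -eq 0) -or ($vpn -and $vpn.ConnectionStatus -eq 'Connected')
    }
}

# Usage: run before opening company data from outside the office.
Test-DeviceEncryption | Format-Table -AutoSize
Test-NetworkPosture   | Format-List
```

The encryption check reports "Protection = Off" for a volume that is encrypted but suspended (for example after a firmware update), which is the case most often missed when someone only looks at whether the drive shows a padlock icon. Encryption of data in transit by email, also on slide 9, is handled by the mail system rather than the endpoint and is outside what this script can verify.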
17. Reported Data Breaches of Not for Profit Corporations in 2014 (reported by Privacy Rights Clearinghouse)
   • Oct. 2014: Community Technology Alliance (provides tech support to non-profits in San Jose) notified individuals of a potential compromise of their personal information when an employee's laptop was stolen.
   • Sept. 2014: BayBio.org (life sciences non-profit in Bay Area) notified individuals of a data breach to their online payment system. The hacker, via an email, inserted files that captured keystrokes of visitors to their site.
   • July 2014: Central City Concern (poverty and homelessness NGO in Oregon) suffered a data breach when an unauthorized access by a former employee resulted in the breach of client data.
   • March 2014: Service Coordination Inc. (provides services to developmentally disabled in Maryland) suffered a breach involving one file which contained SSNs and medical info of 9,700 clients when someone hacked its computers.
18. New York Data Breach Law
   N.Y. St. Tech. Law §208 (applies to state agencies) and N.Y. Gen. Bus. Law §899-aa (applies to business)
   • Guarantees persons the right to know what private information was exposed during a breach, so that they can take the necessary steps to both prevent and repair any damage incurred.
   • Obligates any person or business that conducts business in NY and owns or licenses computerized data that includes private information, or any person or business that maintains such data, to notify a person whose unencrypted data was stolen.

19. New York Data Breach Law: Definition of "Private Information"
   • Personal information of a natural person (i.e., information which can be used to identify that person, such as name, email address)
   • In combination with any one or more of the following data elements:
     (1) Social security number
     (2) Driver's license or similar identification
     (3) Account number, credit/debit card number, in combination with password or security code
   • When either non-encrypted or encrypted with a data key that was also acquired
20. If you have any questions please contact me:
   David A. Menken, Smith Buss & Jacobs LLP
   733 Yonkers Avenue, Yonkers NY 10704
   914-457-4186, dmenken@sbjlaw.com