Information Security Awareness Seminar for End Users Dubai Municipality.

Date post: 24-Dec-2015
Upload: ferdinand-nelson
Transcript

Information Security Awareness Seminar

for End Users

Dubai Municipality

Presented by

Paula Chamoun and Jennifer Hsu

PricewaterhouseCoopers – Security Services

PricewaterhouseCoopers | SECURITY AWARENESS SEMINAR, MARCH 2002

Today’s Agenda

Introduction

Security Awareness Issues – Part I

Break

Security Awareness Issues – Part II

Wrap-Up Session & Game

Q & A

Introduction

Definitions

Business Objectives

Your Roles and Responsibilities

Information Security Mission

Enterprise Approach

Dubai Municipality Service Objectives

DM Objective: Provide efficient and secure services to clients, other governmental agencies, suppliers and

Service processes are changing: In order to be more efficient and user friendly, service processes are changing and depending more and more on information systems.

Changes increase risk.

Definitions

What is Risk? Risk is exposure to possible loss or injury; an internal or external force that threatens the achievement of business objectives.

What is Risk Management? The process of implementing controls to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented, detected and/or corrected.

The Case for Risk Management

SUCCESS depends upon the achievement of objectives. Achievement of objectives is driven by effective risk management. Therefore, effective risk management = SUCCESS.

Definitions

What are Information Systems? Information systems are the technology that contains all the information that is vital to an organization.

What is Information Systems Security? Information Systems Security refers to safeguarding information from unauthorized access, manipulation and misuse, and ensuring that information is available to the right person.

Protecting your house analogy

Why is Information Security important to DM? To prevent unauthorized or fraudulent transactions, manipulation or destruction of information, and unauthorized disclosure of customer or confidential information.


Enterprise Approach to Information Security

Why is Information Security so important and why are we doing this now?

DM wants to lead the way in meeting its business objectives

The E Government Implementation Project implemented, installed and configured the Web technology infrastructure for the DM.

PwC was tasked to:

– Develop the DM portal (bilingual).

– Manage the Security Work-stream.

– Re-engineer, develop and deploy 13 services.

Information Security in Layers

Internet

Routers

Portal Gateway

Portal Server

Web Server

Application Server

Content Management Server

Database Server

DNS/LDAP/Messaging

Back End Firewall

Intranet

Each layer has created another door of entry.

Information Security is Critical

PwC was also asked to assist in building a security foundation and culture at DM to help mitigate security risk:

• Security Mission Statement

• Senior Management Commitment

• Security Organization including Roles and Responsibilities

• Security Policies

• Technical Controls to assist IT in configuring technology securely (to come)

• A plan to implement and roll these out

Information Security is Critical

Information security is critical to ensuring all service processes run efficiently and safely and making sure business objectives are met.

• This presentation will focus on creating awareness of some common security risks.

• We will also focus on how to mitigate them through the policies/roles created.

Roles and Responsibilities

• Information Security is Everyone’s Job

Information security must be embedded as part of the organization’s culture. It is important that everyone, from the highest to the lowest level, shares this responsibility in order to protect and secure DM’s vital assets.

• Information Security Committee will be formed

Senior members from all units will be represented to discuss and strategize security issues:

– Head of Internal Audit

– Head of IT

– Head of Personnel

– Head of Department

Information Security Unit

Who are they? A new department within the DM organization reporting to the Director General, which will be responsible for disseminating, enforcing and monitoring security policies as well as following up on information security incidents.

All Dubai Municipality Employee Roles

Be aware of your working environment:

– How you handle information.

– The people around you.

– How you communicate.

Know and understand company security policy and procedures (developed and to be distributed):

– Read through the policy booklet.

– Make it a point to comply with policies and procedures.

Report incidents.

Roles and Responsibilities of Senior Management

Senior management is responsible for:

Protecting information at a level commensurate with its value

Delegating security responsibilities to “Information Owners” and “Information Custodians”

– To perform daily security responsibilities

Implementing security practices within new or acquired business units

Promoting security awareness to all employees

Awareness of security issues and how to mitigate them

All business units are responsible for complying with the Enterprise Security Policy and Standards.

What Does All This Mean to Me?

In order for Dubai Municipality to achieve its objectives, a team effort is required.


The Importance of Information in the Organization

Information is a vital asset to the company and must be protected.

In order to protect that data, employees will have certain responsibilities.

The following roles will provide a description of duties for data classification and information protection.


Information Owner Roles

An information owner is the manager of the business unit responsible for the creation of any data and/or the business unit directly impacted by the loss of that data.

For most situations the system owner is the information owner.


Information Owner Responsibilities

Assigning initial classification levels.

Periodic reviews to ensure classification levels meet current business needs.

Ensuring security controls are in place commensurate with the classification level.

Reviewing and ensuring current access rights.

Determining back-up requirements for the information.


Information Custodian Roles

An Information custodian is any employee, vendor, contractor, or other authorized person who has the responsibility for maintaining and/or supporting corporate information.


Information Custodian Responsibilities

Ensure that Information Owners are provided with the proper means to review current user access.

Work closely with the information owners to implement security controls commensurate with the value of the data.

Information User Roles

An information user is any employee, vendor, contractor or other authorized person who uses information in the course of their daily work.


Information User Responsibilities

Maintaining the confidentiality of your operating system and application passwords.

Reporting suspected security violations to your immediate supervisor.

Using corporate information and related resources responsibly and for authorized purposes only.


Security Issues: YOUR ROLE

WHAT YOU NEED TO DO It takes everyone to protect information.

As an employee of Dubai Municipality, you must comply with the information security policy. The Dubai Municipality information security program needs your support to be successful.


Information Security Mission Statement

Dubai Municipality’s vision is to take all necessary steps to provide the public of Dubai, employees and our partners with a secure and trustworthy information environment. Specifically, we will:

Safeguard against accidental or intentional loss of information

Prevent unauthorized manipulation or disclosure of information

Provide timely availability of information

Security Awareness Issues – Part I

PASSWORDS

INTERNET

EMAIL

UNATTENDED COMPUTER

TALKING IN PUBLIC

SOCIAL ENGINEERING

Security Issues: INTERNET

PROBLEM DESCRIPTION Information posted on the Internet can be read by anyone.

Downloaded files could contain a virus.

Accessing a hostile web site can damage data or collect passwords and other sensitive data without your knowledge.

Your activity on the Internet can and will be monitored.

Exploring non-business related web sites decreases productivity and can lead to disciplinary action.


Security Issues: INTERNET

PROBLEM EXAMPLE A US based food chain found confidential information placed on the Internet using the names of top executives and disclosing poor financial performance and possible plans for a bankruptcy filing.

Associated Press, 18/6/1999.

Security experts have identified signs that organized criminals are using trick software that lets teenage enthusiasts, known as script kiddies, attack networks for amusement. The software then secretly sends the findings of these surveys to experienced crackers.

Network Week, 16/2/1999.

Security Issues: INTERNET

PROBLEM SOLUTION

Limit non-business use of the world wide web (WWW)

The world wide web can be used for non-business use on a limited basis. Browsing sites that could be considered offensive is strictly prohibited.

Do not post business information on public forums

Never submit, discuss, or otherwise disclose information about or belonging to Dubai Municipality through any form of Internet communication, including news groups.

Do not download software from unknown sources

Software from the Internet must be properly licensed and checked for authenticity and viruses and should never be installed unless directed to do so.

These are included in DM’s newly created Policies. The plan for distributing them will be made shortly.

Security Issues: EMAIL

PROBLEM DESCRIPTION Sending information through email without encryption is like sending it on a postcard: it can be read by others.

Sending chain letters can create an enormous amount of email traffic.

Sending inappropriate or offensive material through email can offend others.

Opening or replying to an email from unknown individuals can result in more junk mail or a link to a virus.

The email application belongs to DM, therefore your email should not be thought of as private.

Security Issues: EMAIL

PROBLEM EXAMPLE An internal investigation at a US-based investment firm began after an employee complained about an offensive email message. It ended when the company fired 18 employees, allowed one to resign and disciplined 41 others.

Security Issues: EMAIL

PROBLEM SOLUTION

The primary use for email must be for business purposes

Do not use email for sending unsolicited mail.

Never send or forward chain letters

Chain letters can create a massive amount of traffic on the network in a short amount of time and are not productive in the work environment.

Never send distasteful or offensive material through email

Sending offensive material in email can offend others and can result in disciplinary action. Offensive email can be traced, you could be charged, and Dubai Municipality’s image could be damaged.

These are included in DM’s newly created Policies. The plan for distributing them will be made shortly.


Security Issues: UNATTENDED COMPUTER

PROBLEM DESCRIPTION Many computers are left unattended without password protected screen savers or without being properly logged off.

A computer that is signed on and left unattended can be used by an unauthorized individual to access data.

Your electronic ID will be recorded for any actions taken.

Your electronic ID represents YOU!

Security Issues: UNATTENDED COMPUTER

PROBLEM EXAMPLE ID Theft

Employees leave computers logged in without a password protected screen saver. This allows unauthorized users to browse sensitive information such as payroll and personnel records, financial data, product plans, and customer information.

See article “Protecting Your Assets;” The Wall Street Journal Europe, March 15-17 2002

Security Issues: UNATTENDED COMPUTER

PROBLEM SOLUTION

Use a password protected screen saver

You must change your settings to have the screen saver password launch after 10 minutes of inactivity.

Log off when you leave your workstation for an extended period

Whenever you leave for the day or an extended period you must log off the workstation completely.

Don’t log in for others using your ID and password!

Your ID is your electronic identity and allows you access to the resources you need. You are responsible for all activity done under your ID. Never allow others to work using your ID.

These are included in DM’s newly created Policies. The plan for distributing them will be made shortly.

Security Issues: PASSWORDS

PROBLEM DESCRIPTION Passwords are often easily guessed and “crackable.”

Passwords are often shared with others.

Passwords are often written down near the workstation.

Password expiration periods are usually too long, compounding the weaknesses above.

Passwords are only as good as you make them.


Security Issues: PASSWORDS

PROBLEM EXAMPLE Passwords are typically written down around the work area.

When running password crackers, the software identifies passwords that are weak and can be cracked very easily.

Security Issues: PASSWORDS

PROBLEM SOLUTION

Never tell your password to anyone

Creating a good password and keeping it secure is the key to protecting your data.

Choose an alpha-numeric password of at least 6 characters

A minimum of 6 characters, including symbols, prevents password cracking from being performed in a timely manner.

Change your password every 60 days

You must change your password every 60 days or any time you believe that it has been compromised.

Create passwords that are not easily “cracked” or “guessed”

Passwords with no vowels, but with numbers and symbols, are best. A pass phrase is a great way to create a password. For example, the password “IJ97,tho!” would make a good choice but “MEAGAN34” does not.

These are included in DM’s newly created Policies. The plan for distributing them will be made shortly.
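The password rules on this slide, written out as a small checker so they can be applied mechanically. This is an added example, not material from the seminar, from PwC or from Dubai Municipality: the constants mirror the slide's figures (6 characters, 60 days), the mixed-case rule comes from the quiz answer later in the deck, the word list is a constructed stand-in for a real dictionary, and the function names are my own. The slide's two sample passwords are used as the test inputs.

```python
"""Password policy checker (added example; not part of the seminar material).

It encodes the rules the PASSWORDS slide states: at least 6 characters,
letters plus numbers and symbols, upper and lower case, rotation every
60 days, and rejection of the "name plus digits" pattern ("MEAGAN34").
"""

from datetime import date
import string
from typing import List

MIN_LENGTH = 6          # the slide's minimum (a current policy would set this higher)
MAX_AGE_DAYS = 60       # the slide's rotation period
SYMBOLS = set(string.punctuation)
VOWELS = set("aeiou")

# Constructed stand-in for a real dictionary / name list. Assumption: a real
# deployment would load a full wordlist here instead of this handful.
COMMON_WORDS = {"meagan", "password", "dubai", "welcome", "summer", "admin"}


def check_password(password: str) -> List[str]:
    """Return the policy rules the password violates; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("contains no letters")
    if not any(c.isdigit() for c in password):
        problems.append("contains no digits")
    if not any(c in SYMBOLS for c in password):
        problems.append("contains no symbols")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        problems.append("does not mix upper and lower case")
    # "MEAGAN34" style: a dictionary word or name with digits/symbols tacked on the end.
    stem = password.lower().rstrip(string.digits + string.punctuation)
    if stem in COMMON_WORDS:
        problems.append("dictionary word or name with digits appended")
    return problems


def is_acceptable(password: str) -> bool:
    """True when the password violates none of the slide's rules."""
    return not check_password(password)


def advice(password: str) -> List[str]:
    """Non-blocking suggestions; the slide calls vowel-free passwords 'best'."""
    tips = []
    if any(c.lower() in VOWELS for c in password):
        tips.append("contains vowels; the slide recommends vowel-free passwords")
    return tips


def password_change_due(last_changed_iso: str, today_iso: str) -> bool:
    """True when the password is MAX_AGE_DAYS old or older (dates as YYYY-MM-DD)."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age.days >= MAX_AGE_DAYS


if __name__ == "__main__":
    # The slide's own examples: the first should pass, the second should fail.
    for candidate in ("IJ97,tho!", "MEAGAN34"):
        verdict = "OK" if is_acceptable(candidate) else "REJECT"
        print(f"{candidate!r}: {verdict} {check_password(candidate)} {advice(candidate)}")
    print("change due:", password_change_due("2002-01-01", "2002-03-02"))
```

The checker returns every rule a password breaks rather than a bare yes/no, which is what a help desk needs when explaining a rejection; the rotation check is kept separate because it depends on account metadata, not on the password text.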

Security Issues: TALKING IN PUBLIC

PROBLEM DESCRIPTION Discussing sensitive information in public can reveal information about employees, clients, and business transactions that is confidential.

Calls on public telephones and cellular phones are occasions when people unknowingly disclose information to unintended parties.

Security Issues: TALKING IN PUBLIC

PROBLEM SOLUTION

Don’t discuss sensitive business in public areas

Discussions held in restaurants, airports and other public places can often be overheard and you never know who is listening.

Be aware when discussing business on public phones and cellular phones

Discussions held on public and cellular telephones can be overheard and can also be tapped or intercepted.

These are included in DM’s newly created Policies. The plan for distributing them will be made shortly.

Security Issues: TALKING IN PUBLIC

PROBLEM EXAMPLE

• PwC associate revealed sensitive client information in a restaurant


What is Social Engineering?

• Acquiring information or gaining access to corporate resources from employees through deceptive techniques.

• Attackers see social engineering as phone scams and games that pit their knowledge and wits against other humans in order to gain passwords, keycards, and basic information on a system or organization.

Security Issues: SOCIAL ENGINEERING

PROBLEM EXAMPLE

“Acting” as a help desk representative to obtain a user’s password

Obtained an executive’s password through his assistant

Also refer to article “Protecting Your Assets”

Dealing with outsourced consultants


Security Issues: SOCIAL ENGINEERING

PROBLEM DESCRIPTION People often don’t notice or question the presence of strangers in the building.

Callers can drop names of people in the organization in order to gain a sense of credibility and then ask for information.

Callers can often create scenarios that sound very believable to obtain information from employees for use in unauthorized access of information.

Security Issues: SOCIAL ENGINEERING

PROBLEM SOLUTION

Question the presence of strangers in the work area

If someone is in your building and looks suspicious or out of place, question their presence and/or report the incident. Unauthorized physical access can allow someone to obtain access to sensitive information.

Always wear your ID badge

Your Dubai Municipality ID badge identifies you and must be worn at all times.

Identify the caller before providing any information

If someone calls you, make sure you know who you are talking with before providing any information. If necessary, request a telephone number and call them back. Report any suspicious activity immediately.

These are included in DM’s newly created Policies. The plan for distributing them will be made shortly.


Question

Q: What is an example of a good password?

A: Minimum of 6 characters that contains upper and lower case letters, numbers and special characters.

Break

15 minutes

Security Awareness Issues – Part II

REMOTE ACCESS

LAPTOP

VIRUS

SOFTWARE PIRACY

ORGANIZATIONAL SECURITY POLICIES

Security Issues: LAPTOP

PROBLEM DESCRIPTION The expanded use of laptops is pushing sensitive data outside the walls of the company.

The data on the laptop is usually worth much more than the laptop itself.

The portability of the laptop tends to put it into situations that are at higher risk.

Security Issues: LAPTOP

PROBLEM SOLUTION

When you travel with a laptop, don’t check it in like luggage

The laptop should never leave your physical control. If you travel, do not check your laptop with the rest of your luggage, and lock it up or put it out of sight while in a hotel.

Be careful of scams at airport security stations

The security checkpoint is a common place for laptops to be stolen due to the forced separation of you and your laptop. Do not place your laptop on the belt until the checkpoint is clear for you to walk through.

Use security devices for laptops whenever possible

Use encryption software, locking cables, and other such tools. This will help prevent the information from getting into the wrong hands.

These are included in DM’s newly created Policies. The plan for distributing them will be made shortly.

Security Issues: VIRUS

PROBLEM DESCRIPTION Incidents of virus attacks are on the rise.

Viruses can destroy not only your data but the entire company’s data.

Viruses can be found in executable files in email attachments.

Viruses can be found in macros embedded in documents.

Virus hoaxes often cause unnecessary panic.

Security Issues: VIRUS

PROBLEM EXAMPLE Computer virus and “worm” attacks on information systems caused businesses to lose a total of US$7.6 billion in the first half of 1999 as a result of disabled computers, according to the research firm Computer Economics.

Reuters, 20/6/1999.

Security Issues: VIRUS

PROBLEM SOLUTION

Verify you have anti-virus software that is up to date and protecting information in real time

It is crucial that your anti-virus software be up to date with the latest detection capability. You must enable the real-time detection function on your provided Norton software.

Don’t forward virus hoaxes

Virus hoaxes are informational email announcements that describe a new virus that doesn’t actually exist. They are full of sentences ending in exclamation marks (!) and ask you to send the email to everyone you know. An official or legitimate alert would not ask you to forward the email and would not make it sound like an emergency.

These are included in DM’s newly created Policies. The plan for distributing them will be made shortly.


Security Issues: SOFTWARE PIRACY

PROBLEM DESCRIPTION Dubai Municipality may be liable for any unlicensed software running on Dubai Municipality systems.

It is illegal to copy software unless Dubai Municipality has licensed it for that purpose.


Security Issues: SOFTWARE PIRACY

PROBLEM EXAMPLE A German court sentenced an American man to four years in prison without probation for importing illegally copied Microsoft software.

Reuters, 16/6/1999.

Almost two-fifths of all new business software applications installed world-wide in 1998 were pirated, according to a survey by Business Software Alliance and Software and Information Industry Association.

Reuters, 6/7/1999.

Security Issues: SOFTWARE PIRACY

PROBLEM SOLUTION

Do not install unlicensed software on Dubai Municipality computers

Dubai Municipality must comply with software license agreements.

Do not make unauthorized additional copies of company software

Making additional unauthorized copies of company software is illegal and can expose the company to financial losses in fines and penalties.

Unless software is part of the standard desktop, the user has the responsibility to ensure the installed software is properly licensed.

These are included in DM’s newly created Policies. The plan for distributing them will be made shortly.


Security Issues: REMOTE ACCESS

PROBLEM DESCRIPTION Dialup modems connected to a public network are very risky.

Remote access points can be vulnerable if not used properly and protected.

Automation of login procedures for remote access to Dubai Municipality’s resources creates a security exposure.

Modems create security risks that expose Dubai Municipality’s information.


Security Issues: REMOTE ACCESS

PROBLEM EXAMPLE War dialer (modem intrusion) software is freely available and can be used to identify active modem lines versus phone lines.

Security Issues: REMOTE ACCESS

PROBLEM SOLUTION

Do not stay logged on to a remote access connection when not in use

The number of Dubai Municipality remote access connections is limited. Always log off after you are done.

Do not automate the logon of a remote access connection

It is very easy to save the password or put the user ID and password into a script to log on to a system. This exposes the system if your computer should be stolen or compromised by an unauthorized user.

Do not install modems or remote control software on your system

Dial-up modems and remote control software are strictly prohibited.

These are included in DM’s newly created Policies. The plan for distributing them will be made shortly.


INCIDENT REPORTING

Users who suspect a security breach or violation of security policy must communicate their concerns to their direct supervisor immediately.

The details surrounding the incident must then be communicated to The Dubai Municipality Information Security Unit immediately.

If a virus is suspected on a system, the Help Desk should be contacted immediately for appropriate actions.

It is the user’s responsibility, with appropriate technical assistance from the Help Desk and the ISU, to ensure that the virus has been successfully removed.

The Information Security Committee will review and follow up on all reported security incidents.

Wrap-Up Session & Game

LAPTOP & VIRUSES

INTERNET & EMAIL

UNATTENDED COMPUTER & PASSWORDS

TALKING IN PUBLIC & SOCIAL ENGINEERING

REMOTE ACCESS

ORGANIZATIONAL POLICIES

GAME


Often the weak link in security is not technological…

… but HUMAN.

Q&A