Who must complete this training

Academic year: 2021

(2)

Who must complete this training

All Users: This training is required for all individuals, including contractors and vendors, with security access to sensitive or confidential systems owned by the Department for Aging and Rehabilitative Services (DARS).

New Users: Each individual must complete this training when security access is granted.

Annually: Refresher security training is required annually.

Certification: Supervisors must certify and report completion of training to their DARS system administrator or security contacts:

• FRS-Support/LTESS-EES: Donna Bonessi
• Div for the Aging: Leonard Eshmont

(3)

Accessibility

This program is designed to meet standards for accessibility for individuals with disabilities.

Class Presentation: This presentation is adapted for use in a small class or staff meeting that allows individuals to participate by listening to the narrator or reading the content directly from each slide.

• The program should be narrated directly from the slide presentation. For individuals who are deaf or hard of hearing, closed captioning is not required and interpreters are not needed unless external discussion is included.

Self-Paced: This presentation can also be used as a standalone, self-paced learning module using screen reader assistive technologies.

(4)

Learning Objectives

In this program you will review:

Policy: Review and understand current security policies that govern your use of COV and DARS systems and data.

Threats: Identify common threats to COV systems, confidential data and sensitive information.

Your Role: Understand what you can do to improve security, and how to report incidents and suspicious activities.

(5)

Section One: Overview of Cyber Security Policies

This section reviews the current scope of policies for the Commonwealth of Virginia (COV) as they relate to devices and files, logons and passwords, security updates, physical security, and protected data.

(6)

Section One-Policies: Scope of Policies

All COV agencies, contractors and vendors with access to sensitive or confidential systems are required to adhere to policies governing personally identifying data, protected health information, and sensitive data, including policies published by the Virginia Information Technology Agency (VITA).

All Users with access to COV networks and DARS systems must follow these policies.

The Information Security Access Agreement (ISAA) and Acceptable Use Policy must be signed by all

(7)

Section One-Policies: Logons and Passwords

COV requires enforcement of the following standards:

• Use of "strong passwords" which include upper case alpha, lower case alpha, numeric (0-9) and non-alphabetic characters (~ ! # $ % ^ & *) in positions 2-6.
• Passwords must be changed every 90 days.
• Passwords cannot be changed in less than 7 days, and cannot be one that was used within the last 4 changes.
• Five unsuccessful attempts will lock your account.

Tip: These are secure standards you should also apply to all of your accounts, including personal accounts.
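The standards above are stated only in prose. The following is an added example (not code from the training, from DARS or from VITA) that turns them into a checker a system owner could run against a password change or logon: complexity, the 90-day maximum age, the 7-day minimum age, the four-change history and the five-attempt lockout. It assumes positions are counted from 1 (so "positions 2-6" are Python indices 1 to 5), that the positional requirement applies to the non-alphabetic characters, and that the history rule compares against the last four passwords; plaintext strings are kept only to keep the example short, since a real system compares salted hashes.

```python
"""Checker for the COV/DARS logon standards quoted above (added example).

Assumptions, since the slide states the rules only in prose: positions are
counted from 1 (so "positions 2-6" are Python indices 1..5), the positional
requirement applies to the non-alphabetic characters, and the "last 4
changes" rule compares against the last four passwords in the history.
Plaintext strings are kept only to keep the example short; a real system
stores and compares salted hashes.
"""
import hmac
from datetime import date, timedelta

SPECIALS = set("~!#$%^&*")   # non-alphabetic characters the slide lists
MAX_AGE_DAYS = 90            # passwords must be changed every 90 days
MIN_AGE_DAYS = 7             # cannot be changed again in less than 7 days
HISTORY_DEPTH = 4            # cannot reuse a password from the last 4 changes
LOCKOUT_ATTEMPTS = 5         # five unsuccessful attempts lock the account


def strong_password_problems(pw: str) -> list[str]:
    """Return the strong-password rules that pw violates (empty list = passes)."""
    problems = []
    if not any(c.isupper() for c in pw):
        problems.append("no upper case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit (0-9)")
    if not any(c in SPECIALS for c in pw[1:6]):   # 1-based positions 2-6
        problems.append("no non-alphabetic character (~ ! # $ % ^ & *) in positions 2-6")
    return problems


def _same(a: str, b: str) -> bool:
    """Constant-time comparison so timing does not leak how much matched."""
    return hmac.compare_digest(a.encode(), b.encode())


class Account:
    """Password history, change dates and lockout state for one user."""

    def __init__(self, password: str, changed_on: date):
        problems = strong_password_problems(password)
        if problems:
            raise ValueError("; ".join(problems))
        self._history = [password]        # oldest first, current password last
        self._changed_on = changed_on
        self.failed_attempts = 0
        self.locked = False

    def password_expired(self, today: date) -> bool:
        """True once the current password is 90 or more days old."""
        return today - self._changed_on >= timedelta(days=MAX_AGE_DAYS)

    def change_password(self, new_pw: str, today: date) -> list[str]:
        """Apply the change rules; return the violations (empty list = changed)."""
        problems = strong_password_problems(new_pw)
        if today - self._changed_on < timedelta(days=MIN_AGE_DAYS):
            problems.append("changed less than 7 days ago")
        if any(_same(new_pw, old) for old in self._history[-HISTORY_DEPTH:]):
            problems.append("used within the last 4 changes")
        if problems:
            return problems
        self._history.append(new_pw)
        self._changed_on = today
        return []

    def attempt_logon(self, pw: str) -> bool:
        """Verify pw; a locked account refuses even the correct password."""
        if self.locked:
            return False
        if _same(pw, self._history[-1]):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= LOCKOUT_ATTEMPTS:
            self.locked = True        # cleared only by an administrator
        return False


if __name__ == "__main__":
    acct = Account("aB3$xyz", date(2021, 1, 1))
    print("expired on 2021-04-01:", acct.password_expired(date(2021, 4, 1)))
    print("early reuse:", acct.change_password("aB3$xyz", date(2021, 1, 3)))
    print("valid change:", acct.change_password("nE7!wpw", date(2021, 1, 10)))
```

The lockout counter resets on a successful logon and the lock is never cleared by the user, which is what makes the five-attempt limit meaningful against guessing.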

(8)

Section One-Policies: Logons/Passwords (continued)

Your Role: The policy also states that end users are responsible for enforcement of certain standards:

• Your system or browser may not be configured to remember passwords.
• Passwords will not be written down and posted in plain sight.

You may NEVER share your passwords with anyone else for any reason.

(9)

Section One-Policies: Security Updates

VITA policy mandates the following standards for security updates and patches:

• Operating systems will be protected by applying automatic security updates and patches.
• Applications are configured for automatic security updates and patches (for example, Microsoft Office, Outlook, Internet Explorer, Adobe Reader).
• Security software such as McAfee and Norton Antivirus will be kept up to date and configured for regular scans.
• Security software should be set to scan Internet pages, email, attachments, and downloads.

Your role: You should not change automatic settings or override security updates.

(10)

Section One-Policies: Devices and Files

Devices, including external digital storage devices, must be owned or approved by your organization to be connected to sensitive DARS systems.

PCs will be:

• manually locked when unattended,
• automatically locked after a period of inactivity, for example, fifteen minutes,
• set to require a password to re-activate,
• logged off overnight.

Files must be stored and backed up on your server and

(11)

Section One-Policies: Physical Security

Physical security policy requires protection of your work space, physical devices and files. You must:

• Lock or shut down your workstation when you leave your desk or leave your laptop/mobile device unattended.
• Lock sensitive paper documents and materials in a file cabinet.
• Dispose of sensitive materials appropriately.
• Never share your building access key, card or security fob.
• Always question unescorted strangers.

You must always report incidents and suspicious

(12)

Section One-Policies: Protected Data

Certain types of data are protected and regulated by the:

Social Security Administration (SSA)
• Controls the use of social security numbers (SSNs)

U.S. Department of Health and Human Services (HHS)
• Administers the Health Insurance Portability and Accountability Act (HIPAA)

Virginia Information Technology Agency (VITA)
• Responsible for the information security standards commonly referred to as "Sec 501"

Library of Virginia (LVA)
• Governs all records, including electronic files, under the authority of the "Virginia Public Records Act"

(13)

Section One-Policies: Protected Data (continued)

Types of protected data can include:

Protected Health Information (PHI)
• Data such as that contained in medical and health records; governed by HIPAA.

Personally Identifiable Information (PII)
• Includes use of Social Security Numbers (SSN) governed by the SSA, and can include the SSN in combination with other identifying information such as name, date of birth, employment, insurance, residence and telephone numbers.
• If lost, compromised, or disclosed without authorization, this information could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.

Sensitive data
• Defined as data, documents, or files which, if compromised, would have an adverse effect on the COV, your agency or organization; governed by VITA (Sec 501) and the Library of Virginia (Records Act).

(14)

Section One-Policies: Protected Data (continued)

Required Protections by Users: All PHI, PII and sensitive data must be protected by:

• Storing data and files in a secure physical environment,
• Storing files only on devices owned and approved by your organization,
• Encrypting mobile and external storage devices that contain these files, including laptops, external hard drives, USB "thumb" drives and CDs,
• Encrypting files that are "in transit", which includes files sent via email and non-secure direct file transfer.

(15)

Section One-Policies: Summary of Policies

Your role: Always be aware that COV/DARS systems are governed by security policies and regulations, and follow safe practices that are in your control.

• Do not share your access with anyone, including your passwords, keys, badges, and access codes.
• Keep your PC desktop locked when you are not using it, and lock your mobile devices in a secure location.
• Protect your files and do not send them via email or share them electronically without encryption.
• Be aware of your work area and physical surroundings and report suspicious activity.

(16)

Section Two: Common Cyber Security Threats

This section reviews common cyber security threats with suggestions on what you can do to protect

(17)

Section Two-Threats: Basic Concepts

Concept One: Electronic systems may not be secure.

• VITA and DARS, and your organization, attempt to provide protections with firewalls, electronic enforcement and monitoring systems.
• But that does not completely protect you from interacting with malicious and harmful software. You can still be targeted directly and persistently by email messages, texts, and malicious Internet links.

Concept Two: You control what you click.

• Even with all the security COV/DARS and your organization can apply, most end user threats are targeted specifically in hopes that you will go ahead and click on a harmful link, attachment, picture, video or icon in an email or web page, including social media

(18)

Section Two-Threats: Your Role

Stop! Pause before you click

Your work relies on email and Internet interactions. Take a moment and remember that each click could be potentially harmful, even if it at first appears to be from a legitimate source.

Think! Verify and Validate

You must be aware, be alert and diligent. Always look for the signs that external entities are trying to gain access to your PC and your network.

(19)

Section Two-Threats: Email Threats

Phishing, Spoofs, Hoaxes, Malware, Scams and Spam

• The most prevalent and persistent threats to your security arrive in your Inbox.
• They come by different names and may even appear legitimate and even supposedly from people you may know.

The Common Threat:

• Malicious emails appeal to your greed, your fear, your sense of humor, your curiosity, and even your compassion.
• They are designed to get you to click on an item such as an attachment, link, picture, or video.

Result:

• If you click, you may launch a harmful program or be directed to a harmful web site. You may then find your personal information compromised, and you may subject your organization's network to malicious software and possibly direct infiltration.

(20)

Section Two-Threats: Email (continued)

Stop: Do not assume that links in your email are automatically safe, especially if the link is requesting you to provide personal information.

Think: Look at all emails carefully. If you cannot identify the source and attachments as legitimate, or you cannot be sure the links are safe by looking at the actual destination web address, you can logically conclude that you should be cautious.

Click: Only after you are confident that the action is legitimate and safe.

Protect all of your email accounts.

(21)

Section Two-Threats: Internet Threats

Browsing Can Be Hazardous To Your PC

The Internet is a significant resource for business and government services. However, some of the same issues that attack email can create security issues that you need to be aware of while browsing directly on the Internet.

The Common Threat: On the web, the threats mainly come from malicious links. Most of the threats come when you click on a link, icon, picture, video, etc., that launches malicious programs or re-directs you to dangerous sites.

Result: If you click, you may then find your personal, client, and sensitive business information compromised. You may also

(22)

Section Two-Threats: Internet (continued)

Stop: Do not automatically click on Internet links until you have confidence in them. This includes pictures, videos, and navigational elements.

Think: Look at the actual address for the links in question. For instance, if the link indicates "Click Here" be sure to identify the actual destination web address before you proceed.

Look for external web addresses that are secure. The address should begin with "https://" instead of "http://".

Click: Only after you are sure the destination web site is safe.

Browse Safely
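The two checks the slide asks for, identifying the real destination behind text such as "Click Here" and confirming the address begins with "https://", can be automated over an HTML email or page. The following is an added example, not code from the training or from DARS: it pulls every link out of a constructed HTML sample, reports the actual destination host, and warns when the destination is not https or when the visible text looks like a web address that differs from where the link really goes. The hostnames in the sample are constructed placeholders.

```python
"""Report the real destination of each link in HTML (added example).

Not part of the training; SAMPLE_HTML and its hostnames are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that itself looks like a web address, with or without scheme.
HOST_LIKE = re.compile(
    r"^(?:https?://)?(?P<host>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})(?:[/:?#]\S*)?$"
)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href: str, text: str) -> dict:
    """Return the actual destination host plus the warnings the slide asks for."""
    target = urlparse(href)
    warnings = []
    if target.scheme != "https":
        warnings.append("destination is not https")
    shown = HOST_LIKE.match(text)
    # Text that displays one address while the href goes elsewhere is the
    # classic lookalike; descriptive text ("Click Here") just gets its host shown.
    if shown and shown.group("host").lower() != (target.hostname or ""):
        warnings.append(
            f"text shows {shown.group('host')} but link goes to {target.hostname}"
        )
    return {"text": text, "href": href, "host": target.hostname, "warnings": warnings}


def audit_links(html: str) -> list[dict]:
    """Run check_link over every anchor in html, in document order."""
    collector = _LinkCollector()
    collector.feed(html)
    return [check_link(href, text) for href, text in collector.links]


# Constructed sample: a plain "Click Here" link, a lookalike, and an honest address.
SAMPLE_HTML = """
<p><a href="https://www.example.gov/training">Click Here</a> to start.</p>
<p>Log in at <a href="http://example.net/login">https://secure.example.gov</a></p>
<p>See <a href="https://example.org/policy">example.org</a> for details.</p>
"""

if __name__ == "__main__":
    for result in audit_links(SAMPLE_HTML):
        print(f"{result['text']!r} -> {result['host']} {result['warnings']}")
```

The second sample link is the case the slide warns about: its visible text reads as a secure address, but the href resolves to a different host over plain http, and both facts surface as warnings before anyone clicks.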

(23)

Section Two-Threats: Social Media

Social Media can be un-sociable

• While usually relatively safe (for instance, DARS Facebook and Twitter pages), the rapid increase in social networking and collaborative sites like Facebook, LinkedIn, YouTube, and Twitter has offered new opportunities for hackers and thieves.

The Common Threat:

• It is PERSONAL! By nature these sites are personal. You may be sharing highly personal information, including information about yourself, employer and perhaps even about clients. You are communicating with others in a highly interactive, very public, and non-secure environment.

Result:

• You could find highly personal and sensitive information compromised. When visiting and using these sites always use the highest level security settings and be careful of the personal

(24)

Section Two-Threats: Social Media (continued)

Stop: before you "like," "share" or "post"

• Assume that everything you post can possibly be re-posted and used without your permission

Think: Is it secure and appropriate?

• Use the highest security and privacy settings for your personal social media accounts
• Be careful of sharing work related information and in particular do not share any information about clients or violate the mandate against dual relationships
• Be aware that malicious links, videos, and other harmful items can be posted on social networking sites
• Check to see if links posted by others are designed to take you to alternate sites that appear suspicious

Click:

• Only after you are sure the action is legitimate and appropriate and that you are not compromising your personal information or others

Be social, but also be careful, and be appropriate.

(25)

Section Two-Threats: Files

Files Require Protection and Encryption

• The business process may require sharing of information that is confidential, personally identifiable and sensitive.
• This information must be secured and maintained according to federal standards, COV security standards and Library of Virginia requirements.
• Information that is being digitally shared is termed "In Transit" and must be encrypted. This includes files that are being sent via email. If digital encryption is not available the policy allows for files to be faxed.

The Common Threat: Data Leak and Data Breach

• Unprotected files may be leaked and data may be stolen.

Result: Potential financial and legal penalties

• Data leaks and breaches may result in identity theft, financial loss, and other malicious uses. Incidents come with legal and financial implications to the COV and DARS, and to individuals.

(26)

Section Two-Threats: Files (continued)

Stop: Before you save or share a file

• Assume there is a potential for a data leak or data breach.
• Understand that sending unprotected files via email is not secure.
• Be cautious that transferring files on the Internet may also not be secure, depending on how the site is configured. For instance, https versus http.

Think: Is it Secure?

• When you are saving a file, are you storing it on a secure server, an encrypted PC or external device that is owned and approved by your organization?
• Assume that sharing any file is potentially a data leak.
• If sharing a file using email, are you able to use encryption?

Click:

• Only if you are saving the file to a secure location
• Only if you are sharing a file using encryption. If not, use fax

Share Files Securely. Report immediately all suspected data breaches and data losses

(27)

Section Two-Threats: Telework/Internet Connections

For mobile workers: be careful with your connections

• The ability to work away from the office is beneficial and flexible. But mobile workers need to take special note of the inherent risks when connected to public access points, including wireless connections. Special care should be taken when working with these connections.

The Common Threat: It is Public!

• Public access points, or Internet connections, are just that: public. All your activity is potentially exposed, especially if it is wireless.

Result: Compromised systems and data breaches

• Individuals with the knowledge and ability can take over an unprotected PC and load malicious software or steal information including passwords.

(28)

Section Two-Threats: Telework/Internet Connections (continued)

Be sure to connect securely to public access points

Virtual Private Network (VPN):

○ VPN allows you to launch a secure Internet connection so that even with a public access point, you are able to work connected securely to DARS systems, and connect to your own organization's applications and file shares with a greater level of confidence.

Device Encryption:

○ Always make sure your laptop, tablet, smart phone or other mobile device is password-protected.
○ Device encryption and anti-virus software should be installed on all mobile devices that connect to COV systems.

(29)

Section Two-Threats: Telework/Internet Connections (continued)

Stop: Check your connection

• Assume all public Internet connections are not secure, including all wireless access points.

Think: Is it Secure?

• When you are prompted to connect to a public access point, be sure you know what you are connecting to.
• It is not secure unless you connect to a public access point using VPN.

Click:

• Only if you are confident in the connection and you are using VPN.

Telework Safely!

(30)

Section Two-Threats: Reporting Incidents

Report incidents and suspicious activities, including potential data leaks and data breaches, to:

• Your Manager
• Your Organization's Security Officer
• Your DARS System Administrator or Security Contact
  ○ For ESOs (LTESS/EES): Donna Bonessi or Ella Barnes
  ○ For AAAs (NWD): Leonard Eshmont
  ○ For Videoconferencing (VTC): Joyce Haskins-McKune

(31)

Take the Cyber Security Pledge!

Print and sign the pledge on the next slide and post it as a reminder.

(32)

I, _____________________________________________ Date: _________________ PLEDGE to:

• Stop, and Think (consider appropriateness and risk) before I Click on links, attachments and other objects that connect to the Internet or launch programs.
• Take personal responsibility for security, follow my organization's security policies, and adhere to sound security practices.
• Lock my computer whenever I leave my work area.
• Safeguard portable computing equipment when I am in public places.
• Create and use strong passwords, and never share my password(s) with anyone.
• Never leave a written password (sticky note, etc.) near my computer, or easily accessible.
• Promptly report all security incidents or concerns to my organization's security officer or other appropriate contact.
• Safeguard Protected Health Information (PHI), Personally Identifiable Information (PII) and sensitive data from any inappropriate disclosure.
• Work to the best of my ability to keep my organization's staff, property and information safe and secure.
• Spread the message to my friends, co-workers and community about staying safe online.

(33)

Remember: Security is a shared responsibility.

Take the time and care every day to protect yourself, your organization, your clients, and your family.

(34)

THANK YOU

For completing the DARS Cyber Security Awareness Training.

Certification: Please register your completion with your ISO or Supervisor, and report completion of training to your DARS system administrator or contact:

• FRS-Support/LTESS-EES: Donna Bonessi
• Div for the Aging: Leonard Eshmont

(35)

References

• VITA
• OnGuardOnline.Gov: Securing your computer
• NIST: 7 Practices for Safer Computing
