Who must complete this training
All Users:
This training is required for all individuals,
including contractors and vendors, with security access to
sensitive or confidential systems owned by the Department
for Aging and Rehabilitative Services (DARS).
New Users:
Each individual must complete this training when security access is granted.
Annually:
Refresher security training is required annually.
Certification: Supervisors must certify and report
completion of training to their DARS system administrator or
security contacts:
FRS-Support/LTESS-EES: Donna Bonessi
Div for the Aging: Leonard Eshmont
Accessibility
This program is designed to meet standards for accessibility
for individuals with disabilities.
Class Presentation: This presentation is adapted for use in
a small class or staff meeting that allows individuals to
participate by listening to the narrator or reading the content
directly from each slide.
The program should be narrated directly from the slide presentation. For individuals that are deaf or hard of hearing, closed captioning is not required and interpreters are not needed unless external
discussion is included.
Self-Paced: This presentation can also be used as a
standalone, self paced learning module using screen reader
assistive technologies.
Learning Objectives
In this program you will review:
Policy:
Review and understand current security
policies that govern your use of COV and DARS
systems and data.
Threats:
Identify common threats to COV systems,
confidential data and sensitive information.
Your Role:
Understand what you can do to improve
security, and how to report incidents and suspicious
activities.
Section One:
Overview
of
Cyber Security Policies
This section reviews current scope of policies for the
Commonwealth of Virginia (COV) as they relate to
devices and files, logons and passwords, security
updates, physical security, and protected data.
Section One-Policies:
Scope of Policies
All COV agencies, contractors and vendors
with access to sensitive or confidential systems are required to
adhere to policies governing personally identifying data,
protected health information, and sensitive data, including
policies published by the Virginia Information Technology
Agency (VITA).
All Users with access to COV networks and DARS systems
must follow these policies.
The
I
nformation
S
ecurity
A
ccess
A
greement (
ISAA
)
and Acceptable Use Policy
must be signed by all
Section One-Policies:
Logons and Passwords
COV requires enforcement or the following standards
Use of “strong passwords” which include upper case alpha,
lower case alpha, numeric (0-9) and non-alphabetic characters
(~ ! # $ % ^ & *) in positions 2-6.
Passwords must be changed every 90 days.
Passwords cannot be changed in less than 7 days.
and cannot have been used within last 4 changes.
Five unsuccessful attempts will lock your account.
Tip: These are secure standards you should also apply
to all of your accounts, including personal accounts.
Section One-Policies:
Logons/Passwords
(continued)
Your Role:
The policy also states that end users are
responsible for enforcement of certain standards:
Your system or browser may not be configured to remember passwords.
Passwords will not be written down and posted in plain sight.
You may NEVER share your passwords with anyone
else for any reason.
Section One-Policies:
Security Updates
VITA policy mandates the following standards for
security updates and patches:
Operating systems will be protected by applying automatic
security updates and patches.
Applications are configured for automatic security updates and
patches (
For example, for Microsoft Office, Outlook, InternetExplorer, Adobe Reader).
Security Software such as McAfee and Norton Antivirus will be
kept up to date and configured for regular scans.
Security software should be set to scan Internet pages, email,
attachments, and downloads.
Your role:
You should not change automatic settings
or over-ride security updates.
Section One-Policies:
Devices and Files
Devices, including external digital storage devices, must be
owned or approved by your organization to be connected to
sensitive DARS systems.
PC’s will be
manually locked when unattended,
automatically locked after a period of inactivity, for example, fifteen minutes,
set to require a password to re-activate,
logged off overnight.
Files must be stored and backed up on your server and
Section One-Policies:
Physical Security
Physical security policy requires protection of your
work space
,
physical devices
and
files
. You must:
Lock or shut down your workstation when you leave your desk
or leave your laptop/mobile device unattended.
Lock sensitive paper documents and materials in a file cabinet.
Dispose of sensitive materials appropriately.
Never share your building access key, card or security fob.
Always question unescorted strangers.
You must always report incidents and suspicious
Section One-Policies:
Protected Data
Certain types of data are protected and regulated by the:
Social Security Administration (SSA)
Controls the use of social security numbers (SSN’s)
U.S Department of Health and Human Services (HHS)
Administers the Health Insurance Portability and Accountability Act (HIPAA)
Virginia Information Technology Agency (VITA)
Responsible for the information security standards commonly referred to as “Sec 501”
Library of Virginia (LVA)
Governs all records, including electronic files, under the authority of the “Virginia Public Records Act”)
Section One-Policies:
Protected Data
(continued)Types of protected data can include:
P
rotected
H
ealth
I
nformation
(PHI)
Such as data contained in medical and health records and is governed by HIPAA.
P
ersonally
I
dentifiable
I
nformation
(PII)
Includes use of Social Security Numbers (SSN) governed by the SSA, and can include the SSN in combination with other identifying
information such as name, date of birth, employment, insurance, residence and telephone numbers.
If lost, compromised, or disclosed without authorization, this information could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.
Sensitive data
Defined as data, documents, or files which, if compromised, would have an adverse effect on the COV, your agency or organization, and is governed by VITA (Sec 501) and the Library of Virginia (Records Act).
Section One-Policies:
Protected Data
(continued)Required Protections by Users:
All PHI, PII and sensitive
data must be protected by:
Storing data and files in a
secure physical environment,
Storing files only on
devices owned and approved by your
organization,
Encrypting mobile and external storage devices
that
contain these files, including laptops, external hard drives,
USB “thumb” drives and CD’s.
Encrypting files that are “in transit”
which includes files sent
via email and non-secure direct file transfer.
Section One-Policies:
Summary of Policies
Your role:
Always be aware that COV/DARS systems are
governed by security policies and regulations, and follow safe
practices that are in your control.
Do not share your access
with anyone, including your
passwords, keys, badges, and access codes.
Keep your PC desktop locked
when you are not using it,
and lock your mobile devices in a secure location.
Protect your files
and do not send them via email or share
them electronically without encryption.
Be aware of your work area
and physical surroundings
and report suspicious activity.
Section Two:
Common Cyber Security Threats
This section reviews common cyber security threats
with suggestions on what you can do to protect
Section Two-Threats:
Basic Concepts
Concept One: Electronic systems may not be secure.
VITA and DARS, and your organization attempt to provide
protections with firewalls, electronic enforcement and monitoring systems.
But that does not completely protect you from interacting with malicious and harmful software. You can still be targeted directly and persistently by email messages, texts, and malicious Internet links.
Concept Two: You control what you click.
Even with all the security COV/DARS and your organization can apply, most end user threats are targeted specifically in hopes that you will go ahead and click on a harmful link, attachment, picture, video or icon in an email or web page, including social media
Section Two-Threats:
Your Role
Stop!
Pause before you click
Your work relies on email and Internet interactions. Take a
moment and remember that each click could be potentially
harmful. Even if it at first appears to be from a legitimate
source.
Think!
Verify and Validate
You must be aware, be alert and diligent. Always look for the
signs that external entities are trying to gain access to your PC
and your network.
Section Two-Threats:
Email Threats
Phishing, Spoofs, Hoaxes, Malware, Scams and Spam
The most prevalent and persistent threats to your security arrive in your Inbox.
They come by different names and may even appear legitimate and even supposedly from people you may know.
The Common Threat:
Malicious emails appeal to your greed, your fear, your sense of humor, your curiosity, and even your compassion.
They are designed to get you to click on an item such as an attachment, link, picture, or video.
Result:
If you click, you may launch a harmful program or be directed to a harmful web site. You may then find your personal information
compromised, and you may subject your organization’s network to malicious software and possibly direct infiltration.
Section Two-Threats:
Stop:
Do not assume that links in your email are automatically safe,
Especially if the link is requesting you to provide personal
information.
Think:
Look at all emails carefully. If you cannot identify the source
and attachments as legitimate, or you cannot be sure the links
are safe by looking at the actual destination web address, you
can logically conclude that you should be cautious.
Click:
Only after you are confident that the action is legitimate and
safe.
Protect all of your email accounts.
Section Two-Threats:
Internet Threats
Browsing Can Hazardous To Your PC
The Internet is a significant resource for business and
government services.
However, some of the same issues that attack email can
create security issues that you need to be aware of while
browsing directly on the Internet.
The Common Threat:
On the web, the threats mainly come from malicious links.
Most of the threats come when you click on a link, icon,
picture, video, etc., that launch malicious programs or re-direct
you to dangerous sites.
Result:
If you click, you may then find your personal, client, and
sensitive business information compromised. You may also
Section Two-Threats:
Internet
(continued)
Stop:
Do not automatically click on Internet links until you have
confidence in them. This includes pictures, videos, and
navigational elements.
Think:
Look at the actual address
for the links in question. For
instance if the link indicates “Click Here” be sure to identify the
actual destination web address before you proceed.
Look for external web addresses that are secure. The address
should begin with “http
s
://” instead of “http://”
Click:
Only after you are sure the destination web site is safe.
Browse Safely
Section Two-Threats:
Social Media
Social Media can be un-sociable
While usually relatively safe (for instance, DARS Face Book and Twitter pages) the rapid increase in social networking and
collaborative sites like Face Book, LinkedIn, You Tube, and Twitter have offered new opportunities for hackers and thieves.
The Common Threat:
It is PERSONAL! By nature these sites are personal. You may be sharing highly personal information, including information about yourself, employer and perhaps even about clients. You are
communicating with others in a highly interactive, very public, and non-secure environment.
Result:
You could find highly personal and sensitive information
compromised. When visiting and using these sites always use the highest level security settings and be careful of the personal
Section Two-Threats:
Social Media
(continued)
Stop
: before you, “like,” “share” or “post”
Assume that everything you post can possibly be re-posted and used without your permission
Think: Is it secure and appropriate?
Use the highest security and privacy settings for your personal social media accounts
Be careful of sharing work related information and in particular do not share any information about clients or violate the mandate against dual relationships
Be aware that malicious links, videos, and other harmful items can be posted on social networking sites
Check to see if links posted by others are designed to take you to alternate sites that appear suspicious
Click
:
Only after you are sure the action is legitimate and appropriate and that you are not compromising your personal information or others
Be social, but also be careful, and be appropriate.
Section Two-Threats:
Files
Files Require Protection and Encryption
The business process may require sharing of information that is confidential, personally identifiable and sensitive.
This information must be secured and maintained according to federal standards, COV security standards and Library of Virginia
requirements.
Information that is being digitally shared is termed “In Transit” and must be encrypted. This includes files that are being sent via email. If digital encryption is not available the policy allows for files to be faxed.
The Common Threat: Data Leak and Data Breach
Unprotected files may be leaked and data may be stolen.
Result: Potential financial and legal penalties
Data leaks and breaches may result in identity theft, financial loss, and other malicious uses. Incidents come with legal and financial implications to the COV and DARS, and to individuals.
Section Two-Threats:
Files
(continued)
Stop
: Before you save or share a file
Assume there is a potential for a data leak or data breach.
Understand that sending unprotected files via email is not secure.
Be cautious that transferring files on the Internet may also not be secure, depending on how the site is configured. For instance, https versus http.
Think: Is it Secure?
When you are saving a file, are you storing it on a secure server , an
encrypted PC or external device that is owned and approved by your organization?
Assume that sharing any file is potentially a data leak.
If sharing a file using email, are you able to use encryption?
Click
:
Only if you are saving the file to a secure location
Only if you are sharing a file using encryption. If not, use fax
Share Files Securely. Report immediately
all suspected data breaches and data losses
Section Two-Threats:
Telework/Internet Connections
For mobile workers: be careful with your connections
The ability to work away from the office is beneficial and flexible. But mobile workers need take special note of the inherent risks when connected to public access points including wireless connections. Special care should taken when working with these connectopms.
The Common Threat: It is Public!
Public access points, or Internet connections, are just that: Public. All your activity is potentially exposed. Especially if it is wireless.
Result: Compromised systems and data breaches
Individuals with the knowledge and ability can take over an
unprotected PC and load malicious software or steal information including passwords.
Section Two-Threats
:
Telework/Internet Connections
(continued)
Be sure to connect securely to public access points
Virtual Private Network (VPN):
○ VPN allows you to launch a secure Internet connection so that even with a public access point, you are able to work connected securely to DARS systems, connect to your own organization’s applications and file shares with a greater level of confidence.
Device Encryption:
○ Always make sure your Laptop, Tablet Smart Phone or other mobile device is password-protected.
○ Device encryption and anti-virus software should be installed on all mobile devices that connect to COV systems.
Section Two-Threats :
Telework/Internet Connections
(continued)
Stop: Check your connection
Assume all public Internet connections are not secure, including all wireless access points.
Think: Is it Secure?
When you are prompted to connect to a public access point, be sure you know what you are connecting to.
It is not secure unless you connect to a public access point using VPN.
Click:
Only if you are confident in the connection and you are using VPN.
Telework Safely!
Section Two-Threats :
Reporting Incidents
Report incidents and suspicious activities including
potential data leaks and data breaches to:
Your
Manager
Your Organization’s
Security Officer
Your
DARS System Administrator
or Security
Contact
○ For ESO’s (LTESS/EES):
-
Donna Bonessi or Ella Barnes
○ For AAA’s (NWD):
-
Leonard Eshmont
○ For Videoconferencing (VTC):
-
Joyce Haskins-McKune
Take the
Cyber Security Pledge!
Print and sign the pledge on the next slide
and post it as a reminder.
I, _____________________________________________ Date: _________________ PLEDGE to:
Stop, and Think (consider appropriateness and risk) before I Click on links, attachments and other objects that connect to the Internet or launch
programs.
Take personal responsibility for security, follow my organization’s security policies, and adhere to sound security practices.
Lock my computer whenever I leave my work area.
Safeguard portable computing equipment when I am in public places.
Create and use strong passwords, and never share my password(s) with anyone.
Never leave a written password (sticky note, etc.) near my computer, or easily accessible.
Promptly report all security incidents or concerns to my organization’s security officer or other appropriate contact.
Safeguard Protected Health Information (PHI), Personally Identifiable Information (PII) and sensitive data from any inappropriate disclosure.
Work to the best of my ability to keep my organization’s staff, property and information safe and secure.
Spread the message to my friends, co-workers and community about staying safe online
Remember:
Security is a shared responsibility.
Take the time and care every day
to protect yourself,
your organization,
your clients,
and your family,
THANK YOU
For completing the DARS Cyber Security
Awareness Training.
Certification:
Please register your completion with your ISO or
Supervisor
And report completion of training to your DARS
system administrator or contact.
FRS-Support/LTESS-EES: Donna Bonessi
Div for the Aging: Leonard Eshmont
VITA
OnGuardOnline.Gov: Securing your computer:
NIST: 7 Practices for Safer Computing