VIRUSES
Viruses are frequently transmitted by e-mail. Some telltale signs of an infected message are:
- Expressions of love
- Here's that file you wanted
- Pornography
- Games or screensavers
Some virus messages are actually hoaxes that advise you to delete critical files or to download infected software from a web site. A virus can also send e-mail from a friend's or coworker's infected system, effectively impersonating them, so a message that appears to come from someone you know is not necessarily safe.
Delete suspicious e-mail. When in doubt, ask whether the message has a legitimate business purpose. Do not open an attachment unless the rest of the message gives you a good reason to expect it.
Anti-virus software uses stored virus definitions to detect and quarantine viruses. Definitions must be kept up to date; a scanner cannot recognize a virus released after its last definition update.
WORKSTATION SECURITY
An unlocked, unattended workstation violates security policy and lets anyone who walks by act under your account.
Always lock your workstation before leaving your desk:
- Press Ctrl + Alt + Del, then click "Lock Computer"
- Or press the Windows key + L
Either method closes the window of vulnerability while the system is unattended. Unlock it by entering your login ID and password.
TRUST YOUR INSTINCTS
When a security incident is investigated, it is often discovered that people knew or suspected that something was wrong before the incident was reported.
From time to time someone will raise a false alarm, and that's OK. It happens to security professionals occasionally and is to be expected.
Trust your instincts and use your best judgment. When you call to report an incident, provide as much detail as possible. The security group does not bite. ;-)
PASSWORDS
Hackers use software and word lists to automate password guessing. Source materials include dictionary files and lists of common names, characters, movies, etc. With these tools a weak password can be recovered in under an hour.
Per company policy, passwords must be at least 8 characters long and contain characters from at least 3 of the following 4 classes:
- Upper case
- Lower case
- Numeric characters
- Special characters (e.g. * ! @ &)
The following password elements are prohibited:
- Common elements (e.g. words, names, sports teams, movies, shows, bands, songs)
- Elements relating to the user (e.g. user id, graduation year, birthday, phone number, SSN, pet's name)
- Keyboard patterns (e.g. 1q2w3e4r)
- Passwords that repeat a previous one with a small change (e.g. ah*fJDS1, then ah*fJDS2)
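To make these rules concrete, here is an added Python checker written for this page (it is not company software) that implements the length and character-class requirement and the four prohibited elements above: common words, user-related information, keyboard patterns, and a new password that only increments the previous one. The common-word list, the QWERTY row table and the sample user profile are constructed for the example; a real deployment would load the same dictionary and name lists an attacker uses.

```python
import string

# Constructed stand-ins for the lists an attacker feeds a cracker (dictionary
# files, common names, teams, movies). A real checker loads the full lists.
COMMON_WORDS = {"password", "welcome", "summer", "winter", "football",
                "dragon", "letmein", "monkey", "baseball", "starwars"}

# QWERTY rows, used to spot keyboard walks such as asdfg, 0987 or 1q2w3e4r.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
SPECIALS = set(string.punctuation)
MIN_LENGTH, MIN_CLASSES = 8, 3


def character_classes(pw):
    """Return the set of character classes present in pw."""
    classes = set()
    for ch in pw:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in SPECIALS:
            classes.add("special")
    return classes


def _row_run(s):
    """True if s (lower-case) is a run of adjacent keys on one row, either direction."""
    return any(s in row or s[::-1] in row for row in KEYBOARD_ROWS)


def keyboard_walk(pw, run=4, zigzag=3):
    """True if pw contains `run` adjacent keys on one row (qwer, 7890) or a
    zig-zag between two rows with `zigzag` keys on each (1q2w3e)."""
    low = pw.lower()
    if any(_row_run(low[i:i + run]) for i in range(len(low) - run + 1)):
        return True
    width = 2 * zigzag
    for i in range(len(low) - width + 1):
        window = low[i:i + width]
        if _row_run(window[0::2]) and _row_run(window[1::2]):
            return True
    return False


def contains_common_word(pw):
    """Return the first common word found inside pw, or None."""
    low = pw.lower()
    return next((w for w in COMMON_WORDS if w in low), None)


def user_related(pw, profile):
    """True if pw contains the user id, a name, or any 4-digit window of a
    date/number (birthday, phone, SSN) from the user's profile."""
    low = pw.lower()
    for value in (profile or {}).values():
        value = str(value).lower()
        digits = "".join(ch for ch in value if ch.isdigit())
        if len(digits) >= 4 and any(digits[i:i + 4] in low for i in range(len(digits) - 3)):
            return True
        if not value.isdigit() and len(value) >= 3 and value in low:
            return True
    return False


def repeats_previous(pw, previous):
    """True if pw is the previous password with only a trailing counter changed
    (ah*fJDS1 -> ah*fJDS2) or differs from it in at most one position."""
    if previous is None:
        return False
    stem_new, stem_old = (s.rstrip(string.digits).lower() for s in (pw, previous))
    if stem_new and stem_new == stem_old:
        return True
    return len(pw) == len(previous) and sum(a != b for a, b in zip(pw, previous)) <= 1


def check_password(pw, profile=None, previous=None):
    """Return the list of policy violations; an empty list means pw passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(pw)
    if len(classes) < MIN_CLASSES:
        problems.append(f"only {len(classes)} of 4 character classes")
    word = contains_common_word(pw)
    if word:
        problems.append(f"contains common word '{word}'")
    if user_related(pw, profile):
        problems.append("contains user-related information")
    if keyboard_walk(pw):
        problems.append("keyboard pattern")
    if repeats_previous(pw, previous):
        problems.append("repeats the previous password with a minor change")
    return problems


if __name__ == "__main__":
    # Constructed user profile and candidate passwords for the demo.
    profile = {"user_id": "jsmith", "birthday": "1984-03-15", "phone": "555-123-4567"}
    for candidate in ("1q2w3e4r", "Summer2024!", "jSmith#0315", "ah*fJDS2", "Tr0ub4dor&3"):
        print(f"{candidate:<14} {check_password(candidate, profile, previous='ah*fJDS1') or 'OK'}")
```

The keyboard check is deliberately strict: any four adjacent keys count, so "erty" inside "Liberty" is flagged as a walk; raise `run` if that proves too aggressive for your users. The previous-password comparison needs the old password in clear, so run it at change time while both are in hand, never against stored hashes.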
The following practices are prohibited:
- Recording user ids or passwords on paper
- Group accounts or shared passwords (a password identifies one user to a system; sharing it destroys that accountability)
- Distribution of passwords by e-mail or other insecure methods (e.g. fax)
- Use of the same password on multiple systems
Before giving anyone a password, positively identify the person and confirm their need to know. Examples include:
- Confirmation by employee ID
- Checking driver’s license against the company directory
- Calling back at the number listed in the directory
- Confirmation with a supervisor
- Confirmation with human resources
Passwords should be stored in password management software (e.g. eWallet or Password Safe).
Change your password at least every 6 months and whenever you suspect it has been compromised.
The help desk will not ask for your password. Report any attempts to obtain it to the security group.
CONTINUITY
Continuity is a key component of the success of any business, and single points of failure are a threat to it. A business depends on its employees to complete their duties, on a reliable supply of goods and services, and on highly available phone and IT systems. Every employee has a part in continuity.
PERSONNEL CONTINUITY
Each critical function must have a primary and an alternate formally assigned. Document mission-essential procedures thoroughly, update the documentation routinely, and mark it with the date of last revision.
RESOURCE CONTINUITY
Each department should identify the goods and services required to fulfill its mission and verify that external providers can keep delivering through equipment failure, supply chain problems, and emergencies such as natural disasters or terrorism. Where necessary, make legally binding backup agreements with separate providers.
PLANNING
Business continuity and disaster recovery require comprehensive plans, and each department must contribute to them. Off-site storage and alternate work sites with phones and IT systems are also required. Verify your organization's preparedness by testing the plans at least annually.
CLEAN DESK POLICY
Office space is frequented by visitors, consultants, vendors, cleaning crews, maintenance staff and fellow employees, so it is crucial to protect sensitive information from disclosure.
Keep your workspace neat; if it is messy, you may not notice when something is missing. Throughout the day:
- Lock sensitive documents and computer media in drawers or filing cabinets
- Physically secure laptops with security cables
- Lock your workstation before walking away (Ctrl + Alt + Del, or Windows key + L)
At the end of the day, take a moment to:
- Tidy up and secure sensitive material
- Lock drawers, file cabinets and offices
- Secure expensive equipment (laptops, PDAs, etc.)
DESTRUCTION OF SENSITIVE MATERIALS
Hackers and industrial spies have long used "dumpster diving" as a method for gathering sensitive information. Sensitive materials must be thoroughly sanitized before being discarded.
PAPER
Paper containing sensitive information must be shredded. Use high quality cross-cut shredders that cut paper into fine pieces, and place shredders in common areas. Personal shredders should be purchased for employees who work daily with sensitive information. (Some clients have a "no paper, no writing instruments" rule, meaning there must be absolutely no paper, pens, markers, etc. on the production floor. Violations can result in a written warning, up to termination of employment.)
CD-ROMS
CD-ROMs should be fed through a CD-ROM shredder. Snapping a CD-ROM in half is an alternative, but breaking one can send shards of plastic flying and the sharp edges can cut, so a shredder is the better solution.
MAGNETIC MEDIA
Floppy disks and backup tapes should be opened and the media cut into small pieces. Hard drives should be overwritten 3 times with zeros and ones. Magnetic media containing extremely sensitive material should be sanitized with the magnetic field of a degausser (note that a degaussed hard drive is no longer usable). Degaussers can be expensive; as an alternative, disassemble each hard drive and sand the surface of its platters.
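For the three-pass overwrite, here is an added Python example (not the page's or any vendor's tool) that writes zeros, then ones, then zeros over every byte of a file or raw block device, fsyncs after each pass so the data reaches the platters before the next pass starts, and reads the medium back to confirm each pass landed. The demo runs on a constructed temp file standing in for a drive; the device path /dev/sdX in the comments is an assumption about where you would point it.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # work in 1 MiB pieces so a large drive never has to fit in RAM


def verify_pass(path, value):
    """Read the whole medium back and confirm every byte equals `value`."""
    expected = bytes([value]) * CHUNK
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk != expected[:len(chunk)]:
                return False
    return True


def overwrite_passes(path, patterns=(0x00, 0xFF, 0x00)):
    """Overwrite every byte of `path` (a file, or a raw device such as the
    assumed /dev/sdX) once per pattern, fsync after each pass, and verify each
    pass by reading the medium back. Returns [(pattern, verified), ...]."""
    results = []
    fd = os.open(path, os.O_WRONLY)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)  # st_size is 0 for block devices
        for value in patterns:
            os.lseek(fd, 0, os.SEEK_SET)
            block = bytes([value]) * CHUNK
            remaining = size
            while remaining > 0:
                # os.write may write less than asked; the pattern is uniform,
                # so simply continue from the current offset.
                remaining -= os.write(fd, block[:min(CHUNK, remaining)])
            os.fsync(fd)  # force the pass onto the medium before the next one
            results.append((value, verify_pass(path, value)))
    finally:
        os.close(fd)
    return results


def demo(size):
    """Constructed stand-in for a real drive: a temp file holding `size` bytes
    of 'sensitive' data, sanitized with the three passes above."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        payload = b"TOP SECRET customer list\n"
        tmp.write((payload * (size // len(payload) + 1))[:size])
        path = tmp.name
    try:
        return overwrite_passes(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for value, ok in demo(3 * CHUNK + 17):
        print(f"pass 0x{value:02X}: {'verified' if ok else 'FAILED'}")
```

Overwriting reaches only the sectors the drive still presents to the operating system; sectors the drive has silently remapped as bad, and flash-based drives that remap writes internally, are not sanitized this way. That is why the degausser or physical destruction described above remains the fallback for extremely sensitive material.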
PHOTOGRAPHY
Photography has always been a threat to information security. Spy films show how easy it is to use a small camera to swipe confidential information: in a moment of opportunity a picture can be taken with no one the wiser. With digital cameras the size of a pack of cigarettes and cameras built into cell phones, it is easier than ever to slip a camera in unnoticed.
In some cases visitors have stolen intellectual property by taking pictures on escorted tours. Visitors must never be permitted to take photographs. Do not leave visitors alone with sensitive materials, even for a moment.
Challenge anyone taking pictures in an unusual situation by asking "May I help you?" and following up with something like "What are the pictures for?". Immediately report any suspicious activity to the security group.
BACKUP YOUR DATA
Files stored only on your workstation are not backed up and will be lost if the hardware fails. This includes the entire C drive, your desktop included.
Store files on your personal network drive (the X drive), which is backed up nightly. Keeping files on the X drive also makes it quick to replace your workstation for hardware and operating system upgrades.
PERSONAL TELEPHONE CALLS/CELL PHONES
The Company's primary method of communication with its customers and business associates is its telephone system, so use of the telephone system must be limited to Company business. Accordingly, Company telephones should not be used for personal calls, and except in an emergency employees are asked to discourage friends and relatives from calling them at work. Personal calls should be made only during lunch or break periods, and personal long-distance calls should be collect or charged to the employee's personal credit card.
The Company is aware that employees use their personal or Company-supplied cellular phones for business purposes. At the same time, cell phones are a distraction and a security risk in the workplace. Camera phones in particular can expose the Company to violations of client contracts and can compromise customer information, trade secrets, or the privacy of other employees.
To ensure workplace effectiveness, employees are asked to keep personal cell phones in vibrate or silent mode while in the facility. Personal cell phones may be answered only in designated areas within the building, such as break rooms. Agents should check with their supervisor before leaving the calling floor to answer a personal cell phone. Use of a personal cell phone on the calling floor, including texting or charging the device, is subject to corrective action up to and including termination.