DSHS Information Technology Security Awareness Training

SECURITY AWARENESS TRAINING FOR DSHS CONTRACTORS

Welcome to IT Security

We are pleased to offer the DSHS Information Technology (IT) Security Awareness Training course. We know your time will be well spent, and will benefit the department and our customers. All DSHS employees and contractors are required to take this course annually. To get credit for completing this course, you will need to notify your supervisor, human resources, or trainer once completed. There is no audio narration in the course. This course should take between 20 and 45 minutes to finish. Thank you.

Your security responsibilities start here...

Lesson 1: Introduction to Security Awareness

Any DSHS employee or contractor may have access to information that needs to be protected. We are each responsible for its safekeeping. This course shows why and how each of us can protect and preserve DSHS information and information systems on a daily basis as we work.

Security Importance

Why is security important to DSHS? Various state and federal laws and regulations hold DSHS accountable for protecting information about its clients and employees. Violation of this trust can result in lawsuits and sanctions in the millions of dollars.

Why is security important to you? You are responsible for safeguarding DSHS information and the computer systems entrusted to your care. Unauthorized disclosure of the department's information, or inappropriate use of the computer systems, may result in disciplinary action up to and including fines and/or cancellation of your contract.

Yes, there will be a quiz!

Each lesson includes a series of questions. The questions are presented in multiple-choice, True/False, or Yes/No format. Each question has one best answer. To keep score, note your selection for each question on a separate sheet numbered 1-12 and count the number of correct selections you make. Please answer the sample question on the next page.

Lesson 1 Quiz

1) Why is IT Security important to me?
- IT Security is already built within the system.
- IT Security is someone else's job.
- IT Security is not my problem.
- IT Security is my daily obligation.

Answer: IT Security is my daily obligation. You are the initial point of entry for most viruses, malware, etc., so you must remain diligent.

Lesson 2: Bogus Messages

You may have seen bogus email messages (sometimes called spam or phishing messages) or bogus pop-up messages. They are designed to get you to click a link and/or provide information such as a password. Clicking could also infect your computer with a virus.

Common Questions

How can I tell if a message is bogus? If I am not sure, who should I ask? If it is bogus, who should I tell?

How Can I Tell?

It is not always easy to tell, but here are some simple tips.

1. Read carefully any message that asks you to click a link, or to enter a password.

2. Is it an email that appears to come from someone you know? Would he or she normally send you a message like this?

3. Pop-ups or windows: Do you routinely see messages like this one? If not, have your computer support staff told you to expect a message like this one? Were you on a non-DSHS web site when the message appeared? Does the message contain grammatical errors?

Who Should I Ask?

If in doubt, talk to your supervisor, help desk, or computer support staff.

Who Should I Tell?

If you know a message is bogus, attach the original bogus email message to a new message and send it to your computer support staff. Attaching the original (rather than forwarding its text inline) preserves the message headers that support staff use to trace where it really came from.
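Most of the questions above are judgement calls, but the mechanical parts (does the message ask for a password, is the sender's address really from DSHS, does a link's visible text point somewhere other than its real destination) can be screened automatically. The following is an added example and is not part of the DSHS course or any DSHS tool: the two messages are constructed for illustration, and the expected domain dshs.wa.gov, the indicator names and the function screen_message are assumptions.

```python
"""Heuristic screen for bogus e-mail, following the Lesson 2 questions.

Added example: not part of the DSHS course and not a DSHS tool. The two
sample messages, the expected-domain set and the indicator names are
assumptions made for illustration.
"""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_DOMAINS = {"dshs.wa.gov"}  # assumed: where genuine DSHS mail comes from

# Tip 1: a message that asks you to enter a password or "verify" something.
CREDENTIAL_WORDS = re.compile(
    r"\b(password|verify your account|confirm your (account|identity)|log ?in (here|now))\b",
    re.IGNORECASE,
)

# Constructed sample: the kind of lookalike message Lesson 2 warns about.
BOGUS_EML = """\
From: "DSHS Help Desk" <helpdesk@dshs-account-verify.example>
Reply-To: recovery@mail-relay.example
To: contractor@dshs.wa.gov
Subject: Action required: your password expires today
Content-Type: text/html; charset="utf-8"

<p>Your network password expires today. Click
<a href="http://dshs-account-verify.example/login">https://secure.dshs.wa.gov/login</a>
to verify your account within 24 hours.</p>
"""

# Constructed sample: an ordinary internal notice with nothing to flag.
ORDINARY_EML = """\
From: "DSHS Help Desk" <helpdesk@dshs.wa.gov>
To: contractor@dshs.wa.gov
Subject: Reminder: security awareness training due
Content-Type: text/plain; charset="utf-8"

The annual security awareness course is due by the end of the month.
Tell your supervisor when you have finished it.
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def in_expected_domain(host):
    """True if host is an expected domain or a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)


def host_of(text):
    """Hostname of a URL or bare domain name; empty string if it has none."""
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname or ""


def screen_message(raw):
    """Return the sorted list of Lesson 2 indicators that a raw message triggers."""
    msg = message_from_string(raw, policy=policy.default)
    findings = set()

    senders = msg["From"].addresses if msg["From"] else ()
    sender = senders[0] if senders else None
    # Tip 2: it claims to be DSHS, but the address is not a DSHS address.
    if sender and "dshs" in sender.display_name.lower() and not in_expected_domain(sender.domain):
        findings.add("claims_dshs_but_sent_from_outside_domain")

    replies = msg["Reply-To"].addresses if msg["Reply-To"] else ()
    if sender and replies and replies[0].domain.lower() != sender.domain.lower():
        findings.add("reply_to_differs_from_sender")

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if CREDENTIAL_WORDS.search(content):
        findings.add("asks_for_password_or_login")  # tip 1

    if body is not None and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(content)
        links = collector.links
    else:  # plain text: the visible text is the link itself
        links = [(u, u) for u in re.findall(r"https?://\S+", content)]

    for href, text in links:
        if href and not in_expected_domain(host_of(href)):
            findings.add("links_outside_expected_domains")
        # Visible text that looks like an address but leads somewhere else.
        if "." in text and " " not in text and host_of(text) != host_of(href):
            findings.add("link_text_hides_real_destination")
    return sorted(findings)
```

Attaching the original message, as the lesson says, keeps the From and Reply-To headers that the first two checks rely on; forwarding the text inline strips them. None of these indicators proves a message is bogus on its own, which is why the lesson still sends you to your supervisor or help desk when in doubt.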

Conclusion

Read messages carefully. If in doubt, talk to your supervisor, help desk, or computer support staff.

Lesson 2 Quiz

2) What things should I look for to determine if an email message could be bogus?
- If it asks me to click a link or enter a password, read it carefully.
- Does it appear to come from someone I know, and would he or she normally send a message like this?
- All of the above

Answer: All of the above. Make certain the email looks and reads as genuine. NEVER send your password or enter personal information at a link. DSHS will never ask for this information via email.

3) If I am not sure whether a message is bogus, I should talk to my supervisor, help desk, or computer support staff.

- True
- False

Answer: True. If you have any question about an email, contact your local IT help person or your supervisor.

Lesson 3: Protecting Information

This lesson explains how you can protect DSHS information, and why protecting DSHS information is so important.

Why Protect Information?

[Image: sample client record showing a name (Virginia Doe), Social Security number, phone number and street address in Aberdeen, WA, with a reference to Admin Policy 05.01]

Personal information about clients and employees must be protected because:
- Our clients give us personal information to receive a service. They trust us to keep that information private, and not to disclose it except as needed to provide that service.
- Various state and federal laws require us to keep information private.
- State law requires us to notify persons whose personal information we have inappropriately disclosed.

Classes of Information

Not all DSHS information requires the same level of protection. Managers are required to make sure that information entrusted to their care is classified according to the following four broad categories, and protected accordingly.

"Public Information" can be released to the public.

"Sensitive Information" is not specifically protected by law, but should be limited to official use only.

"Confidential Information" is specifically protected by law. It generally includes personal information about individual clients and employees.

"Confidential Information Requiring Special Handling" has especially strict handling requirements. Some examples include:
- Protected Health Information (PHI), as defined by HIPAA rules.
- Information that identifies a person as a client of an alcohol or substance abuse treatment, or mental health program.

So, how can I protect the Department's information?

Protecting Information

Store information in a safe place. Normally, you should save any files in your home directory (folder) or a shared directory (folder) on a server, NOT on your Local Disk (C:). If you need to store confidential information anywhere else, e.g. on your Local Disk (C:), a flash memory device (thumb drive), or a CD, you must:
- Have documented management approval; and
- Get instructions on how to protect the information (contact your computer support staff).

Do not directly connect any employee-owned device or recordable media to a computer or network. This includes:
- Smart phones.
- Flash memory devices (thumb drives).
- Writable CDs or DVDs.

Do store paper documents containing confidential information in locked containers (e.g. file cabinets) after normal working hours. Do lock your computer screen whenever you leave it. Do not share confidential information with coworkers who do not need it to do their jobs.

If you are authorized to send confidential information through e-mail messages over the Internet (i.e. outside the state/intergovernmental network), you must use a secure messaging process such as the DSHS Secure Email Message system.

Do immediately report loss, theft, or unauthorized disclosure of data in any form (e.g. paper or electronic) that potentially includes DSHS confidential information to the ISSD Service Desk at 1-888-329-4773 or 360-902-7700, or email [email protected]. This includes data lost by contractors.

Sharing Information with Business Partners

When DSHS shares confidential information with other entities (e.g. private contractors or other government agencies), there must be a formal contract that meets specific requirements. For details on sharing DSHS information, please contact your contracts staff.

Federal Information

Some DSHS information is protected under state and/or federal law. Social Security Administration (SSA) data is one such example. SSA client data is confidential. It is protected by RCW 74.04.060 at the Washington State level and by the federal Privacy Act of 1974.

Protected SSA data is defined as all personal client information obtained from or verified by the Social Security Administration. SSA client data may be provided directly to the client or their representative. SSA data may only be disclosed to agencies or other individuals for purposes related to program administration after an individual data share for that individual or agency has been established with the SSA. When in doubt about whether or not you're allowed to disclose, ask your supervisor!

Employees are held personally accountable for the appropriate use of SSA client data. It must be handled and stored securely, never left out for others to see, and destroyed in a secure manner when no longer needed. Unauthorized inspection, use, or disclosure of SSA client data can result in termination, prison time, and/or a fine of up to $5,000. If you suspect that SSA client data has been lost or breached you must report it to your supervisor immediately. (SSA requires that the incident be reported within one hour.)

Any loss or breach of SSA client data must be reported to the United States Computer Emergency Readiness Team (US-CERT). A report must be filed within one hour. In addition to filing a US-CERT report, any loss or breach of SSA client data must also be reported to the DSHS Privacy Officer. If you are unable to contact the DSHS Privacy Officer within one hour, call SSA's National Network Service Center (NNSC) toll free at 877-697-4889 (select Security and PII Reporting).

Lesson 3 Quiz

4) Which classification of data requires the greatest protection?
- Public Information
- Sensitive Information
- Confidential Information
- Confidential Information Requiring Special Handling

Answer: Confidential Information Requiring Special Handling. This information includes personally identifiable health information, PHI, which is covered under HIPAA.

5) Before I save any files containing confidential information on my Local Disk (C:), a flash memory device (thumb drive), or CD, I must:
- Have documented management approval
- Have received instructions on how to protect the information
- Both of the above

Answer: Both of the above. In addition to management approval, the information must also be encrypted.

6) I may save the following kinds of information on my home computer:
- Confidential client information
- Notes on a DSHS business meeting
- No DSHS information

Answer: No DSHS information. Never save any DSHS or client information to your home computer, even if it's just temporary.

7) I may plug or insert the following items, which I personally own, into my DSHS computer:
- A flash memory device (thumb drive)
- A smart phone
- A writable CD or DVD
- None of the above

Answer: None of the above. Personal devices, USB items such as lights or a cup warmer, or anything not specifically provided by your local IT may not be plugged into your DSHS computer. Not even to charge your cell phone or other devices.

8) When I leave my computer, I don't need to lock the screen because it locks automatically after 20 minutes:
- True
- False

Answer: False. The 20-minute lock is only a backup in case you forget to manually lock when stepping away.

9) I can send confidential DSHS information in an e-mail to a contracted service provider, using my Outlook email account, because Outlook automatically encrypts messages.
- True
- False

Answer: False. A secure email system must be used, as Outlook does not encrypt messages automatically.

Lesson 4: Passwords

In this lesson you will learn about keeping passwords secret, and constructing passwords that are hard to guess.

How to Protect Your Passwords

You are responsible for constructing safe passwords and protecting them from unauthorized disclosure. Passwords for DSHS systems must be kept SECRET. Sharing a password with anyone else is PROHIBITED, except for emergency access.

Do resist attempts by unauthorized persons to get you to reveal your password, e.g. by phone or email.
Do change your password immediately following discovery that it has been compromised or otherwise shared.
Do not store a password on your computer for automatic entry.
Do not write your password down and leave it in a place where unauthorized persons might discover it, such as under your keyboard.
Do not store a password in the same case as a portable computer.

Constructing Good Passwords

Create a password that is easy for you to remember, but hard for anyone else to guess. Hackers use computer programs and dictionaries to guess passwords. Try creating acronyms or phrases, and varying the spelling of words. Don't include your user ID or any part of your full name. Don't use names of family members.
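The construction advice above, together with the minimum requirements this lesson states next (at least eight characters, at least one special character, at least two of upper case, lower case and numbers), can be written down as a small check so that a password is tested against every rule before it is used. This is an added example and is not part of the DSHS course or any DSHS tool: the function name check_password, the sample user ID and name, and the optional family_names list are assumptions, and "special character" is taken here to mean any ASCII punctuation character.

```python
"""Password-rule checker for the rules stated in Lesson 4.

Added example: not part of the DSHS course and not a DSHS tool. The
function name, the sample inputs and the optional family-name list are
assumptions; the rules themselves are the ones the lesson states.
"""
import re
import string

# "Special character" is taken to mean any ASCII punctuation (%, &, + and the rest).
SPECIAL_CHARACTERS = set(string.punctuation)


def check_password(password, user_id, full_name, family_names=()):
    """Return the list of Lesson 4 rules the password breaks; [] means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(ch in SPECIAL_CHARACTERS for ch in password):
        problems.append("no special character (e.g. %, & or +)")
    kinds = sum([
        any(ch.isupper() for ch in password),
        any(ch.islower() for ch in password),
        any(ch.isdigit() for ch in password),
    ])
    if kinds < 2:
        problems.append("fewer than two of: upper case, lower case, numbers")
    lowered = password.lower()
    if user_id and user_id.lower() in lowered:
        problems.append("contains the user ID")
    # "Any part of your full name": every name token of three or more letters,
    # compared case-insensitively so that "DOE" and "doe" are both caught.
    for part in re.findall(r"[A-Za-z]{3,}", full_name):
        if part.lower() in lowered:
            problems.append(f"contains part of the user's name ({part})")
    # Family members' names are not on the page; the caller supplies them (assumption).
    for name in family_names:
        if name and name.lower() in lowered:
            problems.append(f"contains a family member's name ({name})")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; "jdoe" / "Jane Doe" are made up for this example.
    for candidate in ("Tg5%wxq!", "Summer2024", "jdoe&123", "Ab1%"):
        result = check_password(candidate, "jdoe", "Jane Doe", family_names=("Max",))
        print(candidate, "->", result or "passes all rules")
```

The rules are a floor, not a guarantee: a dictionary word with a digit and a symbol tacked on satisfies every check above yet is among the first guesses a password-cracking program tries, which is why the lesson's advice to build an acronym or phrase matters more than minimal compliance.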

Your passwords must:
- Be a minimum of eight characters in length
- Contain at least one special character, like a %, &, or + character
- Contain at least two of the following kinds of characters: upper case letters, lower case letters, numbers

Password Summary

Remember, your passwords are the keys to your computer, network, and information that you do not want unauthorized persons to access. Keep passwords secret. Create passwords that are easy for you to remember, but hard for others to guess. So, always protect your passwords.

Lesson 4 Quiz

10) The following is good password practice:
- Don't share it with other people.
- Change it immediately if someone else has learned it.
- Don't put it where anyone else might find it.
- All of the above

Answer: All of the above. If your supervisor needs to have your password, then you should supply it in a sealed envelope. Once it has been opened and used by your supervisor, you are to immediately change your password and provide them with a new sealed envelope containing your password.

11) When you make up a password, you should:
- Make it easy for you to remember, but hard for others to guess.
- Don't include your user name.
- Include some numbers or special characters.
- All of the above

Answer: All of the above. For example, the common weak password "Password" can be made harder to guess by substituting special characters and numbers for some of its letters.

Lesson 5: Using and Protecting Computer Systems

In this lesson you will learn about appropriate use of computer systems, remote access, and physical protection.

Appropriate Use of Computer Systems

You may only use agency computer systems, such as e-mail and Internet access, for appropriate purposes. Personal use is strictly limited. You may not access external e-mail systems such as Gmail, MSN/Hotmail, etc. from agency computers.

What is Remote Access?

"Remote Access" means accessing systems when away from the office, for example by using Outlook Web Access (OWA) or the Citrix Virtual Workplace service.

Is Approval Required?

Employees must have management approval to use remote access.

Physical Protection

Physically protect portable computing devices, including laptops, tablets, and handheld devices, by:
- Keeping them in locked storage when not in use;
- Keeping them under your control when traveling;
- Not leaving a device in a vehicle parked outside overnight.

Reporting lost items: Immediately report lost, misplaced, or stolen portable computing devices to the ISSD Service Desk at 1-888-329-4773 or 360-902-7700, or e-mail [email protected].

Lesson 5 Quiz

12) I should protect portable computing devices (including laptops and handheld devices) by:
- Not leaving them in a vehicle parked outside overnight.
- Keeping them in locked storage when not in use.
- Keeping them under my control when traveling.
- All of the above

Answer: All of the above. Portable devices should always be in your possession while traveling.

Lesson 6: Course Review & Wrap-up

Welcome to the final lesson of this course, which will include a quick review, getting credit, and your comments on the course.

Recap of Lessons 1, 2 and 3

In Lesson 1: Introduction, you learned why protecting DSHS information and computer systems is important to you. In Lesson 2: Bogus Messages, you learned how to spot bogus email and pop-up messages.

In Lesson 3: Data Classification and Protection, you learned how to protect confidential information.

Recap of Lessons 4 and 5

In Lesson 4: Passwords, you learned about keeping passwords secret and constructing passwords that are hard to guess. In Lesson 5: Using and Protecting Computer Systems, you learned about appropriate use of computer systems, remote access, and physical protection.

Getting Credit

Once you exit the course, you should notify your supervisor, human resources person, or training person, whichever is appropriate for your office, that you have completed the course. A record of your annual course completion will be placed in your employee personnel record.

Thank You!

ALTSA DDA IT Security Team

Comments: This course will be updated periodically. Please email any comments or suggestions to DSHS IT Security.
