Security

Who is responsible for computer security?

Every member of Officience is responsible.

• Offies are expected to act responsibly and ethically when accessing Officience’s electronic data and technology resources.
• The security of a system is only as good as its weakest link. If even one person does not pay attention to security, the security of the whole system is compromised. Read example on Thalès Security.

Good Security Standards follow the "90/10" Rule :

• 10% of security safeguards are technical.
• 90% of security safeguards rely on the computer user (YOU) to adhere to good computing practices.

Security Topics

Best security practices for Offies

• Data protection - classification level of information
• Working Area
• Desktop/Laptop Security
• Laptop security while on traveling or remote work
• Mobile device security
• Password usage
• Internet Usage
• Email usage
• Data Backup & storage
• Use of Encryption
• Media Destruction

Protection from viruses, trojan horses, malicious codes

• Potential threats
• Malicious software
• Signs of malware & example
• How to protect against malware
• Instant Messaging
• P2P file sharing
• Identity theft
• Social engineering
• Email phishing
• Avoid being a victim
• Reporting security breaches

Data protection : Classification level of information

NDA (Non-disclosure agreement)

See Non-Disclosure Agreement

Protecting data at work

The best way to secure your system is to use a managed workstation. IT Support automatically updates anti-virus and patches on managed systems. Here are some additional tips to protect your data.

• Use strong passwords
• Pay attention to your computer's security
• Use email safely
• Use the Internet responsibly and securely
• Dispose of media properly

Pay attention to your computer's security

• Lock your computer with a password-protected screen saver before leaving your desk unattended.
• Before you go home, log off the network.
• Manage your data in a manner that reflects its sensitivity.

Protecting data at home

If you use your home computer to access applications at Offy and your home computer is not properly protected, you can put Offy’s systems at risk.

• Use unprivileged account for normal use
• Always use anti-virus software
• Use VPN to connect if possible
• Apply patches regularly
• Perform regular backups
• Shutdown your computer when not in use
• Work securely from home
• Protect against Malware
• Make wireless networks secure

IT Helpdesk does not provide support for home computers. If you need additional assistance with your home computer, please contact to us at: itsupportATofficience.com

Working Area

• Clear your desk at the end of day.
• Don't leave sensitive information (paper, cd/dvd,...) on your desk without protection.
• Don't try to plug any other devices into Officience network without approvals from ITS
• Don't use personal devices (laptop,...) without approvals from direct manager & ITS

Desktop/Laptop Security

• Lock screen as soon as leaving your seat
• Set password-enabled screen saver with inactive timeout, recommend 15 minutes
• Antivirus & firewall must be installed and enabled in the desktop
• Enable & install Windows, Linux & third party updates if available
• Don’t install software without ITS involvement

Laptop Security on traveling, remote work

• Apply best security practices for desktop, laptop above
• Keep only necessary documents on your laptop
• Set password for confidential documents
• Encrypt the storage for confidential information
• Use open public wireless carefully.
• Use only VPN to connect to Officience information systems

Mobile devices Security

• Never leave a smartphone unattended. Make it a personal habit to keep the phone closed at all time
• Keep only necessary documents on your phones
• Set password for confidential documents
• Use open public wireless carefully.
• Don't send private, personal information without vpn or ssl protection

Password Usage

Use strong passwords :

• Minimum of 8 characters in length
• Not a dictionary word or proper name
• Not the same as your user ID
• Change within a maximum of 90 days

Memorize It – Don’t write it down! Password Exchange :

• No password sharing
• Don’t send user & password in the same email without encryption

Best practice are:

• User id in 1 email & password in another email
• User id in email & password provided face-to-face, phone call, hangout

^{Superscript text}

Keep Your Computer Safe

Internet Safety

Internet Usage

Internet is for professional use.

Use the Internet responsibly and securely :

• Don't post sensitive company information or company-related comments on message boards, in chat rooms or anywhere else on the Internet.
• Don't visit inappropriate Internet sites.

Email Usage

Use email safely :

• Never open suspicious or unsolicited attachments
• Avoid responding to spam
• never provide credit card numbers, passwords or personal information in response to email messages
• install anti-virus software and update frequently

Double check the recipients before sending emails

Do not use corporate email for illegal actions

Data Backup & Storage

• Store your data in network drives to keep prevent data loss. All network drives are backuped
• Backup retention period is 1 week i.e your oldest data can be recovered is 1 week
• Data ⇒ Backup to Google Cloud (using Offy account)
• Data ⇒ Backup to Customer or Offy SharePoint

Use of Encryption

• Confidential information must be stored on the secure network with restricted access.
• Whenever it is requested by the information owner to store on any devices other than the secure network server, it must be encrypted.
• All confidential information transmitted to an email outside domain officience.com must be encrypted.

Media Destruction

Dispose of media properly : Before electronic media is disposed of, appropriate care must be taken to ensure that no unauthorized person can access data by ordinary means. Electronic media such as floppy disks, rewritable CD-ROMS, zip disks, videotapes, and audiotapes should be erased if the media type allows it or destroyed if erasure is not possible.

Protection from viruses, trojan horses, malicious codes

Potential threats

• Malicious Software (viruses, trojans, worms, spyware, or other)
• Instant Messaging
• Peer-to-Peer File Sharing
• Identity Theft
• Social Engineering
• Some applications such as Instant Messaging (IM), Peer-to-Peer (P2P) file sharing, pose serious security risks. You should consider anything typed into IM or transferred through P2P to be visible to the entire internet.
• When used in conjunction with Internet sites outside of Offy, they can cause undesirable and damaging consequences. For example, you are most likely to encounter malware browsing an external website. When accessing external websites, members of Offy must be especially cautious

Malicious software

Malicious software (malware) is a serious threat. These are programs that can "infect" other programs, damage hard drives, erase critical information, take critical systems off-line, and forward your data to external sites without your knowledge.

Malware includes:

• Viruses
• Worms
• Trojan Horse programs
• Spyware
• Programs which accidentally harm any system or data

Malware (cont)

Malware Example

Signs of malware

• Slowdown
• Pop-Ups
• Crashes
• Suspicious hard drive activity
• Running out of hard drive space
• Unusually high network activity
• New browser homepage, new toolbars and/or unwanted websites accessed without your input
• Unusual messages or programs that start automatically
• Your security solution is disabled
• Your friends tell you that they are getting strange messages from you
• New, unfamiliar icons on desktop + battery life drains quickly
• You see unusual error messages
• You are unable to access the Control Panel, Task Manager, Registry Editor or Command Prompt

Signs of malware: Example

What to do if your PC infected with malware

Anti-virus software running on Offy’s managed workstations protects against most malware.

Should you suspect that your computer is infected, take immediate action:

• Unplug the computer from the network
• Read the notice carefully…Is it from your real antivirus program?
• What does the notice say your AV program did with the infected file?
• SCAN the hard drive to see if the malware has been dealt with
• Shutdown your system
• Contact the IT Helpdesk for help.

Instant Messaging

Instant messaging is the popular method of typing online conversations in real time. Risks of Externally Hosted Instant Messaging:

• No virus protection
• A separate "exit" action is needed to stop it
• Hijacking and impersonation
• Malicious code
• Unauthorized access
• Poor password security
• Broadcasts the computer's presence online even if the interface is closed
• The data is sent to an external host before going to the intended recipient

On our Skype network, someone in your contact list send you a file, it’s has icon similar to a PDF or DOC file, but, in fact it’s an execute file. If you receive and open the file, your PC will infected with virus/trojan.

P2P file sharing

P2P (Peer-to-Peer) means file sharing between users on the Internet. Examples are Gnutella, KaZaA, Napster, Morpheus, eDonkey, BitTorrent and BearShare.

P2P file sharing is inherently insecure and lives on the fringes of legality. Badly-coded clients, viruses and Trojan Horses and potential lawsuits are just some of the many threats that users must face when they venture into the untamed wilderness of the P2P world. Some threats are:

• Some P2P programs share everything on your computer with anyone by default.
• Some P2P programs themselves contain "spyware".
• Much of the P2P activity is automatic, and its use is unmonitored.
• Creating multiple copies of a copyrighted work, music or videos and sharing them is illegal.
• Computers running P2P programs can be used to spread malware, share private documents, or use your file server for store-and-forward.
• Various types of illegal files can be downloaded and re-shared over these P2P networks by mistake.

Identity theft

identity theft is the unauthorized collection and use of your personal information for criminal purposes. This information can be used to open credit card and bank accounts, redirect mail, establish cellular phone service...If this happens, you could be left with the bills, charges, bad checks, and taxes.

Social engineering

Social engineering is the practice of obtaining confidential information by manipulation of legitimate users. A social engineer will commonly use the telephone or Internet to trick people into revealing sensitive information or getting them to do something that is against typical policies.

Some example about phishing mail

Fishing (fake email) : Phishing” is the act of sending an email pretending to be from someone “official” with the intention of gaining personal information.

Avoid being a victim

Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.

• Do not provide personal information or information about your organization unless you are certain of a person's authority to have the information.
• Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.

If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a web site connected to the request.

Reporting security breaches

What is a security incident?

Anytime you suspect a Offy computer has been compromised, whether that involves theft, hacking, a vicious virus, unauthorized use of IT technology or you witness an inappropriate or offensive use of email or the Web, you should report the incident, or seek help and advice from IT Support.

Why should I report a security incident ?

If your system has been infected or any data has been lost, IT Support resources can help you clean up your system. Furthermore, as a user of the network, you should be aware of your rights and responsibilities. How do I report a security incident? Report security violations and computing problems to the IT Help Desk at:

• itsupportATofficience.com
• securityATofficience.com

DEVICE USE

Guidelines for usage include:

• Storage and access of sexually explicit, racist, and hate oriented materials is prohibited.
• Illegal and/or fraudulent practices are prohibited.
• Installation of devices and software for non-business related activities is prohibited. This includes, but is not limited to, gaming devices/software, instant messaging software, wallpaper and screensavers not installed by IT.
• Attachment of devices and/or software to allow external access to the Offy network not explicitly approved by IT is prohibited.
• Installation of software not properly licensed, if required, is prohibited.
• Deactivation of support tools, including antivirus software, systems security, and monitoring tools.

Useful Email & Websites

Websites

• Corporate website: www.officience.com
• HRMS: hr4you.officience.com
• Corporate webmail: mail.officience.com
• Intranet: offyspace.com
• Helpdesk request: http://offyspace.com/sc/

Emails:

• IT Support: itsupportATofficience.com
• HR support: hrATofficience.com
• security alert: securityATofficience.com

See also

• Security team
• Thalès Security

Reference

• Security Training (by Hoai Linh NGO, 2017)