Security Awareness Training PA Turnpike Commission

Introduction

The PA Turnpike Commission (PTC) is committed to protecting customer and other sensitive information from unauthorized access or disclosure. This security training focuses on the following types of information, with an emphasis on information in electronic form:

PII – Personally Identifiable Information. This is information, including financial information, that can potentially be used to uniquely identify a person. Examples include:

- Name
- Social Security Number
- Credit card information
- Driver license number

ePHI – Electronic Protected Health Information. This is individually identifiable health information. Examples include:

- Name
- Member ID number
- Medical history
- Medical condition

Numerous laws and regulations, including the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and PA Senate Bill 712, the Breach of Personal Information Notification Act, require the PTC to protect personal information and employee health information. Protecting personal/customer information is also a critical business enabler that is needed to maintain customer confidence in us.

Everyone at the PTC is responsible for:

- Protecting the confidentiality, integrity, and availability of sensitive information.
- Reading and adhering to PTC security policies.
- Becoming familiar with the PTC security web site.
- Becoming familiar with security communications whenever published.

Remember, YOU are the key to security at the PTC.

“But why do I need to learn about security, isn’t it just an IT problem?”

Good security practices follow the 90 / 10 Rule:

- 10% of security safeguards are technical.
- 90% of security safeguards rely on the user (you) to follow good security practices.

Example:

The lock on the door is the 10% (technical). You, remembering to lock the door, checking to see if the door is closed, ensuring that others don’t prop the door open, and controlling access to keys, are the 90%.

The 10%, technical, is worthless without you!

Security Objectives

Learn good security practices:

- Policies.
- Procedures.
- Security web site.
- Security communications.

Report potential security incidents. If you suspect that there is an issue, it just may be a problem and you should report it.

Include the following security practices in your daily routine.

Access Control – Physical Security

Access to PTC facilities must be controlled and protected. This will help to prevent unauthorized access to sensitive information, and contribute to creating a safer work environment for everyone at the PTC. You contribute to achieving this goal by:

- Prominently wearing your PTC photo ID badge at all times when you are in a PTC building.
- Never loaning your photo ID badge to anyone.
- Following visitor policy. When meeting with a visitor, ensure that they:
  - Sign in at the receptionist desk.
  - Are escorted at all times when visiting a PTC building.
  - Wear a visitor’s badge while visiting a PTC building.
  - Sign out at the receptionist desk when they are leaving.

And please report unescorted visitors/strangers to the receptionist desk.

Access Control – Unique User ID

You are assigned a unique user ID that identifies you on PTC information systems and you are responsible for its use.

Your unique user ID enables the PTC to:

- Limit access to the minimum needed to perform your job.
- Track information system activity in an effort to discover unauthorized access events or other potential violations.
- Facilitate the appropriate use of information systems.

Requests for new user IDs or changes to existing user ID access privileges are administered through a formal process using the Technology Request Form. The submission of an approved technology request is required before any user ID is created or access privileges are modified.

You must never attempt to circumvent the access request process.

Access Control - Passwords

Your password verifies who you are, and it is the key that allows the use of your user ID. The following password rules must be followed:

- Never share your password with anyone.
- If you must write your password down, always store it in a secure location.
- Don’t let your web browser or any system ‘remember’ your password so it can automatically log you on.

Your password:

- Must be at least 8 characters in length.
- Must be a mix of letters (uppercase and/or lowercase), numbers, and/or special characters.
- Must not contain your user ID, any part of your name, your family members’ names, or any other information that is easily associated with you.
- Cannot be a password that you have recently used.
- Must not be a word from the dictionary with random numbers.
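The password rules above, applied by a small checker, as an added example that is not from the training deck or the PTC. The dictionary, the password history and the name list are constructed sample data, and the “mix” rule is read here as letters plus at least one digit or special character.

```python
import hashlib
import re

# Constructed sample data (not from the training deck): a tiny dictionary of
# common words and the SHA-256 hashes of two previously used passwords, the way
# a password-history store would keep them.
SAMPLE_DICTIONARY = {"turnpike", "password", "welcome", "summer", "highspire"}
SAMPLE_HISTORY = {hashlib.sha256(p.encode()).hexdigest()
                  for p in ("Welcome2007!", "Tr@ffic99")}


def check_password(password, user_id, names,
                   history=SAMPLE_HISTORY, dictionary=SAMPLE_DICTIONARY):
    """Return the list of PTC password rules the candidate violates.

    An empty list means the password passes every rule. `names` is the
    user's own name parts plus family members' names (assumed to be
    supplied by the caller; the deck does not say where they come from).
    """
    violations = []
    lowered = password.lower()

    # Rule: at least 8 characters.
    if len(password) < 8:
        violations.append("shorter than 8 characters")

    # Rule: a mix of letters, numbers and/or special characters.
    # Interpretation used here: letters plus at least one non-letter.
    has_letter = re.search(r"[A-Za-z]", password) is not None
    has_other = re.search(r"[^A-Za-z]", password) is not None
    if not (has_letter and has_other):
        violations.append("not a mix of letters, numbers and/or special characters")

    # Rule: must not contain the user ID or any name associated with the user.
    for term in [user_id, *names]:
        if term and term.lower() in lowered:
            violations.append(f"contains personal information: {term}")

    # Rule: must not be a recently used password (compared by hash).
    if hashlib.sha256(password.encode()).hexdigest() in history:
        violations.append("recently used")

    # Rule: must not be a dictionary word with numbers (or symbols) added.
    # Strip everything but letters and look the remainder up.
    core = re.sub(r"[^a-z]", "", lowered)
    if core in dictionary:
        violations.append(f"dictionary word with numbers appended: {core}")

    return violations
```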

Workstation Security

We are all responsible for using information systems in a professional, ethical, and lawful manner, and protecting information systems from unauthorized access.

Lock your computer when you are away from your desk – even for a few minutes.

The placement of the PC in your work area must also be considered in order to minimize the possibility of unauthorized viewing of sensitive information. For example, monitors should be placed so that information displayed on them cannot be easily viewed through windows or by passersby.

Don’t leave sensitive information at remote printers, copiers, or fax machines.

Virus Protection

The PTC has installed anti-virus software on all computers, to protect sensitive information from malicious software. This anti-virus software is updated on a regular basis.

You can help to prevent computer virus infections by doing the following:

- Never disabling the anti-virus software on your PC.
- Never downloading files from the Internet that are not required to do your job.
- Never opening suspicious e-mail attachments. Delete the e-mail unless you can verify that it came from a known source.
- Deleting junk e-mail without opening it.

Portable Computing Devices

Portable computing devices such as laptops or personal digital assistants (PDAs) require increased protection because there is a greater risk of loss with these types of devices.

Sensitive information must not be stored on a portable computing device unless an approved safeguard, i.e. encryption, has been installed and enabled on the device.

A portable computing device must never be left unattended when in a public area such as an airport or restaurant.

A portable computing device must never be left in plain view when left in a vehicle.

At work, if a portable computing device will be left unattended for an extended period of time it must be secured. For example, at the end of the workday, if an individual is going to leave their laptop at work, it must be secured in a locked desk, cabinet, or office.

Media Control

When sensitive information has been stored on a computing device, or other form of electronic media such as CDs or tapes, special precautions must be taken before the re-use or disposal of the computing device or media. Sensitive information must be removed from the computing device or media when it is no longer needed, or the media must be destroyed.

You are responsible for ensuring the proper disposal of electronic media in your possession.

Electronic media such as CDs and DVDs must be physically destroyed. DO NOT simply throw them into the trash. Contact the IT Helpdesk, at ext. 5678, with any questions you may have.

Never store sensitive information on memory sticks or non-PTC media.

Paper Media:

Paper containing sensitive information must also be disposed of appropriately, that is, it must be shredded.

Data Backup and Storage

Information that is stored on the PTC network is backed up on a regular basis to ensure its continued availability. To guard against data loss, you must store important information in the appropriate location so it is included in the system backup schedule.

Information that is stored on a network drive is backed up on a regular basis; therefore, always store important information on a network drive. Appropriate storage locations should be discussed with management within your business unit before storing information on the network, because storing the information in an incorrect location may provide unauthorized access to the information.

Sensitive information should never be permanently stored on the hard drive of a desktop or laptop computer. If sensitive information must temporarily be stored on a desktop or laptop, you are personally responsible for the data backup and secure storage of the data.

Remote Access

The only approved method of remotely accessing shared drives within the PTC network requires the use of a PTC computing device using the standard remote access solution. Services published to the World Wide Web, such as Outlook Web Access, may be accessed from non-PTC computing devices such as home PCs.

Remote access requires management approval and will be limited based on current job responsibilities.

The use of unauthorized remote access methods or technologies, including unauthorized wireless access points or modems, is expressly prohibited.

E-mail Security

E-mail is like a postcard, and may be viewed during transmission, therefore sensitive information must never be included in e-mail that will be sent over a public network, i.e. the Internet, unless it has been secured using an Information Security approved solution.

Should you open an e-mail attachment? If it’s suspicious, don’t open it. What is suspicious?

- Not work related.
- Not expected.
- Attachments with suspicious file extensions such as .exe, .vbs, .bin, .com, .pif.
- Web link.
- Unusual subject lines including deals, get rich quick offers, or ads.

Internet Security

As is the case with e-mail, the Internet is not private and access can be traced to you.

The Internet is a useful business tool to aid in the performance of your job, and must be used responsibly.

You may not attempt to access the Internet by any means other than the PTC corporate solution.

Protection of PTC information systems requires everyone to act responsibly when accessing the Internet:

Be suspicious of accessing sites offering questionable content. These often result in spam or the release of malicious software.

Be careful about providing personal, or other sensitive information to a web site or to web based surveys that are not from trusted sources.

DO Use The Internet:

- To aid in the performance of your assigned job responsibilities.
- To support official PTC activities.
- In compliance with corporate policy.
- To improve your work-related skills and access information that will make you a more effective employee.

DON’T Use The Internet:

- To transmit sensitive PTC information unless it has been appropriately secured, i.e. encrypted.
- For conducting personal for-profit transactions, or to operate a personal business.
- To participate in or promote any activity that is prohibited by local, state, or federal law.
- To download software unless this activity is in compliance with PTC Policy Letter No. 8.5, Licensed Software Use.
- To exchange or download audio or video files.
- To access, receive or transmit threatening, obscene, or harassing materials, including comments based on race, national origin, sex, sexual orientation, age, disability, religion, or political beliefs, or any other materials that a reasonable individual may find personally offensive or inappropriate.
- To access resources, including broadcasting services such as Internet radio, which may disrupt or monopolize PTC computer system resources.

Social Engineering

Social engineering is the act of tricking people into revealing information they normally wouldn’t. It’s a con game. A social engineer relies on your natural tendencies to be helpful and trusting to try to get you to believe that they have authorized access to information, hoping that they will get you to reveal confidential information, such as a password, that will actually give them access to information.

Social engineers are typically looking for information such as:

- Names, titles, phone numbers, schedules.
- Credit card and cell numbers.
- Easy physical access to a building or restricted area.
- Any information that they can piece together to appear legitimate.

Tricks of the social engineering trade:

- Piggybacking into a building.
- Dumpster diving into garbage looking for useful information.
- “Innocent” conversations used to gather information.
- Helpdesk scam. A person calls and pretends to be from the helpdesk and asks for your password.

Prevent social engineering:

- Never share your password.
- Don’t give out sensitive information by phone or e-mail without verifying the source and protecting the information.
- Shred all sensitive papers, and destroy electronic media, such as CDs, that contain sensitive information.
- Don’t open unsolicited or suspicious e-mail.

If a request is made to you to access sensitive information and you doubt its validity, politely refuse the request and notify your manager. Your manager will then evaluate the situation and determine if a security incident may have occurred.

Reporting Security Incidents

You are responsible for reporting any type of activity that could indicate a security incident. Security incidents will typically involve unauthorized access to PTC facilities, or to information and information systems. Examples include, but are not limited to:

- Sharing user IDs.
- A perception that someone is trying to use your user ID.
- An unauthorized person within a PTC facility.
- A person with access to sensitive information that is not needed to perform their job.
- A request for your password by anyone.
- CDs or paper containing sensitive information thrown in the trash.

You can report a security incident, using the Fraud and Abuse Tip-Box, in the following ways:

- Write to the PTC Tip-Box, PO Box 19, Highspire, PA 17034-0019.
- Send an e-mail to [email protected]

Sanctions for Violations

As mentioned previously, everyone at the PTC is responsible for complying with PTC policies. PTC workforce members who violate PTC policy are subject to corrective actions.

Depending upon the severity of the violation, corrective action may start at any level up to and including immediate termination.

Conclusion

Remember:

YOU are the key to security at the PTC!

Please visit the security web site regularly for updated security information, and feel free to contact any member of the security group with any comments or questions that you may have.

Click the link below, and you’ll be transferred to a page where you will register that you have viewed this presentation! Thanks!

Confirmation Page