Security Awareness Training - March 1, 2016: Town of Bedford, MA
[Slide diagram (compass-style layout) of where security risk comes from. Sources: Business; Geographic/Political; Malicious Actions; Unintended Events; Mismanagement (Internal & External). Actors: Internal and External; Team; Hackers - Viruses (International); Social Engineering (Confidence Man/Woman); Employees with access to funds and confidential information.]
Privacy Regulations
Regulations defined: Rules and administrative codes issued by governmental agencies at all levels, municipal, county, state and federal. Although they are not laws, regulations have the force of law, since they are adopted under authority granted by statutes, and often include penalties for violations.
Source: http://dictionary.law.com
Privacy Regulations
In combination with any one or more of the following data elements that relate to such resident:
a) Social Security number
b) Driver's license number or state-issued identification card number
c) Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account;
provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
The Need for Information Security
Public information:
– Already a matter of public record or knowledge
– Freely distributed and accessible by anyone
Non-public information:
– Personal information (often called PII – personally identifiable information)
– Identity information, financial records, healthcare records, etc.
– Internal plans and other operating information that should not be made public
How to protect non-public information – HARDCOPY
– Secure storage when not in active use:
• Locked drawers/cabinets, vault, etc.
– “Clean desk” policy:
• Multiple individuals have physical access during and after business hours
• During: public, visitors, staff, other city employees
• After: cleaning staff, building management, etc.
– Irrevocably destroy when no longer needed (following the records retention schedule):
• Locked shred bins, cross-cut shredders, adherence to archival schedules & protocols
• Straight (or line) shreds can be easily reconstructed via software
– Escort visitors for the duration of the visit, especially to sensitive/non-public areas
Line shredding reconstruction examples
[Image: example of a classified US gov’t line-shredded document reconstructed (manually) by the Iranian government]
Erin Benson
Compass IT Compliance, LLC
ebenson@compassitc.com