Your Responsibility
Modern Threats
May 2016: https://www.youtube.com/watch?v=8kQZsl8onwE
People contribute substantially, through their own behaviour and security awareness, to the security of information. This is of course also very important to CBM, especially where confidential and/or personal data is used, recorded or processed.
• Which contents of existing laws and guidelines on Information Security are important to us
• Reputational damage
• Legal disputes
• Blackmail
• Confidentiality – data that has been stored or is part of a data transfer must be protected against unauthorized access and modification.
Regulations
All sectors of CBM have to adhere to these country-specific laws and regulations.
Significance
Why is Information Security so important to us?
If serious Security Incidents were to reach the public (TV, newspapers), reputational damage to CBM could result. Not only donors could lose trust in our organization.
People in need of help who receive assistance from CBM could lose their trust in CBM if someone misused their private data (manipulated photos or published medical charts), especially if children are affected.
Protection of information
You play an important role in protecting the information that is available to you. Technical security measures and regulations are in place to protect data, e.g. that of our donors, but ultimately it is your behaviour and actions that ensure regulations are followed and implemented in daily practice and that information is protected appropriately.
It is your responsibility to:
• read, understand and act in accordance with regulations and procedures.
The Need-to-Know-Principle
Protection of Information
In this chapter we show you some typical scenarios that should increase your awareness in typical Information Security situations.
Protection
You should know how to ensure the protection of documents, your computer and other equipment, and the information you have processed or are using. Always pay attention to alarms or hints from internal security systems (e.g. a window with a warning from the internal anti-virus program or internet security system). In such a case, consider carefully what you do next. To get help, contact the helpdesk.
Modern threats
You should know the current threats that could impair the security of information, and you should be in a position to take measures against them.
Reporting / Alert
You must be aware of potential Information Security Incidents so that you are able to recognize them and raise an alert. Immediately reporting an incident to helpdesk@cbm.de is very important so that further measures can be taken by internal or external security experts and so that the incident is documented without gaps. A downloadable Reporting Template (Information Security Incident Report) is available on SharePoint for all CBM employees.
Confidential or personal information, which you will sometimes be working with, will probably be printed out, used and saved on mobile devices, or communicated by mobile phone. Such information must be protected against unauthorized access or misuse.
Furthermore, you use a computer in your everyday work. Every computer must be protected, because such devices provide access to confidential or personal information.
Data Classification
• Confidential information and data
Confidential information or data have to be protected against unauthorized access. Examples: the confidential content of a contract, financial data of the organization, information on Security Incidents, strategic plans, confidential email correspondence, conversations about the future strategy of CBM. Disclosure of such information often leads to serious consequences (e.g. loss of confidence).
• Personal information and data
Personal information and data can be associated with a specific person (e.g. the curriculum vitae of an employee; a list of donors and their account information; an employee's pay slip; medical charts of beneficiaries; private information of an employee etc.). Personal information in particular has to be protected, as it is subject to the data privacy act. A violation of this law often has substantial consequences (e.g. fines).
• Public information
Information and data that are already open to the public can safely be classified as "Public", because this is information such as a press release that has in any case been published in a newspaper, on the internet or in an advertisement.
• Internal information
If information is used only within the organization and is neither confidential nor personal, it is internal information (e.g. an invitation to the Christmas staff party). But if such information is sent to an external party (e.g. a contractor), then it must be classified as "external".
Remember:
Information that may be open to the public and is sent by email to individuals should be classified as "Public".
Data that is sent within CBM and is neither confidential nor personal should be classified as "Internal".
Remember:
Always take particular care with information about children. Never process, save or publish data about children without permission, and much less so if children are shown scantily dressed in photos. Carelessness or ignorance does not protect you from a sentence.
Your Work-Desk
In the course of your work for CBM you must ensure that no confidential or personal information is left visible on your desk. Unauthorized people could easily obtain such information for intentional misuse.
Which of the documents shown below are a breach of Information Security if they are left uncontrolled on an employee's desk? Click on each item to get an explanation.
• CBM Flyer
• Curriculum Vitae of an applicant
• List of donors and the amount of their donations
• Report of the last ILT Conference
CBM Flyer
It is not a problem to leave the CBM flyer uncontrolled on your desk; its contents are public anyway. But you should always follow the "Clean Desk" principle. A desk without paperwork is always well protected against Information Security breaches.
Curriculum Vitae of an applicant
Never leave a curriculum vitae visible on your desk. This document is full of personal information that an unauthorized person could use for intentional misuse. Remember, as you have already learned, personal information must be protected against any unauthorized access. The data privacy act has to be followed by everyone.
If an unauthorized person were able to get access to unprotected personal information at CBM and this led to a serious incident, e.g. fraudulent transactions, manipulation, blackmail or defamation of the affected person, CBM would be held fully liable for the damage. As this would be a violation of the applicable data privacy act, CBM would probably receive a high monetary penalty, in addition to a global loss of confidence if the incident became public.
List of donors and the amount of their donations
A list with the names of donors, their contact information and donations has to be removed from your desk, because the information on this list is confidential and contains personal data. If this information fell into the wrong hands and the incident were published in the media, it would surely become an embarrassment for CBM. Besides a drastic fine, it would cause a loss of confidence among donors, beneficiaries and partner organizations, and CBM would get a bad reputation.
Report of the last ILT Conference
If the report contains confidential information that should not be disclosed, then the document has to be removed from your desk when you leave.
Remember:
Always leave a "Clean Desk" behind. That way you can be sure that no personal or confidential information is visible and accessible to unauthorized people. Be aware that unauthorized people can also be internal (e.g. a colleague or another CBM employee).
Mobile Equipment
You are most likely using one or more mobile devices (e.g. Surface, notebook, mobile phone). Always follow these principles:
• Don't use your mobile device in places where unauthorized people are present.
• Don't use your mobile for confidential phone calls if another person could listen in.
• Never copy confidential CBM information onto private storage media (e.g. a private USB stick).
The use of phones, fax machines, emails and printouts can lead to information leakage. In some countries an organization is legally obliged to inform customers, regulators and other administrative bodies in the event of a loss of information.
Take a look at three examples of possible misbehaviour. Click on each person, then continue with the training.
John
John has joined a conference call with colleagues and a donor and begins to talk about the quantity and amount of the last donation. He did not notice that a guest of CBM had entered the room and that he had now disclosed confidential information.
Remember:
Always check who is nearby and who has joined the conference call before discussing confidential information. If necessary, move to a different room or discuss the item next time. As the situation above is a Security Incident, immediately inform your line manager and the helpdesk about it.
Olivia
Olivia sent medical charts of beneficiaries as email attachments, but realized too late that she had unfortunately used the wrong distribution list. As a result, she sent them to unauthorized people.
Remember:
Before sending an email, always double-check that you have selected the right recipients. Take special care if your email system has an auto-complete function, and when copying and pasting. If such an incident occurs, immediately contact the recipient and ask him/her to delete the message unread. Afterwards inform your line manager and the helpdesk about the mishap.
Jack
Jack received a large email with confidential information about a CBM colleague. He printed out the complete attachment and put it on his desk. When he came back from lunch, the whole printout had vanished without a trace.
Remember:
Always think twice about whether you really must print confidential or personal information. If you absolutely must, don't leave the printout uncontrolled on your desk, especially if you work in an open-plan office. Immediately inform your line manager and the helpdesk about the incident.
Secure Conference-Calls
In general, a dedicated Secure ID should be used for every conference call; this ensures that only authorized and invited people are able to join the call. The Secure ID should be generated individually for each conference call.
At the beginning of a conference call you should check that only invited people are on the call. If a join or leave signal sounds, you should clarify who has joined or left the conference call.
Remember:
Always use an individual Meeting ID when you invite people to a conference call. Before starting the call and at each signal, check the attendees and make sure that nobody has joined who was not invited. Preferably hold conference calls on confidential or personal topics in a discreet room.
Tools
Today a computer plays a fundamental role in your everyday work. You may have access to a lot of information and to different folders in the network environment. In some circumstances you also save data on the local drive. All this information has to be protected against fraudulent attempts. The same holds true for tablet PCs and smartphones.
How can you personally secure the tools provided to you? For further information click on the items below.
• Permissions
• Blocking
• Access
Permissions
In the scope of your work you require permissions so that you are able to work with the necessary data. Make sure that you have these necessary permissions. If you have additional requirements, e.g. for an application, you must create a request according to the appropriate change process. Contact your line manager if you are not sure how to raise a change request when you require information for your task.
Blocking
Don't leave your workplace without locking your PC (Windows Logo key + L, or Ctrl + Alt + Del followed by Enter). If you always lock your PC, you ensure that in your absence no unauthorized person can misuse it unhindered.
Access
Your access to systems should be limited to the appropriate scope of your role. Changes to access rights must be approved by your manager to ensure the integrity of data.
To keep CBM data safe, portable mass storage devices such as USB sticks or SD cards should not be used if they cannot be protected with encryption.
2. Before sending an email or fax message, check the addresses and fax numbers carefully. Remove printed or faxed documents from the device immediately.
4. If you want to access data, check that you have the correct permission.
5. Follow the "Clean Desk" principle. Don't leave documents with confidential or personal content on your desk.
6. Make sure that your password contains lower- and upper-case letters, numbers and special characters.
7. Dispose of documents containing confidential or personal data (including CDs/DVDs) only in one of the designated closed waste containers.
The Progress
Progress in electronics and other technologies marches on rapidly, but so do the techniques hackers use to gain access to information, manipulate it, or block users' access to it.
You have now learned how to protect information. But there are further threats that you have probably already had to deal with without knowing which attack you faced or how you should react to it. We now look at these topics, and you will learn how to protect data against such modern threats.
• Social Engineering
• Malware
• Social Networks
Social Engineering
Social Engineering via the internet or email is known as Phishing. Phishing is the attempt to get hold of confidential and personal information, e.g. user names and passwords, credit card numbers and possibly further personal information, in order to misuse it for the attacker's own purposes (e.g. fraud, blackmail, injurious falsehood).
Phone
A typical Social Engineering attack is the manipulation of employees by phone call, in which the attacker pretends to be:
Social Networks
A relatively new threat comes from social network platforms. On these platforms (e.g. Facebook, Twitter, Flickr, XING, LinkedIn) people publish a lot of personal information about their surroundings every day and use it for communication.
Imagine:
You are on holiday with your family and have published greetings and some photos from where you currently are. Two days later you get a phone call from the police that a burglary has happened and valuables have been stolen from your home.
• Use external storage media (e.g. USB sticks, CDs/DVDs) only if they come from a reliable source.
• Do not click on advertisements that route to unknown web pages, especially if they advertise compelling, suspicious and generous conditions.