Information Assurance and Security at Polytechnic University of Puerto Rico
Information Assurance Awareness (Policies and Best Practices)

(Policies and Best Practices) - Security awareness efforts have the purpose of changing behavior and reinforcing good security policies. NIST SP 800-16 defines security awareness as a means to “focus the employees’ attention on security”, not as the process of training employees on security. It explains that “awareness presentations allow individuals to recognize IT security concerns and respond accordingly.” Establishing proper security awareness services and providing employees with presentations and other awareness material can reduce the incidence of accidental (or deliberate) security breaches and helps to create security awareness among employees, making them accountable for violations. Awareness programs are designed to modify employee behavior in a short time frame. These materials and services give employees an immediate insight into the security controls and measures that cover the basics: how to handle information, how to use applications, and how to operate within the organization. The idea is to make employees aware of the policy penalties for failure to comply, and to provide mechanisms for discovering policy violations. Posters, presentations, pamphlets, videos, Internet and/or intranet pages, e-mails, and other publicity means, such as establishing an “awareness day”, help computer and non-computer users alike to promote security awareness on campus for all categories of employees. The following resources are provided free of charge:

(On-line tutorials)- The following IA tutorials are provided for students and faculty on the NIH website at the following link: http://irtsectraining.nih.gov/public.aspx

Some of the tutorials available are:

  • Entire Computer Security Awareness Course.

  • Securing Remote Computers.

  • Privacy Awareness Course.

(Security Tools)- The following links provide free security tools and information:

  • Microsoft provides security tools and bulletins at their Microsoft TechNet: Security TechCenter at:
    http://technet.microsoft.com/en-us/security/cc297183.aspx#EUD

  • Students in the IA Lab have access to the McAfee Threat Center. This site provides information and security tools that keep students informed about new threats and viruses: http://vil.nai.com/vil/default.aspx

  • About.com Internet/Network Security is a site that helps students who are new to computing, or at least new to computer security, to understand the threats and how to protect their computers. It helps them understand the fundamentals that they need to know in order to secure and protect data. There are different sections containing security tools, newsletters, forums, and a collection of tips, how-to's and other advice to help understand the basics of computer and network security, and wireless security. Site includes: Security 101, Wireless Security, Basic Security, Web Browser Security, Email and Phishing Security, Pop-Ups and Spyware, Virus and Malware Security, Advanced Security, Information Resources, Tools & Utilities, Product and Book Reviews, Security Bulletins, and more: http://netsecurity.about.com/

(Guidelines to best practices)- The following links lead to sites that provide information on security issues to encourage IA awareness:

  • National Institute of Standards and Technology was founded in 1901. NIST is a non-regulatory federal agency within the U.S. Department of Commerce. NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. http://nist.gov.

  • The NIST Computer Security Division provides guidelines and policies for IA awareness. The site can be accessed at:
    http://csrc.nist.gov/index.html.

  • Guidelines can be found for building an information technology security awareness and training program at:
    http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf.

  • Virus Bulletin started in 1989 as a magazine dedicated to providing PC users with a regular source of intelligence about computer viruses, their prevention, detection and removal, and how to recover programs and data following an attack. Virus Bulletin quickly became the leading specialist publication in the field of viruses and related malware.
    http://www.virusbtn.com/index

  • NIATEC is a consortium of academic, industry, and government organizations to improve the literacy, awareness, training and education standards in Information Assurance. As the federally designated cornerstone for essential education and training components of a strong Information Assurance initiative, the mission is to establish an effective Information Assurance infrastructure for academic, industry and government organizations. http://niatec.info/ViewPage.aspx?id=0

(Incident Response Plan for Virus Attacks)- (General Recommendations)
Symptoms that may indicate a virus infection has occurred:

  • Programs on the system start to load slowly, or slower than usual. This can happen because the virus is spreading to other files on the system.

  • Unusual files appear on the hard drive, or files start to disappear from the system. Many viruses delete key system files to render the system inoperable.

  • Program sizes change from the installed versions. This occurs because the virus attaches itself to these programs on disk.

  • The browser, word processing application, or other software begins to exhibit unusual operating characteristics. Screens or menus may change.

  • The system mysteriously shuts itself down or starts up, and shows a great deal of unexpected disk activity.

  • Access is mysteriously lost to disk drives or other system resources because the virus has changed the settings of a device to make it unusable.

  • The system suddenly reboots or gives unexpected error messages during startup.
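The file-related symptoms in the list above (unusual new files, files that disappear, and program sizes that change from the installed versions) can be checked against a recorded baseline instead of being noticed by chance. The following Python script is an added example, not part of the original page or of any PUPR lab material: it records the size and SHA-256 of every file under a directory, then reports new, missing and modified files. The directory layout, file names and the simulated infection are constructed for illustration.

```python
"""Added example (not from the PUPR page): a file-integrity baseline that
detects three of the listed infection symptoms, namely new files, missing
files, and programs whose size or content changed on disk.
Paths and sample files below are constructed for illustration."""
import hashlib
import json
import os
import tempfile


def fingerprint(path):
    """Return (size, sha256) for a file; the hash catches same-size edits."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            size += len(chunk)
            h.update(chunk)
    return size, h.hexdigest()


def build_baseline(root):
    """Map each file (path relative to root, '/' separated) to its fingerprint."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            size, digest = fingerprint(full)
            baseline[rel] = {"size": size, "sha256": digest}
    return baseline


def compare(baseline, current):
    """Classify differences the way the symptom list describes them."""
    report = {"new": [], "missing": [], "modified": []}
    for rel in current.keys() - baseline.keys():
        report["new"].append(rel)
    for rel in baseline.keys() - current.keys():
        report["missing"].append(rel)
    for rel in baseline.keys() & current.keys():
        before, after = baseline[rel], current[rel]
        if before != after:
            # (path, size before, size after): an appended payload grows the file
            report["modified"].append((rel, before["size"], after["size"]))
    for key in report:
        report[key].sort()
    return report


def demo():
    """Constructed scenario: baseline a 'program' directory, then simulate an
    infector appending code to a binary, dropping a file and deleting one."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "editor.exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 1000)
        with open(os.path.join(root, "bin", "helper.dll"), "wb") as f:
            f.write(b"MZ" + b"\x01" * 500)
        baseline = build_baseline(root)
        # Round-trip the baseline through JSON, as when storing it off-system.
        baseline = json.loads(json.dumps(baseline))

        # Simulated infection.
        with open(os.path.join(root, "bin", "editor.exe"), "ab") as f:
            f.write(b"\xcc" * 256)                       # appended payload
        with open(os.path.join(root, "bin", "dropper.tmp"), "wb") as f:
            f.write(b"junk")                             # unusual new file
        os.remove(os.path.join(root, "bin", "helper.dll"))  # key file deleted

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the baseline on read-only or off-system storage: a virus that can rewrite programs can also rewrite a baseline stored beside them. The content hash matters because an infector that overwrites bytes in place leaves the size unchanged, which the size-only symptom would miss.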

After the Virus Attack
If the antivirus software has detected the attack:

  • Delete the virus or quarantine the file that carries it. Record any message the antivirus software displays.

  • Update the antivirus software and its virus definitions as soon as possible.

If the computer is behaving strangely and you suspect a virus that has not been detected:

  • Back up data files to removable media, and treat that media as potentially infected until it has been scanned.

  • Turn the computer off by pulling the plug.

  • Completely reformat the drives and reinstall the operating system and applications.

  • After reinstalling the operating system and applications, install new antivirus software, download the most recent virus definitions, and scan the entire system.

  • After the scan is completed, restore the data files from the backup and scan the system again, since the backup may still carry the virus.

  • This process should eliminate all viruses from the system, application, and data files.

Before the Attack

  • The best method of protection is a layered approach. The first layer is antivirus software on the desktop. The second layer is education: do not open suspicious files, and open only files that you are reasonably sure are virus free. Scan every removable medium, disk, e-mail and document you receive before opening it.

  • Virus scanners search hard disks for viruses, and detect and remove any viruses that might be on the computer.

  • Virus protection – It is necessary to update the antivirus software and its virus definitions on a regular basis, possibly every day. New virus threats are recorded daily, and new profiles should be added to the virus list.
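The two preventive controls above, scanning every removable medium before its files are opened and keeping virus definitions current, can be combined in one check. The following Python script is an added example, not from the original page or from any particular antivirus product: it refuses to scan with definitions older than one day, then walks a mounted medium and matches each file against a signature set. The signature names, byte patterns, timestamps and sample files are constructed for illustration only.

```python
"""Added example, not from the PUPR page: a minimal signature scanner that
(1) refuses to run with virus definitions older than one day and (2) scans
every file on a removable medium before anything on it is opened.
The signature set, definition timestamp and sample files are constructed."""
import datetime
import os
import tempfile

MAX_DEFINITION_AGE = datetime.timedelta(days=1)

# Constructed toy signatures: hypothetical names, harmless byte strings.
DEMO_SIGNATURES = {
    "Demo.Dropper": b"DEMO-DROPPER-PAYLOAD",
    "Demo.Macro": b"Sub AutoOpen()",
}


def definitions_are_stale(updated_at, now, max_age=MAX_DEFINITION_AGE):
    """True when the definitions were last updated more than max_age ago."""
    return now - updated_at > max_age


def scan_file(path, signatures, chunk_size=65536):
    """Return the sorted names of every signature found in the file.

    The file is read in chunks; the last (longest - 1) bytes of the previous
    chunk are kept so a pattern split across a chunk boundary is still seen.
    """
    longest = max(len(pattern) for pattern in signatures.values())
    found = set()
    tail = b""
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            window = tail + chunk
            for name, pattern in signatures.items():
                if pattern in window:
                    found.add(name)
            tail = window[-(longest - 1):] if longest > 1 else b""
    return sorted(found)


def scan_media(mount_point, signatures, definitions_updated_at, now):
    """Scan every file under mount_point; map relative path -> signature hits.

    A scan with stale definitions only gives false confidence, so the scan is
    refused outright until the definitions have been updated.
    """
    if definitions_are_stale(definitions_updated_at, now):
        raise RuntimeError("virus definitions are older than one day; update them first")
    infected = {}
    for dirpath, _, filenames in os.walk(mount_point):
        for name in filenames:
            full = os.path.join(dirpath, name)
            hits = scan_file(full, signatures)
            if hits:
                rel = os.path.relpath(full, mount_point).replace(os.sep, "/")
                infected[rel] = hits
    return infected


def demo():
    """Constructed scenario: a USB stick holding a clean image, a document
    with an auto-run macro, and an executable whose payload string straddles
    the 64 KiB chunk boundary. Definitions are six hours old, so the scan runs."""
    now = datetime.datetime(2008, 6, 2, 9, 0, tzinfo=datetime.timezone.utc)
    fresh = now - datetime.timedelta(hours=6)
    with tempfile.TemporaryDirectory() as usb:
        with open(os.path.join(usb, "photo.jpg"), "wb") as f:
            f.write(b"\xff\xd8\xff" + b"\x00" * 100)
        with open(os.path.join(usb, "report.doc"), "wb") as f:
            f.write(b"Quarterly report\n" + b"Sub AutoOpen()\n" + b"...")
        with open(os.path.join(usb, "setup.exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 65528 + b"DEMO-DROPPER-PAYLOAD")
        return scan_media(usb, DEMO_SIGNATURES, fresh, now)


def stale_demo():
    """Show the freshness gate: definitions from two days ago are refused."""
    now = datetime.datetime(2008, 6, 2, 9, 0, tzinfo=datetime.timezone.utc)
    old = now - datetime.timedelta(days=2)
    with tempfile.TemporaryDirectory() as usb:
        try:
            scan_media(usb, DEMO_SIGNATURES, old, now)
        except RuntimeError as err:
            return str(err)
    return "scan ran"


if __name__ == "__main__":
    print(demo())
    print(stale_demo())
```

The freshness gate is deliberately a hard failure: a scan with stale definitions reports "clean" for anything discovered since the last update, which is exactly the false confidence the daily-update advice is meant to prevent. Substring matching is only the simplest form of signature detection; real engines also unpack archives and emulate code.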

Data Classification

Confidential data is information that is not to be publicly disclosed. The disclosure, use, or destruction of confidential information can have adverse effects, and possibly carry significant civil, fiscal, or criminal liability. This designation is used for highly sensitive information whose access is restricted to selected authorized employees. The recipients of confidential information have an obligation not to reveal the contents to another individual unless that person has a valid need to know about the information. Confidential information must not be copied without authorization from the identified owner.

  • Documents used at a strategic level are usually confidential in their initial stages.

  • Trade secrets or intellectual property such as research activities.

  • HIPAA records.

  • Financial account information which by contract or agreement has committed to ensuring confidentiality.

  • Legal investigations conducted by institutions.

  • Employee screening information.

Confidential data can be organized into three categories:

  • Data whose unauthorized release could cause personal, institutional, or financial loss, or a violation of a statute, act or law.

  • Proprietary data whose disclosure could cause significant harm to the institution's reputation.

  • Data whose unauthorized release would constitute a violation of a confidentiality agreement accepted as a condition of possessing, producing or transmitting it.

Sensitive data is information generally used internally or with an authorized partner. Its unauthorized release would not result in any business, financial, or legal loss but could negatively impact the privacy of individuals named or the integrity or reputation of the company. Some examples of sensitive data are:

  • Research data not considered confidential.

  • Marketing data.

  • Employee Directory information that has been suppressed.

  • Customer data.

  • Proprietary financial, budgetary, or personal information not explicitly approved by authorized parties for public release.

  • E-mails and other communications regarding internal matters which have not been specifically approved for public release.

Public data is defined as any information that can be accessed by any external or internal entity. Examples of public data are:

  • Promotional material.

  • Brochures.

  • Company vision, mission and values.

  • Directories.

  • Contact information.

Copyright ©2008
Polytechnic University of Puerto Rico PO Box 192017 San Juan, PR 00919-2017 377 Ponce de León Ave. Hato Rey, PR 00918 (787) 622-8000