Quick Instructions
Use this presentation as you wish, and consider inserting it into your
normal awareness training. Know that infotex can help you design an
Awareness Training Program that mitigates a substantial amount of risk
in your Information Security Program.
Slide 5
Quick Instructions
Be sure to compare this to your own Acceptable Use Policy. Some of the
slides represent selections that can go both ways. For example, some
banks allow users to access social media sites, some don't.
Slide 6
Quick Instructions
The subjects of the slides can also be used in the periodic reminders
that you should be sending on a scheduled basis (most banks are
monthly). Consider using the subject material as posts on your own
social media sites.
Slide 7
Copyright Issues
We're offering these slides for your own creative use. You do not need
to credit us, but we always appreciate it when you do.
Slide 8
One Last Note: Find more horror stories on privacyrights.org or
m.infotex.com/horror
Slide 9
and now... THE SLIDES!
Slide 10
Insert a humorous picture of you surfing at home. (or just a
title page.)
Slide 11
Insert a humorous picture of you surfing in public. (or just a
title page.)
Slide 12
Social Media
And the risks of social networking.
Slide 13
Social Networking Sites
Facebook
LinkedIn
Myspace
Twitter
YouTube
Etc.
Slide 14
Social Media Risks
The AUP prohibits access to social media sites using bank assets.
You should not be checking in on Facebook, LinkedIn, etc. from assets
owned by the bank.
Slide 15
Social Networking Sites
Employees must exercise good judgment in the use of social media sites.
Unless a good business reason exists, employees should refrain from
putting any company information on their own networking sites.
And be VERY careful what you post.
Slide 16
Safe Social Networking
Joan keeps in touch with a wide variety of friends on Facebook, many of
them bank customers. Occasionally a friend will post on Joan's wall,
asking her about the loan rates on mortgage loans.
Slide 17
Safe Social Networking
Joan always says she can't discuss bank business on Facebook, and
encourages them to come into the bank. She then notifies Mark Etting,
who finds a way to meet Joan's friends.
Slide 18
Abuse of AUP
Joe was asked about loan pricing once. He replied that his bank always
has the best prices, and to give his name when they go talk to Joan
Department. She has a crush on Joe and will sharpen her pencil for you.
And stay away from that Mark Etting jerk.
Slide 19
Safe Social Networking
Joe participates in a LinkedIn group about information security policy,
and has posted questions about social networking policy and how to
monitor social networking sites. He has been careful not to mention any
employee names or frustrations he has with the problem.
Slide 20
Abuse of AUP
Joan was really upset by a customer who came into the bank at 4:55 p.m.
and made her stay to fill out a loan application. On her Myspace page,
she put "my pet peeve is customers who come into the bank right before
we close."
Slide 21
Social Networking Sites
Posting information about bank customers is prohibited without prior
authorization from the Information Security Officer (Name Here).
Slide 22
Safe Social Networking
Joan took a lot of pictures at the recent Customer Appreciation Event.
She asked her Information Security Officer for permission to post them
on the bank's Facebook page.
Slide 23
Abuse of AUP
Perci had to handle yet another difficult customer today. Since it's
against policy to access Facebook from her workstation, she gets out her
new iPhone and tweets "That Rusty Garajki is a BIG JERK."
Slide 24
Social Networking Guidelines
Anything about the bank that is not information found in a typical
resume should be handled very carefully.
Employees must recognize, prior to putting any bank information on a
website, that this information will be available indefinitely and could
injure the bank's reputation.
Slide 25
Safe Social Networking
Perci is a strong believer in maintaining a strong network of business
associates and has found LinkedIn to be a helpful tool in this endeavor.
She lists herself as Personnel Director at the bank, but does not
include bank e-mail addresses or phone numbers in her profile.
Slide 26
Safe Social Networking
Mark's making good money at the bank but is always open to potential
opportunities. He has a detailed resume on Monster.com, as well as one
on craigslist.com. His resume is only available to qualified job
offerings.
Slide 27
Abuse of AUP
On Mark's Myspace page he has the following post: "I'm getting out of
this place. It's no secret we're going broke. Watch me get fired for
writing that. It's PUBLIC INFORMATION, idiots!"
Slide 28
Social Networking Guidelines
As such, any postings which do not exude good professional judgment may
be grounds for disciplinary action and employees may be asked to remove
information from websites whenever possible.
As an employee of the bank, you agree that what you post on the Internet
is similar to what you would say in a public meeting, and thus...
Slide 29
And thus...
You agree that you may be held accountable for the content of your
postings.
Slide 30
Meanwhile, while at home...
Slide 31
Especially on social media sites, understand what you're getting
into before you actually get into it! Read Privacy Statements.
Slide 32
And review them regularly. Review Privacy Settings.
Slide 34
Facebook Data Classifications
Everyone: Anybody can see it; they don't have to be your friends first.
Slide 35
Facebook Data Classifications
Everyone: Anybody can see it; they don't have to be your friends first.
Friends of Friends: Still public because of the "7 degrees of
separation" phenomenon.
Slide 36
Facebook Data Classifications
Everyone: Anybody can see it; they don't have to be your friends first.
Friends of Friends: Public information.
Friends Only: Because of indiscriminate friending, this can still be
dangerous.
Slide 37
Facebook Data Classifications
Everyone: Anybody can see it; they don't have to be your friends first.
Friends of Friends: Public information.
Friends Only: Still dangerous.
Other: Whitelisting approach; you get to choose who sees your posts.
Slide 38
Data Classification at Bank
Other: Whitelisting posts is about the only kind of posting that we
would consider to be confidential. Thus, anything about the bank will be
governed by the Acceptable Use Policy. It's best to just assume that
anything about the bank is governed by the AUP.
Slide 47
Beware orchestrated attacks...
We have made guidelines for safe social networking available because
there are a lot of personal vulnerabilities in your use of these sites.
If you DO have any questions about this, feel free to talk to the ISO or
your supervisor individually.