2.7 Security 19. Information Security Awareness
27.19 Information Security Awareness:
1. Every company has a legal obligation to provide adequate information security awareness training to its staff. The UK Information Commissioner's Office may impose fines on companies that do not comply with UK data protection law.
2. Each approved person is personally responsible for all data processed by their computer session from the time they sign in to the time they sign out. It may be wise for a company to grant a person authentication rights to an application service only after that person's information security awareness skills have been shown to be adequate.
3. Application Service Provider does not provide any software and does not recommend any software, because all programs have security vulnerabilities. Each person is free to use any browser, including Microsoft Edge, Google Chrome, Microsoft Internet Explorer, Apple Safari, Opera, Amazon Silk, Mozilla Firefox or any other.
4. Not every approved person will know how to manage an application service that lets them work on many separate web pages at the same time. While a person is working on one procedure, an interruption can be handled by using other web pages to complete another procedure before returning to the original procedure within one hour (after an hour without activity the original page expires). Multiple web pages allow data to be placed side by side for comparison and copied and pasted between pages. The productivity that comes from using multiple web pages creates the need to close pages once they are no longer needed.
5. Approved people with inadequate security awareness may be the most significant threat to bespoke application services. As the security skill shortage grows, so does the threat of an accidental or negligent data breach. As security awareness improves, the insider threat to business data reduces and people become much more productive.
2. Glossary:
1. Public web pages do not contain any confidential business information and pose no security concern.
2. Private web pages contain personal, confidential and sensitive business information that must be processed in compliance with UK data protection and security regulations.
3. Expiry is a security method that prevents private business data being read by a criminal from an unattended screen: a private page is shown for no more than one hour without activity.
4. Sign-Off is a security method that prevents a criminal reusing a person's authentication rights between the time the person signs in and the time they sign out; once the session is signed off, a captured session identity no longer works.
5. Program is any one of many vulnerable browsers; if one browser does not work, use a different browser.
6. Container is a security method that makes it harder for a criminal to copy business data from a table or form by delivering that data as separately fetched parts of the page (browser containers) rather than as a complete page.
7. Phishing is a criminal impersonation or intimidation attack by telephone or email. Every business electronic communication must be assumed to be a phishing attack until proven otherwise using other secure methods.
How to stay safe: don't buy, don't try and don't reply.
3. Business Rules:
1. Every private web page is designed to expire at midnight.
2. Every signed-in session is designed to be signed off at midnight.
3. Every private web page is designed with an expiry or refresh time, without exception. This prevents private data being displayed for a month, which would be a clear security breach.
4. Every popup private business data page is designed to expire after one hour without being refreshed. An expired page may be closed, or left open for as long as the local computer has enough memory to sustain an unused web page; a computer with a large number of unused pages open at the same time may eventually run out of memory and stall. An expired page does not terminate a person's session and does not force the person to sign in again.
5. Every private dashboard (and welcome page) is designed to refresh itself automatically every hour between 07:00 and 18:59 and then to sign off after an hour without being refreshed. The signed-off page terminates the person's session and keeps the person's authentication rights safe from criminals.
6. Public web pages, like this page, never expire and never sign off; a public web page may be displayed for a month or more with no security concern.
7. When a person signs in and when a person signs out is recorded, and that information is shared with others. People who persistently fail to sign off may be recommended for additional information security awareness training.
4. Phishing:
1. Every business telephone call and email must be assumed to have been sent by a criminal impersonating another person. Every business telephone call in which the caller uses intimidation to demand information or action must be assumed to come from a criminal pretending to be someone they are not.
2. Criminals make a lot of money every day by sending out very large numbers of emails in the hope that just one person will be fooled into clicking on a link that silently downloads malware. Without anybody noticing, malware can copy all business data from all connected computers and send it to the criminal. Ransomware is the alternative: all connected computer data is encrypted and the company is blackmailed into paying a ransom to have its own data decrypted.
3. When making a telephone call, assume that everything said will be copied by many agencies in many countries and could become tomorrow's headline news. No private, confidential or sensitive information must ever be communicated by a public telephone call.
4. When viewing an email message, understand that each and every part of that email may have been cloned by a criminal from the thousands of previous emails they have been able to copy. Never reply to an email using the reply button; always send a new email to a real email address that has been verified to be complete and correct. Never open an email that is addressed to more than one person: it is a chain letter aimed at intimidating the few vulnerable people who get caught up in its web of lies and deceit.
5. Electronic communications may be stored for the next 20 or 40 years before the content is used against a person. A person can be blackmailed by diligently adding or changing the occasional adjective in an email authored 20 years earlier, so that it is engineered to read as objectionable, racist, sexist and unacceptable to the prevailing culture. When hundreds of slightly modified emails are released, a person's professional career can be significantly impacted and their relationships with friends put under strain.
6. A significant factor about all electronic communication is that it survives forever; a person's children and their children may have to suffer from what was said as a joke many generations earlier. Cultures change, and what was acceptable 40 years ago may no longer be acceptable and could be used by criminals to blackmail vulnerable people.
7. It can be assumed that competitors have access to most emails, attachments and phone messages and that such information is for sale on the Internet. One reason a competitor is always able to undercut prices, anticipate new product launches and hire the best people is that most companies have leaky electronic communications with no encryption. A few very successful companies have taken full advantage of the digital age, have deployed encrypted person-to-person electronic communication and do not leak business data by telephone and public email.
5. Physical Security:
1. Every company has a duty of care to protect the physical security of its people and their families. Risks and threats to people from criminals are minimised by increased information security awareness.
2. People and their families are protected from criminal attack by ensuring that authentication rights to process business data are not extended to home computers on home networks during unusual hours. Continual monitoring of every request protects people by preventing unusual and criminal behaviour.
3. Because system administrators are under threat of criminal attack, nobody is assigned special authentication rights to bypass encryption or to physically access business data. All business data is heavily encrypted and continually replicated to a swarm of physically secure data centers with dedicated racks of servers in remote locations.
4. Data sovereignty is meaningless because, with this degree of encryption, the data cannot be shown to be readable in any particular physical place. Asking where the data is located is not logical because the encrypted data is continually replicated to a swarm of data centers where it is unreadable, meaningless and worthless. Note that encryption does not remove the obligations that UK data protection law attaches to personal data; where personal data is stored and transferred still has to be accounted for.
5. Backup of data is meaningless because all data is continually replicated to a swarm of physically secure data centers; it is not plausible that all data centers could fail at the same time. If a data center becomes unavailable, business continues with application services provided by other data centers. Note that replication protects against the loss of a data center; it does not by itself protect against a deletion or corruption that is replicated to every copy.
6. Maintenance downtime is meaningless because programming has been reduced towards zero. Application services based on artificial intelligence technology are designed never to stop, and cannot be stopped, because they run continually in a large number of remote data centers.
6. Business Email Rules:
1. A business email must never ask a person to disclose any Personally Identifiable Information (PII).
2. A business email must never give a person an email address or telephone number to reply to.
3. Every reply to a business email must be ignored.
4. A business email must never ask for money, offer money or discuss any financial matter. A business invoice is a normal and expected transaction, not an unsolicited business email message.
5. A business email must never include an attachment of any kind.
6. A business email must never disclose any private, confidential, sensitive or personal information. Never comment on a person's holiday, health, wealth, beliefs or family matters.
7. A business email must never be sent to more than one person.
8. A business email must never ask a person to download a program or patch any software.
9. A business email is just an optional reminder to nudge a person to sign in and view their business messages using encrypted, safe and secure communications.
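The rules above can be checked mechanically on the way out of a mail gateway, and rule 3 on the way in. The checker below is an added example written for this page, not the application service's own tooling: the keyword lists, the telephone and email address patterns, and the three messages are constructed assumptions that a real deployment would tune to its own traffic. It uses only the standard library email parser.

```python
"""Checker for the Business Email Rules. Added example, not the application
service's own tooling: keyword lists, patterns and the sample messages are
assumptions constructed for illustration."""
import re
from email import message_from_string
from email.policy import default
from email.utils import getaddresses

PII_TERMS = ("password", "date of birth", "national insurance", "account number", "card number")
MONEY_TERMS = ("payment", "bank transfer", "pay now", "refund", "prize")
SOFTWARE_TERMS = ("download", "install", "patch", "update your software")
PHONE_RE = re.compile(r"(?:\+44|\b0)\d[\d ]{8,}\d")  # UK-style numbers, spaces allowed
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def is_reply(raw):
    """Rule 3: every reply to a business email is ignored, so detect replies up front."""
    msg = message_from_string(raw, policy=default)
    subject = (msg["Subject"] or "").strip().lower()
    return subject.startswith("re:") or msg["In-Reply-To"] is not None or msg["References"] is not None


def check_business_email(raw):
    """Return the (rule number, reason) pairs a message violates; an empty list means it passes."""
    msg = message_from_string(raw, policy=default)
    violations = []
    recipients = getaddresses([str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])])
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    if any(term in text for term in PII_TERMS):
        violations.append((1, "asks for personally identifiable information"))
    if EMAIL_RE.search(text) or PHONE_RE.search(text):
        violations.append((2, "gives an email address or telephone number to reply to"))
    if any(term in text for term in MONEY_TERMS):
        violations.append((4, "discusses money"))
    if any(True for _ in msg.iter_attachments()):  # parts not usable as the body
        violations.append((5, "carries an attachment"))
    if len(recipients) > 1:
        violations.append((7, "sent to %d people" % len(recipients)))
    if any(term in text for term in SOFTWARE_TERMS):
        violations.append((8, "asks to download or patch software"))
    return violations


# Constructed samples. NUDGE follows rule 9; SUSPECT breaks six rules at once.
NUDGE = """\
From: no-reply@example.test
To: alice@example.test
Subject: New business messages are waiting

Three new business messages are waiting. Sign in to the application service to read them.
"""

SUSPECT = """\
From: accounts@example.test
To: alice@example.test, bob@example.test
Subject: Urgent: your account is suspended
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your payment failed. Call 0800 123 4567 or reply with your password
and date of birth. Download the attached patch to restore access.
--b1
Content-Type: text/plain; name="patch.txt"
Content-Disposition: attachment; filename="patch.txt"

not really a patch
--b1--
"""

REPLY = """\
From: alice@example.test
To: no-reply@example.test
Subject: Re: New business messages are waiting
In-Reply-To: <1234@example.test>

Thanks, done.
"""

if __name__ == "__main__":
    print("nudge:", check_business_email(NUDGE))
    print("suspect:", check_business_email(SUSPECT))
    print("reply ignored:", is_reply(REPLY))
```

Rule 6 (no personal comments) is deliberately not scored: there is no keyword test that distinguishes a remark about a person's health from a legitimate business sentence, so that rule stays a matter for the person writing the email.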
7. Containers:
1. While a dashboard, report or document is processed as a normal web page, business data in tables, lists and forms is presented as the content of a container. The browser container enables part of the web page to be refreshed and renewed without changing the whole page. Because only some of the business data changes, it is much harder for a criminal who intercepts the traffic to work out what business data has been changed.
2. The primary benefit is a significant performance improvement, as the amount of data downloaded by any transaction is minimised. The facilities known as Web 2.0 deliver real usability benefits when container technology is deployed.
3. While security is not the primary benefit, containers happen to provide an extra layer of security that adds to the cost of a criminal trying to hack into the business data. Specifically, if a criminal manages to copy a URL, that URL cannot be used to show business data on its own, because the browser container it belongs to will not exist for the criminal. This depends on the server checking every container request against the person's session; a container URL that returned data without that check would be the same breach as a full page.
8. Session Management:
1. Criminals understand sessions and will try to capture a person's session identity, especially when the person has closed their browser without signing off first. No private web page will be shown once a person's session has been terminated, whether by the person signing off or by the automatic one-hour sign-off procedure. It makes no difference what kind of refresh has been applied to a web page; a refresh will not be permitted to show any private data after the session has been terminated.
2. Public web pages, including guides, can be shown at any time regardless of a person's session. Public web pages and guide pages do not expire, do not refresh and can be shown at any time of the day or night, subject to geo-location constraints.
3. Each dashboard (including welcome pages) automatically refreshes every 40 minutes from 7am to 7pm and then signs off after one hour without being refreshed. Sheets and forms do not need to expire because they no longer work after the person's session has been terminated. Sheets and forms would pose a data security threat if they were left showing business data after a person has left their computer.
4. Rationale: if a private web page shown at 9am had no refresh clause, that web page could still be showing at 9am the next day or many days later. Continuing to show business data overnight, when it can be assumed that the computer screen is unattended, should be classified as a data breach. After midnight, all buttons and links would only show the home page, but the web page could still be showing critical business data over a weekend. For this reason, no private web page is ever shown without some kind of automatic refresh or expiry.
5. Public web pages are shown without any refresh clause or session control; public data may be shown for the next week or more.
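The expiry, sign-off and container rules of sections 3, 7 and 8 can be modelled in a few dozen lines of server-side code. The model below is an added example written for this page, not the application service's own code: the SessionStore and Session classes, the one-hour idle limit, the hourly 07:00 to 18:59 dashboard refresh (section 3; section 8 gives 40 minutes, which is the same parameter with a different value) and the timeline in walkthrough() are all assumptions made for illustration. It shows the property that section 8 relies on: once a session has been signed off, whether by idle timeout or at midnight, any refresh returns only the home page, and a container token copied out of a page shows nothing without the live session that issued it.

```python
"""Private-page expiry and session sign-off rules, modelled server-side.
Added example, not the application service's own code: class names, the
one-hour and 07:00-18:59 parameters and the timeline are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, time
from typing import Optional
import secrets

IDLE_LIMIT = timedelta(hours=1)            # one hour without a refresh signs the session off
REFRESH_HOURS = (time(7, 0), time(19, 0))  # dashboards refresh themselves only in this window
REFRESH_EVERY = timedelta(hours=1)         # section 3 says hourly; section 8 says 40 minutes
HOME_PAGE = {"page": "home"}               # all that a terminated session is ever shown


@dataclass
class Session:
    person: str
    signed_in_at: datetime
    last_activity: datetime
    signed_out_at: Optional[datetime] = None
    containers: set = field(default_factory=set)  # container tokens issued to this session


class SessionStore:
    def __init__(self):
        self.sessions = {}  # session identity -> Session
        self.audit = []     # (event, person, when): the sign-in/sign-off record of section 3 item 7

    def sign_in(self, person, now):
        sid = secrets.token_urlsafe(32)  # unguessable session identity
        self.sessions[sid] = Session(person, now, now)
        self.audit.append(("sign-in", person, now))
        return sid

    def sign_off(self, sid, when, reason="person"):
        s = self.sessions.get(sid)
        if s is not None and s.signed_out_at is None:
            s.signed_out_at = when
            self.audit.append(("sign-off:" + reason, s.person, when))

    def live(self, sid, now):
        """Return the session if it is still valid; otherwise terminate it and return None."""
        s = self.sessions.get(sid)
        if s is None or s.signed_out_at is not None:
            return None
        if now.date() > s.signed_in_at.date():  # every session is signed off at midnight
            midnight = datetime.combine(s.signed_in_at.date() + timedelta(days=1), time(0, 0))
            self.sign_off(sid, midnight, "midnight")
            return None
        if now - s.last_activity > IDLE_LIMIT:   # one hour without a refresh
            self.sign_off(sid, s.last_activity + IDLE_LIMIT, "idle")
            return None
        return s

    def render_private(self, sid, page, now):
        """A private page, or any kind of refresh of one; the response always carries an expiry."""
        s = self.live(sid, now)
        if s is None:
            return HOME_PAGE
        s.last_activity = now
        token = secrets.token_urlsafe(16)  # container token for the page's tables and forms
        s.containers.add(token)
        return {"page": page, "container": token, "refresh_in": auto_refresh_after(now)}

    def render_container(self, sid, token, now):
        """A container request: a copied URL shows nothing without the live session it was issued to."""
        s = self.live(sid, now)
        if s is None or token not in s.containers:
            return None
        s.last_activity = now
        return {"container": token, "rows": ["constructed business data"]}


def auto_refresh_after(now):
    """Seconds until a dashboard refreshes itself, or None outside 07:00-18:59; without the
    refresh the idle rule signs the session off one hour later."""
    if REFRESH_HOURS[0] <= now.time() < REFRESH_HOURS[1]:
        return int(REFRESH_EVERY.total_seconds())
    return None


def walkthrough():
    """Constructed timeline exercising each rule; returns what each request was shown."""
    store = SessionStore()
    day = datetime(2017, 2, 11)
    sid = store.sign_in("alice", day.replace(hour=9))
    first = store.render_private(sid, "dashboard", day.replace(hour=9))
    kept = store.render_private(sid, "dashboard", day.replace(hour=9, minute=59))
    # a criminal replays the container token without alice's session identity
    stolen = store.render_container("not-a-live-session", first["container"], day.replace(hour=9, minute=5))
    after_idle = store.render_private(sid, "dashboard", day.replace(hour=11, minute=30))
    late = store.sign_in("bob", day.replace(hour=23, minute=30))
    next_day = store.render_private(late, "sheet", day.replace(day=12, hour=0, minute=10))
    return {
        "first_ok": first != HOME_PAGE,
        "kept_ok": kept != HOME_PAGE,
        "refresh_in_morning": first["refresh_in"],
        "refresh_at_night": auto_refresh_after(day.replace(hour=19)),
        "stolen_container": stolen,
        "after_idle": after_idle,
        "next_day": next_day,
        "events": [event for event, _, _ in store.audit],
    }
```

The check that matters is that live() runs on every request, container requests included, and that nothing is rendered from a session it has rejected; the client-side refresh timer only decides when the next request is made, never whether data is shown.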
Document Control:
1. Document Title: Information Security Awareness.
2. Reference: 162719.
3. Keywords: Information Security Awareness.
4. Description: Information Security Awareness.
5. Privacy: Public education service as a benefit to humanity.
6. Issued: 11 Feb 2017.
7. Edition: 1.2.