IS‐906: Workplace Security Awareness FEMA course - liabilityissue/Information-Assurance GitHub Wiki

DISCLAIMER THIS INFORMATION CAME DIRECTLY FROM THE FEMA WEBSITE FOR THE CONTINUITY TRAINING. IT HAS BEEN EDITED TO AN EXTENT

Components of Risk

  • Threat - A natural or manmade occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment, and/or property.
  • Vulnerability - Physical features or operational attributes that render an entity open to exploitation or susceptible to a given hazard. Vulnerabilities may be associated with physical factors (e.g., a broken fence), cyber factors (e.g., lack of a firewall), or human factors (e.g., untrained guards).
  • Consequence (Impact) - The effect of an event, incident, or occurrence. For the purposes of the National Infrastructure Protection Plan, consequences are divided into four main categories: public health and safety, economic, psychological, and governance impacts.

Access and Security Control Threats

  • The first threat to the workplace is unauthorized access to sensitive areas or information by persons, equipment, or materials. It is important to secure access points by:
      • Limiting the number of access points.
      • Using appropriate locks (e.g., padlock, keyed cylinder, or electronic entry control system).
      • Controlling doors and other entrances.
      • Restricting access to key assets, roofs, and heating, ventilation, and air conditioning (HVAC) systems.
      • Using access identification systems such as employee badges, card readers, keypads, and biometric identification.
      • Posting signs at access points and restricted access areas.

Visitors

  • Nonemployees should wear a visitor's badge and should be escorted at all times. For more information on the specific security policies for your workplace, please refer to your organization's security officer or management representative.
  • If your workplace does not use an ID badge system, follow your appropriate recognition methods (for example, vest, hat, or uniform) and apply the recognition procedures and reporting requirements taught in this course.

Unknown Individuals

  • You should challenge unknown or suspiciously behaving people that you encounter within a secured area if they:
      • Are not accompanied by someone you recognize.
      • Are not wearing appropriate identification.
      • Have an appearance that is inconsistent with the workplace dress code.
      • Seem lost or are asking for directions to specific areas.

Challenging Unknown Individuals

  • Maintain a safe distance of at least three steps (10 feet) between yourself and the person you are challenging.
  • Be persistent in your questioning.

Criminal and Terrorist Threats

  • All organizations, from hotels, banks, and grocery stores to manufacturing plants and nonprofit organizations, can be venues for criminal or terrorist activities.
  • Be alert to any persons who behave suspiciously or engage in unusual actions; these behaviors may be indications of criminal or terrorist activity. Make sure that you:
      • Understand how criminals or terrorists could use your facility for their own purposes.
      • Promptly alert your security personnel, management, and appropriate authorities when you see suspicious behavior or items, or unusual activity.
      • Report something if it looks or feels wrong. Security is everyone's responsibility.

Suspicious Behaviors

  • Nervous behavior, evasive attitudes, or undue concern with privacy by guests or visitors.
  • Attempts to gain access to restricted areas.
  • Individuals taking notes, pictures, or videos of facility.

Unusual Events or Suspicious Items

  • Changed or unusual situations around your workplace such as tampered HVAC units, abandoned vehicles, damaged fence line, or missing property.
  • Suspicious packages or items, especially:
      • Large amounts of unusual substances (e.g., acetone, peroxide, or drain cleaner).
      • Fumes, odors, or liquids coming from the package.
      • Disassembled electrical components such as wires, circuit boards, or batteries.
      • Plans, drawings, schematics, or maps.

Unattended or Suspicious Vehicles

  • Unattended or suspicious vehicles. Abandoned vehicles may be used to hide suspicious or stolen items, or worse, they could be a vehicle-borne improvised explosive device (VBIED) containing explosives for use in a terrorist act.
  • Changes in vehicle patterns. Common vehicles such as mail trucks, delivery trucks, buses, or taxis may be suspicious during certain times of day—for example, a second mail delivery, an idle delivery truck, a bus on a different route, or a taxi circling the building numerous times.
  • Report abandoned vehicles parked on the property or adjacent to your facility. Be on the lookout for private vehicles loading or unloading unusual or suspicious items on or around the property.
  • Be alert for familiar vehicles arriving at an unusual, unscheduled, or inappropriate time.
  • Report your observations to security personnel or an appropriate supervisor immediately.
  • Observe and, if possible, write down the vehicle's license plate number and description (make, model, color, body damage, bumper stickers, and accessories).

Bomb Threat Procedures

  • Keep calm.
  • Keep the caller on the line as long as possible.
  • Record every word spoken by the caller on a form such as the sample bomb threat checklist (see next screen).
  • Obtain as much information as possible about the caller's threat without antagonizing or threatening the caller.
  • Pay particular attention to peculiar background noises and to anything you can glean from the caller's voice, such as gender, accent, and speech pattern.
  • Report the incident immediately to the security officer, management representative, and/or your supervisor.

Suspicious Mail and/or Package

  • Be alert for:
      • Letters that include a threat or have suspicious contents such as white powder or pictures of the workplace.
      • Packages with oil or grease spots, an inaccurate address, or excessive postage and/or packaging.
  • If you encounter a suspicious mail item or package:
      • Isolate the item. Do not open or handle it yourself.
      • If you do open an item that contains a suspicious substance, evacuate the area and immediately wash your hands with soap and water.
      • Contact your management or security personnel.
      • Do not destroy written threats or envelopes in which they are received unless directed to do so by your management or security procedures.

Theft and Diversion

  • Theft is an unlawful or unauthorized acquisition, by force or stealth:
      • By an insider (member of staff) or by an outsider (someone who is not a member of the staff).
  • Diversion is an unlawful or unauthorized acquisition, by fraud or deceit.

Workplace Violence

  • A current or former employee or an acquaintance of a current or former employee may have the potential to carry out violent behavior at your workplace.

Indicators of Potential Violence

  • Depression/withdrawal.
  • Repeated violations of company policies.
  • Explosive outbursts of anger or rage without provocation.
  • Behavior that may suggest paranoia (e.g., “everybody is against me”).
  • Escalation of domestic problems into the workplace.
  • Talk of severe financial problems.
  • Talk of previous incidents of violence.

Information and Cyber Threats

  • Your workplace may use computers to manage day-to-day operations. Organizations control access to computers through computer accounts and passwords. If an unauthorized person obtains the account name and/or password, the security process can fail.

Personally Identifiable Information

  • Personally identifiable information (PII) is any information that permits the identity of an individual to be inferred directly or indirectly. PII includes any information that is linked or linkable to that individual, regardless of whether the individual is a U.S. citizen, a legal permanent resident, or a visitor to the United States.
  • If you collect PII:
      • Apply the "need to know" principle before disclosing PII to other personnel.
      • Challenge the need for the requested PII before sharing.
      • Consider PII materials for official use only.
      • Limit the collection of PII for authorized purposes only.

Safeguarding Information

  • Store sensitive information in a room or area that has access control measures to prevent unauthorized access by visitors or members of the public (e.g., locked desk drawers, offices, and file cabinets).
  • Never email sensitive information to unauthorized individuals.
  • Never leave sensitive information on community printers.
  • Take precautions to avoid the loss or theft of computer devices and removable storage media.
  • Destroy all sensitive information by appropriate methods (e.g., burn bag or paper shredder) when it is no longer needed.
  • Notify your immediate supervisor if you suspect or confirm that a privacy incident has occurred.

Information Security

  • Put a date and time in your diary or calendar to clear your paperwork.
  • Use secure recycling bins for office paper that is no longer needed.
  • Do not print emails unnecessarily.
  • If possible, handle any piece of paper only once—act on it, file it, or dispose of it.
  • Consider scanning paper items and storing them on the hard drive of your computer.
  • Always clear your desktop or workspace before you go home.

Cybersecurity Protective Measures

  • Firewalls and virus protection systems.
  • Password procedures.
  • Information encryption software.
  • Computer access control systems.
  • Computer security staff background checks (at initial hire and periodically).
  • Computer security staff training and 24/7 on-call technical support.
  • Computer system recovery and restoration plans.
  • Intrusion detection systems.
  • Redundant and backup systems, and offsite backup data storage.

Strong Passwords

  • You should never give your password to anyone, and you should create a strong password that:
      • Includes a minimum of eight characters with a combination of:
          • Alpha characters in both uppercase and lowercase;
          • Numbers; and
          • Special characters (- ! @ # $ % ^ & * ( ){ } [ ] | + \ - < > ? /) or alternate alpha characters.
      • Does not consist solely of a dictionary word in any language, proper noun, name of person/child, pet, or fictional character.
      • Does not use information that a hacker could easily obtain or guess about you, such as a Social Security number, serial number, birth date, or telephone number.
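The rules above are easy to state but easy to get wrong when checked by hand, so here is an added example (not part of the FEMA course or this wiki) that turns them into a policy checker: minimum length, the four character classes, a dictionary-word test, and a test for personal details the user supplies. The word list and the sample personal details are constructed stand-ins; a real deployment would load a full word list and, as a practical caveat, add a check against known-breached passwords, since composition rules alone do not stop reuse of a leaked password.

```python
"""Password policy checker for the IS-906 strong-password rules.

Added example, not code from the FEMA course or this wiki.
"""
import re

# The special characters named in the course rule (backslash escaped for Python).
SPECIAL_CHARS = set("-!@#$%^&*(){}[]|+\\<>?/")

# Constructed stand-in for a dictionary / proper-noun / pet-name list.
# Assumption: the course names no specific list; a real deployment loads a full one.
WORD_LIST = {"password", "welcome", "summer", "dragon", "fluffy", "gandalf", "john"}


def _normalize(text: str) -> str:
    """Lowercase and drop separators so '555-1234' and '5551234' compare equal."""
    return re.sub(r"[^0-9a-z]", "", text.lower())


def check_password(password: str, personal_info=(), word_list=WORD_LIST):
    """Return the list of rule names the password violates (empty list = compliant).

    personal_info: strings an attacker could easily learn about the user
    (birth date, phone number, serial number, ...) that must not appear in the password.
    """
    failures = []
    if len(password) < 8:
        failures.append("min_length_8")
    if not any(c.isupper() for c in password):
        failures.append("uppercase")
    if not any(c.islower() for c in password):
        failures.append("lowercase")
    if not any(c.isdigit() for c in password):
        failures.append("number")
    if not any(c in SPECIAL_CHARS for c in password):
        failures.append("special_char")

    # "Does not consist solely of a dictionary word": this example compares the
    # alphabetic part only, so 'Password1!' (a word with a digit and symbol
    # tacked on) is still flagged. That stricter reading is the example's choice.
    letters_only = "".join(c for c in password.lower() if c.isalpha())
    if letters_only and letters_only in word_list:
        failures.append("dictionary_word")

    # Easily guessed personal information: reject if any supplied item
    # (separators removed, at least 4 characters) appears inside the password.
    norm_pw = _normalize(password)
    for item in personal_info:
        norm_item = _normalize(item)
        if len(norm_item) >= 4 and norm_item in norm_pw:
            failures.append("personal_info")
            break
    return failures


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    samples = [
        ("password", []),
        ("Password1!", []),
        ("Abc5551234!", ["555-1234"]),      # phone number embedded
        ("Tr0ub4dor!&", ["555-1234"]),
    ]
    for pw, info in samples:
        result = check_password(pw, personal_info=info)
        print(f"{pw!r}: {'OK' if not result else 'fails ' + ', '.join(result)}")
```

Call `check_password` at account-creation and password-change time and show the user the failed rule names rather than a bare "rejected"; the empty list means every rule on the page passed.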