Welcome to Information Technology: Security Awareness and Acceptable Use training for commonwealth employees.
The Commonwealth of Pennsylvania deploys tens of thousands of computers, telephones and mobile devices and provides state employees with access to millions of dollars of software and services to help serve the citizens of Pennsylvania.
These computers, telephones, mobile devices, software and services are funded by taxpayers and are intended to help conduct commonwealth business.
It is your responsibility to protect all commonwealth computers, telephones and mobile devices provided to you as well as the data they contain and the systems to which they connect.
After completing this training, you will be able to protect your:
• User name and password
• Computers and mobile devices
You will also be asked to read and acknowledge “Information Technology Acceptable Use Policy” – Management Directive 205.34.
• Don’t give your user name/password to a colleague to log in for you.
• Don’t give it to anyone temporarily filling in for your job duties.
• Don’t give it to a contractor or temporary employee.
• Don’t give it to anyone who is locked out of their own account.
• Don’t provide it in response to an unsolicited email request.
• Don’t enter it into any non-commonwealth Web sites.
• Don’t write your user name or password down.
• Don’t store it near your computer.
Never, under any circumstances, give your password to anyone, especially if you receive a request for it via email or over the phone. Commonwealth IT professionals will never ask for your password. If someone is asking for your password there is a 100% chance it is NOT legitimate.
The only time it’s OK to provide your user name is if you verbally affirm that you are speaking with an authorized information technology professional from your agency or from the Office of Administration’s Office for Information Technology. Remember: never give your password to anyone.
Commonwealth information technology professionals will always talk with you on the phone and will never ask you by e-mail to send your user name and password.
Password Policies
• The commonwealth requires that you change your computer password every 60 days.
• Commonwealth policies dictate a certain amount of complexity in your password—it must be at least eight characters long and contain at least three of the following types of characters: uppercase letters, lowercase letters, numbers or special characters.
• The value of this built-in safety is diminished when you use similar passwords with common characteristics, such as “Fluffy1” then “Fluffy2” followed by “Fluffy3.”
• Please choose your password carefully. Do not use your commonwealth password for any other accounts.
If you can avoid it, don’t open email from senders you don’t recognize. Delete it. Even if you recognize the sender, if the contents seem out-of-character or questionable, delete the email. Never, ever click on links, open attachments or download anything unless you’re 100% sure it is safe. Never respond to emails that ask for sensitive or personally identifiable information, like user names, passwords, employee ID numbers, bank account or credit card numbers, etc. Never enter sensitive information into a web page/form that you access by clicking on a link in an email. Likewise, do not enter sensitive information into an automated telephone system that you access using a phone number provided in an email.
Phishing is a broadly launched social engineering type of attack in which an electronic identity is misrepresented in an attempt to trick individuals into revealing personal credentials that can be used fraudulently against them.
Once the personal information is obtained, it is usually used for identity theft and other criminal activity.
Look for these common Phishing Phrases:
"Verify your account"
Reputable organizations will never ask you to send the following personal information through email:
• Social Security numbers
• Bank account numbers
• Driver's license numbers
• Email addresses
• Passwords
• Your full name
"If you don't respond within 48 hours, your account will be closed"
These messages convey a sense of urgency so that you'll respond immediately without thinking; they might even claim that you must respond because your account may have been compromised.
"Dear Valued Customer"
Phishing email messages are usually sent in bulk and often do not contain your first or last name.
And remember:
• NEVER respond to an email requesting personally identifiable information.
• NEVER click on links provided in email messages from unknown or untrusted sources.
• NEVER fill out fields included in the email message.
The Commonwealth of Pennsylvania, its information technology professionals, reputable financial service providers and legitimate charitable organizations will NEVER send unsolicited e-mail asking for sensitive data.
Never respond, no matter how credible or sophisticated the message seems.
Let your supervisor know if you get a questionable e-mail and what it contains.
You have a “Send Secure/Encrypt Message” button in your Microsoft Outlook e-mail.
If you use Outlook 2007, you must select the “Add-Ins” tab to access the button.
If you deal with sensitive data (for example, financial or health information, case management data, social security numbers, etc.), always click on “Send Secure/Encrypt Message” to send your e-mail.
If you’re not sure if you deal with sensitive data, ask your supervisor.
If you have questions about “Send Secure/Encrypt Message” functionality, ask your agency’s information technology office.
You should not use your work e-mail address for personal reasons or for non-work-related “subscription” type services.
Signing up for daily horoscopes, weather reports, sports updates, recipes and similar services substantially increases the risk that your e-mail address can get into the hands of cyber-criminals.
IMPORTANT!
All data and records—including those pertaining to computer use, Internet use, e-mail communication, voicemail communication, text messages and other electronic communication—whether sent, received, or stored, and the content of such communications are presumed to be the property of the commonwealth.
All files, data or records stored on or accessed through commonwealth IT resources and all electronic communication and access to commonwealth IT resources may be traced, audited and/or monitored with or without notice to the user. Agencies may use tracking, blocking, logging and monitoring software to investigate IT resource use.
Requests for records pertaining to IT resources must be addressed consistent with all laws, directives or policies that would apply to the same information if maintained in a non-electronic format. Keep in mind that the commonwealth is committed to operating a government that is transparent to its citizens—meaning that government information is often available to the public upon request.
Keep your computer and mobile devices and the data on them safe. It’s best to keep your mobile devices such as laptops, smart phones, tablets, and similar items with you. If they’re not with you, they should be locked up safely. Never leave your mobile devices unattended, unsecured or visible in places like your briefcase at an airport, an unlocked gym locker, or the seat of your car.
If your computer or mobile device is lost for even a short period of time or damaged in any way, it is critical that you contact your agency’s information technology office IMMEDIATELY. Do not delay for any reason.
Mobile devices such as laptops, tablets, smart phones, cell phones and similar items are small and can be easily lost. Remember, however, that these devices are powerful computers and can carry and access a wide range of commonwealth data.
The commonwealth’s IT Acceptable Use Policy also applies to the use of mobile devices. In addition, all commonwealth-issued and personally owned (BYOD) mobile devices connecting to the commonwealth network must adhere to the specific security requirements set by policy.
Double check with your agency’s IT department to ensure that your mobile devices—laptop computers, smart phones, tablets etc.—are properly configured for the type of device you have and data you access.
There are other precautions you must take to protect the commonwealth’s information.
• Secure your desktop computer by locking it when you step away from your desk for even a few minutes.
• Secure your work area by not letting anyone else enter without using their own credentials.
Let’s look at what can happen if your user name, password or email account is compromised.
For the safety of the commonwealth network, if your user name, password or e-mail account is compromised:
• Your commonwealth network account may be closed.
• You may be assigned a new account and e-mail address.
Consequences of being assigned a new account and e-mail address:
• Messages sent to the previous address will be returned to the sender as undeliverable. For security purposes, it is not possible to forward items from a previous address.
• You are likely to lose many of the customized features in your personal e-mail box.
• Your agency’s Chief Information Officer and Deputy Secretary for Administration may be notified.
Important things to keep in mind:
• Users are personally responsible for the security of authorized portable IT resources and must exercise care to ensure that these devices are not lost, stolen, or otherwise accessed in an unauthorized manner.
• All data and records, including those pertaining to computer use, Internet use, e-mail communication, voicemail communication, text messages and other electronic communication sent, received or stored on commonwealth IT resources are presumed to be the property of the commonwealth.
• All files, data or records stored on or accessed through IT resources and all electronic communication and access to commonwealth IT resources may be traced, audited and/or monitored, with or without notice to the user—including but not limited to all files stored on commonwealth computers, Internet activities, Internet website access, e-mail, voicemail and text messages.
• Authorized users may not attempt to access any data or programs contained on commonwealth systems for which they do not have authorization or explicit consent. Additionally, authorized users should take measures to protect the security of their data.
• The improper use of commonwealth IT resources may result in disciplinary action, including termination.
Please review “Information Technology Acceptable Use Policy” – Management Directive 205.34, ask your supervisor or agency’s IT department about anything that’s unclear, then affirm that you have received, understand and will abide by the policy by contacting your agency HR office.
This version of the course is intended for individuals who require an accommodation for a disability. Once you have fully reviewed the information in this training, contact your Human Resources Office to request credit for completing this course.
You will not receive credit for completing this course until you do so.