Information Security

Purpose

Our information security policies were created to help us protect:

  • Our clients’ data and intellectual property
  • Innolitics’ data and intellectual property
  • Protected health information that we may come into contact with during our work

Learning Material

Please carefully read (or re-read) our Information Security policies in our company handbook.

Read this HHS Letter about Phishing Attacks.

Read through the Risk Analysis in our company’s HIPAA procedure document. (Note that there is no need to read other sections.)

Exercises

To learn as much as possible from these exercises, write your responses before revealing the provided answers. If any exercises seem irrelevant, you can skip them and instead write a justification as to why they are unimportant. These justifications will help us improve the lesson for future employees.

Exercise 1

Confirm that your master password for 1Password meets our definition of a “secure password” and is not written down anywhere. If it doesn’t, change it so that it does. In particular, note that it must be unique.

Exercise 2

Confirm that your email password meets our definition of a “secure password” and is not written down anywhere. If it doesn’t, change it so that it does. In particular, note that it must be unique.

Exercise 3

Confirm that your workstation requires a password, fingerprint, or facial recognition to unlock. If it doesn’t, set this up.

Exercise 4

Confirm that your workstation automatically locks after one hour of inactivity. If it doesn’t, set this up.

Exercise 5

What should you do if David emails asking for your 1Password master password, then you ping him in Slack, and he confirms that he wants it?

Answer

Call Yujan and tell him that David’s email and Slack accounts have been hacked.

Exercise 6

Confirm that your hard drive is encrypted. If it isn’t, set this up.

Setup for macOS

You can read about FileVault here.

Exercise 7

Confirm that your workstation automatically checks for and installs security updates for your operating system. Alternatively, you must set up a system that reminds you to apply security updates manually once each quarter and produces a record that you did so.

Exercise 8

If you use SSH to access remote servers, confirm that you have a different SSH key for each workstation and that each SSH key is protected by a passphrase.
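One way to automate the passphrase half of this check, as an added example that is not part of the lesson: a POSIX shell script that inspects each private key under `~/.ssh` and reports any whose on-disk format shows no passphrase protection. The function names, the directory layout and the sample key files are constructed for illustration; the script only reads file headers and never decrypts anything.

```shell
#!/bin/sh
# Added example (not part of the lesson): report SSH private keys that are not passphrase-protected.

# Classify one private key file by its on-disk format.
# Prints "protected", "unprotected" or "unknown".
ssh_key_protection() {
  key="$1"
  if grep -q '^Proc-Type: 4,ENCRYPTED' "$key"; then
    echo protected                # legacy PEM key carrying a DEK-Info header
  elif grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$key"; then
    echo protected                # PKCS#8 key encrypted under a passphrase
  elif grep -q 'BEGIN OPENSSH PRIVATE KEY' "$key"; then
    # The second line base64-encodes "openssh-key-v1\0" followed by the cipher name.
    # "b3BlbnNzaC1rZXktdjEAAAAABG5vbmU" decodes to a cipher name of "none": no passphrase.
    if sed -n '2p' "$key" | grep -q '^b3BlbnNzaC1rZXktdjEAAAAABG5vbmU'; then
      echo unprotected
    else
      echo protected
    fi
  elif grep -q 'BEGIN .*PRIVATE KEY' "$key"; then
    echo unprotected              # plain PEM key with no encryption marker
  else
    echo unknown
  fi
}

# Walk a directory (default ~/.ssh), print one line per private key, and
# return 0 only if every key found is passphrase-protected.
audit_ssh_dir() {
  dir="${1:-$HOME/.ssh}"
  rc=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    case "$f" in *.pub|*known_hosts*|*/config|*authorized_keys) continue;; esac
    grep -q 'PRIVATE KEY' "$f" 2>/dev/null || continue
    status=$(ssh_key_protection "$f")
    echo "$f: $status"
    [ "$status" = protected ] || rc=1
  done
  return $rc
}
```

This is a header heuristic; the authoritative test for a given key is that `ssh-keygen -y -P '' -f <key>` fails, which shows the key cannot be loaded without its passphrase.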

Exercise 9

Do you think any of our information policies are unnecessarily burdensome in general or for your situation?

Exercise 10

Do you think our risk analysis had any large gaps?

Exercise 11

Do you think our information policy has any inappropriately large gaps? (Note that there will always be gaps; it’s just a matter of whether the gaps are too big.)

Continuous Lesson Improvement

Please help us make these lessons as relevant and up-to-date for future engineers as possible!

You can help in several ways:

  • Shorten or clarify the writing. We're all busy and less is more.
  • Ask if the purpose of the lesson is unclear. We want all of the lessons to seem useful.
  • Remove exercises or learning material that aren't useful.
  • Add more exercises, exercise answers, or learning material as appropriate.

You can quickly open the lesson page in the GitHub editor. Create a new branch and pull request and assign it to David.