Our information security policies were created to help us protect:
Please carefully read (or re-read) our Information Security policies in our company handbook.
Read this HHS Letter about Phishing Attacks.
Read through the Risk Analysis in our company’s HIPAA procedure document. (Note that there is no need to read other sections.)
To learn as much as possible from these exercises, write your responses before revealing the provided answers. If any exercises seem irrelevant, you can skip them and instead write a justification as to why they are unimportant. These justifications will help us improve the lesson for future employees.
Confirm that your master password for 1Password meets our definition of a “secure password” and is not written down anywhere. If it doesn’t, change it so that it does. In particular, note that it must be unique.
Confirm that your email password meets our definition of a “secure password” and is not written down anywhere. If it doesn’t, change it so that it does. In particular, note that it must be unique.
Confirm that your workstation requires a password, fingerprint, or facial recognition to unlock. If it doesn’t, set this up.
Confirm that your workstation automatically locks after one hour of inactivity. If it doesn’t, set this up.
What should you do if David emails asking for your 1Password master password, then you ping him in Slack, and he confirms that he wants it?
Call Yujan and tell him that David’s email and Slack accounts have been hacked.
Confirm that your hard drive is encrypted. If it isn’t, set this up.
You can read about FileVault here.
Confirm that your workstation automatically checks for and installs security updates for your operating system. (Alternatively, you must develop a system that will remind you to manually apply security updates and produce a record that you did so once each quarter.)
If you use SSH to access remote servers, confirm that you have a different SSH key for each workstation and that each SSH key is protected by a passphrase.
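To make the SSH passphrase check concrete, here is an added example (not part of the lesson) that inspects private key files offline: it reads the cipher and KDF names from the openssh-key-v1 header, and the Proc-Type line of legacy PEM keys, so a key stored in the clear is flagged. The sample key blobs are constructed headers, not real keys; on your own workstation you would feed it the contents of the files under ~/.ssh.

```python
"""Check whether OpenSSH private keys are passphrase-protected (no ssh-keygen needed)."""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"  # fixed header of the modern key container

def _read_string(buf, offset):
    """Read one length-prefixed (big-endian uint32) string from the key blob."""
    (n,) = struct.unpack(">I", buf[offset:offset + 4])
    return buf[offset + 4:offset + 4 + n], offset + 4 + n

def key_is_encrypted(pem_text):
    """True if the key needs a passphrase, False if it is stored in the clear.

    Handles the current OPENSSH PRIVATE KEY container (cipher and KDF names in
    the header) and the legacy PEM container (Proc-Type: 4,ENCRYPTED line).
    """
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-style private key")
    if "OPENSSH PRIVATE KEY" in lines[0]:
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(body, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(body, off)
        # Unencrypted keys record cipher "none" and KDF "none"; passphrase-
        # protected ones record e.g. "aes256-ctr" and "bcrypt".
        return cipher != b"none" and kdf != b"none"
    # Legacy PEM (RSA/EC/DSA): only encrypted keys carry this header line.
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:])

def audit(keys):
    """Return the names of keys that violate the passphrase requirement."""
    return sorted(name for name, text in keys.items() if not key_is_encrypted(text))

def _openssh_blob(cipher, kdf):
    """Constructed sample: a minimal openssh-key-v1 header, not a usable key."""
    s = lambda b: struct.pack(">I", len(b)) + b
    raw = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

SAMPLE_PLAINTEXT_KEY = _openssh_blob(b"none", b"none")
SAMPLE_ENCRYPTED_KEY = _openssh_blob(b"aes256-ctr", b"bcrypt")
SAMPLE_LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                           "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                           "QUJD\n-----END RSA PRIVATE KEY-----\n")
```

Calling `audit({"id_laptop": SAMPLE_PLAINTEXT_KEY, "id_desktop": SAMPLE_ENCRYPTED_KEY})` returns `['id_laptop']`, the key that would fail the check above.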
Do you think any of our information policies are unnecessarily burdensome in general or for your situation?
Do you think our risk analysis had any large gaps?
Do you think our information policy has any inappropriately large gaps? (Note that there will always be gaps; it’s just a matter of whether the gaps are too big.)
Please help us make these lessons as relevant and up-to-date for future engineers as possible!
You can help in several ways:
You can quickly open the lesson page in the GitHub editor. Create a new branch and pull request and assign it to David.