Purpose
Our information security policies were created to help us protect:
- Our clients’ data and intellectual property
- Innolitics’ data and intellectual property
- Protected health information that we may come into contact with during our work
Learning Material
Please carefully read (or re-read) our Information Security policies in our company handbook.
Read this HHS Letter about Phishing Attacks.
Read through the Risk Analysis in our company’s HIPAA procedure document. (Note that there is no need to read other sections.)
Exercises
To learn as much as possible from these exercises, write your responses before revealing the provided answers. If any exercises seem irrelevant, you can skip them and instead write a justification as to why they are unimportant. These justifications will help us improve the lesson for future employees.
Exercise 1
Confirm that your master password for 1Password meets our definition of a “secure password” and is not written down anywhere. If it doesn’t, change it so that it does. In particular, note that it must be unique: it must not be reused for any other account.
Exercise 2
Confirm that your email password meets our definition of a “secure password” and is not written down anywhere. If it doesn’t, change it so that it does. In particular, note that it must be unique.
Exercise 3
Confirm that your workstation requires a password, fingerprint, or facial recognition to unlock. If it doesn’t, set this up.
Exercise 4
Confirm that your workstation automatically locks after one hour of inactivity. If it doesn’t, set this up.
Exercise 5
What should you do if David emails asking for your 1Password master password, then you ping him in Slack, and he confirms that he wants it?
Exercise 6
Confirm that your hard drive is encrypted (full-disk encryption). If it isn’t, set this up.
Exercise 7
Confirm that your workstation automatically checks for and installs security updates for your operating system. Alternatively, you must set up a system that reminds you to apply security updates manually and produces a record that you did so once each quarter.
Exercise 8
If you use SSH to access remote servers, confirm that you have a different SSH key for each workstation and that each SSH key is protected by a passphrase (so that the key of a lost or compromised machine can be revoked on its own, and the key file alone is not enough to use it).
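As an added example (not part of the original lesson or any Innolitics tooling), the following Python script inspects the files in ~/.ssh and reports which private keys lack a passphrase. It does this by parsing the header of new-format OpenSSH key files, where a cipher name of "none" means the key is stored unencrypted, and by looking for the Proc-Type header that legacy PEM keys carry when they are encrypted. The sample file contents are constructed fixtures (headers only, not usable keys); the filenames and the ~/.ssh location are assumptions.

```python
import base64
import struct
from pathlib import Path

# New-format OpenSSH private keys (see OpenSSH's PROTOCOL.key) start with this
# magic, followed by an SSH "string" holding the cipher name. "none" means the
# key was written without a passphrase.
OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_FOOTER = "-----END OPENSSH PRIVATE KEY-----"


def _read_string(buf: bytes, offset: int):
    """Read an SSH wire-format string: uint32 big-endian length, then that many bytes."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def openssh_key_is_encrypted(text: str) -> bool:
    """True if a new-format OpenSSH private key was written with a cipher (i.e. a passphrase)."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if lines[0] != OPENSSH_HEADER or lines[-1] != OPENSSH_FOOTER:
        raise ValueError("not an OpenSSH-format private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("bad OpenSSH key magic")
    cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))
    return cipher != b"none"


def private_key_is_encrypted(text: str) -> bool:
    """Dispatch on the PEM header line to the format-specific check."""
    first = text.lstrip().splitlines()[0].strip()
    if first == OPENSSH_HEADER:
        return openssh_key_is_encrypted(text)
    if first == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True  # PKCS#8 encrypted container is encrypted by definition
    if first.startswith("-----BEGIN ") and first.endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/EC/DSA) and plain PKCS#8: encrypted only if a Proc-Type header is present
        return "Proc-Type: 4,ENCRYPTED" in text
    raise ValueError("not a recognised private key file")


def classify_keys(files: dict) -> dict:
    """Map filename -> True (passphrase), False (no passphrase) or None (unrecognised format).

    Files that are not private keys (public keys, config, known_hosts) are skipped.
    """
    result = {}
    for name, text in files.items():
        if "PRIVATE KEY-----" not in text:
            continue
        try:
            result[name] = private_key_is_encrypted(text)
        except ValueError:
            result[name] = None
    return result


def scan_ssh_dir(ssh_dir=None) -> dict:
    """Read every regular file in the SSH directory (default ~/.ssh) and classify the private keys."""
    ssh_dir = Path(ssh_dir) if ssh_dir else Path.home() / ".ssh"
    files = {path.name: path.read_text(errors="replace")
             for path in sorted(ssh_dir.iterdir()) if path.is_file()}
    return classify_keys(files)


def _constructed_openssh_key(cipher: bytes) -> str:
    """Constructed fixture: only the header fields of an OpenSSH key file, not a usable key."""
    def string(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = OPENSSH_MAGIC + string(cipher) + string(kdf) + string(b"") + struct.pack(">I", 1)
    body = base64.b64encode(blob).decode()
    return f"{OPENSSH_HEADER}\n{body}\n{OPENSSH_FOOTER}\n"


# Constructed stand-in for the contents of ~/.ssh; none of these are real keys.
SAMPLE_FILES = {
    "id_ed25519": _constructed_openssh_key(b"aes256-ctr"),   # passphrase-protected
    "id_ed25519.pub": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA user@host\n",
    "old_id_rsa": _constructed_openssh_key(b"none"),         # no passphrase: should be fixed
    "legacy_key": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                   "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nAAAA\n"
                   "-----END RSA PRIVATE KEY-----\n"),
    "config": "Host *\n  IdentitiesOnly yes\n",
}


if __name__ == "__main__":
    labels = {True: "passphrase-protected", False: "NO PASSPHRASE", None: "unrecognised format"}
    for name, encrypted in scan_ssh_dir().items():
        print(f"{name}: {labels[encrypted]}")
```

Run it on each workstation you use; every private key should report as passphrase-protected, and a key that reports NO PASSPHRASE can be given one in place with `ssh-keygen -p -f <keyfile>`. For a quick one-off check of a single key, `ssh-keygen -y -f <keyfile> -P ""` prints the public key if the file is unprotected and fails if a passphrase is required. Meeting the one-key-per-workstation part of the exercise is a matter of comparing the public keys across machines: no `.pub` file should appear on more than one workstation.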
Exercise 9
Do you think any of our information policies are unnecessarily burdensome in general or for your situation?
Exercise 10
Do you think our risk analysis had any large gaps?
Exercise 11
Do you think our information policy has any inappropriately large gaps? (Note that there will always be gaps; it’s just a matter of whether the gaps are too big.)