Copyright© 2010 WeComply, Inc. All rights reserved. 10/13/2015 Information Security

Copyright© 2010 WeComply, Inc. All rights reserved. 10/13/2015 Information Security

Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/20103 Overview Information Security We must meet strict confidentiality standards for certain information We must safeguard business/confidential information we deal with day-to-day Policy is intended to help us protect information we deal with, handle it responsibly and keep it confidential Policy is based on — Prudent and responsible business practices Contractual obligations Laws and regulations

Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/20104 Electronic ID and Passwords Confidential information must remain secure at all times Access to confidential information is granted on "need- to-know“ basis You have level of access needed to perform your job duties User ID/password is your electronic identity Protect your password at all times — even from your co-workers Lost/stolen password can compromise confidentiality and lead to identity theft

Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/20105 Pop Quiz! Roz hates to think of passwords and makes her latest password "u9gi'y/8o" by just letting her fingers glide over the keyboard randomly. Is this password strong or weak? A.Strong. B.Weak.

Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/20106 Avoiding Identity Theft To avoid identity theft — Memorize passwords — don't write them down Use password that is not immediately associated with you Make password hard to crack Never let anyone "borrow" your password People who use your password to access organization’s information are intruders who should be reported to your supervisor or IT Department

Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/20107 Avoiding Identity Theft (cont’d) To avoid identity theft — Memorize passwords — don't write them down Use password that is not immediately associated with you Make password hard to crack Never let anyone "borrow" your password People who use your password to access Company information are intruders who should be reported to your supervisor or IT Department

Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/20108 Information Classification Information is divided into four classes: Restricted — e.g., passwords Confidential — protected health information; personal, confidential and business-confidential information Internal — personal and business information for internal use only Public Restricted and confidential information must be encrypted. Confidential information must not be left unattended on fax machines, desktops or computer screens. Business confidential information must not be disclosed to anyone who has not signed a nondisclosure agreement

Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/20109 Special Note…

Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/ Computer Viruses and Hoaxes Computer viruses, worms and Trojan horses can damage our information assets Contact IT Department immediately if you think your computer is infected Malicious code infects computer networks through — attachments CD-ROMs or other storage media Downloads from the Internet Hoaxes — messages that warn of virus/worm that doesn't really exist — should not be forwarded

Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/ Computer Viruses and Hoaxes (cont’d) Computer viruses, worms and Trojan horses can damage our information assets Contact IT Department immediately if you think your computer is infected Malicious code infects computer networks through — attachments CD-ROMs or other storage media Downloads from the Internet Hoaxes — messages that warn of virus/worm that doesn't really exist — should not be forwarded

Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/ Using Our E-Communication Systems Our e-communication systems are to be used primarily for conducting Company business You should have no expectation of privacy when using them Activities prohibited on our e-communication systems: Pornography, obscene material or offensive language Excessive personal use Inappropriate comments about characteristics protected by law Material that would reflect poorly on the Company Other content that violates any law or regulation

Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/ Extra Precautions Keep these precautions in mind: Spam — delete junk-mail received your work account Questionable attachments — be careful about opening attachments unless you know sender and contents of attachment

Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/ Workspace Security Workspace-security tips: Beware of "Tailgaters" in Secure Facilities Don't hold a door open for strangers Report incidents of unauthorized entry to security Protect Your Work Area Secure all media containing confidential information when not in use Shred confidential/sensitive information that you need to dispose of Use screensavers with passwords Lock your computer when you are away from it

Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/ In the news…

Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/ Social Engineering There are many low-tech ways — called social engineering — used to gain unauthorized access to confidential information: Impersonating an authorized person online, by phone or even in person Coaxing information out of employees by preying on their trust, charming them or flirting Rigging the system, offering to "fix it," then accessing passwords in the course of repairing it Entering work area and looking over people's shoulders to see passwords Sifting through unshredded documents in trash

Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/ Pop Quiz! Sean took some work home with him. He decided to clean out his briefcase and dispose of some old memos and an out dated employee phone list in the recycling bin behind his apartment building. Sean didn't bother shredding any of the old paperwork because he was sure it contained no confidential information. Were there any security concerns here? A.No, if he was sure that the documents contained no confidential information. B.Yes, because the information could be useful to hackers. C.Maybe, if the documents contained information that was not totally out of date.

Copyright© 2010 WeComply, Inc. All rights reserved. 8/11/ Business Continuity Plans Business Continuity Plans are designed to prevent or reduce downtime in event of catastrophe You are responsible for — Reviewing/understanding your department's BCP and making necessary preparations Backing up and storing information assets in authorized manner Knowing location of fire exits and escape routes Having alternate method of coming to work

Copyright© 2010 WeComply, Inc. All rights reserved. 10/13/2015 Final Quiz

Copyright© 2010 WeComply, Inc. All rights reserved. 10/13/2015 Questions?

Copyright© 2010 WeComply, Inc. All rights reserved. 10/13/2015 Thank you for participating! This course and the related materials were developed by WeComply, Inc. and the Association of Corporate Counsel.