1. infotex Awareness Training Tools

2. m.infotex.com/tools Information Security Tools

3. infotex Social Media Slides

4. Quick Instructions Use this presentation as you wish, and consider inserting it into your normal awareness training. Know that infotex can help you design an Awareness Training Program that mitigates a substantial amount of risk in your Information Security Program.

5. Quick Instructions Be sure to compare this to your own Acceptable Use Policy.  Some of the slides represent selections that can go both ways. For example, some banks allow users to access social media sites, some don’t.

6. Quick Instructions The subjects of the slides can also be used in your periodic reminders that you should be sending on a scheduled basis (most banks are monthly). Consider using the subject material as posts in your own Social Media sites.

7. Copyright Issues We’re offering these slides for your own creative use. You do not need to credit us but we always appreciate it when you do.

8. One Last Note: Find more horror stories on privacyrights.org or m.infotex.com/horror

9. THE SLIDES! and now...

10. Insert a humorous picture of you surfing at home. (or just a title page.)

11. Insert a humorous picture of you surfing in public. (or just a title page.)

12. Social Media And the risks of social networking.

13. Social Networking Sites Facebook Facebook LinkedIn LinkedIn Myspace Myspace Twitter Twitter YouTube YouTube Etc. Etc.

14. Social Media Risks The AUP Prohibits access to Social Media sites using bank assets. The AUP Prohibits access to Social Media sites using bank assets. You should not be checking in on Facebook, LinkedIn, etc. from assets owned by the bank. You should not be checking in on Facebook, LinkedIn, etc. from assets owned by the bank.

15. Social Networking Sites Employees must exercise good judgment in the use of social media sites. Employees must exercise good judgment in the use of social media sites. Unless a good business reason exists, employees should refrain from putting any company information on their own networking sites. Unless a good business reason exists, employees should refrain from putting any company information on their own networking sites. And be VERY careful what you post. And be VERY careful what you post.

16. “Safe Social Networking” Joan keeps in touch with a wide variety of friends on Facebook, many of them bank customers. Occasionally a friend will post on Joan’s wall, asking her about the loan rates on mortgage loans.

17. “Safe Social Networking” Joan always says she can’t discuss bank business on Facebook, and encourages them to come into the bank. She then notifies Mark Etting, who finds a way to meet Joan’s friends.

18. “Abuse of AUP” Joe was asked about loan pricing once. He replied that his bank always has the best prices, and to give his name when they go talk to Joan Department. She has a crush on Joe and will sharpen her pencil for you. And stay away from that Mark Etting jerk.

19. “Safe Social Networking” Joe participates in a LinkedIn “group” about information security policy, and has posted questions about social networking policy and how to monitor social networking sites. He has been careful not to mention any employee names or frustrations he has with the problem.

20. “Abuse of AUP” Joan was really upset by a customer who came into the bank at 4:55 p.m. and made her stay to fill out a loan application. On her Myspace page, she put “my pet peeve is customers who come into the bank right before we close.”

21. Social Networking Sites Posting information about bank customers is prohibited without prior authorization from the Information Security Officer (Name Here). Posting information about bank customers is prohibited without prior authorization from the Information Security Officer (Name Here).

22. “Safe Social Networking” Joan took a lot of pictures at the recent Customer Appreciate Event. She asked her Information Security Officer for permission to post them on the bank’s Facebook page.

23. “Abuse of AUP” Perci had to handle yet another difficult customer today. Since it’s against policy to access Facebook from her workstation, she gets out her new i-phone, and tweets “That Rusty Garajki is a BIG JERK.”

24. Social Networking Guidelines Anything about the bank that is not information found in a typical resume should be handled very carefully. Anything about the bank that is not information found in a typical resume should be handled very carefully. Employees must recognize, prior to putting any bank information on a website, that this information will be available indefinitely and could injure the bank’s reputation. Employees must recognize, prior to putting any bank information on a website, that this information will be available indefinitely and could injure the bank’s reputation.

25. “Safe Social Networking” Perci is a strong believer of maintaining a strong network of business associates and has found LinkedIn to be a helpful tool in this endeavor. She lists herself as Personnel Director at the bank, but does not include bank e-mail addresses or phone numbers in her profile.

26. “Safe Social Networking” Mark’s making good money at the bank but is always open to potential opportunities. He has a detailed resume on Monster.com, as well as one on craigslist.com. His resume is only available to qualified job offerings.

27. “Abuse of AUP” On Mark’s myspace page he has the following post:  “I’m getting out of this place. It’s no secret we’re going broke. Watch me get fired for writing that. It’s PUBLIC INFORMATION idiots!”

28. Social Networking Guidelines As such, any postings which do not exude good professional judgment may be grounds for disciplinary action and employees may be asked to remove information from websites whenever possible. As such, any postings which do not exude good professional judgment may be grounds for disciplinary action and employees may be asked to remove information from websites whenever possible. As an employee of the bank, you agree that what you post on the Internet is similar to what you would say in a public meeting, and thus... As an employee of the bank, you agree that what you post on the Internet is similar to what you would say in a public meeting, and thus...

29. And thus... You agree that you may be held accountable for the content of your postings. You agree that you may be held accountable for the content of your postings.

30. Meanwhile, while at home...

31. Especially on social media sites, understand what you’re getting into before you actually get into it! Read Privacy Statements.

32. And review them regularly. Review Privacy Settings.

34. Facebook Data Classifications Everyone Anybody can see it, they don’t have to be your friends first.

35. Facebook Data Classifications Everyone Friends of Friends Anybody can see it, they don’t have to be your friends first. Still “public” because of “7 degrees of separation” phenomenon

36. Facebook Data Classifications Everyone Friends of Friends Friends Only Anybody can see it, they don’t have to be your friends first. Public Information Because of indiscriminate friending, this can still be dangerous.

37. Facebook Data Classifications Everyone Friends of Friends Friends Only Other Anybody can see it, they don’t have to be your friends first. Public Information Still dangerous Whitelisting approach: you get to choose who sees your posts.

38. Data Classification at Bank Other: Whitelisting posts is about the only post that we would consider to be “confidential.” Thus, anything about the bank will be governed by the Acceptable Use Policy. It’s best to just assume that anything about the bank is governed by the AUP.

47. Beware orchestrated attacks... We have made guidelines for “safe social networking” available because there are a lot of personal vulnerabilities in your use of these sites. If you DO have any questions about this, feel free to talk to the ISO or your supervisor individually.

48. ?

49. Are you ready for a horror story?

53. ?

54. © infotex, inc. 2011