Shriti Karia
Instructional Designer
KPMG
Where are we now?
Summary of the problem
Key drivers
Why is it important?
Consequences of not getting it right: brand damage, fines, legal action, loss of customers, impact on market share, etc.
Challenges
Despite putting things in place, how can we ensure delegates take the content on board?
It is in addition to the day job.
Almost BAU, an afterthought, and not a priority until it happens: the "I know" attitude.
Scope of the training
Training standard for all but learning path varies based on role.
Periodic email reminder to all colleagues with due date
If you are a Director, content will adapt to supporting your direct reports (manager responsibility as well as basic content?)
Content for all staff to be the same, with a test and attestation at the end done annually, with appropriate consequences for
those not adhering to completion timescales: non-compliant status and impact on conduct/performance at end-of-year review.
Would take into account when looking at roll-out: The bank has 8,500 staff, split across a head office in London,
500 retail branches in most towns and cities, and a call centre. Most users have access to high-end IT
hardware, including mobile phones, laptops and tablets. Senior managers are regularly committed to using tablet
devices only, for greater portability, and are unlikely to be carrying laptops. All mobile devices run on the latest iOS
software, including all tablets. Laptops are an 80:20 blend of Windows:Mac. There are HD touchscreen TVs located
around the building, as well as interactive whiteboards and televisions in all meeting rooms.
Mac/Windows compatibility
Access from home
On the move
Touch screen and mouse-based access, etc.
What will we cover? - intro
Learning objectives and outcomes
My training solution
Approach
Learner journey (including screen mockups if appropriate). I would do these as a separate hand-out.
Passwords
Secure passwords
Why insecure passwords are a security risk
Use some content from here:
http://itsecurity.telelink.com/weak-passwords
Don't use obvious passwords, single words or things that people know about you.
E.g. some other examples (sentence, then the password it becomes):
My daughter Zoe loves to bake cakes for Granny Jean -> MdZl2bc4GJ
Going to Peter and Susans wedding in June -> G2PandSwIJ
My best skiing holiday was one week in Austria -> Mbshw1wIA
Can ABC Bank move towards Single Sign On to all systems? This will either involve no password to log in to some systems, or the same
username and password usable across a number of applications.
But this is going to take some time, and in the interim we must ensure password problems don't negatively affect our customers'
experience.
Good passwords are long and contain non-standard characters: try converting a sentence you will remember.
Password managers: debate how secure these are for a bank; other solutions; what is in place now? A good question, I think.
This is really good to chat through: http://uk.pcmag.com/password-managers-products/4296/guide/the-best-password-managers-of-2017
Software that lets you store many different passwords in one place; how is this viewed in banking? Data risk question/assumption.
Often an online service, but can be synced between computers.
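As an added example (not part of these training notes), the sentence-to-password conversion shown above in code, followed by a check for the weaknesses the notes warn against: obvious single words, short passwords and personal details. The substitution rules and the length threshold of 8 are assumptions chosen to reproduce the three sample passwords.

```python
import string

# Substitution rules (assumption, chosen to reproduce the examples in the notes):
# number words become digits, "and" is kept whole, "in" becomes a capital I,
# every other word contributes its first letter with its original case.
NUMBER_WORDS = {"one": "1", "two": "2", "to": "2", "four": "4", "for": "4"}
KEEP_WHOLE = {"and"}
SPECIAL = {"in": "I"}


def sentence_to_password(sentence: str) -> str:
    """Build a password from the initials of a sentence you will remember."""
    parts = []
    for raw in sentence.split():
        word = raw.strip(string.punctuation)
        if not word:
            continue
        key = word.lower()
        if key in NUMBER_WORDS:
            parts.append(NUMBER_WORDS[key])
        elif key in KEEP_WHOLE:
            parts.append(key)
        elif key in SPECIAL:
            parts.append(SPECIAL[key])
        else:
            parts.append(word[0])
    return "".join(parts)


def password_problems(password: str, known_facts=()) -> list:
    """Return the weaknesses found; an empty list means no check fired.
    known_facts: things people know about you (names, places, dates) that
    must not appear in the password. Minimum length 8 is an assumption."""
    problems = []
    if len(password) < 8:
        problems.append("too short")
    if password.isalpha():
        problems.append("letters only, probably a single word")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    for fact in known_facts:
        if fact.lower() in password.lower():
            problems.append(f"contains personal detail: {fact}")
    return problems
```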
Security
Security in the office
Why security in the office is important
No foreign USB devices plugged into computers
You need to make sure that only authorised contractors and visitors can access branches to carry out their work. There are 3 levels of
access for branch entry. Moves from lower to higher levels are not permitted without the appropriate new level of ID&V being applied.
The Branch Manager or Assistant Manager would need to ID&V the contractor using an online tool before a change of access level is
allowed.
Once you've located the visiting contractor/visitor:
Select the grey image of the face that appears on the tool
If a photograph is present on the system it will appear; you must check that it's a true likeness of the contractor/visitor present
If the ID given by the contractor/visitor has a signature, check it against their signature on the Contractor/Visitor Log
Check that the name of the company the contractor/visitor works for corresponds to the name listed on the ID&V Tool
ID for staff who are:
Known by a colleague
An expected visitor
Have the ID&V witnessed by the person who co-signs the visiting contractor/visitor log
Show the employee the Emergency Procedures Page detailing branch contacts during their visit
People who are not authorised to enter could do so by pretending to be someone else or by tailgating
Even legitimate people should not see client-confidential documents
Protect your PC
Make sure you use a screensaver when you're away from your desk
Staff must always lock their screens when moving away from their desktop. To do this:
Press Ctrl + Alt + Delete to display Windows Security screen
Select Lock Computer
Or:
Select the Lock Screen icon from the toolbar
To unlock press Ctrl + Alt + Delete to display your Login screen and enter your Username and Password
The Bank's Information Classification Standard covers all information, which may be placed into one of three classification levels:
Unrestricted
Information that is already in, or has been authorised for, the public domain, or information for which unauthorised public disclosure
would have no significant negative impact or consequences for ABC, its customers or its business partners.
Examples: Marketing materials, job advertisements, public announcements, ABC publicly-accessible websites, publications.
Confidential - Information which is proprietary to the organisation or related to a key business process, and to which access by all
employees is not necessary or appropriate. Access to this information is only required by those with a need-to-know to fulfil their
duties. Such information may have a negative impact if it were disclosed to unauthorised personnel, either internally or externally.
Personal and financial customer information must be classified as at least Confidential. If the information is of a sensitive personal
nature and warrants extra protection it must be classified as Secret. Refer to the Group Privacy Policy for more information on sensitive
personal information.
Examples: New product plans, Client contracts, Audit findings and reports, Legal contracts, Customer/client information, Strategies and
budgets, Vulnerability assessments, Performance appraisals, Staff remuneration and personal information, Information system security
configuration information.
Labeling information: Hard copies must have a visible Classification label on the title page as a minimum, and preferably in the footer of
each page. Envelopes containing Confidential information must have a visible Classification label on the front. Electronic information
must have an obvious Classification label, including labels within each page of multi-page documents.
Secret - Information for which unauthorised disclosure (internally or externally) may cause serious financial or reputational damage,
significant loss of competitive advantage, or regulatory sanction or legal action. Note that some information may only be considered
Secret for a short period of time.
Examples: Profit forecasts or annual results (prior to public release), Information on potential mergers or acquisitions, Strategic planning
information, Executive Committee minutes, Certain information system security configuration, Information for which unauthorised
disclosure may cause serious consequences, Certain audit findings and reports for which unauthorised disclosure may cause serious
consequences.
Labeling information: Hard copies must be given a visible Classification label on each page. Secret information must not be sent in single
envelopes; an envelope labeled as Secret must be sent within another envelope that is not labeled. Electronic information must have an
obvious Classification label, including labels within each page of multi-page documents.
Internal Only
Intended for distribution within ABC, whether to just one, some or all colleagues. We would not want or need to publicise the information, but the
impact of unauthorised disclosure (internally or externally) could be a financial or reputational risk if it became public.
Example:
ABC Q&A