Script For ASA 2020
Introduction
As you proceed through this training, there will be questions that test your existing
knowledge on that topic. To navigate through ASA, use the next button to move to
the next slide. Use the previous button to go back to an earlier slide. If you require
this training in an alternate format, please cut a ticket to the TAO team.
Cyber attacks are on the rise, and our customers, internal and external, trust
Amazon to keep data secure. Amazon Security Awareness is intended to help
Amazonians recognize and respond to threats. Amazonians must fully understand
their obligation for protecting data to preserve the trust customers place in Amazon.
ASA will cover the following topics:
o Data classification
o Phishing
o Insider threats
o Privacy
Let’s get started!
Data classification
Question:
A data handling standard is defined as which of the following?
• A set of minimum requirements for the secure storage, processing, and
transmission of data.
• The standard that defines how public data is encrypted at rest.
• The standardized process in which data is removed and destroyed.
• A set of maximum requirements for how a data type must be handled.
o Answer explanation:
§ Correct: That’s right! A data handling standard is a set of
minimum requirements for the secure storage, processing, and
transmission of data.
§ Incorrect: Incorrect. A data handling standard is a set of
minimum requirements for the secure storage, processing, and
transmission of data.
Because data is Amazon's most valuable asset, Information Security created the
Data Classification and Handling Policy that addresses the need to classify
information assets into specific categories to ensure appropriate controls are in
place to prevent unauthorized access, disclosure, or misuse of information.
At Amazon, there are five categories used to classify data. All data falls under one of
the following Data Classification Categories:
• Critical data: Our most sensitive data and information. Exposure of this data
and information to unauthorized parties could cause extreme loss or harm to
Amazon or its customers and adversely affect our ability to do business.
Critical data has specialized handling requirements and access is restricted to
select authorized individuals and systems.
o Examples of critical data include Clear order history, Credit and debit
card numbers, CVV codes, and bank account numbers.
• Restricted data: Sensitive data and information that must only be stored in
systems that have been reviewed and approved by Information Security.
o Examples of restricted data include telephone number, email address,
and Zip Code.
• Highly Confidential data: Sensitive data and information, including specific
Human Resources Personally Identifiable Information (HR PII), that is
intended primarily for use within Amazon based on a need-to-know basis.
o Examples of highly confidential data include a single customer’s order
history, merger and acquisition documents, and most employee data.
• Confidential data: Sensitive data and information that would cause minimal
risk of loss or harm to Amazon if exposed to unauthorized parties.
o Examples of confidential data include a single customer's opaque
order history, opaque browse history, customer name, and seller
name.
• Public data: Data and information that is designed and intended to be
provided to any party outside the company and does not expose Amazon or
its partners and customers to any harm.
o Examples of public data include Amazon customer reviews, customer
recommendations, and seller reputation.
Phishing
Question:
Isabella thinks she has received a phishing email. How can she be sure it's a phishing
email? Select all that apply.
Subject: Email account upgrade
From: [email protected]
Dear User,
Someone else was trying to use your Amazon ID to sign into iCloud via a web browser.
Date and Time: 28 October 2019, 1:38 PM
Browser: Firefox
Operating System: Windows
Location: Thailand
If the information above looks familiar, you can disregard this email.
If you have not recently and believe someone may be trying to access your account, you
should Click Here <http://goo.gl/rk87KW>.
Sincerely,
Technical Support Team
o This is not a phishing email
o Asks for personal information
o Suspicious link
o Unknown sender
§ Answer explanation:
• Correct: That’s right! Phishing emails are deceptive: they
come from illegitimate domains, contain suspicious links
or attachments, come from unknown senders, and invite
you to divulge personal information.
• Incorrect: Incorrect. Phishing emails are deceptive: they
come from illegitimate domains, contain suspicious links
or attachments, come from unknown senders, and invite
you to divulge personal information.
Question:
This email was reported as phishing. How can you tell it's a phishing email? Select
all that apply.
Subject: Contact shared a document with you
From: [email protected]
Hello,
A contact from your adress book has shared a document with yu. The donload link
expires in 48 hour. Plese donload know.
o Sender is suspicious
o Grammatical errors
o Invitation to act
o This is not a phishing email
§ Answer explanation:
• Correct: That's right! There are grammatical errors, an
unknown sender, and an invitation to open a suspicious
document.
• Incorrect: This email is a phishing email. There are
grammatical errors, an unknown sender, and an invitation
to open a suspicious document.
Phishing threats and Amazon:
Based on open-source intelligence data, phishing targeting Amazon increased
182% during the first quarter of 2019 and 411% year-over-year, making Amazon the
8th most targeted company.
What is phishing?
The goal of phishing is to trick the recipient into believing that the message is
something they want or need.
How does phishing work?
Phishing emails pressure the recipient to act, typically by clicking a link to a
malicious website set up to trick you into divulging personal or financial
information such as passwords, account IDs, or credit card details.
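The indicators the two quiz emails illustrate (unknown sender, suspicious or shortened link, generic greeting, pressure to act, requests for account details, misspellings) can be checked mechanically. The following is an added example written for this script; it is not part of the ASA training and not an Amazon tool. The three messages are constructed: the first two mirror the quiz emails (their sender addresses and the second email's link are assumed, since the training does not show them), the third is a benign control. The indicator names, word lists, trusted-domain list and the two-indicator threshold are illustrative assumptions, not a production filter.

```python
"""Heuristic phishing-indicator check over raw email messages (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: domains the recipient's organisation legitimately mails from.
TRUSTED_DOMAINS = {"amazon.com"}
# Assumed: URL shorteners hide the real destination, so a shortened link is a tell.
SHORTENERS = {"goo.gl", "bit.ly", "tinyurl.com", "t.co"}
# Assumed: phrases that pressure the reader to act (the "invitation to act" indicator).
URGENCY = re.compile(
    r"\b(expires? in \d+\s*hours?|click here|immediately|right away|within 24 hours)\b", re.I)
# Assumed: phrases that steer the reader toward credentials or account details.
ACCOUNT_BAIT = re.compile(
    r"\b(password|sign into|sign in|log ?in|your account|credit card|verify your)\b", re.I)
# Assumed: a tiny misspelling list; a real filter would use a dictionary.
MISSPELLINGS = {"adress", "yu", "donload", "plese", "recieve", "acount"}
URL_RE = re.compile(r'https?://[^\s<>"]+')
GENERIC_GREETING = re.compile(
    r"^(dear (user|customer|member|sir|madam)|hello|hi|greetings)\b[,!]?$", re.I)


def _is_trusted(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def phishing_indicators(raw):
    """Return the indicator names found in a raw RFC 822 message, in check order."""
    msg = message_from_string(raw)
    body = msg.get_payload()          # single-part text message in these samples
    found = []

    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not _is_trusted(sender_domain):
        found.append("untrusted_sender")

    first_line = next((ln.strip() for ln in body.splitlines() if ln.strip()), "")
    if GENERIC_GREETING.match(first_line):
        found.append("generic_greeting")

    if ACCOUNT_BAIT.search(body):
        found.append("asks_for_account_info")
    if URGENCY.search(body):
        found.append("urgency")

    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host in SHORTENERS:
            found.append("shortened_link")
        elif not _is_trusted(host):
            found.append("external_link")

    words = set(re.findall(r"[a-z']+", body.lower()))
    if words & MISSPELLINGS:
        found.append("misspellings")
    return list(dict.fromkeys(found))   # de-duplicate, keep order


def is_suspicious(raw, threshold=2):
    """Assumed bar for reporting: two or more independent indicators."""
    return len(phishing_indicators(raw)) >= threshold


# Constructed sample messages; sender addresses use reserved .example domains.
EMAIL_1 = """\
From: Technical Support Team <support@account-alerts.example>
To: isabella@amazon.com
Subject: Email account upgrade

Dear User,

Someone else was trying to use your Amazon ID to sign into iCloud via a web browser.
Date and Time: 28 October 2019, 1:38 PM
Browser: Firefox
Operating System: Windows
Location: Thailand

If the information above looks familiar, you can disregard this email.
If you have not recently and believe someone may be trying to access your account, you
should Click Here <http://goo.gl/rk87KW>.

Sincerely,
Technical Support Team
"""

EMAIL_2 = """\
From: docshare <noreply@share-docs.example>
To: isabella@amazon.com
Subject: Contact shared a document with you

Hello,

A contact from your adress book has shared a document with yu. The donload link
expires in 48 hour. Plese donload know.
http://files.share-docs.example/open?id=12345
"""

EMAIL_3 = """\
From: Security Awareness <security-awareness@amazon.com>
To: isabella@amazon.com
Subject: ASA 2020 is now available

Hi Isabella,

The 2020 Amazon Security Awareness training is available in Thinking Cap.
Please complete it by the end of the quarter.
"""

if __name__ == "__main__":
    for name, raw in (("quiz email 1", EMAIL_1), ("quiz email 2", EMAIL_2), ("control", EMAIL_3)):
        print(name, is_suspicious(raw), phishing_indicators(raw))
```

Note that the benign control message passes with no indicators, while each quiz email trips several; the goal of the heuristic is not to replace reporting but to show that each cue the training lists corresponds to something observable in the message headers or body.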
How to report phishing:
As an Amazon employee, you are expected to report suspicious emails. Report a
phishing email to the Phishing report portal at https://phishing.amazon.com/.
Insider threats
Question:
You are working on a project dealing with critical data. One day, you see your
co-worker take out a USB drive, plug it into their computer, and copy documents to
the USB drive. What should you do? Select all that apply.
o Do nothing
o Tell your manager and cut a ticket to InfoSec
o Confiscate the USB
o Talk to your coworker about keeping critical data confidential.
§ Answer explanation:
• Correct: That's right! Data is a valuable resource at
Amazon. Critical data has specialized handling
requirements and exposure of this data can cause
extreme loss to Amazon and customers.
• Incorrect: Incorrect. Critical data is Amazon’s most
sensitive data. Take ownership by telling your manager
of the incident, cutting a ticket to InfoSec, and talking to
your co-worker about how to handle critical data.
Who is considered an insider threat?
A current or former employee, contractor, or business partner who has or had
authorized access to Amazon’s network, systems, or data. 25% of all security
incidents involve insiders.
What is an insider threat?
When an insider intentionally or unintentionally misuses access to negatively affect
the confidentiality, integrity, or availability of Amazon’s critical information or
systems.
Here are some standard security practices that reduce the risk of insider
incidents:
• Understand Amazon’s Zero Tolerance policy and the consequences of risky
security behavior.
• Always protect your password and NEVER share it!
• Be aware of your surroundings and report concerns right away.
• To report a security incident, visit https://security.amazon.com/ and click
REPORT A SECURITY INCIDENT.
Privacy
Question:
Scott is a data scientist and wants to perform an experiment around customer
engagement. He reaches out to Joe to get data to perform the experiment. Joe
exports the customer's information along with their order histories and
personalization preferences in a report and sends it to Scott.
What should Joe have done prior to sending this across to Scott? Select all that
apply.
o Understand the purpose of the experiment and all the teams that
will consume the data
o Evaluate if the data set requested is the minimum necessary for
the purpose identified by Scott
o Obtain approval from Joe and Scott’s manager on the purpose
and consult with respective line lawyers
o Provide data as soon as possible to Scott without any further delays
§ Answer explanation:
• Correct: That's right! Joe should not hand over customer
information without verifying how the data will be
used, confirming that the dataset is the minimum
necessary for that purpose, and consulting his
manager and line lawyers before any information is
exported for an experiment.
• Incorrect: Incorrect. Joe should not hand over customer
information without verifying how the data will be
used, confirming that the dataset is the minimum
necessary for that purpose, and consulting his
manager and line lawyers before any information is
exported for an experiment.
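The checks the answer describes (a documented purpose, a minimum-necessary field set, no critical data in a bulk export) can be enforced before a dataset ever leaves the source system, using the tiers from the Data classification section. The following is an added example written for this script, not part of the training and not an Amazon system. The field names, the purpose register, the "critical data is never bulk-exported for experiments" rule, the sample records and the project key are assumptions constructed for illustration; the pseudonymization step (a keyed HMAC over the customer ID) goes beyond the scenario and is included to show how the released rows can be joined within one experiment without carrying the real customer ID.

```python
"""Minimum-necessary release check for an internal data request (added example)."""
import hashlib
import hmac

# Field -> classification tier, using the tiers and examples from the training.
CLASSIFICATION = {
    "credit_card_number": "Critical",
    "bank_account_number": "Critical",
    "clear_order_history": "Critical",
    "email": "Restricted",
    "phone": "Restricted",
    "zip_code": "Restricted",
    "order_history": "Highly Confidential",
    "customer_name": "Confidential",
    "opaque_order_history": "Confidential",
    "opaque_browse_history": "Confidential",
    "customer_review": "Public",
}

# Assumed purpose register: a reviewed purpose and the fields agreed to be the
# minimum needed for it. A purpose not listed here has no documented review.
APPROVED_PURPOSES = {
    "engagement-experiment-2020q1": {"opaque_browse_history", "opaque_order_history", "zip_code"},
}


class ReleaseDenied(Exception):
    """Raised when a request fails the purpose or minimisation checks."""


def pseudonymize(customer_id, project_key):
    """Stable per-project token: same key gives the same token; another key cannot relink."""
    return hmac.new(project_key, customer_id.encode(), hashlib.sha256).hexdigest()[:16]


def check_request(purpose, requested_fields):
    """The checks Joe should have made before exporting anything (assumed rules)."""
    if purpose not in APPROVED_PURPOSES:
        raise ReleaseDenied(f"no reviewed purpose on file for {purpose!r}")
    unknown = sorted(f for f in requested_fields if f not in CLASSIFICATION)
    if unknown:
        raise ReleaseDenied(f"unclassified fields cannot be released: {unknown}")
    critical = sorted(f for f in requested_fields if CLASSIFICATION[f] == "Critical")
    if critical:
        raise ReleaseDenied(f"critical data is never bulk-exported for experiments: {critical}")
    excess = sorted(set(requested_fields) - APPROVED_PURPOSES[purpose])
    if excess:
        raise ReleaseDenied(f"beyond the approved minimum for this purpose: {excess}")


def denial_reason(purpose, requested_fields):
    """Return the denial message, or None when the request passes."""
    try:
        check_request(purpose, requested_fields)
    except ReleaseDenied as exc:
        return str(exc)
    return None


def prepare_release(records, purpose, requested_fields, project_key):
    """Return only the approved fields, keyed by a pseudonym instead of the customer ID."""
    check_request(purpose, requested_fields)
    return [
        {"subject": pseudonymize(r["customer_id"], project_key),
         **{f: r[f] for f in requested_fields}}
        for r in records
    ]


# Constructed sample records (not real customers or card numbers).
RECORDS = [
    {"customer_id": "C-1001", "customer_name": "A. Example", "email": "a@example.com",
     "zip_code": "98109", "order_history": ["order-1", "order-2"],
     "opaque_order_history": ["cat:books", "cat:tools"], "opaque_browse_history": ["cat:books"],
     "credit_card_number": "4111111111111111"},
    {"customer_id": "C-1002", "customer_name": "B. Example", "email": "b@example.com",
     "zip_code": "10001", "order_history": ["order-3"],
     "opaque_order_history": ["cat:garden"], "opaque_browse_history": ["cat:garden", "cat:books"],
     "credit_card_number": "5555555555554444"},
]

if __name__ == "__main__":
    # What Joe actually sent: identifying fields plus full order histories.
    print(denial_reason("engagement-experiment-2020q1", {"customer_name", "email", "order_history"}))
    # What the reviewed purpose permits.
    for row in prepare_release(RECORDS, "engagement-experiment-2020q1",
                               {"zip_code", "opaque_browse_history"}, b"assumed-project-key"):
        print(row)
```

The first call is denied because name, email and clear order history all exceed the field set approved for the purpose; the second returns two rows carrying only ZIP code and opaque browse history under a pseudonym, which is the shape of data set the answer explanation has in mind.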
What does privacy mean?
Information privacy is the customer’s right to have some control over how their
personal data is collected and used.
Is Privacy the same as Security?
Data Privacy: Privacy focuses on the use and governance of personal data.
Data Security: Data security focuses on protecting data from unauthorized attacks
and the exploitation of stolen data for profit.
Privacy is central to customer trust. Trust is easy to break and hard to gain.
Customer trust is our first priority. Our customers trust us to handle their personal
data securely and responsibly, and we do not pursue practices that jeopardize that
trust, even if they would be permitted by applicable laws.
Conclusion
We appreciate you taking the time to learn more about security at Amazon. Every
Amazonian is an owner of security. As you follow correct security practices you will
help keep Amazon data secure.
You can find more informative resources, policies, and guidance about Information
Security in the resources tab. Save these resources in your favorites so you can
access them instantly.
Your feedback helps us improve this training. To provide feedback, please click on
FEEDBACK in your Thinking Cap transcripts.
To exit this training, click the Exit button.