
Welcome To Cybersecurity Annual User Awareness Refresher Training

This document provides an overview of cybersecurity and Battelle's cybersecurity protection program. It discusses how technology alone cannot provide adequate protection and how information security threats are increasing due to greater internet usage, vulnerabilities, and sophisticated hackers. It emphasizes that Battelle staff are responsible for protecting assigned devices, passwords, and data. The principles of least privilege and proper use of personal devices to avoid capturing sensitive information in photos are covered. Guidelines are provided for transporting and storing sensitive data on removable media, including reporting lost or stolen devices. Different categories of sensitive information like classified, export controlled, and business sensitive data are defined.

Uploaded by

ep230842

Welcome to CyberSecurity Annual User Awareness Refresher Training

What is Cybersecurity?

Cybersecurity is the practice of protecting computer systems and networks, including the data, from being:
• Lost
• Disclosed
• Modified

Battelle’s CyberSecurity Protection Program within our Information Management department is chartered with protecting Battelle's:
• Information
• Systems
• Computers
• Networks

Technology alone cannot provide adequate protection.

Information Technology systems and data compromises are at an all-time high, due to:
• Increasing use of computers and the Internet
• More prevalent “Zero Day” exploits
• Advanced sophistication and resources of hackers (e.g. organized crime, nation states)

Battelle is specifically targeted because we are a major government contractor.


What is Cybersecurity?

Home, Office, Another Location

Be Smart, Safe, and Secure, because this is our Battelle.


Safeguarding Information and Data | Overview
You are responsible for:
• Assigned computing devices
• Software
• Passwords
• SecurID tokens
• PINs
• Certificates
In this section, you will learn about Battelle’s principles and techniques of information
protection. You will also learn about removable media storage guidelines, sensitive
information categories and reporting requirements.

Safeguarding Information and Data | The Principles of Least Privilege

All staff members should apply the Principle of Least Privilege when granting access to sensitive information.

“you give an entity the least amount of access it needs to do its job and nothing else. In this definition, an entity can be a person, computer, or anything on the network.”

Safeguarding Information and Data | Personal Computing Devices

Battelle staff members and contractors may have camera-enabled devices in their possession in general access areas at all Battelle locations.

Use of a camera-enabled device must be consistent with Battelle Policy 1.4, and staff and contractors are responsible for ensuring that:
• The proper usage of the device and approved areas for use are understood
• The area around the camera field of view is visually checked to ensure no Business Sensitive, Strictly Private, proprietary, or otherwise client-related material is in the background of the shot
• The pictures are not posted on any external social networking sites

Safeguarding Information and Data | Removable Storage
Removable media represents one of the largest threats to sensitive information. Examples include thumb drives, CDs/DVDs, diskettes, external hard drives, backup tapes, and MP3 players.

Be extremely careful when using removable media to transport sensitive information outside of Battelle.
• Do so only if you must have it for work at home or while on travel.
• Take only the minimum information needed.
• When disposing of the device, return it to Battelle for proper disposal or sanitizing. Caution! Simply deleting the information does not remove it. Rather, the device must be sanitized by overwriting a number of times. Contact the IM Service Desk for assistance in sanitizing devices.
• Maintain positive control of the device at all times.

If any device containing Battelle or client sensitive information is lost or stolen, it must be reported immediately to the IM Service Desk.

NEVER remove Government Classified or Government Sensitive information from Battelle on a laptop or a removable storage device.

Safeguarding Information and Data | Sensitive Information Categories
Sensitive information categories include:
• Government Classified
• Export Controlled Information
• Business Sensitive or Strictly Private
• Sensitive Information

Government Classified

Top Secret, Secret, Confidential, and other categories of government classified information
require specialized security measures and are not approved for storage in IM systems, e-mail
servers, file servers, SharePoint sites, or PC hard drives.

Contact Battelle Government Security or your local Facility Security Officer with questions
concerning safeguards for classified information or to report the loss, compromise, or suspected
compromise of classified information. The proper reporting telephone numbers can be found on
the CyberSecurity Contact List.


Government Sensitive Information


Certain information is designated by government agencies as sensitive but unclassified. Common
acronyms include FOUO (For Official Use Only) and SSI (Sensitive Security Information). There
are over 50 designators for this category of information. The specific acronym and the
safeguarding requirements are usually client and contract specific.
Contact Battelle Government Security or your local Facility Security Officer for information on
safeguarding Sensitive But Unclassified information or to report a loss or compromise.


Export Controlled Information


The Department of State and Department of Commerce categorize certain information and
technology as being Export Controlled. The transmission of Export Controlled information or
technology outside of the United States or to foreign persons or entities within the United States
requires a license and must be in strict compliance with applicable export control laws and
regulations. Battelle is required to implement special security safeguards for export controlled
information and technology in our control. The Export Compliance Guide and the Technology
Control Plan describe export restrictions, access controls, and safeguards for export controlled
information. References to these documents can be found in the CyberSecurity Contact List.
There is an Export Control Manager assigned to each product line. For questions about whether
information you are working with is export controlled, contact your Export Control Manager.
Contact Legal Services for questions on export licensing or to report any export violation or
compromise.

Business Sensitive or Strictly Private
Such information is generally not releasable to the public and must be safeguarded at all times.
The Total Information Protection (TIP) program describes the security measures required for
Business Sensitive information and can be found in SBMS.
Contact Battelle Government Security or your local Facility Security Officer for more information on
safeguarding Business Sensitive information or to report a loss or compromise.

Safeguarding Information and Data | Information Protection Techniques
Appropriate security techniques must be used to protect business information in electronic form when transmitting over public networks, including telephones and the Internet, or transporting outside of Battelle on any digital media (hard drives, diskettes, CD/DVDs, Zip drives, thumb drives, or other storage devices).

The following techniques can be used to protect information and data:
• Metadata Removal
• Encrypting Sensitive Information
• Secure File Transfer
• Compliance Data

*Metadata is the term describing embedded hidden data within Microsoft Office products.

Iron Key is the preferred thumb drive Battelle staff should use.

Pictured: Thumb Drives, Hard Drives, CD/DVD, Western Digital Passports

Metadata Removal

Metadata is embedded hidden data, for example, review comments, unresolved tracked changes (added and deleted text), authors' names, and more. It is Battelle’s best practice not to share or transmit Microsoft Office Word, Excel, or PowerPoint files to non-Battelle entities or individuals without first removing all potentially embarrassing or damaging metadata, unless the external users need to see the metadata (e.g., Tracked Changes and Comments for collaboration reasons). Failure to remove certain types of metadata could be embarrassing, or worse yet, damaging to Battelle.

Refer to the CyberSecurity web page for more information on tools to remove metadata.

**Office 2007 has a built-in metadata cleaning tool.

Encrypting Sensitive Information

Exercise caution when sending sensitive information outside of Battelle via the Internet. It is
especially dangerous to include sensitive information in e-mail messages, because e-mail may be
stored in unencrypted form on multiple e-mail servers outside of Battelle.
Information Management has implemented an encrypted Secure File Transfer application (FX) to
securely transmit large data files over the Internet.
Commercial encryption software is available for hard drives, folders, or individual files. Contact IM
for recommendations.


Secure File Transfer


The Battelle File Exchange service available at fx.battelle.org provides the secure transfer of large
files, up to 1GB, over the Internet as an alternative to email and other traditional methods, such as
File Transfer Protocol (FTP). FX can be used by all Battelle staff to exchange files between staff
and/or external recipients. FX may be used by contractors, clients and partners to exchange files
with Battelle staff.
Caution: FX is NOT APPROVED for government classified information.

Compliance Data

If dealing with credit card (PCI) or Personally Identifiable Information (PII), please see Information Management to ensure standards are followed.

• Personally Identifiable Information data (PII)

Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.

• Payment Card Industry Data (PCI)

A worldwide information security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). The standard was created to help organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations which hold, process, or pass cardholder information from any card branded with the logo of one of the card brands.

Note: Both types of data need to be protected, and both require Information Management to be notified to ensure compliance and that appropriate controls are in place to protect the information.

Safeguarding your PC at Battelle
You have just learned about the primary principles and techniques that Battelle uses to protect information and data.
• Assigned computing devices (including software and data)
• Use of appropriate security measures commensurate with the value of data and equipment to ensure:
  • Device is not stolen
  • Data is not lost or corrupted, used in unauthorized ways, or available to unauthorized persons
• All Battelle laptops are required to be encrypted with Battelle’s Safeboot encryption software available through WebRun

The following methods are used to safeguard your PC at Battelle:
• Passwords
• Virus Protection
• Baseline Software
• Backup of Computing devices
• Sanitization
• Screen Saver

Passwords
Password protection is critical to reducing Cybersecurity threats. Take the time to create strong
passwords that are easily remembered, but difficult to guess. Battelle adheres to strong password
standards, which are automatically enforced by the system.

Battelle staff members must adhere to the following password guidelines:


Passwords Required— Passwords are required on all computing devices used to store or
access business information (PCs, BlackBerrys, cell phones, etc.).

Password Sharing— Personal network passwords and SecurID Personal Identification Numbers
(PINs) are for use by the assigned staff member only. Sharing personal passwords or PINs with
anyone, including family, friends, contractors, or other Battelle staff, is prohibited.

Password Storage and Handling— Passwords and PINs should be memorized. If a written
password is necessary, it must be carried on the staff member's person or kept in locked storage.
Passwords and PINs must not be kept with or attached to the device (PC, laptop, token, etc.).

Change Passwords Frequently— Network passwords must be changed at least every six months.

Auto-locking— Password-protected auto-locking (e.g., screen savers) must be configured on all computing devices to automatically activate after a maximum 10 minutes' idle time, to minimize data exposure.

Virus Protection
Virus protection is critical for network defense. Current virus pattern files are required on all
computing devices connected to the Battelle network, including both business and home computing
devices. Battelle provides Trend Micro OfficeScan virus protection software for all Battelle users.
Staff members who access the Battelle network from home for work are licensed to use OfficeScan.


Baseline Software
All staff members are required to maintain baseline software on all Battelle PCs connected to the
Battelle network, and are further required to install patches distributed by IM within the specified
timeframe. Computing devices that cannot meet these requirements because of project or
engineering constraints must be reviewed and approved by IM. The IT Asset Manager (ITAM) must
approve any non-baseline software. IM maintains a list of software already approved by the ITAM
as well as software that has been prohibited by the ITAM.
For more information, see the Desktop Baseline Software web site in the CyberSecurity Contacts
List.

Backup of computing devices
Staff members are required to make periodic backup copies of business data residing on any
computing device for which they are responsible. The “Connected” automatic backup system is
available in Columbus and many regional offices. Contact your local IT Coordinator or the IM
Service Desk to determine if Connected is available to you.

Sanitization
Information contained on discarded devices and media can lead to serious information compromise.
These devices and media include PCs, PDAs, BlackBerry devices, cellular telephones and all
removable media, including external hard drives, diskettes, CDs/DVDs, Zip drives, thumb drives, or
other storage devices.
Battelle staff members are required to remove all data and software when disposing of any system
that has been used to store or process Battelle data. Sanitizing, destroying, or disposing of all
devices and digital media must be accomplished by IM-approved methods. Battelle leased and
owned PCs, PDAs, BlackBerry devices, and cell phones must be returned to IM for disposal.
At the Columbus and West Jefferson, Ohio campuses, you may deposit many forms of electronic
media in the Business Sensitive Information Disposal Bins identified with a label as shown below.
Bins are typically located in the same room as the walk-up copiers and/or printers.
If your site does not have local procedures for disposal of electronic media, please contact
Government Security for guidance in establishing a local (or site-specific) Business Sensitive
Information Disposal Program.


Screen Saver
Password protected auto-locking or screen savers are required on all computing devices that
contain Battelle information, including BlackBerry devices and PDAs, and must be set to activate
after 10 minutes of inactivity. This is automatically set for PCs on the Battelle network.
When you step away from your PC, you must manually lock your PC by pressing either the Windows and L keys together, or the Control-Alt-Delete keys and clicking Lock Computer.

Safeguarding the Network
Not only do you have the responsibility to protect your PC, you also need to protect our Battelle network.
We create a large amount of sensitive data:
• Intellectual property
• Product information
• Proposal information
• Other sensitive materials

Safeguarding the Network | Visitors and Staff
Visitors must never be permitted to connect to the LAN (Local Area Network).
• Visitors can knowingly or unknowingly introduce malicious viruses or software into the network.
• Staff members are not permitted to directly connect non-Battelle owned or leased storage devices to the Battelle network. If necessary, visitors can use Visitor Internet Ports (VIPs) for Internet access.
• Visitor Internet Ports (VIPs) are clearly labeled for access and are now available in many of our Battelle conference rooms. All VIP-enabled rooms are labeled as shown.
• Staff members may connect from VIPs into the LAN using IM-approved methods for remote access.
• Visitors must utilize VIPs to connect to the Battelle internet.

Safeguarding the Network | Network Protections
To prevent compromise of our Battelle network, you must comply with the following prohibitions:
• Personally owned computing devices and removable storage devices (for example, thumb drives) are not permitted to be connected to the Battelle network or Battelle computing devices.
• Peer-to-peer music sharing and file sharing is prohibited
• Automatic forwarding of Battelle mail to outside e-mail accounts
• Accessing personal e-mail accounts from the Battelle LAN
• Illegal, pornographic, or harassing material
• Wireless Access Points are prohibited on the Battelle LAN without explicit IM approval

At all times adhere to Battelle Professional and Ethical Standards.

Avoiding Attacks and Threats
All computers and networks are susceptible to attack, unauthorized use, or unauthorized access when connected
to the Internet.
Battelle has strong security controls on network servers and desktops, and uses a firewall to filter traffic from the Internet; however, constant vigilance is required to keep your computer and our network safe.

Examples of the tools hackers may use to gain access to your computer:
• Virus
• Worm
• Keystroke Logger
• Trojan Horse
• Password Cracker

Avoiding Attacks and Threats | Email Precautions
E-mail is one of the primary methods by which PCs are compromised.

The following are guidelines that will help you identify suspicious e-mail and attachments:

• Be extremely cautious of e-mail from a sender you do not recognize; however, sender addresses are easily faked, so knowledge of the sender is no guarantee that the e-mail is safe.

• If the e-mail is not work related, don’t open it.

• Be wary of any e-mail asking for personal information.

• Be suspicious if the language, grammar, spelling, or content of the e-mail is inappropriate.

• Exercise caution if an e-mail contains an attachment you were not anticipating. Many attachments which look safe, for example, Microsoft Word
files, are often infected. If you feel you need the attachment for Battelle business, contact the sender via phone if possible to confirm that the
attachment is legitimate. Replying to the e-mail may cause more spam to be generated to their account.

• Microsoft and other software vendors never distribute software updates via e-mail. If you receive an e-mail claiming to have software updates, it
is almost certainly infected. DO NOT OPEN IT. Report it immediately to the IM Service Desk.

• Electronic greeting cards or postcards frequently contain dangerous software and should be deleted immediately.

• Do not click on hotlinks in e-mail messages. Hotlinks in e-mail text are often spoofed, leading to attacks.

• E-mail is neither secure nor confidential. Exercise caution when sending sensitive information outside of Battelle via e-mail. Use Battelle's FX
(Secure File Transfer) utility to transmit sensitive information. See the IM website for instructions.

• E-mail that is threatening in nature must be reported to Security Operations or Battelle IM Service Desk.

Avoiding Attacks and Threats | Internet Browsing Precautions
Careless Internet browsing is another primary method by which PCs are compromised and then used to gain
network access.
Follow these guidelines when browsing the Internet:
• Exercise care if browsing sites of unknown security
• The Internet should be accessed from Battelle owned or leased equipment only for authorized business and very limited personal use.

Avoiding Attacks and Threats | Social Engineering Precautions
Social Engineering is using social skills and tricks to convince you to give up critical information. Common attack techniques include:
• Phishing
• Road Apple

Phishing applies to email appearing to come from a legitimate business — a bank, or credit card
company — requesting "verification" of information and warning of a dire consequence if the
recipient does not respond. The e-mail usually contains a hotlink to a fraudulent web page that
appears legitimate — with company logos and content — and includes a form to provide personal
information, ranging from a home address to passwords to an ATM card's PIN.
Never click on hotlinks in e-mail messages. These links are often spoofed and point to sites that
can download infections to your PC.


Road Apple
A road apple is a real-world variation of a Trojan Horse that uses physical media and relies on the curiosity of the victim.
The attacker leaves a malware infected floppy disc, CD ROM or thumb drive in a location sure to be found (bathroom,
elevator, sidewalk), gives it a legitimate looking and curiosity piquing label - and simply waits.

In some cases, hackers have mailed official looking CDs or thumb drives to users. These are often imprinted with the
logo of clients or business partners. When the user inserts the CD or thumb drive into the PC, infected files are secretly
installed. These files can infect other PCs and servers on the network, and can lead to serious compromises of
information.

Security while Traveling
Battelle offers its employees a wide range of portable devices for business use.
These items can include:
• Laptops
• Cell phones
• BlackBerry devices
• Thumb drives
• Identifiable articles

For information regarding travel outside of the country, please see the Travel website.



Roles and Responsibilities
Battelle staff members are responsible for the appropriate use and protection of assigned computing devices and software, and any
assigned authentication mechanisms (passwords, SecurID tokens, Certificates, etc.). Violations of security policy or loss of computing
devices or information must be reported to the IM Service Desk.

Review the chart below for more information regarding roles and responsibilities.

• Managers: Ensuring Cybersecurity policies and procedures are implemented and enforced.
• Information Owners: Protecting the integrity, confidentiality, and accessibility of the information commensurate with the damage that could occur if the information is compromised (examples: Project Leaders, SharePoint Admins, Web Masters, etc.).
• Information Management: Configuration control, management oversight, and security of firewalls and networks, and providing guidance to staff on cybersecurity issues.
• Security Department: Physical security, investigations, technology controls, regulatory compliance.

Ethics Standards: Business Ethics and Conduct | CyberSecurity

• The protection of our vital computing and network resources, and the information that resides therein, is of critical importance to Battelle. Use of Battelle network and computing resources is a privilege extended to our staff to allow them to do their work more efficiently and effectively. (BPM 1.4.4)


Contacts and Information Sources
We are all responsible for protecting Battelle’s information and data. If you’re not sure about cybersecurity policies and procedures or are in need of assistance, the links and contact information below will guide you to the correct information.

Be smart, safe and secure, because this is our Battelle.


Summary
You have just completed your training on Cybersecurity. You should now be able to:
• Describe the goals of the Cybersecurity program and the type of threats Battelle is facing
• Describe the principles and techniques of information protection
• Describe the policies and solutions to safeguard your office computer
• Identify methods to safeguard the Battelle network
• Recognize how to avoid attacks and threats to Battelle
• Recognize CyberSecurity risks while traveling
• List roles and responsibilities of staff members and their importance to Battelle CyberSecurity
• List contacts and information sources for Battelle CyberSecurity