take this course
to supplemental content are provided, should you wish
to read more about a particular topic. This
extra material is optional. It is not covered on
the associated course quiz. The supplemental content
will usually be presented in a new browser window, which you
may close at any time.
For the recommended reading sequence for these materials,
see the HIPS Series Overview.
Approximate reading time for this course is 12 minutes (exclusive
of linked content). The quiz for this course is here.
• • • •
1. Why are you here?
As you probably already know, security training is usually
required for everyone in an organization's workforce who has
access to its information systems. It's required by
law. It's required by ethics. It's required by
business common sense.
What does protecting your identity have to do with that?
Everything. Identity security is the cornerstone of
protecting all of an organization's assets -- not just
information systems and data, but physical, financial and
human resources as well.
We'll explain why in this course, and give you simple steps
for keeping your own identity secure at work.
Learning to protect your identity at work also has personal
theft is one of the fastest-growing crimes worldwide.
Millions of persons are victims of this type of fraud each
year. It can take years to recover from damage to finances
What you learn here can protect you from identity theft in
your personal transactions too.
2. Right people, right things
What is the goal of a security system? One answer is
that security aims to let in only the "right people," and
keep out the "wrong people." That's true when we are
talking about limiting access to physical spaces like buildings.
It's also true when we are concerned with access to virtual
spaces like the files on a computer or a destination on the
Sometimes this task is called "controlling the perimeter."
That's not all. A security system must also make sure
the people that have been let in -- gotten "inside the perimeter"
-- do only the "right things" while inside.
Identity security, combined with other security tools, addresses
this as well. We'll discuss how in the second part of
this module. But let's begin with the problem of figuring
out who the "right people" are.
3. Identity checks in the physical world
In our everyday lives, we do identity checks all the time.
Familiar living things -- family, friends, pets, co-workers --
get identified as "right" because they look, sound, smell
and behave in the ways we expect. This kind of assessment
is so ordinary we're often not even conscious of it.
We must continually assess strangers' identities too.
For example, what if someone arrived at your house, claiming
to be from the phone company? You'd use your senses
and your common sense to assess this claim, based on the factors
like appearance, possessions, and knowledge:
4. Securing the physical world
- Does the person have a valid ID badge?
- How about a phone company uniform, vehicle and other equipment?
- How about a plausible reason for the visit?
Since the focus is on information security, this course concentrates
on identity in the virtual world. That doesn't mean
physical security is unimportant. Quite the opposite.
A secure physical environment is as critical to protecting
computing and networking equipment as it is to securing an
organization's other assets.
Your office may have physical security measures like door
locks, alarms, surveillance cameras, and security officers
on patrol. But you too are a part of protecting the
physical perimeter. Always keep an eye out for persons
who appear to be in the wrong place. Don't be afraid
to (politely) challenge a stranger for identification.
Don't be too busy to make sure a stranger gets to the right
place, and stays out of the wrong ones.
Besides watching out for out-of-place persons, how can you
help secure your organization's physical world? By protecting
the things that control physical access: ID badges, magnetic
and smart-card keys, conventional (metal) keys, combination
lock codes, and so on.
Make sure you keep all of these secure to prevent theft --
either with you or in a protected place. File a report
immediately with the security department about anything that
is stolen or lost.
Rapid reporting protects the organization. Locks can
be changed, card-keys deactivated, and other steps taken to
limit potential damage. It also protects you.
A person who has these things is capable of assuming your
identity, and anything they do may appear to have been done
5. Identity checks in the virtual world
Modern life offers the convenience of not having to be physically
present to interact with others. Many kinds of transactions
can now be completed via phone, fax, email or visiting a Web
This convenience opens up a Pandora's box of problems.
It is difficult enough to establish the identity of a stranger
standing right in front of you. It's much more difficult
to identify someone who exists only as a voice on the telephone,
a piece of paper rolling out of a fax machine, or a message
in an email or postal letter.
Identity theft schemes like phishing
are a much greater problem today as a consequence.
Whenever you must identify someone in such a "virtual" context,
you need to exercise extra care.
6. Securing the virtual world
Before exchanging information over a medium like the telephone,
organizations such as banks and credit card issuers try to
verify who you are. Typically this is done by asking
questions about things only you should know, such as your
Social Security number (SSN).
You may not have thought about it, but you also have a security
task in such circumstances. You must try to be sure you're
actually dealing with the bank or credit card company, and
not an imposter. You need to be especially cautious
if the contact was not initiated by you.
For your workplace transactions using telephone, fax, mail
or email, you must exercise care to be sure you're dealing
with the right organization and the right person. That
means always verifying phone numbers and addresses.
It may also mean asking questions to verify identity.
Be aware that in these situations, identification is often
based entirely on factual knowledge -- of a SSN, account
number, address, birth date, parent's name, pre-established
PIN number or password. You can't establish identity
by appearance or behavior when a person isn't physically present.
And there's usually no way to present a physical item, like
a driver's license or other ID card.
This dependence on personal data for identity means you must
always be careful about disclosing it -- whether it's
information about you or about a customer.
You also need to be careful about storing or disposing of
such data. Failure to do so sets you or the customer
up for identity theft. (Failure to exercise due care
could also set you or your organization up for a lawsuit.)
7. Computer systems and passwords
Before you can use a shared computer system or a secure web
site, you usually have to provide information. Specifically,
you must answer a pair of questions to verify your identity --
providing your user-ID and an associated password.
To protect your identity, and the security of the shared
computer system or secure Web site, it's critical to pick
good passwords and protect them appropriately. (For
tips, take the Picking
and Protecting Passwords course.)
If you think a password has been compromised, change it immediately.
In most cases, it's recommended that you also report the matter
to the appropriate security department. Doing so may
prevent further damage -- and, as with a key or ID badge,
protect you from blame for damage already done.
8. Computer systems and access tokens
Some computer systems now rely on smart cards or other kinds
of "access token" to establish identity. An access token
must be put through, or near to, a reader or equivalent sensor
Sometimes it's also necessary to enter a PIN number or password,
as with ATM cards. This is called "two-factor" authentication -- because
it's based on something you have (the card token) and something
you know (the PIN).
As with old-fashioned metal keys, it's critical to protect
access tokens by keeping them with you or in a safe place.
Just as with a compromised password, it's critical to notify
the appropriate security department if a token is lost or
stolen, so that it can be deactivated. It's particularly
critical if it's a "one-factor" token like an old-fashioned metal
key or a card that must simply be swiped (no PIN needed).
9. Computer systems and biometrics
Some computer systems now rely on biometric identification.
Devices exist to take measurements of faces, eyes, fingers,
palms, and just about any other subset of bodies you could
envision. Some systems can analyze voices, handwritten
signatures, the way a person walks, and even the way someone
Biometric identification has a great advantage over the other
methods: there's nothing to lose or forget!
So, why don't we use fingerprints and retinal scans for identification
now, instead of easily-forgotten passwords and easily lost
cards and keys? For the moment, biometric IDs still
suffer from accuracy and cost disadvantages, but expect them
to become common for computer access and for identification
in daily life.
10. Access controls
So far, we've focused on letting only the "right people"
into information systems, and keeping the "wrong people" out.
We also need to limit what particular persons can
do -- such as what programs they are allowed to run,
or what files they can view, modify or delete.
Measures to enforce such limits are called access
Why do we need them? First, it's not a perfect world.
Sometimes despite our best efforts the wrong people will get
past our identification barriers. We need some way to
limit damage when this occurs.
Second, even if we let only the right people in, they can
still make mistakes despite the best of intentions.
(And not everyone has good intentions -- workplace crimes
are most commonly committed by insiders.)
11. Your own access privileges
All access controls have a common aim: They try to limit
each person to what is needed to get his/her work done.
In health care settings, this is sometimes called the minimum
necessary access to information. If you have a military
background, you may be more familiar with terms like "compartments"
If you find that you or someone you supervise needs more
access privileges to get a job done, make a formal request
for that. Do not "borrow" the identity of someone with
greater access privileges -- even if it's just "temporary."
(It can be considered a crime.)
Alternatively, if you find that you or someone you supervise
has been given more access privileges than really needed,
make a request to have those reduced. It's safer!
12. Monitoring and recording activity
Identification barriers and access controls exist to prevent
problems. As an additional layer of protection, computer
systems monitor usage and keep records of "who did what."
This activity log is sometimes called an audit
trail -- a term borrowed from accounting.
Monitoring and logging helps detect security problems that
weren't prevented by identity and access controls. Always
be aware that everything you do on a computer system may be
recorded and subject to inspection for security purposes.
This is another reason to protect your identity, and report
promptly if you think your identity may have been compromised:
Any activity that occurs using your identity will be recorded
as having been done by you.
13. Using activity records yourself
Audit trails can contain a lot of data -- many thousands
of records just for a single day of system activity.
So they are typically "read" by a computer program that flags
suspicious behavior for humans to analyze later.
Sometimes you can read part of your audit trail information
yourself. For example, some systems inform you at login
when you last logged in; or they identify the last time you
used or modified a particular data file.
Get in the habit of looking at this information, to be sure
it reflects something you did. If activity data doesn't
seem right, it may mean your identity has been compromised.
(For exactly the same reasons, monitoring your own financial
records can detect identity theft.)
14. Mistakes are inevitable
No identification system can be perfect. Passwords
get compromised; card-keys get lost, biometric sensors get
fooled. That's why we have the backup protections of
access controls, monitoring and audit trails.
A security system also cannot be perfect in another way:
You -- very much in the category of "right people" to
be sure -- may sometimes have trouble getting past security
Maybe you will forget your password, or mistype it so many
times that a system "locks you out." Maybe you will
forget to bring your ID or card-key to work. Maybe you
will misplace your USB or other computer access token.
Please be patient, and remember that the inconvenience you
experience is essential for security.
15. Inconvenience is inevitable too
Even when everything is working perfectly, identification
processes still require a bit of time and inconvenience.
Audit trail recording processes require surveillance, which
may feel like an invasion of privacy.
We know it can be a pain to type in a password or PIN, swipe
a card-key through a reader, put your finger or palm on a
scanner, or present your ID to a security guard. We
know it can be annoying (at best) to contemplate that other
persons are monitoring what you do.
Nothing in life is free. This is the price of keeping
information -- and everything else -- secure.
The price of insecurity is much higher.
16. If you remember nothing else
(1) Identity can be established by what you "are" --
physical characteristics, behavior, etc. While it's
not yet common for machines, it's an essential technique for
humans to detect intruders and other "out of place" persons.
(2) Identity can be established by what you know --
a password, PIN or personal data like an SSN. Protect
this information. Be very careful about how and with
whom you share it.
(3) Identity can be established by what you have --
metal keys, card-keys, ID badges, USB and other computer access
tokens. Protect these from loss or theft, and be careful
(4) Audit trails log activity to detect problems. Be
aware you're being monitored. When you can, use audit
trail data yourself to detect problems.
• • • •
Help us make
this course better -- take the online
The quiz for this course is here.
• • • •