Awareness

  • I do not discuss personal or confidential information in public.
  • I protect myself from tailgating (drafting), shoulder surfing, and video spying.
  • I re-engage latches and locks when I close them, and log out of websites promptly when finished using them.
  • I check regularly that I am not being watched or followed.
  • I stay informed about new techniques used to defeat security controls.
  • I stay alert, with a good lay of the land and a good sense of what belongs where.
  • If someone or something seems out of place, I investigate or report it.
  • I am not afraid to ask around.
  • I know physical security breaches can damage my reputation, cost me property or competitive advantage, or cause me physical harm.
  • I know criminals are opportunistic and look for the weakest place and time to attack.
  • I document information related to suspected breaches including who was notified about it, how/when/where the breach occurred, and what was done to contain the damage.
  • I don't hide important items in obvious places such as a doormat or under a keyboard.

Protecting privacy and personal information

I have the right to associate with whom I choose, the right to be left alone by others, and the right to control and confidentiality over my personal information.

I respect and protect personal information and handle it carefully and securely. I am transparent and accountable for how I use personal information. I give others a choice about how I use their information and allow them to view and edit the records about them that I may store. I give their information the same care and concern that I expect for my own.

  • I protect basic facts about my life.
  • I do not trust strangers or suspected impostors and do not disclose information to them, nor do I rely on contact information supplied by the suspected source; I look up contact details independently.
  • I verify the identities and credentials (permissions) of people I meet in person, on the phone, or through electronic channels.
  • Even a few pieces of information, such as ZIP code, birth date, and sex, can together uniquely identify an individual.
  • I am aware that certain single pieces of information can by themselves identify and track an individual, including:
    • full name
    • home address
    • phone number
    • geographic location data
    • IP address
    • email address
    • account number
    • account login
    • biometrics
    • national, state, or work identifier
  • I keep my mobile devices and data secure from loss or theft using passwords, locks, encryption, and by keeping the devices physically close to me.
  • I know social engineering scams such as phishing can cause identity theft, damage reputation and finances, create legal exposure, erode privacy, and disrupt work.

Links and URLs

  • I identify the URL before accessing the page.
  • I am wary of QR codes from untrusted sources and disable automatic navigation in QR reader apps so I can read the decoded URL first.
  • I hover over links before clicking to view the destination URL, or right-click to copy the URL and examine it before navigating to it.
  • I use a search engine or another reliable means to verify the identity of a legitimate website before visiting it.
  • I preview shortened links before following them (for example, by appending + to a bit.ly link, or by using the preview.tinyurl.com form of a tinyurl.com link).
  • I read the authority portion of the URL carefully: it lives between http:// or https:// and the first following / ? or # (slash, question mark, or pound sign). If the authority contains an @, only the part after the @ is the host; the part before it is a username the browser sends along, not the site. Within the host, the righthand labels identify the actual website (the registrable or root domain), and anything to the left is a subdomain chosen by whoever controls that domain, so login.example.com.evil-site.net belongs to evil-site.net, not to example.com.
  • If the browser, search engine, or security software warns about a dangerous URL, I do not ignore the warning or proceed with navigation.
  • I watch for IP addresses in place of names, misspelled names, and extra hyphens, dots, or at signs ( - . @ ) in the URL that change which host the authority portion actually names.
  • I realize any unverified, unencrypted, or misidentified website may be a spoof or a man-in-the-middle attack.
  • Free downloads can tempt me into harming my computer if I yield to their enticements without first exploring better (legal) alternatives.
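The URL-reading rules above can be checked mechanically. The following is an added example, not code from the original checklist: it isolates the authority, finds the host the browser will really contact, derives the registrable domain, and flags the @ trick, bare IP addresses, brand names parked in a subdomain, and a hyphen standing in for the dot. The sample links are constructed and point at no real site, and MULTI_LABEL_SUFFIXES is an assumed stand-in for the Public Suffix List.

```python
# Added example (not from the original checklist): read a URL the way the
# bullets above describe, then flag the tricks that disguise the real host.
# The sample URLs are constructed and point at no real site.
import ipaddress
from urllib.parse import urlsplit

# Assumption: a tiny subset of the Public Suffix List. A real checker loads
# the full list from publicsuffix.org; without it "example.co.uk" would be
# mistaken for a subdomain of the registrable domain "co.uk".
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """Rightmost labels that identify the site owner (the "root domain" above)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def inspect_url(url, expected_domain):
    """Return the authority, the host the browser will really contact, its
    registrable domain, and a list of warnings. expected_domain is the site
    the link claims to be (e.g. taken from the link text or the message)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # urlsplit strips userinfo and port
    expected = expected_domain.lower()
    warnings = []

    if parts.scheme != "https":
        warnings.append("not https: content and identity are unverified")

    # "@" trick: http://example.com@evil.net/ contacts evil.net; the text
    # before "@" is sent as a username and plays no part in picking the host.
    if "@" in parts.netloc:
        warnings.append(f"'@' in authority: text before it is userinfo, host is {host!r}")

    # Bare IP address in place of a name: nothing ties it to the expected site.
    try:
        ipaddress.ip_address(host)
        is_ip = True
        warnings.append("host is a bare IP address")
    except ValueError:
        is_ip = False

    domain = host if is_ip else registrable_domain(host)
    if domain != expected:
        warnings.append(f"registrable domain is {domain!r}, not {expected!r}")

    # Brand name used only as a subdomain: login.example.com.evil-site.net
    left_labels = [] if is_ip else host.split(".")[: -len(domain.split("."))]
    brand = expected.split(".")[0]
    if brand in left_labels:
        warnings.append(f"{brand!r} appears only as a subdomain under {domain!r}")

    # Hyphen standing in for the dot: secure-example-com.net
    if expected.replace(".", "-") in host and domain != expected:
        warnings.append("hyphen substituted for the dot in the expected name")

    return {"authority": parts.netloc, "host": host, "domain": domain,
            "warnings": warnings}


# Constructed sample links, each paired with the site it claims to be.
SAMPLES = [
    ("https://www.example.com/login", "example.com"),             # genuine
    ("https://login.example.com.evil-site.net/", "example.com"),  # brand as subdomain
    ("http://example.com@198.51.100.7/", "example.com"),          # "@" plus bare IP
    ("https://secure-example-com.net/", "example.com"),           # hyphen for dot
    ("https://accounts.example.co.uk/", "example.co.uk"),         # genuine, two-label suffix
]

if __name__ == "__main__":
    for url, claimed in SAMPLES:
        result = inspect_url(url, claimed)
        status = "ok" if not result["warnings"] else "SUSPECT"
        print(f"{status:8} {url}")
        print(f"         authority={result['authority']} host={result['host']} domain={result['domain']}")
        for warning in result["warnings"]:
            print(f"         - {warning}")
```

The check is a reading aid, not a verdict: a correct registrable domain still says nothing about whether the site is the one you searched for, and a full Public Suffix List is needed before trusting the domain split on anything beyond the suffixes listed.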

Passwords

  • I create strong passwords, protect them, and never share them.
  • I use a different password for each account and do not let websites, browser auto-complete, or applications store them unprotected.
  • I am familiar with techniques available to change and strengthen my passwords.
  • I don't use personal information in my passwords.
  • I use my most complex passwords for financial accounts or other sensitive accounts.
  • I don't use dictionary words, song titles, or book titles as passwords.
  • I use all character classes available to me in creating a password.
  • I use longer passwords, since each added character multiplies the brute-force search space and length does more for strength than adding character classes does.
  • I don't rely on predictable character substitutions (such as @ for a or 0 for o) as the sole means of adding complexity; cracking tools try those substitutions automatically.
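The last four points can be made concrete with a small strength check. This is an added example, not part of the original checklist: it undoes the usual leetspeak substitutions and a trailing year before comparing a password against a word list, and it computes the brute-force search space in bits so the effect of length versus character classes is visible. COMMON_WORDS is a constructed stand-in for a breached-password list and BITS_FLOOR is an assumed threshold, not a standard.

```python
# Added example (not from the original checklist): estimate the brute-force
# search space of a password and undo the "leetspeak" substitutions that
# cracking tools already try. COMMON_WORDS stands in for a real breached-
# password list; BITS_FLOOR is an assumed threshold.
import math
import string

COMMON_WORDS = {"password", "letmein", "welcome", "summer", "dragon", "qwerty"}
BITS_FLOOR = 60  # assumption: below this an offline brute-force attack is cheap

# Predictable substitutions; common cracking rule sets include all of these.
SUBSTITUTIONS = {"@": "a", "4": "a", "3": "e", "1": "i", "0": "o",
                 "$": "s", "5": "s", "7": "t"}


def normalize(password):
    """Undo case and leetspeak substitutions so P@ssw0rd compares as password."""
    return "".join(SUBSTITUTIONS.get(c, c) for c in password.lower())


def charset_size(password):
    """Size of the alphabet a brute-force attacker must cover: one standard
    class is added for each class the password actually uses."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, 32)]
    return sum(n for chars, n in classes if any(c in chars for c in password))


def brute_force_bits(password):
    """log2 of the full search space: length * log2(alphabet). This is a
    ceiling on attacker effort; a dictionary or rule-based attack is cheaper."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def assess(password):
    """Verdict plus reason, in the order a cracker would find the password."""
    bits = brute_force_bits(password)
    # Strip the usual trailing year or punctuation, then undo substitutions,
    # so Summer2024! is judged as the word "summer".
    base = normalize(password.strip(string.digits + string.punctuation))
    if base in COMMON_WORDS:
        return {"bits": bits, "verdict": "weak",
                "reason": f"normalizes to the dictionary word {base!r}"}
    if bits < BITS_FLOOR:
        return {"bits": bits, "verdict": "weak",
                "reason": f"search space only {bits:.0f} bits"}
    return {"bits": bits, "verdict": "ok",
            "reason": f"search space {bits:.0f} bits, no dictionary base"}


if __name__ == "__main__":
    # Constructed samples: using all four character classes does not rescue
    # a dictionary base, while a long lowercase phrase has the larger space.
    for pw in ["Summer2024!", "P@ssw0rd", "x7Q!", "purple-cactus-radio-ladder"]:
        r = assess(pw)
        print(f"{pw:28} {r['bits']:6.1f} bits  {r['verdict']:4}  {r['reason']}")
```

The bit count is only the brute-force ceiling: a passphrase built from a known word list is attacked word by word, so four words from a 7776-word list give about 52 bits against that attacker regardless of the character count, which is why the dictionary check runs before the length check.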

Discipline against trust

  • I secure with passwords, locks, physical barriers, encryption and surveillance.
  • I shred confidential information before disposal.
  • I am wary of impostors and of anyone exploiting my helpful nature to compel my assistance, such as asking me to hold a door open for them.
  • I don't leave my laptop in my car while eating at a restaurant.
  • I take measures to protect my personal information and devices from theft or from misuse for someone else's gain.
  • I keep valuables locked up and out of sight of onlookers at all times; if an onlooker may have seen me stow them, I move them to discourage theft.
  • I lock my computer screen.
  • I protect data stored on mobile devices and removable media with means such as encryption and strong PINs and passwords.
  • I back up my devices on a regular basis to protect my data from loss.
  • I am wary of downloading software or apps from unknown sources or with insufficient public reviews.
  • I am wary of downloading software or apps that require excessive permissions such as viewing my address book and silently sending text messages.
  • I don't download unnecessary programs to my home or work computer.
  • I don't trust prompts that appear inside a web page's content area, especially ones urging immediate action to download a program, update my browser, or install a plugin to view content; genuine browser updates come from the browser itself, not from a page.
  • I delete suspicious emails and text messages.
  • If in doubt, I do not scan, click nor download.
  • I do not log in to accounts unnecessarily when I use public Wi-Fi or public computers, and I restrict their use to public information.
  • I use a VPN and TLS (HTTPS) encryption to protect my computer and communications over networks and Wi-Fi connections.
  • I confirm the website's encryption (an https:// connection with a certificate for the expected domain) and its identity before I attempt to log in.
  • I think about the headline test before I post to social media.
  • I seek a new perspective by second opinions or waiting on commitments I am not prepared to make.
  • I teach my family discipline against trust so they neither trust strangers nor post too much information online.
  • I monitor child accounts and do not allow them administrator access or installation privileges.
  • I teach children about the dangers of social networks and bullying online.