
Information Security Awareness Training



Presentation on theme: "Information Security Awareness Training"— Presentation transcript:

1 Information Security Awareness Training

2 Agenda
- What is Information Security?
- Information Ecosystem
- C-I-A
- Godrej & Boyce Information Security Organization Structure
- Godrej & Boyce Information Security Policies
- Exceptions
- Social Engineering
- Reporting Information Security Incidents
4/17/2017 Classification : Internal

3 What is Information Security?
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
Speaker notes: Start with what is the meaning of Information; ask the audience.

4 Information Ecosystem
An 'Information Ecosystem©' consists of People, Processes and the Technology that connects them.
Diagram labels: Partners, Customers, Service Providers, Regulatory Bodies; Firewalls, Passwords, Routers, Disaster Recovery, Forensics, Monitoring, IT Processes; People; IPR / databases / Entrusted Information / MIS / Innovation etc.; Interface.
The 'Information Ecosystem' includes business partners, customers, service providers, regulatory bodies etc. Any one of them has the potential to become a weak link and jeopardize the security of the entire system.
Speaker notes: 1. Give an example relevant to Godrej.

5 Types of Information
Information exists in digital AND non-digital forms:
- Digital
- Non-Digital
Speaker notes: 1. Query the audience by asking what they understand by Digital and Non-Digital forms.

6 Infosec Value Chain
Diagram labels:
- Storage media: Pendrives, Paper, Computer, CDs, DVDs, Mobile Phones, Credit Cards, Media Players, Data Tapes, Microfilms / Microfiche, Voice Recorders, Video Tapes, Memory Cards, Identity Cards
- Formats: Image, Voice, Text, Others
- Sources of information: Through Public Source, Through Inference, Through Other Depts / Colleagues, Through Creative Ideas, Through Legal / Statutory / Regulatory / Contractual Obligation / Requirement
Speaker notes: What are the sources of information? What are the different formats in which information exists? What are the different locations where information is stored?

7 What should be secured? What information needs to be secured?
Speaker notes: Discuss the different characteristics of information such as Availability, Accountability, Accuracy, Integrity, Confidentiality etc.

8 Information Security Triad
- Confidentiality: protection against unauthorized disclosure of information; ensuring privacy.
- Integrity: protection against unauthorized changes to information; ensuring completeness, accuracy, and validity.
- Availability: ensuring information is available as and when required by the business.

9 How to Secure Information?
1. To secure information we need an information security framework in place.
2. This framework ideally consists of developing and documenting several Security Policies, Procedures and Guidelines.
3. Security policies and procedures need to be communicated to the end-users.
4. Training and awareness is one of the effective and preventive methods of securing information.
5. Regular ISMS audits need to be conducted to ensure compliance with the security policies and procedures.
6. Management should review the ISMS and provide its inputs to improve the ISMS.
7. ISMS is a continuous cycle of improvement and does not stop at merely achieving ISMS certification.

10 ISO 27001: An Overview
- ISO 27001 is the most internationally accepted information security standard.
- The standard essentially gives specifications, guidance and direction to implement an Information Security Management System (ISMS) to dynamically address and manage information security risks faced by an organization.
- Mandatory clauses: 4 to 8
- Normative References: 133 controls, 39 control objectives, 11 Domains
Speaker notes: ISO 27001 is a standard released by the International Organization for Standardization (ISO, Geneva). The standard consists of two parts: Mandatory Clauses and Normative References. Mandatory clauses lay the basic foundation to build an Information Security Management System, such as defining and documenting the ISMS scope (physical and logical boundaries), the Information Security Management Forum (to drive the ISMS), the Information Security Implementation Team (to implement the IS controls) and the Internal Audit team (to conduct audits and ensure compliance with the organization's info-sec policies and procedures).

11 ISMS implementation at Godrej & Boyce
Plan: Establish the context
- Define ISMS scope
- Define policy
- Identify risks
- Assess risks
- Select control objectives and controls for treatment of risks
- Prepare a statement of applicability (SoA)
Do: Implement and operate
- Formulate a risk treatment plan
- Implement the risk treatment plan
- Implement controls selected to meet the control objectives
Check: Monitor and review
- Execute monitoring procedures
- Undertake regular reviews of the effectiveness
- Conduct internal audits at planned intervals
Act: Maintain and Improve
- Implement identified improvements
- Take appropriate corrective and preventive actions
- Communicate the results and actions and agree with all interested parties
- Ensure that improvements achieve their intended objectives
(Diagram: Plan, Do, Check, Act cycle of continual improvement)

12 ISMS Scope
There are 10 Departments in scope of ISMS:
- BAAN
- BIG (BIG 1, BIG 2, WPDG)
- Finance
- HR Soft (HR Soft, HR Pay)
- HR
- OTG SS
- OTG NS
- OTG CO
- OTG IS
- QA

13 Risk Management Methodology
- Identification and classification of assets
- Asset sensitivity ratings
- Asset-wise risk assessment
- Risk Treatment
- Designing policies and procedures

14 Godrej & Boyce Information Security Organization

15 Godrej & Boyce Security Organization Structure
- Information Security Management Forum (ISMF)
- Information Security Officer
- Information Security Implementation / Management Team (ISIT)
Speaker notes: What is ISC, ISO, Compliance Champions? Names are displayed in the slides to come.

16 Godrej & Boyce Information Security Management Forum (ISMF)
- PIMPARKAR A R - CEO-GITL
- PATANKAR S V - GM
- RAUT SUSHIL S - HEAD OTG
- VAISHALI VICTOR RAJ - HEAD HR
- KHANDHAR BHAVESH K - HEAD FINANCE
- FERNANDES S V - MR QMS
- RUPARELIYA NARENDRA G - CORP PURC

17 Information Security Officer
ARIF BHATKAR (OTG IS)

18 Godrej & Boyce Information Security Implementation Team
- NIRMALA R. THADANI - QA
- UNA PRAVEEN SATHAYE - WPDG
- RANJAN BHAVSAR - BIG
- ABHISHEK SUNANDAN - BIG
- SRILAKSHMI NUNNA - HRSOFT / HR PAY
- SHWETA PAGNIS - HR SOFT / HRPAY
- DHANYA MATHEW - HR SOFT / HR PAY
- SRINIVAS SINGH - BAAN
- VISHAL KUMAR - BAAN
- AROON BAKSHI - OTG NS
- ANUP BHAROT - OTG NS
- SATAM V S - OTG SS (UNIX)
- VASUDEO KELKAR - OTG SS (UNIX / LINUX)
- THOMAS P V - OTG SS (WINDOWS)
- PRASID MUKHERJI - OTG IS
- ARUN J SHIRODKAR - OTG CO
- HITESH PANCHAL - OTG CO
- HYACINTHA LOPES - HR
- SUCHIT SHAH - FINANCE

19 Information Security Policies and Procedures

20 Information Security Policies and Procedures
- Godrej & Boyce Information Security Policies and Procedures are available on the GITL Intranet.
- All employees should read and understand these policies and procedures.
- Non-compliance with Godrej & Boyce Information Security Policies / Procedures may lead to disciplinary action.

21 Data Classification

22 Data Classification
- Classification Scheme: Public, Internal, Confidential
- Consistent labeling and handling of information assets
- Declassification / Downgrading
- Sensitive documents and data storage media should be stored in physically secure locations
- Disposal guidelines
Speaker notes: This deals with the Procedure for Information Classification, Labeling and Handling.
Classification Scheme: to be discussed in detail in the next slides.
Consistent Classification Labeling: All information must be labeled, from the time it is created until the time it is destroyed or re-labelled. Such markings must appear on all the information (hard copies, floppy disks, CD-ROMs, etc.).
Declassification / Downgrading: The designated information owner may, at any time, declassify or downgrade information. The owner must change the classification label appearing on the original document and notify all known recipients / users.
Disposal guidelines: Use secure means of disposal. Record its disposal. Check that data storage media such as backup devices, hard disks, CDs etc. have been erased prior to disposal.

23 Classification Scheme
Confidential: Applies to sensitive business information, the unwanted disclosure of which can bring substantial financial damage, damage to the company's reputation or lead to grave legal consequences. This also applies to information which can be of value to competitors and can influence the success or the existence of the entire company or part of its business. Access to Confidential information is restricted to only a few employees or associated entities. Confidential information / documents will not be available to all the people within G&B-DC or to outsiders.
Example: Strategy planning, approach papers, client papers, bids
Internal: Applies to business information for which unwanted disclosure can have damaging consequences. This is generally information which is accessible to a wide circle of employees but is not intended for outsiders.
Example: Emails, Internal Communication, Process documents, Operating Procedures etc.

24 Classification Scheme
Public: This classification applies to information which has been explicitly approved by the management for release to the public. (No visible classification required; any document not found classified will be treated as a public document.) By definition, there is no such thing as unauthorized disclosure of this information and it may be freely disseminated without potential harm.
Example: Press releases, Information on websites etc.

25 Physical Security User Responsibilities

26 Physical Security User Responsibilities
- Always escort visitors.
- Display your identification badge when on Godrej premises.
- Loss of an identity badge / access card should be reported to HR.
- If you notice something suspicious, please bring it to the notice of the security guard or the ISO.
- All visitors should make an entry in the visitor register.
- Users should also declare their electronic belongings, e.g. laptops, pendrives etc.

27 Password Security

28 Password Security
Do's
- Change your passwords regularly, on expiry or when compromised.
- Use strong passwords meeting the password criteria.
- In case of a password reset or issue of a new password, contact the system / application administrators.
Don'ts
- Use the same password for Godrej accounts as for other commercial or personal accounts.
- Share your user credentials with others.
- Use the "Remember Password" feature of applications.
- Reveal a password over the phone to ANYONE.
- Reveal a password in an email message.
- Reveal a password to your supervisor or others in your reporting function.
- Hint at the format of a password (e.g., "my family name").
- Reveal a password on questionnaires or security forms.

29 Password Criteria
- Passwords of information systems will be of a minimum length of 8 characters.
- The characters in the password will be a combination of numeric, alphabetic and special characters.
- The passwords will be difficult to guess or derive by using personal information such as names, telephone numbers, dates of birth etc.
- Passwords will be changed every 60 days.
- Password history will be maintained for the 5 past used passwords.
- All temporary passwords will be changed at first log-on.
- Passwords in any automated log-on process will be avoided.

30 Strong Passwords - Example
- I Am Working In Godrej For Last 4 Years
- InfoSec is my Responsibility today onwards
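The password criteria on slide 29 can be enforced by a small validator. The following is an added example, not code from the deck or from Godrej & Boyce; the personal-information list, the salted PBKDF2 history store and the sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re
from datetime import date

# Policy values taken from slide 29 of the deck.
MIN_LENGTH = 8        # minimum password length
MAX_AGE_DAYS = 60     # passwords are changed every 60 days
HISTORY_DEPTH = 5     # the last 5 passwords may not be reused

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest, so the history never stores passwords in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def remember(history: list, password: str) -> None:
    """Append a (salt, digest) pair to the user's password history."""
    salt = os.urandom(16)
    history.append((salt, hash_password(password, salt)))

def check_password(candidate: str, personal_info: list, history: list) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("no alphabetic character")
    if not re.search(r"[0-9]", candidate):
        problems.append("no numeric character")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no special character")
    # Names, phone numbers and dates of birth must not be derivable from the password;
    # compare on letters and digits only, so "Arif@2023!" is still caught by "Arif".
    normalized = re.sub(r"[^a-z0-9]", "", candidate.lower())
    for item in personal_info:
        for part in item.split():
            token = re.sub(r"[^a-z0-9]", "", part.lower())
            if len(token) >= 3 and token in normalized:
                problems.append(f"derived from personal information: {part}")
    # Password history: reject any of the last HISTORY_DEPTH passwords.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(candidate, salt), digest):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
            break
    return problems

def password_expired(last_changed: date, today: date, temporary: bool = False) -> bool:
    """A temporary password expires at first log-on; others after MAX_AGE_DAYS."""
    return temporary or (today - last_changed).days >= MAX_AGE_DAYS
```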

31 Email Security: Acceptable Use Policy - Email

32 Email Security
Godrej & Boyce email must be used primarily for business purposes only.
User Responsibilities
- Do not automatically forward or send/receive emails to any address outside the Godrej domain.
- Do not access personal email from Godrej facilities.
- Do not send chain letters or joke emails.
- Employees receiving emails which contain offensive content should immediately report this to the OTG.
- G&B-DC employees should not indulge in unauthorized use or forging of email header information.
- G&B-DC employees should not publish their company email id on public newsgroups or non-work-related websites, since this might result in spam attacks.
- All unnecessary emails should be deleted to conserve disk space.
- Files larger than 1 MB should be zipped before sending; emails with attachments should not exceed 5 MB.
- Godrej & Boyce has the right to read / review any email message as and when required.

33 System and Network Security: Acceptable Use Policy - Information processing equipment and services

34 System and Network Security
The following is prohibited:
- Unauthorized copying of copyrighted material.
- Introduction of malicious programs into the Godrej & Boyce network.
- Port scanning or security scanning by end users.
- Using Godrej & Boyce computing assets to transmit offensive material.
- Giving access to telnet, ftp or any other service to an external party.
- Unwanted software should not be downloaded onto desktops and servers.

35 Desktop and Laptop Security

36 Desktop and Laptop Security
- Users should not change any settings on the laptop.
- Users shall ensure that they have the latest anti-virus software / security patches installed.
- Ensure the laptop is physically secured at all times.
- Pirated, freeware and shareware software shall not be downloaded or installed onto user laptops.
- Desktops and laptops should be hardened as per the Hardening Guidelines.

37 Clear Desk Clear Screen

38 Speaker notes: Focus on this slide to let the users realise what we are coming to.

39 Clear Desk Clear Screen
- Lock your workstation before leaving your desk: press Ctrl + Alt + Del and click on "Lock Computer". For Windows XP systems, press Windows + L to lock the PC.
- Clear off all documents from your desk at the end of the day.
- Keep all sensitive documents under lock and key.
- Do not leave keys unattended.
- Clear off whiteboards when you vacate meeting rooms.

40 Exceptions

41 Exceptions
All EXCEPTIONS for use of devices/services such as USB drives/Pen drives/Data Cards, software etc. will be approved and authorized by Head-Technology on a need basis.

42 Social Engineering

43 Social Engineering
Social Engineering is the human side of breaking into our systems and network. Social engineers tend to exploit social attributes like:
- Trust
- The desire to be 'helpful'
- The wish to get something for nothing
- Curiosity
- Fear of the unknown, or of losing something
- Ignorance
- Carelessness and/or complacence
Your Responsibility
- Take care not to give out information which is critical, sensitive, or personal in nature.
- Be especially alert if someone calls and tries to use authority to obtain information.
- When in doubt, seek advice from your manager.
Speaker notes: Give real-life examples to make the concept clearly understood.

44 Information Security Incident Reporting

45 What are Information Security Incidents?
An Incident is any event, real or suspected, that can adversely affect the security of the organization's information and information assets.
Examples of Incidents:
- Hacking, information leakage
- Hardware / Software crashes, network disruption / slowdown
- Power outage leading to disruption of services
- Social incidents like terrorism, strikes, mass absences
- Non-compliance with Godrej & Boyce Information Security Policies and Procedures
- Malware attacks

46 Incident Reporting
Immediately report the incident via Speedflow or report it to the ISO or ISIT members.

47 In case of any queries, contact the Information Security Management Team or the Information Security Officer.

48 Thank you

