Information Security Awareness Session PDF
Document Details
Uploaded by Deleted User
2021
Summary
This document is the transcript of an information security awareness session covering an introduction to ISMS (ISO 27001:2013), the core principles of information security, user responsibilities, the acceptable usage policy, and the purpose of and expectations from the training. The content emphasizes the importance of information security and of following good computing practices at work and at home.
Full Transcript
Information Security Awareness Session, 7/7/2021

Contents:
- Introduction to ISMS
- Core Principles of Information Security
- User Responsibilities – Security practices
- Acceptable Usage Policy
- Summary

Purpose
Why do I need to learn about security? Good security standards follow the "90/10" rule: 10% of security safeguards are technical; 90% of security safeguards rely on the computer user adhering to good computing practices.
Example: the lock on the door is the 10%. Remembering to lock it, checking that it is closed, ensuring others do not prop the door open, and keeping control of the keys is the 90%. The 10% of technical security is worthless without the user.

Expectations
- Embrace the change
- Appreciate the value of the information you handle
- Be aware of your actions
- Seek help and advice
- Understand and adhere to policies, procedures and guidelines; the same are uploaded on SSO
- Ask when in doubt
- Know the risks
- Be proactive
- Adopt good security practices at work and at home
- Participate proactively in training sessions
- Go through the training material shared by the Compliance team
- Promptly report incidents/unusual events to [email protected]

Introduction to ISMS: ISO 27001:2013
INFORMATION: knowledge / factual data.
Why is information tagged as an asset? "One of the KEY ingredients that drives your business is INFORMATION." Hence information is an asset that, like any other business asset, is essential to an organization's business and consequently needs to be suitably protected.
Information Security: protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, reuse, inspection, recording or destruction.
Information Security Management: the process of effectively managing the threats and risks to your organization's information through a system.
Information Security Management System (ISMS): the part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves information security.

Where Does Information Lie In An Organization?
Every department in an organization has information.
- Finance & Accounts: company financials, costing and analysis reports, agreements, accounting statements, etc.
- Human Resource: employee personal information, payroll-related and other relevant information.
- Project Operations: project plans and drawings, manuals, license copies, third-party certificates, etc.
- Admin: administration budget report, building plan, purchase orders, work orders, agreements, justification reports, etc.
- IT & Related Services: network layout, server configuration, SAP database, critical processing software (payroll), intranet portal, etc.

Information and Supporting Assets
Storing, Using, Accessing (diagram slide; only the labels survive in the transcript).

Core Principles of Information Security
Information security is the preservation of confidentiality, integrity and availability of information (as defined in the ISO 27001 standard, Terms and Definitions, section 3.4).
- Confidentiality: policy information / personal details of policy holders
- Integrity: maintaining the correctness of the policy records
- Availability: policy terms and records/portals are accessible when required

Major Risk Factors: People, Process or Technology
Source: survey conducted by Gartner Inc., a leading information technology research and advisory company.

IT Security & Information Security
IT Security:
- Use a firewall
- Install antivirus software
- Choose a reputable pop-up blocker
- Protect IT resources and assets
- Access control
- Password protection
- Update your computer's operating system from time to time
- Physically safeguard your computer
Information Security:
- Comply with all legal regulations (IT Act)
- Supplier relationships and HR security
- Protection of information in all forms
- Strangers on the floor

User Responsibilities
- Display your identification badge prominently within the premises.
- Never let others use your identity badge; the trail will lead to you.
- Never leave your identity badge unattended; keep it with you always.
- Loss of an identity badge should be reported to the concerned authorities immediately.
- Employees must ensure that visitors follow the Information Security policy. Educate visitors to wear visitor badges while on the premises and to declare all IT assets and storage media.
- Do not leave access-controlled doors open; do not allow tailgating or piggybacking.
- Users must promptly inform security if they notice a stranger without a badge.

Information Weapons – Data Storage (image slide)

Social Engineering – DOs & DON'Ts
- Be cautious when asked for unusual requests, such as a password, CVV or PIN.
- Never give away your passwords or credentials.
- Seek the necessary approvals before sharing any critical information.
- Discuss confidential information over the telephone only after confirming the identity of the receiver.
- Ensure your conversation is not overheard by unauthorized persons.
- The best safeguard against a social engineering attack is "Verify, Verify, Verify".
- Never respond to unsolicited phone calls, visits or email messages from individuals asking about organizational information unless you have verified their authenticity.

Password Security
- The minimum length shall be 8 characters.
- The password shall be a combination of alphabetic, numeric and special characters as per the password policy.
- The password shall not be the same as the user name or user ID.
- Do not use your own name, a short form of your name, your initials, or the names of family, friends, co-workers, the organization or popular characters.
- The password must be changed every 60 days.
- Do not use dictionary words as part of your password.
- Do not display usernames or passwords on notice boards.
- Passwords should not be shared with anyone, not even with your leads and managers.
- The previous 5 passwords should not be reused.

Examples of Strong Passwords
- i@wiJu5tdial3y = I am working in Jd for last 3 years
- Iha+a$Jd = I have a positive attitude at Justdial
- Itb*0715fB = I take bus at 07:15 from Bus stop
Any password printed in training material, including these, is public; reuse the construction method (a memorable phrase turned into mixed characters), never the strings themselves.
Refer to "ISMS-P04-Password Policy_V1.1" uploaded on SSO and adhere to it.

Laptop/Device Security
DOs:
- Follow "ISMS-P05-Acceptable Usage of Information Asset Policy" and "ISMS-P06-Physical And Environmental Security Policy" while carrying company-provided laptops.
- Guard the laptop while travelling.
- Use the company-provided device only after it has been hardened.
- Disable Bluetooth/Wi-Fi on your laptop when not in use.
- Beware of shoulder surfing while using a laptop in public places.
DON'Ts:
- Never leave laptops unattended.
- Do not access unprotected LAN or Wi-Fi networks.
- Do not allow anyone to operate your official laptop.
- Do not use simple/generic passwords.

Desktop/Laptop Usage
- Use of the company-provided computer system/laptop is restricted to official purposes only.
- Security settings, time and anti-virus configurations shall not be changed by the user without authorization.
- User IDs and passwords are sensitive information and shall not be shared.
- Default passwords, or those provided by IT, shall be changed by the end user on first login.
- Passwords shall be set in accordance with ISMS-P04-Password Policy.
- Users shall use only applications on the company's authorized software list.
- Users shall log off / shut down as appropriate when not using the computer.

E-Mail Usage
DOs:
- Any information that users consider confidential/secret should be encrypted when exchanged by email.
- Users shall keep their email password secure as per ISMS-P04-Password Policy.
- Users must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses or Trojan horse code.
- Every email should have a signature and an information security disclaimer.
DON'Ts:
- No suggestive, vulgar or obscene language.
- No spam/junk mail/advertisements.
- No chain mailers.
- No sharing of personal or private information; share information only on a need-to-know basis after proper authorization.
- Avoid mass mailing, use of email distribution lists, and unnecessary cc/bcc.
- Avoid sending messages with large file attachments to email distribution lists.

Clear Desk and Clear Screen: User Responsibilities
- Always lock your system whenever you are away from it.
- Do not keep confidential/sensitive files on the desktop of your system.
- Do not clutter the desktop of your system with too many files and folders.

Company Profile (image slide)

Acceptable Usage Policy for Employees
- Information should be classified as per the Information Labeling and Handling policy.
- Employees should take all necessary steps to prevent unauthorized access to this information.
- Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts.
- Postings by employees from a Justdial email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of Justdial, unless the posting is part of business duties.
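The ISMS-P04 rules listed on the Password Security slide, and referred back to on the desktop and e-mail slides, expressed as a checker you can run. This is an added example, not code from the deck or from Justdial. The word list, the `personal_terms` argument and the salted-hash representation of password history are assumptions made here; the numbers (8 characters, 60 days, previous 5) are the slide's.

```python
import hashlib
import re
import secrets
from datetime import date

# Numbers straight from the Password Security slide.
MIN_LENGTH = 8
MAX_AGE_DAYS = 60
HISTORY_DEPTH = 5

# Constructed stand-in for the "no dictionary words" rule; a real deployment
# would load a full wordlist (assumption, not part of the policy text).
DICTIONARY_WORDS = {"password", "welcome", "summer", "monkey", "justdial"}


def password_hash(password, salt):
    """Salted PBKDF2 so the history never stores passwords in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def record_password(history, password):
    """Append a fresh (salt, digest) pair for a newly set password."""
    salt = secrets.token_bytes(16)
    history.append((salt, password_hash(password, salt)))
    return history


def check_password(password, username, personal_terms=(), history=()):
    """Return the list of policy violations; an empty list means compliant.

    personal_terms: names the slide says to avoid (own name, initials, family,
    friends, co-workers, organization). history: (salt, digest) pairs, oldest
    first, as produced by record_password().
    """
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no alphabetic character")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    if lowered == username.lower():
        problems.append("same as user name")
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal term '{term}'")
    for word in sorted(DICTIONARY_WORDS):
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    # Only the last 5 digests matter (the "previous 5 passwords" rule).
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        if secrets.compare_digest(password_hash(password, salt), digest):
            problems.append(f"reused one of the previous {HISTORY_DEPTH} passwords")
            break
    return problems


def password_expired(set_on_iso, today_iso):
    """True once the password is older than the 60-day change interval."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(set_on_iso)
    return age.days > MAX_AGE_DAYS


if __name__ == "__main__":
    # The deck's own examples, checked against the deck's own rules.
    for candidate in ("i@wiJu5tdial3y", "Iha+a$Jd", "Itb*0715fB"):
        print(candidate, check_password(candidate, "ravi") or "OK")
```

Running it against the deck's own strong-password examples is instructive: i@wiJu5tdial3y and Itb*0715fB pass, but Iha+a$Jd contains no digit and so fails the composition rule as the slide states it. History is kept as salted PBKDF2 digests, so the "previous 5" check never requires old passwords to be stored in clear.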
The following activities are strictly prohibited, with no exceptions:
- Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Justdial.
- Making fraudulent offers of products, items or services originating from any Justdial account.

Internet Usage
- Internet usage is granted for the sole purpose of supporting business activities necessary to carry out job functions.
- All users must follow the corporate principles regarding resource usage and exercise good judgment in using the Internet.
- Employees must not disseminate any data classified as sensitive or confidential over the Internet unless it is encrypted.
- Justdial employees must use discretion when posting information using Justdial addresses on public Internet sites.
Not permitted:
- Browsing sites that do not contribute to employee productivity.
- Downloading information or any kind of material that is not required for Justdial business functionality.
- Doing anything considered malicious on public or government sites, or on any live site not owned by the employee.

Phishing
Different types of phishing:
1. Deceptive phishing: a phisher sends bulk email with a message, and users are influenced to click on a link.
2. Malware-based phishing: malicious software is run on the user's machine. The malware can be introduced as an email attachment or as a downloadable file exploiting security vulnerabilities. This is a particular threat for small and medium businesses (SMBs) that fail to update their software applications.

Example of Phishing Email / Continued / Original Site / How to Recognize? / How to Identify a Secure Website? (screenshot slides; the images are not reproduced in the transcript)
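The "How to Recognize?" and "How to Identify a Secure Website?" slides survive only as titles, so here is the check they describe, done in code: pull every link out of a message body, compare the domain the link text shows with the domain the href actually goes to, and flag plain-http and raw-IP destinations and hostnames that merely contain a trusted brand name. This is an added example, not code from the deck or from Justdial; the sample message is constructed, `TRUSTED_DOMAINS` is an assumed list, and `registrable_domain()` is a deliberately simple last-two-labels rule rather than a public-suffix lookup.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the recipient legitimately expects links from. Assumed for this
# example; a real deployment would take these from the organization's own list.
TRUSTED_DOMAINS = {"justdial.com"}

# Constructed sample message (not a real phishing email): one genuine link,
# one lookalike-domain link whose visible text lies, and one raw-IP link.
SAMPLE_EMAIL = """
<p>Dear user, your account will be locked. Verify now.</p>
<a href="https://www.justdial.com/login">https://www.justdial.com/login</a>
<a href="http://justdial.com.account-verify.net/login">https://www.justdial.com/account</a>
<a href="http://203.0.113.7/reset">Reset your password</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname ("www.justdial.com" -> "justdial.com").
    Deliberately simple; a real checker would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_links(html):
    """Return [(href, [reasons])] for every link that shows a phishing tell."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        reasons = []
        # "How to identify a secure website": no TLS means no padlock.
        if parsed.scheme != "https":
            reasons.append("not https")
        if is_ip_literal(host):
            reasons.append("raw IP address instead of a domain")
        # Visible text that looks like a URL but whose domain differs from the
        # real destination: the deceptive-phishing trick from the slide.
        shown = re.search(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
        # A trusted brand used as a label inside an untrusted domain.
        if registrable_domain(host) not in TRUSTED_DOMAINS:
            for trusted in TRUSTED_DOMAINS:
                if trusted.split(".")[0] in host:
                    reasons.append(f"lookalike of {trusted}: {host}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in assess_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

On the sample message the genuine www.justdial.com link produces nothing, the account-verify.net link is flagged three times (plain http, text/destination mismatch, brand name buried in a foreign domain), and the raw-IP link twice. The same three tells are what the user is meant to check by hovering over a link before clicking it.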
Staying Safe on Social Media
- Limit the amount of personal information you post
- Be wary of strangers
- Evaluate your settings
- Be wary of third-party applications
- Clickjacking

DOs
- Display your ID badge at all times within the premises
- Escort visitors and question strangers
- Use strong passwords and do not share them
- Follow the clear desk and clear screen policy
- Keep cupboards/drawers locked at all times when unattended
- Shred confidential documents yourself
- Ensure physical security of information assets
- Surf and transact emails correctly
- Ensure backup of information
- IT Act compliance: remove music, pornography and photographs

DON'Ts
- Do not discuss secret/confidential information in public
- Do not send confidential documents by email unless they are properly encrypted or password protected
- Do not entertain unsolicited calls seeking confidential information
- Do not install personal software and games
- Do not reuse obsolete hard copies of confidential information in printers/photocopiers

Disciplinary Process of Justdial
The following disciplinary action will be taken against any employee not following the policies and procedures laid down by Justdial:
- Warning email with a copy marked to the HOD, CIO/compliance team and IT Head
- Deactivation of login for 24 hours or until the following process is completed:
  - Signing a declaration form accepting the security breach
  - Taking a sign-off on the same from the HOD
A major security breach, including but not restricted to the list below, can lead to suspension from services or termination of employment:
- Data theft / data leak
- Manipulation of data
- Unauthorized exercise of permissions
- Suspected espionage or sabotage
- Any act on the Justdial network and its resources rendering it incapable of serving the business
- Repeated violation of security policies and procedures
Similarly, action will be taken against employees who encourage or observe such activity and do not report it to the concerned authority.

REPORTING A DATA BREACH
Any individual who accesses, uses or manages the personal data collected, stored or transmitted by Justdial is responsible for, and shall report, any actual or suspected data breach immediately to the data protection officer at [email protected].

Incident Reporting
IT incidents:
- Writing down passwords and leaving them on display or somewhere easy to find
- SPAM / junk e-mail
- Leaving unattended computers logged on
- Virus infection
- Theft of IT assets, e.g. laptops, storage devices
Non-IT incidents:
- Loss of identity card
- Visitors / employees / third parties with photography, recording or video equipment in restricted areas
- Allowing unauthorized physical access to restricted areas
Report any incident immediately to [email protected].

Any Doubts? Email: [email protected]
Thank you.