Information Risk Workforce Orientation
8/12/2019 Information Risk Workforce Orientation
AEGON - Internal Use Only
This is a summary of Company Information Security Policies to assist new workforce members. Workforce
members include any employee, agent or third party who uses the AEGON companies' internal resources on
behalf of the Company. It is not intended to be an all-encompassing document, but a quick overview to provide
initial direction until new workers have had time to become better acquainted with the full Information Risk Program.
Your Commitment
As a new workforce member of the AEGON companies, it is important for you to
understand that maintaining a secure and reliable environment is vital to protecting
Company information assets. Your commitment is important to the Company as well as
its customers, business partners, stockholders, and employees.
Introduction
Why is this Important?
A large amount of the information handled by those working at the Company can be
considered business critical and confidential, and should be handled appropriately.
Your awareness and proper handling of information assets both internally and
externally to the Company is essential in order to minimize risks (e.g. unauthorized
disclosure or modification).
An impact to business critical and confidential information assets could adversely
affect the business interests of the Company or its customers, business partners,
stockholders or employees.
Policies and programs are in place to safeguard Company information assets. All
workforce members are responsible for understanding and complying with these
policies and programs, and are accountable for reporting any known or suspected
violations. In this orientation, you will be introduced to some of those policies and
programs.
Information Assets
What is an Information Asset?
An information asset is any data owned and/or maintained by the Company for business purposes. Information assets can originate from our business units, partners, customers
or employees and may include data elements such as:
Health Information (e.g., lab results, health condition, medications used, etc.)
Personal Information (e.g., Social Security Number, driver's license number, Date of Birth, etc.)
Financial Information (e.g., policy number, bank account and credit card numbers,
etc.)
Some Company information assets are protected by federal and state laws. Special
precautions need to be taken when handling and combining customer/employee names
with other sensitive data elements such as:
Customer/Employee Names and
Personal Data
Social Security Numbers
Account/Policy Numbers
Merger/Acquisition Information
Credit Card Numbers
New Product Information
Policy Information
Company Financial Data
Those working at the AEGON companies are exposed to information assets on a daily basis. If you are in contact with any of the following, you are exposed to Company
information assets:
Billing Information
Employee/Personnel Data
Internal/Confidential Memos/Reports/Documents
Customer Account/Policy Records
eCommerce Websites
Product Development Plans
Financial Statistics and Statements
An information asset can be accessed, maintained and stored in electronic (digital) or
paper form. Common forms include computer hardware, software, storage media, and
portable devices, for example:
Computers/Laptops/Servers
Cell Phones/Blackberry Devices
Emails/Faxes
Memos/Reports/Documents
USB Storage Devices
Tape/Cartridge Storage Media
CD/DVDs
Websites
Information Asset Confidentiality Classification
The sensitivity and handling of an information asset is determined by its confidentiality
classification. An information asset that is labeled or categorized with any of the following
classifications is considered to be sensitive:
Strictly Confidential - The most sensitive. Compromise would lead to financial, legal or competitive impact or fraud. (Examples include: reorganization plans, merger and
acquisition information, new product launches, unannounced financial statements, etc.)
Confidential - Compromise could potentially lead to financial, legal or competitive impact or fraud. (Examples include: customer data, passwords, encryption keys,
employee personal and private information, payroll information, business plans, etc.)
Internal (Proprietary) - Disclosure outside of the Company, employees, and third parties should be avoided to reduce the risk of compromise. (Examples include: inter-office
memos, policies and procedures, operational guidelines, bulletins, training
material, etc.)
An information asset that is labeled or categorized with the following classification is
considered to be non-sensitive:
Public - Refers to all information determined not to be confidential or internal/proprietary. This information comes from public sources or is provided by the
Company to the general public.
Managing Information Assets
It is essential to understand how information flows both internally and externally in order to minimize risks associated with information assets.
The emergence of more strict industry and regulatory information handling mandates,
such as data privacy regulations, require companies to implement reasonable internal
controls.
It is important to demonstrate that proper protection is always applied to sensitive
information assets.
Information assets must be managed and protected while:
In Use - Information that is currently being accessed and within a person's or organization's control.
In Motion (or in transit) - Information that is being transported from its origin or resting
location to another location.
At Rest - Information in storage.
Sanitizing or Disposing (Destruction) - The process of purging or physically damaging the information asset so that it is not usable and there is no known method
for unauthorized individuals to retrieve the information.
Information Risks
What are the key risks to our Information Assets?
The key risks associated with Company information assets are:
Unauthorized Disclosure - The act of making known or revealing sensitive information
(e.g., customer account information, internal corporate knowledge, etc.) to unauthorized
groups or individuals.
Unauthorized Modification - To alter or change the structure, condition or meaning of
information (e.g., customer account information, financial data, etc.) without approval.
Unauthorized Destruction - To eliminate the existence, structure, or condition of
information (e.g., computer hard drives, web servers, database tables, etc.) without
approval.
Loss of Availability - Inaccessibility of information assets or systems (e.g., customer
account information, billing systems, websites, etc.) to users approved for access.
Information Risk Management
What is Information Risk Management?
Information Risk Management helps the AEGON companies analyze the risk to their information assets by conducting risk assessments to determine:
What are the threats or vulnerabilities to our business operations or systems?
Should vulnerabilities be proactively addressed to lower the level of risk?
What controls do we have in place to protect us from threats, and how strong are those
controls?
What is the likelihood that an event or incident will occur given our current level of risk
management?
If an event or incident does occur, what is the impact to the business?
What level of risk is acceptable?
What mitigation activities need to be completed in order to more effectively manage the risks to Company business?
The bottom line at the AEGON companies: risk management
is everyone's responsibility!
How Can I Help Manage Information Risks?
As a new workforce member, you may be wondering:
How can I help protect Company information assets?
What can I do to maintain a secure environment and safeguard
this workplace?
Where can I find more information?
Who can I ask if I have questions?
The following will explain how YOU can help manage risks to Company information
assets by your:
Knowledge of Information Management and Classification (IM&C); Record Retention.
Compliance with General Information Security Policies and applied safeguards (e.g.
Internet Usage, Electronic Communication, Access Controls, User IDs, Passwords,
Physical Access, Workplace, Mobile Computing Security, etc.)
Recognition and Reporting of Security Incidents.
Awareness in Business Continuity efforts.
Information Management and Classification Program (IM&C)
Ask yourself these questions:
Would I like my hospital to protect my healthcare information?
Would I like my bank to ensure my financial information is complete and accurate?
Would I like my bank to ensure my money is available when I need it?
At the AEGON Companies, the IM&C Program focuses on:
Confidentiality - Information is accessible only by those who are authorized. IM&C helps to prevent unauthorized access to or disclosure of sensitive information, which
may result in legal liability or customer distrust.
Integrity - Information is accurate and complete. IM&C helps to protect critical business information assets from the risks which may compromise accuracy or completeness.
Availability - Information is available when it is required. IM&C helps to identify the risks which may prevent critical business information assets from being available.
Record Retention
Federal and State laws and regulations require that the AEGON companies retain certain records for specified periods of time. In addition, records may need to be retrieved by the
Company to assist with its operations. Thus, good recordkeeping practices are an
important business function.
The Record Retention Program:
Defines guidance for determining what constitutes a Record.
Defines record types.
Determines retention periods for record types.
Defines specific destruction requirements.
Facilitates proper classification, indexing and storage methods.
Contact a manager or Record Retention representative for more information about your
division's program and your responsibilities.
General Information Security Policies and Safeguards
Throughout your time at the AEGON companies, you will become aware of many different policies and safeguards aimed at protecting the confidentiality, integrity and availability of
Company information assets. The following sections will make you aware of the key General
Information Security Policies and practical safeguards including:
Internet Usage
Electronic Communication
Access Controls
User Identification Basics
Password Safeguards
Physical Access / Workplace Safeguards
Clear Desk / Clear Screen
Mobile Computing
Internet Usage Policy
When using the Internet, you must follow the Internet Usage Policy, which includes:
Use mainly for business purposes and only for incidental or occasional personal use.
All Company provided Internet resources remain the property of the AEGON companies
and are subject to monitoring at any time.
Internet use is a privilege, not a right, and access may be revoked at any time.
The Company has a right to restrict access to websites it deems inappropriate or a high
risk to information assets.
Do not engage in activities that conflict with Company business interests or operations.
Unless specifically authorized by the Company, do not post Company information on public
websites (e.g. Facebook, Twitter, etc.).
If you post to a blog site, your affiliation to the Company is known, and you reference the
Company or the financial services industry in general, a disclaimer must be included that
clearly states your post is your opinion only and does not reflect the opinion or position of
the AEGON companies.
If you witness Internet usage that you consider to be a violation of this policy, refer to
Recognizing and Reporting a Security Incident for details.
Electronic Communication Policy
Applies, for example, to e-mail, Web-Mail, Instant Messaging, Blogging, Voice Mail and Phones
(e.g., Landline, Cell, Smart Phones). It is important that you follow the electronic communication
policy including, but not limited to:
Use mainly for business purposes and only for incidental or occasional personal use.
All electronic communications conducted via Company systems are the property of AEGON
companies and are subject to review at any time.
Sensitive information must never be sent via e-mail or other electronic file transfer methods
unless proper safeguards are applied, such as encryption.
Do not forward internal electronic communications outside of the Company without prior
consent from the originator or information owner.
Do not engage in activities that conflict with Company business interests or operations.
E-mail from unknown sources is a risk. As a general rule, do not open e-mail attachments
from those you don't know.
Access Controls
All technical and physical access controls at the Company are established to limit the
access rights an individual has to information assets including information, systems,
business applications and buildings:
Access is granted on a need-to-know basis; you are granted access only to what is needed for your job function.
Requests for access to information assets must be approved by the information asset owner or his/her authorized designee.
Challenge anyone who does not appear to have a need-to-know.
Once you are granted access to a given system, you must never:
Use any element of the system that you are not authorized to use.
Attempt to bypass any access control system.
User Identification Basics
To properly identify a user, a unique User Name (User ID) is assigned to each individual.
Once you have been assigned a User ID, each system that you access will require you to
provide your User ID along with a password.
It is important to remember:
User IDs must only be used by those to whom they are assigned. Do NOT share your
User ID! You are accountable for all activity performed using your User ID.
Use Ctrl+Alt+Delete and then Enter (or press the Windows key + L) to lock your desktop or laptop when leaving it unattended for any reason.
Log out from your desktop or laptop upon leaving the office for the day or when no
longer being used.
Password Safeguards
The security provided by a User ID depends on the password being kept secret at all times.
Your password is the proof of your identity and should be properly safeguarded.
Never share your password. If your password is disclosed, contact your Divisional Information
Security Officer (DISO) immediately. Remember: keep your password confidential!
Do not ask others to reveal their password to you.
Never write down your password.
Do not use the "remember my password" feature on any internet site.
Your password must be changed at regular intervals.
Create strong passwords using a combination of upper case, lower case, standard
symbols (e.g., +, $, &, etc.), and at least one numeric character.
Your password should be easy for you to remember and
difficult for others to guess.
Physical Access / Workplace Safeguards
Physical Access Safeguards are in place at the AEGON companies and must be followed by workforce members at all times. Maintaining good physical security requires the
following:
All individuals entering Company facilities are assigned an ID Card (or Badge) which must be
visibly worn at all times.
Each workforce member should use his/her own ID Card to enter secured areas. Do not share your ID Card with anyone.
If you forget your ID Card, contact Facilities Security Management to obtain a temporary ID
Card for entry.
ID Cards that have been lost or stolen must be reported immediately to Human Resources or
Facilities Security Management.
All visitors must sign in and be escorted at all times.
Be aware of unknown individuals who try to follow you into a secured area without using their
own ID Card (also known as piggybacking or tailgating).
Report any suspicious behavior to a local facility security contact, DISO, or to a manager.
Clear Desk / Clear Screen
When at your workplace or leaving the office, follow these simple safeguards to assist in protecting information assets:
Do not leave sensitive information accessible within your work area or on printers or fax
machines. Use the password function when available.
At the end of the day, secure all sensitive paperwork in a locked drawer or cabinet.
Secure mobile devices including your laptop, cell/smart phones, PDA, USB drives, etc.
Remove sticky notes from your desk that contain sensitive information.
Do not leave sensitive information in your waste bin. Use Company provided locked
disposal bins to discard sensitive items (e.g., papers, diskettes, CDs, etc.).
If you are unsure whether something should be recycled or shredded, use the locked disposal bins as a precaution.
Use Ctrl+Alt+Delete (or Windows key + L) to lock your desktop or laptop when leaving it unattended for any reason.
Log out from your desktop or laptop upon leaving the
office for the day or when no longer being used.
Additional Safeguards
Physical security personnel located at the various entrances into the building are
there for your protection. Be cooperative with their requests for identification.
Do not discuss Company business or other information that may be considered
confidential or sensitive in public places where you may be heard.
Clean meeting rooms including tables, waste bins and whiteboards.
Do not prop doors open. This may allow unauthorized entry and trigger an alarm.
For additional information on Information Security Policies,
including safeguards, reference the following
Enterprise Information Risk Management Intranet site:
http://intranet.ds.global/transamerica/enterprise/irm/Pages/default.aspx
Contact the Division Information Security Officer (DISO) for
supplemental information referencing Information Security
Policies and safeguards.
8/12/2019 Information Risk Workforce Orientation
22/29
22
General Information Security Policies & Safeguards
AEGON - Internal Use Only
Traveling, Telecommuting, Mobile Computing
Today, most business professionals use laptops and other mobile equipment while at home, traveling, and as a part of their normal business routine. This equipment may include
laptops, cell phones, personal digital assistants (PDAs), Smart Phones, pagers, VPN tokens, USB drives, etc.
This type of equipment is easily lost, stolen or observed by others, which makes it extremely vulnerable. To minimize the risk, extra precautions are
required while in the office, working remotely or traveling.
All Company policies, programs and safeguards still apply outside Company facilities
and must not be bypassed.
Do not conduct Company business or access information that may be considered as
confidential or sensitive in public places where it may be seen by unauthorized
individuals (e.g., airports, planes, restaurants, hotel lobbies, etc.).
Obey all applicable state and local laws regarding the usage of this type of equipment while traveling.
All Mobile Devices (including laptops, cell phones, Smart Phones, PDAs, etc.)
You are accountable for all activity performed with any Company mobile device assigned
to you.
Company mobile devices assigned to you must not be used by anyone but you.
Company equipment must not be left unattended or unsecured in public areas. (e.g.,
hotel rooms, automobiles, restaurants, airports, etc.)
Always use a cable lock to secure your laptop in unsecured locations.
Loss or theft of Company mobile devices must be reported immediately. Refer to
Recognizing and Reporting a Security Incident for more details.
Your mobile devices, such as laptops and USB drives, must employ Company standard
encryption.
Do not communicate sensitive information using Text or Instant Messaging.
The Company does not allow synchronizing e-mail to a personal PDA (a Company
issued Blackberry is permissible).
All business critical files stored on local drives must be backed up to Company network
drives to prevent unintentional or malicious loss of data.
Recognizing and Reporting a Security Incident
All workforce members are responsible for compliance with the Company Information Security Policy and are accountable for reporting any known or suspected violations.
Reporting a security breach as soon as it is noticed is paramount. Quick reporting can help
to minimize potential damage to the Company or to its customers, business partners,
stockholders, and employees.
Be on the lookout for the following:
Files or systems that should be accessible to you are suddenly unavailable or missing.
Output of sensitive and confidential information found in printer trays, left unprotected in
the work area, or sent to the wrong person or group.
Unauthorized persons or personnel are discovered in the work area.
Files appear, disappear, or undergo significant and unexpected changes in size.
Your password has been changed without your knowledge or involvement.
Report these or any other anomalies to a manager, the Divisional Information Security
Officer (DISO), the S.H.A.R.E. hotline (1-866-263-7787), the AIT Customer Service Center
(1-888-852-4357) or the Enterprise Information Risk Management Intranet site:
http://intranet.ds.global/transamerica/enterprise/irm/Pages/report-an-incident.aspx
8/12/2019 Information Risk Workforce Orientation
25/29
25
Business Continuity
AEGON - Internal Use Only
Business Continuity
Business Continuity is about keeping the AEGON companies operating during any planned or unplanned business disruption. Business Continuity helps the Company to be proactively
prepared for such an event.
Events can be caused by natural or man-made disasters and may include: floods,
hurricanes, blizzards, earthquakes, terrorists, power outages or technology failures.
The Business Continuity framework is divided into three phases:
Assessment - Ensures that the Company assumes the correct level of risk, since not
all risks can be totally eliminated or controlled. Understanding the critical processes
and their associated risks will help protect against unanticipated losses that could
significantly affect personnel, property, revenues and the ability to fulfill responsibilities
to customers, employees, shareholders, and the public.
Preparedness - Ensures that the Company is able to recover from potential disruptive
events. This is accomplished by having a comprehensive Business Continuity Plan that includes strategy, recovery and testing phases.
Event Management - Execution of Business Continuity Plans. In the event of an
outage, quick response and recovery are critical. This phase ensures that relief and
restoration activities are performed to restore the business functions to a pre-event
status.
At the AEGON companies your participation is critical in many ways. We have plans, but it's your responsibility to become familiar with the departmental emergency response plan
by doing the following:
Know where the emergency shelter area is within the building.
Know where the meeting place is when you evacuate the building.
Identify the floor marshal.
Identify the BCP coordinator in the department and discuss your role.
Maintain your current contact information to preserve the integrity of essential
emergency communication channels.
For More Information
Visit the Enterprise Information Risk Management Intranet Site for additional information,
including Information Security Policies, Business Continuity, Disaster Recovery and much
more. Check out the website today!
http://intranet.ds.global/transamerica/enterprise/irm/Pages/default.aspx
Divisions may have additional information including information security procedures,
guidelines and resources available (e.g. intranet sites).
Contact the Divisional Information Security Officer (DISO), Risk Manager, or Business
Continuity Planning (BCP) Manager for questions regarding topics covered in this
orientation.
http://intranet.ds.global/transamerica/enterprise/irm/Pages/contact-us.aspx
My Information Security Acknowledgement (Use only if there is NO signed Non-Disclosure Agreement with the individual, contractor or entity)
Violations of the Information Security Policies, Standards and Procedures jeopardize the Company in a number of
ways. Issues will be investigated and, if a violation occurred, corrective action may include, but not be limited to:
Loss of access privileges to information assets
Termination of working relationship
Other actions as deemed appropriate by management
Corrective action will be consistent with the nature of the incident in the context of all relevant circumstances.
I acknowledge that:
I have viewed the AEGON Companies Information Risk Workforce Orientation about Information Security;
Confidential business information is an important asset of the Company;
It is my responsibility to protect the confidentiality, integrity and availability of Company information;
I must report any suspected security incident to the manager, the Divisional Information Security Officer,
S.H.A.R.E. hotline, AIT Customer Service Center or the Enterprise Information Risk Management Intranet;
Information security breaches are investigated and it is my responsibility to cooperate fully in any investigation;
Any violation of Information Security Policies, Standards or Procedures may result in termination of the work
relationship; e-mail and the Internet are primarily for business use and may be monitored by the Company.
PLEASE SIGN HERE TO ACKNOWLEDGE:
Name (print) ______________________________________
Signature ________________________________________
Date ____________________________________________