Information Risk Workforce Orientation

8/12/2019 Information Risk Workforce Orientation

1/29

Information RiskWorkforce Orientation

AEGON - Internal Use Only

This is a summary of Company Information Security Policies to assist new workforce members. Workforce

members include any employee, agent or third party who utilize AEGON companies internal resources on

behalf of the Company. It is not intended to be an all-encompassing document, but a quick overview to provide

initial direction until new workers have time to become better acquainted with the full Information Risk Program.


2/29


3/29

3AEGON - Internal Use Only

Your Commitment

As a new workforce member of the AEGON companies, it is important for you to

understand that maintaining a secure and reliable environment is vital to protecting

Company information assets. Your commitment is important to the Company as well as

its customers, business partners, stockholders, and employees.

Introduction

Why is this Important?

A large amount of the information handled by those working at the Company can be

considered business critical and confidential, and should be handled appropriately.

Your awareness and proper handling of information assets both internally and

externally to the Company is essential in order to minimize risks (e.g. unauthorized

disclosure or modification).

An impact to business critical and confidential information assets could adversely

affect the business interests of the Company or its customers, business partners,

stockholders or employees.

Policies and programs are in place to safeguard Company information assets.All

workforce members are responsible for the understanding and complying with these

policies and programs, and are accountable for reporting any known or suspected

violations. In this orientation, you will be introduced to some of those policies and

programs.


4/29

4

Information Assets


What is an Information Asset?

An information asset is any data owned and/or maintained by the Company for businesspurposes. Information assets can originate from our business units, partners, customers

or employees and may include data elements such as:

Health Information (e.g., lab results, health condition, medications used, etc.)

Personal Information (e.g., Social Security Number, drivers license number, Date ofBirth, etc.)

Financial Information (e.g., policy number, bank account and credit card numbers,

etc.)

Some Company information assets are protected by federal and state laws. Special

precautions need to be taken when handling and combining customer/employee names

with other sensitive data elements such as:

Customer/Employee Names and

Personal Data

Social Security Numbers

Account/Policy Numbers

Merger/Acquisition Information

Credit Card Numbers

New Product Information

Policy Information

Company Financial Data


5/29

5

Information Assets


What is an Information Asset?

Those working at the AEGON companies are exposed to information assets on a dailybasis. If you are in contact with any of the following, you are exposed to Company

information assets:

Billing Information

Employee/Personnel Data

Internal/ConfidentialMemos/Reports/Documents

Customer Account/Policy Records

eCommerce Websites

Product Development Plans

Financial Statistics and Statements

An information asset can be accessed, maintained and stored in electronic (digital) or

paper form. Common forms include computer hardware, software, storage media, and

portable devices, for example:

Computers/Laptops/Servers

Cell Phones/Blackberry Devices

Emails/Faxes

Memos/Reports/Documents

USB Storage Devices

Tape/Cartridge Storage Media

CD/DVDs

Websites


6/29

6

Information Assets


Information Asset Confidentiality Classification

The sensitivity and handling of an information asset is determined by its confidentiality

classification. An information asset that is labeled or categorized with any of the following

classifications is considered to be sensit ive :

Strictly ConfidentialThe most sensitive. Compromise wouldlead to financial, legalor competitive impact or fraud. (Examples include: reorganization plans, merger and

acquisition information, new product launches, unannounced financial statements, etc.)

Confidential Compromise couldpotentially lead to financial, legal or competitiveimpact or fraud. (Examples include: customer data, passwords, encryption keys,

employee personal and private information, payroll information, business plans, etc.)

Internal (Proprietary)Disclosure outside of the Company, employees, and thirdparties should be avoided to reduce the risk of compromise. (Examples include: inter-

office memos, policies and procedures, operational guidelines, bulletins, training

material, etc.)

An information asset that is labeled or categorized with the following classification is

considered to be non-sensi t ive :

Public Refers to all information determined not to be confidential orinternal/proprietary. This information comes from public sources or is provided by the

Company to the general public.


7/297

Information Assets


Managing Information Assets

It is essential to understand how information flows both internally and externally in order tominimize risks associated with information assets.

The emergence of more strict industry and regulatory information handling mandates,

such as data privacy regulations, require companies to implement reasonable internal

controls.

It is important to demonstrate that proper protection is always applied to sensitive

information assets.

Information assets must be managed and protected while:

In UseInformation that is currently being accessed and within a persons ororganizations control.

In Motion(or in transit)Information that is being transported from its origin or resting

location to another location.

At RestInformation in storage.

Sanitizing or Disposing (Destruction)The process of purging or physicallydamaging the information asset so that it is not usable and there is no known method

for unauthorized individuals to retrieve the information.


8/298

Information Risks


What are the key risks to our Information Assets?

The key risksassociated with Company information assets are:

Unauthorized Disclosure- The act of making known or revealing sensitive information

(e.g., customer account information, internal corporate knowledge, etc.) to unauthorized

groups or individuals.

Unauthorized Modification- To alter or change the structure, condition or meaning of

information (e.g., customer account information, financial data, etc.) without approval.

Unauthorized Destruction- To eliminate the existence, structure, or condition of

information (e.g., computer hard drives, web servers, database tables, etc.) without

approval.

Loss of Availability - Inaccessibility of information assets or systems (e.g., customer

account information, billing systems, websites, etc.) to users approved for access.


9/299

Information Risk Management


What is Information Risk Management?

Information Risk Management helps the AEGON companies analyze the risk to itsinformation assets by conducting risk assessments to determine:

What are the threats or vulnerabilities to our business operations or systems?

Should vulnerabilities be proactively addressed to lower the level of risk?

What controls do we have in place to protect us from threats and how strong are those

controls?

What is the likelihood that an event or incident will occur given our current level of risk

management?

If an event or incident does occur, what is the impact to the business?

What level of risk is acceptable?What mitigation activities need to be resolved in order

to more effectively manage the risks to Company business?

The bottom line at AEGON companiesrisk management

is everyones responsibility!


10/2910

Information Risk Management


How Can I Help Manage Information Risks?

As a new workforce memberyou may be wondering:

How can I help protect Company information assets?

What can I do to maintain a secure environment and safeguard

this workplace?

Where can I find more information?

Who can I ask if I have questions?

The following will explain how YOU can help manage risks to Company information

assets by your:

Knowledge of Information Management and Classification (IM&C); Record Retention.

Compliance with General Information Security Policies and applied safeguards (e.g.

Internet Usage, Electronic Communication, Access Controls, User IDs, Passwords,

Physical Access, Workplace, Mobile Computing Security, etc.)

Recognition and Reporting of Security Incidents.

Awareness in Business Continuity efforts.
http://images.google.com/imgres?imgurl=http://all-free-download.com/images/graphiclarge/question_mark_clip_art_9044.jpg&imgrefurl=http://all-free-download.com/graphic/vector-file/vector-clip-art/question_mark_clip_art_9044.html&usg=__Mwhyd8QfuBTLWZhpeU5X4gPPOY8=&h=425&w=425&sz=95&hl=en&start=17&um=1&tbnid=2iSOxNrlfITzgM:&tbnh=126&tbnw=126&prev=/images?q=Question+Mark+Clip+Art&hl=en&sa=N&um=1


11/2911

Information Management and Classification Program


Information Management and Classification Program (IM&C)

Ask yourself these questions:

Would I like my hospital to protect my healthcare information?

Would I like my bank to ensure my financial information is complete and accurate?

Would I like my bank to ensure my money is available when I need it?

At the AEGON Companies, the IM&C Program focuses on:

ConfidentialityInformation is accessible only by those who are authorized. IM&Chelps to prevent unauthorized access or disclosure of sensitive information which

may result in legal liability or customer distrust.

IntegrityInformation is accurate and complete. IM&C helps to protect criticalbusiness information assets from the risks which may compromise accuracy orcompleteness.

AvailabilityInformation is available when it is required. IM&C helps to identify therisks which may prevent critical business information assets from being available.


12/2912

Record Retention Program


Record Retention

Federal and State laws and regulations require that the AEGONs companies retain certainrecords for specified periods of time. In addition, records may need to be retrieved by the

Company to assist withits operations. Thus, good recordkeeping practices are an

important business function.

The Record Retention Program:

Defines guidance for determining what constitutes a Record.

Defines record types.

Determines retention periods for record types.

Defines specific destruction requirements.

Facilitates proper classification, indexing and storage methods.

Contact a manager or Record Retention representative for more information about your

divisions program and your responsibilities.


13/2913

General Information Security Policies & Safeguards


General Information Security Policies and Safeguards

Throughout your time at the AEGON companies, you will become aware of many differentpolicies and safeguards aimed to protect the confidentiality, integrity and availability of

Company information assets. The following sections will make you aware of the key General

Information Security Policies and practical safeguards including:

Internet Usage

Electronic CommunicationAccess Controls

User Identification Basics

Password Safeguards

Physical Access / Workplace SafeguardsClear Desk / Clear Screen

Mobile Computing


14/2914



Internet Usage Policy

When using the Internet, you must follow the Internet Usage Policy which includes:Use mainly for business purposes and only for incidental or occasional personal use.

All Company provided Internet resources remain the property of the AEGON companies

and are subject to monitoring at any time.

Internet use is a privilege, not a right, and access may be revoked at any time.

The Company has a right to restrict access to websites it deems inappropriate or a high

risk to information assets.

Do not engage in activities that conflict with Company business interests or operations.

Unless specifically authorized by the Company, do not post Company information on public

websites (e.g. Facebook, Twitter, etc.).

If you post to a blog site, your affiliation to the Company is known, and you reference the

Company or the financial services industry in general, a disclaimer must be included that

clearly states your post is your opinion only and does not reflect the opinion or position of

the AEGON companies.

If you witness Internet usage that you consider to be a violation of this policy, refer to

Recognizing and Reporting a Security Incident for details.


15/2915



Electronic Communication Policy

Applies, for example, to e-mail, Web-Mail, Instant Messaging, Blogging, Voice Mail and Phones

(e.g., Landline, Cell, Smart Phones). It is important that you follow the electronic communication

policy including, but not limited to:

Use mainly for business purposes and only for incidental or occasional personal use.

All electronic communications conducted via Company systems are the property of AEGON

companies and are subject to review at any time.

Sensitive information must never be sent via e-mail or other electronic file transfer methods

unless proper safeguards are applied, such as encryption.

Do not forward internal electronic communications outside of the Company without prior

consent from the originator or information owner.

Do not engage in activities that conflict with Company business interests or operations.

E-mail from unknown sources is a risk. As a general rule, do not open e-mail attachments

from those you dont know.


16/2916



Access Controls

All technical and physical access controls at the Company are established to limit the

access rights an individual has to information assets including information, systems,

business applications and buildings:

Access is granted on a need-to-know basis; being granted access to only what isneeded for your job function.

Requests for access to information assets must be approved by the information assetowner or his/her authorized designee.

Challenge anyone who does not appear to have a need-to-know.

Once you are granted access to a given system, you must never:

Use any element of the system that you are not authorized to use.Attempt to bypass any access control system.


17/2917



User Identification Basics

To properly identify a user, a unique User Name (User ID) is assigned to each individual.

Once you have been assigned a User ID, each system that you access will require you to

provide your User ID along with a password.

It is important to remember:

User IDs must only be used by those to whom they are assigned; Do NOT share your

User ID!You are accountable for all activity performed using your User ID.

Use Ctrl+Alt+Delete and then Enter (or press the Windows key + L) to lock yourdesktop or laptop when leaving it unattended for any reason.

Log out from your desktop or laptop upon leaving the office for the day or when no

longer being used.


18/2918



Password Safeguards

The security provided by a User ID depends on the password being kept secret at all times.

Your password is the proof of your identity and should be properly safeguarded.

Never share your password. If your password is disclosed, contact your DISO

immediately. Remember: Keep your password confidential!

Do not ask others to reveal their password to you.

Never write down your password.

Do not use the remember my password feature on any internet site.

Your password must be changed at regular intervals.

Create strong passwords using a combination of upper case, lower case, standard

symbols (e.g., +, $, &, etc.), and at least one numeric character.

Your password should be easy for you to remember and

difficult for others to guess.


19/29

19



Physical Access / Workplace Safeguards

Physical Access Safeguards are in place at the AEGON companies and must be followedby workforce members at all times. Maintaining good physical security requires the

following:

All individuals entering Companyfacilities are assigned an ID Card (or Badge) which must be

visibly worn at all times.

Each workforce member should use his/her own ID Card to enter secured areas. Do not share your ID Card with anyone.

If you forget your ID Card, contact Facilities Security Management to obtain a temporary ID

Card for entry.

ID Cards that have been lost or stolen must be reported immediately to Human Resources or

Facilities Security Management.All visitors must sign in and be escorted at all times.

Be aware of unknown individuals who try to follow you into a secured area without using his/her

own ID Card (also known as piggybacking or tailgating).

Report any suspicious behavior to a local facility security contact, DISO, or to a manager.


20/29

20



Clear Desk / Clear Screen

When at your workplace or leaving the office follow these simple safeguards to assist inprotecting information assets:

Do not leave sensitive information accessible within your work area or on printers or fax

machines. Use password function when available.

At the end of the day, secure all sensitive paperwork in a locked drawer or cabinet.

Secure mobile devices including your laptop, cell/smart phones, PDA, USB drives, etc.

Remove sticky notes from your desk that contain sensitive information.

Do not leave sensitive information in your waste bin. Use Company provided locked

disposal bins to discard sensitive items (e.g., papers, diskettes, CDs, etc.).

If you are unsure if something should be recycled orshredded, use the locked disposal bins as a precaution.

Use Ctrl+Alt+Delete (or Windows L) to lock your desktopor laptop when leaving it unattended for any reason.

Log out from your desktop or laptop upon leaving the

office for the day or when no longer being used.


21/29

21



Additional Safeguards

Physical security personnel located at the various entrances into the building are

there for your protection. Be cooperative with their requests for identification.

Do not discuss Company business or other information that may be considered

confidential or sensitive in public places where you may be heard.

Clean meeting rooms including tables, waste bins and whiteboards.Do not prop doors open. This may allow unauthorized entry and trigger an alarm.

.For additional information on Information Security Policies,

including safeguards, reference the following

Enterprise Information Risk Management Intranet site:

http://intranet.ds.global/transamerica/enterprise/irm/Pages/default.aspx

Contact the Division Information Security Officer (DISO) for

supplemental information referencing Information Security

Policies and safeguards.
http://intranet.ds.global/transamerica/enterprise/irm/Pages/default.aspxhttp://intranet.ds.global/transamerica/enterprise/irm/Pages/default.aspx


22/29

22



Traveling, Telecommuting, Mobile Computing

Today, most business professionals use laptops and other mobile equipment while at home,traveling, and as a part of their normal business routine. This equipment may include

laptops, cell phones, personal digital assistants (PDAs), Smart Phones, pagers, VPNtokens, USB drives, etc.

This type of equipment is extremely vulnerable. To minimize the risk extra precautions are

required while in the office, working remotely or traveling.

All Company policies, programs and safeguards still apply outside Company facilities

and must not be bypassed.

Do not conduct Company business or access information that may be considered as

confidential or sensitive in public places where it may be seen by unauthorized

individuals (e.g., airports, planes, restaurants, hotel lobbies, etc.).

Obey all applicable state and local laws regarding the usage of this type of equipmentwhile traveling.


23/29

23



All Mobile Devices (including laptops, cell phones, Smart Phones, PDAs, etc.)

You are accountable for all activity performed with any Company mobile device assigned

to you.

Company mobile devices assigned to you must not be used by anyone but you.

Company equipment must not be left unattended or unsecured in public areas. (e.g.,

hotel rooms, automobiles, restaurants, airports, etc.)

Always use a cable lock to secure your laptop in unsecured locations.

Loss or theft of Company mobile devices must be reported immediately. Refer to

Recognizing and Reporting a Security Incident for more details.

Your mobile devices, such as laptops and USB drives, must employ Company standard

encryption.

Do not communicate sensitive information using Text or Instant Messaging.

The Company does not allow synchronizing e-mail to a personal PDA (a Company

issued Blackberry is permissible).

All business critical files stored on local drives must be backed up to Company network

drives to prevent unintentional or malicious loss of data.


24/29

24

Recognizing and Reporting a Security Incident


Recognizing and Reporting a Security Incident

All workforce members are responsible for compliance with the Company InformationSecurity Policy and are accountable for reporting any known or suspected violations.

Reporting a security breach as soon as it is noticed is paramount. Quick reporting can help

to minimize potential damage to the Company or to its customers, business partners,

stockholders, and employees.

Be on the lookout for the following:

Files or systems that should be accessible to you are suddenly unavailable or missing.

Output of sensitive and confidential information found in printer trays, left unprotected in

the work area, or sent to the wrong person or group.

Unauthorized persons or personnel are discovered in the work area.

Files appear, disappear, or undergo significant and unexpected changes in size.

Your password has been changed without your knowledge or involvement.

Report these or any other anomalies to a manager, the Divisional Information Security

Officer (DISO), S.H.A.R.E. hotline (1-866-263-7787), AIT Customer Service Center

(18888524357) or the Enterprise Information Risk Management Intranet site:

http://intranet.ds.global/transamerica/enterprise/irm/Pages/report-an-incident.aspx
http://intranet.ds.global/transamerica/enterprise/irm/Pages/report-an-incident.aspxhttp://intranet.ds.global/transamerica/enterprise/irm/Pages/report-an-incident.aspxhttp://intranet.ds.global/transamerica/enterprise/irm/Pages/report-an-incident.aspxhttp://intranet.ds.global/transamerica/enterprise/irm/Pages/report-an-incident.aspxhttp://intranet.ds.global/transamerica/enterprise/irm/Pages/report-an-incident.aspxhttp://intranet.ds.global/transamerica/enterprise/irm/Pages/report-an-incident.aspx


25/29

25

Business Continuity


Business Continuity

Business Continuity is about keeping the AEGON companies operating during any plannedor unplanned business disruption. Business Continuity helps the Company to be proactively

prepared for such an event.

Events can be caused by natural or man made disasters and may include; floods,

hurricanes, blizzards, earthquakes, terrorists, power outages or technology failures.

The Business Continuity framework is divided into three phases:

Assessment -Ensures that the Company assumes the correct level of risk, since not

all risks can be totally eliminated or controlled. Understanding the critical processes

and their associated risks will help protect against unanticipated losses that could

significantly affect personnel, property, revenues and the ability to fulfill responsibilities

to customers, employees, shareholders, and the public.

Preparedness - Ensures that the Company is able to recover from potential disruptive

events. This is accomplished by having a comprehensive Business Continuity Plan thatincludes strategy, recovery and testing phases.

Event Management - Execution of Business Continuity Plans. In the event of an

outage, quick response and recovery are critical. This phase ensures that relief and

restoration activities are performed to restore the business functions to a pre-event

status.


26/29

26

Business Continuity


Business Continuity

At the AEGON companies your participation is critical in many ways. We have plans, but itsyour responsibility to become familiar with the departmental emergency response plan

by doing the following:

Know where the emergency shelter area is within the building.

Know where the meeting place is when you evacuate the building.

Identify the floor marshal.

Identify the BCP coordinator in the department and discuss your role.

Maintain your current contact information to preserve the integrity of essential

emergency communication channels.


27/29


28/29

28

Need More Information?


For More Information

Visit the Enterprise Information Risk Management Intranet Site for additional information,

including Information Security Policies, Business Continuity, Disaster Recovery and much

more. Check out the website today!

http://intranet.ds.global/transamerica/enterprise/irm/Pages/default.aspx

Divisions may have additional information including information security procedures,

guidelines and resources available (e.g. intranet sites).

Contact the Divisional Information Security Officer (DISO), Risk Manager, or Business

Continuity Planning (BCP) Manager for questions regarding topics covered in this

orientation.

http://intranet.ds.global/transamerica/enterprise/irm/Pages/contact-us.aspx

My Information Security Acknowledgement
http://intranet.ds.global/transamerica/enterprise/irm/Pages/default.aspxhttp://intranet.ds.global/transamerica/enterprise/irm/Pages/contact-us.aspxhttp://intranet.ds.global/transamerica/enterprise/irm/Pages/contact-us.aspxhttp://intranet.ds.global/transamerica/enterprise/irm/Pages/contact-us.aspxhttp://intranet.ds.global/transamerica/enterprise/irm/Pages/contact-us.aspxhttp://intranet.ds.global/transamerica/enterprise/irm/Pages/default.aspx


29/29

My Information Security Acknowledgement(Use only if there is NO signed Non-Disclosure Agreement with the individual, contractor or entity)

Violationsof the Information Security Policies, Standards and Procedures jeopardize the Company in a number of

ways. Issues will be investigated and if a violation occurred corrective action may include, but not be limited to:

Loss of access privileges to information assets

Termination of working relationship

Other actions as deemed appropriate by management

Corrective action will be consistent with the nature of the incident in the context of all relevant circumstances.

I acknowledge that:

I have viewed the AEGON Companies Information Risk Workforce Orientation about Information Security;

Confidential business information is an important asset of the Company;

It is my responsibility to protect the confidentiality, integrity and availability of Company information;

I must report any suspected security incident to the manager, the Divisional Information Security Officer ,

S.H.A.R.E. hotline, AIT Customer Service Center or the Enterprise Information Risk Management Intranet;

Information security breaches are investigated and it is my responsibility to cooperate fully in any investigation;

Any violation of Information Security Policies, Standards or Procedures may result in termination of the work

relationship; e-mail and the Internet are primarily for business use and may be monitored by the Company.

PLEASE SIGN HERE TO ACKNOWLEDGE:

Name (print) ______________________________________

Signature ________________________________________

Date ____________________________________________

Information Risk Workforce Orientation

Documents

Transcript of Information Risk Workforce Orientation