ISMS Awareness Presentation - CCEs.ppsx


Transcript of ISMS Awareness Presentation - CCEs.ppsx

  • 8/11/2019 ISMS Awareness Presentation - CCEs.ppsx

    1/45


    ISMS AWARENESS

2/45

    What is Information?

An asset essential to an organization's business that needs to be protected.

Forms of information: printed, written, stored electronically, transmitted by post or email.

3/45

    What is Information Security?

The protection of information and information systems against unauthorized access or modification, whether in storage, processing, or transit, and against denial of service to authorized users.

Safeguarding an organization's data from unauthorized access or modification to ensure its confidentiality, integrity, and availability.

4/45

    Why Information Security?

    1. Protects information from a range of threats

    2. Ensures business continuity

    3. Minimizes financial loss

    4. Optimizes return on investments

    5. Increases business opportunities

6/45

Security breaches lead to:

Reputation loss

Financial loss

Intellectual property loss

Legislative breaches leading to legal action (cyber law)

Loss of customer confidence

Business interruption costs

Loss of goodwill

7/45

    TBSS Information Security Policy

Information Security Policy Statement

TBSS is committed to protecting the Confidentiality, Integrity and Accessibility of its Information, thereby providing comprehensive assurance to all its stakeholders. To that end TBSS will aggressively unravel and learn the changing landscape of risk, review organization standards and processes periodically and focus relentlessly on execution.

8/45

    Information Classification

Classification: Description

Public: Disclosure inside or outside the organization would not cause any damage or inconvenience.

Internal: Disclosure inside the organization, for effective implementation of procedures and processes, would not cause any damage or inconvenience.

Restricted: Disclosure inside or outside the organization would be inappropriate and inconvenient.

Confidential: Disclosure inside or outside the organization would cause significant harm to the interests of the organization.

Secret: Disclosure inside or outside the organization would cause serious damage to the interests of the organization.

9/45

Steps to strengthen your information security

1 Strengthen your computer's defenses

2 Avoid downloading malware

3 Protect company data & financial assets

4 Create strong passwords & keep them private

5 Guard data & devices when you're on the go

10/45

Step 1: Strengthen your computer's defenses

a. Check that your system's antivirus is updated regularly

b. Do not download unauthorized software

c. Do not store Confidential documents on your local machine

d. Do not store songs and videos on your system

11/45

Step 2: Avoid downloading malware

a. Think before you click

b. Confirm that the message is legitimate

c. Close pop-up messages carefully

12/45

Step 3: Protect company data & financial assets

a. Give information a proper classification

b. Information should be stored only in share portals

c. Information should be stored in such a manner that at least user ID/password authentication is required to access it

13/45

Step 4: Create strong passwords & keep them private

a. Passwords must be treated as sensitive and confidential information.

b. Never share your password with anyone for any reason.

c. Passwords should not be written down, stored electronically, or published.

d. Use different passwords for your different accounts.

e. Create passwords that are not common; avoid common keyboard sequences and personal information such as pet names and birthdays.

14/45

Step 5: Guard data & devices when you're on the go

a. Use the organization's VPN for email communication

b. Confirm the connection

c. Do not use flash drives & memory cards

15/45

Guidelines and safe practices for:

Creation of passwords

Email usage

Clear desk

Internet usage

Tailgating and piggybacking

Social engineering

16/45

Password Security Guidelines

17/45

    Password Security Guidelines

Passwords should contain: at least 8 characters, uppercase letters (A-Z), lowercase letters (a-z), numbers (0-9) and special characters (!@#$%^&*).

Use hard-to-guess passwords.

Change your password regularly (every 30 days).

Memorize your password and refrain from writing it down.

Never choose the "Remember password" feature in any application.

The last 5 passwords must not be reused for any reason.

Passwords must strictly be kept private and confidential.

18/45

    Password Security Guidelines

DOs

Use a combination of lower- and upper-case letters, numbers and special characters

Change the password regularly

Create a complex, strong password and protect its secrecy

DON'Ts

Use personal information (e.g. birthday, home address, phone number)

Use dictionary words (including foreign languages)

Write it down

Share it with anyone

19/45

    Password Security Guidelines

Which of the passwords below are strong?

Password@123 (weak: a dictionary word followed by the sequence 123)

abc@1122 (weak: a keyboard sequence and no uppercase letter)

harshaSree@1841 (weak: built from a person's name)

MpbN!h@5612 (strong: derived from the phrase "My Pets Baby Name Is Happy")

Rsw3yO!D (strong: derived from the phrase "Reema's Son Was 3 Years Old In December")
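The password rules on slides 17 to 19 can be checked mechanically. The following is an added example, not code from the original presentation: a Python checker that applies the stated rules (8 characters, four character classes, no keyboard sequences, dictionary words or personal information, no reuse of the last 5 passwords) and runs it against the five sample passwords above. The dictionary and keyboard-sequence lists are small constructed stand-ins for real word lists, the profile assumes the user is named Harsha Sree, and the password history is compared as salted PBKDF2 hashes rather than kept in clear.

```python
"""Password checker for the policy on the slides above.

Added example, not part of the original presentation. Rules implemented:
  - at least 8 characters, with upper case, lower case, a digit and a
    special character from !@#$%^&*
  - no common keyboard sequences, dictionary words or personal information
  - none of the last 5 passwords reused (history kept as salted hashes)
The word lists and the user profile are constructed test data.
"""
import hashlib
import os
import re
from dataclasses import dataclass, field

SPECIALS = set("!@#$%^&*")
HISTORY_DEPTH = 5
# Constructed for this example; a real deployment loads a large word list.
DICTIONARY = ("password", "welcome", "admin", "secret", "monday", "summer")
KEYBOARD_SEQUENCES = ("abc", "123", "qwerty", "asdf", "zxcv")


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the history never stores passwords in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class UserProfile:
    """Facts a password must not contain, plus the hashed password history."""
    names: list          # first name, last name, pet name, ...
    dates: list          # birthday fragments such as "1990" or "0412"
    history: list = field(default_factory=list)  # (salt, digest) pairs

    def remember(self, password: str) -> None:
        """Record a newly set password and keep only the last 5."""
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]


def check_password(password: str, profile: UserProfile) -> list:
    """Return the rule violations; an empty list means the password passes."""
    problems = []
    lowered = password.lower()
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not SPECIALS & set(password):
        problems.append("no special character from !@#$%^&*")
    for seq in KEYBOARD_SEQUENCES:
        if seq in lowered:
            problems.append(f"contains keyboard sequence '{seq}'")
    for word in DICTIONARY:
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    for item in profile.names + profile.dates:
        if item.lower() in lowered:
            problems.append(f"contains personal information '{item}'")
    if any(_hash(password, salt) == digest for salt, digest in profile.history):
        problems.append("matches one of the last 5 passwords")
    return problems


def is_strong(password: str, profile: UserProfile) -> bool:
    """True when the password satisfies every rule above."""
    return not check_password(password, profile)


if __name__ == "__main__":
    # Constructed profile: assume the user is called Harsha Sree.
    user = UserProfile(names=["Harsha", "Sree"], dates=[])
    for candidate in ("Password@123", "abc@1122", "harshaSree@1841",
                      "MpbN!h@5612", "Rsw3yO!D"):
        verdict = "strong" if is_strong(candidate, user) else "weak"
        print(f"{candidate:18} {verdict}: {', '.join(check_password(candidate, user))}")
    user.remember("MpbN!h@5612")
    print("reuse check:", check_password("MpbN!h@5612", user))
```

The 30-day rotation on slide 17 is an expiry enforced by the directory, not a property of the password string, so it is outside this check. Rsw3yO!D passes every rule at exactly the 8-character minimum; what makes both strong examples usable is the mnemonic phrase behind them, which lets the user remember the password without writing it down.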

20/45

Safe Email Practices

21/45

    Safe Email Practices

Do not open unexpected or suspicious e-mails.

Delete them if they do not concern you.

Be aware of the sure signs of a scam email:

Not addressed to you by name

Asks for personal or financial information

Asks you for a password

Asks you to forward it to lots of other people

Before opening an email attachment, save the attachment to disk and scan it for viruses.

Do not forward chain e-mails containing confidential information unless the recipient is a trusted information seeker.

22/45

    Safe Email Practices

A suspicious email address (note that the real email address is not from Outlook).

Generic salutations rather than using your name.

Alarmist messages: criminals try to create a sense of urgency so you'll respond without thinking.
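The warning signs on slides 21 and 22 can be turned into a first-pass triage check. The following is an added example, not code from the original presentation: a Python script that parses a message with the standard library's email package and reports each sign it finds. The two sample messages, the word lists and the table of domains a brand name is allowed to send from are all constructed for this example; the sender-domain check is the "real email address is not from Outlook" sign from the slide.

```python
"""Phishing triage for the warning signs listed on the slides above.

Added example, not part of the original presentation. Each check maps to one
sign from the slides: a sender address that does not belong to the brand in
the display name, no personal salutation, requests for passwords or
financial details, requests to forward the mail, and alarmist urgency.
The sample messages, word lists and brand-to-domain table are constructed.
"""
import email
import re
from email.message import Message
from email.utils import parseaddr

# Constructed: which sending domains a brand named in the display name may use.
KNOWN_SENDER_DOMAINS = {
    "outlook": {"outlook.com", "microsoft.com"},
    "tbss": {"tbss.example"},
}
CREDENTIAL_WORDS = ("password", "passcode", "login details", "verify your account")
FINANCIAL_WORDS = ("bank account", "credit card", "card number", "account number")
FORWARD_WORDS = ("forward this to", "forward it to", "send this to everyone")
URGENCY_WORDS = ("immediately", "within 24 hours", "urgent",
                 "will be suspended", "act now", "final notice")


def _body_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _mentions(text: str, phrases) -> bool:
    """Whole-word match so 'pin' does not fire on 'spinning'."""
    return any(re.search(r"\b" + re.escape(p) + r"\b", text) for p in phrases)


def phishing_signs(raw_message: str, recipient_name: str) -> list:
    """Return the warning signs found in one RFC 822 message (empty = none)."""
    msg = email.message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    body = _body_text(msg)
    text = body.lower()
    signs = []

    # Sign 1: display name says "Outlook" but the real address is elsewhere.
    brand = display_name.split()[0].lower() if display_name else ""
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if brand in KNOWN_SENDER_DOMAINS and domain not in KNOWN_SENDER_DOMAINS[brand]:
        signs.append(f"display name claims '{brand}' but the address is @{domain}")

    # Sign 2: generic salutation instead of your name.
    first_line = next((l.strip().lower() for l in body.splitlines() if l.strip()), "")
    if recipient_name.lower() not in first_line:
        signs.append("not addressed to you by name")

    # Signs 3-6: what the message asks you to do.
    if _mentions(text, CREDENTIAL_WORDS):
        signs.append("asks for a password or login details")
    if _mentions(text, FINANCIAL_WORDS):
        signs.append("asks for personal or financial information")
    if _mentions(text, FORWARD_WORDS):
        signs.append("asks you to forward it to other people")
    if _mentions(text, URGENCY_WORDS):
        signs.append("creates urgency with alarmist wording")
    return signs


# Constructed sample messages.
PHISH = """\
From: Outlook Support <security-alert@mail-update.example>
To: reema@tbss.example
Subject: Your mailbox will be suspended
Content-Type: text/plain; charset="utf-8"

Dear user,

We detected unusual sign-in activity. Confirm your password within 24 hours
or your mailbox will be suspended. Reply with your login details and
forward this to all your colleagues.
"""

LEGIT = """\
From: Outlook Team <no-reply@outlook.com>
To: reema@tbss.example
Subject: Your weekly activity summary
Content-Type: text/plain; charset="utf-8"

Hi Reema,

Here is your weekly summary. No action is required.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_signs(raw, "Reema"))
```

A legitimate sender can trip the salutation or urgency checks, and an attacker can register a look-alike domain that the brand table does not know about, so the output is a prompt to verify the message through a known channel, not a verdict.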

23/45

    Social Engineering

24/45

    Social Engineering

Social engineering is a hacking technique that relies on human nature. This approach is used by many hackers to obtain information valuable for accessing a secure system.

Rather than using software to identify security weaknesses, hackers attempt to trick an individual into revealing passwords and other information that can compromise your system security.

They use people's inherent nature to trust to learn passwords, logon IDs, server names, operating systems, or other sensitive information.

25/45

Social Engineering

For example, a hacker may attempt to gain system information from an employee by posing as a service technician or system administrator with an urgent access problem.

Nobody should ever ask you for your passwords. This includes system administrators and help desk personnel.

If someone requests sensitive information from you, never hesitate to ask the following questions:

Ask for the correct spelling of their name

Ask for a contact number and the person's position so that you can call back

Ask for the purpose and urgency of the information

Ask for the approval for seeking the information

Do not give out passwords.

26/45

    Clear Desk Guidelines

27/45

    What's Wrong with This Picture?

28/45

    Clear Desk Guidelines

Lock the computer when your workspace is unattended.

Shut down the system at the end of the day.

29/45

    Clear Desk Guidelines

All Confidential and Internal-use documents must be removed from the desk and locked in a drawer or file cabinet when the workstation is unattended and at the end of the workday.

All waste paper containing personal or confidential information must be destroyed using a shredding machine.

30/45

    Clear Desk Guidelines

Passwords and any other confidential information must not be posted on or under a computer or in any other accessible location.

Copies of documents containing Confidential or Internal-use information must be removed from printers immediately. If there is a problem with the printer, turn the printer off to clear sensitive material from its memory.

32/45

    Handling Media Devices

Do not bring any personal removable media such as USB storage devices, CDs or DVDs into office premises.

If it is necessary to bring a media device, it must be explicitly declared at the security desk.

All events detected for the use of USB mass storage will be treated as security incidents and dealt with as per the organization's information security incident management process.

33/45

    Handling Media Devices

If removable media devices are carried for office use:

Prior authorization from the business head is required, stating the usage.

The Technology team should approve the media after scanning its content.

34/45

Internet Usage Guidelines

35/45

    Internet Usage Guidelines

Access to the Internet is provided to employees for the benefit of TBSS and its customers.

Employees using the Internet are representing the company. Employees are responsible for ensuring that the Internet is used in an effective, ethical, and lawful manner.

The Internet should not generally be used for personal gain or advancement of individual interests. Solicitation of non-TBSS business or use of the Internet for personal gain is strictly prohibited.

Use of the Internet must not disrupt the operation of the TBSS network. It must not interfere with your productivity.

36/45

    Internet Usage Guidelines

Accessing gaming sites or adult sites and initiating any hacking activity or denial-of-service attack over the Internet are strictly prohibited, and users are solely responsible for any legal action arising out of the same.

File downloads such as exe, mp3 etc. from the Internet are not permitted unless specifically authorized in writing by the Technology Team.

Users, during their course of Internet access, should not violate or infringe upon the rights of others or download pirated software (copyrighted material).

37/45

Internet Usage Guidelines

Access to instant messengers shall not be permitted. If required, it shall be supported by a business need and the requisite approvals.

Users are solely responsible for any legal action arising out of abuse, or against national security, that has originated from their computer/laptop.

38/45

Physical Security Guidelines

39/45

"I forgot my identity card. Can you please tag me in with your card?"

"No, you should inform the reception; they will issue a temporary identity card for you."

    Physical Security Guidelines

    It is mandatory for users to display the ID card / visitor pass legibly.

    Users are not allowed to swipe their ID cards on restricted entry points.

    Users must swipe their ID cards at all times to access all access controlled areas.

    Loss of ID card to be reported to Facilities department and BMS team immediately.

    Users are not allowed to lend their ID cards to others.

40/45

    Physical Security Guidelines

Users are not allowed to carry any removable media storage devices like floppies, CDs, pen drives, etc. into TBSS premises.

Usage of cameras (including the camera in a mobile phone) is prohibited inside TBSS premises.

Users are required to cooperate with security for frisking.

Tailgating is strictly prohibited.

All company laptops must have laptop cards attached.

Laptop users must display their laptop cards to carry laptops into and out of TBSS office premises.

41/45

    Physical Security Guidelines

No Tailgating

Make sure that you are the only one entering with your access card. Ensure that access doors to controlled areas close securely after entering and exiting.

42/45

    Physical Security Guidelines

You need to know:

Fire / emergency exits

Evacuation plan / procedure

Emergency information

Reporting mechanisms

43/45

ISMS Policies

You need to know the ISMS policies below, available in Drishti:

Acceptable Usage Policy

Clear Desk Policy

Email Policy

Information Security Incident Management Policy

Information Security Policy

Internet Utilization Policy

Password Policy

Physical Security Policy

Printer Usage Policy

ISO 27001:2013 documents are available at the link below:

http://be.serwizsol.com/Internal/Forms/View.aspx?RootFolder=%2FInternal%2FISO%2027001&View=%7bD59EBEF6%2dBB33%2d4A8A%2d8FE6%2dE35ADB51165E%7d
44/45

    INFORMATION SECURITY

    Report all information security incidents to [email protected]

45/45

Reach us at: E-mail: [email protected]