Pci compliance training agents

SET INFORMATION SYSTEMS AND DATA SECURITY AWARENESS PROGRAM FUSION BPO SERVICES, Inc.


Transcript of Pci compliance training agents

Page 1: Pci compliance training  agents

SET

INFORMATION SYSTEMS AND DATA SECURITY AWARENESS PROGRAM

FUSION BPO SERVICES, Inc.

Page 2: Pci compliance training  agents

‘Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected’

Page 3: Pci compliance training  agents

What is an Information Systems and Data Security Policy?

It can be defined as the rules that regulate how an organization manages and protects its internal information, its external customer or client information, and its computing resources.

Why do we need Security Policy?

The policy tells the users, staff, managers, what they can do, what they cannot do and what they must do to comply with the Security Policy and Practice.

Purpose:

To ensure business continuity by reducing/minimizing damage to the business by safeguarding the confidentiality, integrity and availability of information.

Page 4: Pci compliance training  agents

Why do I need to learn about computer security?

Isn’t this just an IT problem?

Everyone who uses a computer needs to understand how to keep his or her computer and data secure.

Page 5: Pci compliance training  agents

Why I Need Information Security Training

Security Awareness is a critical part of an organization's information security program; it is the human knowledge and behaviors that the organization uses to protect itself against information security risks. Humans, just like computers, store, process and transfer information. As a result, many attackers today target the human, bypassing most security controls and using techniques such as social engineering to get the information they want. Awareness, not just technology, is now a key factor in an organization's goal to:

Reduce risk, protect its reputation, improve governance, and be compliant.

Page 6: Pci compliance training  agents

Why I Need Information Security Training

Security Awareness Training is designed to educate users on the appropriate use, protection and security of information, on individual user responsibilities, and on the ongoing maintenance necessary to protect the confidentiality, integrity, and availability of information assets, resources, and systems from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption. The long-term benefits to your organization of a successful security awareness program include enhanced awareness, increased security and improved online productivity for employees and the company as a whole.

Page 7: Pci compliance training  agents

What Is Information Security

The quality or state of being secure: to be free from danger

Security is achieved by using several strategies simultaneously or in combination with one another

Security is recognized as essential to protect vital processes and the systems that provide those processes

Security is not something you buy, it is something you do

Page 8: Pci compliance training  agents

What Is Information Security

An architecture in which an integrated combination of appliances, systems and solutions, software, alarms, and vulnerability scans work together, monitored 24x7.

It involves People, Processes and Technology, together with policies and procedures. Security is for PPT, not only for appliances or devices.

Page 9: Pci compliance training  agents


INFORMATION SECURITY

1. Protects information from a range of threats

2. Ensures business continuity

3. Minimizes financial loss

4. Optimizes return on investments

5. Increases business opportunities

Page 10: Pci compliance training  agents

Security breaches lead to…

• Reputation loss

• Financial loss

• Intellectual property loss

• Legislative breaches leading to legal action (Cyber Law)

• Loss of customer confidence

• Business interruption costs

LOSS OF GOODWILL

Page 11: Pci compliance training  agents

What is Risk?

Risk: The possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset.

Threat: Something that can potentially cause damage to the organization, its IT systems or its network.

Vulnerability: A weakness in the organization, IT systems, or network that can be exploited by a threat.

Page 12: Pci compliance training  agents

Good security practices follow the “90/10” rule

10% of security safeguards are technical

90% of security safeguards rely on us – the user – to adhere to good computing practices

Page 13: Pci compliance training  agents

What are the consequences of security violations?

• Disciplinary action (up to expulsion or termination)

• Embarrassment to yourself and/or the Company

• Having to recreate lost data

• Identity theft

• Data corruption or destruction

• Loss of patient, employee, and public trust

• Costly reporting requirements and penalties

• Unavailability of vital data

Page 14: Pci compliance training  agents

Good Computer Security Practices

Page 15: Pci compliance training  agents

Passwords

Your password is your key to OC Inc Fusion BPO Services data and resources.

Remember: Carelessness is Dangerous! If you receive a phone call from someone claiming that they are a contractor working with IT Security, would you give them your password? NO!

How many of you have written your password down? What did you do with the paper? Is it tucked safely and securely away? If it is in the first place you would look (like under the keyboard) – someone else would look there too!

Page 16: Pci compliance training  agents

Password Construction and Management

When selecting a password, you may naturally want to choose something easy to remember. But if it is easy for you, it may be easy for someone else to crack!

A password should not be:

• Your name or any family member's name, including pets!

• Your street name, car type, favorite singer, etc.

• Any easily guessed or recognized name or word

• Your previous password with a sequentially increased number at the end.

Page 17: Pci compliance training  agents

Password Construction and Management

A password should be:

• A mixture of letters (both upper and lower case) and numbers and/or special characters

• At least eight characters long, preferably longer – for example, iH8TDieTs is a very good password. It has capitals, lower case, and numbers. AND… it isn’t too tough to remember. Just say: I hate diets.

A password should never be:

• Taped to a monitor, keyboard, desk, desk accessory or anywhere visible

• Shared with ANYONE – NOT EVEN A SUPERVISOR!

Page 18: Pci compliance training  agents

Examples of Passwords

Weak

• 12345

• Password

• STCC

• Pecan

• Gateway1

• abc123

Strong

• tCj0Tm

• iL2e0c

• 1cRmPW!

• CyMm@M0?
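As an added example (not part of the training deck), the following Python check applies the construction rules the deck gives above: minimum length, character mix, easily guessed words, reuse of the previous password with its trailing number bumped, and use of the username or a personal name. The personal-word and common-word lists are constructed placeholders; a real deployment would use a proper dictionary or breached-password list.

```python
import re
from typing import List, Optional

# Constructed placeholder: words a user must never build a password from
# (own name, family/pet names, street, car), per the deck's "should not be" list.
PERSONAL_WORDS = {"fusion", "alice", "smith", "rex", "elmstreet", "civic"}

# Constructed placeholder for "easily guessed or recognized" words; it includes
# the deck's own weak examples so the check reproduces the deck's verdict.
COMMON_WORDS = {"password", "12345", "abc123", "welcome", "qwerty",
                "gateway", "pecan", "stcc"}

MIN_LENGTH = 8  # the deck's "at least eight characters, preferably longer"

_TRAILING_NUMBER = re.compile(r"(.*?)(\d+)")


def is_sequential_reuse(candidate: str, previous: Optional[str]) -> bool:
    """True when candidate is the previous password with the number at the
    end increased by one (Summer2023 -> Summer2024) or a number appended
    to a previous password that had none (Pecan -> Pecan1)."""
    if not previous:
        return False
    m_new = _TRAILING_NUMBER.fullmatch(candidate)
    if not m_new:
        return False
    stem, number = m_new.group(1).casefold(), int(m_new.group(2))
    m_old = _TRAILING_NUMBER.fullmatch(previous)
    if not m_old:
        return stem == previous.casefold()
    return stem == m_old.group(1).casefold() and number == int(m_old.group(2)) + 1


def check_password(candidate: str, username: str = "",
                   previous: Optional[str] = None) -> List[str]:
    """Return the deck rules the candidate violates; an empty list means it passes."""
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_upper = any(c.isupper() for c in candidate)
    has_lower = any(c.islower() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    has_special = any(not c.isalnum() for c in candidate)
    if not (has_upper and has_lower):
        problems.append("needs both upper and lower case letters")
    if not (has_digit or has_special):
        problems.append("needs numbers and/or special characters")
    lowered = candidate.casefold()
    # Strip trailing digits/punctuation so "Gateway1" is still caught as "gateway".
    stem = re.sub(r"[\d\W_]+$", "", lowered)
    if lowered in COMMON_WORDS or stem in COMMON_WORDS:
        problems.append("easily guessed or recognized word")
    if username and lowered == username.casefold():
        problems.append("same as username")
    if any(word in lowered for word in PERSONAL_WORDS):
        problems.append("contains a personal name or word")
    if is_sequential_reuse(candidate, previous):
        problems.append("previous password with the number at the end increased")
    return problems


def classify(candidate: str, **kwargs) -> str:
    """Collapse the rule list to the deck's two labels."""
    return "strong" if not check_password(candidate, **kwargs) else "weak"
```

Run over the deck's own lists, the check marks all six weak examples weak; of the four strong examples only CyMm@M0? passes, because the other three are shorter than the eight-character minimum the deck itself sets.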

Page 19: Pci compliance training  agents

Email Usage

Some experts feel email is the biggest security threat of all. This is the fastest, most-effective method of spreading malicious code to the largest number of users. It is also a large source of wasted technology resources.

Examples of Waste:

Electronic Greeting Cards

Chain Letters

Jokes and graphics

Spam and junk email


Page 20: Pci compliance training  agents

Pitfalls to email

1. Email is NOT secure – It is essential to understand that email does not go directly to the intended recipient. It is routed through various systems first. Remember, it is not impervious to prying eyes!

2. Email is open to abuse – Scams, mass mailings, junk mail, and deceptive advertising can be delivered to your computer mail box as easily as to your home mail box.

3. Email is potentially harmful – it is the easiest, most effective conveyance of malicious code.

Page 21: Pci compliance training  agents

Should You Open the E-mail Attachment?

If it's suspicious, don't open it! What is suspicious?

• Not work-related

• Attachments you were not expecting

• Attachments with a suspicious file extension (*.exe, *.vbs, *.bin, *.com, *.scr, or *.pif)

• Web links

• Unusual subject lines: “Your car?”; “Oh!”; “Nice Pic!”; “Family Update!”; “Very Funny!”

Page 22: Pci compliance training  agents

E-Mail Security – Risk Areas

1. Spamming. Unsolicited bulk e-mail, including commercial solicitations, advertisements, chain letters, pyramid schemes, and fraudulent offers.

Do not reply to spam messages. Do not spread spam. Remember, sending chain letters is against policy.

Do not forward chain letters. It’s the same as spamming! Do not open or reply to suspicious e-mails.

2. Phishing Scams. E-Mail pretending to be from trusted names, such as Citibank or PayPal or Amazon, but directing recipients to rogue sites. A reputable company will never ask you to send your password through e-mail.

3. Spyware. Spyware is adware which can slow computer processing down, hijack web browsers, spy on key strokes and cripple computers.

Page 23: Pci compliance training  agents

E-mail Usage

Use official mail for business purposes only.

Follow the mail storage guidelines to avoid blocking of e-mails.

If you come across any junk / spam mail, do the following:

a) Remove the mail.

b) Inform the security help desk.

c) Inform the server administrator.

d) Inform the sender that such mails are undesired.

Do not use your official ID for any personal subscription purpose.

Do not send unsolicited mails of any type, like chain letters or e-mail hoaxes.

Do not send mails to clients unless you are authorized to do so.

Do not post non-business related information to a large number of users.

Do not open mail or attachments suspected to carry a virus or received from an unidentified sender.

Page 24: Pci compliance training  agents

Internet Usage

Use internet services for business purposes only.

Do not access the internet through dial-up connectivity.

Do not use the internet for viewing, storing or transmitting obscene or pornographic material.

Do not use the internet for accessing auction sites.

Do not use the internet for hacking other computer systems.

Do not use the internet to download / upload commercial software / copyrighted material.

The Technology Department is continuously monitoring Internet usage. Any illegal use of the internet and other assets shall call for disciplinary action.

Page 25: Pci compliance training  agents

Physical Security

Would you leave your credit card exposed or unattended in a public place? Do you lock your car? Secure your wallet or purse?

Take those same precautions with your PC!

Log off or lock your PC when unattended.

Shutdown your PC when you leave for the day…EVERYDAY!

Lock doors in accordance with Fusion BPO Services Policy.

Secure your Password!!!!


Page 26: Pci compliance training  agents

Access Control - Physical

Do:

• Follow security procedures

• Wear identity cards and badges at all times

• Ask unauthorized visitors for their credentials

• All visitors must be escorted while onsite

Do not:

• Bring visitors into the operations area without prior permission

• Bring hazardous or combustible material into a secure area

• Practice “piggybacking” (following an authorized person through a secured door)

• Bring and use pen drives, zip drives, iPods or other storage devices unless otherwise authorized to do so

Page 27: Pci compliance training  agents

Unique User Log-In / User Access Controls

Access Controls:

• Users are assigned a unique “User ID” for log-in purposes

• Each individual user’s access to OC Inc./Fusion BPO Services system(s) is appropriate and authorized

• Access is “role-based”, i.e., access is limited to the minimum information needed to do your job

• Unauthorized access to OC Inc./Fusion BPO Services by former employees is prevented by terminating their access

• User access to information systems is logged and audited for inappropriate access or use.

Page 28: Pci compliance training  agents

Workstation Security

Physical security measures include:

• Disaster controls

• Physical access controls

• Device & media controls

Log off before leaving a workstation unattended. This will prevent other individuals from accessing secured data under your User-ID and limit access by unauthorized users.

Lock up! – Offices, windows, workstations, sensitive papers and PDAs, laptops, mobile devices / media.

Lock your workstation (Ctrl+Alt+Del and Lock) – Windows XP, Windows 2000

Page 29: Pci compliance training  agents

Antivirus and Firewall

Make sure your computer has anti-virus, anti-spyware and firewall protection as well as all necessary security patches. Don’t install unknown or unsolicited programs on your computer.

Page 30: Pci compliance training  agents

Report Security Incidents

You are responsible to:

• Report and respond to security incidents and security breaches.

• Know what to do in the event of a security breach or incident related to Data Security and/or Personal Information.

Report security incidents & breaches to: IT Security Team

Page 31: Pci compliance training  agents


Your Responsibility to Adhere to OCI Security-Information Security Policies

Users of electronic information resources are responsible for familiarizing themselves with and complying with all company policies, procedures and standards relating to information security.

Users are responsible for appropriate handling of electronic information resources.


Page 32: Pci compliance training  agents

Why can’t I play games online?

On-line gaming on a company computer is against company policy.

Playing games on a company computer is forbidden.

Gaming sites, like MP3 download sites, are good places to pick up a virus. Script kiddies and hackers swarm around these sites like vultures. They use all the tricks of their trade to glean password and network information from gamers.

This is easy to avoid. Don’t do it!

Page 33: Pci compliance training  agents

Types of sites to avoid and WHY

Corporate sites that have a vested interest in protecting and maintaining public trust are more vigorous in protecting visitors’ email addresses and information. For example, sites such as CNN and Headline News want visitors to feel confident and comfortable on their web sites – so they will take measures to secure their sites. However, many other sites do NOT take measures to protect visitors’ data. In fact, they are notorious for harvesting and selling such data.

Please do not use your OC Inc. Fusion BPO Services computer or email address for joke sites, dating sites, horoscopes, chat rooms, free grocery coupons and other related sites. Sites promising free goods, vacations and fun are good ones to put on the NO GO list.

These are all easy to avoid and you will likely reduce your junk mail as well.

Page 34: Pci compliance training  agents

Common Terminology

What is a cookie? Cookies are small text files that some Web sites create when you visit. The file is used to store information on your computer.

What does encrypted mean? The translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text; encrypted data is referred to as cipher text.

What is a virus? A virus is a piece of code that is written specifically to execute itself without the user's knowledge or permission. It will usually attach itself to a file in order to replicate and spread itself. Some viruses are harmless while others can cause serious damage.

Page 35: Pci compliance training  agents

Common Terminology cont.

What is phishing? The act of sending an e-mail falsely claiming to be from an established, legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to a Web site which, however, is bogus and set up only to steal the user’s information.

What is spam? Electronic junk mail. Spam is generally e-mail advertising for some product sent to a mailing list or newsgroup. In addition to wasting people's time with unwanted e-mail, spam also eats up a lot of network bandwidth. Some ISPs, such as AOL, have instituted policies to prevent spammers from spamming their subscribers.

What is an audit trail? A record showing who has accessed a computer system and what operations he or she has performed during a given period of time.

Page 36: Pci compliance training  agents

Common Terminology cont.

What is Unauthorized Access? Any time a user gains access to a computer network without the consent of the computer's administrator.

What is Access Control? The prevention of unauthorized use of information assets. It is the policy rules and deployment mechanisms which control access to information systems, and physical access to premises.

Compliance: Adherence to those policies, procedures, guidelines, laws, regulations and contractual arrangements to which the business process is subject.

Malicious Software: Software, for example a virus, designed to damage or disrupt a system.

Page 37: Pci compliance training  agents

Common Terminology cont.

Password: Confidential authentication information composed of a string of characters.

Server: A server is a computer system, or a set of processes on a computer system, providing services to clients across a network.

User: A person or entity with authorized access.

Protected Information: Any participant or client information that the Department may have in its records or files that must be safeguarded pursuant to Department policy. This includes but is not limited to "individually identifying information".

Page 38: Pci compliance training  agents


Common Terminology cont.

Integrity: The property that data or information have not been altered or destroyed in an unauthorized manner.

FTP (File Transfer Protocol): A protocol that allows for the transfer of files between an FTP client and FTP server.

Disclose: The release, transfer, relay, provision of access to, or conveying of client information to any individual or entity outside the Department.

Confidential Information: Any client information (defined above) that OC Inc may have in its records or files on any OC Inc client that must be safeguarded pursuant to OC Inc policy. This includes, but is not limited to, “individually identifying information”.

Page 39: Pci compliance training  agents

Typical Symptoms of Computer Infection

File deletion

File corruption

Visual effects

Pop-Ups

Erratic (and unwanted) behavior

Computer crashes


Page 40: Pci compliance training  agents

Problems Hackers Cause

A hacker intrusion could create legal liability and public embarrassment for you and your organization.

Vandalism—Destruction or digital defacement of a computer or its data for destruction’s sake

Theft—Gaining access to intellectual or proprietary technology or information, sometimes for resale

Hijacking—Many of the financially motivated hackers are interested in remotely controlling PCs

Identity theft—Electronic theft of personal info that can be used to steal financial resources

Terrorism—Some experts believe that terrorists will eventually launch an attack using hacking techniques


Page 41: Pci compliance training  agents

Malware

Malware (aka crimeware and computer contaminant) is any program which can corrupt files and/or secretly report your information from your computer or network.

Viruses, worms, Trojans, and spyware are the most common types of malware.

Many of these destructive programs attempt to reinstall and replicate themselves and are designed to be very difficult to remove from the host computer.

Page 42: Pci compliance training  agents

Malware

Virus – Software that gets installed on your computer, usually without your knowledge

– You can get “infected” by accessing something that is already infected with a virus

– Sources include floppy disks, USB drives, websites, and email

Worm – Software that actively tries to spread itself to infect other computers

– Software worms can actively scan networks to infect others

– Worms can also be spread by e-mail applications that use the computer address book

Trojan – Damaging software that hides its identity by posing as something else, such as a screen saver or a greeting card. The Trojan, once installed, gives the attacker a back door into your system that can be used by the hacker as needed.

Page 43: Pci compliance training  agents

IT ACT PROVISIONS

Email would now be a valid and legal form of communication in our country that can be duly produced and approved in a court of law.

Companies shall now be able to carry out electronic commerce using the legal infrastructure provided by the Act.

Digital signatures have been given legal validity and sanction in the Act.

The Act now allows the Government to issue notifications on the web, thus heralding e-governance.

Statutory remedy in case anyone breaks into a company's computer systems or network and causes damage or copies data.

Page 44: Pci compliance training  agents

Risks and Threats

• High user knowledge of IT systems

• Theft, sabotage, misuse

• Virus attacks

• Systems & network failure

• Lack of documentation

• Lapse in physical security

• Natural calamities & fire

Page 45: Pci compliance training  agents

User Responsibilities

• Ensure your system is locked when you are away

• Always store laptops/media in a lockable place

• Ensure sensitive business information is under lock and key when unattended

• Ensure back-up of sensitive and critical information assets

• Understand compliance issues such as Cyber Law, IPR, copyrights, NDAs and contractual obligations with customers

• Verify credentials if a message is received from an unknown sender

• Always switch off your computer before leaving for the day

• Keep yourself updated on information security aspects

Page 46: Pci compliance training  agents

Do’s And Don'ts

Email and messaging – Do’s:

• Read your organization’s email policy

• Report any spam or phishing emails that are not blocked or filtered to your IT team

• Report phishing emails to the organisation they are supposedly from

• Use your organization’s contacts or address book. This helps to stop email being sent to the wrong address.

Phishing is an attempt to obtain your personal information (for example, account details) by sending you an email that appears to be from a trusted source (for example, your bank).

Page 47: Pci compliance training  agents

Do’s And Don'ts

Email and messaging – Don’ts:

• Click on links in unsolicited emails. Be especially wary of emails requesting or asking you to confirm any personal information, such as passwords, bank details and so on.

• Turn off any email security measures that your IT team has put in place or recommended.

• Email sensitive information unless you know it is encrypted. Talk to your IT team for advice.

• Try to bypass your organisation’s security measures to access your email off-site (for example, forwarding email to a personal account).

• Reply to chain emails.

Page 48: Pci compliance training  agents

Do’s And Don'ts

Passwords – Do’s:

• Follow OC Inc’s password policy

• Use a strong password (strong passwords are usually eight characters or more and contain upper and lower case letters, as well as numbers)

• Make your password easy to remember, but hard to guess

• Choose a password that is quick to type

• Use a mnemonic (such as a rhyme, acronym or phrase) to help you remember your password

• Change your password(s) if you think someone may have found out what they are.

Page 49: Pci compliance training  agents

Do’s And Don'ts

Passwords – Don’ts:

• Share your passwords with anyone else

• Write your passwords down

• Use your work passwords for your own personal online accounts

• Save passwords in web browsers if offered to do so

• Use your username as a password

• Use names as passwords

• Email your password or share it in an instant message.

Page 50: Pci compliance training  agents

Do’s And Don'ts

Working on-site – Do’s:

• Lock sensitive information away when left unattended

• Remember that working at home is a privilege

Don’ts:

• Let strangers or unauthorised people into staff areas

• Position screens where they can be read from outside the room.

Page 51: Pci compliance training  agents

Final Note

Page 52: Pci compliance training  agents

Fusion BPO Services, Inc

THANK YOU

IT SECURITY DEPARTMENT