Information Security Awareness Training

Agenda
What is Information Security?
Information Ecosystem
C-I-A
Godrej & Boyce Information Security Organization Structure
Godrej & Boyce Information Security Policies
Exceptions
Social Engineering
Reporting Information Security Incidents
04/19/23 Classification : Internal
What is Information Security???
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
Information Ecosystem
An 'Information Ecosystem©' consists of People, Processes and the Technology that connects them.
The 'Information Ecosystem' includes business partners, customers, service providers, regulatory bodies etc.
Any one of them has the potential to become a weak link and jeopardize the security of the entire system.
[Diagram: People, Processes and IT meeting at the Interface, surrounded by Partners, Customers, Service Providers and Regulatory Bodies. IT elements shown: Firewalls, Passwords, Routers, Disaster Recovery, Forensics, Monitoring. Information assets shown: IPR / databases / Entrusted Information / MIS / Innovation etc.]
Types of Information
Information exists in digital AND non-digital forms.
[Diagram: Digital / Non-Digital]
Infosec Value Chain
[Diagram: Information and the routes through which it is obtained]
Through Inference
Through Other Depts / Colleagues
Through Public Source
Through Creative Ideas
Through Legal / Statutory / Regulatory / Contractual Obligation / Requirement
Others
What should be secured???
Information Security Triad
Confidentiality :
◦ Protection against unauthorized disclosure of information - Ensuring Privacy
Integrity :
◦ Protection against unauthorized changes to information - Ensuring Completeness, Accuracy, and Validity
Availability :
◦ Ensuring Information is available as and when required by the business
How to Secure Information???
ISO 27001: An Overview
ISO 27001 is the most internationally accepted information security standard.
The standard essentially gives specifications, guidance and direction to implement an Information Security Management System (ISMS) to dynamically address and manage information security risks faced by an organization.
Mandatory clauses : 4 to 8
Normative References : 133 controls, 39 control objectives, 11 Domains
ISMS implementation at Godrej & Boyce
[Diagram: Plan - Do - Check - Act cycle driving Continual Improvement]
Plan - Establish the context
- Define ISMS scope
- Define policy
- Identify risks
- Assess risks
- Select control objectives and controls for treatment of risks
- Prepare a statement of applicability (SoA)
Do - Implement and operate
- Formulate a risk treatment plan
- Implement the risk treatment plan
- Implement controls selected to meet the control objectives
Check - Monitor and review
- Execute monitoring procedures
- Undertake regular reviews of the effectiveness
- Conduct internal audits at planned intervals
Act - Maintain and Improve
- Implement identified improvements
- Take appropriate corrective and preventive actions
- Communicate the results and actions and agree with all interested parties
- Ensure that improvements achieve their intended objectives
ISMS Scope
There are 10 Departments in scope of ISMS
◦ BAAN
◦ BIG (BIG 1, BIG 2, WPDG)
◦ Finance
◦ HR Soft (HR Soft, HR Pay)
◦ HR
◦ OTG SS
◦ OTG NS
◦ OTG CO
◦ OTG IS
◦ QA
Risk Management Methodology
Identification and classification of assets
Asset sensitivity ratings
Asset wise risk assessment
Risk Treatment
Designing policies and procedures
GODREJ & BOYCE INFORMATION SECURITY ORGANIZATION

Godrej & Boyce Security Organization Structure
Godrej & Boyce Information Security Management Forum (ISMF)
PIMPARKAR A R - CEO-GITL
PATANKAR S V - GM
RAUT SUSHIL S - HEAD OTG
VAISHALI VICTOR RAJ - HEAD HR
KHANDHAR BHAVESH K - HEAD FINANCE
FERNANDES S V - MR QMS
RUPARELIYA NARENDRA G - CORP PURC
Information Security Officer
ARIF BHATKAR (OTG IS)
Godrej & Boyce Information Security Implementation Team
NIRMALA R. THADANI - QA
UNA PRAVEEN SATHAYE - WPDG
RANJAN BHAVSAR - BIG
ABHISHEK SUNANDAN - BIG
SRILAKSHMI NUNNA - HR SOFT / HR PAY
SHWETA PAGNIS - HR SOFT / HR PAY
DHANYA MATHEW - HR SOFT / HR PAY
SRINIVAS SINGH - BAAN
VISHAL KUMAR - BAAN
AROON BAKSHI - OTG NS
ANUP BHAROT - OTG NS
SATAM V S - OTG SS (UNIX)
VASUDEO KELKAR - OTG SS (UNIX / LINUX)
THOMAS P V - OTG SS (WINDOWS)
PRASID MUKHERJI - OTG IS
ARUN J SHIRODKAR - OTG CO
HITESH PANCHAL - OTG CO
HYACINTHA LOPES - HR
SUCHIT SHAH - FINANCE
INFORMATION SECURITY POLICIES AND PROCEDURES

Information Security Policies and Procedures
Godrej & Boyce Information Security Policies and Procedures are available on the GITL Intranet.
All employees should read and understand these policies and procedures.
Non-compliance with Godrej & Boyce Information Security Policies / Procedures may lead to Disciplinary Action.
DATA CLASSIFICATION

Data Classification
Classification Scheme
◦ Public
◦ Internal
◦ Confidential
Consistent labeling and handling of information assets.
Declassification / Downgrading.
Sensitive documents and data storage media should be stored in physically secure locations.
Disposal guidelines.
Classification Scheme
Confidential
◦ Applies to sensitive business information, the unwanted disclosure of which can bring substantial financial damage, damage to the company's reputation or lead to grave legal consequences. This also applies to information which can be of value to competitors and can influence the success or the existence of the entire company or part of its business.
◦ Access to Confidential information is restricted to only a few employees or associated entities.
◦ Confidential information / documents will not be available to all the people within G&B-DC or to outsiders.
◦ Example : Strategy planning, approach papers, client papers, bids
Internal
◦ Applies to business information for which unwanted disclosure can have damaging consequences.
◦ This is generally information which is accessible to a wide circle of employees but is not intended for outsiders.
◦ Example : Emails, Internal Communication, Process documents, Operating Procedures etc.
Classification Scheme
Public
◦ This classification applies to information which has been explicitly approved by the management for release to the public. By definition, there is no such thing as unauthorized disclosure of this information and it may be freely disseminated without potential harm. (No visible classification label is required; any document not found classified will be treated as a public document.)
◦ Example: Press releases, Information on websites etc.
PHYSICAL SECURITY
User Responsibilities

Physical Security
User Responsibilities
◦ Always escort visitors.
◦ Display your identification badge when on Godrej premises.
◦ Loss of an identity badge / access card should be reported to HR.
◦ If you notice something suspicious, please bring it to the notice of the security guard or the ISO.
All visitors should make an entry in the visitor register.
Users should also declare their electronic belongings, e.g. laptops, pen drives etc.
PASSWORD SECURITY

Password Security
Do's
◦ Change your passwords regularly on expiry or when compromised.
◦ Use strong passwords meeting the password criteria.
◦ In case of a password reset or issue of a new password, contact the system / application administrators.
Don'ts
◦ Use the same password for Godrej accounts as for other commercial or personal accounts.
◦ Share your user credentials with others.
◦ Use the "Remember Password" feature of applications.
◦ Reveal a password over the phone to ANYONE.
◦ Reveal a password in an email message.
◦ Reveal a password to your supervisor or others in your reporting function.
◦ Hint at the format of a password (e.g., "my family name").
◦ Reveal a password on questionnaires or security forms.
Password Criteria
Passwords of information systems will be of a minimum length of 8 characters.
The characters in the password will be a combination of numeric, alphabetic and special characters.
The passwords will be difficult to guess or derive by using personal information such as names, telephone numbers, dates of birth etc.
Passwords will be changed every 60 days.
Password history will be maintained for the 5 past used passwords.
All temporary passwords will be changed at first log-on.
Passwords in any automated log-on process will be avoided.
Strong Passwords - Example
I Am Working In Godrej For Last 4 Years -> I@MwIG4L4Y
InfoSec is my Responsibility today onwards -> I$i$mR2day0n^^@rdS
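As an added example, not part of the training deck and not Godrej & Boyce's own code, the Password Criteria slide and the two sample passwords above can be turned into a checker that an account-provisioning script or help desk tool could run before accepting a new password. The constants mirror the stated policy (8-character minimum; numeric, alphabetic and special characters; no personal information; 60-day change interval; history of the last 5 passwords). The name, phone number and birth year used as personal information in the demo are constructed, and storing the history as bare SHA-256 digests is a simplification noted in the code.

```python
"""Checker for the password criteria stated on the training slide.

Added example (not Godrej & Boyce code): the constants below mirror the
slide's policy numbers; the sample user data in the demo is constructed.
"""
import hashlib
import re
from datetime import date, timedelta
from typing import Iterable, List, Optional

MIN_LENGTH = 8        # "minimum length of 8 characters"
MAX_AGE_DAYS = 60     # "changed every 60 days"
HISTORY_DEPTH = 5     # "history ... for 5 past used passwords"

# Each character class named on the slide must appear at least once.
_CLASS_RULES = (
    ("numeric character", re.compile(r"[0-9]")),
    ("alphabetic character", re.compile(r"[A-Za-z]")),
    ("special character", re.compile(r"[^0-9A-Za-z]")),
)


def password_digest(password: str) -> str:
    """Digest kept in the history list so old passwords are never stored in clear.

    Simplification for this example: a production system should use a salted,
    slow hash (bcrypt, scrypt or Argon2) rather than a bare SHA-256.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate: str,
                   personal_info: Iterable[str] = (),
                   history: Iterable[str] = ()) -> List[str]:
    """Return the criteria the candidate fails; an empty list means it passes.

    personal_info: strings such as the user's name, phone number or birth year
                   that must not appear in the password (case-insensitive).
    history:       digests of previous passwords, oldest first; only the last
                   HISTORY_DEPTH entries are enforced, as the slide states.
    """
    failures: List[str] = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for label, pattern in _CLASS_RULES:
        if not pattern.search(candidate):
            failures.append(f"missing a {label}")
    lowered = candidate.lower()
    for item in personal_info:
        token = str(item).lower()
        # Tokens under three characters (initials) would match almost anything.
        if len(token) >= 3 and token in lowered:
            failures.append(f"derived from personal information: {item!r}")
    if password_digest(candidate) in list(history)[-HISTORY_DEPTH:]:
        failures.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return failures


def password_expired(last_changed: date, today: Optional[date] = None) -> bool:
    """True once the password is older than the 60-day change interval."""
    today = today or date.today()
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample data: the two passwords from the slide, a weak one,
    # a password built from personal details, and a made-up user record.
    user_info = ["Sunita", "9876543210", "1985"]
    previous = [password_digest(p) for p in ["Old1!pass", "I@MwIG4L4Y"]]
    for pw in ["I@MwIG4L4Y", "I$i$mR2day0n^^@rdS", "password", "Sunita@1985"]:
        print(pw, "->", check_password(pw, user_info, previous) or "OK")
    print("expired:", password_expired(date(2023, 1, 1), today=date(2023, 4, 19)))
```

Run as-is, the demo reports the first slide password as a reuse because it is in the constructed history, flags "password" for lacking a digit and a special character, and flags "Sunita@1985" for containing the user's name and birth year; the personal-information check is the one criterion that needs data from the user's record, so the function takes it as an argument rather than guessing.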
EMAIL SECURITY
Acceptable Use Policy - Email

Email Security
Godrej & Boyce E-mail must be used primarily for business purposes only.
User Responsibilities
◦ Do not automatically forward or send/receive e-mails to any address outside the Godrej domain.
◦ Do not access personal emails from Godrej facilities.
◦ Do not send chain letters or joke emails.
◦ Employees receiving emails which contain offensive content should immediately report this to the OTG.
G&B-DC employees should not indulge in unauthorized use or forging of email header information.
G&B-DC employees should not publish company email ids on public newsgroups or non-work related websites, since this might result in spam attacks.
All unnecessary emails should be deleted to conserve disk space.
Files larger than 1 MB should be zipped before sending; E-Mails with attachments should not exceed 5 MB.
Godrej & Boyce has the right to read / review any message as and when required.
SYSTEM AND NETWORK SECURITY
Acceptable Use Policy - Information processing equipment and services

System and Network Security
Following is prohibited
◦ Unauthorized copying of copyrighted material.
◦ Introduction of malicious programs into the Godrej & Boyce network.
◦ Port scanning or security scanning by end users.
◦ Using Godrej & Boyce computing assets to transmit offensive material.
◦ Giving access to telnet, ftp or any other service to an external party.
◦ Downloading unwanted software on desktops and servers.
DESKTOP AND LAPTOP SECURITY

Desktop and Laptop Security
Users should not change any settings on the laptop.
Users shall ensure that they have the latest anti-virus software / security patches installed.
Ensure the laptop is physically secured at all times.
Pirated, freeware and shareware software shall not be downloaded or installed onto user laptops.
Desktops and laptops should be hardened as per the Hardening Guidelines.
CLEAR DESK CLEAR SCREEN

Clear Desk Clear Screen
Lock your workstation before leaving your desk:
◦ Press Ctrl + Alt + Del.
◦ Click on "Lock Computer".
◦ For Win XP systems, press Windows + L to lock the PC.
Clear off all documents from your desk at the end of the day.
Keep all sensitive documents under lock and key.
Do not leave keys unattended.
Clear off whiteboards when you vacate meeting rooms.
EXCEPTIONS

Exceptions
All EXCEPTIONS will be approved and authorized by Head-Technology for use of devices/services such as USB drives/Pen drives/Data Cards, software etc. on a need basis.
SOCIAL ENGINEERING

Social Engineering
Social Engineering is the human side of breaking into our systems and network.
Social Engineers tend to exploit social attributes like:
◦ Trust
◦ The desire to be 'helpful'
◦ The wish to get something for nothing
◦ Curiosity
◦ Fear of the unknown, or of losing something
◦ Ignorance
◦ Carelessness and/or complacence.
Your Responsibility
◦ Take care not to give out information which is Critical, Sensitive, or personal in nature. Be especially alert if someone calls and tries to use authority to obtain information. When in doubt, seek advice from your manager.
INFORMATION SECURITY INCIDENT REPORTING

What are Information Security Incidents?
An Incident is any event, real or suspected, that can adversely affect the security of the organization's information and information assets.
Examples of Incidents:
◦ Hacking, information leakage
◦ Hardware / Software crashes, network disruption / slowdown
◦ Power outage leading to disruption of services
◦ Social incidents like terrorism, strikes, mass absences
◦ Non-compliance with Godrej & Boyce Information Security Policies and Procedures
◦ Malware attacks

Incident reporting
Immediately report the incident via speedflow or report it to the ISO or ISIT Members.
In case of any queries contact the Information Security Management Team or the Information Security Officer.
THANK YOU