Information Security Awareness Training (48 slides)

Uploaded by ashley-day, 22-Dec-2015

Transcript

Page 1: Information Security Awareness Training

Page 2: Agenda

◦ What is Information Security?
◦ Information Ecosystem
◦ C-I-A
◦ Godrej & Boyce Information Security Organization Structure
◦ Godrej & Boyce Information Security Policies
◦ Exceptions
◦ Social Engineering
◦ Reporting Information Security Incidents

04/19/23 Classification : Internal

Page 3: What is Information Security?

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. (This is the definition used in US federal law, 44 U.S.C. 3542.)

Page 4: Information Ecosystem

An 'Information Ecosystem©' consists of People, Processes and the Technology that connects them. The Information Ecosystem includes business partners, customers, service providers, regulatory bodies etc. Any one of them has the potential to become a weak link and jeopardize the security of the entire system.

(Diagram labels: external parties Partners, Customers, Service Providers, Regulatory Bodies; IT controls Firewalls, Passwords, Routers, Disaster Recovery, Forensics, Monitoring; People, Processes and their Interface; information assets IPR / databases / Entrusted Information / MIS / Innovation etc.)

Page 5: Types of Information

Information exists in digital AND non-digital forms. (Diagram: Digital, Non-Digital.)

Page 6: Infosec Value Chain

(Diagram: 'Information' at the centre, with the routes through which it arises or is obtained: Through Inference; Through Other Depts / Colleagues; Through Public Source; Through Creative Ideas; Through Legal / Statutory / Regulatory / Contractual Obligation / Requirement; Others.)

Page 7: What should be secured?

Page 8: Information Security Triad

◦ Confidentiality: preventing unauthorized disclosure of information (ensuring privacy).
◦ Integrity: preventing unauthorized changes to information (ensuring completeness, accuracy and validity).
◦ Availability: ensuring information is available as and when required by the business.

Page 9: How to Secure Information?

Page 10: ISO 27001: An Overview

ISO 27001 is the most widely adopted international standard for information security management. It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS), so that the information security risks faced by an organization are addressed and managed on an ongoing basis.

Mandatory clauses: 4 to 8. Annex A (normative): 133 controls, 39 control objectives, 11 domains. (These figures are those of ISO/IEC 27001:2005; the 2013 and 2022 revisions restructured Annex A and changed the control count.)

Page 11: ISMS implementation at Godrej & Boyce

The ISMS follows the Plan-Do-Check-Act cycle of continual improvement:

Plan (establish the context)
◦ Define ISMS scope
◦ Define policy
◦ Identify risks
◦ Assess risks
◦ Select control objectives and controls for treatment of risks
◦ Prepare a Statement of Applicability (SoA)

Do (implement and operate)
◦ Formulate a risk treatment plan
◦ Implement the risk treatment plan
◦ Implement the controls selected to meet the control objectives

Check (monitor and review)
◦ Execute monitoring procedures
◦ Undertake regular reviews of the effectiveness of the ISMS
◦ Conduct internal audits at planned intervals

Act (maintain and improve)
◦ Implement identified improvements
◦ Take appropriate corrective and preventive actions
◦ Communicate the results and actions, and agree them with all interested parties
◦ Ensure that improvements achieve their intended objectives

Page 12: ISMS Scope

There are 10 departments in scope of the ISMS:
◦ BAAN
◦ BIG (BIG 1, BIG 2, WPDG)
◦ Finance
◦ HR Soft (HR Soft, HR Pay)
◦ HR
◦ OTG SS
◦ OTG NS
◦ OTG CO
◦ OTG IS
◦ QA

Page 13: Risk Management Methodology

◦ Identification and classification of assets
◦ Asset sensitivity ratings
◦ Asset-wise risk assessment
◦ Risk treatment
◦ Designing policies and procedures

Page 14: Godrej & Boyce Information Security Organization

Page 15: Godrej & Boyce Security Organization Structure (organization chart; no text transcribed)

Page 16: Godrej & Boyce Information Security Management Forum (ISMF)

◦ PIMPARKAR A R – CEO, GITL
◦ PATANKAR S V – GM
◦ RAUT SUSHIL S – HEAD OTG
◦ VAISHALI VICTOR RAJ – HEAD HR
◦ KHANDHAR BHAVESH K – HEAD FINANCE
◦ FERNANDES S V – MR QMS
◦ RUPARELIYA NARENDRA G – CORP PURC

Page 17: Information Security Officer

ARIF BHATKAR (OTG IS)

Page 18: Godrej & Boyce Information Security Implementation Team

◦ NIRMALA R. THADANI – QA UNA PRAVEEN SATHAYE – WPDG
◦ RANJAN BHAVSAR – BIG
◦ ABHISHEK SUNANDAN – BIG
◦ SRILAKSHMI NUNNA – HR SOFT / HR PAY
◦ SHWETA PAGNIS – HR SOFT / HR PAY
◦ DHANYA MATHEW – HR SOFT / HR PAY
◦ SRINIVAS SINGH – BAAN
◦ VISHAL KUMAR – BAAN
◦ AROON BAKSHI – OTG NS
◦ ANUP BHAROT – OTG NS
◦ SATAM V S – OTG SS (UNIX)
◦ VASUDEO KELKAR – OTG SS (UNIX / LINUX)
◦ THOMAS P V – OTG SS (WINDOWS)
◦ PRASID MUKHERJI – OTG IS
◦ ARUN J SHIRODKAR – OTG CO
◦ HITESH PANCHAL – OTG CO
◦ HYACINTHA LOPES – HR
◦ SUCHIT SHAH – FINANCE

Page 19: Information Security Policies and Procedures

Page 20: Information Security Policies and Procedures

◦ Godrej & Boyce Information Security Policies and Procedures are available on the GITL intranet.
◦ All employees should read and understand these policies and procedures.
◦ Non-compliance with Godrej & Boyce Information Security Policies / Procedures may lead to disciplinary action.

Page 21: Data Classification

Page 22: Data Classification

Classification scheme:
◦ Public
◦ Internal
◦ Confidential

Handling requirements:
◦ Consistent labelling and handling of information assets.
◦ Declassification / downgrading.
◦ Sensitive documents and data storage media should be stored in physically secure locations.
◦ Disposal guidelines.

Page 23: Classification Scheme

Confidential
◦ Applies to sensitive business information whose unwanted disclosure can cause substantial financial damage, damage the company's reputation or lead to grave legal consequences. It also applies to information that could be of value to competitors and so influence the success or the existence of the entire company or part of its business.
◦ Access to Confidential information is restricted to a few employees or associated entities.
◦ Confidential information / documents will not be available to all people within G&B-DC or to outsiders.
◦ Examples: strategy planning, approach papers, client papers, bids.

Internal
◦ Applies to business information whose unwanted disclosure can have damaging consequences.
◦ Generally information that is accessible to a wide circle of employees but is not intended for outsiders.
◦ Examples: e-mails, internal communication, process documents, operating procedures etc.

Page 24: Classification Scheme

Public
◦ Applies to information that has been explicitly approved by management for release to the public. No visible classification label is required, and any document that carries no classification is treated as a public document. By definition there is no such thing as unauthorized disclosure of this information, and it may be freely disseminated without potential harm.
◦ Because an unlabelled document defaults to Public, a sensitive document that was never labelled will be handled as public: label Internal and Confidential documents at the time they are created.
◦ Examples: press releases, information on websites etc.

Page 25: Physical Security – User Responsibilities

Page 26: Physical Security – User Responsibilities

◦ Always escort visitors.
◦ Display your identification badge while on Godrej premises.
◦ Report the loss of an identity badge / access card to HR.
◦ If you notice something suspicious, bring it to the notice of the security guard or the ISO.
◦ All visitors must sign the visitor register.
◦ Visitors must also declare their electronic belongings, e.g. laptops, pen drives etc.

Page 27: Password Security

Page 28: Password Security

Do's
◦ Change your passwords regularly: on expiry, and immediately if compromised.
◦ Use strong passwords that meet the password criteria.
◦ For a password reset or the issue of a new password, contact the system / application administrators.

Don'ts
◦ Do not use the same password for Godrej accounts as for other commercial or personal accounts.
◦ Do not share your user credentials with others.
◦ Do not use the "Remember Password" feature of applications.
◦ Do not reveal a password over the phone to ANYONE.
◦ Do not reveal a password in an e-mail message.
◦ Do not reveal a password to your supervisor or to others in your reporting line.
◦ Do not hint at the format of a password (e.g., "my family name").
◦ Do not reveal a password on questionnaires or security forms.

Page 29: Password Criteria

◦ Passwords for information systems will be a minimum of 8 characters.
◦ A password will combine numeric, alphabetic and special characters.
◦ Passwords must be difficult to guess or to derive from personal information such as names, telephone numbers, dates of birth etc.
◦ Passwords will be changed every 60 days.
◦ A password history of the 5 previously used passwords will be maintained, so none of them can be reused.
◦ All temporary passwords will be changed at first log-on.
◦ Passwords in any automated log-on process will be avoided.

Page 30: Strong Passwords – Example

Build a password from a sentence you can remember, keeping the initial letters and substituting digits and symbols for some of them:

I Am Working In Godrej For Last 4 Years → I@MwIG4L4Y

InfoSec is my Responsibility today onwards → I$i$mR2day0n^^@rdS

(These two illustrate the method only. Having been printed in a training deck they are now known strings and must never be used as real passwords.)
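The criteria on the two slides above, turned into a check that a self-service password tool or an administrator script could run. This is an added example and not part of the original training deck: the function names, the way personal details are matched (fragments of three or more letters or digits taken from names, phone numbers and dates of birth) and the sample data are assumptions made for illustration. One caveat for anyone reusing this policy today: NIST SP 800-63B advises against forcing periodic password changes and recommends screening candidates against lists of known-breached passwords instead, so the 60-day rule is implemented here only because it is what the slide specifies.

```python
"""Password-policy checker for the criteria in the slides above.

Added example, not part of the original training deck. The rules come from the
slides (minimum 8 characters; alphabetic, numeric and special characters; not
derivable from personal details; changed every 60 days; last 5 passwords
remembered; temporary passwords changed at first log-on). Function names, the
personal-details matching and the sample data are assumptions for illustration.
"""
import hashlib
import hmac
import re
from datetime import date, timedelta

MIN_LENGTH = 8
MAX_AGE_DAYS = 60
HISTORY_DEPTH = 5


def history_hash(password: str, salt: bytes) -> bytes:
    """Hash kept in the password-history store so old passwords are never stored in clear.

    PBKDF2-HMAC-SHA256 with a per-user salt; a production system would use its
    normal slow password hash (bcrypt, scrypt, Argon2) here.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def personal_tokens(personal_info):
    """Fragments of the user's details (name parts, digit runs of 3+) that must not appear."""
    tokens = set()
    for item in personal_info:
        for frag in re.findall(r"[A-Za-z]{3,}|\d{3,}", item):
            tokens.add(frag.lower())
    return tokens


def check_password(password, personal_info=(), history=(), salt=b"demo-salt"):
    """Return the list of policy violations; an empty list means the password is acceptable.

    history: PBKDF2 hashes (see history_hash) of previously used passwords, oldest first.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no alphabetic character")
    if not re.search(r"\d", password):
        problems.append("no numeric character")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    lowered = password.lower()
    for token in sorted(personal_tokens(personal_info)):
        if token in lowered:
            problems.append(f"contains personal detail '{token}'")
    new_hash = history_hash(password, salt)
    # Only the last HISTORY_DEPTH entries count; constant-time comparison so the
    # check does not leak how much of a stored hash matched.
    if any(hmac.compare_digest(new_hash, old) for old in list(history)[-HISTORY_DEPTH:]):
        problems.append(f"reused one of the last {HISTORY_DEPTH} passwords")
    return problems


def password_expired(last_changed, today=None, temporary=False):
    """60-day expiry on ISO dates (YYYY-MM-DD); a temporary password expires at first log-on."""
    if temporary:
        return True
    changed = date.fromisoformat(last_changed)
    now = date.fromisoformat(today) if today else date.today()
    return now - changed >= timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # The two mnemonic passwords from the "Strong Passwords - Example" slide.
    for candidate in ("I@MwIG4L4Y", "I$i$mR2day0n^^@rdS"):
        print(candidate, "->", check_password(candidate) or "OK")
    # Constructed, fictitious personal details used to reject a guessable password.
    details = ["Ravi Sharma", "022-12345678", "15/08/1985"]
    print("ravi1985 ->", check_password("ravi1985", personal_info=details))
    print("expired after 60 days:", password_expired("2023-01-01", "2023-03-02"))
```

Both slide examples pass every rule, while a password built from the user's own name and year of birth fails on three counts at once. The history check compares hashes rather than plaintext, which is also why a real deployment should reuse the system's existing password hash instead of keeping a second store.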

Page 31: Email Security – Acceptable Use Policy (Email)

Page 32: Email Security

Godrej & Boyce e-mail must be used primarily for business purposes only.

User Responsibilities
◦ Do not automatically forward, or send/receive, e-mails to any address outside the Godrej domain.
◦ Do not access personal e-mail from Godrej facilities.
◦ Do not send chain letters or joke e-mails.
◦ Employees receiving e-mails that contain offensive content should immediately report this to the OTG.
◦ G&B-DC employees should not indulge in unauthorized use or forging of e-mail header information.
◦ G&B-DC employees should not publish company e-mail IDs on public newsgroups or non-work-related websites, since this might result in spam attacks.
◦ All unnecessary e-mails should be deleted to conserve disk space.
◦ Files larger than 1 MB should be zipped before sending; e-mails with attachments should not exceed 5 MB.
◦ Godrej & Boyce has the right to read / review any message as and when required.
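The rule "do not automatically forward e-mail outside the Godrej domain" is one a mail administrator can verify rather than only announce: forwarding rules planted in a compromised mailbox are a standard way of exfiltrating mail. The check below is an added example and not part of the original deck. It walks a list of mailbox rules (constructed here as a stand-in for a mail-server rule export) and reports every enabled forward or redirect whose target is not at an internal domain. The company domain godrej.com and the rule-record layout are assumptions; note the look-alike target godrej.com.example.net, which a plain string endswith check would wrongly accept.

```python
"""Flag mailbox rules that auto-forward mail outside the company domain.

Added example for the e-mail policy above; not part of the original training deck.
Assumptions: the company domain is taken to be godrej.com (the slide only says
"Godrej domain"), and the rule records below are a constructed stand-in for what a
mail-server rule export would contain.
"""
from email.utils import parseaddr

INTERNAL_DOMAINS = {"godrej.com"}  # assumption; list every legitimate internal domain here

# Rule actions that push a copy of every message somewhere else.
FORWARDING_ACTIONS = {"forward", "forward_as_attachment", "redirect"}


def is_internal_address(address: str) -> bool:
    """True if the address is at an internal domain or one of its subdomains.

    Matching on a label boundary matters: 'godrej.com.example.net' ends with
    'godrej.com' as a string but is an external domain.
    """
    _, addr = parseaddr(address)          # handles "Name <user@host>" as well as bare addresses
    if "@" not in addr:
        return False
    domain = addr.rsplit("@", 1)[1].strip().lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def external_forwarding_rules(rules):
    """Return (mailbox, target) pairs for enabled rules that forward outside the company."""
    findings = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        if rule.get("action", "").lower() not in FORWARDING_ACTIONS:
            continue
        for target in rule.get("targets", []):
            if not is_internal_address(target):
                findings.append((rule["mailbox"], target))
    return findings


# Constructed sample of mailbox rules (not real data).
SAMPLE_RULES = [
    {"mailbox": "a.user@godrej.com", "action": "forward",
     "targets": ["A User <a.user.personal@example.com>"]},
    {"mailbox": "b.user@godrej.com", "action": "forward",
     "targets": ["helpdesk@it.godrej.com"]},            # internal subdomain: allowed
    {"mailbox": "c.user@godrej.com", "action": "redirect",
     "targets": ["c.user@godrej.com.example.net"]},    # look-alike external domain
    {"mailbox": "d.user@godrej.com", "action": "move_to_folder",
     "targets": ["Archive"]},                          # not a forwarding action
    {"mailbox": "e.user@godrej.com", "action": "forward", "enabled": False,
     "targets": ["e.user@example.org"]},               # disabled rule: ignored
]

if __name__ == "__main__":
    for mailbox, target in external_forwarding_rules(SAMPLE_RULES):
        print(f"{mailbox}: auto-forwards to external address {target}")
```

Run against the sample, the check reports the personal-address forward and the look-alike redirect and nothing else. Disabled rules are skipped here, but in an investigation they are still worth listing, since an attacker who lost access may have left one behind to re-enable later.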

Page 33: System and Network Security – Acceptable Use Policy (Information processing equipment and services)

Page 34: System and Network Security

The following is prohibited:
◦ Unauthorized copying of copyrighted material.
◦ Introduction of malicious programs into the Godrej & Boyce network.
◦ Port scanning or security scanning by end users.
◦ Using Godrej & Boyce computing assets to transmit offensive material.
◦ Giving access to telnet, ftp or any other service to an external party.
◦ Downloading unwanted software onto desktops and servers.

Page 35: Desktop and Laptop Security

Page 36: Desktop and Laptop Security

◦ Users should not change any settings on the laptop.
◦ Users shall ensure that the latest anti-virus software and security patches are installed.
◦ Ensure the laptop is physically secured at all times.
◦ Pirated, freeware and shareware software shall not be downloaded or installed onto user laptops.
◦ Desktops and laptops should be hardened as per the Hardening Guidelines.

Page 37: Clear Desk, Clear Screen

Page 38: (image slide; no text transcribed)

Page 39: Clear Desk, Clear Screen

◦ Lock your workstation before leaving your desk: press Ctrl + Alt + Del and click "Lock Computer"; on Windows XP, Windows + L locks the PC.
◦ Clear all documents from your desk at the end of the day.
◦ Keep all sensitive documents under lock and key.
◦ Do not leave keys unattended.
◦ Clear whiteboards when you vacate meeting rooms.

Page 40: Exceptions

Page 41: Exceptions

All exceptions (for the use of devices / services such as USB drives / pen drives / data cards, software etc.) will be approved and authorized by the Head-Technology on a need basis.

Page 42: Social Engineering

Page 43: Social Engineering

Social engineering is the human side of breaking into our systems and network. Social engineers exploit social attributes such as:
◦ Trust
◦ The desire to be 'helpful'
◦ The wish to get something for nothing
◦ Curiosity
◦ Fear of the unknown, or of losing something
◦ Ignorance
◦ Carelessness and/or complacency

Your responsibility
◦ Take care not to give out information that is critical, sensitive or personal in nature. Be especially alert if someone calls and tries to use authority to obtain information. When in doubt, seek advice from your manager.

Page 44: Information Security Incident Reporting

Page 45: What are Information Security Incidents?

An incident is any event, real or suspected, that can adversely affect the security of the organization's information and information assets.

Examples of incidents:
◦ Hacking, information leakage
◦ Hardware / software crashes, network disruption / slowdown
◦ Power outage leading to disruption of services
◦ Social incidents such as terrorism, strikes, mass absences
◦ Non-compliance with Godrej & Boyce Information Security Policies and Procedures
◦ Malware attacks

Page 46: Incident Reporting

Immediately report the incident via Speedflow, or report it to the ISO or to ISIT members.

Page 47: In case of any queries, contact the Information Security Management Team or the Information Security Officer.

Page 48: Thank You