Information Security Group | https://isg.techmahindra.com
Topic of the day Photography is prohibited in BT enclosures.
Requirement Photography is prohibited in BT enclosures unless a written prior approval is obtained with business justification.
What care to take
BT and its customer data should never be photographed.
Perceived threats
Disclosure of confidential information into competitors' hands; data misuse; violation of the Data Protection Act.
Benefits Regulatory compliance with BT security policy. Confidentiality of information is preserved.
For more details, refer to the link: https://isg.techmahindra.com/btdocs/BTdocs_new.html
Topic of the day :BT UIN- Unique Identification Number (EIN)
Deactivation Process
What is that? BT UIN deactivation is required when an employee moves from a BT project to a non-BT project or leaves TechM. Sending the UIN revocation request to the BT Line Manager is a primary responsibility of the PM.
What is required? Immediately, without further delay, the PM must send the UIN deactivation request (the “UIN deletion form”) to the BT line manager. The PM also needs to update the UIN/CIN/EIN status field on EBS for the employee, under Project Management. The PM must retain all UIN deactivation request mails sent to BT for at least one year, as evidence for audit purposes.
Perceived Threats Unauthorized access to BT project data; information leakage; adverse impact on BT compliance if the UIN is not revoked on time.
Benefits BT information is available on a need-to-know and need-to-work basis; the correct count and status of UINs is available on EBS.
Read UIN Management Process V 1.3 on ISG portal at https://isg.techmahindra.com/btdocs/BTdocs_new.html
Topic of the day- TechM Information classification Level 5 - Public
Requirement All documents that are open to everyone are classified as Public documents and can be shared outside the organization.
What care to take An information asset must be verified before it is classified as Public and made available in the public domain.
Perceived threats If information is wrongly classified, unintentional disclosure of confidential information and social engineering attempts may follow.
Benefits True representation of the company's image and reputation. Regular updates on company progress in the public interest.
For more details, read Information and Asset Classification Policy ISG-N-N009, Issue 1.1 & DOCUMENT AND DATA CONTROL PROCEDURE, GOV-C-P001, I2.7 on BMS.
Topic of the Day:
TechM Information Classification
Level 4 - Commercial in Confidence
For more details, read Information and Asset Classification Policy ISG-N-N009, Issue 1.1 & DOCUMENT AND DATA CONTROL PROCEDURE, GOV-C-P001, I2.7 on BMS.
What is that? Information marked as “Company Confidential” that is shared as specimens with a selected group of business associates, such as customers and suppliers, may be treated as “Commercial in Confidence”.
What care to take?
While reclassifying in this manner, due care must be taken to maintain adequate security measures that safeguard such confidential information from unauthorized access, use and misappropriation.
Perceived Threats
Accidental or intentional disclosure of company-critical data. Manipulation of company confidential information.
Benefits Confidentiality and integrity of the information are preserved.
Topic of the Day: TechM Information Classification
Level 3 - Client Confidential
For more details, read Information and Asset Classification Policy ISG-N-N009, Issue 1.1 & DOCUMENT AND DATA CONTROL PROCEDURE, GOV-C-P001, I2.7 on BMS.
What is that? Documents that are confidential to all employees working on projects for a particular client. All customer documentation is treated as client confidential.
What care to take?
Function heads / data owners should identify, classify, label and maintain an inventory of all client confidential information, in both hardcopy and electronic form.
Perceived Threats
Loss of confidentiality, which may affect customer confidence.
Benefits Protection of customer data and confidence. Compliance with international regulations on data protection.
TechM Information Classification
Level 2 - Restricted
What is that? The information is restricted to selected functions, identified groups or persons.
Requirement Restricted information shall be clearly marked as ‘Restricted’. It should not be shared outside the intended group or function. It should be disposed of in a secure way (shredding of documents after use).
Perceived threats
Loss of business, business interruption or legal breaches if the information is compromised.
Benefits Confidentiality is preserved within the organization; business continuity with fewer interruptions.
For more details, read Information and Asset Classification Policy ISG-N-N009, Issue 1.1 & DOCUMENT AND DATA CONTROL PROCEDURE, GOV-C-P001, I2.7 on BMS.
Topic of the Day:
TechM Information Classification
Level 1 - Company Confidential
For more details, read Information and Asset Classification Policy ISG-N-N009, Issue 1.1 & DOCUMENT AND DATA CONTROL PROCEDURE, GOV-C-P001, I2.7 on BMS.
What is that? All internal documents, including system-generated reports, that are not to be disclosed outside TechM may be classified as ‘Company Confidential’. Documents that have not been classified are treated as Company Confidential by default.
What care to take? All information in TechM shall be clearly identified, owned and labeled. Confidential information should not be transmitted outside TechM in any form.
Perceived Threats Information disclosure; unauthorized access to information.
Benefits Easy identification of the assets that are confidential or business critical. Appropriate protection for each piece of documented information.
Only Authorized People should access BT system.
Requirement Access to BT systems should be given only to the authorized people who work on BT Projects.
What care to take
Do not allow another person to work on a BT system while you are logged in with your UIN, Active Token or BT customer-issued token. Do not encourage unauthorized access to BT systems.
Perceived threats Violation of BT security policy due to unauthorized access; disclosure of customer confidential information.
Benefits Customer confidence; security and legal compliance.
Read more on ISG portal (in “Must See documents”): https://isg.techmahindra.com/btdocs/BTdocs_new.html
Be aware of BT Data and document Classification
Requirement Be aware of the BT data and document classification, and of how classified information is handled and disposed of. Classification levels: In Confidence, Internal, In Strict Confidence, etc.
What care to take
• Do not leave confidential information such as IP addresses, diagrams, etc. on white boards and pin-up boards. Please erase or remove them from display.
• Use paper shredders to dispose of paper documents.
• CDs, floppies and backup media should be physically destroyed before disposal.
Perceived threats Unintentional or accidental disclosure of BT confidential information.
Benefits Reduces the risk of unauthorized access, loss and/or damage to information during and outside normal working hours.
See detailed Policy on BT Information classification at ISG Portal https://isg.techmahindra.com/btdocs/BTdocs_new.html
Access to BT information should only be used to provide services to BT
Requirement Do not share or misuse BT information for anything other than BT delivery; doing so is a violation of IPR.
What care to take
Access to BT information should be provided on a need-to-know basis; periodic reviews of access rights should be performed; sharing of BT confidential information with non-BT employees should be restricted.
Perceived threats Violation of contractual obligations with BT; copyright violation; violation of IPR.
Benefits Confidentiality of information is preserved; customer confidence.
For more details, refer to “Must see documents” at ISG Portal https://isg.techmahindra.com/btdocs/BTdocs_new.html
Topic of the day “Personal data” as per Data Protection Act 1998
What is Personal data?
Data relating to a living individual who can be identified from that data, or from that data combined with other data in the holder's possession.
What does it include?
Bills and payment details; account details such as customer number, address and date of birth; call details; bank and credit card details of the customer.
How to protect? It should be handled under the control of the data controller, with a clear purpose for holding it, fairness in processing and transparency with the data subject (to be continued in subsequent topics).
What is a data subject?
The living individual to whom the personal data relates.
Read more on Data Protection Act at- http://security.intra.bt.com/KZSCRIPTS/default.asp?cid=439
Topic of the day- Data Protection Principle #1
Requirement Personal data must be processed fairly and lawfully.
What care to take
The data processor should take the additional measures necessary to protect personal data in accordance with its obligations. Be aware of the Data Protection Act (DPA).
Perceived threats
Unauthorized disclosure; violation of the Local Country Act; data misuse; data in competitors' hands.
Benefits Legal and regulatory compliance; customer confidence; minimized security breaches.
For more details, read http://security.intra.bt.com/KZSCRIPTS/default.asp?cid=439
Topic of the day- Data Protection Principle #2 Purpose limitation
Requirement Personal data must be obtained and processed for specific purposes only.
What care to take Technical and organizational security measures must be taken by the data custodian / data processor.
Perceived threats Transfer to a country outside the EEA; accidental or unlawful destruction, loss or alteration; unauthorized disclosure.
Benefits Legal and regulatory compliance; customer confidence; minimized security breaches.
For more details, read http://security.intra.bt.com/KZSCRIPTS/default.asp?cid=439
Topic of the day- Data Protection Principle #3 Quality & Proportionality
Requirement Personal data must be adequate, relevant and not excessive.
What care to take Quality and security measures must be taken by the data custodian / data processor to keep the customer's personal data accurate, complete and up-to-date.
Perceived threats Accidental or unlawful destruction, loss, alteration or disclosure. Old and/or excessive data may be processed unknowingly.
Benefits Reliance on the data; legal and regulatory compliance; customer confidence; minimized security breaches.
For more details, read http://security.intra.bt.com/KZSCRIPTS/default.asp?cid=439
Topic of the day- Data Protection Principle #4 Proportionate security
Requirement Personal data must be accurate, up-to-date and proportionately safeguarded.
What care to take Data processors must ensure that adequate security controls are in place to maintain Confidentiality and Integrity of the customer’s personal data.
Perceived threats Accidental or unlawful destruction or loss, alteration and disclosure.
Benefits Reliance on the data, customer confidence, Security Compliance.
For more details, read http://security.intra.bt.com/KZSCRIPTS/default.asp?cid=439
Topic of the day- Data Protection Principle #5 Limits on retention
Requirement Personal data must not be kept longer than necessary.
What care to take Data processors must ensure that personal data is disposed of securely once its valid use has ended.
Perceived threats Accidental or unlawful alteration and disclosure; violation of the Local Country Act; customer lawsuits.
Benefits Customer confidence; legal and regulatory compliance; data integrity.
For more details, read http://security.intra.bt.com/KZSCRIPTS/default.asp?cid=439
Topic of the day- Data Protection Principle #6 Rights of Access
Requirement Personal data must be processed in accordance with the rights of data subjects (the individuals whose data is held).
What care to take Data subjects must, whether directly or via a third party, be provided with the personal information about them that an organization holds.
Perceived threats Disclosure of the sources of the personal data; violation of personal rights; lawsuits by data subjects.
Benefits Customer confidence; compliance with the Local Country Act.
For more details, read http://security.intra.bt.com/KZSCRIPTS/default.asp?cid=439
Project team should be aware of BCP of their project
Requirement The PM must ensure that the entire team is aware of the project's BCP.
What care to take
Individual action points should be made clear to each team member for any disaster event. Do not draft any BC Plan without project team involvement.
Perceived threats
Business interruption due to a disaster-like situation. Loss of revenue, image and reputation.
Benefits Team awareness of and involvement in the activity; recovery of essential services in time; continuity of business operations.
For more details, please refer to your BCP document ISG-N-T013, which has been created through the ISG Dashboard and is available with the Project Manager.
Please follow TechM Security Policies within office premises
Requirement Ensure you follow security policies in your daily activities within office premises. Breach of these policies will result in HR disciplinary action.
What care to take
• Please lock your PC / laptop before leaving the desk. Press <Ctrl+Alt+Del>.
• Please swipe your card to access the facility.
• Do not tailgate, and do not allow others to tailgate you.
• For permitted temporary entry, take help from the Security Guard and ensure every entry and exit is logged in the register.
• Make use of your drawers to lock away all your important and confidential documents.
Perceived threats Violation of BT as well as TechM Security policy; HR disciplinary action against you.
Benefits Demonstration of good security posture across the organization.
Read more on ISG portal (in “Must See documents”): https://isg.techmahindra.com/btdocs/BTdocs_new.html
Maintain the list of BT provided assets
Requirement Follow BT's information classification and handling guideline. Maintain the asset inventory of your project and return all BT information assets when moving out of BT projects.
What care to take Do not shift or keep BT assets in non-BT enclosures, and do not share them with other IDUs.
Perceived threats Sharing of BT assets with unauthorized users; Accidental or intentional disclosure of confidential data.
Benefits Segregation of customer data. Regulatory and legal compliance.
For more details read Project Life Cycle Information Security Baseline Guideline ISG-N-G011 Issue 1.2 on BMS.
Topic of the day- Reporting security incidents in time. You can report them online…
Why is it required? Incident reporting enables us to identify security vulnerabilities and perform effective root cause analysis. An incident that is not reported in time may escalate into a disaster.
What is a security incident?
An event that results in a breach of the Security Policies defined and followed across TechM.
Perceived threats Security threat to information assets; escalation into a disaster; service interruption.
Benefits Fewer business interruptions; establishes business continuity across the organization; demonstrates user awareness.
Report Security incident online at : https://isg.techmahindra.com/ims/login.aspx
Lock your Screens when you are away from your desk
Requirement Ensure your screens are locked when you are away, even for a short duration (Windows: Ctrl+Alt+Del > Lock, or Win+L). This applies at BT Green Side, at client locations and even while working from home.
What care to take
You should follow the clear desk and clear screen policy of TechM, as you are responsible for all activities performed on systems (desktops and laptops) under your login ID.
Perceived threats
Unauthorized access to or disclosure of sensitive or confidential information; internet abuse.
Benefits Compliance with the Clear Screen Policy; protection against unauthorized access; confidentiality and integrity of your data.
Read more on ISG portal (in “Must See documents”): https://isg.techmahindra.com/btdocs/BTdocs_new.html
Topic of the day- Data Protection Principle #7 Security & Confidentiality
Requirement Personal data must be kept securely.
What care to take Technical and organizational security measures must be taken to mitigate the risks associated with the information assets. Process the data as per the instructions of the data controller.
Perceived threats Accidental or unlawful destruction, loss or alteration; unauthorized disclosure or access.
Benefits Security compliance; compliance with the Data Protection Act; confidentiality of the information.
For more details, read http://security.intra.bt.com/KZSCRIPTS/default.asp?cid=439
TechM mandatory document security classification labeling and handling
Requirement Information is classified in 5 categories* at TechM:
• Company Confidential
• Restricted
• Client Confidential
• Commercial in Confidence
• Public
Every document (paper or electronic) must be marked appropriately on the header and cover/title page. The data owner has to establish user access rules for the document.
What care to take Data owners are responsible for identifying, classifying, labeling, handling and maintaining the inventory of data. This includes internal as well as client project related data, in both hardcopy and electronic form. Care should be taken when sharing data, depending on who should have access to the information.
Perceived threats Unauthorized access to information; loss of confidentiality, which may affect customer confidence; security breach if information is compromised.
Benefits Easy identification of confidential or business-critical assets. Appropriate protection for each piece of documented information. Protection of customer data and confidence.
* See the detailed policy: Information and Asset Classification Policy ISG-N-N009, Issue 1.1 on BMS.
Topic of the day- Data Protection Principle #8 Geographic limitations on data transfer
Requirement Personal data must not be transferred to a country outside the EEA (European Economic Area) except in limited circumstances.
What care to take Understand client- and country-specific security requirements; take the related security/compliance trainings and tests (available on ESG) that are assigned to you.
Perceived threats Unlawful disclosure or access; violation of the LCA (Local Country Act).
Benefits Security and regulatory compliance; compliance with the Data Protection Act; confidentiality of the information.
For more details, read http://security.intra.bt.com/KZSCRIPTS/default.asp?cid=439
Be cautious while posting queries on public discussion forums
Requirement Confidential information such as software code under development, design diagrams and data flow diagrams must be protected by not disclosing it on discussion forums when seeking help or support.
What care to take Do not post the client's confidential information on public forums. Be cautious while posting queries on public discussion forums.
Perceived threats Disclosure of the customer's confidential data; misuse of personal information; loss of customer confidence.
Benefits Quality delivery; high ratings in customer satisfaction; adherence to the Data Protection Act.
Read more on ISG portal (in “Must See documents”): https://isg.techmahindra.com/btdocs/BTdocs_new.html
Topic of the day- Use only company provided equipment to connect to BT network
Requirement Connect only authorized devices to the BT network.
What care to take Portable devices such as USB drives, MP3 players, CDs/DVDs, mobile storage devices and palmtops should not be brought inside BT enclosures.
Perceived threats BT security violation; spread of viruses, worms or Trojans in the network.
Benefits Secure working environment; customer confidence; regulatory and security compliance.
Read more on ISG portal (in “Must See documents”): https://isg.techmahindra.com/btdocs/BTdocs_new.html
Internet usage at BT Green side
Requirement Use the Internet diligently at BT Green side.
What care to take
Do not visit prohibited sites, hacking sites, etc. using the internet at BT Green Side. Browsing inappropriate Internet content on an office-provided system will get you in BIG trouble! You may be liable for the heavy penalties imposed by BT, and you can lose your job!
Perceived threats Violation of BT Internet policy; misuse of BT-provided internet services; loss of customer confidence.
Benefits BT security compliance; acceptable usage of BT assets.
For more details read – Inappropriate Use of the Internet on BT Green Side: http://securitypolicy.intra.bt.com/kzscripts/policyviewer.asp?pcid=244
Prohibited Uses of the Internet on BT Green Side: http://security.intra.bt.com/kzscripts/default.asp?cid=156
Safekeeping BT Active Tokens and BT customer-issued Tokens
Requirement Ensure your BT Active Token or BT customer-issued Token is with you at all times when you are in the office.
What care to take Do not leave BT Active Tokens or BT customer-issued Tokens on a table or in unlocked drawers. Keep the token under your direct control or lock it away securely. Keep the password or PIN private. Report a lost token immediately so that any further use of it can be blocked.
Perceived threats Loss, damage or misuse of the token; inability to access systems if the token is unavailable.
Benefits Two-factor user authentication is achieved.
Read more on Process docs on ISG Portal at- https://isg.techmahindra.com/btdocs/BTdocs_new.html
Ensure you remove BT information from your desk and machine when it is not required
Requirement Remove any BT information from your desk and machine when it is not required and when the associate leaves the project. Shred documents that are no longer required. Return all BT information assets when moving out of BT projects.
What care to take Do not leave BT documents near the printer, and do not send BT information by mail to external mail IDs. Do not retain BT information when you leave a BT project.
Perceived threats Unauthorized access to information; disclosure of confidential information; violation of the Data Protection Act.
Benefits Confidentiality of the customer's data.
Read more on ISG Portal at- https://isg.techmahindra.com/btdocs/BTdocs_new.html
Ensure you work on BT projects only after signing the NDA
Requirement BT's Non Disclosure Agreement must be signed by all associates working on BT projects. The signed NDA should be stored and retained by the PM and made available when requested by BT.
What care to take
Do not work on BT projects until the NDA is signed and handed over to your PM.
Perceived threats
Non-compliance with BT security policy; breach of the contractual agreement with BT.
Benefits Customer confidence; legal compliance; adherence to the Data Protection Act.
Read more about Confidentiality agreement templates on ISG Portal at- https://isg.techmahindra.com/btdocs/BTdocs_new.html
Mandatory BT Security Exams
Requirement You need to complete the BT mandatory exams and update the ESG Exam tracker at your earliest. These exams do NOT require a UIN to complete.
What care to take Please get allocated by your Line Manager for the exams on the following path:
Learning Centre > Manager+ > Line Manager > Mandates > Allocate Mandates to Employee > Allocation Channel: Generic
It takes 1 to 2 days for the exams to appear in the ESG Exam Tracker after allocation in the ESG Learning System. You should complete the exams and update the ESG Exam tracker at the earliest. Refer to the link for more details - http://workingwithbt.extra.bt.com/index_new.html
Perceived threats Non-compliance with BT security policy.
Benefits Customer confidence; demonstration of good security posture across TechM.
Read more in the BT Exam FAQ on the ISG Portal at- https://isg.techmahindra.com/btdocs/BTdocs_new.html
Only BT authorized and approved software must be installed on your machines
Requirement Ensure that no malicious code or Trojans are part of any software application and that none is introduced into BT systems.
What care to take Ensure that BT systems are not infected with viruses or other malicious software code through the installation of pirated, unauthorized or unapproved software on your machine.
Perceived threats Virus infection on BT systems, with high risk and business impact to BT systems; loss of integrity of customer data.
Benefits Maintaining confidentiality and integrity of BT information; security of the BT network.
Read more on the ISG Portal at- https://isg.techmahindra.com/btdocs/BTdocs_new.html
Sharing UIN/password is prohibited
Requirement A UIN is a unique identification number and password provided to TechM employees by BT to access BT systems.
What care to take
Do not share your UIN/password, Active Token or BT customer-issued Token with others. Do not keep your UIN/password together with your Active Token or BT customer-issued Token. Violations may attract strict disciplinary action from BT and TechM HR.
Perceived Threats Unauthorized access to BT systems; violation of BT security policy; security breach; information leakage.
Benefits Customer confidence; confidentiality of BT information on a need-to-know and need-to-work basis is preserved.
For more details, refer to “Must see documents” at ISG Portal https://isg.techmahindra.com/btdocs/BTdocs_new.html
Do NOT use BT email ID for TechM internal communications
It has been observed that associates who are provided with client email IDs generally use those client email IDs for internal communications as well.
Requirement Associates should NOT use the BT email ID for internal communications of a legal or confidential nature. The client-provided email ID should be used only for transactions and correspondence related to client business purposes.
What care to take
1. For internal communications, only the Tech Mahindra email ID should be used.
2. The client-provided email ID should be used only for transactions and correspondence related to client business purposes.
3. If the Tech Mahindra email is not configured, Tech Mahindra email can be accessed through web mail. If this is also not possible, a SPOC with a Tech Mahindra ID is to be nominated for all such internal communication emails.
Perceived threats
- Confidential information can reside on client mail servers.
- Such emails could land in unauthorized hands, where they can be misused and adversely impact the business.
- Confidentiality breach from a legal perspective.
Benefits Legal compliance; confidentiality of information.
Project BCP must be reviewed and tested
Requirement Ensure the project BCP is reviewed and tested. The test report should be made available to BT when required.
What care to take
Ensure RTO, MOL and MTPOD are properly defined for the project, in line with the contractual agreements.
Perceived threats
An incomplete and untested BC plan may fail to execute at the time of a disaster.
Benefits Minimal impact in the event of a disaster; reliability of the BCP documentation.
For more details read- Business Continuity Management Framework document (ISG-N-M003) on BMS
Segregation of Development, Test and LIVE production environment at BT
Requirement Ensure the Development, Test and LIVE production environments are not shared with each other and are physically and logically isolated.
What care to take
Do not work across the development, test and production environments of the BT network in parallel.
Perceived threats
Non-compliance with BT security policy; data loss or threat to data integrity.
Benefits Avoidance of security breaches while working with BT; improved customer confidence.
Read more on BT compliance Do’s & Don’ts on ISG Portal at- https://isg.techmahindra.com/btdocs/BTdocs_new.html