INFORMATION SYSTEMS AND DATA SECURITY AWARENESS PROGRAM
FUSION BPO SERVICES, Inc.
'Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.'
What is an Information Systems and Data Security Policy?
It can be defined as the rules that regulate how an organization manages and protects its internal information, its external customer or client information, and its computing resources.
Why do we need a Security Policy?
The policy tells users, staff and managers what they can do, what they cannot do and what they must do to comply with the Security Policy and Practice.
Purpose:
To ensure business continuity by reducing or minimizing damage to the business through safeguarding the confidentiality, integrity and availability of information.
Why do I need to learn about computer security? Isn't this just an IT problem?
Everyone who uses a computer needs to understand how to keep his or her computer and data secure.
Why I Need Information Security Training
Security Awareness is a critical part of an organization's information security program; it is the human knowledge and behaviour that the organization relies on to protect itself against information security risks. Humans, just like computers, store, process and transfer information. As a result, many attackers today target the human, bypassing most technical controls and using techniques such as social engineering to get the information they want. Awareness, not just technology, is now a key factor in an organization's goal to reduce risk, protect its reputation, improve governance and be compliant.
Why I Need Information Security Training
Security Awareness Training is designed to educate users on the appropriate use, protection and security of information, on individual user responsibilities, and on the ongoing maintenance necessary to protect the confidentiality, integrity and availability of information assets, resources and systems from unauthorized access, use, misuse, disclosure, destruction, modification or disruption. The long-term benefits to your organization of a successful security awareness program include enhanced awareness, increased security and improved online productivity for employees and for the company as a whole.
What Is Information Security
The quality or state of being secure: being free from danger.
Security is achieved by using several strategies at once, or in combination with one another.
Security is recognized as essential to protect vital processes and the systems that provide those processes.
Security is not something you buy; it is something you do.
What Is Information Security
An architecture in which an integrated combination of appliances, systems and solutions, software, alarms and vulnerability scans work together and are monitored 24x7.
It rests on People, Processes and Technology (PPT), backed by policies and procedures. Security is about PPT, not only about appliances or devices.
INFORMATION SECURITY
1. Protects information from a range of threats
2. Ensures business continuity
3. Minimizes financial loss
4. Optimizes return on investments
5. Increases business opportunities
Security breaches lead to...
• Reputation loss
• Financial loss
• Intellectual property loss
• Legislative breaches leading to legal action (cyber law)
• Loss of customer confidence
• Business interruption costs
In short: LOSS OF GOODWILL
What is Risk?
Risk: The possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset.
Threat: Something that can potentially cause damage to the organization, its IT systems or its network.
Vulnerability: A weakness in the organization, its IT systems or its network that can be exploited by a threat.
Good security practices follow the "90/10" rule
10% of security safeguards are technical.
90% of security safeguards rely on us, the users, adhering to good computing practices.
What are the consequences of security violations?
• Disciplinary action (up to expulsion or termination)
• Embarrassment to yourself and/or the Company
• Having to recreate lost data
• Identity theft
• Data corruption or destruction
• Loss of patient, employee and public trust
• Costly reporting requirements and penalties
• Unavailability of vital data
Good Computer Security Practices
Passwords
Your password is your key to OC Inc Fusion BPO Services data and resources.
Remember: carelessness is dangerous! If you receive a phone call from someone claiming to be a contractor working with IT Security, would you give them your password? NO!
How many of you have written your password down? What did you do with the paper? Is it tucked safely and securely away? If it is in the first place you would look (like under the keyboard), someone else would look there too!
Password construction and Management
When selecting a password, you may naturally want to choose something easy to remember. But if it is easy for you, it may be easy for someone else to crack!
A password should not be:
Your name or any family member's name, including pets!
Your street name, car type, favorite singer, etc.
Any easily guessed or recognized name or word
Your previous password with a sequentially increased number at the end (appending or bumping a digit is the first variation a cracker tries against an expired password).
Password construction and Management
A password should be:
A mixture of letters (both upper and lower case) and numbers and/or special characters
At least eight characters long, preferably longer; extra length adds far more strength than clever substitutions do
– for example iH8TDieTs satisfies these rules: it has capitals, lower case and numbers, AND it isn't too tough to remember. Just say: I hate diets. Bear in mind, though, that substitutions such as 8 for "ate" are in every password cracker's rule set, so a longer phrase beats a cleverly spelled short one.
A password should never be:
...Taped to a monitor, keyboard, desk, desk accessory or anywhere visible
...Shared with ANYONE. NOT EVEN A SUPERVISOR!
Examples of Passwords
Weak: 12345, Password, STCC, Pecan, Gateway1, abc123
Strong (as listed on the original slide):
• tCj0Tm
• iL2e0c
• 1cRmPW!
• CyMm@M0?
Caveat: the first two "strong" examples are only six characters long, below this deck's own eight-character minimum. Six characters of mixed-case letters and digits give 62^6 (about 5.7 x 10^10) combinations, which a single modern GPU exhausts in seconds against a fast hash such as NTLM. Treat only the two longer examples as meeting the rule, and prefer longer still.
Email Usage
Some experts feel email is the biggest security threat of all. It is the fastest, most effective method of spreading malicious code to the largest number of users. It is also a large source of wasted technology resources.
Examples of waste:
Electronic greeting cards
Chain letters
Jokes and graphics
Spam and junk email
Pitfalls of email
1. Email is NOT secure. It is essential to understand that email does not go directly to the intended recipient; it is routed through various systems first, and unless it is encrypted it can be read at any of them. Remember, it is not impervious to prying eyes!
2. Email is open to abuse. Scams, mass mailings, junk mail and deceptive advertising can be delivered to your computer mailbox as easily as to your home mailbox.
3. Email is potentially harmful. It is the easiest, most effective conveyance of malicious code.
Should You Open the E-mail Attachment?
If it's suspicious, don't open it! What is suspicious?
• Not work-related
• Attachments you were not expecting
• Attachments with a suspicious file extension (*.exe, *.vbs, *.bin, *.com, *.scr or *.pif), including "double" extensions such as report.pdf.exe, which Windows shows as report.pdf when known extensions are hidden
• A web link you were not expecting
• Unusual subject lines: "Your car?"; "Oh!"; "Nice Pic!"; "Family Update!"; "Very Funny!"
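The extension check described on this slide, as an added example (not code from the original deck or from Fusion BPO Services): a small Python filter that applies the slide's extension list and also catches two disguises the slide does not spell out, a double extension such as report.pdf.exe and padding spaces or a right-to-left override character that hide the real extension. The extra executable types, the decoy-extension list and the sample filenames are assumptions constructed for illustration.

```python
"""Flag e-mail attachment names that the slide calls suspicious.

Added example, not part of the original training deck. The extension list
is the slide's; the extra Windows executable types, the decoy list and the
sample filenames are assumptions constructed for illustration.
"""
import re

# Extensions named on the slide, plus other Windows executable types
# (the second line is an assumed addition, not from the deck).
DANGEROUS_EXTENSIONS = {
    "exe", "vbs", "bin", "com", "scr", "pif",
    "bat", "cmd", "js", "jse", "wsf", "hta", "msi", "lnk",
}

# Document and image extensions typically used as the decoy half of a
# double extension such as report.pdf.exe.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}

# Constructed sample attachment names (not taken from any real message).
SAMPLE_ATTACHMENTS = [
    "Q3_report.xlsx",
    "setup.exe",
    "Nice_Pic.jpg.scr",
    "Family Update.PDF              .exe",
    "invoice\u202efdp.exe",
]


def assess_attachment(filename: str) -> dict:
    """Return {'suspicious': bool, 'reasons': [str, ...]} for one attachment name.

    Comparison is case-insensitive because Windows runs INVOICE.EXE exactly
    as it runs invoice.exe.
    """
    reasons = []
    parts = [p.strip() for p in filename.lower().split(".")]
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in DANGEROUS_EXTENSIONS:
        reasons.append(f"executable extension .{ext}")
    # report.pdf.exe displays as report.pdf when Explorer hides known extensions
    if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS and ext in DANGEROUS_EXTENSIONS:
        reasons.append(f"double extension .{parts[-2]}.{ext} posing as .{parts[-2]}")
    # a long run of spaces pushes the real extension out of a narrow column
    if re.search(r"\s{5,}\.", filename):
        reasons.append("padding spaces hide the real extension")
    # U+202E reverses display order, so invoice<RLO>fdp.exe renders as invoiceexe.pdf
    if "\u202e" in filename:
        reasons.append("right-to-left override character in name")
    return {"suspicious": bool(reasons), "reasons": reasons}


def triage(filenames) -> dict:
    """Map each attachment name to its verdict."""
    return {name: assess_attachment(name) for name in filenames}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        label = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{name!r:42} {label:10} {'; '.join(verdict['reasons'])}")
```

The filter is a screening aid for the reader, not a substitute for the mail gateway: a benign extension says nothing about the content (macros in a .docx are not covered), so "ok" here still means "open only if expected".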
E-Mail Security: Risk Areas
1. Spamming. Unsolicited bulk e-mail, including commercial solicitations, advertisements, chain letters, pyramid schemes and fraudulent offers. Do not reply to spam messages (a reply confirms that your address is live). Do not spread spam; sending or forwarding chain letters is against policy and is the same as spamming. Do not open or reply to suspicious e-mails.
2. Phishing Scams. E-mail pretending to be from trusted names, such as Citibank, PayPal or Amazon, but directing recipients to rogue sites. A reputable company will never ask you to send your password through e-mail.
3. Spyware. Software, often bundled with adware or free downloads, that can slow computer processing, hijack web browsers, log keystrokes and cripple computers.
E-mail Usage
Use official mail for business purposes only.
Follow the mail storage guidelines to avoid blocking of e-mails.
If you come across any junk / spam mail, do the following:
a) Delete the mail.
b) Inform the security help desk.
c) Inform the server administrator.
d) Do not reply to the sender, even to ask them to stop: as the risk-areas slide says, a reply only confirms that your address is live.
Do not use your official ID for any personal subscription purpose.
Do not send unsolicited mails of any type, such as chain letters or e-mail hoaxes.
Do not send mails to clients unless you are authorized to do so.
Do not post non-business-related information to a large number of users.
Do not open mail or attachments suspected to carry a virus or received from an unidentified sender.
Internet Usage
Use internet services for business purposes only.
Do not access the internet through dial-up connectivity.
Do not use the internet for viewing, storing or transmitting obscene or pornographic material.
Do not use the internet for accessing auction sites.
Do not use the internet for hacking other computer systems.
Do not use the internet to download or upload commercial software or copyrighted material.
The Technology Department continuously monitors internet usage. Any illegal use of the internet and other assets shall call for disciplinary action.
Physical Security
Would you leave your credit card exposed or unattended in a public place? Do you lock your car? Secure your wallet or purse?
Take those same precautions with your PC!
Log off or lock your PC when unattended.
Shut down your PC when you leave for the day... EVERY DAY!
Lock doors in accordance with Fusion BPO Services policy.
Secure your password!
Access Control: Physical
Do:
• Follow security procedures
• Wear identity cards and badges at all times
• Ask an unauthorized visitor for his or her credentials
• Escort all visitors while they are onsite
Do not:
• Bring visitors into the operations area without prior permission
• Bring hazardous or combustible material into a secure area
• Practice "piggybacking" (letting someone follow you through a controlled door on your badge)
• Bring in or use pen drives, zip drives, iPods or other storage devices unless otherwise authorized to do so
Unique User Log-In / User Access Controls
Access controls:
Users are assigned a unique "User ID" for log-in purposes.
Each individual user's access to OC Inc./Fusion BPO Services system(s) is appropriate and authorized.
Access is "role-based": access is limited to the minimum information needed to do your job.
Unauthorized access to OC Inc./Fusion BPO Services by former employees is prevented by terminating their access.
User access to information systems is logged and audited for inappropriate access or use.
Workstation Security
Physical security measures include: disaster controls, physical access controls, device and media controls.
Log off before leaving a workstation unattended. This prevents other individuals from accessing secured data under your User-ID and limits access by unauthorized users.
Lock up! Offices, windows, workstations, sensitive papers, PDAs, laptops, mobile devices and media.
Lock your workstation: Ctrl+Alt+Del and "Lock" (Windows XP, Windows 2000), or the Windows key + L shortcut, which works on Windows XP and every later version.
Antivirus and Firewall
Make sure your computer has anti-virus, anti-spyware and firewall protection, as well as all necessary security patches. Don't install unknown or unsolicited programs on your computer.
Report Security Incidents
You are responsible to:
Report and respond to security incidents and security breaches.
Know what to do in the event of a security breach or incident related to Data Security and/or Personal Information.
Report security incidents and breaches to: IT Security Team
Your Responsibility to Adhere to OCI Security / Information Security Policies
Users of electronic information resources are responsible for familiarizing themselves with, and complying with, all company policies, procedures and standards relating to information security.
Users are responsible for appropriate handling of electronic information resources.
Why can't I play games online?
Online gaming on a company computer is against company policy. Playing games on a company computer is forbidden.
Gaming sites, like MP3 download sites, are good places to pick up a virus. Script kiddies and hackers swarm around these sites like vultures, using all the tricks of their trade to glean password and network information from gamers.
This is easy to avoid. Don't do it!
Types of sites to avoid and WHY
Corporate sites that have a vested interest in protecting and maintaining public trust are more rigorous in protecting visitors' email addresses and information. For example, sites such as CNN and Headline News want visitors to feel confident and comfortable on their web sites, so they take measures to secure them. However, many other sites do NOT take measures to protect visitors' data; in fact, some are notorious for harvesting and selling such data.
Please do not use your OC Inc. Fusion BPO Services computer or email address for joke sites, dating sites, horoscopes, chat rooms, free grocery coupons and other such sites. Sites promising free goods, vacations and fun are good ones to put on the NO GO list.
These are all easy to avoid, and you will likely reduce your junk mail as well.
Common Terminology
What is a cookie? Cookies are small text files that some web sites create when you visit. The file is used to store information on your computer.
What does encrypted mean? The translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to the secret key or password that enables you to decrypt it. Unencrypted data is called plaintext; encrypted data is referred to as ciphertext.
What is a virus? A virus is a piece of code written specifically to execute without the user's knowledge or permission. It usually attaches itself to a file or program in order to replicate and spread. Some viruses are harmless, while others can cause serious damage.
Common Terminology cont.
What is phishing? The act of sending an e-mail falsely claiming to be from an established, legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to a web site that is bogus and set up only to steal the user's information.
What is spam? Electronic junk mail. Spam is generally e-mail advertising for some product sent to a mailing list or newsgroup. In addition to wasting people's time with unwanted e-mail, spam also eats up a lot of network bandwidth. Some ISPs, such as AOL, have instituted policies to prevent spammers from spamming their subscribers.
What is an audit trail? A record showing who has accessed a computer system and what operations he or she has performed during a given period of time.
Common Terminology cont.
What is Unauthorized Access? Any time a user gains access to a computer or network without the consent of its administrator.
What is Access Control? The prevention of unauthorized use of information assets. It is the policy rules and deployment mechanisms which control access to information systems, and physical access to premises.
Compliance: Adherence to those policies, procedures, guidelines, laws, regulations and contractual arrangements to which the business process is subject.
Malicious Software: Software, for example a virus, designed to damage or disrupt a system.
Common Terminology cont.
Password: Confidential authentication information composed of a string of characters.
Server: A computer system, or a set of processes on a computer system, providing services to clients across a network.
User: A person or entity with authorized access.
Protected Information: Any participant or client information that the Department may have in its records or files that must be safeguarded pursuant to Department policy. This includes, but is not limited to, "individually identifying information".
Common Terminology cont.
Integrity: The property that data or information have not been altered or destroyed in an unauthorized manner.
FTP (File Transfer Protocol): A protocol that allows for the transfer of files between an FTP client and an FTP server.
Disclose: The release, transfer, relay, provision of access to, or conveying of client information to any individual or entity outside the Department.
Confidential Information: Any client information (defined above) that OC Inc may have in its records or files on any OC Inc client that must be safeguarded pursuant to OC Inc policy. This includes, but is not limited to, "individually identifying information".
Typical Symptoms of computer infection
File deletion
File corruption
Visual effects
Pop-ups
Erratic (and unwanted) behavior
Computer crashes
Problems Hackers Cause
A hacker intrusion could create legal liability and public embarrassment for you and your organization.
Vandalism: destruction or digital defacement of a computer or its data for destruction's sake
Theft: gaining access to intellectual or proprietary technology or information, sometimes for resale
Hijacking: many financially motivated hackers are interested in remotely controlling PCs
Identity theft: electronic theft of personal information that can be used to steal financial resources
Terrorism: some experts believe that terrorists will eventually launch an attack using hacking techniques
Malware
Malware (also called crimeware or a computer contaminant) is any program which can corrupt files and/or secretly report your information from your computer or network.
Viruses, worms, Trojans and spyware are the most common types of malware.
Many of these destructive programs attempt to reinstall and replicate themselves and are designed to be very difficult to remove from the host computer.
Malware
Virus: self-replicating code that attaches itself to files or programs and gets onto your computer, usually without your knowledge
– You can get "infected" by accessing something that is already infected with a virus
– Sources include floppy disks, USB drives, websites and e-mail
Worm: software that actively tries to spread itself to infect other computers
– Worms can actively scan networks to infect other machines
– Worms can also be spread by e-mail applications, using the computer's address book
Trojan: damaging software that hides its identity by posing as something else, such as a screen saver or a greeting card. Once installed, the Trojan gives the attacker a back door into your system that can be used as needed.
IT ACT PROVISIONS
Email is now a valid and legal form of communication in our country that can be duly produced and approved in a court of law.
Companies are now able to carry out electronic commerce using the legal infrastructure provided by the Act.
Digital signatures have been given legal validity and sanction in the Act.
The Act allows Government to issue notifications on the web, thus heralding e-governance.
Statutory remedy is available if anyone breaks into company computer systems or networks and causes damage or copies data.
Risks and Threats
• High user knowledge of IT systems (insiders who know where the data is and how the controls work)
• Theft, sabotage, misuse
• Virus attacks
• Systems and network failure
• Lack of documentation
• Lapse in physical security
• Natural calamities and fire
User Responsibilities
Ensure your system is locked when you are away.
Always store laptops and media in a lockable place.
Ensure sensitive business information is under lock and key when unattended.
Ensure back-up of sensitive and critical information assets.
Understand compliance issues such as cyber law, IPR, copyrights, NDAs and contractual obligations with customers.
Verify credentials if a message is received from an unknown sender.
Always switch off your computer before leaving for the day.
Keep yourself updated on information security aspects.
Do's and Don'ts
Email and messaging: Do
• Read your organization's email policy.
• Report any spam or phishing emails that are not blocked or filtered to your IT team.
• Report phishing emails to the organisation they are supposedly from.
• Use your organization's contacts or address book. This helps to stop email being sent to the wrong address.
Phishing is an attempt to obtain your personal information (for example, account details) by sending you an email that appears to be from a trusted source (for example, your bank).
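The rogue-site trick described under Phishing Scams on the E-Mail Security slide and defined again here, as an added example (not code from the original deck or from Fusion BPO Services): a Python script that pulls every link out of an HTML message and flags links whose visible text names one domain while the href points to another, hosts that merely contain a trusted brand name, and plain-http links. The sample message, the trusted-domain list and the function names are assumptions constructed for this example.

```python
"""Flag links in an HTML e-mail whose visible text and target disagree.

Added example, not part of the original training deck. The sample
message, the trusted-domain list and the helper names are assumptions
constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the recipient is assumed to trust (assumption for the example).
TRUSTED_DOMAINS = {"paypal.com", "amazon.com", "citibank.com"}

# A host-like token inside visible link text, e.g. "www.paypal.com/verify".
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")

# Constructed sample phishing message (not a real e-mail).
SAMPLE_EMAIL = """<p>Dear customer, your account is limited.</p>
<p>Please verify at <a href="http://paypal.com.account-verify.example/login">www.paypal.com/verify</a>
within 24 hours, or review your orders at
<a href="https://www.amazon.com/orders">https://www.amazon.com/orders</a>.</p>
<p><a href="https://secure-citibank-login.example/">Click here</a> to update your password.</p>"""


def registrable_domain(host: str) -> str:
    """Last two labels of a host: 'login.paypal.com' -> 'paypal.com'.

    Adequate for .com-style hosts; a production check uses the Public
    Suffix List so that 'bank.co.uk' is not reduced to 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_links(html: str) -> list:
    """Return one finding per link: {'href', 'text', 'flags'}.

    text_host_mismatch    visible text names a domain other than the href's
    lookalike_of_trusted  href host contains a trusted brand but is not that domain
    not_https             href is plain http
    """
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        flags = []
        parsed = urlparse(href)
        href_host = (parsed.hostname or "").lower()
        href_domain = registrable_domain(href_host)
        shown = HOST_RE.search(text.lower())
        if shown and registrable_domain(shown.group(1)) != href_domain:
            flags.append("text_host_mismatch")
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in href_host and href_domain != trusted:
                flags.append("lookalike_of_trusted")
                break
        if parsed.scheme == "http":
            flags.append("not_https")
        findings.append({"href": href, "text": text, "flags": flags})
    return findings


if __name__ == "__main__":
    for finding in analyse_links(SAMPLE_EMAIL):
        status = ", ".join(finding["flags"]) or "ok"
        print(f"{finding['text']!r:40} -> {finding['href']}  [{status}]")
```

The "Click here" link is the instructive case: its text reveals nothing, so only the brand-in-hostname check catches it, which is why the slide's advice to hover over links and read the real destination still matters even when the text looks harmless.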
Do's and Don'ts
Email and messaging: Don't
• Click on links in unsolicited emails. Be especially wary of emails requesting or asking you to confirm any personal information, such as passwords, bank details and so on.
• Turn off any email security measures that your IT team has put in place or recommended.
• Email sensitive information unless you know it is encrypted. Talk to your IT team for advice.
• Try to bypass your organisation's security measures to access your email off-site (for example, by forwarding email to a personal account).
• Reply to chain emails.
Do's and Don'ts
Passwords: Do
• Follow OC Inc's password policy.
• Use a strong password (strong passwords are usually eight characters or more and contain upper and lower case letters as well as numbers).
• Make your password easy to remember but hard to guess.
• Choose a password that is quick to type.
• Use a mnemonic (such as a rhyme, acronym or phrase) to help you remember your password.
• Change your password(s) if you think someone may have found out what they are.
Do's and Don'ts
Passwords: Don't
• Share your passwords with anyone else.
• Write your passwords down.
• Use your work passwords for your own personal online accounts.
• Save passwords in web browsers if offered to do so.
• Use your username as a password.
• Use names as passwords.
• Email your password or share it in an instant message.
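The rules on the two Password construction and Management slides and on these two Do's and Don'ts password slides, as an added example (not code from the original deck or from Fusion BPO Services): a Python checker that applies them to a candidate password and estimates the brute-force keyspace, which shows why the six-character "strong" examples on the Examples of Passwords slide fall short of the deck's own minimum. The blocklist, the previous-password comparison and the sample inputs are assumptions constructed for illustration.

```python
"""Check a candidate password against the rules given in this deck.

Added example, not part of the original training material. The rules are
the slides'; the blocklist, the previous-password comparison and the
sample inputs are assumptions constructed for illustration.
"""
import re
import string

# Stand-in for the names and dictionary words the deck says to avoid; a real
# deployment would check a breached-password list instead (assumption).
BLOCKLIST = {"password", "12345", "abc123", "gateway1", "pecan", "stcc", "qwerty", "welcome"}

_TRAILING_NUMBER = re.compile(r"(.*?)(\d+)")


def violates_increment_rule(candidate: str, previous: str) -> bool:
    """True if candidate is the previous password with a bumped or added trailing number.

    'Summer2023' -> 'Summer2024' and 'Password' -> 'Password1' both count.
    """
    m_new = _TRAILING_NUMBER.fullmatch(candidate)
    if not m_new:
        return False
    m_old = _TRAILING_NUMBER.fullmatch(previous)
    if not m_old:
        return m_new.group(1) == previous
    return m_old.group(1) == m_new.group(1) and int(m_new.group(2)) == int(m_old.group(2)) + 1


def check_password(candidate: str, username: str = "", previous: str = "",
                   min_length: int = 8) -> list:
    """Return the rule violations for candidate; an empty list means it passes."""
    problems = []
    lower = candidate.lower()
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isdigit() or c in string.punctuation for c in candidate):
        problems.append("no digit or special character")
    if lower in BLOCKLIST or lower.rstrip(string.digits) in BLOCKLIST:
        problems.append("common word or name (with or without trailing digits)")
    if username and username.lower() in lower:
        problems.append("contains the username")
    if previous and violates_increment_rule(candidate, previous):
        problems.append("previous password with an incremented number")
    return problems


def brute_force_keyspace(candidate: str) -> int:
    """Guesses needed to exhaust every password of this length built from the same character classes."""
    pool = 0
    if any(c.islower() for c in candidate):
        pool += 26
    if any(c.isupper() for c in candidate):
        pool += 26
    if any(c.isdigit() for c in candidate):
        pool += 10
    if any(c in string.punctuation for c in candidate):
        pool += len(string.punctuation)  # 32 printable ASCII symbols
    return pool ** len(candidate)


if __name__ == "__main__":
    # Constructed samples: the deck's own examples plus two policy edge cases.
    samples = [("tCj0Tm", "", ""), ("iH8TDieTs", "", ""), ("CyMm@M0?", "", ""),
               ("Gateway1", "", ""), ("Summer2024", "", "Summer2023"),
               ("jsmith2024", "jsmith", "")]
    for pw, user, prev in samples:
        issues = check_password(pw, username=user, previous=prev) or ["ok"]
        print(f"{pw:12} keyspace={brute_force_keyspace(pw):.2e}  {'; '.join(issues)}")
```

The keyspace figure is an upper bound that assumes the attacker guesses blindly; real cracking runs dictionary words with substitution and append-digit rules first, which is exactly why the checker rejects Gateway1 and Summer2024 even though both satisfy the character-class rules.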
Do's and Don'ts
Working on-site: Do
• Lock sensitive information away when it is left unattended.
• Remember that working at home is a privilege.
Don't
• Let strangers or unauthorised people into staff areas.
• Position screens where they can be read from outside the room.
Final Note
Fusion BPO Services, Inc
THANK YOU
IT SECURITY DEPARTMENT