ISMS AWARENESS

What is Information?

An asset essential to an organization's business that needs to be protected.

Forms of information: printed, written, stored electronically, transmitted by post or email.

What is Information Security?

The protection of information and information systems against unauthorized access or modification, whether in storage, processing, or transit, and against denial of service to authorized users.

Safeguarding an organization's data from unauthorized access or modification to ensure its availability, confidentiality, and integrity.

Why Information Security?

1. Protects information from a range of threats
2. Ensures business continuity
3. Minimizes financial loss
4. Optimizes return on investments
5. Increases business opportunities

What does information security preserve?

Confidentiality: Ensuring that information is accessible only to those authorized to have access, based on need to know.

Integrity: Safeguarding the accuracy and completeness of information.

Availability: Ensuring that authorized users have access to information as and when required.

Security Breaches Lead to...

Reputation loss
Financial loss
Intellectual property loss
Legislative breaches leading to legal action (cyber law)
Loss of customer confidence
Business interruption costs
Loss of goodwill

TBSS Information Security Policy

Information Security Policy Statement

TBSS is committed to protecting the Confidentiality, Integrity and Accessibility of its Information, thereby providing comprehensive assurance to all its stakeholders.

To that end, TBSS will aggressively unravel and learn the changing landscape of risk, review organization standards and processes periodically, and focus relentlessly on execution.

Information Classification

Public: Disclosure inside or outside the organization would not cause any damage or inconvenience.

Internal: Disclosure inside the organization for effective implementation of procedures and processes would not cause any damage or inconvenience.

Restricted: Disclosure inside or outside the organization would be inappropriate and inconvenient.

Confidential: Disclosure inside or outside would cause significant harm to the interests of the organization.

Secret: Disclosure inside or outside would cause serious damage to the interests of the organization.

Steps to Strengthen your information security

1. Strengthen your computer's defenses
2. Avoid downloading malware
3. Protect company data & financial assets
4. Create strong passwords & keep them private
5. Guard data & devices when you're on the go

Step 1: Strengthen your computer's defenses

a. Check regularly that your system's antivirus is up to date
b. Do not download unauthorized software
c. Do not store Confidential documents on your local machine
d. Do not store songs and videos on your system

Step 2: Avoid downloading malware

a. Think before you click
b. Confirm that the message is legitimate
c. Close pop-up messages carefully

Step 3: Protect company data & financial assets

a. Give a proper classification to the information
b. Information should be stored only in Share Portals
c. Information should be stored in a manner such that at least user ID/password authentication is required to access it

Step 4: Create strong passwords & keep them private

a. Passwords must be treated as sensitive and confidential information.
b. Never share your password with anyone for any reason.
c. Passwords should not be written down, stored electronically, or published.
d. Use different passwords for your different accounts.
e. Create passwords that are not common, avoid common keyboard sequences, and do not contain personal information such as pet names and birthdays.

Step 5: Guard data & devices when you're on the go

a. Use the organization's VPN for email communication
b. Confirm the connection
c. Do not use flash drives & memory cards

Guidelines and safe practices for:

Creation of Passwords
Email Usage
Clear Desk
Internet Usage
Tailgating and Piggybacking
Social Engineering

Password Security Guidelines

Passwords should contain:
At least 8 characters
Uppercase letters (A-Z)
Lowercase letters (a-z)
Numbers (0-9)
Special characters (!@#$%^&*)

Use hard-to-guess passwords.

Change your password regularly (every 30 days).

Memorize your password and refrain from writing it down.

Never choose the "Remember password" feature in any application.

The last 5 passwords should not be reused for any reason.

Passwords should strictly be kept private and confidential.

DOs

Use a combination of lower and upper case letters, numbers and special characters
Change the password regularly
Create a complex, strong password, and protect its secrecy

DON'Ts

Use personal information (e.g. birthday, home address, phone number)
Use dictionary words (including foreign languages)
Write it down
Share it with anyone

Which of the passwords below are strong?

Password@123 (weak)
abc@1122
harshaSree@1841
MpbN!h@5612 (strong)
My Pets Baby Name Is Happy
Rsw3yO!D
Reemas Son Was 3 Years Old In December

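A small checker that applies the deck's password rules (at least 8 characters, upper and lower case, digits, special characters, no dictionary words or personal information, no common keyboard sequences, no reuse of the last 5 passwords) to the quiz passwords above. This is an added example, not part of the TBSS material; the dictionary, personal-information and keyboard-sequence lists are constructed stand-ins for what a real deployment would load.

```python
# Policy thresholds taken from the deck's Password Security Guidelines.
MIN_LENGTH = 8
SPECIALS = set("!@#$%^&*")
HISTORY_DEPTH = 5  # "last 5 passwords should not be reused"

# Constructed stand-ins for the deck's "dictionary words" and "personal
# information" DON'Ts; a real deployment would load a full word list and the
# user's own profile data instead of these tiny samples.
DICTIONARY_WORDS = {"password", "welcome", "admin", "happy", "december"}
PERSONAL_INFO = {"harsha", "sree", "1841", "reema"}
KEYBOARD_SEQUENCES = ("qwerty", "asdf", "12345", "abcd")


def password_findings(pw):
    """Return every policy rule the password violates (empty list = passes)."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in pw):
        findings.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        findings.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        findings.append("no digit")
    if not any(c in SPECIALS for c in pw):
        findings.append("no special character")
    lowered = pw.lower()
    for word in sorted(DICTIONARY_WORDS):
        if word in lowered:
            findings.append("contains dictionary word '%s'" % word)
    for item in sorted(PERSONAL_INFO):
        if item in lowered:
            findings.append("contains personal information '%s'" % item)
    for seq in KEYBOARD_SEQUENCES:
        if seq in lowered:
            findings.append("contains keyboard sequence '%s'" % seq)
    return findings


def is_strong(pw):
    """True only when no rule from the guidelines is violated."""
    return not password_findings(pw)


def reuses_recent(new_pw, history):
    """History is oldest-first; only the most recent HISTORY_DEPTH entries count."""
    return new_pw in history[-HISTORY_DEPTH:]


if __name__ == "__main__":
    for pw in ["Password@123", "abc@1122", "harshaSree@1841", "MpbN!h@5612"]:
        print(pw, "strong" if is_strong(pw) else password_findings(pw))
```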
Safe Email Practices

Do not open unexpected or suspicious e-mails. Delete them if they do not concern you.

Be aware of the sure signs of a scam email:
Not addressed to you by name
Asks for personal or financial information
Asks you for your password
Asks you to forward it to lots of other people

Before opening an email attachment, save the attachment to disk and scan it for viruses.

Do not forward chain e-mails containing confidential information, unless the recipient is the trusted information seeker.

Signs of a suspicious email:

A suspicious email address (note that the real email address is not from Outlook).
Generic salutations rather than using your name.
Alarmist messages: criminals try to create a sense of urgency so you'll respond without thinking.

Social Engineering

Social engineering is a hacking technique that relies on human nature. This approach is used by many hackers to obtain information valuable to accessing a secure system.

Rather than using software to identify security weaknesses, hackers attempt to trick an individual into revealing passwords and other information that can compromise your system security.

They use people's inherent nature to trust to learn passwords, logon IDs, server names, operating systems, or other sensitive information.

For example, a hacker may attempt to gain system information from an employee by posing as a service technician or system administrator with an urgent access problem.

Nobody should ever ask you for your passwords. This includes system administrators and help desk personnel.

If someone requests sensitive information from you, never hesitate to ask the following questions:

Ask for the correct spelling of their name
Ask for a contact number and the person's position so you can call back
Ask for the purpose and urgency of the information
Ask for the approval for seeking the information

Do not give out passwords.

Clear Desk Guidelines

What's Wrong with This Picture?

Lock the computer when your workspace is unattended.
Shut down the system at the end of the day.

All Confidential and Internal use documents must be removed from the desk and locked in a drawer or file cabinet when the workstation is unattended and at the end of the workday.

All waste paper that carries personal or confidential information must be destroyed in a shredding machine.

Passwords and any other confidential information must not be posted on or under a computer or in any other accessible location.

Copies of documents containing Confidential or Internal use information must be removed from printers immediately. If there is a problem with the printer, turn it off to clear sensitive material from the printer's memory.

Handling Removable Media Devices

Do not bring any personal removable media like USB storage devices, CDs, or DVDs into office premises.

If it is required to bring a media device, it must be explicitly declared at the security desk.

All events detected for the use of USB mass storage will be treated as security incidents and shall be dealt with as per the organization's information security incident management process.

If removable media devices are carried for office use:

Prior authorization from the business head is required, stating the usage.
The Technology team should approve the same after scanning the content.

Internet Usage Guidelines

Access to the Internet is provided to employees for the benefit of TBSS and its customers.

Employees using the Internet are representing the company. Employees are responsible for ensuring that the Internet is used in an effective, ethical, and lawful manner.

The Internet should not generally be used for personal gain or advancement of individual interest. Solicitation of non-TBSS business or use of the Internet for personal gain is strictly prohibited.

Use of the Internet must not disrupt the operation of the TBSS network. It must not interfere with your productivity.

Accessing gaming sites or adult sites, and initiating any hacking activity or denial-of-service attack over the Internet, are strictly prohibited, and users are solely responsible for any legal action arising out of the same.

File downloads (e.g. exe, mp3) from the Internet are not permitted unless specifically authorized in writing by the Technology Team.

While accessing the Internet, users must not violate or infringe upon the rights of others or download pirated software (copyrighted material).

Access to Instant Messengers shall not be permitted. If required, it shall be supported by a business need backed by the requisite approvals.

Users are solely responsible for any legal action arising out of abuse, or out of activity against national security, that has originated from their computer/laptop.

Physical Security Guidelines

"I forgot my identity card. Can you please tag me in with your card?"
"No, you should inform the reception; they will issue a temporary identity card for you."

It is mandatory for users to display the ID card / visitor pass legibly.
Users are not allowed to swipe their ID cards at restricted entry points.
Users must swipe their ID cards at all times to access all access-controlled areas.
Loss of an ID card must be reported to the Facilities department and BMS team immediately.
Users are not allowed to lend their ID cards to others.

Users are not allowed to carry any removable media storage devices like floppies, CDs, pen drives, etc. into TBSS premises.
Usage of cameras (including the camera in a mobile phone) is prohibited inside TBSS premises.
Users are required to cooperate with security for frisking.
Tailgating is strictly prohibited.
All company laptops must have laptop cards attached to them.
Laptop users must display their laptop cards to carry laptops into and out of TBSS office premises.

No Tailgating

Make sure that you are the only one entering with your access card.
Ensure access doors to controlled areas are closed securely after entering and exiting.

You need to know:

Fire / emergency exits
Evacuation plan / procedure
Emergency information
Reporting mechanisms

ISMS Policies

You need to know the ISMS policies below, available in Drishti:

Acceptable Usage Policy
Clear Desk Policy
Email Policy
Information Security Incident Management Policy
Information Security Policy
Internet Utilization Policy
Password Policy
Physical Security Policy
Printer Usage Policy

ISO 27001:2013 documents are available at the link below:

http://be.serwizsol.com/Internal/Forms/View.aspx?RootFolder=%2FInternal%2FISO%2027001&View=%7bD59EBEF6%2dBB33%2d4A8A%2d8FE6%2dE35ADB51165E%7d

INFORMATION SECURITY

Report all information security incidents to IS@tata-bss.com

Reach us at:
E-mail: is@tata-bss.com