8/3/2019 Infosec Awareness Latest
1/33
January 2, 2012
Information Security Awareness Program
CONTENT
What is information?
Characteristics of information
What is information security?
What is ISMS?
Clear desk and clear screen policy
Desktop and portable device policy
Password policy
Email policy
Internet policy
ISO 27001
Security awareness clips
What is information?
Raw data: BOB 1st JAN 2011 A12 Dubai IT Bangalore
From the above data, we can derive the following information:
On 1st of January BOB travelled from Bangalore to Dubai by Kingfisher airline (IT) and his seat number was A12
Information is data that has been given meaning by way of relational connection.
Structured Data:
Name: BOB
Date: 1st JAN 2011
Airline: IT
Destination: Dubai
Seat No.: A12
Boarding: Bangalore
Three characteristics of Information
Confidentiality
Integrity
Availability
What is Confidentiality?
Personal: Hey! my credit card number is confidential
Business: So is the business information stored in your office system
Making sure only those people who are supposed to see the information see it.
Example :- A password or PIN enforces confidentiality
What is Integrity?
Personal: I want my credit card to be charged the exact amount
Business: Data in a sensitive system should not be changed without permission
Making sure only those people who are supposed to change (edit) the information can change it.
Example :- File permissions enforce Integrity
What is Availability?
Personal: Keep backups of my credit card statements in case disputes arise
Business: Backups of business data avoid panic in case of system failure
Making sure the information is available when the authorized people require it.
Example :- Backups ensure availability
What is Information Security?
Information security focuses on protection of Confidentiality, Integrity, and Availability of Information
[Figure: Confidentiality, Integrity and Availability surrounding Business Information]
What is ISMS?
ISMS encompasses the following:
Information Security Policy
Information Security organizational structure
Information Security Standard
Information Security process and procedures
Administrative, physical and technical controls
Monitoring & review systems
CLEAR DESK & CLEAR SCREEN POLICY
CLEAR DESK & CLEAR SCREEN POLICY Cont..
Objective:- Protect information stored in your computer and hard copy documents from unauthorized access
How to practice this?
Lock your computer using Ctrl + Alt + Del when you leave your workstation
If working on sensitive information and you have a visitor at your desk, lock your screen to prevent the contents being read
When desks/offices are unoccupied, any confidential information must be locked away in cabinets or offices
All waste paper which contains any personal or confidential information must be shredded or destroyed
DESKTOP & PORTABLE DEVICE SECURITY POLICY
Objective:- Protect information stored in your computer and avoid malware propagation
How to achieve this?
Employees are responsible for taking backups of laptop/desktop data
Employees are responsible for the physical security of their laptops, BlackBerry devices, etc.
Use of external USB storage devices is restricted.
Always scan for viruses when copying or downloading files to your computer from CD/DVD and other sources
Password policy
Objective:- To ensure protection of information from unauthorized access
Use a complex password, that is, a combination of alphanumeric and special characters
Use a minimum of 8 characters for your password
Change your password before 90 days
Do not repeat the last 5 passwords
Do not share your password
No password behind keyboard
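The four password rules above (minimum 8 characters, mixed character classes, rotation within 90 days, no reuse of the last 5) can be enforced by a small checker. The following is an added example written for this page, not tooling from the deck or from BIAL; the rule constants, the PasswordHistory class and the salted PBKDF2 storage of old passwords are this example's own choices, made so that previous passwords are never kept in clear.

```python
"""Password policy checker (added example; assumptions noted in comments)."""
import hashlib
import hmac
import os
import string
from datetime import date

MIN_LENGTH = 8          # deck rule: minimum 8 characters
MAX_AGE_DAYS = 90       # deck rule: change before 90 days
HISTORY_DEPTH = 5       # deck rule: do not repeat the last 5 passwords
SPECIALS = set(string.punctuation)
# Assumed iteration count; production systems use a higher, tuned value.
PBKDF2_ROUNDS = 50_000


def complexity_ok(pw):
    """Deck rule: combination of alphanumeric and special characters."""
    has_alpha = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_special = any(c in SPECIALS for c in pw)
    return has_alpha and has_digit and has_special


def hash_password(pw, salt):
    # Per-entry salt so identical passwords in different histories differ.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Holds salted hashes of a user's previous passwords, newest last."""

    def __init__(self, depth=HISTORY_DEPTH):
        self.depth = depth
        self.entries = []  # (salt, digest, date_set)

    def was_used_recently(self, pw):
        for salt, digest, _ in self.entries[-self.depth:]:
            if hmac.compare_digest(hash_password(pw, salt), digest):
                return True
        return False

    def record(self, pw, set_on_iso):
        salt = os.urandom(16)
        self.entries.append((salt, hash_password(pw, salt), date.fromisoformat(set_on_iso)))

    def is_expired(self, today_iso):
        """True when the current password is older than MAX_AGE_DAYS (or none is set)."""
        if not self.entries:
            return True
        age = date.fromisoformat(today_iso) - self.entries[-1][2]
        return age.days >= MAX_AGE_DAYS


def validate_new_password(pw, history):
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not complexity_ok(pw):
        problems.append("needs letters, digits and special characters")
    if history.was_used_recently(pw):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    h = PasswordHistory()
    h.record("Winter-2011!", "2011-10-01")
    print(validate_new_password("Winter-2011!", h))   # reuse is rejected
    print(validate_new_password("short1!", h))        # too short
    print(h.is_expired("2012-01-02"))                 # 93 days old: True
```

The history check compares against hashes rather than stored passwords, so a leaked history file does not disclose the old passwords themselves; the expiry check is separate from validation because it applies to the password currently in use, not the one being proposed.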
EMAIL POLICY
Email Policy - Objective:- Avoid information leakage
How to achieve this?
Use official mail for Company business only
Company confidential information must not be shared outside the Company, without authorization, at any time
Email Policy objective :- Avoid legal issues
How to achieve this?
BIAL retains the right to remove from its information systems any material it views as offensive or potentially illegal
Ethnic & racial harassment, abuse, etc. is strictly prohibited
Sending pornographic jokes or other content of a sexual nature via email is considered sexual harassment and will be addressed according to HR Policy.
Do not forward chain mails
Sample Hoax email-1
Subject: FW: PLEEEEEASE READ!!!! It was on the news!
Here something that you might want to read, it was on the news.
Dear friends, Something to share with all of u. Would u believe if this is true? Read on..... For those who need money badly and this is one opportunity to try it! I'm an attorney, and I know the law. This thing is for real. Rest assured AOL and Intel will follow through with their promises for fear of facing a multimillion-dollar class action suit similar to the one filed by PepsiCo against General Electric not too long ago.
Dear Friends, Please do not take this for a junk letter. Bill Gates is sharing his fortune. If you ignore this you will repent later. Microsoft and AOL are now the largest Internet companies and in an effort to make sure that Internet Explorer remains the most widely used program, Microsoft and AOL are running an e-mail beta test. When you forward this e-mail to friends, Microsoft can and will track it (if you are a Microsoft Windows user) for a two week time period. For every person that you forward this e-mail to, Microsoft will pay you $245.00, for every person that you sent it to that forwards it on, Microsoft will pay you $243.00 and for every third person that receives it, you will be paid $241.00. Within two weeks, Microsoft will contact you for your address and then send you a cheque.
Regards, Charles S. Bailey, General Manager Field Operations
[CONTACT DETAILS REMOVED]
I thought this was a scam myself, but two weeks after receiving this e-mail and forwarding it on, Microsoft contacted me for my address and within days, I received a cheque for US$24,800.00. You need to respond before the beta testing is over. If anyone can afford this Bill Gates is the man. It's all marketing expense to him. Please forward this to as many people as possible. You are bound to get at least US$10,000.00.
We're not going to help them out with their e-mail beta test without getting a little something for our time. My brother's girlfriend got in on this a few months ago. When I went to visit him for the Baylor/UT game. She showed me her check. It was for the sum of $4,324.44 and was stamped "Paid In Full".
Like I said before, I know the law, and this is for real. Intel and AOL are now discussing a merger which would make them the largest Internet company and in an effort make sure that AOL remains the most widely used program, Intel and AOL are running an e-mail beta test.
Sample Scam email-2
Mr. Tim J W Tookey, Group Finance Director of Lloyds Banking Group, 25 Gresham Street, London EC2V, [email protected]
Good day,
I am Mr. Tim J W Tookey, the Group Finance Director of Lloyds Banking Group. I personally discovered a dormant account with a total sum of $85,000,000.00 [EIGHTY FIVE MILLION DOLLARS] during our Bank's Annual Year Account Auditing.
Since the death of the deceased, nobody has operated in this account till date. Moreover, this account has NO BENEFICIARY attached to it. Definitely, this fund will be confiscated by our BANKING CODE OF ETHICS if it remains dormant for a period of [10] year without any claims. In this regard, I earnestly need your full cooperation in transferring this money out of our bank to avoid our bank confiscating this fund.
HOW THE TRANSACTION CAN BE HANDLED: As the group finance director of our bank, all our client account details and file are in my possession and that makes it easy for me to include your name as the beneficiary of the fund in all necessary documents involving the money we wish to transfer out from our bank.
Most importantly, you will be required to: (1). Act as the original beneficiary of the funds. (2). Receive the funds into a business/private bank account. (3). At the completion of this transaction, the sharing rates shall be 50% for me while 50% for you.
Note: I will split the transfer into two 2 stages for easy and smooth transfer. Firstly, the sum of $80,000,000.00 will transfer to any valid foreign account you will nominate, then upon a successful transfer without any disappointment from our side; I will then fly to meet you in your home destination for sharing, thereafter we will jointly transfer the remaining balance of $5,000,000.00. I will also like us to invest some part of the money in your country.
If you accept to work with me, you will be given 50% of the total money as your share and 50%. So the main question is, will you partner me in this transaction. If you are willing to cooperate in this project, then get back to me on my private email address [email protected] view my identification link:
http://www.lloydsbankinggroup.com/about_us/directors/executive_directors.asp#timtookey
I AWAIT YOUR URGENT REPLY.
Yours Truly, Mr. Tim J W Tookey
INTERNET ACCESS POLICY
Internet Policy
Objective:- Utilize technology for better productivity
The use of internet by company employees is permitted & encouraged where such use is suitable for business purpose & supports the goals & objectives of the company by
Providing internet access to all computer users
No time based restriction
Objective:- Avoid information leakage
By restricting
Social networking sites
Instant messaging
Personal network storage & backup sites
Publishing/disclosing any business sensitive information on personal websites/portals/blogs/social networking sites
Internet Policy
Objective:- Avoid legal action by
Ethnic & racial harassment, abuse, etc. is strictly prohibited
Restricting Internet access only to acceptable categories of websites & content
Monitoring internet use from all computers & devices connected to the BIAL network
Logging internet access details and retaining them for forensic purposes
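The internet policy on the two slides above comes down to three mechanisms: block restricted categories (social networking, instant messaging, personal storage), allow access that is suitable for business, and log every decision so the records are still there for an investigation. The following is an added example written for this page, not BIAL's own proxy configuration or tooling: the category map, the log lines and the 180-day retention period are constructed for illustration, and a real proxy would take its categories from a vendor feed.

```python
"""Web-proxy policy check over constructed access-log lines (added example)."""
from datetime import datetime, timedelta

# Constructed category map; a real deployment uses a category feed.
CATEGORIES = {
    "social.example": "social_networking",
    "chat.example": "instant_messaging",
    "drive.example": "personal_storage",
    "news.example": "news",
    "intranet.corp.example": "business",
}
# The deck's restricted categories.
RESTRICTED = {"social_networking", "instant_messaging", "personal_storage"}
# Assumed retention window for forensic use; the deck gives no figure.
RETENTION_DAYS = 180

# Constructed log lines: timestamp user client_ip host
SAMPLE_LOG = """\
2012-01-02T09:01:10 alice 10.0.0.12 intranet.corp.example
2012-01-02T09:03:44 alice 10.0.0.12 social.example
2012-01-02T09:05:02 bob 10.0.0.27 drive.example
2012-01-02T09:06:30 bob 10.0.0.27 news.example
2012-01-02T09:07:15 carol 10.0.0.31 unknown.example
"""


def categorise(host):
    return CATEGORIES.get(host, "uncategorised")


def decide(host):
    # Uncategorised sites are allowed but still logged; change this to
    # "block" for an allow-list policy that only permits known categories.
    return "block" if categorise(host) in RESTRICTED else "allow"


def parse_line(line):
    ts, user, ip, host = line.split()
    return {"time": datetime.fromisoformat(ts), "user": user, "ip": ip, "host": host}


def apply_policy(log_text):
    """Return one record per log line with the category and the policy decision attached."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        rec["category"] = categorise(rec["host"])
        rec["action"] = decide(rec["host"])
        records.append(rec)
    return records


def blocked_by_user(records):
    """Count of blocked requests per user, the figure a monitoring report would show."""
    counts = {}
    for r in records:
        if r["action"] == "block":
            counts[r["user"]] = counts.get(r["user"], 0) + 1
    return counts


def within_retention(records, now_iso):
    """Records still inside the retention window, i.e. available to an investigation."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=RETENTION_DAYS)
    return [r for r in records if r["time"] >= cutoff]


if __name__ == "__main__":
    recs = apply_policy(SAMPLE_LOG)
    for r in recs:
        print(r["time"], r["user"], r["host"], r["category"], r["action"])
    print(blocked_by_user(recs))
```

Every request is recorded whether it was allowed or blocked; a log that only keeps blocked requests cannot answer the forensic question of what an account actually reached.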
Phishing
Sample Phishing email
Sample Phishing email
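The hoax and scam samples earlier in the deck and the phishing samples in this section share recognisable traits: a push to forward or to act quickly, large sums of money, a request to reply to a private address or to confirm account details, and links whose domain does not match the sender's. The following scorer is an added example written for this page, not a tool from the deck or from BIAL; the indicator patterns, the weights, the threshold and all four sample messages (with reserved `.example` addresses) are constructed here, and the scam sample paraphrases the deck's own text. A score is a triage aid for awareness, not a verdict.

```python
"""Heuristic scorer for chain-mail hoaxes, advance-fee scams and phishing (added example)."""
import re
from urllib.parse import urlparse

# (regex, weight, reason) - constructed indicators, case-insensitive.
INDICATORS = [
    (r"\bforward (this|it)\b", 2, "asks you to forward it to others (chain mail)"),
    (r"\b(urgent|immediately|before .* is over|within \d+ hours|await your urgent reply)\b",
     2, "pressure to act quickly"),
    (r"\$\s?\d[\d,]*(\.\d\d)?", 1, "mentions sums of money"),
    (r"\b(million|beneficiary|dormant account|next of kin)\b", 2, "advance-fee scam vocabulary"),
    (r"\b(verify|confirm|update) your (account|password|details)\b", 3, "asks you to confirm credentials"),
    (r"\b(private|personal) e-?mail\b", 2, "asks for a reply to a private address"),
    (r"[!?]{3,}", 1, "excessive punctuation"),
]
URL_RE = re.compile(r"https?://[^\s<>\"]+")
SUSPICIOUS_THRESHOLD = 4  # assumed cut-off


def registrable_domain(host):
    # Crude: the last two DNS labels. Real code would use the public suffix list.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def sender_domain(from_addr):
    return registrable_domain(from_addr.rsplit("@", 1)[-1])


def score_message(msg):
    """Return (score, reasons) for a dict with 'from', 'subject' and 'body'."""
    text = f"{msg['subject']}\n{msg['body']}"
    score, reasons = 0, []
    for pattern, weight, reason in INDICATORS:
        if re.search(pattern, text, re.IGNORECASE):
            score += weight
            reasons.append(reason)
    sender = sender_domain(msg["from"])
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if host and registrable_domain(host) != sender:
            score += 3
            reasons.append(f"link to {host} does not match sender domain {sender}")
            break
    return score, reasons


def classify(msg):
    return "suspicious" if score_message(msg)[0] >= SUSPICIOUS_THRESHOLD else "ok"


# Constructed samples; the scam one paraphrases the deck's sample email.
SAMPLES = {
    "hoax": {"from": "friend@freemail.example", "subject": "FW: PLEEEEEASE READ!!!!",
             "body": "Bill Gates is sharing his fortune. For every person that you forward this "
                     "e-mail to, Microsoft will pay you $245.00. Please forward this to as many "
                     "people as possible. You need to respond before the beta testing is over."},
    "scam": {"from": "finance-director@freemail.example", "subject": "Good day",
             "body": "I personally discovered a dormant account with a total sum of "
                     "$85,000,000.00 which has NO BENEFICIARY. Get back to me on my private "
                     "email address and view my identification link: "
                     "http://www.lloydsbankinggroup.com/about_us/directors/executive_directors.asp "
                     "I AWAIT YOUR URGENT REPLY."},
    "phish": {"from": "it-helpdesk@corp.example", "subject": "Mailbox over quota",
              "body": "Please confirm your account details within 24 hours at "
                      "http://webmail-login.example.net/verify or access will be suspended."},
    "memo": {"from": "security-team@corp.example", "subject": "Awareness session",
             "body": "Reminder: the quarterly security awareness session is on Friday at 10:00 "
                     "in the training room. Slides will be on the intranet at "
                     "http://intranet.corp.example/awareness afterwards."},
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        score, reasons = score_message(msg)
        print(f"{name}: {classify(msg)} (score {score})")
        for r in reasons:
            print("   -", r)
```

The domain comparison is the indicator users find hardest to judge by eye and the one mail gateways can check mechanically; the keyword patterns mirror what the awareness slides teach people to notice.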
PHYSICAL & ENVIRONMENTAL SECURITY POLICY