SPEM Information Security Committee Material
INTERNAL USED ONLY

Page 1: Information Security Awareness Training

Page 2: Content

1. Introduction
- Objective of this training
- Introduction to information security

2. Security Framework
- Security Policy
- Security Organization

3. Security Requirements
- Asset classification & control
- Physical & environment security
- Communications & operation mgmt
- Access control
- Compliance
- Personnel security

4. Security Tips

Page 3: Content (agenda repeated; current section: 1. Introduction - Objective of this training)

Page 4: Objective

To create general security awareness amongst staff and achieve a high level of compliance in meeting the requirements stated in the information security policies.

Page 5: Content (agenda repeated; current section: 1. Introduction - Introduction to information security)

Page 6: What is Information?

“Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected”

Types of Information
• Customer - customer sales data
• Internal - pricing
• Public - news content
• Shared - knowledge management

Forms of Information
• Transmitted electronically - email
• Stored electronically - database
• Verbal - spoken
• Printed - fax, documents

Page 7: What is Information Security?

C-I-A:

1. Confidentiality
Ensuring that information is accessible only to those authorized to have access

2. Integrity
Ensuring the accuracy and completeness of information

3. Availability
Ensuring that authorized users have access to information

Page 8: Importance of Information Security

1. Protect information assets
2. Maintain competitive edge
3. Ensure legal compliance
4. Protect company’s image
5. Identify security threats

Page 9: Security-related THREATS

[Diagram of where threats arise. In the office: desktop PC, SEN System, DataBase, Website, with employees and partners. Out of office: mobile PC, private PC, lost PC, the Internet. Threats shown: environmental threat, disaster, equipment failure, theft, theft of information, theft of software, virus, data corruption, inaccurate information, unauthorised access, disclosure of confidential data, information leakage, web page defaced.]

Page 10: Types of Personal Information Leakage (JP)

[Two pie charts, Cause and Route; resource: NPO Japan Network Security Association, 2005 data. Annotation on the slide: “Increase of Non-IS cause”.]

Cause (labels shown): Loss/Misplacement 42.1%, Theft 25.5%, Operational Error 12.4%, Administration Error 12.4%, Unauthorized Information Removal 3.3%, Non-Intended Use 1.9%, Unauthorized Access 1.4%, Internal Crime / Internal Fraud 1.4%, Configuration Error 1.2%, Worms/Viruses 1.1%, Bug/Security Hole 0.9%

Route (labels shown): Paper Document 49.9%, PC 16.8%, Removable Media 15.7%, Email 6.6%, Internet/Web 6.4%

Page 11: AP Information Security Incident Statistics

[Bar chart, reconstructed as a table; counts of incidents per fiscal year]

Incident type            FY05  FY06  FY07*
Mobile Phone Lost           0     3     2
PIM mishandling             1     1     0
Operational error           2     0     0
RAS Token Lost              2     0     2
Virus                       2     0     0
Website / Email             3     3     1
Notebook Lost Inside        1     2     2
Notebook Lost Outside       4     4     9

* FY07 data as at 19 Feb 08

Page 12: Content (agenda repeated; current section: 2. Security Framework - Security Policy)

Page 13: Group Information Security Policy

The purpose of the Global Information Security Policy (GISP) and the Global Information Security Standards (GISS) based on this Policy is as follows:

· Clearly define the authorities and responsibilities relating to Sony Group’s Information Security.
· Clearly define overall direction and policy regarding Sony Group’s Information Security.
· Establish Sony Group’s Information Security Management System in accordance with the requirements set forth for the ISMS in the British Standard (BS) 7799: 2005.
· Establish Sony Group’s Information Security Management System to secure compliance with the requirements set forth in the Sony Group Code of Conduct.

Page 14: GISP 3.0 / GISS 1.0 Structure

Global Information Security Policy Statement
- Commitment of CEO to Sony Group’s Information Security

Global Information Security Policy (GISP) (13 Sections)
- Policies regarding Information Security common to Sony Group
(1) Structure of Sony Group’s Information Security Management System: Chapter 1: Introduction, Chapter 2: Scope, Chapter 3: Classes of Sony Information Security Policy, Chapter 4: 4.1 Sony Group Information Security Management System
(2) Basic policy regarding each security requirement: Chapter 4: 4.2 External parties, Chapter 5: Asset management, Chapter 6: Human resources security, Chapter 7: Physical and environmental security, Chapter 8: Communications and operations management, Chapter 9: Access control, Chapter 10: Information systems acquisition, development and maintenance, Chapter 11: Information security incident management, Chapter 12: Business continuity management, Chapter 13: Compliance

Global Information Security Standard (GISS) (8 Standards documents)
- Detailed rules (minimum security requirements) implementing the GISP
- IS: Access control, Network management, Development & maintenance, etc.
- Workplace Solutions: Physical security, etc.
- Human Resources: Human resources security, etc.

Source: GISP 3.0

Page 15: Global Information Security Policy

[Image slide; no extractable text]

Page 16: Content (agenda repeated; current section: 2. Security Framework - Security Organization)

Page 17: Information Security / PIM Organization (last updated: 27 Feb 07)

[Organization chart. Top: CEO/ECEO with Seligman (GGC), Fujita (SVP), Kirihara (SVP), Hasejima (CIO), Oneda (CFO), Hara (SVP). Below: Information Security Committee; SGS Inc. Security Mgt. Dept. (ISM Gp., PIM Gp.); HQ functions IS, HR, WS, Legal, CC (function wise, global network); RISO/OCISO for each Region/Business Domain and each Gp. Company (Legal, HR, WS, IS, ISM/PIM, ISMS, Hub); BT/IS Center Security Management Office (Legal, HR, WS, IS, ISM, PIM).]

Objectives
1) To integrate Information Security and PIM activities.
2) To integrate HR, Facility, IS, CC & Legal functions to cooperate with Information Security and PIM related issues.

Global Security Office - Head: F.Sakai; CWS: T.Aoki, A.Igarashi; HR: K.Taniguchi; Legal: M.Kudo; IS: F.Sakai; PIM: T.Waga; ISM: M.Shigenari; CC: TBC

Security Management Dept. - Head: S.Lee; PIM: T.Waga; ISM: M.Shigenari

AP Regional Information Security Committee Management Office - RISO: A. Komatsu; Head: A. Komatsu; WS: N. Yamada; HR: T. Seki; Legal: K. Yoshikawa; IS: A. Komatsu; PIM*: Lim SB; Staff: Teo SY; CC: Audrey Mok (*only for sales & marketing companies)

Page 18: SPEM Information Security Organization (last update 7th May ’09)

[Organization chart. Managing Director; ISO; Advisors: Ikeno, Uchiyama; Information Security Committee; Division Information Security Representatives. Divisions shown: IS, HR/Personnel, HR/Security, PF Prod, ME, Procurement, BA, ESHQA. Names shown: CWLee; Norii, Zammani; Rusila Jamalul; David; Kuldeep; Siva; Azian, Afifi, Sree; Fazli/Hasnida; Goh, Kamal, Azizah; Robiza; Chiang/Ratna; Kanna.]

Information Security Committee: To plan security activities, set policy and procedure and execute them based on GISP & GISS

Division Information Security Representative: To implement and comply within the respective division

Page 19: Content (agenda repeated; current section: 3. Security Requirements - Asset classification & control)

Page 20: What are the Types of Assets?

• Information
• Software
• People
• Paper
• Physical
• Service
• Company’s image & reputation

Page 21: Information Classification

Why do we need information classification?
Information that falls into unauthorized hands can be damaging to both SONY and our customers.

What needs to be classified?
Physical
- Printed - documents, invoices
- Hardware - media, diskette/tape
Electronic
- Computer data, e-mail

Who should classify the information? The owner of the information.

Page 22: Information Classification

1) SECRET: the most important and sensitive information. Personnel who are allowed to access this kind of information must be strictly examined and limited to those with a need for access.
Example: Passwords

2) CONFIDENTIAL: important and sensitive information. Personnel who are allowed to access this kind of information must be those whose duties justify a need-to-know.
Example: Management information, business plans, midterm plans, production management and procurement information

3) INTERNAL USE ONLY: information that is widely disclosed internally. All personnel may access this kind of information, but must not disclose or disseminate it to any third party outside the Sony Group.
Example: Company newsletter, employee rules, policies, guidelines, manuals, employee training information and resources, and so on

Page 23: Inventory List samples

[Sample forms: Inventory List - “SECRET”; Inventory List - CONFIDENTIAL. Form IDs shown: AD-F040, AD-F039]

Page 24: Baseline Sample

[Sample form image; no extractable text]

Page 25: Sample - SPEM Information Security Incident Report Form

[Sample form; Form No. AD-F032; Revision No. blank; labelled CONFIDENTIAL]
(Form is to be used when reporting a possible virus, hacker attack, DoS attacks, fraud or other security incidents)

PERSON REPORTING THE INCIDENT: Name / Date/Time / Signature

This form is filled up by: Report Person, Division Manager, Info. Sec. Officer (Name) (Date/Time) (Signature)

* Please submit additional documents for explanation if required

Guideline - Labeling
• Font Type: ARIAL
• Font Size: 10
• Font Style: Bold
• Area: Preferably bottom center of the content page

Page 26: What Is Personal Information?

Personal Information by classification

Customer Information
- Secret: Social security numbers, credit card numbers, driver’s license numbers, bank account numbers, passwords, etc.
- Confidential: Names, addresses, phone numbers, e-mail addresses, age, date of birth, gender, marital status, salary, assets, etc.
- Internal Use Only: (blank)

Employee Information
- Secret: Philosophy, creed, religion, etc. Information that could lead to discrimination. Group activities, health condition, medical information, etc.
- Confidential: Basic employee information, plus the following information: family information, date of birth, work history, home address/phone number/e-mail address, salary, position, etc.
- Internal Use Only: Basic employee information (names, division names, company phone numbers/fax numbers, company e-mail address, global ID)

Business Partner Employee Information
- Secret: (blank)
- Confidential: Basic information about business partner employees, plus the following information: home (or mobile) phone numbers and other private information
- Internal Use Only: Basic information about business partner employees (names, company phone numbers/fax numbers, employee job titles)

Also shown on the slide: Survey answers, etc.; Emergency contact network, etc.; Business cards; E-mail addresses; Etc.

At Sony, a person’s name, address, phone number, e-mail address, etc., are personally identifying information, and if any of these are included, the whole piece of information is considered personal information. Moreover, even credit card numbers, bank account numbers, gender, date of birth, age, usage history and preference data for products and services, and other information that alone could not identify a person is grouped with personally identifying information and treated as personal information. The scope of personal information is the same for customers, employees of business partners, and Sony employees.

Page 27: Handling Of Personal Information

Confidence in Sony - PERSONAL INFORMATION

Key Points on “Basic Principles”

• When collecting information, you must inform the individual, such as a customer, of the purposes of use of the Personal Information, obtain their consent to do so, and collect only the necessary information.
• The Personal Information must be used and disclosed within the scope to which a customer has consented.
• Thoroughly implement appropriate security measures for all handling processes, from collection to disposal.
• When disclosing the collected Personal Information to a subcontractor, either inside or outside the Sony Group, take sufficient measures to manage those subcontractors.

Page 28: Content (agenda repeated; current section: 3. Security Requirements - Physical & environment security)

Page 29: Office Security

General Office Area
• All staff shall wear the identification pass at all times while in office premises
• Identification pass/access card is not transferable.
• Staff shall report loss of identification pass and access card to HR immediately

Page 30: Visitors / Contract Staff

• Staff shall ensure that only authorized persons are allowed access to the office premises
• Staff shall ensure that their visitors get a visitor pass before gaining entry to office premises, and they should be escorted
• Challenge unknown visitors
• Contract and temporary staff physical access & logical access profiles are restricted

Page 31: Equipment Security - Off-premise

• Equipment and media taken off-premises must not be left unattended. Eg: Portable computers should be carried as hand luggage and disguised where possible during travel
• Equipment used during seminars, conferences and exhibitions should be chained and locked

Page 32: Equipment Security

Handling procedure
• Prior approval from superior is to be obtained before all movements of equipment and software outside the office premises
• Sensitive data should be removed from equipment sent for servicing
• Media containing sensitive information should be disposed of securely (physically destroy it)

Page 33: Clear Screen Policy

• Activate the password-protected screen saver
• Recommended waiting time = 10 mins

Page 34: Clear Desk Policy

• Do not leave sensitive documents unattended and secure them with lock and key
• When printing sensitive documents, collect the printouts immediately
• Photocopying of sensitive documents must always be attended, and staff must clear the photocopier of all documents after photocopying

Page 35: Content (agenda repeated; current section: 3. Security Requirements - Communications & operation mgmt)

Page 36: Controls against Malicious Software

• Ensure anti-virus software is installed
• Do not disable the anti-virus software
• Follow instructions sent by the LAN Admin for anti-virus update and patch installation

DO NOT IGNORE SUCH INSTRUCTIONS
CONTACT HELPDESK/MIS FOR ASSISTANCE

This is to protect your PC's content and to prevent data loss

Page 37: Use of Standard PC...1

To a certain extent, the internal network is protected from unauthorized access and attacks from the Internet.

However, if even one PC has a decreased level of security due to overconfidence in the network’s safety, it becomes a loophole that can expose the network and every PC connected to it to the following dangers:

INFORMATION LEAKAGE
VIRUS INFECTION
UNAUTHORIZED ACCESS

Page 38: Use of Standard PC...2

The following security measures are applied to standard PCs to keep the security level in top condition at all times. They also include the necessary software (Microsoft Office, etc.) for smooth deployment of B2E services.

Standard PC - SONY VAIO

Security measures applied to standard PCs:
• Windows XP Professional operating system
• Symantec Antivirus software
• SMS Tools software to enable automatic distribution of the latest security patches from “Client Security Management Services.”

1. USE A “SONY STANDARD PC” WITH APPLIED SECURITY MEASURES.

Page 39: Use of Standard PC...3

As private PCs are not guaranteed to have the proper security measures, they pose a high risk as sources of virus epidemics and information leakage by virus infection. They can also become breeding grounds for fraudulent acts.

a. Do not connect a non-company PC, such as a private PC, to the internal network.
b. Do not work on a private PC by taking information home on external recording media or by e-mail.

2. DO NOT USE A “PRIVATE PC” OR A “NON-COMPANY PC”

Page 40: Use & Governance of Company’s Electronic Mail & Internet Access

• Electronic mail and Internet access are made available to staff to assist them in performing their work more effectively and efficiently
• Any incidental use of email and Internet access for personal purposes is acceptable provided it does not detrimentally affect employee productivity, disrupt the systems or cause harm to the company’s reputation or business operations
• All emails and related system resources are the property of the company
• The company reserves the right to inspect, monitor, log, track or disclose email or Internet access activities

Page 41: Use & Governance of Company’s Electronic Mail & Internet Access

Responsibility of Staff in Email Usage
• Should not use email to distribute hoaxes, chain letters, advertisements, rude, obscene, slanderous or harassing messages
• Broadcasting of unsolicited views on social, political, religious or other non-business related matters is prohibited
• Should not use email to propagate viruses knowingly or maliciously
• Attempting to interfere with another’s email account or engaging in harassment, whether through language, frequency or size of messages, is prohibited

Page 42: Use & Governance of Company’s Electronic Mail & Internet Access

Responsibility of Staff in Internet Usage
• Participation in Internet/Web based conferences, newsgroups, bulletin boards, email list servers or other electronic forums must have prior approval from the Division Head level.
• Use of public tools such as MSN, Skype and instant messengers is not allowed.
• Must not access, download or distribute content that: is in breach of the law; may cause offence to others; may incite violence.
• Software may not be downloaded from the Internet without prior approval of the Div/Dept Head.

Page 43: Information Exchange...1

Voice
• Exercise care when disclosing or discussing classified information over the phone
• Ensure that the audience present at both ends is authorized to receive the information being discussed during 3-way teleconferencing
• Ensure that you do not access your mail box in the presence of others when using a display phone
• Should not access your voicemail with the phone speaker on

Page 44: Information Exchange...2

Fax
When faxing sensitive documents, staff must ensure that:
• the manual fax function is used to fax out
• prior arrangement is made so that the recipient can collect the document immediately
• all documents are cleared from the fax machine before leaving

Video Conferencing
Staff hosting a video conference shall ensure that the audience present at both ends is authorized to receive any classified information that is being disclosed or discussed.

Page 45: Content (agenda repeated; current section: 3. Security Requirements - Access control)

Page 46: Password Management

Password
1. Use min. 6 characters
2. Use both letters and numbers
3. Use both upper and lower case
4. Use special characters
5. Use simple passwords, so that they can be memorized easily without writing them down and typed quickly and smoothly without looking at the keyboard
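As an added example, not part of the SPEM deck, rules 1-4 of this slide as a checker that reports every rule a candidate fails rather than stopping at the first; rule 5 is a human judgement and is not checked. Function and constant names are the example's own.

```python
"""Added example: checking a candidate password against rules 1-4 of the
SPEM Password Management slide. Rule 5 (pick something you can memorise
without writing it down) is a human judgement and is not checked here.
Function and constant names are this example's own, not SPEM's.
"""
import string
from typing import Callable, Dict, List, Tuple

MIN_LENGTH = 6  # rule 1: "Use min. 6 characters"

# Rule number -> (wording from the slide, predicate that is True when met).
RULES: Dict[int, Tuple[str, Callable[[str], bool]]] = {
    1: ("use min. 6 characters",
        lambda pw: len(pw) >= MIN_LENGTH),
    2: ("use both letters and numbers",
        lambda pw: any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)),
    3: ("use both upper and lower case",
        lambda pw: any(c.isupper() for c in pw) and any(c.islower() for c in pw)),
    4: ("use special characters",
        lambda pw: any(c in string.punctuation for c in pw)),
}


def failed_rules(password: str) -> List[int]:
    """Return the numbers of every slide rule the password does not meet.

    All rules are evaluated rather than stopping at the first failure, so a
    user can fix everything in one attempt.
    """
    return [num for num, (_, met) in RULES.items() if not met(password)]


def is_compliant(password: str) -> bool:
    """True when rules 1-4 are all satisfied."""
    return not failed_rules(password)


def explain(password: str) -> str:
    """Verdict text for an enrolment form or helpdesk script.

    The candidate password is deliberately never echoed, so the verdict is
    safe to write to a log.
    """
    failures = failed_rules(password)
    if not failures:
        return "OK: password meets rules 1-4"
    problems = "; ".join(f"rule {n}: {RULES[n][0]}" for n in failures)
    return f"REJECTED ({len(failures)} rule(s) not met): {problems}"


if __name__ == "__main__":
    # Constructed sample candidates for demonstration only.
    for candidate in ("sony", "password", "Password1", "P4ss!word"):
        print(explain(candidate))
```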

Page 47: Password Management

User’s Responsibilities
1. Do not disclose User ID and password
2. Do not keep a paper record of passwords, unless this can be stored securely
3. Change password whenever there is any indication of possible compromise
4. Change the password periodically

Page 48: Mobile Computing...1

Usage of Mobile Computers
• Mobile computers shall not be left unattended in insecure locations, and should be locked away where possible
• Do not leave mobile computers in your vehicles
• Hand carry mobile computers during travel
• Backup your data regularly
• Do not allow unauthorized persons to use your mobile computers

Page 49: Mobile Computing...2

User’s Responsibilities
• If the mobile device is unattended during remote access, discontinue remote access or render it unusable by others
• Do not keep mobile computer and token or password together
• Loss, damage and vandalism to mobile computers and equipment must be reported to HR immediately

Page 50: Content (agenda repeated; current section: 3. Security Requirements - Compliance)

Page 51: Copyright Act

1. Only licensed software shall be used for business activities within the organization
2. Staff who install any unlicensed software shall be held fully responsible for any copyright infringement
3. Software that is installed for a trial run shall be removed from the system when the trial run period is over

Page 52: Content (agenda repeated; current section: 3. Security Requirements - Personnel security)

Page 53: SPEM Information Security Committee Material


Staff Responsibilities

• Staff shall be responsible to uphold security in the company

• to abide by the company security policy

• to ensure security is not compromised while performing their job

• to observe utmost confidentiality of all information learned and/or received

• to abide by the applicable legislation, e.g. intellectual property rights, copyrights

• to report any security incidents or weaknesses

Any violation of policy or security breach will result in disciplinary action against staff.

Page 54: SPEM Information Security Committee Material


Reporting Security Incident

What is a Security Incident?

IT-Related

• An adverse event or situation associated with information systems. Eg: unauthorized access, website defacement, network probing..

• Any event that could result in loss or damage to assets. Eg: malicious code, viruses, use of system privileges without authorization..

Non-IT Related

• An action that would be in breach of organization security policies or procedures. Eg: improper handling or disclosure of classified documents, vandalism..

Page 55: SPEM Information Security Committee Material


SPEM Information Security Incident Report Flow

Eg. 1. Leakage of secret information

2. Loss or theft of information asset

3. Unauthorized access to the information assets

(Flowchart; nodes as extracted from the slide:) Incident occurred; Class 1 or 2? YES; Fill Up SPEM Security Incident Form; Division Manager Approval; Division Information Security Representative; SPEM Information Security Officer; SPEM Information Security Committee; SPEM Managing Director / Director; RISMO; Regional Security Incident Form

Incident Classification Chart

Page 56: SPEM Information Security Committee Material


Information Security Incident Form (SPEM CONFIDENTIAL)

INFORMATION SECURITY INCIDENT REPORT FORM

(Form is to be used when reporting a possible virus, hacker attack, DoS attacks, fraud or other security incidents)

PERSON REPORTING THE INCIDENT:

Date: Time:

Name:

Designation: Email Address: Phone Number: Extension Number:

Fax Number: GID:

Location of incident:

How was the incident detected?

When was it detected? Date and Time

INCIDENT CATEGORY:

• Leakage of classified information

• Loss or theft of information assets

• Theft of source of programming code

• Unauthorized access to the information assets of Sony Group (incl. website defacement)

• Probe/Scan/Unauthorized electronic monitoring (sniffers)

• Malicious code / virus (incl. worms and Trojans)

• DoS (Denial of Service)

• Misuse of information assets of Sony Group by employee

• Human errors by employee resulting in classified information disclosure

• Legal and regulatory violations / antisocial conduct by employee

• Cyber crime (phishing, identity theft, telecom and/or financial fraud, etc.) (pls. describe)

• Other Info. Sec. concerns, please describe:

This form is filled up by: Report Person / Division Manager / Info. Sec. Officer

Name:

Date/Time:

Signature

Division/Department:

(Name) (Date/Time) (Signature)

* Please submit additional documents for explanation if required

Please get the Information Security Incident Form at Lotus Notes [IS ApproveForm] [Form No: F032]

Page 57: SPEM Information Security Committee Material

Security Tips

Page 58: SPEM Information Security Committee Material


Security Tips: Password Management

Use Letters, Numbers and Special Characters

Um!bre1a

H@t4you

ra1nCo@t

Page 59: SPEM Information Security Committee Material


Phrases: Use the first letter of each word in a phrase or sentence.

Phrase1 : Happy New Year 2003 !

Password : Hny2003!

Phrase2 : Gong Xi Fa Cai 2003

Password : Gxfc2003

Security Tips: Password Management

Page 60: SPEM Information Security Committee Material


Compound Words: Misspell compound words to construct a strong password

Compound Word : Deadbolt

Password : Dea&bowlt8

Compound Word : Seashore

Password : See@sh0rr

Security Tips: Password Management

Page 61: SPEM Information Security Committee Material


Dumpster Divers hope to get sensitive information

Shred sensitive documents

Disappoint them!!!

Security Tips: Social Engineering Tips

Page 62: SPEM Information Security Committee Material


Never, Ever give Private or Company information to unknown people

Do not fall for Social Engineers

They will say anything to get

valuable information

Hello, I am from helpdesk, I need your password

What is your name?

Security Tips: Social Engineering Tips

Page 63: SPEM Information Security Committee Material


Do not discuss company or customer information in public

Social engineers are listening to you

Security Tips: Social Engineering Tips

Page 64: SPEM Information Security Committee Material


Do not allow Piggybacking

Use your own access card to enter secure areas

Security Tips: Office Security

Page 65: SPEM Information Security Committee Material


You can’t unring a bell

The best way to protect sensitive information is not to share it

Security Tips: Information Handling

Page 66: SPEM Information Security Committee Material


Handle personal information with care

We all value privacy

Security Tips: Information Handling

Page 67: SPEM Information Security Committee Material


Taking a break…?

Lock your computer, when not in use

Use password protected screen savers

Security Tips: Clear Screen Policy

Page 68: SPEM Information Security Committee Material


Do not leave sensitive documents unattended on your desk

Security Tips: Clear Desk Policy

Page 69: SPEM Information Security Committee Material


Know who belongs in your environment

Challenge and escort unknown visitors

NATURE of SECURITY

Page 70: SPEM Information Security Committee Material


There’s always free cheese in a mousetrap

Exercise caution when downloading/launching any files from the Internet/email

Security Tips: Internet/ E-mail Security

Page 71: SPEM Information Security Committee Material


Do not open the e-mail if the source is unknown

Received an Anonymous E-mail..?

Security Tips: E-mail Security

Page 72: SPEM Information Security Committee Material


Delete chain e-mail – do not forward or reply to someone, as it is considered mail spamming and it increases mail traffic

Security Tips: E-mail Security

Page 73: SPEM Information Security Committee Material


Delete hoax virus e-mail – call the Helpdesk (IS) and log an incident if you are in doubt

Report if a virus is suspected

Security Tips: Virus Handling

Page 74: SPEM Information Security Committee Material


Do not leave your laptop unattended when you travel

Security Tips: Mobile Security

Page 75: SPEM Information Security Committee Material


Security Tips: Mobile Security

Did you protect your laptop before going home?

Lock your laptop, or secure it inside a locked cabinet

Page 76: SPEM Information Security Committee Material


THE END

Page 77: SPEM Information Security Committee Material


Title: Information Security Quiz

Name : _________________________

Emp ID : _________________________

Div/Dept : _________________________

Date : _________________________

Important: To pass the quiz, you need to obtain 9 or more correct answers. Please answer all the questions.

1 What are the 3 information classifications used in Sony?

(I) SECRET

(II) CONFIDENTIAL

(III) INTERNAL USE ONLY

(IV) IMPORTANT

A. (I), (II) & (III)

B. (I) only

C. (II) only

D. (I), (II), (III) & (IV)

2 Which of the following rules is NOT correct for password handling?

A. Do not write down your password

B. Use 'Remember password (auto complete)' function so that you need not remember the password

C. Ensure that no one is looking over your shoulder when you are entering your password

D. Change your password if it has been revealed to others

Page 78: SPEM Information Security Committee Material


3 Which of the following rules is NOT correct for handling of external recording media with classified information?

A. Personal recording media can be used to store company information

B. Store external recording media under lock and key at your workplace

C. Immediately after using an external recording media, completely delete all information on it

4 Non-company computers should not be connected to the Sony internal network.

A. TRUE

B. FALSE

5 The rules of using emails in the office include:

(I) Do not set your company e-mail address to automatically forward incoming e-mail to a different address outside the company.

(II) Refrain from sending e-mails to external mailing lists.

(III) Password-protect e-mail attachment with confidential information, and send the password in a separate mail.

A. (I) only

B. (II) & (III)

C. (I), (II) & (III)

Title: Information Security Quiz

Page 79: SPEM Information Security Committee Material


6 If an information security incident occurs or you suspect one has, you should promptly report it to:

A. the Managing Director of the company you are in

B. your superior & to the Information Security Representative

C. no one, and ignore the occurrence of the incident or suppress your suspicion

7 What are the security measures you must take to protect your PC or notebook from viruses?

(I) Do not install software unnecessary to your work

(II) Do not view suspicious websites or download suspicious files

(III) Leave the real-time virus scanning function turned ON

A. (I) only

B. (II) only

C. (II) & (III)

D. (I), (II) & (III)

8 When leaving your PC unattended:

(I) Lock your computer (e.g. press control, Alt & Delete)

(II) Enable password protected screen saver

A. (I) only

B. (II) only

C. (I) & (II)

Title: Information Security Quiz

Page 80: SPEM Information Security Committee Material


9 How do you handle classified documents?

(I) Store SECRET & CONFIDENTIAL documents in a locked cabinet

(II) Completely dispose of classified documents with an unrecoverable method (e.g. shredding)

(III) Do not let documents out of your possession when taking them outside the company for business purpose

(IV) Leave CONFIDENTIAL documents unattended on your desk when going home

A. (I) only

B. (I), (II) & (III)

C. (II) & (III)

D. (I), (II), (III) & (IV)

10 What are the rules regarding In-house Internet Access?

(I) Do not view bulletin boards, etc., that are unrelated to work

(II) Do not access sites that are unrelated to work

(III) Do not use free e-mail, instant messenger, or web chat services on your work PC

A. (I) only

B. (II) only

C. (II) & (III)

D. (I), (II) & (III)

Title: Information Security Quiz
