INTERNAL USED ONLY1
Information Security Awareness Training
Content
1. Introduction
- Objective of this training
- Introduction to information security
2. Security Framework
- Security Policy
- Security Organization
3. Security Requirements
- Asset classification & control
- Physical & environment security
- Communications & operation mgmt
- Access control
- Compliance
- Personnel security
4. Security Tips
Objective
To create general security awareness amongst staff and achieve a high level of compliance in meeting the requirements stated in information security policies.
What is Information?
“Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected”
Types of Information
• Customer - customer sales data
• Internal - pricing
• Public - news content
• Shared - knowledge management
Forms of Information
• Transmitted electronically - email
• Stored electronically - database
• Verbal - spoken
• Printed - fax, documents
What is Information Security?
C I A
1. Confidentiality
Ensuring that information is accessible only to those authorized to have access
2. Integrity
Ensuring the accuracy and completeness of information
3. Availability
Ensuring that authorized users have access to information
Importance of Information Security
1. Protect information assets
2. Maintain competitive edge
3. Ensure legal compliance
4. Protect company’s image
5. Identify security threats
Security-related THREATS
(Diagram of threats by location. Out of office: Mobile PC, Private PC, Lost PC, Internet. Office: Desktop PC, Employee, Partner, SEN System, Database, Website. Threats shown: environmental threat, theft of information, virus, data corruption, disclosure of confidential data, theft of software, equipment failure, inaccurate information, unauthorised access, theft, disaster, information leakage, web page defaced.)
Types of Personal Information Leakage (JP)
(Resource: NPO Japan Network Security Association, data in 2005)
Cause:
- Loss/Misplacement 42.1%
- Theft 25.5%
- Operational Error 12.4%
- Administration Error 12.4%
- Unauthorized Information Removal 3.3%
- Non-Intended Use 1.9%
- Unauthorized Access 1.4%
- Internal Crime / Internal Fraud 1.4%
- Configuration Error 1.2%
- Worms/Viruses 1.1%
- Bug/Security Hole 0.9%
Route:
- Paper Document 49.9%
- PC 16.8%
- Removable Media 15.7%
- Email 6.6%
- Internet/Web 6.4%
Note on the chart: increase of non-IS causes.
AP Information Security Incident Statistics
(* FY07 data as at 19 Feb 08)
Incident type            FY05  FY06  FY07*
Mobile Phone Lost           0     3     2
PIM mishandling             1     1     0
Operational error           2     0     0
RAS Token Lost              2     0     2
Virus                       2     0     0
Website / Email             3     3     1
Notebook Lost Inside        1     2     2
Notebook Lost Outside       4     4     9
Group Information Security Policy
The purpose of the Global Information Security Policy (GISP) and Global Information Security Standards (GISS) based on this Policy is as follows:
· Clearly define the authorities and responsibilities relating to Sony Group’s Information Security.
· Clearly define overall direction and policy regarding Sony Group’s Information Security.
· Establish Sony Group’s Information Security Management System in accordance with the requirements set forth for the ISMS in the British Standard (BS) 7799: 2005.
· Establish Sony Group’s Information Security Management System to secure compliance with the requirements set forth in the Sony Group Code of Conduct.
GISP 3.0 / GISS 1.0 Structure
Global Information Security Policy Statement: Commitment of CEO to Sony Group’s Information Security
Global Information Security Policy (GISP), 13 Sections: Policies regarding Information Security common to Sony Group
(1) Structure of Sony Group’s Information Security Management System: Chapter 1: Introduction, Chapter 2: Scope, Chapter 3: Classes of Sony Information Security Policy, Chapter 4: 4.1 Sony Group Information Security Management System
(2) Basic policy regarding each security requirement: Chapter 4: 4.2 External parties, Chapter 5: Asset management, Chapter 6: Human resources security, Chapter 7: Physical and environmental security, Chapter 8: Communications and operations management, Chapter 9: Access control, Chapter 10: Information systems acquisition, development and maintenance, Chapter 11: Information security incident management, Chapter 12: Business continuity management, Chapter 13: Compliance
Global Information Security Standard (GISS), 8 Standards documents: Detailed rules (minimum security requirements) implementing the GISP
- IS: Access control, Network management, Development & maintenance, etc.
- Workplace Solutions: Physical security, etc.
- Human Resources: Human resources security, etc.
Source: GISP 3.0
Global Information Security Policy
Information Security / PIM Organization (Last updated: 27 Feb 07)
Objectives
1) To integrate Information Security and PIM activities.
2) To integrate HR, Facility, IS, CC & Legal functions to cooperate with Information Security and PIM related issues.
(Organization chart; recoverable content follows.)
HQ: CEO/ECEO; Information Security Committee: Seligman (GGC), Fujita (SVP), Kirihara (SVP), Hasejima (CIO), Oneda (CFO), Hara (SVP).
SGS Inc. Security Mgt. Dept. (ISM Gp, PIM Gp): Head: S.Lee; PIM: T.Waga; ISM: M.Shigenari.
Global Security Office: Head: F.Sakai; CWS: T.Aoki, A.Igarashi; HR: K.Taniguchi; Legal: M.Kudo; IS: F. Sakai; PIM: T.Waga; ISM: M.Shigenari; CC: TBC.
Functions (function wise) across HQ, Hub and Global Network: Legal, HR, WS, IS, CC; ISM/PIM; ISMS; BT/IS Center Security Management Office.
Region/Business Domain: RISO/OCISO in each Gp. Company.
AP Regional Information Security Committee Management Office: RISO: A. Komatsu; Head: A. Komatsu; WS: N. Yamada; HR: T. Seki; Legal: K. Yoshikawa; IS: A. Komatsu; PIM*: Lim SB; Staff: Teo SY; CC: Audrey Mok (*only for sales & marketing companies).
SPEM Information Security Organization (Last update: 7th May ’09)
Information Security Committee: Managing Director, ISO, Advisor
Role: To plan security activities, set policy and procedure and execute them based on GISP & GISS
Division Information Security Representatives: To implement and comply within respective division
Divisions shown: IS, HR/Personnel, HR/Security, PF Prod, ME, Procurement, BA, ESH, QA
Names shown on the chart: CWLee; Norii, Zammani; Rusila Jamalul; David; Kuldeep; Siva; Azian, Afifi, Sree; Fazli/Hasnida; Goh, Kamal, Azizah; Robiza, Chiang/Ratna; Ikeno; Kanna; Uchiyama
What are the Types of Assets?
• Information
• Software
• People
• Paper
• Physical
• Service
• Company’s image & reputation
Information Classification
Why do we need information classification?
Information that falls into unauthorized hands can be damaging to both SONY and our customers.
What needs to be classified?
Physical
- Printed: documents, invoices
- Hardware: media, diskette/tape
Electronic
- Computer data, e-mail
Who should classify the information? The owner of the information.
Information Classification
1) SECRET: the most important and sensitive information. Personnel who are allowed to access this kind of information must be strictly examined and limited to those with a need for access. Example: Password
2) CONFIDENTIAL: important and sensitive information. Personnel who are allowed to access this kind of information must be those whose duties justify a need-to-know. Example: Management information, business plans, midterm plans, production management and procurement information
3) INTERNAL USE ONLY: information that is widely disclosed internally. All personnel may access this kind of information, but must not disclose or disseminate it to any third party outside the Sony Group. Example: Company newsletter, employee rules, policies, guidelines, manuals, employee training information and resources, and so on
Sample forms
- Inventory List “SECRET” sample and Inventory List “CONFIDENTIAL” sample (Form IDs: AD-F040, AD-F039)
- Baseline sample
- SPEM Information Security Incident Report Form sample (Form No. AD-F032; to be used when reporting a possible virus, hacker attack, DoS attacks, fraud or other security incidents; filled up and signed by the report person, division manager and information security officer, with name and date/time; additional documents for explanation to be submitted if required)
Guideline - Labeling
• Font Type: ARIAL
• Font Size: 10
• Font Style: Bold
• Area: Preferably bottom center of the content page
What Is Personal Information?
Personal Information by classification (Secret / Confidential / Internal Use Only)
Customer Information
- Secret: Social security numbers, credit card numbers, driver’s license numbers, bank account numbers, passwords, etc.
- Confidential: Names, addresses, phone numbers, e-mail addresses, age, date of birth, gender, marital status, salary, assets, etc.
Employee Information
- Secret: Philosophy, creed, religion, etc.; information that could lead to discrimination; group activities, health condition, medical information, etc.
- Confidential: Basic employee information, plus the following information: family information, date of birth, work history, home address/phone number/e-mail address, salary, position, etc.
- Internal Use Only: Basic employee information (names, division names, company phone numbers/fax numbers, company e-mail address, global ID)
Business Partner Employee Information
- Confidential: Basic information about business partner employees, plus the following information: home (or mobile) phone numbers and other private information
- Internal Use Only: Basic information about business partner employees (names, company phone numbers/fax numbers, employee job titles)
Other examples shown on the slide: survey answers, etc.; emergency contact network, etc.; business cards; e-mail addresses; etc.
At Sony, a person’s name, address, phone number, e-mail address, etc., are personally identifying information, and if any of these are included, the whole piece of information is considered personal information.
Moreover, even credit card numbers, bank account numbers, gender, date of birth, age, usage history and preference data for products and services, and other information that alone could not identify a person is grouped with personally identifying information and treated as personal information.
The scope of personal information is the same for customers, employees of business partners, and Sony employees.
Handling Of Personal Information
Confidence in Sony - PERSONAL INFORMATION
Key Points on “Basic Principles”
• When collecting information, you must inform the individual, such as a customer, of the purposes of use of the Personal Information, obtain their consent to do so, and collect only the necessary information.
• The Personal Information must be used and disclosed within the scope to which the customer has consented.
• Thoroughly implement appropriate security measures for all handling processes, from collection to disposal.
• When disclosing the collected Personal Information to a subcontractor, either inside or outside the Sony Group, take sufficient measures to manage those subcontractors.
Office Security
General Office Area
• All staff shall wear the identification pass at all times while in office premises
• Identification pass/access card is not transferable
• Staff shall report loss of identification pass and access card to HR immediately
Visitors / Contract Staff
• Staff shall ensure that only authorized persons are allowed access to the office premises
• Staff shall ensure that their visitors get a visitor pass before gaining entry to office premises, and visitors should be escorted
• Challenge unknown visitors
• Contract and temporary staff physical access and logical access profiles are restricted
Equipment Security - Off-premise
• Equipment and media taken off-premises must not be left unattended. E.g.: Portable computers should be carried as hand luggage and disguised where possible during travel
• Equipment used during seminars, conferences and exhibitions should be chained and locked
Equipment Security
Handling procedure
• Prior approval from superior to be obtained before all movements of equipment and software outside the office premises
• Sensitive data should be removed from equipment sent for servicing
• Media containing sensitive information should be disposed of securely (physically destroy it)
Clear Screen Policy
• Activate the password protected screen saver
• Recommended waiting time = 10 mins
Clear Desk Policy
• Do not leave sensitive documents unattended and secure them with lock and key
• When printing sensitive documents, collect the printouts immediately
• Photocopying of sensitive documents must always be attended and staff must clear the photocopier of all documents after photocopying
Controls against Malicious Software
• Ensure Anti-virus software is installed
• Do not disable the Anti-virus software
• Follow instructions sent by the LAN Admin for Anti-virus update / patch installation
DO NOT IGNORE SUCH INSTRUCTIONS
CONTACT HELPDESK/MIS FOR ASSISTANCE
This is to protect your PC's content and to prevent data loss
Use of Standard PC…1
To a certain extent, the internal network is protected from unauthorized access and attacks from the Internet.
However, if even one PC has a decreased level of security due to overconfidence in the network’s safety, it becomes a loophole that can expose the network and every PC connected to it to the following dangers:
INFORMATION LEAKAGE
VIRUS INFECTION
UNAUTHORIZED ACCESS
Use of Standard PC…2
The following security measures are applied to standard PCs to keep the security level in top condition at all times. They also include the necessary software (Microsoft Office, etc.) for smooth deployment of B2E services.
Standard PC: SONY VAIO
Security measures applied to standard PCs:
• Windows XP Professional operating system
• Symantec Antivirus software
• SMS Tools software to enable automatic distribution of the latest security patches from “Client Security Management Services.”
1. USE A “SONY STANDARD PC” WITH APPLIED SECURITY MEASURES.
Use of Standard PC…3
As private PCs are not guaranteed to have the proper security measures, they pose a high risk as sources of virus epidemics and information leakage by virus infection.
They can also become breeding grounds for fraudulent acts.
a. Do not connect a non-company PC, such as a private PC, to the internal network.
b. Do not work on a private PC by taking information home on external recording media or by e-mail.
2. DO NOT USE A “PRIVATE PC” OR A “NON-COMPANY PC”
Use & Governance of Company’s Electronic Mail & Internet Access
• Electronic mail and Internet access made available to staff are to assist them to perform their work more effectively and efficiently
• Any incidental use of email and Internet access for personal purposes is acceptable provided it does not detrimentally affect employee productivity, disrupt the systems or cause harm to the company’s reputation or business operations
• All emails and related system resources are the property of the company
• The company reserves the right to inspect, monitor, log, track or disclose email or Internet access activities
Use & Governance of Company’s Electronic Mail & Internet Access
Responsibility of Staff in Email Usage
• Should not use email to distribute hoaxes, chain letters, advertisements, rude, obscene, slanderous or harassing messages
• Broadcasting of unsolicited views on social, political, religious or other non-business related matters is prohibited
• Should not use email to propagate viruses knowingly or maliciously
• Attempting to interfere with another’s email account or engaging in harassment, whether through language, frequency or size of messages, is prohibited
Use & Governance of Company’s Electronic Mail & Internet Access
Responsibility of Staff in Internet Usage
• Participation in Internet/Web based conferences, newsgroups, bulletin boards, email list servers or other electronic forums must have prior approval from the Division Head level.
• Use of public tools such as MSN, Skype or instant messenger is not allowed.
• Must not access, download or distribute contents that: are in breach of the law; may cause offence to others; may incite violence.
• Software may not be downloaded from the Internet without prior approval of the Div/Dept Head.
Information Exchange…1
Voice
• Exercise care when disclosing or discussing classified information over the phone
• Ensure that the audience present at both ends is authorized to receive information being discussed during 3-way teleconferencing
• Ensure that you do not access your mail box in the presence of others when using a display phone
• Should not access your voicemail with the phone speakers on
Information Exchange…2
Fax
When faxing sensitive documents, staff must ensure that:
• the manual fax function is used to fax out
• prior arrangement is made with the recipient so that the document can be collected immediately
• all documents are cleared from the fax machine before leaving
Video Conferencing
Staff hosting a video conference shall ensure that the audience present at both ends is authorized to receive any classified information that is being disclosed or discussed.
Password Management
Password
1. Use min. 6 characters
2. Use both letters and numbers
3. Use both upper and lower case
4. Use special characters
5. Use simple passwords that can be memorized easily without writing them down and typed quickly and smoothly without looking at the keyboard
Password Management
User’s Responsibilities
1. Do not disclose User ID and password
2. Do not keep a paper record of passwords, unless this can be stored securely
3. Change password whenever there is any indication of possible compromise
4. Change the password periodically
Mobile Computing...1
Usage of Mobile Computers
• Mobile computers shall not be left unattended in insecure locations, and should be locked away where possible
• Do not leave mobile computers in your vehicles
• Hand carry mobile computers during travel
• Backup your data regularly
• Do not allow unauthorized persons to use your mobile computers
Mobile Computing...2
User’s Responsibilities
• If the mobile device is unattended during remote access, discontinue remote access or render it unusable by others
• Do not keep mobile computer and token or password together
• Loss, damage and vandalism to mobile computers and equipment must be reported to HR immediately
Copyright Act
1. Only licensed software shall be used for business activities within the organization
2. Staff who install any unlicensed software shall be held fully responsible for any copyright infringement
3. Software that is installed for a trial run shall be removed from the system when the trial run period is over
Staff Responsibilities
• Staff shall be responsible to uphold security in the company
• to abide by the company security policy
• to ensure security is not compromised while performing their job
• to observe utmost confidentiality of all information learned and/or received
• to abide by the applicable legislation, e.g. intellectual property rights, copyrights
• to report any security incidents or weaknesses
Any violation of policy or security breach will result in disciplinary action against staff.
Reporting Security Incident
What is a Security Incident?
IT-Related
• An adverse event or situation associated with information systems. E.g.: Unauthorized access, website defacement, network probing ..
• Any event that could result in loss or damage to assets. E.g.: Malicious codes, viruses, use of system privileges without authorization ..
Non-IT Related
• An action that would be in breach of organization security policies or procedures. E.g.: improper handling or disclosure of classified document, vandalism..
SPEM Information Security Incident Report Flow
(Flow chart; boxes shown: Incident occurred; Incident Classification Chart: Class 1 or 2? YES; Fill Up SPEM Security Incident Form; Division Manager Approval; Division Information Security Representative; SPEM Information Security Officer; SPEM Information Security Committee; SPEM Managing Director / Director; RISMO; Regional Security Incident Form.)
E.g. 1. Leakage of secret information 2. Loss or theft of information asset 3. Unauthorized access to the information assets
Information Security Incident Form
SPEM CONFIDENTIAL
INFORMATION SECURITY INCIDENT REPORT FORM
(Form is to be used when reporting a possible virus, hacker attack, DoS attacks, fraud or other security incidents)
PERSON REPORTING THE INCIDENT:
Date: Time:
Name: Designation: Division/Department:
Email Address: Phone Number: Extension Number: Fax Number: GID:
Location of incident:
How was the incident detected?
When was it detected? Date and Time
INCIDENT CATEGORY:
- Leakage of Classified information
- Loss or theft of information assets
- Theft of source of programming code
- Unauthorized access to the information assets of Sony Group (incl. Website defacement)
- Probe/Scan/Unauthorized electronic monitoring (Sniffers)
- Malicious code / Virus (incl. worms and Trojans)
- DoS (Denial of Service)
- Misuse of information assets of Sony Group by employee
- Human errors by employee resulting in classified information disclosure
- Legal and regulatory violations / Antisocial conduct by employee
- Cyber Crime (Phishing, identity theft, telecom and/or financial fraud, etc.) (pls. describe)
- Other Info. Sec. Concerns, please describe:
This form is filled up by: Report Person / Division Manager / Info. Sec. Officer (Name, Date/Time, Signature)
* Please submit additional documents for explanation if required
Please get the Information Security Incident Form at Lotus Notes [IS Approve Form] [Form No: F032]
ContentContent
IntroductionIntroduction- Objective of this trainingObjective of this training- Introduction to information securityIntroduction to information security
Security FrameworkSecurity Framework- Security PolicySecurity Policy- Security OrganizationSecurity Organization
Security RequirementsSecurity Requirements- Asset classification & controlAsset classification & control- Physical & environment securityPhysical & environment security- Communications & operation mgmtCommunications & operation mgmt- Access controlAccess control- ComplianceCompliance- Personnel securityPersonnel security
Security Tips
INTERNAL USED ONLY58
Security Tips: Password Management
Use Letters, Numbers and Special Characters
Um!bre1a
H@t4you
ra1nCo@t
Security Tips: Password Management
Phrases: use the first letter of each word in a phrase or sentence.
Phrase 1 : Happy New Year 2003 !
Password : Hny2003!
Phrase 2 : Gong Xi Fa Cai 2003
Password : Gxfc2003
Security Tips: Password Management
Compound words: misspell a compound word to construct a strong password.
Compound Word : Deadbolt
Password : Dea&bowlt8
Compound Word : Seashore
Password : See@sh0rr
Security Tips: Social Engineering Tips
Dumpster divers hope to get sensitive information.
Shred sensitive documents.
Disappoint them!!!
Security Tips: Social Engineering Tips
Never, ever give private or company information to unknown people.
Do not fall for social engineers: they will say anything to get valuable information.
"Hello, I am from helpdesk, I need your password."
"What is your name?"
Security Tips: Social Engineering Tips
Do not discuss company or customer information in public.
Social engineers are listening to you.
Security Tips: Office Security
Do not allow piggybacking (tailgating through a door you opened).
Use your own access card to enter secure areas.
Security Tips: Information Handling
You can't unring a bell.
The best way to protect sensitive information is not to share it.
Security Tips: Information Handling
Handle personal information with care.
We all value privacy.
Security Tips: Clear Screen Policy
Taking a break...?
Lock your computer when not in use.
Use password-protected screen savers.
Security Tips: Clear Desk Policy
Do not leave sensitive documents unattended on your desk.
NATURE of SECURITY
Know who belongs in your environment.
Challenge and escort unknown visitors.
Security Tips: Internet / E-mail Security
There's always free cheese in a mousetrap.
Exercise caution when downloading or launching any file from the Internet or e-mail.
Security Tips: E-mail Security
Received an anonymous e-mail...?
Do not open the e-mail if the source is unknown.
Security Tips: E-mail Security
Delete chain e-mail; do not forward or reply to it. Forwarding it is considered mail spamming and increases mail traffic.
Security Tips: Virus Handling
Delete hoax virus e-mail; call the Helpdesk (IS) and log an incident if you are in doubt.
Report if a virus is suspected.
Security Tips: Mobile Security
Do not leave your laptop unattended when you travel.
Security Tips: Mobile Security
Did you protect your laptop before going home?
Lock your laptop, or secure it inside a locked cabinet.
THE END
Title: Information Security Quiz
Name : _________________________
Emp ID : _________________________
Div/Dept : _________________________
Date : _________________________
Important: To pass the quiz, you need to obtain 9 or more correct answers. Please answer all the questions.

1. What are the 3 information classifications used at Sony?
(I) SECRET
(II) CONFIDENTIAL
(III) INTERNAL USE ONLY
(IV) IMPORTANT
A. (I), (II) & (III)
B. (I) only
C. (II) only
D. (I), (II), (III) & (IV)

2. Which of the following rules is NOT correct for password handling?
A. Do not write down your password
B. Use the 'Remember password (auto complete)' function so that you need not remember the password
C. Ensure that no one is looking over your shoulder when you are entering your password
D. Change your password if it has been revealed to others

3. Which of the following rules is NOT correct for handling external recording media with classified information?
A. Personal recording media can be used to store company information
B. Store external recording media under lock and key at your workplace
C. Immediately after using external recording media, completely delete all information on it

4. Non-company computers should not be connected to the Sony internal network.
A. TRUE
B. FALSE

5. The rules for using e-mail in the office include:
(I) Do not set your company e-mail address to automatically forward incoming e-mail to a different address outside the company.
(II) Refrain from sending e-mails to external mailing lists.
(III) Password-protect e-mail attachments containing confidential information, and send the password in a separate e-mail.
A. (I) only
B. (II) & (III)
C. (I), (II) & (III)

6. If an information security incident occurs, or you suspect one has, you should promptly report it to:
A. the Managing Director of the company you are in
B. your superior and the Information Security Representative
C. no one; ignore the occurrence of the incident or suppress your suspicion

7. What security measures must you take to protect your PC or notebook from viruses?
(I) Do not install software unnecessary to your work
(II) Do not view suspicious websites or download suspicious files
(III) Leave the real-time virus scanning function turned ON
A. (I) only
B. (II) only
C. (II) & (III)
D. (I), (II) & (III)

8. When leaving your PC unattended:
(I) Lock your computer (e.g. press Ctrl + Alt + Delete)
(II) Enable a password-protected screen saver
A. (I) only
B. (II) only
C. (I) & (II)

9. How do you handle classified documents?
(I) Store SECRET & CONFIDENTIAL documents in a locked cabinet
(II) Completely dispose of classified documents with an unrecoverable method (e.g. shredding)
(III) Do not let documents out of your possession when taking them outside the company for business purposes
(IV) Leave CONFIDENTIAL documents unattended on your desk when going home
A. (I) only
B. (I), (II) & (III)
C. (II) & (III)
D. (I), (II), (III) & (IV)

10. What are the rules regarding in-house Internet access?
(I) Do not view bulletin boards, etc., that are unrelated to work
(II) Do not access sites that are unrelated to work
(III) Do not use free e-mail, instant messenger or web chat services on your work PC
A. (I) only
B. (II) only
C. (II) & (III)
D. (I), (II) & (III)