
Table of Contents

Information Security Management System Awareness

• INTRODUCTION
• PHYSICAL ACCESS CONTROL
• WORK AREA SECURITY
• COMPUTER ACCESS
• INTERNET ACCESS
• REMOTE ACCESS POLICY
• LAPTOPS SECURITY
• VIRUS PROTECTION
• ELECTRONIC MAIL
• SOFTWARE LICENSE
• SOCIAL ENGINEERING
• COMPLIANCE

SECURITY UPDATE – PROJECT MANAGEMENT

IS Team Collabera, Bangalore


Information Security Forum

• Anantharam V K
• Anil Chandran C
• Bhaskaran Iyer
• Gopi Krishnan S
• Harish A S
• Hema J
• Hemanth Kumar H
• Jagadish Iyengar
• Kavita Rao
• Krishnamurthy Ramamurthy
• Lisa Joshy
• Manjula Kiron
• Martin Francis T
• Prashob P K
• Sahadev Dwaraknath
• Sajee Sivaraman
• Siva Kumar R
• Veena B.N


Helpdesk-IT

Helpdesk structure (diagram): requests arrive by Phone, Email or CMS and cover Hardware/OS, Web and Interface events; the Helpdesk Team is responsible for Reporting & Monitoring and acts as SPOC, coordinating with the Vendor, Call Resolution and Internal Service Support.

• HELPDESK CONTACT
• Ph: 6111
• Email id: helpdeskit@collabera.com
• Display Name: HelpdeskIT-Collabera-Bangalore


Helpdesk-IT
• DESKTOP SUPPORT TIME

Koramangala

Service Window: Infrastructure (all critical servers / links)
Days              Staffing     Timings
Monday - Friday   Full Load    8-00 am to 9-00 pm
Saturday          On call      9-00 am to 5-00 pm
Sunday            On call      9-00 am to 5-00 pm

Service Window: End-user support (desktop/laptop)
Days              Staffing     Timings
Monday - Friday   Full Load    7-00 am to 11-00 pm
Saturday          Skeletal     9-00 am to 5-00 pm
Sunday            Skeletal     9-00 am to 5-00 pm

Ecospace

Service Window: Infrastructure (all critical servers / links)
Days              Staffing     Timings
Monday - Friday   Full Load    8-00 am to 9-00 pm
Saturday          On call      9-00 am to 5-00 pm
Sunday            On call      9-00 am to 5-00 pm

Service Window: End-user support (desktop/laptop)
Days              Staffing     Timings
Monday - Friday   Standard     24/7
Saturday          Standard     24/7
Sunday            Standard     24/7
Standard IT Infra

Delivery and Support Teams.

• P4 / 1GB RAM / 80GB HDD / with the software below:
• Windows XP Prof
• Microsoft Office 2000 Prof / Office XP Std / 2003 Std / 2007 Std / 2007 Prof / 2007 Ent Ed
• Easy Zip 2000
• Acrobat Reader
• Printer Driver
• Trend OfficeScan

NOTE
• Additional requirements should be planned and driven by the Project IT Budget through the Project Manager / Program Manager using the Hardware/Software Request Form.


Introduction-ISMS

Purpose

The purpose of this presentation is to provide:

• Information Security Awareness.
• Training of employees in ISMS spheres of activity.
• Guidance on security.

This applies to all users of Collabera facilities – employees, contractors and other third party vendors.


Introduction-ISMS

• Information is an asset having value to the organization and hence needs to be adequately secured and protected.

• Information security is essential:

• To protect information from a wide range of threats in order to ensure business continuity.

• To minimize business losses and maximize return on investments and business opportunities.


What is ISMS

Information Security Management System

• A strategic decision of an organization

• Its design and implementation are shaped by:
• Needs and objectives
• Security requirements
• Processes employed
• Size and structure of the organization

• Scaled with ‘needs’ – a simple situation requires a simple ISMS solution


What is ISMS

ISO 27001 has been prepared to provide a model for:

• Establishing
• Implementing
• Operating
• Monitoring
• Reviewing
• Maintaining &
• Improving

the Information Security Management System (ISMS)


Process Approach

• ISO 27001 has adopted a Process Approach.

• An organization needs to identify and manage many activities in order to function effectively.

• Any activity using resources, and managed in order to enable the transformation of inputs into outputs, can be considered to be a Process.

Inputs >>>>>>> Process >>>>>>> Outputs


Process Approach contd..

The process approach for ISMS encourages users to emphasize the importance of:

• Understanding an organization’s information security requirements and the need to establish POLICY and OBJECTIVES for information security

• Implementing and operating CONTROLS to manage an organization’s information security risks in the context of the organization’s overall business risks

• Monitoring and reviewing the performance and effectiveness of the ISMS, and

• CONTINUAL IMPROVEMENT based on objective measurement
ISMS

“ISMS” is defined as:

That part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security. (ISO 27001:2005)


Information Security Management System

Information Security
 Policies and Procedures are implemented to assure safety, availability, integrity & confidentiality of our customers’ data
 Security roles and responsibilities are established for all the employees
 ISMS Training is provided to all employees about the relevance & importance of information security

Physical Security & Access Control
 Authentication is implemented in the organization to provide a secure environment for the employees
 Smoke detectors and fire extinguishers are installed to ensure protection of all resources
 2 Factor Authentication & CCTVs have been installed at the required locations
 Appropriate access rights to the information systems are granted to employees based on the role

Network Security
 Gateway Firewalls are installed to protect the network
 VPN is established to the client network for secure communication
 Penetration Testing is carried out at periodic intervals
 Routers are installed and monitored to regulate network traffic

Business Continuity
 BCP and DR plans have been established
 L1, L2, L3 disaster locations are identified
 RTO and RPO have been defined based on the business needs
 Mock drills and Resiliency Tests are conducted to ascertain readiness

Security Controls have been effectively deployed in Collabera

ISO 27001:2005 Certified
Information as an Asset

Information is:
‘An asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected.’

Asset Definition:
“anything that has value to the organization”


Information Security Definition

“preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved”


Information Security

• What is Information Security?

• Confidentiality: ensuring that information can only be accessed by those with the proper authorization

• Integrity: safeguarding the accuracy and completeness of information/data and the ways in which it is processed

• Availability: ensuring that authorized users have access to information and associated assets whenever required

PDCA MODEL
PLAN: Establish the ISMS
DO: Implement & Optimize the ISMS
CHECK: Monitor & Review the ISMS
ACT: Maintain & Improve the ISMS


Collabera Information Security Policy

• “Collabera Management is committed to adequately secure the organization & client information by ensuring the protection of confidentiality, integrity and availability of the assets”.

• “Collabera Management will deploy adequate controls to secure the assets, which need to be followed & adhered to by all employees. The controls applied to secure the assets are supported by issue based sub policies. All employees are responsible for maintaining the security of the assets”.

• “All employees are requested to report any security weakness or breaches to their superiors.”

• “All employees shall be made aware of the Security policy and disciplinary action imposed on employees who have violated the security requirements of the organization”.


Physical Access Control

• All users are issued an access card when they join Collabera.

• Always use your access card to enter & exit the facility.

• Do not leave the main entry doors open.

• Do not let unauthorized persons (staff / outsiders) into the facility.

• If you notice anybody piggybacking or doors which do not lock automatically, report the incident to Security staff.


Working in Secure Areas

• Food or drinks, hazardous material and any form of personal storage media should not be carried inside the Secure Area.

• Awareness and clear written instructions should be given to cleaning staff on do’s and don’ts inside the Secure Area.

• The Secure Area should not be used to stock any boxes, unused equipment, backup tapes, CDs or papers.

• Accessories like keyboard, monitor, and mouse should not be removed from live systems.

• Secure Area support staff should be intimated immediately of abnormal or suspicious activities if noticed.

• All Secure Area rack keys should be placed at the appropriate location in the master key cabinet.

• Startup/Shutdown procedures for all critical systems hosted in the Secure Area should be followed.

• Servers / Network devices used for testing / evaluation should be placed in a separate network segment and should not interact with the production network segment.


Desktop Security & Password Policy

Clear Screen & Clear Desk

• Each employee is responsible for keeping his/her computer secure, including access to it.
• Lock your workstation every time you leave your desk.
• Keep hardcopies of all sensitive documents locked.

Password Policy

• Each user is provided a password for system and network access.
• Change the default password on first login.
• Select a robust password of minimum 12 characters.
• Password must include alphanumeric characters and at least one special character.
• Passwords will expire after 60 days.
• Password will be locked out after 5 unsuccessful logins.
• NEVER share your passwords.
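The four technical rules of the password policy above (12-character minimum, letters plus digits plus a special character, 60-day expiry, lockout after 5 failed logins) as a small reference implementation. This is an added example, not Collabera's code; the Account class, its method names and the PBKDF2 hashing are assumptions chosen for illustration.

```python
"""Reference checks for the password rules stated on the slide (constructed example)."""
import hashlib
import hmac
import re
import secrets
from datetime import date, timedelta

MIN_LENGTH = 12            # "minimum 12 characters"
MAX_AGE_DAYS = 60          # "Passwords will expire after 60 days"
MAX_FAILED_LOGINS = 5      # "locked out after 5 unsuccessful logins"


def password_problems(password: str) -> list:
    """Return the rules a candidate password violates (empty list means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 12 characters")
    if not re.search(r"[A-Za-z]", password) or not re.search(r"[0-9]", password):
        problems.append("must contain both letters and digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


class Account:
    """Per-user state (hypothetical): salted hash, last change date, failed-login counter, lockout flag."""

    def __init__(self, password: str, changed_on: date):
        bad = password_problems(password)
        if bad:
            raise ValueError("password rejected: " + "; ".join(bad))
        self.salt = secrets.token_bytes(16)
        self.digest = self._hash(password, self.salt)
        self.changed_on = changed_on
        self.failed_logins = 0
        self.locked = False

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Never store the password itself; PBKDF2-HMAC-SHA256 comes with the standard library.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def expired(self, today: date) -> bool:
        # The 60-day rule: a password older than MAX_AGE_DAYS must be changed.
        return today - self.changed_on > timedelta(days=MAX_AGE_DAYS)

    def login(self, password: str, today: date) -> str:
        """Return 'locked', 'expired', 'ok' or 'denied'; lock after MAX_FAILED_LOGINS failures."""
        if self.locked:
            return "locked"
        if hmac.compare_digest(self._hash(password, self.salt), self.digest):
            self.failed_logins = 0
            return "expired" if self.expired(today) else "ok"
        self.failed_logins += 1
        if self.failed_logins >= MAX_FAILED_LOGINS:
            self.locked = True
            return "locked"
        return "denied"
```

A locked account stays locked even when the correct password is later supplied, which is what the 5-attempt rule requires; unlocking is left to the helpdesk process the slides describe.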


Computer Usage

• NEVER test security weaknesses; report them.

• NEVER share directories on your PC. Should you have a compelling business reason for doing so, ensure the share is removed immediately after use.

• Do NOT share root drives.

• Do NOT use modems in the Collabera LAN; if you have a specific need, get a security clearance from your superior.

• Do NOT store or access any data that can be classified as pornographic, hacking, racist or provocative.

• Do NOT download and install freeware or shareware; should you have a business reason to install freeware/shareware, please get approval from your Superior and Head IT.


Internet Access

• Internet access is provided for business use.

• Do not download MP3s or screen savers.

• If you need specific services, like chat, ftp, etc., get the approval of your Superior and then contact the IT Operations team.

• If you land on unintended sites, or get automatic pop-up sites while trying to reach some sites, call the IT Help desk and register the incident.

Prohibited websites are:

• Adult and Sexually Explicit sites
• Government Sensitive and Terrorist Organization Sites
• Marriage Sites
• Spamming Sites
• Hacking sites
• Remote Proxies
• Gambling sites
• Job Search
• Any site which encourages earnings by means of commission on sales, sub-contract for recruitment/placement etc.


Remote Access Policy

• Accessing any information system in Collabera internal networks via VPN or any other technology shall comply with Collabera Information Security policies.

• Use the most up-to-date anti-virus software, which is the corporate standard.

• It is the responsibility of Collabera users with remote access privileges to Collabera’s corporate network to ensure that their remote access connection is given the same consideration as the user's on-site connection.

• It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Collabera internal networks using their access privileges.

• Do not perform illegal activities or use the access for outside business interests.

• The user shall bear the responsibility for the consequences arising out of misuse.

• Dual (split) tunneling shall not be permitted.

• Employees shall not connect to dial-up networking when they are connected to the Collabera VPN.


Laptop Security

• Ensure the physical safety & security of your laptop.

• Ensure the laptop is kept in your immediate possession, in a locked environment.

• The user is accountable for the theft of, or any damage to, the laptop.

• Report any theft or damage to Head-IT Operations & Head-Admin as quickly as possible to ensure further damage is prevented.

• Never install/uninstall any hardware/software that is not authorized by IT personnel.

• Ensure at all times that anti-virus software is updated regularly.

• Ensure a backup is done for all critical information stored on your laptop.

• Ensure that you do not use the dial-up facility when the laptop is connected to Collabera networks.

• Visitors’ laptops shall be restricted from connecting to the Collabera network.

• Connecting to the Collabera network shall be allowed only after inspection & prior approval by authorized IT personnel.
Virus Protection

• Please ensure your computer has antivirus installed; else call the IT Help desk.

• Do not uninstall the antivirus program; if it causes system conflicts, call the IT Help desk for help.

• NEVER ignore virus related warnings.

• If you receive a virus through mail, please contact the IT Help desk immediately.

• Do not open any email message or e-mail attachment received from unknown sources; immediately delete such e-mails, as they may contain a virus.


Electronic Mail

• Collabera electronic mail should be used only for the conduct of Collabera business.

• Do NOT send chain mails, or mails containing large attachments which do not classify as business communication.

• Be careful when addressing e-mail – know whom you are sending the mail to. Do not use the “Reply to All” option without checking.

• Do NOT respond to mails that ask you to click on a link from people you do not know.

• Do NOT send or respond to SPAM. Your address book may be copied, deleted or misused, and damage can be caused to your data.

• Do not provide your company mail id for subscribing to online magazines & newsletters.
Application Downloads

• Do not install any freeware or evaluation software on your systems; seek IT OPS Team help.

• If you are not able to interpret the licensing applicability, contact the IT OPS Team.

• Should you need specific software, contact your manager for approval and the IT Help desk for installation.


Data Backup

• It is the responsibility of users to initiate backup requests to the IT Team by sending a completed Backup Request/Archival form, approved by their reporting manager.

• Backup is performed daily, weekly, fortnightly & monthly.

• Restoration requests have to be routed similarly through the reporting manager.

• Only critical information required for business operations shall be backed up.

• Data to be backed up should not reside in the C drive (root drive).

• Source code should be stored in VSS/CVS only.

• User emails shall be backed up only if the user closes Outlook Express before leaving for the day.
Security Incident Management

• Detailed Security Incident Process
 Analysis of data flows
 Decisions on the nature and scope of monitoring
 Appropriate policies governing detection and response
 Formation and equipping of response teams
 Detection implementation, including the proper use of technology, and
 Response to an intrusion, including the containment and restoration of systems and appropriate reporting.

• Effective Security Incident Response Process
 Incidents affecting security should be reported through appropriate management channels as quickly as possible.
 All employees and contractors should be made aware of the procedures for reporting different types of incidents:
o security breach, threats, vulnerabilities, or security-related software malfunction that might have an impact on the Receiver Company's operations.
o All employees and contractors should be required to report any observed or suspected threats, vulnerabilities, or incidents as quickly as possible to the designated point of contact.
Security Incident Reporting

• Report any violation of the security sub-policies, or any malfunction of systems which could lead to a security breach, immediately to your reporting manager.

• Sample of security incidents:
 Any visitor without a visitor badge.
 An outsider has gained unauthorized access to the premises of Collabera.
 Any visitor in the work area without an escort.
 Any sensitive information on desks unattended.
 Any access-controlled doors non-operational.
 Your colleague violating Collabera Information Security policies.
 Personal friends / visitors inside the premises without permission from higher-ups.
 Any virus attack.


Social Engineering

• Do not disclose your password to others … even system administrators … unless absolutely required.

• Do not give out sensitive information over email/telephone (unless you are authorized to do so as part of customer facilitation).

• Do not leave sensitive documents on your desk / printer / fax / public places.

• Never discuss company confidential information with outsiders, even in informal gatherings.

• Never use company confidential information to solicit better opportunities.


Compliance

• STPI
• Do NOT transmit data without prior approvals.
• Do NOT download software.
• All BONDED items coming in and going out of STPI Bonded areas should be documented & reported to superiors.

• ISMS
• Follow policies & procedures laid down by the ISMS.


Security Update - Project Management

• Project Initiation
• Project Resource Management
• Risk Assessment & Management
• Process & Procedures
• Interfaces
• Training and Awareness
• Compliance


Project Initiation

Project KICK OFF

• RESOURCE Requirements Evaluation and Finalization

• Risk Assessment and Mitigation Strategies

• Project Tailoring Guidelines – AQS – Process and Procedures

• Backup and Restoration – VSS / CVS / Mails

• Client Communication Plan

• Client Specific Security Requirements – Audits & Compliances

• Ensure Security Awareness Training of Team Members



Resource Management


Risk Management


Back up Lifecycle


Back up Periodicity


Interfaces and Communication Plan

• Communication Plan
• VPN Details
• Information Exchange Plans

Communication Plan


IT Release – Resource Movement


Resource Training & Requirements


Thank You
