
Information Security Awareness Training

INTERNAL USE ONLY

Content
1. Introduction
   - Objective of this training
   - Introduction to information security
2. Security Framework
   - Security Policy
   - Security Organization
3. Security Requirements
   - Asset classification & control
   - Physical & environment security
   - Communications & operation mgmt
   - Access control
   - Compliance
   - Personnel security
4. Security Tips


Objective
To create general security awareness among staff and to achieve a high level of compliance with the requirements stated in the information security policies.


What is Information?
Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.

Types of Information
- Customer: customer sales data
- Internal: pricing
- Public: news content
- Shared: knowledge management

Forms of Information
- Transmitted electronically: e-mail
- Stored electronically: database
- Verbal: spoken
- Printed: fax, documents


What is Information Security?
Information security is the preservation of three properties of information (C-I-A):
1. Confidentiality: ensuring that information is accessible only to those authorized to have access.
2. Integrity: ensuring the accuracy and completeness of information.
3. Availability: ensuring that authorized users have access to information and associated assets when required.


Importance of Information Security
1. Protect information assets
2. Maintain competitive edge
3. Ensure legal compliance
4. Protect the company's image
5. Identify security threats


Security-related Threats
[Diagram: threats grouped by where they arise (in the office, out of the office, on the Internet) and by who is involved (employee, partner). Threat labels recovered from the diagram:]
- Virus
- Data corruption
- Disclosure of confidential data (by employee or partner)
- Unauthorised access
- Database disaster
- System and equipment failure
- Inaccurate information
- Theft of software
- Theft of information
- Lost or stolen PC
- Unauthorized access from a private PC
- Information leakage via mobile devices or the web site
- Web page defaced
- Environmental threats

Types of Personal Information Leakage (Japan, 2005)
[Chart reconstructed. Source: NPO Japan Network Security Association]

By cause:
- Loss / misplacement: 42.1%
- Theft: 25.5%
- Administration error: 12.4%
- Operational error: 12.4%
- Unauthorized information removal: 3.3%
- Non-intended use: 1.9%
- Internal crime / internal fraud: 1.4%
- Unauthorized access: 1.4%
- Configuration error: 1.2%
- Worms / viruses: 1.1%
- Bug / security hole: 0.9%

By route:
- Paper document: 49.9%
- PC: 16.8%
- Removable media: 15.7%
- E-mail: 6.6%
- Internet / web: 6.4%

Observation on the slide: increase of non-IS causes (most leaks are not caused by information-system failures).

AP Information Security Incident Statistics
Number of incidents per fiscal year:

Category                 FY05  FY06  FY07*
Mobile phone lost           0     3     2
PIM mishandling             1     1     0
Operational error           2     0     0
RAS token lost              2     0     2
Virus                       2     0     0
Website / e-mail            3     3     1
Notebook lost inside        1     2     2
Notebook lost outside       4     4     9

* FY07 data as at 19 Feb 08


Group Information Security Policy
The purpose of the Global Information Security Policy (GISP) and of the Global Information Security Standards (GISS) based on this Policy is as follows:
- Clearly define the authorities and responsibilities relating to Sony Group's information security.
- Clearly define the overall direction and policy regarding Sony Group's information security.
- Establish Sony Group's Information Security Management System (ISMS) in accordance with the requirements set forth for an ISMS in British Standard BS 7799:2005.
- Establish Sony Group's ISMS so as to secure compliance with the requirements set forth in the Sony Group Code of Conduct.

GISP 3.0 / GISS 1.0 Structure
(Source: GISP 3.0)

Global Information Security Policy Statement
- Commitment of the CEO to Sony Group's information security.

Global Information Security Policy (GISP), 13 chapters: policies regarding information security common to the Sony Group.
(1) Structure of Sony Group's Information Security Management System:
- Chapter 1: Introduction
- Chapter 2: Scope
- Chapter 3: Classes of Sony Information Security Policy
- Chapter 4.1: Sony Group Information Security Management System
(2) Basic policy regarding each security requirement:
- Chapter 4.2: External parties
- Chapter 5: Asset management
- Chapter 6: Human resources security
- Chapter 7: Physical and environmental security
- Chapter 8: Communications and operations management
- Chapter 9: Access control
- Chapter 10: Information systems acquisition, development and maintenance
- Chapter 11: Information security incident management
- Chapter 12: Business continuity management
- Chapter 13: Compliance

Global Information Security Standards (GISS), 8 standards documents: detailed rules (minimum security requirements) implementing the GISP, e.g. Workplace Solutions (physical security, etc.), Human Resources (human resources security, etc.), access control, network management, development & maintenance, etc.


Information Security / PIM Organization
(Organization chart, last updated 27 Feb 07)

Objectives
1) To integrate Information Security and PIM activities.
2) To integrate the HR, Facility, IS, CC & Legal functions so that they cooperate on Information Security and PIM related issues.

Structure recovered from the chart:
- CEO / ECEO
- HQ Information Security Committee: Oneda (CFO), Seligman, Hara, Fujita, Kirihara, Hasejima
- Global Security Office (Head: F. Sakai), with function contacts WS (T. Aoki, A. Igarashi), HR (K. Taniguchi), Legal (M. Kudo), IS (F. Sakai), CC (TBC); Security Management Dept. (Head: S. Lee) with ISM group (M. Shigenari) and PIM group (T. Waga)
- Region / Business Domain Hub: AP Regional Information Security Management Office (Head: A. Komatsu, RISO/OCISO); WS: N. Yamada; HR: T. Seki; Legal: K. Yoshikawa; IS: A. Komatsu; PIM*: Lim SB; CC: Audrey Mok; staff: Teo SY
- Each Group Company: ISM/PIM, linked through a function-wise global network across CC, IS, Legal, HR and WS
(* PIM only for sales & marketing companies)

SPEM Information Security Organization
(Last updated 7 May 09)

Information Security Committee: to plan security activities, set policy and procedures, and execute them based on GISP & GISS.
- Managing Director: Ikeno
- ISO Advisor: Uchiyama
- Advisors: CW Lee, Norii, Zammani
- IS: Rusila, Kanna
- HR/Personnel: Jamalul
- HR/Security: Kuldeep

Division Information Security Representatives: to implement and comply within their respective divisions.
- Procurement: Chiang / Ratna
- BA: Robiza
- QA: Goh, Kamal, Azizah
- ESH: Siva
- PF: David
- Prod: Fazli / Hasnida
- ME: Azian, Afifi, Sree


What are the Types of Assets?
- Information
- Software
- People
- Paper
- Physical
- Service
- Company's image & reputation

Information Classification
Why do we need information classification?
Information that falls into unauthorized hands can be damaging to both SONY and our customers.

What needs to be classified?
- Physical: printed documents, invoices; hardware media such as diskettes and tapes
- Electronic: computer data, e-mail

Who should classify the information?
The owner of the information.

Information Classification
1) SECRET: the most important and sensitive information. Personnel who are allowed to access this kind of information must be strictly vetted and limited to those with a need for access.
Example: passwords
2) CONFIDENTIAL: important and sensitive information. Personnel who are allowed to access this kind of information must be those whose duties justify a need to know.
Example: management information, business plans, mid-term plans, production management and procurement information
3) INTERNAL USE ONLY: information that is widely disclosed internally. All personnel may access this kind of information, but must not disclose or disseminate it to any third party outside the Sony Group.
Example: company newsletter, employee rules, policies, guidelines, manuals, employee training information and resources, and so on

Sample Forms
(Slides showing form images; details recovered from the slides:)
- Inventory List, SECRET: Form ID AD-F040
- Inventory List, CONFIDENTIAL: Form ID AD-F039
- Baseline sample
- SPEM Information Security Incident Report Form: Form No. AD-F032 (to be used when reporting a possible virus, hacker attack, DoS attack, fraud or other security incident). Fields: person reporting the incident; filled up by (name), date/time, signature; sign-off by the Division Manager and the Information Security Officer; submit additional documents for explanation if required. The form itself is classified CONFIDENTIAL.
- Guideline on labeling: font type Arial, font size 10, bold, placed preferably at the bottom center of each content page.

Personal Information
What is Personal Information?
At Sony, a person's name, address, phone number, e-mail address, etc. are personally identifying information, and if any of these is included, the whole piece of information is considered personal information. Moreover, credit card numbers, bank account numbers, gender, date of birth, age, usage history and preference data for products and services, and other information that alone could not identify a person is grouped with personally identifying information and treated as personal information. The scope of personal information is the same for customers, employees of business partners, and Sony employees.

Classification of personal information (table reconstructed from the slide):

Secret (customer and employee information)
- Social security numbers, credit card numbers, driver's license numbers, bank account numbers, passwords, etc.
- Philosophy, creed, religion, etc.; information that could lead to discrimination
- Group activities, health condition, medical information, etc.

Confidential
- Customer information: names, addresses, phone numbers, e-mail addresses, age, date of birth, gender, marital status, salary, assets, etc.; survey answers, etc.
- Employee information: basic employee information plus family information, date of birth, work history, home address/phone number/e-mail address, salary, position, etc.; emergency contact network, etc.
- Business partner employee information: basic information about business partner employees plus home (or mobile) phone numbers, e-mail addresses and other private information, etc.

Internal Use Only
- Employee information: basic employee information (names, division names, company phone/fax numbers, company e-mail address, global ID)
- Business partner employee information: business cards / basic information about business partner employees (names, company phone/fax numbers, job titles)

Handling of Personal Information
Confidence in Sony: Personal Information

Key points on basic principles
- When collecting information, you must inform the individual, such as a customer, of the purposes of use of the personal information, obtain their consent, and collect only the necessary information.
- The personal information must be used and disclosed only within the scope to which the customer has consented.
- Thoroughly implement appropriate security measures for all handling processes, from collection to disposal.
- When disclosing the collected personal information to a subcontractor, either inside or outside the Sony Group, take sufficient measures to manage that subcontractor.


Office Security: General Office Area
- All staff shall wear their identification pass at all times while on office premises.
- Identification passes and access cards are not transferable.
- Staff shall report the loss of an identification pass or access card to HR immediately.

Visitors / Contract Staff
- Staff shall ensure that only authorized persons are allowed access to the office premises.
- Staff shall ensure that their visitors obtain a visitor pass before entering the office premises, and visitors should be escorted.
- Challenge unknown visitors.
- The physical and logical access profiles of contract and temporary staff are restricted.

Equipment Security: Off-premises
- Equipment and media taken off-premises must not be left unattended. E.g. portable computers should be carried as hand luggage and disguised where possible during travel.
- Equipment used during seminars, conferences and exhibitions should be chained and locked.

Equipment Security: Handling Procedure
- Prior approval from your superior must be obtained before any movement of equipment or software outside the office premises.
- Sensitive data should be removed from equipment sent for servicing.
- Media containing sensitive information should be disposed of securely (physically destroyed).

Clear Screen Policy
- Activate the password-protected screen saver.
- Recommended waiting time: 10 minutes.
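As an added example (not part of the original slides), a Python check of the clear-screen settings above against the Windows per-user screen-saver registry values. The value names (ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut and SCRNSAVE.EXE under HKCU\Control Panel\Desktop) are the standard Windows ones; the function names and the constructed WEAK/COMPLIANT sample values are this example's. It flags the case a practitioner often misses: the saver is active and the timeout is short, but no saver executable is selected or the password-on-resume flag is off, so the screen never actually locks.

```python
"""Check the clear-screen settings the training asks for (password-protected
screen saver, 10-minute timeout) against Windows per-user registry values.

Added example, not from the original slides. The registry value names are
the standard Windows ones; the function names and the sample values are
this example's. On non-Windows hosts only the evaluator runs.
"""
import sys

# Per-user settings. The Group Policy copy lives under
# HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop with the same names.
DESKTOP_KEY = r"Control Panel\Desktop"
MAX_TIMEOUT_SECONDS = 10 * 60  # the training's recommended waiting time


def evaluate_clear_screen(values: dict) -> list[str]:
    """Return the findings for a dict of registry values (name -> string).

    An empty list means the values comply with the clear-screen policy.
    """
    findings = []
    if values.get("ScreenSaveActive") != "1":
        findings.append("screen saver is not enabled (ScreenSaveActive != 1)")
    if not values.get("SCRNSAVE.EXE"):
        findings.append("no screen saver selected (SCRNSAVE.EXE missing), so nothing will lock")
    if values.get("ScreenSaverIsSecure") != "1":
        findings.append("screen saver does not require the password on resume (ScreenSaverIsSecure != 1)")
    try:
        timeout = int(values.get("ScreenSaveTimeOut", ""))
    except (ValueError, TypeError):
        timeout = None
    if timeout is None or timeout <= 0:
        findings.append("timeout is not set (ScreenSaveTimeOut)")
    elif timeout > MAX_TIMEOUT_SECONDS:
        findings.append(f"timeout {timeout}s exceeds the recommended {MAX_TIMEOUT_SECONDS}s")
    return findings


def read_current_user() -> dict:
    """Read the live values from HKCU on Windows; return {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library, Windows only
    wanted = ("ScreenSaveActive", "ScreenSaverIsSecure", "ScreenSaveTimeOut", "SCRNSAVE.EXE")
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, DESKTOP_KEY) as key:
        for name in wanted:
            try:
                values[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # value not present; the evaluator reports it
    return values


# Constructed sample values: a weak configuration beside the corrected one.
WEAK = {"ScreenSaveActive": "1", "ScreenSaverIsSecure": "0", "ScreenSaveTimeOut": "3600"}
COMPLIANT = {"ScreenSaveActive": "1", "ScreenSaverIsSecure": "1",
             "ScreenSaveTimeOut": "600", "SCRNSAVE.EXE": r"C:\Windows\System32\scrnsave.scr"}

if __name__ == "__main__":
    live = read_current_user() or WEAK  # fall back to the constructed sample off-Windows
    for finding in evaluate_clear_screen(live) or ["compliant"]:
        print(finding)
```

Run on the user's own session the script reports what would have to change; run against WEAK it reports three findings (no saver executable, password not required on resume, 60-minute timeout), which is exactly the configuration that looks enabled in the control panel but leaves the desk exposed.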

Clear Desk Policy
- Do not leave sensitive documents unattended; secure them under lock and key.
- When printing sensitive documents, collect the printouts immediately.
- Photocopying of sensitive documents must always be attended, and staff must clear the photocopier of all documents after photocopying.


Controls against Malicious Software
- Ensure anti-virus software is installed.
- Do not disable the anti-virus software.
- Follow the instructions sent by the LAN Admin for anti-virus updates and patch installation. DO NOT IGNORE SUCH INSTRUCTIONS; contact the Helpdesk/MIS for assistance.
This is to protect your PC's content and to prevent data loss.

Use of Standard PC (1)
To a certain extent, the internal network is protected from unauthorized access and attacks from the Internet. However, if even one PC has a decreased level of security because of overconfidence in the network's safety, it becomes a loophole that can expose the network and every PC connected to it to the following dangers:
- Information leakage
- Virus infection
- Unauthorized access

Use of Standard PC (2)
1. USE A SONY STANDARD PC WITH THE APPLIED SECURITY MEASURES.
The following security measures are applied to standard PCs (Sony VAIO) to keep the security level in top condition at all times. They also include the software (Microsoft Office, etc.) needed for smooth deployment of B2E services.
Security measures applied to standard PCs:
- Windows XP Professional operating system
- Symantec AntiVirus software
- SMS Tools software, enabling automatic distribution of the latest security patches from Client Security Management Services

Use of Standard PC (3)
2. DO NOT USE A PRIVATE PC OR A NON-COMPANY PC.
As private PCs are not guaranteed to have the proper security measures, they pose a high risk as sources of virus epidemics and of information leakage through virus infection. They can also become breeding grounds for fraudulent acts.
a. Do not connect a non-company PC, such as a private PC, to the internal network.
b. Do not work on a private PC by taking information home on external recording media or by e-mail.

Use & Governance of the Company's Electronic Mail & Internet Access
- Electronic mail and Internet access are made available to staff to help them perform their work more effectively and efficiently.
- Incidental use of e-mail and Internet access for personal purposes is acceptable provided it does not detrimentally affect employee productivity, disrupt the systems or cause harm to the company's reputation or business operations.
- All e-mails and related system resources are the property of the company.
- The company reserves the right to inspect, monitor, log, track or disclose e-mail or Internet access activities.

Use & Governance of the Company's Electronic Mail & Internet Access
Responsibilities of staff in e-mail usage
- Do not use e-mail to distribute hoaxes, chain letters, advertisements, or rude, obscene, slanderous or harassing messages.
- Broadcasting unsolicited views on social, political, religious or other non-business matters is prohibited.
- Do not use e-mail to propagate viruses knowingly or maliciously.
- Attempting to interfere with another person's e-mail account, or engaging in harassment, whether through language, frequency or size of messages, is prohibited.

Use & Governance of the Company's Electronic Mail & Internet Access
Responsibilities of staff in Internet usage
- Participation in Internet/web-based conferences, newsgroups, bulletin boards, e-mail list servers or other electronic forums requires prior approval at Division Head level.
- Use of public tools such as MSN, Skype or other instant messengers is not allowed.
- Do not access, download or distribute content that is in breach of the law, that may cause offence to others, or that may incite violence.
- Software may not be downloaded from the Internet without prior approval of the Division/Department Head.

Information Exchange (1): Voice
- Exercise care when disclosing or discussing classified information over the phone.
- Ensure that the audience present at both ends is authorized to receive the information being discussed during three-way teleconferencing.
- Do not access your voice mailbox in the presence of others when using a display phone.
- Do not access your voicemail with the phone speaker on.

Information Exchange (2): Fax
When faxing sensitive documents, staff must ensure that:
- the manual fax function is used to fax out;
- prior arrangement is made with the recipient so that the document can be collected immediately;
- all documents are cleared from the fax machine before leaving.

Video Conferencing
Staff hosting a video conference shall ensure that the audience present at both ends is authorized to receive any classified information that is disclosed or discussed.


Password Management
Password rules
1. Use a minimum of 6 characters.
2. Use both letters and numbers.
3. Use both upper and lower case.
4. Use special characters.
5. Choose a password you can memorize easily without writing it down, and type quickly and smoothly without looking at the keyboard.

Password Management
Users' responsibilities
1. Do not disclose your User ID and password.
2. Do not keep a paper record of passwords unless it can be stored securely.
3. Change your password whenever there is any indication of possible compromise.
4. Change your password periodically.

Mobile Computing (1)
Usage of mobile computers
- Mobile computers shall not be left unattended in insecure locations, and should be locked away where possible.
- Do not leave mobile computers in your vehicle.
- Hand-carry mobile computers during travel.
- Back up your data regularly.
- Do not allow unauthorized persons to use your mobile computer.

Mobile Computing (2)
Users' responsibilities
- If the mobile device is left unattended during remote access, discontinue the remote access or render it unusable by others.
- Do not keep the mobile computer and the token or password together.
- Loss of, damage to or vandalism of mobile computers and equipment must be reported to HR immediately.


Copyright Act
1. Only licensed software shall be used for business activities within the organization.
2. Staff who install any unlicensed software shall be held fully responsible for any copyright infringement.
3. Software installed for a trial run shall be removed from the system when the trial period is over.


Staff Responsibilities
Staff shall be responsible:
- to uphold security in the company;
- to abide by the company security policy;
- to ensure security is not compromised while performing their job;
- to observe the utmost confidentiality of all information learned and/or received;
- to abide by the applicable legislation, e.g. intellectual property rights, copyright;
- to report any security incidents or weaknesses.

Any violation of policy or security breach will result in disciplinary action against the staff concerned.

Reporting Security Incidents
What is a security incident? Any event that could result in loss of or damage to assets. Incidents are either IT-related or non-IT-related.

IT-related: an adverse event or situation associated with information systems.
E.g. unauthorized access, website defacement, network probing, malicious code, viruses, use of system privileges without authorization.

Non-IT-related: an action that would be in breach of the organization's security policies or procedures.
E.g. improper handling or disclosure of a classified document, vandalism.

SPEM Information Security Incident Report Flow
(Flowchart reconstructed as steps)
1. An incident occurs. E.g. 1. leakage of secret information; 2. loss or theft of an information asset; 3. unauthorized access to information assets.
2. The Division Information Security Representative fills up the SPEM Security Incident Form.
3. The Division Manager approves the form.
4. The SPEM Information Security Officer classifies the incident using the Incident Classification Chart.
5. If the incident is Class 1 or 2: the SPEM Information Security Committee and the SPEM Managing Director/Director are informed, and a Regional Security Incident Form is submitted to RISMO.

Information Security Incident Form
SPEM Information Security Incident Report Form (CONFIDENTIAL)
(Form is to be used when reporting a possible virus, hacker attack, DoS attack, fraud or other security incident.)
The form is available in Lotus Notes under [IS Approve Form], Form No. F032.

Person reporting the incident: Name; Designation; Division/Department; GID; Phone number; Extension number; Fax number; E-mail address.
Incident details: Date; Time; Location of incident; How was the incident detected? When was it detected (date and time)?

Incident category:
- Leakage of classified information
- Loss or theft of information assets
- Theft of programming source code
- Unauthorized access to the information assets of Sony Group (incl. website defacement)
- Probe / scan / unauthorized electronic monitoring (sniffers)
- Malicious code / virus (incl. worms and Trojans)
- DoS (Denial of Service)
- Misuse of information assets of Sony Group by an employee
- Human error by an employee resulting in disclosure of classified information
- Legal and regulatory violations / antisocial conduct by an employee
- Cyber crime (phishing, identity theft, telecom and/or financial fraud, etc.) (please describe)
- Other information security concerns (please describe)

This form is filled up by: (name), date/time, signature; Division Manager; Information Security Officer.
* Please submit additional documents for explanation if required.


Security Tips: Password Management
Use letters, numbers and special characters:
- Um!bre1a
- H@t4you
- ra1nCo@t

Phrases: use the first letter of each word in a phrase or sentence.
- Phrase 1: Happy New Year 2003 !  ->  Password: Hny2003!
- Phrase 2: Gong Xi Fa Cai 2003  ->  Password: Gxfc2003

Compound words: misspell compound words to construct a strong password.
- Deadbolt  ->  Dea&bowlt8
- Seashore  ->  See@sh0rr
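As an added example (not part of the original slides), the password rules from the Password Management section (minimum 6 characters, letters and numbers, upper and lower case, special characters) and the first-letter-of-each-word phrase method from the tips above, written as a Python checker. The function names and rule labels are this example's, not the training's. Run against the slides' own sample passwords it shows that Gxfc2003 follows the phrase method but fails the special-character rule, which is the kind of gap a reviewer of such a policy should look for; the 6-character minimum is also dated, as NIST SP 800-63B asks for at least 8 characters and treats length as the main strength factor.

```python
"""Password-policy checker for the rules listed in this training deck.

Added example (not part of the original slides). The rule set is the
deck's own (minimum 6 characters, letters and digits, upper and lower
case, special characters); the function names and labels are this
example's.
"""
import string

MIN_LENGTH = 6  # the deck's minimum; NIST SP 800-63B recommends at least 8


def check_password(password: str) -> list[str]:
    """Return the labels of the deck's rules that `password` fails.

    An empty list means the password satisfies every rule.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("min_length")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        failures.append("letters_and_numbers")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        failures.append("upper_and_lower")
    if not any(c in string.punctuation for c in password):
        failures.append("special_character")
    return failures


def from_phrase(phrase: str) -> str:
    """Build a password from a phrase the way the deck's examples do:
    first letter of each word, numbers and punctuation kept whole,
    first character upper case and the remaining letters lower case.
    """
    parts = []
    for token in phrase.split():
        parts.append(token[0] if token[0].isalpha() else token)
    raw = "".join(parts)
    return raw[:1].upper() + raw[1:].lower()


# The deck's own sample passwords, from the Security Tips slides.
DECK_SAMPLES = ["Um!bre1a", "H@t4you", "ra1nCo@t", "Hny2003!",
                "Gxfc2003", "Dea&bowlt8", "See@sh0rr"]


def audit_samples(samples=DECK_SAMPLES) -> dict[str, list[str]]:
    """Map each non-compliant sample to the rules it fails."""
    return {pw: fails for pw in samples if (fails := check_password(pw))}


if __name__ == "__main__":
    for phrase in ("Happy New Year 2003 !", "Gong Xi Fa Cai 2003"):
        pw = from_phrase(phrase)
        print(f"{phrase!r:26} -> {pw:10} fails: {check_password(pw)}")
    print("non-compliant deck samples:", audit_samples())
```

The checker reports which rule failed rather than a pass/fail flag, so the same function can drive a user-facing message or a bulk audit of a password dump after a compromise.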

Security Tips: Social Engineering
- Dumpster divers hope to get sensitive information. Disappoint them: shred sensitive documents.
- "Hello, I am from the helpdesk, I need your password." "What is your name?" Do not fall for social engineers; they will say anything to get valuable information. Never, ever give private or company information to unknown people.
- Do not discuss company or customer information in public. Social engineers are listening to you.

Security Tips: Office Security
- Do not allow piggybacking. Use your own access card to enter secure areas.

Security Tips: Information Handling
- You can't unring a bell. The best way to protect sensitive information is not to share it.
- We all value privacy. Handle personal information with care.

Security Tips: Clear Screen Policy
- Taking a break? Lock your computer when not in use. Use password-protected screen savers.

Security Tips: Clear Desk Policy
- Do not leave sensitive documents unattended on your desk.

Nature of Security
- Know who belongs in your environment. Challenge and escort unknown visitors.

Security Tips: Internet / E-mail Security
- There's always free cheese in a mousetrap. Exercise caution when downloading or launching any file from the Internet or from e-mail.
- Received an anonymous e-mail? Do not open the e-mail if the source is unknown.
- Delete chain e-mail. Do not forward it or reply to the sender; that is considered mail spamming and increases mail traffic.

Security Tips: Virus Handling
- Report if a virus is suspected.
- Delete hoax virus e-mails.
- Call the Helpdesk (IS) and log an incident if you are in doubt.

Security Tips: Mobile Security
- Do not leave your laptop unattended when you travel.
- Did you protect your laptop before going home? Lock your laptop or secure it inside a locked cabinet.

THE END

Title: Information Security Quiz Name : Emp ID : Div/Dept : Date : _________________________ _________________________ _________________________ _________________________

Important : To pass the quiz, you need to obtain 9 or more correct answers. Please answers all the questions.

What are the 3 information classifications used in Sony? (I) SECRET (II) CONFIDENTIAL (III) INTERNAL USE ONLY (IV) IMPORTANT A. (I), (II) & (III) B. (I) only C. (II) only D. (I), (II), (III) & (IV) Which of the following rules is NOT correct for password handling? A. Do not write down your password B. Use 'Remember password (auto complete)' function so that you need not remember the password C. Ensure that no one is looking over your shoulder when you are entering your password D. Change your password if it has been revealed to others

INTERNAL USED ONLY

77

Title: Information Security Quiz

Which of the following rules is NOT correct for handling of external recording media with classified information? A. Personal recording media can be used to store company information B. Store external recording media under lock and key at your workplace C. Immediately after using an external recording media, completely delete all information on it Non-Company computer should not be connected to Sony internal network. A. TRUE B. FALSE The rules of using emails in the office include: (I) Do not set your company e-mail address to automatically forward incoming e-mail to a different address outside the company. (II) Refrain from sending e-mails to external mailing lists. (III) Password-protect e-mail attachment with confidential information, and send the password in a separate mail. A. (I) only B. (II) & (III) C. (I), (II) & (III)


6. If an information security incident occurs, or you suspect one has, you should promptly report it to:
A. the Managing Director of the company you are in
B. your superior and the Information Security Representative
C. no one; ignore the occurrence of the incident or suppress your suspicion

7. What security measures must you take to protect your PC or notebook from viruses?
(I) Do not install software unnecessary to your work
(II) Do not view suspicious websites or download suspicious files
(III) Leave the real-time virus scanning function turned ON
A. (I) only
B. (II) only
C. (II) & (III)
D. (I), (II) & (III)

8. When leaving your PC unattended:
(I) Lock your computer (e.g. press Ctrl, Alt & Delete)
(II) Enable a password-protected screen saver
A. (I) only
B. (II) only
C. (I) & (II)


9. How do you handle classified documents?
(I) Store SECRET & CONFIDENTIAL documents in a locked cabinet
(II) Completely dispose of classified documents with an unrecoverable method (e.g. shredding)
(III) Do not let documents out of your possession when taking them outside the company for business purposes
(IV) Leave CONFIDENTIAL documents unattended on your desk when going home
A. (I) only
B. (I), (II) & (III)
C. (II) & (III)
D. (I), (II), (III) & (IV)

10. What are the rules regarding in-house Internet access?
(I) Do not view bulletin boards, etc., that are unrelated to work
(II) Do not access sites that are unrelated to work
(III) Do not use free e-mail, instant messenger, or web chat services on your work PC
A. (I) only
B. (II) only
C. (II) & (III)
D. (I), (II) & (III)
