Content
1. Introduction
   - Objective of this training
   - Introduction to information security
2. Security Framework
   - Security Policy
   - Security Organization
3. Security Requirements
   - Asset classification & control
   - Physical & environment security
   - Communications & operation management
   - Access control
   - Compliance
   - Personnel security
4. Security Tips

Objective
To create general security awareness amongst staff and achieve a high level of compliance in meeting the requirements stated in the information security policies.
What is Information?
Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.

Types of Information
- Customer: e.g. customer sales data
- Internal: e.g. pricing
- Public: e.g. news content
- Shared: e.g. knowledge management

Forms of Information
- Transmitted electronically (e-mail)
- Stored electronically (database)
- Verbal (spoken)
- Printed (fax, documents)
The three properties of information security (C-I-A):
1. Confidentiality: ensuring that information is accessible only to those authorized to have access
2. Integrity: ensuring the accuracy and completeness of information
3. Availability: ensuring that authorized users have access to information

Why information security matters:
1. Protect information assets
2. Maintain competitive edge
3. Ensure legal compliance
4. Protect the company's image
5. Identify security threats
Security-related THREATS
[Diagram: threats to information both in the office and out of office: virus, data corruption, equipment failure, theft of software, environmental threat, employee, system, Internet]
INTERNAL USE ONLY

[Chart: route of confidential information leakage (in 2005): Loss/Misplacement 42.1%, Theft 25.5%, Email 6.6%]
[Chart: number of confidential information incidents by cause, FY05, FY06 and FY07*; * FY07 data as at 19 Feb 08]
(2) Basic policy regarding each security requirement
Chapter 1: Introduction; Chapter 2: Scope; Chapter 3: Classes of Sony Information Security Policy; Chapter 4: 4.1 Sony Group Information Security Management System
Chapter 4: 4.2 External parties; Chapter 5: Asset management; Chapter 6: Human resources security; Chapter 7: Physical and environmental security; Chapter 8: Communications and operations management; Chapter 9: Access control; Chapter 10: Information systems acquisition, development and maintenance; Chapter 11: Information security incident management; Chapter 12: Business continuity management; Chapter 13: Compliance

Detailed rules (minimum security requirements) implementing the GISP
Owned by functions such as Workplace Solutions and Human Resources, covering human resources security, access control, physical security, network management, development & maintenance, etc.
HQ security organization (chart)
- Executives: Oneda (CFO), Seligman, Hara, Fujita, Kirihara, Hasejima (GGC SVP / SVP / CIO SVP)
- Global Security Office, head: F. Sakai; CWS: T. Aoki, A. Igarashi; HR Center: K. Taniguchi; Legal: M. Kudo; IS: F. Sakai; PIM: T. Waga; ISM: M. Shigenari; CC: TBC; with a PIM group and an ISM group
- Security Management Dept. (Inc.), head: S. Lee, covering PIM, ISM, Legal, HR, WS, IS and CC
Purpose:
1) To integrate Information Security and PIM activities.
2) To integrate the HR, Facility, IS, CC & Legal functions to cooperate on Information Security and PIM related issues.
Security contacts by function
- IS: Rusila, Kanna
- HR/Personnel: Jamalul
- HR/Security: Kuldeep
- Procurement: Chiang/Ratna
- BA: Robiza
- ESH: Siva
- Prod: Fazli/Hasnida
Information Classification
Why do we need information classification?
Information that falls into unauthorized hands can be damaging to both SONY and our customers.

Information Classification
1) SECRET: the most important and sensitive information. Personnel who are allowed to access this kind of information must be strictly examined and limited to those with a need for access.
Example: passwords
2) CONFIDENTIAL: important and sensitive information. Personnel who are allowed to access this kind of information must be those whose duties justify a need-to-know.
Example: management information, business plans, midterm plans
BASELINE SAMPLE: SPEM Information Security Incident Report Form (Form No. AD-F032, with Revision No. and "Person reporting the incident" fields; to be used when reporting a possible virus, hacker attack, DoS attack, fraud or other security incident)
Guideline for labeling the classification marking: font type Arial, font size 10, font style bold, placed preferably at the bottom center of the content page.
Personal Information
What Is Personal Information?
At Sony, a person's name, address, phone number, e-mail address, etc., are personally identifying information, and if any of these are included, the whole piece of information is considered personal information. Moreover, even credit card numbers, bank account numbers, gender, date of birth, age, usage history and preference data for products and services, and other information that alone could not identify a person is grouped with personally identifying information and treated as personal information. The scope of personal information is the same for customers, employees of business partners, and Sony employees.

Classification of personal information
Customer information
- Confidential: names, addresses, phone numbers, e-mail addresses, age, date of birth, gender, marital status, salary, assets, etc.; survey answers, etc.
- Secret: social security numbers, credit card numbers, driver's license numbers, bank account numbers, passwords, etc.
Employee information
- Confidential: basic employee information (names, division names, company phone numbers/fax numbers, company e-mail address, global ID), plus family information, date of birth, work history, home address/phone number/e-mail address, salary, position, etc.; emergency contact network, etc.
- Secret: philosophy, creed, religion, etc.; information that could lead to discrimination; group activities, health condition, medical information, etc.
Business partner employee information
- Confidential: basic information about business partner employees (names, company phone numbers/fax numbers, job titles; business cards), plus home (or mobile) phone numbers, e-mail addresses and other private information, etc.
- Staff shall ensure that their visitors obtain a visitor pass before gaining entry to office premises, and visitors should be escorted
- Challenge unknown visitors
- Contract and temporary staff physical access and logical access profiles are restricted
Equipment Security
Handling procedure
- Prior approval from a superior is to be obtained before any movement of equipment or software outside the office premises
- Sensitive data should be removed from equipment sent for servicing
- Media containing sensitive information should be disposed of securely (physically destroy it)
Standard PC configuration:
- Windows XP Professional operating system
- Symantec Antivirus software
- SMS Tools software, to enable automatic distribution of the latest security patches from Client Security Management Services

a. Do not connect a non-company PC, such as a private PC, to the internal network.
b. Do not work on a private PC by taking information home on external recording media or by e-mail.
Information Exchange 1
Voice
- Exercise care when disclosing or discussing classified information over the phone
- Ensure that the audience present at both ends is authorized to receive the information being discussed during three-way teleconferencing
- Do not access your mailbox in the presence of others when using a display phone
- Do not access your voicemail with the phone speaker on
Information Exchange 2
Fax
When faxing sensitive documents, staff must ensure that:
- the manual fax function is used to fax out
- prior arrangement is made so that the recipient can collect the document immediately
- all documents are cleared from the fax machine before leaving
Video Conferencing
Staff hosting a video conference shall ensure that the audience present at both ends is authorized to receive any classified information that is being disclosed or discussed.
Password Management
Password
1. Use a minimum of 6 characters
2. Use both letters and numbers
3. Use both upper and lower case
4. Use special characters
5. Choose a password that you can memorize without writing it down and type quickly and smoothly without looking at the keyboard (memorable to you, not simple to guess)
Password Management
Users' Responsibilities
1. Do not disclose your User ID and password
2. Do not keep a paper record of passwords, unless it can be stored securely
3. Change your password whenever there is any indication of possible compromise
4. Change your password periodically
Mobile Computing 1
- Do not allow unauthorized persons to use your mobile computers
Mobile Computing 2
Users' Responsibilities
- If the mobile device is left unattended during remote access, discontinue the remote access or render the device unusable by others
- Do not keep the mobile computer and its token or password together
- Loss, damage and vandalism to mobile computers and equipment must be reported to HR immediately
Copyright Act
1. Only licensed software shall be used for business activities within the organization
2. Staff who install any unlicensed software shall be held fully responsible for any copyright infringement
3. Software that is installed for a trial run shall be removed from the system when the trial period is over
Staff Responsibilities
Staff shall be responsible:
- to uphold security in the company
- to abide by the company security policy
- to ensure security is not compromised while performing their job
- to observe utmost confidentiality of all information learned and/or received
- to abide by the applicable legislation, e.g. intellectual property rights, copyright
- to report any security incidents or weaknesses
Any violation of policy or security breach will result in disciplinary action against staff.

Non-IT related incident: an action that would be in breach of organization security policies or procedures.
E.g. improper handling or disclosure of a classified document, vandalism.
Information Security Incident Form (Form No. F032), available in Lotus Notes under [IS Approve Form]
PERSON REPORTING THE INCIDENT: Name, GID, Designation, Division/Department, Phone Number, Extension Number, Fax Number, Email Address, Location of incident, Date, Time
How was the incident detected? When was it detected? (Date and Time)
INCIDENT CATEGORY:
- Leakage of classified information
- Loss or theft of information assets
- Theft of programming source code
- Unauthorized access to the information assets of Sony Group (incl. website defacement)
- Probe / scan / unauthorized electronic monitoring (sniffers)
- Malicious code / virus (incl. worms and Trojans)
- DoS (Denial of Service)
- Misuse of information assets of Sony Group by employee
- Human errors by employee resulting in classified information disclosure
- Legal and regulatory violations / antisocial conduct by employee
- Cyber crime (phishing, identity theft, telecom and/or financial fraud, etc.) (please describe)
- Other information security concerns (please describe)
This form is filled up by: Report Person Name, Date/Time; Division Manager (signature); Info. Sec. Officer (signature)
Security Tips: Password Management
Use letters, numbers and special characters, e.g. Um!bre1a, H@t4you, ra1nCo@t

Phrases: use the first letter of each word in a phrase or sentence.

Compound words: misspell compound words to construct a strong password.
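The three password tips above (character mix, phrase initials, misspelled compound words) and the rules from the Password Management section, as a small checker. This is an added example written for this page, not Sony's training material or any tool of theirs. `check_password` applies the stated rules (minimum 6 characters, letters and digits, upper and lower case, special characters); `phrase_to_password` and `compound_password` build candidates the two ways the tips describe; `naive_entropy_bits` estimates the guess space so the candidates can be compared. The minimum-length constant, the substitution map and the short common-password list are assumptions chosen for illustration.

```python
import math
import string

MIN_LENGTH = 6  # minimum length stated in the training's rules (assumed to be a hard floor)

# Constructed, deliberately tiny list of passwords that must always fail.
# A real deployment checks against a large breached-password corpus instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

# Assumed substitution map for the "misspell compound words" tip.
LEET = str.maketrans({"a": "@", "i": "1", "o": "0", "s": "$"})


def check_password(pw: str) -> list:
    """Return the list of rules the password violates (empty list = passes).

    Rules: minimum length, letters present, digits present, upper and lower
    case present, at least one special character, not a common password.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c.isupper() for c in pw):
        problems.append("no upper case")
    if not any(c.islower() for c in pw):
        problems.append("no lower case")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    return problems


def phrase_to_password(phrase: str) -> str:
    """First character of each word in the phrase, keeping case, digits and
    symbols as they appear; trailing punctuation of the last word is kept too."""
    tokens = phrase.split()
    if not tokens:
        return ""
    out = "".join(tok[0] for tok in tokens)
    tail = tokens[-1][-1]
    if tail in string.punctuation and len(tokens[-1]) > 1:
        out += tail
    return out


def compound_password(words) -> str:
    """Join the words camel-case style, then apply the LEET substitutions to
    the lower-case letters so the result is no longer a dictionary word."""
    if not words:
        return ""
    joined = words[0].lower() + "".join(w.capitalize() for w in words[1:])
    return joined.translate(LEET)


def naive_entropy_bits(pw: str) -> float:
    """Upper bound on guess-space size in bits: length * log2(alphabet size).

    This assumes every character was chosen uniformly, which is false for
    dictionary-derived passwords, so treat it as a ceiling, not a measure
    of real strength.
    """
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)  # the 32 ASCII symbols
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    candidates = (
        "Um!bre1a",                                           # from the slide
        phrase_to_password("My dog Rex has 3 legs & 1 tail!"),  # constructed phrase
        compound_password(["rain", "coat"]),
        "password",
    )
    for candidate in candidates:
        print(f"{candidate:16} {naive_entropy_bits(candidate):5.1f} bits "
              f"{check_password(candidate) or 'OK'}")
```

The numbers make the tips concrete: an eight-character substituted word such as Um!bre1a tops out around 52 bits even under the generous uniform assumption, while a phrase-derived string gains roughly 6.5 bits per extra word. The substitutions in LEET are also among the first rules a password-cracking rule set applies to a wordlist, so that tip raises the bar only modestly; length does more.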
Disappoint them!!!
Do not fall for social engineers. They will say anything to get valuable information.
Do not discuss company or customer information in public. Social engineers are listening to you.
Do not allow piggybacking. Use your own access card to enter secure areas.
You can't unring a bell. The best way to protect sensitive information is not to share it.
Taking a break? Lock your computer when not in use. Use password-protected screen savers.
The nature of security: know who belongs in your environment. Challenge and escort unknown visitors.
There's always free cheese in a mousetrap. Exercise caution when downloading or launching any files from the Internet or e-mail.
Delete chain e-mail. Do not forward it or reply to the sender: it is considered mail spamming and increases mail traffic.
THE END
Title: Information Security Quiz
Name: _________________________
Emp ID: _________________________
Div/Dept: _________________________
Date: _________________________

Important: To pass the quiz, you need to obtain 9 or more correct answers. Please answer all the questions.

1. What are the 3 information classifications used in Sony?
   (I) SECRET (II) CONFIDENTIAL (III) INTERNAL USE ONLY (IV) IMPORTANT
   A. (I), (II) & (III)  B. (I) only  C. (II) only  D. (I), (II), (III) & (IV)
2. Which of the following rules is NOT correct for password handling?
   A. Do not write down your password
   B. Use the 'Remember password (auto complete)' function so that you need not remember the password
   C. Ensure that no one is looking over your shoulder when you are entering your password
   D. Change your password if it has been revealed to others
3. Which of the following rules is NOT correct for handling of external recording media with classified information?
   A. Personal recording media can be used to store company information
   B. Store external recording media under lock and key at your workplace
   C. Immediately after using an external recording medium, completely delete all information on it
4. Non-company computers should not be connected to the Sony internal network.
   A. TRUE  B. FALSE
5. The rules for using e-mail in the office include:
   (I) Do not set your company e-mail address to automatically forward incoming e-mail to a different address outside the company.
   (II) Refrain from sending e-mails to external mailing lists.
   (III) Password-protect e-mail attachments containing confidential information, and send the password in a separate mail.
   A. (I) only  B. (II) & (III)  C. (I), (II) & (III)
6. If an information security incident occurs or you suspect one has, you should promptly report it to:
   A. the Managing Director of the company you are in
   B. your superior and the Information Security Representative
   C. no one; ignore the occurrence of the incident or suppress your suspicion
7. What security measures must you take to protect your PC or notebook from viruses?
   (I) Do not install software unnecessary to your work
   (II) Do not view suspicious websites or download suspicious files
   (III) Leave the real-time virus scanning function turned ON
   A. (I) only  B. (II) only  C. (II) & (III)  D. (I), (II) & (III)
8. When leaving your PC unattended:
   (I) Lock your computer (e.g. press Ctrl, Alt & Delete)
   (II) Enable a password-protected screen saver
   A. (I) only  B. (II) only  C. (I) & (II)
9. How do you handle classified documents?
   (I) Store SECRET & CONFIDENTIAL documents in a locked cabinet
   (II) Completely dispose of classified documents with an unrecoverable method (e.g. shredding)
   (III) Do not let documents out of your possession when taking them outside the company for business purposes
   (IV) Leave CONFIDENTIAL documents unattended on your desk when going home
   A. (I) only  B. (I), (II) & (III)  C. (II) & (III)  D. (I), (II), (III) & (IV)
10. What are the rules regarding in-house Internet access?
   (I) Do not view bulletin boards, etc., that are unrelated to work
   (II) Do not access sites that are unrelated to work
   (III) Do not use free e-mail, instant messenger, or web chat services on your work PC
   A. (I) only  B. (II) only  C. (II) & (III)  D. (I), (II) & (III)