Information Security Awareness Program

January 2, 2012

CONTENT
 What is information ?  Characteristics of information  What is information Security ?  What is ISMS ?  Clearing desk and Clear screen policy  Desktop and portable device policy  Password Policy  Email policy  Internet policy  ISO 27001  Security awareness clips

What is information ? Raw data

BOB

1St JAN 2011

A12

Dubai

IT

Bangalore

Structured Data

Name BOB

Date 1st JAN 2011

Seat No. A12

Destination Dubai IT

Airline

Boarding Bangalore

From above data , we can derive the following information: On 1st of January BOB Travelled from Bangalore to Dubai by Kingfisher airline(IT) and his seat number was A12

Information is data that has been given meaning by way of relational connection.

Three characteristics of Information

Confidentiality

Integrity

Availability

What is Confidentiality?
Making sure only those people who are supposed to see the information see it.

Hey! my credit card number is confidential

So, is the business information stored in your office system

Personal

Business

Example :- A password or PIN number enforce confidentiality

What is Integrity?
Making sure only those people who are supposed to change (edit) the information can change it.

I want my credit card to be charged the exact amount

Data in sensitive system should not be changed without permission

Personal

Business

Example :- File permissions enforce Integrity

What is Availability?
Making sure the information is available when the authorized people requires it.

Keep backup of my credit card statements in case disputes arises

Backup of business data avoid panic in case of systems failure

Personal

Business

Example :- Backup ensure availability

What is Information Security ?

Business Information

Confidentiality Integrity Availability

Information security focuses on protection of Confidentiality, Integrity, and Availability of Information

What is ISMS?

ISMS encompass the following

Information Security Policy

Information Security Organizational structure

Information Security Standard

Information Security process and procedures

Administrative, Physical , technical controls

Monitoring & review systems

CLEAR DESK & CLEAR SCREEN POLICY

CLEAR DESK & CLEAR SCREEN POLICY Cont..

Objective:- Protect information stored in your computer and hard copy documents from unauthorized Access How to practice this ? lock your Computer using Ctrl + Alt + Del while you leave your workstation If working on sensitive information, and you have a visitor to your desk, lock you screen to prevent the contents being read

When desks/offices are unoccupied, any confidential information must be locked away in cabinets or offices

All waste paper, which contains any personal or confidential information must be shredded or destroyed

DESKTOP & PORTABLE DEVICE SECURITY POLICY

Objective:- Protect information stored in your computer and avoid malware Propagation

How to achieve this?

Employees are responsible for physical security of their laptops, blackberry etc..

Use of external USB storage devices is restricted.

Always scan for viruses when copying or downloading files to your computer from CD/DVD and other sources

Employees are responsible for taking backups of laptop/desktop data

Password policy

To ensure protection of information from unauthorized access

Use Complex password, that is use combination of alpha numeric and special characters Use minimum 8 characters for your password Change password before 90 days Do not repeat last 5 passwords

Do not share your password

No password behind keyboard

EMAIL POLICY

Email Policy - Objective

Avoid information leakage

How to achieve this ?

Use official mail for Company business only

Company confidential information must not be shared outside the Company, without authorization, at any time

Email Policy objective :- Avoid legal issues

How to achieve this ?

Ethnic & Racial harassment, abuse etc.. is strictly prohibited

Sending pornographic jokes or other contents of sexual nature via email, is considered sexual harassment and will be addressed according to HR Policy.

BIAL retains the right to remove from its information systems any material it views as offensive or potentially illegal

Do not forward chain mails

Sample Hoax email-1

Here something that you might want to read it was on the news . Subject: FW: PLEEEEEASE READ!!!! It was on the news!
Dear friends, Something to share with all of u. Would u believe if this is true? Read on..... For those who need money badly and this is one opportunity to try it! I'm an attorney, and I know the law. This thing is for real. Rest assured AOL and Intel will follow through with their promises for fear of facing a multimillion-dollar class action suit similar to the one filed by PepsiCo against General Electric not too long ago. Dear Friends, Please do not take this for a junk letter. Bill Gates is sharing his fortune. If you ignore this you will repent later. Microsoft and AOL are now the largest Internet companies and in an effort to make sure that Internet Explorer remains the most widely used program, Microsoft and AOL are running an e-mail beta test. When you forward this e-mail to friends, Microsoft can and will track it (if you are a Microsoft Windows user) for a two week time period. For every person that you forward this e-mail to, Microsoft will pay you $245.00, for every person that you sent it to that forwards it on, Microsoft will pay you $243.00 and for every third person that receives it, you will be paid $241.00. Within two weeks, Microsoft will contact you for your address and then send you a cheque. Regards. Charles S. Bailey General Manager Field Operations [CONTACT DETAILS REMOVED] I thought this was a scam myself, but two weeks after receiving this e-mail and forwarding it on, Microsoft contacted me for my address and within days, I received a cheque for US$24,800.00. You need to respond before the beta testing is over. If anyone can afford this Bill Gates is the man. It's all marketing expense to him. Please forward this to as many people as possible. You are bound to get at least US$10,000.00. We're not going to help them out with their e-mail beta test without getting a little something for our time. My brother's girlfriend got in on this a few months ago. When I went to visit him for the Baylor/UT game. She showed me her check. It was for the sum of $4,324.44 and was stamped "Paid In Full". Like I said before, I know the law, and this is for real Intel and AOL are now discussing a merger which would make them the largest Internet company and in an effort make sure that AOL remains the most widely used program, Intel and AOL are running an e-mail beta test.

Sample Scam email-2

Mr.Tim J W Tookey Group Finance Director of Lloyds Banking Group 25 Gresham Street, London EC2V 7HN www.lloydsbankinggroup.com timgdfbns@yahoo.com.hk

Good day, I am Mr. Tim J W Tookey, the Group Finance Director of Lloyds Banking Group. I personally discovered a dormant account with a total sum of $85,000,000.00 [EIGHTY FIVE MILLION DOLLARS] during our Bank's Annual Year Account Auditing. Since the death of the deceased, nobody has operated in this account till date. Moreover, this account has NO BENEFICIARY attached to it. Definitely, this fund will be confiscated by our BANKING CODE OF ETHICS if it remains dormant for a period of [10] year without any claims. In this regard, I earnestly need your full cooperation in transferring this money out of our bank to avoid our bank confiscating this fund. HOW THE TRANSACTION CAN BE HANDLED: As the group finance director of our bank, all our client account details and file are in my possession and that makes it easy for me to include your name as the beneficiary of the fund in all necessary documents involving the money we wish to transfer out from our bank. Most importantly, you will be required to: (1). Act as the original beneficiary of the funds. (2). Receive the funds into a business/private bank account. (3). At the completion of this transaction, the sharing rates shall be 50% for me while 50% for you. Note: I will split the transfer into two 2 stages for easy and smooth transfer. Firstly, the sum of $80,000,000.00 will transfer to any valid foreign account you will nominate, then upon a successful transfer without any disappointment from our side; I will then fly to meet you in your home destination for sharing, thereafter we will jointly transfer the remaining balance of $5,000,000.00. I will also like us to invest some part of the money in your country. If you accept to work with me, you will be given 50% of the total money as your share and 50%. So the main question is, will you partner me in this transaction. If you are willing to cooperate in this projectthe get back to me on my private email address timgdfbns@yahoo.com.hk view my identification link:

http://www.lloydsbankinggroup.com/about_us/directors/executive_directors.asp#timtookey I AWAIT YOUR URGENT REPLY. Yours Truly, Mr. Tim J W Tookey timgdfbns@yahoo.com.hk

INTERNET ACCESS POLICY

Internet Policy

Objective:- Utilize technology for better productivity The use of internet by company employees is permitted & encouraged where such use is suitable for business purpose & supports the goals & objectives of the company by Providing internet access to all computer users No time based restriction
Ethnic & Racial harassment, abuse etc.. is strictly prohibited

Objective:- Avoid information leakage Sending pornographic jokes or other contents of sexual nature via email, is considered sexual harassment and will be addressed By restricting according to HR Policy. Social networking sites Instant messaging Personal Network storage & backup sites Publishing/disclosing any business sensitive information on personal websites/portals/blogs/social networking sites

Internet Policy

Objective:-Avoid legal action by

Restricting Internet access only to acceptable category of websites & contents.

Ethnic & Racial harassment, abuse etc.. is strictly prohibited

Monitoring internet use from all computers & devices connected to BIAL network Logging internet access details and retaining it for forensic purpose

Phishing

Sample Phishing email

Sample Phishing email

PHYSICAL & ENVIRONMENTAL SECURITY POLICY