
Program Objective Security Basics Framework for managing information security user’s role in...

Date post: 25-Dec-2015
Upload: joseph-tracy-wilkerson
Transcript

Program Objective

• Security Basics
• Framework for managing information security
• User’s role in implementing & maintaining information security

Information Security

Information Security is a method by which an organization ensures that it has control over its systems and data, thereby protecting its investment in information technology, its customers’ confidence and its ability to maintain business operations in an effective and efficient manner.

Information Security Is NOT…

It’s not just the IS team or the IT team… it’s more than that!

Information security is not only about applying technical controls and installing security devices.

Rather…

Information security is achieved by implementing a suitable set of controls, such as:

• policies
• procedures & guidelines
• technical systems
• security awareness workshops

Information Security Objectives

Confidentiality, Integrity, Availability

Securing an information asset primarily means ensuring its:

• Confidentiality
• Integrity
• Availability

What is Confidentiality?

Protecting sensitive records from unauthorized use and distribution.

Examples include:

• Income information
• Transaction records
• Customer site information, designs & layouts, and intellectual-property-related records


What is Integrity?

Maintaining the quality and validity of a record. Non-repudiation is a concept arising out of integrity: it is a process by which the ultimate responsibility for a transaction is pinned on the user/customer.

Examples include:

• Balance and transaction data are not changed in an unauthorized manner.
• Formulations of medicines are not changed.
• Compositions of materials are not altered.


What is Availability?

Ensuring that records are accessible whenever required.

Examples include:

• Information is available when it is required, e.g. customer information
• Customer medical records


How is everyone involved?

An aware workforce is the best defense against information security threats.

The right technology needs to be implemented for cost-effective information security.

Suitable policies and processes need to be implemented for effective information security.

People, Processes, Technology: Information Security

We are all responsible for information security.

Information Security Basics

What is an Asset?

• An asset is anything of value / importance to an organization.
• Assets can be of the following types:
  • Data assets – records / other data assets;
  • Software assets;
  • Physical assets;
  • Services assets;
  • People assets.

What is a Threat?

• A threat has the potential to cause an unwanted incident which may result in harm to a system, an organization and its assets.
• For example:
  • Fire
  • Theft
  • Viruses & worms
  • Malicious software

What are Vulnerabilities?

• Vulnerabilities are weaknesses associated with an asset. Trust is equal to voluntary vulnerability.
• These weaknesses may be exploited by a threat, resulting in loss, damage or harm to assets.
• For example:
  • Lack of physical protection
  • Wrong selection and use of passwords
  • Unprotected storage of documents
  • Insufficient security training

What are Security Controls?

• Security controls are practices, procedures or mechanisms which
  • protect against threats
  • reduce vulnerabilities
  • limit the impact of an incident
• For example:
  • Access control
    • Access cards
    • User ID / password
  • Environmental controls
    • Fire control system
    • Water leakage prevention

End User Responsibilities & Security Guidelines

Password Security

> Control Implemented

• Password policy for operating system and applications

> Your Support

• Don’t
  • Do not write it down or share it with ANYONE
  • Never use:
    • Your logon ID or its variations
    • Words in the dictionary
    • Birth dates, name of spouse, company name etc.
• Do
  • Keep long passwords
  • Change your password frequently
  • Use secure systems

Select Strong Passwords

• 8 characters
• Has numbers (1, 2…), capital letters (A, B…) and special characters (!, @…)
• Make simple words complex – H1m@l@y@
• First letter of each word in a sentence – J&Jwuth

Note: Do not use these examples as your passwords.
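A password policy checker in Python that encodes the rules on this and the previous slide, added here as an example and not part of the deck; it also undoes common character substitutions before the dictionary check, so the slide’s own example H1m@l@y@ is rejected as a disguised dictionary word. The word list, the company name and the 'YYYY-MM-DD' birth-date format are constructed assumptions.

```python
import re

# Constructed sample data for this example (not from the slides): a tiny word list and a
# company name. A real checker would load a full dictionary and read the user's HR record.
DICTIONARY = {"himalaya", "password", "welcome", "summer", "monsoon"}
COMPANY_NAME = "Acme"
SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>?/\\|`~")
# Substitutions people use to "make simple words complex"; undone before the dictionary check.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(password):
    """Lower-case, undo the substitutions above and keep letters only."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def check_password(password, logon_id, birth_date=None, spouse=None, company=COMPANY_NAME):
    """Return the list of slide rules the password breaks; an empty list means it passes.

    birth_date is a 'YYYY-MM-DD' string (an assumed format for this example).
    """
    problems = []
    if len(password) < 8:
        problems.append("fewer than 8 characters")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    lowered, folded = password.lower(), normalise(password)
    # Logon ID, spouse name and company name are rejected as-is, reversed or leet-disguised.
    for value, label in ((logon_id, "logon id"), (spouse, "spouse name"), (company, "company name")):
        if value and len(value) >= 3:
            v = value.lower()
            if v in lowered or v in folded or v[::-1] in lowered:
                problems.append(f"contains {label}")
    if birth_date:
        y, m, d = birth_date.split("-")
        if any(frag in password for frag in (y, d + m, m + d, d + m + y, y + m + d)):
            problems.append("contains birth date")
    if folded in DICTIONARY:
        problems.append("dictionary word (after undoing substitutions)")
    return problems


if __name__ == "__main__":
    for pw in ("H1m@l@y@", "J&Jwuth", "Tr0ub4dor&3"):
        print(pw, "->", check_password(pw, logon_id="jdoe") or "OK")
```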

Laptop Security

• Your Support
  • Always lock your laptop when stepping away from it.
  • Lock your laptop to your desk using a laptop lock.
  • Do not leave your laptop unattended in public places.
  • Use application passwords for all confidential data so that nobody can access it in case the laptop is lost.
  • Never install any application on the PC which is not purchased from, or downloaded from, a genuine supplier’s site.

E-Mail Security

• Please change your password frequently.
• If you are leaving confidential data in your mail, please ensure that it is encrypted, so that in case your email is compromised nobody can use it.
• Don’t open documents that are received from unknown sources.
• Be aware of Trojans and viruses that are sent as attachments.
• Do not share personal information with unknown recipients.
• Do not forward any email with other parties’ email IDs.
• Do not respond to spam emails received from unknown sources.

Phishing

It is not a virus, but a way to trick you into giving up personal or financial information.

• Never use a link in an e-mail to get to any web page.
• Never send personal or financial information to anyone via e-mail.
• Access any financial institution’s site through its genuine parent site rather than through emails.

How to safeguard yourself?

Clear Desk & Clear Screen

– Lock all restricted and confidential documents in a lockable container, i.e. under lock and key.
– Do not leave sensitive documents on your desk/printer/fax or in public places.
– Always shred your unwanted documents properly to avoid dumpster diving.
– Lock your computer when you leave your place.

Source as above

Social Engineering

• Social engineering preys on qualities of human nature:
  • the desire to be helpful
  • the tendency to trust people
  • the fear of getting into trouble
• Some of the ways in which social engineering is carried out are:
  • Forged phone calls
  • Dumpster diving
  • Persuasion
  • Phishing

• Do not discuss sensitive information with others in public.
• Do not give out sensitive information over email/telephone.
• Make sure nobody is looking at you when you are typing in your password. “Avoid shoulder surfing.”
• Always be sure of the other person’s identity when you receive a call which you are not expecting.

PC Best Practices

• Buy genuine software
• Install a firewall and antivirus
• Update patches given by the OS and other vendors
• Do not open or download any executable file or email attachment when in doubt

Physical Security

• Data Centre door: keep it closed
• Access control card: use it, do not share it
• Always wear your identification and access badge
• Escort visitors/vendors in the work/server area
• Never leave the entry gate open
• Tail-gating/piggy-backing should be discouraged
• Never use a camera phone in the work/server area
• Never share your ID card with others

Thank you. Any questions? Please put them in the forum.
