Pci compliance training agents

1,821 views

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,821
On SlideShare
0
From Embeds
0
Number of Embeds
356
Actions
Shares
0
Downloads
42
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Pci compliance training agents

  1. 1. SET INFORMATION SYSTEMS AND DATA SECURITY AWARENESS PROGRAM FUSION BPO SERVICES, Inc.
  2. 2. SET Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected’
  3. 3. SET What is Information Systems and Data security Policy? Can be defined as rules that regulate how an organization manages and protects its internal information, external customer or clients information and computing resources. Why do we need Security Policy? The policy tells the users, staff, managers, what they can do, what they cannot do and what they must do to comply with the Security Policy and Practice. Purpose: To ensure business continuity by reducing/minimizing damage to the business by safeguarding the confidentiality, integrity and availability of information.
  4. 4. Why do I need to learn about computerSET security?  Isn’t this just an IT Problem?  Everyone who uses a computer needs to understand how to keep his or her computer and data secure. 13
  5. 5. SET Why I Need Information Security Training  Security Awareness is a critical part of an organizations information security program; it is the human knowledge and behaviors that the organization uses to protect itself against information security risks. Humans, just like computers, store, process and transfer information. As a result many attackers today target the human, bypassing most security controls and using techniques such as social engineering to get the information they want. Awareness, not just technology, is now a key factor in an organizations goal to:  Reduce risk,  Protect its reputation,  Improve governance, and  Be compliant. 5
  6. 6. SET Why I Need Information Security Training  Security Awareness Training is designed to educate users on the appropriate use, protection and security of information, individual user responsibilities and ongoing maintenance necessary to protect the confidentiality, integrity, and availability of information assets, resources, and systems from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption. The long term benefits to your organization of a successful security awareness program include enhanced awareness, increased security and improved online productivity for employees and the company as a whole. 6
  7. 7. SET What Is Information Security  The quality or state of being secure to be free from danger  Security is achieved using several strategies simultaneously or used in combination with one another  Security is recognized as essential to protect vital processes and the systems that provide those processes  Security is not something you buy, it is something you do
  8. 8. SET What Is Information Security  The architecture where an integrated combination of appliances, systems and solutions, software, alarms, and vulnerability scans working together  Monitored 24x7  Having People, Processes, Technology, policies, procedures,  Security is for PPT and not only for appliances or devices
  9. 9. SET INFORMATION SECURITY 1. Protects information from a range of threats 2. Ensures business continuity 3. Minimizes financial loss 4. Optimizes return on investments 5. Increases business opportunities
  10. 10. SET Security breaches leads to… • Reputation loss • Financial loss • Intellectual property loss • Legislative Breaches leading to legal actions (Cyber Law) • Loss of customer confidence • Business interruption costs LOSS OF GOODWILL
  11. 11. SET What is Risk?  Risk: A possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset.  Threat: Something that can potentially cause damage to the organization, IT Systems or network.  Vulnerability: A weakness in the organization, IT Systems, or network that can be exploited by a threat.
  12. 12. SET Good security practices follow the “90/10” rule 10% of security safeguards are technical 90% of security safeguards rely on us – the user - to adhere to good computing practices 12
  13. 13. SET What are the consequences of security violations? Disciplinary action (up to expulsion or termination) Embarrassment to yourself and/or the Company Having to recreate lost data Identity theft Data corruption or destruction Loss of patient, employee, and public trust Costly reporting requirements and penalties Unavailability of vital data 13
  14. 14. SET Good Computer Security Practices 14
  15. 15. SET Passwords Your password is your key to OC Inc Fusion BPO Services data and resources.  Remember: Carelessness is Dangerous! If you receive a phone call from someone claiming that they are a contractor working with IT Security, would you give them your password? NO! How many of you have written your password down? What did you do with the paper? Is it tucked safely and securely away? If it is in the first place you would look (like under the keyboard) – someone else would look there too! 15
  16. 16. SET Password construction and Management When selecting a password, you may naturally want to choose something easy to remember. But, if it is easy for you, it may be easy for some one else to crack! A password should not be: Your name or any family members name, to include pets! Your street name, car type, favorite singer, etc. Any easily guessed or recognized name or word Your previous password with a sequentially increased number at the end. 16
  17. 17. SET Password construction and Management  A password should be:  A mixture of letters (both upper and lower case) and numbers and/or special characters  At least eight characters long, preferably longer  – for example iH8TDieTs is a very good password. It has capitals, lower case, and numbers. AND…. It isn’t too tough to remember. Just say: I hate diets.  A password should never be:  …Taped to a monitor or keyboard or desk or desk accessory or any where visible  …Shared with ANY ONE – NOT EVEN A SUPERVISOR! 17
  18. 18. SET Examples of Passwords Weak Strong  12345 • tCj0Tm  Password • iL2e0c  STCC • 1cRmPW!  Pecan • CyMm@M0?  Gateway1  abc123 18
  19. 19. SET Email Usage  Some experts feel email is the biggest security threat of all. This is the fastest, most-effective method of spreading malicious code to the largest number of users. It is also a large source of wasted technology resources.  Examples of Waste:  Electronic Greeting Cards  Chain Letters  Jokes and graphics  Spam and junk email 19
  20. 20. SET Pitfalls to email 1. Email is NOT secure – It is essential to understand that email does not go directly to the intended recipient. It is routed through various systems first. Remember, it is not impervious to prying eyes! 2. Email is open to abuse – Scams, mass mailings, junk mail, and deceptive advertising can be delivered to your computer mail box as easily as your home mail box. 3. Email is potentially harmful – this is the easiest, most effective conveyance of malicious code. 20
  21. 21. SET Should You Open the E-mail Attachment?  If its suspicious, dont open it!  What is suspicious?  Not work-related  Attachments not expected  Attachments with a suspicious file extension (*.exe, *.vbs, *.bin, *.com, *.scr, or *.pif)  Web link  Unusual topic lines; “Your car?”; “Oh!” ; “Nice Pic!”; “Family Update!”; “Very Funny!” 21
  22. 22. SET E-Mail Security – Risk Areas1. Spamming. Unsolicited bulk e-mail, including commercial solicitations, advertisements, chain letters, pyramid schemes, and fraudulent offers.  Do not reply to spam messages. Do not spread spam. Remember, sending chain letters is against policy.  Do not forward chain letters. It’s the same as spamming!  Do not open or reply to suspicious e-mails.2. Phishing Scams. E-Mail pretending to be from trusted names, such as Citibank or PayPal or Amazon, but directing recipients to rogue sites. A reputable company will never ask you to send your password through e-mail.3. Spyware. Spyware is adware which can slow computer processing down; hijack web browsers; spy on key strokes and cripple computers 22
  23. 23. SET E-mail Usage Use official mail for business purposes only Follow the mail storage guidelines to avoid blocking of E-mails  If you come across any junk / spam mail, do the following a) Remove the mail. b) Inform the security help desk c) Inform the same to server administrator d) Inform the sender that such mails are undesired  Do not use official ID for any personal subscription purpose  Do not send unsolicited mails of any type like chain letters or E-mail Hoax  Do not send mails to client unless you are authorized to do so  Do not post non-business related information to large number of users  Do not open the mail or attachment which is suspected to be virus or received from an unidentified sender 23
  24. 24. SET Internet Usage  Use internet services for business purposes only  Do not access internet through dial-up connectivity  Do not use internet for viewing, storing or transmitting obscene or pornographic material  Do not use internet for accessing auction sites  Do not use internet for hacking other computer systems  Do not use internet to download / upload commercial software / copyrighted material  Technology Department is continuously monitoring Internet Usage. Any illegal use of internet and other assets shall call for Disciplinary Action. 24
  25. 25. SET Physical SecurityWould you leave your credit card exposed or unattended in a public place? Do you lock your car? Secure your wallet or purse?Take those same precautions with your PC!Log off or lock your PC when unattended.Shutdown your PC when you leave for the day…EVERYDAY!Lock doors in accordance with Fusion BPO Services Policy.Secure your Password!!!! 25
  26. 26. SET Access Control - Physical  Follow Security Procedures  Wear Identity Cards and Badges at all times  Ask unauthorized visitor his credentials  All visitors must be escorted while onsite • Bring visitors in operations area without prior permission • Bring hazardous and combustible material in secure area • Practice ―Piggybacking‖ • Bring and use pen drives, zip drives, iPods, other storage devices unless and otherwise authorized to do so 26
  27. 27. SET Unique User Log-In / User Access Controls Access Controls:  Users are assigned a unique “User ID” for log-in purposes  Each individual user’s access to OC Inc./Fusion BPO Services system(s) is appropriate and authorized  Access is “role-based”, e.g., access is limited to the minimum information needed to do your job  Unauthorized access to OC Inc./Fusion BPO Services by former employees is prevented by terminating access  User access to information systems is logged and audited for inappropriate access or use. 27
  28. 28. SET Workstation SecurityWorkstations Physical Security measures include:  Disaster Controls  Physical Access Controls  Device & Media Controls Log-off before leaving a workstation unattended.  This will prevent other individuals from accessing secured data under your User-ID and limit access by unauthorized users. Lock-up! – Offices, windows, workstations, sensitive papers and PDAs, laptops, mobile devices / media.  Lock your workstation (Cntrl+Alt+Del and Lock) – Windows XP, Windows 2000 28
  29. 29. SET Antivirus and Firewall Make sure your computer has anti-virus, anti-spyware and firewall protection as well as all necessary security patches. Don’t install unknown or unsolicited programs on your computer 29
  30. 30. SET Report Security Incidents  You are responsible to:  Report and respond to security incidents and security breaches.  Know what to do in the event of a security breach or incident related to Data Security and/or Personal Information.  Report security incidents & breaches to: IT Security Team 30
  31. 31. SET Your Responsibility to Adhere to OCI Security- Information Security Policies Users of electronic information resources are responsible for familiarizing themselves with and complying with all company policies, procedures and standards relating to information security. Users are responsible for appropriate handling of electronic information resources. 31
  32. 32. SET Why can’t I play games online? On- Line Gaming on a company computer is against company policy. Playing games on a company computer is forbidden. Gaming sites, like MP3 download sites, are good places to pick up a virus. Script kiddies and hackers swarm around these sites like vultures. They use all the tricks of their trade to glean password and network information from gamers. This is easy to avoid. Don’t do it! 32
  33. 33. SET Types of sites to avoid and WHYCorporate sites that have a vested interest in protecting and maintaining public trust are more vigorous in protecting visitor’s email addresses and information. For example, sites such as CNN and Headline News want visitors to feel confident and comfortable on their web sites – so they will take measures to secure their sites. However, many other sites do NOT take measures to protect visitor’s data. In fact, they are notorious for harvesting and selling such data. Please do not use your OC Inc. Fusion BPO Services computer or email address for joke sites, dating sites, horoscopes, chat rooms, free grocery coupons and other related sites. Sites promising free goods and vacations and fun – good ones to put on the NO GO list. These are all easy to avoid and you will likely reduce your junk mail as well.. 33
  34. 34. SET Common Terminology What is a cookie? Cookies are small text files that some Web sites create when you visit. The file is used to store information on your computer. What does encrypted mean? The translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text ; encrypted data is referred to as cipher text. What is a virus? A virus is a piece of code that is written specifically to execute itself without the users knowledge or permission. It will usually attach itself to a file in order to replicate and spread itself. Some viruses are harmless while others can cause serious damage. 34
  35. 35. SET Common Terminology cont. What is a Phishing? The act of sending an e-mail falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The Web site, however, is bogus and set up only to steal the user’s information. What is spam? Electronic junk mail. Spam is generally e-mail advertising for some product sent to a mailing list or newsgroup. In addition to wasting peoples time with unwanted e-mail, spam also eats up a lot of network bandwidth. Some ISP’s, such AOL, have instituted policies to prevent spammers from spamming their subscribers. What is an audit trail ? A record showing who has accessed a computer system and what operations he or she has performed during a given period of time. 35
  36. 36. SET Common Terminology cont.  What is Unauthorized Access?- Any time a user gains access to a computer network without the consent of the computers administrator.  What is Access Control-The prevention of unauthorized use of information assets. It is the policy rules and deployment mechanisms, which control access to information systems, and physical access to premises.  Compliance- Adherence to those policies, procedures, guidelines, laws, regulations and contractual arrangements to which the business process is subject.  Malicious Software: Software, for example, a virus, designed to damage or disrupt a system. 36
  37. 37. SET Common Terminology cont.  Password: Confidential authentication information composed of a string of character  Server: A server is a computer system, or a set of processes on a computer system providing services to clients across a network.  User: A person or entity with authorized access.  Protected Information: Any participant or client information that the Department may have in its records or files that must be safeguarded pursuant to Department policy. This includes but is not limited to "individually identifying information". 37
  38. 38. SET Common Terminology cont.  Integrity: The property that data or information have not been altered or destroyed in an unauthorized manner.  FTP (File Transfer Protocol): A protocol that allows for the transfer of files between an FTP client and FTP server.  Disclose: The release, transfer, relay, provision of access to, or conveying of client information to any individual or entity outside the Department.  Confidential Information: Any client information (defined above) that OC Inc may have in its records or files on any OC Inc client that must be safeguarded pursuant to OC Inc policy. This includes, but is not limited to, “individually identifying information” 38
  39. 39. SET Typical Symptoms of computer infection  File deletion  File corruption  Visual effects  Pop-Ups  Erratic (and unwanted) behavior  Computer crashes 39
  40. 40. SET Problems Hackers Cause  A hacker intrusion could create a legal liability and public embarrassment for you and your organization  Vandalism—Destruction or digital defacement of a computer or its data for destruction’s sake  Theft—Gaining access to intellectual or proprietary technology or information, sometimes for resale Hijacking—Many of the financially motivated hackers are interested in remotely controlling PCs  Identity theft—Electronic theft of personal info that can be used to steal financial resources  Terrorism—Some experts believe that terrorists will eventually launch an attack using hacking techniques 40
  41. 41. SET Malware  Malware – (aka Crime ware and Computer Contaminant) is any program which can corrupt files and/or secretly report your information from your computer or network  Viruses, Worms, Trojans, and Spyware are the most common types of malware  Many of these destructive programs attempt to reinstall and replicate themselves and are designed to be very difficult to remove from the host computer 41
  42. 42. SET Malware Virus ‐ Software that gets installed on your computer, usually without your knowledge – You can get “infected” by accessing something that is already infected with a virus – Sources include floppy disk,USB drives, website, and email Worm – Software that actively tries to spread itself to infect other computers – Software worms can actively scan networks to infect others – Worms can also be spread by e‐mail applications that use the computer address book Trojan ‐ Damaging software that hides its identity by posing as something else such as a screen saver or a greeting card. The Trojan, once installed, gives the attacker a back door into your system that can be used by the hacker as needed. 42
  43. 43. SET IT ACT PROVISIONS  Email would now be a valid and legal form of communication in our country that can be duly produced and approved in a court of law.  Companies shall now be able to carry out electronic commerce using the legal infrastructure provided by the Act.  Digital signatures have been given legal validity and sanction in the Act.  The Act now allows Government to issue notification on the web thus heralding e-governance  Statutory remedy in case if anyone breaks into companies computer systems or network and causes damages or copies data 43
  44. 44. SET Risks and Threats Virus Attacks Theft, Sabotage, High User Misuse Knowledge of IT Systems Natural Lack Of Lapse in Calamities & Documentation Physical Fire Systems & SecurityNetwork Failure 44
  45. 45. SET User Responsibilities Ensure your system is locked when you are away Always store laptops/media in a lockable place Ensure sensitive business information is under lock and key when unattended Ensure back-up of sensitive and critical information assets Understand Compliance Issues such as  Cyber Law  IPR, Copyrights, NDA  Contractual Obligations with customer Verify credentials, if the message is received from unknown sender Always switch off your computer before leaving for the day Keep your self updated on information security aspects 45
  46. 46. SET Do’s And Donts Email and messaging  read your organization’s email policy  report any spam or phishing emails to your IT team that are not blocked or filtered  report phishing emails to the organisation they are supposedly from  use your organization’s contacts or address book. This helps to stop email being sent to the wrong address.  Phishing is an attempt to obtain your personal information (for example, account details) by sending you an email that appears to be from a trusted source (for example, your bank) 46
  47. 47. SET Do’s And Donts Email and messaging  click on links in unsolicited emails. Be especially wary of emails requesting or asking you to confirm any personal information, such as passwords, bank details and so on.  turn off any email security measures that your IT team has put in place or recommended  email sensitive information unless you know it is encrypted. Talk to your IT team for advice.  try to bypass your organisation’s security measures to access your email off-site (for example, forwarding email to a personal account)  reply to chain emails. 47
  48. 48. SET Do’s And Donts  Passwords  Follow OC Inc’ s password policy  use a strong password (strong passwords are usually eight characters or more and contain upper and lower case letters, as well as numbers)  make your password easy to remember, but hard to guess  choose a password that is quick to type  use a mnemonic (such as a rhyme, acronym or phrase) to help you remember your password. Change your password(s) if you think someone may have found out what they are. 48
  49. 49. SET Do’s And Donts  Passwords Don’ts  share your passwords with anyone else  write your passwords down  use your work passwords for your own personal online accounts  save passwords in web browsers if offered to do so  use your username as a password  use names as passwords  email your password or share it in an instant message. 49
  50. 50. SET Do’s And Donts  Working on-site  lock sensitive information away when left unattended  Remember working at home is a privilege  Don’t let strangers or unauthorised people into staff areas  position screens where they can be read from outside the room. 50
  51. 51. SET Final Note 51
  52. 52. SET Fusion BPO Services, Inc THANK YOU IT SECURITY DEPARTMENT 52

×