Uploaded byocinc
PPTX, PDF901 views

Pci compliance training agents

This document provides an overview of information systems and data security awareness. It defines information security policy as rules that regulate how an organization manages and protects internal, customer, and computing resources. The purpose is to ensure business continuity by reducing risks and safeguarding confidentiality, integrity, and availability of information. It emphasizes that security is a shared responsibility and outlines good practices like using strong passwords and avoiding opening suspicious email attachments.

Embed presentation

Downloaded 53 times
SET INFORMATION SYSTEMS AND DATA SECURITY AWARENESS PROGRAM FUSION BPO SERVICES, Inc.
SET 'Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected’
SET What is Information Systems and Data security Policy? Can be defined as rules that regulate how an organization manages and protects its internal information, external customer or clients information and computing resources. Why do we need Security Policy? The policy tells the users, staff, managers, what they can do, what they cannot do and what they must do to comply with the Security Policy and Practice. Purpose: To ensure business continuity by reducing/minimizing damage to the business by safeguarding the confidentiality, integrity and availability of information.
Why do I need to learn about computer SET security?  Isn’t this just an IT Problem?  Everyone who uses a computer needs to understand how to keep his or her computer and data secure. 13
SET Why I Need Information Security Training  Security Awareness is a critical part of an organization's information security program; it is the human knowledge and behaviors that the organization uses to protect itself against information security risks. Humans, just like computers, store, process and transfer information. As a result many attackers today target the human, bypassing most security controls and using techniques such as social engineering to get the information they want. Awareness, not just technology, is now a key factor in an organization's goal to:  Reduce risk,  Protect its reputation,  Improve governance, and  Be compliant. 5
SET Why I Need Information Security Training  Security Awareness Training is designed to educate users on the appropriate use, protection and security of information, individual user responsibilities and ongoing maintenance necessary to protect the confidentiality, integrity, and availability of information assets, resources, and systems from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption. The long term benefits to your organization of a successful security awareness program include enhanced awareness, increased security and improved online productivity for employees and the company as a whole. 6
SET What Is Information Security  The quality or state of being secure to be free from danger  Security is achieved using several strategies simultaneously or used in combination with one another  Security is recognized as essential to protect vital processes and the systems that provide those processes  Security is not something you buy, it is something you do
SET What Is Information Security  The architecture where an integrated combination of appliances, systems and solutions, software, alarms, and vulnerability scans working together  Monitored 24x7  Having People, Processes, Technology, policies, procedures,  Security is for PPT and not only for appliances or devices
SET INFORMATION SECURITY 1. Protects information from a range of threats 2. Ensures business continuity 3. Minimizes financial loss 4. Optimizes return on investments 5. Increases business opportunities
SET Security breaches leads to… • Reputation loss • Financial loss • Intellectual property loss • Legislative Breaches leading to legal actions (Cyber Law) • Loss of customer confidence • Business interruption costs LOSS OF GOODWILL
SET What is Risk?  Risk: A possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset.  Threat: Something that can potentially cause damage to the organization, IT Systems or network.  Vulnerability: A weakness in the organization, IT Systems, or network that can be exploited by a threat.
SET Good security practices follow the “90/10” rule  10% of security safeguards are technical  90% of security safeguards rely on us – the user - to adhere to good computing practices 12
SET What are the consequences of security violations?  Disciplinary action (up to expulsion or termination)  Embarrassment to yourself and/or the Company  Having to recreate lost data  Identity theft  Data corruption or destruction  Loss of patient, employee, and public trust  Costly reporting requirements and penalties  Unavailability of vital data 13
SET Good Computer Security Practices 14
SET Passwords  Your password is your key to OC Inc Fusion BPO Services data and resources.  Remember: Carelessness is Dangerous!  If you receive a phone call from someone claiming that they are a contractor working with IT Security, would you give them your password? NO!  How many of you have written your password down? What did you do with the paper? Is it tucked safely and securely away? If it is in the first place you would look (like under the keyboard) – someone else would look there too! 15
SET Password construction and Management  When selecting a password, you may naturally want to choose something easy to remember. But, if it is easy for you, it may be easy for some one else to crack!  A password should not be:  Your name or any family members name, to include pets!  Your street name, car type, favorite singer, etc.  Any easily guessed or recognized name or word  Your previous password with a sequentially increased number at the end. 16
SET Password construction and Management  A password should be:  A mixture of letters (both upper and lower case) and numbers and/or special characters  At least eight characters long, preferably longer  – for example iH8TDieTs is a very good password. It has capitals, lower case, and numbers. AND…. It isn’t too tough to remember. Just say: I hate diets.  A password should never be:  …Taped to a monitor or keyboard or desk or desk accessory or any where visible  …Shared with ANY ONE – NOT EVEN A SUPERVISOR! 17
SET Examples of Passwords Weak Strong  12345 • tCj0Tm  Password • iL2e0c  STCC • 1cRmPW!  Pecan • CyMm@M0?  Gateway1  abc123 18
SET Email Usage  Some experts feel email is the biggest security threat of all. This is the fastest, most-effective method of spreading malicious code to the largest number of users. It is also a large source of wasted technology resources.  Examples of Waste:  Electronic Greeting Cards  Chain Letters  Jokes and graphics  Spam and junk email 19
SET Pitfalls to email 1. Email is NOT secure – It is essential to understand that email does not go directly to the intended recipient. It is routed through various systems first. Remember, it is not impervious to prying eyes! 2. Email is open to abuse – Scams, mass mailings, junk mail, and deceptive advertising can be delivered to your computer mail box as easily as your home mail box. 3. Email is potentially harmful – this is the easiest, most effective conveyance of malicious code. 20
SET Should You Open the E-mail Attachment?  If it's suspicious, don't open it!  What is suspicious?  Not work-related  Attachments not expected  Attachments with a suspicious file extension (*.exe, *.vbs, *.bin, *.com, *.scr, or *.pif)  Web link  Unusual topic lines; “Your car?”; “Oh!” ; “Nice Pic!”; “Family Update!”; “Very Funny!” 21
SET E-Mail Security – Risk Areas 1. Spamming. Unsolicited bulk e-mail, including commercial solicitations, advertisements, chain letters, pyramid schemes, and fraudulent offers.  Do not reply to spam messages. Do not spread spam. Remember, sending chain letters is against policy.  Do not forward chain letters. It’s the same as spamming!  Do not open or reply to suspicious e-mails. 2. Phishing Scams. E-Mail pretending to be from trusted names, such as Citibank or PayPal or Amazon, but directing recipients to rogue sites. A reputable company will never ask you to send your password through e-mail. 3. Spyware. Spyware is adware which can slow computer processing down; hijack web browsers; spy on key strokes and cripple computers 22
SET E-mail Usage Use official mail for business purposes only Follow the mail storage guidelines to avoid blocking of E-mails  If you come across any junk / spam mail, do the following a) Remove the mail. b) Inform the security help desk c) Inform the same to server administrator d) Inform the sender that such mails are undesired  Do not use official ID for any personal subscription purpose  Do not send unsolicited mails of any type like chain letters or E-mail Hoax  Do not send mails to client unless you are authorized to do so  Do not post non-business related information to large number of users  Do not open the mail or attachment which is suspected to be virus or received from an unidentified sender 23
SET Internet Usage  Use internet services for business purposes only  Do not access internet through dial-up connectivity  Do not use internet for viewing, storing or transmitting obscene or pornographic material  Do not use internet for accessing auction sites  Do not use internet for hacking other computer systems  Do not use internet to download / upload commercial software / copyrighted material  Technology Department is continuously monitoring Internet Usage. Any illegal use of internet and other assets shall call for Disciplinary Action. 24
SET Physical Security Would you leave your credit card exposed or unattended in a public place? Do you lock your car? Secure your wallet or purse? Take those same precautions with your PC! Log off or lock your PC when unattended. Shutdown your PC when you leave for the day…EVERYDAY! Lock doors in accordance with Fusion BPO Services Policy. Secure your Password!!!! 25
SET Access Control - Physical  Follow Security Procedures  Wear Identity Cards and Badges at all times  Ask unauthorized visitor his credentials  All visitors must be escorted while onsite • Bring visitors in operations area without prior permission • Bring hazardous and combustible material in secure area • Practice ―Piggybacking‖ • Bring and use pen drives, zip drives, iPods, other storage devices unless and otherwise authorized to do so 26
SET Unique User Log-In / User Access Controls  Access Controls:  Users are assigned a unique “User ID” for log-in purposes  Each individual user’s access to OC Inc./Fusion BPO Services system(s) is appropriate and authorized  Access is “role-based”, e.g., access is limited to the minimum information needed to do your job  Unauthorized access to OC Inc./Fusion BPO Services by former employees is prevented by terminating access  User access to information systems is logged and audited for inappropriate access or use. 27
SET Workstation Security Workstations  Physical Security measures include:  Disaster Controls  Physical Access Controls  Device & Media Controls  Log-off before leaving a workstation unattended.  This will prevent other individuals from accessing secured data under your User-ID and limit access by unauthorized users.  Lock-up! – Offices, windows, workstations, sensitive papers and PDAs, laptops, mobile devices / media.  Lock your workstation (Cntrl+Alt+Del and Lock) – Windows XP, Windows 2000 28
SET Antivirus and Firewall Make sure your computer has anti-virus, anti-spyware and firewall protection as well as all necessary security patches. Don’t install unknown or unsolicited programs on your computer 29
SET Report Security Incidents  You are responsible to:  Report and respond to security incidents and security breaches.  Know what to do in the event of a security breach or incident related to Data Security and/or Personal Information.  Report security incidents & breaches to: IT Security Team 30
SET Your Responsibility to Adhere to OCI Security- Information Security Policies  Users of electronic information resources are responsible for familiarizing themselves with and complying with all company policies, procedures and standards relating to information security.  Users are responsible for appropriate handling of electronic information resources. 31
SET Why can’t I play games online?  On- Line Gaming on a company computer is against company policy.  Playing games on a company computer is forbidden.  Gaming sites, like MP3 download sites, are good places to pick up a virus. Script kiddies and hackers swarm around these sites like vultures. They use all the tricks of their trade to glean password and network information from gamers.  This is easy to avoid. Don’t do it! 32
SET Types of sites to avoid and WHY Corporate sites that have a vested interest in protecting and maintaining public trust are more vigorous in protecting visitor’s email addresses and information. For example, sites such as CNN and Headline News want visitors to feel confident and comfortable on their web sites – so they will take measures to secure their sites. However, many other sites do NOT take measures to protect visitor’s data. In fact, they are notorious for harvesting and selling such data. Please do not use your OC Inc. Fusion BPO Services computer or email address for joke sites, dating sites, horoscopes, chat rooms, free grocery coupons and other related sites. Sites promising free goods and vacations and fun – good ones to put on the NO GO list. These are all easy to avoid and you will likely reduce your junk mail as well.. 33
SET Common Terminology  What is a cookie? Cookies are small text files that some Web sites create when you visit. The file is used to store information on your computer.  What does encrypted mean? The translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text ; encrypted data is referred to as cipher text.  What is a virus? A virus is a piece of code that is written specifically to execute itself without the users knowledge or permission. It will usually attach itself to a file in order to replicate and spread itself. Some viruses are harmless while others can cause serious damage. 34
SET Common Terminology cont.  What is a Phishing? The act of sending an e-mail falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The Web site, however, is bogus and set up only to steal the user’s information.  What is spam? Electronic junk mail. Spam is generally e-mail advertising for some product sent to a mailing list or newsgroup. In addition to wasting people's time with unwanted e-mail, spam also eats up a lot of network bandwidth. Some ISP’s, such AOL, have instituted policies to prevent spammers from spamming their subscribers.  What is an audit trail ? A record showing who has accessed a computer system and what operations he or she has performed during a given period of time. 35
SET Common Terminology cont.  What is Unauthorized Access?- Any time a user gains access to a computer network without the consent of the computer's administrator.  What is Access Control-The prevention of unauthorized use of information assets. It is the policy rules and deployment mechanisms, which control access to information systems, and physical access to premises.  Compliance- Adherence to those policies, procedures, guidelines, laws, regulations and contractual arrangements to which the business process is subject.  Malicious Software: Software, for example, a virus, designed to damage or disrupt a system. 36
SET Common Terminology cont.  Password: Confidential authentication information composed of a string of character  Server: A server is a computer system, or a set of processes on a computer system providing services to clients across a network.  User: A person or entity with authorized access.  Protected Information: Any participant or client information that the Department may have in its records or files that must be safeguarded pursuant to Department policy. This includes but is not limited to "individually identifying information". 37
SET Common Terminology cont.  Integrity: The property that data or information have not been altered or destroyed in an unauthorized manner.  FTP (File Transfer Protocol): A protocol that allows for the transfer of files between an FTP client and FTP server.  Disclose: The release, transfer, relay, provision of access to, or conveying of client information to any individual or entity outside the Department.  Confidential Information: Any client information (defined above) that OC Inc may have in its records or files on any OC Inc client that must be safeguarded pursuant to OC Inc policy. This includes, but is not limited to, “individually identifying information” 38
SET Typical Symptoms of computer infection  File deletion  File corruption  Visual effects  Pop-Ups  Erratic (and unwanted) behavior  Computer crashes 39
SET Problems Hackers Cause  A hacker intrusion could create a legal liability and public embarrassment for you and your organization  Vandalism—Destruction or digital defacement of a computer or its data for destruction’s sake  Theft—Gaining access to intellectual or proprietary technology or information, sometimes for resale Hijacking—Many of the financially motivated hackers are interested in remotely controlling PCs  Identity theft—Electronic theft of personal info that can be used to steal financial resources  Terrorism—Some experts believe that terrorists will eventually launch an attack using hacking techniques 40
SET Malware  Malware – (aka Crime ware and Computer Contaminant) is any program which can corrupt files and/or secretly report your information from your computer or network  Viruses, Worms, Trojans, and Spyware are the most common types of malware  Many of these destructive programs attempt to reinstall and replicate themselves and are designed to be very difficult to remove from the host computer 41
SET Malware  Virus ‐ Software that gets installed on your computer, usually without your knowledge  – You can get “infected” by accessing something that is already infected with a virus  – Sources include floppy disk,USB drives, website, and email  Worm – Software that actively tries to spread itself to infect other computers  – Software worms can actively scan networks to infect others  – Worms can also be spread by e‐mail applications that use the computer address book  Trojan ‐ Damaging software that hides its identity by posing as something else such as a screen saver or a greeting card. The Trojan, once installed, gives the attacker a back door into your system that can be used by the hacker as needed. 42
SET IT ACT PROVISIONS  Email would now be a valid and legal form of communication in our country that can be duly produced and approved in a court of law.  Companies shall now be able to carry out electronic commerce using the legal infrastructure provided by the Act.  Digital signatures have been given legal validity and sanction in the Act.  The Act now allows Government to issue notification on the web thus heralding e-governance  Statutory remedy in case if anyone breaks into companies computer systems or network and causes damages or copies data 43
SET Risks and Threats Virus Attacks Theft, Sabotage, High User Misuse Knowledge of IT Systems Natural Lack Of Lapse in Calamities & Documentation Physical Fire Systems & Security Network Failure 44
SET User Responsibilities  Ensure your system is locked when you are away  Always store laptops/media in a lockable place  Ensure sensitive business information is under lock and key when unattended  Ensure back-up of sensitive and critical information assets  Understand Compliance Issues such as  Cyber Law  IPR, Copyrights, NDA  Contractual Obligations with customer  Verify credentials, if the message is received from unknown sender  Always switch off your computer before leaving for the day  Keep your self updated on information security aspects 45
SET Do’s And Don'ts Email and messaging  read your organization’s email policy  report any spam or phishing emails to your IT team that are not blocked or filtered  report phishing emails to the organisation they are supposedly from  use your organization’s contacts or address book. This helps to stop email being sent to the wrong address.  Phishing is an attempt to obtain your personal information (for example, account details) by sending you an email that appears to be from a trusted source (for example, your bank) 46
SET Do’s And Don'ts Email and messaging  click on links in unsolicited emails. Be especially wary of emails requesting or asking you to confirm any personal information, such as passwords, bank details and so on.  turn off any email security measures that your IT team has put in place or recommended  email sensitive information unless you know it is encrypted. Talk to your IT team for advice.  try to bypass your organisation’s security measures to access your email off-site (for example, forwarding email to a personal account)  reply to chain emails. 47
SET Do’s And Don'ts  Passwords  Follow OC Inc’ s password policy  use a strong password (strong passwords are usually eight characters or more and contain upper and lower case letters, as well as numbers)  make your password easy to remember, but hard to guess  choose a password that is quick to type  use a mnemonic (such as a rhyme, acronym or phrase) to help you remember your password. Change your password(s) if you think someone may have found out what they are. 48
SET Do’s And Don'ts  Passwords Don’ts  share your passwords with anyone else  write your passwords down  use your work passwords for your own personal online accounts  save passwords in web browsers if offered to do so  use your username as a password  use names as passwords  email your password or share it in an instant message. 49
SET Do’s And Don'ts  Working on-site  lock sensitive information away when left unattended  Remember working at home is a privilege  Don’t let strangers or unauthorised people into staff areas  position screens where they can be read from outside the room. 50
SET Final Note 51
SET Fusion BPO Services, Inc THANK YOU IT SECURITY DEPARTMENT 52

More Related Content

PPTX
Employee Awareness in Cyber Security - Kloudlearn
byKloudLearn
 
PDF
7 Things Every Ceo Should Know About Information Security
byCindy Kim
 
PPTX
Cyber Security Lessons from the NSA
byCipherCloud
 
PPTX
Cybersecurity Training Seminars, 44 Courses : Tonex Training
byBryan Len
 
PPTX
Information security for business majors
byPaul Melson
 
PDF
Security and SMBs
byGFI Software
 
PDF
How To Promote Security Awareness In Your Company
bydanielblander
 
PDF
Information security
byVijayananda Mohire
 
Employee Awareness in Cyber Security - Kloudlearn
byKloudLearn
 
7 Things Every Ceo Should Know About Information Security
byCindy Kim
 
Cyber Security Lessons from the NSA
byCipherCloud
 
Cybersecurity Training Seminars, 44 Courses : Tonex Training
byBryan Len
 
Information security for business majors
byPaul Melson
 
Security and SMBs
byGFI Software
 
How To Promote Security Awareness In Your Company
bydanielblander
 
Information security
byVijayananda Mohire
 

What's hot

PDF
Basic security concepts
byUpender Dravidum
 
PDF
Cybersecurity tips for employees
byPriscila Bernardes
 
PPT
Computer Security Policy D
byguest34b014
 
PPT
CCNA Security - Chapter 1
byIrsandi Hasan
 
PDF
Black Hat USA 2015: A Visual Snapshot of Security Threats, Trends and Ideas
byTripwire
 
PPTX
IT Security and Management - Security Policies
byMark John Lado, MIT
 
PPTX
Best Practice For Public Sector Information Security And Compliance
byOracle
 
PDF
Small Business Administration Recommendations
byMeg Weber
 
PPTX
Managing IT Security
byAjay Jassi
 
PDF
Ten Expert Tips on Internet of Things Security
byDean Bonehill ♠Technology for Business♠
 
PDF
Cybersecurity-2013
byJennie Hwang
 
PDF
Rogers eBook Security
byRogers Communications
 
DOC
Computer security and_privacy
bythinkict
 
PDF
Research Paper
byBrian Kasha
 
PDF
Information Security for Small Business
byJulius Clark, CISSP, CISA
 
PPTX
Issa Charlotte 2009 Patching Your Users
byMike Murray
 
PPTX
Cisco ccna security
byMt Mostafa
 
Basic security concepts
byUpender Dravidum
 
Cybersecurity tips for employees
byPriscila Bernardes
 
Computer Security Policy D
byguest34b014
 
CCNA Security - Chapter 1
byIrsandi Hasan
 
Black Hat USA 2015: A Visual Snapshot of Security Threats, Trends and Ideas
byTripwire
 
IT Security and Management - Security Policies
byMark John Lado, MIT
 
Best Practice For Public Sector Information Security And Compliance
byOracle
 
Small Business Administration Recommendations
byMeg Weber
 
Managing IT Security
byAjay Jassi
 
Ten Expert Tips on Internet of Things Security
byDean Bonehill ♠Technology for Business♠
 
Cybersecurity-2013
byJennie Hwang
 
Rogers eBook Security
byRogers Communications
 
Computer security and_privacy
bythinkict
 
Research Paper
byBrian Kasha
 
Information Security for Small Business
byJulius Clark, CISSP, CISA
 
Issa Charlotte 2009 Patching Your Users
byMike Murray
 
Cisco ccna security
byMt Mostafa
 

Similar to Pci compliance training agents

PDF
Customer information security awareness training
byAbdalrhmanTHassan
 
PDF
Employee Security Awareness Program
bydavidcurriecia
 
PDF
Security awareness-checklist 2019
byMustafa Kuğu
 
PPTX
Awareness Security 123.pptx
byRajuSingh730938
 
PDF
Getting users to care about security
byAlison Gianotto
 
PDF
Information Security for Small Business
byJulius Clark, CISSP, CISA
 
PPTX
sec.This includes policy settings that prevent unauthorized people
byJuliusECatipon
 
PPTX
USG_Security_Awareness_Primer (1).pptx
byssuser59e4b8
 
PPTX
USG_Security_Awareness_Primer.pptx
byBilmyRikas
 
PPT
It security in healthcare
byNicholas Davis
 
PPTX
InformationSecurity
bylearnt
 
PPT
3 Most Common Threats Of Information Security
byAna Meskovska
 
PPT
DNR-Security-Awareness-Training expert.ppt
bypdffree25
 
PPT
Rothke Sia 2006
byBen Rothke
 
PDF
iSchoolConnect_Information Security User Awareness Training_16th Nov 2021.ppt...
byRIYAJAIN179446
 
PPTX
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
byDataExchangeAgency
 
PDF
Frontier Secure: Handout for small business leaders on "How to be Secure"
byFrontier Small Business
 
PPTX
USG_Security_Awareness_Primer.pptx
bysumita02
 
PPTX
Security_Awareness_Primer.pptx
byFaith Shimba
 
PPT
Rainer+3e Student Pp Ts Ch03
bykbzdox ivanovich
 
Customer information security awareness training
byAbdalrhmanTHassan
 
Employee Security Awareness Program
bydavidcurriecia
 
Security awareness-checklist 2019
byMustafa Kuğu
 
Awareness Security 123.pptx
byRajuSingh730938
 
Getting users to care about security
byAlison Gianotto
 
Information Security for Small Business
byJulius Clark, CISSP, CISA
 
sec.This includes policy settings that prevent unauthorized people
byJuliusECatipon
 
USG_Security_Awareness_Primer (1).pptx
byssuser59e4b8
 
USG_Security_Awareness_Primer.pptx
byBilmyRikas
 
It security in healthcare
byNicholas Davis
 
InformationSecurity
bylearnt
 
3 Most Common Threats Of Information Security
byAna Meskovska
 
DNR-Security-Awareness-Training expert.ppt
bypdffree25
 
Rothke Sia 2006
byBen Rothke
 
iSchoolConnect_Information Security User Awareness Training_16th Nov 2021.ppt...
byRIYAJAIN179446
 
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
byDataExchangeAgency
 
Frontier Secure: Handout for small business leaders on "How to be Secure"
byFrontier Small Business
 
USG_Security_Awareness_Primer.pptx
bysumita02
 
Security_Awareness_Primer.pptx
byFaith Shimba
 
Rainer+3e Student Pp Ts Ch03
bykbzdox ivanovich
 

Pci compliance training agents

  • 1.
    SET INFORMATION SYSTEMS AND DATA SECURITY AWARENESS PROGRAM FUSION BPO SERVICES, Inc.
  • 2.
    SET 'Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected’
  • 3.
    SET What is Information Systems and Data security Policy? Can be defined as rules that regulate how an organization manages and protects its internal information, external customer or clients information and computing resources. Why do we need Security Policy? The policy tells the users, staff, managers, what they can do, what they cannot do and what they must do to comply with the Security Policy and Practice. Purpose: To ensure business continuity by reducing/minimizing damage to the business by safeguarding the confidentiality, integrity and availability of information.
  • 4.
    Why do Ineed to learn about computer SET security?  Isn’t this just an IT Problem?  Everyone who uses a computer needs to understand how to keep his or her computer and data secure. 13
  • 5.
    SET Why I Need Information Security Training  Security Awareness is a critical part of an organization's information security program; it is the human knowledge and behaviors that the organization uses to protect itself against information security risks. Humans, just like computers, store, process and transfer information. As a result many attackers today target the human, bypassing most security controls and using techniques such as social engineering to get the information they want. Awareness, not just technology, is now a key factor in an organization's goal to:  Reduce risk,  Protect its reputation,  Improve governance, and  Be compliant. 5
  • 6.
    SET Why I Need Information Security Training  Security Awareness Training is designed to educate users on the appropriate use, protection and security of information, individual user responsibilities and ongoing maintenance necessary to protect the confidentiality, integrity, and availability of information assets, resources, and systems from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption. The long term benefits to your organization of a successful security awareness program include enhanced awareness, increased security and improved online productivity for employees and the company as a whole. 6
  • 7.
    SET What Is Information Security  The quality or state of being secure to be free from danger  Security is achieved using several strategies simultaneously or used in combination with one another  Security is recognized as essential to protect vital processes and the systems that provide those processes  Security is not something you buy, it is something you do
  • 8.
    SET What Is Information Security  The architecture where an integrated combination of appliances, systems and solutions, software, alarms, and vulnerability scans working together  Monitored 24x7  Having People, Processes, Technology, policies, procedures,  Security is for PPT and not only for appliances or devices
  • 9.
    SET INFORMATION SECURITY 1. Protects information from a range of threats 2. Ensures business continuity 3. Minimizes financial loss 4. Optimizes return on investments 5. Increases business opportunities
  • 10.
    SET Security breaches leads to… • Reputation loss • Financial loss • Intellectual property loss • Legislative Breaches leading to legal actions (Cyber Law) • Loss of customer confidence • Business interruption costs LOSS OF GOODWILL
  • 11.
    SET What is Risk?  Risk: A possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset.  Threat: Something that can potentially cause damage to the organization, IT Systems or network.  Vulnerability: A weakness in the organization, IT Systems, or network that can be exploited by a threat.
  • 12.
    SET Good security practices follow the “90/10” rule  10% of security safeguards are technical  90% of security safeguards rely on us – the user - to adhere to good computing practices 12
  • 13.
    SET What are the consequences of security violations?  Disciplinary action (up to expulsion or termination)  Embarrassment to yourself and/or the Company  Having to recreate lost data  Identity theft  Data corruption or destruction  Loss of patient, employee, and public trust  Costly reporting requirements and penalties  Unavailability of vital data 13
  • 14.
    SET Good Computer Security Practices 14
  • 15.
    SET Passwords  Your password is your key to OC Inc Fusion BPO Services data and resources.  Remember: Carelessness is Dangerous!  If you receive a phone call from someone claiming that they are a contractor working with IT Security, would you give them your password? NO!  How many of you have written your password down? What did you do with the paper? Is it tucked safely and securely away? If it is in the first place you would look (like under the keyboard) – someone else would look there too! 15
  • 16.
    SET Password construction and Management  When selecting a password, you may naturally want to choose something easy to remember. But, if it is easy for you, it may be easy for some one else to crack!  A password should not be:  Your name or any family members name, to include pets!  Your street name, car type, favorite singer, etc.  Any easily guessed or recognized name or word  Your previous password with a sequentially increased number at the end. 16
  • 17.
    SET Password construction and Management  A password should be:  A mixture of letters (both upper and lower case) and numbers and/or special characters  At least eight characters long, preferably longer  – for example iH8TDieTs is a very good password. It has capitals, lower case, and numbers. AND…. It isn’t too tough to remember. Just say: I hate diets.  A password should never be:  …Taped to a monitor or keyboard or desk or desk accessory or any where visible  …Shared with ANY ONE – NOT EVEN A SUPERVISOR! 17
  • 18.
    SET Examples of Passwords Weak Strong  12345 • tCj0Tm  Password • iL2e0c  STCC • 1cRmPW!  Pecan • CyMm@M0?  Gateway1  abc123 18
  • 19.
    SET Email Usage  Some experts feel email is the biggest security threat of all. This is the fastest, most-effective method of spreading malicious code to the largest number of users. It is also a large source of wasted technology resources.  Examples of Waste:  Electronic Greeting Cards  Chain Letters  Jokes and graphics  Spam and junk email 19
  • 20.
    SET Pitfalls to email 1. Email is NOT secure – It is essential to understand that email does not go directly to the intended recipient. It is routed through various systems first. Remember, it is not impervious to prying eyes! 2. Email is open to abuse – Scams, mass mailings, junk mail, and deceptive advertising can be delivered to your computer mail box as easily as your home mail box. 3. Email is potentially harmful – this is the easiest, most effective conveyance of malicious code. 20
  • 21.
    SET Should You Open the E-mail Attachment?  If it's suspicious, don't open it!  What is suspicious?  Not work-related  Attachments not expected  Attachments with a suspicious file extension (*.exe, *.vbs, *.bin, *.com, *.scr, or *.pif)  Web link  Unusual topic lines; “Your car?”; “Oh!” ; “Nice Pic!”; “Family Update!”; “Very Funny!” 21
  • 22.
    SET E-Mail Security – Risk Areas 1. Spamming. Unsolicited bulk e-mail, including commercial solicitations, advertisements, chain letters, pyramid schemes, and fraudulent offers.  Do not reply to spam messages. Do not spread spam. Remember, sending chain letters is against policy.  Do not forward chain letters. It’s the same as spamming!  Do not open or reply to suspicious e-mails. 2. Phishing Scams. E-Mail pretending to be from trusted names, such as Citibank or PayPal or Amazon, but directing recipients to rogue sites. A reputable company will never ask you to send your password through e-mail. 3. Spyware. Spyware is adware which can slow computer processing down; hijack web browsers; spy on key strokes and cripple computers 22
  • 23.
    SET E-mail Usage Use official mail for business purposes only Follow the mail storage guidelines to avoid blocking of E-mails  If you come across any junk / spam mail, do the following a) Remove the mail. b) Inform the security help desk c) Inform the same to server administrator d) Inform the sender that such mails are undesired  Do not use official ID for any personal subscription purpose  Do not send unsolicited mails of any type like chain letters or E-mail Hoax  Do not send mails to client unless you are authorized to do so  Do not post non-business related information to large number of users  Do not open the mail or attachment which is suspected to be virus or received from an unidentified sender 23
  • 24.
    SET Internet Usage  Use internet services for business purposes only  Do not access internet through dial-up connectivity  Do not use internet for viewing, storing or transmitting obscene or pornographic material  Do not use internet for accessing auction sites  Do not use internet for hacking other computer systems  Do not use internet to download / upload commercial software / copyrighted material  Technology Department is continuously monitoring Internet Usage. Any illegal use of internet and other assets shall call for Disciplinary Action. 24
  • 25.
    SET Physical Security Would you leave your credit card exposed or unattended in a public place? Do you lock your car? Secure your wallet or purse? Take those same precautions with your PC! Log off or lock your PC when unattended. Shutdown your PC when you leave for the day…EVERYDAY! Lock doors in accordance with Fusion BPO Services Policy. Secure your Password!!!! 25
  • 26.
    SET Access Control - Physical  Follow Security Procedures  Wear Identity Cards and Badges at all times  Ask unauthorized visitor his credentials  All visitors must be escorted while onsite • Bring visitors in operations area without prior permission • Bring hazardous and combustible material in secure area • Practice ―Piggybacking‖ • Bring and use pen drives, zip drives, iPods, other storage devices unless and otherwise authorized to do so 26
  • 27.
    SET Unique User Log-In / User Access Controls  Access Controls:  Users are assigned a unique “User ID” for log-in purposes  Each individual user’s access to OC Inc./Fusion BPO Services system(s) is appropriate and authorized  Access is “role-based”, e.g., access is limited to the minimum information needed to do your job  Unauthorized access to OC Inc./Fusion BPO Services by former employees is prevented by terminating access  User access to information systems is logged and audited for inappropriate access or use. 27
  • 28.
    SET Workstation Security Workstations  Physical Security measures include:  Disaster Controls  Physical Access Controls  Device & Media Controls  Log-off before leaving a workstation unattended.  This will prevent other individuals from accessing secured data under your User-ID and limit access by unauthorized users.  Lock-up! – Offices, windows, workstations, sensitive papers and PDAs, laptops, mobile devices / media.  Lock your workstation (Cntrl+Alt+Del and Lock) – Windows XP, Windows 2000 28
  • 29.
    SET Antivirus and Firewall Make sure your computer has anti-virus, anti-spyware and firewall protection as well as all necessary security patches. Don’t install unknown or unsolicited programs on your computer 29
  • 30.
    SET Report Security Incidents  You are responsible to:  Report and respond to security incidents and security breaches.  Know what to do in the event of a security breach or incident related to Data Security and/or Personal Information.  Report security incidents & breaches to: IT Security Team 30
  • 31.
    SET Your Responsibility to Adhere to OCI Security- Information Security Policies  Users of electronic information resources are responsible for familiarizing themselves with and complying with all company policies, procedures and standards relating to information security.  Users are responsible for appropriate handling of electronic information resources. 31
  • 32.
    SET Why can’t I play games online?  On- Line Gaming on a company computer is against company policy.  Playing games on a company computer is forbidden.  Gaming sites, like MP3 download sites, are good places to pick up a virus. Script kiddies and hackers swarm around these sites like vultures. They use all the tricks of their trade to glean password and network information from gamers.  This is easy to avoid. Don’t do it! 32
  • 33.
    SET Types of sites to avoid and WHY Corporate sites that have a vested interest in protecting and maintaining public trust are more vigorous in protecting visitor’s email addresses and information. For example, sites such as CNN and Headline News want visitors to feel confident and comfortable on their web sites – so they will take measures to secure their sites. However, many other sites do NOT take measures to protect visitor’s data. In fact, they are notorious for harvesting and selling such data. Please do not use your OC Inc. Fusion BPO Services computer or email address for joke sites, dating sites, horoscopes, chat rooms, free grocery coupons and other related sites. Sites promising free goods and vacations and fun – good ones to put on the NO GO list. These are all easy to avoid and you will likely reduce your junk mail as well.. 33
  • 34.
    SET Common Terminology  What is a cookie? Cookies are small text files that some Web sites create when you visit. The file is used to store information on your computer.  What does encrypted mean? The translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text ; encrypted data is referred to as cipher text.  What is a virus? A virus is a piece of code that is written specifically to execute itself without the users knowledge or permission. It will usually attach itself to a file in order to replicate and spread itself. Some viruses are harmless while others can cause serious damage. 34
  • 35.
    SET Common Terminology cont.  What is a Phishing? The act of sending an e-mail falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The Web site, however, is bogus and set up only to steal the user’s information.  What is spam? Electronic junk mail. Spam is generally e-mail advertising for some product sent to a mailing list or newsgroup. In addition to wasting people's time with unwanted e-mail, spam also eats up a lot of network bandwidth. Some ISP’s, such AOL, have instituted policies to prevent spammers from spamming their subscribers.  What is an audit trail ? A record showing who has accessed a computer system and what operations he or she has performed during a given period of time. 35
  • 36.
    SET Common Terminology cont.  What is Unauthorized Access?- Any time a user gains access to a computer network without the consent of the computer's administrator.  What is Access Control-The prevention of unauthorized use of information assets. It is the policy rules and deployment mechanisms, which control access to information systems, and physical access to premises.  Compliance- Adherence to those policies, procedures, guidelines, laws, regulations and contractual arrangements to which the business process is subject.  Malicious Software: Software, for example, a virus, designed to damage or disrupt a system. 36
  • 37.
    SET Common Terminology cont.  Password: Confidential authentication information composed of a string of character  Server: A server is a computer system, or a set of processes on a computer system providing services to clients across a network.  User: A person or entity with authorized access.  Protected Information: Any participant or client information that the Department may have in its records or files that must be safeguarded pursuant to Department policy. This includes but is not limited to "individually identifying information". 37
  • 38.
    SET Common Terminology cont.  Integrity: The property that data or information have not been altered or destroyed in an unauthorized manner.  FTP (File Transfer Protocol): A protocol that allows for the transfer of files between an FTP client and FTP server.  Disclose: The release, transfer, relay, provision of access to, or conveying of client information to any individual or entity outside the Department.  Confidential Information: Any client information (defined above) that OC Inc may have in its records or files on any OC Inc client that must be safeguarded pursuant to OC Inc policy. This includes, but is not limited to, “individually identifying information” 38
  • 39.
    SET Typical Symptoms of computer infection  File deletion  File corruption  Visual effects  Pop-Ups  Erratic (and unwanted) behavior  Computer crashes 39
  • 40.
    SET Problems Hackers Cause  A hacker intrusion could create a legal liability and public embarrassment for you and your organization  Vandalism—Destruction or digital defacement of a computer or its data for destruction’s sake  Theft—Gaining access to intellectual or proprietary technology or information, sometimes for resale Hijacking—Many of the financially motivated hackers are interested in remotely controlling PCs  Identity theft—Electronic theft of personal info that can be used to steal financial resources  Terrorism—Some experts believe that terrorists will eventually launch an attack using hacking techniques 40
  • 41.
    SET Malware  Malware – (aka Crime ware and Computer Contaminant) is any program which can corrupt files and/or secretly report your information from your computer or network  Viruses, Worms, Trojans, and Spyware are the most common types of malware  Many of these destructive programs attempt to reinstall and replicate themselves and are designed to be very difficult to remove from the host computer 41
  • 42.
    SET Malware  Virus ‐ Software that gets installed on your computer, usually without your knowledge  – You can get “infected” by accessing something that is already infected with a virus  – Sources include floppy disk,USB drives, website, and email  Worm – Software that actively tries to spread itself to infect other computers  – Software worms can actively scan networks to infect others  – Worms can also be spread by e‐mail applications that use the computer address book  Trojan ‐ Damaging software that hides its identity by posing as something else such as a screen saver or a greeting card. The Trojan, once installed, gives the attacker a back door into your system that can be used by the hacker as needed. 42
  • 43.
    SET IT ACT PROVISIONS  Email would now be a valid and legal form of communication in our country that can be duly produced and approved in a court of law.  Companies shall now be able to carry out electronic commerce using the legal infrastructure provided by the Act.  Digital signatures have been given legal validity and sanction in the Act.  The Act now allows Government to issue notification on the web thus heralding e-governance  Statutory remedy in case if anyone breaks into companies computer systems or network and causes damages or copies data 43
  • 44.
    SET Risks and Threats Virus Attacks Theft, Sabotage, High User Misuse Knowledge of IT Systems Natural Lack Of Lapse in Calamities & Documentation Physical Fire Systems & Security Network Failure 44
  • 45.
    SET User Responsibilities  Ensure your system is locked when you are away  Always store laptops/media in a lockable place  Ensure sensitive business information is under lock and key when unattended  Ensure back-up of sensitive and critical information assets  Understand Compliance Issues such as  Cyber Law  IPR, Copyrights, NDA  Contractual Obligations with customer  Verify credentials, if the message is received from unknown sender  Always switch off your computer before leaving for the day  Keep your self updated on information security aspects 45
  • 46.
    SET Do’s And Don'ts Email and messaging  read your organization’s email policy  report any spam or phishing emails to your IT team that are not blocked or filtered  report phishing emails to the organisation they are supposedly from  use your organization’s contacts or address book. This helps to stop email being sent to the wrong address.  Phishing is an attempt to obtain your personal information (for example, account details) by sending you an email that appears to be from a trusted source (for example, your bank) 46
  • 47.
    SET Do’s And Don'ts Email and messaging  click on links in unsolicited emails. Be especially wary of emails requesting or asking you to confirm any personal information, such as passwords, bank details and so on.  turn off any email security measures that your IT team has put in place or recommended  email sensitive information unless you know it is encrypted. Talk to your IT team for advice.  try to bypass your organisation’s security measures to access your email off-site (for example, forwarding email to a personal account)  reply to chain emails. 47
  • 48.
    SET Do’s And Don'ts  Passwords  Follow OC Inc’ s password policy  use a strong password (strong passwords are usually eight characters or more and contain upper and lower case letters, as well as numbers)  make your password easy to remember, but hard to guess  choose a password that is quick to type  use a mnemonic (such as a rhyme, acronym or phrase) to help you remember your password. Change your password(s) if you think someone may have found out what they are. 48
  • 49.
    SET Do’s And Don'ts  Passwords Don’ts  share your passwords with anyone else  write your passwords down  use your work passwords for your own personal online accounts  save passwords in web browsers if offered to do so  use your username as a password  use names as passwords  email your password or share it in an instant message. 49
  • 50.
    SET Do’s And Don'ts  Working on-site  lock sensitive information away when left unattended  Remember working at home is a privilege  Don’t let strangers or unauthorised people into staff areas  position screens where they can be read from outside the room. 50
  • 51.
    SET Final Note 51
  • 52.
    SET Fusion BPO Services, Inc THANK YOU IT SECURITY DEPARTMENT 52