ISO 27001:2022
Information Security Awareness Training
June 9, 2023
© 2023 Syndigo LLC
Contents
• Introduction to Information Security and ISO 27001 Overview
• Key Highlights of ISO 27001/2:2022
• Organizational Controls
• People Controls
• Physical Controls
• Technological Controls
• Key Points to remember
• References
• Q&A
Introduction to Information Security & ISO 27001 Overview

Overview of ISO – Key Benefits of ISO:
• Compliance in regulatory, legal and contractual obligations
• Compliance with data privacy laws
• Increases trust level of customers and brand reputation
• Consistent security culture
• Enhances security posture
The information security model is made up of three main components: Confidentiality, Integrity and Availability. Each component represents a fundamental objective of information security. In a nutshell, the term Information Security essentially means “The right information (Integrity) to the right people (Confidentiality) at the right time (Availability)”.

ISO 27001 is an internationally recognized standard, published by the International Organization for Standardization (ISO). It is a framework that helps organizations “establish, implement, operate, monitor, review, maintain and continually improve its information security management system”. It is a combination of policies and processes for organizations to use. ISO 27001’s best-practice approach helps organizations manage their information security by addressing people, processes and technology.
Information Security Clauses and Domains

ISO 27001 Clauses (run as a Plan-Do-Check-Act cycle, from input to output):

Context of the Organization
• Understanding the organization and its context
• Understanding the needs and expectations of interested parties
• Determining the scope of the ISMS
• ISMS

Leadership
• Leadership and commitment
• Policy
• Organizational roles, responsibilities and authorities

Planning
• Actions to address risks and opportunities
• Information security objectives and planning to achieve them

Support
• Resources
• Competence
• Awareness
• Communication
• Documented information

Operation
• Operational planning and control
• Information security risk assessment
• Information security risk treatment

Performance evaluation
• Monitoring, measurement, analysis and evaluation
• Internal audit
• Management review

Improvement
• Nonconformity and corrective action
• Continual improvement

ISO 27002 Domains – 4 ‘domains’ of 93 controls:
01 Organizational Controls
02 People Controls
03 Physical Controls
04 Technological Controls
Why to certify

Retain customers & win new business
ISO 27001 certification helps organizations demonstrate good security practices, thereby improving working relationships and retaining existing clients. It also gives a proven marketing edge over your competitors.

Reduce the need for frequent audits
Provides a globally accepted indication of security effectiveness, negating the need for repeated customer audits.

Comply with business, legal, contractual and regulatory requirements
ISO 27001 security controls help to protect information in line with increasingly rigid regulatory requirements such as GDPR.

Prevent financial penalties
ISO 27001 enables organizations to avoid the potentially devastating financial loss caused by data breaches.

Protect and enhance your reputation
Protects your organization against cyber attacks and demonstrates that you have taken the necessary steps to protect your business.
Key Highlights of ISO 27001/2:2022
11 New Controls:
01 Threat intelligence (5.7)
02 Information security for use of cloud services (5.23)
03 ICT readiness for business continuity (5.30)
04 Physical security monitoring (7.4)
05 Configuration management (8.9)
06 Information deletion (8.10)
07 Data masking (8.11)
08 Data leakage prevention (8.12)
09 Monitoring activities (8.16)
10 Web filtering (8.23)
11 Secure coding (8.28)

4 ‘domains’ of 93 controls:
01 Organizational (37 controls)
02 People (8 controls)
03 Physical (14 controls)
04 Technological (34 controls)

• An additional annexure has been added, i.e., there are now two annexures, A and B, in the new standard
• 11 new controls have been added and 57 controls from 2013 have been merged
• The number of controls has decreased from 114 to 93
• Annexure B provides backwards compatibility with ISO 27002:2013
• The security controls listed in ISO 27001 Annexure A will be updated to 4 ‘domains’ of 93 controls
Organizational Controls

Access and Asset Management

Access Control
Some of the organization’s practices as per policy are:
✓ Access rights shall be assigned to personnel on a ‘need-to-know’ basis and a ‘need-to-do’ (minimum requirement for the functional role) basis.
✓ The access rights of employees to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or in case the access is no longer required.
✓ An NDA (Non-Disclosure Agreement) must be entered into with the ‘Third Party’ before granting access to the company’s network.
✓ User access reviews for critical system accounts and privileged accounts are conducted every 60 days, and for all other accounts at an interval of 90 days.
Some of the industry’s best practices are:
✓ Access should be revoked as soon as there is no need for it.
✓ Access provision should be based on the business needs of the requestor.
✓ User access reviews should be conducted for all user accounts and data-sharing sites (with Confidential information) to ensure only authorized users have access to the sensitive data hosted on them.
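As an added example that is not part of the deck, the Python script below applies the access-control rules above (60-day review for privileged accounts, 90-day review for all others, removal of access on termination, NDA before third-party access) to a constructed account inventory; the record fields and sample users are assumptions, not Riversand's real systems.

```python
"""Access-review check against the policy stated on this slide.
Added example, not Syndigo's or Riversand's own tooling; the Account
fields and SAMPLE_ACCOUNTS are constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Review intervals stated in the policy: 60 days for critical/privileged
# accounts, 90 days for everything else.
REVIEW_INTERVAL_DAYS = {"privileged": 60, "standard": 90}


@dataclass
class Account:
    user: str
    privileged: bool                       # critical system or privileged account
    active: bool                           # account currently enabled
    last_review: date                      # date of the last user access review
    third_party: bool = False              # supplier / contractor account
    nda_signed: bool = False               # NDA on file before access was granted
    employment_end: Optional[date] = None  # set once the person has left


def account_findings(acct: Account, today: date) -> List[str]:
    """Return the policy violations found for one account (empty = compliant)."""
    findings: List[str] = []
    if not acct.active:
        return findings                    # already disabled; nothing to review
    kind = "privileged" if acct.privileged else "standard"
    due = acct.last_review + timedelta(days=REVIEW_INTERVAL_DAYS[kind])
    if today > due:                        # a review on the due date itself is on time
        findings.append(f"{acct.user}: {kind} access review overdue since {due}")
    if acct.employment_end is not None and acct.employment_end <= today:
        findings.append(f"{acct.user}: still active after leaving on {acct.employment_end}")
    if acct.third_party and not acct.nda_signed:
        findings.append(f"{acct.user}: third party granted access without an NDA")
    return findings


def audit_accounts(accounts: List[Account], today: date) -> List[str]:
    """Run account_findings over the whole inventory and collect the results."""
    out: List[str] = []
    for acct in accounts:
        out.extend(account_findings(acct, today))
    return out


# Constructed sample inventory (not real accounts); TODAY is the deck's date.
TODAY = date(2023, 6, 9)
SAMPLE_ACCOUNTS = [
    Account("alice", True, True, date(2023, 4, 1)),    # privileged, 69 days: overdue
    Account("bob", False, True, date(2023, 4, 1)),     # standard, 69 days: still fine
    Account("carol", False, True, date(2023, 5, 1), employment_end=date(2023, 5, 31)),
    Account("vendor-dave", False, True, date(2023, 6, 1), third_party=True),
    Account("erin", True, False, date(2022, 1, 1)),    # disabled, skipped
]


def sample_findings() -> List[str]:
    """Findings for the constructed inventory as of the deck date."""
    return audit_accounts(SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```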
Asset Classification

RESTRICTED
Highly sensitive information restricted to specific named individuals on a need-to-know basis.
Examples: Research information leading to Intellectual Property; Authentication credentials; Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, etc.

CONFIDENTIAL
Information that is sensitive and intended for restricted specific business groups of colleagues on a need-to-know basis.
Examples: Policies and Standards; Internal technical publications.

INTERNAL
Company information intended for use by all colleagues (or anyone inside Riversand) on a need-to-know basis.
Examples: Business Partner details (contact/roles/hierarchy/identifiers).

PUBLIC
Approved information for public disclosure.
Examples: Marketing flyers; Public website content; Product Marketing features.
Organizational Controls

Password and Email Security Requirements

Strong Passwords
Strong passwords help you secure your digital identity while accessing applications and information.
Passwords should be:
✓ A minimum of fifteen (15) characters in length, for standard user accounts as well as for Generic and Service Accounts.
✓ Composed from at least 3 of the following four character classes, with at least 1 character from each class used:
  • Uppercase letter (A-Z)
  • Lowercase letter (a-z)
  • Digit (0-9)
  • Special character (~`!@#$%^&*()+=_-{}[]|:;”’?/<>,.)
✓ Changed as mandated (every 90 days for standard user accounts and every 365 days for Generic and Service Accounts).
× Do not use the same password for different accounts.
× Do not use the “remember password” option in browsers or applications.
× Do not enter passwords over unsecured Wi-Fi connections; attackers can intercept them.
× Do not log in on computers you do not control (at cafés or libraries); they may have malware that steals your password.
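As an added illustration, not code from the deck, the Python below checks a candidate password against the length and character-class rules listed above and checks a password's age against the rotation periods; the special-character set is the slide's list with its curly quotes read as straight quotes, and the account-type names ("standard", "generic", "service") are assumptions.

```python
"""Password-policy checker for the rules on this slide (added example).
Assumptions: curly quotes in the slide's special-character list are read
as straight quotes; account types are named standard/generic/service."""
import string
from datetime import date, timedelta
from typing import List

MIN_LENGTH = 15
# The slide's special-character list, with ” and ’ read as " and '.
SPECIALS = set("~`!@#$%^&*()+=_-{}[]|:;\"'?/<>,.")
# Mandated change interval: 90 days for standard users, 365 for generic/service.
MAX_AGE_DAYS = {"standard": 90, "generic": 365, "service": 365}
MIN_CLASSES = 3

CHARACTER_CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": SPECIALS,
}


def classes_used(password: str) -> List[str]:
    """Names of the character classes that appear at least once in the password."""
    return [name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)]


def password_problems(password: str) -> List[str]:
    """Return the policy rules a password violates (empty list = compliant)."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    used = classes_used(password)
    if len(used) < MIN_CLASSES:
        problems.append(f"uses {len(used)} of 4 character classes, need at least {MIN_CLASSES}")
    return problems


def rotation_overdue(last_changed: str, account_type: str, today: str) -> bool:
    """True when the password is older than the mandated change interval.
    Dates are ISO strings (YYYY-MM-DD); a change due today is not yet overdue."""
    limit = date.fromisoformat(last_changed) + timedelta(days=MAX_AGE_DAYS[account_type])
    return date.fromisoformat(today) > limit


if __name__ == "__main__":
    # Constructed sample passwords, not anyone's real credentials.
    for candidate in ["Tr0ub4dor&3", "correcthorsebatterystaple", "Correct-Horse-Battery-7"]:
        print(candidate, "->", password_problems(candidate) or "compliant")
    print("standard account, changed 2023-03-01, overdue on 2023-06-09:",
          rotation_overdue("2023-03-01", "standard", "2023-06-09"))
```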
Email Usage
You must adopt the following guidelines for secure email usage:
✓ Riversand’s business email addresses may not be used for non-business-related purposes.
✓ Employees are responsible for all activity on their assigned email account.
✓ Employees should avoid opening suspicious emails and attachments from unknown senders. Suspicious emails should be forwarded to securityincident@riversand.com.
Some of the industry’s best practices are:
✓ Every email should have a signature and an information security disclaimer.
✓ Be cautious when an e-mail redirects you to a site that asks you to submit your account credentials. Always double-check the URL.
× Avoid sending messages with large file attachments to email distribution lists.
Organizational Controls

Privacy and Data Protection

Introduction
What are Personal Data and Special Categories of (Sensitive) Personal Data?
Personal Data – any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special Categories of (Sensitive) Personal Data – any information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Examples of Personal Data: Name, Address, Phone Number, Email address, Social security number, place of birth, date of birth

Key Privacy Elements:
• Governance
• Notice
• Collection and Use
• Lawful Processing
• Integrity
• Individual’s Rights
• Security and Breach Notification
• Data Transfers
Together these elements promote individuals’ awareness of their privacy and data protection-related rights and empower them to take control of their personal data.
Organizational Controls

Business Continuity Planning

Introduction
A Business Continuity Plan (BCP) is a document that outlines how a business will continue operating during an unplanned disruption in service. It’s more comprehensive than a disaster recovery plan and contains contingencies for business processes, assets, human resources and business partners – every aspect of the business that might be affected.

KEY TAKEAWAYS
• Business continuity planning (BCP) is the process a company undergoes to create a prevention and recovery system from potential threats such as natural disasters or cyber-attacks
• BCP is designed to protect personnel and assets and make sure they can function quickly when disaster strikes
• BCPs should be tested to ensure there are no weaknesses, which can be identified and corrected

Responsibilities
• Report any potential incidents to your local management or the designated official
• Support your local management team in the execution of the defined response, continuity and recovery activities, as per your defined roles
• Respond to evacuation alarms and drills as per set procedures
• Prevent incidents by working according to Riversand’s Emergency Evacuation Drill Procedure
Organizational Controls

Information Security Incident Management

Introduction
Security Incident: A Security Incident is defined as the occurrence of any exceptional situation that could compromise the Confidentiality, Integrity or Availability of Information and Information Systems of Riversand. It is related to exceptional situations or a situation that warrants the intervention of senior management, which has the potential to cause injury or significant property damage.

Examples of incidents:
• Unavailability of critical systems/networks
• Compromise of critical systems/networks
• Suspected/successful hacking attempts
• Hardware resource and component lost/stolen
• Loss of information due to unknown reasons
• Power problems and loss of data
• Natural calamity or disaster
• Virus incidents regarding e-mail, Internet, CD, diskette
• Server breakdown resulting in non-availability of resources

Reporting Information Security Events
✓ Employees and third-party staff shall be made aware of their responsibilities and the procedure for reporting the security incidents that they observe or suspect
✓ All information security events shall be reported to securityincident@riversand.com or through the portal link https://riversand.atlassian.net/servicedesk/customer/portal/22
✓ Employees can also reach out to the CISO if an information security event must be reported on an urgent basis or if further information about it is needed
Organizational Controls

Information security in supplier relationships

Introduction
Vendor risk management (VRM) or Supplier Risk Management is the process of ensuring that the use of service providers and IT suppliers does not create an unacceptable potential for business disruption or a negative impact on business performance.

Some of Riversand’s practices as per policy are:
✓ Third parties must abide by the Riversand Information Security Policy (ISP) in addition to the information security clauses agreed in the supplier agreement with Riversand.
✓ Vendor security checks shall be conducted on suppliers/third parties with whom Riversand intends to share confidential or restricted data.
Some of the industry’s best practices are:
✓ Vendors, suppliers and contractors must take part in the mandatory information security awareness training.
✓ Vendors and suppliers should know the reporting channel for any information security breach/incident they observe.
× DON’T treat the due diligence process as a one-and-done activity that can be set aside after the contract is signed. Doing so will prevent you from identifying and addressing any emerging risks.
× DON’T forget about the activity’s risk because it’s outsourced. Remember that the risk is still your responsibility!
Organizational Controls

Cloud Security

Introduction
Cloud security is a collection of procedures and technology designed to address external and internal threats to business security. Organizations need cloud security as they move toward their digital transformation strategy and incorporate cloud-based tools and services as part of their infrastructure.

The Best Practices of Cloud Security for protecting cloud infrastructure
✓ Secure access to the cloud
✓ Manage user access privileges
✓ Provide visibility with employee monitoring
✓ Monitor privileged users
✓ Educate employees against phishing
✓ Ensure you meet IT compliance requirements
✓ Respond to security incidents

People Controls
People Controls

Human Resource Security and Remote Working Best Practices

Human Resource Security
Prior to Employment
Screening: Prior to employment, candidates are subject to personal verification screening of their experience, credentials and/or other personal factors relevant to the role.
During Employment
Ensure that employees and contractors are aware of and fulfill their information security responsibilities.
Termination and Change of Employment
Key activities during an employee termination or change of employment:
• Departing employee must adhere to terms and conditions.
• Employee’s manager must notify HR about termination or change of employment.

Remote Working Best Practices
• Testing Effectiveness
• Proper Technology
• Incident Reporting
• Secure Connections
• Communication Programs
• Trust
People Controls

Social Engineering

Different types of Social Engineering attacks
Baiting: A scammer uses a false promise to lure a victim into a trap which may steal personal and financial information or infect the system with malware.
Pretexting: A criminal creates a fictional backstory that is used to manipulate someone into providing private information or to influence behavior.
Scareware: Victims are bombarded with false alarms and fictitious threats. Users are deceived into thinking their system is infected with malware.
Phishing: Attempting to acquire sensitive information by masquerading as a trustworthy entity using bulk email, SMS text messaging, or by phone.
Spear Phishing: Spear phishing is a targeted phishing attack. While phishing emails are attempts to scam masses of people, spear phishing emails are sent to just one person or organization.

How does a Social Engineering attack happen?
Consider this example of spear phishing that convinced an employee to transfer $500,000 to a foreign investor:
• Thanks to careful spear phishing research, the cyber criminal knows the company CEO is traveling.
• An email is sent to a company employee that looks like it came from the CEO. There is a slight discrepancy in the email address – but the spelling of the CEO’s name is correct.
• In the email, the employee is asked to help the CEO out by transferring $500,000 to a new foreign investor.
• The email stresses that the CEO would do this transfer herself, but since she is traveling, she can’t make the fund transfer in time to secure the foreign investment partnership.
• Without verifying the details, the employee decides to act.
• A few days later, the victimized employee, CEO, and company colleagues realize they have been victims of a social engineering attack and have lost $500,000.
People Controls

Phishing Attacks
Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity and stealing YOUR IDENTITY through emails that appear legitimate.

Types of Phishing Attacks
Traditional Phishing: It usually involves a mass email that goes out to thousands of individuals.
Cloned Phishing: A legitimate email is used to create an almost identical or cloned email.
Spear Phishing: A targeted and personalized attack on a specific organization or individual.
Smishing: A phishing message received on a mobile device via SMS text message.
Vishing: Phishing attempted over a voice call via telephone/mobile phone.
Whaling: Phishing attempted against senior executives or high-profile managers.

Physical Controls
Physical Controls

Physical & Environmental Controls - Requirements

Visitor and Physical Security
You must adopt the following guidelines for Visitor and Physical Security:
✓ An acceptable form of identification must be provided. All visitors to the site must produce an official ID upon arrival. The visitor recording system must be fully completed.
✓ Visitors are not to be issued an access badge allowing access to restricted areas or zones without prior authorization from the appropriate host or manager of the area.
✓ All visitors are required to provide official ID as stated above and sign into the visitor recording system.
✓ Do not leave access-controlled doors open / Do not allow tailgating or piggybacking.

Clear Screen and Clear Desk Policy
You must adopt the following guidelines:
✓ Lock the Windows session when leaving your desk, even for a short period of time, for example when going for a coffee or to the printer. You do not need anyone sneaking around your work or putting it in danger. Just press Windows + L.
✓ Do not leave sensitive documents unattended at your desk. Store them in a locked file or drawer.
✓ Clean the whiteboard/flipchart after a meeting. If you don’t need sensitive documents anymore, use the shredder to destroy them.
✓ Only share business information on a need-to-know basis, inside and outside our office.
Physical Controls

Secure Remote Devices – Best Practices

Laptops
You must adopt the following guidelines for secure laptops:
✓ Always lock your laptop screen while you are away
✓ Connect to Riversand’s VPN as and when required
× Do not leave your laptop unattended in public places
× Do not let anyone else use your laptop
× Do not disable anti-virus on the laptop
× Do not download any files from unauthorized websites
× Do not connect to freely available public Wi-Fi while working remotely

Mobile Devices
You must adopt the following guidelines for secure mobile devices:
✓ Enable password protection on the mobile device and connect only to known and secure Wi-Fi access points
✓ All mobile devices must be registered in a centrally managed inventory by using an approved automated process or solution
✓ Access to Riversand’s applications such as email, HR/payroll, web browsers, etc. must be secured using Riversand’s provided authentication and protection measures
✓ All Riversand's information on a mobile computing device must be securely disposed of when the device is decommissioned, terminated, stolen or lost
✓ It is prohibited to install and use malicious apps
× Do not let anyone use your mobile device
× Do not click on suspicious links sent through SMS/Emails

Technology Controls
Technology Controls

Malware, Vulnerability Management & Cryptography – Requirements

Malware and Vulnerability Management
✓ Malware can enter and destroy the system through small neglects. Below are the various ways in which malware can enter the system:
  • Virus
  • Worms
  • Phishing
  • Identity Thefts
✓ A vulnerability, as defined by the International Organization for Standardization (ISO 27002), is “a weakness of an asset or group of assets that can be exploited by one or more threats.”
Below is an indicative list of requirements to be followed for Vulnerability Management:
✓ All vulnerabilities must be assessed and remediated as per the timelines defined
✓ Vulnerabilities must be patched through a reliable approved server or repository

Cryptography
Cryptography is the science of writing in secret code so that only the intended recipient of a message can understand its content. Encryption converts usable information (known as plain text) into a format that is unusable to anyone without the key. Below is an indicative list of best practices to be followed for cryptography:
✓ Weaker or older versions of algorithms must not be used
✓ Algorithms with known vulnerabilities must not be used
✓ Under key management, a cryptographic key must only be used for its intended purpose
Technology Controls

Recent Cyber Attacks
✓ "India recorded the second highest number of attacks, with a total of 7.7 per cent of the total attacks on the healthcare industry in 2021," according to cyber security intelligence firm CloudSEK's report seen by PTI.
✓ Specifically, researchers focused on four common types of cyberattacks: Ransomware, Business Email Compromise (BEC) attacks, Cloud compromises, and Supply chain attacks.
AIIMS: The attack on the All-India Institute of Medical Sciences (AIIMS) came to light on November 23, 2022. The attack could have exposed the data of around 40 million patients.
SpiceJet: In June, Indian airline operator SpiceJet cancelled many of its flights after being targeted by an attempted ransomware attack. SpiceJet was forced to suspend flights, which resulted in delays and cancellations.
Log4j Breach
In December 2021, a zero-day vulnerability was discovered in the Log4j Java library. Log4j is used worldwide across software applications and online services, and the vulnerability required very little expertise to exploit.
Audi and Volkswagen Cybersecurity Breach
In June 2021, Audi and Volkswagen revealed that a data breach affected more than 3.3 million customers and prospective buyers, who were primarily U.S.-based.
Technology Controls

Internet Security & Reporting Suspicious / Unusual Behavior

Internet Security
The internet is the backbone for running our business processes. Hence, we should ensure:
✓ Check for secure web connections (https)
✓ Double-check the URL to confirm it is legitimate
✓ Check the authenticity of the source
✓ For any suspicious or unusual behavior on your laptop, immediately disconnect it from the network first and contact the Information Security Team
× Do not use the internet to access non-business-related sites, social networks or file transfer
× Never click on pop-ups
× Do not upload sensitive information to any public platform

Reporting Suspicious / Unusual Behavior
Examples of suspicious/unusual behavior include, but are not limited to:
✓ Unknown individuals taking photos on the office premises
✓ Visitors walking around unattended without badges
✓ A user working on another user’s system
✓ A user sharing his/her password
What can you do to help mitigate the risk?
✓ Be alert for suspicious behaviors
✓ Notify the Information Security team immediately after observing any suspicious/unusual behavior
✓ Suspicious emails should be forwarded to securityincident@riversand.com
✓ Refer to the Information Security Incident Management Procedure for more details on reporting risks

Key Points to Remember
Quick Recap
Do’s:
1. Follow the password policy for new passwords and change passwords as directed
2. Report any incident/suspicious activity as directed by the Information Security policy
3. Follow a clear-desk, clear-screen policy
4. Use your mobile devices appropriately
5. When on the premises, always wear an ID card so that it is always visible
6. Always escort visitors
7. Classify digital and paper documents according to the organizational classification policy
Don'ts:
1. Do not click on any suspicious email/link
2. Do not leave important documents on the desk
3. Do not leave critical documents in the printer
4. Do not use social media to disclose organizational information
5. Do not fall for scams/traps that lead to loss of confidentiality of organizational information
6. Do not use corporate email IDs on any outside websites/portals

References
Please use the link below to refer to the Security policies:
Sharepoint link for policies

Q&A

Thank you

Guide for Drug Education and Vice Control.docxGuide for Drug Education and Vice Control.docx
Guide for Drug Education and Vice Control.docxjennysansano2
 
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los Angeles
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los AngelesAre There Any Alternatives To Jail Time For Sex Crime Convictions in Los Angeles
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los AngelesChesley Lawyer
 
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptxSarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptxAnto Jebin
 
Town of Haverhill's Motion for Summary Judgment on DTC Counterclaims
Town of Haverhill's Motion for Summary Judgment on DTC CounterclaimsTown of Haverhill's Motion for Summary Judgment on DTC Counterclaims
Town of Haverhill's Motion for Summary Judgment on DTC CounterclaimsRich Bergeron
 
1990-2004 Bar Questions and Answers in Sales
1990-2004 Bar Questions and Answers in Sales1990-2004 Bar Questions and Answers in Sales
1990-2004 Bar Questions and Answers in SalesMelvinPernez2
 
RA. 7432 and RA 9994 Senior Citizen .pptx
RA. 7432 and RA 9994 Senior Citizen .pptxRA. 7432 and RA 9994 Senior Citizen .pptx
RA. 7432 and RA 9994 Senior Citizen .pptxJFSB1
 
Town of Haverhill's Statement of Material Facts For Declaratory Judgment Moti...
Town of Haverhill's Statement of Material Facts For Declaratory Judgment Moti...Town of Haverhill's Statement of Material Facts For Declaratory Judgment Moti...
Town of Haverhill's Statement of Material Facts For Declaratory Judgment Moti...Rich Bergeron
 
Illinois Department Of Corrections reentry guide
Illinois Department Of Corrections reentry guideIllinois Department Of Corrections reentry guide
Illinois Department Of Corrections reentry guideillinoisworknet11
 
Choosing the Right Business Structure for Your Small Business in Texas
Choosing the Right Business Structure for Your Small Business in TexasChoosing the Right Business Structure for Your Small Business in Texas
Choosing the Right Business Structure for Your Small Business in TexasBrandy Austin
 
Hungarian legislation made by Robert Miklos
Hungarian legislation made by Robert MiklosHungarian legislation made by Robert Miklos
Hungarian legislation made by Robert Miklosbeduinpower135
 
Town of Haverhill's Summary Judgment Motion for Declaratory Judgment Case
Town of Haverhill's Summary Judgment Motion for Declaratory Judgment CaseTown of Haverhill's Summary Judgment Motion for Declaratory Judgment Case
Town of Haverhill's Summary Judgment Motion for Declaratory Judgment CaseRich Bergeron
 
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTS
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTSTHE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTS
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTSRoshniSingh312153
 
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdf
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdfWurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdf
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdfssuser3e15612
 
Labour legislations in India and its history
Labour legislations in India and its historyLabour legislations in India and its history
Labour legislations in India and its historyprasannamurthy6
 
citizenship in the Philippines as to the laws applicable
citizenship in the Philippines as to the laws applicablecitizenship in the Philippines as to the laws applicable
citizenship in the Philippines as to the laws applicableSaraSantiago44
 
Grey Area of the Information Technology Act, 2000.pptx
Grey Area of the Information Technology Act, 2000.pptxGrey Area of the Information Technology Act, 2000.pptx
Grey Area of the Information Technology Act, 2000.pptxBharatMunjal4
 
Analysis on Law of Domicile under Private International laws.
Analysis on Law of Domicile under Private International laws.Analysis on Law of Domicile under Private International laws.
Analysis on Law of Domicile under Private International laws.2020000445musaib
 

Recently uploaded (20)

PPT Template - Federal Law Enforcement Training Center
PPT Template - Federal Law Enforcement Training CenterPPT Template - Federal Law Enforcement Training Center
PPT Template - Federal Law Enforcement Training Center
 
Right to life and personal liberty under article 21
Right to life and personal liberty under article 21Right to life and personal liberty under article 21
Right to life and personal liberty under article 21
 
Understanding Cyber Crime Litigation: Key Concepts and Legal Frameworks
Understanding Cyber Crime Litigation: Key Concepts and Legal FrameworksUnderstanding Cyber Crime Litigation: Key Concepts and Legal Frameworks
Understanding Cyber Crime Litigation: Key Concepts and Legal Frameworks
 
Guide for Drug Education and Vice Control.docx
Guide for Drug Education and Vice Control.docxGuide for Drug Education and Vice Control.docx
Guide for Drug Education and Vice Control.docx
 
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los Angeles
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los AngelesAre There Any Alternatives To Jail Time For Sex Crime Convictions in Los Angeles
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los Angeles
 
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptxSarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
 
Town of Haverhill's Motion for Summary Judgment on DTC Counterclaims
Town of Haverhill's Motion for Summary Judgment on DTC CounterclaimsTown of Haverhill's Motion for Summary Judgment on DTC Counterclaims
Town of Haverhill's Motion for Summary Judgment on DTC Counterclaims
 
1990-2004 Bar Questions and Answers in Sales
1990-2004 Bar Questions and Answers in Sales1990-2004 Bar Questions and Answers in Sales
1990-2004 Bar Questions and Answers in Sales
 
RA. 7432 and RA 9994 Senior Citizen .pptx
RA. 7432 and RA 9994 Senior Citizen .pptxRA. 7432 and RA 9994 Senior Citizen .pptx
RA. 7432 and RA 9994 Senior Citizen .pptx
 
Town of Haverhill's Statement of Material Facts For Declaratory Judgment Moti...
Town of Haverhill's Statement of Material Facts For Declaratory Judgment Moti...Town of Haverhill's Statement of Material Facts For Declaratory Judgment Moti...
Town of Haverhill's Statement of Material Facts For Declaratory Judgment Moti...
 
Illinois Department Of Corrections reentry guide
Illinois Department Of Corrections reentry guideIllinois Department Of Corrections reentry guide
Illinois Department Of Corrections reentry guide
 
Choosing the Right Business Structure for Your Small Business in Texas
Choosing the Right Business Structure for Your Small Business in TexasChoosing the Right Business Structure for Your Small Business in Texas
Choosing the Right Business Structure for Your Small Business in Texas
 
Hungarian legislation made by Robert Miklos
Hungarian legislation made by Robert MiklosHungarian legislation made by Robert Miklos
Hungarian legislation made by Robert Miklos
 
Town of Haverhill's Summary Judgment Motion for Declaratory Judgment Case
Town of Haverhill's Summary Judgment Motion for Declaratory Judgment CaseTown of Haverhill's Summary Judgment Motion for Declaratory Judgment Case
Town of Haverhill's Summary Judgment Motion for Declaratory Judgment Case
 
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTS
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTSTHE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTS
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTS
 
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdf
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdfWurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdf
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdf
 
Labour legislations in India and its history
Labour legislations in India and its historyLabour legislations in India and its history
Labour legislations in India and its history
 
citizenship in the Philippines as to the laws applicable
citizenship in the Philippines as to the laws applicablecitizenship in the Philippines as to the laws applicable
citizenship in the Philippines as to the laws applicable
 
Grey Area of the Information Technology Act, 2000.pptx
Grey Area of the Information Technology Act, 2000.pptxGrey Area of the Information Technology Act, 2000.pptx
Grey Area of the Information Technology Act, 2000.pptx
 
Analysis on Law of Domicile under Private International laws.
Analysis on Law of Domicile under Private International laws.Analysis on Law of Domicile under Private International laws.
Analysis on Law of Domicile under Private International laws.
 

Syndigo Information Security Awarness Training Deck FINAL June 2023.pptx

2. Contents

• Introduction to Information Security and ISO 27001 Overview
• Key Highlights of ISO 27001/2:2022
• Organizational Controls
• People Controls
• Physical Controls
• Technological Controls
• Key Points to remember
• References
• Q&A
3. Introduction to Information Security & ISO 27001 Overview
4. Introduction to Information Security and ISO 27001 Overview

Overview of ISO

The information security model is made up of three main components: Confidentiality, Integrity and Availability. Each component represents a fundamental objective of information security. In a nutshell, the term Information Security essentially means “The right information (Integrity) to the right people (Confidentiality) at the right time (Availability)”.

ISO 27001 is an internationally recognized standard, published by the International Organization for Standardization (ISO). It is a framework that helps organizations “establish, implement, operate, monitor, review, maintain and continually improve its information security management system”. It is a combination of policies and processes for organizations to use. ISO 27001’s best-practice approach helps organizations manage their information security by addressing people, processes and technology.

Key Benefits of ISO
• Compliance in Regulatory, Legal and Contractual Obligations
• Compliance with Data Privacy Laws
• Increases Trust Level Of Customers And Brand Reputation
• Consistent Security Culture
• Enhances Security Posture
5. Information Security Clauses and Domains

ISO 27001 Clauses (shown on the slide as a Plan, Do, Check, Act cycle running from Input to Output):

Context of the Organization
• Understanding the organization and its context
• Understanding the needs and expectations of interested parties
• Determining the scope of the ISMS
• ISMS

Leadership
• Leadership and commitment
• Policy
• Organizational roles, responsibilities and authorities

Planning
• Actions to address risks and opportunities
• Information security objectives and planning to achieve them

Support
• Resources
• Competence
• Awareness
• Communication
• Documented Information

Operation
• Operational planning and control
• Information security risk assessment
• Information security risk treatment

Performance evaluation
• Monitoring, measurement, analysis and evaluation
• Internal audit
• Management review

Improvement
• Nonconformity and corrective action
• Continual improvement

ISO 27002 Domains: 4 ‘domains’ of 93 controls
01 Organizational Controls
02 People Controls
03 Physical Controls
04 Technological Controls
6. Why to certify

Retain customers & win new business: ISO 27001 certification helps an organization demonstrate good security practices, thereby improving working relationships and retaining existing clients. It also gives a proven marketing edge against your competitors.

Reduce the need for frequent audits: Provides a globally accepted indication of security effectiveness, negating the need for repeated customer audits.

Comply with business, legal, contractual and regulatory requirements: ISO 27001 security controls help to protect information in line with increasingly rigid regulatory requirements such as GDPR.

Prevent financial penalties: ISO 27001 enables organizations to avoid the potentially devastating financial loss caused by data breaches.

Protect and enhance your reputation: Protects your organization against cyber attacks and demonstrates that you have taken the necessary steps to protect your business.
7. Key Highlights of ISO 27001/2:2022
8. Key highlights of ISO 27001/2:2022

• The number of controls has decreased from 114 to 93.
• 11 new controls have been added and 57 controls from 2013 have been merged.
• An additional annexure has been added, i.e., there are now two annexures, A and B, in the new standard.
• Annexure B provides backwards compatibility with ISO 27002:2013.
• The security controls listed in ISO 27001 Annexure A will be updated to 4 ‘domains’ of 93 controls:
  01 Organizational (37 controls)
  02 People (8 controls)
  03 Physical (14 controls)
  04 Technological (34 controls)

11 New Controls:
01 Threat intelligence (5.7)
02 Information security for use of cloud services (5.23)
03 ICT readiness for business continuity (5.30)
04 Physical security monitoring (7.4)
05 Configuration management (8.9)
06 Information deletion (8.10)
07 Data masking (8.11)
08 Data leakage prevention (8.12)
09 Monitoring activities (8.16)
10 Web filtering (8.23)
11 Secure coding (8.28)
10. Organizational Controls: Access and Asset Management

Access Control

Some of the organization’s practices as per policy are:
✓ Access rights shall be assigned to personnel on a ‘need-to-know’ basis and a ‘need-to-do’ (minimum requirement for the functional role) basis.
✓ The access rights of employees to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or in case the access is no longer required.
✓ An NDA (Non-Disclosure Agreement) must be entered into with the ‘Third Party’ before granting access to the company’s network.
✓ User access reviews for critical system accounts and privileged accounts are conducted every 60 days, and for all other accounts at an interval of 90 days.

Some of the industry’s best practices are:
✓ Access should be revoked as soon as there is no need for it.
✓ Access provisioning should be based on the business needs of the requestor.
✓ User access reviews should be conducted for all user accounts and data-sharing sites (holding Confidential information) to ensure only authorized users have access to the sensitive data hosted on them.

Asset Classification

RESTRICTED: Highly sensitive information restricted to specific named individuals on a need-to-know basis. Examples: research information leading to Intellectual Property; authentication credentials; personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, etc.

CONFIDENTIAL: Information that is sensitive and intended for restricted specific business groups of colleagues on a need-to-know basis. Examples: policies and standards; internal technical publications.

INTERNAL: Company information intended for use by all colleagues (or anyone inside Riversand) on a need-to-know basis. Examples: business partner details (contact / roles / hierarchy / identifiers).

PUBLIC: Approved information for public disclosure. Examples: marketing flyers; public website content; product marketing features.
11. Organizational Controls: Password and Email Security Requirements

Strong Passwords

Strong passwords help you secure your digital identity while accessing applications and information. Passwords should be:
✓ A minimum of fifteen (15) characters in length, for standard user accounts as well as for Generic and Service Accounts.
✓ Built from at least 3 of the following four character classes, with at least 1 character taken from each class used:
  ✓ Uppercase letter (A-Z)
  ✓ Lowercase letter (a-z)
  ✓ Digit (0-9)
  ✓ Special character (~`!@#$%^&*()+=_-{}[]|:;”’?/<>,.)
✓ Changed as mandated (90 days for standard user accounts and 365 days for Generic and Service Accounts).
× Do not use the same password for different accounts.
× Do not use the “remember password” option in browsers or applications.
× Do not enter passwords when using unsecured Wi-Fi connections; hackers can intercept them.
× Do not log in on computers you do not control (at cafes or libraries); they may have malware that steals your password.

Email Usage

You must adopt the following guidelines for secure email usage:
✓ Riversand’s business email addresses may not be used for non-business-related purposes.
✓ Employees are responsible for all activity on their assigned email account.
✓ Employees should avoid opening any suspicious emails and attachments from unknown senders. Suspicious emails should be forwarded to securityincident@riversand.com.

Some of the industry’s best practices are:
✓ Every email should have a signature and an information security disclaimer.
✓ Be cautious when an e-mail redirects you to a site that asks you to submit your account credentials. Always double-check the URL.
× Avoid sending messages with large file attachments to email distribution lists.
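The access review intervals on slide 10 (60 days for critical and privileged accounts, 90 days for all others) and the password rules on slide 11 (15 characters, 3 of 4 character classes, 90-day or 365-day rotation) are the kind of policy statements that an identity team turns into an automated check. The following is an added example of such a check, not code from the training deck or from Syndigo/Riversand. It assumes: account kinds named standard, privileged, generic and service; that the curly quotes in the slide's special-character list stand for the straight characters " and '; that no maximum password age applies to privileged accounts because the slide states none; and a constructed set of account records evaluated as of the deck's own date, June 9, 2023.

```python
"""Policy checks for the access-review (slide 10) and password (slide 11) rules.
Added example, not part of the training deck. Account records are constructed."""
from datetime import date
import string

# Slide 11: composition rules.
MIN_LENGTH = 15
MIN_CLASSES = 3
# Special characters as listed on the slide; its curly quotes are assumed to
# mean the straight characters " and ' (assumption, not stated in the deck).
SPECIAL_CHARS = set("~`!@#$%^&*()+=_-{}[]|:;\"'?/<>,.")
CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": SPECIAL_CHARS,
}

# Slide 11: maximum password age in days. Privileged accounts are absent because
# the slide gives no rotation period for them (assumption: no check is applied).
PASSWORD_MAX_AGE = {"standard": 90, "generic": 365, "service": 365}
# Slide 10: access review interval in days ("critical system accounts and
# privileged accounts" every 60 days, everything else every 90 days).
REVIEW_INTERVAL = {"privileged": 60, "standard": 90, "generic": 90, "service": 90}


def check_password(password):
    """Return the list of composition-rule violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"length {len(password)} is below {MIN_LENGTH}")
    present = {name for name, chars in CLASSES.items() if any(c in chars for c in password)}
    if len(present) < MIN_CLASSES:
        missing = ", ".join(sorted(set(CLASSES) - present))
        problems.append(f"only {len(present)} of {MIN_CLASSES} character classes used (missing: {missing})")
    return problems


def days_overdue(last_done, interval_days, today):
    """Days past the deadline; negative while the action is still within its interval."""
    return (today - last_done).days - interval_days


def overdue_items(accounts, today):
    """Flag accounts whose password change or access review is past its interval.

    Each account is a dict with keys name, kind, password_changed and last_review.
    Returns (name, check, days_overdue) tuples for every breached rule.
    """
    findings = []
    for acct in accounts:
        kind = acct["kind"]
        if kind in PASSWORD_MAX_AGE:
            late = days_overdue(acct["password_changed"], PASSWORD_MAX_AGE[kind], today)
            if late > 0:
                findings.append((acct["name"], "password rotation", late))
        late = days_overdue(acct["last_review"], REVIEW_INTERVAL[kind], today)
        if late > 0:
            findings.append((acct["name"], "access review", late))
    return findings


# Constructed sample data: "today" is the deck's date, the accounts are invented.
TODAY = date(2023, 6, 9)
SAMPLE_ACCOUNTS = [
    {"name": "alice", "kind": "standard",
     "password_changed": date(2023, 4, 1), "last_review": date(2023, 4, 1)},
    {"name": "svc-backup", "kind": "service",
     "password_changed": date(2022, 1, 1), "last_review": date(2023, 5, 1)},
    {"name": "admin-db", "kind": "privileged",
     "password_changed": date(2023, 5, 1), "last_review": date(2023, 3, 1)},
]


def sample_findings():
    """Run the date-based checks over the constructed sample as of TODAY."""
    return overdue_items(SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for pw in ("Correct-Horse-Battery-1", "correcthorsebattery"):
        print(repr(pw), check_password(pw) or "compliant")
    for name, check, late in sample_findings():
        print(f"{name}: {check} overdue by {late} days")
```

Running the sample flags the service account whose password is older than 365 days and the privileged account whose last review is more than 60 days old, while the standard user, reviewed and rotated 69 days ago, passes both checks. Note that the composition check only counts the four classes the slide lists; a space or non-ASCII character contributes to length but not to any class.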
12. Organizational Controls: Privacy and Data Protection

Introduction

What are Personal Data and Special Categories of (Sensitive) Personal Data?

Personal Data: any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special Categories of (Sensitive) Personal Data: any information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Examples of Personal Data: name, address, phone number, email address, social security number, place of birth, date of birth.

Key Privacy Elements
• Governance
• Notice
• Collection and Use
• Lawful Processing
• Integrity
• Individual’s Rights
• Security and Breach Notification
• Data Transfers

Together these promote individuals’ awareness of their privacy and data protection-related rights and empower them to take control of their personal data.
13. Organizational Controls: Business Continuity Planning

Introduction

A Business Continuity Plan (BCP) is a document that outlines how a business will continue operating during an unplanned disruption in service. It’s more comprehensive than a disaster recovery plan and contains contingencies for business processes, assets, human resources and business partners, i.e. every aspect of the business that might be affected.

Key Takeaways
• Business continuity planning (BCP) is the process a company undergoes to create a prevention and recovery system for potential threats such as natural disasters or cyber-attacks.
• A BCP is designed to protect personnel and assets and make sure they can function quickly when disaster strikes.
• BCPs should be tested to ensure there are no weaknesses; any weaknesses found can then be identified and corrected.

Responsibilities
• Report any potential incidents to your local management or the designated official.
• Support your local management team in the execution of the defined response, continuity and recovery activities, as per your defined roles.
• Respond to evacuation alarms and drills as per set procedures.
• Prevent incidents by working according to Riversand’s Emergency Evacuation Drill Procedure.
14. Organizational Controls: Information Security Incident Management

Introduction

Security Incident: A Security Incident is defined as the occurrence of any exceptional situation that could compromise the Confidentiality, Integrity or Availability of Information and Information Systems of Riversand. It relates to exceptional situations, or a situation that warrants the intervention of senior management, which has the potential to cause injury or significant property damage.

Examples of incidents:
• Unavailability of critical systems/networks
• Compromise of critical systems/networks
• Suspected/successful hacking attempts
• Hardware resource and component lost/stolen
• Loss of information due to unknown reasons
• Power problems and loss of data
• Natural calamity or disaster
• Virus incidents regarding e-mail, Internet, CD, diskette
• Server breakdown resulting in non-availability of resources

Reporting Information Security Events
✓ Employees and third-party staff shall be made aware of their responsibilities and the procedure for reporting the security incidents that they observe or suspect.
✓ All information security events shall be reported to securityincident@riversand.com or through the portal link https://riversand.atlassian.net/servicedesk/customer/portal/22
✓ Employees can also reach out to the CISO in case reporting of information security events is required on an urgent basis, or adequate information is needed about the same.
15. Organizational Controls: Information security in supplier relationships

Introduction

Vendor risk management (VRM) or Supplier Risk Management is the process of ensuring that the use of service providers and IT suppliers does not create an unacceptable potential for business disruption or a negative impact on business performance.

Some of Riversand’s practices as per policy are:
✓ Third parties must abide by the Riversand Information Security Policy (ISP) in addition to the information security clauses agreed in the supplier agreement with Riversand.
✓ Vendor security checks shall be conducted with suppliers/third parties with whom Riversand intends to share confidential or restricted data.

Some of the industry’s best practices are:
✓ It is mandatory for vendors/suppliers and contractors to be part of the mandatory information security awareness training.
✓ Vendors and suppliers should know the reporting channel to report any information security breach/incidents they observe.
× DON’T treat the due diligence process as a one-and-done activity that can be set aside after the contract is signed. Doing so will prevent you from identifying and addressing any emerging risks.
× DON’T forget about the activity’s risk because it’s outsourced. Remember that the risk is still your responsibility!
16. Organizational Controls: Cloud Security

Introduction

Cloud security is a collection of procedures and technology designed to address external and internal threats to business security. Organizations need cloud security as they move toward their digital transformation strategy and incorporate cloud-based tools and services as part of their infrastructure.

Best practices of cloud security for protecting cloud infrastructure:
✓ Secure access to the cloud
✓ Manage user access privileges
✓ Provide visibility with employee monitoring
✓ Monitor privileged users
✓ Educate employees against phishing
✓ Ensure you meet IT compliance requirements
✓ Respond to security incidents
18. People Controls: Human Resource Security and Remote Working Best Practices

Human Resource Security

Prior to Employment (Screening): Prior to employment, candidates are subject to personal verification screening of their experience, credentials and/or other personal factors relevant to the role.

During Employment: Ensure that employees and contractors are aware of and fulfil their information security responsibilities.

Termination and Change of Employment. Key activities during an employee termination or change of employment:
• The departing employee must adhere to the terms and conditions.
• The employee’s manager must notify HR about the termination or change of employment.

Remote Working Best Practices
• Testing Effectiveness
• Proper Technology
• Incident Reporting
• Secure Connections
• Communication Programs
• Trust
19. People Controls: Social Engineering

Different types of Social Engineering attacks

Baiting: A scammer uses a false promise to lure a victim into a trap which may steal personal and financial information or infect the system with malware.

Pretexting: A criminal creates a fictional backstory that is used to manipulate someone into providing private information or to influence behavior.

Scareware: Victims are bombarded with false alarms and fictitious threats. Users are deceived into thinking their system is infected with malware.

Phishing: Attempting to acquire sensitive information by masquerading as a trustworthy entity using bulk email, SMS text messaging, or by phone.

Spear Phishing: Spear phishing is a targeted phishing attack. While phishing emails are attempts to scam masses of people, spear phishing emails are sent to just one person or organization.

How does a Social Engineering attack happen?

Consider this example of spear phishing that convinced an employee to transfer $500,000 to a foreign investor:
• Thanks to careful spear phishing research, the cyber criminal knows the company CEO is traveling.
• An email is sent to a company employee that looks like it came from the CEO. There is a slight discrepancy in the email address, but the spelling of the CEO’s name is correct.
• In the email, the employee is asked to help the CEO out by transferring $500,000 to a new foreign investor.
• The email stresses that the CEO would do this transfer herself, but since she is traveling, she can’t make the fund transfer in time to secure the foreign investment partnership.
• Without verifying the details, the employee decides to act.
• A few days later, the victimized employee, CEO, and company colleagues realize they have been victims of a social engineering attack and have lost $500,000.
20. People Controls: Phishing Attacks

Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity and stealing YOUR IDENTITY, by sending emails that seem legitimate.

Types of Phishing Attacks
• Traditional Phishing: Usually involves a mass email that goes out to thousands of individuals.
• Cloned Phishing: A legitimate email is used to create an almost identical, or cloned, email.
• Spear Phishing: A targeted and personalized attack on a specific organization or individual.
• Smishing: The phishing message is received on a mobile device via text message.
• Vishing: Phishing is attempted over a voice call via telephone / mobile phone.
• Whaling: Phishing is attempted on senior executives or high-profile managers.
22. Physical Controls: Physical & Environmental Controls (Requirements)

Visitor and Physical Security

You must adopt the following guidelines for Visitor and Physical Security:
✓ An acceptable form of identification must be provided. All visitors to a site must produce an official ID upon arrival. The visitor recording system must be fully completed.
✓ Visitors are not to be issued an access badge allowing access to restricted areas or zones without prior authorization from the appropriate host or manager of the area.
✓ All visitors are required to provide official ID as stated above and sign into the visitor recording system.
✓ Do not leave access-controlled doors open / Do not allow tailgating or piggybacking.

Clear Screen and Clear Desk Policy

You must adopt the following guidelines:
✓ Lock the Windows session when leaving your desk, even for a short period of time, for example when going for a coffee or to the printer. You do not need anyone sneaking around your work or putting it in danger. Just press Windows + L.
✓ Do not leave sensitive documents unattended at your desk. Store them in a locked file or drawer.
✓ Clean the whiteboard/flipchart after meetings. If you don’t need sensitive documents anymore, use the shredder to destroy them.
✓ Only share business information on a need-to-know basis, inside and outside our office.
23. Physical Controls: Secure Remote Devices (Best Practices)

Laptops

You must adopt the following guidelines for secure laptops:
✓ Always lock your laptop screen while you are away
✓ Connect to Riversand’s VPN as and when required
× Do not leave your laptop unattended in public places
× Do not let anyone else use your laptop
× Do not disable anti-virus on the laptop
× Do not download any files from unauthorized websites
× Do not connect to freely available public Wi-Fi while working remotely

Mobile Devices

You must adopt the following guidelines for secure mobile devices:
✓ Enable password protection on the mobile device and connect only to known and secure Wi-Fi access points
✓ All mobile devices must be registered in a centrally managed inventory by using an approved automated process or solution
✓ Access to Riversand’s applications such as email, HR/payroll, web browsers, etc. must be secured using Riversand’s provided authentication and protection measures
✓ All Riversand's information on a mobile computing device must be securely disposed of when the device is decommissioned, terminated, stolen or lost
✓ It is prohibited to install and use malicious apps
× Do not let anyone use your mobile device
× Do not click on suspicious links sent through SMS/Emails
25. Technology Controls: Malware, Vulnerability Management & Cryptography (Requirements)

Malware and Vulnerability Management
✓ Malware can enter and destroy a system through small neglects. Various ways in which malware can enter a system: Virus, Worms, Phishing, Identity Thefts.
✓ A vulnerability, as defined by the International Organization for Standardization (ISO 27002), is “a weakness of an asset or group of assets that can be exploited by one or more threats.”

Below is an indicative list of requirements to be followed for Vulnerability Management:
✓ All vulnerabilities must be assessed and remediated as per the defined timelines
✓ Vulnerabilities must be patched through a reliable approved server or repository

Cryptography

Cryptography is the science of writing in secret code so that only the intended recipient of a message can understand its content. Encryption converts usable information (known as plain text) into an unreadable format.

Below is an indicative list of best practices to be followed for cryptography:
✓ Weaker or older versions of algorithms must not be used
✓ Algorithms with known vulnerabilities must not be used
✓ Under key management, a cryptographic key must only be used for its intended purpose
• 26. © 2023 Syndigo LLC
Technology Controls: Recent Cyber Attacks
 "India recorded the second highest number of attacks, with a total of 7.7 per cent of the total attacks on the healthcare industry in 2021," according to cyber security intelligence firm CloudSEK's report seen by PTI.
 Specifically, researchers focused on four common types of cyberattacks: Ransomware, Business Email Compromise (BEC) attacks, Cloud compromises, and Supply chain attacks.

AIIMS: The attack on the All-India Institute of Medical Sciences (AIIMS) came to light on November 23, 2022. The attack could have exposed the data of around 40 million patients.

SpiceJet: In June, Indian airline operator SpiceJet cancelled many of its flights after being targeted by an attempted ransomware attack. SpiceJet was forced to suspend flights, which resulted in delays and cancellations.

Log4j Breach: In December 2021, a zero-day vulnerability was discovered in the Log4j Java library. Log4j is used worldwide across software applications and online services, and the vulnerability required very little expertise to exploit.

Audi and Volkswagen Cybersecurity Breach: In June 2021, Audi and Volkswagen revealed that a data breach affected more than 3.3 million customers and prospective buyers, who were primarily U.S.-based.
• 27. © 2023 Syndigo LLC
Technology Controls: Internet Security & Reporting Suspicious / Unusual Behavior

Internet Security. The internet is the backbone of our business processes. Hence, we should ensure the following:
 Check for secure web connections (https)
 Double-check that the URL is legitimate
 Check the authenticity of the source
 For any suspicious or unusual behavior on your laptop, immediately disconnect it from the network first and then contact the Information Security Team
× Do not use the internet to access non-business-related sites, social networks or file transfer services
× Never click on pop-ups
× Do not upload sensitive information to any public platform

Reporting Suspicious / Unusual Behavior. Examples of suspicious/unusual behavior include, but are not limited to:
 Unknown individuals taking photos on the office premises
 Visitors walking around unattended without badges
 A user working on some other user’s system
 A user sharing his / her password

What can you do to help mitigate the risk?
 Be alert for suspicious behaviors
 Notify the Information Security team immediately after observing any suspicious / unusual behavior
 Suspicious emails should be forwarded to securityincident@riversand.com
 Refer to the Information Security Incident Management Procedure for more details on reporting risks
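The three "Internet Security" checks above (https, legitimate URL, authentic source) are exactly the checks a link-inspection helper or mail gateway automates. The following is an added example written for this page, not code from the training deck or from Riversand/Syndigo; it flags the common ways a link misleads a reader. The `TRUSTED_DOMAINS` set and the sample URLs are constructed assumptions.

```python
"""Added example: a defender-side URL inspection matching the slide's checks.
Not part of the original slides; TRUSTED_DOMAINS and the sample URLs are
constructed for illustration."""
import ipaddress
from urllib.parse import urlsplit

# Assumption: domains the organisation treats as legitimate for its own services.
TRUSTED_DOMAINS = {"riversand.com", "syndigo.com"}


def check_url(url, trusted=TRUSTED_DOMAINS):
    """Return a list of findings for a URL; an empty list means it passed every check."""
    findings = []
    parts = urlsplit(url.strip())

    # Check 1: secure web connection (https) on the slide.
    scheme = parts.scheme.lower()
    if scheme != "https":
        findings.append(f"not https (scheme={scheme or 'none'})")

    # Check 2: is the URL legitimate? Look at the part the browser actually connects to.
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        findings.append("no hostname")
        return findings
    if parts.username is not None:
        # "https://riversand.com@evil.example" connects to evil.example, not riversand.com.
        findings.append("text before '@' is a username and hides the real host")
    try:
        ipaddress.ip_address(host)
        findings.append("bare IP address instead of a domain name")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode hostname; may be a lookalike of a known domain")

    # Check 3: authenticity of the source. The host must be a trusted domain or a
    # subdomain of one; "riversand.com.evil.example" deliberately fails this.
    if not any(host == d or host.endswith("." + d) for d in trusted):
        findings.append(f"host '{host}' is not a known domain")
    return findings


def is_safe_to_open(url, trusted=TRUSTED_DOMAINS):
    return not check_url(url, trusted)


if __name__ == "__main__":
    # Constructed sample links, as they might appear in an email.
    for link in [
        "https://www.riversand.com/login",
        "http://riversand.com/login",
        "https://riversand.com@evil.example/login",
        "https://riversand.com.evil.example/reset-password",
        "https://192.0.2.10/portal",
    ]:
        print(link, "->", check_url(link) or "OK")
```

A link with findings is not automatically malicious; the point is that each finding corresponds to one of the slide's manual checks, so the helper tells the reader which check failed and why a quick visual look at the link text would have missed it.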
• 28. Key Points to Remember
• 29. © 2023 Syndigo LLC
Quick Recap

Do’s:
1. Follow the password policy for new passwords and change passwords as directed
2. Report any incident / suspicious activity as directed by the Information Security policy
3. Follow a clear-desk, clear-screen policy
4. Use your mobile devices appropriately
5. When on the premises, always wear your ID card so that it is visible
6. Always escort visitors
7. Classify digital and paper documents according to the organizational classification policy

Don'ts:
1. Do not click on any suspicious email/link
2. Do not leave important documents on the desk
3. Do not leave critical documents in the printer
4. Do not use social media to disclose organizational information
5. Do not fall for scams/traps that lead to loss of confidentiality of organizational information
6. Do not use corporate email IDs on any outside websites/portals
• 30. © 2023 Syndigo LLC
References
Please use the link below to refer to the security policies:
Sharepoint link for policies
  • 31. © 2023 Syndigo LLC Q&A
  • 32. © 2023 Syndigo LLC Thank you