Information Security Awareness

Policies & Practices @ Happiest Minds


Happiest Minds Internal 1
Training Objectives

• Why do we have to secure information?
• Where do we begin?
• How do I implement?
• What are the measures required?
• How are the measures implemented?
• How can I apply the measures?
• How do I contribute to improving the measures?

When things go wrong... it impacts

Undesirable Scenarios, each with its Undesirable Impact:

• What if your bank accounts are hacked
  – You lose confidence in your Bank
• If one of the credit cards misused happens to be yours
  – You incur financial loss and go through a lot of pain
• Your healthcare provider loses your medical history file
  – Your medical history on Facebook?
• Someone leaks your solution/proposal to competitors
  – Customer loses confidence in us
• Accidental erasure of customer data
  – Our reputation takes a hit
• A breach in network or data security exposes the customer environment
  – Business performance takes a hit

What can go wrong?

Undesirable Scenarios, each with its likely cause:

• What if your bank accounts are hacked
  – Failure of network, application and user level security
• If your credit cards happen to be misused
  – Maybe this is due to an incorrect statement
• Your healthcare provider loses your medical history file
  – It could be due to lack of physical security
• Someone leaks your solution/proposal to competitors
  – Maybe intentional / due to loss of a USB drive
• Accidental erasure of customer data
  – Negligence, Errors & Omissions
• A breach in network or data security exposes the customer environment
  – Lack of awareness on security & customer contractual requirements

Staying aligned

MVV: Integrity Policy

Enablers, each with its Measures & Actions:

• Maintaining Confidentiality of Corporate Information
  – Information Security Policy
• Ensuring that Information is kept reliable
  – Acceptable Use of Information Assets
• Preventing unauthorized modifications to Systems or Information
  – ID card, Access Controls, Passwords, Anti-malware
• Using computers & smart “devices” responsibly
  – Licensed software, BYOD, Audit trails
• Protecting Systems or Data from loss, theft or damage
  – Back-up, Monitoring, Reporting incidents

Performance, Compliance
Information security begins with You

• Security begins from the on-boarding process
  – Employment agreement clauses; Integrity policy
  – Creating awareness about Information Security policies
• Securing information and related assets
  – People are the key enablers of security by compliance to policies
  – Security can only be as strong as the weakest link in a chain
• Safety & Security of people, a key aspect of ISMS
• To know the policies
  – http://smilescentral.happiestminds.com >> Resources >> Policies >> Information Security Policies
  – Direct Document Link: Information Security awareness

Approach to ISMS – ISO 27001

[Figure: the ISO 27001 Plan-Do-Check-Act cycle]

Inputs to the ISMS: Internal and External Issues; Needs and Expectations of Interested Parties
Output of the ISMS: Intended outcome of ISMS

• PLAN – Establish ISMS
• DO – Implement & Operate ISMS
• CHECK – Monitor & Review ISMS
• ACT – Maintain & Improve ISMS

Information Security Management Structure

[Figure: organization chart, top to bottom, with each level's role]

• CEO & Management Council – Strategic, Advisory, Monitoring & Practice
• Chief Information Security Officer (CISO), Information Security Manager (ISM) & Security Coordination Committee – Policy, coordination, Audit & Practice
• IT – Information Security Functions – Implement & Practice
• Physical Security (Admin), Personnel Security (PP), Quality & Compliance Audits (Engg. & Biz Excellence), Legal, SPE, Business Units (DTES, IMSS & Finance) – Implement & Practice
• Information Owners (Unit Heads, Project Managers, Practice Leads, Managers) – Implement & Practice
• All Users of Happiest Minds Technologies Information Systems (Happiest Minds’, Consultants, Vendors etc.) – Practice

Information Security is everyone's responsibility


Information/Data Ownership

• Information/Data exists in many forms
  – Electronic, paper, spoken, voice mails, processes, etc.
• Data requires ownership
  – Creator owns the data on behalf of the organization and as per role
  – With regard to customer data, the delivery team owns the data
  – Owner assumes responsibility for the security of data assets
  – Owner may appoint a custodian as per process
• Owners define/demand data protection
  – As per customer’s requirements and
  – Legal or regulatory compliance requirements
• Owners work with the data custodian
  – IT function is a typical custodian
    • E.g. for functional, practice or project data stored on Office365 SharePoint or Redmine
  – For data on laptops, smartphones or USB drives, the Owner remains the custodian

Owners’ or Custodians’ Responsibilities

• Owners are responsible for
  – Classification of their information assets
  – Risks associated with their assets
  – Identifying specific security protection requirements
    – E.g. Determining and controlling who can access and do what
  – Ensuring that requirements are implemented and complied with
  – Can delegate but retain accountability
    – For any loss, damage, disclosure or other breaches

• Who can be an owner or custodian
  – Practice Leads/Heads, Delivery Heads, Project Managers
  – Business/Function heads have ultimate accountability

Information Classification

• Published
  – Information that can be released to the public, media, etc. or obtained from public sources
• Internal
  – All Happiest Minds can access, e.g. policies
• Restricted
  – E.g. project data, available to only team members
• Confidential
  – Data requiring highly restricted access
• Client Confidential
  – Data about customers or their customers requiring specific handling as per MSA

Information Security

• Physical Security
• Password Controls
• Email usage, Internet usage
• Anti-Virus, Anti-malware
• Data security & Privacy
• Software Usage & Copyrights
• Safety of Computer Media
• Clear Desk and Clear screen
• Social Engineering
• Laptop Security
• Security Incident Reporting
• Data Back-up & Business Continuity
• BYOD, Legal Compliance
Security begins at the doorstep

Do’s
• Always wear your photo ID while in SMILES premises
• Swipe in & out for marking presence in office
• Report lost or stolen ID or access card immediately to the Head of Facility by email
• Escort your visitors, have them sign in/out and ask them to declare their laptops, USBs & media
• Report to security at reception if you see any suspicious activity

Don’ts
• Do not share your access card
• Failing to get a temp ID or to record in the register if you have forgotten your ID
• Attempting to enter restricted areas without authorization
  – GNSOC, Server & communication switch rooms, UPS room, any area marked for authorized personnel entry only

Password policy

Do’s
• Comply with the policy
• Choose strong passwords
• Change your password before expiry
• Maintain secrecy of your log-on credentials
• Avoid log-on after 3 failed attempts & contact IT immediately

Don’ts
• Do not share your passwords
• Do not write them down
• Do not use a sequence when changing passwords
• Do not ask for others’ passwords
• Do not try to guess & use others’ user ID & password

• Report to the IT Help Desk if your account has been disabled or if you suspect that your account could have been compromised
Clear Screen and Clear Desk policy

Do’s
• Lock your desk(lap)tops before leaving your desk
• Log-off all sessions before leaving for the day
• Lock all project related media and documents in the drawers provided
• Be aware of your surroundings while discussing official matters
• Observe this policy while you are away from the office

Don’ts
• Leaving your desk(lap)tops unlocked
• Leaving media and sensitive/confidential documents unattended
• Failing to collect your print-outs immediately
• Shoulder-surfing
• While leaving for the day, forgetting to shut down your desktop & switch your monitor off

• Be aware that sensitive data could leak through voicemails & faxes too
Email & Internet – Acceptable Usage Policy

Do’s
• Use only for business purposes
• Avoid connecting thru’ insecure networks
• Use licensed anti-virus on personal devices
• Check recipient email IDs before sending
• Be aware that mis-use of emails & Internet may attract penal actions per company policies & laws of the land
• Use Information Rights Management to protect your emails

Don’ts
• Sending bulk/mass emails
• Forwarding email chains
• Emailing inappropriate content
• Visiting unauthorized sites
• Downloading & installing software without IT/Manager’s approval
• Disabling security controls
• Attempting to hack or crack

• Be aware that your activity may be monitored for business and security reasons
Acceptable Use… cont.

Do’s
• Understand the criticality and sensitivity of your data
• Classify your data appropriately
• Provide access to data based on business needs
• Provide minimum access
• Monitor access
• Educate your users
• Revoke access once the “business need” is over
• Use SharePoint / File Server to store all your data
• Follow the Social Media policy

Don’ts
• Forwarding official data to your personal emails / unauthorized people
• Carrying official data on personal devices without encryption
• Using applications like Dropbox
• Violating licensing agreements
• Posting Happiest Minds Technologies confidential information and data about its customers on social networking sites
• Not backing up business data

While you are away from office

Do’s
• Observing policies as you would when in office
• Being aware of your surroundings while discussing official matters on mobile phones in public areas
• Keep your laptop & personal devices safe
• Remember to use CTRL+ALT+DEL
• Follow customer security policies while working from their premises
• Limiting the use of public network connections

Don’ts
• Leaving your laptop / mobile devices unattended
• Checking in your laptop when you fly
• Talking loudly about the purpose of your travel
• Discussing your project with co-passengers
• Disabling security settings on your laptop
• Sharing your laptop

Incident Reporting

What are Incidents?
Events that either have the potential to affect or have affected the confidentiality & integrity of information or the availability of information and related systems & applications

Incidents can be
» Loss of data; Virus attacks
» Hacking/Cracking attempts
» License violations
» Unauthorized disclosure of confidential data
» Unauthorized software installation
» Loss of ID & Access card
» Unauthorized visitors

What do you need to do?
• Recognize security incidents
• Report security incidents
• To report
  – Call SmilesDesk 3060
  – Email to Compliance@happiestminds.com
  – Use SMILESCENTRAL helpdesk
• Report physical security breaches/incidents to Admin

Back-up Process

• Your email data
  – Office365 ensures that emails are available 24/7 as part of the service
• Your practice/functional/operational data
  – Use of SharePoint/File Server ensures that data/information are available 24/7
• For customer projects,
  – Identify Configuration Items and
  – Store them in the project management system
• IT maintains a back-up file server on SMILES LAN
  – Request IT to allocate space on the file server; secure back-up media if used
• Control access to your backed-up data whether on Cloud or stored locally
  – And remove access when the “business need” is over

What is Expected of You?

• Read, understand & comply with security policies
• Use information system resources for business purposes only
• Comply with customer security requirements for your project
• Control access to your data
• Do a regular back-up of your data
• Report breaches/incidents promptly
• Never reveal your log-on credentials
• Keep your gadgets physically secure

Outcomes of our coordinated actions are..

• Information: Available, Reliable & Protected
• Infrastructure: Accessible, Resilient & Secure
• Policies: Defined, Communicated, Understood & Complied with
• Processes: Defined, Implemented & Improved
• Users / End Points: Identified, Authenticated & Authorized
• Technology: Enabled, Efficient & Effective
• Actions: Guided, Aligned, Monitored & Improved


Thank you !!

Information Security
is
(y)our responsibility

Reach us at
Compliance@Happiestminds.com

Document Control

Version | Description of Change | Approval | Date of Issue
1.0 | Initial issue | Darshan Appayanna | 9/9/2015
2.0 | Document control added | Darshan Appayanna | 7/12/2016
2.1 | General review and template update | Darshan Appayanna | 26/04/2017
