
ISMS End User Awareness

Wipro Consulting Services


Governance , Risk & Compliance

14th July 2017

© 2017 Wipro wipro.com confidential 1


Security Basics



What is Information Security?

"Information security is the protection of information by preserving its confidentiality, integrity and availability, along with its authenticity and reliability."

The Information Security Triad

Confidentiality: information is not made available or disclosed to unauthorized individuals, entities or processes. Measures include encryption, awareness of social engineering, access rights, secured storage, etc.

Integrity: safeguarding the accuracy and completeness of assets. Measures include access controls, backups, etc.

Availability: assets are accessible and usable on demand by an authorized entity. Measures include a Disaster Recovery Plan, redundancy, high availability, etc.
Implementing Information Security

Process: policies, and information security procedures and guidelines. Suitable policies and processes need to be implemented for effective InfoSec.

People: security awareness workshops. An aware workforce is the best defence against information security threats.

Technology: technical systems. The right technology needs to be implemented for cost-effective InfoSec.

Introduction to ISO 27001:2013 Standard



ISO 27001:2013 Standard

• ISO/IEC 27001 is the international standard that specifies the requirements for an Information Security Management System (ISMS) used to safeguard an organization's assets (its companion, ISO/IEC 27002, gives implementation guidance for the controls)
• ISO 27001:2005 was the first edition of the standard, developed from the British standard BS 7799-2
• ISO 27001:2013 was published on 25th September 2013 and replaced ISO 27001:2005
• A comprehensive set of clauses and controls (Annex A) comprising best practices in information security
• A framework for building a risk-based security management system
ISMS Team

• PSPCL Executive Management
• Information Security Council (ISC): DGM-IT (SD&I), SE-IT (A&PM), Sr. XEN (ISM)
• Information Security Management Team (ISMT)
• Process Owners with Team Representatives
End User’s Role



Information Security – Who is responsible?

Myth: the IT Department takes care of Information Security.

Reality: we are all responsible!

• Every PSPCL employee
• Consultants who work with PSPCL
• Strategic partners who work with PSPCL
• Contractors who work with PSPCL
Information Asset Classification
What is an asset?
• An asset is any tangible or intangible thing or characteristic that has
value to an organization
• Examples – Customer forms, bills, Contracts, databases, IT
hardware, application software, system software, development tools,
system documentation, audit trails, etc.

Who owns the asset?

• Any person who has fiduciary responsibility for the asset.

Why classify assets?

• To protect and secure them according to their criticality and sensitivity
• Helps meet regulatory and legal requirements
• Helps meet the requirements of industry standards
Information Asset Classification Baseline (highest to lowest sensitivity)

• Secret
• Highly Confidential
• Confidential
• Internal
• Public
Information Asset Classification Baseline

Public
Non-sensitive information available for external release. Examples include periodicals, bulletins, financial statements, press releases, etc.

Internal
Information generally available to employees and approved non-employees such as contractors and trainees. Examples include staff memos, newsletters, staff awareness programme documentation or bulletins, etc.

Confidential
Less sensitive business information intended for use by employees, other business units, approved non-employees such as contractors and trainees, and customers; it may be printed in hard copy. Examples include departmental memos, work programmes, schedules, plans, etc.

Highly Confidential
Sensitive information related to projects and personnel, intended for use by employees, customers and approved non-employees such as contractors and trainees; it may be printed in hard copy only with the approval of the HOD. Examples include personal information, business plans, unpublished financial statements, etc.

Secret
Highly sensitive information, within and outside the organization, whose leakage could damage national security; the label is applied to documented information. Examples include design documents, drawings, contracts, etc.
Password Security

Do's
• Keep your passwords secret
• As per policy, a password must be at least 8 characters long and contain letters, numbers and special characters (#, @, *, $, &, %)
• Use passwords that are easy to remember but difficult to guess
• Change your password every 90 days, before it expires

Don'ts
• Don't use passwords based on your personal information or on words found in a dictionary
• Don't write down or store passwords
• Don't share your passwords with anyone
• Don't reveal passwords in email, chat or other communication

How long does it take to crack a password?

Length        Lowercase only   + Uppercase   + Numbers & Symbols
6 characters  10 mins          10 hrs        18 days
7 characters  4 hrs            23 days       4 years
8 characters  4 days           3 years       463 years
9 characters  4 months         178 years     44,530 years

These figures assume an attacker exhausting the whole keyspace at about 5 x 10^5 guesses per second (the rate implied by 26^6 candidates in 10 minutes). Offline cracking on modern hardware is many orders of magnitude faster, and dictionary or rule-based attacks recover passwords built from words or personal details without exhausting the keyspace at all, so the table shows the minimum a strong password needs, not a guarantee.
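As an added example (not part of the original Wipro/PSPCL slides), the following Python script checks a password against the policy stated above, flags passwords that are just a dictionary word padded with digits and symbols (these pass the policy but fall quickly to a rule-based attack), and reproduces the crack-time table from the keyspace arithmetic behind it. The small word list, the 94-character alphabet used for the last column, and the "fast attacker" rate are assumptions for illustration, not benchmarks.

```python
"""Password policy check and brute-force time estimate.

Added example, not from the original slides. The policy rules follow the
slide; the character-set sizes, the constructed word list and the guess
rates are assumptions for illustration.
"""
import string

POLICY_MIN_LENGTH = 8
POLICY_SPECIALS = set("#@*$&%")  # the special characters the slide lists

# Constructed mini word list standing in for a real dictionary-attack list.
COMMON_WORDS = {"password", "welcome", "summer", "admin", "pspcl"}

# Alphabet sizes behind the three columns of the crack-time table
# (the last one is printable ASCII without the space character; assumption).
ALPHABETS = {
    "lowercase": len(string.ascii_lowercase),                        # 26
    "mixed case": len(string.ascii_letters),                         # 52
    "mixed case + digits + symbols": len(string.ascii_letters)
        + len(string.digits) + len(string.punctuation),              # 94
}


def meets_policy(password: str) -> bool:
    """True if the password satisfies the slide's stated minimum policy."""
    return (
        len(password) >= POLICY_MIN_LENGTH
        and any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in POLICY_SPECIALS for c in password)
    )


def dictionary_based(password: str, words=COMMON_WORDS) -> bool:
    """True if the password is just a common word padded with digits/symbols.

    Strips non-letters and lower-cases the rest, so 'Password@1' and
    'PASSWORD#2017' both reduce to 'password'. Cracking tools generate such
    variants with rules, so the padding adds almost no real strength.
    """
    base = "".join(c for c in password if c.isalpha()).lower()
    return base in words


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must try in the worst case."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to brute-force every password of this shape."""
    return keyspace(alphabet_size, length) / guesses_per_second


def implied_guess_rate(alphabet_size: int, length: int, seconds: float) -> float:
    """Reverse the table: the guess rate that turns a keyspace into a quoted time."""
    return keyspace(alphabet_size, length) / seconds


def humanize(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def report(password: str, guesses_per_second: float) -> dict:
    """Policy verdict plus worst-case brute-force time for one password."""
    size = 0  # alphabet a brute-forcer would need to cover this password
    if any(c.islower() for c in password):
        size += len(string.ascii_lowercase)
    if any(c.isupper() for c in password):
        size += len(string.ascii_uppercase)
    if any(c.isdigit() for c in password):
        size += len(string.digits)
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    secs = seconds_to_exhaust(size, len(password), guesses_per_second)
    return {
        "meets_policy": meets_policy(password),
        "dictionary_based": dictionary_based(password),
        "alphabet_size": size,
        "brute_force": humanize(secs),
    }


if __name__ == "__main__":
    # Rate implied by the slide's first cell: 26^6 candidates in 10 minutes.
    slide_rate = implied_guess_rate(ALPHABETS["lowercase"], 6, 10 * 60)
    print(f"rate implied by the table: {slide_rate:,.0f} guesses/s")
    for length in (6, 7, 8, 9):
        row = [humanize(seconds_to_exhaust(n, length, slide_rate)) for n in ALPHABETS.values()]
        print(length, *row, sep=" | ")
    # Hypothetical much faster offline attacker (assumed figure, not a benchmark).
    fast_rate = 1e10
    for pw in ("Password@1", "Tr#9kzQ2vB"):
        print(pw, report(pw, slide_rate), "fast attacker:", report(pw, fast_rate)["brute_force"])
```

Running the script reproduces the table's rows to within rounding and shows that "Password@1" satisfies every rule on the slide yet is flagged as dictionary-based, which is the gap the "Don'ts" column is warning about.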
Malware Protection

Malware (malicious software) is software developed to harm the confidentiality, integrity or availability of information.

Common types of malware are viruses, worms, Trojans and spyware.

• Ensure that the antivirus is running on your desktop
• If the antivirus is not present or not functioning, report it immediately to the IT service desk
• Scan all files coming from external sources (such as email, the internet or USB drives)
• Do not open or download executable files (such as .exe) received as email attachments
Spam

Spam is unsolicited email broadcast indiscriminately to many mailing lists, individuals or newsgroups.

• Never reply to spam or share any personal information
• Don't buy anything from a spam mail
• Be careful when opening an email attachment if anything about the message seems unusual
• Share your email address only with people you know
• Don't forward an email from someone you don't know to a list of people
Email Security

Do's
• Use email only for business purposes
• Use only official email IDs for official purposes
• Retain important emails for evidence/record purposes

Don'ts
• Transmitting offensive material such as political opinion, pornography or sexual harassment material
• "Spamming": sending unsolicited messages or promotions, or sending or forwarding chain letters
• Creating, sending, receiving or storing material that infringes the copyright or other intellectual property rights of any third party
Clear Desk & Clear Screen

Do's
• Lock your desktop when leaving your workplace
• Ensure your desk is clear and no sensitive information is left lying around
• Be aware of shoulder surfers in the office and in public places
• Be cautious while handling sensitive information
• Shred unwanted documents

Don'ts
• Don't forget to collect your printouts from the printer
• Don't forget to clear the whiteboard when leaving a meeting room
• Don't use or install any unauthorized software
Mobile Usage – Best Practices

• Take the time to learn and use the security settings on your mobile devices
• Do not allow the device to connect automatically to unknown wireless networks (unknown security settings may expose the device to hacking or malicious programs)
• Never leave the device unattended
• Use the encryption and/or password protection security features
• Use a strong password: create passwords that are tough for attackers to crack but easy for you to remember
Social Media Usage – Best Practices

• Be aware that individuals online may not be who they claim to be
• Be familiar with and configure the security and privacy settings to protect your user profile and information
• Assume that information posted on a social media site is on the Internet, even if you have restricted it to certain users
• Know the reputation, terms of use and security risks of a social media site before you start using it
• Use strong passwords to secure your social media accounts and change them every 45 days
Social Engineering

• Avoid discussing sensitive information with others in public
• Do not give out sensitive information over email or telephone without proper verification of the requester's identity
• Always confirm the other person's identity when you receive a call you were not expecting
• When discussing any important business issue, make sure no one else is listening
Physical Security
Information Security Incidents

A security incident is a real or potential security event that has a harmful impact on business operations or users. Examples:

• Virus, spyware and hacking attempts
• System malfunction
• Loss or theft of data
• Failed or successful attempts to gain unauthorized access to data
• Violation of PSPCL's security policy
Information Security Incidents Reporting

Do's
• Report security incidents on the security incident portal
• Contact the IT department for all IT-related security incidents
• Contact the Security team for all physical-security-related incidents

Don'ts
• Don't discuss security incidents with anyone outside PSPCL
• Don't attempt to prevent anyone from reporting an incident
• Never talk to media persons unless authorized
Key Points for Take Away

• PSPCL is pursuing ISO 27001:2013 certification

• Safeguard company data – protect confidential files under lock & key

• Avoid Spam mails

• Maintain Clear Desk and Clear Screen

• Report Information Security Incidents to Helpdesk


Regional Office Compliance

• Maintain Information Asset Register

• Maintain Risk Register

• Update IT Asset register

• Follow ISMS Checklist


Pre-Audit observations

• Password Sharing

• SAP ID sharing

• Computer not locked

• Cabling hygiene

• Safeguarding of Server/Switch, network racks

• Fire extinguishers not installed properly

• Coverage of all offices under R-APDRP


Thank You
Anirudh Shetty
Consultant, GRC
Wipro Consulting Services
