
Information Security Awareness Training-2020-21

Basic concepts

LIC-ISMS-CO 2
- Information is a form of knowledge that we acquire through education, communication, experience, day-to-day activities, research and analysis. It consists of data, facts and conclusions.
- For computer professionals, information is any data, expressed as a sequence of ones and zeros.

Information can be:
- Created, modified, stored, destroyed, processed, used for a purpose
- Transmitted by electronic means, or by post etc.
- Corrupted, lost, stolen
- Printed or written on paper (hard copy), or stored by electronic means
- Displayed/published on the web, in videos, audio etc.
- Verbal – spoken in conversations

Information asset, as defined in section 2(f) of the IT Act, 2000:
- All information resources utilized in the course of any organization's business;
- Includes all information, applications (software developed or purchased) and technology (hardware, software, system software, application software, networks etc.)
- Security is not reflected in the normal functioning of a system, i.e. it is not a functional requirement. Security monitors or guides the function so that certain properties are not violated.
- A system is implemented according to the functional requirements of its technical specification; security adds the requirement that the system keeps operating according to that intention and does nothing more, even when someone is trying to misuse it.

- Security is a process, not a product. It concerns:
  - the specification of the system;
  - the design and implementation of the system, application code and protocols;
  - the installation and operation of the system: configurations and operational parameters;
  - human actions, e.g. by users and administrators.
You are the first and last line of defence for LIC.
SECURITY

Information security is the defense of information and information assets, including but not limited to information technology.
Physical elements
- Guards
- CCTV
- Restricted zone
- Downloading access
- Access rights

System elements
- Anti-virus
- Detection of malicious software
- Disablement of USB ports and CD drives

Process elements
- Authorized users / access control
- Software details
- Log entries

Cyber Attacks - 2019

- Perfect security is impossible to obtain; security is a process.
- Security should be a balance between protection and availability.
- To achieve that balance, the level of security must still allow reasonable access while protecting against the various threats.

Seven information criteria mapped to five IT resources (the COBIT information criteria and IT resources):

Information criteria: Confidentiality, Integrity, Availability, Effectiveness, Efficiency, Reliability, Compliance

IT resources: Application, Technology, Data, Facilities, Resources/people

WHY CARE NOW ???

Massively increased frequency and maturity of cyber attacks

The times, they aren't changing

Credential theft, social attacks (i.e. phishing and business email compromise) and errors cause the majority of breaches (67% or more). These tactics prove effective for attackers, so hackers return to them time and again. For most organizations, these three tactics should be the focus of the bulk of security efforts. (Verizon 2020 Data Breach Investigations Report)

Tools used by hackers:
- Email
- Browsers
- User rights
- Instant messaging

People, Process, Technology

Confidentiality: keep sensitive information protected.
Integrity: keep sensitive information intact and valid.
Availability: keep the information available and accessible to authorized users.

Critical characteristics/attributes of information security

Confidentiality
- Keep secrets secret from unauthorized persons;
- The quality or state of preventing disclosure or exposure to unauthorized individuals or systems.

Integrity
- Being whole, complete and accurate; not corrupted, damaged or distorted.

Availability
- Authorized people who need the information have access to it whenever they need it, without interference or obstruction, and in the correct format.

Accuracy
- Free from mistakes or errors and having the value the end user expects;
- No intentional or unintentional modification;
- Stored with the correct value and represented in a consistent and unambiguous form.

Authenticity
- The quality or state of being genuine: not corrupted, fabricated or produced from somewhere other than the claimed source;
- Has not been corrupted from the original after its creation.

Utility
- Used for some meaningful purpose, available in a format that is helpful to the end user.

Possession
- Authorized persons handle or possess the data according to their roles and responsibilities.

Information System (IS) Assets

Information and its existence in various forms:
- Information on local hard drives and on networks
- Information transmitted through phone lines or the Internet
- Information displayed on screen
- Information on paper – written
- Information on paper – printed
- Information stored on disks, tape, CDs
- Information from fax machines

Information Security Policies

Policy hierarchy

Policies
- High-level statements that provide guidance to all who must take present and future decisions for the security of the organization.
- Example: "Access to network resources will be granted through a unique user ID and password."

Standards
- Requirement statements that provide specific technical specifications.
- Example: "Passwords must be at least 8 characters long."

Procedures
- Mandatory actions.

Guidelines
- Recommended actions.
- Example: "Passwords should include one non-alpha character and not be found in a dictionary."

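The three password rules quoted in the hierarchy above (one standard, two guidelines) are precise enough to enforce in code. The following Python checker is an added example, not part of the LIC training material or any LIC system: it applies the 8-character minimum, the one-non-alphabetic-character rule and a dictionary lookup, and folds common substitutions ("P@ssw0rd") and appended digits ("Welcome123!") back to the base word before the lookup so that trivially disguised dictionary words are still caught. The word list and the substitution map are constructed for this example; a real deployment would load a dictionary or breached-password list (its location and format are the operator's choice).

```python
"""Password policy check (added example; not LIC code).

Rules encoded, taken from the policy-hierarchy examples:
  - standard:  at least 8 characters
  - guideline: at least one non-alphabetic character
  - guideline: not found in a dictionary
"""
import re

MIN_LENGTH = 8

# Constructed sample word list standing in for a real dictionary or breach list.
SAMPLE_DICTIONARY = {"password", "welcome", "insurance", "summer", "qwerty", "letmein"}

# Single-character substitutions attackers try first; used to fold
# "P@ssw0rd" back to "password" before the dictionary lookup. (Assumed set.)
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})


def normalise(password):
    """Reduce a candidate to the dictionary word it is most likely based on.

    Lower-case it, strip digits/punctuation that are merely prepended or
    appended ('Welcome123!' -> 'welcome'), then undo in-word substitutions
    ('P@ssw0rd' -> 'password') and drop anything that is still not a letter.
    """
    folded = password.lower()
    folded = re.sub(r"^[^a-z]+|[^a-z]+$", "", folded)
    folded = folded.translate(LEET_MAP)
    return re.sub(r"[^a-z]", "", folded)


def check_password(password, dictionary=SAMPLE_DICTIONARY):
    """Return the list of policy violations; an empty list means it passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(not ch.isalpha() for ch in password):
        violations.append("no non-alphabetic character")
    core = normalise(password)
    if core in dictionary:
        violations.append(f"based on dictionary word '{core}'")
    return violations


def is_acceptable(password, dictionary=SAMPLE_DICTIONARY):
    """Boolean convenience wrapper around check_password()."""
    return not check_password(password, dictionary)


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "Welcome123!", "abcdefgh", "Ab1!", "Tr0ub4dor&3"]:
        print(f"{candidate!r:16} -> {check_password(candidate) or 'OK'}")
```

Note that the three stated rules say nothing about letters being present at all, so an all-digit string such as "12345678" satisfies them; a practitioner would add a breached-password lookup or a minimum-letters rule on top of what the guideline text asks for.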
Security policies help us set standards and identify our roles, responsibilities and governance for ensuring information security.

There are 50 approved IS policies. Go through them at:

http://10.240.69.61/ITBPR/IS_Policy/IS_Policy.htm

50 Information Security Policies

Acceptable Usage Policy
Access Management Policy
Antivirus Policy
Application Security Policy
Asset Management
Asset/Media Disposal Policy
Backup Policy
Bring Your Own Device (BYOD) Policy
Business Continuity Management Policy
Capacity Management
Change Management Policy
Cloud Computing Security Policy
Configuration Management Policy
Cryptographic Control Policy
Cyber Forensics Policy
Cyber Security Policy
Data Center Policy
Data Life Cycle Protection Policy
Data Migration Policy
Data Privacy Policy
Data Retention Policy
Database Security Policy
Email / Collaboration Policy
Endpoint Security Policy
Incident Management Policy
IS Audit Policy
IT Outsourcing Policy
IT Procurement Policy
IT Risk Management Policy
ITDR Policy
Legal and Regulatory Compliance Policy
Logging & Monitoring Policy
Mobile Security Policy
Network Security Policy
Operating System Security Policy
Operational Level Agreement (OLA) Policy
Password Policy
Patch Management Policy
Personnel Security Policy
Physical & Environmental Security Policy
Remote Access Policy
Service Level Agreement (SLA) Policy
Social Media Policy
Supplier Security Policy
Technology Refresh Policy
Third Party Security Policy
User Life Cycle Management Policy
Virtualization Security Policy
Vulnerability Management Policy
Website Development and Security Policy

Minor changes to Information Security Procedures

LIC – Asset Management Procedure
- Section 5.1 Asset Inventory and Ownership: asset categories have been updated to Documents, People, Physical, Service and Software.
- Section 5.2 Asset Register based on CIA values: CIA (Confidentiality, Integrity and Availability) values for each asset were not identified before and have been added, as per the ISO 27001 requirement. The asset value, the product of the C, I and A values, was also added to identify the important assets of each department.

LIC – Backup Procedure
- Section 5.5 Offsite Backup Security: the procedure earlier allowed backup media to be stored at the residence of the branch manager, which is highly risky because the backup media is not encrypted and can be lost, stolen or damaged in transit. It has been updated to: backups should be stored in a fire-resistant cabinet. (A locked, fire-resistant cabinet addresses fire and theft; the stated weakness that the media is unencrypted is only addressed by encrypting the backups.)

LIC – Password Procedure
- Section 5.2 Applications: initially, passwords for newly joined employees were communicated directly in person, which carries the risk of password leakage. It has been updated to: the default password should be communicated in a sealed envelope to the new or transferred employee.

Practicing Information Security Policies
- Acceptable Usage Policy
- Physical Security
- Password Security
- Internet Security
- Email Security
- Data Protection and Privacy
- Asset Management & its secure disposal
- Software Usage
- Social Engineering
- Incident Management
- System Security
- Cyber Security Policy

Don't Ignore

Mobile Security
- Trend Micro Mobile Security client on mobile devices connected to the LIC network

Physical Security

Always ensure that:
1. Doors are closed after anybody enters the restricted area
2. Racks are locked
3. Only authorised persons are given access
4. Outsiders are escorted
5. Access is documented

Password Security

Bad Practices of using passwords

Tips for creating a strong password

Using & Remembering a Strong password

Internet Security

Email Security

Keep Calm and Don't Click

Don't Ignore 5 different 'Are You Sure' warnings

'Data/Information is a valuable asset which is of great value to LIC and needs to be suitably protected.'

Protected information:
- Personally identifiable information (PII)
- Protected health information (PHI)
- Financial data (FD)
- Intellectual property (IP)

"Security is a process... privacy is a consequence." – Rebecca Herold

DRAFT Data Protection Bill

Bill: To protect personal data that has been collected, disclosed, shared or otherwise processed within the territory of India. It applies to government and private organizations, any Indian company and any Indian citizen.

Sensitive Personal Information (SPI): Passwords, financial data, health data, biometric data, genetic data, caste or tribe, sex life and sexual orientation, religious or political belief or affiliation, etc.

Obligations of the Data Collector (Data Fiduciary): Fair and reasonable processing, purpose and collection limitation, lawful processing, notice, data quality, data storage limitation, accountability.

Data Principal / Data Owner:
1. Consent should be free, clear, informed and capable of being withdrawn.
2. Rights of the Data Principal: right to confirmation and access, right to correction, right to data portability, right to be forgotten.

Data Protection Officer: Provides information and advice to the Data Fiduciary (collector), monitors personal data processing activities, assists with Data Protection Impact Assessments (DPIA), and acts as the point of contact for data principals raising grievances.
Data/Information Protection & Privacy
- Protected health information (PHI)
- Personally identifiable information (PII)
- Financial data

Data Protection & Privacy – Tips to follow

Asset Management & its secure disposal

Software Usage – Tips to follow

Q1 2020 – Coronavirus-related phishing email attacks up 600%

Social Engineering

Social engineering is the art of prying information out of someone else, to obtain access or gain important details about a particular system, through the use of deception.

- Phishing: obtaining sensitive information by sending emails
- Vishing: the telephone equivalent of phishing
- Whaling: targeting high-profile employees

GREATEST PHISHING ATTACKS
- Free Dunkin Donuts
- Free Amazon Gift Card

From fake IT return/refund notices, gift vouchers, buy-1-get-1-free offers and privacy-related notices to large-scale social engineering attacks, cyber adversaries utilize every opportunity to plant malware and steal data or money.

Social Engineering attacks – Tips to follow

Incident Management

Incident management – Tips to Follow

Document the following:
- How the incident was handled
- Root cause analysis
- Results of the post-incident review
- Current status of remediation activities from prior incidents

System Security – Clear the screen & clear the desk

System Security – Tips to Follow

Cyber Security Policy

The five functions of the NIST Cybersecurity Framework, each with the question it answers and its categories:

Identify – What processes and assets need protection?
- Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy

Protect – What safeguards are available?
- Access Control; Awareness and Training; Data Security; Information Protection Processes & Procedures; Maintenance; Protective Technology

Detect – What techniques can identify incidents?
- Anomalies and Events; Security Continuous Monitoring; Detection Processes

Respond – What techniques can contain the impacts of incidents?
- Response Planning; Communications; Analysis; Mitigation; Improvements

Recover – What techniques can restore capabilities?
- Recovery Planning; Improvements; Communications

THE SECURITY COMMANDMENTS – 'Hygiene'

- Know the IS policies, procedures and guidelines
- Do not download software on your official computer
- Protect your official email id
- Do not share information with unauthorized persons
- Maintain the confidentiality of data (PII, PHI, FD, IPR)
- Practice the security policies
- Adhere strictly to the access policy
- Change your password regularly
- Do not connect to open Wi-Fi systems
- Clear the desk and clear the screen

Information Security Portal: http://10.240.9.237:8080
Contact Us:
Co_ziso@licindia.com
Co_isms@licindia.com
Contact Details: 67090375/67090384
VOIP: 90234/90227