I

N
INFORMATION SECURITY
F

T
I

O
N
S
E
 What is Information?
What is Information Security?
A
What is RISK?
G
An Introduction to ISO for information
E technology
User Responsibilities
N

2
I

N
'Information is an asset which, like other
F
important business assets, has value to
O an organization and consequently
needs to be suitably protected‟
R

M BS ISO 27002:2005
A

T
I

3
I
Information can be
N

F  Created
 Stored
O
 Destroyed
R
 Processed
N I
M
 Transmitted
A F
 Used – (For proper & improper purposes)
T E
I  Corrupted
C  Lost
O

Y  Stolen
L

C 4
I
N
 Printed or written on paper
F
 Stored electronically
O
 Transmitted by post or using electronics means
R  Shown on corporate videos

M  Displayed / published on web

A  Verbal – spoken in conversations

T T
I ‘…Whatever form the information takes, or
Y means by which it is shared or stored, it
O should always be appropriately protected’
P
(BS ISO 27002:2005)
N
E
5
I
What Is Information Security
N
F

 The quality or state of being secure to be free from danger

O

R
 Security is achieved using several strategies

M
 Security is achieved using several strategies simultaneously or
A used in combination with one another

T
I  Security is recognized as essential to protect vital processes
S and the systems that provide those processes
O
E
N
C  Security is not something you buy, it is something you do

I
6
I
What Is Information Security
N

F
 The architecture where an integrated combination
O of appliances, systems and solutions, software,
alarms, and vulnerability scans working together
R
 Monitored 24x7
M
 Having People, Processes, Technology, policies,
A procedures,

T  Security is for PPT and not only for appliances or

I devices

O
N
S
E 6/16/201
1
Mohan Kamat 7
I

O
PEOPLE

E C
PROCESSES
C O

P TECHNOLOGY

E
6/16/2011 Mohan Kamat 8
 People “Who we are”

People who use or interact with the

P Information include:
Share Holders / Owners
E Management
Employees
O Business Partners
Service providers
P Contractors
Customers / Clients
L Regulators
etc…
E

6/16/201
1
Mohan Kamat 9
 Process “what we do”
The processes refer to "work practices" or workflow.
Processes are the repeatable steps to accomplish
business objectives. Typical process in our IT
P Infrastructure could include:

R Helpdesk / Service management

Incident Reporting and Management
O Change Requests process
Request fulfillment
C
Access management
Identity management
E
Service Level / Third-party Services
Management
S
IT procurement process etc...
S

10
 Technology “what we use to improve what we do”

T
Network Infrastructure:
Cabling, Data/Voice Networks and equipment
E Telecommunications services (PABX), including VoIP
services , ISDN , Video Conferencing
C Server computers and associated storage devices
Operating software for server computers
H Communications equipment and related hardware.
Intranet and Internet connections
VPNs and Virtual environments
N
Remote access services
Wireless connectivity
O

G 6/16/201
1
Mohan Kamat 11
 Technology “what we use to improve what we do”

Application software:
Finance and assets systems, including Accounting packages,
T Inventory management, HR systems, Assessment and reporting
systems
Software as a service (Sass) - instead of software as a packaged or
E custom-made product. Etc..

C Physical Security components:

CCTV Cameras
Clock in systems / Biometrics
H Environmental management Systems: Humidity Control, Ventilation ,
Air Conditioning, Fire Control systems
Electricity / Power backup
N

O
Access devices:
Desktop computers
L Laptops, ultra-mobile laptops and PDAs
Thin client computing.
Digital cameras, Printers, Scanners,
O Photocopier etc.

G 6/16/201
1
Mohan Kamat 12
I INFORMATION SECURITY
N

O
1. Protects information from a range of threats
R 2. Ensures business continuity
3. Minimizes financial loss
M 4. Optimizes return on investments
5. Increases business opportunities
A

T
I

O Business survival depends on information

security.
N
S
E 6/16/201
1
Mohan Kamat 13
I
N
ISO 27002:2005 defines Information Security as the
F preservation of:

O
Ensuring that information is
R
– Confidentiality accessible only to those
authorized to have access
A
M T
O

N T
A Safeguarding the accuracy and
R completeness of information
– Integrity and processing methods
T
I I

B Ensuring that authorized

users have access to
– Availability information and associated
U assets when required

T 6/16/201
Mohan Kamat 14
1
Security breaches leads to…
• Reputation loss
• Financial loss
• Intellectual property loss
• Legislative Breaches leading to legal actions (Cyber
Law)
• Loss of customer confidence
• Business interruption costs

LOSS OF GOODWILL
6/16/201
1
Mohan Kamat 15
I

N
• Information Security is “Organizational Problem”
rather than “IT Problem”
F • More than 70% of Threats are Internal
S
• More than 60% culprits are First Time fraudsters
O
E • Biggest Risk : People

C • Biggest Asset : People

• Social Engineering is major threat

U
• More than 2/3rd express their inability to determine
R ―Whether my systems are currently compromised?‖

T
Y
S
U 6/16/201
1
Mohan Kamat 16
W
What is Risk?
H

A
IT Risk: A possibility that a threat exploits a
vulnerability in an asset and causes damage or
S loss to the asset.
R

I
Threat: Something that can potentially cause damage
S to the organisation, IT Systems or network.

Vulnerability: A weakness in the organization, IT

Systems, or network that can be exploited
by a threat.

17
 Relationship between Risk, Threats, and Vulnerabilities

exploit
Threats Vulnerabilities

Controls * Risk Information

reduce assets

Protection Asset values

Requirements

* Controls: A practice, procedure or mechanism that reduces risk

18
T
Threat Identification
H

R Elements of threats
E
I Agent : The catalyst that performs the
A threat.
D

T
Human
E
Machine
N Nature
T
I

F
I

A 6/16/201
Mohan Kamat 19
1
T

H Threat Identification
R
Elements of threats
E I
Motive : Something that causes the agent
A D
to act.
T E Accidental
N
Intentional
Only motivating factor that can be both
T
accidental and intentional is human
I

F
I

A 6/16/201
1
Mohan Kamat 20
T

H
Threat Identification
R

E I Elements of threats
A D Results : The outcome of the applied
T E
threat. The results normally lead to the
loss of CIA
N
Confidentiality
T Integrity
I
Availability
F
I

A 6/16/201
1
Mohan Kamat 21
T

H
Threats

R • Employees
• External Parties
E
• Low awareness of security issues
A • Growth in networking and distributed computing

T
• Growth in complexity and effectiveness of hacking tools
and viruses
S • Natural Disasters eg. fire, flood, earthquake

6/16/201
1
Mohan Kamat 22
 Threat Sources

Source Motivation Threat

Challenge System hacking
Ego Social engineering
External Hackers Game Playing Dumpster diving
Deadline
Financial Backdoors
problems Fraud
Internal Hackers Disenchantment Poor
document
ation

System attacks
Social engineering
Letter bombs
Revenge Viruses
Terrorist Political Denial of service
Unintentional Corruption of data
errors Malicious code
e/2 ployees
Programming introduction
Poorly
6/16
1 trained entry Unauthorized access 23
 No Categories of Threat Example
1 Human Errors or failures Accidents, Employee mistakes
2 Compromise to Intellectual Property Piracy, Copyright infringements
3 Deliberate Acts or espionage or Unauthorized Access and/or data collection
trespass

4 Deliberate Acts of Information Blackmail of information exposure /

extortion disclosure

5 Deliberate Acts of sabotage / Destruction of systems / information

vandalism

6 Deliberate Acts of theft Illegal confiscation of equipment or

information

7 Deliberate software attacks Viruses, worms, macros Denial of service

8 Deviations in quality of service from Power and WAN issues
service provider

9 Forces of nature Fire, flood, earthquake, lightening

10 Technical hardware failures or errors Equipment failures / errors
11 Technical software failures or errors Bugs, code problems, unknown loopholes
12 Technological Obsolesce Antiquated or outdated technologies

6/16/2011 Mohan Kamat 24

R

&
K
High User
Theft, Virus Attacks
Knowledge of IT
Sabotage,
Systems
S Misuse

E Natural
Systems & Lack Of Lapse in
Calamities &
Network Documentation
Fire
Failure Physical
A
Security
6/16/201
1
Mohan Kamat 25
 SO HOW DO
WE
OVERCOME
THESE
PROBLEMS?

6/16/201
1
Mohan Kamat 26
I
History
N
Early 1990
T • DTI (UK) established a working group
• Information Security Code of Practice
Management produced as BSI-DISC
R publication

O
I I 1995
D S • BS 7799 published as UK Standard
O
U
N
O 2 1999
T • BS 7799 - 1:1999 second revision published
7
C 0
0 2000
O 1 • BS 7799 - 1 accepted by ISO as ISO - 17799 published
T • BS 7799-2:2002 published

6/16/201
1
Mohan Kamat 27
I History
N

T • ISO 27001:2005
D
Information technology — Security techniques —
U T
R Information security management systems —
C Requirements
O
O
I I
T
O S
• ISO 27002:2005
N
O 2 Information technology — Security techniques — Code
7 of practice for information security management
0
0
1

6/16/201
1
Mohan Kamat 28
 ISO 27001

I
ISO 27001: This International Standard covers all types of
organizations (e.g. commercial enterprises, government
S agencies, non-profit organizations). This

O
2 International Standard specifies the requirements for
establishing; implementing, operating, monitoring, reviewing,
7 maintaining and improving documented ISMS within the context
0 of the organization’s overall business risks. It specifies
0 requirements for the implementation of security controls
customized to the needs of individual organizations or parts
1 thereof.

The ISMS is designed to ensure the selection of adequate and

proportionate security controls that protect information assets
and give confidence to interested parties

6/16/201
1
Mohan Kamat 29
 Features

F
Features of ISO 27001
E
• Plan, Do, Check, Act (PDCA) Process Model
• Process Based Approach
A • Stress on Continual Process Improvements
• Scope covers Information Security not
T
only IT
Security
U • Covers People, Process and Technology
• 5600 plus organisations worldwide have
R been certified
• 11 Domains, 39 Control objectives, 133 controls
E

S
6/16/201
1
Mohan Kamat 30
P PDCA Process

D
ISMS PROCESS
Interested Interested
C Parties Parties
Management Responsibility

A
PLAN
Establish
ISMS

P
DO ACT
Implement &
Maintain &
Operate the
R ISMS
Improve

C
Information
O Security Managed
E Requirements CHECK Information
& Monitor & Security
Review ISMS
Expectations
S

S 6/16/2011 Mohan Kamat 31

C

Information
O Security Policy

Organisation
N Compliance of Information
Security

T
Business
Asset
Continuity
R Planning
Management

O
C Incident
Human
Resource
Management
L Security

L Availability

A System
Development Physical
&
Maintenance Security
U
Communication
Access Control & Operations
S Management

32
C

• Information Security Policy - To provide

O
management direction and support for Information
security.
N
• Organisation Of Information Security
-
Management framework for implementation
T
• Asset Management - To ensure the security
R of valuable organisational IT and its related
assets
O • of
Human
humanResources
error, theft,Security
fraud or -misuse
To reduce the risks
of facilities.
C
L
• Physical & Environmental Security -To prevent
L unauthorised access, theft, compromise , damage,
information and information processing facilities.
A

S
6/16/201
1
Mohan Kamat 33
C
• Communications & Operations Management - To
ensure the correct and secure operation of information
O
processing facilities.
N • Access Control - To control access to information
and information processing facilities on „need to know‟
T and „need to do‟ basis.
• Information Systems Acquisition, Development
R
& Maintenance - To ensure security built into
O information systems
C • Information Security Incident Management - To
L ensure information security events and weaknesses
L associated with information systems are
communicated.
A

S
6/16/201
1
Mohan Kamat 34
C

N
•Business Continuity Management - To reduce
T disruption caused by disasters and security failures to an
acceptable level.
R •Compliance - To avoid breaches of any criminal and
civil law, statutory, regulatory or contractual obligations
O
and of any security requirements.
C
L
L

S
6/16/201
1
Mohan Kamat 35
I

M
IS POLICY

P
L SECURITY
ORGANISATION
MANAGEMENT
REVIEW

PLAN
E Establish
ISMS

M
T C ASSET
DO
Implement &
ACT
Maintain & CORRECTIVE &
E IDENTIFICATION
&
Operate the
Improve
PREVENTIVE
ISMS ACTIONS
N
I CLASSIFICATION
O E
S

N
P S
CHECK
Monitor &
Review
T C ISMS

CONTROL
CHECK
SELECTION &
R Y
PROCESSES
IMPLEMENTATION

A
C OPERATIONALIZ
E THE
PROCESES
O
L
6/16/201
1
Mohan Kamat 36
B

N
• At the organizational level – Commitment
E
• At the legal level – Compliance
F • At the operating level - Risk management
I
• At the commercial level - Credibility
T and confidence
• At the financial level - Reduced costs
S
• At the human level - Improved
employee awareness

6/16/201
1
Mohan Kamat 37
U

S WHO IS AT THE CENTRE OF

E

R R

SECU RITY
S

S
I

U- R
B
I

L
I 6/16/201
1
Mohan Kamat 38
U

S Information Security Policy

E

R R

S IS Policy is approved by Top

Management
P
Policy is released on Intranet at
http://xx.xx.xx.xx/ISMS/index.htm
O

S
I

B
I

L
I 6/16/201
1
Mohan Kamat 39
I
Information Asset Classification
N
CONFIDENTIAL:
If this information is leaked outside Organisation, it will result in major financial and/or image loss.
F Compromise of this information will result in statutory, legal non- compliance.
Access to this information must be restricted based on the concept of need-to-know. Disclosure
A
C requires the information owner‟s approval. In case information needs to be disclosed to third
O parties a signed confidentiality agreement is also required. Examples include Customer contracts,
L rate tables, process documents and new product development plans.
S
S
E A INTERNAL USE ONLY:
S If this information is leaked outside Organisation, it will result in Negligible financial loss and/or
embarrassment.
T Disclosure of this information shall not cause serious harm to Organisation, and access is provided
S freely to all internal users. Examples include circulars, policies, training materials etc.
I PUBLIC:
Non availability will have no effect. If this information is leaked outside Organisation, it will result
in no loss.
F This information must be explicitly approved by the Corporate Communications Department or
I Marketing Department in case of marketing related information, as suitable for public
dissemination. Examples include marketing brochures, press releases.

T
I
6/16/201
1
Mohan Kamat 40
I Confidentiality - Information Asset

N Confidentiality of information refers to the protection of information from unauthorized

disclosure. The impact of unauthorized disclosure of confidential information can range
from jeopardizing organization security to the disclosure of private data of employees.
Following table provides guideline to determine Confidentiality requirements:
F
Confidentiality
A
S C
O Requirement Explanation
L Low Non-sensitive information available for public
S disclosure. The impact of unauthorized disclosure of
E A
S such information shall not harm Organisation anyway.
E.g. Press releases, Company‟s News letters
T e.g. Information published on company‟s website
S
Medium Information belonging to the company and not
I for
disclosure to public or external parties. The
unauthorized disclosure of information here can cause
F a limited harm to the organization.
I e.g. Organization Charts, Internal Telephone Directory.
High Information which is very sensitive or private, of
highest value to the organization and intended to use
C
by named individuals only. The unauthorized
disclosure of such information can cause severe harm
A (e.g. Legal or financial liability, adverse competitive
impact, loss of brand name). E.g. Client‟s pricing
T information, Merger and Acquisition related
I information, Marketing strategy
6/16/201
1
Mohan Kamat 41
I
Integrity - Information Asset
N
Integrity refers to the completeness and accuracy of Information. Integrity is lost if
unauthorized changes are made to data or IT system by either intentional or accidental
acts. If integrity of data is not restored back, continued use of the contaminated data
F could result in inaccuracy, fraud, or erroneous decisions. Integrity criteria of information
can be determined with guideline established in the following Table.
A
S C
O
L
S Integrity
E A
S Requireme
nt Explanation
T
S Low There is minimal impact
I
on business if the
accuracyand
F
I
completeness of data is degraded.
Medium There is significant impact on
C business if the asset if the
accuracy and completeness of
A data is degraded.
High The Integrity degradation
T is unacceptable.
I
6/16/201
1
Mohan Kamat 42
I Availability - Information Asset
N

F Availability indicates how soon the information is required, in case

A the same is lost. If critical information is unavailable to its end
S C
O users, the organization’s mission may be affected. Following Table
L
provides guideline to determine availability criteria of information
S assets.
E A
S

T
S Availability
I
Requireme Explanation
F nt
I Low There is minimal impact on business if the
asset / information is not Available for up
C
to 7 days
A
Medium There is significant impact on business if
the asset / information is not Available for
T up to 48 hours
I High The Asset / information is required on 24x7
6/16/201
1 basis Mohan Kamat 43
N

O
Non-information Assets [Physical]
N
I
N Information is processed with the help of technology. The
F C
L assets, which are helpful in creating, processing, output
O
A generation and storage. Such assets need to be identified
A S
S and valued for the purpose of their criticality in business
S process.
I

S
F
Asset valuation of non information / physical Assets like
I software, Hardware, Services is carried out based on
E different criteria applicable to the specific group of physical
C assets involved in organization‟s business processes.
T

T
I

6/16/201
O 1
Mohan Kamat 44
N
Confidentiality - Non-information Asset
O
Confidentiality factor is to be determined by the services rendered by the particular
asset in specific business process and the confidentiality requirement of the
N
I information / data processed or stored by the asset. This table provides a guideline to
identify the Confidentiality requirements and its link to Classification label.
N
F C
L
O Confidentiality
A
Requirement Explanation
A S Low Information processed / stored /
S S carried or services rendered by the
I
asset in the business process have
S confidentiality requirements as LOW.
F
I Medium Information processed / stored /
E carried or services rendered by the
C asset in the business process have
T confidentiality requirements as
A Medium.
High Information processed / stored /
T carried or services rendered by the
I asset in the business process have
confidentiality requirements as HIGH.
6/16/201
O 1
Mohan Kamat 45
N Integrity - Non Information Asset
O Integrity factor is to be determined by the reliability and dependability of the
particular asset in specific business process and the Integrity requirement of
the information / data processed or stored by the asset. This table provides
N
I a guideline to identify the Integrity requirements and its link to
N Classification label.
F C
L Integrity
O Requirement Explanation
A
S Low Dependency and reliability of the services rendered by
A S the particular asset in a business process is LOW.
S Information processed / stored / carried or services
I
rendered by the asset in the business process have
S Integrity requirements as LOW.
F Medium Dependency and reliability of the services rendered by
I the particular asset in a business process is Medium.
E
Information processed / stored / carried or services
C rendered by the asset in the business process have
T Integrity requirements as Medium.
High Dependency and reliability of the services rendered by
A
the particular asset in a business process is HIGH.
Information processed / stored / carried or services
T rendered by the asset in the business process have
I Integrity requirements as High.

6/16/201
O 1
Mohan Kamat 46
N
Availability - Non-information Asset
O
Availability factor is to be determined on the basis of impact of non
availability of the asset on the business process. This table provides a
N
I guideline to identify the Availability requirements and its link to
N Classification label.
F C
Integrity
O Requirement Explanation
Low Impact of non availability of an asset in a business
S
process is LOW.
S L Information processed / stored / carried or services
I
rendered by the asset in the business process have
S A Availability requirements as LOW.
F Medium Impact of non availability of an asset in a business
A
E I
S
process is Medium.
Information processed / stored / carried or services
T C rendered by the asset in the business process
have
A Availability requirements as MEDIUM.
High Impact of non availability of an asset in a business
process is HIGH.
T
Information processed / stored / carried or services
I rendered by the asset in the business process have
Availability requirements as HIGH.
6/16/201
O 1
Mohan Kamat 47
P
People Assets
E
Information is accessed or handled by the people from within the
O organisation as well as the people related to organisation for business
requirements.
P C
It becomes necessary to identify such people from within
A organisation as well as outside the organisation who the
L L organization‟s information assets. handle the
S A
S S
E The analysis such people, who has access rights to the assets of the
S organisation, is to be done by Business Process Owner i.e. process /
E
I function head.

T The people assets shall include roles handled by

F a. Employees
I b. Contract Employees
c. Contractors & his employees
C

T
I
6/16/201
1
Mohan Kamat 48
P
Confidentiality - People Assets
E
Confidentialit
y
O Explanation
Requirement
C
Low The role or third party identified has access
P
limited to information assets classified as
A
L 'Public'. Security breach by individual/s whom
L A
S
S the role is assigned would insignificantly affect
S
the business operations.
E
S Medium The role or third party identified has access
E
I limited to information assets classified as
'Internal‟ and 'Public'. Security breach by
T
F individual/s whom the role is assigned would
I moderately affect the business operations.
High The role employee or third party identified has
C access to all types of information assets
including information assets classified as
A 'Confidential' Or IT Assets classified as
'Critical'. Security breach by individual/s to
T whom the role is assigned would severely
I affect the business operations.
6/16/201
1
Mohan Kamat 49
P
Integrity – People Assets
E

O
Integrity
Requirement Explanation
P C Low The role or third party identified has limited privilege
A to change information assets classified as 'Internal' or
L L 'Public' and the his work is supervised. Security
S A
S S breach by individual/s to whom the role is assigned
E would insignificantly affect the business operations.
E S Medium The role or third party identified has privilege to
I change information assets classified as 'Internal', and
T 'Public' Security breach by individual/s whom the role
F is assigned would moderately affect the business
I operations.
High The role or third party identified has privilege to
change information assets classified as 'Confidential'
C
Or Change the configuration of IT assets classified as
'Critical' Security breach by individual/s to whom the
A role is assigned would severely affect the business
operations.
T
I
6/16/201
1
Mohan Kamat 50
P
Availability – People Assets
E

P C Availability
A Requiremen
L Explanation
L
S A t
S S
Low Unavailability of the individual/s whom the
E
S
role is assigned would have insignificant
E
I affect the business operations.
T
Medium Unavailability of the individual/s whom the
F role is assigned would moderately affect
I the business operations.
High Unavailability of the individual/s whom the
C
role is assigned would severely affect the
business operations.
A

T
I
6/16/201
1
Mohan Kamat 51
U

S Access Control - Physical

E
• Follow Security Procedures
R R • Wear Identity Cards and Badges
• Ask unauthorized visitor his credentials
E
• Attend visitors in Reception and Conference Room only
S

O • Bring visitors in operations area without

prior permission
N • Bring hazardous and combustible material in
secure
S area
I
• Practice ―Piggybacking‖
B • Bring and use pen drives, zip drives, ipods, other storage
I devices unless and otherwise authorized to do so

L
I 6/16/201
1
Mohan Kamat 52
U

S Password Guidelines
E
 Always use at least 8 character password with
R R combination of alphabets, numbers and special characters (*, %, @,
#, $, ^)
E  Use passwords that can be easily remembered by you
 Change password regularly as per policy
S  Use password that is significantly different from earlier passwords

O
 Use passwords which reveals your personal
N information or words found in dictionary
 Write down or Store passwords
S  Share passwords over phone or Email
I
 Use passwords which do not match above complexity
criteria
B
I

L
I 6/16/201
1
Mohan Kamat 53
U
Internet Usage
S

E  Use internet services for business purposes only

R R

E
 Do not access internet through dial-up connectivity
S  Do not use internet for viewing, storing or
transmitting obscene or pornographic material
P  Do not use internet for accessing auction sites
 Do not use internet for hacking other computer systems
O  Do not use internet to download / upload
commercial software / copyrighted material
N

S
I

B Technology Department is continuously monitoring Internet

I Usage. Any illegal use of internet and other assets shall call
for Disciplinary Action.
L
I 6/16/201
1
Mohan Kamat 54
U
E-mail Usage
S
 Use official mail for business purposes only
E  Follow the mail storage guidelines to avoid blocking of E-mails
 If you come across any junk / spam mail, do the following
R R a) Remove the mail.
b) Inform the security help desk
E c) Inform the same to server administrator
d) Inform the sender that such mails are undesired
S

O  Do not use official ID for any personal subscription purpose

 Do not send unsolicited mails of any type like chain letters or
N E-mail Hoax
 Do not send mails to client unless you are authorized to do so
S  Do not post non-business related information to large
I number of users
 Do not open the mail or attachment which is suspected to be
B virus or received from an unidentified sender
I

L
I 6/16/201
1
Mohan Kamat 55
U

S Security Incidents
E
Report Security Incidents (IT and Non-IT) to
R R Helpdesk through
• E-mail to info.sec@organisation.com
E • Telephone : xxxx-xxxx-xxxx
• Anonymous Reporting through Drop boxes
S

P
e.g.:
O IT Incidents: Mail Spamming, Virus attack, Hacking, etc.
Non-IT Incidents: Unsupervised visitor movement, Information
N
leakage, Bringing unauthorized Media
S
I
• Do not discuss security incidents with any one outside organisation
B
• Do not attempt to interfere with, obstruct or prevent anyone from reporting
I
incidents
L
I 6/16/201
1
Mohan Kamat 56
U
S
 Ensure your Desktops are having latest antivirus updates
E
 Ensure your system is locked when you are away
 Always store laptops/ media in a lockable place
R  Be alert while working on laptops during travel
R  Ensure sensitive business information is under lock and
key
E when unattended
 Ensure back-up of sensitive and critical information assets
S
 Understand Compliance Issues such as
P Cyber Law
IPR, Copyrights, NDA
O Contractual Obligations with customer
 Verify credentials, if the message is received from
N unknown sender
 Always switch off your computer before leaving for the day
S  Keep your self updated on information security aspects
I

B
I

L
I 6/16/201
1
Mohan Kamat 57
Human Wall Is Always Better Than A Firewall

. . . LET US BUILD A HUMAN WALL ALONG WITH FIREWALL

6/16/2011 Mohan Kamat 58
6/16/2011 Mohan Kamat 59