ISO 27001:2005 Induction - Sep 2007 Protection notice / Copyright notice
Contents
- What is Information Security?
- An Introduction to ISO 27001:2005
- Siemens Corporate Information Security Guide
- Policies and Procedures
- Summary
Page 2
Sep 2007
For Internal Use only
Protection notice / Copyright notice P&Q
What is Information Security?
Information Security is the protection of information assets in such a way that accurate information is accessible only to authorized users whenever required. It also applies to the storage devices on which information is stored, e.g. hard disks, floppy disks, CDs, tapes, paper documents, etc.
Keys to Information Security
- Confidentiality: Has my knowledge been disclosed?
- Integrity: Is my database reliable and not altered?
- Availability: Is my information available to authorised users?
- Validation (new paradigm): Are my transactions legally binding?
Protect, detect, and recover from insecurities.
Need for Information Security
- More and more customers are asking for Information Security
- Requirements of several certifications
- Legal requirements (Data Privacy, SOX, IT Act 2000 etc.)
- Requirements as SISL is part of the Siemens global network
- Increase in risks with greater use of technology
Introduction to ISMS
ISMS – Information Security Management System: a management framework, based on ISO 27001, for providing security to critical information.
Introduction to ISO 27001
ISO/IEC 27001:2005 is an auditable standard.
Clauses (mandatory processes):
- 4 The ISMS
- 5 Management Responsibility
- 6 Internal ISMS Audits
- 7 Management Review
- 8 ISMS Improvement
Annex A (control objectives):
- 11 domains
- 39 control objectives
- 133 controls
ISMS: PDCA Model
Plan
- Define ISMS scope
- Define policy
- Identify risks
- Assess risks
- Select control objectives and controls for treatment of risks
- Prepare a statement of applicability
Do
- Formulate a risk treatment plan
- Implement the risk treatment plan
- Implement controls selected to meet the control objectives
Check
- Execute monitoring procedures
- Undertake regular reviews of the effectiveness
- Conduct internal audits at planned intervals
Act
- Implement identified improvements
- Take corrective and preventive actions
- Communicate the results and actions and agree with all interested parties
- Ensure that improvements achieve their intended objectives
IS Organization Structure
ISMF – Information Security Management Forum
- Information Security Officer
- Regional IS Operations in Charge
- Administration Team for Physical Security
- Incident Response Team
- ISMS Implementation Team – Business: ISAs
- ISMS Implementation Team – Support: ISAs
- Network Security Administrator
- Communications Security Administrator
- Server / Desktop Security Administrator
- Application Security Administrator
- Business Continuity & DRP Team
Ref: Procedure for Management Responsibility
Corporate IS Policies (Sr. No – Policy Name)
1 Entrance to the Corporate Information Security Guide
2 Rules for the Workplace / Use of Work Resources
3 Rules for Managers
4 Rules for the Operation of IT Systems, Networks, Services, and Applications
5 Protection of Corporate Proprietary Information
6 Secure Use of E-mail
7 Passwords
8 System/Data Access Control for IT Systems
9 Computer Viruses
10 Data Backup
11 Using Key Material of the Siemens Public Key Infrastructure for Encryption, Digital Signature, Authentication
12 IT Disaster Recovery Planning
13 Cooperation and Data Communication with Business Partners
Corporate IS Policies, continued (Sr. No – Policy Name)
13-1 Rules for Business Partners of Siemens
14 Mobile Security
15 Secure Network Topologies
16 Dynamic Assignment of IP Addresses
17 Sharing LAN Infrastructure with non-Siemens Tenants
18 Security of i2 Systems (Specific Users)
19 Security in SAP Systems (Specific Users)
20 Secure Portal Access (Specific Users)
21 Secure Portal Application Integration (Specific Users)
22 Use of Application Service Providing (Specific Users)
Find the Corporate Information Security Guide (CISG) at http://cio.siemens.com (Information Security > Security Guide > All Static Policies).
India Specific IS Policies (Sr. No – Policy Name)
1 Local Administrator Rights
2 Broadband
3 Rental Equipment
4 Wireless Internet Card
5 Email deletion of employees
6 Internet Access
For more: http://intranet.sisl.siemens.co.in/SISL_NEW/index.html
Policy 2 – Rules for the Workplace / Use of Work Resources
Conduct at the workplace within company premises
- Protect corporate proprietary information against unauthorized persons
- Classify and treat company proprietary information according to its need for protection
Handling visitors
- Escort visitors in case of a visit to secure areas
- Challenge unknown visitors if found unescorted in secure areas
- Sign the gate pass of the visitor at the time of leaving
Using company-owned IT systems outside company premises
- Must be approved beforehand, and local regulations must be observed
- In open environments, make sure no unauthorized person can access company proprietary information
- Remote access to the Siemens Intranet must be limited to approved services
Rules for the Workplace / Use of Work Resources – Rules for all employees and managers
- Protect corporate proprietary information against unauthorized persons
- Classify and treat company proprietary information according to its need for protection
Handling documents/data media
- Keep confidential documents and data media locked
- Remove confidential documents / media after conferences
- For documents printed on network printers, ensure that unauthorized persons do not gain access
- Properly destroy documents/data media which aren't needed anymore
- Remove all data from hard drives before they are passed on for further use
Information security for faxes
- Make sure the dialed number is correct
- Make sure the sender information is correct
- Make a phone call to verify that a fax was received correctly (important faxes only)
Policy 3 – Rules for Managers
User Registration: There should be a formal registration procedure for new employees joining the organization.
User Deregistration: There shall be a formal user deregistration procedure covering access to all multi-user information systems and services.
Installation of Software: Proprietary software products are usually supplied under a licence agreement that limits the use of the products to specified machines.
Policy 5 – Protection of Corporate Proprietary Information
“Corporate proprietary information comes under one of the four classifications, according to the protection it requires.”
- Strictly Confidential: Information that is extremely sensitive and is intended for use only by named individuals within the company.
- Confidential: Information that is sensitive within the company and is intended for use only by specified groups of employees.
- For Internal Use: Non-sensitive information available for internal release.
- Public: Non-sensitive information available for external release.
Policy 6 – Secure Use of Email
Rules for senders of email
- The recipient must be able to clearly identify the sender. Never hide or falsify the sender's details.
- Check e-mails and file attachments for computer viruses.
- Use digital signatures to ensure the integrity of the content or the legal responsibility of the sender.
- Send corporate proprietary information to external partners only as part of contractually agreed business relationships.
- Send messages to specific persons and not to unnecessarily large distribution groups.
- Do not create or forward chain letters or unauthorized warning messages. Upon receipt of such emails, forward them to Local support.
Rules for recipients of email
- Access to mailboxes is limited to the owner or to persons explicitly authorized by the owner.
- Do not change default security settings made by the system manager. If the user implements the security settings for the e-mail program, they must be set to the highest security level.
- Check e-mails and inserted attachments for computer viruses when opening the e-mail.
- Handle e-mail according to its need for protection.
- No automatic forwarding to external postboxes.
- Never attempt to read, delete, copy, change, decrypt or forward another person's e-mail.
Policy 7 – Passwords
Password Quality
- Passwords should be a mix of upper and lower case letters, numerals and at least one special character
- For normal users: minimum 8 characters
- For privileged users: minimum 15 characters
- For users with admin rights: minimum 15 characters
- Use enhanced password rules if demanded by the system manager
- Do not reuse the previous five passwords
- Do not use trivial passwords (e.g. words from dictionaries, keyboard patterns, user IDs)
- Use different passwords for different security levels (e.g. system access, remote access, encryption, applications)
Password Storage
- Do not reveal passwords to others (exception: system managers may tell authorized persons a new password)
- Change pre-defined passwords after the first use
- Protect your password records against disclosure
- Passwords stored electronically must be encrypted
- Passwords may have to be lodged with a manager (without disclosure)
- Change passwords right away if a password may have become disclosed
- Change passwords within 90 days; 30 days for sensitive data / privileged accounts (e.g. system manager)
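As an added worked example (not code from this deck or from Siemens), the Python below turns the Policy 7 rules into a check that a provisioning script or help desk tool could run: composition and role-based minimum length, rejection of dictionary words, keyboard patterns and the user ID, a no-reuse check against salted hashes of the previous five passwords, and the 90-day / 30-day change deadline. The role names, the small word and pattern lists, the PBKDF2-based history store and the user ID jsmith are assumptions made for the example.

```python
"""Password policy checker modelled on the Policy 7 rules above.

Constructed example, not Siemens code. The role names, the small dictionary and
keyboard-pattern lists and the PBKDF2-based history store are assumptions.
"""
import hashlib
import os
import string
from datetime import date

# Minimum lengths per user category, as stated in the policy.
MIN_LENGTH = {"normal": 8, "privileged": 15, "admin": 15}
# Maximum password age in days: 90 in general, 30 for privileged/admin accounts.
MAX_AGE_DAYS = {"normal": 90, "privileged": 30, "admin": 30}
HISTORY_DEPTH = 5  # the previous five passwords may not be reused

# Constructed, deliberately small word and pattern lists (a real deployment
# would load a full dictionary); matching is case-insensitive substring.
DICTIONARY_WORDS = ("password", "welcome", "siemens", "summer", "secret")
KEYBOARD_PATTERNS = ("qwerty", "asdfgh", "zxcvbn", "12345", "abcdef")
PBKDF2_ROUNDS = 50_000


def _hash_password(password, salt):
    # Salted PBKDF2-HMAC-SHA256, so the history never stores cleartext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Salted hashes of a user's previous passwords, newest last."""

    def __init__(self):
        self._entries = []  # list of (salt, digest) tuples

    def remember(self, password):
        salt = os.urandom(16)
        self._entries.append((salt, _hash_password(password, salt)))
        del self._entries[:-HISTORY_DEPTH]  # retain only the last five

    def was_used(self, password):
        return any(_hash_password(password, salt) == digest
                   for salt, digest in self._entries)


def check_password_quality(password, role, user_id, history=None):
    """Return the list of Policy 7 violations; an empty list means acceptable."""
    violations = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH[role]:
        violations.append(
            f"shorter than the {MIN_LENGTH[role]}-character minimum for role '{role}'")
    if not any(c.isupper() for c in password):
        violations.append("no upper-case letter")
    if not any(c.islower() for c in password):
        violations.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        violations.append("no numeral")
    if not any(c in string.punctuation for c in password):
        violations.append("no special character")
    if any(word in lowered for word in DICTIONARY_WORDS):
        violations.append("contains a dictionary word")
    if any(pattern in lowered for pattern in KEYBOARD_PATTERNS):
        violations.append("contains a keyboard pattern")
    if user_id and user_id.lower() in lowered:
        violations.append("contains the user ID")
    if history is not None and history.was_used(password):
        violations.append("matches one of the previous five passwords")
    return violations


def _as_date(value):
    # Accept either a date object or an ISO string such as "2007-09-01".
    return value if isinstance(value, date) else date.fromisoformat(value)


def password_change_due(last_changed, role, today=None):
    """True when the password has reached the maximum age for the role."""
    today = _as_date(today) if today is not None else date.today()
    return (today - _as_date(last_changed)).days >= MAX_AGE_DAYS[role]


if __name__ == "__main__":
    history = PasswordHistory()
    history.remember("Old1!passphrase")
    for candidate in ("Welcome123", "Old1!passphrase", "Tq7#vLm2$pRx!9Wz"):
        result = check_password_quality(candidate, "normal", "jsmith", history)
        print(candidate, "->", result or "OK")
    print("change due:", password_change_due("2007-06-01", "normal", "2007-09-01"))
```

The reuse check deliberately stores only salted PBKDF2 digests, which is what the "passwords stored electronically must be encrypted" rule demands of any history store; comparing a candidate means re-deriving it under each stored salt, so the history is kept short (five entries, as the policy requires).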
Policy 8 – System / Data Access Control for IT Systems
Rules for self-protection
- Use protection mechanisms according to regulations, and do not disable, modify or circumvent them.
- Access to own IT system only after authentication has been carried out, e.g. by entering a password.
- Protect access to own system resources.
- Lock opened access links, including during brief absence from the workstation, e.g. by enabling a screen saver.
- When work is over, close opened accesses or protect against unauthorized system/data access.
- Adopt deputizing regulations for access to own system/data resources.
Rules for users on external IT systems
- No direct connection to the Siemens intranet is permitted; for remote access contact Local support.
- Avoid transmission of corporate proprietary data on external systems wherever possible.
- Delete session data at the end of the session from the external system (including in the recycle bin, in temporary directories, etc.).
- Delete Siemens data from private storage media before they are resold or disposed of, in such a way that the data cannot be recovered.
- Transfer data from external systems to the company's own systems as soon as possible if this data is essential for the company.
Policy 9 – Computer Viruses
Handling computer viruses
- Creating and/or distributing computer viruses is strictly forbidden.
- False reports on viruses / warning messages, chain letters, etc. must not be created or forwarded.
- The SysAdmin must be informed if suspicion exists that a virus is present, if the antivirus program repeatedly reports that a virus was removed, or if the computer responds in an unfamiliar way.
- Do not deactivate the anti-virus programs or change the settings provided by the system administrator.
Policy 10 – Data Backup
Rules for users that create their own data backups
- A valid data backup concept must exist, even if it is a simple one.
- Back up all data, especially data which cannot be restored easily.
- Mark backup media, and protect them against unauthorized access.
- Backup media containing data that must be highly available must be stored separately from the PC or workstation.
- Storing and disposal of data media containing company proprietary data must be in line with Policy "Protection of Corporate Proprietary Information".
Policy 11 – Using Key Material of the Siemens PKI for Encryption, Digital Signature, Authentication
Rules for managers
- Policy rules must be obeyed in scope of responsibility.
- The risks and consequences of a security breach must be assessed and minimized.
- The manager must acknowledge the revocation of all personal keys of all individuals leaving the company.
- The manager must acknowledge that all non-personal keys are returned if the possessor leaves the company or transfers.
- The manager can transfer the key ownership to a successor without revoking the key when the owner of a non-personal key leaves the company or is transferred.
DRP – IT Disaster Recovery Planning
When disaster strikes…
- Attacks on suburban trains, Mumbai/India
- Monsoon rain flooding, Mumbai/India (26.-29. July 2005)
How do we continue our business during / after a disaster? Plan for Disaster Recovery & Business Continuity and follow the Instruction Manual.
BCP/DRP Definition (diagram; labels recovered from the slide)
- CIO & Infrastructure contribute to the BCP; BCP Coordinators contribute to the BCP
- Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)
- BCP approach: Business Impact Analysis & Risk Analysis, identify mission-critical processes, cost impacts & risk analysis
- IT Disaster Recovery Plan (Infrastructure Team) and Non-IT Disaster Recovery Plan
Business Continuity Mgmt – BCM Organization (organization chart; labels recovered from the slide)
- Executive Decision Committee (EDC): EDC HR, EDC Org
- Response Management Team (RMT)
- Emergency Response Teams (ERT): ERT_IT, ERT Org, ERT_Manufact, ERT_xx, …
- Other roles shown: CEO, CFO, CIO, Legal, PR, HR, CCMS/SRE/Real Estates, Business Continuity Program Manager, BCP Coordinator, Infosec Officer, BU Representatives
Fire on WTC twin towers – example of a disaster that can happen in any office premises: Panic and terror gave way to anger and disbelief on September 11, 2001 as New Yorkers mourned the massive loss of life after two hijacked commercial planes slammed into the World Trade Center's twin towers, which later crumpled to the ground in a heap of concrete, flames and ash.
Behavior in Case of Fire
- In case of fire take the nearest escape route to the assembling point.
- The call to evacuate the building will be given by fire alarm, the Chief of the Disaster Preparedness Organisation (DPO) or the on-scene commander.
- Remember that elevators must not be used; exit smoke-filled rooms in a bent-over or crawling position.
- If it is not possible to leave a room safely, i.e. when the escape route is full of smoke: close the doors, make yourself visible and audible at the window, and wait for the emergency crew.
- Wait at a safe and readily visible place for the fire department to arrive and give them instructions if needed.
Additional Info
Business Continuity Mgmt
Fire is only one of the disasters that can happen in the workplace. Ref: Instruction Manual for additional guidelines.
In case of any disaster, inform the Emergency Response Team (ERT) identified for your SBU.
Policy 13 – Cooperation and Data Communication with Business Partners
Rules on the disclosure of information
- Allow business partners access to corporate proprietary information only to the extent provided for in the applicable contractual agreements.
- All information resulting from the collaboration with a business partner is to be handled as corporate proprietary information.
- Information that has to be passed to a business partner must carry the copyright and classification endorsements.
- The written consent of the owner of corporate proprietary information must be obtained before the information may be made available to the business partner, unless the provider of the information is the owner.
- Own resources are to be protected against unauthorized access by the business partner.
- Data may only be shared with business partners using the applications and systems installed for this purpose in the particular company unit.
Ref: Procedure for Risk from Third Parties. Business partners are to follow Policy 13-1: Rules for Business Partners of Siemens.
Policy 14 – Mobile Security
Usage of a mobile device
- Report loss or theft of devices to local support.
- Report any unknown / found devices to local support.
- Report the manipulation of devices to local support.
- Store the device in a safe place.
- Non-Siemens devices must not be used.
- Back up the data regularly.
Configuration of a mobile device
- Do not change default security settings.
- Have the security settings configured before using the device.
- Check the security settings regularly.
Software of a mobile device
- Use the virus scanner software.
- Enable the operating system firewall.
- Use access control software.
Self Discipline (Summary)
- Don't download freeware and pirated software
- Ensure the latest anti-virus is loaded on desktops
- Always use strong passwords and change them periodically
- Never share your passwords
- Store laptops / data media in a lockable place
- Take regular backups of important data
- Verify the credentials if a message is received from an unknown sender
- Erase all data if data media is to be sent out for repairs
- Dispose of defective data media incl. documents by crushing / shredding
- Avoid business discussions at public places, especially over the phone
- Be alert while working on laptops during travel
- Transmit confidential data in encrypted form only
- Always switch off your computer before leaving for the day
Intranet Resources
Corporate Information Security Guide https://cio.siemens.com/
Virus Competence Center https://vcc.siemens.com/
Computer Emergency Response Team https://www.cert.siemens.de/
Quiz
Q1 You are about to go on vacation. What measures do you undertake on your last working day?
a) I lock up all portable data media
b) I give a trustworthy co-worker my password, in case someone has to use my PC
c) I take my computer home to prevent any misuse in my absence
d) I leave my ID card at the main reception desk
e) I follow the appropriate steps outlined in the personnel regulations concerning vacation/deputation
Q2 Which rules govern password use?
a) They should not have more than 10 letters
b) Punctuation marks and symbols are not permitted
c) They should be easy to remember, such as your spouse's name
d) They should never be written down
e) They should be changed regularly
Note: There could be more than one correct choice.
Q3 Which rules are applicable for receiving visitors at Siemens?
a) Siemens does not permit any visitors on company premises
b) Visitors must be accompanied at all times
c) All visitors must be picked up at the reception desk
d) It is forbidden to hold any doors open for visitors
e) I provide visitors with my ID card to permit them free access to the building
Q4 Which of the following is not part of the basis of data quality?
a) Confidentiality
b) Integrity
c) Availability
d) Comparability
e) Liability
Note: There could be more than one correct choice.
Thank You