Information Security
Information exists on many media, e.g. hard disks, floppy disks, CDs, tapes, paper documents, etc.
Protection goals (diagram on the original slide; text recovered):
- Confidentiality: Has my knowledge been disclosed?
- Integrity: Is my database reliable and not altered?
- Availability
- New paradigm: Validation
The ISMS (clause numbering as in ISO/IEC 27001:2005):
- 4 The ISMS
- 5 Management Responsibility
- 6 Internal ISMS Audits
- 7 Management Review
- 8 ISMS Improvement
Annex A: 11 domains, 39 control objectives, 133 controls
Protection notice / Copyright notice
Page 7 Sep 2007 For Internal Use only P&Q
ISMS: PDCA Model
Plan:
- Define ISMS scope
- Define policy
- Identify risks
- Assess risks
- Select control objectives and controls for treatment of risks
- Formulate a risk treatment plan
- Prepare a statement of applicability
Do:
- Implement the risk treatment plan
- Implement the controls selected to meet the control objectives
Check / Act: (details not recovered from the slide)
Security organization (roles recovered from the slide diagram):
- Server / Desktop Security Administrator
- Application Security Administrator
- Business Continuity & DRP Team
Policies covered:
- Policy 7 – Passwords
- Policy 9 – Computer Viruses
- Policy 10 – Data Backup
- Policy 11 – Using Key Material of the Siemens Public Key Infrastructure for Encryption, Digital Signature, Authentication
- Policy 14 – Mobile Security
Find the Corporate Information Security Guide (CISG) at http://cio.siemens.com (Information Security > Security Guide > All Static Policies).
Further guidelines:
- 2 Broadband
- 3 Rental Equipment
- 6 Internet Access
For more: http://intranet.sisl.siemens.co.in/SISL_NEW/index.html
Handling visitors
- Escort visitors when they visit secure areas.
- Challenge unknown visitors found unescorted in secure areas.
- Sign the visitor's gate pass when the visitor leaves.
Handling information
- Classify and treat company proprietary information according to its need for protection.
- For documents printed on network printers, ensure that unauthorized persons do not gain access to them.
- Remove all data from hard drives before the drive is removed for further use.
Information security for faxes
- Make sure the dialed number is correct.
User Registration
There shall be a formal registration procedure for new employees joining the organization.
User Deregistration
There shall be a formal user deregistration procedure for revoking access to all multi-user information systems and services.
Installation of Software
Proprietary software products are usually supplied under a licence agreement that limits
the use of the products to specified machines.
Information classification (table recovered from the slide):
Confidential: Information that is extremely sensitive and is intended for use only by named individuals within the company.
For Internal Use: Information that is sensitive within the company and is intended for use only by specified groups of employees.
(label not recovered): Non-sensitive information available for internal release.
Public: Non-sensitive information available for external release.
E-mail
- Access to mailboxes is limited to the owner or to persons explicitly authorized by the owner.
- Do not change the default security settings made by the system manager.
- If the user implements the security settings for the e-mail program, they must be set to the highest security level.
- Check e-mails and attachments for computer viruses when opening the e-mail.
- Handle e-mail according to its need for protection.
- No automatic forwarding to external postboxes.
- Never attempt to read, delete, copy, change, decrypt or forward another person's e-mail.
Policy 7 – Passwords
- Do not use trivial passwords (e.g. words from dictionaries, keyboard patterns, user IDs).
- Use different passwords for different security levels (e.g. system access, remote access, encryption, applications).
Access protection
- Use protection mechanisms according to regulations, and do not disable, modify or circumvent them.
- Access your own IT system only after authentication has been carried out, e.g. by entering a password.
- Protect access to your own system resources.
- Lock open access links, including during brief absences from the workstation, e.g. by enabling a screen saver.
- When work is over, close open accesses or protect them against unauthorized system/data access.
- Adopt deputizing regulations for access to your own system/data resources.
Working from external systems
- No direct connection to the Siemens intranet is permitted; for remote access, contact local support.
- Delete session data from the external system at the end of the session (including data in the recycle bin, in temporary directories, etc.).
- Delete Siemens data from private storage media before they are resold or disposed of, in such a way that the data cannot be recovered.
- Transfer data from external systems to the company's own systems as soon as possible if this data is essential for the company.
Policy 9 – Computer Viruses
- False reports on viruses, warning messages, chain letters, etc. must not be created or forwarded.
- The system administrator must be informed if there is a suspicion that a virus is present, if the anti-virus program repeatedly reports that a virus was removed, or if the computer responds in an unfamiliar way.
Business Continuity Mgmt (BCM) Organization
How do we continue our business during / after a disaster? (diagram on the original slide; text recovered)
- Business Impact Analysis & Risk Analysis (infrastructure, impacts, cost, risk): identify mission-critical processes
- BCP/DRP definition
- Infrastructure BCP Team, IT Disaster Recovery Plan (DRP) and Non-IT Disaster Recovery Plan contribute to the BCP
- CIO & Business Coordinators, BCP Coordinators
Remember that
– elevators must not be used;
– smoke-filled rooms are to be exited bent over or in a crawling position.
Wait at a safe and readily visible place for the fire department to arrive and give them instructions if needed.
Additional info: Fire is only one of the disasters that can happen in the workplace.
Ref: Instruction Manual for additional guidelines
Business partners
- Allow business partners access to corporate proprietary information only to the extent provided for in the applicable contractual agreements.
- All information resulting from the collaboration with a business partner is to be handled as corporate proprietary information.
- Information that has to be passed to a business partner must carry the copyright and classification endorsements.
- The written consent of the owner of corporate proprietary information must be obtained before the information may be made available to the business partner, unless the provider of the information is the owner.
- Own resources are to be protected against unauthorized access by the business partner.
- Data may only be shared with business partners using the applications and systems installed for this purpose in the particular company unit.
Ref: Procedure for Risk from Third Parties
Business partners are to follow Policy 13-1: Rules for Business Partners of Siemens.
Policy 14 – Mobile Security