
Information Security and ISO 27001 Awareness

Objective

What is ISO 27001?
Information Security
Data Classification
Physical Security
Clear Desk & Clear Screen Policy
Data Security
Acceptable use of email, internet resources
Incident Reporting

Firstsource 2007 | confidential | May 20, 2012 | 2

What is ISO 27001?


Controls-based policy
A comprehensive set of controls comprising best practices in information security.

An Information standard
Encompasses all types of information

Whatever form the information may take, or means by which it is shared or stored, it should always be appropriately protected (ISO17799:2000)
Clauses: 8, Control Groups: 11, Controls: 134

Certifiable
Internationally recognized

Risk-management based

Information Security
Information is an asset to all individuals and businesses. Information Security refers to the protection of these assets in order to achieve:

i) Confidentiality

ii) Integrity

iii) Availability

Information Security

Confidentiality
Protecting sensitive information from unauthorized disclosure or interception.

Availability
Ensuring that information and vital services are available to users when required.

Integrity
Safeguarding the accuracy and completeness of information


Data Classification
Secret
Contains highly sensitive, strategic Firstsource information that is material, non-public.

Examples

Financial forecasting and planning information
Earnings estimates
Major litigation information
Information on acquisition or merger plans

Highly Confidential

Contains personal data regarding Firstsource personnel or sensitive information about project/client data.

Examples

Benefits, employee earnings, payroll data
Performance feedback forms
Social security numbers, home addresses and telephone numbers
Health information
Client lists and contact information
Preferences, opinions and intentions regarding any individual
Client billing information
Client architecture diagrams
Business development tracking information


Data Classification

Confidential

Contains Firstsource, client and some personal data which is marked confidential, known to be confidential or is not generally available to the public.

Examples

Employee phone or voice mail directory
Organization charts
Market offering information
Asset-based solutions
Internal meeting presentation materials
Project deliverables

Unrestricted

Contains any data that is available to the public.

Examples

Company advertising literature once it has been used
Data contained on http://www.Firstsource.com/


Physical Security

Physical controls

Display your badge at all times within Firstsource India BPO premises.
Do not be chivalrous and open doors for others. It is mandatory for everyone to flash their access cards whenever you enter or leave a floor.
Disable access cards of resigned employees immediately.

Escort visitors at all times. They do not belong to Firstsource India BPO and no information is Public here.
Report loss of access cards immediately; this will prevent unauthorized access using your card.
Handle ex-employees as visitors.
Ensure that all visitors sign-in their details at the entrance.

Display the danglers in your cars for identifying as Firstsource India BPO employees.
Do not record information using state-of-the-art mobile phones or other recording equipment.
Do not use personal computing device or equipment, e.g. laptops, USB drives, CDs etc.

Clear Desk & Clear Screen Policy


Dos

Pick up confidential and proprietary items quickly off the printer.
Shred any unwanted or old documents.
Clear out voicemail before you leave for the day.
Lock confidential and proprietary documents and computer media in drawers or filing cabinets.
Physically secure laptops with company approved cable locks.
Any documents marked Secret/Highly Confidential/Confidential should not be left on the desk unattended.
Log out of Windows or invoke the password protected screen-saver by pressing Ctrl-Alt-Del on the keyboard and selecting Lock Workstation prior to leaving the computer.
Include disclaimers while sending confidential fax messages.
Exchange information with other Firstsource entities or third party organizations through approved courier agencies.
Verify your recipient's identity before discussing confidential information over the phone.


Clear Desk & Clear Screen Policy


Don'ts

Pin-up any confidential information or client data in the workspace
Write or make notes on any piece of paper, which you might lose
Remove any Firstsource confidential Information Pin-up from the workspaces
Save client related documents on PC hard disks
Access Confidential information without business need
Change Screen Saver Settings


Data Security

All documents should be labeled.
Clear boards and charts after any meeting.
Ensure all confidential and highly confidential documents are shredded immediately after use.
Any loose paper left unattended on a desk will be shredded without any warning.
Users should ensure they have unique and identifiable IDs and passwords for all applications they might use for their official work.
Users should promptly follow the password policies of Firstsource and, where applicable, those of the client.
In case of login trouble with any application, the user should always contact Helpdesk.
Users should not share others' IDs / passwords.
The user is accountable for all activities done on Firstsource systems using his / her IDs.
Avoid discussing sensitive and confidential information in open workspaces and public places like airports, restrooms, restaurants and elevators.


Acceptable use of email, internet resources

Unacceptable use of Firstsource resources includes any activity which is:

illegal
inappropriate
taking up excessive time or company resources.

Do not respond to spam e-mail or forward it to others.
Delete spam without opening.
Turn off the Microsoft Outlook preview pane before deleting spam messages.
Do not request removal from the spammer's distribution list, even if this option is offered.
Do not use Firstsource e-mail for non-business-related purposes.
Be judicious of the websites you access and never browse a site that contains inappropriate material.
Use caution when creating rules to avoid discarding important messages.


Incident Reporting
What is a security incident?
Any event that compromises the CIA (confidentiality, integrity, availability) of information.

The event could be physical, IT related, policy related etc.

Sometimes a security weakness precedes an incident.

Some examples are:
Theft, Violence or Riots, Physical security access control failure, Unauthorized physical access, Misuse/tampering with information, Unauthorized distribution of information, Virus outbreak, Hacking etc.

All physical security incidents should be reported to the Local F&S Helpdesk.
For BCP related queries, contact your supervisors or the India BPO BCP Team.
All information security incidents should be reported to the Centralized Technical Support Desk on 5555 and/or by email to Information.security@firstsource.com
All HR related incidents should be reported to the HR Helpline on 6666


Important dates to remember

Pre-Assessment Audit: June 1/2, 2006
Stage 1 Audit (Document Review): June 6/7, 2006
Certification Audit: June 13/14, 2006


THANK YOU
Firstsource (NSE: FSL, BSE: 532809, Reuters: FISO.BO, Bloomberg: FSOL@IN) is a global provider of BPO (business process outsourcing) services headquartered in India. Firstsource provides customized business process management to global leaders in the Banking & Financial Services, Telecom & Media and Healthcare sectors. Its clients include Fortune 500 Financial Services, Telecommunications and Healthcare companies. Firstsource has a global delivery model with operations in India, US, UK, Argentina and Philippines. (www.firstsource.com)
