[Audio] WELCOME TO THE INFORMATION SECURITY MANAGEMENT SYSTEM AWARENESS TRAINING.
[Audio] We are here to present the Information Security Management System Awareness Training. The purpose of this training is to make all employees aware of the Information Security policies that help us deal with problems when they arise, and to meet our compliance training requirements. Through the ISMS awareness training program, we can all learn about the security best practices and technologies we use to streamline our operations.
[Audio] You may ask why ISO 27001 and not some other standard. At Borek Solutions Group we support a range of existing clients with Operations, Systems, and Marketing. To safeguard our clients' information across these engagements, implementing ISO 27001 is necessary. It is not just a competitive advantage: compliance with ISO 27001 also puts us in a position to strengthen our relationships with our clients.
[Audio] ISO 27001:2022 Standard. In today's digital era, every organisation needs a systematic approach to securing its information assets. ISO 27001 is the international standard that specifies the requirements for an Information Security Management System (ISMS) that safeguards an organization's assets.
ISO 27001:2005 was the first edition of the standard.
ISO 27001:2013 was published on 25 September 2013 and replaced ISO 27001:2005.
ISO 27001:2022 (Information Security Management System) was published on 25 October 2022 and replaced ISO 27001:2013.
[Audio] Before we move ahead, let us understand what Information Security means. Read the definition on the slide. Information Security is the preservation of the confidentiality, integrity and availability of information: protecting it from unauthorized disclosure, keeping it accurate and free from tampering, and making it available to authorized persons and processes when they need it. It is the practice of protecting information by mitigating information risk.
[Audio] Let us have a detailed overview of ISO 27001:2022 standards.
[Audio] Have you heard about the Information Security Triad? The Information Security Triad signifies the three key components: Confidentiality, Integrity and Availability. Each of these components represents a fundamental objective of information security; you can say they are the three pillars of Information Security. Let's discuss each principle in detail.
Principle 1: Confidentiality means information is available only to authorized individuals, entities and processes. Measures to reduce the risk include encryption, access control, and awareness of social engineering attacks.
Principle 2: Integrity means the organization must ensure that data is not tampered with, whether stored or in transit; it must always remain exactly as it was created or received. Measures to reduce the risk include access control, checksums and digital signatures, and backup systems.
Principle 3: Availability is the ability to ensure that information is consistently accessible when needed by authorized parties. This involves proper maintenance of the hardware and technical infrastructure of the systems that store and serve this information. Measures to reduce the risk include a Business Continuity Plan, redundancy, high availability, etc.
[Audio] Information Security is implemented by framing a suitable ISMS policy and setting fitting procedures and guidelines.
[Audio] Without an ISMS policy we are exposed to security incidents that can impact our business: IT downtime, business interruption, unnecessary financial losses and extra costs. Our intellectual property may be devalued. Moreover, unawareness may lead to breaches of laws and regulations, which can result in prosecution, fines and penalties. Our reputation and brand name may be damaged, leading to loss of customers, market share, etc.
10. ISMS Team @ BOREK.
Kushal Rao – MD
Dhaval Solanki – CISO (Chief Information Security Officer)
Hetal Patel – Information Security Officer – People
Aniroodh Shewate – Information Security Officer – Admin
11. Information Security – Who Is Responsible? Myth vs. Reality.
12. Information Security – Who Is Responsible?
13. End user role.
Establish objectives necessary to deliver results in accordance with customer requirements and the organization’s policies.
15. Information Asset Classification.
What is an Asset? An asset is any tangible or intangible thing or characteristic that has value to the organization. Examples: customer details, bills, contracts, databases, IT hardware, application software, development tools, system documentation, audit trails, etc.
Who is the owner of the asset? The person who is responsible for the asset.
Why classify assets? To protect and secure them according to their criticality and sensitivity; to help meet regulatory and legal requirements; to help meet the requirements of industry standards.
16. Information Asset Classification Baseline (classification table; level shown: SECRET).
17. Password Security.
Keep your password secret.
As per policy, the password must be at least 8 characters and contain letters, numbers, and special characters (#, $, @, &, !, %).
Use passwords that are easy to remember but difficult to guess.
Change passwords every 30 days, before they expire.
Don't use passwords that include your personal information, especially your name, or common words.
Don't write down or store passwords.
Don't share your password with anyone.
Don't reveal passwords in email, chat or other communication.
The last 12 passwords must not be reused.
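The rules on this slide are mechanical enough to be enforced in code, and the one that usually trips people up is the history check: a system cannot compare a new password against the last 12 unless it has stored something about them, and it must not store them in clear text. The following checker is an added example written for this page, not Borek's own tooling. It takes the slide's rules as given (8 characters, letters, digits, one of # $ @ & ! %, no personal information, no reuse of the last 12) and assumes a small denylist of common words and PBKDF2-SHA256 with a per-user salt for the history entries; those two choices are illustrative, not policy.

```python
import hashlib
import hmac

# Rules taken from the slide. The denylist of common words and the PBKDF2
# parameters are assumptions made for this example, not Borek policy.
MIN_LENGTH = 8
SPECIAL_CHARS = set("#$@&!%")
HISTORY_DEPTH = 12
COMMON_WORDS = ("password", "welcome", "qwerty", "letmein", "admin")
PBKDF2_ITERATIONS = 100_000


def history_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 of a password, so the reuse check never has to
    keep old passwords in clear text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def was_used_recently(password: str, salt: bytes, history: list) -> bool:
    """True if the password matches any of the last HISTORY_DEPTH stored hashes.
    Constant-time comparison avoids leaking which entry matched."""
    candidate = history_hash(password, salt)
    return any(hmac.compare_digest(candidate, old) for old in history[-HISTORY_DEPTH:])


def check_password(password: str, personal_info=(), history=(), salt: bytes = b"") -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character from " + "".join(sorted(SPECIAL_CHARS)))
    lowered = password.lower()
    # Personal information (name, employee ID, ...) must not appear anywhere in the password.
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal information ({item!r})")
    for word in COMMON_WORDS:
        if word in lowered:
            problems.append(f"contains common word {word!r}")
    if history and was_used_recently(password, salt, list(history)):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Constructed demo data: in a real system the salt is random per user (os.urandom(16)).
    salt = b"per-user-random-salt"
    history = [history_hash(p, salt) for p in ("Winter2023#", "Spring2024$")]
    for pw in ("Rao2024!", "Winter2023#", "Blue#Kettle42"):
        result = check_password(pw, personal_info=("Kushal", "Rao"), history=history, salt=salt)
        print(f"{pw!r}: {result or 'OK'}")
```

Only the hash of each retired password is kept, so a leaked history table does not hand an attacker the old passwords, and the depth of the slice is what enforces the "last 12" rule.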
18. Malware Protection.
Malware is "malicious software", developed to harm the Confidentiality, Integrity and Availability of information. Common kinds of malware are viruses, worms, Trojans and spyware.
• Ensure that the antivirus is running on your desktop.
• If the antivirus is not present or not functional, report it immediately to the IT service desk.
• Scan all files coming from external sources (such as email, the internet, USB).
• Do not open emails received from unexpected or suspicious senders; report them to the IT service desk.
• Do not open or download any executable files (.exe) received as email attachments.
19. Spam.
Spam is unsolicited email broadcast indiscriminately to multiple mailing lists, individuals or newsgroups.
Never reply to spam or share any personal information.
Don't buy anything from a link received in a spam email.
Be careful opening an email attachment if you have any suspicions.
Share your email address only with people you know.
Don't forward any email from an unknown sender.
20. Email Security.
Use email for business purposes only.
Use only your official email ID for official purposes.
Retain important emails for evidence/record purposes.
Always verify the recipient's email ID before sending the email.
The following are prohibited: transmitting offensive material such as political opinion, pornography and sexual harassment material; spamming unsolicited messages or promotions, sending or forwarding chain letters; creating, sending, receiving or storing materials that infringe the copyright or other intellectual property rights of any third party.
21. Clear Desk and Clear Screen.
Lock your desktop when leaving your workplace.
Ensure your desk is clear and no sensitive information is lying around.
Ensure your desktop holds only installed application shortcuts and no other files.
Be aware of shoulder surfers in the office and in public places.
Be cautious while handling sensitive information.
Shred unwanted documents.
Don't forget to collect your printouts from the printer.
Don't forget to clear the whiteboard when leaving meeting rooms.
Don't use / install.
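The slide tells staff not to open executable attachments, and a mail gateway can enforce the same rule, but a check on the file name alone is not enough: an attacker can rename `payload.exe` to `invoice.pdf`. The example below is added for this page and is not Borek's or any vendor's filtering code. It builds a constructed sample mail with Python's standard `email` library (one harmless text file, one `.exe`, and one executable disguised as a PDF), parses it back as a gateway would, and flags attachments by both extension and content, using the two-byte `MZ` header that every Windows PE executable starts with. The blocked-extension list is an assumption for the example, extended beyond the `.exe` the slide names.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# The slide names .exe; the rest of this list is assumed for the example and covers
# other file types Windows will run directly.
BLOCKED_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "msi", "dll",
                      "js", "jse", "vbs", "wsf", "hta", "ps1", "jar"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable, whatever it is named


def suspicious_attachments(msg: EmailMessage) -> list:
    """Return (filename, reasons) for each attachment that looks executable,
    judged by its extension AND by the bytes actually inside it."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""  # decodes base64/QP transfer encoding
        reasons = []
        ext = os.path.splitext(name)[1].lower().lstrip(".")
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked extension .{ext}")
        if payload.startswith(PE_MAGIC):
            reasons.append("content has a Windows executable (MZ) header")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample mail: one honest text file, one .exe, and the same
    executable renamed to .pdf to slip past a filename-only check."""
    fake_pe = PE_MAGIC + b"\x90\x00\x03\x00" + b"\x00" * 60  # constructed, not a real binary
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please find the invoice attached.\n")
    msg.add_attachment("Quarterly notes\n", filename="notes.txt")
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream", filename="setup.exe")
    msg.add_attachment(fake_pe, maintype="application", subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


def scan_raw_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message the way a gateway receives it, then scan it."""
    msg = message_from_bytes(raw, policy=policy.default)
    return suspicious_attachments(msg)


if __name__ == "__main__":
    for name, reasons in scan_raw_message(build_sample_message()):
        print(f"{name}: {'; '.join(reasons)}")
```

The disguised `invoice.pdf` passes the extension test and is caught only by the content check, which is the point of the slide's advice to scan everything that arrives from outside rather than trusting how it is labelled.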
22. Mobile Usage – Best Practices.
Take the time to learn and use the security settings on your mobile devices.
Do not allow the device to connect automatically to unknown wireless networks (unknown security settings may expose the device to hacking or malicious programs).
Never leave the device unattended.
Use encryption and/or password protection features.
Use a strong password: create passwords that are tough for attackers to crack but easy for you to remember.
23. Social Media Usage – Best Practices.
Assume that anything posted on a social media site is on the Internet, even if you have restricted it to certain users, and act accordingly.
Know the reputation, terms of usage agreement and security risks before you start using a social media site.
Use strong passwords to secure your social media accounts and change them periodically.
24. Social Engineering.
Avoid discussing sensitive information with others in public.
Do not give out sensitive information over email or telephone without proper verification of the requester's identity.
Verify the caller's identity if you receive an unexpected call.
Ensure that your conversations cannot be overheard when discussing important business matters.
25. Physical Security.
Controls implemented: security guards and various access control systems are in place.
26. Information Security Incidents.
A security incident is a real or potential security event that has, or could have, a harmful impact on business operations or users.
27. Information Security Incident Reporting.
Contact the IT department for all IT-related security incidents.
Contact Admin for all physical security-related incidents.
Contact HR for all HR-related security incidents.
Record security incidents in the Incident Register of the respective department.
Don't discuss security incidents with anyone outside Borek.
Don't attempt to prevent anyone from reporting an incident.
Don't post topics related to Information Security on social media channels.
Never talk to the media unless authorized.
28. Key Takeaway Points.
Borek Solutions Group is ISO 27001:2013 certified and will be certified against ISO 27001:2022 in 2023.
Safeguard company data: keep confidential files under lock and key.
Avoid spam emails.
Maintain a Clear Desk and Clear Screen.
Report Information Security Incidents to the respective helpdesks.
29. Thank you.