InfoSec Awareness 101
Transcript of InfoSec Awareness 101
Translating this into
Secure personal information when not in use
Wear your employee ID at all times
Challenge unaccompanied guests or people not wearing an AJW ID
Position computer screens away from windows to prevent accidental disclosure of personal information
the Basics of "InfoSec"
AJ Walter Aviation is responsible, as part of its commitment to:
Data Protection Act 1998
To ensure that staff are aware of the policies and procedures in place, and the reasons why we are tightening up our working practices
Keep all information and passwords secure
It is everyone's responsibility to protect data
3 main aspects of InfoSec
& Social Engineering
Be aware that there are people who will try and trick others to give out personal information
Prevent these disclosures by carrying out identity checks before giving out personal information to someone making an incoming call
Perform similar checks when making outgoing calls
Consider limiting the amount of personal information given out over the telephone, and follow up with written confirmation if necessary
What is it?
It is an international standard for an Information Security Management System (ISMS)
Essentially, ISO27001:2013 is a best-practice approach intended to bring information security under explicit management control
Is AJ Walter Aviation ISO27001 certified?
No, not currently. But...
We are committed to achieving compliance in 2017
Translating this into
Encrypt personal information that is being taken out of the office if it would cause damage or distress if lost or stolen
Lock or log off computers when away from desks
Dispose of confidential paper securely by shredding
Ensure your desk is tidy and clear of sensitive information
Information is an asset which, like other important business assets, has value to an organisation and consequently needs to be suitably protected
What is Information?
Printed or written on paper
Transmitted by post or electronic means
Visual e.g. videos, diagrams
Published on the Web
Verbal/aural e.g. conversations, phone calls
Intangible e.g. knowledge, experience, expertise, ideas
Types of Information
Information security is in essence the methods used in protecting information assets from accidental or deliberate:
What is Information Security (InfoSec)?
The Bigger Picture
People who use or have an interest in our information security include:
Shareholders / owners
Management & staff
Customers / clients, suppliers & business partners
Service providers, contractors, consultants & advisors
Authorities, regulators & judges
External Threats To Our Information?
People who have an unethical interest in our information include:
Information Security Committee
Head of IT & Data Security
Emergency Response Team
IT, Legal, Quality, HR
Last but not least, you!
The Bottom Line:
Who Is Responsible For InfoSec?
Smartly dressed, confident and polite, the offenders don’t look like criminals as they follow staff into access-controlled areas, sometimes using a mobile phone to avoid being approached or questioned.
But, once inside, they steal property such as wallets, credit cards and corporate information
Intro to Phishing Scams
Password Security Awareness
Physical Security Awareness
Fulfill Your Security Obligations
Stay up to date on information security:
Visit the Information Security QMaps
What Is An ISMS?
An information security management system (ISMS) is a set of policies and procedures for systematically managing an organisation's sensitive data.
The goal of an ISMS is to minimise risk and ensure business continuity by pro-actively limiting the impact of a security breach.
There are three elements to protecting information:
Confidentiality – Protecting information from unauthorised disclosure to people or processes.
Availability – Defending information systems and resources from malicious, unauthorised users to ensure accessibility by authorised users.
Integrity – Assuring the reliability and accuracy of information and IT resources.
Access Control Do's
Follow Security Procedures
Wear Identity Cards and Badges
Ask unauthorised visitors for credentials
Always use a password of at least 7 characters that combines letters, numbers and special characters (*, %, @, #, $, ^)
Use passwords that you can remember easily
Change passwords regularly, as required by the password policy
Use passwords that are significantly different from your earlier passwords
Access Control Don'ts
Bring visitors into operations areas without prior permission
Bring in or use USB drives, iPods or other storage devices unless authorised to do so
Use passwords that reveal your personal information or that are words found in a dictionary
Write down or store passwords
Share passwords over the phone or by email
Use passwords that do not meet the complexity criteria of the password policy
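The password Do's and Don'ts above can be turned into a check that runs at the point of password change, rather than leaving each rule to staff to judge for themselves. The following Python is an added example written for this page, not AJW's own tooling: the 7-character minimum and the three character classes are taken from the slides; the word list, the sample of personal information, and the edit-distance threshold used to decide whether a new password is "significantly different" from an old one are assumptions made for the demo.

```python
import string

# Minimum length and required character classes come from the policy above.
MIN_LENGTH = 7
SPECIALS = set(string.punctuation)   # includes the slide's *, %, @, #, $, ^
# Assumption for the demo: a new password must be at least this many edits
# away from any previous password to count as "significantly different".
MIN_DISTANCE = 4

# Constructed word list for the demo; a real deployment would load a proper dictionary.
DICTIONARY = {"password", "welcome", "aviation", "summer", "letmein"}


def _levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_password(candidate, previous=(), personal_info=()):
    """Return the list of policy rules the candidate breaks; an empty list means it passes.

    previous: earlier passwords of this user (the 'significantly different' rule)
    personal_info: strings such as surname or year of birth that must not appear
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    has_special = any(c in SPECIALS for c in candidate)
    if not (has_alpha and has_digit and has_special):
        problems.append("must combine letters, numbers and special characters")

    lowered = candidate.lower()
    # Catch "Summer2017!"-style passwords: strip digits/punctuation from the ends
    # and test the remaining core against the dictionary as well.
    core = lowered.strip(string.digits + "".join(SPECIALS))
    if lowered in DICTIONARY or core in DICTIONARY:
        problems.append("based on a dictionary word")

    for item in personal_info:
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal information ({item})")

    for old in previous:
        if _levenshtein(lowered, old.lower()) < MIN_DISTANCE:
            problems.append("too similar to a previous password")
            break
    return problems


if __name__ == "__main__":
    # Constructed inputs for the demo.
    for pw, prev, info in [
        ("Summer2017", (), ()),
        ("Av1@ti0n#x", ("Av1@ti0n#y",), ()),
        ("Smith2017!", (), ("Smith", "1985")),
        ("J3llyfish$Run", (), ("Jones", "1985")),
    ]:
        print(pw, "->", check_password(pw, prev, info) or "OK")
```

Note that the check compares against previous passwords in plain text; in a real system the old passwords are only available as hashes, so the similarity rule has to be applied at the moment the user supplies both the old and the new password.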
Use internet services for business purposes
Keep your identity safeguarded
Do not access internet through unauthorised connectivity
Do not use internet for viewing, storing or transmitting obscene or pornographic material
Do not use internet for accessing auction sites
Do not use internet for hacking other computer systems
Do not use internet to download / upload commercial software / copyrighted material
Use official mail for business purposes only
Follow the mail storage guidelines so that your mailbox is not blocked
If you come across any suspicious mail, do the following:
Inform the IT Helpdesk first, so that the message can be investigated
Then delete the email
Do not use official ID for any personal subscription purpose
Do not forward unsolicited mail of any kind, such as chain letters or email hoaxes
Do not post non-business related information to large number of users
Do not open emails or attachments from unknown senders
Threats To Our Information
Information Security Management System (ISMS)
Lack of change control
Don't Get Caught Out
Wear your employee ID badge at all times
Never let strangers into the building; refer them to reception to obtain a security pass
Be vigilant when entering the building
Report any suspicious behaviour or anyone you believe has unauthorised access
Signs of a Social Engineer Attack
Refusal to give contact information
Small mistakes (misspellings, misnomers, odd questions)
Requesting forbidden information
Statistics have shown that most damage is done by insiders -- people with authorised access to internal systems.
Many insiders have the access and knowledge to compromise or shut down entire systems and networks.
You are expected to report information that comes to your attention and that raises potential concerns about information security.
Call the Information Security Officer on extension 8385 or email firstname.lastname@example.org
Damage from Within
Social engineering is the practice of obtaining confidential information by manipulation of legitimate users.
A social engineer will commonly use the telephone or the Internet to trick people into revealing sensitive information, or into doing something that is contrary to normal policy.
Social engineers exploit the natural tendency of a person to trust another’s word, rather than exploiting computer security holes.
Thank You For Stopping By
If you have any comments or recommendations regarding this material or IT security in general, please forward them to email@example.com
Information security is everyone’s responsibility