IT Security Awareness Program. Information Technology.
TABLE OF CONTENTS. 1 Domain Login ID & Passwords 2 Managing Passwords 3 E-Mail Policy 4 Company Policies.
GLOBAL PRESENCE. Industries Served. Global Servicing.
DOMAIN LOGIN ID & PASSWORD.
- Login ID Ownership: The login ID owner must take every precaution to protect his/her domain login password.
- Login ID Responsibility: The login ID owner is responsible for all actions performed under his/her login ID.
- 1st Login: The user must change their passwords upon first login.
- Password Change: Password must be changed at least every 90 days.
- Reusage of Password: There must be 24 consecutive unique passwords before they can be re-used.
- Suspicious Activity: Users, if suspicious of a password being hacked, should report to IT Department immediately.
MANAGING THE PASSWORD.
1. Don't reveal a password in an email.
2. Don't talk about a password in front of others.
3. Don't reveal a password to co-workers/anyone on any occasion.
4. Don't use password remembering tools unless approved by the network administrator.
5. Don't write your password where others have access to it.
6. Avoid applications that display password information on the screen.
7. If you are suspicious of your password being broken, report to IT team immediately.
O365 MULTIFACTOR AUTHENTICATION.
Users need to provide an additional verification method to prove access to a trusted device. The verification methods available with Office 365 can be any of the following:
MFA Sign-in Options:
- Approve: Click Approve from a mobile notification (install Microsoft Authenticator via Play Store or App Store).
- Code: Enter a code received by SMS text message.
- Register: Answer a registered phone number and press #.
- Authorization: Retrieve an authorization code from a mobile app (Microsoft Authenticator).
First Login After MFA Is Enabled on User Account:
Log into your account using browser and URL http://outlook.office365.com with username and password. Your first login after MFA has been enabled will require you to set up your additional identity verification methods.
E-MAIL POLICY. Only work-related emails are permitted – no personal emails allowed.
COMPANY POLICIES. [Image: policy document folders, including HR Policies, QMS Process Documents, HR Admin Policies, ISMS Process Documents, IT Policies, and Templates & Forms.]
TYPES AND DEFINITIONS OF EMAIL ATTACKS.
- Spam: Irrelevant emails sent to users in bulk by an unknown source.
- Malware: Malicious software deployed to interrupt production and gain access to systems.
- URL Phishing: Attacker embeds a malicious URL in what seems to be a legitimate URL.
- Scamming: Attempts to gain monetary value from the organization or its employees.
- Spear Phishing: Impersonates high-level staff (President, HR, IT, etc.) to gain confidential information.
- Domain Impersonation: Attackers create fake emails or URLs associated with legitimate businesses that lead end users into leaking company data.
- Brand Impersonation: Impersonation of a trusted company (vendors ARi works with) to gain sensitive data.
- Extortion: Uses fear tactics such as threats or force to obtain company data or funds.
- Business Email Compromise: High-level spoofing, spear phishing, and malware attack on a business. This attack has a high impact on an organization.
- Conversation Hijacking: Attacker inserts themselves into an email thread using spoofing methods to gain confidential information.
- Lateral Phishing: The use of already "hijacked" email accounts from other legitimate organizations to gain sensitive organizational data.
- Account Takeover: Attackers seek credentials gained from "black-market" sources to gain organizational data, using the resources as a social engineering tactic.
INTERNET USAGE. Do's.
- Usage of the Internet is allowed only for work-related purposes.
- Be accountable for what you surf and live by transparency.
- Use your intellectual honesty and best judgment while availing the facility given to you.
- Be cautious about viruses while browsing.
- Approach the IT team if you wish to download any software or tools from the Internet.
- If you find yourself at a site where you think you should not be, close it immediately and inform the IT team.
- Know your internet usage is tracked, and you will be held accountable for all sites you visit.
INTERNET USAGE. Don'ts.
- Do not surf, register, or subscribe to any site with non-work-related data.
- Do not reveal any personal/official information.
- Do not send any work-related data to your personal email.
- Do not download patented technical matter or illegal materials.
- Do not use Internet for personal email & chatting.
- Do not listen or view online music or videos.
- Do not upload any work relevant materials to other websites.
- Do not stop scheduled virus scans. They are scheduled for a reason.
DATA SECURITY.
- Never send any data or documents to anyone unrelated / no longer related to the organization.
- Employees are not allowed to transfer any work-related material to removable storage (USB, CD, DVD, etc.) without consent from management via Privilege Request Form.
- All confidential information (documents/manuals/printouts etc.) must be kept in your desk cabinet and locked before leaving each day.
- Shut down any open systems at the end of the day.
- Lock the screen (press Windows + L) when leaving your PC, even for a short while.
- Anyone using a system other than their allotted computer (e.g., a conference room system) should log out after usage, not simply lock the screen when leaving or leave without doing any of the above.
INVENTORY CONTROL.
- Once the "Equipment Release Form" is signed and dated, it is the user's responsibility to ensure all ARi assets stay with the responsible user assigned to the ARi assets.
- If assets are "swapped", misplaced, damaged, or stolen, the responsible user may be held financially responsible.
- If additional ARi assets are required, create a ticket in LinkUs for the request.
PRINTER USAGE.
- All ARi users should take their ARi printouts immediately.
- With customer printouts, users should take printouts according to customer policies / guidelines.
- All printer usage is logged by user.
- Users are responsible for maintaining all hard copies' confidentiality.
WI-FI AND MODEM USAGE. Access to external (non-ARi) Wi-Fi access points by ARi employees is strictly prohibited, and ARi wireless access points are limited to ARi Laptops. If using a public connection, use the Cisco Anyconnect VPN. No personal laptops are allowed into the office.
PHYSICAL SECURITY.
IT SECURITY AWARENESS PROGRAM SCHEDULE.
- Every employee must attend the detailed security awareness program within the first month of joining.
- Every employee must take the security awareness test and pass within the first month of joining.
- All employees must attend the quarterly IT Security & Policies awareness program.
- The IT team will inform all employees of the training dates in advance via email.
CLEAR SCREEN POLICY. All the documents you prepare while working in your systems are likely vulnerable. You likely keep some confidential data in your papers, notebooks, and desktop. To overcome this, you need to clean your desktop before leaving for the day. Store no data on the desktop! Clear screen policy includes arranging your systems back into position and checking no documents are left on the desk.
CONFIDENTIALITY CLASSIFICATION OF RECORDS.

C1 - Public
Criteria: Any information that can be publicly made available to anyone, including those not working with and representing the company. Examples: annual reports, press statements, company's web page, etc. Security at this level is minimal.
Access permissions: Edit: Author. View: All.

C2 - Internal
Criteria: Any information that is internal to Company and needs to be restricted from being accessed by anyone who does not belong to Company or is not involved in helping Company fulfill its purpose or mission and objectives. Examples: ISMS documentation, Company Policy documents, internal circulars, etc. Security at this level is controlled but normal.
Access permissions: Edit: Author. View: All employees.

C3 - Restricted
Criteria: Any information specific to one or a few departments of Company, based on the nature of the information processing exercise performed, that requires special authorization for accessing and possessing knowledge. These are project-specific information assets. Some of this information can be shared with clients or third-party service providers on a case-to-case basis. Examples: project plans, project documents, proposals, contracts, etc. Such information is accessed by authorized personnel of the project or department. Security at this level is high.
Access permissions: Edit: Author. View: Project or department members.

C4 - Confidential
Criteria: Any information, the knowledge of which has to be restricted to a select few, like the core management team of Company, and which needs special authorization of the Head of the department with prior approval of Senior Management based on the nature of the information. The authorization is provided on a case-to-case basis based on the nature of the information and its criticality. Information of this nature, if made public or shared within the organization, can seriously impact the company's operations. Examples: business plans, financial information, IPR, etc. Security at this level is very high.
Access permissions: Edit: Author. View: Defined by the author on need basis.

C5 - Highly Confidential
Criteria: Any information that is strictly confidential and cannot be shared with anybody other than the CEO and the Board of Company. The CEO may authorize sharing this information on a need basis. Examples: investment strategies, long-term plans, mergers and acquisitions, etc. Security at this level is the highest possible.
Access permissions: Edit: Author. View: Defined by the author on need basis.
SUPPORT TICKETING SYSTEM - LiNKus. [Screenshot of the support ticket form. Fields shown: Subject, Support Department, Category, Support Privilege, Created Date, Company, Created By, Last Updated By, Ticket Creator Info, Description, Attachments, Agent Comments, Tracking Status. Note: Type NA if work station is not applicable.]
ACCESS CONTROL. For new joiners, only main door access is provided. Depending on the team, we will provide access to other doors such as the lab, shipping room, etc. Server Room and IT Room access is strictly limited to IT Dept. employees only. If you need access to any of the other doors like the lab and shipping room, contact the Admin Team.
EP 1:46 QUICK REFERENCE GUIDE. ENTERPRISE PROCEDURE: CONFIDENTIAL INFORMATION.
Caterpillar Confidential Information (CCI) is information that could cause harm to Caterpillar or its shareholders if disclosed to unauthorized users, especially those outside of Caterpillar. Consequences can include the loss of competitive advantage or sales, damage to a person, damage to operations or to Caterpillar's reputation, or loss of customer, shareholder or business partner confidence. Confidential information is an asset and may be commercial, technical or personal in nature. It may be in hard copy or electronic form. View EP for more information.

What's Your Role?
- Information or Data Owner: An individual within Caterpillar who faces the greatest negative impact from disclosure or loss of the information. He or she is accountable for ensuring the information is created and appropriately classified, protected and maintained, but may delegate the day-to-day handling of the information (e.g., department heads, product managers, technical managers or stewards, division managers, marketing managers, senior business managers, new product integration managers or HR managers).
- Information or Data Custodian: The person, organization, process or system that implements and/or administers the information security controls as requested by the information owner. This role is responsible for marking and confidential information by the requirements of EP 1:46.
- Authorized User: Any employee, contract worker, temporary worker or third-party user who has been approved by his or her business unit to access any part of Caterpillar's network. Authorized users must review and abide by security controls in Enterprise Procedures, Information Security Directives and other standards.

Know Where You Can Store It
- Mobile Device: Portable communication device with information storage capability (e.g., laptops, tablets, smart phones).
  Caterpillar: Confidential Green: Yes
  Caterpillar: Confidential Yellow: Yes, if encrypted
  Caterpillar: Confidential Red: Yes, if data/file is encrypted
- Portable Storage Media: A small, removable electronic storage device (e.g., portable hard drives, thumb/flash drives, USB keys).
  Caterpillar: Confidential Green: Yes
  Caterpillar: Confidential Yellow: Yes, if encrypted
  Caterpillar: Confidential Red: Never

What is High Value Technical Information?
High-Value Technical Information is an individual piece of technical information, or collection of documents, worth at least $30 million. Refer to Enterprise Procedure 2:27 for guidance on its protection.

Learn More: Find information on Enterprise Procedures, Information Security Directives and CCI.
EP 1:46 QUICK REFERENCE GUIDE. ENTERPRISE PROCEDURE: CONFIDENTIAL INFORMATION. [Scanned table, largely illegible: rows for Caterpillar: Confidential Green, Caterpillar: Confidential Yellow and Caterpillar: Confidential Red, with columns including Definition and Example, followed by a note on noncompliance.]
Escalation Matrix. IT Team - Escalation Matrix
Escalation | Contact Person | Kind of Issue | Response Time | Resolution Time | Contact Details | E-mail To
L1 | IT-Team | Level one Issues | 15 Min. | 30 Min. | 040-66887249, 044-61320610 | [email protected]
L2 | IT Lead | Reminder for L1 Issues and Direct L2 Issues | 15 Min. | 45 Min. | 040-66887250, 044-61320610 | [email protected]
L3 | IT Manager | Reminder for L1/L2 Issues and Direct L3 Issues | 30 Min. | 03 Hrs | 040-66887250, 044-61320610 | [email protected], [email protected]
L4 | Divisional Manager | Reminder for L1/L2/L3 Issues and Direct L4 Issues | 02 Hrs | 12 Hrs | 040-66887260 | [email protected]
L5 | Director - Operations | Reminder for L1/L2/L3/L4 and Direct L5 Issue | 04 Hrs | 12 Hrs | 040-66887260 | [email protected]
ORG – CHART (IT TEAM).
- OP Juneja: Director - IT
- Kasi Viswanath Nunna: Manager – IT
- Richard Austin Guidry: System Administrator (USA)
- Mareeswaran Ayyanar: Manager – IT
- Ramakrishna Ganji: Sr. System Administrator
- Rajakumar V: ClearCase Administrator
- Jeeva Raja: Desktop Engineer
- Vimal Prasanth P: Desktop Engineer
- Muralikrishna Badugu: Asst. Manager
- Manoj Kumar: Sr. System Administrator
- Rajasekhar Jonnala: Desktop Engineer
- Jasshpreet Singh: Trainee
IT Team Hyderabad. Om Prakash Juneja, Manoj Kumar, Om Prakash, Kasi Viswanath Nunna, Rajasekhar Jonnala, Muralikrishna Badugu, Jasspreet Singh.
Om Prakash Juneja, Rajakumar V, Mareeswaran Ayyanar, Jeeva Raja, Ramakrishna Ganji, Vimal Prasanth P.
IT Team USA. Om Prakash Juneja. Kasi Viswanath Nunna.
Questions & Suggestions.