Data Security and Privacy (DS&P) Awareness for ERNST YOUNG LLP – SAP ERP Global Blueprint Project
Objective
Objective: Ensure that IBM project team members are aware of IBM and client-specific Data Security & Privacy requirements.
Goal: To educate the IBM workforce and comply with IBM DSP policies and client contract DSP requirements.
2-Nov-14
What is IBM’s Global Data Security & Privacy Definition?
Data Privacy: The ability of individuals to determine when, how, and to what extent information about them is used or disclosed to others.
• Sensitive personal information (SPI) could be misused to harm a person in a financial, employment or social way. [The USA also focuses on information facilitating identity theft (SSN, account code, PIN, etc.), and on medical information.]
• Personally identifiable information (PI) includes any data element relating to identified or identifiable individuals.
• Business sensitive information (BSI) is information protected by a client or other company as important to their business, the improper exposure or use of which could harm them.
* IBM’s definition of SPI can be found at: http://w3.ibm.com/ibm/privacy/practices_guidance.html
Security: The practices we employ through people, processes and technology to protect information and minimize the potential of a data breach or security compromise.
All IBM projects must follow foundational Data Security and Privacy standards and policies.
Client Sensitive Information – ERNST YOUNG LLP - SAP ERP Global
• Only the SAP application hosts PI/SPI/BSI information.
• Client sensitive information resides in the production environment.
• PI (Personal Information) – Customer Name, Customer Address, Customer Account ID
• BSI (Business Sensitive Information) – E&Y Billing Period, E&Y Account ID and E&Y Account Balance
• Data access restriction is applied.
Protecting Confidential Information
What is Confidential information?
Any information that could damage IBM or the Client by its misappropriation or unauthorized disclosure is termed IBM Confidential.
Examples of Confidential information:
• Financial data relating to IBM or Client operations or financial position
• Product design data and source code during development, and possibly, design data and source code
• Details of production schedules
• Customer / Employee details
Who can access Confidential Information?
IBM or Client Confidential information can be accessed only with a "need-to-know" and management approval.
You can disclose to third parties only when:
• Management or the client has approved, or...
• A confidential non-disclosure agreement has been signed
• Approved by IBM Legal Counsel
What if I fail to comply with IBM security policies?
This could lead to:
• suspension
• termination
• other disciplinary action
Why is DS&P Important?
Appropriate security practices must be taken to protect SPI/PI. Data Security and Privacy breaches are high impact / low frequency events.
Contributing Factors:
• Loss: Accidental, intentional
• Theft: Physical, logical
• Misuse: Employee, third party
• Disclosure: Inadvertent, inappropriate
• Access: Unauthorized
• Increasing Regulatory Requirements
Key Factors:
• IBM’s Reputation
• Contractual Requirements
• Compliance with Global and Regional Regulations and Directives
• Client Relationships: “Trust”
… and also the impact on individual persons
What are the DS&P matters on my project that I should be aware of?
• Service applications accessed by IBM team members might contain customer details including the name, address, account and credit card details. This information is categorized as PI/SPI. Any intentional or unintentional disclosure of it through IBM may result in legal liabilities and reputational loss for IBM.
• Customer information is considered business sensitive information (BSI). Customer information includes business plans, project details, details of the client business processes and procedures, and any information of IBM or Service which, when leaked, would impact their business or reputation.
• The customized source code is the intellectual property of Service and hence is considered BSI. The source code must not be copied, transferred or replicated.
• IBM management and the team should understand the implications and evaluate the associated risk before accepting any new access or elevated privileges to the applications or database. This should be done only after a thorough risk assessment and PE approval, and after ensuring adequate controls are in place.
• All IBM project members must ensure that their laptops are compliant with WST. Project members must check from time to time that all requirements are green in WST. Subcontractors must ensure that their laptops are up to date with the latest patches and updates for their operating system and anti-virus software.
How Can You Make A Difference!!!
Did you know that the group representing the most likely source of an asset loss through inappropriate computer use is the employees within the organization?
• Information security begins with every individual.
• We need your help to maintain the integrity and reliability of our computer resources.
• You need to be aware of the risks that are associated with an action or a resource.
• You need to use good judgment.
• You need to report unusual incidents.
"People are the weakest link. You can have the best technology, firewalls, intrusion-detection systems, biometric devices - and somebody can call an unsuspecting employee. That's all, they have got everything."
Physical Security
Do’s
• When on IBM premises, always carry your IBM ID card on your person and display it prominently.
• When on customer premises, always carry the customer-issued ID card and display it prominently.
• Workstations should be physically locked (e.g. cable locks) when unattended.
• If any physical asset, including ID badge, portable media, laptops etc., is lost or stolen, report it to the physical security officer and your manager immediately.
Don'ts
• Do not tailgate.
• Do not allow anyone to tailgate.
• Do not loan your ID badge to another employee.
• Do not leave your laptop unattended in your vehicle or in any public place.
Internet Security and E-mail Security
Don’ts
• Do not post IBM or client specific/proprietary information on public sites.
• Do not access online music/games sites, P2P software (Kazaa, Napster, Skype etc.), chat sites and/or other inappropriate forums through IBM or Client sites.
• Do not download or copy freeware and shareware software from the Internet or any other source.
• Never send passwords or other personal information about yourself to anyone.
• Do not auto-forward e-mails from external addresses to your official e-mail id, or vice versa.
• Do not forward chain mails/spam while accessing IBM or client mail systems.
• Never send inappropriate messages.
• Do not use the client e-mail infrastructure for communication on non-client-related IBM confidential matters.
Do’s
• Use the Internet only for business-related work.
• Report obscene e-mails.
• Delete unsolicited advertising e-mail without replying to it.
Password Policy
Do’s
• Passwords must be a minimum of 8 characters.
• Change passwords every 90 days or less. If there is no technical process enforcing the password change, you must comply manually with the password change requirement.
• Passwords must contain a mix of alphabetic characters, special characters and numbers. The use of a passphrase is advised.
• Change your password if you suspect it is compromised.
• Always change the default password.
• When changing your password, you must select a new password, i.e. do not change the password to one that you used in the past.
Don’ts
• Personal details like DoB, anniversary dates, spouse/children names etc. should not be used in passwords.
• Avoid using names of places, or other common dictionary words, as your password.
• Don’t reveal your password to anyone.
• Don’t write down your password for the world to see.
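The rules on this slide turned into a checker, as an added example that is not part of the original deck: the dictionary list, the personal-detail list and the previous-password history are constructed stand-ins for the real word list, HR record and password store.

```python
"""Checks a candidate password against the rules stated on this slide.
Added example, not part of the original deck: the dictionary list, the
personal-detail list and the previous-password history are constructed."""
import hashlib
import string
from datetime import date

MIN_LENGTH = 8       # "minimum of 8 characters"
MAX_AGE_DAYS = 90    # "change passwords every 90 days or less"

# Constructed stand-ins for a real word list and for the user's HR record.
COMMON_WORDS = {"password", "welcome", "london", "bangalore", "summer"}
PERSONAL_DETAILS = {"rahul", "priya", "1984", "0512"}  # names, DoB fragments


def digest(pw: str) -> str:
    # A real system stores salted hashes; unsalted SHA-256 is used here only
    # to keep the history comparison short.
    return hashlib.sha256(pw.encode()).hexdigest()


def check_password(pw: str, history=()) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # "a mix of alphabetics, special characters and numbers"
    has_alpha = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_special = any(c in string.punctuation for c in pw)
    if not (has_alpha and has_digit and has_special):
        problems.append("needs letters, digits and special characters")
    lowered = pw.lower()
    # Dictionary words and personal details are matched as substrings, so
    # "Password1!" still fails even though it satisfies the character mix.
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a common dictionary word")
    if any(detail in lowered for detail in PERSONAL_DETAILS):
        problems.append("contains a personal detail (name or date)")
    # "do not change the password to one that you used in the past"
    if digest(pw) in history:
        problems.append("reuses a previous password")
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    """True once the password is older than the 90-day change interval."""
    return (today - last_changed).days > MAX_AGE_DAYS
```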
Data Protection / Backup
If there is a valid business need to store PI/SPI/BSI on your workstation.
• Usage of portable removable media such as CD/DVD, removable HDD, a USB storage device or a data backup tape is not allowed.
• The external storage media used for backing up data must be physically secured in secure rooms or cabinets under lock and key.
• Activate a power-on password and a password-controlled time-out/lock-out feature on all hand-held devices containing backup data.
• IBM Confidential or other business sensitive data should not be placed on a hand-held device if there is no way to secure the device.
Link: http://w3-03.ibm.com/tools/it/ittools.nsf/main/security_fileencryptionsolutions
Workplace Security
Do’s
• Follow the clean desk policy.
• Collect printouts from printer trays promptly.
• All confidential documents/literature/information should be kept under lock and key.
• At the end of your working day, lock all your papers in the storage provided.
• Keep your drawer keys secure.
• All confidential documents should be shredded prior to disposal.
• Activate the password-protected keyboard/screen lock when leaving your work area.
Don’ts
• Do not leave your drawer keys in insecure locations.
• Do not leave Post-it Notes with confidential information in a place from which they can be picked up by anyone.
• Do not leave any papers on your workstation after you leave for the day.
• Do not leave any documents on the printer once you have printed them.
• Do not attempt to install/run any software/code/application without prior approval from IBM or the Client.
• Do not attempt to bypass any security controls.
• Do not attempt to access any IBM or client information which you are not permitted to access, or which is not relevant or required for your current responsibilities.
Security Incident Reporting
If you suspect a security incident is in progress or has occurred, it is important for you to act promptly by contacting your location Security department / Project Manager. Employees are not to attempt to investigate or take action against the offender unless directed to do so by Security personnel.
If your workstation or portable media containing PI/SPI/BSI is lost or stolen, or if you suspect that somebody has compromised its security, you must immediately report the security incident and specify that sensitive information may have been exposed.
Link: http://w3-03.ibm.com/security/secweb.nsf/ContentDocsByCtryTitle/Corporate~Incident+reporting?Open&Country=Global+Services
Essential Links
IBM Confidential
Thank You!!