IS Awareness Safety Tips

Here are some tips to avoid falling prey to social engineering: - Be wary of unsolicited attachments in emails even if the sender appears to be known. It is better to avoid opening attachments or clicking on links in unsolicited emails. - Hover over links before clicking on them to check the URL destination. Malicious actors often use links that look similar to legitimate ones but redirect to malicious sites. - Do not provide personal or financial information over email, and be cautious about any requests for urgent actions or revealing sensitive information over email. - Be suspicious of requests for remote access to your system like through TeamViewer or AnyDesk. Only provide access to authorized support personnel. - Do

Uploaded by

Siva Shankar

Information Security Awareness Training
• ISO 27001
• Information Security Basics
• Information Security Threats
• User Responsibilities
• Reporting Security Incidents
• IT Acts
• Online Safety Tips
• IT Acceptable use policy
• NALCO cyber security guidelines


ISO 27001:2013
ISO 27001:2013 Standard
IT SECURITY POLICY
• Policy Statement: Information Security will be an integral part of all business and social processes at National Aluminium Company Limited (NALCO).
• Objective: NALCO will strive to ensure Confidentiality, Integrity, and Availability of its Information Assets.
• Commitment: NALCO is committed to meeting the Information Security requirements of the Government of India and all other stakeholders by effectively implementing the Information Security Management System (ISMS).
• Improvement: The ISMS implemented at NALCO will be periodically reviewed for effectiveness and will be suitably enhanced in view of changing trends and threats to the information assets.
Sd/-
Date: 03-12-2016 Chairman-cum-Managing Director
Information Security Basics
Information in a Business Environment
• Printed or written on paper
• Stored electronically
• Transmitted by mail or electronic means
• Shown on corporate videos
• Spoken in conversations
• Classified Information:
  • Intellectual Property
  • Business Plans
  • Customer Details
  • Financial Records
  • Future Plans
Forms of Information
Soft:
• Files stored on the system
• Files in transit
• Stored on storage disks / external drives
Hard:
• Written on paper
• Printouts
• Published by organization
Video / Audio / Voice:
• Video conferences via IP phone (VoIP)
• Product related video/vocal/voice
• Recording of sensitive conferences
Some more Information Locations
• Internet Web Servers
• In trash cans: physical and logical
• Employees
• Contractors
• Service providers
• Trainees
• Consultants
• Customers
• Associates
What is Information Security?
“Preservation of Confidentiality, Integrity and Availability of Information”
• Confidentiality: Ensuring that Information is accessible only to those authorized to have access
• Integrity: Safeguarding the accuracy and completeness of Information and processing methods
• Availability: Ensuring that authorized users have access to Information and associated assets when required
Significance of C, I and A
The importance of Confidentiality, Integrity and Availability can be different for different assets:
• Marketing Brochure
• Employee’s personal information in HR records
• OTP (before it is used)
• OTP (after it is used)
• Company’s Financial Balance Sheet
• Make and Version No. of Network Equipment
• Business Plan
• Location of DR site
Why is Information Security Needed?
• Loss/Destruction
• Hacking
• Theft / Sabotage
• Business Requirements and objectives
• Compliance to Rules/Regulations
3 Pillars of Security
• People
• Process
• Technology
The Information Security Management System (ISMS) rests on all three.
Security Of IT Infrastructure
Layers, from the outside in: INTERNET, APPLICATION, SYSTEM, NETWORK
Security is applied at each layer:
• Network Security (NETWORK)
• Systems Security (SYSTEM)
• Application Security (APPLICATION)
• Web App Security (WEB APPS exposed to the INTERNET on Port 80)
Benefits of ISMS
• Helps achieve and maintain security of Information as required by the business needs of the various stakeholders
• Ensures Confidentiality, Integrity & Availability of the organization’s data and information
• Identifies, classifies & protects all critical information appropriately, considering costs vs benefits
• Ensures compliance of systems with the organizational information security policy as well as Legal and Statutory requirements
Information Security Threats
● Physical Theft
  • Theft of devices
  • Theft of media
● Logical Theft
  • Sabotage
  • Illegal copying
  • Fraud
  • Stealing password
  • Hacking
  • Trojan
  • Espionage
● Data Corruption
  • Virus attack
  • Modification
  • Forgery
● Social Engineering
Changing Threat Scenario
First Generation
Perpetrators: Amateur Hackers
Method: Viruses, Worms, etc.
Objective: Destruction of data and crashing systems randomly, for fun
Changing Threat Scenario
Second Generation
Perpetrators: Professional Cyber-crime gangs
Method: Key-stroke Loggers, Banking Trojans, Ransomware etc.
Objective: Making money by stealing Credit Card data, hijacking net-banking sessions, etc.
Changing Threat Scenario
Third Generation
Perpetrators: Nation-state groups
Method: Weaponized malware targeting control systems, e.g. Stuxnet, Duqu
Objective: Cyber warfare, Industrial espionage
Ukraine Power Grid Hack
• 23rd Dec 2015: Roughly one-third of the country’s population was left without power on a cold winter night
• Hackers had remotely seized control of 30 substations
• A Denial of Service attack was launched to stop telephone communication
• Disabled even UPS and modems to leave the engineers in the Central Control Center groping in the dark
• Destroyed files on servers and workstations to make recovery take weeks
• Later it was found that compromise of corporate networks had taken place 6 months earlier
Pune’s COSMOS Bank loses Rs 94 Cr
• It was a cyber attack on the Pune based bank from multinational cyber criminals operating from 22 nations
• During the malware attack, a proxy EFT switch was created and all payment approvals were passed by the proxy switching system
• On August 11, 2018, Rs 78 crore was withdrawn in about 12,000 Visa card transactions in 28 countries
• When suspicious transactions were detected, the bank shut down its Visa and Rupay card payment system
• On August 13, the hackers transferred Rs 14 crore into an account in the Hang Seng Bank in Hong Kong by initiating a SWIFT transaction
Human Factors in Information Security
Examples
Malicious Email
Virus writers manage to find ways to exploit general users’ curiosity by coming up with interesting subject lines, body text and file names
Malware Infection
• Malware is malicious software used or created to disrupt computer operation, gain access to sensitive information or private computer systems.
• Malware includes viruses, worms, Trojan horses, spyware, adware, Rootkits, Botnets and other malicious programs.
(Diagram: Malware at the centre, surrounded by Trojan, Adware, Viruses, Freeware, Spyware, Worms, Keyloggers, Rootkits, Botnets)
Social Engineering
External Auditor: How do you make sure that the attachment in the email is secure?
Employee: I send it with password protection which is pass@1234
External Auditor: NOW it is not secured :-)
Social engineering is the art of manipulating people into performing actions or divulging confidential information.
“The art and science of getting people to comply with your wishes”
Phishing
• It is the act of tricking someone into giving confidential information (like passwords and credit card information) on a fake web page or email form pretending to come from a legitimate company (like their bank).
(Image: Phishing site requesting ATM PIN and Account No.)
Shoulder Surfing
• Shoulder surfing refers to using direct observation techniques, such as looking over someone's shoulder, to get information.
• It is commonly used to obtain passwords, PINs, security codes, and similar data.
User Responsibilities
• Password Security
• Desktop Security (clear screen & clear desk)
• Secure Printer Usage
• Portable Devices Security
• Secure Internet Usage
• Secure Email Usage
• Physical Security
• Secure Storage & Disposal
• Reporting Security Incident
Password Security
User Responsibilities
• DO NOT share your personal as well as CLIENT password.
• Do not keep any dictionary words as a part of your password.
• Change them regularly.
Password Security (Contd.)
• Change temporary/default passwords on first log-on.
• To enhance security, password complexity is enabled. Before selecting a password, refer to the following guidelines:
  • Password should be of minimum 8 characters.
  • Password should contain characters from three of the following four categories: Uppercase (A-Z), lowercase (a-z), digit (0-9), Special characters (! $ # %)
  • The 3 previous passwords should not be used again.
  • User account is locked after five unsuccessful retries.
  • Maximum password age is 45 days.
• User is responsible for activities against his/her user-ids.
• Avoid keeping a paper record of passwords.
• Do not include passwords in any automated log-on process.
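The complexity, history, lockout and ageing rules on this slide, encoded as a small checker so the rules can be seen working together. This is an added example, not NALCO's code or a description of any NALCO system; the dictionary word list, the sample accounts and the use of plain sha256 as a stand-in for password hashing are all constructed for the illustration.

```python
"""Checker for the password rules stated on the slide above.

Added example: not NALCO's code. Dictionary words, sample accounts and the
sha256 stand-in for password hashing are constructed for the illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 8            # "minimum 8 characters"
MIN_CATEGORIES = 3        # "three of the following four categories"
HISTORY_DEPTH = 3         # "3 previous passwords should not be used again"
MAX_FAILED_ATTEMPTS = 5   # "locked after five unsuccessful retries"
MAX_AGE_DAYS = 45         # "maximum password age is 45 days"

# Constructed stand-in for a real dictionary word list (assumption).
DICTIONARY_WORDS = sorted({"password", "welcome", "nalco", "summer", "admin"})

# The slide names ! $ # % as examples of special characters; any
# non-alphanumeric character is counted as "special" here.
CATEGORY_PATTERNS = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

START = datetime(2024, 1, 1)  # constructed reference date for the demo


def days_after(n: int) -> datetime:
    return START + timedelta(days=n)


def check_password(candidate: str) -> list[str]:
    """Return the complexity rules the candidate breaks (empty list = acceptable)."""
    problems: list[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    used = [name for name, pattern in CATEGORY_PATTERNS.items() if pattern.search(candidate)]
    if len(used) < MIN_CATEGORIES:
        problems.append(f"only {len(used)} of 4 character categories used")
    lowered = candidate.lower()
    for word in DICTIONARY_WORDS:
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    return problems


def _digest(password: str) -> str:
    # Stand-in only: a production system uses a salted, slow KDF (bcrypt, scrypt, argon2).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class Account:
    user_id: str
    password_hash: str
    set_on: datetime
    recent_hashes: list = field(default_factory=list)  # at most HISTORY_DEPTH entries
    failed_attempts: int = 0
    locked: bool = False


def create_account(user_id: str, password: str, now: datetime) -> Account:
    return Account(user_id, _digest(password), now)


def change_password(acct: Account, new_password: str, now: datetime) -> list[str]:
    """Apply the complexity and history rules; on success rotate the password."""
    problems = check_password(new_password)
    recent = (acct.recent_hashes + [acct.password_hash])[-HISTORY_DEPTH:]
    if _digest(new_password) in recent:
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    if not problems:
        acct.recent_hashes = recent
        acct.password_hash = _digest(new_password)
        acct.set_on = now
    return problems


def login(acct: Account, attempt: str, now: datetime) -> str:
    """Return 'ok', 'denied', 'locked' or 'expired' for one log-on attempt."""
    if acct.locked:
        return "locked"
    if not hmac.compare_digest(_digest(attempt), acct.password_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            return "locked"
        return "denied"
    acct.failed_attempts = 0
    if now - acct.set_on > timedelta(days=MAX_AGE_DAYS):
        return "expired"  # correct password, but the 45-day age limit forces a change
    return "ok"


if __name__ == "__main__":
    acct = create_account("demo.user", "Tr0ub@d0r!", START)
    print(check_password("welcome1"))
    print(change_password(acct, "Tr0ub@d0r!", START))
    print(login(acct, "Tr0ub@d0r!", days_after(46)))
```

Note that a password such as the auditor's "pass@1234" satisfies every complexity rule here; the rules limit guessing, they do nothing once the password has been shared, which is the point the Social Engineering slide makes.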
Desktop Security (clear screen & clear desk)
User Responsibilities
• Lock your system (desktop / laptop / tablet / smart phone) when not using it
• For Windows press Windows (button) + L
• Do not leave hard copies of sensitive information in the open
• Do not keep critical data on the desktop screen.
Desktop Security (contd.)
User Responsibilities
• Do not store explicit material, or pirated files like mp3, movies, images
• Do not store personal files (personal images, videos etc.) on official systems
• One should abide by the Copyright Act by protecting Intellectual Property.
• Do not install/uninstall any software, including freeware, on/from the computer.
• Do not save data in the same drive as the OS.
• Shut down and switch off individual workstations.
• Remote access of the desktop to an external agency will require.
Secure Printer Usage
User Responsibilities
• Do not leave documents unattended in the Photostat machine or printer.
• Always ensure to collect the printout.
• In case the printout is not correct, properly dispose of it by tearing or shredding.
Portable Devices Security
User Responsibilities
• Encrypt and password protect portable devices
• Update antivirus regularly
• Back up critical data and software programs
• Use a security cable to lock the device when unattended.
• Never leave Bluetooth enabled on mobile phones
Portable Devices Security (Contd.)
• Use of removable devices is not permitted, unless specifically permitted by the competent authority.
• Format USB after use.
• Do not connect personal mobile to the Intranet.
• Scan removable media before using it.
• Take utmost care for the security of any official data kept in removable media like CD/DVD/Official USB Drive etc.
• Data shall be completely erased by the Systems department from removable media, like USB/Hard Disk/Pen Drive, before discarding it. Destroy CD/DVD containing data before disposal.
Internet Security
User Responsibilities
• Never post company information on websites.
• Do not put sensitive data on the internet.
• Your activities on the net are open information.
• Do not visit unwanted websites.
Internet security contd.
Pop-Up Ads
A pop-up ad can deliver a malicious payload as soon as the ad appears on the viewer’s screen. In some cases, the malware will execute when the viewer clicks the "X" to close the pop-up window.
User Responsibilities
• Recommended that users block all pop-up ads
Internet Security (Contd.)
• Internet access is provided to employees as per prevailing policy.
• Do not use the internet for illegal activity, to access illegal materials, or to access materials that are obscene/pornographic/sexually explicit.
• Social chatting on the Internet is disallowed.
• No online storage accounts like Yahoo Briefcase, Dropbox, Google Drive, etc. must be accessed to store official or Personally Identifiable Information (PII).
Secure Email Usage
User Responsibilities
• Use official email account for official purpose only
• Do not open email attachments received from unknown or suspicious sources
• Do not store, send or respond to unsolicited emails like chain mails etc.
• Use password protection or encryption while sending sensitive files over email.
• Password protect your Outlook (PST) files.
• Use the ‘Reply All’ option only if necessary
E-Mail
• Emails are configured for approved NALCO employees/users by the Systems department.
• Based on policy, different mailbox spaces are provided to the email users.
• Regularly archive mail and delete unwanted mail. In case of the mailbox getting full, users should contact the Systems department for a solution.
• Follow high professional standards while communicating on email.
• Auto-forwarding to private email is prohibited.
• Forging of email headers is prohibited.
• Impersonating other users over email is prohibited.
• Postings by employees from a NALCO email address to newsgroups should contain a disclaimer.
• Protect email configured on smartphone/laptop by password.
• Split attachments to stay within the size limit.
• Mass-mailings to all employees at unit/organization level should be authorized by the concerned GM.
• Company policy prohibits creating, circulating, distributing, storing and/or downloading.
• Emails containing information and/or suggested action about potential viruses must not be forwarded/sent.
Physical Security
User Responsibilities
• Always display your identification badge when in company premises
• Never leave your identity badge unattended. Keep it with you always
• Never let others use your identity badge – the trail will lead to you
• Loss of an identity badge should be reported to the concerned authorities
• If you notice something suspicious in your office or work space, please bring it to the notice of security.
Secure Storage & Disposal
User Responsibilities
• Storage devices like DVD, CD, pen drive, hard disk should be broken into small pieces before disposal.
• Do not throw sensitive documents into the dustbin.
• Shred them (sensitive documents) or tear them into small pieces
• Wipe the information on white boards after meetings
Reporting Security Incidents
Reporting Security Incident
The responsibility for Incident Reporting lies with all NALCO employees, contractors and third party users, as applicable.
• Identifying a Security Incident - Any incident, the occurrence of which violates an explicit or implied security policy, is a security incident.
• Incident / Security Weakness Reporting - All security incidents, irrespective of the severity level, are to be reported through the email helpdesk@nalcoindia.co.in. Employees are advised not to try and prove the weakness, as it may cause damage to the organization and result in legal liability for the employee trying to prove it.
Examples of Security Events
• Unauthorized use of User ID / Password compromise
• Theft of any Information Asset
• Unauthorized disclosure, amendment or corruption of information
• Loss of company, client, personal information
• External or internal hacking of network
• Unforeseen effects of change (e.g. change in system configuration)
• Fraud related to Information security
• Improper use of Internet/email
• Accidental or deliberate damage
• Unauthorized attempt to gain information
• Website defacement
Examples of Security Events contd.
• Intrusion
• Unauthorized logical access
• Theft or espionage of information or physical assets
• Denial of service
• Malicious software (virus, worms etc.)
• Unexplained system behavior
• Unauthorized access to secure areas
• Unauthorized movement of equipment and any other physical assets
• Detection of fire/smoke in the premises
• Malfunctions of hardware or software
Examples of Security Weaknesses
• Applications used in the organization not tested for security
• Event logs are not write-protected
• Housekeeping staff not trained for security awareness
Miscellaneous Information
• Do not log in through insecure networks (like cyber café, free WiFi connection at shops) as passwords can be stolen via key loggers or Trojans.
• Do not use pirated software for any business purpose.
• Ensure you back up all your official data via the shared folder.
• Do not circulate chain letters, inappropriate jokes, videos etc.
• Do not attempt to interfere with, obstruct or prevent anyone else from reporting security incidents.
• Stay up to date on information security risks and requirements.
IT Acts
Information Technology Act, 2000
(also known as ITA-2000, or the IT Act)
• Promote IT industry
• Regulate e-commerce
• Facilitate e-governance
• Recognition to electronic records and digital signatures
• Formation of a Controller of Certifying Authorities for digital signatures
• Define cyber crimes & prescribe penalties
• Foster security practices
Information Technology Amendment Act, 2008 (ITAA-2008)
• Address issues that the original bill failed to cover
• Accommodate further development of IT
Information Security Awareness
Online Safety Tips
Do’s
• Ensure a strong password policy.
• Make a separate personal or private folder.
• Perform regular backups of important data.
• Physically secure your machine/laptop.
• Download and install software only from trustworthy online sources.
• Close windows containing pop-up ads or unexpected warnings.
• Use antivirus software, and update it on a regular basis to recognize the latest threats.
• Regularly update your operating system, web browser and other major software.
• Set OS updates to auto-download and enable the firewall.
• Use free open source security tools for finding and fixing OS flaws.
Don'ts
• Don’t forget to turn off the file sharing option.
• Do not leave your laptop unattended, even for a few minutes.
• Under no circumstances should you install or use pirated copies of software.
• Do not connect unknown devices to your computer.
• Don’t forget to disable guest accounts/delete unused accounts.
Do’s
• Always use a secured web browser to avoid the risks.
• To avoid attacks, always use an updated web browser.
• Enable password protection for the web browser.
• Make sure to verify the authenticity of the site before downloading any files.
• Delete cookies and browsing history regularly.
• Use the privacy/security settings which are built into the browser.
• Always use the private browsing settings.
Don’t
• Don’t forget to delete browsing history, which deletes all the cookies, temp files, history, and ActiveX filtering.
• Don’t forget to turn off all JavaScript or ActiveX support in your web browser before you visit any unknown websites.
• Many computer users are not aware of what they click on in web links; don’t give any personal information in any untrusted links.
• Don’t allow pop-ups and plugins; disable them in the browser settings.
Do’s
• Always access files with the permission of the owner.
• Always respect copyright laws and policies.
• Respect the privacy of others, just as you expect the same from others.
• Use the Internet ethically and do not harm others.
• Complain about illegal communication and activities to parents or teachers.
• Avoid usage of bad language.
• Hide or avoid publishing personal information online.
Don’t
• Do not use computers to snoop around and steal others’ information.
• Do not use a computer to bear false witness.
• Do not copy or use proprietary software for which one has not paid.
• Do not use computers to retrieve or modify others’ information.
Safe downloads
Download is a process of transferring data from a remote or host computer to a local or client computer. Downloading is not the same as data transfer: moving or copying data between two storage devices would be data transfer, but receiving data from the Internet is downloading. We can download any multimedia content from anywhere. You can download any kind of file from the Internet like documents, music, videos, images, software and many more.
Do’s
• Look at the size of the file before you download from trustworthy websites.
• Close all the applications that are running on your computer; let only one set-up file run at a time when downloading.
• Scan all files after you download, whether from websites or links received through e-mails.
• Always use updated antivirus, spam filter and anti-spyware to help detect and remove viruses and spyware from the application/files/documents before download.
• Set secure browser settings before you download anything.
• Check the validity and issuer of the security certificate of the website before any downloads.
Don’t
• Don’t forget to ensure that your system has an updated antivirus and firewall.
• Don’t download unlicensed software, which may infect your machine.
• Don’t forget to check for https:// in the URL.
• Don’t forget to avoid file types that are prone to viruses.
• Don’t accept offers like free downloads because they may contain malicious software.
• Don’t get attracted to false advertisements for downloading free software/games/movies.
Do’s
• Always check the authenticity of the person before you accept a request as a friend.
• Check and use the privacy settings of the Social Networking sites.
• Never post anything which may harm your or your family’s credibility.
• Change the password of your account frequently.
• Avoid posting photographs, videos and any other sensitive information to unknown persons on Social network sites.
Don’t
• Don’t give or post any personal information like your name, address of the school/home, phone numbers, age, sex, debit/credit card details.
• Don’t give out your password to anyone other than your parent or guardian.
• Don’t post the plans and activities which you are going to do on networking sites.
• Don’t respond to harassing or rude comments which are posted on your profile.
Do’s
• Record the unique 15 digit IMEI number.
• Use auto lock to automatically lock the phone, or keypad lock protected by passcode/security patterns, to restrict access to your mobile phone.
• Report lost or stolen devices immediately to the nearest Police Station and the concerned service provider.
• Use the Mobile Tracking feature, which automatically sends messages to two preselected phone numbers of your choice; this could help if the mobile phone is lost or stolen.
• Take regular backups of your phone and external memory card.
• Before transferring data to the mobile from a computer, the data should be scanned with the latest Antivirus with all updates.
• Use Wi-Fi only when required. It is advisable to switch off the service when not in use.
• Download APPS only from trusted sources to avoid spyware.
Don’t
• Never leave your mobile device unattended.
• Do not turn on applications [camera, audio/video players] and connections [Bluetooth, infrared, Wi-Fi] when not in use, to avoid security issues.
• Never allow unknown devices to connect through Bluetooth.
• Never keep sensitive information like user names/passwords on mobile phones.
• Never connect to unknown networks or untrusted networks.
Do’s
• Download the APP only from trusted sources and read the APP’s privacy policy.
• Understand that some apps access only the data they need to function; others access data that’s not related to the purpose of the app.
• Update the mobile operating system & firmware regularly.
• Provide a strong authentication system for all apps.
• Keep track of the apps you use.
• Reset your phone to factory settings to remove any malware.
• Always keep a lock on your phone to avoid unauthorized access.
• Disable automatic downloads on your phone.
• Always keep an updated antivirus security solution installed.
Don’t
• Don’t believe that all content available on play stores is trusted.
• Don’t forget to take a backup of all personal data like contacts.
• Don’t blindly trust the source of any mobile SDK.
• Don’t keep apps which you do not require.
• Don’t connect to unsecure internet connections.
• Don’t keep your Wi-Fi, Bluetooth ON continuously.
• Don’t allow APPs to access the data in your mobile.
Cyber bullying
Cyberbullying is bullying among kids that takes place using electronic technology. It can be carried out through electronic technology which includes devices and equipment such as cell phones, computers, and tablets as well as communication tools including social media sites, text messages, e-mail, chat rooms, discussion groups and websites on the Internet.

Cyber bullying can include teasing and being made fun of, spreading rumours online, sending unwanted messages and defamation.
Do’s
• Think twice before you post anything online.
• Take action immediately if you are bullied: talk to/inform your parent/teacher for help.
• Understand that all types of bullying are unacceptable and such behaviour is subject to disciplinary action.
• Meet any immediate medical or mental health needs.
• Model respectful behaviour and never send/forward mean or hurtful text messages to anyone.
Don’t
• Do not send photos and videos of others without their permission to try and embarrass them.
• Do not spread rumours or lies about anyone via e-mails or social networking sites or text messages.
• Don’t ignore it. Don’t think you can work it out without adult help.
• Don’t force other children to say publicly what they saw.
• Don’t question the children involved in front of others.
Do’s
• Make sure to choose user names without using your real name.
• Be careful while posting personal details on social networking sites.
• Set rules for online chatting. Always take security measures like privacy settings and set a limited view of your profiles.
• Always avoid topics related to your gender, age, location, and don’t share problems at home and school.
• Tell your parents/teacher immediately if anything that happens online makes you feel uncomfortable or frightened.
Don’t
• Do not do the things asked by a predator; don’t be scared to say ‘NO’, and immediately inform your parents.
• If someone tries to abuse you, don’t log off immediately; inform parents and inform law enforcement.
• Do not get led by any strangers into changing your habits and thoughts.
• Do not accept gifts, and if some stranger for no reason asks you to meet personally and tries to be very affectionate, be aware that these are the tactics of online predators; they are trying to mislead you.
Do’s
• Be cautious about opening any attachments or downloading files you receive from strangers.
• Look for a stranger’s e-mail ID before you enter/give away any personal information.
• Use frequently updated antivirus, antispyware and firewall software.
• Always update your web browser and enable the phishing filter.
• If you receive any suspicious e-mail, do call the company to confirm whether it is legitimate or not.
• Do use separate e-mail accounts for shopping online, personal use etc.
Don’t
• Don’t reply to any e-mail or pop-up message that asks for personal or financial information.
• Don’t open attachments that you were not expecting, especially ZIP files, and NEVER run .exe files.
• Don’t use your company e-mail address for personal things.
• Don’t open any spam e-mail.
• Don’t open suspicious videos or images on social networking sites, since social networking sites are a prime target for phishing.
• Never respond to a phone call asking for bank details. It might be vishing (voice phishing). Beware of phishing phone calls.
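The "hover over links and check the URL destination" advice from the summary and the phishing tips above, turned into the checks a mail gateway or a training exercise would run over the links in a message: displayed text that disagrees with the real destination, plain http, IP-address hosts, the user@host trick, punycode hosts, and hostnames that merely contain a trusted brand name. This is an added example, not part of the NALCO deck or of any NALCO tool; the trusted-domain list, the sample e-mail and the reserved test names (192.0.2.10 and the .example domains) are constructed for the illustration.

```python
"""Warning-sign checks for links in an e-mail, as described on the slides.

Added example, not NALCO's code. TRUSTED_DOMAINS, SAMPLE_EMAIL and the
test addresses are constructed for the illustration.
"""
from __future__ import annotations

import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allow-list of domains the organisation really uses (assumption).
TRUSTED_DOMAINS = {"examplebank.com"}


def _is_same_or_subdomain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def analyse_link(display_text: str, href: str) -> list[str]:
    """Return the warning signs found in one link; an empty list means none."""
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()
    flags: list[str] = []
    if parts.scheme.lower() != "https":
        flags.append("not https")
    if parts.username is not None:
        # 'https://examplebank.com@evil.example/' really points at evil.example
        flags.append("credentials/'@' trick in URL")
    try:
        ipaddress.ip_address(host)
        flags.append("IP address instead of domain name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode (IDN) host")  # can render as a look-alike of a familiar name
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in host and not _is_same_or_subdomain(host, trusted):
            flags.append(f"look-alike of {trusted}")
    shown = display_text.strip()
    if "://" in shown or shown.lower().startswith("www."):
        # The visible text is itself a URL: compare its host with the real target.
        shown_host = urlsplit(shown if "://" in shown else "http://" + shown).hostname
        if shown_host and shown_host.lower() != host:
            flags.append("displayed URL differs from real destination")
    return flags


class _AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def scan_email_html(html: str) -> list[tuple[str, list[str]]]:
    """Run analyse_link over every anchor in an HTML e-mail body."""
    collector = _AnchorCollector()
    collector.feed(html)
    return [(href, analyse_link(text, href)) for text, href in collector.links]


# Constructed sample: one disguised link, one genuine link.
SAMPLE_EMAIL = """
<p>Dear customer, your account will be suspended unless you act now.</p>
<a href="http://examplebank.com.verify-login.example/reset">https://www.examplebank.com/reset</a>
<br><a href="https://www.examplebank.com/help">Help centre</a>
"""

if __name__ == "__main__":
    for href, flags in scan_email_html(SAMPLE_EMAIL):
        print(href, "->", flags or ["no warning signs"])
```

The brand check is deliberately simple: a host that contains "examplebank" but is not examplebank.com or one of its subdomains is treated as a look-alike, which is exactly the pattern the slide warns about in "links that look similar to legitimate ones".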
Do’s
• Verify whether the site is secured or not. Always look for https://, the lock symbol and SSL certificates.
• Before downloading shopping apps, confirm what access they have to other information on your phone. Select apps that require fewer permissions.
• Do be careful with debit/credit card transactions while shopping online.
• Do keep track of your account statements.
• Do check for fraudulent sites and e-mail messages; read all the disclosures for online shopping. Scam sites may ask you to enter credit card information or directly transfer funds.
Don’t
• Don’t shop on public computers or using public WIFI.
• Don’t believe everything you read.
• Don’t fall for gift card scams. If you receive an e-mail that claims you can receive a gift card and requests your credit card or banking information, delete it.
• Do not accept a card received directly from the bank if it is damaged or the seal is open.
Do’s
• Deactivate your account on a lost/stolen phone.
• Hide your last seen time.
• Hide WhatsApp photos from your gallery.
• Always keep a lock on your phone to avoid unauthorized access.
• Keep privacy settings in WhatsApp such as only showing your profile picture to your contacts.
• Avoid adding strangers to your contacts.
Don’t
• Do not add people to groups without their permission.
• Don’t carry out personal conversations in groups.
• Don’t send personal messages to professional contacts.
• Don’t use excessive emojis and do not share news without confirmation.
• Don’t message at strange hours.
• Don’t message unnecessary content.
Do’s
 Always do low format for first time usage.
 Always delete the drive securely to clear the contents.
 Always scan USB disk with latest antivirus before accessing.
 Protect your USB with password.
 Encrypt the files/folders on the device.
 Use USB security products to access or copy data in your USB.
 Always protect your documents with strong password.
Don’t
 Do not accept any promotional USB device from unknown members.
 Never keep sensitive information like username/passwords on USB disk.
 Never forward the virus affected data to other mobiles.
Do’s
 Validate the website you are accessing.
 Install personal Firewall.
 Be cautious if you are asked for personal information
 Use encryption to protect sensitive data transmitted over public networks
and the internet.
 Install anti-virus, perform scheduled virus scanning and keep virus signature
up-to-date.
 Apply security patching timely.
 Backup your system and data, and store it securely.
Don’t
 Don’t download data from doubtful sources.
 Don’t visit untrustworthy sites out of curiosity, or access the URLs provided
in those websites.
 Don’t use illegal software and programs.
 Don’t download programs without permission of the copyright owner.
Do’s
• Carefully examine your list of unopened messages.
• Be especially careful with documents containing macros while downloading attachments; always select the “disable macros” option.
• Beware of dangerous file types! Some file types have been deemed unsafe. Most of these file types are executable or exploitable and are considered unsafe to send and receive as e-mail attachments.
• Use e-mail filtering software.
• Only give your e-mail address to people you know.
• Use PGP or a digital certificate to encrypt e-mails which contain confidential information.
• Use a digital signature when sending e-mails, for authentication.
Don’t
• Never open e-mail attachments with file extensions such as VBS, SHS, PIF etc.
• Don’t send unsolicited e-mail and attachments.
• Don’t forward chain letters.
• Don’t respond to or participate in e-mail hoaxes.
• Don’t send attachments which use the “unsafe” file types.
• Use a temporary e-mail account for online shopping and posting to online discussion boards.
• Don’t send mail bombs, or forward or reply to junk e-mail or hoax messages.
• Don’t open attachments from unknown senders, which might contain malicious code.
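The attachment-type rule above (VBS, SHS, PIF and macro-bearing documents) as a small filter you could run over incoming attachment names. This is an added example, not code from the original deck; the extensions beyond the three the deck names are an assumption, and the sample file names are constructed.

```python
"""Flag e-mail attachments by file extension (added example, not from the deck).

The deck names VBS, SHS and PIF as unsafe attachment types and warns about
documents containing macros. The longer executable list below is an
assumption extending that advice, not a standard.
"""
import os
from typing import Optional

# Extensions named in the deck, plus common executable/script types (assumed).
UNSAFE_EXTENSIONS = {
    "vbs", "shs", "pif",                                                   # from the deck
    "exe", "scr", "bat", "cmd", "com", "js", "jse", "vbe", "wsf", "hta",  # assumed
}
# Macro-enabled Office formats: open only with macros disabled.
MACRO_EXTENSIONS = {"docm", "xlsm", "pptm", "dotm", "xltm"}


def classify_attachment(filename: str) -> Optional[str]:
    """Return a reason string if the attachment should be flagged, else None.

    The final extension is checked case-insensitively, and a double
    extension such as 'invoice.pdf.vbs' (a common disguise) is reported.
    """
    name = os.path.basename(filename.strip())
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return None  # no extension: nothing for this rule to decide on
    ext = parts[-1]
    if ext in UNSAFE_EXTENSIONS:
        if len(parts) > 2:
            return f"unsafe executable type .{ext} hidden behind .{parts[-2]}"
        return f"unsafe executable type .{ext}"
    if ext in MACRO_EXTENSIONS:
        return f"macro-enabled document .{ext}: open only with macros disabled"
    return None


def filter_attachments(filenames):
    """Split attachment names into (allowed, flagged); flagged holds (name, reason)."""
    allowed, flagged = [], []
    for fn in filenames:
        reason = classify_attachment(fn)
        if reason:
            flagged.append((fn, reason))
        else:
            allowed.append(fn)
    return allowed, flagged


if __name__ == "__main__":
    # Constructed sample attachment names for the demonstration.
    sample = ["report.pdf", "Invoice.PDF.vbs", "setup.pif", "budget.xlsm",
              "notes.txt", "photo.shs", "README"]
    ok, bad = filter_attachments(sample)
    for fn, why in bad:
        print(f"FLAG {fn}: {why}")
    print("allowed:", ok)
```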
Do’s
• Publish only reliable information, as it reaches the entire world, and assume that what you publish on the web is permanent.
• Avoid competition with other bloggers.
• State the terms of use and copyright in the blog properly for viewers, to protect your blogs.
• Manage your blog anonymously or adopt an alias for all online posting. This will help protect you in the event that you draw unwanted attention.
• Your audience could be much larger than you realize.
• Evaluate blogging services and their features, such as password-secured blogs, for your children.
Don’t
• Don’t give away your personal information on blogging sites.
• Refrain from posting photos. Photos can invite trouble or unwanted attention.
• Don’t use inappropriate dialogue: be careful not to engage in dialogue that could be interpreted in a way that was not intended.
Do’s
• Check whether there are any key loggers installed in the system.
• Use an authentication procedure, as different people use the public machine.
• Consider changing any passwords you may have used on a public computer once you get back home.
• Be careful who is watching over your shoulder, and check for spyware.
• Use a trusted web-based spyware detection program to scan for spyware before using an untrusted public computer.
• While using the internet, make sure to use the browser tools to delete files and cookies and to clear browsing history.
Don’t
• Don’t save your login information.
• Don’t leave the computer unattended with sensitive information on the screen.
• Don’t forget to erase your tracks.
• Don’t enter sensitive information into a public computer.
• Avoid financial transactions that might reveal valuable passwords or personal information such as credit card numbers.
Do’s
• Adopt a user policy for instant messaging.
• Be aware that instant messages can be saved.
• Be aware of malware infections and related security risks.
• Encourage workers to organize their contact lists to separate business contacts from family and friends.
• Keep your instant messages simple and to the point, and know when to say goodbye.
• Never think that your digital footprint can be erased.
Don’t
• Don’t use instant messaging to communicate confidential or sensitive information.
• Don’t allow excessive personal messaging at work.
• Don’t compromise your school’s/company’s liability, or your own reputation.
• Don’t share personal data or information through instant messaging.
Do’s
• Always take a backup of your data regularly.
• Make sure you have updated antivirus software on your computer.
• Enable automated patches for your operating system and web browser.
• Always scan your system with updated anti-virus, anti-malware and anti-spyware software.
• Use a pop-up blocker.
• Only download software from sites you know and trust.
Don’t
• Don’t open attachments from unsolicited emails, even if they come from people in your contact list.
• Don’t click on a URL contained in an unsolicited email, even if you think it looks safe.
• Don’t forget to use the same precautions on your mobile phone as you would on your computer when using the internet.
• Don’t forget that, to prevent the loss of essential files due to a ransomware infection, it is recommended that individuals and businesses always conduct regular system back-ups and store the backed-up data offline.
Do’s
• Always use a strong password for encryption.
• Always use the maximum key size supported by the access point for encryption.
• Isolate the wireless network from the wired network with a firewall and an antivirus gateway.
• Restrict access to the access point based on MAC address.
• Always keep the firmware updated.
• Use VPN or IPsec for protecting communication.
• Enable MAC address filtering on Wi-Fi devices.
Don’t
• Do not broadcast your network name.
• Do not make the SSID information public.
• Do not forget to disable the DHCP service.
• Do not forget to change the default username and password of the access point.
• Do not forget to shut down the access point when not in use.
Do’s
• Isolate your computer from the network.
• Shut down, remove the hard drive and connect it to another computer as a non-bootable drive.
• Scan your drive for infection and malware.
• Back up, then reload the operating system from trusted media and install updates.
Don’t
• Don’t forget to reinstall anti-virus, anti-spyware and other security software prior to any other programs.
• Don’t forget to scan your data backup disks for viruses before you copy them back to your computer.
• Don’t forget to make a complete backup of your system frequently.
• Don’t forget to preserve any information resident on the compromised computer.
Do’s
• Use at least 8 characters to create a password. The more special characters we use, the more secure our password is.
• Create a password consisting of a combination of lowercase, uppercase, numbers and special characters.
• Use different passwords for different accounts.
• Use a passphrase to remember your password easily.
• Avoid using words from the dictionary. They can be cracked easily.
• Create a password such that it can be remembered. This avoids the need to write passwords down somewhere, which is not advisable.
• Make sure the password is difficult to guess.
• Change the password frequently, at least once every 2 weeks.
• Be careful while entering a password when someone is sitting beside you.
Don’t
• Do not use a password that was used earlier.
• Don’t store passwords on a computer without an encryption utility.
• Do not use the names of things located around you as passwords for your account.
• Don’t send your passwords through e-mail or as a message.
A Friend In Need Is A Friend In Deed
A f 1 n ! @ f i D
Af1n!@fiD
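The password rules listed above, and the passphrase example that follows them, as a checker you can run against candidate passwords. This is an added example, not code from the original deck; the small wordlist standing in for a dictionary and the sample inputs are constructed for the demonstration.

```python
"""Check a password against the deck's rules (added example, not from the deck).

Rules encoded: at least 8 characters; lowercase, uppercase, digit and special
character all present; not a plain dictionary word; not a previously used
password. DICTIONARY_WORDS is a constructed stand-in for a real wordlist.
"""
import string

MIN_LENGTH = 8

# Constructed stand-in for a dictionary / common-password list.
DICTIONARY_WORDS = {"password", "welcome", "friend", "letmein", "summer", "monkey"}


def mnemonic_from_passphrase(phrase: str) -> str:
    """First letter of each word: the starting point for a passphrase-derived
    password. The deck's final form then swaps letters for digits/symbols by
    hand (In -> 1, Is -> !, A -> @), which this helper does not automate."""
    return "".join(word[0] for word in phrase.split())


def check_password(password: str, previous=()) -> list:
    """Return the list of rules the password fails; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    # Strip leading/trailing digits and punctuation so that 'Password1!' is
    # still recognised as a dictionary word with decoration.
    core = password.lower().strip(string.digits + string.punctuation)
    if core in DICTIONARY_WORDS:
        failures.append("based on a dictionary word")
    if password in previous:
        failures.append("reused from an earlier password")
    return failures


if __name__ == "__main__":
    phrase = "A Friend In Need Is A Friend In Deed"
    raw = mnemonic_from_passphrase(phrase)                 # AFINIAFID
    print(raw, "->", check_password(raw))                  # fails three rules
    final = "Af1n!@fiD"                                    # the deck's hand-tuned form
    print(final, "->", check_password(final) or "OK")
    print("Password1! ->", check_password("Password1!"))
```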
Do’s
• Use auto-lock and a passcode.
• Note the International Mobile Equipment Identity (IMEI) number of your mobile phone and keep it in a safe place. This helps to trace your mobile phone if it is stolen/lost.
• Apply for blocking the SIM card and get a replacement SIM card.
• Report to your bank and the police immediately.
• Consider tracking software.
Don’t
• If location technology indicates the device is somewhere other than where you left it, do not attempt the recovery yourself. Get the police involved.
• Don’t forget to report the theft immediately.
• Don’t forget to remotely lock your phone.
• Don’t forget to change your passwords.
• Don’t forget to locate your phone via GPS.
When e-mail account is hacked?
Do’s
• Check to see which devices have recently connected to your account.
• Reset your password.
• Report the incident to the e-mail site.
• Notify everyone on your contact list that you have been compromised.
• If your friends tell you they’ve received spam from your e-mail address, it’s safe to assume your computer’s security has been compromised; verify it.
• If you don’t mind losing the e-mail address, the best thing to do is close it down
and open a new one.
• Set your e-mail account to require 2-step verification in addition to your password
whenever you log into your e-mail account from a new device.
Don’t
• Don’t fail to review your personal e-mail settings.
• Don’t forget to use your e-mail user name wisely.
• Don’t forget to reclaim your account.
• Don’t forget to scan your computer for malware.
• Don’t forget to check what else has been compromised.
• Don’t forget to remember the security questions with answers at the time of
registration.
When Facebook is hacked?
Do’s
• To get back into your account, log into Facebook and follow the instructions to
verify your identity
• Never share your password. You should be the only one who knows it.
• Use two-factor authentication a security feature that helps protect your Facebook
account in addition to your password.
• Click “end activity” immediately to log yourself off Facebook on that computer, phone or tablet.
• Report the compromised account, answer your security question and regain access to your account.
• Remove suspicious application. Never click suspicious links, even if they
appear to come from a friend or a company you know.
• Scan your computer, Use extra security features.
• Notify your friends and family.
Don’t
• Don’t share your password with strangers.
• Don’t accept friend request from strangers.
• Don’t forget to logout from the account while you open in anyone’s
phone or any web browser.
• Don’t forget to keep a strong password.
To get back into your account, log into Facebook and follow the instructions to verify your identity.

Step 1: Report the compromised account at https://www.facebook.com/hacked and click the button “Your account has been compromised”. Find your account at https://www.facebook.com/login/identify?ctx=logincIwv1OO, then type in your e-mail address, login name, full name or your registered phone number.

Step 2: Enter the password that you used to enter your account before you got hacked.

Step 3: Because you entered an old (now wrong) password, a new page will come up. Just click the “reset my password” button.

Step 4: Your primary e-mail would have been changed, so to avoid sending your “reset your password” link to the hacker’s account, click the “no longer have access to these?” link.

Step 5: Now write the new e-mail address to which you want the “change password” link sent, and set it as your primary e-mail.

Step 6: Follow the next steps and you would have your account back in 24 hours.
When cyber bullied?
Do’s
• Save and store the e-mails, chat logs or SMSs in case of a police investigation.
• Know that it’s not your fault.
• Block the bully on your phone, e-mail or instant messaging program. If it is happening while in chat, leave the room.
• Don’t respond or retaliate.
• Get a new phone number if being harassed on your phone.
• Save the evidence.
• Tell the person to stop.
• Reach out for help.
• Use available tech tools.
• Protect your accounts.
• If someone you know is being bullied, take action.
Don’t
• Do not respond to nasty e-mails, chats, SMS or comments; this is what the bully wants, so ignore them.
• Don’t forget to take elders’ advice and complain to the cyber police if the person who is harassing you continues this behaviour.
• Don’t think that you can solve the problem by yourself.
• Don’t question the children involved in front of other kids.
• Don’t be ashamed to inform your elders/parents/teachers.
Online Safety Tips For Children
Online gaming Safety for children
Do’s
• Keep your devices up-to-date to protect them from malware and other threats.
• Keep a strong password: it should be at least 12 characters long, with alphanumeric and special characters. Think of strong passwords that are easy to remember but hard to guess.
• Never reveal your real name, location, gender, age, or any other personal information.
• Play age-appropriate, knowledgeable and educational games for fun and entertainment only.
• Beware of predators and cyber threats while playing.
• Assess and take advice from your elders before you start playing.
• Know the risks of online games, practice good judgment and take advice from parents/elders.
Don’ts
• Never accept downloads from strangers. This includes cheat programs that may claim to help you perform better in the game, but really could be carrying malware.
• Do not meet a stranger from your gaming world in person. People are not always who they say they are.
• Don’t spend too much time playing online games; have a time limit.
• Do not respond if any stranger is making you uncomfortable while playing.
Do’s
• Monitor their digital behaviour and time spent, and keep an eye on their Internet usage.
• If your child comes to you with an issue, stay calm and listen.
• Update yourself about the threats and risks arising in the Internet world.
• Protect your computer/devices by ensuring up-to-date antivirus, antispyware, anti-malware, firewall and parental controls.
• Check the age rating, appropriateness, and terms and conditions of the online games before your children play.
• Discuss the online risks and the precautions with your child.
• Create a timetable for all activities of your child, and create a common email for your family to sign up for online games.
Don’ts
• Don’t allow your children to meet any stranger from the online world.
• Don’t let your children download anything without your permission.
• Don’t let your children play online games without knowing their effects and without your supervision.
• Don’t download software and games from unknown websites.
• Don’t let your children fall prey to cyber bullying.
• Don’t download and use pirated software.
IT Acceptable Use Policy (ITAUP)
ITAUP
Purpose
• Use of computing equipment, telecommunication networks and technology resources.
Scope
• Personnel having access to and using IT services.
Intended Audience
• Employees, Contractors, Consultants, Trainees.
Action
• To read, understand, agree and give an undertaking.
Ownership
• NALCO is the sole proprietor.
• Users should not engage in any activity that is illegal under the law of the land.
• Report theft, loss or unauthorized disclosure of information.
ITAUP Contd.
General Use and Practices
• IT facilities and services are for official work and minimally for personal work.
• Providing any information on NALCO, other than public information, to parties is not allowed without due authorization from the concerned authority.
ITAUP Contd.
User Access Management
• Unique User-IDs are issued to each user as per the policy.
• Unauthorized access to restricted files or networks is disallowed.
• Users will respect the privacy of other users.
• System usage is liable to be reviewed/audited periodically.
ITAUP Contd.
System and Network Activities
• Installation of any wireless device in the company’s LAN/desktop is not allowed.
• Users shall log off from applications or network services.
ITAUP Contd.
Secure usage of Laptops/Tablets
• Handle the laptop/tablet with care by not dropping or bumping it.
• Do not place heavy objects on the laptop/tablet.
• Do not have liquids or other eatables near a laptop, to prevent damage from spills or droppings.
• Do not expose the laptop to extreme temperatures, which can melt components.
• While shutting down the laptop after usage, ensure that all lights are out, all external cables are unplugged and no removable media is inside. Put it in the laptop case.
• Never check in a laptop as luggage on flights. It should be carried as cabin baggage.
• If the laptop is lost or stolen, it should be reported immediately to the Administration & Systems department, and necessary action such as filing an FIR should be taken.
ITAUP Contd.
Privacy Control
• NALCO has full respect for individual privacy and rights.
• A CCTV Surveillance System is operational in secure areas to monitor access and use of IT resources. The recordings by the camera will be reviewed by authorised staff and a copy retained for a specified period of time for records / reference.
• The Company may monitor or keep a record of communications (at any time, with or without notice), either directly or via an external agency, and/or record use of the IT Resources in order to (including, but not limited to):
    • Detect and/or prevent crime.
    • Ascertain and/or demonstrate whether Users and/or the Company are complying with the Company’s rules and policies and also with legal and/or regulatory obligations which the User and/or the Company are subject to.
    • Ascertain communications relevant to Business.
    • Ascertain and/or demonstrate standards of service.
• The Company will, in conducting such monitoring activities, use all reasonable endeavours to comply with regulatory guidelines and to respect User privacy and that of third parties using the IT Resources.
ITAUP Contd.
Coverage
• DESKTOP/PC/WORKSTATION
• SECURE PRINTER USAGE
• PASSWORD CONTROL AND USAGE
• E-MAIL
• INTERNET
• SECURE USAGE OF LAPTOPS/TABLETS
• USE OF REMOVABLE DEVICES
• SPECIFIC RESTRICTIONS
• DECLARATION BY CONTRACT STAFF
• DECLARATION BY CONTRACTOR
• NON-DISCLOSURE AGREEMENT BY CONTRACTOR
NALCO cyber security guidelines
Coverage of Cyber Security Guidelines - Brief
1. IT Devices on NALCO Network
• Use of Desktop/Laptop
• Security and Proprietary Information
• INTRANET
• Use of software on Desktops
• Sharing of Information
2. Use of Portable devices
3. Use of External Storage Media
4. Use of E-mail service
5. Server and Database Security
6. Application Security
• Database Access
• Package Updates
• Access Control
• Responsibility of Application Users
• Responsibility of HODs
It’s your Information
It’s your Responsibility