
Symbiosis Centre for Information Technology
“A constituent of Symbiosis International (Deemed University)”
Accredited by NAAC with ‘A’ Grade

A Report on DATA SECURITY
at
INDIAN OIL CORPORATION LIMITED-PATNA

Submitted by
Name of the student: AVINASH KUMAR
PRN: 9030241104
MBA (ISS) (2009-11)
Year of submission: 2010



Certificate

This is to certify that the project entitled “DATA SECURITY” is a bona fide work done by AVINASH
KUMAR (9030241104) of MBA (ISS 2009-11) in partial fulfillment of the requirements for the degree
of Master of Business Administration of this Institute.

Internal Evaluator (Name & Signature)    External Evaluator (Name & Signature)    Director

Date: 29/07/2010

Place: Pune

Seal of the Institute

DATA SECURITY Page 2


ACKNOWLEDGEMENT

I feel great pleasure while submitting this report titled “DATA SECURITY” as a part of my project study.

I express my gratitude and esteemed regards to my project guide SANJAY SEN GUPTA for providing me
invaluable gratitude and inspiration in carrying out my project studies from inception to completion at INDIAN
OIL CORPORATION LIMITED in PATNA. His constant support and encouragement enabled me to complete
this work successfully.

I would also like to express my sincere thanks to Mr. S. MATHUR (IS) and ABHIJITT DEBROY for their constant
encouragement. I am also thankful to the entire IT department at Indian Oil Corporation Ltd., Patna and the
concerned staff members for providing necessary support and friendliness throughout this project. I would like
to thank Mr. J.L CHATTOPADHYA (HR) for giving me an opportunity to work in such an esteemed company.

I would like to express my sincere thanks to my internal guide at SCIT, Prof. Sonal Joglekar.

And last but not the least, I would like to express my regard to Mr. ANIL VAIDYA, director of S.C.I.T.

Sincerely,
AVINASH KUMAR
SCIT, PUNE.



Table of Contents
ABSTRACT (page 5)
INTRODUCTION (page 6)
ABOUT INDIAN OIL CORPORATION LIMITED (page 7)
DATA SECURITY (page 11)
CHAPTER-2 (page 13)
ANALYSIS OF WORK DONE (page 13)
STATISTICS ABOUT LEADING CAUSES OF DATA LOSS (page 14)
SECURITY OBJECTIVES (page 18)
DATA SECURITY IN INDIAN OIL CORPORATION LIMITED (page 18)
DIFFERENT WAYS BY WHICH DATA IS PROTECTED IN “INDIAN OIL CORPORATION LIMITED” (page 19)
MY FINDING IN INDIAN OIL CORPORATION - PATNA (page 21)
FINDINGS (page 28)
WHAT SHOULD BE DONE TO PROTECT DATA (page 29)
RECOMMENDATIONS (page 33)
Sources of Awareness Material (page 36)
Chapter 3 - Learning experiences on Business / Technology (page 40)
Chapter 4 - CONCLUSION (page 44)
BIBLIOGRAPHY (page 52)



ABSTRACT:
While a great deal of attention has been given to protecting companies’ electronic assets
from outside threats – from intrusion prevention systems to firewalls to vulnerability
management – organizations must now turn their attention to an equally dangerous situation:
the problem of data loss from the inside. In fact, in many organizations there’s a gaping hole
in the controlled, secure environment created to protect electronic assets. This hole is the
now ubiquitous way businesses and individuals communicate with each other – over the
Internet. Whether it’s email, instant messaging, webmail, a form on a website, or file transfer,
electronic communications exiting the company still go largely uncontrolled and unmonitored
on their way to their destinations – with the ever-present potential for confidential information
to fall into the wrong hands. Should sensitive information be exposed, it can wreak havoc on
the organization’s bottom line through fines, bad publicity, loss of strategic customers, loss of
competitive intelligence and legal action.



INTRODUCTION:-

Need for the research


Information is one of an oil-related organisation’s most important assets. Protection of
information assets is necessary to establish and maintain trust between the petroleum
institution and its customers, maintain compliance with the law, and protect the reputation of
the institution. Timely and reliable information is necessary to process transactions and
support the decisions of the petroleum institution and its customers. An oil institution’s
earnings and capital can be adversely affected if information becomes known to unauthorized
parties, is altered, or is not available when it is needed.
The security of the industry’s systems and information is essential to its safety
and soundness and to the privacy of customer information. Security programs
must have strong board and senior management level support, integration of security
activities and controls throughout the organization’s business processes, and clear
accountability for carrying out security responsibilities.

Project Objective
• To understand data security.
• The consequences if data has been compromised.
• Different ways by which data can be leaked or compromised.
• Various ways by which we can maintain data security.
An Insight into the Project

Scope of the study:- The assessment performed focussed on the external and internal network
and application infrastructure and its related systems, and on the Internet portal itself. It
was intended to be an overall assessment of the network and of those systems and subnets that
fall within the scope of this project.

Research Methodology:- This research work was done first to find out the factors which
affect data security and secondly, on the basis of survey analysis, to formulate
recommendations to improve security levels so as to protect data.

Sources and tools of data collection:-

a) Primary Data:- The data was gathered through a survey-based research approach
with the help of a questionnaire. As the work of writing and asking the questions was carried
out by one person only, human error in the recording of responses cannot be
totally ruled out.

b) Secondary Data:- The sources of secondary data were the sites mentioned in the
bibliography and in the footnotes wherever they are used in this report.



Limitation of the Research:- There were a few limitations in this research work. The sample
covers only the “INDIAN OIL CORPORATION LIMITED - PATNA OFFICE”; this limitation is
because of the time span, so there is a much broader need to increase the sample size to
get more concrete results. Another limitation was that I was the only person involved in
recording the data. Therefore, asking the same questions of so many people can introduce
some error in recording the data, which is called human error.

ABOUT INDIAN OIL CORPORATION LIMITED


IOC (Indian Oil Corporation) was formed in 1964 as the result of merger of Indian Oil
Company Ltd. (Estd. 1959) and Indian Refineries Ltd. (Estd. 1958).

Indian Oil Corporation Ltd. is the highest ranked Indian company in the prestigious Fortune
‘Global 500’. It was ranked at 135th position in 2010. It is also the 20th largest petroleum
company in the world.

Indian Oil Corporation Ltd. is currently India's largest company by sales with a turnover of
Rs.247,479 crore (US $59.22 billion), and profit of Rs. 6963 crore (US $ 1.67 billion) for fiscal
2010.

Indian Oil and its subsidiaries today account for a 49% petroleum products market share in
India.

VISION OF IOCL
A major diversified, transnational, integrated energy company, with national leadership and a
strong environment conscience, playing a national role in oil security & public distribution.

MISSION OF IOCL
IOCL has the following mission:
• To achieve international standards of excellence in all aspects of energy and
diversified business with focus on customer delight through value of products and
services and cost reduction.
• To maximize creation of wealth, value and satisfaction for the stakeholders.
• To attain leadership in developing, adopting and assimilating state-of-the-art
technology for competitive advantage.
• To provide technology and services through sustained Research and Development.
• To foster a culture of participation and innovation for employee growth and
contribution.
• To cultivate high standards of business ethics and Total Quality Management for a
strong corporate identity and brand equity.
• To help enrich the quality of life of the community and preserve ecological balance
and heritage through a strong environment conscience.

VALUES OF IOCL



Values exist in all organizations and are an integral part of any of them. Indian Oil nurtures a set of
core values:
• CARE
• INNOVATION
• PASSION
• TRUST

India’s flagship national oil company and downstream petroleum major, Indian Oil
Corporation Ltd. (Indian Oil) is celebrating its Golden Jubilee in 2009. It is India's largest
commercial enterprise, with a sales turnover of Rs. 2,85,337 crore – the highest-ever for an
Indian company – and a net profit of Rs. 2,950 crore for the year 2009-10. Indian Oil is also
the highest ranked Indian company in the prestigious Fortune 'Global 500' listing, having
moved up 11 places to the 105th position in 2009.

India’s Flagship National Oil Company
Incorporated as Indian Oil Company Ltd. on 30th June, 1959, it was renamed Indian Oil
Corporation Ltd. on 1st September, 1964 following the merger of Indian Refineries Ltd.
(established 1958) with it. Indian Oil and its subsidiaries account for approximately 48% of the
petroleum products market share, 34% of national refining capacity and 71% of downstream
sector pipeline capacity in India. Indian Oil operates the largest and the widest network of
petrol & diesel stations in the country, numbering over 18,278. It delivers Indane cooking gas
to the doorsteps of over 53 million households in nearly 2,700 markets through a network of
about 5,000 Indane distributors. Indian Oil's ISO-9002 certified Aviation Service commands
over 63% market share in the aviation fuel business, meeting the fuel needs of domestic and
international flag carriers, private airlines and the Indian Defence Services. The Corporation
also enjoys a dominant share of the bulk consumer business, including that of railways, state
transport undertakings, and the industrial, agricultural and marine sectors.

Technology Solutions Provider
Indian Oil's world-class R&D Centre is perhaps Asia's finest. Besides pioneering
work in lubricants formulation, refinery processes, pipeline transportation and alternative
fuels, the Centre is also the nodal agency of the Indian hydrocarbon sector for ushering in a
hydrogen fuel economy in the country. It has set up a commercial Hydrogen-CNG station at
an Indian Oil retail outlet in New Delhi this year. The Centre holds 214 active patents,
including 113 international patents. To safeguard the interest of its valuable customers,
interventions like retail automation, vehicle tracking and marker systems have been
introduced to ensure the quality and quantity of petroleum products.

Widening Horizons
To achieve the next level of growth, Indian Oil is currently forging ahead on a well laid-out road
map through vertical integration – upstream into oil exploration & production (E&P) and
downstream into petrochemicals – and diversification into natural gas marketing, bio-fuels and
wind power projects, besides globalisation of its downstream operations.

Globalization Initiatives
Indian Oil has set up subsidiaries in Sri Lanka, Mauritius and the United Arab Emirates
(UAE), and is simultaneously scouting for new business opportunities in the energy markets
of Asia and Africa.

Lanka IOC Plc (LIOC)


Lanka IOC Ltd. operates about 150 petrol & diesel stations in Sri Lanka and has a very
efficient lube marketing network. Its major facilities include an oil terminal at Trincomalee, Sri
Lanka's largest petroleum storage facility, an 18,000 tonnes per annum capacity
lubricants blending plant and a state-of-the-art fuels and lubricants testing laboratory at
Trincomalee. Presently, it holds a market share of about 40% in a highly competitive bunker
market, catering to all types of bunker fuels and lubricants at all ports of Sri Lanka, viz.,
Colombo, Trincomalee and Galle. It is the major supplier of lubricants and greases to the
three arms of the Defence services of Sri Lanka. LIOC's market share in petrol
stood at 24.8% in 2008, with an overall market share of 16.9%.

Indian Oil (Mauritius) Ltd. (IOML)


Indian Oil (Mauritius) Ltd. has an overall market share of nearly 22% and commands a 35%
market share in aviation fuelling business, apart from its bunkering business. It operates a
modern petroleum bulk storage terminal at Mer Rouge port, besides 17 filling stations. In
addition to the ongoing expansion of retail network, IOML has to its credit the first ISO-9001
product-testing laboratory in Mauritius.

Indian Oil Middle-East FZE (IOME)


The Corporation's UAE subsidiary, IOC Middle East FZE, which oversees business
expansion in the Middle East, is mainly into the blending and marketing of SERVO lubricants and
the marketing of petroleum products in the Middle East, Africa and CIS countries. Finished lubes
were exported to Oman, Qatar, Yemen, Bahrain, UAE and Nepal.

Objectives & Obligations


Objectives:
• To serve the national interests in oil and related sectors in accordance and consistent
with Government policies.
• To ensure maintenance of continuous and smooth supplies of petroleum products by
way of crude oil refining, transportation and marketing activities and to provide
appropriate assistance to consumers to conserve and use petroleum products
efficiently.
• To enhance the country's self-sufficiency in crude oil refining and build expertise in
laying of crude oil and petroleum product pipelines.
• To further enhance marketing infrastructure and reseller network for providing
assured service to customers throughout the country.
• To create a strong research & development base in refinery processes, product
formulations, pipeline transportation and alternative fuels with a view to
minimizing/eliminating imports and to have next generation products.
• To optimise utilisation of refining capacity and maximize distillate yield and gross
refining margin.
• To maximise utilisation of the existing facilities for improving efficiency and increasing
productivity.
• To minimise fuel consumption and hydrocarbon loss in refineries and stock loss in
marketing operations to effect energy conservation.
• To earn a reasonable rate of return on investment.
• To avail of all viable opportunities, both national and global, arising out of the
Government of India’s policy of liberalisation and reforms.
• To achieve higher growth through mergers, acquisitions, integration and diversification
by harnessing new business opportunities in oil exploration & production,
petrochemicals, natural gas and downstream opportunities overseas.
• To inculcate strong ‘core values’ among the employees and continuously update skill
sets for full exploitation of the new business opportunities.
• To develop operational synergies with subsidiaries and joint ventures and
continuously engage across the hydrocarbon value chain for the benefit of society at
large.

Financial Objectives
• To ensure adequate return on the capital employed and maintain a reasonable annual
dividend on equity capital.
• To ensure maximum economy in expenditure.
• To manage and operate all facilities in an efficient manner so as to generate
adequate internal resources to meet revenue cost and requirements for project
investment, without budgetary support.
• To develop long-term corporate plans to provide for adequate growth of the
Corporation’s business.
• To reduce the cost of production of petroleum products by means of systematic cost
control measures and thereby sustain market leadership through cost
competitiveness.
• To complete all planned projects within the scheduled time and approved cost.

Obligations
• Towards customers and dealers:- To provide prompt, courteous and efficient
service and quality products at competitive prices.
• Towards suppliers:- To ensure prompt dealings with integrity, impartiality and
courtesy and help promote ancillary industries.
• Towards employees:- To develop their capabilities and facilitate their advancement
through appropriate training and career planning. To have fair dealings with
recognised representatives of employees in pursuance of healthy industrial relations
practices and sound personnel policies.
• Towards community:- To develop techno-economically viable and environment
friendly products. To maintain the highest standards in respect of safety, environment
protection and occupational health at all production units.
• Towards Defence Services:- To maintain adequate supplies to Defence and other
paramilitary services during normal as well as emergency situations.

DATA SECURITY

While a great deal of attention has been given to protecting companies’ electronic assets
from outside threats – from intrusion prevention systems to firewalls to vulnerability
management – organizations must now turn their attention to an equally dangerous situation:
the problem of data loss from the inside. In fact, in many organizations there’s a
gaping hole in the controlled, secure environment created to protect electronic assets. This
hole is the now ubiquitous way businesses and individuals communicate with each other –
over the Internet. Whether it’s email, instant messaging, webmail, a form on a website, or file
transfer, electronic communications exiting the company still go largely uncontrolled and
unmonitored on their way to their destinations – with the ever-present potential for
confidential information to fall into the wrong hands. Should sensitive information be
exposed, it can wreak havoc on the organization’s bottom line through fines, bad publicity,
loss of strategic customers, loss of competitive intelligence and legal action. Given today’s
strict regulatory and ultra-competitive environment, data loss prevention (DLP) is
one of the most critical issues facing CIOs, CSOs and CISOs.

Defining the DATA SECURITY Problem:-

The issue of data loss encompasses everything from confidential information about
one customer being exposed, to thousands of source code files for a company’s product
being sent to a competitor. Whether deliberate or accidental, data loss occurs any
time employees, consultants, or other insiders release sensitive data about customers,
finances, intellectual property, or other confidential information (in violation of company
policies and regulatory requirements). With all the avenues available to employees today
to electronically expose sensitive data, the scope of the data loss problem is an
order of magnitude greater than threat protection from outsiders. Consider the extent of the
effort required to cover all the loss vectors an organization has the potential to encounter:
• Data in motion – Any data that is moving through the network to the outside via the
Internet
• Data at rest – Data that resides in file systems, databases and other storage methods
• Data at the endpoint – Data at the endpoints of the network (e.g. data on USB devices,
external drives, MP3 players, laptops, and other highly mobile devices).

Getting to the Heart of the Matter: Uncontrolled Communications:-

Given the prevalence of electronic communications, data in motion (i.e., data that is travelling
through and out of the network) is one of the most significant data loss vectors to
address today. For example, an employee sends documents to a personal email address so
he or she can work from home. Or a hospital employee accidentally sends patient
information to the wrong person. A summer intern unknowingly cuts and pastes confidential
product information into a blog entry. There are many avenues by which confidential data or
proprietary secrets can leave an organization via the Internet:
• Email
• Webmail
• HTTP (message boards, blogs and other websites)
• Instant Messaging
• Peer-to-peer sites and sessions
• FTP



CHAPTER-2

ANALYSIS OF WORK DONE



STATISTICS ABOUT LEADING CAUSES OF DATA LOSS.
Despite technological advances in the reliability of magnetic storage media, data loss
continues to rise, making data recovery more important than ever. Ontrack
engineers have identified three trends that are leading to this increase in lost data.

1. More data is being stored in smaller spaces. Today's hard drives store 500 times the
data stored on the drives of a decade ago. Increasing storage capacities amplify the
impact of data loss, making mechanical precision more critical.
2. Data has become more mission-critical. Hospital patient records. A graduate school
thesis. Personal finance and tax information. Payroll records. Users today are storing
more information electronically than ever. The loss of mission-critical data can have
staggering financial, legal and productivity ramifications for businesses and home
users alike.
3. Backup tools and techniques are not 100% reliable. Most computer users rely on
backups as their safety net in the event of data loss (a recommended
practice). Ontrack research indicates that 80 percent of its data loss
customers regularly back up their data, only to find the backups less than adequate at the
critical moment they need to restore them. Backups assume that hardware and
storage media are in working order, that the data is not corrupted, and that the
backup is recent enough to provide full recovery. In reality, hardware and software do
fail and backups don't always contain current enough data.
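To make point 3 concrete: the Python below is an added illustration, not part of the original report or of Ontrack's material. It models a full-plus-incremental rotation (the same Mon-Thu incremental / Friday full schedule this report describes for the IOCL Patna office later on) and works out which media a restore on a given failure day actually needs, where the recovery point falls when one piece of the chain is damaged, and how many days of work would be lost. The dates, the backup payloads and their checksums are constructed sample data; the checksum test stands in for the "is the media still in working order" assumption the text warns about.

```python
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Backup:
    taken: date
    kind: str        # "full" or "incremental"
    sha256: str      # digest recorded in the backup log when the media was written
    payload: bytes   # constructed stand-in for the contents of the backup media


def make_backup(taken: date, kind: str, corrupt: bool = False) -> Backup:
    """Constructed sample record; corrupt=True simulates media damage after the digest was logged."""
    payload = f"{kind} backup of {taken.isoformat()}".encode()
    digest = hashlib.sha256(payload).hexdigest()
    if corrupt:
        payload = payload[:-1] + b"?"
    return Backup(taken, kind, digest, payload)


def is_intact(b: Backup) -> bool:
    """Media test: the stored data must still hash to the logged digest."""
    return hashlib.sha256(b.payload).hexdigest() == b.sha256


def restore_chain(backups: List[Backup], failure_day: date) -> List[Backup]:
    """Ordered media needed to reach the latest usable point before failure_day.

    An incremental holds only the changes since the previous backup (full or
    incremental), so it can only be applied on top of an unbroken chain. The walk
    therefore stops at the first damaged piece: a damaged full invalidates every
    incremental after it, a damaged incremental invalidates the rest of its week.
    """
    chain: List[Backup] = []
    for b in sorted(backups, key=lambda x: x.taken):
        if b.taken >= failure_day:
            break                      # not yet taken when the failure happened
        if not is_intact(b):
            break                      # chain broken from here on
        if b.kind == "full":
            chain = [b]                # a good full starts a fresh chain
        elif chain:
            chain.append(b)            # an incremental before any full is unusable, skip it
    return chain


def recovery_point(backups: List[Backup], failure_day: date) -> Optional[date]:
    chain = restore_chain(backups, failure_day)
    return chain[-1].taken if chain else None


def days_lost(backups: List[Backup], failure_day: date) -> Optional[int]:
    rp = recovery_point(backups, failure_day)
    return (failure_day - rp).days if rp is not None else None


FAILURE_DAY = date(2010, 7, 15)   # a Thursday in the constructed scenario


def sample_fortnight(corrupt_days=()) -> List[Backup]:
    """Two weeks of the Mon-Thu incremental / Fri full rotation (constructed dates)."""
    bad = {date.fromisoformat(d) for d in corrupt_days}
    schedule = [
        ("2010-07-02", "full"),
        ("2010-07-05", "incremental"), ("2010-07-06", "incremental"),
        ("2010-07-07", "incremental"), ("2010-07-08", "incremental"),
        ("2010-07-09", "full"),
        ("2010-07-12", "incremental"), ("2010-07-13", "incremental"),
        ("2010-07-14", "incremental"),
    ]
    return [make_backup(date.fromisoformat(d), kind, corrupt=date.fromisoformat(d) in bad)
            for d, kind in schedule]


if __name__ == "__main__":
    scenarios = (("all media intact", ()),
                 ("Tuesday incremental damaged", ("2010-07-13",)),
                 ("Friday full damaged", ("2010-07-09",)))
    for label, bad in scenarios:
        backups = sample_fortnight(bad)
        chain = [f"{b.kind}@{b.taken}" for b in restore_chain(backups, FAILURE_DAY)]
        print(f"{label}: restore {chain}; {days_lost(backups, FAILURE_DAY)} day(s) of work lost")
```

With every tape intact, a Thursday failure costs one day of work; a damaged Tuesday incremental pushes the recovery point back to Monday; a damaged Friday full throws away the whole current week and falls back to the previous Thursday, which is why a restore drill that actually reads the media matters more than the backup job's own success message.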

Leading Causes of DATA LOSS

Hardware or System Malfunctions (44 percent of all DATA LOSS)
Possible Symptoms:
• Error message stating the device is not recognized
• Previously accessible data suddenly gone
• Scraping or rattling sound
• Hard drive not spinning
• Computer hard drive doesn't function
Examples:
• Electrical failure
• Head/media crash
• Controller failure
Preventive Measures:
• Protect electrical components by using computers in a dry, shaded, dust-free area
• Protect against power surges with an uninterruptible power supply (UPS)
• Do not shake or remove the covers on hard drives or tapes.

Human Error (32 percent of all DATA LOSS)
Possible Symptoms:
• Previously accessible data suddenly gone
• Message similar to "File Not Found"
Examples:
• Accidental deletion or drive format
• Trauma caused by drop or fall
Preventive Measures:
• Never attempt any operation, like installations or repairs, with which you don't have experience
• Avoid moving your computer, especially when it's in operation

Software Corruption (14 percent of all DATA LOSS)
Possible Symptoms:
• System messages relating to memory errors
• Software application won't load
• Error message stating data is corrupted or inaccessible
Examples:
• Corruption caused by diagnostic or repair tools
• Failed backups
• Configuration complexity
Preventive Measures:
• Back up data regularly
• Use diagnostic utilities with caution

Computer Viruses (7 percent of all DATA LOSS)
Possible Symptoms:
• Blank screen
• Strange and unpredictable behavior
• Error message stating "File Not Found"
• Message announcing virus appears on screen
Examples:
• Boot sector viruses
• File infecting viruses
• Polymorphic viruses
Preventive Measures:
• Use a good anti-virus package
• Obtain software from reputable sources
• Scan all incoming data, including packaged software, for viruses

Natural Disasters (3 percent of all DATA LOSS)
Possible Symptoms:
• While floods and earthquakes have obvious symptoms, brownouts and lightning strikes often leave no clues
Examples:
• Fires
• Floods
• Brownouts
Preventive Measures:
• Store tested backups in an off-site location
• Install a UPS
• Don't store critical data in a flood plain

DATA SECURITY is Becoming Much More Important


MANY ARE UNAWARE OF THE PROBLEMS WITH DATA SECURITY

One of the key reasons that organizations have not yet deployed data loss protection
systems is that many decision makers are not aware of the potential risks they face, nor
might they be aware of the data breach examples in their own industries. For example:

• Employees will often accidentally send confidential data in an email – such as credit
card numbers, Social Security numbers or other confidential information – without
realizing that the data needs to be encrypted during transmission.
• There are many cases in which confidential data, unbeknownst to the sender, is
buried in an email thread that is forwarded to others.
• Email is sometimes sent to the wrong person, often resulting in the leak of
confidential information.
• Some employees will send confidential data via personal Webmail accounts to
others or to themselves to avoid file size limitations on attachments or so that they can
work on documents at home.
• Web 2.0 applications represent a significant potential for data loss. For
example, MySpace, Facebook and other social networking sites have been on the
receiving end of healthcare-related data. Hidden malware installed on endpoints has
harvested personal information like credit card numbers and quietly uploaded this
content via HTTP/HTTPS.
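As an added illustration (not part of the original report, and not any vendor's product code), the Python below implements the kind of outbound-mail content check a data loss prevention tool applies to the first bullet above: it looks for payment card numbers (validated with the Luhn check so that order numbers and phone numbers are not flagged) and US Social Security number patterns, masks what it finds so the security log does not itself leak the data, and quarantines a message only when such data is addressed to a domain outside the organisation's own. Internal mail carrying the same data is allowed through but still logged for audit. The mail domain, the four messages and the card and SSN values are constructed sample data.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Placeholder for the organisation's own mail domain (assumption, not from the report).
INTERNAL_DOMAIN = "example-corp.invalid"

# 13-19 digits, optionally separated by single spaces or dashes (payment card shape).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape ###-##-####, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


@dataclass
class Message:
    sender: str
    recipient: str
    body: str


@dataclass
class Verdict:
    action: str                                  # "allow" or "quarantine"
    findings: List[str] = field(default_factory=list)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed payment card numbers, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                           # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Digit strings in text that have card length and pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(value: str, keep: int = 4) -> str:
    """Hide all but the last `keep` characters so the DLP log cannot re-leak the data."""
    return "*" * (len(value) - keep) + value[-keep:]


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def scan(msg: Message) -> Verdict:
    """Inspect one outbound message; quarantine only if sensitive data is leaving the domain."""
    findings = [f"card:{mask(c)}" for c in find_card_numbers(msg.body)]
    findings += [f"ssn:{mask(m.group())}" for m in SSN_RE.finditer(msg.body)]
    if findings and is_external(msg.recipient):
        return Verdict("quarantine", findings)
    return Verdict("allow", findings)            # internal traffic: findings still logged for audit


# Constructed sample traffic; 4111 1111 1111 1111 is a well-known test card number.
SAMPLE_MESSAGES = [
    Message("clerk@example-corp.invalid", "friend@webmail.invalid",
            "Please charge card 4111 1111 1111 1111 for the invoice."),
    Message("hr@example-corp.invalid", "payroll@outsourcer.invalid",
            "Employee SSN 123-45-6789 attached for payroll setup."),
    Message("sales@example-corp.invalid", "buyer@customer.invalid",
            "Order 20100715123456 has shipped; call 0612-2345678 with questions."),
    Message("clerk@example-corp.invalid", "finance@example-corp.invalid",
            "Refund to card 4111 1111 1111 1111 approved."),
]


def scan_all(messages: List[Message] = SAMPLE_MESSAGES) -> List[str]:
    return [scan(m).action for m in messages]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        v = scan(m)
        print(f"{m.sender} -> {m.recipient}: {v.action} {v.findings}")
```

The third message shows why the Luhn check matters: a 14-digit order number has card length but fails the checksum, so it is not flagged, while the fourth shows the policy distinction between detecting sensitive content and blocking it based on where it is going.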

Organizations that do not properly address data loss can suffer a variety
of problems, including:

• Loss of intellectual property
Email systems, file transfer systems, instant messaging systems, blogs, wikis, Web tools,
thumb drives and other tools can be used to send confidential information in violation of
corporate policy, common sense and the law. The result is that trade secrets, designs,
proprietary processes and other knowledge assets can all be compromised if not adequately
protected.

• Loss of reputation
If an electronic communication system is used in violation of corporate policy, an
organization can suffer serious damage to its reputation.

• Harmful legal judgments
Unfettered use of email by employees can lead to significant and adverse legal
judgments. For example, several years ago employees of British insurance company
Norwich Union sent rumors using the corporate email system that falsely claimed that a
competitor, Western Provident Association, was undergoing a government investigation
and was experiencing financial problems. After Western Provident filed suit, Norwich
Union publicly apologized for its employees’ behavior and paid a judgment of £450,000
(~US$780,000) in court costs and damages.

• Compromise of corporate security
A failure to properly monitor outbound communications can lead to a variety of
security-related problems, including compromised PCs acting as zombies for sending
spam and consumer instant messaging clients that can spread worms and malware.
There are a variety of tools commonly used in the workplace that bypass conventional
security defenses, including Skype, peer-to-peer file-sharing software and chat tools.

SECURITY OBJECTIVES:-
Information security enables a petroleum institution to meet its business objectives by
implementing business systems with due consideration of information technology (IT)-
related risks to the organization, business and trading partners, technology service
providers, and customers. Organizations meet this goal by striving to accomplish the
following objectives.

• Availability—the ongoing availability of systems addresses the processes, policies,
and controls used to ensure authorized users have prompt access to information.
This objective protects against intentional or accidental attempts to deny legitimate
users access to information or systems.

• Integrity of Data or Systems—System and data integrity relate to the processes,
policies, and controls used to ensure information has not been altered in an
unauthorized manner and that systems are free from unauthorized manipulation that
would compromise accuracy, completeness, and reliability.

• Confidentiality of Data or Systems—Confidentiality covers the processes, policies,
and controls employed to protect information of customers and the institution against
unauthorized access or use.

• Accountability—Clear accountability involves the processes, policies, and controls
necessary to trace actions to their source. Accountability directly supports non-
repudiation, deterrence, intrusion prevention, security monitoring, recovery, and legal
admissibility of records.

• Assurance—Assurance addresses the processes, policies, and controls used to
develop confidence that technical and operational security measures work as
intended. Assurance levels are part of the system design and

DATA SECURITY IN INDIAN OIL CORPORATION LIMITED:-

The Information Systems department is responsible for all the IT-related services in “INDIAN OIL
CORPORATION LIMITED”. As INDIAN OIL CORPORATION LIMITED is one of the Indian
government's Navratna companies, data security is very important in
INDIAN OIL CORPORATION LIMITED. The hierarchy of the Information Systems department is
as follows:-

MANAGER, INFORMATION SYSTEM
• MANAGER (I.S)
• ASSISTANT MANAGER (I.S)
• INFORMATION SYSTEM OFFICER

DIFFERENT WAYS BY WHICH DATA IS PROTECTED IN "INDIAN OIL CORPORATION LIMITED":-

• PASSWORD PROTECTION - All employees of the organisation use eight-character
passwords. If anyone forgets his password, the INFORMATION SYSTEM DEPARTMENT
resets it and asks the employee to change the default password.

• ANTI-VIRUS SOFTWARE - In INDIAN OIL CORPORATION LIMITED PATNA the anti-virus
used is SYMANTEC, VERSION-11.0.4, and it is regularly updated.

• Responding to security incidents and malfunctions - A formal reporting procedure
exists to report security incidents through appropriate management channels as
quickly as possible. A formal reporting procedure or guideline exists for users to
report security weaknesses in, or threats to, systems or services.

• Disciplinary process - There is a formal disciplinary process in place for employees
who have violated organisational security policies and procedures. Such a process
can act as a deterrent to employees who might otherwise be inclined to disregard
security procedures.

• Physical Security Perimeter - A physical security perimeter has been implemented
to protect the information processing service. Some examples of such security
facilities are card-controlled entry gates, walls, a manned reception etc.

• Physical entry Controls - Entry controls are in place to allow only authorised
personnel into the various areas within the organisation. The rooms that house the
information processing service are locked or have lockable cabinets or safes.

• Equipment siting protection - Equipment is located in appropriate places to
minimise unnecessary access into work areas. Items requiring special protection
are isolated to reduce the general level of protection required.

• Cabling Security - The power and telecommunications cables carrying data or
supporting information services are protected from interception or damage.

• Clear Desk and clear screen - Automatic computer screen locking is enabled.
This locks the screen when the computer is left unattended for a period.

• Control against malicious software - Controls exist against the use of malicious
software. The security policy addresses software licensing issues such as
prohibiting the use of unauthorised software. A procedure exists to verify that all
warning bulletins are accurate and informative with regard to malicious software.
All traffic originating from untrusted networks into the organisation is checked for
viruses. Example: checking for viruses in email, email attachments, web traffic and
FTP traffic.

• Information back-up - Back-ups of essential business information such as the
production server, critical network components, configuration backups etc. are taken
regularly. Example: Mon-Thu: incremental backup and Fri: full backup. The backup
media, along with the procedure to restore the backup, are stored securely and well
away from the actual site. The backup media are regularly tested to ensure that they
can be restored within the time frame allotted in the operational procedure for
recovery.

• Fault Logging - Faults are reported and well managed. This includes corrective action
being taken, review of the fault logs and checking of the actions taken.

• Network Controls - Effective operational controls, such as separate network and
system administration facilities, are established where necessary. Responsibilities
and procedures for the management of remote equipment, including equipment in
user areas, are established. Special controls exist to safeguard the confidentiality
and integrity of data passing over the public network and to protect the connected
systems. Example: Virtual Private Networks, other encryption and hashing mechanisms
etc.

• Management of removable computer media - A procedure exists for the management
of removable computer media such as tapes, disks, cassettes, memory cards and
reports.

• Security of electronic mail - There is a policy in place for the acceptable use of
electronic mail, and the security policy addresses the issues regarding the use of
electronic mail. Controls such as antivirus checking, isolating potentially unsafe
attachments, spam control, anti-relaying etc. are put in place to reduce the risks
created by electronic mail.

• Access Control Policy - The business requirements for access control have been
defined and documented. The access control policy addresses the rules and rights for
each user or group of users. Users and service providers are given a clear
statement of the business requirements to be met by access controls.

• Monitoring system use - Procedures are set up for monitoring the use of information
processing facilities. The procedures should ensure that users are performing only
the activities that are explicitly authorised.

• Protection of system test data - System test data is protected and controlled. The
use of operational databases containing personal information should be avoided for
test purposes. If such information is used, the data should be depersonalised before
use.

MY FINDINGS IN INDIAN OIL CORPORATION – PATNA

METHOD USED IN FINDINGS:- I made a survey on I.T. security using questionnaires.
There are some graphs by which I made an analysis.

Name :
Designation :
Department :
Date :

Questionnaires on Data Security in Indian Oil Corporation Limited

[Please put a √ tick mark on the relevant answer]

Srl No.  Question                                                                       Answer
1        Are you aware about your Active Directory Login ID and Password?               YES / NO
         If Yes,
1a       Do you regularly change your Password?                                         YES / NO
1b       Do you share your User ID and Password?                                        YES / NO
1c       Does your Active Directory Login "Lock Out" after a pre-determined number of
         failed login attempts?                                                         YES / NO
1d       Are you aware of the access rights in your Active Directory Login?             YES / NO
2        Are you aware of Anti-Virus Software?                                          YES / NO
         If Yes,
2a       Do you know which Anti-Virus Software is being used in your Organization?      YES / NO
2b       Does your system's Anti-Virus definition have the latest patch updated?        YES / NO
3        Do you have a SAP ID?                                                          YES / NO
         If Yes,
3a       Are you aware of the access / transaction rights given to you?                 YES / NO
3b       Do you regularly change your Password?                                         YES / NO
3c       Do you share your SAP User ID and Password with anyone else in the
         organization?                                                                  YES / NO
3d       Are you aware of the implications of sharing SAP User ID and Password?         YES / NO
4        Do you regularly use email for official communication?                         YES / NO
         If Yes,
4a       Do you use your corporate e-mailing system for your official communication?    YES / NO
4b       Do you use Gmail, Rediffmail, Hotmail also for Official Communication?          YES / NO
4c       Do you send sensitive official data through your non-official email ID like
         GMAIL, Rediffmail etc?                                                         YES / NO
4d       Does anyone other than you also access your email?                             YES / NO
4e       Are you aware of the problems of unauthorised use of the email system?         YES / NO
4f       Do you access your official email from the Internet?                           YES / NO
4g       Do you have the same password for two mailing accounts?                        YES / NO
5        Are you concerned about your Data?                                             YES / NO
6        Can you differentiate between Critical Data and Non-Critical Data?             YES / NO
7        Do you use a USB drive in the office and use the same outside?                 YES / NO
8        If you receive an e-mail from an unknown person with an attachment, will you
         open that attachment?                                                          YES / NO
9        Do you know about the "Disaster Recovery Plan" of your organisation?            YES / NO
10       Do you know about Phishing?                                                    YES / NO
11       Do you know about "Social Engineering"?                                        YES / NO
12       Have you heard about "Data Security"?                                          YES / NO
13       If Yes, have you heard about any data security standards? Name one:            YES / NO
         ………………………………………………………..
14       Have you ever attended a seminar on data security?                             YES / NO

In total I took 30 samples in INDIAN OIL CORPORATION LIMITED-PATNA. On the
basis of that I got the graphs.


This graph shows that many employees were not even aware of their active directory login id
and password.

FINDINGS:-
• LACK OF I.T SECURITY AWARENESS:- Many employees in Indian Oil Corporation
Limited were not aware of I.T. security. Many of them are not aware of threats like
phishing and social engineering.

• PASSWORD MANAGEMENT:- The passwords used by employees in the organisation
are eight characters long, but they are not a combination of letters, numbers and
symbols. So it is easy for a hacker to crack their passwords.

• USE OF COMMUNICATION MEDIUM:- The INDIAN OIL CORPORATION LIMITED-
PATNA OFFICE uses LOTUS as its mailing portal, but some employees use mailing
systems like Gmail, Rediffmail and Yahoo Mail as their mailing medium. This activity
broadens the chance of data loss.

• DISPOSAL OF MEDIA:- Media that are no longer required are not disposed of
securely and safely. They are just put aside.

• ACCESS CONTROL POLICY:- The access control policy does address the rules and
rights for each user or group of users, but it is not strictly implemented.

• DIGITAL SIGNATURE:- Digital signatures are not used to protect the authenticity
and integrity of electronic documents.

• DISASTER RECOVERY PLAN:- Many employees were not aware of the disaster
recovery plan of the organisation. They do not know whom to consult at the time of a
disaster.

WHAT SHOULD BE DONE TO PROTECT DATA:-

STEP-1 UNDERSTAND HOW SERIOUS THE PROBLEM IS:- The first step that
decision makers may want to take to solve the data breach problem is to audit the current
state of electronic communication and file management in the organization. Doing so will
reveal the extent of the risks that an organization faces and will help to make real the
problem to IT management, as well as senior line-of-business decision makers. In many
cases, this will help an organization to realize that the risks and problems it faces are not
merely a potential, theoretical problem, but are instead a real and present business danger
that it must address. While this is not always a necessary step given the abundance of
evidence that exists for the data breach problem, it may be required by some organizations
in order to convince senior managers of the extent of their own organization’s problems.

Audits of communication and file management tools can be conducted in a variety of ways.
For example:
• Monitoring tools can be used to archive email communication, instant messages, blog
posts and other employee communications. Searches can then be conducted on this
content to look for credit card numbers, Social Security numbers, emails that are sent
to competitors' domains, specific violations of statutes or corporate policies and other
information.
• Another method is to draw a random sample of emails and then search the content for
similar types of information. The purpose of such an audit is to identify and to quantify
the problem of unmanaged communication so that senior management, legal
counsel, HR and others can understand the extent of the risk the organization faces.

STEP-2 ESTABLISH POLICIES FOCUSED ON STOPPING BREACHES:-
After the audit has been completed and digested by senior managers, an organization should
establish very detailed and thorough corporate policies that focus on all of the issues related
to the use of electronic communication and file management capabilities, including:
• Appropriate and inappropriate use of email by employees and what constitutes
inappropriate use. This should include not only the content of emails, but also parties
to whom email should not be sent, the types of content that should be encrypted, how
email should be used on mobile devices, whether or not email should be checked
from home, and so forth.
• The extent to which corporate systems may be employed for personal use.
• Use of personal Webmail accounts over company-owned networks and/or use of
these accounts during work hours.
• The types of information that should be sent through various media.
• The types of communications that constitute business records, how long business
records should be preserved, and when and how they should be deleted.
• Limits on the type of tools that may be used. For example, a company may want to
prevent the installation and use of consumer-oriented instant messaging clients, or it
may want to limit use only to a particular client.
• Organizations must understand any regulations that govern monitoring policies,
particularly in countries that place restrictions on how monitoring practices may be
carried out.

STEP-3 DEPLOY THE RIGHT TOOLS:- The critical next step is to deploy the technologies
that will enforce the corporate policies that have been established. While policies are
necessary to establish what an organization needs to protect, on their own they will be
ineffective at solving all of the data breach problems an organization might experience.

• Identify the leak points

Focus on the potential leak points that are important to the organization, including email,
instant messaging systems, Web-based systems, removable storage, laptops, FTP systems
and other potential sources of data leaks.

• Include capabilities to meet current and future requirements

It is important to deploy a technology that will meet the large and growing number of potential
data leaks an organization might encounter. This includes inspecting for file metadata,
industry-specific keywords and phrases, regular expressions (e.g., email)

• Deploy systems that will take appropriate action

Based on the suspected level of data breach, the systems that monitor outbound
communication should take the appropriate action. For example, an employee's instant
message that contains what looks like a Social Security number may warrant nothing more
than a popup window on the sender's display that reminds them of a corporate policy against
sending this information through an instant messaging client. On the other hand, an email
that contains an attachment with proprietary information sent through an employee's
personal Webmail account may warrant immediate redirection of the message to a
compliance officer or supervisor for further review before the message is sent. In short,
suspected data breaches should trigger only the appropriate actions: discarding messages,
quarantining them for further review, copying them to a supervisor, requiring encryption,
archiving them, etc. Incident management is a key component of any system, since each
suspected data breach should be handled with the right level of enforcement. For example,
in a large organization it would be impractical to route every suspect email to a compliance
officer or supervisor for review.

• Promote appropriate employee handling of data

For example, if an employee sends an inappropriate message to a co-worker or a
confidential document to a competitor's domain, a monitoring system should remind
employees of corporate policies that may exist regarding the appropriateness of the
communications vehicle they have chosen or other corporate policies. Copying of sensitive
documents to removable storage devices should be monitored because of the high risk of
DATA THEFT from these devices.

• Perform the appropriate level of inspection

Based on corporate policies, the role of the employee in the organization and other factors,
content should be inspected according to the appropriate policies. For example, certain
employees may require different levels of outbound content inspection and data retention
than others: a broker/dealer's email to a client may trigger a different set of policies
compared to a clerical staff member's email to the same client. Certain recipients of an email
may trigger different policies based on the company's history with those recipients. A CEO's
email to an external auditor should trigger different inspection and retention requirements
than those triggered by a marketing staff member's email. It is important to expend only the
level of computing resources necessary to satisfy corporate and other policies, in order to
maximize the performance of electronic communication and management systems. For
example, performing very deep content inspection on every message that flows through
the corporate network is simply not necessary in many cases. However, inspecting content
flowing through key threat vectors, such as removable storage or encrypted Webmail
channels, is critical.
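
The tiered enforcement and role-based inspection described in the two points above, as an added illustration in Python (not IOCL's system, nor any product's code): card numbers are confirmed with a Luhn check, attachments are opened only for key threat vectors or sensitive roles, and the worst finding maps to a single action. The domains, keywords, role names and sample messages are constructed.

```python
"""Outbound content inspection with tiered enforcement.

Added example for the "deploy systems that take appropriate action" and
"appropriate level of inspection" points; it is not IOCL's system or any
product's code.  Domains, keywords, role names and messages are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed policy values (assumptions for this example only)
COMPETITOR_DOMAINS = {"rival-petro.example", "othergas.example"}
CONFIDENTIAL_MARKERS = ("CONFIDENTIAL", "PROPRIETARY")
DEEP_CHANNELS = {"webmail", "usb"}      # key threat vectors: attachments always inspected
DEEP_ROLES = {"finance", "executive"}   # roles whose attachments are always inspected

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Severity of the worst finding decides the enforcement action
ACTIONS = {0: "allow", 1: "remind_sender", 2: "hold_for_review",
           3: "redirect_to_compliance"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: cuts false positives from arbitrary 13-16 digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


@dataclass
class Message:
    channel: str                  # "email", "im", "webmail" or "usb"
    sender: str
    sender_role: str
    recipients: List[str]
    body: str
    attachments: List[Tuple[str, str]] = field(default_factory=list)  # (name, text)


@dataclass
class Finding:
    kind: str
    detail: str
    severity: int


def needs_deep_inspection(msg: Message) -> bool:
    """Deep inspection only for key threat vectors or sensitive roles."""
    return msg.channel in DEEP_CHANNELS or msg.sender_role in DEEP_ROLES


def inspect(msg: Message) -> List[Finding]:
    findings: List[Finding] = []
    parts = [("body", msg.body)]
    if needs_deep_inspection(msg):
        parts += msg.attachments
    for name, text in parts:
        for card in find_card_numbers(text):
            findings.append(Finding("card_number", "%s: ****%s" % (name, card[-4:]), 2))
        for m in SSN_RE.finditer(text):
            findings.append(Finding("ssn", "%s: ***-**-%s" % (name, m.group()[-4:]), 2))
        if name != "body" and any(k in text.upper() for k in CONFIDENTIAL_MARKERS):
            findings.append(Finding("confidential_attachment", name, 2))
    confidential = any(f.kind == "confidential_attachment" for f in findings)
    competitors = [r for r in msg.recipients
                   if r.rsplit("@", 1)[-1].lower() in COMPETITOR_DOMAINS]
    if competitors:   # policy reminder, or redirection when a confidential file is attached
        findings.append(Finding("competitor_recipient", ",".join(competitors),
                                3 if confidential else 1))
    if msg.channel == "webmail" and confidential:
        findings.append(Finding("webmail_confidential", msg.sender, 3))
    return findings


def decide(msg: Message, findings: List[Finding]) -> str:
    """Map the worst finding to one enforcement action."""
    if not findings:
        return ACTIONS[0]
    severity = max(f.severity for f in findings)
    # An SSN-looking string in an instant message merits only a popup reminder
    if msg.channel == "im" and severity <= 2:
        severity = 1
    return ACTIONS[severity]
```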

• Train and make employees aware of corporate policies

Employees should receive regular training on corporate policies and good data management
practices and should continually be made aware of appropriate ways to send information.

• Implement forensics capabilities

Organizations may want to implement forensics capabilities in order to check on how data
has been handled after it has been sent, either for legal purposes or simply to understand
how their data is being managed. The ability to learn how outbound content was sent
and processed is in many cases just as important as monitoring this content prior to its being
sent. It is also useful to retain copies of actual email, attachments, or files being copied to
USB devices.

• Implement a sender authentication scheme

While not an outbound content scanning mechanism, it is important for any organization to
implement an authentication mechanism, such as SPF or DKIM, to ensure that recipients of
its emails are given some level of assurance that the sending organization is valid.

• Tight integration with existing infrastructure

In order to reduce costs, organizations should consider solutions that are well
integrated with their IT infrastructure whenever possible. This approach will also speed
implementation and lower on-going administration costs.

WHO ARE THE ENEMIES OF DATA SECURITY

• HACKERS - This generic and often over-romanticized term applies to computer
enthusiasts who take pleasure in gaining access to other people's computers or
networks. Many hackers are content with simply breaking in and leaving their
"footprints," which are joke applications or messages on computer desktops. Other
hackers, often referred to as "crackers," are more malicious, crashing entire computer
systems, stealing or damaging confidential data, defacing Web pages, and ultimately
disrupting business. Some amateur hackers merely locate hacking tools online and
deploy them without much understanding of how they work or their effects.

• UNAWARE STAFF - As employees focus on their specific job duties, they often
overlook standard network security rules. For example, they might choose passwords
that are very simple to remember so that they can log on to their networks easily.
However, such passwords might be easy to guess or crack by hackers using simple
common sense or a widely available password cracking software utility. Employees
can unconsciously cause other security breaches, including the accidental contraction
and spreading of computer viruses. One of the most common ways to pick up a virus
is from a floppy disk or by downloading files from the Internet. Employees who
transport data via floppy disks can unwittingly infect their corporate networks with
viruses they picked up from computers in copy centres or libraries. They might not
even know if viruses are resident on their PCs. Corporations also face the risk of
infection when employees download files, such as PowerPoint presentations, from
the Internet. Surprisingly, companies must also be wary of human error. Employees,
whether they are computer novices or computer savvy, can make such mistakes as
erroneously installing virus protection software or accidentally overlooking warnings
regarding security threats.

• DISGRUNTLED STAFF - Far more unsettling than the prospect of employee error
causing harm to a network is the potential for an angry or vengeful staff member to
inflict damage. Angry employees, often those who have been reprimanded, fired, or
laid off, might vindictively infect their corporate networks with viruses or intentionally
delete crucial files. This group is especially dangerous because it is usually far more
aware of the network, the value of the information within it, where high-priority
information is located, and the safeguards protecting it.

• SNOOPS - Whether content or disgruntled, some employees might also be curious or
mischievous. Employees known as "snoops" partake in corporate espionage, gaining
unauthorized access to confidential data in order to provide competitors with
otherwise inaccessible information. Others are simply satisfying their personal
curiosity by accessing private information, such as financial data, a romantic e-mail
correspondence between co-workers, or the salary of a colleague. Some of these
activities might be relatively harmless, but others, such as viewing private
financial, patient, or human resources data, are far more serious, can be damaging to
reputations, and can cause financial liability for a company.

RECOMMENDATIONS:-

SOME IMPORTANT TIPS THAT CAN BE USED

• Encourage or require employees to choose passwords that are not obvious.
• Require employees to change passwords every 90 days.
• Make sure your virus protection subscription is current.
• Educate employees about the security risks of e-mail attachments.
• Implement a complete and comprehensive network security solution.
• Assess your security posture regularly.
• When an employee leaves the company, remove that employee's network access
immediately.
• If you allow people to work from home, provide a secure, centrally managed server for
remote traffic.
• Update your Web server software regularly.
• Do not run any unnecessary network services.

NETWORK SECURITY:-
• The network connected to the Internet is protected by a firewall.

• All dial-in access into the internal network is properly controlled with authentication
and logs.

• Administration of network components is done by authorized staff only.

• Controls are put on the use of network resources such as file sharing, printing etc. so
that only authorized and authenticated users can use them.

• The organization implements encryption to protect information on handheld devices.

• The organization implements VPN software for handheld devices, for remote network
connections.

• Unapproved software and applications should be removed.

• Do Not Auto-Connect to Open Wi-Fi Networks - Connecting to an open Wi-Fi network
such as a free wireless hotspot or your neighbour's router exposes your computer to
security risks. Although not normally enabled, most computers have a setting
available allowing these connections to happen automatically without notifying you
(the user). This setting should not be enabled except in temporary situations.

Developing an Awareness and Training Strategy and Plan: - Completion of the needs
assessment allows an agency to develop a strategy for developing, implementing, and
maintaining its IT security awareness and training program. The strategy and plan should
address:

• Existing national and local policy that requires the awareness and training to be
accomplished;

• Scope of the awareness and training program;

• Roles and responsibilities of agency personnel who should design, develop,
implement, and maintain the awareness and training material, and who should ensure
that the appropriate users attend or view the applicable material;

• Goals to be accomplished for each aspect of the program (e.g., awareness, training,
education, professional development [certification]);

• Target audiences for each aspect of the program;

• Mandatory (and if applicable, optional) courses or material for each target audience;

• Learning objectives for each aspect of the program;

• Topics to be addressed in each session or course;

• Deployment methods to be used for each aspect of the program;

• Documentation, feedback, and evidence of learning for each aspect of the program;

• Evaluation and update of material for each aspect of the program.

Establishing Priorities: - Once the security awareness and training strategy and plan have
been finalized, an implementation schedule must be established. If this needs to occur in
phases (e.g., due to budget constraints and resource availability), it is important to decide the
factors to be used in determining which initiative to schedule first and in what sequence. Key
factors to consider are:

• Availability of Material/Resources—If awareness and training material and
necessary resources are readily available, key initiatives in the plan can be scheduled
early. However, if course material must be developed and/or instructors must be
identified and scheduled, these requirements should be considered in setting
priorities.

• Role and Organizational Impact—It is very common to address priority in terms of
organizational role and risk. Broad-based awareness initiatives that address the
enterprise-wide mandate may receive high priority because the rules of good security
practice can be delivered to the workforce quickly. Also, it is common to look at high
trust/high impact positions (e.g., IT security program managers, security officers,
system administrators, and security administrators whose positions in the organization
have been determined to have a higher sensitivity) and ensure that they receive high
priority in the rollout strategy. The priority given to these positions is typically
commensurate with the type of access (and to which systems) these users possess.

• State of Current Compliance—This involves looking at major gaps in the awareness
and training program (e.g., gap analysis) and targeting deficient areas for early rollout.

• Critical Project Dependencies—If there are projects dependent upon a segment of
security training in order to prepare the necessary requirements for the system
involved.

Funding the Security Awareness and Training Program: - Approaches used to express
the funding requirement may include:

• Percent of overall training budget;

• Allocation per user by role (e.g., training for key security personnel and system
administrators will be more costly than general security training for those in the
organization not performing security-specific functions);

• Percent of overall IT budget.

Sources of Awareness Material

There are a variety of sources of material on security awareness that can be incorporated
into an awareness program. The material can address a specific issue, or in some cases,
can describe how to begin to develop an entire awareness program, session, or campaign.
Sources of timely material may include:

• E-mail advisories issued by industry-hosted news groups, academic institutions, or
the organization's IT security office;

• Professional organizations and vendors;

• Online IT security daily news websites;

• Periodicals; and

• Conferences, seminars, and courses.

CHECKLISTS THAT SHOULD BE USED TO PROTECT DATA:-

• Information security policy document:- Whether there exists an information
security policy which is approved by management, published and communicated as
appropriate to all employees. Whether it states the management commitment and
sets out the organisational approach to managing information security.

• Review and evaluation:- Whether the security policy has an owner who is
responsible for its maintenance and review according to a defined review process.
Whether the process ensures that a review takes place in response to any changes
affecting the basis of the original assessment, for example significant security
incidents, new vulnerabilities or changes to the organisational or technical
infrastructure.

• Identification of risks from third parties:- Whether risks from third party access are
identified and appropriate security controls implemented. Whether the types of
access are identified and classified and the reasons for access are justified. Whether
security risks from third party contractors working onsite have been identified and
appropriate controls implemented.

• Security requirements in outsourcing contracts:- Whether security requirements
are addressed in the contract with the third party when the organisation has
outsourced the management and control of all or some of its information systems,
networks and/or desktop environments. The contract should address how the legal
requirements are to be met, how the security of the organisation's assets is
maintained and tested, the right of audit, physical security issues and how the
availability of the services is to be maintained in the event of a disaster.

• Inventory of assets:- Whether an inventory or register is maintained of the
important assets associated with each information system. Whether each asset
identified has an owner, a defined and agreed security classification and an identified
location.

• Classification guidelines:- Whether there is an information classification scheme or
guideline in place which will assist in determining how information is to be handled
and protected.

• Information labelling and handling:- Whether an appropriate set of procedures is
defined for information labelling and handling in accordance with the classification
scheme adopted by the organisation.

• Including security in job responsibilities:- Whether the security roles and
responsibilities laid down in the organisation's information security policy are
documented where appropriate. This should include general responsibilities for
implementing or maintaining the security policy as well as specific responsibilities for
the protection of particular assets, or for the execution of particular security processes
or activities.

• Personnel screening and policy:- Whether verification checks on permanent staff
were carried out at the time of job application. This should include character
references, confirmation of claimed academic and professional qualifications and
independent identity checks.

• Confidentiality agreements:- Whether employees are asked to sign a confidentiality
or non-disclosure agreement as part of their initial terms and conditions of
employment. Whether this agreement covers the security of the information
processing facility and organisation assets.

• Terms and conditions of employment:- Whether the terms and conditions of
employment cover the employee's responsibility for information security. Where
appropriate, these responsibilities might continue for a defined period after the end of
the employment.

• Information security education and training:- Whether all employees of the
organisation and third party users (where relevant) receive appropriate information
security training and regular updates on organisational policies and procedures.

• Reporting security incidents:- Whether a formal reporting procedure exists to
report security incidents through appropriate management channels as quickly as
possible.

• Reporting security weaknesses:- Whether a formal reporting procedure or guideline
exists for users to report security weaknesses in, or threats to, systems or services.

• Reporting software malfunctions:- Whether procedures were established to report
any software malfunctions.

• Disciplinary process:- Whether there is a formal disciplinary process in place for
employees who have violated organisational security policies and procedures. Such a
process can act as a deterrent to employees who might otherwise be inclined to
disregard security procedures.

DATA SECURITY Page 37


 Physical Security Perimeter:- What physical border security facility has been
implemented to protect the Information processing service. Some examples of such
security facility are card control entry gate, walls, manned reception etc.,

 Physical entry Controls:- What entry controls are in place to allow only authorised
personnel into various areas within organisation.

 Equipment sitting protection:- Whether the equipment was located in appropriate


place to minimise unnecessary access into work areas. Whether the items requiring
special protection were isolated to reduce the general level of protection required.

 Power Supplies:- Whether the equipment is protected from power failures by using
permanence of power supplies such as multiple feeds, uninterruptible power supply
(ups), backup generator etc.,

 Cabling Security:- Whether the power and telecommunications cable carrying data
or supporting information services are protected from interception or damage.

 Equipment Maintenance:- Whether the equipment is maintained as per the


supplier’s recommended service intervals and specifications. Whether the
maintenance is carried out only by authorised personnel.

 Secure disposal or re-use of equipment:- Whether storage device containing


sensitive information are physically destroyed or securely over written.

 Clear Desk and clear screen:- Whether an automatic screen-locking facility is
enabled, which locks the screen when the computer is left unattended for a period.

 Documented Operating procedures:- Whether the Security Policy has identified
operating procedures such as back-up and equipment maintenance, and whether such
procedures are documented and used.

 Control against malicious software:- Whether there exists any control against the
use of malicious software. Whether the security policy addresses software
licensing issues such as prohibiting the use of unauthorised software. Whether there
exists any procedure to verify that all warning bulletins about malicious software are
accurate and informative. Whether antivirus software is installed on the computers to
check for and isolate or remove any viruses from computers and media. Whether the
software’s signatures are updated on a regular basis so that the latest viruses are
detected. Whether all traffic originating from untrusted networks into the organisation is
checked for viruses. Example: checking for viruses in email, email attachments, web
traffic and FTP traffic.

 Information back-up:- Whether back-ups of essential business information, such as
production servers, critical network components and configuration data, are taken
regularly. Example: Mon-Thu: incremental backup and Fri: full backup. Whether the
backup media, along with the procedure to restore the backup, are stored securely and
well away from the actual site. Whether the backup media are regularly tested to
ensure that they can be restored within the time frame allotted in the operational
procedure for recovery.
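The malicious-software and back-up questions above can be answered from evidence rather than interviews. The following added example (not from the report or from Indian Oil’s own tooling) checks a constructed host inventory for missing or stale antivirus signatures, compares one week’s backup catalogue against the Mon-Thu incremental / Fri full schedule quoted above, and verifies that restore tests are recent and finished within the allotted recovery time; all thresholds and sample records are assumed values.

```python
# Added example (not from the report or Indian Oil): automated evidence checks
# for the malicious-software and back-up questions in the checklist above.
# Inventory, catalogue and restore log are constructed sample data; thresholds
# are assumed policy values.
from datetime import date, timedelta

MAX_SIGNATURE_AGE_DAYS = 3        # assumed: antivirus signatures older than this are stale
RESTORE_TEST_INTERVAL_DAYS = 90   # assumed: each media set is test-restored this often
RESTORE_TIME_ALLOTTED_MIN = 120   # assumed: time frame allotted in the recovery procedure

# Constructed host inventory: antivirus installed? and last signature update.
HOSTS = [
    {"host": "fs-01", "av_installed": True, "sig_updated": "2010-07-27"},
    {"host": "db-01", "av_installed": True, "sig_updated": "2010-07-20"},
    {"host": "hr-pc-07", "av_installed": False, "sig_updated": None},
]

# Constructed backup catalogue for the week of Mon 2010-07-19, following the
# schedule quoted in the report: Mon-Thu incremental, Fri full.
BACKUPS = [
    ("2010-07-19", "incremental"),  # Mon
    ("2010-07-20", "incremental"),  # Tue
    ("2010-07-21", "incremental"),  # Wed
    # Thu 2010-07-22 deliberately missing
    ("2010-07-23", "full"),         # Fri
]

# Constructed restore-test log: media set, date tested, minutes the restore took.
RESTORE_TESTS = [
    {"media": "weekly-full-2010w29", "tested": "2010-07-24", "minutes": 95},
    {"media": "weekly-full-2010w25", "tested": "2010-04-10", "minutes": 150},
]

def _days_between(earlier_iso, later_iso):
    return (date.fromisoformat(later_iso) - date.fromisoformat(earlier_iso)).days

def check_antivirus(hosts, as_of, max_age_days=MAX_SIGNATURE_AGE_DAYS):
    """Control against malicious software: hosts with no antivirus or stale signatures."""
    findings = []
    for h in hosts:
        if not h["av_installed"]:
            findings.append((h["host"], "no antivirus installed"))
            continue
        age = _days_between(h["sig_updated"], as_of)
        if age > max_age_days:
            findings.append((h["host"], f"signatures {age} days old"))
    return findings

def expected_level(day):
    """Schedule from the report: Mon-Thu incremental, Fri full, nothing at weekends."""
    weekday = day.weekday()  # Monday == 0
    if weekday <= 3:
        return "incremental"
    return "full" if weekday == 4 else None

def check_backup_schedule(backups, week_start):
    """Compare one week's catalogue (from Monday week_start) with the schedule."""
    have = {date.fromisoformat(d): level for d, level in backups}
    deviations = []
    for offset in range(7):
        day = date.fromisoformat(week_start) + timedelta(days=offset)
        want, got = expected_level(day), have.get(day)
        if want != got:
            deviations.append((day.isoformat(), f"expected {want}, found {got}"))
    return deviations

def check_restore_tests(tests, as_of, interval_days=RESTORE_TEST_INTERVAL_DAYS,
                        allotted_min=RESTORE_TIME_ALLOTTED_MIN):
    """Media must be test-restored regularly and within the allotted recovery time."""
    findings = []
    for t in tests:
        age = _days_between(t["tested"], as_of)
        if age > interval_days:
            findings.append((t["media"], f"last restore test {age} days ago"))
        if t["minutes"] > allotted_min:
            findings.append((t["media"], f"restore took {t['minutes']} min, {allotted_min} allotted"))
    return findings

if __name__ == "__main__":
    today = "2010-07-28"  # constructed audit date
    for name, result in [
        ("antivirus", check_antivirus(HOSTS, today)),
        ("backup schedule", check_backup_schedule(BACKUPS, "2010-07-19")),
        ("restore tests", check_restore_tests(RESTORE_TESTS, today)),
    ]:
        print(name, "OK" if not result else result)
```

Each check returns a list of (asset, reason) findings, so an empty list is the evidence that the control is met for that period.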

Some of the more common techniques that agencies can employ include:

 Interactive video training (IVT) – IVT is one of several distance-learning techniques
available for delivering training material. This technology supports two-way interactive
audio and video instruction. The interactive feature makes the technique more
effective than non-interactive techniques, but it is more expensive.

 Web-based training – This technique is currently the most popular for distributed
environments. “Attendees” of a web-based session can study independently and learn
at their own pace. Testing and accountability features can be built in to gauge
performance. Training models incorporating this technique are beginning to provide
the additional benefit of interaction between instructor and student or among students.

 Non-web, computer-based training – This technique continues to be popular even
with web availability. It can still be an effective method for distribution of training
material, especially if access to web-based material is not feasible. Like web-based
training, this technique does not allow for interaction between the instructor and
students or among students.

 Onsite, instructor-led training (including peer presentations and mentoring) –
This is one of the oldest, but one of the most popular techniques for delivering training
material to an audience. The biggest advantage of the technique is the interactive
nature of the instruction. This technique, however, has several potential
disadvantages. In a large organization, there may be difficulty in scheduling sufficient
classes so that all of the target audience can attend. In an organization that has a
widely distributed workforce, there may be significant travel costs for instructors and
students. Although there are challenges for distributed environments, some learners
prefer this traditional method over other methods.

Chapter 3 - Learning experiences on Business / Technology:-

1. Why data security is so important in all organisations

In simple terms, data security is the practice of keeping data protected from corruption and
unauthorized access. The focus behind data security is to ensure privacy while protecting
personal or corporate data. Data is the raw form of information stored as columns and rows in our
databases, network servers and personal computers. This may be a wide range of
information, from personal files and intellectual property to market analytics and details
intended to be top secret. Data could be anything of interest that can be read or otherwise
interpreted in human form. However, some of this information isn't intended to leave the
system. Unauthorized access to this data could lead to numerous problems for a large
corporation or even a personal home user. Having your bank account details stolen is just
as damaging as being the system administrator whose database was just robbed of its client
information. There has been a huge emphasis on data security as of late, largely because
of the internet. There are a number of options for locking down your data, from software
solutions to hardware mechanisms. Computer users are certainly more conscious these
days, but is your data really secure? If you're not following the essential guidelines, your
sensitive information may well be at risk.

Information is one of a petroleum institution’s most important assets.

Protection of information assets is necessary to establish and maintain trust between the
petroleum institution and its customers, maintain compliance with the law, and protect the
reputation of the institution. Timely and reliable information is necessary to process
transactions and support petroleum institution and customer decisions. A petroleum
institution’s earnings and capital can be adversely affected if information becomes known to
unauthorized parties, is altered, or is not available when it is needed. Information security is
the process by which an organization protects and secures the systems, media, and facilities
that process and maintain information vital to its operations. On a broad scale, the
petroleum institution industry has a primary role in protecting the nation’s petroleum services
infrastructure. The security of the industry’s systems and information is essential to its safety
and soundness and to the privacy of customer petroleum information. Individual petroleum
institutions and their service providers must maintain effective security programs adequate
for their operational complexity. These security programs must have strong board and senior
management level support, integration of security activities and controls throughout the
organization’s business processes, and clear accountability for carrying out security
responsibilities. This booklet provides guidance to examiners and organizations on assessing
the level of security risks to the organization and evaluating the adequacy of the
organization’s risk management. Organizations often inaccurately perceive information
security as the state or condition of controls at a point in time. Security is an ongoing
process, whereby the condition of a petroleum institution’s controls is just one indicator of its
overall security posture. Other indicators include the ability of the institution to continually
assess its posture and react appropriately in the face of rapidly changing threats,
technologies, and business conditions. A petroleum institution establishes and maintains
truly effective information security when it continuously integrates processes, people, and
technology to mitigate risk in accordance with risk assessment and acceptable risk tolerance
levels. Petroleum institutions protect their information by instituting a security process that
identifies risks, forms a strategy to manage the risks, implements the strategy, tests the
implementation, and monitors the environment to control the risks. While a great deal of
attention has been given to protecting companies’ electronic assets from outside threats –
from intrusion prevention systems to firewalls to vulnerability management – organizations
must now turn their attention to an equally dangerous situation: the problem of data loss from
the inside. In fact, in many organizations there’s a gaping hole in the controlled, secure
environment created to protect electronic assets. This hole is the now ubiquitous way
businesses and individuals communicate with each other – over the Internet. Whether it’s
email, instant messaging, webmail, a form on a website, or file transfer, electronic
communications exiting the company still go largely uncontrolled and unmonitored on their
way to their destinations – with the ever-present potential for confidential information to fall
into the wrong hands. Should sensitive information be exposed, it can wreak havoc on the
organization’s bottom line through fines, bad publicity, loss of strategic customers, loss of
competitive intelligence and legal action. Given today’s strict regulatory and ultra-competitive
environment, data loss prevention is one of the most critical issues facing CIOs, CSOs and
CISOs. For those creating and implementing a DATA SECURITY strategy, the task can
seem daunting. Fortunately, effective technical solutions are available. This report presents
best practices that organizations can leverage as they seek solutions for preventing leaks,
enforcing compliance, and protecting the company’s brand value and reputation.

MANAGEMENT STRUCTURE
Information security is a significant business risk that demands the engagement of the Board of
Directors and senior business management. It is the responsibility of everyone who has the
opportunity to control or report the institution’s data. Information security should be supported
throughout the institution, including the board of directors, senior management, information
security officers, employees, auditors, service providers, and contractors. Each role has
different responsibilities for information security and each individual should be accountable
for his or her actions. Accountability requires clear lines of reporting, clear communication of
expectations, and the delegation and judicious use of appropriate authority to bring about
appropriate compliance with the institution’s policies, Standards, and procedures.

RESPONSIBILITY AND ACCOUNTABILITY

The board of directors, or an appropriate committee of the board, is responsible for
overseeing the development, implementation, and maintenance of the institution’s
information security program, and making senior management accountable for its actions.
Oversight requires the board to provide management with guidance; approve information
security plans, policies and programs; and review reports on the effectiveness of the
information security program. The board should provide management with its expectations
and requirements and hold management accountable for:
 Central oversight and coordination,
 Assignment of responsibility,
 Risk assessment and measurement,
 Monitoring and testing,
 Reporting,
 Acceptable residual risk.

2. Consequences of data loss:-

 Loss of intellectual property

Email systems, file transfer systems, instant messaging systems, blogs, wikis, web tools,
thumb drives and other tools can be used to send confidential information in violation of
corporate policy, common sense and the law. The result is that trade secrets, designs,
proprietary processes and other knowledge assets can all be compromised if not adequately
protected.

 Loss of reputation

If an electronic communication system is used in violation of corporate policy, an
organization can suffer serious damage to its reputation.

 Harmful legal judgments

Unfettered use of email by employees can lead to significant and adverse legal judgments.
For example, several years ago employees of British insurance company Norwich Union
sent rumors using the corporate email system that falsely claimed that a competitor,
Western Provident Association, was undergoing a government investigation and was
experiencing petroleum problems. After Western Provident filed suit, Norwich Union publicly
apologized for its employees’ behavior and paid a judgment of £450,000 (~US$780,000) in
court costs and damages.

 Compromise of corporate security

A failure to properly monitor outbound communications can lead to a variety of security-
related problems, including compromised PCs acting as zombies for sending spam and
consumer instant messaging clients that can spread worms and malware. There are a
variety of tools commonly used in the workplace that bypass conventional security
defences, including Skype, peer-to-peer file-sharing software and chat tools.

IMPORTANCE OF NETWORK SECURITY:-

The Internet has undoubtedly become the largest public data network, enabling and
facilitating both personal and business communications worldwide. The volume of traffic
moving over the Internet, as well as corporate networks, is expanding exponentially every
day. More and more communication is taking place via e-mail; mobile workers,
telecommuters, and branch offices are using the Internet to remotely connect to their
corporate networks; and commercial transactions completed over the Internet, via the World
Wide Web, now account for large portions of corporate revenue. While the Internet has
transformed and greatly improved the way we do business, this vast network and its
associated technologies have opened the door to an increasing number of security threats
from which corporations must protect themselves. Although network attacks are presumably
more serious when they are inflicted upon businesses that store sensitive data, such as
personal medical or financial records, the consequences of attacks on any entity range from
mildly inconvenient to completely debilitating—important data can be lost, privacy can be
violated, and several hours, or even days, of network downtime can ensue. Despite the
costly risks of potential security breaches, the Internet can be one of the safest means by
which to conduct business. For example, giving credit card information to a telemarketer over
the phone or a waiter in a restaurant can be more risky than submitting the information via a
Web site, because electronic commerce transactions are usually protected by security
technology. Waiters and telemarketers are not always monitored or trustworthy. Yet the fear
of security problems can be just as harmful to businesses as actual security breaches.
General fear and suspicion of computers still exists and with that comes a distrust of the
Internet. This distrust can limit the business opportunities for companies, especially those
that are completely Web based. Thus, companies must enact security policies and instate
safeguards that not only are effective, but are also perceived as effective. Organizations
must be able to adequately communicate how they plan to protect their customers.

As with any type of crime, the threats to the privacy and integrity of data come from a very
small minority of vandals. However, while one car thief can steal only one
car at a time, a single hacker working from a basic computer can generate damage to a large
number of computer networks that wreaks havoc around the world. Perhaps even more
worrisome is the fact that the threats can come from people we know. In fact, most network
security experts claim that the majority of network attacks are initiated by employees who
work inside the corporations where breaches have occurred. Employees, through mischief,
malice, or mistake, often manage to damage their own companies’ networks and destroy
data. Furthermore, with the recent pervasiveness of remote connectivity technologies,
businesses are expanding to include larger numbers of telecommuters, branch offices, and
business partners. These remote employees and partners pose the same threats as internal
employees, as well as the risk of security breaches if their remote networking assets are not
properly secured and monitored. Whether you want to secure a car, a home, a nation, or a
computer network, a general knowledge of who the potential enemies are and how they work
is essential.

Chapter 4 - CONCLUSION:

Data loss prevention is a serious issue for companies, as the number of incidents (and the
cost to those experiencing them) continues to increase. Whether it’s a malicious attempt, or
an inadvertent mistake, data loss can diminish a company’s brand, reduce shareholder
value, and damage the company’s goodwill and reputation. By leveraging best practices,
companies can seek out a data loss prevention solution that best suits their particular needs.
For compliance with regulations such as HIPAA and PCI, protection of intellectual property,
and enforcement of appropriate use policies, a best-of-breed Data security solution for data
in motion will help address one of the most significant vectors for data loss: electronic
communications. Combined with data at rest and data at endpoint solutions (which protect
file systems, databases and data on various portable devices), a data in motion solution
helps protect companies across the board from the risk of data loss. Organizations that
proactively embrace this challenge will reap the benefit of deeper compliance with regulatory
policies and greater protection for valuable intellectual assets.

After the potential sources of threats and the types of damage that can occur have
been identified, putting the proper security policies and safeguards in place becomes much
easier. Organizations have an extensive choice of technologies, ranging from anti-virus
software packages to dedicated network security hardware, such as firewalls and intrusion
detection systems, to provide protection for all areas of the network.

Anti-virus Packages
Virus protection software is packaged with most computers and can counter most virus
threats if the software is regularly updated and correctly maintained. The anti-virus industry
relies on a vast network of users to provide early warnings of new viruses, so that antidotes
can be developed and distributed quickly. With thousands of new viruses being generated
every month, it is essential that the virus database is kept up to date. The virus database is
the record held by the anti-virus package that helps it to identify known viruses when they
attempt to strike. Reputable anti-virus software vendors will publish the latest antidotes on
their Web sites, and the software can prompt users to periodically collect new data. Network
security policy should stipulate that all computers on the network are kept up to date and,
ideally, are all protected by the same anti-virus package—if only to keep maintenance and
update costs to a minimum. It is also essential to update the software itself on a regular
basis. Virus authors often make getting past the anti-virus packages their first priority.

Security Policies
When setting up a network, whether it is a local area network (LAN), virtual LAN (VLAN), or
wide area network (WAN), it is important to initially set the fundamental security policies.
Security policies are rules that are electronically programmed and stored within security
equipment to control such areas as access privileges. Of course, security policies are also
written or verbal regulations by which an organization operates. In addition, companies must
decide who is responsible for enforcing and managing these policies and determine how
employees are informed of the rules and watch guards.

What are the policies?

The policies that are implemented should control who has access to which areas of the
network and how unauthorized users are going to be prevented from entering restricted
areas. For example, generally only members of the human resources department should
have access to employee salary histories. Passwords usually prevent employees from
entering restricted areas, but only if the passwords remain private. Written policies as basic
as warning employees against posting their passwords in work areas can often preempt
security breaches. Customers or suppliers with access to certain parts of the network must
be adequately regulated by the policies as well.

Who will enforce and manage the policies?

The individual or group of people who police and maintain the network and its security must
have access to every area of the network. Therefore, the security policy management
function should be assigned to people who are extremely trustworthy and have the technical
competence required. As noted earlier, the majority of network security breaches come from
within, so this person or group must not be a potential threat. Once assigned, network
managers may take advantage of sophisticated software tools that can help define,
distribute, enforce, and audit security policies through browser-based interfaces.

How will you communicate the policies?
Policies are essentially useless if all of the involved parties do not know and understand
them. It is vital to have effective mechanisms in place for communicating the existing
policies, policy changes, new policies, and security alerts regarding impending viruses or
attacks.

Identity
Once your policies are set, identity methods and technologies must be employed to help
positively authenticate and verify users and their access privileges.
Passwords
Making sure that certain areas of the network are “password protected”—only accessible by
those with particular passwords—is the simplest and most common way to ensure that only
those who have permission can enter a particular part of the network. In the physical security
analogy above, passwords are analogous to badge access cards. However, the most
powerful network security infrastructures are virtually ineffective if people do not protect their
passwords. Many users choose easily remembered numbers or words as passwords, such
as birthdays, phone numbers, or pets’ names, and others never change their passwords and
are not very careful about keeping them secret. The golden rules, or policies, for passwords
are:
 Change passwords regularly
 Make passwords as meaningless as possible
 Never divulge passwords to anyone until leaving the company

Digital Certificates
Digital certificates or public key certificates are the electronic equivalents of driver’s licenses
or passports, and are issued by designated Certificate Authorities (CAs). Digital certificates
are most often used for identification when establishing secure tunnels through the Internet,
such as in virtual private networking (VPN).

Access Control
Before a user gains access to the network with his password, the network must evaluate if
the password is valid. Access control servers validate the user’s identity and determine which
areas or information the user can access based on stored user profiles. In the physical
security analogy, access control servers are equivalent to the gatekeeper who oversees the
use of the access card.
Firewalls
A firewall is a hardware or software solution implemented within the network infrastructure to
enforce an organization’s security policies by restricting access to specific network
resources. In the physical security analogy, a firewall is the equivalent to a door lock on a
perimeter door or on a door to a room inside of the building—it permits only authorized users,
such as those with a key or access card, to enter. Firewall technology is even available in
versions suitable for home use. The firewall creates a protective layer between the network
and the outside world. In effect, the firewall replicates the network at the point of entry so that
it can receive and transmit authorized data without significant delay. However, it has built-in
filters that can disallow unauthorized or potentially dangerous material from entering the real
system. It also logs an attempted intrusion and reports it to the network administrators.
Encryption
Encryption technology ensures that messages cannot be intercepted or read by anyone
other than the authorized recipient. Encryption is usually deployed to protect data that is
transported over a public network and uses advanced mathematical algorithms to “scramble”
messages and their attachments. Several types of encryption algorithms exist, but some are
more secure than others. Encryption provides the security necessary to sustain the
increasingly popular VPN technology. VPNs are private connections, or tunnels, over public
networks such as the Internet. They are deployed to connect telecommuters, mobile workers,
branch offices, and business partners to corporate networks or each other. All VPN hardware
and software devices support advanced encryption technology to provide the utmost
protection for the data that they transport.
Intrusion Detection
Organizations continue to deploy firewalls as their central gatekeepers to prevent
unauthorized users from entering their networks. However, network security is in many ways
similar to physical security in that no one technology serves all needs—rather, a layered
defence provides the best results. Organizations are increasingly looking to additional
security technologies to counter risk and vulnerability that firewalls alone cannot address. A
network-based intrusion detection system (IDS) provides around-the-clock network
surveillance. An IDS analyzes packet data streams within a network, searching for
unauthorized activity, such as attacks by hackers, and enabling users to respond to security
breaches before systems are compromised. When unauthorized activity is detected, the IDS
can send alarms to a management console with details of the activity and can often order
other systems, such as routers, to cut off the unauthorized sessions. In the physical analogy,
an IDS is equivalent to a video camera and motion sensor, detecting unauthorized or
suspicious activity and working with automated response systems, such as watch guards, to
stop the activity.

Expertise
While electronic scanning tools can be very thorough in detecting network security
vulnerabilities, they may be complemented with a security assessment by professional
security consultants. A security assessment is a concentrated analysis of the security
posture of a network, highlighting security weaknesses or vulnerabilities that need to be
improved. Periodic assessments are helpful in ensuring that, in the midst of frequent
changes in a network, the security posture of the network is not weakened. In the physical
security analogy, a periodic security assessment such as scanning is like a guard periodically
patrolling the entire secured area, checking locks on doors and windows, reporting any
irregularities that might exist, and providing guidance for correction.
