Submitted by
Certificate
This is to certify that the project entitled “DATA SECURITY” is a bonafide work done by AVINASH
KUMAR (9030241104) of MBA (ISS 2009-11) in partial fulfillment of the requirements for the degree
of Masters of Business Administration of this Institute.
Date: 29/07/2010
Place: Pune
I feel great pleasure while submitting this report titled “DATA SECURITY” as a part of my project study.
I express my gratitude and esteemed regards to my project guide SANJAY SEN GUPTA for providing me
invaluable gratitude and inspiration in carrying out my project studies from inception to completion at INDIAN
OIL CORPORATION LIMITED in PATNA. His constant support and encouragement enabled me to complete
this work successfully.
I would also like to express my sincere thanks to Mr. S. MATHUR (IS), ABHIJITT DEBROY for their constant
encouragement. I am also thankful to the entire IT department at Indian Oil Corporation Ltd., Patna and
concerned staff members for providing necessary support and friendliness throughout this project. I would like
to thank Mr. J.L CHATTOPADHYA (HR), for giving me an opportunity to work in such an esteemed company.
I would like to express my sincere thanks to my internal guide at SCIT, Prof. Sonal Joglekar.
And last but not the least, I would like to express my regards to Mr. ANIL VAIDYA, director of S.C.I.T.
Sincerely,
AVINASH KUMAR
SCIT, PUNE.
ABSTRACT
INTRODUCTION
DATA SECURITY
CHAPTER-2
FINDINGS
RECOMMENDATIONS
Chapter 4 - CONCLUSION
BIBLIOGRAPHY
Project Objective
To understand about data security.
What are the consequences if data has been compromised.
Different ways by which data can be leaked or compromised.
Various ways by which we can maintain data security.
An Insight into the Project
Scope of the study:- The assessment performed focussed on external and internal network
and application infrastructure and its related systems and the Internet portal itself. It is
intended to be an overall assessment of the network, and those systems and subnets that
fall within the scope of this project.
Research Methodology:- This research work is done first to find out the factors which
affect data security and secondly, on the basis of survey analysis, to formulate
recommendations to improve security levels to protect data.
a) Primary Data:- The data was gathered through a survey-based research approach
with the help of a questionnaire. As the research work of writing and asking questions was
carried out by one person only, human error related to recording of responses cannot be
totally ruled out.
b) Secondary Data:- The source of secondary data was the sites which are mentioned in the
bibliography and under the subscript wherever it is used in this report.
Indian Oil Corporation Ltd. is the highest ranked Indian company in the prestigious Fortune
‘Global 500’. It was ranked at 135th position in 2010. It is also the 20th largest petroleum
company in the world.
Indian Oil Corporation Ltd. is currently India's largest company by sales with a turnover of
Rs.247,479 crore (US $59.22 billion), and profit of Rs. 6963 crore (US $ 1.67 billion) for fiscal
2010.
Indian Oil and its subsidiaries today accounts for 49% petroleum products market share in
India.
VISION OF IOCL
A major diversified, transnational, integrated energy company, with national leadership and a
strong environment conscience, playing a national role in oil security & public distribution.
MISSION OF IOCL
IOCL has the following mission:
To achieve international standards of excellence in all aspects of energy and
diversified business with focus on customer delight through value of products and
services and cost reduction.
To maximize creation of wealth, value and satisfaction for the stakeholders.
To attain leadership in developing, adopting and assimilating state-of- the-art
technology for competitive advantage.
To provide technology and services through sustained Research and Development.
To foster a culture of participation and innovation for employee growth and
contribution.
To cultivate high standards of business ethics and Total Quality Management for a
strong corporate identity and brand equity.
To help enrich the quality of life of the community and preserve ecological balance
and heritage through a strong environment conscience.
VALUES OF IOCL
India’s flagship national oil company and downstream petroleum major, Indian Oil
Corporation Ltd. (Indian Oil) is celebrating its Golden Jubilee in 2009. It is India's largest
commercial enterprise, with a sales turnover of Rs. 2,85,337 crore – the highest-ever for an
Indian company – and a net profit of Rs. 2,950 crore for the year 2009-10. Indian Oil is also
the highest ranked Indian company in the prestigious Fortune 'Global 500' listing, having
moved up 11 places to the 105th position in 2009.
India’s Flagship National Oil Company
Incorporated as Indian Oil Company Ltd. on 30th June, 1959, it was renamed as Indian Oil
Corporation Ltd. on 1st September, 1964 following the merger of Indian Refineries Ltd.
(established 1958) with it. Indian Oil and its subsidiaries account for approximately 48%
petroleum products market share, 34% national refining capacity and 71% downstream
sector pipelines capacity in India. Indian Oil operates the largest and the widest network of
petrol & diesel stations in the country, numbering over 18,278. It reaches Indane cooking gas
to the doorsteps of over 53 million households in nearly 2,700 markets through a network of
about 5,000 Indane distributors. Indian Oil's ISO-9002 certified Aviation Service commands
over 63% market share in aviation fuel business, meeting the fuel needs of domestic and
international flag carriers, private airlines and the Indian Defence Services. The Corporation
also enjoys a dominant share of the bulk consumer business, including that of railways, state
transport undertakings, and industrial, agricultural and marine sectors.
Technology Solutions Provider
Indian Oil's world-class R&D Centre is perhaps Asia's finest. Besides pioneering
work in lubricants formulation, refinery processes, pipeline transportation and alternative
fuels, the Centre is also the nodal agency of the Indian hydrocarbon sector for ushering in
Hydrogen fuel economy in the country. It has set up a commercial Hydrogen-CNG station at
an Indian Oil retail outlet in New Delhi this year. The Centre holds 214 active patents,
including 113 international patents. To safeguard the interest of the valuable customers,
interventions like retail automation, vehicle tracking and marker systems have been
introduced to ensure quality and quantity of petroleum products.
Widening Horizons
To achieve the next level of growth, Indian Oil is currently forging ahead on a well laid-out road
map through vertical integration— upstream into oil exploration & production (E&P) and
Globalization Initiatives
Indian Oil has set up subsidiaries in Sri Lanka, Mauritius and the United Arab Emirates
(UAE), and is simultaneously scouting for new business opportunities in the energy markets
of Asia and Africa.
Petroleum Objectives
To ensure adequate return on the capital employed and maintain a reasonable annual
dividend on equity capital.
To ensure maximum economy in expenditure.
To manage and operate all facilities in an efficient manner so as to generate
adequate internal resources to meet revenue cost and requirements for project
investment, without budgetary support.
To develop long-term corporate plans to provide for adequate growth of the
Corporation’s business.
To reduce the cost of production of petroleum products by means of systematic cost
control measures and thereby sustain market leadership through cost
competitiveness.
To complete all planned projects within the scheduled time and approved cost.
Obligations
Towards customers and dealers:- To provide prompt, courteous and efficient
service and quality products at competitive prices.
DATA SECURITY
While a great deal of attention has been given to protecting companies’ electronic assets
from outside threats – from intrusion prevention systems to firewalls to vulnerability
management – organizations must now turn their attention to an equally dangerous situation:
the problem of data loss from the inside. In fact, in many organizations there’s a
gaping hole in the controlled, secure environment created to protect electronic assets. This
hole is the now ubiquitous way businesses and individuals communicate with each other –
over the Internet. Whether it’s email, instant messaging, webmail, a form on a website, or file
transfer, electronic communications exiting the company still go largely uncontrolled and
unmonitored on their way to their destinations – with the ever-present potential for
confidential information to fall into the wrong hands. Should sensitive information be
exposed, it can wreak havoc on the organization’s bottom line through fines, bad publicity,
loss of strategic customers, loss of competitive intelligence and legal action. Given today’s
The issue of data loss encompasses everything from confidential information about
one customer being exposed, to thousands of source code files for a company’s product
being sent to a competitor. Whether deliberate or accidental, data loss occurs any
time employees, consultants, or other insiders release sensitive data about customers,
finances, intellectual property, or other confidential information (in violation of company
policies and regulatory requirements). With all the avenues available to employees today
to electronically expose sensitive data, the scope of the data loss problem is an
order of magnitude greater than threat protection from outsiders. Consider the extent of the
effort required to cover all the loss vectors an organization has the potential to encounter:
• Data in motion – Any data that is moving through the network to the outside via the
Internet
• Data at rest – Data that resides in file systems, databases and other storage methods
• Data at the endpoint – Data at the endpoints of the network (e.g. data on USB devices,
external drives, MP3 players, laptops, and other highly-mobile devices).
Given the prevalence of electronic communications, data in motion (i.e., data that is travelling
through and out of the network) is one of the most significant data loss vectors to
address today. For example, an employee sends documents to a personal email address so
he or she can work from home. Or a hospital employee accidentally sends patient
information to the wrong person. A summer intern unknowingly cuts and pastes confidential
product information into a blog entry. There are many avenues in which confidential data or
proprietary secrets can leave an organization via the Internet:
• Email
• Webmail
• HTTP (message boards, blogs and other websites)
• Instant Messaging
• Peer-to-peer sites and sessions
• FTP
1. More data is being stored in smaller spaces. Today's hard drives store 500 times the
data stored on the drives of a decade ago. Increasing storage capacities amplify the
impact of data loss, making mechanical precision more critical.
2. Data has become more mission-critical. Hospital patient records. A graduate school
thesis. Personal finance and tax information. Payroll records. Users today are storing
more information electronically than ever. The loss of mission-critical data can have
staggering financial, legal and productivity ramifications on businesses and home
users alike.
3. Backup tools and techniques are not 100% reliable. Most computer users rely on
backups as their safety net in the event of data loss (a recommended
practice). Ontrack research indicates that 80 percent of its data loss
customers regularly back up their data, only to find the backups less than adequate at the
critical moment they need to restore them. Backups assume that hardware and
storage media are in working order, that the data is not corrupted, and that your
backup is recent enough to provide full recovery. In reality, hardware and software do
fail and backups don't always contain current enough data.
• Controller failure
• Polymorphic viruses
Examples • Fires
• Floods
• Brownouts
One of the key reasons that organizations have not yet deployed data loss
protection systems is that many decision makers
are not aware of the potential risks they face, nor might they be aware of the data breach
examples in their own industries. For example:
Organizations that do not properly address DATA SECURITY can suffer a variety
of problems, including:
Loss of intellectual property
Email systems, file transfer systems, instant messaging systems, blogs, wikis, Web tools,
Thumb drives and other tools can be used to send confidential information in violation of
corporate policy, common sense and the law. The result is that trade secrets, designs,
proprietary processes and other knowledge assets can all be compromised if not adequately
protected.
Loss of reputation
Unfettered use of email by employees can lead to significant and adverse legal
judgments. For example, several years ago employees of British insurance company
Norwich Union sent rumors using the corporate email system that falsely claimed that a
competitor, Western Provident Association, was undergoing a government investigation
and was experiencing financial problems. After Western Provident filed suit, Norwich
Union publicly apologized for its employees’ behavior and paid a judgment of £450,000
(~US$780,000) in court costs and damages.
SECURITY OBJECTIVES:-
Information security enables a petroleum institution to meet its business objectives by
implementing business systems with due consideration of information technology (IT)-
related risks to the organization, business and trading partners, technology service
providers, and customers. Organizations meet this goal by striving to accomplish the
following objectives.
Physical Security Perimeter - physical border security facility has been implemented
to protect the Information processing service. Some examples of such security facility
are card control entry gate, walls, manned reception etc.,
Physical entry Controls- entry controls are in place to allow only authorised
personnel into various areas within organisation. The rooms, which have the
Information processing service, are locked or have lockable cabinets or safes.
Clear Desk and clear screen - automatic computer screen locking facility is enabled.
This would lock the screen when the computer is left unattended for a period.
Fault Logging - faults are reported and well managed. This includes corrective action
being taken, review of the fault logs and checking the actions taken.
Security of Electronic email - there is a policy in place for the acceptable use of
electronic mail, or the security policy addresses the issues with regard to use of
electronic mail. Whether controls such as antivirus checking, isolating potentially
Access Control Policy - the business requirements for access control have been
defined and documented. The Access control policy addresses the rules and rights for
each user or a group of users. The users and service providers were given a clear
statement of the business requirement to be met by access controls.
Monitoring system use - Procedures are set up for monitoring the use of information
processing facility. The procedure should ensure that the users are performing only
the activities that are explicitly authorised.
Protection of system test data - system test data is protected and controlled. The
use of operational database containing personal information should be avoided for
test purposes. If such information is used, the data should be depersonalised before
use.
Name :
Designation :
Department :
Date :
DISPOSAL OF MEDIA:- The media that are no longer required are not disposed of
securely and safely. They are just placed.
ACCESS CONTROL POLICY:- The Access control policy does address the rules and
rights for each user or a group of users but it is not strictly implemented.
DIGITAL SIGNATURE:- Digital signatures were not used to protect the authenticity
and integrity of electronic documents.
DISASTER RECOVERY PLAN:- Many employees were not aware of the disaster
recovery plan of the organisation. They don’t know whom to consult at the time of
disaster.
STEP-1 UNDERSTAND HOW SERIOUS THE PROBLEM IS:- The first step that
decision makers may want to take to solve the data breach problem is to audit the current
state of electronic communication and file management in the organization. Doing so will
reveal the extent of the risks that an organization faces and will help to make real the
problem to IT management, as well as senior line-of-business decision makers. In many
cases, this will help an organization to realize that the risks and problems it faces are not
merely a potential, theoretical problem, but are instead a real and present business danger
that it must address. While this is not always a necessary step given the abundance of
evidence that exists for the data breach problem, it may be required by some organizations
in order to convince senior managers of the extent of their own organization’s problems.
Audits of communication and file management tools can be conducted in a variety of ways.
For example:
Monitoring tools can be used to archive email communication, instant messages, blog
posts and other employee communications. Searches can then be conducted on this
content to look for credit card numbers, Social Security numbers, emails that are sent
to competitors’ domains, specific violations of statutes or corporate policies and other
information.
Another method is to draw a random sample of emails and then search the content for
similar types of information. The purpose of such an audit is to identify and to quantify
the problem of unmanaged communication so that senior management, legal
counsel, HR and others can understand the extent of the risk the organization faces.
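The content audit described above, as an added example that is not part of the original report: it scans archived messages for card numbers (confirmed with the Luhn checksum so that ordinary 16-digit references are not counted), US Social Security numbers and recipients at competitor domains, then quantifies the result. The watch-list domain, the sample messages and all function names are constructed for illustration.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

# Assumption: a watch list of competitor mail domains kept by the organization.
COMPETITOR_DOMAINS = {"rival-oil.example"}

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# US SSN in its usual written form, excluding ranges that were never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four digits so the audit report is not itself a leak."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text):
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("credit_card", mask(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", mask(m.group())))
    return findings


def audit_message(raw):
    """Return a list of (kind, evidence) findings for one RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    for _name, addr in getaddresses(headers):
        domain = addr.rpartition("@")[2].lower()
        if any(domain == d or domain.endswith("." + d) for d in COMPETITOR_DOMAINS):
            findings.append(("competitor_recipient", domain))
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return findings + scan_text("\n".join(parts))


def audit_archive(raw_messages):
    """Quantify the problem: how many messages are flagged, and for what."""
    by_type = Counter()
    flagged = 0
    for raw in raw_messages:
        findings = audit_message(raw)
        flagged += bool(findings)
        by_type.update(kind for kind, _ in findings)
    return {"messages": len(raw_messages), "flagged": flagged, "by_type": dict(by_type)}


# Constructed sample archive (not real data).
SAMPLE_ARCHIVE = [
    "From: a@corp.example\nTo: b@corp.example\nSubject: refund\n\n"
    "Customer card 4111 1111 1111 1111, expiry 12/27.\n",
    "From: a@corp.example\nTo: Buyer <buyer@rival-oil.example>\nSubject: pricing\n\n"
    "Attached is the pricing sheet.\n",
    "From: hr@corp.example\nTo: payroll@corp.example\nSubject: onboarding\n\n"
    "Employee SSN 123-45-6789, order ref 1234 5678 9012 3456.\n",
    "From: a@corp.example\nTo: b@corp.example\nSubject: lunch\n\nCanteen at one?\n",
]

if __name__ == "__main__":
    print(audit_archive(SAMPLE_ARCHIVE))
```

The 16-digit order reference in the third sample fails the Luhn check and is not reported, which is the kind of false positive a plain digit-pattern search would add to the count.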
UNAWARE STAFFS - As employees focus on their specific job duties, they often
overlook standard network security rules. For example, they might choose passwords
that are very simple to remember so that they can log on to their networks easily.
However, such passwords might be easy to guess or crack by hackers using simple
common sense or a widely available password cracking software utility. Employees
can unconsciously cause other security breaches including the accidental contraction
and spreading of computer viruses. One of the most common ways to pick up a virus
is from a floppy disk or by downloading files from the Internet. Employees who
transport data via floppy disks can unwittingly infect their corporate networks with
viruses they picked up from computers in copy centres or libraries. They might not
even know if viruses are resident on their PCs. Corporations also face the risk of
infection when employees download files, such as PowerPoint presentations, from
the Internet. Surprisingly, companies must also be wary of human error. Employees,
whether they are computer novices or computer savvy, can make such mistakes as
erroneously installing virus protection software or accidentally overlooking warnings
regarding security threats.
DISGRUNTLED STAFFS- Far more unsettling than the prospect of employee error
causing harm to a network is the potential for an angry or vengeful staff member to
RECOMMENDATIONS:-
NETWORK SECURITY:-
Network connected to the internet is protected by firewall.
Controls are put on the use of network resources such as file sharing, printing etc. to
allow only authorized and authenticated users to use.
Organization implements VPN software for handheld devices, for remote network
connections.
Developing an Awareness and Training Strategy and Plan: - Completion of the needs
assessment allows an agency to develop a strategy for developing, implementing, and
maintaining its IT security awareness and training program.
Existing national and local policy that requires the awareness and training to be
accomplished;
Goals to be accomplished for each aspect of the program (e.g., awareness, training,
education, professional development [certification]);
Mandatory (and if applicable, optional) courses or material for each target audience;
Documentation, feedback, and evidence of learning for each aspect of the program;
Establishing Priorities: - Once the security awareness and training strategy and plan have
been finalized, an implementation schedule must be established. If this needs to occur in
phases (e.g., due to budget constraints and resource availability), it is important to decide the
factors to be used in determining which initiative to schedule first and in what sequence. Key
factors to consider are:
State of Current Compliance – This involves looking at major gaps in the awareness
and training program (e.g., gap analysis) and targeting deficient areas for early rollout.
Funding the Security Awareness and Training Program: - Approaches used to express
the funding requirement may include:
Allocation per user by role (e.g., training for key security personnel and system
administrators will be more costly than general security training for those in the
organization not performing security-specific functions);
There are a variety of sources of material on security awareness that can be incorporated
into an awareness program. The material can address a specific issue, or in some cases,
can describe how to begin to develop an entire awareness program, session, or campaign.
Sources of timely material may include:
Review and evaluation:- Whether the Security policy has an owner, who is
responsible for its maintenance and review according to a defined review process.
Whether the process ensures that a review takes place in response to any changes
affecting the basis of the original assessment, example: significant security incidents,
new vulnerabilities or changes to organisational or technical infrastructure.
Identification of risks from third party:- Whether risks from third party access are
identified and appropriate security controls implemented. Whether the types of
accesses are identified, classified and reasons for access are justified. Whether
security risks with third party contractors working onsite were identified and appropriate
controls are implemented.
Physical entry Controls:- What entry controls are in place to allow only authorised
personnel into various areas within organisation.
Power Supplies:- Whether the equipment is protected from power failures by using
permanence of power supplies such as multiple feeds, uninterruptible power supply
(ups), backup generator etc.,
Cabling Security:- Whether the power and telecommunications cable carrying data
or supporting information services are protected from interception or damage.
Clear Desk and clear screen:- Whether automatic computer screen locking facility is
enabled. This would lock the screen when the computer is left unattended for a period.
Documented Operating procedures:- Whether the Security Policy has identified any
Operating procedures such as Back-up, Equipment maintenance etc., Whether such
procedures are documented and used.
Control against malicious software:- Whether there exists any control against
malicious software usage. Whether the security policy does address software
licensing issues such as prohibiting usage of unauthorised software. Whether there
exists any Procedure to verify all warning bulletins are accurate and informative with
regards to the malicious software usage. Whether Antivirus software is installed on the
computers to check and isolate or remove any viruses from computer and media.
Whether this software signature is updated on a regular basis to check any latest
viruses. Whether all the traffic originating from un-trusted network into the
organisation is checked for viruses. Example: Checking for viruses on email, email
attachments and on the web, FTP traffic.
Web-based training – This technique is currently the most popular for distributed
environments. “Attendees” of a web-based session can study independently and learn
at their own pace. Testing and accountability features can be built in to gauge
performance. Training models incorporating this technique are beginning to provide
the additional benefit of interaction between instructor and student or among students.
Loss of reputation
The Internet has undoubtedly become the largest public data network, enabling and
facilitating both personal and business communications worldwide. The volume of traffic
moving over the Internet, as well as corporate networks, is expanding exponentially every
day. More and more communication is taking place via e-mail; mobile workers,
telecommuters, and branch offices are using the Internet to remotely connect to their
corporate networks; and commercial transactions completed over the Internet, via the World
Wide Web, now account for large portions of corporate revenue. While the Internet has
transformed and greatly improved the way we do business, this vast network and its
associated technologies have opened the door to an increasing number of security threats
from which corporations must protect themselves. Although network attacks are presumably
more serious when they are inflicted upon businesses that store sensitive data, such as
personal medical or financial records, the consequences of attacks on any entity range from
mildly inconvenient to completely debilitating—important data can be lost, privacy can be
violated, and several hours, or even days, of network downtime can ensue. Despite the
costly risks of potential security breaches, the Internet can be one of the safest means by
which to conduct business. For example, giving credit card information to a telemarketer over
the phone or a waiter in a restaurant can be more risky than submitting the information via a
Web site, because electronic commerce transactions are usually protected by security
technology. Waiters and telemarketers are not always monitored or trustworthy. Yet the fear
of security problems can be just as harmful to businesses as actual security breaches.
General fear and suspicion of computers still exists and with that comes a distrust of the
Internet. This distrust can limit the business opportunities for companies, especially those
that are completely Web based. Thus, companies must enact security policies and instate
safeguards that not only are effective, but are also perceived as effective. Organizations
must be able to adequately communicate how they plan to protect their customers.
Chapter 4 - CONCLUSION:
Data loss prevention is a serious issue for companies, as the number of incidents (and the
cost to those experiencing them) continues to increase. Whether it’s a malicious attempt, or
an inadvertent mistake, data loss can diminish a company’s brand, reduce shareholder
value, and damage the company’s goodwill and reputation. By leveraging best practices,
companies can seek out a data loss prevention solution that best suits their particular needs.
For compliance with regulations such as HIPAA and PCI, protection of intellectual property,
and enforcement of appropriate use policies, a best-of-breed Data security solution for data
in motion will help address one of the most significant vectors for data loss: electronic
communications. Combined with data at rest and data at endpoint solutions (which protect
file systems, databases and data on various portable devices), a data in motion solution
helps protect companies across the board from the risk of data loss. Organizations that
proactively embrace this challenge will reap the benefit of deeper compliance with regulatory
policies and greater protection for valuable intellectual assets.
After the potential sources of threats and the types of damage that can occur have
been identified, putting the proper security policies and safeguards in place becomes much
easier. Organizations have an extensive choice of technologies, ranging from anti-virus
Identity
Once your policies are set, identity methods and technologies must be employed to help
positively authenticate and verify users and their access privileges.
Passwords
Making sure that certain areas of the network are “password protected”—only accessible by
those with particular passwords—is the simplest and most common way to ensure that only
those who have permission can enter a particular part of the network. In the physical security
analogy above, passwords are analogous to badge access cards. However, the most
powerful network security infrastructures are virtually ineffective if people do not protect their
passwords. Many users choose easily remembered numbers or words as passwords, such
as birthdays, phone numbers, or pets’ names, and others never change their passwords and
are not very careful about keeping them secret. The golden rules, or policies, for passwords
are:
• Change passwords regularly
• Make passwords as meaningless as possible
• Never divulge passwords to anyone until leaving the company
Digital Certificates
Digital certificates or public key certificates are the electronic equivalents of driver’s licenses
or passports, and are issued by designated Certificate Authorities (CAs). Digital certificates
are most often used for identification when establishing secure tunnels through the Internet,
such as in virtual private networking (VPN).
Access Control
Before a user gains access to the network with his password, the network must evaluate if
the password is valid. Access control servers validate the user’s identity and determine which
areas or information the user can access based on stored user profiles. In the physical
security analogy, access control servers are equivalent to the gatekeeper who oversees the
use of the access card.
Firewalls
A firewall is a hardware or software solution implemented within the network infrastructure to
enforce an organization’s security policies by restricting access to specific network
resources. In the physical security analogy, a firewall is the equivalent to a door lock on a
perimeter door or on a door to a room inside of the building—it permits only authorized users,
such as those with a key or access card, to enter. Firewall technology is even available in
versions suitable for home use. The firewall creates a protective layer between the network
and the outside world. In effect, the firewall replicates the network at the point of entry so that
Expertise
While electronic scanning tools can be very thorough in detecting network security
vulnerabilities, they may be complemented with a security assessment by professional
security consultants. A security assessment is a concentrated analysis of the security
posture of a network, highlighting security weaknesses or vulnerabilities that need to be
improved. Periodic assessments are helpful in ensuring that, in the midst of frequent
changes in a network, the security posture of the network is not weakened. In the physical
security analogy, a periodic security assessment such as scanning is like a guard periodically
patrolling the entire secured area, checking locks on doors and windows, reporting any
irregularities that might exist, and providing guidance for correction.
Allen, Julia H. (2001). The CERT Guide to System and Network Security Practices.
Boston, MA: Addison-Wesley. ISBN 0-201-73723-X.
http://www.cisco.com/go/security
Peltier, Thomas R. (2001). Information Security Risk Analysis. Boca Raton, FL:
Auerbach publications. ISBN 0-8493-0880-1.
www.google.com