SECURITY TRAINING
Graham Morrison & Rupesh Mistry
BP Account Security Office
April 2011
2010 HP Confidential
Frequency of training
Notes
Answers to questions are provided in the bullet that follows each question. Consider what the answers mean in the context of the services that you provide to the BP Account.
Some key policy documents are embedded in this training for convenience. Always ensure that you are working from the current version, as they may have been updated.
TRUE OR FALSE?
Information security is primarily a technology issue?
False. Information security is a business issue and a culture issue. Although technology plays a major part in keeping a business secure, the weakest link is always the human element.
BP ACCOUNT
SECURITY TRAINING
Security Policy
TERMINOLOGY
Security Policy (What we do and why)
Any breach of the policy may result in disciplinary action, which may include immediate termination of employment or termination or non-renewal of contractual arrangements.
If you cannot access SharePoint, obtain the latest version via your BP Account Manager or Single Point Of Contact (SPOC).
Standard reviews of Security Policy, Security Awareness & Training, any recent account Security Incidents & potential areas where improvements are required
Have an Account Line Manager (HP employees) or SPOC (Third Party employees)
ASSET MANAGEMENT
BP assets are recorded in BP's Configuration Management Database (CMDB)
PCs & other peripherals are recorded separately
BP Information Classifications

Classification | Description
BP Internal | Information that should be secured from public access, but that would not cause significant loss or embarrassment to BP Group if it were made public. This is information intended for use only by BP Staff and contractors that does not meet the criteria for Confidential or Secret information.
Confidential | Information the disclosure, modification, misuse, or destruction of which could be significantly prejudicial to the interests of BP businesses and functions, or could cause significant embarrassment or difficulty for BP businesses and functions or their employees.
Secret | Information of high value or sensitivity, the disclosure or misuse of which could cause serious damage to the interests of BP businesses and functions and which needs to be restricted to a small number of specifically identified individuals.
BP Handling Standard
BP Handling Instructions
HP PCs | BP PCs
Transferring Information to BP
People not yet migrated to @hp.com email & using traditional EDS COE PCs
May use Pointsec Media Encryption + WinZip until migration to S/MIME & McAfee is complete
People on @hp.com email using traditional EDS COE PCs with an HP retrofit
Account Team Assets
Assets & access rights are removed from team members as soon as they are no longer required
QUESTION
What is Social Engineering?
A.
B.
C.
D.
PHYSICAL SECURITY
Always wear your pass card. Challenge anyone not wearing theirs
Ensure visitors are accompanied at all times
Help to prevent tailgating
Report broken door locks
Discuss sensitive information only when certain it is safe to do so
Do not leave bags unattended
Store media in locked cabinets
OPERATIONS MANAGEMENT
Operations procedures must be followed
No unauthorised changes are permitted
Non-HP employees must report to an HP SPOC
Check that AntiVirus software is up to date
Media must be handled/disposed of correctly
Sensitive information must only be sent to BP using approved methods
Activity logs must be produced and retained to facilitate any necessary investigations
ACCESS CONTROL
Users will only be granted the minimum access necessary to allow them to do their job
Accounts must be removed when users leave or change roles
User IDs/passwords may not be shared
Unattended PCs must be locked
The BP Account operates a clear desk policy
Network connections must be officially approved
QUESTION
Analysis of a recent large scale phishing attack identified which of the following?
A.
B.
C.
D.
TRUE OR FALSE?
Complex passwords are hard to remember?
True (and False). A complex password such as "J&Jwuth2fapow" is difficult to remember on its own.
Try instead to remember "Jack and Jill went up the hill to fetch a pail of water": the password is the first letter of each word, with "and" written as "&" and "to" written as "2". Remembering this particular password suddenly becomes much easier.
Why not try it yourself with a phrase from a song, movie or book?
SECURITY INCIDENTS
If you suspect an incident report it immediately
Audits
Change Management
IT Operations
IT Service Continuity
Key points
LEAD BY EXAMPLE
Keep mandatory Security Training up to date
Be familiar with Security Policy contents
Demonstrate security understanding
Wear your pass card & challenge anyone who isn't
Clear your desk when you go home
Ensure that your PC is appropriately secured
Take ownership of security issues
Some banks now provide free tools to help protect online banking
Remember
TRAINING COMPLETION
This training is not deemed complete unless the Account joiners and leavers team (bpjoinersandleavers@hp.com) have:
1.
2.
Updated the Account Register to show the date when you sent your self-certification email
3.
Send Self-Certification