
BP GLOBAL HOSTING SERVICES

SECURITY TRAINING
Graham Morrison & Rupesh Mistry
BP Account Security Office
April 2011
2010 HP Confidential

MANDATORY SECURITY TRAINING


The target audience for this training is everyone involved in delivering services to BP:

Either directly as part of the BP Account (HP employee or contractor)
As part of a leveraged HP service team
As a member of a Third Party company working on behalf of HP to deliver services to BP

Frequency of training

Within the first 30 days of starting work on the BP Account
And at least once every two years

Notes

Answers to questions are provided in the following bullet. Consider what the answers mean in the context of the services that you provide to the BP Account
Some key policy documents are embedded in this training for convenience. Always ensure that you are working from the current version as they may have been updated
Please view this presentation in Slide Show mode


BP ACCOUNT SECURITY TRAINING


CONTENT
Security Policy
Where to seek advice
Key points
Personal online safety
Complete your self-certification

Note: Minimal use of graphics in this training is deliberate to keep file size to a minimum and improve the ease of transfer to those who require email distribution

TRUE OR FALSE?
Information security is primarily a technology issue?
False. Information security is a business issue and a culture issue. Although technology will play a major part in keeping a business secure, the weakest link is always the human element


BP ACCOUNT
SECURITY TRAINING

Security Policy

TERMINOLOGY
Security Policy (What we do and why)

High-level commitments, such as "Information systems should be regularly checked for compliance with security implementation standards"
Any breach of the policy may result in disciplinary action which may include immediate termination of employment or termination or non-renewal of contractual arrangements

Processes, Procedures & Standards (How we do it)

Detailed instructions to ensure adherence to Security Policy. May be technical or non-technical, for example:
Microsoft Active Directory implementation method
Administrative procedures to ensure that everyone undertakes security awareness training

Compliance (Prove that we have done it)

Evidence to demonstrate to HP & BP that we have correctly followed procedures



BP ACCOUNT SECURITY POLICY


The controlled copy is available on the Account SharePoint
If you cannot access SharePoint, obtain the latest version via your BP Account Manager or Single Point Of Contact (SPOC)
Is based on international best practice (ISO27002)
Security Policies refer out to detailed operational processes & procedures for implementation details, e.g. Information Handling
Has been jointly signed-off by BP & the HP BP Account
Please now review the BP Account Security Policy (embedded document: BP Account Security Policy v1-0)


INFORMATION SECURITY ORGANISATION


BP & HP have regular joint Operational Security Review meetings that include:
BP GOI Security & BP data centre Security/Compliance representation plus BP Account Security
Standard reviews of Security Policy, Security Awareness & Training, any recent account Security Incidents & potential areas where improvements are required
Additional topical items

All BP Account members must:
Have an Account Line Manager (HP employees) or SPOC (Third Party employees)
Be listed in the Account Register
Have a clearly identified role on the account
Have completed mandatory training


ASSET MANAGEMENT
BP assets are recorded in BP's Configuration Management Database (CMDB)
PCs & other peripherals are recorded separately

BP Information Classifications

Classification: BP Internal
Description: BP Internal Information is information that should be secured from public access, but that would not cause significant loss or embarrassment to BP Group if it were made public. This is information intended for use only by BP Staff and contractors that does not meet the criteria for Confidential or Secret information.

Classification: Confidential
Description: Confidential information is information the disclosure, modification, misuse, or destruction of which could be significantly prejudicial to the interests of BP businesses and functions, or could cause significant embarrassment or difficulty for BP businesses and functions or their employees.

Classification: Secret
Description: Secret information is information of high value or sensitivity, the disclosure or misuse of which could cause serious damage to the interests of BP businesses and functions and which needs to be restricted to a small number of specifically identified individuals.

Most BP information that you handle will be up to BP Confidential



HANDLING BP CLASSIFIED INFORMATION


Is defined as Secret or Confidential
For detailed handling instructions refer to:
BP Global Information Handling Standard v3.01 (embedded document: BP Handling Standard)
Information Handling Instructions v3.03 (embedded document: BP Handling Instructions)
Non-compliance with these instructions is treated extremely seriously
HP employees breaching this standard may be removed from the BP Account
If you are unsure what to do, seek advice from:
Your BP Account Line Manager or SPOC
BP Account Security


STORING CLASSIFIED INFORMATION ON A PC

Classified information should not be stored on laptops unless necessary

HP PCs
If necessary, traditional EDS COE PCs may be used because they:
Are fully encrypted using Pointsec
Have Pointsec Media Encryption + WinZip available
Note: Pointsec is gradually being replaced by a McAfee alternative
If necessary, traditional HP PCs may be used only if they are encrypted
PC encryption roll-out using McAfee is underway and will complete during 2010
Refer to HP Intranet pages for the latest information

BP PCs
May only use available BP tools
Refer to BP for further information


SENDING CLASSIFIED INFORMATION TO BP

From HP PCs
People not yet migrated to @hp.com email & using traditional EDS COE PCs
May use Pointsec Media Encryption + WinZip until migration to S/MIME & McAfee is complete
People on @hp.com email using traditional EDS COE PCs with an HP retrofit
May use HP's S/MIME encrypted email
People on @hp.com email using an HP PC
May use HP's S/MIME encrypted email
If you haven't already, it is strongly recommended that you configure your PC for S/MIME (embedded document: Transferring Information to BP)

From BP PCs
People using @bp.com email
May only use available BP tools
Refer to BP for further information


HUMAN RESOURCES SECURITY


HP pre-employment screening takes place in accordance with agreed local working practices
Additional & specific screening may apply for certain roles on the BP Account
Non-compliance with security policies and procedures is a disciplinary issue
Managers are responsible for ensuring that all:
Team members are correctly represented in the Account Organisation Chart and the Account Register
Team member access rights are reviewed at least every 6 months
Assets & access rights are removed from team members as soon as they are no longer required


QUESTION
What is Social Engineering?
A. A group of hackers coming together to attempt to exploit a system
B. The manipulation of individuals into revealing confidential information
C. A large group of botnets being used to cause a denial of service attack
D. Posting of your own personal data on sites such as Facebook, MySpace and Linked-In

Answer B. Individuals can be manipulated in many ways, for example: someone making a call pretending to be from the Helpdesk and asking for confidential information such as passwords


PHYSICAL SECURITY
Always wear your pass card. Challenge anyone not wearing theirs
Ensure visitors are accompanied at all times
Help to prevent tailgating
Report broken door locks
Discuss sensitive information only when certain it is safe to do so
Do not leave bags unattended
Store media in locked cabinets
Routine physical security tests are performed!

OPERATIONS MANAGEMENT
Operations procedures must be followed
No unauthorised changes are permitted
Non-HP employees must report to an HP SPOC
Check that AntiVirus software is up to date
Media must be handled/disposed of correctly
Sensitive information must only be sent to BP using approved methods
Activity logs must be produced and retained to facilitate any necessary investigations

ACCESS CONTROL
Users will only be granted the minimum access necessary to allow them to do their job
Accounts must be removed when users leave or change roles
Userids/passwords may not be shared
Unattended PCs must be locked
The BP Account operates a clear desk policy
Network connections must be officially approved

QUESTION
Analysis of a recent large scale phishing attack identified which of the following?
A. 94% of passwords were not alphanumeric
B. 123456 was the most common password
C. People tend to have the same password across many accounts
D. All of the above. Worrying isn't it?

Answer D (Sadly). If your passwords fit just one of these criteria you should seriously consider making changes as soon as possible


SPEAR PHISHING ATTACKS


Are focused attacks appearing to come from people you know
Usually employed in a business environment
May look like they come from your employer, or from a colleague who could be expected to send an email message to everyone in the company, for example: the Head of IT or Human Resources
May include requests for userids or passwords
Could contain hidden malicious software
Be careful!

TRUE OR FALSE?
Complex passwords are hard to remember?
True (& False). A complex password such as "J&Jwuth2fapow" is difficult to remember on its own

Try instead to remember "Jack and Jill went up the hill to fetch a pail of water". Remembering this particular password suddenly becomes much easier

Why not try it yourself with a phrase from a song, movie or book?


INFORMATION SYSTEMS MAINTENANCE


Business requirements for information systems must include security controls from the start
Security controls must be designed in, not bolted on
Only deploy approved hardware/software
Only authorised changes are permitted
HP SPOCs are responsible for ensuring secure operations by their Third Party organisations
Vulnerability tools are used to monitor the estate
Results are reviewed and corrective actions agreed with BP


SECURITY INCIDENTS
If you suspect an incident report it immediately
It is better to cancel it later if subsequently it is found to be invalid than to delay the initial investigation
BP Digital Security Alert Centre: ITSDSAlertCentre@bp.com
HP Intranet: Responding to IT Security Incidents
Information has a higher value than hardware

Laptop thefts
BP Laptops: notify your local BP Helpdesk
BP Policy states that: "it is no longer acceptable to leave a laptop in the boot/trunk of your vehicle"
HP Laptops: notify HP's Corporate IT Security Incident Response Team
In addition, always notify the BP Account: your BP Account Line Manager/SPOC and BP Account Security


COMPLIANCE & AUDITS


Compliance
Routine demonstration of our adherence to applicable regulatory guidelines. Supporting evidence produced during normal business activities is checked
Current applicable legislation for the BP Account includes Sarbanes Oxley (SOX) and the Financial Services Authority (FSA)

Audits
Systematic evaluations measuring conformance to a set of established criteria
We may be audited by HP Internal Audit against HP criteria, BP or their agents against BP criteria or be subject to audits with a specific focus such as Quality Management


COMPLIANCE & AUDITS


The Account is regularly audited across the following areas:

Change Management

Data Backup and Recovery

Database User Access Management

Incident and Problem Management

IT Operations

IT Service Continuity

Logical Access (User Administration)

Management of Service Levels

Physical Access and Environmental Controls

These are ongoing activities and everyone should understand which outputs they are required to produce and when.

BP ACCOUNT
SECURITY TRAINING

Where to seek advice



CONTACT BP ACCOUNT SECURITY IF


Any new security risks are identified
Security Policy non-compliances are discovered
The use of cryptography is required
A security incident occurs
Security advice is needed
You identify areas requiring Security Awareness briefings
Contacts

Graham Morrison: Graham.Morrison@hp.com
Tel: +44 (0) 7584 335016

Rupesh Mistry: RMistry@hp.com
Tel: +44 (0)7818 016 599

CONTACT THE COMPLIANCE TEAM IF


You are unsure what evidence to provide
You are unable to provide evidence on time
You identify any gaps in compliance evidence
Contact
GIS Iberia Compliance (HP GAL entry) or gisiberiacompliance@hp.com (external address)


BP ACCOUNT
SECURITY TRAINING

Key points

IT'S ALL ABOUT YOU!

You keep your credit cards safe so
Treat your building pass cards the same way
You don't give your house keys to strangers so
Don't share your passwords
You don't leave private information around so
Lock your PC & papers away when not in use
You are accountable for your own security so
Don't leave it to someone else
You & the customer depend on trust so
Security makes good business sense for all of us


LEAD BY EXAMPLE
Keep mandatory Security Training up to date
Be familiar with Security Policy contents
Demonstrate security understanding
Wear your pass card & challenge anyone who isn't
Clear your desk when you go home
Ensure that your PC is appropriately secured
Take ownership of security issues
Know where/when to seek advice:
Your BP Account Line Manager or SPOC
BP Account Security

BP ACCOUNT
SECURITY TRAINING

Personal online safety



ENCOURAGE ONLINE SAFETY IN EVERYONE
For advice to support online activities on non-work PCs, try these:

Is your new password strong enough? Test it with Microsoft's Password Checker
Too many passwords to remember? These may help: KeePass Password Safe or Password Safe
How do I protect my family online? Visit Get Safe Online for advice
Some banks now provide free tools to help protect online banking

Remember
If you need advice in a work context please contact the Account Security Team


BP ACCOUNT
SECURITY TRAINING

Complete your self-certification



TRAINING COMPLETION
This training is not deemed complete unless the Account joiners and leavers team (bpjoinersandleavers@hp.com) have:
1. Received a self-certification email from your work email address
2. Updated the Account Register to show the date when you sent your self-certification email
3. Stored for audit purposes your self-certification email

The following slide will initiate these actions
You may check your recorded self-certification date at any time on the Account SharePoint by contacting the Account joiners and leavers team

SELF-CERTIFICATION ACTION REQUIRED


Exit PowerPoint show
Double click on the Send Self-Certification icon below
It will open a Microsoft Outlook email message
If you do not use Microsoft Outlook, see instructions in the Note page of this slide
Update the message with your contact details
Send the email

(icon: Send Self-Certification)


THANK YOU FOR COMPLETING THIS SECURITY TRAINING
