
Information Security

Induction
v021 – November 2018

Document ID: BSL_IS-Presentation-036


What is Information Security?
Information Security’s ultimate goal is to provide assurance of the
Confidentiality, Integrity, and Availability of our information at all times.

[Diagram: Information Security, labelled C, I, A (Confidentiality, Integrity, Availability)]

The protection of information is ensured through a combination of
technical, procedural, and human controls.
> These controls are defined in formal documents such as:
– Policies
– Standards
– Procedures
> They provide services such as:
– Authentication (verifying who is accessing systems and data)
– Authorisation (defining what people can see and do with systems and data)
– Monitoring (capturing actions made whilst accessing systems and data)

Why is Information Security needed?
Legal requirements
Certain types of information require protection by law

Client requirements
All client contracts include formal Information Security obligations

Bravura Solutions’ own requirements


BSL needs to protect itself

Bravura Solutions values its clients, its products and its data!

Why: Legal Requirements
What is PII?
> Personally Identifiable Information
> Information about a person (who can be identified from the data)
– Investor data – Employee data
> All geographies where Bravura operates and processes PII have privacy legislation
to enforce strict collection, processing and protection requirements for Personal Data

Adhere to Privacy Laws regarding PII


> Protect PII at all times with suitable controls
> Never use PII in ways that were not intended when it was collected
> Notify your manager, Legal team, or InfoSec team when you become aware of any
breach of Privacy

Are you handling PII?


– Unlawful disclosure, processing, and handling can result in large monetary liabilities to
Bravura Solutions
– Protection can be through Obfuscation, Encryption, and / or Authorisation.

Why: Client Requirements
> Clients impose a large number of contractual obligations on
Bravura Solutions.
> These revolve mostly around the security of the products, as well
as the protection of the data processed on their behalf.

> The key obligations are:


– The information is reasonably secured at all times.
– Client information in any form must only be shared with personnel who have a
reasonable requirement for accessing the information.
– Security policies, procedures and standards must be followed by all personnel.
– Who accessed what information, and any action performed, is recorded and
logged.

Bravura Solutions’ Requirements
Protect our information and assets, including:
> Product technical Intellectual Property (Source Code, Design documents)
> Product information (Training material – Product Roadmap)
> Marketing/Sales information
> Financial information
> HR data

Information you use on a daily basis belongs to at least one of
these categories!

So, what actually needs protection?
Most information handled by Bravura Solutions employees or
its representatives (suppliers & partners), inclusive of:
> Personally Identifiable Information in all its forms
> Client information (including contracts and fees)
> Product source code
> Financial records
> RFP material
> HR data
> Policies, standards, and procedures
> … almost everything!

What if we failed to secure data & systems?
Information could be disclosed to unauthorised parties:
> Human error
> Malicious actions
> Being disposed of incorrectly
Information could be lost:
> Being wiped or encrypted by a virus (ransomware)
> Faulty backup media or inadequate backup processes
Client services could be impacted:
> Making client services inaccessible (Denial of Service ‘DoS’ attack)
> Unauthorised access to client sensitive information (data leakage)

Failure to protect information may result in one or more of:


> Disciplinary action against, or dismissal of, the staff responsible for the issue
> Regulatory fines
> Payment of service credit to customers
> Bad publicity and reputational damage
> Contract cancellations from existing customers and loss of new business opportunities
> Threat to the very existence of the company!
Who is responsible for Information Security?

The Information Security team?


> Yes

IT?
> Yes
The Legal team?
> Yes
The executive team and the board?
> Yes
All employees, contractors, partners and suppliers?

> Yes!
Who are we protecting against?
Internal Threat factors
> Mistakes and accidents
> Disgruntled employees
> Staff negligence

External Threat factors


> Malicious propagating code (viruses, worms, Trojans)
> Hackers / Crackers
> Competitors

What are your obligations?
As defined in your employment contract:
> All staff are personally responsible and accountable for their actions in relation
to Information Security at Bravura Solutions.

You must protect information when using, storing, transmitting,
copying, sharing and processing it. This is achieved by:
> Reading and following the Information Security policies, standards, and
procedures applicable to you
> Asking others (your colleagues, your managers, IT, InfoSec) for assistance.

Think before you act – be mindful and careful!

Storing information
Only use company-provided storage for confidential data:
> Network drives (when in office)
> Laptop computers with encrypted drives (when out of office)
> Encrypted mobile phones
> Encrypted USB drives (check with IT)
> Printed information when unattended should be stored in a lockable cabinet or
drawer
> Backup data on your laptop/workstation’s local hard drive regularly

Do not use anything not provided or approved by the
business, including:
> Portable storage systems (CDs, USB keys, etc...)
> Any private media (personal laptop or smart phone)

Accessing and sharing information
Manage access to information
> Access can be requested and granted only when there is a defined business
need
> Access must be revoked when it’s no longer required
> Report unauthorized access to resources or data or improper disclosure/leaking
of confidential data

Information can be shared with third parties under specific
circumstances:
> A defined business requirement exists for this access to be granted
> The third party has been vetted and authorized by InfoSec team
> The data owner has given approval for this access
> The access is revoked when no longer needed

Transmitting information
When transmitting confidential data, secure it appropriately.
> Select the proper medium to transfer information using the proper protection
tools
> Obfuscation must be considered prior to sending sensitive client information
> Check that you are authorised to send the information
> Verify that the recipient is authorised to receive it

> Encrypt it or Obfuscate it

Passwords
Passwords form the basic component of Authentication
> Your username combined with your password is your digital identity
> They determine who you are, and what you are authorized to access
Do:
> Choose a suitable password or pass-phrase
> Contact the Helpdesk for assistance with your access, if required
> Remember the difference between Authorisation and Encryption passwords
Do NOT:
> Disclose your password to anyone
> Leave any written form of your password (sticky note)
> Attempt to obtain or use anyone else’s account
> Use the same password on multiple systems, and specifically, do not utilise your corporate
passwords on non-Bravura Solutions systems

Activities traced back to a user will be assumed to have been performed by
the owner of the account used, with all implied consequences

Usage of IT equipment
Unless authorized, you may not tamper with equipment or
infrastructure, DO NOT:
> Install / reinstall operating systems
> Install programs obtained from the Internet
> Create or modify user accounts
> Physically open your equipment to add or remove components
> Remove, modify or deactivate any configuration or software, especially antivirus and
other
You must allow IT to maintain and secure your equipment:
> Allow the timely deployment of patches
> Connect your equipment to the network regularly
> Bring your equipment in for maintenance / audits when requested

Our IT teams are here to ensure the operation and security of your
devices; please contact the team for any assistance you may need

Malicious software
Do NOT:
> Open email attachments or click on links if you are not 100% sure that they are
legitimate – beware of targeted phishing attempts!
> Deactivate the antivirus on any system
> Attempt to read data off USB keys, CDs or other media whose origin is uncertain
or unknown

Report any unexpected or abnormal behaviour on your
workstation IMMEDIATELY
> It is much easier to contain a virus before it has started to spread
> Report slowness, unexpected error messages, abnormal behaviour to IT

Your computer is only as secure as you are


> Your behavior provides the best protection!

Internet Browsing and Social Media

Do NOT:
> Change any Internet configuration settings on your workstation – ask helpdesk!
> Participate in activities which undermine the reputation or image of Bravura
Solutions, its clients, or staff (e.g. accessing websites with illegal, questionable
or inappropriate content from corporate assets or corporate offices)

When posting information on social media, Do NOT:


> Post detailed information about ongoing business projects and ventures –
Bravura Solutions is bound by client NDAs
> Post information about office gossip and rumours or about colleagues, our
clients, or the company
> Represent Bravura Solutions unless formally authorised to do so

Physical security
Take appropriate care of company IT equipment
> If your office access card gets lost / stolen, report it immediately
> Immediately report any breach of physical security (e.g. theft or loss of equipment)
> Ensure opportunities for theft are minimised (do not check laptops in when flying)
Always lock your devices when not in use:
> Lock your PC screen when away from your desk
> Lock your PC or smartphone immediately after use when not in office or in public
areas
Ensure printed data is protected:
> Collect printouts containing non-public information immediately upon printing
> Ensure sensitive documents are locked away during non-working hours
> Only use the secure bins/shredders to dispose of physical / hard media.
Guests must:
> Check in and out at reception
> Be escorted from and to public office areas
> Never be left alone in the office
Social Engineering

Beware of cold callers (vishing)


> Do not give out information to, or follow instructions from, people whose identity
you are not certain of
Doors & Entrances
> Do not tailgate or allow others to tailgate you

Conference calls
> Ensure the number of attendees as reported by the system matches the number
of expected participants (*4 for a private roll call, *# for a number of attendees)
> Do not share your conference call chair number!

Remember!
Use common sense in all aspects of Information Security:
> Do NOT share passwords
> Do NOT copy, transmit, share, process or store sensitive, confidential or secret data
without appropriate protection
> Do NOT open attachments or click on links in emails you are not expecting!
> Please report anything suspicious, abnormal or unusual as soon as possible!
> Lost data? Sent data to somebody by mistake? Please report it as soon as possible!
> Unsure about what you should or shouldn’t do in a specific situation? Please ask!
> Report any abuse of computing facilities, including unauthorized sharing or granting
of passwords and privileges or distribution of inappropriate material

Security is everybody’s responsibility!


The Information Security team
> Shane Moore, London (EMEA Information Security Officer)
> Joseph Mikhail, Sydney (APAC Information Security Officer)

> Brett McFadden, London (User Access Control SME)


> Robert Tappin, London (Cyber-Security SME)

> Dariusz Lysyszyn, Warsaw (Application Security Lead)


> Tomasz Warda, Warsaw (Network Security Analyst)

> Kunal Gaurav, Gurgaon (Operations Security)


> Punit Kumar, Gurgaon (Application Security)
> Sandeep Kumar, Gurgaon (Operations Security)
> Vishek Verma, Gurgaon (Internal Audit)

> Distribution list: information_security@bravurasolutions.com


> Wiki page: go to the Intranet and select ‘Departments’ followed by ‘Information Security’
Location of the Information Security policies
On the Bravura Solutions Intranet, browse to:
Our Organisation \ Policies \ Bravura Global Policies \ Bravura Solutions Information Security Policies

Questions and Answers

Thank you
