Induction
v021 – November 2018
Information Security
The protection of information is ensured through a combination of
technical, procedural, and human controls.
> These controls are defined in formal documents such as:
– Policies
– Standards
– Procedures
> They provide services such as:
– Authentication (verifying who is accessing systems and data)
– Authorisation (defining what people can see and do with systems and data)
– Monitoring (capturing actions made whilst accessing systems and data)
Why is Information Security needed?
Legal requirements
Certain types of information require protection by law
Client requirements
All client contracts include formal Information Security obligations
Bravura Solutions values its clients, its products and its data!
Why: Legal Requirements
What is PII ?
> Personally Identifiable Information
> Information about a person (who can be identified from the data)
– Investor data
– Employee data
> All geographies where Bravura operates and processes PII have privacy legislation
that enforces strict collection, processing and protection requirements for Personal Data
Why: Client Requirements
> Clients impose a large number of contractual obligations on
Bravura Solutions.
> These revolve mostly around the security of the products, as well
as the protection of the data processed on their behalf.
Bravura Solutions’ Requirements
Protect our information and assets, including:
> Product technical Intellectual Property (Source Code, Design documents)
> Product information (Training material – Product Roadmap)
> Marketing/Sales information
> Financial information
> HR data
So, what actually needs protection?
Most information handled by Bravura Solutions employees or
its representatives (suppliers & partners), inclusive of:
> Personally Identifiable Information in all its forms
> Client information (including contracts and fees)
> Product source code
> Financial records
> RFP material
> HR data
> Policies, standards, and procedures
> … almost everything!
What if we failed to secure data & systems?
Information could be disclosed to unauthorised parties:
> Human error
> Malicious actions
> Being disposed-of incorrectly
Information could be lost:
> Being wiped or encrypted by a virus (ransomware)
> Faulty backup media or inadequate backup processes
Client services could be impacted:
> Making client services inaccessible (Denial of Service ‘DoS’ attack)
> Unauthorised access to client sensitive information (data leakage)
IT?
> Yes
The Legal team?
> Yes
The executive team and the board?
> Yes
All employees, contractors, partners and suppliers?
> Yes!
Who are we protecting against?
Internal Threat factors
> Mistakes and accidents
> Disgruntled employees
> Staff negligence
What are your obligations?
As defined in your employment contract:
> All staff are personally responsible and accountable for their actions in relation
to Information Security at Bravura Solutions.
Storing information
Only use company-provided storage for confidential data:
> Network drives (when in office)
> Laptop computers with encrypted drives (when out of office)
> Encrypted mobile phones
> Encrypted USB drives (check with IT)
> Printed information when unattended should be stored in a lockable cabinet or
drawer
> Back up the data on your laptop/workstation’s local hard drive regularly

Accessing and sharing information
Manage access to information
> Access can be requested and granted only when there is a defined business
need
> Access must be revoked when it’s no longer required
> Report unauthorized access to resources or data or improper disclosure/leaking
of confidential data
Transmitting information
When transmitting confidential data, secure it appropriately.
> Select the proper medium to transfer information using the proper protection
tools
> Obfuscation must be considered prior to sending sensitive client information
> Check that you are authorised to send the information
> Verify that the recipient is authorised to receive it
Passwords
Passwords form the basic component of Authentication
> Your username combined with your password are your digital identity
> They determine who you are, and what you are authorized to access
Do:
> Choose a suitable password or pass-phrase
> Contact the Helpdesk for assistance with your access, if required
> Remember the difference between Authorisation and Encryption passwords
Do NOT:
> Disclose your password to anyone
> Leave any written form of your password (sticky note)
> Attempt to obtain or use anyone else’s account
> Use the same password on multiple systems, and specifically, do not utilise your corporate
passwords on non-Bravura Solutions systems
Usage of IT equipment
Unless authorised, you may not tamper with equipment or
infrastructure. DO NOT:
> Install / reinstall operating systems
> Install programs obtained from the Internet
> Create or modify user accounts
> Physically open your equipment to add or remove components
> Remove, modify or deactivate any configuration or software, especially antivirus and
other
You must allow IT to maintain and secure your equipment:
> Allow the timely deployment of patches
> Connect your equipment to the network regularly
> Bring your equipment in for maintenance / audits when requested
Our IT teams are here to ensure the operation and security of your
devices; please contact the team for any assistance you may need
Malicious software
Do NOT:
> Open email attachments or click on links if you are not 100% sure that they are
legitimate – beware of targeted phishing attempts!
> Deactivate the antivirus on any system
> Attempt to read data off USB keys, CDs or other media whose origin is uncertain
or unknown
Internet Browsing and Social Media
Do NOT:
> Change any Internet configuration settings on your workstation – ask helpdesk!
> Participate in activities which undermine the reputation or image of Bravura
Solutions, its clients, or staff (e.g. accessing websites with illegal, questionable
or inappropriate content from corporate assets or corporate offices)
Physical security
Take appropriate care of company IT equipment
> If your office access card gets lost / stolen, report it immediately
> Immediately report any breach of physical security (e.g. theft or loss of equipment)
> Ensure opportunities for theft are minimised (do not check laptops in when flying)
Always lock your devices when not in use:
> Lock your PC screen when away from your desk
> Lock your PC or smartphone immediately after use when not in office or in public
areas
Ensure printed data is protected:
> Collect printouts containing non-public information immediately upon printing
> Ensure sensitive documents are locked away during non-working hours
> Only use the secure bins/shredders to dispose of physical / hard media.
Guests must:
> Check in and out at reception
> Be escorted from and to public office areas
> Never be left alone in the office
Social Engineering
Conference calls
> Ensure the number of attendees as reported by the system matches the number
of expected participants (*4 for a private roll call, *# for a number of attendees)
> Do not share your conference call chair number!
Remember!
Use common sense in all aspects of Information Security:
> Do NOT share passwords
> Do NOT copy, transmit, share, process or store sensitive, confidential or secret data
without appropriate protection
> Do NOT open attachments, click on links in emails you are not expecting!
> Please report anything suspicious, abnormal or unusual as soon as possible!
> Lost data? Sent data to somebody by mistake? Please report it as soon as possible!
> Unsure about what you should or shouldn’t do in a specific situation? Please ask!
> Report any abuse of computing facilities, including unauthorized sharing or granting
of passwords and privileges or distribution of inappropriate material

Questions and Answers

Thank you