
Information Security and ISO 27001 Awareness

Objective
• What is ISO 27001?
• Information Security
• Data Classification
• Physical Security
• Clear Desk & Clear Screen Policy
• Data Security
• Acceptable use of email, internet resources
• Incident Reporting

Firstsource © 2007 | confidential | December 27, 2019 | 2


What is ISO 27001?

Controls-based policy
A comprehensive set of controls comprising best practices in information security.

An Information standard
Encompasses all types of information

“Whatever form the information may take, or means by which it is shared or stored, it should always be appropriately protected” (ISO17799:2000)

Clauses – 8, Control Groups – 11, Controls – 134

Certifiable
Internationally recognized
Risk-management based



Information Security

Information is an asset to all individuals and businesses. Information Security refers to the protection of these assets in order to achieve:
i) Confidentiality ii) Integrity iii) Availability

Information Security

Confidentiality: Protecting sensitive information from unauthorized disclosure or interception.

Integrity: Safeguarding the accuracy and completeness of information.

Availability: Ensuring that information and vital services are available to users when required.



Data Classification

Secret
Contains highly sensitive, strategic Firstsource information that is material, non-public.

Examples
• Financial forecasting and planning information
• Earnings estimates
• Major litigation information
• Information on acquisition or merger plans

Highly Confidential
Contains personal data regarding Firstsource personnel or sensitive information about project/client data.

Examples
• Benefits, employee earnings, payroll data
• Performance feedback forms
• Social security numbers, home addresses and telephone numbers
• Health information
• Client lists and contact information
• Preferences, opinions and intentions regarding any individual
• Client billing information
• Client’s architecture diagrams
• Business development tracking information



Data Classification

Confidential
Contains Firstsource, client and some personal data which is marked confidential, known to be confidential or is not generally available to the public.

Examples
• Employee phone or voice mail directory
• Organization charts
• Market offering information
• Asset-based solutions
• Internal meeting presentation materials
• Project deliverables

Unrestricted
Contains any data that is available to the public.

Examples
• Company advertising literature once it has been used
• Data contained on http://www.Firstsource.com/



Physical Security

Physical controls

• Display your badge at all times within Firstsource India BPO premises.
• Do not be chivalrous and open doors for others. It is mandatory for everyone to flash their access cards whenever you enter or leave a floor.
• Disable access cards of resigned employees immediately.
• Escort visitors at all times – They do not belong to Firstsource India BPO and no information is ‘Public’ here
• Report loss of access cards immediately – this will prevent unauthorized access using your card.
• Handle ex-employees as visitors
• Ensure that all visitors sign-in their details at the entrance
• Display the danglers in your cars for identifying as Firstsource India BPO employees
• Do Not record information using state-of-the-art mobile phones or other recording equipment
• Do not use personal computing device or equipment e.g. laptops, USB drives, CD’s etc



Clear Desk & Clear Screen Policy

Do’s
• Pick up confidential and proprietary items quickly off the printer
• Shred any unwanted or old documents
• Clear out voicemail before you leave for the day
• Lock confidential and proprietary documents and computer media in drawers or filing cabinets
• Physically secure laptops with company approved cable locks
• Any documents marked ‘Secret/Highly Confidential/Confidential’ should not be left on the desk unattended
• Log out of Windows or invoke the password protected screen-saver by pressing Ctrl-Alt-Del on the Keyboard, and selecting Lock Workstation prior to leaving the computer
• Include disclaimers while sending confidential fax messages.
• Exchange information with other Firstsource entities or third party organizations through approved courier agencies.
• Verify your recipient’s identity before discussing confidential information over the phone.



Clear Desk & Clear Screen Policy

Don’ts
• Pin-up any confidential information or client data in the workspace
• Write or make notes on any piece of paper, which you might lose
• Remove any Firstsource confidential Information Pin-up from the workspaces
• Save client related documents on PC hard disks
• Access Confidential information without business need
• Change Screen Saver Settings



Data Security

• All documents should be labeled.
• Clear boards and charts after any meeting.
• Ensure all confidential and highly confidential documents are shredded immediately after use.
• Any loose paper left unattended on a desk will be shredded without any warning.
• Users should ensure they have unique and identifiable IDs and passwords for all applications they might use for their official work.
• Users should promptly follow the password policies of Firstsource and, where applicable, those of the client.
• In case of login trouble with any application, users should always contact Helpdesk. Users should not share others’ IDs / passwords.
• The user is accountable for all activities done on Firstsource systems using his / her IDs.
• Avoid discussing sensitive and confidential information in open workspaces and public places like: Airports, Restrooms, Restaurants, Elevators.



Acceptable use of email, internet resources

• Unacceptable use of Firstsource resources includes any activity which is:
- illegal
- inappropriate
- taking up excessive time or company resources.
• Do not respond to spam e-mail or forward it to others.
• Delete spam without opening.
• Turn off the Microsoft Outlook preview pane before deleting spam messages.
• Do not request removal from the spammer's distribution list, even if this option is offered.
• Do not use Firstsource e-mail for non-business-related purposes.
• Be judicious of the websites you access and never browse a site that contains inappropriate material.
• Use caution when creating rules to avoid discarding important messages.



Incident Reporting

What is a security incident?

• Any event that compromises CIA of information.
• Event could be physical, IT related, Policy related etc.
• Sometimes a security weakness precedes an incident

Some examples are:
Theft, Violence or Riots, Physical security access control failure, Unauthorized physical access, Misuse/tampering with information, Unauthorized distribution of information, Virus outbreak, Hacking etc.

• All Physical Security Incidents should be reported to Local F&S Helpdesk.
• For BCP related queries, contact your supervisors or India BPO BCP Team
• All Information Security Incidents should be reported to Centralized Technical Support Desk on 5555 and/or by email to Information.security@firstsource.com
• All HR related Incidents should be reported to HR Helpline on 6666



Important dates to remember

• Pre-Assessment Audit – June 1/2, 2006
• Stage 1 Audit (Document Review) – June 6/7, 2006
• Certification Audit – June 13/14, 2006



THANK YOU
Firstsource (NSE: FSL, BSE: 532809, Reuters: FISO.BO, Bloomberg: FSOL@IN) is a
global provider of BPO (business process outsourcing) services headquartered in
India. Firstsource provides customized business process management to global
leaders in the Banking & Financial Services, Telecom & Media and Healthcare
sectors. Its clients include Fortune 500 Financial Services, Telecommunications and
Healthcare companies. Firstsource has a global delivery model with operations in
India, US, UK, Argentina and Philippines. (www.firstsource.com)
