COLLEGE INTERNS REPORT


Page 1: COLLEGE INTERNS REPORT

Symbiosis Centre for Information Technology, “A constituent of Symbiosis International (Deemed University)”

Accredited by NAAC with ‘A’ Grade

A Report on the DATA SECURITY

at

INDIAN OIL CORPORATION LIMITED-PATNA

Submitted by

Name of the student: AVINASH KUMAR

PRN : 9030241104

MBA (ISS)

(2009-11)

Year of submission 2010


Symbiosis Centre for Information Technology, “A constituent of Symbiosis International (Deemed University)”

Accredited by NAAC with ‘A’ Grade

Certificate

This is to certify that the project entitled “DATA SECURITY” is a bona fide work done by AVINASH KUMAR (9030241104) of MBA (ISS 2009-11) in partial fulfilment of the requirements for the degree of Master of Business Administration of this Institute.

Internal Evaluator (Name & Signature)

External Evaluator (Name & Signature)

Director

Date: 29/07/2010

Place: Pune

Seal of the Institute

DATA SECURITY Page 2


ACKNOWLEDGEMENT

I feel great pleasure while submitting this report titled “DATA SECURITY” as a part of my project study.

I express my gratitude and esteemed regards to my project guide SANJAY SEN GUPTA for providing me invaluable gratitude and inspiration in carrying out my project studies from inception to completion at INDIAN OIL CORPORATION LIMITED in PATNA. His constant support and encouragement enabled me to complete this work successfully.

I would also like to express my sincere thanks to Mr. S. MATHUR (IS) and ABHIJITT DEBROY for their constant encouragement. I am also thankful to the entire IT department at Indian Oil Corporation Ltd., Patna and the concerned staff members for providing necessary support and friendliness throughout this project. I would like to thank Mr. J.L CHATTOPADHYA (HR) for giving me an opportunity to work in such an esteemed company.

I would like to express my sincere thanks to my internal guide at SCIT, Prof. Sonal Joglekar.

And last but not the least, I would like to express my regard to Mr. ANIL VAIDYA, director of S.C.I.T.

Sincerely,
AVINASH KUMAR
SCIT, PUNE.


Table of Contents

ABSTRACT (page 5)
INTRODUCTION (page 6)
ABOUT INDIAN OIL CORPORATION LIMITED (page 7)
DATA SECURITY (page 11)
CHAPTER 2: ANALYSIS OF WORK DONE (page 13)
STATISTICS ABOUT LEADING CAUSES OF DATA LOSS (page 14)
SECURITY OBJECTIVES (page 18)
DATA SECURITY IN INDIAN OIL CORPORATION LIMITED (page 18)
DIFFERENT WAYS BY WHICH DATA IS PROTECTED IN INDIAN OIL CORPORATION LIMITED (page 19)
MY FINDINGS IN INDIAN OIL CORPORATION, PATNA (page 21)
FINDINGS (page 28)
WHAT SHOULD BE DONE TO PROTECT DATA (page 29)
RECOMMENDATIONS (page 33)
Sources of Awareness Material (page 35)
Chapter 3: Learning experiences on Business / Technology (page 40)
Chapter 4: CONCLUSION (page 44)
BIBLIOGRAPHY (page 51)


ABSTRACT:

While a great deal of attention has been given to protecting companies’ electronic assets from outside threats – from intrusion prevention systems to firewalls to vulnerability management – organizations must now turn their attention to an equally dangerous situation: the problem of data loss from the inside. In fact, in many organizations there’s a gaping hole in the controlled, secure environment created to protect electronic assets. This hole is the now ubiquitous way businesses and individuals communicate with each other – over the Internet. Whether it’s email, instant messaging, webmail, a form on a website, or file transfer, electronic communications exiting the company still go largely uncontrolled and unmonitored on their way to their destinations – with the ever-present potential for confidential information to fall into the wrong hands. Should sensitive information be exposed, it can wreak havoc on the organization’s bottom line through fines, bad publicity, loss of strategic customers, loss of competitive intelligence and legal action.


INTRODUCTION:-

Need for the research

Information is one of an oil company's most important assets. Protection of information assets is necessary to establish and maintain trust between the company and its customers, maintain compliance with the law, and protect the reputation of the institution. Timely and reliable information is necessary to process transactions and to support the company's and its customers' decisions. An oil company's earnings and capital can be adversely affected if information becomes known to unauthorized parties, is altered, or is not available when it is needed. The security of the industry’s systems and information is essential to its safety and soundness and to the privacy of customer information. Security programs must have strong board and senior management level support, integration of security activities and controls throughout the organization’s business processes, and clear accountability for carrying out security responsibilities.

Project Objective

To understand data security: what the consequences are if data has been compromised, the different ways by which data can be leaked or compromised, and the various ways by which data security can be maintained.

An Insight into the Project

Scope of the study:- The assessment performed focused on the external and internal network and application infrastructure and its related systems, and on the Internet portal itself. It was intended to be an overall assessment of the network and of those systems and subnets that fall within the scope of this project.

Research Methodology:- This research work was done first to find out the factors which affect data security and, secondly, on the basis of the survey analysis, to formulate recommendations to improve security levels and protect data.

Sources and tools of data collection:-

a) Primary Data:- The data was gathered through a survey-based research approach with the help of a questionnaire. As the work of writing and asking the questions was carried out by one person only, human error in the recording of responses cannot be totally ruled out.

b) Secondary Data:- The sources of secondary data were the sites mentioned in the bibliography and in the footnotes wherever they are used in this report.


Limitation of the Research:- There were a few limitations in this research work. The sample covers only the INDIAN OIL CORPORATION LIMITED, PATNA office, because of the time span available, so there is a need to increase the sample size to get more concrete results. Another limitation was that I was the only person involved in recording the data; asking the same questions of so many people can therefore introduce some error in the recorded responses, which is called human error.

ABOUT INDIAN OIL CORPORATION LIMITED

IOC (Indian Oil Corporation) was formed in 1964 as the result of the merger of Indian Oil Company Ltd. (Estd. 1959) and Indian Refineries Ltd. (Estd. 1958).

Indian Oil Corporation Ltd. is the highest ranked Indian company in the prestigious Fortune ‘Global 500’. It was ranked at 135th position in 2010. It is also the 20th largest petroleum company in the world.

Indian Oil Corporation Ltd. is currently India's largest company by sales with a turnover of Rs.247,479 crore (US $59.22 billion), and profit of Rs. 6963 crore (US $ 1.67 billion) for fiscal 2010.

Indian Oil and its subsidiaries today account for a 49% petroleum products market share in India.

VISION OF IOCL

A major diversified, transnational, integrated energy company, with national leadership and a strong environment conscience, playing a national role in oil security & public distribution.

MISSION OF IOCL

IOCL has the following mission:

To achieve international standards of excellence in all aspects of energy and diversified business with focus on customer delight through value of products and services and cost reduction.

To maximize creation of wealth, value and satisfaction for the stakeholders.

To attain leadership in developing, adopting and assimilating state-of-the-art technology for competitive advantage.

To provide technology and services through sustained Research and Development.

To foster a culture of participation and innovation for employee growth and contribution.

To cultivate high standards of business ethics and Total Quality Management for a strong corporate identity and brand equity.

To help enrich the quality of life of the community and preserve ecological balance and heritage through a strong environment conscience.

VALUES OF IOCL


Values exist in all organizations and are an integral part of any of them. Indian Oil nurtures a set of core values:

CARE INNOVATION PASSION TRUST

India’s flagship national oil company and downstream petroleum major, Indian Oil Corporation Ltd. (Indian Oil) is celebrating its Golden Jubilee in 2009. It is India's largest commercial enterprise, with a sales turnover of Rs. 2,85,337 crore, the highest ever for an Indian company, and a net profit of Rs. 2,950 crore for the year 2009-10. Indian Oil is also the highest ranked Indian company in the prestigious Fortune 'Global 500' listing, having moved up 11 places to the 105th position in 2009.

India’s Flagship National Oil Company

Incorporated as Indian Oil Company Ltd. on 30th June, 1959, it was renamed Indian Oil Corporation Ltd. on 1st September, 1964 following the merger of Indian Refineries Ltd. (established 1958) with it. Indian Oil and its subsidiaries account for approximately 48% petroleum products market share, 34% national refining capacity and 71% downstream sector pipelines capacity in India. Indian Oil operates the largest and the widest network of petrol & diesel stations in the country, numbering over 18,278. It delivers Indane cooking gas to the doorsteps of over 53 million households in nearly 2,700 markets through a network of about 5,000 Indane distributors. Indian Oil's ISO-9002 certified Aviation Service commands over 63% market share in the aviation fuel business, meeting the fuel needs of domestic and international flag carriers, private airlines and the Indian Defence Services. The Corporation also enjoys a dominant share of the bulk consumer business, including that of railways, state transport undertakings, and industrial, agricultural and marine sectors.

Technology Solutions Provider

Indian Oil's world-class R&D Centre is perhaps Asia's finest. Besides pioneering work in lubricants formulation, refinery processes, pipeline transportation and alternative fuels, the Centre is also the nodal agency of the Indian hydrocarbon sector for ushering in the hydrogen fuel economy in the country. It has set up a commercial Hydrogen-CNG station at an Indian Oil retail outlet in New Delhi this year. The Centre holds 214 active patents, including 113 international patents. To safeguard the interest of its customers, interventions like retail automation, vehicle tracking and marker systems have been introduced to ensure the quality and quantity of petroleum products.

Widening Horizons

To achieve the next level of growth, Indian Oil is currently forging ahead on a well laid-out road map through vertical integration, upstream into oil exploration & production (E&P) and downstream into petrochemicals, and diversification into natural gas marketing, bio fuels and wind power projects, besides globalisation of its downstream operations.


Globalization Initiatives

Indian Oil has set up subsidiaries in Sri Lanka, Mauritius and the United Arab Emirates (UAE), and is simultaneously scouting for new business opportunities in the energy markets of Asia and Africa.

Lanka IOC Plc (LIOC)

Lanka IOC Ltd. operates about 150 petrol & diesel stations in Sri Lanka and has a very efficient lube marketing network. Its major facilities include an oil terminal at Trincomalee, Sri Lanka's largest petroleum storage facility, an 18,000 tonnes per annum capacity lubricants blending plant and a state-of-the-art fuels and lubricants testing laboratory at Trincomalee. Presently, it holds a market share of about 40%. It competes in a highly competitive bunker market, catering to all types of bunker fuels and lubricants at all ports of Sri Lanka, viz., Colombo, Trincomalee and Galle. It is the major supplier of lubricants and greases to the three arms of the Defence services of Sri Lanka. LIOC's market share in petrol stands at 24.8% in 2008, with an overall market share of 16.9%.

Indian Oil (Mauritius) Ltd. (IOML)

Indian Oil (Mauritius) Ltd. has an overall market share of nearly 22% and commands a 35% market share in the aviation fuelling business, apart from its bunkering business. It operates a modern petroleum bulk storage terminal at Mer Rouge port, besides 17 filling stations. In addition to the ongoing expansion of its retail network, IOML has to its credit the first ISO-9001 product-testing laboratory in Mauritius.

Indian Oil Middle-East FZE (IOME)

The Corporation's UAE subsidiary, IOC Middle East FZE, which oversees business expansion in the Middle East, is mainly into blending and marketing of SERVO lubricants and marketing of petroleum products in the Middle East, Africa and CIS countries. Finished lubes were exported to Oman, Qatar, Yemen, Bahrain, UAE and Nepal.

Objectives & Obligations

Objectives:

To serve the national interests in oil and related sectors in accordance and consistent with Government policies.

To ensure maintenance of continuous and smooth supplies of petroleum products by way of crude oil refining, transportation and marketing activities and to provide appropriate assistance to consumers to conserve and use petroleum products efficiently.

To enhance the country's self-sufficiency in crude oil refining and build expertise in laying of crude oil and petroleum product pipelines.


To further enhance marketing infrastructure and reseller network for providing assured service to customers throughout the country.

To create a strong research& development base in refinery processes, product formulations, pipeline transportation and alternative fuels with a view to minimizing/eliminating imports and to have next generation products.

To optimise utilisation of refining capacity and maximize distillate yield and gross refining margin.

To maximise utilisation of the existing facilities for improving efficiency and increasing productivity.

To minimise fuel consumption and hydrocarbon loss in refineries and stock loss in marketing operations to effect energy conservation.

To earn a reasonable rate of return on investment.

To avail of all viable opportunities, both national and global, arising out of the Government of India’s policy of liberalisation and reforms.

To achieve higher growth through mergers, acquisitions, integration and diversification by harnessing new business opportunities in oil exploration & production, petrochemicals, natural gas and downstream opportunities overseas.

To inculcate strong ‘core values’ among the employees and continuously update skill sets for full exploitation of the new business opportunities.

To develop operational synergies with subsidiaries and joint ventures and continuously engage across the hydrocarbon value chain for the benefit of society at large.

Financial Objectives

To ensure adequate return on the capital employed and maintain a reasonable annual dividend on equity capital.

To ensure maximum economy in expenditure.

To manage and operate all facilities in an efficient manner so as to generate adequate internal resources to meet revenue cost and requirements for project investment, without budgetary support.

To develop long-term corporate plans to provide for adequate growth of the Corporation’s business.

To reduce the cost of production of petroleum products by means of systematic cost control measures and thereby sustain market leadership through cost competitiveness.

To complete all planned projects within the scheduled time and approved cost.

Obligations

Towards customers and dealers:- To provide prompt, courteous and efficient service and quality products at competitive prices.

Towards suppliers:- To ensure prompt dealings with integrity, impartiality and courtesy and help promote ancillary industries.


Towards employees:- To develop their capabilities and facilitate their advancement through appropriate training and career planning. To have fair dealings with recognised representatives of employees in pursuance of healthy industrial relations practices and sound personnel policies.

Towards community:- To develop techno-economically viable and environment friendly products. To maintain the highest standards in respect of safety, environment protection and occupational health at all production units.

Towards Defence Services:- To maintain adequate supplies to Defence and other paramilitary services during normal as well as emergency situations.

DATA SECURITY

While a great deal of attention has been given to protecting companies’ electronic assets from outside threats – from intrusion prevention systems to firewalls to vulnerability management – organizations must now turn their attention to an equally dangerous situation: the problem of data loss from the inside. In fact, in many organizations there’s a gaping hole in the controlled, secure environment created to protect electronic assets. This hole is the now ubiquitous way businesses and individuals communicate with each other – over the Internet. Whether it’s email, instant messaging, webmail, a form on a website, or file transfer, electronic communications exiting the company still go largely uncontrolled and unmonitored on their way to their destinations – with the ever-present potential for confidential information to fall into the wrong hands. Should sensitive information be exposed, it can wreak havoc on the organization’s bottom line through fines, bad publicity, loss of strategic customers, loss of competitive intelligence and legal action. Given today’s strict regulatory and ultra-competitive environment, data loss prevention (DLP) is one of the most critical issues facing CIOs, CSOs and CISOs.


Defining the Data Loss Problem:-

The issue of data loss encompasses everything from confidential information about one customer being exposed, to thousands of source code files for a company’s product being sent to a competitor. Whether deliberate or accidental, data loss occurs any time employees, consultants, or other insiders release sensitive data about customers, finances, intellectual property, or other confidential information in violation of company policies and regulatory requirements. With all the avenues available to employees today to electronically expose sensitive data, the scope of the data loss problem is an order of magnitude greater than threat protection from outsiders. Consider the extent of the effort required to cover all the loss vectors an organization has the potential to encounter:

• Data in motion: any data that is moving through the network to the outside via the Internet.
• Data at rest: data that resides in file systems, databases and other storage.
• Data at the endpoint: data at the endpoints of the network (e.g. data on USB devices, external drives, MP3 players, laptops, and other highly mobile devices).

Getting to the Heart of the Matter: Uncontrolled Communications:-

Given the prevalence of electronic communications, data in motion (i.e., data that is travelling through and out of the network) is one of the most significant data loss vectors to address today. For example, an employee sends documents to a personal email address so he or she can work from home. Or a hospital employee accidentally sends patient information to the wrong person. A summer intern unknowingly cuts and pastes confidential product information into a blog entry. There are many avenues by which confidential data or proprietary secrets can leave an organization via the Internet:

• Email
• Webmail
• HTTP (message boards, blogs and other websites)
• Instant messaging
• Peer-to-peer sites and sessions
• FTP


CHAPTER-2

ANALYSIS OF WORK DONE


STATISTICS ABOUT LEADING CAUSES OF DATA LOSS

Despite technological advances in the reliability of magnetic storage media, data loss continues to rise, making data recovery more important than ever. Ontrack engineers have identified three trends that are leading to this increase in lost data.

1. More data is being stored in smaller spaces. Today's hard drives store 500 times the data stored on the drives of a decade ago. Increasing storage capacities amplify the impact of data loss, making mechanical precision more critical.

2. Data has become more mission-critical. Hospital patient records. A graduate school thesis. Personal finance and tax information. Payroll records. Users today are storing more information electronically than ever. The loss of mission-critical data can have staggering financial, legal and productivity ramifications on businesses and home users alike.

3. Backup tools and techniques are not 100% reliable. Most computer users rely on backups as their safety net in the event of data loss (a recommended practice). Ontrack research indicates that 80 percent of its data loss customers regularly back up their data, only to find the backups less than adequate at the critical moment they need to restore them. Backups assume that hardware and storage media are in working order, that the data is not corrupted, and that the backup is recent enough to provide full recovery. In reality, hardware and software do fail, and backups don't always contain current enough data.
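The third trend above is a failure mode that can be checked for rather than assumed. The following added example, which is not code from the report, keeps a manifest of SHA-256 digests and a timestamp for each backup set and reports a restore that is corrupted, incomplete or older than an allowed age, so the problem is found at backup time and not at the moment of restore. File names, contents and the one-day age limit are constructed for the demonstration.

```python
"""Backup verification: per-file SHA-256 digests plus a freshness check.

Added example, not code from the report. It checks two things the report says
backups silently assume: that the stored copy is not corrupted and that it is
recent enough to be useful. File names, contents and the age limit below are
constructed for the demonstration.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(files: dict[str, bytes], taken_at: datetime) -> dict:
    """Record a digest for every file and the time the backup set was taken.

    The manifest is plain JSON so it can be stored beside the backup media.
    """
    return {
        "taken_at": taken_at.isoformat(),
        "files": {name: sha256_hex(data) for name, data in files.items()},
    }


def verify_backup(manifest: dict, restored: dict[str, bytes],
                  now: datetime, max_age: timedelta) -> list[str]:
    """Return the list of problems found; an empty list means the set is usable.

    Every file is checked, so several problems can be reported at once.
    """
    problems = []
    age = now - datetime.fromisoformat(manifest["taken_at"])
    if age > max_age:
        problems.append(f"stale: backup is {age} old, limit is {max_age}")
    for name, expected in manifest["files"].items():
        if name not in restored:
            problems.append(f"missing: {name}")
        elif sha256_hex(restored[name]) != expected:
            problems.append(f"corrupt: {name}")
    for name in restored:
        if name not in manifest["files"]:
            problems.append(f"unexpected: {name}")
    return problems


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a clean restore, a silently corrupted file, a stale set."""
    taken = datetime(2010, 7, 1, 2, 0, tzinfo=timezone.utc)
    files = {  # constructed sample data standing in for the real backup contents
        "payroll.csv": b"emp_id,salary\n1001,45000\n1002,52000\n",
        "patients.db": bytes(range(64)),
    }
    # Round-trip through JSON, as a manifest stored on disk would be.
    manifest = json.loads(json.dumps(make_manifest(files, taken)))
    limit = timedelta(days=1)

    corrupted = dict(files)
    corrupted["payroll.csv"] = b"emp_id,salary\n1001,45000\n1002,5\x00\x00\x00\x00\n"  # media error

    return {
        "good": verify_backup(manifest, files, taken + timedelta(hours=6), limit),
        "corrupt": verify_backup(manifest, corrupted, taken + timedelta(hours=6), limit),
        "stale": verify_backup(manifest, files, taken + timedelta(days=3), limit),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "ok")
```

Running the verification on a schedule against a test restore, rather than only when a disk has already failed, is what turns "we take backups" into "we can restore".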

Leading Causes of Data Loss

Hardware or System Malfunctions (44 percent of all data loss)

Possible symptoms:
• Error message stating the device is not recognized
• Previously accessible data suddenly gone
• Scraping or rattling sound
• Hard drive not spinning
• Computer hard drive doesn't function

Examples:
• Electrical failure
• Head/media crash
• Controller failure

Preventive measures:
• Protect electrical components by using computers in a dry, shaded, dust-free area
• Protect against power surges with an uninterruptible power supply (UPS)
• Do not shake or remove the covers on hard drives or tapes

Human Error (32 percent of all data loss)

Possible symptoms:
• Previously accessible data suddenly gone
• Message similar to "File Not Found"

Examples:
• Accidental deletion or drive format
• Trauma caused by drop or fall

Preventive measures:
• Never attempt any operation, like installations or repairs, with which you don't have experience
• Avoid moving your computer, especially when it's in operation

Software Corruption (14 percent of all data loss)

Possible symptoms:
• System messages relating to memory errors
• Software application won't load
• Error message stating data is corrupted or inaccessible

Examples:
• Corruption caused by diagnostic or repair tools
• Failed backups
• Configuration complexity

Preventive measures:
• Back up data regularly
• Use diagnostic utilities with caution

Computer Viruses (7 percent of all data loss)

Possible symptoms:
• Blank screen
• Strange and unpredictable behavior
• Error message stating "File Not Found"
• Message announcing a virus appears on screen

Examples:
• Boot sector viruses
• File infecting viruses
• Polymorphic viruses

Preventive measures:
• Use a good anti-virus package
• Obtain software from reputable sources
• Scan all incoming data, including packaged software, for viruses

Natural Disasters (3 percent of all data loss)

Possible symptoms:
• While floods and earthquakes have obvious symptoms, brownouts and lightning strikes often leave no clues

Examples:
• Fires
• Floods
• Brownouts

Preventive measures:
• Store tested backups in an off-site location
• Install a UPS
• Don't store critical data in a flood plain

DATA LOSS PREVENTION IS BECOMING MUCH MORE IMPORTANT

MANY ARE UNAWARE OF THE PROBLEMS WITH DATA LOSS

One of the key reasons that organizations have not yet deployed data loss prevention (DLP) systems is that many decision makers are not aware of the potential risks they face, nor might they be aware of the data breach examples in their own industries. For example:


• Employees will often accidentally send confidential data in an email, such as credit card numbers, Social Security numbers or other confidential information, without realizing that the data needs to be encrypted during transmission.

• There are many cases in which confidential data, unbeknownst to the sender, is buried in an email thread that is forwarded to others.

• Email is sometimes sent to the wrong person, often resulting in the leak of confidential information.

• Some employees will send confidential data via personal Webmail accounts to others or to themselves, to avoid file size limitations on attachments or so that they can work on documents at home.

• Web 2.0 applications represent a significant potential for data loss. For example, MySpace, Facebook and other social networking sites have been on the receiving end of healthcare-related data. Hidden malware installed on endpoints has harvested personal information like credit card numbers and quietly uploaded this content via HTTP/HTTPS.
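The first three cases above (card numbers sent in clear, confidential data buried in a forwarded thread, mail to the wrong person) are what a data-in-motion control inspects for before a message leaves. The following added example, which is not code from the report or from any DLP product, scans the whole body of an outbound message, quoted thread included, for payment card numbers, using the Luhn check digit so that order and tracking numbers of similar length are not flagged. The messages and the block/allow policy are constructed for the demonstration; the report also mentions Social Security numbers, which have no check digit and are not covered here.

```python
"""Outbound e-mail scan for payment card numbers: a data-in-motion check.

Added example, not code from the report or from any DLP product. It scans the
full body of a message, quoted/forwarded thread included, and uses the Luhn
check digit to tell real card numbers from other 13-19 digit strings such as
order or tracking numbers. The messages and the policy below are constructed.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes,
# and not part of a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check: from the right, double every second digit (subtract 9 if the
    result exceeds 9); the sum of all digits must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the digit-only form of every Luhn-valid candidate found in text."""
    hits = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep only the last four digits in alerts, so the alert log is not a second leak."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_outbound(message: dict) -> dict:
    """Constructed policy: block any message that carries a card number, otherwise allow."""
    hits = find_card_numbers(message["body"])
    return {
        "to": message["to"],
        "action": "block" if hits else "allow",
        "hits": [mask(h) for h in hits],
    }


# Constructed messages; the card numbers are well-known test numbers, not real accounts.
MESSAGES = [
    {"to": "refunds@example.com",
     "body": "Hi, please process the refund. Card: 4111 1111 1111 1111, exp 12/12."},
    {"to": "friend@webmail.example",
     "body": ("FYI\n\n-----Original Message-----\nFrom: sales\n"
              "Order 1234567890123456 is shipped. Customer paid with 5555-5555-5555-4444.")},
    {"to": "team@example.com",
     "body": "Meeting at 3pm, see ticket 20100729123456 for the agenda."},
]


def demo() -> list[dict]:
    return [scan_outbound(m) for m in MESSAGES]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The second message shows why the check digit matters: the 16-digit order number in the forwarded text fails Luhn and is ignored, while the card number further down the thread is caught even though the sender never typed it.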

Organizations that do not properly address data loss can suffer a variety of problems, including:

Loss of intellectual property

Email systems, file transfer systems, instant messaging systems, blogs, wikis, Web tools, Thumb drives and other tools can be used to send confidential information in violation of corporate policy, common sense and the law. The result is that trade secrets, designs, proprietary processes and other knowledge assets can all be compromised if not adequately protected.

Loss of reputation

If an electronic communication system is used in violation of corporate policy, an organization can suffer serious damage to its reputation.

Harmful legal judgments

Unfettered use of email by employees can lead to significant and adverse legal judgments. For example, several years ago employees of British insurance company Norwich Union sent rumors using the corporate email system that falsely claimed that a competitor, Western Provident Association, was undergoing a government investigation and was experiencing financial problems. After Western Provident filed suit, Norwich Union publicly apologized for its employees’ behavior and paid a judgment of £450,000 (~US$780,000) in court costs and damages.

Compromise of corporate security

A failure to properly monitor outbound communications can lead to a variety of security-related problems, including compromised PCs acting as zombies for sending spam and consumer instant messaging clients that can spread worms and malware. There are a variety of tools commonly used in the workplace that bypass conventional security defenses, including Skype, peer-to-peer file-sharing software and chat tools.

SECURITY OBJECTIVES:- Information security enables an organization to meet its business objectives by implementing business systems with due consideration of information technology (IT)-related risks to the organization, business and trading partners, technology service providers, and customers. Organizations meet this goal by striving to accomplish the following objectives.

Availability—the ongoing availability of systems addresses the processes, policies, and controls used to ensure authorized users have prompt access to information. This objective protects against intentional or accidental attempts to deny legitimate users access to information or system.

Integrity of Data or Systems—System and data integrity relate to the processes, policies, and controls used to ensure information has not been altered in an unauthorized manner and that systems are free from unauthorized manipulation that will compromise accuracy, completeness, and reliability.

Confidentiality of Data or Systems—Confidentiality covers the processes, policies, and controls employed to protect information of customers and the institution against unauthorized access or use.

Accountability—Clear accountability involves the processes, policies, and controls necessary to trace actions to their source. Accountability directly supports non-repudiation, deterrence, intrusion prevention, security monitoring, recovery, and legal admissibility of records.

Assurance—Assurance addresses the processes, policies, and controls used to develop confidence that technical and operational security measures work as intended. Assurance levels are part of the system design and

DATA SECURITY IN INDIAN OIL CORPORATION LIMITED:-Information system department is responsible for all the I.T related services in “INDIAN OIL CORPORATION LIMITED”. As we INDIAN OIL CORPORATION LIMITED comes in NAVRATAN INDUSTRIES of Indian government. So, data security is very important in

DATA SECURITY Page 18

Page 19: COLLEGE INTERNS REPORT

INDIAN OIL CORPORATION LIMITED. The hierarchy of information system department is like:-

Manager (Information Systems)

Assistant Manager (I.S.)

Information System Officer

DIFFERENT WAYS BY WHICH DATA IS PROTECTED IN “INDIAN OIL CORPORATION LIMITED”:-

PASSWORD PROTECTION- All employees of the organisation use eight-character passwords. If an employee forgets his password, the Information Systems department resets it and asks the employee to change the default password.

ANTI-VIRUS SOFTWARE- At INDIAN OIL CORPORATION LIMITED PATNA the anti-virus product used is Symantec, version 11.0.4, and its definitions are regularly updated.

Responding to security incidents and malfunctions- A formal reporting procedure exists, to report security incidents through appropriate management channels as quickly as possible. A formal reporting procedure or guideline exists for users, to report security weakness in, or threats to, systems or services.

Disciplinary process - there is a formal disciplinary process in place for employees who have violated organisational security policies and procedures. Such a process can act as a deterrent to employees who might otherwise be inclined to disregard security procedures.

Physical Security Perimeter - a physical border security facility has been implemented to protect the information processing service. Some examples of such facilities are card-controlled entry gates, walls, a manned reception, etc.

Physical entry Controls- entry controls are in place to allow only authorised personnel into various areas within organisation. The rooms, which have the Information processing service, are locked or have lockable cabinets or safes.

Equipment siting protection - the equipment is located in an appropriate place to minimise unnecessary access into work areas. Items requiring special protection are isolated to reduce the general level of protection required.

Cabling Security - the power and telecommunications cable carrying data or supporting information services are protected from interception or damage.


Clear Desk and clear screen - automatic computer screen locking facility is enabled. This would lock the screen when the computer is left unattended for a period.

Control against malicious software - Controls against malicious software are in place. The security policy addresses software licensing issues such as prohibiting the use of unauthorised software. A procedure exists to verify that all warning bulletins are accurate and informative with regard to malicious software. All traffic originating from untrusted networks into the organisation is checked for viruses. Example: checking for viruses in email, email attachments, web and FTP traffic.

Information back-up - Backups of essential business information such as the production server, critical network components and device configuration are taken regularly. Example: Mon-Thu: incremental backup; Fri: full backup. The backup media, along with the procedure to restore from them, are stored securely and well away from the actual site. The backup media are regularly tested to ensure that they can be restored within the time frame allotted in the operational procedure for recovery.
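The rotation described above (Mon-Thu incremental, Fri full) only proves itself when a restore is actually attempted and compared against a record of what was backed up. The following Python is an added example, not part of the original report and not IOCL's backup procedure: each backup writes a SHA-256 manifest, an incremental run archives only files whose digest changed since the previous manifest, restore() replays the full archive followed by the incrementals into a fresh directory, and verify_restore() reports any file that is missing or differs from the manifest. The paths, file names and contents used by run_demo() are constructed for the demonstration.

```python
"""Full/incremental backup with a SHA-256 manifest and a restore check.

Added example for this report; not IOCL's procedure. Paths and contents
used by run_demo() are constructed for the demonstration.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(src: Path, dest: Path, label: str, kind: str, manifest: Path) -> tuple:
    """Write <label>-<kind>.tar.gz into dest and refresh the manifest.

    kind == "full": archive every file.
    kind == "incremental": archive only files whose digest differs from the
    manifest left by the previous backup (deletions are not tracked here).
    Returns (archive_path, sorted list of archived relative paths).
    """
    if kind not in ("full", "incremental"):
        raise ValueError(f"unknown backup kind: {kind}")
    previous = {}
    if kind == "incremental" and manifest.exists():
        previous = json.loads(manifest.read_text())
    current = snapshot(src)
    changed = {rel: h for rel, h in current.items() if previous.get(rel) != h}
    archive = dest / f"{label}-{kind}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for rel in changed:
            tar.add(src / rel, arcname=rel)
    # The manifest is what a later restore is checked against; it belongs
    # with the media, off-site, as the report's own procedure requires.
    manifest.write_text(json.dumps(current, indent=1, sort_keys=True))
    return archive, sorted(changed)


def restore(archives: list, target: Path) -> None:
    """Replay the full archive, then each incremental in order (later wins)."""
    target.mkdir(parents=True, exist_ok=True)
    # The "data" extraction filter (Python 3.12; backported to 3.8.17+,
    # 3.9.17+, 3.10.12+, 3.11.4+) rejects absolute paths and ".." members,
    # so a tampered tape cannot write outside the restore directory.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    for archive in archives:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(target, **extra)


def verify_restore(target: Path, manifest: Path) -> list:
    """Relative paths whose restored content is missing or differs from the manifest."""
    expected = json.loads(manifest.read_text())
    actual = snapshot(target)
    return sorted(rel for rel, h in expected.items() if actual.get(rel) != h)


def run_demo() -> dict:
    """Friday full, Monday incremental, restore, verify, then simulate bad media."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, dest, restored = root / "server", root / "backups", root / "restored"
        (src / "config").mkdir(parents=True)
        dest.mkdir()
        (src / "config" / "router.cfg").write_text("hostname depot-rtr\n")  # constructed
        (src / "sales.db").write_text("record-1\nrecord-2\n")              # constructed
        manifest = dest / "manifest.json"
        full, full_files = backup(src, dest, "fri", "full", manifest)
        (src / "sales.db").write_text("record-1\nrecord-2\nrecord-3\n")    # Monday change
        incr, incr_files = backup(src, dest, "mon", "incremental", manifest)
        restore([full, incr], restored)
        clean = verify_restore(restored, manifest)
        (restored / "sales.db").write_text("record-1\n")                   # simulate corrupt media
        corrupt = verify_restore(restored, manifest)
        return {"full_files": full_files, "incremental_files": incr_files,
                "mismatches": clean, "mismatches_after_corruption": corrupt}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

A restore test that stops at "the tar extracted without error" would have passed the corrupted-media case above; only the digest comparison against the manifest catches it, which is why the manifest must be kept off-site with the media rather than only on the server being backed up.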

Fault Logging - faults are reported and well managed. This includes corrective action being taken, review of the fault logs and checking the actions taken.

Network Controls - effective operational controls such as separate network and system administration facilities were established where necessary. Responsibilities and procedures for the management of remote equipment, including equipment in user areas, were established. Special controls exist to safeguard the confidentiality and integrity of data passing over public networks and to protect the connected systems. Example: Virtual Private Networks and other encryption and hashing mechanisms.

Management of removable computer media - a procedure exists for the management of removable computer media such as tapes, disks, cassettes, memory cards and reports.

Security of Electronic mail - a policy is in place for the acceptable use of electronic mail, and the security policy addresses the issues arising from the use of electronic mail. Controls such as antivirus checking, isolating potentially unsafe attachments, spam control and anti-relaying are in place to reduce the risks created by electronic mail.

Access Control Policy - the business requirements for access control have been defined and documented. The Access control policy address the rules and rights for each user or a group of user. The users and service providers were given a clear statement of the business requirement to be met by access controls.


Monitoring system use - Procedures are set up for monitoring the use of information processing facility. The procedure should ensure that the users are performing only the activities that are explicitly authorised.

Protection of system test data - system test data is protected and controlled. The use of operational database containing personal information should be avoided for test purposes. If such information is used, the data should be depersonalised before use.

MY FINDINGS IN INDIAN OIL CORPORATION –PATNA

METHOD USED IN FINDINGS:- I made a survey on I.T SECURITY using questionnaires. There are some graphs by which I made an analysis.

Name :

Designation :

Department :

Date :

Questionnaire on Data Security in Indian Oil Corporation Limited [Please put a tick mark (√) on the relevant answer]

1 Are you aware of your Active Directory Login ID and Password? YES / NO
  If Yes,
1a Do you regularly change your Password? YES / NO
1b Do you share your User ID and Password? YES / NO
1c Does your Active Directory Login "Lock Out" after a pre-determined number of failed login attempts? YES / NO
1d Are you aware of the access rights in your Active Directory Login? YES / NO

2 Are you aware of Anti-Virus Software? YES / NO
  If Yes,
2a Do you know which Anti-Virus Software is being used in your Organization? YES / NO
2b Does your system's Anti-Virus have the latest definition update? YES / NO

3 Do you have a SAP ID? YES / NO
  If Yes,
3a Are you aware of the access / transaction rights given to you? YES / NO
3b Do you regularly change your Password? YES / NO
3c Do you share your SAP User ID and Password with anyone else in the organization? YES / NO
3d Are you aware of the implications of sharing your SAP User ID and Password? YES / NO

4 Do you regularly use email for official communication? YES / NO
  If Yes,
4a Do you use your corporate e-mail system for your official communication? YES / NO
4b Do you also use Gmail, Rediffmail or Hotmail for official communication? YES / NO
4c Do you send sensitive official data through a non-official email ID such as Gmail or Rediffmail? YES / NO
4d Does anyone other than you also access your email? YES / NO
4e Are you aware of the problems of unauthorised use of the email system? YES / NO
4f Do you access your official email from the Internet? YES / NO
4g Do you have the same password for two mail accounts? YES / NO

5 Are you concerned about your Data? YES / NO
6 Can you differentiate between Critical Data and Non-Critical Data? YES / NO
7 Do you use a USB drive in the office and use the same outside? YES / NO
8 If you receive an e-mail from an unknown person with an attachment, will you open that attachment? YES / NO
9 Do you know about the "Disaster Recovery Plan" of your organisation? YES / NO
10 Do you know about Phishing? YES / NO
11 Do you know about "Social Engineering"? YES / NO
12 Have you heard about "Data Security"? YES / NO
13 If Yes, have you heard about any data security standards? Name one: ……………………………………………………….. YES / NO
14 Have you ever attended a seminar on data security? YES / NO

In total I took 30 samples in INDIAN OIL CORPORATION LIMITED-PATNA. On the basis of these I produced the graphs.

This graph shows that many employees were not even aware of their active directory login id and password.


FINDINGS:- LACK OF I.T SECURITY AWARENESS:- Many employees in Indian Oil Corporation Limited were not aware of I.T SECURITY. Many of them are not aware of threats like phishing and social engineering.

PASSWORD MANAGEMENT:- The passwords used by employees in the organisation are eight characters long, but they are not required to be a combination of letters, numbers and symbols. This makes it easier for a hacker to guess or crack them.
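To make the finding concrete, the following Python is an added example (not part of the original report and not IOCL's actual password policy) of the check a domain or application would apply when a password is set, together with the keyspace arithmetic behind "easy to crack": eight lowercase letters give 26^8, roughly 2×10^11 possibilities, while eight characters drawn from four classes give 94^8, roughly 6×10^15. The common-password list is a constructed stand-in for a real breached-password dictionary, and the 10^9 guesses-per-second rate is an assumed offline cracking speed, not a measured one.

```python
"""Password policy check and the keyspace arithmetic behind the finding above.

Added example; not IOCL's policy. COMMON_PASSWORDS is a constructed stand-in
for a real breached-password list.
"""
import math
import re
import string

MIN_LENGTH = 8
MIN_CLASSES = 3                         # of lower / upper / digit / symbol
COMMON_PASSWORDS = {"password", "12345678", "qwerty12", "welcome1", "patna123"}
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10,
               "symbol": len(string.punctuation)}   # 32 printable ASCII symbols


def character_classes(pw: str) -> set:
    classes = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def check_password(pw: str) -> list:
    """Return policy violations as short codes; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too_short")
    if len(character_classes(pw)) < MIN_CLASSES:
        problems.append("too_few_classes")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("common")
    if re.search(r"(.)\1\1", pw):       # runs such as "aaa" or "111"
        problems.append("repeated_chars")
    return problems


def keyspace_bits(pw: str) -> float:
    """log2 of the brute-force keyspace for this password's length and classes."""
    if not pw:
        return 0.0
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(pw))
    return len(pw) * math.log2(alphabet)


def seconds_to_exhaust(pw: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to try every password of the same length and classes.

    1e9 guesses/s is an assumed offline cracking rate, not a measured one.
    """
    return 2 ** keyspace_bits(pw) / guesses_per_second


if __name__ == "__main__":
    for candidate in ("patnaoil", "Pt7!na#Oi", "12345678"):
        print(candidate, check_password(candidate),
              f"{keyspace_bits(candidate):.1f} bits",
              f"{seconds_to_exhaust(candidate):,.0f} s to exhaust")
```

The arithmetic only measures resistance to exhaustive search; a dictionary word with a digit appended falls to a wordlist attack long before its keyspace is exhausted, which is why the common-password check sits alongside the class count and why the eight-character minimum should be treated as a floor rather than a target.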

USE OF COMMUNICATION MEDIUM:- INDIAN OIL CORPORATION LIMITED- PATNA OFFICE uses LOTUS as its mailing portal, but some employees use mailing systems like Gmail, Rediffmail and Yahoo Mail as their mailing medium. This activity broadens the chance of data loss.

DISPOSAL OF MEDIA :- The media that are no longer required are not disposed of securely and safely. They are simply set aside.

ACCESS CONTROL POLICY:- The Access control policy does address the rules and rights for each user or group of users, but it is not strictly implemented.

DIGITAL SIGNATURE:- Digital signatures were not used to protect the authenticity and integrity of electronic documents.

DISASTER RECOVERY PLAN:- Many employees were not aware of the disaster recovery plan of the organisation. They don’t know whom to consult at the time of disaster.

WHAT SHOULD BE DONE TO PROTECT DATA:-

STEP-1 UNDERSTAND HOW SERIOUS THE PROBLEM IS:- The first step that decision makers may want to take to solve the data breach problem is to audit the current state of electronic communication and file management in the organization. Doing so will reveal the extent of the risks that the organization faces and will make the problem concrete for IT management as well as for senior line-of-business decision makers. In many cases this will help an organization realize that the risks it faces are not merely potential, theoretical problems but a real and present business danger that it must address. While this is not always a necessary step, given the abundance of evidence that exists for the data breach problem, some organizations may need it in order to convince senior managers of the extent of their own organization’s problems.

Audits of communication and file management tools can be conducted in a variety of ways. For example:

Monitoring tools can be used to archive email communication, instant messages, blog posts and other employee communications. Searches can then be conducted on this content to look for credit card numbers, Social Security numbers, emails that are sent to competitors’ domains, specific violations of statutes or corporate policies and other information.

Another method is to draw a random sample of emails and then search the content for similar types of information. The purpose of such an audit is to identify and to quantify the problem of unmanaged communication so that senior management, legal counsel, HR and others can understand the extent of the risk the organization faces.


STEP-2 ESTABLISH POLICIES FOCUSED ON STOPPING BREACHES:- After the audit has been completed and digested by senior managers, an organization should establish very detailed and thorough corporate policies that focus on all of the issues related to the use of electronic communication and file management capabilities, including:

Appropriate and inappropriate use of email by employees and what constitutes inappropriate use. This should include not only the content of emails, but also parties to whom email should not be sent, the types of content that should be encrypted, how email should be used on mobile devices, whether or not email should be checked from home, and so forth.

The extent to which corporate systems may be employed for personal use.

Use of personal Webmail accounts over company-owned networks and/or use of these accounts during work hours.

The types of information that should be sent through various media.

The types of communications that constitute business records, how long business records should be preserved, and when and how they should be deleted.

Limits on the type of tools that may be used. For example, a company may want to prevent the installation and use of consumer-oriented instant messaging clients, or it may want to limit use to a particular client.

Organizations must understand any regulations that govern monitoring polices, particularly in countries that place restriction on how monitoring practices may be carried out.

STEP-3 DEPLOY RIGHT TOOLS:- The critical next step is to deploy the technologies that will enforce the corporate policies that have been established. While policies are necessary to establish what an organization needs to protect, they will be ineffective at solving all of the data breach problems an organization might experience.

Identify the leak points - Focus on the potential leak points that are important to the organization, including email, instant messaging systems, Web-based systems, removable storage, laptops, FTP systems and other potential sources of data leaks.

Include capabilities to meet current and future requirements - It is important to deploy a technology that will meet the large and growing number of potential data leaks an organization might encounter. This includes inspecting for file metadata, industry-specific keywords and phrases, regular expressions (e.g., email).

Deploy systems that will take appropriate action - Based on the suspected level of data breach, the systems that monitor outbound communication should take the appropriate action. For example, an employee’s instant message that contains what looks like a Social Security number may warrant nothing more than a popup window on the sender’s display that reminds them of a corporate policy against sending this information through an instant messaging client. On the other hand, an email that contains an attachment with proprietary information sent through an employee’s personal Webmail account may warrant immediate redirection of the message to a compliance officer or supervisor for further review before the message is sent. In short, suspected data breaches should trigger only the appropriate actions: discarding messages, quarantining them for further review, copying them to a supervisor, requiring encryption, archiving them, etc. Incident management is a key component of any system, since each suspected data breach should be handled with the right level of enforcement. For example, in a large organization it would be impractical to route every suspect email to a compliance officer or supervisor for review.

Promote appropriate employee handling of data - For example, if an employee sends an inappropriate message to a co-worker or a confidential document to a competitor’s domain, a monitoring system should remind employees of corporate policies that may exist regarding the appropriateness of the communications vehicle they have chosen or other corporate policies. Copying of sensitive documents to removable storage devices should be monitored because of the high risk of data theft from these devices.

Perform the appropriate level of inspection - Based on corporate policies, the role of the employee in the organization and other factors, content should be inspected according to the appropriate policies. For example, certain employees may require different levels of outbound content inspection and data retention than others: a broker/dealer’s email to a client may trigger a different set of policies compared to a clerical staff member’s email to the same client. Certain recipients of an email may trigger different policies based on the company’s history with those recipients. A CEO’s email to an external auditor should trigger different inspection and retention requirements than those triggered by a marketing staff member’s email. It is important to expend the appropriate level of computing resources necessary to satisfy corporate and other policies in order to maximize the performance of electronic communication and management systems. For example, performing very deep content inspection on every message that flows through the corporate network is simply not necessary in many cases. However, inspecting content flowing through key threat vectors, such as removable storage or encrypted Webmail channels, is critical.

Train and make employees aware of corporate policies - Employees should receive regular training on corporate policies and good data management practices and should continually be made aware of appropriate ways to send information.

Implement forensics capabilities - Organizations may want to implement forensics capabilities in order to check on how data has been handled after it has been sent, either for legal purposes or simply to understand how their data is being managed. The ability to learn how outbound content was sent and processed is in many cases just as important as monitoring this content before it is sent. It is also useful to retain copies of the actual emails, attachments, or files being copied to USB devices.

Implement a sender authentication scheme - While not an outbound content scanning mechanism, it is important for any organization to implement an authentication mechanism such as SPF or DKIM, so that recipients of its emails are given some level of assurance that the sending organization is genuine.

Tight integration with existing infrastructure - In order to reduce costs, organizations should consider solutions that are well integrated with their IT infrastructure whenever possible. This approach will also speed implementation and lower ongoing administration costs.
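The audit in Step 1 (searching sampled traffic for card numbers, Social Security numbers and competitor domains) and the tiered enforcement in Step 3 (popup reminder, quarantine for compliance review, or discard) use the same inspection logic. The following Python is an added example that serves both passages; it is not part of the original report, not a product, and not IOCL's configuration. Card numbers are matched as 13-19 digit runs that pass the Luhn check, which rejects most invoice and telephone numbers; the competitor and webmail domains, the corporate domain, every address and every message body are constructed for the demonstration, and "confidential" in an attachment name stands in for whatever classification marking an organisation actually uses.

```python
"""Outbound content inspection with tiered actions (Steps 1 and 3 above).

Added example for this report; not a product and not IOCL's configuration.
Domains, addresses and message bodies are constructed for the demonstration.
"""
import re
from collections import Counter

COMPETITOR_DOMAINS = {"rival-petro.test"}                      # assumed
PERSONAL_WEBMAIL = {"gmail.com", "rediffmail.com", "yahoo.com", "hotmail.com"}

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation: card numbers pass, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def inspect(msg: dict) -> tuple:
    """Return (action, findings). Actions escalate: allow < warn < quarantine < block."""
    findings = []
    if find_card_numbers(msg["body"]):
        findings.append("card-number")
    if SSN.search(msg["body"]):
        findings.append("ssn")
    if any("confidential" in name.lower() for name in msg.get("attachments", [])):
        findings.append("confidential-attachment")
    domains = {addr.rsplit("@", 1)[1].lower() for addr in msg["to"]}
    to_competitor = bool(domains & COMPETITOR_DOMAINS)
    via_webmail = msg["channel"] == "webmail" or bool(domains & PERSONAL_WEBMAIL)

    if to_competitor and findings:
        return "block", findings        # discard; copy to compliance officer
    if via_webmail and (findings or msg.get("attachments")):
        return "quarantine", findings   # hold for supervisor/compliance review
    if findings:
        return "warn", findings         # popup reminder of policy; message proceeds
    return "allow", findings


def audit(messages: list) -> dict:
    """Step 1: summarise how a sample of captured traffic would be classified."""
    return dict(Counter(inspect(m)[0] for m in messages))


# Constructed sample traffic (not real messages).
SAMPLE_MESSAGES = [
    {"channel": "im", "from": "employee@iocl-example.test", "to": ["colleague@iocl-example.test"],
     "body": "his SSN is 123-45-6789, please update the record", "attachments": []},
    {"channel": "webmail", "from": "employee@gmail.com", "to": ["friend@gmail.com"],
     "body": "sending the depot figures from home", "attachments": ["depot-stock-CONFIDENTIAL.xls"]},
    {"channel": "email", "from": "employee@iocl-example.test", "to": ["tender@rival-petro.test"],
     "body": "card 4111 1111 1111 1111 for the booking", "attachments": []},
    {"channel": "email", "from": "employee@iocl-example.test", "to": ["vendor@supplier.test"],
     "body": "invoice no 2010073112 received, call 0612-2234567", "attachments": ["invoice.pdf"]},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["channel"], msg["to"], inspect(msg))
    print(audit(SAMPLE_MESSAGES))
```

The fourth message shows why the Luhn check matters in practice: an invoice number and a telephone number are digit runs too, and without the checksum they would land in the quarantine queue that the text warns will swamp a compliance officer in a large organisation. The same inspect() function run over an archived sample is the Step 1 audit; run inline on outbound mail it is the Step 3 enforcement point.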

WHO ARE THE ENEMIES OF DATA SECURITY

HACKERS - This generic and often over-romanticized term applies to computer enthusiasts who take pleasure in gaining access to other people’s computers or networks. Many hackers are content with simply breaking in and leaving their “footprints,” which are joke applications or messages on computer desktops. Other hackers, often referred to as “crackers,” are more malicious, crashing entire computer systems, stealing or damaging confidential data, defacing Web pages, and ultimately disrupting business. Some amateur hackers merely locate hacking tools online and deploy them without much understanding of how they work or their effects.

UNAWARE STAFF - As employees focus on their specific job duties, they often overlook standard network security rules. For example, they might choose passwords that are very simple to remember so that they can log on to their networks easily. However, such passwords might be easy to guess or crack by hackers using simple common sense or a widely available password cracking utility. Employees can unconsciously cause other security breaches, including the accidental contraction and spreading of computer viruses. One of the most common ways to pick up a virus is from a floppy disk or by downloading files from the Internet. Employees who transport data via floppy disks can unwittingly infect their corporate networks with viruses they picked up from computers in copy centres or libraries. They might not even know that viruses are resident on their PCs. Corporations also face the risk of infection when employees download files, such as PowerPoint presentations, from the Internet. Companies must also be wary of human error. Employees, whether they are computer novices or computer savvy, can make mistakes such as incorrectly installing virus protection software or overlooking warnings regarding security threats.

DISGRUNTLED STAFF- Far more unsettling than the prospect of employee error causing harm to a network is the potential for an angry or vengeful staff member to inflict damage. Angry employees, often those who have been reprimanded, fired, or laid off, might vindictively infect their corporate networks with viruses or intentionally delete crucial files. This group is especially dangerous because it is usually far more aware of the network, the value of the information within it, where high-priority information is located, and the safeguards protecting it.

SNOOPS - Whether content or disgruntled, some employees might also be curious or mischievous. Employees known as “snoops” partake in corporate espionage, gaining unauthorized access to confidential data in order to provide competitors with otherwise inaccessible information. Others are simply satisfying their personal curiosity by accessing private information, such as financial data, a romantic e-mail correspondence between co-workers, or the salary of a colleague. Some of these activities might be relatively harmless, but others, such as previewing private financial, patient, or human resources data, are far more serious, can be damaging to reputations, and can cause financial liability for a company.

RECOMMENDATIONS:-

SOME IMPORTANT TIPS THAT CAN BE USED:

Encourage or require employees to choose passwords that are not obvious.

Require employees to change passwords every 90 days.

Make sure your virus protection subscription is current.

Educate employees about the security risks of e-mail attachments.

Implement a complete and comprehensive network security solution.

Assess your security posture regularly.

When an employee leaves the company, remove that employee’s network access immediately.

If you allow people to work from home, provide a secure, centrally managed server for remote traffic.

Update your Web server software regularly.

Do not run any unnecessary network services.

NETWORK SECURITY:- The network connected to the Internet is protected by a firewall.

All dial-in access into the internal network is properly controlled with authentication and logging.

Administration of network components is done by authorised staff only.

Controls are placed on the use of network resources such as file sharing and printing, so that only authorised and authenticated users can use them.

The organisation implements encryption to protect information on handheld devices.

The organisation implements VPN software on handheld devices for remote network connections.

Unapproved software and applications should be removed.

Do Not Auto-Connect to Open Wi-Fi Networks- Connecting to an open Wi-Fi network such as a free wireless hotspot or your neighbour’s router exposes your computer to security risks. Although not normally enabled, most computers have a setting available allowing these connections to happen automatically without notifying you (the user). This setting should not be enabled except in temporary situations.

Developing an Awareness and Training Strategy and Plan: - Completion of the needs assessment allows an agency to develop a strategy for developing, implementing, and maintaining its IT security awareness and training program. The strategy and plan should address:

Existing national and local policy that requires the awareness and training to be accomplished;

Scope of the awareness and training program;

Roles and responsibilities of agency personnel who should design, develop, implement, and maintain the awareness and training material, and who should ensure that the appropriate users attend or view the applicable material;

Goals to be accomplished for each aspect of the program (e.g., awareness, training, education, professional development [certification]);

Target audiences for each aspect of the program;

Mandatory (and, if applicable, optional) courses or material for each target audience;

Learning objectives for each aspect of the program;

Topics to be addressed in each session or course;

Deployment methods to be used for each aspect of the program;

Documentation, feedback, and evidence of learning for each aspect of the program;

Evaluation and update of material for each aspect of the program.

Establishing Priorities: - Once the security awareness and training strategy and plan have been finalized, an implementation schedule must be established. If this needs to occur in phases (e.g., due to budget constraints and resource availability), it is important to decide the factors to be used in determining which initiative to schedule first and in what sequence. Key factors to consider are:

Availability of Material/Resources—if awareness and training material and necessary resources are readily available, key initiatives in the plan can be scheduled early. However, if course material must be developed and/or instructors must be identified and scheduled, these requirements should be considered in setting priorities.

Role and Organizational Impact—It is very common to address priority in terms of organizational role and risk. Broad-based awareness initiatives that address the enterprise wide mandate may receive high priority because the rules of good security practices can be delivered to the workforce quickly. Also, it is common to look at high trust/high impact positions (e.g., IT security program managers, security officers, system administrators, and security administrators whose positions in the organization have been determined to have a higher sensitivity) and ensure that they receive high priority in the rollout strategy. These types of positions are typically commensurate with the type of access (and to what system) these users possess.

State of Current Compliance – This involves looking at major gaps in the awareness and training program (e.g., gap analysis) and targeting deficient areas for early rollout.

Critical Project Dependencies – If there are projects dependent upon a segment of security training in order to prepare the necessary requirements for the system involved.

Funding the Security Awareness and Training Program: - Approaches used to express the funding requirement may include:

Percent of overall training budget;

Allocation per user by role (e.g., training for key security personnel and system administrators will be more costly than general security training for those in the organization not performing security-specific functions);

Percent of overall IT budget.

Sources of Awareness Material

There are a variety of sources of material on security awareness that can be incorporated into an awareness program. The material can address a specific issue, or in some cases, can describe how to begin to develop an entire awareness program, session, or campaign. Sources of timely material may include:

E-mail advisories issued by industry-hosted news groups, academic institutions, or the organization’s IT security office;

Professional organizations and vendors;

Online IT security daily news websites;

Periodicals; and

Conferences, seminars, and courses.

A CHECKLIST THAT SHOULD BE USED TO PROTECT DATA:-


Information security policy document:- Whether there exists an Information security Policy, which is approved by the management, published and communicated as appropriate to all employees. Whether it states the management commitment and set out the organisational approach to managing information security.

Review and evaluation:- Whether the Security policy has an owner, who is responsible for its maintenance and review according to a defined review process. Whether the process ensures that a review takes place in response to any changes affecting the basis of the original assessment, example: significant security incidents, new vulnerabilities or changes to organisational or technical infrastructure.

Identification of risks from third party:- Whether risks from third party access are identified and appropriate security controls implemented. Whether the types of access are identified and classified and the reasons for access are justified. Whether security risks with third party contractors working onsite were identified and appropriate controls implemented.

Security requirements in outsourcing contracts:- Whether security requirements are addressed in the contract with the third party, when the organisation has outsourced the management and control of all or some of its information systems, networks and/ or desktop environments. The contract should address how the legal requirements are to be met, how the security of the organisation’s assets are maintained and tested, and the right of audit, physical security issues and how the availability of the services is to be maintained in the event of disaster.

Inventory of assets:- Whether an inventory or register is maintained with the important assets associated with each information system. Whether each asset identified has an owner, the security classification defined and agreed and the location identified.

Classification guidelines:- Whether there is an Information classification scheme or guideline in place; which will assist in determining how the information is to be handled and protected.

Information labelling and handling:- Whether an appropriate set of procedures are defined for information labelling and handling in accordance with the classification scheme adopted by the organisation.

Including security in job responsibilities:- Whether the security roles and responsibilities laid down in the Organisation’s information security policy are documented where appropriate. This should include general responsibilities for implementing or maintaining the security policy as well as specific responsibilities for the protection of particular assets, or for the execution of particular security processes or activities.

Personnel screening and policy:- Whether verification checks on permanent staff were carried out at the time of job applications. This should include character reference, confirmation of claimed academic and professional qualifications and independent identity checks.


Confidentiality agreements:- Whether employees are asked to sign Confidentiality or non-disclosure agreement as a part of their initial terms and conditions of the employment. Whether this agreement covers the security of the information processing facility and organisation assets.

Terms and conditions of employment:- Whether terms and conditions of the employment covers the employee’s responsibility for information security. Where appropriate, these responsibilities might continue for a defined period after the end of the employment.

Information security education and training:- Whether all employees of the organisation and third party users (where relevant) receive appropriate Information Security training and regular updates in organisational policies and procedures.

Reporting security incidents:- Whether a formal reporting procedure exists, to report security incidents through appropriate management channels as quickly as possible.

Reporting security weaknesses:- Whether a formal reporting procedure or guideline exists for users, to report security weakness in, or threats to, systems or services.

Reporting software malfunctions:- Whether procedures were established to report any software malfunctions.

Disciplinary process:- Whether there is a formal disciplinary process in place for employees who have violated organisational security policies and procedures. Such a process can act as a deterrent to employees who might otherwise be inclined to disregard security procedures.

Physical Security Perimeter:- What physical border security facility has been implemented to protect the information processing service. Some examples of such a security facility are a card-controlled entry gate, walls, a manned reception, etc.

Physical entry Controls:- What entry controls are in place to allow only authorised personnel into various areas within organisation.

Equipment siting protection:- Whether the equipment was located in an appropriate place to minimise unnecessary access into work areas. Whether the items requiring special protection were isolated to reduce the general level of protection required.

Power Supplies:- Whether the equipment is protected from power failures by using redundant power supplies such as multiple feeds, an uninterruptible power supply (UPS), a backup generator, etc.

Cabling Security:- Whether the power and telecommunications cables carrying data or supporting information services are protected from interception or damage.

Equipment Maintenance:- Whether the equipment is maintained as per the supplier’s recommended service intervals and specifications. Whether the maintenance is carried out only by authorised personnel.

Secure disposal or re-use of equipment:- Whether storage devices containing sensitive information are physically destroyed or securely overwritten.

Clear Desk and clear screen:- Whether automatic computer screen locking facility is enabled. This would lock the screen when the computer is left unattended for a period.

Documented Operating procedures:- Whether the Security Policy has identified any operating procedures such as back-up, equipment maintenance, etc. Whether such procedures are documented and used.

Control against malicious software:- Whether there exists any control against malicious software usage. Whether the security policy addresses software licensing issues such as prohibiting the usage of unauthorised software. Whether there exists any procedure to verify that all warning bulletins are accurate and informative with regard to malicious software. Whether antivirus software is installed on the computers to check for and isolate or remove any viruses from computers and media. Whether this software’s signatures are updated on a regular basis to detect the latest viruses. Whether all traffic originating from an untrusted network into the organisation is checked for viruses. Example: checking for viruses in email, email attachments, and in web and FTP traffic.

Information back-up:- Whether back-ups of essential business information such as the production server, critical network components, configuration backups, etc., are taken regularly. Example: Mon-Thu: incremental backup and Fri: full backup. Whether the backup media, along with the procedure to restore the backup, are stored securely and well away from the actual site. Whether the backup media are regularly tested to ensure that they can be restored within the time frame allotted in the operational procedure for recovery.
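A way to turn the last checklist item into a repeatable test, as an added example written for this report (not IOCL’s own procedure or code): it assumes the Mon-Thu incremental / Fri full schedule given above, that a digest of each backup set was recorded in a manifest when the set was written, and that restore times were measured during a restore drill; every backup set below is constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib


@dataclass(frozen=True)
class BackupSet:
    taken: date
    kind: str               # "full" or "incremental"
    payload: bytes          # constructed stand-in for the archive held on the backup media
    manifest_sha256: str    # digest recorded in the manifest when the backup was written
    restore_minutes: int    # time measured when this set was last restored in a drill


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_set(taken: date, kind: str, payload: bytes, restore_minutes: int,
             damaged: bool = False) -> BackupSet:
    """Build a sample set; damaged=True simulates media altered after the manifest was written."""
    digest = sha256_hex(payload)
    if damaged:
        payload = payload[:-1] + b"\x00"
    return BackupSet(taken, kind, payload, digest, restore_minutes)


def restore_chain(sets, target: date):
    """Sets needed to rebuild the state as of `target`: the latest full backup taken on or
    before target, followed by every incremental taken after that full, up to target."""
    before = sorted((s for s in sets if s.taken <= target), key=lambda s: s.taken)
    fulls = [s for s in before if s.kind == "full"]
    if not fulls:
        raise ValueError(f"no full backup on or before {target}")
    base = fulls[-1]
    return [base] + [s for s in before if s.kind == "incremental" and s.taken > base.taken]


def verify_restore(sets, target: date, rto_minutes: int) -> dict:
    """Check a restore to `target` against the three things the checklist asks for:
    readable media, a complete schedule, and a restore inside the allotted window."""
    chain = restore_chain(sets, target)
    problems = []
    # 1. every set in the chain must still match the digest recorded at backup time
    for s in chain:
        if sha256_hex(s.payload) != s.manifest_sha256:
            problems.append(f"{s.taken} {s.kind}: checksum mismatch, media unreadable or altered")
    # 2. schedule gaps after the base full: Mon-Thu need an incremental, Fri needs a full
    have = {(s.taken, s.kind) for s in chain}
    expected_kind = {0: "incremental", 1: "incremental", 2: "incremental",
                     3: "incremental", 4: "full"}          # Monday == 0, weekend skipped
    day = chain[0].taken + timedelta(days=1)
    while day <= target:
        expected = expected_kind.get(day.weekday())
        if expected and (day, expected) not in have:
            problems.append(f"{day}: scheduled {expected} backup missing")
        day += timedelta(days=1)
    # 3. the whole chain must restore inside the recovery window set in the procedure
    minutes = sum(s.restore_minutes for s in chain)
    if minutes > rto_minutes:
        problems.append(f"restore takes {minutes} min, exceeds {rto_minutes} min window")
    return {"chain": [(s.taken.isoformat(), s.kind) for s in chain],
            "restore_minutes": minutes, "problems": problems, "ok": not problems}


# Constructed sample week: full on Friday 2010-07-16, incrementals Mon-Thu after it;
# the Wednesday set is simulated as damaged after its manifest was written.
SAMPLE_SETS = [
    make_set(date(2010, 7, 16), "full", b"full-2010-07-16-disk-image", 90),
    make_set(date(2010, 7, 19), "incremental", b"inc-mon-changed-files", 10),
    make_set(date(2010, 7, 20), "incremental", b"inc-tue-changed-files", 10),
    make_set(date(2010, 7, 21), "incremental", b"inc-wed-changed-files", 10, damaged=True),
    make_set(date(2010, 7, 22), "incremental", b"inc-thu-changed-files", 10),
]

if __name__ == "__main__":
    for target in (date(2010, 7, 20), date(2010, 7, 22)):
        result = verify_restore(SAMPLE_SETS, target, rto_minutes=120)
        status = "OK" if result["ok"] else "FAIL"
        print(f"restore to {target}: {status} ({result['restore_minutes']} min)")
        for problem in result["problems"]:
            print("  -", problem)
```

Restoring to Tuesday passes, while restoring to Thursday fails twice: the damaged Wednesday media and a chain that now needs longer than the 120-minute window, which is exactly what an untested backup would hide.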

Some of the more common techniques that agencies can employ include:

Interactive video training (IVT) – IVT is one of several distance-learning techniques available for delivering training material. This technology supports two-way interactive audio and video instruction. The interactive feature makes the technique more effective than non-interactive techniques, but it is more expensive.

Web-based training – This technique is currently the most popular for distributed environments. “Attendees” of a web-based session can study independently and learn at their own pace. Testing and accountability features can be built in to gauge performance. Training models incorporating this technique are beginning to provide the additional benefit of interaction between instructor and student or among students.

Non-web, computer-based training – This technique continues to be popular even with web availability. It can still be an effective method for distribution of training material, especially if access to web-based material is not feasible. Like web-based training, this technique does not allow for interaction between the instructor and students or among students.

Onsite, instructor-led training (including peer presentations and mentoring) – This is one of the oldest, but one of the most popular techniques for delivering training material to an audience. The biggest advantage of the technique is the interactive nature of the instruction. This technique, however, has several potential disadvantages. In a large organization, there may be difficulty in scheduling sufficient classes so that all of the target audience can attend. In an organization that has a widely distributed workforce, there may be significant travel costs for instructors and students. Although there are challenges for distributed environments, some learners prefer this traditional method over other methods.

Chapter 3 - Learning experiences on Business / Technology:-

1. Why data security is so important in all organisations

In simple terms, data security is the practice of keeping data protected from corruption and unauthorized access. The focus behind data security is to ensure privacy while protecting personal or corporate data. Data is the raw form of information stored as columns and rows in our databases, network servers and personal computers. This may be a wide range of information, from personal files and intellectual property to market analytics and details intended to be top secret. Data could be anything of interest that can be read or otherwise interpreted in human form. However, some of this information isn't intended to leave the system. Unauthorized access to this data could lead to numerous problems for a large corporation or even the personal home user. Having your bank account details stolen is just as damaging as the system administrator who was just robbed of the client information in their database. There has been a huge emphasis on data security as of late, largely because of the internet. There are a number of options for locking down your data, from software solutions to hardware mechanisms. Computer users are certainly more conscious these days, but is your data really secure? If you're not following the essential guidelines, your sensitive information may well be at risk.

Information is one of a petroleum institution’s most important assets. Protection of information assets is necessary to establish and maintain trust between the petroleum institution and its customers, maintain compliance with the law, and protect the reputation of the institution. Timely and reliable information is necessary to process transactions and support petroleum institution and customer decisions. A petroleum institution’s earnings and capital can be adversely affected if information becomes known to unauthorized parties, is altered, or is not available when it is needed. Information security is the process by which an organization protects and secures its systems, media, and facilities that process and maintain information vital to its operations. On a broad scale, the petroleum institution industry has a primary role in protecting the nation’s petroleum services infrastructure. The security of the industry’s systems and information is essential to its safety and soundness and to the privacy of customer petroleum information. Individual petroleum institutions and their service providers must maintain effective security programs adequate for their operational complexity. These security programs must have strong board and senior management level support, integration of security activities and controls throughout the organization’s business processes, and clear accountability for carrying out security responsibilities. This booklet provides guidance to examiners and organizations on assessing the level of security risks to the organization and evaluating the adequacy of the organization’s risk management. Organizations often inaccurately perceive information security as the state or condition of controls at a point in time. Security is an ongoing process, whereby the condition of a petroleum institution’s controls is just one indicator of its overall security posture.
Other indicators include the ability of the institution to continually assess its posture and react appropriately in the face of rapidly changing threats, technologies, and business conditions. A petroleum institution establishes and maintains truly effective information security when it continuously integrates processes, people, and technology to mitigate risk in accordance with risk assessment and acceptable risk tolerance levels. Petroleum institutions protect their information by instituting a security process that identifies risks, forms a strategy to manage the risks, implements the strategy, tests the implementation, and monitors the environment to control the risks. While a great deal of attention has been given to protecting companies’ electronic assets from outside threats – from intrusion prevention systems to firewalls to vulnerability management – organizations must now turn their attention to an equally dangerous situation: the problem of data loss from the inside. In fact, in many organizations there’s a gaping hole in the controlled, secure environment created to protect electronic assets. This hole is the now ubiquitous way businesses and individuals communicate with each other – over the Internet. Whether it’s email, instant messaging, webmail, a form on a website, or file transfer, electronic communications exiting the company still go largely uncontrolled and unmonitored on their way to their destinations – with the ever-present potential for confidential information to fall into the wrong hands. Should sensitive information be exposed, it can wreak havoc on the organization’s bottom line through fines, bad publicity, loss of strategic customers, loss of competitive intelligence and legal action. Given today’s strict regulatory and ultra-competitive environment, data loss prevention is one of the most critical issues facing CIOs, CSOs and CISOs. For those creating and implementing a DATA SECURITY strategy, the task can seem daunting. Fortunately, effective technical solutions are available. This report presents best practices that organizations can leverage as they seek solutions for preventing leaks, enforcing compliance, and protecting the company’s brand value and reputation.

MANAGEMENT STRUCTURE

Information security is a significant business risk that demands engagement of the Board of Directors and senior business management. It is the responsibility of everyone who has the opportunity to control or report the institution’s data. Information security should be supported throughout the institution, including the board of directors, senior management, information security officers, employees, auditors, service providers, and contractors. Each role has different responsibilities for information security and each individual should be accountable for his or her actions. Accountability requires clear lines of reporting, clear communication of expectations, and the delegation and judicious use of appropriate authority to bring about appropriate compliance with the institution’s policies, standards, and procedures.

RESPONSIBILITY AND ACCOUNTABILITY

The board of directors, or an appropriate committee of the board, is responsible for overseeing the development, implementation, and maintenance of the institution’s information security program, and making senior management accountable for its actions. Oversight requires the board to provide management with guidance; approve information security plans, policies and programs; and review reports on the effectiveness of the information security program. The board should provide management with its expectations and requirements and hold management accountable for:

- Central oversight and coordination
- Assignment of responsibility
- Risk assessment and measurement
- Monitoring and testing
- Reporting
- Acceptable residual risk

2. Consequences of data loss:-

Loss of intellectual property

Email systems, file transfer systems, instant messaging systems, blogs, wikis, Web tools, Thumb drives and other tools can be used to send confidential information in violation of corporate policy, common sense and the law. The result is that trade secrets, designs, proprietary processes and other knowledge assets can all be compromised if not adequately protected.

Loss of reputation

If an electronic communication system is used in violation of corporate policy, an organization can suffer serious damage to its reputation.

Harmful legal judgments

Unfettered use of email by employees can lead to significant and adverse legal judgments. For example, several years ago employees of British insurance company Norwich Union sent rumors using the corporate email system that falsely claimed that a competitor, Western Provident Association, was undergoing a government investigation and was experiencing petroleum problems. After Western Provident filed suit, Norwich Union publicly apologized for its employees’ behavior and paid a judgment of £450,000 (~US$780,000) in court costs and damages.

Compromise of corporate security

A failure to properly monitor outbound communications can lead to a variety of security-related problems, including compromised PCs acting as zombies for sending spam and consumer instant messaging clients that can spread worms and malware. There are a variety of tools commonly used in the workplace that bypass conventional security defences, including Skype, peer-to-peer file-sharing software and chat tools.

IMPORTANCE OF NETWORK SECURITY:-

The Internet has undoubtedly become the largest public data network, enabling and facilitating both personal and business communications worldwide. The volume of traffic moving over the Internet, as well as corporate networks, is expanding exponentially every day. More and more communication is taking place via e-mail; mobile workers, telecommuters, and branch offices are using the Internet to remotely connect to their corporate networks; and commercial transactions completed over the Internet, via the World Wide Web, now account for large portions of corporate revenue. While the Internet has transformed and greatly improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats from which corporations must protect themselves. Although network attacks are presumably more serious when they are inflicted upon businesses that store sensitive data, such as personal medical or financial records, the consequences of attacks on any entity range from mildly inconvenient to completely debilitating—important data can be lost, privacy can be violated, and several hours, or even days, of network downtime can ensue. Despite the costly risks of potential security breaches, the Internet can be one of the safest means by which to conduct business. For example, giving credit card information to a telemarketer over the phone or a waiter in a restaurant can be more risky than submitting the information via a Web site, because electronic commerce transactions are usually protected by security technology. Waiters and telemarketers are not always monitored or trustworthy. Yet the fear of security problems can be just as harmful to businesses as actual security breaches. General fear and suspicion of computers still exists and with that comes a distrust of the Internet. This distrust can limit the business opportunities for companies, especially those that are completely Web based. Thus, companies must enact security policies and instate safeguards that not only are effective, but are also perceived as effective. Organizations must be able to adequately communicate how they plan to protect their customers. As with any type of crime, the threats to the privacy and integrity of data come from a very small minority of vandals.
However, while one car thief can steal only one car at a time, a single hacker working from a basic computer can generate damage to a large number of computer networks that wreaks havoc around the world. Perhaps even more worrisome is the fact that the threats can come from people we know. In fact, most network security experts claim that the majority of network attacks are initiated by employees who work inside the corporations where breaches have occurred. Employees, through mischief, malice, or mistake, often manage to damage their own companies’ networks and destroy data. Furthermore, with the recent pervasiveness of remote connectivity technologies, businesses are expanding to include larger numbers of telecommuters, branch offices, and business partners. These remote employees and partners pose the same threats as internal employees, as well as the risk of security breaches if their remote networking assets are not properly secured and monitored. Whether you want to secure a car, a home, a nation, or a computer network, a general knowledge of who the potential enemies are and how they work is essential.

Chapter 4 - CONCLUSION:

Data loss prevention is a serious issue for companies, as the number of incidents (and the cost to those experiencing them) continues to increase. Whether it’s a malicious attempt, or an inadvertent mistake, data loss can diminish a company’s brand, reduce shareholder value, and damage the company’s goodwill and reputation. By leveraging best practices, companies can seek out a data loss prevention solution that best suits their particular needs. For compliance with regulations such as HIPAA and PCI, protection of intellectual property, and enforcement of appropriate use policies, a best-of-breed data security solution for data in motion will help address one of the most significant vectors for data loss: electronic communications. Combined with data at rest and data at endpoint solutions (which protect file systems, databases and data on various portable devices), a data in motion solution helps protect companies across the board from the risk of data loss. Organizations that proactively embrace this challenge will reap the benefit of deeper compliance with regulatory policies and greater protection for valuable intellectual assets. After the potential sources of threats and the types of damage that can occur have been identified, putting the proper security policies and safeguards in place becomes much easier. Organizations have an extensive choice of technologies, ranging from anti-virus software packages to dedicated network security hardware, such as firewalls and intrusion detection systems, to provide protection for all areas of the network.

Anti-virus Packages

Virus protection software is packaged with most computers and can counter most virus threats if the software is regularly updated and correctly maintained. The anti-virus industry relies on a vast network of users to provide early warnings of new viruses, so that antidotes can be developed and distributed quickly. With thousands of new viruses being generated every month, it is essential that the virus database is kept up to date. The virus database is the record held by the anti-virus package that helps it to identify known viruses when they attempt to strike. Reputable anti-virus software vendors will publish the latest antidotes on their Web sites, and the software can prompt users to periodically collect new data. Network security policy should stipulate that all computers on the network are kept up to date and, ideally, are all protected by the same anti-virus package—if only to keep maintenance and update costs to a minimum. It is also essential to update the software itself on a regular basis. Virus authors often make getting past the anti-virus packages their first priority.

Security Policies

When setting up a network, whether it is a local area network (LAN), virtual LAN (VLAN), or wide area network (WAN), it is important to initially set the fundamental security policies. Security policies are rules that are electronically programmed and stored within security equipment to control such areas as access privileges. Of course, security policies are also written or verbal regulations by which an organization operates. In addition, companies must decide who is responsible for enforcing and managing these policies and determine how employees are informed of the rules and watch guards.

What are the policies?

The policies that are implemented should control who has access to which areas of the network and how unauthorized users are going to be prevented from entering restricted areas. For example, generally only members of the human resources department should have access to employee salary histories. Passwords usually prevent employees from entering restricted areas, but only if the passwords remain private. Written policies as basic as warning employees against posting their passwords in work areas can often preempt security breaches. Customers or suppliers with access to certain parts of the network must be adequately regulated by the policies as well.

Who will enforce and manage the policies?

The individual or group of people who police and maintain the network and its security must have access to every area of the network. Therefore, the security policy management function should be assigned to people who are extremely trustworthy and have the technical competence required. As noted earlier, the majority of network security breaches come from within, so this person or group must not be a potential threat. Once assigned, network managers may take advantage of sophisticated software tools that can help define, distribute, enforce, and audit security policies through browser-based interfaces.

How will you communicate the policies?

Policies are essentially useless if all of the involved parties do not know and understand them. It is vital to have effective mechanisms in place for communicating the existing policies, policy changes, new policies, and security alerts regarding impending viruses or attacks.

Identity

Once your policies are set, identity methods and technologies must be employed to help positively authenticate and verify users and their access privileges.

Passwords

Making sure that certain areas of the network are “password protected”—only accessible by those with particular passwords—is the simplest and most common way to ensure that only those who have permission can enter a particular part of the network. In the physical security analogy above, passwords are analogous to badge access cards. However, the most powerful network security infrastructures are virtually ineffective if people do not protect their passwords. Many users choose easily remembered numbers or words as passwords, such as birthdays, phone numbers, or pets’ names, and others never change their passwords and are not very careful about keeping them secret. The golden rules, or policies, for passwords are:

- Change passwords regularly
- Make passwords as meaningless as possible
- Never divulge passwords to anyone until leaving the company

Digital Certificates

Digital certificates or public key certificates are the electronic equivalents of driver’s licenses or passports, and are issued by designated Certificate Authorities (CAs). Digital certificates are most often used for identification when establishing secure tunnels through the Internet, such as in virtual private networking (VPN).

Access Control

Before a user gains access to the network with his password, the network must evaluate if the password is valid. Access control servers validate the user’s identity and determine which areas or information the user can access based on stored user profiles. In the physical security analogy, access control servers are equivalent to the gatekeeper who oversees the use of the access card.

Firewalls

A firewall is a hardware or software solution implemented within the network infrastructure to enforce an organization’s security policies by restricting access to specific network resources. In the physical security analogy, a firewall is the equivalent to a door lock on a perimeter door or on a door to a room inside of the building—it permits only authorized users, such as those with a key or access card, to enter. Firewall technology is even available in versions suitable for home use. The firewall creates a protective layer between the network and the outside world. In effect, the firewall replicates the network at the point of entry so that it can receive and transmit authorized data without significant delay. However, it has built-in filters that can disallow unauthorized or potentially dangerous material from entering the real system. It also logs an attempted intrusion and reports it to the network administrators.

Encryption

Encryption technology ensures that messages cannot be intercepted or read by anyone other than the authorized recipient. Encryption is usually deployed to protect data that is transported over a public network and uses advanced mathematical algorithms to “scramble” messages and their attachments. Several types of encryption algorithms exist, but some are more secure than others. Encryption provides the security necessary to sustain the increasingly popular VPN technology. VPNs are private connections, or tunnels, over public networks such as the Internet. They are deployed to connect telecommuters, mobile workers, branch offices, and business partners to corporate networks or each other. All VPN hardware and software devices support advanced encryption technology to provide the utmost protection for the data that they transport.

Intrusion Detection

Organizations continue to deploy firewalls as their central gatekeepers to prevent unauthorized users from entering their networks. However, network security is in many ways similar to physical security in that no one technology serves all needs—rather, a layered defence provides the best results. Organizations are increasingly looking to additional security technologies to counter risk and vulnerability that firewalls alone cannot address. A network-based intrusion detection system (IDS) provides around-the-clock network surveillance. An IDS analyzes packet data streams within a network, searching for unauthorized activity, such as attacks by hackers, and enabling users to respond to security breaches before systems are compromised. When unauthorized activity is detected, the IDS can send alarms to a management console with details of the activity and can often order other systems, such as routers, to cut off the unauthorized sessions. In the physical analogy, an IDS is equivalent to a video camera and motion sensor: detecting unauthorized or suspicious activity and working with automated response systems, such as watch guards, to stop the activity.

Expertise

While electronic scanning tools can be very thorough in detecting network security vulnerabilities, they may be complemented with a security assessment by professional security consultants. A security assessment is a concentrated analysis of the security posture of a network, highlighting security weaknesses or vulnerabilities that need to be improved. Periodic assessments are helpful in ensuring that, in the midst of frequent changes in a network, the security posture of the network is not weakened. In the physical security analogy, a periodic security assessment such as scanning is like a guard periodically patrolling the entire secured area, checking locks on doors and windows, reporting any irregularities that might exist, and providing guidance for correction.
