Information Security Awareness: ISO 27001 For Lingo24 suppliers, internal use only Self-training version Protected Commercial in Confidence

Post on 05-Sep-2021

10 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: ISO 27001 Information Security Awareness · Information Security Awareness: ISO 27001 For Lingo24 suppliers, internal use only Self-training version Protected Commercial in Confidence

Information Security Awareness: ISO 27001
For Lingo24 suppliers, internal use only
Self-training version

Protected - Commercial in Confidence

Page 2

Training objectives

01 Introduction to Information Security, ISO 27001 and GDPR

02 Common security threats

03 Password Policy

04 Secure communications and encryption

05 Breach reporting

06 GDPR summary

07 Document handling and labelling

08 Language Services Agreement

Page 3

01 - Information Security, ISO 27001 and GDPR

🄫 Randy Glasbergen

Page 4

What is the ISO/IEC 27001 Standard?

● ISO/IEC 27001 is the international standard that helps organisations manage their information security by setting up an Information Security Management System (ISMS).

● Created in 2005, increasingly adopted globally.

● Organisations can be certified by an external auditing body.

● Certification provides credible evidence that an ISMS is in place.

● An ISMS consists of a set of policies and clearly defined responsibilities and management processes.

Page 5

What does it protect?

Information Security Management System

1 Confidentiality: Client Data and Content is considered confidential and protected by default, and it will not be shared with any third parties.

2 Integrity: Client content (e.g. Segments, Translation Memory, Terminology etc.) will not be altered, destroyed or otherwise modified without the explicit consent of the client.

3 Availability: We guarantee to our clients easy and unfettered access to their own data.

Page 6

“What does ISO27001 mean to me?”

▸ Information Security is non-negotiable and critically important in this day and age.

▸ Information Security Management is core to our day-to-day activity.

▸ It is applied by all Lingo24 suppliers.

▸ Not abiding by it can trigger an investigation and result in corrective actions or even contract termination.

Page 7

Phishing

The term comes from "fishing for information", and generally involves an email or web page (sometimes even other communication channels) designed to trick you into giving up information.

As we get larger as a company, we become more of a target for these types of attacks.

Page 8

02 - Common security threats

🄫 Randy Glasbergen

Page 9

As you see, there are many types of security threats out there. You have probably heard of most of them.

We have security measures in place to prevent and manage these (antivirus, firewall, VPN, passwords etc.). As long as you don’t go disabling these or installing dodgy software and so on, you should be fine.

However, contrary to popular belief, most successful attacks do not target our hardware or security measures, but our employees. Yes, you.

Therefore, we will focus on these types of threats. You have surely heard of them: they are called social engineering scams.

Page 10

Social Engineering

Contrary to popular belief, the most successful and common types of attack are not those that exploit technical/security weaknesses but those that exploit human weaknesses.

Social engineering is the “art” of exploiting human psychology to make you give access to information, money, systems or other people, or perform other detrimental actions.

Social engineering is not about exploiting human weaknesses (of which you have none, of course). It uses your natural inclination to trust those you know and/or exploits your needs, common fears, desire for gain etc.

Social engineering comes in many forms and is not limited to email and websites; it uses all channels of communication (social media, chat and web pages, SMS, phone etc.).

You really don’t need to remember any of these social engineering techniques, but you should be able to tell the signs of a social engineering scam.

Page 11

Exercise: Fishing for phishing

See if you can spot at least two signs that the emails on the next slides are not quite what they appear to be.

Pages 12-15 (the example emails; image-only slides)

Page 16

How to identify phishing emails

Look for one or more of the following tell-tale signs:

● Unexpected / unusual / not the normal process or procedure

● They ask you to do one of the following:
○ open an attachment
○ click on a link
○ give some information

● Imply urgency and/or importance

● Imply loss, danger, threat, shaming, gain, promises

● Restrict channels of communication

● May contain grammar errors, typos, graphical inaccuracies, factual errors

Hover the link to see where it actually takes you. Look for misleading domains (e.g. googie.com, gooogle.com, google.somethingelse.com etc.).

You should not open attachments that you don’t recognise. Sometimes they are inside an archive. Microsoft Office documents may contain viruses.
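The "hover the link and look at the real destination" check above, written out as code. This is an added example, not part of the training deck: the TRUSTED_DOMAINS allow-list, the similarity threshold and the sample links are all constructed for illustration.

```python
"""Where does a link really go?  Classifies the hostname behind a link against a
small allow-list and flags the lookalike patterns named on the slide
(googie.com, gooogle.com, google.somethingelse.com), plus links whose visible
text names a different site than the one they open."""
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed allow-list of domains the reader is expected to trust.
TRUSTED_DOMAINS = {"google.com", "lingo24.com"}
SIMILARITY_THRESHOLD = 0.8   # heuristic; tune against your own allow-list


def hostname_of(text):
    """Hostname from a URL or a bare domain such as 'www.google.com'; None if absent."""
    candidate = text.strip()
    if "://" not in candidate:
        if " " in candidate or "." not in candidate:
            return None              # plain words such as "Click here"
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname
    return host.lower().rstrip(".") if host else None


def registrable_domain(host):
    """Last two labels (naive: co.uk-style suffixes would need a suffix list)."""
    return ".".join(host.split(".")[-2:])


def classify_link(href, display_text=None):
    """Return (verdict, reason). Verdicts: trusted, lookalike, mismatch, unknown, no-host."""
    host = hostname_of(href)
    if host is None:
        return "no-host", "link has no hostname"
    target = registrable_domain(host)

    # 1. The visible text names one site but the link goes to another.
    shown = hostname_of(display_text) if display_text else None
    if shown and registrable_domain(shown) != target:
        return "mismatch", f"text shows {shown} but link goes to {host}"

    # 2. Exact match or a genuine subdomain (accounts.google.com).
    if target in TRUSTED_DOMAINS:
        return "trusted", f"{host} belongs to {target}"

    labels = host.split(".")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # 3. Brand name used as a subdomain of someone else's domain.
        if brand in labels[:-2]:
            return "lookalike", f"{brand} appears as a subdomain of {target}"
        # 4. Near-miss spelling such as googie or gooogle.
        ratio = SequenceMatcher(None, target.split(".")[0], brand).ratio()
        if ratio >= SIMILARITY_THRESHOLD:
            return "lookalike", f"{target} resembles {trusted} (similarity {ratio:.2f})"
    return "unknown", f"{target} is not on the allow-list"


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a phishing exercise.
    samples = [
        ("https://accounts.google.com/signin", None),
        ("http://googie.com/login", "Sign in to Google"),
        ("http://gooogle.com/", None),
        ("http://google.somethingelse.com/verify", None),
        ("https://example.org/reset", "https://www.google.com/"),
        ("https://example.org/reset", "Click here"),
    ]
    for href, text in samples:
        print(f"{href:45} {classify_link(href, text)}")
```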

Page 17

Exercise: “Seemed like a good idea at the time…”

Do you spot anything strange in the following web page? (This page is real.)

Page 18 (screenshot of the web page; image-only slide)

Page 19

Honey-traps

Phishing attacks vary from easy-to-spot “Nigerian Prince” emails to very carefully crafted ones. But you don't even have to send emails to people; sometimes you can just lay a trap and people will gladly provide you with information instead.

What a great website! You just enter your credit card information, and it'll helpfully tell you if it's been stolen or not. Of course, as soon as you enter the details, your credit card information has in fact been stolen.

But it has that nice "Verified Secure" badge, with the padlock and green tick, so it must be OK, right?

Note: this particular example (ismycreditcardstolen.com) is a safe educational website, but there are plenty of malicious ones out there.

Page 20

Phishing, honey-traps and other scams will aim to get one or more types of information from you.

While it’s obvious that you have to protect some of these types of information, it may not make sense why someone would want to steal something like your system configuration. Why would anyone want to know stuff like what fonts I like, what time I usually log in and my wallpaper settings? Well, through a technique called fingerprinting, someone can create a profile of all those hundreds of settings you have and use it to connect your work and personal accounts with your web-browsing activity and your Facebook, LinkedIn and YouTube profiles, and sell it to advertisers or even shadier groups.

Page 21

How to spot social engineering scams

Page 22

Self security check

Exercise: “I’ve never been hacked… or have I?”

Page 23

Hacks happen...

Every couple of months you may see news of a major data leak, where millions of passwords from major websites have been stolen. Chances are you have an account with one of them too, and your password may well be public as we speak.

● 2012, 2016 - LinkedIn, 165 million user accounts

● 2013 - Adobe, 153 million user records

● 2013, 2014 - Yahoo, 3 billion accounts

● 2014 - eBay, 145 million users

● 2014, 2018 - Marriott, 500 million customers

● 2016 - multiple FriendFinder websites, 412.2 million accounts

● 2017 - Equifax, 147.9 million consumers

● 2019 - Canva, 137 million user accounts

Page 24

Password leak check-up

There are a few tools available to check whether your password has been made public. The one that monitors the largest number of data leaks is haveibeenpwned.com.

Go there now and check whether the password for your Lingo24 email has ever been leaked. If it looks like this:

please change your password after this course, following the Password Policy guidelines from the next section.

If you want more details about what exactly has been made public, you can use the Identity Leak Checker.

Note: Some of the breaches recorded by haveibeenpwned may not be available here.

Note: You can use these later for your personal account(s) as well.

Page 25

Security recommendations

● Don’t disable your firewall / antivirus.

● We encourage you to use only licensed software and to avoid downloading unknown programs or apps.

● Please be aware that many browser add-ons (plugins) present security risks and may not be what they seem.

● Wireless networks should be secured using WPA2 encryption. WEP and WPA should not be used, whether you are working from a public place or from home. This is unlikely unless you are using a very old router (pre-2006), but if you’re unsure contact our Helpdesk.

Page 26

03 - Password Policy

● Resources: Password Policy

Page 27

Lingo24 Password policy summary

● Do not use the same password for multiple systems! When using third-party systems you do not know what steps they are taking to store those passwords securely.

○ One of the most common ways accounts are accessed is by hackers using the leaked usernames and passwords from one system to try to access another system.

● Make passwords long. A long password created as a phrase or string of words offers more protection than a short password containing letters, numbers and special characters.

● Do not share your passwords with others! That includes your most trusted colleagues, best friends, Dave, Neil, Andrew, your close family and … you get the point.

○ Where password sharing is unavoidable (e.g. an external system where only a single account has been granted to Lingo24 by the administrators) the following rules should be followed:

■ Only share the password with the smallest possible group.
■ Change the password after a member of the group no longer requires access, or leaves the organisation.

Page 28

Lingo24 Password policy summary

● Use a password generator. It can be difficult to think of ways to create new passwords, and humans are generally bad at creating random data. Using a password generator is an easy way to quickly create new passwords which meet required policies.

Example: https://www.lastpass.com/password-generator

● Use a password manager. Managing multiple passwords is difficult, especially when they are generated randomly. Using a password manager to store passwords removes the need to remember passwords, or create a personal “scheme” for meeting password requirements (e.g. replace E with 3, S with 5 etc), which doesn’t offer much additional security.

● Use multi-factor authentication when available.

If the system you are using supports multi-factor authentication, you should consider turning it on. Additional authentication factors reduce the risk of unauthorised access to your accounts.

Page 29

Password rules

The standard password policy for Lingo24 systems is defined below. When managing Lingo24 accounts for any system (internal or external) you must follow these rules (unless the system you are using actively stops you), even if the system does not enforce this policy.

● Password length: no less than 12 characters.

● Password complexity: should include an uppercase letter, a lowercase letter, and one number or special character.

● Password reuse: do not use the same password for multiple systems; do not reuse old or expired passwords.

● Password expiry: no requirement to change passwords after a set period; however, passwords should be changed if the user believes an account has been compromised, if the administrators of the system ask the user to change the password, or if the password has been knowingly shared with others.
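The rules above as a checker, combined with two points the deck makes elsewhere: a password already seen in a leak is a liability (Page 24), and the E-to-3 / S-to-5 "scheme" adds little (Page 28), so leaked passwords are matched after undoing such substitutions. Added example, not the deck's or Lingo24's own tooling; the leaked-password list passed in is constructed.

```python
"""Validate a candidate password against the Lingo24 rules summarised on the slide
(12+ characters; upper, lower, and a digit or special character; no reuse) and
against a leaked-password list, even when the leaked word is disguised with
P@ssw0rd-style substitutions."""
import re
import string

MIN_LENGTH = 12
# Common "scheme" substitutions, undone before comparing with leaked passwords.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})


def normalise(password):
    """Lower-case, drop a trailing year/punctuation run, undo leet substitutions
    and keep letters only: 'P@ssw0rd2021!' -> 'password'."""
    core = re.sub(r"[^a-z]+$", "", password.lower())   # strip a "2021!"-style tail
    core = core.translate(LEET)
    return re.sub(r"[^a-z]", "", core)


def check_password(password, previous=(), leaked=()):
    """Return the list of rule violations; an empty list means the password passes.

    previous: the user's earlier passwords (reuse is forbidden by the policy).
    leaked:   plain-text passwords known from public breach lists (constructed here).
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    if not any(c.isupper() for c in password):
        problems.append("uppercase")
    if not any(c.islower() for c in password):
        problems.append("lowercase")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        problems.append("digit_or_special")
    if password in previous:
        problems.append("reused")
    # Compare normalised forms so 'P@ssw0rd2021!' is caught by a leaked 'password'.
    norm = normalise(password)
    if norm and norm in {normalise(p) for p in leaked}:
        problems.append("leaked_variant")
    return problems


if __name__ == "__main__":
    leaked_sample = {"password", "123456", "summer"}      # constructed, not real data
    for candidate in ("Tr0ub4dor&3", "correct horse battery staple",
                      "P@ssw0rd2021!", "Blue-Kettle-Sings-42"):
        print(f"{candidate!r:35} -> {check_password(candidate, leaked=leaked_sample) or 'OK'}")
```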

Page 30

04 - Secure communications and encryption

🄫 Randy Glasbergen

Page 31

Secure communications

Encryption helps secure confidential and sensitive data by converting it into a form that cannot be understood by third parties.

You should not send files via email or other unsecured channels. In the odd case you need to, please use encryption.

The image shows you how to do that using 7-Zip (you can use any other archiving software that has this option).

Page 32

05 - Breach reporting

🄫 Dilbert

Page 33

Key points

If you are aware of or suspect a security breach, report it on security.lingo24.com by selecting “Application Security Investigation”.

Similarly, if you are aware of or suspect a data protection (GDPR) breach, report it by selecting “Data Protection Investigation”.

Report any breach, even if you think someone has already reported it. We’d rather have a breach reported 100 times than not at all.

Page 34

06 - Data protection (GDPR) summary

- Do you know any good GDPR consultants?

- Yes

- Can you give me his email?

- No...

Page 35

GDPR Recap

What data is covered by GDPR requirements?

All personal and sensitive data covered by the definitions outlined in the GDPR must be kept private and protected, or in some cases, should not even be collected.

This includes all personally identifiable information like name, address, phone number, birthdate, national identification number, driver’s license number, financial information, social security numbers, health indexes, health records, demographics, web cookies etc.

It also includes less commonly mentioned personal information like race, gender identity, political affiliation, and religious beliefs, among others.

Page 36

What is considered personal data?

Page 37

Key takeaways

Know what data we hold and why

It is OK to have, hold and process personal data but we need to know what we hold and why we have it to ensure we have a legal basis.

We need to ensure all data transfers are controlled.

Personal data is required to be handled with care.

Breaching can have a massive impact.

Fines are up to €20m or 4% of global annual turnover (whichever is greater).

If you think we have breached data, raise a ticket on the ISM Service Desk.

We have 72 hours to respond; every second counts. The ticket starts our counter and lets the key responsible officer know.

Page 38

07 - Document labelling and handling

Page 39

Document labelling (FYI)

You are not required to label documents yourself, but you may encounter our labels on various documents. This is what they mean:

PUBLIC: Information that may be broadly distributed without causing damage to the organisation, its employees and stakeholders.

PROTECTED: Information whose unauthorised disclosure, particularly outside the organisation, would be inappropriate and inconvenient.

RESTRICTED: Information whose unauthorised disclosure would be serious and likely result in significant embarrassment to the organisation and possibly legal consequences.

CONFIDENTIAL: Highly sensitive or valuable information, both proprietary and personal.

Page 40

Document handling

All client content you receive from Lingo24:

● Must not be shared with third parties

● Must be handled securely

● Must not be saved on external media (USB drives, external hard drives, memory sticks, CDs, etc.)

● Must be deleted after use

● Must not be printed

Page 41

08 - Language Services Agreement

Page 42

Contractual obligations on Information Security (for individual translators)

● The Supplier must have installed, and maintain, up-to-date antivirus software in The Supplier’s local environment used to access Lingo24 systems.

● The Supplier must follow Lingo24’s password policy when using any Lingo24 system or service, e.g. Coach or Port.

● When working outside of Lingo24’s translation platform, The Supplier must not share data provided to them with third-party services. This includes third-party:

○ Hosted Machine Translation Services, such as Google Translate or Microsoft Translator, even if the Supplier has a paid account for such services
○ Hosted Translation Memories
○ Hosted Translation Platforms.

● The Supplier must not share information shared with them by Lingo24 with any other party without Lingo24’s prior written approval. This includes but is not limited to:

○ Source and Target Files
○ Query Management Sheets
○ Client Related Email Correspondence
○ Client Glossaries and Style Guides.

Page 43

Contractual obligations on Information Security (for individual translators)

● When working outside of Lingo24’s translation platform, The Supplier must not retain client data beyond the duration of the project.

● The Supplier must delete any client-specific data following the successful completion of the project, i.e. once it is marked as ready to invoice in Port. This includes:

○ Source and Target Files
○ Translation Memory Data.

● The Supplier should review this training at least every six (6) months.

● Where The Supplier stores Lingo24 client data locally, it should be encrypted, either through full disk encryption or as part of a secure container.

Page 44

Contractual obligations on Information Security (for agencies)

● The Supplier must adhere to Lingo24’s core Supplier Security Policy documented here.

● The Supplier must not share data provided to them with third-party services without prior written approval from Lingo24. This includes third-party:

○ Hosted Machine Translation Services, such as Google Translate or Microsoft Translator, even if the Supplier has a paid account for such services
○ Hosted Translation Memories
○ Hosted Translation Platforms.

● The Supplier must delete any client-specific data following the successful completion of the project or task. This includes:

○ Source and Target Files
○ Translation Memory Data.

Page 45

Thank you Gracias Благодаря ти Vielen Dank

谢谢 Hvala vam Dank je ਤੁਹਾਡਾ ਧੰਨਵਾਦ Mulțumesc Grazie Obrigado ありがとうございました

Спасибо Köszönöm Merci Takk skal du ha