Information Protection Awareness
Contents

Information Security Overview  4
Safe Computing Habits  4
Social Media  6
1- Social Networking Regulations and Behavior  6
Saudi Aramco Information Security Policies, Resources and References  11
Information Security

Information Security Overview

Information security is the practice of preserving the integrity, availability, and confidentiality of information system resources (including hardware, software, firmware, information/data, and telecommunications).

(Diagram: Confidentiality, Availability and Integrity surrounding DATA.)

Attack against Confidentiality: Interception
It allows unauthorized users to access our data or system.

Attack against Availability: Interruption
It allows unauthorized users to make the assets unavailable.

Attack against Integrity: Modification
It allows unauthorized users to change the consistency, accuracy, and trustworthiness of data over its entire life cycle.
Safe Computing Habits

Access Control

User credentials (such as accounts and passwords) are the keys to access Saudi Aramco IT resources. Therefore, these credentials must be protected.

1- Protecting User Accounts & Passwords

Users must:
• Treat all passwords as confidential.
• Safeguard their passwords (e.g. by not writing down their passwords).
• Keep their passwords to themselves and not share them with anyone, including administrative assistants or secretaries.
• Report to their Computer Security Liaison (CSL) or Information Security Analyst (ISA) any suspected breach of their accounts, and change their passwords immediately.

2- Multi-Factor Authentication

Smart Cards, Tokens and SMS Pass-Phrases are examples of multi-factor authentication that must be protected. Users must:
• Ensure that their mobile number is updated and current in the corporate phone directory in order to use multi-factor authentication and SMS services (Pass-Phrase).
• Safeguard their assigned Smart Cards and Tokens.
• Immediately report lost smart cards or tokens to their CSL.

3- Remote Access

Users must only use company-approved remote connectivity for accessing the corporate network.
Internet Use

King Abdulaziz Center supplied Internet and email services are available for communication on matters directly concerned with the business.

1- Prohibited Internet Activities

Users must not under any circumstances use Company internet service for the following:
• Browsing internet sites that contain pornographic or adult material, gambling, prohibited drugs, violence, discrimination, offensive or hate-based content, or hacker, malicious and harmful web sites.
• Unauthorized access or attempts to break into any computer (cracking, hacking, etc.), whether of King Abdulaziz Center or another entity.
• Interference with or disruption of the Center computer or communications systems, such as consuming the company internet bandwidth by massive download of non-business materials.
• Conducting or promoting a personal business for commercial purposes.
• Downloading or distribution of copyrighted material or software.
• Unauthorized passing of any of the Center's sensitive information to external or internal sources.
• Non-work related 'chatting' or 'blogging'.
• Establishing unauthorized connections to the corporate network that could allow users to gain access to King Abdulaziz Center's systems and information.

2- Monitoring Internet Access

Users of the King Abdulaziz Center's Internet services understand and accept that their use of the Internet is being monitored and that data relating to the sites they have visited will be retained within a central database, access to which will be strictly controlled.

For more information, refer to GI-299.210 (Saudi Aramco Internet Use).
E-mail Use

Use of email by King Abdulaziz Center's employees is permitted and encouraged where such use is suitable for business purposes and supports the goals and objectives of the Center and its business divisions.

1- Unacceptable E-Mail Use or Behavior

Examples of behaviors which are normally regarded as unacceptable:
• Sending non-business emails to a large number of recipients or for the user's gain.
• Sending any material in emails that is offensive or which is intended to or could have the impact of annoying, harassing or intimidating another person.
• Representing (by email) personal opinions as those of the Company.
• Transmitting (by email) commercial or copyrighted materials belonging to parties outside of the Company, or the Company itself, without the express permission of the relevant party.
• Revealing or publicizing in emails any sensitive information, which includes, but is not limited to, financial information, databases, information that includes computer network access codes, customer information and business relationships.
• Sending unsolicited bulk email (SPAM) from Saudi Aramco's email servers except as authorized to do so in the course of your work.

2- Monitoring E-Mail

Users of King Abdulaziz Center's email services understand and accept that their use of email is being monitored and that data relating to email will be retained within a central database, access to which will be strictly controlled. Details of specific email activity will only be disclosed to third parties as part of an ongoing and appropriately authorized investigation.
Social Media

The Center staff must be aware that their actions captured through images, videos, blogs, or comments can affect our company's image.

1- Social Networking Regulations and Behavior

• Information published on social networking sites should not disclose Saudi Aramco's intellectual property, trade secrets, or customer data, and should comply with the company's confidentiality and disclosure of proprietary data policies.
• Personal blogs should have clear disclaimers that the views expressed by the author in the blog are the author's alone and do not represent the views of the Center.
• Discussions or comments must not contain negative remarks involving religion, politics, ethnic groups/cultures, family lifestyles, or the Government of Saudi Arabia.
Social Engineering

The purpose of social engineering is to secretly install spyware or other malicious software, or to trick you into handing over your passwords or other sensitive financial or personal information.

1- Social Engineering – Phishing

Phishing is an e-mail intended to convince you to hand over personal details or perform an action in order to gain control over your account or install spyware or other malicious software on your PC or network.

2- Social Engineering – Pre-texting

The attacker, communicating over the phone or via e-mail, would claim not to have time to go through normal channels because of an emergency or because he is afraid of getting in trouble. The attacker may also ask for help changing a password, claim to have forgotten the system password, or claim to be a helpdesk or technical support agent who needs help getting an employee's user ID and password for a test or password reset.

3- Social Engineering – Baiting

The attacker leaves a malware-infected CD-ROM, DVD, or USB flash drive in a location sure to be found (bathroom, elevator, sidewalk, parking lot), gives it a legitimate-looking and curiosity-piquing label, and simply waits for the victim to use the device.
Proper Responses

• Never hand over information unless sure of whom it is going to.
• Do not respond to suspicious e-mails.
• Do not click links or downloads in suspicious e-mails and do not forward them to friends.
• Do not connect suspicious USBs to The Center's computers.
• Do not open found CDs or DVDs on The Center's computers.
• Report suspicious emails to anti-spam@aramco.com and the Center Information Protection Group.

(Illustration: a mock PHISHING login page asking for Username and Password.)
Data Types and Protections

All information and data related to the operations and activities of King Abdulaziz Center and its employees, regardless of the form or media in which the information is recorded or maintained, must be protected.

Data Classification and Handling of Sensitive Information

The Data Owner is responsible for classifying information or data and assigning it the appropriate classification in accordance with corporate policies.

Protected Sensitive Information

User Must:
• Secure the Center information according to its classification.
• Not duplicate, transmit, or disclose any sensitive information without authorization.
• Encrypt sensitive information stored in removable media.
• Encrypt emails that contain sensitive information.
• Use secure information sharing mechanisms with any third party.
• Securely dispose of or sanitize electronic storage devices/media used for storing non-public information.
• Securely destroy or shred paper records containing protected data.
Classification Categories Summary Table

Classification level: Use and Rules

Non-Business Use information:
Information that does not relate to the Company's business or operation.

Public information:
Company information approved by Public Relation Department (PRD) and intended for general distribution inside and outside the Company.

Company General Use information:
Material designed for distribution to Company and contractor employees that will be used in Company-related business functions.

Confidential information:
Company information intended for disclosure/release to limited Company and Contractor employees that will be used in Company related business function on a need-to-know basis.

Government Confidential information:
Disclosure may impact the security of not only the Company but also the Kingdom; or may negatively impact the Kingdom's political interests, foreign relations, income and/or the business environment generally.
Backup of Business Data

All devices containing vital company information should be backed up regularly to minimize business disruption in the event of loss or physical damage.

User Must:
• Ensure that important business data in their workstations/laptops is backed up.
• Exercise due diligence to protect backup data when stored in removable media (USB flash drive or external hard drive).

Password

Passwords are the primary means of security for computer users.

User Must:
• Use a lengthy password that is not less than seven characters and difficult to guess.
• Use a combination of numbers, characters and symbols (such as # or @).
• Not use personal information, such as a phone number or the name of a relative.
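The three password rules above can be enforced mechanically at password-change time. The following checker is an added illustration written for this page, not Saudi Aramco's own implementation; it assumes "characters" means letters, and that the caller supplies the user's personal details (phone number, relatives' names) as a list so the third rule can be checked against them.

```python
import re
import string

MIN_LENGTH = 7  # the booklet's "not less than seven characters"


def _digits_only(value: str) -> str:
    """Keep only digits so separators in a phone number cannot hide a match."""
    return re.sub(r"\D", "", value)


def check_password_policy(password: str, personal_info: list[str]) -> list[str]:
    """Return the booklet rules the password violates (empty list = compliant).

    personal_info is an assumed, caller-supplied list of values the user must
    not embed in the password (e.g. phone number, relatives' names).
    """
    violations = []

    # Rule 1: lengthy password, not less than seven characters.
    if len(password) < MIN_LENGTH:
        violations.append("shorter than seven characters")

    # Rule 2: combination of numbers, letters and symbols such as # or @.
    has_digit = any(c.isdigit() for c in password)
    has_letter = any(c.isalpha() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    if not (has_digit and has_letter and has_symbol):
        violations.append("must mix numbers, letters and symbols")

    # Rule 3: no personal information (phone number, relative's name).
    lowered = password.lower()
    pw_digits = _digits_only(password)
    for item in personal_info:
        item_l = item.lower().strip()
        if not item_l:
            continue
        if item_l in lowered:
            violations.append(f"contains personal information: {item!r}")
            continue
        # Phone numbers: compare digit runs so "055-123-4567" still matches.
        item_digits = _digits_only(item)
        if len(item_digits) >= 4 and item_digits in pw_digits:
            violations.append(f"contains personal information: {item!r}")
    return violations


if __name__ == "__main__":
    # Constructed sample profile and candidate passwords (not real data).
    profile = ["055-123-4567", "Ahmed"]
    for candidate in ["ahmed", "Pw#0551234567", "Ahm3d#2024xyz"]:
        print(candidate, "->", check_password_policy(candidate, profile) or "OK")
```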
Proper Use and Protection of IT Assets

Users are responsible for taking all reasonable measures to appropriately use and secure all Company assets assigned for their use regardless of the location.

User Must:
• Use IT assets for business only.
• Store IT assets in a hidden location when left unattended in a vehicle.
• Not leave mobile devices unsecured in any office overnight.
• Use PIN codes to protect Company's mobile devices.
• Safeguard hardcopies of business documents according to their data classification.
• Report lost or stolen IT assets to their CSL.

Reporting Security Incidents

The reporting of a computing incident must be done promptly to ensure that the appropriate measures can be taken to protect King Abdulaziz Center resources.

If any user suspects a computer security incident implicating an individual, they must contact the Center Information Protection Group (ISA and AISA).
Mandatory E-Learning Training

The e-learning courses are designed to assist all staff in understanding Saudi Aramco key information security policies, secure practices and the acceptable use of computer assets.

In order to develop and raise the information security culture within the Center, two e-learning courses are mandated to be taken by all staff:
• Phishing Assessment (00005776)
• Information Security Essentials (40059587)

Violations

Users found in violation of what is mentioned in this booklet will be subject to disciplinary actions. These include:
• Suspending or revoking of access (e.g. internet access, extranet access, privileged access, etc.)
• Removing of assigned IT assets (e.g. laptop, mobile device, etc.)
• Forcing the user to attend IT security training (e-learning)
• Delivering an IT security related presentation
• Corrective Guidance Report (SA2004-)
• Warning Notice (SA3247-)
• Dismissal Warning Notice (SA3248-)
Saudi Aramco Information Security Policies, Resources and References

The following documents are also applicable to Information Protection within Saudi Aramco:
• Data Protection and Retention Policy (INT7-)
• Information Protection General Instructions
• Information Protection Manual
• Process Automation Networks & Systems Security (SAEP99-)
• Process Automation Networks Connectivity (SAES-Z010-)
• Saudi Aramco Computer Use Policy (SA9595-)
• Saudi Aramco Computer Use Agreement (Non-Employee) (SA9696-)

Technology Operation Support Division - Information Protection Group