Information Security Awareness Presentation in Nokia (March 2016, v2.0)
Uvais Momin
March 2016
1 © Nokia 2016
Nokia Internal Use
Information
Legal / Regulatory Compliance
• All regulatory compliance requirements that impact business either specify protection of information assets or are dependent upon protected assets.
• Information regulation (any regulation that affects information assets) creates dependencies upon effective privacy and security for most, if not all, critical business processes and functions.
Customer
• Increased awareness amongst the end customers about their privacy rights.
• Increased demand for focus on information security practices.
• Increased focus on audits to control the flow of organizations’ information.
• Inclusion of penalty clauses in the contract agreements.
Nokia Information security functions
(Diagram: a Strategy / Implement / Monitor cycle. Activities shown: Monitor industry practices; Testing, logs, metrics & incident management; Awareness, training & communication.)
Nokia Information security policy
Objective: Nokia Group’s Information Security aims to:
• Protect and safeguard Nokia’s sensitive information and business processes
• Enable and enhance the security features of our solutions provided to the customers
Scope: The Nokia Security Policy and its standards cover information, data, software, hardware and networks used globally by all Nokia Group businesses and all the subsidiaries and affiliates of Nokia Corporation.
Exceptions: Any exception to the above described Security Policy principles is evaluated case by case, using the organizational risk assessment methodology.
Nokia Information classification
Secret (for named recipients only): Strategy plans, financial information before release, Merger & Acquisition (M&A) information etc.
Confidential (limited distribution within a group): Product design & specifications, financial data, project plan, budget plan etc.
Nokia Internal Use (within Nokia Group / partners with NDA): Organization chart, phone directory, internal policy documents, internal communication etc.
Controlled Information:
• Intellectual property
• Regulated information
• Customer information
• Competitor collaboration
Nokia Information classification – Customer Information
Nokia Group processes or manages a lot of customer information in various forms, which could be
segregated into three sub-categories.
1. Customer operational data: infrastructural systems including elements, networks and platforms, as
well as benchmarks and performance data used by Nokia Group to assess, deliver, manage and
support Nokia Group solutions that are owned or contracted by the customer.
2. Customer business data: includes any customer’s business operations related information,
excluding the Customer operational data. Customer business data comprises protected customer
employee information that is related to the internal business operations of the customer. It also
includes any data that a customer might require to be separated from other Nokia Group customers.
3. Customer Subscriber data: includes all the information related to the customer’s mobile or other
service subscribers. This data is the “data of our customer’s customers” and therefore it is the most
sensitive data we may come into contact with. This type of data is extremely important and needs to
be protected due to the possible market, regulatory and punitive ramifications of breaches.
All categories of customer related data must be treated as “Confidential”.
Privacy and information types
Example 1: Privacy-sensitive information types, e.g. race and sexual orientation, are classified Secret if they are connected to information through which an individual could be identified.
Intellectual property
• Intellectual property is any information that provides a competitive economic advantage to Nokia
Group. The term Intellectual property comprises business and professional secrets alike and any
other confidential information that Nokia Group wishes to protect.
• Revealing Intellectual property information without proper approval from the relevant authorities could
cause financial loss to Nokia Group or to our business or cooperation partner.
• The value of Intellectual Property Rights (IPR) can be determined by using methodologies like
Business Impact Analysis (BIA), Risk Assessment (RA) etc.
• Examples of intellectual property:
• Trade secrets, patents, copyrights, trademark etc.
• Innovations and possible products before they are officially commercialized (up to local management to define
the limits, e.g. university collaboration).
• Strategies until they are communicated widely to all employees.
• Special security measures (e.g. additional access controls to files or premises) that are in place to protect
information or e.g. Fraud prevention methodologies and system configurations.
• Financial information that has not been published, including insider information.
• Software source code: source codes developed for Nokia Group products.
Nokia Incident management
Action: Based on the inputs from all stakeholders, relevant action is taken for the incident. This may also lead to initiation of the HR / IT disciplinary process.
Learning: Learnings from all critical incidents are captured & published as a case study for relevant stakeholders to avoid future instances.
Nokia Information security violation disciplinary action policy
Objective: The objective of the policy is to define and provide guidelines for taking the necessary disciplinary action by the company to protect the confidentiality of Nokia information against illegal activities, human error, abuse, data leakage, non-compliance with the Information Security policy and other forms of criminal activity.
Scope: The Policy is applicable to all regular employees of Nokia including full-time, fixed-term and part-time employees, and externals (accessing Nokia network and/or infrastructure) involved in employment or other activities on behalf of Nokia.
Categories:
Minor: Unlicensed software installation for local use, unauthorized entry to information processing facilities, virus incident(s).
Significant: Unauthorized disclosure of confidential information, peer-to-peer client installation with malicious intent, non-adherence to Nokia IT security policy, violation of electronic communication policy, misappropriation of email services, non-adherence to country-specific regulations, multiple instances of botnet connections, repeated virus incidents.
Major: Hacking or intrusion into Nokia IT systems/applications, unauthorized change management of IT systems, disclosure of Nokia & customer sensitive information, more than one incident of spam mail(s) and/or P2P client installation, sensitive personal information disclosure, disclosure/misuse of IPR, unauthorized use of accounts or access privileges.
Team: Representation from HR, IT, HSS, Line manager, Legal & compliance.
Information Security – Do’s & Don’ts
• Use licensed software
• Use the ‘RME’ solution for USB encryption
• Follow Nokia password policy; use strong passwords