Second year of working remotely: ICL's experience in coping with information security
All ICL Services staff, regardless of their position, experience or the format in which they work, must abide by the following rules:
1) notify the company of any phishing messages or information security incidents as quickly as possible;
2) ensure information security in accordance with applicable laws and regulations;
3) get access to confidential information and corporate equipment strictly on a need-to-know/need-to-use basis;
5) notify customers of any business continuity incidents in a timely manner;
6) irrevocably destroy any confidential documents if such documents need to be disposed of;
7) refrain from repairing corporate equipment on their own;
8) immediately contact the appropriate services in the event of the theft/loss of hardware that contains confidential information;
9) follow an empty desk/empty screen policy in order to prevent any leak of information stored on desktops or on physical media sitting on open surfaces in the office or elsewhere.
ICL Services has introduced a policy of holding corporate events during which it is explained to every team member that it is vital and necessary to abide by the information security requirements designed to ensure the confidentiality, integrity and availability of data. Such information security seminars look at specific information security incidents that happened at the company or highly publicised information security breaches that happened somewhere else (for example, the script for Star Wars Episode 9 that was put up for sale on eBay or the conflict between Rambler and the developer of Nginx).
Security induction is a corporate information security procedure that all new hires must complete as part of their probationary period. As part of the security induction, new hires independently identify the link between specific cases and information security rules and then go on to offer their own solutions. This allows them to understand the requirements of the company's information security policies in practice and see how they apply to their own duties. During the security induction, a new hire answers questions such as what the correct way to destroy confidential information is, why it is important to transmit information over secure channels, how information about partners can damage stakeholders if it gets disclosed to third parties, and others, which allows them to identify the relevant cause-and-effect relationships on their own. At the end of the security induction, all the participants are sent an email with links to corporate resources with useful information and a request for feedback to help update the contents of the procedure and improve its effectiveness in the future.
After the company transitioned to remote work en masse, some changes were made to the security induction procedure. First, a section has been added on why it is vital that information security rules be followed while working remotely, which emphasises that corporate information security is the responsibility of all the staff with no exceptions. Second, the format in which the security induction is conducted has changed. While in the past, the number of participants was limited by the capacity of the conference room where the induction was held, it is now held as an online seminar with far more participants connecting to it in the ways that are most convenient for them (from a PC, a smartphone etc.). The online training features interactive sessions with staff such as surveys, discussions, stories told by the participants and others. In order to increase the engagement of the online participants, the content used for security induction has been revised: the presentation now features memes and short videos, which work very well in the context of the mostly visual presentation delivered as a sequence of slides.
New hires also complete information security courses, learn the rules for using passes to access company premises, and complete a test of their knowledge of the password policy and media interaction policy, as well as the policy for handling confidential information, the non-disclosure agreement and various workarounds.
Having completed all the stages of the security induction by the end of their probationary period, the new hire is able to join the company’s business processes as a full-fledged team member and identify potential information security incidents in both work-related and day-to-day activities. Meanwhile, our customers can rest assured that their data are handled by staff who are well-versed in information security.
- 4 September
Talking about ways to maintain a culture of information security among employees during the period of mass remote work