Data Privacy


Data Security and Privacy (DS&P) Awareness

ERNST YOUNG Mercury

APR 2018

© 2009 IBM Corporation


• Objectives and Goals
• What is Data Security and Privacy?
• Why is DS&P Important?
• Client Responsibilities
• IBM Responsibilities
• Workplace and Workstation Security
• Workplace Security
• Workstation Usage
• Internet Security and E-mail Security
• Data Protection / Backup
• Access Management
• Password Policy
• PI/SPI/BSI Data Protection / Back up
  – Storing and Disposing of PI/SPI/BSI
  – Transporting PI/SPI/BSI
  – Using PI/SPI/BSI
• Security Incident Reporting
• Physical Security
• Essential Links
Objectives

• Objective:
  – To ensure that ERNST YOUNG Mercury Project Workforce Members are aware of IBM’s Data Security and Privacy (DS&P) guidelines, and that they understand their project-related responsibilities regarding DS&P.
• Goal:
  – To ensure that there is an effective DS&P process, designed to reduce the risk of data loss and/or mismanagement to an acceptable and reasonable level for the project/contract, business processes, and information systems environment.



What is IBM’s Global Data Security & Privacy Definition?

Data Privacy: The ability of individuals to determine when, how, and to what extent information about them is used or disclosed to others.
• Sensitive personal information (SPI) could be misused to harm a person in a financial, employment or social way. [The USA also focuses on information facilitating identity theft (SSN, account code, PIN, etc.), and on medical information.]
• Personally identifiable information (PI) includes any data element relating to identified or identifiable individuals.
• Business sensitive information (BSI) is information protected by a client or other company as important to their business, the improper exposure or use of which could harm them.
*IBM’s definition of SPI can be found at: http://w3.ibm.com/ibm/privacy/practices_guidance.html

Security: The practices we employ through people, processes and technology to protect information, to minimize the potential of a data breach or security compromise.

All IBM projects must follow foundational Data Security and Privacy standards and policies.



Why is DS&P Important?

As a large public/global company, we need to manage critical financial, operational, legal and compliance requirements.

Critical Regulatory and Legal Requirements
• Sarbanes-Oxley Act of 2002
• Accounting Standards (SRV)
• Export Regulations
• Immigration
• Tax
• FFIEC
• Environmental
• Open Source Software
• Intellectual Property
• Data Security & Privacy

Critical Financial/Operational Requirements
• Delegation Letter Approvals
• CRM and ADM processes
• Project Financial Management
• Procurement/subcontractors
• Pre-contract work
• Labor Claim
• B&P

Benefits of execution
• Business optimization
• Solid reputation / industry differentiation

Consequences of insufficient execution
• Risk to Brand and Reputation
• Financial Losses
• Disciplinary Actions
• Fines/Personal Penalties



Failures are big news

LOST OPPORTUNITY
50% of consumers avoid making purchases
online because they are afraid their financial
information will be stolen (Source: Cyber
Security Industry Alliance survey of
consumers, 2007)

LOST CUSTOMERS
33% of consumers notified of a security
breach will terminate their relationship with the
company they perceive as responsible
(Source: Ponemon Institute, 2007)

LOST REVENUE
The average cost per hour of unplanned
downtime = $42,000, per 1000 transactions
(Source: Alinen ROI Report)



IBM’s Responsibilities Related to Data Security and Privacy

• To secure IBM assets: Comply with IBM corporate instructions such as ITCS300 and ITCS104, which collectively cover topics such as:
  – Protecting IBM confidential information
  – Requirements for safe handling of data on different media (such as portable media)
  – Requirements for safe connectivity and network access
  – Security Incident Reporting
  – Access revocation and revalidation requirements
  – Access monitoring and password rules

• To secure external client assets:
  – Comply with client contracts and agreements; seek project-specific DS&P requirements if new to the project
  – Comply with regulatory requirements for which IBM is directly accountable
  – Use corporate standards and instructions, GBS Good Practices, and good business judgment to identify, mitigate and manage risks
  – Engage the client throughout the sales and delivery lifecycle to ensure joint clarity of the client's DS&P needs, client and IBM responsibilities, and the value coming from IBM's DS&P approach
Workplace Security

Do’s
• Follow the clean desk policy.
• Collect printouts from printer trays promptly.
• All confidential documents/literature/information should be kept under lock and key.
• At the end of your working day, lock all your papers in the storage provided.
• Keep your drawer keys secure.
• All confidential documents should be shredded prior to disposal.
• Activate the password-protected keyboard/screen lock when leaving your work area.

Don’ts
• Do not leave your drawer keys in insecure locations.
• Do not leave Post-it Notes with confidential information in a place where anyone can pick them up.
• Do not leave any papers on your workstation after you leave for the day.
• Do not leave any documents on the printer once you have printed them.
• Do not attempt to install/run any software/code/application without prior approval from IBM or the Client.
• Do not attempt to bypass any security controls.
• Do not attempt to access any IBM or client information which you are not permitted to access, or which is not relevant to or required by your current responsibilities.



Workstation Usage

Understand IBM policy and foundational Data Security & Privacy (DS&P) controls related to workstation usage, for example:
• Workstations used to perform IBM business (including client account delivery) must be registered in the Workstation Asset Manager (WAM) or IBM Standard Asset Manager (ISAM) and regularly scanned to ensure the appropriate securities are implemented (see control 00.2 ‘Workstation Security Monitoring’).
• All workstations must have hard drive encryption installed (see control 00.3 ‘Workstation Encryption’).
• IBM confidential information may not be stored on a client workstation.

Additional workstation usage restrictions apply to workstations that are used to perform privileged user activities, such as:
• An IBM workstation which is used to perform privileged activities should be used for IBM business only.
• No personal use of a client provided workstation is allowed.
• No personally owned workstations may be used to perform privileged activities (no exceptions).
• No personally owned storage device (external HD, USB stick) may be connected to a privileged user workstation.

In addition, GBS contractors and subcontractors who will access client PI/SPI/BSI must use either:
• an IBM provided workstation registered in ISAM (as having access to SPI if applicable), OR
• a client workstation.



Internet and E-mail Security

Don’ts
• Do not post IBM or client specific/proprietary information on public sites.
• Do not access online music/games sites, P2P software (Kazaa, Napster, Skype etc.), chat sites and/or other inappropriate forums through IBM or Client sites. Do not download or copy freeware and shareware software from the Internet or any other source.
• Never send passwords or other personal information about yourself to anyone.
• Do not auto-forward emails from external addresses to your official email id or vice versa.
• Do not forward chain mails / spam while accessing IBM or client mail systems.
• Never send inappropriate messages.
• Do not use the client email infrastructure for communication on non-client related IBM confidential matters.

Do’s
• Use the Internet only for business related work.
• Use only IBM provided licensed software.
• Report obscene emails. Delete unsolicited advertising e-mail without replying to it.
• Remove photos, MP3s, movies etc. from your laptop.
• Remove trial versions.



Data Protection / Backup

• If there is a valid business need to store PI/SPI/BSI on your workstation, usage of portable removable media such as CD/DVD, removable HDD, a USB storage device or a data backup tape is not allowed.
• The external storage media used for backing up data must be physically secured in secure rooms or cabinets under lock and key.
• Activate a power-on password and a password-controlled time-out/lock-out feature on all hand-held devices containing backup data.
• IBM Confidential or other business sensitive data should not be placed on a handheld device if there is no way to secure the device.
• Link: http://w3-03.ibm.com/tools/it/ittools.nsf/main/security_fileencryptionsolutions



General Responsibilities: Access Management

Manage User Accounts:
• Only use User IDs and passwords that are unique to you
• Do not share or disclose User IDs and passwords
• When changing assignments or roles, cancel (in a timely fashion) User IDs that are not needed
• The use of Firefight IDs should be properly restricted and monitored. Associated passwords should be changed periodically and when individuals who are privy to the password leave the project.

Manage Access to Environments:
• Only have access to functions and data (especially PI/SPI/BSI) which is required to perform your prescribed job function.
• Should not place or use real or live PI/SPI/BSI in test or development environments; this data must be masked, scrambled, or otherwise ciphered to mitigate risks

Manage Separation of Duties for the Engagement:
• Generally, access to development or testing, and production should be segregated.
• Generally, access to promote code between the environments should be segregated from duties related to development and testing.
• Generally, duties related to user administration should be segregated from duties related to development (dev, test, code promotion)
• Generally, duties related to system admin, user admin, and development activities should be segregated.
• When exceptions exist, secondary controls are required. Consult your Project Manager and Security Expert.

Maintain a secure workplace and workstation:
• For workstation equipment assigned to you, physically protect it as appropriate, such as by using a locking cable
• Never leave PI/SPI/BSI unattended on your screen, on your system, or around your workspace
• Shut down or use password-protected screen savers at all times
• Secure printed material and portable media in locked desks and drawers
• Verify that your workstation and any equipment you control has the most current operating system, security, and antivirus products and patch levels installed
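The rule above that live PI/SPI/BSI entering test or development must be masked, scrambled or otherwise ciphered is shown here as an added example (not IBM's or the project's code): a small pseudonymising masker for tabular records that keeps joins between records working while failing closed on any field nobody has classified. The field names, the sample records and the HMAC key are constructed for the example.

```python
"""Pseudonymising masker for copying records into dev/test (added example; not IBM's own tooling).
Direct identifiers get keyed, deterministic tokens so joins still work; SSNs are partially
redacted; e-mail addresses keep their shape but lose both local part and domain; any field
without a classification is rejected so nothing leaks by omission."""
import hashlib
import hmac
import re

# Constructed demo key: in practice this comes from a secret store, is never copied with the
# test data, and is rotated per environment so tokens cannot be correlated across projects.
MASKING_KEY = b"constructed-demo-key-do-not-reuse"
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def pseudonym(value, length=12):
    """HMAC-SHA256 of the value: the same input always gives the same token, but without the
    key the token cannot be reversed or rebuilt from a guessed name (unlike a plain hash)."""
    return hmac.new(MASKING_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def mask_ssn(ssn):
    """Keep only the last four digits; reject anything that is not SSN-shaped."""
    if not SSN_RE.match(ssn):
        raise ValueError(f"not an SSN-shaped value: {ssn!r}")
    return "***-**-" + ssn[-4:]


def mask_email(email):
    """Pseudonymise the local part and move the address to a reserved, undeliverable domain."""
    local, _, _domain = email.partition("@")
    return f"{pseudonym(local, 8)}@example.invalid"


# Per-field policy: how each known field is transformed before it may enter dev/test.
MASKERS = {
    "customer_id": lambda v: "C-" + pseudonym(v, 8),  # indirect identifier: keep it joinable
    "name": pseudonym,
    "ssn": mask_ssn,
    "email": mask_email,
}
PASS_THROUGH = {"plan"}  # not identifying on its own in this constructed data set


def classification_gaps(record):
    """Fields that are neither masked nor explicitly allowed through."""
    return set(record) - set(MASKERS) - PASS_THROUGH


def mask_record(record):
    """Return the masked copy; fail closed if any field lacks a classification."""
    gaps = classification_gaps(record)
    if gaps:
        raise ValueError(f"unclassified fields, refusing to copy: {sorted(gaps)}")
    return {k: (MASKERS[k](v) if k in MASKERS else v) for k, v in record.items()}


# Constructed sample records standing in for a live export.
SAMPLE = [
    {"customer_id": "1001", "name": "Mary Smith", "ssn": "123-45-6789",
     "email": "mary.smith@client.example", "plan": "gold"},
    {"customer_id": "1002", "name": "Mary Smith", "ssn": "987-65-4321",
     "email": "m.smith@client.example", "plan": "basic"},
]
```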



Password Policy
Do’s
• The password set should be a minimum of 8 characters.
• Change passwords every 90 days or less. If there is no technical process enforcing the password change, you must comply manually with the password change requirement.
• Passwords must contain a mix of alphabetic characters, special characters and numbers. The use of a passphrase is advised.
• Change your password if you suspect it is compromised.
• Always change the default password.
• When changing your password, you must select a new password, i.e., do not change the password to one that you used in the past.

Don’ts
• Personal details like DoB, anniversary dates, spouse/children names etc. should not be used in passwords.
• Avoid using names of places, or other common dictionary words, as your password.
• Don’t reveal your password to anyone.
• Don’t write down your password for the world to see.
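The Do's and Don'ts above, implemented as an added example (not an IBM tool): a checker that reports which rules a candidate password violates and whether the 90-day change is due. The common-word list and the handling of personal details (names plus YYYY-MM-DD dates such as a birthday) are assumptions made for the example.

```python
"""Password-rule checker for the policy on this slide (added example; not an IBM tool).
Rules covered: minimum 8 characters; a mix of letters, numbers and special characters;
no personal details (names, dates) and no common dictionary words; no reuse of a
previous password (compared by hash, so old passwords are not kept in clear); a change is
due once the password is 90 days old."""
from datetime import date
import hashlib
import string

MIN_LENGTH = 8
MAX_AGE_DAYS = 90
# Constructed stand-in for a real dictionary / common-password list.
COMMON_WORDS = {"password", "welcome", "london", "summer", "qwerty"}


def pw_hash(password):
    """Hash used only to compare a candidate against the password history."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def personal_tokens(details):
    """Expand personal details into lowercase substrings that must not appear in a password.
    A date given as YYYY-MM-DD (birthday, anniversary) yields its year and the usual
    day/month spellings; anything else is treated as a name."""
    tokens = set()
    for item in details:
        try:
            d = date.fromisoformat(item)
        except ValueError:
            tokens.add(item.lower())
            continue
        tokens.update({str(d.year), d.strftime("%d%m"), d.strftime("%m%d"),
                       d.strftime("%d%m%Y"), d.strftime("%Y%m%d")})
    return {t for t in tokens if len(t) >= 3}  # very short fragments would reject everything


def check_password(candidate, personal_details=(), history_hashes=()):
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    has_special = any(c in string.punctuation for c in candidate)
    if not (has_alpha and has_digit and has_special):
        problems.append("must mix letters, numbers and special characters")
    lowered = candidate.lower()
    for token in sorted(personal_tokens(personal_details)):
        if token in lowered:
            problems.append(f"contains personal detail {token!r}")
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            problems.append(f"contains dictionary word {word!r}")
    if pw_hash(candidate) in history_hashes:
        problems.append("was used before")
    return problems


def change_due(last_changed_iso, today_iso):
    """True when the password is MAX_AGE_DAYS or more days old (dates as YYYY-MM-DD)."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age.days >= MAX_AGE_DAYS
```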



General Responsibilities: Storing and Disposing of PI/SPI/BSI

Avoid storing PI/SPI/BSI on portable devices and media:
• Laptops
• Floppy disks, CDs, and so on
• Hard copies

If you must use portable devices or media:
• Encrypt electronic data
• Store devices and media in a secure environment

Securely dispose of PI/SPI/BSI as soon as it is no longer required:
• Shred physical media (printed copies, floppy disks, CDs, and so on)
• Securely overwrite data stored on computers

Appropriately dispose of data when the project ends and/or a workforce member leaves or transfers.



General Responsibilities: Transporting PI/SPI/BSI

When electronically transferring PI/SPI/BSI:
• Encrypt PI/SPI/BSI data or use industry standard security protocols
• Do not send sensitive documents over email or unsecured lines without encryption
• Use VPN or SSL/TLS for communication:
  – Chat
  – Email
  – Webex

When physically transferring PI/SPI/BSI:
• Limit distribution to people on the access control list
• Use appropriate controls:
  – Encryption
  – Transportation over secure lines
  – Hand delivery

When faxing PI/SPI/BSI:
• Use appropriate controls:
  – Do not leave PI/SPI/BSI unattended
  – Include a cover letter addressed to the receiver
  – Verify that the receiving machine is in a secure location
  – Inform the receiving party before faxing
  – Confirm receipt of information with the receiving party



General Responsibilities: Using PI/SPI/BSI

Data entered into supporting tools can create issues with PI/SPI/BSI that are not obvious:
• PI/SPI/BSI entered into free-form text areas must comply with contractual and regulatory requirements, and should be avoided if possible
• People without authorization to view data may have access to all the data in a tool, including the data in question

Be careful not to include PI/SPI/BSI data in documents created in support of a project, for example:
• Spreadsheets/Text Documents
• Text documents
• Work Notes
• Emails
• Screenshots



GDPR - General Data Protection Regulation
Applies from 25 May 2018

• The new General Data Protection Regulation of the European Economic Area (EEA), which includes the EU + Iceland, Liechtenstein, Norway, establishes much more stringent data protection requirements over personal data within its scope. Both the Data Controller and Data Processor (generally IBM) are subject to fines under this new law of up to €20M or 4% of the organization’s global annual turnover per incident.

• The Regulation applies to all organizations that process personal data within the EEA, or that process personal data outside the EEA when the processing activities are related to the offering of goods or services to individuals physically located in the EEA, or when the processing activities are related to the monitoring of an individual's behavior as far as the behavior takes place in any EEA country.

• GDPR was published in May 2016 and will be in effect from May 25, 2018 (it will remain as national law in the UK after Brexit).

• The Data Controller is responsible for ensuring and demonstrating that data processing is performed in accordance with the Regulation.



GBS Europe GDPR Deployment – GBS as a Processor [Personal Data – Overview & Examples]
Extract from GDPR Guidance v 2.0

“The GDPR Regulation applies to the processing of Personal Data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.“

“‘Personal Data’ means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”

FAQ: Is this Personal Data? YES (these are just some examples…)
• Email IDs, phone numbers, car registration numbers
• Electricity/gas meters
• Any Personal Data that we process for the Client, about their staff, end users, customers etc.
• Online identifiers and location data
• Date of birth
• A picture of a person (they can be identified, and the photo may also convey additional Personal Data)

Direct identifiers: Data that can be used to identify a person without additional information (e.g. name, social security number or contact information)
Indirect identifiers: Data that does not uniquely identify an individual but may reveal individual identities if combined with additional data points from other sources (e.g. birthday or location)

Ensure there is a common understanding with the Client on which data are Personal Data!

Business Contact Information: Any Personal Data that we at IBM maintain about our business contacts – Clients, subcons, partners etc. – is also subject to GDPR. It falls under IBM’s responsibility as a Controller.

Read more…
• IBM Data Privacy resources:
  – Current PI definition
  – "Mary presentation“: illustrates how to handle personal information about a Client contact – follow the link on this page
• External article with overview of the new definition of Personal Data



Security Incident Reporting
• If you suspect a security incident is in progress or has occurred, it is important for you to act promptly by contacting your location Security department / Project Manager.

• Employees are not to attempt to investigate or take action against the offender unless directed to do so by Security personnel.

• If your workstation or portable media containing PI/SPI/BSI is lost or stolen, or if you suspect that somebody has compromised its security, you must immediately report the security incident and specify that sensitive information may have been exposed.

– Link: http://w3-03.ibm.com/security/secweb.nsf/ContentDocsByCtryTitle/Corporate~Incident+reporting?Open&Country=Global+Services

Physical Security Incidents: Contact your Team Leader, Local Security Officer, (IBM) PM, and the DS&P Security Expert

IT Related Incidents: Contact your Team Leader and/or (IBM) Project Manager



Physical Security

Do’s
• When on IBM premises always carry your IBM ID card on your person and display it prominently.
• When on customer premises always carry the customer-issued ID card and display it prominently.
• Workstations should be physically locked (e.g. cable locks) when unattended.
• If any physical asset including ID badge/portable media/laptops etc. is lost or stolen, report to the physical security officer and your manager immediately.
• Keep your system locked.

Don'ts
• Do not tailgate.
• Do not allow anyone to tailgate.
• Do not loan your ID badge to another employee.
• Do not leave your laptop unattended in your vehicle or in any public place.



Essential Links

• ITCS 300 – IT Security Standard in use at IBM: http://w3.the.ibm.com/ecmweb/cybersecurity/recent_policy_updates.html
• BCG – Business Conduct Guidelines – Mandatory for all employees to read, understand and comply: http://w3-03.ibm.com/ibm/documents/corpdocweb.nsf/ContentDocsByTitle/IBM+Business+Conduct+Guidelines
• Data Privacy – GBS Data Security & Privacy Guidance: http://ams1.sby.ibm.com/as/as.nsf/content/as_dataprivacyguidance
• IT Security portal – Gateway to the whole lot of information about IBM IT Security policies, guidelines, standards, best practices: http://w3.the.ibm.com/ecmweb/cybersecurity
• Virus Information – Updates about virus threats, etc.: http://w3.ibm.com/virus



Thank You !
