ESP (Expected Security Practices with assessment guidance)
Copyright     First Legion Consulting Pvt. Ltd.

License       This work is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 2.5 India License. To view a copy of this license, visit ...censes/by-nc-sa/2.5/in/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.

Version       1
Released on   14-Jun-10
Change History
ESP (Expected Security Practices with assessment guidance)

Each ESP below carries an Awareness Measurement (awareness criterion and suggested mode of assessment) and a Behavior Measurement (behavior criterion and suggested mode of assessment). The suggested mode of awareness assessment is "Interview" for every ESP; the behavior assessment mode is the evidence source used to check the behavior criterion. Two rows carry no number in the source and are listed unnumbered in their original position.

No.  ESP
     Awareness criterion / Awareness assessment
     Behavior criterion / Behavior assessment

 1   Information classification practices
     Awareness criterion : Aware of the company information classification policies;
                           aware of customer information classification policies
     Awareness assessment: Interview
     Behavior criterion  : Ability to classify documents during creation;
                           ability to store classified documents in the correct location
     Behavior assessment : Social engineering

     Access control practices
     Awareness criterion : Essential password protection
     Awareness assessment: Interview
     Behavior criterion  : Does not share a password under duress;
                           does not accept colleagues' passwords
     Behavior assessment : Social engineering

 2   Email security practices
     Awareness criterion : Dos and don'ts with the corporate email ID
     Awareness assessment: Interview
     Behavior criterion  : Does not forward inappropriate emails;
                           does not download or click on suspicious attachments;
                           reports any inappropriate mail;
                           does not subscribe to personal-content sites using the official ID
     Behavior assessment : Social engineering; data mining from the web

 3   Malware security
     Awareness criterion : Is aware of at least 4 different types of malware
     Awareness assessment: Interview
     Behavior criterion  : Does not click on suspicious links;
                           does not click on suspicious pop-ups
     Behavior assessment : Social engineering

 4   Clear screen / desk / printer / whiteboard / trash practices
     Awareness criterion : Aware of what each clear policy means
     Awareness assessment: Interview
     Behavior criterion  : Locks the screen and clears the desk when leaving the workstation;
                           collects printouts as soon as they are printed;
                           wipes whiteboards after meetings;
                           tears or shreds documents when disposing of them
     Behavior assessment : Social engineering / observation

 5   Backup practices
     Awareness criterion : Securing the company information
     Awareness assessment: Interview
     Behavior criterion  : Stores important information correctly on the backup server
     Behavior assessment : (not specified)

 6   Incident reporting practices
     Awareness criterion : Incident reporting procedures;
                           distinguishes security incidents from IT incidents
     Awareness assessment: Interview
     Behavior criterion  : Reports a visible incident
     Behavior assessment : Social engineering

 7   Internet security practices
     Awareness criterion : Aware of the internet security policy, dos and don'ts
     Awareness assessment: Interview
     Behavior criterion  : Avoids suspicious pop-ups; avoids inappropriate sites
     Behavior assessment : Proxy log review

 8   Intellectual property protection practices
     Awareness criterion : Aware of what IP, IPR and copyright protection are
     Awareness assessment: Interview
     Behavior criterion  : Does not store, install or download illegally copied copyrighted content;
                           respects the IPR attached to different clients' code
     Behavior assessment : Desktop audit

 9   Social engineering detection and avoidance practices
     Awareness criterion : Understands the term social engineering;
                           understands the channels of social engineering
     Awareness assessment: Interview
     Behavior criterion  : Does not provide company information to anonymous callers;
                           does not respond to suspicious emails asking for business information
     Behavior assessment : Social engineering

10   Physical security practices
     Awareness criterion : Access control policies (location, access)
     Awareness assessment: Interview
     Behavior criterion  : Access card is worn properly; access cards are not shared;
                           does not allow piggybacking;
                           reports people without visible ID inside the facility
     Behavior assessment : Observation / social engineering

11   Secure disposal of information practices
     Awareness criterion : Aware of the secure disposal policy
     Awareness assessment: Interview
     Behavior criterion  : Disposes of sensitive documents properly
     Behavior assessment : Social engineering

12   Portable / mobile computing security practices
     Awareness criterion : Aware of the policy regarding external personal devices
     Awareness assessment: Interview
     Behavior criterion  : Does not connect external personal devices to company systems;
                           does not copy company business information onto personal devices
     Behavior assessment : Social engineering test; review of ADS logs

13   Information disclosure practices
     Awareness criterion : Aware of the information disclosure policy
     Awareness assessment: Interview
     Behavior criterion  : Does not disclose official and classified business information
     Behavior assessment : Social engineering

14   Safe blogging and social networking security practices
     Awareness criterion : Is aware of the dangers of posting business information in personal blogs;
                           is aware of the dangers of posting business information in social networks
     Awareness assessment: Interview
     Behavior criterion  : Does not post company business information in personal blogs or social networks;
                           does not respond to queries on personal blogs asking for company business information
     Behavior assessment : Data mining from the web; social engineering and data mining

15   Wireless security practices
     Awareness criterion : Is aware of the dangers of connecting to open access points
     Awareness assessment: Interview
     Behavior criterion  : Does not connect to open Wi-Fi access points
     Behavior assessment : System audit / wireless NIC properties

16   Information recovery practices
     Awareness criterion : Is aware of the procedure to be followed in case of a system crash or data loss
     Awareness assessment: Interview
     Behavior criterion  : Reports data loss or a system crash
     Behavior assessment : Remedy log review and comparison with data loss reports

     [practice name missing in the source]
     Awareness criterion : Aware that company data must not be copied or synchronized with mobile devices
     Awareness assessment: Interview
     Behavior criterion  : Does not copy or synchronize data from company computers with a personal mobile device
     Behavior assessment : System audit

17   External workforce (contractor) access practices
     Awareness criterion : Is aware of the dos and don'ts as an external employee
     Awareness assessment: Interview
     Behavior criterion  : Adheres to the company's information security policies (checked)
     Behavior assessment : (not specified)

18   Emergency response practices
     Awareness criterion : Aware of emergency evacuation / fire drill
     Awareness assessment: Interview
     Behavior criterion  : Has attended a fire drill; demonstrates exit procedures for evacuation
     Behavior assessment : Review of records
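The behavior assessment modes name an evidence source but not how to turn it into a pass/fail per person. The script below is an added example, not part of the ESP document or of First Legion's material. It scores ESP 7 ("Avoids inappropriate sites", assessed by proxy log review) from a proxy log excerpt in Squid's default access.log field order, counting denied requests as well as served ones because the criterion is that the person does not try, and ESP 15 ("Does not connect to open Wi-Fi access points", assessed from wireless NIC properties) from saved-profile output in the style of `netsh wlan show profile`. The log lines, profile text, user names, hosts and the category table are constructed assumptions; a real review would take the categories from the proxy's URL filter.

```python
"""Evidence-based scoring for two ESP behavior criteria (added example).

Scores ESP 7 (proxy log review) and ESP 15 (wireless profile properties)
from constructed sample data. Squid's default access.log field order is
real; everything else in the samples is an assumption for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed Squid-style access log (assumption: the corporate proxy logs
# the authenticated user name in the ident field; "-" means unauthenticated).
SAMPLE_PROXY_LOG = """\
1276500001.123    312 10.1.2.34 TCP_MISS/200 5123 GET http://intranet.example.com/policy.html asmith HIER_DIRECT/10.0.0.5 text/html
1276500002.456     98 10.1.2.57 TCP_DENIED/403 1700 GET http://games.example.net/play?id=7 bjones HIER_NONE/- text/html
1276500003.789    220 10.1.2.34 TCP_MISS/200 8890 GET http://news.example.org/ asmith HIER_DIRECT/10.0.0.6 text/html
1276500004.012    140 10.1.2.57 TCP_MISS/200 2201 CONNECT gambling.example.net:443 bjones HIER_DIRECT/10.0.0.7 -
1276500005.345    101 10.1.2.57 TCP_MISS/200 2201 CONNECT gambling.example.net:443 bjones HIER_DIRECT/10.0.0.7 -
1276500006.678     77 10.1.2.99 TCP_MISS/200 1500 GET http://webmail.example.com/ - HIER_DIRECT/10.0.0.8 text/html
"""

# Assumed category table: hosts that count as "inappropriate sites" under the
# internet security policy. In practice this comes from the proxy's URL filter.
INAPPROPRIATE_HOSTS = {
    "games.example.net": "games",
    "gambling.example.net": "gambling",
}

# Squid default log format: time elapsed client result/status bytes method URL user hierarchy type
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def target_host(method, url):
    """Host a request was aimed at; CONNECT lines carry host:port, not a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def review_proxy_log(log_text):
    """Per-user hit counts on inappropriate hosts: {user: {category: count}}.

    TCP_DENIED requests still count (the filter stopping the user does not
    satisfy the criterion). Users seen only on allowed hosts map to {}.
    """
    hits = {}
    for line in log_text.splitlines():
        m = SQUID_LINE.match(line)
        if m is None:
            continue  # skip malformed lines instead of failing the whole review
        user = m["user"]
        if user == "-":
            continue  # unauthenticated request: nobody to score
        per_user = hits.setdefault(user, defaultdict(int))
        category = INAPPROPRIATE_HOSTS.get(target_host(m["method"], m["url"]))
        if category is not None:
            per_user[category] += 1
    return {user: dict(cats) for user, cats in hits.items()}


def esp7_behaviour(log_text):
    """ESP 7 'Avoids inappropriate sites': True per user only with zero hits."""
    return {user: not cats for user, cats in review_proxy_log(log_text).items()}


# Constructed output in the style of `netsh wlan show profile name=... ` for
# the saved profiles on a Windows laptop (assumption: Windows endpoints).
SAMPLE_WLAN_PROFILES = """\
Profile CorpWiFi on interface Wi-Fi:
    SSID name              : "CorpWiFi"
    Authentication         : WPA2-Enterprise
    Cipher                 : CCMP
Profile CoffeeShop on interface Wi-Fi:
    SSID name              : "CoffeeShop"
    Authentication         : Open
    Cipher                 : None
Profile HomeNet on interface Wi-Fi:
    SSID name              : "HomeNet"
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
"""


def open_wifi_profiles(profile_text):
    """ESP 15 evidence: SSIDs of saved profiles whose authentication is Open."""
    ssids, ssid = [], None
    for line in profile_text.splitlines():
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "SSID name":
            ssid = value
        elif key == "Authentication" and value.lower() == "open" and ssid:
            ssids.append(ssid)
    return ssids


if __name__ == "__main__":
    print("ESP 7 per user:", esp7_behaviour(SAMPLE_PROXY_LOG))
    print("ESP 15 open profiles:", open_wifi_profiles(SAMPLE_WLAN_PROFILES))
```

With the constructed samples, asmith passes ESP 7 and bjones fails it (one denied games request plus two gambling CONNECTs), and the laptop fails ESP 15 because the saved "CoffeeShop" profile uses Open authentication; an empty list from `open_wifi_profiles` is the pass condition.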
