Security at Sapient

At Sapient, Security is everybody’s responsibility.

We live in an amazing world today, with a vast amount of information at our fingertips.
However, these advances in technology bring new risks. Because the world is now so interconnected, cyber attacks are easier to launch and reach further than ever before.

In this training, we will discuss the threats facing us, and how you should protect yourself, Sapient, and our Client’s sensitive information.

Introduction to Information Security

What is Information Security?
Information Security is the preservation of Confidentiality, Integrity and Availability of information assets & data.

Why is it important to secure information?
There are often legal, regulatory and contractual requirements with respect to the protection of information. Loss or unauthorized disclosure of sensitive information can lead to legal & financial liabilities.

Information loss or disclosure can damage Sapient’s reputation and competitiveness within the industry and may erode our market value.

Information Classification

Sapient classifies information as one of the following three types:

Public: Information intended for internal and/or external use, with minimal controls, whose disclosure would not impact the Sapient brand.

Examples: Press release, Marketing and awareness Posters etc.

Internal: Information intended only for distribution within Sapient, which might cause embarrassment to Sapient or damage the Sapient brand if it fell into the hands of an unauthorized third party.

Examples: Company policies and procedures, Sapient People Directory, Internal Communications, Project Plans, MoMs, etc.

Note: By default, all information is classified as internal, unless specified explicitly.

Confidential: Highly sensitive information whose unauthorized disclosure could damage Sapient or our Clients. Such information is subject to specific access authorization and controlled distribution. Unauthorized disclosure of confidential information might damage the Sapient brand severely and/or lead to financial penalties for Sapient.

Examples: Passwords, Firewall Configurations, List of open security risks, Backup Media, Contracts, Customer Account Numbers, Salaries, Audit reports, Strategic plans or Undisclosed Financials, etc.

EXTRA CARE MUST BE GIVEN TO THE HANDLING AND PROTECTION OF CLIENT INFORMATION. EVEN CLIENT INFORMATION SUCH AS HOST NAMES MAY BE SEEN AS SENSITIVE INFORMATION BY THE CLIENT.

Personally Identifiable Information (PII) Protection

PII is information that, either alone or in combination with another piece of information, can identify a specific individual.

Some examples of PII include one or more of the following:

  • U.S. Social Security Number
  • U.K. National Insurance Number
  • India PAN
  • Credit Card Number
  • Health Information (prescriptions, treatment or payment for either)
  • Person’s name
  • Home or shipping address
  • Home phone number / mobile phone number
  • Email address
  • Customer ID # / Employee ID #

PII is a prime target for hackers & other criminals because it could lead to identity theft. Some countries have very strict regulations for the protection of PII. At Sapient we have to achieve & maintain compliance with various laws & Client contractual requirements. Some of the legal compliance requirements for Sapient may include:

  • UK Data Protection Act 1998
  • EU Data Protection Directive
  • Massachusetts Privacy Law (MA201)
  • IT Act 2000 (India), amended 2008 & 2011
  • HIPAA (North America)

If you develop a Web application that will collect, process or store any form of PII, then GSO must security test the solution and any high security risks must be mitigated before it goes to production.

If you develop a Web application that will collect, process or store any form of PII and Sapient will host the application, seek approval from GSO and Legal.

If you develop a Web application that will collect, process or store credit card data, then Sapient cannot host it. Seek guidance and approval from GSO and Legal.

If you need software or cloud services or hosting services for Sapient business, contact IT or ISST to initiate a request. Do not purchase these things on a company or personal credit card.

As a best practice we should never see or handle PII, particularly that of our Clients.

If PII handling is unavoidable, then;

  • The Client should mask the PII. If the Client cannot mask it, Sapient should mask it so that the real data is removed (a sample PII masking script is available on the Global Security Office People Portal page).
  • Avoid storing PII on your machine or on any unauthorized device, including removable media such as pen drives, CDs, DVDs etc.
  • Ensure you have full disk encryption software (e.g., BitLocker, PGP or FileVault) installed on your Sapient laptop or desktop. If your computer is ever lost or stolen, Sapient's risk is greatly reduced. Contact IT Local Support to schedule the installation of full disk encryption if you need it.
  • Teams that handle sensitive information (PII, Intellectual Property) may require Data Loss Prevention (DLP) technology. Contact GSO if you are concerned about the sensitivity of the information your team handles.
  • Only share it with people who have a need to know.
  • If you use a password to encrypt information, call the recipient to tell them the password (never send the password in the same way you sent the information).
  • Destroy the PII when it is no longer needed.

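The masking step in the list above is a technique rather than a rule, so here is a worked illustration. The Python script below is an added example and is not the sample masking script from the Global Security Office People Portal; the records it processes are constructed test values (not real people or accounts), and the patterns it uses for US SSNs, UK National Insurance numbers, India PANs, payment card numbers and email addresses are assumptions that a real script would need to tune to the Client's data. It shows the two details that matter in practice: a run of digits is only masked as a card number if it passes the Luhn checksum (so a 16-digit order reference is left alone), and masked identifiers keep their last four digits or their domain so the record is still usable for testing. Free-text names and addresses cannot be found reliably by pattern matching and need field-aware masking, which this script deliberately does not attempt.

```python
"""Mask common PII identifiers in free-text records before the data leaves the Client.

Added example; not the GSO masking script. All sample values below are constructed.
"""
import re
from typing import List

# Constructed sample records; the identifiers are made-up test values, not real PII.
SAMPLE_RECORDS: List[str] = [
    "name=Jane Doe, ssn=123-45-6789, card=4111 1111 1111 1111, email=jane.doe@example.com",
    "name=Ravi Kumar, pan=ABCDE1234F, card=5555-5555-5555-4444, email=ravi@example.org",
    "name=Sam Smith, nino=AB123456C, orderref=1234 5678 9012 3456, email=s@example.co.uk",
    "ticket=INC-4521, note=invoice 2024-11-03 amount 1234.56, no PII here",
]


def luhn_ok(digits: str) -> bool:
    """Return True if a digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_card(m: re.Match) -> str:
    """Mask a candidate card number (keeping the last four digits) only if Luhn validates it."""
    raw = m.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw              # not a card number (e.g. an order reference): leave unchanged
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(m: re.Match) -> str:
    """Keep the first character and the domain so the record stays recognisable but not usable."""
    local, domain = m.group(1), m.group(2)
    return f"{local[0]}***@{domain}"


# (pattern, replacement) pairs, applied in this order. Replacements are strings or callables.
# The patterns are assumptions for this example; tune them to the Client's data formats.
RULES = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), lambda m: "***-**-" + m.group(0)[-4:]),   # US SSN
    (re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"), "NINO-REDACTED"),             # UK NI number
    (re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b"), "PAN-REDACTED"),                          # India PAN
    (re.compile(r"\b\d(?:[ -]?\d){12,18}\b"), mask_card),                             # 13-19 digit card
    (re.compile(r"\b([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b"), mask_email),  # email
]


def mask_record(record: str) -> str:
    """Apply every masking rule to one text record and return the masked copy."""
    for pattern, replacement in RULES:
        record = pattern.sub(replacement, record)
    return record


def mask_records(records: List[str]) -> List[str]:
    """Mask a list of records; the input list is not modified."""
    return [mask_record(r) for r in records]


if __name__ == "__main__":
    for line in mask_records(SAMPLE_RECORDS):
        print(line)
```

Run it and the third record keeps its order reference (the digits fail the Luhn check) while every real identifier is masked. Keep the masked output, not the original, in any test environment, and destroy the unmasked extract as soon as the masking has been verified.
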
Consult the Global Security Office to ensure that best security practices are followed and Sapient is not taking on undue risk.

Breach Reporting

A PII breach is an unauthorized disclosure of PII.

Examples of a PII breach include:

  • Posting people’s names & account numbers on public websites
  • A lost or stolen laptop that contains sensitive Client data, or PII
  • Sharing PII or Client sensitive information with People who should not see it
  • A hacked computer that housed PII or Client sensitive information

You play an important role in helping us protect PII. If you know of or suspect a PII breach, report it immediately to the GSO leadership team.

Understanding and Reporting Security Incidents

A security incident may include a compromise of Sapient asset(s) or harm to Sapient people. Some examples of security incidents include:

  • Loss of facilities, people or critical business processes
  • Loss or theft of Sapient assets e.g. laptops
  • Loss of service or system malfunction
  • Using someone else’s access card to enter a Sapient office
  • Unauthorized access to a system
  • Malicious use of Sapient assets
  • Damage to Sapient property

Another form of security incident is a business continuity event that endangers Sapient people or disrupts our business operations (e.g., riots, tornado, earthquake, flu epidemic, transport strike, etc.)

How to Report a Security Incident

Everyone plays an active role in reporting incidents.
Please use the helpdesk category “Security Incident” and provide details.

If for some reason, the helpdesk is not accessible, or the situation demands urgent attention of the Incident Response Team, please call the Global Hotline.

Human life is more precious than anything else. Ensure first that you are safe during a disaster. Contact emergency services e.g. Police, Fire Department, and Hospital, if needed, before reporting an incident.

Sapient Business Continuity

The Global Security Office maintains Business Continuity Plans for key geographies. At a high level:

  • Business Continuity Plans include Call Tree information so the right people can be called to action when needed, and
  • Recovery plans to guide recovery of our critical operations.

You have a significant role to play when “Business is not as Usual”. Ensure your readiness by taking the following steps:

  • Know your role within your team in the event of a business continuity incident.
  • Know how to reach other team members and necessary people during a business continuity incident and know what to do.
  • If you are responsible for maintaining your team’s Recovery Plans, keep them up to date. In particular be sure that your team’s call-trees are accurate.
  • Always remember to keep your contact details updated in Oracle. This will help Sapient to contact you during a Business Continuity incident.
  • Participate in the Business Continuity tests if asked to do so.

Security Best Practices

The world is full of security threats. You should be aware of them and take measures to protect any sensitive data that you may have in your possession or have access to whether in the office, at home or while travelling.

This section describes common security issues and safeguards relating to:

  • Social networking
  • Browsing safely
  • Cloud computing
  • Sapient Box
  • Telecommuting and mobile device security
  • Wi-Fi security
  • Password security
  • E-mail, IM and telephone security
  • Protecting your desktop and laptop
  • Physical security

Social Networking

Never post any confidential or internal information about Sapient or our Clients on social networking sites or other public sites.

You should also be careful about what Personal Information you post on social networking sites as cyber criminals could use that information to guess your passwords and potentially access Sapient or Client information. By using the information you post about yourself or your colleagues, criminals may learn enough about you to launch an attack.

You may think information such as who your online ‘friends’ are, whether you are presently home or travelling, where you work, where you went to school, etc. is harmless, but criminals can use this information to attempt fraud or other crimes. A recent ‘social engineering’ exercise revealed that hackers are sometimes able to gain access to your personal email, Facebook, Twitter, and even online banking accounts by hijacking an alternate email account that you may have used to setup your primary email account.

For example, say an attacker learned that you attended Indiana University. Perhaps the password reset features in use there are weak enabling the attacker to guess your Indiana University email account password (that you may not even know is still active) by providing some piece of personal information that you’ve made ‘public’. The hacker then may use this email account to reset your current Gmail account password, then use your Gmail account to reset your current online banking account password. Scary but this has happened.

Be aware that some social networking sites offer privacy controls allowing you to control access to your information. The problem with privacy controls is that they do not always work as you expect, and therefore it is best to assume any information you do post will eventually become public, regardless of the privacy controls you use. If you do not want your information to become public, do not post it.

You must also be careful of what others post about you. Ask your friends to be considerate of your privacy. Be careful of 3rd-party applications that integrate with Social Networking sites. They may be infected with malware or attempt to access your personal information. Only install applications that are from the trusted sources.

If you have any questions about what you should or should not post, please contact the Global Security Office.

Browsing Safely

Cyber criminals have developed various techniques for attacking browsers. Commonly, cyber criminals use tools that attack and exploit your browser. They place these attack tools on websites and when you visit these websites, these malicious tools silently infect your browser. If your browser is vulnerable, cyber criminals will get control of your browser and your entire computer, with no indication this occurred. There is no simple way to tell if a website is safe or malicious. Even legitimate sites can be compromised and used to attack your computer.

However, most modern browsers maintain a list of known malicious websites. If you accidentally visit one of these known malicious websites, your browser will post a warning. If your browser warns you against visiting a website, do not connect to it.

Below are some tips for safe browsing:

  • Use the most current and updated version of your browser.
  • Do not install plugins and add-ons into your browsers unless you absolutely need them. If you have plugins installed in your browser, keep them updated. Java is one of the largest sources of security threats; if you use Java, please keep it updated.
  • Disable pop-ups on unknown sites within your browser.
  • Scan downloaded files using your antivirus software.
  • Don’t accept offers of free PC scans that pop up when you use the Internet. Often they try to install malicious or tracking software on your PC. Close these pop-ups.
  • While it is convenient to save your passwords in your browser, it may be a security risk. Consider disabling the ‘Remember Password’ option.
  • Do not click on any link if you are not sure of its source.
  • Don’t download ‘Torrents’ or illegal pirated movies, software, etc on to a Sapient device.
  • Always look for secure session indicators such as https:// and the padlock icon on websites that ask for personal information. Remember that https:// only means the connection to that site is encrypted, not that the site is legitimate; a phishing site can use it too, so also check that the address is the site you intended to visit.

Do not use public sites to share Sapient or Client sensitive information. Use a Sapient provided secure file sharing tool such as Sapient Share.

Cloud Computing

People store many different types of information within 'Clouds'. Before you put any data within the Cloud, first consider who will be able to see it. How sure are you that only the right people can see the data you put there?

The information stored in the Cloud may be seen as valuable to individuals with malicious intent. You should be concerned with:

  • How will the Cloud provider protect your information?
  • Who will they share your information with?
  • How long will they hold on to your information?
  • Will they tell you if it’s been compromised?

No matter how careful you are with your information, by subscribing to a Cloud service you give some control of your information to external people. Avoid using general purpose public Clouds to house Sapient information, Client information or your personal information.

Sapient Box.com

Sapient Box.com is a file sharing and collaboration solution – powered by Box.com. This tool is a new way to share and store files, improving the way we collaborate on work at Sapient. While Box makes the file sharing and collaboration easy for Sapient and its clients, it also has some inherent risks that may lead to unauthorized access and data leakage.

Please do your part in helping us keep Sapient safe, and carefully follow the below do’s and don’ts.

  • Do email the Global Security Office if you have any questions about data security.
  • Don’t put Personally Identifiable Information (PII) in Box.com. This includes US Social Security Numbers, UK National Insurance Numbers, India PANs, German ID Numbers, credit card data, and Protected Health Information (PHI) that can be linked to an individual.
  • Don’t use Box.com for client materials if your client prohibits the use of third-party or cloud storage of its data (please contact the Legal team if you are unsure of your client’s requirements)
  • Don’t share confidential information of one client with another!
  • Don't allow non-Sapient employees or non-Sapient contractors to own or co-own a Box folder.
  • Don’t set a folder’s permission to 'open'. Files set to 'open' must use a password and cannot be confidential information.
  • Don't synchronize a folder with Box.com unless you are sure it meets all of these requirements.
  • Do contact the Helpdesk or IT Operations team if you have trouble using the Box.com solution.

Telecommuting and mobile device security

Technology has enabled us to work away from the office, either from home or while traveling. This provides great flexibility, but also has certain risks. Follow the below steps to work both effectively and securely when away from the office.

  • Be careful when using laptops, tablets or smartphones in public places. Avoid the risk of your screen being overlooked by unauthorized persons (shoulder-surfing).
  • Never leave laptops unlocked and unattended in public places. Cable locks should be used to physically secure laptops.
  • Laptops or tablets must not be checked-in while traveling and should be a part of the cabin luggage.
  • Consider disabling the Infrared and Bluetooth services if you don’t need them.
  • Avoid storing passwords of other systems (e.g. email, ATM card, network login, etc.) on mobile computing devices.
  • Only download apps from authorized ‘App Stores’
  • If you use home computer to connect to the Sapient network, ensure it has anti-virus software with updated signature files.
  • Immediately report a lost or stolen device. Submit a helpdesk ticket with details.

Wi-Fi Security

Wireless networks, also known as Wi-Fi, do not require a wire between a computer and the internet connection. It is possible for attackers to hijack or intercept an unprotected connection if they are within the wireless signal’s range. Consider following the below security best practices to protect yourself from attackers.

At home

  • You can make your wireless network invisible to casual browsing by disabling your router’s SSID broadcast (known as a closed network on Apple wireless equipment; refer to your device manual or seek tech support from your vendor / ISP). Be aware that this is not a security control: your own devices reveal the network name in their probe requests and any wireless scanning tool will still list the network. Treat it as optional tidiness, not protection.
  • Change your router’s default network name (SSID). Choose a name that is not descriptive and does not tell people that it belongs to you.
  • Change your router’s default administrative password. Use a strong password that is easy to remember but hard to guess (see the next topic on “Password Security” for details).
  • Ensure you are using WPA2 security rather than WEP (which attackers can break in minutes) for the wireless setup at your home, with a strong passphrase. This is the control that actually protects your traffic.

In public places

Whether on a ‘secured’ (encrypted) Wi-Fi connection or an unsecured network, be mindful that such encryption stops at the Wireless Access Point (WAP) that you connected to. In other words, anyone managing that WAP could see your data, and anyone beyond that WAP (wherever you go on the Internet) may be able to see your data if your application session is not encrypted as well. A few things you should know:

  • Any time you access your Sapient email, the session is encrypted from your laptop, tablet or phone all the way back to Sapient’s Exchange servers. The exception is when you see a certificate error while connected to a WAP: that error can mean someone on that network is intercepting the connection (a “man in the middle”) and capturing your data. Do not click through it. Drop the connection and go somewhere else!
  • If you need to use more than Sapient email, connect to Sapient securely using VPN or WebVPN.
  • If using any other applications, be sure that your application session is secure.
  • When joining a public Wi-Fi network, ensure any custom folder/file sharing you may have previously setup is disabled. This will prevent attackers from gaining access to your sensitive files while you are on these networks. Also, if you configured your device as a ‘hotspot’ you should turn it off.
  • Be aware of your surroundings. Check if others are using their computers in close proximity to you? Can others see your screen?

Password Security

Passwords are the most common means of authentication, but if you don't choose good passwords or keep them confidential they become ineffective.
To protect your passwords, follow the below best practices:

  • Never use your Sapient password for your personal accounts! If a criminal breaches another business where you have a personal login account, they will try the same password against Sapient’s network next.
  • Use a password that is hard to guess. Don’t use dictionary words, the names of your family members/relatives, or the Sapient domain name. Criminals have dictionaries too, and they mine Social Networking sites for information.
  • Select a password with a minimum length of 8 characters consisting of at least one uppercase letter, one lowercase letter, one numeric character and one symbol. Longer passwords or passphrases are much harder to crack, so treat 8 characters as a floor, not a target.
  • Don’t reuse old passwords.
  • Never use a public computer to login to your bank account or to Sapient systems or network. Public computers may contain unseen ‘key loggers’ that capture every keystroke you type in.
  • Never communicate a password via the same mechanism you used to send the encrypted file. Communicate passwords via ‘out of band’ methods such as an SMS text or a voice mail.
  • Never share your password with anyone. Change your password every 90 days and change it immediately if you feel it may have been compromised.

Email, IM and Telephone Security

Criminals commonly use legitimate-looking emails or Instant Messages to deceive you by pretending to be someone you trust, such as an old friend or your bank. Such phishing attacks are now common. The criminals lure you in by gaining your trust, then try to get you to divulge confidential information such as your password, credit card details, bank account numbers, etc.

Here is an example e-mail sent by a cyber criminal pretending to be a well-known bank:

Dear Sam,

Good morning, I am Jim; I look after the online features available to our customers.

We have recently upgraded our website and added a few more facilities. We request you to log on to your account and try out these additional options.

Use the link below to log on with your Internet user ID and password.

www.somebank/netbanking

We would appreciate it if you could then provide us with your feedback.

Thanks,

Jim
Customer Executive

Be aware that such emails may look extremely legitimate. The moment you click the link in this email, you are taken to a website controlled by the cyber criminal. These websites are designed to appear legitimate, collect your information, steal your money, and infect your computer so that it can be used to attack other computers and networks you connect to. Don’t automatically trust emails or Instant Messages. If your bank wants some information from you, call them yourself using the phone number you know is legitimate.

Consider the following best practices:

  • Be skeptical of any email that requires immediate action or threatens to shut down your account.
  • Do not click on links. If you get an email from your bank, type your bank's website in your browser, then login to the website directly.
  • Just because an email message looks like it came from an old friend, bank, or family doesn't mean that it did.
  • Save and scan attachments before opening them and turn off the option to automatically download them.
  • Do not share Sapient or Client information over public email or IM and always remember to logout after use.
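
As an added example, not part of the original training, here is a Python script that performs the check a security team would run on a suspicious message before anyone clicks: it extracts every link from the HTML body and flags the classic warning signs of a phishing link, namely visible link text that names one site while the href points to another, a plain http:// link, a bare IP address as the host, and a host outside the domain you expect to be dealing with. The sample message and every domain in it are constructed for this example (somebank.example is assumed to be the bank's real domain). The registrable-domain helper simply takes the last two labels of the host, which is an approximation; a production tool would consult the public suffix list.

```python
"""Flag phishing indicators in the links of an HTML email body.

Added example; the message, domains and trusted-domain set are constructed for illustration.
"""
import ipaddress
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample, modelled on the bank email in the text. All domains are made up.
SAMPLE_HTML = """
<p>Dear Sam,</p>
<p>Use the link below to logon with your Internet user ID and password.</p>
<p><a href="http://somebank.example.net.login-verify.example/netbanking">www.somebank.example/netbanking</a></p>
<p>Or confirm here: <a href="https://203.0.113.10/secure">Secure login</a></p>
<p>Our help page: <a href="https://www.somebank.example/help">www.somebank.example/help</a></p>
"""

# Assumption: the domain the recipient believes they are dealing with.
TRUSTED_DOMAINS = {"somebank.example"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels (no public suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(text_or_url: str) -> str:
    """Host of a URL, tolerating bare link text such as www.example.com/path."""
    if "://" not in text_or_url:
        text_or_url = "http://" + text_or_url
    return urlparse(text_or_url).hostname or ""


def analyse_link(href: str, text: str, trusted=TRUSTED_DOMAINS) -> List[str]:
    """Return the warning reasons for one link; an empty list means nothing suspicious."""
    reasons: List[str] = []
    url = urlparse(href)
    host = url.hostname or ""
    if url.scheme != "https":
        reasons.append("not https")
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address")
    except ValueError:
        pass                                    # a hostname, not an IP literal
    href_domain = registered_domain(host)
    if trusted and href_domain not in trusted:
        reasons.append(f"host {host} is not a trusted domain")
    # Link text that looks like a URL but points somewhere else is the classic phishing trick.
    shown_host = host_of(text) if "." in text and " " not in text else ""
    if shown_host and registered_domain(shown_host) != href_domain:
        reasons.append(f"link text shows {shown_host} but href goes to {host}")
    return reasons


def analyse_email(html: str, trusted=TRUSTED_DOMAINS) -> List[Tuple[str, str, List[str]]]:
    """Parse the body and return (href, text, reasons) for every link found."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, analyse_link(href, text, trusted)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, reasons in analyse_email(SAMPLE_HTML):
        print(("SUSPICIOUS " if reasons else "ok         ") + href, reasons)
```

On the sample, the first link is flagged three times (plain http, untrusted host, and text/href mismatch), the second for its bare IP address and untrusted host, and the genuine help link is clean. The same logic is what a helpdesk triage step would apply to a forwarded message before telling the reporter whether it was safe.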

Also, if you receive a phone call from someone posing as your bank, a government official, or other person that you don’t know who requests information, first question the caller to ensure the caller is legitimate. Don’t be bullied into providing information that you suspect may be sensitive in nature without first ensuring the caller is legitimate. Get the person’s contact information and ask to call them back (after speaking with your manager).

If you receive a suspicious email, don’t open any attachments or click on any links. If you are suspicious about any communication directed at you, open a helpdesk ticket using the Security Incident category. Read more about Social Engineering (refer to Terms).

Securing Your Laptop and Desktop

Laptops and desktops are a prime target by cyber attackers. Follow the below best practices to protect your devices:

  • Don’t leave your laptop unattended or unlocked. If you are in a public place such as a hotel, airport, restaurant or bar, don’t leave your laptop behind. Make it your ‘restroom buddy’ if you need to.
  • DON’T LEAVE YOUR LAPTOP UNATTENDED IN YOUR CAR!
  • Do not check-in your laptop while traveling. Carry it by hand as cabin luggage.
  • Never leave your laptop on your desk overnight under any circumstances. If you need to leave it in a public place, for instance at a conference, you can request a cable lock from IT.
  • Do not disable automatic patching. Keep your application and operating system patching up to date. Attackers can exploit old versions of applications.
  • Never share a folder on your machines with ‘everyone’.
  • Avoid storing PII, client sensitive information or Sapient confidential information on your local hard disk, or unencrypted device.
  • Shut down your laptop at the end of the day and take it home with you. If you cannot travel into the office the next work day due to closed roads or other problem at the office, you can still work remotely.
  • If your laptop is stolen, report it to the police immediately and log a Helpdesk ticket (using another machine or through someone) informing of the theft.

Physical Security

Physical security is integral part of Sapient’s overall security program. Here are some steps that you can take to protect yourself and Sapient against physical security threats:

  • Use your access cards to gain entry. Never tailgate or share access cards.
  • Do not prop open secured doors. This allows easy access to unauthorized people.
  • Use the emergency exits only in case of emergency.
  • Collect your printouts as soon as you send them for printing. In case there is an error in the printer and your document is stuck, delete it from the queue and try printing again later.
  • Collect any documents intended for you at the fax machine
  • Make sure the documents thrown in trash bins do not contain PII or Client sensitive information. Use the shredding bins instead. Criminals may later search through garbage looking for such information.
  • Make sure there is no removable media lying unattended around your workstation.
  • Any documents or media containing confidential information should be kept in the locked drawers/cabinets when unattended.
  • Destroy the old disks lying in your drawer if not in use. Log a helpdesk ticket to dispose of hard disk drives or other media securely. Search for ‘Data Destruction Standard’ on the People Portal for details.
  • If asked to participate in the fire evacuation drills, participate and follow the instructions of the drill organizers.
  • Do not leave your valuable personal belongings unattended or unsecured in the office.

How GSO Can Help You

We hope that you enjoyed the Security at Sapient training.

Sapient’s Global Security Office (GSO) team works closely with Project and GSS teams to address the security needs of Sapient and our Clients.

Contact GSO if you need assistance with any of the following:

  • Security testing of Sapient-developed web solutions
  • Security architecture guidance
  • PII and sensitive information protection guidance
  • Assessing security risks within your project team
  • Improving security awareness and education within your team
  • Participating in Client visits or audits and presenting our security capabilities
  • Responding to security questionnaires and applicable RFP responses
  • Tools and templates (e.g. data masking guidelines, business continuity templates, etc.)
  • Guidance on security compliance requirements
  • Business Continuity Planning guidance, implementation and testing
  • Disaster Recovery Planning guidance, implementation and testing
  • Assessing security risks within Sapient suppliers

If you have competitors or vendors working within your project, reach out to Global Security Office for guidance.

If you are deciding whether to use any cloud or third-party technology solution, request a review with the Global Security Office to vet the solution from a security standpoint.

If you develop code for Sapient or our Clients, you should take the ‘Secure Coding Practices’ training, if you are part of recovery team take ‘Business Continuity Training’ available in the Learning Center.

Global Security Office develops and maintains Sapient’s Information Security Policies and procedures. Please visit our People Portal section to read the security policies and other security reference materials.

Terms

Confidentiality: Keep private stuff private (ensure that information is available to authorized people only).

Integrity: Prevent unauthorized changes to the information and ensure that it is complete and correct.

Availability: Ensure the information is available to authorized people when needed.

Social networking: Social networking websites and applications, such as Facebook, LinkedIn, Twitter, Path, Instagram, etc., are virtual online communities or tools that allow people to connect from around the world. You create an account, post information about yourself and then share that information with the people in your friends list.

Cloud: Cloud computing is a subscription-based service through which you obtain storage space and computing resources from a provider. A simple way to understand it is your experience with a personal email account such as Gmail, Yahoo Mail or Hotmail: to read your mail you open a web browser, go to the email site and log in. The mail is not stored on your own computer; you reach it over an internet connection, from anywhere. Cloud computing works the same way, except that instead of just email you choose the information, software and applications you want to access in the cloud. The cloud provider owns and houses the hardware and software needed to run your home or business applications.

Social engineering: Social engineering is one of the most common techniques attackers use to gain access to sensitive information. In a social engineering attack, the attacker pretends to be someone you know or trust, such as a co-worker, a friend or your bank, and tricks you into sharing confidential information. Here are a few examples of social engineering attacks:

  • You get an e-mail in which you are persuaded to advance sums of money to get significantly larger gain.
  • An attacker hacks your friend’s account and then emails you a link or an attachment. You trust the e-mail and open the link or attachment that has the malicious code that allows access of your personal information to the attacker.
  • Email received from a bank explaining there is some problem with your account, which needs you to logon immediately, usually to a fake site.

Below are the steps to avoid social engineering attacks.

  • Slow down and research the facts first. Don’t follow the links; instead type the website’s address into your browser yourself and check.
  • If you receive an email from someone you know asking for help, contact them offline to ensure the request is legitimate.
  • Be suspicious of any unsolicited phone calls, visits, or email messages from individuals asking about internal/confidential information.
  • If an unknown individual asks for some information and claims to be from Sapient, ask pertinent questions to verify his identity. If in doubt, offer to call back.
  • Do not reveal sensitive information on blogs or social networking sites.
  • Don’t open email attachments if you were not expecting them or have any suspicion about them.

Email Global Security Office when in doubt.