DO’s and DON’T’s

To be followed by Employees at BHEL PS:WR

TOPIC Page #

Physical & Environmental Security 2

Control against Malicious Code 2

Use of Desktops/Laptops 3

Using E-Mails 3

Password Selection and Handling 4

Internet Usage 6

Incident Reporting 7

Clear Desk and Screen Policy 8

Page 1 of 8
Physical & Environmental Security
1. Hazardous or combustible materials should not be stored in or nearby IT Section &
Server room.
2. Network cabling should be protected from damage.

Control against Malicious Code

1. Use of CDs brought from outside should be done only after scanning them for
viruses. The responsibility of this scanning is that of the owner of the PC at
workplace.
2. Do not install or play computer games on your Personal Computer. Games are the
most common carriers of computer viruses.
3. Do not boot your computer with a diskette that has not been scanned for viruses
even if you think the diskette only contains data. Never boot your computer from a
diskette created on another computer.
4. If you normally boot your computer from the hard drive, make sure that there isn't a
diskette in the diskette drive.
5. Many offensive sites are known to carry malware and if someone visits these sites,
malware are automatically installed in computer. Users are required to pay caution
while using Internet. They should visit only known sites. If some site asks to install
some program like ActiveX control, user should always click “No” or “Cancel”.
6. If you suspect that your computer is infected with virus or other malware, notify IT
Section as soon as possible. Do not attempt to remove the virus/malware unless
your antivirus software does it automatically for you. Stop using your computer and
make sure that the infected computer and any media used on it are isolated until the
problem is fixed.
7. Do not try to uninstall or change the settings of Antivirus software, as it may render
your PC vulnerable.
8. Do not share any folder with full access and without password.
9. Do not open e-mail from unknown sources. Do not open e-mail attachments if you
are not expecting an attachment from someone you know or trust. Many of the new
generation viruses, come as attached files and are designed to spread themselves
by opening PC’s address books and mailing themselves to all the addresses in the
address book.
10. Do not allow anybody from outside e.g. vendors/customers to plug their laptops into
the network as it may contain the virus. If connection is unavoidable, inform system
administrator for necessary actions.

Page 2 of 8
Use of Desktops/Laptops
1. All passwords should conform to the guidelines in password management. Users
should avoid storing passwords or other information that can be used to gain access
to other computing resources.
2. Users should not run any unauthorized or undocumented software on their desktops.
3. Users should not share the folder on their PC without password and in full access
mode as someone can delete or modify the existing files in shared directory. Cases
have been reported where someone has copied unwanted/objectionable files in
shared directory. Whenever required, sharing should be done in ‘READ ONLY’
mode. Sharing of folder should be removed immediately, when job is finished.
4. In case of more than one person share a PC, one of them should be named as in-
charge of the PC by the controlling officer. He will be responsible for software and
data contents of that PC.
5. User should not install and play computer games on PC/Laptop.
6. User should maintain following Guidelines while carrying any Laptop:
a. Important & sensitive business data in Laptop should be encrypted when it is
taken outside the organization.
b. Laptop should be carried as Cabin Baggage while traveling by Air.
c. Latest Patches & Updates of Antivirus software should be installed in the
Laptop.
7. Laptops from outside should be brought to IT Department which must ensure that
Antivirus Software is installed in it and is properly updated. And if not then machine
shall not be allowed to be connected to organizational network

Using E-Mails
1. Electronic mail services should not be used for unlawful activities, commercial
purposes, personal financial gain or uses that violate Company’s policies or
guidelines.
2. It is strictly prohibited to send or forward emails containing libelous, defamatory,
offensive, objectionable, racist or obscene messages. If user receives an e-mail of
this nature, he/she must promptly notify to their reporting officer to take necessary
action.
3. User should not use the service for chain letters, junk mail, Spam mail (that is, to
exploit list servers or similar broadcast systems for purposes beyond their intended
scope to amplify the widespread distribution of unsolicited email), letter bomb, (that
is, to re-send the same email repeatedly to one or more recipients to interfere with
the recipient's use of email), email forums or any distribution lists without specific
permission to be included in such process.
4. Confidential and proprietary material should not be sent through this service.

Page 3 of 8
 5. Copyright and IPR laws must be followed.
6. Email user should not forge or attempt to forge email messages.
7. Email User should not disguise or attempt to disguise their identity when sending
mail.
8. Email user should protect their email account password and it should not be shared,
as user should be responsible for message sent/received from his/her email
account.
9. Email User should not send email messages using another person’s email account
without acquiring specific permission from owner.
10. Incoming e-mail must be treated with utmost care due to its inherent Information
Security risks. Users are required to desist from opening mails or attachment
message received from unknown sender, as it may contain virus. Such attachments
should be scanned for possible viruses or other malicious code.
11. Directories of BHEL email addresses should not be made available to public outside
BHEL.
12. Electronic mail users should not give the impression that they are representing,
giving opinions, or otherwise making statements on behalf of the BHEL or any unit of
BHEL, unless appropriately authorized (explicitly or implicitly) to do so.
13. Users should desist from subscribing to a newsletter, mailing list or news group for
non-official use.
14. To efficiently use the disk space, email user should do the regular housekeeping of
their email directory by deleting permanently all old and unwanted mails. Ideally,
housekeeping should be done once in a quarter.
15. Users should delete email messages that are unnecessary.
16. Email users who have configured mail client software like Outlook Express,
Microsoft Outlook, Windows Mail on their PC, should take regular backup of their
important mail.

Password Selection and Handling

1. General rules to keep in mind:
a. The account owner should keep the password confidential and group account
password should be confidential within the group members.
b. The email account owner must change passwords once in 2 months.
c. Password should be changed immediately if there is suspicion that it could
have been revealed, e.g. during demonstration, or if an unauthorized access
has been made through account.
d. Default password should be changed immediately on putting system/account
into operation when first logging on. In case of systems/account/hardware,

Page 4 of 8
 which is supplied without passwords, password protection should be activated
on putting the system/account/hardware into operation.
e. All account should have password. However account for common application
like publicly available application may operate without password. Such
application owner should ensure that ISMS Policy Manual is being followed
and no unauthorized access is permitted through these accounts.
2. Password Selection
a. Use both uppercase and lowercase letters if the computer system considers
an uppercase letter to be different from a lowercase letter when the password
is entered.
b. Include digits and punctuation characters as well as letters.
c. Choose something easily remembered so it doesn't have to be written down.
d. The passwords must be of minimum eight (8) digits. Longer the
password the better. Password security is improved slightly by having long
passwords.
e. It should be easy to type quickly so someone cannot follow what was typed
by watching the keyboard.
f. Put together an acronym that has special meaning to you, like NOTFSW
(None Of This Fancy Stuff Works) or AVPEGCAN (All VAX Programmers Eat
Green Cheese At Night).
3. Password Handling
a. Never write down a password. You should not write your password on your
desk calendar, on a Post-It label attached to your computer terminal, or on
the pullout drawer of your desk.
b. If you really need to write down a password, follow a few precautions:
i. Do not identify the password as being a password
ii. Do not include the name of the account or the phone number of the
computer on the same piece of paper
iii. Do not attach the password to a terminal, keyboard, or any part of a
computer
iv. Mix in some "noise" characters or scramble the written version of the
password in a way that you remember, but make the written version
different from the real password
v. Never record a password on-line and never send a password to
another person via electronic mail
vi. Passwords belong to individuals and must never be shared with
anyone else

Page 5 of 8
Internet Usage
1. Users are prohibited from transmitting or downloading material that is offensive,
objectionable, obscene, pornographic, threatening, racially or sexually harassing.
Users are prohibited to visit gambling or on-line games sites.
2. Users are prohibited from distributing, disclosing or selling proprietary information or
advocating religious or political cause.
3. Browsing mails on other web based mailing systems like <hotmail.com> <rediffmail>
<yahoomail> etc. are allowed on specific permission basis.
4. Many offensive sites are known to carry malware and if someone visits these sites,
malware are automatically installed in computer. Users are required to pay caution
while using Internet. They should visit only known sites. If some site asks to install
some program like ActiveX control, user should always click “No” or “Cancel”.
5. Users are required to pay caution while giving their official email address, when
some website asks for it. Many sites collect these email addresses and sell it to
spammers.
6. Users are required to pay caution while giving their personal information like credit
card number. Now-a-days many forged emails come from supposedly known
banking sites and ask for user-id/password or credit card information.
7. Users are required to pay attention while typing web site addresses. Some web site
owners maintain similar spelled sites e.g. goggle.com and may infect your PCs.
8. User should not reply to offensive or threatening messages via e-mail , discussion
groups, newsgroups or other forums.
9. Users are required to be cautious about relying on information sourced from the
Internet, particularly in the case of medical or other health information. Not all the
information on the Internet is authoritative or reliable.
10. Do not click on popup intimidating windows like “Your Computer Clock is Wrong” or
“You have many spyware installed on your computer”. Simply close the window by
clicking X in the top right corner. Window XP (with SP2) has built-in popup blocker.
Users can use it to block annoying popups.

Page 6 of 8
 INCIDENT REPORTING MATRIX FOR THE USER COMPLAINTS

Any Employee can report the incidence using email ([email protected]) / help
desk phone (3048694/650/682/674)

Incidence must be reported along with following details such as - Date and time of
reporting, Date and time of incidence, Contact details, Description of incidence etc.

Sl Nature of Incident Initial Reporting Normal Escalation Escalation

no Covered in
emergency
1.1 IT related- Virus IT help desk HOD /IT HOD/IT
attacks, Hacking
attempts, Denial of Email Email
service, Unauthorized [email protected] [email protected]
copying / disclosure of PhoneNo: Phone No: 654
information, 674/682/650/694
Tampering,
Unauthorized
modification of
Information
1.2 IT related – S/w IT help desk HOD /IT HOD/IT
malfunctions such
as Alteration of Email Email
configuration of the [email protected] [email protected]
Operating System, or PhoneNo: Phone No: 654
any other observed 674/682/650/694
weaknesses
2 Theft of any BHEL Security Incharge HOD- HR HOF- HR
PS: WR Assets,
Sabotage, Wire-
tapping, Unauthorized
entry in to BHEL
PS:WR premises, or
any other observed
weaknesses
3 Natural disaster Executive-HR HOD- HR HOF- HR
such as Fire etc

Page 7 of 8
CLEAR DESK AND CLEAR SCREEN POLICY

Clear desk and clear screen policy used to reduce the risks of unauthorized access to, or loss
of, or damage to, information:

1) Users should keep the files in suitable locked cabinets when not in use or while not
at desk.
2) When printed, documents should be cleared from printers immediately.
3) Users should classify and label the documents/files.
4) Users should not leave PC Logged on when not in use.
5) User must ensure that a password-protected screensaver is activated when they
leave the PC unattended. Screen saver should initialize after 15 minutes of non-use.
6) User must not leave their PC switched on, unattended for prolonged periods of time
(overnight), unless there are specific system or service, reasons for doing so.
7) Users should keep only limited icons on their desktop screen.

Page 8 of 8