Information Security e-Learning (Module 1)

ISO 27001 is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in Leighton's information risk management processes.


ISO 27001 is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in Leighton's information risk management processes.

Physical Security

All visitors to Leighton must report to Reception to sign the visitors book and be issued with a visitor pass.

The person they are visiting must go to Reception to meet them and show them to their meeting room or desk

If this is the first visit of many, the visitor must be asked to read and sign the Information Security Guidelines for 3rd Party Suppliers.

Physical Security (Section 2)

Dont be afraid to query anyone acting suspiciously - even if they appear to be business like.......

Be aware of tailgating - ensure everyone accesses the building using their own key fob, and if a visitor is entering the building at the same time, politely ask them to be seen and signed in through reception.

Who would you hold the door open to without query?

  • A business dressed male?
  • A well dressed female?
  • A Policeman?
  • A male in a hooded top?
  • None?

Physical Security (Section 3)

Don't allow anyone who you don't know to enter without using their own security fob, and if they are a visitor direct them to Reception and ask them to sign in.  They will then be issued with a visitor pass.

You must always have your security fob with you, to open the access doors to your business area.

Physical Security (Section 4)


Logout when you leave your computer or use a screen saver with a password.

Clear your desk at the end of the day and lock up your cabinets and drawers. 

Protect your laptop and information from theft, damage and misuse.

Familiarise yourself with emergency procedures.



Leave printouts lying around - collect these immediately. 

Connect non-Leighton controlled equipment to the network.

Can you share your security fob with anyone?

  • Yes
  • No
  • Don't Know

How do you access the Information Security Handbook? Select all that apply

  • PeopleHR
  • Don't Know
  • My Documents
  • SharePoint

Which policy provides guidance on physical security?

  • Information Security Handbook?
  • Leighton Employee Handbook?
  • Clear Desk and Screen Policy?
  • All?

What must all visitors to Leighton do on arrival?

  • Go straight to the meeting room?
  • Report to Reception?
  • Wander around until they find the right person they are meeting?

Information Security


Auto-forward e-mail to a non-Leighton e-mail account.

Let others use your Leighton company computer equipment.

Enable file sharing on your laptop.


Ensure your laptop is protected by antivirus software and up to date virus patterns.  Always notify IT if you suspect of any issues.

Information Security (Section 2)

Users are responsible for the practicing of strict security control when travelling.  Laptops must not be left unattended and exposed to situations where there is an increased risk of theft, such as being left in a parked car.  When boarding a plane, laptops should be transported in the cabin under the control of the user.

Information Security (Section 3)


Exploit weaknesses of any Leighton system - it will be treated as misuse and subject to Leighton's disciplinary action.


Report any suspicious or unusual system behaviour to the IT Service Desk.

Information Security (Section 4)

Examples of other types of information security incidents are:

  • Any breach of Leighton information security management systems related policies.
  • Ay unusual behaviour of persons or visitors to Leighton's offices.

Examples of technical security incidents are:

  • Lost of stolen IT equipment.
  • Computer virus or malware.
  • Software and systems which don't operate as expected.

Non-Compliance with the Information Security Handbook and any other Leighton information security policies ad procedures may result in? Please tick the ones which you think are correct.

  • Suspension to Leighton system access?
  • Disciplinary actions?
  • Potential termination of employment?
  • Potential legal action?

Information Security (Section 5)

Leighton act in accordance with the Data Protection principles governing the processing of personal data which are listed below:

It will be processed fairly and lawfully;

It will be obtained only for specified and lawful purposes and will not be processed in any manner incompatible with those purposes;

It will be adequate, relevant and not excessive in relation to the purposes for which it is processed;

It will be accurate and, where necessary, kept up to date;

It will be kept for no longer than is necessary for the purpose for which it is processed;

It will be processed in accordance with the rights of data subjects under the Act;

It will be subject to appropriate technical and organisational measures to protect against unauthorised or unlawful processing and accidental loss, destruction or damage;

It will not be transferred to a country or territory outside the European Economic Area unless adequate levels of data protection exist. 

Which are examples of technical security incidents? Please tick all answers you believe to be correct.

  • Lost or stolen IT equipment?
  • Computer virus or malware?
  • Software of systems which don't operate as expected?
  • All?

Which are examples of other types of information security incidents? Please tick all answers you believe to be correct.

  • Any breach of Leighton Information security management system related policies
  • Any unusual behaviour of persons or visitors to Leighton's offices

Who do you report information security incidents to?

  • Information Security Manager
  • Line Manager
  • IT Service Desk
  • All

Information Systems Security

An official account on any social media website may only be set up with written consent from a line manager.

Leighton operates a number of accounts on social media sites for the promotion of activities and events, and as a communication method.  The following outlines the limits of their use:

Copyright laws must be respected, with references or sources cited appropriately.

Any employee who becomes aware of social networking activity that would be deemed distasteful should make their manager aware as soon as possible.

All information published on the Internet must comply with the Group's confidentiality and data protection policies.

Only authorised staff may use these accounts to post online and access to the account should be strictly limited.

Information Systems Security - Section 2

Users must not use their Web access privilege to:

Engage in either viewing or communicating material of an obscene, hateful discriminatory or harassing nature.

Engage in or solicit any private business for personal gain or profit. 

Engage in any illegal activities, including gambling, uploading or downloading of software in violation of its copyright and/or software that may be subject to export controls.  This includes downloading music, film or other types of copyrighted electronic media.

Download and install software from the web even if this will not infringe intellectual property rights of third parties.  Users who have a business requirement for downloading software must contact the IT Service Desk for guidance.

Attempt to gain unauthorised access to another site.

Engage in any activity that violates other company policies or that would be in conflict with Leighton's best interest.

Use so-called 'tickers' or other active sites (to obtain stock information, news etc), interactive media (e.g chat rooms) and audio and video streaming.

Answer external web-based surveys representing Leighton, unless such surveys were authorised by Leighton management.

Information Systems Security - Section 3

If you receive an email with a suspect attachment, do not open it.  You must report it to the Network Manager so that any viruses are not imported in the system.

Whenever a user receives a junk email, so called Spam, Scam or chain letter, he/she shall delete it and by not means forward it to other users.

A user receiving an email with illegal or otherwise improper content, or an email which could contain malicious software, shall promptly inform the IT  Service Desk, wait for instructions and not forward it under any circumstances.

The user shall not be tempted to reply to the above emails with 'remove' if this is offered; this merely confirms that the email address is active and makes it more valuable.

Information Systems Security - Section 4


Use Leighton information systems for the purpose intended.

Be aware of where Leighton's information security policies are stored and make sure you are aware of their contents.

Information Systems Security - Section 5


Download unauthorised software or applications to Leighton controlled equipment without prior approval from the Information Security Manager and IT.

Use private or unauthorised copies of software.

Use Leighton computers and information for personal benefit - Leighton computers and information are for company use only.

Copy software or information for personal use.

Information Systems Security - Section 6


Keep you passwords secret and change them regularly.

Create and use strong passwords.

Information Systems Security - Section 7

Passwords should never be disclosed; users are made accountable for any action undertaken with one of their user accounts.

Passwords must not be kept on paper or any computer media, unless these can be stored securely. Passwords should not be distributed via unencrypted email.

Passwords must not be included in any automated log-on process, e.g. stored in a macro or function key. When asked by the computer whether a password should be remembered for later use, always answer 'No'.

Passwords used for access to Leighton assets must not be re-used for any non-Leighton usage (e.g. for access to a private mailbox, a private computer or access to any website on the internet).



Users must comply with the following rules regarding passwords:

Information Systems Security - Section 8

To generate strong passwords the following rules apply:

  • Minimal length is 8 characters 

Passwords must consist of at least 

  • One upper case and
  • One lower case and 
  • One number

Passwords must not be re-used.  This is enforced by the system.

Passwords must not be based on anything personal.  Somebody else could easily guess or obtain personal related information. e.g. names of spouse and children, telephone numbers, address, dates of birth etc.

Information Systems Security - Section 9


Download and store unauthorised media such as music files and videos on your Leighton controlled equipment.

Auto forward email to non Leighton email account.

Send email with content adverse to Leighton business interest.

Send personal sensitive or commercially sensitive information via unencrypted email.

Reply to Spam - replying confirms a valid receipt.

Download and install software from the internet - contact the IT Service Desk for guidance.

Information Systems Security - Section 10

General guidelines for use of email:

The company will not tolerate use of the email system for any message which may constitute any of the prohibited electronic communications listed below which include, but are not limited to:

  • Sending documents in violation of copyright laws.
  • Sending defamatory materials about the company or individuals.
  • Sending libellous, offensive, discriminatory, racially, religious or sexually offensive; obscene, pornographic, bullying, threatening or abusive language material.
  • Intentionally sending a virus or any form or malware.
  • Sending 'chain letters'.
  • Sending information that is illegal or contrary to Leighton's interest.

Who should you share passwords with? Please tick all answers you believe to be correct.

  • Work colleagues
  • IT Service Desk
  • No-one
  • Family Members

What should strong passwords contain? Please tick all answers you believe are correct.

  • Date of birth
  • telephone numbers
  • Upper case
  • Lower Case
  • Numbers
  • Symbols
  • All

When is it ok to discuss passwords by phone?

  • Only with IT Service Desk?
  • Only when requested?
  • Never?

When sending password protected documents by email do you?

  • Send the document with the password in the same email?
  • Send the document and the password in separate emails?
  • Ensure document is encrypted before sending via email