SAQ Answer Photo
Uploaded by Tara Sharma
The minimum number of questions to be correctly answered in each module is listed in the table below

1 Computer Security
2 Secure Usage of Internet and Email 10
3 Infosys Policies and Procedures 5 4
4 Security within Premises and Outside 4
5 Business Continuity Management 5
6 Intellectual Property Rights 5
7 Privacy and Data Protection
8 Anti bribery and anti-corruption module
9 DNA Security Awareness Module 6
10 PEOPLE SECURITY AND ASHI AWARENESS 6
11 Privacy and Data Protection for Delivery 5
12 Conflict of Interest Disclosure and Code Certification 5
Grand Total 95

COMPUTER SECURITY

1- AIP-Client name & future project details shared with manager. . . Ans: [A]-Confidential
2- Call from Unknown number. . . Ans: [C]-Vishing
3- Infosys has the right to monitor, investigate, erase and wipe data. . . Ans: [A]-Yes
4- Information security to be considered in which phase of SDLC?. . . Ans: [D]- All of the above
5- Colleague tells you about vulnerability in one of the internal applications. . . What will you do? Ans: [D]- Report to ISG via AHD
6- Which of the following passwords meets the Infosys requirement and would be easy to remember? Ans: [C]- InFy4Evrs.
7- External auditor seeks your credentials. . . What would be your response?. . Ans: [B] Politely decline it. . .
8- Can username and password be hardcoded? Ans: [B]-No
9- Emergency leave. . manager seeks credentials to avoid impact of service. . . what would be most appropriate to do. . .? Ans: [B] Inform manager that this will be violation. . . Alternate user ID with similar privileges.
10- Accidentally find appraisal information in a shared folder. . . what will you do. . . ? Ans: [E] Notify Manager
11- Very useful and free utility tool that can be easily downloaded from the internet. . . Will you go ahead. . .? Ans: [C] No, Since this could lead to Downloading of Malware.
12- Match the malware: Ans: [B] Worm: Self replicating. . . Virus: Needs user to launch the files

Secure Usage of Internet and Email

1. Under which circumstances you are permitted to download and use a trial version of a software for developing Client code?
    ( ) a. The deadline of the project is nearing and there would be an impact on business if the software is not downloaded and installed
    ( ) b. If there is a written approval from the Client and reporting manager at Infosys
    ( ) c. If trial version has been used for past deliverables but on a different computer
    (•) d. Not under any circumstances. Options such as alternative licensed software or request for the purchase of the required software must be explored ✓
    ( ) e. Options a & c
    Correct Answer: You should not download and use the trial version of any software even if it is suggested by your manager and even if you have reached the deadline. You can politely decline doing the same and refer them to the Information Security policy which states that only authorized and licensed software shall be installed and used in our work environment. You can try an alternative software in Software house or Software Security Validation Portal (SSVP). You will be held …

2. You receive an email that appears to be from the Infosys Finance team, with [** External Email **] tag, requesting you to click on a link and share your email ID, password and login credentials etc. What action would you take?
    ( ) a. Since this is from the Finance department, you will access the site by clicking on the link given in the email and update the requested details
    ( ) b. Ignore the email
    (•) c. Notify Information security Group (ISG) by sending an email to [email protected] or report suspicious mail in Outlook by selecting 'Phishing' under 'Report Message' tab ✓
    ( ) d. Log an AHD (Advanced Help Desk) request with IS (Information Systems) team seeking further clarity on the email
    Correct Answer: Phishing emails appear to be sent from legitimate sources/businesses, but are actually created and distributed by hackers who are after your personal / official information. Also no department/company will ask you to share your credentials directly. Further, be vigilant about mails tagged as [**External Mail**] as they always originate from an external sender. If you receive such an email, the correct action would be to report the same to ISG via email/helpdesk number or by forwarding the mail to [email protected]. Quick action on such suspicious …

3. You would like to leave one hour before the scheduled close of business hours. While you are ready to leave for the day, an urgent deliverable crops up that needs to be submitted to the client immediately, and would need about 20 minutes of your time. What would you do?
    ( ) a. In the client network, save the documents in drafts folder in your personal email ID, download and work on them from home
    ( ) b. Send the document from Client email ID to personal email ID
    (•) c. Reprioritize your commitments to complete the work in hand so that the client submission is done in time, and before the close of the official business hours. ✓
    ( ) d. Files can be sent from Client to Infosys network, hence you will send them to Infosys email ID and then forward the same to your personal email ID
    Correct Answer: Client confidential information must not be sent outside the Client network to either Infosys ID, personal email ID or uploaded to publicly available sites and technical … authorized by the Client, …

4. You are working on a critical development project and facing difficulty in coding for a particular feature. Which of the following actions of yours would be compliant to Infosys and Client Security Policies?
    ( ) a. You seek help from an ex-Infoscion over a WebEx session
    ( ) b. You upload the code in GitHub to seek help from the developer community
    (•) c. You seek help of your manager who in turn connects you to a senior developer in the team to assist ✓
    ( ) d. You seek help from a fellow Infoscion who was previously in the same project however now works for a different Client
    Correct Answer: Sharing Client confidential data including source code with unauthorized users via … WebEx etc. is against the Infosys and Client Information Security Policies and could result in an Information Security Breach - When in doubt, seek assistance from your manager.

5. You are not connected to Infosys network and suddenly receive an authentication call on your mobile for validating MFA (Multi-Factor Authentication) for a session not initiated by you. What action will you take?
    ( ) a. You enter the MFA pin as it is going to expire soon
    ( ) b. You do not enter the MFA PIN and decline the call immediately.
    (•) c. You do not enter the MFA PIN and decline the call. You notify ISG about the incident by writing to [email protected] or log an AHD under ISG or call the Global Helpdesk number informing that you have received an authentication call without having initiated a session to connect to the Infosys network. ✓
    ( ) d. You enter the MFA pin and keep your manager posted.
    Correct Answer: You do not enter the MFA PIN and decline the call. You notify ISG about the incident by writing to [email protected] or log an AHD under ISG or call the Global Helpdesk number informing that you have received an authentication call without having initiated a session to connect to the Infosys network.

6. You are facing a technical issue with your official laptop. How will you rectify the issue immediately as you have to respond to the client on certain urgent deliverables?
    ( ) a. Tweet about the issue/share screenshots on social media seeking a solution to fix the issue
    (•) b. Call Helpdesk and reach out to CCD/raise an AHD with CCD under Laptop Issues Category ✓
    ( ) c. Try troubleshooting the issue yourself to find a solution
    Correct Answer: Call Helpdesk and reach out to CCD/raise an AHD with CCD under Laptop Issues Category

7. Which of the following is the correct medium to report an Information Security Incident?
    ( ) a. Sending an email to [email protected]
    (•) b. Raising an AHD (Advanced Help Desk) with ISG (Information Security Group) team or calling the global help desk number and selecting the relevant option
    ( ) c. Report the incident to CCD team
    ( ) d. a & c
    Correct Answer: Information Security Incident (even if suspected) should be reported via raising AHD (Advanced Help Desk), sending an email to [email protected] or calling the global helpdesk number and choosing the option 2.

8. While browsing the Internet via Infosys network, you accidentally come across a site which seems malicious but is not blocked as per Infosys Internet Access Policy. What action would you take?
    ( ) a. Explore the site further because it is not blocked as per policy
    (•) b. Exit from the site immediately and notify CCD (Computers and Communication Division) and ISG (Information Security Group) team through AHD (Advanced Help Desk) ✓
    ( ) c. Ask your team member to explore it instead of yourself
    ( ) d. Exit from the site immediately and notify IS (Information Systems) team about it
    Correct Answer: Infosys employees are required to use Internet appropriately and below are few examples of unacceptable usage as per Infosys Internet access policy: 1. Visit sites that contain obscene, hateful or other objectionable materials. 2. Make or post indecent remarks, proposals, or materials on the Internet. 3. Download or upload of any obscene, political, racist or religious material. 4. Download of music and video files from Internet. Even if such sites are accidentally not blocked, it does not imply that you can explore them. You have to exit from the site …

9. You are planning to take up an online personal certification which will help you in better time management at work. You need to register on the website by providing an email ID for further communication. What would you do?
    ( ) a. It is preferable to use personal email ID and the password of your Infosys ID so that you don't lose track of any important notifications
    (•) b. It is preferable to use personal email ID and unique password so that you don't lose track of any important notifications ✓
    ( ) c. For the ease of use, give Infosys email ID and credentials for your registration, so that you don't lose track of the notifications
    Correct Answer: Do not use your Infosys email address / password in Internet programs, online feedback/suggestion forms, newsgroups or other discussion forums etc. as such actions can invite unsolicited spam emails or even targeted phishing campaigns for the organization and you.

10. You have been working on piece of code for a Client project. Now that it is complete, you want to forward it to your Infosys ID so that you can refer to it for future projects. Is this permitted?
    ( ) a. Yes, this will benefit Infosys for other projects
    (•) b. No, Client code shall not be sent to Infosys email ID or personal email ID as this can result in an Information Security Breach ✓
    ( ) c. Yes, you will ensure to remove any mention of client name, IP addresses and credentials etc. before you reuse it
    Correct Answer: Client data including confidential source code must not be sent to Infosys ID or reused unless authorized explicitly by the Client team. Further, uploading Client confidential information over publicly available sites and technical forums etc. is strictly prohibited as it can lead to data leakage.

Infosys Policies and Procedures

1. Where can you find the Information Security Policy (ISP)?
    ( ) a. It is available in Lex.
    ( ) b. It is accessible only by the Information Security group (ISG) and is available in their SharePoint.
    ( ) c. It is accessible by all employees and is published in InfyMe Web under World of Infosys -> Business Units and Subsidiaries -> Business Enabler Functions -> Information security Group (ISG) -> Repository -> Policies ✓
    ( ) d. It is accessible by all employees and can be accessed in InfyMe Web under the 'Policy' section within the Information Systems (IS) portal (InfyMe web -> World of Infosys -> Business Units and Subsidiaries -> Information Systems -> Repository -> Policies)
    (•) e. Option c and d ✗
    Incorrect Answer: Information Security Policy is available to all Infosys employees under the policy section of ISG Portal and also in the Policy Portal of Sparsh

3. Who is responsible for Information Security at Infosys?
    ( ) a. Information Security Group (ISG)
    ( ) b. Infosys IT Team
    ( ) c. Employees
    (•) d. Every individual for the information within their capacity
    Correct Answer: The responsibility of securing Information in all forms lies with every individual (e.g.: Infoscions / Third parties) for the information within their capacity

2. Which of the following matching of Information to its Classification Level is correct?
    ( ) a. Source Code : Confidential; User Passwords : Highly Confidential; Organization Chart : Internal; and Press Release : Public
    ( ) b. Source Code : Highly Confidential; User Passwords : Internal; Organization Chart : Highly Confidential; and Press Release : Public
    ( ) c. Source Code : Internal; User Passwords : Confidential; Organization Chart : Highly Confidential; and Press Release : Public
    (•) d. Source Code : Highly Confidential; User Passwords : Highly Confidential; Organization Chart : Internal; Press Release : Public ✓
    Correct Answer: Information asset owner is responsible for classifying and safeguarding the information that is created by them. Documents which contain customer or Infosys Intellectual property, source code, user passwords are classified as 'Highly Confidential'. Internal and external project status report, Documents such as SOW (Statement of Work) and MSA (Master Service Agreements) with our customers, Security vulnerability, audit reports, Contracts or agreements with the customer are classified as Confidential. Organization charts, company policies and training material are to be classified as Internal and Public press releases, marketing brochures and …

4. You find a printed document marked as 'Confidential' on the desk of your colleague who has left for the day. What action would you take?
    ( ) a. Leave the document on the desk since the work area is access controlled
    ( ) b. Ignore it, as it doesn't concern you
    ( ) c. Take the document home with you so that you can safely hand it over to your colleague the next day
    (•) d. Shred the document or drop it in the nearest locked drop box for shredding
    Correct Answer: Leaving the document unattended even in an access controlled area or taking it home, can lead to data leakage. Sensitive documents if found lying unattended should be shredded or dropped in the nearest locked drop box for shredding.

5. The project that you were working on is now completed. What would be the most appropriate way to ensure secure disposal of any electronic copies of the client project plans, trackers, design documents etc. that you have on your system?
    ( ) a. Delete the data on your own
    ( ) b. You keep the data as it can be reused for another Client project
    (•) c. Check with your manager on any client mandated secure data disposal requirements that need to be adhered to and accordingly raise an AHD request with Computers and Communications Division (CCD) for secure disposal of data in your system.
    ( ) d. Since the data you were handling was not very sensitive in nature, you do not take any action.
    Correct Answer: All client data must be securely erased or returned back to the client as per the contract. Post getting the required confirmation from the manager you can raise an AHD request with Computers and Communication Division (CCD) for secure disposal of the Client data on your system. A simple delete may result in improper disposal and data disclosure. Furthermore, no Client data must be reused for another Client as it would be a breach of the contract and confidentiality terms.

Security within Premises and Outside

1. Infosys is hosting a conference in one of its Development Centers (DCs) which would be attended by delegates from various companies. Which of the following actions are NOT in compliance with the Infosys Security Policies?
    ( ) a. Since these are senior industry leaders, you will ask for them to be allowed in without too many entry/exit logging and restrictions on the type of devices they are carrying, however you will escort the visitors for the time he/she is in the campus
    ( ) b. Inform and seek permission from relevant groups including physical security group, CCD (Computers and Communications Division) and ISG (Information Security Group) including permission for any laptops and other devices that they may carry, ensure their physical entry/exit is logged properly and they are escorted at all times
    ( ) c. Inform your manager and take them for an impromptu visit to a secure ODC (Offshore Development Centers) to show them the security controls implemented for a Client
    (•) d. a and c ✓
    ( ) e. a and b
    Correct Answer: The Physical Security team provides clearance for any official visitor. Along with providing the necessary details of any personal computing devices being carried by the visitor, escorting them for the course of their visit is mandatory. Visitors must not be taken to secure areas such as Client ODCs (Offshore Development Center) unless approved by the Client. Further, you should not share your Infosys system or credentials with anyone as it may lead to loss of accountability in case of a security breach.

2. You are assigned to an Offshore Development Center (ODC), which is a restricted area. Your access is not yet enabled but you need to attend a meeting inside. What will you do?
    ( ) a. Borrow the badge from a person who is authorized to enter
    ( ) b. Tailgate behind an authorized person entering the ODC (Offshore Development Center)
    ( ) c. Convince the security guard to let you enter as you expect the access to be enabled in a couple of days
    (•) d. Get an explicit Client and Delivery Manager (DM) approval and ensure proper recording of physical entry and exit at the entrance of the ODC. ✓
    Correct Answer: Any ODC (Offshore Development Centers) access must be approved by the Client, the Delivery Manager (DM) and periodically reviewed. In cases of delayed access, explicit Client approval must be sought and physical entry/exit audit trail should be maintained for the interim period.

3. You are travelling back home and you get a call from your Client manager who needs to discuss some confidential and urgent official matters with you. What would you do?
    ( ) a. Since it is a call from the Client manager and it is an urgent matter, start conversing while travelling.
    ( ) b. Start discussing the confidential matter only if you are in company provided transport
    (•) c. Explain the situation to the Client manager and request for a call at an alternate time ✓
    ( ) d. You find a seat where there are fewer people, less background noise so that you can hear more clearly and continue the conversation
    Correct Answer: When you are at a public place, your conversations may be overheard by someone who does not have a need-to-know. When information is confidential, then its disclosure may harm the company. Hence, it is advisable to discuss the matter in person or ask for an alternative time to discuss the matter when you are alone.

4. Which of the following are security risks associated with removable media such as USB flash drives and hence not allowed as per Infosys policies?
    ( ) a. They are expensive as compared to their storage capacity
    (•) b. They may carry malware ✓
    ( ) c. They are safe to use as they are encrypted
    ( ) d. They are not suitable for storing photos
    ( ) e. b and c
    Correct Answer: No removable devices are allowed in Infosys offices as per the Infosys policy due to the risk of malware. And also USB flash drives are not encrypted by default. All the USB ports have also been disabled for the same. In case of any valid business requirement an exceptional approval has to be availed from the Client, project DM and ISG. Basis the approval, CCD will allow the use of removable media for a defined time frame.

5. Which of the following are NOT security incidents? a. Tailgating; b. Sending your Pay slip to your personal email ID; c. Uploading Client source code in GitHub; and d. Basis approval, sharing access controlled Infosys process document with the Client manager
    ( ) a. a and b
    (•) b. b and d ✓
    ( ) c. c and d
    ( ) d. a, b and d
    ( ) e. None of the above
    Correct Answer: Information Security Incidents are real or suspected events that result in the loss of confidentiality, integrity or availability of Information, leading to adverse consequences like financial losses or harm to the brand image. Sending personal information like pay slip, form16 etc. to personal mail ID or basis approval sharing access controlled process documents with authorized Client manager will not result in an Information Security Incident. However, sharing of Client/Infosys confidential, internal data …

Business Continuity Management

1. You are getting ready for office, and have an important meeting in office today. However, you get to know of some unpleasant incidents, like weather related or safety issue in the locality. What should be your course of action?
    ( ) a. You ignore the news and get started for office as you have some important deliverables to be met
    ( ) b. You call up your colleagues to find out what they are doing
    ( ) c. You call up a friend working in a media house to check the situation near your office before coming to office.
    (•) d. You call up the reception before coming to the office ✓
    Correct Answer: In case you hear about riots/strike/weather related/safety issue while still you are at home you should call the reception

2. There is an emergency/disaster situation in Infosys. Media approached you to know about the situation. What will you do in this case?
    ( ) a. You will provide the needed information
    ( ) b. You will provide the information on the promise of anonymity
    (•) c. You will politely ask to contact Infosys Spokesperson ✓
    ( ) d. None of the above
    Correct Answer: In case there's an emergency situation in Infosys and media approach you to know about the situation, please politely ask to contact the Infosys Spokesperson for …

3. You are supposed to travel to a country for work, where a pandemic scenario is prevalent. You will
    ( ) a. Ignore the travel advisory issued and continue with the travel
    ( ) b. Ignore symptoms of the disease contracted by traveling to or through affected areas.
    (•) c. Follow guidelines issued by Infosys which align to the entry and exit regulations of a country. ✓
    ( ) d. Both a and b
    ( ) e. None of the above
    Correct Answer: In case you are travelling to a country which is affected by a pandemic, please follow the Infosys guidelines which align to the entry and exit regulations of that country.

4. You have noticed suspicious object inside the office/campus, you will:
    ( ) a. Ignore it and walk away
    (•) b. Be vigilant, stay away and also prevent others in being close proximity to the suspicious or unwarranted movement, activity or object that comes to your notice and report to nearest security/DRR. ✓
    ( ) c. Speak to friends about the suspicious object
    ( ) d. Pick up and check the suspicious object
    Correct Answer: In case you notice any suspicious object within/around the Infosys office/campus, please stay away and report the same to the nearest security/DRR

5. The BCMS policy is applicable to
    ( ) a. Infosys employees working from client locations
    (•) b. Infosys employees including contractual staff and consultants ✗
    ( ) c. Employees working in the Infosys office/campus only
    ( ) d. Contractual staff and Consultants working from Infosys office only
    ( ) e. Both a and b ✓
    Incorrect Answer: The Infosys BCMS policy is applicable to all Infoscions including contractual staff and consultants and Infosys employees working from client locations.

6. If you have recently changed the mobile number. What should you do?
    ( ) a. You circulate the mobile number to all your colleagues through email/message
    (•) b. You update the mobile number in the Infosys Telephone Directory ✓
    ( ) c. You update the mobile number in the common team folder where the team's contact details are stored
    ( ) d. You update the mobile number in the Social Media
    Correct Answer: You must update the mobile number in the Infosys Telephone Directory, so that the Infosys team can contact you in time of emergencies. Note: The Infosys Telephone Directory has the below said features a) The Public Mobile number 1/2 - Official/Personal mobile number visible to all b) The Private Mobile number - …

Intellectual Property Rights

You have scored 100% in 'Intellectual Property Rights'.

1. Can you incorporate open-source code from a GitHub forum into an Infosys proprietary tool?
    ( ) a. Yes, since it is freely available, it is assumed safe for use in proprietary tools.
    ( ) b. No, Infosys does not allow use of open-source components in proprietary software.
    ( ) c. No. Since Open-Source usage will render the entire product available for Open-source Community.
    (•) d. Yes, provided the code is in compliance with the Infosys FOSS policy and license obligations of such open-source code. ✓
    Correct Answer: While incorporating open source software in proprietary applications, one must always ensure that the license permits such use and the obligations are complied with such as attribution, etc.

2. You have developed an automation tool while creating a deliverable for Client A. Can the automation tool be reused for a similar engagement for Client B?
    ( ) a. Yes, since it is developed by Infosys, it owns everything developed during an engagement.
    ( ) b. No, Client A owns everything developed during an engagement.
    (•) c. Yes, provided the automation tool is identified as Infosys IP in the contract with client A. ✓
    ( ) d. No, Develop the automation tool from scratch again for Client B.
    Correct Answer: Review the master service agreement with customer A to understand the ownership rights. If ownership lies with Customer A, it cannot be reused. If ownership lies with Infosys, it can be reused for customer B.

3. You are using an approved third-party tool in your client project and find a bug in it. This is causing severe delays. Can you decompile the third-party code to remedy the bug?
    ( ) a. Yes, I can decompile the code as the delay may result in an escalation by the client.
    ( ) b. Yes, I can decompile the code after obtaining my project manager's approval, without approaching the third-party tool owner.
    (•) c. No, Decompilation of the code is violation of the third party's intellectual property rights. ✓
    ( ) d. Since we have approval to use the third-party tool, it is ok to decompile it.
    Correct Answer: You are not permitted to decompile or reverse engineer third party code without their express approval. This amounts to breach of third party intellectual property.

4. You have successfully delivered a client project which was very critical for Infosys. The learnings can help other team in Infosys in similar engagements. You want to put together a case study. What steps should you take?
    ( ) a. Prepare the case study with specific details of how the project was handled and circulate it to known contacts within the organization.
    (•) b. Prepare a case study ensuring that client specific data is not included. Subsequently submit it for verification through publication portal for DMs approval.
    ( ) c. Case study about client projects should not be prepared.
    ( ) d. Circulate an email amongst project team members highlighting the details and ask them to pass it to anyone interested.
    Correct Answer: Client specific data is confidential information and using it in a case study will amount to IP leakage. Case study can be prepared excluding client specific information and subsequently submitted for verification through publication portal.

5. …
    ( ) b. Employer ✓
    ( ) c. Both employee & employer
    ( ) d. Government
    … created by an employee belongs to the Employer as per the employee agreement signed during the joining formalities

6. Your team is introducing a new product from your unit to the market. Which of the below is true for mitigating IP risks?
    ( ) a. You can perform analysis of patents in the technology domain and decide for yourself.
    (•) b. Approach IP team for guidance on IP and initiate Pre commercialization checks for approval. ✓
    ( ) c. There are no IP risks, so no action is required.
    ( ) d. None of the above.
    Correct Answer: IP Team recommends following checks before commercialization to mitigate any IP risks. 1. IP … 2. Open Source Usage compliance 3. Self declaration on certain criterion 4. Trademark check. This is carried out by the IP team using a process flow tool called Safefort Lite

Privacy and Data Protection

1. While exploring your file server path, in the internal network, you find that you have access to a folder of another Infoscion. This folder has a scanned copy of his passport, his salary statements, etc. apart from his project documents. Which is the appropriate action that you should be taking?
    ( ) a. You assume that you are authorized to access this folder. So you may, not only, browse the contents but also share them with friends if you want.
    ( ) b. You assume that you are authorized to access this folder. So you may browse the contents, save them onto your machine for your reference. But you will not share them with others
    ( ) c. Immediately report this vulnerability to CCD
    (•) d. Do not access the contents and immediately inform the concerned Infoscion so that the unauthorized access can be revoked ✓
    Correct Answer: Browsing someone else's personal data without prior consent of the data owner is a data breach. Hence viewing the contents is not acceptable. Informing the data owner will help him / her put the right controls in place to prevent any further unauthorized access in future.

2. Which of the following Personal Information of an employee need NOT be protected?
    ( ) a. Photographs
    ( ) b. Health Information
    ( ) c. Bank Account number
    (•) d. Name ✓
    Correct Answer: Although name is personal, it is considered as public information and hence it need not be protected.

3. Each Infoscion is expected to respect Privacy and protect personal data, of which of the following individuals?
    ( ) a. Employees
    ( ) b. Sub-contractors
    ( ) c. Customers
    (•) d. All of the above ✓
    Correct Answer: Infosys collects personal data from all individuals who are associated with Infosys for business purpose(s) - including employees, sub-contractors, customers, visitors, interns, etc. Every Infoscion, by virtue of them working for Infosys, is expected to respect privacy and help in protecting the personal data of these individuals.

4. On an intranet site, you find that you can download or copy photographs of employees. Which of the following actions is appropriate?
    ( ) a. I will download the photographs onto my personal desktop for reference in future. If the option to save is available, there is no problem in downloading the photographs.
    ( ) b. I will download the photographs, upload them onto my personal secure internet site and delete them from my personal desktop.
    ( ) c. I will mail the photographs to my close friends, who also happen to know these employees, but who do not have their latest photographs.
    (•) d. None of the above ✓
    Correct Answer: Photograph is personal information. It is not meant to be copied, transmitted, in any form, uploaded / downloaded or shared, without prior consent of the photograph owner.

5. Why should we protect personal information of our colleagues and partners?
    ( ) a. Infosys respects privacy of those associated with Infosys - such as employees, customers, vendors, shareholders, visitors, interns etc.
    ( ) b. Privacy & Data protection laws in certain countries require us to do so.
    ( ) c. Neither a nor b
    (•) d. Both a and b ✓
    Correct Answer: The driver for Privacy & Data protection is both from compliance to Internal Policies & regulatory obligations.

6. Which of the following regarding Privacy is true?
    ( ) a. Privacy is about giving employees, complete control on what information about them may be collected by the company, even though such information may be required contractually.
    ( ) b. Privacy is about protecting personal data of my colleagues from becoming public, but within the company such information may be disclosed.
    ( ) c. Monitoring and Surveillance using cameras, for security reasons is a violation, as it intrudes into privacy of an individual.
    (•) d. Privacy is about providing ability to employees to have control or knowledge on what information about them, is being collected and how it will be used.
    Correct Answer: Employee's consent is taken where information is not mandatory : where optional, consent is normally obtained before collecting or processing information.

7. Which of the following is most likely to be an acceptable data processing activity on personal information?
    ( ) a. Deciding on recruiting a candidate by considering religion or ethnic origin, as one of the criteria.
    ( ) b. Using knowledge about employee's health information in performance assessment for that employee.
    (•) c. Retaining employee's travel claim expense details for few years after separation. ✓
    ( ) d. Seeking password of your team member on leave, to ensure that emails are accessed and work is not affected.
Correct Answer: This will be allowed since there is a legitimate need to retain such information for a certain period of time, as per statutory taxation purposes.

8. What is the most appropriate action that you should take when you encounter a data breach?
( ) a. Assess the impact of the breach, and then decide whether to notify DPO or not
( ) b. As it does not pertain to your personal information, you can ignore
(x) c. Immediately reach out to your manager informing him about the breach ✗
( ) d. Promptly Notify DPO using AHD since there are regulatory implications ✓
Incorrect Answer: Personal data breach means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. In case you encounter any data privacy breach, it should be notified to DPO via AHD, irrespective of whether the breach directly

9. Your friend, a non Infoscion, is looking for contact numbers of all Infosys employees whom you know in your location. He wants to approach them for a social cause. What should you do?
( ) a. Download the contact numbers from Infosys' telephone directory and mail it to your friend. As it is for a social cause, Infosys will appreciate your gesture towards CSR (Corporate Social Responsibility)
( ) b. To ensure that our employees are aware before their contact numbers are shared, you should inform the employees by mail. You will then assume their consent, as you have done your part by sending them an e-mail, and will send the employees' contact numbers to your friend
(x) c. Since the contact number is a personal data, you should not share this data with your friend without written consent of those whose data are to be shared ✓
( ) d. You should download the contact numbers from the telephone directory. Then you should upload the information onto a public internet site and share the link with your friend.
Correct Answer: Contact information is considered personal and must not be disclosed without the consent of the concerned employee.

10. You happen to know performance assessment results of an employee such as appraisals, disciplinary actions, etc. Which of the following is true?
( ) a. Infosys is the owner of such information and hence it may be freely shared within the organization. So I will post [illegible]
(x) b. It is someone else's personal information and may not be shared in any form with others, who do not have a business need to know. Besides, this information is also confidential from Infosys' perspective. ✓
( ) c. Since this is someone else's personal information therefore I will take his / her consent and then I will circulate it freely.
( ) d. The information may be shared by me, in the next quarter.
Correct Answer: This information is personal and must not be shared, except with those who have a business need to know, e.g., Manager, Consultant and reviewer of that employee.

11. Which of the following is NOT true with regard to handling of PII (Personally Identifiable Information)?
(x) a. PII collected from the employee must not be processed by the employer. ✓
( ) b. When PII is collected, from the employee, employee must be notified by the employer about the purpose for which it is being collected.
( ) c. The employer must restrict collection of PII to the minimum extent possible, from its employees.
( ) d. Employee's PII collected by the employer must not be retained when it is no longer required.
Correct Answer: Employer may process PII of an employee as agreed during collection of the same.

Anti bribery and anti-corruption module I

1. What are the pre-requisites of a bribe?
( ) a. Anything of value that may be seen as an attempt to influence an action or a decision in order to obtain or retain business or acquire an improper advantage.
( ) b. A bribe could include money, gifts, favors
( ) c. It involves use of company resources, entertainment or other items of value.
(x) d. All the options are correct. ✓
Correct Answer: Infosys has zero tolerance for bribes, kickbacks or facilitation payments which include any direct or indirect exchange of anything of value, any form of gift or entertainment to any government official, commercial partners including customers which is made with a view to influence a third party to obtain or retain business. A bribe is anything of value offered that may be [illegible]

2. Which of the following statements with regard to charitable contributions made on behalf of Infosys are correct?
( ) a. Beneficiaries of charitable contributions should not be related to the person who has requested for the donation.
( ) b. The purpose of the charitable contribution is accurately recorded in our books and records.
( ) c. We should undertake a check into the background of the beneficiary.
(x) d. All of these statements are correct. ✓
Correct Answer: In the course of business, you may receive requests for charitable contributions to be made by Infosys to certain entities. Such requests must be considered very carefully, as they may be seen as a route for corrupt payments and violation of the FCPA, the UK Bribery Act and other anti-corruption legislation. Infosys' Code of Conduct and Ethics permits charitable contributions or donations for a variety of reasons by Infosys, subject to requisite diligence and approvals. Business teams that bring such proposals are required to carry out a due diligence on the proposed recipient to ensure that donations are being made to a legitimate charitable institution and the donation does not

3. It has come to my notice that one of my colleagues was offered a bribe. What course of action should I take?
( ) a. I do not need to do anything as this is not my problem.
( ) b. I will not report this, because I could ask him to split the proceeds with me.
( ) c. As long as business does not suffer, I do not need to report this.
(x) d. I will immediately raise a concern with the Office of Integrity and Compliance through the whistleblower hotline or portal. ✓
Correct Answer: Infosys strongly condemns any direct or indirect exchange of anything of value, any form of gift or entertainment to any government official, commercial partners including customers. Infosys also has a zero retaliation policy against its whistleblowers. When you notice a violation of your values, you have a multitude of options to raise your concern, including the Whistleblower Helpline, the whistleblower mailbox and other channels. Consult the Code of Conduct and Ethics.

4. My customer has sent me his son's Curriculum Vitae and has said that if he gets a job at Infosys, then they will sign a new deal with us. How should I proceed?
( ) a. This is a great opportunity for Infosys, so I will send his CV to HR to process for an offer of employment.
( ) b. I will pretend that I do not know that the new deal with the customer could be impacted by the client's son getting a job with Infosys.
( ) c. I will send this to my friend and ask him to send the CV to me. That way no one will know that I referred the client's son's CV to Infosys.
(x) d. I will upload the CV on Connectinfy/Reppify, where I will complete the additional due diligence and follow company processes for recruitment. ✓
Correct Answer: A candidate who is a relative or friend of a Government Official/Client must undergo additional due diligence to ensure that hiring him is not construed as, and does not appear to be, 'anything of value' offered to the Government Official/Client. Hiring for full-time employment, part-time employment or internships must be based solely on the merit, qualifications and capabilities of the candidate. The approved process for qualifying and selecting candidates must always be followed. Employment/Internships [illegible]

5. What measures should be taken if a vendor is required to interface with government authorities on behalf of Infosys?
( ) a. The credentials of such a vendor should be verified before hand. Due Diligence must be conducted and red flags noted as a result must be assessed and addressed.
( ) b. A detailed written contract defining the scope of services of such vendors should be executed before commencement of the engagement.
( ) c. A copy of the Supplier Code of Conduct must be provided to all vendors for their acknowledgement and acceptance.
(x) d. All the options are correct. ✓
Correct Answer: We do not allow vendors acting on our behalf to make any illegal payments. Vendors that interact on our behalf with government officials or agencies are considered as high risk vendors. While managing these relationships, we must be on the watch for any actions relating to bribery, kickbacks, improper payments or other corrupting influences. We can and will be held responsible for the conduct of our vendors if they violate the law while working on our behalf.

6. My client is visiting Infosys Bangalore DC for the first time for business negotiations. What can I offer him as a memento?
( ) a. Since this is his first visit, I should offer something expensive; preferably the latest Bose Bluetooth speaker.
( ) b. The latest iPhone is an appropriate gift to offer clients.
(x) c. Mementos are covered under Gifts of our ABAC Policy. Gifts offered to clients shall be within the gift limits defined under ABAC Policy. ✓
( ) d. Since I am not sure what my client's preferences are, I will offer an expensive Rolex watch will always be appreciated.
Correct Answer: Gifts offered to clients shall be only for bona fide business purposes and shall not exceed the gift limits of ABAC Policy which is USD 100 per person per fiscal year for US/Canada/Europe/UK/Australia/New Zealand/Japan/Singapore/Russia/Hong Kong/UAE, and USD 50 for the remaining countries (limits are applicable in the country in which such gift is being received). Giving money or cash equivalents such as gift cards, gift certificates or vouchers is never permitted. Gifts offered must be in compliance with the policies of the recipient.

7. My client has come from Stockholm to Bangalore to discuss business. We propose to take him out for dinner after extensive meetings all day. What is the maximum permissible limit of the meals expense under the Anti-Bribery Policy?
( ) a. We can claim up to USD 250 per person as the client is from Europe, and the limits prescribed in the Anti-Bribery Policy for meals incurred in Europe (USD 250 per person) will apply.
(x) b. We can claim up to USD 150 per person, as the dinner expense was incurred in India, and the limit for meals in India will apply. ✓
( ) c. Any amount that is spent will be reimbursed. It is a legitimate expense after all!
( ) d. We will swipe two cards as we will definitely not be able to ensure that the limit is adhered to.
Correct Answer: Offering meals in the course of business is permitted subject to the expense not exceeding prescribed limits and subject to acceptance of the recipient that the entertainment is in compliance with the recipient's policies. The country in which the expense is incurred is considered for the application of the limit. For clarity, if you are based in the US and you have entertained a client in India, the limit for India is applicable.

8. My wife has started a small business engaging in supply of home made confectionary items, and has asked me to be a director in the company. Can I do this?
( ) a. No, as Infosys does not allow you to hold directorships in other companies while you are employed.
(x) b. Yes, as long as I disclose this on the Conflict of Interest Module on the SAQ and follow the recommendations, I can proceed. ✓
( ) c. Yes, as this is a private family business run by my wife, and I cannot say no to her.
( ) d. Yes, since I checked with my friend and colleague and he is also pursuing a similar personal venture, while employed with Infosys.
Correct Answer: When the interests or benefits of an individual conflict with the interests or benefits of the Company, conflict of interest is said to occur. With prior approval of the Office of Integrity and Compliance, Company policy allows for employees to serve on the Boards of two other business entities, provided such entities do not compete with Infosys.

DNA Security Awareness Module

1. You have access to production customer data. This access is restricted to a few people in the team. Some of your colleagues want to see production data to analyze the critical incident. What you would NOT do
( ) a. Login ID and password seem to be generic and hence can be used by anybody. I will go ahead and share the credentials
( ) b. I will not give credentials but I will login on individual's machine and let them use the production data
( ) c. I will login on my machine and share my screen with them so that they can see the production data
( ) d. I will pull the relevant data and will share with them for their analysis
(x) e. All of the Above ✓
Correct Answer: Sharing credentials or client data is a security breach and should not be done under any circumstances.

2. You have been issued a client e-mail ID for business communication purpose and hence you are allowed to send e-mails to external mail domains. Which of the following actions is appropriate?
( ) a. You can send personal mails to client and non-client email IDs.
( ) b. You can share client email IDs with friends to be used for non-business purpose
( ) c. You can send official e-mails to non-client e-mail IDs with client confidential information without client approval
(x) d. You can not send official e-mails to non client e-mail IDs without prior approval from client manager ✓
( ) e. All of the Above
Correct Answer: Use your client e-mail ID for official purposes only. If any e-mail has to be sent outside client network (e.g. third party, product vendor etc.), ensure to obtain prior approval from client

3. You are currently in client project and will be moving to other engagement. Since you have created some excellent scripts and reference material, you would like to save them for future reference. What would you do?
( ) a. Send the data to your personal e-mail ID for future reference as these are created by you.
( ) b. You can get an approval from your Infosys manager to officially get this data out of client network.
( ) c. You can upload the data to a cloud sharing site where you have an account.
(x) d. None of the above ✓
Correct Answer: Anything you created in client network is owned by client and should not be used for future references outside client network

4. You are assigned to a development project for a client where most of the documents are in non-English language. You need a translated version of the document for your project. Which one should be the right action?
( ) a. Highlight the language constraint to the client and do not take up the project
( ) b. Upload the document to an online translate website on internet and get the translated document
( ) c. Hire an agency to translate the document and use it
(x) d. Request client to share the document in English and highlight the dependency of the work.
Correct Answer: You are not supposed to share client artifacts to anyone outside the project without client consent.

5. In your previous project, you had write access to production database. Now you are working in a different project for the same account and you came to know that your write access to production database is still not revoked. During post implementation review of your recent enhancement of the current project, you found out that some reference data has been set incorrectly which would result in job failure. What will you do?
( ) a. I will use my write access to update the reference data in production.
( ) b. I will discuss the situation with my TL/PM and get their approval. Post that I will use my write access to update the reference data in production
( ) c. First I will do the changes in test environment and if it is working fine, I will use my write access to update the production data accordingly
(x) d. No I will not use my write access to get the data as it is unauthorized. ✓
Correct Answer: Having an access to previous project's system is considered as unauthorized access and shall not be used by the user. If found, it must be revoked immediately.

6. You have recently learned a new reporting tool - "QlikView" and you have practiced enough on test data but you still don't know how would it behave on production data. As part of your work, you have access to client's production database. Will you extract the data from client's DB to test the tool on production data?
( ) a. Yes I will, after ensuring that data is not shared with anyone else outside Infosys
( ) b. Yes I will extract and will delete the files after the use
( ) c. Yes I can extract and send production data securely with a password protected zip file to my Infosys ID
(x) d. No. This will be a serious policy breach if I extract client's production data outside client network without client approval. ✓
Correct Answer: Production data shall not be extracted from production environment without client approval and shall not be used for testing purpose without masking it.

7. Is it a good practice to have generic IDs to production databases for read only access?
( ) a. Yes. Since the generic ID has read only access, no one can update or change the production data
( ) b. Yes. Since it's a generic ID, it will save effort of creating multiple user profiles
(x) c. No, this is an insecure way of protecting production data ✓
( ) d. None of the above
Correct Answer: Having a generic ID is not a good practice because actions associated with a generic ID will not be traceable to the individual

8. While working at onsite, you were allowed to work from home by accessing client network from internet using Citrix. You have just returned from onsite and realized that your Citrix access from internet is still not revoked. What will you do?
( ) a. I will only use my Citrix access to work from home in emergency scenario.
( ) b. I will only use my Citrix access when I am out of station.
(x) c. No I can never use my Citrix access when I am not in client location. I will raise a request to client for revoking my Citrix access as I am at offshore and should not be having it anymore. ✓
( ) d. None of the above
Correct Answer: Access shall be revoked when not required.

9. A critical batch job in your production environment in which you have access has failed. The standard process of restarting the job is to raise a ticket to operations team, but this might lead to a SLA breach in the given situation. Is it ok to run the batch job yourself since you have access to do so?
( ) a. Yes. This will help in meeting the SLA and my team will get an appreciation that we have bypassed an unnecessary process and met the SLA
( ) b. I will quickly call up my TL/PM to check if I can do this
(x) c. No. I cannot do this since it is a policy breach that production system is being altered without raising a ticket and involving operations team
( ) d. None of the above
Correct Answer: The access rights must not be used other than the work which you are authorized to do.

10. As part of your project deliverables, you need to send the data file to another team. You have an option to send the data either via e-mail or via secure FTP. Which is a correct way to send the data file?
( ) a. I will send the data using e-mail as it will reach faster.
( ) b. To give an additional security, I will password protect the file and send it via e-mail
(x) c. I will send the data file via secure FTP as it is more secure channel to transfer the information. ✓
Correct Answer: Data sent through e-mail can be sniffed. Secure FTP shall be used to send the data in a secure way.

11. You are in production support team for a bank's financial data warehouse system. One of the client's senior managers asks you to check his bank account details as he is unable to access his internet banking account. What will you do?
( ) a. He is a client manager and I cannot have a better opportunity to showcase that I understand the system very well. I will pull out the required details from the system and will share it with him
( ) b. I will pull out only last one transaction details and will share it with him
(x) c. Having an access to production support team doesn't authorize me to share details with anyone including client managers. I will politely decline the request and will request him to give a call to Bank's help desk and they will be able to assist him ✓
( ) d. None of the Above
Correct Answer: It will be a security policy breach if I share any customer related information with anyone, even with the people who work in the same bank

12. You have come across a run time error related to the work done in client project. It is ok to post the details of client project and the error in the public forum on internet to find speedy resolution, True or False?
( ) a. True
(x) b. False ✓
Correct Answer: Do not post client information on internet. You can provide generic problem statements without revealing any client or application information

13. You have an authorized access to production database tool. Due to some urgent work, you need to login into the tool. You realize that your password of the tool is expired. What would be your next course of action?
( ) a. I can use password of my offshore team member as I won't be doing any changes in production.
(x) b. I cannot use other's password to login to production. As per defined process, I will take necessary action to reset my password.
Correct Answer: One should never use other's password for login as it is a violation of the information security policy

14. You are an onsite lead and have access to production environment for validation of production migration components. Your offshore team has discovered that some setting changes were not done and the wrong code has moved to production. What would you do?
(x) a. Inform the client and migration team about this issue. Initiate the defined exception process to move this code alone in the immediate migration window. ✓
( ) b. Since you have production access, directly make the setting changes in the code in production.
( ) c. Since you have production access, take the fixed code from lower environment and move to production environment
( ) d. Don't inform anyone and let the code fail in production and come as a defect in system to be fixed.
( ) e. None of the above
Correct Answer: Always follow the defined migration process and channels to move code to production environment. Do not use your ID for purposes other than to review the migrated code components

15. Your customer has reported a bug in production and you have made some changes to fix it. You want to ensure that the changes are tested thoroughly in UAT before production release. You also have privileges to create user IDs in UAT. How do you plan to test the changes?
(x) a. Test the application using designated ID and authorized data set. If you require additional people to do the testing, obtain appropriate approvals from the customer manager to provide access to the identified team members ✓
( ) b. Give access to all team members in your project (onsite and offshore) for testing the same
( ) c. Give access to some more colleagues who are not in your project but working for the same customer
( ) d. Run some random queries on the database to ensure that changes deployed are fine
( ) e. All of the Above
Correct Answer: Obtain appropriate approvals from the client manager to provide access to the identified team members and use designated ID and authorized data set for testing

You have scored 100 % in PEOPLE SECURITY AND ASHI AWARENESS

PEOPLE SECURITY AND ASHI AWARENESS

1. What is Infosys' philosophy on the Anti Sexual Harassment Initiative (ASHI)?
( ) a. Zero Tolerance against unlawful harassment
( ) b. Confidentiality and non-retaliation
( ) c. A gender neutral approach
(x) d. All of the above ✓
Correct Answer: Infosys is an equal employment opportunity employer and is committed to creating a healthy working environment free of any form of harassment. Infosys believes that every person has the right to be treated with dignity and respect and to be free from all forms of harassment in the workplace and assures employees of confidentiality, and non-retaliation towards the complaint raised. Infosys

2. What is an Internal committee (IC)?
( ) a. IC is a forum where an employee can report any complaint of harassment
( ) b. IC handles code of conduct violations
(x) c. IC is set up in all our India DCs, to investigate and recommend action on sexual harassment concerns raised by women employees.
Correct Answer In India, as per the Sexual Harassment of Women at the Workplace (Prevention, Prohibition and Redressal) Act, 2013, Internal Committees (ICs) have been formed in all the India offices. Each IC has an external woman member, whois either from an NGO or is working for women’s welfare. A senior woman employee is the Presiding Officer of each location IC. IC looks into concerns of sexual harassment raised by Women in india DCs.3. It has come to your notice that a fellow colleague has made sexually explicit comments about you on social media. What would your next steps be? Oa. React and respond to your colleague on social media Gat ineeen @b. Report the matter to the Grievance Redressal Body An extended workplace (GRB) ~ includes client or vendor premises or any place Oc. Talk to your manager regarding the same ialedty neta lovee arising out of or during the course of employment including project parties, other official gatherings, company-provided transport, work from home, social media etc. Employees are bound by the Organization's policies while they are at an extended workplace, that includes interactions with fellow Infoscions on social media. Od, Ignore the issue4. Which of the given scenario will NOT be considered as sexual harassment? Oa. Public Display of Affection @b. Manager- subordinate being in a consensual romantic relationship. ~ Oc. Cracking off-colored jokes using social media Oc. Repeatedly pressurizing someone for a date. Oc. Exchange of sexual favours for employment benefits Correct Answer Consensual romantic relationship between a Manager-subordinate will not be construed as Sexual Harassment unless one of the parties or a coworker complains. However personal relationships and romantic liaisons between employees who are ina manager-employee reporting structure may lead to team management challenges and reduced morale, As per the Company's Code of Conduct this is considered as conflict of interest. 
Such relationships must be disclosed to a senior manager & HR immediately for appropriate corrective action.

5. How can an Infoscion raise a complaint for sexual harassment?
○ a. By writing to [email protected]
● b. By writing to grb@infosys.com (Grievance Redressal Body) ✓
○ c. By sending an email to the reporting manager
○ d. By sending an email to your HR
Correct Answer: Infosys is committed to providing an environment free of unlawful harassment. If an individual believes that he/she has been unlawfully harassed, the concern should be reported to GRB (Grievance Redressal Body) by writing to grb@infosys.com at the earliest.

6. At a project party outside the office premises, your colleague Mr. A has had a lot to drink and is making sexual gestures and comments at one of your other female colleagues, Ms. B, who is sitting next to you. She looks visibly upset. What should you do?
○ a. Ignore and let Ms. B handle the situation at hand
● b. Become a supportive bystander and intervene to stop the inappropriate behaviour, with help from a senior staff at the pub. Subsequently, report this matter to [email protected] ✓
○ c. Only Ms. B can report such a complaint. Hence, there is no action required from your end.
○ d. Since the incident happened at the pub, there is no need to report it further to the organization.
Correct Answer: Bystanders play a crucial role in the dynamics of workplace misconduct because they have the power to end it by standing up to the perpetrator and reporting it immediately.
a. Call out the negative behavior and ask the person to stop
b. If you don't feel comfortable or safe to speak up, then get someone else to step in
c. Approach the aggrieved and encourage them to seek help by reporting the matter
d. You should report the matter to the HR manager or the Grievance Redressal Body (GRB).
Further note: Any place you are in with a group of Infoscions will be construed as an Extended work place. Extended

7. GRB (Grievance Redressal Body) considers cases that are reported by women only.
○ a. True
● b. False
Correct Answer: ASHI is a gender neutral policy and caters to everyone equally. The Grievance Redressal Body is the custodian of the ASHI initiative. As per the law in India, Internal Committees (IC) are set up in all our DCs and ICs look into the complaints raised by women only. In India, GRB directs the relevant complaints to Internal Committees. All other complaints (raised by men; same gender harassment etc) are handled by the GRB office.

8. A Group Project Manager (GPM) has no direct supervisory responsibilities over Mr. M. One day, she asks Mr. M out on a date. After she asks him, she says, "I don't know if you know this, but I have a lot of influence on who gets promotions around here." Mr. M declined her request. When his manager recommended him for a promotion, the GPM does not approve citing Mr. M's recent decline in performance. Mr. M is a victim of Quid Pro Quo harassment. Please validate this statement as True or False.
● a. True
○ b. False
Correct Answer: The GPM ensured that Mr. M was not promoted because he declined her request for a date.
Quid Pro Quo harassment occurs when decisions regarding employment such as promotions and other work specific benefits or opportunities are promised, threatened or given, based on whether or not an employee submits to sexually oriented conduct and action is taken to fulfill that threat or promise.

Privacy and Data Protection for Delivery

1. You just discovered a data breach caused by our employee pertaining to client data. What among the following would not be an immediate step you would be taking?
○ a. Immediately inform the client, if it pertains to client data
○ b. Immediately inform the DPO
● c. Immediately inform the DP Authority of the country ✓
○ d. Do immediate damage control, e.g., remove file where it got disclosed.
Correct Answer: DP Laws in many countries have stringent requirement on breach notification (to DPA and sometime affected individuals), but such determination will have to be done by Client assisted by DPO (Infosys Data Privacy Office).

2. As part of project execution if you have to process client data for a purpose relevant for delivering the service but not originally stated by client, what would you do?
○ a. As long as the processing is relevant for delivering the service, we may decide on how to process
● b. We have to obtain client permission before processing, even if it is relevant for the service ✓
○ c. We may outsource such processing in which case we will no longer be liable
○ d. If we can pseudonymize such personal data, we do not have to inform or take client approval
Correct Answer: When Infosys is data processor, it is mandatory to have permission of client, who is the data controller, before any new processing involved.

3. Which of the following is not likely to be personally identifiable information?
○ a. Contact number of client manager with whom Infosys engages as part of project delivery
● b. Client provided personal financial information of its customers, that has been anonymized ✓
○ c. Contact number of a prospective client with whom Infosys is engaging for business opportunity
○ d. Personal information processed by Infosys as part of project execution
Correct Answer: Effective anonymization of Personal data, such that re-identification of individuals is not possible, will be exempted from data privacy laws

4. You are about to receive personal information from client as part of project execution. Which of the following is most appropriate about international data transfers?
○ a. If you will have it transferred to offshore team using Citrix client so that only data is viewed but cannot be copied to local machine, then you don't have to inform the client
● b. We have a duty to inform client about location of processing, and let them determine and prescribe appropriate safeguards to be deployed by us ✓
○ c. If you deploy appropriate safeguards such as encryption and data masking, data may be stored anywhere in the world.
○ d. In the internet era, any data may be accessed from anywhere in the world, and since client knows we are a global organization, we don't have to inform client about location of processing
Correct Answer: Even viewing data from a Country location other than client Location (where data is collected) is considered as Cross Border Data Flow

5. In a client project while working in client work environment you would like to process certain client Personal data which requires certain approved tools which you are not able to access since the credentials are available only for your colleague who is on leave today. What would be the acceptable action?
● a. Inform client and request them for access to the tool, and then carry out processing ✓
○ b. Since client work can't be impacted, upload data into a reasonable safe publicly available tool and process them
○ c. Send the data to your Gmail and from your personal machine do the processing by uploading data into a reasonable safe publicly available tool and process them
○ d. Take approval of your offshore Manager and proceed with uploading data into a reasonable safe publicly available tool and process them
Correct Answer: Uploading client PII into any unapproved 3rd party sites is prohibited.

Conflict of Interest Disclosure and Code Certification

1. What is conflict of interest?
○ a. When the interests or benefits of an individual conflict with the interests or benefits of Infosys.
○ b. When your family members receive improper personal benefits as a result of your position.
○ c. When preferential treatment is given to your family member as a result of your position.
● d. All of the above ✓
Correct Answer: Conflict of interest is a situation in which a person is in a position to derive personal benefit from actions or decisions made in their official capacity. Remember that you may not use your official position, Infosys time, property or other resources for personal gain.

2. What should you do if you anticipate potential conflict of interest?
○ a. Refer to the Code of Conduct and Ethics and write to Office of Integrity and Compliance in case of any doubt
○ b. Approach your manager, disclose and discuss the matter.
○ c. Disclose the conflict in Conflict-of-interest disclosure form and the COI module of Security Awareness Quiz (SAQ)
● d. All of the above ✓
Correct Answer: One can face potential conflict of interest situations during the course of work, but failure to disclose it will be a violation of the Code of Conduct and Ethics.

3. I am planning to start a small business for delivering lunch boxes for employees of several companies in my neighborhood including Infosys. The business will not compete with Infosys. Can I go ahead with this?
○ a. Yes, since it does not relate to the business that Infosys is engaged in, this is fine.
○ b. Yes, since this engagement is not making use of the company's assets or resources
○ c. Yes, it also does not have any impact on my working hours.
● d. No. The nature of the work is necessarily of full time which has the ability to affect your role and time to the Company. ✓
Correct Answer: Infoscions should avoid employment or outside interests that may create, or give the appearance of creating, a conflict of interest. We should avoid side business in order to remain fair and dedicate the requisite time to Infosys.

4. The contract with our catering company is up for renewal. You are in charge of selecting the new vendor and awarding the contract. However, one of the potential vendors is ABC Caterers, run by your nephew. Is this permitted?
○ a. Yes, ABC is experienced and the quality of the food will be better.
● b. No. Your relationship with ABC Caterers will be considered to have influenced your decision to select ABC.
○ c. Yes, you can award the contract as you have followed due process and are in charge of selecting caterer.
○ d. Yes, select the vendor and remain silent about the relationship
Correct Answer: To avoid conflicts of interest, it is most important to avoid even the appearance of a conflict. It is important that all such transactions be fully disclosed and conducted with no preferential treatment.

5. I have written a book on Digital Web Enablement. Can I go ahead and publish it?
○ a. Yes, provided no proprietary/confidential information of Infosys/ or its client is contained in the book.
○ b. Yes, provided proper approvals are obtained through publication portal prior to publication of material.
○ c. No, this will directly compete with the organization and create opportunity to transfer organizational IP to personal business.
● d. Yes, if option 1 & 2 are satisfied ✓
Correct Answer: The intellectual property (IP) of the Company must be protected as a vital business asset. Our IP portfolio includes copyrights, patents, trademarks, service marks, trade secrets, design rights, logos, brands and know-how. We must use our IP

Computer Security
Secure Usage of Internet and Email
Infosys Policies and Procedures
Security within Premises and Outside
Business Continuity Management
Intellectual Property Rights
Privacy and Data Protection
Anti bribery and anti-corruption module
DNA Security Awareness Module
PEOPLE SECURITY AND ASHI AWARENESS
Privacy and Data Protection for Delivery
Conflict of Interest Disclosure and Code Certification
Total Percentage
Your Awareness level is Excellent.
Note: Your attempt is registered.
100 100 80 100 83 400 90 100 400 100 100 100 97