Acceptable Use and Data Security

CGZ919-a80en
System ID: 80492

Lang: en

Date of Export: Apr 5, 2024

Course Version Number: 1.0

Course Description:
We live up to our client and business demands. Our commitment to doing business ethically
includes respecting privacy, protecting information, and safeguarding assets. The volume of
information that our business receives, creates, and stores is significant and increasing. With
the increase in ransomware attacks, phishing attempts, and data protection regulations,
Cognizant has been refreshing and strengthening its approach to security. A key component
to that is better data privacy and management across the company.

Course Objective(s):
TBD
Table of Contents
1 . Landing Page
2 . Tile Menu
3 . Introduction
1 . Preventing a Data Breach
2 . Security Is Everyone's Responsibility
3 . You Are a Steward of Company Assets
4 . Acceptable Use
1 . Corporate Assets
2 . Personal Use
3 . Asset and Software Security
4 . Reporting Incidents and Getting Help
5 . Data Protection
1 . Cognizant Confidential Information
2 . Client and Competitor Confidential Information
3 . How Is Information Lost?
4 . Passwords
5 . Password Protection
6 . Data Classification
1 . Classifying Data
2 . Classification Approach
3 . Sensitive Data
7 . Data Storage
1 . Secure Storage
2 . Unauthorized Storage
8 . Data Sharing
1 . You Know Me So Well
2 . Sharing Data: Do They Need to Know?
3 . Sharing Data Internally
4 . Sharing Data Externally
9 . Insider Threat
1 . Insider Threat
2 . Social Engineering: A Related Risk
3 . Executing Insider Threat Attacks
10 . Phishing, Ransomware, and Malware
1 . Phishing
2 . What Threat Actors Want You to Do
3 . Safeguard Against a Phishing Attack
4 . Phishing Example
5 . Business Email Compromise (BEC)
6 . Malware and Ransomware
7 . Common Signs of Phishing
8 . Summary
11 . Approved Tools and Technology
1 . Email
2 . Collaboration, Instant Messaging, and Social Media
3 . Cloud Usage
4 . Cloud Software Repositories
 5 . Summary
12 . Additional and Targeted Security Training
1 . Ongoing Supplementary Trainings
13 . Security Tips and How to Report
1 . Security Incidents and Policy Exceptions
2 . Security Tips
3 . Acceptable Use Policy
Knowledge Check
Disclosure
 Landing Page

Course Name: Acceptable Use and Data Security

Course Duration: 45

Supported Devices

 Desktop
 Tablet
 Smartphone
 Tile Menu

1. Welcome Message
Salutation: Hello!
Message
Welcome! Select an active tile to begin.

2. Completion Message
Salutation: Congratulations!
Message
You've successfully completed the course. Select the Exit (x) button to close the window and
receive completion.

Exploratory or linear lesson navigation? Linear

Do you want to skip the tile menu the first time the learner opens the course? No

Tile Design
Name Type Tile Content
Assessment Assessment

Introduction Linear

Acceptable Use Linear

Data Protection Linear

Data Classification Linear

Data Storage Linear

Data Sharing Linear

Insider Threat Linear

Phishing, Ransomware, and Malware Linear

Approved Tools and Technology Linear

Additional and Targeted Security Training Linear

Security Tips and How to Report Linear

Knowledge Check Knowledge Check

Disclosure Disclosure
 Page Number: 1

Lesson 1: Introduction

Video Template

Page Title:
Preventing a Data Breach

Page Content:
Panel Content
1 Data breaches can be scary and have long-lasting effects on customer
trust. To prevent a breach, it's important to educate ourselves on how
they occur. Breaches can happen in various ways, such as network
hacks, phishing emails, stolen laptops, or even an office intruder. It
only takes one person to overhear a conversation, or one piece of
paper left unattended. Therefore, it's crucial to understand the
importance of both physical and digital security. When we know our
role in maintaining data security and take responsibility for preventing
a breach, we can work with integrity.Suspicious charges to a credit
card, telemarketing calls, spam emails. When our personal information
is compromised, it can be terrifying. But imagine that on a company-
wide scale.
No matter how quickly a data breach is patched, customer trust takes
much longer to heal. Sometimes that breach of trust is irreparable. The
best way to prevent a breach is education.
Know how breaches occur, from a network hack to a phishing email, a
stolen laptop, an office intruder. It only takes one person overhearing a
conversation, or one piece of paper left unattended.
Remember—physical security is just as important as digital security.
When we know our role in maintaining the security of the data we
hold, and take responsibility for preventing a data breach, we can work
with integrity.

Alternative Text for Panel

 Page Number: 2

Lesson 1: Introduction

Text and Graphic Template / LTR

Page Title:
Security Is Everyone's Responsibility

Page Content:
As engineers of modern businesses, we manage a vast amount of confidential data, which
means we have a business-critical responsibility to do the right thing, the right way when it
comes to protecting that data. Our clients, shareholders, go-to-market partners, and fellow
associates expect each of us to safeguard the confidential data we interact with every day.
That protection starts with a security-first mindset and continues with proactiveinitiative-
taking actions that safeguard data and minimize the risk of a data breach or security
incident.
A data incident can damage our reputation, disrupt business operations, negatively impact
our growth, lead to regulatory penalties or fines, make us an easy target for hackers, and
result in the loss of client trust and relationships.
This course is intended aims at to familiarizinge you with how to protect company and client
data, assets, and networks. Subject to local laws and regulations, a violation of these
directives or potential involvement in a data breach incident could result in disciplinary
action, up to and including termination and possible legal action.

Bulletin Title:

Bulletin Text:

As employees of Cognizant, it's our responsibility to adhere to the best security practices to
safeguard both Cognizant and client information. Good data security involves understanding
some basic principles, applying common sense, and being constantly aware of the risks our
company faces and their consequences.

This course will teach you how to classify and protect confidential and sensitive information,
minimize, and avoid the risk of data loss, and navigate any security issues that may arise.
You will discover that most of what is necessary and required to keep sensitive data and
information safe is already familiar to you.

As Cognizant employees, it is our responsibility to follow the security best practices to

safeguard Cognizant/client information. Good data security is mostly a matter of
understanding a few basic principles, applying your common sense, and constant awareness
of the risks our company faces and their consequences.
In this course, you'll learn how to classify and protect Confidential and Sensitive
Information, how you can minimize and avoid the risk of data loss, and how to navigate
security issues that may arise.
You'll discover that you already know most of what is necessary and required of you to
keep sensitive data and information safe.
 Page Number: 3

Lesson 1: Introduction

Carousel Template / Full Screen Image

Page Title:
You Are a Steward of Company Assets

Screen Name: Screen 1

 Title:

You Are a Steward of Company Assets

o Cognizant has a responsibility to clients, shareholders, regulators, and other
stakeholders to safeguard data and assets against loss, damage, fraud, waste, and abuse.
We can all help do this by:

 Taking reasonable care to protect Cognizant assets and information from

unauthorized or improper use.
 Using approved corporate assets and software for legitimate business
purposes only.
 Only using Cognizant-approved collaboration, communications, and
messaging platforms unless alternative channels (e.g., Zoom, WebEx) are
required by clients.
 Ensuring we only use Cognizant-approved Generative AI tools. Remember
the use of public Generative AI tools, such as ChatGPT, is not permitted
without obtaining an exception approval from Corporate Security.
 Only storing data on Cognizant-approved platforms such as OneDrive.
o
o
o
 Alternate Text:
 Image Description:
 AutoPlay: OFF

Screen Name: Screen 2

 Title:

You Are a Steward of Company Assets - Cont'd

o
 Never uploading or posting sensitive Cognizant/client data, including source
code, sample proposals, or project artifacts on social media or other public
platforms
  Keeping our software and system security policies up to date by connecting
Cognizant assets/devices to the Cognizant network (not client VPNs) for at
least a few hours per week
 Ensuring that software or devices procured for a particular client are not
used for another client project
 Never moving client data to non-client networks, including the Cognizant
network, without explicit client approval
 Remaining vigilant against and reporting suspected social engineering
attacks whether they are conducted over email (phishing), SMS/messaging
apps (Smishing), voice communications (Vishing), or other vectors such as
social mediamedia.
o
o
o
 Alternate Text:
 Image Description:
 AutoPlay: OFF

Screen Name: Screen 3

 Title:

You Are a Steward of Company Assets - Cont'd

o
 Staying alert and vigilant of our surroundings and promptly reporting any
concerns about the use, abuse, or endangerment of company assets to the
Corporate Security team
 Following all the necessary steps and guidelines to return Cognizant/client-
provided assets when leaving CognizantCognizant.

Being responsible stewards of our information assets and data is essential to

the profitability and success of our company over the long term. It should
become second nature to us all.

o
o
o
 Alternate Text:
 Image Description:
 AutoPlay: OFF

Screen Name: Screen 4

 Title:

Good Stewardship: Why It's Important

o Cognizant and our clients trust us to always safeguard their data and
information. We need to be vigilant against cyberattacks and other security incidents to
ensure that company or client data, assets, systems, and/or resources are not abused,
damaged, misused, or lost.
The most basic way to be a good steward of Cognizant and client data and
systems is to comply with Cognizant's Acceptable Use Policy. This policy
provides guidance on the appropriate use of information and information
technology resources. Specifically, it provides guidance on topics such as:

 Use of Cognizant/client assets

 Use of personal assets
 Social media use
 Asset and network access travel restrictions
 Physical security and tailgating
 Phishing, malware, and ransomware attacks incident reporting
 Protection of confidential company and client information
 Sharing of information on a need-to-know basis for valid business reasons
with verified and legitimate usersusers.
o
o
o
 Alternate Text:
 Image Description:
 AutoPlay: OFF

Screen Name: Screen 5

 Title:

Remember
o Protecting your assets also means that Cognizant may restrict an associate's
ability to travel between certain regions with company assets and/or access company data
and/or networks from those same regions (using both Cognizant and personal assets). Refer
to the list of specific countries and regions where you are prohibited from bringing, or are
required to obtain prior approval to bring Cognizant/client assets or access Cognizant/client
networks for either business or personal travel.
o
o
o
 Alternate Text:
 Image Description:
 AutoPlay: OFF
 Page Number: 4
Lesson 2: Acceptable Use

Select and Reveal Template / LTR / Random

Page Title:
Corporate Assets

Page Content:
Corporate assets take many forms, and we must be good stewards of all assets that are
accessible to us. Let's consider what these are.
Select each image to find out more.
Reveal Content for Desktop:
Image Alternate
Interaction Title Interaction Description
Description Text
Informational Informational assets include any data
relating to the company's business,
regardless of how that data is created,
distributed, used, stored, or purged.
Example: Services such as email, the
Internet, chat transcripts, voicemail,
networks, and applications
Financial Financial assets include the company's
money, financial instruments, and anything
that can be converted to money.
Examples: Bank accounts, bank deposits,
transaction invoices, and corporate credit
cards
Tangible Tangible (or physical) assets include anything
that the company provides to help us
perform our jobs.
Examples: Servers, desktops, laptops, access
card readers, and mobile devices (such as
smartphones, mobile phones, or tablets)
Intangible Intangible assets are assets that are not
physical.
Examples: Software, trade secrets,
innovations, trademarks, patents, and our
reputation
Reveal Content for Mobile:
Interaction Title Interaction Description Image Description Alternate Text
Bulletin Title:
Our Offices and Facilities Are Company Assets

Bulletin Text:
Remember that the office itself is a physical company asset, and we should never enter
unauthorized work areas or provide unauthorized access to the office to visitors or
colleagues. It is critical for each associate to display their ID badge and use only their own
associate ID badge to enter and exit facilities, even if a colleague offers to open a door or
tailgate behind them.
Visitors may enter Cognizant facilities only after verification of their identity, and they must
be always accompanied.
 Page Number: 5

Lesson 2: Acceptable Use

Sidebar Template / LTR

Sidebar Type: CUSTOM

Page Title:
Personal Use

Page Content:
Our information and communication devices and systems are provided for business
purposes, to enable us to be effective and productive when doing our jobs.
Changing work patterns mean that the workforce has become much more mobile, and the
boundaries between our work lives and personal lives have become blurred. Accordingly,
some personal usage of company devices and networks, including the Internet, wireless
networks, and mobile phones, is inevitable. Limited and occasional personal use is
permitted as long as it is not malicious or does not interfere with an associate's job duties.
We must also never use personal email accounts for business purposes, send any business
information to personal email accounts, or upload Cognizant/client confidential data to
unauthorized external cloud solutions such as Google Drive or Dropbox. Similarly, we should
not bring personal devices to the office, and must not connect personal storage devices
(such as USB media) to the company or client-provided assets and networks.
If you are authorized to remotely access company or client data through personal mobile
devices, you must use only authorized Cognizant/client applications, and you must never
attempt to bypass, circumvent, modify, disable, or remove security controls or settings on
these devices.
Sidebar Title:

Unacceptable Personal Usage

Personal usage of company devices, systems, and the Internet is never acceptable if it
involves:

 Pornographic, obscene, offensive, harassing, or discriminatory content

 Downloading, installation, sharing, or distribution of unauthorized software
 Online gambling, auctions, or games
 Unauthorized mass distributions
 Violation of others' intellectual property rights
 Malicious software or instructions for compromising the company's securitysecurity.
 Photography or video recording inside workplaces
 Sending client information to non-client networks (including Cognizant networks) without
prior client approval

Bulletin Title:

Bulletin Text:
Given the potential risk of theft, loss, or damage, appropriate precautions must be taken to
protect company-provisioned mobile devices such as laptops and mobile phones. These
devices must never be left unattended in a non-secure environment (e.g., a locked car).
Also, be mindful of what you are working on when you are around your family or others
with whom you share space while working remotely. This is especially true if you have
access to proprietary Cognizant information; client information; personal information of our
associates, clients, or their customers; or material non-public information about Cognizant
or any other publicly traded company. Whether it is a telephone conversation, a video chat,
or images on your laptop screen, inadvertently sharing or exposing such information could
result in severe repercussions for you and the company.
 Page Number: 6

Lesson 2: Acceptable Use

Text and Graphic Template / RTL

Page Title:
Asset and Software Security

Page Content:
You may think it'sit is easier and more convenient to install software yourself. However, all
software installations must be done by the appropriate authorized Cognizant IT department.
Associates are not allowed to install unapproved software on Cognizant devices and all
installed software must be strictly for business use only.

 Associates must have a valid request for installation of software that has not previously been
approved for corporate use.
 All software installations must comply with Cognizant software license requirements,
patents, copyrights, trademarks, and the protection of intellectual property rights.
 Associates must only use the software according to client instructions and must comply with
the respective software publisher/vendor's End User License Agreement (EULA)
requirements.
 Software procured for use on one project should not be used on another project. If you are
moving roles, ensure you request the release of the software and ensure the software is
uninstalled from your Cognizant device.

For more information on asset security and software installation, read the Asset Security
Policy and Software Installation and Maintenance Acceptable Use Standard.
 Page Number: 7

Lesson 2: Acceptable Use

Text and Graphic Template / LTR

Page Title:
Reporting Incidents and Getting Help

Page Content:
As Cognizant employees, it is our responsibility to follow Cognizant Security policies and
report all security violations/incidents to Corporate Security immediately.
Please review our Acceptable Use Policy (AUP), and other security-related policies and their
associated standards as identified in this course. These policies apply in all places where
Cognizant and client information and associated technology is accessed—not only at
Cognizant premises or client sites, but also at hotels, airports, and homes, and when you are
on the move.
All suspected violations of the AUP should be reported, regardless of whether the conduct
occurred at a Cognizant location, at a client location, or at some other location where
Cognizant's or Cognizant client information technology was utilized or affected. In addition,
if any Cognizant/client-supplied equipment is lost, damaged, misused, or stolen,
immediately inform Corporate Security.

 Report security incidents online by raising a request in MyService Portal or email

([email protected]).
 Security exceptions can be requested by raising a request on MyService Portal.

Please visit the Corporate Security page on Be.Cognizant and email

[email protected] for more information.
 Page Number: 8

Lesson 3: Data Protection

Text and Graphic Template / RTL

Page Title:
Cognizant Confidential Information

Page Content:
Confidential information includes but is not limited to Sensitive and Personal Information,
trade secrets or intellectual property, strategy and business operations, client project details
or proprietary information, software code developed for Cognizant, clients and/or partners,
network or site diagrams, inventory details, or unannounced financial results or projections.
Cognizant associates are not permitted to remove, copy, or use sensitive and/or confidential
Cognizant/client data outside of their work environments or computing assets, or across
different client projects—doing so may subject you to disciplinary action, including
termination.
Protect and secure confidential company and client information with secure usernames and
passwords. Confidential information should never be shared with others without verifying
the identity of the requestor and the business need for the request. Confidential data
should not be left on printers or whiteboards, in meeting or conference rooms, or anywhere
else in printed or written form where others may have uncontrolled access to it. Lock your
computers when you step away from them.

Bulletin Title:
Personal Information

Bulletin Text:
Personal Information is a primary focus for cybercriminalscybercriminals.
Personal Information as defined in the Global Privacy Definitions: means any information or
combination of information, in any form or medium, that can be used to identify an
individual. Common examples include name, employee ID, date of birth, age, gender, job
title, grade, etc.
Cognizant uses the term "Personal Information"”, but this information can sometimes be
referred to by other terms such as:

 Personally identifiable information (PII),

 Personal data, or
 Personal health information (PHI).

Sensitive Personal Information means Personal Information, which if lost, compromised, or

disclosed without authorization, could result in substantial harm, embarrassment,
inconvenience, or unfairness to an individual. This category of PI requires an enhanced level
of care and control. Common examples (not meant to be all-inclusive) include genetic data,
biometric data, national ID, racial or ethnic origin, political opinions, religious or
philosophical beliefs, etc.
Personal Information and Sensitive Personal Information are covered in the privacy module
in the Code of Ethics course. Additional privacy resources can be found on the Global
Privacy page.

You can also take the opportunity to further your understanding of Cognizant's Global
Privacy program by registering for the "Introduction to Privacy Fundamentals at Cognizant"
course available to all associates in Cognizant LEARN.
 Page Number: 9

Lesson 3: Data Protection

Hotspot Image Template / Full Screen Graphic / Random

Page Title:
Client and Competitor Confidential Information

Page Content:

Content Description:
We are committed to fair competition and acting ethically when it comes to our clients' and
competitors' information. To compete fairly in the marketplace, we must show respect for
the confidential and commercially sensitive information of our clients and competitors. This
obligation arises in a multitude of contexts.
Select each hotspot below to learn more.
Hotspot Content :Content:
We do not use our access to client systems or locations to find
commercially sensitive information, or other information that can be
Text used to obtain a competitive edge, without proper authorization. When
our clients give us access to their environments, we must protect their
data as if it is our own. As custodians of our clients' data, we are trusted
to protect that data and meet contractual obligations in doing so.

Text We cannot use confidential or proprietary material from our prior

employers in our work at Cognizant.
We are not permitted to remove or use confidential Cognizant/client
data outside of our work environment or computing assets.
Text Confidential Cognizant and client information cannot be used at, or for,
new client projects (when moving from one client project to another)
or new external employment opportunities.

Bulletin Title:
Speak Up

Bulletin Text:
Generally, information that is publicly available is safe to use. Speaking up when non-public
information is being used inappropriately is equally important. If someone shares client or
competitive information with you that is not publicly available, you should speak up and
immediately report such incidents to Corporate Security via email or phone.

 Email: [email protected]
 Phone: Toll Free Numbers - U.S.: 1-866-822-2024 | UK: 0800-678-1616 | India: 1800-572-
0473 (select option 0)
 Page Number: 10

Lesson 3: Data Protection

Text and Graphic Template / RTL

Page Title:
How Is Information Lost?

Page Content:
Information loss doesn't just happen in computer databases or through outsiders hacking
into systems or networks. Most often, it occurs in ordinary situations, such as:

 Lack of adherence to document disposal and storage procedures and processes

 Improper data or information disclosure through emails, attachments, text messages, social
media posts, or phone calls
 Writing Sensitive Information on whiteboards and leaving it visible
 Leaving printouts of restricted or Sensitive Information unattended at a printer or your work
desk
 Lost or stolen computing and mobile devices
 Compromise due to inadvertent downloading of malware on computers or mobile
devicesdevices.
 Inadvertent copying of data to a public server or code repository
 Audible and unguarded sensitive conversations in public areas
 Page Number: 11

Lesson 3: Data Protection

Binary List Template

Page Title:
Passwords

Content:

Content Description:
Passwords are an effective way to protect company information. Which of the following
statements about passwords are true?
Select the correct option for each statement.
No of Masking: 6

Choice Question or Statement

False Passwords should be easy for the creator to recall and
should include personal details, such as name and year
of birth.
False Passwords made up of repeated words, such as
"passpass", are hard to crack.
True Good passwords use a combination of uppercase and
lowercase letters, numbers, and special characters.
True Using the maximum number of characters allowed
increases the strength of a password.
False Passwords should only be changed once a year.
True Never share your password with anyone, not even your
most trusted colleague.

Choice 1:
True

Choice 2:
False

Question or Statement 1:
Passwords should be easy for the creator to recall and should include personal details, such
as name and year of birth.

Correct Choice ID:

Choice 2
Question or Statement 2:
Passwords made up of repeated words, such as "passpass", are hard to crack.

Correct Choice ID:

Choice 2

Question or Statement 3:
Good passwords use a combination of uppercase and lowercase letters, numbers, and
special characters.

Correct Choice ID:

Choice 1

Question or Statement 4:
Using the maximum number of characters allowed increases the strength of a password.

Correct Choice ID:

Choice 1

Question or Statement 5:
Passwords should only be changed once a year.

Correct Choice ID:

Choice 2

Question or Statement 6:
Never share your password with anyone, not even your most trusted colleague.

Correct Choice ID:

Choice 1
 Page Number: 12

Lesson 3: Data Protection

Text and Graphic Template / LTR

Page Title:
Password Protection

Page Content:
Passwords are our primary defense against computer hackers being able to access
confidential data stored on various systems, applications, and networks. They are the keys
to the castle, and if not properly protected, they can easily be exposed to, and used by,
threat actors for criminal/nefarious reasons.
It is therefore important to use strong and complex passwords with at least 12twelve
characters, comprising of a combination of lowercase and uppercase letters, numbers, and
special symbols. The letters must not be repeated, easily guessed, or reverse-
engineeredreverse engineered. It is also critical to keep them secure. Never share your
Cognizant/client credentials with others no matter what the circumstances, or who is
requesting that you do so. Additionally, you should never share passwords to perform client
work in an unauthorized manner. Change your password immediately if you suspect your
password has been compromised. For more details, please read the Global Password
Security Standard.

Bulletin Title:
Microsoft's Multifactor Authentication (MFA)

Bulletin Text:
Two-factor authentication adds an important layer of security when you access Cognizant
systems and applications. The safest way to complete your multifactor authentication is by
using the MS Authenticator application. Start by downloading and registering Microsoft
Authenticator. Visit this article on Be.Cognizant to know more.
 Page Number: 13

Lesson 4: Data Classification

Text and Graphic Template / LTR

Page Title:
Classifying Data

Page Content:
Let's get more specific. What exactly is the information we need to protect?
Simply put, we manage large amounts of data ranging from highly confidential to publicly
available. Because it's not created equally, we have a responsibility to:

 Understand what it is, how it is being used, and what individual elements it
includesincludes.
 Classify (label) it properly because the label communicates how important and sensitive the
data is to anyone interacting with it—much like a "handle with care" label on a
packagepackage.
 Protect it by enabling the necessary data security controls and permissions to ensure
confidentiality, integrity, and availabilityavailability.
 Page Number: 14

Lesson 4: Data Classification

Select and Reveal Template / Full Screen Graphic / Random

Page Title:
Classification Approach

Page Content:
At Cognizant, we have a four-category data classification approach.
Select each image to find out more.
Reveal Content for Desktop:
Image Alternate
Interaction Title Interaction Description
Description Text
C1 – Restricted Client and Cognizant business information that
is critical to protect due to its high value or
sensitive nature.
Access to all information classified as
restricted must be based on a "need to know"
basis and follow role-based access controls.
Examples include business contact
information, trade secrets (e.g., design
diagrams, competitive information, etc.),
financial information, etc.
C2 – Confidential Client or Cognizant business information that
is highly sensitive and whose level of
protection may have additional obligations
due to law, regulation, and/or contractual
requirements.
It is for "internal use" and access must be
limited to Cognizant's workforce members on
a "need-to-know" basis. Examples include
training reports, employee data, internal
policy documents, etc.
C3 – Private Default classification level for all client or
Cognizant information until a classification is
assigned.
It may be shared with specific associates,
clients, contractors, and business partners
who have a business need, but may not be
released to the public due to the negative
impact it may have on our business.
 C4 – Public Client and Cognizant information for which no
legal or contractual obligation to restrict
disclosure exists and that includes information
that has been approved for release to the
public. Examples of public information include
information on employment opportunities,
marketing material, press releases, etc.
Reveal Content for Mobile:
Interaction Title Interaction Description Image Description Alternate Text
 Page Number: 15

Lesson 4: Data Classification

Text and Graphic Template / Full Screen Graphic

Page Title:
Sensitive Data

Page Content:
Sensitive data—such as personal information related to our associates, vendors, or clients,
or proprietary information that belongs to Cognizant or its clients—should be protected in
accordance with the Global Information Classification Standard. Information classified as
"Restricted" should always be encrypted (stored, in transit, or during access), and
"Confidential" information should be encrypted while at rest or in transit. It should be
shared only with authorized parties and should never be shared on any public forums such
as social media.

Bulletin Title:

Bulletin Text:
Simply put, confidential information is anything that is not known by the public or publicly
available.
All Cognizant associates should begin classifying (labeling) and protecting client and
Cognizant information they manage.
Classify it by adding one of the four classification labels discussed. Because much of our
work is done in email and Office applications, you should add the classification label in a
prominent location where you and others can easily see it. For example, add a classification
label to a file's cover page as well as the header or the footer of the document,
presentation, or Excel file.
If you are unsure or have questions about data classification, the best thing to do is ask. Talk
with your manager or the data owners to ensure you have classified the data appropriately
—especially when working with any client data or any Cognizant data classified as C1–C3.
Though all data is not created equal, as associates we all have an equal obligation to protect
our clients, Cognizant, and each other.
Additional Resources
Global Information Classification Standard (Examples and their Cognizant data classifications
can be found in Appendix A)
Global Information Protection Standard
Global Information Handling Standard
 Page Number: 16

Lesson 5: Data Storage

Text and Graphic Template / LTR

Page Title:
Secure Storage

Page Content:
Cognizant's OneDrive for Business and Cognizant-provisioned SharePoint Online are the only
Cognizant approved cloud-based data storage solutions.
Cognizant OneDrive for Business makes it easy to store, share, and collaborate on
documents from any Cognizant-approved device while also protecting client and company
information. OneDrive is available to all Cognizant associates and provides capabilities for:

 Anywhere access: Freedom to access, edit, and share your files on all your approved devices,
wherever you are.
 Backup protection: If you lose your device, you won't lose your files when they're saved in
OneDrive.
 Sharing and collaboration: Stay connected, share documents, and collaborate in real time
with approved tools.

Although OneDrive is approved for the storing of data, C1 and C2 data have additional
encryption requirements. Please refer to the Be.Cognizant page for more details.
Get started by viewing the quick setup guide or learn more about the tool's features by
watching videos on the OneDrive page.
If you have any questions, please contact the IT helpdesk through chat, MyService Portal, or
phone.
 Page Number: 17

Lesson 5: Data Storage

Text and Graphic Template / RTL

Page Title:
Unauthorized Storage

Page Content:
The use of any other external storage technology potentially puts our clients and Cognizant
at risk.
Unauthorized and high-risk storage solutions include:

 All USB storage devices, mass storage, or any removable media

 Personal network-attached storage
 External public cloud storage solutions like Google, Dropbox, personal OneDrive, iCloud, etc.

The use of unauthorized storage solutions exposes Cognizant to possible data loss, contract
non-compliance, and/or breach notification obligations. We need your help to protect
Cognizant and our clients' data—only use Cognizant-provisioned OneDrive for Business
and SharePoint Online.
 Page Number: 18

Lesson 6: Data Sharing

Video Template

Page Title:
You Know Me So Well

Page Content:
Panel Content
1 Jake, a regular customer at the coffee shop, walks up to the cashier
counter to order. Wendy, a barista, greets him.

Jake: Good morning, I'll have a—

Wendy: Double mocha soy latte, no whip?

Jake: You know me so well.

Wendy: You come in every other day and order the same thing, so…

Jake: Thanks for noticing...Wendy.

Wendy: No problem, Jake.

Jake: How do you—? Right, every other day.

2 Wendy: You got it.

He starts to turn away.

Wendy: Oh, by the way, Happy Birthday.

Jake: What?

Wendy: I'm off next week, so in case I don't see you, Happy Birthday.

She immediately turns and walks away. He stands perplexed.

Jake: Hmm, that's odd.

3 Jake walks by the condiment bar, noticing a lady fixing up her coffee
drink. A voice of a male barista calls out his drink order.

Barista: Got a soy latte for Jacob Emmanuel Young!

 Jake's eyes pop open wide. He is stunned.

Barista: Jacob Emmanuel Young of Lincoln, Nebraska!

Jake quickly grabs his drink.

Jake: Yeah, that's mine.

4 Shaking his head, he brings his drink over to the condiment bar and
starts to rip open a couple packets of sugar. The lady stops him.

Lady: Two sugars? Are you sure you want to do that with your
condition?

Jake looks at her with a raised eyebrow.

Lady: I mean, your doctor did just diagnose you as pre-diabetic.

She walks away and he pauses, dumbfounded, for a moment before

walking off.
5 Matt and Lisa are sitting at a table with their coffees. Lisa is on her
phone while Matt does the crossword puzzle in a newspaper.

Jake walks toward them as he leaves the coffee shop.

Matt: What's a five-letter word for traverse?

Lisa: That's easy. (Just as Jake walks by, she points at him) It's his
mother's maiden name.

Jake stops dead in his tracks.

Matt: Oh, Cross, of course. Duh.

Jake: I don't know you...people.

6 Jake, latte in hand, walks down the street, a little weirded out. Ned, a
random guy, walks up to him and stops him.

Ned: Hey, didn't you used to work for GeneriCo?

Jake: Uh, yeah, did we work together?

Ned: No, why do you ask?

Jake has a quizzical look like he's about to say something when his
phone rings.
 Jake: Excuse me. Hello?

Matt: Hey, Jake, it's me again. Can you help me out with a seven-letter
word for confidentiality?

Jake: I don't know you! How did you get this number?
7 Ned: You were pulling down about $80k at GeneriCo, right?

A homeless man wearing a "The End is Nigh" sandwich board walks

toward them in the background. He is shouting out a series of numbers.

Jake: Seriously?!

Homeless man: 2-3-4-2-4-1-5-1-6-2-3-4-2-4-1-5-1-6-2-3-4-2-4…

Jake: Wait. Those numbers. That, that, that's my—

Ned: —It's your Social Security number. Everybody knows that.

Jake starts walking away and dialing a number on his phone.

Jake: I'm sorry, stranger, I have to make a—Hey, Samantha, it's Jake.
Remind me again what we're doing to protect our employee and
customer information.

Alternative Text for Panel

Jake talking to Wendy
Wendy
Barista handing over coffee to Jake
Lady talking to Jake
Matt and Lisa sitting at a table
Ned talking to Jake
Jake on the phone
 Page Number: 19

Lesson 6: Data Sharing

Text and Graphic Template / LTR

Page Title:
Sharing Data: Do They Need to Know?

Page Content:
Now that we have learned more about the type of information we need to protect and
classify, let's learn how to securely share, transfer, and store data.
A first step is simply to be mindful of what data you share and who you share it with. At
Cognizant, we operate on the need-to-know principle: associates receive access to data only
if they need it to perform their jobs. This means checking to see what information others
need to know, based on their job role and providing only the information required. Resist
the temptation to provide the entire data set or file when the recipient only requires partial
information or select excerpts.
Remember: Granting or obtaining administrator access or handlingmanaging more data
than is required increases the scope and impact of a potential data breach and/or loss of
data.
 Page Number: 20

Lesson 6: Data Sharing

Carousel Template / Full Screen Image

Page Title:
Sharing Data Internally

Screen Name: Screen 1

 Title:

Sharing Data Internally

o Method 1: Microsoft Azure Information Protection (AIP)
When sending data internally using Outlook, please use labels and
permissions provided by Microsoft AIP (located in the ribbon of Microsoft
Office applications including Outlook, Word, PowerPoint, and Excel) to assign
the appropriate sharing permissions based on the classification of the data.
Depending on the version of Microsoft Office (O365 or Office 2016), the
ribbon location of these features may appear under the headings for
"Sensitivity" or "Permissions."

o
o
o
 Alternate Text:
 Image Description:
 AutoPlay: OFF

Screen Name: Screen 2

 Title:

Method 2: OneDrive or SharePoint

o Make use of Cognizant-authorized Microsoft Office 365 options such as
OneDrive for Business or SharePoint Online or a Cognizant-provisioned Box account for
sharing large files internally. Reminder: To get started with OneDrive, view the quick setup
guide or learn more about the tool's features by watching videos on the OneDrive page.
o
o
o
 Alternate Text:
 Image Description:
 AutoPlay: OFF
Screen Name: Screen 3

 Title:

Method 3: Microsoft Teams

o This is where it all comes together as Microsoft Teams interfaces with
SharePoint and OneDrive.
You can leverage Microsoft Teams to transfer files in private or group chat
conversations internally within Cognizant. Share data by navigating to the
chat page, click on Files → Share → OneDrive, or Upload from My Computer.
You can also set up a Microsoft Teams "Team," which allows for easy file
sharing, access, and collaboration.
Create a Microsoft Teams (group) or private channel only when there is a
specific project track that will have channel conversations and collaboration,
and ensure you add a minimum of two or three owners and five or six
members. A team or group must not be created for personal storage,
document or laptop backups, testing, or temporary file-sharing purposes.
Microsoft Teams must not be used for creating SharePoint sites for
customization or site-level activities.

o
o
o
 Alternate Text:
 Image Description:
 AutoPlay: OFF

Bulletin Title:

Bulletin Text:
To get more detailed additional guidance on data sharing, read here.
 Page Number: 21

Lesson 6: Data Sharing

Text and Graphic Template / RTL

Page Title:
Sharing Data Externally

Page Content:
Cognizant provides an approved process to facilitate external collaboration using Box.com
or SFTP accounts. Requests to use Cognizant-provisioned Box.com or SFTP should be
submitted through MyService Portal. Data-sharing solutions such as OneDrive & SharePoint
Online (i.e., incl. MS Teams sites) are not enabled for external sharing.
For guidance on how to share data externally in a secure manner, review the following
articles, and self-help user guides:

 Sharing Confidential Information Securely – Windows Users

 Sharing Confidential Information Securely – Mac Users
 Guidance on Sharing Associate Personal Information with Clients
 Privacy Data Transfer FAQs
 Data Transfer Management course [101-BASICS]
 Page Number: 22

Lesson 7: Insider Threat

Carousel Template / Full Screen Image

Page Title:
Insider Threat

Screen Name: Screen 1

 Title:

Insider Threat
o The risk and vulnerability posed by a person who had, or now has:
 Authorized/trusted access to information, facilities, networks, people, and
resourcesresources.
 Obtained unauthorized access to information, facilities, networks, people,
and resources wittingly or unwittinglyunwittingly.
 Committed acts in contravention of law or policy which results in harm
through the loss or degradation of company information, resources,
capabilities, or destructive acts, including harm to others in the
workplaceworkplace.

The mission of the Cognizant Insider Threat Office is to detect, deter,

mitigate, and respond to insider threats; ensure integration of its functions
and activities are adequately dispensed across Cognizant's enterprise; and
protect against corporate espionage and insider threat activities aimed at
Cognizant and its associates, clients, resources, technologies, intellectual
property, and facilities.

o
o
o
 Alternate Text:
 Image Description:
 AutoPlay: OFF

Screen Name: Screen 2

 Title:

Common Insider Threat BehaviorsBehaviours

o
 Failing to report high-risk traveltravel.
 Suspicious work hours, not consistent with the assigned project
  Taking proprietary material for personal use
 Unreported suspicious contacts
 Attempting to gain access without the need to knowknow.
 Excessive debt, alcohol, or drug abuse
 Disgruntled employee
 Workplace violence
 Unexplained affluence

Your role in combating a potential insider threat is to report suspicious

activity and behaviors to Corporate Security. You will learn how to report
and get help from Corporate Security in the Security Tips and How to Report
section of this course.

o
o
o
 Alternate Text:
 Image Description:
 AutoPlay: OFF

Screen Name: Screen 3

 Title:

Monitoring and Inspection

o Where permitted by local law, Cognizant may monitor and inspect its
company assets (including computers, telephones, fax machines, and data stored in the
cloud) and its networks (including intranet/Internet access, email, and applications) and the
activities of associates while accessing or using such office equipment or the Cognizant
network.
o
o
o
 Alternate Text:
 Image Description:
 AutoPlay: OFF
 Page Number: 23
Lesson 7: Insider Threat

Text and Graphic Template / RTL

Page Title:
Social Engineering: A Related Risk

Page Content:
As employees of Cognizant, we all have access to Confidential and Sensitive Information—
we are insiders with access to the company's physical and digital assets. Every one of us is a
potential insider risk—our goal is to prevent associates from becoming an "insider
threat." Most data breaches are due to unwitting or malicious insider threats. You may be
tricked into revealing sensitive information or providing unauthorized digital or physical
access. Social engineering methods (social media data harvesting, phishing, etc.),
carelessness, or simple mistakes can be leveraged by threat actors to gain access to valuable
data.
When threat actors pretend to be people or organizations you know or trust, such as fellow
employees, contractors, or well-known companies, they are trying to "engineer" you into
divulging important information.
Much like piecing together a puzzle, social engineers get what they need by gathering pieces
of information from many different sources. Often, the initial items of information help
them gain trust with their next victim as they attempt to acquire even more details. They
connect all the pieces to form a "picture" they can either use against a company or sell to
another party who desires the information.
Social engineering is a technique used by threat actors that often involves direct interaction
with an end user either in person, via phone, text, or email. This personal approach is
intended to trick you into providing company or personal data that can be used in nefarious
ways.
Social engineering is also often used by malicious insiders to achieve their goals. If you see
something, say something. Report any security-related incident—you are our first line of
defense.
 Page Number: 24

Lesson 7: Insider Threat

Hotspot Image Template / Full Screen Graphic

Page Title:
Executing Insider Threat Attacks

Page Content:

Content Description:
The insider will use their access to obtain company proprietary/confidential information or
to gain additional access to corporate assets, beyond their need to know, by interacting with
you. Sometimes this will occur over an extended period of time, in ways that can bypass
simple security or technology controls. In short, insiders prey on your desire to either be
helpful or prey on your fears. Though many attackers work alone, they may also engage in
coordinated attacks, using multiple cyber techniques, i.e., email scams, malware
installation, and hacking attempts on company systems.
Select each hotspot to learn more.
Hotspot Content :Content:

Mishandling Proprietary Information

Title Mishandling Proprietary Information

The proper handling and safeguarding of protected information are

crucial to combating many insider threats such as fraud, theft, and
Text espionage. Risk indicators include violations, unauthorized use or
disclosure, and any inappropriate efforts to view or obtain protected
information outside one's need to know.

Elicitation

Title Elicitation

Social opportunities provide excellent venues for insiders to exploit the

natural desire of people to overshare information in conversation.
Text Threat actors are adept at leveraging interpersonal and social skills
along with specific/personal knowledge to elicit sensitive information
from you, whether that data is proprietary corporate information or
personally identifiable information.

Malicious Insider

Title Malicious Insider

 The malicious insider involves an intention to do harm. The insider can
be an individual acting alone or with accomplices and is usually
motivated by either financial gain or retribution for perceived wrongs.
Other malicious insider situations may involve collusion, with an
Text external hostile party recruiting or coercing the insider. The insider may
intentionally delete, modify, or corrupt an organization's data or
provide access to an organization's network and IT systems. They
attempt to gain unauthorized access to physical or intangible assets for
the purpose of modifying, deleting, duplicating, disabling, destructing,
or removal of company assets.

Negligent Insider

Title Negligent Insider

The negligent insider results from complacency, negligence, or poor

judgment rather than from any intent to do harm. Losing a company
device, ignoring computer security notifications, accessing or discussing
sensitive data, and failing to verify the identities of facility visitors are
Text examples. Simple mistakes such as clicking on an unknown hyperlink or
leaving a confidential document at a shared printer are accidental
threats that are unintentional. They unwittingly violate our Acceptable
Use Policy (AUP) by downloading, storing, transmitting, or granting
access to corporate assets through negligence or a lax security posture.

Bulletin Title:
Safeguard Against Insider Threat Attacks

Bulletin Text:
We are trusted employees, privileged with access to proprietary and confidential corporate
information. It is our responsibility to protect that data. Be aware of your in-person and
online personas to decrease potential vulnerabilities. Know what can be learned about you
online, do not provide insights and vulnerabilities which can be exploited by a malicious
actor. Remain vigilant and:

 Be careful of what you say in public or onlineonline.

 Ignore or deflect intrusive inquiries or conversations about sensitive professional or personal
mattersmatters.
 Be on the lookout for suspicious emails, calls, SMSs/texts, and social media chatschats.
 Always store, maintain, and dispose of proprietary or confidential material in a secure
mannermanner.
 Do not publicize travel plans: limit this information to people who need to know and who
you trusttrust.
 Follow the Travel Security guidelines and do not travel with work devices without prior
approval. Refer to the Electronic Asset: Travel Restrictions and Limitations page for
additional information
 Keep hotel room doors locked; note how the room looks before you leaveleave.
 Page Number: 25

Lesson 8: Phishing, Ransomware, and Malware

Text and Graphic Template / LTR

Page Title:
Phishing

Page Content:
Phishing is a form of a social engineering attack and refers to techniques used by
cybercriminals to trick you into giving away sensitive information, such as usernames,
passwords, competitive intelligence, personal and/or banking information. They do this by
masquerading as a trustworthy entity in an electronic communication (email, SMS, voice
calls, websites, etc.)
Phishing attempts are successful because they often mimic real-world situations. Users are
presented with real-world requests that they often see in their professional and personal
lives. Action requests like update, change, confirm, review, revise, and track are used to
elicit an end-user response or action.
Hackers also know how to send an email that looks like it may have originated from your
manager or your co-workers. This is known as spear phishing. Verify by other means if you
receive an unusual (often urgent/time-sensitive) request by email ("Send me the Social
Security Numbers of this group") even from someone inside your company.
Always be mindful and vigilant to stop potential cyberattacks.

Bulletin Title:

Bulletin Text:
When you report an issue to MyService Portal, a member of the service desk will reach out
to you via a Cognizant-approved channel (MS Teams, email, or an Outlook calendar
invitation).
All service desk associates are required to provide their full name, position within the
company, and associate ID. Never share any sensitive information with anyone you have not
verified as a Cognizant associate.
 Page Number: 26

Lesson 8: Phishing, Ransomware, and Malware

Select and Reveal Template / LTR / Random

Page Title:
What Threat Actors Want You to Do

Page Content:
Phishers often pretend to be from legitimate organizations. Their emails, attachments, and
website links may read/sound/look genuine and remarkably close to real ones. But you may
be dealing with a phishing scam if the email asks you to:
Select each image to find out more.
Reveal Content for Desktop:
Image Alternate
Interaction Title Interaction Description
Description Text
Provide Your Credentials User IDs, passwords, bank
accounts, personally identifiable
information (PII), or any valuable
information that can be used for
malicious reasons
Download Files or Malware (viruses, Trojans,
Attachments worms, etc.) that can be used to
take over assets or used to spy
on your activities and steal
credentials
Visit Malicious Websites Infected sites (ex. watering holes)
that can leverage unpatched
browsers or other mechanisms to
infect your assets
Reveal Content for Mobile:
Interaction Title Interaction Description Image Description Alternate Text

Bulletin Title:
Why Is Phishing Effective?

Bulletin Text:

 Mimics real-world situations we confront in our work or personal lives. May include
keywords that ask you to act, such as update, change, check, confirm, review, revise, track,
switch, etc.
 Uses lures (email topics) that drive urgency to limit clear thinking and make users believe
that immediate action trumps caution. Keywords, such as should, must, now, and
immediate, are used to imply dire consequences if a user fails to act.
 Often leverages current events and topics that drive action or curiosity. Examples include
COVID, ransomware, end-of-year corporate actions (ex. promotions), tax issues, invoices, e-
commerce confirmations, etc.
 Page Number: 27

Lesson 8: Phishing, Ransomware, and Malware

Hotspot Image Template / Full Screen Graphic

Page Title:
Safeguard Against a Phishing Attack

Page Content:

Content Description:
You can defend yourself against most phishing attacks simply by understanding the common
techniques and staying on guard against them.
Select each hotspot at right to learn more.
Hotspot Content :Content:

Stop

Title Stop

Some phishing emails are easy to spot, while others are very
sophisticated and might appear like an actual Cognizant message. Be
particularly cautious of emails that ask you for your credentials or
Text request unusual actions to be carried out in an urgent manner.
Effective phishing emails often include lures that trigger both an
emotional response and drive urgency. If the email appears suspicious
—stop and discount the urgency.

Think

Title Think

If an email appears suspicious, inspect the email for any additional

identifiers that may indicate that it is a phishing attack. Ask yourself:

 Is it from an external untrusted sender?

 Does it contain the CAUTION: External Email banner/flag indicating it
is from an external sender?
Text  Does it link to unusual or non-Cognizant URLs?
 Does it contain standard Cognizant branding or signatures?

Evaluate every attachment and link before you take any action. Before
clicking on an attachment or link or before sharing sensitive
information, independently verify the sender, the request, and the
attachment.
Act

Title Act

Finally, if you think that you have been phished, report it to Corporate
Text Security by using the Report Phishing button. Refer to Report Phishing
guidance. You can also send the suspicious email as an attachment to
[email protected].
 Page Number: 28

Lesson 8: Phishing, Ransomware, and Malware

Text and Graphic Template / Full Screen Graphic

Page Title:
Phishing Example

Page Content:
Some phishing emails are easy to spot, while others are very sophisticated and appear like
an actual Cognizant message. However, there are often signs that should prompt you to
stop and think and then decide how to act.
The image on the screen shows an example of a phishing email asking you to update your
O365 profile.
Another example of a phishing email and the respective tell-tale signs that identify it as a
phish can be found here.
 Page Number: 29

Lesson 8: Phishing, Ransomware, and Malware

Text and Graphic Template / LTR

Page Title:
Business Email Compromise (BEC)

Page Content:
Did you know there's a special kind of phishing, Business Email Compromise (BEC), in which
criminals use social engineering techniques to steal funds or physical assets from
organizations? With BEC, bad actors pose as senior executives or individuals with
purchasing, payroll, or other financial transaction authority. They attempt to trick
employees, clients, or vendors into sending payments or equipment such as computers,
phones, and other valuable assets to fraudulent accounts or addresses.
Recently there have been reports of a new phishing campaign targeting executives,
assistants, and financial departments. The goal is to capture Office 365 (O365) credentials
and launch BEC attacks. In this type of attack, criminals lead targets to a spoofed Microsoft
notice and then to a fake O365 login page, where victims enter their credentials. In some
cases, attackers even used an O365 sign-in page that looked like the sign-in page of the
company they targeted.
The image on the screen shows a sample of the email with a spoofed Microsoft notice.

Bulletin Title:
It's Not Just Over Emails: Beware of Smishing and Vishing Attacks Too

Bulletin Text:
Phishing and social engineering attacks can also come from sources other than email—
cybercriminals use SMS/text messages, social media, and even voice calls to try to exploit
any vulnerability. We recently have seen an increase in SMS/text-based attacks, known as
smishing, in which threat actors impersonate a Cognizant sender or senior leader, including
our CEO, and use fraudulent SMS texts or WhatsApp messages to trick you into taking
action. An example can be found here. Remember to stay alert—these threats are not
limited to email.
 Page Number: 30

Lesson 8: Phishing, Ransomware, and Malware

Select and Reveal Template / Full Screen Graphic / Random

Page Title:
Malware and Ransomware

Page Content:
Information on your computer or on the company's network can be stolen or destroyed if
it's infected by a virus or other type of malware.
Select each image to find out more.
Reveal Content for Desktop:
Image Alternate
Interaction Title Interaction Description
Description Text
Malware Don't open any documents or execute
programs or click on links that come from
unverified sources. Suspicious emails should be
reported immediately to Corporate Security.
Even seemingly harmless attachments should
never be opened when received from
unknown parties. Finally, report suspicious
activity on your asset to Corporate Security via
[email protected].
Ransomware Ransomware is a form of malware that
prevents you from accessing files and folders in
your system. An innocent looking link or
attachment can insert a program in your
computer or network that encrypts the entire
system. The hackers then demand a significant
ransom to decrypt the system. Always check
an email's legitimacy before clicking any link or
opening any attachment. Remain aware, back
up your data regularly, avoid downloading
suspicious executable file(s), and keep your
operating system patched, and anti-malware
up to date.
Reveal Content for Mobile:
Interaction Title Interaction Description Image Description Alternate Text
 Page Number: 31

Lesson 8: Phishing, Ransomware, and Malware

Text and Graphic Template / Text Only

Page Title:
Common Signs of Phishing

Page Content:

 The sender's name or group may look familiar—but the email address doesn't look right.
That should be an immediate red flag.
 The email may be addressed to you personally or even contain your personal information, in
the hope that this will make you trust the message.
 The message may trigger an emotional response such as fear and anxiety or even your desire
to be helpful.
 The email may include an unusual request to reset or update login information or share
personally identifiable information through email. Do not interact with such requests.
 A message telling you that your mailbox is full, to verify your account, or to disclose your
username or password should always be treated with suspicion. Example: "Your account has
been locked."
 A phony message may appear to come from your boss or coworker. If the message has
unusual links or if it asks for PII (yours or someone else's), verify the message with the
sender before taking any other action.
 It may even offer you something of value. Examples: "You've just won!", "Here's a free
coupon!" Never engage with messages that appear too good to be true.
 May contain attachments that potentially are viruses or other malware. Never open an
attachment that you aren't expecting.
 The destination address of a link may not be obvious or may differ from a visible
address. Hover over the link with your mouse pointer to view the destination address to see
if it is suspicious. In general, never click a link in an email unless it's from someone you know
and trust, and you are expecting it.
 Page Number: 32

Lesson 8: Phishing, Ransomware, and Malware

Drag and Drop Template

Page Title:
Summary

Page Content:
To test your knowledge, drag and drop each item to a suitable category of your choice and
click Submit.
Note: On a desktop or tablet, drag each item to either the Safe or Risky box, then select
Submit.
On a smartphone, select each item, select your answer, then select Submit.
Category Line Item
Safe Stop and Thinkthink when you see a suspicious email.
Threat actors look to trick you to react to a sense of
urgency, fear, or greed. Example keywords or action
requests may include:

 Change, update, or review passwords or other

credentials, especially if required urgently.
 ALERT! Notice of suspicious activity or log-in
attempts
 Click here for a gift card, free iPad, or similar.

Always check for the legitimacy of such messages.

Risky Trust an email just because it seems to have been sent
by a well-known company or brand, instead of
reviewing the sender's address carefully.
Risky Open or download any files from sources that seem
suspicious.
Risky Send login IDs or other personal information through
email.
Risky Check any unusual items by opening them. You have to
open them to know what they are.
Risky Open unexpected attachments and click on unexpected
links in emails.
Risky Download or install programs that aren't authorized by
the company.

Feedback:
Email security is mostly a matter of common sense. Be skepticalsceptical of any email whose
source is unclear. Be skepticalsceptical if an email looks authentic but asks for your
credentials or PII about you or others.
Cognizant will not ask you to verify account numbers or passwords that the company
already knows. And remember: if something sounds too good to be true, it is!
 Page Number: 33

Lesson 9: Approved Tools and Technology

Text and Graphic Template / RTL

Page Title:
Email

Page Content:

 Only use Cognizant/client-approved email systems to communicate or send any

Cognizant/client related business information.
 Never use personal accounts for Cognizant/client-related business communications.
 Be cautious of phishing attacks and refer to Report Phishing guidance.
 Do not reply to any emails requesting credentials, sensitive information, gift cards/money,
etc., even if the email appears to be from a familiar source.
 Never retain or take any messages or copies of messages containing Cognizant business
information upon separation of employment.
 Always use the Microsoft Sensitivity button on Outlook to appropriately protect email while
sending sensitive information.

For more information on email acceptable use, read the Email, Instant Messaging and
Audio-Visual Acceptable Use Standard.

Bulletin Title:

Bulletin Text:
Never use personal accounts for business communications. Never send Cognizant/client
information or material to your personal email account. This includes, but is not limited to,
email service providers such as Gmail, Yahoo, Hotmail, and AOL.
 Page Number: 34

Lesson 9: Approved Tools and Technology

Text and Graphic Template / RTL

Page Title:
Collaboration, Instant Messaging, and Social Media

Page Content:

 Do not use personal collaboration tools, personal messaging applications, or personal social
media platforms to communicate Cognizant/client information.
 Adhere strictly to client requirements when operating in a client's network environment.
 Social media platforms should be treated like any public space. Information and data posted
on these sites are insecure and generally visible to the public. Do not upload or post
any sensitive Cognizant/client work-related data or information on these sites and avoid
downloading attachments and clicking on links. Refer to the External Communications &
Social Media Policy for more information.
 Public Generative AI tools such as ChatGPT are not permitted to be used within the
Cognizant environment without a Corporate Security exception approval. Business units or
project teams that have legitimate business reasons for using these platforms should raise a
request in the MyService Portal to obtain an exception approval. For more information on
the use of Generative AI at Cognizant, read the Generative AI Security Standard.
 Remember: Whether you're using Cognizant or personal devices, never share/upload, copy,
or paste sensitive, confidential, or non-public Cognizant/client information to publicly
accessible platforms. This includes, among other things, associate credentials or personal
PII/PHI information, source code, trade secrets and/or financial data, and client information
of any kind.

For more information on instant messaging acceptable use, read the Email, Instant
Messaging, and Audio-Visual Acceptable Use Standard.

Bulletin Title:

Bulletin Text:
Microsoft Teams and Yammer/Viva Engage are the approved collaboration, instant
messaging, or chat options.
Never use unapproved tools for sharing or distributing Cognizant/client information.
 Page Number: 35

Lesson 9: Approved Tools and Technology

Carousel Template / Full Screen Image

Page Title:
Cloud Usage

Screen Name: Screen 1

 Title:

Cloud Usage
o Cognizant utilizes cloud services delivered using different cloud service
delivery models, including Software as a Service (SaaS), Platform as a Service (PaaS), and
Infrastructure as a Service (IaaS) solutions, offered by Amazon Web Services (AWS),
Microsoft Azure (Azure), and Google Cloud Platform (GCP). These cloud service delivery
models offer unique business propositions that provide scalability, flexibility, and cost
efficiency. With the reliance on cloud solutions, risks to Cognizant/client data and
intellectual property also increase.
 Alternate Text:
 Image Description:
 AutoPlay: OFF

Screen Name: Screen 2

 Title:
o All cloud services must be approved and purchased through Cloud
Procurement. The preferred method of provisioning these services is Cognizant Cloud
Orchestration, formerly known as CloudBoost. Cognizant Cloud Orchestration is an
automated provisioning and security guardrail platform designed to provide a
foundationally secure cloud environment with the speed to meet business needs. Cognizant
Cloud Orchestration is required to request and provision Cognizant public cloud
environments (AWS, Azure, GCP). Additional details for Cognizant Cloud Orchestration are
provided in the ServiceNow Knowledge Articles, What is CloudBoost, Requesting and
Accessing a CloudBoost environment, and CloudBoost FAQ.
 Alternate Text:
 Image Description:
 AutoPlay: OFF

Screen Name: Screen 3

 Title:
o Regardless of the provisioning method, Cognizant associates must ensure the
cloud environments:
  Never use personal cloud-based services to store any form of
Cognizant/client-owned project-related information.
 Only Cognizant-approved Cloud Service Providers (CSPs) can be used for
storing or processing Cognizant and Cognizant client information.
 SaaS, PaaS, and IaaS cloud services must only be acquired through
Cognizant's procurement process.
 Never use cloud-based services in violation of the public cloud service
provider's terms and conditions related to the subscription.
 Never use the public cloud service provider to perform activities in violation
of Cognizant's policies, standards, and procedures.
 Alternate Text:
 Image Description:
 AutoPlay: OFF

Screen Name: Screen 4

 Title:
o
 Cognizant OneDrive for Business and Cognizant-provisioned SharePoint
Online are the only Cognizant-approved cloud-based data storage solutions.
 When using cloud environments for client deliverables, ensure you adhere
to the contractual security obligations set forth by the client.
 Do not store client data in cloud-based services without explicit written
permission from the client.
 All manually provisioned cloud environments are required to enable Prisma
Cloud compliance monitoring. Additional details on Prisma Cloud and the
request process are located in the following ServiceNow Knowledge Articles:
Prisma Cloud FAQ, Onboard Cloud Account(s) into Prisma Cloud, Request
User Access to Prisma Cloud Console. The Cloud Orchestration provisioning
configures Prisma Cloud monitoring as a foundational guardrail from day
one.
 Alternate Text:
 Image Description:
 AutoPlay: OFF

Screen Name: Screen 5

 Title:
o
 Cloud environments used for testing, lab environments, development, UAT,
and any other lower-level or non-production environments must follow the
same process as highlighted in the standard and must never contain
sensitive data and/or confidential intellectual property (IP). Any
environment containing sensitive data or accessible from the Internet must
be treated as a production environment.
 If you are currently the owner of an inactive or non-compliant cloud
subscription, please send an email to [email protected]
 If you are unsure whether your intended or current use of cloud solutions is
in violation of the policy, please reach out to [email protected]
 Remember, you are required to adhere to these as well as any other
applicable client cloud security standards when setting up cloud and virtual
environments. Review these resources and contact with any questions
[email protected]

 Alternate Text:
 Image Description:
 AutoPlay: OFF

Bulletin Title:

Bulletin Text:
The currently approved Infrastructure (IaaS) Cloud vendors can be verified on the Cloud
Security page at any time.
For more details on Cloud usage, see the Cloud Security Standard and Public Cloud
Acceptable Use Standard.
 Page Number: 36

Lesson 9: Approved Tools and Technology

Text and Graphic Template / RTL

Page Title:
Cloud Software Repositories

Page Content:
GitHub, GitLab, Bitbucket, Docker Hub are examples of cloud-based repositories used for
tracking software development tasks, storing program and application source code, and
collaborating on code changes during the development process. Many developers within
Cognizant use GitHub for various reasons.
While this section focuses on GitHub, the world's largest software development platform,
these best practices are applicable to other platforms that may be approved in the future
for use, such as GitLab, etc.
Cybercriminals monitor public activities on these platforms, seeking insights into
development processes, as well as potential secrets that may exist within the GitHub project
or source code hosted on the platform. They continuously poll and skim public GitHub
repositories for sensitive information, such as Cognizant credentials, API keys/tokens, and
other forms of sensitive data.
It is critically important that developers protect non-public information and treat all source
code as intellectual property to avoid security incidents and data breaches.
Developers who leverage GitHub and other repositories for their projects must understand
and follow the Cognizant Secure Source Code Repository Standard, as well as
Cognizant's Corporate Security Policies and Acceptable Use Policy.

Bulletin Title:

Bulletin Text:
Important guidelines to remember from our Secure Source Code Repository Standard:

 Require two-factor authentication on every contributor's GitHub account.

 Never share GitHub accounts/passwords.
 Repository administrators should manage team access to data.
 Only give contributors access to the data they need to do their work.
 Always use private repositories for client projects and client development work. Use of a
personal GitHub account for Cognizant projects is not only unsafe but also violates the
Cognizant Acceptable Use Policy.
 Don't include sensitive information within the source code and remove all revision history
for any sensitive information (e.g., passwords, keys, session codes, etc.) previously stored in
GitHub. For more information, see purging files from your repository's history
(https://help.github.com/en/github/authenticating-to-github/removing-sensitive-data-from-a-
repository).
Be sure to review the Secure Source Code Repository Standard and reach out to
[email protected] with any questions.
 Page Number: 37

Lesson 9: Approved Tools and Technology

Drag and Drop Template

Page Title:
Summary

Page Content:
To test your knowledge, drag and drop each item to a suitable category of your choice and
click Submit.
Note: On a desktop or tablet, drag each item to either the Approved or Not Approved box,
then select Submit.
On a smartphone, select each item, select your answer, then select Submit.
Category Line Item
Approved Microsoft Teams
Approved Microsoft Yammer/Viva Engage
Approved Cognizant Email (Microsoft O365)
Not Approved Slack
Not Approved Personal Email
Not Approved All USB storage or external hard drive
Not Approved Personal cloud storage (such as Google Drive)
Approved GitHub
Approved OneDrive for Business
Not Approved WhatsApp
Not Approved Personal social media platforms
Approved LinkedIn
Approved Google Workspace (in limited situations)
How many times do you want your learner to retry (maximum is set to 5 before the
learner is shown the correct answer)?:): 00.

Feedback:
Only use the tools and technology that Cognizant has approved for your work at the
company. It is how you can do your part to protect our company and the data entrusted to
us.

Bulletin Title:

Bulletin Text:
Developers who leverage GitHub and other repositories for their projects must understand
and follow the Secure Source Code Repository Standard.
For use of LinkedIn, adhere to the Social Media Acceptable Use Standard.
 Page Number: 38

Lesson 10: Additional and Targeted Security Training

Text and Graphic Template / RTL

Page Title:
Ongoing Supplementary Trainings

Page Content:
While this security training is mandatory and all Cognizant associates are required to
complete upon joining and then recertify once annually, Corporate Security continues
security training initiatives throughout the year through supplementary channels. To name a
few:

 Ongoing communications and campaigns via various intranet mediums such as Be.Cognizant
and Yammer/Viva Engage. To stay updated with the latest information on security, be on the
lookout for our posts and updates on the Corporate Security Be.Cognizant page and
Yammer/Viva Engage channel
 Supplementary security trainings for high-risk groups such as Sr. Executives (VP+), Privileged
Administrators, Vendor Managers, and Software Developers
 Ongoing simulation-based phishing training initiatives for global associates and high-risk
groups (Sr. Executives and Privileged Administrators)
 Ongoing New Joiner Security Awareness Training (conducted a few days after
associates' onboarding)
 Customized assessments and quizzes for specific industry verticals (i.e., Financial Services
Industry (FSI))

If you are an intended recipient of these trainings, you will receive notifications,
invites/email communications from Corporate Security. In case you have any questions or
need additional support on ongoing supplementary training activities, please contact your
Corporate Security – Business Information Security (BIS) team(s).
 Page Number: 39

Lesson 11: Security Tips and How to Report

Carousel Template / Full Screen Image

Page Title:
Security Incidents and Policy Exceptions

Screen Name: Screen 1

 Title:

Security Incidents and Policy Exceptions

o An incident is an event that may indicate a violation of security policies,
procedures, or acceptable use policies that could lead to loss of, or disruption to, an
organization's operations, services, or functions. It can be an attempt to steal data, launch a
malware or ransomware attack, share passwords, misuse email, use false, or alter, data on
company documents, etc.
o
o
o
 Alternate Text:
 Image Description:
 AutoPlay: OFF

Screen Name: Screen 2

 Title:
o Report suspected violations, raise exception requests, or submit any security-
related questions to the Corporate Security team via online, email, or phone. Report
security incidents via:
 Online by raising a request in MyService Portal
 Email ([email protected])
 Phone (toll-free numbers – select 0):
 U.S.: 1-866-822-2024
 UK: 0800-678-1616
 India: 1800-572-0473

Additionally, if you believe you are a target of a phishing attack, please report
the suspected phishing email by clicking the Report Phishing button in your
Outlook ribbon, or by sending the email as an attachment to
[email protected]. To help you remember what action to take
in case of an incident, please download and print the Security Incident Action
Card and keep it handy.
 Please visit the Corporate Security page on Be.Cognizant and email
[email protected] for more information.

o
o
o
 Alternate Text:
 Image Description:
 AutoPlay: OFF

Screen Name: Screen 3

 Title:

What Is Exception Management Process?

o Associates must adhere to Cognizant Security Policies and Standards.
However, there may be special circumstances where an exception might be necessary for
the effective functioning of business. Such exceptions to Security policies need to be
reviewed and assessed by the Corporate Security team through a formal exception
management process.
You must have a valid business reason for requesting an exception. Exception
requests must be submitted through MyService Portal.

o
o
o
 Alternate Text:
 Image Description:
 AutoPlay: OFF

Screen Name: Screen 4

 Title:

Responding to incidents
o All reports of suspected violations of the Acceptable Use Policy will be
reviewed in accordance with the company's internal investigation process.
Remember:

 Do not self-investigate—promptly report the matter to Corporate Security

and your manager.
 Do not modify or delete any information such as emails, system logs, and
files that may be related to a security incident or investigation.
 Do not get involved in client-initiated investigations directly without first
involving Corporate Security and Legal.

We all have a part to play in handling information security incidents, and

following these guidelines will ensure we can best protect Cognizant assets.
 Associates who are contacted by Corporate Security teams during the
process of handling incidents should respond promptly and accurately with
information to the best of their knowledge.

o
o
o
 Alternate Text:
 Image Description:
 AutoPlay: OFF

Screen Name: Screen 5

 Title:

Support
o If you ever have questions about security procedures—or if you're aware of a
possible security incident or loss of Sensitive Information—be sure to get help right away.
It's essential to act even if the situation feels embarrassing or you feel personally
responsible. Security incidents can usually be fixed or contained without much trouble if you
act quickly.
Cognizant is required to comply with the notification and assistance
obligations in our client contracts. In certain circumstances, this may require
action within one or two days. To ensure we can meet these obligations, it is
imperative that you notify CSIRT of a potential data incident as soon as you
become aware of it. For example, if you accidentally send an unencrypted
email to the wrong recipients, report it to CSIRT and your manager. The
Corporate Security team and our Chief Privacy Officer will determine how and
when we report it to the client, and if required, to regulators and media. You
will never face retaliation for making a report of a possible data incident, per
the Whistleblower and Non-Retaliation Policy.

o
o
o
 Alternate Text:
 Image Description:
 AutoPlay: OFF
 Page Number: 40
Lesson 11: Security Tips and How to Report

Text and Graphic Template / Text Only

Page Title:
Security Tips

Page Content:

 Never share your Cognizant or client credentials, even when asked.

 Never use your personal email account for sending/receiving Cognizant or client-related
communication.
 Never post Cognizant's or clients' sensitive information on public forums, such as on social
media.
 Never download files from unreliable Internet sources.
 Do not copy/store Cognizant or client data on storage devices like USB drives/External hard
drives.
 Never upload Cognizant or client data to public or social media Internet platforms, and/or
unauthorized storage platforms like Google Drive, Dropbox, Adobe, etc. Only use Cognizant-
approved cloud services for all business purposes.
 Lock your desktops and other portable computing devices such as laptops or mobile devices
when you are stepping away from your workstation and when they are not in use.
 Never share confidential information with anyone. You are allowed to access, use, or share
Cognizant/client confidential information only to the extent it is authorized and necessary to
fulfill your assigned job duties.
 Never respond to emails from unknown or untrusted senders. In case of doubt, use the
report phishing button for your various devices. Refer to Report Phishing
guidance. Alternatively, please send these emails as an attachment to
[email protected].
 Before deleting documents or records (including emails and other files), review the Record
Retention Schedule referenced in the Record Retention Policy. When in doubt, contact
[email protected] to confirm.

Bulletin Title:

Bulletin Text:
You're almost done! You will now be asked to complete a 10-question Knowledge Check
quiz.
 Page Number: 41

Lesson 11: Security Tips and How to Report

Consent Template

Page Title:
Acceptable Use Policy

Content:
By clicking ‘’I Acknowledge’’ below, I confirm that:

 I have reviewed and understand Cognizant’s Acceptable Use Policy and it’s implementing
standards and procedures, and agree to comply to acceptable usage of Cognizant and
Cognizant’s clients’ information and information technology resources.
 I have reviewed the Acceptable Use and Data Security e-learning course (this training) and
understand the expectations and security obligations that I have as a Cognizant associate.

Select the ‘’I Acknowledge’’ button, then select the Next arrow.
Button Label:
I Acknowledge

Mark Course Asas Complete:

false
 Knowledge Check
Do you want to customize the Knowledge Check configuration? Yes

Do you want to present the Knowledge Check questions in random order? Yes

Do you want to use question pooling? Yes

How many questions does the learner need to take? 10

Do you want pooling applied once per user? No

Do you want to limit the number of times that learners can attempt to pass the
Knowledge Check? No

Do you want to allow learners to retake only incorrectly answered questions? Yes

Questions

1. Question (Type: Learners can select only one answer Lesson: Data Protection):
Question Content:
What "Clean Desk" common sense security best practices should you adhere to?
Select the appropriate option.

Feedback: Always use the "Clean Desk" common sense best practices by locking your
device screen whenever you leave your work area and ensure you are securely storing
confidential Cognizant/client information always. Make sure you do not post or leave
confidential information where others may see it easily. Erase any Sensitive or Proprietary
Information from whiteboards or other visible media and lock your computer when
you'reyou are not using it. Exercise care in the handling of clients' Sensitive and
Confidential Information and do not make extra copies. Follow proper data storage and
disposal procedures to ensure data integrity and to avoid data loss.
1. Answer (Incorrect):
Avoid personalizing your workspace.
2. Answer (Correct):
Always keep your desk clean and never leave confidential information on printers,
whiteboards, or in meeting/conference rooms.
3. Answer (Incorrect):
Arrange all printouts neatly on your desk.
2. Question (Type: Learners can select only one answer Lesson: Data Classification):
Question Content:
What is the appropriate data classification label to use for high-value Cognizant and client
business information?
Select the appropriate option.
Feedback: At Cognizant, client or Cognizant business information that is critical to protect
due to its high value or sensitive nature must be classified as "C1 – Restricted." Access to
all information classified as restricted must be limited to "need-to-know" basis within
Cognizant and follow role-based access control. Examples include business contact
information, trade secrets (e.g., design diagrams, competitive information, etc.), financial
information, etc.
1. Answer (Incorrect):
C3 – Private
2. Answer (Correct):
C1 – Restricted
3. Answer (Incorrect):
C2 – Confidential
3. Question (Type: Learners can select only one answer Lesson: Data Storage):
Question Content:
Which of the following statement(s) is true when using Cloud storage services for
Cognizant or client work?
Select the appropriate option.

Feedback: Cognizant's OneDrive for Business and Cognizant-provisioned Box or SFTP

accounts are the only Cognizant-approved cloud-based data storage solutions. The use of
any external unauthorized storage solutions puts our clients and Cognizant at risk of
possible datadata loss, contract non-compliance, and/or breach of notification obligations.
1. Answer (Incorrect):
You can upload business-sensitive information to any cloud storage site (such as
Google, personal OneDrive, Dropbox, etc.).
2. Answer (Incorrect):
Upload documents on personal cloud storage so that you can access it later at home
or for another project.
3. Answer (Correct):
Upload and store data only on Cognizant's OneDrive for Business. For external data
transfer, use Cognizant-provisioned Box or SFTP accounts.
4. Question (Type: Learners can select only one answer Lesson: Data Sharing):
Question Content:
At Cognizant, what is the approved method to share data with clients, vendors, or other
approved parties in a secure manner?
Select the appropriate option.

Feedback: For sharing large files externally (with suppliers, vendors, and partners, for
example), use only Cognizant-authorized and -provisioned Box or SFTP accounts. Requests
to use Box.com or SFTP should be submitted through MyService Portal.
1. Answer (Incorrect):
 Google Drive
2. Answer (Correct):
Cognizant-provisioned Box or SFTP account
3. Answer (Incorrect):
Dropbox
5. Question (Type: Learners can select only one answer Lesson: Approved Tools and
Technology):
Question Content:
Can you use personal email accounts for Cognizant and client communications?
Select the appropriate option.

Feedback: Associates must never use personal accounts for business communications.
Associates should also never send Cognizant or client information or material to their
personal email accounts, such as Gmail, Yahoo, Hotmail, AOL, etc.
1. Answer (Correct):
Personal email accounts should never be used for business communications.
2. Answer (Incorrect):
Personal email accounts should be used only when you are unable to access your
Cognizant email ID.
3. Answer (Incorrect):
Personal email accounts should only be used when you are on vacation and need to
communicate with your team members.
6. Question (Type: Learners can select only one answer Lesson: Phishing, Ransomware,
and Malware):
Question Content:
Weimin is a Cognizant associate. He receives an email that appears to be from the NA
Benefits team, asking him to join a Zoom meeting to learn more about employee benefits
plan options. Upon clicking the link, he is taken to a Zoom login page and asked to enter his
Cognizant ID and password. He suspects that this may be a phishing attack. What should
Weimin do next?
Select the appropriate option.

Feedback: Always be cautious of emails that originate from unknown/unfamiliar sources.

STOP and THINK before you take any action on an email. Carefully scan the email for any
potentially malicious indicators, such as a sender email address from an external domain,
an external email alert, or an immediate call to action. Hover your cursor over any
hyperlink within the email to identify the actual destination. When in doubt, or if you feel
suspicious about an email, please report it using the Report Phishing button in your
Outlook ribbon or send it as an attachment to [email protected]. Do not click
on any links or provide your credentials.
1. Answer (Incorrect):
Ignore and delete the email.
 2. Answer (Incorrect):
Forward the phishing email to his Talent manager.
3. Answer (Correct):
Report the email immediately by clicking the Report Phishing button on the Microsoft
Outlook ribbon or by sending the email as an attachment to
[email protected].
7. Question (Type: Learners can select one or more answers Lesson: Phishing,
Ransomware, and Malware):
Question Content:
What tell-tale signs can help you identify a potential Phishing email?
Select all that apply.

Feedback: It is important to stop and think before you click on links in an email—especially
if something appears suspicious. Carefully scan the email for any malicious indicators such
as an untrusted sender email address, external email alert, embedded links to non-
Cognizant or non-Cognizant affiliated sites. If you are suspicious about an email, report it
using the Report Phishing button on your Outlook ribbon. You can also send the email as
an attachment to [email protected]. Do not click on any links or provide your
credentials.
1. Answer (Correct):
The email is from a non-Cognizant domain and contains an external email flag in the
header.
2. Answer (Correct):
The message is asking you to do something unusual in an urgent manner.
3. Answer (Correct):
The email may contain links to unrecognized sites or request you download
unexpected or untrusted files.
4. Answer (Incorrect):
The email was sent with a high-importance flag.
8. Question (Type: Learners can select only one answer Lesson: Insider Threat):
Question Content:
You _____ insider threats by _____.
Select the appropriate option.

Feedback: At a high level, detecting and mitigating insider threats comes down to two
basic steps: 1) be vigilant of your surroundings, and 2) report suspicious behaviors.
Assuming everyone is a potential risk is the best way to ensure proper scrutiny and detect
any threats.
1. Answer (Correct):
Mitigate, being vigilant and reporting suspicious behaviors.
2. Answer (Incorrect):
 Detect, assuming everyone isn'tis not a threat.
3. Answer (Incorrect):
Detect, assuming everyone is a threat.
9. Question (Type: Learners can select only one answer Lesson: Security Tips and How to
Report):
Question Content:
Who are the only authorities empowered to handle security incident(s)/investigation(s)
involving Cognizant associates, whether at a Cognizant or client location?
Select the appropriate option.

Feedback: Cognizant Corporate Security, Investigations, and Legal are the only teams
authorized to perform investigations involving Cognizant associates. Please note that
Cognizant does not allow clients to interview Cognizant associates directly. It is mandatory
that you notify these Cognizant teams on all client requests for information associated
with an incident or an investigation.
1. Answer (Correct):
Cognizant Corporate Security, Investigations, and Legal teams.
2. Answer (Incorrect):
Client security teams.
3. Answer (Incorrect):
Your supervisor.
10. Question (Type: Learners can select one or more answers Lesson: Security Tips and
How to Report):
Question Content:
What are the different ways you can report a security incident to Corporate Security?
Select all that apply.

Feedback: If you're aware of a possible security incident or loss of Sensitive Information,

report it immediately using any of the following channels: • Email: [email protected] •
Raise a request in MyService Portal • Phone: Toll Free Numbers – U.S.: 1-866-822-2024 |
UK: 0800-678-1616 | India: 1800-572-0473 (select option 0)
1. Answer (Correct):
Raise a request in MyService Portal.
2. Answer (Correct):
Send an email to [email protected].
3. Answer (Correct):
Call Toll Free – U.S.: 1-866-822-2024 | UK: 0800-678-1616 | India: 1800-572-0473
(select option 0).
4. Answer (Incorrect):
Call your HR Talent manager.
11. Question (Type: Learners can select one or more answers Lesson: Introduction):
Question Content:
What steps should you take to secure company/client confidential information at the
airport?
Select all that apply.

Feedback: While traveling, do not leave your device(s) unattended, discuss business
confidential information loudly over a mobile phone, or publish any travel information on
your social media account(s). Protecting your laptop and other electronic devices also
means that Cognizant may restrict an associate's ability to travel to certain regions with
company assets and/or access company data and/or networks from those regions (using
both Cognizant and personal assets). Refer to the list of specific countries and regions
where you are prohibited from bringing, or are required to obtain prior approval to bring,
Cognizant/client assets or access Cognizant/client networks for either business or personal
travel.
1. Answer (Correct):
Do not leave your electronic devices, including your laptop and mobile phone,
unattended.
2. Answer (Correct):
Do not discuss business confidential information loudly over a phone call.
3. Answer (Incorrect):
Publish your travel details on your social media account(s), so your colleagues and
friends can track you.
4. Answer (Correct):
Be aware of your surroundings, including strangers who may be watching your on-
screen activities/keystrokes or listening to your conversations to obtain secrets or
passwords.
12. Question (Type: Learners can select only one answer Lesson: Introduction):
Question Content:
What should you do if you see a person within the Cognizant space that doesn't look like
they belong there?
Select the appropriate option.

Feedback: Our office itself is a physical company asset, and we should never enter
unauthorized work areas or provide unauthorized access to visitors or colleagues. It is
critical for each associate to display their ID badge and use only their own associate ID
badge to enter and exit facilities, even if a colleague offers to open a door or tailgate
behind them. Visitors may enter Cognizant facilities only after verification of their identity,
and they must be accompanied.
1. Answer (Incorrect):
It's not my business—let someone else take care of it.
2. Answer (Incorrect):
Ask them if they want lunch.
 3. Answer (Correct):
When safe, engage the person and ask if they need assistance. If they're not supposed
to be there, ask them to leave and contact Corporate Security.
4. Answer (Incorrect):
Immediately contact local law enforcement.
13. Question (Type: Learners can select only one answer Lesson: Data Protection):
Question Content:
You have joined a new project and require client-supplied credentials to log in to client
applications. What should you do?
Select the appropriate option.

Feedback: Never share your Cognizant/client credentials with others or ask others to share
theirs with you no matter the circumstances, or who is requesting that you do so. Change
your password immediately if you suspect your password has been compromised.
1. Answer (Correct):
Request your supervisor to raise a request with the client for an individual username
and password for you.
2. Answer (Incorrect):
Use the credentials of an associate who has left the project.
3. Answer (Incorrect):
Obtain your supervisor's permission to use the credentials of another associate on the
team.
4. Answer (Incorrect):
Use your supervisor's credentials.
14. Question (Type: Learners can select only one answer Lesson: Acceptable Use):
Question Content:
If a software license has expired, are you allowed to use your admin rights to backdate the
system date and time to reuse the software?
Select the appropriate option.

Feedback: You may think it's easier and more convenient to manipulate the system
settings or install software by yourself. All software installations must be done by the
appropriate authorized Cognizant IT department. Associates are not allowed to install
software on Cognizant devices that have not been approved. All installed software must be
strictly for business use only.
1. Answer (Correct):
No, you never should manipulate the system settings, even if you have admin rights to
your system.
2. Answer (Incorrect):
Yes, if it is approved by the project managerthe project manager approves it.
3. Answer (Incorrect):
 Yes, if the client approves it.
4. Answer (Incorrect):
Yes, if you need access to the software to do your job.
15. Question (Type: Learners can select one or more answers Lesson: Introduction):
Question Content:
Safeguarding important informationvaluable information from corruption, compromise, or
loss is critical for our organization. Which of the following is/are the best practice(s) to
protect Cognizant and its clients' data?
Select all that apply.

Feedback: Being responsible stewards of our information assets and data is essential to
the profitability and success of our company. Data security is part of everyone's job and
should become second nature to all of us. Remember: Your Cognizant-/client-issued
credentials (Associate ID/ Username and Password) are your most valuable
corporate/client asset.
1. Answer (Correct):
Never share your Cognizant/client credentials or respond to emails received from
unknown senders, especially those from non-Cognizant networks. Report suspicious
emails by clicking the Report Phishing button on your Outlook ribbon or send them as
an attachment to [email protected].
2. Answer (Incorrect):
Send Cognizant/client information from your Cognizant account to your personal
email or social media account(s) so you can access it at home.
3. Answer (Correct):
Never send client information outside their network (including to the Cognizant
network) unless explicitly authorized by the client.
4. Answer (Correct):
Never use your personal email account (such as Yahoo mail, Gmail, etc.) for
sending/receiving Cognizant/client-related communications.
16. Question (Type: Learners can select only one answer Lesson: Data Protection):
Question Content:
Which of the following is not an example of Sensitive Personal Information?
Select the appropriate option.

Feedback: Personal Information is information or a combination of information, in any

form or medium, that can be used to identify an individual. Common examples include
name, employee ID, date of birth, age, gender, job title, grade, etc. Sensitive Personal
Information is Personal Information that, if lost, compromised, or disclosed without
authorization, could result in substantial harm, embarrassment, inconvenience, or
unfairness to an individual. This category of PI requires an enhanced level of care and
control. Common examples (not meant to be all-inclusive) include genetic data, biometric
data, national ID, racial or ethnic origin, political opinions, religious or philosophical beliefs,
etc.
 1. Answer (Incorrect):
Medical and genetic data
2. Answer (Correct):
Name
3. Answer (Incorrect):
Criminal history
4. Answer (Incorrect):
Racial or ethnic origin
17. Question (Type: Learners can select one or more answers Lesson: Insider Threat):
Question Content:
Insiders prey on your desire to be helpful or your fears to trick you into acting without
thinking and execute an insider threat attack. What are the best practices to safeguard
against these attacks?
Select all that apply.

Feedback: An insider will use their access to company proprietary/confidential information

and will also seek to gain additional access to corporate assets by interacting with you.
Sometimes this will occur over an extended period, in ways that can bypass simple security
or technology controls. As a trusted employee, you have privileged access to proprietary
and confidential corporate information. It is your responsibility to protect that data. Be
aware of your in-person and online personas to decrease potential vulnerabilities. Know
what can be learned about you online—do not provide insights and vulnerabilities that can
be exploited by a malicious actor.
1. Answer (Correct):
Be on the lookout for suspicious emails, calls, SMSs, and social media chats.
2. Answer (Correct):
Securely dispose of proprietary or confidential materials.
3. Answer (Incorrect):
Always allow unidentified personnel inside the office premises. Do not report security
violations unless you are directly involved.
4. Answer (Correct):
Never publicize travel plans, andplans and limit this information to people who need
to know. Follow the Travel Security guidelines and do not travel with work devices
without prior approval.
18. Question (Type: Learners can select only one answer Lesson: Data Classification):
Question Content:
What are the four defined data classification levels at Cognizant?
Select the appropriate option.

Feedback: As per Cognizant's Global Information Classification Standard, there are four (4)
defined information classification levels.1. Restricted – Classification Level C12.
Confidential – Classification Level C23. Private – Classification Level C34. Public –
Classification Level C4
1. Answer (Incorrect):
Critical(L1), High(L2), Medium(L3) and Low(L4)
2. Answer (Correct):
Restricted(C1), Confidential(C2), Private(C3) and Public(C4)
3. Answer (Incorrect):
Top Secret(S1), Secret(S2), Sensitive(S3) and Unclassified(S4)
 Disclosure

Disclosure Title: Role-Based Survey

Hide from Learners? No

Hide the disclosure numbers in the course? No

Instructions to Learner:

Intro Pages

1. Intro Page

Intro Page Title: Role-Based Survey

Intro Page Content:

You are almost done! Take this short role-based survey by clicking the next button below.
Once the survey is complete, your course completion will be recorded.
Objective of the Survey: Cognizant values appropriate training for all employees. The
objective of this short survey is to identify Application Developers and those involved in
Software Development Lifecycle (SDLC) for targeted role-specific training.
Estimated Survey Duration: 5 Minutes
Questions

1. Question (Type: Learners can select only one answer Responder to explain? No )No):
Question Content:
Do you write code to develop/maintain applications or software products that (1) are sold
as Cognizant products or (2) are deployed to production systems for internal or external
use?
1. Answer (Non-Variant):
Yes
1. Question (Type: Learners can select one or more answers Responder to
explain? Yes )Yes):
Question Content:
Specify the programming language(s) you write code in (be sure to check all that
apply):
1. Answer (Non-Variant):
HTML
2. Answer (Non-Variant):
JavaScript
3. Answer (Non-Variant):
 JavaScript Frameworks (Node.js/React.js/Hapi.js/Express.js/Angular.js)
4. Answer (Non-Variant):
.NET/C#
5. Answer (Non-Variant):
Java
6. Answer (Non-Variant):
PHP
7. Answer (Non-Variant):
Python
8. Answer (Non-Variant):
Mainframe/COBOL
9. Answer (Non-Variant):
C
10. Answer (Non-Variant):
C++
11. Answer (Non-Variant):
Golang
12. Answer (Non-Variant):
Ruby
13. Answer (Non-Variant):
Rust
14. Answer (Non-Variant):
Android
15. Answer (Non-Variant):
iOS
16. Answer (Variant):
Not listed here (Type your programming language(s) in the text box below)
2. Question (Type: Learners can select only one answer Responder to explain?
Yes )Yes):
Question Content:
Specify the primary language you write code in:
1. Answer (Non-Variant):
HTML
2. Answer (Non-Variant):
JavaScript
3. Answer (Non-Variant):
JavaScript Frameworks (Node.js/React.js/Hapi.js/Express.js/Angular.js)
 4. Answer (Non-Variant):
.NET/C#
5. Answer (Non-Variant):
Java
6. Answer (Non-Variant):
PHP
7. Answer (Non-Variant):
Python
8. Answer (Non-Variant):
Mainframe/COBOL
9. Answer (Non-Variant):
C
10. Answer (Non-Variant):
C++
11. Answer (Non-Variant):
Golang
12. Answer (Non-Variant):
Ruby
13. Answer (Non-Variant):
Rust
14. Answer (Non-Variant):
Android
15. Answer (Non-Variant):
iOS
16. Answer (Variant):
Not listed here (Type your primary programming language in the text box
below)
3. Question (Type: Learners can select one or more answers Responder to
explain? No )No):
Question Content:
Specify the type of development project(s) you work on (check all that apply):
1. Answer (Non-Variant):
Client engagements following client SDLC process
2. Answer (Non-Variant):
Client engagements following Cognizant SDLC process
3. Answer (Non-Variant):
Cognizant products that are sold to customers or delivered as BPaaS services
 4. Answer (Non-Variant):
Internal apps used by Cognizant staff or Partners
2. Answer (Non-Variant):
No
1. Question (Type: Learners can select only one answer Responder to explain?
No )No):
Question Content:
Are you involved in any other aspects of software development lifecycle (e.g.
Business Analyst, Software Architect, Software Tester, etc.)?
1. Answer (Non-Variant):
Yes
1. Question (Type: Learners can select one or more answers Responder
to explain? Yes )Yes):
Question Content:
Then please select all that apply from the following multi-select options:
1. Answer (Non-Variant):
Business Analysts
2. Answer (Non-Variant):
Software Architects
3. Answer (Non-Variant):
Software Testers
4. Answer (Non-Variant):
DevOps Engineers
5. Answer (Non-Variant):
Database Practitioners
6. Answer (Non-Variant):
Cloud Practitioners
7. Answer (Variant):
Not listed here (Type your SDLC role in the text box below)
2. Answer (Non-Variant):
No

Closing Message with Review Title: Certification Submitted

Closing Message with Review Content:

Thank you for your submission. An administrator will review your certification and may
contact you for more information.

Closing Message without Review Title: Certification Complete

Closing Message without Review Content:
Thank you for your submission, you have now completed the certification.