This presentation covers an overview of what a Policy Framework is, and why it is an essential part of any Information Security program; the various existing frameworks used across the industry, their strengths and limitations; a methodology to create a flexible framework, supported by a risk assessment and a strong understanding of the assets owned by the institution and the threats they are exposed to; and an approach to define an adequate control set and how to prioritise its implementation.
Visit https://www.jbbres.com/files/20190605-security-framework.html for the full transcript of this presentation.
Teala Wilson - Senior Consultant, Strategic Services, Saba Software
Teala is a Talent Management Consultant at Halogen Software, now a part of Saba Software. She has worked with teams on a national and global level supporting human resources in areas such as performance management, recruitment, employee benefit programs, training and talent development, workforce planning and internal communications. Teala also has a personal passion for visual arts and design.
Want to learn more? Join us for an upcoming Product Tour!
http://bit.ly/2yitfqu
This video by Simplilearn will explain to you Introduction to C Programming Language. Introduction to C Programming Language Tutorial For Beginners will explain to you the C language's history, C's importance, its features, real-world applications, and some of its advantages and disadvantages.
00:00 Introduction to C
1:42-History of C language
Dennis Ritchie, a computer scientist, could identify the gaps and tap out the best features from both B and BCPL languages to invent a new hybrid.
Hence, C was born in 1972 at Bell Laboratories. A remarkably simple and highly readable programming language resulted in groundbreaking advancements in the IT industry.
2:48-Importance and unraveling the powerful capabilities of C,
The widespread use of C started to take over the IT industry. Unraveling the potential of C, the designers began to discover new possibilities that led them to focus on the big picture.
3:56-C's cutting-edge features
The designers at Bell Laboratories ensured that their programming language solved the issues with B and BCPL and the ones they had foreseen.
6:35-The popular real-world applications of C
-UNIX operating system
-google file system
-Mozilla
-Graphical user interface
8:30-The advantages and disadvantages of C
10:34-The popular IT companies and their domains that employ C
· MasterCard
· IBM
· Flipkart
· Dell
· Twitter
· GitHub and twitch
11:09-First c program.
🔥 Explore our FREE courses with completion certificates: https://www.simplilearn.com/skillup-f...
✅Subscribe to our Channel to learn more about the top Technologies: https://bit.ly/2VT4WtH
⏩ Check out the C++ Programming training videos: https://www.youtube.com/playlist?list...
#IntroductiontoCProgrammingLanguage #CLanguage #CProgramming #CProgram #CProgrammingLanguage #LearnCProgramming #HowToCodeInCForBeginners #CTutorialForBeginners #LearnCProgramming #Simplilearn
Dennis Ritchie, a computer scientist, was able to identify the gaps and tap out the best features from both B and BCPL languages to invent a new hybrid.
Hence, C was born in 1972 at Bell Laboratories. A remarkably simple and highly readable programming language resulted in groundbreaking advancements in the IT industry.
✅What is C++ Programming?
C++ is an enhanced and extended version of C programming language, developed by Bjarne Stroustrup in 1979 as part of his Ph.D. project. Bjarne developed what he called ‘C with Classes’ (later renamed C++) because he felt limited by the existing programming languages that were not ideal for large scale projects. He used C to build what he wanted because C was already a general-purpose language that was efficient and fast in its operations.
✅C++ Career Prospects:
With just C++ programming expertise, you will have excellent job opportunities, salaries, and career prospects. However, for a career based on programming languages such as Java and Python (which are in more demand than C++) or for careers based on front-end, back-end, and full-stack
2. “An APRA-regulated entity must maintain an information security policy framework commensurate with its exposures to vulnerabilities and threats”
CPS 234 (#18)
4. WHAT IS A POLICY FRAMEWORK?
“Information security policy framework means the totality of policies, standards, guidelines and procedures pertaining to information security”
CPS 234 (#12.i)
5. WHAT IS A POLICY FRAMEWORK?
• A set of practices, policies and procedures
• The details of the Information Security Strategy
• A calculated approach to determine risk and reduce it through controls
• A measurable and repeatable methodology
6. PURPOSE OF THE POLICY FRAMEWORK
• Educate people about Information Security
• Facilitate secure implementation and maintenance of technology
• Ensure processes are secured and auditable
• Create a common language
• Provide a reference for designing security mechanisms
• Ensure measurement and benchmarking
7. WHY HAVE A POLICY FRAMEWORK?
• It is a regulatory requirement
• For public safety
• To protect physical assets, digital assets and information
• To create a differentiation
8. A POLICY FRAMEWORK
POLICIES
• Provide the foundation for a security program
• Require compliance from all employees
• Are approved at a higher level
• Should stand the test of time
STANDARDS
• Provide details of security controls
• Derive their authority from policies
• Require compliance from all employees
PROCEDURES
• Step-by-step instructions to perform a security task
• May require compliance, depending upon the organisation and circumstances
GUIDELINES
• Provide security advice
• Align with industry good practices
• Are optional practices, not mandatory
18. UNDERSTANDING THE ASSETS
Products and Services → Critical functions → Processes → Assets
• Identify the products and services offered by the organisation
• Identify the critical functions needed to deliver the products and services
• Understand the processes required within the critical functions, and prioritise them
• Determine the resources and assets required to perform the processes
20. UNDERSTANDING THE THREATS
Threat | Property
Spoofing | Authentication
Tampering | Integrity
Repudiation | Non-repudiation
Information disclosure | Confidentiality
Denial of Service | Availability
Elevation of Privilege | Authorisation
21. RISK ASSESSMENT
Risk matrix: impact (resulting business impact) on the vertical axis, likelihood (probability of occurrence) on the horizontal axis.
• High impact, low likelihood: CONTINGENCY RISKS
• High impact, high likelihood: SIGNIFICANT RISKS
• Low impact, low likelihood: MINOR RISKS
• Low impact, high likelihood: HIGH INCIDENCE RISKS
23. THE CORE SECURITY CONTROL SET
1. Give priority to common controls that can support multiple systems efficiently and effectively as a common capability
2. Use the result of the risk assessment to identify controls that cover higher risks
3. Gather feedback from stakeholders
Measurable · Auditable · Understood
24. ABOUT THE SPEAKER
Jean-Baptiste Bres
Jean-Baptiste Bres is Chief Information Security Officer at StatePlus (formerly State Super Financial Services).
As the former Head of GPI at BNP Paribas CIB Australia and New Zealand, he led the Security, Operational Risk and Governance teams of the Bank. His career in Financial Institutions spans over 15 years and two continents, delivering excellence and driving risk management in Information Technology.
Jean-Baptiste holds a Master in Computer Science from the University of Belfort-Montbeliard in France.
https://www.linkedin.com/in/jbbres/ https://www.jbbres.com
Editor's Notes
The Australian Prudential Regulation Authority (APRA) has published a new Prudential Standard, CPS 234, enforceable from 1 July 2019. This prudential standard defines APRA's expectations of financial institutions around information security. Among the fundamental requirements covered by the prudential standard, APRA clearly sets the expectation that regulated institutions must have a defined and maintained Information Security Policy Framework.
While the Prudential Standard does not define the expected capabilities and controls the framework should cover, it insists on 3 aspects:
Understanding the assets: a regulated institution is expected to identify and classify them by sensitivity and criticality.
Understanding the threats they are exposed to: having identified its assets, the regulated institution is expected to identify what threats they are exposed to. Due to the constantly changing nature of the threat landscape, a review of the threat exposure should be performed on a regular basis.
Ensuring the protection of the assets is commensurate with the threats: this means that the controls that compose the Security Framework need to be adapted to each case so the risks are adequately mitigated. It is a clear statement that generic controls (such as generic penetration testing) or single perimeter protections (such as a firewall) are not considered enough, and the overall framework needs to cater for the complexity of the environment.
This presentation is designed to offer an understanding on how a regulated institution can fulfil these requirements, covering:
an overview of what a Policy Framework is, and why it is an essential part of any Information Security program;
the various existing frameworks used across the industry, their strengths and limitations;
a methodology to create a flexible framework, supported by a risk assessment and a strong understanding of the assets owned by the institution and the threats they are exposed to;
an approach to define an adequate control set and how to prioritise its implementation.
APRA offers a definition of the policy framework as “the totality of policies, standards, guidelines and procedures pertaining to information security”. This is a very functional definition of a framework, and it makes sense from a regulatory standpoint.
However, organisations seeking maturity in their information security usually see their policy framework as a cornerstone of their security practice. It is, of course, a set of practices, policies and procedures, but it is also a calculated approach to determine information security risks and to reduce these risks through adequate controls.
As such, the policy framework is really the fleshed-out details of the overall Information Security Strategy, offering a measurable and repeatable methodology to achieve the goals defined by the organisation in that area.
A robust Policy Framework should serve multiple purposes:
Educate people and staff about information security;
Define responsibility of all stakeholders
Ensure processes are secured and auditable;
Facilitate secure implementation and maintenance of technology;
Create a common language around information security, ensuring efficient communication with leaders and with all users;
Provide a reference for designing security mechanisms; and
Ensure measurement and benchmarking of the security practices.
While it is now a regulatory requirement, there is also high value for any organisation to endorse and maintain such a framework. It of course offers a robust way to protect physical assets, digital assets and information. It is also a fundamental tool to demonstrate good corporate citizenship, as protecting information is now considered as a normal duty of every company and not an optional activity. Finally, it can also be used as a business differentiation, especially if aligned with some of the industry’s most recognised security frameworks, and can ensure certification to some of the industry standards, such as ISO 27001.
A standard policy framework is usually composed of 4 types of documents:
Policies are the highest level of the framework. They provide the foundation of the security program and are approved at the highest level of the organisation (ideally, the board of directors). All employees are required to comply with them. Their content needs to be carefully crafted and worded and, by nature, should not dig into the technicalities required for their execution. For example, a good policy would state that “all sensitive information must be encrypted at rest and in transit” but should not define which encryption technology is required, as the technology might change. By doing so, the policies will withstand the test of time and should not need to be updated as technologies evolve;
Standards provide the details of the security controls expected within the organisation. They derive their authority from policies and should align with them. Compliance is again mandatory for all employees. Standards are usually approved by executive or senior managers, such as the Chief Information Security Officer or the Head of Cyber Security. They contain some level of decision on the methodology and technology expected to enforce the controls. For example, a standard would define that AES-256 should be used for data encryption. Note that a key size alone does not fully specify an encryption control: a usable standard also names the mode of operation (AES-256-GCM, for instance) and how keys are generated, stored and rotated, otherwise two teams can both claim to comply with 'AES-256' while doing quite different things. Complex technology standards are often derived from industry standards, such as the Center for Internet Security (CIS) Benchmarks, which provide detailed configuration settings for a large number of operating systems, network devices, applications and platforms;
Guidelines provide security advice and direction to staff. They align with industry good practices and are usually optional. A guideline would suggest, for example, the use of an encrypted wireless network when available. Where no encrypted wireless network is available, employees can still use alternative solutions, such as a VPN;
Procedures are step-by-step instructions to perform a specific task. As an example, a forensic procedure will contain the steps to investigate a system or device and clearly define how the information has to be isolated and which elements to look at, so that no tampering occurs during the investigation. Depending on the organisation and the type of procedure, compliance may be mandatory or optional.
While some organisations decide to amalgamate some of these documents, for example by combining policies and standards, or standards and guidelines, keep in mind that these documents serve very distinct roles, have different levels of expected compliance and are designed for different audiences. When creating any document that will be part of your framework, it is usually recommended to first clearly identify its audience and their level of technological literacy.
Providing a “map” of the framework, that helps readers to navigate the various information available through a set of high-level categories, and easily identify which documents are of value for them, is also greatly beneficial. This can easily be done by offering a 2-line description of what the document is about, whether compliance is expected, and a simple rating of the level of technical details contained.
Creating a policy framework can be a daunting task. Information Security is a very large topic that covers many aspects around people, processes and technology. Creating a framework from scratch is a colossal effort and anybody attempting it is at risk of missing critical areas or topics. There are a number of well-recognised frameworks that can be used either as offered or as a starting point to create a more tailored and efficient framework that will fit the specifics of an organisation.
While selecting or creating an Information Security framework, an organisation must first have a clear understanding of what its requirements are, and what it is trying to achieve through this process. There are a few points to consider carefully prior to engaging in a selection or deciding what to include:
What are the compliance and regulatory requirements that the organisation is subject to?
What are the specific technical and non-technical areas that the framework is expected to cover? Depending on the organisation's activities and infrastructure, not all aspects of a fully-scaled framework might be pertinent. An organisation not managing or accessing any Personally Identifiable Information (PII) will not require as many privacy controls as an organisation that stores and processes personal information about a large number of individuals. The standard around web development security might also vary depending on whether the organisation has a web portal allowing customers to perform straight-through financial transactions, or a corporate website that only displays publicly available information about company services.
Is there any certification objective for the organisation? Information Security can be a key differentiator in certain industries. For an organisation targeting ISO 27001 certification, it will be easier to adopt or align closely to the ISO 27001 framework, as it will facilitate the compliance demonstration and the acquisition of the certification.
What is the current security maturity? Some frameworks facilitate adoption through a maturity cycle, while others are more monolithic. An organisation with low cyber-security maturity will struggle to adopt a robust but inflexible framework, as it might represent too much of a step up. Adopting a framework that can realistically be implemented from the current maturity level will facilitate implementation.
The most commonly used Information Security frameworks are the Payment Card Industry Data Security Standard (PCI-DSS), the International Organisation for Standardisation 27001 Information Security Management standard (ISO 27001), the Center for Internet Security Benchmarks and Controls (CIS) and the National Institute of Standards and Technology Special Publication 800-53 (NIST 800-53). While all these standards are of high quality and cover a large common ground of controls, they do have some differences. They are also not exclusive of each other, and many institutions use a combination of controls out of multiple frameworks to create their own. The counts below are those of the editions current when this was presented in 2019; later revisions have changed them.
PCI-DSS
• 12 requirements, 254 sub-requirements
• Very focused on credit card data protection
• Complexity varies with the number of credit card transactions processed
ISO 27001
• 10 sections, 114 controls
• Broad coverage of all areas of security
• Internationally recognised
• Valued certification
• Risk focused
CIS
• 20 security controls, multiple sub-controls
• Technology oriented
• Very flexible
• Ideal for immediate, high impact results
• Control focused
NIST 800-53
• 17 control families, 325 controls
• Broad coverage of all areas of security
• Good balance between risk and controls
• Easy to build into a program
When selecting a framework, either as the fully-fleshed standard for an organisation or as a starting point for a bespoke framework, understanding the specificities of each of these industry frameworks is critical.
It is also essential to have a clear view of which local, regional and global regulations and legislation the organisation must comply with. Some frameworks might not be fully compatible with specific requirements. It is also important to understand how specific these expectations are. For example, most of the frameworks that offer a broad coverage of cyber security will largely satisfy compliance with APRA CPS 234. But some very specific items, such as the requirements to notify APRA within 72 hours of a material information security incident (#35) and within 10 business days of a material control weakness that cannot be remediated in a timely manner (#36), will not be part of any default standard or procedure and as such will need to be inserted into the incident response process.
A gap assessment to understand which requirements are already satisfied and which need to be developed or updated in the framework is then essential. The gap assessment is also a great tool to demonstrate future compliance in case of audit.
Despite their high quality and robustness, the industry frameworks can very often prove challenging to implement as is. They are designed to cover and protect all aspects of information and technology, and cover many elements that are not necessarily pertinent for all organisations, especially small and medium size companies. A company with a fully cloud-based infrastructure will for example find very little value in the numerous controls that ensure physical protection of in-house data centres, although it still needs assurance, typically through the provider's independent audit reports, that the provider implements them. Local specificities and regulatory compliance items might also require alteration or additional controls that the industry standards might not cover. As an example, regulatory requirements might impose additional controls for data stored abroad, when an industry standard might not necessarily consider the data location as a potential risk.
In addition, while they are designed to be as generic and adaptable as possible, industry frameworks might not always easily embed within specific organisational structures and business strategies. As technology and threats evolve at a fast speed, some of the controls of these frameworks become less relevant, while new risks arise and lack available mitigations.
As such, creating a hybrid framework is very often an excellent way to ensure Information Security focus on what is important for the organisation, reduce waste and inefficiencies, and enable adaptation to a fast-changing technology and threat landscape.
The easiest and most efficient way to create a hybrid framework is still to rely on one of the industry frameworks as a starting point, reusing that framework's areas of focus (or families, or sections, depending on the framework's naming convention) as the overall structure. Once the overall structure is defined, the next step is to select an adequate core set of controls to populate the content. The controls must be selected following a risk assessment process based on a good understanding of the organisation's core activities, assets and threats.
The risk assessment is an essential step in the process of creating and defining the Information Security framework. It supports the evaluation of the potential risks involved in an undertaking, and it helps measure components in a consistent way across many different subject areas.
Multiple tools exist to assist in performing a risk assessment, covering multiple domains including security, but also IT, privacy, data security and business resiliency. Both CIS (the CIS Risk Assessment Method, CIS RAM) and NIST (Special Publication 800-30) provide such a risk assessment methodology free of charge, as do industry-recognised methodologies and tools such as the Standardized Information Gathering (SIG) questionnaire.
Most organisations agree that a risk can be calculated as the factor of the impact that an event would have on the organisation and the likelihood of that event occurring.
RISK = IMPACT x LIKELIHOOD
When it comes to information security, the impact can be measured through the understanding of the assets affected and how much the organisation is reliant on these assets.
The likelihood correlates directly with the threats faced by the organisation. Having a clear view of the security threats that the organisation faces is key to understanding which of them are likely to occur.
Understanding the assets of an organisation and the associated impact if these assets were to be made unavailable, corrupted or inadequately disclosed is a long process that requires a good understanding of the organisation as a whole. Assets can be people, information, buildings and facilities, IT systems, finances and even partner organisations and suppliers. In order to clearly identify their value, assets need to be classified, be part of a lifecycle or management process, and have a defined owner.
The asset identification process follows 4 specific steps:
The identification of the product and services offered by the organisation.
The identification of the critical functions needed to deliver the products and services
The understanding of processes required within the critical functions
The identification of assets (or resources) required to perform the processes
The asset identification process requires interaction with all departments and might require using various methods, including workshops, questionnaires and interviews. Strategic plans, annual reports, department plans, service level agreements (SLA) and previously performed risk assessments can also be a valuable source of information to assist in that exercise.
Once the assets have been identified and registered, the next step is to classify them. Classification helps users understand security requirements for different types of assets. The different security classifications used by an organisation determine what sort of storage, handling, and access are required for classified information. Asset classifications are assigned based on both the sensitivity of the information and the criticality of that information to the organisation. Classification categories vary from organisation to organisation, but most classification schemes have 3 to 5 levels used to segregate information:
Confidential or private information could be of high impact if disclosed inadequately, such as customers’ personal information, plans for new undisclosed products and board papers.
Sensitive information is not designed to be shared outside the organisation but would have limited to moderate impact if it were made available to an unauthorised party. Examples of sensitive information would be staff corporate email addresses or phone numbers, internal procedures or a list of suppliers; and
Public information is designed to be accessible by everybody. Examples of public information include advertising documentation, public disclaimer, list of available products…;
An efficient classification standard would include a methodology to assist in consistently determining the classification of an asset. That could be achieved by providing rules defining how assets should be classified based on the resulting monetary loss, image loss or management impact if the assets were to be compromised. As an asset ranges higher in the classification scheme, the impact associated with its disclosure or unavailability also increases.
Understanding the threats that are targeting or that could target an organisation is essential to prepare for, prevent and identify security incidents. By gaining knowledge of the threats faced and an understanding of their likelihood, the organisation can build effective defence mechanisms and focus its security investment on what is important.
Threat modelling can help in that exercise. The STRIDE model, developed at Microsoft, is a useful and simple starting point. The name is an acronym for the following six threat categories, each paired with the security property it violates:
Threat (property violated) | Description | Example
Spoofing (Authentication) | Impersonating something or someone else | Pretending to be an internal email address or a known domain.
Tampering (Integrity) | Modifying data or code | Modifying an executable file, or a packet as it traverses the network.
Repudiation (Non-repudiation) | Claiming to have not performed an action | “I didn’t send that email,” “I didn’t modify that file,” “I certainly didn’t visit that web site, dear!”
Information disclosure (Confidentiality) | Exposing information to someone not authorised to see it | Allowing someone to read sensitive information; publishing a list of customers to a web site.
Denial of Service (Availability) | Denying or degrading service to users | Making a website unavailable by sending too many requests; sending numerous packets to reduce network availability.
Elevation of Privilege (Authorisation) | Gaining capabilities without proper authorisation | Allowing a limited user to run administrative commands on a server.
Understanding the threats, including identifying how often these threats were realised in the past, allows their likelihood of future reoccurrence to be determined.
With a better understanding of the impact that a compromised corporate asset would create, and the likelihood of the threats faced by the organisation, creating a risk matrix is a simple mechanism to increase visibility of risks and assist in the decision on what controls are required and need to be implemented as a priority.
Categorising the impact and likelihood can facilitate further the process, especially if one or both factors cannot be measured efficiently. As an example, the impact can be categorised as: ‘catastrophic’, ‘high’, ‘moderate’ and ‘low’, and the likelihood as 'certain', 'likely', 'possible', 'unlikely' and 'rare’.
Once the risks are classified, the priority and the importance of the controls that will mitigate them become very quickly evident.
Significant risks have a high impact and a high likelihood. They are imminent threats to the organisation and as such should be remediated immediately. Controls associated with these risks are very important and need to be regularly reported, tested and measured for efficiency.
Contingency risks and high incidence risks have respectively high impact but low likelihood and low impact but high likelihood. These risks are the next priority to remediate. While not necessarily imminent, they are real threats for the organisation. Associated controls need to be carefully monitored and tested on a regular basis.
Minor risks have low impact and low likelihood and as such are less likely to be on the priority list. They should be addressed when possible, but their level of reporting and testing can remain limited.
Selecting an industry-recognised framework as a baseline and having a clear risk assessment are 2 major steps toward a fully fleshed Information Security policy framework. The final step is to select the set of controls that will compose the framework and will be described through the various documents comprising it.
As mentioned previously, industry recognised frameworks such as PCI-DSS, ISO or NIST offer a large set of controls that can be reused as part of a hybrid framework more aligned with an organisation's needs and priorities. To select which controls will comprise the final framework, the risk assessment becomes an essential tool. By linking the controls to the risks they are designed to mitigate, it becomes easy to identify which controls remediate significant risks, contingency risks or high incidence risks. These controls should be part of the final framework. Controls remediating minor risks might or might not proceed to the final framework, depending on the organisation's appetite for security risk.
Keeping a documented linkage between risks and controls could also prove very valuable for future evolution of the framework. As the organisation and its environment evolve, the assets it uses and the threats it faces might change, resulting in a shift of risks. Some risks might disappear over time while new ones will surface. Some risks will increase as other decrease. As the organisation refreshes its risk matrix, it becomes easy to update the framework accordingly by deciding if controls are still pertinent or if they only remediate risks that are not of importance anymore, and as such can be removed.
Some controls, known as common controls, support multiple systems efficiently and effectively as a common capability. Ensuring that these controls are included as a priority facilitates the operational execution of the framework.
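The risk matrix, the control-to-risk linkage and the preference for common controls described above, carried through as an added worked example in Python. This is illustration added here, not code from the presentation or from StatePlus: the quadrant thresholds, the four-level impact and five-level likelihood scales, the sample risk register and the control linkage are all assumptions constructed for the example, and the scoring of a risk as the product of two ordinal scales is only one of many conventions an organisation may choose.

```python
"""Risk matrix and control prioritisation as described in the notes above.

Added worked example, not code from the presentation or from StatePlus. The
quadrant thresholds, sample risks and control linkage are assumptions
constructed for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum

# Impact and likelihood categories named in the notes, numbered from 1 upward.
Impact = IntEnum("Impact", "LOW MODERATE HIGH CATASTROPHIC")
Likelihood = IntEnum("Likelihood", "RARE UNLIKELY POSSIBLE LIKELY CERTAIN")

# Where "high" starts on each axis is a risk-appetite decision; assumed here.
HIGH_IMPACT, HIGH_LIKELIHOOD = Impact.HIGH, Likelihood.LIKELY
# Remediation priority per quadrant: 1 immediately, 2 next, 3 when possible.
QUADRANT_PRIORITY = {"significant": 1, "contingency": 2, "high incidence": 2, "minor": 3}

@dataclass(frozen=True)
class Risk:
    risk_id: str
    asset: str
    threat: str  # STRIDE category the risk was derived from
    impact: Impact
    likelihood: Likelihood

    @property
    def score(self) -> int:
        """RISK = IMPACT x LIKELIHOOD on the ordinal scales above."""
        return int(self.impact) * int(self.likelihood)

    @property
    def quadrant(self) -> str:
        """Place the risk in one of the four quadrants of the matrix."""
        high_impact = self.impact >= HIGH_IMPACT
        high_likelihood = self.likelihood >= HIGH_LIKELIHOOD
        if high_impact:
            return "significant" if high_likelihood else "contingency"
        return "high incidence" if high_likelihood else "minor"

def _linked(risks, risk_ids):
    """Resolve risk ids against the register, dropping ids no longer on it."""
    by_id = {r.risk_id: r for r in risks}
    return [by_id[i] for i in risk_ids if i in by_id]

def prioritise_controls(risks, linkage):
    """Rank controls by the worst quadrant they mitigate, then by how many
    distinct assets they cover (common controls first); `linkage` maps
    control_id -> set of risk_ids. Returns [(control_id, priority, assets)]."""
    ranked = []
    for control, risk_ids in linkage.items():
        linked = _linked(risks, risk_ids)
        if linked:  # controls with no live risk are reported by stale_controls
            priority = min(QUADRANT_PRIORITY[r.quadrant] for r in linked)
            ranked.append((control, priority, len({r.asset for r in linked})))
    return sorted(ranked, key=lambda t: (t[1], -t[2], t[0]))

def core_control_set(risks, linkage):
    """Controls remediating a significant, contingency or high-incidence risk
    always enter the framework; minor-only controls depend on risk appetite."""
    return [c for c, p, _ in prioritise_controls(risks, linkage) if p <= 2]

def stale_controls(risks, linkage):
    """Controls to revisit at the next register refresh: they mitigate only
    minor risks, or every risk they reference has dropped off the register."""
    stale = {}
    for control, risk_ids in linkage.items():
        linked = _linked(risks, risk_ids)
        if not linked:
            stale[control] = "linked risks no longer in register"
        elif all(r.quadrant == "minor" for r in linked):
            stale[control] = "mitigates only minor risks"
    return stale

# Constructed sample register (one STRIDE-derived risk per asset) and the
# documented control-to-risk linkage the notes recommend keeping.
SAMPLE_RISKS = [
    Risk("R1", "customer database", "Information disclosure", Impact.CATASTROPHIC, Likelihood.POSSIBLE),
    Risk("R2", "public website", "Denial of Service", Impact.MODERATE, Likelihood.LIKELY),
    Risk("R3", "staff laptops", "Spoofing", Impact.HIGH, Likelihood.CERTAIN),
    Risk("R4", "brochure file share", "Tampering", Impact.LOW, Likelihood.RARE),
    Risk("R5", "payments portal", "Elevation of Privilege", Impact.CATASTROPHIC, Likelihood.UNLIKELY),
]
SAMPLE_LINKAGE = {
    "C-MFA": {"R3", "R5"},    # multi-factor authentication for all staff
    "C-PATCH": {"R2", "R5"},  # patching of internet-facing systems
    "C-ENC": {"R1"},          # encryption of sensitive data at rest and in transit
    "C-DDOS": {"R2"},         # upstream DDoS protection
    "C-WATERMARK": {"R4"},    # watermarking of brochure files
    "C-FAX": {"R9"},          # carried over from an old register; R9 no longer exists
}

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(r.risk_id, r.asset, r.threat, "score", r.score, r.quadrant)
    print(prioritise_controls(SAMPLE_RISKS, SAMPLE_LINKAGE))
    print(core_control_set(SAMPLE_RISKS, SAMPLE_LINKAGE), stale_controls(SAMPLE_RISKS, SAMPLE_LINKAGE))
```

On the sample register, the multi-factor authentication control ranks first because it mitigates the one significant risk, and it ranks ahead of the other priority-2 controls that cover a single asset because it is a common control spanning two assets. The watermarking control surfaces for review because it only mitigates a minor risk, and the control carried over from an old register surfaces because none of the risks it was linked to still exist; both are exactly the cases the documented linkage is meant to make visible when the risk matrix is refreshed.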
To be efficient, controls need to be well documented. That includes defining responsibility for implementation and execution (the control owner), the frequency of execution and a clear methodology for execution. A good control is measurable (its results can be quantified in a consistent and repeatable way), auditable (the results can be demonstrated at any time) and understood (the team responsible for control execution must have a clear understanding of the intent of the control and its importance for the organisation).
Finally, gathering feedback from stakeholders, especially the control owners, is essential. A policy framework is as robust as its execution. A strong set of controls has no value if, in practice, they are not performed because they are too onerous, too complex or simply not well understood.
This article is not legal or regulatory advice. You should seek independent advice on your legal and regulatory obligations. The views and opinions expressed in this article are solely those of the author. These views and opinions do not necessarily represent those of StatePlus or its staff.