This document provides an overview of key concepts from Chapter 2 of CNIT 125: Information Security Professional (CISSP Preparation) regarding asset security. It discusses classifying and labeling data according to sensitivity, as well as concepts like clearance, access approval, and need-to-know. It also covers data ownership models and the different types of data storage media and their memory capabilities. Determining appropriate data security controls is discussed, including standards, certification and accreditation processes, and protecting data at rest and in motion.
4. Labels
• Governments
  • Confidential, Secret, Top Secret
    • Threats to national security
  • SBU (Sensitive But Unclassified)
    • Sensitive but not a matter of national security, like employee health records
  • For Official Use Only (FOUO)
• Private Sector
  • "Internal Use Only", "Company Proprietary"
5. Security Compartments
• Sensitive Compartmented Information (SCI)
  • Highly sensitive information
  • Examples (not testable)
    • HCS, COMINT (SI), GAMMA (G), TALENT KEYHOLE (TK)
• Compartments require a documented and approved need to know in addition to a normal clearance such as Top Secret
6. Clearance
• Formal determination of whether a user can be trusted with a specific level of information
• Considers both current and future potential trustworthiness
  • Issues: debt, drug or alcohol abuse, personal secrets
• Most common reasons for denying clearance
  • Drug use and foreign influence
7. Formal Access Approval
• Documented approval from the data owner for a subject to access certain objects
• Requires the subject to understand all the rules and requirements for accessing data
  • And the consequences if the data is lost, destroyed, or compromised
8. Need to Know
• Most systems rely on least privilege
• Rely on users to police themselves by following policy and only attempting to access information they need to know
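Slides 4 to 8 describe three separate requirements that must all be met before a subject may read an object: a clearance that covers the label, formal access approval for every compartment, and a need to know. The following is an added example (not from the slides) that encodes that decision in Python; the subject and object names are constructed, and the compartment names are the ones listed on slide 5.

```python
# Added example, not from the slides: a minimal access decision combining
# the three requirements the slides describe: clearance level, formal access
# approval for each compartment, and need to know. Names are constructed.
from dataclasses import dataclass

# Government labels from the slides, ordered from least to most sensitive.
LEVELS = {"SBU": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str            # formal clearance level
    approvals: frozenset      # compartments with documented, approved access
    need_to_know: frozenset   # object names the subject's job requires

@dataclass(frozen=True)
class Obj:
    name: str
    label: str
    compartments: frozenset   # SCI compartments, e.g. "TK", "G"

def denial_reasons(subj: Subject, obj: Obj) -> list:
    """Return why access is denied; an empty list means access is allowed."""
    reasons = []
    if LEVELS[subj.clearance] < LEVELS[obj.label]:
        reasons.append(f"clearance {subj.clearance} does not cover {obj.label}")
    missing = obj.compartments - subj.approvals
    if missing:
        reasons.append("no formal access approval for " + ", ".join(sorted(missing)))
    if obj.name not in subj.need_to_know:
        reasons.append("no need to know")
    return reasons

def can_access(subj: Subject, obj: Obj) -> bool:
    return not denial_reasons(subj, obj)

# Constructed sample data: a Top Secret report in the TK and G compartments.
REPORT = Obj("imagery-report", "Top Secret", frozenset({"TK", "G"}))
ANALYST = Subject("analyst", "Top Secret", frozenset({"TK", "G"}), frozenset({"imagery-report"}))
# Cleared to Top Secret and approved for TK, but never read into GAMMA.
TK_ONLY = Subject("tk_only", "Top Secret", frozenset({"TK"}), frozenset({"imagery-report"}))
# Secret clearance only: the label alone is enough to deny.
SECRET_USER = Subject("secret_user", "Secret", frozenset({"TK", "G"}), frozenset({"imagery-report"}))

if __name__ == "__main__":
    for s in (ANALYST, TK_ONLY, SECRET_USER):
        print(s.name, "->", "allowed" if can_access(s, REPORT) else denial_reasons(s, REPORT))
```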
9. Sensitive Information/Media Security
• Sensitive Information
  • Requires protection
  • Resides on media
    • Primary storage and backup storage
• Policies must cover
  • Handling
  • Storage
  • Retention
11. Business or Mission Owners
• Senior management
• Create information security program
• Ensure that it is properly staffed, funded, and given organizational priority
• Responsible for ensuring that assets are protected
12. Data Owners
• Also called "information owner"
• Management employee responsible for ensuring that specific data is protected
• Determine sensitivity labels and frequency of backup
• Data owner does management
  • Custodians perform actual hands-on protection of data
• NOTE: this is different from the "Owner" in a Discretionary Access Control system
13. System Owner
• Manager responsible for the physical computers that house data
  • Hardware, software, updates, patches, etc.
• Ensure physical security, patching, hardening, etc.
• Technical hands-on responsibilities are delegated to Custodians
14. Custodian
• Provides hands-on protection of data
• Performs backups, patching, configuring antivirus software, etc.
• Custodian follows detailed orders
  • Does not make critical decisions on how data is protected
15. Users
• Must comply with policies, procedures, standards, etc.
  • Must not write down passwords or share accounts, for example
• Must be made aware of risks, requirements, and penalties
16. Data Controller and Data Processors
• Data Controllers
  • Create and manage sensitive data
  • Human Resources employees are often data controllers
• Data Processors
  • Manage data on behalf of data controllers
  • Ex: outsourced payroll company
20. Data Remanence
• Data that remains on storage media after imperfect attempts to erase it
• Happens on magnetic media, flash drives, and SSDs
21. Memory
• None of these retain memory for long after power is shut off
• RAM is main memory
• Cache memory
  • Fast memory on the CPU chip (level 1 cache) or
  • On other chips (level 2 cache)
• Registers
  • Part of the CPU
22. RAM and ROM
• RAM is volatile
  • Data vanishes after power goes off
• ROM is not volatile
• Cold Boot Attack
  • Freezing RAM can make the data last longer without power, up to 30 min. or so
23. DRAM and SRAM
• Static Random Access Memory (SRAM)
  • Fast and expensive
• Dynamic Random Access Memory (DRAM)
  • Slower and cheaper
24. Firmware
• Small programs that rarely change
• Ex: BIOS (Basic Input-Output System)
• Stored in ROM chips
25. Types of ROM Chips
• PROM (Programmable Read Only Memory) -- write-once
• Programmable Logic Device (PLD)
  • Field-programmable
  • Types include
    • EPROM (Erasable Programmable Read Only Memory)
    • EEPROM (Electrically Erasable Programmable Read Only Memory)
    • Flash Memory
26. Flash Memory
• USB thumb drives
• A type of EEPROM
• Written by sectors, not byte-by-byte
  • Faster than EEPROMs
  • Slower than magnetic disks
27. Solid State Drives (SSDs)
• Combination of EEPROM and DRAM
• SSDs use large block sizes
• Blocks are virtual; the computer doesn't know the physical location of the blocks
• Bad blocks are replaced silently by the SSD controller
• Empty blocks are erased by the controller in a "garbage collection" process
28. Cleaning SSDs
• Overwriting data from the computer is ineffective
  • Cannot access all the blocks
• The SSD controller may have an ATA Erase command
  • But there's no way to verify its work
  • It makes no attempt to clean "bad" blocks
29. Two Ways to Securely Erase an SSD
• Physically destroy the drive
• Turn on encryption before the drive is ever used
  • That ensures that even the bad blocks are encrypted
  • To erase it, delete the key
  • iPhones work this way
  • Proven effective in practice
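Slides 27 to 29 explain that the host never sees the physical blocks, so overwriting cannot reach a block the controller has retired, while a drive encrypted before first use can be sanitized by deleting the key. The following toy model is an added example (not from the slides, and not how any real controller is implemented): it remaps one logical block to a spare cell and then compares what a raw read of every cell finds after a host overwrite versus after a key deletion. A SHA-256 keystream stands in for the AES a real self-encrypting drive would use, and the secret record is constructed.

```python
# Added example, not from the slides: a toy SSD model showing why host-side
# overwriting leaves data in retired ("bad") blocks, while encrypting before
# first use lets deleting the key sanitize every block at once.
import hashlib
import os
BLOCK = 32  # bytes per flash block in this model (real SSDs use far larger blocks)

def toy_cipher(key: bytes, block_no: int, data: bytes) -> bytes:
    # XOR with a per-block SHA-256 keystream; a stand-in for the drive's AES.
    stream = hashlib.sha256(key + block_no.to_bytes(4, "big")).digest()
    return bytes(b ^ stream[i] for i, b in enumerate(data[:BLOCK]))

class ToySSD:  # logical blocks map to physical cells; the controller can remap them
    def __init__(self, nblocks=4, key=None):
        self.cells = [b"\x00" * BLOCK for _ in range(nblocks + 1)]  # +1 spare cell
        self.lmap = {lb: lb for lb in range(nblocks)}               # logical -> physical
        self.key = key                                              # None: plaintext drive

    def write(self, lb: int, data: bytes) -> None:
        self.cells[self.lmap[lb]] = toy_cipher(self.key, lb, data) if self.key else data

    def retire_block(self, lb: int) -> None:
        # The controller silently remaps to the spare cell; the old cell keeps its contents.
        self.lmap[lb] = len(self.cells) - 1

    def host_overwrite_all(self) -> None:
        for lb in self.lmap:
            self.write(lb, b"\x00" * BLOCK)

    def crypto_erase(self) -> None:
        self.key = None  # key destroyed: stored ciphertext can no longer be decrypted

    def raw_cells_containing(self, needle: bytes) -> list:  # what a lab reading bare NAND finds
        return [i for i, cell in enumerate(self.cells) if needle in cell]

SECRET = b"SSN 123-45-6789"  # constructed sample record

def after_host_overwrite() -> list:
    ssd = ToySSD()
    ssd.write(0, SECRET)
    ssd.retire_block(0)      # block goes bad after the secret was stored
    ssd.host_overwrite_all()
    return ssd.raw_cells_containing(SECRET)   # [0]: plaintext survives in the retired cell

def after_crypto_erase() -> list:
    ssd = ToySSD(key=os.urandom(32))        # encryption enabled before first use
    ssd.write(0, SECRET)
    ssd.retire_block(0)
    ssd.crypto_erase()
    return ssd.raw_cells_containing(SECRET)   # []: even the retired cell holds only ciphertext
```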
31. Overwriting
• Deleting a file does not erase its contents
• You must write on top of the sectors it used
• Also called shredding or wiping
• A single pass is enough for a magnetic hard drive
32. Degaussing
• Exposing a magnetic disk or tape to a high magnetic field
• Can be a secure erase if performed properly
36. Certification and Accreditation
• Certification
  • A system meets the requirements of the data owner
• Accreditation
  • Data owner accepts the certification
37. Standards and Control Frameworks
• PCI-DSS
• OCTAVE
  • Operationally Critical Threat, Asset, and Vulnerability Evaluation
  • From Carnegie Mellon U
• ISO 27000 Series
  • Used to be ISO 17799
  • International standard, very detailed and expensive to implement
38. Standards and Control Frameworks
• COBIT
  • Control Objectives for Information and related Technology
  • From ISACA (Information Systems Audit and Control Association)
  • A governance model
• ITIL
  • Information Technology Infrastructure Library
  • Framework for IT service management
39. Scoping and Tailoring
• Scoping
  • Determining which portions of a standard an organization will use
  • If there's no wireless, wireless is "out of scope"
• Tailoring
  • Customizing a standard for an organization
  • Controls selection, scoping, and compensating controls
40. Protecting Data in Motion and Data at Rest
Determining Data Security Controls
41. Drive and Tape Encryption
• Protect data at rest, even after physical security is breached
• Recommended for all mobile devices and mobile media
• Whole-disk encryption is recommended
• Breach notification laws exclude lost encrypted data
42. Media Storage and Transportation
• Store backup data offsite
• Use a bonded and insured company for offsite storage
  • Secure vehicles and secure site
• Don't use informal practices
  • Like storing backup media at an employee's house
43. Protecting Data in Motion
• Standards-based end-to-end encryption
  • Like an IPSec VPN