The document provides legal disclaimers and information about sustainable cybersecurity practices. It discusses starting cybersecurity at the administration level by making it cultural rather than technical, based on needs rather than vendor features, iterative and continuous. It also discusses establishing a data protection steering committee and reducing reliance on people by ensuring responsibilities are understood and policies and processes are documented. The document provides recommendations on cybersecurity frameworks, controls, and best practices.
There are 7 categories of concern to a Cryptobanker that are already being modeled with physical systems in place in every Pawn Shop:
CUSTODY of the real goods and the cash held at the counter and in a safe in the back office.
CLEARANCE risk policies in place, often ONLY accepting Cash for payment on loans and, for some, even real goods.
Trusted Communications systems established to price the market value of items collateralizing Fiat Cash loans.
COMPLIANCE protocols and documentation procedures in place to verify the identity of both Sellers and Borrowers.
CREDIT licensing in place, as providing lending services is one of the main market drivers for profits.
Physical SECURITY systems with alarms and bars on the windows and doors, with staff armed and trained in defense applications, all mirroring tactics needed for Crypto or Cyber security operations.
OTC operational security protocols already established to verify proof of control of the assets and the authenticity of assets to be collateralized.
As strategists, we find inspiration everywhere. Every month, people on our team share their muse - someone or something that is a guiding light for their work. So instead of another trend report this time of year, this is our Barkley muse report.
Digital Signature, Electronic Signature, How digital signature works, Confidentiality of digital signature, Authenticity of digital signature, Integrity of digital signature, standard of digital signature, Algorithm of digital signature, Mathematical base of digital signature, parameters of digital signature, key computation of digital signature, key generation of digital signature, verification of digital signature
Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: ... (Cellebrite)
As mobile device manufacturers improve device and operating system security measures in a bid to protect user data, the forensic process becomes more complex. In this hands-on demo, learn how UFED rises to the challenge with advanced technology, including advanced bootloaders enabling physical extractions and enhanced logical extraction enabling app file system extractions even within logical examinations.
Modern block ciphers are widely used to provide encryption of quantities of information, and/or a cryptographic checksum to ensure the contents have not been altered. We continue to use block ciphers because they are comparatively fast, and because we know a fair amount about how to design them.
A very clear presentation on Cryptographic Algorithms DES and RSA with basic concepts of cryptography. This was presented by students of Techno India, Salt Lake.
This PPT covers the following concepts:
What is Block Chain?
Brief History of Block Chain
Bitcoins
Distributed Ledger
Describing a Block
Example of Block Chain
Proof-of-Work
Peer-to-Peer Network
Recent Developments of Block Chain
DeFi uses open protocols and decentralized applications powered by smart contracts to enforce agreements, facilitate trades and immutably record transactions on the Blockchain. Aggregating DeFi protocols via a secure and compliant interface with integration into enterprise systems provides an institutional gateway into decentralized finance markets. Zero Trust cybersecurity, self-custody multi-sig wallets together with integration into select existing financial systems provides a secure and compliant way for institutions and consumers to participate in this new emerging world of decentralized finance.
How do we separate hype from useful information in Cyber Security? As Congress is debating a National privacy law, and several states have their own privacy and breach reporting laws including Georgia, how will that impact our workload? Privacy starts with good cyber-hygiene. We will look at how we can leverage the focus on Privacy to address standards for:
Firewall and network setups
Cloud security
Protocols and ports that need attention
Authentication best practices
Server and network rights
Password rules
How do we separate hype from useful information in Cyber Security? As Congress is debating a National privacy law, and several states have privacy and breach reporting laws, how will that impact our workload? Privacy starts with good cyber-hygiene. We will look at how we can leverage the focus on Privacy to address standards for:
Firewall and network configs
Cloud security
Protocols and ports that need attention
Authentication best practices
Server and network rights
Password rules
Regulatory compliance mandates have historically focused on IT & endpoint security as the primary means to protect data. However, as our digital economy has increasingly become software dependent, standards bodies have dutifully added requirements as they relate to development and deployment practices. Enterprise applications and cloud-based services constantly store and transmit data; yet, they are often difficult to understand and assess for compliance.
This webcast will present a practical approach towards mapping application security practices to common compliance frameworks. It will discuss how to define and enact a secure, repeatable software development lifecycle (SDLC) and highlight activities that can be leveraged across multiple compliance controls. Topics include:
* Consolidating security and compliance controls
* Creating application security standards for development and operations teams
* Identifying and remediating gaps between current practices and industry accepted "best practices"
Presentation by Soumya Mondal, on "Information Security: Importance of having defined policy & process" at "Braindigit 9th National ICT Conference 2013" organized by Information Technology Society, Nepal at Alpha House, Kathmandu, Nepal on 26th January, 2013
The GDPR requires organizations — both “data controllers” and “data processors” — to strengthen their data protection and security measures to protect the personally identifiable information (PII) of EU citizens, and to demonstrate their compliance at any time. See how Quest solutions can help make it easier to ensure that your customer on-premises, cloud or hybrid environment meets GDPR compliance requirements.
It's a Who, What, Where and Why behind cyber risk in today's modern era - how data breaches happen, why they happen, and what you can do to address them.
With the increasing number of data breaches and cyber attacks, it's becoming clear that traditional security measures are no longer sufficient. Zero Trust security is an approach that assumes no user, device, or network is trustworthy by default. This seminar will explore the concept of Zero Trust and its application to data security.
During this seminar, we will cover a range of topics related to Zero Trust and data security, including the history and evolution of Zero Trust, the key principles of Zero Trust, and the different applications of Zero Trust in data security. We will also discuss the impact of Zero Trust on the job market and the skills required to work effectively with this approach.
Through a combination of lectures, case studies, and interactive discussions, attendees will gain a comprehensive understanding of the potential benefits of implementing a Zero Trust approach to data security. They will leave the seminar with practical insights and strategies to effectively leverage Zero Trust to protect their organization's data.
Learning Objectives:
Upon completion of this seminar, participants will be able to:
1. Understand the history and evolution of Zero Trust and its application to data security.
2. Gain insights into the key principles of Zero Trust and the different applications of this approach in data security.
3. Learn about the potential benefits and challenges of implementing a Zero Trust approach to data security.
4. Develop practical strategies for effectively leveraging Zero Trust to protect their organization's data.
5. Network with other industry professionals to share insights and best practices.
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins (44CON)
A quick summary of the current state of big data technology and data science approaches used in cyber / network defender security analytics including summary use cases, a walk through of a reference architecture and breakdown of the required skills. Focus is on the knowledge needed to run a proof of concept and establish a programme for early benefits. Will then also include a view on the future of extending the platforms and capabilities of security analytics to cover performance metrics and data-driven security management approaches.
Seattle Tech4Good meetup: Data Security and Privacy (Sabra Goldick)
12/7/2016 - It's difficult to avoid news stories about hacks and misused databases. For our Q4 meetup, we will discuss what nonprofits can do to protect their systems and data. Each panelist will outline best practices for protecting your own data as well as constituent data.
PANELISTS
* Mary Gardner, Chief Information Security Officer at Seattle Children's Hospital.
* Ralph Johnson, Chief Information Security and Privacy Officer, King County
* Peter Kittas, Web and IT Consultant, Revelate LLC
Security Fundamentals and Threat Modelling (Knoldus Inc.)
This session will take you through the basic fundamentals and terminologies of security in our applications along with the latest security and threat trends. We will also discuss what is Threat Modelling and how we can perform it on our architectures without being an actual expert.
Protecting the Crown Jewels – Enlist the Beefeaters (Jack Nichelson)
In the wake of a constant stream of high-profile breaches, data is not only becoming a highly valued commodity, it’s becoming an organization’s crown jewels. Who better to protect your crown jewels than the Beefeaters? Tapping into the iconic London Guard’s reputation, Jack Nichelson, with the support of the FBI and PwC, has developed an elite force to defend his organization’s most valuable assets from even trusted insiders. He provides insights into his company's data identification, classification and security initiative, sharing best practices for creating consensus, and engaging and aligning multiple business units to better protect the organization's crown jewels.
IT Staff NDA Template Employee Confidentiality Agreement (Ernest Staats)
This is a sample IT Staff NDA or "Employee Confidentiality Agreement". It has more power to educate staff on what they should or should not do with their power & access.
What does the current research say about the positive and negative influence of emerging technologies on our ministries, our families, and ourselves? It's imperative we comprehend how media impacts our mental and spiritual health. Technology is changing our lives, how we relate to and understand each other.
How to use technology in ministry & parenting (Ernest Staats)
Engaging with technology beyond the level of experience. We need to understand how technology is changing us so we can ensure we are modeling wise habits. There are some good ways we can use technology to understand and shape its use. Suggestions will be given for what we can start doing today that will make positive impacts on our lives and ministries.
Idwg bimonthly security exchange cyber only section (Ernest Staats)
Had a great time sharing with OSAC today on Cyber Security trends. We went over some practical steps organizations and their staff can take to secure their information and privacy better.
Why security is the kidney not the tail of the dog v3 (Ernest Staats)
Security is sometimes thought of being the tail that wags the Dog. A better analogy is that Cyber Security should be the Kidneys of the organization taking out the waste while allowing the useful information to pass.
FBI & Secret Service - Business Email Compromise Workshop (Ernest Staats)
Compiled some open source and other tools that I have used for BEC/EAC protection, security, & training. I had a great time sitting on the panel with other members.
Border crossing mobile social media life-saving security tips (Ernest Staats)
This practical talk focused on steps one can take which could save them or someone else while traveling internationally or even around town. The focus was on the information that is “leaked” by mobile devices and social media, along with some of the most-overlooked steps that could lower risk.
A guide to Sustainable Cyber Security
1. Ernest Staats MSIA, CISSP, CEH…
estaats@Networkpaladin.org
https://networkpaladin.org
https://tinyurl.com/y5jx76cw
2. LEGAL DISCLAIMER:
Nothing in this handout or presentation constitutes legal advice. The information in this presentation was compiled from sources believed to be reliable for informational purposes only. Any and all information contained herein is not intended to constitute legal advice. You should consult with your own attorneys when developing programs and policies.
We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication including any information, methods or safety suggestions contained herein.
3. SUSTAINABLE CYBERSECURITY
Starts at Administration & is:
Cultural not technical
Based on need not vendor features
Iterative & Continuous
Built around accountability
Repeatable & scalable
Balanced – cost/risk vs reward
Documented & auditable
4. DATA PROTECTION STEERING COMMITTEE
See TOR & Policy Templates
Treasury
Legal
Compliance
HR
Marketing
IT/InfoSec
Departments / Missions affected
Who will lead the security and the privacy elements
5. SUSTAINABILITY RELIES ON: People, Process, Technology
Policies set the framework to align People, Process and Technology.
People: reduce reliance and burden on people; responsibilities must be understood.
Processes: reflect the needs of people in relation to policies & technology.
6. LESS IS MORE
50% of organizations use anywhere from 6 to 20 security vendors.
Gaps in detections are largely due to an "overabundance of alerts".
Look for overlaps and eliminate.
7.
8. CART BEFORE …
Rather than evaluating the solution provided by vendors, leaders should assess the value of a product in relation to their People, Process & Risk.
Build your list of needs / requirements and evaluate all vendors based on your needs, not their special sauce.
Prioritize security in the context of Ministry enablement, financial costs, & risk mitigation to justify investments.
9. NO BUSINESS VALUE = NO VALUE
• Know what business value you have had in the last 6 months
• What have you done that has impacted how a department works
• Not maintenance or security value
10. A-I-C ORDER MATTERS
Availability: a guarantee of reliable access to the information by authorized people
Integrity: the assurance that the information is trustworthy and accurate
Confidentiality: a set of rules that limits access to information
11. THE ANSWER: A Standard & Drills (verification)
1. National Institute of Standards and Technology (NIST): NIST Cybersecurity Framework, NIST Risk Management Framework. http://www.nist.gov/
2. Center for Internet Security (CIS): CIS Critical Security Controls. http://www.cisecurity.org/
3. International Organization for Standardization (ISO): ISO 27000-series publications. http://www.iso.org/
4. CySAFE: combines NIST, CIS, and ISO, taking the best of each without duplication. Edits: https://drive.google.com/drive/folders/12UWZiE2JGLeM86t_4ddvXmxz5U810q07?usp=sharing
12. YOUR FRAMEWORK
Support Mission – Business Goals
Sufficient detail to support regulation & compliance requirements
Be implementable
Be measurable
Be documentable
Be defensible (auditable)
13. CIS FIRST 6
Prevent up to 90% of attacks
Control 1: Inventory and Control of Hardware Assets
Control 2: Inventory and Control of Software Assets
Control 3: Continuous Vulnerability Management
Control 4: Controlled Use of Administrative Privilege
Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Control 6: Maintenance, Monitoring and Analysis of Audit Logs
14. SELF ASSESSMENT: “CYSAFE” OR CIS TOP 20
CySafe: https://drive.google.com/drive/folders/12UWZiE2JGLeM86t_4ddvXmxz5U810q07?usp=sharing
CIS Top 20: https://drive.google.com/drive/folders/1QSU4WyBrpg4DFzGhwUS4eIPjFckzv3Nh
15. RISK MANAGEMENT SHOULD:
• Support the strategic objectives
• Enhance institutional decision-making
• Create a “risk-aware” culture
• Reduce operational surprises and losses
• Assure greater business continuity
• Improve use of funding by aligning resources with objectives
• Bridge departmental silos
Observe: Identify Risk
Orient: Categorize & Prioritize
Decide: Select & Implement Controls
Act: Manage, Assess, & Monitor
16. FACTORS THAT CAN CAUSE FAILURE
Complexity (Overlapping Solutions)
Focus on Technology (Bright Shiny Object Disease)
Lack of Understanding of Risk (Fear vs Reality)
Lack of Cyber Security Staff
17. CONTROLS TO BUILD YOUR FRAMEWORK
• HAVE A Plan & document your plan
• Change Management Example: https://tinyurl.com/yyq6feyz
• Freedcamp
• Reading ideas: “Phoenix Project”, “Extreme Ownership”, “Radical Candor”
18. Top Cyber Incident Pain Points
1. No business impact when determining courses of action
2. Lack cross-organizational considerations
3. Limited data classification
4. Ill-defined processes (aka “pre-thought use cases”)
5. No defined step-by-step procedures
6. No defined event terminology between responders
7. No defined thresholds between events and incidents
8. No pre-determined (aka “pre-canned”) external communications
9. Lack of exercise of “memory muscle”
19. MY TYPICAL RECOMMENDATIONS
• Password / Privilege Access Management
• Train Users
• Monitor and Log Everything
• Pick a framework (NIST OR CIS OR CySAFE)
• Check Firewall ports (Outgoing)
• Assess & Document your world
• Server Vulnerability (SVA) & Network Vulnerability (NVA) Assessments
• Know what is being leaked: IoT & Shadow IT
https://drive.google.com/file/d/1_irHSd7pgY_ciP8Sjg51YOcd1S8mjciZ/view?usp=sharing
20. BETTER LEADERSHIP
• Empower through conversations
• Use mission terminology
• Define metrics
• Find Root (Toyota “5-Whys”)
• Tech is a TOOL, not a purpose
• Try device-free meetings
• Control interruptions
• Find time to daydream
21. DELIVERABLES
Firewall & Network setups: https://drive.google.com/drive/folders/1FDKjOi8MPxXTuBZ4MtJZQMf9tcfPkz44?usp=sharing
Cloud security: https://drive.google.com/drive/folders/1MOe15AjF_WRN9IZ10yQefpXDOYfvd8VK?usp=sharing
Protocols and ports that need attention: https://drive.google.com/file/d/1_irHSd7pgY_ciP8Sjg51YOcd1S8mjciZ/view?usp=sharing
Authentication best practices: https://drive.google.com/file/d/1TyMTbghiOSqtuZv7c-CqmurPiqcPdRpV/view?usp=sharing
Server and network rights: https://drive.google.com/file/d/130tcLpGBPE2Q4aYjknG7xaiIkK0CJPsq/view?usp=sharing
Servers: https://drive.google.com/file/d/197jsrcHo4Izx9pWw7nv3dj01BIf0LiNl/view?usp=shari
22. TOOL TIME:
Root Folder on G-Drive: https://drive.google.com/drive/folders/1t4zZbe3bZb7yuZFNRZnSYOpfru_uzHpP?usp=sharing
Throughput Testing: https://drive.google.com/drive/folders/1qcGAwBGfRB8-BV34kZjY6uPE-_gK9qL6?usp=sharing
Network Mapping resources: https://drive.google.com/drive/folders/1FDKjOi8MPxXTuBZ4MtJZQMf9tcfPkz44?usp=sharing
CySafe: https://drive.google.com/drive/folders/12UWZiE2JGLeM86t_4ddvXmxz5U810q07?usp=sharing
CIS top 20: https://drive.google.com/drive/folders/1QSU4WyBrpg4DFzGhwUS4eIPjFckzv3Nh
3rd Party Vendor Vetting: https://drive.google.com/drive/folders/1MOe15AjF_WRN9IZ10yQefpXDOYfvd8VK?usp=
23. PERSONAL DATA PRIVACY HANDOUT
https://tinyurl.com/DataPri
TIPS FOR HOTEL SECURITY
https://www.youtube.com/watch?v=M0GGHIjShh4
24. HOW TO LEAD LIKE A SUPERHERO
• Listen harder than normal people do
• Help people even if you do not know them
• Focus on the needs of others more than your own
• Be creative in your efforts to save the day
• Be relentlessly optimistic
• Maintain a great sense of urgency
• Never tolerate bullies
• Don't stop trying until the job is done
• Know your Achilles Heel
25. “LIVING OFF THE LAND”
• “Living off the land”
• Windows 10 PowerShell, WMI, the Windows Scripting Host
• Microsoft Office “macros”
31. DESIGN: DATA PRIVACY (1/2)
Where should I go to understand critical regulation?
• Industry
• Local
• Multinational
How can I check whether my disclosures work?
• Ask them
• Reading level calculator
Additional resources:
• Impact of GDPR on financial services
• PCI FAQ
• Reading level calculator (also MS Office tools)
32. DATA PRIVACY (2/2)
What does “good” look like when it comes to data privacy? Overall best practices, broken down by Capture, Usage, and Retention & Erasure:
Be extremely transparent (people don’t typically read disclosures)
Capture:
• Always obtain consent to access and use personal data
• When obtaining consent, think of the people – easy to read, jargon-free, mobile friendly
• Share how providing data helps them
• High-level and detailed versions
Retention & Erasure:
• Tell customers what data will be retained, for how long, and in what form:
- De-identified vs. identified
- Single data pull vs. ongoing feed
- Physical vs. electronic
Keep all data confidential (especially with personal data, maintaining confidentiality preserves trust)
Capture:
• Check personal disclosures of data acquired from partners
• Highlight confidentiality when acquiring data
• Be particularly careful with identity
Usage:
• Proactively notify people when sharing their data with 3rd parties
• Only use the data for its intended purpose
Retention & Erasure:
• Upon erasure, ensure data is completely deleted across where it’s stored – incl. with partners, redundant servers, etc.
Let customers “own” their data (whether or not this is legally the case; to maintain their trust, act as if their data is their own)
Capture:
• Where possible, allow people to opt-out of specific data access
Usage:
• Where possible, allow people to opt-out of specific data uses
Retention & Erasure:
• Have a process for people to request updates to, correction of, or erasure of their information
• Have a process to withdraw consent
Take, keep, and use only what’s valuable (all data carries risk)
Capture:
• Don’t collect all data for all people – identify the pieces which drive the most value, and don’t collect the rest
• Be particularly conscious of regulation when using sensitive classifications
Usage:
• “Sunshine test”
Retention & Erasure:
• Set a retention policy for customer data
• Have a “what data should we keep” process
33. SOFTWARE SECURITY
How do I balance speed and security?
• Focus on the right level of technical security for your stage
• See “Balancing Speed & Security” article
What types of security testing should I be using?
• Automated – before you deploy
• Black box 2x/year
• White box every 2 years
What are the most common & dangerous software security risks?
• See OWASP Top 10 article
Additional resources:
• OWASP Top 10 2017
• Balancing speed & security
• Security 101 for startups
• Security testing types
• Security fatigue
34. INFRASTRUCTURE SECURITY (1/2)
Is outsourcing infrastructure or insourcing more secure?
• Often, outsourcing will be best
• Specific situations may change this
If I do outsource, how can I ensure I’m protected?
• Cloud providers offer:
- Logging and monitoring with controls
- Identity & access management
- Encryption of data at-rest
• See the “AWS Security features”
Additional resources:
• Full Infrastructure Checklist
• AWS security features and AWS security best practices whitepaper
• Azure security features
• Cisco Checklist
• OWASP Top 10 2017
35. INFRASTRUCTURE SECURITY (2/2)
What are some general best-practices for infrastructure security?
General infrastructure:
• Enable cloud infrastructure default security options
• Back up data at minimum daily, but limit redundancies
• Encrypt data while at rest and while in-transit
• Periodically purge data
• Have a BC/DR technology solution and plan
• Implement patches for known vulnerabilities as soon as possible
Passwords & network access:
• Use a password manager
• Password reset
• Tiered access levels
• Require a secure VPN
Scanning & monitoring:
• Implement a simple logging function
• Include relevant data
• Create lockout thresholds
36. PARTNER MANAGEMENT
Steps for partner vetting:
• Pre-contract checks
- What are their encryption practices?
- Have they ever had a breach?
- Service-level agreements (SLAs)
- SLAs should be included in data policy
- Ability to audit & request specific security standards
How do I ensure my partner management is successful?
• Learn from partners’ suggestions
• Continuous monitoring & review
Additional resources:
• Best practices to reduce third-party cybersecurity risk
• Approaching data security in a fintech-friendly world
• Steps to mitigate 3rd party cybersecurity threats
Vendor Industry Templates: https://drive.google.com/drive/folders/1MOe15AjF_WRN9IZ10yQefpXDOYfvd8VK?usp=sharing
37. CULTURE
What does a best in class data protection culture look like? Key beliefs and the practices that reinforce them:
Key belief: All users need to be aware and careful of security issues. Practices to reinforce:
• Data protection newsletter
- Current events – share one article and how it relates to the company
- Employee highlight – public recognition for those who surface issues
• Accountable executive for data protection is not just responsible for technology
- Have non-technical (i.e. not IT) people train employees on data protection
Key belief: Be open and transparent. Practices to reinforce:
• Celebrate employees who surface issues – publicly recognize people
• Don’t punish people
Key belief: Data protection is an ongoing effort. Practices to reinforce:
• Blame-free post-mortems
• Ongoing “security tracker”
Key belief: More sharing = more risk. Practices to reinforce:
• Limit partner integrations
38. DATA MANAGEMENT
•Security 101 for startups
•What is social engineering?
Additional resources
What are some best practice processes for data protection?
Development
• Regular penetration testing (3-6mo black box, 12mo white box)
• Security review as part of SDLC
Hiring and firing
• Do reference checks on developers and employees
• Ensure digital “locks changed” when employees leave
Reviews
• Hold regular data protection reviews (quarterly)
Miscellaneous
• Do not use USB drives
• Encourage auto-lock of laptops (after 5 minutes)
• Have automatic locks on your office doors and server rooms
• Train employees to not use risky websites
39. TRAINING
What content should I include in my data protection trainings?
All staff
Onboarding:
• Our data security culture
- Why it’s important
- Key processes to prevent + report issues
- Key components of the data policy
- Role-based guidelines
- Initial data privacy training
• Types of threats and how we mitigate
• Key data elements
Ongoing:
• To be conducted on a regular basis
• Regular trainings:
• After a breach:
- Cover post-mortem of breach
- Opportunity for Q&A
Engineering, IT, Data science
Onboarding (in addition to the above):
• Legislative & regulatory environment
• Communication & feedback loops
• Where security sits in all processes
• Roles & responsibilities
• Monitoring and maintenance
Ongoing:
• Updates to data architecture and procedures
• Changing data security procedures
• Legislative or regulatory changes
40. BREACH RESPONSE (1/3)
•Data breaches 101
•Detailed guide for cybersecurity event recovery
Additional resources
What is a data security breach?
•What is a Breach?
•Can be done locally or remotely
What should be included in a security breach response plan?
1. Identification & Risk Assessment
• Understand extent of breach
• Assess risks from breach
• Form team to lead resolution
2. Containment & Resolution
• Contain breach, limit damage
• Review causes of breach
3. Evaluation & Improvement
• Understand consequences
• Make process, tech changes
4. Communication
• Plan and execute communication to employees and external parties
41. BREACH RESPONSE (2/3)
What are best practices in each phase of a breach response?
Key questions
1. Identification & Risk Assessment
• Understand extent of breach
- What personal data?
- What was the cause?
- How many people?
• Assess risks from breach
- What potential for harm?
- Strategic & financial risks?
- Legal or compliance risks?
- Reputational risks?
- Financial risks?
• Form team to lead resolution
- Who will be accountable?
- Employees needed?
- How often will the team meet?
2. Containment & Resolution
• Contain breach, limit damage
- Are we still vulnerable?
- What systems changes?
- What process changes?
- How to recover data?
• Review causes of breach – “post-mortem”
- Vulnerabilities that enabled the breach
- What other similar vulnerabilities?
3. Evaluation & Improvement
• Understand consequences
- What consequences occurred?
• Make process, tech changes
- Tech solutions or process changes
- Need to modify our data policy?
- What training is needed?
- What is the cost to make these changes?
Best practices
• Initial identification of severity may be incomplete, so be thorough
• Key people to include on team:
- Executive
- Legal counsel
• Don’t limit evaluation and improvements
• Blame-free post-mortems
• Include people from across the
42. BREACH RESPONSE (3/3)
What communication is appropriate at each stage of breach response?
Phases: 1. Identification & Risk Assessment (understand extent of breach; assess risks from breach; form team to lead resolution); 2. Containment & Resolution (contain breach, limit damage; review causes of breach); 3. Evaluation & Improvement (understand consequences; make process, tech changes); 4. Communication
Internal
1. Identification & Risk Assessment
• Notify groups who interact with external parties
• Include critical teams
- C-Suite, Legal, Technology, PR (if applicable)
- Board of directors
2. Containment & Resolution
• Communicate to employees
• Provide regular updates to leadership, legal until issues are resolved
3. Evaluation & Improvement
• Post-mortem is non-punitive
• Include description of what happened
• Communicate about process and technology changes
External
• Be careful about what you communicate
• Speak to all relevant external parties
• Always review with legal
• When you communicate, include all key information
- Data involved
- Action taken
- Specific and clear advice
• Provide ongoing