Finto Thomas is an Information Technology Security Consultant with over 8.5 years of experience advising large businesses and Fortune 500 companies. He has expertise in network and security architectural design, implementation, and review. Some of his skills include cyber threat intelligence, penetration testing, firewall configuration, and cloud/mobile security. He is certified in CISSP, several Cisco certifications, ITIL, and IBM Qradar. He has worked as a Project Manager at IBM India and held security roles at Wipro and Trimax Data Centre.
The security awareness and training program has several objectives: 1) ensure employees understand their role in protecting company information assets; 2) educate employees on the value of information security; and 3) teach employees how to recognize and report potential violations. The program covers topics such as security policies, user responsibilities, and incident reporting. It aims to provide ongoing training for existing employees and raise security awareness through less formal methods. The success of the program requires long-term commitment of resources and funding.
William Grollier - CHU Nice - IT Governance in hospitals - Roald Sieberath
This document summarizes an IT governance presentation at CHU-Nice University Hospital Center in France. It discusses:
- CHU-Nice's IT infrastructure which includes 5 hospitals, 1700 beds, 8000 employees, and 240 servers supporting 100 healthcare applications.
- The principles of IT governance at CHU-Nice which aim to reduce legal and operational risks by continuously monitoring IT systems for compliance, security, performance and quality of service.
- How CHU-Nice is implementing initiatives to monitor PC standardization, security policy compliance, healthcare application compliance, and quality of service. This is helping improve infrastructure management and support while reducing costs and risks.
Information Security Officer Internet Resume Leon Blum Copy - Lblum1234
Leon Blum has over 20 years of experience in information security, technical support, and help desk management. He has worked for international banks and software companies. His experience includes managing user security administration, developing security monitoring systems, and implementing automated help desk systems. He has strong skills in operating systems, applications, networking, and security tools.
This document is a resume for Muneer Awadh Balqadi summarizing his career experience and qualifications. It outlines his 14+ years of experience managing IT operations and infrastructure projects for universities and other organizations in Saudi Arabia. Key skills and responsibilities included IT strategy, network management, project management, and leading teams to implement systems like IP telephony, data centers, and security solutions.
Iia 2012 Spring Conference Philly V Final - Danny Miller
Presentation given to the IIA 2012 Spring Conference on Emerging Technology Challenges for Internal Auditors. Includes discussion on Cloud Security, Mobile Device Security, PCI, Data Governance and Privacy.
This document summarizes a security awareness training presentation that covered topics such as why security training is important, 21st century security threats, PCI compliance, security objectives and challenges, data classification, and security responsibilities. It provided examples of security incidents, the costs of data breaches, PCI DSS requirements, and outlined the company's security framework including defenses, controls, and challenges around excessive data retention, vulnerable infrastructure, lack of documentation and logging.
How to Take Cut IT Costs and Boost Productivity WITHOUT Exposing Your Company to Security Breaches, Damaging Litigation and Rogue (or Careless) Employee
Martin Leroux has over 18 years of experience in network and IT security roles. He is currently a Senior IT Security Specialist at Shared Services Canada, where he provides advice on security policies and procedures, investigates security incidents, and maintains knowledge of emerging threats. Prior to his current role, he held several senior security positions at Entrust, Industry Canada, and the Department of National Defence, where he was responsible for securing networks, conducting vulnerability assessments, and responding to security incidents.
Data security in a big data environment sweden - IBM Sverige
This document discusses data security challenges in big data environments. It notes that data breaches are common and costly for organizations. Several examples of recent breaches are provided that impacted companies like Target, a Canadian government agency, and healthcare providers. The document advocates for the IBM Guardium suite of data security products to help secure sensitive data across different systems and platforms through discovery, monitoring, masking, encryption and other techniques. It argues these tools are needed to reduce risks, costs, and protect brand reputation for organizations working with big data.
Himss 2011 securing health information in the cloud -- feisal nanji - Feisal Nanji
The document discusses securing health information in the cloud. It describes the advantages of cloud computing for healthcare providers and identifies major security and privacy concerns when storing health information in the cloud. These concerns include loss of physical visibility and control of data and difficulty determining who can access data. The document recommends expressing security policies across cloud environments, maintaining separation of duties, and delivering security controls in a virtualized form to help overcome these issues.
The document discusses smart security strategies for smart mobile devices. It defines smart mobile devices and outlines their business benefits, including increased productivity and improved customer service. However, it also notes risks like data breaches and issues around network security and managing devices. The document recommends strategies like implementing policies and standards, providing education, reviewing security regularly through audits, and recognizing that security is only as strong as its weakest link.
Mobile Payments: Protecting Apps and Data from Emerging Risks - IBM Security
This document summarizes a presentation about protecting mobile payments applications and data from security risks. It discusses the growing mobile payments landscape and threats from criminals attacking mobile apps. It then outlines techniques used by criminals to easily attack mobile banking apps, particularly focusing on reverse engineering apps to steal crypto keys and sensitive data. The presentation concludes by describing comprehensive protection techniques including application hardening, obfuscation, tamper detection, and cryptographic key protection like white-box cryptography.
Don’t Just Trust Cloud Providers - How To Audit Cloud Providers - Michael Davis
This document discusses how to audit cloud providers to verify security and compliance. It begins by explaining the challenges of auditing cloud providers and what SSAE16 reports are and are not. It then provides tips on what aspects of a cloud provider to audit, such as encryption, certifications, and vulnerability scanning. The document recommends performing technical audits and assessments that go beyond just legal contracts or questionnaires. It emphasizes the importance of transparency and following the data when auditing cloud providers.
This document summarizes a presentation on preventing data leakage. It defines data leakage and data loss prevention. It identifies gaps in the company's current security measures, including a lack of mechanisms to capture sensitive data. It evaluates vendors that could address this gap, selecting Vontu. It discusses Vontu products that could protect data in motion and meet pricing estimates. It recommends additionally implementing Blue Coat Proxy to handle network loads and provide URL filtering to support the Vontu solution.
IGSS is a systems integrator and consulting firm specializing in information security, infrastructure, and enterprise business solutions. It provides consulting, solutions, and technologies to government agencies and private sector clients. IGSS employs expertise in areas like cybersecurity, information management, infrastructure engineering, and business process optimization to develop cost-effective and mission-focused solutions.
The document discusses selling security solutions to IT departments. It introduces a panel of experts in security and IT fields. It then outlines common IT pain points around bandwidth utilization, data security, and manageability of security systems. It provides tips for designing security solutions with the IT department, such as involving them early, understanding networking requirements, discussing bandwidth needs, ensuring remote access is addressed, and working with IT on security audits of DVRs/NVRs. Finally, it briefly mentions addressing return on investment with IT.
Irfan Ur Rehman has over 10 years of experience in information technology and information security, including expertise in networking, firewalls, routing protocols, and risk management. He is currently serving as the Head of Juniper Solutions at Access Communication Solutions, where he is responsible for designing infrastructure solutions and providing technical support to customers. Previously, he worked at Tameer Microfinance Bank as a Senior Manager of Information Security, developing security policies and procedures to comply with standards. He has skills in areas like project management, team leadership, and strategic planning.
Cisco's Smart Net Total Care Service is a proactive support service that provides visibility into a company's Cisco products and installed base through a secure web portal. It helps manage risks to business continuity by providing service coverage management, alerts management, product lifecycle management, and streamlining technical support interactions. The service delivers actionable information and reports to support managing Cisco network devices.
Clay Ramsey is seeking an opportunity to leverage his MBA in Cyber Security and CISSP certification. He has over 15 years of experience in information security, including expertise in backup/recovery, Microsoft networks/servers, TCP/IP, DNS, DHCP, VMware, Active Directory, Exchange, SQL Server, IIS, and CRM systems. He is proficient in security concepts, risk assessment, security controls, cryptography, security architecture/design, operations security, business continuity/disaster recovery planning, and legal/regulatory compliance. Ramsey holds an MBA with a focus on cyber security and is CISSP certified.
Trend Micro announced new data protection features for several of its security products in September 2011. New versions of ScanMail for Exchange, PortalProtect for SharePoint, and InterScan Messaging Security added data loss prevention capabilities to help organizations comply with regulations and prevent data breaches across email servers, collaboration platforms, and messaging gateways. Trend Micro positioned itself as uniquely able to provide integrated data protection across the enterprise from endpoints to the cloud.
Valuendo cyberwar and security (okt 2011) handout - Marc Vael
This document discusses cybersecurity threats to critical infrastructure organizations. It notes that cyberattacks can come from criminals, malware, phishers, spammers, negligent or unethical employees, hackers, and nation states. The document also notes that cyberattacks are difficult to execute but that governments have the resources to conduct them, and that cyberattacks are a real danger that many organizations are unprepared for. It concludes by outlining various cyberattack mitigation strategies organizations can implement, including governance, policies, education, funding, and incident management.
ITC provides various information technology services including project management, staffing and recruiting, managed IT services, software development, courseware development and training, and helpdesk support. They work with both corporate and government clients. ITC aims to deliver the right solutions and people to meet clients' IT needs on time and within budget.
This document discusses how traditional data loss prevention solutions alone are not effective or efficient at preventing data leakage in today's distributed environments. It advocates for a data-centric security approach that focuses on identifying and classifying sensitive information at the point of creation. This enables sensitive data to be automatically protected with information rights management policies as it moves across systems and locations. The document outlines how such an approach based on flexible, dynamic classification policies and embedded protections can effectively and efficiently secure sensitive information throughout its lifecycle, regardless of where the data resides.
Marie-Michelle Strah gave a presentation on managing and securing mobile devices in healthcare. She discussed building productivity while reducing risk through mobile device encryption, access control, and policy versus technical controls. Her presentation covered conceptualizing "mobile health" and applying governance, risk, and compliance frameworks to consumerization of IT. She provided best practices around security risk analysis, stakeholder involvement, and defining a minimum set of technical requirements for mobile devices in healthcare.
The document discusses strategies for complying with the EU's General Data Protection Regulation (GDPR). It outlines five critical strategies: 1) Know all personal data stored, 2) Carefully manage access to personal data, 3) Encrypt as much data as possible, 4) Monitor changes affecting sensitive data and prevent critical changes, and 5) Investigate potential breaches. It also discusses how the software company Quest can help customers strengthen data protection, ensure compliance, and avoid fines through solutions that secure and manage data, modernize infrastructure, and provide insights.
ISO 27001 2013 Introduction Study Case IGN Mantra, 2nd Day, 3rd Session. - IGN MANTRA
ISO 27001:2013 Awareness, Seminar & Workshop Indonesia Honeynet Project IHP, Badan Siber dan Sandi Negara BSSN, Universitas Syiah Kuala Unsyiah, 23-24 Oktober 2018
Dave Davis: Infrastructure Projects – What Makes them Different and Difficult? - Edunomica
This document discusses the unique challenges of infrastructure projects. It notes that infrastructure projects involve changing an existing environment to a new one through upgrades or migrations. This must be done in a live environment without a full staging area. Infrastructure connects people to devices, devices to other devices, and provides monitoring and control. The document outlines what infrastructure projects do, including securing assets, connecting devices to networks, building technology rooms, and ensuring proper cabling and switches. It acknowledges challenges such as high costs, limited agility, and delays to other projects when doing infrastructure work. The document emphasizes that infrastructure work allows people, devices, and things to properly communicate and ensures optimized network capacity.
Dave Davis: Infrastructure Projects – What Makes them Different and Difficult... - Lviv Startup Club
Dave Davis: Infrastructure Projects – What Makes them Different and Difficult? (EN)
Ukraine Online PMO Day 2022 Autumn
Website - https://pmday.org/pmo
Youtube - https://www.youtube.com/startuplviv
FB - https://www.facebook.com/pmdayconference
The document discusses cloud security from the perspective of Wen-Pai Lu, a technical leader at Cisco. It defines cloud security as security products and solutions deployed within cloud computing environments ("in the cloud") or targeted at securing other cloud services ("for the cloud"). It also discusses security services delivered by cloud computing services ("by the cloud"). The document outlines many considerations for cloud security, including infrastructure security, applications and software, physical security, human risks, compliance, disaster recovery, threats, and perspectives from both enterprises and service providers.
This document discusses cyber security from past, present, and future perspectives. It notes that cyber security has evolved from an immature field to one that will become more scientific and technology-centric over time. The document outlines key cyber threats such as botnets, targeted attacks, and the underground economy that supports them. It also summarizes India's cyber security strategy, noting the importance of legal frameworks, incident response, capacity building, research and development, and international collaboration to enhance cyber security.
A service oriented architecture (SOA) organizes software into business services that are network accessible and executable. Key characteristics include quality of service specifications, discoverable services and data catalogs, and use of industry standards. A SOA breaks up monolithic systems into reusable components called services that can be more easily maintained and replaced. Implementing a SOA requires organizing infrastructure, data, security, computing, communication, and application services to maximize reuse across the enterprise.
Securing and Modernizing Technology in the Commonwealth: Better Together - EOTSS
This presentation provides an IT review and rationale for Article 87 legislation along with an overview of the legislative framework, proposed implementation and its impact.
The document discusses cloud security and compliance. It defines cloud computing and outlines the essential characteristics and service models. It then discusses key considerations for cloud security including identity and access management, security threats and countermeasures, application security, operations and maintenance, and compliance. Chief information officer concerns around security, availability, performance and cost are also addressed.
The document discusses cloud security and compliance. It defines cloud computing and outlines the essential characteristics and service models. It then discusses key considerations for cloud security including identity and access management, security threats and countermeasures, application security, operations and maintenance, and compliance. Chief information officer concerns around security, availability, performance and cost are also addressed.
Schneider Electric provides a comprehensive approach to cyber security for critical infrastructure. They recognize cyber attacks have expanded from disrupting IT systems to endangering physical assets and human life. The document outlines Schneider's investments in security technologies and services to protect customers across industries. It describes their defense-in-depth strategy including secure product design, testing, compliance with standards, and security services to monitor, detect, and respond to threats. The goal is to help customers comply with regulations and mitigate risks through an integrated portfolio.
The document discusses using funds from PERKESO, a Malaysian social security organization, to get certified in cloud computing skills in order to get back to work after being retrenched. It provides details on certification programs that are eligible for funding, as well as other benefits available from PERKESO like allowance payments and career counseling. The second part of the document introduces the trainer, Leo Lourdes, and his qualifications and experience in areas like IT service management, project management, and security.
This document discusses considerations for migrating from time-division multiplexing (TDM) to internet protocol (IP) networks. It begins with an overview of TDM and how IP networks are more scalable and flexible. Decentralizing components and implementing redundancy improves disaster preparedness. Failover and load balancing ensure continuity of operations. Software-defined networking allows portability and remote access. Standards-based protocols simplify integration and enable support of new technologies over time. The largest obstacles to migration are often time, budget, or security concerns. Migrating to IP improves network resilience and prepares critical infrastructure for the future.
2011 IIA Pittsburgh Grant Thornton LLP Presentation (Nov 2011)Danny Miller
This document discusses emerging technology challenges and solutions for internal audit and compliance. It covers the current technology landscape of on-premise hardware and software and contrasts it with emerging technologies like cloud computing, mobile computing, and data analytics. These emerging technologies can potentially increase complexity for internal audit through issues around availability, security, privacy, and auditability. However, the document provides solutions for addressing these challenges such as encrypting data, implementing security architectures, and conducting security audits. It concludes by discussing future trends around distributed computing, cybersecurity, analytics tools, and new data standards.
July 9 ssc_gc_net_wan_service_industry_day_slidesKBIZEAU
Shared Services Canada held an industry day to discuss its plans to transform the government's IT infrastructure, with the objectives of reducing costs, improving security, and providing better service. SSC outlined its strategy to consolidate the government's 4,999 data centers and 50 wide area networks, and standardize infrastructure and operations. The transformation will be carried out in phases through 2020, with SSC engaging industry to help develop sourcing strategies and achieve the goals of generating savings, increasing security, and improving service levels across the government.
CDS is an IT services company with a mission to become a premier global IT services provider. It offers a range of IT services including database administration, application development and testing, network management, data processing, and corporate trainings. CDS aims to deliver superior services and become the most preferred IT services provider through expertise, cost-effectiveness, and complete solutions. It has experience in various technologies and industries globally.
Similar to Afac device-security-july-7-2014v7-2 (20)
Review of the Collaborative Procurement ProcessKBIZEAU
The document provides an overview of an upcoming review of the collaborative procurement process used by Shared Services Canada (SSC). The review will identify opportunities for improvement and present findings to the Information Technology Infrastructure Roundtable in May 2015 and the Departmental Audit and Evaluation Committee in September 2015. The objectives of the collaborative procurement process are to maintain public procurement values while engaging with industry early in the process to co-develop requirements and ensure optimal solutions. The review will focus on processes and design, alternatives, SSC's relationship with industry, and effectiveness. Interviews, surveys, literature review, and case studies from January to March 2015 will inform the findings.
Shared Services Canada is working to deliver innovative public services that meet Canadians' evolving expectations for a modern, accessible government. This includes collaborating on initiatives like Canada Digital 150 and open data through data.gc.ca. SSC aims to provide innovative digital services to both citizens and public servants. SSC sees innovation as generating new ideas that add practical value. It plans to harness innovation to improve services and value for money through approaches like partnering earlier with the private sector, exploring agile procurement, and public-private partnerships. Potential innovation options discussed include a pilot-to-enterprise procurement process, building on programs like BCIP, and partnering with organizations like CANARIE on research.
Leveraging Procurement for Socio-Economic Benefits - Presentation by Acting C...KBIZEAU
The document summarizes a presentation about leveraging government procurement of information and communications technology (ICT) to achieve socio-economic benefits. It discusses how Shared Services Canada (SSC) considers policies around supporting small businesses, indigenous groups, innovation, and the environment in its $1.2 billion annual ICT procurement. The presentation outlines SSC's plan to establish tools and engagement strategies to better select socio-economic objectives and stakeholders for each large procurement. It poses questions about balancing direct and indirect benefits, prioritizing objectives, industry needs, and tracking progress toward objectives.
Shared Services Canada's $398 million contract with Bell Canada to consolidate the federal government's 63 email systems into a single system has faced significant delays, disappointing SSC. The project was supposed to start transitioning departments in March 2014 but has yet to begin. SSC blames Bell for missing deadlines but will not provide specifics. The delay raises concerns about potential lack of transparency and outsourcing expertise currently existing within the public service. There are also questions about how the private sector will handle sensitive government information and whether the needs of Canadians are being prioritized over corporate profits.
Shared Services Canada's transformation aims to streamline IT infrastructure across the Canadian government. Key elements include consolidating data centers, networks, and security services. The transformation is an ongoing process with milestones over several years, including establishing additional data centers, migrating departments to shared telecom and workplace services, and improving cybersecurity capabilities through releases of a new Security Operations Centre. Maintaining focus on the transformation plan and ensuring all necessary capabilities are in place will be important for successful implementation.
The document summarizes a report from the Smart Sourcing Advisory Committee (SSAC) on developing an analytical framework to inform decisions about insourcing versus outsourcing IT services at Shared Services Canada (SSC). The SSAC includes representatives from SSC, government organizations, unions, and private sector IT companies. It outlines SSC's context and mandate to transform government IT infrastructure. The report proposes categories and criteria for the framework but the union representative disagreed with outsourcing assumptions and said evidence was not provided showing outsourcing SSC's skills is appropriate. It aims to balance public and private delivery to achieve savings, service, security and sustainability.
This document provides an overview and summary of Shared Services Canada's (SSC) 2014-2015 Integrated Business Plan. The plan outlines SSC's mandate to modernize and consolidate the Government of Canada's IT infrastructure through initiatives in five key areas: email, data centers, networks, cyber and IT security, and workplace technology devices. In 2014-2015, SSC will focus on implementing its transformation plan, including rolling out a new email solution, closing additional data centers, awarding contracts for networks, and developing strategies for workplace devices. SSC will balance managing current legacy systems with establishing new enterprise services to generate savings and improve service across government.
Information Technology Infrastructure Roundtable Meeting June 11th, 2014: Transformation Initiatives Update given by Grant Westcott of Shared Services Canada.
Information Technology Infrastructure Roundtable Meeting on June 11th, 2014: Update on priorities and activities presentation given by Liseanne Forand, President of Shared Services Canada.
Shared Services Canada - Reports on Plans and Priorities 2014-2015KBIZEAU
Shared Services Canada's (SSC) 2014-15 Report on Plans and Priorities outlines its priorities and plans for the upcoming fiscal year. SSC was created to transform and standardize how the Government of Canada manages its IT infrastructure. Key priorities include consolidating email, data center, and telecommunications services while improving security and generating savings. SSC will continue establishing data centers and consolidating networks to reduce costs and improve performance. The report provides details on SSC's strategic outcome, programs, planned expenditures, and contributions to government priorities.
Pablo sobrino smart-dps presentation to itac - march 4-2014 - englishKBIZEAU
The document summarizes Canada's new Defence Procurement Strategy (DPS). The DPS aims to 1) deliver equipment to the Canadian Armed Forces and Coast Guard in a timely manner, 2) leverage defence procurements to create jobs and economic growth in Canada, and 3) streamline defence procurement processes. Key elements of the strategy include early and ongoing engagement with industry, establishing governance structures like a Defence Procurement Secretariat, applying a weighted Value Proposition to bids, identifying and developing Key Industrial Capabilities, and creating a Defence Analytics Institute to provide analysis. The DPS marks a shift to focus procurement on improving economic outcomes through investments in Canadian industry.
This document outlines Shared Services Canada's Procurement Strategy for Aboriginal Business. It establishes multi-year performance objectives to increase contracting opportunities for Aboriginal businesses. The objectives are to award contracts valued at $24.76 million or 3.8% of forecasted spending in 2013/14. Responsibilities are defined for management committees and procurement divisions to identify opportunities, approve objectives, track spending, and report progress regularly to ensure targets are met.
The Justice Canada pilot will test a hybrid sourcing model for providing Workplace Technology Device support services. The pilot will involve approximately 5,850 end user devices across National Capital Region offices and regional locations in Canada. It will evaluate providing Level 1 service desk support, Level 2 deskside support in the NCR, and Level 3 engineering support through a vendor, while maintaining Level 2 deskside support in regional locations using Government of Canada employees. The pilot aims to help inform the enterprise-wide WTD business case and gather information on requirements for regional and remote service delivery.
GTEC Presentation: “Future Role of the CIO” delivered by Sharon Squire, Executive Director, Service and GC 2.0 Policy and Community Enablement Division, Chief Information Officer Branch, Treasury Board Secretariat.
QA or the Highway - Component Testing: Bridging the gap between frontend appl...zjhamm304
These are the slides for the presentation, "Component Testing: Bridging the gap between frontend applications" that was presented at QA or the Highway 2024 in Columbus, OH by Zachary Hamm.
"Choosing proper type of scaling", Olena SyrotaFwdays
Imagine an IoT processing system that is already quite mature and production-ready and for which client coverage is growing and scaling and performance aspects are life and death questions. The system has Redis, MongoDB, and stream processing based on ksqldb. In this talk, firstly, we will analyze scaling approaches and then select the proper ones for our system.
AppSec PNW: Android and iOS Application Security with MobSFAjin Abraham
Mobile Security Framework - MobSF is a free and open source automated mobile application security testing environment designed to help security engineers, researchers, developers, and penetration testers to identify security vulnerabilities, malicious behaviours and privacy concerns in mobile applications using static and dynamic analysis. It supports all the popular mobile application binaries and source code formats built for Android and iOS devices. In addition to automated security assessment, it also offers an interactive testing environment to build and execute scenario based test/fuzz cases against the application.
This talk covers:
Using MobSF for static analysis of mobile applications.
Interactive dynamic security assessment of Android and iOS applications.
Solving Mobile app CTF challenges.
Reverse engineering and runtime analysis of Mobile malware.
How to shift left and integrate MobSF/mobsfscan SAST and DAST in your build pipeline.
ScyllaDB is making a major architecture shift. We’re moving from vNode replication to tablets – fragments of tables that are distributed independently, enabling dynamic data distribution and extreme elasticity. In this keynote, ScyllaDB co-founder and CTO Avi Kivity explains the reason for this shift, provides a look at the implementation and roadmap, and shares how this shift benefits ScyllaDB users.
Introduction of Cybersecurity with OSS at Code Europe 2024Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
Conversational agents, or chatbots, are increasingly used to access all sorts of services using natural language. While open-domain chatbots - like ChatGPT - can converse on any topic, task-oriented chatbots - the focus of this paper - are designed for specific tasks, like booking a flight, obtaining customer support, or setting an appointment. Like any other software, task-oriented chatbots need to be properly tested, usually by defining and executing test scenarios (i.e., sequences of user-chatbot interactions). However, there is currently a lack of methods to quantify the completeness and strength of such test scenarios, which can lead to low-quality tests, and hence to buggy chatbots.
To fill this gap, we propose adapting mutation testing (MuT) for task-oriented chatbots. To this end, we introduce a set of mutation operators that emulate faults in chatbot designs, an architecture that enables MuT on chatbots built using heterogeneous technologies, and a practical realisation as an Eclipse plugin. Moreover, we evaluate the applicability, effectiveness and efficiency of our approach on open-source chatbots, with promising results.
The Microsoft 365 Migration Tutorial For Beginner.pptxoperationspcvita
This presentation will help you understand the power of Microsoft 365. However, we have mentioned every productivity app included in Office 365. Additionally, we have suggested the migration situation related to Office 365 and how we can help you.
You can also read: https://www.systoolsgroup.com/updates/office-365-tenant-to-tenant-migration-step-by-step-complete-guide/
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfChart Kalyan
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving
Manufacturing custom quality metal nameplates and badges involves several standard operations. Processes include sheet prep, lithography, screening, coating, punch press and inspection. All decoration is completed in the flat sheet with adhesive and tooling operations following. The possibilities for creating unique durable nameplates are endless. How will you create your brand identity? We can help!
"What does it really mean for your system to be available, or how to define w...Fwdays
We will talk about system monitoring from a few different angles. We will start by covering the basics, then discuss SLOs, how to define them, and why understanding the business well is crucial for success in this exercise.
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...Fwdays
Direct losses from downtime in 1 minute = $5-$10 thousand dollars. Reputation is priceless.
As part of the talk, we will consider the architectural strategies necessary for the development of highly loaded fintech solutions. We will focus on using queues and streaming to efficiently work and manage large amounts of data in real-time and to minimize latency.
We will focus special attention on the architectural patterns used in the design of the fintech system, microservices and event-driven architecture, which ensure scalability, fault tolerance, and consistency of the entire system.
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving
What began over 115 years ago as a supplier of precision gauges to the automotive industry has evolved into being an industry leader in the manufacture of product branding, automotive cockpit trim and decorative appliance trim. Value-added services include in-house Design, Engineering, Program Management, Test Lab and Tool Shops.
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillLizaNolte
HERE IS YOUR WEBINAR CONTENT! 'Mastering Customer Journey Management with Dr. Graham Hill'. We hope you find the webinar recording both insightful and enjoyable.
In this webinar, we explored essential aspects of Customer Journey Management and personalization. Here’s a summary of the key insights and topics discussed:
Key Takeaways:
Understanding the Customer Journey: Dr. Hill emphasized the importance of mapping and understanding the complete customer journey to identify touchpoints and opportunities for improvement.
Personalization Strategies: We discussed how to leverage data and insights to create personalized experiences that resonate with customers.
Technology Integration: Insights were shared on how inQuba’s advanced technology can streamline customer interactions and drive operational efficiency.
High performance Serverless Java on AWS- GoTo Amsterdam 2024Vadym Kazulkin
Java is for many years one of the most popular programming languages, but it used to have hard times in the Serverless community. Java is known for its high cold start times and high memory footprint, comparing to other programming languages like Node.js and Python. In this talk I'll look at the general best practices and techniques we can use to decrease memory consumption, cold start times for Java Serverless development on AWS including GraalVM (Native Image) and AWS own offering SnapStart based on Firecracker microVM snapshot and restore and CRaC (Coordinated Restore at Checkpoint) runtime hooks. I'll also provide a lot of benchmarking on Lambda functions trying out various deployment package sizes, Lambda memory settings, Java compilation options and HTTP (a)synchronous clients and measure their impact on cold and warm start times.
"NATO Hackathon Winner: AI-Powered Drug Search", Taras KlobaFwdays
This is a session that details how PostgreSQL's features and Azure AI Services can be effectively used to significantly enhance the search functionality in any application.
In this session, we'll share insights on how we used PostgreSQL to facilitate precise searches across multiple fields in our mobile application. The techniques include using LIKE and ILIKE operators and integrating a trigram-based search to handle potential misspellings, thereby increasing the search accuracy.
We'll also discuss how the azure_ai extension on PostgreSQL databases in Azure and Azure AI Services were utilized to create vectors from user input, a feature beneficial when users wish to find specific items based on text prompts. While our application's case study involves a drug search, the techniques and principles shared in this session can be adapted to improve search functionality in a wide range of applications. Join us to learn how PostgreSQL and Azure AI can be harnessed to enhance your application's search capability.
Must Know Postgres Extension for DBA and Developer during MigrationMydbops
Mydbops Opensource Database Meetup 16
Topic: Must-Know PostgreSQL Extensions for Developers and DBAs During Migration
Speaker: Deepak Mahto, Founder of DataCloudGaze Consulting
Date & Time: 8th June | 10 AM - 1 PM IST
Venue: Bangalore International Centre, Bangalore
Abstract: Discover how PostgreSQL extensions can be your secret weapon! This talk explores how key extensions enhance database capabilities and streamline the migration process for users moving from other relational databases like Oracle.
Key Takeaways:
* Learn about crucial extensions like oracle_fdw, pgtt, and pg_audit that ease migration complexities.
* Gain valuable strategies for implementing these extensions in PostgreSQL to achieve license freedom.
* Discover how these key extensions can empower both developers and DBAs during the migration process.
* Don't miss this chance to gain practical knowledge from an industry expert and stay updated on the latest open-source database trends.
Mydbops Managed Services specializes in taking the pain out of database management while optimizing performance. Since 2015, we have been providing top-notch support and assistance for the top three open-source databases: MySQL, MongoDB, and PostgreSQL.
Our team offers a wide range of services, including assistance, support, consulting, 24/7 operations, and expertise in all relevant technologies. We help organizations improve their database's performance, scalability, efficiency, and availability.
Contact us: info@mydbops.com
Visit: https://www.mydbops.com/
Follow us on LinkedIn: https://in.linkedin.com/company/mydbops
For more details and updates, please follow up the below links.
Meetup Page : https://www.meetup.com/mydbops-databa...
Twitter: https://twitter.com/mydbopsofficial
Blogs: https://www.mydbops.com/blog/
Facebook(Meta): https://www.facebook.com/mydbops/
Must Know Postgres Extension for DBA and Developer during Migration
Afac device-security-july-7-2014v7-2
1. CYBER AND IT SECURITY
Architecture Framework Advisory Committee Meeting
SESSION 1, JULY 7, 2014
2. Agenda

Time            Topic                                              Presenters
9:00 – 9:10     Opening Remarks                                    Benoît Long, Chair
9:10 – 9:30     Cyber and IT Security Transformation               Raj Thuppal
9:30 – 10:15    Discussion Period                                  Moderator: Chair; Participants: All
10:15 – 10:30   Health Break
10:30 – 11:50   Device Security Presentation & Discussion Period   Raj Thuppal; Moderator: Chair; Participants: All
11:50 – 12:00   Closing Remarks                                    Benoît Long, Chair
3. Objective for Today
• Setting the context on the Shared Services Canada Cyber and IT Security Program
• Proposed Device Security Plan for an enterprise procurement scope
• Seek feedback and input
• Questions/Discussion
4. Context

Today:
• Complex Government of Canada (GC) IT infrastructure
• IT security as an "add-on"
• Reactive, slow and siloed response to cyber threats

Transforming the Government of Canada

Future:
• Rationalized, standardized and consolidated IT infrastructure
• IT security integrated into the design
• Coordinated, proactive, rapid response and recovery

Cyber and other IT security threats are constantly evolving, and ongoing effort is required to keep up.
5. Cyber and IT Security Transformation

[Diagram: IT Security Current State versus IT Security Target State; the recoverable labels are listed below]

IT Security Current State: each department (Dept ...) runs its own back office apps and mission-specific apps, with its own data at rest, data in use and data in transit, and its own:
• Multiple identities and multiple ICAMs
• Multiple access controls
• Multiple SOCs
• Multiple network security controls
• Multiple device security
• Fragmented SIEMs

IT Security Target State: departments share GCNet, with consolidated back office apps and mission-specific apps; data at rest, in use and in transit are protected by:
• Unified ICAM
• Standardized SOC
• Unified network security
• Unified device security
• Unified SIEM

• IT Security controls based on ITSG-33 (Technical, Operational and Management) incorporated as part of end-to-end IT service management of target state GC IT services
• IT security controls established based on domain security control profile, context and GC threat assessment and IT risk management
• Standardized, consolidated and transformed Cyber and IT Security Services
6. Cyber and IT Security Framework

SSC is mandated to protect the infrastructure and associated data in transit, storage and use.

• Aligned to Canada's Cyber Security Strategy (CCSS)
• Security built in as part of end-to-end service design
• Partnership with Treasury Board Secretariat (TBS), Communications Security Establishment (CSE) Canada and Public Safety

Framework layers: Infrastructure & Data; Operate, Evolve, Transform
7. Conceptual End State (updated July 2013)

[Diagram: conceptual end-state architecture; the recoverable labels are listed by panel below]

Service Management
• ITIL ITSM framework
• Standardized service levels/availability levels
• Inclusive of scientific and special purpose computing
• Standardized application and infrastructure lifecycle management
• Smart evergreening
• Full redundancy: within data centres, between pairs, across sites

Enterprise Security
• All departments share one Operational Zone
• Domains and Zones where required
• Classified information below Top Secret
• Balance security and consolidation
• Consolidated, controlled, secure perimeters
• Certified and Accredited infrastructure

Consolidation Principles
1. As few data centres as possible
2. Locations determined objectively for the long term
3. Several levels of resiliency and availability (establish in pairs)
4. Scalable and flexible infrastructure
5. Infrastructure transformed, not "fork-lifted" from old to new
6. Separate application development environment
7. Standard platforms which meet common requirements (no re-architecting of applications)
8. Build in security from the beginning

Application Migration
• Standard platforms and product versions
• Migration guidance
• Committed timeline for product evolution

Application Service Levels: Standard, Enhanced, Mission Critical (workload mobility between service levels)

Data Centre (Domains & Zones; GC Private Domain)
• Data centre core network, WAN node, Internet PoP
• Virtualized platforms: x86 Windows (web/app/DB containers), x86 Linux (web/app/DB containers), Sys z z/OS (app/DB containers), any operating system, special purpose/grid/HPC
• Virtualized storage (SAN, NAS): on-line Tier 1, near-line Tier 2, Tier 3, off-line/backup archive
• Virtualized services: IP PBX, email, web, file/print, database, thin client/VDI, video-conference bridge, applications
• Data centre pairs: Production (Prod1/Prod2, Prod3/Prod4) and Development (Dev1/Dev2), each annotated in the diagram with the data classification codes it hosts; stand-alone centre for GC super-computing (HPC, e.g. weather: Sci1)
• Data classification legend: Classified data: Confidential (C), Secret (S); Protected data: Protected A (A), Protected B (B), Protected C (C); HPC

Network (business intent: Business to Government (B2G), Government to Government (G2G), Citizens to Government (C2G))
• GCNet (3,580 buildings) via regional carriers and international carriers
• Regional WAN accelerators
• Internet, with several highly-secure Internet access points
• Public cloud services and virtual private cloud
8. GC Data Classification (Policy on Government Security (PGS))

Classified (national interest and security):
  Top Secret     Extremely grave injury, e.g. widespread loss of life, loss of continuity of government
  Secret         Serious injury, e.g. political tension (international or federal-provincial), damage to critical infrastructure, civil disorder
  Confidential   Injury, e.g. damage to relations (public, industry, diplomatic), limited loss of public confidence

Designated (corporate or personal interest):
  Protected C    Extremely grave injury, e.g. serious physical injury/loss of life, financial loss affecting viability
  Protected B    Serious injury, e.g. substantial duress to individuals, loss of competitive advantage
  Protected A    Injury, e.g. inconvenience, damage to departmental relationships, degradation of public confidence

Unclassified: non-sensitive information (requires integrity and availability)

Caveats:
  Official       CEO (Canadian Eyes Only)
  Unofficial     For Official Use Only (FOUO)
9. Cyber and IT Security Functions

PREVENTION
• Trusted infrastructure products and services through supply chain integrity
• Cyber and IT Security policies and standards
• Security awareness and training
• Infrastructure Protection Services
• Data Protection Services
• Identity, Credentials and Access Management Services
• Secret Infrastructure Service
• Business Continuity and Emergency Management

DETECTION
• Coordination of GC-wide monitoring, detection, identification, prioritization and reporting of IT security incidents
• Automated, real-time threat monitoring, security information and event management and analysis
• Log analysis and investigations
• Security assessment
• Vulnerability assessments

RESPONSE
• GC-wide coordination and remediation of IT security incidents
• Threat assessment and situational reporting
• Coordination and distribution of GC product alerts, warnings and advisories
• Forensics
• Software integrity through security configuration or replacement
• Infrastructure integrity through configuration or replacement

RECOVERY
• Highly specialized IT security incident recovery services
• Mitigation advice and guidance
• Vulnerability remediation
• Post-incident analysis
10. Transformation Principles
• Trusted equipment and services through supply chain integrity
• Security by design to ensure that all aspects of security are addressed as part of design, balancing service, security and savings
• Gradual transition from a network-based security model to a data-centric security model
• Privileged access to data will be maintained and multi-tenancy will be built into systems where data owned by one partner cannot be seen by another partner or by unauthorised individuals
• Security breaches in one part of the infrastructure are quickly detected and contained without spreading to other parts of the infrastructure
• Maintain and improve the security posture as part of moving to enterprise services (i.e., don’t reduce security).
10
11. Question
1. Does the Cyber and IT Security Framework, transformation principles and associated functions sufficiently address the Cyber and IT Security challenges associated with moving from department specific networks to a cloud infrastructure?
11
13. AFAC Consultation Roadmap (figure text)
STRATEGY:
• Common Requirements/Service Strategy
• Service Bundles and Delivery Model
• Licensing models and Solutions
• End-state Service Strategy
• Enterprise Software Procurement Functional Direction
KEY ACTIVITIES 2014–15:
• Meetings
• Demos
• Written Submissions
• Formal Industry Engagement (July 7; TBD)
AFAC INPUT:
• Recommendations for Strategic Questions
• Guiding Principles/Best Practices
• Experience/Case Studies
• Risks/Success Factors
13
14. Device Security Defined
What is Device Security?
• Device security refers to the protection of Government of Canada (GC) devices that are used to store and process data through the use of various information technology (IT) safeguard services.
What GC Devices are we looking to Protect?
• Backend devices (Data Server Infrastructure)
• Frontend devices (Traditional personal computers, laptops, Thin-Clients/Virtual Deployments)
• Mobile Devices (Smartphones, Tablets)
• ~569,000 devices (~100,000 data centre devices, ~469,000 workplace technology devices)
Why do we need Device Security?
• Safeguard GC devices and data from various forms of malware and intrusion
• Maintain the confidentiality, integrity and availability of infrastructure information assets
14
15. Strategic Context
• Enhance the security services required to mitigate evolving threats
• Support security service integration with new cloud and mobile technologies
• Support the implementation of Treasury Board’s IT Policy Implementation Notice (ITPIN) regarding the secure use of portable data storage devices within the Government of Canada
• Lack of an enterprise procurement vehicle for device security software
• Renewal of existing device security software licenses to maintain operations (e.g. Keeping the Lights On)
• Multiple disparate device security solutions and policy applications
• Standardization to drive efficiencies and cost savings across the GC
Drivers: Increase Security, Improve Service, Generate Savings
15
16. Proposed Device Security Services
Security Service / Description
• Antivirus: Protective software designed to defend your computer against malicious software (viruses)
• Antispyware: Software that controls advertisements (called adware) or software that tracks personal or sensitive information
• Host Intrusion Detection / Prevention Systems: Software package which monitors a single host for suspicious activity by analyzing the events occurring on it
• Data Loss Prevention: Network/endpoint services that control what data end users can transfer in/out of the network
• Application Firewall: Firewall which controls input, output and/or access from, to, or by an application or service
• Application Whitelisting: Software programs that operate up to the Application Layer of the OSI Model and protect the integrity of the system by filtering requests for application-based information.
• Encryption: A technology which protects information by converting it into unreadable code that cannot be deciphered easily by unauthorized people.
16
Questions:
1. Have all essential functions been covered? Should other functions be considered?
2. Should these functions be bundled separately or combined?
17. Device Security Strategy
Current-State Distributed
• Multiple disparate management systems and products/technologies across depts.
• Network-Centric Security
End-State Centralized
• Reduced management infrastructure leveraging SSC Community Cloud
• Data-Centric Security
17
Questions:
1. Should the same service set be used for both the legacy environment and the new SSC enterprise cloud service?
2. Given vendor specific signatures, should multi-vendor procurement be considered?
3. Should the scope of the procurement cover both data center devices and workplace technology devices?
19. Security Frameworks (figure text)
INFRASTRUCTURE & DATA
PDRR & PPSI Models:
• Technical, physical, personnel, management and other security controls to proactively protect the confidentiality, integrity and availability of information and IT assets
• Continuous monitoring of systems to rapidly detect IT incidents after or as they occur
• Corrective controls to respond to IT incidents and to exchange incident-related information with designated lead departments in a timely fashion
• Corrective controls to restore essential capabilities within agreed time constraints and availability requirements in a manner that preserves the integrity of evidence
Governance, Risk Management, Compliance (GRC)
Aligned with NIST Framework
• Competencies, roles & responsibilities, culture, org. chart, and capacity
• Supply Chain Integrity, Security Assessment & Authorization, Security-by-Design, IT Service Management
• Privilege Management Infrastructure (PMI), GC Secret Infrastructure (GCSI), Network and Device Security, Security Operations Centre (SOC)
• Policies and instruments, information repository, Approved Security Products List (ASPL)
19
20. GC ESA Focus Areas (figure text)
Figure labels: Strengthen Defensive Capabilities; Consolidation; Standardization; Transformation; Modernization
Focus areas:
• Awareness & Training
• Physical Security
• Security in Contracting
• Personnel Security
• Business Continuity
• End User Device Security
• Compute and Storage Services Security
• Network and Communications Security
• Security Operations
• Policy and Compliance Monitoring
• Application Security
• Data Security
• Identity, Credential and Access Management
The ESA Focus Areas help to:
• Manage the complex problem space
• Promote a defense-in-depth layered security approach
• Consider both technical and non-technical aspects
20