This document discusses cybersecurity risks facing organizations and approaches to managing those risks. It begins by outlining common misunderstandings about cybersecurity. It then explains that cybersecurity is a risk that affects the entire organization, not just IT, and discusses how attacks are becoming more sophisticated. The document identifies the greatest threats as email, mobile devices, and the internet of things. It advocates adopting the NIST Cybersecurity Framework as a basis for sound security practices. Finally, it discusses developing a cybersecurity program through risk assessment, incident response planning, security metrics, employee awareness training, and testing security plans.
4. Common misunderstandings
• I have antivirus software, so I’m good
• Security is the IT department’s problem
• Security isn’t a problem with Macs (see https://support.apple.com/en-us/HT201222)
• I don’t have anything on my computer anyone would want
5. Cybersecurity is not an “IT problem”
It’s all about whether an organization can survive
11. Greatest organizational exposures
Where we think the exposures are
• Cloud-based Systems
• Network
• Applications
• Servers
Where the greatest threats lie
• E-Mail
• Mobile devices
• Internet of Things
2018 HIMSS Cybersecurity Survey
12. What is the greatest threat?
We need to align security with the organizational culture and define acceptable working norms
13. Context of the threat environment
Today’s threats are far more complex than most people realize
15. Why antivirus software?
• Examines computer for infections
• Monitors computer activity
• Scans new files to ensure they do not have a virus
• Clean, quarantine, delete
16. How does it work?
• Static analysis
• Match known virus patterns
• Uses a virus scanning engine
• Database of known virus signatures
• Comparison of signature to file may indicate an infection
17. Why is it not enough?
• If not in real time, malware can get through
• Vendors must constantly search for new viruses
• Vendors cannot keep up with the sheer number of new attacks
• Signature files must be kept up to date
• Most attacks today are not “virus” based
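To make the signature-matching mechanism of slides 16 and 17 concrete, here is an added Python example; it is not part of the original presentation. It builds a constructed signature database (one full-file hash and one byte pattern, both with hypothetical names) and scans constructed in-memory sample files. A sample altered by a single byte, or one whose content is base64-encoded, produces no match, which is exactly the gap "Why is it not enough?" describes: a signature only catches what the vendor has already seen in that exact form.

```python
import base64
import hashlib
import re

# Constructed signature database for the example. The names are hypothetical;
# a real product ships a vendor-maintained feed that must be kept up to date.
HASH_SIGNATURES = {
    "Example.Sample.A": hashlib.sha256(b"CONSTRUCTED-SAMPLE-A-PAYLOAD").hexdigest(),
}
PATTERN_SIGNATURES = {
    "Example.Sample.B": re.compile(rb"CONSTRUCTED-PAYLOAD-v\d+"),
}


def scan_bytes(data: bytes) -> list:
    """Static analysis: compare the file's hash and byte content against the
    signature database and return the names of every matching signature."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    for name, known_digest in HASH_SIGNATURES.items():
        if digest == known_digest:
            hits.append(name)
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern.search(data):
            hits.append(name)
    return hits


def scan_files(files: dict) -> dict:
    """Scan a mapping of path -> file content; returns path -> matched names.
    An empty list means 'no known signature', not 'clean'."""
    return {path: scan_bytes(content) for path, content in files.items()}


# Constructed sample files (kept in memory so the example runs offline).
SAMPLE_FILES = {
    "report.txt": b"quarterly report, plain text",
    "sample_a.bin": b"CONSTRUCTED-SAMPLE-A-PAYLOAD",
    # Same payload with one byte appended: the full-file hash no longer matches.
    "sample_a_modified.bin": b"CONSTRUCTED-SAMPLE-A-PAYLOAD\x00",
    "sample_b.bin": b"header CONSTRUCTED-PAYLOAD-v3 trailer",
    # Same content base64-encoded: the byte pattern no longer appears verbatim.
    "sample_b_encoded.bin": base64.b64encode(b"header CONSTRUCTED-PAYLOAD-v3 trailer"),
}


def undetected_samples(results: dict) -> list:
    """Paths whose name marks them as samples but that produced no match;
    these are the cases a signature-only scanner misses."""
    return sorted(p for p, hits in results.items() if p.startswith("sample_") and not hits)


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for path, hits in results.items():
        print(f"{path:24} {'MATCH ' + ', '.join(hits) if hits else 'no signature match'}")
    print("missed by signatures:", undetected_samples(results))
```

The two missed samples are the point: the scanner is only as good as the signature database it last downloaded, which is why real-time scanning, prompt signature updates and behaviour-based controls all appear in the slides as things antivirus alone cannot supply.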
28. IoT raises many issues
• Many devices have no ability to be updated
• Therefore, it is impossible to address security vulnerabilities
• Often long gaps between security updates
• Difficulty of applying security updates
32. Security practice is constantly evolving
1. Work0923
2. Th1s1s3as1lyGu3223dPassw0rd
3. Zr9@c&cRw!Ac
4. Would you like to know a secret?
5. Brown marble black flecks ick
44. Identify
Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities
Asset Management (ID.AM)
• The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.
Business Environment (ID.BE)
• The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
Governance (ID.GV)
• The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
Risk Assessment (ID.RA)
• The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
Risk Management Strategy (ID.RM)
• The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
45. Protect
Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services
Access Control (PR.AC)
• Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
Awareness and Training (PR.AT)
• Personnel are provided cybersecurity education and are trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.
Data Security (PR.DS)
• Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
Information Protection Processes and Procedures (PR.IP)
• Security policies, processes, and procedures are maintained and used to manage protection of information systems and assets.
Maintenance (PR.MA)
• Maintenance and repairs of industrial control and information system components is performed consistent with policies and procedures.
Protective Technology (PR.PT)
• Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
46. Detect
Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event
Anomalies and Events (DE.AE)
• Anomalous activity is detected in a timely manner and the potential impact of events is understood.
Security Continuous Monitoring (DE.CM)
• The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
Detection Processes (DE.DP)
• Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.
47. Respond
Develop and implement the appropriate activities to take action regarding a detected cybersecurity event
Response Planning (RS.RP)
• Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.
Communications (RS.CO)
• Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
Analysis (RS.AN)
• Analysis is conducted to ensure adequate response and support recovery activities.
Mitigation (RS.MI)
• Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
Improvements (RS.IM)
• Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
48. Recover
Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event
Recovery Planning (RC.RP)
• Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.
Improvements (RC.IM)
• Recovery planning and processes are improved by incorporating lessons learned into future activities.
Communications (RC.CO)
• Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.
49. Levels of adoption
Tier 1 – Partial
• Not formalized
• Ad hoc
• Often reactive
• Limited awareness of cybersecurity risk management
Tier 2 – Risk-Informed
• Organization-wide awareness of risk
• Policies may exist
• Handles risks as they happen
Tier 3 – Repeatable
• A formal organizational risk management process is followed by a defined security policy
Tier 4 – Adaptable
• Cybersecurity policy adapts based on lessons learned and analytics
• Constant learning from the security events that occur
• Information is shared with a larger network
54. Risk management is multi-tiered
Organization
• Strategic risk management
Mission/Business
• Tactical approach to risk
Information Systems
• Focus on integrity and recovery
55. Threat assessment
Malicious internal
• Disgruntled employees
Malicious external
• Hacker groups – hacktivists/cybercriminals
Nonmalicious external
• Errors of suppliers and vendors
Nonmalicious internal
• Human errors of commission and omission
56. Likelihood
• Definite – More than 80% likely to occur
• Likely – 60-80% chance of occurrence
• Occasional – Near 50/50 probability of occurring
• Seldom – Low probability of occurrence (10-40%), cannot be ruled out completely
• Unlikely – Rare and exceptional risks, less than 10% chance
57. Impact
• Insignificant – Near negligible amount of damage
• Trivial – The extent of damage is not too significant, unlikely to make much of a difference to overall operations
• Moderate – Not a great threat, but likely moderately disruptive
• Critical – Significant consequences, significant loss, or disruption
• Catastrophic – Could completely shut down operations or cause long-term disruption
59. Risk control matrix
NAME / OBJECTIVE
Columns: REF/ID, RISK, RISK IMPACT, RISK LIKELIHOOD, TOTAL RISK SCORE
Sample risks:
1. Someone receives a phishing e-mail and clicks on the link
2. Someone downloads unauthorized software
3. A server administrator does not use unique passwords for each server
4. An employee data file is accidentally uploaded to a web server
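As an added example (not from the slides), the following Python code turns the likelihood bands of slide 56, the impact levels of slide 57 and the risk control matrix of slide 59 into a small risk register. The percentage cut-offs between bands, the 1-5 numeric weights and the formula "total risk score = impact weight × likelihood weight" are assumptions made for the example; the slides name the bands and the column but give no formula. The four risks are the ones listed on the matrix slide, with constructed likelihood and impact ratings.

```python
from dataclasses import dataclass

# Numeric weights for the slide's likelihood and impact bands (assumed 1-5 scale).
LIKELIHOOD_WEIGHT = {"Unlikely": 1, "Seldom": 2, "Occasional": 3, "Likely": 4, "Definite": 5}
IMPACT_WEIGHT = {"Insignificant": 1, "Trivial": 2, "Moderate": 3, "Critical": 4, "Catastrophic": 5}


def likelihood_label(pct: float) -> str:
    """Map an estimated probability (percent) to the slide's likelihood band.
    The exact cut-offs (e.g. where 'near 50/50' starts) are assumptions."""
    if pct > 80:
        return "Definite"      # more than 80%
    if pct >= 60:
        return "Likely"        # 60-80%
    if pct > 40:
        return "Occasional"    # near 50/50
    if pct >= 10:
        return "Seldom"        # 10-40%, cannot be ruled out
    return "Unlikely"          # rare, under 10%


@dataclass
class Risk:
    ref: int
    description: str
    impact: str            # one of the IMPACT_WEIGHT keys
    likelihood_pct: float  # estimated probability of occurrence, in percent

    @property
    def likelihood(self) -> str:
        return likelihood_label(self.likelihood_pct)

    @property
    def score(self) -> int:
        # Assumed formula: total risk score = impact weight x likelihood weight.
        return IMPACT_WEIGHT[self.impact] * LIKELIHOOD_WEIGHT[self.likelihood]


# The four risks from the matrix slide, with constructed ratings for the example.
RISKS = [
    Risk(1, "Someone receives a phishing e-mail and clicks on the link", "Critical", 85),
    Risk(2, "Someone downloads unauthorized software", "Moderate", 55),
    Risk(3, "A server administrator does not use unique passwords for each server", "Catastrophic", 30),
    Risk(4, "An employee data file is accidentally uploaded to a web server", "Critical", 5),
]


def risk_register(risks):
    """Return (ref, description, impact, likelihood, score) rows, highest score
    first, so the rows at the top are the ones to put controls on first."""
    rows = [(r.ref, r.description, r.impact, r.likelihood, r.score) for r in risks]
    return sorted(rows, key=lambda row: (-row[4], row[0]))


if __name__ == "__main__":
    print(f"{'REF':>3}  {'IMPACT':13} {'LIKELIHOOD':11} {'SCORE':>5}  RISK")
    for ref, desc, impact, likelihood, score in risk_register(RISKS):
        print(f"{ref:>3}  {impact:13} {likelihood:11} {score:>5}  {desc}")
```

With these constructed ratings the phishing click ranks first (Critical × Definite) and the shared administrator password second (Catastrophic × Seldom); a low-likelihood but catastrophic item still outranks a moderate everyday one, which is the reason the matrix multiplies the two axes rather than looking at likelihood alone.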
60. How is risk addressed?
• Senior management involvement?
• IT understanding?
• Knowing the baseline
• Documenting the network
• Aligned technology
• Why is Xbox allowed on staff PCs?
• What is the organizational culture?
• High risk taking
63. Disruption scenarios
• Damage to or breakdown of systems or equipment
• Physical damage to a building
• Interruption of the supply chain
• Restricted access to a site or building
• Utility outage
65. Prepare
Incident handling team should include security officers, system analysts and human resources personnel
System backup plan should be in place
Personnel involved should be trained at an appropriate level.
• Basic business continuity principles
Contact information should be defined, available as hard copy
• Personnel that might assist in handling an incident
• Key partners who may need to be notified
• Business owners to make key business decisions
• Outside support analysts with security expertise
Supplies to assist the team in the event of an incident (jump bag)
• An empty notebook
• Boot media to analyze hard drives and recover passwords
• Petty cash (food, cabs, batteries as needed)
66. Identify
Issue identification can originate from many sources
• Staff
• End users
• External partners
Declare an adverse risk exists
• Assemble the team and implement the plan
• Save all key system files or records
• Start detailed documentation as soon as possible
Decide what the goals are in handling a particular incident
• Immediate business recovery
• Forensic examination
67. Contain
Basic procedures can contain many incidents
Specific procedures will depend on the nature of the incident
Basic steps to consider include
• Obtain and analyze as much system information as possible, including key files and possibly a backup of the compromised machine for later forensic analysis
• Powering off a machine might lose data and evidence.
• Disconnecting the network cable/disabling wireless to facilitate containment and forensic activity
If one machine has been exploited, others are likely vulnerable
• Download security patches from vendors
• Update antivirus signatures
• Close firewall ports
• Disable compromised accounts
• Change passwords as appropriate
68. Eradicate
Will frequently depend on the nature of the incident
Boot media should be used to access data on compromised machines
• Rootkits might affect basic system level utilities
If operating system has been compromised, it needs to be rebuilt
Test any backups prior to restore and monitor for a new incident
Document everything
69. Recover
Goal is to return safely to production
Specific actions depend on the nature of the incident
Retest the system
Consider timing of the return to production
Discuss customer notification and their concerns
Discuss media handling issues
Continue to monitor for security incidents
70. Worst case scenario
• Full data loss
• Don’t just focus on recovery for the most obvious "disasters"
71. Review
• To better handle future security incidents
• A final report describing the incident and how it was handled
• Suggestions for handling future incidents
72. Testing the plan
Table-top exercise
• Occurs in a conference room with the team poring over the plan
• Looking for gaps and ensuring that all business units are represented therein
Structured walk-through
• Each team member walks through his or her components of the plan with a specific disaster in mind
• Identify weaknesses
• Can incorporate drills and disaster role-playing into the structured walk-through.
• Weaknesses are identified, corrected, and plan is updated
Disaster simulation testing
• Create an environment that simulates an actual disaster
• All equipment, supplies and personnel (including partners and vendors) who would be needed
• To determine if you can carry out critical business functions during the event
73. Table top exercise
• Set a scenario for discussion
• Developed in advance
• Not super technical
• Discuss vulnerabilities and possible scenarios
• Has representation from all areas
• Limit to about an hour
75. Typical KPIs
• Computer patching policy compliance
• Mean time to patch critical/urgent issues
• User security awareness training engagement
• Virus infection activity (real time notification)
• Disaster recovery test results
• Number of security policies and standards that have been fully implemented and adopted
• Network probing attempts
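Here is an added Python example, not taken from the presentation, that computes three of the KPIs listed above (patching policy compliance, mean time to patch critical issues, and network probing attempts) from constructed data: a small patch register and a few made-up firewall log lines in a hypothetical format. The 7-day and 30-day patch windows are assumed policy values, and "five or more distinct denied ports from one source" is an assumed threshold for counting a probe.

```python
import re
from datetime import datetime, timedelta
from statistics import mean

# Assumed patching policy: days allowed between a fix being published and applied.
POLICY_DAYS = {"critical": 7, "low": 30}

# Constructed patch register: (host, severity, published, patched-on or None if still open).
PATCH_RECORDS = [
    ("web-01", "critical", "2024-03-01", "2024-03-03"),
    ("web-02", "critical", "2024-03-01", "2024-03-10"),
    ("db-01",  "critical", "2024-03-05", None),
    ("app-01", "low",      "2024-02-20", "2024-03-15"),
    ("app-02", "low",      "2024-02-20", None),
]

# Constructed firewall log lines in a hypothetical format (not any vendor's real one).
FIREWALL_LOG = """\
2024-03-19T10:00:01 DENY src=203.0.113.7 dst=192.0.2.10 dport=22
2024-03-19T10:00:02 DENY src=203.0.113.7 dst=192.0.2.10 dport=23
2024-03-19T10:00:02 DENY src=203.0.113.7 dst=192.0.2.10 dport=80
2024-03-19T10:00:03 DENY src=203.0.113.7 dst=192.0.2.10 dport=443
2024-03-19T10:00:03 DENY src=203.0.113.7 dst=192.0.2.10 dport=3389
2024-03-19T10:05:00 DENY src=198.51.100.4 dst=192.0.2.10 dport=443
2024-03-19T10:06:00 ALLOW src=198.51.100.4 dst=192.0.2.10 dport=443
"""
LOG_LINE = re.compile(r"^(\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)$")


def _day(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d")


def patch_compliance(records=PATCH_RECORDS, as_of: str = "2024-03-20") -> float:
    """Percentage of records within policy as of a date: patched inside the
    allowed window, or still open but not yet past its deadline."""
    now = _day(as_of)
    within = 0
    for _host, severity, published, patched in records:
        deadline = _day(published) + timedelta(days=POLICY_DAYS[severity])
        finished = _day(patched) if patched else now
        if finished <= deadline:
            within += 1
    return round(100.0 * within / len(records), 1)


def mean_time_to_patch(records=PATCH_RECORDS, severity: str = "critical"):
    """Mean days from publication to patch for closed records of one severity;
    open records are excluded (they show up in the compliance figure instead)."""
    durations = [
        (_day(patched) - _day(published)).days
        for _host, sev, published, patched in records
        if sev == severity and patched
    ]
    return mean(durations) if durations else None


def probing_sources(log: str = FIREWALL_LOG, min_ports: int = 5) -> dict:
    """Count distinct denied destination ports per source; a source touching
    at least min_ports different ports is reported as a probing attempt."""
    ports_by_src = {}
    for line in log.splitlines():
        match = LOG_LINE.match(line)
        if not match or match.group(2) != "DENY":
            continue
        ports_by_src.setdefault(match.group(3), set()).add(int(match.group(5)))
    return {src: len(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    print(f"patch policy compliance: {patch_compliance()}%")
    print(f"mean time to patch (critical): {mean_time_to_patch()} days")
    print(f"probing sources: {probing_sources()}")
```

Keeping mean time to patch and compliance as separate figures matters: a host that is never patched would never lower the mean, so it has to be caught by the compliance percentage, which counts open items against their deadline.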
78. Actually kind of controversial
• Security training is ineffective and a waste of time and money
• Security training is our best offense against a major incident that could easily be avoided
79. Required by law
HIPAA
• Security awareness training requirements for all workforce members. New workforce members must be trained within a reasonable time period. Must include periodic security updates.
Gramm-Leach-Bliley Act (GLBA)
• Train staff to recognize and respond to schemes to commit fraud or identity theft, such as guarding against pretext calling; provide staff members with instruction about computer security; train staff to properly dispose of customer information.
Massachusetts Data Security Law
• Requires training focused on reasonably foreseeable risks to the security, confidentiality, and/or integrity of personal information. Must be ongoing and cover permanent, temporary, and contract employees.
Federal Information Security Management Act (FISMA)
• Requires federal agencies to establish a security awareness training program. Must include contractors and “other users of information systems” that support the agency.
80. Required by standards
Payment Card Industry Data Security Standard (PCI-DSS)
• Developed by the credit card industry’s PCI council. PCI-DSS 12.6 requires that organizations implement a formal security awareness training program to make all personnel aware of the importance of cardholder data security. Personnel must be trained upon hire and at least annually.
ISO/IEC 27002
• Provides guidance on information security management in organizations. Contains a requirement that all employees receive data security awareness training.
NIST Special Publication 800-53
• Federal agencies look to NIST 800-53 to guide their rulemaking and enforcement. Calls for security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access.
81. Basic topics security training should cover
• Phishing
• Social engineering
• Malware
• Passwords
• Use of portable devices
• Physical access
• Data destruction
• Encryption
• Data breach
85. Resources for training
• HHS - http://irtsectraining.nih.gov/publicUser.aspx
• SANS CyberAces - http://www.cyberaces.org/courses/
• FEMA - https://www.firstrespondertraining.gov/ntecatalog
86. Resources for cybersecurity and business continuity
• Small Business Information Security: The Fundamentals
• https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf
• Baldrige Cybersecurity Excellence Builder (BCEB), Version 1.1
• https://www.nist.gov/baldrige/products-services/baldrige-cybersecurity-initiative
• Two very useful worksheets: BCEB Categories 1-7 Questions and Notes Only; BCEB Self-Analysis Worksheet
• Professional Practices for Business Continuity Professionals
• https://drii.org/resources/professionalpractices/EN
87. Web resource centers
• CERT – http://www.cert.org/ – Information on security vulnerabilities
• Incident Response Consortium – https://www.incidentresponse.com/ – Resource for creating security policies and planning for incident response
• IAPP – https://www.iapp.org – International Association of Privacy Professionals