This document discusses key aspects of operational and communications security. It covers developing standard operating procedures (SOPs) and change management processes. Other topics include patch management, malware protection, backup strategies, email security, log analysis, and oversight of service providers. Maintaining security across daily operations and when making changes is important to protect the network and data.
Chapter 8: Communications and Operations Security
2. Objectives
Copyright 2014 Pearson Education, Inc.
❑ Author useful standard operating procedures
❑ Implement change control processes
❑ Understand the importance of patch management
❑ Protect information systems against malware
❑ Consider data backup and replication strategies
❑ Recognize the security requirements of e-mail and e-mail systems
❑ Appreciate the value of log data and analysis
❑ Evaluate service provider relationships
❑ Write policies and procedures to support operational and communications security
3. Standard Operating Procedures (SOPs)
❑ SOPs provide direction to improve communication, reduce training time, and improve work consistency
❑ SOPs should be documented to protect the company from the pitfalls of institutional knowledge
■ If a business process is known only to one employee, and that employee becomes unavailable, how is the process going to be performed successfully?
4. Standard Operating Procedures Cont.
■ SOPs should be written in as simple a style as possible so that everyone clearly understands the procedure
■ SOPs should include every step of a given procedure
■ SOPs should not be overly detailed and should remain clear
5. Standard Operating Procedures Cont.
■ If a procedure contains fewer than 10 steps, it should be presented in step format
■ If a procedure contains 10 steps or more but few decisions, it should be presented in a graphical or hierarchical format
■ If a procedure requires many decisions, it should be presented as a flowchart
6. Standard Operating Procedures Cont.
■ After a procedure has been researched, documented, reviewed, and tested, it should be authorized by the process owner
■ The integrity of SOP documents must be protected so that employees do not follow instructions that have been maliciously tampered with
7. Standard Operating Procedures Cont.
■ The change management process must be defined so that the SOPs mirror the evolution of the business processes
■ All revisions of SOP documents must be reviewed and approved by the process owner
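Slides 6 and 7 ask for two things at once: SOP documents whose integrity is protected against tampering, and revisions that carry the process owner's approval. The following is an added example (not part of the Pearson slides) of one way to do both with a signed manifest: every approved SOP is hashed, the manifest of hashes carries the revision number and approver, and the whole manifest is authenticated with an HMAC key held by the process owner. A document is shown to staff only if its hash matches the approved manifest. The key, document names and SOP contents are constructed for the example.

```python
"""Integrity protection for SOP documents via an HMAC-signed manifest (added example)."""
import hashlib
import hmac
import json

# Constructed key; in practice a secret held by the process owner (or a signing key in an HSM).
OWNER_KEY = b"process-owner-approval-key-example"

# Constructed sample SOPs: document name -> approved content.
SOPS = {
    "sop-backup-restore-v3.txt": b"1. Mount tape\n2. Verify checksum\n3. Restore to staging\n",
    "sop-user-offboarding-v2.txt": b"1. Disable account\n2. Revoke tokens\n3. Collect hardware\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(payload: dict) -> bytes:
    # Canonical JSON so the MAC is stable regardless of key ordering.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(docs: dict, key: bytes, approver: str, revision: int) -> dict:
    """Hash every approved document and sign the manifest with the owner key."""
    entries = {name: sha256_hex(body) for name, body in sorted(docs.items())}
    payload = {"approver": approver, "revision": revision, "documents": entries}
    payload["mac"] = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return payload


def verify_manifest(manifest: dict, key: bytes) -> bool:
    """True if the manifest itself is unchanged since the owner signed it."""
    body = {k: v for k, v in manifest.items() if k != "mac"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the MAC through timing differences.
    return hmac.compare_digest(expected, manifest.get("mac", ""))


def verify_document(name: str, content: bytes, manifest: dict, key: bytes) -> str:
    """Return 'ok', 'tampered', 'unknown' or 'manifest-invalid' for one SOP file."""
    if not verify_manifest(manifest, key):
        return "manifest-invalid"          # someone edited the approval record itself
    approved = manifest["documents"].get(name)
    if approved is None:
        return "unknown"                   # not an approved SOP at this revision
    return "ok" if hmac.compare_digest(approved, sha256_hex(content)) else "tampered"


if __name__ == "__main__":
    m = build_manifest(SOPS, OWNER_KEY, approver="backup-process-owner", revision=3)
    original = SOPS["sop-backup-restore-v3.txt"]
    altered = original.replace(b"Verify checksum", b"Skip checksum")
    print(verify_document("sop-backup-restore-v3.txt", original, m, OWNER_KEY))   # ok
    print(verify_document("sop-backup-restore-v3.txt", altered, m, OWNER_KEY))    # tampered
```

The manifest, not the individual files, is what the owner signs, so re-approving a revision is one signing step, and an attacker who can write to the document share still cannot make an altered step pass unless they also hold the owner key.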
8. Operational Change Control
■ Change control: the internal procedure by which only authorized changes are made to software, hardware, network access privileges, or business processes
■ Change control process
❑ Starts with a Request for Change (RFC), which documents:
❑ Description of the proposed change
❑ Justification for why the change should be implemented
❑ Impact of not implementing the change
❑ Alternatives
❑ Cost
❑ Resource requirements and timeframe
❑ The change is then evaluated and, if approved, implemented
9. Operational Change Control Cont.
■ Change control plan
❑ Developed after the change is approved
❑ Components
■ Security review to ensure no new vulnerabilities are introduced
■ Implementation instructions
■ Rollback and/or recovery options
■ Post-implementation monitoring
■ The change must be communicated to all relevant parties
❑ Two categories of messages
■ Messages about the change itself
■ Messages about how the change will affect employees
■ All actions should be documented throughout the implementation process
10. Why Is Patching Handled Differently?
■ Patch
❑ Software or code designed to fix a problem
■ Security patching is the primary method of fixing security vulnerabilities
■ Patches need to be applied quickly
■ Patch management
❑ The process of scheduling, testing, approving, and applying security patches
❑ Patching can be unpredictable and disruptive
❑ Users should be notified of potential downtime
11. Malware Protection
■ Malware
❑ Short for malicious software
❑ Software designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems and mobile devices
❑ It can be bundled with other programs or be self-replicating
❑ Typically requires user interaction (self-replicating worms are the exception)
Copyright 2014 Pearson Education, Inc.
13. How Is Malware Controlled?
■ Prevention controls
❑ Stop an attack before it occurs
■ Detection controls
❑ Identify the presence of malware, alert the user, and prevent the malware from carrying out its mission
14. What Is Antivirus Software?
■ Used to detect, contain, and in some cases eliminate malicious software
■ Most AV software employs two techniques
❑ Signature-based recognition
❑ Behavior-based (heuristic) recognition
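The two techniques on slide 14 behave very differently against a modified sample, which is easiest to see by running both over the same inputs. The toy scanner below is an added example, not code from the slides or from any AV product: it matches file hashes and byte patterns (signature-based) and then falls back to static heuristics (byte entropy and suspicious strings). The signature database, indicator strings and all sample files are constructed for the example; the EICAR string is the industry's harmless test pattern. Real behaviour-based engines observe what a program does at run time, which a static toy cannot reproduce.

```python
"""Toy scanner contrasting signature-based and heuristic recognition (added example)."""
import hashlib
import math
from collections import Counter

# Harmless industry test pattern that every real AV engine is expected to flag.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed "known bad" file; its hash stands in for one entry in a vendor database.
KNOWN_BAD = b"MZ\x90\x00" + b"constructed-known-bad-sample" * 4

HASH_SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Constructed.KnownBad"}
PATTERN_SIGNATURES = {EICAR: "EICAR-Test-File"}

# Constructed heuristic indicators: strings rarely found in legitimate documents.
SUSPICIOUS_STRINGS = [b"powershell -enc", b"CreateRemoteThread", b"VirtualAllocEx"]
ENTROPY_THRESHOLD = 7.2   # bits per byte; packed or encrypted payloads approach 8.0
MIN_ENTROPY_LEN = 256     # entropy of very short inputs is not meaningful


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def signature_scan(data: bytes) -> list:
    """Exact matches only: whole-file hash or a known byte pattern."""
    hits = []
    name = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if name:
        hits.append(("signature", name))
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in data:
            hits.append(("signature", name))
    return hits


def heuristic_scan(data: bytes) -> list:
    """Fuzzy indicators that survive small modifications but can false-positive."""
    hits = []
    if len(data) >= MIN_ENTROPY_LEN and shannon_entropy(data) > ENTROPY_THRESHOLD:
        hits.append(("heuristic", "high-entropy payload (packed or encrypted)"))
    for s in SUSPICIOUS_STRINGS:
        if s in data:
            hits.append(("heuristic", f"suspicious string {s.decode()!r}"))
    return hits


def scan(data: bytes) -> list:
    """Cheap exact signatures first; heuristics only when nothing matched."""
    hits = signature_scan(data)
    return hits if hits else heuristic_scan(data)


# Constructed sample files.
SAMPLES = {
    "quarterly-report.txt": b"Quarterly report: revenue up 4%, headcount flat, no incidents reported.",
    "eicar.com": EICAR,
    "known-bad.exe": KNOWN_BAD,
    "known-bad-repacked.exe": KNOWN_BAD + b"\x00",   # one extra byte: the hash signature misses
    "dropper.bat": b"@echo off\r\ncmd.exe /c powershell -enc QQBBAEEAQQ==\r\n",
    "payload.bin": bytes(range(256)) * 4,             # uniform byte distribution: entropy 8.0
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:24s} {scan(data) or 'clean'}")
```

Note what the repacked sample shows: appending a single byte defeats the hash signature, and because the file is short and contains no indicator strings the heuristics are silent too. That gap is why engines layer pattern signatures, heuristics and run-time behaviour monitoring rather than relying on any one of them.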
15. Data Replication
■ Data replication
❑ The process of copying data to a second location that is available for immediate or near-real-time use
■ Data backup
❑ The process of copying and storing data so that it can be restored to its original location
■ Failure to back up threatens data availability and data integrity
❑ Lost or corrupt data can also have a negative impact on the company:
■ Financially
■ Legally
■ In terms of public relations
16. Is There a Recommended Backup or Replication Strategy?
❑ The following aspects should be considered when the strategy is designed:
■ Reliability
■ Speed
■ Simplicity
■ Ease of use
■ Security of the stored information
❑ Backed-up or replicated data should be stored at an off-site location in an environment secured from theft, the elements, and natural disasters
17. The Importance of Testing
❑ If the company relies on backups to protect data integrity and availability, it needs to be sure that the information stored on the backup media is restorable in case of an incident
❑ Just as backups must run on a set schedule, test restores should also be officially scheduled
18. Securing Messaging
❑ E-mail is, by default, an insecure way to transmit information
❑ Unless encryption is added to the e-mail solution, no confidential information should EVER be sent via e-mail
❑ Inherently, e-mail employs no end-to-end encryption; unless it is added, message content travels and is stored in clear text
19. Securing Messaging Cont.
■ Employees should not commit to e-mail any information that they would not feel comfortable writing on company letterhead
■ Employees must be trained to understand the risks and responsibilities associated with using e-mail as a business tool in a corporate environment
20. Securing Messaging Cont.
■ Documents sent as e-mail attachments might contain more information than the sender intended to share
❑ Metadata
■ Details about a file that describe or identify it, such as title, author name, subjects, and keywords
■ E-mail is an effective method of distributing malware
❑ Malware can be embedded in an attachment
❑ Or delivered as a hyperlink
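The metadata on slide 20 is concrete and inspectable: an Office document is a ZIP package whose `docProps/core.xml` part carries the title, creator, last-modified-by account and revision count. The code below is an added example (not from the slides) that builds a minimal constructed .docx-like package, reads those fields out, and produces a scrubbed copy with the identifying fields blanked while every other part is copied unchanged. The author names, title and dates are invented for the example; only the core-properties part is populated, so the package is not a complete Word document.

```python
"""Inspect and scrub Office core-properties metadata (added example)."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)   # keep the conventional prefixes when re-serialising

FIELDS = ["dc:title", "dc:subject", "dc:description", "cp:keywords",
          "dc:creator", "cp:lastModifiedBy", "cp:revision",
          "dcterms:created", "dcterms:modified"]
# Fields blanked by the scrubber; the dates are left in place here.
SCRUB = [f for f in FIELDS if not f.startswith("dcterms:")]

# Constructed core.xml with the kind of content that leaks: an internal project name,
# the author's user name and a domain account of a colleague who edited it.
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" xmlns:xsi="{xsi}">
<dc:title>Draft termination list - CONFIDENTIAL</dc:title>
<dc:creator>j.doe</dc:creator>
<cp:lastModifiedBy>HR-LEGAL\\m.smith</cp:lastModifiedBy>
<cp:revision>17</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2014-03-02T09:15:00Z</dcterms:created>
</cp:coreProperties>""".format(**NS)


def build_sample_docx() -> bytes:
    """Constructed minimal package; only docProps/core.xml matters for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("word/document.xml",
                   "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        z.writestr("docProps/core.xml", CORE_XML)
    return buf.getvalue()


def read_part(docx: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        return z.read(name)


def extract_metadata(docx: bytes) -> dict:
    """Return the non-empty core properties found in the package."""
    root = ET.fromstring(read_part(docx, "docProps/core.xml"))
    found = {}
    for field in FIELDS:
        el = root.find(field, NS)
        if el is not None and el.text:
            found[field] = el.text
    return found


def scrub_metadata(docx: bytes) -> bytes:
    """Copy the package, blanking the identifying core properties; other parts are untouched."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        root = ET.fromstring(src.read("docProps/core.xml"))
        for field in SCRUB:
            el = root.find(field, NS)
            if el is not None:
                el.text = ""
        for item in src.infolist():
            if item.filename == "docProps/core.xml":
                dst.writestr(item, ET.tostring(root, encoding="unicode"))
            else:
                dst.writestr(item, src.read(item.filename))
    return out.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    print("before:", extract_metadata(doc))
    print("after: ", extract_metadata(scrub_metadata(doc)))
```

Core properties are only one of several leak channels; `docProps/app.xml` (company, template, total editing time), tracked changes and comments inside `word/document.xml`, and embedded images' EXIF data all need the same treatment before a document leaves the organization.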
21. Securing Messaging Cont.
■ Incoming attachments may contain a malicious payload:
❑ Virus
❑ Worm
❑ Trojan
❑ Other malicious scripts
❑ Hoax
■ Users must be trained to be suspicious of attachments
■ Access to personal e-mail accounts should not be allowed from the corporate network
22. Securing Messaging Cont.
■ Common e-mail-related mistakes
❑ Hitting the wrong button: using "reply all" instead of "reply", or "forward" instead of "reply"
❑ Sending an e-mail to the wrong address because it is close to the intended recipient's
❑ Leaving the entire string of earlier replies in an e-mail forwarded to a third person who should not have been privy to some of the information discussed in them
■ Training users is paramount to e-mail security
23. Are E-Mail Servers at Risk?
■ Compromising the e-mail server
❑ Relay abuse
■ Involves using the mail server to distribute spam and malware
❑ A denial of service attack against an e-mail server is an attack against the availability of the service
❑ The e-mail server should be set up so that it does not allow open relaying of SMTP traffic. Failure to do so has two consequences:
■ The e-mail server will be used by spammers
■ The server's IP address and the domain name used for e-mail will be blacklisted
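What "open relay" looks like in configuration is worth seeing side by side. The fragment below is an added example for Postfix (`main.cf`), not taken from the slides; it assumes a Postfix server with SASL authentication already configured and an internal network of 10.20.0.0/16 (both assumptions). Either of the two weak lines, on its own, is enough to turn the server into an open relay.

```ini
# WEAK: any client may hand this server mail for any destination (open relay).
# Either line alone is enough to make it one.
smtpd_relay_restrictions = permit
mynetworks = 0.0.0.0/0

# CORRECTED: relay only for the local network and SASL-authenticated clients.
# Mail for the server's own domains is still accepted from anyone; mail for
# foreign domains from anyone else is refused.
mynetworks = 127.0.0.0/8, [::1]/128, 10.20.0.0/16
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
relay_domains =
```

Check the live values with `postconf -n smtpd_relay_restrictions mynetworks` rather than trusting the file, and verify from an outside address that `RCPT TO:` for an external domain is refused (`reject_unauth_destination` returns a permanent 5xx "Relay access denied"; `defer_unauth_destination` returns a temporary 4xx, which is safer while migrating legitimate clients to authentication).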
24. Activity Monitoring and Log Analysis
■ Log: a record of the events occurring within an organization's systems and networks
■ Almost every device and application on the network can log activity
■ Log management
❑ Configuring the log sources, including log generation, storage, and security
❑ Performing analysis of log data
❑ Initiating appropriate responses to identified events
❑ Managing the long-term storage of log data
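"Performing analysis of log data" is abstract until it is run over real lines. The following is an added example (not from the slides) of a small detector over OpenSSH authentication log lines: it parses each event, counts password failures per source address within a sliding window, raises a higher-severity alert when a success follows a burst of failures, and separately catches a slow attacker whose attempts never fit inside the window. The log lines are constructed (the addresses are from the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and a private network), the window and threshold are illustrative, and the year is assumed because syslog timestamps omit it.

```python
"""Detect password guessing in sshd auth logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in OpenSSH/syslog format.
SAMPLE_LOG = """\
Mar  3 08:12:01 mail01 sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 08:12:03 mail01 sshd[2233]: Failed password for invalid user oracle from 203.0.113.45 port 51031 ssh2
Mar  3 08:12:04 mail01 sshd[2235]: Failed password for root from 203.0.113.45 port 51040 ssh2
Mar  3 08:12:06 mail01 sshd[2237]: Failed password for root from 203.0.113.45 port 51052 ssh2
Mar  3 08:12:09 mail01 sshd[2239]: Failed password for root from 203.0.113.45 port 51060 ssh2
Mar  3 08:12:15 mail01 sshd[2241]: Accepted password for root from 203.0.113.45 port 51077 ssh2
Mar  3 08:13:40 mail01 sshd[2250]: Failed password for jdoe from 10.20.5.17 port 40102 ssh2
Mar  3 08:13:52 mail01 sshd[2252]: Accepted publickey for jdoe from 10.20.5.17 port 40110 ssh2
Mar  3 09:30:00 mail01 sshd[2301]: Failed password for root from 198.51.100.9 port 60001 ssh2
Mar  3 09:45:00 mail01 sshd[2302]: Failed password for root from 198.51.100.9 port 60002 ssh2
Mar  3 10:00:00 mail01 sshd[2303]: Failed password for root from 198.51.100.9 port 60003 ssh2
Mar  3 10:15:00 mail01 sshd[2304]: Failed password for root from 198.51.100.9 port 60004 ssh2
Mar  3 10:30:00 mail01 sshd[2305]: Failed password for root from 198.51.100.9 port 60005 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
ASSUMED_YEAR = 2014  # syslog omits the year; assumed for the constructed sample


def parse(line: str):
    """Return a dict for an auth result line, or None for lines we do not analyse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(lines, window_s: int = 300, threshold: int = 5) -> list:
    """Return (kind, source_ip, detail) alerts.

    brute-force          : >= threshold failures from one source inside the window
    brute-force-success  : a login from a source that is currently over the threshold
    slow-failures        : >= threshold failures in total that never tripped the window
    """
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    total = defaultdict(int)      # ip -> failures over the whole input
    alerted, alerts = set(), []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()               # slide the window forward
        if ev["result"] == "Failed":
            q.append(ts)
            total[ip] += 1
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append(("brute-force", ip,
                               f"{len(q)} failures within {window_s}s ending {ts:%H:%M:%S}"))
        elif len(q) >= threshold:
            # A success right after a burst of failures: one of the guesses worked.
            alerts.append(("brute-force-success", ip, f"{ev['user']} logged in at {ts:%H:%M:%S}"))
    for ip, n in total.items():
        if n >= threshold and ip not in alerted:
            alerts.append(("slow-failures", ip, f"{n} failures spread beyond the {window_s}s window"))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{kind:20s} {ip:15s} {detail}")
```

The single failure from 10.20.5.17 followed by a key-based login is the normal typo-then-retry pattern and produces nothing; the 15-minute cadence from 198.51.100.9 is exactly what a fixed five-minute window misses, which is why the whole-input counter exists. In production the "responses to identified events" the slide mentions would hang off these alert kinds: a temporary block for `brute-force`, an incident for `brute-force-success`.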
26. Service Provider Oversight
■ Service providers include vendors, contractors, business partners, and affiliates who store, process, transmit, or access company information on company information systems
■ Service providers' internal controls should meet or exceed those of the contracting organization
■ Due diligence is the process used to assess the adequacy of service providers
■ SSAE 16 audit reports are the most widely accepted due diligence documentation
27. Summary
■ Day-to-day activities can have a huge impact on the security of the network and the data it contains. SOPs are important in providing a consistent framework across the company.
■ Change must be managed. Two mandatory components of a change management process are RFC documents and a change control plan.
■ Malware is becoming the tool of choice for criminals to exploit devices, operating systems, applications, and user vulnerabilities. Many types of malware exist, and companies should protect against them.
■ Sound backup strategies should be developed, tested, authorized, and implemented. E-mail, while a fantastic business tool, is also a double-edged sword because of its inherent lack of built-in security and must be treated as such.
■ Operational security extends to service providers. Service provider controls should meet or exceed those of the company.