This document discusses information security governance and risk management. It covers several topics:
- The roles and responsibilities of various information security positions such as the security officer, system administrators, and end users.
- Security policies, standards, procedures, and frameworks that organizations can implement to formalize security practices.
- Compliance with regulations and how to map different compliance frameworks.
- Managing risks from third parties, acquisitions, and other organizational changes.
- Ensuring proper information security governance through activities like risk analysis, security awareness training, and oversight from executive management.
5. IT Governance
● Governance must be informed about information security
● Set direction to drive policy and strategy
● Provide resources to security efforts
● Assign management responsibilities
● Set priorities
● Support changes required
● Insist that security investments are made measurable and reported on for program effectiveness
6. Impact from organizational changes
● Acquisitions and mergers
● Divestitures
● Spin-offs
● Governance committees
7. Acquisitions and Mergers
● Friendly vs. hostile
● New staff and roles require new security awareness and training
● Threats from former employees, or threats the new company will face due to the merger
● Vulnerabilities when systems are merged
● New regulations/compliance
● External business partner review and assessment
8. Divestitures and Spin-offs
● Data loss/data leak due to employees leaving
● System ports/protocols/connections left open after systems were removed
● Loss of visibility into systems if both organizations didn't keep security monitoring tools
● New threats from laid-off employees
● Revision of policies, procedures, and standards for new governance/compliance
9. Governance Committee Changes
● Ensure the committee understands at a high level the importance of information security and risk management
● Ensure someone on the committee has security and risk aptitude
● Maintain a working relationship with the committee and be approachable
11. End User
● End user is responsible for protecting information assets on a daily basis through adherence to the security policies
● End user compliance failures include:
  ● Downloading unauthorized software
  ● Opening attachments from unknown senders
  ● Visiting malicious websites
● End users can be turned into human security sensors with proper training
13. Executive Management
● EM maintains the overall responsibility for protection of the information assets
● EM must be aware of the risks they are accepting on behalf of the organization
● Risk must be identified through risk assessment so management can make informed decisions
14. Security Officer
● Directs, coordinates, plans, and organizes information security activities throughout the organization
● Responsible for the design, implementation, management, and review of the organization's security policies, standards, procedures, baselines, and guidelines
15. Information Systems Security Professional
● Drafting of security policies, standards, and supporting guidelines and procedures
● Baselines
● Guidance on technical security issues and emerging threats
● Interpretation of regulations
● Analysis of vendor solutions
16. Data/Information/Business Owners
● Classify information assets
● Ensure business information is protected
● Review access rights
● Approve access to information
● Determine criticality, backups, and safeguards for data
18. Information Systems Auditor
● Verifies compliance with security policies, procedures, standards, baselines, designs, architectures, management direction, and other requirements
● Provides independent assurance to management on the appropriateness of security controls
19. Business Continuity Planner
● Develops contingency plans to prepare for disasters
● Ensures business processes can continue during and after:
  ● Earthquakes, tornadoes, hurricanes, blackouts, political change, terrorist activities, fires, floods, etc.
21. Security Administrator
● Manages user access requests and ensures privileges are provided to authorized users
● Manages privilege needs over time
● Removes access upon user termination
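The last duty on this slide (removing access at termination) is the one most often missed in practice, so a security administrator usually wants a recurring reconciliation of the HR roster against enabled accounts. The following is an added example, not part of the original slides: it assumes a roster exported from HR, an account list exported from each system, and a one-day grace period for removal (all constructed here), and it reports enabled accounts with no HR record, accounts still enabled past the grace period, and accounts that were used after the termination date, which is the case that should go to the incident response team rather than just the access team.

```python
"""Access-removal reconciliation: compare the HR roster against enabled
accounts to find access that should have been removed at termination.
Added example; the roster, account list and grace period are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    user_id: str
    status: str                       # "active" or "terminated"
    terminated_on: Optional[date] = None


@dataclass(frozen=True)
class Account:
    user_id: str
    system: str
    enabled: bool
    last_login: Optional[date] = None


@dataclass
class AccessGaps:
    orphaned: List[Account]                # enabled, but no HR record at all
    overdue: List[Tuple[Account, int]]     # enabled past the grace period after termination
    used_after_termination: List[Account]  # logged in after the termination date


def find_access_gaps(roster: List[Employee], accounts: List[Account],
                     today: date, grace_days: int = 1) -> AccessGaps:
    """Assumption: access must be removed within grace_days of termination."""
    by_user: Dict[str, Employee] = {e.user_id: e for e in roster}
    gaps = AccessGaps([], [], [])
    for acct in accounts:
        if not acct.enabled:
            continue                       # already removed; nothing to do
        emp = by_user.get(acct.user_id)
        if emp is None:
            gaps.orphaned.append(acct)     # nobody owns this account
            continue
        if emp.status != "terminated":
            continue
        term = emp.terminated_on or today  # missing date: treat as terminated today
        days_open = (today - term).days
        if days_open > grace_days:
            gaps.overdue.append((acct, days_open))
        if acct.last_login is not None and acct.last_login > term:
            gaps.used_after_termination.append(acct)
    return gaps


# Constructed sample data
TODAY = date(2024, 6, 1)
ROSTER = [
    Employee("alice", "active"),
    Employee("bob", "terminated", date(2024, 5, 20)),
    Employee("carol", "terminated", date(2024, 5, 30)),
]
ACCOUNTS = [
    Account("alice", "vpn", True, date(2024, 5, 31)),
    Account("bob", "vpn", True, date(2024, 5, 25)),     # still on, and used after termination
    Account("bob", "email", False, date(2024, 5, 19)),  # correctly disabled
    Account("carol", "vpn", True, date(2024, 5, 28)),   # not yet removed
    Account("dave", "db", True, None),                  # no HR record
]


def sample_gaps() -> AccessGaps:
    return find_access_gaps(ROSTER, ACCOUNTS, TODAY)


if __name__ == "__main__":
    g = sample_gaps()
    for a in g.orphaned:
        print(f"orphaned: {a.user_id}@{a.system}")
    for a, days in g.overdue:
        print(f"overdue {days}d: {a.user_id}@{a.system}")
    for a in g.used_after_termination:
        print(f"used after termination: {a.user_id}@{a.system}")
```

Disabled accounts are skipped on purpose: the review is about access that still works, and the `used_after_termination` list is the one to escalate, since it shows the control failed while someone was actively using the account.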
22. Network/Systems Administrator
● Configures network and server hardware/operating system to ensure information is available and accessible
● Manages patching and vulnerability management
23. Physical Security
● Monitors physical locations with cameras, alarms, card readers, etc.
● Verifies physical breaches do not occur and mitigates damage if a breach does occur
24. Administrative Assistant/Secretaries
● First line of defense at most companies:
  ● Greets visitors
  ● Signs for packages
  ● Screens phone calls for executives
● Very prone to social engineering attacks
● Friendly for a living
25. Help Desk Administrator
● Fields technical questions from users
● Likely going to hear about security issues before anyone else:
  ● Viruses
  ● Systems freezing
  ● Weird popups
● Help desk usually responsible for identifying threats and notifying the incident response (CIRT) team
26. Purposes for roles
● Increased efficiency by reducing confusion on who does what
● Lowers risk to company reputation/brand
● Personal accountability
● Support of disciplinary actions for security violations
● Demonstrable compliance with applicable laws and regulations
● Shielding of management from liability and negligence
● Roadmap for auditors
● Segregation by role is useful for determining the level of security training required
27. Legal Negligence
● A failure to behave with the level of care that someone of ordinary prudence would have exercised under the same circumstances. The behavior usually consists of actions, but can also consist of omissions when there is some duty to act.
28. Gross Negligence
● Carelessness which is in reckless disregard for the safety or lives of others, and is so great it appears to be a conscious violation of other people's rights to safety. It is more than simple inadvertence, but it is just shy of being intentionally evil. If one has borrowed or contracted to take care of another's property, then gross negligence is the failure to actively take the care one would of his/her own property. If gross negligence is found by the trier of fact (judge or jury), it can result in the award of punitive damages on top of general and special damages.
29. Legislative and Regulatory Compliance
● As a general rule, laws and regulations represent a “moral minimum” which must be adhered to and should never be considered wholly adequate.
● Regulations often offer specific actions which must be met for compliance.
● Some have a “Safe Harbor” provision, which is a set of “good faith” conditions which, if met, may temporarily or indefinitely protect the organization from penalties of a new law or regulation.
31. Privacy Requirements
● Personally identifiable information (PII) is a valuable commodity for marketers and attackers
● Storing the data can become a liability. Certain data falls under privacy regulations which, if not followed, come with steep fines or jail time.
● International exposure increases the risk. US privacy laws are much less strict compared to European laws (see the EDPD regulations)
32. Security and privacy control frameworks
● Must be:
  ● Consistent – if approach and application are not consistent, stakeholders will become confused and lose faith in the program
  ● Measurable – must be able to determine progress and set goals
  ● Standardized – departments/companies must be able to be compared against each other
  ● Comprehensive – must cover regulatory requirements of the organization and be able to accommodate new requirements or organizational mandates
  ● Modular – must be adaptable and able to withstand organizational changes
33. NIST SP 800-53
● Over 300 controls in 17 families and 3 classes
● Government agencies build Acceptable Risk Standard (ARS) documents based on FISMA requirements, which are based on NIST 800-53.
● An update to the underlying layers propagates up through several security departments and agencies before being implemented across all federal systems
● Federal system owners are expected to remediate before being mandated, based on risk, so long as the remediation does not conflict with current regulations (without approval)
34. ISO 27001
● Designed to work with organizations of all sizes and types (vs. just federal systems)
35. Compliance Mapping
● Different compliance frameworks can be mapped together for ease of identifying additional controls or conflicting controls
● If a control conflicts, the organization generally sides with the most restrictive control for high security, or does a risk assessment to identify the risk to production stability vs. risk of breach
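The mapping rule on this slide (union the controls, keep the most restrictive value where two frameworks disagree, and send the rest to a risk assessment) is easy to get wrong when done by hand across hundreds of controls, so here is an added example of it as code. It is not from the presentation; the two framework contents, the common control keys and the "which direction is stricter" table are constructed for illustration and stand in for the organization's own mapping.

```python
"""Compliance mapping: merge two control frameworks that have been mapped to
a common control key, list the controls only one framework requires, and
resolve conflicting values by keeping the most restrictive one. Conflicts
with no agreed "which is stricter" rule are set aside for a risk assessment.
Added example; the framework contents are constructed, not real standards."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Tuple

# Which direction is "more restrictive" for each parameter. Assumption: the
# organization agreed these orderings (longer passwords, shorter timeouts,
# longer log retention and MFA switched on are the stricter choices).
STRICTER: Dict[str, Callable[[Any, Any], bool]] = {
    "password_min_length": lambda a, b: a >= b,
    "session_timeout_minutes": lambda a, b: a <= b,
    "log_retention_days": lambda a, b: a >= b,
    "mfa_required": lambda a, b: a or not b,
}

# Constructed sample: each framework already mapped onto the common key set
FRAMEWORK_A: Dict[str, Any] = {
    "password_min_length": 8,
    "session_timeout_minutes": 30,
    "log_retention_days": 90,
    "mfa_required": False,
    "backup_frequency": "weekly",
}
FRAMEWORK_B: Dict[str, Any] = {
    "password_min_length": 12,
    "session_timeout_minutes": 15,
    "log_retention_days": 365,
    "encryption_at_rest": True,
    "backup_frequency": "daily",
}


@dataclass
class MappingResult:
    merged: Dict[str, Any] = field(default_factory=dict)
    only_in_a: List[str] = field(default_factory=list)   # additional controls A brings
    only_in_b: List[str] = field(default_factory=list)   # additional controls B brings
    resolved: List[Tuple[str, Any, Any, Any]] = field(default_factory=list)  # key, a, b, chosen
    needs_risk_assessment: List[str] = field(default_factory=list)


def map_frameworks(a: Dict[str, Any], b: Dict[str, Any]) -> MappingResult:
    """Union the two control sets; on a conflict keep the stricter value."""
    result = MappingResult()
    result.only_in_a = sorted(set(a) - set(b))
    result.only_in_b = sorted(set(b) - set(a))
    for key in sorted(set(a) | set(b)):
        if key not in b:
            result.merged[key] = a[key]
        elif key not in a:
            result.merged[key] = b[key]
        elif a[key] == b[key]:
            result.merged[key] = a[key]
        else:
            rule = STRICTER.get(key)
            if rule is None:
                # No agreed ordering: keep it out of the merged baseline and hand
                # it to the risk assessment (production stability vs. breach risk)
                result.needs_risk_assessment.append(key)
                continue
            chosen = a[key] if rule(a[key], b[key]) else b[key]
            result.resolved.append((key, a[key], b[key], chosen))
            result.merged[key] = chosen
    return result


if __name__ == "__main__":
    r = map_frameworks(FRAMEWORK_A, FRAMEWORK_B)
    for key, va, vb, chosen in r.resolved:
        print(f"{key}: A={va} B={vb} -> keep {chosen}")
    print("only in A:", r.only_in_a, "only in B:", r.only_in_b)
    print("needs risk assessment:", r.needs_risk_assessment)
```

The important design point is the `needs_risk_assessment` list: a control whose conflict cannot be settled by a known ordering must not be silently dropped or silently picked from one side, because that is exactly the case the slide says should go to a risk assessment.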
37. Due Care
● Legal definition
  ● The conduct that a reasonable man or woman will exercise in a particular situation, in looking out for the safety of others
● What is your legal obligation in a situation?
  ● Depends on laws
  ● Depends on who is defining “reasonable”
● Check the laws and precedent to measure your legal exposure
38. Due Diligence
● Pre-emptive cousin of Due Care
● Attempts to avoid situations which can lead to harm/require due care to be exercised
● Examples:
  ● Background checks
  ● Credit checks
  ● Pen tests
39. Confidentiality
● Definition reminders
  ● Least Privilege: the level of access an individual has is just what's necessary to do their job
  ● Need-to-know
  ● Data classification
40. Integrity
● Definition reminders
  ● Info is protected from unauthorized or accidental changes
  ● Segregation of duties
  ● Approval checkpoints
  ● Testing
41. Availability
● Definition reminders
  ● Info is available and accessible to users when needed
  ● Denial of Service
  ● Loss of Service (due to disaster, etc.)
42. Security Policy Introduction
● Life without policy
  ● Employees have no guidance, so they act based on their view of what is right or wrong for the company
  ● Might use past decisions and try to stick to the status quo
  ● Many small companies operate this way because it's cheap and easy. But it's dangerous
43. Security Policy Introduction
● Procedures
  ● Step-by-step instructions
● Standards
  ● Specific hardware and software
● Baselines
  ● Consistent level of security
● Guidelines
  ● Recommendations
44. Security Policy Introduction
● Security policy is implemented with standards, procedures, baselines, and guidelines
● Without this implementation, the policy can't be enforced
● Both policy and the implementation are usually crafted by Security Officers
45. Security Policy Introduction
● The policy crafting process should be collaborative and include:
  ● HR
  ● Legal
  ● Compliance
  ● Various IT areas
  ● Business representatives
● When everyone is involved, it's easier to catch everything and get buy-in from everyone
46. Security Policy Introduction
● Once policy is documented, it's important to make it readily available to everyone
  ● Share documents, either on paper or in shared folders
  ● Make and distribute forms & checklists
  ● Training
47. Security Policy Defined
● In essence, a security policy formalizes what a company expects from employees
● Defines roles and responsibilities
● Assigns authority for security/compliance
● Policy-making is old. Therefore, the path to making them is well-traveled. Lots of guidelines!!!
48. Security Policy Guidelines
● Guidelines
  ● Formally define a process for making and maintaining new policy
  ● Policies should survive for 2-3 years
    – Should be reviewed annually, eventually rewritten
  ● Policies shouldn't be too specific
    – Technology, personnel, and markets change
  ● Use forceful, directive wording
49. Security Policy Guidelines
● Guidelines
  ● Leave out technical implementation details
    – Policy must be independent of tech
  ● Keep as short as possible (2-3 pages)
  ● Provide references to supporting documents
  ● Thoroughly review before publishing
  ● Management review/sign-off
  ● Employee acknowledgement
50. Security Policy Guidelines
● Guidelines
  ● Do not use tech jargon
    – Nontechnical people won't understand if you do
  ● Adjust policy based on incidents
    – Regular reviews of incidents
  ● Review policy periodically
  ● Define exemption rules
  ● Develop sanctions for noncompliance
    – Disciplinary actions/punishment/termination
51. Security Policy Types
● Organizational or Program Policy
  ● Issued by senior management
  ● Scoped to entire org or division
  ● High-level authority to define sanctions
  ● Example: “If a computer is unplugged, leave it alone”
52. Security Policy Types
● Functional or Issue-Specific Policy
  ● Scoped to particular technology or domain
  ● Example: Acceptable Use Policy for company internet
53. Security Policy Types
● System-specific Policy
  ● Targeted for specific application/platform
  ● Greater control for specific area
  ● Example: “Only Accounting and HR can input information into the check-writing application”
54. Standards
● Policy defines what an org needs
● Standards define the requirements
  ● Lay out the hardware & software mechanisms
  ● Provide consistency of implementation
  ● Permit interoperability
  ● Can save money and time
    – Standard is to use Windows desktops – don't have to support and train for OSX or Linux
● May be external – NIST, ANSI, IEEE, ISO, NSA
55. Baselines
● Baselines describe how to best implement standards, especially in software
● More technical and specific
● Example: “Disable the Telnet service on all servers”
● Also can be external – DISA STIGs, CIS
56. Procedures
● Step-by-step instructions
● By documenting procedures, a company can more easily assure that it is implementing policy consistently
  ● Ensures nothing gets left out
  ● Minimizes liability
● Documenting procedures can help break down interdepartmental walls and assumptions
  ● Easier to see duplicate work or missing work
58. Documentation
● Do not combine policies with other documentation!
  ● Documentation can be edited by employees, whereas only management should change policies
● Also a good idea to keep standards separate
59. Analogy Time!
● Hammer Policy...
  ● “All boards must be nailed together using company-issued hammers to ensure end-product consistency and worker safety”
  ● Policy is flexible – allows company to define hammer types and change the hammers if a safer hammer emerges
60. Analogy Time!
● Hammer Standard
  ● “Eleven-inch fiberglass hammers will be used. Only hardened-steel nails will be used with the hammers. Automatic hammers are to be used for repetitive jobs only that are > 1 hour.”
  ● Clearer, more specific
61. Analogy Time!
● Hammer Guidelines
  ● “To avoid splitting the wood, a pilot hole may be drilled first.”
  ● Optional suggestion. May not apply in all cases, depending on the wood being hammered
62. Analogy Time!
● Hammer Procedure
  ● “Position nail in upright position on board. Strike nail with full swing of hammer. Repeat until nail is flush with board.”
  ● Process for using the hammer and nail to get the best results
63. Manage the Information Life Cycle
● When information is created, someone must be responsible for it
  ● Determine impact
  ● Understand info replacement costs
  ● Determine who in and outside of the org needs the info/when it should be released
  ● Know when the info is inaccurate/unneeded and should be destroyed
64. Manage the Information Life Cycle
● Data classification can make the job easier
  ● Everyone knows how to treat it
● Data categorization too
  ● Helps define impact of loss and exposure
● A data retention schedule can help
  ● Mandate destruction of info after a certain date, period, or period of inactivity
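Slides 63 and 64 together describe a classification-driven retention schedule: each classification carries a maximum age and a maximum period of inactivity, after which the record must be destroyed. The following added example (not from the presentation) turns that into a review that can be run over an inventory; the schedule, the records and the review date are constructed, and a record whose classification is not in the schedule is reported rather than quietly kept, since an unclassified record is exactly the case the life-cycle slide says must have an owner.

```python
"""Data retention schedule: for each classification, the maximum age and the
maximum period of inactivity after which a record must be destroyed.
Added example; the schedule, record set and dates are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RetentionRule:
    max_age_days: Optional[int]       # None: no age limit
    max_inactive_days: Optional[int]  # None: no inactivity limit


# Constructed schedule keyed by classification label (assumed labels)
SCHEDULE: Dict[str, RetentionRule] = {
    "public": RetentionRule(None, None),
    "internal": RetentionRule(3 * 365, 365),
    "confidential": RetentionRule(7 * 365, 180),
    "pii": RetentionRule(2 * 365, 90),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    classification: str
    created: date
    last_accessed: date


def destruction_reason(rec: Record, rule: RetentionRule, today: date) -> Optional[str]:
    """Why the record is due for destruction under the rule, or None if it is kept."""
    age = (today - rec.created).days
    idle = (today - rec.last_accessed).days
    if rule.max_age_days is not None and age > rule.max_age_days:
        return f"age {age}d exceeds {rule.max_age_days}d"
    if rule.max_inactive_days is not None and idle > rule.max_inactive_days:
        return f"inactive {idle}d exceeds {rule.max_inactive_days}d"
    return None


def review_records(records: List[Record], schedule: Dict[str, RetentionRule],
                   today: date) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (due_for_destruction, unclassified). A record whose classification
    is not in the schedule is reported, not silently retained or destroyed."""
    due: List[Tuple[str, str]] = []
    unclassified: List[str] = []
    for rec in records:
        rule = schedule.get(rec.classification)
        if rule is None:
            unclassified.append(rec.record_id)
            continue
        reason = destruction_reason(rec, rule, today)
        if reason is not None:
            due.append((rec.record_id, reason))
    return due, unclassified


# Constructed sample inventory and review date
TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("r1", "pii", date(2023, 1, 15), date(2024, 5, 1)),          # within both limits
    Record("r2", "pii", date(2021, 3, 1), date(2024, 5, 20)),          # older than 2 years
    Record("r3", "confidential", date(2023, 6, 1), date(2023, 9, 1)),  # idle longer than 180 days
    Record("r4", "public", date(2010, 1, 1), date(2010, 1, 1)),        # no limits apply
    Record("r5", "unknown", date(2024, 1, 1), date(2024, 1, 1)),       # label not in schedule
]


def sample_review() -> Tuple[List[Tuple[str, str]], List[str]]:
    return review_records(SAMPLE_RECORDS, SCHEDULE, TODAY)


if __name__ == "__main__":
    due, unclassified = sample_review()
    for record_id, reason in due:
        print(f"destroy {record_id}: {reason}")
    print("unclassified, needs an owner:", unclassified)
```

The age check runs before the inactivity check, so a record that fails both is reported under the rule that is harder to argue with; the reason string is kept because the destruction log should say which schedule entry required it.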
65. Third-Party Governance
● Types of third parties
  ● IaaS – Infrastructure as a Service
    – Provides “bare metal” hardware resources
    – Example: Co-Lo servers
  ● PaaS – Platform as a Service
    – Provides OS or DB
    – Example: Amazon EC2
  ● SaaS – Software as a Service
    – Provides full tool, company just provides the data
66. Third-Party Governance
● SLA – Service Level Agreement
  ● Defines levels of performance and compensation/penalties between providers and customers
● Due Diligence
  ● On-site inspections
  ● Third-party policy reviews
  ● Document exchanges
  ● Independent inspections
  ● Legal review – legal exposure, international concerns
67. To Be Continued, next week...
Check the Syllabus! It's been updated!