CISSP Prep: Ch 1: Security Governance Through Principles and Policies (Sam Bowne)
These are slides from a college course. For more info see https://samsclass.info/125/125_S16.shtml
This chapter is from an awful (ISC)2 book I abandoned. All further chapters use a much better textbook.
In today’s business environment, organizations have a responsibility to their employees, clients, and customers to ensure the confidentiality, integrity and availability of the critical data that is entrusted to them. Every network is vulnerable to some form of attack. However, it is not enough to simply confirm that a technical vulnerability exists and implement countermeasures; it is critical to repeatedly verify that the countermeasures are in place and working properly throughout the secured network. During this webinar, David Hammarberg, Principal, IT Director, and leader of McKonly & Asbury’s Cybersecurity Practice, will be joined by Partner Michael Hoffner, and they will lead a discussion on a Cybersecurity Risk Management Program, including what it is and how it can prepare your organization for the future.
The ISO27001 standard was revised and a new version was published in 2013. ISO27001 is also becoming a more common information security standard among service providers. This presentation focuses on the recent changes in the 2013 version and also the process for implementing and getting certified for ISO27001.
Following are the key objectives of this presentation:
Provide an introduction to ISO27001 and changes in the 2013 version
Discuss the implementation approach for an Information Security Management System (ISMS) framework
Familiarize the audience with some common challenges in implementation
Information technology is a complex business, at best. While IT can provide amazing benefits, it still requires vigilance and diligence to ensure it is running correctly and that it is secure. A security framework can be an excellent tool to evaluate what you might be missing and confirm that what you are already doing is spot-on correct. This session will discuss the importance of using security frameworks and walk attendees through the NIST Cyber Security Framework to review how the framework functions, how to use a framework, and most importantly, how the use of a framework can and will benefit their organization.
01 Introduction to Information Security.ppt (it160320737038)
A distributed system is a collection of computer programs that utilize computational resources across multiple, separate computation nodes to achieve a common, shared goal. Distributed systems aim to remove bottlenecks or central points of failure from a system.
Information systems in the digital age are complex and expansive, with attack vectors coming in from every angle. This makes analyzing risk challenging, but more critical than ever.
There is a need to better understand the dynamics of modern IT systems, security controls that protect them, and best practices for adherence to today’s GRC requirements.
These slides are from our webinar covering topics like:
· Threats, vulnerabilities, weaknesses – why their difference matters
· How vulnerability scanning can help (and hinder) your efforts
· Security engineering and the system development lifecycle
· High impact activities - application risk rating and threat modeling
Building an effective Information Security Roadmap (Elliott Franklin)
As company information security functions continue to grow each year with increasing attacks and regulations, how are you handling the pressure? Are you constantly battling to run the business projects and reacting to customer requests? Have you blocked off a few hours each week on your calendar to close your email, turn off your phone and try to build, assess and maintain an effective vision for your security team? This presentation will discuss a cascading approach to creating such a roadmap that is easily understood by executives and has helped gain quick buy-in for multiple enterprise-wide security projects.
Information security officers will need to become involved in privacy issues to maintain relevance in the future. This session will provide the fundamentals of information privacy and building of a privacy program, touching on US, EU, Canadian and other global privacy laws to provide a foundation to begin to intelligently discuss the privacy issues.
(Source: RSA Conference USA 2017)
2. Topics in Part 1
• Introduction to Information Security Governance
• Reason for Security Governance
• Security Governance Activities and Results
• Business Alignment
• Roles and Responsibilities
3. Topics in Part 1 (continued)
• Introduction to Information Security Governance (continued)
• Monitoring Responsibilities
• Information Security Governance Metrics
• The Security Balanced Scorecard
• Business Model for Information Security
4. Topics in Part 2
• Security Strategy Development
• Strategy Objectives
• Control Frameworks
• Risk Objectives
• Strategy Resources
• Strategy Development
• Strategy Constraints
11. COBIT
• Control Objectives for Information and Related Technologies
• Developed by IT Governance Institute and ISACA
• Four domains
• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate
12. COBIT
• An IT process framework
• Not primarily a security framework
• 37 processes, including these security- and risk-related ones
13. ISO/IEC 27001
• International standard for information security and risk management
• Two sections: Requirements and Controls
• Highly respected
• Costs $117 for standards documents
• Costs thousands and takes up to 12 months to achieve
17. ISO/IEC 38500
• Governance of IT for the Organization
• International standard for corporate governance of information technology
18. ITIL / ISO/IEC 20000
• IT Infrastructure Library (ITIL)
• Framework of processes for IT service delivery and IT service management
• Developed by the UK
19. HIPAA
• Health Insurance Portability and Accountability Act
• Protection of Electronic Protected Health Information (EPHI)
• Requirements for
• Administrative safeguards
• Physical safeguards
• Technical safeguards
20. NIST SP 800-53
• From US National Institute of Standards and Technology
• NIST Special Publication (SP) 800-53
• "Security and Privacy Controls for Federal Information Systems and Organizations"
• Well-known, widely adopted
• Required for all US gov't systems
• And others handling gov't information
25. Center for Internet Security Critical Security Controls
• CSC framework from the Center for Internet Security (CIS)
• From SANS 20 Critical Security Controls
28. PCI-DSS
• Payment Card Industry Data Security Standard
• From the PCI Standards Council
• Consortium of credit card brands
• Visa, MasterCard, AmEx, Discover, and JCB
40. Standards
• Detailed methods, specifications, brands, and configurations to use throughout the organization
• Similar concerns as policy, but also
• How were standards developed?
• Often from NIST or such groups
• How good are they?
41. Guidelines
• Many organizations don't get further than creating policies and standards
• Proper guidelines indicate maturity
• Guidance how to adhere to policy
42. Processes and Procedures
• Documents indicate maturity
• Interviews of personnel required to assess effectiveness
• And whether processes are carried out as designed
43. Architecture
• Layout of infrastructure
• Technical debt
• Poor design
• Outdated and unsupported components
44. Controls
• Controls may be only on paper, not practice
• Examine:
• Control owners
• Purpose and scope
• May be part of a control framework
• ISO27001, NIST 800-53, HIPAA, PCI
46. Metrics
• Guide long-term effectiveness of controls
• Consider target audience
• See if metrics were delivered
• If they were used to make tactical or strategic changes
48. Risk Ledger
• History and findings from risk assessments, threat assessments, vulnerability assessments, incidents, etc.
• Lack of a risk ledger indicates
• Compliance-based security, or
• Asset-based or ad hoc
• Both low maturity states
51. Critical Data
• Most organizations don't know well where their data is or how it's used
• Especially on cloud services
• BYOD
52. Business Impact Analysis
• Determining Maximum Tolerable Downtime
• For processes and resources
• Cornerstone of Business Continuity and Disaster Recovery planning
• Presence of BIA indicates good maturity
53. Security Incident Log
• May be sparse in immature, compliance-based organizations
• Mature organizations will have post-mortem analysis and direct changes
• Lack of/deficient SIEM
• Training personnel to recognize a security incident
54. Outsourced Services
• Most business apps moving to the cloud
• IaaS, PaaS, SaaS
• Most important: amount of due care
• Third-party risk
• Up-front due diligence
• Relationship risk assessment
• Ongoing due diligence
55. Audits
• Internal and external
• Audit features:
• Objective
• Scope
• Qualifications of auditors
• Audit methodologies
56. Culture
• People are absolutely key
• Technology cannot compensate for bad culture
• Aspects:
• Leadership
• Accountability
• Empowerment
• Security awareness
63. Gap Assessment
• Difference between current and desired state
• Must understand starting point
• Existing/previous strategy
• Security charter, policy, standards, procedures, guidelines, controls
• Risk assessments
• Internal and external audit results
• Security metrics
• Risk ledger
64. Gap Assessment
• Must understand starting point (continued)
• Risk treatment decision records
• Security incident program and records
• Third-party risk
• Business continuity and disaster recovery program
• Security awareness training program
• IT and security projects
65. Examining a Security Program
• Absence of evidence is not evidence of absence
• Freshness, usefulness, and window dressing
• Scope, turf, and politics
• Reading between the lines
• Off the books
• Regulatory requirements
69. Maturity Models
• Level 5 is not the ultimate objective
• For most organizations, levels 2.5 to 3.5 is good enough
• Each control or process may have its own maturity level
70. Road Map Development
• Steps required to achieve a strategic objective
• Next page shows an example for identity and access management
75. Standards Development
• Policies define what is to be done
• Standards define how policies are carried out
• Policies are unspecific but long-lasting
• Standards are specific but change more frequently
77. Examples of Standards
• Protocol
• Vendor
• Configuration
• Programming language
• Methodology
• Such as FAIR risk analysis, OCTAVE security assessments, and SMART for objectives
• Control frameworks
• Such as NIST SP800-53, PCI-DSS, HIPAA, COBIT, and ISO 27002
78. Processes and Procedures
• Identify undocumented processes and procedures and document them
• Develop procedures and standards so there is consistency among processes, procedures, and documents
• Consistent development and review
83. Establishing Communications and Reporting
• Board of directors meetings
• Governance and steering committee meetings
• Security awareness
• Security advisories
• Security incidents
• Metrics
84. Obtaining Management Commitment
• Executives are often unaware of potency of modern threats
• Mistakenly believe they are an unlikely target
• Security strategist must inform management
• Without using FUD (Fear, Uncertainty, and Doubt)
87. Strategy Constraints
• Basic Resistance to Change
• Culture
• Strong or healthy
• Weak
• Culture of fear
88. Strategy Constraints
• Organizational Structure
• Staff Capabilities
• Budget and Cost
• Time
• Legal and Regulatory Obligations
• Acceptable Risk
89. Organizational Inertia
• Operational people performing changes
• Must work slowly and carefully to maintain operational and quality levels
• Learning curve
• Human resistance to change