The document discusses an auditor's perspective on frameworks for information systems security in higher education. It provides an agenda for a session that will help attendees identify business goals and functions, understand critical success factors during an audit, evaluate internal control structures, and learn about available security standards and frameworks. The session will discuss the challenges of auditing higher education from both a high-level and a low-level perspective.
The document provides an overview of frameworks that can be used for information systems security in higher education. It discusses key frameworks like COBIT, ISO 27002, and NIST standards that define controls and best practices. The presentation aims to help attendees understand how to evaluate their internal control structures and security approaches based on recognized standards and frameworks.
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man... - PECB
Organizations need to implement a risk management strategy in order to mitigate and, whenever possible, eliminate cyber risks and threats.
ISO/IEC 27032 and ISO 31000 combined help you to manage cyber risks.
Amongst others, the webinar covers:
• ISO/IEC 27032 vs. ISO 31000
• IRTVH Assessment Framework
Presenters:
Sherifat Akinwonmi
Sherifat is a Cyber Security professional with over 12 years of experience across diverse industries including Agriculture, Oil & Energy Services, Pharmaceuticals, Financial and IT services.
She is part of the top 20 Canadian Women in Cybersecurity – ITWC. She is also a Business Information Security Officer (BISO) with one of the top banks in North America.
Sherifat is a member of several boards, including the Advisory Board for Canadian Women in Cybersecurity and the Girls & Women Technological Empowerment Organization (GWTEO).
She has a great passion and interest in enabling women in their professional careers. She volunteers her time mentoring young people to launch their careers in Technology and supports the less privileged.
Geary Sikich
Geary Sikich is a Senior Crisis Management Consultant at Health Care Service Corporation (HCSC). Prior to joining HCSC, Geary was a Principal with Logical Management Systems, Corp., a management consulting and executive education firm with a focus on enterprise risk management, contingency planning, executive education and issues analysis. Geary developed LMSCARVER(tm), the "Active Analysis" framework, which directly links key value drivers to operating processes and activities. LMSCARVER(tm) provides a framework that enables a progressive approach to business planning, scenario planning, performance assessment and goal setting.
Prior to founding Logical Management Systems, Corp. in 1985, Geary held a number of senior operational management positions in a variety of industry sectors. Geary served in the U.S. Army, where he was responsible for the initial concept design and testing of the U.S. Army's National Training Center and other related activities. Geary holds an M.Ed. in Counseling and Guidance from the University of Texas at El Paso and a B.S. in Criminology from Indiana State University.
Geary has developed and taught courses for Norwich University, University of Nevada Reno, George Washington University and University of California Berkeley. He is active in Executive Education, where he has developed and delivered courses in enterprise risk management, contingency planning, performance management and analytics. Geary is a frequent speaker on business continuity issues and business performance management.
Date: October 12, 2022
BSIDES DETROIT 2015: Data breaches cost of doing business - Joel Cardella
Joel Cardella has over 20 years of experience in IT, including infrastructure operations, data centers, sales support, network operations, and security. He provides his email and Twitter contact information. The document discusses using a risk-based approach to cybersecurity and focusing on reducing risks to the business using positive return on investment. It provides examples of security strategies and a layered security model.
This presentation was discussed in a Webinar with MetricStream in September 2016. It is applicable for small, medium and large businesses when considering information and cyber security risk.
This document provides an overview of information security best practices for small businesses. It discusses the importance of information security for small businesses, common threats such as cybercrime and malicious software. It outlines the key components of information security as people, processes, and technology. It provides recommendations for security policies, backups, access controls, firewalls, software updates, and secure practices for email, wireless networks, and online activities. The document emphasizes establishing security as a foundational part of running a successful small business.
DeltaV Security - Don't Let Your Business Be Caught Without It - Emerson Exchange
The document provides a framework for conducting a cybersecurity risk assessment for industrial control systems. It discusses assessing vulnerabilities and risks, determining likelihood and impact, and using a risk matrix to prioritize risks. The framework involves periodically assessing risks, updating protections, and maintaining security over time. It emphasizes tailoring assessments to individual business needs and gaining management support through a disciplined, business-focused approach.
Delivered at Trend Micro's Executive Briefing events in Sydney and Melbourne, 5-6 June 2017, on Australia's new Mandatory Data Breach Notification legislation. YouTube video available at https://youtu.be/j5nmY916H7k
Role of The Board In IT Governance & Cyber Security - Steve Howse - CGTI
This document discusses I.T. strategy, risk management, and governance. It begins with an introduction of Steve Howse, the president of Millington & Associates, and his background. The document then discusses what I.T. strategy and governance entail and why they are important. It introduces the "20 questions" framework as a tool to assess I.T. strategy, risk, and governance. The questions are categorized into strategic issues, internal control issues, and risk issues. The document dives deeper into examples of risks and what organizations can do to address risks such as dedicating board members to I.T. committees and ensuring business continuity plans are tested.
1) Many businesses are not properly leveraging IT controls and compliance, which could help mitigate financial risks from data loss or theft. Only 1 in 10 firms have strong IT controls in place.
2) Those with strong controls experience fewer disruptions to their business and data losses than companies with weak controls. Companies with weak controls can face declines in revenue, customers, and stock price due to data breaches.
3) Implementing proper IT controls is important for protecting a company's reputation and limiting liability. Controls can help prevent data theft and the high costs associated with it.
Addressing Future Risks and Legal Challenges of Insider Threats - Forcepoint LLC
Get an in-depth analysis of the framework of insider threats, its legal considerations and global privacy implications, and best practices to build an effective insider threat program.
5 Steps to Securing Your Company's Crown Jewels - IBM Security
Today's critical business data is under constant threat, which is why enterprises must apply adequate data protection for their data security measures. Companies that fail to make data protection an everyday priority run the risk of losing money, losing business and destroying their reputations.
This document discusses effective cyber security risk management through protection beyond compliance. It begins by introducing Vikas Bhatia, the founder and CEO of Kalki, who has over 18 years of experience in information security management. It then discusses how to assess risk by considering likelihood and impact, and how to determine where an organization is least prepared. It provides findings from research on how breaches have influenced board attention on cybersecurity and perceptions of effectiveness. It suggests improving board understanding of cybersecurity issues and risks. Overall, the document advocates for moving beyond compliance to properly manage cybersecurity risks.
1.5 Pages are required
You have been hired as a security specialist by a company to provide methods and recommendations to create a more secure environment for company data.
Write a 1- to 2-page recommendation paper outlining methods the company should consider to protect access to data, including recommendations for policies to be enacted that will increase data security.
Submit your assignment using the Assignment Files tab.
Security Policies
Investing the time and money needed to develop security policies that protect information systems is a crucial aspect of business continuity, yet many companies cut corners and spend little time on this until a critical event occurs. In that scenario, data is compromised while key stakeholders point fingers and blame others for the lack of a solid security plan. Implementing security policies and procedures increases data security and thereby decreases the threat of potential security breaches. This paper will highlight security policies that can help protect data and information systems.
Security Policy #1
The first recommended security policy to help protect access to data is to implement a requirements-based access control policy. Requirements-based access control specifies the level of access a user has and controls what he or she can reach. The easiest way to do this, for example, is to create groups and group policies in Active Directory Domain Services that specify each group's level of access. When new employees are hired and added to Active Directory, they are assigned to the group for their department and receive that group's baseline level of access. From there, access can be granted or removed for an individual user, but every user starts from a known baseline. This is an important concept because it keeps lower-level users from accessing confidential documents they have no business reading. Users will log in to workstations with a provided username and will be required to set a complex passphrase to gain access to the system.
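The policy above describes the pattern in words: a department group carries the baseline permissions, new hires inherit it by membership, and individual exceptions are layered on top of that baseline. The following script is an added example of how an administrator would put that in place with the ActiveDirectory PowerShell module (RSAT) and NTFS permissions; it is not part of the original paper. The domain (CORP / corp.example), the OU path, the group name Finance-Staff, the share \\fs01\Finance, the user jdoe and the policy name Staff-Passphrase are all assumed for illustration.

```powershell
# Added example (not from the original paper). Hypothetical names throughout:
# domain CORP / corp.example, OU=Groups, share \\fs01\Finance, user jdoe.
Import-Module ActiveDirectory

$ou      = "OU=Groups,DC=corp,DC=example"
$group   = "Finance-Staff"
$share   = "\\fs01\Finance"
$newHire = "jdoe"

# 1. One security group per department carries the baseline permissions.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $ou
}

# 2. New hires inherit the baseline by group membership, never by per-user ACEs.
Add-ADGroupMember -Identity $group -Members $newHire

# 3. Grant the group, not individuals, on the data. Break inheritance and drop the
#    catch-all 'Domain Users' entry first, otherwise the department boundary is moot.
$acl = Get-Acl -Path $share
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting permissive parent ACEs
$acl.Access | Where-Object { $_.IdentityReference -like "*\Domain Users" } |
    ForEach-Object { $null = $acl.RemoveAccessRule($_) }
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "CORP\$group", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# 4. A per-user exception is an explicit Deny ACE on that user. NTFS evaluates
#    explicit Deny before any Allow the user receives through a group, so the
#    baseline stays intact and the exception is visible in the ACL.
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "CORP\$newHire", "Delete", "ContainerInherit,ObjectInherit", "None", "Deny")
$acl.AddAccessRule($deny)
Set-Acl -Path $share -AclObject $acl

# 5. The complex-passphrase requirement, scoped to the group with a fine-grained
#    password policy (needs Windows Server 2008 or later domain functional level).
New-ADFineGrainedPasswordPolicy -Name "Staff-Passphrase" -Precedence 10 `
    -MinPasswordLength 15 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -LockoutThreshold 10 -LockoutDuration "00:15:00" -LockoutObservationWindow "00:15:00"
Add-ADFineGrainedPasswordPolicySubject -Identity "Staff-Passphrase" -Subjects $group

# 6. Audit check: which groups does the user actually hold, and what does the
#    share's ACL really say? Run this before and after onboarding or a transfer.
Get-ADPrincipalGroupMembership -Identity $newHire | Select-Object -ExpandProperty Name
(Get-Acl -Path $share).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Two points a reviewer would check here: step 3 deliberately removes inherited entries, because a group-based baseline is meaningless if "Domain Users" or "Everyone" still reaches the share through the parent folder; and step 6 reads back effective membership rather than trusting the group you just populated, since nested groups and stale memberships from a previous department are the usual way a "baseline" silently becomes broader than intended.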
Security Policy #2
To improve our data security, access to the main server and equipment room will be limited. Key-card access will be granted only to approved Network Engineers. This is more secure than allowing every user who holds a key card to enter the room. A system that controls each user's individual access to specific rooms from their key card provides better all-around security and also helps prevent unauthorized users from entering rooms without a key card. Currently, the main server room remains unlocked during and after business hours. It is too accessible to unauthorized employees, visitors, vendors and customers. While we do have video surveillance inside and outside of the building, the cameras currently do not record footage of any.
This document provides an overview of building a business case and selecting an environmental, health, and safety management information system (EHS MIS) platform. It discusses the 7 key steps in building a business case, including finding catalysts, knowing stakeholders, analyzing the current and future states, developing solutions, consolidating value, estimating financials, and presenting the case. It also outlines the 5 key stages and 12 key steps in selecting an EHS MIS platform, such as developing needs analysis, force ranking needs, separating wants from needs, requesting vendor information and demos, conducting sandbox trials, checking references, and working with internal IT.
The document provides tips for IT security professionals to effectively communicate security risks to the board of directors. It advises understanding the board's risk tolerance, identifying who owns the risks, exploring risk management frameworks, focusing presentations on solutions rather than problems, and emphasizing how risks impact business operations and the bottom line. The overall goal is to reassure the board that the company is protected while gaining their trust and support for security initiatives.
PCI. HIPAA. CFPB. We're KILLING small businesses with over-regulation in the name of security, while turning a blind eye to the fact that the cost of over-regulation is doing more harm than good, distracting business owners from realistically focusing on the risks that apply to their companies. It's time to have an open, honest conversation about a "common sense" security framework.
ConnXus myCBC Webinar Series: Cybersecurity Risks to Your Business - ConnXus
This presentation is part of the ConnXus myCBC Webinar Series. Tom Moore, Process and Technology Innovation at Altabos, covers the essentials of cybersecurity and how to minimize risks. Tom covers how to identify risks, evaluate the solutions, and ensure your company is prepared.
Audit and Compliance BDR Knowledge Training - Tory Quinton
The document discusses challenges related to access governance, segregation of duties, change tracking, and litigation mitigation in organizations. It provides details on common access governance challenges, the importance of segregation of duties and change tracking, and the consequences of security events and importance of compliance policies.
Cybersecurity risk assessments help organizations identify.pdf - TheWalkerGroup1
Cybersecurity risk assessments help organizations identify, manage and mitigate all forms of cyber risk. It is a critical component of any comprehensive data protection strategy.
A security policy should outline the key items in an organization that need to be protected. This might include the company's network, its physical building, and more. It also needs to outline the potential threats to those items. If the document focuses on cyber security, threats could include those from the inside, such as the possibility that disgruntled employees will steal important information or launch an internal virus on the company's network.
Security policy
A security policy is a written document in an organization outlining how to protect the organization from threats, including computer security threats, and how to handle situations when they do occur.
A security policy is an overall statement of intent that dictates what role security plays within the organization. Security policies can be organizational policies, issue-specific policies, or system-specific policies, or a combination of all of these.
[https://www.sciencedirect.com/topics/computer-science/security-policy]
A security policy is a document that states in writing how a company plans to protect the company's physical and information technology (IT) assets.
Why do you need a security policy?
A security policy contains pre-approved organizational procedures that tell you exactly what you need to do in order to prevent security problems and the next steps if you are ever faced with a data breach. Security problems can include:
Confidentiality – people obtaining or disclosing information inappropriately
Data Integrity – information being altered or erroneously validated, whether deliberately or accidentally
Availability – information not being available when it is required, or being available to more users than is appropriate
At the very least, having a security
2015 LOMA Conference - Third party risk management - Session 20 - Marc S. Sokol
The document discusses implementing an effective third party risk management program. It notes diverse challenges companies face including low interest rates, economic issues, and growing cyber threats. It highlights common issues in third party risk management like lack of due diligence and oversight. The document outlines 12 categories of third party risk and presents a framework for assessing risk. It notes how many breaches originate with third parties and examples of companies impacted. The framework involves validating the risk appetite, evaluating inherent risks, controls, and determining the residual risk.
1. The document summarizes an interview with Malcolm Harkins, Chief Security and Trust Officer at Cylance, about preventing malware infections and how organizations struggle to keep up with prevention methods and identifying risks.
2. Harkins notes that organizations suffer from alert fatigue and are unable to keep up with the constant "whack-a-mole" of security issues. He suggests deploying lightweight prevention agents that can work both online and offline.
3. When asked about how customers struggle, Harkins says they need solutions to reduce risks, lower security costs, and decrease friction between security and business operations. Most organizations find it difficult to continuously manage all the new technologies, software, and third parties joining
This document provides information security recommendations and best practices for small businesses. It discusses identifying critical business assets, safeguarding people, processes, and technology. Specific recommendations include implementing policies, access controls, backups, antivirus software, firewalls, wireless security, software patching, and employee training. The document emphasizes establishing a strong security foundation through assessing risks and prioritizing asset protection based on confidentiality, integrity, and availability needs.
The document discusses organizational security and how human factors are often the weak link. It provides examples of common user errors that compromise security and shows that many breaches are still caused by internal sources like employees. While technology can help, the key is getting management buy-in and creating security awareness programs, policies, and response plans that involve the entire organization and account for human and technical aspects of security.
Week 8 discussion Maintenance Tasks – Operational and Maintenanc.docx - helzerpatrina
Week 8 discussion
Maintenance Tasks – Operational and Maintenance (O&M) costs make up a large portion of the total cost of ownership (TCO), regardless of system “size”. It is said that O&M costs make up the lion’s share of cost throughout the system’s life cycle, and ongoing expenses can determine the economic lifespan of a system. Maintenance tasks can be broken down into four (4) categories:
1. Corrective Maintenance
2. Adaptive Maintenance
3. Perfective Maintenance
4. Preventive Maintenance
The process of “racking & stacking” these maintenance tasks is no small feat; especially for a large system. This is why most firms implement a Change Control Board (CCB; or, you may have heard it referred to as a Configuration Control Board—they are synonymous in nature). Even though the lead systems analyst is typically on this board, they do not decide the priority of these maintenance tasks—however, it is imperative that they understand the nature of each maintenance category.
For this discussion:
1. Properly describe each of the maintenance categories
2. Give a specific example of each maintenance category, either using the class case study or a system that you are familiar with, and
3. Assign each example a specific priority (level 3 being the lowest; level 1 being the highest), based on your knowledge of the system—explain in detail “why” you would give it that specific priority.
INFORMATION GOVERNANCE
Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offices in North America, Europe, Asia, and Australia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers' professional and personal knowledge and understanding.
The Wiley CIO series provides information, tools, and insights to IT executives and managers. The products in this series cover a wide range of topics that supply strategic and implementation guidance on the latest technology trends, leadership, and emerging best practices.
Titles in the Wiley CIO series include:
The Agile Architecture Revolution: How Cloud Computing, REST-Based SOA, and Mobile Computing Are Changing Enterprise IT by Jason Bloomberg
Big Data, Big Analytics: Emerging Business Intelligence and Analytic Trends for Today's Businesses by Michael Minelli, Michele Chambers, and Ambiga Dhiraj
The Chief Information Officer's Body of Knowledge: People, Process, and Technology by Dean Lane
CIO Best Practices: Enabling Strategic Value with Information Technology (Second Edition) by Joe Stenzel, Randy Betancourt, Gary Cokins, Alyssa Farrell, Bill Flemming, Michael H. Hugos, Jonathan Hujsak, and Karl Schubert
The CIO Playbook: Strategies and Best Practices for IT Leaders to Deliver Value by Nicholas R. Colisto
Enterprise Performance Management Done Right: An Operating System for Your Organization by Ron Dimon
Executive's Guide to Virtual Worlds: How Avatars Are Transformin ...
A CIRO's-eye view of Digital Risk Management - Daren Dunkel
The document discusses an interview with James Christiansen, VP of Information Risk Management for Optiv Security, which was formed from the merger of Accuvant and Fishnet Security. Christiansen discusses how the role of CISO is changing to focus more broadly on information risk management (CIRO). He emphasizes the importance of aligning cybersecurity spending with business objectives and risk exposure. In an ideal security program, there would be clear governance, reporting to the executive team, and balance between protective measures, visibility, and incident response capabilities. The document ends by discussing questions boards should ask executives about cybersecurity risks and oversight of the security program.
The document discusses the challenges faced by corporate privacy departments and how they can better align with other business functions. It recommends that privacy departments find synergies with information security, product development, legal and other teams. It provides examples of how privacy can collaborate with different departments on tasks like product analysis, incident response and metrics. The document also outlines good practices for privacy programs, such as using recognized frameworks, conducting privacy assessments and demonstrating value through objective metrics.
Building Production Ready Search Pipelines with Spark and Milvus - Zilliz
Spark is a widely used ETL tool for processing, indexing and ingesting data into the serving stack for search. Milvus is a production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to the Milvus vector database for search serving.
1) Many businesses are not properly leveraging IT controls and compliance, which could help mitigate financial risks from data loss or theft. Only 1 in 10 firms have strong IT controls in place.
2) Those with strong controls experience fewer disruptions to their business and data losses than companies with weak controls. Companies with weak controls can face declines in revenue, customers, and stock price due to data breaches.
3) Implementing proper IT controls is important for protecting a company's reputation and limiting liability. Controls can help prevent data theft and the high costs associated with it.
Addressing Future Risks and Legal Challenges of Insider ThreatsForcepoint LLC
Get an in-depth analysis of the framework of insider threats, its legal considerations and global privacy implications, and best practices to build an effective insider threat program.
5 Steps to Securing Your Company's Crown JewelsIBM Security
Today's critical business data is under constant threat, which is why enterprises must apply adequate data protection for their data security measures. Companies that fail to make data protection an everyday priority run the risk of losing money, losing business and destroying their reputations.
This document discusses effective cyber security risk management through protection beyond compliance. It begins by introducing Vikas Bhatia, the founder and CEO of Kalki, who has over 18 years of experience in information security management. It then discusses how to assess risk by considering likelihood and impact, and how to determine where an organization is least prepared. It provides findings from research on how breaches have influenced board attention on cybersecurity and perceptions of effectiveness. It suggests improving board understanding of cybersecurity issues and risks. Overall, the document advocates for moving beyond compliance to properly manage cybersecurity risks.
1.5 Pages are required
You have been hired as a security specialist by a company to provide methods and recommendations to create a more secure environment for company data.
Write a 1- to 2-page recommendation paper outlining methods the company should consider to protect access to data, including recommendations for policies to be enacted that will increase data security.
Submit your assignment using the Assignment Files tab.
Security Policies
Investing time and money needed to work on developing security policies to better protect information systems is a crucial aspect of business continuity, yet many companies attempt to cut corners and spend little time on this until a critical event occurs. In this scenario, data is compromised while key stakeholders begin to point fingers and blame others for lack of a solid security plan. Implementing security policies and procedures can increase data security thereby decreasing the threat of potential security breaches. This paper will highlight security policies that can help protect data and information systems.
Security Policy #1
The first recommended Security Policy to help protect access to data is to implement a requirements-based access control policy. Requirements-based access control specifies the level of access a user has and controls what he/she has access to. The easiest way of doing this, for example, would be to create groups/group policies in Active Directory Domain Services that specify each group's level of access. This way, when new employees are hired, once they are added in Active Directory they can be assigned to the department or group they are in and receive a basic level of access. Moving forward, a user can be modified at the user level to gain access or have access removed, but will at least have a baseline of what they can access. This is a very important concept, as it keeps lower-level users from accessing confidential documents that they have no business accessing. Users will log in to workstations with a provided username and will be required to set up a complex passphrase to gain access to the system.
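The group-baseline-plus-overrides policy described above, as an added example (this is not code from the paper, and it is not Active Directory itself; group, user and resource names are constructed sample data). It shows the two properties the paragraph relies on: a new hire gets nothing beyond the department baseline, and a user-level removal cannot be undone by membership in another group.

```python
"""Group-based access baseline with user-level overrides.

Added example: not code from the paper above, and not Active Directory
itself. It models the policy the paragraph describes (a department group
grants a baseline, a user can then be granted extra access or have access
removed individually) and makes the safe defaults explicit. Group, user and
resource names are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    groups: set[str]
    extra_grants: set[str] = field(default_factory=set)  # added at user level
    revocations: set[str] = field(default_factory=set)   # removed at user level


# Baseline access per department group (constructed; stands in for AD groups).
GROUP_ACCESS: dict[str, set[str]] = {
    "Staff": {"intranet"},
    "HR": {"intranet", "hr-records"},
    "Finance": {"intranet", "ledger"},
    "NetworkEngineers": {"intranet", "network-config", "server-room"},
}


def onboard(name: str, department: str) -> User:
    """A new hire gets only the baseline of their department plus Staff.

    No individual grants are made at onboarding; anything beyond the
    baseline has to be an explicit, user-level decision later.
    """
    return User(name=name, groups={"Staff", department})


def effective_access(user: User) -> set[str]:
    """Union of group baselines plus user-level grants, minus revocations.

    A user-level revocation always wins, so removing access from one person
    cannot be silently undone by membership in another group.
    """
    baseline: set[str] = set()
    for group in user.groups:
        # An unknown group grants nothing rather than failing open.
        baseline |= GROUP_ACCESS.get(group, set())
    return (baseline | user.extra_grants) - user.revocations


def can_access(user: User, resource: str) -> bool:
    """Default deny: only resources in the effective set are reachable."""
    return resource in effective_access(user)


if __name__ == "__main__":
    alice = onboard("alice", "HR")
    print(sorted(effective_access(alice)))   # ['hr-records', 'intranet']
    bob = onboard("bob", "Finance")
    bob.revocations.add("ledger")            # access removed at user level
    print(can_access(bob, "ledger"))         # False
    print(can_access(alice, "server-room"))  # False
```

The deny-wins rule in `effective_access` is the design choice worth copying into a real directory setup: per-user removals should be implemented as explicit deny entries, not by hoping no other group membership re-grants the same resource.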
Security Policy #2
To further improve our data security, access to the main server and equipment room will be limited. Key card access will be granted only to approved Network Engineers. This provides better security than allowing every user who holds a key card to enter the room. Implementing a system that lets us control users' individual access to specific rooms through their key cards allows for better all-around security. It also helps prevent unauthorized users from gaining access to rooms without a key card. Currently, the main server room remains unlocked during and after business hours. It is too accessible to unauthorized employees, visitors, vendors, and customers. While we do have video surveillance inside and outside of the building, the cameras currently do not record footage of any.
A security policy should outline the key items in an organization that need to be protected. This might include the company's network, its physical building, and more. It also needs to outline the potential threats to those items. If the document focuses on cyber security, threats could include those from the inside, such as the possibility that disgruntled employees will steal important information or launch an internal virus on the company's network.
Security policy
A security policy is a written document in an organization outlining how to protect the organization from threats, including computer security threats, and how to handle situations when they do occur.
A security policy is an overall statement of intent that dictates what role security plays within the organization. Security policies can be organizational policies, issue-specific policies, or system-specific policies, or a combination of all of these. [https://www.sciencedirect.com/topics/computer-science/security-policy]
A security policy is a document that states in writing how a company plans to protect the company's physical and information technology (IT) assets.
Why do you need a security policy?
A security policy contains pre-approved organizational procedures that tell you exactly what you need to do in order to prevent security problems, and the next steps if you are ever faced with a data breach. Security problems can include:
Confidentiality – people obtaining or disclosing information inappropriately
Data Integrity – information being altered or erroneously validated, whether deliberately or accidentally
Availability – information not being available when it is required, or being available to more users than is appropriate
At the very least, having a security
(★★ For making this content the author used various online resources; it is shared here only for those who want to know something about it. This content is not entirely the author's own creation or intellectual property.)
1. An Auditor's Perspective on Frameworks for Information Systems Security in Higher Education
Erwin “Chris” Carrow, University System of Georgia
Brian Markham, University of Maryland, College Park
Copyright Erwin L. Carrow & Brian Markham 2009. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author and other identified entities. To disseminate otherwise or to republish requires written permission from the author. Videos and specific graphics presented are not for public distribution.
2. Session Agenda
Key Takeaways and Introductions
What Makes Higher Education Different
Business Risk and Functional Practices
Internal Controls: Quick Overview
Frameworks for Security
Specific Guidance and Standards
Additional Audit Considerations
Q&A
3. Key Takeaways
At the end of this session you should be able to:
Identify business goals, functions, and associated roles and risk;
Understand the critical success factors during an audit;
Evaluate the internal control structure of your environment;
Know the standards and frameworks available for use in your environment.
4. Your Session Guides
Erwin “Chris” Carrow - IT Auditor,
University System of Georgia Board of Regents
High level
General focus
Brian Markham - IT Compliance Specialist,
University of Maryland at College Park
Low level
Specific focus
5. Auditing Higher Education: Challenges and Business Requirements
Where are you at? Can seem like … HERDING CATS!
EDS “Cat Herding” 1:07 minutes
6. What Makes Higher Education Similar and Yet Different?
Universities are not Corporations, but …
Herding Cats may be a common or predominant phenomenon
Business functions and processes are similar
Objectives, rules and requirements are similar
Resources, e.g., people, information, infrastructure, applications, etc.
Different set of risks, challenges, and regulatory mandates
“Open System” Attitude (moving target)! “Academic Freedom” is a privilege, not a right!
Diversity of administrative operational requirements
Diversity of instructional and faculty requirements
Operational and Functional sides of the house are not always in agreement – leadership changes and challenges do exist!
Freedom of information
Difficulties in blocking or outlawing certain risky behaviors
Mandate to safeguard information and information systems
Bottom-line: Environment must foster Learning and Research!
7. Auditors Ask the Question… What High Criticality Risks Exist?
Categories of risk that may or may not apply:
Strategic: Affects the entity’s ability to achieve goals and objectives
Compliance: Affects compliance with laws and regulations, safety and environmental issues, litigation, conflicts of interest, etc.
Reputational: Affects reputation, public perception, political issues, etc.
Financial: Affects loss of assets, technology, etc.
Operational: Affects on-going management processes and procedures
9. Threats and the Facts
Privacy Rights Clearinghouse, Chronology of Data Breaches: 2,500,000 reported since January 2005 [www.privacyrights.org/ar/ChronDataBreaches.htm]
Ponemon – HRH 2008 Privacy Breach Index Survey (Sept 2008)
Self evaluation of overall performance of organization: 9% gave an “A”, 31% gave a “B”, 26% gave a “C”, 29% gave a “D”, 5% gave an “F” [www.HRH.com/privacy]
80% believed their organizations experienced information system data breaches and loss of customer and personal information
50% Negligence, 29% Third-Party, 3% Hacker, 1% other criminal activity
36% 1 to 4 breaches involving 100 or more records; 32% 5 to 8; 31% 9 or more
11. Regulatory Standards
FERPA, FISMA, HIPAA, PCI DSS, SOX, NCAA, A-21, A-133, PATRIOT, GLBA, ADA, CAA, CWA, OSHA, FLSA, FMLA, EEO, and possibly many others!
State, Local, and University System and Institution Guidelines
“Due Negligence” violations have cost institutions financially, but few if any individuals have gone to jail for lack of compliance
Reputational losses are the critical issue!
Avoid FUD – Fear, Uncertainty, and Doubt
12. Information Security and Compliance Responsibilities
Know and comply with Federal, State, Local, and University System and Institution Regulations
Talk to auditors, colleagues, peers, and administrators about information and information system regulatory compliance and security
Make the “alphabet soup” and security a top priority when evaluating new systems and initiatives
Understand how the regulations trickle down through policies, standards, procedures, and the people involved (in a practical way)
13. What should a Risk Assessment identify about our environment?
What are the risks?
What are the impacts?
What is the likelihood it will happen?
Who is involved?
Are we willing to accept the risk?
What are we currently doing to mitigate this risk? Is it working like we think it should?
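The assessment questions on this slide, together with the risk categories from slide 7, turned into a scored risk register as an added example (not the presenters' material). The 1-5 likelihood and impact scales, the appetite threshold and the sample risks are constructed assumptions; the point it adds is that a control is only credited when it has been shown to work, which is the slide's last question.

```python
"""Scoring a risk register against the slide's assessment questions.

Added example, not from the presentation: it records, for each risk, what
the risk is, who is involved, its likelihood and impact, what is currently
done to mitigate it and whether that control is known to work, then answers
"are we willing to accept the risk?" against an appetite threshold. The 1-5
scales, the appetite value and the sample risks are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

RISK_APPETITE = 8  # assumed: residual scores above this cannot simply be accepted


@dataclass
class Risk:
    name: str
    category: str              # Strategic, Compliance, Reputational, Financial, Operational
    owner: str                 # who is involved / accountable
    likelihood: int            # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                # 1 (negligible) .. 5 (severe), assumed scale
    control: str               # what we currently do to mitigate (may be empty)
    control_effective: bool    # has the control been tested and shown to work?
    control_reduction: int = 0  # likelihood points the control removes when it works

    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be 1..5")
        if not 0 <= self.control_reduction < self.likelihood:
            raise ValueError(f"{self.name}: a control cannot reduce likelihood below 1")


def inherent_score(risk: Risk) -> int:
    """Likelihood times impact before any control is credited."""
    return risk.likelihood * risk.impact


def residual_score(risk: Risk) -> int:
    """Credit a control only if it is known to work; an untested or failed
    control leaves the inherent risk untouched ("is it working like we think?")."""
    if not risk.control_effective:
        return inherent_score(risk)
    return (risk.likelihood - risk.control_reduction) * risk.impact


def decision(risk: Risk) -> str:
    """Accept within appetite; otherwise fix a control that exists but does
    not work, or treat the risk with a new control."""
    if residual_score(risk) <= RISK_APPETITE:
        return "accept"
    if risk.control and not risk.control_effective:
        return "fix control"
    return "treat"


def prioritise(register: list[Risk]) -> list[tuple[str, int, str]]:
    """Highest residual risk first, each with its decision."""
    return sorted(
        ((r.name, residual_score(r), decision(r)) for r in register),
        key=lambda row: -row[1],
    )


# Constructed sample register (names and scores are illustrative only).
SAMPLE_REGISTER = [
    Risk("Lost laptop with student records", "Compliance", "CIO",
         likelihood=4, impact=4, control="full-disk encryption",
         control_effective=True, control_reduction=3),
    Risk("Server room left unlocked", "Operational", "Facilities",
         likelihood=5, impact=4, control="video surveillance",
         control_effective=False, control_reduction=2),
    Risk("Grades shared by e-mail spreadsheet", "Compliance", "Registrar",
         likelihood=3, impact=5, control="", control_effective=False),
]

if __name__ == "__main__":
    for name, score, action in prioritise(SAMPLE_REGISTER):
        print(f"{score:2d}  {action:12s} {name}")
```

Run stand-alone it lists the unlocked server room first (score 20, "fix control", because a camera that is not recording earns no credit), the spreadsheet second (15, "treat"), and the encrypted laptop last (4, "accept").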
14. Making the Lose/Lose Situation … a Win/Win
A PERFECT information technology operational environment or risk prevention assurance system does not exist (e.g., IT Trunk Monkey)!
Priority directed to likely threats for known vulnerabilities by:
Affirming good controls and practices
Uncovering unknown vulnerabilities or inappropriate practices
Focus upon what is essential for the success of your institution's “Business Functions,” which comprise:
Business Rules or Requirements: A statement that defines or constrains some aspect of the business. It is intended to assert business structure or to control or influence the behavior of the business.
Business Standards or Practices: A related group of business processes that support some aspects of the mission of an enterprise.
15. Doing Business and Dealing with the Nuts
The Old Way…! Assessing Risk?
20th Century FOX “Ice Age” 1:55 min/sec
16. Nuts Can Be Challenging
Business Process – Gathering and Storing NUTS and the Big Squeeze
Tasks of Dealing with the NUTS –
1. Gather Nuts
2. Store Nuts
3. The Big Squeeze?
Operational versus Functional needs!
What are the Associated Risks?
20th Century FOX “Ice Age”
17. In Time, Nut Requirements Change
The New Way …! Risk Assessment?
20th Century FOX “Ice Age 2: The Meltdown” 55 sec
18. Different Nuts, Different Methods
History has a Way of Repeating Itself!
Old Ways can Influence
New Ways of …,
Different Business
Requirements – Use of
Different Methods
(Variety of NUTS)
Sometimes the NUTS
get Bigger and Harder
to CRACK
Risk may Change or
Increase!
20th Century FOX “Ice Age 2: The Meltdown”
19. Making Peanut Butter Out of Nuts
Moral: Life is Always Going to Be a Little Squirrelly
Business function Goals and
Objectives can make the IT
requirements a little NUTTY
Risk Implications associated
with IT Implementations are
NOT always CONSIDERED
Clearly Define the Task: Try
making PEANUT BUTTER
out of a difficult situation – it
is easier to Store
WHERE DO YOU START?
20th Century FOX “Ice Age 2: The Meltdown”
20. Know Yourself – Know Your Enemy!
The Art of War (Chinese: 孫子兵法; pinyin: Sūn Zǐ Bīng Fǎ) is a Chinese military
treatise that was written during the 6th century BC by Sun Tzu.
Two Possible (not Recommended) Responses to the Challenge
Freak Out: Embrace Hopelessness, Hide, Ignore, Deny, and Play
Computer games until the Inevitable Occurs
Idealistic and Unrealistic: Do the “Don Quixote (To Dream the
Impossible Dream and Fight the Impossible Fight)” - Wear yourself
out Fighting Windmills by shooting at whatever pops its head out!
Third Approach: “How do you Eat the Elephant standing in the corner,
instead of Avoiding it?” Take ONE BITE at a time by…
Strategizing a Response
Create a deliberate Long term Plan
Identify Short term Objectives and Milestones
Gain Key Shareholder ownership of the challenges
Test and Monitor the process with Identifiable Outcomes
Start with Business Functions – Gathering and Storing of NUTS
21. Business Functions (other Nuts)
It still comes down to …, Business Needs and Outcomes
Goals or Objectives
Rules and Requirements
Identifying critical business functions
Finance and Accounting
Financial Aid
Human Resources
Registration
Student Services
Other administrative functions
Identify the departments and the key personnel,
e.g., Business owner, Trustees and Stewards
Identify the systems that support these functions
How are the people and systems integrated into the
business process?
What internal controls exist to mitigate risk?
22. Business Function’s Objective, Requirements, Resources, and Practices
YOU MUST KNOW … What Business Principles are in Operation?
Reasons: Why you do things a certain Way
Control Objectives for Information and related Technology (COBIT®)
23. Business Functions and their
Characteristics
Control Objectives for Information and related Technology (COBIT®)
24. Business Function Information
from Origin to Destination
Identify how the information travels and is managed
throughout the business function life cycle!
How packets of data are managed, provisioned,
formatted, and transferred throughout business
functions
How information is handled per its classification and
intended use
Assess information and information system security
from various perspectives
Who are the business owners, trustees, and stewards?
26. Risk Assessment Flow
The methodology for auditing the information and information systems
for compliance and security is a Top Down process
Business Goals to Standards and Practices
Business Function to Information System
Leadership (administrator) to Technician or Staff member (end user)
Assess Requirements, Resources, and Processes
The approach will focus on key business functions and their associated
Business Goals and Objectives as it relates to the audited entity e.g.,
Identity and Access Control Management (IAM), Perimeter and Network
Security (NETSEC), etc.
Once identified and agreed upon for each business function, the key
associated requirements, resources, and processes will be identified
and assessed to determine if high or critical risk is being managed.
Focus on Control Practices and Responsibility / Accountability
associated with key activities, with CMMI level 3 as the expected
criterion for High Risk Critical processes.
27. Principles for Consideration
1st Top-down Risk Based identification of threats and
vulnerabilities for key Business processes and related IT
support processes, e.g., change management, access security,
operations, etc. (General Risk Assessment)
2nd Control of IT Risks that affect critical IT functionality in
financially significant applications and related data
(Particularized Risk Assessment)
3rd Layered Controls to mitigate risk for application
program code, databases, operating systems, and the
network (Operational processes that align with precedence of
Risk)
4th Risk mitigation based upon Business and Control
objectives (not the limitations of individual controls), have a
Framework, structure, and methodology to support your risk
strategy
28. When Assessing for Risk …
Risk assessment evaluates components of
information, information system security and
compliance as it relates to the business function
Assess → Mitigate / Monitor → Re-Assess (repeating cycle)
Ongoing risk management program must be in
place
Business owner or key shareholder must own the
process
Establish a standard for considering and negotiating
risk
Annual (periodic) risk assessment deliverable with
recommendations for corrective action
Clearly define and document accepted risk –
someone needs to sign off on the responsibility
29. Risk Mitigation
Once risks are identified, they must be mitigated via internal controls
Internal Controls: a practice approved by management to mitigate risk
or produce a desired outcome in a business process for implementing
and enforcing information security and compliance
Preventive - controls to stop the problem from occurring
Detective - controls to find the problem
Corrective - controls to repair the problem after detection
Administrative - policies, standards, guidelines, and procedures
Technical - controls using hardware or software for processing
and analysis
Physical - controls to implement barriers or deterrents
Document and retain artifacts.
Design → Document → Implement
Test the controls prior to implementation to validate expectations
Monitor results
Re-test controls periodically.
30. High Level IT Control Model
[Layered control model diagram; only its labels survive extraction:]
Executive Management
Business Processes: Procurement; Accounts Payable; Accounts Receivable/Claiming; Programs and Operations
Application Controls
IT General Controls
IT Services: OS/Data/Telecom/Continuity/Networks
Agency Level IT Considerations
*End User Computing*
31. Re-Assess Risks
Risk Assessments are an on-going exercise;
Track mitigation strategies, did they work?
What “Framework(s)” are being applied?
Is there an identifiable “Structure” in place e.g., risk
management program?
Is the “Methodology” recognizable, e.g.,
documented and not arbitrary?
Are you using Tools to monitor, manage, and
validate the associated processes?
Test, re-test controls (Design and Effectiveness)
Document test results, corrective actions, changes
in business needs/requirements.
32. Better Controls =
Improved Security
IT Security comes down to presence and
effectiveness of internal controls;
Weak controls = weak security
Audits are an evaluation of controls, audits are
FREE consulting services!
All of the security practices that we utilize are really
just controls, from firewalls to IPS to virus
scanning.
How these controls come together ultimately
determines our overall control environment (and
our control gaps).
Framework?
33. Frameworks for IT Security
COBIT - High level business objectives and
outcomes
ISO & NIST - Standards and checklists for
consideration
Criteria - CMMI
CIS - Tools
ITIL - Process Models
Any framework is better than NO framework!
Frameworks map to structure which should produce
a consistent methodology for addressing risk
Be able to explain …!
How it was derived
Why your strategy makes sense
How it manages risk
34. COBIT
Developed by the ITGI (Current v4.1)
Value of IT, Risk, and Control
Links IT service delivery to business requirements
(already defined, right?)
A lifecycle; constantly adapting, improving, re-adapting
Four Responsibility Domains:
Plan and Organize (PO)
Acquire and Implement (AI)
Deliver and Support (DS)
Monitor and Evaluate (ME)
Make a grocery list of needs and then go shopping
37. ISO 27002
Code of Practice for Information Security
Management
Divides IT Security into 11 Categories (Clauses)
Defines key controls over specific sub-categories
Defines implementation guidance for each key
control
39 Control Objectives with 139 Controls
Control objectives are generic functional
requirement specifications for an organization’s
information and information system security
management control architecture
39. ISO 27002
Benefits:
ISO 27002 is a very hands-on control guideline
DIY Framework, no consultants required
Proactive – not reactive.
Certification
Less stressful audits!
How do we get to ISO 27002?
Evaluate/Implement Key Controls;
This will require policies/processes/procedures;
Executive level buy-in;
Team effort, IT Security is EVERYONE'S responsibility.
40. NIST
NIST offers security guidance in many areas
Special Publications
Useful high level governance standards and
practices
Practically every IT security subject is covered here
Written for the Feds but very useful for any
organization
Current government agency 2007 self-assessment
average grade is “C-”, e.g., Academic probation
http://csrc.nist.gov/publications/PubsSPs.html
42. Center for Internet Security (CIS)
CIS Benchmarks provide guidelines for operating
systems and databases;
User originated, widely accepted, and reflect the
consensus of expert users worldwide;
Compliance with these benchmarks will reduce
findings and lead to more secure computing
platforms
Some benchmarks include:
Windows Server
Solaris
Oracle
Exchange
43. Center for Internet Security (CIS)
Use benchmarks from CIS for standard builds of
servers, databases, and applications;
A self-appraisal/audit of current systems, builds;
Hardening guide to ward off attacks;
CIS certifies automated tools. Some providers
include:
Belarc
CA
ConfigureSoft
Symantec
Tenable
Tripwire
44. CMMI
An identifiable criterion by which you should
be evaluated!
Capability Maturity Model Integrated created
by the Software Engineering Institute (SEI)
Level 0 - 5 (Non-Existent to Optimized)
45. CMMI
Variants of the CMMI: CMM & ISO 15504
Identifies WHERE you are at in the application of IT risk
mitigation controls and HOW to get to the next level
Levels of Application
Level 0: No Recognizable Process, though one is needed
Level 1: Process is Ad-hoc and performed by key
individuals
Level 2: Process is Repeatable, but not controlled
Level 3: Process is Defined & Documented and
periodically Evaluated
Level 4: Managed & Measurable; effective Internal
Controls with Risk Management
Level 5: Optimized Enterprise wide risk and control
program
46. CMMI
Capability Maturity Model Integrated created by
the Software Engineering Institute (SEI)
Level 0 - 5 (Non-Existent to Optimized)
Auditors need to be able to do more than “take
someone's word for it”
Therefore … Level 3 is a minimum requirement
Defined processes
Documented processes to identify risk and
associate roles and responsibility to mitigate risk
Processes in place to periodically review and
evaluate controls
47. What Does Evidence Look Like?
Definition: Evidence must be Sufficient, Reliable and Relevant
The various types of audit evidence that the IS auditor may consider using
include:
Observed processes and existence of physical items, e.g., A
computer room security system in operation
Documentary audit evidence, e.g., Activity and control logs,
System development documentation
Representations, e.g., Written policies and procedures, System
flowcharts, Written or oral statements
Analysis, e.g., Benchmarking IS performance against other
organizations or past periods; Comparison of error rates between
applications, transactions and users
Evidence gathering procedures considered are: Inquiry,
Observation, Inspection, Confirmation, Re-performance, and
Monitoring
Audit evidence should be useful to form an opinion or support the
findings and conclusions.
Evidence gathered should be appropriately documented and
organized to support the findings and conclusions.
48. ITIL - Process Modeling
When you don’t have a good understanding of “what
right looks like”
Models most “Industry Standard “ information and
information system technology processes
When in doubt “check it out and test it out”
Maps to COBIT
Complementary to NIST and ISO
Helps to provide a starting place
Caution - can be overly complicated
49. Example of IAM - Audited Entity to be
Assessed for Risk
IAM: Identity and Access Control Management
Identity Management: the management of user
credentials and the means by which users might log
onto and use various systems or resources, e.g.,
the provisioning and de-provisioning of student,
faculty, staff, and outside agency identities
Access Control: the mechanisms in place to permit
or deny the use of a particular resource by a
particular entity, e.g., technical or administrative
controls to allow or deny access to file shares
50. Users Involved in Business Functions and Types of
System Information?
(Provisioning of High Risk or Critical Information)
Business Functional responsibility for assigning “Rights & Permissions” to
various roles within the organization
Business Owner: Responsible for the provisioning and delegation of the
processes or functions and associated privileges, e.g., Payroll, Registrar,
FinAid, HR, ConEd, etc.
Trustees: Responsible to maintain trust granted by Business owner, e.g.,
“Worker Bees” in the associated departments that conduct day to day
operations
Stewards: Responsible to service and support the business function,
typically provide a technical system or infrastructure to facilitate business
needs, e.g., Information Technology Services, etc.
Types of Information (Data Classification) per institution or university
system standards
Unrestricted / Public: No consequence typically general information
Sensitive: typically references legal or externally imposed constraints
that require this restriction
Confidential: highest level of restriction, applies to the risk or harm that
may result from disclosure or inappropriate use, e.g., FERPA
51. Example associated Key Process –
Ecommerce e.g., One Card System
COBIT high level framework for controls relating to the Ecommerce
systems
Plan and Organize (PO) — Provides direction to solution delivery (AI) and
service delivery (DS): PO1, PO4, PO5, PO6, PO8, PO9, PO10, and PO11
Acquire and Implement (AI) —Provides the solutions and passes them to
be turned into services AI5 and AI4
Deliver and Support (DS) —Receives the solutions and makes them usable
for end users: DS1, DS5 and DS11
Map the requirements to your preferred checklist, e.g. NIST or ISO
Requirements for Ecommerce Complement other Processes
Less work required for other system implementations
No duplication of effort if requirements are properly addressed
Identity Management applies to many other process
requirements, e.g., Applications, Operating Systems, and Databases
52. Example: Identity and Access Control
Management (IAM) COBIT Slide 1
COBIT 4.1 DS5.3 Identity Management
Ensure that all users (internal, external and temporary) and their
activity on IT systems (business application, IT environment, system
operations, development and maintenance) are uniquely identifiable.
Enable user identities via authentication mechanisms.
Confirm that user access rights to systems and data are in line with
defined and documented business needs and that job requirements
are attached to user identities.
Ensure that user access rights are requested by user management,
approved by system owners and implemented by the security-responsible
person.
Maintain user identities and access rights in a central repository.
Deploy cost-effective technical and procedural measures, and keep
them current to establish user identification, implement
authentication and enforce access rights.
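The DS5.3 expectations above can be re-performed by an auditor against an export of the central repository. This is an added example (not the presentation's or COBIT's own code) that checks three of them over constructed sample data: every active account maps to one accountable person, every granted right has a request from user management that a system owner approved, and separated people hold no active access. All account, person, system and role names are invented.

```python
"""Re-performance check for COBIT 4.1 DS5.3 (example added here, not from the
presentation). Findings are (check, account_id, detail) tuples an auditor can
carry into the work papers as documentary evidence. All data is constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    account_id: str
    person_id: Optional[str]   # None = shared/generic account, no accountable person
    active: bool
    rights: frozenset          # {(system, role), ...} currently granted


@dataclass(frozen=True)
class Approval:
    person_id: str
    system: str
    role: str
    requested_by: str          # user management (the person's manager)
    approved_by: str           # system owner; "" means never approved


def reconcile(accounts, approvals, separated):
    """Compare granted rights with documented requests and approvals."""
    fully_approved = {(a.person_id, a.system, a.role)
                      for a in approvals if a.requested_by and a.approved_by}
    requested_only = {(a.person_id, a.system, a.role)
                      for a in approvals if a.requested_by and not a.approved_by}
    findings = []
    for acct in accounts:
        if not acct.active:
            continue                      # disabled accounts grant no effective access
        if acct.person_id is None:        # DS5.3: users must be uniquely identifiable
            findings.append(("not_uniquely_identifiable", acct.account_id,
                             "shared account with no accountable person"))
            continue
        if acct.person_id in separated:   # de-provisioning did not happen
            findings.append(("separated_still_active", acct.account_id,
                             f"{acct.person_id} separated but account still active"))
        for system, role in sorted(acct.rights):
            key = (acct.person_id, system, role)
            if key in fully_approved:
                continue
            if key in requested_only:     # requested by management, no owner sign-off
                findings.append(("not_owner_approved", acct.account_id,
                                 f"{system}/{role} lacks system-owner approval"))
            else:                         # nothing on file ties the right to a need
                findings.append(("no_documented_request", acct.account_id,
                                 f"{system}/{role} has no request on file"))
    return findings


def sample_findings():
    """Run the check over a constructed repository export (sample data)."""
    accounts = [
        Account("jdoe", "P001", True, frozenset({("SIS", "registrar_clerk")})),
        Account("asmith", "P002", True, frozenset({("HR", "payroll_admin"),
                                                   ("SIS", "registrar_clerk")})),
        Account("bjones", "P003", True, frozenset({("FinAid", "viewer")})),
        Account("fin_shared", None, True, frozenset({("FinAid", "viewer")})),
        Account("clee", "P004", False, frozenset({("HR", "viewer")})),
        Account("dpark", "P005", True, frozenset({("SIS", "admin")})),
    ]
    approvals = [
        Approval("P001", "SIS", "registrar_clerk", "mgr-registrar", "owner-sis"),
        Approval("P002", "HR", "payroll_admin", "mgr-hr", "owner-hr"),
        Approval("P002", "SIS", "registrar_clerk", "mgr-hr", ""),
        Approval("P003", "FinAid", "viewer", "mgr-finaid", "owner-finaid"),
    ]
    return reconcile(accounts, approvals, separated={"P003"})


if __name__ == "__main__":
    for check, account, detail in sample_findings():
        print(f"{check:28} {account:12} {detail}")
```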
53. Example: Identity and Access Control
Management (IAM) COBIT Slide 2
Logical Didactic Approach - DS5.3 Identity Management (How it is
Evaluated)
Control over the IT process of Ensure systems security that satisfies the business
requirement for IT of maintaining the integrity of information and processing
infrastructure and minimizing the impact of security vulnerabilities and incidents
By focusing on
defining IT security policies, plans and procedures, and monitoring, detecting,
reporting and resolving security vulnerabilities and incidents
Is achieved by
Understanding security requirements, vulnerabilities and threats
Managing user identities and authorizations in a standardized manner
Testing security regularly
And is measured by
Number of incidents damaging the organization's reputation with the public
Number of systems where security requirements are not met
Number of violations in segregation of duties
54. How to Measure Success?
Maturity Model – CMMI DS5 Snapshot (Criteria)
DS5 Ensure Systems Security - Management of the process of Ensure systems security that
satisfies the business requirements for IT of maintaining the integrity of
information and processing infrastructure and minimizing the impact of security
vulnerabilities and incidents is:
0 Non-existent when The organization does not recognize the need for IT security. Responsibilities and accountabilities are not assigned … There is a
complete lack of a recognizable system security administration process.
1 Initial/Ad Hoc when The organization recognizes the need for IT security. Awareness of the need for security depends primarily on the individual. IT
security is addressed on a reactive basis. IT security is not measured. Detected IT security breaches invoke finger-pointing responses, … to IT
security breaches are unpredictable.
2 Repeatable but Intuitive when Responsibilities and accountabilities for IT security are assigned to an IT security …, although the management
authority ... Awareness of the need for security is fragmented and limited. Although security-relevant information …, it is not analyzed. IT security is
seen primarily as the responsibility and domain of IT and the business does not see IT security as within its domain.
3 Defined when Security awareness exists and is promoted by management. IT security procedures are defined and aligned with IT security policy.
Responsibilities for IT security are assigned and understood, but not consistently enforced. An IT security plan and security solutions exist as
driven by risk analysis. Reporting on security does not contain a clear business focus. Ad hoc security testing (e.g., intrusion testing) is performed.
Security training is available for IT and the business, but is only informally scheduled and managed.
4 Managed and Measurable when Responsibilities for IT security are clearly assigned, managed and enforced. IT security risk and impact analysis is
consistently performed. Security policies and procedures are completed with specific security baselines. .... User identification, authentication
and authorization are standardized. Security certification is pursued for staff members ... . Security testing is completed using standard and
formalized processes, leading to improvements of security levels. …. IT security reporting is linked to business objectives. IT security training is
conducted …. IT security training is planned and managed in a manner that responds to business needs and defined security risk profiles. Goals and
metrics for security management have been defined but are not yet measured.
5 Optimized when IT security is a joint responsibility of business and IT management and is integrated with corporate security business
objectives. IT security requirements are clearly defined, optimized and included in an approved security plan. Users and customers are increasingly
accountable for defining security requirements, and security functions are integrated with applications at the design stage. Security
incidents are promptly addressed with formalized incident response procedures supported by automated tools. Periodic security assessments are
conducted to evaluate the effectiveness of the implementation of the security plan. Information on threats and vulnerabilities is systematically
collected and analyzed. Adequate controls to mitigate risks are promptly communicated ….
55. COBIT 4.01 Standards to NIST Mapping –Integration with
other Standards (Alignment of IT Controls to Mitigate Risk)
57. Additional Considerations
Develop a strong working relationship with your
auditors
Communicate with them even when not being
audited (typically the loneliest folks on campus)!
Challenge and question their defined and
documented processes for auditing (IIA)
Understand what auditors are looking for and why
Ask them where they see the risk and why
Run questions by them (VM Ware)
Some auditors are fallible, but …, NOT Brian or Chris
(joke)!
58. Call to Action & Challenge
“Birds of a Feather, Flock Together” or
“Life is For the Birds” Be Different?
PIXAR “For the Birds” 3:16 minutes
59. Thank you for your participation
- any questions?
Higher Education is Different!
Understanding Business Risk and
Functional Practices are critical
Internal Controls must be defined,
documented, and reviewed
Choose and apply a security Framework
that provides identifiable structure and
an effective methodology to address risk
Lots of guidance: standards, tools and
modeled processes to emulate
Internal Auditors can be a valuable
resource!
60. Helpful Resources
CIS Benchmarks - http://www.cisecurity.org/benchmarks.html
IIA - www.theiia.org
ISACA - www.isaca.org
ISC(2) - www.isc2.org
ISO - www.iso.org
ITGI - www.itgi.org
NIST - csrc.nist.gov
NSA - www.nsa.gov
IASE - iase.disa.mil
Web App Consortium - www.webappsec.org
EDUCAUSE - educause.edu/security
Univ. Austin Texas Sec. - security.utexas.edu
Univ. Cornell Sec. - www.cit.cornell.edu/security
Virginia Tech Sec. - security.vt.edu
Ga. Tech Info Sec. Center - www.gtisc.gatech.edu
61. Last minute additions…
Thanks to the feedback of some of our participants, we
wanted to add the following:
While CMMI is a maturity model, it is still primarily
aimed towards software delivery. You may want to look
into CMMI for service (SVC) and acquisition. Check
them out here. The maturity model in COBIT is
separate from CMM but is the same basic idea.
The ISO 27000 series in its entirety is worth a look.
Check them out here.
COBIT & ITIL are less technical/IT Security related,
NIST and ISO, more so. Keep this in mind when
selecting a framework.