The document discusses security policy development and data classification methods. It covers developing a security policy that aligns with business objectives, is understandable, uniform, and legally compliant. It also discusses classifying data into public, sensitive, private and confidential categories and having data owners and custodians define appropriate access controls for each classification. The document recommends implementing security awareness training tailored for senior management, staff and technical employees.
This document provides an overview of an employee's responsibilities regarding information security as a government of Canada employee. It discusses classifying documents as protected or classified based on the potential harm if compromised. It also covers marking documents with security classifications, appropriate storage and handling of sensitive materials, distributing information on a need-to-know basis, removing classifications when no longer needed, and destroying materials securely. The document aims to ensure employees are aware of proper processes for managing sensitive information throughout its lifecycle within the government.
Manage your Information Security Management System (ISMS) with Odoo - Maxime Chambreuil
1) The document discusses managing an ISO27001-certified information security management system (ISMS) using Odoo.
2) It provides background on how Savoir-faire Linux implemented an ISMS using EBIOS methodology for information security analysis to meet requirements for new markets and projects.
3) Key terms are defined including primary asset, supporting asset, threat source, controls, vector, and feared event as part of risk analysis in the EBIOS process.
How to write an IT security policy guide - Tareq Hanaysha
This document provides guidance on writing an effective network security policy. It explains that writing security policies is challenging and requires understanding what should be included and who is responsible. The author developed a Network Security Policy Manual (NSPM) based on standards from ISF and ISO to provide an example. When writing policies, it is important to transform standard language into enforceable policy statements, avoid defining specific technologies, and ensure all sections work together cohesively. Maintaining and updating the security policy is crucial to protecting organizational assets and data.
This document discusses information security management systems (ISMS). It defines information and its lifecycle, including how information can be created, stored, processed, transmitted, used, lost, corrupted, etc. It then defines the key aspects of information security - integrity, availability, and confidentiality. It emphasizes that information is a valuable asset for organizations that needs to be protected. The document outlines some of the main components of establishing an ISMS, including risk management, policies, training, and processes. It also discusses ISO 27001 as the international standard for ISMS and its various control areas.
This document discusses securing customer privacy and computer security. It proposes a database model that incorporates principles of Hippocratic databases by adding privacy metadata to data collection, querying, retention, and access controls. The model aims to lawfully collect and maintain accurate data, securely store data for specified retention periods, and disclose data only to authorized users according to specified purposes and retention times. This type of fine-grained access control and data restriction is intended to build customer confidence in the company.
This document outlines various strategic management and planning frameworks including the rational model, PESTEL analysis, Porter's five forces, scenario planning, SWOT analysis, the value chain, product life cycle analysis, benchmarking, and stakeholder mapping. It also discusses corporate strategy topics such as developing a global business, portfolio analysis, methods of growth, and organizational structure types. Key performance metrics and supply chain management strategies are mentioned as well.
This document outlines questions to consider from four different lenses: world, industry, organization, and leader. The world lens focuses on understanding the global context and its implications. The industry lens examines how global trends impact the relevant industry. The organization lens looks at how industry changes affect the specific organization. The leader lens considers what the organization needs from its leaders and the legacy they hope to leave behind.
The document discusses various threats to information systems and the need for controls to protect systems. It describes common threats like accidents, natural disasters, sabotage, theft, and unauthorized access. It then discusses different strategies for information security controls, including containment, deterrence, obfuscation, and recovery. It also outlines specific types of controls like physical, biometric, telecommunications, failure, and auditing controls. Finally, it discusses techniques for controlling information systems, such as security policies, passwords, encryption, procedures, user validation, and backup protocols.
Statistical database, problems and mitigation - Bikrant Gautam
The document discusses techniques for securing statistical databases from inference attacks. It defines statistical databases and inference, and outlines the problem of inference where individual records can be inferred from aggregate statistics. It then formalizes statistical queries and defines what comprises a compromised database. Common techniques for preventing compromise are described, including query restriction, data perturbation, output perturbation, and conceptual approaches. Specific inference control systems are outlined, such as approximate data swapping, random sample queries, fixed perturbation, and query-based perturbation. Metrics for evaluating technique effectiveness are discussed. The document concludes that no generally applicable solution can fully provide both security and unbiased statistics, and relaxation of goals or tailoring to specific database types may be needed.
The document discusses three lenses for viewing strategy development: strategy as design, strategy as experience, and strategy as ideas. Strategy as design views strategy as a rational, analytic process. Strategy as experience sees strategies developing gradually from existing strategies. Strategy as ideas views strategy emerging from variety and diversity within and around organizations. The document also discusses implications of strategy development such as incremental development and the difference between intended and realized strategies.
The document discusses reading and writing data files in Arena simulation software. It covers reading entity arrivals from text files, as well as reading and writing Microsoft Access and Excel files. It also discusses using ActiveX and Visual Basic for Applications (VBA) to customize and integrate Arena simulations, including creating modules and programming events.
Designing With Lenses (UxLx, CHIFOO, BigD) - Bill Scott
Given at CHIFOO in Portland, OR (4/7/2010), UxLx in Lisbon, Portugal (May 2010) & BigD in Dallas, TX (May 2010)
In any field of design, designers can enhance their craft by studying the work of others. Through the careful exercise of breaking down real-world solutions into their underlying principles and patterns, previous lessons can be applied to new sets of problems we encounter. Designing for web interfaces is no different. By necessity we are constantly searching for inspiration and practical guidance in solving the problems we face as designers each day. A powerful approach is to capture these lessons into “design lenses”. A design lens allows you to view the user experience through the eyes of a single design principle. Lenses were originally created for game design but are just as powerful for user experience design.
In this talk, Bill introduces the idea of design lenses and discusses several lenses inspired by fields of study as diverse as theater, magic, game & car design, Shaker furniture, motion graphics, and comics for inspiration in designing rich, interactive interfaces. By teasing out some of the key takeaways from each of these disciplines, a fresh light can be shed on our own corner of the design universe.
FellowBuddy.com is an innovative platform that brings students together to share notes, exam papers, study guides, project reports and presentations for upcoming exams.
We connect students who have an understanding of course material with students who need help.
Benefits:
# Students can catch up on notes they missed because of an absence.
# Underachievers can find peer-developed notes that break down lecture and study material in a way that they can understand.
# Students can earn better grades, save time and study effectively.
Our Vision & Mission - Simplifying Students' Lives
Our Belief – “The great breakthrough in your life comes when you realize it, that you can learn anything you need to learn; to accomplish any goal that you have set for yourself. This means there are no limits on what you can be, have or do.”
Like Us - https://www.facebook.com/FellowBuddycom
The document summarizes a simulation study conducted on a restaurant called "Canes" to analyze customer waiting times. The original scenario showed long wait times when customers decided orders at the counter. An alternative scenario assumed customers pre-decided orders. Simulation results showed the alternative scenario significantly reduced average wait time, time in system, and queue length while increasing customers served. It was recommended the restaurant display menus by the queue to help customers pre-decide orders.
Strategic planning plays roles in communicating and controlling strategy, rather than formulating it. Strategy often emerges informally based on experience within an organization's culture. Planning draws together emerging strategy and provides structure, but does not direct its development. Intended strategy results from formal planning, but emergent strategy develops through everyday activities. Both routes influence realized strategy.
This document simulates the SM Paints production facility using ARENA simulation software, makes improvements using OptQuest software, and analyses data from the current-state simulation to recommend ways of achieving the desired level of productivity.
This document summarizes a simulation project to optimize the process at a university campus Subway outlet. The current process leads to long wait times during lunch hours. The simulation models the current process and a proposed process with additional resources. Model 2, which adds one employee each to the order counter and billing counter, reduces average wait times and total time in the system based on the simulation results and statistical analysis. Therefore, hiring two new employees is recommended to improve customer experience and satisfaction.
The document discusses developing effective information security policies through a multi-step process. It begins with defining different types of policies like enterprise, issue-specific, and systems-specific policies. It then outlines the key phases to developing policies which include investigation, analysis, design, implementation, and maintenance. Specific guidance is provided for each phase, such as conducting a risk assessment in investigation and specifying enforcement in design. Effective policy development requires planning, funding, participation from stakeholders, and periodic reviews.
The document introduces perturbation methods as a way to solve functional equations that describe economic problems. It presents a basic real business cycle model as an example problem that can be solved using perturbation methods. Specifically, it:
1) Defines the real business cycle model as a functional equation system that is difficult to solve directly.
2) Proposes using perturbation methods by introducing a small perturbation parameter (the standard deviation of technology shocks) and solving the problem when this parameter equals zero.
3) Expands the decision rules as Taylor series in terms of the state variables and perturbation parameter to build a local approximation around the deterministic steady state. This leads to a system of equations that can be solved order-by-order for
1. Generalized audit software is a common computer-assisted audit tool that mines and analyzes data to identify anomalies, errors, and omissions.
2. It provides auditors with direct access to computerized records and the ability to efficiently deal with large quantities of data.
3. Generalized audit software packages can perform tasks like footings and balancing of files, selecting and reporting data, statistical sampling, and comparing files to identify differences.
This document discusses deadlocks in database systems. It explains that deadlocks occur when two or more competing actions get stuck waiting on each other to finish. It then provides an example of a deadlock between two dogs, Tony and Jake, fighting over bones. It demonstrates how to detect and debug deadlocks using MySQL status commands and log files. Finally, it offers best practices like defining proper indexes to avoid deadlocks and handling them through retry logic or manual locking.
The document outlines the key concepts to be covered in the BUSM 3200 Strategic Management course, including defining strategy, different levels of strategy, the exploring strategy model, and strategic choices and positioning. Students are required to purchase the specified textbook to complete assignments, case studies, and exam preparation. The course will examine strategy from multiple perspectives and how strategies are formulated and implemented at different organizational levels.
An international strategy involves selling goods or services outside a company's domestic market to access new opportunities. A global strategy unifies a company's approach worldwide with limited variations. While global strategies offer benefits like economies of scale, they also involve substantial costs to implement worldwide brands, production, and management coordination. Whether and how to pursue a global strategy depends on balancing these benefits and costs for a company's specific products and industries.
This document provides an overview of access control concepts and topics relevant to the CISSP certification. It defines access control as the mechanisms that grant or revoke the right to access data or perform actions on an information system. The document outlines key access control topics like identification, authentication, authorization, accountability, access control models, and monitoring. It also discusses access control principles such as least privilege and separation of duties.
This document discusses strategic management concepts related to international business strategies. It covers several key points:
1. It outlines learning outcomes related to assessing international market potential, identifying sources of competitive advantage, distinguishing international strategy types, and evaluating market entry options.
2. It introduces frameworks for international strategy and the difference between international versus global strategies.
3. It discusses strategic motives for entering foreign markets such as accessing new customers, exploiting core competencies, achieving lower costs, and spreading business risk.
The document discusses information security management systems (ISMS) and the ISO 27001 standard. It provides an overview of ISMS, describing their role in systematically managing information security. It then outlines the key aspects of ISO 27001, including its 11 domains that cover information security areas like policies, asset management, access control, and compliance. The document emphasizes that ISO 27001 certification provides organizations benefits like increased credibility, assurance for partners and authorities, and a competitive advantage.
This document discusses globalization and international strategy. It defines globalization and discusses its levels, features, drivers, approaches, stages, benefits, and ill effects. It also discusses globalization policy suggestions from the UNDP, India's strengths and challenges for globalization, and entry strategies for international business. The document is a lecture on globalization and international strategy presented by Prof. S P Das.
SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System) - Biswajit Bhattacharjee
This document discusses information system security and controls. It begins by defining an information system as the organized collection, processing, transmission, and spreading of information according to defined procedures. Security policies, procedures, and technical measures are used to prevent unauthorized access, alteration, theft, or damage to information systems. Controls ensure the safety of organizational assets, accuracy of records, and adherence to management standards. The document then examines principles of security including confidentiality, integrity, and availability. It also discusses system vulnerabilities, threats, and various security measures.
Information Security 365 -- Policies, Data Classification, Employee Training ... - Nicholas Davis
This is a sample of a lecture from the Information Security 365/765 semester long course, which I am teaching at the University of Wisconsin-Madison, this Fall.
Information systems 365 lecture three - Performing an IT Security Risk Analysis - Nicholas Davis
Lecture 3 slides for the Information Systems 365/765 class I teach at UW-Madison. If you ever had the urge to perform a 5 step quantitative IT Security Risk Analysis, then this is for you!
Statistical database, problems and mitigationBikrant Gautam
The document discusses techniques for securing statistical databases from inference attacks. It defines statistical databases and inference, and outlines the problem of inference where individual records can be inferred from aggregate statistics. It then formalizes statistical queries and defines what comprises a compromised database. Common techniques for preventing compromise are described, including query restriction, data perturbation, output perturbation, and conceptual approaches. Specific inference control systems are outlined, such as approximate data swapping, random sample queries, fixed perturbation, and query-based perturbation. Metrics for evaluating technique effectiveness are discussed. The document concludes that no generally applicable solution can fully provide both security and unbiased statistics, and relaxation of goals or tailoring to specific database types may be needed.
The document discusses three lenses for viewing strategy development: strategy as design, strategy as experience, and strategy as ideas. Strategy as design views strategy as a rational, analytic process. Strategy as experience sees strategies developing gradually from existing strategies. Strategy as ideas views strategy emerging from variety and diversity within and around organizations. The document also discusses implications of strategy development such as incremental development and the difference between intended and realized strategies.
The document discusses reading and writing data files in Arena simulation software. It covers reading entity arrivals from text files, as well as reading and writing Microsoft Access and Excel files. It also discusses using ActiveX and Visual Basic for Applications (VBA) to customize and integrate Arena simulations, including creating modules and programming events.
Designing With Lenses (UxLx, CHIFOO, BigD)Bill Scott
Given CHIFOO in Portland OR (4/7/2010), UxLx in Lisbon, Portugal (May 2010) & BigD in Dallas, TX (May 2010)
In any field of design, designers can enhance their craft by studying the work of others. Through the careful exercise of breaking down real-world solutions into their underlying principles and patterns, previous lessons can be applied to new sets of problems we encounter. Designing for web interfaces is no different. By necessity we are constantly searching for inspiration and practical guidance in solving the problems we face as designers each day. A powerful approach is to capture these lessons into “design lenses”. A design lens allows you to view the user experience through the eyes of a single design principle. Lenses were originally created for game design but are just as powerful for user experience design.
In this talk, Bill introduces the idea of design lenses and discuss several lenses inspired from fields of study as diverse as theater, magic, game & car design, Shaker furniture, motion graphics, and comics for inspiration in designing rich, interactive interfaces. By teasing out some of the key takeaways from each of these disciplines, a fresh light can be shed on our own corner of the design universe.
FellowBuddy.com is an innovative platform that brings students together to share notes, exam papers, study guides, project reports and presentation for upcoming exams.
We connect Students who have an understanding of course material with Students who need help.
Benefits:-
# Students can catch up on notes they missed because of an absence.
# Underachievers can find peer developed notes that break down lecture and study material in a way that they can understand
# Students can earn better grades, save time and study effectively
Our Vision & Mission – Simplifying Students Life
Our Belief – “The great breakthrough in your life comes when you realize it, that you can learn anything you need to learn; to accomplish any goal that you have set for yourself. This means there are no limits on what you can be, have or do.”
Like Us - https://www.facebook.com/FellowBuddycom
The document summarizes a simulation study conducted on a restaurant called "Canes" to analyze customer waiting times. The original scenario showed long wait times when customers decided orders at the counter. An alternative scenario assumed customers pre-decided orders. Simulation results showed the alternative scenario significantly reduced average wait time, time in system, and queue length while increasing customers served. It was recommended the restaurant display menus by the queue to help customers pre-decide orders.
Strategic planning plays roles in communicating and controlling strategy, rather than formulating it. Strategy often emerges informally based on experience within an organization's culture. Planning draws together emerging strategy and provides structure, but does not direct its development. Intended strategy results from formal planning, but emergent strategy develops through everyday activities. Both routes influence realized strategy.
Simulation of SM Paints production facility using ARENA simulation software. Making improvements using OptQuest software, and data analysis of current state simulation, to suggest recommendations for achieving desired level of productivity.
This document summarizes a simulation project to optimize the process at a university campus Subway outlet. The current process leads to long wait times during lunch hours. The simulation models the current process and a proposed process with additional resources. Model 2, which adds one employee each to the order counter and billing counter, reduces average wait times and total time in the system based on the simulation results and statistical analysis. Therefore, hiring two new employees is recommended to improve customer experience and satisfaction.
The document discusses developing effective information security policies through a multi-step process. It begins with defining different types of policies like enterprise, issue-specific, and systems-specific policies. It then outlines the key phases to developing policies which include investigation, analysis, design, implementation, and maintenance. Specific guidance is provided for each phase, such as conducting a risk assessment in investigation and specifying enforcement in design. Effective policy development requires planning, funding, participation from stakeholders, and periodic reviews.
The document introduces perturbation methods as a way to solve functional equations that describe economic problems. It presents a basic real business cycle model as an example problem that can be solved using perturbation methods. Specifically, it:
1) Defines the real business cycle model as a functional equation system that is difficult to solve directly.
2) Proposes using perturbation methods by introducing a small perturbation parameter (the standard deviation of technology shocks) and solving the problem when this parameter equals zero.
3) Expands the decision rules as Taylor series in terms of the state variables and perturbation parameter to build a local approximation around the deterministic steady state. This leads to a system of equations that can be solved order-by-order for
1. Generalized audit software is a common computer-assisted audit tool that mines and analyzes data to identify anomalies, errors, and omissions.
2. It provides auditors with direct access to computerized records and the ability to efficiently deal with large quantities of data.
3. Generalized audit software packages can perform tasks like footings and balancing of files, selecting and reporting data, statistical sampling, and comparing files to identify differences.
This document discusses deadlocks in database systems. It explains that deadlocks occur when two or more competing actions get stuck waiting on each other to finish. It then provides an example of a deadlock between two dogs, Tony and Jake, fighting over bones. It demonstrates how to detect and debug deadlocks using MySQL status commands and log files. Finally, it offers best practices like defining proper indexes to avoid deadlocks and handling them through retry logic or manual locking.
The document outlines the key concepts to be covered in the BUSM 3200 Strategic Management course, including defining strategy, different levels of strategy, the exploring strategy model, and strategic choices and positioning. Students are required to purchase the specified textbook to complete assignments, case studies, and exam preparation. The course will examine strategy from multiple perspectives and how strategies are formulated and implemented at different organizational levels.
An international strategy involves selling goods or services outside a company's domestic market to access new opportunities. A global strategy unifies a company's approach worldwide with limited variations. While global strategies offer benefits like economies of scale, they also involve substantial costs to implement worldwide brands, production, and management coordination. Whether and how to pursue a global strategy depends on balancing these benefits and costs for a company's specific products and industries.
This document provides an overview of access control concepts and topics relevant to the CISSP certification. It defines access control as the mechanisms that grant or revoke the right to access data or perform actions on an information system. The document outlines key access control topics like identification, authentication, authorization, accountability, access control models, and monitoring. It also discusses access control principles such as least privilege and separation of duties.
This document discusses strategic management concepts related to international business strategies. It covers several key points:
1. It outlines learning outcomes related to assessing international market potential, identifying sources of competitive advantage, distinguishing international strategy types, and evaluating market entry options.
2. It introduces frameworks for international strategy and the difference between international versus global strategies.
3. It discusses strategic motives for entering foreign markets such as accessing new customers, exploiting core competencies, achieving lower costs, and spreading business risk.
The document discusses information security management systems (ISMS) and the ISO 27001 standard. It provides an overview of ISMS, describing their role in systematically managing information security. It then outlines the key aspects of ISO 27001, including its 11 domains that cover information security areas like policies, asset management, access control, and compliance. The document emphasizes that ISO 27001 certification provides organizations benefits like increased credibility, assurance for partners and authorities, and a competitive advantage.
This document discusses globalization and international strategy. It defines globalization and discusses its levels, features, drivers, approaches, stages, benefits, and ill effects. It also discusses globalization policy suggestions from the UNDP, India's strengths and challenges for globalization, and entry strategies for international business. The document is a lecture on globalization and international strategy presented by Prof. S P Das.
SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System), by Biswajit Bhattacharjee
This document discusses information system security and controls. It begins by defining an information system as the organized collection, processing, transmission, and spreading of information according to defined procedures. Security policies, procedures, and technical measures are used to prevent unauthorized access, alteration, theft, or damage to information systems. Controls ensure the safety of organizational assets, accuracy of records, and adherence to management standards. The document then examines principles of security including confidentiality, integrity, and availability. It also discusses system vulnerabilities, threats, and various security measures.
Information Security 365 -- Policies, Data Classification, Employee Training ..., by Nicholas Davis
This is a sample of a lecture from the Information Security 365/765 semester long course, which I am teaching at the University of Wisconsin-Madison, this Fall.
Information systems 365 lecture three - Performing an IT Security Risk Analysis, by Nicholas Davis
Lecture 3 slides for the Information Systems 365/765 class I teach at UW-Madison. If you ever had the urge to perform a 5 step quantitative IT Security Risk Analysis, then this is for you!
Roger Walker, REGFORM, Safe(r) Communications, Missouri Water Seminar, Septem..., by Kevin Perry
Roger Walker will present on "SAFE(R) Communications" at the REGFORM Water Conference in Columbia, Missouri on September 10-11, 2015. As an environmental attorney and executive director of REGFORM, Walker will discuss how the modern means of communication like email have changed and can no longer be assumed to be private. He will provide guidance on writing defensively to avoid potential issues and educate attendees on legal tools like attorney-client privilege and work product doctrine to protect sensitive business information.
During week 6 we develop the theory and application of capital bud.docx, by jacksnathalie
During week 6 we develop the theory and application of capital budget analysis. The theory was robust, the calculations mathematically and logically defined, and many of the real-world problems, likely to be encountered, were addressed. As capital budgeting essentially re-invents the company through major long-term expenditures it is arguably one of the most critical functions that financial management performs. However, based on my personal experiences, extensive empirical data, and anecdotal data - many firms routinely experience significant failures in their selection of capital projects.
The assignment for this topic consists of two parts:
1) For your first topic in this conference I would like for you to briefly review either your personal experiences and/or the financial literature to identify and present a description of one actual capital project/product failure and the reasons attributed to the failure. For those of you who do not have personal experiences the following are some illustrated examples of failed projects/products over the last 50 years you may want to look up and consider: -New Coke,- The Iridium Satellite Communication,- the Edsel automobile, Beta (vs. VHS), the Concorde SST, and various Dot Coms. Feel free to research others.
In your response please provide financial information regarding the project (what is available): initial outlay, projected cash flows, final dollar losses.
Remember this is a one to two paragraph exercise - do not go overboard - a few hours research and summation is all that’s required. I am interested only in your short, concise description of the project and the major reasons you believe it failed.
2) Synthesize your one-paragraph position on what 3-5 specific factors you believe most likely to contribute to capital project analysis failure.
CDC IT Security Staff BCP Policy
CSIA 413, Professor Last Name:
Policy Document: IT Business Continuity Plan Policy

Document Control
Organization: Center for Disease and Control (CDC)
Title: CDC IT Security Staff BCP Policy
Author:
Owner: IT Security Staff Manager
Subject: Business Continuity Plan Policy
Review date:

Revision History
Revision Date | Reviser | Previous Version | Description of Revision
No Revisions

Document Approvals
This document requires the following approvals:
Sponsor Approval | Name | Date | Approved

Document Distribution
This document will be distributed to:
Name | Job Title | Email Address
All CDC Security Staff | Information Security Specialist |

Contributors
Development of this policy was assisted through information provided by the following organization:
· CDC and Department of Defense, Health and Homeland Security

Table of Contents
Policy Statement ..... 4
1 Purpose ..... 4
2 Objective ..... 4
3 Scope ..... 5
4 Compliance ..... 5
5 Terms and Definitions ..... 7
6 Risk Identification and Assessment ..... 7
7 Policy ..... 8

Policy Statement
The Center for Disease and Control mission is to protect America from health, safety and security threats, both foreign and in the ...
CLE Presentation: Brian Kaveney, Litigation Partner at Armstrong Teasdale
The choice of a lawyer is an important decision and should not be based solely on this presentation. All rights are reserved and content may not be reproduced, disseminated or transferred, in any form or by means, except with the prior written consent of Armstrong Teasdale.
Rollits Education Focus Newsletter - Autumn 2014, by Pat Coyle
The document discusses the Education Funding Agency's (EFA) new Investigation Publishing Policy, which aims to increase transparency by publishing investigation reports where the EFA has lead responsibility. While the policy seeks to be more open, it also gives the EFA some discretion in publishing decisions. Reports will be evaluated on a case-by-case basis, considering factors like potential harm to individuals or prejudice of other investigations. The policy may concern education providers under investigation but could also help providers learn from other investigations.
The document discusses how ego and popular trends often drive people's behavior more than logic and consciousness, contributing to the creation of systems and organizations with insufficient long-term strength. It also examines how understanding psychological forces, ethics, technical issues, policies, procedures, and change management is important for effectively managing complex industries and organizations. Leaders must ensure technical capabilities align with products, processes, marketing, and customer satisfaction to support the company vision.
This document provides information about multiple security education courses offered by ASIS International, including:
- APC I: Concepts and Methods, a foundational course covering fundamentals of assets protection held in November 2009 in Philadelphia.
- APC II: Practical Applications, a more advanced course applying security principles through case studies and strategies, held in May 2009 in San Francisco.
- APC III, focusing on leadership and management skills for senior security professionals, held in June 2009.
The document outlines the goals, benefits, schedules, locations, costs and registration details for each course. It promotes the courses as opportunities for security professionals to expand their knowledge and networks.
The document summarizes the key findings of the 2011 Global Information Security Workforce Study conducted by Frost & Sullivan. Some of the main points from the summary include:
1) Application vulnerabilities were reported as the number one threat to organizations, with over 20% of security professionals reporting involvement in software development.
2) Mobile devices were the second highest security concern, despite most professionals having policies and tools in place to defend against mobile threats.
3) A skills gap exists as new technologies like cloud computing and social media are being adopted without sufficient security training for professionals. Over 70% needed new skills for cloud security.
4) The information security workforce is projected to grow significantly from 2.28 million in 2010
IT 549 Milestone Four Guidelines and Rubric One of the .docx, by vrickens
IT 549 Milestone Four Guidelines and Rubric
One of the most important aspects of information assurance is ensuring that proper policies and procedures are established within an organization. Without
proper policies and procedures, there would be no order. By implementing appropriate statements of policy and developing effective procedures, IT
administrators ensure that incidents can be appropriately responded to, and that individuals within the organization understand their roles within the
information assurance plan. Individuals in an organization would not be able to adequately understand their roles without the establishment of these statements
of policy.
Prompt: In Module Seven, you will submit your plan pertaining to statements of policy. You will establish protocols and mitigating factors to the organization.
Justify how the disaster response protocols will mitigate the threats to and vulnerabilities of the organization. You will focus on disaster and incident response
protocols as well as access control. Assess your proposed method for maintaining the success of the plan going forward. Justify how your method will ensure the
ongoing effectiveness of the information assurance plan.
Specifically, the following critical elements must be addressed:
IV. Statements of Policy
a) Develop appropriate incident response protocols to respond to the various threats and vulnerabilities identified within the organization.
b) Justify how the incident response protocols will mitigate the threats to and vulnerabilities of the organization. Support your justification with
information assurance research and best practices.
c) Develop appropriate disaster response protocols to respond to the various threats and vulnerabilities identified within the organization.
d) Justify how the disaster response protocols will mitigate the threats to and vulnerabilities of the organization. Support your justification with
information assurance research and best practices.
e) Develop appropriate access control protocols that provide an appropriate amount of protection while allowing users to continue to operate
without denial of service.
f) Justify your access control protocols. Support your justification with information assurance research and best practices.
g) Recommend a method for maintaining the information assurance plan once it has been established.
h) Justify how your maintenance plan will ensure the ongoing effectiveness of the information assurance plan. Support your justification with
information assurance research and best practices.
Rubric
Guidelines for Submission: Your paper must be submitted as a three- to four-page Microsoft Word document with double spacing, 12-point Times New Roman
font, one-inch margins, and at least three sources cited in APA format.
Critical Elements | Proficient (100%) | Needs Improvement (75%) | Not Evident (0%) | Value
Incident Response Protocols | Develops appropriate incid ...
People in health and safety roles are increasingly expected to act like leaders, whatever their level. But what does this really mean? KIRSTIN FERGUSON suggests some approaches.
Alfred B Phillips presented at HRMATT's 9th Biennial Conference to debunk common safety myths and increase companies' bottom lines. He discussed that safety is more than just manuals, accidents can be prevented, and the safety department is not solely responsible for safety. Phillips also defined safety terms, outlined applicable safety laws and standards, and the strategic approach of plan-do-check-act. Additionally, he explained developing a proactive safety culture, modes of accident control, investigating all incidents, management's responsibility for safety, and HR's role in qualifying safety professionals and building accountability.
Signs of Safety - 10 pilots, 10 lessons, by Jo Moriarty
The document summarizes the findings of a study evaluating the implementation of Signs of Safety, a child protection practice framework, across 10 pilot local authorities in the UK. The key findings include:
1) High levels of organizational commitment are needed to achieve whole system change when implementing a new practice framework. Training and ongoing support are important but challenges remain around establishing direct contact time with families.
2) Managers and social workers were overwhelmingly positive about the benefits of Signs of Safety, but it did not significantly influence expenditure patterns and did not solve all issues.
3) Signs of Safety aimed to improve relationships between workers and parents but some families still felt social workers did not understand their goals. Progress was made in align
Security Guard Services Best Practices by JMSupan 2019 (JOEL JESUS SUPAN)
This presentation will provide tips on how security agencies can differentiate themselves from their competitors to gain competitive advantage and provide the best quality services to their clients by providing professional guards. It will also provide guidelines for clients on how to choose the ideal security agency.
The document discusses the role of project management offices (PMOs) in supporting reviews and assurance. It states that unnecessary project failure occurs when people lack full, validated information about project status and issues. The role of reviews and assurance is to provide this important information to project and portfolio managers. PMOs can help establish effective review processes to gather and disseminate this information.
The Business Continuity Conference, 25th October 2023 in Riyadh - Abdulrahma..., by Continuity and Resilience
Lessons from a Chief Continuity Officer
A Chief Continuity Officer (CCO) is responsible for ensuring that an organization's critical operations continue despite any disruptions or crises.
1. Build a robust business continuity plan.
2. Foster a culture of preparedness.
3. Establish clear roles and responsibilities.
4. Develop strong partnerships.
5. Implement robust technology systems.
6. Continuously assess and mitigate risks.
7. Communicate effectively.
8. Learn from incidents.
Remember, flexibility and adaptability are key in the ever-changing landscape of continuity management. As a CCO, it's essential to stay proactive, be prepared for unexpected events, and continuously improve the organization's ability to recover and thrive in the face of disruptions.
This document provides information about the MSc in Compliance program offered jointly by the Institute of Banking (IOB) and the Association of Compliance Officers in Ireland (ACOI). The one-year, part-time program is aimed at compliance professionals and provides 8 modules covering topics like ethics, financial crime prevention, and data protection. Successful graduates will qualify for the FCOI designation from ACOI. The program is delivered through UCD and involves lectures, case studies, and a final compliance project. Testimonials highlight the relevance of the curriculum and benefits of the network for professionals.
A Gamer's Nightmare: An Analysis of the Sony PlayStation Hacking Crisis, by Angela Shin
This document analyzes Sony's 2011 PlayStation Network hacking crisis using the Anticipatory Model of Crisis Management (AMCM) framework. The AMCM focuses on crisis prevention by assessing potential triggers and response plans. In April 2011, Sony's PlayStation Network suffered a breach exposing 100+ million user accounts. Sony shut down the network but waited a week to disclose the hacking. The analysis found that Sony could have handled the crisis better by following AMCM principles of expectations, enactment, and control to anticipate and prevent the crisis.
This document provides an overview of safety management practices and concepts. It discusses the evolution of safety management from focusing on technology, to humans, to organizations and systems. It also covers accident causation models, priority hazards, legislative frameworks like the WHS Act and regulations, key terms, health and safety duties of different parties, and offences and penalties. Overall, the document presents essential information on understanding and applying safety management principles.
Similar to Information systems 365 lecture four - Security Policy Development, Data Classification Methods and Workplace Controls
Conducting a NIST Cybersecurity Framework (CSF) Assessment, by Nicholas Davis
In today's ever-evolving cybersecurity landscape, organizations face an increasing number of threats. Conducting a NIST Cybersecurity Framework (CSF) assessment can be a valuable tool to identify, manage, and mitigate these risks. Let's explore how it can benefit your organization.
A NIST CSF assessment is not just about compliance; it's about proactively managing your cybersecurity posture. By identifying and addressing your vulnerabilities, you can reduce the likelihood and impact of cyberattacks. Additionally, the framework can help you communicate your security efforts effectively to internal and external stakeholders.
UW-Madison, Information Systems 371 - Decision Support Systems, by Nicholas Davis
Today is Information Systems 371, and I am lecturing about Decision Support Systems. In addition to covering the basics at a conceptual level, I am trying to get the students to think about the impact of IoT, 5G, and Artificial Intelligence, in terms of how Decision Support Systems are changing and what the new demands placed upon them will be.
This document summarizes a university lecture on blockchain and bitcoin. It begins with an overview of how the term "blockchain technology" can refer to different things like the Bitcoin blockchain, other cryptocurrencies, or smart contracts. It then defines what a blockchain is, including that it usually contains financial transactions, is replicated across peer-to-peer networks, and uses cryptography to prove identity and enforce access rights. The document contrasts public and private blockchains and how they differ in terms of who can write to the ledger. It also discusses key concepts like how blockchains achieve consensus when multiple blocks are created simultaneously and how network rules and upgrades are handled.
During the Spring semester, I teach a 3 credit survey course in software development, at UW-Madison (IS 371), which is the first in the series of courses in the Information Systems major track. As part of this course, I devote an entire lecture to discussing different types of software development (Agile, Waterfall, Extreme, Spiral, etc.) I hope it helps the students better understand the different types of software development styles, as well as the benefits and drawbacks of each. In my opinion, they need to learn early on that there is more than one way to go about a software development challenge, and they need to figure out which style works best for them.
Information systems 365 - Cloud and BYOD Security, by Nicholas Davis
Today, in class, I will be covering the topics of Cloud and BYOD Information Security. The intent of the lecture is to introduce students to the general issues surrounding information security in these two areas.
Information Security Awareness: at Work, at Home, and For Your Kids, by Nicholas Davis
This is the security awareness presentation which I will be giving to Quartz Health Solutions, on October 24, 2018. It focuses on three areas: information security best practices for work, at home, and also contains some tips for kids. Topics include: PHI, ePHI, HIPAA, Identity Theft, Social Engineering, phishing, password management, malware, insider threats, social networks, and mobile devices.
Information Systems 371 - The Internet of Things Overview, by Nicholas Davis
The document discusses the Internet of Things (IoT) including its history, definition, applications, trends and challenges. It provides details on the key concepts of IoT such as connecting physical devices to exchange data over the internet, examples of consumer and industrial applications, and issues regarding data privacy, security and device obsolescence. The document also outlines the exam schedule for the upcoming Information Systems 371 course.
A presentation about cyberwar basics, the past, present and future directions of cyberwar and some needed changes in technology and long standing societal attitudes, to combat this escalating threat
University of Wisconsin-Madison, Information Security 365/765 Course Summary,..., by Nicholas Davis
This document summarizes the key points from a university lecture on information security. It discusses topics covered during the semester including a guest speaker from the FBI, security controls, CIA triad, categories of controls, ingredients of security, technical weaknesses, defense in depth, risk analysis, hiring and termination practices, security policies, cloud security, BYOD, and more. The document recaps the various assignments and presentations given throughout the course.
Bringing the Entire Information Security Semester Together With a Team Project, by Nicholas Davis
Absorbing information does no good, unless you are able to apply what you have learned. Each semester, I give my information security students a team project, in which they must use all the knowledge acquired during the semester, in combination with their ability to do Internet research, to deliver an overall information security assessment of a company of their choosing. To make it a challenge, I make them grade all the other teams in the class, but only give them enough points to distribute so that the average is 90. In grading their peers, they must make decisions about which presentations are excellent, and which are not.
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info..., by Nicholas Davis
This presentation provides an overview of the deep web and discusses some of the dangers it poses. It defines the deep web and explains how it differs from the surface web. The presentation notes that the deep web is much larger than the surface web and contains dynamic, unlinked, private, and restricted content that search engines cannot access. It describes how tools like Tor can be used to anonymously access dark web sites ending in .onion and discusses some of the illegal activities that occur on the deep web, like drug trafficking, weapons sales, and hiring criminals. The presentation aims to educate information security professionals about the deep web so they can help address illegal activities occurring there.
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M..., by Nicholas Davis
The final assignment in the Information Security 365/765 course I teach at UW-Madison, is for teams of students to put together company focused IT security presentations, in which they take the concepts learned in class throughout the entire semester, and apply them to a real company. Here is a sample from Team Netflix! I am proud of the students, and feel that they have gained a solid foundation in the field of information security. Another semester come and gone!
Information Security Fall Semester 2016 - Course Wrap Up Summary, by Nicholas Davis
This presentation is a summary, for the students of the IS 365/765 course I teach, at the University of Wisconsin-Madison, providing a 104 slide reminder of the most important topics in Information Security, which we covered throughout the semester. Today is the last day of course material. We have 4 days of student team presentations, to follow.
A general education presentation, created to teach employees of an organization about Phishing, what it is, how to recognize it, avoid becoming a phishing victim, how to recognize common social engineering techniques, and what to do if you think you have been phished.
Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli..., by Nicholas Davis
Today's topic in the Information Security 365/765 class, which I teach at the University of Wisconsin-Madison.
Computer crimes and computer laws, Motives and profiles of attackers, Various types of evidence, Laws and acts to fight computer crime, Computer crime investigation process, Incident handling procedures, Ethics and best practices
As a guest speaker, I gave this presentation, last night, to the Association of Information Systems Professionals (AISP), an Information Systems student group at the University of Wisconsin-Madison. Demystifying Professional Certifications provides an overview of what professional certifications are, why they matter, how to choose which ones to pursue, how to get certified and how to keep the certifications in good standing.
Information systems 365 lecture four - Security Policy Development, Data Classification Methods and Workplace Controls
1. Information Security 365/765, Fall Semester, 2014
Course Instructor, Nicholas Davis
Lecture 4: Security Policy Development, Data Classification Methods, Workplace Controls
2. Next Time
Security policies
Information classification
Security awareness training
09/11/14 UNIVERSITY OF WISCONSIN 2
3. Security Policy
An overall, general statement, produced by senior management, which dictates the role that security management plays in the organization.
Made up of goals and responsibilities.
Shows the strategic and tactical value of the policy.
Outlines how enforcement should be carried out.
4. Security Policy Components: Business Objectives
Business objectives should drive the policy's creation, implementation and enforcement. The policy should not dictate business objectives.
5. Security Policy Components: Make It Legible
The document should be written in plain language, so that every employee can easily understand, without question, the portions which apply to them.
7. Security Policy: Legal Conformity
It should support all legislation and regulations which apply to the company: local, national and international.
8. Security Policy: A Living Document
It should be revisited on a regular basis and updated as necessary, as changes occur within the company.
Make certain that every change is documented and recorded.
9. Security Policy: Adaptability
It should be written so that it remains useful for several years at a time, under normal circumstances, and flexible enough to deal with minor changes as they occur.
10. Security Policy: Language
The tone of the policy must be certain and strong. Avoid using the word "should", as it leaves room for interpretation. Instead, use the words "shall", "will" and "must" throughout the document.
12. Why is IT Security Policy So Important?
Helps identify the company's valuable assets
Provides authority to the security team and its activities
Provides a reference to review when conflicts pertaining to security arise
States clearly the company's goals and objectives in the area of security
Outlines personal responsibility
13. Why is IT Security Policy So Important?
Helps prevent unanticipated events from occurring
Defines the scope and boundaries for the security team and its functions
Outlines incident response responsibilities
Outlines the company's response to legal and regulatory requirements
14. Three Types of Security Policies Exist
Regulatory
Advisory
Informative
15. Security Policy Types: Regulatory
Ensures that the company is following standards set by specific industry regulations. It is very detailed and specific to a type of industry:
Finance
Healthcare
Government
16. Security Policy Type: Advisory
Tells employees which types of behaviors and activities shall and shall not take place within the organization.
How to handle:
Medical information
Financial transactions
Confidential information
Outlines ramifications for non-compliance
17. Security Policy Type: Informative
Informs employees on the generalities of certain topics, but is not enforceable. It teaches about issues important to the company, such as how the company would like employees to interact with business partners, the company's goals and mission, or the corporate reporting structure.
18. Security Policy: Due Diligence Forward
Due diligence is the act of investigating and understanding the risks the company faces.
19. Security Policy: Due Care
Due care demonstrates that the company has accepted and taken responsibility for the activities which take place in the organization.
20. How Due Diligence and Due Care are Related
Due diligence is the understanding of the threats and risks, while due care is the set of countermeasures which the company has put in place to address those threats and risks.
21. Information Classification
In the field of data management, data classification is defined as a tool for the categorization of data, to enable an organization to effectively answer the following questions:
What data types are available?
Where are certain data located?
What access levels are implemented?
What protection level is implemented, and does it adhere to compliance regulations?
22. Data Classification
Commercial Enterprise
Military
You are business students, so we will focus on commercial enterprise data classification terminology.
24. Data Classification
Public
Definition: Disclosure is not welcome, but it would not cause an adverse impact or damage to the company or its employees.
Examples:
How many people work at the company
Current job positions posted on the website
25. Data Classification
Sensitive
Definition: Requires special precautions to ensure the integrity and confidentiality of the data, by protecting it from unauthorized modification or deletion. Requires higher than normal assurance of accuracy and completeness.
Examples:
Financial information
Details of projects
Profit earnings and forecasts
26. Data Classification
Private
Definition: Personal information, for use only within the company. Unauthorized disclosure could adversely affect employees, the company, its business partners or customers.
Examples:
Work history
HR information
Medical information
27. Data Classification
Confidential
Definition: For use within the company only. Exempt from disclosure under the Freedom of Information Act. Unauthorized disclosure could seriously affect a company.
Examples:
Trade secrets
Programming software code
Information that keeps the company competitive
28. Data Classification
Procedures
1. Define classification levels
2. Specify the criteria by which data will be classified
3. Have the data owner indicate the classification level for their data
4. Identify the data custodian, who will be responsible for maintaining the data and its security level
5. Indicate the controls to be applied at each classification level
29. Data Classification
Procedures
6. Document any exceptions in detail
7. Indicate the methods which are used to transfer data custody to a different owner
8. Create a procedure to periodically review the data’s classification and ownership
9. Indicate declassification procedures
10. Integrate this knowledge into a security awareness program
30. If You Choose to Create Your Own Data Classification System
Too many levels will make classification complex and confusing.
Too few levels will encourage sloppy data classification.
There should be no overlap between classification levels.
Classification levels should be developed for both data and the systems housing the data, and they should match.
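As an added example that is not part of the original deck, the following Python sketch models the commercial scheme from slides 24 to 30 in code: the four ordered, non-overlapping levels, a data owner who assigns the level, a custodian, controls per level, a periodic review check and an owner-only declassification step. The control names, people and dates are constructed for illustration.

```python
# Added example (not from the slide deck): a small model of the commercial scheme above,
# covering steps 3, 4, 5, 8 and 9 and the slide 30 rules. Names and controls are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum

class Level(IntEnum):  # ordered and non-overlapping, as slide 30 requires
    PUBLIC = 0
    SENSITIVE = 1
    PRIVATE = 2
    CONFIDENTIAL = 3

# Step 5: controls applied at each level; each level adds to the one below it.
CONTROLS = {
    Level.PUBLIC: {"integrity-check"},
    Level.SENSITIVE: {"integrity-check", "authn", "access-logging"},
    Level.PRIVATE: {"integrity-check", "authn", "access-logging", "encrypt-at-rest"},
    Level.CONFIDENTIAL: {"integrity-check", "authn", "access-logging",
                         "encrypt-at-rest", "need-to-know-acl"},
}

@dataclass
class DataAsset:
    name: str
    owner: str         # step 3: the data owner assigns the level
    custodian: str     # step 4: the custodian maintains the data and its controls
    level: Level
    last_review: date

@dataclass
class HostSystem:
    name: str
    level: Level       # slide 30: the systems housing data are classified too

def placement_ok(asset: DataAsset, system: HostSystem) -> bool:
    """The host's level must cover the level of the data it houses."""
    return system.level >= asset.level

def review_due(asset: DataAsset, today: date, period_days: int = 365) -> bool:
    """Step 8: flag assets whose periodic classification review is overdue."""
    return today - asset.last_review >= timedelta(days=period_days)

def declassify(asset: DataAsset, new_level: Level, by: str, today: date) -> None:
    """Step 9: only the owner may lower a level, and the review clock resets."""
    if by != asset.owner:
        raise PermissionError("only the data owner may declassify")
    if new_level > asset.level:
        raise ValueError("declassification can only lower a level")
    asset.level, asset.last_review = new_level, today
```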
31. Hiring Practices
Job skill screening
Reference check
Non-disclosure agreement (NDA) signed
Education verification
Criminal background check
Credit report check
Sex offender check
Drug screening
Professional license check
Immigration status check
Social Security Number trace to ensure validity
32. Employee Controls
Rotation of Duties
No one person should stay in one position for an uninterrupted period of time, as this may enable them to have too much control over a segment of business.
Mandatory vacation policy
33. Employee Controls
Separation of Duties
Split knowledge system: No single employee has the knowledge to do a task by themselves
Example
Dual control: No single employee has the physical ability to do a task by themselves
Example
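As an added example that is not from the original deck, here are both separation-of-duties forms in Python: split knowledge, where a secret is divided so that neither holder alone learns anything about it, and dual control, where an action is released only after two different authorized people approve it. The people and the secret value are constructed for illustration.

```python
# Added example, not from the slide deck: the two separation-of-duties forms above.
# Split knowledge divides a secret so no single holder knows it; dual control requires
# two distinct authorized people before an action proceeds. Names are constructed.
import secrets

def split_secret(secret):
    """Split knowledge via XOR (one-time-pad style): each share alone is uniformly
    random and reveals nothing; both shares are needed to rebuild the secret."""
    share_a = secrets.token_bytes(len(secret))
    share_b = bytes(x ^ y for x, y in zip(secret, share_a))
    return share_a, share_b

def reconstruct(share_a, share_b):
    """Recombine the two shares; a single share is useless without the other."""
    return bytes(x ^ y for x, y in zip(share_a, share_b))

class DualControl:
    """An action is released only when two different authorized people approve it."""

    def __init__(self, authorized):
        self.authorized = set(authorized)
        self.approvals = {}   # action -> set of distinct approvers

    def approve(self, action, person):
        """Record an approval; returns True once two distinct people have approved.
        The same person approving twice still counts as one approval."""
        if person not in self.authorized:
            raise PermissionError(person + " is not authorized to approve")
        self.approvals.setdefault(action, set()).add(person)
        return len(self.approvals[action]) >= 2
```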
34. Termination Practices
Each company needs a set of pre-defined termination procedures
Example:
Once terminated, the employee must be escorted out of the facility by their manager
Employee must immediately surrender keys, employee badge, etc.
Employee must be asked to complete an exit interview and return company property
The terminated employee’s online accounts must be disabled immediately upon termination
36. Security Awareness
Training Program
One for senior management
One for staff
One for technical employees
Responsibilities
Liabilities
Expectations
37. Security Awareness
Senior Management
Focus on: corporate assets, and the financial gains and losses which can occur due to information security incidents. As the leaders, they must demonstrate the proper mindset to the rest of the company.
38. Security Awareness
Mid-Management
Focus on: policies, standards and guidelines and how they map to individual departments, the responsibility for ensuring their employees’ adherence to the security policies, and how the managers will be held accountable for enforcement.
39. Security Awareness
Employees
Focus on: the operational aspects of information security, proper system usage, how to recognize a security issue, and how to properly handle and report a suspected information security incident.