This document discusses a lecture on data classification and data loss prevention. It begins by discussing readings and a video on cyberwarfare. It then covers the topics of data classification levels (e.g. top secret, confidential), how to handle different classification levels, and data loss prevention technologies like encryption, content scanning, and enterprise management tools to protect data at rest and in transit according to its classification. The goal is to classify data appropriately and then protect it using both technical and administrative controls.
Lecture Data Classification And Data Loss Prevention
1. Information Systems 365/765
Information Systems Security and Strategy
Lecture 3
Data Classification and Data Loss Prevention
2. Today’s Agenda
• Discuss Frontline video, “Cyberwar” and assignment #1
• Discuss readings, Cyberwar, Chinese Hackers, Vendor Liability
• Lecture, Data Classification and Data Loss Prevention
3. Readings Are Now Online
• We are going to save some trees!
• Readings are all at: mywebspace.wisc.edu/ndavis1/365
• Readings are placed in the folders for each class session. For example, readings for Thursday, September 11, are in the September 11 folder
• Link to Cyberwar video is in September 4 folder
4. Cyberwar Video
• Overall, what did you think of the premise that both government and the private sector are at risk for cyber-attack?
• Can you think of specific businesses which should be concerned about cyber-attack?
5. The CIA Triad
• Confidentiality
• Integrity
• Availability
• The goals of a secure information system
7. Confidentiality
• Confidentiality is assurance of data privacy
• Only the intended and authorized recipients: individuals, processes or devices, may read the data
• Disclosure to unauthorized entities must be avoided
• Examples - Rayovac
8. Ensuring Confidentiality
• Encryption of data
• Protecting the data with some type of authentication such as username/password
• Data handling policies
• Data storage policies
• Data retention policies
• Which of these are technical controls? Which are administrative controls?
9. Integrity
• Integrity is assurance of data and/or source non-alteration.
• Data integrity is having assurance that the information has not been altered in transmission, from origin to reception.
11. Source Integrity
• Source integrity is the assurance that the sender of information is who it is supposed to be.
• Source integrity is compromised when an agent spoofs its identity and supplies incorrect information to a recipient.
12. Spoofing Data and Source Integrity
• Data integrity can be compromised when information has been corrupted or altered, willfully or accidentally, before it is read by its intended recipient.
• We will study ways to avoid such spoofing
13. Ensuring Data Integrity
• Digitally sign the document
• Digital signature uses a checksum to ensure data integrity
14. How a Check Digit/Checksum Works
• A check digit consists of a single digit computed from the other digits in the message.
• This is accomplished with a simple formula
• More complex messages require the use of a checksum
15. Check Digit Example
• UW-Madison ID Card
• The last digit is a check digit
• Let’s use example “524” with a check digit of “3”, so your student ID might be “524 3”
• Formula example, check digit = first digit + second digit – third digit. In this case, 5 + 2 – 4 = check digit of 3
• Equipment reading your card can be programmed to make use of the check digit if it knows the formula for computing the check digit
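Slides 13 through 15 describe a single check digit and then note that longer messages need a checksum, which a digital signature builds on. The Python below is an added example, not part of the lecture slides. It implements the slide's own formula (first + second - third) for the "524 3" card, shows one error it catches and one it misses, then uses a SHA-256 digest as the checksum for an arbitrary message and an HMAC tag as a keyed stand-in for the signature step. The message text and the key are constructed for the demo; HMAC is used in place of the asymmetric signature the slide refers to because the Python standard library has no such primitive.

```python
import hashlib
import hmac


def lecture_check_digit(body: str) -> int:
    """The slide's toy formula: first + second - third digit of a three-digit body."""
    if len(body) != 3 or not body.isdigit():
        raise ValueError("the slide's formula is defined for a three-digit body")
    first, second, third = (int(ch) for ch in body)
    return first + second - third          # "524" -> 5 + 2 - 4 = 3


def lecture_id_is_valid(card: str) -> bool:
    """Validate a card string whose last digit is the check digit (spaces ignored)."""
    digits = card.replace(" ", "")
    body, check = digits[:-1], int(digits[-1])
    return lecture_check_digit(body) == check


def checksum(message: bytes) -> str:
    """Checksum for a message of any length: the SHA-256 digest as hex.
    Any change to the message changes the digest; a digital signature scheme
    signs this digest rather than the raw message."""
    return hashlib.sha256(message).hexdigest()


def message_is_intact(message: bytes, expected_checksum: str) -> bool:
    """Data integrity check: recompute the checksum and compare in constant time."""
    return hmac.compare_digest(checksum(message), expected_checksum)


def source_tag(message: bytes, shared_key: bytes) -> str:
    """Keyed checksum (HMAC-SHA256). Only a holder of shared_key can produce a
    matching tag, so a verified tag gives source integrity as well as data
    integrity. Stand-in for the signature step on the slide (assumption)."""
    return hmac.new(shared_key, message, hashlib.sha256).hexdigest()


def source_is_verified(message: bytes, shared_key: bytes, tag: str) -> bool:
    """Source integrity check: a spoofed sender without the key cannot forge the tag."""
    return hmac.compare_digest(source_tag(message, shared_key), tag)


def demo() -> dict:
    """Run the checks on constructed sample values (not from the lecture)."""
    results = {}
    results["slide_example"] = lecture_id_is_valid("524 3")       # True: 5 + 2 - 4 = 3
    results["single_digit_error"] = lecture_id_is_valid("525 3")  # False: 5 + 2 - 5 = 2
    # Swapping the first two digits still yields 3, so the simple formula
    # does not detect this transposition; that is why real IDs use stronger schemes.
    results["transposition"] = lecture_id_is_valid("254 3")       # True (error undetected)

    original = b"Transfer 100 USD to account 42"      # constructed message
    digest = checksum(original)
    results["unaltered"] = message_is_intact(original, digest)                            # True
    results["altered"] = message_is_intact(b"Transfer 900 USD to account 42", digest)     # False

    key = b"constructed-demo-key"                     # constructed shared key
    tag = source_tag(original, key)
    results["genuine_sender"] = source_is_verified(original, key, tag)            # True
    results["spoofed_sender"] = source_is_verified(original, b"wrong-key", tag)   # False
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The transposition case is the practical lesson: a check digit computed by a formula that ignores digit position will miss some common errors, and an unkeyed checksum detects accidental corruption but not a deliberate change made by someone who can also recompute the checksum. The keyed tag closes that gap, which is the role the slide assigns to the digital signature.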
16. Availability
• Availability is assurance in the timely and reliable access to data services for authorized users. It ensures that information or resources are available when required.
17. C&I Are Nothing Without the A
• Confidentiality and integrity can be protected, but an attacker causes resources to become less available than required, or not available at all.
• Denial of Service (DoS)
• Do you remember the DoS discussion on the video?
18. Ensuring Data Availability
• Fully redundant network architectures and system hardware without any single points of failure ensure system reliability and robustness.
• Virus scanning / malware scanning
• Striping of data across hot swappable disks, mirroring data, remote live site.
19. CIA Summary
• To secure data, you must ensure confidentiality, integrity and availability
• Be careful not to compromise confidentiality and integrity as you seek to provide availability
20. How Do We Know If Data Should Be Protected?
• Before we build a system to protect business data, we need to understand how to rate the sensitivity of business data
• This is done through data classification
21. Data Classification
• Data Classification is the conscious decision to assign a level of sensitivity to data as it is being created, amended, enhanced, stored, or transmitted.
22. Data Classification Levels
• Top Secret
• Highly Confidential
• Proprietary
• Internal Use Only
• Public Documents
• Terminology varies by organization
23. Top Secret
• Highly sensitive internal documents e.g. pending mergers or acquisitions; investment strategies; plans or designs
• Information classified as Top Secret has very restricted distribution and must be protected at all times. Security at this level is the highest possible.
24. Top Secret - Handling
• Must sign in to gain access to the data
• Must be supervised while viewing the data
• Must not remove the materials from the secure viewing area
• May not copy the data or even be in possession of devices which could copy the data, including pens and paper
25. Highly Confidential
• Information that, if made public or even shared around the organization, could seriously impede the organization’s operations and is considered critical to its ongoing operations.
26. Highly Confidential – Handling
• May only be shared with a specific list of people
• May not be copied
• May not leave the company’s physical location
• More administrative control here than with Top Secret
27. Proprietary
• Information of a proprietary nature; procedures, operational work routines, project plans, designs and specifications that define the way in which the organization operates.
28. Proprietary - Handling
• May only be shared with a specific list of people
• Copying is permitted but not encouraged
• May be taken off-site
• May not be shared with anyone outside the company
29. Internal Use Only
• Information not approved for general circulation outside the organization where its loss would inconvenience the organization or management but where disclosure is unlikely to result in financial loss or serious damage to credibility.
30. Internal Use Only - Handling
• Does not necessitate an authorization list
• May be copied without reservation
• May be taken off-site
• May not be shared with the public
31. Public Documents
• Information in the public domain; annual reports, press statements etc.; which has been approved for public use. Security at this level is minimal.
32. Public Documents - Handling
• No distribution list required
• May be copied at will
• May be taken off-site
• May be shared with anyone and even promoted
33. Data Loss Prevention (DLP) Technologies
• First classify your data
• Now, protect it appropriately
• Control the environment
• Control access to the data
• Protect while in transit
• Protect while in storage
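Slides 22 through 32 give the five classification levels and a handling rule set for each, and slide 33 says a DLP system first classifies and then controls access. The Python below is an added example, not from the lecture, that turns those handling slides into a policy table and a decision function a DLP access check could call. The `Level`, `Action` and `HandlingRule` names are my own; the rule values are transcribed from slides 24, 26, 28, 30 and 32, with the Top Secret "must sign in" requirement modelled as an access list. The `effective_level` aggregation rule (a bundle is handled at its most sensitive item's level) is an assumption added for illustration and is not on the slides.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Level(Enum):
    """The lecture's five levels, ordered from least to most sensitive."""
    PUBLIC = 1
    INTERNAL_USE_ONLY = 2
    PROPRIETARY = 3
    HIGHLY_CONFIDENTIAL = 4
    TOP_SECRET = 5


class Action(Enum):
    VIEW = "view"
    COPY = "copy"
    TAKE_OFFSITE = "take off-site"
    SHARE_INTERNAL = "share inside the company"
    SHARE_EXTERNAL = "share outside the company"


@dataclass(frozen=True)
class HandlingRule:
    needs_access_list: bool     # may only be shared with a specific list of people
    needs_supervision: bool     # must be supervised while viewing
    may_copy: bool
    may_leave_site: bool
    may_share_internal: bool    # may circulate inside the company beyond the list
    may_share_external: bool


# Transcribed from the handling slides (24, 26, 28, 30, 32).
POLICY = {
    Level.TOP_SECRET:          HandlingRule(True,  True,  False, False, False, False),
    Level.HIGHLY_CONFIDENTIAL: HandlingRule(True,  False, False, False, False, False),
    Level.PROPRIETARY:         HandlingRule(True,  False, True,  True,  False, False),
    Level.INTERNAL_USE_ONLY:   HandlingRule(False, False, True,  True,  True,  False),
    Level.PUBLIC:              HandlingRule(False, False, True,  True,  True,  True),
}


def decide(level: Level, action: Action, *, on_access_list: bool = False,
           supervised: bool = False) -> tuple[bool, str]:
    """Return (allowed, reason) for one requested action on data at `level`.
    Access-list and supervision checks run first because they gate every action."""
    rule = POLICY[level]
    if rule.needs_access_list and not on_access_list:
        return False, f"{level.name}: requester is not on the access list"
    if action is Action.VIEW:
        if rule.needs_supervision and not supervised:
            return False, f"{level.name}: viewing must be supervised"
        return True, "ok"
    permitted = {
        Action.COPY: rule.may_copy,
        Action.TAKE_OFFSITE: rule.may_leave_site,
        Action.SHARE_INTERNAL: rule.may_share_internal,
        Action.SHARE_EXTERNAL: rule.may_share_external,
    }[action]
    if permitted:
        return True, "ok"
    return False, f"{level.name}: {action.value} is not permitted"


def effective_level(levels) -> Level:
    """Aggregation rule (an assumption, not on the slides): a bundle of documents
    is handled at the level of its most sensitive item."""
    return max(levels, key=lambda lv: lv.value)


if __name__ == "__main__":
    # Constructed requests, not from the lecture.
    print(decide(Level.TOP_SECRET, Action.VIEW, on_access_list=True))
    print(decide(Level.PROPRIETARY, Action.SHARE_EXTERNAL, on_access_list=True))
    print(decide(Level.PUBLIC, Action.SHARE_EXTERNAL))
    print(effective_level([Level.PUBLIC, Level.PROPRIETARY, Level.INTERNAL_USE_ONLY]))
```

Keeping the policy as a table separate from the decision logic is the point: when the organization renames a level or tightens a rule (slide 22 notes that terminology varies), only the table changes, and the decision function can be exercised against every level and action combination in a test before the policy is deployed.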
34. Next Generation Compliance Filters
• Content filters for HIPAA, GLB, SOX and other regulations automatically scan emails for protected financial and health information. Easily extensible lexicons allow companies to customize these rules to meet specific requirements.
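Slide 34 describes a compliance filter: a lexicon of rules that scans outbound email for regulated financial and health information and can be extended by the company. The Python below is an added example, not from the lecture or any product, showing the shape of such a filter: a list of `Rule` entries (pattern, regulation, severity, optional content validator), a scanner that records redacted findings, and a triage decision. The rules, the mapping of each rule to a regulation, and the four sample messages are all constructed for the demo; the Luhn check on candidate card numbers is a standard mod-10 test included to show why a pattern match alone produces false positives.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional


def luhn_ok(number: str) -> bool:
    """Mod-10 (Luhn) check used by payment card numbers. Separates real card
    numbers from arbitrary 16-digit strings such as order numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Rule:
    name: str
    regulation: str
    severity: str                 # "block" (regulated identifier) or "flag" (keyword only)
    pattern: re.Pattern
    validator: Optional[Callable[[str], bool]] = None


# Extensible lexicon (constructed): add a Rule to cover a new regulation or a company term.
LEXICON = [
    Rule("us_ssn", "GLBA", "block",
         re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")),
    Rule("payment_card", "GLBA/PCI DSS", "block",
         re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
         validator=lambda s: luhn_ok(re.sub(r"[ -]", "", s))),
    Rule("health_keyword", "HIPAA", "flag",
         re.compile(r"\b(?:diagnosis|patient|medical record)\b", re.IGNORECASE)),
]

SEVERITY_ORDER = {"allow": 0, "flag": 1, "block": 2}


def redact(value: str) -> str:
    """Keep only the last four characters so the finding can be logged safely."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_message(text: str) -> list:
    """Return one finding per validated lexicon hit, with the evidence redacted."""
    findings = []
    for rule in LEXICON:
        for match in rule.pattern.finditer(text):
            value = match.group(0)
            if rule.validator is not None and not rule.validator(value):
                continue          # pattern hit but content check failed: not a real identifier
            findings.append({"rule": rule.name, "regulation": rule.regulation,
                             "severity": rule.severity, "evidence": redact(value)})
    return findings


def triage(text: str) -> str:
    """Outbound-mail decision: 'block', 'flag' (route for review) or 'allow'."""
    decision = "allow"
    for finding in scan_message(text):
        if SEVERITY_ORDER[finding["severity"]] > SEVERITY_ORDER[decision]:
            decision = finding["severity"]
    return decision


# Constructed sample messages, not from the lecture.
SAMPLE_MESSAGES = {
    "phi": "Patient J. Doe, diagnosis: type 2 diabetes. SSN 123-45-6789.",
    "card": "Card on file: 4111 1111 1111 1111, exp 12/27.",
    "order": "Order #1234 5678 9012 3456 shipped today.",
    "benign": "Quarterly revenue slides are attached.",
}


if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(f"{name}: {triage(body)} {scan_message(body)}")
```

The "order" message is the case worth noticing: it contains a 16-digit number that matches the card pattern, but the Luhn validator rejects it, so the mail is allowed rather than blocked. Validators of this kind are how a lexicon stays extensible without drowning the review queue in false positives; the keyword rule, by contrast, only flags for review because a word like "patient" is not itself protected information.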
36. Host Based Software
• Virus Scanning on your workstation
• Personal software firewalls
37. Appliances vs. Host Based DLP
• Both provide some protection
• Host based is usually more configurable, but harder to manage, especially at remote locations
• Appliances are more rigid
38. Encryption
• Protects confidentiality
• Ensures recipient authentication (Only the intended recipient can decrypt the message)
• We will spend an entire lecture on email encryption and YOU will send encrypted email
39. Content Scanning
• Can be hardware or software based
• HTTP traffic, viruses, malware
• Phishing attempts
• Peer to Peer applications
• Instant Messaging
• Key loggers
40. Enterprise Management Tools
• The ability to know exactly what your users have been doing, in a form which can be audited. Web, email, etc.
• The ability to control the sending and receiving of specific content.
• Websense