Security Awareness Training
July 2007
Dan Wallace
Program Manager, Information Security & PCI Compliance
Agenda
•    Why? Why Now?
•    21st Century B&E
•    PCI DSS
•    Security Objectives, Framework, Challenges
•    Data Classification
•    Security Responsibilities
•    Q&A




    July 2007                 2
21st Century B&E (breaking and entering)
Reference: NRF “Navigate the World of Loss Prevention”

Figure (labels only): Organized Crime; Internal Staff
Security Incident
What is an incident?*

      • Denial of Service
      • Malicious Code
      • Unauthorized Access
      • Unauthorized Access (Extortion)
      • Inappropriate Usage
      • Inappropriate Usage (harassment)

An incident can be thought of as a violation or imminent threat
of violation of computer security policies, acceptable use
policies, or standard security practice.

* List taken from NIST Special Publication 800-61, Computer Security Incident Handling Guide
Cost of Breach
2006 Ponemon Institute Report

• Average cost per lost record = $182 (Gartner says $300)
      • Direct Costs =      $54/record
      • Lost productivity = $30/record
      • Loss of good will = $98/record
• Average total cost = $4.8M per breach
• Range of total cost = $226K -> $22M
      • TJX up to $1B


      Knowledge – Action = Negligence

      Safe Harbor requires validation of compliance at
      the time of the compromise.

Reference: NRF Seminar on 2/22/07 -- Managing the PCI Lifecycle – “Meeting the Challenge of Security Breach Notice Laws” by
Philip L. Gordon, Littler Mendelson, P.C. and “PCI DSS Assessment Process” by Rick Dakin, Coalfire
May BGI (Borders Group) Security Incident
•   On 5/3, disabled anti-malware and multiple infections were identified on
    a BGI PC containing a large amount of cardholder data

•   The scope of the possible breach expanded to investigating store
    systems, 11 additional PCs, file servers, and application servers

•   Remediation tasks included re-imaging the PCs, scanning and cleaning
    the PCs with multiple anti-malware tools, changing user and
    administrator account passwords, emphasizing the BGI policy of not
    visiting potentially harmful websites and not downloading any
    unauthorized software

•   Six weeks of forensic investigation concluded the incident was
    contained and no cardholder data was compromised

•   No customer notification was required; however, the card associations
    were provided with the potentially at-risk account information for
    monitoring
NRF PCI DSS Update
• Manage Scope
   • Restrict access to cardholder data
   • Isolate and limit storage of cardholder data

• Educate systems developers and business areas on
  the proper handling of cardholder data

• Maintain a good audit trail – build in auditability
  with centralized logging and event management

• Ensure 3rd Party contracts have appropriate terms to
  address PCI requirements, indemnification, and IRM

• Implement a Privacy Breach CIRT (Critical Incident
  Response Team) Plan

Reference: NRF Seminar on 2/22/07 -- Managing the PCI Lifecycle – “PCI – A Retailer’s Perspective on Compliance and
Governance” by Teri Mieritz, JCPenney and “PCI – An Internal Audit Perspective” by Ken Askelson, JCPenney
PCI DSS
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security
Security Objectives
The five security objectives:

1.    Confidentiality (of data and system information)
2.    Integrity (of data and systems)
3.    Availability (of data and systems for intended use only)
4.    Accountability (to the individual level)
5.    Assurance (the other four objectives have been adequately
      met)



Goal: Adaptive, integrated security.

“Let the good guys in, keep the bad guys out.”
Security Framework
Defenses & Controls: Defense in Depth

Layers, outermost to innermost:
  Management Layer
    Network Layer (including Wireless)
      Hardware Layer / Operating System Layer
        Application Layer
          Database Layer

Sensitive data to protect (minimize capture, use, transmission, retention):
  Customer:   Identity (Privacy), Credit Card (PCI)
  Enterprise: Financial (SOX), Legal (Litigation), Competitive
  Employee:   Identity (Privacy), PHI (HIPAA), Compensation, Performance

Controls at each layer:
  Database Layer
    • Access Control: User, Admin, DBA, Super User
    • Change Control
    • Table / Field Controls, incl. encryption
    • Monitoring, incl. file integrity
    • Disaster Recovery
  Application Layer
    • Access Control: User, Admin, Developers, Super User
    • Change Control
    • Application Controls, incl. app FW, security dev
    • Monitoring
    • Disaster Recovery
  Hardware Layer / Operating System Layer
    • Access Control: User, Admin, Operators
    • Change Control
    • Physical Access Control
    • Patch Mgmt. / Config Mgmt.
    • Monitoring
    • Disaster Recovery
  Network Layer (including Wireless)
    • Network Diagram w/HW, OS, DB, and data flow for all sensitive data
    • Network segmentation
    • Access Control: User, Admin, Engineers
    • Change Control
    • Physical Access Control
    • Vulnerability Controls (FW, AM, IDS / IPS, Config.)
    • Monitoring (SIEM, p. scans, pen test)
    • Disaster Recovery
  Management Layer
    • Risk/Control Framework & Assessment
    • Data Classification
    • Policies & Procedures, enforcement & audit
    • Security Awareness & Training
    • Access Rights (IAM, RBAC, SOD) & Reviews
    • Reviews & Approvals
    • Physical Access Rights
    • Security Architecture
    • IRM, Reviews & Action Plans
    • Business Continuity Planning

Goal: Minimize risk of loss due to inadvertent or intentional misuse of sensitive data and / or technology.
Key Security Challenges
• Excessive retention, storage, access to unprotected data

• Vulnerable infrastructure:
   • complex – multiple app versions, multiple builds
   • outdated patches – clients (desktops, laptops, registers)
   • unsupported OS – NT, 98, DOS
   • old software versions – MVS, Peoplesoft

• Limited current documentation on data stores and flow

• De-centralized, inconsistent logging / monitoring
Data Classification
Corporate Office Handbook:
1.  Confidential Information
2.  Business Records
3.  Information Classification

Privacy Committee – Privacy Policy:
1.   A specific privacy policy addressing protection of sensitive customer data.
2.   Provisions in the company's Employee Handbook that prohibit the disclosure of
     sensitive employee data.
3.   Ongoing efforts to comply with the Payment Card Industry (PCI) Data Security
     Standard, which sets forth key security requirements for controlling internal and
     external access to sensitive customer data.
4.   Awareness programs for employees at all levels of the organization regarding the
     proper handling of sensitive data*.

*"Sensitive Data" is defined by Borders Group as:
(i) personally identifiable information including, address, telephone, birth date number and email address
        with the associated name;
(ii) social security number with or without the associated name;
(iii) mother's maiden name with the associated name;
(iv) driver's license, state or federal ID # or other government issued identification card numbers with the
        associated name;
(v) credit, debit card or financial account numbers with the associated name and any required PIN or
        access code;
(vi) personally identifiable health information; or personally identifiable payroll/financial information including
        employee identification numbers.
Security Responsibilities
Know:

  computer system usage policies and procedures
  loss prevention policies and procedures
  classification and appropriate handling of information

  privacy policy (The Beat, coming soon to Corp Info)
  actions required to report a potential incident

Sources:

  Corp Info
  Corporate Office Handbook
Security Responsibilities
Protect sensitive information by:

   Being aware of phishing, pharming, DoS, spyware, and
   social engineering.
   Not using email or fax to exchange sensitive information,
   unless encrypted.
   Not replying or clicking on links in any message requesting
   personal or financial information.
   Not downloading or installing any applications and
   contacting the Service Desk for all software requests.
   Not storing sensitive information on portable devices such
   as laptops, PDAs and USB drives or on remote/home
   systems unless there is appropriate authorization and the
   information is encrypted and properly deleted in a timely
   manner.
   Appropriately securing and deleting secondary data stores,
   e.g. Access databases, Excel spreadsheets, etc.
Phishing
Phishers attempt to fraudulently acquire sensitive information,
such as usernames, passwords and credit card details, by
masquerading as a trustworthy entity in an electronic
communication. The damage caused by phishing ranges from
loss of access to email to substantial financial loss.
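The tells behind "masquerading as a trustworthy entity" can be checked mechanically before anyone clicks. The following is an added example written for this page, not code from the Borders Group deck: it pulls every link out of an HTML message and flags the classic phishing patterns, a displayed URL that differs from the real target, a trusted brand embedded in or digit-substituted into some other domain, credentials smuggled in before an "@", and a bare IP address as the host. The message body and the TRUSTED_DOMAINS allowlist are constructed for the illustration, and registered_domain() is a two-label approximation of the registrable domain (a production filter would use the Public Suffix List).

```python
# Added example (not from the Borders Group deck): the checks a mail gateway,
# or a careful reader, applies to links in a message that asks for personal
# or financial information. The sample message and the TRUSTED_DOMAINS
# allowlist are constructed for this illustration.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the organisation's own list of brands its mail may legitimately link to.
TRUSTED_DOMAINS = {"bordersgroupinc.com", "paypal.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a host name: a rough stand-in for the registrable
    domain (a production filter would consult the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


# A domain name (optionally with scheme) appearing in the link's visible text.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def analyse_link(href, text):
    """Return the reasons a link looks like phishing (empty list = nothing seen)."""
    reasons = []
    parts = urlsplit(href)
    if parts.scheme not in ("http", "https"):
        return reasons  # mailto:, javascript: etc. are a separate policy question
    host = (parts.hostname or "").lower()
    actual = registered_domain(host)

    # 1. "user@host" trick: the browser ignores everything before the @.
    if parts.username is not None:
        reasons.append("credentials in URL: browser goes to %s, not %s" % (host, parts.username))
    # 2. Bare IP address instead of a name.
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        reasons.append("raw IP address host %s" % host)
    # 3. Link text shows one domain while the href goes to another.
    m = _DOMAIN_IN_TEXT.search(text)
    if m and registered_domain(m.group(1)) != actual:
        reasons.append("text shows %s but link goes to %s" % (m.group(1), host))
    # 4. Trusted brand embedded in, or digit-substituted (1->l, 0->o) into, another domain.
    lookalike = host.translate(str.maketrans("10", "lo"))
    for trusted in TRUSTED_DOMAINS:
        if trusted in lookalike and actual != trusted:
            reasons.append("lookalike of %s: %s" % (trusted, host))
    return reasons


def scan_email(html):
    """Map each suspicious href in an HTML message body to its list of reasons."""
    collector = _LinkCollector()
    collector.feed(html)
    report = {}
    for href, text in collector.links:
        reasons = analyse_link(href, text)
        if reasons:
            report[href] = reasons
    return report


# Constructed sample message (documentation-range IP address, made-up hosts).
SAMPLE_EMAIL = """
<p>Dear customer, your account has been limited. Please verify it.</p>
<a href="https://www.paypal.com/help">https://www.paypal.com/help</a>
<a href="http://paypal.com.secure-login.example/verify">https://www.paypal.com/verify</a>
<a href="https://www.paypal.com@198.51.100.7/login">Log in now</a>
<a href="https://paypa1.com/reset">Reset your password</a>
"""

if __name__ == "__main__":
    for link, why in scan_email(SAMPLE_EMAIL).items():
        print(link)
        for reason in why:
            print("   -", reason)
```

Run as a script it prints three of the four links with the reason for each; the genuine help link passes. The same four checks are what the "hover before you click" advice asks a person to do by eye.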
Pharming
Pharming is an attack that redirects a website's traffic to a bogus copy of
the site without the user mistyping anything, typically by corrupting name
resolution (a poisoned DNS cache or an altered hosts file) so that the genuine
address resolves to the attacker's server.

Figure: A Geocities web page duplicating the Yahoo! login page.
Denial of Service (DoS)
A denial-of-service attack (DoS attack) is an attempt to make
a computer resource unavailable to its intended users. Although
the means to, motives for and targets of a DoS attack may vary,
it generally comprises the concerted, malevolent efforts of a
person or persons to prevent an Internet site or service from
functioning efficiently or at all, temporarily or indefinitely.

One common method of attack involves saturating the target
(victim) machine with external communications requests, such
that it cannot respond to legitimate traffic, or responds so slowly
as to be rendered effectively unavailable. In general terms, DoS
attacks are implemented by:
• forcing the targeted computer(s) to reset, or consume its resources such that
  it can no longer provide its intended service
• obstructing the communication media between the intended users and the
  victim so that they can no longer communicate adequately
Security Responsibilities
Cooperate fully to support incident response management by:

    Following procedures for incident notification in a timely
    manner.
    Providing detailed information to assist in the investigation.
    Complying immediately with all actions requested.

Procedures for incident notification:
1. Corporate:
    * IRTeam@bordersgroupinc.com (Incident Response Team)
    * Corp Info – Home / BGI Policies / Employee Complaint Procedures
      (866) 356-4636 (U.S. Domestic employees)
    * Service Desk – IT Security Incident
      (734) 477-4357

2. Stores:
    * Store Hot Line – Shrink Link
      (888) 273-9546
Security Responsibilities
Manage information wisely by:

    Minimizing acquisition, storage, transmission, access, and
    retention to only what is absolutely required for business use.
    Knowing where and how sensitive information for which I am
    responsible is acquired, stored, transmitted, accessed,
    retained, and disposed of.
    Ensuring that information is appropriately secured at all times
    and accessible to only those with a need to know.
    Properly discarding / disposing of information that is no longer
    needed, taking care to use locked recycle bins and proper
    deletion tools for sensitive information.
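This slide and the earlier "Protect sensitive information" slide (secondary data stores such as Access databases and Excel spreadsheets) come down to one question: where is the sensitive data actually sitting? The following is an added example, not code from the deck: a scan for card numbers and Social Security numbers in text exports, using the Luhn check to drop digit strings that are not card numbers and reporting only PCI-style masked values so the scan output does not itself become a new data store. The sample export is constructed; its card numbers are the card brands' published test numbers and 219-09-9999 is a number the SSA has said it will never issue. scan_tree() is a convenience for running the same check across a file share.

```python
# Added example (not from the deck): a scan for cardholder data and SSNs
# left in secondary data stores such as CSV exports of Access databases or
# Excel sheets, so they can be secured or deleted. The sample export is
# constructed; the card numbers are the card brands' published test numbers
# and 219-09-9999 is a number the SSA has said it will never issue.
import os
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run. Luhn is applied afterwards to cut false hits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# AAA-GG-SSSS, excluding ranges the SSA never issues (000, 666, 9xx area; 00 group; 0000 serial).
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits):
    """Luhn check-digit test used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Display form PCI DSS permits: at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text, source="<memory>"):
    """Return (source, line_no, kind, masked_value) for every hit; never the raw value."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append((source, n, "PAN", mask_pan(digits)))
        for m in SSN_RE.finditer(line):
            findings.append((source, n, "SSN", "***-**-" + m.group()[-4:]))
    return findings


def scan_tree(root, suffixes=(".csv", ".txt", ".log")):
    """Walk a share or home directory and scan the plain-text files in it."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(suffixes):
                path = os.path.join(dirpath, name)
                with open(path, errors="replace") as fh:
                    findings.extend(scan_text(fh.read(), path))
    return findings


# Constructed sample of an order export that should never have kept the card column.
SAMPLE_EXPORT = """\
order_id,customer,card,ssn,notes
10001,J. Smith,4111 1111 1111 1111,,phone order 2007-05-03
10002,A. Jones,5500-0000-0000-0004,,
10003,B. Lee,1234567890123456,,typo in card number
10004,C. Diaz,,219-09-9999,employee discount
"""

if __name__ == "__main__":
    for source, line_no, kind, masked in scan_text(SAMPLE_EXPORT, "orders_export.csv"):
        print("%s:%d %s %s" % (source, line_no, kind, masked))
```

The third order's 16-digit value fails Luhn and is not reported, which is what keeps a scan like this from drowning in order numbers and timestamps; binary formats (.xls, .mdb) need to be exported or parsed first, since the regexes only see text.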
Security Responsibilities
Keep my computer secure by:

   Maintaining proper security settings and program patches.
   Maintaining appropriate security applications (e.g. anti-spyware,
   anti-virus).
   Maintaining screensaver password protection at 15 minutes of
   inactivity.
   Shutting down the PC at the end of the day.
Security Responsibilities
Practice safe access by:

    Being conscious of the existence, dangers, and symptoms
    of malware.
    Being careful about opening any email attachments.
    Using only your account or authorized accounts for
    application or data access.
    Abiding by the password policy and using strong password
    controls, including not sharing or writing down the password.
    Accessing only the applications and information required by
    my job responsibilities, and requesting change of such
    access as required.
Security Responsibilities
Avoid Internet dangers by:

    Being suspicious about the trustworthiness of all Internet
    use, and alert to potential misuse.
    Restricting the sharing of information to “need to know” for
    business reasons only, and using proper security to protect
    sensitive information.
    Being responsible about Internet surfing, e.g. avoiding gaming
    sites, free download sites, etc.
Security Responsibilities
Key points:

    Protect sensitive information

    Cooperate fully to support incident response management

    Manage information wisely

    Keep my computer secure

    Practice safe access

    Avoid Internet dangers
Q&A

Organized Security

Key Policy Considerations When Implementing Next-Generation Firewalls
 
4 Operations Security
4 Operations Security4 Operations Security
4 Operations Security
 
How to evaluate data protection technologies - Mastercard conference
How to evaluate data protection technologies -  Mastercard conferenceHow to evaluate data protection technologies -  Mastercard conference
How to evaluate data protection technologies - Mastercard conference
 
Who will guard the guards
Who will guard the guardsWho will guard the guards
Who will guard the guards
 
1 Info Sec+Risk Mgmt
1 Info Sec+Risk Mgmt1 Info Sec+Risk Mgmt
1 Info Sec+Risk Mgmt
 
Guardium Data Activiy Monitor For C- Level Executives
Guardium Data Activiy Monitor For C- Level ExecutivesGuardium Data Activiy Monitor For C- Level Executives
Guardium Data Activiy Monitor For C- Level Executives
 
Web Application Security: Beyond PEN Testing
Web Application Security: Beyond PEN TestingWeb Application Security: Beyond PEN Testing
Web Application Security: Beyond PEN Testing
 
Tänased võimalused turvalahendustes - Tarvi Tara
Tänased võimalused turvalahendustes - Tarvi TaraTänased võimalused turvalahendustes - Tarvi Tara
Tänased võimalused turvalahendustes - Tarvi Tara
 
Meletis BelsisManaging and enforcing information security
Meletis BelsisManaging and enforcing information securityMeletis BelsisManaging and enforcing information security
Meletis BelsisManaging and enforcing information security
 
Data security in the cloud
Data security in the cloud Data security in the cloud
Data security in the cloud
 

Recently uploaded

The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
Fwdays
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 

Recently uploaded (20)

The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 

Security Awareness Training

May BGI Security Incident
• On 5/3, disabled anti-malware software and multiple infections were identified on a BGI PC containing a large amount of cardholder data
• The scope of the possible breach expanded to investigating store systems, 11 additional PCs, file servers, and application servers
• Remediation tasks included re-imaging the PCs, scanning and cleaning the PCs with multiple anti-malware tools, changing user and administrator account passwords, and emphasizing the BGI policy of not visiting potentially harmful websites and not downloading any unauthorized software
• Six weeks of forensic investigation concluded the incident was contained and no cardholder data was compromised
• No customer notification was required; however, the card associations were provided with the potentially at-risk account information for monitoring
NRF PCI DSS Update
• Manage scope
• Restrict access to cardholder data
• Isolate and limit storage of cardholder data
• Educate systems developers and business areas on the proper handling of cardholder data
• Maintain a good audit trail – build in auditability with centralized logging and event management
• Ensure 3rd party contracts have appropriate terms to address PCI requirements, indemnification, and IRM
• Implement a Privacy Breach CIRT (Critical Incident Response Team) plan

Reference: NRF Seminar on 2/22/07 -- Managing the PCI Lifecycle – “PCI – A Retailer’s Perspective on Compliance and Governance” by Teri Mieritz, JCPenney and “PCI – An Internal Audit Perspective” by Ken Askelson, JCPenney
PCI DSS
Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored data
  4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security
Security Objectives
The five security objectives:
  1. Confidentiality (of data and system information)
  2. Integrity (of data and systems)
  3. Availability (of data and systems for intended use only)
  4. Accountability (to the individual level)
  5. Assurance (the other four objectives have been adequately met)
Goal: Adaptive, integrated security. “Let the good guys in, keep the bad guys out.”
Security Framework

Defense in Depth layers: Management Layer, Network Layer (including Wireless), Hardware Layer / Operating System Layer, Application Layer, Database Layer.

Management Layer
• Risk/Control Framework & Assessment
• Network Diagram w/HW, OS, DB, and data flow for all sensitive data
• Data Classification
• Policies & Procedures, enforcement & audit
• Network segmentation
• Security Awareness & Training

Data Classification – minimize capture, use, transmission, retention:
• Customer Identity (Privacy)
• Credit Card (PCI)
• Enterprise Financial (SOX)
• Legal (Litigation)
• Competitive
• Employee Identity (Privacy)
• PHI (HIPAA)
• Compensation
• Performance

Defenses & Controls by layer

Database Layer
• Access Control – User, Admin, DBA, Super User
• Change Control
• Table / Field Controls, incl. encryption
• Monitoring, incl. file integrity
• Disaster Recovery

Application Layer
• Access Control – User, Admin, Developers, Super User
• Change Control
• Application Controls, incl. app FW, security dev
• Monitoring
• Disaster Recovery

Hardware Layer / Operating System Layer
• Access Control – User, Admin, Operators
• Change Control
• Physical Access Control
• Patch Mgmt. / Config Mgmt.
• Monitoring
• Disaster Recovery

Network Layer (including Wireless)
• Access Control – User, Admin, Engineers
• Change Control
• Physical Access Control
• Vulnerability Controls (FW, AM, IDS / IPS, Config.)
• Monitoring (SIEM, p. scans, pen test)
• Disaster Recovery

Management Layer
• Access Rights (IAM, RBAC, SOD) & Reviews
• Reviews & Approvals
• Physical Access Rights
• Security Architecture
• IRM, Reviews & Action Plans
• Business Continuity Planning

Goal: Minimize risk of loss due to inadvertent or intentional misuse of sensitive data and / or technology.
Key Security Challenges
• Excessive retention, storage, and access to unprotected data
• Vulnerable infrastructure:
    • complex – multiple app versions, multiple builds
    • outdated patches – clients (desktops, laptops, registers)
    • unsupported OS – NT, 98, DOS
    • old software versions – MVS, PeopleSoft
• Limited current documentation on data stores and flow
• De-centralized, inconsistent logging / monitoring
Data Classification
Corporate Office Handbook:
  1. Confidential Information
  2. Business Records
  3. Information Classification
Privacy Committee – Privacy Policy:
  1. A specific privacy policy addressing protection of sensitive customer data.
  2. Provisions in the company's Employee Handbook that prohibit the disclosure of sensitive employee data.
  3. Ongoing efforts to comply with the Payment Card Industry (PCI) Data Security Standard, which sets forth key security requirements for controlling internal and external access to sensitive customer data.
  4. Awareness programs for employees at all levels of the organization regarding the proper handling of sensitive data*.

* "Sensitive Data" is defined by Borders Group as: (i) personally identifiable information including address, telephone, birth date number and email address with the associated name; (ii) social security number with or without the associated name; (iii) mother's maiden name with the associated name; (iv) driver's license, state or federal ID # or other government issued identification card numbers with the associated name; (v) credit, debit card or financial account numbers with the associated name and any required PIN or access code; (vi) personally identifiable health information; or personally identifiable payroll/financial information including employee identification numbers.
Security Responsibilities
Know:
• computer system usage policies and procedures
• loss prevention policies and procedures
• classification and appropriate handling of information
• privacy policy (The Beat, coming soon to Corp Info)
• actions required to report a potential incident
Sources: Corp Info, Corporate Office Handbook
Security Responsibilities
Protect sensitive information by:
• Being aware of phishing, pharming, DoS, spyware, and social engineering.
• Not using email or fax to exchange sensitive information, unless encrypted.
• Not replying to, or clicking on links in, any message requesting personal or financial information.
• Not downloading or installing any applications, and contacting the Service Desk for all software requests.
• Not storing sensitive information on portable devices such as laptops, PDAs and USB drives, or on remote/home systems, unless there is appropriate authorization and the information is encrypted and properly deleted in a timely manner.
• Appropriately securing and deleting secondary data stores – i.e. Access databases, Excel spreadsheets, etc.
Phishing
Phishers attempt to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. The damage caused by phishing ranges from loss of access to email to substantial financial loss.
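Added example, not part of the training deck: the masquerade described above usually shows up in the links themselves, where the visible text or an embedded brand name says one thing and the href points somewhere else. The check below parses a constructed HTML e-mail and flags those links. The trusted-domain list, the sample message and every host name in it are assumptions made for the illustration.

```python
"""Spot the phishing tell: a link that masquerades as a trusted site while
really pointing somewhere else.

Added example for this page; not code from the training deck. The e-mail
body and the trusted-domain list below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: brands this organisation expects legitimate mail to link to.
TRUSTED_DOMAINS = ("bordersgroupinc.com", "yahoo.com")

# Something that looks like a host name inside the link's visible text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for .com-style hosts; a
    production check would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str) -> list:
    """Return the links whose destination does not match what they pretend to be."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        reasons = []
        # Tell 1: the visible text names one host, the href goes to another.
        shown = HOST_IN_TEXT.search(text)
        if shown and registered_domain(shown.group(1)) != registered_domain(host):
            reasons.append(f"text shows {shown.group(1).lower()} but href goes to {host}")
        # Tell 2: a trusted brand is embedded in the host name, but the
        # registered domain belongs to someone else (yahoo.com.evil.example).
        for brand in TRUSTED_DOMAINS:
            if brand.split(".")[0] in host and registered_domain(host) != brand:
                reasons.append(f"host {host} imitates {brand}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: a lure like the deck's Yahoo! example, plus one clean link.
SAMPLE_MAIL = """
<p>Your Yahoo! account will be suspended unless you verify it now.</p>
<a href="http://yahoo.com.account-verify.example/login">www.yahoo.com</a><br>
<a href="https://mail.yahoo.com/">Open Yahoo Mail</a><br>
<a href="http://bordersgroupinc.com.update-now.example/">Borders Group portal</a>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_MAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

The second link is left alone because mail.yahoo.com really is under yahoo.com; the first and third are flagged because the brand sits in a subdomain label while the registered domain is the attacker's. Homograph domains (look-alike Unicode characters) need an additional IDN check that this example does not attempt.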
Pharming
Pharming is an attack that redirects a website's traffic to another, bogus website, typically by corrupting the name resolution the victim's browser relies on (a poisoned DNS resolver or a tampered local hosts file), so that even a correctly typed address lands on the attacker's copy of the site.
(Slide image: a Geocities web page duplicating the Yahoo! login page.)
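Added example, not part of the training deck: the hosts-file variant of pharming, where malware on the PC (as in the May incident) maps a trusted name to an address the attacker controls. The check below parses a constructed hosts file and reports watched names that have been redirected or blackholed. The watched domains, addresses and file contents are assumptions for the illustration.

```python
"""Detect the hosts-file flavour of pharming: a trusted host name mapped to an
attacker-controlled address, so the browser reaches the bogus site even though
the user typed the right URL.

Added example for this page, not code from the training deck. The watched
domains and the hosts-file contents below are constructed.
"""
import ipaddress

# Constructed: names whose resolution this organisation cares about.
WATCHED_DOMAINS = ("bordersgroupinc.com", "yahoo.com")


def parse_hosts(text: str) -> list:
    """Return (line_no, ip_address, hostname) for every mapping in a hosts file.
    Comments and blank lines are skipped; a line whose first field is not an
    IP address is ignored rather than trusted."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((line_no, addr, name.lower().rstrip(".")))
    return entries


def _is_watched(name: str) -> bool:
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def pharming_entries(text: str) -> list:
    """Flag watched names that a hosts file overrides. A mapping to a
    loopback/unspecified address only blackholes the site; a mapping to any
    other address sends the user to whoever owns that address."""
    findings = []
    for line_no, addr, name in parse_hosts(text):
        if not _is_watched(name):
            continue
        kind = "blackholed" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        findings.append({"line": line_no, "name": name, "address": str(addr), "kind": kind})
    return findings


# Constructed sample: a Windows hosts file after malware has edited it.
SAMPLE_HOSTS = """\
# constructed hosts file for this example
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.yahoo.com login.yahoo.com   # injected: attacker-controlled address
203.0.113.7     bordersgroupinc.com
0.0.0.0         mail.yahoo.com                 # injected: silently blocks the real site
127.0.0.1       update.example-av.test         # not watched here, but typical of malware
"""

if __name__ == "__main__":
    for f in pharming_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['name']} -> {f['address']} ({f['kind']})")
```

On a Windows PC the file lives at %SystemRoot%\System32\drivers\etc\hosts; the same parser applies to /etc/hosts on Unix. A poisoned resolver needs a different check (comparing answers from an independent resolver), which this example does not cover.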
Denial of Service (DoS)
A denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to, motives for and targets of a DoS attack may vary, it generally comprises the concerted, malevolent efforts of a person or persons to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely.
One common method of attack involves saturating the target (victim) machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable.
In general terms, DoS attacks are implemented by:
• forcing the targeted computer(s) to reset, or consume its resources such that it can no longer provide its intended service
• obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately
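Added example, not part of the training deck: the request-saturation pattern described above, as it appears in a web server access log. The code keeps a sliding window of request times per source and reports sources whose peak count in the window reaches a threshold. The log lines are constructed; the window size, threshold and addresses are illustrative assumptions, and lines are assumed to arrive in chronological order, as they do in a live log.

```python
"""Spot the "saturate the target with requests" pattern from a DoS in a web
server access log: count each source's requests in a sliding window and report
sources whose peak exceeds a threshold.

Added example for this page, not code from the training deck. The log lines
are constructed; window, threshold and addresses are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "common log format": ip ident user [time] "request" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return (source_ip, timestamp) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FORMAT)


def flood_sources(lines, window_s: int = 10, threshold: int = 20) -> dict:
    """Map each source IP whose request count within some window_s-second
    window reached threshold to its peak count in that window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that have fallen out of the window (q is never
        # empty here, and ts - ts == 0 stops the loop).
        while (ts - q[0]) > timedelta(seconds=window_s):
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def make_sample_log() -> list:
    """Constructed log: one client making 60 requests in 6 s, another 5 in 60 s."""
    base = datetime(2007, 7, 3, 9, 0, 0, tzinfo=timezone.utc)
    events = []
    for i in range(60):   # flood: ten requests per second
        events.append((base + timedelta(seconds=i // 10), "198.51.100.9"))
    for i in range(5):    # normal: one request every 15 s
        events.append((base + timedelta(seconds=15 * i), "192.0.2.10"))
    events.sort(key=lambda e: e[0])
    return [f'{ip} - - [{ts.strftime(TS_FORMAT)}] "GET /login HTTP/1.1" 200 512'
            for ts, ip in events]


if __name__ == "__main__":
    for ip, n in flood_sources(make_sample_log()).items():
        print(f"{ip}: peak {n} requests in 10 s")
```

A single-source count like this catches the simple flood; a distributed attack spreads the same volume over many addresses and needs an aggregate view (requests per second overall, or per target path) rather than a per-source one.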
Security Responsibilities
Cooperate fully to support incident response management by:
• Following procedures for incident notification in a timely manner.
• Providing detailed information to assist in the investigation.
• Complying immediately with all actions requested.
Procedures for incident notification:
  1. Corporate:
     * IRTeam@bordersgroupinc.com (Incident Response Team)
     * Corp Info – Home / BGI Policies / Employee Complaint Procedures (866) 356-4636 (U.S. Domestic employees)
     * Service Desk – IT Security Incident (734) 477-4357
  2. Stores:
     * Store Hot Line – Shrink Link (888) 273-9546
Security Responsibilities
Manage information wisely by:
• Minimizing acquisition, storage, transmission, access, and retention to only what is absolutely required for business use.
• Knowing where and how sensitive information for which I am responsible is acquired, stored, transmitted, accessed, retained, and disposed of.
• Ensuring that information is appropriately secured at all times and accessible only to those with a need to know.
• Properly discarding / disposing of information that is no longer needed, taking care to use locked recycle bins and proper deletion tools for sensitive information.
Security Responsibilities
Keep my computer secure by:
• Maintaining proper security settings and program patches.
• Maintaining appropriate security applications (i.e. anti-spyware, anti-virus).
• Maintaining screensaver password protection at 15 minutes of inactivity.
• Shutting down the PC at the end of the day.
Security Responsibilities
Practice safe access by:
• Being conscious of the existence, dangers, and symptoms of malware.
• Being careful about opening any email attachments.
• Using only your account or authorized accounts for application or data access.
• Abiding by the password policy and using strong password controls, including not sharing or writing down the password.
• Accessing only the applications and information required by my job responsibilities, and requesting change of such access as required.
Security Responsibilities
Avoid Internet dangers by:
• Being suspicious about the trustworthiness of all Internet use, and alert to potential misuse.
• Restricting the sharing of information to “need to know” for business reasons only, and using proper security to protect sensitive information.
• Being responsible about Internet surfing -- i.e. avoiding gaming sites, free download sites, etc.
Security Responsibilities
Key points:
• Protect sensitive information
• Cooperate fully to support incident response management
• Manage information wisely
• Keep my computer secure
• Practice safe access
• Avoid Internet dangers
Q&A
Organized Security