Domain 1: Security and Risk Management – Review
Information Security Governance, Administrative Controls, Risk Analysis: ALE, TCO, ROI (or ROSI), Legal Systems and Ethics
Slide Deck - CISSP Mentor Program Class Session 1 - FRSecure
This document summarizes a presentation given as part of a CISSP mentor program. It discusses the history and structure of the mentor program, as well as an introduction to the CISSP certification. Key points include:
- The mentor program started in 2010 with 6 students and has grown significantly. Classes follow a typical structure of recapping content, questions, quizzes, lectures, and homework assignments.
- The CISSP certification is maintained by ISC2 and tests knowledge across 8 security domains. Becoming certified requires passing the exam as well as relevant work experience.
- Presenter Evan Francen has over 20 years of security experience and emphasizes the importance of listening, not assuming expertise, and focusing on security.
The document provides information about the Certified Information Systems Security Professional (CISSP) certification. It discusses how the CISSP certification demonstrates that individuals have the necessary skills and experience to build and manage security for organizations. It also outlines the requirements to obtain the CISSP certification, including having 5 years of relevant work experience in 2 or more security domains or 4 years with a degree, passing the exam, completing the endorsement process, and maintaining the certification through ongoing training requirements.
Purple Teaming - The Collaborative Future of Penetration Testing - FRSecure
Organizations get penetration tests year after year, yet companies still get breached because they're STILL missing the basics. Traditional penetration tests are failing to prepare organizations for the threats they actually face. They have become a commodity of compliance and box-checking. Remediation steps rarely include management objectives. There is a general lack of excitement for Blue Team functions. Red team is sexy, but it is just a tool. Do you even have a JBoss server? (Then why are you seeing alerts for it?)
Welcome to the CISSP Mentor Program!
What is the CISSP Mentor Program
• History: 1st class was 2010; 6 students
• Today's class: 80 students
Why do we do it
• Success Stories
• Heck, it's free! If you aren't satisfied, we'll refund everything you paid us.
• We need MORE good information security people!
This document discusses incident response and handling. It outlines the key steps in the incident response process: preparation, identification, containment, eradication, recovery, and lessons learned. Preparation involves forming a response team, developing procedures, and gathering resources. Identification involves determining the scope of an incident and preserving evidence. Containment focuses on limiting the damage of an incident through actions like quarantining systems, analyzing initial data, and making backups. Eradication aims to completely remove malicious software from affected systems.
Domain 3: Security Engineering
Virtualization and Distributed Computing
System Vulnerabilities, Threats and Countermeasures
Cornerstone Cryptographic Concepts
History of Cryptography
Types of Cryptography
Cryptographic Attacks
Implementing Cryptography
How to prepare for the CISSP Exam. A presentation created by the (ISC)2 Hellenic Chapter to assist and instruct those in Greece interested in pursuing the CISSP Certification.
The (ISC)2 Hellenic Chapter Team
This document provides an overview of security fundamentals including the CIA triad of confidentiality, integrity and availability. It discusses common security threats and countermeasures for each component. Additional concepts covered include identification, authentication, authorization, auditing, accountability, non-repudiation, data classification, roles in security management, due care/diligence, security policies, standards/guidelines, threat modeling and prioritization. The document is intended as a high-level introduction to fundamental security concepts.
This document provides an introduction to the CISSP certification. It outlines the (ISC)2 organization that issues the CISSP, details the 8 domains covered on the exam, and explains the requirements to earn the CISSP certification, which include passing a 250 question exam and having 5 years of relevant work experience. It also provides an overview of the exam format and process, resources for study, and new topics covered on the updated 2015 exam.
This document summarizes key topics from a CISSP mentor program session on Domain 1: Security and Risk Management. It outlines the agenda, which includes cornerstone security concepts, legal and regulatory issues, security and third parties, ethics, governance, access control, risk analysis, and types of attackers. It then defines important terms like CIA triad, identity, risk, annualized loss expectancy, and others. Finally, it discusses foundational security concepts such as the definition of information security, privacy, identity and authentication, authorization, accountability, subjects and objects, due care, and due diligence.
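The summary above names annualized loss expectancy (ALE), TCO and ROI/ROSI without showing the arithmetic a Domain 1 candidate is expected to carry out. The following Python is a worked example added here; it is not code from the FRSecure slides. It uses the standard CISSP quantitative risk formulas (SLE = AV x EF, ALE = SLE x ARO, ROSI = (ALE reduction - annual safeguard cost) / annual safeguard cost) and ranks three hypothetical safeguards against one constructed asset; every asset value, exposure factor, ARO and cost figure in it is made up for illustration.

```python
"""Quantitative risk analysis: SLE, ALE and ROSI.

Added worked example; not from the CISSP Mentor Program slides.
Formulas are the standard CISSP quantitative risk definitions:
    SLE  = AV x EF                     (single loss expectancy)
    ALE  = SLE x ARO                   (annualized loss expectancy)
    ROSI = (ALE_before - ALE_after - annual cost) / annual cost
All asset figures and safeguards below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: what the asset is worth (currency units)
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0..1
    aro: float              # ARO: expected incidents per year

    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy with no additional safeguard."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float   # TCO per year: licence, maintenance, staff time
    residual_ef: float   # EF once the safeguard is in place
    residual_aro: float  # ARO once the safeguard is in place


def residual_ale(risk: Risk, s: Safeguard) -> float:
    """ALE that remains after the safeguard is deployed."""
    return risk.asset_value * s.residual_ef * s.residual_aro


def net_benefit(risk: Risk, s: Safeguard) -> float:
    """Annual ALE reduction minus what the safeguard costs per year."""
    return risk.ale() - residual_ale(risk, s) - s.annual_cost


def rosi(risk: Risk, s: Safeguard) -> float:
    """Return on security investment as a ratio (1.0 == 100 %)."""
    if s.annual_cost <= 0:
        raise ValueError("annual_cost must be positive to compute ROSI")
    return net_benefit(risk, s) / s.annual_cost


def rank_by_rosi(risk: Risk, candidates: List[Safeguard]) -> List[Tuple[str, float]]:
    """Safeguards ordered by ROSI, best first (investment efficiency)."""
    return sorted(((s.name, rosi(risk, s)) for s in candidates),
                  key=lambda t: t[1], reverse=True)


def best_by_net_benefit(risk: Risk, candidates: List[Safeguard]) -> Optional[Safeguard]:
    """Safeguard with the largest absolute net benefit; None if none pays for itself."""
    paying = [s for s in candidates if net_benefit(risk, s) > 0]
    return max(paying, key=lambda s: net_benefit(risk, s)) if paying else None


# Constructed sample: a customer database and three hypothetical controls.
CUSTOMER_DB = Risk("customer database", asset_value=1_000_000,
                   exposure_factor=0.30, aro=0.20)
CANDIDATES = [
    Safeguard("DLP gateway", annual_cost=25_000, residual_ef=0.10, residual_aro=0.10),
    Safeguard("full encryption + HSM", annual_cost=80_000, residual_ef=0.05, residual_aro=0.05),
    Safeguard("awareness training", annual_cost=5_000, residual_ef=0.30, residual_aro=0.12),
]

if __name__ == "__main__":
    print(f"SLE = {CUSTOMER_DB.sle():,.0f}  ALE = {CUSTOMER_DB.ale():,.0f}")
    for name, r in rank_by_rosi(CUSTOMER_DB, CANDIDATES):
        print(f"{name:<24} ROSI = {r:+.2f}")
    best = best_by_net_benefit(CUSTOMER_DB, CANDIDATES)
    print("largest net benefit:", best.name if best else "none pays for itself")
```

With these constructed figures the sample asset has SLE 300,000 and ALE 60,000. Awareness training ranks first by ROSI (3.8, because it is cheap), the DLP gateway produces the largest absolute net benefit (25,000 per year), and the encryption option reduces ALE by less than it costs, so its ROSI is negative. Two points the exam and real budgeting both turn on: ROSI ranks efficiency, net benefit ranks the amount of loss actually avoided, and the two can disagree; and the cost term must be annualized TCO (licence, maintenance, staff time), not the purchase price, or ROSI is overstated. The ARO estimate is the weakest input, so sanity-check it against incident history before trusting the ranking.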
The document provides information about Leo Lourdes and his foundation in cyber security. Leo Lourdes has extensive training and certifications in IT management, project management, information security and service management. The objective of his cyber security foundation is to prevent harm to computer networks, applications, devices and data. The training covers topics such as the CIA triad, security governance, risk management and cyber threats.
This document discusses key concepts around classifying and protecting organizational assets and data. It covers common data labeling schemes used by governments and private organizations, as well as controls for determining user access to classified information including clearances, need-to-know, and formal access approval. The document also outlines different media types that store data and appropriate methods for cleaning or destroying storage media to prevent data remanence.
Presentation about insider threat ways of working, their impact on organizations and how technical and human indicators can be monitored to detect and neutralize insider threats. Professionals working in security operations should monitor these indicators to create profile of possible insider going rogue.
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch! - Michele Chubirka
This document provides an overview of network security architectures and firewalls. It discusses challenges with current firewall models and compliance-focused approaches. Recommendations include establishing an information classification matrix to design network segmentation, focusing on containment and monitoring over rules, and integrating security into the overall enterprise architecture using frameworks like OSA and SABSA. References are provided for additional information on these topics.
Science of Security: Cyber Ecosystem Attack Analysis Methodology - Shawn Riley
Shawn Riley presented on the science of security and cyber intelligence analysis. He discussed analyzing the cyber attack lifecycle using the cyber ecosystem model, which views cybersecurity as an interacting system of people, processes, and technology. Riley's threat intelligence method uses the OODA loop to observe attacks, orient on threat actors, decide on indicators, and act by disseminating intelligence reports. His active defense method applies the PDCA cycle to plan defenses based on intelligence, implement countermeasures, check their effectiveness, and provide feedback to improve security over time.
How to Build a Successful Incident Response Program - Resilient Systems
Building an incident response program can be a cumbersome task when done manually. From identifying incident types and severity to creating a response plan for each incident type, Co3 provides an easy to use, customizable solution for quickly assessing, responding to, and driving incidents to closure. Co3 customer, USA Funds, manages incidents in one tenth of the time that it took previously.
This webinar will guide security practitioners through the process of creating a basic incident response process using Co3's Security Incident Response module. Based on a list of accumulated best practices, this webinar will give team members a good start on creating a successful incident response program to use at their organization.
Our featured speakers for this timely webinar will be:
-Ted Julian, Chief Marketing Officer, Co3 Systems
-Tim Armstrong, Security Incident Response Specialist, Co3 Systems
This document provides an introduction to computer security and security trends. It discusses the need for security as information has become a strategic asset for organizations. The main aspects of security are prevention, detection, and reaction. It then covers key security concepts like confidentiality, integrity, availability, authentication, access control, and non-repudiation. The document also examines common security threats like viruses, worms, intruders, insiders, criminal organizations, terrorists, and information warfare and how they can attack systems.
Revised by Christian Reina
Version: 1.1
Date: September 18, 2009
Change log:
-Risk Based Audit approach
-Things to know
-Penetration Testing Stages
-OSI Model protocols
-Firewall generations
-Wireless
-Common Criteria ISO 15408
-Problem Management
-System Development Life Cycle
-Software Life Cycle
-Five rules of evidence
-Incident Response framework
-Evidence Lifecycle
-Fair Information Practices
The document discusses how to create an effective security response plan to avoid a corporate meltdown. It recommends identifying critical assets and an incident response team with clear roles. The plan should include components like an escalation matrix, formal incident reporting, communication protocols, and regular testing. It emphasizes identifying all response team members, communicating the plan to staff, and updating it over time to address changing security needs and technologies.
This document provides an overview of Chapter 1 of the CNIT 125 course on information security and CISSP preparation. Part 1 discusses security terms like the CIA triad of confidentiality, integrity and availability. It also covers security governance principles such as data classification, roles and responsibilities, and strategic/tactical/operational planning. Part 2 introduces several security control frameworks and standards for compliance, as well as legal/regulatory issues involving computer crime, liability, and intellectual property.
This document summarizes the seventh session of a CISSP mentor program. It reviews Domain 3 on security engineering, including perimeter defenses, site selection and configuration, and system defenses. It then provides a quiz on these topics. The session concludes with a review of Domain 4 on communication and network security, covering network architecture, secure network devices and protocols, and secure communications. Key terms are defined, such as the OSI and TCP/IP models, LANs/WANs, circuit switching vs. packet switching, and the layers of the OSI model.
Slide Deck Class Session 10 – FRSecure CISSP Mentor Program - FRSecure
This document summarizes session #10 of a CISSP mentor program. It reviews topics in domains 4 and 5, including network scanning tools, wireless LANs, remote access, access control concepts, authentication methods, single sign-on, and identity lifecycle processes. Quizzes are given on domain 4 topics. Discussions also cover protocols like RADIUS, Diameter, Kerberos, and TACACS/TACACS+, as well as single sign-on implementations and access review procedures.
Domain 4: Communication and Network Security - Review
Application Layer TCP/IP Protocols and Concepts, Layer 1 Network Cabling, LAN Technologies and Protocols, LAN Physical Network Topologies, WAN Technologies and Protocols, Network Devices and Protocols, and Network Attacks
Domain 3: Security Engineering - Review (Part 2)
Virtualization and Distributed Computing, System Vulnerabilities, Threats and Countermeasures, Cornerstone Cryptographic Concepts, History of Cryptography, Types of Cryptography and Cryptographic Attacks
Domain 4: Communication and Network Security - Review
Network Architecture and Design, Fundamentals, OSI Model, TCP/IP Model and Encapsulation (speaking of which)
HHS Ransomware and Breach Guidance - Brad Nigh - FRSecure
A recent U.S. Government inter-agency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000 daily ransomware attacks reported in 2015). Ransomware attack prevention from a healthcare perspective is vitally important due to recent changes in HHS guidance. To understand what this means practically, FRSecure offers some valuable resources that discusses what constitutes a ransomware breach, non-compliance consequences and easy steps that can be implemented to reduce organizational risk of a Ransomware breach.
Slide Deck Class Session 11 – FRSecure CISSP Mentor Program - FRSecure
FRSecure has a goal of changing a broken industry. There are many ways to accomplish this endeavor such as setting high assessment standards, using proprietary reporting methods that are easy to understand to hiring expert talent just to name a few. However, one unique approach FRSecure uses to bring about change is our CISSP Mentor Program. By design the program is provided at no cost to anyone with an interest in the information security industry.
Slide Deck Class Session 8 – FRSecure CISSP Mentor Program - FRSecure
Domain 4: Communication and Network Security -Review
•Network Architecture and Design
•Fundamentals
•OSI Model
•TCP/IP Model
•Encapsulation(speaking of which)
This document summarizes a CISSP mentor program session on security assessment and testing. It includes a 10 question quiz on topics like regression testing, fuzzing, static vs dynamic testing, and types of penetration testing. It also discusses a scenario about hiring a security firm to conduct a security assessment and penetration test of a bank's new web application. Key points covered include using a "flag" file instead of real data in a penetration test, the benefits of partial knowledge vs zero knowledge tests, and the proper response if an active compromise is discovered during a test.
Data Classification Guide | Nanonets Blog.pdf - DhanashreeBadhe
Read the complete blog: https://nanonets.com/blog/data-classification/
Take a look at more blogs on AI and ML at https://nanonets.com/blog
Try Free Nanonets Tools:
OCR for PDFs: https://nanonets.com/blog/pdf-ocr/
PDF to CSV converter: https://nanonets.com/convert-pdf-to-csv
PDF to Excel converter: https://nanonets.com/tools/pdf-to-excel
Online OCR: https://nanonets.com/online-ocr
Try Nanonets for free: https://app.nanonets.com/#/signup
Schedule a call: https://app.nanonets.com/call
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success - Sirius
The EU General Data Protection Regulation (GDPR) and the New York State Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) represent a landmark change in the global data protection space. While they originate in different countries and apply to different organizations, their primary message is the same:
Protect your data, or pay a steep price. More specifically, protect the sensitive data you collect from customers.
With deadlines looming, is your organization ready?
The time to act is now. Read more to learn:
--Key mandates and minimum requirements for compliance
--Why a comprehensive data-centric security strategy is invaluable to all data protection and data privacy efforts
--How you can gauge your organization’s incident response capabilities
--How to extend your focus beyond the organization’s figurative four walls to ensure requirements are met throughout your supply chain
The first New York requirements deadline has arrived. With the next deadline of mandates only 6 months away, you don't want to fall behind and leave your organization at risk for potential penalties and fines.
Data Loss Prevention (DLP) - Fundamental Concept - Eryk - Eryk Budi Pratama
This document discusses data loss prevention (DLP) concepts and implementations. It begins with an overview of data governance and the data lifecycle. It then defines DLP, explaining how DLP solutions protect data in motion, at rest, and in use. Sample DLP deployments are shown, outlining key activities and considerations for implementation such as governance, infrastructure, and a phased approach. Finally, examples of DLP use cases are provided for data in motion like email and data in use on workstations.
Perpetual Information Security - Driving Data Protection in an Evolving Compl... - SafeNet
The document discusses evolving data protection and compliance challenges facing organizations. It outlines key threat drivers like cybercrime, cloud computing, and data loss that are pushing the need for improved security. The document provides lessons on developing an overarching security business model, mapping where sensitive data is located, understanding regulatory overlaps, and looking ahead to how security needs will continue to change. It advocates for centralized policy and key management to provide data tracking, control, and compliance.
Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk - Eryk Budi Pratama
The document provides an overview of personal data protection regulations and technical aspects related to data privacy. It discusses key aspects of the draft Indonesian Personal Data Protection Bill, including rights of data owners and obligations of data controllers. It also covers technical topics like identity and access management, data loss prevention, and incident management. The presentation aims to provide a basic understanding of both regulatory requirements and technical controls for protecting personal data.
The document discusses how Acronis solutions help organizations comply with the GDPR through features that allow for privacy impact assessments, data access governance, secure backup storage, data breach response, and data deletion in accordance with data subject rights like access, rectification, erasure and portability. It outlines how Acronis Backup, Storage, Backup Cloud and Disaster Recovery Service provide control over data location, strong encryption, easy data access and modification, fast recovery, and logging to meet GDPR requirements.
The Constrained Method of Accessibility and Privacy Preserving Of Relational ... - IJERA Editor
Organizations today hold most of their information in tabular form, that is, in relational databases, and often need to distribute parts of that data, within the organization or to other organizations, on a daily basis. Distributing the data creates security problems, particularly when the organization later wants the shared data to be modified or updated. Encryption and electronic signatures are among the methods used to protect such data while it is transmitted over the network, and various mechanisms and strong access methods are used to control who can reach specific data. It is well established that access to data must today be governed by access control policies, and that confidentiality, integrity and availability (CIA) measures must be adopted for database systems.
The document discusses data security and data management. It defines data security as processes and practices to protect critical IT systems and information. Effective data security uses controls, applications, and techniques to identify important data and apply appropriate security controls. Data security is important for organizations to protect user and customer data from unauthorized access. Common data security methods include access controls, authentication, backups, encryption, and data erasure. Data management techniques aim to ensure data quality, integrate data across systems, and govern data use and access. The document also discusses specific techniques for data cleansing, integration, and other aspects of data management.
Keep Calm and Comply: 3 Keys to GDPR Success - Sirius
Recent surveys benchmarking the status of U.S. companies' efforts to meet the May 25 deadline for the EU General Data Protection Regulation (GDPR) have revealed a startling lack of preparedness.
Companies not yet in compliance are likely to violate the regulation if they don't take immediate action, and fines can reach 2 or 4 percent of a company's worldwide annual turnover (or €10 million / €20 million, whichever is higher), depending on the violation. Do you have the resources and information you need to comply?
View to learn:
--What GDPR means to your business
--Short, medium, and long-term actions you can take to protect regulated data and achieve compliance
--How you can streamline incident response and third-party risk management capabilities
--How to streamline the resources and technology needed to keep up with the evolving regulatory landscape
Don't fall behind on these compliance regulations. Take the steps needed to protect the data you collect.
This document discusses sensitive data and how to protect it. It begins by defining sensitive data as information that must be safeguarded against unwanted disclosure due to legal, privacy or proprietary reasons. It then lists examples of sensitive data and outlines three key aspects to measuring data sensitivity: confidentiality, integrity and availability. Next, it describes the types of sensitive data hackers may target from organizations. Finally, it recommends three steps to protect sensitive data: identify all sensitive data, promptly respond to and assess risks, and monitor and implement adequate security measures. The conclusion emphasizes the importance of protecting sensitive data to build strong business relationships and trust.
CSIA 310 Cybersecurity Processes & Technologies Case Study #2 T.docx (annettsparrow)
CSIA 310: Cybersecurity Processes & Technologies
Case Study #2: Technology & Product Review for Identity Governance & Administration
Case Scenario:
For this case study, our focus shifts to technologies and products used to implement the Identity Governance & Administration (IGA) business process and related security controls.
IGA is used to manage and mitigate insider threat. Insiders, because of their access to information and information resources (e.g. workstations, servers, networks), potentially have the opportunity and the means by which to steal intellectual property, commit fraud, and perform other types of mischief and mayhem (ranging from pranks to deliberate sabotage).
For our focus firm, Sifers-Grayson, access control and identity management have not been a serious concern ... or so their executives and managers thought. The majority of employees and managers are from the local area where there is a strong sense of community. The founders of the company belong to families who were among the original settlers for the county. They contribute heavily to local charities and youth organizations. They rely upon these connections to family and community when hiring and have a strong tradition of promoting from within.
The problem is that Sifers-Grayson's operations and sales have taken them into the vast geographies of the Internet and cyberspace. There is an emerging awareness among the engineering staff of the potential for outsiders to attack the company through its Internet connections. The thought that an insider might cause trouble for the firm is still hard for them to accept.
The company can no longer afford to depend upon social mores and norms to protect it against the possibility of insider threats. The new contracts specifically require proper labeling of information ("data classification") and require control over access to government furnished information ("GFI"). This means that the company needs to change its culture and change its management processes.
The primary means for protecting against insider threats is to control insider access to information, information systems, and the information infrastructure. The two most basic processes used to protect against insider threat are (a) identity management and (b) access controls. Data classification is also an important protective process since it enables the use of the value or sensitivity of information when determining how and when to grant access. Privilege management is a third protective process, which is used to protect against the misuse of permissive access to software applications and operating system functions. The principle of least privilege is an important control over this permissive access. Finally, separation of duties is a key business process, which is used to prevent insiders from abusing access to information and information resources. Research:
1. Review the weekly readings.
2. Choose an Identity Governance & Administration product which was mentioned.
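The paragraph above names the controls that Identity Governance & Administration enforces: identity management, access control, least privilege, and separation of duties. The following Python is an added example of the two checks an IGA review runs over role assignments; it is not code from any IGA product mentioned in the course and not part of the case study. The role names, the separation-of-duties matrix, the assignments and the last-used log are constructed for illustration.

```python
"""Two identity-governance checks over constructed role data:
(1) separation of duties: flag users holding a toxic combination of roles;
(2) least-privilege review: flag entitlements never used, or idle longer
    than a review window, as revocation candidates.
Added example; the roles, rules and log below are constructed."""
from collections import defaultdict
from datetime import date, timedelta

# Role pairs that one person must never hold together (constructed matrix).
SOD_RULES = {
    frozenset({"vendor_create", "payment_approve"}): "create a vendor and pay it",
    frozenset({"payroll_edit", "payroll_approve"}): "edit and approve payroll",
    frozenset({"gfi_download", "external_share"}): "export GFI outside the company",
}

# Current role assignments (constructed).
ASSIGNMENTS = {
    "alice": {"vendor_create", "payment_approve"},
    "bob": {"payroll_edit", "gfi_download"},
    "carol": {"payroll_approve", "gfi_download", "external_share",
              "engineering_read"},
    "dan": {"engineering_read"},
}

# Last time each (user, role) was actually exercised (constructed log).
# Entitlements absent from this map have never been used.
LAST_USED = {
    ("alice", "vendor_create"): date(2024, 5, 1),
    ("alice", "payment_approve"): date(2024, 5, 2),
    ("bob", "payroll_edit"): date(2024, 5, 3),
    ("bob", "gfi_download"): date(2023, 9, 1),
    ("carol", "payroll_approve"): date(2024, 4, 30),
    ("carol", "gfi_download"): date(2024, 4, 30),
    ("carol", "external_share"): date(2024, 1, 15),
}

REVIEW_DATE = date(2024, 5, 10)  # date the access review is run (constructed)


def sod_violations(assignments, rules=SOD_RULES):
    """Return {user: [reason, ...]} for every toxic combination a user holds.
    A rule fires only when the user holds *all* roles in the pair."""
    found = defaultdict(list)
    for user, roles in assignments.items():
        for combo, reason in rules.items():
            if combo <= roles:
                found[user].append(reason)
    return dict(found)


def stale_entitlements(assignments, last_used, today, max_idle_days=90):
    """Least-privilege review: return (user, role, last_used) for every
    entitlement never exercised or idle longer than max_idle_days."""
    cutoff = today - timedelta(days=max_idle_days)
    stale = []
    for user, roles in assignments.items():
        for role in sorted(roles):
            used = last_used.get((user, role))
            if used is None or used < cutoff:
                stale.append((user, role,
                              "never" if used is None else used.isoformat()))
    return stale


if __name__ == "__main__":
    for user, reasons in sod_violations(ASSIGNMENTS).items():
        print(f"SoD violation: {user} can {'; '.join(reasons)}")
    for user, role, last in stale_entitlements(ASSIGNMENTS, LAST_USED, REVIEW_DATE):
        print(f"Revoke candidate: {user}/{role} (last used {last})")
```

Note that bob holds payroll_edit and gfi_download, which is not a toxic pair in the matrix, so he is not reported for separation of duties; his GFI entitlement is instead caught by the least-privilege review because it has not been used in eight months.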
The document provides guidelines for securely managing human subject data in research. It defines key terms related to anonymity, confidentiality, and de-identification of data. The core guidelines recommend password protecting devices and files, limiting access to identifiers, encrypting data stored on portable devices, and deleting identifiers as soon as possible. Researchers should follow institutional standards for tools, cloud services, and third party vendors when handling sensitive data. Maintaining appropriate anonymity, confidentiality or de-identification is important to protect participants and ensure low risk.
This document discusses protecting the security of assets and information. It covers identifying and classifying sensitive data and assets, determining appropriate security controls, and establishing ownership roles and responsibilities. The goal is to properly handle information throughout its lifecycle to prevent unauthorized disclosure and data breaches. Key steps include marking, handling, storing, and destroying assets based on their classification.
In this work we highlighted some of the concepts of data privacy, techniques used in data privacy, and some techniques used in data privacy in the cloud plus some new research trends.
Protecting Data Privacy Beyond the Trusted System of Record (Cor Ranzijn)
Data Privacy Passports is a new IBM capability that can help businesses maintain data privacy and protection when sensitive data leaves a trusted system of record. It works by encrypting data into trusted data objects (TDOs) and controlling access to the encrypted data through a central Passport Controller. This allows businesses to enforce access policies, revoke access remotely, and more easily audit who has accessed data. The document discusses how Data Privacy Passports addresses key data privacy concerns and provides benefits like reduced risk, lower administrative costs, and an estimated 300% return on investment over five years.
Information asset classification involves assigning appropriate labels to information based on its sensitivity. There are three parties responsible - the owner who creates the information, the custodian who implements security, and the user who accesses the information. Common classification systems label information as top secret, secret, confidential, and unclassified (government) or confidential, sensitive, restricted, and public (commercial). The classification level determines who can access the information and the damage potential if it's disclosed without authorization.
The Rise of Data Ethics and Security - AIDI Webinar (Eryk Budi Pratama)
The document discusses the rise of data ethics and security. It begins with an introduction of the speaker and their background. It then covers various topics related to data ethics including the data lifecycle, implementation of data ethics through vision, strategy, governance and more. Big data security is also discussed as it relates to data governance, challenges, and approaches to building a security program. Regulatory requirements and their impact on data scientists is covered as it relates to privacy. Techniques for privacy control like data masking and tokenization in ETL processes are presented.
Module 02 Performance Risk-based Analytics With all the advancem... (IlonaThornburg83)
Module 02 Performance Risk-based Analytics
With all the advancements in technology and encryption levels, some methods are faster or slower than others. In most cases a cybersecurity professional must weigh cost, performance, and security. Risk is a powerful tool used by all cybersecurity professionals to assist in making these decisions, and in influencing appropriate stakeholders by providing appropriate information with regard to these three elements.
Risk analysis, or risk-based analytics, helps determine the level of risk to an organization. The first step in this process is to determine the sensitivity of the data being processed. The example below is a common data classification scheme used by many organizations; the levels and their contents may vary depending on how the data will be used.
· Public: Data available to the general public and approved for distribution outside the organization.
· Examples: press releases, directory information (not subject to government regulations or blocks), product catalogs, application and request forms, and other general information that is openly shared. The type of information an organization would choose to post on its website offers a good example of Public data.
· Internal: Data necessary for the operation of the business and generally available to all internal users, users of that particular customer, and potentially interested third-parties if appropriate and when authorized.
· Examples: Some memos, correspondence, and meeting minutes; contact lists that contain information that is not publicly available; and procedural documentation that should remain internal.
· Confidential: Data generally not made available outside the organization and the unauthorized access, use, disclosure, duplication, modification, or destruction of which could adversely impact the organization and/or customers. All confidential information is sensitive in nature and must be restricted to those with a legitimate business need to know.
· Examples:
· Information covered by the Family Educational Rights and Privacy Act (FERPA), which requires protection of records for current and former students. This includes pictures of students kept for official purposes.
· Personally identifiable information entrusted to the organization’s care that is not restricted use data, such as information regarding applicants, donors, potential donors, or competitive marketing research data.
· Information covered by the Gramm-Leach-Bliley Act (GLB), which requires protection of certain financial records.
· Individual employment information, including salary, benefits and performance appraisals for current, former, and prospective employees.
· Legally privileged information.
· Information that is the subject of a confidentiality agreement.
· Restricted: Data that MUST be specifically protected via various access, confidentiality, integrity and/or non-repudiation controls in order to comply with legislative, regulatory, con ...
This document provides an overview of the Information Security Governance and Risk Management domain covered by the CISSP certification. It discusses key topics in this domain including information security concepts, risk management, policies, standards, procedures, data classification, risk assessment, and security controls. The document is divided into sections that define learning objectives, reference materials, and describe topics covered within the domain such as information security management, governance, classification, and the role of planning, policies, guidelines, standards, procedures, security training, and risk management practices and tools.
2020 FRSecure CISSP Mentor Program - Class 10 (FRSecure)
This document summarizes a CISSP mentor program session covering various topics:
1. The session reviewed chapters 1-3 of the curriculum and asked participants how many had read them and if they had any questions.
2. The presentation covered security models, incident response methodology, operational preventive and detective controls like IDS, honeypots, and asset/configuration management.
3. A quiz was given covering topics like appropriate responses during a penetration test and types of security tests. The session concluded with a discussion of vulnerability management and asset management principles.
2020 FRSecure CISSP Mentor Program - Class 5 (FRSecure)
The document summarizes key points from a CISSP mentor program session on April 29, 2020. It provides instructions for participating in an online study group and feedback forum. It also previews the agenda for covering symmetric encryption, cryptographic concepts and attacks as part of the security engineering domain. Sample questions are asked to check understanding of topics like cryptographic models, cloud service levels and nonrepudiation.
2020 FRSecure CISSP Mentor Program - Class 4 (FRSecure)
This document summarizes a CISSP mentor program session on April 22, 2020. It discusses housekeeping for the online chat, reviews material covered in previous chapters, and begins covering the topic of security engineering from the CISSP common body of knowledge. Specific technical concepts summarized include computer bus architecture, the central processing unit components, and pipelining. The session includes a short quiz on memory types.
2020 FRSecure CISSP Mentor Program - Class 3 (FRSecure)
This document summarizes the third session of a 2020 CISSP Mentor Program. It provides housekeeping reminders for the online chat, checks in with participants, and reviews content from the previous sessions. The session then discusses risk analysis in more depth, including qualitative vs. quantitative analysis, risk choices, and risk management processes. The document concludes with a quiz to test participants' knowledge.
2020 FRSecure CISSP Mentor Program - Class 2 (FRSecure)
This document summarizes the key points from session two of a CISSP mentor program. It covers cornerstone information security concepts such as the CIA triad, identity and authentication using the three factors of something you know, something you have, something you are. It also discusses legal systems, risk analysis, types of attackers, and introduces some terms and definitions that are important to memorize for the CISSP exam. The session aims to get participants ready for the journey towards CISSP certification.
2020 FRSecure CISSP Mentor Program - Class 1 (FRSecure)
The document summarizes a CISSP mentor program session. It introduces the instructors and their backgrounds. It discusses the severe talent shortage problem in cybersecurity, with estimates of over 1 million unfilled jobs in the US currently. It notes that while some claim the shortage is overhyped, most experts agree there is a real shortage. The document aims to help address this problem through the free CISSP mentor program.
2019 FRSecure CISSP Mentor Program: Class Eleven (FRSecure)
The document summarizes the notes from session 11 of a 2019 CISSP mentor program. It includes quizzes on topics like incident response backups, disaster recovery planning goals, and backup types. It also covers lectures on executive succession planning, disaster recovery plan approval, backups and availability options, software escrow, disaster recovery plan testing, and different types of disaster recovery plan tests.
2019 FRSecure CISSP Mentor Program: Class Ten (FRSecure)
The document summarizes a CISSP mentor program session that included:
- An instructor-led class discussing questions from chapters 1-7 and covering 115 slides.
- A quiz with 6 multiple choice questions about penetration testing procedures and types of security tests.
- A lecture on incident response methodology, operational preventative and detective controls like IDS/IPS, continuous monitoring, DLP, and honeypots. Asset management and configuration management were also discussed.
2019 FRSecure CISSP Mentor Program: Class Nine (FRSecure)
This document summarizes a CISSP mentor program session from May 13, 2019. It discusses assessing access control and software testing methods. The session covers penetration testing methodology and tools, vulnerability testing, and security assessments. Penetration testing involves planning, reconnaissance, scanning, vulnerability assessment, exploitation, and reporting. Vulnerability scanning checks for issues like missing patches and configuration errors. Security assessments take a holistic approach to evaluating multiple controls across domains.
2019 FRSecure CISSP Mentor Program: Class Eight (FRSecure)
This document summarizes an 8th session of a 2019 CISSP Mentor Program. It includes an agenda for the Identity and Access Management domain, covering authentication methods, access control technologies, and models. A quiz is given on firewalls, WAN protocols, wireless security, and Bluetooth restrictions. Lectures then cover the three basic authentication methods (something you know, have, are), and passwords in further detail such as hashing, cracking, and dictionary attacks.
2019 FRSecure CISSP Mentor Program: Class Seven (FRSecure)
This document contains notes from a CISSP mentor program session on May 1, 2019. It discusses the agenda for the session, which includes finishing chapter 5 of the book and covering network architecture and design topics like WAN technologies and protocols. A quiz with multiple choice questions is also included to test participants' knowledge.
2019 FRSecure CISSP Mentor Program: Class Six (FRSecure)
This document summarizes a CISSP mentor program session from April 29, 2019. It discusses completing chapters 1-4 of the curriculum, switching to questions from other sources, and covering network architecture and design topics like network defense in depth, fundamental network concepts of simplex/half-duplex/full-duplex communication, baseband/broadband, analog/digital, LANs/WANs/MANs/GANs/PANs, and circuit-switched vs. packet-switched networks. The session included quizzes and 134 slides to go over these topics.
2019 FRSecure CISSP Mentor Program: Class Four (FRSecure)
This document summarizes a CISSP mentor program session covering security engineering concepts. It discusses the session agenda which included security models, evaluation methods, secure system design concepts like layering and abstraction, the ring model, and secure hardware architecture like system units, motherboards, CPUs and memory addressing. It also included a quiz to test knowledge of topics covered so far in the first three chapters.
2019 FRSecure CISSP Mentor Program: Class Three (FRSecure)
This document summarizes session 3 of a 2019 CISSP mentor program. It discusses risk analysis, including qualitative and quantitative approaches. Key terms like asset value, exposure factor, single loss expectancy, and annualized loss expectancy are defined. Examples of risk analysis calculations are provided. The session also covered risk management processes, risk choice options, and included a quiz to test understanding.
This document summarizes the second session of a CISSP mentor program held on April 10, 2019. The session covered several topics related to CISSP Domain 1 including security concepts like confidentiality, integrity, and availability. It defined key terms like risk, annualized loss expectancy, and return on investment. It also discussed identity and access management concepts such as identity, authentication, authorization, and accountability. The session aimed to help students understand and memorize these foundational information security principles.
2. CISSP Mentor Program Session #3
Domain 1: Security and Risk Management - Review
• Information Security Governance
• Administrative Controls
• Risk Analysis
• ALE, TCO, ROI (or ROSI)
• Legal Systems
• Ethics
3. CISSP Mentor Program Session #3
Domain 1: Security and Risk Management – Quiz Review
4. CISSP Mentor Program Session #3
Domain 1: Security and Risk Management –
Current Events
Privacy; Apple vs. FBI (http://www.apple.com/privacy/government-information-requests/)
http://www.scmagazine.com/federal-court-bucks-trend-rules-general-liability-insurance-covers-data-breach/article/489320/
http://www.zdnet.com/article/singapore-penalises-firms-for-data-breaches/
5. CISSP Mentor Program Session #3
Domain 2: Asset Security (Protecting Security of Assets)
• Classifying Data
• Ownership
• Memory and Remanence
• Data Destruction
• Determining Data Security Controls
6. CISSP Mentor Program Session #3
Classifying Data (or Data Classification)
Labels
Objects have labels – Subjects have clearances
• Data classification scheme
• Executive Order 12356 (http://www.archives.gov/federal-register/codification/executive-order/12356.html) - Top Secret, Secret, and Confidential
• Company/Private Sector – Confidential, Internal Use Only, Public
• Security Compartments; documented need to know and clearance
7. CISSP Mentor Program Session #3
Classifying Data (or Data Classification)
Clearance
Objects have labels – Subjects have clearances
• Formal approval/authorization to specific levels of information
• Not really used as much in the private sector
• “All About Security Clearances” from the US Department of State;
http://www.state.gov/m/ds/clearances/c10978.htm
• Standard Form 86 is a 127-page questionnaire!
8. CISSP Mentor Program Session #3
Classifying Data (or Data Classification)
Formal Access Approval
• Documented
• Access requests should be approved by the owner, not the manager and
certainly not the custodian (more to follow)
• Approves subject access to certain objects
• Subject must understand all rules and requirements for access
• Best practice is that all access requests and access approvals are auditable
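Slides 6 through 8 state the decision rule in words: objects carry labels, subjects carry clearances, compartments encode documented need to know, and even a sufficient clearance is useless without a formal, auditable approval from the data owner. The following Python is an added example of that rule, not code from the FRSecure deck. The level orderings follow the deck's Executive Order 12356 and private-sector schemes; the `Label`, `Clearance` and `AccessRegister` types and the scenario (owner alice, subjects bob, carol, dave and erin, an object named "report") are constructed for illustration.

```python
"""Label/clearance dominance plus owner-approved, audited access.
Added example; the types and the scenario in demo() are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# Classification schemes from the deck, ordered least to most sensitive.
GOVERNMENT_LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
PRIVATE_SECTOR_LEVELS = ["Public", "Internal Use Only", "Confidential"]


@dataclass(frozen=True)
class Label:
    """Marking on an object: a level plus zero or more compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Clearance:
    """What a subject has been formally cleared for."""
    level: str
    compartments: FrozenSet[str] = frozenset()


def dominates(clearance: Clearance, label: Label, scheme: List[str]) -> bool:
    """A clearance dominates a label when its level is at least the label's
    level AND it holds every compartment the object is marked with.
    A higher level alone is not enough: compartments carry need to know."""
    return (scheme.index(clearance.level) >= scheme.index(label.level)
            and label.compartments <= clearance.compartments)


@dataclass
class AccessRegister:
    """Formal access approval: only the data owner may approve (not a manager,
    not the custodian), and every approval and access decision is audited."""
    owners: Dict[str, str]                           # object -> owning subject
    approvals: Set[Tuple[str, str]] = field(default_factory=set)
    audit: List[Tuple[str, ...]] = field(default_factory=list)

    def approve(self, approver: str, subject: str, obj: str) -> bool:
        if self.owners.get(obj) != approver:
            self.audit.append(("APPROVAL_REJECTED", approver, subject, obj))
            return False
        self.approvals.add((subject, obj))
        self.audit.append(("APPROVED", approver, subject, obj))
        return True

    def can_access(self, subject: str, clearance: Clearance, obj: str,
                   label: Label, scheme: List[str]) -> bool:
        """Grant only when the label is dominated AND an owner approval exists."""
        allowed = (dominates(clearance, label, scheme)
                   and (subject, obj) in self.approvals)
        self.audit.append(("GRANTED" if allowed else "DENIED", subject, obj))
        return allowed


def demo() -> Dict[str, bool]:
    """Constructed scenario: a Secret report in compartment PROJECT-X, owned
    by alice, requested by subjects with different clearances."""
    scheme = GOVERNMENT_LEVELS
    report = Label("Secret", frozenset({"PROJECT-X"}))
    reg = AccessRegister(owners={"report": "alice"})
    bob = Clearance("Secret", frozenset({"PROJECT-X"}))
    dave = Clearance("Top Secret")               # higher level, no compartment
    erin = Clearance("Confidential", frozenset({"PROJECT-X"}))
    return {
        "bob_before_approval": reg.can_access("bob", bob, "report", report, scheme),
        "manager_may_approve": reg.approve("carol", "bob", "report"),
        "owner_may_approve": reg.approve("alice", "bob", "report"),
        "bob_after_approval": reg.can_access("bob", bob, "report", report, scheme),
        "dave_top_secret_no_compartment": (
            reg.approve("alice", "dave", "report")
            and reg.can_access("dave", dave, "report", report, scheme)),
        "erin_level_too_low": (
            reg.approve("alice", "erin", "report")
            and reg.can_access("erin", erin, "report", report, scheme)),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

The dave case is the one worth remembering for the exam: Top Secret outranks Secret, yet he is denied because he lacks the PROJECT-X compartment, which is exactly what "need to know" adds on top of clearance level.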
9. CISSP Mentor Program Session #3
Classifying Data (or Data Classification)
Data Classification Policy (Sample)
• Three roles; data owner, data custodian, and data user
• Three classifications; Confidential, Internal Use, and Public
• In real life; easy to document and hard to implement
• Data classification defines handling requirements for sensitive information, data storage requirements and, in some cases, data retention requirements
10. CISSP Mentor Program Session #3
Classifying Data (or Data Classification)
Data Classification Policy (Sample)
Data Owner:
The Data Owner is normally the person responsible for, or dependent upon, the business process associated with an information asset. The Data Owner is knowledgeable about how the information is acquired, transmitted, stored, deleted, and otherwise processed.
• The Data Owner determines the appropriate value and classification of information generated by the owner or department;
• The Data Owner must communicate the information classification when the information is released outside of the department and/or FRSecure Sample;
• The Data Owner controls access to his/her information and must be consulted when access is extended or modified; and
• The Data Owner must communicate the information classification to the Data Custodian so that the Data Custodian may provide the appropriate levels of protection.
11. CISSP Mentor Program Session #3
Classifying Data (or Data Classification)
Data Classification Policy (Sample)
Data Custodian:
The Data Custodian maintains the protection of data according to the
information classification associated to it by the Data Owner.
The Data Custodian role is delegated by the Data Owner and is usually
Information Technology personnel.
12. CISSP Mentor Program Session #3
Classifying Data (or Data Classification)
Data Classification Policy (Sample)
Data User:
The Data User is a person, organization or entity that interacts with data for the
purpose of performing an authorized task. A Data User is responsible for using
data in a manner that is consistent with the purpose intended and in compliance
with policy.
13. CISSP Mentor Program Session #3
Classifying Data (or Data Classification)
Data Classification Policy (Sample)
Confidential Data:
Confidential data is information protected by statutes, regulations, company policies or contractual language.
Data Owners may also designate data as Confidential.
Confidential Data is sensitive in nature, and access is restricted. Disclosure is limited to individuals on a “need-to-know” basis only.
Disclosure to parties outside of the company must be authorized by Executive Management, approved by the
Information Security Committee, or be covered by a binding non-disclosure or confidentiality agreement.
Examples of Confidential Data include:
• Protected Health Information (“PHI”)/medical records
• Financial information, including credit card and account numbers
• Social Security Numbers
• Personnel and/or payroll records
• Any data identified by government regulation to be treated as confidential, or sealed by order of a court of competent jurisdiction
• Any data belonging to a customer that may contain personally identifiable information
14. CISSP Mentor Program Session #3
Classifying Data (or Data Classification)
Data Classification Policy (Sample)
Minimum Protection Requirements for Confidential Data
• When stored in an electronic format, must be protected with a minimum level of authentication, to include strong passwords, wherever possible.
• When stored on mobile devices and media, protections and encryption measures provided through mechanisms approved by FRSecure Sample IT Management must be employed.
• Must be stored in a locked drawer, room, or area where access is controlled by a guard, cipher lock, and/or card reader, or that otherwise has sufficient physical access control measures to afford adequate protection and prevent unauthorized access by members of the public, visitors, or other persons without a need-to-know.
• Must be encrypted with strong encryption when transferred electronically to any entity outside of FRSecure Sample (See FRSecure Sample Encryption Policy).
15. CISSP Mentor Program Session #3
Classifying Data (or Data Classification)
Data Classification Policy (Sample)
Minimum Protection Requirements for Confidential Data
• When sent via fax, must be sent only to a previously established and used address or one that has been verified as using a secured location.
• Must not be posted on any public website.
• Must be destroyed when no longer needed, subject to the FRSecure Sample Data Retention Policy. Destruction may be accomplished by:
◦ “Hard Copy” materials must be destroyed by shredding or another approved process that destroys the data beyond either recognition or reconstruction as per the FRSecure Sample Data Destruction and Re-Use Standard.
◦ Electronic storage media that will be re-used must be overwritten according to the FRSecure Sample Data Destruction and Re-Use Standard.
◦ Electronic storage media that will not be re-used must be physically destroyed according to the FRSecure Sample Data Destruction and Re-Use Standard.
◦ Deleting files or formatting the media is NOT an acceptable method of destroying Confidential Data.
16. CISSP Mentor Program Session #3
Classifying Data (or Data Classification)
Data Classification Policy (Sample)
Minimum Protection Requirements for Confidential Data
The FRSecure Sample Information Security Committee must be notified in a timely manner if data classified as Confidential is lost, disclosed to unauthorized parties or is suspected of being lost or disclosed to unauthorized parties, or if any unauthorized use of FRSecure Sample information systems has taken place or is suspected of taking place.
17. CISSP Mentor Program Session #3
Classifying Data (or Data Classification)
Data Classification Policy (Sample)
Minimum Labeling Requirements for Confidential Data
If possible, all Confidential Data must be marked, regardless of the form it takes. Confidential Data will be marked using the word “Confidential” in bold, italicized, red font (i.e. Confidential). The marking should be placed in the right corner of the document header or footer.
18. CISSP Mentor Program Session #3
Classifying Data (or Data Classification)
Data Classification Policy (Sample)
Internal Data:
Internal Data is information that must be guarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, modification, transmission, storage or other use. This classification applies even though there may not be a civil statute requiring this protection. Internal Data is information that is restricted to personnel designated by the company, who have a legitimate business purpose for accessing such data.
Examples of Internal Data include employment data, business partner information where no more restrictive non-disclosure or confidentiality agreement exists, internal directories and organization charts, planning documents, and contracts.
19. CISSP Mentor Program Session #3
Classifying Data (or Data Classification)
Data Classification Policy (Sample)
Minimum Protection Requirements for Internal Data
• Must be protected to prevent loss, theft, unauthorized access and/or unauthorized disclosure
• Must be protected by a non-disclosure or confidentiality agreement before access is allowed
• Must be stored in a closed container (e.g. a file cabinet, closed office, or department where physical controls are in place to prevent disclosure) when not in use
• Must be destroyed when no longer needed, subject to the FRSecure Sample Data Retention Policy. Destruction may be accomplished by:
◦ “Hard Copy” materials must be destroyed by shredding or another approved process which destroys the data beyond either recognition or reconstruction as per the FRSecure Sample Data Destruction and Re-Use Standard.
◦ Electronic storage media shall be sanitized appropriately by overwriting or degaussing prior to disposal as per the FRSecure Sample Data Destruction and Re-Use Standard.
• Is the “default” classification level if one has not been explicitly defined.
20. CISSP Mentor Program Session #3
Classifying Data (or Data Classification)
Data Classification Policy (Sample)
Minimum Labeling Requirements for Internal Data
If possible, all Internal Data should be marked, regardless of the form it takes. Internal Data will be marked using the word “Internal” in bold, italicized, blue font (i.e. Internal). The marking should be placed in the right corner of the document header or footer.
21. CISSP Mentor Program Session #3
Classifying Data (or Data Classification)
Data Classification Policy (Sample)
Public Data:
Public data is information that may or must be open to the general public. It is defined as information with no existing local, national, or international legal restrictions on access or usage. Public data, while subject to FRSecure Sample disclosure rules, is available to all FRSecure Sample employees and all individuals or entities external to the corporation.
Examples of Public Data include publicly posted press releases, publicly available marketing materials, and publicly posted job announcements. Disclosure of public data must not violate any pre-existing, signed non-disclosure or confidentiality agreements.
22. CISSP Mentor Program Session #3
Classifying Data (or Data Classification)
Data Classification Policy (Sample)
Minimum Protection Requirements for Public Data
There are no specific protection requirements for Public Data.
Minimum Labeling Requirements for Public Data
If possible, all Public Data should be marked, regardless of the form it takes. Public Data will be marked using the word “Public” in bold, italicized, black font (i.e. Public). The marking should be placed in the right corner of the document header or footer.
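The sample policy's minimum protection requirements, expressed as a policy-as-code check. This is an added example, not part of FRSecure's sample policy or the slides: each handling event is evaluated against the rules for its classification, and unlabelled data falls back to the policy's Internal default. The `Handling` field names and the action/location strings are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example: the sample Data Classification Policy's minimum protection
# requirements expressed as checks. Field and action names are assumptions.
DEFAULT_CLASSIFICATION = "Internal"          # policy: default if none is defined
APPROVED_DISPOSAL = {"shred", "overwrite", "degauss", "physical_destruction"}


@dataclass
class Handling:
    """One handling event for a piece of data (constructed input shape)."""
    classification: Optional[str]     # "Confidential", "Internal", "Public" or None
    action: str                       # "store", "transfer", "fax", "post_public", "access", "dispose"
    location: str = "office"          # "office", "mobile", "external", "public_web"
    encrypted: bool = False
    nda_in_place: bool = False
    fax_destination_verified: bool = False
    disposal_method: str = ""         # e.g. "shred", "overwrite", "delete", "format"


def effective_classification(label: Optional[str]) -> str:
    """Unlabelled data falls back to the policy's default classification."""
    if label is None:
        return DEFAULT_CLASSIFICATION
    if label not in ("Confidential", "Internal", "Public"):
        raise ValueError(f"unknown classification: {label}")
    return label


def check_handling(h: Handling) -> List[str]:
    """Return the policy violations for one event; an empty list means compliant."""
    cls = effective_classification(h.classification)
    violations: List[str] = []
    if cls == "Public":
        return violations                 # no specific protection requirements
    if h.action == "post_public":
        violations.append(f"{cls} data must not be posted on a public website")
    if h.action == "dispose" and h.disposal_method not in APPROVED_DISPOSAL:
        violations.append("deleting files or formatting media is not acceptable destruction")
    if cls == "Confidential":
        if h.action == "store" and h.location == "mobile" and not h.encrypted:
            violations.append("Confidential data on mobile devices/media must be encrypted")
        if h.action == "transfer" and h.location == "external" and not h.encrypted:
            violations.append("Confidential data sent outside the company needs strong encryption")
        if h.action == "fax" and not h.fax_destination_verified:
            violations.append("fax only to a previously established or verified destination")
    if cls == "Internal" and not h.nda_in_place:
        violations.append("Internal data requires an NDA/confidentiality agreement before access")
    return violations
```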
23. CISSP Mentor Program Session #3
Classifying Data (or Data Classification)
Ownership
• Business Owners
• Data Owners
• System Owners
• Owner responsibilities must be documented and owners must be trained
• Segregation of duties
24. CISSP Mentor Program Session #3
Memory and Remanence
• Data Remanence
• Memory
• Cache Memory; fast and close to CPU
• Register file (contains multiple registers); registers are small storage locations used by the CPU to store instructions and small amounts of data
• Level 1 cache; located on the CPU
• Level 2 cache; connected to (but not on) the CPU
• SRAM (Static Random Access Memory)
25. CISSP Mentor Program Session #3
Memory and Remanence
Memory
• RAM (Random Access Memory)
• Volatile
• Modules installed in slots on motherboard (traditionally)
• DRAM (Dynamic Random Access Memory)
• Slower and cheaper
• Small capacitors to store bits (data)
• Capacitors leak charge and must be continually refreshed
• SRAM (Static Random Access Memory)
• Fast and expensive
• Latches called “flip-flops” to store bits (data)
• Does not require refreshing
26. CISSP Mentor Program Session #3
Memory and Remanence
Memory
• ROM (Read Only Memory)
• Can be used to store firmware; small programs that don’t change much and configurations
• PROM (Programmable Read Only Memory) – written to once; usually by the manufacturer
• EPROM (Erasable Programmable Read Only Memory) – can be “flashed”; usually with ultraviolet light
• EEPROM (Electrically Erasable Programmable Read Only Memory) – can be “flashed”; electrically
• PLD (Programmable Logic Device) – field-programmable device; EPROMs, EEPROMs, and Flash Memory are all PLDs
• Flash Memory
• Can be a security nightmare
• Specific type of EEPROM
• Written in larger sectors (or chunks) than other EEPROMs
• Faster than other EEPROMs, but slower than magnetic drives
27. CISSP Mentor Program Session #3
Memory and Remanence
Memory
• Solid State Drives (SSDs)
• Combination of EEPROM and DRAM
• Sanitization can be a challenge
• Garbage collection – working in the background, garbage collection systematically identifies which memory cells contain unneeded data and clears the blocks of unneeded data during off-peak times to maintain optimal write speeds during normal operations.
• TRIM command – (known as TRIM in the ATA command set, and UNMAP in the SCSI command set) allows the operating system to inform a solid-state drive (SSD) which blocks of data are no longer considered in use and can be wiped internally.
• ATA Secure Erase can be used to remove data securely
28. CISSP Mentor Program Session #3
Data Destruction
◦ Deleting data and/or formatting a hard drive is not a viable/secure method for destroying sensitive information.
◦ Deleting a file only removes the entry from the File Allocation Table (FAT) and marks the block as “unallocated”. The data is still there and is often retrievable.
◦ Reformatting only replaces the old FAT with a new FAT. The data is still there and is often retrievable.
◦ Data that is left over is called remnant data, or “data remanence”.
29. CISSP Mentor Program Session #3
Data Destruction
◦ Data that is left over is called remnant data, or “data remanence”.
◦ Hundreds of data recovery tools are available; one good resource to check out is ForensicsWiki.org (http://www.forensicswiki.org/wiki/Tools:Data_Recovery)
30. CISSP Mentor Program Session #3
Data Destruction
Overwriting
◦ Also called shredding or wiping
◦ Overwrites the data and removes the FAT entry
◦ Secure overwriting/wiping overwrites each sector of a hard drive (or media).
31. CISSP Mentor Program Session #3
Data Destruction
Overwriting
◦ One pass is enough (as long as each sector is overwritten).
◦ Tools include Darik's Boot And Nuke (DBAN), CBL Data Shredder, HDDErase, KillDisk and others.
◦ Windows built-in cipher command.
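Slides 28 through 31 make one point: delete and reformat only touch the allocation table, while overwriting touches the sectors. The toy disk below is an added example (not from the deck or any of the tools named above) with a FAT-style table over fixed-size sectors; it shows remnant data being carved back out after a delete and a quick format, and shows that a per-file overwrite or a one-pass wipe of every sector leaves nothing. The sector size, file names and the "payroll" record are constructed for the example.

```python
# Added example (not from the deck): toy disk with a FAT-style table over fixed sectors.
SECTOR_SIZE = 16   # bytes per sector (toy value)
NUM_SECTORS = 8    # 128-byte "disk"

class ToyDisk:
    def __init__(self):
        self.sectors = [bytearray(SECTOR_SIZE) for _ in range(NUM_SECTORS)]
        self.fat = {}                      # file name -> list of sector indexes

    def _free_sectors(self):
        used = {i for chain in self.fat.values() for i in chain}
        return [i for i in range(NUM_SECTORS) if i not in used]

    def write_file(self, name, data):
        chunks = [data[i:i + SECTOR_SIZE] for i in range(0, len(data), SECTOR_SIZE)]
        free = self._free_sectors()
        assert len(chunks) <= len(free), "disk full"   # toy: no fragmentation handling
        for idx, chunk in zip(free, chunks):
            self.sectors[idx][:] = chunk.ljust(SECTOR_SIZE, b"\x00")
        self.fat[name] = free[:len(chunks)]

    def read_file(self, name):
        return b"".join(bytes(self.sectors[i]) for i in self.fat[name]).rstrip(b"\x00")

    def delete_file(self, name):
        del self.fat[name]                 # table entry gone; sector bytes untouched

    def quick_format(self):
        self.fat = {}                      # new empty table; sector bytes untouched

    def shred_file(self, name):
        for i in self.fat[name]:           # overwrite the file's own sectors ...
            self.sectors[i][:] = bytes(SECTOR_SIZE)
        del self.fat[name]                 # ... then remove the table entry

    def secure_wipe(self):
        for sector in self.sectors:        # one pass over every sector on the media
            sector[:] = bytes(SECTOR_SIZE)
        self.fat = {}

    def recover_remnants(self):
        # What a carving tool does: read unallocated sectors, keep the non-blank bytes.
        return b"".join(bytes(self.sectors[i]).rstrip(b"\x00") for i in self._free_sectors())

def demo():
    disk = ToyDisk()
    secret = b"SSN 000-00-0000 payroll record"        # constructed sample value
    disk.write_file("payroll.txt", secret)
    disk.write_file("readme.txt", b"public notice")
    disk.shred_file("payroll.txt")                    # targeted overwrite; readme intact
    after_shred = (disk.recover_remnants(), disk.read_file("readme.txt"))
    disk.write_file("payroll.txt", secret)
    disk.delete_file("payroll.txt")
    after_delete = disk.recover_remnants()            # the record is carved back out
    disk.quick_format()
    after_format = disk.recover_remnants()            # both files now recoverable
    disk.secure_wipe()
    after_wipe = disk.recover_remnants()              # nothing left
    return {"shred": after_shred, "delete": after_delete, "format": after_format, "wipe": after_wipe}
```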
32. CISSP Mentor Program Session #3
Data Destruction
Degaussing
◦ Destroys the integrity of magnetic media using a strong magnetic field
◦ Most often destroys the media itself, not just the data
33. CISSP Mentor Program Session #3
Data Destruction
Destruction (Physical)
◦ The most secure method of destroying data.
◦ Physical destruction of the media.
◦ Incineration, pulverization, shredding, and acid.
◦ A hammer to the spindle works, and so does a rifle.
◦ Pretty cheap nowadays. Look for a National Association of Information Destruction (NAID) certified vendor and get a certificate of destruction.
◦ Onsite vs. offsite
34. CISSP Mentor Program Session #3
Data Destruction
Shredding
◦ Most people think of paper.
◦ Strip-cut vs. cross-cut
◦ A determined attacker can (maybe) defeat it
◦ Easy to audit
◦ Many breaches attributed to poor document disposal
◦ Dumpster diving
35. CISSP Mentor Program Session #3
Determining Data Security Controls
Certification and Accreditation
• Two related but entirely different terms.
• Certification is the validation that certain (owner-specified) security requirements have been met.
• Accreditation is a formal acceptance of the certification by the owner.
• In an ideal world, certification and accreditation would be required before production deployment.
36. CISSP Mentor Program Session #3
Determining Data Security Controls
Standards and Control Frameworks
PCI-DSS
• Payment Card Industry Data Security Standard
• Maintained by Payment Card Industry Security Standards Council (PCI-SSC)
• Comprehensive security standard originally sanctioned/developed by the major card brands (VISA, MasterCard, Discover, etc.)
• Applies to payment card (credit and debit) security
• QSAs, ASVs, CDE, etc.
37. CISSP Mentor Program Session #3
Determining Data Security Controls
Standards and Control Frameworks
PCI-DSS
• PCI-DSS only applies to the Cardholder Data Environment (CDE), so scope is really important
• Core principles of the PCI-DSS include:
• Build and Maintain a Secure Network and Systems
• Protect Cardholder Data
• Maintain a Vulnerability Management Program
• Implement Strong Access Control Measures
• Regularly Monitor and Test Networks
• Maintain an Information Security Policy
• Version 3.2 just released, see https://www.pcisecuritystandards.org/security_standards/index.php
• Major breaches include Target, Home Depot, Heartland Systems, Dairy Queen, etc.
38. CISSP Mentor Program Session #3
Determining Data Security Controls
Standards and Control Frameworks
OCTAVE®
• Operationally Critical Threat, Asset, and Vulnerability Evaluation (SM)
• Risk management framework developed by Carnegie Mellon University (see: http://www.cert.org/resilience/products-services/octave/)
• Three-phase process for managing risk (the latest version actually has four, but for the test three is good):
• Phase 1 – staff knowledge, assets and threats
• Phase 2 – identify vulnerabilities and evaluate safeguards (or controls)
• Phase 3 – risk analysis and risk mitigation strategy
39. CISSP Mentor Program Session #3
Determining Data Security Controls
Standards and Control Frameworks
ISO 17799 and 27000 Series
• Broad and flexible information security standards maintained by the International Organization for Standardization (ISO) – based in Geneva
• Derived from the British Standard (BS) 7799 Part 1, renamed to ISO/IEC 27001 to align with the 27000 series of standards.
• There are more than 30 ISO/IEC 27000 standards, the main ones being:
• ISO 27001 (Information technology - Security Techniques)
• ISO 27002 (Code of practice for information security management)
• ISO 27005 (Information security risk management)
• ISO 27799 (Information security management in health using ISO/IEC 27002)
40. CISSP Mentor Program Session #3
Determining Data Security Controls
Standards and Control Frameworks
ISO 17799 and 27000 Series
• ISO 27002:2005 is mentioned in the book as the latest; however, ISO 27002:2013 is actually the latest
• Copyrighted and licensed standard
• See: http://www.iso.org/iso/home/standards/management-standards/iso27001.htm
41. CISSP Mentor Program Session #3
Determining Data Security Controls
Standards and Control Frameworks
COBIT
• Control Objectives for Information and related Technology, current version is v5
• Developed and maintained by the Information Systems Audit and Control Association (ISACA; www.isaca.org)
• 34 Information Technology Processes across four domains
• Four domains:
• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate
42. CISSP Mentor Program Session #3
Determining Data Security Controls
Standards and Control Frameworks
ITIL
• Information Technology Infrastructure Library
• Best practices in IT Service Management (ITSM)
• See: www.itil-officialsite.com
• Five “Service Management Practices – Core Guidance” publications:
• Service Strategy
• Service Design
• Service Transition
• Service Operation
• Continual Service Improvement
43. CISSP Mentor Program Session #3
Determining Data Security Controls
Standards and Control Frameworks
NIST CSF
• National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
• Probably not testable, but certainly applicable
• Result of Executive Order (EO) 13686, Improving Critical Infrastructure Cybersecurity
• Gaining in popularity. See: http://www.nist.gov/cyberframework/
• Core, Implementation Tiers, and Framework Profile
• Core is comprised of five Functions (Identify, Protect, Detect, Respond, and Recover), Categories, and Subcategories
• Major frameworks and standards are represented
• Voluntary
44. CISSP Mentor Program Session #3
Determining Data Security Controls
Standards and Control Frameworks
NIST SP 800-53
• Not mentioned in the book yet, but this is a big deal for FISMA and government systems.
• Usually goes hand-in-hand with FIPS 199, FIPS 200, and NIST SP 800-60
• Just mentioning now, more later
45. CISSP Mentor Program Session #3
Determining Data Security Controls
Standards and Control Frameworks
Scoping and Tailoring
• Not really standard terminology
• Scoping – which portions of the standard will be employed
• Tailoring – customization of the standard to fit the organization
46. CISSP Mentor Program Session #3
Determining Data Security Controls
Protecting Data in Motion & Data at Rest
Encryption and Physical Security
• Rule of thumb… If I cannot be assured of physical security, I should consider encryption.
• Data in transit – if I cannot be assured of physical security (routers, switches, firewalls, transmission media, etc.), I should consider encryption
• Data at rest – if I cannot be assured of physical security (flash drives, laptops, poorly secured datacenters, insecure office spaces, backup tapes, etc.), I should consider encryption
• Encryption is your friend!
47. CISSP Mentor Program Session #3
Introduction to Domain 3: Security Engineering (Engineering and Management of Security)
Theoretical & Conceptual
• Security Models
• Evaluation Methods, Certification and Accreditation
• Secure System Design Concepts
• Secure Hardware Architecture
• Secure Operating System and Software Architecture
• Virtualization and Distributed Computing
• System Vulnerabilities, Threats, and Countermeasures
48. CISSP Mentor Program Session #3
Introduction to Domain 3: Security Engineering (Engineering and Management of Security) (cont.)
Encryption
• Cornerstone Cryptographic Concepts
• History of Cryptography
• Types of Cryptography
• Cryptographic Attacks
• Implementing Cryptography
Physical Security
• Perimeter Defenses
• Site Selection, Design, and Configuration
• System Defenses
• Environmental Controls
49. Questions?
We made it through Class #3!
Quiz Forthcoming
Homework for Thursday (5/5)
◦ Start reading Chapter 4/Domain 3: Security Engineering (Engineering and Management of Security) – We will cover everything up to encryption (Cornerstone Cryptographic Concepts on page 147)
◦ Complete the quiz, starting on page 98 for now. I will try to create another supplemental quiz too. Can I trust you to not look at the answers on page 100 yet?
◦ Come with questions!
Have a great evening, talk to you Thursday!