How does security compliance translate into the SharePoint world? The presentation outlines security basics, specific compliance requirements, and real-time application of that compliance to SharePoint.
Learning about Security and Compliance in Office 365 (by Aptera Inc)
This document discusses security and compliance capabilities in Office 365. It begins with an overview of common compliance regulations businesses face regarding transparency, privacy, and legal issues. It then outlines how Office 365 can meet requirements of regulations in healthcare, high-tech, and finance. Specific Office 365 security features are presented such as multi-factor authentication and encryption of email and files. The presentation concludes with a recommended action plan for organizations to evaluate their compliance needs and Office 365's capabilities to address them.
Security as an Enabler for the Digital World - CISO Perspective (by Apigee | Google Cloud)
A successful API strategy requires a strong partnership between the business, IT, and security functions. Rather than being seen as a hindrance, security is increasingly viewed as a business enabler, with CISOs and CSOs playing a critical role in implementing “guardrails” for safe, secure and compliant API services and security architectures free of unnecessary complexity.
Ultimately, a secure API platform enables developers and DevOps to focus on innovation—by improving the mobile user experience and deploying apps in the cloud, with appropriate security controls built-in. In this webcast, Apigee’s Subra Kumaraswamy and Saba Software CSO Randy Barr will explore how CISOs and CSOs partner with IT and business leaders for a safe and secure journey to cloud, SaaS, and mobile services.
Join to learn about:
- The role of the security officer in helping IT and business meet objectives
- How smart and secure API guardrails remove friction in consuming APIs while protecting sensitive data exposed via APIs
- Best practices that work for an API-centric enterprise
Download podcast: http://bit.ly/1B6h3TR
AWS Enterprise Summit London 2013 - Stephen Schmidt - AWS (by Amazon Web Services)
1) AWS provides universal cloud security capabilities that are the same for all customers and can be customized for specific business needs.
2) AWS allows customers to have full visibility of their entire cloud infrastructure through monitoring tools.
3) AWS undergoes regular third-party audits to ensure security controls and compliance standards are being met, and makes audit reports and certifications transparent.
apidays LIVE New York 2021 - OWASP cautions against “insufficient logging & m... (by apidays)
This document discusses strategies for addressing the OWASP top 10 security risk of insufficient logging and monitoring of APIs. It begins with an overview of OWASP A10 and challenges related to monitoring APIs, as attackers rely on a lack of monitoring. It then provides recommendations for logging from OWASP, which can be complex and costly to implement. The document outlines challenges to logging APIs and proposes best practices like combining logging with DevSecOps culture and using purpose-built API logging tools. It argues that API monitoring is key to security, continuous improvement, and resisting attacks on APIs as they increase in usage.
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me... (by Ruby Meditation)
Talk by Dmytro Shapovalov, Infrastructure Engineer at Cossack Labs, at Ruby Meditation #25, Kyiv, 08.12.2018
Next conference - http://www.rubymeditation.com/
Making secure applications is not easy, especially when encryption tools are difficult and incomprehensible. We will talk about typical data security problems in web apps and how to implement encryption properly. We will review cryptographic approaches and exact tools that ensure that no sensitive data leaks from the application or database.
Announcements and conference materials https://www.fb.me/RubyMeditation
News https://twitter.com/RubyMeditation
Photos https://www.instagram.com/RubyMeditation
The stream of Ruby conferences (not just ours) https://t.me/RubyMeditation
Salesforce Security with Visibility, Control & Data Protection (by CipherCloud)
Privacy regulations and corporate data governance issues continue to block many enterprises from realizing the full business benefits of Salesforce. CipherCloud helps remove these barriers by providing tools to detect compliance violations, provide strong protection for sensitive data, and monitor your Salesforce user activity for anomalous behavior. With CipherCloud for Salesforce you can:
- Discover what your users are doing in the cloud and prevent data loss with detailed and precise visibility over all activity in Salesforce.
- Protect your cloud data with strong encryption (FIPS 140-2 validated), tokenization, and malware protection to ensure that no unauthorized users can access sensitive information.
- Monitor cloud usage with complete visibility over user activity and alerting on user behavior anomalies.
Security: sowing trust in the cloud (by Nextel S.A.)
Presentation by Oscar Lopez of Nextel S.A. during Nextel S.A.'s XV Jornada de Seguridad TI (15th IT Security Day) at the Alhóndiga in Bilbao on Thursday, 27 June 2013.
apidays LIVE New York 2021 - Securing access to high performing API in a regu... (by apidays)
apidays LIVE New York 2021 - API-driven Regulations for Finance, Insurance, and Healthcare
July 28 & 29, 2021
Securing access to high performing API in a regulated environment
Subhabrata Chatterjee, Architect and Chapter Lead - Cloud at Danske IT Services
API World 2019 Presentation on Securing sensitive data through APIs and AI pa... (by dsapps)
The document discusses introducing a new data security model using APIs and AI pattern recognition. It notes that data breaches cost enterprises millions of dollars and new regulations like GDPR and CCPA have increased data security urgency. The proposed model uses minimal human touch, APIs to access data, and AI to learn, detect, and flag abnormalities in data access patterns to better secure sensitive enterprise data.
The document discusses an OWASP meetup on application security topics. It summarizes key areas like the top 10 security risks, cyber laws in India and internationally, governing bodies in India, and how application security maps to compliance standards like HIPAA and PCI DSS. It also provides an overview of Rapid7 solutions that can help test and remediate vulnerabilities related to firewalls, passwords, encryption, and application security best practices.
My session on (advanced) data governance in #Office365 for #ExpertsLiveNL. Learn all about labels, automatic labeling and more. See also the other presentations :-)
A Pragmatic Approach to Network Security Across Your Hybrid Cloud Environment (by AlgoSec)
How we think about and architect network security has stayed fairly constant for quite some time.
Until we moved to the cloud.
Things may look the same on the surface, but dig a little deeper and you quickly realize that network security for cloud computing and hybrid networks requires a different mindset, different tools, and a new approach. Hybrid networks complicate management, both in your data center and in the cloud. Each side uses a different basic configuration and security controls, so the challenge is to maintain consistency across both, even though the tools you use – such as your nifty next generation firewall – might not work the same (if at all) in both environments.
Presented by AlgoSec and Rich Mogull, Analyst and CEO at Securosis, this webinar explains how cloud network security is different, and how to pragmatically manage it for both pure cloud and hybrid cloud networks. We will start with some background material and Cloud Networking 101, then move into cloud network security controls, and specific recommendations on how to use and manage them in a hybrid environment.
Digital Consent: Taking UMA from Concept to Reality (by ForgeRock)
This document discusses digital consent and the User-Managed Access (UMA) standard. It argues that current "post-compliance" consent tools like OAuth are limited and that customers need "Consent 2.0" solutions that provide context, control, choice and respect regarding personal data sharing. The UMA standard uses federated authorization on top of OAuth to enable party-to-party sharing driven by policy rather than requiring direct user involvement. The document demonstrates how UMA works in action and notes that ForgeRock will deliver two key OpenUMA components by the end of 2015 to help realize Consent 2.0.
Now that your data is in the Cloud, you need to make sure you secure it. Office 365 covers encryption, redundancy & other important items, but your users are still your biggest risk! Learn the basics to help determine who can share documents, how to receive notifications about specific messages that leave your firm, & more!
Azure Information Protection - Taking a Team Approach (by Joanne Klein)
This document summarizes the key steps for taking a team approach to adopting Azure Information Protection in an organization:
1. Planning involves defining labels, protection controls, and pilot users.
2. Configuration includes setting up classification, labeling, and protection policies.
3. Adoption requires training users through materials like labeling wizards and an AIP bot.
4. Demos showcase how AIP provides persistent protection of files across apps like Word, SharePoint, and mobile devices.
This document summarizes a presentation on microservices security. It begins with the speaker's qualifications and experience in software architecture. It then defines microservices as small, autonomous services that work together. Key benefits of microservices include technology heterogeneity, resilience, scaling, ease of deployment, and organizational alignment. Common design patterns are proxy, chained, and asynchronous messaging. The presentation discusses security approaches for microservices including HTTPS, SAML, OAuth, and API keys. It provides an example use case and discusses microservices principles and deployment considerations.
Office 365 Security: How to Safeguard Your Data (by Bitglass)
Greg Schaffer, CISO at FirstBank and Rich Campagna, VP of Products at Bitglass, provide practical cloud security advice that you can apply immediately in your organization.
Focusing on O365 but offering a broad view, Greg and Rich will cover top concerns, mitigating controls and give examples of how your peers have responded to the cloud security challenge.
(SACON) Suhas Desai - The Power of APIs – API Economy Trends & Market Drivers... (by Priyanka Aash)
The session will focus on delivering the key trends in APIs and API Management Platform technologies and how they are driving the API economy. We will also discuss the key drivers for digital transformation initiatives, which include wide acceptance of APIs in Industry 4.0, Connected Devices, Cloud and the Payments industry. Next, we will talk about the top 10 security risks in APIs, API Management Platforms, API integrations with cloud platforms, and IoT/OT device integrations with third-party applications. Lastly, we will uncover the need for implementing an API security governance framework and how to measure the API security programme's success through this governance framework.
Key Data Privacy Roles Explained: Data Protection Officer, Information Securi... (by PECB)
This document provides an agenda and introduction for a presentation on separating and defining the roles of Chief Information Security Officer (CISO), Data Protection Officer (DPO), and Auditor.
It begins with introductions of the presenters and their relevant experience. It then discusses why role separation is important and challenges organizations may face in separating roles. It considers different CISO roles and hierarchy options and highlights recent issues in the news regarding CISOs, DPOs, and auditors.
The document outlines the basics of information security management (CISO role), data protection management and the DPO role under GDPR, and information security auditing. It discusses challenges for the DPO role under GDPR and considerations for
CipherCloud for Salesforce - Solution Overview (by CipherCloud)
The document summarizes CipherCloud's security solutions for Salesforce. It discusses how CipherCloud enhances Salesforce security by protecting sensitive data from leaks, extending data loss prevention to the cloud, preventing unauthorized access, and monitoring user activity. Key features include encryption, tokenization, malware detection, activity monitoring, and anomaly detection to secure data and detect threats. The document provides an overview of CipherCloud's capabilities and customer case studies.
This document discusses key considerations for achieving Restricted (IL3) accreditation for cloud services. It outlines that reviewing solutions against security standards, maintaining current ISO 27001 certification, addressing the OWASP Top Ten risks, and locking down configurations are important. It also recommends keeping support in the UK at Restricted levels, using secure protocols, and considering hosting in a pre-accredited environment. Common issues that can arise include ensuring adequate staff clearances, obtaining key material for approved products, having recent penetration tests, and single vulnerabilities allowing network connections.
Dos and Don’ts for Managing External Connectivity to/from Your Network (by AlgoSec)
In today’s global marketplace your organization needs network connectivity with external entities – suppliers, credit card processing companies, business partners, data feeds, etc. But are you really sure these connections are secure and compliant? Are you really sure they are not inadvertently creating holes in your network and exposing your organization to cyber criminals? The Target breach – and many others like it – should at least make you double-check your practices.
Presented by the renowned industry expert Professor Avishai Wool, this technical webinar will cover best practices for managing external connectivity lifecycle to and from your network, including:
• Defining the right infrastructure, network segmentation, security controls and additional security protections
• Managing changes to connectivity for third party applications or data feeds
• Routing partner traffic through your network
• Auditing and compliance challenges for both you and your partner
• Technical considerations for managing the business and ownership aspects of third party connectivity
CIO's Guide to Enterprise Cloud Adoption (by CipherCloud)
The document discusses trends in enterprises adopting cloud applications and the risks this poses. It outlines 9 steps for enterprises to manage cloud application usage and security, including discovering all cloud apps in use, assessing their risks, enabling secure apps, enforcing data loss prevention policies, monitoring user activity, understanding compliance needs, encrypting sensitive data, and preserving business functionality while applying security. The goal is for enterprises to understand cloud usage, gain visibility over data, and protect information across locations.
O365 security and privacy de_novo_event_july2014 (by Alexey Vlasenko)
Office 365 provides security best practices like penetration testing and defense-in-depth protections against cyber threats. It offers physical and data security with access controls, encryption, and authentication. The platform is also designed with privacy and compliance features, including tools to meet regulations and enable organizations to control data access and sharing according to their needs.
This webinar discusses how SharePoint administrators can ensure compliance with the General Data Protection Regulation (GDPR) using SPDocKit. The webinar agenda includes an introduction to GDPR and its core pillars, recommendations for how SharePoint can comply with GDPR, and specific action steps that can be taken using SPDocKit tools. These include tagging objects containing personal data, enforcing security rules and auditing settings, auditing permission changes, and using reports and permissions management to understand who has access to what data. A demo then shows SPDocKit features for these compliance tasks.
Zero Trust security is a new strategy for keeping enterprise data secure, rooted in the idea that you can no longer rely on the network perimeter to assess trust. Instead, people are the new perimeter, and identity is the core for maintaining a secure environment.
The Future of CASBs - A Cloud Security Force Awakens (by Bitglass)
By now you are likely familiar with Cloud Access Security Brokers (CASBs) and understand how they fit into your broader security and cloud strategy. What should organizations be looking for in a CASB? What capabilities are here or on the horizon that can provide improved data protection in the cloud?
Bitglass and (ISC)2 present the final episode of the CASB series, where we will examine where cloud security is headed, discussing agentless and agent-based solutions, the growing number of cloud apps in use and the importance of easy deployment. Learn why cross-app security will become increasingly valuable as organizations look to third-party solutions for deep visibility, behavior analytics, and more.
The must-have tools to address your HIPAA compliance challenge (by Compliancy Group)
A panel of experts from the companies chosen as the “5 Key tools to help your organization achieve HIPAA compliance”. In this webinar we will highlight ways for you and your organization to use tools to help make the task of HIPAA compliance easier and more effective.
Panelists:
Bob Grant, former HIPAA auditor and CCO of Compliancy Group LLC
Andy Nieto, Health IT Strategist at DataMotion
April Sage, Director of Healthcare IT at Online Tech
Asaf Cidon, CEO and co-founder of Sookasa
Daryl Glover, Executive VP of Strategic Initiatives at qliqSOFT
Regulatory compliance mandates have historically focused on IT & endpoint security as the primary means to protect data. However, as our digital economy has increasingly become software dependent, standards bodies have dutifully added requirements as they relate to development and deployment practices. Enterprise applications and cloud-based services constantly store and transmit data; yet, they are often difficult to understand and assess for compliance.
This webcast will present a practical approach towards mapping application security practices to common compliance frameworks. It will discuss how to define and enact a secure, repeatable software development lifecycle (SDLC) and highlight activities that can be leveraged across multiple compliance controls. Topics include:
* Consolidating security and compliance controls
* Creating application security standards for development and operations teams
* Identifying and remediating gaps between current practices and industry-accepted “best practices”
API World 2019 Presentation on Securing sensitive data through APIs and AI pa...dsapps
The document discusses introducing a new data security model using APIs and AI pattern recognition. It notes that data breaches cost enterprises millions of dollars and new regulations like GDPR and CCPA have increased data security urgency. The proposed model uses minimal human touch, APIs to access data, and AI to learn, detect, and flag abnormalities in data access patterns to better secure sensitive enterprise data.
The document discusses an OWASP meetup on application security topics. It summarizes key areas like the top 10 security risks, cyber laws in India and internationally, governing bodies in India, and how application security maps to compliance standards like HIPAA and PCI DSS. It also provides an overview of Rapid7 solutions that can help test and remediate vulnerabilities related to firewalls, passwords, encryption, and application security best practices.
My session on (advanced) data governance in #Office365 for #ExpertsLiveNL. Learn all about labels, automatic labeling and more. See also the other presentations :-)
A Pragmatic Approach to Network Security Across Your Hybrid Cloud EnvironmentAlgoSec
How we think about and architect network security has stayed fairly constant for quite some time.
Until we moved to the cloud.
Things may look the same on the surface, but dig a little deeper and you quickly realize that network security for cloud computing and hybrid networks requires a different mindset, different tools, and a new approach. Hybrid networks complicate management, both in your data center and in the cloud. Each side uses a different basic configuration and security controls, so the challenge is to maintain consistency across both, even though the tools you use – such as your nifty next generation firewall – might not work the same (if at all) in both environments.
Presented by AlgoSec and Rich Mogull, Analyst and CEO at Securosis, this webinar explains how cloud network security is different, and how to pragmatically manage it for both pure cloud and hybrid cloud networks. We will start with some background material and Cloud Networking 101, then move into cloud network security controls, and specific recommendations on how to use and manage them in a hybrid environment.
Digital Consent: Taking UMA from Concept to RealityForgeRock
This document discusses digital consent and the User-Managed Access (UMA) standard. It argues that current "post-compliance" consent tools like OAuth are limited and that customers need "Consent 2.0" solutions that provide context, control, choice and respect regarding personal data sharing. The UMA standard uses federated authorization on top of OAuth to enable party-to-party sharing driven by policy rather than requiring direct user involvement. The document demonstrates how UMA works in action and notes that ForgeRock will deliver two key OpenUMA components by the end of 2015 to help realize Consent 2.0.
Now that your data is in the Cloud, you need to make sure you secure it. Office 365 covers encryption, redundancy & other important items, but your users are still your biggest risk! Learn the basics to help determine who can share documents, how to receive notifications about specific messages that leave your firm, & more!
Azure Information Protection - Taking a Team ApproachJoanne Klein
This document summarizes the key steps for taking a team approach to adopting Azure Information Protection in an organization:
1. Planning involves defining labels, protection controls, and pilot users.
2. Configuration includes setting up classification, labeling, and protection policies.
3. Adoption requires training users through materials like labeling wizards and an AIP bot.
4. Demos showcase how AIP provides persistent protection of files across apps like Word, SharePoint, and mobile devices.
This document summarizes a presentation on microservices security. It begins with the speaker's qualifications and experience in software architecture. It then defines microservices as small, autonomous services that work together. Key benefits of microservices include technology heterogeneity, resilience, scaling, ease of deployment, and organizational alignment. Common design patterns are proxy, chained, and asynchronous messaging. The presentation discusses security approaches for microservices including HTTPS, SAML, OAuth, and API keys. It provides an example use case and discusses microservices principles and deployment considerations.
Office 365 Security: How to Safeguard Your DataBitglass
Greg Schaffer, CISO at FirstBank and Rich Campagna, VP of Products at Bitglass, provide practical cloud security advice that you can apply immediately in your organization.
Focusing on O365 but offering a broad view, Greg and Rich will cover top concerns, mitigating controls and give examples of how your peers have responded to the cloud security challenge.
(SACON) Suhas Desai - The Power of APIs – API Economy Trends & Market Drivers...Priyanka Aash
The session will focus on delivering the key trends in APIs, API Management Platform technologies and how it is driving the API economy. We will also discuss the key drivers for digital transformation initiatives which include wide acceptance of APIs in Industry 4.0, Connected Devices, Cloud and Payments industry. Next, we will talk about the top 10 security risks in APIs, API Management Platforms, APIs integrations with cloud platforms, IoT/OT devices integrations with third-party applications. Lastly, we will uncover the need for implementing the API security governance framework and how to measure the API security programme’ s success through this governance framework.
Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...PECB
This document provides an agenda and introduction for a presentation on separating and defining the roles of Chief Information Security Officer (CISO), Data Protection Officer (DPO), and Auditor.
It begins with introductions of the presenters and their relevant experience. It then discusses why role separation is important and challenges organizations may face in separating roles. It considers different CISO roles and hierarchy options and highlights recent issues in the news regarding CISOs, DPOs, and auditors.
The document outlines the basics of information security management (CISO role), data protection management and the DPO role under GDPR, and information security auditing. It discusses challenges for the DPO role under GDPR and considerations for
CipherCloud for Salesforce - Solution OverviewCipherCloud
The document summarizes CipherCloud's security solutions for Salesforce. It discusses how CipherCloud enhances Salesforce security by protecting sensitive data from leaks, extending data loss prevention to the cloud, preventing unauthorized access, and monitoring user activity. Key features include encryption, tokenization, malware detection, activity monitoring, and anomaly detection to secure data and detect threats. The document provides an overview of CipherCloud's capabilities and customer case studies.
This document discusses key considerations for achieving Restricted (IL3) accreditation for cloud services. It outlines that reviewing solutions against security standards, maintaining current ISO 27001 certification, addressing the OWASP Top Ten risks, and locking down configurations are important. It also recommends keeping support in the UK at Restricted levels, using secure protocols, and considering hosting in a pre-accredited environment. Common issues that can arise include ensuring adequate staff clearances, obtaining key material for approved products, having recent penetration tests, and single vulnerabilities allowing network connections.
Dos and Don’ts for Managing External Connectivity to/from Your NetworkAlgoSec
In today’s global marketplace your organization needs network connectivity with external entities – suppliers, credit card processing companies, business partners, data feeds etc. But are you really sure these connections are secure and compliant? Are you really sure they are not inadvertently creating holes in your network and exposing your organization to cyber criminals? The Target breach – and many others like it – should at least make you double check your practices.
Presented by the renowned industry expert Professor Avishai Wool, this technical webinar will cover best practices for managing external connectivity lifecycle to and from your network, including:
• Defining the right infrastructure, network segmentation, security controls and additional security protections
• Managing changes to connectivity for third party applications or data feeds
• Routing partner traffic through your network
• Auditing and compliance challenges for both you and your partner
• Technical considerations for managing the business and ownership aspects of third party connectivity
CIO's Guide to Enterprise Cloud AdoptionCipherCloud
The document discusses trends in enterprises adopting cloud applications and the risks this poses. It outlines 9 steps for enterprises to manage cloud application usage and security, including discovering all cloud apps in use, assessing their risks, enabling secure apps, enforcing data loss prevention policies, monitoring user activity, understanding compliance needs, encrypting sensitive data, and preserving business functionality while applying security. The goal is for enterprises to understand cloud usage, gain visibility over data, and protect information across locations.
O365 security and privacy de_novo_event_july2014Alexey Vlasenko
Office 365 provides security best practices like penetration testing and defense-in-depth protections against cyber threats. It offers physical and data security with access controls, encryption, and authentication. The platform is also designed with privacy and compliance features, including tools to meet regulations and enable organizations to control data access and sharing according to their needs.
This webinar discusses how SharePoint administrators can ensure compliance with the General Data Protection Regulation (GDPR) using SPDocKit. The webinar agenda includes an introduction to GDPR and its core pillars, recommendations for how SharePoint can comply with GDPR, and specific action steps that can be taken using SPDocKit tools. These include tagging objects containing personal data, enforcing security rules and auditing settings, auditing permission changes, and using reports and permissions management to understand who has access to what data. A demo then shows SPDocKit features for these compliance tasks.
Zero Trust security is a new strategy for keeping enterprise data secure, rooted in the idea that you can no longer rely on the network perimeter to assess trust. Instead, people are the new perimeter, and identity is the core for maintaining a secure environment.
The Future of CASBs - A Cloud Security Force AwakensBitglass
By now you are likely familiar with Cloud Access Security Brokers (CASBs) and understand how they fit into your broader security and cloud strategy. What should organizations be looking for in a CASB? What capabilities are here or on the horizon that can provide improved data protection in the cloud?
Bitglass and (ISC)2 present the final episode of the CASB series, where we will examine where cloud security is headed, discussing agentless and agent-based solutions, the growing number of cloud apps in use and the importance of easy deployment. Learn why cross-app security will become increasingly valuable as organizations look to third-party solutions for deep visibility, behavior analytics, and more.
The must have tools to address your HIPAA compliance challengeCompliancy Group
A panel of experts from the companies that were chosen as “5 Key tools to help your organization achieve HIPAA compliance”. In this webinar we will highlight ways for you and your organization to use tools to help make the task of HIPAA compliance easier and more effective.
Panelists:
Bob Grant, former HIPAA auditor and CCO of Compliancy Group LLC
Andy Nieto, Health IT Strategist at DataMotion
April Sage, Director of Healthcare IT at Online Tech
Asaf Cidon, CEO and co-founder of Sookasa
Daryl Glover, Exec VP Strategic Initiatives of qliqSOFT
Regulatory compliance mandates have historically focused on IT & endpoint security as the primary means to protect data. However, as our digital economy has increasingly become software dependent, standards bodies have dutifully added requirements as they relate to development and deployment practices. Enterprise applications and cloud-based services constantly store and transmit data; yet, they are often difficult to understand and assess for compliance.
This webcast will present a practical approach towards mapping application security practices to common compliance frameworks. It will discuss how to define and enact a secure, repeatable software development lifecycle (SDLC) and highlight activities that can be leveraged across multiple compliance controls. Topics include:
* Consolidating security and compliance controls
* Creating application security standards for development and operations teams
* Identifying and remediating gaps between current practices and industry accepted "best practices”
Webinar - Compliance with the Microsoft Cloud- 2017-04-19TechSoup
Everyone throws around the word compliance but how do you actually achieve that? In this free, 60-minute webinar Sam Chenkin from Tech Impact discusses achievable goals for the nonprofit community to keep their data safe with the Microsoft Cloud. We explore account security like two-factor authentication, data security like encryption, and how to make sure only compliant devices can access your data.
The document discusses key concepts in information security including the security trinity of confidentiality, integrity, and availability. It outlines the four As of security - account management, authentication controls, authorization/access controls, and audit controls. The document then explains how various security controls protect confidentiality, integrity, and availability. It concludes with outlining a risk-driven security process of identifying assets, risks, impacts, and controls to defend assets within an organization's security budget and objectives.
Seattle Tech4Good meetup: Data Security and PrivacySabra Goldick
12/7/2016 - It's difficult to avoid news stories about hacks and misused databases. For our Q4 meetup, we will discuss what nonprofits can do to protect their systems and data. Each panelist will outline best practices for protecting your own data as well as constituent data.
PANELISTS
* Mary Gardner, Chief Information Security Officer at Seattle Children's Hospital.
* Ralph Johnson, Chief Information Security and Privacy Officer, King County
* Peter Kittas, Web and IT Consultant, Revelate LLC
Protect Sensitive Data on Your IBM i (Social Distance Your IBM i/AS400)Precisely
The document discusses protecting sensitive data on IBM i systems. It provides an agenda for a webcast covering key concepts for protecting IBM i data privacy including encryption, tokenization, and secure file transfer. It will also introduce the Assure Security solution from Precisely for IBM i compliance and security. The webcast includes segments on protecting data privacy, demonstrating Assure Security, and a question and answer period.
What Does a Full Featured Security Strategy Look Like?Precisely
In today’s IT world, the threats from bad actors are increasing and the negative impacts of a data breach continue to rise. Responsible enterprises have an obligation to handle the personal data of their customers with care and protect their company’s information with all the tools at their disposal.
For IBM i customers, this includes system settings, company-wide security protocols and the strategic use of additional third-party solutions. These solutions should include things like multi-factor authentication (MFA), auditing and SIEM features, access control, authority elevation, and more. In this presentation, we will help you understand how all these elements can work together to create an effective, comprehensive IBM i security environment.
Watch this on-demand webinar to learn about:
• taking a holistic approach to IBM i Security
• what to look for when you consider adding a security product to your IBM i IT infrastructure.
• the components to consider for a comprehensive, effective security strategy
• how Precisely can help
Office 365 : Data leakage control, privacy, compliance and regulations in the...Edge Pereira
The document discusses various topics related to governance, risk management, and compliance (GRC) tools in Microsoft Office 365. It begins with an agenda that includes data loss prevention, eDiscovery, auditing, document fingerprinting, and encrypted emails. It then provides background on why organizations invest in GRC and the types of records commonly exposed in data breaches. The document goes on to explain key GRC capabilities in Office 365 like data loss prevention, eDiscovery tools, auditing features in SharePoint, and options for encrypting emails. It emphasizes the importance of controls and policies for customers to maintain compliance. Overall, the document provides an overview of GRC solutions in Office 365 and how customers can leverage built-in tools and
The document discusses system integration and single sign-on benefits. It provides an overview of topics like single sign-on using SAML 2.0, the data integration process, and the single sign-on integration process. It outlines the steps in a SAML 2.0 single sign-on workflow. The document also discusses recent updates to Comply365 like implementing a unified agent, parallel processing to speed up refresh times, and developing an API. It encourages questions from attendees.
Its Not You Its Me MSSP Couples CounselingAtif Ghauri
This document summarizes a presentation given by an executive from a managed security services provider (MSSP) about engaging an MSSP for security services. It begins with a poll asking about current and past MSSP usage. The presentation then discusses why organizations use MSSPs, focusing on lack of internal skills, resources, and scale. It uses a case study of "Bob and Alice" to illustrate common struggles between MSSPs and clients around communication and expectations. The rest of the presentation outlines key areas for MSSPs to focus on, including technical capabilities, onboarding process, managing alerts and investigations, and defining service level agreements and contract terms.
How do we separate hype from useful information in Cyber Security? As Congress is debating a National privacy law, and several states have privacy and breach reporting laws, how will that impact our workload? Privacy starts with good cyber-hygiene. We will look at how we can leverage the focus on Privacy to address standards for:
Firewall and network Configs,
Cloud security
Protocols and ports that need attention
Authentication best practices
Server and network rights
Password rules
Understanding Zero Trust Security for IBM iPrecisely
As security threats continue to evolve and increase, companies need to also adapt their approach to IT security. One important concept that is gaining in popularity and adoption is zero trust security. The main concept behind the zero trust security model is "never trust, always verify,” which means that devices should not be trusted by default, even if they are connected to a permissioned network such as a corporate LAN and even if they were previously verified.
Zero Trust means moving beyond a perimeter security strategy. As companies offer customers and business partners new digital experiences and processes, networks can be local, in the cloud, or a combination or hybrid with resources anywhere as well as workers in any location. This dynamic is impacting IBM i customers and zero trust security is an important element of a modern security strategy.
Join us for this webcast to hear about:
• Understanding zero trust security concepts
• Zero trust security in the real world
• Zero trust security for IBM i environments
Security architecture best practices for saas applicationskanimozhin
This document discusses security best practices for Software as a Service (SaaS) applications. It recommends adopting a holistic governance framework to manage operational risks, using standards like COBIT 5. Key aspects covered include tenant data isolation, role-based access control, preventing common web attacks, and implementing robust security auditing of events, transactions, and user actions. The goal is to establish trust with customers by providing protection of information, access controls, data security, and audit capabilities.
Security Architecture Best Practices for SaaS ApplicationsTechcello
Gartner has predicted 18-20% growth in SaaS market, and expects it to hit US $22.1 billion by the year 2015. They have also measured that SaaS adoption rate has increased many fold in the last few years (almost 71% of enterprises use SaaS solutions).
Heureka Webinar – Security, the Growth Engine for eDiscovery ProfessionalsHeureka Software
Cybersecurity threats and data breaches cost companies millions of dollars in lost intellectual property, trade secrets and fines from mishandled privacy information.
Even worse, hackers increasingly see law firms as an easy target to acquire valuable data on clients.
And yet, many security folks still need the expertise gained from the legal/ediscovery world.
Heureka and special guest Donald A. Wochna, Esq. discuss the shift from eDiscovery to Security and back again!
Key Concepts for Protecting the Privacy of IBM i DataPrecisely
The continuous news of personal information stolen from major retailers and financial institutions has driven consumers and regulatory bodies to demand that more action be taken to ensure data protection and privacy. Regulations such as PCI DSS, HIPAA, GDPR, and FISMA require that personal data be protected against unauthorized access using technologies like encryption, tokenization, masking, secure file transfer and more.
With all the options available for securing IBM i data at rest and in motion, how do you know where to begin? View this webinar on-demand to get up to speed on the key concepts you need to know about assuring data privacy for your customers, business partners and employees. Topics include:
• Protecting data with encryption and the need for strong key management
• Use cases that are best for tokenization
• Options for permanently de-identifying data
• Securing data in motion across networks
Why do many managed services relationships fail? And fail again? Both organizations need to be aligned up front and hold hands during onboarding. This presentation covers the top five focus areas. Many MSSP relationships are doomed at the onboarding stage when an organization first becomes a customer. Given how critical these early stage activities are to your partnership, it's imperative to understand the top five areas of focus: technology deployment (the easy part, getting the tech running); the call tree (who do I wake up at 3 a.m.?); process sync (the fun part: mutual synchronization on who does what and when); access, access, access (you need access to do something); and the context of technology (the need to understand your shop).
What you’ll take away:
Understand proven success criteria for successful outsourcing of security operations
Learn how to align security technologies to security processes, and the key focus areas of security operations
Access to key checklists and charts to drive onboarding of managed services
An understanding of specific terms and conditions that need to be included in data-related contracts under applicable laws
Discover how other organizations have succeeded and failed in MSSP relations
In the ever-evolving, fast-paced Agile development world, application security has not scaled well. Incorporating application security and testing into the current development process is difficult, leading to incomplete tooling or unorthodox stoppages due to the required manual security assessments. Development teams are working with a backlog of stories—stories that are typically focused on features and functionality instead of security. Traditionally, security was viewed as a prevention of progress, but there are ways to incorporate security activities without hindering development. There are many types of security activities you can bake into your current development lifecycles—tooling, assessments, stories, scrums, iterative reviews, repo and bug tracking integrations—every organization has a unique solution and there are positives and negatives to each of them. In this slide deck, we go through the various solutions to help build security into the development process.
Secure Your Web Applications and Achieve Compliance Avi Networks
Security breaches are on the rise. According to the Verizon Data Breach Investigations Report 2018, web application attacks are the number one source of breaches, but web application security—especially as web applications are increasingly deployed outside of traditional on-premise environments—is lagging.
As a result, regulations and compliance needs are increasingly reinforcing the need for web application security. This webinar will focus on regulations such as GDPR, PCI DSS, and HIPAA and their impact on what you need to do for web security.
You will learn how advances in Web Application Firewalls and application insights can help you achieve your security and compliance goals.
Watch the full webinar: https://info.avinetworks.com/webinars-secure-web-applications-and-achieve-compliance
Similar to SharePointlandia 2013: SharePoint and Compliance (20)
Things to Consider When Choosing a Website Developer for your Website | FODUUFODUU
Choosing the right website developer is crucial for your business. This article covers essential factors to consider, including experience, portfolio, technical skills, communication, pricing, reputation & reviews, cost and budget considerations and post-launch support. Make an informed decision to ensure your website meets your business goals.
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing is discussed in the talk. ICT and testing must carry their part of the global responsibility to help with climate warming. We can minimize the carbon footprint, but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be extended with sustainability, and then measured continuously. Test environments can be used less, at a smaller scale and on demand. Test techniques can be used to optimize or minimize the number of tests. Test automation can be used to speed up testing.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxSitimaJohn
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU and licenses under the CCB and CCX models have been a hot topic for many in the HCL community since last year. As a Notes or Domino customer, you may be struggling with unexpectedly high user counts and license fees. You may be wondering how this new type of licensing works and what benefit it brings you. Above all, you surely want to stay within your budget and save costs wherever possible. We understand that, and we want to help you!
We explain how to resolve common configuration problems that can cause more users to be counted than necessary, and how to identify and remove superfluous or unused accounts to save money. There are also some approaches that can lead to unnecessary spending, for example using a person document instead of a mail-in database for shared mailboxes. We show you such cases and their solutions. And of course we explain the new license model.
Join this webinar, in which HCL Ambassador Marc Thomas and guest speaker Franz Walder introduce you to this new world. It gives you the tools and know-how to keep an overview. You will be able to reduce your costs through an optimized Domino configuration and keep them low in the future.
These topics will be covered:
- Reducing license costs by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how best to use it
- Tips for common problem areas, such as team mailboxes, functional/test users, etc.
- Practical examples and best practices to implement immediately
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices want to take full advantage of the features available on those devices, but many of those features provide convenience and capability while sacrificing security. This best practices guide outlines steps users can take to better protect personal devices and information.
OpenID AuthZEN Interop Read Out - AuthorizationDavid Brossard
During Identiverse 2024 and EIC 2024, members of the OpenID AuthZEN WG got together and demoed their authorization endpoints conforming to the AuthZEN API
Best 20 SEO Techniques To Improve Website Visibility In SERPPixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceIndexBug
Imagine a world where machines not only perform tasks but also learn, adapt, and make decisions. This is the promise of Artificial Intelligence (AI), a technology that's not just enhancing our lives but revolutionizing entire industries.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
What do a Lego brick and the XZ backdoor have in common?Speck&Tech
ABSTRACT: At first glance, a Lego brick and the XZ backdoor might have in common the fact that both are building blocks, or dependencies of creative and software projects. The reality is that a Lego brick and the XZ backdoor case have much more in common than that.
Join the presentation to immerse yourself in a story of interoperability, standards and open formats, and then discuss the important role that contributors play in a sustainable open source community.
BIO: Advocate of free software and of standard, open formats. She has been an active member of the Fedora and openSUSE projects and co-founded the LibreItalia association, where she was involved in several events, migrations and training related to LibreOffice. Previously she worked on LibreOffice migrations and training courses for several public administrations and private companies. Since January 2020 she has worked at SUSE as a Software Release Engineer for Uyuni and SUSE Manager, and when she is not pursuing her passion for computers and for Geeko she cultivates her curiosity for astronomy (from which her nickname deneb_alpha derives).
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
2. Agenda
Permissions
o About
o Security Redux
o Permissions
o Authentication
o Content/Access Control
o Compliance
o Alphabet Soup
o The road to Compliance
o Compliance Specifics
o Review
Security
Compliance
3. Matt Barrett
Senior Solutions Engineer - Axceler
- 6 years in security, 2 in SharePoint
- Worked on the Metasploit project
- Security Evangelist
- Compliance Expert
Twitter: @mrbarrett
LinkedIn: www.linkedin.com/mrb08
Obligatory Self Promotion
4. Axceler Overview
liberating collaboration in the social enterprise
through visibility and control
• Have been delivering award-winning administration and migration software since 1994
• 3000 Customers Globally
Dramatically improve SharePoint Management
• Innovative products that improve security and scalability
• Making IT more effective and efficient and lowering the total cost of ownership
Focus on solving specific SharePoint problems
• Coach enterprises on SharePoint best practices
• Give administrators the most innovative tools available
• Deliver “best of breed” offerings
5. Security Redux
Governance
How are you using SharePoint?
• Document Repo vs. Core Business
• Few select users or everybody?
What secure content do you have?
• Where is it?
Permissions
11. Security Redux
Security
Typical Best Practices vs. Compliance Best Practices
• Sites, Lists, Libraries share most permissions
• Sensitive data is separated from normal data (typically this is all you need)
Compliance
13. Compliance – Alphabet Soup
HIPAA
o Sarbanes-Oxley Act (SOX Compliance)
o Healthcare Services (HIPAA)
o GLBA
o California Senate Bill No. 1386
o NERC Cyber Security Standards
o Financial Services (GLBA)
o Visa Cardholder Information Security Program
o MasterCard Site Data Protection Program
o American Express Data Security Standard
SOX
PCI
14. Compliance Fact Sheet
HIPAA
SOX
PCI
• 45 states (including CA) have some form of data breach law
• All different, but all require protection of PII (Personally Identifiable Information)
15. What is PII?
HIPAA
SOX
PCI
• Full Name
• National ID number
• IP address (in some cases)
• License Plate Number
• Driver’s License Number
• Face, Fingerprints or Handwriting
• Credit Card Numbers!!
• Date of Birth
• Birthplace
• Genetic information
16. Where Does This Come From?
NIST
NIST (National Institute of Standards and Technology)
• Access Enforcement
• Separation of Duties
• Least Privilege
• Limiting Remote Access
• Protecting information at rest through the use of encryption
SP800-53
17. Breaches are Costly!
HIPAA
SOX
PCI
• Sony – 77 million credit numbers (April 2011), cost $171m to fix
• Fortune 50 leader in Aerospace – fined $75m for leaking helicopter part information
• Breaches cost on average $6m+*
* Source: Ponemon Institute
19. Step 1: Define Your (forced) Compliance Goals!
Security
Efficiency
Verify
• Security vs. Efficiency Paradox
• Trust but Verify
20. Step 1: Define Your Compliance Goals!
Benchmarks
Ripples
Compliant?
Understand your Benchmarks
• What current business processes could potentially be affected?
• Optimization “ripples”
• Efficiency theories
• Collaboration? Is it compliant?
21. Step 1: Define Your Compliance Goals!
Breaches
Are
Sad
Quickest is not always best
• Take your time
• Far cheaper in the long run
• Shortcuts lead to breaches
• Breaches lead to sad
26. Step 3: Assimilate
Test
Once You’re Sure...
• After Gap Analysis
• Dev to Staging
• Typically single-server
• Introduce Pilot Users (try to break it)
• Penetration Test
• Production
Verify
27. Step 4: Maintain
Server
SharePoint
Users
Compliance one day doesn’t guarantee compliance the next...
• Monitor
• Service Packs
• User Activity
• Confirmation of Permissions
• Monitor Regulations
• They Change!
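The “Confirmation of Permissions” step above, and the Security Redux point that sensitive data should sit behind its own permissions rather than inherited ones, both need an inventory of where inheritance is broken and who holds what there. The following PowerShell is an added example, not code from the presentation or from Axceler; it assumes the SharePoint Server Management Shell on a farm server, and the web application URL and CSV path are placeholders.

```powershell
# Added example, not from the presentation: inventory unique (non-inherited)
# permissions across one SharePoint Server web application so they can be
# reviewed on a schedule rather than assumed to be right.
# Assumes the Microsoft.SharePoint.PowerShell snap-in on a farm server;
# the URL and CSV path below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$WebAppUrl  = 'http://sharepoint.example.local'   # placeholder
$ReportPath = '.\UniquePermissions.csv'           # placeholder

# Flatten one securable object's role assignments into "principal:role,role".
function Get-AssignmentSummary($securable) {
    foreach ($ra in $securable.RoleAssignments) {
        $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ','
        '{0}:{1}' -f $ra.Member.Name, $roles
    }
}

$report = New-Object System.Collections.Generic.List[object]
$webApp = Get-SPWebApplication -Identity $WebAppUrl

foreach ($site in $webApp.Sites) {
    foreach ($web in $site.AllWebs) {
        # A web that breaks inheritance is a security boundary the compliance
        # owner should know about, whether or not it was intended.
        if ($web.HasUniqueRoleAssignments) {
            $report.Add([pscustomobject]@{
                Scope = 'Web'; Url = $web.Url
                Assignments = (Get-AssignmentSummary $web) -join ';'
            })
        }
        # Lists and libraries with their own permissions are where separated
        # "sensitive" content usually lives; record each one the same way.
        foreach ($list in $web.Lists) {
            if ($list.HasUniqueRoleAssignments) {
                $report.Add([pscustomobject]@{
                    Scope = 'List'
                    Url = $site.MakeFullUrl($list.RootFolder.ServerRelativeUrl)
                    Assignments = (Get-AssignmentSummary $list) -join ';'
                })
            }
        }
        $web.Dispose()
    }
    $site.Dispose()
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} securable objects with unique permissions written to {1}" -f $report.Count, $ReportPath)
```

Diff successive CSVs from a scheduled run to see permission changes between reviews, which is the “Monitor” item in practice.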
30. Compliance Specifics: HIPAA
Data must always be encrypted
• In transit, at rest
• SSL
Data must never be lost
• DR Plan
Data must only be accessible by authorized personnel
• Access Control/Authentication
• User Security
• Password Policies
• New Employee Procedures
31. Compliance Specifics: HIPAA
Data must never be tampered with or altered
• Audit controls/integrity
• Unauthorized modification prevention
Data should be encrypted if being stored/archived
• Transparent SQL DB encryption
Can be permanently disposed of when no longer needed
• Remember: Health records must be stored for 6 years
• Document retention policies
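Transparent Data Encryption is configured in SQL Server, outside SharePoint, so the “trust but verify” step is to ask each content database’s instance whether it is actually encrypted. The following PowerShell is an added example, not from the presentation or from Axceler; it assumes the SharePoint Management Shell and an account with VIEW SERVER STATE on each SQL Server instance.

```powershell
# Added example, not from the presentation: confirm that every SharePoint content
# database really has Transparent Data Encryption (TDE) on, i.e. that "encrypted
# if stored/archived" is met rather than assumed. Assumes the SharePoint Management
# Shell and an account with VIEW SERVER STATE on each SQL Server instance.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# sys.dm_database_encryption_keys only has rows for databases with a DEK;
# encryption_state 3 means database and log are fully encrypted.
$tdeQuery = @'
SELECT d.name,
       ISNULL(k.encryption_state, 0) AS encryption_state,
       k.key_algorithm, k.key_length
FROM sys.databases d
LEFT JOIN sys.dm_database_encryption_keys k ON d.database_id = k.database_id
WHERE d.name = @db
'@

function Test-ContentDatabaseTde {
    param([Parameter(Mandatory=$true)] $ContentDatabase)
    # NormalizedDataSource is the SQL instance SharePoint itself connects to.
    $server = $ContentDatabase.NormalizedDataSource
    $conn = New-Object System.Data.SqlClient.SqlConnection `
        "Server=$server;Database=master;Integrated Security=SSPI"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $tdeQuery
        [void]$cmd.Parameters.AddWithValue('@db', $ContentDatabase.Name)
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            $state = [int]$reader['encryption_state']
            $alg = 'none'
            if (-not ($reader['key_algorithm'] -is [DBNull])) {
                $alg = '{0}-{1}' -f $reader['key_algorithm'], $reader['key_length']
            }
            [pscustomobject]@{
                Database = $ContentDatabase.Name; Server = $server
                Encrypted = ($state -eq 3); State = $state; Algorithm = $alg
            }
        }
    } finally { $conn.Close() }
}

$results = Get-SPContentDatabase | ForEach-Object { Test-ContentDatabaseTde $_ }
$results | Format-Table -AutoSize
# Any content database not in state 3 is a finding for the HIPAA at-rest requirement.
$unencrypted = @($results | Where-Object { -not $_.Encrypted })
if ($unencrypted.Count -gt 0) { Write-Warning "$($unencrypted.Count) content database(s) without TDE" }
```

A database in state 2 or 4 is mid-way through an encryption or key change and should be rechecked rather than passed.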
32. Compliance Specifics: SOX
All data must be...
• Stored
• Retained
• Secured
• Audited
Proof of internal controls
• Plans
• Framework
Disclosure
33. Compliance Specifics: PCI
“If it touches something that stores or processes credit cards, it falls into the compliance”
• Pen Testing
• External environment scanning
• Gap Analysis (PCI DSS)
• Document management system