This was a presentation I gave at the Information Week RMAA Seminar 2008. It was on the increasing problems of trying to control access within organisations, focusing on sensitive and classified information.
This document provides an overview of key information technology security topics for executives, including cloud computing, cyber insurance, passwords, mobile security, and network security. It discusses the business reasons for protecting an organization's data, assesses data sensitivity levels, outlines considerations for using cloud services and drafting cloud contracts, reviews types of cyber insurance coverage, and recommends password, mobile device, and network security best practices. The goal is to help executives understand current IT security challenges and strategies.
This document discusses various technologies used for information security, including cloud access security brokers, adaptive access control, virtual private networks, endpoint detection and response solutions, intrusion detection and analysis systems, interactive application security testing, antivirus software, firewalls, audit data reduction, network mapping, password cracking, public key infrastructure, and vulnerability scanning systems. It defines information security as protecting information and systems from unauthorized access, use, disclosure, destruction, modification, or disruption. The conclusion states that information security is an ongoing process involving training, assessment, protection, monitoring, detection, incident response, documentation, and review.
This document summarizes threats to databases in e-commerce. It discusses risks to customers like stolen credentials, dishonest merchants, and inappropriate use of transaction details. Merchants also face risks like disputed charges and insufficient customer funds. The main issue is implementing a secure payment scheme. It then outlines security levels from human to physical. Database threats include privilege abuse, database rootkits, and weak authentication. Different authorization levels are needed for different users. The document concludes protection requires access control, inference control, flow control, and encryption.
20110428 ARMA Amarillo IT for Records Managers – Jesse Wilkins
This presentation at the ARMA Amarillo Spring Seminar described the technology knowledge base records managers should cultivate in order to remain relevant.
Security and Control Issues in Information System – Daryl Conson
This document discusses information systems security. It defines an information system as a set of components for collecting, storing, processing, and delivering information and knowledge. Information systems play an important role in modern society and infrastructures. To protect against potential losses, it is crucial for information systems to have security measures from the outset. Information system security aims to establish policies and controls to guarantee the authenticity, confidentiality, availability, and integrity of information assets. It discusses the importance of controls to provide security and quality assurance for information systems.
LTS Secure's PIM user activity monitoring provides flexible alert generation based on robust combinations of user profiles, key actions and client locations.
Because the biggest impact of a cyber breach is data loss, data protection should be architected into the DNA of your cyber security solution. This means focusing security efforts around data from the very beginning, from initial risk assessment, to control design, to implementation and auditing.
Most cyber security solutions protect infrastructure, assuming that data stored within containers will be protected. This white paper explains why this assumption is no longer valid and outlines an approach to designing a cyber security solution directly around data.
Compliance Officers, Risk Managers, Security Professionals, and IT Leaders will understand the goals and steps of data-centric solution design, as well as its potential benefits.
Audience – Sales and pre-sales audience selling to large enterprises and government.
Occasion – Annual channel partners of Thales – April 2010
Presenter – Tony Lock, Programme Director, Freeform Dynamics
Security And Ethical Challenges Of Information Technology – paramalways
This document discusses several security and ethical challenges of information technology. It identifies issues around employment, privacy, health, and more. It also describes different types of computer crimes like hacking, cyber theft, and software piracy. Additionally, it outlines security measures companies use like encryption, firewalls, email monitoring, and biometric controls to help manage security and privacy risks.
The document discusses security issues and solutions in web conferencing. It notes that the web conferencing market is growing rapidly but security is challenging to implement well. The key risks include unauthorized access, eavesdropping on communications, and data loss. Common solutions involve password protection, encryption, backups, and intrusion detection. However, real-time interactions pose unique challenges to implement security without degrading performance or user experience.
Controls are used to secure systems and reduce risks. They ensure policies are implemented and nonsensical data is not entered. A control system has objectives, performance standards, feedback, and a control center. It establishes standards, measures performance, compares actual to planned results, and takes corrective action. Features include early warnings, strategic focus, accurate and timely feedback, and information flow. Types of MIS controls are administrative, information system, procedural, physical facility, input, processing, output, storage, and software/hardware controls. MIS helps strategy with reports and data processing to save time.
Using Microsoft Dynamic Access Control to create Information Barriers for SEC... – NextLabs, Inc.
Microsoft Server 2012 Dynamic Access Control (DAC) is a new authorization model that gives companies the ability to define central access policies to control access to files based on the classification of the data and attributes of the user. DAC greatly simplifies the administration of file server security and makes it easier to comply with SEC regulations for information barriers and protection of sensitive client data.
Attendees of this webinar will learn more about Windows Server 2012 DAC and see how it can be applied to improve compliance with SEC regulations.
In this webinar, Microsoft and NextLabs will:
• Introduce you to DAC, a powerful new security feature in Windows Server 2012.
• Map DAC functionality to critical SEC requirements for classification, access control, information barriers and record keeping.
• Demonstrate a solution where DAC is used to automate SEC compliance controls across Windows Server 2012, Microsoft SharePoint and email.
This webinar will be helpful for customers who need to meet SEC requirements, or who are interested in creating information barriers between project teams. It is also helpful for both Compliance and IT professionals looking for tools to help them reduce IT administration cost, enable information sharing, and improve corporate compliance.
Requirements for Implementing Data-Centric ABAC – NextLabs, Inc.
Attribute Based Access Control (ABAC) has long been considered one of the few approaches to data-centric security that is robust enough to keep pace with today’s extended enterprise. However, organizations currently lack process and automation capabilities to supply critical inputs required for the ABAC approach.
This white paper explains how NextLabs Control Center leverages and manages identity and data attributes and dynamically evaluates information access events no matter where they occur. Security Professionals, IT Architects, and System Integrators will understand the requirements for implementing data-centric ABAC, as well as the benefits of NextLabs’ XACML-based approach.
This document discusses threats to databases in e-commerce. It introduces security issues in relational databases and mechanisms for enforcing multiple security levels. It discusses types of security threats like loss of integrity, availability, and confidentiality of data. Specific threats to e-commerce databases are unauthorized access and alteration of user data or product information. The document proposes countermeasures like access control, inference control, flow control, encryption, and backups to protect databases from these threats.
626 Information leakage and Data Loss Prevention Tools – Splitty
This document discusses information leakage and data loss prevention (DLP) tools. It begins by defining information leakage as any accidental or malicious access of unauthorized parties to non-public data. Examples of information leakage like data breaches at Sony and the NIH are provided. The document then discusses why executives should care about information leakage due to its high costs, and how DLP tools can help defend against it by managing, discovering, monitoring and protecting sensitive data across networks and devices. Lastly, it provides a checklist and best practices for implementing a successful DLP program.
The document discusses security issues related to cloud computing adoption in the financial services industry. It outlines two types of clouds - public clouds that offer scale and cost benefits but lack security controls, and private clouds that have better security but higher costs. The financial industry requires high data security and control due to regulations. Adopting cloud computing is challenging as financial institutions lose visibility and control over their data stored externally. The document urges financial firms to thoroughly understand security responsibilities and challenges before adopting cloud solutions.
CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
"Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53"
Learn more about the PACE-IT Online program: www.edcc.edu/pace-it
Intelligent ID is an Endpoint Monitoring and Protection software that helps secure organizations by monitoring endpoints for data loss, compliance issues, and inefficient resource use. It collects more data from more sources than competitors with a single lightweight agent. Intelligent ID provides a holistic view of all endpoint data sources, including behavioral analytics, to identify suspect activity. It consolidates existing tools, offers measurable ROI, and provides investigation and compliance tools to help various departments. Key features include monitoring data loss prevention, user identity and activity, infrastructure management, and applying custom rules.
Security management involves tools like encryption, firewalls, email monitoring and biometric systems to protect information assets from unauthorized access and ensure the accuracy, integrity and safety of information systems. Some key goals of security management are to minimize errors, fraud and destruction while ensuring quality assurance. Common tools include encryption to make information unreadable, firewalls as devices to protect networks based on rules, and email monitoring for privacy, authentication, integrity and audit capabilities. Disaster recovery plans are also important to address threats from events like fires, floods and human errors.
This document provides an overview of chapter 5 from the CISA review course, which focuses on protecting information assets. It discusses the importance of information security management and outlines key elements like policies, procedures, monitoring and compliance. It also covers logical access exposures and controls, including identification and authentication, authorization issues, and audit logging. The chapter examines network infrastructure security risks for LANs, client-server environments, wireless networks and the internet.
The document discusses information security and ISO 27001. It summarizes some common security incidents organizations face, such as password sharing or unsecured devices. It then introduces ISO 27001 as a framework that can help organizations establish an Information Security Management System to achieve security and assure stakeholders. ISO 27001 specifies requirements around topics like policies, asset management, access control, and incident response to maintain the confidentiality, integrity and availability of information.
Technology Threats to Your Business and What to Do About Them - presentation to small business owners about how to protect themselves and their businesses. Includes 10 Tips to Protect Your Data
Distributed system for access control to physical resources based on qualific... – Darshan Vithani
This document proposes a distributed system for access control to physical resources based on qualifications. The system would grant employees of a company access to certain machines according to their qualifications, which could be obtained through learning. It describes using programmable logic controllers and a web application to allow remote control and monitoring of industrial processes and equipment over the Internet. Further research is needed on security and testing the system with multiple machines and controllers. The advantage of integrating qualifications into the authorization process is that it could help with human resources processes.
The document provides an overview of information security concepts including confidentiality, integrity, availability, encryption, access control, classification labels, risk management, security policies, business continuity planning, operational security, intrusions and attacks, and cryptography. Key terms like encryption algorithms, internet key exchange, and types of intrusion detection systems are defined. A brief history of cryptography from ancient times to modern ciphers is also presented.
Identity & Access Management - Securing Your Data in the 21st Century Enterprise – Lance Peterman
This document discusses identity and access management (IAM) programs that can help secure data in modern enterprises. It outlines why identity has become central to security and notes that recent high-profile data breaches involved compromised credentials. The document recommends implementing IAM programs around user management, entitlement management, privileged access management and federation. It also discusses emerging standards like OAuth 2.0, SCIM and OpenID Connect that can help improve security and management of identities.
Proven Practices to Protect Critical Data - DarkReading VTS Deck – NetIQ
NetIQ was a Platinum sponsor for “Plugging the Leaks: Finding and Fixing the IT Security Holes in Your Enterprise,” a virtual trade show (VTS) produced by Information Week Magazine and Dark Reading.
This was our presentation deck: "Proven Practices to Protect Critical Data", presented by Matt Mosley, Senior Product Manager, and Matt Ulery, Director of Product Management, during a live presentation. They explored some of the most significant problems facing security teams tasked with protecting critical data, and they revealed some of the most effective approaches and technology that can be used to quickly identify real threats.
Causes And Consequences Of Data Leakage – Patty Buckley
Here are the key points from the case study:
- Pepperdine University has embraced BYOD for many years, allowing students, faculty, and guests to use personal devices on the campus network.
- The university implemented Bradford Networks' Network Sentry solution to provide secure network access for BYOD users while also detecting and responding to security threats.
- Network Sentry integrates with Sourcefire IDS to enable rapid identification and remediation of threats. When threats are detected, Network Sentry can isolate infected devices from the network.
- This approach allows the university to safely support BYOD without restricting access for the majority of devices that are not infected. The focus is on responding to threats rather than restricting devices based
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...IRJET Journal
This document discusses data leakage prevention (DLP) systems and approaches to avoid data breaches in organizations. It begins with an abstract that outlines how sensitive data can be lost through unauthorized access or transfer. The introduction then discusses the need for DLP to control and monitor data access and usage. Key challenges for DLP implementations are also reviewed, such as protecting information, reducing unauthorized data transfers, and identifying internal and external threats. The document concludes with recommendations for future research on DLP, including using deep learning techniques to improve insider threat detection and monitoring encrypted communication channels.
This document discusses network security. It defines network security and outlines some of the key challenges, such as the increasing sophistication of hacking tools. It then covers security roles, issues, goals, and components. These include authentication, authorization, privacy, integrity, availability, and nonrepudiation. The document also discusses data classification for public/private organizations and controls like administrative, technical, and physical controls. It outlines how to prosecute security breaches and addresses legal liability issues. Finally, it provides recommendations for examining security across an organization's entire network.
Intelligent compliance and risk management solutions.
First, we understand ‘compliance’ can have different meanings to various teams across enterprise. Compliance is an outcome of continuous risk management, involving compliance, risk, legal, privacy, security, IT and often even HR and finance teams which requires integrated approach to manage risk.
Let's start with the base pillar Compliance Management: compliance management is all about simplify risk assessment and mitigation in more automated way, providing visibility and insights to help meet compliance requirements.
Information Protection and Governance: we believe there is a huge opportunity for Microsoft to help our customers to know their data better, protect and govern data throughout its lifecycle in heterogenous environment. This is often the key starting point for many of our customers in their modern compliance journey – knowing what sensitive data they have, putting flexible, end-user friendly policies for both security and compliance outcomes, using more automation and intelligence.
Internal Risk Management: Internal risks are often what keeps business leaders up at night – regardless of negligent or malicious, identifying and being able to take action on internal risks are critical. The ability to quickly identify and manage risks from insiders (employees or contractors with corporate access) and minimize the negative impact on corporate compliance, competitive business position and brand reputation is a priority for organizations worldwide.
Last but not least, Discover and Respond: being able to discover relevant data for internal investigations, litigation, or regulatory requests and respond to them efficiently, and doing so without having to use multiple solutions and moving data in and out of systems to increase risk – is critical.
The document summarizes a seminar on database security threats, challenges, and approaches. It discusses how database security aims to protect the confidentiality, integrity, and availability of data. It outlines several challenges to database security like complex access control policies, security for large distributed databases, and privacy-preserving techniques. The document also discusses approaches to database security including encryption, digital signatures, role-based access control policies, and both built-in database protections and third-party security solutions.
Discussion of information Security risks in current business and technology environments.
presented to ISSA Ireland conference attendees in Dublin on 12 May 2011.
Question 1Discuss why those in the human resource development po.docxmakdul
Question 1
Discuss why those in the human resource development positions are in a prime position to facilitate the change process. How can they develop employee trust in the change process?
Your response should be at least 200 words in length. References APA format
Question 2
Compare and contrast Lewin's change management model and Kotter's eight-step change model. Which do you believe is more effective? Why?
Your response should be at least 200 words in length. References APA format
Question 3
Although change can be positive overall, it can also end poorly. How can the obstacles of change be overcome? Explain using detail and examples.
Your response should be at least 500 words in length. References APA format
Question 4
Why is change so difficult to implement within an organization? What are the reasons people resist change, and what can an organization do to ensure change is well-received and permanent?
Your response should be at least 500 words in length. References APA format
Enterprise Security Plan
Riordan Manufacturing
Agenda
Riordan Manufacturing’s History
Physical Vulnerabilities and control Measures
Network Security and Control Measures
Data Security and Control Measures
System Integration
Current
Future
Implementation
Riordan Manufacturing History
Physical Vulnerabilities & Control Measures
Vulnerability – Weak Authentication
Risk- Identity theft, unauthorized access to confidential information
Vulnerability – Improper training
Risk- Back ups not accomplished, confidential emails or data sent without proper security measures, missed security patches
Vulnerability – Hardware
Risk- Loss of programs and data. Customer banking information becoming lost or permanently
deleted. Power loss, system timing problems.
Its very important to ensure that your company is safe and secure and in order to do that you have to look past the security cameras and door locks and look into your actual IT security plan. Weak authentication, improper training and a lack of proper hardware usage can cause major risks and issues within your system that can potentially take down your entire enterprise. In order to to help mitigate this issues a Roll Based Access Control System (RBAC) can be implemented. This system helps divide access to systems across the board not allow one person to have total control and making it possible to restrict access to certain individuals. Ensuring that a proper training plan is in place and revisited by employees semi-annually can help keep security measures and practices fresh in their memory. Hardware will always be an issue that has to constantly be revisited. Since hardware becomes outdated so fast its important to stay on top of all updates and ensure that the correct hardware is used like power banks and back-ups to guarantee zero loss of data during power outages and such.
4
Network Security & Control Measures
Two Teams: Network & Security
Roles & Responsibilities
Separation of Dutie ...
Information security involves protecting information and systems from unauthorized access, use, disclosure, disruption or destruction. It aims to ensure the confidentiality, integrity and availability of information through technical, administrative and physical controls. The most common principles of information security are confidentiality, integrity, availability, authenticity, non-repudiation and accountability. Access controls like identification, authentication and authorization help enforce security policies and protect information based on user roles and permissions. Cryptography also plays an important role through encryption to render data unusable without authorization. Information security requires an ongoing, layered approach to safeguard information throughout its lifecycle.
The document discusses data security and data management. It defines data security as processes and practices to protect critical IT systems and information. Effective data security uses controls, applications, and techniques to identify important data and apply appropriate security controls. Data security is important for organizations to protect user and customer data from unauthorized access. Common data security methods include access controls, authentication, backups, encryption, and data erasure. Data management techniques aim to ensure data quality, integrate data across systems, and govern data use and access. The document also discusses specific techniques for data cleansing, integration, and other aspects of data management.
1. The document summarizes a panel discussion on securing citizen-facing applications for government. It discusses challenges around involving business owners in security decisions, identifying citizens to access systems, and meeting different authentication standards.
2. The panelists debate centralized vs decentralized authentication approaches and discuss lessons around getting business support for security architecture.
3. In closing, the panel provides guidance to security architects, emphasizing identity as a service, database defense in depth, and conducting security health checks.
Flaws in Identity Management and How to Avoid ThemNetIQ
This document discusses common flaws in identity management and how to avoid them. It identifies three main flaws: 1) failing to properly de-provision employee access when they leave, 2) lacking centralized identity management across platforms, and 3) having no secure method of delegating privileges. To address these flaws, the document recommends tightly integrating identity management with HR, leveraging centralized directory services, reducing the number of administrators and more tightly controlling privileges, and automating workflows. It also provides two case studies of companies that implemented identity management solutions to help streamline administration, improve security and compliance, and reduce costs and vulnerabilities.
The IT security team was tasked with auditing the company's access control policies and system configurations to ensure least privilege access. Without proper access controls, employees could access data they have no valid need to see. The audit will analyze mandatory access controls, which classify data and restrict access based on security clearances. This helps prevent unauthorized access to sensitive information and helps the company comply with security regulations. The team aims to identify any weaknesses or misconfigurations that could be exploited, and to provide recommendations to strengthen access controls and security.
This document discusses security as a service (SECaaS) and security governance. It defines SECaaS as outsourcing cybersecurity such as data protection, network security, and database security to the cloud. Benefits of SECaaS include access to latest security software and qualified personnel at reasonable cost. The document also describes security governance as a set of tools, roles and processes for formal risk management, including access control policies, data classification, and password management. The main purpose of security governance is to oversee cybersecurity teams and prioritize risks according to business needs.
This document discusses data security challenges for water utilities and strategies to improve security. It notes that internal threats from employees pose a greater risk than external threats. It also summarizes the evolution of data management from paper to desktop applications to cloud-based software as a service. The document recommends tools to improve security, such as consolidating databases, automating data entry and review, controlling access, implementing backups and a disaster recovery plan. The goal is to make critical data accessible to decision makers while maintaining security.
This document discusses the importance of information security policies and processes. It defines information and explains that information can take many forms and must be appropriately protected. It then discusses the importance of information, what constitutes information security, and why information security is needed to protect organizations. Key risks like data breaches are outlined. The document emphasizes that information security is an organizational issue, not just an IT issue, and stresses the importance of people, processes, and technology in an information security program. It provides an overview of some common information security standards and regulations like ISO 27001 and HIPAA.
The Increasing Problems Of Controlling Access
The Increasing Problems of Controlling Access. Presentation to RMAA Seminar, 13 May 2008. Kylie Dunn, Knowledge & Records Manager, Department of State and Regional Development
Good afternoon everyone, today I’m going to examine how changes in the technology, systems and methods of recordkeeping and the communication of records require far more stringent access controls within an organisation, and how these requirements can be achieved through
I’m going to examine the policy requirements for this sort of activity, look at the issues around applying access controls within certain systems, and look at how technology is introducing new and interesting risks in trying to control the transmission and storage of records. So after the doom and gloom of the problems I’ll then look at how the organisation can help itself overcome these problems and what the role of the records staff is in supporting technology, defining policies and training staff.
But before we get into the nitty gritty of this a little divergence is probably in order. As ???? mentioned, I have only been in State government for a couple of months, after eight years with Defence – and after managing the records for an operational headquarters inside Defence for the last two years I’m enjoying the break. But I’m also very amused by the different attitudes within the two organisations towards controlling access to information, and my general feel at this point in time is that Defence was far better at sharing information within the organisation than my current department is, which I found very surprising – it would appear that the commercial nature of some of the work is seen as more problematic than national security. BUT I DIGRESS
On to policy. The recordkeeping standard makes the following points about access: it’s about internal and external controls within an organisation.
It’s applied to both elements – the records and the people. This can help an organisation establish who should have access and who shouldn’t, but can be problematic when you start discussing whether someone has a “need-to-know” – which is not as black and white as we would like it to be.
That managing access ensures that records are categorised according to their accessibility as it is at a particular point in time – since access can (and in many cases should) change over time.
And that the STAFF who are responsible for the business function are in the best position and should be given the responsibility of specifying the access.
The Australian National Audit Office report of 99-00 investigated the status of security classification systems within government in detail. Among other things they found…
That staff had a general lack of understanding about the classification system which resulted in incorrect classifications, or in the worst cases, no classifications.
That the most common error was to err on the side of caution and over-classify records – which causes all sorts of other issues that I will discuss a little later.
They also delivered a list of requirements for the organisation including creating policy, defining responsibilities, ensuring technological and physical securities are in place, developing procedures for policy implementation and developing and conducting training with staff.
The policies, procedures and training are all risk management activities – that’s what we’re really talking about here – how do we best limit the risks of people gaining inappropriate access to your organisation’s records?
Because you can’t afford to be too risk averse in the development and implementation of your access control policies and procedures. Excessive risk aversion results in policies that are unworkable or that make it very difficult for staff to do their jobs, and such policies can also be very expensive for the organisation to manage.
And risk aversion will generally result in technology aversion – since you don’t want to open up electronic access to records, you want to keep everything locked away and controlled by the records staff. Technology aversion makes it difficult to improve the ability of staff to create, store, retrieve and share records (both internally and externally) – and staff are creative, so if you don’t provide systems to support them they will find ways outside of the accredited systems to do it. So this is not a good approach to take with your policies.
Really, what we’re going to be talking about is developing policies, turning them into simple and easy to understand procedures and ensuring staff are adequately trained in them. These activities combined will form a much more coherent and robust risk management strategy than aversion.
So, in the “good old days” there was usually only one copy of the record, which was kept physically within the records area, or maybe at someone’s desk. Records were generally created in one way and could thus be far more easily access controlled, simply by applying physical restrictions to access – safes, locked cabinets, controlled registries.
However there were issues in being able to search for and retrieve information when it was created and managed in a purely physical sense – but I guess since there was far less information the issue was not as pronounced as it would be today.
In the digital age we create records in a variety of formats and in far greater volume than ever before. Electronic documents, emails, databases, websites and intranet sites all contain, or need to be captured as, records. And each of these systems can contain a variety of sensitive or classified information that needs to be controlled against inappropriate access. Just as the amount of information we deal with has grown exponentially over the last decade, so too has the number of systems that store that information and to which we need to control access. So what are these systems, and what are the benefits and potential issues around trying to classify information within them and limit access to it?
I’m going to start with the controversial one, because you and I both know that using a shared drive is not an accredited recordkeeping system and should not be the sole repository for records in any organisation. However, the fact of the matter is that this is where staff place their documents (that is, when they aren’t squirreling them away in their H drive) and very few of the “records” that are stored on the shared drive ever actually make it onto a physical file, or into an accredited recordkeeping system. Further to this, even if the records are making it onto the file, the fact remains that they will still exist in the shared drive where they were created, and so we need to be cognisant of the access controls that are being afforded to this information. Permissions within shared drives can be very time-consuming to manage properly (especially in organisations like the ones I’ve worked in, where staff come and go regularly, or shift to other positions for a few months and so on). As well as this, these permissions are usually controlled by the IT staff, as they will normally lock down the standard user from not only changing folder access but being able to see who has folder access as well. That brings us to the low fidelity of access information inside this system. Audit logs can be set up fairly well for a lot of functions in a shared drive, but even if they are established they aren’t readily available to staff. So not only can you not see who can access or change a document, you can’t even see who has accessed it or changed it. And lastly, the application of security classifications within this system is not easily achieved. It is not a drop-down list, there is little metadata available inside a shared drive, so organisations will come up with a process that works around the limitation.
Headers and footers for the printed document are a great indication to anyone who opens it, but what if I’m emailing it out of the system and I don’t check to see whether it has handling instructions or a classification first? Our policy is to put it into the Comments field in the document properties – how many staff do you think bother to do that, and how many others do you think bother to look?
So we’ll move onto Electronic Document Management Systems. These fall into two categories – those that are part of a recordkeeping system like Objective or TRIM, and those that are purely EDM systems like Hummingbird and SharePoint. Either way, both are a huge improvement on the shared drive, but the recordkeeping systems will generally offer greater metadata fidelity, management and control. They have far better auditing and usually have audit trails that are visible to the user – so not only does the system know exactly who did what and when they did it, but I can see it too. The application of privileges is usually easier, depending on how your organisation has it set up, and it can usually be devolved outside the IT administrators’ space, as it is usually not an “administrative privilege” as such. Users will often have the ability to see who has access privileges and what access they have, so staff can check the application of privileges in areas where they are placing sensitive information. It is also far easier to apply classifications (in all senses), as the document can have an often unlimited number of metadata fields assigned to it, which are searchable, reportable and displayable (if that’s a word). But there is still a major drawback with these systems: what happens when the record is taken out of it? What happens if I want to send it to Bob by email, because I know Bob doesn’t have access to it inside the system? The metadata doesn’t stay with it, and depending on how I’ve taken it out of the system you may not know that I’ve done so. [By the way, I have no advice or solution on how to solve that aspect of these systems; training staff how to do it correctly so the audit trail knows that it was emailed to Bob is one way, but as I’ve mentioned before – people are creative.]
And then we have databases… These are becoming more and more of an issue, since we seem to use databases for capturing so many official records now (when you get right down to it, recordkeeping systems are just databases for storing files and documents). The biggest issue with the development of databases for capturing records is that the IT staff, project team and developers seldom include records staff in the design and development process to make sure that the recordkeeping requirements are being properly addressed.
As 01-02 ANAO report on recordkeeping states... these systems meant that there were gaps and these “Gaps in collection of recordkeeping information compromise an organisation’s ability to prove the authenticity, accuracy and integrity of their records and to manage their records efficiently and with appropriate protection.”
The existence of systems like TRIM and Objective proves that databases can be built to deal with the compliance aspects of the Recordkeeping Standard. But it’s up to the developer or the project staff to ensure that these requirements are included in the scope for systems that will be responsible for the capture of official records (like our financial databases, HR databases, leave databases or the client database in my current Department). Anything is possible in development terms, if you have enough time and money, which we usually don’t. You can create a database which allows staff to tag every field with a different security classification, so that a user logging into the system without the correct clearance will not see those fields – but that means adding a classification field to every other field in the database, ensuring that you can capture the users’ clearances, being able to identify the user and then creating pages that only retrieve the information that user is cleared to see. Whilst that would work in 95% of national security classification situations it is not easy to apply to the In-Confidence side of things – access is usually a lot more complex than just a person’s clearance – and so we run into the “need-to-know” phrase which I’ll discuss later.
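A cut-down version of that field-level design, as an added example (not from the presentation or from any of the systems it names): each data column carries its own classification column, the user’s clearance comes from a staff table, and the retrieval query itself returns NULL for anything marked above that clearance, so the page never receives it. The table, column, staff and client names are constructed; the clearance ladder uses the levels named in the text.

```python
import sqlite3

# Constructed clearance ladder using the levels the presentation names; the ordinal
# lets the database itself compare a field's marking against a user's clearance.
LEVELS = [("UNCLASSIFIED", 0), ("RESTRICTED", 1), ("CONFIDENTIAL", 2), ("SECRET", 3)]
RANK = dict(LEVELS)
FIELDS = ("name", "contact", "proposal", "finances")  # hypothetical client columns


def open_db():
    """In-memory database: a staff table holding each user's clearance, and a
    client table in which every data column has a paired <column>_class column."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("PRAGMA foreign_keys = ON")  # reject markings that are not a known level
    conn.execute("CREATE TABLE clearance_level (name TEXT PRIMARY KEY, ordinal INTEGER NOT NULL)")
    conn.executemany("INSERT INTO clearance_level VALUES (?, ?)", LEVELS)
    conn.execute("CREATE TABLE staff (username TEXT PRIMARY KEY, "
                 "clearance TEXT NOT NULL REFERENCES clearance_level(name))")
    conn.executemany("INSERT INTO staff VALUES (?, ?)",  # constructed users
                     [("mary", "SECRET"), ("bob", "CONFIDENTIAL"), ("admin_asst", "RESTRICTED")])
    cols = ", ".join(f"{f} TEXT, {f}_class TEXT NOT NULL REFERENCES clearance_level(name)"
                     for f in FIELDS)
    conn.execute(f"CREATE TABLE client (id INTEGER PRIMARY KEY, {cols})")
    conn.executemany("INSERT INTO client VALUES (?,?,?,?,?,?,?,?,?)", [  # constructed rows
        (1, "Acme Widgets", "UNCLASSIFIED", "02 0000 0000", "RESTRICTED",
         "Expansion proposal", "CONFIDENTIAL", "FY08 profit and loss", "SECRET"),
        (2, "Beta Tools", "UNCLASSIFIED", "02 0000 0001", "RESTRICTED",
         "Tender response", "CONFIDENTIAL", "Cash position", "RESTRICTED"),
    ])
    return conn


def cleared_select():
    """SQL that yields NULL for any field marked above the caller's clearance, so
    data the user is not cleared for never leaves the database layer."""
    cases = ", ".join(f"CASE WHEN lv_{f}.ordinal <= :ordinal THEN c.{f} END AS {f}, "
                      f"c.{f}_class AS {f}_class" for f in FIELDS)
    joins = " ".join(f"JOIN clearance_level lv_{f} ON lv_{f}.name = c.{f}_class"
                     for f in FIELDS)
    return f"SELECT c.id AS id, {cases} FROM client c {joins} WHERE c.id = :id"


def fetch_client(conn, client_id, username):
    """Return (visible_fields, withheld_field_names) for the client as seen by
    `username`, or None if the client does not exist. Unknown users are refused."""
    user = conn.execute("SELECT clearance FROM staff WHERE username = ?", (username,)).fetchone()
    if user is None:
        raise PermissionError(f"unknown user {username!r}")
    ordinal = RANK[user["clearance"]]
    row = conn.execute(cleared_select(), {"ordinal": ordinal, "id": client_id}).fetchone()
    if row is None:
        return None
    visible, withheld = {"id": row["id"]}, []
    for f in FIELDS:
        if RANK[row[f"{f}_class"]] > ordinal:
            withheld.append(f)  # the page can say "field withheld" rather than show a blank
        else:
            visible[f] = row[f]
    # This ladder only models hierarchical clearance. A Commercial-in-Confidence or
    # need-to-know restriction is not a level and needs a separate group-based check.
    return visible, withheld


if __name__ == "__main__":
    db = open_db()
    for who in ("mary", "bob", "admin_asst"):
        print(who, fetch_client(db, 1, who))
```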
And the last set of systems to examine are websites… Since a lot of websites (especially portal based technology) run on databases nowadays, we’ve already discussed some of the issues surrounding the technology, but we’ll go into this further. Pages, and sometimes individual content or documents, can be locked down to limited sets of users through most content management systems, but that requires the database to know who you are. Without a content management system this becomes increasingly difficult to achieve, but technically anything is possible, as we’ve already discussed.
The major issue with all of these systems, which overarches all of their benefits, is that they are reliant on the user to apply the correct security classification in the first place – otherwise the smartest system in the world will not know that it has to limit the access. And for systems like a shared drive it is more complex, as it relies upon staff knowing who can access certain areas, or contacting the IT area to ensure that folders are locked down, thus limiting their accessibility. Overall, there are two general scenarios that you will end up with: either the staff will find it too difficult to mark their documents with the correct handling instructions, so they will lock everything away in their H drive so it is all safe; or the staff will decide that it’s all too hard (working out when to apply handling instructions and who should have access and so on), so they will simply not apply any. This means that they have neither limited access nor advised other staff of the potentially sensitive nature of a record.
If controlling access to records inside your internal systems is this complex, then what about when staff take that information and send it to someone else? This is becoming increasingly problematic, as you lose a lot of control over a record when it leaves your recordkeeping system, and relinquish complete control when it leaves your organisation. So how can you guarantee that it is still being afforded the correct access controls? In short, you can’t, but let’s look into it a little further…
I don’t know about you, but I would happily turn email off within an organisation – it is generally a poorly managed communication tool that is used inappropriately as an information storage device, that heavily restricts the discoverability of information within the organisation, and is an extremely inefficient form of collaboration and communication (often resulting in large amounts of duplication, redundancy and numerous back-and-forth exchanges to resolve something that a five minute phone call would have achieved just as well, if not better). It has a place, but most organisations don’t know what that place is… that’s my little rant for the day. So what are the issues around communicating records through email? They all involve the security of the records you have sent (and since we’re really talking about sensitive records here this is a major problem). Do you know who has access to the inboxes you have sent it to? Many people will open proxy access to their inbox up to other staff during their absence, or if they work in close teams. How do you know who ELSE has seen the document? And once it has left your space, how do you ensure that they store it appropriately and afford the correct access controls within their space? How do you know they haven’t sent it on to someone else? And then there is the security aspect of some of these communications. Where is the email actually going? Gone are the days when you knew that Mary was sitting in her office on her PC when she opened your email; how do you know she isn’t on a Blackberry on a train, in Starbucks using their wireless internet access to get her webmail, or on a public machine at the airport accessing her Google Mail? All of these technologies carry inherent risks with them; even sending an email out to Mary sitting at her PC has an inherent risk, as you don’t know how good her firewall is, and who might be able to intercept the document.
A photocopy was never as easy to intercept, not as easy to store in an inappropriate location and certainly not as easy to inadvertently send out to the world (Reply to All). It was still possible to send information on, to make it available to others (faxing to a heap of people and so on) but it was not as easy. Mention photocopying at Rank
The “Cloud” is that ethereal network, the world wide web, electronic communication through wireless technologies and so forth. The Cloud allows an organisation a huge amount of flexibility in the way they can conduct business – the cloud is also a security nightmare, for most of the reasons I mentioned in the last point about email.
Millions of records are compromised each year through the internet – in 2006 the reported figure was 20 million records – the incident referred to in this article helped bump the 2007 figure up to 74 million (or, for other figures released by Attrition.org, from 49 million up to 162 million). Regardless, the figures are scary, and given that one of our websites suffered a hack attack on Monday night that took it offline for about eight hours – this is not hype.
However, according to the World Information Access website in a 2007 article: excluding a particularly large security breach at Acxiom, hackers account for the largest volume of compromised records, some 45 percent, while 27 percent of the volume is attributed to organizational mismanagement and 28 percent remains unattributed. But in terms of incidents, 9 percent were an unspecified type of breach, 31 percent of the incidents involved hackers, and 60 percent of the incidents involved organizational mismanagement: personally identifiable information accidentally placed online, missing equipment, lost backup tapes, or other administrative errors.
Again it reinforces the need to be technologically aware of situations, ensure that your staff understand the inherent risks associated with communicating sensitive (and non-sensitive) records but to not become technologically averse as a risk management solution. In the end we need to accept that there will be a loss of control of these records, and hope that trust will not be misplaced with those people receiving them. Policies also need to state that staff must positively identify the handling requirements in the email, to try to stop the receiver from mismanaging the information – Federal government has the [SEC=XXX] subject line inclusion to identify the sensitivity or security of the enclosed information – but again it is up to staff to apply this appropriately.
So where do the organisational policies, and the individual skills and knowledge of the staff to appropriately mark information, come into this, and what are the implications?
The ANAO provided the following insight in their 99-00 Report on classification: “Over-classification has the effect of increasing the costs of protection and restricting the flow of information within the organisation. In addition, there was sensitive material at each of the organisations that had not been classified when it should have been. This material was held in both hardcopy and electronic form. Furthermore, staff normally only classified work that they had created themselves, as there was little indication of classifications being applied to information received from external sources. Finally, documents not placed on official files were not generally classified.”
So the problems with over-classifying are… that there are increased management burdens placed upon the organisation, which adds to the cost of storing and managing records as well. For instance, a SECRET file needs to be kept in a C class cabinet, which is basically a safe. Whereas a RESTRICTED file can be kept in a filing cabinet or even on someone’s desk if the building is appropriate. Thus they are far easier to store and manage. And when you think about the inactive files that need to be kept in a secure repository, the cost can be very significant. Also, moving classified files requires accredited companies, whereas staff can easily carry unclassified files around (without the need for two staff, a briefcase and other physical protective requirements). And then there are the less obvious costs to the organisation. The inability to share information with staff because it has been classified outside of their access can impact the decision making within the organisation, and the efficiency of staff in performing their duties. So what if I’ve inappropriately placed unclassified information on a classified file? What if I’ve classified it too high? The administrative assistant might have only been deemed to need a Confidential clearance, and I’ve just classified documents out of her access, which might be a pivotal part of her job.
But under-classifying information is just as dangerous to the organisation. It might not cost more in operational costs, but not affording the correct access to a record could have more serious impacts. Breaches of Privacy Acts, releasing commercial-in-confidence information or breaching national security requirements can all lead to a loss of reputation, court action or other such detrimental actions being taken against the organisation. A handling marking will ensure that any other staff that have been afforded access to that record will know how to deal with the information appropriately, if it has been under-classified or not classified at all then you are leaving it up to staff to make their own judgement decisions, which may perpetuate the non-legitimate access.
Just as we shouldn’t be technologically averse we also shouldn’t be guided by the opinion that technology can solve all of these problems. I hope that I have made enough of a point that this relies on people classifying the information, and people doing it right.
But, technology can certainly help an organisation protect information from unauthorised access and editing. This can be done in two main ways: the IT staff can group staff and apply access controls within databases, EDMs, shared drives and websites, and Staff can appropriately inform others of the security requirements surrounding the information by marking the document/data or by capturing the requirements in metadata. The problem with using metadata is that it can be foreign and unworkable for staff to assign the classification, and for other staff to look for and identify that one has been applied. At the end of the day, all systems are only as good as the people using them. Just as we are reliant on staff to put information in the right folder/file, apply the right keywords and so on, they are required to apply the correct classification.
And the more numerous and complex our systems become, the harder it is for people to maintain an overarching understanding of who has access to what, especially with so many staff movements in the workplace now. This is where the Access Model comes in as a way of positively managing the policies around access to records, defining and capturing the groupings of staff and trying to improve the understanding of the recordkeeping staff, other staff members and…
The poor IT helpdesk staff that usually end up with the bulk of the responsibility of looking after all of this stuff.
This is the basic anatomy of an access model. It should identify:
The system – what it does, who is responsible for the management and support of it, and the software it sits on. Importantly this needs to include the system owner, and any other persons that can approve alterations in a staff member’s access within the system.
What the security requirements of that system are (so what level of information can be placed into it).
A general policy overview (so things like: individuals will not be given access to folders, only groups can be given access, and individuals will belong to the groups).
A list and definitions of the user groupings within the system – especially highlighting those that will have restricted access.
A list of exceptions to the rules defined in the policy area (as there are always exceptions).
Definitions of what each of the permissions in the system means (read, write, create, delete etc. – they don’t always mean the same thing).
What permissions have been allocated to what groups against what folders/containers/records.
As you can see from that list, these things are hard to maintain – which is why you do not include individuals in anything – your list of permissions is against GROUPS, which means that this document can remain a lot more static. In an appendix or working document you would maintain a list of who was in what group. It also helps to clearly define the process that staff must undertake when changing positions or leaving the organisation so you can ensure that their access is changed accordingly – smaller organisations are quite simple but once you get over a hundred staff there need to be formal processes.
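An added example (not part of the presentation) of what that anatomy looks like once it is written down as data rather than prose: grants go to groups only, exceptions carry their approver and reason, the who-is-in-which-group list is a separate appendix, and a staff movement is handled by editing that appendix alone. The system, group, container and staff names are hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical access model for a recordkeeping system, laid out the way the text
# describes: permissions are granted to GROUPS against containers, exceptions are
# listed separately with their approver, and the who-is-in-which-group list is an
# appendix (MEMBERS) kept apart from the model so the model itself stays static.
PERMISSIONS = {"read", "write", "create", "delete"}  # meanings are system-specific


@dataclass
class AccessModel:
    system: str
    owner: str
    approvers: set            # people who may approve a change to someone's access
    max_classification: str   # highest marking the system is accredited to hold
    groups: dict              # group name -> definition
    grants: dict              # container -> {group name -> set of permissions}
    exceptions: list = field(default_factory=list)  # (container, group, perms, approver, reason)


MODEL = AccessModel(  # constructed example
    system="Client Register", owner="Director, Client Services",
    approvers={"Director, Client Services", "Records Manager"},
    max_classification="RESTRICTED",
    groups={"ClientServices-All": "Everyone in the Client Services branch",
            "Proposal-Team": "Staff working on the current business proposal",
            "Records": "Records staff"},
    grants={"/Clients": {"ClientServices-All": {"read"}, "Records": set(PERMISSIONS)},
            "/Clients/Proposals": {"Proposal-Team": {"read", "write", "create"},
                                   "Records": set(PERMISSIONS)}},
    exceptions=[("/Clients/Proposals", "ClientServices-All", {"read"},
                 "Director, Client Services", "branch analysts need to know the proposal exists")],
)
MEMBERS = {"mary": {"ClientServices-All", "Proposal-Team"},  # appendix: user -> groups
           "bob": {"ClientServices-All"}, "rec01": {"Records"}}


def validate(model, membership):
    """List every way the model breaks its own rules: a grant to a person instead of
    a group, an undefined group, an unknown permission, or an unapproved exception."""
    problems = []
    for container, by_group in model.grants.items():
        for grantee, perms in by_group.items():
            if grantee not in model.groups:
                kind = "individual" if grantee in membership else "undefined group"
                problems.append(f"{container}: grant to {kind} {grantee!r}")
            if not perms <= PERMISSIONS:
                problems.append(f"{container}: unknown permission(s) {sorted(perms - PERMISSIONS)}")
    for container, group, perms, approver, _reason in model.exceptions:
        if group not in model.groups:
            problems.append(f"exception on {container}: undefined group {group!r}")
        if approver not in model.approvers:
            problems.append(f"exception on {container}: {approver!r} may not approve access")
    return problems


def effective(model, membership, user, container):
    """Permissions a user actually holds on a container: the union of the grants
    and approved exceptions for every group the appendix places them in."""
    perms = set()
    for group in membership.get(user, ()):
        perms |= model.grants.get(container, {}).get(group, set())
        perms |= {p for c, g, ps, _, _ in model.exceptions if (c, g) == (container, group) for p in ps}
    return perms


def who_can(model, membership, container, perm):
    """Who currently holds `perm` on `container`: the view the helpdesk is asked for."""
    return sorted(u for u in membership if perm in effective(model, membership, u, container))


def move_staff(membership, user, new_groups):
    """Staff movement or departure: replace a person's groups in the appendix (an
    empty set on leaving) so every grant they had through those groups falls away."""
    dropped = set(membership.get(user, set())) - set(new_groups)
    membership[user] = set(new_groups)
    return dropped
```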
So finally we get onto the staff – they need to be trained about their requirements in relation to the protection of records within the organisation. The only way to ensure that the staff are applying the appropriate controls on records, and that they understand what those controls actually mean is to train them. Since this sort of topic is about as interesting to staff as every other aspect of records management, this is not an easy job. It also has to be made very relevant to them and their information. Overall they need…
to understand the issues around why it is important to classify the information when they store it and how their failure to classify may allow unauthorised access, but if they over-classify they can hinder the organisation financially and operationally.
They need to understand the issues around electronic communication – what is safe and what isn’t – so they can adequately evaluate when they should and should not be doing it.
They need to understand the classification scheme, what needs to be afforded security protection and what doesn’t. They need to understand the difference between classifying inside and outside the organisation. For instance, within my Department we may place a Client’s information in a Commercial in Confidence file, because we are working on a business proposal with them that contains a lot of their financial information, business plans and other documents that are commercially sensitive. This marker helps people inside the agency know that they should not be openly discussing the contents of the file with personnel outside the organisation. BUT there are other agency staff that might have a need to know about this activity, and how it might affect competitiveness of a particular industry sector. So even though they are not working on the project itself they will need access to the information. The sensitivity of the information is really for external release, the markings limit releasability outside the Department, inside the Department the handling instructions (caveats) are an indicator to staff about how they should manage the information, not a way to hide it from them.
And then they need to understand that the “need-to-know” is not the overriding decider for all records within the system. It should be used sparingly, because, as I just mentioned, they may not be aware of how much their current project will impact on other staff, and if they keep it too close-hold then it can have as damaging an effect on the organisation as allowing too many people to know it. The good old military saying “loose lips sink ships” is important to remember in an organisation, but it should be tempered by the fact that you should be able to trust the staff within your organisation to do the right thing – and as long as you know that they’ve been trained as well as you, then this should not be an issue.
LASTLY, it needs to be easy and intuitive, or else they won’t do it, and that really is the bottom line. We all know this, as records staff, that staff are seldom malicious in their negligence with managing their information – more often than not it’s apathy or laziness and the more difficult it is the less chance you have.
So what do I see as the role of the records staff in all of this, because this is a complex issue that requires input from a variety of skills within the organisation. Well I see that the records staff have…
an advisory role within the organisation in relation to access controls. The creation of labelling and handling policy will normally be done by an information security type role within the organisation, as it relates to a lot of other things, not just records security. So I’m not saying that records staff should be creating these policies, but they should be consulted to ensure that the decisions made are not going to have an adverse impact on the ability of staff to create and store records correctly or the records staff to be able to manage, retain or dispose of them. The advisory role should also extend to the development of any system within the organisation that will be treated as a records repository – be they the Records systems, EDM systems, databases, websites or even the dreaded shared drive. This will ensure that developers consider compliance issues around recordkeeping and don’t create systems that allow for gaps in the corporate record.
Records staff should ensure that the labelling and handling policy is incorporated in current recordkeeping procedures, or that new procedures are written to assist staff in understanding how to classify information correctly so that it can be more easily access controlled as required.
I also see that the Records staff have a strong training role with this… as with all aspects of records. This is probably the hardest part to achieve, since most people seem to consider recordkeeping training as painful as water torture, but it is a requirement. And as the ANAO reports indicate, this is something that staff generally do not do well due to a lack of understanding.
Lastly, I see that the records area should be responsible for the development and maintenance of access models for the recordkeeping systems within the organisation (and by this I mean that actual recordkeeping systems like Objective and TRIM). They should also be advising other elements of the organisation on the development of access models for systems that have a recordkeeping function (like the HR database), but since the retention of records is more of a secondary function for these systems I don’t believe that the records staff should be responsible for all Access Models.
So what am I hoping you will take away from this presentation? This is a complex area of recordkeeping that there is no quick fix to overcome (not that I think there are any quick fixes in recordkeeping unfortunately). It is made all the more complex by the constant enhancements to technology, lack of consultation with records staff about systems and that it relies on staff to understand and apply very dry policy.
Applying access control to records is a risk management activity that requires policy, procedures and training, not a culture adverse to technology and sharing.
Technology can assist records staff greatly, but it is not the silver bullet that will solve the problems (and sometimes it can make them worse).
With an ever increasing amount of complex systems coming into an organisation there is a distinct need to create and maintain access models for recordkeeping systems, as they are the best chance of maintaining positive control over access, and providing guidance to IT staff on how they can and cannot apply access within the system.
At the end of all of this, STAFF need to understand. And this is a double-edged statement: All staff in the organisation need to understand what the policies are in relation to confidential, sensitive or classified information, they need to understand and be trained in the procedures for evaluating records and applying the correct classifications to them and they need to be held accountable for getting it wrong. It also means that the records staff need to have the same level (if not slightly higher) of understanding about the policies and procedures, but more than this, they also need to understand how the “systems” work to support the policies. The requirement for records staff to have strong IT skills is becoming increasingly important in a world where a significant amount of records are retained in IT systems.