This document discusses key topics relating to information security and risk management. It covers e-crime threats like viruses, worms and hacking. It also discusses information security laws and frameworks for compliance like SOX, HIPAA and GLBA. The document emphasizes the importance of information security policies, business continuity planning, electronic records management and the role of the chief information security officer in managing risks.
Topic 6 -it_security
MANAGEMENT INFORMATION SYSTEMS
Executive MBA PGSM
INFORMATION SECURITY
Information Security
• Background
– Organizations face security threats from both within and outside
– Traditional security measures have addressed external threats
– Understanding the managerial aspects of information security is important because of the changing regulatory environment and the potential risk exposure that some firms face
E-Crime
• E-Crime: any criminal violation in which a computer or electronic media is used in the commission of the crime
E-Crime
• Examples of credit card security breaches
– TJX
– CardSystems Inc.
Figure 16.1
E-Crime
• Many types of E-Crime
– All incur costs to organizations or individuals
Figure 16.2
E-Crime
• Some common ways computers are attacked
– Virus: a small unit of code embedded in a file or program that, when executed, replicates itself and may cause damage to infected computers
– Worm: a self-replicating program that spreads across networks on its own, without needing a host file or any user action
– Trojan horse: a security-breaking program that is disguised as a legitimate program
– Logic bomb: a program, or code within a system, that takes action when a certain event occurs
– Denial of service attack: occurs when a large number of messages are sent to a target computer simultaneously with the purpose of disrupting the capability of the target
E-Crime
• Other techniques used in E-Crime:
– Phishing: the solicitation of sensitive personal information from users, commonly through email or instant messages that impersonate a trusted party
– Spoofing: the use of a fraudulent Web site that mimics a legitimate one; often used in conjunction with phishing
E-Crime
• Hacker vs. Cracker
– Hacker: an individual with no malicious intent who attacks computer systems for the purpose of highlighting security vulnerabilities
– Cracker: an individual who attacks computer systems to intentionally steal information or cause harm
E-Crime
• All managers responsible for security compliance should have an understanding of the basics of security technology
Security Basics (Figure 16.4)
• Firewalls and proxy servers
• Encryption and VPNs
• Identity and Access Management (IAM) systems
• Content-filtering tools
• Penetration-testing tools
Information Risk Management
• Steps in Risk Management
– Determine the organization’s information assets and their values
– Decide how long the organization can function without specific information assets
– Develop and implement security procedures to protect these information assets
Information Risk Management
• Steps in Risk Management
– Determine the organization’s information assets and their values
– Example:
• One organization determined that corporate information found on employee laptops is an important asset
• The organization estimates that a loss of the information on a single laptop may cost $50,000 on average
Information Risk Management
• The expected annual loss due to a vulnerability is calculated with the following formula:
Annualized Expected Losses (AEL) = Single Loss Expectancy (SLE) × Annual Occurrence Rate (AOR)
Information Risk Management
• Quantitative example:
– Losing the corporate data from a single laptop has an estimated value of $50,000 (the SLE)
– The corporation identified three occurrences in the last two years where a laptop had been lost
• This is an Annual Occurrence Rate (AOR) of 3 ÷ 2 = 1.5
AEL = SLE × AOR
Information Risk Management
• Quantitative example:
– Therefore, the Annualized Expected Losses (AEL) amount to $75,000
AEL = SLE × AOR
$75,000 = $50,000 × 1.5
Information Risk Management
• After performing a quantitative risk analysis, the Annualized Expected Losses (AEL) are used to perform a security cost-benefit analysis
• Security Cost-Benefit Analysis: a quantitative analysis IS managers may perform to examine the potential business benefits and the intervention costs involved with mitigating security risks
Information Risk Management
• Security Cost-Benefit Analysis
– Managers must estimate the costs of the actions performed to secure the information asset
– The Return Benefit from the actions can be estimated by the following formula:
Return Benefit = Annualized Expected Losses (AEL) − Annualized Cost of Actions
– This form assumes the action eliminates the expected loss entirely; if a control only reduces the loss, the benefit is the AEL before the control minus the AEL that remains after it, minus the annualized cost
Information Risk Management
• Security Cost-Benefit Analysis
– From the laptop example, the company estimates that adding strong encryption to the corporate data on the laptops will cost $100 per year for each of the 200 laptops in the company
– Overall, a $20,000 annualized cost for this intervention would be realized
Return Benefit = AEL − Annualized Cost of Actions
Information Risk Management
• Security Cost-Benefit Analysis
– After performing the analysis, we find that this action has an estimated return benefit of $55,000 per year
Return Benefit = AEL − Annualized Cost of Actions
$55,000 = $75,000 − $20,000
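The laptop calculation above, carried through in code as an added example that is not part of the original slides. It uses the deck's own terms (SLE, AOR, AEL, Return Benefit) and its figures ($50,000 per laptop, three losses in two years, $100 per year for each of 200 laptops), and goes one step beyond the slides: the `residual_fraction` parameter on `Control`, the `rank_controls` helper, and the alternative controls compared in the usage section are assumptions introduced here to show how the same formula ranks several candidate actions when a control reduces rather than eliminates the loss.

```python
"""Annualized expected loss and security cost-benefit calculations.

Added worked example for the risk-management slides; it is not code from the
original deck. It keeps the deck's terms (SLE, AOR, AEL, Return Benefit) and
its laptop figures, and generalizes the Return Benefit formula with a
residual_fraction parameter that is an assumption introduced here.
"""
from __future__ import annotations

from dataclasses import dataclass


def annual_occurrence_rate(incidents: int, years: float) -> float:
    """AOR: observed incidents per year (3 lost laptops in 2 years -> 1.5)."""
    if years <= 0:
        raise ValueError("observation window must be positive")
    return incidents / years


def annualized_expected_losses(sle: float, aor: float) -> float:
    """AEL = SLE x AOR, the deck's formula ($50,000 x 1.5 = $75,000)."""
    return sle * aor


@dataclass(frozen=True)
class Control:
    """A candidate security action and its annualized cost.

    residual_fraction is the share of the AEL that remains after the control
    is in place (0.0 = loss eliminated, as the slides assume; 1.0 = no effect).
    This parameter is an assumption added for the example.
    """
    name: str
    annual_cost: float
    residual_fraction: float

    def return_benefit(self, ael_before: float) -> float:
        """Return Benefit = (AEL before - AEL after) - Annualized Cost of Actions.

        With residual_fraction == 0.0 this reduces to the deck's formula,
        AEL - Annualized Cost of Actions.
        """
        if not 0.0 <= self.residual_fraction <= 1.0:
            raise ValueError("residual_fraction must be between 0 and 1")
        ael_after = ael_before * self.residual_fraction
        return (ael_before - ael_after) - self.annual_cost


def laptop_example() -> dict[str, float]:
    """Reproduce the deck's laptop numbers: $50,000 SLE, 3 losses in 2 years,
    strong encryption at $100/year on each of 200 laptops."""
    sle = 50_000.0
    aor = annual_occurrence_rate(incidents=3, years=2)
    ael = annualized_expected_losses(sle, aor)
    encryption = Control("strong encryption on 200 laptops",
                         annual_cost=100.0 * 200, residual_fraction=0.0)
    return {"aor": aor, "ael": ael,
            "return_benefit": encryption.return_benefit(ael)}


def rank_controls(ael_before: float, controls: list[Control]) -> list[tuple[str, float]]:
    """Order candidate controls by return benefit, highest first, so a manager
    can see which intervention buys the most risk reduction for its cost."""
    scored = [(c.name, c.return_benefit(ael_before)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    figures = laptop_example()
    print(f"AOR = {figures['aor']}, AEL = ${figures['ael']:,.0f}, "
          f"Return Benefit = ${figures['return_benefit']:,.0f}")
    # Constructed alternatives (assumed costs and residual fractions) compared
    # against the deck's encryption option.
    candidates = [
        Control("strong encryption on 200 laptops", 20_000.0, 0.0),
        Control("remote-wipe service", 5_000.0, 0.5),
        Control("accept the risk", 0.0, 1.0),
    ]
    for name, benefit in rank_controls(figures["ael"], candidates):
        print(f"{name}: ${benefit:,.0f}/year")
```

Running the script reproduces the slides' $75,000 AEL and $55,000 return benefit, then ranks the assumed alternatives; a control whose return benefit is negative costs more per year than the loss it prevents and would not pass the cost-benefit test.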
Compliance with Current Security Laws
• Legal and Regulatory Environment
– Impacts information security practices
Figure 16.7
Compliance with Current Security Laws
• Sarbanes-Oxley Act of 2002 (SOX)
– Created as a response to the accounting scandals at Enron, Tyco, WorldCom, and others
– Applies to publicly traded US companies
Compliance with Current Security Laws
• Sarbanes-Oxley Act of 2002 (SOX)
"Sarbanes is the most sweeping legislation to affect publicly traded companies since the reforms during the Great Depression"
- Gartner Analyst John Bace
Compliance with Current Security Laws
• SOX affects IS leaders in two major ways:
– Records retention
• The act states that companies must retain electronic communication such as email and instant messaging for a period of at least five years
– IT audit controls
• Officers must certify that they are responsible for establishing and maintaining internal controls
Compliance with Current Security Laws
• Section 404 of SOX requires management to assess its internal controls over financial reporting using a recognized internal control framework such as COSO
• COSO: a framework for management and auditors to use when assessing internal controls, created by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Compliance with Current Security Laws
• Internal controls are assurance processes
• COSO definition of internal control: “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations”
Compliance with Current Security Laws
• The COSO framework contains five interrelated components:
– Control Environment
– Risk Assessment
– Control Activities
– Information and Communication
– Monitoring
Compliance with Current Security Laws
• Gramm-Leach-Bliley Act of 1999 (GLBA)
– Mandates that financial institutions protect the confidentiality and security of their customers’ nonpublic personal financial information
– The act gives federal agencies and states the authority to enforce the following rules:
• Financial Privacy Rule
• Safeguards Rule
Compliance with Current Security Laws
• Gramm-Leach-Bliley Act of 1999 (GLBA)
– Financial Privacy Rule
• Requires financial institutions to provide customers with privacy notices
• Organizations must clearly state their privacy policies when establishing relationships with customers
• Organizations cannot disclose nonpublic personal information to nonaffiliated third parties unless customers have been given notice and an opportunity to opt out
Compliance with Current Security Laws
• Gramm-Leach-Bliley Act of 1999 (GLBA)
– Safeguards Rule
• Organizations must have a written information security plan in place to protect customers’ nonpublic personal information
Compliance with Current Security Laws
• Health Insurance Portability and Accountability Act (HIPAA)
– HIPAA requires covered organizations to secure nonpublic confidential medical information (protected health information)
– Noncompliance can lead to serious penalties and fines
Compliance with Current Security Laws
• Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT)
– Commonly called the PATRIOT Act
– Gives the US government greater ability to access information
– Victims of computer hacking can now request law enforcement assistance, including authorizing law enforcement to monitor the intruder’s communications on their systems
Compliance with Current Security Laws
• California Information Practices Act (Senate Bill 1386)
– In the past, companies have often been silent when information theft occurred
– This act requires organizations that store nonpublic personal information on California residents to notify affected residents of a breach of that information in the most expedient time possible and without unreasonable delay
– Noncompliance may lead to civil liability, including lawsuits by affected customers
32
Developing an Information Security Policy
• Information Security Policy
– A written document describing what is, and is not,
permissible use of information in the organization,
and the consequences for violating the policy
– Required by many regulations (e.g., SOX)
– Often required to obtain insurance coverage
• Who should develop the security policy?
– Representatives of all affected user groups and
stakeholders
– The policy must have the support of the managers
who will train users on it and enforce it
– The committee that develops the policy should meet
regularly to ensure that it still meets the
organization's needs and satisfies current
regulations
• What should be in the policy?
– Common topics
• Access control policies
• External access policies
• User and physical security policies
– Example policies
• The SANS Institute publishes templates for many
policy types
• The policy should be proportionate to the
organization's estimated risks
• It should be revised promptly when new situations
arise that affect security
• Organizations should make it easy for employees
to find the most recent version of the policy
Planning for Business Continuity
• Business Continuity Planning (BCP)
– Putting specific plans in place to ensure that
employees and business processes can continue
when faced with any major unanticipated disruption
– More than simple disaster recovery: it covers people
and processes, not only the restoration of IT systems
– When an organization cannot resume operations in a
reasonable time frame, the result is business failure
• McNurlin & Sprague identified the following
components of BCP that were often
overlooked before the 9/11 terrorist attacks:
– Alternate workspaces for people, with working
computers and phone lines
– Backup IT sites that are not too close (so that one
event cannot take out both sites) but not too far away
– Up-to-date evacuation plans that everyone knows
and has practiced
– Backed-up laptops and departmental servers,
because a lot of corporate information is housed
on these machines rather than in the data center
– Helping people cope with a disaster by having
easily accessible phone lists, e-mail lists, and even
instant-messenger lists so that people can
communicate with loved ones and colleagues
• Creating a BCP begins with a business impact
analysis (BIA), which has the following steps:
1. Define the critical business processes and
departments
2. Identify the interdependencies between them
3. Examine all possible disruptions to these
processes and the systems that support them
4. Gather quantitative and qualitative information
on these threats
5. Provide remedies for restoring systems
• Disruptions are usually ranked by how quickly the
affected process must be restored:
– Critical: less than 12 hours
– Urgent: 24 hours
– Important: 72 hours
– Normal: 7 days
– Lower priority: 30 days
• Electronic Records Management (ERM)
– Covers the retention of important digital
documents (records) for as long as they are needed
– Grew out of the need to satisfy regulations such as
SOX and HIPAA
– May require a centralized approach so that records
are found, retained and disposed of consistently
– The e-discovery amendments to the Federal Rules of
Civil Procedure (2006), which set out how
electronically stored information must be preserved
and produced in litigation, make ERM even more
important
– ERM managers are responsible for the following:
• Defining what constitutes an electronic record
• Analyzing the current business environment and
developing appropriate ERM policies
• Classifying specific records based upon their
importance, regulatory requirements, and retention
period
• Authenticating records by maintaining accurate logs
and procedures to prove that these are the actual
records and that they have not been altered
• Managing policy compliance
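One concrete technique behind the "authenticating records" responsibility above is to make the record store tamper-evident. The Python below is an added example, not code from these slides or from any ERM product: it hashes each record and chains the entry hashes, so that altering, deleting or reordering a record breaks the chain and verification reports where. The records in SAMPLE_RECORDS are constructed for the example and the function names are hypothetical.

```python
"""Tamper-evident record log (added example, not from the slides).

Each record gets a SHA-256 digest; each log entry also commits to the
previous entry's hash, forming a hash chain whose head can be anchored
(signed, stored write-once, or handed to the auditor).
"""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records; ids and contents are hypothetical.
SAMPLE_RECORDS = [
    {"id": "INV-1001", "type": "invoice",  "body": "Consulting services, 40h, USD 6000"},
    {"id": "CTR-0007", "type": "contract", "body": "Master services agreement v2"},
    {"id": "EML-5531", "type": "email",    "body": "Re: Q3 audit request, ledger attached"},
]

GENESIS = "0" * 64  # prev_hash of the very first entry


@dataclass
class LogEntry:
    seq: int           # position in the log
    record_id: str
    record_hash: str   # SHA-256 of the canonical record content
    prev_hash: str     # entry_hash of the previous entry (the chain link)
    entry_hash: str    # SHA-256 over seq, record_id, record_hash, prev_hash


def record_digest(record: dict) -> str:
    # Canonical JSON so key order or whitespace cannot change the hash.
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def _entry_digest(seq: int, record_id: str, record_hash: str, prev_hash: str) -> str:
    material = f"{seq}|{record_id}|{record_hash}|{prev_hash}".encode()
    return hashlib.sha256(material).hexdigest()


def build_log(records: List[dict]) -> List[LogEntry]:
    """Create the chained log for a list of records, in order."""
    log: List[LogEntry] = []
    prev = GENESIS
    for seq, rec in enumerate(records):
        rh = record_digest(rec)
        eh = _entry_digest(seq, rec["id"], rh, prev)
        log.append(LogEntry(seq, rec["id"], rh, prev, eh))
        prev = eh
    return log


def chain_head(log: List[LogEntry]) -> str:
    """The value to anchor outside the records custodian's control."""
    return log[-1].entry_hash if log else GENESIS


def verify(records: List[dict], log: List[LogEntry]) -> Optional[int]:
    """Return None if every record matches its entry and the chain is
    intact; otherwise the index of the first entry that fails."""
    if len(records) != len(log):
        return min(len(records), len(log))  # truncated or padded
    prev = GENESIS
    for seq, (rec, entry) in enumerate(zip(records, log)):
        if entry.seq != seq or entry.prev_hash != prev:
            return seq  # reordered, or an entry was rewritten upstream
        if entry.record_id != rec.get("id") or entry.record_hash != record_digest(rec):
            return seq  # record content differs from what was logged
        if entry.entry_hash != _entry_digest(seq, entry.record_id, entry.record_hash, prev):
            return seq  # the log entry itself was edited
        prev = entry.entry_hash
    return None


def head_matches(log: List[LogEntry], expected_head: str) -> bool:
    """Catches an attacker who rewrote the records AND rebuilt the chain."""
    return chain_head(log) == expected_head


def demo() -> Optional[int]:
    log = build_log(SAMPLE_RECORDS)
    assert verify(SAMPLE_RECORDS, log) is None
    tampered = [dict(r) for r in SAMPLE_RECORDS]
    tampered[1]["body"] = "Master services agreement v3"  # silent edit
    return verify(tampered, log)  # -> 1


if __name__ == "__main__":
    print("first failing entry:", demo())
```

The chain only proves consistency with its head hash: someone who can rewrite both the records and the log simply rebuilds the chain, which is why chain_head() must be anchored where the custodian cannot change it and compared with head_matches() at audit time. In production the head would be signed or kept in a write-once store rather than compared from memory.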
– Managers must realize that businesses may be
legally liable for what their employees say and do
when communicating electronically
– Electronic corporate information may reside on
computers outside the company (e.g. e-mail cached
on a recipient's or provider's machine), so it can
still be discovered after the company deletes its copy
The Chief Information Security Officer Role
• With increasing pressure to comply with laws
and regulations, many companies have added
a chief information security officer (CISO) to
their organization
• The CISO is responsible for monitoring information
security risks and developing strategies to
mitigate those risks
• As it is impossible to eliminate all risk, the
CISO must balance the trade-off between the
remaining risk and the cost of reducing it: more
spending on prevention lowers the residual risk,
but each further reduction costs more than the last
[Figure: cost of prevention plotted against risk]