Do you have government contracts or are you looking to broaden your portfolio? Aggravated by acronyms like FISMA, DFARS or NIST? A new class of data, Controlled Unclassified Information (CUI), was defined in 2015 to add to the list of acronyms, and as of January 1, 2018 its protection will be an integral piece of government contracts. In this session we'll cover the three steps to becoming compliant and give an overview of the technologies required.
Presentation to Nov 2015 "Chicago Security Intelligence with SIEM" meetup.
Overview of SIEM as part of Continuous Monitoring in the NIST CyberSecurity framework.
This infocast introduces four professional designations related to IT governance that are the most prevalent and recognized in today's corporate world. Each of these certifications is discussed with respect to its discipline and knowledge area, and the value it creates for employers is analyzed.
From Target to Equifax, we're learning just how expensive data breaches can be. And the cost isn't just financial - it's a hit to reputation as well. Learn how to avoid putting your organization at risk by identifying the three pitfalls of data security...and how to navigate around them.
Presentation given by Arvind Mehrotra, Designation - Executive Vice President & Head – Global Strategic Initiatives, NIIT Technologies Ltd. on August 3rd, 2011 at eWorld Forum (www.eworldforum.net) in the session Information Management and Security
The Consensus Audit Guidelines (CAG) provide critical U.S. Federal government infrastructures with a proactive cyber-security framework to prioritize critical IT security concerns. The goal of applying CAG is not simply to become compliant with regulations, but rather to provide a template for making security best practices an integral part of system design and operation so that Federal agencies can ensure their systems are capable of withstanding the more frequent and in-depth attacks found in an increasingly complex threat landscape. This compliance guide will provide readers with an overview of the requirements as well as suggested steps in achieving CAG compliance.
Learn about the mandate for NIST Special Publication 800-171 and the upcoming deadline for compliance of December 31, 2017. Get answers to questions such as: what is NIST, who needs to comply, what are the requirements, and how do I know if I’m already compliant?
All government agencies, government contractors, and organizations that exchange data directly with government systems must be FISMA compliant. This may include such diverse entities as data clearinghouses, state government departments, and government military subcontractors if data is exchanged directly with Federal government systems. Coverage may expand to include public and private sector entities that utilize, manage, or run critical infrastructures if FISMA security controls are combined with the Consensus Audit Guidelines as part of the new U.S. Information and Communications Enhancement (ICE) Act.
MobileIron shares the benefits of using Tripwire's File Integrity Monitoring solution in their environment, and the "Golden Rules" for building an effective enterprise information security program.
A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security - Tripwire
Too often, organizations purchase SIEM and log management solutions to check a compliance checkbox. These organizations miss a huge opportunity to improve security while meeting compliance requirements. In this white paper, security and compliance expert Dr. Anton Chuvakin explains how to take advantage of this opportunity.
Whitepaper here: http://www.tripwire.com/register/a-pragmatic-approach-to-siem-buy-for-compliance-use-for-security/
Achieving Effective IT Security with Continuous ISO 27001 Compliance - Tripwire
The Tripwire Enterprise solution provides organizations with powerful configuration control through its configuration assessment and change auditing capabilities. In this white paper, learn how, with Tripwire Enterprise, organizations can quickly achieve IT configuration integrity by proactively assessing how their current configurations measure up to the specifications given in ISO 27001. This provides immediate visibility into the state of their systems and, by automating the process, saves time and effort over manual efforts.
White Paper here: http://www.tripwire.com/register/effective-security-with-a-continuous-approach-to-iso-27001-compliance/
Application Security Best Practices Framework - Sujata Raskar
“Making web applications safe is in the best interest of all organizations and the general economy. Providing a clearly defined set of web application security best practices will advance security professionals’ ability to anticipate and rapidly address potential threats to their enterprise.” -Yuval Ben-Itzhak, CTO and Co-Founder KaVaDo
ControlCase discusses the following:
• About the different Regulations
• Components for Continuous Compliance Monitoring within IT Standards/Regulations
• Recurrence Frequency and Calendar
• Challenges in Continuous Compliance Monitoring
GDPR vs ISO
The similarities in Privileged Access Management (PAM) requirements
This mapping table aims to highlight the similarities in Privileged Access Management (PAM) requirements that exist between the General Data Protection Regulation (GDPR) and the international standard ISO/IEC 27001:2013. It should help readers understand how a ubiquitous privileged access management solution can be used to answer several compliance regulations without disrupting users' and administrators' daily activities. This mapping table distinguishes the direct and indirect values brought by PAM to help companies comply with both these regulations.
Security Risk Management: or how to mitigate and manage data risks ... - festival ICT 2016
Security Risk Management: or how to mitigate and manage data risks through managed services. - by Hitachi Systems - festival ICT 2015
Speaker: Denis Cassinerio
Security Business Unit Director at Hitachi Systems CBT
The Cloud is both compelling and alluring, offering benefits that entice many organizations into rapid adoption. But caution should be taken. Leveraging cloud technologies can offer tremendous opportunities, with the caveat of potentially introducing new security problems and business risks. Presented are strategic recommendations for cloud adoption to a community of application and infrastructure developers.
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft (OSIsoft, LLC)
As the need for facility equipment and asset data grows, serious cybersecurity risks are revealed, including inadequate security architecture, a lack of processes and controls, and the use of contractors and vendors. We need to be able to identify risks and develop a mitigation strategy. This presentation will provide insights, answers and tips. It will identify the value of IT/OT integration in solving facilities cybersecurity threats.
Agenda
Introduction
Administrative Controls
Physical Controls
Technical Controls
Security Policies
Legislation/Regulations or industry standards
Network Security Tools
Conclusion
7/28/19
Emerging Threats and Counter Measures (ITS-834-23)
1
1. Introduction (Swapna Mallireddy)
Business transactions have been made easier through IT, and technology has also made it possible for people to infiltrate organizations and steal their secrets.
Data security is important because any form of data breach may lead to serious consequences such as data loss.
To mitigate possible threats such as unauthorized use and deletion of data, service-provider checks through a third party and controlling employees' data access based on project role and position are needed.
Though hardware and software are expensive, they are the best way to counter these attacks.
Solomon's business should control virtual users who use remote access, as it increases the chances of cyber attacks. To minimize this, educate employees on how attacks happen and the right measures to take in case of an attack.
All devices should be kept up to date, with all safety measures in place, such as updated antivirus.
Appropriate access rights must be granted for access to the data to ensure effective data protection.
To minimize the chances of password cracking, use strong passwords and change them often, making them harder for hackers to crack.
Protection has, therefore, become a necessity for any organization.
2. Administrative Control (Harshavardhan Dasara)
Updating its Windows and operating systems: using outdated operating systems and Windows versions exposes Solomon's business to serious data breach threats.
First, there is no more support from the provider, meaning the systems are much more exposed to hacking and other data breaches; second, it faces a lot of compatibility issues.
This can be achieved by establishing access rights so that only the right person is able to access certain data from the organization.
To minimize the chances of cyber-attacks, the organization should educate its employees about cyber-attacks in terms of how they happen and the right measures to take in case of an attack.
3. Physical Controls (Vikram Goud)
CCTV
Biometric
Motion Sensors
Security Alarms
Guards
4. Technical Controls (Kalyan Koppolu)
The classic model of information security defines three objectives:
Confidentiality
Integrity
Availability
Tools
Authentication
Access control
Encryption
Password security
Backups
Firewalls
Intrusion Detection System (IDS)
5. Security Policies (Vijay Cherukupalli)
Three main types of policies exist:
Organizational (or Master) Policy.
System- ...
Federal Webinar: Best Practices and Tools for Reducing Insider Threats - SolarWinds
Our presenter discussed and demonstrated best practices to help detect and combat insider threats, including information about implementing the right tools, along with continuous monitoring of systems and networks to aid in mitigation and prevention. Monitoring data can help agencies make informed decisions, safeguard against insider threats, and quickly identify and fix vulnerabilities. He also suggested ideas that we believe will help to enforce good information security habits within your organization to help improve your agency’s security posture.
During this interactive webinar, attendees learned:
How event monitoring, performance monitoring, and log management can be utilized to help detect and prevent threats, and help ensure that devices are operating and being used properly
How configuration management can be leveraged to help prevent errors and reduce vulnerabilities
How the implementation of Security Incident and Event Management (SIEM) tools can better equip agencies to quickly detect and respond to security threats
How to track devices and users on your network, and maintain historic data for forensics
Ideas about building security into your IT community with daily activities and conversations
How an approach styled after a secure development lifecycle can lead to improved security practices
Defending Critical Infrastructure Against Cyber Attacks - Tripwire
In our increasingly connected world, networks of machines help critical infrastructure run more efficiently and prevent downtime. However, systems which were once isolated are now being exposed to digital security threats that operators never considered.
Joseph Blankenship of Forrester Research and Gabe Authier of Tripwire discuss the evolving threat landscape and how we can protect these critical assets from cyber threats.
Topics covered include:
-Examples of some of the most recent cyber-attacks to critical infrastructure
-Why traditional IT security approaches won't work
-Recommended approaches for securing critical infrastructure
This is the eighth chapter of the Cisco Cyber Security Essentials course, which discusses safeguarding the cyber security domains and the steps to become a cyber security professional.
A Practical Data Privacy and Security Approach to FFIEC, GDPR and CCPA - Ulf Mattsson
With sensitive data residing everywhere, organizations becoming more mobile, and the breach epidemic growing, the need for advanced data privacy and security solutions has become even more critical. French regulators cited GDPR in fining Google $57 million and the U.K.'s Information Commissioner's Office is seeking a $230 million fine against British Airways and seeking $124 million from Marriott. Facebook is setting aside $3 billion to cover the costs of a privacy investigation launched by US regulators.
This session will take a practical approach to address guidance and standards from the Federal Financial Institutions Examination Council (FFIEC), EU GDPR, California CCPA, NIST Risk Management Framework, COBIT and the ISO 31000 Risk management Principles and Guidelines.
Learn how new data privacy and security techniques can help with compliance and data breaches, on-premises, and in public and private clouds.
[Webinar] Supercharging Security with Behavioral Analytics - Interset
In this presentation, special guest Joseph Blankenship, principal analyst at Forrester, joined Interset CTO Stephan Jou and Security Strategist Paul Reid for a discussion on how to practically and effectively boost the IQ of your security arsenal with behavioral analytics so you can find threats faster than ever.
Learn more at Interset.AI
GDPR and NIS Compliance - How HyTrust Can Help - Jason Lackey
GDPR (EU 2016/679) and NIS are intended to strengthen data protection for people in the EU, replacing Directive 95/46/EC. Learn how HyTrust can help with compliance.
Proactive Risk Management and Compliance in a World of Digital Disruption - Mike Wons
Is the CISO the new CEO? "Proactive Risk Management and Compliance in a World of Digital Disruption", presented at the annual Information Technology Security and Audit (CACS) event in Chicago...as GDPR becomes a reality!
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx - christiandean12115
ISE 510 Final Project Scenario Background: Limetree Inc. is a research and development firm that engages in multiple research projects with the federal government and private corporations in the areas of healthcare, biotechnology, and other cutting-edge industries. It has been experiencing major growth in recent years, but there is also a concern that information security lapses are becoming rampant as the company grows. Limetree Inc. is working to establish a strong reputation in the industry, and it views a robust information security program as part of the means to achieving its goal. The company looks to monitor and remain compliant with any regulation impacting its operations.
Limetree Inc. recently experienced a security breach; it believes confidential company data has been stolen, including personal health information (PHI) used in a research study. Limetree Inc. believes the breach may have occurred because of some security vulnerabilities within its system and processes.
Limetree Inc.’s virtual environment is presented in the Agent Surefire: InfoSec educational video game. The rest of the environment is presented via an interview with the security manager, Jack Sterling.
Highlight of Interview with Jack Sterling
Interview with Jack Sterling revealed the following about Limetree Inc.’s system and processes:
Hardware/Software:
Desktop Apps: Internet Explorer, Firefox, Google Chrome, MS Office, Adobe Flash, Adobe Acrobat
Applications/Databases:
Browser – Browser in use is Internet Explorer and browser security setting was set to low. Browsers allow remote installation of applets, and there is no standard browser for the environment.
Virus Software – McAfee is deployed locally on each user's machine, and users are mandated to update their virus policy every month.
SQL Database – Ordinary users can escalate privilege via SQL Agent. Disk space for SQL database log is small and is overwritten with new information when it is full. Limetree Inc. is not using any encryption for sensitive data at rest within the SQL server environment.
Network:
The network comprises the following: three web/applications servers, three email servers, five file and printer servers, two proxy servers, seven remotely manageable Cisco switches, 250 desktops, three firewall devices, one gateway (router) device to the internet, and three wireless access points.
Configuration Highlights:
Wireless – Wireless network is available with clearly advertised SSID, and it is part of the local area network (LAN). There is no segmentation or authentication between the wireless and wired LAN. Visitors are provided access code to the wireless network at the front desk to use the internet while they wait to be attended to.
Managed switches – There is no logging of network activities on any of the switches.
Web server – Public-facing web server is part of the LAN. This is where internet users get needed information on the company. The web servers are running the f.
Data Centric Security Key to Digital Business Success - Ulf Mattsson - Bright... - Ulf Mattsson
With the exponential growth of data generation and collection stemming from new business models fueled by Big Data, cloud computing and the Internet of Things, we are potentially creating a cybercriminal's paradise where there are more opportunities than ever for that data to end up in the wrong hands. The biggest challenge in this interconnected world is merging data security with data value and productivity. If we are to realize the benefits promised by these new ways of doing business, we urgently need a data-centric strategy to protect the sensitive data flowing through these digital business systems. In this webinar, Ulf Mattsson explores these issues and provides solutions to bring together data insight and security to safely unlock the power of digital business.
GrowFL: Improve Employee and Customer Experience in a Hybrid Work Environment - Adam Levithan
It is a time of transition as organizations not only balance working remotely and in-office, but their clients also want a combination of in-person and remote experiences. How does a growing organization manage productivity and collaboration while providing continued customer service in this scenario? The answer is automation, allowing you to utilize your human capital to its optimum. Join us as Adam Levithan, Principal of Product Management at Withum and a Microsoft MVP, walks through the process and the options readily available to your business.
What's New in Stream - Victoria Office 365 Users Group 11/2020 - Adam Levithan
What's new and on the roadmap for Stream within Microsoft 365: the improvements of storing documents within SharePoint and OneDrive, security, convenience, and external sharing. Presented to the Victoria Office 365 User Group.
SP Summit - SharePoint as the Gateway to Microsoft 365 - Adam Levithan
Join Microsoft MVP Adam Levithan as he discusses how to increase user adoption and organizational efficiency by leveraging SharePoint as your gateway into Office 365 – enabling employees to maximize productivity, keep organized, and easily collaborate with their peers. During this webinar, you will learn how to leverage SharePoint to:
Provide a bridge between on-premises and cloud environments while improving Office 365 adoption.
Ensure content is accessible whenever and wherever your users need it, without compromising your information security.
Personalize the employee experience, keeping them engaged with your organization and with each other.
Best Practices for Effective Remote Work - Microsoft 365 - Adam Levithan
After working over 10 years remotely, we share best practices of keeping productive during this time of forced 'work from home'. Utilizing chat and video conference it is possible to keep the same culture and work levels as before.
Microsoft 365 Adoption Tips and Tricks - SharePoint and Microsoft Teams together - Adam Levithan
With special guest Mark Kashman, we discuss Microsoft 365 tips and tricks to meet people where they want to work: the Land of Knowledge (SharePoint) and the Hub of Teamwork (Teams). Withum announces a Teams web part where you can view conversations on a page, and a Microsoft Teams app where your intranet can live within Teams.
SharePoint 2019 in Context: What this New Release Will Mean to You - Adam Levithan
Presented at SharePoint Saturday Twin Cities April 6, 2019
There was mystery surrounding a release after 2016, but it was confirmed at Microsoft Ignite 2017 that a series of servers would be released in 2019. The main theme continues to be "Born from the Cloud", with a set of features coming directly from Office 365. Having lived through the SharePoint 2019 TAP program, Jill and Adam will review the available features and the evolving roadmap of SharePoint. Whether you're a decision maker, developer, IT Pro, or power user, we will discuss how SharePoint 2019 is continuing an on-premises paradigm shift. During this session we will propose what you lose, what you gain, and strategies to decide whether or not SharePoint Server 2019 is right for you.
Top 8 Must Haves for Your Office 365 Intranet - Adam Levithan
You’re all in. Whether you just have Office 365 – or the whole suite of Microsoft 365: Windows 10, Office 365, Enterprise Mobility + Security, you’re likely using an intranet built on Office 365, or are planning on it. Over the last 15 years we’ve seen what employees MUST HAVE to continually rely on a corporate Intranet.
In this session, Microsoft MVP, Adam Levithan, discusses the most important pieces that your Intranet can have to build culture, centralize knowledge and help employees be productive.
Mobility, flexibility, Content Creation & Internal Collaboration rely on an individual’s ability to access and share their content from anywhere at any time. OneDrive for Business is the solution provided by Office 365, and mobile apps, to meet these unwavering end-user goals. However, there are dependencies on Operating system features and a balance to meet the expectations of the end-user while ensuring the need of IT security & compliance. In this session we'll take a look at the key considerations when building your adoption plan of OneDrive, migration methods for moving your end-users' content, how to manage the content as users join and leave your organization.
Office 365 Turns 5! Does Modern Equal Mature? (Adam Levithan)
This year Office 365 turns 5. Has it really been that long? Never before in our technical language has one word, "Modern", taken on so many different meanings! Starting in 2013, Office 365 took on the basic form we know today. Through these 5 years Office 365 has seen many changes, with one of the latest being Modern pages, sites, framework etc. Yes, Modern is not only about look and feel but about how Office 365 is being built and how it can simplify how your employees collaborate and communicate.
In this session, Microsoft MVP Adam Levithan looks at the major differences between classic and modern experiences, what modern means to an everyday employee, and the future roadmap of Office 365 features.
SharePoint 2019 in Context: What this New Release Will Mean to You (Adam Levithan)
It was questionable if there’d be another on-premises release of SharePoint after 2016, but here it is, and Microsoft’s renewed commitment to on-premises is keeping it relevant for organizations. If your strategy is to remain on-premises, what does the SharePoint 2019 release mean to you? The main theme continues to be "Born from the Cloud" with a set of features coming directly from Office 365. Living through the SharePoint 2019 TAP program, Jill and Adam will review the available features and the evolving roadmap of SharePoint. Whether you're a decision maker, developer, IT Pro, or power user, we will discuss how SharePoint 2019 is continuing an on-premises paradigm shift. During this session we will propose what you lose, what you gain, and strategies to decide whether or not SharePoint Server 2019 is right for you.
History of Content Security: Take 2 - ShareCloudSummit Houston (Adam Levithan)
We're currently living Take 1 of the Content Security Journey, and now we've reached a critical juncture where technologies have evolved to support Take 2. Our journey to reach a secure digital workplace includes understanding users, their roles, what devices they're working on, and how to protect that content at rest and in flight across the network. Based on real-life use cases in the Aerospace & Defense and Life Sciences industries, you will walk away with an understanding of the technologies available to you, and a clear way to communicate with business stakeholders.
Office 365 Turns 5: Does "Modern" Equal Mature? (Adam Levithan)
This year Office 365 turns 5. Has it really been that long? Never before in our technical language has one word, "Modern", taken on so many different meanings!
Starting in 2013, Office 365 took on the basic form we know today. Through these 5 years Office 365 has seen many changes, with one of the latest being Modern pages, sites, framework etc. Yes, Modern is not only about look and feel but about how Office 365 is being built and how it can simplify how your employees collaborate and communicate.
Join Adam Levithan, Microsoft MVP, and a guest speaker as they look at:
- Major differences between Classic vs. Modern experiences
- What modern means to an everyday employee
- Future roadmap of Office 365 features
Importance of Identity Management in Security - Microsoft Tech Tour @Towson (Adam Levithan)
The evolution of cybersecurity is complete, and no longer is the outer perimeter the key to successful system security. Identity and Access Management is the new key to your success. Here is a model for talking to anyone about security and why identity is the new area to focus on.
SpTechCon OneDrive Success Part 1: Planning the Leap to the Cloud (Adam Levithan)
Moving your employees' personal files to OneDrive for Business sounds like a great idea. Reducing the storage overhead and access from anywhere on any device are great benefits. However, there's a lot of content to move, and each individual relies on their personal files in a different way. In this session, Adam Levithan (MVP) will discuss the 5 key areas that assist in overcoming common OneDrive for Business deployment obstacles.
We will cover:
• Analysis of current personal files usage
• Options for data migration
• Technical preparation for synchronization
• Adoption and user engagement
• Best practices for long-term operation
SPTechCon - Securing Your SharePoint & OneDrive Online Configuration (Adam Levithan)
OneDrive for Business and SharePoint Online enable agile collaboration and increase the device and application flexibility for distributed users. This enables dramatically increased efficiency and multi-dimensional content sharing. But no two users are identical – so, however they share or collaborate, how confident are you in doing it without introducing risk into the organization? To ease your mind, and lower your risk, this session will focus on the security controls within SharePoint Online and ODB that can lower your heart rate.
Mobility, flexibility, content creation and internal collaboration rely on an individual's ability to access and share their content from anywhere at any time. OneDrive for Business is the solution provided by Office 365, and its mobile apps, to meet these unwavering end-user goals. However, there are still questions about whether the current solution meets the expectations of the end-user while balancing the need for IT governance. In this session we'll take a look at the key considerations when building your adoption plan for OneDrive, migration methods for moving your end-users' content, and how to manage the content as users join and leave your organization.
Office 365 Groups? Microsoft Teams? … Confused? Here's some help. (Adam Levithan)
With the recent launch of Microsoft Teams, you now have more apps than ever to improve team collaboration. So, which one do you choose?
The great thing about Office 365 is all of the apps that are available to be productive. The bad thing about Office 365 is that just as you get used to one, a new app arrives. On top of these choices, you also have other collaboration apps like Slack. Reserve your spot on this webinar to learn more about many of the apps teams are finding useful, which Microsoft apps are good in which situations, and which will help your organization collaborate more productively.
We'll cover:
- The features within Office 365 Groups
- The features within Microsoft Teams and how they compare to Slack
- When to use which app
SharePoint Migration Series: Success Takes Three Actions (Adam Levithan)
Your successful migration to SharePoint 2016 takes three actions: analysis, optimization and planning. It also takes a lot of questions that require answers. What do you have? What do you move? What do you archive? What problems might occur? What do users expect? Identifying content sprawl, deciding what to archive, understanding potential security risks, ending performance issues and creating an environment that meets end-user expectations all require many questions that need good answers. In this session, you’ll learn what to ask and how to find answers:
- Understand your current environment
- Maximize SharePoint 2016 features
- Accurately plan your migration
- Reduce risk in your SharePoint migration
SharePoint 2016 Migration Success Takes Three Steps (Adam Levithan)
Your successful migration to SharePoint 2016 takes three actions: analysis, optimization and planning.
It also takes a lot of questions that require answers. What do you have? What do you move? What do you archive? What problems might occur? What do users expect? Identifying content sprawl, deciding what to archive, understanding potential security risks, ending performance issues and creating an environment that meets end-user expectations all require many questions that need good answers.
In this session, you’ll learn what to ask and how to find answers:
- Understand your current environment
- Maximize SharePoint 2016 features
- Accurately plan your migration
- Reduce risk in your SharePoint migration
With SP2016, IT Pros face the question: where does my content belong, Azure, O365, or on-premises?
We will examine a real-life scenario where an organization divided content across O365/SP2013 workloads, and how SP2016’s search, profile, and team sites could be used.
From business stakeholders and power users to IT Pros, this session will examine key considerations and technology that apply to setting up a hybrid Azure, SP2016/O365 environment.
Key benefits of attending this webinar:
- Overview of Hybrid SharePoint 2016 Features
- Understanding what hybrid choices are available in 2016 (the year)
- Learn a practical approach to dividing content
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor... (Neo4j)
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
The Art of the Pitch: WordPress Relationships and Sales (Laura Byrne)
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips and strategies for successful relationship building that leads to closing the deal.
How to Get CNIC Information System with Paksim Ga.pptx (danishmna97)
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
Epistemic Interaction - tuning interfaces to provide information for AI support (Alan Dix)
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
UiPath Test Automation using UiPath Test Suite series, part 6 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and OpenAI.
The UiPath Test Automation with generative AI and OpenAI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, as a test automation solution, with OpenAI's advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and OpenAI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Essentials of Automations: The Art of Triggers and Actions in FME (Safe Software)
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Enhancing adoption of Open Source Libraries. A case study on Albumentations.AI (Vladimir Iglovikov, Ph.D.)
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
Securing your Kubernetes cluster: a step-by-step guide to success! (KatiaHIMEUR1)
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024 (Neo4j)
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Removing Uninteresting Bytes in Software Fuzzing (Aftab Hussain)
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speed up fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- libxml's xmllint, a tool for parsing XML documents, and Binutils' readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format) files. Our preliminary results show that AFL+DIAR not only discovers new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
GraphRAG is All You need? LLM & Knowledge Graph (Guy Korland)
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 (Albert Hoitingh)
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview, including the concepts of Customer Key and Double Key Encryption.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0! (SOFTTECHHUB)
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
Agenda
- A little bit of Federal IT Security History
- Three Steps to Compliance in the Cloud for the non-security professional
- Office 365 & Azure through the lens of NIST 800-171 (On-Premises Too)
Copyright 2018 Exostar LLC | All Rights Reserved
FISMA
The Federal Information Security Management Act (FISMA) is a United States federal law passed in 2002 that made it a requirement for federal agencies to develop, document, and implement an information security and protection program.
FISMA
NIST 800-53
This publication provides a catalog of security and privacy controls for federal information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile attacks, natural disasters, structural failures, human errors, and privacy risks. The controls are flexible and customizable and implemented as part of an organization-wide process to manage risk. … Addressing both functionality and assurance ensures that information technology products and the information systems that rely on those products are sufficiently trustworthy.
Time Out – What’s a Security Control?
"Security controls are technical or administrative safeguards or countermeasures to avoid, counteract or minimize loss or unavailability due to threats acting on their matching vulnerability, i.e., security risk. Controls are referenced all the time in security, but they are rarely defined."
Stephen Northcutt, SANS Institute
https://www.sans.edu/cyber-research/security-laboratory/article/security-controls
NIST 800-53 Over Time (https://en.wikipedia.org/wiki/NIST_Special_Publication_800-53)
Third Revision
- A simplified, six-step risk management framework;
- Additional security controls and enhancements for advanced cyber threats;
- Organization-level security controls for managing information security programs;
Fourth Revision
- Insider threats;
- Software application security (including web applications);
- Social networking, mobile devices, and cloud computing;
Fifth Revision
- Making the security and privacy controls more outcome-based by changing the structure of the controls;
- Eliminating the term information system and replacing it with the term system so the controls can be applied to any type of system including, for example, general-purpose systems, cyber-physical systems, industrial/process control systems, and IoT devices;
- De-emphasizing the federal focus of the publication to encourage greater use by nonfederal organizations;
- Clarifying the relationship between security and privacy
FISMA
NIST 800-53 - High, Medium, Low
FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
FISMA
NIST 800-53 - High, Medium, Low
FedRAMP – High, Medium, Low
NIST 800-171
The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its assigned missions and business operations.
For Defense . . .
Defense Federal Acquisition Regulations Supplement (DFARS) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires contractors to implement NIST 800-171 to safeguard covered defense information that is processed or stored on their internal system or network.
Contractors self-attest to meeting these requirements.
To be NIST 800-171 compliant
100% Complete with Security Assessment
• Gap Analysis using NIST 800-171 controls (3.12.1)
• Plan of Action & Milestones (POA&M) (3.12.2)
• System Security Plan (SSP) (3.12.3)
Conduct Subcontractor Flow Down
Comply with Incident Reporting Requirement
Example Cloud Boundaries for NIST 800-171
Track Everything / Know Your Users / Protect Your Content
(Diagram: control families split between the On Premises and Cloud boundaries)
Documents on Endpoints - Control Families
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical Protection
- Personnel Security
- System and Communications Protection
- System and Information Integrity
Documents Stored in Cloud - Control Families
- Access Control
- Awareness and Training
- Audit and Accountability
- Incident Response
- Media Protection
- Personnel Security
- Risk Assessment
- Security Assessment
- System and Information Integrity
System and Communications Protection
Before you can build a house you must have roads, sewers, and electricity in place. The System and Communications Protection control family focuses on all the external infrastructure connections that will support the functions of your information system. Bringing this infrastructure to “code” for NIST 800-171 means that content is encrypted in transit, and at rest, using FIPS validated encryption. (See validated algorithms http://csrc.nist.gov/groups/STM/cavp/validation.html )
Most likely you are already using one of these cryptographic methods to secure inter-system communication. This requirement is so important that it repeats itself throughout several of the controls. After you’ve created the infrastructure, this section focuses on controlling inter-system communication by requiring a set time period for “terminating sessions.” By requiring systems to re-authenticate you reduce the risk of data leakage.
Access Control
When you design a house, you must decide where the doors and windows will be. If security is a top requirement, you must consider how to control access and who gets the keys. When protecting Covered Defense Information (CDI) or Covered Technical Information (CTI), the door serves both internal and external processes. The Access Control family focuses on separating the access of standard users vs. administrators within your network, and on ensuring that these accounts have “least privilege.” This has been a standard for many years, so it should only require that you document your processes.
Additionally, this control family requires appropriate privacy notices for users entering the system, and limits both the number of logon attempts and the time a user can be connected within a session. Finally, you must encrypt your communications with the outside world, whether via the internet, Wi-Fi, or a wireless device.
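The session-termination requirement from the System and Communications Protection passage and the logon-attempt and session-time limits from the Access Control passage are mechanisms rather than paperwork, so here is what they look like in code. This is an added example, not code from the slides or from Exostar: a small in-memory logon gate that locks an account after consecutive failures, terminates sessions after an idle period and after an absolute lifetime, and refuses anything but a fresh logon afterwards. The limit values, the ManualClock and the sample credential are assumptions made for the demonstration.

```python
"""Added example (not the slides' or Exostar's code): an in-memory logon gate
implementing three controls from the passages above: lock an account after too
many consecutive failed logons, terminate sessions after an idle period and
after an absolute lifetime, and require re-authentication afterwards.
The limit values and the ManualClock are assumptions made for the demo."""
from dataclasses import dataclass
from typing import Dict, Optional
import hashlib, hmac, secrets, time

# Illustrative policy values (assumptions, not figures taken from NIST 800-171).
MAX_FAILED_LOGONS = 3            # consecutive failures before the account locks
LOCKOUT_SECONDS = 15 * 60        # how long the lock lasts
IDLE_TIMEOUT_SECONDS = 10 * 60   # terminate after this much inactivity
MAX_SESSION_SECONDS = 8 * 3600   # absolute lifetime regardless of activity

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_logons: int = 0
    locked_until: float = 0.0

@dataclass
class Session:
    user: str
    created: float
    last_seen: float

class ManualClock:
    """Controllable clock so the expiry rules can be exercised without waiting."""
    def __init__(self, start: float = 1_000.0):
        self.now = start
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds

class AuthGate:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}
    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, self._hash(password, salt))
    def is_locked(self, user: str) -> bool:
        acct = self.accounts.get(user)
        return acct is not None and self.clock() < acct.locked_until
    def login(self, user: str, password: str) -> Optional[str]:
        """Return a session token, or None on bad credentials or while locked."""
        acct = self.accounts.get(user)
        if acct is None or self.is_locked(user):
            return None              # a locked account is refused before any password check
        now = self.clock()
        if not hmac.compare_digest(self._hash(password, acct.salt), acct.pw_hash):
            acct.failed_logons += 1
            if acct.failed_logons >= MAX_FAILED_LOGONS:
                acct.locked_until, acct.failed_logons = now + LOCKOUT_SECONDS, 0
            return None
        acct.failed_logons = 0       # a successful logon clears earlier failures
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, now, now)
        return token
    def validate(self, token: str) -> Optional[str]:
        """Return the session's user, or None after terminating an expired session."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        now = self.clock()
        if now - sess.last_seen > IDLE_TIMEOUT_SECONDS or now - sess.created > MAX_SESSION_SECONDS:
            del self.sessions[token]  # terminated: the user must log in again
            return None
        sess.last_seen = now          # activity extends the idle window, never the lifetime
        return sess.user

def demo() -> Dict[str, object]:
    """Walk through lockout, recovery and both kinds of session expiry."""
    clock, pw = ManualClock(), "correct horse battery"   # constructed sample credential
    gate = AuthGate(clock=clock)
    gate.register("alice", pw)
    failures = [gate.login("alice", "guess") for _ in range(MAX_FAILED_LOGONS)]
    locked = gate.is_locked("alice")
    refused_while_locked = gate.login("alice", pw) is None
    clock.advance(LOCKOUT_SECONDS + 1)
    token = gate.login("alice", pw)
    clock.advance(IDLE_TIMEOUT_SECONDS - 1)
    alive_after_activity = gate.validate(token) == "alice"
    clock.advance(IDLE_TIMEOUT_SECONDS + 1)
    idle_expired = gate.validate(token) is None
    token2 = gate.login("alice", pw)
    while gate.validate(token2) == "alice":   # stay active until the lifetime runs out
        clock.advance(IDLE_TIMEOUT_SECONDS - 1)
    return {"failures": failures, "locked": locked, "refused_while_locked": refused_while_locked,
            "alive_after_activity": alive_after_activity, "idle_expired": idle_expired,
            "lifetime_expired": token2 not in gate.sessions}
```

Two design points are worth noting when documenting this for a System Security Plan: the lock is checked before the password is hashed, so a locked account cannot be probed at all, and the absolute lifetime is enforced independently of activity, so a session that is kept busy still ends and forces a fresh logon.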
Physical Protection
Once your home is built, you’ll need to protect it. A complete security system logs when doors open and close, alerts you when motion sensors are triggered, and has security cameras for additional monitoring. Similarly, the Physical Protection control family tracks visitors, restricts physical access to sensitive areas, and monitors all community space. Yes, servers do exist, so it’s recommended that you have a method to track access to their data center, racks, and the servers themselves. Digital keycards, video cameras, and controlled access to each section of the facility are highly recommended.
Media Protection
Even with your doors locked and your security system running, you should still keep valuables and important documents in a safe. Similarly, NIST 800-171 recognizes that not all content in your system is created equal. The Media Protection control family requires that CDI is marked at the document level and whenever it is stored on any external media. Media includes both the physical servers that need to be protected and printed materials, and the controls cover how they’re stored and destroyed when no longer needed.
Encryption of CDI content is reinforced for digital transport media, from CD/DVD to thumb drives, and within back-up systems. Another key concern is the ability to use removable devices to download and store CDI data. While turning off all USB ports on laptops might solve that issue, users should also be trained not to transport CDI on external devices.
Configuration Management
Now that your house is built and secure, let’s talk about decorating. How do you decide where to put your furniture and decorations? The Configuration Management control family is focused on the detailed software level and is about the processes and procedures you take to make sure logical security is in place. It again reaffirms access restrictions from the Access Control family.
Do you restrict what software is installed on servers and/or on staff’s laptops? Record it here, and describe the process that you take to make sure any new software that is added does not affect security and stability of your information system.
System & Information Integrity
When you have a new home, you want to fill it with safe, high-quality materials. This is similar to the System and Information Integrity control family, which focuses squarely on your information system, and even more specifically on the code within it. You should monitor, identify, and take action if you find flaws in the system, or malicious code from outside parties.
What process do you have in place for responding to these errors? If you have one, formalize it and you are one step closer to fulfilling the NIST 800-171 System Security Plan (SSP).
Maintenance
Your house, or information system, is no good without constant upkeep. Follow best practices to make sure the hardware and software supporting your information system is in good shape. Make sure you know who is working on your system and what tools (physical or digital) they’re using when performing maintenance. Make sure your processes are in place for internal and external personnel to keep the system at its best.
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
Use non-privileged accounts or roles when accessing non-security functions.
Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems.
Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
Provide security awareness training on recognizing and reporting potential indicators of insider threat.
Personnel Security (3.9.2): Ensure that CUI and information systems containing CUI are protected during and after personnel actions such as terminations and transfers.
Physical Protection (3.10.3): Escort visitors and monitor visitor activity.
Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
Supervise the maintenance activities of maintenance personnel without required access authorization.
Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital.
Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.
Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
Review and update audited events.
Alert in the event of an audit process failure.
Use automated mechanisms to integrate and correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity.
Provide audit reduction and report generation to support on-demand analysis and reporting.
Provide an information system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
Protect audit information and audit tools from unauthorized access, modification, and deletion.
Limit management of audit functionality to a subset of privileged users.
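The audit requirements listed above ask for three properties that a plain log file does not give you: every action traceable to one user, timestamps tied to an authoritative clock, and audit information protected from modification and deletion. The following is an added example, not the NIST text or Exostar's code, showing one way to get all three in a single record format: each record names the acting user, is flagged when its local timestamp disagrees with a trusted time source (constructed here as a fixed value), and is chained to its predecessor with a SHA-256 hash so that rewriting or removing an earlier record breaks the chain. The events, user names and the skew tolerance are constructed sample data.

```python
"""Added example (not the NIST text or Exostar's code): a tamper-evident audit
trail. Every record names the acting user, so actions trace to one person;
its timestamp is checked against an authoritative clock (constructed here as a
fixed value); and each record is chained to its predecessor by a SHA-256 hash,
so later modification or removal of a record is detected on verification."""
import hashlib
import json
from typing import Any, Callable, Dict, List

GENESIS = "0" * 64
MAX_CLOCK_SKEW_SECONDS = 5.0   # assumed tolerance between local and authoritative time


def _digest(prev_hash: str, record: Dict[str, Any]) -> str:
    # Canonical JSON so the same record always hashes the same way.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class AuditTrail:
    def __init__(self, authoritative_time: Callable[[], float]):
        self.authoritative_time = authoritative_time
        self.entries: List[Dict[str, Any]] = []

    def append(self, user: str, action: str, local_ts: float, **details: Any) -> Dict[str, Any]:
        if not user:
            raise ValueError("audit record must name the acting user")
        skew = abs(local_ts - self.authoritative_time())
        record = {"user": user, "action": action, "ts": local_ts,
                  "clock_ok": skew <= MAX_CLOCK_SKEW_SECONDS, **details}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"prev": prev, "record": record, "hash": _digest(prev, record)}
        self.entries.append(entry)
        return entry

    def verify(self) -> int:
        """Index of the first entry whose chain link is broken, or -1 if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or _digest(prev, entry["record"]) != entry["hash"]:
                return i
            prev = entry["hash"]
        return -1

    def actions_by(self, user: str) -> List[str]:
        return [e["record"]["action"] for e in self.entries if e["record"]["user"] == user]


def demo() -> Dict[str, Any]:
    """Constructed walkthrough: record three events, then alter one and re-verify."""
    trail = AuditTrail(authoritative_time=lambda: 1_700_000_000.0)
    trail.append("alice", "login", 1_700_000_000.0, workstation="ws-17")
    trail.append("bob", "download", 1_700_000_002.0, document="cui-drawing-42.pdf")
    trail.append("alice", "logout", 1_700_000_900.0)     # local clock is 15 minutes off
    result = {"intact_before": trail.verify(),
              "skew_flagged": [e["record"]["action"] for e in trail.entries
                               if not e["record"]["clock_ok"]],
              "alice_actions": trail.actions_by("alice")}
    trail.entries[1]["record"]["user"] = "alice"          # someone rewrites who downloaded it
    result["first_bad_after"] = trail.verify()
    return result
```

One caveat the chain alone does not cover: deleting only the most recent records leaves a shorter but still self-consistent chain. Detecting that requires anchoring the latest hash somewhere the audit administrators cannot alter, for example by forwarding it to a separate collector, which also addresses the requirement that management of audit functionality be limited to a subset of privileged users.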
Risk Assessment (3.11.1): Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI.
Security Assessment (3.12.4): Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
Identify, report, and correct information and information system flaws in a timely manner.
Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
Track, review, approve/disapprove, and audit changes to information systems.
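The Configuration Management passage earlier on the page asks whether you restrict what software is installed and how you make sure additions do not affect security, and the last two requirements above ask for a maintained baseline inventory and for changes to be tracked and approved. The following added example, which is not part of the slides, shows the mechanical core of both: a current inventory is parsed, compared against the approved baseline, and every difference that change control has not signed off on is reported for review. The package names, versions and the approved-change entry are constructed sample data.

```python
"""Added example (not from the slides): compare a current software inventory
against an approved baseline and report every unapproved difference as a
change that needs review. Package names, versions and the approved-change
list are constructed sample data, not real system output."""
from typing import Dict, List, NamedTuple, Optional


class Drift(NamedTuple):
    kind: str       # "added", "removed" or "changed"
    package: str
    baseline: str   # version in the approved baseline ("" if absent)
    current: str    # version found on the system ("" if absent)


def parse_inventory(text: str) -> Dict[str, str]:
    """Parse 'name version' lines, one package per line; '#' starts a comment."""
    inventory: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"malformed inventory line: {raw!r}")
        name, version = parts
        if name in inventory:
            raise ValueError(f"duplicate package entry: {name}")
        inventory[name] = version
    return inventory


def detect_drift(baseline: Dict[str, str], current: Dict[str, str],
                 approved: Optional[Dict[str, str]] = None) -> List[Drift]:
    """Return unapproved differences sorted by package name.

    approved maps a package to the version change control has signed off on;
    a current state that matches it is treated as the new baseline, not drift.
    """
    approved = approved or {}
    findings: List[Drift] = []
    for pkg in sorted(set(baseline) | set(current)):
        before, now = baseline.get(pkg, ""), current.get(pkg, "")
        if before == now or approved.get(pkg) == now:
            continue
        kind = "added" if not before else ("removed" if not now else "changed")
        findings.append(Drift(kind, pkg, before, now))
    return findings


# Constructed sample data: an approved baseline and what a host reports today.
BASELINE = """
openssl 1.1.1k
sshd 8.4p1
auditd 3.0
"""
CURRENT = """
openssl 1.1.1n      # patched since the baseline was approved
sshd 8.4p1
auditd 3.0
legacy-ftp 0.17     # nobody approved this one
"""
APPROVED = {"openssl": "1.1.1n"}   # placeholder for a change ticket's approval


def demo() -> List[Drift]:
    return detect_drift(parse_inventory(BASELINE), parse_inventory(CURRENT), APPROVED)
```

Run on a schedule, the findings list is the input to the review step: each item either gets an approval entry (and the baseline is updated) or is removed from the system, and the report itself is the evidence that changes were tracked.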