This document provides an overview of a presentation on information assurance in a global context. It discusses why information assurance matters given increasing dependencies on accurate data. It also covers definitions of security, privacy and information assurance. Additionally, it outlines regulatory requirements, frameworks, technologies like IoT and cloud computing, and lessons from cross-border regions. The presentation agenda is included which covers these topics over several pages in more depth.
Rapid7 Report: Data Breaches in the Government Sector (Rapid7)
Rapid7, the leading provider of security risk intelligence solutions, analyzed data collected and categorized by the Privacy Rights Clearinghouse Chronology of Data Breaches. Using this data, the company outlined patterns for government data breaches, including year, month, location and breach type patterns. This information and tips for protecting infrastructure can ensure that government IT environments stay protected against malicious attacks and unintended disclosure.
Protecting Patient Health Information in the HITECH Era (Rapid7)
The American Healthcare system is getting a complete facelift thanks to incentives to adopt Health Information Technology introduced by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act contains tools for the enforcement of HIPAA regulations, as well as incentives to accelerate the adoption of information systems that reduce costs, gain efficiencies, and ultimately improve patient care while keeping patient health information secure. This paper examines the HITECH Act, the enforcement mechanisms the HITECH Act provides for HIPAA, and the key security challenges healthcare services face in order to protect patient health information as part of becoming HIPAA compliant.
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance (Rapid7)
Cyber-attacks designed for financial gain are on the rise, targeting proprietary information including customer and financial information. With over 127 million records exposed in 2007 in the US alone, attacks are becoming increasingly more sophisticated. Learn more about best practices to protect the cardholder data environment and achieve PCI compliance.
According to analysts, the higher education sector is the most breached of any industry. This white paper outlines key reasons why universities are more affected by security issues and how they can better prepare themselves to address IT security and vulnerability management challenges.
This Frost & Sullivan analyst report reveals how the legal and threat environment, combined with BYOD and cost factors, make multi-factor, risk-based authentication the logical approach to solving the security challenges posed by threat actors.
The study provides valuable insight into the change in agency investment, awareness, and support for cybersecurity – as well as the challenges and barriers faced in achieving these goals.
Notable Takeaways:
• Financial Risks: According to a 2016 BetaNews article, “the total average cost of a data breach is now put at $6.53M, which includes $3.72M in lost business. Forensic investigations can cost up to $2,000 an hour, and the average annual salary of a security engineer is $92,000. With these high costs, proper preventative attack measures and cybersecurity insurance are crucial for the financial safety of organizations.
• Employee Risks: A sizeable percentage of local agencies reported never having conducted cybersecurity awareness training for citizens (71.4%), contractors (61.9%), and local elected officials (50.1%). Given that human error creates openings for breaches through targeted attacks like spear-phishing, employee education, RBAC measures, and RMS are of critical importance for agencies.
• What Agencies Want: The top three actions recommended by the respondents of the study were (1) higher funding for cybersecurity; (2) better cybersecurity policies; and (3) greater cybersecurity awareness among employees in their local governments.
User Privacy or Cyber Sovereignty: Freedom House Special Report 2020 (MYO AUNG Myanmar)
https://freedomhouse.org/report/special-report/2020/user-privacy-or-cyber-sovereignty?utm_source=Newsletter&utm_medium=Email&utm_campaign=SPOTLIGHTFRDM_072720
Special Report 2020
User Privacy or Cyber Sovereignty?
Assessing the human rights implications of data localization
WRITTEN BY-Adrian Shahbaz-Allie Funk-Andrea Hackl
https://freedomhouse.org/sites/default/files/2020-07/FINAL_Data_Localization_human_rights_07232020.pdf
Identity theft remains a pernicious threat to consumers. While the federal government and private sector have done much to address this issue, it is important that legislators and regulators remain vigilant to protect consumers from this ever-evolving fraud.
Public Relations Campaign for SecureWorks for IMC 618: PR Concepts & Strategy. Campaign is focused on increasing brand awareness among both big and small businesses as well as potential investors.
Government Access Cards: A key to fraud and identity theft reduction? (Robert Bromwich)
Conference paper developed and presented at the Records Management Association of Australasia's 25th International Convention organised in Sydney Australia during September 2008.
The paper provides a history of three government-sponsored identity programs in the USA (Real-ID), Australia (Health and Welfare Access Card) and the United Kingdom (Identity Card) and analyses the claims by proponents that implementing a compulsory national identity program reduces fraud against the public purse and cases of identity theft.
The paper concludes by asking the question: is having such a program worthwhile?
Identity Theft and Society: What's in it for me? (Robert Bromwich)
The paper provides an overview of the problems of identity theft and its impacts on society, coupled with potential solutions for individuals, corporations and government agencies to mitigate and solve the issue.
Continuity and Change in Agriculture in the Parish of Borrisoleigh (borrisoleighcommunity)
The Borrisoleigh Historical Society hosted a lecture in the Community Centre, Borrisoleigh on 26th March 2014. The title of the Lecture was "Continuity and Change in Agriculture in the Parish of Borrisoleigh". It was delivered by Borrisoleigh native, Professor Gerry Boyle, Director of Teagasc. This lecture gave a great insight into the past and present methods of farming.
News about the programme that celebrates major brands, promotes their successful storytelling and certifies the growth path of their brand reputation
Anonos NTIA Comment Letter on ''Big Data'' Developments and How They I... (Ted Myerson)
Read our NTIA comment letter on ''Big Data'' Developments and How They Impact the Consumer Privacy Bill of Rights. Filed with the NTIA on August 5, 2014.
Anonos has been working for over two years on technology that transforms data at the data element level enabling de-identification and functional obscurity that preserves the value of underlying data. Specifically, Anonos de-identification and functional obscurity risk management tools help to enable data subjects to share information in a controlled manner, enabling them to receive information and offerings truly personalized for them, while protecting misuse of their data; and to facilitate improved healthcare, medical research and personalized medicine by enabling aggregation of patient level data without revealing the identity of patients.
Anonos FTC Comment Letter Big Data: A Tool for Inclusion or Exclusion (Ted Myerson)
FTC Comment Letter Big Data: A Tool for Inclusion or Exclusion. Filed on August 21, 2014.
Consumers rely on businesses to keep their personal information safe. Too few of those businesses are actively protecting that data. Here’s what’s gone wrong, and how businesses should be responding. Full blog here: http://bit.ly/1Jtzym5
All levels of society rely upon information technology systems. Network operations are pervasive and impact nearly every aspect of our society. The desire of companies to collect, use, store, and secure information about customers, employees, and other individuals is a requirement of the new economy. It is no wonder that the prevalence of electronic communications and a growing dependency on cyber structures and operations also create potential vulnerabilities to cyberattacks. It is critical to preserve information systems and address and prevent weaknesses in cyber protection efforts. This webinar examines the means for companies to reach data goals ethically, efficiently and legally. The panel will also discuss the evolving regulatory approaches of the European Union, United States Federal government and significant developments in U.S. state regimes, including California. Best practices and model comprehensive privacy and cybersecurity policies are discussed. And, data breach response and related litigation, including class action litigation issues and fiduciary duty violations under corporate law, are discussed.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/data-privacy-compliance-2021/
Proven Practices to Protect Critical Data - DarkReading VTS Deck (NetIQ)
NetIQ was a Platinum sponsor for “Plugging the Leaks: Finding and Fixing the IT Security Holes in Your Enterprise,” a virtual trade show (VTS) produced by Information Week Magazine and Dark Reading.
This was our presentation deck, "Proven Practices to Protect Critical Data", presented live by Matt Mosley, Senior Product Manager, and Matt Ulery, Director of Product Management. They explored some of the most significant problems facing security teams tasked with protecting critical data, and revealed some of the most effective approaches and technologies that can be used to quickly identify real threats.
Al-Khouri, A.M. (2014) "Privacy in the Age of Big Data: Exploring the Role of Modern Identity Management Systems". World Journal of Social Science, Vol. 1, No. 1, pp. 37-47.
Review DNI WTAs for 2015 and 2016 (see attached). Compare and con.docx (ronak56)
Review DNI WTAs for 2015 and 2016 (see attached). Compare and contrast all the threats as the DNI saw them last year with what he sees this year. This is more than just a list.
* You may group ‘threats’ for simplicity.
* If you don’t understand how to compare and contrast – ask me.
Why the change? [Assume what’s addressed first is first priority and what’s addressed last is last].
Instructions: Your initial post should be at least 350 words.
Statement for the Record
Worldwide Threat Assessment
of the
US Intelligence Community
Senate Armed Services Committee
James R. Clapper
Director of National Intelligence
February 9, 2016
INTRODUCTION
Chairman McCain, Vice Chairman Reed, Members of the Committee, thank you for the invitation to offer
the United States Intelligence Community’s 2016 assessment of threats to US national security. My
statement reflects the collective insights of the Intelligence Community’s extraordinary men and women,
whom I am privileged and honored to lead. We in the Intelligence Community are committed every day to
provide the nuanced, multidisciplinary intelligence that policymakers, warfighters, and domestic law
enforcement personnel need to protect American lives and America’s interests anywhere in the world.
The order of the topics presented in this statement does not necessarily indicate the relative importance
or magnitude of the threat in the view of the Intelligence Community.
Information available as of February 3, 2016 was used in the preparation of this assessment.
TABLE OF CONTENTS
GLOBAL THREATS
  Cyber and Technology
  Terrorism
  Weapons of Mass Destruction and Proliferation
  Space and Counterspace
  Counterintelligence
  Transnational Organized Crime
  Economics and Natural Resources
  Human Security
REGIONAL THREATS
  East Asia: China; Southeast Asia; North Korea
  Russia and Eurasia: Russia; Ukraine, Belarus, and Moldova; The Caucasus and Central Asia
  Europe: Key Partners; The Balkans; Turkey
  Middle East and North Africa: Iraq; Syria; Libya; Yemen; Iran; Lebanon; Egypt; Tunisia
  South Asia: Afghanistan; Bangladesh; Pakistan and India
  Sub-Saharan Africa: Central Africa; Somalia; South Sudan; Sudan; Nigeria
  Latin America and Caribbean: Central America; Cuba; Venezuela; Brazil
GLOBAL THREATS
CYBER AND TECHNOLOGY
Strategic Outlook
The consequences of innovation and increased reliance on information technology in the next few years
on both our society’s way of life in general and h ...
Part of the webinar series: CORPORATE & REGULATORY COMPLIANCE BOOTCAMP 2022 - PART I
See more at https://www.financialpoise.com/webinars/
Identity Theft Response (LizbethQuinonez813)
Identity Theft Response
You have successfully presented an expanded Mobile Device Management Policy, which was approved by the CEO. He now wants you to work on a response plan for identity theft, which you proposed a few weeks earlier as part of a series of four cybersecurity projects.
The CEO says to you, "The Incident Response Plan will be our company's action plan to recover should the 'worst' occur. In our case, the 'worst' would be a breach of the company's security that could occur through the theft of customers' personally identifiable information, possibly through an individual's mobile device. Such a breach could compromise the integrity of the financial institution's data."
The CEO continues: “It is your responsibility to be fully prepared, and I want you to ask your team some ‘What if’ questions.”
“Specifically, I want you to ask: What if our customer information system is compromised internally by a misguided employee? What do we do? And, What if the system is breached by an external hacker and all our customer records are exfiltrated and/or deleted? How would we respond?”
You know that any stolen identity might be that of an employee and/or the identities within the customer information module, which would affect a large number of accounts. Either way, even the slightest breach would be serious, and not having an approved, executable plan of action would only compound the problem. Any lack of regulatory compliance by the organization could also be brought to light.
The CEO closes by saying, “A comprehensive plan for identity theft response is mandatory, and it will receive a lot of scrutiny from senior leadership. Everyone in the company realizes it is a critical component of our success and continued operation. I’m counting on you to do it well.”
Identity theft is becoming more common as technology continues to advance exponentially. Mobile devices, applications, and email make it more convenient for individuals to access records and financial accounts, but also increase the risk of identity theft.
As the CISO, you will be drafting an incident response plan to address identity theft for your financial organization.
Identity Theft Response is the second of four sequential projects in this course. The final plan will be about 10-12 pages in length. There are 16 steps in this project and it should take about 14 days to complete. Begin with Step 1, where you will identify types of cyberattacks in which personally identifiable information could be vulnerable.
Competencies
Your work will be evaluated using the competencies listed below.
· 1.3: Provide sufficient, correctly cited support that substantiates the writer's ideas.
· 2.2: Locate and access sufficient information to investigate the issue or problem.
· 8.4: Design an enterprise cybersecurity incident response plan.
Project 2: Identity Theft Response
Step 1: Identify Potential PII Attacks
Since this project will require an enterprise cybersecurity incident response plan with ...
1
Annotated Bibliography
Tamika S. Bouldin
Liberty University
CJUS 540
Thesis Statement: Private companies engaged in commerce within the borders of the United States should (or should not) be compelled to provide “back doors” to law enforcement to circumvent proprietary encryption coding.
Annotated Bibliography
Castro, D., & McQuinn, A. (2016). Unlocking Encryption: Information Security and the Rule of Law. Information Technology and Innovation Foundation.
In this scholarly article, Castro and McQuinn (2016) observe that continued improvements in information security practices, especially the use of encryption to safeguard the confidentiality of information, can improve the overall security of customers and business enterprises. However, as products become more secure for customers and firms, it becomes harder for law enforcement agencies to access and monitor data that could help them deter or investigate criminal activities such as terrorism. This problem has created one of the most challenging policy dilemmas of the information era, because encryption not only enhances security for customers and business organizations but also makes it more difficult for government authorities to protect them from other sophisticated forms of threat. According to Castro and McQuinn (2016), this complex dilemma needs to be addressed; whatever choice the government makes involves a trade-off with businesses.
Finklea, K. M. (2016). Encryption and the "Going Dark" Debate. Congressional Research Service.
In this scholarly work, Finklea (2016) notes that constantly changing technology provides opportunities and challenges in equal measure for U.S. law enforcement agencies. Some technological developments have opened a treasure trove of information for investigators and analysts; others pose distinct challenges. Although some observers contend that law enforcement now enjoys access to more data than in the past, other scholars argue that law enforcement is being kept in the dark on matters of access to data. To them, this problem stems primarily from the fact that technological change has radically outpaced law enforcement's ability to keep up with it. These challenges include strong end-to-end encryption, providers' limits on data retention, bounds on firms' technical ability to supply specific data to law enforcement, and the tools that facilitate anonymity online. Law enforcement therefore may not be able to conduct effective investigations when it lacks access to data.
Stein, J. (2017). Security versus security: balancing encryption, privacy, and national security (Thesis, University of Texas).
Debates on whether the government should access classified corporate data have been simmering over the last few decades. In this scholarly work, Stein (2017) analyzes the existing controversie ...
Data Privacy: What you should know, what you should do!
CSMFO Data Privacy in the Governmental Sector, Local Government. Data Privacy Laws, PCI, Breaches, AICPA – Generally Accepted Privacy Principles
Similar to WCIT 2014 Matt Stamper - Information Assurance in a Global Context (16)
Workshop at the WCIT 2014
Innovation & entrepreneurship ecosystem in Jalisco
Jaime Reyes Robles, Secretary of Innovation, Science and Technology, Government of the State of Jalisco
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf (91mobiles)
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor... (Neo4j)
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Generative AI Deep Dive: Advancing from Proof of Concept to Production (Aggregage)
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
WCIT 2014 Matt Stamper - Information Assurance in a Global Context
1. Information Assurance in a Global Context:
Strategies for Security and Privacy for Cross-Border and
Multi-national Organizations
Matt Stamper, MPIA, MS, CISA, ITIL
VP of Services: redIT
President: ISACA San Diego Chapter
Co-Chair: InfraGard San Diego
Board of Advisors: Multiple
WCIT
Guadalajara, Jalisco
September 28th, 2014
2. Agenda
Why information assurance (IA) matters
Core Definitions: ILM, Security, Privacy, and IA
Regulatory Requirements
Frameworks & Approaches
New Technologies: IoT & Cloud
Lessons from Tijuana/San Diego
Questions & Comments
3. Why Information Assurance Matters…
We rarely question the quality of information we use to make decisions…putting our organizations, economies, and personal lives at risk
Information is the most valuable asset in our economy and fuels innovation & growth (data is the raw material of the global economy)
o Commerce
o Science
o Government
Our dependencies on accurate and timely information are increasing exponentially
Massive asymmetries in IA practices
Gap between laws & regulations and practice
Critically, trust is at risk!
4. Trust and Societies: Quantifiable Impact
“If you take a broad enough definition of trust, then it would explain basically all the difference between the per capita income of the United States and Somalia,” ventures Steve Knack, a senior economist at the World Bank who has been studying the economics of trust for over a decade. That suggests that trust is worth $12.4 trillion dollars a year to the U.S., which, in case you are wondering, is 99.5% of this country’s income (2006 figures). If you make $40,000 a year, then $200 is down to hard work and $39,800 is down to trust” (http://www.forbes.com/2006/09/22/trust-economy-markets-tech_cx_th_06trust_0925harford.html)
“Trust is essential to maintaining the social and economic benefits that networked technologies bring to the United States and the rest of the world” (Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy, February, 2012: White House)
“Trust is at the heart of today’s complex global economy. But, paradoxically, trust is also in increasingly short supply in many of our societies, especially in our attitudes towards big business, parliaments and governments. This decline threatens our capacity to tackle some of today’s key challenges” (http://www.oecd.org/forum/the-cost-of-mistrust.htm)
5. The Impact of Lost Trust on Society
Financial Crisis
http://www.youtube.com/watch?v=uw_Tgu0txS0
6. International Data Flows: The Global Currency
“The Growth of the Internet and the ability to move data rapidly and globally has been a key building block of the global economic order” (The Internet, Cross-Border Data Flows and International Trade, Joshua Meltzer, The Brookings Institute, February, 2013)
“Exports (emphasis mine) of cloud computing services were estimated to be worth approximately $1.5b in 2010 (and this is likely a conservative figure) and the market for cloud computing services is anticipated to grow by up to 600 percent by 2015” (“Policy Challenges of Cross-Border Computing,” Journal of International Commerce and Economics, November 2012).
Over 2 Billion Individuals have access to the Internet
More devices will be connected than people – billions of devices
Nearly free transaction costs
The days of information arbitrage are over
Barriers to innovation & exploitation are equally low
Critical Shared Data Sets
Weather & Climate data
Census data
Healthcare and Disease Control data
Financial & Currency data
Trade data
A McKinsey Global Institute study estimated that the Internet contributed over 10 percent to GDP growth in the last five years to the world’s top ten economies and for every job lost as a result of the Internet, 2.6 jobs have been created.
7. Open Government Initiatives: Public Sector Data
Governments across the globe recognize that information is both:
A national resource that requires protection
A public good that should be readily disseminated
Key areas of focus within the Open Government community include:
Transparency with budgets & procurement
Private/Public Sector data sharing
Innovation
“The original and essentially libertarian nature of the Internet is increasingly being challenged by assertions by government of jurisdiction over the Internet or the development of rules that restrict the ability of individuals and companies to access the Internet and move data across borders” (The Internet, Cross-Border Data Flows and International Trade, Joshua Meltzer, The Brookings Institute, February, 2013)
8. Why Information Assurance is Critical Now!
Here’s just a quick sampling of what’s occurring on a daily basis. This is just the US public sector.
Organized Criminals in Russia Steal 1b Passwords (8/5/2014)
http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html?_r=0
JP Morgan Potentially Compromised (8/18/2014)
http://online.wsj.com/articles/fbi-probes-possible-computer-hacking-incident-at-j-p-morgan-1409168480
Hospital Hacked – 4.5 Million Records Compromised (8/18/2014)
http://money.cnn.com/2014/08/18/technology/security/hospital-chs-hack/
Home Depot
http://www.forbes.com/sites/quickerbettertech/2014/09/22/why-the-home-depot-breach-is-worse-than-you-think/
Target
http://online.wsj.com/news/articles/SB10001424052702304773104579266743230242538
The Car (2014 Moving Forward)
http://money.cnn.com/2014/06/01/technology/security/car-hack/
9. The Assault on Healthcare & ePHI
According to a Ponemon Institute Study, criminal attacks on healthcare systems have risen 100% since 2010, with the average cost of a breach being $2m (US)
Over 90% of healthcare organizations have had a breach in the last two years, with 38% having had more than five incidents (down from 45% the previous year)
Risks with mandated health information exchanges (third-party considerations) / weakest link despite security standards from HIPAA-HITECH
Bring Your Own Device (BYOD) - nearly 50% of breaches attributed to a lost or stolen device and over 88% of organizations allow the use of BYOD
Fortunately, the number of records compromised has decreased based on earlier detection and incident response – we’re getting better at handling security breaches…practice makes perfect?
11. Security - Defined
The easiest way to think about security is to think about the outcome of what good security provides: confidentiality, integrity, and availability of information (CIA).
Confidentiality is the end-state of ensuring that information is only viewed and acted upon by those individuals, organizations, or systems that are authorized to see such information. “A loss of confidentiality is the unauthorized disclosure of information” – FIPS 199.
Integrity is the end-state of information and its processing such that the information is believed to be complete, accurate, valid and subject to restricted access (CAVR)…essentially not tampered with or otherwise modified by unauthorized activity. “A loss of integrity is the unauthorized modification or destruction of information” – FIPS 199.
Availability is simply that…that the information is available for its required use without delay or loss. “A loss of availability is the disruption of access to or use of information or an information system” – FIPS 199.
Collectively, IT security is the set of processes that are involved with ensuring that data and information meet the confidentiality, integrity, and availability objectives of the business.
12. Privacy - Defined
Definitions of privacy are growing more nuanced over time.
Privacy is “the right to be left alone” (Samuel Warren & Louis Brandeis: The Right to Privacy, Harvard Law Review, 1890).
Privacy is “the right of the individual to be protected against the intrusion into his (her) personal life or affairs, or those of his (her) family, by direct physical means or by publication of information” (UK, Calcutt Committee: 1997)
Privacy has contextual considerations:
Information Privacy
Bodily Privacy
Territorial / Physical Privacy
Communications Privacy
(Foundations of Information Privacy and Data Protection, Swire, et al., IAPP, 2012)
13. Information Assurance: Three Perspectives
National Defense: Information Assurance as a concept is strongly influenced by the defense and national security communities and the concept of network centric warfare techniques:
“Measures that protect and defend information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities” (Department of Defense Directive Number 8500.1: October 24, 2002)
Corporate View: Intellectual Property, Financial, Client & Partner Data is subject to appropriate governance & control – CAVR.
Consumer View: Personal Health, Financial and other PII Data is controlled by the individual and disclosure is also controlled by the individual.
14. Data Classification
Given the regulatory and jurisdictional issues related to information and data flows, organizations need to implement best practices to classify their data. There are a number of approaches including:
National Security
• Top Secret
• Classified
• Unclassified: FOUO
Corporate Security
• Confidential
• Proprietary
• Privileged / Restricted Access
Personal Data
• ePHI
• Financial Information
• Phone, Internet & Utility
15. Information Lifecycle & IA
Tech Target: http://searchdatamanagement.techtarget.com/feature/Information-assurance-Dependability-and-security-of-networked-information-systems
Cloud Security Alliance
16. Bringing It All Together: IA, Security, and Privacy
If we agree that information is the new global currency and that innovation and growth are predicated on the quality of the information and data we use, it’s important that we couple IA, Security and Privacy and make information governance a top priority for our organizations.
Let’s get to work!
17. Privacy Laws & Standards
By Country / Region
• Mexico
• Canada
• US
• EU
• APEC
By Industry
• HIPAA-HITECH
• Financial Services
18. Laws & Regulations: Mexico, Canada and US
Mexico – National Privacy Law
http://www.diputados.gob.mx/LeyesBiblio/pdf/LFPDPPP.pdf
Canada – National Privacy Law
https://www.priv.gc.ca/index_e.asp
https://www.priv.gc.ca/leg_c/leg_c_p_e.asp
US – Sectoral Approach (Federal Trade Commission)
http://www.whitehouse.gov/sites/default/files/privacy-final.pdf
States
Massachusetts - http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf
California - http://oag.ca.gov/ecrime/databreach/reporting
Nevada - http://www.leg.state.nv.us/NRS/NRS-603A.html
19. Laws & Regulations: Australia, APEC & Europe (EU)
Australia
http://www.oaic.gov.au/privacy/privacy-act/the-privacy-act
http://www.oaic.gov.au/privacy/privacy-resources/privacy-fact-sheets/other/privacy-fact-sheet-17-australian-privacy-principles
APEC
http://www.apec.org/About-Us/About-APEC/Fact-Sheets/APEC-Privacy-Framework.aspx
European Union
http://europa.eu/about-eu/countries/member-countries/index_en.htm
http://ec.europa.eu/dataprotectionofficer/legal_framework_en.htm
https://safeharbor.export.gov/list.aspx (Safe Harbor Registrants)
20. Privacy & Security – Inextricably Linked
Security can exist without privacy but privacy cannot exist without security. Consequently, privacy frameworks offer insights into good governance and security practices, though many standards and frameworks have been challenged by recent events – notably the Payment Card Industry – Data Security Standard (PCI-DSS).
21. International Privacy Regimes: APEC & OECD
APEC (2004):
• Preventing Harm
• Notice
• Collection Limitation
• Uses of Personal Information
• Choice
• Integrity of Personal Information
• Security Safeguards
• Access and Correction
• Accountability
OECD (1980):
• Collection Limitation Principle
• Data Quality Principle
• Purpose Specification Principle
• Use Limitation Principle
• Security Safeguards Principle
• Openness Principle
• Individual Participation Principle
• Accountability
22. International Privacy (Cont.): FIPS & Madrid
FIPS (1973):
• No Secret Repositories
• Individual Control Over Use
• Individual Consent
• Correction
• Precautions Against Misuse
Madrid Resolution (2009):
• Principle of Lawfulness & Fairness
• Purpose Specification Principle
• Proportionality Principle
• Data Quality
• Openness Principle
• Accountability
24. HIPAA-HITECH: Administrative, Physical & Technical
Contingency Plan – 164.308(a)(7): Backup & Recovery; BC/DR Procedures & Testing; Applications and Data Criticality Analysis
Evaluation – 164.308(a)(8): Review of Systems
Business Associate Contracts and Other Arrangements – 164.308(b)(1): Contractual Obligations with Service Providers (Business Associates); Cascading Liability
Facility Access Controls – 164.310(a)(1): Access Controls, Maintenance of Records, Contingency Operations
Access Control – 164.312(a)(1): Encryption, Decryption, Log-off, Emergency Access*
Audit Controls – 164.312(b): Evidence of Review
Transmission Security – 164.312(e)(1): Integrity Controls (A); Security and Integrity
25. Gramm-Leach-Bliley (GLB) – FTC Enforcement
Financial Services Firms have an obligation to safeguard non-public information (NPI) such as full account numbers, social security numbers (SSNs), etc.
Obligations:
Privacy Notices
Non-Affiliated Third Parties & Opt Out
Ensure the Security & Confidentiality of Customer Records
Protect Against Anticipated Threats or Hazards
Protect Against Unauthorized Access
The FTC has established a clear expectation of security as a corporate obligation.
27. SANS Top 20 Security Controls
The SANS Top 20 is considered a good set of minimum necessary security controls. The controls cover a broad suite of good control activity:
Critical Control 1: Inventory of Authorized and Unauthorized Devices
Critical Control 2: Inventory of Authorized and Unauthorized Software
Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Critical Control 4: Continuous Vulnerability Assessment and Remediation
Critical Control 5: Malware Defenses
Critical Control 6: Application Software Security
Critical Control 7: Wireless Device Control
Critical Control 8: Data Recovery Capability
Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
28. SANS Top 20 Security Controls
The SANS Top 20 is considered a good set of minimum necessary security controls. The controls cover a broad suite of good control activity:
Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services
Critical Control 12: Controlled Use of Administrative Privileges
Critical Control 13: Boundary Defense
Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs
Critical Control 15: Controlled Access Based on the Need to Know
Critical Control 16: Account Monitoring and Control
Critical Control 17: Data Loss Prevention
Critical Control 18: Incident Response and Management
Critical Control 19: Secure Network Engineering
Critical Control 20: Penetration Tests and Red Team Exercises
29. PCI-DSS: 3.0 – 12 Requirements
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
30. PCI-DSS: 3.0 – 12 Requirements
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Identify and authenticate access to system components
Requirement 9: Restrict physical access to cardholder data
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Requirement 12: Maintain a policy that addresses information security for all personnel
Requirement A.1: Shared hosting providers must protect the cardholder data environment
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
31. ISO:27001, CSA & ISACA
There are three organizations in particular that are driving good security standards and practices and whose work should be part of an organization’s control design:
International Standards Organization (ISO)
http://www.iso.org/iso/home/standards/management-standards/iso27001.htm
Cloud Security Alliance (CSA)
https://cloudsecurityalliance.org/
Information Systems Audit and Control Association (ISACA)
https://www.isaca.org/Pages/default.aspx
32. COBIT – Cloud Governance
ISACA’s “IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud” provides a solid framework for assessing controls in cloud environments and a reference for good governance.
“ISACA defines governance as the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved and ascertaining that risks are managed appropriately.”
Leveraging cloud services requires controls and governance that touch upon the following:
Plan and Organize (PO)
Acquire and Implement (AI)
Deliver & Support (DS)
Monitor & Evaluate (ME)
34. Internet of Things
http://www.theregister.co.uk/2014/05/07/freescale_internet_of_things/
35. Service Demarcation & Information Assurance
[Diagram: the same stack – Applications, Database, O/S, Hypervisors, Servers, Storage, Networks, Backups – shown under each service model: On Site, Infrastructure (as a Service), Platform (as a Service), Software (as a Service)]
Security, Monitoring & Governance: Critical Foundation
Roles & Responsibilities are Crucial Regardless of the Service Model
36. Application
[Diagram: the Application layer highlighted within the stack – Application, Database, OS, Hypervisors, Servers, Storage, Network, Backups – framed by Security, Monitoring, ITIL / Service Management and Data Center]
• Audit Trail
• Client
• SaaS
• Segregation of Duties
• What is logged?
• Who’s responsible for the application is based on the service model
• How is the application impacted by other layers?
• What information is shared among layers?
• Shared administrative accounts?
37. Cloud Layers – Application Risk
Applications probably offer the widest array of risks to organizations. One of the key reasons…think about who uses applications…it’s us.
Applications – Typical Risks:
Human error / social networking exposure / APT attacks
Segregation of duties / elevated privileges
Database linkages / poor data validation
Session hijacking, man-in-the-middle attacks, cross-site scripting
Poor application coding
Poor passwords (complexity/aging)
Poor logging habits
Many firewalls are not application aware (just ports 80, 443)
Other considerations?
38. Database
[Diagram: the Database layer highlighted within the stack – Application, Database, OS, Hypervisors, Servers, Storage, Network, Backups – framed by Security, Monitoring, ITIL / Service Management and Data Center]
• Database activity monitoring
• Time-stamping transactions / logs
• Memory-based databases…data living in memory
• Hadoop and other changing non-database approaches to analytics
39. Service Provider Considerations
Contracts Matter – Wrap Around Agreements Present Risks to Organizations
Right to audit clause
Data location covenants
Compliance Reviews:
SSAE 16 SOC 1
ISAE 3402
SOC 2
Roles & Responsibilities
Statements of Work
40. Common Themes
• Inventory of Information
• Inventory of Critical Assets
• Supply-Chain / Vendor assessments
• Risk Assessments
• Security Assessments
• Board of Directors
• Executive Responsibility
• Investment in Training & Competencies
41. Tijuana – San Diego (Our IA Ecosystem)
Brier & Thorn – SOC in Tijuana
http://brierandthorn.com/
BridgeSTOR – Cloud Data Encryption
http://bridgestor.com/
CyberFlow Analytics – APT Solution
http://www.cyberflowanalytics.com/
CyberTECH & CyberHive
http://cybertechnetwork.org/
http://cyberhivesandiego.org/cybertech/
InfraGard
http://www.infragardsd.org/
ISACA – SD
http://isaca-sd.org/
42. Quick Wins
Information Assurance begins with:
• Know Legal Obligations
• Data Classification
• Data Inventory
• Data Retention
• Privacy Impact Assessment
• Security / Vulnerability Assessment
• Keep The Board Informed – No Surprises
• Assume a Breach!