22. Train your People
People are the weakest link
Everyone is different
Goals and objectives don’t always align
“Why” is important
Not enough to know what the policy is
Also need to know why it is in place
Lots of examples help reinforce
Train often
People forget so they have to be reminded
New threats every day
24. David Barton, Principal
UHY LLP
Five Concourse Parkway, Suite 2430
Atlanta, GA 30328
678-602-4490
Editor’s Notes
Thank AITP for having me.
That means read, update, write, delete.
Everyone wants their data to be consistent. No one wants their checking account balance or their mortgage balance to fluctuate day to day unless they are writing checks. You don’t want your resume on Monster to change unless you change it.
You want your information and data to be there when you need it. Ever go to your favorite website only to be told “Under maintenance, please check back later”? Imagine you go to Gmail one day and ALL of your email is gone. You have a “welcome to Gmail” message and that’s it. That’s what happened to 144,000 Gmail users a few months back.
I only put this slide up because this website is what got a lot of businesses and government agencies thinking about their information security.
would require companies to notify consumers in clear language when their data is being collected and oblige them to keep that information safe from hackers. The bill, if it becomes law, would require companies to tell consumers why data was being collected, whom it would be shared with and how it would be safeguarded. (Gramm-Leach-Bliley?)
Epsilon marketing data breach – how many got emails?
Red Flags Program Clarification: The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program to detect the warning signs — or "red flags" — of identity theft in their day-to-day operations. Huge compliance implications, particularly for large national or international organizations.
As we have moved from an agrarian to an industrial to a knowledge- and service-based economy, IP has become our most important asset collectively. IP isn’t new, but its importance and value may not be readily recognized by most companies. Big exception – Coca-Cola. The formula has remained secret for 125 years.
Employee is at son’s soccer game. Project team sends an email. If the employee can access email via a mobile device, the question gets answered almost immediately – no delay. If the employee cannot get email, the decision is delayed until the next business day. If the employee is hourly and is answering email after hours, that employee may be eligible for overtime.
Easy to conceal – high capacity

                                                1 GB          1 TB
Pages of plaintext (1,200 characters)           894,784       916,259,689
Books (200 pages or 240,000 characters)         4,473         4,581,298
Digital pictures (3 MB average file size)       341           349,525
MP3 audio files (4 MB average file size)        256           262,144
650 MB CDs                                      –             1,613
4.38 GB DVDs                                    –             233

Not only for extraction of data – can also be used as keyloggers
WiFi is everywhere. Now there is a theory that it is killing honey bees. Sure makes it easy to communicate.
Social Media
Do your employees have the right to post whatever they want on Facebook, Twitter, etc.?
Not a lot of legal precedent.
Labor law is the biggest area of concern.
Employee rights vs. employer rights – free speech, IP protection, etc.
Governance – you can’t walk down the hall and ask who has access. Can’t walk down the hall to get help. Where is your data? Is your data in the USA? Europe? India? South America? Privacy laws are different in those countries. As the cloud provider (CP) grows, roles and responsibilities will change. Will you be aware of changes as they occur?
Multi-tenancy – virtualization means your data and infrastructure may be on shared physical devices: processors, disk drives, network segments. Complexity in virtualization increases the risk of mistakes. Recent issue with a major US bank whereby customers with similar last names were able to log in and see info for others due to a database glitch. Easy for this to occur in the cloud as well.
Commingling – SaaS works by sharing the app and infrastructure. How will your data be segregated? Separate database? Key database field? How will this impact your ability to move your data?
Data deletion – if you change providers and transfer data to the new provider, what happens to the data at the old provider? In many cases it may be mixed in with other customers’ data (Salesforce.com, Bullhorn, etc.). Will the CP really go to the trouble of fully deleting all your records? Or merely deactivate them? If you don’t pay your bill, can the CP delete your app, data, etc.?
Legal – if your data is on a shared SAN with another customer whose data gets subpoenaed, will the agency make a copy for you to continue using your data? Probably not. Will probably result in downtime.
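The two segregation questions raised above (a key database field in a shared table, and "delete" versus "deactivate" when you leave a provider) are shown below as an added example; it is not code from the presentation or from any provider named in it. It assumes the simplest shared-table design, a tenant_id column on every row, with constructed tenant names ("acme", "globex") and sample rows, and uses an in-memory SQLite database so it runs offline.

```python
"""
Added example, not from the presentation: segregating commingled SaaS data
in one shared table by a tenant key column, the leak that appears the moment
a query omits that key (the "similar last names" failure above), and the
difference between deactivating and actually deleting a customer's rows.
Table, tenant names and rows are constructed for illustration.
"""
import sqlite3


def build_db():
    """In-memory shared table: every row carries the tenant that owns it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contacts ("
        " id INTEGER PRIMARY KEY,"
        " tenant_id TEXT NOT NULL,"
        " last_name TEXT NOT NULL,"
        " balance INTEGER NOT NULL,"
        " active INTEGER NOT NULL DEFAULT 1)"
    )
    # Constructed sample data: two tenants that happen to share a last name.
    rows = [
        ("acme", "Smith", 100),
        ("acme", "Jones", 250),
        ("globex", "Smith", 9000),
    ]
    conn.executemany(
        "INSERT INTO contacts (tenant_id, last_name, balance) VALUES (?, ?, ?)", rows
    )
    conn.commit()
    return conn


def lookup_unscoped(conn, last_name):
    """The mistake: filter only on the attribute the user typed in.
    Returns rows for every tenant that has a customer with that name."""
    return conn.execute(
        "SELECT tenant_id, last_name, balance FROM contacts"
        " WHERE last_name = ? AND active = 1 ORDER BY id",
        (last_name,),
    ).fetchall()


def lookup_scoped(conn, tenant_id, last_name):
    """Correct: the tenant key comes from the authenticated session and is
    applied on every query, so other customers' rows are never selected."""
    return conn.execute(
        "SELECT tenant_id, last_name, balance FROM contacts"
        " WHERE tenant_id = ? AND last_name = ? AND active = 1 ORDER BY id",
        (tenant_id, last_name),
    ).fetchall()


def leaked_rows(rows, tenant_id):
    """Rows in a result set that belong to someone other than tenant_id."""
    return [r for r in rows if r[0] != tenant_id]


def deactivate_tenant(conn, tenant_id):
    """What 'deactivation' means: a flag flips, the data stays on disk."""
    cur = conn.execute(
        "UPDATE contacts SET active = 0 WHERE tenant_id = ?", (tenant_id,)
    )
    conn.commit()
    return cur.rowcount


def delete_tenant(conn, tenant_id):
    """Actual deletion: the rows are removed (returns how many)."""
    cur = conn.execute("DELETE FROM contacts WHERE tenant_id = ?", (tenant_id,))
    conn.commit()
    return cur.rowcount


def rows_on_disk(conn, tenant_id):
    """How many of a tenant's rows still exist, active or not."""
    return conn.execute(
        "SELECT COUNT(*) FROM contacts WHERE tenant_id = ?", (tenant_id,)
    ).fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    print("unscoped:", lookup_unscoped(db, "Smith"))        # both tenants' Smiths
    print("scoped:  ", lookup_scoped(db, "acme", "Smith"))  # only acme's Smith
    deactivate_tenant(db, "globex")
    print("globex rows on disk after deactivate:", rows_on_disk(db, "globex"))
    delete_tenant(db, "globex")
    print("globex rows on disk after delete:", rows_on_disk(db, "globex"))
```

The point to take from it when reading a provider's contract: with a key-field design the isolation is only as good as the discipline of adding the tenant predicate to every query (a database-level row filter or a separate database per customer removes that dependence on application code), and "deactivated" records are still physically present and recoverable by the provider until a real delete runs.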
Acceptance means you had better have a good response and recovery program.
Transfer – cyber insurance is becoming quite popular. Different from business interruption insurance.
Mitigate – develop controls in line with risks using cost/benefit analysis.
MSSP – think of it as “cloud-based security”.
DLP – very complex systems intended to reduce the threat of a WikiLeaks-style disclosure. Highly process oriented. Highly dependent on data classification and security architecture.
Cyber insurance – business interruption insurance will not cover costs associated with a data breach, since you are still in business. Costs can be astronomical. Areas covered:
Privacy and security liability
Crisis management
Cyber extortion
Media or web content liability
These are the basics of information security. Inexpensive, effective, largely ignored. No silver bullet.
- Without a written document all you really have is hearsay. If policies are formalized and integrated into organizational culture, then any non-compliance can be dealt with according to pre-established guidelines that the employee has signed off on.
- Policies help ensure consistent behavior by clearly communicating what is acceptable, clearly assigning responsibility and, equally important, defining the consequences of non-compliance.
- Policies empower security staff to enforce management intent that may not be popular with system users. How many times have you thanked the security team for implementing firewall rules that don’t allow you to check Facebook several times a day?
- Must be updated! Does your organization have a formal policy regarding the use of internet data storage like Google Docs or Microsoft Windows Live? What about a policy regarding the use of USB memory sticks? Does your company or organization have a formal policy regarding the use of unsecured wi-fi networks with your company laptop? All of these are examples of recent technology trends that have created new security threats. Most organizations have not updated their policies to address these new threats.
Defining data classifications allows relative value to be placed on different types of data. It also helps to reduce the likelihood of unauthorized theft or disclosure of data since confidential and secret data should be better protected.
It does not make economic sense to protect product marketing brochures that are available on the company website at the same level as draft merger and acquisition contracts. If you spend too little, you risk loss or disclosure of information as a result of inadequate security. If you spend too much, you are wasting money that could be spent in other areas such as updating plant and equipment or, at the very least, having a negative impact on productivity as employees waste time navigating unnecessary security measures and recovering overly complex forgotten passwords. How much is the Coca-Cola formula worth? How much would they spend to protect it? What is your company’s IP worth? What would a data breach cost your company?
People are different and have different goals and objectives, many of which are not concerned with maintaining the security of an organization’s data. If the CFO’s Administrative Assistant has been told that the auditors “have to have this spreadsheet in their email by 5pm”, but the corporate email system won’t allow the attachment because it is too large, he will use whatever means necessary to accomplish that objective. Security be damned. He may use his personal email that has no size restrictions on attachments. He may place the spreadsheet out on Google docs in order to share it with the auditor. He may place the spreadsheet on a USB memory stick and hand it to the auditor. All of these methods may be in direct violation of the security policies (if they exist). Security policies have to be constantly reinforced with training and real world examples in order to be effective. Otherwise they are soon forgotten, like the chemistry formulas memorized the night before a test.