Data Safety and Security: What Is the Test and How Can I Meet It?

A guide to understanding data security issues, and what counsel can do about them.

Constantine Karbaliotis, LL.B., CIPP [1]

Introduction

In the Internet age, a degree of familiarity with technology is assumed, simply because of the pervasiveness of technology. What professional today does not have a cell phone capable of taking pictures, receiving e-mails or text messages? What lawyer does not have a computer at home from which to do work, connect to the office, and do research? Unfortunately, technology has become commonplace without a corresponding education for technology users on how to secure data.


Anyone in doubt of this can simply consider some interesting statistics about home users: of those having broadband (high speed) connections, fully two-thirds are without an effective firewall, software or hardware which helps to insulate their computer from invasive scanning from the Internet. Fully two-thirds are still without up-to-date antivirus protection, and one in seven has no anti-virus at all, leaving their computers open to infection by destructive viruses and worms. Four in five users have spyware or adware programs on their computers, but most are unaware of this [2]. Home users are more likely to be ‘taken over’ and turned into ‘zombies’ which are then used to launch secondary attacks on other computer systems; it is estimated that over 4 million computers connected to the Internet have been turned into ‘zombies.’ [3]

[1] Canadian Senior Compliance Business Specialist, Symantec (Canada) Corporation
[2] “Largest In-Home Study of Home Computer Users shows Major Online Threats, Perception Gap”, Joint AOL/NCSA Online Study, www.staysafeonline.org, (2004).

©Symantec (Canada) Corp.


While this illustrates the gap in knowledge most computer users have about data security fundamentals, the reality is that many enterprises, of all sizes, suffer a similar inability to control their computing environment. In many cases, such as with small and medium businesses, the issue simply is that they do not have dedicated information technology (IT) staff with knowledge of the environmental risks. But in many cases, even in large enterprises and even when IT staff are fully aware and have advised management of the risks, management has failed to make the appropriate investment to adequately safeguard the environment.


This paper is directed towards lawyers advising organizations, to provide some guidance about the types of risks which clients are facing, the test against which organizations will be measured under applicable privacy legislation, and some strategies for counsel to help their clients in moving to a better security posture and thus mitigate potential liability through the use of security standards.


Positions affecting Data Security

Lack of understanding of the connected world that we now live in is a key risk in the area of data security. Seeking counsel, whether as to the law or as to technology, is the only remedy to this situation, as it is difficult for most people to become educated about the risks affecting their business.

[3] Symantec Internet Security Threat Report, Vol. X, September 2006, p. 18 (hereafter “ISTRX”). The Symantec Internet Security Threat Report is available on-line for download at http://www.symantec.com/enterprise/threatreport/index.jsp, is updated on a regular basis, and is a valuable resource to understand where current threats exist in the online world.



Security, unfortunately, is not as ‘sexy’ as on-line shopping sites for consumers, or business-to-business portals, which increase revenue for the organization. Security is typically seen simply as a cost, and therefore minimized. Particularly in the privacy arena, where most privacy breaches arise from security breaches, there are three thought processes justifying this stance:

1. “We haven’t had an issue yet.”

2. “Let’s take a wait-and-see approach.”

3. “The consequences are not serious enough to justify the investment.”

These thought processes are based on two faulty assumptions: that the past will provide a good guide to the future, and that the enterprise has had no security issues.


The past is not a good guide to the future. The Internet is evidence that not only are threats evolving, they are evolving more rapidly than most organizations can handle if they rely on traditional tools to respond. Whereas in the early days of the Internet, attacks were primarily made by those seeking reputation for infecting the largest number of machines possible, today attacks are profit-oriented, with organized crime often behind them [4]. Both the purpose and mechanism of attacks change on “Internet time,” which is to say rapidly. The ‘zero-day exploit’ – the attack which occurs on or before the day that a vulnerability is identified, and before software makers can issue patches to remedy the vulnerability – is a further example of why the past is not a good guide to the future.

The targets of attacks have changed: rather than being ‘everyone,’ attacks are increasingly very targeted. In the past, viruses were created with a view to creating reputation – by infecting as many machines as possible, causing embarrassment or actual destruction of data. Anti-virus software makers have responded, and reduced the opportunities for such massive waves of destruction. Now, ‘malware’ authors are targeting customers of specific enterprises, such as banks, in order to obtain personal information such as credit card data, with the ultimate goal of committing fraud or identity theft [5].

[4] ISTRX, page 4


The second fallacy, “We have been okay up to now,” has often been the response to IT staff seeking better security.

Most organizations which have inadequate security safeguards also have no capacity to know if they have had a security breach. The risk here is that losses of personal information have taken place without the organization knowing for sure – or worse, that it may still be happening.


Technologies exist which provide for intrusion detection and monitoring, and which audit systems’ compliance with security and privacy policies: examples include testing whether passwords are long enough, whether the latest operating system patches have been applied, or whether each system has up-to-date antivirus protection. These systems provide auditable evidence of compliance. Not enough organizations in Canada have made the investment in these technologies, which is increasingly less defensible given the number of areas in addition to privacy where organizations are obliged to provide evidence of compliance with security standards – SOX/Bill 198, PCI, and critical infrastructure protection requirements, to name a few.
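As an added example (not from the paper or from Symantec), the following Python script shows what ‘auditable evidence of compliance’ can look like in practice: it checks a constructed host inventory against the three controls the paragraph names (password length, patch currency, antivirus freshness) and produces a report carrying a digest, so a later reader can tell whether the record was altered after the audit. The policy thresholds, hostnames and inventory values are constructed for illustration.

```python
import hashlib
import json
from datetime import date

# Constructed policy thresholds (an assumption for this example, not any named standard).
POLICY = {
    "version": "example-policy-1.0",
    "min_password_length": 8,
    "max_patch_age_days": 30,
    "max_av_signature_age_days": 3,
}

# Constructed host inventory, in the shape an endpoint agent or asset database might report.
INVENTORY = [
    {"host": "ws-101", "min_password_length": 10, "last_patch": "2006-09-10",
     "av_installed": True, "av_signatures": "2006-09-18"},
    {"host": "ws-102", "min_password_length": 6, "last_patch": "2006-06-01",
     "av_installed": True, "av_signatures": "2006-09-18"},
    {"host": "ws-103", "min_password_length": 8, "last_patch": "2006-09-15",
     "av_installed": False, "av_signatures": None},
    {"host": "ws-104", "min_password_length": 12, "last_patch": "2006-09-01",
     "av_installed": True, "av_signatures": "2006-09-01"},
]


def _age_days(iso_day, today):
    return (today - date.fromisoformat(iso_day)).days


def audit_host(rec, policy, today):
    """Return the controls this host fails; an empty list means compliant."""
    findings = []
    if rec["min_password_length"] < policy["min_password_length"]:
        findings.append("password length %d below policy minimum %d"
                        % (rec["min_password_length"], policy["min_password_length"]))
    patch_age = _age_days(rec["last_patch"], today)
    if patch_age > policy["max_patch_age_days"]:
        findings.append("patches %d days old (max %d)"
                        % (patch_age, policy["max_patch_age_days"]))
    # A host with no antivirus at all is a finding in itself; stale signatures are another.
    if not rec["av_installed"] or rec["av_signatures"] is None:
        findings.append("antivirus not installed")
    else:
        sig_age = _age_days(rec["av_signatures"], today)
        if sig_age > policy["max_av_signature_age_days"]:
            findings.append("antivirus signatures %d days old (max %d)"
                            % (sig_age, policy["max_av_signature_age_days"]))
    return findings


def _digest(record):
    # Canonical JSON (sorted keys, no whitespace) so the same content always hashes the same.
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def audit_inventory(inventory, policy, audit_date):
    """Audit every host and return an evidence record with an integrity digest."""
    today = date.fromisoformat(audit_date)
    results = {rec["host"]: audit_host(rec, policy, today) for rec in inventory}
    evidence = {
        "policy_version": policy["version"],
        "audit_date": audit_date,
        "hosts_checked": len(inventory),
        "compliant_hosts": sorted(h for h, f in results.items() if not f),
        "findings": {h: f for h, f in results.items() if f},
    }
    # The digest detects later alteration of the record; for evidence that must hold up
    # against a deliberate forger, sign the digest with a key the auditor controls.
    evidence["sha256"] = _digest(evidence)
    return evidence


def verify_evidence(evidence):
    """Recompute the digest over everything except the stored digest itself."""
    body = {k: v for k, v in evidence.items() if k != "sha256"}
    return _digest(body) == evidence["sha256"]


if __name__ == "__main__":
    print(json.dumps(audit_inventory(INVENTORY, POLICY, "2006-09-20"), indent=2))
```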


It is only when a breach occurs, and some exposure, whether through publicity, law suits or regulators, that money is made available to address security and privacy concerns. This becomes a rushed expenditure that rarely is well spent – reacting to the immediate problem rather than putting in place a security and privacy solution that fits into the overall business. ‘Firefighting’ highlights yet another risk associated with not having determined a data security strategy in calmer moments.

[5] ISTRX, page 9


Finally, as to the third fallacy, the risk of consequences is indeed changing. The Privacy Commissioner of Canada has announced that her office will be conducting audits where there are reasonable grounds to be concerned over the privacy practices of an organization. Public issuers in Canada subject to Sarbanes-Oxley and Bill 198 are subject to an increased level of audits concerning their information management – and in turn are also conducting audits known as CICA 5970 audits to review the information practices of their sub-contractors and outsourcing partners, to ensure that they are handling information in an appropriate manner, since the public issuer remains liable for any problems associated with the safeguarding of the information being processed by the subcontractor or outsourcer. Finally, the Payment Card Industry Security Standards provide for serious consequences for companies which fail to adhere to the standards, including fines by the credit card issuers, or termination of their contract to process credit cards. (Attached as Appendix A is the PCI Security Standard.) Compliance is increasingly a corporate topic inclusive of privacy, as well as a host of other regulatory and contractual requirements. A weakness in security affects compliance in all arenas.


Apart from regulatory sanctions or law suits, it is increasingly obvious, both within Canada and in the US, that security breach stories are never good for the reputation of the organization. Finally, while there are not yet many cases in Canada arising from security breaches, it would be expected that lawyers would consider not only regulatory action, but the likelihood that civil damage claims would ultimately be made in an appropriate case. Because such security breaches often involve databases, and thus the exposure of the personal and financial information of large numbers of individuals, these types of claims are ideally suited to become class proceedings.


Threats and Attacks

This is not intended to be exhaustive, but to supply some basic knowledge about current threats and attacks, as well as the language relating to them, and how they operate to threaten an enterprise [6].

Malicious code refers to the variety of types of software that has evil intent – regardless of the mechanism with which they spread or operate. Viruses were the first of this type, but the category now includes worms, trojans, bots, and adware or spyware. Malicious code has one thing in common – it involves installation of software which causes harm, either without the consent of the computer user, or by deception. Risks from these types of programs are increasing in response to the improved defences supplied by anti-virus technologies; malicious software is now often modular, downloading other software after the initial infection, and is thus able to update itself with new, potentially more damaging code.


A computer virus is a small program written to alter the way a computer operates, without the permission or knowledge of the user. Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply to replicate themselves and make their presence known by presenting text, video, and audio messages. Even these benign viruses can create problems for the computer user. They typically take up computer memory used by legitimate programs. As a result, they often cause erratic behavior and can result in system crashes. In addition, many viruses are bug-ridden, and these bugs may lead to system crashes and data loss. Polymorphic viruses are becoming more prevalent: these alter their own code during replication to avoid detection by traditional antivirus software.

[6] The definitions are taken from a variety of Symantec sources; see http://www.symantec.com/enterprise/library/index.jsp for enterprise related information, and http://www.symantec.com/en/ca/home_homeoffice/library/index.jsp for home and home office related information.


Worms are programs that replicate themselves from system to system without the use of a host file. This is in contrast to viruses, which require the spreading of an infected host file. Although worms generally exist inside of other files, often Word or Excel documents, there is a difference between how worms and viruses use the host file. Usually the worm will release a document that already has the "worm" macro inside the document. The entire document will travel from computer to computer, so the entire document should be considered the worm.


Trojan horses are impostors—files that claim to be something desirable but, in fact, are malicious. A very important distinction between Trojan horse programs and true viruses is that they do not replicate themselves. Trojan horses contain malicious code that, when triggered, causes loss, or even theft, of data. For a Trojan horse to spread, you must invite these programs onto your computers; for example, by opening an email attachment or downloading and running a file from the Internet.


Bots (short for “robots”) are programs that are covertly installed on a targeted system. They allow an unauthorized user to remotely control the compromised computer for a wide variety of malicious purposes. Attackers often coordinate large groups of bot-controlled systems known as bot networks. These networks can be used to perform distributed attacks, including denial-of-service (DoS) attacks, against organizations’ systems.

A rootkit is a collection of trojan horses that replace system binaries in an attempt to allow attackers to retain access to systems while hiding their activity. Often, the script used to install the rootkit will remove evidence of the compromise and rootkit installation to further cloak the intrusion.


Spam has been a pervasive problem over the past few years; enterprises have had to invest significant efforts and money in technologies to prevent the onslaught of invitations to invest, expand various parts of the human anatomy, buy drugs, or participate in get-rich-quick schemes. Spam now makes up 54% of all monitored e-mail traffic.


As instances of spam climb, so does the complexity of the techniques used. Over the past couple of years, “phishing” has become a common phenomenon. Phishing generally employs clever fakes designed to lure the unwitting into revealing confidential information such as passwords, account information, and other forms of sensitive personal information. Spam is also becoming a conduit for malicious code, such as Trojans, which may be used to turn recipients’ computers into ‘zombies’ that can be remotely controlled by hackers to attack Web servers, collect personal information, or send spam emails. On average, 172,000 users lose control of their machines each day, and zombie networks account for about 50 to 80% of all spam according to various industry reports [7].


Adware and spyware are also becoming a prevalent source of problems [8]. Adware and spyware are software which has been installed, often deliberately by a user of the home computer, but was ‘hidden’ in an otherwise innocent-looking download of a browser toolbar, utility, game or screensaver. Spyware or adware is often included in apparently desirable or useful software downloaded from the Internet, and may even be mentioned in the licence agreement that most users simply click to accept. Spyware can include software which searches for and sends sensitive data, records the user entering passwords or credit card information, and sends it surreptitiously to the creator’s web site.

Adware often installs other, pernicious software which redirects the user to web sites to drive up usage statistics, on which web sites are often paid by advertisers, or imposes advertising on the home user. Often, the content of these sites or advertising can be uncomfortable or embarrassing for adult users, and is inappropriate and harmful to children. Adware typically also monitors the user’s patterns of usage and behaviour on the Internet and provides this valuable ‘meta-data’ to the authors, who resell it – whether or not the meta-data is anonymous – to others for directed and further intrusive unsolicited advertising.

[7] Getting Tough on the Growing Spam Problem (June 21, 2005), Symantec Enterprise Library
[8] Spyware: How can it be removed? (June 15, 2005), Symantec Home and Home Office


A Sampling of Data Security Issues and Mitigations

Data security breaches can occur in a number of ways, and can impact many different types of information in the organization. While loss of business confidential information can also be devastating to an organization, the focus here will be the likely ways in which the personal information in the custody of the organization can go astray. This is not intended to be an exhaustive list of potential data security risks, but one that focuses on the ways in which lawyers work on a day-to-day basis, and that is applicable to the law firm environment.



1. Portable information

Information is increasingly portable – and given that most people seem to work more than forty hours in a week, often from the road or at home, this is a tremendous convenience. It is fairly common to use these devices to copy information from the corporate network, and take it home to work on. Laptops and other portable devices that can carry tremendous amounts of data, such as USB drives or iPods, are pervasive, useful and commonly used by professionals and organizations’ executives and staff. But there are many public examples of the loss of this portable information; the ones that have recently received considerable attention are losses of laptops.

One strategy is to encrypt the data on the device. However, few organizations make the effort to ensure that the information on these devices is encrypted so as to mitigate the risk of the loss of the device. This is often due to the administrative difficulty in managing the keys required to encrypt data – this requires some central management, and thus effort and labour, simply to ensure that the data can be recovered when (inevitably) the user forgets their password.

Another strategy is to not allow personal information to get onto the laptop or device in the first place. With web-enabled applications, most information can be offered remotely to users, and securely – and loss of the laptop means little if there is no information actually stored there. This requires, however, an investment in web-based security and in making the information needed to do one’s work available remotely.



2. Endpoint Security: Working from home and the web cafe

Many knowledge workers work from home – after all, with high-speed access, and the never-ending work week, this is quite practical. But there are, as noted above, few homes that have adequate security around their home networks and computers, and this is ultimately the organization’s problem.

Home users are the most highly targeted group of users for targeted attacks – 86% according to the latest Symantec Internet Security Threat Report [9]. This is likely because they remain a fertile source of personal information, in combination with inadequate measures to secure home computing resources.

The risks that home working creates arise in part from the lack of even basic protections on home computers that are nonetheless used to connect to corporate networks. To address this, many companies are making anti-virus software available to their employees, specifically for their home computers, as well as firewall software. Another common approach is to create a ‘virtual private network’ (VPN) that allows home users to communicate through a secure, encrypted ‘tunnel’ directly to the corporate environment, ensuring that the content of the communications cannot be intercepted. As well, secure web applications can be utilized to encrypt the connection between the remote user and the web application.

The problem with both these approaches is that they assume that there is protection against malicious code at the endpoint – the user’s computer.

[9] ISTRX, page 9



Web ‘cafés’, where there are public terminals available for use and paid for by the hour, as well as wireless connections for those using their own laptops, present another set of challenges. These web café computers may be infected with malware, or viruses, through the usual mechanism of people visiting sites and downloading software, or by deliberate actions on the part of those seeking to harvest personal information.

Web cafes, as well as home users, often utilize the convenience of wireless connections. These present their own challenges, simply because they are so convenient, and commonplace, yet so typically inadequately protected. An estimated 75% of wireless networks are either insecure (not utilizing encryption) or are configured with ‘default’ administrator passwords and setup, well known and available by simply downloading user manuals from the Internet. (Typically, they are set up for user ‘admin’ with password ‘admin’.)

Because of their convenience and ease to set up, corporate IT administrators have to be on the look-out for users who have simply connected a wireless access point to the corporate network. This poses a tremendous risk, because users typically fail to turn on even rudimentary security; such a connection opens the whole network up to exposure, defeating the often tremendous investment in setting up firewalls and other security through the corporate network’s connection to the Internet.

An additional area of concern lies in the monitoring of communications between users and the corporate LAN over unencrypted connections: ‘eavesdropping’ on the transfer of confidential information. Often this can happen quite accidentally – many laptops come with wireless networking built in, which users turn on so they can connect at home, but fail to turn off when returning to work. While connected to the wired corporate network, the wireless connection provides an access point into the network to anyone in the vicinity [10].


“Wardriving” refers to the hobby of locating and accessing such available access points. Below is a map from 2004 indicating, in green, insecure access points in downtown Toronto; blue indicates ‘default’ set-ups, and the red, those utilizing WEP (wireless encryption protocol) for security. Even WEP has been demonstrated to be easily cracked, and new, more defensible standards such as WPA have evolved; however, it may be that the only way to secure wireless connections carrying confidential or personal information effectively is to use a VPN and encrypt the communications [11].

[10] ISTRX, page 34
[11] ISTRX, page 36




[Map of wireless access points in downtown Toronto, 2004: green marks insecure access points, blue ‘default’ set-ups, and red those using WEP.] [12]

In a 2003 story in Toronto, police arrested a man driving the wrong way down a one-way street, and found him half-naked with a laptop utilizing an insecure wireless connection from a home network to download child pornography. This highlights the risk to individuals and businesses, who might be called to explain why their IP address was being used to access inappropriate materials.

[12] Source: www.wirelessbandit.nerdsunderglass.com



3. Malicious Code Protection

What can be done about malicious code? It is now an expectation that organizations will have up-to-date antivirus software installed on computers, and will scan e-mail attachments as well as most other forms of electronic communication – instant messaging being the latest battleground – to ensure malicious code does not enter the organization. Organizations which do not have this must be viewed as falling below an acceptable standard of care.

But it goes beyond this. One of the greatest problems in this area is of course the ‘unmanaged device’ such as the home computer, or the USB drive, or even the old floppy, that requires the enterprise to actively monitor and defend itself from the risks associated with malicious code entering through the day-to-day activities of users accessing the corporate network. Technology to support remote users on a variety of platforms exists; so do technologies which monitor or disable USB devices that are not approved, or which automatically run scans and isolate devices that do not meet corporate security standards; as does access control technology that ensures that only permitted devices are able to access information over the corporate network. These are all available, and must be viewed as essential elements in the toolkit to meet the obligations of the corporation’s stewardship over personal information.


Education is also critical to help prevent infection; users must be taught not to open attachments that are not from trusted sources, or that they are not expecting. Most successful malicious code attacks are in combination with ‘social engineering’ techniques, which require the user to be fooled into opening an attachment or running a program. Given that outbreaks can often be attributed to poor information security practices on the part of users, a security awareness program should be considered not a best practice, but a minimum requirement.

Considering the consequences of a virulent outbreak, the organization must devote an appropriate amount of resources to deal with the consequences of a potential exposure of confidential and personal information to those seeking to use it for fraudulent purposes, which includes considering it from the perspective of business continuity planning (such as the use of archiving and retrieval technologies).


Best Practice = Best Defence?

It is against the standard of reasonableness that most actions are measured, including data security. The tendency is to confuse this with ‘what everyone else is doing.’ This is not a helpful way to determine an appropriate course of action with regards to data safety and security, and represents the fourth and final fallacy: what everyone is doing may be wrong.

Best practices are identified by practitioners in the information security field, and it is against these that organizations will be measured, in terms of how closely the organization’s practices match them.

With this in mind, the following enterprise best practices [13] are suggested as being ‘the test’ for data security and safeguarding in the privacy arena:


1. Enterprises should first of all have a security strategy and policy, which involves multiple, overlapping, and mutually supportive systems to guard against a single point of failure in any specific technology or protection method. This should include the deployment of regularly updated antivirus, firewalls, intrusion detection, and intrusion protection systems on client systems.

2. Enterprises should assess their systems against their enterprise security policy, and turn off and remove services that are not needed.

3. If malicious code or some other threat exploits one or more network services, the enterprise must have the capacity to disable or block access to those services until a patch is applied.

4. The enterprise must always keep patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as web, file transfer, mail, and directory or domain services.

5. Enterprises should implement network compliance solutions that will help keep infected mobile users out of the network (and clean them up before entering).

6. Enterprises must enforce an effective password policy. Ensure that passwords are a mix of letters and numbers. Do not use dictionary words. Change passwords often.

7. Enterprises should configure mail servers to block or remove email that contains file attachments that are commonly used to spread viruses.

8. Enterprises must have the capacity to isolate infected computers quickly to prevent the risk of further infection within the organization, and thereafter perform a forensic analysis and restore the computers using trusted media.

9. Employees should be trained to not open attachments unless they are expected and come from a known and trusted source, and to not execute software that is downloaded from the Internet unless it has been scanned for viruses.

10. Enterprises must ensure that emergency response procedures are in place. This includes having a backup-and-restore solution in place in order to restore lost or compromised data in the event of a successful attack or catastrophic data loss.

11. Enterprises must educate management on security budgeting needs.

12. Enterprises should regularly and routinely test security to ensure that adequate controls are in place – and document the results.

13. Enterprises should ensure that only applications approved by the organization are deployed on the desktop and laptop, to prevent loss of information through malicious code.

[13] ISTRX, page 99
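As an added example (not from the paper or from Symantec), the following Python script shows how item 7 above can be applied at a mail gateway: it parses a constructed e-mail, flags attachments whose final extension is on a block list or whose declared content type is an executable regardless of the filename, and removes those parts from the message. The block list, the executable content types and the sample message are constructed assumptions for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed block list: extensions commonly used to carry executable content.
# A real deployment would take this from the mail gateway's configuration.
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "bat", "cmd", "com", "vbs", "js", "wsf"}
# Declared content types that mean "Windows executable" whatever the filename says.
RISKY_CONTENT_TYPES = {"application/x-msdownload", "application/x-msdos-program"}


def build_sample_message():
    """Constructed sample message: one legitimate PDF and three risky attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    # Harmless attachment: should survive filtering.
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    # Plain executable extension.
    msg.add_attachment(b"MZ constructed", maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    # Double extension: the final ".scr" is what the operating system honours.
    msg.add_attachment(b"MZ constructed", maintype="application",
                       subtype="octet-stream", filename="photo.jpg.scr")
    # Innocent-looking name, but the declared type is an executable.
    msg.add_attachment(b"MZ constructed", maintype="application",
                       subtype="x-msdownload", filename="notes.txt")
    return msg.as_bytes()


def is_risky(part):
    """Decide on a single MIME part: blocked final extension OR executable content type."""
    filename = (part.get_filename() or "").lower()
    extension = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return extension in BLOCKED_EXTENSIONS or part.get_content_type() in RISKY_CONTENT_TYPES


def strip_risky(msg):
    """Recursively remove risky parts from a multipart message; return the names removed."""
    removed = []
    if not msg.is_multipart():
        return removed
    kept = []
    for part in msg.get_payload():
        if is_risky(part):
            removed.append(part.get_filename() or part.get_content_type())
        else:
            removed.extend(strip_risky(part))   # nested multipart, e.g. a forwarded message
            kept.append(part)
    msg.set_payload(kept)
    return removed


def filter_raw(raw_bytes):
    """Parse a raw message, strip risky attachments, return (message, kept names, removed names)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    removed = strip_risky(msg)
    kept = [p.get_filename() for p in msg.walk() if p.get_filename()]
    return msg, kept, removed


if __name__ == "__main__":
    cleaned, kept, removed = filter_raw(build_sample_message())
    print("kept:", kept)
    print("removed:", removed)
```

Extension blocking is a first line only: item 9's antivirus scan of whatever is left still applies, since an archive or a document with macros passes this filter untouched.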


Conclusion

This can only be a brief introduction for counsel wishing to understand the risks associated with data security, and to begin the conversation needed with IT staff in client organizations.

Mature organizations understand that there must be an ongoing conversation between counsel and IT staff, in order to ensure that the legal obligations of the organization in respect to compliance, including data security, are met. The facilitator and implementer of that effort, and the tools appropriate to the task, is the IT department; it is only with the assistance of the IT department that the goals of the enterprise in data security can be met. However, the requirements for data security, as well as a full assessment of the risks to the business, and the potential for harm, must involve the business side, and of course, legal counsel.



Appendix A: The PCI Security Standard

Build and Maintain a Secure Network
       Requirement 1: Install and maintain a firewall configuration to protect cardholder data
       Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
       Requirement 3: Protect stored cardholder data
       Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
       Requirement 5: Use and regularly update anti-virus software
       Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
       Requirement 7: Restrict access to cardholder data by business need-to-know
       Requirement 8: Assign a unique ID to each person with computer access
       Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
       Requirement 10: Track and monitor all access to network resources and cardholder data
       Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
       Requirement 12: Maintain a policy that addresses information security
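Recommendation 12 asks that security be tested routinely and the results documented, recommendation 13 asks that only approved applications run on desktops and laptops, and Requirements 2, 5, 6 and 11 above cover vendor defaults, anti-virus currency, maintained systems and regular testing. The Python script below is an added example, not part of the paper or of any Symantec product: it runs those control tests over a constructed endpoint inventory and produces a dated evidence record of the kind an auditor can be shown. The application allowlist, the thresholds, the control names and the sample endpoints are all assumptions made for the example.

```python
"""Routine control testing with a documented result (added example, not from the paper)."""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass
from datetime import date, datetime, timezone

# Policy values are assumptions chosen for this example, not figures from the paper.
APPROVED_APPS = {"office-suite", "pdf-reader", "vpn-client", "endpoint-av"}
MIN_PASSWORD_LENGTH = 12        # minimum length each system must enforce
MAX_AV_SIGNATURE_AGE_DAYS = 3   # PCI Requirement 5: anti-virus regularly updated
MAX_PATCH_AGE_DAYS = 30         # PCI Requirement 6: systems maintained and patched


@dataclass
class Endpoint:
    """Snapshot of one desktop or laptop as an inventory tool would report it (constructed)."""
    name: str
    installed_apps: set[str]
    av_signature_date: date
    last_patch_date: date
    password_min_length: int
    accounts_on_vendor_defaults: list[str]  # local accounts still using a vendor-supplied password


@dataclass
class Finding:
    """One control tested on one endpoint; the list of these is the audit evidence."""
    endpoint: str
    control: str
    reference: str   # which recommendation or PCI requirement the control supports
    passed: bool
    detail: str


def check_endpoint(ep: Endpoint, as_of: date) -> list[Finding]:
    """Run every control test against one endpoint and return one Finding per control."""
    unapproved = sorted(ep.installed_apps - APPROVED_APPS)
    av_age = (as_of - ep.av_signature_date).days
    patch_age = (as_of - ep.last_patch_date).days
    defaults = ep.accounts_on_vendor_defaults
    return [
        Finding(ep.name, "approved-applications-only", "recommendation 13", not unapproved,
                ("unapproved: " + ", ".join(unapproved)) if unapproved else "all applications approved"),
        Finding(ep.name, "antivirus-current", "PCI Requirement 5",
                av_age <= MAX_AV_SIGNATURE_AGE_DAYS, f"signatures {av_age} days old"),
        Finding(ep.name, "patches-current", "PCI Requirement 6",
                patch_age <= MAX_PATCH_AGE_DAYS, f"last patched {patch_age} days ago"),
        Finding(ep.name, "password-length-policy", "password policy",
                ep.password_min_length >= MIN_PASSWORD_LENGTH,
                f"enforced minimum length {ep.password_min_length}"),
        Finding(ep.name, "no-vendor-default-passwords", "PCI Requirement 2", not defaults,
                ("accounts on defaults: " + ", ".join(defaults)) if defaults else "no vendor defaults in use"),
    ]


def run_assessment(endpoints: list[Endpoint], as_of: date, tester: str) -> dict:
    """Test every endpoint and build the evidence record that recommendation 12 and Requirement 11 call for."""
    findings = [f for ep in endpoints for f in check_endpoint(ep, as_of)]
    failed = [f for f in findings if not f.passed]
    return {
        "assessed_on": as_of.isoformat(),
        "recorded_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "tester": tester,
        "endpoints_tested": len(endpoints),
        "controls_tested": len(findings),
        "controls_failed": len(failed),
        "non_compliant_endpoints": sorted({f.endpoint for f in failed}),
        "findings": [asdict(f) for f in findings],
    }


# Constructed inventory for the example: one compliant laptop, one desktop failing every control.
SAMPLE_ENDPOINTS = [
    Endpoint("LAPTOP-01", {"office-suite", "vpn-client", "endpoint-av"},
             av_signature_date=date(2024, 3, 1), last_patch_date=date(2024, 2, 20),
             password_min_length=14, accounts_on_vendor_defaults=[]),
    Endpoint("DESKTOP-07", {"office-suite", "endpoint-av", "p2p-share"},
             av_signature_date=date(2024, 1, 15), last_patch_date=date(2023, 11, 30),
             password_min_length=8, accounts_on_vendor_defaults=["admin"]),
]
ASSESSMENT_DATE = date(2024, 3, 2)


if __name__ == "__main__":
    # Printing the JSON record (or writing it to a file) is the "document the results" step.
    print(json.dumps(run_assessment(SAMPLE_ENDPOINTS, ASSESSMENT_DATE, "IT security (example)"), indent=2))
```

The record keeps a pass/fail line for every control on every endpoint, not only the failures, so a later reviewer can see what was tested and when, which is the point of documenting the results rather than just fixing what was found.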




                                                                        ©Symantec (Canada) Corp.

Más contenido relacionado

La actualidad más candente

Cybersecurity - Webinar Session
Cybersecurity - Webinar SessionCybersecurity - Webinar Session
Cybersecurity - Webinar SessionKalilur Rahman
 
Data Privacy Introduction
Data Privacy IntroductionData Privacy Introduction
Data Privacy IntroductionG Prachi
 
Data Privacy and Protection Presentation
Data Privacy and Protection PresentationData Privacy and Protection Presentation
Data Privacy and Protection Presentationmlw32785
 
Cyber Security Awareness
Cyber Security AwarenessCyber Security Awareness
Cyber Security AwarenessRamiro Cid
 
Checklist for SMEs for GDPR compliance
Checklist for SMEs for GDPR complianceChecklist for SMEs for GDPR compliance
Checklist for SMEs for GDPR complianceSarah Fox
 
INFORMATION ASSURANCE AND SECURITY 1.pdf
INFORMATION ASSURANCE AND SECURITY 1.pdfINFORMATION ASSURANCE AND SECURITY 1.pdf
INFORMATION ASSURANCE AND SECURITY 1.pdfEarlvonDeiparine1
 
Cyber Security 2017 Challenges
Cyber Security 2017 ChallengesCyber Security 2017 Challenges
Cyber Security 2017 ChallengesLeandro Bennaton
 
Cybersecurity Audit
Cybersecurity AuditCybersecurity Audit
Cybersecurity AuditEC-Council
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident ResponsePECB
 
Cia security model
Cia security modelCia security model
Cia security modelImran Ahmed
 
Cyber Security Best Practices
Cyber Security Best PracticesCyber Security Best Practices
Cyber Security Best PracticesEvolve IP
 
Cyber Security Threats in the Financial Sector
Cyber Security Threats in the Financial SectorCyber Security Threats in the Financial Sector
Cyber Security Threats in the Financial SectorFarook Al-Jibouri
 
Presentation on Cyber Security
Presentation on Cyber SecurityPresentation on Cyber Security
Presentation on Cyber SecurityBalwantBesra
 
Module 2 Threat Management and Cybersecurity Resources (1).pptx
Module 2 Threat Management and Cybersecurity Resources (1).pptxModule 2 Threat Management and Cybersecurity Resources (1).pptx
Module 2 Threat Management and Cybersecurity Resources (1).pptxtahreerbassam2014
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber SecurityStephen Lahanas
 
Introduction to cyber security amos
Introduction to cyber security amosIntroduction to cyber security amos
Introduction to cyber security amosAmos Oyoo
 

La actualidad más candente (20)

Cybersecurity - Webinar Session
Cybersecurity - Webinar SessionCybersecurity - Webinar Session
Cybersecurity - Webinar Session
 
Data Privacy Introduction
Data Privacy IntroductionData Privacy Introduction
Data Privacy Introduction
 
Data Privacy and Protection Presentation
Data Privacy and Protection PresentationData Privacy and Protection Presentation
Data Privacy and Protection Presentation
 
Cyber Security Awareness
Cyber Security AwarenessCyber Security Awareness
Cyber Security Awareness
 
Big Data & Privacy
Big Data & PrivacyBig Data & Privacy
Big Data & Privacy
 
Checklist for SMEs for GDPR compliance
Checklist for SMEs for GDPR complianceChecklist for SMEs for GDPR compliance
Checklist for SMEs for GDPR compliance
 
Information security
Information securityInformation security
Information security
 
INFORMATION ASSURANCE AND SECURITY 1.pdf
INFORMATION ASSURANCE AND SECURITY 1.pdfINFORMATION ASSURANCE AND SECURITY 1.pdf
INFORMATION ASSURANCE AND SECURITY 1.pdf
 
Data security
Data securityData security
Data security
 
Cyber Security 2017 Challenges
Cyber Security 2017 ChallengesCyber Security 2017 Challenges
Cyber Security 2017 Challenges
 
Cybersecurity Audit
Cybersecurity AuditCybersecurity Audit
Cybersecurity Audit
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
 
Cia security model
Cia security modelCia security model
Cia security model
 
Cyber Security Best Practices
Cyber Security Best PracticesCyber Security Best Practices
Cyber Security Best Practices
 
Cyber Security Threats in the Financial Sector
Cyber Security Threats in the Financial SectorCyber Security Threats in the Financial Sector
Cyber Security Threats in the Financial Sector
 
Presentation on Cyber Security
Presentation on Cyber SecurityPresentation on Cyber Security
Presentation on Cyber Security
 
Module 2 Threat Management and Cybersecurity Resources (1).pptx
Module 2 Threat Management and Cybersecurity Resources (1).pptxModule 2 Threat Management and Cybersecurity Resources (1).pptx
Module 2 Threat Management and Cybersecurity Resources (1).pptx
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber Security
 
Introduction to cyber security amos
Introduction to cyber security amosIntroduction to cyber security amos
Introduction to cyber security amos
 
Zero Trust Model Presentation
Zero Trust Model PresentationZero Trust Model Presentation
Zero Trust Model Presentation
 

Similar a Data Safety And Security

InformationSecurity_11141
InformationSecurity_11141InformationSecurity_11141
InformationSecurity_11141sraina2
 
Securité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForceSecurité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForcePatrick Bouillaud
 
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousComplacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousEthan S. Burger
 
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)Sarah Jarvis
 
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdfThe Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdfProtected Harbor
 
For digital media companies, effective cybersecurity programs a must
For digital media companies, effective cybersecurity programs a mustFor digital media companies, effective cybersecurity programs a must
For digital media companies, effective cybersecurity programs a mustGrant Thornton LLP
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperCMR WORLD TECH
 
A1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for CybersecurityA1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for CybersecuritySpark Security
 
managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991Jim Romeo
 
Five Network Security Threats And How To Protect Your Business Wp101112
Five Network Security Threats And How To Protect Your Business Wp101112Five Network Security Threats And How To Protect Your Business Wp101112
Five Network Security Threats And How To Protect Your Business Wp101112Erik Ginalick
 
5 network-security-threats
5 network-security-threats5 network-security-threats
5 network-security-threatsReadWrite
 
12Cyber Research ProposalCyb
12Cyber Research ProposalCyb12Cyber Research ProposalCyb
12Cyber Research ProposalCybAnastaciaShadelb
 
Ways To Protect Your Company From Cybercrime
Ways To Protect Your Company From CybercrimeWays To Protect Your Company From Cybercrime
Ways To Protect Your Company From Cybercrimethinkwithniche
 
Cyber liability and cyber security
Cyber liability and cyber securityCyber liability and cyber security
Cyber liability and cyber securityHelen Carpenter
 
Top 3 security concerns for enterprises
Top 3 security concerns for enterprisesTop 3 security concerns for enterprises
Top 3 security concerns for enterprisesTaranggg11
 

Similar a Data Safety And Security (20)

InformationSecurity_11141
InformationSecurity_11141InformationSecurity_11141
InformationSecurity_11141
 
IBM X-Force.PDF
IBM X-Force.PDFIBM X-Force.PDF
IBM X-Force.PDF
 
Securité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForceSecurité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-Force
 
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousComplacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
 
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdfThe Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
 
For digital media companies, effective cybersecurity programs a must
For digital media companies, effective cybersecurity programs a mustFor digital media companies, effective cybersecurity programs a must
For digital media companies, effective cybersecurity programs a must
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaper
 
A1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for CybersecurityA1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for Cybersecurity
 
managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991
 
Five Network Security Threats And How To Protect Your Business Wp101112
Five Network Security Threats And How To Protect Your Business Wp101112Five Network Security Threats And How To Protect Your Business Wp101112
Five Network Security Threats And How To Protect Your Business Wp101112
 
5 network-security-threats
5 network-security-threats5 network-security-threats
5 network-security-threats
 
Cybersecurity After WannaCry: How to Resist Future Attacks
Cybersecurity After WannaCry: How to Resist Future AttacksCybersecurity After WannaCry: How to Resist Future Attacks
Cybersecurity After WannaCry: How to Resist Future Attacks
 
Window of Compromise
Window of CompromiseWindow of Compromise
Window of Compromise
 
12Cyber Research ProposalCyb
12Cyber Research ProposalCyb12Cyber Research ProposalCyb
12Cyber Research ProposalCyb
 
12Cyber Research ProposalCyb
12Cyber Research ProposalCyb12Cyber Research ProposalCyb
12Cyber Research ProposalCyb
 
Ways To Protect Your Company From Cybercrime
Ways To Protect Your Company From CybercrimeWays To Protect Your Company From Cybercrime
Ways To Protect Your Company From Cybercrime
 
Cyber liability and cyber security
Cyber liability and cyber securityCyber liability and cyber security
Cyber liability and cyber security
 
Top 3 security concerns for enterprises
Top 3 security concerns for enterprisesTop 3 security concerns for enterprises
Top 3 security concerns for enterprises
 

Más de Constantine Karbaliotis

Getting to Accountability Karbaliotis and Patrikios-Oct 22 2015
Getting to Accountability Karbaliotis and Patrikios-Oct 22 2015Getting to Accountability Karbaliotis and Patrikios-Oct 22 2015
Getting to Accountability Karbaliotis and Patrikios-Oct 22 2015Constantine Karbaliotis
 
Impact of GDPR on Canada May 2016 - Presented at IAPP Canada Symposium
Impact of GDPR on Canada May 2016 - Presented at IAPP Canada SymposiumImpact of GDPR on Canada May 2016 - Presented at IAPP Canada Symposium
Impact of GDPR on Canada May 2016 - Presented at IAPP Canada SymposiumConstantine Karbaliotis
 
Canadian Response to the Draft EU Regulation - May 2013
Canadian Response to the Draft EU Regulation - May 2013Canadian Response to the Draft EU Regulation - May 2013
Canadian Response to the Draft EU Regulation - May 2013Constantine Karbaliotis
 
The Value of Personal Information - IAPP Canada 2011
The Value of Personal Information - IAPP Canada 2011The Value of Personal Information - IAPP Canada 2011
The Value of Personal Information - IAPP Canada 2011Constantine Karbaliotis
 
International Perspectives on Data Breach
International Perspectives on Data BreachInternational Perspectives on Data Breach
International Perspectives on Data BreachConstantine Karbaliotis
 
Update on enterprise social media risks
Update on enterprise social media risks Update on enterprise social media risks
Update on enterprise social media risks Constantine Karbaliotis
 

Más de Constantine Karbaliotis (9)

Getting to Accountability Karbaliotis and Patrikios-Oct 22 2015
Getting to Accountability Karbaliotis and Patrikios-Oct 22 2015Getting to Accountability Karbaliotis and Patrikios-Oct 22 2015
Getting to Accountability Karbaliotis and Patrikios-Oct 22 2015
 
Impact of GDPR on Canada May 2016 - Presented at IAPP Canada Symposium
Impact of GDPR on Canada May 2016 - Presented at IAPP Canada SymposiumImpact of GDPR on Canada May 2016 - Presented at IAPP Canada Symposium
Impact of GDPR on Canada May 2016 - Presented at IAPP Canada Symposium
 
Canadian Response to the Draft EU Regulation - May 2013
Canadian Response to the Draft EU Regulation - May 2013Canadian Response to the Draft EU Regulation - May 2013
Canadian Response to the Draft EU Regulation - May 2013
 
The Value of Personal Information - IAPP Canada 2011
The Value of Personal Information - IAPP Canada 2011The Value of Personal Information - IAPP Canada 2011
The Value of Personal Information - IAPP Canada 2011
 
International Perspectives on Data Breach
International Perspectives on Data BreachInternational Perspectives on Data Breach
International Perspectives on Data Breach
 
Privacy issues in the cloud
Privacy issues in the cloudPrivacy issues in the cloud
Privacy issues in the cloud
 
Update on enterprise social media risks
Update on enterprise social media risks Update on enterprise social media risks
Update on enterprise social media risks
 
Data Loss During Downsizing
Data Loss During DownsizingData Loss During Downsizing
Data Loss During Downsizing
 
Privacy Access Letter I Feb 5 07
Privacy Access Letter I   Feb 5 07Privacy Access Letter I   Feb 5 07
Privacy Access Letter I Feb 5 07
 

Último

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 

Último (20)

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 

Data Safety And Security

  • 1. Data Safety and Security: What Is the Test and How Can I Meet It? A guide to understanding data security issues, and what counsel can do about them. Constantine Karbaliotis, LL.B., CIPP1 Introduction In the Internet age, a degree of familiarity with technology is assumed, simply because of the pervasiveness of technology. What professional today does not have a cell phone capable of taking pictures, receiving e-mails or text messages? What lawyer does not have a computer at home from which to do work, connect to the office, and do research? Unfortunately, technology has become commonplace without a corresponding education for technology users on how to secure data. Anyone in doubt of this can simply consider some interesting statistics about home users: of those having broadband (high speed) connections, fully two-thirds are without a n effective firewall, software or hardware which helps to insulate their computer from invasive scanning from the Internet. Fully two-thirds are still without up-to-date antivirus protection, and one in seven has no anti-virus at all, leaving their computers open to infection by destructive viruses and worms. Four in five users has spyware or adware programs on their computers, but most are unaware of this2. Home users are more likely to being ‘taken over’ and turned into ‘zombies’ which are then used to launch secondary 1 Canadian Senior Compliance Business Specialist, Symantec (Canada) Corporation 2 “Largest In-Home Study of Home Computer Users shows Major Online Threats, Perception Gap”, Joint AOL/NCSA Online Study, www.staysafeonline.org, (2004). ©Symantec (Canada) Corp.
  • 2. Page 2 attacks on other computer systems; it is estimated that over 4 million computers connected to the Internet have been turned into ‘zombies.’3 While this illustrates the gap of knowledge most computer users have about data security fundamentals, the reality is that many enterprises, of all sizes, suffer a similar inability to control their computing environment. In many cases, such as with small and medium businesses, the issue simply is that they do not have dedicated information technology (IT) staff with knowledge of the environmental risks. But in many cases, even in large enterprises and even when IT staff are fully aware and have advised management of the risks, management has failed to make the appropriate investment to adequately safeguard the environment. This paper is directed towards lawyers advising organizations, to provide some guidance about the types of risks which clients are facing, the test against which organizations will be measured under applicable privacy legislation, and some strategies for counsel to help their clients in moving to a better security posture and thus mitigate potential liability through the use of security standards. Positions affecting Data Security Lack of understanding of the connected world that we now live in is a key risk in the area of data security. Seeking counsel, whether it is as to the law, or to technology, is the only remedy to this situation, as it is difficult for most people to become educated to the risks affecting their business. 3 Symantec Internet Threat Report, Vol. X, September 2006, p. 18 (hereafter “ITRX”). The Symantec Internet Threat Report is available on-line for download at http://www.symantec.com/enterprise/threatreport/index.jsp, is updated on a regular basis, and is a valuable resource to understand where current threats exists in the online world. ©Symantec (Canada) Corp.
  • 3. Page 3 Security, unfortunately, is not as ‘sexy’ as on-line shopping sites for consumers, or business-to-business portals, which increase revenue for the organization. Security is typically seen simply as a cost, and therefore, minimized. Particularly in the privacy arena, where most privacy breaches arise from security breaches, there are three thought- processes justifying this stance: 1. “We haven’t had an issue yet.” 2. “Let’s take a wait-and-see approach.” 3. “The consequences are not serious enough to justify the investment.” These thought processes are based on two faulty assumptions: that the past will provide a good guide to the future, and the enterprise has had no security issues. The past is not a good guide to the future. The Internet is evidence that not only are threats evolving, they are evolving more rapidly that most organizations can handle if they rely on traditional tools to respond. Whereas in the early days of the Internet, attacks were primarily made by those seeking reputation for infecting the largest number of machines possible, today attacks are profit-oriented, with organized crime often behind the attacks4. Both the purpose and mechanism of attacks changes on “Internet time,” which is to say rapidly. The ‘zero-day exploit’ – the attack which occurs on or before the day that a vulnerability is identified, and before software makers can issue patches to remedy the vulnerability – is a further example of why the past is not a good guide to the future. The targets of attacks have changed: rather than being ‘everyone,’ attacks are increasingly are very targeted. In the past, viruses have been created with a view to creating reputation 4 ISTRX, page 4 ©Symantec (Canada) Corp.
  • 4. Page 4 – by infecting as many machines as possible, causing embarrassment or actual destruction of data. Anti-virus software makes have responded, and reduced the opportunities for such massive waves of destruction. Now, ‘malware’ authors are targeting customers of specific enterprises, such as banks, in order to obtain personal information such as credit card data, with the ultimate goal to commit fraud or identity theft5. The second fallacy, “We have been okay up to now,” has often been the response to IT staff seeking better security. Most organizations which have inadequate security safeguards, also have no capacity to know if they have had a security breach. The risk here is that losses of personal information have taken place without the organization knowing for sure – or worse, that it may still be happening. Technologies exist which provide for intrusion detection and monitoring, and audit systems’ compliance with security and private policies: examples include testing for whether passwords are long enough, whether the latest operating system patches applied or whether each system has up-to-date antivirus protection. These systems provide auditable evidence of compliance. Not enough organizations in Canada have made the investment in these technologies, which is increasingly less defensible given the number of areas in addition to privacy where organizations are obliged to provide evidence of compliance with security standards – SOX/Bill 198, PCI, and critical infrastructure protection requirements, to name a few. It is only when a breach occurs, and some exposure, whether through publicity, law suits or regulators, that money is made available to address security and privacy concerns. This 5 ISTRX, page 9 ©Symantec (Canada) Corp.
Page 5

becomes a rushed expenditure that is rarely well spent – reacting to the immediate problem rather than putting in place a security and privacy solution that fits into the overall business. ‘Firefighting’ highlights yet another risk associated with not having determined a data security strategy in calmer moments.

Finally, as to the third fallacy, the risk of consequences is indeed changing. The Privacy Commissioner of Canada has announced that her office will be conducting audits where there are reasonable grounds to be concerned over the privacy practices of an organization. Public issuers in Canada subject to Sarbanes-Oxley and Bill 198 are subject to an increased level of audits concerning their information management – and in turn are also conducting audits known as CICA 5970 audits to review the information practices of their sub-contractors and outsourcing partners, to ensure that they are handling information in an appropriate manner, since the public issuer remains liable for any problems associated with the safeguarding of the information being processed by the subcontractor or outsourcer. Finally, the Payment Card Industry Security Standards provide for serious consequences for companies who fail to adhere to the standards, including fines by the credit card issuers, or termination of their contract to process credit cards. (Attached as Appendix A is the PCI Security Standard.)

Compliance is increasingly a corporate topic inclusive of privacy, as well as a host of other regulatory and contractual requirements. A weakness in security affects compliance in all arenas. Apart from regulatory sanctions or law suits, it is increasingly obvious, both within Canada and in the US, that security breach stories are never good for the reputation of the organization.

Finally, while there are not yet many cases in Canada arising from security breaches, it would be expected that lawyers would consider not only regulatory action, but the likelihood that civil damage claims would ultimately be made in an appropriate case.
Page 6

Because such security breaches often involve databases, and thus the exposure of the personal and financial information of large numbers of individuals, these types of claims are ideally suited to become class proceedings.

Threats and Attacks

This is not intended to be exhaustive, but to supply some basic knowledge about current threats and attacks, as much as the language relating to them, and how they operate to threaten an enterprise6.

Malicious code refers to the variety of types of software that has evil intent – regardless of the mechanism by which they spread or operate. Viruses were the first of this type, but the category now includes worms, trojans, bots, and adware or spyware. Malicious code has one thing in common – it involves installation of software which causes harm, either without the consent of the computer user, or by deception. Risks from these types of programs are increasing in response to the improved defences supplied by anti-virus technologies; malicious software is now often modular, downloading other software after the initial infection, and is thus able to update itself with new and potentially more damaging code.

A computer virus is a small program written to alter the way a computer operates, without the permission or knowledge of the user. Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply to replicate themselves and make their

6 The definitions are taken from a variety of Symantec sources; see http://www.symantec.com/enterprise/library/index.jsp for enterprise related information, and http://www.symantec.com/en/ca/home_homeoffice/library/index.jsp for home and home office related information.
Page 7

presence known by presenting text, video, and audio messages. Even these benign viruses can create problems for the computer user. They typically take up computer memory used by legitimate programs. As a result, they often cause erratic behavior and can result in system crashes. In addition, many viruses are bug-ridden, and these bugs may lead to system crashes and data loss. Polymorphic viruses are becoming more prevalent: these alter their own code during replication to avoid detection by traditional antivirus software.

Worms are programs that replicate themselves from system to system without the use of a host file. This is in contrast to viruses, which require the spreading of an infected host file. Although worms generally exist inside of other files, often Word or Excel documents, there is a difference between how worms and viruses use the host file. Usually the worm will release a document that already has the “worm” macro inside the document. The entire document will travel from computer to computer, so the entire document should be considered the worm.

Trojan horses are impostors – files that claim to be something desirable but, in fact, are malicious. A very important distinction between Trojan horse programs and true viruses is that they do not replicate themselves. Trojan horses contain malicious code that, when triggered, causes loss, or even theft, of data. For a Trojan horse to spread, you must invite these programs onto your computers; for example, by opening an email attachment or downloading and running a file from the Internet.

Bots (short for “robots”) are programs that are covertly installed on a targeted system. They allow an unauthorized user to remotely control the compromised computer for a wide variety of malicious purposes. Attackers often coordinate large groups of bot-controlled systems known as bot networks. These networks can be used to perform distributed attacks, including denial-of-service (DoS) attacks, against organizations’ systems.
Page 8

A rootkit is a collection of trojan horses that replace system binaries in an attempt to allow attackers to retain access to systems while hiding their activity. Often, the script used to install the rootkit will remove evidence of the compromise and rootkit installation to further cloak the intrusion.

Spam has been a pervasive problem over the past few years; enterprises have had to invest significant efforts and money in technologies to prevent the onslaught of invitations to invest, expand various parts of the human anatomy, buy drugs, or participate in get-rich-quick schemes. Spam now makes up 54% of all monitored e-mail traffic. As instances of spam climb, so does the complexity of the techniques used. Over the past couple of years, “phishing” has become a common phenomenon. Phishing generally employs clever fakes designed to lure the unwitting into revealing confidential information such as passwords, account information, and other forms of sensitive personal information. Spam is also becoming a conduit for malicious code, such as Trojans, which may be used to turn recipients’ computers into ‘zombies’ that can be remotely controlled by hackers to attack Web servers, collect personal information, or send spam emails. On average, 172,000 users lose control of their machines each day, and zombie networks account for about 50 to 80% of all spam according to various industry reports7.

Adware and spyware are also becoming a prevalent source of problems8. Adware and spyware are software which has been installed, often deliberately by a user of the home computer, but was ‘hidden’ in an otherwise innocent-looking download of a browser toolbar, utility, game or screensaver. Spyware or adware is often included in apparently desirable or useful software downloaded from the Internet, and may even be mentioned in

7 Getting Tough on the Growing Spam Problem (June 21, 2005), Symantec Enterprise Library
8 Spyware: How can it be removed? (June 15, 2005), Symantec Home and Home Office
Page 9

the licence agreement that most users simply click to accept. Spyware can include software which searches for and sends sensitive data, records the user entering passwords or credit card information, and sends it surreptitiously to the creator’s web site. Adware often installs other, pernicious software which redirects the user to web sites to drive up usage statistics, on which web sites are often paid by advertisers, or imposes advertising on the home user. Often, the content of these sites or advertising can be uncomfortable or embarrassing for adult users, and is inappropriate and harmful to children. Adware typically also monitors the user’s patterns of usage and behaviour on the Internet and provides this valuable ‘meta-data’ to the authors, who resell it – whether or not the meta-data is anonymous – to others for directed and further intrusive unsolicited advertising.

A Sampling of Data Security Issues and Mitigations

Data security breaches can occur in a number of ways, and can impact many different types of information in the organization. While loss of business confidential information can also be devastating to an organization, the focus here will be the likely ways in which the personal information in the custody of the organization can go astray. This is not intended to be an exhaustive list of potential data security risks, but ones that focus on ways in which lawyers work on a day-to-day basis, and are applicable to the law firm environment.
Page 10

1. Portable information

Information is increasingly portable – and given that most people seem to work more than forty hours in a week, often from the road or at home, this is a tremendous convenience. It is fairly common to use these devices to copy information from the corporate network, and take it home to work on. Laptops and other portable devices that can carry tremendous amounts of data, such as USB drives or iPods, are pervasive, useful and commonly used by professionals and organizations’ executives and staff. But there are many public examples of the loss of this portable information; the one that has recently received considerable attention is the loss of laptops.

One strategy is to encrypt the data on the device. However, few organizations make the effort to ensure that the information on these devices is encrypted so as to mitigate the risk of the loss of the device. This is often due to the administrative difficulty in managing the keys required to encrypt data – this requires some central management, and thus effort and labour, simply to ensure that the data can be recovered when (inevitably) the user forgets their password.

Another strategy is to not allow personal information to get onto the laptop or device in the first place. With web-enabled applications, most information can be offered remotely to users, and securely – and loss of the laptop means little if there is no information actually stored there. This requires, however, an investment in web-based security and in making the information needed to do one’s work available remotely.
Page 11

2. Endpoint Security: Working from home and the web cafe

Many knowledge workers work from home – after all, with high-speed access, and the never-ending work week, this is quite practical. But there are, as noted above, few homes that have adequate security around their home networks and computers, and this is ultimately the organization’s problem. Home users are the most highly targeted group of users for targeted attacks – 86% according to the latest Symantec Internet Security Threat Report9. This is likely because they remain a fertile source of personal information, in combination with inadequate measures to secure home computing resources.

The risks that home working creates arise in part from the lack of even basic protections on home computers that are nonetheless used to connect to corporate networks. To address this, many companies are making anti-virus software available to their employees, specifically for their home computers, as well as firewall software. Another common approach is to create a ‘virtual private network’ (VPN) that allows home users to communicate through a secure, encrypted ‘tunnel’ directly to the corporate environment, ensuring that the content of the communications cannot be intercepted. As well, secure web applications can be utilized to encrypt the connection between the remote user and the web application. The problem with both these approaches is that they assume that there is protection against malicious code at the endpoint – the user’s computer.

9 ISTRX, page 9
Page 12

Web ‘cafés’, where there are public terminals available for use and paid for by the hour, as well as wireless connections for those using their own laptops, present another set of challenges. These web café computers may be infected with malware, or viruses, through the usual mechanism of people visiting sites and downloading software, or by deliberate actions on the part of those seeking to harvest personal information.

Web cafes, as well as home users, often utilize the convenience of wireless connections. These present their own challenges, simply because they are so convenient and commonplace, yet so typically inadequately protected. An estimated 75% of wireless networks are either insecure (not utilizing encryption) or are configured with ‘default’ administrator passwords and setup, well known and available by simply downloading user manuals from the Internet. (Typically, they are set up for user ‘admin’ with password ‘admin’.) Because of their convenience and ease of set-up, corporate IT administrators have to be on the look-out for users who have simply connected a wireless access point to the corporate network. This poses a tremendous risk, because users typically fail to turn on even rudimentary security; such a connection opens the whole network up to exposure, defeating the often tremendous investment in setting up firewalls and other security through the corporate network’s connection to the Internet.

An additional area of concern lies in monitoring of communications between users and the corporate LAN through unencrypted communications, ‘eavesdropping’ on the transfer of confidential information. Often this can happen quite accidentally – many laptops come with wireless networking built in, and users turn it on so they can connect at home, but fail to turn it off when returning to work. While connected to the wired, corporate
Page 13

network, the wireless connection provides an access point into the network to anyone in the vicinity10. “Wardriving” refers to the hobby of locating and accessing such available access points. Below is a map from 2004 indicating, in green, insecure access points in downtown Toronto; blue indicates ‘default’ set-ups, and the red, those utilizing WEP (wireless encryption protocol) for security. Even WEP has been demonstrated to be easily cracked, and new, more defensible standards such as WPA have evolved; however, it may be that the only way to secure wireless connections carrying confidential or personal information effectively is to use a VPN and encrypt the communications11.

10 ISTRX, page 34
11 ISTRX, page 36
Page 14

[Map: wireless access points in downtown Toronto, 2004]12

In a 2003 story in Toronto, police arrested a man driving the wrong way down a one-way street, and found him half-naked with a laptop utilizing an insecure wireless connection from a home network to download child pornography. This highlights the risk to individuals and businesses, who might be called to explain why their IP address was being used to access inappropriate materials.

12 Source: www.wirelessbandit.nerdsunderglass.com
Page 15

3. Malicious Code Protection

What can be done about malicious code? It is now an expectation that organizations will have up-to-date antivirus software installed on computers, and will scan e-mail attachments as well as most other forms of electronic communication – instant messaging being the latest battleground – to ensure malicious code does not enter the organization. Organizations which do not have this must be viewed as falling below an acceptable standard of care.

But it goes beyond this. One of the greatest problems in this area is of course the ‘unmanaged device’ such as the home computer, or the USB drive, or even the old floppy, that requires the enterprise to actively monitor and defend itself from the risks associated with malicious code entering through the day-to-day activities of users accessing the corporate network. Technology to support remote users on a variety of platforms exists; so do technologies which monitor or disable USB devices that are not approved, or simply automatically run scans and isolate devices which do not meet corporate security standards; as does access control technology that ensures that only permitted devices are able to access information over the corporate network. These are all available, and must be viewed as essential elements in the toolkit to meet the obligations of the corporation’s stewardship over personal information.

Education is also critical to help prevent infection; users must be taught not to open attachments that are not from trusted sources, or that they are not expecting. Most successful malicious code attacks are in combination with ‘social engineering’ techniques, which require the user to be fooled into opening an attachment or running a program. Given that outbreaks can often be attributed to poor information security practices on the
Page 16

part of users, a security awareness program should be considered not a best practice, but a minimum requirement. Considering the consequences of a virulent outbreak, the organization must devote an appropriate amount of resources to deal with the consequences of a potential exposure of confidential and personal information to those seeking to use it for fraudulent purposes, which includes considering it from the perspective of business continuity planning (such as use of archiving and retrieval technologies).

Best Practice = Best Defence?

It is against the standard of reasonableness that most actions are measured, including data security. The tendency is to confuse this with ‘what everyone else is doing.’ This is not a helpful way to determine an appropriate course of action with regard to data safety and security, and represents the fourth and final fallacy: what everyone is doing may be wrong. Best practices are identified by practitioners in the information security field, and it is against these that organizations will be measured, in terms of how far or how closely the organization’s practices measure against them. With this in mind, the following enterprise best practices13 are suggested as being ‘the test’ for data security and safeguarding in the privacy arena:

1. Enterprises should first of all have a security strategy and policy, which involves multiple, overlapping, and mutually supportive systems to guard against a single point of failure in any specific technology or protection method. This should include the

13 ISTRX, page 99
Page 17

deployment of regularly updated antivirus, firewalls, intrusion detection, and intrusion protection systems on client systems.

2. Enterprises should assess their systems against their enterprise security policy, and turn off and remove services that are not needed.

3. If malicious code or some other threat exploits one or more network services, the enterprise must have the capacity to disable or block access to those services until a patch is applied.

4. The enterprise must always keep patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as web, file transfer, mail, and directory or domain services.

5. Enterprises should implement network compliance solutions that will help keep infected mobile users out of the network (and clean them up before entering).

6. Enterprises must enforce an effective password policy. Ensure that passwords are a mix of letters and numbers. Do not use dictionary words. Change passwords often.

7. Enterprises should configure mail servers to block or remove email that contains file attachments that are commonly used to spread viruses.

8. Enterprises must have the capacity to isolate infected computers quickly to prevent the risk of further infection within the organization, and thereafter perform a forensic analysis and restore the computers using trusted media.
Page 18

9. Employees should be trained to not open attachments unless they are expected and come from a known and trusted source, and to not execute software that is downloaded from the Internet unless it has been scanned for viruses.

10. Enterprises must ensure that emergency response procedures are in place. This includes having a backup-and-restore solution in place in order to restore lost or compromised data in the event of a successful attack or catastrophic data loss.

11. Enterprises must educate management on security budgeting needs.

12. Enterprises should regularly and routinely test security to ensure that adequate controls are in place – and document the results.

13. Enterprises should ensure that only applications approved by the organization are deployed on the desktop and laptop, to prevent loss of information through malicious code.

Conclusion

This can only be a brief introduction for counsel wishing to understand the risks associated with data security, and to begin the conversation needed with IT staff in client organizations. Mature organizations understand that there must be an ongoing conversation between counsel and IT staff, in order to ensure that the legal obligations of the organization in respect of compliance, including data security, are met. The facilitator and implementer of that effort, and the tools appropriate to the task, is the IT department; it is only with the assistance of the IT department that the goals of the enterprise in data security can be
Page 19

met. However, the requirements for data security, as well as a full assessment of the risks to the business, and the potential for harm, must involve the business side, and of course, legal counsel.
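The audit technologies described on page 4 (testing password length, patch level and antivirus currency, and producing auditable evidence) and practices 4, 5, 6 and 12 of the list above can be illustrated with a small endpoint compliance audit. This is an added example, not code from the paper or from Symantec; the policy thresholds, host names and dates are constructed assumptions.

```python
"""Endpoint compliance audit producing an auditable evidence record.

Added example, not from the paper or Symantec: a constructed inventory of
endpoints is checked against a policy (password length, patch age, antivirus
definition age, firewall), each host is admitted or quarantined, and the
record is sealed with a hash so it can later be shown to be unaltered.
Host names, dates and thresholds are assumptions for illustration.
"""
from dataclasses import dataclass, asdict
from datetime import date
import hashlib
import json

@dataclass
class Endpoint:
    hostname: str
    min_password_length: int   # password length enforced on the machine
    last_patch_date: date      # date the last OS patches were applied
    av_definitions_date: date  # date of the antivirus signature set
    firewall_enabled: bool

@dataclass
class Policy:
    min_password_length: int = 12
    max_patch_age_days: int = 30
    max_av_definition_age_days: int = 7
    require_firewall: bool = True

def evaluate(ep: Endpoint, policy: Policy, today: date) -> dict:
    """Map each control to (passed, observed value) for one endpoint."""
    patch_age = (today - ep.last_patch_date).days
    av_age = (today - ep.av_definitions_date).days
    return {
        "password_length": (ep.min_password_length >= policy.min_password_length,
                            ep.min_password_length),
        "patch_age_days": (patch_age <= policy.max_patch_age_days, patch_age),
        "av_definition_age_days": (av_age <= policy.max_av_definition_age_days, av_age),
        "firewall_enabled": (ep.firewall_enabled or not policy.require_firewall,
                             ep.firewall_enabled),
    }

def audit(endpoints, policy: Policy, today: date) -> dict:
    """Build the evidence record: findings per host, a decision, and a seal."""
    findings = []
    for ep in endpoints:
        controls = evaluate(ep, policy, today)
        failed = sorted(name for name, (ok, _) in controls.items() if not ok)
        findings.append({
            "hostname": ep.hostname,
            "controls": {name: {"passed": ok, "observed": str(val)}
                         for name, (ok, val) in controls.items()},
            "failed": failed,
            # Practice 5: a non-compliant mobile user is kept out until cleaned up.
            "decision": "admit" if not failed else "quarantine",
        })
    record = {"audit_date": today.isoformat(), "policy": asdict(policy),
              "findings": findings}
    record["sha256"] = _seal(record)
    return record

def _seal(record: dict) -> str:
    """Hash of the canonical JSON form of the record (without the seal itself)."""
    body = {k: v for k, v in record.items() if k != "sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def verify_record(record: dict) -> bool:
    """True if the stored seal still matches the record's content."""
    return record.get("sha256") == _seal(record)

# Constructed inventory: one compliant laptop, one home PC that fails three
# controls, and one desktop whose antivirus definitions are stale.
AUDIT_DATE = date(2006, 3, 1)
SAMPLE_ENDPOINTS = [
    Endpoint("lawyer-laptop-01", 12, date(2006, 2, 20), date(2006, 2, 28), True),
    Endpoint("home-pc-smith", 6, date(2005, 11, 2), date(2006, 2, 28), False),
    Endpoint("reception-desktop", 12, date(2006, 2, 25), date(2006, 1, 10), True),
]

if __name__ == "__main__":
    result = audit(SAMPLE_ENDPOINTS, Policy(), AUDIT_DATE)
    for finding in result["findings"]:
        print(f"{finding['hostname']:20} {finding['decision']:10} {finding['failed']}")
    print("record intact:", verify_record(result))
```

The seal lets the record be retained as evidence for practice 12 (documenting test results); any later edit to the findings makes verify_record return False.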
Page 20

Appendix A: The PCI Security Standard

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security