Skip to main content

Home/ WPPS C-Suite News/ Group items tagged training

Rss Feed Group items tagged

Filter: All | Bookmarks | Topics Simple Middle
sandy ingram

Welcome to VTE - 0 views

www.vte.cert.org/vteweb

CERT VTE training online On Demand DoD8570

shared by sandy ingram on 12 Feb 09 - No Cached
  • sandy ingram on 12 Feb 09
     
    The CERT Virtual Training Environment (VTE) - A revolutionary resource for information assurance, incident response and computer forensic training, with over 500 hours of material available. VTE blends the best of classroom instruction and self-paced online training, delivering training courses, anytime access to answers, and hands-on training labs all through a standard Web browser.
sandy ingram

Security awareness: Helping employees really 'get' company policy - CSO Online - Securi... - 0 views

www.csoonline.com/...yees-really-get-company-policy

security awareness Privacy Best Practice employees training

shared by sandy ingram on 30 Nov 10 - Cached
  • Employee awareness of their companies' security policies is high—if you ask the employees. In a survey of 2,000 office workers, software security company Clearswift found almost three quarters, 74 percent, felt 'confident' that they understand their employers' Internet security policies. That is, policy designed to safeguard data and IT security, as well as maintain productivity.
  • But the confidence is misplaced, Clearswift suggests in their summary of the findings, because a third of those surveyed have not received any training on IT security since joining their firm. And more than two thirds of those who have not had recent training joined their organization more than five years ago—a 'technological lifetime,' notes Clearswift.
  • "When security is kept in the shadows and not discussed openly, and only referred to when things go wrong, it is all too easy for office 'folk-law' to become perceived as official policy very quickly. If employees are not aware of when they have broken policies—in some cases because the policy is not even enforced—it can lead to a false sense of security or a belief that what they are doing is actually in line with the corporate policy."
  • ...1 more annotation...
  • The research raises a question that is frequently discussed, but very rarely measured, among organizations: What kind of awareness training is effective? Is it regular and incremental? Is it most effective when done through courses, formal sessions or informal discussions? And how does an organization gauge its effectiveness?
  • sandy ingram on 30 Nov 10
     
    "Research finds while most employees believe they understand their company's security policies, a large number have never received any formal policy education or training. How can an organization really ensure people understand risk?"
sandy ingram

Organisations fail to meet security awareness and compliance training best practices - ... - 0 views

www.scmagazineuk.com/...208893

SC organisations security awareness compliance best practices UK

shared by sandy ingram on 12 Oct 11 - No Cached
  • “If this assessment demonstrates anything, it's that IT and security departments have got to gain greater visibility over all of their security and compliance activities and take steps to better understand and manage them.”
  • sandy ingram on 12 Oct 11
     
    A survey of high-risk organisations has found that more than three quarters fail to perform quarterly security and compliance training. According to a survey by enterprise key and certificate management solutions provider Venafi and IT security research provider Echelon One, 77 per cent of respondents failed to perform quarterly security and compliance training while 64 per cent failed to encrypt all of its data in the cloud. However 90 per cent did use encryption throughout the organisation. The survey of 420 enterprises and government agencies also found that almost 100 per cent of respondents had some degree of unquantified or unmanaged risk. When asked if their organisations encrypted data stored in public clouds such as Google Apps, Salesforce.com and Dropbox, 40 per cent said they did not know.
sandy ingram

Integrating Ethics and Compliance Into the Entire Organization - 0 views

tfoxlaw.wordpress.com/...e-into-the-entire-organization

Privacy Security compliance ethics integrating SMB Best Practice

shared by sandy ingram on 28 Nov 10 - No Cached
  • There’s no point investing in and implementing an ethics and compliance program unless the time is spent integrating the program into every aspect of an organization. The need for companies to develop effective ethics and compliance programs has been acknowledged by several government agencies- examples are the SEC in the US and the government in the United Kingdom. Both groups have recently passed legislation or made amendments to existing guidelines, focusing heavily on the importance of ethics and compliance at all levels of an organization- especially at the top.
  • Employees at each level contribute to the success of a company’s ethics and compliance program. Integrating ethics and compliance at each level helps ensure the message from the top makes it all the way down to the lower levels of the organization. Training, messages and other ethics and compliance initiatives must be developed to evolve with employees as they move through the company. That being said, employees at various levels need to be prepared to address different ethical issues they may encounter based on the role they play in the organization.
  • Integrating Ethics in the Middle  In many companies, employees report that the middle level is where ethics and compliance commitments break down. Since many of the lower level employees report directly to those in the middle, a commitment to ethics and compliance from middle managers is equally as important as it is at the top.
  • ...4 more annotations...
  • Top level managers can use a number of techniques to assist mid-level managers in understanding the role they play in creating an ethical workplace.
  • Integrating Ethics at Lower Levels Lower level employees are usually the ones on the frontlines acting as ambassadors for a company/brand. Ensuring the commitment to ethics and compliance is as strong at the bottom as it is at the top is critical to the success of a fully integrated ethics and compliance program.
  • One of the easiest ways to begin implementing ethics and compliance within lower levels is to provide new hires with extensive training on company expectations and ethics and compliance. During the interview process, ask questions related to ethical situations and decision making. This can be used as a way to ensure new hires are a proper fit with the existing corporate culture.
  • It’s important to remember that ethics training and implementation doesn’t stop here- this is just the beginning.
  • sandy ingram on 28 Nov 10
     
    "One of the easiest ways to begin implementing ethics and compliance within lower levels is to provide new hires with extensive training on company expectations and ethics and compliance"
sandy ingram

SANS Institute - Special Webcast: Cyber Terrorism: Fact or Fiction - 0 views

www.sans.org/...show.php

cyber Terrorist webcast event Privacy Security Sans

shared by sandy ingram on 06 Jul 09 - No Cached
  • The topic of Cyber Terrorism has been a subject of many debates as to the reality of a significant event-taking place at the click of the button. In recent media coverage we've seen the London & Spain train bombings being triggered remotely using one of the most world's most adopted technologies, a cell phone. Who would ever think that someone would use a cell phone as a trigger point for detonating a bomb? Additionally, who would ever think that a terrorist organization would realize that all cell phones on the same cellular network receives their time/date from the same network timeserver so everyone has the correct time. This has allowed them to conduct simultaneous attacks via sms or speed dial on their phone.
  • sandy ingram on 06 Jul 09
     
    The topic of Cyber Terrorism has been a subject of many debates as to the reality of a significant event-taking place at the click of the button. In recent media coverage we've seen the London & Spain train bombings being triggered remotely using one of the most world's most adopted technologies, a cell phone. Who would ever think that someone would use a cell phone as a trigger point for detonating a bomb? Additionally, who would ever think that a terrorist organization would realize that all cell phones on the same cellular network receives their time/date from the same network timeserver so everyone has the correct time. This has allowed them to conduct simultaneous attacks via sms or speed dial on their phone.
sandy ingram

SURVEY: Data-breach costs rising, 84% repeat offenders - 0 views

voices.washingtonpost.com/...breaches_more_costly_than.html

Survey breach

shared by sandy ingram on 03 Feb 09 - Cached
  • The study measured the direct costs of a data breach, such as hiring forensic experts; notifying consumers; setting up telephone hotlines to field queries from concerned or affected customers; offering free credit monitoring subscriptions; and discounts for future products and services.
    • sandy ingram
      sandy ingram on 03 Feb 09
       
      THE COST OF A DATA BREACH The study measured the direct costs of a data breach, such as hiring forensic experts; notifying consumers; setting up telephone hotlines to field queries from concerned or affected customers; offering free credit monitoring subscriptions; and discounts for future products and services. Company's stock price, which in some cases can be substantial. CASE STUDY when the nation's sixth largest credit and debit card processor -- Heartland Payment Systems -- disclosed a breach that could affect millions of customers, the company's stock price took a nosedive. Shares of Heartland's stock lost 42 percent of their value the day after that disclosure, closing at a 52-week low of $8.18. INTELLECTUAL PROPERTY A breach often exposes proprietary data that can jeopardize millions of dollars invested in research and development.
    • sandy ingram
      sandy ingram on 03 Feb 09
       
      COST TO YOUR BRAND "The first thing companies say when they have a breach is 'Well, we'll implement encryption and data leak prevention technologies, and maybe do more training'," Dunkelberger said. "That's great, but what amount of brand damage has to occur in these public disclosures before we see changes made to the way companies handle not just consumers' personal information, but also the intellectual property that drives their businesses?"
  • "The first thing companies say when they have a breach is 'Well, we'll implement encryption and data leak prevention technologies, and maybe do more training'," Dunkelberger said. "That's great, but what amount of brand damage has to occur in these public disclosures before we see changes made to the way companies handle not just consumers' personal information, but also the intellectual property that drives their businesses?"
  • Microsoft patched for the worm affecting Heartland 4 months ago.
  • sandy ingram on 03 Feb 09
     
    the Ponemon Institute, a Tucson, Ariz., based independent research company, found that companies spent roughly $202 per consumer record compromised. The same study put the total cost of a breach in 2007 at $6.3 million, and roughly $4.7 million in 2006.
sandy ingram

Amended SB1386 - Health care data security breach explained - 0 views

www.scmagazineus.com/...120069

hipppa SB1386 health training breaches

shared by sandy ingram on 01 Nov 08 - Cached
  • Health care data security breaches in the U.S.
  • New laws and regulations regarding data security breaches and disclosure laws affect the way in which health care organizations do business
  • Notifications can be delayed if law enforcement determines it could hinder a criminal investigation
  • ...11 more annotations...
  • he disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
  • Any agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
  • They need to implement proper security measures, like encryption,” Booz says. In addition, the law will require a new level of investment in training for customer service, sales, and other externally facing operations.
  • Individuals affected by data breaches that meet the personal information definition and notification requirements must be notified by using one of three methods: written notice, electronic notice with customer's consent, or substitute notice
  • A new California law requiring that customers be notified of a breach involving their medical information is likely to influence legislation in other states.
  • The new law requires all state agencies and companies that conduct business in California to notify residents when a breach of their medical information occurs.
  • The purpose of this rule is to secure personally identifiable information (PII) as it travels through the healthcare system. Healthcare organizations, including providers, payers, and clearinghouses, must comply with the Privacy Rule.
  • Between 2000 and 2007, nearly half of all health care security incidents that occurred in the U.S. were associated with hospitals.
  • Between 2000 and 2007, 40 percent of publicly known security incidents at health care organizations are classified as data breaches
  • Although data breaches (hackers, malicious employees, social engineering, etc.) only constitute 40 percent of incidents, they account for 57 percent of all records compromised, nearly two and a half times the next closest category.
  • This again speaks to the need for strong policies and procedures. If organizations did not allow sensitive data to leave their facility without being encrypted (for electronic data) or disposed of properly (for physical data), it could eliminate nearly a quarter of the incidents they would face.
  • sandy ingram on 01 Nov 08
     
    Notifications can be delayed if law enforcement determines it could hinder a criminal investigation
  • sandy ingram on 01 Nov 08
     
    A new California law requiring that customers be notified of a breach involving their medical information is likely to influence legislation in other states.
sandy ingram

Saving Money Through Cloud Computing - 0 views

www.brookings.edu/...0407_cloud_computing_west.aspx

cloud economics

shared by sandy ingram on 08 Apr 10 - Cached
  • sandy ingram on 08 Apr 10
     
    I found that the agencies generally saw between 25 and 50 percent savings in moving to the cloud. For the federal government as a whole, this translates into billions in cost savings, depending on the scope of the transition. Many factors go into such assessments, such as the nature of the migration, a reliance on public versus private clouds, the need for privacy and security, the number of file servers before and after migration, the extent of labor savings, and file server storage utilization rates. Based on this analysis, I recommend five steps be undertaken in order to improve efficiency and operations in the public sector: the government needs to redirect greater resources to cloud computing in order to reap efficiencies represented by that approach, the General Services Administration should compile data on cloud computing applications, information storage, and cost savings in order to determine possible economies of scale generated by cloud computing, officials should clarify procurement rules to facilitate purchasing through measured or subscription cloud services and cloud solutions appropriate for low, medium, and high-risk applications, countries need to harmonize their laws on cloud computing to avoid a "Tower of Babel" and reduce current inconsistencies in regard to privacy, data storage, security processes, and personnel training, and lawmakers need to examine rules relating to privacy and security to make sure agencies have safeguards appropriate to their mission.
sandy ingram

How long can CISO's avoid Cloud Computing? | CISO - 0 views

ciso.in/...567

security Privacy compliance Best Practice cloud computing workplace ipad tablets windows

shared by sandy ingram on 23 Feb 12 - No Cached
  • Network & Systems delivering the cloud service How does the authentication to access the network devices and operating system implemented? Does it use any two factor authentication? About the availability of the network and security infrastructure? does it implement load balancing or high availability solutions for the critical infrastructure components like firewalls, IPS, reverse proxies etc… Is the underlying cloud systems are secured? Do they have a baseline configuration implemented? How does the configuration managed? Does the cloud computing provider got a plan and/or policy to perform configuration management, patch management, anti-malware etc. Does the network undergoes periodic penetration testing? Does it undergo internal vulnerability assessment periodically? How is it ensuring that a compromised client with privileged access to the operating system is separated internally? Does it undergo periodic audits against standards like ISO27001, SAS70 etc? How is the customer data separated from one another? What are the security controls implemented to ensure this separation? What are the protection and response controls against the Denial of Service attacks?
  • Cloud Applications & Data Protection What are the security controls in the application development process? Does it include security code reviews of the code being developed or used? Is there a documented change and configuration management process? How does the application servers patched and what frequency? What are the mechanisms for managing the access control? How is the database protected from unauthorized access? How are they identifying the access reset requests are from the actual user. How do they create and delete/disable user accounts? what are the procedures for these activities. IS the data encrypted? If encrypted, how is the encryption keys are protected? What is key management process being followed? How is the data loss prevention ensured? Details of the DLP controls implemented? Is there a backup mechanism established? How is the data protected in the backups? Does the cloud service provider meets the regulatory requirements? For example, if the service is a ecommerce service then the cloud service could become part of the card holder environment and thus the PCI DSS regulation as there are potential card data being processed. Similarly, if the health information is processed, it can be HIPAA and similar other regulations. Is the cloud computing service provider meets the compliance requirements? Where is your data being hosted? Is it within your country or its jurisdiction? Is your organization comfortable with the legal system in the country where your data resides? How about cloud computing service provider who has a network of data centres across the globe and your data is scattered across these data centres? Can it limit the countries where the data is stored?
  • What are the conditions / scenarios where the data is revealed without the consent / approval of the organization? Does the application provide enough audit trials to review the incidents? Does it corporate with local legal system? Often the local law authorities require access to the processing computers, how is it support those requests?
  • ...1 more annotation...
  • Security Management What are the information security management policies and procedures implemented and documented? Are all employees required to undergo the security awareness training and acknowledge their acceptance to the policies and procedures at least annually? Is the cloud computing service provider has a dedicated information security professional? What are the network security capabilities established by the service provider? Are these personal technical qualified and certified? How is the insider threats within the cloud service provider being addressed? What is the background verification process being followed by the cloud service provider? Is there a privileged activity monitoring of systems and databases? How is the security incidents and violations are handled? Does it have a documented policy? How is the log integrity ensured? What are the mechanisms implemented to ensure that the logs cannot be altered and / or stopped. How long the logs are kept online and on the backup? What are the business continuity and disaster recovery capabilities of the cloud service provider? Many organization look at cloud as a BCM solution. Does the underlying cloud service provider is capable of delivering a BCM aware cloud service?
sandy ingram

CERT's Podcast Series - 0 views

www.cert.org/...20090120pethia.html

Cert podcast

shared by sandy ingram on 12 Feb 09 - Cached
sandy ingram liked it
  • sandy ingram on 12 Feb 09
     
    CERT'S PODCASTS: SECURITY FOR BUSINESS LEADERS: SHOW NOTES Tackling Tough Challenges: Insights from CERT's Director Rich Pethia Key Message: Rich Pethia reflects on CERT's 20-year history and discusses how he is positioning the program to tackle future IT and security challenges. Executive Summary CERT's vision is a securely connected world. CERT's mission is to enable informed trust and confidence in the use of information technology. To achieve this vision and mission, CERT has broadened its perspective to include the full system/software engineering and operations life cycle and is reaching out to thought leaders in the global IT and security community. In this podcast, Rich Pethia, director of the CERT Program at Carnegie Mellon University's Software Engineering Institute, discusses the past, current, and future state of Internet security and CERT's role in tackling future challenges as CERT celebrates its 20th anniversary. PART 1: LOOKING BACK, LOOKING FORWARD: THE GOOD, THE BAD, AND THE UGLY CERT's Vantage Point CERT's vision is a securely connected world, supported by CERT's mission of enabling informed trust and confidence in the use of information technology. As the director of CERT, Pethia has unique access to government, commercial, and industry leaders. The Good News Internet use continues to grow, not just in size (number of people, volume of traffic) but also in utility, for example: * the increasing amount of real government and business operations * the introduction of new applications * the growing use of new mobile appliances User awareness of the need to address security is increasing along with increasing attention from service providers (firewalls, virus protection, anti-spyware, data backup). Developers are paying more attention to building security into their products. Vendors have more mature processes for providing cost-effective, timely updates for software vulnerabilities. Users are more willing
sandy ingram

Picking an anti-fraud team » Adotas - 0 views

www.adotas.com/...picking-an-anti-fraud-team

Privacy Fraud Advertising Best Practices

shared by sandy ingram on 27 Jan 09 - Cached
  • Individuals in areas such as sales and marketing will absorb fraud identification, reporting, and prevention responsibilities.
  • This will prove to be ineffective for the following reasons:
  • 1. The sales and marketing staffs are not trained to identify fraud and they cannot keep up with the ever-changing tactics
  • ...7 more annotations...
  • 2. Associates are conflicted when faced with a fraud incident. They are not motivated to report fraud and their compensation structure dissuades them from reporting incidents.
  • 3. Business goals are not aligned appropriately, which naturally moved fraud last on the priority list for the associates assigned the additional responsibilities.
  • 4. While the internal attempt is made, no time is spent on partner due diligence and monitoring.
  • Organizations will benefit in the long term by hiring dedicated staff.
  • This tactic is one component of my company’s Best Practice approach to doing business.
  • When recruiting for your team, expect to receive a small number of resumes compared to the average you may receive for other positions
  • Do not worry about where to post the job description, just get it posted.
1 - 11 of 11
Showing 20 items per page