31 Oct INFORMATION GOVERNANCE
ITS 833 – INFORMATION GOVERNANCE
Chapter 11 – Information Governance and Privacy and Security Functions
Dr. Sandra J. Reeves
Copyright@Sandra J. Reeves 2018
1
1
CHAPTER GOALS AND OBJECTIVES
Copyright@Sandra J. Reeves 2018
2
Things To Know:
Sources of Threats to protection of data
Solutions to threats to protection of data
Identify some privacy laws that apply to securing an organization’s data
What is meant by redaction
What are the limitations on perimeter security?
What is IAM?
What are the challenges of securing confidential e-documents?
What are the limitations on an repository-based approach to securing confidential e-documents?
Things to Know:
What are some solutions to securing confidential e-documents?
What is stream messaging?
How is a digital signature different from an electronic signature?
What is DLP Technology?
What are some basic DLP methods?
What are some of the limitations of DLP?
What is IRM?
What are some key characteristics or requirements for effective IRM?
What are some approaches to security data once it leaves the organization?
2
Cyberattack Proliferation
Who are the victims?
Government
Corporations
Banks
Schools
Defense Contractors
Private Individuals
Copyright@Sandra J. Reeves 2018
3
Who are the perpetrators?
Foreign Governments
Domestic and foreign businesses
Individual Hackers/Hacking societies
Insiders
3
INSIDER THREATS
Copyright@Sandra J. Reeves 2018
4
Some malicious/some not malicious
Insider threats can be more costly than outside threats
Nearly 70% of employees have engaged in IP theft
Nearly 33% have taken customer contact information, databases and customer data
Most employees send e-documents to their personal email accounts
Nearly 60% of employees believe this is acceptable behavior
Thieves who are insiders feel they are somewhat entitled as partial ownership because they created the documents or data
58% say the would take data from their company if terminated and believe they could get away with it
4
SOLUTION?
Security – including document life cycle security
Risk Education
Employee Use Policy
IG Training and Education
Enforcement and Prosecution – Make an example!
Monitoring
Copyright@Sandra J. Reeves 2018
5
5
PRIVACY LAW THAT MAY APPLY
Federal Wire Tapping Act
Prohibits the unauthorized interception and/or disclosure of wire, oral or electronic communications
Electronic Communications Privacy Act of 1986
Amended Federal Wire Tapping Act
Included specifics on email privacy
Stored Communications and Transactional Records Act
Part of ECPA
Sometimes can be used to protect email and other internal communications from discovery
Computer Fraud and Abuse Act
Crime to intentionally breach a “protected computer”
Used extensively in the banking industry for interstate commerce
Freedom of Information Act
Citizens ability to request government documents – sometimes redacted
Copyright@Sandra J. Reeves 2018
6
6
LIMITATIONS ON SECURITY
“Traditional Security Techniques”
Perimeter Security
Firewalls
Passwords
Two-factor authentication
Identity verification
Limitations to traditional techniques
Limited effectiveness
Haphazard protections
Complexity
No direct protections
Security requires a change in thinking about security
Secure the document itself, in addition to traditional techniques that secure “access” to the document
Copyright@Sandra J. Reeves 2018
7
7
DEFENSE IN DEPTH TECHNIQUES TO SECURITY
Use Multiple Layers of Security Mechanisms
Firewall
Antivirus/antispyware software
Identity and Access Management (IAM)
Hierarchical passwords
Intrusion Detection
Biometric Verification
Physical Security
What is IAM?
Goal is to prevent unauthorized people from accessing a system
Effective IAM included:
Auditing
Constant updating
Evolving roles
Risk reduction
Copyright@Sandra J. Reeves 2018
8
8
LIMITATIONS OF REPOSITORY-BASED APPROACHES TO SECURITY
Traditionally, we have applied “repository-based” solutions which have not been effective. We have document repositories that reside in databases and email servers behind a firewall.
Once Intruder breaches firewall and is inside the network, they can legitimately access data
Knowledge workers tend to keep a copy of the documents on their desktop, tablet, etc.
We operate in an Extended Enterprise of mobile and global computing comprising sensitive and confidential information
Copyright@Sandra J. Reeves 2018
9
9
SOLUTION?
Better technology for better enforcement in the extended enterprise
Basic security for the Microsoft Windows Office Desktop-protection of e-documents through password protection for Microsoft Office files
Good idea but passwords can’t be retrieved if lost
Consider that “deleted” files actually aren’t.
Wipe the drive clean and completely erased to ensure that confidential information is completely removed
Lock Down: Stop all external access to confidential documents.
Take computer off network and block use to ports
Secure Printing
Use software to delay printing to network printers until ready to retrieve print
Erase sensitive print files once they have been utilized
Copyright@Sandra J. Reeves 2018
10
10
SOLUTION…continued
E-mail encryption
Encryption of desktop folders and e-docs
Use Stream messages when appropriate
Use of Digital Signatures —not the same thing as an electronic signature
Use Data Loss Prevention (DLP) software to ensure that sensitive data does not exit through the firewall
(Three techniques for DLP-Scanning traffic for keywords or regular expressions, classifying documents and content based upon predefined set, and tainting) This method has weaknesses!
IRM Software/ERM Software-provides security to e-documents in any state (persistent security)
Copyright@Sandra J. Reeves 2018
11
11
SOLUTION…continued
Device Control Methods –example blocking ports
Use of “thin clients”
Compliance requirements by different organizations
Hybrid Approach: Combining DLP and IRM technologies
Copyright@Sandra J. Reeves 2018
12
12
More on irm
Transparently – no user intervention required
Remote control of e-documents
Provides for file-level protection that travels with file even if stolen
Includes cross-protection for different types of documents
Allows for creation and enforcement of policies governing access and use of sensitive/confidential e-documents
Decentralized administration
Good IRM software provides useful audit trail
Integration with other enterprise systems
Provides embedded protection that allows the files to protect themselves
Key Characteristics of IRM
Security
Transparency – can’t be more difficult to use than working with unprotected documents
Easy to deploy and manage
Copyright@Sandra J. Reeves 2018
13
13
SECURING DATA ONCE IT LEAVES THE ORGANIZATION
REMEMBER – CONTROL DOES NOT REQUIRE OWNERSHIP!
Consider new architecture where security is built into the DNA of the network using 5 data security design patterns
Thin Client
Thin Device-remotely wipe them
Protected Process
Protected Data
Eye in the Sky
Document Labeling
Document Analytics
Confidential Stream Messaging
Copyright@Sandra J. Reeves 2018
14
14
THE END
Copyright@Sandra J. Reeves 2018
15
15
Our website has a team of professional writers who can help you write any of your homework. They will write your papers from scratch. We also have a team of editors just to make sure all papers are of HIGH QUALITY & PLAGIARISM FREE. To make an Order you only need to click Ask A Question and we will direct you to our Order Page at WriteDemy. Then fill Our Order Form with all your assignment instructions. Select your deadline and pay for your paper. You will get it few hours before your set deadline.
Fill in all the assignment paper details that are required in the order form with the standard information being the page count, deadline, academic level and type of paper. It is advisable to have this information at hand so that you can quickly fill in the necessary information needed in the form for the essay writer to be immediately assigned to your writing project. Make payment for the custom essay order to enable us to assign a suitable writer to your order. Payments are made through Paypal on a secured billing page. Finally, sit back and relax.
About Writedemy
We are a professional paper writing website. If you have searched a question and bumped into our website just know you are in the right place to get help in your coursework. We offer HIGH QUALITY & PLAGIARISM FREE Papers.
How It Works
To make an Order you only need to click on “Order Now” and we will direct you to our Order Page. Fill Our Order Form with all your assignment instructions. Select your deadline and pay for your paper. You will get it few hours before your set deadline.
Are there Discounts?
All new clients are eligible for 20% off in their first Order. Our payment method is safe and secure.