Now let's move on and talk a little bit about management controls for protecting our data and keeping it private. So when we talk about management controls things like separation of duties separation cuties ensures that instead of having one individual that's all powerful in the network,
that we divide up the various responsibilities into smaller and more discreet rolls,
and they're really shouldn't be that overlap training of our personnel Very, very important. It's part of Duke hair and ensuring that the people that are protecting our data no the appropriate steps to take how we handle a breach, having a program incident response team
as well as a security team to put preventive and protective mechanisms in place.
Action an authorization. Usually, when we talk about access control, we talk about the Triple eight
identity. Identify, authenticate, authorized and then oddity. So when we talk about authentication, that's getting an assurance of the identity of the user. And then authorization is making sure that that user is granted the appropriate rights and permissions,
vulnerability, assessments and penetration testing.
So we put the controls in place, but we have to make sure that controls are working and that they're in plate that they've been installed properly. So vulnerability assessments pen tests will give us that assurance, backup and recovery again. Business continuity
water our plans in the event of a loss of the device and loss of data.
A loss of power. Show me your continuity steps.
Ah, logging. Making sure that auditing is done and the correct information is being loved. And also that our logs are managed in such a way that we don't have that needle in a haystack syndrome. You know, I've heard instances of organizations having just thousands and thousands of entries in their logs
and in trying to sift through that for something meaningful that can very much be a challenge.
Ah, data retention control. How long do we keep our information? What do we do with it when we're done? Is there a minimum length is their maximum length What drives those retention policies we've got to address? And then once again, we keep going back to secure disposal. Now, on the next slide, we talk a little bit about
data rights management
sometimes refer to his IRA information rights managements. So the idea with data rights management, that's what I'm gonna call it. That's what I've always called. It is we're going to a thick A fixed certain rights or commissions to the object, regardless of the context of that object. So,
for instance, if I give you read access to a file in my system, that really only applies within the context of that system
fun mail. You that file, there's rights essentially drop off. So what we're doing here is we're embedding the permissions into the file. So regardless of whether the data resides, then the rights and permission state this a lot of time. It's used to protect intellectual property as it should be.
Um, if you've gone to a website and you couldn't copy and paste certain information, that would be an example. All right, So
if this is the goal, if this is something we're gonna implement for those people that do have access, we have to make sure that they have, ah, the correct access. They need have keys if necessary, to access the information of the user, accounts are gonna have to be created with access policies. Um, it
this could be something you can generate with active directory
or across a Federated Trust. So when we cut that trust federation's my organization to yours there, you know, as we're moving to a point in time and this will be much more strain one. But still, there are a lot of challenges to get today. Most likely,
the users are gonna have to have certain software that would act as an I r M R D r in client
and then depending on what type of data you have and whether the format is consistent with information that I have stored with the rights and permissions were still at the point where there are some more logistical issues with
data rights management.
Now our retention policies. Like I said, things like, how long we keep it. We have a minimum length of maximum length.
Um, the biggest driver for that is gonna be What does the law say? Certain organizations based on their field or based on their line of work? I have to keep data for a certain length of time. That needs to be well documented. Employees need to know. We need to make sure that our solution in the cloud follows that.
So are we gonna archive?
Ah, and if we do. That's all fine, but making sure that we can extricate that archived information when necessary. Ah, we also have to think about retaining placidity, classified or sensitive information, and again, making sure that is, these files are archived, the security requirements are maintained
again, going back to the idea that just because we move something to the cloud doesn't give us justification for bypassing policy.