Security Implications of Integrating Systems (part 2)



Time: 3 hours 47 minutes
Difficulty: Beginner
CEU/CPE: 3
Video Description

This segment looks at risk resulting from sharing data. Whether the shared data is internal or external to the organization, this discussion focuses on privacy considerations, who owns the data, why risk awareness is important, and the importance of establishing/following security procedures and policies, and remaining compliant.

Transcript

For privacy considerations, before organizations share data among themselves, they should be aware of the risks the sharing of data could pose, so they need to understand what sort of data is being shared. Should it be personally identifiable data or not? Is it data that is trade secrets? So organizations, before sharing data within or external to the organization, it is important to understand how the data privacy is essential. Is it health record, trade secrets or information that could give competitive advantage? Privacy is a strong requirement for some and it is not for others. So we have to understand the privacy considerations for such information that is being shared.

We also need to do some risk awareness. Organizations have to be aware of the risks involved with dealing with other organizations. It involves being constantly informed about the detail of day to day operations. Day to day interoperability between the two organizations or multiple organizations have to be understood such that we can properly be aware of all the risks as they emerge. It is always an emerging process for risk, so yes, we might be okay today and there are no risks, but the introduction of another organization might bring some risks. We have to do proper risk management. Assessments have to be done periodically to see the overall security structure of organizations that are involved in these agreements.

Unauthorized data sharing: before any data is shared, any agreement must detail the data that is to be shared and to what entities they are to be shared, regardless if the data is internal or external. If data is spilled from a department, the individuals within that department should understand who and who should have access to such data. You could have multiple organizations involved in agreements. We need to understand how data should be properly shared so we don't end up with unauthorized data sharing. This could cause confidentiality breach and this could cause embarrassments to the organizations that are involved in the agreement.

Data ownership: some entities, especially with the recent use of cloud computing, yes, we're using your infrastructure, but who owns the data? The data belongs to the organizations. The organizations should clearly and carefully spell out all the data that belongs to them such that should some other entities eavesdrop or have unauthorized access to this data and somewhat use this in some business environment, it is possible that we have clearly spelt out who owns what. You have 3 or more organizations even involved in sharing servers, so the organizations want to clearly document what organizations own what data. Yes, you might own the infrastructure, but we own the data that sits on the infrastructure, or the data that is within the database. Organizations need to clearly spell out the data they own even if the media on which it sits does not belong to them.

Data backup: backup is very critical. Without backups it is sometimes impossible to restore our data should the machines fail. The machines could have physical damage, they could have mechanical damage or they could even be compromised by some form of disaster. By having proper backup, it is possible to restore data even if they've been destroyed or corrupted, and organizations that are responsible for the backup should put the proper procedures in place to ensure that the backup activities are carried out best practice.

We need to follow security policies and procedures. Policies are high level statements declared by management. They are simply a set of rules. These rules are broken down into procedures. Within agreements that are created by organizations, if they follow procedures, that means they are following the policies because the policies emanate from the procedures. By following the procedures, we understand that the objectives of management are being properly fulfilled.

Review the agreement requirements to verify compliance. Organizations form agreements. When 2 or 3 organizations are coming together, we have to properly review the agreements to verify compliance with best practice, to verify compliance with the agreements themselves. If we review the agreements, we can see some cases. Sometimes, you have to involve your legal department so that they can see the legal contexts of these agreements, to ensure that we are in compliance as an organization to all the agreements, because sometimes some agreements can be very vague. Some policies within the agreements can be very vague or abstract. By having a careful review you know if you're in compliance or not. If you're not in compliance and you don't understand this, you could be facing a risk of maybe lawsuits, so you want to see that you're in proper compliance to ensure the overall security of an organization.

We also need to review these agreements to see the performance standards. Are we really performing as dictated by the agreements? By reviewing the agreement you can monitor your levels of performance. You can monitor your adherence to the policies. All these are steps we need to follow where one or more entities come together to work as multiple organizations, so we have to follow these steps to ensure an overall security of our business practices.

Video Transcription
00:03
For privacy considerations, before organizations share data amongst themselves, they should be aware of the risks the sharing of data could pose. So they need to understand what sort of data is being shared. Should it be personally identifiable data or not? Is it data that is trade secrets?
00:24
So organizations, before sharing data within or external to the organization,
00:28
it is important to understand how the data privacy is essential.
00:32
You know, is it health record, trade secrets or information that could give competitive advantage? Privacy is a strong requirement for some, and it is not for others. So we have to understand the privacy considerations for such information that is being shared.
00:50
We also need to do some risk awareness. Organizations have to be aware of the risks involved with dealing with other organizations. It involves being constantly informed about the detail of day to day operations.
01:03
Day to day interoperability between the two organizations or multiple organizations have to be understood such that we can properly be aware of all the risks as they emerge.
01:15
It is always an emerging process for risk. So, yes, we might be okay today and there are no risks. But the introduction of another organization might bring some risks. So we have to do proper risk management. Assessments have to be done periodically to see
01:34
the overall security structure
01:36
of organizations that are involved in these agreements.
01:40
Unauthorized data sharing:
01:42
Before any data is shared, any agreement must detail the data that is to be shared,
01:49
to what entities they are to be shared.
01:51
So regardless if the data is internal or external. So if data is spilled from the department,
01:57
you know, from a department, the individuals within that department should understand who and who should have access to such data. You could have multiple organizations involved in agreements. So we need to understand how data should be properly shared so we don't end up with unauthorized
02:16
data sharing. This could cause
02:19
confidentiality breach and this could cause embarrassments to the organizations that are involved in the agreements.
02:27
Data ownership:
02:29
Some entities, especially with the recent use of cloud computing,
02:34
yes, we're using your infrastructure. But who owns the data? The data belongs to the organizations, so the organizations should clearly and carefully spell out all the data that belongs to them, such that should some other entities eavesdrop or
02:52
have unauthorized access to this data and
02:55
somewhat use this in some business environment, it is possible that we have clearly spelled out who owns what.
03:05
So you have three or more organizations even involved in sharing servers. So the organizations want to clearly document
03:13
what organizations own what data. Yes, you might own the infrastructure, but we own the data that sits on the infrastructure or the data that is within the database. So organizations need to clearly spell out the data they own, even if the media on which it sits does not belong to them.
03:32
Data backup:
03:34
Backup is very critical.
03:36
Without backup, it is sometimes impossible to restore our data should the machines fail.
03:43
The machines could have physical damage, they could have mechanical damage or they could even be compromised by some form of disaster. So by having proper backup, it is possible to restore data even if they've been destroyed or corrupted, and organizations that are responsible for the backup
04:00
should put the proper procedures in place
04:03
to ensure that the backup activities are carried out best practice.
04:08
We need to follow security policies and procedures. Policies are high level statements dictated by management. They are simply a set of rules.
04:15
These rules are broken down into procedures, so within agreements that are created by organizations, if they follow procedures, that means they are following the policies because the policies emanate from the procedures. So by following the procedures, we understand that
04:35
the objectives of management are being properly fulfilled.
04:40
Review the agreement requirements to verify compliance. So organizations form agreements.
04:46
When two or three organizations are coming together, we have to properly review the agreements to verify compliance with best practice, to verify compliance with the agreements themselves. So if we review the agreements, we can see some cases. Sometimes you have to involve your legal department
05:05
so that they can see the legal contexts of these agreements,
05:09
to ensure that we are in compliance as an organization to all the agreements, because sometimes some agreements can be very vague. Some policies within the agreements can be very vague or abstract. So by having a careful review, you know if you are in compliance or not.
05:27
And if you're not in compliance and you don't understand this,
05:30
you could be facing a risk of maybe
05:33
lawsuits, so you want to see that you're in proper compliance to ensure the overall security of an organization.
05:42
We also need to review these agreements to see the performance standards. Are we really performing as dictated by the agreements? By reviewing the agreement, you can monitor your levels of performance. You can monitor your adherence to the policies. So all these
06:02
steps we need to follow where one or more entities come together to work as multiple organizations. So we have to follow these steps to ensure an overall security of our business practices.