Did you know Cybrary's video training is FREE? Join more than 2,500,000 IT and cyber security professionals, students, career changers, and more, growing their careers on Cybrary.
This segment looks as risk resulting from sharing data. Whether the shared data is internal or external to the organization, this discussion focus on privacy consideration, who owns the data, why risk awareness is important and the importance of establishing/following security procedures, policies, and remaining compliant. [toggle_content title="Transcript"] For privacy considerations, before organizations share data among themselves, they should be aware of the risks the sharing of data could pose so they need to understand what sort of data is being shared. Should it be personally identifiable data or not? Is it data that is trade secrets? So organizations before sharing data within or external to the organization, it is important to understand how the data privacy is essential. Is it health record, trade secrets or information that could give competitive advantage? Privacy is a strong requirement for some and it is not for others. So we have to understand the privacy considerations for such information that is being shared. We also need to do some risk awareness. Organizations have to be aware of the risks involved with dealing with other organizations. It involves being constantly informed about the detail of day to day operations. Day to day inter-operability between the two organizations or multiple organizations have to be understood such that we can properly be aware of all the risks as they emerge. It is always an emerging process for risk so yes we might be okay today and there are no risks but the introduction of another organization might bring some risks. We have to do proper risks management. Assessments have to be done periodically to see the overall security structure of organizations that are involved in these agreements. Unauthorized Data sharing, before any data is shared, any agreement must detail the data that is to be shared, to what entities they are to be shared. Regardless if the data is internal or external. If data is spilled from a department the individuals within that department should understand who and who should have access to such data. You could have multiple organizations involved in agreements. We need to understand how data should be properly shared so we don't end up with unauthorized data sharing. This could cause confidentiality breach and this could cause embarrassments to the organizations that are involved in the agreement. Data ownership, some entities especially with the recent use of cloud computing, yes we're using your infrastructure but who owns the data? The data belongs to the organizations. The organizations should clearly and carefully spell out all the data that belongs to them such that should some other entities eavesdrop or have unauthorized access to this data and somewhat use this in some business environment, it is possible that we have clearly spelt out who owns what. You have 3 or more organizations are even involved in sharing servers so the organizations want to clearly document what organizations own what data. Yes you might own the infrastructure but we own the data that sits on the infrastructure, or the data that is within the database. Organizations need to clearly spell out the data they own even if the media on which it sits does not belong to them. Data backup, backup is very critical. Without backups it is sometimes impossible to restore our data should the machines fail, the machines could have physical damage, they could have mechanical damage or they could even be compromised by some form of disaster. By having proper backup, it is possible to restore data even if they've been destroyed or corrupted and organizations that are responsible for the backup should put the proper procedures in place to ensure that the backup activities are carried out best practice. We need to follow security policies and procedures. Policies are high level statements declared by management. They are simply a set of rules. These rules are broken down into procedures. Within agreements that are created by organizations, if they follow procedures, that means they are following the policies because the policies emanate from the procedures. By following the procedures, we understand that the objectives of management are being properly fulfilled. Review the agreement requirements to verify compliance. Organizations form agreements. When 2 or 3 organizations are coming together, we have to properly review the agreements to verify compliance with best practice, to verify compliance with the agreements themselves. If we review the agreements, we can see some cases. Sometimes, you have to involve your legal department so that they can see the legal contexts of these agreements, to ensure that we are in compliance as an organization to all the agreements because sometimes some agreements can be very vague. Some policies within the agreements can be very vague or abstract. By having a careful review you know if you're in compliance or not. If you're not in compliance and you don't understand this, you could be facing a risk of maybe law suits so you want to see that you're in proper compliance to ensure the overall security of an organization. We also need to review these agreements to see the performance standards. Are we really performing as dictated by the agreements? By reviewing the agreement you can monitor your levels of performance. You can monitor your adherence to the policies. All these are steps we need to follow where one or more entities come together to work as multiple organizations, so we have to follow these steps to ensure an overall security of our business practices. [/toggle_content]