Hello and welcome back to Cybrary IT's Certified Advanced Security Practitioner certification preparation course.

This is module four, and the title is Applied Cryptography.

These, in fact, are the learning objectives which encompass this particular module. We're going to continue this process by taking a look at understanding the requirements for cryptography.

This is actually section number two.

These are the objectives for this particular presentation. We'll begin by taking a look at understanding what cryptography is. We'll then discuss data sensitivity, regulatory compliance, as well as end-user type training. This brings us to our first pre-assessment question, which is as follows.

Asymmetric key cryptography is used for which of the following? Is it A, encryption of data, non-repudiation, or access control? B, non-repudiation, steganography, or encryption of data? C, encrypting the data, access control, or steganography? Or D, non-repudiation, steganography, and security of data?

If you said A, you're absolutely correct.
When we look at a sample model for business data classification, the first thing that comes to mind, in fact, is the realization that some data is subject to various laws and regulations and requires notification in the event of disclosure.

Beyond that, some data requires special handling, specifically to protect against penalties, identity theft, financial loss, invasion of privacy, or unauthorized access. Data should be assigned a level of sensitivity based on who has access to it and the risk of potential harm that's involved. This assignment of sensitivity is sometimes referred to as data classification.
Then we look at policies, standards, guidelines, and procedures. A lot of times people tend to get them mixed up. Hopefully, what I'm going to do is try to clarify that during this particular presentation. So with that being said, when you think about policies, policies are nothing more than formal statements produced and supported by senior management. Policies, the formal statements, can be organization-wide, they can be issue-specific, or they can be system-specific as well.

Then we have our standards. Standards are mandatory actions or rules that give formal policy support and direction. One of the more difficult parts of writing standards for an information security program is getting company-wide consensus on what standards need to be in place.

Then we have procedures. Procedures are detailed, step-by-step instructions to achieve a given goal or mandate. They're typically intended for internal departments and should adhere to strict change control type processes.

Then we have guidelines. Guidelines are recommendations to users when specific standards do not apply. Guidelines are designed to streamline certain processes according to what the best practices are. Guidelines by nature should be open to interpretation and do not need to be followed to the letter.
Some companies may have to comply with multiple types of regulations. In such cases, it's best to outline all the regulations that impact the company first, and then a determination can be made as to which security controls to implement that satisfy the requirements of all the regulations they need to comply with.

This process can reduce the amount of money the organization spends on compliance efforts, because what it does is reduce duplication of effort and the likelihood that competing controls would be put into play, or, in other words, that competing systems would be put in place to satisfy the same regulatory type requirement.

On the upcoming slides, I'm going to briefly discuss the different regulations that are listed on this particular slide.
The first one we're going to highlight is called HIPAA, which stands for the Health Insurance Portability and Accountability Act. This act is a two-part bill. It protects the health care of people who are transitioning between jobs or laid off. Title II is meant to simplify the health care process by shifting to what we call electronic data. Also, it protects the privacy of individual patients.

The next one we're going to discuss is the Sarbanes-Oxley Act. This act requires companies to maintain financial records for seven years. It was implemented to prevent another Enron-type scandal.

Then we have the Federal Information Security Management Act, or FISMA. This act recognizes information security as a matter of national security. Thus, it mandates that all federal agencies develop a method of protecting their information systems.

Then we have the Gramm-Leach-Bliley Act. This act allows insurance companies, commercial banks, and investment banks to be within the same company. As for security, it mandates that companies secure the private information of their clients as well as their customers.

Then we have the Family Educational Rights and Privacy Act. This act is concerned with protecting students' educational records. Any postsecondary institution, including universities, various colleges and seminaries, technical schools, and vocational schools, has to adhere to this particular regulation.

Then we have the PCI DSS, the Payment Card Industry Data Security Standard. This is a set of twelve regulations that are designed to reduce fraud and protect the customer's credit card information. In other words, any company that deals with handling credit card information has to adhere to this particular regulation.
Now, to understand the requirements for cryptography: some data is subject to various laws and regulations and requires notification in the event of disclosure. Beyond that, some data requires special handling, specifically to protect against, again, remember, penalties, identity theft, and so forth.

So data subject to various laws should be assigned a level of sensitivity based on who has access to it and the risk of potential harm that's involved.

Cryptography is valuable for protecting that sensitive data online, especially in a world in which an increasing number of systems are connected and vulnerable to outside attack. It's also valuable for authentication, allowing a user to verify his identity and statements using what we call a public key encryption type system.

So sensitive data is defined as information that is protected against unwanted disclosure. Access to sensitive data should be safeguarded. Protection of said sensitive data may be required for legal or ethical reasons, for issues pertaining to personal privacy, or for proprietary type considerations.

Cryptography: what does it encompass? The protection of information by altering it to ensure that there is confidentiality as well as integrity. Fundamental concepts and common uses of cryptography include hashing, salting, symmetric as well as asymmetric encryption, digital signatures, and so forth.
Previously, a couple of slides before, we discussed data classification. Now, data classification is used by governmental, civilian, and military organizations. The purpose of these guidelines is to establish a framework for classifying institutional data based on its level of sensitivity, value, and criticality to the organization, as required by the information security policy.

So this policy applies to all faculty, staff, and third-party agents of the university, as well as any other university affiliate who is authorized to access institutional data. Now, within the military or civilian government, we have Top Secret, we have Secret; these are the different data classifications that you'll find that deal specifically with government, government civilian, as well as military type organizations.

Then we have this data classification here, again, going from the ones we use for commercial organizations, from the highest to the lowest. We have sensitive, we have confidential, private, proprietary, and so forth. So these are the different ones here dealing with data classification for commercial organizations.
End-user training: all individuals in an organization must maintain a level of security awareness. So basically, this will include the protection and security of corporate information. The release of restricted information may incur fines or penalties to the organization. As a security practitioner, you may be involved in communicating the proper actions that must be taken to safeguard this information.

Various contractual obligations, as well as government regulations, require that formal security awareness training be conducted throughout an organization on an ongoing basis. All individuals must attend such training and be assessed for their understanding of official protection requirements. Security awareness training may cover a number of topics.

You could have protection of classified or personally identifiable information. You may also have training on the authentication required to access classified or personally identifiable information. We also address responsibilities to third parties, including contractors, clients, and customers. You may also want to discuss the proper handling of basic printed forms and their associated disposal. So again, we look at end-user training; that's paramount. And how often should it take place? It should be at least annually, or as needed depending on your organization. So we want to make sure that the following topics are discussed during your organization's security awareness type training process.
Let's take a look at a post-assessment question.

What is valuable for protecting sensitive data online, especially in a world in which an increasing number of systems are connected and vulnerable to outside attacks? Is it A, cryptography; B, modular addition; C, Diffie-Hellman; or D, key distribution?

If you said A, you're absolutely correct, because cryptography is a concept we deal with frequently in the real world. So we expect, again, in this case, that our data, such as medical records, is kept protected. So cryptography is a great method to ensure that process takes place.

During this particular presentation, we discussed understanding the requirements for cryptography. In our upcoming presentation, we'll be taking a look at section four, understanding support for secure protocols. Again, I look forward to seeing you in future training presentations.