Aug 27 2019

What the New NIST Privacy Framework Means to You

Category: Information Privacy | DISC @ 11:12 pm

Big news is coming when NIST takes the wraps off a new privacy framework. Thanks to the General Data Protection Regulation (GDPR) of the European Union, which took full effect in May 2018, privacy is at center stage worldwide. Penalties are being meted out for violations, and organizations of all kinds need to understand and comply with the law. In addition, the California Consumer Privacy Act (CCPA) was enacted in June 2018, with many other states working on similar bills.

Source: What the New NIST Privacy Framework Means to You

Developing the NIST Privacy Framework – Part 1
https://www.youtube.com/watch?v=W-snx9jRFf4

Developing the NIST Privacy Framework – Part 2
https://www.youtube.com/watch?v=gZ7ED0t09zk

Developing the NIST Privacy Framework – Part 3


NIST Privacy Framework: An Enterprise Risk Management Tool


Tags: CCPA, gdpr


Aug 15 2019

Data Loss Prevention: Protect Yourself, Your Family, and Your Business

Category: data security, Security Awareness | DISC @ 2:30 pm


By Jasmine Dyoco

Another day, another data breach. Lately, it seems like we can’t go more than a few days without hearing about another cyber attack. Data breaches have recently occurred at health insurance providers like Anthem, banks like Capital One, and even the Equifax credit bureau. If there’s anything these recent hacks have shown us, it’s that no industry is safe.

Social Security numbers, credit cards, and passwords are just some of the types of compromised data. Given the number of recent attacks, Bloomberg reports that some cybersecurity professionals now make millions of dollars per year.

Massive amounts of information have been stolen. According to The Week, “virtually everyone in the U.S. has been affected by a data breach in some way — even those who never go online.” If you’re worried a hacker might have your data, here’s how you can protect yourself and your family:

Malware and Viruses

Malware and computer viruses are common ways that scammers get sensitive information. Contrary to popular belief, Macs (and smartphones and tablets) can get viruses. Whether you use Mac, Windows, Linux, or an iPad, protecting your computer against viruses also protects your information.

According to Secure Data Recovery, proactive steps can help keep hackers and viruses away from your data. Use strong passwords that are hard to guess: a sentence or phrase is stronger than a single word, for example. Install a firewall and antivirus software, and keep your operating system and applications updated. Save backups of your files to a device such as an external hard drive, or to a cloud service such as Google Drive, and keep at least one backup disconnected from your computer so that ransomware cannot encrypt the backup along with the originals.

Security and Compliance

Cyber threats are continually evolving. Having an information security (InfoSec) plan in place helps keep data from falling into the wrong hands, and helps organizations maintain confidentiality while complying with industry regulations. DISC helps organizations succeed with their InfoSec and privacy programs by building and assessing an Information Security Management System (ISMS) and a Privacy Information Management System (PIMS) based on the relevant standards and regulations.

For instance, Deura Information Security Consulting (DISC) can perform a risk assessment to identify the security risks. Based on those gaps, they’ll help you create a “safe, secure, and resilient cyber environment.” Additionally, they’ll help your organization comply with regional cyber laws. Those laws include Europe’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).

 

Protect Your Teens 

Nobody is safe from online attacks. Unfortunately, that includes children and teenagers. Some scams specifically target teens and young adults. One example is phishing, which tricks teens into revealing their social media passwords. Teens are also susceptible to phishing scams that include “urgent” subject lines. These scams often trick people into clicking a link to avoid missing a once-in-a-lifetime opportunity.

To protect your children, the InfoSec Institute advises telling them to keep their login information private and to never click on social media links via email. Teach them red flags, like email scams claiming they’ve won money or website URLs that have misspellings or extra letters. Your whole family can learn what to look for by practicing with a phishing simulator.
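The “misspellings or extra letters” red flag can be checked mechanically rather than by eye. The Python script below is an added example and is not part of the original post: it classifies links found in an e-mail against a constructed list of trusted domains, catching homoglyph substitutions (paypa1, instagrarn), a trusted brand name used as a subdomain of an unrelated domain, a trusted name under a different top-level domain, and one- or two-character typosquats. The trusted domains, the sample URLs and the two-label registrable-domain rule are assumptions made for the example.

```python
# Flag look-alike domains in URLs. Added example, not from the original post;
# trusted domains and sample URLs are constructed for illustration.
from urllib.parse import urlparse

# Constructed for this example: the sites the family genuinely uses.
TRUSTED_DOMAINS = {"paypal.com", "instagram.com", "google.com", "bankofamerica.com"}

# Common look-alike substitutions; two-character imitations first so that
# "rn" -> "m" is applied before the single-character rules.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Typosquats within this many edits of a trusted name are flagged.
MAX_EDIT_DISTANCE = 2


def normalize_lookalikes(label: str) -> str:
    """Map the homoglyphs above back to the letters they imitate."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def hostname_of(url: str) -> str:
    """Lowercase hostname of a URL; tolerates links written without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no multi-part public suffixes
    (co.uk, com.au) in the trusted list; production code should consult the
    Public Suffix List instead."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings, one DP row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, matched_trusted_domain, reason) for one URL.
    verdict is "trusted", "lookalike" or "unknown"; unknown means only
    that the domain is not one we recognise, not that it is malicious."""
    host = hostname_of(url)
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted", domain, "exact match on registrable domain"

    labels = host.split(".")
    for t in sorted(trusted):
        # Trusted name appearing as a subdomain of something else, e.g.
        # paypal.com.account-verify.net: the real owner is account-verify.net.
        tl = t.split(".")
        for i in range(len(labels) - len(tl) + 1):
            if labels[i:i + len(tl)] == tl:
                return "lookalike", t, f"trusted domain embedded as a subdomain of {domain}"

    sld = domain.split(".")[0]  # second-level label, e.g. "paypa1"
    for t in sorted(trusted):
        t_sld = t.split(".")[0]
        if sld == t_sld:
            return "lookalike", t, f"same name as {t} but a different top-level domain"
        if normalize_lookalikes(sld) == t_sld:
            return "lookalike", t, f"homoglyph substitution in '{sld}'"
        if levenshtein(sld, t_sld) <= MAX_EDIT_DISTANCE:
            return "lookalike", t, f"'{sld}' is within {MAX_EDIT_DISTANCE} edits of '{t_sld}'"
    return "unknown", None, "not a trusted or look-alike domain"


def flagged_urls(urls):
    """Subset of urls judged look-alike, each with the domain it imitates."""
    out = []
    for u in urls:
        verdict, matched, reason = classify_url(u)
        if verdict == "lookalike":
            out.append((u, matched, reason))
    return out


# Constructed sample links, as they might appear in a phishing e-mail.
SAMPLE_URLS = [
    "https://www.paypal.com/signin",
    "http://paypa1.com/verify",
    "paypal.com.account-verify.net/login",
    "http://instagrarn.com/reset",
    "https://gooogle.com/",
    "https://example.org/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        verdict, matched, reason = classify_url(u)
        print(f"{verdict:9} {u:45} {reason}")
```

The edit-distance threshold of 2 is a trade-off: it catches single-letter typosquats and doubled letters, but with very short trusted names it will also flag unrelated short domains, so tune it to the list you actually use. An “unknown” verdict is not a pass; it only means the link is not a recognised site, which for a teenager’s inbox is itself a reason to stop and ask.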

 

Credit Freezes and Monitoring

Many people believe cybercriminals only steal money. The reality is that many of them are interested in stealing data, identities, or intellectual property. In the event that you do experience data loss, whether due to a virus, malware, or online scam, it’s essential to take action.

According to the IRS, you should report identity theft to the FTC, your bank, and each of the credit bureaus. You may also want to freeze your credit and place a one-year fraud alert on your credit report. Credit monitoring services can help protect your credit score by alerting you to fraudulent activity. Following the tips above, from keeping backups to freezing your credit, limits the damage a breach can do and makes you a harder target for future attacks.

How to report and protect yourself from credit card fraud

How to prevent credit card fraud amid coronavirus pandemic

The Secret to Cybersecurity: A Simple Plan to Protect Your Family and Business from Cybercrime




Aug 07 2019

Why do organizations need to conduct a penetration test?

Category: Pen Test | DISC @ 11:01 pm

12 reasons why an organization should carry out a penetration test:

  1. To assess the potential business and operational impact of a successful attack and determine whether a particular set of attack vectors is feasible.
  2. To identify higher-risk exposures that arise when several lower-risk vulnerabilities are chained together in a particular way.
  3. To comply with security regulations or standards, e.g. ISO 27001, NIST CSF, NIST SP 800-171, HIPAA, PCI DSS or the EU GDPR.
  4. To verify the security of new applications or of significant changes to business processes.
  5. To manage the risks of using a greater number and variety of outsourced services.
  6. To assess the risk of critical data or systems being compromised in an incident.
  7. To prepare for upcoming external audits, such as FFIEC audits performed by third-party providers.
  8. To find weaknesses in infrastructure (hardware), applications (software) and people, so that appropriate controls can be developed.
  9. To save remediation costs and reduce network downtime by finding and fixing issues before they are exploited.
  10. To develop efficient security measures.
  11. To provide evidence that supports increased investment in security personnel and technology.
  12. At the end of the day, it is basic due diligence: find out about the vulnerability before someone else does.

I’ll Let Myself In: Tactics of Physical Pen Testers

#SANS Pen Test HackFest Summit

 

DISC InfoSec Recommended Pen Testing Titles


Penetration Testing Services Procurement Guide

Contact DISC InfoSec to discuss your information security assessment (pen test) requirements


Tags: #penetrationtesting #gdpr #pcidss #cybersecurity, #PenTest


Jul 30 2019

How to become a data protection officer

Category: GDPR, Information Privacy | DISC @ 3:28 pm

As you might have expected, the GDPR (General Data Protection Regulation) has created a spike in demand for data protection and privacy experts. Organisations are desperate to hire people who can guide them towards regulatory compliance and avoid large fines. In this latest blog discover what a DPO’s tasks are and how to become one.

For many organizations, this isn’t just a wish; they are legally required to find such a person and appoint them as DPO (data protection officer). 

The demand for DPOs makes it an ideal role for those looking to advance their career. You need plenty of experience, as well as demonstrable soft skills, but it provides an opportunity with plenty of room for growth. Let’s take a look at how you can get started.

WHAT A DPO DOES 

It’s worth summarising exactly what a DPO’s tasks are because you’ll see that they are responsible for more than simply reviewing GDPR compliance. 

Yes, they are broadly tasked with advising organizations on how to comply with their legal requirements concerning data protection. But that doesn’t just include things like monitoring policies and looking into the need for DPIAs (data protection impact assessments). 

It also involves helping staff understand their data protection obligations and serving as a point of contact for individuals who contact the organization with data protection and privacy queries. 

This means that DPOs will regularly be explaining the GDPR to people who aren’t technically minded. As such, they must have strong communication skills and be capable of explaining complex issues without using jargon.

It’s much harder to teach skills like that than to train someone on the ins and outs of the GDPR, but still eminently possible. 

 

SPECIALIST DPO TRAINING 

If you’re interested in becoming a DPO, you will benefit massively from taking a training course dedicated to the role. It will help you understand the technical requirements of the GDPR and how they apply to each part of your job, and give you practical experience of the tasks you’re responsible for.

For example, you may understand exactly what’s required when performing, say, a DPIA, but you also need to be aware of your boundaries. DPOs must operate independently and without any conflict of interest. Taking too active a role in tasks like this jeopardizes your status as an independent advisor and violates the GDPR’s requirements.

Certified Data Protection Officer (C-DPO) Masterclass Training Course

IT Governance’s Certified Data Protection Officer (C-DPO) Masterclass Training Course gives you the technical and practical expertise you need to become a DPO.

Over four days, our expert trainers will help you hone your knowledge of the GDPR and show you how to use that knowledge appropriately while fulfilling your tasks as a DPO. 

 

 

Certified Data Protection Officer (C-DPO) Upgrade Training Course

If you already have a strong understanding of the GDPR, you might prefer our Certified Data Protection Officer (C-DPO) Upgrade Training Course. 

This two-day course builds on the knowledge you would have gained from passing the GDPR Practitioner exam, focusing on the practical application of the Regulation in the workplace.

 

Source: How to become a data protection officer

 

GDPR Training



Tags: data protection officer, DPO, GDPR Privacy


May 21 2019

Microsoft wants a US privacy law that puts the burden on tech companies

Category: Information Privacy | DISC @ 8:56 am

On the first anniversary of #GDPR, Microsoft calls for a similar privacy law in the US that puts the burden on the companies that collect and use sensitive data.

Europe’s privacy law went into effect nearly a year ago. It’s time for the US to catch up, the tech giant says.

Source: Microsoft wants a US privacy law that puts the burden on tech companies

 

 


Tags: California Consumer Privacy Act, data privacy, GDPR Privacy


Apr 25 2019

Computer security training courses

Category: Security Awareness, Security Tools, Security training | DISC @ 11:18 am

Computer security training courses – Online cyber security courses

Build your cyber security awareness and InfoSec career to keep your cyber security skills relevant. Learn how to protect your information assets against today’s cyber threats with best online cyber security training courses.

 

DISC InfoSec cyber security training curriculum includes specialized InfoSec training and general cyber security courses for all levels.

 

Security Penetration Testing (The Art of Hacking Series) LiveLessons

Linux Security and Hardening, The Practical Security Guide

CISSP LiveLessons

Red Hat Certified Engineer (RHCE) with Virtual Machines LiveLessons, 2nd Edition

Fundamentals of NERC CIP

Cyber Security – Online Scams & How to Avoid Them

Disaster Recovery and Risk Management

 

 

Penetration Testing

Kali Linux

ISO27001

Python

CISSP

GDPR

Linux

Identity Theft

Powershell Security

Programming Courses

Security Risk Management

Planning a Security Incident Response

AWS Security

Azure Security

Network Security

Wireless Security

RedHat Security

InfoSec eLearning

Social Engineering

Essentials of CyberSecurity

Azure Security & Compliance

Cyber Security Training Courses

Security Disaster Recovery

Cloud Security Computing 

 

 



Tags: Chief security officer, information security awareness, information security guide, security awareness training


Sep 24 2018

Why your organisation should consider outsourcing its DPO

Category: GDPR | DISC @ 2:47 pm


By Laura Downes

Since the EU’s GDPR (General Data Protection Regulation) came into effect in May 2018, demand for DPOs (data protection officers) has increased. The Regulation stipulates that certain organisations must appoint a DPO to support their GDPR compliance. DPOs also have an essential role as intermediaries between relevant stakeholders, such as supervisory authorities, data subjects, and business units within an organisation. 

Your organisation will need to appoint a DPO if it:

  • Is a public authority or body;
  • Regularly and systematically monitors data subjects on a large scale as a core activity; or
  • Processes special categories of data on a large scale as a core activity.

The GDPR does not stipulate the level of experience a DPO must have, meaning some organisations might appoint an internal team member who does not have the experience or qualifications required, leaving them wide open to error.  

Why you should consider outsourcing your DPO 

Suitably skilled and experienced DPO candidates are hard to find. Outsourcing the role not only satisfies the requirements of the GDPR but also ensures your organisation is employing proper data handling and privacy policies. Furthermore, there is no conflict of interest between the DPO and other business activities. 

An external DPO can work for your organisation on a fixed-fee or a per-hour basis. Signing up to a DPO service also means you can rely on several experienced DPOs rather than just one, which means more hands on deck should you ever suffer a breach. 

DPO as a service (GDPR) 

IT Governance’s annual subscription DPO service offers you hands-on support from one of our qualified DPOs, who will serve as independent data protection expert to your organisation. Your appointed DPO will: 

Find out more >> 



Sep 20 2018

Equifax fined by ICO over data breach that hit Britons

Category: Cyber Insurance, data security, GDPR, Security Breach | DISC @ 10:02 am

Equifax

Credit rating agency Equifax is to be fined £500,000 by the Information Commissioner’s Office (ICO) after it failed to protect the personal data of 15 million Britons.

A 2017 cyber-attack exposed information belonging to 146 million people around the world, mostly in the US.

The compromised systems were also US-based.

But the ICO ruled Equifax’s UK branch had “failed to take appropriate steps” to protect UK citizens’ data.

It added that “multiple failures” meant personal information had been kept longer than necessary and left vulnerable.

Originally, Equifax reported that fewer than 400,000 Britons had had sensitive data exposed in the breach – but it later revealed that the number was nearly 700,000.

A further 14.5 million British records exposed would not have put people at risk, the company added last October.

The ICO, which joined forces with the Financial Conduct Authority to investigate the breach, found that it affected three distinct groups in the following ways:

  • 19,993 UK data subjects had names, dates of birth, telephone numbers and driving licence numbers exposed
  • 637,430 UK data subjects had names, dates of birth and telephone numbers exposed
  • Up to 15 million UK data subjects had names and dates of birth exposed

 

Guard let down

Equifax had also been warned about a critical vulnerability in its systems by the US Department of Homeland Security in March 2017, the ICO revealed.

And appropriate steps to fix the vulnerability were not taken, according to the ICO.

Because the breach happened before the launch of the EU’s General Data Protection Regulation (GDPR) in May this year, the investigation took place under the UK’s Data Protection Act 1998 instead.

And the fine of £500,000 is the highest possible under that law.

“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce,” said information commissioner Elizabeth Denham.

“This is compounded when the company is a global firm whose business relies on personal data.”

An Equifax spokesperson said the firm was “disappointed in the findings and the penalty”.

“As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect.

“The criminal cyber-attack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk.”

By BBC.com



Aug 30 2018

4 bad things happening every minute on the Internet

Category: GDPR | DISC @ 11:46 am


Risk IQ’s Evil Internet Minute infographic tells you the bad things happening every minute on the Internet:

  • 5 successful ransomware attacks
  • 9 phishing attacks
  • 1,274 new malware variants
  • 5,518 records compromised

Any data you look at shows that the scale of ‘Internet evil’ increases every year. The economic impact of cyber crime now exceeds $1.1 million per minute. This is a major corporate risk, irrespective of organisational size, and cyber insurance on its own is an inadequate response: insurers may decline to pay out where you have been negligent.

The EU’s GDPR (General Data Protection Regulation) makes the tests for negligence pretty clear: absence of accountability, insufficient corporate governance and countermeasures that do not adequately respond to the frequency and virulence of today’s attacks.

In an environment where four potentially vulnerable web components are discovered every minute, an annual penetration test is only slightly better than not bothering at all. We run penetration tests about once a month; you should be doing them at least quarterly. However, even if you do this, you need to recognise that purely technical responses have limited benefits. Staff are the weakest of your links, particularly as phishing and ransomware attacks get smarter every day. And your supply chain may increasingly be your attackers’ fastest route into what passes for your secure environment. Staff awareness training only every year or two would be desperately short-sighted.

We’re going to see more and more organisations reporting data breaches. Failing to report a notifiable breach is itself a breach of the Regulation, and one that can be punished with significant fines. The costs don’t stop there. After you report a breach, and undergo investigation, fines and reputational damage, you still have to spend the money to get secure. It therefore probably works out less expensive in the long run to make comprehensive cyber security investments before you are breached (assuming that you haven’t already been breached, and you just don’t know it yet).


Tags: gdpr


Feb 28 2018

What is ‘privacy by design’?

Category: GDPR, Security and privacy Law | DISC @ 9:50 am


Privacy by design is a voluntary approach to projects that promotes privacy and data protection compliance, and helps you comply with the Data Protection Act 1998 (DPA).

The Information Commissioner’s Office (ICO) encourages organisations to seriously consider privacy and data protection throughout a project lifecycle, including when:

  • Building new IT systems to store or access personal data;
  • Needing to comply with regulatory or contractual requirements;
  • Developing internal policies or strategies with privacy implications;
  • Collaborating with an external party that involves data sharing; or
  • Existing data is used for new purposes.

Privacy by design and the GDPR

The upcoming EU General Data Protection Regulation (GDPR) will supersede the DPA. Article 25 of the GDPR, “[d]ata protection by design and default”, requires you to “implement appropriate technical and organisational measures” throughout your data processing project. As such, data must be considered at the design stage of any project, during which you must process and store as little data as possible, for as short a time as possible.

Under the GDPR, you are required to document your data processing activities. One way to do this is to map your organisation’s data flows. This method also enables you to assess the risks in your data processing activities and identify where controls are required, for example, assessing privacy and data security risks.

Organisations need to be aware of the personal data that they are processing, and that this data is being processed in compliance with the law. Organisations can often process significantly more data than they realise, so it is vital that they perform mapping exercises to keep track of them all.

Data flow mapping may seem daunting, but you can simplify the process with the Data Flow Mapping Tool.

The tool gives you a thorough understanding of what personal data your organisation processes and why, where it is held and how it is transferred.

IT Governance free green paper ‘Conducting a data flow mapping exercise under the GDPR’ will help you understand how to effectively map your data in compliance with the GDPR.

Steps to GDPR Compliance



Nov 19 2017

4 reasons you should get a cyber security qualification

Category: CISSP, cyber security, Information Security | DISC @ 7:10 pm

The dramatic rise in cyber attacks over the past few years has caught most businesses off guard. Their cyber security departments are severely understaffed, causing them to look desperately for qualified professionals to help tackle the threat.

There has never been a better time to get into cyber security, so if you’re looking to enter the field, or further your career in it, you could benefit massively from gaining a relevant qualification. Here are four reasons why:

  1. Cyber security professionals are well paid

Money isn’t everything when it comes to choosing your career, but it’s obviously a big factor for many people. We mentioned recently that people with a CISM, PCI or GDPR qualification could earn £60,000 or more a year.

Of these, the CISM (Certified Information Security Manager) qualification is the most versatile. It’s the globally accepted standard of achievement among information security, information systems audit and IT governance professionals.

According to ITJobsWatch, people with a CISM qualification earn £64,000 a year on average. This figure has grown by more than 9% in the past two years.

  2. There’s a high level of job security

The shortage of qualified cyber security professionals means that those in the field are less likely to be replaced or made redundant. Their skills are hard to find elsewhere, and the more someone gets to know the company, the more valuable they will become.

Additionally, because almost every organisation currently needs cyber security professionals, those with the relevant qualifications are more likely to find a position in a location or company that suits them.

  3. There’s room for career growth

For the same reason that cyber security is a safe career, it’s also one that offers plenty of room for growth. Qualifications plus experience is a powerful combination that can help you move into more senior positions.

As you gain experience, you’ll also get the opportunity to earn more advanced qualifications. For example, you must have at least three years’ experience in IT risk management and control to be eligible for the Certified in Risk and Information Systems Control (CRISC) qualification, and five years’ experience in enterprise IT governance to be eligible for the Certified in the Governance of Enterprise IT (CGEIT®) qualification.

  4. The work is rewarding

Cyber security is still a relatively young field, making it an exciting and prosperous place. The threats that organisations face are constantly evolving, so you’ll always have new challenges. Plus, you know that your hard work is for a good cause: to stop cyber criminals and keep your organisation safe.

What qualifications do I need?

The qualifications you need will depend on the career path you choose. If you’re interested in governance, risk management, and compliance, for instance, CGEIT is the natural choice. If your focus is information security and IT risk, CRISC is the obvious fit.

We’re currently running promotions on our CRISC, CGEIT, CISA and CISM training courses. If you book before 22 December, you’ll receive a 10% discount on the courses and a 5% discount on all reading materials.

Find out more about our:




Jul 25 2017

Fundamentals of Information Risk Management Auditing

Category: Risk Assessment | DISC @ 1:49 pm

New information and IT risks seem to be everywhere, so it is essential that organizations address these risks in the context of enterprise risk management (ERM).

ERM is a practice that has become increasingly popular. It’s important that an organization’s information risk management specialist or auditor understands this practice because much of their work will need to be in the context of ERM.

Kick-start your career in information risk management with introductory guidance.

Fundamentals of Information Risk Management Auditing

Provides insight and guidance into information risk management and ERM, ideal for those considering a career in information risk management, for non-specialist auditors, and for managers.

This book will give you an introduction to:

  • Risk and risk management
  • Information security and management risks
  • Concepts of application controls

Gain an insight into the risks and controls/mitigations that you might encounter when performing or managing an audit of information risk.
Buy Now >>>

 

Author Podcast: Fundamentals of Information Risk Management Auditing, with Christopher Wright

In the podcast Christopher discusses Lean, Agile, the EU General Data Protection Regulation (GDPR), and ERM.
Listen now >>




Apr 24 2017

Why is ISO 27001 so important for US technology firms?

Category: ISO 27k | DISC @ 10:47 am

by Rob Freeman

At IT Governance, we have long argued that compliance with the ISO 27001 information security management standard is close to essential for US companies that wish to do business with the rest of the world. This expectation is fuelled by the ever-growing threat of cybercrime and the increasing awareness of the data privacy rights of individuals in target markets globally.

Win international business

To win and maintain international business, your firm needs to demonstrate that it takes cybersecurity and data privacy seriously, and fully complies with all of the relevant laws and regulations.

This is particularly true for US technology companies, many of which deliver services and products using online web-based channels. Modern Internet marketing and sales methodology demands the acquisition of large databases of customers’ personal data. In return for purchasing goods and services, these customers expect that their data will be secured, stored, and used in an appropriate manner. From the big guys like Microsoft or Salesforce.com to the little guys trading internationally on Ebay, ensuring the data security and privacy of customers is just as important as delivering a great product.

Although now a little dated, I can recommend that you view the August news release from InsideView, a CA-based market intelligence company, which announced “InsideView Expands ISO/IEC 27001:2013 Certification to Include ISO/IEC 27018”. This somewhat innocuous headline is hiding a really big message that is buried in the second paragraph:

A global priority

Protection of personal information has become a globally recognized priority. Emerging regulations and frameworks, such as European Union Data Protection Directive (GDPR) and the US Department of Commerce Privacy Shield, will require data processors to provide specific protections and rights of access regarding personal information.

“This extension of our ISO 27001 information security management system to include the ISO 27018 controls for personal data shows that InsideView is leading the market in preparation for new privacy regulations,” said Jenny Cheng, Chief Product Officer at InsideView.

If you are not aware of the importance of ISO 27001, I can recommend that you purchase and read this textbook: IT Governance – An International Guide to Data Security and ISO27001/ISO27002, Sixth Edition.

