UNIT 1
INTRODUCTION
INDEX
 Fundamental Concepts
 Data Privacy Attacks
 Access control models
Data Privacy Fundamentals
What is Data Privacy?
 The aspect of information technology (IT) that deals with the
ability an organization or individual has to determine what data
in a computer system can be shared with third parties.
 The challenge of data privacy is to utilize data while protecting
individual's privacy preferences and their personally
identifiable information.
 The fields of computer security, data security and information
security design and utilize software, hardware and human
resources to address this issue.
 As the laws and regulations related to Privacy and Data
Protection are constantly changing, it is important to keep
abreast of any changes in the law and continually reassess
compliance with data privacy and security regulations.
 Privacy concerns exist wherever personally identifiable
information or other sensitive information is collected, stored,
used, and finally destroyed or deleted in digital form or
otherwise.
 Improper or non-existent disclosure control can be the root
cause for privacy issues.
What is Data Privacy?
Data privacy issues can arise in response to information from a wide range of
sources, such as:
 Healthcare records
 Criminal justice investigations and proceedings
 Financial institutions and transactions
 Biological traits, such as genetic material
 Residence and geographic records
 Ethnicity
 Privacy breach
 Location-based service and geo-location
 Web surfing behavior or user preferences using persistent cookies
Data Security Vs. Data Privacy
 Data security is commonly referred to as the confidentiality,
availability, and integrity of data.
 Data privacy is suitably defined as the appropriate use of data.
 When companies and merchants use data or information that is
provided or entrusted to them, the data should be used
according to the agreed purposes.
 Companies need to enact a data security policy for the sole
purpose of ensuring data privacy or the privacy of their
consumers' information.
Data Security Vs. Data Privacy
 Companies must ensure data privacy because the information is
an asset to the company.
 A data security policy is simply the means to the desired end,
which is data privacy.
 No data security policy can overcome the willing sale or
soliciting of the consumer data that was entrusted to an
organization.
Need Of Data Privacy
 Every time we use a service, we have to hand over some of our
personal information.
 Even without our knowledge, information is being generated and
captured by companies and agencies we are likely to have never
knowingly interacted with.
“The only way citizens and consumers can have confidence in both
government and business is through strong data protection practices,
with effective legislation to help minimize needless monitoring by
officialdom and regulate surveillance by companies.”
Need Of Data Privacy
 Data protection rules need to be enforced by a regulator or authority,
often called a Privacy Commissioner.
 The strength of the powers invested in these authorities varies from
country to country and so does its independence from Government.
 These powers can include the ability to conduct investigations, act on
complaints and impose fines when they discover an organization has
broken the law.
Data Protection Laws
 As of August 2014, over 100 countries around the world have
enacted comprehensive data protection legislation, and several other
countries are in the process of passing such laws.
 The strongest and most comprehensive laws are in the countries of
the European Union and European Economic Area that have
implemented the 1995 Data Protection Directive.
 Canada is another leading example with two separate pieces of
legislation applying at the national level to government and industry.
Data Protection Laws
 Data protection law has become not only a vehicle for
protecting citizens and consumers; it has also become a gateway to
trade.
 The OECD Guidelines on the Protection of Privacy, first
agreed in 1980 and revised in 2013, were the pioneer in
establishing the data protection principles, adopted by many
countries in their legislation.
 The EU's 1995 Directive standardized laws to some extent
across European Union member states, partly to enable trade
within the European market.
Data Protection Act Principles
The Data Protection Act is the law that protects us against illegal and
inappropriate use of our personal information without our consent, and the
same applies to us using the information of others.
Anyone who processes personal information must comply with eight
principles of the Data Protection Act, which make sure that personal
information is:
 Fairly and lawfully processed
 Processed for limited purposes
 Adequate, relevant and not excessive
 Accurate and up to date
 Not kept for longer than is necessary
 Processed in line with your rights
 Secure
 Not transferred to other countries without adequate protection
State of Data Privacy in 2015
 According to a recent survey by Dimensional Research,
93% of businesses are challenged by data privacy.
 It estimated that by 2018, more than 9 billion U.S. dollars
will be lost due to payment card fraud, 6.4 billion due to
CNP (card not present) transactions.
Figure 1. Smartphone vs. Other cell owners on mobile data
security [2]
Figure 2. Percentage data protection risk on regulated data [3]
State of Data Privacy in 2015
 Another increasing worry in the online medium is malicious
use of personal information intended to humiliate, harass or in
other ways damage someone’s reputation.
 Especially among youth, internet bullying is one of the biggest
fears parents have when it comes to their children’s online
safety.
Data Privacy Attacks
Introduction
 Advancements in information technology (IT) have raised concerns
about the risks to data associated with weak IT security.
 Inadequate IT security may result in compromised confidentiality,
integrity, and availability of the data due to unauthorized access.
 To ensure that individual privacy remains carefully protected, local
and state education agencies should implement state-of-the-art
information security practices.
 Staying ahead of the ever-evolving threat of a data breach requires
diligence on the part of the education community in understanding
and anticipating the risks.
Technical Threats
Non-existent Security Architecture
 Some organizations do not have an established security
architecture in place, leaving their networks vulnerable to
exploitation and the loss of personally identifiable information
(PII).
 Inadequate network protection results in increased vulnerability
of the data, hardware, and software, including susceptibility to
malicious software.
Non-existent Security Architecture
 If the network contains sensitive information or PII, it is critical
that even in a very limited resource environment, minimal user,
network and perimeter security protection mechanisms (such as
anti-virus) are implemented.
 Mitigation: If an organization does not have the appropriate
personnel to design a security architecture, it is recommended
that a third party be brought in to consult with the IT team.
Un-patched Client Side Software and Applications
 Computers run a variety of software applications, including
older versions that may sometimes contain vulnerabilities
that can be exploited by malicious actors.
 Mitigation: To reduce the ability of malicious actors to
compromise or destroy an organization’s security system,
implement a robust patch management program that identifies
vulnerable software applications and regularly updates the
software security to ensure ongoing protection from known
threats.
Phishing and Targeted Attacks
(“Spear Phishing”)
 One way malicious individuals or criminals (e.g., hackers)
target individuals and organizations to gain access to personal
information is through emails containing malicious code; this is
referred to as phishing. Once infected emails are opened, the
user’s machine can be compromised.
Mitigation:
 To reduce vulnerability to phishing and other e-mail security
scams, organizations should install professional enterprise-
level e-mail security software.
Figure I. Stages in Spear Phishing Attacks
Phishing and Targeted Attacks
(“Spear Phishing”)
 It is recommended that this software check both incoming and
outgoing messages to ensure that spam messages are not being
transmitted if a system becomes compromised.
 In addition, organizations should provide regular internet
security training to staff to ensure user-awareness about e-mail
scams.
Internet Websites
 Malicious code can be transferred to a computer through
browsing webpages that have not undergone security updates.
 Simply browsing the internet and visiting compromised or
unsecured websites could result in malicious software being
downloaded to an organization’s computers and network.
 Mitigation: To prevent threats from compromised websites,
employ firewalls and antivirus software to help identify and
block potentially risky web pages.
Poor Configuration Management
 Any computer connected to the network, whether at work or at
home, that does not follow configuration management policy,
is vulnerable to an attack.
 Weak data security protection measures that do not restrict
which machines can connect to the organization’s network
make it vulnerable to this type of threat.
Poor Configuration Management
Mitigation:
 Establish a configuration management policy for connecting
any hardware to the network.
 The policy should specify security mechanisms and procedures
for various types of hardware, including computers, printers,
and networking devices.
 It is also recommended to implement a Network Access
Control solution to enforce configuration policy requirements.
Mobile Devices
 Use of mobile devices, such as laptops or handheld devices,
including smartphones, is exploding; however, the ability to secure
them is lagging behind.
 Data breaches can occur in a number of ways: devices can be lost,
stolen, or their security can be compromised by malicious code
invading the operating system and applications.
Mobile Devices
Mitigation:
 To promote data security in case a device is lost or stolen,
encrypt data on all mobile devices storing sensitive
information.
 Until more data encryption, user authentication, and anti-
malware solutions become available for mobile devices, the
best protection strategy is to implement a strict mobile device
usage policy and monitor the network for malicious activity.
Cloud Computing
 In cloud computing large amounts of customer data are stored in
shared resources, which raises a variety of data encryption and
availability issues.
 Further, the cloud provider faces the same data security
responsibilities and challenges as the organization that owns the data,
including patching and managing their applications against malicious
code.
Mitigation:
 Conduct an assessment to compare benefits from adopting cloud
computing, including cost savings and increased efficiency, against
associated security risks.
Cloud Computing
 It is critical to ensure that solutions offered by the cloud
provider effectively comply with the organization’s information
system security requirements, including operational and risk
management policies.
Removable media
 The use of removable media on an organization’s network
poses a significant security threat.
 Without proper protection, these types of media provide a
pathway for malware to move between networks or hosts.
 Following proper security measures when using removable
media devices is necessary to decrease the risk of infecting
the organization’s machines or the entire network.
Removable media
Mitigation:
 To minimize the security risks, apply simple preventative steps.
These include disabling the “auto run” feature of the operating
system on the organization’s machines and training users to
scan removable media for viruses before opening the files.
Botnets
 Botnets are networks of compromised computers used by
hackers for malicious purposes, usually criminal in nature.
 Clean up efforts resulting from botnet infestation may be costly
and damaging to an organization’s reputation.
Mitigation:
 Since there are many ways computers can become
compromised, having a strong security architecture is critical to
defending against a malicious botnet attack.
Figure II. Botnet Attack [2]
Botnets
 Strategies for botnet detection involve analyzing patterns of
data sent over the network, and monitoring computer resources
usage and external connections.
Zero-day Attacks
 A zero-day attack is a threat aimed at exploiting a software
application vulnerability before the application vendor
becomes aware of it and before the vulnerability becomes
widely known to the internet security community.
 These attacks are among the hardest to mitigate and leave
computers and networks extremely vulnerable.
Figure III. Timeline of a Zero-day attack [3]
Figure IV. Zero-day Malware Attack on Adobe Flash
Player [4]
Zero-day Attacks
Mitigation:
 Unless an organization has access to IT analysts who are highly
experienced in technical vulnerability assessment, a frequently
recommended approach to mitigation is to wait for the vendor
to release a patch that fixes the vulnerability.
 The organization should keep abreast of the latest software
patches and deploy the fix as soon as it is distributed by the
developer.
Non-technical Cyber Security Threats to
Information Systems
Insider Threats
 An insider is defined as someone with legitimate access to the
network.
 Because information accessed by insiders can be easily stolen,
copied, deleted, misfiled, or changed, insider threats can be
some of the most damaging, regardless of whether they occur
due to user carelessness or malicious attempts.
Insider Threats
Mitigation:
 To mitigate this type of threat, establish and enforce a well-
defined privilege rights management system.
 Audit programs are useful in enforcing access controls and
monitoring suspicious activity.
Poor Passwords
 Implementing a policy on strong user passwords is critical to
data protection.
 Modern password-cracking programs can easily break weak
passwords, such as those containing common words or word
groups found in a dictionary.
 For this reason, user-selected passwords are generally
considered to be weaker than randomly-generated passwords.
Poor Passwords
Mitigation:
 Use a professional password-generating program as an
enterprise-level solution.
 In addition to implementing procedures for generating strong
passwords, train users on how to maintain the security of their
passwords.
 For enhanced security, consider implementing more advanced
authentication capabilities, such as multi-factor authentication.
Physical Security
 Physical security is essential to preventing unauthorized
access to sensitive data as well as protecting an
organization’s personnel and resources.
 Physical safety measures include securing access to
dedicated computers, server rooms, routers, printers, and
any areas that process or store sensitive data.
Physical Security
Mitigation:
 Establish and enforce a physical security system.
 Strong physical security includes access control policies
and procedures; physical barriers; surveillance and alarm
systems; and security breach notification, response, and
system recovery procedures.
Insufficient Backup and Recovery
 Lack of a robust data backup and recovery solution puts
an organization’s data at risk and undermines the
effectiveness of its IT operations.
 Data and system recovery capabilities allow an
organization to reduce the risk of damage associated with
a data breach.
Insufficient Backup and Recovery
Mitigation:
 Establish an organizational policy and specify procedures
for data backup, storage, and retrieval.
 Many advanced data and system backup and recovery
tools are available on the market.
Improper Destruction
 Discarded electronic devices, such as computers or
portable drives, that have been used in processing and
storing sensitive data, remain vulnerable unless the data
are erased properly.
 A data breach can occur if recovery tools are used to
extract improperly erased or overwritten data.
Improper Destruction
Mitigation:
 Establish a policy for protecting or destroying no longer needed
IT assets and media that may contain sensitive data.
 Several standards organizations offer guidelines that outline
best practices for ensuring data are discarded properly,
including recommendations published by the National Institute
of Standards and Technology (NIST) titled NIST SP 800-88,
“Guidelines for Media Sanitization.”
Social Media
 Using an organization’s devices and network resources to access
social media websites poses a high data security threat.
 Social networking sites are often targeted by malware, receive
a high degree of spam, and are frequently used to gain
information for identity theft.
Mitigation:
 Introduce and reinforce a policy forbidding access to some
social media websites while using an organization’s resources
and equipment.
Social Media
 Train users about the security threats generated by visiting
these sites.
 Organizations that allow access to social media websites
should deploy a strong anti-virus and spam filtering solution.
Conclusion
 Understanding the vast array of threats is the first step in ensuring
adequate protection of sensitive data.
 All networks are vulnerable to cyber security threats.
 A comprehensive data security program is essential for mitigating
these threats and preventing a data breach.
 A holistic approach to data security begins with understanding the
network, its architecture, user population, and mission requirements.
 Consistent implementation of the security plan will reduce
susceptibility to cyber threats and increase the overall security of an
organization’s data.
Access Control
Introduction
 “Access control” is where security engineering meets
computer science.
 Its function is to control which (active) subjects have access
to which (passive) objects with some specific access
operation.
Figure I. Access Control Model (subject, access operation, object)
Introduction
 Access Controls: The security features that control how users
and systems communicate and interact with one another.
 Access: The flow of information between subject and object
 Subject: An active entity that requests access to an object or
the data in an object
 Object: A passive entity that contains information
Security Principles
 The three main security principles also pertain to access
control:
 Availability
 Integrity
 Confidentiality
Identification, Authentication, and Authorization
 Identification, Authentication, and Authorization are
distinct functions.
 Identification
 Authentication
 Authorization
 Identity Management: A broad term to include the use
of different products to identify, authenticate, and
authorize users through automated means
Identification
 Method of establishing the subject’s identity
 User, Program, Process
 Use of username or other public information
 Identification component requirements
 Each value should be unique
 Follow a standard naming scheme
 Non-descriptive of the user’s position or tasks
 Must not be shared between users
Authentication
 Method of proving the identity
 Something you know (Passwords, OTP, Passphrase)
 Something you have (Smart Card, Token, Document)
 Something you are (Fingerprints, Retina Scan)
 Use of passwords, tokens, biometrics, or other private
information
 What is two factor authentication?
 Strong authentication
Authorization
Figure II. Authorization Mechanism
Types of Access Controls
 Administrative controls
 Define roles, responsibilities, policies, and administrative
functions to manage the control environment.
 Technical controls
 Use hardware and software technology to implement access
control.
 Physical controls
 Ensure safety and security of the physical environment.
Administrative controls
 Policies and procedures
 Security awareness training
 Asset classification and control
 Employment policies and practices (background checks, job
rotations, and separation of duties)
 Account administration
 Account, log monitoring
 Review of audit trails
Technical controls
 Encryption
 Biometrics
 Smart cards
 Tokens
 Access control lists
 Violation reports
 Audit trails
 Network monitoring and intrusion detection
Physical controls
 HVAC
 Fences, locked doors, and restricted areas
 Guards and dogs
 Motion detectors
 Video cameras
 Fire detectors
 Smoke detectors
Categories of Access Controls
Control Type | Description
Preventive | Avoid incident
Deterrent | Discourage incident
Detective | Identify incident
Corrective | Remedy circumstance/mitigate damage and restore controls
Recovery | Restore conditions to normal
Compensating | Alternative control
Access Control Threats
 Insiders
 Countermeasures include good policies and procedures, separation of
duties, job rotation
 Dictionary Attacks
 Countermeasures include strong password policies, strong
authentication, intrusion detection and prevention
 Brute Force Attacks
 Countermeasures include penetration testing, minimum necessary
information provided, monitoring, intrusion detection, clipping levels
 Spoofing at Logon
 Countermeasures include a guaranteed trusted path, security awareness
to be aware of phishing scams, SSL connection
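The "clipping levels" countermeasure listed for brute force attacks can be sketched as a sliding-window counter over logon failures. This is an added example, not part of the original slides; the log format, field names, addresses and thresholds are all constructed assumptions. It counts per account and per source, because guessing spread across many accounts from one source never trips a per-account counter.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <OK|FAIL> user=<name> src=<address>"
SAMPLE_LOG = """
2016-08-01T09:00:00 FAIL user=alice src=10.0.0.5
2016-08-01T09:00:10 FAIL user=alice src=10.0.0.5
2016-08-01T09:00:20 FAIL user=alice src=10.0.0.5
2016-08-01T09:00:30 FAIL user=alice src=10.0.0.5
2016-08-01T09:01:00 OK user=bob src=10.0.0.9
2016-08-01T09:02:00 FAIL user=bob src=10.0.0.9
garbage line
2016-08-01T09:10:00 FAIL user=carol src=10.0.0.7
2016-08-01T09:10:05 FAIL user=dave src=10.0.0.7
2016-08-01T09:10:10 FAIL user=erin src=10.0.0.7
2016-08-01T09:10:15 FAIL user=frank src=10.0.0.7
2016-08-01T09:30:00 FAIL user=alice src=10.0.0.5
"""


def parse_line(line):
    """Return (timestamp, outcome, user, source) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, outcome, user_kv, src_kv = parts
    if not (user_kv.startswith("user=") and src_kv.startswith("src=")):
        return None
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return when, outcome, user_kv[len("user="):], src_kv[len("src="):]


def clipping_alerts(lines, clipping_level=3, window=timedelta(minutes=5)):
    """Flag an account or source when its failures inside the window first
    exceed the clipping level (the number of failures tolerated as normal)."""
    recent = defaultdict(deque)  # ("user"|"src", value) -> failure timestamps
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # blank or malformed line: ignore rather than crash
        when, outcome, user, src = event
        if outcome != "FAIL":
            continue
        for key in (("user", user), ("src", src)):
            failures = recent[key]
            failures.append(when)
            # Drop failures that have aged out of the sliding window.
            while when - failures[0] > window:
                failures.popleft()
            # Alert once, at the moment the tolerated count is exceeded.
            if len(failures) == clipping_level + 1:
                alerts.append((when.isoformat(), key[0], key[1]))
    return alerts


if __name__ == "__main__":
    for alert in clipping_alerts(SAMPLE_LOG.splitlines()):
        print(alert)
```

In the constructed log, the single source trying four different accounts is flagged only by the per-source counter, and the lone failure at 09:30 raises nothing because the earlier failures have left the window.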
Access Control Monitoring
 Intrusion Detection Systems
 Network Based (NIDS)
 Host Based (HIDS)
 HIDS and NIDS can be:
 Signature Based
 Statistical Anomaly Based
 Protocol Anomaly Based
 Traffic Anomaly Based
 Rule Based
Access Control Monitoring
 Intrusion Prevention Systems
 Preventative and proactive technology; IDS, by contrast, is a detective technology.
 Network Based (NIPS)
 Host Based (HIPS)
 Honeypots
 An attractive offering that hopes to lure attackers away from critical
systems
 Network sniffers
 A general term for programs or devices that are able to examine traffic on
a LAN segment.
Access Control Models
 Organizations use access control mechanisms to mitigate the
risks of unauthorized access to their data, resources, and
systems. Several access control models exist.
 In some cases, the more complicated models expand upon and
enhance earlier models, while in other cases they represent a
rethinking of the fundamental manner in which access control
should be done.
 In many cases, the newer, more complicated models arose not
from deficiencies in the security that earlier models provide,
but from the need for new models to address changes in
organizational structures, technologies, organizational needs,
technical capabilities, and/or organizational relationships.
Access Control Models
[Figure: access control models ACL, RBAC, ABAC, PBAC and RAdAC, ordered by increasing policy basis for the access control decision and increasingly finer granularity of access control]
Access Control Lists (ACL)
 The concept of an ACL is very simple: each resource on a
system to which access should be controlled, referred to as
an object, has its own associated list of mappings between
the set of entities requesting access to the resource and the
set of actions that each entity can take on the resource.
 Some applications also maintain access control lists to
determine which users are able to view certain data
elements.
Access Control List (ACL)
 Matrix is stored by column.
 Each object is associated with a list
 Indicate for each subject the actions that the subject can
exercise on the object
Access Control Lists: Limitations
 The ACL for a particular file, process, or other resource must
be checked every time the resource is accessed, and this can be
an inefficient means of providing access control.
 ACLs control not only user access to system resources; they
also control application and system access.
 ACLs can also be difficult to manage in an enterprise setting
where many people need to have different levels of access to
many different resources.
 Selectively adding, deleting and changing ACLs on individual
files, or even groups of files, can be time-consuming and error-
prone.
Role-based Access Control (RBAC)
 RBAC determines access based on roles.
 More than one person can have the same role.
 RBAC allows for the grouping of individuals into categories of
people who fulfill a particular role.
 One set of access control permissions on a particular resource.
 The source code tree for a new piece of software can be set
once for all members of the software engineering department.
Role-based Access Control: Limitations
 One of the most significant is the fact that dividing people into
categories based on roles makes it more difficult to define
granular access controls for each person.
 It is often necessary to create more specific versions of roles or
devise other mechanisms to exclude specific individuals who
fall into a particular role, but do not necessarily need to have
the full rights accorded to other members of a group.
Attribute Based Access Control (ABAC)
 Access control decisions are made based on a set of characteristics,
or attributes.
 Associated with the requester, the environment, and/or the resource
itself.
 Each attribute is a discrete, distinct field that a policy decision point
can compare against a set of values to determine whether or not to
allow or deny access.
 Attributes do not necessarily need to be related to each other.
 Attributes that go into making a decision can come from disparate,
unrelated sources.
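The ACL, RBAC and ABAC slides above describe three ways of answering the same question: may this subject perform this operation on this object? The following is an added example, not part of the original slides; all users, roles, attributes and rules in it are constructed for illustration. It also shows the RBAC limitation noted earlier: a contractor holding the engineering role cannot be excluded without a new role, whereas an ABAC rule can test an employment attribute.

```python
from dataclasses import dataclass

# All names and data below are constructed for illustration.

# ACL: the access matrix stored by column, i.e. one list per object that
# records, for each subject, the operations it may exercise on that object.
ACLS = {
    "payroll.xlsx": {"alice": {"read", "write"}, "bob": {"read"}},
    "src/": {"carol": {"read", "write"}},
}


def acl_allows(subject, operation, obj):
    """Consult the object's own list; subjects not on it get no access."""
    return operation in ACLS.get(obj, {}).get(subject, set())


# RBAC: permissions attach to roles; subjects only hold roles.
ROLE_PERMS = {
    "software_engineer": {("src/", "read"), ("src/", "write")},
    "hr_clerk": {("payroll.xlsx", "read")},
}
USER_ROLES = {
    "carol": {"software_engineer"},
    "dave": {"software_engineer"},  # contractor, but same role as carol
    "bob": {"hr_clerk"},
}


def rbac_allows(subject, operation, obj):
    """Permit if any role held by the subject carries the permission."""
    roles = USER_ROLES.get(subject, set())
    return any((obj, operation) in ROLE_PERMS.get(role, set()) for role in roles)


# ABAC: a policy decision point compares discrete attributes of the
# requester, the resource and the environment against allowed values.
@dataclass(frozen=True)
class Request:
    subject: dict
    resource: dict
    environment: dict
    operation: str


ABAC_RULES = [
    {
        "operations": {"read", "write"},
        "conditions": [
            ("subject", "department", {"engineering"}),
            ("subject", "employment", {"employee"}),
            ("resource", "kind", {"source_code"}),
            ("environment", "network", {"corporate"}),
        ],
    },
]


def abac_allows(request, rules=ABAC_RULES):
    """Default deny: permit only if every condition of some rule matches.
    A missing attribute yields None, which matches no allowed value."""
    for rule in rules:
        if request.operation not in rule["operations"]:
            continue
        if all(getattr(request, source).get(name) in allowed
               for source, name, allowed in rule["conditions"]):
            return True
    return False


SUBJECT_ATTRS = {
    "carol": {"department": "engineering", "employment": "employee"},
    "dave": {"department": "engineering", "employment": "contractor"},
}


def source_write_request(user, network):
    """Build a write request against the source tree for a sample user."""
    return Request(SUBJECT_ATTRS[user], {"kind": "source_code"},
                   {"network": network}, "write")


if __name__ == "__main__":
    print("ACL  dave write src/:", acl_allows("dave", "write", "src/"))
    print("RBAC dave write src/:", rbac_allows("dave", "write", "src/"))
    print("ABAC dave write src/:", abac_allows(source_write_request("dave", "corporate")))
    print("ABAC carol write src/:", abac_allows(source_write_request("carol", "corporate")))
```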
Attribute Based Access Control: Limitations
 One limitation of the ABAC model is that in a large
environment with many resources, individuals, and
applications, there can be disparate attributes and access
control mechanisms among the organizational units.
 It is often necessary to harmonize access control across
the enterprise in order to meet enterprise governance
requirements.
Policy-based Access Control (PBAC)
 Emerging model that seeks to help enterprises address the need to
implement concrete access controls based on abstract policy and
governance requirements.
 PBAC can be said to be a harmonization and standardization of the
ABAC model at an enterprise level in support of specific governance
objectives.
 PBAC combines attributes from the resource, the environment, and
the requester with information on the particular set of circumstances
under which the access request is made.
 It uses rule sets that specify whether the access is allowed under
organizational policy for those attributes under those circumstances.
Policy-based Access Control: Limitations
 In contrast to the other access control models, PBAC
requires not only complicated application-level logic to
determine access based on attributes, but also a
mechanism to specify policy rules in unambiguous terms.
Risk-Adaptive Access Control (RAdAC)
 Devised to bring real-time, adaptable, risk-aware access
control to the enterprise.
 RAdAC represents a fundamental shift in the way access
control is managed.
 It extends upon other earlier access control models by
introducing environmental conditions and risk levels into
the access control decision process.
Risk-Adaptive Access Control: Limitations
 RAdAC faces a variety of non-technical challenges, including
those of policy and law:
 Does deploying RAdAC in certain environments violate the law?
 Who is accountable if a security breach were to occur?
 Are the system owners, the RAdAC implementers and
administrators, and/or the RAdAC system designers ultimately
responsible if a breach were to occur?
Conclusion
 The business-to-business (B2B) relationships that enable
organizations to successfully execute their missions, for example,
sometimes require users or systems from one business to access
resources from business partners.
 Simpler access control models often cannot adequately meet the
complex access control requirements that such relationships require,
and so more granular, powerful, dynamic models and mechanisms
are needed to address these new realities.
 In short, increasingly complex data access and sharing requirements
drive the need for increasingly complex access control models and
mechanisms.
References
[1] Data Protection Principles in the Personal Data (Privacy) Ordinance – from the Privacy Commissioner’s perspective (2nd Edition), pdf available at: www.pcpd.org.hk. Last accessed: August 2016.
[2] Pew Research Center, Anonymity, Privacy, and Security Online, available at: http://www.pewinternet.org/2013/09/05/anonymity-privacy-and-security-online/. Last accessed: August 2016.
[3] Survey, Mobile, cloud computing are source of most healthcare security worries, available at: http://mobihealthnews.com/23519/survey-mobile-cloud-computing-are-source-of-most-healthcare-security-worries/. Last accessed: August 2016.
[4] Privacy Technical Assistance Center USA, “Data Security: Top Threats to Data Protection”, pdf available at: http://ptac.ed.gov/sites/default/files/issue-brief-threats-to-your-data.pdf. Last accessed: August 2016.
HelpSec, “Malware-infected home routers used to launch DDoS attacks”, available at: http://www.helpsec.net/malware-infected-home-routers-used-to-launch-ddos-attacks. Last accessed: August 2016.
InfoSec, “Wrong response to zero day attacks exposes serious risks”, available at: http://www.infosecisland.com/blogview/22600-Wrong-response-to-zero-day-attacks-exposes-serious-risks.html. Last accessed: August 2016.
[5] Trend Micro, “Malicious Ads Redirect to Flash Zero-Day Exploit, Affects Top Video-Sharing Site”, available at: http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-ads-redirect-to-flash-zero-day-exploit-affects-top-video-sharing. Last accessed: August 2016.
[6] BCS, “Top 10 database attacks”, available at: http://www.bcs.org/content/ConWebDoc/8852. Last accessed: August 2016.
[7] Muhammad Wajahat Rajab, “Access Control”, available at: http://www.slideshare.net/wajraj/access-control-presentation-23717821. Last accessed: August 2016.
[8] EECS, “Access Control”, available at: http://www.web.eecs.umich.edu/~aprakash/security/handouts/AccessModel_040112_v2.ppt. Last accessed: August 2016.

Data Privacy Introduction

  • 2. INDEX
      - Fundamental Concepts
      - Data Privacy Attacks
      - Access control models
  • 4. What is Data Privacy?
      - The aspect of information technology (IT) that deals with the ability an organization or individual has to determine what data in a computer system can be shared with third parties.
      - The challenge of data privacy is to utilize data while protecting individual's privacy preferences and their personally identifiable information.
      - The fields of computer security, data security and information security design and utilize software, hardware and human resources to address this issue.
  • 5. What is Data Privacy?
      - As the laws and regulations related to Privacy and Data Protection are constantly changing, it is important to keep abreast of any changes in the law and continually reassess compliance with data privacy and security regulations.
      - Privacy concerns exist wherever personally identifiable information or other sensitive information is collected, stored, used, and finally destroyed or deleted in digital form or otherwise.
      - Improper or non-existent disclosure control can be the root cause for privacy issues.
  • 6. What is Data Privacy? Data privacy issues can arise in response to information from a wide range of sources, such as:
      - Healthcare records
      - Criminal justice investigations and proceedings
      - Financial institutions and transactions
      - Biological traits, such as genetic material
      - Residence and geographic records
      - Ethnicity
      - Privacy breach
      - Location-based service and geo-location
      - Web surfing behavior or user preferences using persistent cookies
  • 7. Data Security Vs. Data Privacy
      - Data security is commonly referred to as the confidentiality, availability, and integrity of data.
      - Data privacy is suitably defined as the appropriate use of data.
      - When companies and merchants use data or information that is provided or entrusted to them, the data should be used according to the agreed purposes.
      - Companies need to enact a data security policy for the sole purpose of ensuring data privacy or the privacy of their consumers' information.
  • 8. Data Security Vs. Data Privacy
      - Companies must ensure data privacy because the information is an asset to the company.
      - A data security policy is simply the means to the desired end, which is data privacy.
      - No data security policy can overcome the willing sale or soliciting of the consumer data that was entrusted to an organization.
  • 9. Need Of Data Privacy
      - Every time we use a service, we have to hand over some of our personal information.
      - Even without our knowledge, information is being generated and captured by companies and agencies we are likely to have never knowingly interacted with.
      “The only way citizens and consumers can have confidence in both government and business is through strong data protection practices, with effective legislation to help minimize needless monitoring by officialdom and regulate surveillance by companies.”
  • 10. Need Of Data Privacy
      - Data protection rules need to be enforced by a regulator or authority, often called a Privacy Commissioner.
      - The strength of the powers invested in these authorities varies from country to country and so does its independence from Government.
      - These powers can include the ability to conduct investigations, act on complaints and impose fines when they discover an organization has broken the law.
  • 11. Data Protection Laws
      - As of August 2014, over 100 countries around the world have enacted comprehensive data protection legislation, and several other countries are in the process of passing such laws.
      - The strongest and most comprehensive laws are in the countries of the European Union and European Economic Area that have implemented the 1995 Data Protection Directive.
      - Canada is another leading example with two separate pieces of legislation applying at the national level to government and industry.
  • 12. Data Protection Laws
      - Data protection law has become not only a vehicle for protecting citizens and consumers, it has become a gateway to trade.
      - The OECD Guidelines on the Protection of Privacy, first agreed in 1980 and revised in 2013, were the pioneer in establishing the data protection principles, adopted by many countries in their legislation.
      - The EU's 1995 Directive standardized laws to some extent across European Union member states, partly to enable trade within the European market.
  • 13. Data Protection Act Principles. The Data Protection Act is the law that protects us against illegal and inappropriate use of our personal information without our consent, and the same applies to us using the information of others. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
      - Fairly and lawfully processed
      - Processed for limited purposes
      - Adequate, relevant and not excessive
      - Accurate and up to date
      - Not kept for longer than is necessary
      - Processed in line with your rights
      - Secure
      - Not transferred to other countries without adequate protection
  • 14. State of Data Privacy in 2015
      - According to a recent survey by Dimensional Research, 93% of businesses are challenged by data privacy.
      - It estimated that by 2018, more than 9 billion U.S. dollars will be lost due to payment card fraud, 6.4 billion due to CNP (card not present) transactions.
  • 15. Figure 1. Smartphone vs. Other cell owners on mobile data security [2]
  • 16. Figure 2. Percentage data protection risk on regulated data [3]
  • 17. State of Data Privacy in 2015  Another increasing worry in the online medium is malicious use of personal information intended to humiliate, harass or in other ways damage someone’s reputation.  Especially among youth, internet bullying is one of the biggest fears parents have when it comes to their children’s online safety.
  • 19. Introduction  Advancements in information technology (IT) have raised concerns about the risks to data associated with weak IT security.  Inadequate IT security may result in compromised confidentiality, integrity, and availability of the data due to unauthorized access.  To ensure that individual privacy remains carefully protected, local and state education agencies should implement state-of-the-art information security practices.  Staying ahead of the ever-evolving threat of a data breach requires diligence on the part of the education community in understanding and anticipating the risks.
  • 21. Non-existent Security Architecture  Some organizations do not have an established security architecture in place, leaving their networks vulnerable to exploitation and the loss of personally identifiable information (PII).  Inadequate network protection results in increased vulnerability of the data, hardware, and software, including susceptibility to malicious software.
  • 22. Non-existent Security Architecture  If the network contains sensitive information or PII, it is critical that even in a very limited resource environment, minimal user, network and perimeter security protection mechanisms (such as anti-virus) are implemented.  Mitigation: If an organization does not have the appropriate personnel to design a security architecture, it is recommended that a third party be brought in to consult with the IT team.
  • 23. Un-patched Client Side Software and Applications  Computers run a variety of software applications, including older versions that may sometimes contain vulnerabilities that can be exploited by malicious actors.  Mitigation: To reduce the ability of malicious actors to compromise or destroy an organization’s security system, implement a robust patch management program that identifies vulnerable software applications and regularly updates the software security to ensure ongoing protection from known threats.
  • 24. Phishing and Targeted Attacks (“Spear Phishing”)  One way malicious individuals or criminals (e.g., hackers) target individuals and organizations to gain access to personal information is through emails containing malicious code; this is referred to as phishing. Once infected emails are opened, the user’s machine can be compromised. Mitigation:  To reduce vulnerability to phishing and other e-mail security scams, organizations should install professional enterprise-level e-mail security software.
  • 25. Figure I. Stages in Spear Phishing Attacks
  • 26. Phishing and Targeted Attacks (“Spear Phishing”)  It is recommended that this software check both incoming and outgoing messages to ensure that spam messages are not being transmitted if a system becomes compromised.  In addition, organizations should provide regular internet security training to staff to ensure user-awareness about e-mail scams.
  • 27. Internet Websites  Malicious code can be transferred to a computer through browsing webpages that have not undergone security updates.  Simply browsing the internet and visiting compromised or unsecured websites could result in malicious software being downloaded to an organization’s computers and network.  Mitigation: To prevent threats from compromised websites, employ firewalls and antivirus software to help identify and block potentially risky web pages.
  • 28. Poor Configuration Management  Any computer connected to the network, whether at work or at home, that does not follow configuration management policy, is vulnerable to an attack.  Weak data security protection measures that do not restrict which machines can connect to the organization’s network make it vulnerable to this type of threat.
  • 29. Poor Configuration Management Mitigation:  Establish a configuration management policy for connecting any hardware to the network.  The policy should specify security mechanisms and procedures for various types of hardware, including computers, printers, and networking devices.  It is also recommended to implement a Network Access Control solution to enforce configuration policy requirements.
  • 30. Mobile Devices  Use of mobile devices, such as laptops or handheld devices, including smartphones, is exploding; however, the ability to secure them is lagging behind.  Data breaches can occur in a number of ways: devices can be lost, stolen, or their security can be compromised by malicious code invading the operating system and applications.
  • 31. Mobile Devices Mitigation:  To promote data security in case a device is lost or stolen, encrypt data on all mobile devices storing sensitive information.  Until more data encryption, user authentication, and anti-malware solutions become available for mobile devices, the best protection strategy is to implement a strict mobile device usage policy and monitor the network for malicious activity.
  • 32. Cloud Computing  In cloud computing large amounts of customer data are stored in shared resources, which raises a variety of data encryption and availability issues.  Further, the cloud provider faces the same data security responsibilities and challenges as the organization that owns the data, including patching and managing their applications against malicious code. Mitigation:  Conduct an assessment to compare benefits from adopting cloud computing, including cost savings and increased efficiency, against associated security risks.
  • 33. Cloud Computing  It is critical to ensure that solutions offered by the cloud provider effectively comply with the organization’s information system security requirements, including operational and risk management policies.
  • 34. Removable media  The use of removable media on an organization’s network poses a significant security threat.  Without proper protection, these types of media provide a pathway for malware to move between networks or hosts.  Following proper security measures when using removable media devices is necessary to decrease the risk of infecting an organization’s machines or the entire network.
  • 35. Removable media Mitigation:  To minimize the security risks, apply simple preventative steps. These include disabling the “auto run” feature of the operating system on the organization’s machines and training users to scan removable media for viruses before opening the files.
  • 36. Botnets  Botnets are networks of compromised computers used by hackers for malicious purposes, usually criminal in nature.  Clean up efforts resulting from botnet infestation may be costly and damaging to an organization’s reputation. Mitigation:  Since there are many ways computers can become compromised, having a strong security architecture is critical to defending against a malicious botnet attack.
  • 37. Figure II. Botnet Attack [2]
  • 38. Botnets  Strategies for botnet detection involve analyzing patterns of data sent over the network, and monitoring computer resources usage and external connections.
  • 39. Zero-day Attacks  A zero-day attack is a threat aimed at exploiting a software application vulnerability before the application vendor becomes aware of it and before the vulnerability becomes widely known to the internet security community.  These attacks are among the hardest to mitigate and leave computers and networks extremely vulnerable.
  • 40. Figure III. Timeline of a Zero-day attack [3]
  • 41. Figure IV. Zero-day Malware Attack on Adobe Flash Player [4]
  • 42. Zero-day Attacks Mitigation:  Unless an organization has access to IT analysts who are highly experienced in technical vulnerability assessment, a frequently recommended approach to mitigation is to wait for the vendor to release a patch that fixes the vulnerability.  The organization should keep abreast of the latest software patches and deploy the fix as soon as it is distributed by the developer.
  • 43. Non-technical Cyber Security Threats to Information Systems
  • 44. Insider Threats  An insider is defined as someone with legitimate access to the network.  Because information accessed by insiders can be easily stolen, copied, deleted, misfiled, or changed, insider threats can be some of the most damaging, regardless of whether they occur due to user carelessness or malicious attempts.
  • 45. Insider Threats Mitigation:  To mitigate this type of threat, establish and enforce a well-defined privilege rights management system.  Audit programs are useful in enforcing access controls and monitoring suspicious activity.
  • 46. Poor Passwords  Implementing a policy on strong user passwords is critical to data protection.  Modern password-cracking programs can easily break weak passwords, such as those containing common words or word groups found in a dictionary.  For this reason, user-selected passwords are generally considered to be weaker than randomly-generated passwords.
  • 47. Poor Passwords Mitigation:  Use a professional password-generating program as an enterprise-level solution.  In addition to implementing procedures for generating strong passwords, train users on how to maintain the security of their passwords.  For enhanced security, consider implementing more advanced authentication capabilities, such as multi-factor authentication.
  • 48. Physical Security  Physical security is essential to preventing unauthorized access to sensitive data as well as protecting an organization’s personnel and resources.  Physical safety measures include securing access to dedicated computers, server rooms, routers, printers, and any areas that process or store sensitive data.
  • 49. Physical Security Mitigation:  Establish and enforce a physical security system.  Strong physical security includes access control policies and procedures; physical barriers; surveillance and alarm systems; and security breach notification, response, and system recovery procedures.
  • 50. Insufficient Backup and Recovery  Lack of a robust data backup and recovery solution puts an organization’s data at risk and undermines the effectiveness of its IT operations.  Data and system recovery capabilities allow an organization to reduce the risk of damage associated with a data breach.
  • 51. Insufficient Backup and Recovery Mitigation:  Establish an organizational policy and specify procedures for data backup, storage, and retrieval.  Many advanced data and system backup and recovery tools are available on the market.
  • 52. Improper Destruction  Discarded electronic devices, such as computers or portable drives, that have been used in processing and storing sensitive data, remain vulnerable unless the data are erased properly.  A data breach can occur if recovery tools are used to extract improperly erased or overwritten data.
  • 53. Improper Destruction Mitigation:  Establish a policy for protecting or destroying no longer needed IT assets and media that may contain sensitive data.  Several standards organizations offer guidelines that outline best practices for ensuring data are discarded properly, including recommendations published by the National Institute of Standards and Technology (NIST) titled NIST SP 800-88, “Guidelines for Media Sanitization.”
  • 54. Social Media  Using an organization’s devices and network resources to access social media websites poses a high data security threat.  Social networking sites are often targeted by malware, receive a high degree of spam, and are frequently used to gain information for identity theft. Mitigation:  Introduce and reinforce a policy forbidding access to some social media websites while using an organization’s resources and equipment.
  • 55. Social Media  Train users about the security threats generated by visiting these sites.  Organizations that allow access to social media websites should deploy a strong anti-virus and spam filtering solution.
  • 56. Conclusion  Understanding the vast array of threats is the first step in ensuring adequate protection of sensitive data.  All networks are vulnerable to cyber security threats.  A comprehensive data security program is essential for mitigating these threats and preventing a data breach.  A holistic approach to data security begins with understanding the network, its architecture, user population, and mission requirements.  Consistent implementation of the security plan will reduce susceptibility to cyber threats and increase the overall security of an organization’s data.
  • 58. Introduction  “Access control” is where security engineering meets computer science.  Its function is to control which (active) subjects have access to which (passive) objects with some specific access operation. Figure I. Access Control Model (subject, access operation, object)
  • 59. Introduction  Access Controls: The security features that control how users and systems communicate and interact with one another.  Access: The flow of information between subject and object  Subject: An active entity that requests access to an object or the data in an object  Object: A passive entity that contains information
  • 60. Security Principles  The three main security principles also pertain to access control:  Availability  Integrity  Confidentiality
  • 61. Identification, Authentication, and Authorization  Identification, Authentication, and Authorization are distinct functions.  Identification  Authentication  Authorization  Identity Management: A broad term to include the use of different products to identify, authenticate, and authorize users through automated means
  • 62. Identification  Method of establishing the subject’s identity  User, Program, Process  Use of username or other public information  Identification component requirements  Each value should be unique  Follow a standard naming scheme  Non-descriptive of the user’s position or tasks  Must not be shared between users
  • 63. Authentication  Method of proving the identity  Something you know (Passwords, OTP, Passphrase)  Something you have (Smart Card, Token, Document)  Something you are (Fingerprints, Retina Scan)  Use of passwords, tokens, biometrics or other private information  What is two factor authentication?  Strong authentication
  • 65. Types of Access Controls  Administrative controls  Define roles, responsibilities, policies, and administrative functions to manage the control environment.  Technical controls  Use hardware and software technology to implement access control.  Physical controls  Ensure safety and security of the physical environment.
  • 66. Administrative controls  Policies and procedures  Security awareness training  Asset classification and control  Employment policies and practices (background checks, job rotations, and separation of duties)  Account administration  Account, log monitoring  Review of audit trails
  • 67. Technical controls  Encryption  Biometrics  Smart cards  Tokens  Access control lists  Violation reports  Audit trails  Network monitoring and intrusion detection
  • 68. Physical controls  HVAC  Fences, locked doors, and restricted areas  Guards and dogs  Motion detectors  Video cameras  Fire detectors  Smoke detectors
  • 69. Categories of Access Controls  Control Type: Description  Preventive: Avoid incident  Deterrent: Discourage incident  Detective: Identify incident  Corrective: Remedy circumstance/mitigate damage and restore controls  Recovery: Restore conditions to normal  Compensating: Alternative control
  • 70. Access Control Threats  Insiders  Countermeasures include good policies and procedures, separation of duties, job rotation  Dictionary Attacks  Countermeasures include strong password policies, strong authentication, intrusion detection and prevention  Brute Force Attacks  Countermeasures include penetration testing, minimum necessary information provided, monitoring, intrusion detection, clipping levels  Spoofing at Logon  Countermeasures include a guaranteed trusted path, security awareness to be aware of phishing scams, SSL connection
  • 71. Access Control Monitoring  Intrusion Detection Systems  Network Based (NIDS)  Host Based (HIDS)  HIDS and NIDS can be:  Signature Based  Statistical Anomaly Based  Protocol Anomaly Based  Traffic Anomaly Based  Rule Based
  • 72. Access Control Monitoring  Intrusion Prevention Systems  Preventative and proactive technology, whereas IDS is a detective technology.  Network Based (NIPS)  Host Based (HIPS)  Honeypots  An attractive offering that hopes to lure attackers away from critical systems  Network sniffers  A general term for programs or devices that are able to examine traffic on a LAN segment.
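The clipping level listed among the brute-force countermeasures, implemented as a rule-based check of the kind named under monitoring. This is an added example, not part of the original slides: the log format, the threshold of 3 failures and the 5-minute window are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format): timestamp result account source
SAMPLE_LOG = """\
2016-08-01T09:00:01 FAIL alice 10.0.0.5
2016-08-01T09:00:09 FAIL alice 10.0.0.5
2016-08-01T09:00:20 OK alice 10.0.0.5
2016-08-01T09:01:00 FAIL carol 10.0.0.8
2016-08-01T09:02:00 FAIL bob 203.0.113.7
2016-08-01T09:02:02 FAIL bob 203.0.113.7
2016-08-01T09:02:04 FAIL bob 203.0.113.7
2016-08-01T09:02:06 FAIL bob 203.0.113.7
2016-08-01T09:02:08 FAIL bob 203.0.113.7
2016-08-01T09:02:30 OK bob 203.0.113.7
2016-08-01T09:15:00 FAIL carol 10.0.0.8
2016-08-01T09:30:00 FAIL carol 10.0.0.8
2016-08-01T09:45:00 FAIL carol 10.0.0.8
"""


def detect(log_text, clipping_level=3, window=timedelta(minutes=5)):
    """Return alerts as (time, account, kind, failures_in_window).

    Failures up to the clipping level are tolerated as ordinary user error.
    One alert is raised when an account first exceeds the level inside the
    window, and another if a logon then succeeds while still above it.
    """
    failures = defaultdict(deque)   # account -> timestamps of recent failures
    alerted = set()                 # accounts already reported for this burst
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                # skip blank or malformed lines
        ts, result, user = datetime.fromisoformat(parts[0]), parts[1], parts[2]
        recent = failures[user]
        while recent and ts - recent[0] > window:
            recent.popleft()        # forget failures older than the window
        if result == "FAIL":
            recent.append(ts)
        over = len(recent) > clipping_level
        if not over:
            alerted.discard(user)
        if result == "FAIL" and over and user not in alerted:
            alerted.add(user)
            alerts.append((ts.isoformat(), user,
                           "CLIPPING_LEVEL_EXCEEDED", len(recent)))
        elif result == "OK":
            if over:                # a guess may have succeeded
                alerts.append((ts.isoformat(), user,
                               "SUCCESS_AFTER_FAILURES", len(recent)))
            recent.clear()
            alerted.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The two mistyped passwords for alice and the four failures for carol spread over 44 minutes stay below the clipping level; only the burst against bob is reported.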
  • 73. Access Control Models  Organizations use access control mechanisms to mitigate the risks of unauthorized access to their data, resources, and systems. Several access control models exist.  In some cases, the more complicated models expand upon and enhance earlier models, while in other cases they represent a rethinking of the fundamental manner in which access control should be done.  In many cases, the newer, more complicated models arose not from deficiencies in the security that earlier models provide, but from the need for new models to address changes in organizational structures, technologies, organizational needs, technical capabilities, and/or organizational relationships.
  • 74. Access Control Models  Figure: ACL, RBAC, ABAC, PBAC, RAdAC, arranged by increasing policy basis for access control decision and increasingly finer granularity of access control.
  • 75. Access Control Lists (ACL)  The concept of an ACL is very simple: each resource on a system to which access should be controlled, referred to as an object, has its own associated list of mappings between the set of entities requesting access to the resource and the set of actions that each entity can take on the resource.  Some applications also maintain access control lists to determine which users are able to view certain data elements.
  • 76. Access Control List (ACL)  Matrix is stored by column.  Each object is associated with a list  Indicate for each subject the actions that the subject can exercise on the object
  • 77. Access Control Lists: Limitations  The ACL for a particular file, process, or other resource must be checked every time the resource is accessed, and this can be an inefficient means of providing access control.  ACLs control not only user access to system resources; they also control application and system access.  ACLs can also be difficult to manage in an enterprise setting where many people need to have different levels of access to many different resources.  Selectively adding, deleting and changing ACLs on individual files, or even groups of files, can be time-consuming and error-prone.
  • 78. Role-based Access Control (RBAC)  RBAC determines access based on roles.  More than one person can have the same role.  RBAC allows for the grouping of individuals into categories of people who fulfill a particular role.  One set of access control permissions on a particular resource.  The source code tree for a new piece of software can be set once for all members of the software engineering department.
  • 80. Role-based Access Control: Limitations  One of the most significant limitations is that dividing people into categories based on roles makes it more difficult to define granular access controls for each person.  It is often necessary to create more specific versions of roles or devise other mechanisms to exclude specific individuals who fall into a particular role, but do not necessarily need to have the full rights accorded to other members of a group.
  • 81. Attribute Based Access Control (ABAC)  Access control decisions are made based on a set of characteristics, or attributes.  Associated with the requester, the environment, and/or the resource itself.  Each attribute is a discrete, distinct field that a policy decision point can compare against a set of values to determine whether or not to allow or deny access.  Attributes do not necessarily need to be related to each other.  Attributes that go into making a decision can come from disparate, unrelated sources.
  • 82. Attribute Based Access Control: Limitations  One limitation of the ABAC model is that in a large environment with many resources, individuals, and applications, there can be disparate attributes and access control mechanisms among the organizational units.  It is often necessary to harmonize access control across the enterprise in order to meet enterprise governance requirements.
  • 83. Policy-based Access Control (PBAC)  Emerging model that seeks to help enterprises address the need to implement concrete access controls based on abstract policy and governance requirements.  PBAC can be said to be a harmonization and standardization of the ABAC model at an enterprise level in support of specific governance objectives.  PBAC combines attributes from the resource, the environment, and the requester with information on the particular set of circumstances under which the access request is made.  It uses rule sets that specify whether the access is allowed under organizational policy for those attributes under those circumstances.
  • 84. Policy-based Access Control: Limitations  In contrast to the other access control models, PBAC requires not only complicated application-level logic to determine access based on attributes, but also a mechanism to specify policy rules in unambiguous terms.
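The same requests decided under the ACL, RBAC and ABAC/PBAC models described above, to show where each model's granularity runs out. This is an added example, not part of the original slides; every subject, object, role, attribute and rule in it is hypothetical.

```python
"""ACL, RBAC and ABAC/PBAC decisions for the same requests.
All subjects, objects, roles, attributes and rules are hypothetical."""

# ACL: the access matrix stored by column. Each object carries its own
# list mapping subjects to the actions they may perform on it.
ACL = {
    "src/payments": {"alice": {"read", "write"},
                     "bob": {"read", "write"},
                     "carol": {"read"}},
    "hr/salaries": {"dana": {"read", "write"}},
}


def acl_allows(subject, action, obj):
    return action in ACL.get(obj, {}).get(subject, set())


# RBAC: permissions are set once per role; people only acquire roles.
ROLE_PERMS = {
    "engineer": {("src/payments", "read"), ("src/payments", "write")},
    "auditor": {("src/payments", "read")},
    "hr": {("hr/salaries", "read"), ("hr/salaries", "write")},
}
USER_ROLES = {"alice": {"engineer"}, "bob": {"engineer"},
              "carol": {"auditor"}, "dana": {"hr"}}


def rbac_allows(subject, action, obj):
    return any((obj, action) in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(subject, set()))


# ABAC/PBAC: a policy decision point compares attributes of the requester,
# the resource and the environment against an explicit rule set.
SUBJECT_ATTRS = {
    "alice": {"department": "engineering", "employment": "staff"},
    "bob": {"department": "engineering", "employment": "contractor"},
    "carol": {"department": "audit", "employment": "staff"},
    "dana": {"department": "hr", "employment": "staff"},
}
RESOURCE_ATTRS = {
    "src/payments": {"owner": "engineering", "sensitivity": "high"},
    "hr/salaries": {"owner": "hr", "sensitivity": "high"},
}
# Rules are evaluated in order; the first match decides; no match means deny.
POLICY = [
    ("deny", lambda s, r, env, act: r["sensitivity"] == "high"
        and env.get("network") != "corporate"),
    ("deny", lambda s, r, env, act: act == "write"
        and r["sensitivity"] == "high" and s["employment"] == "contractor"),
    ("permit", lambda s, r, env, act: s["department"] == r["owner"]),
    ("permit", lambda s, r, env, act: act == "read"
        and s["department"] == "audit"),
]


def abac_allows(subject, action, obj, env):
    s, r = SUBJECT_ATTRS.get(subject), RESOURCE_ATTRS.get(obj)
    if s is None or r is None:
        return False  # unknown requester or resource: default deny
    for effect, condition in POLICY:
        if condition(s, r, env, action):
            return effect == "permit"
    return False


def compare(subject, action, obj, env):
    """Decision of each model for one request."""
    return {"acl": acl_allows(subject, action, obj),
            "rbac": rbac_allows(subject, action, obj),
            "abac": abac_allows(subject, action, obj, env)}


if __name__ == "__main__":
    office, remote = {"network": "corporate"}, {"network": "public"}
    for who, act, env in [("alice", "write", office), ("bob", "write", office),
                          ("alice", "write", remote), ("carol", "read", office)]:
        print(who, act, env["network"], compare(who, act, "src/payments", env))
```

Under RBAC, keeping contractor bob from writing would require a narrower "engineer" role, which is the limitation noted for that model; the attribute rules express it directly, and also refuse alice when the request arrives from outside the corporate network.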
  • 85. Risk-Adaptive Access Control (RAdAC)  Devised to bring real-time, adaptable, risk-aware access control to the enterprise.  RAdAC represents a fundamental shift in the way access control is managed.  It extends earlier access control models by introducing environmental conditions and risk levels into the access control decision process.
  • 86. Risk-Adaptive Access Control: Limitations  RAdAC faces a variety of non-technical challenges, including those of policy and law:  Does deploying RAdAC in certain environments violate the law?  Who is accountable if a security breach were to occur?  Are the system owners, the RAdAC implementers and administrators, and/or the RAdAC system designers ultimately responsible if a breach were to occur?
  • 87. Conclusion  The business-to-business (B2B) relationships that enable organizations to successfully execute their missions, for example, sometimes require users or systems from one business to access resources from business partners.  Simpler access control models often cannot adequately meet the complex access control requirements that such relationships require, and so more granular, powerful, dynamic models and mechanisms are needed to address these new realities.  In short, increasingly complex data access and sharing requirements drive the need for increasingly complex access control models and mechanisms.
  • 88. References [1] Data Protection Principles in the Personal Data (Privacy) Ordinance – from the Privacy Commissioner’s perspective (2nd Edition), pdf available at: www.pcpd.org.hk. Last accessed: August 2016. [2] Pew Research Center, Anonymity, Privacy, and Security Online, available at: http://www.pewinternet.org/2013/09/05/anonymity-privacy-and-security-online/. Last accessed: August 2016. [3] Survey, Mobile, cloud computing are source of most healthcare security worries, available at: http://mobihealthnews.com/23519/survey-mobile-cloud-computing-are-source-of-most-healthcare-security-worries/. Last accessed: August 2016. [4] Privacy Technical Assistance Center USA, “Data Security: Top Threats to Data Protection”, pdf available at: http://ptac.ed.gov/sites/default/files/issue-brief-threats-to-your-data.pdf, Last accessed: August 2016. HelpSec, “Malware-infected home routers used to launch DDoS attacks”, available at: http://www.helpsec.net/malware-infected-home-routers-used-to-launch-ddos-attacks, Last accessed: August 2016. InfoSec, “Wrong response to zero day attacks exposes serious risks”, available at: http://www.infosecisland.com/blogview/22600-Wrong-response-to-zero-day-attacks-exposes-serious-risks.html, Last accessed: August 2016.
  • 89. References [5] Trend Micro, “Malicious Ads Redirect to Flash Zero-Day Exploit, Affects Top Video-Sharing Site”, available at: http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-ads-redirect-to-flash-zero-day-exploit-affects-top-video-sharing, Last accessed: August 2016. [6] BCS, “Top 10 database attacks”, available at: http://www.bcs.org/content/ConWebDoc/8852, Last accessed: August 2016. [7] Muhammad Wajahat Rajab, “Access Control”, available at: http://www.slideshare.net/wajraj/access-control-presentation-23717821, Last accessed: August 2016. [8] EECS, “Access Control”, available at: http://www.web.eecs.umich.edu/~aprakash/security/handouts/AccessModel_040112_v2.ppt, Last accessed: August 2016.