Week 13 Security in Organisation Domain.pptx

Document Details

LikableHouston5762

Uploaded by LikableHouston5762

Tags

computer security organisational security information management

Full Transcript

CSF Lecture L Security in the E Organisation Domain C T U R E 8 Official (Closed) - Sensitive Official Learning Outcomes Normal Open  At the end of this topic, the students are expected to be able to demonstrate under...

CSF Lecture L Security in the E Organisation Domain C T U R E 8 Official (Closed) - Sensitive Official Learning Outcomes Normal Open  At the end of this topic, the students are expected to be able to demonstrate understanding of concepts in Security in the Organization Domain Last update: 7/23/24 01:23 AM CSF 2 Official (Closed) - Sensitive Official Normal Open Seven Security Domains Last update: 7/23/24 01:23 AM CSF 3 Official (Closed) - Sensitive Official Normal Learning Objectives Open This lecture is comprised of the following sections:  Organisational Security  Information Security Governance  Policies  Law and Regulations  Risk Management Last update: 7/23/24 01:23 AM CSF 4 Official (Closed) - Sensitive Official Organisational Security Normal Open What is Organisational Security? It is an appropriate level of security, working together in team communication and information management practices to achieve a goal. The purpose is to establish the minimum administrative, technical, and physical safeguards that will be utilized by organization to protect sensitive information from unauthorized access, disclosure, corruption, or destruction. Last update: 7/23/24 01:23 AM CSF 5 Official (Closed) - Sensitive Official Organisational Security Normal Open What is Organisational Security? mostly concerned with people, processes, and procedures. needs to ensure that employees know what to do in certain situations. Be it some sort of security incident or natural disaster, all employees need to understand their roles and responsibilities and the procedures they need to follow. Formalized policies and procedures - crucial in ensuring employees understand and follow the security guidelines. Last update: 7/23/24 01:23 AM CSF 6 Official (Closed) - Sensitive Official Organisational Security Normal Open What is Organisational Security? Information Security Governance Security Policies Law & Regulations Risk Management Last update: 7/23/24 01:23 AM CSF 7 Official (Closed) - Sensitive Official Information Security Governance Normal Open What is Information Security Governance? Information security governance is defined as “a subset of enterprise governance that provides strategic direction, ensures that objectives are achieved, manages risk appropriately, uses organizational resources responsibly, and monitors the success or failure of the enterprise security program” Last update: 7/23/24 01:23 AM CSF 8 Official (Closed) - Sensitive Official Normal Open Security Policies Information security policy is an aggregate of directives, rules, and practices that prescribes how an organization manages, protects, and distributes information. Information security policy is an essential component of information security governance---without the policy, governance has no substance and rules to enforce. Information security policy should be based on a combination of appropriate legislation, such as CMA; applicable standards, such as NIST Federal Information Processing Standards (FIPS) and guidance; and internal agency requirements. Without proper policies in place, it would be leaving ourselves at the mercy of cybercriminals. Last update: 7/23/24 01:23 AM CSF 9 Official (Closed) - Sensitive Official Policies, Standards, Guidelines and Procedures Normal Open Types of polices and documents in place: Policies Policy is a simple document stating that their particular high-level control objective is important to the organization’s success. (Mandatory compliance). Standards Standard documents are to ensure uniform application of a policy after approval (Mandatory compliance). Guidelines Intended to provide advice pertaining to how organizational objectives might be obtained in the absence of a standard. Guidelines are often non-Mandatory compliance. Procedures Good procedures include common troubleshooting steps in case the user encounters a known problem. Compliance with established procedures is mandatory to ensure consistency and accuracy. Last update: 7/23/24 01:23 AM CSF 10 Official (Closed) - Sensitive Official Law & Regulations Normal Open A variety of laws and regulations have surfaced over the past decade in an attempt to strengthen the security of information stored within the companies. As a results, various security control “standards” and “frameworks” have evolved to meet the requirement of the laws. Laws and regulations are developed at a higher “what needs to happen” level Standards and control frameworks are needed to ensure security is planned, organized, implemented, tested, and monitored. Last update: 7/23/24 01:23 AM CSF 11 Official (Closed) - Sensitive Official Law & Regulations Normal Open Many countries have their own national laws and regulations governing information security but movement of data across time zones and international boundaries has complicated the issue of legal jurisdiction. Relevant laws dealing with computer crime and security in Singapore include: Electronic Transactions Act 2010 - provide a legal foundation for electronic signatures and gives predictability and certainty to contracts formed electronically. Computer Misuse Act 1993 - defined a class of critical computer systems and provided them with greater protection. Personal Data Protection Act 2012 (amended Feb 2021) - Imposes a number of data protection obligations on organisations, in respect of personal data. Cybersecurity Act 2018 (amended 2024) - Sets out a framework for the monitoring of Critical Information Infrastructures (CII) including imposing obligations on owners of CIIs to report cybersecurity incidents and provides for the appointment of a Commissioner of Cybersecurity to, amongst others, oversee and promote the cybersecurity of computers and computer systems in Singapore. Last update: 7/23/24 01:23 AM CSF 12 Official (Closed) - Sensitive Official Risk Management Normal Open The risks modern organizations face have grown more complex, fueled by the rapid pace of globalization. New risks are constantly emerging, often related to and generated by the now- pervasive use of digital technology. Information security risk management – “process of identifying, evaluating, and treating risks around the organisation’s valuable information. It addresses uncertainties around those assets to ensure the desired business outcomes are achieved”. A successful risk management program helps an organization consider the full range of risks it faces. examines the relationship between risks and the cascading impact they could have on an organization's strategic goals. Last update: 7/23/24 01:23 AM CSF 13 Official (Closed) - Sensitive Official Summary Normal Open  Law & Regulations  IT Governance  Policies  Risk Management Last update: 7/23/24 01:23 AM CSF 14 Official (Closed) - Sensitive Official For Reference Only Normal Open  Personal Data Protection Act  For reference Last update: 7/23/24 01:23 AM CSF 15 Official (Closed) - Sensitive Official Singapore PDPA Law Normal Open What is Personal Data Protection Act? Any data that is about you may be considered personal data. Personal data under the PDPA may include the following:  Full name  NRIC, or passport number  Photograph or video image of an individual  Mobile telephone number  Personal email address  Thumbprint  Name and residential address Last update: 7/23/24 01:23 AM CSF 16 Official (Closed) - Sensitive Official PDPA – Providing Consent Normal Open Personal Data Protection Act Organisations will have to let you know why they are asking you for your personal data and obtain your consent before collecting, using or disclosing your personal data. If you willingly provide your personal data for a particular purpose, you may also be allowing organisations to collect, use or disclose your personal data. This is known as “deemed consent”. Last update: 7/23/24 01:23 AM CSF 17 Official (Closed) - Sensitive Official PDPA - Withdrawing Consent Normal Open Personal Data Protection Act You may tell an organisation to stop collecting, using or disclosing your personal data. The organisation should inform you of the likely consequences of your withdrawal before processing the request. However, the organisation is not required to delete or destroy your personal data and may retain it for as long as there are business or legal needs. Last update: 7/23/24 01:23 AM CSF 18 Official (Closed) - Sensitive Official PDPA - Requesting Access (1) Normal Open Personal Data Protection Act You may request to see the personal data that an organisation has about you. You can also check how your personal data has or may have been used or disclosed in the past year. Do note that organisations may levy an administrative fee for each access request or reject the request if it is considered frivolous. Last update: 7/23/24 01:23 AM CSF 19 Official (Closed) - Sensitive Official PDPA - Requesting Access (2) Normal Open Personal Data Protection Act Organisations also cannot grant access if giving you the personal data could:  Cause immediate or serious harm to your safety or physical/mental health;  Threaten the safety or physical/mental health of someone else;  Reveal someone else’s personal data;  Reveal the identity of the person who provided your personal data; or  Be contrary to the national interest. Last update: 7/23/24 01:23 AM CSF 20 Official (Closed) - Sensitive Official PDPA – Requesting Correction Normal Open Personal Data Protection Act You may request to correct an error or omission in your personal data held by the organisation. Unless the organisation has a valid reason not to make the correction, it should correct the data and send it to organisations which have received it in the past year; or if you agree, only to specific organisations to which the personal data was disclosed. Last update: 7/23/24 01:23 AM CSF 21 Official (Closed) - Sensitive Official Singapore Law – Data Retension Normal Open Data Retention Law (Singapore) You should keep proper records and accounts so that the income earned and expenses claimed can be readily determined. You are required to keep your records for 5 years. Examples of the records are Forms IR8A, business expense receipts, payslips, CPF statements How Long Should Company Records be Kept For? The records must be retained for at least 5 years from the end of the financial year in which the relevant transactions were made. Last update: 7/23/24 01:23 AM CSF 22

Use Quizgecko on...
Browser
Browser