Need to present research reports on
1. Sarbanes-Oxley Act of 2002
2. Solar Winds
Both reports should be written with a word count of 70-105 words (not more than the count provided) and should provide a URL reference link too.
Note: NO PLAGIARISM
Should have a minimum of 3 statements which describe the information in the report.
Tips: Should be in simple, own words, with no usage of critical words; the file is attached so you can read it in detail and write on it. This question is from a cyber security subject, so the matter should relate to cyber security for sure and should connect to readers.
Deadline: Sep 16, 2022, 12:00 PM CST.
Security in Computing, Fifth Edition
Chapter 9: Privacy
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Chapter 9 Objectives
Define privacy and fundamental computer-related privacy challenges
Privacy principles and laws
Privacy precautions for web surfing
Spyware
Email privacy
Privacy concerns in emerging technologies
What Is Privacy?
Privacy is the right to control who knows certain aspects about you, your communications, and your activities
Types of data many people consider private:
Identity
Finances
Health
Biometrics
Privileged communications
Location data
Subject: person or entity being described by the data
Owner: person or entity that holds the data
Computer-Related Privacy Problems
Data collection
Advances in computer storage make it possible to hold and manipulate huge numbers of records, and those advances continue to evolve (new cyber warfare technique)
Notice and consent
Notice of collection and consent to allow collection of data are foundations of privacy, but with modern data collection, it is often impossible to know what is being collected
Control and ownership of data
Once a user consents to provide data, the data is out of that user’s control. It may be held indefinitely or shared with other entities.
Fair Information Practices
Data should be obtained lawfully and fairly
Data should be relevant to their purposes, accurate, complete, and up to date
The purposes for which data will be used should be identified and that data destroyed if no longer necessary for that purpose
Use for purposes other than those specified is authorized only with consent of data subject or by authority of law
Procedures to guard against loss, corruption, destruction, or misuse of data should be established
It should be possible to acquire information about the collection, storage, and use of personal data systems
The data subjects normally have a right to access and challenge data relating to them
A data controller should be designated and accountable for complying with the measures to effect these principles
Based on a 1973 study led by Willis Ware.
U.S. Privacy Laws
The 1974 Privacy Act embodies most of the principles above but applies only to data collected by the U.S. government
Other federal privacy laws:
HIPAA (healthcare data)
GLBA (financial data)
COPPA (children’s web access)
FERPA (student records)
State privacy law varies widely
Non-U.S. Privacy Principles
European Privacy Directive (1995)
Applies the Ware Committee’s principles to governments and businesses
Also provides for extra protection for sensitive data, strong limits on data transfer, and independent oversight to ensure compliance
General Data Protection Regulation (GDPR)
Europeans will be able to tell companies to stop profiling them, they’ll have much greater control over what happens to their data, and they’ll find it easier to launch complaints about the misuse of their information. What’s more, the companies on the receiving end of those complaints face serious fines if they don’t toe the line.
A list of other nations’ privacy laws can be found at http://www.informationshield.com/intprivacylaws.html
Privacy-Preserving Data Mining
Removing identifying information from data doesn’t work
Even if the overtly identifying information can be removed, identification from remaining data is often possible
Data perturbation (probability or value distribution)
As discussed in Chapter 7, data perturbation can limit the privacy risks associated with the data without impacting analysis results
Data mining often focuses on correlation and aggregation, both of which can generally be reliably accomplished with perturbed data
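The perturbation claim above, worked through on constructed data (an added example, not from the textbook): each record gets independent Gaussian noise of a published variance, individual values change, the mean is essentially unchanged, and the raw correlation is attenuated, which an analyst who knows the noise variance can undo. The disattenuation step goes beyond what the slide states; the record generator, noise levels and field names are assumptions.

```python
import math
import random
from typing import List, Tuple

# Constructed sample: (age, salary) records with a built-in linear relationship,
# generated from a fixed seed so the run is repeatable.
def make_records(n: int = 2000, seed: int = 7) -> List[Tuple[float, float]]:
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        age = rng.uniform(20, 70)
        salary = 30000 + 800 * age + rng.gauss(0, 8000)
        rows.append((age, salary))
    return rows


def perturb(rows, age_sd: float = 5.0, salary_sd: float = 5000.0, seed: int = 11):
    """Value perturbation: add independent zero-mean Gaussian noise to every field.
    The noise variances are published with the data set; the noise values are not."""
    rng = random.Random(seed)
    return [(a + rng.gauss(0, age_sd), s + rng.gauss(0, salary_sd)) for a, s in rows]


def mean(xs):
    return sum(xs) / len(xs)


def variance(xs):
    m = mean(xs)
    return sum((x - m) ** 2 for x in xs) / len(xs)


def covariance(xs, ys):
    mx, my = mean(xs), mean(ys)
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / len(xs)


def correlation(xs, ys, noise_var_x: float = 0.0, noise_var_y: float = 0.0):
    """Pearson correlation. Independent additive noise leaves the covariance alone but
    inflates each variance by the noise variance, so subtracting the known noise
    variances restores the correlation of the unperturbed data."""
    vx = variance(xs) - noise_var_x
    vy = variance(ys) - noise_var_y
    return covariance(xs, ys) / math.sqrt(vx * vy)


def compare(rows, noisy):
    ages, sal = zip(*rows)
    nages, nsal = zip(*noisy)
    return {
        "mean_age": (mean(ages), mean(nages)),
        "corr_raw": correlation(ages, sal),
        "corr_noisy": correlation(nages, nsal),
        "corr_corrected": correlation(nages, nsal, 5.0 ** 2, 5000.0 ** 2),
        # how many individual ages moved by more than two years
        "records_changed": sum(1 for (a, _), (na, _) in zip(rows, noisy) if abs(a - na) > 2),
    }


if __name__ == "__main__":
    data = make_records()
    print(compare(data, perturb(data)))
```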
Precautions for Web Surfing
Cookies (EU Cookie Law update 2017)
Cookies are a way for websites to store data locally on a user’s machine
They may contain sensitive personal information, such as credit card numbers
Third-party tracking cookies
Some companies specialize in tracking users by having numerous popular sites place their cookies in users’ browsers
This tracking information is used for online profiling, which is generally used for targeted advertising
Web bugs
A web bug is more active than a cookie and has the ability to immediately send information about user behavior to advertising services
Spyware
Spyware is code designed to spy on a user, collecting data
General spyware:
Advertising applications, identity theft
Hijackers:
Hijack existing programs and use them for different purposes, such as reconfiguring file sharing software to share sensitive information
Adware
Displays selected advertisements in pop-up windows or the main browser window
Often installed in a misleading way as part of other software packages
Where Does Email Go?
When Janet sends an email to Scott, the message is transferred via simple mail transfer protocol (SMTP)
The message is then transferred through multiple ISPs and servers before it arrives at Scott’s post office protocol (POP) server
Scott receives the email when his email client logs into the POP server on his behalf
Any of the servers in this chain of communication can see and keep Janet’s email
Demonstrate
Anonymous or Disappearing Email
Disposable email addresses from sites like mailinator.com
Remailers are trusted third parties that replace real addresses with pseudonymous ones to protect identities in correspondence
Multiple remailers can be used in a TOR-like configuration to gain stronger anonymity
Disappearing email
Because email travels through so many servers, it cannot be made to truly disappear
Messaging services like Snapchat, which claims to make messages disappear, cannot guarantee that recipients will not be able to save those messages
The TOR-like configuration: The sender selects three remailers; he encrypts the message with each of their public keys in succession; he then sends the message through them in the reverse of that order, with each remailer's key able to open only its own layer of the message.
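The layered remailer chain described above, simulated end to end (an added example, not code from the textbook): the sender wraps the message under the keys of remailers A, B and C in succession, and the packet then travels C, B, A, recipient, with each remailer learning only the next address. The remailer names, the toy textbook-RSA keys on Mersenne primes and the SHA-256 keystream are constructed stand-ins for a real remailer's cryptography.

```python
import hashlib
import json
import secrets
from typing import Dict, List, Tuple

PubKey = Tuple[int, int]   # (n, e)
PrivKey = Tuple[int, int]  # (n, d)


def toy_keypair(p: int, q: int, e: int = 65537) -> Tuple[PubKey, PrivKey]:
    """Textbook RSA from two primes (constructed toy; not a real remailer's key)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, e), (n, d)


def _keystream(key: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(pub: PubKey, plaintext: bytes) -> dict:
    """One layer: fresh 128-bit session key under the hop's RSA key, body XORed with a keystream."""
    n, e = pub
    k = secrets.randbelow(2 ** 128)  # every toy modulus below exceeds 2**128, so k < n
    stream = _keystream(k.to_bytes(16, "big"), len(plaintext))
    return {"ek": pow(k, e, n), "ct": bytes(a ^ b for a, b in zip(plaintext, stream)).hex()}


def open_box(priv: PrivKey, box: dict) -> bytes:
    n, d = priv
    k = pow(box["ek"], d, n)
    ct = bytes.fromhex(box["ct"])
    return bytes(a ^ b for a, b in zip(ct, _keystream(k.to_bytes(16, "big"), len(ct))))


def build_onion(message: str, recipient: str, route: List[Tuple[str, PubKey]]) -> Tuple[str, dict]:
    """Wrap the message under each remailer's key in the order chosen; returns (first hop, packet).
    Each layer carries only the address of the next hop, so a remailer sees one step of the path."""
    hop, box = route[0][0], seal(route[0][1], json.dumps({"next": recipient, "payload": message}).encode())
    for name, pub in route[1:]:
        box = seal(pub, json.dumps({"next": hop, "payload": box}).encode())
        hop = name
    return hop, box


def remailer_forward(priv: PrivKey, box: dict):
    """What one remailer does: strip its own layer and learn only where to send the rest."""
    inner = json.loads(open_box(priv, box))
    return inner["next"], inner["payload"]


def run_chain(message: str, recipient: str, remailers: Dict[str, Tuple[PubKey, PrivKey]],
              order: List[str]) -> Tuple[List[str], str, object]:
    """Simulate delivery; returns the hops actually traversed, the final address and what arrives."""
    hop, packet = build_onion(message, recipient, [(n, remailers[n][0]) for n in order])
    path = []
    while hop in remailers:
        path.append(hop)
        hop, packet = remailer_forward(remailers[hop][1], packet)
    return path, hop, packet


# Constructed sample: three remailers, each keyed on a distinct pair of Mersenne primes
REMAILERS = {
    "remailer-A": toy_keypair(2 ** 61 - 1, 2 ** 89 - 1),
    "remailer-B": toy_keypair(2 ** 107 - 1, 2 ** 127 - 1),
    "remailer-C": toy_keypair(2 ** 521 - 1, 2 ** 607 - 1),
}

if __name__ == "__main__":
    # Encrypted for A, then B, then C, so the packet travels C -> B -> A -> recipient
    print(run_chain("meet at noon", "scott@example.org", REMAILERS, ["remailer-A", "remailer-B", "remailer-C"]))
```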
Radio Frequency Identification (RFID)
RFID tags are small, low-power wireless radio transmitters
When a tag receives a signal on the correct frequency, it responds with its unique ID number
Privacy concerns:
As RFID tags become cheaper and more ubiquitous, and RFID readers are installed in more places, it may become possible to track individuals wherever they go
As RFID tags are put on more items, it will become increasingly possible to discern personal information by reading those tags
Other Emerging Technologies
Electronic voting
Among other issues, research into electronic voting includes privacy concerns, such as maintaining privacy of who has voted and who each person voted for
Voice over IP (VoIP)
While VoIP adds the possibility of encryption to voice calls, it also allows a new set of service providers to track sources and destinations of those calls
Cloud computing
Physical location of information in the cloud may have significant effects on privacy and confidentiality protections
Cloud data may have more than one legal location at a time
Laws could oblige cloud providers to examine user data for evidence of criminal activity
Legal uncertainties make it difficult to assess the status of cloud data
Summary
What data is considered private is subjective
Privacy laws vary widely by jurisdiction
Cookies and web bugs track user behavior across websites
Spyware can be used to track behavior for targeted advertising or for much more nefarious purposes
Email has little privacy protection by default
Emerging technologies are fraught with privacy uncertainties, including both technological and legal issues
Security in Computing, Fifth Edition
Chapter 10: Management and Incidents
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Chapter 10 Objectives
Study the contents of a good security plan
Learn to plan for business continuity and responding to incidents
Outline the steps and best practices of risk analysis
Learn to prepare for natural and human-caused disasters
Contents of a Security Plan
A security plan identifies and organizes the security activities for a computing system.
The plan is both a description of the current situation and a map for improvement.
The plan is both an official record of current security practices and a blueprint for orderly change to improve those practices.
Contents of a Security Plan
Policy, indicating the goals of a computer security effort and the willingness of the people involved to work to achieve those goals
Current state, describing the status of security at the time of the plan
Requirements, recommending ways to meet the security goals
Recommended controls, mapping controls to the vulnerabilities identified in the policy and requirements
Accountability, documenting who is responsible for each security activity
Timetable, identifying when different security functions are to be done
Maintenance, specifying a structure for periodically updating the security plan
Security Policy
A high-level statement of purpose and intent
Answers three essential questions:
Who should be allowed access?
To what system and organizational resources should access be allowed?
What types of access should each user be allowed for each resource?
Should specify
The organization’s security goals (e.g., define whether reliable service is a higher priority than preventing infiltration)
Where the responsibility for security lies (e.g., the security group or the user)
The organization’s commitment to security (e.g., defines where the security group fits in the corporate structure)
Security Policy
Security policies and plans can and often should exist at the level of systems or groups of systems.
An organization-wide security policy can address users and systems only in the context of fairly general roles, which, for many purposes, is not specific enough.
Whereas the organization as a whole may be primarily focused on maintaining confidentiality of data, certain systems in that organization may rightfully focus on maintaining availability as a top priority.
Assessment of Current Security Status
A risk analysis—a systemic investigation of the system, its environment, and what might go wrong—forms the basis for describing the current security state
Defines the limits of responsibility for security
Which assets are to be protected
Who is responsible for protecting them
Who is excluded from responsibility
Boundaries of responsibility
We look at risk analysis in more detail later in this chapter.
Security Requirements
Security requirements are functional or performance demands placed on a system to ensure a desired level of security
Usually derived from organizational business needs, sometimes including compliance with mandates imposed from outside, such as government standards
Characteristics of good security requirements:
Correctness
Consistency
Completeness
Realism
Need
Verifiability
Traceability
Security Requirements
Correctness: Are the requirements understandable? Are they stated without error?
Consistency: Are there any conflicting or ambiguous requirements?
Completeness: Are all possible situations addressed by the requirements?
Realism: Is it possible to implement what the requirements mandate?
Need: Are the requirements unnecessarily restrictive?
Verifiability: Can tests be written to demonstrate conclusively and objectively that the requirements have been met? Can the system or its functionality be measured in some way that will assess the degree to which the requirements are met?
Traceability: Can each requirement be traced to the functions and data related to it so that changes in a requirement can lead to easy reevaluation?
Responsibility for Implementation
A section of the security plan will identify which people (roles) are responsible for implementing security requirements
Common roles:
Users of personal computers or other devices may be responsible for the security of their own machines. Alternatively, the security plan may designate one person or group to be coordinator of personal computer security.
Project leaders may be responsible for the security of data and computations.
Managers may be responsible for seeing that the people they supervise implement security measures.
Database administrators may be responsible for the access to and integrity of data in their databases.
Information officers may be responsible for overseeing the creation and use of data; these officers may also be responsible for retention and proper disposal of data.
Personnel staff members may be responsible for security involving employees, for example, screening potential employees for trustworthiness and arranging security training programs.
Timetable and Plan Maintenance
As a security plan cannot be implemented instantly, the plan should include a timetable of how and when the elements in it will be performed
The plan should specify the order in which controls are to be implemented so that the most serious exposures are covered as soon as possible
The plan must be extensible, as new equipment will be acquired, new connectivity requested, and new threats identified
The plan must include procedures for change and growth
The plan must include a schedule for periodic review
Inputs to the Security Plan
This is a conceptual model of how the previous slides fit together.
Security Planning Team Members
Security planning touches every aspect of an organization and therefore requires participation well beyond the security group
Common security planning representation:
Computer hardware group
System administrators
Systems programmers
Applications programmers
Data entry personnel
Physical security personnel
Representative users
Assuring Commitment to a Security Plan
A plan that has no organizational commitment collects dust on a shelf
Three groups of people must contribute to making the plan a success:
The planning team must be sensitive to the needs of each group affected by the plan.
Those affected by the security recommendations must understand what the plan means for the way they will use the system and perform their business activities. In particular, they must see how what they do can affect other users and other systems.
Management must be committed to using and enforcing the security aspects of the system.
Business Continuity Planning
A business continuity plan documents how a business will continue to function during or after a computer security incident
Addresses situations having two characteristics:
Catastrophic situations, in which all or a major part of a computing capability is suddenly unavailable
Long duration, in which the outage is expected to last for so long that business will suffer
The next slide addresses the specific tasks involved in business continuity planning.
Continuity Planning Activities
Assess the business impact of a crisis
What are the essential assets?
What could disrupt use of these assets?
Develop a strategy to control impact
Investigate how the key assets can be safeguarded
Develop and implement a plan for the strategy
Define:
Who is in charge when an incident occurs
What to do when an incident occurs
Who does what tasks when an incident occurs
Incident Response Plans
A security incident response plan tells the staff how to deal with a security incident
In contrast to a business continuity plan, the goal of incident response is handling the current security incident without direct regard for the business issues
An incident response plan should
Define what constitutes an incident
Identify who is responsible for taking charge of the situation
Describe the plan of action
Incident Response Teams
The response team is charged with responding to the incident. It may include
Director: The person in charge of the incident, who decides what actions to take
Technicians: People who perform the technical part of the response
Advisors: Legal, human resources, or public relations staff members as appropriate
Matters to consider when identifying a response team:
Legal issues
Preserving evidence
Records
Public relations
CSIRTs
Computer Security Incident Response Teams (CSIRT) are teams trained and authorized to handle security incidents
CSIRTs are closely related to Security Operations Centers (SOC), which perform day-to-day monitoring of a network and may be the first to detect an incident.
Responsibilities of a CSIRT include
Reporting: Receiving reports of suspected incidents and reporting as appropriate to senior management
Detection: Investigation to determine if an incident occurred
Triage: Immediate action to address urgent needs
Response: Coordination of effort to address all aspects in a manner appropriate to severity and time demands
Postmortem: Declaring the incident over and arranging to review the case to impr