Project Management Data Security

Explore top LinkedIn content from expert professionals.

  • Shiv Mangal

    Assistant Vice President - IT Risk & Control (CISA CISM CRISC)

    2,058 followers

    IT General Controls (ITGC) Checklist

    Access Controls
    - User access provisioning and de-provisioning processes are established.
    - Access rights are assigned based on job responsibilities.
    - Segregation of duties (SoD) controls are in place.
    - Regular access reviews are conducted.
    - Strong password policies are enforced.

    Change Management
    - Formal change management processes exist for all system changes.
    - Changes are documented, approved, and tested before implementation.
    - Segregation of duties between development, testing, and production environments.
    - Regular reviews of change management are conducted.

    Backup & Recovery
    - Regular backups of critical systems and data are performed.
    - Backup integrity checks are regularly conducted.
    - Backup and recovery procedures are documented and tested.
    - Off-site storage of backups is maintained for disaster mitigation.

    Incident Management
    - Formal incident response plans are in place.
    - Procedures for reporting and documenting incidents are established.
    - Incident response teams are trained and ready.
    - Post-incident reviews are conducted for improvement.

    Network Security
    - Intrusion detection/prevention and antivirus are deployed.
    - Network segmentation minimizes breaches.
    - Regular vulnerability assessments and penetration testing are conducted.
    - Wireless network security controls prevent unauthorized access.

    Data Privacy
    - Policies protect sensitive data.
    - Data encryption is used in transit and at rest.
    - Data classification policies categorize data by sensitivity.
    - Regular data privacy training for employees.

    Monitoring & Logging
    - Logging mechanisms record security-related events.
    - Regular review and analysis of logs for security incidents.
    - Monitoring of system performance and availability.
    - Intrusion detection systems monitor suspicious activity.

    Vendor Management
    - Vendor risk assessments before engaging third parties.
    - Vendor contracts include security and compliance provisions.
    - Ongoing monitoring and oversight of vendor activities.
    - Procedures for terminating vendor access.

    Compliance & Audit
    - Regular compliance assessments and audits.
    - Documentation of IT policies, procedures, and controls is maintained.
    - Remediation of control deficiencies or non-compliance issues.

    #kpmg #periodicreviews #cybersecurity #itgc #technology #learning

  • Sean Connelly🦉 (LinkedIn Influencer)

    Zscaler | Fmr CISA - Zero Trust Director & TIC Program Manager | CCIEx2, MS-IST, CISSP

    21,712 followers

    🚨 Incoming: The Federal Zero Trust Data Security Guide

    Fresh off the presses - In alignment with M-22-09, the Federal CDO Council and Federal CISO Council gathered a cross-agency team of data and security specialists to develop a comprehensive data security guide for Federal agencies. Representatives from over 30 Federal agencies and departments worked together to produce the Federal Zero Trust Data Security Guide, which:
    🔹 Establishes the vision and core principles for ZT data security
    🔹 Details methods to locate, identify, and categorize data with clear, actionable criteria
    🔹 Enhances data protection through targeted security monitoring and control strategies
    🔹 Equips practitioners with adaptable best practices to align with their agency’s unique mission requirements

    Securing the data pillar in Zero Trust has been a challenging endeavor, but it’s foundational to a resilient cybersecurity posture. This guide lays out essential principles and a roadmap to embed security at the core of data management beyond traditional perimeters. Here are a few key takeaways:
    🔐 Core ZT Principles: Adopting a data-centric approach with strict access controls, data resiliency, and integration of privacy and compliance from day one.
    📊 Data Inventory and Classification: It is crucial to understand the data landscape, and the guide provides insights into cataloging and labeling sensitive data for targeted protection.
    🤝 Managing Third-Party Risks: From privacy-preserving technologies to detailed vendor assessments, agencies can better secure shared data and protect it from supply chain threats.

    I had the privilege of attending a couple of these Working Group meetings before leaving CISA earlier this year, and I congratulate the group on this necessary release. This guide aligns closely with CISA's Zero Trust Maturity Model, providing agencies with a robust framework to secure federal data assets and advance a strong, data-centric ZT security model.

    #data #zerotrust #cybersecurity #technology #informationsecurity #computersecurity #datascience #artificialintelligence #digitaltransformation #bigdata

  • Shawnee Delaney

    CEO, Vaillance Group | Keynote Speaker and Co-Host of Control Room

    34,873 followers

    Your biggest cybersecurity threat might not be your employees — it might be your coffee machine.

    Everyone’s worried about employees clicking phishing emails… …but who’s worried about the smart thermostat leaking your sensitive data? (You should be.)

    When we talk about human cyber risk, it’s not just laptops and emails. It’s the people who plug in devices they don’t understand — or don’t think about — that open the backdoor.

    The truth is: The Internet of Things (IoT) is your weakest (and most ignored) security link.
    📺 Smart TVs.
    🏅 Fitness trackers.
    ☕ Coffee machines.
    🔔 Video doorbells.
    💡 Smart lighting.
    🌡️ Even that “harmless” Wi-Fi-enabled fish tank thermometer in your lobby.
    (Yes, that actually happened to a casino in 2019 where the whole high roller database was exfiltrated through an IoT connected fish tank thermometer. Ouch.)

    If it connects to the internet, it can connect a threat actor to you.

    ACTIONABLE TAKEAWAYS:
    ✔️ Audit your IoT Devices: List everything in your business and home that’s internet-connected. If you don’t track it, you can’t protect it.
    ✔️ Segregate Networks: Keep IoT devices on a separate Wi-Fi network from business operations and sensitive information.
    ✔️ Change Default Credentials: Most IoT breaches happen because devices are left on factory settings. Change all passwords — immediately.
    ✔️ Update Firmware: Your smart devices need updates just like your computer does. Patch regularly or retire them if they’re no longer supported.
    ✔️ Train Your People: If they’re plugging it in, they’re opening a portal. Awareness matters. Train users to think before they connect.

    Bottom line: Human risk isn’t just about bad passwords and phishing clicks. It’s about our instinct to trust technology we don’t fully understand. If you employ humans, if you use IoT, you have risk. Manage your humans. Manage your tech. Or someone else will.

    #HumanRisk #Cybersecurity #IoTSecurity #InsiderThreat #CyberHygiene #Leadership #SecurityAwareness

  • Gabriel Aguiar

    IT HEAD | PMP-Certified IT Project Manager | Specialist in Governance, IT Policies, and Strategic Deliveries for Large-Scale Operations | Harvard

    18,039 followers

    🔐 ISO 27001 – RBAC vs ABAC: What’s the Difference?
    📌 Theme: Access Control Models
    📚 Control Reference: Clause 8.2 – Identity & Access Management

    🎯 Why It Matters
    Choosing the right access control model is essential to:
    ✅ Limit unnecessary access
    ✅ Enforce least privilege
    ✅ Simplify audits and access reviews
    ✅ Adapt dynamically to changing contexts

    🔸 RBAC – Role-Based Access Control
    Access is granted based on predefined job roles (e.g., HR, IT, Finance). Perfect for structured, stable environments.
    🧾 Example: A Finance Officer can access accounting tools, but not dev environments.
    ✔️ Advantages:
    • Simple to implement
    • Scales well in static setups
    • Aligns with org charts

    🔸 ABAC – Attribute-Based Access Control
    Access depends on dynamic attributes like device type, location, time, and user role. Ideal for modern, cloud-based, or zero-trust environments.
    🧾 Example: Access to sensitive data is allowed only during work hours, from a company laptop, and within a specific geolocation.
    ✔️ Advantages:
    • Fine-grained, context-aware control
    • Greater flexibility
    • Supports dynamic policies for remote/cloud access

    🛠️ Key Tools & Techniques
    • IAM Platforms: Okta, Azure AD, Ping Identity
    • ABAC Engines: Axiomatics, NextLabs
    • Policy Enforcement: CASBs, Secure Web Gateways
    • Monitoring: SIEMs, logs for anomaly detection and access reviews

    💡 Pro Tip: Start with RBAC to set a solid foundation—then introduce ABAC policies to enhance flexibility and security as your environment grows more complex.

    #ISO27001 #AccessControl #RBAC #ABAC #IdentityAndAccessManagement #CyberSecurity #LeastPrivilege #ZeroTrust #InformationSecurity #IAM #Infosec #DataProtection #SecureAccess #ISMS #SecurityArchitecture #CloudSecurity #SIEM #Okta #AzureAD #Governance
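A worked illustration of the two models described in the post above, written as an added example (it is not the author's code and not the API of any of the IAM products named): a static role-to-resource map stands in for RBAC, and beside it an ABAC policy evaluates role, device type, geolocation and time of day for the "sensitive data" case and reports every failing attribute, which is what an access review needs to see. The role and resource names, the "AU" country code and the 09:00-17:00 weekday window are assumptions constructed for the demonstration.

```python
"""Added example: RBAC and ABAC decisions side by side.

Not the post author's code and not any IAM product's API. Roles, resources,
attribute values and the working-hours window are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime

# --- RBAC: a static map from predefined job role to permitted resources ---
ROLE_PERMISSIONS = {                      # constructed sample
    "finance_officer": {"accounting_tools"},
    "developer": {"dev_environment"},
    "hr": {"hr_records"},
}


def rbac_allows(role: str, resource: str) -> bool:
    """Grant purely on the caller's role; context is never consulted."""
    return resource in ROLE_PERMISSIONS.get(role, set())


# --- ABAC: the decision depends on attributes of subject, device and context ---
@dataclass
class AccessRequest:
    role: str
    resource: str
    device_type: str      # e.g. "company_laptop", "personal_phone"
    country: str          # geolocation the request originates from
    when: datetime        # local time of the request


@dataclass
class AbacPolicy:
    resource: str
    allowed_roles: set
    allowed_devices: set
    allowed_countries: set
    work_hours: tuple = (9, 17)   # start hour inclusive, end hour exclusive (assumed)

    def evaluate(self, req: AccessRequest) -> tuple:
        """Return (decision, reasons). Every failing attribute is recorded so a
        reviewer sees why a request was denied, not just that it was."""
        if req.resource != self.resource:
            return False, ["policy does not cover resource"]
        reasons = []
        if req.role not in self.allowed_roles:
            reasons.append("role not permitted")
        if req.device_type not in self.allowed_devices:
            reasons.append("device type not permitted")
        if req.country not in self.allowed_countries:
            reasons.append("geolocation not permitted")
        start, end = self.work_hours
        if req.when.weekday() >= 5 or not (start <= req.when.hour < end):
            reasons.append("outside work hours")
        return (not reasons), reasons


# Constructed policy matching the post's example: sensitive data only during
# work hours, from a company laptop, within one specific geolocation.
SENSITIVE_DATA_POLICY = AbacPolicy(
    resource="sensitive_data",
    allowed_roles={"finance_officer", "hr"},
    allowed_devices={"company_laptop"},
    allowed_countries={"AU"},
)


def sensitive_request(role: str, device_type: str, country: str, iso_when: str) -> AccessRequest:
    """Build a request for the sensitive-data resource from an ISO-8601 timestamp."""
    return AccessRequest(role, "sensitive_data", device_type, country,
                         datetime.fromisoformat(iso_when))


def abac_allows(req: AccessRequest, policy: AbacPolicy = SENSITIVE_DATA_POLICY) -> bool:
    return policy.evaluate(req)[0]


if __name__ == "__main__":
    print(rbac_allows("finance_officer", "accounting_tools"))   # role fits
    print(rbac_allows("finance_officer", "dev_environment"))    # role does not fit
    office = sensitive_request("finance_officer", "company_laptop", "AU", "2024-03-12T10:30")
    late = sensitive_request("finance_officer", "company_laptop", "AU", "2024-03-12T22:00")
    print(SENSITIVE_DATA_POLICY.evaluate(office))   # same role, granted
    print(SENSITIVE_DATA_POLICY.evaluate(late))     # same role, denied with a reason
```

The two calls at the end make the post's point concrete: the RBAC map answers the same way for a finance officer at 10:30 and at 22:00, while the ABAC policy denies the late request and names the attribute that failed.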

  • Arvind Jain (LinkedIn Influencer)
    62,000 followers

    Security can’t be an afterthought - it must be built into the fabric of a product at every stage: design, development, deployment, and operation.

    I came across an interesting read in The Information on the risks from enterprise AI adoption. How do we do this at Glean? Our platform combines native security features with open data governance - providing up-to-date insights on data activity, identity, and permissions, making external security tools even more effective.

    Some other key steps and considerations:
    • Adopt modern security principles: Embrace zero trust models, apply the principle of least privilege, and shift-left by integrating security early.
    • Access controls: Implement strict authentication and adjust permissions dynamically to ensure users see only what they’re authorized to access.
    • Logging and audit trails: Maintain detailed, application-specific logs for user activity and security events to ensure compliance and visibility.
    • Customizable controls: Provide admins with tools to exclude specific data, documents, or sources from exposure to AI systems and other services.

    Security shouldn’t be a patchwork of bolted-on solutions. It needs to be embedded into every layer of a product, ensuring organizations remain compliant, resilient, and equipped to navigate evolving threats and regulatory demands.

  • Mike Holcomb

    Helping YOU Secure OT/ICS | Fellow, OT/ICS Cybersecurity

    59,503 followers

    A new ICS/OT vulnerability? PATCH NOW!

    Wait... scratch that... Reverse it.

    Vulnerability management is VERY different in the ICS/OT world.

    In the IT world, a new patch comes out and it's off to the races!
    - We're patching servers.
    - We're rebooting servers.
    - We're patching workstations.
    - We're rebooting workstations.
    - We're patching everything we can get our hands on.
    You get the idea.

    In ICS/OT, just because a new vulnerability is announced, it does not mean we have to patch right away. We might not even have an option to patch a system until the next maintenance window. In six months. Or a year. If ever.

    When that new ICS/OT vulnerability is announced, we still have to take action though. It's just a different action than in IT.

    When a new ICS/OT vulnerability is announced:
    1. Determine if it affects your environment. This is why having a current asset register is essential.
    2. If the vulnerability exists in your environment, perform a risk assessment. Consider questions including, but not limited to:
    -> Which systems are impacted?
    -> Where do the impacted systems live?
    -> Do compensating controls exist to reduce the risk?
    -> Does the vulnerability put lives/physical safety at risk?
    -> Could the vulnerability affect the operations of the facility?
    -> What would be the impact if the vulnerability was exploited?
    NOTE: When assessing risk, get all of the right people in the room to help make an informed decision. Engineering, operations, maintenance, cyber security, etc.
    3. Based on the risk assessment, and the owner's risk tolerance:
    -> Do you need to take action?
    -> If so, how soon?

    IT and OT can have MANY similarities. But IT and OT can also be VERY different. Vulnerability management is one of the ways where they are very different. And each requires a different approach to maintain a secure, and SAFE, environment.

    P.S. How does your vulnerability management process work?
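To show how steps 1 to 3 of the post above fit together once they are written down, here is an added example (not Mike Holcomb's code and not any vendor's tool). It matches an advisory against an asset register by vendor, product and firmware version, answers the post's risk questions per affected asset, and turns the answers into a timing decision. The vendor name, product names, firmware versions, advisory id and the scoring weights are constructed placeholders; the thresholds stand in for the asset owner's risk tolerance and are not taken from any standard.

```python
"""Added example: triage a new ICS/OT advisory against an asset register.

Not the post author's code or any vendor's product. The register entries,
the advisory and the scoring weights below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str
    vendor: str
    product: str
    firmware: str
    zone: str                      # where the system lives: "safety", "control", "dmz"
    safety_related: bool           # failure could endanger lives / physical safety
    compensating_controls: tuple   # e.g. ("segmented", "no_remote_access")


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    vendor: str
    product: str
    fixed_in: str                  # firmware versions below this are affected
    network_exploitable: bool


def version_tuple(v: str) -> tuple:
    """'2.10.0' -> (2, 10, 0), so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def affected_assets(advisory: Advisory, register: list) -> list:
    """Step 1: does it affect our environment? Answered from the asset register."""
    return [a for a in register
            if a.vendor == advisory.vendor
            and a.product == advisory.product
            and version_tuple(a.firmware) < version_tuple(advisory.fixed_in)]


def assess(advisory: Advisory, asset: Asset) -> dict:
    """Steps 2 and 3: answer the risk questions for one asset and map the
    answers to a timing decision. Weights and thresholds are constructed for
    this example; the real call is made with engineering, operations,
    maintenance and security in the room."""
    remote_path = (advisory.network_exploitable
                   and "no_remote_access" not in asset.compensating_controls)
    score = 0
    score += 5 if asset.safety_related else 0          # lives / physical safety at risk
    score += 3 if asset.zone == "control" else 0       # facility operations affected
    score += 2 if remote_path else 0                   # reachable without physical access
    score -= 1 if "segmented" in asset.compensating_controls else 0  # compensating control
    if score >= 6:
        timing = "act now: compensating controls or emergency change"
    elif score >= 3:
        timing = "schedule for next maintenance window"
    else:
        timing = "accept and monitor; revisit at next review"
    return {"asset_id": asset.asset_id, "zone": asset.zone,
            "safety_risk": asset.safety_related, "remote_path": remote_path,
            "score": score, "timing": timing}


def triage(advisory: Advisory, register: list) -> list:
    return [assess(advisory, a) for a in affected_assets(advisory, register)]


# Constructed register and advisory; vendor, products and versions are placeholders.
REGISTER = [
    Asset("PLC-01", "ExampleVendor", "PLC-X", "2.3.0", "control", False, ("segmented",)),
    Asset("SIS-01", "ExampleVendor", "PLC-X", "2.1.4", "safety", True, ("segmented", "no_remote_access")),
    Asset("HMI-01", "ExampleVendor", "HMI-Y", "1.0.0", "control", False, ()),
    Asset("PLC-02", "ExampleVendor", "PLC-X", "2.10.0", "control", False, ()),
    Asset("SIS-02", "ExampleVendor", "PLC-X", "2.2.0", "safety", True, ()),
]
ADVISORY = Advisory("ADV-EXAMPLE-0001", "ExampleVendor", "PLC-X",
                    fixed_in="2.4.0", network_exploitable=True)

if __name__ == "__main__":
    for row in triage(ADVISORY, REGISTER):
        print(row)
```

Two details carry the post's point. The register entry for PLC-02 at firmware 2.10.0 is not affected, but a string comparison would flag it because "2.10.0" sorts below "2.4.0"; a register that is kept current and compared numerically is what keeps step 1 honest. And the two safety systems land on different timings only because SIS-01 has documented compensating controls, which is exactly the question the post says to ask before anyone talks about patching.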

  • Taimur Ijlal (LinkedIn Influencer)

    ☁️ Senior Security Consultant @ AWS | Agentic AI Security | Cybersecurity Career Coach | Best-Selling Author | 60K Students @ Udemy | YouTube @ Cloud Security Guy

    23,586 followers

    🎉 How to Make Cybersecurity Awareness NOT Boring

    Cybersecurity awareness training can often be a snooze fest. 😴 Here are a few ways to make it engaging:

    🎮 1. Gamify the Training
    Who doesn't love a good game? Turn your cybersecurity training into a game or competition. Award points for correct answers and offer small prizes for winners. Trust me, people will pay attention.

    🎥 2. Use Real-World Examples
    Skip the jargon and go straight to real-world examples that people can relate to. Show them news clips of high-profile cyber attacks and explain how basic awareness could have prevented them.

    📱 3. Make It Interactive
    Interactive modules can make a world of difference. Use quizzes, flashcards, and even augmented reality apps to make the training hands-on.

    🎭 4. Role-Playing Exercises
    Let your team act out different scenarios where they have to identify phishing emails or secure compromised accounts. It's a fun and effective way to test their knowledge.

    🎤 5. Guest Speakers
    Invite cybersecurity experts to share their experiences and insights. A fresh perspective can make the training more engaging and offer valuable real-world advice.

    📊 6. Track and Celebrate Progress
    Use metrics to track participation and performance. Celebrate the wins, no matter how small, to keep everyone motivated.

    Remember, the goal is not just to "get through" the training but to create a culture of continuous cybersecurity awareness.

    Have you tried any innovative methods to make cybersecurity training more engaging? Share your experiences in the comments below! 👇

    #Cybersecurity #CyberAwareness #Training #Engagement #Innovation

  • Michelle Harvey

    Independent ERP Consultant | Software Evaluation | Digital Transformation | Business and IT Systems Review I Project Management | Change Management

    11,423 followers

    Are you Safeguarding Personal Data in your ERP Project?

    With the strong privacy laws in Australia, organizations must carefully manage personally identifiable information (PII) when converting data from legacy systems to new ERP, CRM, HR, and Payroll platforms.

    The Data Conversion Challenge
    During data conversion, information typically moves from older systems into staging areas before migration to the new environment. This process creates potential security vulnerabilities that must be planned and addressed proactively.

    Critical PII Security Questions
    Every digital transformation team should address these essential questions:
    1️⃣ Who has access to sensitive data? Access should be strictly limited to necessary personnel.
    2️⃣ Are team members properly trained on PII regulations? All staff handling sensitive data must understand their legal responsibilities and compliance requirements.
    3️⃣ How is PII security maintained throughout the process? Data must be transmitted and stored using encrypted methods at all times.
    4️⃣ Are proper communication protocols in place? Never send PII through unsecured channels like standard email.

    Securing PII During Digital Transformation
    The key challenge is preventing unauthorized movement of sensitive data by:
    ❇️ Implementing strict access controls on the repository, ensuring no accidental inherited rights.
    ❇️ Disabling download capabilities where appropriate.
    ❇️ Enabling viewing or manipulation only by the Data Management team.
    ❇️ Establishing clear data handling protocols (e.g. no hard copies).

    Recommended Security Solutions
    Secure File Transfer Protocol (SFTP) should be used to move data at all times. SharePoint can be one of the most effective tools for protecting PII during digital transformation projects, offering finely controlled access and robust security features.

  • Amit Jaju (LinkedIn Influencer)

    Global Partner | LinkedIn Top Voice - Technology & Innovation | Forensic Technology & Investigations Expert | Gen AI | Cyber Security | Global Elite Thought Leader - Who’s who legal | Views are personal

    13,780 followers

    Planning for Unexpected IT Outages: Lessons from the Recent Microsoft Windows Outage

    The recent global Microsoft Windows outage, caused by a faulty CrowdStrike update, has highlighted the importance of robust incident response planning. Here are key takeaways to help your organization prepare:
    1. Automated Remote Recovery and Backup: Implement automated procedures for remote recovery and backup using bespoke tools and scripts for kernel-level recovery when everything else fails. Transition from layered security to layered recovery.
    2. Regular Backup and Recovery Drills: Ensure your backup and recovery procedures are tested regularly to minimize downtime during unexpected outages.
    3. Comprehensive Incident Response Plans: Develop and maintain detailed incident response plans that include steps for rapid identification, isolation, and remediation of issues.
    4. Communication Strategy: Establish clear communication channels to keep stakeholders informed during an incident. Transparency and timely updates are crucial.
    5. Vendor Management: Regularly review and update vendor agreements to ensure quick support and resolution of issues caused by third-party updates.
    6. Resilience and Redundancy: Invest in system redundancy and resilience to maintain critical operations even during partial system failures.

    Staying prepared and proactive can significantly mitigate the impact of such incidents on your business operations.

    #CyberSecurity #IncidentResponse #BusinessContinuity #ITOutage #Microsoft #CrowdStrike
