Gonzalez | Managing Online Risk | E-Book | sack.de

E-book, English, 286 pages

Gonzalez, Managing Online Risk
Apps, Mobile, and Social Media Security
1st edition, 2014
ISBN: 978-0-12-420060-9
Publisher: Elsevier Science & Techn.
Format: EPUB
Copy protection: 6 - ePub Watermark


In recent years, building a corporate online presence has become nonnegotiable for businesses, as consumers expect to connect with them in as many ways as possible. There are benefits to companies that use online technology, but there are risks as well. Managing Online Risk presents the tools and resources needed to better understand the security and reputational risks of online and digital activity, and how to mitigate those risks to minimize potential losses. Managing Online Risk highlights security and risk management best practices that address concerns such as data collection and storage, liability, recruitment, employee communications, compliance violations, security of devices (in contexts like mobile, apps, and cloud computing), and more. Additionally, this book offers a companion website that was developed in parallel with the book and includes the latest updates and resources for topics covered in the book.

- Explores the risks associated with online and digital activity and covers the latest technologies, such as social media and mobile devices
- Includes interviews with risk management experts and company executives, case studies, checklists, and policy samples
- A website with related content and updates (including video) is also available

Deborah Gonzalez, Esq. is the founder of Law2sm, LLC, a legal consulting firm focusing on helping its clients navigate the legal issues relating to the new digital and social media world. Deborah graduated from New York Law School and is licensed to practice law in New York and Georgia.

Deborah began her career in the corporate arena working in various positions in the information technology area, from network administrator to manager of the IS department for a top-6 CPA firm in New York City. During her tenure she managed day-to-day IT operations; designed and implemented IT-related training for employees, managers, and IT staff; developed policies and protocols for IT-corporate use; and monitored emerging trends for IT business strategies and management. Deborah used this foundation as a starting point with her legal practice, which is now transporting her beyond the Internet to the social space where the physical and digital dimensions of her clients co-exist and where she can leverage her legal expertise to their benefit.

Deborah enjoys engaging with those around her, so social media is a natural fit. But it is her skill in being able to connect the dots to understand the next big paradigm shift in global communication and legal application that makes her a leader in social media and online law. Deborah serves as Chair of the GA Bar Association's Annual Program on Social Media and the Law and serves as a social media legal liaison for social media marketing companies and their clients. In addition, Deborah speaks on legal issues relating to intellectual property, social media and online legal trends and practices, and online risk management in various venues throughout the United States and abroad.

Follow her on Twitter: @DGOnlineSec and @Law2sm, or visit www.managingonlinerisk.com or www.law2sm.com.

Contents (page numbers refer to the e-book)

1   Front Cover  1
2   Managing Online Risk  4
3   Copyright  5
4   Contents  6
5   About the Author  8
6   Online Resources  10
7   Introduction  12
8   CHAPTER 1 - RISK MANAGEMENT DIGITAL STYLE  16
    8.1   RISK MANAGEMENT MODELS  18
    8.2   BEST PRACTICES FOR INCIDENT RESPONSE  37
    8.3   BONUS: TEN IT SECURITY MYTHS  37
    8.4   SECURITY/RISK MANAGEMENT APPS  38
9   CHAPTER 2 - INTERNAL AND EXTERNAL RISKS  40
    9.1   INTERNAL RISKS  41
    9.2   INTERNAL RISK 1: SECURITY PERCEPTION, PRIORITY, AND BUDGET  41
    9.3   INTERNAL RISK 2: TRADITIONAL AND SHADOW IT  42
    9.4   INTERNAL RISK 3: MOBILE  44
    9.5   INTERNAL RISK 4: PEOPLE  53
    9.6   EXTERNAL RISKS  55
    9.7   EXTERNAL RISK 1: TECHNOLOGY ADVANCES  56
    9.8   EXTERNAL RISK 2: CLOUD STORAGE  57
    9.9   EXTERNAL RISK 3: HACKING  59
    9.10  EXTERNAL RISK 4: REGULATION  63
    9.11  EXTERNAL RISK 5: NATURAL DISASTERS AND SQUIRRELS  67
10  CHAPTER 3 - REPUTATION AND IDENTITY  68
    10.1  REPUTATION  68
    10.2  REPUTATIONAL RISKS  69
    10.3  DEFINING IDENTITY  70
    10.4  DIGITAL IDENTITY  71
    10.5  LEGAL IDENTITY  74
    10.6  EXECUTIVE IDENTITY  74
    10.7  CORPORATE IDENTITY: THE BRAND  79
    10.8  VALUE AND WORTH OF IDENTITY  82
    10.9  IDENTITY VERSUS REPUTATION  86
    10.10 PROTECTING IDENTITY  89
    10.11 PROTECTING REPUTATION  91
11  CHAPTER 4 - THE NEW WORKFORCE  94
    11.1  EMPLOYMENT CYCLE  95
    11.2  WHO IS THE WORKFORCE?  96
    11.3  MILLENNIALS  98
    11.4  RECRUITMENT  99
    11.5  HIRING  103
    11.6  EMPLOYMENT  105
    11.7  TERMINATION  111
    11.8  OTHER  113
12  CHAPTER 5 - BIG DATA  116
    12.1  DATA CYCLE  118
    12.2  DATA MANAGEMENT PLANS  120
    12.3  DATA CLASSIFICATION  121
    12.4  DATA ACCESS  123
    12.5  DATA ANALYTICS  125
    12.6  PROTECTING DATA: BACKUP  127
    12.7  LOSING DATA  129
    12.8  DATA RECOVERY  130
    12.9  PRIVACY: TO USE OR NOT TO USE DATA DILEMMA  132
    12.10 PROTECTING AGAINST LIABILITY FOR DATA/PRIVACY LOSS  135
    12.11 DATA SURVEILLANCE  138
    12.12 DICTATORSHIP OF DATA  139
13  CHAPTER 6 - APPROACHES TO CONTENT  142
    13.1  CONTENT MARKETING VERSUS CONTENT MANAGEMENT  143
    13.2  DIFFERENT AUDIENCES, DIFFERENT CONTENT  143
    13.3  MYTHS OF CONTENT MARKETING AND CONTENT MANAGEMENT  144
    13.4  BENEFITS OF THE CONTENT APPROACH  145
    13.5  INTELLECTUAL PROPERTY RIGHTS, RISKS, AND CONTENT  146
    13.6  IP CYCLE  147
    13.7  COPYRIGHTS  149
    13.8  DIGITAL MILLENNIUM COPYRIGHT ACT  150
    13.9  FAIR USE DOCTRINE  151
    13.10 INTERNATIONAL IP CONCERNS  153
    13.11 CREATIVE COMMONS LICENSE  154
    13.12 A COUPLE OF DIGITAL CONCERNS FOR COPYRIGHTS  155
    13.13 TRADEMARKS  156
    13.14 TRADEMARK AND GRIPE SITES  159
    13.15 TRADEMARK AND REPUTATIONAL RISKS  161
    13.16 TRADE SECRETS  161
    13.17 PATENTS  162
    13.18 TECHNOLOGY DEVELOPMENT  163
    13.19 IP OTHER RISKS  164
    13.20 IP VALUATION  166
    13.21 IP LEGISLATION  166
14  CHAPTER 7 - COMPLIANCE  168
    14.1  WHO NEEDS TO BE COMPLIANT?  170
    14.2  GENERAL COMPLIANCE: DISCLOSURES  172
    14.3  GENERAL COMPLIANCE: DISCLAIMERS  175
    14.4  GENERAL COMPLIANCE: HUMAN RESOURCES  177
    14.5  FINANCIAL INSTITUTIONS  179
    14.6  HEALTH CARE AND MEDICAL INSTITUTIONS  185
    14.7  HIGHER EDUCATION (FERPA)  189
    14.8  PROFESSIONAL TRADE OVERSIGHT AND ORGANIZATIONS: MOBILE  190
    14.9  OTHER FEDERAL AGENCIES  191
    14.10 FEDERAL LEGISLATION  192
    14.11 STATE LEGISLATION  195
    14.12 COMPLIANCE OVERSIGHT  197
    14.13 COMPLIANCE TRAINING  199
15  CHAPTER 8 - CURRENCY AND CAMPAIGNS  200
    15.1  ONLINE BANKING  202
    15.2  E-PAYMENTS CONVERT TO M-PAYMENTS  205
    15.3  VIRTUAL CURRENCY  206
    15.4  DIGITAL CURRENCY  207
    15.5  BITCOIN  208
    15.6  BEYOND BITCOINS  213
    15.7  CROWDFUNDING  214
    15.8  ONLINE MICROFINANCING  218
    15.9  ONLINE CHARITABLE DONATIONS AND FUNDRAISING  219
    15.10 FUTURE OF MONEY  219
    15.11 DIGITAL POLITICAL CAMPAIGNS  221
    15.12 DIGITAL ADVOCACY  223
    15.13 DIGITAL LOBBYING  225
    15.14 RISK AND SECURITY OF ONLINE POLITICS  226
16  CHAPTER 9 - DIGITAL SUCCESSION  228
    16.1  SUCCESSION PLANNING  230
    16.2  INFORMATION TECHNOLOGY SECURITY SHORTAGE  233
    16.3  THE NEXT GENERATION OF INFOSEC PRO  234
    16.4  WOMEN IN INFOSEC  238
    16.5  CYBERSECURITY SIMULATIONS  240
    16.6  DIGITAL LEGACY  241
    16.7  DIGITAL ASSETS  242
    16.8  DIGITAL AFTERLIFE  243
    16.9  DIGITAL EXPIRATION  246
    16.10 DIGITAL IMMORTALITY  249
17  CHAPTER 10 - THE FUTURE OF ONLINE SECURITY  252
    17.1  THE FUTURE: UNPREDICTABLE  255
    17.2  THE FUTURE: FOUR SCENARIOS  257
    17.3  MONITORED MAN  267
    17.4  BICENTENNIAL MAN REVISITED  269
    17.5  CREDENTIAL VERIFICATION  270
    17.6  BIG DATA  270
18  Index  274
    A 274, B 274, C 275, D 276, E 278, F 278, G 279, H 279, I 279, J 280, K 280, L 281, M 281, N 281, O 282, P 282, Q 283, R 283, S 284, T 285, U 286, V 286, W 286, Y 286, Z 286


Chapter 1 Risk Management Digital Style

Abstract
This introductory chapter lays out the context of the book by giving an overview of risk management concepts and how they apply in a digital environment. It goes over risk management models and the risk management process.

Keywords
BlueWave computing; Critical security controls; Incident response; Models; Risk analysis; Risk assessment; Risk identification; Risk level; Risk management; Risk management apps; Risk mitigation; Risk remediation; Risk response; SANS; Security; Socially legal audit; Threat

Which risks are relevant? Those that impact business goals. Which risks impact business goals? They all do.

Did you hear the one about the IT security officer who “resigned” after it was discovered that a data breach at its retail operations headquarters that affected millions of customers could have been avoided if only one of over 60,000 alerts had been heeded?[1] Or the one about a security consultant who leaked information about a government surveillance program, bringing world leaders to the defense, who ended up exiled in Russia but had a great turnout at South by Southwest?[2] Or how about the one about computer engineers who lost their life savings and their jobs in the misplacement of digital currency?[3] Or the one about the employee who left a company laptop connected to public Wi-Fi at the coffee shop that led to insider trading violations and criminal penalties?[4] Or the one… I think you get the point. There have been a lot of “ones” in the news and even more not in the spotlight. In 2011, Verizon reported “855 incidents and 174 million compromised records.”[5] To update that, the Online Trust Alliance (OTA) released their report in January 2014, which indicated that of over 500 data breaches in the first half of 2013 “31 percent of incidents were due to insider threats or mistakes; 21 percent resulted from the loss of computers, hard drives, and paper documents; 76 percent were due to weak or stolen account logins and passwords; and 29 percent of compromises resulted from social engineering.”[6] What do these have in common? They all dealt with information technology in the online digital environment.

As we begin our exploration of online risk and security, it is useful to make sure we are on the same page. Defining the lexicon of the landscape allows us to define risk management and security in the context of the digital environment and determine whether they are different because of this new context or whether they have just been expanded. Therefore, we begin with standard definitions of risk management, risk, security, and threat. You may have your own favorite you use, but we will stick with these as we head out.

Risk management: The identification, analysis, assessment, control, and avoidance, minimization, or elimination of unacceptable risks.[7]

Risk: A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action.[8]

Security: The prevention of and protection against assault, damage, fire, fraud, invasion of privacy, theft, unlawful entry, and other such occurrences caused by deliberate action; the extent to which a computer system is protected from data corruption, destruction, interception, loss, or unauthorized access.[9]

Threat: Indication of an approaching or imminent menace; negative event that can cause a risk to become a loss, expressed as an aggregate of risk, consequences of risk, and the likelihood of the occurrence of the event. A threat may be a natural phenomenon such as an earthquake, flood, or storm, or a man-made incident such as fire, power failure, sabotage, etc.; action or potential occurrence (whether or not malicious) to breach the security of the system by exploiting its known or unknown vulnerabilities.[10]

Most of those definitions should seem familiar to you. However, there are some key words within them that bear special consideration as we look at online security and risk management. First, risk management brings up the issue that there are acceptable and unacceptable risks—what would be an acceptable risk has long been debated by security professionals. One school of thought is that any risk is unacceptable. The other believes it is a return-on-investment (ROI) question—how much does it cost to mitigate the risk versus how much will the risk impact cost if left alone?

Second, notice that the definitions of risk and threat are symbiotic with two main differences: a threat is indicated as something that can be foreseen and is imminent; a risk is just a probability. But both indicate that they can be avoided to a certain extent—excluding natural disasters. Third, security is presented to offer a safety net around property—whether tangible or intangible, such as online data. And last, risk management is about looking at risk and threats and setting up procedures to answer some specific questions to give a sense of security:

1. What are the real, material risks and threats?
2. What are we doing about them?
3. Is what we are doing actually working?

Risk management models

Companies cannot eliminate all risks for two reasons. First, the internal and external threats that cause risk are very dynamic. Second, control investments eventually result in diminishing returns.[11] There are quite a few risk management models out there. Just Google “risk management” and you will have, as I did in July 2013, over 388,000,000 results come up. But most of the models concur on a series of steps that make the process viable and effective.

Step 1: risk identification

Identifying what risks may actually exist in a company’s online infrastructure and digital activity is where it all begins. There are a number of tools to assist the internal risk management professional to complete this on their own, as well as a number of third-party companies that offer auditing and risk assessment services for a price. The gathering and compilation of this information should go beyond a report. It should be looked at as a dynamic and changing set of factors that need to be understood and dealt with in a strategic way, meaning in the best interests of the company (legally, of course). Many companies use a series of security and risk management questions to help guide their collection of the needed data. One good resource is a paperback called The Ultimate Security Survey by James L. Schaub and Ken D. Biery. It is in its second edition and a bit on the expensive side, ranging from $625 to over $1000 on Amazon.com.[12] But it is very comprehensive. At a minimum, an audit to gather risk information relating to online and digital activity security should include:

• The mission and demographics of the company
• Inventory of the current online footprint of the company (social media platforms, Web sites, intra- and internets, blogs, etc.)
• Inventory of digital and mobile devices accessing company data (laptops, tablets, smartphones, etc.)
• Inventory of access points into and out of company data systems
• Review of current online and digital activity security and risk management strategies and plans
• Review of online/digital employee roles, responsibilities, and liabilities (social media managers, mobile directors, app developers, etc.)
• Review of current IT-related policies and procedures (including social media, IT, privacy, passwords, e-mail, etc.)
• Review of online digital disclaimers and disclosures
• Review of online digital assets (including copyrights, trademarks, trade secrets, content contracts, development contracts, etc.)
• Review of company terms of use and service agreements with third-party vendors
• Review of online and digital content/document retention policies and procedures (including cloud-related legal concerns)
• Review of data collection, data security, authentication, and access
• Review of online crisis and reputation management
• Review of federal and state laws, and industry regulations and compliances that the company is subject to regarding online and digital activity
• Review of human resources’ use of online data for the employment cycle (including recruitment, interviewing, performance evaluation, and termination)
• Review of marketing’s use of online and digital resources to ensure compliance with specific regulations (such as contest and promotion rules, gaming laws, truth-in-advertising requirements, etc.)
• Review of cyber-risk insurance and coverage

For an example of an audit specifically focused on social media risk and liability, see the Socially Legal Audit sidebar.

SOCIALLY LEGAL AUDIT® http://sociallylegalaudit.com
The Socially Legal Audit™ (SLA) tool is an instrument developed by Law2sm, LLC (www.law2sm.com)...