Every company handles data of several kinds. We'll start with a look at the company's own data. In general terms, data falls into four categories. The first two are the company's own information assets: data whose damaging disclosure might injure the company itself. The second two involve information about others involved in our work. Sometimes they're companies, sometimes they're people, but they're not employees or parts of the company. So if we're careless with their information, it might not directly injure the company, but it might injure them. Modern privacy regulations affect how we manage that data. The rest of this course will examine data protection in these terms. This video focuses on company data.

First we look at company secrets. Here are five examples. Proprietary information is information that provides the business with an advantage over its competitors, or at least a reason for its existence. A classic example would be a photo of whatever iPhone model hasn't been officially announced. Financial disclosures are another type of secret. If a company is publicly held, it must announce its financial performance on a regular schedule, usually four times a year. The details remain completely secret until they are announced to everyone at the same time. If someone trades on the information before it's made public, they could be charged with the crime of insider trading. But that's not the only type of insider information. Companies, and individuals for that matter, have to keep security information secret. There are hackers with online sales sites where they offer collections of usernames and corresponding passwords. If the company produces recorded performances like video or music tracks, it tries to release those performances only in a copy-protected form; unprotected digital performances are too easy to share. Finally, many companies handle private information belonging to customers and clients.
We mentioned that briefly earlier; we're going to skip it for now during this lecture, but we'll get back to it later.

How much secrecy is the right amount? That's up to the company's management, and it plays a major role in the company's culture. We've talked about this before. Apple is famously secretive, but it is an extreme case. Many companies focus on keeping secret the things that are worth the trouble: data covered under laws and industry standards, along with product and marketing data. Some companies go the other way entirely. Some companies in the open source community place much of their operation online and even share video conferences of low-level team meetings.

Your defenses are the ones we talked about in the previous course. The first three are classic protections dating back to humanity's earliest efforts at money management. The last two are, of course, computer-oriented defenses. Indirect protections don't put up barricades, but they make it harder for attacks to succeed without getting caught. Though people started paying attention to computer intrusions in the 1980s, real progress had to wait until sites seriously monitored their systems for possible attacks. To be honest, it was hard to detect an attack in the early days, since abnormalities were most often caused by software bugs. The Morris worm of 1988 was perhaps the most dramatic security breach from the early days. It was intended as an unobtrusive experiment; a software flaw caused it to run out of control, and it disabled about 10% of the hosts on the Internet. It succeeded in penetrating computers because it relied on well-known bugs that people had never patched. Unpatched software remains a source of vulnerabilities. Access controls are tricky because the system appears to work correctly whether the controls are there or not. Recent data thefts from cloud systems were too often traced back to missing access controls.
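The paragraph above ends on the point that a missing access control produces no visible symptom: legitimate users see a system that works. The only way to notice is to test the denied paths as well as the allowed ones. Here is an added example of that idea (it is not code from the lecture or from any real cloud provider): a deny-by-default check and an audit routine that replays both allowed and denied requests against it. The policy layout, the principals, the bucket names and the test cases are all hypothetical.

```python
"""Added example, not from the lecture: a deny-by-default access check and an
audit that replays both allowed and denied requests against it. The policy
shape, principals, resource names and cases are hypothetical."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    # resource -> principal -> set of allowed actions (hypothetical layout)
    grants: dict = field(default_factory=dict)

    def allow(self, resource, principal, action):
        self.grants.setdefault(resource, {}).setdefault(principal, set()).add(action)


def is_allowed(policy, principal, action, resource):
    """Deny by default: only an explicit grant permits the action."""
    return action in policy.grants.get(resource, {}).get(principal, set())


def is_allowed_missing_control(policy, principal, action, resource):
    """The failure mode the lecture warns about: the check was never wired in,
    so every request succeeds and legitimate users notice nothing wrong."""
    return True


def demo_policy():
    """Constructed policy: finance may read/write customer data, anyone may
    read the public site, nothing else is granted."""
    p = Policy()
    p.allow("bucket:customer-data", "alice@finance", "read")
    p.allow("bucket:customer-data", "alice@finance", "write")
    p.allow("bucket:public-site", "anonymous", "read")
    return p


# (principal, action, resource, expected result); constructed test cases
CASES = [
    ("alice@finance", "read", "bucket:customer-data", True),
    ("alice@finance", "write", "bucket:customer-data", True),
    ("anonymous", "read", "bucket:public-site", True),
    ("anonymous", "read", "bucket:customer-data", False),  # the data-theft case
    ("anonymous", "write", "bucket:public-site", False),
    ("bob@marketing", "read", "bucket:customer-data", False),
]
# What a purely functional test suite looks like: only the allowed paths
POSITIVE_CASES = [c for c in CASES if c[3]]


def audit(check, policy, cases):
    """Return every case where check() disagrees with the expected answer.
    An empty list means the control behaves as the cases require."""
    failures = []
    for principal, action, resource, expected in cases:
        got = check(policy, principal, action, resource)
        if got != expected:
            failures.append((principal, action, resource, expected, got))
    return failures


if __name__ == "__main__":
    p = demo_policy()
    print("correct control:", audit(is_allowed, p, CASES))
    print("missing control, allow-only tests:",
          audit(is_allowed_missing_control, p, POSITIVE_CASES))
    print("missing control, with deny tests:",
          audit(is_allowed_missing_control, p, CASES))
```

Run it and the second line is empty: the broken checker passes every allow-only test, which is exactly why the system "appears to work correctly." Only the third line, which includes the deny cases, reports the missing control. The practical rule is to keep the deny cases in the regular test run, not just in a one-time review.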
The smart strategy is to put the controls in place and to regularly test them to ensure they actually block attacks.

Now we'll look at protecting company money. We protect it for the owners, of course, and for the usual suspects who depend on the company for success, in just about all cases because people make money from it, or because they need its services. And we're protecting it from the usual fraud and embezzlement dangers.

Trickery to get money is as old as money itself. Here are some historic examples. We start with what today we call insurance fraud, move on to selling things we can't deliver, then to spending money we should be investing, and finally to exploiting secret information about market changes. These things just keep happening. In 2002, fraud by senior executives of Enron and WorldCom destroyed both of those companies and helped precipitate a worldwide economic downturn. Embezzlement rarely causes economic crashes, but it can seriously damage a company. One of the worst examples was the benefits manager for a labor union's local office who stole $42,000,000 over a seven-year period from the benefits accounts. She handled all the money and all the reporting, and nobody else had any real oversight role to make sure she was doing her job properly. That's simply asking for trouble. Koss, the headphone manufacturer, lost half of its net profits over a five-year period when the vice president of finance, working with another employee, stole customers' payments and spread the loss across other customer accounts. A bank vice president in Montana solved a personal financial crisis by creating several credit card accounts with very high limits. One of the credit card companies noticed suspicious transactions and uncovered the fraud. A mid-level administrator at an art center in Atlanta created a bogus company and submitted invoices for nonexistent services.
This administrator actually had nothing to do with finance and simply submitted invoices for services. The embezzlement was found out after the employee quit, and some of the suspicious invoices were still in the system waiting for payment.

Here in the United States, criminal law traditionally works at the state level. Murder, burglary and arson are usually local matters handled by local officials. States also enforce laws against fraud and embezzlement, and each state regulates banks a little differently. There's a lot of commonality, but there are still small differences from one state to the next. Most states also establish and enforce accounting and auditing requirements for companies that are incorporated in that state or for regulated businesses. Some crimes can only be enforced at the federal level, mail fraud being an early example. Improved trains and automobiles made interstate crime a bigger problem, especially around the turn of the 20th century. And now there's the Internet. It wasn't until the Great Depression that federal laws were directed at investments in publicly held companies in a major way. A successful Wall Street investor named Joseph P. Kennedy became the first chairman of the Securities and Exchange Commission, or SEC, and once he took control, he outlawed many of the dubious practices that had made him and many others rich on Wall Street at the expense of other investors. SEC investment regulations require that stock and bond offerings thoroughly and accurately describe the offering to potential investors. SEC rules also apply to publicly held companies to make it more difficult for officials to benefit themselves at the investors' expense. This includes regular audits. Deposit insurance was another Depression-era innovation. Banks could insure their customers' deposits as long as they complied with detailed federal regulations, including audit requirements. Governments lack the resources to police every industry and author every standard.
Companies in a particular industry often collaborate to develop standards for their mutual benefit. The accounting community established the Generally Accepted Accounting Principles, or GAAP. These are similar to the International Financial Reporting Standards used outside the US. Companies performing audits are expected to comply with GAAP. The American Institute of Certified Public Accountants, the AICPA, has developed a series of reports on system and organization controls called the SOC 1, 2, and 3 reports. These provide a standard way of describing a company's data protections. The Payment Card Industry Security Standards Council, or PCI SSC, developed a set of data security standards, the PCI DSS, used by every company or organization that handles payment card information.

The past two decades have spawned new finance and cybersecurity laws at the US federal level. The 1990s saw the Internet become a major business tool. It also saw the flourishing of computer-assisted financial fraud and privacy abuses. Companies regularly sold their customer lists to almost anyone willing to pay. The Gramm-Leach-Bliley Act required basic consumer privacy protections and data access controls. During the 1990s, security teams called red teams tested US government computers by trying to break into them. Their success rate hovered around 100%. FISMA tried to reduce that success rate. 2002 saw the crash of Enron and WorldCom and the first major recession of the new century. The Sarbanes-Oxley Act rose from those ashes. After a dozen years of FISMA, critics complained that instead of promoting government cybersecurity, it really just promoted cybersecurity planning. The 2014 update addressed these shortcomings.

Now I'll take a brief dive into security requirements arising from particular laws and standards. Financial institutions covered by GLBA must protect customer data, and the act gives customers certain rights and controls over their information.
The privacy rule gives customers the right to opt out if they don't want their information shared with certain third parties. Under the same rule, any company that gives financial advice, extends credit, or arranges financing must notify customers about the information it collects and who it shares it with. Under the safeguards rule, financial institutions must protect the customer information they collect.

The Sarbanes-Oxley Act implemented wide-ranging reforms on company reporting and internal controls. One of the things it added was criminal penalties for company officials responsible for internal corporate fraud. Two sections in particular address cybersecurity requirements. Section 302 requires internal company controls that ensure accurate and timely financial disclosures. The controls must ensure that data remains secret until it's disclosed and that the data is accurate. It also requires company officials to have evaluated those controls when making a regular report. Section 404 requires internal controls to protect financial information and ensure proper reporting. Many companies outsource financial activities and often rely on SOC reports to show compliance. We'll talk about SOC reports in a minute.

FISMA established a set of cybersecurity standards and guidance for US government computing systems. Standards tied to FISMA include the Risk Management Framework, or RMF. We used the Common Vulnerability Scoring System, or CVSS, in the previous course to rate the impact of security vulnerabilities. FISMA's framework applies the same impact-based thinking to whole systems: FIPS 199 defines low, moderate and high impact levels, and each system is categorized by the impact of losing confidentiality, integrity or availability. Categorization identifies minimum security requirements and guides the selection of security controls. The framework closes the loop by monitoring and verifying system security measures.

As I said earlier, SOC reports document a company's internal security controls. They generally are produced by independent auditors, not by the company's own people.
Vendors use SOC reports to independently vouch for the quality of their security measures. External auditors may also use them to verify internal security as part of a financial audit. More specifically, the SOC 1 report focuses on financial controls and is targeted at financial auditors. These aren't usually shared beyond the customer and its auditors. The SOC 2 report focuses on general cybersecurity controls. These are almost always proprietary reports; some vendors will grant you access to their SOC 2 reports if you are an established customer. For example, people who sign up for Amazon or Google cloud services may download and review the corresponding SOC 2 reports. The SOC 3 report is a publicly released version of SOC 2. It addresses the same cybersecurity topics, but it omits details that would be withheld from competitors.

The Payment Card Industry Data Security Standard protects company transactions as well as personal financial data. It addresses security for debit and credit cards as well as the servers, point-of-sale terminals, and transmission security. PCI DSS applies a whole range of security measures, but major ones include encryption in motion and encryption at rest.

Many companies delegate financial responsibilities to other vendors. Here are some examples. When a company delegates financial activities, it needs to protect itself as well as comply with the vendor's requirements. First, when we delegate, we want to review a copy of the vendor's SOC 2 report. Do they have reasonable protections in place? We can compare them with competitors if we're seriously considering them. Your company's system should also include checking logic to ensure it sends sensible and syntactically correct information to a vendor. If the system is sending a complex transaction, check the transaction for internal consistency. Also use a standard encryption technique,
probably TLS, still often called by its older name SSL, while exchanging data with the vendor. Also, monitor your accounts at the vendor and reconcile the information against the transactions you perform. Ensure that transactions were all completed and that all payments match up with legitimate transactions.
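Two of the controls just described, checking a transaction for internal consistency before it goes to the vendor and reconciling the vendor's statement against our own ledger, are easy to show in code. What follows is an added example written for this page; it is not code from the lecture or from any payment vendor. The record layout (account numbers, currencies, header amount plus line items), the ledger and statement formats, and all sample data are constructed for the illustration. Reconciliation is also the control that would have exposed the Koss case above, where losses were spread across other customer accounts: the per-transaction amounts no longer match.

```python
"""Added example, not the lecture's own code: outbound transaction validation
and ledger-versus-statement reconciliation for a delegated payment vendor.
Field names, formats and the sample data below are hypothetical."""
from decimal import Decimal, InvalidOperation
import re

ALLOWED_CURRENCIES = {"USD", "EUR"}            # assumed vendor contract
ACCOUNT_RE = re.compile(r"^[0-9]{8,12}$")       # assumed account-number format


def validate_transaction(txn):
    """Syntactic and internal-consistency checks on one outbound transaction.
    Returns a list of problems; an empty list means it may be sent."""
    problems = []
    if not ACCOUNT_RE.fullmatch(str(txn.get("account", ""))):
        problems.append("account number is not 8-12 digits")
    if txn.get("currency") not in ALLOWED_CURRENCIES:
        problems.append("unsupported currency")
    try:
        total = Decimal(str(txn["amount"]))     # Decimal, never float, for money
    except (KeyError, InvalidOperation):
        problems.append("amount missing or not a number")
        return problems
    if total <= 0:
        problems.append("amount must be positive")
    items = txn.get("line_items", [])
    if not items:
        problems.append("no line items")
    else:
        item_sum = sum(Decimal(str(i["amount"])) for i in items)
        if item_sum != total:                   # header must equal detail
            problems.append(f"line items sum to {item_sum}, header says {total}")
    return problems


def reconcile(ledger, statement):
    """Compare what we sent (ledger) with what the vendor reports (statement).
    Both are lists of {"id": ..., "amount": ...}. Returns the three classes of
    discrepancy the lecture asks us to look for."""
    ours = {t["id"]: Decimal(str(t["amount"])) for t in ledger}
    theirs = {s["id"]: Decimal(str(s["amount"])) for s in statement}
    return {
        "incomplete": sorted(set(ours) - set(theirs)),      # sent, never completed
        "unexpected": sorted(set(theirs) - set(ours)),      # paid, but we never sent it
        "mismatched": sorted(i for i in ours.keys() & theirs.keys()
                             if ours[i] != theirs[i]),      # amount changed in transit
    }


# Constructed sample data
GOOD_TXN = {"account": "123456789", "currency": "USD", "amount": "120.00",
            "line_items": [{"amount": "100.00"}, {"amount": "20.00"}]}
BAD_TXN = {"account": "12AB", "currency": "GBP", "amount": "120.00",
           "line_items": [{"amount": "100.00"}]}
LEDGER = [{"id": "T1", "amount": "120.00"},
          {"id": "T2", "amount": "75.50"},
          {"id": "T3", "amount": "10.00"}]
STATEMENT = [{"id": "T1", "amount": "120.00"},
             {"id": "T2", "amount": "57.50"},    # amount altered
             {"id": "T9", "amount": "500.00"}]   # payment we never initiated


if __name__ == "__main__":
    print("good:", validate_transaction(GOOD_TXN))
    print("bad:", validate_transaction(BAD_TXN))
    print("reconciliation:", reconcile(LEDGER, STATEMENT))
```

Every non-empty entry in the reconciliation result is a case to investigate: an "incomplete" transaction may be a vendor outage or a dropped message, an "unexpected" one is money leaving without a legitimate origin, and a "mismatched" one is either a vendor error or exactly the kind of tampering the embezzlement cases above describe. The validation step runs before anything is sent, so a malformed or inconsistent transaction never reaches the vendor over the TLS connection in the first place.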