According to Bleacher Report, Pres. Donald Trump has cancelled a deal set in place last December that would allow MLB to sign Cuban Players - similar to the deals in place to draft players from Japan and South Korea. The reasoning is that trade with Cuba is currently banned and the Cuban Baseball Federation is part of the Cuban government... thus nullifying the deal.
 The higher education is not free from data threats and risks whose primary target is their financial security followed by student retention. Adoption of mobile technologies by colleges and universities has contributed to increased malicious attacks.
Your institution should, therefore, learn and implement information security lessons from the recent security breaches affecting the other institutions. Security Breaches in Higher Education How Multi-factor Authentication Safeguards Admission Records Hamilton, Grinnell, and Oberlin are the three colleges whose admissions records fell in the unauthorized hands of cybercriminals on March 7, 2019. The cybercriminals used the students’ nonpublic personally identifiable details like hostage and birth date to send applicant emails. Though used by over 800 colleges globally, the violation linked to Slate; software used to manage applicants’ information in the institutions of higher learning. The software sends new applications, texts, and emails. In its defense, slate attributed the unauthorized access to illegal entry into the colleges’ password reset system. The criminals took advantage of the lack of multifactor authentication for individual sign-on systems to break into the platform. The cyberattack incident placed the student's admission at risk. If you are a tech-savvy student who is conscious of information security, join colleges and universities with efficient, reliable cybersecurity practices. Why Protecting Email Matters On October 19th, 2018, the Florida Keys Community College detected a data breach which happened between May 5th and November 5th, 2018. On 27th February 2019, the college announced the breach whose root cause was an unauthorized collection of workers emails. The announcement followed confirmation of compromised employees’ identities on January 7th, 2019. Some of the stolen information comprised of the nonpublic personally identifiable information. Such as passport information, username, password, date of birth, social security number and medical information. The 2018 Ponemon Cost of a Data Breach Report stated that 197 and 69 days as the average time taken to identify a breach and manage it respectively. However, the Florida Keys Community College outdid the record by detecting the breach in 167 days while the response happened in 7 days hence earning a C+ in the identification and an A- for their immediate response. Though the grading is a positive one, the affected parties; faculty, students, and staff had nothing to smile about due to the compromise of their sensitivity, personal information which ended up with the cybercriminals. To make the cyberattack successful, the criminals manipulated the weaknesses in the IP and domain configurations. The hackers also used the vulnerabilities on the number of connections to servers, SMTP authentication measures, coupled with a myriad of other network security problems. How Vendor Risk Management Protects Student Records The Stanford Daily reported that a campus student identified a vulnerability in the third-party content management system called NolijWeb. The vulnerability allowed Stanford applicants to view their Common Application forms. Later In 2015, NolijWeb let students access their files using the identification numbers as part of the records' URL. By altering a few characters, you could quickly obtain the information. Stanford discovered that the system was posing as a potential point of attack. After the realization, Stanford disabled entry to the software and put on hold online student’s access to the application documents. The documents were under the care of the Family Educational Rights and Privacy Act (FERPA). All you needed to access the site was a valid student login. Later the vendor got cleared by the regular audits. Unfortunately, neither the NolijWeb nor Stanford could identify how long the vulnerabilities lived in the application. Stanford is however not new to data breaches. Recently in 2017, permission to access a university-wide file sharing system directed all the Andrew File System (AFS) users to view files meant for preparing a sexual assault case. In the month that followed, Stanford was at it again, but now the weakness was in the Business Graduate School site. The website leaked sensitive workers records. The primary focus of all these information breaches was weaknesses tied to third-party vendors and those related to permission issues. Four Steps to Securing Your Higher Education Data Identify Risk Cybercriminals will manipulate data irrespective of the stage in which the information is. The data cycle has different stages such as collection, storage, and transmission. Despite knowing the sensitive nature of data they handle, the universities and colleges still fail to perform a risk review. Instead, the institutions convert traditional data into digital data using Software-as-a-Solution enablement without caring if the platform is updated or from a new vendor. Stanford is a perfect example because six years after 2009 it still used NojiWeb application for its scanned document needs despite NojiWeb’s vulnerability. All this time the application denied the students access to information stored online. Stanford was, however, exposed to vulnerabilities associated with either an upgrade or installation of a new system. For enhanced safety of your students records irrespective of whether using an updated or newly integrated provider, identify and guard all points at which information gets stored, collected or transmitted. Secure Networks Even with the increased use of mobile devices and the complex network architecture ranging from email servers, guest wireless and library domains, apply due diligence to secure networks and all your data by developing strong controls. Focus on User Access and Authentication Upon graduation, you should deny alumni access to your systems, networks, and software. Giving the graduates access magnifies the authentication threats. Additionally, enforce the multi-factor authentication in your college or university. Cybercriminals can quickly gain access from a misplaced laptop of Smartphone which is left open thus increasing malicious activities on your information. Increased use of mobile technologies by students call for the establishment of additional measures and procedures. Monitor Vendor Risk How proficient is your third-party vendor in matters of information security? Use strict standards such as those you use in the admission of first years to gauge the suitability of your vendor. Analyze your third-party service provider especially upon identifying a threat to see if they pose further danger to your records. If you are working with a SaaS provider who aids you in the collection, storage, or transmission of staff, student or faculty's information, make sure they do it per your institution's risk tolerance. Also, ensure you sign Service-level agreements with your vendors. The contracts should document the adequate, standard controls as well as resultant consequences for failure to enforce and maintain the set controls. Bottom Line What can you learn from higher education security breaches? From their nasty experiences, learn to employ robust control systems for your organization's information system and leverage tools for higher-education that help monitor and maintain your infrastructure’s data security.  How does your tool rate? Is your project management app or service the best or newest available? Let’s tell millions daily! Let's include it in the next PM feature article like this one...
http://www.bradegeland.com/blog/looking-to-improve-project-performance-check-out-these-pm-tools-and-services-for-better-results This feature will get hundreds of views daily and several thousand views per month - usually about 2-3k - and daily promotion from me to the PM masses so that everyone knows about your product or favorite tool or service (PMP prep, podcast, development, CRM, SEO, security, etc...). Whether you are the end user or the creator, I want to hear from you. Send me an email or send me a message through the contact form on my site and tell me about it. To be included, I will need...
Hurry - I'd like to get this next feature posted and promoted in April so timing is critical. I look forward to hearing from you!  Today, businesses are increasingly relying on data for their day to day operations. Therefore, it is crucial for organizations to have systems built on infrastructure that is not only secure but also cost-effective and scalable.
The storage and retrieval of data from traditional servers can be archaic and insecure. To address the increasingly complex requirements for data transmission, storage, and analysis, organizations should consider cloud infrastructure. Traditional IT Systems vs. Cloud Data Systems What are Traditional IT Systems? The IT infrastructure of the typical organization comprises of hardware devices that are connected to on-premise servers. The entity’s data is stored on the servers. One of the benefits of storing data on a traditional server is that you have greater security control. This means that you can easily secure your cyber data since you have primary access to the server. As your data storage capacity needs increase, you will have to upgrade the IT infrastructure with additional physical on-site hardware. These infrastructures can be quite expensive. What are Cloud IT Systems? Cloud IT systems refer to a set of infrastructures connected to each other over the internet for the purposes of holding data. The infrastructure is hosted and maintained by a cloud services provider, who is also in charge of security controls. There are three main categories of cloud IT systems: Public Cloud Most organizations use public cloud in their daily operations. Examples of public cloud services include Microsoft Azure, Amazon Web Services (AWS), and Google Cloud platforms. Public cloud services are usually designed as Infrastructure-as-a-Service (IaaS) to allow scalability. However, since public cloud environments are used to store huge amounts of data, they are often the target of malicious parties. A 2018 report by McAfee shows that about 25 percent of companies that use public cloud have suffered data breaches. Private Cloud Private cloud environments are largely safe from the security issues that affect the public cloud. With a private cloud, a company has full access and control of its data centers and security compliance. However, this also means massive costs associated with running and maintaining the private cloud environment. According to an article by SearchCIO, the costs of running and maintaining a private cloud can easily reach over $1 million, which is way out of the financial capability of many organizations. Hybrid Cloud Hybrid cloud arrangements provide the best value for organizations looking to secure their data and manage scalability costs. With hybrid cloud computing, organizations use both public and on-premise private servers to store their data. A private server could be used to store the most crucial data while the other public servers could be used for other data. For example, payment information could be stored on the on-premise server while other non-personal identifiable data could be stored on the PaaS environment. Difference Between Cloud and Traditional Security? With traditional servers, data is stored on on-premise hardware and can be directly accessed by the relevant parties. On the other hand, with cloud servers, the data is stored on the cloud provider’s servers. To access the data, you must configure your applications to communicate with the servers through the providers’ APIs (application programming interfaces). When your system connects to the servers through the API, you can get various important security information such as the number of connections made, where the connections are originating from, etc. However, since the API is provided by the company, your applications’ connection to the server will only be as secure as the API has been configured. Tips for Preventing Hybrid Cloud Security Threats If you wish to store your data in a hybrid cloud environment, you must think more broadly about security. You can control the information that you share with the cloud services. However, it is not always possible to control who can access the information. Here are some steps you should take to mitigate cybersecurity threats to your data in a hybrid cloud environment. Review the data stored in the cloud While you may not have total control of everything within the cloud environment, you should carry out a regular review of the data you store there. As data is transferred and stored every day in the cloud, it is easy for outdated information to get forgotten in the servers. You should regularly audit the data stored in the cloud to ensure its integrity. Outdated data should be removed to keep server costs down. Work with security-focused vendors Before signing up with a cloud service provider, check their security protocols for protecting your data. The company should have robust and updated infrastructure that will always ensure the availability of your data. If you are using any APIs from the service providers, work out proper controls and service level agreements to ensure data integrity.' Monitor threats continuously Stay abreast of cloud security threats and make sure your provider has the latest patches and mitigation measures to counter intrusions. Choose a cloud provider that regularly assesses its security measures to mitigate the evolving threats targeting cloud environments. Meet your compliance obligations If you must adhere to the General Data Protection Regulation (GDPR), you’ll need to store your customer’s data in a local data center. Some regulatory compliance laws require companies to report data breaches. Make sure the service provider will keep you informed of breaches to avoid noncompliance. The above is an overview of the differences between traditional and cloud security systems. Author Bio Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity's success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com. Interested in having me discuss my Real PM book and concepts at your conference, webinar or podcast or a Q & A article - contact me.  Need Your Great Project Management, Business Strategy or Technology Article Published - Contact Me3/19/2019 Do you have a great article or even a good article that you want the world to see? If it is anywhere close to these topics: project management, business strategy, new or current technology, SEO, cybersecurity, agile, scrum, devops, digital transformation, machine learning, artificial intelligence, IoT, the cloud, mobile technology, PMP certification, etc. - I'll look at it and probably run it on my blog for you. And I will promote it to a MILLION+ potential readers DAILY. Your new article will get 300 to 500 views daily (and climbing). Contact me through the contact form on this site or just email me - either way works great.
 Presently, there is no greater priority than the prevention of a data breach. One must keep alert for the effectiveness of the security controls so that they don’t change in a split of a second. An ideal way to ensure this is by having a risk management plan so that you can avoid a data breach, which will ruin your IT supply chain up and down. Risk Management Planning What is the Risk Management Process? First, you must identify the risk before you can move to analyze and establish the proper risk mitigation steps. So, most times you can expect to make lots of lists to keep up with the entire process. To put this into perspective, you will need to follow a set of steps to draw up an adequate risk management plan. You will need to conduct a risk assessment so that you can identify where you will reserve, transmit, and distribute information. Then, examine to see if there could arise any potential risks of accessibility, confidentiality, and integrity to it. Once you have accomplished that, you will need to make a second list that will help you rate the significance of the data as well as to let you examine if there any chances of data endangerment. Finally, using the second list, you will have to create a third one which will illustrate whether you choose to transfer, mitigate, refuse, or accept the risk. Keep in mind that you also mustrecord your basis for supporting your decision and the steps you followed through on the decision. How to Analyze Potential Impact of a Risk Event Several categories of risk events occur within the information security background. But when well-informed about the probable events and statistics promoting data invasions costs, you can bet you will reflect over the risks and estimate the impact adequately. • Vendor Data Breach Such a breach can wreck you. According to a report issued by the Ponemon Institute in 2017, 56% of data invasions originated from third-party vendors. The report also revealed that the standard payout for data invasion was $ 7,350,000 including customer loss, fines, and remediation. • Malicious Attacks According to the Verizon Data Breach Insights 2018’s report, 73% of cyber-attacks emanated from nefarious organized groups, nation-state or nation-state related malicious actors. Out of 53,308 security incidents, 2,216 comprised of data breaches, of which 21, 409 of the events cropped up due to hacking attacks. • Insider Issues The same report by Verizon gave insights on the effects of internally evoked risk events. In it were a startling number of internal breach activities emanating from system administrators and end-users. Out of the 277 insider issues reported, 134 incidents arose from these two categories. Concurrently, social engineering accounted for 1,450 incidents, of which 381 affirmed to data disclosure. Why You Need A Risk Assessment Matrix The greatness of qualitative risk reviews is that they give you estimates. They let you determine responses adequately not just to identify the probability of an incident’s occurrence but also to help you understand the impact it might have. At times, the event may be unlikely to occur, though its impact could strain your financial stance. Thus, distorting your math plans. But when you have a risk assessment matrix, you will easily track data security risks across the field, permitting you to concentrate on the essential and impactful risks first before moving on to attend to other probable events suitably. How To Apply A Project Management Approach To A Cybersecurity Risk Management Plan Project management and taking a security-first approach to cybersecurity tasks go together. With that in mind, you ought to start by laying out the risks and formulating projects that permit you to test, develop, and operate your data guards. WBS- Work Breakdown Structure use offers an excellent example of how to design a cybersecurity risk management plan while employing a project management approach. As a project manager, it will be your duty to ensure that both internal and external stakeholders are in unity so that everyone can understand what they ought to do to meet goals. Likewise, the chief information officer (CIO) needs to mobilize the c-suite and department managers initiating various tasks integrated into cybersecurity monitoring and vendor management. The WBS is responsible for providing internal stakeholders with information on the tasks and subtasks they need to do. Furthermore, as part of information security compliance, you need to analyze standards and regulations for their unit and subparts. Using Project Management to Create Cyber Security Risk Mitigation Strategies The risk mitigations will always remain the same, whether you choose to bring a new Software-as-a-Service vendor or want to become compliant with a new regulation or standard to scale the business.  While active hardware and software development strives to ensure continuous monitoring of the product through its life cycle, cybersecurity risk management helps you to track hazards to the data environment to secure controls effectiveness.
Having risk management plans guarantees your data safety. Without it, it will be easy for a malicious actor to sight a vulnerable spot to exploit leading to a data breach. So, be vigilant and secure your business the right way. "Capital is not so fundamental in business; neither is an experience since you can easily acquire them. Ideas are what is important because when you have ideas, you possess the asset needed to pursue limitless achievements in your business and your life."
— Harvey Firestone A compliance project must have a concrete plan. You may put all fringe and vigor into your project, but without a solid base, you’ll end up with nothing but offscourings that will lead you back to the drawing board. Going beyond the Planning Phase to Delve into the Project itself When you decide to go beyond the planning phase of your compliance project to start the execution process, you are demonstrating your proficiency. You exemplify the fact that you’re psyched up for the task, have your resources gathered, and a sound plan in place for project consummation. Rushing the project without adequate planning risks failure. Delaying its execution could result in loss of resources, overage budgeting, and delayed milestones. For successful outcomes on your compliance project, ensure that you roll out your project at the right time. When carrying out the execution phase of your project, there’s no definitive cut-off point. This is the time when you put your strategies on course. The period of confirming resources and verifying the scope of the reviews and objectives is over, and it's time to deploy your resources. You’ll venture into the assessment of the competency and efficacy of your outlined plan and procedures. At this point, you must be assertive of your project plan and the laid procedures as you batten down for any contingencies that may emerge. Sharing Information with All Project Stakeholders Communication is essential, especially now that many people are involved in the execution phase. The project’s effectiveness should start with you holding a meeting with your team to review all the outcomes of the planning process and contrive a way of relaying the project details to your audience. This will also help to identify any flaws or risks that that may not have been mitigated. It’s a great way of streamlining your entire planning process. Communicating the project’s scope, timeline, and your team to stakeholders will highlight your expertise, conscientiousness and the ideas you infused into the project. Your announcement officially introduces your compliance project to your company, and it goes beyond the people involved in planning your project. It is an added victory, though small, indicating the milestone of your project. Whether you’re conveying your annunciation via email or open meeting, your message should incorporate the following:
Doing the Heavy Lifting – Working on the Project For the whole of the execution phase, you’ll be busy working on your project. This includes taking an analysis of all transactions for possible noncompliance occurrences, testing the red alerts if any, and interviewing stakeholders of the compliance process, among other tasks. The following standard components are a must have for any properly-managed compliance project:
The nature of compliance projects in our careers vary. This post is intended to guide all types of compliance projects regardless of their scope or style. The best practices for executing compliance projects may take numerous forms. But one theme remains mandatory for any project - the need to develop and retain successful project execution evidence. The form taken by such evidence will depend on the project and the required work input. Here are the execution components that every compliant project requires:
Whether the objective of your compliance project is to augment PCI compliance or strengthen the KYC procedures of your AML program, a concrete execution based on an impregnable plan is needed for successful fruition. As Harvey Firestone said, having an idea is the only asset you need to develop a plan that will be solidly executed. With a well-calculated idea, the subsequent activities of the project will fall in place without many risks and wastes on deliverables. Implementing the project will be a smooth process considering that you have all the tools at your disposal to keep you within the budget and schedule of completion. I want to feature 5 to 7 Project Management related software or service offerings as new, unheard of or best in class to try out for u2019. I will feature them in an article similar to these past popular features I’ve put together:
14 Project Management Tools You May Not Know About 5 Project Management Tools and Services to Check Out in June 2018 6 SEO Tools Social Media Marketers Must Try Four Top Project Management Tools and Services to Check Out in May 2018 12 Project Management Related Tools to Consider for 2016 Project Management Related Tools And Services To Consider For 2016 And Beyond 5 Cybersecurity Tools and Services to Consider for 2016 and Beyond If you have one or want to suggest one for inclusion please contact me ASAP. I will need to discuss it with you and gather a few things from you or the vendor: - product description - screen shots - desired links - testimonials that you’d like to include Target go-live date is 3/25 - please let me know if you’re interested. I’ve written more than 6,000 PM, Cybersecurity, business strategy, SEO and related articles, ebooks, white papers and videos for clients and independent sites world wide and have been named “#1 Provider of Project Management Content in the World” so I have a good following and traffic to my content. Let’s make this a great feature! Thanks! I want to feature 5 to 7 Project Management related software or service offerings as new, unheard of or best in class to try out for u2019. I will feature them in an article similar to these past popular features I’ve put together:
14 Project Management Tools You May Not Know About 5 Project Management Tools and Services to Check Out in June 2018 6 SEO Tools Social Media Marketers Must Try Four Top Project Management Tools and Services to Check Out in May 2018 12 Project Management Related Tools to Consider for 2016 Project Management Related Tools And Services To Consider For 2016 And Beyond 5 Cybersecurity Tools and Services to Consider for 2016 and Beyond If you have one or want to suggest one for inclusion please contact me ASAP. I will need to discuss it with you and gather a few things from you or the vendor: - product description - screen shots - desired links - testimonials that you’d like to include Target go-live date is 3/25 - please let me know if you’re interested. I’ve written more than 6,000 PM, Cybersecurity, business strategy, SEO and related articles, ebooks, white papers and videos for clients and independent sites world wide and have been named “#1 Provider of Project Management Content in the World” so I have a good following and traffic to my content. Let’s make this a great feature! Thanks! |
Search this entire blog:
Authors:
Brad Egeland
Use code BRADCCPM for 10% off training
Archives
April 2019
|
RSS Feed
