Sunday, December 29, 2019

Chapter 1 Section 1 Risk Management of New Products, Technologies and User Behaviors

New products and new technologies will always be present, and they change the way that users behave and interact with older, present, and newer technology and products. From a security standpoint, it would make sense to stay with items that are stable and have been here for a while; there is always uncertainty when it comes to newer technologies and newer products. Are these companies here to stay, or will they go bust in a couple of years? While we can't stay away from using these new products and technologies, what we can do is analyze the risk that we are taking by adopting them.

Seemingly related is user behavior: users could be adopting new behaviors with the tools that are currently at their disposal. As an example, say a company has the Microsoft or Google office productivity suite, both of which include email and instant messaging capabilities. It is far more convenient to send someone an instant message than to send them an email; instant messaging applications are a swipe away, or even constantly running in the background or open on another screen. If users start relying on instant messaging and move away from the traditional email method of communication, this introduces another avenue of risk that must be analyzed. This is why user behavior should be monitored and analyzed: we must put ourselves in the shoes of the users so that we can anticipate how certain items of technology will be used. Once we have that information, we can use it to come up with training materials or even security policies.

Terms: Code Escrow

Code Escrow is, in essence, an arrangement in which a third party keeps the source code available in the event that the software vendor goes out of business and is no longer able to keep providing the product and/or support. Clauses in the contract decide when the code would be handed over to the customer.

New or Changing Business Practices/Strategies 

Not only do technology and products change with time, but the practices and strategies that businesses employ change as well. Those changes in processes and procedures pose a risk. Changes to these strategies and procedures need to go through a formal risk analysis process.

Partnerships are one reason that these practices and strategies change over time. Not only do businesses merge and create partnerships; at other times a demerger occurs, and once again practices and strategies must change.

TERM: A TCA, or third-party connection agreement, details the exact security measures that must be taken when handling data exchange between these companies. There are other business documents that touch on the subject of data exchange between entities. The expectation is that if there is any form of data exchange, a TCA or another similar type of document will be used.

Outsourcing

Outsourcing is nothing new and we have all heard of it; we need to treat outsourcing partners in a similar fashion to mergers. If data is being exchanged, we must ensure that all legal and regulatory requirements are fulfilled, not only while the data is on our servers and services but also while it is in the hands of our partners. Not only do we have to worry about the data while it is in the hands of the vendor that we contracted with, but we also need to verify whether they are using vendors to subcontract some of their duties.

When outsourcing, we need to keep in mind that if the vendor is in another country, we might not be able to do business with them because of the regulations that apply to the data. Take a country that has less stringent privacy rules: we might not want to do business in that country because of what they would be able to do with our data while it is in their hands.

Cloud: With AWS being here and GCP and Azure competing for business, it is difficult to outweigh the benefits that these platforms bring to the table. With the cloud as an option, there are different types of risks that we must analyze and understand. The cloud operators work on a shared responsibility model, which means that they will secure everything up to the point where you take over as a customer. We as the customer must secure what we build, configure and deploy. This means that we cannot blame the cloud provider for leaving a system unpatched, or for not password protecting a page.

If there are regulatory requirements that we must meet and we decide to go with a cloud or hosted solution, we must ensure that the vendor is able not only to comply but also to show that they are protecting our data as required.

These providers are huge, and they recycle/reuse resources throughout their customer base. Once I shut down a server, a different customer might be able to use the same CPU or the same hard drive sectors that I was previously using. This is dangerous because it would be possible to scrape data if the resources are not properly sanitized after we dispose of them.

Terms:

Private Cloud
Public Cloud
Hybrid Cloud

