Data Security & Privacy
Internal

Data or Information Security Basics

Data: Raw, unorganized facts that need to be processed.
Example: A day's temperature, humidity and wind speed, as recorded, are data.

Information: Data that has been processed, organized, structured or presented in a given context so as to make it useful.
Example: The percentage of days classified as cold or warm is information.

What is data or information security?

Data or information security is the protection of data or information assets from a wide range of threats, in order to safeguard business and personal interests by achieving:
• Confidentiality
• Integrity
• Availability

(Diagram: Data → Processing → Information)

In terms of security, data or information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.
Three Pillars of Data or Information Security

Confidentiality: The property that data or information is not made available or disclosed to unauthorized individuals, entities or processes.

Integrity: The property of safeguarding the accuracy and completeness of assets.

Availability: The property of being accessible and usable upon demand by an authorized entity.

Data or information can be: verbal, stored, processed, created, destroyed, lost/stolen or corrupted.
Understanding the basics

Assets: Any tangible or intangible thing or characteristic that has value to the organization.
Asset categories: software, information, people, services, hardware.

Threat: An unwanted incident which may cause harm to the system by exploiting the vulnerabilities in it.
Example: a hurricane.

Vulnerability: A weakness of an asset or group of assets that can be exploited by one or more threats.
Example: not having a disaster recovery plan in place, so that physical assets get damaged as a result of the hurricane.

Risk: Commonly defined as exposure to harm or loss resulting from breaches of or attacks on information systems.
Example: loss of data or information, and disruption to the business as a result.
Common Threats

DoS and DDoS Attack: A DoS attack aims to overwhelm the resources of a target system and cause it to stop functioning, denying access to its users. Distributed denial of service (DDoS) is a variant of DoS in which attackers compromise a large number of computers or other devices and use them in a coordinated attack against the target system.

Phishing Attack: Phishing is a technique by which cybercriminals craft emails to fool a target into taking some harmful action. The recipient might be tricked into downloading malware disguised as an important document, for instance, or urged to click on a link that takes them to a fake website where they will be asked for sensitive information like bank usernames and passwords.

Juice Jacking: Juice jacking is a type of cyber attack involving a charging port that doubles as a data connection, typically over USB. It often involves either installing malware on, or surreptitiously copying sensitive data from, a smartphone, tablet or other computing device.
How to Identify Phishing Emails

Phishing emails typically:

• Seem to be from legitimate companies like banks, internet service providers, credit card companies, etc.
• Are unsolicited (you didn't ask for it; they just sent it to you)
• Ask for things like usernames, passwords, account numbers, etc.
• Offer something seemingly valuable, like a prize or discount
• Use poor spelling and grammar
• Have strange email addresses or typos in the email address
• Have sensational or alarming subject lines
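
The indicators above can be turned into a simple triage script. The following is an added example, not part of the original deck: it parses a raw email with Python's standard library, flags a sender domain that is a lookalike of a trusted one (the TRUSTED_DOMAINS set and the sample messages are constructed for this example), a Reply-To that points somewhere else, urgent or threatening wording, requests for credentials, and links whose host imitates a trusted domain. The keyword lists are assumptions; a real deployment would tune them.

```python
"""Heuristic phishing triage for a raw email message (added example, constructed data)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Domains this organization legitimately receives mail from (assumed list for the example).
TRUSTED_DOMAINS = {"examplebank.com", "example.com"}

URGENCY_RE = re.compile(r"\b(urgent|immediately|suspended|verify|act now|within 24 hours)\b", re.I)
CREDENTIAL_RE = re.compile(r"\b(password|username|account number|ssn|credit card|login)\b", re.I)
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalikes such as exarnplebank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True if the domain is not trusted but is within two edits of, or embeds the
    brand name of, a trusted domain (e.g. examplebank.com.secure-login.net)."""
    if not domain or domain in TRUSTED_DOMAINS:
        return False
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if edit_distance(domain, trusted) <= 2 or brand in domain:
            return True
    return False


def sender_domain(header_value) -> str:
    """Domain part of an address header such as 'Example Bank <alerts@exarnplebank.com>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def plain_text(msg) -> str:
    """Concatenate the text/plain parts of the message (handles single and multipart)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw_message: str) -> dict:
    """Return a dict of indicator name -> evidence; an empty dict means nothing was flagged."""
    msg = message_from_string(raw_message)
    from_domain = sender_domain(msg.get("From"))
    reply_domain = sender_domain(msg.get("Reply-To"))
    text = f"{msg.get('Subject', '')}\n{plain_text(msg)}"

    found = {}
    if is_lookalike(from_domain):
        found["lookalike_sender"] = from_domain
    if reply_domain and reply_domain != from_domain:
        found["reply_to_mismatch"] = reply_domain
    urgent = URGENCY_RE.search(text)
    if urgent:
        found["urgent_tone"] = urgent.group(0)
    creds = CREDENTIAL_RE.search(text)
    if creds:
        found["asks_for_credentials"] = creds.group(0)
    hosts = [h.lower() for h in URL_HOST_RE.findall(text)]
    suspicious_hosts = [h for h in hosts if is_lookalike(h)]
    if suspicious_hosts:
        found["lookalike_links"] = suspicious_hosts
    return found


# Constructed sample messages; not real mail.
SAMPLE = """From: Example Bank Security <alerts@exarnplebank.com>
Reply-To: support@mail-secure-login.net
To: user@example.com
Subject: URGENT: your account will be suspended
Content-Type: text/plain; charset="utf-8"

Dear customer, verify your password within 24 hours at
http://examplebank.com.secure-login.net/verify or your account will be suspended.
"""

BENIGN = """From: Example Bank <statements@examplebank.com>
To: user@example.com
Subject: Your monthly statement is ready
Content-Type: text/plain; charset="utf-8"

Your statement for March is available in online banking. No action is needed.
"""

if __name__ == "__main__":
    for name, raw in (("SAMPLE", SAMPLE), ("BENIGN", BENIGN)):
        print(name, phishing_indicators(raw))
```

Each indicator on its own is weak (a real bank may well write "verify"), so the output is a list of evidence for a human or a scoring rule, not a verdict.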

Common Phishing Email Examples

Phishing: a seemingly trustworthy entity asks for sensitive information such as SSN, credit card numbers, login IDs or passwords via email.
Tips for Avoiding Phishing Scams

First, don't click on suspicious links in your email, especially in messages that ask for personal information. If you're not sure whether an email is legitimate, don't open it, and definitely don't click on its links.

If possible, contact the company or organization directly through a known and trusted channel before responding to any email asking for personal information.

Finally, pay attention to the tone and content of the email. Is it unusually urgent? Are there misspelled words? Is there an offer that seems too good to be true? If it seems "phishy", it probably is.
Malware
Any program or file that is harmful to a computer user.

Symptoms:
• Change to your browser homepage/start page
• Ending up on a strange site when conducting a search
• System-based firewall is turned off automatically
• Lots of network activity while you are not particularly active
• Excessive pop-up windows
• New icons, programs or favorites which you did not add
• Frequent firewall alerts about unknown programs trying to access the internet
• Poor system performance

Best practices:
• Use licensed software
• Keep the OS and software up to date
• Keep anti-virus / anti-malware up to date
• Apply security patches
• Be selective about web visits and app downloads
Ransomware
Ransomware is a form of malware designed to encrypt files on a device, rendering any files and systems that rely on them unusable. Malicious actors then demand a ransom in exchange for decryption.

Best practices:
• Back up your files, keep a copy offline (so ransomware that reaches the network cannot encrypt it too), and test that the backup can actually be restored
• Update your OS and scan your computer/device daily or weekly
• Use anti-virus software and update it frequently
• Scan thumb drives before accessing their contents
• Educate users
• Don't click unknown links or open attachments from unknown senders
• Don't connect to public or free Wi-Fi
• Don't install unauthorized software
Consequences of a Data Security Breach

Organization:
• Direct and indirect financial loss
• Competitive edge in the industry jeopardized
• Business disruption
• Damage to reputation
• Legal or regulatory penalty or fine
• Loss of market and customer confidence
• Loss of intellectual property
• Loss of customer and employee data

Individual:
• Breach of bank account or credit card information
• Legal ramifications
• Damage to reputation
• Compromise of personal information and credentials
• Financial loss
• Non-material damage
Data Security Strategy

Identify: Understand and document the cybersecurity risks to your data, systems, people and capabilities.

Protect: Implement appropriate security controls to protect your most critical assets against cyber threats.

Detect: Ensure you can quickly spot actions and events that could pose a risk to your data security.

Recover: Ensure you can quickly restore data and services impacted by a security incident.
How do organizations protect data?

Authentication: Multifactor authentication (MFA), biometrics or other methods.

Access control: Authenticated users should be able to access only the data and other IT resources they need to do their jobs.

Encryption: Encrypting sensitive information ensures that even if unauthorized access occurs, the data is unreadable.

Data erasure: When data is no longer needed, it should be deleted in a way that prevents its recovery.

Data masking: Data masking conceals specific data so that databases can be used for testing, analytical or other purposes without compromising data privacy.
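
The data masking item above is the one most often done badly (plain truncation or unkeyed hashing can be reversed). The following added example, not part of the original deck, masks a constructed customer table for a test database: identifiers are replaced with keyed HMAC pseudonyms so the same customer still joins across tables, card numbers keep only the last four digits, and mailbox names are hidden while domains are kept. The MASK_KEY value and the sample rows are assumptions made for the example.

```python
"""Keyed pseudonymization and partial masking of customer records (added example, constructed data)."""
import hashlib
import hmac
import re

# Assumed masking key. In a real deployment it comes from a secrets manager and never
# ships with the masked data set, otherwise the pseudonyms can be brute-forced offline.
MASK_KEY = b"example-masking-key-rotate-per-environment"


def pseudonymize(value: str, key: bytes = MASK_KEY) -> str:
    """Deterministic keyed token: equal inputs map to equal tokens, so joins between
    masked tables still work, but the token cannot be reversed without the key."""
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def mask_card(pan: str) -> str:
    """Keep only the last four digits of a card number (display-style masking)."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(address: str) -> str:
    """Hide the mailbox name but keep the domain, which analytics often needs."""
    local, _, domain = address.partition("@")
    if not domain:
        return "***"
    return f"{local[:1]}***@{domain}"


def mask_record(record: dict) -> dict:
    """Produce a copy of a customer row that is safe to load into a test database."""
    return {
        "customer_id": pseudonymize(record["customer_id"]),
        "email": mask_email(record["email"]),
        "card": mask_card(record["card"]),
        # Non-identifying columns are kept as-is so the data stays useful for testing.
        "city": record["city"],
        "spend": record["spend"],
    }


# Constructed sample rows; not real customer data.
CUSTOMERS = [
    {"customer_id": "C-1001", "email": "alice.smith@example.com",
     "card": "4111 1111 1111 1111", "city": "Lisbon", "spend": 120.50},
    {"customer_id": "C-1002", "email": "bob@example.org",
     "card": "5500-0000-0000-0004", "city": "Oslo", "spend": 89.99},
]
# The order refers to the first customer with different letter case; normalization handles it.
ORDERS = [{"order_id": 1, "customer_id": "c-1001", "amount": 40.0}]


def mask_dataset(customers=CUSTOMERS, orders=ORDERS):
    """Mask both tables with the same key so the customer_id join survives masking."""
    masked_customers = [mask_record(c) for c in customers]
    masked_orders = [dict(o, customer_id=pseudonymize(o["customer_id"])) for o in orders]
    return masked_customers, masked_orders


if __name__ == "__main__":
    masked_customers, masked_orders = mask_dataset()
    for row in masked_customers + masked_orders:
        print(row)
```

Pseudonymization is reversible for anyone holding the key and a list of candidate inputs, so the key must stay with production, not with the test data set; true erasure (the previous item) is a different control and is not what masking provides.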

Secure Password

• Make passwords easy to remember but hard to guess
• Must not contain the user's name, part of the user's name, or dictionary words
• Must not contain easily accessible or guessable personal information about the user or the user's family, such as birthdays, children's names or addresses
• Change passwords periodically, and immediately if you suspect one has been compromised
• Don't reuse recent passwords
• Use passphrases that are easy to remember (Ex: !T$miLE@JbJ); length matters more than symbol substitution, so a phrase of several words is stronger than a short string with symbols
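
The rules above are easy to state and easy to get wrong when enforced by hand, so here is an added example (not part of the original deck) of a checker that applies them: minimum length, no part of the username, no dictionary word, no personal details (including a year taken from a birthday), and no reuse of a recent password, with the history kept as salted PBKDF2 hashes rather than clear text. The COMMON_WORDS set is a tiny constructed stand-in for a real dictionary or breached-password list, and the users and passwords in the test are invented.

```python
"""Password policy checker for the rules on this slide (added example, constructed data)."""
import hashlib
import hmac
import os
import re

# Small constructed stand-in for a dictionary / common-password list.
COMMON_WORDS = {"password", "welcome", "summer", "winter", "dragon", "monkey", "football", "letmein"}


class PasswordPolicy:
    def __init__(self, min_length=12, dictionary=COMMON_WORDS, pbkdf2_rounds=100_000):
        self.min_length = min_length
        self.dictionary = {w.lower() for w in dictionary}
        self.rounds = pbkdf2_rounds

    def hash_password(self, password: str) -> str:
        """Salted PBKDF2 hash for the password history; old passwords are never stored in clear."""
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.rounds)
        return f"{salt.hex()}${digest.hex()}"

    def matches(self, password: str, stored: str) -> bool:
        """Constant-time comparison of a candidate against one stored history entry."""
        salt_hex, digest_hex = stored.split("$", 1)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), self.rounds)
        return hmac.compare_digest(digest.hex(), digest_hex)

    def violations(self, password, username, personal_info=(), previous_hashes=()):
        """Return a list of rule codes the password breaks; an empty list means it passes."""
        problems = []
        lowered = password.lower()
        squashed = re.sub(r"[^a-z0-9]", "", lowered)  # ignore separators like '-' or ' '

        if len(password) < self.min_length:
            problems.append("too_short")

        # Any part of the username (jane.doe -> jane, doe) appearing in the password.
        for part in re.split(r"[\W_]+", username.lower()):
            if len(part) >= 3 and part in lowered:
                problems.append("contains_username")
                break

        for word in sorted(self.dictionary):
            if len(word) >= 4 and word in lowered:
                problems.append(f"dictionary_word:{word}")

        # Personal details: the item itself (ignoring punctuation) or any year it contains.
        for item in personal_info:
            norm = re.sub(r"[^a-z0-9]", "", item.lower())
            years = re.findall(r"(?:19|20)\d{2}", item)
            if (len(norm) >= 4 and norm in squashed) or any(y in squashed for y in years):
                problems.append(f"personal_info:{item}")

        if any(self.matches(password, h) for h in previous_hashes):
            problems.append("reused_recent_password")
        return problems


if __name__ == "__main__":
    policy = PasswordPolicy()
    history = [policy.hash_password("Correct-Horse-Battery-Staple9")]
    print(policy.violations("Summer2024!", "jane.doe", ["Jane Doe", "1990-05-14", "Liam"], history))
```

Note that the dictionary rule and the passphrase advice pull in opposite directions: a long passphrase is made of dictionary words. The checker above only rejects words from a short common-password list, which is the intent of the rule, rather than every English word.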

What is Data Privacy?

Data privacy refers to the protection of sensitive information from unauthorized access, use, disclosure, alteration, or destruction. It encompasses the policies, procedures, and practices put in place to ensure that individuals have control over their personal data and that organizations handle it responsibly. This includes safeguarding data against various risks such as hacking, data breaches, identity theft, and unauthorized surveillance.

• Individuals should have the right to give or withhold consent for the collection, processing, and sharing of their personal data
• Organizations should be transparent about their data practices, including what data is collected, how it is used, and with whom it is shared
• Limiting data collection helps reduce the risk of unauthorized access and misuse
• Implement robust security measures to protect personal data from unauthorized access, misuse, or breaches
• Organizations are responsible for complying with data protection laws and regulations
Why is Data Privacy Important?

• Protection of Personal Information
• Ethical Data Practices
• Trust and Confidence
• Data-driven Innovation
• Legal and Regulatory Compliance
• Risk Mitigation
Data Privacy vs Data Security

Data Privacy: Refers to the proper handling of sensitive data, including when and how personal data can be collected and shared. It's about the ethical and responsible use of data.

Data Security: Focuses on protecting data from unauthorized access, theft, or corruption. It encompasses tools and practices like encryption, password management, and network monitoring.
Key takeaways – Do's

1 Sign off or lock your screen when you leave your desk
2 Use all information assets appropriately
3 Report any unknown or suspected security violations to appropriate management
4 Take the same care in protecting information even when you are travelling
5 Use good password protection
6 Only use organization email for business purposes
7 Keep your laptop in your possession at all times
8 Immediately remove all copies of information from fax machines, printers, meeting rooms, whiteboards, etc.
9 Be careful what you communicate verbally, over email, fax and mobile phones
10 Participate in organization information security awareness programs
Key takeaways – Don'ts

1 Do not leave the computer or laptop unattended or unsecured
2 Do not use information assets illegally
3 Do not access any resources without authorization
4 Do not disable any security controls
5 Do not access any information that you do not have a need to know
6 Do not use software unless it is required to perform your job
7 Do not share passwords; this is strictly prohibited
8 Do not make abusive, unethical or inappropriate use of the internet