<p>InfoSecExec.com: Random writings of an Information Security Executive in Chicago. I provide security leadership for various companies in the Chicagoland area.</p>
<p>Thomas Johnson, 2017-09-27</p>
<h2>A Data Classification Project</h2>
<div class="MsoNormal">
In another post, I mentioned that organizations without a data
classification standard and an associated policy will have a difficult time
implementing many information security controls, such as DLP and rights
management. Data classification can also
help with DR optimization, justify spend on technology, and may be a
cyber-insurance requirement. Since many security projects rely on proper
classification of data, we have seen an uptick in requests from clients for help
in this regard.</div>
<div class="MsoNormal">
<br /></div>
<h3>What does a Data Classification Project look like?</h3>
<div class="MsoNormal">
A Data Classification Project assesses an organization’s
digital assets to determine their criticality, sensitivity and privacy requirements, and
establishes a naming taxonomy for categorizing the data.<br />
<br />
A typical project consists of a series of
interviews, research, and tool-based discovery to establish the following
regarding the data:</div>
<ul>
<li>Location</li>
<li>Criticality to the organization (using the typical CIA Triad)</li>
<li>Regulations relevant to the data</li>
</ul>
<br />
While a full-blown Data Classification Exercise could fill a book, I'll attempt to condense it down in this post.<br />
<br />
<h3>Location of Data and its Risk</h3>
<div class="MsoNormal">
Interviews with business unit managers as well as the
technical staff are coupled with a tool-based discovery effort to identify all
of the repositories containing data.
The inventory starts with physical data containers such as hard
drives, SANs, NAS devices, cloud providers, etc., and ultimately identifies the files, databases and applications they hold.
Once there is a mapping of the data locations, we start to group
the data by the risk it poses to the organization.<br />
<br /></div>
<div class="MsoNormal">
The following table illustrates an example of the risk each discovered data element has to the organization and how it might be calculated:</div>
<div align="center">
<table border="1" cellpadding="4" cellspacing="0" style="border-collapse: collapse;">
<thead>
<tr>
<th>CIA pillar (threat scenario scored)</th>
<th>Data Element 1</th>
<th>Data Element 2</th>
<th>Data Element 3</th>
</tr>
</thead>
<tbody>
<tr>
<td><b>Confidentiality</b>: data leakage, theft, disclosure</td>
<td align="center">5</td>
<td align="center">2</td>
<td align="center">9</td>
</tr>
<tr>
<td><b>Integrity</b>: data compromise, manipulation</td>
<td align="center">5</td>
<td align="center">8</td>
<td align="center">8</td>
</tr>
<tr>
<td><b>Availability</b>: failure of system, comms, deletion</td>
<td align="center">2</td>
<td align="center">6</td>
<td align="center">5</td>
</tr>
<tr>
<td><b>Risk Score</b></td>
<td align="center"><b>4</b></td>
<td align="center"><b>5</b></td>
<td align="center"><b>7</b></td>
</tr>
</tbody>
</table>
</div>
<div class="MsoNormal">
<br /></div>
<h3>Data Labels and Classification</h3>
<div class="MsoNormal">
Once the data is identified and ranked, a naming taxonomy will
need to be decided upon. This is when <i>data labels</i> are used to mark data so
the appropriate controls can be applied – whether they are automatic or manual,
technical or otherwise. Most people have at least heard of one of the
federal government’s data labels, “Top Secret”: a very high level of
sensitivity of information, only allowed to be viewed by individuals with a
“Top Secret” or higher clearance.
The “Top Secret” designation is the data label, which is applied to
documents, emails, etc., and the classification is the understanding of what
information falls into this category. While
regulated entities such as healthcare and banking already have data protections
defined, an organization will still need to come up with a labeling
scheme. Carnegie Mellon University has a
great example of how their data is labeled and classified [1]:</div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
<b>Restricted Data</b> – Data
should be classified as Restricted when the unauthorized disclosure, alteration
or destruction of that data could cause a significant level of risk to the
University or its affiliates. Examples of Restricted data include data
protected by state or federal privacy regulations and data protected by
confidentiality agreements. The highest level of security controls should
be applied to Restricted data.</div>
<div class="MsoNormal" style="margin-left: .5in;">
<br />
<b>Private Data</b> – Data
should be classified as Private when the unauthorized disclosure, alteration or
destruction of that data could result in a moderate level of risk to the
University or its affiliates. By default, all Institutional Data that is
not explicitly classified as Restricted or Public data should be treated as
Private data. A reasonable level of security controls should be applied
to Private data.</div>
<div class="MsoNormal" style="margin-left: .5in;">
<br />
<b>Public Data</b> – Data
should be classified as Public when the unauthorized disclosure, alteration or
destruction of that data would result in little or no risk to the University
and its affiliates. Examples of Public data include press releases,
course information and research publications. While little or no controls
are required to protect the confidentiality of Public data, some level of
control is required to prevent unauthorized modification or destruction of
Public data.</div>
<div class="MsoNormal" style="margin-left: 2.25pt;">
<br /></div>
<div class="MsoNormal" style="margin-left: 2.25pt;">
Once a project like this is
completed, it becomes much easier to implement effective protective
controls on the appropriate data. I
usually find the exercise also sheds light on the sheer expanse of data an
organization maintains. When management
is given visibility into the amount of data, backed by numbers showing the risk
the data poses to the organization, decisions can be made and budgets can be
created to ensure the protection of data is appropriate.</div>
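<div class="MsoNormal">
The scoring and labeling steps described above, carried through in code as an added example. This is illustrative code written for this page, not the author's or any client's tooling. The post does not state how the Risk Score row of the table is computed; the block assumes each CIA pillar is scored 1 to 9 and takes the integer average of the three pillars, which happens to reproduce the table's totals of 4, 5 and 7. The label cut-offs, the repository locations and the regulation tags in the sample inventory are constructed for illustration, and the rule that regulated data is always Restricted follows the CMU example quoted above.
</div>

```python
"""Risk scoring and labeling for a data classification inventory.

Example code added to illustrate the post; it is not the author's tooling.
Assumptions not stated on the page: each CIA pillar is scored 1-9, the
risk score is the integer (floor) average of the three pillar scores, and
the score-to-label cut-offs are illustrative values chosen to map onto the
three CMU tiers (Restricted / Private / Public) quoted in the post.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DataElement:
    """One discovered data element and its interview/discovery findings."""
    name: str
    location: str                       # repository the discovery effort found it in
    confidentiality: int                # impact of data leakage, theft, disclosure
    integrity: int                      # impact of data compromise, manipulation
    availability: int                   # impact of system failure, comms loss, deletion
    regulations: Tuple[str, ...] = ()   # regulations relevant to the data


def risk_score(element: DataElement) -> int:
    """Assumed formula: floor of the mean of the three pillar scores.

    Applied to the post's three example columns (5/5/2, 2/8/6, 9/8/5) this
    reproduces the table's totals of 4, 5 and 7.
    """
    pillars = (element.confidentiality, element.integrity, element.availability)
    for value in pillars:
        if not 1 <= value <= 9:
            raise ValueError(f"{element.name}: pillar score {value} outside 1-9")
    return sum(pillars) // 3


# Assumed score thresholds for the three CMU tiers quoted in the post.
LABEL_THRESHOLDS: Tuple[Tuple[int, str], ...] = (
    (7, "Restricted"),  # significant risk: highest level of controls
    (4, "Private"),     # moderate risk: reasonable controls, and the default tier
    (0, "Public"),      # little or no risk: protect integrity/availability only
)


def data_label(score: int, regulated: bool = False) -> str:
    """Map a risk score to a data label.

    Regulated data is labeled Restricted regardless of score, following the
    CMU example that data protected by privacy regulations is Restricted.
    """
    if regulated:
        return "Restricted"
    for threshold, label in LABEL_THRESHOLDS:
        if score >= threshold:
            return label
    return "Private"  # CMU default for anything not explicitly classified


def classify(elements: List[DataElement]) -> List[Tuple[str, str, int, str]]:
    """Return (name, location, risk score, label) for each element."""
    rows = []
    for element in elements:
        score = risk_score(element)
        label = data_label(score, regulated=bool(element.regulations))
        rows.append((element.name, element.location, score, label))
    return rows


def summarize(rows: List[Tuple[str, str, int, str]]) -> Dict[str, int]:
    """Count elements per label: the 'expanse of data' view for management."""
    counts: Dict[str, int] = {}
    for _, _, _, label in rows:
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample inventory: the three columns from the post's table plus
# one regulated element; locations and regulation tags are made up.
SAMPLE_INVENTORY = [
    DataElement("Data Element 1", "departmental file share", 5, 5, 2),
    DataElement("Data Element 2", "ERP database", 2, 8, 6),
    DataElement("Data Element 3", "cloud document store", 9, 8, 5),
    DataElement("Data Element 4", "HR system", 3, 3, 3, regulations=("HIPAA",)),
]

if __name__ == "__main__":
    for name, location, score, label in classify(SAMPLE_INVENTORY):
        print(f"{name:<15} {location:<25} risk={score} label={label}")
    print(summarize(classify(SAMPLE_INVENTORY)))
```

Running the block prints one row per element and the per-label counts; the fourth element shows the regulatory override, since a score of 3 would otherwise land in Public.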
<br />
[1] <a href="http://www.cmu.edu/iso/governance/guidelines/data-classification.html">http://www.cmu.edu/iso/governance/guidelines/data-classification.html</a><br />
<div class="MsoNormal" style="margin-left: 2.25pt;">
<br /></div>
<p>Thomas Johnson, 2017-08-04</p>
<h2>Starting the Azure Information Protection Conversation</h2>
While Azure Information Protection (AIP) may not be the most popular product in the EM+S product suite offered by Microsoft, it is certainly gaining ground because of its ability to track and control the movement of confidential and sensitive information both within and outside an organization. Many organizations own EMS E3 or E5, which come with AIP, thus giving them the ability to manage the rights of documents and email, but the majority of them aren’t using this technology.<br />
<br />
Demonstrations of AIP’s technology are amazing, and it’s exciting to see the possibilities with tight control over organizational data. In the haste to turn on the technology, however, many AIP implementations stall, fail or just don’t get utilized. Why? It’s simple – the business conversations get bypassed.<br />
<br />
Introducing rights management concepts and capabilities that AIP brings to an organization is a challenge because of the prerequisites necessary before getting started with AIP – namely Data Classification and Data Labeling. Since conversations surrounding these two areas are business oriented, communication tends to break down because IT is focused on the technology, and there is nobody to broker the conversation with the business.<br />
<br />
Since data classification and data labeling are two keys to understanding how AIP will be architected, let’s take a look at how these conversations set the stage for making an AIP roll-out as smooth as possible.<br />
<br />
<h3>Data Classification and Data Labels</h3>
When I think of data classification, I think of one of the federal government’s highest classification schemes – Top Secret. Most people have at least heard this phrase or have seen references to it in the movies. Do you know what Top Secret means? You likely have a really good idea – it’s a very high level of sensitivity of information, only allowed to be viewed by individuals with a “Top Secret” or higher clearance. The “Top Secret” designation is the data label, which is applied to documents, emails, etc., and the classification is the understanding of what information falls into this category. Regulated entities typically have classification schemes already defined. Healthcare has PHI (Protected Health Information) and banks have NPI (Non-Public Information). Each of these labels has regulations and standards defining what falls within the classification and how to handle the data.<br />
<br />
Another good example of classification is “Internal Use Only”. The classification indicates that documents with this label are to only be used internally and viewed by individuals within the organization.<br />
<br />
I’ve been involved in many data classification projects with my clients, where we help them determine sensitivity of a particular data set and what protections should be placed on them. Most regulated organizations understand what data classification is, but even unregulated companies have an understanding of what data constitutes the “crown jewels” and we likely know where it resides. This is certainly a prerequisite for an AIP implementation.
<br />
<br />
In a typical AIP alignment workshop, the workflow looks as follows:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiN51cOOaTfJu-3NArN7YcU_U8-vH01r8aJ0pT_YEm7Y9j_3fS5ckjTZuXQ4jAT-vc6mNEu15SnznvzZTzY0f6NW_hVXkiYi7EhFaqqZDPds5MxKF6aywTY9Pi0rP76-rMzeSqrPAJqMkU/s1600/AIP1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="323" data-original-width="539" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiN51cOOaTfJu-3NArN7YcU_U8-vH01r8aJ0pT_YEm7Y9j_3fS5ckjTZuXQ4jAT-vc6mNEu15SnznvzZTzY0f6NW_hVXkiYi7EhFaqqZDPds5MxKF6aywTY9Pi0rP76-rMzeSqrPAJqMkU/s400/AIP1.png" width="400" /></a></div>
<br />
Within this workflow, we start by looking at any existing corporate data classification methodologies currently in place. We can either discover this by doing a data analysis and strategy session with management, or it can start by exploring the regulatory requirements placed on the organization. As pointed out earlier, most regulated organizations have data classification standards already defined, but, as we will see, some of them may need to be enhanced and there may be cases for adding additional labels.<br />
<br />
The next step is to look at the controls AIP can place on documents, email, SharePoint and OneDrive repositories. As we explore the AIP control-set, there will inevitably be additional ideas on how information can be protected. Here is a breakout of possible controls within AIP:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPdAgPTHpqiCdElEfxXwO1JcCN8nyGDYG2gHaccTz7OG9DXn4_aix2yXNOfTuaHQe-3bcWsvy99PSmE5RGHaxWSEATLwmzjlMyFNDbry5bCR1mvI7eQVMLvbd90sXNdMAmTTN_oV5GjFQ/s1600/AIP2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="403" data-original-width="618" height="260" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPdAgPTHpqiCdElEfxXwO1JcCN8nyGDYG2gHaccTz7OG9DXn4_aix2yXNOfTuaHQe-3bcWsvy99PSmE5RGHaxWSEATLwmzjlMyFNDbry5bCR1mvI7eQVMLvbd90sXNdMAmTTN_oV5GjFQ/s400/AIP2.png" width="400" /></a></div>
<br />
<br />
<br />
A common question we are asked on projects like this is what to do with all of the other controls we already have over data, and how they will be used as a complementary control-set or as back-stop controls.
Once AIP is implemented with the data labeling and categorization defined, there will never be 100% adoption unless you are on the P2 licensing, where you can automate the classification and labeling of documents meeting certain criteria. With the P1 license, you will be relying on the user population to take the necessary steps to label each of their emails and files accordingly. This supports the need to keep many of the backstop controls listed below in place:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNnxw_HJLRp6oY-ZsaFNaPN4boTstaDONZ11Hs0M5_wrSNHZrNE-rTMXCwID6Rn36hqz6A_SgZqKrmR_-KeF_CzCupL3K1Oyd0Rs3ugHb0x91n7HNbuZkbCP_bf8b9oRcr17wL9fHN8lk/s1600/AIP3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="347" data-original-width="729" height="190" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNnxw_HJLRp6oY-ZsaFNaPN4boTstaDONZ11Hs0M5_wrSNHZrNE-rTMXCwID6Rn36hqz6A_SgZqKrmR_-KeF_CzCupL3K1Oyd0Rs3ugHb0x91n7HNbuZkbCP_bf8b9oRcr17wL9fHN8lk/s400/AIP3.png" width="400" /></a></div>
<br />
Implementing AIP is not as easy as flipping the switch. A real AIP project will consist of pre-implementation planning and road-mapping. AIP is usually piloted at an organization, and training for the new capabilities is essential for the project to be a success. If you are thinking about AIP, or other components of the EM+S product suite, let me know how I can help!<br />
<br />
Thomas Johnson, published 2017-05-01<br />
<h1>Migrating email to the cloud as a security strategy</h1>
I feel like this article was actually written about 5 years ago, but there are still many organizations that aren’t leveraging a security-rich cloud-based email system such as Office 365. Let’s face it, notwithstanding hard-dollar cost reduction, rarely is there a business need to switch email systems or email providers. Migrating email to the cloud is no different – unless the cloud has a compelling story.
<BR><Br>
In the recent past, I have found it consistently difficult to find financial justification for moving email services to the cloud. Many times, it is hard to prove that the investment will pay off, and quite often it ends up simply being more expensive. While soft costs should be considered, many small businesses don’t put as much weight on soft costs as they do on hard-dollar savings, so gaining any traction on these types of projects is tough.
<BR><BR>
Why, then, should we be considering such a move? Risk reduction!<BR>
<BR>
I have seen many implementations of email systems - they typically consist of a cluster of servers with a disk array attached. Redundancy is accomplished with a combination of application features and tool-based replication... and don’t forget about backup. Disk-to-disk and tape still exist to supplement grandfathered retention requirements. Add on the need for eDiscovery and true mailbox archiving, and you have yourself quite a robust system that likely grew incrementally over the years. Considering the already large footprint of your typical email system, we haven’t even started discussing email encryption, data loss protection, mobile access, storage sprawl, and the various spam and malware mitigations that are attached to most systems. When it comes right down to it, the on-premises email eco-system is huge, has a lot of moving parts and is difficult to manage, which makes it clear that it poses a major risk to the organization.
<BR><BR>Many IT folks still running in-house email systems might call it heresy to suggest that we should entertain a cloud-based strategy to enhance security and reduce risk, but when you take an objective look at the email mess that exists in many organizations, it only makes sense.
<BR><BR>
Cloud advocates like to tout the many benefits of the cloud, whether it be the elastic nature of cloud services or the availability of immense computing power at your fingertips, but lately it’s becoming a conversation of capability and simplicity – two very important components of a security strategy.<BR><BR>
Some of my duties as a consultant have me tasked with running cost/benefit analyses, forecasting spend and justifying capital expenditures. As cloud technologies continued to mature, it became clear that many features offered in cloud-based email services are either not available with in-house email, or would add cost and complexity to an already complex environment.
<BR><BR>
Here are some examples of what can be accomplished (or consolidated) with Office 365 and Microsoft’s offering in Azure:
<ul>
<li>Self-Service Password Reset</li>
<li>Data Loss Protection (DLP)</li>
<li>Mobile Device Management (MDM)</li>
<li>Email Encryption</li>
<li>Multi-factor Authentication (MFA)</li>
<li>Archiving, eDiscovery &amp; Retention</li>
<li>Rights Management (RMS)</li>
</ul>
<BR><BR>
How many of the technologies above do you have in your on-premises email deployment? How many vendors does this represent?
<BR><BR>
Don’t get me wrong, cloud-based offerings aren’t for everyone. Like any initiative, a healthy risk-based review should be incorporated into any potential project or corporate initiative. There are also challenges with cloud and hybrid environments, but understanding these challenges and exploring the opportunities (reducing risk by reducing complexity, taking advantage of advanced security solutions and consolidating vendors) will likely lead you toward identifying cloud-based email, such as Office 365, as a great approach for your organization.
<br />
Thomas Johnson, published 2017-03-17<br />
<h1>Manufacturing meets Security</h1>
<span style="font-family: Arial, Helvetica, sans-serif;">If you are a government defense contractor and you receive controlled unclassified information, you must comply with NIST SP800-171.<br /><br />In April of 2015, NIST published the first public draft of something called SP800-171, which describes requirements for protecting controlled unclassified information on non-federal information systems and organizations. The government also published a regulation (DFARS 252.204-7012) that states that any entity that collects, develops, receives, transmits, uses, or stores defense information in support of a government contract must abide by the guidance in SP800-171 – with a compliance deadline of December 2017. That’s right around the corner!<br /><br /><i><b>What does all of this mean?</b></i><br /><br />There are 14 categories of compliance and each one has numerous objectives that must be achieved. This means that there are various processes, procedures and probably systems that you will have to implement to achieve compliance with this mandate. There is a lot of guidance on the internet on how to comply, but much of this information is obscure and difficult to read. Putting together a game plan for compliance can be a daunting task – especially if you don’t know how to comply with items such as performing a risk assessment or creating a vulnerability program.<br /><br />Let me know if I can help - I'm continually working with organizations that have compliance challenges and helping put together strategies for understanding where the gaps are and executing projects to close those gaps.</span>
<br />
Thomas Johnson, published 2017-03-01<br />
<h1>Examinations focusing on Cyber for brokerage and securities firms</h1>
<div class="MsoNormal">
The banking industry has traditionally been the poster child
of regulation. I’ve been dealing with federal and state regulators since I
started in the industry back in the early 90s. I can remember one of my
first “IT Examinations” back in 1995; the examiners at the time were more
interested in getting up to speed on the rapidly evolving technology than they
were in being able to provide direction to the bank. Those days are
definitely over, and many very talented and skilled examiners now exist at every
agency that regulates banking.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Reviews of technical controls back then may have been a bit
of a joke, but nowadays it’s no laughing matter, which is evident in the
ramping up of cyber-security examinations by the body that regulates brokerage
and securities firms – the OCIE. While the OCIE has always been in place
as an examining body of the SEC, the effort spent on IT was marginal at best.
That is about to change.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Last year around this time, the OCIE came out with a Risk
Alert that stated that they were going to be focusing their efforts on
cyber-security and published a document that illustrates what they will be
looking for (<a href="http://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf" target="_blank">https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf</a>).
Additionally, the SEC came out with a document illustrating their Examination
Priorities for 2017. (<a href="http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2017.pdf" target="_blank">https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2017.pdf</a>)<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Glancing through the appendix of the first document, the
traditional banker wouldn’t bat an eye, but if you are a small securities firm,
this is something that will likely give you pause. It discusses such
topics as periodic assessments, vulnerability scans, and policies. These
are not typically a problem and can be put in place rather quickly, but what
about nebulous areas like data mapping, data classification, risk management,
vendor management and incident response? That’s a heavy weight on the shoulders
of a small IT staff – especially if most of those terms are unfamiliar!<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The company I work for can help you put together a strategy
for understanding where the gaps are and executing the project to close those
gaps. Compliance initiatives are something we work with continually across
many industries. Contact me for more information or if I can help in any
way.<o:p></o:p></div>
<br />
<div class="MsoNormal">
<br /></div>
<br />
Thomas Johnson, published 2017-02-22<br />
<h1>So, you want to be a consultant?</h1>
If you had told me that I would eventually become a consultant, I wouldn't have believed you. For years, I have been known as a banker. I started out working in a bank when I was just 16 years old and have been involved in various aspects of technology, security and compliance within banking ever since.<br />
<div>
<br />
... that is, ever since I quit back in 2012!</div>
<div>
<br />
That's right, I left the banking industry and went into consulting. <br />
<br /></div>
<div>
It's been my experience that most individuals go into consulting in pursuit of experience, eventually moving to the enterprise space. The move I made was quite the opposite. I had a successful career in technology and security and was looking for a change. Most banks had emerged from the banking crisis, but the one I was working for was continuing to struggle. </div>
<div>
<br /></div>
<div>
In the spring of 2012, I started in consulting and I never looked back. Quite frankly, it's hard to believe it's been 5 years already (as of this writing).</div>
<div>
<br /></div>
<div>
Since I've been in consulting, many folks have asked me how I feel about it. In the vast majority of those conversations, people are intrigued by my move into consulting and are considering it for themselves, which ultimately leads to the question: How do you like it?</div>
<div>
<br /></div>
<div>
As with anything, there are pros and cons, so I took a moment to jot down some of them. I'll add to the list as I think of more, but for the most part, I think I have them all covered. Thankfully, the pros outweigh the cons in my mind by a long shot. Keep in mind that this has been my experience working at only two small consulting firms in Chicago. Also note, I didn't include points that are firm-specific, like expense accounts, or larger issues such as travel. I kept it focused on the pros and cons of the actual practice of consulting versus enterprise. Finally, understand that I am a pure consultant. I am not a managing director or another higher-level role that has responsibility for revenue - I'm on the execution side.</div>
<div>
<br /></div>
<div>
<b>Pros</b></div>
<div>
<ul>
<li><b>Expanded Network</b> - While I was in banking, I made a lot of contacts - so I thought. I was locked in to the small world that I knew - and I didn't realize it. Once I moved into consulting, I worked with so many companies in various verticals, my network grew 10-fold in just a few years.</li>
<li><b>Diversification</b> - Working at the bank, I knew just about everything about everything in banking - specifically related to the bank I worked at. Looking back, I was really a one-trick-pony. In consulting, I am working with health care, manufacturing, professional services organizations... the list goes on. Learning how various industries function has enriched my understanding of the realm of IT, InfoSec and compliance. </li>
<li><b>Learning opportunities</b> - I'm not talking about training, I am talking about learning about how different industries work! Similar to diversification, I am gaining quite an understanding of how companies interpret regulation, how it's applied, and the multitude of technologies in use out there. Sometimes I feel like I've touched it all - then we get a new client with a different flavor of technology, process and procedures.</li>
<li><b>Politics</b> - If you don't like the people you work with, you're pretty much stuck with them until they quit... or you do. In consulting, you know that all projects have a timeline - that is an oddly comforting metric. Don't get me wrong, there are certainly politics that need to be dealt with internally, but if you are typically client facing, these issues aren't as much of a big deal. </li>
<li><b>Budget</b> - I remember the days of not being able to move initiatives forward because of no budget. Not any more! If the client doesn't have budget, we move on to the next client. Granted, there are plenty of engagements that I work on where we try to help the client meet certain budget benchmarks, but it's nice not to be fully responsible. Conversely - see "Budget" in the "cons" section.</li>
<li><b>Helping</b> - Let's face it, most of the time you are being called in to help. You are wanted. It feels good to help people and this is probably my biggest "pro". It's hard to get this feeling while being a cost center to an internal IT or InfoSec department.</li>
<li><b>Profit center</b> - Speaking of cost center - You are now a profit center for your company - you are a valuable asset. IT and InfoSec is typically a cost center. While the IT and InfoSec folks in the enterprise have a lot of value and are often underrated, the business still looks at them as a liability.</li>
<li><b>Sales/Account Managers</b> - These folks are responsible for bringing revenue to the company, and there are challenges with that as you will see in the "cons" section below. The best part about their role is that they have to clean up complication, discuss overages, and all of the many sticky situations that may come up. They have a tough job in this respect and I am glad I don't have to do it.</li>
</ul>
<b>Cons</b></div>
<div>
<ul>
<li><b>Ownership</b> - As a consultant, for the most part, you will be brought in to solve part of a puzzle, or to document a road map or strategy for doing so. Most of the time, you will never see this fully play out. It's hard putting a lot of effort into a game plan, strategy or road map and not seeing how it all works out in the end. Your sense of ownership will be missing and will need to be filled in other ways.</li>
<li><b>Disposable </b>- I've done some of my best work as a consultant. I've worked for hours on a client deliverable to make sure it is perfect only to realize that it won't be executed on. There are times where you may get pulled from an engagement by a client - They either lost funding, or something else happened. They can pull the plug on a consulting engagement at any moment. I remember one engagement - I was doing security leadership work at a medical center and making major progress on a number of initiatives when they hired a new medical director. We were pulled in favor of another consulting group that was close with the new director.</li>
<li><b>You have to be "ON" </b>- Sure, there are moments where you get a break or are between engagements, but for the most part, you need to be studied up on the latest stuff, and have to be able to talk about it with authority. If you are not able to deliver information with strength or don't exude confidence, you will fail as a consultant. While there is certainly room for the occasional "let me check on that", by and large, if you are called in as the expert, you need to have the answers. This is pressure some aren't ready for. Imagine being called into the board room every day to explain something / your position / etc. That may be an extreme example, but it's not far from the truth. This goes for pre-sales motions as well as actual consulting.</li>
<li><b>Going in cold </b>- You have to go into an environment - some of them quite complex - and quickly slice and dice your way through the information being thrown at you. You will often be required to make decisions quickly on that information and start executing on that plan. Some people thrive on this, some are intimidated and can't operate in this manner.</li>
<li><b>Budget</b> - There are times when a project gets scoped incorrectly. Sometimes projects are just a complete disaster and the client holds your feet to the fire to get the project done in the budgeted time. These are difficult situations that you will be in the middle of. You just have to try to make lemonade with lemons and do what you can without risking your reputation. </li>
<li><b>Tracking Time - </b>You are a billable resource. You will be required to track your time - every day. Sometimes this feels like being micromanaged, but if you look at it - the only way to get paid is to send an invoice that has your time and notes attached. It's a necessary evil. If you have ever worked with a lawyer and got a bill from them - time tracking for a consultant is the exact same thing. The up-side to this is that management never asks what you are up to and in reality, you aren't micromanaged. Reports fly by my manager's desk and if he sees anyone that is below a certain percentage of billing, that's when conversations happen - those conversations typically happen with the Project Managers and Sales Staff.</li>
<li><b>Sales folks</b> - You will come to realize that most sales people are great folks. Your observations from outside the consulting practice will also be confirmed: they are driven to make sales - that is their number one objective. It may be accomplished in any number of ways, and some of these ways may not mesh with how you think the client should be approached. In some cases, you may even have to do some "clean up" because of a poorly sold solution. </li>
</ul>
</div>
<br />
Thomas Johnson, published 2017-02-09
<h1>
Ransomware – Should I pay?<o:p></o:p></h1>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The “right” answer is – No, you shouldn’t pay the
ransom. This is similar to the stance the government takes when dealing
with hostages. In principle, not paying the ransom defuses the whole process
– the bad guys don’t get funded and the effort is for nothing.<o:p></o:p></div>
<div class="MsoNormal">
<span class="MsoIntenseEmphasis"><i><span style="color: #0b5394;"><br /></span></i></span></div>
<div class="MsoNormal">
<span class="MsoIntenseEmphasis"><i><span style="color: #0b5394;">… but, does it ever make
sense to pay the ransom? </span></i><o:p></o:p></span></div>
<div class="MsoNormal">
Consider this - I just read an article by Armor (<a href="http://www.armor.com/resources/ransomware-service-fuels-explosive-growth/" target="_blank"><span style="color: windowtext; text-decoration: none; text-underline: none;">https://www.armor.com/resources/ransomware-service-fuels-explosive-growth/</span></a>)
that said the average ransomware demand is about $679. Depending on the
size of the company, downtime, and number of employees affected, recovering
from a ransomware attack could easily take a day. We need to ask
ourselves, does the cost in time, effort, loss of productivity, and possible
loss of work for a day exceed the ransom demand? At a low, low price of $679, <i>it may</i> be a no-brainer.</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
While it is great to take a stand and not let the hackers
get away with this, it is ultimately a business decision – one that <i>may </i>make sense.<o:p></o:p></div>
<div class="MsoNormal">
<span class="MsoIntenseEmphasis"><i><span style="color: #0b5394;"><br /></span></i></span></div>
<div class="MsoNormal">
<span class="MsoIntenseEmphasis"><i><span style="color: #0b5394;">What if they don’t give you the
unlock key? </span></i><o:p></o:p></span></div>
<div class="MsoNormal">
Depending upon the ransom demand, the decision to give it a
try may be relatively simple, but you must decide whether the roll of the dice
is worth it. <o:p></o:p></div>
<div class="MsoNormal">
I'm willing to bet they will give up the key. Why?
Because if hackers get a reputation for not producing the key, guess what –
nobody is going to pay the ransom demand and the hackers aren’t going to like
that very much. They want to keep this party going for as long as possible!<o:p></o:p></div>
<div class="MsoNormal">
In short, you need to make a business decision. If the
dollar figure is small enough - pay the demand, chalk it up as payment for a
lesson learned, and tighten up your organization. The amount of money
required to restore operations and the cost of downtime may easily exceed the
dollar figure for the ransom. Not sure if you have all of the correct
security implementations in place? Do you know how Bitcoin works? Do
you have a game plan for when it happens? I work for a great company that
can help you with that.<o:p></o:p></div>
<br />
<div class="MsoNormal">
<br /></div>
Thomas Johnson, published 2017-01-10<br />
<h1>Disaster Recovery - Is that the same as Business Continuity?</h1>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;">IT departments across the globe discuss Disaster Recovery
all the time: what happens when a system
goes down, how fast can we get it back up and running, and how do we handle the
data?<o:p></o:p></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b><br /></b></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Technology - is that all we need to worry about?</b></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;">The answer is no, there is a lot more. What about the other aspects of recovering the business? Recently, it appears that Business Continuity Planning is
getting the spotlight, especially since IT systems are getting more resilient
and the ability for workers to access systems outside of the office is becoming
commonplace – IT is no longer the biggest problem when it comes to planning for
contingencies.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Disaster Recovery & Business Continuity Planning</b></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;">The way I approach Disaster Recovery and Business Continuity
Planning is to look closely at the following:<o:p></o:p></span></div>
<ul>
<li>People</li>
<li>Process</li>
<li>Data</li>
<li>Technology</li>
<li>Facility</li>
</ul>
<br />
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;">As you can probably guess, “Data” and “Technology” are likely
covered in the DR plan that the technical folks are writing, but what about the
rest? Those are part of the Business Continuity Plan.</span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Typically, DR and Business Continuity fall on the shoulders
of the IT department, which is not necessarily appropriate. If we dissect the remaining categories from
above, it becomes clear why this is really a business problem:<o:p></o:p></span></div>
<ul>
<li>People – What individuals are necessary to keep the business running? This isn’t referring to the technical staff that keeps the systems up and running; it has to do with the folks actually doing the work to process payroll, input payables, service the customers, etc.</li>
<li>Process – What are the employees going to do? Do they know how to do their job when operating remotely? Or with limited resources?</li>
<li>Facility – Where are our employees going to go? Can you fit all the employees required to perform a job function at the location you picked out? Do you have a location picked out? Can people work from home?</li>
</ul>
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">This is just a little insight on how I approach Disaster Recovery and Business Continuity Planning.</span><br />
<span style="color: rgba(0 , 0 , 0 , 0.701961); font-family: "arial" , "helvetica" , sans-serif; font-size: 11pt; text-indent: -0.25in;"><br /></span>
<br />
<div style="text-indent: 0px;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: x-small;">(As published on LinkedIn)</span></div>
<br />
Thomas Johnson, published 2016-09-14<br />
<h1>Email encryption? Who really cares!</h1>
<div dir="ltr">
So, I finally took advantage of the low mortgage rates I've seen advertised all over the place and refinanced my house. I was excited! The bank I applied for the mortgage through was able to do just about everything online, using a combination of Adobe PDF delivery mechanisms and a portal to upload documents required for the mortgage. </div>
<div dir="ltr">
<br /></div>
<div dir="ltr">
In typical fashion, something broke with their portal and I needed to send one last document to the bank. My options were to either drop it off at the local branch or send it to them via email.</div>
<div dir="ltr">
<br /></div>
<div dir="ltr">
As it is, with my job, I have many tools at my disposal in order to send messages encrypted through email, but I decided that I really didn't want to use any of our systems at work since I like to maintain a separation between personal business and work.</div>
<div dir="ltr">
<br /></div>
<div dir="ltr">
Hmm, what should I use within my personal email account to encrypt this stuff? Should I zip it and password protect the file? That sounded like a good idea, but then I started to think of the risk involved with me just sending the stupid PDF. Do I really care? I mean, what could happen? Is there a chance that some hackers are just standing by at Comcast headquarters with a port on one of the switches mirrored, looking for stuff coming off of the residential backbone? I guess it's possible, but what are the chances? Are we really going overboard with this email encryption stuff? Do we REALLY need it?</div>
<div dir="ltr">
<br /></div>
<div dir="ltr">
Unfortunately, in reality, the answer is yes... We do need it. The biggest problem is that you don't know what's happening between the two endpoints. You can't put your faith in a gut feeling that there won't be any evil happening once the data hits the Internet, or that the infrastructure is somehow too big or obscure enough to prevent the capture of your "one in a billion" packets that pass through in a nanosecond. Since you have no control over, or visibility into, what happens between the originator and the receiver, you just can't take that chance with sensitive data assets.</div>
<div dir="ltr">
<br /></div>
<div dir="ltr">
I teach at a college here in Chicago and one of the assignments I have the students in my Information Security course complete is research on something called Room 641A. Google it... You'll have fun.<br />
<br />
(As posted on LinkedIN)</div>
Thomas Johnsonhttp://www.blogger.com/profile/14858551872104879594noreply@blogger.com0tag:blogger.com,1999:blog-1524151480636426284.post-24237345080473862902016-09-01T10:13:00.003-05:002016-09-14T22:22:30.855-05:00Data Classification - Who needs it?As an information security practitioner, there are times when you look at the security landscape for your organization and think, wow, there are definitely some areas we can improve on. Many of these areas are not necessarily easy to tackle and execution may even seem impossible!<br />
<br />
One thing I had always struggled with when working in banking was data classification. We did have data classification defined, to an extent, but it was really basic and didn't allow us to make real decisions on investing in technology and security controls. The bulk of what we really needed to protect was customer information, but was that good enough?<br />
<br />
In banking there is a defined segment of data that needs protection – customer data. Putting forth the minimum required effort from a compliance standpoint is really a shortsighted view of a larger data classification need, because there are so many other groups of data that fit into a grey area. In this grey area live large quantities of private information, such as the information that human resources maintains on our employees (salary, health care info, etc.), information relating to mergers and acquisitions, employee lists, schedules, bank access codes, combinations to vaults, minimum cash limits… The list goes on.<br />
<br />
How do we classify the sensitivity of this data? It certainly doesn’t fall into the larger category of customer information, but it definitely needs to be protected from exposure. What’s more, this inadequacy will start to expose itself when looking at initiatives such as DLP, rights management, DR optimization, justifying spend on technology, and now – cyber-insurance requirements.<br />
<br />
Take the time to look at how you are classifying data, what types of data labels you are using, and how data classification feeds into larger initiatives. You may be surprised at how many areas this touches and how it may help with some of the initiatives listed above.<br />
<br />
If you need help understanding how Data Classification can help you, or if you are in need of building out a more comprehensive Data Classification scheme, let me know.<br />
<br />
(as posted on LinkedIn)Thomas Johnsonhttp://www.blogger.com/profile/14858551872104879594noreply@blogger.com0tag:blogger.com,1999:blog-1524151480636426284.post-28920378953831901942015-03-01T10:19:00.000-06:002016-09-01T10:20:47.429-05:00Bankers - Cloud Apprehension?Lately, I've been talking to a lot of banks about Office 365, but there is still fear and apprehension in the banking industry about the "cloud". It has long been held in the banking industry that the cloud is bad and I, myself, have also held that same stance on public cloud services in general.<br />
<br />
One day last week, I was performing SSAE16 reviews of critical vendors for a financial institution and I realized something: Their core service provider is essentially a cloud offering.<br />
<br />
Some may scoff at this idea, but take a closer look:<br />
<br />
<ul>
<li>You are on a shared system – Shared disk, processor, memory (Unless you are a large bank)</li>
<li>You rely on third-party audits (and possibly site visits) to validate controls</li>
<li>You receive an SSAE16 SOC1 – Type II report from them</li>
<li>There is no on premises equipment</li>
<li>Telecom circuits are relied upon for availability</li>
<li>You don't really know exactly what is going on behind the scenes</li>
</ul>
<br />
… and this is for the core processor, <b>where all of the super-sensitive data resides.</b> We are talking customers, addresses, balances and account numbers!<br />
<br />
I started to ask myself: Are bankers living by a double standard?<br />
<br />
If I looked at Office 365 objectively, performed a proper vendor risk assessment and evaluated the risks, I couldn't imagine that an email system would be ranked nearly as high in Confidentiality Risk as the Core.<br />
<br />
Consider Availability Risk Reduction when it comes to Office 365: <i>The number of systems Microsoft has dedicated to keeping the system available is ridiculous.</i><br />
<br />
Service providers for banking? They typically have a warm site backup on the other side of the country.<br />
<br />
My experience in working with Office 365 over the past year has been enlightening. I've received SSAE16 reports, data center tours and have access to the Microsoft trust center which allows me to understand the security controls better. After working through some of the details - using information from a processor that I used to utilize - Microsoft has more visibility and controls built around the protection of data than my processor did.Thomas Johnsonhttp://www.blogger.com/profile/14858551872104879594noreply@blogger.com0tag:blogger.com,1999:blog-1524151480636426284.post-704252052339066122014-12-24T10:43:00.000-06:002014-12-24T10:43:02.442-06:00The Big Move - Part 1 - Setting up your custom domain to work with Office 365!To say that I did a big move would be a complete lie. I have a couple of domains that I have email addresses attached to as well as two POP3 accounts (from my college days) that I would like to aggregate into one place. Gmail was able to do this for me for many years, but I have since wanted to explore the Office 365 offering by Microsoft a lot deeper, so I started the process of moving over some of my "lesser used" domain /email combinations. When I say "move", I don't mean that I migrated the mailbox - I just simply configured everything so that any future email would flow into my Office 365 account. I figured this would be easier and safer in case I wanted to switch back quickly -- especially considering I probably get one or two email messages per week in my lesser used accounts. I did eventually do a mailbox move, but I will cover this in another blog post.<br />
<br />
Again, this is an additional domain and email address that is being added to my already established Office 365 account. The intent is to have all of my various email accounts aggregate into one mail box. I will also show how to get POP3 email into this one account as well as some tips I used to make mail management a lot easier in another blog post.<br />
<br />
So, here is what I did:<br />
<br />
First, I logged into my newly created Office 365 tenant and went to Admin / Office 365:
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0oC1Zmo44egC9TBMh1qu-F1UxhN8H_oJr27FQlwD7WmrvIAF4bily_wfoXIJghm7qqJa4AWF1zRRM535zTgAZYIrBIQaBpd-vrGNOXIaI_W8VWvxXLZBqNwq5E8ffDufjXPDnHi36J3M/s1600/Step+1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0oC1Zmo44egC9TBMh1qu-F1UxhN8H_oJr27FQlwD7WmrvIAF4bily_wfoXIJghm7qqJa4AWF1zRRM535zTgAZYIrBIQaBpd-vrGNOXIaI_W8VWvxXLZBqNwq5E8ffDufjXPDnHi36J3M/s1600/Step+1.PNG" height="301" width="320" /></a></div>
<br />
Then on the left side of the screen you will see a place for you to click on called "Domains":<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicKIbiahevFAcGEl6Qb6Emg-XFqwLErrui2XBDApC-dyILxkGfLGcV_XQ_LntIs6wv7s6W6J619Lh1qnb29VUsiStnvN2_-jTt6aclSHqVZFjj2HJosDJpWujICgRF88ipKQjzFjvAUJM/s1600/step+2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicKIbiahevFAcGEl6Qb6Emg-XFqwLErrui2XBDApC-dyILxkGfLGcV_XQ_LntIs6wv7s6W6J619Lh1qnb29VUsiStnvN2_-jTt6aclSHqVZFjj2HJosDJpWujICgRF88ipKQjzFjvAUJM/s1600/step+2.PNG" height="320" width="210" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
You will then be presented with the following screen. These are the three steps you need to take in order to get your domain set up.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKFPJjySSjt7Jyt04N2ebmzVOtcPBq7A1_ivyO6Z5gmk7acZc-NuiKmFLXbeSV780zPYNFt2tOo_ayu_kvx6AE2gfWapKlIvH6dJnyLvfgROd0fXg6IJfG4f0VEchi5Oh2kQ13f2koKyg/s1600/Step+3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKFPJjySSjt7Jyt04N2ebmzVOtcPBq7A1_ivyO6Z5gmk7acZc-NuiKmFLXbeSV780zPYNFt2tOo_ayu_kvx6AE2gfWapKlIvH6dJnyLvfgROd0fXg6IJfG4f0VEchi5Oh2kQ13f2koKyg/s1600/Step+3.PNG" height="307" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Once Step 1 is selected, you will be presented with the following dialog. Enter the domain name you want to start to use with Office 365. I used a domain of a business I used to have but still get email through:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHtxeH79RyluqXOtzwqjGSltlPOMuSCMw3f5jJauQZmEOVwczsi4tO8JoX2ISe3qEmPn4a41H13aKSpna2GcM-aAG5O86tqse7UL3StUCqYKBYy7vAcbyM7bhBPUbkMPiclGl3TtmpSLA/s1600/Step+4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHtxeH79RyluqXOtzwqjGSltlPOMuSCMw3f5jJauQZmEOVwczsi4tO8JoX2ISe3qEmPn4a41H13aKSpna2GcM-aAG5O86tqse7UL3StUCqYKBYy7vAcbyM7bhBPUbkMPiclGl3TtmpSLA/s1600/Step+4.PNG" height="221" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
Office 365 will interface with most registrars to make your DNS modifications to allow email to flow to Office 365. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWOM4OVs0CpDovRjdYnnW4HUViFwH9JxsnmHTCANEyxLPPbILbu8GVcQT4ok7Z-nPQgZdYz_x6DNSschlfrOwv5dgUUav4mjTa8F2P470WyYyjeYKpzG3K61jX82VRc3axj7t3sEx2Gd0/s1600/Step+5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWOM4OVs0CpDovRjdYnnW4HUViFwH9JxsnmHTCANEyxLPPbILbu8GVcQT4ok7Z-nPQgZdYz_x6DNSschlfrOwv5dgUUav4mjTa8F2P470WyYyjeYKpzG3K61jX82VRc3axj7t3sEx2Gd0/s1600/Step+5.PNG" height="241" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Once you continue, you will see a dialog box that is generated by GoDaddy (my registrar and where I maintain my DNS):</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4cJbVx2ptIwEMbdC41i3jLcT_rxFL_n65gR8W4L9etvLmMwFCo0UQ1To9zzPFyNLkAbSd8UkwJABwsFblQOr6a9SLQfyEySyALTzAbOBUB8zQJB7OnHEcG3FU2Ih558KmMxs7jyZ2qEk/s1600/Step+6.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4cJbVx2ptIwEMbdC41i3jLcT_rxFL_n65gR8W4L9etvLmMwFCo0UQ1To9zzPFyNLkAbSd8UkwJABwsFblQOr6a9SLQfyEySyALTzAbOBUB8zQJB7OnHEcG3FU2Ih558KmMxs7jyZ2qEk/s1600/Step+6.PNG" height="270" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Clicking ACCEPT authorizes Office 365 to write the records it needs into the domain's zone at GoDaddy, so this is the step that actually changes where your mail is delivered. Click it and voila:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIDtQX8-ERmqrTFzOL5h-lnBGVSiEBqLMplQDzbVt183OyHHw94u4Z53m680xgozAZFtOCGPCj2OyW8QhUXUyY6jotEb08bt1sywJb1bIJPDuvR0nosAyGc6LGMLdwDvMMCA_beOyX4NQ/s1600/Step+7.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIDtQX8-ERmqrTFzOL5h-lnBGVSiEBqLMplQDzbVt183OyHHw94u4Z53m680xgozAZFtOCGPCj2OyW8QhUXUyY6jotEb08bt1sywJb1bIJPDuvR0nosAyGc6LGMLdwDvMMCA_beOyX4NQ/s1600/Step+7.PNG" height="202" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now, what you can do is start adding user accounts. BUT... I chose not to - Keep reading:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuXye3gF6A0A3YQWQliLLHMl9kmaprUIVj64WYpXVRw3-u_twL2lrZQleRaBgIFcjEnx-NAhfIxtSElCX9Bh_4g5D_0OYu8uiXwjlGs7yvkI0daM9v_lm4i5TFf2NBcCgmtppcZUTZhrY/s1600/Step+8.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuXye3gF6A0A3YQWQliLLHMl9kmaprUIVj64WYpXVRw3-u_twL2lrZQleRaBgIFcjEnx-NAhfIxtSElCX9Bh_4g5D_0OYu8uiXwjlGs7yvkI0daM9v_lm4i5TFf2NBcCgmtppcZUTZhrY/s1600/Step+8.PNG" height="257" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Because I just have one mailbox license for Office 365 and I have it configured with another email address on another domain, I will choose not to add any users. What I will do instead is configure Office 365 to direct all inbound email for this domain to my primary email account. This will become apparent in the next post.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
This step sets up the DNS information properly. It will want to know how you want to use Office 365 with this domain and then make the appropriate DNS modifications - see the next three screen shots:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5PBZ69igX5wwrz3xeoWPQ1EX2cwIYUJJ4Tlyrh8z76t_PisRSsModwlnfTJQ4f8Bv2ih4sylQWovhfvje8u13a2pHY63UP0mR62X4JVgyS0UMj3eDVyMoT6iOS_mycpJUHc3tXxSqysY/s1600/Step+9.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5PBZ69igX5wwrz3xeoWPQ1EX2cwIYUJJ4Tlyrh8z76t_PisRSsModwlnfTJQ4f8Bv2ih4sylQWovhfvje8u13a2pHY63UP0mR62X4JVgyS0UMj3eDVyMoT6iOS_mycpJUHc3tXxSqysY/s1600/Step+9.PNG" height="227" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfNMWacpvV60W-crvcuoECDkYBVZNKRD8UwMa58N3dfR10NYpPpQN0qlyWDfqvsWf_LzhO-Pjm60xer7ZAgAJmTEB7iMzck0bp852TWyxvOEGPcWShAJ9dl7LYjCZ_GFnaHlBgMtmizMY/s1600/Step+10.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfNMWacpvV60W-crvcuoECDkYBVZNKRD8UwMa58N3dfR10NYpPpQN0qlyWDfqvsWf_LzhO-Pjm60xer7ZAgAJmTEB7iMzck0bp852TWyxvOEGPcWShAJ9dl7LYjCZ_GFnaHlBgMtmizMY/s1600/Step+10.PNG" height="246" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZPkxAhMch_MtzscrpeYA-fgW1wV8H1nEQ7_sP8o_maJkdxAuwstyYszHktwpsn1Y9sbUCxnKAIhNxuaJAeYAt1UqDJMWrJ4Eg09L_uKYeewq94boQmBv_Gsx_UPjwYAwWAYsMXUIJ-1w/s1600/Step+11.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZPkxAhMch_MtzscrpeYA-fgW1wV8H1nEQ7_sP8o_maJkdxAuwstyYszHktwpsn1Y9sbUCxnKAIhNxuaJAeYAt1UqDJMWrJ4Eg09L_uKYeewq94boQmBv_Gsx_UPjwYAwWAYsMXUIJ-1w/s1600/Step+11.PNG" height="426" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
There you have it - Now your domain is configured to be used with Office 365!</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
You will now have to configure Office 365 to be able to accept inbound email from this new domain and then determine what happens to the email. Additionally, you will need to configure Office 365 to be able to send from this domain as well. I will be covering all of this in my NEXT blog post, so stay tuned!</div>
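<div class="separator" style="clear: both; text-align: left;">
The registrar integration writes the records for you, but the zone is still yours to verify: a leftover MX from the previous provider keeps delivering mail there, and a leftover SPF include keeps authorizing that provider to send as your domain. The Python script below is an added example, not part of the original post and not Office 365 or GoDaddy code; it checks a zone's MX, SPF and autodiscover records against the Office 365 values Microsoft publishes (assumed here: an MX host under mail.protection.outlook.com, include:spf.protection.outlook.com in SPF, and an autodiscover CNAME to autodiscover.outlook.com). The two zones in the script are constructed samples; with a real domain you would fill the dictionary from dig or nslookup output.</div>

```python
"""Check that a domain's public DNS routes mail to Office 365.

Added example, not from the original post. The expected hostnames are
Microsoft's published Office 365 DNS values (assumption: they apply to
your tenant); the tenant-specific MX host and MS=... verification token
come from the admin portal. The zones at the bottom are constructed
sample data, not real lookups.
"""

O365_MX_SUFFIX = ".mail.protection.outlook.com"
O365_SPF_INCLUDE = "include:spf.protection.outlook.com"
O365_AUTODISCOVER = "autodiscover.outlook.com"


def _norm(host):
    """Lower-case a hostname and drop the trailing dot that dig/nslookup print."""
    return host.strip().lower().rstrip(".")


def parse_spf(txt_records):
    """Return the domain's SPF record as a list of terms, or None.

    RFC 7208 treats zero or more than one v=spf1 record as a permanent
    error, so both cases are reported as 'no usable SPF'.
    """
    spf = [r.strip() for r in txt_records if r.strip().lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None
    return spf[0].split()


def check_o365_dns(records):
    """Validate MX, SPF and autodiscover records for an Office 365 domain.

    records = {
        "MX":    [(preference, host), ...],
        "TXT":   ["...", ...],
        "CNAME": {"autodiscover": "target", ...},
    }
    Returns a list of findings; an empty list means the domain passes.
    """
    findings = []

    # 1. Mail routing: the lowest-preference MX must be Office 365, and no
    #    other MX may still point at the previous provider, or inbound mail
    #    can keep landing in a mailbox you no longer watch.
    mx = sorted((int(p), _norm(h)) for p, h in records.get("MX", []))
    if not mx:
        findings.append("MX: no record; inbound mail will not be delivered")
    else:
        if not mx[0][1].endswith(O365_MX_SUFFIX):
            findings.append(f"MX: primary {mx[0][1]} is not an Office 365 host")
        for _, host in mx[1:]:
            if not host.endswith(O365_MX_SUFFIX):
                findings.append(f"MX: stale record {host} still routes mail elsewhere")

    # 2. Sender authorization: SPF must name Office 365 and fail everything
    #    else. Leftover include: terms from an old provider let that provider
    #    keep sending as your domain.
    terms = parse_spf(records.get("TXT", []))
    if terms is None:
        findings.append("SPF: missing or duplicate v=spf1 record")
    else:
        if O365_SPF_INCLUDE not in terms:
            findings.append("SPF: does not include spf.protection.outlook.com")
        for t in terms[1:]:
            if t.lower().startswith("include:") and t != O365_SPF_INCLUDE:
                findings.append(f"SPF: extra {t} authorizes another sender")
        if terms[-1] == "~all":
            findings.append("SPF: ends in ~all (softfail); use -all once mail flow is confirmed")
        elif terms[-1] != "-all":
            findings.append("SPF: does not end in -all")

    # 3. Client configuration: Outlook locates the mailbox via autodiscover.
    target = _norm(records.get("CNAME", {}).get("autodiscover", ""))
    if target != O365_AUTODISCOVER:
        findings.append(f"CNAME: autodiscover -> {target or '(none)'}, expected {O365_AUTODISCOVER}")

    return findings


# Constructed sample: a zone after the registrar integration ran but before
# the old Gmail records were cleaned up.
SAMPLE_AFTER_MIGRATION = {
    "MX": [(0, "example-com.mail.protection.outlook.com."),
           (10, "aspmx.l.google.com.")],
    "TXT": ["MS=ms12345678",
            "v=spf1 include:spf.protection.outlook.com include:_spf.google.com ~all"],
    "CNAME": {"autodiscover": "autodiscover.outlook.com."},
}

# Constructed sample: the same zone with the leftovers removed.
SAMPLE_CLEAN = {
    "MX": [(0, "example-com.mail.protection.outlook.com.")],
    "TXT": ["v=spf1 include:spf.protection.outlook.com -all"],
    "CNAME": {"autodiscover": "autodiscover.outlook.com."},
}

if __name__ == "__main__":
    for name, zone in (("after migration", SAMPLE_AFTER_MIGRATION), ("clean", SAMPLE_CLEAN)):
        print(f"{name}: {check_o365_dns(zone) or 'OK'}")
```

<div class="separator" style="clear: both; text-align: left;">
Run it as a script to see the first sample flagged on three points (the stale Google MX, the stale Google SPF include, and the softfail) and the second pass. The softfail check is deliberate: ~all only asks receivers to treat unlisted senders leniently, which is fine while you are confirming mail flow, but -all is what you want once the old provider no longer carries your mail.</div>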
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
** Remember, this is a second domain and email address that is being added to my already established Office 365 account. The intent is to have all of my various email accounts aggregate into one mail box. I will also show how to get POP3 email into this one account as well as some tips I used to make mail management a lot easier. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<br />Thomas Johnsonhttp://www.blogger.com/profile/14858551872104879594noreply@blogger.com0tag:blogger.com,1999:blog-1524151480636426284.post-6167523498410410272014-11-12T07:56:00.001-06:002014-12-24T09:49:27.738-06:00Office 365 Mailbox De-ClutterSince I was a Gmail user for so long, I got used to some of the features and subsequently took them for granted. One of those features was the automatic classification of email on perceived "importance".<br />
<div>
<br />
<div>
Gmail took it a step further and started to break out email into multiple groups such as Social, Forums, Updates and Promotions. This made it nice to really de-clutter my mailbox within Gmail, and I started to miss this once I migrated over to Office 365. </div>
</div>
<div>
<br /></div>
<div>
Well, apparently the <i>Clutter</i> feature came out just a few days ago. It learns your behavior and classifies certain inbound email as clutter. I enabled it, and within two days it had already started to learn my habits. </div>
<div>
<div>
<br /></div>
<div>
If you want to enable it in your Office 365 mailbox, launch OWA (http://portal.office.com, then click OUTLOOK), click the GEAR icon, and click OPTIONS:</div>
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-aCQsEDMeH6UejQsaQcytXuKKKBlosLaeW3dlxS7Y-I54-xfUVEerDl2Waf6TpBXkAmat3VWVVrZsRRxTIvV8cv_ac_lEG4o2nwIb81CKCdKHU1CHuRlcItiNN4aqeVvzHAv_6-IEDfQ/s1600/clutter+1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-aCQsEDMeH6UejQsaQcytXuKKKBlosLaeW3dlxS7Y-I54-xfUVEerDl2Waf6TpBXkAmat3VWVVrZsRRxTIvV8cv_ac_lEG4o2nwIb81CKCdKHU1CHuRlcItiNN4aqeVvzHAv_6-IEDfQ/s1600/clutter+1.PNG" height="307" width="320" /></a></div>
<br />
<br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
You will then be presented with the options under Mail / Automatic Processing. Select the option "Separate items identified as Clutter":</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFv-LTm52mpEqOdibMBQLmny3CXaSCY4QgTBdOIi7LDYaaH4lBk0M_EbkkHY1OIOinimiEBoV9bm0YjO7dOOkXtcWXK1OIxypMEUHiS9ERMCBcUbB-WdoyaymT7mWqsolG9qjfsQAQYBk/s1600/clutter+2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFv-LTm52mpEqOdibMBQLmny3CXaSCY4QgTBdOIi7LDYaaH4lBk0M_EbkkHY1OIOinimiEBoV9bm0YjO7dOOkXtcWXK1OIxypMEUHiS9ERMCBcUbB-WdoyaymT7mWqsolG9qjfsQAQYBk/s1600/clutter+2.PNG" height="201" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="" style="clear: both; text-align: left;">
... and that's it. You will notice a new folder in your mailbox called <i>Clutter</i>. This is where newly classified email will be directed.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjysAWjwgT_1uaRnaD-d-M-TN6QTrYtP_88wKkBMwiQGE-TwHndLOBXLiAnxAcqlasMl6AprKNv6vjY0ltXmBo3V87FGm0d134JNt_K5VE3oIKi0hWaWFr_mAQ59ljQOgdMhL-IY-I_PD0/s1600/clutter+3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjysAWjwgT_1uaRnaD-d-M-TN6QTrYtP_88wKkBMwiQGE-TwHndLOBXLiAnxAcqlasMl6AprKNv6vjY0ltXmBo3V87FGm0d134JNt_K5VE3oIKi0hWaWFr_mAQ59ljQOgdMhL-IY-I_PD0/s1600/clutter+3.PNG" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
If you want to learn more about this feature and how it really works, this is a great blog article put out by Microsoft: </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://blogs.office.com/2014/11/11/de-clutter-inbox-office-365/">http://blogs.office.com/2014/11/11/de-clutter-inbox-office-365/</a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
<br /></div>
Thomas Johnsonhttp://www.blogger.com/profile/14858551872104879594noreply@blogger.com0tag:blogger.com,1999:blog-1524151480636426284.post-85639018301631467552014-11-10T13:39:00.001-06:002014-11-10T13:44:57.404-06:00Leaving Gmail - Hello Office 365!I've been a Gmail user for years and consequently, I've found myself quite embedded in the Google line of products. I have an Android phone and also use the connected products (like this blog), but Gmail has always been on my list of products to migrate away from.<br />
<br />
Notwithstanding the privacy issues that are continually raised on the Google platform, I wanted to untangle the complex web I had to create in order to make everything work for me on the Gmail platform. This was further prompted by my renewal at GoDaddy that was topping $200 annually. (More on this later...)<br />
<br />
Granted, I don't have a ton of email, and nothing I am doing is enterprise class, but I do have my personal account (a vanity domain), a business type of personal account (also a vanity domain), a couple of POP3 accounts that my alma maters have set up for me, and an Exchange account that I have to use to communicate with my students (I teach at a local college). Quite a mess if you have to keep track of email from a number of different interfaces...<br />
... and how would this all work with mobile access??<br />
<br />
Well, Gmail was here to save the day - Kind of...<br />
I did get everything to work pretty well, but I had to do a number of workarounds to make everything click. Gmail gave me a lot of space (I'm currently using 7GB of my 15GB mailbox) and I absolutely fell in love with the Archive function.<br />
<br />
Over time, some of the Gmail shortcomings started to bother me, and with my last GoDaddy bill, my "<i>want"</i> to start to consolidate everything (from GoDaddy, to Gmail, to Exchange) prompted me to start to look at Office 365 as a viable alternative to my Gmail mailbox - a central repository for all of my mail.<br />
What were some of the issues with my current setup? GoDaddy's SMTP Relay limits and Gmail's "On behalf of" problem. A description of this is clipped here from Wikipedia:<br />
<blockquote>
"... any email sent through the Gmail interface included the Gmail.com address as the "sender", <b>even if it was sent with a custom email address as "from".</b> For example, an email sent with an external "from" address using Gmail could be displayed to a receiving email client user as <i>From user@gmail.com on behalf of user@OtherDomainEmailAddress.com</i> (the display used by versions of Microsoft Outlook). By exposing the Gmail address, Google claimed that this would "help prevent mail from being marked as spam..."</blockquote>
This was unacceptable to me, so I signed up for SMTP Relay accounts with GoDaddy and routed my mail through them instead of the Gmail servers. GoDaddy would only allow 50 messages per day with their SMTP relay service, which would also pose a problem for me at times.<br />
<br />
Since I work for a Microsoft Gold Partner, I started to see first-hand the functionality Office 365 had, and was moving closer and closer to setting up a "tenant" to do some testing. The features that get added to Office 365 are staggering - You can see the road map <a href="http://office.microsoft.com/en-us/products/office-365-roadmap-FX104343353.aspx" target="_blank">here.</a><br />
<br />
One evening, I decided to flip the switch. I've successfully made the switch over to Office 365, and it was a piece of cake. I'm starting to assemble some of the steps I've taken to make Office 365 a great way to consolidate all of my email and the use of some of the functions Office 365 offers to make my consolidated email box something that is functional and not overwhelming. Look for those notes to appear here over the next couple of weeks - Including setting up websites in Azure!<br />
<br />
<br />Thomas Johnsonhttp://www.blogger.com/profile/14858551872104879594noreply@blogger.com0tag:blogger.com,1999:blog-1524151480636426284.post-2940293976167317472014-11-05T20:54:00.000-06:002015-02-06T07:49:28.224-06:00An ISACA volunteer<div dir="ltr">
<div class="MsoNormal" style="background: white; line-height: 15.6pt; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: #333333; font-family: "Arial",sans-serif; mso-fareast-font-family: "Times New Roman";">Twice a year, I
disappear for about 3 days to participate in a question writing and proofing
exercise for <a href="http://www.isaca.org/"><span style="color: #771100; text-decoration: none; text-underline: none;">ISACA</span></a>, a non-profit
organization charged with leading the information security, risk and assurance
certification as well as education. They are most notable for their CISA
and CISM certifications.<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; line-height: 15.6pt; margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="MsoNormal" style="background: white; line-height: 15.6pt; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: #333333; font-family: "Arial",sans-serif; mso-fareast-font-family: "Times New Roman";">I earned my CISM a
number of years ago and over the course of time, I've always had a little bit
of a challenge obtaining CPE (Continuing Professional Education) credits. A
minimum number of credits is required to maintain the certification. I
was working for a failing financial institution, and it was nearly impossible
for me to get funds to take courses or attend events that would allow me to
obtain credits.<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; line-height: 15.6pt; margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="MsoNormal" style="background: white; line-height: 15.6pt; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: #333333; font-family: "Arial",sans-serif; mso-fareast-font-family: "Times New Roman";">Luckily, there are a
number of other ways to obtain CPE credits: <o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; line-height: 15.6pt; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: #333333; font-family: "Arial",sans-serif; mso-fareast-font-family: "Times New Roman";"> - Answer
questions in the back of the monthly journal<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; line-height: 15.6pt; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: #333333; font-family: "Arial",sans-serif; mso-fareast-font-family: "Times New Roman";"> - Write articles
for the journal<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; line-height: 15.6pt; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: #333333; font-family: "Arial",sans-serif; mso-fareast-font-family: "Times New Roman";"> - Write test
questions for a certification pool<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; line-height: 15.6pt; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: #333333; font-family: "Arial",sans-serif; mso-fareast-font-family: "Times New Roman";"> - Mentor others
toward a certification<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; line-height: 15.6pt; margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="MsoNormal" style="background: white; line-height: 15.6pt; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: #333333; font-family: "Arial",sans-serif; mso-fareast-font-family: "Times New Roman";">I always thought it
would be fun to try to attempt writing test questions for the CISM exam, so one
day I did!<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; line-height: 15.6pt; margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="MsoNormal" style="background: white; line-height: 15.6pt; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: #333333; font-family: "Arial",sans-serif; mso-fareast-font-family: "Times New Roman";">Shortly after
submitting my attempt at creating about 15 questions, ISACA and I launched a
fantastic relationship, which I am thankful to have with this organization
to this day.<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; line-height: 15.6pt; margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="MsoNormal" style="background: white; line-height: 15.6pt; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: #333333; font-family: "Arial",sans-serif; mso-fareast-font-family: "Times New Roman";">My involvement in
writing test questions lasted only one year before I was asked to be part of
a committee called the Test Enhancement Subcommittee (TES), which not only writes
questions for the exams, but is in charge of proofing all of the questions that
get submitted. Better yet, I get all of my CPE for the year just by
participating!<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; line-height: 15.6pt; margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="MsoNormal" style="background: white; line-height: 15.6pt; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: #333333; font-family: "Arial",sans-serif; mso-fareast-font-family: "Times New Roman";">In the beginning, I
was more excited about being able to obtain all of my CPE easily, but as I
continued to get involved in the TES with ISACA, it was clear to me that I was
part of something amazing - a continually refining exercise that produces
relevant questions to test an applicant's base of knowledge!<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; line-height: 15.6pt; margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="MsoNormal" style="background: white; line-height: 15.6pt; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: #333333; font-family: "Helvetica",sans-serif; mso-fareast-font-family: "Times New Roman";">Working on creating
and modifying questions for the CISM certification is a rewarding experience,
but it is the relationships with the other volunteers and the wonderful staff
at ISACA that make me proud to be a volunteer and to be part of the process.</span><span style="color: #333333; font-family: "Arial",sans-serif; mso-fareast-font-family: "Times New Roman";"><o:p></o:p></span></div>
<br />
<div class="MsoNormal">
<br /></div>
</div>
Posted by Thomas Johnson.<br />
<br />
<h3>Mobile Device Management - and then some...</h3>
Posted 2014-10-09.<br />
<br />
Looking at the many Mobile Device Management (MDM) systems out there, it doesn't seem that any one of them has it all.
Sure, some of them do a particular function very well, but there always seems to be something lacking with the whole package.
When it comes to MDM, I am definitely thinking about more than managing the device. Managing the identity and protecting the data are equally important.
<br /><br />
The following diagram was put together by Microsoft, so it has an obvious slant, but it clearly shows how each product ranks. At this point, it looks like EMS (Microsoft's Enterprise Mobility Suite) has a complete package, and at about 7 dollars per month it is attractively priced: <br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSNJY6w1aPD_YQ7JG9M0YUwE0fzBOEvF6tRD8rkIaKHq8gB31ToZZ_zx3LApWFWPre9RhjhPVtZLAXl_5D5lWoqv8CjNoB0iDeUnQRDuP0vHM54pJVHWSch9G713ph6DLW0z788LrBAK0/s1600/ems.PNG" imageanchor="1" ><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSNJY6w1aPD_YQ7JG9M0YUwE0fzBOEvF6tRD8rkIaKHq8gB31ToZZ_zx3LApWFWPre9RhjhPVtZLAXl_5D5lWoqv8CjNoB0iDeUnQRDuP0vHM54pJVHWSch9G713ph6DLW0z788LrBAK0/s400/ems.PNG" /></a><br />
<br />
Posted by Thomas Johnson.<br />
<br />
<h3>HIPAA Checklist</h3>
Posted 2014-01-27.<br />
<br />
With all of the requirements associated with HIPAA and the new rules coming down, not being in compliance is very risky.<br />
<br />
One of our businesses was a little behind on the formalities associated with HIPAA compliance and needed to create a scorecard to assess where they are and where they need to be. Not wanting to re-invent the wheel, I reached out to some of my colleagues, one of whom, an acquaintance at Grant Thornton, pointed me to HIPAA COW.<br />
<br />
While they DO have a cow for a mascot, the name is actually an acronym: COW stands for Collaborative Of Wisconsin. While the logo is whimsical, the group is not to be dismissed. There is a wealth of information, checklists, templates, etc.<br />
<br />
Check it out:<br />
http://www.hipaacow.org<br />
<br />
<br />
Posted by Thomas Johnson.<br />
<br />
<h3>NIST - Patch Management Program</h3>
Posted 2011-07-01.<br />
<br />
Special Publication SP 800-40 Version 2, "Creating a Patch and Vulnerability Management Program", is 75 pages on building a very robust patch and vulnerability management program. (NIST has since superseded Version 2 with Revision 3 in 2013 and Revision 4 in 2022, so read the link below as the historical document.)<br />
<br />
Not to fear: the last 25 pages of it are appendices, a glossary and an index, and among them is<br />
Appendix D - a great list of resources with websites!<br />
<br />
http://csrc.nist.gov/publications/nistpubs/800-40-Ver2/SP800-40v2.pdf<br />
<br />
Author: Unknown.<br />
<br />
<h3>PCI Compliance</h3>
Posted 2011-06-30.<br />
<br />
I've been going through PCI Compliance training for the last few weeks. Interesting stuff - kind of.<br />
All of it is just basic "good information security" practices: antivirus on your workstations, periodic scanning of your environment, and not transmitting people's card information over the internet unencrypted. While these are just a few of the items looked at in an assessment, they sound pretty straightforward to me.<br />
<br />
Talking to a QSA (Qualified Security Assessor) for PCI, I learned that there are so many merchants out there that are a literal train wreck. Kind of scary.<br />
<br />
The latest PCI Security Standards can be found <a href="https://www.pcisecuritystandards.org/security_standards/documents.php">HERE</a>.<br />
<br />
Depending upon how many transactions the merchant performs in a 12-month period, a QSA might not be needed. In that case a self-assessment (the PCI Self-Assessment Questionnaire) is used to determine whether the merchant is in compliance. I am assuming that the merchant services provider would be helping their customers through all of this.<br />
<br />
Another standard to make sure people are doing the right thing...<br />
<br />
Author: Unknown.<br />
<br />
<h3>Twitter and Facebook</h3>
Posted 2011-04-02.<br />
<br />
I attended a seminar a few weeks ago in order to get some CPE for my CISSP and CISM certifications.<br />
<br />
The presenter displayed his contact information with references to Facebook, Twitter, and LinkedIn. He asked how many people were on Twitter, and only about ten out of about 200 people raised their hands.<br />
<br />
An information security practitioner whom I really respect told me that she doesn't do Facebook or Twitter. They are just not secure, for so many reasons.<br />
<br />
I started to think - are the majority of information security professionals out there NOT using social media?<br />
Is LinkedIn really that evil? <br />
<br />
I've been using various social media outlets for a number of years now and have been careful about what I put out there and who I associate with. Maybe that is the key.<br />
<br />
The only thing I really worry about with Twitter is keeping an eye on who is following ME! That could be a daunting task if my follower list grows into the thousands. Somehow, I don't think I will ever have that problem though.<br />
<br />
Author: Unknown.<br />
<br />
<h3>Visibility</h3>
Posted 2011-03-27.<br />
<br />
A dear friend of mine practices surgery, handling cases where people need surgical reconstruction because of a traumatic injury, such as an automotive accident, or a cancer diagnosis, commonly breast cancer. Always interested in the medical field, I enjoy hearing stories of the cases he is currently working on.<br />
<br />
One day he said something very profound in response to a question I had about a basic case he was working on: "They need to see me more than I need to see them."<br />
<br />
This can definitely be applied to leadership and management.<br />
<br />
I've noticed over the years that some managers are reluctant to give their people the face time that they need. I'm sure they don't even know they are doing it!<br />
<br />
Let's face it - most of the time when your employee wants to talk, there is a problem. Who wants to hear about a problem? That's human nature at work! <br />
<br />
I've found that having regular conversations with your people allows them to get things off their chests as they come up. These conversations are a lot easier to manage and talk through than a conversation prompted by them, wrapped in tension that has built up over the past few weeks.<br />
<br />
Next time you realize that you haven't had a casual conversation with one of your employees, go have one! I'm certain that you will dig up some issues that you don't really feel like dealing with, but look at it this way - they will be delivered to you a lot more smoothly than if the employee has to approach you, dripping in emotion!<br />
<br />
Think you don't have time to be this proactive? Well, I'm sure you won't when an employee calls with: "um... do you have a minute...?"<br />
<br />
Try to be as visible as possible to your people. You will be more approachable and will probably get a sense of things that are about to come up anyway.<br />
<br />
Author: Unknown.<br />
<br />
<h3>Leader or Manager</h3>
Posted 2011-03-09.<br />
<br />
I love interview questions that cause the applicant to really dig deep for an answer. I don't think the question "Are you a Leader or a Manager?" is one of those questions. Any applicant would more than likely say "Leader" whether or not they really are a leader.<br />
<br />
This caused me to think - from an employer standpoint: Are we necessarily looking for a leader in this position?<br />
<br />
As far as I am concerned, if you are hiring for some kind of management or supervisory position, you always want a leader in that position. Now, the real question is: do you hire a manager and groom them to be a leader, or just hire the leader?<br />
<br />
Author: Unknown.