Welcome to the Data and Account Security module. A definition or understanding of data is reasonably straightforward: data is a collection of information, facts, recorded observations, or statistics gathered together for analysis or planning. Information is king, and it is the lifeblood of individuals, small shops, startups, and large organizations alike. If your organization collects and processes information, it must adequately protect that data and must consider how to meet its compliance requirements. The security of this information must always be a top priority. When we are training new staff members, purchasing a new security system, or installing new software, the security and protection of our data must come first. Threats to data are always changing, and organizations must stay current and keep staff members educated on new attack methods.

You interact with your organization's information constantly. Do you ever stop and wonder how safe that information is, or whether you are putting your organization's data at risk? Most individuals and organizations do not believe they will be targeted. However, attackers do not discriminate when there is value in your data.

In this module, we will learn about some of the ways that data can be organized and regulated: by the person in charge of the data, by the level of risk involved, or by where the data is within its life cycle. Through best practices in data organization we can ensure tighter security, and we will learn many ways you can safeguard yourself and your company.

Here are some important terms to familiarize yourself with as we learn how to keep your user accounts safe. A credential is the pairing of a user's account ID, typically an email address or a number, with a secret that only the user should know, such as a password. Authentication is the activity by which someone or something proves its identity by providing a form of proof or evidence.
When you type in your username and password, you are providing proof to a system that you are who you say you are. This proof of identity can be something you know, such as a password or secret; something you have, such as a token or badge; or something you are, such as a fingerprint or voice print. Authorization is the access granted to an account on a system to perform a specific task or function. Account privileges are a goldmine for attackers. Criminals look for users that have privileged access to sensitive information such as credit card numbers, social security numbers, or sensitive personal or organizational information.

Any authentication using two or more factors is considered multi-factor authentication. Users are required to provide two or more independent credentials before they are allowed access to a network or system. These credentials fall under three categories: something you know, such as a PIN; something you have, such as an ID badge; or something you are, such as a fingerprint. The factors must come from different categories to count: a password plus a security question are both something you know, so together they are not multi-factor.

Single sign-on (SSO) is a centralized access control method that allows the user to authenticate once and then gain access to every resource they have rights to without authenticating again. SSO is not only convenient for users but can also improve security, since users are less likely to write down a single password than many separate usernames and passwords. SSO also reduces the number of accounts per user, which eases account administration. The trade-off is that the SSO credential unlocks everything behind it, so it should itself be protected with multi-factor authentication.

Organizations publish corporate policies to establish the standards for the proper use, handling, and marking of data, in order to protect it. Data policies also define roles and responsibilities covering data access, retrieval, storage, retention, backup, and destruction of organizational data. Establish clear lines of accountability and ownership over data. Define procedures and best practices for data management and protection.
Protect data confidentiality from both internal and external threats. Ensure the organization is following applicable standards, regulations, and laws. Establish an accounting and audit trail for access to data. Create data marking and handling procedures for the different data classifications.

Organizations must define the roles and responsibilities around their data. Many organizations use different names and titles, but the roles typically focus on the same areas. Information security professionals define and describe these roles in different ways and in different contexts, but it simply boils down to responsibilities around information. You may not have anyone in your organization with the following titles, but you will have individuals who perform each role's function. Organizations may also choose to combine or split these roles, but ultimately responsibility falls into the following five categories.

A data owner is accountable for an overall data set. These individuals are typically senior people within the organization; for example, a sales director may be responsible for lead and customer data. Data owners are usually supported by data stewards. A data steward manages the data from day to day. Think of them as overseers of the data: they manage data quality, rules, definitions, integrity, and proper data entry, and they report to data owners when decisions need to be made. A data custodian controls access to the data; they safeguard, audit, and maintain the integrity of the data, and are responsible for backing up, transporting, and storing it. Someone in IT usually performs this role. Data producers create and capture data. They follow the rules set by the data owner and must produce data that meets the consumers' needs. A data consumer makes use of the data, which needs to be of the right quality for them to perform their role.
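Returning to the credential and multi-factor authentication definitions above: the following is an added worked example, not part of this module, of a login check that requires both something you know (a password, stored as a salted hash) and something you have (a time-based one-time code from an authenticator app, the TOTP scheme of RFC 6238). The user name, password and seed are constructed demo values, and the store, enroll and authenticate names are this example's own. It also shows two checks the definitions imply but that are easy to forget: a one-time code is never accepted twice, and a failed login does not reveal which factor was wrong.

```python
import hashlib
import hmac
import secrets
import struct

# Added example, not from the module: a two-factor login combining
# something you know (password, salted PBKDF2 hash) with something you have
# (a TOTP authenticator seed, RFC 6238). All names and data are constructed.

STEP = 30           # TOTP time step in seconds
DIGITS = 6          # TOTP code length
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the salt is stored beside the hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def totp(seed: bytes, counter: int) -> str:
    """One-time code for a single time step (RFC 4226 dynamic truncation)."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    number = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{number % 10 ** DIGITS:0{DIGITS}d}"


def enroll(store: dict, username: str, password: str, seed: bytes) -> None:
    """Register a user; last_counter records the newest code step already used."""
    salt = secrets.token_bytes(16)
    store[username] = {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "seed": seed,
        "last_counter": -1,
    }


# Dummy record used for unknown usernames so the same amount of hashing work
# (and therefore response time) is done whether or not the account exists.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = hash_password(secrets.token_hex(8), _DUMMY_SALT)


def authenticate(store: dict, username: str, password: str, code: str, now: int) -> bool:
    """Both factors must pass; the caller learns only pass/fail, never which factor failed."""
    user = store.get(username)
    salt = user["salt"] if user else _DUMMY_SALT
    expected = user["pw_hash"] if user else _DUMMY_HASH
    pw_ok = hmac.compare_digest(hash_password(password, salt), expected) and user is not None

    counter = now // STEP
    used = None
    # Check the exact step first, then one step either side to tolerate clock drift.
    for c in (counter, counter - 1, counter + 1):
        if user is None or c <= user["last_counter"]:
            continue  # replay protection: a step at or before the last accepted one is never reused
        if hmac.compare_digest(totp(user["seed"], c), code):
            used = c
            break

    if not (pw_ok and used is not None):
        return False  # single generic failure for wrong password, wrong code, replay or unknown user
    user["last_counter"] = used  # accepting step c+1 early also retires c+1 itself; acceptable trade-off
    return True


if __name__ == "__main__":
    store = {}
    seed = b"constructed-demo-seed"   # constructed value, would normally be random per user
    enroll(store, "alice", "correct horse battery staple", seed)
    t = 1_700_000_000
    code = totp(seed, t // STEP)
    print(authenticate(store, "alice", "correct horse battery staple", code, t))      # True
    print(authenticate(store, "alice", "correct horse battery staple", code, t + 5))  # False: replayed code
```

A real deployment would store the seed encrypted at rest and rate-limit attempts, since a six-digit code is only strong when an attacker gets a handful of guesses per step.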
Data classification is an extremely important part of protecting your organization's data. Classifying data is the process of categorizing data based on its value and sensitivity. Classification allows organizations to use their data effectively and efficiently. Classification systems vary greatly from one organization to another: some have many classifications, while others have only two or three. A well-thought-out classification system is important for compliance and security reasons, and so that important data can be found and retrieved easily. Your organization likely has written procedures and guidelines for data classification, including the categories and criteria it uses. Organizations may use categories such as sensitive, secret, confidential, and many others. Since categories vary widely, we will cover classifications in terms of risk.

High-risk data is information whose disclosure, or loss to the wrong hands, would have severe impact. This data is typically labelled sensitive, confidential, or secret. Examples of high-risk data are financial records, personally identifiable information (PII), account names and passwords, and regulated data.

Medium-risk data is information whose disclosure would cause limited harm rather than severe harm. This data is typically labelled restricted, internal, or protected, and it must still be adequately protected. Examples of medium-risk data are contracts, sales numbers, and budgets.

Low-risk data is information that can be given to any individual, or distributed internally or externally, with minimal or no risk. This data is typically labelled public, declassified, or unrestricted. Examples of low-risk data are marketing materials, job postings, customer policies, and product offerings.

Staff play a crucial role in protecting the organization's critical data.
How you access data, where you access it from, and what data you are accessing can all have an impact on data security. It is important to understand your organization's policies around data security. How can you help ensure data security? There are many ways you can assist in improving your organization's data security. Properly classify your data, and know the rules around the use of each type. Be aware of your surroundings, and of shoulder surfers, when sensitive documents are open. Immediately notify the appropriate staff if a device containing data is lost. Take extra precautions to secure your data when working remotely. Do not leave devices containing data exposed where they can be easily stolen. Only transfer data via business-provided or approved secure transfer systems. Do not place sensitive data on removable devices, and if you must, make sure it is encrypted. Research the local laws and regulations regarding encryption if you travel internationally.

Data exists as part of a life cycle. When working with data, most of us consider only two or three stages of the life cycle, such as creating, consuming, or presenting the data. Different models exist for describing data life cycles; some have as few as four stages, and others as many as ten. Most of these stages fall on a timeline between creation and the point where the data no longer has value. Most life cycles can be summarized as follows: one, gather the data; two, transform it into something useful; three, present and interpret the data; four, maintain and protect the data; five, securely archive or delete the data. The data life cycle is important to understand because not all data is created in the same way, and some data outlives its usefulness sooner than other data. Following best practices helps your organization stay more secure and helps you better manage your data.

User accounts are the most fundamental component in protecting data and information systems.
Although it is foundational, it is also the most critical. We realize just how critical it is the instant a username and password is stolen. It is important to follow best practices in order to safeguard both your personal and professional data. This is especially true of your email and social media accounts. Email accounts are prime targets for attackers; strategies to safeguard your email accounts are discussed in the Passwords module.

The rise of social media has made it easy to connect with friends and family and share parts of our lives with them. As fun as it can be, there are some precautions you should take when using social media. Do not allow personal details such as your phone number and email address to be viewed publicly; restrict access to friends only, or do not include them at all. Do not accept friend requests from people you do not know: these may be social engineers looking to gather information about you from your profile and then lure you into a scam. Avoid posting about times you will be away from home, on vacation or otherwise. Do not send sensitive or confidential information through social media. Limit your use of social media to personal topics rather than writing about work issues.

In this module, we discussed some of the ways that data can be organized and regulated as we strive to keep it secure. In the roles and responsibilities section, we learned about the basic types of data users, both within a company and outside of it. We categorized the risk level of types of data and learned about the life cycle that data follows. Using classification systems such as these, we can help ensure the confidentiality, integrity, and availability of our critical data. You have now concluded this lesson.