Managing Online Risk -  Deborah Gonzalez

Managing Online Risk (eBook)

Apps, Mobile, and Social Media Security
eBook download: EPUB
2014 | 1st edition
286 pages
Elsevier Science (publisher)
978-0-12-420060-9 (ISBN)
30,63 incl. VAT
(CHF 29,90)
The eBook is sold by Lehmanns Media GmbH (Berlin) at the price in euros incl. VAT.
In recent years, building a corporate online presence has become nonnegotiable for businesses, as consumers expect to connect with them in as many ways as possible. There are benefits to companies that use online technology, but there are risks as well. Managing Online Risk presents the tools and resources needed to better understand the security and reputational risks of online and digital activity, and how to mitigate those risks to minimize potential losses. Managing Online Risk highlights security and risk management best practices that address concerns such as data collection and storage, liability, recruitment, employee communications, compliance violations, security of devices (in contexts like mobile, apps, and cloud computing), and more. Additionally, this book offers a companion website that was developed in parallel with the book and includes the latest updates and resources for topics covered in the book.
• Explores the risks associated with online and digital activity and covers the latest technologies, such as social media and mobile devices
• Includes interviews with risk management experts and company executives, case studies, checklists, and policy samples
• A website with related content and updates (including video) is also available

Deborah Gonzalez, Esq. is the founder of Law2sm, LLC, a legal consulting firm focusing on helping its clients navigate the legal issues relating to the new digital and social media world. Deborah graduated from New York Law School and is licensed to practice law in New York and Georgia.

Deborah began her career in the corporate arena working in various positions in the information technology area - from network administrator to manager of the IS department for a top-6 CPA firm in New York City. During her tenure she managed day-to-day IT operations; designed and implemented IT-related training for employees, managers, and IT staff; developed policies and protocols for IT-corporate use; and monitored emerging trends for IT business strategies and management. Deborah used this foundation as a starting point with her legal practice, which is now transporting her beyond the Internet to the social space where the physical and digital dimensions of her clients co-exist and where she can leverage her legal expertise to their benefit. Deborah enjoys engaging with those around her - so social media is a natural fit. But it is her skill in being able to connect the dots to understand the next big paradigm shift in global communication and legal application that makes her a leader in social media and online law. Deborah serves as Chair of the GA Bar Association's Annual Program on Social Media and the Law and serves as a social media legal liaison for social media marketing companies and their clients.

In addition, Deborah speaks on legal issues relating to intellectual property, social media and online legal trends and practices, and online risk management in various venues throughout the United States and abroad. Follow her on Twitter: @DGOnlineSec and @Law2sm, or visit www.managingonlinerisk.com or www.law2sm.com.

Front Cover 1
Managing Online Risk 4
Copyright 5
Contents 6
About the Author 8
Online Resources 10
Introduction 12
CHAPTER 1 - RISK MANAGEMENT DIGITAL STYLE 16
RISK MANAGEMENT MODELS 18
BEST PRACTICES FOR INCIDENT RESPONSE 37
BONUS: TEN IT SECURITY MYTHS 37
SECURITY/RISK MANAGEMENT APPS 38
CHAPTER 2 - INTERNAL AND EXTERNAL RISKS 40
INTERNAL RISKS 41
INTERNAL RISK 1: SECURITY PERCEPTION, PRIORITY, AND BUDGET 41
INTERNAL RISK 2: TRADITIONAL AND SHADOW IT 42
INTERNAL RISK 3: MOBILE 44
INTERNAL RISK 4: PEOPLE 53
EXTERNAL RISKS 55
EXTERNAL RISK 1: TECHNOLOGY ADVANCES 56
EXTERNAL RISK 2: CLOUD STORAGE 57
EXTERNAL RISK 3: HACKING 59
EXTERNAL RISK 4: REGULATION 63
EXTERNAL RISK 5: NATURAL DISASTERS AND SQUIRRELS 67
CHAPTER 3 - REPUTATION AND IDENTITY 68
REPUTATION 68
REPUTATIONAL RISKS 69
DEFINING IDENTITY 70
DIGITAL IDENTITY 71
LEGAL IDENTITY 74
EXECUTIVE IDENTITY 74
CORPORATE IDENTITY: THE BRAND 79
VALUE AND WORTH OF IDENTITY 82
IDENTITY VERSUS REPUTATION 86
PROTECTING IDENTITY 89
PROTECTING REPUTATION 91
CHAPTER 4 - THE NEW WORKFORCE 94
EMPLOYMENT CYCLE 95
WHO IS THE WORKFORCE? 96
MILLENNIALS 98
RECRUITMENT 99
HIRING 103
EMPLOYMENT 105
TERMINATION 111
OTHER 113
CHAPTER 5 - BIG DATA 116
DATA CYCLE 118
DATA MANAGEMENT PLANS 120
DATA CLASSIFICATION 121
DATA ACCESS 123
DATA ANALYTICS 125
PROTECTING DATA: BACKUP 127
LOSING DATA 129
DATA RECOVERY 130
PRIVACY: TO USE OR NOT TO USE DATA DILEMMA 132
PROTECTING AGAINST LIABILITY FOR DATA/PRIVACY LOSS 135
DATA SURVEILLANCE 138
DICTATORSHIP OF DATA 139
CHAPTER 6 - APPROACHES TO CONTENT 142
CONTENT MARKETING VERSUS CONTENT MANAGEMENT 143
DIFFERENT AUDIENCES, DIFFERENT CONTENT 143
MYTHS OF CONTENT MARKETING AND CONTENT MANAGEMENT 144
BENEFITS OF THE CONTENT APPROACH 145
INTELLECTUAL PROPERTY RIGHTS, RISKS, AND CONTENT 146
IP CYCLE 147
COPYRIGHTS 149
DIGITAL MILLENNIUM COPYRIGHT ACT 150
FAIR USE DOCTRINE 151
INTERNATIONAL IP CONCERNS 153
CREATIVE COMMONS LICENSE 154
A COUPLE OF DIGITAL CONCERNS FOR COPYRIGHTS 155
TRADEMARKS 156
TRADEMARK AND GRIPE SITES 159
TRADEMARK AND REPUTATIONAL RISKS 161
TRADE SECRETS 161
PATENTS 162
TECHNOLOGY DEVELOPMENT 163
IP OTHER RISKS 164
IP VALUATION 166
IP LEGISLATION 166
CHAPTER 7 - COMPLIANCE 168
WHO NEEDS TO BE COMPLIANT? 170
GENERAL COMPLIANCE: DISCLOSURES 172
GENERAL COMPLIANCE: DISCLAIMERS 175
GENERAL COMPLIANCE: HUMAN RESOURCES 177
FINANCIAL INSTITUTIONS 179
HEALTH CARE AND MEDICAL INSTITUTIONS 185
HIGHER EDUCATION (FERPA) 189
PROFESSIONAL TRADE OVERSIGHT AND ORGANIZATIONS: MOBILE 190
OTHER FEDERAL AGENCIES 191
FEDERAL LEGISLATION 192
STATE LEGISLATION 195
COMPLIANCE OVERSIGHT 197
COMPLIANCE TRAINING 199
CHAPTER 8 - CURRENCY AND CAMPAIGNS 200
ONLINE BANKING 202
E-PAYMENTS CONVERT TO M-PAYMENTS 205
VIRTUAL CURRENCY 206
DIGITAL CURRENCY 207
BITCOIN 208
BEYOND BITCOINS 213
CROWDFUNDING 214
ONLINE MICROFINANCING 218
ONLINE CHARITABLE DONATIONS AND FUNDRAISING 219
FUTURE OF MONEY 219
DIGITAL POLITICAL CAMPAIGNS 221
DIGITAL ADVOCACY 223
DIGITAL LOBBYING 225
RISK AND SECURITY OF ONLINE POLITICS 226
CHAPTER 9 - DIGITAL SUCCESSION 228
SUCCESSION PLANNING 230
INFORMATION TECHNOLOGY SECURITY SHORTAGE 233
THE NEXT GENERATION OF INFOSEC PRO 234
WOMEN IN INFOSEC 238
CYBERSECURITY SIMULATIONS 240
DIGITAL LEGACY 241
DIGITAL ASSETS 242
DIGITAL AFTERLIFE 243
DIGITAL EXPIRATION 246
DIGITAL IMMORTALITY 249
CHAPTER 10 - THE FUTURE OF ONLINE SECURITY 252
THE FUTURE: UNPREDICTABLE 255
THE FUTURE: FOUR SCENARIOS 257
MONITORED MAN 267
BICENTENNIAL MAN REVISITED 269
CREDENTIAL VERIFICATION 270
BIG DATA 270
Index 274

Chapter 1

Risk Management Digital Style


Abstract


This introductory chapter lays out the context of the book by giving an overview of risk management concepts and how they apply in a digital environment. It goes over risk management models and the risk management process.

Keywords


BlueWave computing; Critical security controls; Incident response; Models; Risk analysis; Risk assessment; Risk identification; Risk level; Risk management; Risk management apps; Risk mitigation; Risk remediation; Risk response; SANS; Security; Socially legal audit; Threat

Which risks are relevant? Those that impact business goals.

Which risks impact business goals? They all do.


Did you hear the one about the IT security officer who “resigned” after it was discovered that a data breach at its retail operations headquarters that affected millions of customers could have been avoided if only one of over 60,000 alerts had been heeded?[1] Or the one about a security consultant who leaked information about a government surveillance program, bringing world leaders to the defense, who ended up exiled in Russia but had a great turnout at South by Southwest?[2] Or how about the one of computer engineers who lost their life savings and their jobs in the misplacement of digital currency?[3] Or the one about the employee who left a company laptop connected to public Wi-Fi at the coffee shop that led to insider trading violations and criminal penalties?[4] Or the one…
I think you get the point. There have been a lot of “ones” in the news and even more not in the spotlight. In 2011, Verizon reported “855 incidents and 174 million compromised records.”[5] To update that, the Online Trust Alliance (OTA) released their report in January 2014, which indicated that of over 500 data breaches in the first half of 2013 “31 percent of incidents were due to insider threats or mistakes; 21 percent resulted from the loss of computers, hard drives, and paper documents; 76 percent were due to weak or stolen account logins and passwords; and 29 percent of compromises resulted from social engineering.”[6] What do these have in common? They all dealt with information technology in the online digital environment.
As we begin our exploration of online risk and security, it is useful to make sure we are on the same page. Defining the lexicon of the landscape allows us to define risk management and security in the context of the digital environment and determine whether they are different because of this new context or whether they have simply been expanded. Therefore, we begin with standard definitions of risk management, risk, security, and threat. You may have your own favorite you use, but we will stick with these as we head out.
Risk management
The identification, analysis, assessment, control, and avoidance, minimization, or elimination of unacceptable risks.[7]
Risk
A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action.[8]
Security
The prevention of and protection against assault, damage, fire, fraud, invasion of privacy, theft, unlawful entry, and other such occurrences caused by deliberate action; the extent to which a computer system is protected from data corruption, destruction, interception, loss, or unauthorized access.[9]
Threat
Indication of an approaching or imminent menace; negative event that can cause a risk to become a loss, expressed as an aggregate of risk, consequences of risk, and the likelihood of the occurrence of the event. A threat may be a natural phenomenon such as an earthquake, flood, or storm, or a man-made incident such as fire, power failure, sabotage, etc.; action or potential occurrence (whether or not malicious) to breach the security of the system by exploiting its known or unknown vulnerabilities.[10]
Most of those definitions should seem familiar to you. However, there are some key words within them that bear special consideration as we look at online security and risk management. First, risk management brings up the issue that there are acceptable and unacceptable risks—what would be an acceptable risk has long been debated by security professionals. One school of thought is that any risk is unacceptable. The other believes it is a return-on-investment (ROI) question—how much does it cost to mitigate the risk versus how much will the risk impact cost if left alone?
Second, notice that the definitions of risk and threat are symbiotic with two main differences: a threat is indicated as something that can be foreseen and is imminent; a risk is just a probability. But both indicate that they can be avoided to a certain extent—excluding natural disasters.
Third, security is presented to offer a safety net around property—whether tangible or intangible, such as online data. And last, risk management is about looking at risk and threats and setting up procedures to answer some specific questions to give a sense of security:
1. What are the real, material risks and threats?
2. What are we doing about them?
3. Is what we are doing actually working?

Risk management models


Companies cannot eliminate all risks for two reasons. First, the internal and external threats that cause risk are very dynamic. Second, control investments eventually result in diminishing returns.[11]

There are quite a few risk management models out there. Just Google “risk management” and you will have, as I did in July 2013, over 388,000,000 results come up. But most of the models concur on a series of steps that make the process viable and effective.

Step 1: risk identification


Identifying what risks may actually exist in a company’s online infrastructure and digital activity is where it all begins. There are a number of tools to assist the internal risk management professional to complete this on their own, as well as a number of third-party companies that offer auditing and risk assessment services for a price.
The gathering and compilation of this information should go beyond a report. It should be looked at as a dynamic and changing set of factors that need to be understood and dealt with in a strategic way, meaning in the best interests of the company (legally of course).
Many companies use a series of security and risk management questions to help guide their collection of the needed data. One good resource is a paperback called The Ultimate Security Survey by James L. Schaub and Ken D. Biery. It is in its second edition and a bit on the expensive side, ranging from $625 to over $1000 on Amazon.com.[12] But it is very comprehensive.
At a minimum, an audit to gather risk information relating to online and digital activity security should include:
• The mission and demographics of the company
• Inventory of the current online footprint of the company (social media platforms, Web sites, intranets and internet sites, blogs, etc.)
• Inventory of digital and mobile devices accessing company data (laptops, tablets, smartphones, etc.)
• Inventory of access points into and out of company data systems
• Review of current online and digital activity security and risk management strategies and plans
• Review of online/digital employee roles, responsibilities, and liabilities (social media managers, mobile directors, app developers, etc.)
• Review of current IT-related policies and procedures (including social media, IT, privacy, passwords, e-mail, etc.)
• Review of online digital disclaimers and disclosures
• Review of online digital assets (including copyrights, trademarks, trade secrets, content contracts, development contracts, etc.)
• Review of company terms of use and service agreements with third-party vendors
• Review of online and digital content/document retention policies and procedures (including cloud-related legal concerns)
• Review of data collection, data security, authentication, and access
• Review of online crisis and reputation management
• Review of federal and state laws, and industry regulations and compliances that the company is subject to regarding online and digital activity
• Review of human resources’ use of online data for the employment cycle (including recruitment, interviewing, performance evaluation, and termination)
• Review of marketing’s use of online and digital resources to ensure compliance with specific regulations (such as contest and promotion rules, gaming laws, truth-in-advertising requirements, etc.)
• Review of cyber-risk insurance and coverage
For an example of an audit specifically focused on social media risk and liability, see the Socially Legal Audit sidebar.
SOCIALLY LEGAL AUDIT®
The Socially Legal Audit™ (SLA) tool is an instrument developed by Law2sm, LLC (www.law2sm.com)...

EPUB (Adobe DRM)

Copy protection: Adobe DRM
Adobe DRM is a copy protection scheme intended to protect the eBook against misuse. The eBook is authorized to your personal Adobe ID at download time. You can then read the eBook only on devices that are also registered to your Adobe ID.

File format: EPUB (Electronic Publication)
EPUB is an open standard for eBooks and is particularly suited to fiction and non-fiction. The running text adapts dynamically to the display and font size, so EPUB is also well suited to mobile reading devices.

System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You need an Adobe ID and the free Adobe Digital Editions software. We advise against using the OverDrive Media Console, as experience shows that problems with Adobe DRM occur frequently with it.
eReader: This eBook can be read on (almost) all eBook readers. It is not compatible with the Amazon Kindle, however.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You need an Adobe ID and a free app.

Buying eBooks from abroad
For tax law reasons we can sell eBooks only within Germany and Switzerland. Regrettably, we cannot fulfill eBook orders from other countries.
