Wednesday, September 5, 2018

Threat intelligence in enterprises

Threat intelligence is a fairly new concept, still evolving as a product or service. The idea is to gather raw data about existing or emerging threats and threat actors from several sources, then analyze and filter that data to produce usable information in the form of management reports and data feeds for automated security controls. Its primary purpose is to help organizations understand the risks of, and better protect against, major threats, specifically zero-day threats. The service can be tuned to deal with advanced persistent threats and exploits, especially those most likely to affect a customer's specific environment.
Learning about relevant threats as soon as possible gives organizations the best chance to proactively close security holes and take other actions to prevent data losses, breaches or system failures.

Threat intelligence service models

Threat intelligence service companies (ITS among them) are relative newcomers to this segment of the security industry, so there are still a lot of differences among the types of services each vendor delivers.
Some such services simply provide data feeds that have been cleansed of most false positives. The most common fee-based services provide aggregated and correlated data feeds (usually two or more), as well as customized alerts and warnings specific to a customer's risk landscape. A third type of threat intelligence service handles data aggregation and correlation, incorporates the information automatically into security devices (firewalls, security information and event management systems, etc.), and provides industry-specific threat assessments and security consulting.
Many types of threat intelligence platforms are sold on a subscription basis, usually at two or three capability levels, and are delivered via a cloud platform. We at India Training Services offer managed services for delivery across on-premises systems. This comprises training and a solution installed on a cloud platform for the enterprise, packaged as one threat management solution.
Threat intelligence platforms can dramatically improve the efficiency of security staff in proactively blocking security incidents. However, because subscription costs tend to run from moderately high to very expensive, and because of the equipment needed for on-premises deployment, threat intelligence platforms are currently geared mainly toward larger midmarket organizations and enterprises. As the cloud continues to move down market, threat intelligence tools are bound to do likewise.

The history of threat intelligence

Threat intelligence solutions or platforms came into being mainly because of the plethora of data available, whether generated internally or acquired from external feeds, on current and emerging IT security threats. It takes considerable time, effort and expertise to sift through the data and transform it into information that's pertinent to an organization, however.
Security companies, such as Symantec, that make it their business to track threats and provide frequent updates to their antivirus products have maintained global threat databases for years, populated from software agents running on millions of client computers and other devices. Such data, along with feeds from other sources, is the foundation for the information provided by threat intelligence tools.

Understanding threat intelligence service data

Data from various threat intelligence sources differs in quality and structure, and must be validated. Validating data involves human and machine analysis for processing, sorting and interpreting.
Apparent threats are also correlated against the entire pool of threat data to identify patterns that indicate suspicious or malicious activity, and are also linked to technical indicators for categorization purposes. Finally, the data is converted into contextual information that provides insights about the tactics and behavior patterns of emerging or advanced threats and threat actors.
In the end, threat information that is usable and actionable must be accurate, timely and relevant to the customer, be aligned with the customer's security strategy, and be easily incorporated into existing security systems.

Characteristic features of threat intelligence solutions

Now that we've understood the purposes and benefits of threat intelligence, let's look at the most common features found in these kinds of services.
  • Data feeds: Many types of data feeds are available through threat intelligence platforms. Examples include IP addresses, malicious domains/URLs, phishing URLs, malware hashes and many more. A vendor's threat intelligence feeds should draw data from its own global database, as well as from open source data, information from industry groups and so on, to produce a pool of data that is both broad and deep.
  • Alerts and reports: Most services provide real-time alerts, along with daily, weekly, monthly and quarterly threat reports. Intelligence may include information about specific types of malware, emerging threats, and threat actors and their motives.
Security analysts or IT security staff members are needed to manage data feed information. The data is either incorporated into proprietary equipment (typically from the same vendor that provides the feed), or the information may be available in standard file formats, such as XML, CSV, STIX or JSON, for use in a variety of security management tools and platforms.
Depending on the level of information in the data feeds, staff might need specialized or specific training from the vendor.
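The validation, de-duplication and correlation steps described under "Understanding threat intelligence service data", and the feed-ingestion step described just above, as an added example. This is not code from ITS or from any feed vendor: it reads a constructed STIX 2.1 bundle (the indicator ids, domain, IP address and hash are made up), drops expired or duplicate indicators, and then matches the remaining ones against a few constructed DNS and proxy log lines, which is the "incorporate the feed into existing security systems" step in its simplest form.

```python
"""Ingest a STIX indicator feed, validate and de-duplicate it, then match it
against local log lines.  Added example, not the page's or any vendor's code;
the bundle and the log lines are constructed samples."""
import json
import re
from datetime import datetime, timezone

# Constructed sample feed: four indicators, one a case-variant duplicate and one expired.
STIX_FEED = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--1", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'bad-updates.example']",
         "valid_until": "2099-01-01T00:00:00Z", "confidence": 85},
        {"type": "indicator", "id": "indicator--2", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.45']",
         "valid_until": "2099-01-01T00:00:00Z", "confidence": 60},
        {"type": "indicator", "id": "indicator--3", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'BAD-UPDATES.EXAMPLE']",   # same domain, different case
         "valid_until": "2099-01-01T00:00:00Z", "confidence": 40},
        {"type": "indicator", "id": "indicator--4", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']",   # constructed hash, expired
         "valid_until": "2000-01-01T00:00:00Z", "confidence": 90},
    ],
})

# Constructed log lines from a DNS resolver and a web proxy.
LOG_LINES = [
    "2018-09-05T10:01:02Z dns client=10.0.0.12 query=bad-updates.example type=A",
    "2018-09-05T10:01:03Z proxy client=10.0.0.12 dst=203.0.113.45:443 bytes=5120",
    "2018-09-05T10:02:00Z proxy client=10.0.0.19 dst=198.51.100.7:443 bytes=88",
]

# Only the simplest STIX pattern shape is handled: one object:property = 'value'.
PATTERN_RE = re.compile(r"^\[(?P<otype>[\w-]+):(?P<prop>[^\s=]+)\s*=\s*'(?P<value>[^']+)'\]$")


def parse_feed(feed_json, now=None):
    """Return {(object_type, value): indicator} after validation.

    Expired and unparseable indicators are dropped; duplicates (after
    normalising case) keep the highest confidence value the feed reports."""
    now = now or datetime.now(timezone.utc)
    indicators = {}
    for obj in json.loads(feed_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        valid_until = obj.get("valid_until")
        if valid_until and datetime.fromisoformat(valid_until.replace("Z", "+00:00")) < now:
            continue  # stale: matching it would only generate false positives
        m = PATTERN_RE.match(obj.get("pattern", ""))
        if not m:
            continue
        otype, value = m.group("otype"), m.group("value")
        if otype in ("domain-name", "url", "file"):
            value = value.lower()  # case is not significant for DNS names or hex digests
        key = (otype, value)
        conf = int(obj.get("confidence", 0))
        if key not in indicators or conf > indicators[key]["confidence"]:
            indicators[key] = {"id": obj["id"], "type": otype, "value": value, "confidence": conf}
    return indicators


def match_logs(indicators, lines, min_confidence=50):
    """Search each log line for each indicator value; one hit per (line, indicator).

    The lookarounds stop 203.0.113.45 from matching inside 203.0.113.450."""
    compiled = [
        (ind, re.compile(r"(?<![\w.])" + re.escape(ind["value"]) + r"(?![\w.])", re.IGNORECASE))
        for ind in indicators.values() if ind["confidence"] >= min_confidence
    ]
    hits = []
    for line in lines:
        for ind, rx in compiled:
            if rx.search(line):
                hits.append({"line": line, "indicator": ind["id"],
                             "value": ind["value"], "confidence": ind["confidence"]})
    return hits


if __name__ == "__main__":
    feed = parse_feed(STIX_FEED)
    for hit in match_logs(feed, LOG_LINES):
        print(hit["indicator"], hit["value"], "->", hit["line"])
```

The confidence threshold is where the "cleansed of false positives" promise of a feed meets local policy: a low-confidence domain indicator might be worth a DNS query alert but not an automatic firewall block, so the same parsed feed can be fed to several controls with different thresholds.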
Some companies offer managed security services that offload most of the administrative burden associated with a proactive security approach. A managed service may include experts that provide threat intelligence reports, monitor an organization's assets 24/7 and provide threat mitigation and incident response.
The cost of threat intelligence platforms varies as much as the services themselves. Data feeds alone can cost thousands of dollars per month, and related expenses include the costs of maintaining a 24/7 security operations center staffed with technicians and analysts. By way of comparison, managed security services are typically tens of thousands of dollars per month, easily running into six or seven figures per year for larger environments.
As with most things in business, the least expensive services require more human time and effort on the customer side.
Because threat intelligence services vary widely, a key challenge in selecting one is knowing what the organization needs: which information is the most critical to maintain, how that information will be distributed and used, and whether the right staff are in place to use the service appropriately.
There are a large number of threat intelligence services out there, and they all collect and deliver data about emerging threats in different ways. Some are better at providing detailed global threat reports, while others are capable of drilling down and delivering reports that are highly industry- or even company-specific. In addition, some services better serve an organization with existing defense equipment, while others provide threat intelligence that is easily integrated into an organization's existing security controls, no matter the equipment in place.
We deliver a range of training courses carefully designed to help people and organizations protect themselves against crippling data attacks. We can tailor a specific training module to meet your needs, or you can contact me at ravindrapande@gmail.com.
Also we have pre-developed modules on Threat Intelligence planning:
  • Developer Security Training
  • QA Security Testing Training
  • Mobile Penetration Testing Training
  • Wireless Penetration Testing Training
  • Security Awareness Training
  • Web Application Penetration Testing Training
  • Infrastructure Penetration Testing Training

Visit us at www.indiatrainingservices.com

Wednesday, July 18, 2018

Smartness Progress IoT

Our smartphones are about to get smarter, thanks to artificial intelligence (AI) and machine learning (ML). And that has huge implications for enterprise support for mobility. We at India Training Services have been analyzing the inherent risks and educating enterprises as well as individuals to address security lapses in such smart adoption. This is just a summary of our findings from the last few months.

Enterprise mobility has long promised to allow workers to be productive wherever they are, to speed up business processes and to improve accuracy and efficiency by putting the most up-to-date data in the hands of workers in the field, says Kevin Burden, vice president of mobility research and data strategy at 451 Research. The addition of AI will help deliver on those promises.

The ways it will do that are multifaceted, with the effects seen in the areas of device management, user experience, security, applications and the very devices themselves. At the same time, new concerns about privacy are sure to arise as AI and ML become ever more efficient at gathering data points.

AI is going to mean new applications and possibly even new device types, primarily because AI will alter and improve the business logic within apps. Applications will be able to take advantage of advanced user interfaces with speech and visual gesture recognition. One element of enterprise mobility that will clearly benefit from AI is the organizational challenge created by having a disparate and mobile workforce. Application providers will apply ML to user activity streams, giving organizations insight into how end users spend their time, he says. As patterns of behavior are identified, organizations will be able to improve processes and the user experience.

Easier authentication is one example. Pattern recognition is an AI strength. Because AI can gather huge amounts of such data and recognize anomalies with ease, it can make authentication much more transparent for users.

Some of the more advanced algorithms detect how a user enters text and analyze their gait. Pair those distinctive patterns with information on the user’s active connections and GPS data. The number of layers of multi-factor authentication or constant requirements to enter passwords could be greatly reduced. Take this mobile device management course from India Training Services and learn how to secure devices in your company/ group/ homes without degrading the user experience.
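The kind of risk-based (adaptive) authentication the two paragraphs above describe, as an added example that is not code from any vendor or from India Training Services. It combines a behavioural signal (keystroke timing compared with the user's baseline), location (distance from the user's usual places) and network context into a single risk score, then decides whether to let the user in, step up to a second factor, or refuse. The user profile, the three sessions, the weights and the thresholds are all constructed for illustration.

```python
"""Risk-based authentication from behavioural and context signals.  Added
example; not code from any product named on the page.  Profile values,
weights and thresholds are assumptions chosen for illustration."""
import math
from statistics import mean

# Constructed profile learned from a user's earlier, confirmed-good sessions.
PROFILE = {
    "typing_mean_ms": 180.0,              # mean interval between keystrokes
    "typing_std_ms": 25.0,
    "usual_locations": [(18.52, 73.86)],  # (lat, lon) of the user's normal city
    "known_networks": {"corp-wifi", "home-wifi"},
}

# Constructed sessions: an ordinary day, business travel, and a likely account takeover.
NORMAL = {"key_intervals_ms": [175, 185, 190, 170, 180], "gps": (18.53, 73.85), "network": "corp-wifi"}
TRAVEL = {"key_intervals_ms": [175, 185, 190, 170, 180], "gps": (51.50, -0.12), "network": "hotel-wifi"}
TAKEOVER = {"key_intervals_ms": [400, 420, 390, 410, 380], "gps": (51.50, -0.12), "network": "hotel-wifi"}


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def typing_zscore(profile, intervals):
    """How far this session's mean keystroke interval sits from the baseline, in std devs."""
    sigma = profile["typing_std_ms"]
    return abs(mean(intervals) - profile["typing_mean_ms"]) / sigma if sigma else 0.0


def risk_score(profile, session):
    """0..100; each signal adds weight only when it deviates from the profile."""
    score = 0
    z = typing_zscore(profile, session["key_intervals_ms"])
    score += 40 if z > 3 else 20 if z > 2 else 0
    km = min(haversine_km(session["gps"], loc) for loc in profile["usual_locations"])
    score += 40 if km > 500 else 15 if km > 50 else 0
    if session["network"] not in profile["known_networks"]:
        score += 20
    return min(score, 100)


def classify(score):
    return "low" if score < 25 else "medium" if score < 70 else "high"


ACTIONS = {"low": "allow", "medium": "step_up_mfa", "high": "deny"}


def decide(profile, session):
    """The authentication decision: no prompt, an extra factor, or refusal."""
    score = risk_score(profile, session)
    level = classify(score)
    return {"score": score, "level": level, "action": ACTIONS[level]}


def update_profile(profile, session, alpha=0.1):
    """After a low-risk login, nudge the baseline towards the new observation
    (exponential moving average) and remember the network.  Medium- and
    high-risk sessions never update the profile, so an attacker cannot
    gradually teach it their own behaviour."""
    if classify(risk_score(profile, session)) != "low":
        return profile
    profile["typing_mean_ms"] = ((1 - alpha) * profile["typing_mean_ms"]
                                 + alpha * mean(session["key_intervals_ms"]))
    profile["known_networks"].add(session["network"])
    return profile


if __name__ == "__main__":
    for name, session in (("normal", NORMAL), ("travel", TRAVEL), ("takeover", TAKEOVER)):
        print(name, decide(PROFILE, session))
```

The travel session shows the point of the post: a genuine user on the road is prompted for a second factor exactly once, instead of on every login, while an ordinary day at the office produces no prompt at all.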

Another important AI/ML improvement will be in speech-to-text capabilities, allowing that technology to replace typed input on smartphones in some situations. Verticals such as medicine will use speech for basic data-input tasks such as records and workflow updates on a regular basis. Applications will become intuitive in whole new ways: ML will also be integrated into mobile applications to enable quicker and more intelligent decisions, responses and inputs that anticipate user actions, instead of requiring users to look for options in windows and drop-downs.

IT, too, will benefit from AI's and ML's assistance with device management. The technology can be used to scan all of the devices in an organization and proactively notify the administrator of issues, such as the discovery that 25% of the organization's Android devices are two versions out of date. Even more helpful for IT organizations that are short of personnel is the potential to automate actions based on the information discovered by AI/ML. The technology will really pay off for IT once the systems can use AI to detect and remediate issues on the fly.

IT is also likely to appreciate many of the AI-fueled user-experience enhancements that are coming to email, contact and calendar tools as vendors add personal-assistant technology. It's fairly common already for calendars to use AI to tell users when they should leave for an appointment. This has already started in many event-management programs.

The advantage to IT isn’t direct, but many IT departments want users to stick to their company-provided email, contact and calendar tools when working, as a way to protect and segregate work data from personal and other needs. The new user-facing convenience features could make using those tools more appealing to users.

While it is still becoming clear, day by day, how AI will impact the overall mobility market in the long term, it is certain that the enterprise mobility management space is very crowded, without any real differentiation, so vendors will look to AI for new ways to innovate and to build more cost-effective and time-saving ways of getting results out of these technologies.

AI and security. Perhaps the area with the greatest potential to get a boost from AI, and particularly from its pattern-recognition chops, is security. Certainly many vendors are already incorporating AI/ML into their security offerings as a way to boost performance.

One area where vendors already have offerings is ML-based mobile threat detection. For example, one major vendor uses ML in its new, still-maturing threat defense mechanism, which employs usage and behavioral analysis to detect suspicious behavior in mobile apps or networks and then learns from the information it gathers to continuously improve its ability to detect malware and rogue networks.

Other vendors have integrated deep learning into their endpoint security products to provide what they call "predictive security." One such company aims to extend this deep learning layer to all endpoints, including mobile ones, and has also introduced an email protection tool that uses the same technology to intercept more threats before they can reach the endpoints.

Other vendors see an opportunity to use AI to help IT departments that are stretched thin make sense of all the data gathered by their existing endpoint management tools. Among them is Citrix, whose unified endpoint management offering manages all devices that enter the workplace, including laptops, mobile phones, tablets and wearables. The Citrix security analytics application monitors those devices and helps IT apply security policies and ensure that the network remains secure.


Citrix Analytics also performs user-behavior analytics, applying machine learning to categorize users as high, medium or low risks and then adjusting the risk scores as more data comes into the system.
IBM, meanwhile, has developed MaaS360 with Watson, a cloud-based application designed to help IT administrators make sense of the massive amounts of data generated by endpoints and their users, apps and content. It applies cognitive technologies to security, end-user productivity, mobile app management and administration.

Enterprise mobility management users are inundated with more information than they can absorb about apps, configuration/policy best practices, productivity tools, and emerging threats and vulnerabilities, IBM explains. IBM MaaS360 delivers cognitive insights, embedded in the platform, to help organizations wade through the information they’re gathering and distill it into insights and recommendations that are relevant to their business. The core of MaaS360 is IBM Watson technology, which can index and annotate huge volumes of datasets to look for relevant data that applies contextually to each individual client deployment of MaaS360.

A privacy backlash? One dark cloud on the AI/ML front is data privacy.

Users have become more aware of the perils of their personal information ending up in the hands of companies such as Facebook and Google. So the idea of an employer or other company retaining the outputs of their mobile devices, apps and data usage, which some call workplace analytics, is sure to meet opposition from some users.

These concerns can't be ignored, especially given the emergence of strict regulations such as the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018. These regulatory concerns could strip the utility from mobile offerings dependent on AI/ML. While user pushback on data collection will not negate the value of AI/ML in mobile offerings, it could impede the collection of data for some or all users, and without data the results will deteriorate. That, in turn, could make the data less useful for some groups of users or some regions, while still providing value to others.

To improve this, organizations must be forthright in discussing what data they collect and how it will be used. Many big IT players advise clients to illustrate the outcome and its benefit to users, and to take pains to note what won't be collected or done with the data. The list of what IT does not do with data should almost always be longer than the list of what it does or can do with it.

Feel free to contact me at ravindrapande@gmail.com in case need any further details.

Wednesday, June 27, 2018

Startup Failures


I have observed or worked with, say, a few startups now, and some are failures as far as achieving their planned business goals is concerned. Are they in business? Yes; only one moved away from software development. I am just trying to collect my thoughts on these failures. I don't want to blame anyone in particular, but to review from a third-party PMO standpoint. As a PMO, manager and leader, I tried my best to go and educate the CEO and other founders, without much impact; yes, this is my shortcoming. This is my personal analysis, so please don't escalate it to anyone or any business.

There is a clear difference between leadership and management. Leadership is of the spirit, management is of the mind. Managers are necessary, but leaders are essential. We must find managers who are not only skilled organizers, but inspired and inspiring leaders.

I've often said real leaders refuse to take the credit for success, but they will always accept responsibility for failures. Yes, but it goes with the territory. In this blog I'm going to toss out the politically correct storylines and reveal the top reasons that leaders fail.

In the points listed below I’ll examine some of the more common reasons attributed to business failure, and I’ll likewise assess the roles and responsibilities of leadership as they pertain to said reasons being leadership failures:

Lack of Vision: It is the role of the CEO to clearly define and communicate the corporate vision. If there is no vision, a flawed vision, or a poorly communicated vision, the responsibility falls squarely in the lap of executive leadership. Moreover, if the vision is not in alignment with the corporate values there will also be troubled waters ahead.

Poor Branding: A poor brand generally means leadership has failed. Brands fall into decline for only one reason: leaders have abdicated their responsibility. They have allowed their brand equity to erode and failed to deliver on the brand promise. Leaders who don't steward their brand as one of the greatest corporate assets deserve the fate that awaits them. Branding is an inline activity; you cannot wait to build first and only then start branding. In my understanding, branding starts with the vision, at the inception of the idea.

Lack of Character: It doesn't matter what your title is; if you don't do the right things for the right reasons you will fail. Leaders who don't display character won't attract it or retain it in others. Leaders who fail to demonstrate a constancy of character won't create trust, won't engender confidence and won't create loyalty. Understanding the vision builds a responsibility for execution, so even when the CEO is the visionary, as in most cases, if he acts as an external observer things start going the "this was/is his responsibility" way, and the blame game and the rectifications kill the schedules and deliveries.

Lack of Execution: Everything boils down to execution, and ensuring a certainty of execution is job number one for executive leadership. Entrepreneurs or CEOs who don't focus on deploying the necessary talent and resources to ensure that the largest risks are adequately managed, or that the biggest opportunities are exploited, have a leadership team destined for failure. Many CEOs build a team while declaring "this is not what I will do; I will just observe"; for example, initial sales are left to technocrats, which cripples everything. Sales is the art where technocrats mostly fail, as they are more in love with the product, as its creators, than they are able to understand the business angle.


Flawed Strategy: A flawed strategy simply reveals weak leadership. While there are exceptions to every rule, companies tend to succeed by design and fail by default. Show me a company with a flawed strategy and I'll show you an inept leader. This is a major killing point, and there is no fixed formula; only an understanding of business augmentation will take you to the end.

Capital Shortages: I have witnessed well-capitalized ventures fail miserably, and severely under-capitalized ventures eventually grow into category-dominant brands. A lack of capital can provide a socially acceptable excuse for business failure, but it is not the reason businesses fail. Raising, deploying and managing capital is ultimately the responsibility of leadership. The amount of capital required to run a business is based upon how the business is operated. Therefore, if leadership operates the business without consideration for capital constraints, or irrespective of capital formation issues, then the blame should fall squarely on the shoulders of leadership. Moreover, if executive leadership squanders capital through irresponsible acts, there will also be severe consequences. This is a major issue with Indian execution, but still

Poor Management: It is the job of leadership to recruit, mentor, deploy, and retain management talent. If the management team is not getting the job done, it's not a management problem, it's the fault of executive leadership. Show me a leader that blames his management team for failure to execute and I'll show you a poor leader.

Lack of Sales: A lack of sales is ultimately attributable to a lack of leadership. Strategy, pricing, positioning, branding, distribution, compensation, or any number of other metrics tied to sales force productivity all rest with executive leadership. A lack of revenue is not someone else's problem, it's a leadership problem.

Toxic Culture: The truth is nothing stifles productivity and creates conflict like a toxic culture. That said, a toxic culture simply cannot exist where good leadership is present and engaged. If the lunatics have gained control over the asylum, be sure to fit leadership for a straitjacket as well.

No Innovation: Leaders create a culture of innovation or they kill it. Leaders who can’t stay in front of the market tend to get run over by it. Great leaders have a strong bias to action. They don’t rest upon past accomplishments, and are always seeking to improve through change and innovation. Those leaders who don’t openly embrace change will be doomed by their antiquated outlook.

Market Target miss: Good leadership pursues sound market opportunities. Pursuing the wrong market, or pursuing the right market improperly is also the fault of executive leadership. Scaling a business too fast, too slow, or worse yet, not designing a scalable business to begin with is a leadership issue. No market equals no leadership…

Poor Professional Association: Nobody has cornered the market on knowledge and wisdom. If leadership doesn't seek out the best quality advice available to them, then they will likely not make the best decisions. All CEOs and entrepreneurs need top quality professional advisers. There is no excuse for C-level leaders to have blind spots. When a leader has a "miss" or a blind spot, he or she is simply showing the arrogance of operating within the limitations of their own thinking.

The Inability to Attract and Retain Talent: Great leaders surround themselves with great talent. They understand that talent begets more talent. If your company doesn't possess the talent it needs to achieve its business objectives, no one is to blame but leadership.

Competitive Awareness: A business does not need to be the category dominant player to avoid failure. That being said, it is the leadership’s responsibility to understand the competitive landscape and navigate it successfully. If a company isn’t consistently winning, it’s not what the competition is doing, but rather poor leadership that creates the inability to compete.

Obsolescence or Market Changes: If executive leadership is in touch with the market it will be difficult to be caught by surprise. It is the responsibility of executive leadership to make sure that the proper attention is given to innovation, business intelligence and market research to manage the risk of obsolescence and market changes.

A few words on leaders and team chemistry. Leaders develop guidelines with their team, and constantly enlarge those guidelines as the team becomes willing to accept more responsibility; this can be as simple as coding standards or security guidelines at work. Leaders change their role according to the demands of the team; for example, they become more of a coach or facilitator. Leaders involve team members, working together or owning together, in finding new ways to achieve agreed-upon goals. Leaders create the opportunity for group participation and recognize that only team members can make the choice to participate. This needs to happen; otherwise we are moving towards doom.

Bottom line: businesses don't fail, leaders do. The talent that it takes to operate at the C level is matched only by the amount of responsibility that goes with the territory. If it was an easy job, everyone would be a CEO or entrepreneur. Thoughts? Write to me at ravindrapande@gmail.com; happy to learn and grow at India Training Services.

Saturday, May 26, 2018

Data Breach to GDPR


This is the most basic kind of breach that can be discussed, and it can be prevented to a great extent by simple measures following the 80-20 rule: if you address the 20% of prevention measures religiously, you could stop 80% of these leaks.
Let's define data breach: "A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so." Data breaches may involve financial information such as credit card or bank details, personal health information (PHI), personally identifiable information (PII), trade secrets of corporations or intellectual property. Most data breaches involve overexposed and vulnerable unstructured data (files, documents and sensitive information); a breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment. Other terms for this phenomenon include unintentional information disclosure, data leak and data spill (source: Wikipedia).
Various data protection regulations have been implemented worldwide, but I personally believe the overall ignorance of users feeds 99% of these data breaches, so this is my humble effort to address such shortfalls.
Let's consider a simple data breach by an employee: a wrong attachment, or dissemination of the wrong information by mistake, can lead to major issues for the individual or the corporation. This can be prevented by checking emails before sending them. We could simply queue emails while composing them and send them later, to prevent any such nightmares.
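The "queue and check before sending" idea in the paragraph above, as an added example that is not code from the post. It is a pre-send check of the kind a mail client plug-in or an outbound mail gateway can run: a message is held in the outbox, with the reasons shown to the sender, when a sensitive-looking attachment or a card-number-like string is addressed outside the company, when a recipient's domain looks like a typo of the company's own, or when an unusually large number of external addresses appear in the open. The company domain, the keyword list and the four sample messages are constructed.

```python
"""Pre-send hold check for outbound mail.  Added example, not code from the
post; the organisation's domain, the keyword list and the sample messages are
constructed for illustration."""
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example-corp.test"   # assumed: the organisation's own mail domain
# File names that usually mean the attachment should not leave the company.
SENSITIVE_NAME_RE = re.compile(r"(salary|payroll|ssn|passport|confidential|customer[ _-]?list)", re.I)
# Crude 13-16 digit shape (card or account numbers); enough for a hold-and-confirm check.
CARD_LIKE_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
MAX_EXTERNAL_RECIPIENTS = 10


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: list = field(default_factory=list)   # attachment file names only


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike recipient domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def external_recipients(msg):
    return [r for r in msg.recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]


def check_message(msg):
    """Return the reasons to hold the message; an empty list means send now."""
    reasons = []
    ext = external_recipients(msg)
    if not ext:
        return reasons          # purely internal mail is not examined further here
    risky = [a for a in msg.attachments if SENSITIVE_NAME_RE.search(a)]
    if risky:
        reasons.append(f"sensitive-looking attachment(s) {risky} addressed outside the company")
    if CARD_LIKE_RE.search(msg.body):
        reasons.append("card-number-like string in the body of an external message")
    if len(ext) > MAX_EXTERNAL_RECIPIENTS:
        reasons.append(f"{len(ext)} external recipients; check To/Cc versus Bcc")
    for r in ext:
        domain = r.split("@")[-1].lower()
        if 0 < edit_distance(domain, INTERNAL_DOMAIN) <= 2:
            reasons.append(f"recipient domain {domain} looks like a typo of {INTERNAL_DOMAIN}")
    return reasons


def route(msg):
    """'send' immediately, or 'hold' in the outbox with the reasons for the sender."""
    reasons = check_message(msg)
    return {"action": "hold" if reasons else "send", "reasons": reasons}


# Constructed sample messages.
INTERNAL_OK = Message("a.kumar@example-corp.test", ["hr@example-corp.test"],
                      "Q3 payroll", "Attached.", ["payroll_q3.xlsx"])
EXTERNAL_OK = Message("a.kumar@example-corp.test", ["partner@partner.test"],
                      "Thursday", "Agenda attached, see you then.", ["agenda.pdf"])
MISSENT = Message("a.kumar@example-corp.test", ["hr@exampel-corp.test"],
                  "Q3 payroll", "Attached.", ["payroll_q3.xlsx"])
CARD_IN_BODY = Message("a.kumar@example-corp.test", ["partner@partner.test"],
                       "Booking", "Use card 4111 1111 1111 1111 for the deposit.")

if __name__ == "__main__":
    for name, msg in (("internal", INTERNAL_OK), ("external", EXTERNAL_OK),
                      ("missent", MISSENT), ("card", CARD_IN_BODY)):
        print(name, route(msg))
```

A hold is deliberately not a block: the sender can still confirm and send, which keeps false positives from the crude patterns cheap, while the log of held messages tells the security team which mistakes people actually make and therefore what the awareness training should cover.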
Then there is malware, short for malicious software: any software intentionally designed to cause damage to a computer, server or computer network. Malware does its damage after it is implanted or introduced in some way into a target's computer, and can take the form of executable code, scripts, active content and other software.
File-less malware is now a huge security challenge for organizations, and traditional email security controls aren't sufficient to meet the challenge.
Believe me, it's really easy to do 100 variants of the same [malicious] document even if we are using the same code, the same document, but you're putting 100 different random characters that aren't even visible in the document. It's super easy to create these, and if you're relying on signatures, you're going to have to wait for every one of the 100 to catch a signature. The points to consider here are:

  •     How malicious attachments are infecting organizations;
  •     Why traditional defenses fail to detect these payloads;
  •     How to respond when infections do penetrate defenses.
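Why a signature-only defense fails against the document variants described above, and what a detector can do about it, as an added example that is not code from the post or from any product. The "documents" are constructed text stand-ins for macro bodies with a placeholder where a command would be; three variants differ from the first only by invisible or whitespace characters. An exact SHA-256 signature treats each as new, whereas a hash taken over the normalised content collapses them to one value, and a behaviour heuristic (auto-executing entry point plus something that launches a program) also fires on a document no signature has seen.

```python
"""Detection that survives cosmetic variation.  Added example, not code from
the post; the documents are constructed stand-ins and the heuristic
illustrates the approach, not any product's rules."""
import hashlib
import re
import unicodedata

# Constructed samples: one risky macro body, trivial variants of it, and a harmless macro.
BASE_DOC = 'Sub AutoOpen()\n  Shell("<placeholder command>")\nEnd Sub\n'
VARIANT_1 = BASE_DOC.replace("AutoOpen", "Auto\u200bOpen")   # zero-width space inside a keyword
VARIANT_2 = BASE_DOC + "\u200c\u200d\ufeff"                   # invisible characters appended
VARIANT_3 = BASE_DOC.replace("\n", "\r\n  ")                 # line endings and indentation changed
CLEAN_DOC = 'Sub Main()\n  MsgBox "Quarterly figures"\nEnd Sub\n'
NEW_DOC = 'Sub Document_Open()\n  Set o = CreateObject("<placeholder>")\nEnd Sub\n'   # not on any list

# Unicode general categories with no visible content: format characters (zero-width
# joiners, byte-order mark), control characters (CR/LF/TAB) and the separators.
INVISIBLE_CATEGORIES = {"Cf", "Cc", "Zs", "Zl", "Zp"}


def exact_hash(doc):
    """The classic file signature: any byte-level change yields a new value."""
    return hashlib.sha256(doc.encode("utf-8")).hexdigest()


def normalize(doc):
    """Compatibility-normalise, drop invisible characters, lower-case."""
    text = unicodedata.normalize("NFKC", doc)
    return "".join(ch for ch in text if unicodedata.category(ch) not in INVISIBLE_CATEGORIES).lower()


def normalized_hash(doc):
    """Signature over the normalised content: cosmetic variants collapse to one value."""
    return hashlib.sha256(normalize(doc).encode("utf-8")).hexdigest()


# Behaviour heuristic, evaluated on normalised text so inserted characters cannot
# split the keywords: an auto-executing entry point plus a program launcher.
AUTOEXEC_RE = re.compile(r"sub(autoopen|autoexec|document_open|workbook_open)\(\)")
LAUNCH_RE = re.compile(r"\b(shell|wscript\.shell|createobject)\b")


def looks_malicious(doc):
    text = normalize(doc)
    return bool(AUTOEXEC_RE.search(text) and LAUNCH_RE.search(text))


def detect(doc, known_normalized_hashes):
    """Triage: 'known-variant' if the normalised hash is on the block list,
    'heuristic' if only the behaviour rule fires, otherwise 'clean'."""
    if normalized_hash(doc) in known_normalized_hashes:
        return "known-variant"
    if looks_malicious(doc):
        return "heuristic"
    return "clean"


if __name__ == "__main__":
    blocklist = {normalized_hash(BASE_DOC)}
    for name, doc in (("variant_1", VARIANT_1), ("variant_2", VARIANT_2),
                      ("variant_3", VARIANT_3), ("clean", CLEAN_DOC), ("new", NEW_DOC)):
        print(name, exact_hash(doc)[:12], normalized_hash(doc)[:12], detect(doc, blocklist))
```

The normalised hash is only a first step (a real sandbox or macro analyser goes much further), but it already turns "wait for all 100 signatures" into one entry, and the heuristic is the piece that covers the variant nobody has seen yet.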

Information management is critically important to all of us as employees, businesses and consumers. For that reason, various institutions have been tracking security breaches, looking for patterns, new trends and any information that may help educate consumers and businesses on the need to understand the value of protecting personal identifying information and business-critical data.
To understand the various data loss methods, consider the following points:

  1. Insider Theft
  2. Unauthorized Access
  3. Hacking / Computer Intrusion (includes Phishing, Ransomware/Malware and Skimming)
  4. Data on the Move 
  5. Physical Theft 
  6. Employee Error / Negligence / Improper Disposal / Lost 
  7. Accidental Web/Internet Exposure  
  8. Stalking on social network

Let's take a breath and understand how we could reduce these risk factors.
Insider theft is the act of stealing information stored on computers, servers, or other devices from an unknowing victim with the intent to compromise privacy or obtain confidential information. Data theft is a growing problem for individual computer users as well as large corporations and organizations.

Preventive measures for data breaches are:

  1. Train yourself, your employees and your customers.
  2. Segregate and secure sensitive information.
  3. Build strong security policies.
  4. Periodically and properly dispose of sensitive data.
  5. Protect against malware.
  6. Control physical access to your business computers.
  7. Encrypt data communication.
  8. Build and plan incident response teams.
  9. Review and update all account settings once a week.


1. Train your employees.
According to various reports, employees are the top cause of data breaches in small and mid-size businesses, accounting for 48 percent of all incidents. It's usually due to an innocent mistake; employees often lack basic awareness of data security and of how hackers work. Employee education is one of the most important things you can do to lower the potential for data theft.

Offer mandatory awareness training on the security risks employees face every day. Social engineering is a growing threat for small businesses whereby hackers pose as a trusted source in need of confidential data. Through phishing, employees are invited to click on a link that installs a virus on their computer without their knowledge. Ransomware will hold a computer hostage until the required ransom is paid.

To prevent employees from falling into these traps, advise them to:

  •     Confirm the legitimacy of the source before giving out confidential information
  •     Never open attachments from people they don’t know
  •     Avoid suspicious links in emails, websites and online ads


2. Secure sensitive information.
Sensitive data is the valued commodity that criminals seek to exploit for profit. It includes personally identifiable information (PII) for employees, customers and patients as well as business trade secrets, financial data and other company-confidential information. In the wrong hands, this information can damage your business, customers and reputation.

Limit access to online files based on an employee’s need to know. Store paper files and removable storage devices containing sensitive information in a locked drawer, cabinet, safe or other secure container when not in use.

3. Properly dispose of sensitive data.
Be equally vigilant when disposing of sensitive data. Shred documents containing confidential information prior to recycling. Remove all data from electronic devices—whether computers, tablets, smartphones or storage hardware—before disposing of them.

4. Use strong password protection.
Passwords are under constant attack and hackers use a number of different means to crack their code. To deter their efforts, password-protect your business computers, laptops and smartphones as well as access to your network and accounts. Require employees to change default passwords and set a strong, complex password with a variety of characters that must be changed at least quarterly.

5. Protect against malware.
Malware refers to “malicious” software, such as viruses and spyware, that is installed on a computer with the intent to access sensitive information or cause damage. Malware can be installed when an unsuspecting employee uses a malware-laden USB device or clicks on an infected link in an email or on a website.

To prevent a malware attack, install and use antivirus and anti-spyware software on all company devices and be sure your employees are on the lookout for suspicious links.

6. Control physical access to your business computers.
Create user accounts for each employee to prevent unauthorized users from gaining access to your business computers. Laptops can be stolen easily; make sure they’re locked in place when unattended. Also limit network access on computers located in or around public spaces, such as the reception area.

7. Encrypt data.
Encryption encodes information, whether it is stored on a device, in the cloud or being transmitted over the Internet, and only the person or computer with the proper key can decode it. Encryption is highly recommended for all devices containing sensitive information, including laptops, mobile devices, USB drives, backup drives and email.

Most operating systems and many software applications have a built-in encryption option which you simply need to activate (instructions vary). You may also purchase encryption programs tailored to the needs of your business—whether for an entire drive or for one or more files or folders. Secure Sockets Layer (SSL) certificates, today implemented with the successor protocol TLS, are the standard way for businesses to encrypt sensitive information, such as credit card details, before it is transmitted over the Internet.

8. Keep your software and operating systems up to date.
Malware continuously evolves and software vendors continuously update or “patch” their programs in order to address new security vulnerabilities. For this reason, it’s vital to install updates to security, web browser, operating system and antivirus software as soon as they are released. They’re your first line of defense against online threats.

9. Secure access to your network.
To prevent outsiders from gaining access to private information on your network, enable your operating system’s firewall or purchase reputable firewall software. Configure a Virtual Private Network (VPN) to provide workers with a secure means of accessing your network while working remotely. If you have a Wi-Fi network for your workplace, make sure it is secure and encrypted, and that your SSID (service set identifier) is hidden so that it can’t be picked up by the public. Also require a password for access.

10. Verify the security controls of third parties.
Most businesses rely on third-party vendors for some aspect of their operation, whether for payroll, credit card processing or to manage their security functions. But there are security risks in doing so. If a breach occurs on the vendor’s watch, your data may be compromised and you could still be held responsible for the loss.

Before engaging the services of a third-party vendor, evaluate their security standards and best practices to ensure they meet your minimum requirements. Look for vendors that:
  • Have strong security policies and procedures
  • Regularly back up their data on a hard drive as well as to the cloud
  • Perform routine internal security audits
  • Run background checks on employees with access to your data
  • Require employees to complete data security training
  • Keep up to date with the latest security patches and security software
  • Have a comprehensive incident response plan for responding to and managing the effects of a security attack

Once you’ve vetted and selected a third-party service provider, put a service level agreement (SLA) in place that details your security expectations and gives you the right to audit the vendor to confirm compliance with your policies.

Let me also include my take on General Data Protection Regulation (GDPR) universal guidelines (these address almost 80-87% of breaches by guiding users on what is critical).

Individuals have the right to:
  • Access their personal data
  • Correct errors in their personal data
  • Erase their personal data
  • Object to processing of their personal data
  • Export personal data
Online portals and companies will need to:
  • Protect personal data using appropriate security
  • Notify authorities of personal data breaches
  • Obtain appropriate consents for processing data
  • Keep records detailing data processing
  • Provide clear notice of data collection
  • Outline processing purposes and use cases
  • Define data retention and deletion policies
  • Train privacy personnel and employees
  • Audit and update data policies periodically
  • Employ a Data Protection Officer who can address grievances or queries
  • Create, publish and manage compliant & non-compliant vendor contracts
My group (India Training Services, ITS) and I have already adopted the GDPR guidelines and have been big supporters for a long time; now that it is enforced by law, I would also recommend that the Indian government completely support this great move.
Enhance your capabilities to support the privacy rights of individuals with tools and documents that help you respond to data subject requests (DSRs) and personal data breaches, as well as the information you need to create your own data protection impact assessments (DPIAs). We at ITS can help you with this, as we are committed to protecting the privacy rights of all users and companies. Feel free to contact me at rrpande@indiatrainingservices.in