
Uber Technologies Inc.

It is a U.S. company that provides its customers internationally with chauffeured transportation vehicles (VTC) through its mobile application (app), which connects passengers with drivers of vehicles registered in its service, who offer a transportation service to individuals. The company organizes pickups in hundreds of cities around the world and is headquartered in San Francisco, California.
Uber is the leading app-based transportation service provider. As part of its rapid expansion across the globe, it arrived in Latin America in 2013, where from the beginning the cab sector considered it unfair competition.

Background

Uber Paid Hackers to Delete Stolen Data on 57 million People

Hackers stole the personal data of 57 million customers and drivers from Uber
Technologies Inc., a massive breach that the company concealed for more than a year. 
Compromised data from the October 2016 attack included names, email addresses and
phone numbers of 50 million Uber riders around the world, the company told Bloomberg
on Tuesday. The personal information of about 7 million drivers was accessed as well,
including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit
card information, trip location details or other data were taken, Uber said.
At the time of the incident, Uber was negotiating with U.S. regulators investigating
separate claims of privacy violations. Uber now says it had a legal obligation to report the
hack to regulators and to drivers whose license numbers were taken. Instead, the
company paid hackers to delete the data and keep the breach quiet. Uber said it believes
the information was never used but declined to disclose the identities of the attackers.
Assumptions

 Security policies were not applied, or those responsible for the data were unaware of them.
 When outsourcing, a clear document stating what is required of the service is important.
 There was no security awareness around the services.
 Lack of training in IT security.

INVOLVED

Travis Kalanick (Chief executive)

Travis was the co-founder and director of Uber. In this case he is involved in the data breach to the extent of firing the company's Chief Security Officer over charges of complicity with the attack the company suffered in 2016; as if that were not enough, he had to authorize the payment of $100,000 to the attackers so that they would delete the copy they held of the data of more than 57 million Uber users and drivers.

Joe Sullivan (Chief security officer)

Joe was indicted on charges of complicity: it is presumed that the security team under Sullivan learned of the hack in the year it happened (2016), yet the team did not warn the company and did not pay attention to what had been stolen. An audit of the CSO's team, carried out by an external law firm the company hired, reached this verdict and he was fired. Note that Joe Sullivan's hiring had been a resounding one, since the job he left to join the Uber team was at Facebook, Inc., which was supposed to be beneficial because Facebook's security was well regarded. However, something went wrong; perhaps he did not have the team he had at the other company, or he simply overlooked something, but it caused millions of users to distrust Uber, and now users are thinking that if this happened at Uber, it will have happened at Facebook as well, without anyone even considering it.
Dara Khosrowshahi (New CEO)

Uber's new CEO since Travis Kalanick was removed from the company's leadership after it was reported that the attack had happened a year earlier and that those in charge had decided to report it late. Khosrowshahi arrived saying that he "will not make excuses" for the incident.

As for the means used to carry out the attack, several media reports state that the attackers were able to obtain the login credentials of an Uber Amazon Web Services account from a private GitHub site maintained by Uber's engineers. Given how this has been covered in the different media, it can be said that the fault lies not so much with the ex-CSO or ex-CEO, although they were the ones who did not report the attack in due time, but with the engineers, whose names are not mentioned: they bear much of the blame for not having good security measures, since their credentials were, to some extent, easy to steal. Although this should be controlled by the CSO and his team, who are responsible for taking care of the information and for following the security measures and controls established by the company, there are always people who are careless and leave everything within reach or in plain sight, and they only harm the company in cases of this type.

What's Happened

It was the year 2016, with Travis Kalanick as the formal CEO of Uber and Joe Sullivan as CSO, who together with his team carried out the important work of protecting the data of the millions of users of the application, whether drivers or customers looking for a car to move from one place to another. Having the ex-CSO of Facebook, Inc. gave the world to understand that Uber was a safe and uncomplicated application. However, everything fell apart that year, as the company was the victim of a data breach attack in which the information of 57 million users was stolen directly from its servers. It is worth mentioning that this attack was carried out through ransomware implanted from an Amazon Web Services server, since the two attackers, whose identity is unknown, managed to obtain the credentials of some engineers to enter the server and implant the ransomware.
The estimated amount demanded to release and delete the copies of all these users' data, which included emails, phone numbers, bank cards and users' addresses, among other things, was $100,000. However, Uber got into trouble and ended up paying far more in fines: we are talking about $148 million for having reported this information theft one year late.
As a consequence, the aforementioned Joe Sullivan was fired a month after the theft of information was revealed in August 2017; as if that were not enough, the CSO was accused of complicity because his team detected the theft of information a month after it happened in 2016 but kept quiet. Only when the hackers threatened to spread the data did the company officially realize what had happened; the CEO at the time ordered an external investigation of his security team, and it was then that they learned the team had known about the theft for a year.
Today it is known that Travis Kalanick was replaced by Dara Khosrowshahi as CEO of the company, and he currently remains in that position. The media suggest that the co-founder Travis Kalanick could be equally involved, but this is not known, or rather not mentioned; only that months later he was replaced because of this situation. However, the same problems at Uber had been mentioned in previous years, so it can be said that there was no more patience for Travis, and it was here that a change in the direction of the company was decided.
These are some of the articles with more information about the incident at Uber (including a case study):
https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-million-people-s-data
https://techcrunch.com/2017/11/21/uber-data-breach-from-2016-affected-57-million-riders-and-drivers/
https://www.cnbc.com/2018/09/26/uber-to-pay-148-million-for-2016-data-breach-and-cover-up.html
https://www.nytimes.com/2017/11/21/technology/uber-hack.html
https://medium.com/golden-data/case-study-uber-technologies-inc-data-breach-7261484d6471
https://medium.com/golden-data/case-study-uber-god-view-9157d10630e3

Involvement

The Uber company is characterized by its good travel options; however, it also offers a food delivery service, a way to earn money while driving around your city, an improvement in public transportation with personalized attention for those who need it, and a service for companies. This means that you can hire Uber for company transportation, a responsible service that employees who would otherwise ride in trucks would appreciate, arriving early to work.
The second service is Uber Pool, where you share a ride with someone going nearby or to the same place and the fare is divided between the people in the pool. The third service is Uber Comfort, which has the newest cars on the market, spacious enough for comfortable legroom. The fourth service is Uber Black, which offers more expensive trips in luxury cars; you can find top cars there, but the price will make you desist from this option. Finally there is the Uber WAV service, which is specialized for people who need to travel in wheelchairs. With this we can say that Uber also cares about food and makes the service useful to all types of people.
The service is available in more than 10 thousand cities and more than 600 airports around the world, and it guarantees safety on your trip from start to finish. Continuing with the food service offered by Uber Eats: you order from a restaurant associated with the company and a delivery person brings the food to your door. Whether you pay by credit card or pay the delivery person, it is a single payment; there is no fee or tip for the delivery person, as that is the responsibility of the restaurant where you place the order.
On the other hand, we have the Uber Freight service, which connects carriers and shippers. Shippers touch a button to instantly book the loads they want transported, and thanks to the upfront fee, shippers always know the profit they will make. Uber for Business is basically rides for your employees or your customers: it gives you an easy way to manage your ground transportation needs. Designed for the workplace, it provides a clear view of employee travel activity and automates payments, expenses and reporting.

As for the risks we can see in the application, it could be said that any application is susceptible to malware; likewise, the service could suffer a DDoS attack, which raises the flow of requests and makes the application collapse for a while; or, as we saw in past years, it may be susceptible to data theft. Below we look a little more in depth at each type of risk discussed in this writing.
Malware: Malware, or "malicious software", is a broad term that describes any malicious program or code that is harmful to systems.
Hostile, intrusive and intentionally nasty, malware attempts to invade, damage or disable computers, computer systems, networks, tablets and mobile devices, often taking partial control of a device's operations. Like the flu, it interferes with normal operation.
The malware's intent is to illicitly extract money from the user. While malware cannot damage a system's hardware or network equipment, with one known exception (see Google's Android section), it can steal, encrypt or erase your data, alter or hijack basic computer functions, and spy on your computer activity without your knowledge or permission.
DDoS: A DDoS attack aims to disable a server, service or infrastructure. There are several forms of DDoS attack: saturating the server's bandwidth to make it inaccessible, or exhausting the machine's system resources, thus preventing it from responding to legitimate traffic.
During a DDoS attack, multiple requests are sent simultaneously from different points on the network. The intensity of this "crossfire" compromises the stability and sometimes the availability of the service.
Development of a DDoS attack
1. The server is operational, sending and receiving packets normally.
2. The DDoS attack is caused by bandwidth overload or exhaustion of system resources.
3. The network becomes saturated, so the server is unable to process legitimate packets among the mass of incoming information.
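The saturation described in the steps above shows up in a web server's access log as one or a few sources sending far more requests than anyone else. The following detector, added here as an example and not part of the original report or Uber's tooling, parses Common Log Format lines and flags any source whose request count inside a sliding time window crosses a threshold; the log lines are constructed inline and assumed to be in chronological order.

```python
"""Per-source request-rate detector over web-server access log lines.

Added example for this report (not Uber's tooling): it flags sources whose
request count inside a sliding time window exceeds a threshold, which is the
"mass of incoming information" pattern described above. The log lines are
constructed inline and assumed to be in chronological order.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: ip - - [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def find_flooders(lines, window_seconds=10, max_requests=20):
    """Return {ip: peak_requests_in_window} for every source that exceeds
    max_requests within any window_seconds-long window.

    One deque per source holds only the timestamps still inside the window,
    so memory is bounded by the window length rather than by the log size.
    """
    windows = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines rather than abort the run
        ip, ts = parsed
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def _make_line(ip, second):
    # Constructed sample line; request path and size are placeholders.
    return f'{ip} - - [21/Nov/2017:10:00:{second:02d} +0000] "GET /api/ride HTTP/1.1" 200 512'


# Constructed sample: one ordinary client (5 requests in a minute) and one
# source sending 50 requests within 5 seconds. Sorted so the log is chronological.
_events = [(s, "203.0.113.7") for s in (0, 12, 25, 40, 55)]
_events += [(s // 10, "198.51.100.9") for s in range(50)]
SAMPLE_LOG = [_make_line(ip, s) for s, ip in sorted(_events)]

if __name__ == "__main__":
    for ip, peak in find_flooders(SAMPLE_LOG).items():
        print(f"ALERT source={ip} peak_requests_in_window={peak}")
```

A single hot source is the simplest case; a distributed attack spreads the same volume over many sources, so in practice the same window logic is also run over the total request count and over per-path counts, and the thresholds are tuned to the service's normal traffic rather than fixed.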

Data Breach: An incident where information is stolen or taken from a system without the knowledge or authorization of the system's owner. A small company or a large organization may suffer a data breach. Stolen data may involve sensitive, proprietary, or confidential information such as credit card numbers, customer data, trade secrets, or matters of national security.
The effects brought on by a data breach can come in the form of damage to the target company's reputation due to a perceived 'betrayal of trust.' Victims and their customers may also suffer financial losses should related records be part of the information stolen.
Uber
Number of employees: 26,900 (2019)
Number of users: the app has more than 500,000,000 downloads on cell phones; therefore, we can say that it has more than 500 million users today.
Why mention these aspects? Because with the number of employees the company has, it is impossible to look after so many users; divided between drivers and customers, it is too much information for the company to handle, which is why its response is not enough when it suffers an attack. Not for nothing were more than 600,000 users affected in the last massive attack it suffered.
As a last point of view, we turn to the possible reputation problems of falling victim to an attack. It is usually said that a company depends on its customers, and it is true: the more secure customers or users feel about something, the more loyal they will be to you as a company. On the other hand, if a company begins to be breached, the issues with customers start: will it happen again, will the next failure put your account or your person in trouble, what will happen if the sensitive data you provided, trusting the company, is stolen? Many of these questions come to mind. Now, if you find out after a year that your data was stolen, as happened with Uber, that is where the image the company has built can fall, and it is difficult to keep its followers. However, if you act according to the law, and with sacrifice and a good restructuring, you can ensure that it will not happen again, or at least that you will notify immediately or within hours when it does, and you can get ahead. At least that is our point of view, and as a sample of it, today Uber is still used as the main transportation application in the world.
Implications
2017 FTC settlement:
In its complaint, the FTC alleged that the San Francisco-based firm failed to live up to its claims that it closely monitored employee access to consumer and driver data and that it deployed reasonable measures to secure personal information stored on a third-party cloud provider's servers.
The FTC’s 2017 complaint alleges that:
 Uber for more than nine months afterwards, rarely monitored internal access to
personal information about users and drivers.
 Despite Uber’s claim that data was “securely stored within our databases,” Uber’s
security practices failed to provide reasonable security to prevent unauthorized
access to consumers’ personal information in databases Uber stored with a third-
party cloud provider. As a result, an intruder accessed personal information
about Uber drivers in May 2014, including more than 100,000 names and
driver’s license numbers that Uber stored in a datastore operated by Amazon
Web Services.
The FTC alleges that Uber did not take reasonable, low-cost measures that could have
helped the company prevent the breach. For example:
 Uber did not require engineers and programmers to use distinct access keys to
access personal information stored in the cloud. Instead, Uber allowed them to use
a single key that gave them full administrative access to all the data and did not
require multi-factor authentication for accessing the data.
 Uber stored sensitive consumer information, including geolocation information, in
plain readable text in database back-ups stored in the cloud.
Under its 2017 consent decree with the FTC, Uber is:
 prohibited from misrepresenting how it monitors internal access to consumers’
personal information.
 prohibited from misrepresenting how it protects and secures that data.
 required to implement a comprehensive privacy program that addresses
privacy risks related to new and existing products and services and protects the
privacy and confidentiality of personal information collected by the company; and
 required to obtain within 180 days, and every two years after that for the next 20
years, independent, third-party audits certifying that it has a privacy program in
place that meets or exceeds the requirements of the FTC order.
2018 FTC settlement:
The FTC expanded the 2017 settlement with Uber based on the company’s failure to
disclose a breach that took place November 2016.
After the 2017 announcement, the FTC learned that Uber had failed to disclose a
significant breach of consumer data that occurred in 2016 — the breach took place
during the FTC’s investigation that led to the August 2017 settlement announcement.
In the revised complaint issued in 2018, the FTC alleged that Uber learned in November
2016 that intruders had again accessed consumer data the company stored on its
third-party cloud provider’s servers by using an access key an Uber engineer had
posted on a code-sharing website. This time, the intruders used the access key to
download from Uber’s cloud storage unencrypted files that contained more than 25 million
names and email addresses, 22 million names and mobile phone numbers, and
600,000 names and driver’s license numbers of U.S. Uber drivers and riders.
Uber paid the intruders $100,000 through its third-party “bug bounty” program and
failed to disclose the breach to consumers or the FTC until November
2017. However, a bug bounty program is created to provide financial rewards to parties
who responsibly disclose security vulnerabilities rather than those who maliciously exploit
vulnerabilities to access consumers’ personal information.
The FTC negotiated an expanded settlement with Uber. The new proposed provisions in
the revised proposed order include requirements:
 Compelling Uber to disclose certain future incidents involving consumer data
 Requiring Uber to submit to the FTC all the reports from the required third-
party audits of Uber’s privacy program rather than only the initial such report.
 Uber also must retain certain records related to bug bounty reports regarding
vulnerabilities that relate to potential or actual unauthorized access to consumer
data.
The FTC opened the proposed settlement for comments.
The FTC received three comments on the revised settlement with Uber. The Commission
voted 4–0–1 to approve the final complaint and order as well as responses to the three
commenters. Commissioner Christine S. Wilson did not participate. Commissioners Rohit
Chopra and Rebecca Kelly Slaughter issued separate statements.
The FTC gave final approval to a settlement with Uber in 2018. Under the final settlement:
 Uber could be subject to civil penalties if it fails to notify the FTC of certain
future incidents involving unauthorized access to consumer information, which
includes both driver and rider information.
 Uber was prohibited from misrepresenting how it monitors internal access to
consumers’ personal information and the extent to which it protects the privacy,
confidentiality, security, and integrity of personal information.
 In addition, Uber must implement a comprehensive privacy program and for 20
years obtain biennial independent, third-party assessments, which it must
submit to the Commission, certifying that it has a privacy program in place that
meets or exceeds the requirements of the FTC order.
State AG investigations and settlement ($148 million penalty):
Uber was investigated by multiple State AGs.
Eventually, Uber settled the case through an agreement that included all 50 states and the
District of Columbia, requiring Uber to adopt model data breach notification and data
security practices and a corporate integrity program for employees to report unethical
behavior, and hire an independent third party to assess its data security practices. It
also required Uber to pay a record penalty of $148 million.
NY: The NY AG also resolved Uber's 2014 data breach (notified to the NY AG on February 26, 2015) together with the Uber 'God View' investigation.
The settlement required Uber to:
 Maintain and store GPS-based location information in a password-protected
environment and encrypt the information when in transit.
 Limit access to geo-location information to designated employees with a
legitimate business purpose, and enforce this limitation through technical access
controls, and a formal authorization and approval process.
 Conduct annual employee training to inform employees who are responsible for
handling private information about Uber’s data security practices.
 Maintain a separate section in its consumer-facing privacy policy describing
its policies regarding location information collected from riders.
 Adopt leading data security protection practices to protect its riders’ personal
information; designate one or more employees to coordinate and supervise its
privacy and security program; and conduct regular assessments of the
effectiveness of Uber’s internal controls and procedures related to the securing of
private information and geo-location information and the implementation of updates
to such controls based on those assessments.
 Adopt multi-factor authentication that would be required before any employee
could access especially sensitive rider personal information, as well as other
leading data security practices.
 Pay a $20,000 penalty for failure to provide timely notice to drivers regarding the
data breach in September 2014.
Washington AG: In November 2017, the Attorney General of Washington State filed suit
against the ride-sharing technology company Uber for violating the state’s data breach
notification law. Uber allegedly failed to provide timely notice of a data breach that
occurred in November 2016. At the time, the company paid the hackers to destroy the data
and then failed to report the breach until a year later.
 The Attorney General claimed that each day that Uber failed to provide notice
of the breach to each of the 10,888 Washington-based drivers and the
Attorney General constituted a separate violation under Washington breach
notification law, which provided penalties of up to $2,000 per violation.
 The lawsuit did not cover Uber passengers because Washington’s breach
notification law only required notification where an individual’s name was disclosed
in combination with other sensitive data (such as financial account numbers,
driver’s license number, or Social Security number). There was no indication that
such data was exposed with regards to the passengers.
These are the laws on which the new Uber administration relied to try to solve its problems, which include a fine for what happened in 2016. In turn, since then, we believe that Uber has been able to comply with the statutes of these laws and frameworks in order to stay safe from this type of attack. On the other hand, we believe that the change of CEO and CSO was the best thing that could have happened; since then there has been no more talk of cases of this type at the company, and so far the participation of the new CEO has been favorable. Not to mention that today, during the pandemic, the trips offered were well cared for and sanitized: drivers would not let you in if you did not bring protection of some kind (mask, mask covers, etc.), there was gel in the cars, and the driver always followed the prevention measures. If anything can be said, it is that this company learned from its mistake and is now doing well, returning to its initial values and putting more security and training in place for its employees on duty so that what happened in 2016 does not happen again.

What do you consider was not done?

Least privilege, ensuring that employees have only the privileges necessary to perform their activities. As we know, this is a security measure widely used today; it helps the security of systems and information in case of unauthorized access.
MFA, having more than one security factor, involving something you have, something you know and something you are. Adding another measure for accessing the systems remains a reliable way to ensure that there is no leakage of information to an external party.
Strict policies about network use and the use of data handled by the company, and secure password policies: a minimum number of characters, a mix of different character types, and periodic changes. Policies are important for all companies; their purpose is to ensure the security of data and systems.
Training employees to identify certain threats, the correct use of security systems, and support for others, so that they know what to do in the face of a possible threat or even during a real-time attack.
Awareness of what to do and what not to do to keep enterprise data secure. This boils down to best practices, bearing in mind that every action could impact the business, employees' own data, customer data or even business secrets.
On the other hand, if the cloud service is operated by a third party, you must have a contract and documents that make it clear that only authorized persons can access the service. How do you know this? By monitoring how they access these systems, the real-time location they connect from, and the actions carried out during the connection time. If something irregular is detected, take immediate action.
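The FTC findings earlier in this report (a single key with full administrative access, no multi-factor authentication) and the least-privilege and MFA points just listed are things an account owner can check mechanically. The audit below is an added example, not Uber's or AWS's own code: it reads a CSV laid out like the IAM credential report (the output of `aws iam get-credential-report`, trimmed here to the columns the check uses, with constructed rows) and flags console logins without MFA, stale or root-account access keys, and policy statements that allow every action on every resource. The account ID, user names and policy document are constructed.

```python
"""Audit an IAM credential report and a policy document for the gaps named above:
console logins without MFA, long-lived access keys, active keys on the root
account, and policies that grant every action on every resource.

Added example for this report, not Uber's or AWS's own code. The CSV below is
constructed in the column layout of the IAM credential report
("aws iam get-credential-report"), trimmed to the columns this check reads;
the policy document is a constructed example of a catch-all Allow statement.
"""
import csv
import io
import json
from datetime import datetime, timedelta, timezone

CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2014-03-01T00:00:00+00:00,not_supported,2017-11-20T08:00:00+00:00,not_supported,not_supported,false,true,2014-03-01T00:00:00+00:00
alice,arn:aws:iam::111122223333:user/alice,2015-06-01T00:00:00+00:00,true,2017-11-21T09:10:00+00:00,2017-06-01T00:00:00+00:00,N/A,true,true,2017-09-01T00:00:00+00:00
bob,arn:aws:iam::111122223333:user/bob,2015-06-01T00:00:00+00:00,true,2017-11-21T09:15:00+00:00,2016-01-01T00:00:00+00:00,N/A,false,true,2015-06-01T00:00:00+00:00
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2016-02-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2017-10-15T00:00:00+00:00
"""

# Constructed "as of" date for the key-age calculation.
NOW = datetime(2017, 11, 21, tzinfo=timezone.utc)


def _ts(value):
    """Parse a report timestamp; absent values appear as N/A, not_supported or no_information."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW, max_key_age_days=90):
    """Return a sorted list of (user, finding) pairs."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console login without MFA"))
        if row["access_key_1_active"] == "true":
            if user == "<root_account>":
                findings.append((user, "active access key on root account"))
            else:
                rotated = _ts(row["access_key_1_last_rotated"])
                if rotated is not None and now - rotated > timedelta(days=max_key_age_days):
                    findings.append((user, f"access key older than {max_key_age_days} days"))
    return sorted(findings)


def overly_broad_statements(policy_doc):
    """Return the indices of Allow statements that grant Action "*" on Resource "*"."""
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given unwrapped
        statements = [statements]
    hits = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        resources = st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions and "*" in resources:
            hits.append(i)
    return hits


# Constructed policy: a scoped statement followed by a full-administrative one.
ADMIN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"},
    {"Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for user, finding in audit_credential_report(CREDENTIAL_REPORT):
        print(f"{user}: {finding}")
    for i in overly_broad_statements(ADMIN_POLICY):
        print(f"policy statement {i} grants every action on every resource")
```

Run against a real report, the same two functions give a per-user list of who can log in without a second factor and which keys have outlived the rotation policy, and a list of policies that would turn any single leaked key into full control of the account.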
What do you think should have been done?
Bloomberg reports that the two attackers gained access to the Uber data stored on Amazon Web Services accounts using Uber software engineer credentials found on GitHub:
"Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on Amazon Web Services account that handled computing tasks for the company," Bloomberg reported.
Raise awareness among employees to maintain secure password control, so that they do not use the same password for everything and avoid, as much as possible, passwords built from personal or company data; in other words, a password that cannot be easily obtained from simple facts.
Monitoring of what, when and where employees do things, so that if they write certain words or sets of words, the action is reported or measures are taken according to the security policies.
More security, by which we mean that credentials should not be the only means to access the systems managed by the company. Use MFA and whatever other means of authentication are necessary to ensure that unauthorized access to company systems is not opened; remember that you can never be secure enough.
Constant training to ensure knowledge of company policies and do's and don'ts, to ensure three things: the integrity, accessibility and confidentiality of the data the company handles.
Finally, best practices are never too much, as even systems can fail and human error is also a constant threat. For this and more, the wellbeing of the data depends on the employees: manage policies that ensure the correct handling of passwords and the correct use of the company's data, and, as in this case, avoid having passwords in plain text or reusing the same passwords for other services.
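The monitoring "in case they write certain words" and the advice to keep passwords out of plain text both come down to one control: scan what engineers are about to commit before it reaches a code-sharing site. The scanner below is an added example, not part of the original report or of Uber's or GitHub's tooling. It looks for AWS access key IDs, AWS secret access keys and hard-coded passwords, redacts what it reports so the scanner itself does not re-leak the value, and keeps an allowlist for known placeholders. The file contents are constructed; the key values in them are made up, except AKIAIOSFODNN7EXAMPLE, which is the placeholder AWS uses in its documentation and is allowlisted here as a known false positive.

```python
"""Scan source and configuration text for credentials that should never be
committed: AWS access key IDs, AWS secret access keys, and hard-coded
passwords. This is the check that would have caught an access key before it
reached a code-sharing site.

Added example for this report, not Uber's or GitHub's tooling. The file
contents below are constructed; the key values in them are made up, except
AKIAIOSFODNN7EXAMPLE, which is the placeholder AWS uses in its documentation
and is therefore allowlisted here as a known false positive.
"""
import re

PATTERNS = {
    # Access key IDs: 20 uppercase alphanumerics starting AKIA (long-lived) or ASIA (temporary).
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    # Secrets are 40 base64-like characters; require the variable name as context to limit noise.
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
    ),
    # A quoted literal assigned to a password-like name.
    "hardcoded_password": re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]([^'\"]{6,})['\"]"),
}

ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE"}  # AWS documentation placeholder, not a real key


def redact(value):
    """Keep just enough of a match to locate it without reprinting the secret."""
    return value[:4] + "..." + value[-4:] if len(value) > 10 else "..."


def scan_text(path, text):
    """Return (path, line_number, kind, redacted_value) for each hit in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if value in ALLOWLIST:
                    continue
                findings.append((path, lineno, kind, redact(value)))
    return findings


def scan_all(files):
    """files: {path: text}. Returns all findings in file order, then line order."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample tree: a settings file with three leaks (and one harmless
# "password_*" name) and a test file that only uses the documentation placeholder.
SAMPLE_FILES = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"\n'
        'AWS_SECRET_ACCESS_KEY = "abcdefghijklmnopqrstuvwxyz0123456789/+AB"\n'
        'DB_PASSWORD = "hunter2-prod-db"\n'
        'password_reset_url = "/account/reset"\n'
    ),
    "tests/test_s3.py": (
        'FAKE_KEY = "AKIAIOSFODNN7EXAMPLE"  # AWS docs placeholder\n'
        'session = boto3.Session(profile_name="ci")\n'
    ),
}

if __name__ == "__main__":
    import sys

    hits = scan_all(SAMPLE_FILES)
    for path, lineno, kind, shown in hits:
        print(f"{path}:{lineno}: {kind} {shown}")
    sys.exit(1 if hits else 0)  # non-zero so a pre-commit hook can block the commit
```

Wired into a pre-commit hook over the staged files, a non-zero exit blocks the commit; the same functions run over a repository's history find keys that were already pushed, which is when the key must be treated as compromised and rotated rather than merely deleted from the file.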

Conclusion
As a conclusion to this case, we can say that it doesn't matter if you have the best CSO or if you consider that you have a good IT or security team: it is clear to us that the most important thing we have seen throughout these topics is that human error is a very important factor when it comes to eradicating the dangerous situations that surround a business. As we saw in the problem presented at Uber, it started because a member of staff did not follow the good practices we have been working with; they did not follow the statutes imposed by the company, they were distracted, and it was through that weak flank that the attackers were able to enter, even though it did not involve any kind of engineering. We must always be vigilant, not have weak passwords, and not underestimate the attackers who seek to harm us and damage the company we work for. Our recommendation is to continue with the trainings at least every 2 months, to test our employees, especially those we see with low performance or a low level of security, and to test them at least once every 2 weeks, in order to give them the necessary knowledge and to prevent them from continuing to make mistakes that could cost thousands or millions of pesos. As we have seen, everything falls on us, the human beings: just as we should be the first line of defense, we are the weakest link in the chain of defense. It is important to nourish ourselves with this type of information to be able to notice anomalies or something that is not right in our computer, and to refine those details that will only come to the surface and disappear with the good practice of these simulated environments.

Support your conclusion

Given that in most of the cases we have seen throughout the course we have always been told that it is the system that is compromised when it receives an attack of this type, we realized that the main factor giving rise to these great thefts of information is the worker, or rather the poor policies implemented by the company or business for the treatment of customer information: from not having a complete inventory of the whole scheme of devices in the organization, to not knowing how to implement prevention campaigns or exercises that simulate these attacks. The idea the company should have is to be able to implement personalized training exercises where required. If an employee is the one who always makes the same mistake, try to keep him or her under observation and help him or her to stop making it: focus on that person for 1 month and give him or her a test attack once a week so that the mistake stops. If it persists, it would be a matter of looking at the situation in detail and, if you do not reach a good conclusion, replacing the employee. Although a little time was lost with that person, they take with them a valuable experience and will be more aware of what they need to reinforce if they want to continue to grow in a job or dedicate themselves to something else, since they cannot put at risk every company they work for by being distracted or by not complying with the policies.

Final message
For Uber riders, the company says it doesn’t believe affected individuals need to act. “We
have seen no evidence of fraud or misuse tied to the incident,” its statement to riders said.
“We are monitoring the affected accounts and have flagged them for additional fraud
protection.”
While Uber states that there is no need for action, there are still things you should be on
the lookout for when breaches of this magnitude occur. When popular companies are
gaining major headlines in the mainstream media, scammers may attempt to take
advantage of the chatter around this incident.
Uber has stated that it’s notifying affected drivers whose driver’s license numbers were
accessed and are providing them with free credit monitoring and identity theft protection
service. The company is providing additional information for their drivers on their website.
Cybercriminals may attempt to launch phishing attacks, appearing to come from Uber,
hoping to trick unsuspecting customers into providing personal information, such as
account credentials or payment card information. In the case of a major security incident
like this, it’s always best to go straight to the source — the company’s official website, and
not click on any of the links in the email. Be sure to also check the actual email address to
ensure a message is from the company or person it appears to be from. Also, don’t click
on an emailed link or attachment without verifying the email’s authenticity.

Topics reviewed in class that were used and applied as support

Thanks to what was learned in class throughout the semester, it was possible to conduct research on the 2016 Uber case.
We used what was learned in various topics, such as:
Security Effectiveness: where we learned how to detect types of threats such as data exfiltration and infiltration, and how to ensure continuous validation of security effectiveness through monitoring, rationalizing resources, optimizing systems, measuring our business and prioritizing what is relevant to the business.
Security by Design: Getting the most out of your existing assets & how to defend your attack surface: we learned about attack surface mapping and how to do risk discovery, prioritization and management. How can an organization begin to reclaim its attack surface? How can an organization reduce the parts of its Internet presence that cause breaches? It all starts with discovering what your attack surface really is. Organizations need to identify, track and manage more types of assets in more locations than ever before.
Roadmap to Smarter Compliance and Policy Management: in this topic we learned to identify the risk (uncover, recognize and describe risks that might impact your goals, develop a risk register and record risks); analyze the risk (determine the likelihood and impact of each risk, understand how to measure the risk, and define risk indicators and key risk indicators); evaluate the risk (evaluate and rank the risks by magnitude, and determine whether the magnitude is acceptable or whether the risk needs treatment); and treat the risk (develop controls or processes to reduce the impact of the risk to an acceptable level, and determine how frequently to monitor risk indicators). We also learned how compliance affects the benefits relative to cost.
Cybersecurity Heroes Aren't Born ... They're Made: implement awareness programs in companies and invest time and campaigns so that people are informed and know what to do if, for example, they receive a phishing email, or if their company has just suffered a cyber-attack.
Driving your Information Governance Programme with Data Classification: information governance is a holistic approach to managing corporate information by implementing processes, roles, controls and metrics that treat information as a valuable business asset.
Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the organization should that data be disclosed, altered, or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data.
