Business continuity and disaster recovery auditing

Given organizations' increasing dependency on information technology (IT) to run their operations, business continuity planning (and its subset, IT service continuity planning) covers the entire organization, while disaster recovery focuses on IT. Auditing the documents covering an organization's business continuity and disaster recovery (BCDR) plans provides third-party validation to stakeholders that the documentation is complete and does not contain material misrepresentations.

== Overview ==

Although often used together, the terms business continuity (BC) and disaster recovery (DR) are very different. BC refers to the ability of a business to continue critical functions and business processes after the occurrence of a disaster, whereas DR refers specifically to the IT functions of the business, and is a subset of BC.

== Metrics ==

The primary objective is to protect the organization in the event that all or part of its operations and/or computer services are rendered partially or completely unusable.

=== DR metrics ===

Minimizing downtime and data loss during disaster recovery is typically measured in terms of two key concepts:

* Recovery time objective (RTO): the time until a system is completely up and running.
* Recovery point objective (RPO): a measure of the ability to recover files, specified as the point in time the backup copy will restore to.

== The auditor's role ==

Role of the internal auditor in auditing a disaster recovery plan (DRP):

1. Governance and oversight: confirm that roles, responsibilities, and oversight are defined, and that the DRP aligns with risk appetite and continuity strategy.
2. Risk assessment and BIA: verify that risk and impact assessments identify critical systems and define RTO/RPO.
3. Plan design and documentation: ensure the DRP is current, complete, and includes key recovery procedures.
4. Testing and validation: confirm that regular DRP testing occurs and that results are used to improve the plan.
5. Backup and recovery: assess backup frequency and recovery capabilities against RTO/RPO targets.
6. Communication and training: verify that staff are trained and communication protocols are in place for crises.
7. Maintenance and improvement: ensure the DRP is regularly updated and lessons learned are integrated.

== Documentation ==

=== Disaster recovery plan ===

A disaster recovery plan (DRP) is a documented process or set of procedures to execute an organization's disaster recovery processes and to recover and protect a business IT infrastructure in the event of a disaster. It is "a comprehensive statement of consistent actions to be taken before, during and after a disaster". The disaster could be natural, environmental or man-made. Man-made disasters could be intentional (for example, an act of a terrorist) or unintentional (that is, accidental, such as the breakage of a man-made dam, or even "fat fingers", i.e. errant commands entered on a computer system).

==== Types of plans ====

Although there is no one-size-fits-all plan, there are three basic strategies:

* prevention, including proper backups, surge protectors and generators;
* detection, a byproduct of routine inspections, which may discover new (potential) threats;
* correction.

The latter may include securing proper insurance policies and holding a "lessons learned" brainstorming session.

==== Best practices ====

DRPs are most effective when updated frequently, and should:

* be an integral part of all business analysis processes;
* be revisited at every major corporate acquisition, at every new product launch and at every new system development milestone;
* be thoroughly tested, not just unpracticed bureaucratic documentation.

Adequate records need to be retained by the organization. The auditor examines records, billings, and contracts to verify that records are being kept. One such record is a current list of the organization's hardware and software vendors. Such a list is made and periodically updated to reflect changing business practices, and as part of an IT asset management system. Copies of it are stored on and off site and are made available or accessible to those who require them. An auditor tests the procedures used to meet this objective and determines their effectiveness.

=== Relationship to BCPs ===

Disaster recovery is a subset of business continuity. Where the DRP encompasses the policies, tools and procedures to enable recovery of data following a catastrophic event, the BCP involves keeping all aspects of a business functioning regardless of potential disruptive events. As such, a business continuity plan is a comprehensive organizational strategy that includes the DRP as well as threat prevention, detection, recovery, and resumption of operations should a data breach or other disaster event occur. Therefore, a BCP consists of five component plans:

* Business resumption plan
* Occupant emergency plan
* Continuity of operations plan
* Incident management plan
* Disaster recovery plan

The first three components (business resumption, occupant emergency, and continuity of operations plans) do not deal with the IT infrastructure. The incident management plan (IMP) does deal with the IT infrastructure, but since it establishes structure and procedures to address cyber attacks against an organization's IT systems, it generally does not represent an agent for activating the DRP; thus the DRP is the only BCP component of active interest to IT.

== Testing ==

Tests are broadly categorized as functional or discussion-based. Types of tests include tabletop exercises, checklists, simulations, parallel processing (testing the recovery site while the primary site is in operation), and full interruption (failover) tests. These apply to both BC and DR.
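As an added example (not part of the original article), the following Python check applies the RTO/RPO metrics above the way an auditor's backup-and-recovery review would: it derives the worst-case data loss from backup timestamps and compares the slowest documented recovery drill against the RTO, reporting a finding wherever evidence falls short of the target. The system names, targets, backup times and drill durations are constructed for illustration.

```python
"""Audit check: do measured backup cadence and drill recovery times meet RTO/RPO?

Added example, not from the original article. Every system, target and
timestamp below is constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass
class SystemTargets:
    name: str
    rto: timedelta  # recovery time objective: how long the system may be down
    rpo: timedelta  # recovery point objective: how much data (in time) may be lost


@dataclass
class Finding:
    system: str
    metric: str  # "RTO" or "RPO"
    target: timedelta
    observed: timedelta
    detail: str


def worst_case_data_loss(backups: List[datetime], as_of: datetime) -> timedelta:
    """Largest possible data loss: the longest gap between consecutive backups,
    or the age of the newest backup, whichever is bigger. A disaster can strike
    at any moment, so the RPO has to cover the worst gap, not the average."""
    if not backups:
        return timedelta.max  # no backups on file: unbounded loss
    times = sorted(backups)
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    gaps.append(as_of - times[-1])
    return max(gaps)


def audit_system(t: SystemTargets, backups: List[datetime],
                 drill_recovery_times: List[timedelta],
                 as_of: datetime) -> List[Finding]:
    """Return one Finding per objective the documented evidence fails to meet."""
    findings: List[Finding] = []
    loss = worst_case_data_loss(backups, as_of)
    if loss > t.rpo:
        findings.append(Finding(t.name, "RPO", t.rpo, loss,
                                "backup interval or backup age exceeds RPO"))
    if not drill_recovery_times:
        # An untested plan gives the auditor no basis to accept the RTO.
        findings.append(Finding(t.name, "RTO", t.rto, timedelta.max,
                                "no recovery drill evidence on file"))
    else:
        slowest = max(drill_recovery_times)
        if slowest > t.rto:
            findings.append(Finding(t.name, "RTO", t.rto, slowest,
                                    "slowest documented drill exceeds RTO"))
    return findings


# Constructed audit date used by the demo below.
AS_OF = datetime(2024, 3, 10, 9, 0)


def run_demo() -> List[Finding]:
    """Two constructed systems: an ERP with tight targets and an internal wiki."""
    erp = SystemTargets("erp", rto=timedelta(hours=4), rpo=timedelta(hours=1))
    wiki = SystemTargets("wiki", rto=timedelta(hours=24), rpo=timedelta(hours=24))
    # ERP backups: a 3-hour gap between the two oldest snapshots breaks a 1-hour RPO.
    erp_backups = [AS_OF - timedelta(hours=h) for h in (0.5, 1.5, 2.5, 5.5)]
    erp_drills = [timedelta(hours=3), timedelta(hours=3, minutes=45)]
    # Wiki backups are exactly 24 hours apart (meets RPO) but no drill was ever run.
    wiki_backups = [AS_OF - timedelta(hours=h) for h in (6, 30)]
    wiki_drills: List[timedelta] = []
    return (audit_system(erp, erp_backups, erp_drills, AS_OF)
            + audit_system(wiki, wiki_backups, wiki_drills, AS_OF))


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.system}: {f.metric} target {f.target}, observed {f.observed}: {f.detail}")
```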
== Benefits ==

Like every insurance plan, there are benefits that can be obtained from proper business continuity planning, including:

* Minimizing the risk of delays
* Guaranteeing the reliability of standby systems (even automating failure detection and recovery in certain scenarios)
* Providing a standard for testing the plan
* Minimizing decision-making during a disaster
* Reducing potential legal liabilities
* Lowering an unnecessarily stressful work environment

Studies have shown a correlation between higher spending on auditing fees and lower rates of incidents.

=== Planning and testing methodology ===

According to Geoffrey H. Wold of the Disaster Recovery Journal, the entire process involved in developing a disaster recovery plan consists of 10 steps:

1. Performing a risk assessment: The planning committee prepares a risk analysis and a business impact analysis (BIA) that includes a range of possible disasters. Each functional area of the organization is analyzed to determine potential consequences. Traditionally, fire has posed the greatest threat. A thorough plan provides for "worst case" situations, such as destruction of the main building.
2. Establishing priorities for processing and operations: Critical needs of each department are evaluated and prioritized. Written agreements for the alternatives selected are prepared, with details specifying duration, termination conditions, system testing, cost, any special security procedures, the procedure for notification of system changes, hours of operation, the specific hardware and other equipment required for processing, personnel requirements, the definition of the circumstances constituting an emergency, the process to negotiate service extensions, guarantee of compatibility, availability, non-mainframe resource requirements, priorities, and other contractual issues.
3. Collecting data: This includes various lists (employee backup position listing, critical telephone numbers list, master call list, master vendor list, notification checklist), inventories (communications equipment, documentation, office equipment, forms, insurance policies, workgroup and data center computer hardware, microcomputer hardware and software, office supplies, off-site storage location equipment, telephones, etc.), the distribution register, software and data file backup/retention schedules, temporary location specifications, and any other such lists, materials, inventories, and documentation. Pre-formatted forms are often used to facilitate the data gathering process.
4. Organizing and documenting a written plan.
5. Developing testing criteria and procedures: reasons for testing include
** determining the feasibility and compatibility of backup facilities and procedures;
** identifying areas in the plan that need modification;
** providing training to the team managers and team members;
** demonstrating the ability of the organization to recover;
** providing motivation for maintaining and updating the disaster recovery plan.
6. Testing the plan: An initial "dry run" of the plan is performed by conducting a structured walk-through test. An actual test run must then be performed, and problems are corrected. Initial testing can be done in sections and after normal business hours to minimize disruptions. Subsequent tests occur during normal business hours.

=== Caveats/controversie

Scenery generator

A scenery generator (or terrain generator) is software used to create landscape images, 3D models, and animations. These programs often use procedural generation to generate the landscapes, though landscapes are sometimes created and rendered by a 3D artist instead. These programs are often used in video games or movies. Basic elements of landscapes created by scenery generators include terrain, water, foliage, and clouds. The process for basic random generation uses a diamond-square algorithm.

== Common features ==

Most scenery generators can create basic heightmaps to simulate the variation of elevation in basic terrain. Common techniques include Simplex noise, fractals, or the diamond-square algorithm, which can generate 2-dimensional heightmaps. A scenery generator can be very simplistic: using a diamond-square algorithm with some extra steps involving fractals, an algorithm for random generation of terrain can be written in only 120 lines of code. The example program takes a grid and then divides the grid repeatedly. Each smaller grid is then split into squares and diamonds, and the algorithm generates randomized terrain for each square and diamond.

Most programs for creating landscapes also allow for adjustment and editing of the landscape. For example, World Creator allows for terrain sculpting, which uses a brush system similar to Photoshop's, and allows for additional terrain enhancement with its procedural techniques such as erosion, sediments, and more. Other tools in the World Creator program include terrain stamping, which allows you to import elevation maps and use them as a base. The programs tend to also allow for additional placement of rocks, trees, etc. These can be placed procedurally or by hand depending on the program. Typically the same models are reused for the placed objects, to lessen the amount of work that would be needed if the user were to create a multitude of different trees.
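The subdivision described above, written out as an added example (not code from the article or from any of the programs it names): a diamond-square heightmap generator that repeatedly splits the grid, fills square centres in the diamond step and diamond centres in the square step, and halves the random amplitude at each level. The seed parameter, the `roughness` factor and the ASCII rendering are choices made here for illustration.

```python
"""Diamond-square heightmap generator (added example; not code from the article).

Builds a (2**n + 1) x (2**n + 1) grid of heights. The grid is repeatedly
subdivided; each level runs a diamond step (square centres) and a square step
(diamond centres), adding random offsets whose amplitude shrinks by `roughness`
every level. A fixed seed makes the output reproducible, the same-input-same-
output property the article attributes to noise-based terrain."""
import random
from typing import List

Grid = List[List[float]]


def diamond_square(n: int, roughness: float = 0.5, seed: int = 0) -> Grid:
    size = 2 ** n + 1
    rng = random.Random(seed)  # seeded: the same seed always yields the same terrain
    grid = [[0.0] * size for _ in range(size)]
    # Seed the four corners with random heights.
    for r, c in ((0, 0), (0, size - 1), (size - 1, 0), (size - 1, size - 1)):
        grid[r][c] = rng.uniform(-1.0, 1.0)
    step, amplitude = size - 1, 1.0
    while step > 1:
        half = step // 2
        # Diamond step: centre of every square = mean of its 4 corners + noise.
        for r in range(half, size, step):
            for c in range(half, size, step):
                avg = (grid[r - half][c - half] + grid[r - half][c + half] +
                       grid[r + half][c - half] + grid[r + half][c + half]) / 4
                grid[r][c] = avg + rng.uniform(-amplitude, amplitude)
        # Square step: centre of every diamond = mean of its edge neighbours + noise.
        # Points on the grid border have only three neighbours inside the grid.
        for r in range(0, size, half):
            start = half if (r // half) % 2 == 0 else 0
            for c in range(start, size, step):
                neigh = [grid[r + dr][c + dc]
                         for dr, dc in ((-half, 0), (half, 0), (0, -half), (0, half))
                         if 0 <= r + dr < size and 0 <= c + dc < size]
                grid[r][c] = sum(neigh) / len(neigh) + rng.uniform(-amplitude, amplitude)
        # Next level: half the cell size, reduced noise amplitude.
        step, amplitude = half, amplitude * roughness
    return grid


def normalize(grid: Grid) -> Grid:
    """Rescale heights to [0, 1] so they can be written out as a heightmap."""
    lo = min(min(row) for row in grid)
    hi = max(max(row) for row in grid)
    if hi == lo:
        return [[0.0] * len(row) for row in grid]
    return [[(v - lo) / (hi - lo) for v in row] for row in grid]


def to_ascii(grid: Grid) -> str:
    """Crude relief map: low ground is ' ', peaks are '@'."""
    shades = " .:-=+*#%@"
    return "\n".join(
        "".join(shades[int(v * (len(shades) - 1))] for v in row)
        for row in normalize(grid))


if __name__ == "__main__":
    print(to_ascii(diamond_square(5, roughness=0.6, seed=42)))
```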
To generate the terrain, the computer generates multifractals, then integrates them, and finally renders them onto the screen. These techniques are typically done "on-the-fly", which for a 128 × 128 resolution terrain would typically mean 1.5 seconds on a CPU from the early 1990s.

== Applications ==

Scenery generators are commonly used in movies, animations, 3D rendering, and video games. For example, Industrial Light & Magic used E-on Vue to create the fictional environments for Pirates of the Caribbean: Dead Man's Chest. In such live-action cases, a 3D model of the generated environment is rendered and blended with live-action footage. Scenery generated by the software may also be used to create completely computer-generated scenes. In the case of animated movies such as Kung Fu Panda, the raw generation is assisted by hand-painting to accentuate subtle details. Environmental elements not commonly associated with landscapes, such as ocean waves, have also been handled by the software.

Scenery generation is used in most 3D-based video games. These typically use either custom or purchased engines that contain their own scenery generators. Some games use procedurally generated terrain. These typically use a form of height mapping together with Perlin noise. This produces a grid in which a given 2D coordinate always yields the same height, because the noise is pseudorandom: the same input produces the same output. This can then easily be translated into the final 3D image. The result can then be changed in the editor tools of most engines if the terrain is to be custom built.

With recent developments, neural networks can be built to create or texture the terrain based on previously suggested artwork or heightmap data. These are generated using algorithms that can identify images and similarities between them. With this information the machine can take other heightmaps and render an image very similar in look to the style image. This can be used to create similar images in, for example, a Studio Ghibli or Van Gogh art style.

== Software ==

Most game engines, whether custom or proprietary, will have terrain generation built in. Some terrain generator programs include Terragen, which can create terrain, water, atmosphere and lighting; L3DT, which provides similar functions to Terragen, and has a 2048 × 2048 resolution limit; and World Creator, which can create terrain, and is fully GPU powered.

=== List of 3D terrain generation software ===

Cloud Security Alliance

Cloud Security Alliance (CSA) is a not-for-profit organization with the mission to "promote the use of best practices for providing security assurance within cloud computing, artificial intelligence and to provide education on the uses of cloud computing to help secure all other forms of computing." The CSA has over 80,000 individual members worldwide. The CSA gained significant reputability in 2011 when the American Presidential Administration selected the CSA Summit as the venue for announcing the federal government's cloud computing strategy.

== History ==

The CSA was formed in December 2008 as a coalition by individuals who saw the need to provide objective enterprise user guidance on the adoption and use of cloud computing. Its initial work product, Security Guidance for Critical Areas of Focus in Cloud Computing, was put together in a Wiki style by dozens of volunteers. In 2014, the Chairman of the Board of the CSA was Dave Cullinane, VP of Global Security and Privacy for Catalina Marketing, St. Petersburg, Florida, and former CISO for eBay. Cullinane has said, "If you have an application exposed to the Internet that will allow people to make money, it will be probed."

== Profile ==

In 2009, the Cloud Security Alliance incorporated in Nevada as a Corporation and achieved US Federal 501(c)6 non-profit status. It is registered as a Foreign Non-Profit Corporation in Washington.

== Policy maker support ==

The CSA works to support a number of global policy makers in their focus on cloud security initiatives, including the National Institute of Standards and Technology (NIST), the European Commission, the Singapore Government, and other data protection authorities. In March 2012, the CSA was selected to partner with three of Europe's largest research centers (CERN, EMBL and ESA) to launch Helix Nebula – The Science Cloud.

== Size ==

The Cloud Security Alliance employs roughly sixty full-time and contract staff worldwide. It has several thousand active volunteers participating in research, working groups and chapters at any time.

== Membership ==

According to CSA, it is a member-driven organization, chartered with promoting the use of best practices for providing security assurance within cloud computing, and providing education on the uses of cloud computing to help secure all other forms of computing.

=== Individuals ===

Individuals who are interested in cloud computing and have experience to assist in making it more secure receive a complimentary individual membership based on a minimum level of participation.

=== Chapters ===

The Cloud Security Alliance has a network of chapters worldwide. Chapters are separate legal entities from the Cloud Security Alliance, but operate within guidelines set down by the Cloud Security Alliance. In the United States, chapters may elect to benefit from the non-profit tax shield that the Cloud Security Alliance has. Chapters are encouraged to hold local meetings and participate in areas of research. Chapter activities are coordinated by the Cloud Security Alliance worldwide.

=== International scope ===

There are separate legal entities in Europe and Asia Pacific, called Cloud Security Alliance (Europe), a Scottish company in the United Kingdom, and Cloud Security Alliance Asia Pacific Ltd, in Singapore. Each legal entity is responsible for overseeing all Cloud Security Alliance-related activities in its respective region. These legal entities operate under an agreement with Cloud Security Alliance that gives it oversight power, and have separate Boards of Directors. Both are companies limited by guarantee. The Managing Directors of each are members of the Executive Team of Cloud Security Alliance.

== Areas of research ==

The Cloud Security Alliance has 25+ active working groups. Key areas of research include cloud standards, certification, education and training, guidance and tools, global reach, and driving innovation.

* Security Guidance for Critical Areas of Focus in Cloud Computing: foundational best practices for securing cloud computing.
* Top Threats to Cloud Computing: helps organizations make educated risk management decisions regarding their cloud adoption strategies.
* GRC (Governance, Risk and Compliance) Stack: a toolkit for key stakeholders to instrument and assess clouds against industry-established best practices, standards and critical compliance requirements.
* Cloud Controls Matrix (CCM): a security controls framework for cloud providers and cloud consumers.
* CloudTrust Protocol: the mechanism by which cloud service consumers ask for and receive information about the elements of transparency as applied to cloud service providers.
* Consensus Assessments Initiative Research: tools and processes to perform consistent measurements of cloud providers.
* Software Defined Perimeter: a proposed security framework that can be deployed to protect application infrastructure from network-based attacks. It will incorporate standards from organizations such as OASIS and NIST and security concepts from organizations like the U.S. DoD into an integrated framework.

== Working groups and initiatives ==

* Mobile Working Group
* Big Data Working Group
* Security as a Service Working Group
* Trusted Cloud Initiative
* CloudAudit
* CloudCERT
* CloudSIRT
* Cloud Metrics
* Security, Trust and Assurance Registry (STAR)
* Cloud Data Governance
* Turbot (business)
* Blockchain/Distributed Ledger

Systems development life cycle

The systems development life cycle (SDLC) describes the typical phases, and the progression between phases, during the development of a computer-based system. These phases progress from inception to retirement. At base, there is just one life cycle, but the taxonomy used to describe it may vary; the cycle may be divided into different numbers of phases, and various names may be used for those phases. The SDLC is analogous to the life cycle of a living organism from its birth to its death. In particular, the SDLC varies by system in much the same way that each living organism has a unique path through its life. The SDLC does not prescribe how engineers should go about their work to move the system through its life cycle. Prescriptive techniques are referred to using various terms such as methodology, model, framework, and formal process.

Other terms are used for the same concept as SDLC, including software development life cycle (also SDLC), application development life cycle (ADLC), and system design life cycle (also SDLC). These other terms focus on a different scope of development and are associated with different prescriptive techniques, but are about the same essential life cycle. The term "life cycle" is often written without a space, as "lifecycle"; the spaced form was more popular in the past and in non-engineering contexts. The acronym SDLC was coined when the longer form was more popular and has remained associated with that expansion, even though the shorter form is popular in engineering. Also, the acronym SDLC is relatively unambiguous, as opposed to the TLA SDL, which is highly overloaded.

== Phases ==

Depending on the source, the SDLC is described as having different phases and using different terms. Even so, there are common aspects. The following attempts to describe notable phases using notable terminology. The phases are somewhat ordered by the natural sequence of development, although they can be overlapping and iterative.

=== Conceptualization ===

During conceptualization (a.k.a. conceptual design, system investigation, feasibility), options and priorities are considered. A feasibility study can determine whether the development effort is worthwhile via activities such as understanding user needs, cost estimation, benefit analysis, and resource analysis. A study should address operational, financial, technical, human factors, and legal/political concerns.

=== Requirements analysis ===

Requirements analysis (a.k.a. preliminary design) involves understanding the problem and determining what is needed. Often this involves engaging users to define the requirements and recording them in a document known as a requirements specification.

=== Design ===

During the design phase (a.k.a. detail design), a solution is planned. The plan can include relatively high-level information, such as describing the major components of the system, and relatively low-level information, such as describing functions, screen layout, business rules, and process flow. The design phase is informed by the requirements of the system; the design must satisfy each requirement. The design may be recorded in textual documents as well as functional hierarchy diagrams, example screen images, business rules, process diagrams, pseudo-code, and data models.

=== Construction ===

During construction (a.k.a. implementation, production), the system is realized. Based on the design, hardware and software components are created and integrated. This phase includes testing sub-components, components and the integration of some components, but typically does not include testing at the complete system level. This phase may include the development of training materials, including user manuals and help files.

=== Acceptance ===

The acceptance phase (a.k.a. system testing) is about testing the complete system to ensure that it meets customer expectations (requirements).

=== Deployment ===

The deployment phase (a.k.a. implementation) involves the logistics of delivery to the customer. Some systems are deployed as a single instance (i.e. in the cloud), and deployment may be ad hoc and manual. Some systems are built in quantity and are associated with a manufacturing process and commissioning. This phase may include training users to use the system. It may include transitioning future development to support staff.

=== Maintenance ===

During the maintenance phase (a.k.a. operation, utilization, support), development is largely inactive, although this phase does include customer support for resolving user issues and recording suggestions for improvement. Fixes and enhancements are handled by returning to the first phase, conceptualization. For minor changes, the cycle may be significantly abbreviated compared to initial development.

=== Decommission ===

Decommission (a.k.a. disposition, retirement, phase-out) is when the system is removed from use, i.e., when it reaches end-of-life.

== Practices ==

=== Management and control ===

SDLC phase objectives are described in this section with key deliverables, a description of recommended tasks, and a summary of related control objectives for effective management. It is critical for the project manager to establish and monitor control objectives while executing projects. Control objectives are clear statements of the desired result or purpose and should be defined and monitored throughout a project. Control objectives can be grouped into major categories (domains), and relate to the SDLC phases as shown in the figure.

To manage and control a substantial SDLC initiative, a work breakdown structure (WBS) captures and schedules the work. The WBS and all programmatic material should be kept in the "project description" section of the project notebook. The project manager chooses a WBS format that best describes the project. The diagram shows that coverage spans numerous phases of the SDLC, but the associated MCD (Management Control Domains) shows mappings to SDLC phases. For example, Analysis and Design is primarily performed as part of the Acquisition and Implementation Domain, and System Build and Prototype is primarily performed as part of Delivery and Support.

=== Work breakdown structured organization ===

The upper section of the WBS provides an overview of the project scope and timeline. It should also summarize the major phases and milestones. The middle section is based on the SDLC phases. WBS elements consist of milestones and tasks to be completed rather than activities to be undertaken, and have a deadline. Each task has a measurable output (e.g., an analysis document). A WBS task may rely on one or more activities (e.g., coding). Parts of the project needing support from contractors should have a statement of work (SOW). The development of an SOW does not occur during a specific phase of the SDLC, but is developed to include the work from the SDLC process that may be conducted by contractors.

=== Baselines ===

Baselines are established after four of the five phases of the SDLC, and are critical to the iterative nature of the model. Baselines become milestones.

* functional baseline: established after the conceptual design phase.
* allocated baseline: established after the preliminary design phase.
* product baseline: established after the detailed design and development phase.
* updated product baseline: established after the production construction phase.

In the following diagram, these stages are divided into ten steps, from definition to creation and modification of IT work products:

ShowScoop

ShowScoop is a website and mobile app platform on which users can rate and review artists, concerts, and music festivals that they have seen or attended. The reviews and ratings are intended to indicate how good such performances are live, helping concert-goers decide which live music events they want to attend.

== History ==

ShowScoop was founded in August 2012 by Micah Smurthwaite and is based out of San Diego, CA. In February 2013, ShowScoop launched its mobile app at the SF Music Tech Summit. The application is currently available on the iPhone, with plans to expand into the Android market in the future.

== Services ==

ShowScoop uses crowdsourcing to provide accurate ratings of live concert experiences. In addition to viewing ratings, users are encouraged to rate and review concerts they have attended. The ShowScoop database includes nearly one million artists and over 2.5 million live music events. ShowScoop users can rate artists on four aspects of the performance: stage presence, crowd interaction, sound quality, and visual effects. The rating system uses an ascending scale from one to five in each of the aspects, with five being the highest score. In addition to the quantitative ratings, ShowScoop users are also free to write qualitative reviews in a provided comment section. This allows users to explain their ratings and add further insight or opinion.

ShowScoop incorporates several facets of social media into its services. Users can create a user profile to share limited personal information and store their ratings and reviews. Users are also given the option of sharing their evaluations with their social networks on Facebook and Twitter. Users can "like" reviews, follow artists, and follow other ShowScoop users. The mobile app allows users to take photos, apply filters, and share the final image in conjunction with reviews and through Instagram.

== Road Crew ==

ShowScoop's "Road Crew" is a group made up of top contributors within the ShowScoop community. The Road Crew assists in curating artist pages, assuring information quality and accuracy. In return, members of the Road Crew are given incentives, including free tickets to concerts and personal invitations to exclusive shows. Applicants to the Road Crew are judged on the number and quality of their reviews, the photos and videos they have posted, and their general engagement with the ShowScoop community in following and liking users and reviews.

Internet Security Awareness Training

Internet Security Awareness Training (ISAT) is the training given to members of an organization regarding the protection of various information assets of that organization. ISAT is a subset of general security awareness training (SAT). Even small and medium enterprises are generally recommended to provide such training, but organizations that need to comply with government regulations (e.g., the Gramm–Leach–Bliley Act, the Payment Card Industry Data Security Standard, Health Insurance Portability and Accountability Act, Sarbanes–Oxley Act) normally require formal ISAT for annually for all employees. Often such training is provided in the form of online courses. ISAT, also referred to as Security Education, Training, and Awareness (SETA), organizations train and create awareness of information security management within their environment. It is beneficial to organizations when employees are well trained and feel empowered to take important actions to protect themselves and organizational data. The SETA program target must be based on user roles within organizations and for positions that expose the organizations to increased risk levels, specialized courses must be required. == Coverage == There are general topics to cover for the training, but it is necessary for each organization to have a coverage strategy based on its needs, as this will ensure the training is practical and captures critical topics relevant to the organization. As the threat landscape changes very frequently, organizations should continuously review their training programs to ensure relevance with current trends. Topics covered in ISAT include: Appropriate methods for protecting sensitive information on personal computer systems, including password policy Various computer security concerns, including spam, malware, phishing, social engineering, etc. 
Consequences of failure to properly protect information, including potential job loss, economic consequences to the firm, damage to individuals whose private records are divulged, and possible civil and criminal law penalties. Being Internet Security Aware means you understand that there are people actively trying to steal data that is stored within your organization's computers. (This often focuses on user names and passwords, so that criminal elements can ultimately get access to bank accounts and other high-value IT assets.) That is why it is important to protect the assets of the organization and stop that from happening. The general scope should include topics such as password security, Email phishing, Social engineering, Mobile device security, Sensitive data security, and Business communications. In contrast, those requiring specialized knowledge are usually required to take technical and in-depth training courses. Suppose an organization determines that it is best to use one of the available training tools on the market, it must ensure it sets objectives that the training can meet, including confirming the training will provide employees with the knowledge to understand risks and the behaviors needed in managing them, actions to take to prevent or detect security incidents, using language easily understandable by the trainees, and ensuring the pricing is reasonable. 
Organizations are recommended to base ISAT training content on employee roles and their culture; policy should guide that training for all employees, and the following are examples of sources of reference materials:

National Institute of Standards and Technology (NIST) Special Publication 800-50, Building an Information Technology Security Awareness and Training Program
International Standards Organization (ISO) 27002:2013, Information technology — Security techniques — Code of practice for information security controls
International Standards Organization (ISO) 27001:2013, Information technology — Security techniques — Information security management systems
COBIT 5 Appendix F.2, Detailed Guidance: Services, Infrastructure and Applications Enabler, Security Awareness

The training must focus on current threats specific to an organization and the impacts if they materialize as a result of user actions. Including practical examples and ways of dealing with scenarios helps users know the appropriate measures to take. It is a good practice to periodically train the customers of specific organizations on the threats they face from people with malicious intentions. The coverage strategy for SAT should be driven by the organization's policy. It helps determine the depth of the training and whether it should be conducted at a global level, at a business unit level, or a combination of both. A policy also empowers a responsible party within the organization to run the training.

== Importance ==

Studies show that well-structured security awareness training can significantly reduce the likelihood of cyber incidents caused by human error. According to the Ponemon Institute, organizations that implement regular security training experience up to 70% fewer successful phishing attacks. Additionally, the 2023 Verizon Data Breach Investigations Report found that 74% of breaches involve the human element, highlighting the need for continuous education.
Employees are key to whether organizations are breached or not; there must be a policy on creating awareness and training them on emerging threats, on the actions to take in safeguarding sensitive information, and on reporting any observed unusual activity within the corporate environment. Research has shown that SAT has helped reduce cyber-attacks within organizations, especially phishing, as trainees learn to identify these attack modes and gain the self-assurance to take appropriate action. Phishing attacks are increasing, so it has become increasingly important for people to understand how these attacks work and the actions required to prevent them; SAT has shown a significant impact on the number of successful phishing attacks against organizations.

== Compliance Requirements ==

Various regulations and laws mandate SAT for organizations in specific industries, including the Gramm–Leach–Bliley Act (GLBA) for financial services, the Federal Information Security Modernization Act of 2014 for federal agencies, and the European Union's General Data Protection Regulation (GDPR).

=== Federal Information Security Modernization Act ===

Employees and contractors in federal agencies are required to receive security awareness training annually, and the program needs to address the job-related information security risks linked to their duties and provide them with the knowledge to lessen those risks.

=== Health Insurance Portability and Accountability Act ===

The Health Insurance Portability and Accountability Act has a Security Rule and a Privacy Rule requiring the creation of a security awareness training program and ensuring employees are trained accordingly.
=== Payment Card Industry Data Security Standard ===

The Payment Card Industry Security Standards Council, the governing council for stakeholders in the payment industry, was formed by American Express, Discover, JCB International, MasterCard, and Visa and developed the DSS as a requirement for the payment industry. Requirement 12.6 requires member organizations to institute a formal security awareness program. There is a published guide for organizations to follow when setting up the program.

=== US States Training Regulations ===

Some states mandate security awareness training, while others do not but simply recommend voluntary training. States that require the training for their employees include:

Colorado (The Colorado Information Security Act, Colorado Revised Statutes 24-37.5-401 et seq.)
Connecticut (13 FAM 301.1-1 Cyber Security Awareness Training (PS800))
Florida (Florida Statutes Chapter 282)
Georgia (Executive Order GA E.O.182 mandated training within 90 days of issue)
Illinois (Cook County)
Indiana (IN H 1240)
Louisiana (Louisiana Division of Administration, Office of Technology Services p. 52: LA H 633)
Maryland (20-07 IT Security Policy)
Montana (Mandatory cyber training for executive branch state employees)
Nebraska
Nevada (agency-by-agency state employee requirement - State Security Standard 123 – IT Security)
New Hampshire
New Jersey (NJ A 1654)
North Carolina
Ohio (IT-15 - Security Awareness and Training)
Pennsylvania
Texas
Utah
Vermont
Virginia
West Virginia (WV Code Section 5A-6-4a)

== Training Techniques ==

Below are some common training techniques; some can be blended depending on the operating environment:

Interactive video training – This technique allows users to be trained using two-way interactive audio and video instruction.
Web-based training – This method allows employees or users to take the training independently and usually has a testing component to determine whether learning has taken place. If not, users can be allowed to retake the course and test to ensure there is a complete understanding.

GeneTalk

GeneTalk is a web-based platform, tool, and database for the filtering, reduction and prioritization of human sequence variants from next-generation sequencing (NGS) data. GeneTalk allows editing annotations about sequence variants and building up a crowdsourced database with clinically relevant information for the diagnostics of genetic disorders. GeneTalk allows searching for information about specific sequence variants and connects users to experts on variants that are potentially disease-relevant.

== Application to diagnostics ==

Users can upload NGS data in Variant Call Format (VCF) onto the GeneTalk server into their accounts. All entries of the file are preprocessed and shown in the integrated VCF viewer. Filtering tools are set by the user to reduce the number of clinically non-relevant variants. After filtering and prioritization, users can interpret relevant variants by retrieving information (annotations) about them from the GeneTalk database. The communication platform allows users to contact experts about specific variants, genes, or genetic disorders, to exchange knowledge and expertise.

=== Analysis procedure ===

Steps required to analyze VCF files:

1. Upload VCF file
2. Edit pedigree and phenotype information for segregation filtering
3. Filter VCF file by editing the filtering options
4. View results and annotations
5. Add annotations

=== Filtering tools ===

The following filtering options may be used to reduce the non-relevant sequence variants in VCF files.
Functional – filter out variants that have effects on protein level
Linkage – filter out variants that are on specified chromosomes
Gene panel – filter variants by genes or gene panels; subscribe to publicly available gene panels or create your own
Frequency – show only variants with a genotype frequency lower than specified
Inheritance – filter out variants by presumed mode of inheritance
Annotation – show only variants with a score for medical relevance and scientific evidence

== Communication platform and expert network ==

Users can share VCF files with colleagues and coworkers. The integrated mailing system allows users to contact experts easily. Users can create annotations and comments and rate annotations regarding medical relevance and scientific evidence, which is helpful for the community of users in diagnosing genetic disorders. Registered users provide information about their field of knowledge in their profile and can be contacted by other users.

== Potential applications ==

Developing diagnostics
Genetic analysis
Capturing data generated by the community
Communication and exchange of knowledge and expertise
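The analysis procedure and filtering tools above (upload a VCF file, then apply linkage, gene panel and frequency filters) can be illustrated with a small filtering pipeline. The following is an added example and not GeneTalk's own code: it parses a constructed VCF fragment and applies three of the filters in the order a user would set them. It assumes that the INFO column carries `AF=<allele frequency>` and `GENE=<symbol>` key/value pairs (a convention chosen for this example; real annotation tools use their own keys). Because an uploaded VCF file is untrusted input, malformed data lines are counted and skipped rather than allowed to crash the run.

```python
"""Minimal VCF filtering in the style of the GeneTalk filtering tools.

Added example, not GeneTalk's code. Assumes the INFO column carries
AF=<allele frequency> and GENE=<symbol> pairs (a constructed convention).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable

VCF_MIN_COLUMNS = 8  # CHROM POS ID REF ALT QUAL FILTER INFO


@dataclass
class Variant:
    chrom: str
    pos: int
    ref: str
    alt: str
    info: dict = field(default_factory=dict)


def parse_info(raw: str) -> dict:
    """Parse 'K=V;FLAG;K2=V2' into a dict; bare flags map to True."""
    out: dict = {}
    for item in raw.split(";"):
        if not item:
            continue
        key, sep, value = item.partition("=")
        out[key] = value if sep else True
    return out


def parse_vcf(lines: Iterable[str]) -> tuple[list[Variant], int]:
    """Parse VCF data lines; header lines starting with '#' are skipped.

    Returns (variants, rejected_line_count). Malformed lines (too few
    columns, non-numeric POS) are counted and dropped, since the file
    comes from an untrusted upload and must not abort the whole run.
    """
    variants: list[Variant] = []
    rejected = 0
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) < VCF_MIN_COLUMNS:
            rejected += 1
            continue
        try:
            pos = int(cols[1])
        except ValueError:
            rejected += 1
            continue
        variants.append(Variant(cols[0], pos, cols[3], cols[4], parse_info(cols[7])))
    return variants, rejected


def linkage_filter(variants: list[Variant], excluded_chroms: Iterable[str]) -> list[Variant]:
    """Linkage: filter OUT variants located on the specified chromosomes."""
    excluded = set(excluded_chroms)
    return [v for v in variants if v.chrom not in excluded]


def gene_panel_filter(variants: list[Variant], panel: Iterable[str]) -> list[Variant]:
    """Gene panel: keep only variants whose GENE annotation is in the panel."""
    wanted = set(panel)
    return [v for v in variants if v.info.get("GENE") in wanted]


def frequency_filter(variants: list[Variant], max_af: float) -> list[Variant]:
    """Frequency: keep only variants with allele frequency below max_af.

    Variants without a parseable AF are kept: an unknown frequency is not
    evidence that the variant is common.
    """
    kept = []
    for v in variants:
        raw = v.info.get("AF")
        if not isinstance(raw, str):
            kept.append(v)  # missing AF or bare flag: frequency unknown
            continue
        try:
            af = float(raw)
        except ValueError:
            kept.append(v)
            continue
        if af < max_af:
            kept.append(v)
    return kept


# Constructed sample: four well-formed records plus two malformed lines.
SAMPLE_VCF = """##fileformat=VCFv4.2
#CHROM\tPOS\tID\tREF\tALT\tQUAL\tFILTER\tINFO
1\t12345\t.\tA\tG\t50\tPASS\tAF=0.0001;GENE=BRCA1
1\t22222\t.\tC\tT\t50\tPASS\tAF=0.45;GENE=BRCA1
X\t33333\t.\tG\tA\t50\tPASS\tAF=0.0002;GENE=DMD
7\t44444\t.\tT\tC\t50\tPASS\tGENE=CFTR
7\tnot_a_number\t.\tT\tC\t50\tPASS\tAF=0.1;GENE=CFTR
2\t55555\tbad_line
"""


def run_pipeline(vcf_text: str, excluded_chroms=("X", "Y"),
                 panel=("BRCA1", "CFTR"), max_af: float = 0.01) -> tuple[list[Variant], int]:
    """Upload (parse), then apply linkage, gene panel and frequency filters."""
    variants, rejected = parse_vcf(vcf_text.splitlines())
    variants = linkage_filter(variants, excluded_chroms)
    variants = gene_panel_filter(variants, panel)
    variants = frequency_filter(variants, max_af)
    return variants, rejected


if __name__ == "__main__":
    kept, bad = run_pipeline(SAMPLE_VCF)
    print(f"rejected malformed lines: {bad}")
    for v in kept:
        print(v.chrom, v.pos, v.ref, v.alt, v.info)
```

On the constructed sample, two malformed lines are rejected, the X-chromosome variant is removed by the linkage filter, and the common BRCA1 variant (AF=0.45) is removed by the frequency filter, leaving the rare BRCA1 variant and the CFTR variant of unknown frequency. Keeping variants with no frequency annotation is a deliberate choice: silently discarding them would hide data rather than reduce noise.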