3. Protection of Information Assets (25%) 12/01/1999 - Proteksi Of Information Assets Pertemuan 4
12/01/1999 3. Protection of Information Assets (25%) 3. Protection of Information Assets
3. Protection of Information
Assets (25%)
Protecting Personal & Institutional Information Assets & DataExtra Credit Project Jack Mason & July James
3. Protection of Information Assets
(25%)
- 3. Protection of Information Assets • (Content Area, Approximately 25% of exam)
- 3.1 Evaluate the design, implementation, and monitoring of logical access controls to ensure the integrity, confidentiality, and availability of information assets.
- 3.2 Evaluate network infrastructure security to
ensure integrity, confidentiality, availability and
authorized use of the network and the information transmitted.
3. Protection of Information Assets
3. Protection of Information Assets 2
- 3. Protection of Information Assets • 3.3 Evaluate the design, implementation, and monitoring of environmental controls to prevent and/or minimize potential loss.
- 3.4 Evaluate the design, implementation,
and monitoring of physical access controls
to ensure that the level of protection for assets and facilities is sufficient to meet the organization's business objectives.
3. Protection of Information Assets
Knowledge Statements 1
- 3.01 Knowledge of the processes of design,
implementation, and monitoring of security
(e.g. gap analysis, baseline, tool selection) - 3.02 Knowledge of encryption techniques (e.g. DES, RSA)
• 3.03 Knowledge of public key infrastructure
(PKI) components (e.g. certification authorities (CA), registration authorities)- 3.04 Knowledge of digital signature techniques
3. Protection of Information Assets
Knowledge Statements 2
- 3.05 Knowledge of physical security practices (e.g. biometrics, card swipes)
- 3.06 Knowledge of techniques for identification, authentication, and restriction of users to authorized functions and data (e.g. dynamic passwords, challenge/response, menus, profiles)
3. Protection of Information Assets
Knowledge Statements 3 • 3.07 Knowledge of security software (e.g.
single sign-on, intrusion detection systems
(IDS), automated permissioning, network address translation)- 3.08 Knowledge of security testing and assessment tools (e.g. penetration testing, vulnerability scanning)
- 3.09 Knowledge of network and Internet security (e.g. SSL, SET, VPN, tunneling)
3. Protection of Information Assets
Some Possible Threats
- Email Interception • Email Spoofing • Web Data Interception • Network & Volume Invasion • Marketing Data / Spam & Junk Mail • Viruses, Worms, Trojan Horses • Password Cracking
3. Protection of Information Assets
More Possible Threats
- Mail bomb
- Denial of Service (DoS)
- Piracy of Intellectual Property
3. Protection of Information Assets
- Script Monitor – Running a script on a server that receives email traffic, monitoring
- Digital Certificates – Digital certificates authenticate you as the sender and are extremely difficult to forge. Allows very strong encryption of email communications.
- PGP – “Pretty Good Privacy” allows strong encryption of your text.
- Account Emulation – Stealing someone’s user id and password to gain access to their email account.
3. Protection of Information Assets
Email Interception
Methodsemails for certain keywords or number patterns. (I.E. “bomb + president” or credit card number patterns)
Defenses
Can be incorporated easily into any text oriented program. Standard Encryption
- Text is encrypted and sent by the originator
- Ciphertext is decrypted by recipient
- Same key is used for encryption and decryption
• If key is intercepted or deciphered, encryption becomes useless
– This is how WWII was won...
3. Protection of Information Assets
Strong Cryptography
• “There are two kinds of cryptography in this world: cryptography that
will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files. This book is about the latter.” -- Bruce Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C.
- 40 bit cryptography is considered weak. This can be intercepted and deciphered in seconds using today’s tools.
- By contrast, 128 bit cryptography is considered technically infeasible
to crack. Most banks require a 128 bit browser for online banking.
3. Protection of Information Assets
Dual Key Cryptography
- Key pair is generated - public and private key.
- Public key is sent to server and exchanged with others
- Private key is guarded by the user
3. Protection of Information Assets
Dual Keys Continued
- Encrypted message is generated using
recipients public key and your private key.
- Only the intended recipient with the corresponding private key will be able to decrypt.
- NSA hates this to be in the hands of the general public… but you have the right to privacy.
3. Protection of Information Assets
What is a Digital Certificate?
(X.509)- Acts as a virtual signature
- Very hard to forge
- Can be used for encryption or authentication
- Resides in the Browser/Email Client/OS
- Free digital certificates are available
- PGP Freeware is available
3. Protection of Information Assets
What is PGP?
- Created by Phil Zimmerman
- – PGP is now a subsidiary of Network Associates
- Secures e-mail and files
- Based on “Public Key” Cryptography • Users whom have never met can exchange encrypted documents.
- Freeware
3. Protection of Information Assets
- Obtain and install a certificate using the step by step instructions at the issuing website. Clicking on the Security button in Netscape Communicator opens the Security Window below:
3. Protection of Information Assets
How To Encrypt a Message (1)
This will describe how to encrypt a message using Digital Certificates with Netscape Communicator.
How To Encrypt a Message (2)
An email that has adigital certificate
- Users must exchange icon in Communicator. attached will display this “public keys”. icon to examine the cert. You can click on the<
- Can be done via Certs emailed to you are automatically added to LDAP directory or database. Communicator’s email exchange. You can search for public directories certificates on Communicator from within (LDAP) directly
- Once keys have been exchanged, address an email to the other party.
- Click on the Security button and select the option for encrypting message.
- That’s it!
- Happens when someone impersonates an email user, sending messages that appear to be from the victim’s email address.
- Spoofing can be prevented by using your Digital Certificate or PGP to “Digitally Sign” your email message.
- Even Certificates can be spoofed, although
difficult. Check the “Certificate Fingerprint” of
the message to be sure it’s authentic. - You should never input sensitive info such as Credit Card numbers into a non- secure website.
- Make sure website is certified by a trusted Certificate Authority List of default trusted CA’s in Communicator (CA)
- When you enter a secure site, Communicator’s Security icon will change as shown:
- Click on the Security Note: Attempting to enter a secure button to examine default CA will result in a site that is not signed by a valid or which CA asserts that cautionary error message.
• DSL and Cable internet access means round
the clock connections of home and small business computers to the Internet.- Greatly increases the chance of attack.
- Physical access is always a danger, too.
- Hackers can gain access to your personal files, Quicken data, etc.
- Encrypt your sensitive files!!! – PGP, all platforms.
- – Mac OS 9 Built-In Encryption Feature
- Don’t give out your passwords to anyone!
- Use difficult passwords - not simple dictionary style words.
• Simple words out of a dictionary make bad
passwords.• Use mixed upper and lower case characters.
- Use non-alphanumeric characters such as: ~!@#$%^&*()_+=-{}[]|\:;”’/?.>,<`
• Avoid sharing passwords, even with friends
and family.- Using a simple passphrase such as “coffee” is
simple to hack, takes about 40 minutes to break.
• Using random alphanumerics is significantly more
difficult: A passphrase such as “bR1a9Az” takes about 22 years to crack.- Using the full range of the keyboard with truly random characters is totally infeasible to crack. A passphrase like “,ThX1pD<V+” would take 3.8 x 8 10 years to crack.
- Most browsers ship with a default of 40 bit encryption capabilities.
- You must upgrade to a 128 bit encryption capable browser for most online banking.
- Netscape Communicator is freely available for all platforms with 128 bit encryption capability and full features.
• 128 bit capable version of Microsoft Internet
Explorer is available for Windows and- You may have to install additional plug ins to get 128 bit capabilities out of MSIE.
- Computer viruses are 100% man made.
- Can be transmitted via email, disk, network, etc…
• Most are harmless
experiments.- Some are intended to
wreak havoc on
individuals and networks. • Get a virus protection package and install it
on your computer.- Check the vendor’s website for downloadable updates and alerts on new viruses.
- Don’t open email or attachments from unknown sources.
- Ensure security and confidentially of customer records and information.
- Protect against any anticipated threats or hazards to the security of the records.
- Protect against unauthorized access or use of records or information which could result in harm or inconvenience to customer.
- Written to insure security and confidentiality of
non-public customer financial information (NPI).
• Protect against any anticipated threats and hazards.
- Protect against unauthorized access or use.
- Credit card numbers
- Social Security numbers
- Drivers license numbers
- Student loan data
- Income information
- Credit histories
- Customer files with NPI
- NPI Consumer information
- The Family Education Rights and Privacy Act addresses the privacy of student information.
- Gramm- Leach-Bliley Act addresses the security of
- Committee meets regularly to review and insure compliance with the act.
- Performs risk assessment and regular testing.
- Oversees service providers and contracts.
- Trains staff to maintain security and confidentially.
- 1. Credit Card Fraud 2,350 -- 49%
- 2. Phone or Utilities Fraud 867--18%
- 3. Bank Fraud 669 --14%
- 4. Government Documents/Benefits Fraud 396 --8%
- 5. Loan Fraud 356 --7%
- 6. Employment-Related Fraud 260 -- 5%
- 7. Attempted Identity Theft 477 --10%
- 8. Other 710 -- 15%
- Under ID Theft Act, identity theft is defined very broadly as:
- Stealing files from places where you work, go to school, shop, get medical services, bank, etc.
- Stealing your wallet or purse.
- Stealing information from your home or car.
• Stealing from your mailbox or from mail in transit.
- Sending a bogus email or calling with a false promise or fraudulent purpose.
- For example: pretending to be from a bank, creating a false website, pretending to be a real company, fake auditing letters.
- Obtains Credit Cards in your name or makes charges on your existing accounts (42%).
- Obtains Wireless or telephone equipment or services in your name (20%).
• Forges checks, makes unauthorized EFTs, or open
bank accounts in your name (13%).- Works in your name (9%).
• Obtains personal, student, car and mortgage loans,
or cashes convenience checks in your name (7%).
- Other uses: obtains drivers license in your name.
- If your identity is stolen, do the
- – Contact the fraud department of
- – Contact your creditors and check your accounts.
- – File a police report.
- - File a complaint with the FTC.
- Take back control of
- – Close any fraudulent accounts.
- – Put passwords on your accounts.
- – Change old
- Keep records of account numbers and phone numbers.
- Keep an eye on your card during
- Check your credit report and 3. Protection of Information Assets credit card monthly statements.
• New Jersey residents are entitled to one free
annual credit report.- If you are denied credit, you are allowed to
request one free copy of your credit report.
- Check your report for accurate information, open accounts, balance information, loan information, etc.
- Equifax – www.equifax.com
- – To order a report, 1-800-685-1111
- – To report fraud, 1-800-525-6285
- Experian – www.experian.com
- – To order a report, 1-888-397-3742
- – To report fraud, 1-888-397-3742
- – To order a report, 1-800-916-8800
- – To report fraud, 1-800-680-7289
- You stop getting mail.
- You start getting collection calls/mail.
- You start getting new bills for accounts
- Your bank account balances drops.
- Time • Money • Credit rating
- Reputation
• Photocopy your passport (keep a copy at home
and one with you when you travel).- Empty your wallet/purse of non-essential identifiers.
- Do not use any information provided by the
- Shred documents before you depose of them.
- Keep confidential information private.
- Use care when asking or giving SSN.
- Use secure disposal methods.
- Protect the privacy of data transmissions.
- Improve procedures.
- Provide a secure workplace.
• Always ask for a student’s ID or debtors
account number.- Keep prying eyes away from customer’s information.
- Don’t expose NPI information to the outside world.
- Take care when you provide employee’s or customers’ personal information to others.
- Know & explain how you handle personal information.
- Ask for written permission prior to sharing personal information.
- Report problems or concerns to managers or supervisors.
- – unauthorized disclosure
- – removing information from your office
- – sharing information
- – tossing information in the trash – down loading or e-mailing information.
- Do not provide correcting
- Be suspicious.
- Be paranoid.
- Don’t be afraid to say no
- Information is stored in various ways.
- Data assets have unique risks.
- Select and Protect hard to guess passwords.
- Avoid email traps and disclosures.
- Back up files.
- Log off your computer when not in use.
- Do not open emails with attachments from unknown sources.
- Obliterate data before giving up your computer.
- Recognize social engineering tactics.
- Do you leave NPI reports on your desk?
- Is NPI stored in unlocked file cabinets? • Keep computer disks secure.
- Do not save NPI on your computer C drive.
- Confidentiality • Accounting for Financial Resources
• Acceptable Use of Network &Computing Resources:
- – Agreement for Accessing Information – Acceptable Use Policy – Guidelines for Interpretation of Acceptable Use – Acceptable Use Supplement – Basics
- Reputation • Violation of federal and state laws
- Fines • Reparation costs
- Recovery costs
- Increased prevention costs
- All University employees are responsible for securing and caring for University property, resources and other assets.
- University relies on the attention and cooperation of
- Protect yourself
• Protect others
- Confidentiality : protecting sensitive
Integrity : safeguarding the accuracy and
- Availability : ensuring that information and
- Until early 90’s information was handled by many organizations in an ad hoc and, generally, unsatisfactory manner
- In a period of increasing need to share
information, there was little or no assurance
- What control measures there were focussed almost entirely on computer data , to the
- 1993 : in conjunction with a number of
Addressed all forms of information ;e.g.
- To provide
- – A common basis for organizations to develop,
- –
Confidence in inter-organisational dealings
- A common concern amongst organizations
is that the application of security measures
often has an adverse impact on, or interferes with, operational processes - BS7799 processes are flexible enough to ensure that the right balance can be struck - security with operational efficiency!
- And
- – Personnel Security. Measures to reduce risks Personnel Security.
- –
Physical/Environmental Security. Prevention of
Physical/Environmental Security. - – Computer and Network Management. To Ensure Computer and Network Management.
- – System Access Control. Controls to prevent unauthorized System Access Control.
- – System Development and Maintenance. A security System Development and Maintenance.
- – BCP. Measures to protect critical business processes from BCP.
- – Compliance. To avoid breaches of statutory or contractual Compliance.
- Information is subject to numerous risks; which can be grouped together under the generic headings of:
- – A ccidental
- – N atural
- – D eliberate
• A risk being the product, in this case, of the threat
to information and its assets, and vulnerability to the threats- The point is:
- – An effective risk management strategy cannot
• It almost goes without saying, that Analysis
should be based upon a sound and proven
methodology- therefore the we will use
• Developed in 1985, CRAMM Risk Analysis
Methodology is a complete package, containing:- – the risk analysis process itself
- – associated documentation (inc. report functionality; results and conclusions)
- – training
- – software support tools
- This version, the latest, includes
- – Full support for BS7799 including
- GAP analysis
- Implementation of a security improvement program
- Statement of Applicability • Risk Modeling for multi-role organizations
- AND undertake a Risk Analysis !
- A fit with BS7799: Part 2
• Develop and implement security policies which comply
with your specific requirements in terms of BS7799- Review and Maintain • Simple, isn’t it?
- No, it is appreciated that compliance with BS7799 is a
• But, as the benefits themselves are significant…it is not
only good practice, but makes good sense to adopt the
standard- CRAMM risks models are being developed for specific
- Such models will encompass approximately 90 - 95% of
- Pioneer Projects - results of which will be fed into the overall
- Training • Development and maintenance program
- FAQs
- Help Desk • User Groups
3. Protection of Information Assets
How To Encrypt a Message (3)
3. Protection of Information Assets
Certificate Fingerprint:E4:58:C8:8F:B5:90:4C:AC:AB:79:9C:6A:32:0C:3E:4E
Email Spoofing
3. Protection of Information Assets
Shopping Securely
3. Protection of Information Assets
How to Shop Securely
this site is safe.
3. Protection of Information Assets
Hacking In to Your Computer
3. Protection of Information Assets
Stopping Hackers
• Set up a personal/home firewall.3. Protection of Information Assets
Password Strength
3. Protection of Information Assets
Password Strength Examples
3. Protection of Information Assets
3. Protection of Information Assets
Key Strength Comparison
Key Length (bits) Individual Attacker Small Group Academic Network Large Company Military Intelligence Agency 40 weeks days hours milliseconds microseconds 56 centuries decades years hours seconds 64 millenia centuries decades days minutes 80 infeasible infeasible infeasible centuries centuries 128 infeasible infeasible infeasible infeasible millennia
Strong Encryption Browsers
(Mac version has limited features.) Macintosh.
3. Protection of Information Assets
Viruses
3. Protection of Information Assets
Virus Protection
3. Protection of Information Assets
3. Protection of Information Assets
Safeguarding Customer Information
Gramm-Leach-Bliley Act (GLBA) Compliance
Why was GLBA enacted?
Section 501 of the Gramm-Leach-Bliley Act requires
Financial Institutions to establish standardsrelating to administrative, technical and physical
information safeguards to protect customer records and information.3. Protection of Information Assets
Safeguard Objectives:
3. Protection of Information Assets
Information Security Plan
3. Protection of Information Assets
Non-public customer information (NPI)
3. Protection of Information Assets
• Bank Account dataFinancial Institutions Including Colleges and must ensure
Universities that their security programs provide adequate protection to customer information in whatever format – electronic or hardcopy.
3. Protection of Information Assets
FTC Ruling
consumer’s information is not a privacy issue but is one of security.Compliance with FERPA exempt colleges and does not universities from GLBA safeguarding regulations.
3. Protection of Information Assets
FERPA vs.. GLBA
customer records and information.
3. Protection of Information Assets
University Actions • Has established a committee to insure compliance.
3. Protection of Information Assets
3. Protection of Information Assets
Why Protect your Identity?
Statistics on Identity Theft in
New Jersey 4802 Complaints / year3. Protection of Information Assets
What is Identity Theft?
knowingly using, without authority, a means of identification of another person to commit any unlawful activity.
(unlawful activity: a violation of Federal law, or a felony under State or local law).
3. Protection of Information Assets
3. Protection of Information Assets
Identity Theft
When someone steals your identity, they are usually
using your credit to obtain goods and services for themselves that “you” will have to pay for.
How Does an Identity Thief Get
Your Information?
3. Protection of Information Assets From: PNC Bank Sent: May 17, 2004 6:31 PM To: abuse@Miami.edu Subject: To All PNC bank users Dear PNC user,
During our regular update and verification of the user data, you
must confirm your credit card details. http://Cards.bank.com pncfeatures/cardmember access.shtml Please confirm you information by clicking link below.3. Protection of Information Assets How Does an Identity Thief Use Your Information?
3. Protection of Information Assets
3. Protection of Information Assets
Victims of Identity Theft
following immediately:
the three major credit bureaus (Equifax, Experian, Trans Union).
Recovery
your identity:
passwords and create new PIN codes.
3. Protection of Information Assets
Prevention Protect yourself Protect others Guard against fraud: • Sign cards as soon as they arrive.
transactions. Also be aware of who is around you, is anyone else listening?
Annual credit bureau report
3. Protection of Information Assets
Credit Bureau Links
Trans Union – www.tuc.com
3. Protection of Information Assets
3. Protection of Information Assets
Have you been a Victim?
You may be a victim if: • You are denied credit.
you do not have or services you did not
authorize.3. Protection of Information Assets
Damages
3. Protection of Information Assets
Good Practices • Photocopy the contents of your wallet/purse.
people who may be trying to scam you look it
up yourself.3. Protection of Information Assets
3. Protection of Information Assets
GLBA requires us to PROTECT CONSUMERS from
substantial harm or inconvenience.
What can we do to guard NPI?
3. Protection of Information Assets
Actions to prevent Others from becoming Victims • Determine what information you need.
3. Protection of Information Assets
3. Protection of Information Assets
Actions to prevent Others from becoming Victims
Remember to always maintain confidentiality, security and integrity : Avoid
3. Protection of Information Assets
General Privacy
information for account verification questions.
when asked for information that is not required to conduct the current business transaction. 3. Protection of Information Assets
3. Protection of Information Assets
What are university assets?
3. Protection of Information Assets
University Assets
Are customer information and records assets?
Safeguarding Information
• Information takes many forms.3. Protection of Information Assets Safeguarding Information Your Role: • Ensure Physical Security.
3. Protection of Information Assets
Safeguarding Information Your role as a user….
What else can you do?
3. Protection of Information Assets
Check your work area!
3. Protection of Information Assets
3. Protection of Information Assets
Safeguarding Information
Your role….The University has many policies and procedures to help you, learn them.
University Regulations & Guidelines related to Safeguarding Standards for University Operations Handbook
3. Protection of Information Assets Potential Damages to Any U.
Georgia Tech accidental release of credit card to the internet cost them over $1,000,000.
3. Protection of Information Assets Expectations
every member of the community to prevent, detect and report the misuse of university assets. 3. Protection of Information Assets
Prevention
3. Protection of Information Assets
3. Protection of Information Assets
Safeguarding customer
information and university assets
is everyone’s job!12/01/1999 3. Protection of Information Assets (25%) 3. Protection of Information Assets
Information Security Management (ISO/IEC 17799:2000) & Certified Risk Analysis Methodology
Management (CRAMM )
ISO - International Standardization
Organization3. Protection of Information Assets
Migrating Migrating
Migrating from compliance with the IM&T
Migrating from compliance with the IM&T
(Info. Management Tech) Security (Info. Management Tech) Security Manual to compliance with BS7799 Manual to compliance with BS7799 Overview Overview
Implementation - assistance available
Implementation - assistance available
3. Protection of Information Assets
What is Information Security
What is Information SecurityManagement (ISM)? Management (ISM)?
An enabling mechanism
An enabling mechanism
whose application ensures that information may
be shared shared in a mannerwhich ensures
the appropriate protection of that information
&
associated information assets
Basic Components
Basic Components
Confidentiality
information from unauthorized disclosure
Integrity completeness of information/data
Availability
associated services are available to users
when required3. Protection of Information Assets
Problem Problem
little or no assurance that such information could or would be safeguarded
computer data exclusion of other forms of information
3. Protection of Information Assets
Code of Practice
Code of Practice
1993
leading UK companies and organizations
produced an ISM Code of Practice - incorporating the best information security practices in general use.Addressed all forms of information computer data, written, spoken, microfiche etc
3. Protection of Information Assets
Code of Practice - Aims
Code of Practice - Aims
A common basis implement, and measure effective information security management practice
Confidence
3. Protection of Information Assets
Balance
Balance
3. Protection of Information Assets
3. Protection of Information Assets
Assets - Examples
Assets - Examples
Information Information Databases, system doc umentation, data files, user manua ls, continuity plans, backup processe s Software Software
Application software, sy
stem software, development tools Physic al Physic al Compu ter equ ipment , magn etic media,
furnitu re, acc ommod ationServices Services Heating, lightin
g, power, air-conditionin g
The Standard
The Standard
of human error, theft, fraud or misuse of
facilitiesunauthorized access, interference to IT services and damage
correct and secure operation of computer and network facilities
3. Protection of Information Assets
The Standard
The Standard
• ………….access to computer systems
program complementing development/maintenance of IT systems
major failures and disasters
requirements a nd ensure the ISMS is operational a
3. Protection of Information Assets
3. Protection of Information Assets
Controls Controls Each of these Categories contains a number of
security controls, mandatory or otherwise, which
can be implemented as part of the information informationsecurity risk management strategy
security risk management strategy
The same controls will not, necessarily apply across The same controls will not, necessarily apply across
the board, owing to the varying nature of
the board, owing to the varying nature of
organizations, risk factors etc
organizations, risk factors etc
The Crux of the Matter
The Crux of the Matter
A
N
D
3. Protection of Information Assets
Risk Analysis
Risk Analysis
risk management strategy be implemented until the risks are identified and measured (that is, analyzed)
CRAMM
3. Protection of Information Assets
CRAMM
CRAMM
CRAMM
3. Protection of Information Assets
CRAMM Version 4.0 CRAMM Version 4.0
Full support for BS7799
AND
3. Protection of Information Assets
Management Framework: ISMS Management Framework: ISMS Step 1 Step 1 Define the Policy Policy Document Policy Document Step 2 Step 2 Define Scope of ISMS Scope of ISMS Scope of ISMS Step 3 Step 3 T. V. I T. V. I . . Undertake RA Information Assets Information Assets Risk Assessment Risk Assessment Step 4 Step 4 Degree of Assurance Degree of Assurance Manage Risk Results & Conclusions Results & Conclusions Control Objectives Control Objectives Required Required Select Control Options Select Control Options
Step 5 Step 5 Additional Controls Additional Controls Select Controls Step 6 Step 6 Statement of Applicability Statement Statement
(NB: Additional controls would incorporate DPA 1998, Caldicott and Info Governance requirements)
(NB: Additional controls would incorporate DPA 1998, Caldicott and Info Governance requirements)
3. Protection of Information Assets
And then……..
And then……..
significant undertaking significant
3. Protection of Information Assets
You are Not Alone
You are Not Alone
organizations (e.g. Acute Trusts)
organizations
implementation process
3. Protection of Information Assets Thanks for Coming! For further information, contact: Dr. A. Rush, Ph.D. arush@Miami.edu 3. Protection of Information Assets