Welcome to the Information Security 101 module of the IT Security course.
My name is [inaudible], and I'll be your instructor for today's session.
So the learning objectives for this module are to understand why information security needs a holistic approach,
to understand that more appliances or more solutions are not directly related to a better information security program or solution, and to identify the needs of a holistic infosec program and which players are actually involved in this process.
So when thinking about your information security program, you should think about an inside-out program, meaning that you have to start at the very core of the problem, which is your personnel. If you don't properly train your personnel, you're basically
throwing away all your solutions, or your future solutions,
because you can implement any top-notch firewall or, you know, an IDS or an IPS, whatever solution you're thinking of. You can implement it, but if you don't train your personnel, they will be hacked. I mean,
people use social engineering nowadays, and that's really easy to use
because it targets a human being. We're trained to help people. So, you know, maybe I'm calling you
saying that I'm your CEO and that I need you to reset my password, and people will believe that. And, you know, you will be hacked. That's the point. So you have to develop an awareness and training program. And who should be attending these programs? Well, everybody,
everybody, I mean from the janitors to the CEO. You just have to keep in mind that you will have to develop different content for different people. For example, you will not be teaching the same content to your IT department
as you will to your finance department or your lawyers.
You will have to develop different content, but the point is that you will have to train and develop an awareness program for everybody.
So the second point, or the next step, is to have governance, and that basically means knowing what you have and how to control it.
And to know what you have, you will have to develop an inventory of assets.
With that, knowing what you have, you can actually know how much it will hurt you, in terms of money,
to lose the data. For example, let's say that you have a database server over here
and you know you have credit cards.
With that you know that you have to be compliant with PCI,
or, for example, do you have medical records? Then you have to be compliant with HIPAA, for example. But let's take credit cards: PCI will charge you a fee if someone hacks your database. But what will happen also to the customers?
Your customers will lose faith in your business, so they may leave.
So that's another thing that will impact you: customers leaving means less revenue,
and your business image will also be impacted. So knowing what you have and how much it will hurt you, then you can start having good governance. So with those terms, you can start creating policies and procedures
to safeguard that information. By the way, what's the difference between a policy and a procedure?
A policy is a more general document that tells you what to do,
and a procedure is a very detailed document telling you how to do it.
So with policies and procedures, you can create your business impact analysis, which is basically knowing how much losing information will hurt you.
And with that, you can actually implement solutions.
The reason why is that, knowing how much it will impact you with the business impact analysis, you can start measuring the probability of an event happening. For example, you have a very old operating system,
and you have it facing the Internet, I mean, in your DMZ, for example. The chances that someone hacks you are very high, because let's say you have a really old, 10-year-old server facing the Internet with no firewall in the middle.
The chances are high that
someone will hack you. It's not a matter of how, but when. So having high risk,
you have to apply solutions to actually reduce that risk
to an acceptable level. There's no such thing as zero risk, unless, of course, you turn off your server. Otherwise you will always have a remaining risk, which is, let's say, right here. So with solutions, what you're looking for is to reduce the highest risk,
because you have a limited budget. You cannot apply all the countermeasures
that cross your mind. So, as I said, you have to apply a firewall to reduce that risk.
With that, you can actually start measuring your solutions with key performance indicators (KPIs) and key risk indicators (KRIs). Key performance indicators: how many times did your ISP stop providing the Internet for you? How many times were you taken down by a denial-of-service attack?
That's a KPI. Okay, but a KRI is directly related to your risk. So you will have a graphic to measure the risk,
whenever it goes up or down relative to your acceptable risk level,
and then you can remediate it. I mean, let's say that a new vulnerability was discovered yesterday, so you can start applying remediations, which is, you know, maybe tightening
the solution or hardening the solutions, maybe applying new rules to your firewalls, new policies, or actually buying new stuff.
The point to remember here is that,
knowing how much it will impact you right here with the business impact analysis, you can start saying, you know what, I don't want to apply a solution that is worth
twice or four times what the loss will be. For example, after you considered the fees from the regulation, losing customers, and losing business image, let's say that the total will be 10K,
and the possible solution to reduce that risk is worth more than that.
It doesn't make sense to apply it. You'd prefer to take the chances with the risk and end up paying the fees and, you know, absorbing the customers leaving your business, and then actually repairing the reputation. But you will only be able to make that decision if you know what you have, in the governance,
and after that, after knowing that you implemented the correct solution with the correct amount of money
that you want to invest in the solution, you're going to start, you know, making your program a continuous improvement,
and how do you close the circle on this?
Information security is an inside-out approach.
Who should be involved in the whole program? Everybody, as we said at the beginning, from the janitors to the CEO. Everybody.
How do we know how much we can spend on an infosec solution? Well, that depends on your business impact analysis and on your cost-benefit analysis:
if the solution is worth... I'm sorry, if you end up losing 10K, as we put in the example before, and your solution is worth 20K, it doesn't make sense; you'd prefer to pay and to absorb the risk of the 10K loss.
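As an added example (not the lecturer's material), here is that cost-benefit decision modelled in Python: the loss components from the business impact analysis, the probability from the risk assessment, and a check of whether a control pays for itself and brings the residual risk down to the acceptable level within the budget. All names, figures and the 80% / 95% reduction values are constructed assumptions; only the 10K loss and 20K solution come from the lecture.

```python
# Added example (not from the lecture): the cost-benefit decision described above,
# modelled as a small risk register. Names, figures and reductions are constructed.
from dataclasses import dataclass

@dataclass
class Impact:
    """Loss components from the business impact analysis, in one currency unit."""
    regulatory_fees: float    # e.g. the fee charged after a card-data breach
    lost_revenue: float       # customers losing faith and leaving
    reputation_repair: float  # cost of restoring the business image

    def total(self) -> float:
        return self.regulatory_fees + self.lost_revenue + self.reputation_repair

@dataclass
class Risk:
    name: str
    impact: Impact
    probability: float  # chance the event happens in the period considered, 0..1

    def expected_loss(self) -> float:
        return self.impact.total() * self.probability

@dataclass
class Control:
    name: str
    cost: float
    reduction: float  # fraction of the probability the control removes, 0..1

def residual_risk(risk: Risk, control: Control) -> float:
    """Expected loss left after the control; it never reaches zero short of unplugging the server."""
    return risk.expected_loss() * (1.0 - control.reduction)

def is_worth_it(risk: Risk, control: Control) -> bool:
    """A control only makes sense if it removes more expected loss than it costs."""
    return control.cost < risk.expected_loss() - residual_risk(risk, control)

def pick_control(risk: Risk, candidates: list, budget: float, acceptable: float):
    """Cheapest affordable control that pays for itself and reaches the acceptable level."""
    ok = [c for c in candidates
          if c.cost <= budget and is_worth_it(risk, c) and residual_risk(risk, c) <= acceptable]
    return min(ok, key=lambda c: c.cost) if ok else None

# Constructed scenario: the 10-year-old server in the DMZ holding card data. "Not if but
# when", so probability is 1.0 and the loss components add up to the lecture's 10K.
LEGACY_DB = Risk("card database on old server", Impact(4000, 4000, 2000), probability=1.0)
GOLD_PLATED = Control("replace the whole platform", cost=20000, reduction=0.95)  # the 20K solution
FIREWALL = Control("firewall in front of the server", cost=3000, reduction=0.8)
```

With these constructed numbers the 20K solution is rejected because it costs more than the loss it avoids, while the cheaper firewall pays for itself and leaves a residual risk that can be compared against the acceptable level.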
What's the difference between a policy and a procedure? Policies are a really general document where you describe the what, and a procedure is a really detailed document where you describe the how.
And what's the difference between a business continuity plan and a disaster recovery plan? Well, basically, disaster recovery is focused on
technology: how can you go back to, you know, selling cars over the Internet, how do you restore your web pages. And the BCP is how you can continue selling those cars without the need of the web page.
I'll close today's brief lecture with this course's key topics: infosec awareness and training programs,
governance, policies and procedures, business impact analysis, business continuity planning, disaster recovery plan, how to decide which is the best infosec solution for your company, and metrics and continuous improvement of the program.
You can start by checking the SANS Top 20 Critical Security Controls. Carnegie Mellon has an excellent post about cybersecurity 101,
the CompTIA Security+ certification is also a good
book to read. And, of course, all the ISO certifications are always good; in this case, Annex A of the
Looking forward, we'll see the three pillars of information security, which are confidentiality, integrity, and availability. Okay. Thank you, everybody, and thanks for watching.