5.6 Introduction to Information Security Frameworks - ISO 27002
6 hours 30 minutes
All right. Now, I'm about to impress you all with my psychic abilities.
Every one of you watching this is thinking the exact same thing
you're thinking. But Kelly,
we haven't talked about frameworks yet.
And how can you have CISM without talking about ISO 27001 and COBIT? Well, you are. And look, we have come to the section where we're going to discuss ISO and COBIT.
So how does that play in the context of our security program? Quite honestly, this really goes back to governance, right? And we did talk about it a little bit. So when we talk about the frameworks, governance chooses the frameworks that we use, and then we have to implement them.
ISO 27000, COBIT. COBIT also comes from ISACA. And then there are many, many others. There's SABSA, Zachman, TOGAF. There are others: PCI DSS. There are just a ton of frameworks, right? So we've got to figure out how to implement.
So here's the deal. ISO 27001 is the framework, and 27002 is how to implement it.
Okay, so I would get certified in 27001,
and one of the ways I could accomplish that is following the best practices outlined in 27002.
But I could use COBIT, I could use other things. So just because they're both from ISO does not mean that they have to be exactly the same. And I see that that says IS; that should be ISO, International Organization of Standards. And they just decided that
ISO would be kind of a universal acronym, even though it's International Organization of Standards.
All right, most widely used standard in the world; that's testable.
It's all about the process to develop an information security management program. So when we're looking at that, this framework is gonna be
something that you can use regardless of your industry.
Whereas methodologies are gonna be driven by your business. The methodology is the how;
the framework is gonna provide the structure for the how, if that makes sense. So when we look at ISO 27002, which again is just one way to accomplish the ISO 27001 certification, ultimately,
you know, there are gonna be certain elements:
risk analysis, increased security awareness by training your people, making sure we've got our eyes on continuous improvement, looking at balancing the elements of a business that are so important to us, maintaining compliance, reducing costs. We want to maintain or
gain a competitive advantage in the field.
And right there, process improvement. We can always get better.
So PCI DSS, HIPAA, SOX. All of those other elements will fit on top of this framework, whose ultimate purpose is to get us closer to implementing the CIA within our organization.
Now, there are the codes of practice. These codes of practice will change from time to time. They'll add some. They might look at something that might use dated technology terminology. So if, at the time that you're watching this, maybe they've added one or removed one, it's not like they're gonna say on the exam, "What are the 15 elements of the code of practice?"
But, man, once again just using this like a checklist,
Do I really understand what it means to work with risk assessment? What is a security policy? How's that different from a security strategy, from a security program? So the policy is that broad statement from senior management that is ultimately driven by the vision
and the strategy
that makes it so. We start with strategy and vision; the security policy is part of the security program. That's maybe a better way to say it. All right, so we've got those elements. COBIT now is from ISACA,
so we could probably feel like COBIT has a shot of showing up. But I'll tell you, COBIT is its own certification. COBIT is, um,
a really popular, very successful framework that's out there. Pros and cons of it, of course, and it'll kind of have peaks and valleys. But right now we're on COBIT 5, and again, even if this version changes, you're going to find the heart and soul of COBIT being the same.
And it is exactly like what we've talked about
figuring out what the goals of the enterprise are first and then mapping those enterprise goals all the way down to actionable objectives that we can accomplish
for the purpose of furthering the business. So COBIT 5 has five main principles, 34 processes. Again, I don't really see that going into huge depth. That says COBIT 4; this is an upgraded slide, so essentially COBIT 5.
But we're going to make sure that
stakeholders cannot just get value, but they can see that they're getting value,
right? We're gonna make that transparent to stakeholders. We're gonna figure out how we can satisfy the stakeholders' needs.
We're gonna integrate. We're gonna utilize resources. We're going to incorporate risk management into everything that we do. And this bottom point here, connecting and aligning with other major frameworks. Let's have a common lexicon. Let's stop having
tomato over here, tomahto, potato, potahto.
And we have frameworks that fit together, so that I can be founded on COBIT, but I can still use the PMBOK framework in order to manage a project, right? Without having things be out of line and out of the norm. So once again, what we're going towards is standardization,
organization-wide concepts stemming from the top.
Now, COBIT's five principles: meeting stakeholder needs. There's no coincidence that's the first one. So that's in the back of our mind for everything we do: delivering value, finding out what our stakeholders need. Now, not all stakeholders are created equal. I get that.
But being able to prioritize
and figure out what those needs are, and kind of take the needs and turn them into requirements, because stakeholders need a lot of things. But what are the actual requirements that we're gonna get sign-off on?
Covering the enterprise end to end is gonna be a comprehensive approach to security, like we've talked about. We're gonna make sure that this framework that we use is applied in IT, in risk management, in production, in all of those elements,
applying a single integrated framework; it can move from here to there.
It's built into the organization, holistic in nature.
And one of these pieces that's very interesting is separating out governance from management.
So making sure that governance sticks with their job and management sticks with theirs, that the CEO isn't too hands-on in the how, that they have the people and the processes in place, that they have confidence that what they need to happen at the governance level can be accomplished at the management level.
Isolation, that goes into separation of duties and making sure that we have roles and responsibilities that are clearly defined.