A6 Organization of Information Security

00:00

Listen, 11.2

00:02

a six. Organization of information security

00:09

in this lesson will cover an understanding of control, said a six

00:14

and look at some of the documentation that could be used to support your dismiss.

00:22

This control area is one that can assist in assure ensuring that there are structures in place to appropriately manage and support your information security program.

00:33

You're ordered specifically now. Your isom s certification ordered

00:38

will depend on which controls you have marked is applicable in your statement of applicability.

00:47

There are two control sets

00:49

that make up a six,

00:52

the first one being a 6.1 internal organization.

00:58

This consists of five controls

01:00

which are

01:02

a 6.1 point one

01:06

information security roles and responsibilities.

01:10

This control basically stipulates

01:11

that for your information security roles,

01:15

these are formally defined

01:17

and have explicit responsibilities defined

01:22

and allocated to personal.

01:25

A 6.1 point two

01:29

Segregation of duties

01:32

stipulates that appropriate segregation of duties between conflicting or sensitive roles within your organization

01:40

should be enforced.

01:44

A 6.1 point three contact with authorities

01:49

This control stipulates that were appropriate.

01:53

Sufficient contact with authorities

01:57

is in place.

01:59

For example,

02:00

police,

02:02

firefighters

02:07

forensic investigation units

02:10

Whoever needs to support you from a authoritative point of view

02:15

during a cyber security incident.

02:21

A 6.1 point four

02:23

contact with special interest groups.

02:28

This control pertains to maintaining

02:30

contact with groups or forums or other forms off information gathering specific to your industry and cybersecurity as a whole.

02:42

It is a way to use specialized information sources to ensure that you are on the top of your information security game.

02:52

A 6.1 point five

02:55

information security in project management.

03:00

This control stipulates

03:02

that regardless of the project type

03:06

information, security should be included in the project management process.

03:12

Different project projects work with different types of information

03:15

and many stakeholders, so ensuring that information security is appropriately included in your project management processes

03:23

is important.

03:25

The second control set is a 6.2

03:30

which relates to mobile devices and teleworking.

03:37

This consists of two controls,

03:38

the first one being a 6.2 point one.

03:45

The mobile device policy,

03:47

which is in essence a policy that stipulates how your organization manages mobile devices,

03:55

whether you have a company own device policy or a bring your own device policy,

04:01

whatever the case is

04:03

a 6.2 point two

04:06

pretends to teleworking

04:09

on this Control Said stipulates that if your company permits teleworking,

04:15

that the relevant policy and any supporting procedures and guidelines must be established

04:20

to ensure that teleworking is performed in a secure manner.

04:28

So your information security roles and responsibilities are normally documented in your job descriptions,

04:33

vacancy notices, various policies and contracts of employment.

04:43

You can also define roles and responsibilities in a racy matrix

04:47

for your contact with authorities and contact with special interest groups.

04:51

Have a formal document containing contact details,

04:56

business cards, membership certificates,

04:59

diaries of meetings and whatever. This can provide evidence of your professional contacts.