00:04
Now, before we get too much deeper into what the role of a chief information security officer is and what they do, let's just talk about some basic principles of security. When we discuss the principles of security, most people will understand we're talking about the CIA: confidentiality, integrity
00:23
and availability, and we'll talk more about this in the next section. But ultimately with confidentiality,
00:29
we want to prevent unauthorized disclosure of information. We want to protect our secrets. We want to keep them secret.
00:36
Then we have integrity, which means if there's any type of modification, whether it's intentional or unintentional, we want to be able to detect that.
00:46
And then last but not least, we want availability: timely access to resources. So what we want to do from a governance perspective is to be able to outline goals in relation to CIA and then ultimately the objectives that will help us attain those goals.
01:03
And anytime we do talk about objectives, we want those objectives to be SMART:
01:08
specific, measurable, attainable, realistic and timely. So when we talk about specific, we don't want a goal, or an objective rather, of improving security,
01:22
because that's very broad. That's very nebulous, right? We want to specifically increase application security. Well, that's a good, you know, that's something that's good to plan for and want.
01:37
But how do I know when I get there? What does it mean to improve application security? Well, that's where the next element,
01:42
measurable, comes in. I have to know when I've gotten there, so to speak. If I have this sort of direction, how will I ever know my destination, or when I've gotten there, if I don't have something tangible?
01:57
So when we talk about our objectives being measurable, there needs to be a way of verifying steps along the way and verifying when we've obtained those goals.
02:07
So we want to decrease malware infestations as detected by our antivirus software. We want a decrease of 5%, something like that. So it's specific to what we're looking for, and it's also measurable. Now, attainable and realistic:
02:25
Is it something that we can do?
02:29
Is that within our reach where we, as an organization, are right now, or is it just unrealistic and unattainable? Those two really go pretty closely together. Is it something we can achieve? Is it something that can be achieved within our realm of possibility?
02:46
And then timely: we would want to set a time frame,
02:49
you know, improving security by 5% as noted by a decrease in malware infections. That's great. But by when? You know, the end of this year, the end of this month, the end of this decade. So we want those objectives to be smart, measurable, attainable,
03:09
and timely. And ultimately, what we want to do is we want to think about the threats that would compromise
03:17
confidentiality, integrity and availability, and that's coming up in the next section.