CISO Conclusion

00:04

Okay, so we have finished all eight mantra. Lt's of

00:08

the chief information security officer course. And just in reviewing a little bit, we started out with bond one that was very much just overview of what we're trying to do, what we're trying to accomplish. Why what is this is Oh, and why do we need one? So we talked

00:26

You

00:29

Instances is our most valuable asset, and we're seeing instances of that theft that a compromise in on and the tax rates are thes compromises to the tunes of not just millions of dollars. 1,000,000,000

00:49

Shawn to there's losses. Effectively,

00:51

we're gonna need someone from work in the, um, the senior management team in order to be sort of a champion for the world of security. So we need a scissors. Oh, we need information, security at the executive level. Otherwise,

01:08

we'll find that we don't have the support that we need.

01:12

Now we do talk about that senior executive level. We're talking about information, security, governance and making sure that our executives do glee and that they lead by example that they get the security function they develop.

01:27

But processes and procedures will talk about their strategy and their policies in just a few minutes,

01:33

but that senior management is actively involved and has active by and into the security function. And they're gonna, uh, essentially set the tone for the organization. And they're gonna send our direction for how we feel about information, security and what we do about.

01:53

All right, So in understanding information, security, governance, one of the biggest considerations that the governing agencies and the governing individuals were gonna look to is there gonna look to wrists and risk management really is, um, you know, security management really is risk management,

02:12

and we follow the same processes and procedures,

02:15

regardless of the risks. So we start by identifying our assets and figuring out what they're worth.

02:22

Then we look at the potential for loss through qualitative and quantitative analysis and quantitative analysis, ideally, will give us kind of an objective number that we can work with because ultimately what we're gonna do with that value from quantitative analysis is we're gonna let that value in that figure

02:39

goddess inner mitigation strategies.

02:43

We want to make sure that when we implement mitigation strategies, of course that they're cost effective

02:49

now with those mitigation strategies um we look at the potential for loss and then module for we go into developing that strategy where we think about the goals and objectives, What do we want to accomplish? Where do we want to be?

03:05

Right. We talked about that idea of a desire to state What are we ultimately gonna do to get there? And that's where the policies come in. So the policies, they're gonna help us accomplish our stretch

03:16

and look at policies and procedures and standards. And we talked about how these air management directives are. Policies are They're kind of broad in nature, but the standards fill in the details of the policy we talked about how procedures or step by step instructions and then guidelines

03:34

or suggestions for best practices.

03:37

All right, Module six. We went in and talk about some of the technology. And again, a scissor doesn't have to be highly technical, but they do have need to have sort of a working understanding of some of the technologies that are out there in the realm of security as well as some of the principles.

03:53

I like the idea of separation of trust, trusted network from untrusted security mechanisms, that we use within the domain for isolation, like firewalls and routers and screening devices and network address translation will talk about all those different types of technologies.

04:11

We then moved into incident management.

04:14

What happens if we do have these incidents materialize? Well, ideally, were were well prepared. And then we move through the steps of the incident Response life cycle, where we start with preparation and then we move all the way through lessons learned and where we document our results.

04:33

Then finally, we look at our final model, which was business continuity and disaster recovery.

04:40

If you'll recall when we talked earlier about the security Triad, we said confidentiality, integrity and a favorability and that availability element is really gonna be protected by disaster recovery, business continuity, no matter what, we have the means to continue,

05:00

and that's always our goal in supporting the business.

05:02

So I certainly appreciate you taking the time to go through this course with me. We welcome any of your feedback. We always appreciate that. And I hope this was helpful in, uh, for those of you that are looking to move into the management field just to give you a good idea

05:19

of what it's like and what the requirements are for chief information security officers