Example of a Management Objective Part 2

Video Transcription
Let's talk about an example of a management objective in this video. We're going to talk about an APO13 management objective example, and we're going to talk about it with respect to process, organizational structures, information, and people, skills and competencies. We're also going to talk about how each component in the goals cascade contributes to the fulfillment of this management objective.
So let's take an example objective from the APO domain.
We'll talk about the 13th objective, which is Managed Security.
The description of this objective is to ensure that an information security management system is implemented within an enterprise, and done so efficiently.
The purpose of this objective is to minimize the impact and occurrence of security incidents, well within the realm of the enterprise's risk appetite levels.
The enterprise goals that support this management objective are to manage business risk and to allow for business service continuity and availability of IT systems, resources and information.
This aligns with the alignment goals of the overall security of information, IT infrastructure and applications, and privacy of data and processes.
Example metrics for the enterprise goal of managed security include the number of customer service or business process interruptions.
An example metric of an alignment goal would be the number of confidentiality-related cyber incidents that caused loss, business disruptions or public embarrassment.
Let's take a look at the first enabler or component of this objective, which is the process.
There are multiple processes within the APO13 objective. We'll take a look at the first process for this management objective, APO13.01.
There are three different process components that relate to this objective.
The three processes are establishing and maintaining an information security management system, defining and managing an information security and privacy risk treatment plan, and monitoring and reviewing the information security management system.
This component's management practice is to establish and maintain an information security management system.
This is to manage the risk of cyber security related incidents and ensure that this risk falls well within the enterprise's risk appetite.
It is to manage the security system and safeguard it against loss of confidentiality, availability, financial loss, and public embarrassment or harm to the business's reputation.
The example metrics for this component can be the level of stakeholder satisfaction with the security plan.
For example, do stakeholders believe this plan will uphold the ideal risk, and should it fall within the acceptable risk level defined by the business?
The activities for this component include defining the scope and boundaries of the ISMS,
defining the management system, aligning it with the overall enterprise approach to the management of security, obtaining management authorization, preparing and maintaining a statement of applicability describing the scope of this system,
defining and communicating security management and the roles involved in it, and communicating the overall approach.
It's important to note the current capability level of the ISMS and related activities
(at what level is the organisation's ISMS already functioning?),
define the capability level, and include it in the governance program documentation.
The related guidance for this process is ITIL version 3 and NIST 800-53 Revision 5, and there is a section for detailed guidance on where to find the specifically defined guidance.
Let's talk about how organizational structures is a component of this management objective.
For the organizational structure, you will relate the key management practice which we discussed earlier in the process component.
The three process components are establishing and maintaining an ISMS, defining and managing an information security and privacy risk treatment plan, and monitoring and reviewing the ISMS.
We will then relate that back to the organizational role and assign who is accountable and who is responsible,
list the organizational structures that will be included in this objective, and the key governance practices of evaluating, directing and monitoring risk management for overall ensured risk optimization.
In this example, the Chief Information Security Officer is accountable for these management practices, and the Chief Information Officer is the one responsible.
You'll also want to lay out related guidance and a detailed reference of where you can find what specifically relates to the accountability and responsibility of key governance practices.
In the information flows and items component of this management objective, we're referring back to the three management practice processes, which are to evaluate and maintain an ISMS, define and manage an information security and privacy treatment plan, and monitor and review it;
correspondingly, we'll have inputs and outputs of information and information flows.
The input for establishing and maintaining an ISMS, or APO13.01, will be the enterprise security approach, and its corresponding output will be the ISMS scope statement, which defines what is in scope and what is out of scope for this security system.
In regards to defining and managing an information security and privacy risk treatment plan, the input will be the gaps and changes required to get to a target capability that is within the risk appetite levels.
Then the output will be an information security risk treatment plan to mitigate those gaps and implement changes.
In relation to monitoring and reviewing the ISMS, the input will be prioritized incidents and service requests.
The output will be an ISMS audit report that continually monitors and reviews enterprise security.
In this component we'll also talk about related guidance and a detailed reference of where to find information that helps with this management objective.
Do you now see how the management practices defined in the process component affect the inputs and outputs that contribute to the overall objective of managing information security?
Let's keep going with people, skills and competencies.
In this component of the governance objective of managing information security, we'll address the skills needed to fulfill the objective.
The skills would be information security and information security strategy development.
As in other places, there's related guidance listed here and the detailed reference
that should be included of where to find specific skills and competencies that relate to supporting this objective.
In this video, we talked about an overview of the management objective APO13 and how process, organizational structures, information, and people, skills and competencies allow for APO13 to be implemented.