Governance and Enterprise Risk Management

00:02

in this module, we're gonna cover materials and domain to governance and enterprise risk management. We're gonna be talking about higher level, more abstract ways of looking at the business structures Risks,

00:17

liabilities, way to extend governance. Not so much looking at things from a technical lens. So put on your business hat. If you have a suit and tie, break it out. If this isn't your cup of tea, please hang on because it is important information in the CCS K. And you never know when it may be valuable. If you're at a

00:37

smaller employer that needs

00:39

your input on some of the bigger picture thinking. Certainly, if you're a manager or director higher level type individual, this stuff is going to be very pertinent to what you're thinking about. Specifically, we'll talk about governance, basics, tools of cloud governance, how cloud effects, enterprise risk management,

00:58

the effect of service and deployment models, those cloud service in deployment models. How do they affect risk management

01:03

cloud risk tradeoffs And they will look at different tools from the Cloud Security Alliance that you can use yourself to help assess and manage risk for the remainder of this video. I'm going to give you an introduction of governance will talk about its relationship to enterprise risk management, the relationship

01:22

to information risk management and information security.

01:26

Then we'll spend a moment with story time going through a real world example showing why liability cannot be outsourced

01:34

before diving deeper into the content of this section. I have to give you a disclaimer. This is not legal advice. The material is not intended to be legal advice. This section is going to provide you with an overview of a variety of considerations, including legal matters.

01:49

However, you should still contact a license determining whenever you're negotiating a legally binding agreement

01:56

or if you expect you're going to get pulled into civil or criminal proceedings. And, of course, the CCS K itself is not any sort of a legal credential.

02:06

With that out of the way, let's continue

02:08

when you think about risk and governments imagine it and hierarchy at the very top is the corporate governance. This is word from the leaders, right? The mission statement is often pivotal to governance and how they go about structuring policies and other mechanisms internally within the company.

02:28

Sometimes I read these really

02:30

stuffy business books about corporate finance and agendas and establishing things. And in 2010 I remember a book from McKinsey very prominent business consulting firm, and the title was Valuation Measuring and managing the Value of Companies.

02:46

This was the first time that my eyes were really opened

02:50

to a different way of thinking about a company's governance and its agenda being raised in the US I had come to believe that the function of a corporation really was to maximize shareholder value by professional experience was that and what I had seen growing up?

03:07

But this book noted that the Netherlands, Germany and a lot of other countries they place emphasis broader than that

03:15

looking at a broader set of stakeholders, including the employees and the local community. In fact, in 2018 group of about 200 CEOs from the U. S. Came together Amazon, Apple, General Motors and so forth, and they joined a business roundtable. They all signed a statement, and it was a purpose around that

03:34

of extending the goal to bring value to employees,

03:37

customers, suppliers, communities and the environment. Time will tell if the traditional American outlook on just focusing on shareholders and shareholder value gets transformed to meet some of these lofty aspirations that they committed to in the Business Roundtable. But

03:55

this is the kind of thing that is really tenement and cornerstone to governments at the TA highest level. Also, things are gonna be driven by laws, regulations, standards and so forth applicable toe the company in the products and makes I've worked in the healthcare. So obviously regulatory risk, patient safety.

04:14

These are cornerstone pieces of governance and guidance,

04:16

just the underlying ethical moral code that the company is going to navigate forward on.

04:25

So that's at the very top. Below that we have enterprise risk management. So that's the ways we manage the overall risk for the organization. And it gets aligned with the organization's governance and risk tolerance, right? So the things at the top are going to guide the enterprise risk management and then below that we have information risk management, so that covers

04:43

managing the risk to obviously information, including information. Technology

04:47

organizations face all sorts of risks from financial to physical and information is one of the many kinds off risk areas that they need to manage at these lower levels within the Enterprise and then below that We have information security, right? These are the tools and practices to manage the information.

05:05

Security isn't the be all and all of managing information risks.

05:10

Policies, contracts, insurance and other mechanisms also play a major role,

05:15

as can include information security in a digital sense, but also in the physical sense records, physically printed documents, contracts, reports and so forth.

05:26

However, the primary role of information security in the modern days is really focused on the process and controls to protect Elektronik based information and the systems we use to manage and access that information.

05:39

So while we're on the topic of cloud governance,

05:42

one of the key things in the C s a exam and it's something that I personally believe in as well

05:46

is that liability cannot be outsourced.

05:50

So we're gonna talk about other ways to mitigate in, to enforce governance in the complex relationship with the cloud provider and cloud customer. Here I have a few pictures of the recent, fairly recent 2018 scandal all have you regarding Cambridge Analytica and Facebook, right?

06:10

Cambridge Analytica harvested information about a variety of Facebook users and used that information in ways to target those users and

06:18

and invoked them to certain actions, which some say ultimately affected the outcome of the United States presidential election.

06:29

Facebook did not do this directly, however. They were a conduit in which Cambridge Analytica used and the lack of governance within Facebook. The lack of oversight of the vendors that were using the Facebook platform to collect information. Put Facebook in a very bad situation. And so

06:46

you can see by the look on Mark Zuckerberg's faces. He's sitting in front of the Senate committee that he truly realized

06:53

that liability could not be outsourced. He could have stood up there and said it wasn't us, it was Cambridge Analytica and they did start with that tone. But ultimately they had to turn the corner and deal with liability. So this is an important point, and it's a theme that's gonna come up over and over

07:12

as you're working with your companies and you're contemplating Cloud extending the use of cloud looking at new cloud providers, right? And keep in mind we're talking about cloud providers.

07:20

I'm not just talking about aws azar gz p. We're talking about any sass providers to those SAS sapper applications that are so popular, so easy to set up and get using. It's gonna be a similar situation there. So carry this mentality with you as we proceed through the materials and the remainder of this module.

07:40

So in this video you were introduced to governance mission statement, corporate underlying motivations, how that relates to enterprise risk management, the appetite to assume or or less risk it's gonna be different. Different companies, different industries and then how that further decomposes into information, risk management and information security.

07:59

We closed out talking about Facebook,