Governance Overview


Course | Time: 8 hours 25 minutes | Difficulty: Advanced | CEU/CPE: 9
Video Transcription

>> Let's begin our next section where we really jump into the specific CRISC domains, and Domain 1 is governance. In this domain, we're going to talk a little bit about what governance is, really understanding the role of governance and who the governing entities are. Then we'll look at GRC, which stands for governance, risk, and compliance. You hear a lot about GRC today because it provides us with a set of standards and principles for effective corporate governance. Now, one of the things that your governing entities are going to be responsible for is setting the direction of the organization, the organizational vision and mission, and then they're going to help us determine a strategy to accomplish our mission.

That's up at the top; that's the responsibility of governance. Then also, usually the way governance determines that we're going to accomplish our strategy is we're going to follow a particular framework. Whether it's the NIST framework or the COBIT framework, or whatever the framework is, senior leadership is going to choose the framework that we're going to adhere to. Then we need a security program that will help us accomplish, or will fill in the details, if you will, and will describe to us how we're going to accomplish the goals set out in the framework. The strategy is very broad: here's how we get from point A to point B. The framework is going to say, in order to do that, you need to accomplish these goals, and then the program is going to say, well, we're going to accomplish those goals through specific types of controls, whether they're policies, procedures, or administrative controls, technical controls, and physical controls, which are going to be spelled out for us in the information security program. Along with that, we need management for our policies, and we need to talk about what a policy, procedure, standard, and guideline is, and their relevance, because that's really the foundation for our information security program.

We'll also talk a little bit about the roles and responsibilities, because not every organization implements roles and responsibilities the same way. Some organizations may have a CISO, some may not. Some organizations may have the CISO report to the CIO; other organizations may have that as a separate upper-tier role, as a peer of the CIO. We're going to go through and just talk about them in relation to the standards, whether those standards come from NIST or ISO, but the standards that CRISC is going to expect. Then of course, ethics and ethical behavior. We can sum up ethics by saying they have to come from the top. If we want to talk about changing the ethics of individual employees in our organization, changes to ethics, changes to company culture, they are top-down. We'll talk about the ways that we can influence corporate ethics. Then all of these pieces are going to come together to give us a foundation for our information security program. The information security program really provides us with the means of accomplishing our strategy; maybe that's a good way to think about it. That's what we're going to cover. Let's go ahead and jump into governance.

If we first start off by talking about corporate governance, I'd like some of the points that I made here on this slide. Obviously, we'd like ethical corporate behavior, that's always important, but the idea of governance is to create value for all stakeholders, ideally. Not every stakeholder is created equally, but the prioritization of stakeholders, determining stakeholder needs, and again, determining the strategy for how to deliver that value all goes to corporate governance. You can describe corporate governance as the rights and responsibilities among different participants in the corporation. Everybody has rights and responsibilities, but primarily, with governance, we're going to be focusing on the role of the board of directors, senior leadership, which is going to be those C-suite executives, as well as maybe steering committees, and we're going to focus on that upper-level direction of the organization. Down below is the OECD, which is the Organization for Economic Cooperation and Development, and we're going to be hearing from them quite a bit, but corporate governance gives us a set of relationships. Again, here we go: the company's management, board of directors, shareholders, and other stakeholders; it gives us the structure. I don't like to read slides, but I did just want to read some of these key pieces. I think if you're looking for a great definition of corporate governance, it comes to us from the OECD down at the bottom.

Relationships between a company's management, board, stakeholders, and shareholders, providing the structure through which the objectives of the company are set. How do we determine those objectives? They come from stakeholder needs, shareholder needs, customer needs, client needs, but it's up to the governing entities to determine what those needs are and how we'll develop objectives to accomplish those needs. Here we're talking about the upper level of an organization. Again, they make those decisions by talking to our stakeholders and figuring out what value means to each of these stakeholders. These are our business goals, and goals need objectives. Objectives help us accomplish our goals. It's up to senior leadership to choose those based on value delivery to our stakeholders. Now, governance is going to require support, funding, communication, setting up a company culture or developing a company culture; it's going to require oversight and, ideally, transparency. Governing entities are responsible for the direction of the organization and how we function. Now, if we have good, effective corporate governance, then we're ideally going to have good, effective security governance, because security governance is upper-level. Anything with governance in it is going to go to those senior leaders. Anything with the word governance: senior leaders, always think board of directors, think C-suite executives, think steering committees. Security governance needs to be in alignment with corporate governance.

Once again, we come back to the idea that before we can go in and start directing the security department and the security function, we have to first understand the business. I've got to tell you, on the exam, expect numerous questions to focus on ideas like, what's the first thing you need to do when developing a security program? Talk to senior leadership and understand the business, understand the goals and objectives of the business. It always starts with the business. When it comes down to security governance, our job is to understand the business and make sure that our security strategy is in alignment with our corporate strategy.

>> Then risk management, making sure you know what risk management does. Risk management helps us apply our resources in an appropriate fashion. We've only got so much money, so much time, so many employees. We've only got so much we can do to implement security in this environment. Risk management helps us understand what our high-value assets are, what the threats and vulnerabilities are that exist, and then how to protect those assets from the threats and enhance or shore up the weaknesses or the vulnerabilities, so that we can make good business decisions. We spend our resources appropriately. We don't spend too much or too little; we don't impact the function of the business any more than we have to; focus on that trade-off, and that's how we deliver value to the organization. The security team isn't going to bring in profit. We don't get to charge tickets. Hey guys, come in and look at our firewall settings. Everybody, tickets are five bucks apiece, come take a look. We don't bring profit in, but the way we develop, or we deliver, value with security is we reduce loss. What we have to do is we have to start out with thinking of loss in terms of the business: documenting prior losses, looking at our new security endeavors, and examining the reduction in loss that we're going to offer. Basically, what I'm trying to say there is that we need to be able to demonstrate value delivery.

A lot of times in IT we take on an endeavor to take on an endeavor. Well, we need to do this, we need to upgrade our existing infrastructure and we need to bring in a new firewall or new configurations, and that all may be true. But until we start presenting our projects in relation to how we deliver value to the organization, then it's going to continue to appear as that weird department that spends money without bringing money in. Again, we don't bring money in, but we do reduce loss. That's value to the business. So we need to do a better job in IT governance, particularly. When we talk about IT governance, security governance, these governing entities in relation here need to focus on value delivery and proof of value delivery. Again, we'll get there. We've got to manage our resources so we don't put too much money in an area that doesn't warrant it, based on vulnerabilities or threats. We also need to measure performance; the performance of the security controls that we put in place. We put everything in place for a reason. What is it? I go out and spend $65,000 on a firewall; was that a good purchase? I don't know. It seems to be working. That's not good enough. That's not something we can take to our stakeholders and say, "Look what a great job we did." We look at the controls, for instance, that we implement in terms of value to the business. Instead of saying we want to reduce external threat, we can talk about: the goal of this firewall is we're going to save the company money, and we're going to do so by reducing the number of man-hours lost due to security issues from external threat, so just something like that. But we need goals and objectives for the controls that we create, and we have to measure to determine if our controls are meeting those goals and objectives. Then integration: we'd like seamless integration with the organization. We don't want security to be thought of as something clunky that everybody has to jump through hoops for; we want it to be a part of normal business operations.

Now, this next slide again focuses on what I was just talking about: performance, and the need to have measuring, monitoring, controlling, and reporting in relation to our security controls, and those security controls should have objectives, where they satisfy a particular business need. High availability, reduction in man-hours lost, any of those business enablers that we associate with security. Measuring: when we talk about measuring, we're collecting data, and when we're collecting data, we're just recording facts. CPU utilization is at 25 percent with a peak of 45 percent and a low of eight percent during these times, whatever; I'm just documenting. Now, monitoring is taking that data and examining it in relation to the objectives. Maybe when I measure, I see that my web server has 97 percent up-time; that's measuring. But looking at the goal and saying, oh, it should have 99.9995 or seven percent up-time, we're actually not meeting our objectives; that's monitoring, that's our expectation versus actual; sometimes we call that variance analysis. Now controlling says, let's make some changes to get back in alignment with where we are supposed to be, and then of course, reporting is where we present that information in a readable, easy to understand format to senior leadership. Now, with all of that, the benefits should be pretty self-explanatory, and again, it's a reduction in loss more than it is a profit, which is another reason sometimes it's hard to get senior management to invest a lot of money, because it's not about profit. We'd like to see those dollars coming in, but reducing loss, compliance, cost saving, reduced risk, better oversight, every one of these benefits we're going to discuss throughout.

Now, I also wanted to mention COBIT, and this will be the first time, but not the only time, I'm going to mention COBIT. COBIT stands for Control Objectives for IT. With COBIT, this is a framework that ISACA has developed, and it's been around for a long time; there have been many iterations of COBIT, but right now they focus on six principles. Notice the first: provide stakeholder value. That's why we're here; customers, clients, board of directors, stockholders, stakeholders, whatever. The idea of a holistic approach: we treat the organization as an integrated system, or set of integrated systems maybe, as a way to say that, but we're all working towards a common goal. We no longer think of IT over here, and then production over there, and then governance; we are part of a body as a whole. Rather than having one department do one framework and this organization has different frameworks and this department, or use information security, here's business security; we're integrated, we're all one working towards a common goal. Governance needs to be dynamic. We need to be able to adapt to existing circumstances as they change, because the only thing constant is change. Governance being distinct from management, meaning your governing entities focus on value delivery. They focus on what we're trying to do. Management provides the how, and that's a big difference; the two should be separate. Governance needs to be tailored for each enterprise. There are no one-size-fits-all solutions, of course. Then end-to-end governance means what our governing entities do, the policies they develop, the strategy that they choose should cover the entire organization. It should be sufficient to provide direction and directives to all elements of the enterprise. That's COBIT. I probably would know those six principles. We're not going to get deep into COBIT; there's another exam for that, if you'd like. But I would know COBIT as one of the frameworks, particularly because it comes from ISACA. In this section, just an understanding and an idea about what governance is, who provides the governance, senior leadership of the organization, and they give us the mission, the vision, the strategy. This information security program is going to fill in the details on how we accomplish that.