14 hours 39 minutes
now examining the components of an information security framework. We've got your operational elements, these air, the types of things we do day today.
Ah, that would include redundancy and assessment. Lots of other ideas.
Management components that hands on,
um, from functional managers and then support from senior management,
administrative components, your policies and procedures and then educational components. Train your people.
Okay, so from operational components, like we said, you know this These are the day to day things, So identity and access management's really becoming huge, and we'll cover that more depth in just a little bit. But the idea of creating an account
managing that account, assigning rights and prevent privileges ensuring you've got single sign on capabilities in your network but now also integrated with cloud service providers becomes an even taller order.
Ah, security and event monitoring and analysis being ableto aggregate information from across your network, making sure we've got patches, but also not just patches, but that we have a patch management strategy and other changes go through change management processes and then configuration management
talked about the importance of metrics maintaining our security controls, which means change management if things need to change, but also going back and re evaluating on a regular basis are my controls. Working
incident, response, disposal of data. You know, redundancy isn't even on this list, but redundancies of pieces well, and we could really we've spent all day listening out operational components
now for the management components. That's the tie in between the business and information security, that senior management
getting it, understanding its supporting it,
um providing resource is and
making sure that the right
value is being delivered for the stakeholders by monitoring with the functional managers air doing Are they accomplishing what they've set to do?
Our roles clearly defined because roles often are not clearly defined within an organization. And we've talked about the necessity. It's separation of duties. I look at the rolls in the racing matrix in just a minute.
Ongoing communication with the business units. Feedback. Is it working? Did we make a good choice? And then what can we do about it?
This is a racy matrix and racy stands for responsible, accountable consult and informed.
So when we talk about responsible, these were the ones that have been assigned the task. You're responsible for accomplishing this task
accountable is actually a layer up. Almost wish it was called an Arky matrix just so we could keep it. You know, more together on Lee won accountable per task because they're the ones that have the ultimate accountability for that activity. That action, that task to get accomplished.
So maybe the VP of sales is ultimately accountable.
And they have business making. They have decision making power that the capabilities where sales managers and sales people are going to be responsible.
All right, Consulted
before I make a decision, I consult.
After I made the decision, I inform what the decision Waas. So that's how the elements of a racy matrix, I think that's that's important in management. So I would know this.
All right, administrated components. Okay, so we had operational. We had managerial. Now we have administrative components. These are,
you know, the elements that make the organization work. These are our processes and procedures. How we bring employees on how we terminate how we train. Not just training, but how we train. This encompasses third party governance, um, operational
desires versus security versus overhead,
figuring out total cost of ownership in roo. And I know I'm jumping around a little bit on the slide, but kind of what's coming to my mind. You know, when we talk about implementing security controls and we talk about speaking the business financial, that first bullet point man, that's the business right budget.
Make sure you can support your total cost of ownership as bringing value and a high return on investment to the organization.
And then last but not least, certainly the importance of education and more. More organizations are understanding this, which is why you're seeing such a push for certification. I'm not saying certification means you have everything, but I am saying it's hard to go through a certification program without learning right.
So educational components
and many organizations kind of have an educational structure for their employees. They take steps to make sure that awareness is elevated, and then employees know the right thing to do so. Educational components very important part of our security program