Information Security Program Basics

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »

12 hours 25 minutes
Video Transcription
as an experienced leader. Getting team member certified has always been a broken process. Expensive training, high failure rates, expensive retakes. That's why we built Cyberia for business training, labs, practice test software and transparency all in one place. We built these solution to fix a broken industry.
Thanks for being a valued member of Cyberia
Information security program concept. So here we're gonna talk a little bit about what is a security program, what its purposes and how we use that to implement security on our network.
So, like we've said, anytime you see something by I Sacha in quotes, I would probably know that definition pretty well.
So the goal of this domain, we're gonna figure out how to develop and maintain information security program. But here's where we get what a security program does. It's gonna identify, manage and protect
the organization's assets. That shouldn't be anything new, right? Because we've talked about that with risk management. Start with the assets. Wow. Aligning to information, security strategy and business goals. Right? We're hearing some repetition,
thereby supporting an effective security posture, just reading that makes me want to sit up a little straighter. But when we talk about our effective security posture. That's what are we exposed to in relation to risks?
Chief operating officer is a good individual to oversee that. That just sounds like a testable question, cause doesn't it seem like you're chief information officer or your information security officer? But the idea is we need to make sure that we're satisfying the needs of the business
and not just thinking
I t security I t security. We also want to make sure that we have a clear path of reporting in such a manner that we wouldn't feel a conflict of interest. So that chief operating officer is gonna be a good owner of developing signing off now They're not gonna develop. They're not the ones writing out
the policy
per se there to take input from steering committee from functional managers, but ultimately, the sign off.
So that information security program is gonna balance for us people, technology and processes. So if you think about it, how people access our technology
and we manage, that is through our process is so this is gonna be processed focused.
But we're also gonna look at the technology as well. We're not going to get deep. This is not a technical exam, but we have to kind of examine these elements. And we have to remember that the greatest, the greatest weakness, their weakest link in our organization is our people.
So how these three elements are gonna come together,
and how we're gonna allow our people to access our technologies through our processes is exactly what we're trying to work on here.
So when we talk about technology, yeah, we're talking about our network structure. We're talking about where we put our firewalls. We're talking about penetration, test and vulnerability assessments were talking about secure data disposal, our system event managers, right?
All that technology,
Just the piece, though
we have to look at training awareness. Will those air administrative policies those air set up in place to deal with our people,
and then our processes risk management, training,
data classification, those elements that are going to regulate what are people could do with their technology?
All right, best practices. And I'm not gonna read all these to you. But I'll tell you, any time you have best practices, this is the stuff you want to look for when you're getting a multiple gas question. I'm sorry. A multiple choice question.
Sometimes there's something that you don't know exactly the right answer to. So you're trying to figure out which one is more ice aka ish
and I'll tell you best practices. Making sure senior management is on board and supportive. I can't tell you how essential that is because it's senior management's only playing lip service to your security programs. You'll never get off the ground right. You'll find that it's 1/2 hearted approach.
We've talked about risk management,
change management.
Nothing happens on the fly.
All changes have a process before they would be implemented
and change management configuration management go hand in hand because configuration management's kind of that documentation piece
continuous audit. And we're always looking. We're monitoring we're reviewing Our logs were looking for improper access. We're looking for violation of privileges, but we're also just monitoring the day to day activities and making sure that our controls were working as a CZ. They're supposed to
pen testing and vulnerability assessments. So how's that different than an audit?
Audit? Is monitoring the process and measuring compliance to the process.
Vulnerability assessments in PIN test Does it work
because I could be following policy to A T, and we could still be compromised. So once you're auditing yet, policies were being followed. Now we're gonna test to see if their effect
okay, And that includes the network devices applications. All of those pieces. And in the last bullet point here, secure development
design software.
The building The facility designed your network infrastructure secured by default.
Nothing gets through except what were specifically allowing,
if that's appropriate, right? It depends on the organizational needs and then integrating security into the design
all important pieces.
Up Next