Information Security Program Basics

Time
14 hours 39 minutes
Difficulty
Intermediate
CEU/CPE
13
Video Transcription
>> As an experienced IT leader, getting team members certified has always been a broken process. Expensive training, high failure rates, expensive retakes, that's why we built Cybrary for business. Training labs, practice test software and transparency all in one place. We built the solution to fix a broken industry. Thanks for being a valued member of Cybrary.

>> Information security program concepts. Here we're going to talk a little bit about what is a security program, what its purpose is, and how we use that to implement security on our network. Like we've said, anytime you see something by ISACA, I would probably know that definition pretty well. The goal of this domain: we're going to figure out how to develop and maintain an information security program, but here's where we get what a security program does. It's going to identify, manage, and protect the organization's assets. That shouldn't be anything new because we've talked about that with risk management; start with the assets, while aligning to information security strategy and business goals. We're hearing some repetition there, thereby supporting an effective security posture. Just reading that makes me want to sit up a little straighter, but when we talk about our effective security posture, that's what are we exposed to in relation to risks.

Chief operating officer is a good individual to oversee that. That just sounds like a testable question, because doesn't it seem like your chief information officer or your information security officer? But the idea is we need to make sure that we're satisfying the needs of the business and not just thinking IT security. We also want to make sure that we have a clear path of reporting in such a manner that we wouldn't feel a conflict of interest, so that chief operating officer is going to be a good owner for developing and signing off. They're not going to develop, they're not the ones writing out the policy per se. They're going to take input from the steering committee, from functional managers, but ultimately they sign off.

That information security program is going to balance for us people, technology, and processes. If you think about it, how people access our technology and we manage that is through our processes. This is going to be process focused, but we're also going to look at the technology as well. We're not going to get deep; this is not a technical exam, but we have to examine these elements and we have to remember that the greatest weakness and our weakest link in our organization is our people. How these three elements are going to come together and how we're going to allow our people to access our technologies through our processes is exactly what we're trying to work on here.

When we talk about technology, we're talking about our network structure. We're talking about where we put our firewalls. We're talking about penetration testing, vulnerability assessments. We're talking about secure data disposal, our system event managers; all that technology is just a piece, though. We have to look at training, awareness. Well, those are administrative policies; those are set up in place to deal with our people. Then our processes: risk management training, data classification, those elements that are going to regulate what our people can do with their technology.

Best practices, and I'm not going to read all these to you, but I'll tell you anytime you have best practices, this is the stuff you want to look for when you're getting a multiple-choice question. Sometimes there's something that you don't know exactly the right answer to, so you're trying to figure out which one is more ISACA-ish. I'll tell you best practices: making sure senior management is on board and supportive. I can't tell you how essential that is, because if senior management is only paying lip service to your security programs, you'll never get off the ground. You'll find that it's a half-hearted approach. We've talked about risk management, change management; nothing happens on the fly. All changes have a process before they would be implemented. Change management and configuration management go hand in hand because configuration management is that documentation piece. Continuous audit, and we're always looking. We're monitoring, we're reviewing our logs, we're looking for improper access. We're looking for violation of privileges, but we're also just monitoring the day-to-day activities and making sure that our controls are working as they're supposed to.

Pen testing and vulnerability assessments, so how's that different than an audit? Audit is monitoring the process and measuring compliance to the process. Vulnerability assessments and pen tests: does it work? Because I could be following policy to a T and we can still be compromised. Once you audit, policies are being followed. Now we're going to test to see if they're effective, and that includes the network, devices, applications, all of those pieces. Then the last bullet point here, secure development: design software, the building, the facility, design your network infrastructure, secure by default, nothing gets through except what we're specifically allowing. If that's appropriate depends on the organizational needs, and then integrating security into the design. All important pieces.