Information Security Program
Time
15 hours 43 minutes
Difficulty
Advanced
CEU/CPE
16
Video Transcription
>> In the past, we've talked about information security frameworks. Like we said, those provide us with some broad goals of what we want to accomplish with our information security program. We've got the what, now we need the how, and that's where the information security program comes in. This is how we accomplish our strategy. This is the piece where we really close that gap between current state and desired state.

What we're going to have in our information security program is, this is going to be where we create our policies, procedures, standards, and guidelines. These are our administrative controls that are going to close that gap that we've been talking about. So I'll implement good security policies and procedures and guidelines that make sure that we're adhering to best practices, that make sure we're coming into alignment with our desired state.

We'll also need controls, and our security controls are the ways that we mitigate risk, the ways that we enforce these policies. Our controls, again, can be administrative, technical, or physical. I'll also mention that when we determine our controls, we also have to determine objectives for those controls. We don't implement controls just for the sake of implementing controls; we implement controls with an end result in mind. For instance, I don't go out and spend $50,000 on a firewall without having some expectations for how it will perform. When I do look at mitigating risk, I want to think about the degree to which that risk needs to be mitigated. I can't determine if a control is working if I don't have objectives for that control.

Other elements that are expressed in my security program: I need to have well-defined roles and responsibilities. We want to make sure that no one individual has too much power within an organization, and that can happen. Maybe the chain of command for reporting might indicate some potential conflict of interest. We may have one individual that performs actions that can't be undone. Separation of duties is critically important within an organization, so by clearly defining roles and their responsibilities, and making sure they're separated accordingly. Again, separation of duties is part of a policy, but well-defined roles and responsibilities are essential as well.

Our security program should also provide for third party governance. Whether we're hiring vendors and we're outsourcing work, or maybe I am migrating some resources to the Cloud and I have certain expectations for that Cloud service provider's performance. Third party governance makes sure that we have the right documentation, the right contracts in place, and that we have a way of awarding those procurements. We have to be able to monitor the procurements and make sure that our vendors are meeting their requirements.

One other big piece of our information security program also is a means of certifying and accrediting our products. For instance, when I design a system, I need to know, is it technically sound? Does it provide the security features that it's supposed to? Does it work in a secure fashion in a particular environment? Certification is tied into the security features of the product in a specific environment. If we can say that product does meet those requirements, then the next logical step would be to certify the product. Accreditation means that senior management is going to take on all risks associated with this product. They choose to implement it. That's a decision that has to be made for implementation as well. So before we implement a product, it has to go through certification and accreditation. I'll also tell you that sometimes these terms change a little bit. Certification could also be referred to as assessment of a product, and then accreditation could also be referred to as authorization of a product; just how we refer to certain activities changes throughout the years.

Then the final step of the information security program is making sure that we have a way to make sure people are following the information security program, to make sure we have compliance. Anytime you hear the word compliance, we always think, do I have an audit strategy in place? Do we have a means to ensure we're in compliance with the policies? Are the roles and responsibilities working properly? Do we have compliance with third party governance? Auditing is going to come in at the end here to make sure that we have compliance.

Ultimately, what we said is that the information security program is going to provide the means, the how that we close the gap between our security strategy or our security goals. It's going to be used to close the gap between our current state and desired state, where we are versus where we want to be.