Information security program concept. So here we're gonna talk a little bit about what a security program is, what its purposes are, and how we use that to implement security on our network.
So, like we've said, anytime you see something by ISACA in quotes, I would probably know that definition pretty well.
So the goal of this domain: we're gonna figure out how to develop and maintain an information security program. But here's where we get what a security program does. It's gonna identify, manage, and protect the organization's assets.
That shouldn't be anything new, right? Because we've talked about that with risk management. Start with the asset.
Wow. Aligning to information security strategy and business goals, right? We're hearing some repetition. Thereby supporting an effective security posture. Just reading that makes me want to sit up a little straighter. But when we talk about our effective security posture, that's: what are we exposed to in relation to risks?
The chief operating officer is a good individual to oversee that. That just sounds like a testable question, because doesn't it seem like it'd be your chief information officer or your information security officer? But the idea is we need to make sure that we're satisfying the needs of the business and not just thinking "IT security, IT security." We also want to make sure that we have a clear path of reporting in such a manner that we wouldn't feel a conflict of interest. So that chief operating officer is gonna be a good owner of developing and signing off. Now, they're not gonna develop; they're not the ones writing it out per se. They're there to take input from the steering committee, from functional managers, but ultimately, they sign off.
So that information security program is gonna balance for us people, technology, and processes. So if you think about it, how people access our technology, and how we manage that, is through our processes. So this is gonna be process focused. But we're also gonna look at the technology as well. We're not going to get deep. This is not a technical exam, but we have to kind of examine these elements. And we have to remember that the greatest weakness, the weakest link in our organization, is our people. So how these three elements are gonna come together, and how we're gonna allow our people to access our technologies through our processes, is exactly what we're trying to work on here.
So when we talk about technology, yeah, we're talking about our network structure. We're talking about where we put our firewalls. We're talking about penetration tests and vulnerability assessments. We're talking about secure data disposal, our system event managers, right? All that technology. Just a piece, though. We have to look at training and awareness. Those are administrative policies; those are set up in place to deal with our people. And then our processes: risk management, training, data classification, those elements that are going to regulate what our people can do with their technology.
Best practices. And I'm not going to read all these to you. But I'll tell you, any time you have best practices, this is the stuff you want to look for when you're getting a multiple-guess question. I'm sorry, a multiple-choice question. Sometimes there's something that you don't know exactly the right answer to, so you're trying to figure out which one is more. And I'll tell you, best practices: making sure senior management is on board and supportive. I can't tell you how essential that is, because if senior management's only paying lip service to your security program, you'll never get off the ground, right? You'll find that it's a half-hearted approach.
We've talked about risk management. Nothing happens on the fly. All changes have a process before they would be implemented, and change management and configuration management go hand in hand, because configuration management's kind of that documentation piece.
Continuous audit. And we're always looking: we're monitoring, we're reviewing our logs, we're looking for improper access, we're looking for violation of privileges, but we're also just monitoring the day-to-day activities and making sure that our controls are working as they're supposed to.
Pen testing and vulnerability assessments. So how's that different than an audit? Audit is monitoring the process and measuring compliance to the process. Vulnerability assessments and pen tests: does it work? Because I could be following policy to a T, and we could still be compromised. So once you're auditing that policies are being followed, now we're gonna test to see if they're effective.
Hey, and that includes the network devices, applications, all of those pieces. And in the last bullet point here, secure development: the building, the facility design, your network infrastructure, secured by default. Nothing gets through except what we're specifically allowing, if that's appropriate, right? It depends on the organizational needs. And then integrating security into the design. All important pieces.