CISM

Course
Time
8 hours 39 minutes
Difficulty
Intermediate
CEU/CPE
9

Video Transcription

00:01
Information security program concepts. So here we're gonna talk a little bit about what a security program is, what its purpose is, and how we use that to implement security on our network.
00:15
So, like we've said, anytime you see something by ISACA in quotes, I would probably know that definition pretty well.
00:23
So the goal of this domain, we're gonna figure out how to develop and maintain an information security program. But here's where we get what a security program does. It's gonna identify, manage and protect the organization's assets.
00:38
That shouldn't be anything new, right? Because we've talked about that with risk management. Start with the asset.
00:44
Wow. Aligning to information security strategy and business goals, right? We're hearing some repetition,
00:51
thereby supporting an effective security posture. Just reading that makes me want to sit up a little straighter. But when we talk about our effective security posture, that's what are we exposed to in relation to risks?
01:04
Chief operating officer is a good individual to oversee that. That just sounds like a testable question, 'cause doesn't it seem like your chief information officer or your information security officer? But the idea is we need to make sure that we're satisfying the needs of the business
01:23
and not just thinking
01:25
IT security, IT security. We also want to make sure that we have a clear path of reporting in such a manner that we wouldn't feel a conflict of interest. So that chief operating officer is gonna be a good owner of developing, signing off. Now, they're not gonna develop. They're not the ones writing out
01:45
policy
01:46
per se. They're there to take input from the steering committee, from functional managers, but ultimately, the sign off.
01:53
So that information security program is gonna balance for us
01:57
people, technology and processes. So if you think about it, how people access our technology
02:05
and we manage that is through our processes, so this is gonna be process focused. But we're also gonna look at the technology as well. We're not going to get deep. This is not a technical exam, but we have to kind of examine these elements. And we have to remember that the greatest,
02:22
the greatest weakness, the weakest link
02:24
in our organization is our people. So how these three elements are gonna come together and how we're gonna allow our people to access our technologies through our processes is exactly what we're trying to work on here.
02:38
So when we talk about technology, yeah, we're talking about our network structure. We're talking about where we put our firewalls. We're talking about penetration tests and vulnerability assessments, we're talking about secure data disposal, our system event managers, right?
02:57
All that technology,
02:59
Just a piece, though
03:00
we have to look at training awareness. Well, those are administrative policies, those are set up in place to deal with our people
03:08
and then our processes: risk management, training,
03:13
data classification, those elements that are going to regulate what our people could do with their technology?
03:20
All right,
03:21
Best practices. And I'm not going to read all these to you. But I'll tell you, any time you have best practices, this is the stuff you want to look for when you're getting a multiple guess question. I'm sorry, a multiple choice question. Sometimes there's something that you don't know exactly the right answer to.
03:38
So you're trying to figure out which one is more
03:42
ISACA-ish,
03:44
and I'll tell you best practices. Making sure senior management is on board and supportive. I can't tell you how essential that is, because if senior management's only paying lip service to your security programs, you'll never get off the ground, right? You'll find that it's a half-hearted approach.
04:02
We've talked about risk management,
04:04
change management.
04:05
Nothing happens on the fly.
04:09
All changes have a process before they would be implemented
04:13
and change management configuration management go hand in hand because configuration management's kind of that documentation piece
04:20
Continuous audit. And we're always looking. We're monitoring, we're reviewing our logs, we're looking for improper access. We're looking for violation of privileges, but we're also just monitoring the day to day activities and making sure that our controls are working as they're supposed to.
04:40
Pen testing and vulnerability assessments. So how's that different than an audit?
04:46
Audit is monitoring the process and measuring compliance to the process.
04:54
Vulnerability assessments and pen tests: does it work?
04:57
Because I could be following policy to a T, and we could still be compromised.
05:01
So once you're auditing, yeah, policies are being followed. Now we're gonna test to see if they're effective,
05:09
and that includes the network devices, applications, all of those pieces. And in the last bullet point here, secure development,
05:18
design software.
05:21
The building, the facility, designing your network infrastructure secured by default.
05:29
Nothing gets through except what we're specifically allowing.
05:33
If that's appropriate, right, it depends on the organizational needs
05:38
and then integrating security into the design
05:42
all important pieces.

CISM

Cybrary's Certified Information Security Manager (CISM) course is a great fit for IT professionals looking to move up in their organization and advance their careers and/or current CISMs looking to learn about the latest trends in the IT industry.

Instructed By

Kelly Handerhan
Senior Instructor