Information Security Program


Course: Time 8 hours 25 minutes | Difficulty: Advanced | CEU/CPE: 9
Video Transcription
>> Now in the past, we've talked about information security frameworks. Like we said, those provide us with some broad goals of what we want to accomplish with our information security program. We've got the what; now we need the how, and that's where the information security program comes in. This is how we accomplish our strategy. This is the piece where we really close that gap between current state and desired state.

Our information security program is where we create our policies, procedures, standards, and guidelines. These are our administrative controls that are going to close that gap that we've been talking about. I'll implement good security policies, procedures, and guidelines that make sure that we're adhering to best practices, that make sure we're coming into alignment with our desired state.

Now, we'll also need controls, and our security controls are the ways that we mitigate risk, the ways that we enforce these policies. Our controls, again, can be administrative, technical, or physical. I'll also mention that when we determine our controls, we also have to determine objectives for those controls. We don't implement controls just for the sake of implementing controls; we implement controls with an end result in mind. For instance, I don't go out and spend $50,000 on a firewall without having some expectations for how it will perform. When I do look at mitigating risk, I want to think about the degree to which that risk needs to be mitigated. I can't determine if a control is working if I don't have objectives for that control.

Other elements that are expressed in my security program: I need to have well-defined roles and responsibilities. We want to make sure that no one individual has too much power within an organization. That can happen. Maybe the chain of command for reporting might indicate some potential conflict of interest. We may have one individual that performs actions that can't be undone. Separation of duties is critically important within an organization. We handle that by clearly defining roles and their responsibilities and making sure they're separated accordingly. Again, separation of duties is part of the policy, but well-defined roles and responsibilities are essential as well.

Our security program should also provide for third-party governance, so whether we're hiring vendors and we're outsourcing work, or maybe I am migrating some resources to the Cloud and I have certain expectations for that Cloud service provider's performance. Third-party governance makes sure that we have the right documentation, the right contracts in place, and that we have a way of rewarding those procurements. We have to be able to monitor the procurements and make sure that our vendors are meeting their requirements.

Another big piece of our information security program is a means of certifying and accrediting our products. For instance, when I design a system, I need to know: is it technically sound? Does it provide the security features that it's supposed to? Does it work in a secure fashion in a particular environment? Now, certification is tied into the security features of the product in a specific environment. If we can say that product does meet those requirements, then the next logical step would be to certify the product. Now, accreditation means that senior management is going to take on all risks associated with this product. They choose to implement it. That's a decision that has to be made for implementation as well. Before we implement a product, it has to go through certification and accreditation. I'll also tell you that sometimes these terms change a little bit, so certification could also be referred to as assessment of a product, and then accreditation could also be referred to as authorization of a product. Just how we refer to certain activities changes throughout the years.

Then the final step of the information security program is making sure that we have a way to make sure people are following the information security program, to make sure we have compliance. Anytime you hear the word compliance, we always think: do I have an audit strategy in place? Do we have a means to ensure we're in compliance with the policies? Are the roles and responsibilities working properly? Do we have compliance with third-party governance? Auditing is going to come in at the end here to make sure that we have compliance.

Ultimately, what we said is that the information security program is going to provide the means, the how, that we close the gap between our security strategy or our security goals; it's going to be used to close the gap between our current state and desired state, where we are versus where we want to be.