Now we've just finished with our section on risk domain to and I cannot stress enough. That risk is the foundation for your security program.
The type of program I implement is gonna be driven by the amount of risks you know, the risk context in which my organization operates. Figuring out what my assets are, What are the threats? What are the vulnerabilities and then implementing of mitigating strategy that makes sense
based on probability and impact.
And, of course, as we continue along, we have to make sure that we monitor risks because the threat landscape is changing all the time.
All right, so that brings us to remain three where we're gonna base, take what we learned in risk, and we're gonna develop our security program, and we're gonna work with managing that. So the security program is really kind of you know, that idea of where the rubber meets the road. So we've talked about concepts we've talked about
a strategy big, long term vision, sort of a road map, if you will.
And now we're gonna take that road map, and we're gonna map it to tangible things that we could do implementations, policies, procedures but then also how that's going to drive our technology. All right, so in this chapter, you can see we get a lot of information to cover. Um, some of the security concepts
not going so basic is the C I. A. Try it,
but talking a little bit about some of the pieces that were trying to address.
All right, then we have our information security frameworks, and we're not gonna look at the time. There are a zillion frameworks, but we will look for just a minute. About 27,000 won. And Kobe.
All right, then. Our information security, architecture. And that's all the elements within our program that interact
that lead us towards a secure environment.
We'll talk about the operations of the security program. There's things we do day in and day out.
Third party governance and third party governance. Now that we're in a world where everything's feels like it's going to the cloud, we really have to understand at a high level cloud functionality. But even more importantly, the essential nature of things like a service level agreement in our contracts.
All right, Well, look at I t service management briefly, You know, we're not gonna get into ite ill, but just kind of some high level stuff.
Control, integration, building security into your designs,
policies, procedure, standards, guidelines mentioned. We're gonna talk about those and those air controls that we consider to be administrative controls because they are the controls that are thus saith the management.
Okay, Um, ultimately, we're looking for certification in accreditation of the elements of our security program so that we could move those into production. And, of course, once they're in production, we're still not done. We've got to continue on with metrics and monetary.