Information Security Program Stakeholders


Course: 8 hours 25 minutes | Difficulty: Advanced | CEU/CPE: 9
Video Transcription
>> Most of this particular domain has been about risk response. When we talk about our risk response, we're talking about how we're going to mitigate risks. That's what it ultimately comes down to. We have a certain degree of risk, we need to bring it down, and the question is, how? Well, we talked about mitigation and avoidance and transfer, and all those different ideas. But when it really comes down to the action, that's where the information security program comes into place.

With the information security program, we have a desired outcome. We've got to know where we're headed, and that comes from our governing entities that give us the broad-term views. They give us our goals and objectives from a strategic perspective, where we want to be long term, and then they give us a broad strategy on how to get there. We have a desired state; we know where we want to be. Where are we now? That's where we go in and we conduct our assessment. We figure out what our risk profile is, what are the areas where we have sufficient security, what are the areas where we're still left over with risk that's not acceptable? That's our current state, and we perform a gap analysis because we want to figure out how to close that gap between current and desired. I look at where the gaps are, I develop a strategy to close those gaps. Of course, we're conducting risk management throughout the process, and at the end of the day, what does that give me? An information security program. That information security program provides us with the how: how we're going to close that gap between current state and desired state.

What's going to be in the security program? Well, from ISACA, and we always know anything that comes in quotes from ISACA is worth really looking at. ISACA says this program is going to identify, manage, and protect our assets. Well, that sounds pretty good. That's risk management. Identify your assets, manage and protect them while aligning to our security strategy and business goals. Shouldn't be anything new there, we've heard this, and supporting an effective security posture. Our security posture, again, is that amount of risk that we're exposed to in relation to security incidents.

Now, another point here: this is best coordinated by the chief operating officer. That's a little tricky, because most folks say, well, it should go to your chief information officer or your chief security officer. Here's the thing. The chief operating officer is high enough within the organization, for one thing, to have that bird's-eye view so that they can determine what processes have the highest priority, and that's the same as a CIO or CSO, but the focus is on operations, the day-to-day business. The idea is operations keep us going. Security is here to enable operations. It must be in conjunction with providing support for operations, but it's never security above operations. It's the right amount of security to facilitate operations. If you allow the security program to be totally developed by a chief security officer or even a chief information officer, the idea is you're liable to have too much security in the security program. We've already talked about this idea of too much versus just enough security. I never, ever mean shortcut security when I say the right amount of security. But we also don't want too much, because then that brings our operations to a crawl and we can't perform the work of the business. By putting the operating officer as a sponsor of the security program, the idea is that they're better focused to deliver the right amount of security as opposed to all the security in the world, if you know what I mean by that.

Now, the information security program is going to specify our information security architecture. As part of this architecture, we're going to develop artifacts of the details of the security program. These are going to be our policies, procedures, standards, guidelines, directives from leadership. We're going to get some documentation together, and the goal here, we're going to make sure, and that's what we talk about within architecture anyway, is that we have all of these disparate elements working together for a common goal. We want to make sure that our hardware, software, firmware, people, departments, organizations work together to accomplish the business objectives, and we want them to work well together. Another idea with architecture is we want to provide documents that promote consistency throughout the organization. Again, we've already talked about the difficulty with treating IT differently than the rest of the company, that we're not just the hired help but we're part of the business operations; we're there and we're necessary enablers. Making sure that there's consistency throughout the frameworks we use in information technology, as well as other elements of the business, to make sure that security is implemented consistently so that we don't have a spotty approach to how things are going to work. We want to make sure that our resources are used effectively and efficiently. Again, risk management gives us that because it helps us prioritize the risks so that we can direct our resources to those risks with the lowest tolerance. Then, of course, we also want to promote a scalable architecture where we can handle upgrades or we can handle growth. Can we scale up, can we scale down, depending on what the needs are? But these elements are part of an information security architecture.

Now, from there, other pieces of this information security program that we're developing, you can sum it up by saying we have to address three main elements. We have to address our people, our processes, and our technology. If you look at this, if I were to ask you, what's the weak link here: people, processes, technology? I think most of us are going to say people. Now, that's where your weak link is in any security program, in any organization, and that's really true. What can we do to strengthen that link? Training. The critical nature of training can sometimes be overlooked. But when we talk about attacks, like social engineering attacks, when we talk about unintentional security incidents created in-house by a well-meaning employee or accidental security breaches, training is the best way to mitigate those risks. Now, there are other policies. We think about onboarding and off-boarding employees, making sure that we have a way to verify references, verify skill sets and certifications. We make clear that we have a computer ethics policy in place and that it's distributed. We have clearly defined expectations and job descriptions; that's very much part of an information security program. Acceptable use policies, so that employees know how to treat company resources. Performance management is addressed when we talk about reviewing employees and how they perform within the organization. These are controls that we can focus around strengthening our people, making them more security-minded, helping them make more security-aware business decisions. We have to start with the people, because if we don't have the right people in the right environment, none of the other stuff matters, so we start with the people.

The next element that the security program has to address is going to be our processes. Of course, our processes, these are the operational activities, the risk management processes, and these are often documented through policies or other artifacts. But how do we address risks within an organization? Who addresses risks? What are the processes that we have in place? How do we pull a risk team together? How is risk addressed on projects? What processes are there? We need processes; I've listed 10, 15 different processes that have to be addressed. Hopefully, these should all make sense. They're fairly self-explanatory; I'll mention just a couple. But our processes have to be clearly defined, and that's defined through our security program. I will just mention change and configuration management, which go very closely hand-in-hand. The idea is, we don't want changes made to a baseline environment without following a procedure. We don't want users to be able to install applications or make configuration changes to the applications. We don't want hardware manipulated without going through a process. With change and configuration management, and even patch management, what we're looking to promote is security through stability. A consistent, stable environment is much easier to secure than one that's frequently changing. That change management policy, making sure that changes aren't arbitrarily made, is really critical. Data leak prevention is another one listed here. I'll just mention that when we talk about data leakage, a lot of times what we're considering is data being exfiltrated off the network. What do we have in place to prevent sensitive data from being exported up to the cloud or to a device? We have DLP systems in place. Sometimes you'll hear them called data leak prevention systems; they're more commonly known as data loss prevention systems. But what are our processes to prevent that exfiltration? Data classification is another critical one: classifying data. The idea behind classification is that we have to provide the means for determining how to protect data in all of its states and all of its uses. With classification, we start by figuring out what's the value of the asset, what classification should it be assigned based on its value, and then, based on what classification it's assigned, what controls should be implemented to ensure the data is protected accordingly? Like I said, I don't read all these out for you, but those are a couple that I think would be particularly important.

Now we have technology on the end. I'm not going to spend a ton of time here because of the fact that we're going to cover technology in depth in the final domain, domain 4. You can just see some of the areas that we need to make sure that we have addressed in our security policies as far as the actual technology goes. How are we going to detect breaches? How are we going to ensure physical security? How are we going to make sure we have a secure software development life cycle? Those pieces are part of technical controls. At the end of the day, what we want from our security program is we want tangible controls that we can put in place in order to protect those assets.