Okay, so we've talked about, sort of, the big picture for the CISM exam and what this course is going to provide us with from an information standpoint. So now we're going to go ahead and get into the material of Domain 1, which is information security governance.
So we're going to start off by defining the learning objectives for this chapter.
And we'll look at those in terms of task and knowledge statements. These task and knowledge statements are ultimately what ISACA says that, at the completion of this chapter, you should be comfortable discussing or working with. So we'll look at those pieces.
And then, of course, for the rest of the module, we're going to sum up and really focus on information security governance. We'll talk about what our role is in relation to governance. As a CISM, our job really is to support the governance function. So we're providing support to senior management.
We are providing risk management. We are influencing the program and our strategies.
We are not performing the work; we are advising. We are influencing policy. But as far as me going downstairs and disabling a user account, that's not going to happen. So on the exam, you really want to stay away from those action items.
You know, a user leaves the organization. What should you do upon termination?
Many people are going to choose, "Hey, go downstairs and revoke his credentials."
But I don't do that. I am a risk advisor. I'm an information security manager.
So in that case, I'm not doing it. I may call the appropriate parties; that would be appropriate.
Making sure that we have policies and procedures in place to revoke the credentials of employees? Yes. As far as actually going in and doing it? That's not my role. Okay, so what are we going to do, and how do we support governance?
I've already mentioned we're going to be influencing the security strategy and the program.
So if we think about strategy, it's a very high-level approach: how am I ultimately going to get from here to there?
Whereas when we look at the program, that's more the how. Let me say that a little bit better. The strategy is broader, and the program is more specific. So, ultimately, we want to improve security through encrypting sensitive data and providing multi-factor authentication, to ultimately reach such-and-such a standard in the field. Right, that's strategy.
Now, how we're going to do that, that's going to be the security program, and that's going to be made up of the policies, procedures, standards and guidelines. The strategy is more the big picture, the what; the program is more the how.
All right. Now, I will tell you, we're going to cover this at a pretty cursory level, because Chapter 3, or Domain 3, is much more in depth about the security program. But we do need to talk about it a little in Domain 1. Roles and responsibilities are really important: who does what?
And, you know, if a difficult decision has to be made, who has the priority?
Evaluating a security program: you never want to implement something without having expectations, right? So if I implement a new security program, my important question to answer is, was it effective? Did it work? And I can't know that without determining metrics ahead of time.
What do I want from this security program?
And then, when it comes down to evaluation, our question becomes, did it meet its objectives? And then reporting and compliance: we talk about providing the information that's necessary for us to determine whether or not our program is effective. And then, last but not least, we'll talk a little bit about ethics, ISACA's code of ethics.
All right, so getting started with our learning objectives. So this is for Chapter 1. What we want to be able to do is understand and support organizational governance, specifically in the realm of information security.
And what we want to be able to do is make good business decisions on how we implement security and what controls we put in place. So we're going to have to be able to justify that.
Now, one of the top priorities will always be maintaining legal and regulatory compliance.
Truth be told, I know that that's not always a top priority for organizations, and I know sometimes organizations actually choose to be out of compliance. Can anybody think of a reason that I, as an organization, might choose to not be in compliance with regulations and laws?
If you got this correct, you may have thought about this: sometimes it's actually more expensive for me to be in compliance than it is just for me to remain non-compliant and pay the fine.
Now, on this test, that will never be the case. Our primary focus will always be maintaining legal and regulatory compliance. We don't want to be found out of compliance. We don't want to be fined.
Okay, but, you know, that's just a little real world versus test world. All right? We're going to talk about prioritization within my organization. How do I know which resources get the top priority? And who makes that decision?
We'll talk about things that influence our organization. Every organization is a little bit different. So if some of you are in the military, surely you can agree that there's a separate culture and a way of doing things when working for the government or the military, compared with how things are done in the private sector, right? So that's going to influence the choices that we make about security.
We want to make sure that we understand the different roles and responsibilities within our organization, and we're going to look at that in the context of separation of duties. I know that many times in the workforce, individuals have more roles, more responsibilities than they should, right? Somebody wears too many hats within the organization. Well, that's a major problem for a lot of reasons. One of those reasons is: what if that poor IT person is not available, and all of a sudden all these different responsibilities are dependent upon that one individual?
So we're missing functionality across many different responsibilities.
But it's an even bigger problem when we're looking at things like conflict of interest. You know, as a network administrator, and I was a network administrator for a long time, I knew I was doing a good job when my phone wasn't ringing.
Nobody's having problems. People are accessing what they want.
But honestly, as a security administrator, my phone should be ringing off the hook.
Ring ring. "Hey, Kelly, I can't seem to change the system date and time on my computer." Oh, yeah, I know.
"Hey, Kelly, I can't access this resource." Good.
Right? As a security admin, we're thinking in terms of being more restrictive and less permissive. So we've got those two particular roles at cross purposes.
And then sometimes, you know, we make the mistake of having roles that could really be a problem as far as reporting, making sure that we report or have a clear pathway to report. So, for instance, if I'm a security auditor, I may not want to report to the director of security, because many times I'm auditing that individual's program.
It's going to be very difficult for me to go to my supervisor and say, "Yeah, this is a mess. This is chaos on wheels."
So we want to make sure that roles and responsibilities are clearly defined and that they're separated as appropriate.
All right, we've already mentioned the importance of metrics. Metrics go hand in hand with determining if the policies and procedures of our security program are effective. Well, the way we know is we have expectations and we measure against them. So that's what we're going to cover in Domain 1.
And this is a very important domain, because everything flows down from governance.
And when we do talk about governance, I want you to think about the upper elements of an organization. Our governing bodies would be the board of directors, would be senior managers. Steering committees generally are considered part of governance. So ultimately everything flows downward.
Your role as a CISM is not going to be as part of governance but as an influencer to governance. We're almost in between senior management and functional managers, essentially, as CISMs, and that can vary from organization to organization. But my job is to influence, provide risk management, input on strategy and input on policy.
Again, I'm not a doer, but I'm not the final decision maker, either.
Okay, tasks. What should I be able to walk out of this chapter and feel comfortable doing? Now, the reality of it is, I'm not expecting you, after an hour's lecture, to go back and write a security policy for a 10,000-employee organization.
But I do expect you to have some ideas about what that policy, or what governance, looks like in that type of environment, and where to go to learn more, right? We want to get you on the pathway, so we'll talk about some frameworks and governance as a whole.
We want to talk about integrating governance of the organization and information security governance. For a long time it was: here's how the company works; here's how the IT department works. And we want to combine those, so the organizational security policy is going to include our information security policy, in kind of that holistic approach.
I'm not going to read every one of these, but I would like you, at the end of the chapter, to maybe even come back and review and make sure that you're confident here. Just a couple of things:
Develop a business case. Everything that we do is about the business. So if you want to sell security to senior management, sell its impact on the business. Don't walk into senior management and start spitting out information security or IT acronyms; go in and talk about cost-benefit analysis, because that's their language.
All right, commitment from senior management: that's what makes change within an organization work. That's what drives culture and ethics, and compliance, basically. So we'll talk about the essential nature of getting buy-in.
Again, the importance of evaluating and monitoring, reporting metrics, making sure we know if our program is effective.
All right, so what do we know? Well, what we'll know is going to be very much what our tasks are aligned with, right? We're going to understand the strategy, how to determine how security and the business align. We'll look at some frameworks. We'll talk about high-level budgetary planning and prioritization, and we'll figure out the different roles within the organization.