Introduction

Time: 14 hours 39 minutes
Difficulty: Intermediate
CEU/CPE: 13
Video Transcription
00:01

>> We've talked about big picture for the CISM exam and for what this course is going to provide us with from an information standpoint. Now we're going to go ahead and get into the material of Domain 1, which is information security governance. We're going to start off by defining the learning objectives from this chapter. We'll look at those in terms of task and knowledge statements. These task and knowledge statements, ultimately, this is what ISACA says, that at the completion of this chapter, you should be comfortable discussing or working with. We'll look at those pieces. Then, of course, for the rest of the module, we're going to sum up and really focus on information security governance.

We'll talk about what our role is in relation to governance. As CISMs, our job really is to support the governance functions. We're providing support to senior management. We are providing risk management, we are influencing the program in our strategies, we are not performing the work, we are advising, we are influencing policy. But as far as me going downstairs and disabling a user account, that's not going to happen. On the exam, you really want to stay away from those action items. A user leaves the organization, what should you do upon termination? Many people are going to choose, hey, go downstairs and revoke his credentials. But I don't do that. I am a Risk Adviser, I'm an Information Security Manager. In that case, I'm not doing. I may call the appropriate parties that would be appropriate, making sure that we have policies and procedures in place to revoke credentials of employees. Yes, but as far as actually going and doing, that's not my role.

What are we going to do as a CISM? How do we support governance? I've already mentioned, we're going to be influencing the security strategy and the program. If we think about strategy, it's a very high-level approach. How am I ultimately going to get from here to there? Whereas when we look at the program, that's more of the how. The strategy, let me say that a little bit better, is broader and the program is more specific. Ultimately, we want to improve security through encrypting sensitive data and providing multi-factor authentication to ultimately receive such or such standard in the field, that's strategy. Now how we're going to do that, that's going to be the security program. That's going to be made up of the policies, procedures, standards, and guidelines. The strategy is more about what, big picture. The program is more, how. Now I will tell you, we're going to cover this at a pretty cursory view because Chapter 3 or Domain 3 is much more in-depth about security program, but we do need to talk about it a little in Domain 1.

Roles and responsibilities, really important. Who does what? If a difficult decision is to be made, who has the priority? Evaluating a security program, you never want to implement something without having expectations. If I implement a new security program, my important question to answer is, was it effective? Did it work? I can't know that without determining metrics ahead of time. What do I want from this security program? Then when it comes down to evaluation, our question becomes, did it meet its objectives? Then reporting and compliance, we talk about providing the information that's necessary for us to determine whether or not our program is effective. Then last but not least, we'll talk a little bit about ethics, particularly ISACA's code of ethics.

Getting started with our learning objectives. This is for Chapter 1. What we want to be able to do is understand and support organizational governance specifically in the realm of information security. What we want to be able to do is to make good business decisions on how we implement security and what controls we put in place. We're going to have to be able to justify that. Now, one of the top priorities will always be maintain legal and regulatory compliance. Truth be told, I know that that's not always a top priority for organizations. I know sometimes organizations actually choose to be out of compliance. Can anybody think of a reason that I, as an organization, might choose to not be in compliance with regulations and laws? If you get this correct, you may have thought about cost-benefit. Sometimes it's actually more expensive for me to be in compliance than it is just for me to maintain being non-compliant and paying the fine. Now on this test, that'll never be the case. Our primary focus will always be maintain legal and regulatory compliance. We don't want to be found out of compliance. We don't want to be found liable, but just little real-world test world.

We're going to talk about prioritization within my organization. How do I know which resources get the top priority and who makes that decision? We'll talk about things that influence our organization. Every organization is a little bit different. If some of you were in the military, surely you can agree that there's a separate culture and a way of doing things when working for the government or the military than how things are done in the private sector. That's going to influence our choices that we make about security.

We want to make sure that we understand the different roles and responsibilities within our organization. We're going to look at that in the context of separation of duties. I know that many times in the workforce, individuals have more roles, more responsibilities than they should. Somebody wears too many hats within the organization. Well, that's a major problem for a lot of reasons. One of those reasons is what if that person is not available, and all of a sudden there are all these different responsibilities dependent upon that one individual, so we're missing functionality across many different responsibilities. But it's an even bigger problem when we're looking at things like conflict of interest. As a Network Administrator, and I was a Network Administrator for a long time, I knew I was doing a good job when my phone wasn't ringing. Everything is quiet. Nobody's having problems. People are accessing what they want. But honestly, as a Security Administrator, my phone should be ringing off the hook. Ring, ring. "Hey Kelly, I can't seem to change the system date and time on my computer." "Oh, yeah, I know." Click. "Hey Kelly, I can't access this resource." Good. Click. As a Security Admin, we're thinking in terms of being more restrictive and less permissive. We've got those two particular roles at cross-purpose.

Then sometimes we make the mistake of having roles that could really be a problem as far as reporting, making sure that we report or have a clear pathway to report. For instance, if I'm a security auditor, I may not want to report to the Director of Security because many times I'm auditing that individual's program. It's going to be very difficult for me to go to my supervisor and say, "Yeah, this is a mess, this is chaos on wheels." We want to make sure that roles and responsibilities are clearly defined and that they're separated as appropriate.

We've already mentioned the importance of metrics. Metrics go hand in hand with determining if our policies and procedures, if our security program is effective. Well, the way we know is we have expectations and we measure up against them. That's what we're going to cover in Domain 1. This is a very important domain because everything flows down from governance. When we do talk about governance, I want you to think about the upper elements of an organization. Our governing bodies would be Board of Directors, would be senior managers; steering committees generally are considered part of governance. Ultimately, everything flows downward. Your role as a CISM is not going to be as part of governance, but as an influencer to governance. We're almost in-between senior management and functional managers, essentially as CISMs, and that can vary from organization to organization. But my job is to influence, provide risk management, input on strategy, input on policy. Again, I'm not a doer, but I'm not the final decision-maker either.

Tasks, what should I be able to walk out of this chapter and feel comfortable doing? Now the reality of it is, I'm not expecting you after an hour's lecture to go back and write a security policy for a 10,000-employee organization. But I do expect you to have some ideas about what that policy or what governance looks like in that type of environment and where to go to learn more. We want to get you on the pathway. We'll talk about some frameworks and governance as a whole. We want to talk about integrating governance of the organization and information security governance. For a long time, here's how the company works, here's how the IT Department works. We want to combine those, so that our organizational security policy is going to include our information security policy in that holistic approach.

I'm not going to read every one of these, but I would like you at the end of the chapter, maybe to even come back and review and make sure that you're confident here. Just a couple of things: develop a business case, everything that we do is about the business. If you want to sell security to senior management, sell its impact on the business. Don't walk into senior management and start spitting out information security or IT acronyms; go in and talk about cost-benefit analysis because that's a language everyone understands. Commitment from senior management, that's what makes change within an organization work, that's what drives culture and ethics and compliance, basically. We'll talk about the essential nature of getting buy-in. Again, the importance of evaluating and monitoring reporting metrics, making sure we know if our program is effective.

What do we know? Well, what we'll know is going to be very much what our tasks are aligned with. We're going to understand the strategy, how to determine how security and the business align. We'll look at some frameworks, we'll talk about at a high level budgetary planning and prioritization, and we'll figure out the different roles within the organization.