Hey, guys, Welcome to another episode of the S S C P Exam prep series. I'm your host, Peter Simple in
This is the seventh lesson in the second. Do me
so far in the second don't mean we've looked at the code of ethics, which is the standard behavior for all practitioners the C I A triangle, which is the foundation of cybersecurity.
We're thinking a look at security architectures,
which is a framework for building security within systems and look how to control that architecture through managerial, operational and technical controls.
We've looked at system security plans which are detailed documents describing security into given system.
And we've looked at how to build systems securely through secure development.
We've looked at how secure development reduces system vulnerabilities and we looked at how to manage, encrypt and dispose off data and secure proper manner. We've also looked at data of leakage preventive strategy.
Finally, in the second demean in this lesson, we will take a look at management the process off
doing different steps and how to do them properly and security awareness and training. How the more aware you are to a particular security situation, the better off you and your organization will be.
Management is the process of controlling actions of a system.
There are four main different types of management which will be looking at here. These are very important aspects of the system and it's very, very important that each one goose right and smooth
the same way every single time.
The most important kinds of management are released management, which is the release of software from the testing environment to the production
change control management, which determines whether or not controls are still effective and, if not updates the controls so that they are effective
This is the management of configuring software release changes from one version to another.
The last one is patch management, which is the process off handling vulnerabilities by downloading a patch and applying it to your system. For more security.
Management is implemented through the use of policies and procedures off which need to be updated regularly.
Let's take a closer look at release management
released management controls, the release of applications, updates and patches to the production and barb.
This seems to ensure timeliness goals, minimize disruption and issue all proper documentation.
The way. The Ruiz management worse is that it starts out in the testing environment.
Once of release is been configured and put together properly. It is then tested. It is tested to make sure that there are no problems, that all bugs have been found and just to make sure that it does not interfere with any other systems in production.
Once that has been tested, it is now ready for user acceptance. Certain users will get a special version off the release immediately to ensure that it's worth well to ensure that all of the requirements have been there and that it satisfies the problem.
accomplished, it is then packaged up.
Once it is packaged, it is released to the production environment, where it takes over and replaces the old system.
Change controlled management.
So talk about change control management. We need talk about system insurance.
System assurance is the process of validating that existing controls are functioning as expected.
If they are not, then change control comes into play. Change control is the form procedures
that are adopted by an organization to ensure all changes are subject to the appropriate level of management control
What this does is that once
controls are determined to be unsatisfactory, change control happens, which will then update the controls to make them satisfactory. Once again,
change control management seeks to eliminate unauthorized changes and any type of defects if a hacker or someone breaks into the system makes him authorize changes. Change control management will handle that.
If, for whatever reason, security controls are out of date because he system grows and expands, then change control Management can update the security controls to best help. This is the
These are the steps for change controlled management process.
The first step is request submission.
Once a problem has been noticed,
our request for change has been submitted.
Next step is the recording step. All the details are the recording are written down and so they're all in one central location.
the details of this change are analyzed.
They are looked at. They are decided, you know, How will this help or hurt the current system or the way it is now?
Once that want once that is done,
a decision is determined
based on all the information. Ah, yes or no is given
if the approval is through, then the change is granted.
Once the change is done, the changes tracked through completion to ensure that the request has been fulfilled and that the problem has been solved.
There's different operational aspects of the change management process. Now. These are not necessarily official steps in the change man can commit process, but rather these air different things which should be examined and looked at different things that the S s C P practitioner should be aware of.
The first, obviously is request
requests are proposed to a change committee or a group of people who decide the change.
After that, the impact has been assessed. The committee members talk amongst themselves and to determine how this will help or hurt thesis acuity system
and they give an approval or disapproval. So the committee comes together and they most likely take a boot
and that will determine whether or not the change goes through or not.
Once the change goes through, it needs to be built and tested
once it had built and tested.
All security impact assessment risks are determined. This is important step for the SS CP practitioner and that it is their responsibility to ensure that all the security risks
are handled or mitigated in such a way that is not a detriment to the system.
Once the impact assessment has been done, system used users are notified that a change is coming
once they have been notified. The change comes out and little steps the changes not all pushed into the production environment at once, but in a little steps in case there is a bug. Or if a part of the change doesn't work well with the current system configuration
after the change has been implemented, it is then validated. Does the change that has been pushed into production
fulfill the issue that I'll be that originally started the request?
If that is true, then dot and step goes to documentation.
Documentation is the written form a log of the outcome of the system change?
Who's involved in the change mansion process? Well, there's a lot of people involved. Actually, the first and foremost is the change manager.
This is the man who is in charge of updating all of the policies and procedure off change management.
Next is the change control port. This is the group of people who are responsible for approving or disapproving system changes. This is usually upper management.
Next is the project manager. This is the man who
is responsible for the change itself. He manages the budget. The resource is sets at the tasks and find the people who can implement the change.
People who could, in people who can implement the change. Our architects which build
thesis a curettage context and design, and then the engineers and security analysts who develop, build and test all of the system changes.
Once this is done, the change goes back to the customer or whoever is in charge of the system, and they approved the functional changes
that are about to be implemented.
But as person involved in the change controlled management process is the system security officer,
this man is insurers that changes do not have security impacts to the present level of security off the cyst.
In today's lecture, we looked at two different kinds of man released management, which is the process of releasing a new software into the production system
and change management how to update the controls of a security system when the controls are no longer effect.
the process of validating that existing security controls are configured and functioning as expected, both during initial implementation and on an ongoing basis are a system assurance
or D change management.
If you pick a, then you weren't correct. Remember, system assurance is the process that determines whether or not security controls are still effective.
Thanks for watching guys. I really hope you learned a lot in this video, and I'll see you next time.