NIST SP 800-100: Information Security Handbook: A Guide for Managers
Video Transcript
Welcome back to Cybrary. Yes of course I'm your instructor, Brad Rhodes. We're going to talk now about NIST 800-1 :00the Information Security Handbook: A Guide for Managers. Don't have your managers go out and read this, they're going to be bored out of their skull. This however you need to know as an ISI, and if you're prepping for the ISI exam this is a good final walk-through. I have a printout of it in my office because it is such a great guide. In this lesson we're going to talk about information security governance components. We're going to talk about the key roles that you should be aware of that you're going to find in this NIST 800-100, we're going to talk about awareness and training.
Information security governance components. This is really focused on if you are going to work for a say, US government organization like the military, like the DoD; Department of Defense, or any federal government organization. You need to understand that in the executive branch, you are going to have to do governance and you're going to have to monitor all of those things here: strategic planning, planning guidance. In the implementation that's going to be monitored, but then the big thing I want you to remember here is that you got to do good governance because you're going to ultimately have to report out and have external oversight, whether it's the executive branch, the General Accounting Office, and the OMB: the Office of Management and Budget, which works for Congress. You need to understand that if you're doing federal government work, there's going to be governance required.
You're going to need to do continuous monitoring and implementation and then you're going to have to deal with external oversight. That's really not the best way to say. You're going to have the opportunity to interact with and collaborate with external oversight because that's just the way it works if you want to work in that space. There's some key roles you're going to find in this 800-100. One, the agency head. When you think of an agency, you think NASA; the National Aeronautics and Space Administration. The agency head there has a lot of responsibilities when it comes to the information systems. You have a chief information officer and/or a chief information security officer. Some agencies only have a CIO, some have both assembled and they have a CSO, but regardless those are key roles that you need to be aware of and that as an EC working as either a an actual government employer working as a contractor supporting these organization.
Those are key roles you're going to have to interact with. Then the last one there is the enterprise architect, and that's usually the chief designer of a significant enterprise system. In fact, many organizations in the US federal government will have multiple enterprise architects for different systems potentially, or maybe they only have one. It just depends on the agency, and the rules, and regulations, and laws that govern how that agency operates. Training and awareness. Remember this slide. You've got things that work all the way up from the very beginning of awareness to education, and so there's three levels here. There is security awareness, and that's something that every user should be aware of. Everybody should have at least annually do security awareness training then we get to the basics and literacy where all users that have IT systems are getting some real training on what it is that they do.
Then we get into functional roles where we're looking at, "Hey, maybe that person is going to help to acquire system, maybe that person is going to review and evaluate." Well, we have to provide beginning, intermediate, and advanced level training for that. One of the things that's interesting within the federal government is that they've already built a lot of those capabilities. They're just not well-known and sometimes they're not well used and so it's important to know that, and of course education. When you think about this in the commercial space, you still need to have awareness, training, and education. This flow still works. If you're an ISSE you might get robbed in to helping to train your users. Let me say something really important here at least something in my opinion anyways.
Users get a bad rap, they really do. Yes, do they click on stuff that they shouldn't? Absolutely. Do they try to install so efficient? Yes, absolutely. But a lot of times that's because they don't have awareness and training, or the awareness and training that was provided them was so well useless that they didn't even pay attention to it. We need to take a large stock in what we do in cybersecurity and InfoSec and make sure that we train our users. We make them aware of what they need to do. We need to turn them into users as a sensor. We want our users be our first-line of defense when it comes to cybersecurity, but at the same time we need to also train and educate our help desk and other folks and interact with users.
Not just ignore the users when they bring something up that they think is a problem. We need to validate our users and totally change that construct within the industry, or we're going to continue to see the problems that we do. In this lesson we talked about NIST 800-100, and we covered specifically information security governance components which are related to the key roles you should be aware of. We talked about awareness and training and that NIST 800-100 is a great study point for ISA as you're doing your final studies before you go sit for the concentration exam. We'll see you next time.
