NIST SP 800-100: Information Security Handbook: A Guide for Managers
5 hours 58 minutes
Welcome back to CyberRays. This, of course, I'm your instructor, Brad Roads. So we're gonna talk now about NIST SP 800-100, the Information Security Handbook: A Guide for Managers. So don't, don't have your managers go out and read this. They're gonna be bored out of their skull.
This, however, you need to know as an ISSE. And if you're prepping for the ISSEP exam, this is a good final sort of walkthrough. I have a printout of it in my office because it's such a great guide.
So in this lesson, we're gonna talk about information security governance components. We're gonna talk about the key roles that you should be aware of that you're gonna find in this, in this SP 800-100. We're gonna talk about awareness and training.
So, information security governance components. Right. So this is really focused on: if you are going to work for, say, a U.S. government organization, like the military, like the DoD, the Department of Defense, or any federal government organization, you need to understand that in the executive branch, right, you are going to have to do governance, and you're gonna have to monitor all of those things here. Strategic planning, planning guidance, right, and the implementation that's gonna be monitored. Right? But then the big thing I want you to remember here is that you gotta do good governance because you're gonna ultimately have to report out and have external oversight, whether it's the executive branch, the General Accounting Office, and the OMB, the Office of Management and Budget, which works for Congress, right.
You need to understand that if you're doing federal government work, there's gonna be governance required. You're gonna need to do continuous monitoring and implementation, and then you're gonna have to deal with external oversight. And that's really not the right way to say it; you're going to have the opportunity to interact with and collaborate with external oversight, because that's just the way it works, if you want to work in that space.
So there's some key roles you're gonna find in this SP 800-100: the agency head. So when you think of an agency, think NASA, the National Aeronautics and Space Administration. The agency head there has a lot of responsibilities when it comes to the information systems. You have a chief information officer and/or a chief information security officer, right? Some agencies only have a CIO. Some have both; some only have a CISO, right. But regardless, those are key roles that you need to be aware of, and that as an ISSE working as either an actual government employee or working as a contractor supporting these organizations, those are key roles you're gonna have to interact with. And then the last one there is the enterprise architect, and that's usually the chief designer of a significant enterprise system. And in fact, many organizations in, say, the U.S. federal government will have multiple enterprise architects for different systems, potentially, or maybe they only have one. It just depends on the agency and the rules and regulations and laws that govern how that agency operates.
Training and awareness. Remember this line, right? You've got, you've got things that work all the way up from the very beginning of awareness to education. And so there's three levels here, right: there's security awareness, right, and that's something that every user should be aware of. Everybody should, at least annually, do security awareness training.
Then we get to the basics and literacy, where all users, right, that have IT systems, right, are getting some, some real training on what it is that they do. Then we get into functional roles, right, where we're looking at, hey, maybe that person is gonna help to acquire a system. Maybe that person is going to review and validate. Well, we have to provide, you know, beginning, intermediate and advanced level training for that. And one of the things that's interesting within the federal government is that they've already built a lot of those capabilities right there. They're just not well known, and sometimes they're not well used. And so it's important to know that. And of course, the education. When you think about this in the commercial space, you still need to have awareness, training and education. Right? This flow still works. Um, if you're an ISSE, right, you might get roped into helping to train
your users, and let me say something really important here. At least something in my opinion, anyways.
Users, right, get a bad rap. They really do. Um, yes, do they click on stuff that they shouldn't? Absolutely. Um, they try to install stuff they shouldn't? Yes, absolutely.
But a lot of times that's because they don't have awareness and training, right, or the awareness and training that was provided them was so utterly useless that they didn't even pay attention to it. So we need to take, ah, large stock in what we do in cybersecurity and infosec and make sure that we train our users. We make them aware of what they need to do, and we need to turn them into, like, users as a sensor, right. We want our users to be our first line of defense when it comes to cybersecurity, but at the same time, right, we need to also train and educate our help desks and other folks that interact with users, right.
So not just ignore the users when they bring something up that they think is a problem, right? We need to validate our users and totally change that construct within the industry, right, or we're going to continue to see the problems that we do.
So in this lesson, we talked about NIST SP 800-100. Um, that's the way we covered, specifically, information security governance components, which are related to the key roles you should be aware of, right. We talked about awareness and training, and that NIST SP 800-100 is a great study point to wrap up as you're doing your final studies before you go sit for the concentration exam.
We'll see you next time.