NIST SP 800-100: Information Security Handbook: A Guide for Managers

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or
Sign up with Google
Sign up with Apple
Sign up with Microsoft
View all SSO options

Already have an account? Sign In »

Information Systems Security Engineering Professional (ISSEP)
Course
Time
5 hours 58 minutes
Difficulty
Intermediate
Video Transcription
00:00
>> Welcome back to Cybrary.
00:00
Yes of course I'm your instructor, Brad Rhodes.
00:00
We're going to talk now about NIST 800-100:
00:00
the Information Security Handbook: A Guide for Managers.
00:00
Don't have your managers go out and read this,
00:00
they're going to be bored out of their skull.
00:00
This however you need to know as an ISI,
00:00
and if you're prepping for the ISI exam this
00:00
is a good final walk-through.
00:00
I have a printout of it in
00:00
my office because it is such a great guide.
00:00
In this lesson we're going to talk about
00:00
information security governance components.
00:00
We're going to talk about the key roles
00:00
that you should be aware of that you're going to
00:00
find in this NIST 800-100,
00:00
we're going to talk about awareness and training.
00:00
Information security governance components.
00:00
This is really focused on if you are
00:00
going to work for a say,
00:00
US government organization like
00:00
the military, like the DoD;
00:00
Department of Defense,
00:00
or any federal government organization.
00:00
You need to understand that in the executive branch,
00:00
you are going to have to do
00:00
governance and you're going to have to
00:00
monitor all of those things
00:00
here: strategic planning, planning guidance.
00:00
In the implementation that's going to be monitored,
00:00
but then the big thing I want you to remember
00:00
here is that you got to do
00:00
good governance because you're going to ultimately have
00:00
to report out and have external oversight,
00:00
whether it's the executive branch,
00:00
the General Accounting Office,
00:00
and the OMB: the Office of Management and Budget,
00:00
which works for Congress.
00:00
You need to understand that if
00:00
you're doing federal government work,
00:00
there's going to be governance required.
00:00
You're going to need to do continuous
00:00
monitoring and implementation and
00:00
then you're going to have to deal
00:00
with external oversight.
00:00
That's really not the best way to say.
00:00
You're going to have the opportunity
00:00
to interact with and collaborate with
00:00
external oversight because that's
00:00
just the way it works if you want to work in that space.
00:00
There's some key roles you're going to
00:00
find in this 800-100.
00:00
One, the agency head.
00:00
When you think of an agency, you think NASA;
00:00
the National Aeronautics and Space Administration.
00:00
The agency head there has a lot of
00:00
responsibilities when it comes
00:00
to the information systems.
00:00
You have a chief information officer
00:00
and/or a chief information security officer.
00:00
Some agencies only have a CIO,
00:00
some have both assembled and they have a CSO,
00:00
but regardless those are
00:00
key roles that you need to be aware of and that as an EC
00:00
working as either a an actual
00:00
government employer working as
00:00
a contractor supporting these organization.
00:00
Those are key roles you're going to
00:00
have to interact with.
00:00
Then the last one there is the enterprise architect,
00:00
and that's usually the chief designer
00:00
of a significant enterprise system.
00:00
In fact, many organizations in
00:00
the US federal government will have
00:00
multiple enterprise architects for
00:00
different systems potentially,
00:00
or maybe they only have one.
00:00
It just depends on the agency, and the rules,
00:00
and regulations, and laws that
00:00
govern how that agency operates.
00:00
Training and awareness. Remember this slide.
00:00
You've got things that work
00:00
all the way up from
00:00
the very beginning of awareness to education,
00:00
and so there's three levels here.
00:00
There is security awareness,
00:00
and that's something that every user should be aware of.
00:00
Everybody should have at least annually do
00:00
security awareness training then we get to the basics and
00:00
literacy where all users that have
00:00
IT systems are getting
00:00
some real training on what it is that they do.
00:00
Then we get into functional roles
00:00
where we're looking at, "Hey,
00:00
maybe that person is going to help to acquire system,
00:00
maybe that person is going to review and evaluate."
00:00
Well, we have to provide beginning,
00:00
intermediate, and advanced level training for that.
00:00
One of the things that's interesting within
00:00
the federal government is that they've
00:00
already built a lot of those capabilities.
00:00
They're just not well-known
00:00
and sometimes they're not well
00:00
used and so it's important to
00:00
know that, and of course education.
00:00
When you think about this in the commercial space,
00:00
you still need to have
00:00
awareness, training, and education.
00:00
This flow still works.
00:00
If you're an ISSE you might get robbed in
00:00
to helping to train your users.
00:00
Let me say something really important here
00:00
at least something in my opinion anyways.
00:00
Users get a bad rap, they really do.
00:00
Yes, do they click on stuff that they shouldn't?
00:00
Absolutely. Do they try
00:00
to install so efficient? Yes, absolutely.
00:00
But a lot of times that's
00:00
because they don't have awareness and training,
00:00
or the awareness and training that was provided them was
00:00
so well useless that
00:00
they didn't even pay attention to it.
00:00
We need to take a large stock in what we do in
00:00
cybersecurity and InfoSec and
00:00
make sure that we train our users.
00:00
We make them aware of what they need to do.
00:00
We need to turn them into users as a sensor.
00:00
We want our users be
00:00
our first-line of defense
00:00
when it comes to cybersecurity,
00:00
but at the same time we need to also train
00:00
and educate our help desk
00:00
and other folks and interact with users.
00:00
Not just ignore the users when they
00:00
bring something up that they think is a problem.
00:00
We need to validate our users and
00:00
totally change that construct within the industry,
00:00
or we're going to continue to see
00:00
the problems that we do.
00:00
In this lesson we talked about NIST 800-100,
00:00
and we covered
00:00
specifically information security governance components
00:00
which are related to the key
00:00
roles you should be aware of.
00:00
We talked about awareness and training and that NIST
00:00
800-100 is a great study point for
00:00
ISA as you're doing your final studies before you go
00:00
sit for the concentration exam. We'll see you next time.
Up Next
View All
Instructed By
Brad Rhodes

Brad Rhodes

Head of Cybersecurity, zvelo & Lieutenant Colonel, Cyber Warfare

Instructor
Similar Content
Certified Information Systems Security Professional (CISSP) 2021
Course
Certified Information Systems Security Professional (CISSP) 2021
4.77
CISSP is the basis of advanced information assurance knowledge for information security professionals. Often referred ...
16CEUs
ISC2 CISSP Practice Test: Certified Information Systems Security Professional
Practice Test
ISC2 CISSP Practice Test: Certified Information Systems Security Professional
4.17
There is a growing need for information security leaders who possess the depth of expertise ...
Penetration Testing and Ethical Hacking
Course
Penetration Testing and Ethical Hacking
4.7
To assess the strength of your organization’s cybersecurity posture, you need to gather information, perform ...
7CEUs