NIST SP 800-100: Information Security Handbook: A Guide for Managers

Video Transcription
>> Welcome back to Cybrary. Yes, of course, I'm your instructor, Brad Rhodes. We're going to talk now about NIST 800-100: the Information Security Handbook: A Guide for Managers. Don't have your managers go out and read this; they're going to be bored out of their skull. This, however, you need to know as an ISSE, and if you're prepping for the ISSE exam this is a good final walk-through. I have a printout of it in my office because it is such a great guide.

In this lesson we're going to talk about information security governance components. We're going to talk about the key roles that you should be aware of that you're going to find in this NIST 800-100, and we're going to talk about awareness and training.

Information security governance components. This is really focused on if you are going to work for, say, a US government organization like the military, like the DoD, the Department of Defense, or any federal government organization. You need to understand that in the executive branch, you are going to have to do governance and you're going to have to monitor all of those things here: strategic planning, planning guidance. In the implementation that's going to be monitored, but then the big thing I want you to remember here is that you've got to do good governance because you're going to ultimately have to report out and have external oversight, whether it's the executive branch, the General Accounting Office, and the OMB, the Office of Management and Budget, which works for Congress. You need to understand that if you're doing federal government work, there's going to be governance required. You're going to need to do continuous monitoring and implementation, and then you're going to have to deal with external oversight. That's really not the best way to say it. You're going to have the opportunity to interact with and collaborate with external oversight, because that's just the way it works if you want to work in that space.

There are some key roles you're going to find in this 800-100. One, the agency head. When you think of an agency, you think NASA, the National Aeronautics and Space Administration. The agency head there has a lot of responsibilities when it comes to the information systems. You have a chief information officer and/or a chief information security officer. Some agencies only have a CIO, some have both, a CIO and a CISO, but regardless, those are key roles that you need to be aware of, and that as an ISSE, working as either an actual government employee or as a contractor supporting these organizations, those are key roles you're going to have to interact with. Then the last one there is the enterprise architect, and that's usually the chief designer of a significant enterprise system. In fact, many organizations in the US federal government will have multiple enterprise architects for different systems potentially, or maybe they only have one. It just depends on the agency, and the rules, and regulations, and laws that govern how that agency operates.

Training and awareness. Remember this slide. You've got things that work all the way up from the very beginning of awareness to education, and so there are three levels here. There is security awareness, and that's something that every user should be aware of. Everybody should at least annually do security awareness training. Then we get to the basics and literacy, where all users that have IT systems are getting some real training on what it is that they do. Then we get into functional roles, where we're looking at, "Hey, maybe that person is going to help to acquire a system, maybe that person is going to review and evaluate." Well, we have to provide beginning, intermediate, and advanced level training for that. One of the things that's interesting within the federal government is that they've already built a lot of those capabilities. They're just not well-known, and sometimes they're not well used, and so it's important to know that, and of course education.

When you think about this in the commercial space, you still need to have awareness, training, and education. This flow still works. If you're an ISSE you might get roped into helping to train your users. Let me say something really important here, at least something in my opinion anyways. Users get a bad rap, they really do. Yes, do they click on stuff that they shouldn't? Absolutely. Do they try to install software? Yes, absolutely. But a lot of times that's because they don't have awareness and training, or the awareness and training that was provided to them was so useless that they didn't even pay attention to it. We need to take a large stock in what we do in cybersecurity and InfoSec and make sure that we train our users. We make them aware of what they need to do. We need to turn them into users as a sensor. We want our users to be our first line of defense when it comes to cybersecurity, but at the same time we need to also train and educate our help desk and other folks who interact with users. Not just ignore the users when they bring something up that they think is a problem. We need to validate our users and totally change that construct within the industry, or we're going to continue to see the problems that we do.

In this lesson we talked about NIST 800-100, and we covered specifically information security governance components, which are related to the key roles you should be aware of. We talked about awareness and training, and that NIST 800-100 is a great study point for ISSE as you're doing your final studies before you go sit for the concentration exam. We'll see you next time.