Organization Defined Variables

00:00

So in less than 2.6, we're gonna talk a little bit more about organization to find variables. We looked at him already, but that's going a little more depth and see how they actually come into play in the security plan.

00:11

So this lesson you learn how to list the types of variables, discuss the reasons why we had the variables and then interpret some of the variable definitions.

00:21

It's an organization to find variable. There are multiple types. There's some technical based ones like we saw in a you control where it said You must have these controls are sorry. You must have these items within the audit log. There's some of the role based. We'll see there's policy based ones

00:40

again. This is your opportunity to tailor the

00:43

security controls to really fit your organization, and that's what this put them there for. So they don't want to say this thing's control must be given by monitor by the specific person that may not work in your organization.

00:58

And again we have the idea of the overlay template. So if you have some authority above you, for example, CNS s instruction or some other community of interest that you have these overlay templates and these templates will define those controls for you If you want to participate in that community interest

01:19

here's an example again, is a lot of text, But just focus on this is a a C one, and you can see this is access control policy. So if you look at the control, it says this or the organization and it goes into the bullets A develops documents and disseminates to

01:36

aye or organ organization to find personnel or roll. So they want you to fill that in because for whatever makes sense for your organization, so develops documents disseminates to isis. So our c i s o or something like that

01:49

again you would you define that beforehand? That's your control. And then the system must implement that. Or if this is a common control, the organization would already do that for you. And if I decide the policy,

02:01

thank you. Get down to be which says reviews and updates the current and then be one is access control policy organization defined frequency and two is access control procedures. Organizations find frequency. So you see here again

02:17

they want you to give you the ability to look at your own policy, develop your own policy. That says, How often am I gonna review and things document of this policy?

02:28

If you only update your policy every step of several years, it would make sense of this, says

02:32

look at it every quarter. Look at a month, a year, like I don't even updated that offense. Why am I looking at it again? This is detailing process of putting the best effort, and Bush Resource is into your