Part 9 - Frameworks and Senior Management's Role


12 hours 41 minutes
Video Description

This lesson focuses on the security blueprints which are used to achieve security governance, consisting of the following frameworks:
• BS 7799, ISO 17799 and the 27000 series
• COBIT: Control Objectives for Information and Related Technology
• COSO: Committee of Sponsoring Organizations
• OCTAVE
• ITIL: Information Technology Infrastructure Library
Both COBIT and COSO focus on goals for security, whereas ITIL is the standard for best practices in IT services. This unit also covers the Plan-Do-Check-Act (PDCA) model. In addition to these frameworks, participants also learn about the role of senior management in an enterprise, specifically the CEO, CSO and CIO. Finally, the lesson touches upon liability, which is an important consideration when evaluating risk assessment and analysis.

Video Transcription
So after talking about the difference between governance and management, let's go back and focus a little bit on governance. So when we talk about governance, we've already said that's the responsibility of the board under the direction of a chairperson. And it's their responsibility to set the tone of the organization and determine the framework on which the company's gonna operate. The best way to look at this is: the frameworks provide the structure for the organization, the foundation. But every organization implements these frameworks a little bit differently. Now, out of all these, the one that I think is gonna be testable is questions on ISO 27001 and 27002. Okay, there could be just a quick reference to COBIT and COSO, but that's where the organization called ISACA comes in; there are exams on both of those frameworks. So I wouldn't really spend a lot of time there. ITIL, maybe just a buzzword or two. So, as a matter of fact, let's look at the next couple of slides, what you need to know if they were gonna ask you anything about COBIT and COSO.
So COBIT, Control Objectives for IT, and then COSO, Committee of Sponsoring Organizations: think about those in relation to the word goals. Okay, goals. When you see that, that's gonna be COBIT or COSO. Goals for IT is COBIT; goals for the organization as a whole is COSO. And basically what COBIT does is it takes stakeholder needs and maps them all the way down to IT-related goals. You know, this is how to understand what we're striving for. But when we come to something like ITIL or ISO 27001 and 2, this is more of the how, the accomplishing. The phrase you'll always hear with ITIL is IT service management. That's just a dead giveaway, and there are five basic service management publications that are listed here, not testable. Honestly, I would know a buzzword for COBIT and COSO, that buzzword being goals. For ITIL I would know IT service management. For OCTAVE, I would have the phrase self-directed risk assessment. This is a program that essentially allows risk assessment to happen from the inside out, because the folks on the inside of the organization understand the risks the best. That would be the theory, at least, and you'll find identify assets, identify vulnerabilities, risk analysis and mitigation down at the bottom.
I mean, that's exactly what we've already talked about at this point in time with risk management. But where I do think you'll see a question or two from is what formerly was the British Standard 7799. By the way, that's what BS stands for, and I'm sure many of you may have some other ideas, but it actually stands for British Standard, BS 7799-1 and 2. ISO sort of absorbed that; rather than having it be a British standard, the International Organization for Standardization said it was pretty good, let's make some modifications, we'll bring it in and make it an international standard, 17799, and then renamed it once again to ISO 27002, because of the 27000 series; it fit right into that, so to speak, so they made the number match. Ultimately, what this is, is direction on how to plan for, set up, organize, manage, implement and improve an ISMS, an information security management system. It's very much driven by a model called the Plan-Do-Check-Act model. If you're familiar, we'll look at that in just a second. And it references the CIA triad, confidentiality, integrity and availability, and has a series of domains of focus, things like business continuity, asset management, physical security, and, as a matter of fact, a lot of the domains from the ISO 27002 standard you'll see are part of the (ISC)² CISSP exam. Once again, there are two that you would want to know specifically: 27001 and 2. So 27002 is really the best practices; this is the how-to. 27001 is sort of the introduction describing the implementation and the controls. You'll notice up here the Plan-Do-Check-Act is mentioned. There are several others in the 27000 series; out of these, I would know 27005, simply knowing that as an approach to risk management. Don't go any deeper.
Okay, so honestly, what's right here? You know that it's the guidelines, an international guideline on setting up an information security management system, practical advice, whereas COBIT and COSO give us the what, what we're trying to accomplish. ISO 27001 and 2 give us the how. I wouldn't go a whole lot deeper than that.
Now here's the Plan-Do-Check-Act model that I mentioned, and this was made popular by Deming, and you can see Plan, Do, Check, Act. So the idea is we're in a series of processes; security management is not a one-and-done kind of thing. So, for instance, I ask people, is security management a project? Well, it depends on how you define the word project, and the proper definition of a project is that it has something that is finite: it has a beginning and an end, and it produces something unique, whether that's a service, a product or a result. So given the fact that in order to call it a project it has to have a specific start and a specific end, then security management is definitely not a project. When are you done managing security? Risk management: not a project. Business continuity planning is not a project. Writing a business continuity plan is a project. Developing a piece of software is a project. So hopefully you see the difference. That could be something that could be asked or referenced. So, Plan-Do-Check-Act: the bottom line here is we're in a continual state of planning. You know, when are you planning when you're doing security management? All the time. Then we act upon our plans, we check to see if they work, and then we respond. So ultimately, you'll see this Plan-Do-Check-Act model in relation to quality assurance, absolutely, but it's certainly very appropriate with security and risk management as well.
All right, so when we are looking at our approach to security management, there are really two basic approaches. There's top-down and there's bottom-up. Well, top-down is the environment which you wanna work in. A top-down environment means senior management gets it. They understand, they've bought into the security function, they lead the way rather than following. The bottom-up approach is when senior management views the IT staff as a necessary evil. You know, those environments exist. And when does an organization go from bottom-up to top-down? Often after they've had a breach or a compromise. And until senior management does understand the power that IT has to support an organization, and, if IT isn't supported properly, the great amount of damage and loss that can occur, we've gotta start prioritizing IT. We need our senior executives to get on board.
Speaking of those senior executives, who are they? What do they do? So our senior executives are senior managers; these head the management functions. So these are the folks with C's in their job title: CEO, CIO, chief risk officer, chief financial officer, whatever that would be, usually under the leadership of the chief executive officer. They're the ones ultimately responsible for what? So watch for that question: who is responsible for security within an organization? Ultimately, senior management. They're the ones that are held liable. They're the ones who are the ultimate decision makers. Their job is to develop and support the policies. Our job is to follow the policy. Senior management is responsible for supporting the creation and the approval of policies, and for decisions based on risk. Remember, governance will determine our risk appetite; senior management makes sure that we operate within that risk appetite. Also, senior management's gonna help us prioritize the various business functions. You know, I'm in IT, I've always been in IT, therefore I know that IT is the most important business process within an organization. But other people may mistakenly believe their departments are as important. So it takes senior management, who has that bird's-eye view of the organization as a whole. And when we talk about senior management, I mentioned they're ultimately responsible. They're the ones with whom liability lies. Let's talk about liability just for a second.
So let me ask you a question before going into the details of the slide. Let's say that you have a system that's connected to the Internet. Let's say that that system is compromised by an attacker and is used to launch a downstream attack on another organization. And then my question becomes: are you liable? So it's your system, connected to the Internet. It's compromised by an attacker, who launches a downstream attack on another organization, causing thousands of dollars worth of damage. Are you responsible?
The answer is maybe, and honestly, in this class, when I ask you questions, there are three really good answers. Answer one is senior management, answer two is cost-benefit analysis, and answer three is maybe. You pretty much can't go wrong if you're answering from one of those three with what I ask in the class. So the answer here is maybe. Could I be held liable? Sure. Am I guaranteed to be held liable? There are no guarantees. But here's the point I want to make. If I ask you if it's possible to secure a system in such a way that no security breach can possibly happen, that there would be no security breach, is that even possible? No, it's not possible. Well, what do I do then? What can I do? Well, what I can do is I can do what's right. I can follow industry standards. I can follow best practices. I can educate myself. I can implement the appropriate security controls, as I'm advised to do. Long story short, I can use what's called due care and due diligence.
Now, don't take this to law school with you; this is kind of a cheapie definition. But due diligence is the research; due care is the action. Okay, due diligence is the research, due care is the action. So if I can show that I've used due diligence and due care, if I've done what's right, if I've done what's expected, I may be able to avoid being held liable. And one of the things I tell you: you'll never hear me say this is legal and this is not. Laws are frequently changing. There's so much about interpretation, so much at a judge's discretion. So it's very difficult for me to say that. But best practices, you can't go wrong by following. And if they ever ask you a question about culpable negligence, that's a legal term that essentially means it's your fault. Culpable negligence is decided on due care. Have you done the right things? And if not, you're culpably negligent. Another term here is the prudent man rule. It actually did used to be called the prudent man rule. It's been renamed because we're a very politically correct society. It's been renamed the prudent person rule, and it was eventually gonna be named the prudent gender-non-specific individual rule. But the prudent person rule essentially means that you've acted responsibly and cautiously as a prudent person would, based on a judge's discretion. Okay, so again, there's a lot in the air there. But the bottom line is a lot of this class is gonna focus on implementing the best practices, because ultimately we do not want to be found culpably negligent. We want to make sure that we protect the resources that are entrusted to us.