Domain 1 Overview and Principles of Information Security


Time
15 hours 43 minutes
Difficulty
Advanced
CEU/CPE
16
Video Transcription
00:01

Let's go ahead and get started with the actual material. We're going to get started with domain 1, which is information security and risk management. This is a great topic to start out with because it really lays the groundwork for everything that we're going to do in the rest of the course. We're going to start off just by talking about the basics, the principles of information security. What we're trying to bring to the table is security administrators and those that have decision-making capabilities in the security world. What are we trying to do? Well, one of the things that we want to influence within our organization is GRC. GRC stands for governance, risk, and compliance. When you think of governance, think senior leadership, and we want to have that influence over senior leadership. We want to make sure our decisions are made based on risk management, and of course, we want to make sure that we're in compliance with laws and regulations.

Well, the way that we do that is we incorporate a security strategy. We have broad long-term vision and strategic direction that we want to have in. We need to have a strategy of accomplishing those goals, and really those goals are going to be accomplished by choosing a security framework, developing a security program, and that program itself is going to be where we incorporate policies, procedures, standards, guidelines, and our controls.

Now, that's the first section where we really just focus on information security as a whole from an enterprise perspective. But because risk is so very significant, we're going to have an entire section devoted to risk management. What we're going to do is we're going to look at the risk management life cycle and talk about what happens at each phase: risk identification, risk assessment, mitigation, and of course, monitoring risk, because you're never done addressing risk within your organization. Now that's going to bring us up to considering regulations and other legal considerations, things like liability, and making sure that we're using due care and due diligence. Then last but not least, a quick shout-out to knowledge transfer. Just that quick acknowledgment of how important it is to train our people, ideally so that we can modify their behavior. Give people the tools that they need to make good decisions based on risk and its management fundamentals.

In our first section, we're going to talk about the principles of information security. One of the main things we'll talk about is the CIA triad: confidentiality, integrity, and availability. Then we'll talk about the roles and responsibilities individuals have within the organization so that we can frame those various roles in relation to security.

What is security and how does this work within an organization? Well, we have three main elements we have to consider. We've got our people, our processes, and our technology. Now, based on our earlier discussion, technology comes and goes. Technology is the icing on the cake, so to speak. Technology comes after people and processes. We have to start with people. We've got to get the right people in the right places at the right time, with the right skills, and the right tools. The greatest weakness for any organization comes from their people, internal users, and only a small fraction of those threats are initiated by people with malicious intent. Most security incidents that stem from internal users are purely accidental. Maybe a user gives out too much information on the phone, or they walk away from their system without logging out, or they let somebody else in on a card swipe. We call that piggybacking. Those are all security issues. We have to make sure our people are trained; we have to be sure that we have created a culture of security. Just a little foreshadowing for what comes later when we talk about governance: culture comes from the top. You cannot build culture from the bottom up. It has to come top down. If we really want a risk-minded, security-minded organization, we have to have that buy-in from senior management.

Then we have our processes. Our processes are going to control how the people interact with technology, and the rules and regulations that really govern and enforce security. We start out thinking about big vision, strategic planning. Then we come down to thinking about frameworks. We'll talk about what frameworks are and how they fit in. But your processes are going to mandate how we approach security in our organization. Then, and only then, after we have people and processes in place, now we can think about the technology. Because without those other two, technology doesn't matter.

This brings us up to the information security triad. We've got confidentiality, integrity, and availability. The most important piece is to realize you will always pay for security. Security will always cost you something. For instance, yeah, security costs money. In a lot of cases, you've got to buy equipment that's secure. You have to install equipment, you have to train your people on security principles, and so on. But that's just a small portion of what security costs. I have to think about almost always the fact that security creates a degradation in performance. Secure environments are slower to move through than unsecure environments. It's easier for me to get in my house if I don't lock the door. I've got to figure out the degree of trade-off I'm willing to make. It's always that balance between the cost of security and the need for performance, usability; sometimes backwards compatibility is a cost of security because older devices may have to be upgraded or they may not work in a secure environment. Whatever your trade-offs are, again, it's all about finding that balance.

Now when we do bring security into an environment, confidentiality, integrity, and availability, these are our concerns. With confidentiality, we want to prevent unauthorized disclosure. Integrity, we want to prevent unauthorized modification. Then, of course, availability means we need timely access to resources.

Now just when it comes to deciding whether or not the security that I choose is appropriate for an organization, this is actually an older document. It's NIST Special Publication 800-12, used to be referred to as generally accepted information security principles. This document has actually been retired, but there are several other documents that have swallowed up some of these principles. The bottom line is, if we're going to implement security, there needs to be a reason. We don't do security for the sake of security. We implement security to support the mission of the organization. Any security element we implement should somehow, in some way, benefit the business. That's what it's all about. We do that based on risk, we do that based on the principles of understanding what just enough security is. Again, that comes down to being based on risk management. We make reasonable approaches to security by, again, trying to walk that line between security and performance.

These are the ideas that we're going to focus on in this chapter. Remember, with security, we always come back to the CIA triad: confidentiality, integrity, and availability. Then in order to put everything in balance, we have our people, processes, and technology that have to be really sorted out in that order. Our people are the base. If we don't have the right people, none of the other stuff matters. But once we bring the right people on board, we train them and give them the right tools, then we focus on the processes that support our people and help them to make good, risk-aware business decisions. Then, and only then, does technology play its rightful part. We can't rely exclusively on technology. The other two elements have to be in place first.