All right, let's go ahead and get more into the meat of the material. We've kind of set up the stage for what the course is gonna be about, what this particular domain is gonna be about. So let's go ahead and get into it. So we start off by looking at the priorities for the CISM candidates. So what this is going to focus on is,
if you're going into an organization, maybe you've gotten a promotion in the organization, or
if you're just trying to wrap your head around, what is a CISM really supposed to do? That's what this next section is about. All right? So, Certified Information Security Manager: probably a good place to start and define what information security is.
So if I were to ask you all just to take a second and think, what is information security, what does it mean to you?
You know, I'm guessing we'd have a lot of different answers, right? Some of you might talk about preventing leaks or breaches of information. Some of you might talk about making sure information doesn't get modified, you know, making sure that it's available to the right people at the right time,
and if you've gone with any of those as kind of your answer,
that really is absolutely true.
And ultimately what we're looking at when we say information security, we generally tend to focus on what we call the CIA triad:
confidentiality, integrity and availability.
So confidentiality is all about preventing unauthorized disclosure.
Prevent unauthorized disclosure. We keep things secret and private. Okay, a lot of times those words will be used interchangeably, and then someone is like, "difference between privacy and confidentiality." That's OK for the purposes of what we're doing here. Confidentiality: we're keeping our secrets secret.
Now integrity means that we want to make sure that our information doesn't get modified. So I want to make sure my audit logs haven't been changed, or if they do get changed, I'm notified. But also think about things like downloading a file from the Internet.
We want to make sure that what I download is what the author
intended, that it hasn't gotten corrupted, that it hasn't gotten infected with some sort of malware. And that's integrity: being able to detect a change.
And then availability, which is the third leg of the CIA triad, means that resources are available as appropriate in a timely fashion.
And a lot of times people don't think about availability. But let me tell you, that can make or break an organization. If you were to think about, you know, Twitter and what would happen to Twitter if they were unavailable for a day, for instance, right?
That would be a huge loss on their end. So availability is important as well.
Now, when we talk about protection of information, here's a word that I want to change here, where it says "is a responsibility of the board of directors." I want you to put something to the effect of "the board of directors and senior management is accountable." Okay.
You know, this bullet point, "protection of information is a responsibility of the board of directors."
I'd rather it say "the board of directors is accountable for the protection of information and assets," maybe, because what we're gonna do a little later on is we're gonna draw a dividing line between accountability and responsibility. Of course, in the real world, we're gonna use those things interchangeably.
But ultimately, when we talk about accountability,
I want you to think about
"the buck stops there," right? So when I say you're accountable, if assets get compromised under your watch, you would be the one we find liable. Now, responsibility. Everybody has responsibilities within the organization. And your responsibility might just be
follow policies, procedures, standards and guidelines
by senior management. Right. So just laying that seed, planting that seed now for accountability versus responsibility.
All right. Now, in addition to the CIA triad, none of this is any good if we don't monitor, if we don't enforce, if we don't develop policies. So here we see oversight.
Well, if you don't oversee a program, if you write a policy and then wander off, people don't follow that policy. Do you ever have that one place when you're driving on the highway that you hit the brakes, or driving in town and you slow down a little bit to 35 miles an hour, which is the speed limit?
And if there's that one space that you immediately think of, my guess is there's a speed trap there where you've gotten a ticket there,
right? So as much as I'd like to believe that all of us drive exactly the speed limit all the time,
in the back of my mind, what I know is
every once in a while I'm gonna creep up one or two miles over the speed limit.
But the places where policy's enforced, I make sure I slow down.
So you want to change the company culture within your organization? You want people to be mindful of policies, and you really want policies followed? You know what you have to do? You have to enforce those policies, and the moment enforcement starts, you will begin to see a change.
So ultimately, what affects culture? Senior management, their buy-in and their enforcement,
that affects culture. And then you know what culture affects? Ethics and behavior.
Because company culture will drive what we do.
So that's one of the most important things you'll hear throughout this course: senior management's involvement and buy-in. Not just lip service, but senior management really getting it and enforcing it.
That becomes essential.
So what I want you to kind of put in the back of your head is a policy is really only as good as its enforcement.
And if you think about that, you probably will agree.
important pieces to consider with information security management. But then down in the little green box, we have a few other things, in addition to the CIA triad, we have to think about. So confidentiality, availability and integrity.