CISM

Course
Time
8 hours 39 minutes
Difficulty
Intermediate
CEU/CPE
9

Video Transcription

00:00
is a researcher for the U S. D. O d. We'd send our team members to training and have little to no proof that they had actually learned anything. That's why we built Cyberia for business. We believe that security leaders needed full tracking and transparency and what their team is learning and how well they learned it. We've built the solution to fix a broken industry.
00:18
Thanks for being a valued member of cyber eri
00:22
authentication.
00:24
When we talk about authentication or authenticity, we want to verify the origin.
00:31
So if I go to download a file, I want to be able to verify that file is from who it purports to be. I'm gonna download something from Apple and application and app from Apple. I want to know that it's from a legitimate provider.
00:48
So authentication essentially says You said your apple now prove it. So prove it is the authentication piece.
00:56
Anybody can make a claim. I can claim to be administrator on Lee with authenticity. Do I prove it?
01:03
Hey,
01:03
access control
01:06
now. Earlier, I said things like availability. Make sure the proper the proper people or re sort
01:14
entities on your network have access in a timely fashion.
01:19
Well, it's this idea of the proper people that's regulated by access control, because what we want to make sure of is the proper people have the access they need and the improper people have no access at all
01:33
right, so there's several parts of that.
01:34
Proper people need access,
01:38
what they need access to. But even proper people will get done denied access based on things like Lise privilege and need to know.
01:47
And then we want the wrong people kept out altogether. So that's access control and one of the things that we use for access control. One of the first aspect is often a authentication, like we just talked about a second
02:00
privacy.
02:01
Like we said, privacy and confidentiality may be used together. You'll hear privacy and in regulations. For instance, HIPPA and one of the things about privacy that's included here is that the owner of the information determines how the information is distributed.
02:22
So as a health care patient
02:24
at a doctor's office, it's up to me to determine where my health care information goes. Does it get disclosed to my family to another doctor? So that's tied in with confidentiality. But we would look at that as being sort of that extra piece, really stressing ownership and determining distribution of information
02:44
to go with privacy.
02:46
Okay,
02:46
Not a whole lot of testable differentiation between those terms. Okay, Alright. Non repudiation. Non repudiation really combines authenticity and integrity.
03:00
Okay, so you have to have authenticity and integrity. And when you do, you get non repudiation. And ultimately, what that means is cinder can't dispute having sent the message nor the contents of the message.
03:15
The sender can't dispute having sent the message nor the contents of the message.
03:21
All right? And yeah, I'm thinking about that. In terms of email, it can apply in other situations, toe actions and and, you know, other ideas. But we'll think about it in terms of email. So I can't say, Oh, that message didn't come from me. It must have been spoofed
03:38
or yeah, the message came from a but it's been modified, right? Non repudiation says no. We get proof of origin and a guarantee against modification, non repudiation
03:50
and then last but not least, compliance. And it's almost interesting to me that compliance is here. It's kind of on the very last piece and I'm gonna leave it. There is the last piece simply because it's important and it's a good idea to close on. Compliance
04:05
usually is in regard to compliance with company policy
04:11
complaints with processes, compliance with legislation, regulations applicable. Wall
04:18
auditing determines compliance.
04:23
So when you think compliance, the way I know you're within compliance is I audit. And that's an important piece, right?
04:30
Um, now, would it be possible that you're in compliance with policy,
04:38
but you're still not going to be successful?
04:41
And by that I mean, let's say that our network security team has laid out the configurations for various devices. I configure those devices exactly as they have dictated exactly according to policy.
04:56
Is it still possible that I would have a compromise?
04:59
Well, of course it is.
05:00
Does auditing tell me that? Not really, auditing tells me, Am I following policy and my compliance? I would actually have to do penetration, testing or vulnerability assessments. Probably pen testing to determine if policy is successful,
05:18
because I could see a type of question. You know, you want to make sure that your network is configured to appropriately re buff and attack.
05:27
Do you audit or do you pin test?
05:30
Well, you pen test.
05:31
If the question instead Waas, you want to determine if your network is configured according to policy,
05:38
then you do it.
05:39
I hope that makes sense, because that is a difference. You want to understand, You audit for compliance, But the on leeway You really know if you're gonna be successful if you carry out a test,
05:50
All right. Other aspects of information, security, accountability. Like I said before, if you want to see company culture change, start enforcing policy and holding people accountable for their actions. I'm not saying start firing people, but you're opening up files that aren't digitally signed.
06:11
Congratulations.
06:12
You get four hours of social engineering training. I'm holding you accountable for what you do,
06:17
right. So I have to enforce policy. I have to review audits and then I have to act upon
06:26
all right. And how we act upon it is more driven by your organization. But we really do need that enforcement policy. Well, we need oversight. We need support from senior management. We've talked about it. We need the determination of standards we need to understand metrics.
06:43
So ultimately, when we talk about oversight when we talk about prioritization,
06:47
that usually comes from senior management, which are those elements that benefit the organization as a whole?
06:57
A lot of times we in I t we don't see that right. We just think about technology, technology, technology. But I need someone up the business level that will help me determine priorities. Because I t. And I s are just about supporting the business.
07:15
Now that's an idea that's gonna come through this course
07:17
all the way, all the way from beginning to end. We serve the customer,
07:24
and the customer in our case is the business.
07:28
So what that means is our role is to carry out the work that the business determines is necessary.
07:34
So even if there's a conflict in what I think is necessary to protect information, the information older still makes the final decision because they're ultimately the one that's accountable.
07:49
I'm responsible for following what they've determined
07:55
again that accountability and responsibility. That's hard for us because many times we have that idea. You could never have too much security. My job is to secure the organization to minimize threats as much as possible, but the real truth of it is my goal
08:13
is to secure the organization
08:16
in such a way that it aligns with business objectives and supports the mission of the organization.
08:24
That's a big mouthful. Let me summon up by saying the business is my customer.
08:28
They have the ultimate authority.
08:31
Okay, so sometimes we may disagree with what the information owner says, or the system owner or the database owner there. The owner were there. There are customers.
08:43
All right,
08:45
we'll see that multiple times. All right, risk management. Everything starts with risk management. Risk management is the basis for sound decision making.
08:56
Identify your assets. Look, ATT, threats and vulnerabilities.
09:01
Look a controls. Or actually, even before that, look at the, um,
09:05
the potential for los identified controls. Look, ATT. Lost potential versus cost of the control. Give a cost benefit analysis. Make the choice to select a control that has more benefit than cost. Okay, that's what the entire domain to is about. It's about risk management,
09:26
so risk management needs to be incorporated into all our decision making.
09:31
That's up to governments to ensure that risk management is a part of our day to day existence.
09:37
And then, of course, we've got to be in compliance, and that's always gonna be a priority, Usually the top priority for us. So these ideas that were saying here, this all comes from senior management. These elements are all part of information security, governance.
09:54
Okay, so when we talk about governance, we're talking about
09:58
those upper level ideas within my organization that supports the business.
10:05
Senior management determines our general philosophy where we're going, what walls we have to be in compliance with,
10:13
how we're gonna manage risk where our priorities are howto oversee these processes because senior management has the ultimate accountability.
10:22
All right, I get very common idea throughout this course.
10:28
All right? Some additional considerations. When we do, say, information security. Once again, we think about technology. We think about digital information being stored on systems. But remember, information has more than digital formats, right? It could be written. It can be verbal.
10:46
Um, it can be, you know, stored on micro fi *** can be. You know, information exists in all sorts of states.
10:54
So it's every bit as much of an information security breach to have somebody discussing top secret information in a public lounge or a public lobby right That's a huge violation. So we can't just think of things in relation to technical breaches.
11:11
Information security says we're going to secure. We're gonna provide that C I A Triad
11:16
across all areas.
11:18
All right,
11:22
So here's the thing.
11:24
If senior management buy in
11:26
is what's essential to making this whole thing work,
11:31
then how do I get senior management buy in?
11:33
Well, of course, in your management's gonna have buy in. They all understand the importance of information security, and they get the benefit of it.
11:43
I gotta tell you the truth.
11:45
Um, store that's known for selling hardware
11:50
was presented with A with the results from a penetration test performed by third party
11:56
and multiple vulnerabilities were brought to the attention of senior management at this hardware store. And you know what their response was. Essentially,
12:07
we just sell hammers.
12:09
Look, I just sell hammers.
12:11
I don't want to know all of these acronyms. I'm not spending all this time and, you know, ah, bunch of system precautions and a lot of technical devices because technical security can be very expensive. You get a firewall out there 60 $70,000.
12:30
That's tough for CEO
12:31
to swallow because, really,
12:33
if a firewall does its job, senior management probably isn't talking about that firewall every day, right? So we have this money going out, a senior managers, and we may not see that direct return
12:46
right. If nobody's talking about security, that's probably good,
12:52
right? Nobody's aware of security. It's just magically happening and we're protected. It's when everybody's talking about security and how this data breach happened. And what are we missing and all those pieces?
13:03
That's when security's a problem, right? So it's hard for senior management to see that return on investment.
13:11
It's hard for senior management to understand technology that they really want no part off.
13:18
You know, when you have a senior manager senior officer saying, We just sell hammers, they truly do not understand. Nobody sells hammers today without taking money for those hammers. Most of the money that we deal with today has some digital aspect. We're paying with credit.
13:37
We're past the time where we're paying for hammers with
13:39
chains, right? We're paying via credit card. We're paying, you know, with some form of money. And if we don't protect that information, our customer databases are account numbers, then we're gonna get to the point where we can no longer sell hammers because nobody wants to buy from us, I says. A very short sighted view.
14:00
So the question becomes, Well, how do you sell security?
14:03
Two senior officers that don't want to talk about technology or information security. We do that. Stopping the discussion, revolving around acronyms So many times. Technical people like to talk technical stuff. We use a lot of jargon.
14:20
We like the sound smart. So we threw out a lot of acronyms.
14:24
We talk in terms of technology. Senior management understands cost versus benefits.
14:33
They understand return on investment.
14:35
They understand moving things from a capital expenditure to an operational expenditure. And what the pros and cons of that our senior management understands business. Or of course, they should, Right? So when we stopped talking about technology
14:54
and start talking about
14:56
impact to the business now we have seen your management's here, which means we need to talk about things in relation to Okay, we had the security breach, you know. 100 million credit cards were compromised. Our stock dropped by 16% in the quarter following that breach.
15:16
Now, all of sudden, I have seen your management's ear
15:18
because security breaches impact the organization and they do provide a loss. Sometimes if we don't see that immediate return on what we pay out, it's difficult to make the decision. It's upto us asses ums and information security professionals to sell the necessity of information security to senior management.
15:39
Okay, so part of our priority of what we do, we've got to get it right. We've gotta understand this, that information security is on Lee relevant
15:52
as it impacts the business.
15:56
Okay, well, say that again, Information security is on Lee relevant as it impacts the business.
16:03
So all these security breaches wouldn't be a big deal if they didn't impact the business
16:08
customers finding out their information's been breached. They're no longer customers. We have finds that we have to pay for failure to use due care and due diligence. We have loss of confidence. That's how it impacts the business. So I'm not saying information security is an important,
16:27
but I'm saying we have to understand that it's importance comes
16:30
from how it impacts the business. So as Schism Sze, our goal is to develop a strategy and how we're gonna implement
16:41
Hey, so strategy is broad and long term. But once we get to that plan of action, we start getting more and more specific. And that's our role as systems
16:52
first priority.
16:56
And you're gonna see this repeated.
16:57
Understand? We're business driven.
17:00
We're on Lee here to support the organization, and I alluded to this. I want to take just a second, made sure that I was totally clear.
17:11
Cost and benefit.
17:12
There is always a trade off for security.
17:17
There's always a cost. It might be money. Like I said, firewalls might cost you $60,000. That's a lot of money,
17:23
but you're almost assuredly when you change security and you upgrade security, you're going to see things go a little slower. So a decrease in performance with technology. As you add security, you may lose some backwards compatibility
17:40
because the more secured protocols often are not compatible with the less secure protocols.
17:45
Okay, so usability performance, backwards compatibility, user acceptance users hate change.
17:56
So when they were able to do something very quickly without any security checks, and now I come and say it's gonna take you two more minutes to authenticate and to provide the credentials and all these pieces were gonna be met with resistance. That doesn't mean that the payoff
18:14
worth the trade off isn't worth
18:17
the benefit. But it does mean I need to examine,
18:19
because when I get to the point where people are so locked down by security, they can't do their jobs. Or we can't keep people on our staff because we're too difficult environment to work with them
18:33
again, no longer supporting the business. So our first priority is to influence senior management to influence or develop policy and strategy. Really, strategy than your security program, which will include policy, will cover all that
18:49
to provide a means for enforcing. But all of this really should begin in risk management. You can think of a schism. Sze First priority is understanding the business itself and then finding that benefit
19:08
that is worth
19:10
the potential cost cost benefit analysis

Up Next

CISM

Cybrary's Certified Information Security Manager (CISM) course is a great fit for IT professionals looking to move up in their organization and advance their careers and/or current CISMs looking to learn about the latest trends in the IT industry.

Instructed By

Instructor Profile Image
Kelly Handerhan
Senior Instructor