Processes

Time
5 hours 58 minutes
Difficulty
Intermediate
CEU/CPE
6
Video Transcription
>> Welcome back to the Cybrary ISSEP course, I'm your instructor, Brad Rhodes. Let's jump into the processes and things that influence processes as an SE. In this lesson, we're going to talk about organizational authority, we're going to talk about security policies because those influence processes, we're going to talk about software assurance briefly, because that's very important, and we're going to talk about the Cybersecurity Maturity Model Certification, CMMC. This is one that if you're going to work supporting a US government or Department of Defense type organization, CMMC is becoming something you have got to understand as a PC.

Organizational authority is interesting. When you create a system, at some point, somebody has to approve that that system is good to operate. Let's go back to our smartphone example. You build a smartphone, a very complex system. It operates 24/7/365. It has security requirements. It's got user interface requirements. It's got to connect to a cell number. Think of a smartphone as one of the ultimate systems engineering problem sets. Well, at some point, somebody in that organization has to approve that particular model smartphone to go to market. An organizational authority, what I want you to remember, is someone who approves that system to go into operations, and somebody had to make that call. In the commercial world and in industry, that varies by organization. The decision-makers could be your CEO, it could be a CIO, a CSO, an auditing officer, or a privacy officer. It just depends on the organization. It's really interesting today how many, we'll call them C-suite people, think that they have a stake in decisions on systems and putting them into operations. When we go and then look at, say, government systems, if you're talking about, say, the US government, that system is very formalized. There are formal roles that we'll talk about in a later lesson that you're going to need to understand and know, because when we put the system into operations, say for the US Federal Government, that system has to have an ATO, an authorization to operate. That ATO is only going to last for so long and has to be reassessed regularly and re-approved by the organizational authority. From a process perspective, that's one of your jobs as an SE, doing the work to track, say, ATOs.

Security policies. Security policies drive us to the types of processes we need to put in place. We're going to talk a lot throughout the course of our time together about change management. Change management is a huge thing. If you build a complex system, then you just willy-nilly change something and break a bunch of stuff and you didn't do change management, somebody is liable for that and that's a problem. We're going to talk about access control. We are going to talk about data classification, data support and operation; so much of what we do today is data. When you think about processes you do as an SE, you need to understand process flows from data construction, through data protection, to data end-of-life. As an SE, that's engineering. That is literally: what are my requirements for my data? What's the architecture for my data? What is the disposal plan for my data? That whole set of things is done right there. Other policies and things that affect the way we do our processes are NIST, the National Institute of Standards and Technology. If you work for the US government or as a contractor for the US government, you will see those used quite frequently. Then the other thing I want you to keep in mind here is that many times our processes as SEs are influenced by jurisdiction and laws. If you were to operate in, say, California, you have an entirely different set of laws that you have to deal with than, say, Vermont, or, say, over in Europe. The way you do your processes, and how transparent they are, and what they do are definitely going to be tied to the laws, regulations, and rule sets based on the jurisdiction you find yourself in.

Software assurance. We've talked about the system development life cycle as being focused on systems and the systems engineering aspect; well, here we're going to talk real briefly about software assurance. As an SE, you need to have processes in place that help you understand whether you have software deployed in your environment that is free from vulnerabilities. One of the biggest challenges with software today is that when we create software, and anybody can create software, we have not done it securely. In many cases, software is created just to get something to work. You see that a lot in Agile, which is okay, and security is an afterthought. It's bolted on at the end, and ultimately costs a whole heck of a lot more. The definition of software assurance there is from the Committee on National Security Systems, CNSS 4009. This is the one you should understand as an SE, and understand that these standards and requirements are out there, especially if you're working for a government organization.

Finally, we have the CMMC, and that's the Cybersecurity Maturity Model Certification. This is basically demonstrating the maturity of an organization to protect itself from a cybersecurity perspective. It goes from Level 1 to Level 5. Level 5 is clearly the most mature. At Level 0 we've got some practices; say, mid-level, managed, is where we've got some policies and a plan; and then optimizing is where we actually practice and implement the plans, and do the right things, and standardize our documentation across everything. Well, if you are going to be an SE and you're going to work for either a government organization, the United States, or DOD, or whatever the case may be, or you're going to be a contractor working for one of those organizations, you are now required to meet these levels and demonstrate a certain CMMC level. What does this mean? That means that as an SE, you're going to be building the processes that support getting to this, and actually practicing them, but contracts are going to be awarded or not awarded to your organization, if you're a contractor, depending on whether you meet the minimum level specified for that contract. Let's say the government specifies that Level 3 is the minimum level you need to have to run a specific contract or operate on a specific contract, and you're only on Level 2; guess what? You are likely going to be disqualified from actually getting that contract. Keep that in mind as an SE: you need to understand CMMC and the processes it takes to get there.

In this lesson, we covered how organizational authority varies between government, industry, all of those things. We talked about security policies and how they influence the processes that we use as an SE. We talked briefly about software assurance and why that's important, and then we looked at the CMMC, the Cybersecurity Maturity Model Certification, and the fact that if you are going to be a government contractor or work in the government, you are going to have to actually utilize this standard to either judge contracts or try to be awarded contracts based on the fact that you actually meet the appropriate level of maturity for an organization. I will see you next time.