Hello again and welcome to the HCISPP Certification course with Cybrary. Risk Assessment Consistency, Part One.
I am Shalane Hutchins, your instructor
and this module will cover roles and responsibilities that are consistent with the risk assessment process within an organization.
Many different individuals within an organisation contribute to the successful protection of information. Many will have a role to play in the risk assessment process.
Security is everyone's responsibility within the organization.
All end users are responsible for understanding the policies and procedures that are applicable to his or her job function.
Users must have knowledge of their responsibilities and be trained to a level that is adequate to reduce the risk of loss to an acceptable level.
Although the titles and scope of responsibility of the individuals may vary from organisation to organisation, the following roles support the implementation of security controls.
Executive management maintains the overall responsibility for protection of the information assets.
The business operations are dependent upon information being available, accurate and protected from individuals without a need to know.
They must be aware of the risks that they are accepting for the organization.
Executive management is responsible for providing security leadership and governance for the organization.
The information security officer can maintain a subset of the responsibilities of the CISO.
Specifically, the ISO is responsible for the design, implementation, management and review of the organization's security policies, standards, procedures, baselines and guidelines.
This individual is often uniquely situated within the organization to be able to highlight and identify security risks during the assessment process.
In smaller organizations, such as a startup in the healthcare industry, this role becomes increasingly important and challenging as the company grows.
Partnering with risk leaders is so important to ensure security is appropriately designed, and it can also be pretty cool when working in an environment with smart people. A security officer can leverage technologists to help design and implement the appropriate security measures.
In my experience, it's about getting those technologists to understand the why behind what you're asking them to do.
Once they understand that, you can find more creative ways to achieve your goals.
The privacy officer will have knowledge of information systems, information security, privacy and legal requirements, and be able to identify and manage the associated risk and business impact of system changes, interconnections and sharing practices.
The privacy officer is responsible for reviewing organization practices and procedures to ensure compliance with the relevant privacy laws and policies.
Additionally, the privacy officer will be able to make risk management recommendations to prevent incidents of compromise or misuse of PHI or personal information.
Drafting of security policies, standards and supporting guidelines, procedures and baselines is coordinated through the information security professional.
Guidance is provided for technical security issues, and emerging threats are considered for the adoption of policies.
This individual possesses technical knowledge and is able to inform the risk assessment process for the organization.
A business executive or manager is typically responsible for information assets. These are the individuals that assign the appropriate classifications to the information assets.
They ensure that the business information is protected with appropriate controls.
The owners or their delegates may be required to approve access to the information.
Owners or their delegates are responsible for understanding the risks that exist with regard to the information they control.
A data custodian is an individual or function that takes care of the information on behalf of the owner.
These individuals ensure that the information is available to the end users and is backed up to enable recovery in the event of data loss or corruption.
This group administers access rights to the information assets. Individuals in this role will have important business and operations knowledge to share to inform the risk management process.
IT auditors determine whether users, owners, custodians, systems and networks are in compliance with security policies, procedures, standards and other requirements.
The auditors provide independent assurance to management on the appropriateness of security controls and provide an independent view of the controls and their effectiveness.
Business continuity planners develop contingency plans to prepare for any occurrence that could have the ability to impact the company's objectives negatively.
We reviewed the various threat vectors that could affect an organization, including earthquakes, tornadoes, blackouts, fires, etcetera. The business continuity planner informs the risk assessment process, ensures that business processes can continue through the disaster, and coordinates those activities with the business unit areas and IT professionals responsible for recovery.
IT professionals are responsible for designing security controls into information systems, testing the controls and implementing the systems in production environments.
They work with the business owners to ensure the designed solution provides security controls commensurate with the criticality, sensitivity and availability requirements of the application.
They provide vital data around the system's vulnerabilities and controls that feed directly into the risk assessment process.
A security administrator manages the user access request process and ensures that privileges are provided to those individuals who have been authorized for access by the application, system or data owners.
These individuals have elevated privileges and create and delete accounts and access permissions. This professional will feed relevant system and security information into the risk assessment process.
A network or systems administrator configures network and server hardware and the operating systems to ensure that the information can be available and accessible. They maintain the infrastructure by installing patches and updates to systems.
The administrator tests and implements system upgrades to ensure the continued reliability of servers and network devices.
This professional will feed relevant system and security information into the risk assessment process.
The individuals assigned to the physical security role establish relationships with external law enforcement, such as the local police agencies, state police or the FBI, to assist in investigations.
Physical security personnel manage the installation, maintenance and ongoing operations of surveillance systems, alarm systems and card reader access control systems.
Physical security personnel interface with system security, human resources, facilities, legal and business areas to ensure that the practices are integrated.
Now it's time for a knowledge check.
Who assigns appropriate classification to information assets?
Who provides independent assurance to management on the appropriate controls?
The information systems auditor.
Did you get that one right?
Who directs, coordinates, plans and organizes security activities?
The security officer.
So today we talked about roles and responsibilities as they apply to the risk assessment process for consistency. Stay tuned for Part Two.