CISM

Course
Time
12 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
9

Video Transcription

00:02
how other risks come with data ownership. And if you'll recall,
00:06
it's the owner of the information that determines classifications.
00:10
And by determining the classifications, they determine the degree of security and
00:15
who has access to the information.
00:18
That's a really important role.
00:21
So when we talk about that, the question then becomes,
00:24
well, who owns the information?
00:27
Is it the user? Rarely. Is it the processor? Is it senior management? Is it the head of the organization? And the answer is,
00:36
I don't know.
00:37
But
00:38
the individual that is
00:40
in charge of developing your policy should know, and that should be, well,
00:45
there should be a clear line of ownership because of the responsibilities that the data owner has
00:52
with the systems as well.
00:55
So we need to make sure that that's well documented
00:58
and that we have a clear path.
01:02
for, uh, ownership to be traced.
01:04
All right, now, third-party risk.
01:08
So if I were to say to you all,
01:11
by outsourcing work, I eliminate my risk.
01:18
Thank goodness I got somebody else to take care of all of this for me.
01:23
I can almost hear some of you laughing now because you've probably worked with contractors in real life,
01:30
I can tell you, you may take on more risk by outsourcing work, because sometimes contractors outsource to subcontractors, to subcontractors, and you're several instances away from the folks that are actually doing the work.
01:45
You're turning over the control and access to a third party.
01:51
So, you know, that's the very nature of outsourcing. You no longer have control over it.
01:56
Well,
01:57
the risks associated with that, man, we can think about. Okay, well, how do I know how my vendor hires people? How they vet people, what the onboarding process is?
02:08
Can I make sure that non-disclosure agreements are in their proper place?
02:14
What sort of backup and disaster recovery and business continuity plan does that vendor
02:19
or the subcontractor of the subcontractor,
02:23
um, what are their requirements as far as
02:29
communications, what information they have to provide
02:31
me?
02:32
How do they separate out my information from another company?
02:37
just
02:38
Are they going to meet the compliance needs that I have?
02:42
And once again, the answer is, I don't know.
02:46
But the way I do know
02:47
is, first of all, before I select a third-party vendor, I want to get,
02:53
I would get an assessment of that vendor from a neutral entity. Whether
02:59
they have certifications
03:00
ISO 9000.
03:02
It's a little bit dated. But, you know,
03:06
what are their processes? Are they ISO 27001 compliant?
03:10
How are they certified?
03:12
And then, of course, the next thing is I need a well-written contract.
03:15
Now I can guarantee one of the things that you'll see come up in this material multiple times is the necessity to have a well-written service level agreement,
03:28
and to ensure the service level agreement details what your needs are.
03:31
We'd also like that right to audit so that I can ensure my needs are being met, rights in the contract. I want to make sure they're following the contract,
03:40
and a lot of times, you know... Now, when we're thinking about third-party risk, my mind immediately goes to the cloud.
03:49
So when you look at evaluations of cloud service providers, those audits are conducted based on how well the CSP, the cloud service provider,
03:59
meets their service level agreement. So do they do what they're promising to do,
04:05
so?
04:06
Really, all the cloud is is just a third-party vendor, right? We're just outsourcing. I'm outsourcing, perhaps, management of my data
04:15
or outsourcing
04:16
the network infrastructure in infrastructure as a service. You know, really, what type of cloud structure you have is determined by what you're outsourcing, if that makes sense.
04:29
But
04:30
there's very little that you cannot send to the cloud today.
04:34
So what it means is we're not eliminating risk.
04:39
We're just transferring risk
04:41
to that third party. But remember, you cannot transfer
04:45
liability.
04:46
We're still ultimately liable.
04:49
And even if the cloud service provider is responsible for a compromise,
04:55
our clients,
04:56
all they see is that we've compromised their data, right? So we have to be very careful and purposeful. Not just that, but how do we send information to the cloud, right? That's not the cloud's,
05:08
a cloud service provider's.
05:10
How do we
05:12
vet our employees? How do we create accounts? How do they authenticate to services in the cloud? That's on us as well.
05:20
So we could just go on and on. And then, you know, with the cloud also, you might hear about things like vendor lock-in, where the cloud stores your information in very proprietary formats. So if you need to leave,
05:33
it makes it difficult to get your data back.
05:36
What about data remnants? Once I leave a cloud service provider, I can't very well go there and shred their hard drive.
05:43
So that's where we need to use crypto-shredding. It's just encrypting it in such a way it can't be decrypted.
05:50
You know, these are things we have to discuss before we determine,
05:55
yeah, we're gonna migrate to the cloud, and we have to continue to assess it
06:00
as we move forward because
06:02
the cloud has a tremendous amount of benefit,
06:04
just like everything else, it brings risks in as well.
06:10
And then the last thing for us, the risk scenarios, go to
06:14
project and program management. I cannot tell you how many times
06:18
I have viewed projects that have failed. Maybe they were over budget.
06:24
Maybe they came in late. Maybe they used up resources. Maybe halfway through,
06:29
Uh,
06:29
it wasn't feasible,
06:33
on and on and on, so many reasons. Usually,
06:38
and this may be a stretch, but I've found almost always when projects fail,
06:43
it goes back to the very beginning of a project, with identifying requirements and turning those requirements into a scope of work. If you've ever heard "scope creep,"
06:54
man, scope creep will
06:56
kill
06:57
a project,
06:58
and scope creep is one of those things where, you know, with project management you have a set amount of defined work,
07:04
and based on that set amount of defined work, you've created a budget and you've created the schedule.
07:11
But if all of a sudden I start finding that one piece of work leads to another, leads to another,
07:15
doing all of this work
07:17
that doesn't really add to the project, that isn't defined by the requirements,
07:23
all of a sudden I'm behind schedule and I'm over budget, and I'm not moving towards our ultimate results. So scope creep will kill you.
07:31
Lack of funding, changing requirements. Those of you that have been in project management, I bet you could add to that list, sort of ad... And,
07:40
um, but
07:41
projects fail, and many times it
07:44
goes back to a problem with requirements. If it doesn't go back to a problem with requirements and hearing those out,
07:49
many times, also, it's poor risk

Instructed By

Kelly Handerhan
Senior Instructor