Okay. So if we do have this need for an information security management program, what's that gonna look like? And what are the elements that are gonna help make this successful? Well, of course, just like we kind of already talked about, it's senior management's involvement, keeping in mind that senior management really has an understanding of all the elements of a business and how they work together.
So they're gonna be able to help us prioritize and understand the critical business functions. And they're gonna help us understand what's the best order in which to spend our budget. And they'll also answer the question for us of how much security we need. And I know that kind of sounds like one of those questions when you say
how much security is enough.
You know, people always say you can never have too much security, but we can. You can actually have too much security when the amount of security that you have interferes with the work of the business, right? So, for instance, if I sell ice cream cones at the mall
and I have to do a retina scan every time I access the cash register,
that's too expensive. It takes too long. It doesn't make any sense. Now, technically, that would be more secure. So what we have to do is we have to think about security in terms of cost-benefit analysis: how much security is enough to support the function and the business needs of our environment.
And that's where senior management's involvement comes in. They have that bird's-eye view of the organization as a whole and can help us to prioritize.
That's where governance comes in. Senior management governs the organization, and they have to do so actively. And a big part of governance is laying out the policies, standards, procedures and guidelines which the rest of the organization has to follow. If you were to ask
who is ultimately responsible for security,
you know, many people would say everybody, we're all responsible,
you know, really, when it comes right down to it, the ultimate responsibility for the security of an organization lies with senior management.
They're the ones who are liable. They're the ones who have been entrusted with the company assets. They're the ones that could be sued, that could face repercussions if the regulations are not followed. So it ultimately is senior management who's responsible for the security of the organization.
For the rest of us,
our job is to follow the policies, procedures, standards and guidelines as set out by senior management, right? So they lay out the policies. That's what they do as part of governance. Everybody else within the organization is accountable for following those policies. Okay,
roles and responsibilities. When we do set out this program, we have to have a
thorough understanding of who is gonna satisfy which needs within the organization in relation to information security.
So what is the information security officer supposed to do? What are our system owners supposed to do? What are our end users supposed to do? And really defining that information through our policies so that everybody understands what their part to play is,
that needs to be part of our program.
All right. Service level agreements and outsourcing. Basically, third parties. Many organizations today interact with third parties to one degree or another. We have procurement. We may have contract employees. We work with vendors that provide services, and service level agreements.
So we've got to address how we're gonna procure,
how we're gonna outsource. And then, who's our contract administrator? What are our security needs from those processes that we outsource? Again, that's part of our program as a whole.
Data classification. Are we working with classified data? And we also have to keep in mind that the private sector can use classification of data as well. So extremely sensitive company information
might be classified as confidential. You know, we've probably seen these "for internal use only" documents. And so classification is not just a convention used by the government and military.
Certification and accreditation. What processes do we go through in order to bring systems into our environment to make sure that that system meets the security requirements? So for those of you that work in the government or military, you know I can't just bring any system in and connect it to
our network; depending on the type of network that it is, we have security standards.
So how do we make sure that the system is certified, which means technically secure, as well as accredited, which means management signs off on it, in order to be on the network?
These terms change from time to time, you know, authorization, different terms. But ultimately what we need is a technical evaluation of the product,
and then we need management to accept it. And that's traditionally been called certification and accreditation. And then, ultimately, we have to have a means of audit. And audit is all about accountability: making sure that policies are put in place, that policies are effective, that policies are being followed.
So all of those elements come together,
and this would be the basis for a security management program.