Hello, everyone. This is instructor Gerry Roberts. This is risk policies and security controls.
In this video, we're gonna talk about what security policies are. We're going to talk about what is actually in documentation for security,
how this all fits with risk management
and using a risk management framework to help us guide those policies.
First of all, what are security policies,
the security policies, air organizational policies put in place to enhance security?
So that might be something like an acceptable computer usage document that employees must sign in. And here, too,
that's a policy that tells them what they can and cannot do with their computers.
Now this could be in one document or could be spread across many documents.
Usually, these documents are living documents
edited when new risks are identified or new information is gathered.
Sometimes we find out new things about risks, and we have to change our policies and procedures. So it's always being worked on
what's actually in security documentation.
So usually, what you'll find in a document about security
are responsible parties
and sometimes a call tree. If there are more than one person responsible
security controls that are supposed to be in place
training requirements such as information awareness training.
Now some companies do that on a regular basis, such as yearly. I've heard some government places do it every six months. It just depends on the company.
Policies and procedures are also in here and those again, or things like acceptable computer usage policies.
And if there are other related documents that you might need to reference the location of those documents and the names are usually somewhere
in that document,
and those could be like your D R P or your B C P.
Now, how did they fit in with risk management
now? Security policies air one way to layout mitigation and other strategies for dealing with risk.
In our example of the computer usage documentation
we could tell users hate. You're not allowed to use specific things like, and I'll pick on Facebook because that's an easy example. But you're not allowed to go on Facebook because people keep getting viruses from Facebook games
that could be acceptable use policy.
And as part of that policy, Facebook might be blocked so users can't actually access it,
so that could be one policy.
this helps us mitigate risk because if they don't
go visit Facebook and play the Facebook games, they're not gonna be exposed to a risk of those viruses that you sometimes get from there.
Now, most risk management plans are gonna have some sort of security policies in them.
You know, these policies air derived. Their multiple methods included the risk assessment stage, a risk management,
and sometimes they are derived from pure accidents such as the Facebook policy which happened to me at a company I worked at.
Ah, we had a social media team and they needed to access Facebook. But because Facebook was accessible to everyone, we ended up getting a bunch of viruses because people were playing games that were not sanctioned by Facebook. There were third parties
and they had issues.
So that could happen. And that could be one way you get your actual policies.
there's something called a risk management framework that is available to help you guide your policies and procedures.
There are several of these available, and they help you organize and help you put things together for your risk management activities.
The framer exposed to help lay the ground for your plan it access a blueprint,
some examples that you might be familiar with. NIST has several risk management frameworks. So does so
and those you confined on their website, and you can use those to help you guide your set up for your risk management.
Now, a lot of these have some steps for creating documents. What to include in some of the documents where to find resource is so these frameworks could be super useful, I was suggest definitely taking a look at them. Not all of them work for every organization, but if one is available that helps work for you,
then I would definitely suggest looking into it
and taking it into consideration. Putin put a year of documentation together.
All right, that's it for a short
lecture here. So it's time for post assessment question.
What might be in a security policy diet payment
that the responsible parties,
or what we have all of the above in our documentation for security policies.
So I'll give you a few moments to figure that out.
You can pause if you'd like, and we'll come back to the answer,
all right. The answer is all of the above,
you might have your responsible parties in there.
Security controls air definitely usually in there,
as well as training information for security awareness training and other and user trading that might be necessary.