Okay, let's talk about tactical management. This is the idea that the organization needs to decide what to do on a day-to-day, week-to-week, or month-to-month basis: what kind of moves or maneuvers should it make in order to improve its market share, attract more customers, or improve its bottom line? If we remember, tactics are the actions that are taken to support a strategy. Tactics are the smaller actions; the strategy is the bigger one. So one of the ways we can think about this is having the organization create a plan which supports its tactical goals.
We really can't spend too much time emphasizing the importance of proper planning. When a proper plan has been put in place, everything that flows from that plan should be more efficient and operate more smoothly. Other things to think about would be creating benchmarks. There are several benchmarks already in existence that are considered industry standards: NIST has its catalog of security controls in Special Publication 800-53; we have FISMA, the Federal Information Security Management Act; OPM3, the Organizational Project Management Maturity Model; then we have the Business Continuity Maturity Model, BCMM; and lastly we have some ISO standards, the 27000 series, which gives us our CMM, the Capability Maturity Model. I was referring to CMM in a previous section when we were talking about different metrics for measuring quality control and so forth.
Managers at every level within the organization are expected to provide some type of leadership. That's why they are managers: they're tasked with leading the people or resources under their control effectively toward their goals. When a leader is effective, they can get the best performance out of the employees they are managing. If the leader is ineffective, then you end up with problems all across the map: people doing things on their own without authorization, employees who are directionless and don't know what's expected of them. Sometimes this happens in organizations that grow very quickly, where the size of the organization outstrips the ability of the managers to keep a handle on everything.

It's really important to have some minimum requirements. We need some type of performance reporting and some type of record keeping. In a general sense that could be very large scale or very small scale; it just depends on the situation at hand. And then we need to think about how we implement security controls. These could be physical security controls, electronic or logical controls, and so on. There's a lot of variety there, but the important thing is that some attention is paid to the security controls themselves: to make sure there's a demonstrated need for the control, that it was implemented correctly, and that you're monitoring and testing it to make sure it's working as expected.
Now we have some more detail about the capability maturity model. As we can see, we've got six different levels, and this is the scale used by the COBIT framework, which was developed by ISACA.

At level zero, you're basically a brand new organization. You're not doing anything regarding metrics, measurement, or performance improvement, so that's the starting place.

At level one, some efforts are being made to make the organization more mature. You're starting to identify those areas that can be measured, and starting to think about how the measurement might take place and what you might do with the information.

At level two, the organization is at least able to repeat its processes, to do some functions on a repetitive basis. It could be something like registering a new customer, subscribing someone to a new service, or processing an invoice. Whatever the case might be, it's repeatable because there's a process and a procedure in place that's effectively working.

At level three, processes, procedures, and standards are defined within the organization. More documentation has been produced, more people in the organization are aware of what's expected, and there's an overall sense that the organization is more mature as a result.

At level four, we're now managing the different moving pieces in a more effective way. We've built some foundation, and managers can move things around and measure things as they see fit in order to continue to improve the performance of the company or the organization.

And at the fifth level, we're now optimizing. Everything is in place, all the processes are in place, everything is repeatable and well documented, but we're still looking for ways to improve, just those little bits and pieces that can enhance our efficiency and productivity.

So this is why the CMM is valuable as a way to rank the maturity of an organization.
We have to think about risk management. This is a broad topic; it has a lot of applicability to different aspects of what an organization does. We know that there are strategic risks, tactical risks, and operational risks. Tactical and operational risks are somewhat similar because they're both considered short term. Strategic risk has a different time frame. If we spend a million dollars on equipment today, how long will it take before we get some return on that investment? That would be more of a strategic risk; that could be a year from now or two years from now.

We also have to understand inherent risk. This means that there are some things that are risky no matter how well you protect them. So if you use a third party to do some service or provide some function for your organization, there's inherent risk regardless of how well that organization is managed, because you don't have full control over it. Or, if you use off-the-shelf software versus developing your own software, there are risks in both of those areas. They're different types of risks, perhaps, but risks nonetheless.

And we have to remember that in most cases there's no way to completely remove risk. There's always some residual level of risk that remains. The goal in risk management, then, is to be able to identify the remaining level of risk, to make sure that it's within your risk tolerance and not outside that range. When risks are identified that are outside your risk tolerance, then you have to take some kind of action to remediate them.
So there are a couple of simple formulas that can be used to calculate some of these factors. For instance, we can take the asset value, abbreviated AV, and multiply it by an exposure factor, EF, which is a percentage. That gives you what's known as the single loss expectancy, SLE.

So let's say I've got a building that's worth a million dollars. My asset value would be one million. The exposure factor is for some kind of threat; let's say the threat is fire. I might bring in a subject matter expert who says, well, you've got sprinklers, you've got extinguishers, the building's made of this material, and so on. They say, if a fire happened, maybe half the building would be destroyed, so my exposure factor would be 50% in that case. Therefore my single loss expectancy would be $1,000,000 times 50%, or $500,000. So in a very simple example, a fire in a million-dollar building might destroy half of it, and it might take half a million dollars to repair that damage.

We can also expand a little bit on this: my single loss expectancy can also be multiplied by the annual rate of occurrence, ARO. Are you having more than one fire per year in your building? That's probably a really bad thing if it's happening. But if my single loss expectancy was $500,000 and I expect to have a fire every 10 years, I have to express the annual rate of occurrence as a fraction, one over 10, and therefore my annual loss expectancy would be $500,000 times one-tenth, which is $50,000.

So you use the annual loss expectancy to understand how much money needs to be allocated over a given period of time. It could be multiple events within a single year, or multiple events within a five-year or ten-year time span. In the case of a fire, hopefully that is something that wouldn't happen very often at all, but once every 10 years might be a reasonable estimate based on different factors. So you probably should have an expectation of setting aside $50,000 a year during that 10-year period to be able to endure a $500,000 loss in a single event.
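The two formulas above, carried through in code as an added example that is not part of the lecture. It goes a step beyond the lecture's single fire scenario: it also compares each scenario's ALE against a risk tolerance figure, and works out whether a safeguard that lowers EF or ARO is worth its yearly cost (ALE before the control, minus ALE after it, minus the control's annual cost). The fire numbers are the lecture's; the ransomware scenario, the offline-backups control, the $60,000 tolerance, and the Scenario and Control class names are constructed assumptions. Fractions are used so that "once every 10 years" stays exact instead of becoming a rounded float.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import List, Optional


@dataclass(frozen=True)
class Scenario:
    """One asset/threat pair with the inputs to the SLE and ALE formulas (hypothetical model)."""
    asset: str
    threat: str
    asset_value: int            # AV, in dollars
    exposure_factor: Fraction   # EF: fraction of AV lost in a single event, 0..1
    aro: Fraction               # ARO: expected number of events per year


@dataclass(frozen=True)
class Control:
    """A safeguard that lowers EF and/or ARO at some annual cost (hypothetical model)."""
    name: str
    annual_cost: int
    new_exposure_factor: Optional[Fraction] = None
    new_aro: Optional[Fraction] = None


def aro_once_every(years: int) -> Fraction:
    """'One fire every 10 years' is expressed as the fraction 1/10 events per year."""
    return Fraction(1, years)


def sle(s: Scenario) -> Fraction:
    """Single loss expectancy: SLE = AV x EF."""
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> Fraction:
    """Annual loss expectancy: ALE = SLE x ARO."""
    return sle(s) * s.aro


def with_control(s: Scenario, c: Control) -> Scenario:
    """The same scenario after the control is applied, i.e. the residual-risk inputs."""
    ef = c.new_exposure_factor if c.new_exposure_factor is not None else s.exposure_factor
    aro = c.new_aro if c.new_aro is not None else s.aro
    return Scenario(s.asset, s.threat, s.asset_value, ef, aro)


def control_value(s: Scenario, c: Control) -> Fraction:
    """Yearly value of the safeguard: ALE before minus ALE after minus its annual cost.
    A positive result means the control saves more than it costs."""
    return ale(s) - ale(with_control(s, c)) - c.annual_cost


def outside_tolerance(scenarios: List[Scenario], tolerance: int) -> List[Scenario]:
    """Scenarios whose ALE exceeds the yearly loss the organization is willing to accept."""
    return [s for s in scenarios if ale(s) > tolerance]


# Constructed sample inputs. FIRE uses the lecture's numbers; the ransomware
# scenario, the control and the tolerance figure are made up for illustration.
FIRE = Scenario("headquarters building", "fire", 1_000_000,
                exposure_factor=Fraction(1, 2), aro=aro_once_every(10))
RANSOMWARE = Scenario("file server", "ransomware", 200_000,
                      exposure_factor=Fraction(3, 4), aro=aro_once_every(2))
OFFLINE_BACKUPS = Control("offline backups", annual_cost=20_000,
                          new_exposure_factor=Fraction(1, 4))
RISK_TOLERANCE = 60_000  # maximum acceptable ALE per scenario, dollars per year


def report(scenarios: List[Scenario], tolerance: int) -> None:
    """Print SLE, ALE and whether each scenario needs remediation."""
    for s in scenarios:
        flag = "REMEDIATE" if ale(s) > tolerance else "accept"
        print(f"{s.asset:22} {s.threat:11} SLE=${float(sle(s)):>12,.2f} "
              f"ALE=${float(ale(s)):>12,.2f}  {flag}")


if __name__ == "__main__":
    report([FIRE, RANSOMWARE], RISK_TOLERANCE)
    residual = with_control(RANSOMWARE, OFFLINE_BACKUPS)
    print(f"{OFFLINE_BACKUPS.name}: residual ALE=${float(ale(residual)):,.2f}, "
          f"annual value=${float(control_value(RANSOMWARE, OFFLINE_BACKUPS)):,.2f}")
```

With these inputs the fire scenario lands at the lecture's $500,000 SLE and $50,000 ALE and is within the $60,000 tolerance, while the ransomware scenario's $75,000 ALE is outside it. Applying the offline-backups control brings the residual ALE down to $25,000, and the control's net value is $30,000 a year, so it both pays for itself and brings the residual risk back inside the tolerance.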
These are very simple algebra formulas, nothing complicated here, but do be aware of these two formulas for the exam, because you will see questions relating to this.

What about risk as it relates to personnel?
Whenever you hire somebody, there is some risk. If you don't do a proper background check, for instance, you might discover when it's too late that the person has been arrested for fraud or for theft, and now they're already working for you and may represent a risk. There could also be risks when you use contractors or you outsource. People from another country might have different laws and regulations covering their employment. For instance, European Union employees have very well-defined regulations regarding moving people around, moving them from one country to another. You might be liable for employee benefits or relocation expenses if you fire somebody who lives in the EU. So, of course, your legal experts and HR personnel should be able to navigate these waters more carefully, but it's important to understand that there is some risk involved.