Time
8 hours 35 minutes
Difficulty
Intermediate
CEU/CPE
9

Video Description

Tactical management is the idea that the organization needs to decide what to do on a regular (e.g. week to week, month to month) basis. These are tactics which are done to support a strategy. This lesson discusses how an organization can make a plan to support their tactical goals and various models such as the Capability Maturity Model to measure and achieve goals. Participants also learn about risk management.

Video Transcription

00:04
Okay, let's talk about tactical management.
00:08
This is the idea that the organization needs to
00:11
decide what to do on a day to day or week to week or a month to month basis. What kind of moves or maneuvers should they make in order to improve their
00:19
market share or to attract more customers
00:23
or to
00:25
improve their bottom line?
00:27
If we remember, tactics are those things that are done
00:31
as actions to support a strategy.
00:34
Those are the smaller actions; strategy is the bigger action.
00:37
So one of the ways we can think about this is
00:41
having the organization create a plan which supports
00:45
their tactical goals.
00:49
We really can't spend too much time emphasizing
00:52
the importance of proper planning
00:55
When a proper plan has been put in place, then everything that flows from that plan should be more efficient and run more smoothly. Other things to think about would be creating benchmarks.
01:07
So there are several benchmarks which are already in existence and are considered industry standards.
01:15
We have, ah, NIST has their controls matrix in Special Publication 800-53,
01:22
we have FISMA, the Federal Information Security Management Act,
01:26
OPM3, operational, sorry, Organizational Project Management Maturity Model,
01:34
by the PMI,
01:34
then we have the Business Continuity Maturity Model, or BCMM.
01:40
And lastly, we have some ISO standards of the 27000 series, which gives us our CMM, which is the capability maturity model. I was referring to CMM in a previous section when we were talking about,
01:53
uh,
01:53
different metrics for measuring quality control and so forth.
01:57
So managers
02:00
at every level within the organization are expected to provide some type of leadership.
02:05
That's why they are managers. That's why they're
02:07
tasked with leading those people or resources that are under their control
02:13
effectively towards their goals. When a leader is effective,
02:16
then they can get the best performance out of the employees that they are managing.
02:22
If the leader is ineffective, then you end up with problems that are all across the map:
02:29
people doing things on their own without authorization,
02:31
uh,
02:32
employees that are directionless and don't know what's expected of them.
02:38
Sometimes this happens in organizations that grow very quickly,
02:42
where the size of the organization outstrips the ability of the managers to keep a handle on everything
02:46
so
02:47
it's really important to have some minimum requirements.
02:52
We need some type of performance reporting,
02:54
some type of record keeping in a general sense. That could be a very large scale or a very small scale; it just depends on
03:01
the situation at hand.
03:05
And then we need to think about how
03:07
we implement security controls.
03:10
These could be physical security controls, electronic, logical controls and so on.
03:15
There's a lot of variety there,
03:19
but the important thing is that there is some attention paid to the security controls themselves,
03:24
to make sure that there's a demonstrated need for the control, that it was implemented correctly and that you're monitoring and testing it to make sure that it's working as expected.
03:36
Now we have some more detail about the capability maturity model.
03:39
As we can see, we've got six different levels,
03:43
and this is used by the COBIT
03:46
framework, which is developed by ISACA.
03:49
at the zero level. That means you're basically a brand new organization. You're not doing anything
03:55
regarding metrics or measurement or performance improvement,
03:59
so that's the starting place.
04:02
at level one.
04:04
Some efforts are being made to
04:08
make the organization more mature. You're starting to identify those areas that can be measured,
04:13
starting to think about how the measurement might take place and what you might do with this information.
04:18
At Level two,
04:20
the organization is at least able to repeat its processes,
04:26
so its able to
04:28
to do some functions on a repetitive basis
04:30
could be something like registering a new customer,
04:33
subscribing someone to a new service,
04:36
you know, processing an invoice. Whatever the case might be, it's repeatable because there's a process in place and a procedure in place that's effectively working.
04:46
At the third level,
04:47
Now we've got,
04:49
uh, more,
04:50
more defined
04:54
processes and procedures and standards within the organization. More documentation has been produced.
04:59
More people in the organization are aware of what's expected,
05:03
and there's a
05:05
an overall sense that the organization is more mature as a result.
05:10
At Level four, now we're managing the different moving pieces in a more effective way.
05:16
So we built some foundation,
05:19
and managers can now move things around and measure things as they see fit in order to
05:27
continue to improve the performance of the company or the organization.
05:30
And at the fifth level, we're now optimizing,
05:33
so everything is in place, all the processes are in place. Everything's repeatable and well documented,
05:40
but now we're looking for ways to improve just those little bits and pieces that can enhance our efficiency and productivity.
05:47
So this is why the CMM is valuable as a way to rank the maturity of an organization.
05:54
We have to think about risk management. This is a broad topic.
05:58
It has a lot of applicability,
06:00
to different aspects of what an organization does.
06:03
We know that there are strategic risks. There's tactical risks,
06:08
and operational risks.
06:10
Tactical and operational risks are sort of similar because they're both considered short term.
06:16
But we have
06:18
different time frames for strategic risk. If we spend a $1,000,000 on equipment today,
06:25
how long will it take before we get some return on that investment? That would be more of a strategic risk. That could be a year from now or two years from now.
06:34
We also have to understand inherent risks.
06:38
This means that there are some things that are risky, no matter how well you protect them.
06:43
So if you use a third party to do some service or provide some function for your organization, there's inherent risk there, no matter how well that organization is managed,
06:53
because you don't have full control over it. There's inherent risk.
06:57
Or, if you use off the shelf software versus developing your own software,
07:01
there are risks in both of those areas. They're different types of risks, perhaps,
07:05
but risks nonetheless.
07:08
And we have to remember
07:10
that in most cases there's no way to completely remove risk. There's always some residual level of risk that remains.
07:16
The goal in risk management, then,
07:19
is to
07:20
be able to identify the remaining level of risk
07:24
to make sure that's within your risk tolerance
07:27
and that it's not outside that range.
07:30
When risks are identified that are outside your risk tolerance, then you have to take some kind of action to remediate that.
07:36
So there are a couple of simple formulas that can be used
07:41
to calculate some of these factors.
07:44
For instance, we can take the asset value, abbreviated as AV,
07:48
multiply that by an exposure factor known as EF. This is a percentage,
07:55
and that could give you what's known as a single loss expectancy.
07:59
So let's say I've got a building that's worth a $1,000,000. My asset value would be one million.
08:05
Um, the exposure factor for some kind of a threat. Let's say the threat is fire.
08:09
I might bring in a subject matter expert who says, well, you've got sprinklers, you've got extinguishers, the building's made of this material and so on. They say, well, if a fire happened, maybe half the building would be destroyed,
08:24
so my exposure factor would be 50% in that case.
08:28
Therefore, my single loss expectancy would be $1,000,000 times 50%, or $500,000.
08:33
So a very simple example of
08:37
a fire in a $1,000,000 building might destroy half. Now it might take a million, or half a million rather, to repair that damage
08:45
from one event.
08:46
We can also expand a little bit on this to say
08:50
my single loss expectancy
08:52
can also be multiplied by the annual rate of occurrence.
08:56
Are you having more than one fire per year in your building? Probably a really bad thing if that's happening.
09:01
Uh,
09:01
but if my single loss expectancy was $500,000
09:07
and I expect to have
09:09
you know a fire every 10 years,
09:13
then I would
09:13
have to express the annual rate of occurrence as a fraction, one over 10,
09:18
and therefore my annual loss expectancy would be 50 times, sorry, 500,000 times one over ten, which would be 50,000.
09:28
So the annual loss expectancy
09:31
is intended
09:33
to understand how much money
09:35
needs to be allocated over a given period of time. It could be, ah, multiple times within a single year
09:43
or multiple events within a five year time span, a 10 year time span.
09:50
In the case of a fire,
09:50
hopefully that will be something that wouldn't happen very often at all. But maybe once every 10 years would be a reasonable estimate based on different factors.
09:58
So you probably should have
10:01
an expectation of setting aside $50,000 a year during that 10 year period to be able to endure
10:07
a $500,000 loss in a single event,
10:11
the next dance.
10:13
Okay,
10:13
these are very simple algebra formulas. Nothing complicated here. But do be aware of these two formulas for the exam because you will see questions relating to this. What about risk as it relates to personnel?
10:28
Whenever you hire somebody, there is some risk
10:31
if you don't do a proper background check. For instance,
10:33
you might discover when it's too late that that person has been arrested for fraud or for theft,
10:41
and now they're already working for you and may represent a risk.
10:46
Because of that,
10:48
there could also be risks when you use contractors or you outsource
10:52
people from another country, they might have different laws and regulations covering their employment.
11:00
For instance, for European Union employees,
11:05
they have, ah, very well defined
11:07
regulations regarding moving people around, moving them from one country to another. You might be liable for
11:16
employee benefits, relocation expenses, if you fire somebody that lives in the EU.
11:22
So, of course, your legal experts and HR personnel should be able to
11:28
navigate these waters more carefully. But it's important to understand there is some risk involved.
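As an added worked example (not part of the lesson or the instructor's material), the following Python puts the two formulas from the risk section, SLE = AV x EF and ALE = SLE x ARO, to work on a small risk register, flags the entries whose annual loss expectancy is above a stated risk tolerance (the lesson's trigger for remediation), and goes one step beyond the lesson by weighing a control's annual cost against the ALE it removes. The fire row reuses the lesson's figures ($1,000,000 building, 50% exposure, one fire every 10 years); the other assets, the tolerance figure, the sprinkler upgrade and its cost are constructed assumptions.

```python
"""Quantitative risk formulas from the lesson, SLE = AV x EF and ALE = SLE x ARO,
applied to a small risk register and checked against a risk tolerance.

Added example, not part of the lesson. The fire row reuses the lesson's figures
($1,000,000 building, 50% exposure, one fire every 10 years); every other value,
name, and the control cost/benefit extension is constructed for illustration.
"""
from dataclasses import dataclass
from fractions import Fraction
from typing import Iterable


@dataclass(frozen=True)
class Threat:
    """One asset/threat pair in a risk register."""
    asset: str
    threat: str
    asset_value: Fraction      # AV: replacement value in dollars
    exposure_factor: Fraction  # EF: fraction of AV lost in one event, 0 to 1
    aro: Fraction              # ARO: expected events per year ("1/10" = once a decade)

    def __post_init__(self) -> None:
        # Accept ints, floats or strings like "1/10"; exact fractions avoid
        # float rounding in money arithmetic (50000 comes out as exactly 50000).
        for name in ("asset_value", "exposure_factor", "aro"):
            object.__setattr__(self, name, Fraction(getattr(self, name)))
        if not 0 <= self.exposure_factor <= 1:
            raise ValueError(f"{self.asset}: exposure factor must be between 0 and 1")
        if self.aro < 0 or self.asset_value < 0:
            raise ValueError(f"{self.asset}: ARO and asset value cannot be negative")

    def sle(self) -> Fraction:
        """Single loss expectancy: SLE = AV x EF, the dollar cost of one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> Fraction:
        """Annual loss expectancy: ALE = SLE x ARO, the amount to set aside per year."""
        return self.sle() * self.aro


def over_tolerance(register: Iterable[Threat], annual_tolerance) -> list[Threat]:
    """Threats whose ALE exceeds the yearly loss the organization will accept.

    These are the risks the lesson says must be remediated rather than carried.
    """
    tolerance = Fraction(annual_tolerance)
    return [t for t in register if t.ale() > tolerance]


def control_net_benefit(threat: Threat, new_ef, new_aro, annual_control_cost) -> Fraction:
    """Yearly value of a control that lowers EF and/or ARO (hypothetical extension).

    ALE before minus ALE after minus the control's annual cost. Positive means the
    control removes more expected loss than it costs; negative means it does not.
    """
    after = Threat(threat.asset, threat.threat, threat.asset_value, new_ef, new_aro)
    return threat.ale() - after.ale() - Fraction(annual_control_cost)


# Constructed register: the fire row matches the lesson, the rest are invented.
REGISTER = [
    Threat("headquarters building", "fire", 1_000_000, "1/2", "1/10"),
    Threat("customer database", "ransomware", 400_000, "3/4", "1/4"),
    Threat("laptop fleet", "theft", 200_000, "1/50", 3),
]

if __name__ == "__main__":
    for t in REGISTER:
        print(f"{t.asset:22} {t.threat:11} SLE ${float(t.sle()):>12,.2f}  ALE ${float(t.ale()):>10,.2f}")
    tolerance = 60_000  # constructed: the most the organization will absorb per year per risk
    for t in over_tolerance(REGISTER, tolerance):
        print(f"remediate: {t.threat} on {t.asset}, ALE ${float(t.ale()):,.2f} exceeds ${tolerance:,}")
    # Hypothetical sprinkler upgrade: cuts fire exposure from 50% to 25% for $20,000 a year.
    print("sprinkler upgrade net benefit per year: $",
          float(control_net_benefit(REGISTER[0], "1/4", "1/10", 20_000)))
```

Running the block prints the fire row as SLE $500,000 and ALE $50,000, matching the lesson's worked numbers; the constructed ransomware row (ALE $75,000) is the only one over the $60,000 tolerance, and the hypothetical sprinkler upgrade comes out $5,000 a year ahead because it removes $25,000 of expected loss for a $20,000 cost. Fractions rather than floats keep the dollar results exact, which matters when the output feeds a budget line rather than a slide.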


Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor