Did you know Cybrary has FREE video training? Join more than 2,500,000 IT and cyber security professionals, students, career changers, and more, growing their careers on Cybrary.
Tactical management is the idea that the organization needs to decide what to do on a regular (e.g. week to week, month to month) basis. These are tactics which are done to support a strategy. This lesson discusses how an organization can make a plan to support their tactical goals and various models such as the Capability Maturity Model to measure and achieve goals. Participants also learn about risk management. [toggle_content title="Transcript"] Okay, let's talk about tactical management. This is the idea that the organization needs to decide what to do on a day-to-day or week-to-week or a month-to-month basis, what kind of moves or maneuvers should they make in order to improve their market share, or to attract more customers, or to improve their bottom line? If we remember, tactics are those things that are done as actions to support a strategy. Those are the smaller actions. The strategy is the bigger action. So one of the ways we can think about this is having the organization create a plan which supports their tactical goals. We really can't spend too much time emphasizing the importance of proper planning. When a proper plan is put in-place, then everything that flows from that plan should be more efficient and more smoothly operating. Other things to think about would be creating benchmarks. So there are several benchmarks which are already in existence and are considered industry standards. NIST has their controls matrix for using the special PUB 800-53. We have the FISMA: Federal Information Security Management Act. OPM3: the Organizational Project Management Maturity Model by the PMI. Then we have the Business Continuity Maturity Model, the BCMM. Lastly we have some ISO standards: the 27000 series; which gives us our CMM, which is the Capability Maturity Model. I was referring to the CMM in a previous section where we were talking about different metrics for measuring quality control, and so forth. So managers at every level within the organization are expected to provide some type of leadership. That's why they are managers. That's why they are tasked with leading those people or resources that are under their control effectively toward their goals. When a leader is effective, then they can get the best performance out of the employees that they are managing. If a leader is ineffective, then you end up with problems that are all across the map. People doing things on their own without authorization, employees that are directionless, and don't know what's expected of them. Sometimes this happens in organizations that grow very quickly, where the size of the organization outstrips the ability of the managers to keep a handle on everything. So it's really important to have some minimum requirements. We need some type of performance reporting. Some type of record keeping in a general sense that could be a very large scale or a very small scale. It just depends on the situation at-hand. Then we need to think about how we implement security controls. These could be physical security controls, electronic, logical controls, and so on. There's a lot of variety there, but the important thing is that there is some attention paid to the security controls themselves to make sure that there is a demonstrated need for the control, that it was implemented correctly and that you're monitoring and testing it to make sure that it's working as expected. Now we have some more detail about the capability maturity model. As we can see, we've got six different levels. This is used by the COBIT framework, which is developed by ISACA. At the zero level, that means you're basically a brand-new organization. You're not doing anything regarding metrics or measurement or performance improvement. So that's the starting place. At level 1, some efforts are being made to make the organization more mature. You're starting to identify those areas that can be measured, starting to think about how the measurement might take place and what you might do with this information. At level 2, the organization is at least able to repeat its processes. So it's able to do some functions on a repetitive basis. It could be something like registering a new customer. Subscribing someone to a new service, or processing an invoice; whatever the case might be. It's repeatable because there's a process in-place and a procedure in-place that's effectively working. At the third level, now we've got more defined processes and procedures and standards within the organization. More documentation has been produced. More people in the organization are aware of what's expected and there's an overall sense that the organization is more mature as a result. At level 4, now we're managing the different moving pieces at a more effective way. So we built some foundation and managers can now move things around and measure things as they see fit in order to continue to improve the performance of the company or the organization. At the fifth level, we're now optimizing. So everything is in-place, all the processes are in-place, everything's repeatable, it's well documented, but now we're looking for ways to improve just those little bits and pieces that can enhance our efficiency and productivity. So this is why the CMM is valuable as a way to rank maturity of an organization. We have to think about risk management. This is a broad topic which has a lot of applicability to different aspects of what an organization does. We know that there are strategic risks. There's tactical risks, and operational risks. Tactical and operational risks are sort of similar because they're both considered short-term, but we have different time frames for strategic risk. If we spend $1million on equipment today, how long will it take before we get some return on that investment? That would be more of a strategic risk. That could be a year from now, or two years from now. We also have to understand inherent risks. This means that there are some things that are risky no matter how well you protect it. So if you use a third-party to do some service or provide some function for your organization, there's inherent risk there, no matter how well that organization is managed, because you don't have full control over it. There's inherent risk. Or if you use off-the-shelf software versus developing your own software. There are risks in both of those areas. They are different types of risks, perhaps, but risks nonetheless. We have to remember that in most cases there's no way to completely remove risk. There is always some residual level of risk that remains. The goal in risk management then is to be able to identify the remaining level of risk to make sure that it's within your risk tolerance and that it's not outside that range. When risks are identified that are outside your risk tolerance, then you have to take some kind of action to re-mediate that. So there are a couple of simple formulas that can be used to calculate some of these factors. For instance, we can take the asset value, abbreviated as AV, multiply that by an exposure factor: known as EF, and this is a percentage, and that can give you what's known as a single loss expectancy. So let's say I've got a building that's worth $1million. My asset value would be $1million, the exposure factor for some kind of a threat, let's say the threat is fire. I might bring in a subject matter expert who says, 'Well, you've got sprinklers. You've got extinguishers. The building's made of this material.' and so on. They say, 'Well, if a fire happened, maybe half the building would be destroyed.' So my exposure factor would be 50% in that case. Therefore, my single loss expectancy would be $1million x 50% = $500,000. So a very simple example of a fire in a million-dollar building might destroy half now. It might take half a million dollars to repair that damage, from one event. We can also expand a little bit on this to say, 'My single loss expectancy can also be multiplied by the annual rate of occurrence.' Are you having more than one fire per year in your building? Probably a really bad thing if that's happening. But if my single loss expectancy was $500,000, and I expect to have a fire every ten years, then I would have to express the annual rate of occurrence as a fraction: 1/10. Therefore, my annual loss expectancy would be 500,000 x 1/10, which would be 50,000. So the annual loss expectancy is intended to understand how much money needs to be allocated over a given period of time. It could be multiple times within a single year, or multiple events within a five-year time span, a ten-year time span. In the case of a fire, hopefully that will be something that wouldn't happen very often at all, but maybe once every ten years would be a reasonable estimate based on different factors. So you probably should have an expectation of setting aside $50,000 a year during that ten-year period to be able to endure a $500,000 loss in a single event. Does that make sense? Okay. These are very simple algebra formulas. Nothing complicated here. Do be aware of these two formulas for the exam, because you will see questions relating to this. What about risk as it relates to personnel? Whenever you hire somebody, there is some risk. If you don't do a proper background check, for instance, you might discover, when it's too late, that that person's been arrested for fraud or for theft. Now they're already working for you and may represent a risk because of that. There could also be risks when you use contractors or you outsource people from another country. They might have different laws and regulations covering their employment. For instance, for European Union employees, they have very well defined regulations regarding moving people around, moving them from one country to another. You might be liable for employee benefits and relocation expenses if you fire somebody that lives in the EU. So, of course, your legal experts and HR personnel should be able to navigate these waters more carefully, but it's important to understand there is some risk involved. [/toggle_content]