Welcome back to Cybrary's ISSEP course. I'm your instructor, Brad Rhodes. Next on our journey through domain one of ISSEP is technical management. Got a lot to cover here.
In this video, we're gonna talk about planning, decisions, configuration management, information management, quality assurance and automation.
Let's get rolling.
So in planning, you need to memorize this diagram if you're studying for the ISSEP: the cost, scope of performance and time versus quality diagram.
This is a pretty straightforward thing to grasp.
If you wanna have more scope, it's gonna cost you more. It's gonna take more time. If you want it faster, it's gonna cost you a lot more and you're gonna have to do less. If you want something that's lower cost, it's gonna probably be less scope and take more time. So this is a balance triangle. And so if you want high quality stuff, right, you have to understand this, and you're going to see this cost, scope and time discussion throughout the domains of ISSEP because it's so very important. So memorize this chart.
Decisions. We make three kinds of decisions, or support three kinds of decisions, as ISSEs. One, we make people decisions.
What kind of things do people need from a requirements perspective? And then ultimately, how do we support the customers? We have to make recommendations on technology. Should we buy the latest greatest widget that's going to help secure our data and systems? Or should we not?
And then we also are very much involved in monetary decisions. Uh, in today's world of complex systems, these things cost a lot of money, and if we are not paying attention to the budget and just blow all the budget and the money, guess what? Then our organizations potentially go out of business. So what we're really talking about here is trade-offs. We have to make distinct and risk-based trades on what we do with people, technology and obviously dollars. And so we're gonna talk about trade-off studies much later in our discussions together. But I want you to know that we have to make these trade-offs and, as ISSEs, recommend those based on our experiences.
Configuration management. Oh, we have a whole section coming up on configuration management, but the bottom line that I want you to take away from this super complex chart is that if we do not manage systems, especially complex systems that include multiple pieces and parts, from a systems engineering perspective, a security systems engineering perspective, we're bound to create vulnerabilities and exploitable problems for our systems.
So configuration management, configuration control, change management, however you decide, determine, or however your organization terms it, it has to be a deliberative, well-thought-out process to ensure that our systems remain secure as you make changes, as we pull out technology, as we put new stuff in, as we change processes. All of that stuff is all fair game in the configuration management arena.
So information is what we're talking about here. ISSEP: it's the Information Systems Security Engineering Professional concentration. So obviously, information is a key part of what we do. There's the cybersecurity engineering aspect, but then there's also the information security engineering aspect. When it comes to people, do they have the right accesses to the stuff they need access to? Do we need to restrict them based on something like the zero trust architecture we've talked about previously?
Processes. Processes are incredibly important. If we don't have processes in place, then we do not have consistent execution across your organization. ISSEs are well used in terms of developing processes to help manage information systems.
Technology. We've already talked about technology briefly. Technology is a huge part of what we do as ISSEs. But it also is a huge part of where we have to say, maybe we don't need a technology solution. Maybe we can do that with a process solution or a people or HR solution.
So those non-technical solutions in information management are just as effective in many cases as are expensive technology solutions. And then the last thing, and I add this here: people, process, technology is pretty easy. We've all heard these terms before. Another one I like to talk about here is data and information. What is the data we're protecting? What is the information we're protecting? We as ISSEs need to understand that piece and part of our organization so that we can make recommendations on how best to handle that. It's getting much more complex these days when we talk about cloud-based systems.
Quality. Quality is something that ISSEs do a lot of. We look at both assurance and control. So assurance is, are we measuring the performance of a process or product correctly? So basically, we're assessing whether we're actually doing stuff correctly or right.
Quality control is actually looking at, do we have an actual program for doing quality management? And it has really nothing to do with assurance. Quality control is actually making sure the program works. Quality assurance is actually doing the program, so we do that quite often as ISSEs. So you need to remember the difference between those two terms.
Automation. Love automation. Love this picture here of the automated vacuum. So if you have pets, I've got a couple of pets. Pets are fun, but if a pet makes a mess on the floor, if you bought the low-end automated vacuum, it's not going to sense that there's something in the way of its path. It's just kind of gonna, you know, spread that whatever mess all over your living room, and that's probably not the best thing to do. So that comes down to the fact that when we do automation in information security, cybersecurity, right, we have to test it. We don't just stick it in operations and automate something and hope it works, right? We actually have to test it and integrate it properly, and we have to make sure it's well documented.
Why do we do automation? We do it because we want to reduce repetitive processes. Human beings are not great at repetitive processes. It's just the way it is, the way we're built, right? We're really good at seeing that thing that stands out, that's not necessarily repetitive. And so when we work through these things, what we wanna make sure that we do also with automation is the reporting piece, logging. We don't wanna put out an automated capability and not actually gather data back from it to see if it's actually performing correctly.
Boy, it would really stink if you were doing something with data and that automated process failed and you had no notification that it actually happened to fail. So you need to make sure that's built in throughout the course of development, especially if you're using automation systems.
So what did we cover in this lesson? A lot. We looked at planning, decisions, configuration management, information management, QA and automation. These are all areas from a technical management perspective that ISSEs do a lot of work in and need to have familiarity with, whether they sit for the ISSEP concentration or not.
We'll see you next time.