Alignment of Security Function MindMap (1 of 3) | CISSP Domain 1
Summary
TLDR: In this video, Rob Witcher from Destination Certification provides an in-depth review of major CISSP exam topics, focusing on aligning security functions with business goals. He emphasizes the importance of adopting a CEO mindset, understanding corporate and security governance, and differentiating between accountability and responsibility. The video covers essential concepts such as risk management, procurement security, and the significance of policies, standards, and guidelines. Rob also highlights the critical role of awareness, training, and education in security, and offers strategic advice to help candidates pass the CISSP exam confidently.
Takeaways
- The script is a guide for passing the CISSP exam, focusing on the alignment of security functions to business goals and objectives.
- The presenter, Rob Witcher, emphasizes the importance of having the right mindset for the exam, thinking like a CEO rather than getting too technical.
- Corporate governance is defined as the system of rules, practices, and processes that direct and control an organization to achieve its goals.
- Security governance is a subset of corporate governance, focusing on aligning security practices with the organization's overall goals to enable business success.
- Understanding the difference between accountability and responsibility is crucial; accountability cannot be delegated, while responsibility can.
- Export control laws like ITAR and EAR restrict the export of certain cryptographic systems, emphasizing the importance of due diligence in security.
- Policies, standards, procedures, and baselines are essential components of a security program, with each serving a specific purpose in directing behavior and setting security measures.
- Transborder data flow laws, also known as data residency or data localization laws, are becoming increasingly important in the regulation of data movement across borders.
- Ethics are integral to security programs, with the ISC² Code of Ethics being a key reference point for CISSP candidates and professionals.
- Procurement security involves integrating security requirements from the beginning of the procurement process, ensuring that service providers understand and meet these requirements.
- Awareness, training, and education are vital for ensuring that everyone in an organization understands their security responsibilities and how to fulfill them.
Q & A
What is the main purpose of the video series presented by Rob Witcher?
-The main purpose of the video series is to help viewers review key topics and pass the CISSP exam, with a focus on aligning security functions with business goals and objectives.
What is the critical mindset advice given by Rob for studying for and taking the CISSP exam?
-The critical mindset advice is to think like a CEO, focusing on management-level considerations rather than getting too technical, as the CISSP is a management-level certification.
What does corporate governance entail according to the script?
-Corporate governance is the system of rules, practices, and processes by which an organization is directed and controlled to achieve its goals and objectives, typically focused on increasing the value of the organization.
How is security governance defined in the context of the script?
-Security governance is the system of rules, practices, and processes by which the security function is directed and controlled, ensuring it is aligned with the overall organizational goals and objectives.
Why is it important for security professionals to view their role as enablers rather than just a cost center?
-It is important because security professionals should help the business achieve its goals and objectives, mitigating risks in a way that allows the organization to move forward rather than simply blocking actions due to risk.
What is the difference between accountability and responsibility in the context of security governance?
-Accountability is the ownership and ultimate answerability for something, and it cannot be delegated. Responsibility, on the other hand, is the duty to act based on the direction of those who are accountable, and it can be delegated.
What are the two major export laws mentioned in the script, and what do they restrict?
-The two major export laws mentioned are ITAR (International Traffic in Arms Regulations) and EAR (Export Administration Regulations). They restrict the manufacturing, sales, and distribution of specific technologies, products, software, and services, including certain cryptographic systems.
What is the purpose of transborder data flow laws, also known as data residency or data localization laws?
-Transborder data flow laws are focused on restricting or preventing the flow of data across physical borders, often requiring that personal data collected from citizens be stored within the country where the citizens reside.
Why is it important for organizations to codify their ethics in a policy?
-It is important to have consistent ethics across all employees, and codifying ethics in a policy ensures that everyone is aware of the expected behavior and standards, which can help maintain a positive and ethical organizational culture.
What are the four principles of the ISC² Code of Ethics that candidates for CISSP certification are expected to memorize?
-The four principles are: 1) Protect society, the common good, necessary public trust and confidence, and the infrastructure. 2) Act honorably, honestly, justly, responsibly, and legally. 3) Provide diligent and competent service to principals. 4) Advance and protect the profession.
How do policies, standards, procedures, and guidelines differ in the context of an organization's security framework?
-Policies are corporate laws that direct behavior within an organization, stating what must be done. Standards define specific mandatory hardware and software mechanisms. Procedures are step-by-step mandatory actions. Guidelines are recommended actions, not mandatory, and are useful for suggesting best practices that are not yet fully implemented.
What is the role of procurement security in the context of the script?
-Procurement security must be involved from the start of the procurement process to understand and validate the business requirements for what is being procured. It ensures that security requirements are defined and evaluated in the procurement process and translated into a legally binding SLA (Service Level Agreement) with the service provider.
What is the difference between awareness, training, and education as discussed in the script?
-Awareness is an informal process of communication aimed at changing cultural sensitivity to a topic or issue. Training is semi-formal and provides specific skills necessary to perform a security-related task. Education involves teaching fundamental concepts to enhance understanding and professional capability.
Outlines
Introduction to CISSP Exam Preparation
Rob Witcher introduces himself and the purpose of the video series, which is to help viewers prepare for the CISSP (Certified Information Systems Security Professional) exam. He emphasizes the importance of aligning security functions with business goals and objectives, and stresses the need for a management-level mindset rather than a technical one. The video series includes a set of mindmap videos covering key topics for the exam. Rob also mentions the importance of understanding the difference between accountability and responsibility in a security context, and provides a brief introduction to corporate governance and security governance.
Understanding Security Governance and Compliance
This paragraph delves into the specifics of security governance, the importance of aligning security with organizational goals, and the distinction between accountability and responsibility. It explains that while responsibility can be delegated, accountability cannot. The paragraph also touches on the historical context of export control laws, such as ITAR and EAR, and the Wassenaar Arrangement, which are relevant to the field of cryptography. Additionally, it covers the basics of transborder data flow laws, privacy considerations, and the significance of ethics in security, specifically referencing the ISC² Code of Ethics.
The Framework of Security Policies and Procedures
The third paragraph outlines the structure of security policies, standards, procedures, baselines, and guidelines within an organization. It explains the role of policies as corporate laws that dictate mandatory actions, while standards define specific technical requirements. Procedures provide step-by-step instructions for implementing security measures, and baselines set minimum security configurations. Guidelines, on the other hand, are recommendations rather than mandatory actions. The paragraph also discusses the importance of risk management in security governance and the involvement of security in the procurement process to ensure service level requirements and agreements align with security needs.
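The must/should distinction in the outline above (baselines and standards are mandatory, guidelines are recommended) can be expressed as a machine-checkable baseline. This is an added example, not material from the video or from Destination Certification; the control IDs, patch identifiers and the sample host configuration are constructed placeholders.

```python
"""Policy hierarchy as code: mandatory baseline/standard items versus
recommended guideline items, evaluated against a host's reported config.

A host fails compliance only on mandatory ("must") items; unmet guideline
("should") items are returned as advisories. Control IDs, patch identifiers
and sample configurations below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Any, Callable


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    mandatory: bool  # True: baseline/standard item (must); False: guideline (should)
    check: Callable[[dict[str, Any]], bool]


# Placeholder patch identifiers (constructed, not real KB numbers).
REQUIRED_PATCHES = {"KB-EXAMPLE-1", "KB-EXAMPLE-2"}

# Constructed baseline for a Windows laptop, mirroring the video's examples:
# host-based firewall on, required patches present, the standard anti-malware
# product installed, and MFA for admin access as a guideline (not yet mandatory).
WINDOWS_LAPTOP_BASELINE = (
    Control("FW-01", "Host-based firewall enabled", True,
            lambda cfg: cfg["firewall_enabled"] is True),
    Control("AV-01", "Standard anti-malware product installed", True,
            lambda cfg: cfg["antimalware"] == "Norton Antivirus"),
    Control("PATCH-01", "Required patches installed", True,
            lambda cfg: REQUIRED_PATCHES <= set(cfg["patches"])),
    Control("MFA-01", "MFA enforced for administrative accounts", False,
            lambda cfg: cfg["admin_mfa"] is True),
)


@dataclass
class ComplianceResult:
    compliant: bool
    failed_mandatory: list[str] = field(default_factory=list)
    advisories: list[str] = field(default_factory=list)


def evaluate(config: dict[str, Any],
             controls=WINDOWS_LAPTOP_BASELINE) -> ComplianceResult:
    """Evaluate one host configuration against the baseline.

    A check that cannot be evaluated (the host did not report the setting,
    or reported it in an unexpected shape) is treated as failed, so missing
    evidence never counts as compliance (fail closed).
    """
    result = ComplianceResult(compliant=True)
    for control in controls:
        try:
            passed = bool(control.check(config))
        except (KeyError, TypeError):
            passed = False
        if passed:
            continue
        if control.mandatory:
            result.failed_mandatory.append(control.control_id)
            result.compliant = False
        else:
            result.advisories.append(control.control_id)
    return result


def report(result: ComplianceResult) -> str:
    """Render the result as the lines a build procedure would log."""
    status = "COMPLIANT" if result.compliant else "NON-COMPLIANT"
    lines = [f"status: {status}"]
    lines += [f"MUST failed: {cid}" for cid in result.failed_mandatory]
    lines += [f"SHOULD not met: {cid}" for cid in result.advisories]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample host: locked down, but admin MFA not yet in place.
    sample_host = {
        "firewall_enabled": True,
        "antimalware": "Norton Antivirus",
        "patches": ["KB-EXAMPLE-1", "KB-EXAMPLE-2", "KB-EXAMPLE-3"],
        "admin_mfa": False,
    }
    print(report(evaluate(sample_host)))
```

Promoting a guideline to a baseline item is then a one-flag change (`mandatory=True`), which is exactly the moment the video describes: once every system supports the control.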
Security Training and the CEO Mindset for Exam Success
The final paragraph focuses on the importance of security training and education for employees, distinguishing between awareness, training, and education. It stresses the need for a CEO mindset when approaching the CISSP exam, as it is a management-level certification. Rob provides advice on how to study and take the exam with a strategic mindset, rather than a technical one, and encourages viewers to watch a free video on adopting this mindset to increase their chances of passing the exam. He concludes by wishing viewers success in their studies.
Mindmap
Keywords
Corporate Governance
Security Governance
Accountability
Responsibility
Due Diligence
Due Care
ITAR (International Traffic in Arms Regulations)
EAR (Export Administration Regulations)
Wassenaar Arrangement
Transborder Data Flow Laws
ISC² Code of Ethics
Policies
Standards
Procedures
Baselines
Guidelines
Risk Management
Service Level Agreement (SLA)
Awareness Training
Education
Highlights
Rob Witcher from Destination Certification is here to help you pass the CISSP exam.
The mind map series helps review key topics needed to confidently pass the CISSP exam.
The CISSP is a management-level certification; think like a CEO, not technically.
Corporate governance involves rules, practices, and processes to achieve organizational goals and objectives.
Security governance aligns the security function with business goals to enable the organization.
Security professionals should help businesses mitigate risks rather than just saying no.
Accountability cannot be delegated; responsibility can be delegated to others.
Due diligence and due care are important concepts in security governance.
Understanding import/export laws like ITAR and EAR is crucial for security professionals.
Transborder data flow laws restrict the flow of data across physical borders.
ISC² Code of Ethics is critical for the CISSP exam and includes protecting society, acting honorably, providing diligent service, and advancing the profession.
Policies are corporate laws directing behavior within an organization.
Good policies are simple and easy to read, defining mandatory actions and configurations.
Risk management helps determine how to protect organizational assets with limited resources.
Everyone is responsible for security, and awareness training and education are vital.
Training and education provide specific skills and fundamental concepts for security professionals.
Thinking like a CEO is the most important advice for passing the CISSP exam.
Destination Certification offers a 'Think like a CEO' video to help with the CISSP exam.
Transcripts
Hey, I'm Rob Witcher from Destination Certification and I'm here to help you pass the CISSP exam. We're going to go through a review of the major topics related to the alignment of the security function to business goals and objectives. This is the first video in our complete set of mindmap videos. This mind map series is meant to help you review the key topics you need to know to confidently pass the CISSP exam. There are two other mindmap videos for Domain 1 and a total of 30 of these mindmap videos. I've included links to all the other mindmap videos in the description below.

Before I launch into this first mind map I'd like to give you a critical bit of advice that will make it massively easier for you to study for and confidently pass the CISSP exam: you need to have the right mindset in your studies and especially on the exam. CISSP is a management-level certification, so you need to be really careful not to think too technically. You need to think like a CEO. I'll explain this critical mindset more at the end of this video.

All right, so starting high level and thinking like a CEO would, let's launch into this first mind map and define corporate governance. Corporate governance is the system of rules, practices, and processes by which an organization is directed and controlled to achieve its goals and objectives, which are typically focused on increasing the value of the organization. So fundamentally corporate governance is about ensuring an organization has clear goals and objectives and everyone in the company is aligned towards achieving those goals and objectives.

Security governance then is the system of rules, practices, and processes by which the security function is directed and controlled. A crucial part of security governance is aligning the security function to the overall organizational goals and objectives so that security can help the business achieve its goals and objectives, so that security is an enabler for the business. This is something crucial that we always need to keep in mind as security professionals: our job is to help the business achieve its goals and objectives, to be an enabler for the business. We don't want to be the shop of no. We shouldn't always be telling the business "no, you can't do that, it's too risky." We should ideally be saying something more like "here's the risk, and here's how we can help you mitigate those risks so that the organization can achieve its goals and objectives." So now you know the focus of security: to help the organization achieve its goals and objectives, to be an enabler to the business, to help increase the value of the organization and not just be a cost center.

A critical part of governance is having clearly defined roles and responsibilities so people know exactly what they're supposed to be doing, what they're accountable for and what they're responsible for. Let's spend a few minutes here on these terms, accountability and responsibility. These are terms often used interchangeably, but there is actually a massive difference between them that is very important to understand from a security perspective. Let's start by defining accountability. Accountability means the ownership of something. Accountability means the ultimate answerability, blameworthiness and liability. Put simply, accountability is where the buck stops, the throat that gets choked if something goes wrong. And really crucially, accountability can never ever be delegated. The owner of an asset is accountable for the security of their asset and they can never delegate that accountability to a subordinate, contractor or service provider or anyone else. They can't delegate their accountability to anyone.

What can be delegated is responsibility. The responsible party will implement and enforce controls based on the direction of those that are accountable. A perfect example is a public cloud service provider. The CSP will be responsible for storing, processing and securing a customer's data, but ultimately the customer remains accountable for the security of their data. The customer cannot outsource the accountability for protecting their data, but they can delegate the responsibility. The concept of accountability versus responsibility is going to come up again and again and again; it's crucial to understand the difference.

Due care is the responsible protection of assets based on the goals and objectives of the organization. Due diligence is the demonstrated ability to prove due care to stakeholders: upper management, regulators, customers, shareholders, etc.

There's an interesting bit of security history related to import/export controls. I'm wildly oversimplifying here, but essentially during the 1970s and 80s some amazing advancements were happening in cryptography. Super secure new algorithms like DES were being created, and whole new amazing techniques like asymmetric cryptography were invented. These new algorithms and techniques essentially allowed data to be encrypted such that no one in the world could decrypt it, including organizations like the NSA who wanted to be able to decrypt and read anyone's data. I need to stop picking on the NSA here; they might be listening. So laws were put in place to restrict the export of certain cryptographic algorithms and systems to make sure that they didn't get in the hands of the Soviets. These are serious laws and violations could see you thrown in federal prison. So that's the history of it.

The two major export laws you need to know about are ITAR and EAR. They both restrict the manufacturing, sales and distribution of specific technologies, products, software and services. These laws restrict the export of certain cryptographic systems. ITAR, the International Traffic in Arms Regulations, focuses on the export of defense articles, things like missiles and satellites, technical data and defense services. The keyword there related to ITAR is that it focuses on defense-related items. EAR, the Export Administration Regulations, regulates dual-use items not covered by ITAR but also still applies to some defense-related items. The Wassenaar Arrangement is very different from ITAR and EAR. Importantly, the Wassenaar Arrangement is voluntary, not a strict law, and it's also a multinational agreement between 42 signing members, 42 countries. The Wassenaar Arrangement is a voluntary export control regime where signatories exchange information on transfers of conventional weapons and dual-use goods and technologies.

Now another type of law that is very relevant today: transborder data flow laws, also commonly referred to as data residency laws or data localization laws. These laws are focused on restricting or preventing the flow of data across physical borders. For example, many countries require that the personal data collected from their citizens be stored on systems within their country. Privacy is not a massive topic on the CISSP exam, but it is large enough to warrant its own mindmap, so for now I'll simply say you cannot achieve privacy without security, and we'll talk more about privacy in the next mindmap video.

Ethics are very important to address as part of your security program. Organizations want their employees to act ethically and consistently. The challenge is that each of us has very different ethical values, so for an organization to have consistent ethics across all their employees they must codify their ethics: write them down in a policy. Policies are essentially corporate laws; we'll talk about that more in a moment. What are ethics based on? A good answer is that ethics are based on doing nothing that is harmful to anyone else.

Now this part is critical to memorize for the exam: the ISC² Code of Ethics. ISC² takes this very seriously. It is a requirement of you becoming a CISSP that you agree to abide by this code of ethics. ISC² wants to make sure that you know this code of ethics and how to interpret them, so you're going to see at least a question or two about these on the CISSP exam. I'm going to read them out here. Memorize the wording and the order; they are meant to be acted upon in order. Number one: protect society, the common good, necessary public trust and confidence, and the infrastructure. Number two: act honorably, honestly, justly, responsibly and legally. Number three: provide diligent and competent service to principals. Number four: advance and protect the profession.

Let's now get into an important discussion of policies. As I mentioned earlier, policies are essentially corporate laws. Policies are how we direct behavior within an organization. Policies tell people what they must do. The overarching security policy defines an organization's overall approach to security. The overarching security policy is provided and supported by the board of directors and senior management. The policy defines the goals and objectives for the security function and ensures security is aligned with the overall business goals and objectives. Functional security policies, on the other hand, are more detailed policies that address specific security requirements and practices such as access control, encryption, incident response, data backups, etc. An organization will have a functional policy for each of these and many more. Good policies are simple, easy-to-read documents that state simple rules such as "every laptop must have malware protection." Policies are corporate laws; policies tell people what they must do.

Standards define specific mandatory hardware and software mechanisms. For example, an organization standard might be that Norton Antivirus is the required anti-malware solution for all Windows laptops.

Procedures are step-by-step mandatory actions. For example, an organization could have a procedure for how to install Norton Antivirus on Windows laptops. The exact steps must be followed to correctly install and configure the anti-malware software. Procedures are essentially a step-by-step set of instructions, actions for how to do something.

Baselines are minimum levels of security and define mandatory configurations for security mechanisms and products. For example, an organization could have a configuration baseline for Windows laptops. The configuration baseline is essentially a checklist of all the things that need to be done to correctly configure and lock down a laptop before it starts being used. For example, the configuration baseline would require that at a minimum the host-based firewall be enabled, certain patches be installed, and the Norton Antivirus be installed and configured correctly. By the way, I keep mentioning Norton here in the hopes of getting sponsored, so if you're listening... all right.

Guidelines are recommended actions. Recommended; listen carefully here: guidelines are not mandatory. They're what someone should do, not what someone must do. Guidelines are useful when an organization knows they should be doing something but they haven't fully implemented it yet. So for example, the organization might want to have multi-factor authentication for all administrative accounts, but if there are systems that don't support that yet, the organization is setting itself up for failure if they create a mandatory requirement for multi-factor authentication for admin access to all systems. Instead the organization can create a guideline: it would be good to have MFA for admin access to all systems, but it's not a requirement yet.

Risk management is a super important topic. Risk management is a critically important tool that we use as security professionals to help us figure out how to best protect the assets of the organization with the limited resources that we have. There's a mind map dedicated to risk management, and I'm mentioning it here as risk management is a critical part of security governance.

Procurement: security must be involved in the procurement process right from the start of the process. This starts with understanding and validating the business requirements for whatever is being procured. If it's a service being procured, then the security requirements are defined in the SLR, the service level requirements document. The requirements documented in the SLR will be used in the procurement process to evaluate how well each service meets the security requirements. Once a particular service provider is selected, then the requirements listed in the SLR will be translated to a new document, the SLA, the service level agreement. The SLA is an addendum to the legally binding contract, making the SLA legally binding as well. The SLA describes the services to be provided, the service targets, specific responsibilities, etc. Practically, the SLA is used to clearly communicate requirements to a service provider, to say "hey, service provider, I need you to make sure you're doing this, that and the other thing." Going back to what I mentioned earlier, accountability can never be outsourced but responsibilities can, so the SLA is a crucial document that the owner of an asset uses to make sure the service provider clearly understands their responsibilities.

Who is responsible for security? The answer: everyone. This is absolutely true; everyone is responsible for security, but it's not good enough to just say "hey, everyone's responsible for security." Everyone needs to know what specifically they're responsible for from a security perspective and how they're supposed to do whatever it is they're responsible for, and that's why we have the last little piece to talk about here: awareness, training and education. I'm going to give you succinct definitions of each. Awareness is an informal process of communication, such as emails, posters, etc., with the goal of changing cultural sensitivity to a given topic or issue. For example, making employees aware of this thing called phishing and that they should be careful of what links they click on in emails; that's a good example of awareness. Training is semi-formal and provides specific skills necessary to perform something related to security. For example, if a company buys a bunch of Cisco firewalls, then some employees are going to need to be trained on how to deploy and manage Cisco firewalls. This is training: specific skills. Finally, education is about teaching fundamental concepts. Our CISSP master class is a perfect example of education: we teach folks the fundamental concepts of security so they can be better security professionals and pass the CISSP exam.

All right, that is an overview of security governance within Domain 1, covering the most critical concepts you need to know for the exam. As an added bonus in this first mindmap video I want to share with you the most important advice I can give you for passing the CISSP exam: you need to approach your studies, and especially the exam, with the right mindset. As I said, the CISSP is a management-level certification. If you answer the questions on the exam with a technical mindset you will very likely fail, unfortunately. So how should you approach your studies and, most importantly, the exam? By thinking like a CEO. I made a video on this mindset of thinking like a CEO which you can watch for free by clicking on the link in the description below. I would highly recommend that you take a few minutes to watch the video. We've trained and guided thousands of people just like yourself to confidently pass the CISSP exam over the last 20-plus years, and we've received hundreds of emails over the years from our students saying things like "thinking like a CEO worked; it was the single biggest factor that helped me pass the exam." So that's why I'm sharing this with you: I know it works and it will help you pass the CISSP exam. So check out our free "Think like a CEO" video; the link is in the description below. All the best in your studies.