Alignment of Security Function MindMap (1 of 3) | CISSP Domain 1

Destination Certification
8 Oct 2023 · 16:59

Summary

TL;DR: In this video, Rob Witcher from Destination Certification reviews the major CISSP Domain 1 topics on aligning the security function with business goals and objectives. He emphasizes adopting a CEO mindset, understanding corporate and security governance, and distinguishing accountability (which cannot be delegated) from responsibility (which can). The video covers due care and due diligence, export control laws (ITAR, EAR, the Wassenaar Arrangement), transborder data flow laws, the ISC² Code of Ethics, the policy hierarchy (policies, standards, procedures, baselines, guidelines), risk management, procurement security, and the difference between awareness, training, and education, and closes with strategic advice for passing the exam.

Takeaways

  • The script is a guide for passing the CISSP exam, focusing on the alignment of security functions to business goals and objectives.
  • The presenter, Rob Witcher, emphasizes the importance of having the right mindset for the exam: think like a CEO rather than getting too technical, because the CISSP is a management-level certification.
  • Corporate governance is defined as the system of rules, practices, and processes that direct and control an organization to achieve its goals.
  • Security governance is a subset of corporate governance, focusing on aligning security practices with the organization's overall goals so that security enables business success rather than acting as a cost center or "the shop of no".
  • Understanding the difference between accountability and responsibility is crucial: accountability cannot be delegated, while responsibility can. A cloud customer can delegate responsibility for securing its data to the provider but remains accountable for it.
  • Due care is the responsible protection of assets in line with organizational goals; due diligence is the demonstrated ability to prove that due care to stakeholders.
  • Export control laws such as ITAR and EAR restrict the export of certain cryptographic systems, and violations are criminal offences; the Wassenaar Arrangement is a voluntary multinational regime, not a law.
  • Policies, standards, procedures, baselines, and guidelines are the components of a security program, each serving a specific purpose in directing behavior and setting security measures; only guidelines are non-mandatory.
  • Transborder data flow laws, also known as data residency or data localization laws, are increasingly important in regulating the movement of data across borders.
  • Ethics are integral to security programs, with the ISC² Code of Ethics being a key reference point for CISSP candidates and professionals.
  • Procurement security involves integrating security requirements from the beginning of the procurement process and translating them into a legally binding SLA so that service providers understand and meet those requirements.
  • Awareness, training, and education are vital for ensuring that everyone in an organization understands their security responsibilities and how to fulfill them.

Q & A

  • What is the main purpose of the video series presented by Rob Witcher?

    -The main purpose of the video series is to help viewers review key topics and pass the CISSP exam, with a focus on aligning security functions with business goals and objectives.

  • What is the critical mindset advice given by Rob for studying for and taking the CISSP exam?

    -The critical mindset advice is to think like a CEO, focusing on management-level considerations rather than getting too technical, as the CISSP is a management-level certification.

  • What does corporate governance entail according to the script?

    -Corporate governance is the system of rules, practices, and processes by which an organization is directed and controlled to achieve its goals and objectives, typically focused on increasing the value of the organization.

  • How is security governance defined in the context of the script?

    -Security governance is the system of rules, practices, and processes by which the security function is directed and controlled, ensuring it is aligned with the overall organizational goals and objectives.

  • Why is it important for security professionals to view their role as enablers rather than just a cost center?

    -It is important because security professionals should help the business achieve its goals and objectives, mitigating risks in a way that allows the organization to move forward rather than simply blocking actions due to risk.

  • What is the difference between accountability and responsibility in the context of security governance?

    -Accountability is the ownership and ultimate answerability for something, and it cannot be delegated. Responsibility, on the other hand, is the duty to act based on the direction of those who are accountable, and it can be delegated.

  • What are the two major export laws mentioned in the script, and what do they restrict?

    -The two major export laws mentioned are ITAR (International Traffic in Arms Regulations) and EAR (Export Administration Regulations). They restrict the manufacturing, sales, and distribution of specific technologies, products, software, and services, including certain cryptographic systems.

  • What is the purpose of transborder data flow laws, also known as data residency or data localization laws?

    -Transborder data flow laws are focused on restricting or preventing the flow of data across physical borders, often requiring that personal data collected from citizens be stored within the country where the citizens reside.

  • Why is it important for organizations to codify their ethics in a policy?

    -It is important to have consistent ethics across all employees, and codifying ethics in a policy ensures that everyone is aware of the expected behavior and standards, which can help maintain a positive and ethical organizational culture.

  • What are the four principles of the ISC² Code of Ethics that candidates for CISSP certification are expected to memorize?

    -The four principles are: 1) Protect society, the common good, necessary public trust and confidence, and the infrastructure. 2) Act honorably, honestly, justly, responsibly, and legally. 3) Provide diligent and competent service to principals. 4) Advance and protect the profession.

  • How do policies, standards, procedures, and guidelines differ in the context of an organization's security framework?

    -Policies are corporate laws that direct behavior within an organization, stating what must be done. Standards define specific mandatory hardware and software mechanisms. Procedures are step-by-step mandatory actions. Guidelines are recommended actions, not mandatory, and are useful for suggesting best practices that are not yet fully implemented.

  • What is the role of procurement security in the context of the script?

    -Procurement security must be involved from the start of the procurement process to understand and validate the business requirements for what is being procured. It ensures that security requirements are defined and evaluated in the procurement process and translated into a legally binding SLA (Service Level Agreement) with the service provider.

  • What is the difference between awareness, training, and education as discussed in the script?

    -Awareness is an informal process of communication aimed at changing cultural sensitivity to a topic or issue. Training is semi-formal and provides specific skills necessary to perform a security-related task. Education involves teaching fundamental concepts to enhance understanding and professional capability.

Outlines

00:00

Introduction to CISSP Exam Preparation

Rob Witcher introduces himself and the purpose of the video series, which is to help viewers prepare for the CISSP (Certified Information Systems Security Professional) exam. He emphasizes the importance of aligning security functions with business goals and objectives, and stresses the need for a management-level mindset rather than a technical one. The video series includes a set of mindmap videos covering key topics for the exam. Rob also mentions the importance of understanding the difference between accountability and responsibility in a security context, and provides a brief introduction to corporate governance and security governance.

05:02

Understanding Security Governance and Compliance

This paragraph delves into the specifics of security governance, the importance of aligning security with organizational goals, and the distinction between accountability and responsibility. It explains that while responsibility can be delegated, accountability cannot. The paragraph also touches on the historical context of export control laws, such as ITAR and EAR, and the Wassenaar Arrangement, which are relevant to the field of cryptography. Additionally, it covers the basics of transborder data flow laws, privacy considerations, and the significance of ethics in security, specifically referencing the ISC² Code of Ethics.

10:02

The Framework of Security Policies and Procedures

The third paragraph outlines the structure of security policies, standards, procedures, baselines, and guidelines within an organization. It explains the role of policies as corporate laws that dictate mandatory actions, while standards define specific technical requirements. Procedures provide step-by-step instructions for implementing security measures, and baselines set minimum security configurations. Guidelines, on the other hand, are recommendations rather than mandatory actions. The paragraph also discusses the importance of risk management in security governance and the involvement of security in the procurement process to ensure service level requirements and agreements align with security needs.

15:04

πŸ› οΈ Security Training and the CEO Mindset for Exam Success

The final paragraph focuses on the importance of security training and education for employees, distinguishing between awareness, training, and education. It stresses the need for a CEO mindset when approaching the CISSP exam, as it is a management-level certification. Rob provides advice on how to study and take the exam with a strategic mindset, rather than a technical one, and encourages viewers to watch a free video on adopting this mindset to increase their chances of passing the exam. He concludes by wishing viewers success in their studies.

Mindmap

Keywords

Corporate Governance

Corporate governance is the system of rules, practices, and processes by which an organization is directed and controlled to achieve its goals and objectives. In the video, it is defined as ensuring that the organization has clear goals and objectives and that everyone in the company is aligned towards achieving those goals. This concept is fundamental as it establishes the overall framework within which security governance operates.

Security Governance

Security governance is the system of rules, practices, and processes by which the security function is directed and controlled. The video emphasizes the importance of aligning the security function with the overall organizational goals and objectives, making security an enabler for the business. This ensures that security supports business goals rather than just being a cost center.

Accountability

Accountability means the ownership of something, entailing ultimate answerability, blameworthiness, and liability. In the video, it is stressed that accountability cannot be delegated; the owner of an asset is always accountable for its security. This concept is crucial for understanding roles within security governance, as it delineates who is ultimately responsible for security outcomes.

Responsibility

Responsibility refers to the tasks and duties that can be delegated to others to implement and enforce controls based on the direction of those who are accountable. The video differentiates responsibility from accountability by explaining that while accountability cannot be delegated, responsibility can be. For instance, a cloud service provider may be responsible for securing data, but the customer remains accountable for its security.

Due Diligence

Due diligence is the demonstrated ability to prove due care to stakeholders, such as upper management, regulators, customers, and shareholders. In the video it is defined in terms of due care: due care is doing the responsible thing to protect assets, and due diligence is being able to show evidence that this was done. It is crucial for regulatory compliance and for building trust with stakeholders.

Due Care

Due care refers to the responsible protection of assets based on the goals and objectives of the organization. In the video, due care is described as the practical implementation of security measures to ensure asset protection. It involves taking the necessary steps to prevent harm or loss, in line with the organization's governance and policies.

ITAR (International Traffic in Arms Regulations)

ITAR regulates the export of defense-related articles, technical data, and services. The video mentions ITAR in the context of historical laws that restrict the export of cryptographic systems to prevent them from reaching adversaries. It highlights the importance of understanding export control laws in the context of security governance.

EAR (Export Administration Regulations)

EAR regulates dual-use items (items with both civilian and military applications) that are not covered by ITAR, and also still applies to some defense-related items. The video discusses EAR alongside ITAR, emphasizing the need for security professionals to be aware of these regulations to ensure compliance when dealing with cryptographic systems and technologies.

Wassenaar Arrangement

The Wassenaar Arrangement is a voluntary export control regime in which the 42 participating states exchange information on transfers of conventional weapons and dual-use goods and technologies. The video contrasts it with ITAR and EAR, explaining that it is not a strict law but a multinational agreement, highlighting the global aspect of security governance.

Transborder Data Flow Laws

These laws, also known as data residency or data localization laws, restrict or prevent the flow of data across physical borders. The video mentions these laws to illustrate the importance of understanding legal requirements for data storage and transfer, which is crucial for ensuring compliance and protecting privacy.

ISC² Code of Ethics

The ISC² Code of Ethics consists of four principles, to be applied in order: protect society, act honorably, provide diligent service, and advance the profession. The video emphasizes the importance of adhering to this code for CISSP certification, highlighting its role in guiding ethical behavior and decision-making in security governance.

Policies

Policies are corporate laws that direct behavior within an organization by defining what must be done. The video explains that policies provide the overarching guidelines for security, supported by the board of directors and senior management, to ensure alignment with business goals.

Standards

Standards define specific mandatory hardware and software mechanisms. In the video, an example is given of an organization's standard requiring Norton Antivirus for all Windows laptops. Standards ensure consistency and compliance with security policies.

Procedures

Procedures are step-by-step mandatory actions for specific tasks. The video describes procedures as detailed instructions, such as how to install and configure antivirus software. Procedures ensure that security tasks are performed correctly and consistently.

Baselines

Baselines are minimum levels of security that define mandatory configurations for security mechanisms. The video mentions configuration baselines for laptops, which serve as checklists to ensure devices are securely configured before use. Baselines help maintain a consistent security posture.

Guidelines

Guidelines are recommended actions that are not mandatory. The video highlights that guidelines suggest best practices, such as implementing multi-factor authentication, without requiring immediate compliance. They provide flexibility while encouraging improved security measures.

Risk Management

Risk management is the process of identifying, assessing, and prioritizing risks to allocate resources effectively for asset protection. The video underscores its importance as a critical part of security governance, helping organizations make informed decisions to mitigate risks.

Service Level Agreement (SLA)

An SLA is a legally binding document that defines the services and responsibilities of a service provider. The video explains that SLAs ensure that service providers understand their security responsibilities, which can be delegated, while accountability remains with the asset owner.

Awareness Training

Awareness training involves informal communication to increase cultural sensitivity to security issues. The video gives the example of phishing awareness to educate employees about the risks of clicking on suspicious links. Awareness training is essential for fostering a security-conscious culture.

Education

Education involves teaching fundamental concepts to enhance security knowledge. The video mentions the CISSP master class as an example, which provides foundational security education to help professionals pass the CISSP exam and improve their security expertise.

Highlights

Rob Witcher from Destination Certification is here to help you pass the CISSP exam.

The mind map series helps review key topics needed to confidently pass the CISSP exam.

The CISSP is a management-level certification; think like a CEO, not technically.

Corporate governance involves rules, practices, and processes to achieve organizational goals and objectives.

Security governance aligns the security function with business goals to enable the organization.

Security professionals should help businesses mitigate risks rather than just saying no.

Accountability cannot be delegated; responsibility can be delegated to others.

Due diligence and due care are important concepts in security governance.

Understanding export control laws like ITAR and EAR is crucial for security professionals.

Transborder data flow laws restrict the flow of data across physical borders.

The ISC² Code of Ethics is critical for the CISSP exam and includes protecting society, acting honorably, providing diligent service, and advancing the profession.

Policies are corporate laws directing behavior within an organization.

Good policies are simple and easy to read, defining mandatory actions and configurations.

Risk management helps determine how to protect organizational assets with limited resources.

Everyone is responsible for security, and awareness training and education are vital.

Training and education provide specific skills and fundamental concepts for security professionals.

Thinking like a CEO is the most important advice for passing the CISSP exam.

Destination Certification offers a 'Think like a CEO' video to help with the CISSP exam.

Transcripts

play00:00

hey I'm Rob Witcher from destination

play00:02

certification and I'm here to help you

play00:04

pass the CISSP exam we're going to go

play00:06

through a review of the major topics

play00:08

related to the alignment of the security

play00:10

function to business goals and

play00:12

objectives this is the first video in

play00:14

our complete set of mindmap videos this

play00:16

mind map series is meant to help you

play00:18

review the key topics you need to know

play00:20

to confidently pass the CISSP exam there

play00:23

are two other mindmap videos for domain

play00:25

one and a total of 30 of these mindmap

play00:28

videos I've included links to all the

play00:30

other mindmap videos in the description

play00:34

[Music]

play00:42

below before I launch into this first

play00:44

mind map I'd like to give you a critical

play00:46

bit of advice that will make it

play00:48

massively easier for you to study for

play00:50

and confidently pass the CISSP exam you

play00:53

need to have the right mindset in your

play00:55

studies and especially on the exam CISSP

play00:59

is a management level certification so

play01:02

you need to be really careful not to

play01:04

think too technically you need to think

play01:07

like a CEO I'll explain this critical

play01:09

mindset more at the end of this video

play01:12

all right so starting high level and

play01:14

thinking like a CEO would let's launch

play01:16

into this first mind map and Define

play01:18

corporate governance corporate

play01:20

governance is the system of rules

play01:22

practices and processes by which an

play01:25

organization is directed and controlled

play01:27

to achieve its goals and objectives that

play01:30

are typically focused on increasing the

play01:32

value of the organization so

play01:34

fundamentally corporate governance is

play01:36

about ensuring an organization has clear

play01:38

goals and objectives and everyone in the

play01:41

company is aligned towards achieving

play01:44

those goals and objectives security

play01:46

governance then is the system of rules

play01:48

practices and processes by which the

play01:50

security function is directed and

play01:52

controlled a crucial part of security

play01:54

governance is aligning the security

play01:56

function to the overall organizational

play01:58

goals and objectives so that security

play02:00

can help the business achieve its goals

play02:03

and objectives so that security is an

play02:05

enabler for the business this is

play02:06

something crucial that we always need to

play02:09

keep in mind as Security Professionals

play02:11

our job is to help the business achieve

play02:13

its goals and objectives to be an

play02:16

enabler for the business we don't want

play02:18

to be the shop of no

play02:22

we shouldn't always be telling the

play02:24

business no you can't do that it's too

play02:25

risky we should ideally be saying

play02:28

something more like here's the risk and

play02:30

here's how we can help you mitigate

play02:32

those risks so that the organization can

play02:34

achieve its goals and objectives so now

play02:37

you know the focus of security to help

play02:39

the organization achieve its goals and

play02:41

objectives to be an enabler to the

play02:44

business to help increase the value of

play02:47

the organization and not just be a cost

play02:49

center a critical part of governance is

play02:51

having clearly defined roles and

play02:53

responsibilities so people know exactly

play02:55

what they're supposed to be doing what

play02:57

they're accountable for and what they're

play02:59

responsible for

play03:00

let's spend a few minutes here on these

play03:02

terms accountability and responsibility

play03:05

these are terms often used

play03:07

interchangeably but there is actually a

play03:09

massive difference between them that is

play03:11

very important to understand from a

play03:13

security perspective let's start by

play03:15

defining accountability accountability

play03:18

means the ownership of something

play03:20

accountability means the ultimate

play03:22

answerability blameworthiness and

play03:24

liability put simply accountability is

play03:27

where the buck stops the throat that

play03:29

gets choked if something goes

play03:31

wrong and really crucially

play03:34

accountability can never ever be

play03:37

delegated the owner of an asset is

play03:39

accountable for the security of their

play03:41

asset and they can never delegate that

play03:43

accountability to a subordinate

play03:45

contractor or service provider or anyone

play03:47

else they can't delegate their

play03:49

accountability to

play03:51

anyone what can be delegated is

play03:54

responsibility the responsible party

play03:56

will Implement and enforce controls

play03:58

based on the direction of those that are

play04:00

accountable a perfect example is a

play04:02

public cloud service provider the CSP

play04:05

will be responsible for storing

play04:07

processing and securing a customer's

play04:09

data but ultimately the customer remains

play04:12

accountable for the security of their

play04:14

data the customer cannot Outsource the

play04:17

accountability for protecting their data

play04:18

but they can delegate the

play04:20

responsibility the concept of

play04:22

accountability versus responsibility is

play04:24

going to come up again and again and

play04:26

again it's crucial to understand the

play04:28

difference due care is the responsible

play04:30

protection of assets based on the goals

play04:32

and objectives of the organization due

play04:35

diligence is the demonstrated ability to

play04:39

prove due care to stakeholders upper

play04:42

management Regulators customers

play04:44

shareholders Etc there's an interesting

play04:46

bit of security history related to

play04:47

import export controls I'm wildly

play04:50

oversimplifying here but essentially

play04:51

during the 1970s and 80s some amazing

play04:54

advancements were happening in

play04:56

cryptography super secure new algorithms

play04:58

like DES were being created and whole

play05:02

new amazing techniques like asymmetric

play05:04

cryptography were invented these new

play05:06

algorithms and techniques essentially

play05:09

allowed data to be encrypted such that

play05:11

no one in the world could decrypt it

play05:14

including organizations like the NSA who

play05:17

wanted to be able to decrypt and read

play05:18

anyone's data I need to stop picking on

play05:20

the NSA here they might be listening so

play05:22

laws were put in place to restrict the

play05:24

export of certain cryptographic

play05:25

algorithms and systems to make sure that

play05:27

they didn't get in the hands of the

play05:30

Soviets these are serious laws and

play05:33

violations could see you thrown in

play05:35

federal prison so that's the history of

play05:37

it the two major export laws you need to

play05:40

know about are ITAR and EAR they both

play05:44

restrict the manufacturing sales and

play05:47

distribution of specific Technologies

play05:49

products software and services these

play05:52

laws restrict the export of certain

play05:54

cryptographic systems ITAR the

play05:57

International Traffic in Arms Regulations

play06:00

focuses on the export of Defense

play06:02

articles things like missiles and

play06:04

satellites technical data and defense

play06:06

Services keyword there related to ITAR

play06:09

is that it focuses on defense related

play06:11

items EAR the Export Administration

play06:15

regulations regulates dual use items not

play06:19

covered by ITAR but also still applies

play06:22

to some defense related items the Wassenaar

play06:25

arrangement is very different from ITAR

play06:28

and EAR and importantly the Wassenaar

play06:30

arrangement is voluntary not a strict

play06:33

law and it's also a multinational

play06:35

agreement between 42 signing members 42

play06:39

countries the Wassenaar arrangement is a

play06:41

voluntary export control regime where

play06:44

signatories exchange information on

play06:46

transfers of Conventional Weapons and

play06:48

dual use goods and Technologies now

play06:50

another type of law that is very

play06:51

relevant today trans border data flow

play06:54

laws also commonly referred to as data

play06:56

residency laws or data localization laws

play06:59

these laws are focused on restricting or

play07:01

preventing the flow of data across

play07:03

physical borders for example many

play07:06

countries require that the personal data

play07:09

collected from their citizens be stored

play07:10

on systems within their country privacy

play07:15

is not a massive topic on the CISSP exam

play07:18

but it is large enough to Warrant its

play07:19

own mindmap so for now I'll simply say

play07:23

you cannot achieve privacy without

play07:25

security and we'll talk more about

play07:27

privacy in the next mindmap video

play07:30

ethics are very important to address as

play07:33

part of your security program

play07:35

organizations want their employees to

play07:37

act ethically and consistently the

play07:40

challenge is that each of us have very

play07:42

different ethical values so for an

play07:44

organization to have consistent ethics

play07:46

across all their employees they must

play07:49

codify their ethics write them down

play07:52

in a policy policies are essentially

play07:54

corporate laws we'll talk about that

play07:56

more in a

play07:57

moment what are ethics based on a good

play08:01

answer is that ethics are based on doing

play08:03

nothing that is harmful to anyone else

play08:07

now this part is critical to memorize

play08:10

for the exam the ISC² code of

play08:12

ethics ISC² takes this very

play08:15

seriously it is a requirement of you

play08:17

becoming a CISSP that you agree to abide

play08:20

by this code of ethics ISC² wants

play08:22

to make sure that you know this code of

play08:24

ethics and how to interpret them so

play08:26

you're going to see at least a question

play08:28

or two about these on the CISSP exam I'm

play08:31

going to read them out here memorize the

play08:33

wording and the order they are meant to

play08:36

be acted upon in order number one

play08:40

protect Society the common good

play08:43

necessary public trust and confidence

play08:45

and the

play08:46

infrastructure number two act honorably

play08:50

honestly justly responsibly and legally

play08:55

number three provide diligent and

play08:58

competent service to

play09:00

principals number four advance and

play09:03

protect the

play09:04

profession let's now get into an

play09:06

important discussion of policies and as

play09:08

I mentioned earlier policies are

play09:10

essentially corporate laws policies are

play09:13

how we direct Behavior within an

play09:15

organization policies tell people what

play09:17

they must do the overarching security

play09:20

policy defines an organization's overall

play09:23

approach to security the overarching

play09:25

security policy is provided and

play09:27

supported by the board of directors and

play09:29

Senior Management the policy defines the

play09:31

goals and objectives for the security

play09:32

function and ensures security is aligned

play09:34

with the overall business goals and

play09:37

objectives functional security policies

play09:39

on the other hand are more detailed

play09:41

policies that address specific security

play09:43

requirements and practices such as

play09:45

Access Control encryption incident

play09:47

response and data backups Etc an

play09:50

organization will have a functional

play09:51

policy for each of these and many more

play09:54

good policies are simple easy to read

play09:57

documents that state simple rules such

play10:00

as every laptop must have malware

play10:02

protection policies are corporate laws

play10:05

policies tell people what they must do

play10:08

standards define specific mandatory

play10:11

hardware and software mechanisms for

play10:14

example an organization standard might

play10:16

be that Norton Antivirus is

play10:19

the required antimalware solution for

play10:21

all Windows

play10:22

laptops procedures are step-by-step

play10:26

Mandatory Actions for example an

play10:29

organization could have a procedure for

play10:31

how to install Norton AntiVirus on

play10:33

Windows laptops the exact steps must be

play10:36

followed to correctly install and

play10:38

configure the antimalware software

play10:40

procedures are essentially a step-by-step

play10:42

set of instructions for how to

play10:45

do

play10:46

something baselines are minimum levels

play10:50

of security and Define mandatory

play10:52

configurations for security mechanisms

play10:54

and products for example an organization

play10:58

could have a configuration Baseline for

play11:00

Windows laptops the configuration

play11:02

Baseline is essentially a checklist of

play11:04

all the things that need to be done to

play11:06

correctly configure and lock down a

play11:09

laptop before it starts being used for

play11:12

example the configuration Baseline would

play11:14

require that at a minimum the host based

play11:17

firewall be enabled certain patches be

play11:20

installed the Norton Antivirus be

play11:22

installed and configured correctly by

play11:25

the way I keep mentioning Norton here in

play11:26

the hopes of getting sponsored so if

play11:28

you're listening to

play11:30

um all right guidelin guidelines are

play11:32

recommended actions recommended listen

play11:35

carefully here guidelines are not

play11:37

mandatory they're what someone should do

play11:41

not what someone must do guidelines are

play11:45

useful when an organization knows they

play11:47

should be doing something but they

play11:49

haven't fully implemented it yet so for

play11:51

example the organization might want to

play11:53

have multiactor authentication for all

play11:55

administrative accounts but if there are

play11:57

systems that don't support that yet the

play12:00

organization is setting itself up for

play12:02

failure if they create a mandatory

play12:04

requirement for multiactor

play12:05

authentication for admin access to all

play12:07

systems instead the organization can

play12:10

create a guideline it would be good to

play12:13

have MFA for admin access to all systems

play12:15

but it's not a requirement

play12:18

yet risk management is a super important

play12:21

topic risk management is a rically

play12:24

important tool that we use as Security

play12:27

Professionals to help us F out how to

play12:29

best protect the assets of the

play12:31

organization with the limited resources

play12:33

that we have there's a mind map

play12:36

dedicated to risk management and I'm

play12:37

mentioning it here as risk management is

play12:39

a critical part of security

play12:42

governance procurement security must be

play12:45

involved in the procurement process

play12:48

right from the start of the process this

play12:50

starts with understanding and validating

play12:52

the business requirements for whatever

play12:54

is being procured if it's a service

play12:56

being procured then the security

play12:58

requirements are defined in the SLR the

play13:00

service level requirements document the

play13:04

requirements documented in the SLR will

play13:06

be used in the procurement process to

play13:09

evaluate how well each service meets the

play13:11

security requirements once a particular

play13:14

service provider is selected then the

play13:16

requirements listed in the SLR will be

play13:19

translated to a new document the SLA

play13:22

service level agreement the SLA is an

play13:25

addendum to the legally binding contract

play13:28

making the SLA legally binding as well

play13:31

the SLA describes the services to be

play13:33

provided the service targets specific

play13:36

responsibilities Etc partically the SLA

play13:40

is used to clearly communicate

play13:42

requirements to a service provider to

play13:45

say hey service provider I need you to

play13:47

make sure you're doing this that and the

play13:49

other

play13:50

thing going back to what I mentioned

play13:52

earlier accountability can never be

play13:54

outsourced but responsibilities can so

play13:57

the SLA is a Cru crucial document that

play14:00

the owner of an asset uses to make sure

play14:02

the service provider clearly understands

play14:04

their responsibilities who is

play14:06

responsible for security the answer

play14:11

everyone this is absolutely true

play14:14

everyone is responsible for security but

play14:16

it's not good enough to just say hey

play14:18

everyone's responsible for security

play14:20

everyone needs to know what specifically

play14:22

they're responsible for from a security

play14:24

perspective and how they're supposed to

play14:26

do whatever it is they're responsible

play14:28

for and that's why we have the last

play14:30

little piece to talk about here

play14:32

awareness training and education I'm

play14:35

going to give you succinct definitions

play14:36

of each awareness is an informal process

play14:40

of communication such as emails posters

play14:42

Etc with the goal of changing cultural

play14:46

sensitivity to a given topic or issue

play14:49

for example making employees aware of

play14:51

this thing called fishing and that they

play14:53

should be careful of what links they

play14:54

click on in emails that's a good example

play14:57

of awareness training is semi-formal and

play15:00

provides specific skills necessary to

play15:02

perform something related to security

play15:04

for example if a company buys a bunch of

play15:06

Cisco firewalls then some employees are

play15:09

going to need to be trained on how to

play15:11

deploy and manage Cisco firewalls this

play15:14

is training specific skills finally

play15:17

education is about teaching fundamental

play15:20

concepts our cisp master class is a

play15:23

perfect example of Education we teach

play15:25

folks the fundamental concepts of

play15:26

security so they can be better security

play15:28

professionals and pass the CIS exam all

play15:31

right that is an overview of security

play15:33

governance within domain one covering

play15:35

the most critical Concepts you need to

play15:37

know for the exam as an added bonus in

play15:40

this first mindmap video I want to share

play15:42

with you the most important advice I can

play15:44

give you for passing the cisp exam you

play15:46

need to approach your studies and

play15:49

especially the exam with the right

play15:51

mindset as I said the cisp is a

play15:55

management level certification if you

play15:57

answer the questions on the ex exam with

play15:58

a technical mindset you will very likely

play16:01

fail unfortunately so how should you

play16:05

approach your studies and most

play16:07

importantly the exam by thinking like a

play16:09

CEO I made a video on this mindset of

play16:12

thinking like a CEO which you can watch

play16:14

for free by clicking on the link in the

play16:16

description below I would highly

play16:18

recommend that you take a few minutes to

play16:19

watch the video we've trained and guided

play16:22

thousands of people just like yourself

play16:23

to confidently pass the cisp exam over

play16:26

the last 20 plus years and we've

play16:28

received hundreds of emails over the

play16:30

years from our students saying things

play16:32

like thinking like a CEO worked it was

play16:35

the single biggest factor that held me

play16:36

pass the exam so that's why I'm sharing

play16:39

this with you I know it works and it

play16:42

will help you pass the cisp exam so

play16:45

check out our free think like a CEO

play16:46

video link is in the description

play16:49

below all the best in your

play16:52

[Music]

play16:57

studies
